BlackBerry Forums Support Community
Old 11-10-2008, 03:30 PM   #1
Jassyca
New Member
 
Join Date: Nov 2008
Model: 8330
PIN: N/A
Carrier: Verizon
Posts: 3
Question Newbie BES Admin needs help blocking rogue mobiles


Hi,

I'm the Exchange administrator for a company. Until recently, management has turned a blind eye to mobile devices. If they pretend it doesn't exist, then it can't be a problem, right? Riiiiight. So we have users with Blackberries, Treos, etc. You name it, one of our users out there probably has one. Although most of these devices were purchased by the company, no one at the company has any idea who has a mobile and what it is. (Purchasing "assumed" the end user would contact the IT department whenever they requested a mobile phone, so they didn't bother to track what was purchased, when and by whom.) Our PC Techs have a vague idea because they were often called upon to help users set up their phones. But we do have some users who are techie enough that they didn't need help setting up their phone. Plus, the PC Techs were also asked to set up phones which were (unknown to the PC Tech) not owned by the company. So we have no idea how many, what brand, who has one and which ones are company owned or user owned. (Arrgh.. )

Out of the blue, management has suddenly decided that all those unknown "rogue" mobile devices out there pose a security risk. (Gasp! No! Really? A security risk? With saved passwords and all that? What a surprise.) After much begging by the IT department, management has decided to allow us to standardize on one mobile solution. We chose Blackberries. So I need to find a way to stop ALL mobile devices from accessing email except Blackberries that are set up to use Enterprise Activation. If possible, we would also like to continue to allow Web Outlook. (Note: Web Outlook is set up to only allow HTTPS connections. So, by itself, it's not a security risk. But if we have to kill it to block rogue mobiles or to block users who were dumb enough to allow IE to automatically save their password, then that's what we'll do.)

Now, here are my questions:

1 - Looking at my Exchange server's web logs, I can tell that a number of our users have Blackberries out there because the IP address of the host that's used to view the user's mailbox resolves to Blackberry.com. As a test, I disabled Webmail for just my account. When I try to log on to Outlook through the web from a regular web browser, the server says no way, webmail for my account has been disabled by the system administrator. However, if I have a Blackberry that's configured with my email settings but not with Enterprise Activation, it has no trouble whatsoever receiving messages. I can tell not only because the messages are on my Blackberry, but I can also see my user name in the Exchange server's web logs with a result code of "200" (i.e., webpage displayed successfully). Does anyone have any suggestions on how I can stop rogue Blackberries from successfully retrieving messages using webmail yet still allow webmail?

2 - If I have to completely disable Web Outlook in order to stop the rogue mobiles from accessing messages using Web Outlook, what effect will that have on Blackberries that are set up to use Enterprise Activation?


Here is what we have:

- Exchange 2007 with Service Pack 1 and Post Service Pack 1 Rollup 2. I don't know if it matters but POP3 is disabled.
- Blackberry Enterprise Server 4.1 with Service Pack 6 and Maintenance Release 1

Unfortunately, I cannot tell you what model Blackberries our users have (from this point forward, new requests will be filled by Blackberry Curves). I don't know if the model makes much of a difference.



PS: My apologies if this is posted multiple times. My company's junkware web filtering server gave me an error message when I tried to post this message the first time. I checked the forums and didn't see the message so I'm trying to post it again.
Old 11-10-2008, 07:49 PM   #2
SteveO86
BlackBerryForums.com Super Moderator
 
 
Join Date: Sep 2007
Location: Florida
Model: 9650
OS: 6.0.0.280
PIN: I heard it drop!
Carrier: VZW BIS
Posts: 6,534

1- You could try setting up an extended access list to deny the BlackBerry IPs to the IPs of your Exchange. (Just don't block the IP of your internal BES to the Exchange.)

2- If the BlackBerries went through the Enterprise Activation, then they have no need to access web mail; the email goes through the BES. However, you will be completely disabling OWA.
Old 11-10-2008, 09:07 PM   #3
Frank Castle
BlackBerry Extraordinaire
 
 
Join Date: Jul 2005
Location: MA
Model: 9930
PIN: PM Me!
Carrier: VZW
Posts: 1,073
Exchange

Exchange already has the controls for any devices besides Blackberry. We don't have Exchange 2007 yet, but in 2003 SP2 there is a global Exchange policy where you enforce the ActiveSync policy settings. You likely want to check these out if you do have users who will get an exception, so the policy somewhat matches our BES policy (password length, time out, etc.).

Now in Active Directory, look up users, right click and go to the Exchange Features tab. If you only want OWA and OMA access, turn off all the other settings; that is how we are set up for 95% of users, and to validate I have a script I run monthly to see if someone was enabled. We basically don't allow any personally bought mobile devices other than OWA / OMA.

On the Blackberry side they won't be able to activate unless they get an EAP from someone. Tighten up your controls and, if needed, you could do a BES Enterprise Policy to only allow certain vendors and models.

I don't think disabling OWA is a great idea, as I'm sure you have remote users who use it from home PCs, airport cafes, etc. If anything, kill OMA if you really want to lock down mobility.

Last edited by Frank Castle; 11-10-2008 at 09:09 PM..
Old 11-11-2008, 03:46 PM   #4
Jassyca
New Member
 
Join Date: Nov 2008
Model: 8330
PIN: N/A
Carrier: Verizon
Posts: 3

Quote:
Originally Posted by jletendre
Exchange already has the controls for any devices besides Blackberry. We don't have Exchange 2007 yet but in 2003 SP2 there is a global exchange policy where you enforce the ActiveSync policy settings. You likely want to check these out if you do have users who will get an exception so the policy somewhat matches our BES policy (password length, time out etc)
You're right. That would work if we had devices using ActiveSync. But we don't. Not externally, anyway, because I only have ActiveSync configured internally, not externally. But it's a good thought.

SteveO86: That's an interesting idea about blocking the Blackberry IPs. What about our internal BES server? You said don't block it from the Exchange server (of course not), but didn't mention if traffic to/from Blackberry IPs should be blocked from it too. I assume that's because it shouldn't be blocked, because BES needs to be able to talk to Blackberry's servers, yes? So just block external Blackberry IPs from Exchange and no other servers, yes yes? Sorry if this seems like a stupid question, I just want to make sure I understand things completely.
Old 11-12-2008, 08:53 AM   #5
AndyJUK
Knows Where the Search Button Is
 
Join Date: Sep 2007
Location: Birmingham UK
Model: 8320
OS: 4.5.052
PIN: 2544432B
Carrier: Orange
Posts: 28

If the devices are using push email through OWA, there should be a separate device administration website on your Exchange server.

You can then go onto this and essentially wipe the devices, therefore forcing the users to contact IT and get a new device.
Old 11-12-2008, 10:13 AM   #6
FNCslester
New Member
 
Join Date: Jun 2007
Location: Alabama
Model: 9700
OS: 5.0.0.405
PIN: N/A
Carrier: AT&T
Posts: 9

Jassyca: I had the same problem several months ago. I had our networking guy block all Blackberry Internet Service IPs coming from the outside at our firewall. See Blackberry KB11036 for the IP ranges.

The IPs that your BES connects over are different from those that the Internet Service uses, but you can always test your connection from the BES to the Internet through Blackberry Server Configuration > Blackberry Router > Test Network Connection.
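A small detection script for the situation Jassyca describes in point 1 (non-BES BlackBerries reaching OWA and logging a 200), which also serves to verify FNCslester's firewall block after the fact: it parses IIS W3C log lines and reports which users still have successful OWA hits from BlackBerry Internet Service addresses. This is an added example, not code from the thread; the IP ranges and log lines below are constructed placeholders, since the real ranges live in KB11036 and are not reproduced here.

```python
import ipaddress
from collections import defaultdict

# Constructed placeholder ranges standing in for the BIS ranges in KB11036
# (documentation/test networks, not real BlackBerry address space).
BIS_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
              ipaddress.ip_network("198.51.100.0/25")]

# Constructed IIS W3C log lines in the shape Exchange 2007 OWA writes; not a real capture.
SAMPLE_LOG = """#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2008-11-10 14:02:11 203.0.113.45 CORP\\jsmith GET /owa/ 200
2008-11-10 14:02:12 192.0.2.17 CORP\\jsmith GET /owa/ 200
2008-11-10 14:03:40 198.51.100.9 CORP\\adoe POST /owa/ev.owa 200
2008-11-10 14:04:01 203.0.113.46 CORP\\bwong GET /owa/ 403
2008-11-10 14:05:00 192.0.2.99 - GET /owa/auth/logon.aspx 200
"""

def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) == len(fields):
            yield dict(zip(fields, parts))

def in_bis_range(ip, ranges):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)

def find_bis_owa_users(text, ranges=BIS_RANGES):
    """Map username -> count of successful (200) OWA requests from BIS addresses.
    A 403 or a missing hit after the firewall change means the block is effective."""
    hits = defaultdict(int)
    for rec in parse_w3c(text):
        if rec["sc-status"] != "200" or rec["cs-username"] == "-":
            continue
        if not rec["cs-uri-stem"].lower().startswith("/owa"):
            continue
        if in_bis_range(rec["c-ip"], ranges):
            hits[rec["cs-username"]] += 1
    return dict(hits)

if __name__ == "__main__":
    for user, n in find_bis_owa_users(SAMPLE_LOG).items():
        print(f"{user}: {n} OWA hit(s) from BIS addresses")
```

Point it at a real log by reading the file into `text` and replacing the placeholder ranges with the ones from KB11036; any user it lists has a BlackBerry pulling mail through OWA rather than through the BES.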
Old 11-12-2008, 11:52 AM   #7
Drork
Knows Where the Search Button Is
 
Join Date: Mar 2005
Model: 8707
Carrier: Orange Israel
Posts: 22

BES basically needs only one outgoing port to work, while the BIS uses either the web or POP3 to communicate.
I would block all mobile options (OMA) on the Exchange and all POP3 connections, so the only thing that can work is the BES.
As for OWA, either block it for a short time until you get all straight and then slowly reopen it while monitoring, or try changing the port setting so it will need a specific URL to access.
Old 11-12-2008, 02:43 PM   #8
Jassyca
New Member
 
Join Date: Nov 2008
Model: 8330
PIN: N/A
Carrier: Verizon
Posts: 3

Thank you all so so much. These are all fantastic suggestions! I particularly like the suggestion about blocking Blackberry servers' IP because that doesn't disable Web Outlook.


Thank you FNCslester (for the KB article) and SteveO86. And everyone else too!
Old 11-12-2008, 02:47 PM   #9
pgleek
New Member
 
Join Date: Nov 2008
Model: 8830
PIN: N/A
Carrier: sprint
Posts: 4

The BIS IP range is not the same as the BES IP range, and technically the IP traffic from Blackberry to your BES never hits Exchange.

Once you have a BES set up, it uses MAPI connections from the server in your domain it's running on to contact the email server, and so therefore your Exchange servers would not see those hitting your environment unless you are talking about blocking it at the firewall outside your DMZ.
Copyright © 2004-2016 BlackBerryForums.com.
The names RIM © and BlackBerry © are registered Trademarks of BlackBerry Inc.