Re: [fw-wiz] Blackberry MDS Connection Bypassing firewall

My guess is that the best way to solve this problem would be to isolate the BES on its own system (blackberry recommends this anyway) and then restrict that computers egress access as necessary. All BES/MDS connections coming in from RIMM and through the proxy will then get handled by your regular firewall.


From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx [mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of miedaner
Sent: Friday, January 11, 2008 10:47 AM
To: firewall-wizards@xxxxxxxxxxxxxxxxxxxxxxx
Subject: [fw-wiz] Blackberry MDS Connection Bypassing firewall


Wondering if anyone has dealt with this problem with BES.

Blackberry enterprise server is configured by default to allow TCP traffic from the Blackberry clients through the encrypted BES connection to a internal network. As the Blackberries are java based some clever folks have built things like SSH clients for them.

The problem is that this type of access bypasses firewall and VPN rules.

I know that there are ACL's possible on the MDS connection service that allows this but I am told that it is either block all tcp or block none.

I am wondering if anyone knows if the BES ACl really is all or none and if anyone has implemented a solution to restrict internal network access through BES to only protocols like http or hhtps.

firewall-wizards mailing list