Solved

Blackberry Enterprise and Internet Browsing

Posted on 2009-06-29
Last Modified: 2012-05-07
We're trialing BES 4.1 and one of the trial users was browsing the web on their blackberry over the weekend and complained that a website they were trying to visit was filtered by our corporate firewall - he got the 'filtered' message webpage he is used to seeing when attempting to access a filtered website that's normally only seen when browsing the web from the corporate network.

If he's using his blackberry using the cellular network, I'm not sure how or why he would have his traffic filtered through our firewall. Is there a configuration somewhere in BES that lets you toggle this feature?
Question by:DVation191
14 Comments
 

Expert Comment

by:techzter
Have you been able to recreate this issue while the user has been in the office? I do not see how this would be possible while the user was on the cell network. Not without some sort of VPN software which would allow him to tunnel back into your network, and back out again through your filter.

Was the user in the office at the time? Any chance that they activated the wifi on the Blackberry and were surfing using that instead?

Author Comment

by:DVation191
Yes, in fact when I found out what URL it was that was generating the filtered web page error, I had another user try to access the site and it was also redirected to the firewall's filter page. We are not using any VPNs, not on the blackberries either.

I double checked the WiFi and it was disabled on both phones. Really odd problem!

Expert Comment

by:techzter
Can you post the link? I can try it with my Blackberry to see what I get. Wouldn't that be a fun prank. Post up a site that appears to be an error just to drive other site admins crazy figuring it out. ;)

Some others may have an idea but I am stumped. I don't know of any way from the standard BES setup that the user's blackberry would access the internet back through your network rather than going straight to the internet.

Expert Comment

by:-jonny-
That's completely normal for BES

Web page requests from the blackberry browser (i.e. default browser using MDS) get sent via the BES. The BES will take the request and retrieve the website, in the process being subject to all the firewall and proxy settings that a PC/Server on your corporate network is subject to. Once the web page has been returned it is formatted and sent down to the device.

It's done like this on purpose - your blackberry is essentially a wireless kiosk with access to your internal network. You don't want your users bypassing all the safeguards and security you've put in place.

Hope that helps.

Author Comment

by:DVation191
@jonny
Are you suggesting that this is not configurable?

Expert Comment

by:techzter
Wow, -jonny-, thanks for filling us in. I had no idea that it worked that way for internet access. This is easy to verify. If you access an IP reporting site using your Blackberry device you will see that the IP logged is the external IP of your office network.

Perhaps -jonny- may be able to tell you of a way to disable this feature and allow direct access to the net. In the meantime my thought would be that you can create an exception to the filter rule and use the IP of the BES server for that rule. I think that this would allow access to the site from the handheld for the user. I think that this will open up that site for all Blackberry users. Just something to keep in mind.

Expert Comment

by:-jonny-
You can't configure the request going from a BES-activated device going via the BES. You can, however, get the BES to bypass the proxy by several methods, like the one mentioned by techzter.

Is there a reason why a website filtered by your internal proxy should be allowed on a user's blackberry? Surely the filter is there for a purpose? If you're going to allow it on a blackberry you might as well allow it on a PC, so perhaps you can just unblock that website?

If you want direct access to the net, without going via the BES, then you can do it two ways:

1. Get the user to create a BIS account. When they do this they'll also get the BIS browsing service books, giving them a "public" browser. Then, on the BES, select the user and disable MDS connection services. The user will only have the BIS browser to use.

2. Install Opera Mini or a third-party browser. Opera Mini uses the TCP settings you can specify under options -> advanced options -> TCP. You can get these settings from your carrier, and it's a direct pipe to the internet.

Just a word of warning - if you do go down the Opera Mini route then I would also set the IT policy "Disable Split Pipes" to true.

Author Comment

by:DVation191
Well the situation is that the Blackberry device is owned by the employee. They have paired up with the BES server to get corporate email. In my opinion, the user should not have their web filtering restricted, especially when outside the office, when he/she is using the cellular data network that they pay for themselves.

I'll give some of these configurations a try and see if we can get this resolved. Thanks for the tips.

Expert Comment

by:-jonny-
You have to remember that while the employee has bought the blackberry and is paying for the tariff, they're still connecting to your corporate network. It's dangerous to forsake corporate security for the sake of one user paying their own bill.

Whether they're physically outside the office or not, you essentially have a wireless kiosk connected to your network that can access internal networks in the form of the blackberry.

Give some of those configs a try and let us know how you get on.

Author Comment

by:DVation191
Just want to make sure I have the right policy here. I created a new policy and drilled down to "MDS Integration Services" and set "Disable MDS Integration" to TRUE.

Is that the policy you are referring to? I pushed that new policy out to one of the devices and it didn't make any difference.

Accepted Solution

by:-jonny-
No, MDS Integration is the service to push out applications from the BES and control that. If you right-click on the user then you should have the ability to disable MDS connection services. I think it might also be available as a global property of the server too (it's not in IT policy).

Author Comment

by:DVation191
Closest setting I could find was "Disable connection and collaboration services" ... nothing explicitly referring to MDS. Upon disabling that for the user, the site continued to be blocked.

Assisted Solution

by:-jonny-
Sorry it's taken a while - had to dig out my old 4.1 VM image!
Under BlackBerry Domain - Servers, in the right hand pane select the Servers tab, then in the window right click the Server and choose Disable BlackBerry MDS Connection service (note that this disables all BES-browsing for ALL users).

You can also stop the service which would do the same thing - the green MDS_CS_1 box under "servers"; select it and choose stop service.

Note: you've now taken away the ability to browse via the BES - the user MUST have the BIS-browsing service books on their device (on their device go to: options - advanced options - service book and ensure that "IPPP for BIBS [IPPP]" is there).

Also, their device may still try to connect using MDS as newer devices remember which service you used to go to individual websites. For the blocked website, create a bookmark on the user's device. Highlight the bookmark and choose "Edit bookmark". Under "Browser", ensure that it's set to "Internet Browser".

Finally, under options - advanced options - browser, ensure that default browser configuration is set to internet browser.

Author Comment

by:DVation191
"Finally, under options - advanced options - browser, ensure that default browser configuration is set to internet browser."

I think that was the key - disabling the connection and collaboration services was part of it, but unless you set the browser to use the "internet browser" instead of the blackberry one, it continues to route through the BES browser. Thank you.