Solved

Blackberry Enterprise and Internet Browsing

Posted on 2009-06-29
Last Modified: 2012-05-07
We're trialing BES 4.1 and one of the trial users was browsing the web on their blackberry over the weekend and complained that a website they were trying to visit was filtered by our corporate firewall - he got the 'filtered' message webpage he is used to seeing when attempting to access a filtered website that's normally only seen when browsing the web from the corporate network.

If he's using his blackberry using the cellular network, I'm not sure how or why he would have his traffic filtered through our firewall. Is there a configuration somewhere in BES that lets you toggle this feature?
0
Question by:DVation191
 
LVL 11

Expert Comment

by:techzter
ID: 24738231
Have you been able to recreate this issue while the user has been in the office? I do not see how this would be possible while the user was on the cell network. Not without some sort of VPN software which would allow him to tunnel back into your network, and back out again through your filter.

Was the user in the office at the time? Any chance that they activated the wifi on the Blackberry and were surfing using that instead?
0
 
LVL 20

Author Comment

by:DVation191
ID: 24738342
Yes, in fact when I found out what URL it was that was generating the filtered web page error, I had another user try to access the site and it was also redirected to the firewall's filter page. We are not using any VPNs, not on the blackberries either.

I double checked the WiFi and it was disabled on both phones. Really odd problem!
0
 
LVL 11

Expert Comment

by:techzter
ID: 24739604
Can you post the link? I can try it with my Blackberry to see what I get. Wouldn't that be a fun prank. Post up a site that appears to be an error just to drive other site admins crazy figuring it out. ;)

Some others may have an idea but I am stumped. I don't know of any way from the standard BES setup that the user's blackberry would access the internet back through your network rather than going straight to the internet.
0

 
LVL 19

Expert Comment

by:-jonny-
ID: 24739833
That's completely normal for BES

Web page requests from the blackberry browser (i.e. default browser using MDS) get sent via the BES. The BES will take the request and retrieve the website, in the process being subject to all the firewall and proxy settings that a PC/Server on your corporate network is subject to. Once the web page has been returned it is formatted and sent down to the device.

It's done like this on purpose - your blackberry is essentially a wireless kiosk with access to your internal network. You don't want your users bypassing all the safeguards and security you've put in place.

Hope that helps.
0
 
LVL 20

Author Comment

by:DVation191
ID: 24743811
@jonny
Are you suggesting that this is not configurable?
0
 
LVL 11

Expert Comment

by:techzter
ID: 24744526
Wow -jonny- thanks for filling us in. I had no idea that it worked that way for internet access. This is easy to verify. If you access an IP reporting site using your Blackberry device you will see that the IP logged is the external IP of your office network.

Perhaps -jonny- may be able to tell you of a way to disable this feature and allow direct access to the net. In the meantime my thought would be that you can create an exception to the filter rule and use the IP of the BES server for that rule. I think that this would allow access to the site from the handheld for the user. I think that this will open up that site for all Blackberry users. Just something to keep in mind.
0
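The same point seen from the filter's side, as an added example that is not part of any post in this thread: because the BES fetches pages on behalf of every handheld, the proxy log shows one internal client address for all MDS browsing, so a per-source exception cannot single out one user. The Squid-style log layout, the BES address 10.0.0.25 and the sample lines are assumptions constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

BES_HOST = "10.0.0.25"  # assumption: internal address of the BES server

# Constructed sample in Squid's native access.log layout:
# time elapsed client action/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1246269601.120  85 10.0.0.25 TCP_DENIED/403 1420 GET http://blocked.example/ - NONE/- text/html
1246269655.310 212 10.0.0.25 TCP_MISS/200 18231 GET http://news.example/index.html - DIRECT/192.0.2.10 text/html
1246269702.004  64 10.0.0.87 TCP_DENIED/403 1420 GET http://blocked.example/ - NONE/- text/html
1246269760.551  91 10.0.0.25 TCP_DENIED/403 1420 GET http://blocked.example/page - NONE/- text/html
1246269800.000  30 10.0.0.25 TCP_DENIED/403 1420 CONNECT mail.blocked.example:443 - NONE/- -
"""

def url_host(method, url):
    """Return the destination host; CONNECT lines carry host:port, not a URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname

def parse_line(line):
    """Split one access.log line into the fields used below, or None if malformed."""
    parts = line.split()
    if len(parts) < 7:
        return None
    action = parts[3].partition("/")[0]
    return {"client": parts[2], "action": action,
            "host": url_host(parts[5], parts[6])}

def summarize_bes_traffic(log_text, bes_host=BES_HOST):
    """Count requests the proxy attributes to the BES and which hosts it denied."""
    total = 0
    denied = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["client"] != bes_host:
            continue  # a desktop PC or other client, not handheld browsing via MDS
        total += 1
        if rec["action"] == "TCP_DENIED":
            denied[rec["host"]] += 1
    return {"requests": total, "denied": dict(denied)}

if __name__ == "__main__":
    print(summarize_bes_traffic(SAMPLE_LOG))
```

Nothing in these log lines identifies the individual device; the only per-request source is the BES host, which is why an exception keyed on that address applies to every BES-activated handheld.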
 
LVL 19

Expert Comment

by:-jonny-
ID: 24754688
You can't configure the request going from a BES-activated device going via the BES. You can, however, get the BES to bypass the proxy by several methods, like the one mentioned by techzter.

Is there a reason why a website filtered by your internal proxy should be allowed on a user's blackberry? Surely the filter is there for a purpose? If you're going to allow it on a blackberry you might as well allow it on a PC, so perhaps you can just unblock that website?

If you want direct access to the net, without going via the BES, then you can do it two ways:

1. Get the user to create a BIS account. When they do this they'll also get the BIS browsing service books, giving them a "public" browser. Then, on the BES, select the user and disable MDS connection services. The user will only have the BIS browser to use.

2. Install Opera mini or a third-party browser. Opera mini uses the TCP settings you can specify under options -> advanced options -> TCP. You can get these settings from your carrier, and it's a direct pipe to the internet.

Just a word of warning - if you do go down the opera mini route then I would also set the IT policy "Disable Split Pipes" to true.
0
 
LVL 20

Author Comment

by:DVation191
ID: 24754872
Well the situation is that the Blackberry device is owned by the employee. They have paired up with the BES server to get corporate email. In my opinion, the user should not have their web filtering restricted, especially when outside the office, when he/she is using the cellular data network that they pay for themselves.

I'll give some of these configurations a try and see if we can get this resolved. Thanks for the tips.
0
 
LVL 19

Expert Comment

by:-jonny-
ID: 24754989
You have to remember that while the employee has bought the blackberry and is paying for the tariff, they're still connecting to your corporate network. It's dangerous to forsake corporate security for the sake of one user paying their own bill.

Whether they're physically outside the office or not, you essentially have a wireless kiosk connected to your network that can access internal networks in the form of the blackberry.

Give some of those configs a try and let us know how you get on.
0
 
LVL 20

Author Comment

by:DVation191
ID: 24755424
Just want to make sure I have the right policy here. I created a new policy and drilled down to "MDS Integration Services" and set "Disable MDS Integration" to TRUE.

Is that the policy you are referring to? I pushed that new policy out to one of the devices and it didn't make any difference.
0
 
LVL 19

Accepted Solution

by:-jonny-
-jonny- earned 500 total points
ID: 24755472
No, MDS Integration is the service to push out applications from the BES and control that. If you right-click on the user then you should have the ability to disable MDS connection services. I think it might also be available as a global property of the server too (it's not in IT policy).
0
 
LVL 20

Author Comment

by:DVation191
ID: 24756445
Closest setting I could find was "Disable connection and collaboration services" ... nothing explicitly referring to MDS. Upon disabling that for the user, the site continued to be blocked.
0
 
LVL 19

Assisted Solution

by:-jonny-
-jonny- earned 500 total points
ID: 24771386
Sorry it's taken a while - had to dig out my old 4.1 VM image!
Under BlackBerry Domain - Servers, in the right hand pane select the Servers tab, then in the window right click the Server and choose Disable BlackBerry MDS Connection service (note that this disables all BES-browsing for ALL users).

You can also stop the service which would do the same thing - the green MDS_CS_1 box under "servers"; select it and choose stop service.

Note: you've now taken away the ability to browse via the BES - the user MUST have the BIS-browsing service books on their device (on their device go to: options - advanced options - service book and ensure that "IPPP for BIBS [IPPP]" is there).

Also, their device may still try to connect using MDS as newer devices remember which service you used to go to individual websites. For the blocked website, create a bookmark on the user's device. Highlight the bookmark and choose "Edit bookmark". Under "Browser", ensure that it's set to "Internet Browser".

Finally, under options - advanced options - browser, ensure that default browser configuration is set to internet browser.
0
 
LVL 20

Author Comment

by:DVation191
ID: 25012732
"Finally, under options - advanced options - browser, ensure that default browser configuration is set to internet browser."

I think that was the key - disabling the connection and collaboration services was part of it, but unless you set the browser to use the "internet browser" instead of the blackberry one, it continues to route through the BES browser. Thank you.
0


Question has a verified solution.
