• Status: Solved
  • Priority: Medium
  • Security: Public

BlackBerry Enterprise Server MDS CS cannot browse HTTPS websites

BES 5.0.3 MR8 on Windows 2008 R2, all BlackBerry services on a single server and all in the same AD domain.

Configured MDS Connection Service to use integrated authentication (I have edited the mdslogin.conf and krb5.conf by just changing the defaults to my own domain, no other changes).
See the attached screenshots of my BES configuration.
I cannot connect to any HTTPS site from my handset, but HTTP sites are fine. I.e., I can go to http://www.amazon.co.uk but when I go to https://www.amazon.co.uk I get:

"Unable to connect using the current security settings. Please contact your service provider."

In the MDAT log I get:

<MDS-CS_SERVER19_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, u1 Not authorized to access service tcp www.amazon.co.uk:443/>

I have set up the MDS service to go direct under proxy settings, and the Checkpoint firewall allows HTTP and HTTPS.

********************************************************

MDAT Log extract

<2012-08-22 16:17:56.062 BST>:[1105]:<MDS-CS_SERVER19_MDS-CS_1>:<INFO >:<LAYER = IPPP, DEVICEPIN = 22d8405e, DOMAINNAME = www.amazon.co.uk, CONNECTION_TYPE = DEVICE_CONN, ConnectionId = 1206734759, DURATION(ms) = 1198, MFH_KBytes = 1.321, MTH_KBytes = 3.794, MFH_PACKET_COUNT = 1, MTH_PACKET_COUNT = 1>
<2012-08-22 16:17:56.062 BST>:[1106]:<MDS-CS_SERVER19_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, EVENT = RemovedReceivingQueue, USERID:CONNECTIONID = u1:1206734759, ReceivingQueueSize = 0>
<2012-08-22 16:17:56.063 BST>:[1107]:<MDS-CS_SERVER19_MDS-CS_1>:<DEBUG>:<LAYER = SRP, SRPID = T35501658[SERVER19:3200], EVENT = Sending, VERSION = 1, COMMAND = SEND, TAG = 1313210384, SIZE = 4026>
<2012-08-22 16:17:57.025 BST>:[1108]:<MDS-CS_SERVER19_MDS-CS_1>:<DEBUG>:<LAYER = SRP, SRPID = T35501658[SERVER19:3200], EVENT = Receiving, VERSION = 1, COMMAND = STATUS, TAG = 1313210384, SIZE = 10, STATE = DELIVERED>
<2012-08-22 16:17:57.026 BST>:[1109]:<MDS-CS_SERVER19_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, EVENT = Notification, TAG = 1313210384, STATE = DELIVERED>
<2012-08-22 16:17:57.541 BST>:[1110]:<MDS-CS_SERVER19_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, EVENT = RemovedSendingQueue, DEVICEPIN = 22d8405e, USERID = u1>
<2012-08-22 16:17:58.267 BST>:[1111]:<MDS-CS_SERVER19_MDS-CS_1>:<DEBUG>:<LAYER = SRP, SRPID = T35501658[SERVER19:3200], EVENT = Receiving, VERSION = 1, COMMAND = RECEIVE, TAG = 6262, SIZE = 314>
<2012-08-22 16:17:58.268 BST>:[1112]:<MDS-CS_SERVER19_MDS-CS_1>:<DEBUG>:<LAYER = SRP, SRPID = T35501658[SERVER19:3200], EVENT = Sending, VERSION = 1, COMMAND = RECEIVE, TAG = 6262, SIZE = 10>
<2012-08-22 16:17:58.268 BST>:[1113]:<MDS-CS_SERVER19_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, EVENT = Receiving, TAG = -2075799122, DEVICEPIN = 22d8405e, USERID = u1, VERSION = 16, CONNECTIONID = 1206734760, SEQUENCE = 0, TYPE = CONNECTION-REQUEST, CONNECTIONHANDLER = bsm, PROTOCOL = TCP, PARAMETERS = [bsmhandler:0], SIZE = 137>
<2012-08-22 16:17:58.268 BST>:[1114]:<MDS-CS_SERVER19_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, EVENT = CreatedReceivingQueue, USERID:CONNECTIONID = u1:1206734760, ReceivingQueueSize = 1>
<2012-08-22 16:17:58.268 BST>:[1115]:<MDS-CS_SERVER19_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, EVENT = StartExecuting, TAG = -2075799122, DEVICEPIN = 22d8405e, USERID = u1, VERSION = 16, CONNECTIONID = 1206734760, SEQUENCE = 0, TYPE = CONNECTION-REQUEST, CONNECTIONHANDLER = bsm, PROTOCOL = TCP, PARAMETERS = [bsmhandler:0], SIZE = 137>
<2012-08-22 16:17:58.269 BST>:[1116]:<MDS-CS_SERVER19_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, EVENT = EndExecuting, TAG = -2075799122, DEVICEPIN = 22d8405e, USERID = u1, VERSION = 16, CONNECTIONID = 1206734760, SEQUENCE = 0, TYPE = CONNECTION-REQUEST, CONNECTIONHANDLER = bsm, PROTOCOL = TCP, PARAMETERS = [bsmhandler:0], SIZE = 137>
<2012-08-22 16:17:58.270 BST>:[1117]:<MDS-CS_SERVER19_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, HANDLER = BSM DEVICEPIN = 22d8405e, Successful Update>
<2012-08-22 16:17:58.279 BST>:[1118]:<MDS-CS_SERVER19_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, EVENT = CreatedSendingQueue, DEVICEPIN = 22d8405e, USERID = u1>
<2012-08-22 16:17:58.279 BST>:[1119]:<MDS-CS_SERVER19_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, EVENT = Sending, TAG = 1313210385, DEVICEPIN = 22d8405e, USERID = u1, VERSION = 16, CONNECTIONID = 1206734760, SEQUENCE = 0, TYPE = DISCONNECT-ORDER, SIZE = 17>
<2012-08-22 16:17:58.280 BST>:[1120]:<MDS-CS_SERVER19_MDS-CS_1>:<DEBUG>:<LAYER = SCM, Device connections: AVG latency (msecs)1>
<2012-08-22 16:17:58.280 BST>:[1121]:<MDS-CS_SERVER19_MDS-CS_1>:<INFO >:<LAYER = IPPP, DEVICEPIN = 22d8405e, DOMAINNAME = bsmhandler, CONNECTION_TYPE = DEVICE_CONN, ConnectionId = 1206734760, DURATION(ms) = 11, MFH_KBytes = 0.134, MTH_KBytes = 0.017, MFH_PACKET_COUNT = 1, MTH_PACKET_COUNT = 1>
<2012-08-22 16:17:58.280 BST>:[1122]:<MDS-CS_SERVER19_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, EVENT = RemovedReceivingQueue, USERID:CONNECTIONID = u1:1206734760, ReceivingQueueSize = 0>
<2012-08-22 16:17:58.280 BST>:[1123]:<MDS-CS_SERVER19_MDS-CS_1>:<DEBUG>:<LAYER = SRP, SRPID = T35501658[SERVER19:3200], EVENT = Sending, VERSION = 1, COMMAND = SEND, TAG = 1313210385, SIZE = 154>
<2012-08-22 16:17:58.811 BST>:[1124]:<MDS-CS_SERVER19_MDS-CS_1>:<DEBUG>:<LAYER = SRP, SRPID = T35501658[SERVER19:3200], EVENT = Receiving, VERSION = 1, COMMAND = STATUS, TAG = 1313210385, SIZE = 10, STATE = DELIVERED>
<2012-08-22 16:17:58.812 BST>:[1125]:<MDS-CS_SERVER19_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, EVENT = Notification, TAG = 1313210385, STATE = DELIVERED>
<2012-08-22 16:18:03.541 BST>:[1126]:<MDS-CS_SERVER19_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, EVENT = RemovedSendingQueue, DEVICEPIN = 22d8405e, USERID = u1>
<2012-08-22 16:18:09.627 BST>:[1127]:<MDS-CS_SERVER19_MDS-CS_1>:<DEBUG>:<LAYER = SRP, SRPID = T35501658[SERVER19:3200], EVENT = Receiving, VERSION = 1, COMMAND = RECEIVE, TAG = 6263, SIZE = 282>
<2012-08-22 16:18:09.627 BST>:[1128]:<MDS-CS_SERVER19_MDS-CS_1>:<DEBUG>:<LAYER = SRP, SRPID = T35501658[SERVER19:3200], EVENT = Sending, VERSION = 1, COMMAND = RECEIVE, TAG = 6263, SIZE = 10>
<2012-08-22 16:18:09.627 BST>:[1129]:<MDS-CS_SERVER19_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, EVENT = Receiving, TAG = -2075799121, DEVICEPIN = 22d8405e, USERID = u1, VERSION = 16, CONNECTIONID = 1206734761, SEQUENCE = 0, TYPE = CONNECTION-REQUEST, CONNECTIONHANDLER = defaulthandlernio, PROTOCOL = tcpchannel, PARAMETERS = [www.amazon.co.uk:443], SIZE = 98>
<2012-08-22 16:18:09.628 BST>:[1130]:<MDS-CS_SERVER19_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, EVENT = CreatedReceivingQueue, USERID:CONNECTIONID = u1:1206734761, ReceivingQueueSize = 1>
<2012-08-22 16:18:09.628 BST>:[1131]:<MDS-CS_SERVER19_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, EVENT = StartExecuting, TAG = -2075799121, DEVICEPIN = 22d8405e, USERID = u1, VERSION = 16, CONNECTIONID = 1206734761, SEQUENCE = 0, TYPE = CONNECTION-REQUEST, CONNECTIONHANDLER = defaulthandlernio, PROTOCOL = tcpchannel, PARAMETERS = [www.amazon.co.uk:443], SIZE = 98>
<2012-08-22 16:18:09.628 BST>:[1132]:<MDS-CS_SERVER19_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, EVENT = EndExecuting, TAG = -2075799121, DEVICEPIN = 22d8405e, USERID = u1, VERSION = 16, CONNECTIONID = 1206734761, SEQUENCE = 0, TYPE = CONNECTION-REQUEST, CONNECTIONHANDLER = defaulthandlernio, PROTOCOL = tcpchannel, PARAMETERS = [www.amazon.co.uk:443], SIZE = 98>
<2012-08-22 16:18:09.629 BST>:[1133]:<MDS-CS_SERVER19_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, u1 Not authorized to access service tcp www.amazon.co.uk:443/>
<2012-08-22 16:18:09.630 BST>:[1134]:<MDS-CS_SERVER19_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, EVENT = CreatedSendingQueue, DEVICEPIN = 22d8405e, USERID = u1>
<2012-08-22 16:18:09.630 BST>:[1135]:<MDS-CS_SERVER19_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, EVENT = Sending, TAG = 1313210386, DEVICEPIN = 22d8405e, USERID = u1, VERSION = 16, CONNECTIONID = 1206734761, SEQUENCE = 0, TYPE = DATA, SIZE = 170>
<2012-08-22 16:18:09.630 BST>:[1136]:<MDS-CS_SERVER19_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, EVENT = Sending, TAG = 1313210387, DEVICEPIN = 22d8405e, USERID = u1, VERSION = 16, CONNECTIONID = 1206734761, SEQUENCE = 1, TYPE = DISCONNECT-ORDER, SIZE = 0>
<2012-08-22 16:18:09.631 BST>:[1137]:<MDS-CS_SERVER19_MDS-CS_1>:<DEBUG>:<LAYER = SCM, Device connections: AVG latency (msecs)0>
<2012-08-22 16:18:09.631 BST>:[1138]:<MDS-CS_SERVER19_MDS-CS_1>:<DEBUG>:<LAYER = SRP, SRPID = T35501658[SERVER19:3200], EVENT = Sending, VERSION = 1, COMMAND = SEND, TAG = 1313210386, SIZE = 314>
<2012-08-22 16:18:09.631 BST>:[1139]:<MDS-CS_SERVER19_MDS-CS_1>:<INFO >:<LAYER = IPPP, DEVICEPIN = 22d8405e, DOMAINNAME = www.amazon.co.uk, CONNECTION_TYPE = DEVICE_CONN, ConnectionId = 1206734761, DURATION(ms) = 3, MFH_KBytes = 0.096, MTH_KBytes = 0.166, MFH_PACKET_COUNT = 1, MTH_PACKET_COUNT = 2>
<2012-08-22 16:18:09.631 BST>:[1140]:<MDS-CS_SERVER19_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, defaulthandlernio: DefaultJobPool-Thread-21 stopped>
<2012-08-22 16:18:09.631 BST>:[1141]:<MDS-CS_SERVER19_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, defaulthandlernio: DefaultJobPool-Thread-21 cleaned up>
<2012-08-22 16:18:09.631 BST>:[1142]:<MDS-CS_SERVER19_MDS-CS_1>:<DEBUG>:<LAYER = SCM, Channel is closed>
<2012-08-22 16:18:09.631 BST>:[1143]:<MDS-CS_SERVER19_MDS-CS_1>:<DEBUG>:<LAYER = SRP, SRPID = T35501658[SERVER19:3200], EVENT = Sending, VERSION = 1, COMMAND = SEND, TAG = 1313210387, SIZE = 138>

********************************************************

What am I doing wrong?
MDS-CS-config-screens.pdf
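
For triaging an MDAT log like the extract in the question, the following added example (not part of the original post and not BlackBerry tooling) pulls out every `Not authorized to access service` denial and joins it to the CONNECTION-REQUEST the same user made for the same host and port. The line layout is inferred only from the extract above, and matching on user plus `host:port` is an assumption of this example.

```python
import re

# MDAT line shape: <timestamp TZ>:[seq]:<instance>:<LEVEL>:<LAYER = X, ...>
LINE_RE = re.compile(
    r"^<?(?P<ts>\d{4}-\d{2}-\d{2} [\d:.]+) \w+>:\[(?P<seq>\d+)\]:<[^>]+>:"
    r"<(?P<level>\w+)\s*>:<LAYER = (?P<layer>\w+), (?P<body>.*)>\s*$"
)
DENY_RE = re.compile(r"^(?P<user>\S+) Not authorized to access service "
                     r"\w+ (?P<host>[^:/\s]+):(?P<port>\d+)/")

def find_denials(lines):
    """Return one record per IPPP denial, joined to the matching request."""
    pending = {}   # (user, "host:port") -> fields of the latest request
    denials = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m or m["layer"] != "IPPP":
            continue
        body = m["body"]
        deny = DENY_RE.match(body)
        if deny:
            target = f"{deny['host']}:{deny['port']}"
            req = pending.get((deny["user"], target), {})
            denials.append({"time": m["ts"], "user": deny["user"], "target": target,
                            "connection_id": req.get("CONNECTIONID"),
                            "handler": req.get("CONNECTIONHANDLER"),
                            "device_pin": req.get("DEVICEPIN")})
            continue
        # Other IPPP lines are comma-separated "KEY = value" pairs.
        kv = dict(p.split(" = ", 1) for p in body.split(", ") if " = " in p)
        if kv.get("TYPE") == "CONNECTION-REQUEST" and "USERID" in kv:
            pending[(kv["USERID"], kv.get("PARAMETERS", "").strip("[]"))] = kv
    return denials

# Lines [1129] and [1133] copied from the log extract on this page.
SAMPLE = [
    "<2012-08-22 16:18:09.627 BST>:[1129]:<MDS-CS_SERVER19_MDS-CS_1>:<DEBUG>:"
    "<LAYER = IPPP, EVENT = Receiving, TAG = -2075799121, DEVICEPIN = 22d8405e, "
    "USERID = u1, VERSION = 16, CONNECTIONID = 1206734761, SEQUENCE = 0, "
    "TYPE = CONNECTION-REQUEST, CONNECTIONHANDLER = defaulthandlernio, "
    "PROTOCOL = tcpchannel, PARAMETERS = [www.amazon.co.uk:443], SIZE = 98>",
    "<2012-08-22 16:18:09.629 BST>:[1133]:<MDS-CS_SERVER19_MDS-CS_1>:<DEBUG>:"
    "<LAYER = IPPP, u1 Not authorized to access service tcp www.amazon.co.uk:443/>",
]

if __name__ == "__main__":
    for record in find_denials(SAMPLE):
        print(record)
```

Run over a whole log file, the records show whether denials are confined to port 443 and to one connection handler, which narrows the search to the MDS-CS authorization settings rather than the firewall.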
1 Solution
 
SriHarsha K (Technical Services Specialist) commented:
Hi bentham1,

If you have BES enterprise you can apply the following policies:

1. Device-Only Items > Enable WAP Config = False. This will remove the carrier's WAP browser. As a downside this will also disable MMS so a separate policy is required for users who require MMS\WAP.
2. Browser Policy Group > MDS Browser Title = <company name> Internet (e.g. Company Internet). This clearly identifies the MDS browser to users.
3. Browser Policy Group > Allow IBS Browser = False. This removes the internet browsing service that allows users to bypass the MDS service.
4. Browser Policy Group > MDS Browser Use Separate Icon = True. This ensures a separate icon on the home screen for the MDS browser.
5. Service Exclusivity policy group > Allow Other Browser services = False. This will allow no other browser services except for the BlackBerry Browser to access the web (this also disables MMS).

Courtesy: http://www.blackberryforums.com.au/forums/blackberry-general-discussion/13761-unable-connect-using-current-security-settings.html
 
 
bentham1 (Author) commented:
Hi,
I had already tried these, thanks for the suggestion, I did go back through them though. Still exactly the same.
 
bentham1 (Author) commented:
We have the proxy type set to direct and firewall walls on a Checkpoint firewall to allow http and https outbound
 
SriHarsha K (Technical Services Specialist) commented:
Hi,
I am sorry to give you direct links.
But even I don't have much idea into the issue.
Please check even this:
http://www.blackberryforums.com.au/forums/microsoft-exchange/1095-how-configure-proxy-server-blackberry-mds-connection-service.html
 
bentham1 (Author) commented:
Hi,
I don't actually need a proxy, this is direct to firewall. To rule this out I can get to internal web servers and it is only when it goes to ssl that I get this issue.
I have imported the ssl cert from one of our servers as defined by BB KB article:
http://btsc.webapps.blackberry.com/btsc/viewdocument.do?externalId=KB11623&sliceId=1&cmd=displayKC&docType=kc&noCount=true&ViewedDocsListHelper=com.kanisa.apps.common.BaseViewedDocsListHelperImpl

And set all logging on and verbose, see attached log, there is no other error than:

<DEBUG>:<LAYER = IPPP, u1 Not authorized to access service tcp webapps.company.com:443/>

Could this be a policy, or are my https url rules wrong?
mdat.log
 
bentham1 (Author) commented:
Hi, Thanks for the help. I had been restarting the service throughout the changes, but I rebooted it and it started to work.
 
SriHarsha K (Technical Services Specialist) commented:
Good that it's working now.

Thank you for the points.



Cheers.