Re: [Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread Jonathan Barker
BIS uses IMAP and POP3.  Are you sure it's turned off?

Other options include offline sync using Desktop manager or a 3rd-party EAS 
bridge like AstraSync.

From: bes-admins-boun...@dataoutages.com 
[mailto:bes-admins-boun...@dataoutages.com] On Behalf Of Darhl Thomason
Sent: Tuesday, July 20, 2010 9:55 AM
To: 'bes-admins@dataoutages.com'
Subject: [Bes-admins] Prevent personal Blackberries from accessing company email

I just found out that we have people with personal Blackberries accessing their 
company email, they are definitely not set up on my BES, so I'm guessing they 
must be using BIS.  How can I prevent them from accessing their company email 
on their personal devices?  I know it's not via IMAP or POP3, we have that 
turned off at the Exchange level.

Thanks!

Darhl Thomason | SysAdmin | Business Technology
Papa Murphy's Int'l. | d 360-449-4044 | c 360-607-5617 | 
www.papamurphys.com



Consumer-voted Best Pizza Chain in America 2003-2009


___
Bes-Admins mailing list
Bes-Admins@dataoutages.com
http://www.dataoutages.com/mailman/listinfo/bes-admins
http://www.dataoutages.com
http://www.dataoutagenews.com
RSS Feed: http://feeds.feedburner.com/Bes-admins
-
Bes-Admins mailing list is sponsored by Dataoutagenews.com. 
http://www.dataoutagenews.com

Re: [Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread hdawg
BIS can also use OWA. See:
http://www.port3101.org/featured-blackberry-kb-articles/792-kb11036-firewall-connection-requirements-blackberry-internet-service.html
for a list of what IP's BIS connections are coming from.  Block these inbound 
connections at the firewall and you've blocked BIS.

 

From: bes-admins-boun...@dataoutages.com 
[mailto:bes-admins-boun...@dataoutages.com] On Behalf Of Jonathan Barker
Sent: Tuesday, July 20, 2010 1:09 PM
To: A list for BES Admin's to discuss issues, etc.
Subject: Re: [Bes-admins] Prevent personal Blackberries from accessing company 
email

 

BIS uses IMAP and POP3.  Are you sure it's turned off?

 

Other options include offline sync using Desktop manager or a 3rd-party EAS 
bridge like AstraSync.

 

From: bes-admins-boun...@dataoutages.com 
[mailto:bes-admins-boun...@dataoutages.com] On Behalf Of Darhl Thomason
Sent: Tuesday, July 20, 2010 9:55 AM
To: 'bes-admins@dataoutages.com'
Subject: [Bes-admins] Prevent personal Blackberries from accessing company email

 

I just found out that we have people with personal Blackberries accessing their 
company email, they are definitely not set up on my
BES, so I'm guessing they must be using BIS.  How can I prevent them from 
accessing their company email on their personal devices?
I know it's not via IMAP or POP3, we have that turned off at the Exchange level.

 

Thanks!

 

Darhl Thomason | SysAdmin | Business Technology

Papa Murphy's Int'l. | d 360-449-4044 | c 360-607-5617 |  
www.papamurphys.com


Consumer-voted Best Pizza Chain in America 2003-2009
 

Re: [Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread Josh Armour
Yes, it's usually IMAP/POP3 for BIS access.

I have considered identifying RIM's BIS IP range and blocking at the
firewall level.  If those IP's are only used for BIS email access and I don't
want that.

What about IT Policy that blocks the service book?  I think that this would
only block the sending but the users would end up contacting helpdesk then
right?  I suddenly can't send emails any more?, Oh you are setup with
BIS!

--
Josh Armour
MobileOps - Sysadmin
jarm...@google.com
(541) 205-4262
--



On Tue, Jul 20, 2010 at 10:09 AM, Jonathan Barker 
jonathanbar...@quinnemanuel.com wrote:

  BIS uses IMAP and POP3.  Are you sure it’s turned off?



 Other options include offline sync using Desktop manager or a 3rd-party
 EAS bridge like AstraSync.



 *From:* bes-admins-boun...@dataoutages.com [mailto:
 bes-admins-boun...@dataoutages.com] *On Behalf Of *Darhl Thomason
 *Sent:* Tuesday, July 20, 2010 9:55 AM
 *To:* 'bes-admins@dataoutages.com'
 *Subject:* [Bes-admins] Prevent personal Blackberries from accessing
 company email



 I just found out that we have people with personal Blackberries accessing
 their company email, they are definitely not set up on my BES, so I’m
 guessing they must be using BIS.  How can I prevent them from accessing
 their company email on their personal devices?  I know it’s not via IMAP or
 POP3, we have that turned off at the Exchange level.



 Thanks!



 *Darhl Thomason *| SysAdmin | Business Technology

 *Papa Murphy’s* Int'l. | *d* 360-449-4044 | *c* 360-607-5617 |
 www.papamurphys.com

 

 Consumer-voted Best Pizza Chain in America 2003-2009





Re: [Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread hdawg
Yes:
http://www.port3101.org/featured-blackberry-kb-articles/793-kb03735-firewall-connection-requirements-blackberry-enterprise-server.html.

Keep in mind that all you have to do is explicitly deny port 80/443 to these IP 
addresses to block access to OWA.  Also, keep in mind that with BES you're 
making an outbound-initiated connection and the RIM NOC never initiates a 
connection inbound ... and even at that you only need TCP port 3101 open to 
these IPs.

 

Hope this helps.

 

From: bes-admins-boun...@dataoutages.com 
[mailto:bes-admins-boun...@dataoutages.com] On Behalf Of Darhl Thomason
Sent: Tuesday, July 20, 2010 1:28 PM
To: A list for BES Admin's to discuss issues, etc.
Subject: Re: [Bes-admins] Prevent personal Blackberries from accessing company 
email

 

HDawg,

 

This looks to be the most promising solution.  Is there another list that shows 
the BES IP's?  I'd want to make sure that they were
allowed, the ranges provided for BIS are pretty large and I wouldn't be 
surprised if they overlap to some degree.

 

Thanks!

 

Darhl Thomason | SysAdmin | Business Technology

Papa Murphy's Int'l. | d 360-449-4044 | c 360-607-5617 |  
www.papamurphys.com

 

From: bes-admins-boun...@dataoutages.com 
[mailto:bes-admins-boun...@dataoutages.com] On Behalf Of hdawg
Sent: Tuesday, July 20, 2010 10:13 AM
To: A list for BES Admin's to discuss issues, etc.
Subject: Re: [Bes-admins] Prevent personal Blackberries from accessing company 
email

 

BIS can also use OWA. See:
http://www.port3101.org/featured-blackberry-kb-articles/792-kb11036-firewall-connection-requirements-blackberry-internet-service.html
for a list of what IP's BIS connections are coming from.  Block these inbound 
connections at the firewall and you've blocked BIS.

 

From: bes-admins-boun...@dataoutages.com 
[mailto:bes-admins-boun...@dataoutages.com] On Behalf Of Jonathan Barker
Sent: Tuesday, July 20, 2010 1:09 PM
To: A list for BES Admin's to discuss issues, etc.
Subject: Re: [Bes-admins] Prevent personal Blackberries from accessing company 
email

 

BIS uses IMAP and POP3.  Are you sure it's turned off?

 

Other options include offline sync using Desktop manager or a 3rd-party EAS 
bridge like AstraSync.

 

From: bes-admins-boun...@dataoutages.com 
[mailto:bes-admins-boun...@dataoutages.com] On Behalf Of Darhl Thomason
Sent: Tuesday, July 20, 2010 9:55 AM
To: 'bes-admins@dataoutages.com'
Subject: [Bes-admins] Prevent personal Blackberries from accessing company email

 

I just found out that we have people with personal Blackberries accessing their 
company email, they are definitely not set up on my
BES, so I'm guessing they must be using BIS.  How can I prevent them from 
accessing their company email on their personal devices?
I know it's not via IMAP or POP3, we have that turned off at the Exchange level.

 

Thanks!

 

Darhl Thomason | SysAdmin | Business Technology

Papa Murphy's Int'l. | d 360-449-4044 | c 360-607-5617 |  
www.papamurphys.com


Consumer-voted Best Pizza Chain in America 2003-2009
 


Re: [Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread Darhl Thomason
HDawg,

Your post shows these addresses as the BIS servers:

BIS IP Range
206.51.26.0/24
193.109.81.0/24
204.187.87.0/24
206.53.144.0/20
216.9.240.0/20
67.233.64.0/19
93.186.16.0/20
68.171.224.0/19

Another post on your site 
http://www.port3101.org/featured-blackberry-kb-articles/793-kb03735-firewall-connection-requirements-blackberry-enterprise-server.html
shows the same IP range for BES:

BES IP Range
206.51.26.0/24
193.109.81.0/24
204.187.87.0/24
216.9.240.0/20
206.53.144.0/20
67.223.64.0/19
93.186.16.0/20
68.171.224.0/19


Which means that I can't block those IP's or BES stops working as well.

Back to the drawing board...

Darhl Thomason | SysAdmin | Business Technology
Papa Murphy's Int'l. | d 360-449-4044 | c 360-607-5617 | 
www.papamurphys.com

From: bes-admins-boun...@dataoutages.com 
[mailto:bes-admins-boun...@dataoutages.com] On Behalf Of Darhl Thomason
Sent: Tuesday, July 20, 2010 10:28 AM
To: A list for BES Admin's to discuss issues, etc.
Subject: Re: [Bes-admins] Prevent personal Blackberries from accessing company 
email

HDawg,

This looks to be the most promising solution.  Is there another list that shows 
the BES IP's?  I'd want to make sure that they were allowed, the ranges 
provided for BIS are pretty large and I wouldn't be surprised if they overlap 
to some degree.

Thanks!

Darhl Thomason | SysAdmin | Business Technology
Papa Murphy's Int'l. | d 360-449-4044 | c 360-607-5617 | 
www.papamurphys.com

From: bes-admins-boun...@dataoutages.com 
[mailto:bes-admins-boun...@dataoutages.com] On Behalf Of hdawg
Sent: Tuesday, July 20, 2010 10:13 AM
To: A list for BES Admin's to discuss issues, etc.
Subject: Re: [Bes-admins] Prevent personal Blackberries from accessing company 
email

BIS can also use OWA. See: 
http://www.port3101.org/featured-blackberry-kb-articles/792-kb11036-firewall-connection-requirements-blackberry-internet-service.html
 for a list of what IP's BIS connections are coming from.  Block these inbound 
connections at the firewall and you've blocked BIS.

From: bes-admins-boun...@dataoutages.com 
[mailto:bes-admins-boun...@dataoutages.com] On Behalf Of Jonathan Barker
Sent: Tuesday, July 20, 2010 1:09 PM
To: A list for BES Admin's to discuss issues, etc.
Subject: Re: [Bes-admins] Prevent personal Blackberries from accessing company 
email

BIS uses IMAP and POP3.  Are you sure it's turned off?

Other options include offline sync using Desktop manager or a 3rd-party EAS 
bridge like AstraSync.

From: bes-admins-boun...@dataoutages.com 
[mailto:bes-admins-boun...@dataoutages.com] On Behalf Of Darhl Thomason
Sent: Tuesday, July 20, 2010 9:55 AM
To: 'bes-admins@dataoutages.com'
Subject: [Bes-admins] Prevent personal Blackberries from accessing company email

I just found out that we have people with personal Blackberries accessing their 
company email, they are definitely not set up on my BES, so I'm guessing they 
must be using BIS.  How can I prevent them from accessing their company email 
on their personal devices?  I know it's not via IMAP or POP3, we have that 
turned off at the Exchange level.

Thanks!

Darhl Thomason | SysAdmin | Business Technology
Papa Murphy's Int'l. | d 360-449-4044 | c 360-607-5617 | 
www.papamurphys.com



Consumer-voted Best Pizza Chain in America 2003-2009






Re: [Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread Darhl Thomason
Just saw that, didn't realize that BES was outbound initiated, but good to know 
that I can block the inbound 80/443 from that IP range to block the BIS.

Thanks!

Darhl Thomason | SysAdmin | Business Technology
Papa Murphy's Int'l. | d 360-449-4044 | c 360-607-5617 | 
www.papamurphys.com

From: bes-admins-boun...@dataoutages.com 
[mailto:bes-admins-boun...@dataoutages.com] On Behalf Of hdawg
Sent: Tuesday, July 20, 2010 10:39 AM
To: A list for BES Admin's to discuss issues, etc.
Subject: Re: [Bes-admins] Prevent personal Blackberries from accessing company 
email

Yes: 
http://www.port3101.org/featured-blackberry-kb-articles/793-kb03735-firewall-connection-requirements-blackberry-enterprise-server.html.

Keep in mind that all you have to do is explicitly deny port 80/443 to these IP 
addresses to block access to OWA.  Also, keep in mind that with BES you're 
making an outbound-initiated connection and the RIM NOC never initiates a 
connection inbound ... and even at that you only need TCP port 3101 open to 
these IPs.

Hope this helps.

From: bes-admins-boun...@dataoutages.com 
[mailto:bes-admins-boun...@dataoutages.com] On Behalf Of Darhl Thomason
Sent: Tuesday, July 20, 2010 1:28 PM
To: A list for BES Admin's to discuss issues, etc.
Subject: Re: [Bes-admins] Prevent personal Blackberries from accessing company 
email

HDawg,

This looks to be the most promising solution.  Is there another list that shows 
the BES IP's?  I'd want to make sure that they were allowed, the ranges 
provided for BIS are pretty large and I wouldn't be surprised if they overlap 
to some degree.

Thanks!

Darhl Thomason | SysAdmin | Business Technology
Papa Murphy's Int'l. | d 360-449-4044 | c 360-607-5617 | 
www.papamurphys.com

From: bes-admins-boun...@dataoutages.com 
[mailto:bes-admins-boun...@dataoutages.com] On Behalf Of hdawg
Sent: Tuesday, July 20, 2010 10:13 AM
To: A list for BES Admin's to discuss issues, etc.
Subject: Re: [Bes-admins] Prevent personal Blackberries from accessing company 
email

BIS can also use OWA. See: 
http://www.port3101.org/featured-blackberry-kb-articles/792-kb11036-firewall-connection-requirements-blackberry-internet-service.html
 for a list of what IP's BIS connections are coming from.  Block these inbound 
connections at the firewall and you've blocked BIS.

From: bes-admins-boun...@dataoutages.com 
[mailto:bes-admins-boun...@dataoutages.com] On Behalf Of Jonathan Barker
Sent: Tuesday, July 20, 2010 1:09 PM
To: A list for BES Admin's to discuss issues, etc.
Subject: Re: [Bes-admins] Prevent personal Blackberries from accessing company 
email

BIS uses IMAP and POP3.  Are you sure it's turned off?

Other options include offline sync using Desktop manager or a 3rd-party EAS 
bridge like AstraSync.

From: bes-admins-boun...@dataoutages.com 
[mailto:bes-admins-boun...@dataoutages.com] On Behalf Of Darhl Thomason
Sent: Tuesday, July 20, 2010 9:55 AM
To: 'bes-admins@dataoutages.com'
Subject: [Bes-admins] Prevent personal Blackberries from accessing company email

I just found out that we have people with personal Blackberries accessing their 
company email, they are definitely not set up on my BES, so I'm guessing they 
must be using BIS.  How can I prevent them from accessing their company email 
on their personal devices?  I know it's not via IMAP or POP3, we have that 
turned off at the Exchange level.

Thanks!

Darhl Thomason | SysAdmin | Business Technology
Papa Murphy's Int'l. | d 360-449-4044 | c 360-607-5617 | 
www.papamurphys.com



Consumer-voted Best Pizza Chain in America 2003-2009






Re: [Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread Darhl Thomason
Yes, I got it, sorry.  I had sent this before your other message hit my inbox.  
I was just too quick on the reply.

d

Darhl Thomason | SysAdmin | Business Technology
Papa Murphy's Int'l. | d 360-449-4044 | c 360-607-5617 | 
www.papamurphys.com

From: bes-admins-boun...@dataoutages.com 
[mailto:bes-admins-boun...@dataoutages.com] On Behalf Of hdawg
Sent: Tuesday, July 20, 2010 11:03 AM
To: A list for BES Admin's to discuss issues, etc.
Subject: Re: [Bes-admins] Prevent personal Blackberries from accessing company 
email

Sigh.

You don't need to outright block all inbound access to those IP addresses; just 
port 80 and 443 ... or whatever ports you have IIS serving OWA running on.  
That said, you could also block all inbound/outbound traffic to those IPs with 
the exception of TCP port 3101 outbound initiated.  Remember, the NOC doesn't 
make any inbound connections; the BES makes a connection to the NOC, holds that 
session open and all the data flows through it.  Much in the same way that when 
you make a VPN connection you establish a direct connection with an endpoint.  
You initiate the connection and provide some form of credential to authenticate 
... BES does the same thing with the SRP Key and Auth Id.

That SRP connection always stays open ... if it closes / drops, communication 
between the BES and HHs stops.

From: bes-admins-boun...@dataoutages.com 
[mailto:bes-admins-boun...@dataoutages.com] On Behalf Of Darhl Thomason
Sent: Tuesday, July 20, 2010 1:43 PM
To: A list for BES Admin's to discuss issues, etc.
Subject: Re: [Bes-admins] Prevent personal Blackberries from accessing company 
email

HDawg,

Your post shows these addresses as the BIS servers:

BIS IP Range
206.51.26.0/24
193.109.81.0/24
204.187.87.0/24
206.53.144.0/20
216.9.240.0/20
67.233.64.0/19
93.186.16.0/20
68.171.224.0/19

Another post on your site 
http://www.port3101.org/featured-blackberry-kb-articles/793-kb03735-firewall-connection-requirements-blackberry-enterprise-server.html
shows the same IP range for BES:

BES IP Range
206.51.26.0/24
193.109.81.0/24
204.187.87.0/24
216.9.240.0/20
206.53.144.0/20
67.223.64.0/19
93.186.16.0/20
68.171.224.0/19


Which means that I can't block those IP's or BES stops working as well.

Back to the drawing board...

Darhl Thomason | SysAdmin | Business Technology
Papa Murphy's Int'l. | d 360-449-4044 | c 360-607-5617 | 
www.papamurphys.com

From: bes-admins-boun...@dataoutages.com 
[mailto:bes-admins-boun...@dataoutages.com] On Behalf Of Darhl Thomason
Sent: Tuesday, July 20, 2010 10:28 AM
To: A list for BES Admin's to discuss issues, etc.
Subject: Re: [Bes-admins] Prevent personal Blackberries from accessing company 
email

HDawg,

This looks to be the most promising solution.  Is there another list that shows 
the BES IP's?  I'd want to make sure that they were allowed, the ranges 
provided for BIS are pretty large and I wouldn't be surprised if they overlap 
to some degree.

Thanks!

Darhl Thomason | SysAdmin | Business Technology
Papa Murphy's Int'l. | d 360-449-4044 | c 360-607-5617 | 
www.papamurphys.com

From: bes-admins-boun...@dataoutages.com 
[mailto:bes-admins-boun...@dataoutages.com] On Behalf Of hdawg
Sent: Tuesday, July 20, 2010 10:13 AM
To: A list for BES Admin's to discuss issues, etc.
Subject: Re: [Bes-admins] Prevent personal Blackberries from accessing company 
email

BIS can also use OWA. See: 
http://www.port3101.org/featured-blackberry-kb-articles/792-kb11036-firewall-connection-requirements-blackberry-internet-service.html
 for a list of what IP's BIS connections are coming from.  Block these inbound 
connections at the firewall and you've blocked BIS.

From: bes-admins-boun...@dataoutages.com 
[mailto:bes-admins-boun...@dataoutages.com] On Behalf Of Jonathan Barker
Sent: Tuesday, July 20, 2010 1:09 PM
To: A list for BES Admin's to discuss issues, etc.
Subject: Re: [Bes-admins] Prevent personal Blackberries from accessing company 
email

BIS uses IMAP and POP3.  Are you sure it's turned off?

Other options include offline sync using Desktop manager or a 3rd-party EAS 
bridge like AstraSync.

From: bes-admins-boun...@dataoutages.com 
[mailto:bes-admins-boun...@dataoutages.com] On Behalf Of Darhl Thomason
Sent: Tuesday, July 20, 2010 9:55 AM
To: 'bes-admins@dataoutages.com'
Subject: [Bes-admins] Prevent personal Blackberries from accessing company email

I just found out that we have people with personal Blackberries accessing their 
company email, they are definitely not set up on my BES, so I'm guessing they 
must be using BIS.  How can I prevent them from accessing their company email 
on their personal devices?  I know it's not via IMAP or POP3, we have that 
turned off at the Exchange level.

Thanks!

Darhl Thomason | SysAdmin | Business Technology
Papa Murphy's Int'l. | d 360-449-4044 | c 360-607-5617 | 
www.papamurphys.com
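
The filtering hdawg describes in this thread, modelled as an added Python example (not written by any poster and not RIM's code). The function names, the `strict` switch and the sample address 198.51.100.7 are assumptions made here; the CIDR ranges are the ones quoted in the thread, kept exactly as posted.

```python
import ipaddress

# CIDR ranges exactly as quoted in the thread. The BIS list has 67.233.64.0/19
# where the BES list has 67.223.64.0/19; both are kept as posted.
BIS_RANGES = ["206.51.26.0/24", "193.109.81.0/24", "204.187.87.0/24",
              "206.53.144.0/20", "216.9.240.0/20", "67.233.64.0/19",
              "93.186.16.0/20", "68.171.224.0/19"]
BES_RANGES = ["206.51.26.0/24", "193.109.81.0/24", "204.187.87.0/24",
              "216.9.240.0/20", "206.53.144.0/20", "67.223.64.0/19",
              "93.186.16.0/20", "68.171.224.0/19"]

OWA_PORTS = {80, 443}  # "or whatever ports you have IIS serving OWA running on"
SRP_PORT = 3101        # BES -> RIM NOC session, always initiated from the BES


def nets(cidrs):
    """Parse a list of CIDR strings into network objects."""
    return [ipaddress.ip_network(c) for c in cidrs]


def shared_ranges(a, b):
    """Ranges from list a that overlap at least one range in list b."""
    return [str(x) for x in nets(a) if any(x.overlaps(y) for y in nets(b))]


def is_rim(ip):
    """True if ip falls in any range the thread lists for BIS or BES."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets(BIS_RANGES + BES_RANGES))


def decide(direction, remote_ip, dst_port, proto="tcp", strict=False):
    """Verdict for a NEW connection; replies on an established session follow
    the firewall's state table and are not modelled here.

    direction: "in"  = remote_ip connects to dst_port on our side
               "out" = we connect to dst_port on remote_ip
    strict=False: deny only inbound OWA ports from the RIM ranges.
    strict=True:  deny everything to/from the RIM ranges except the BES's
                  outbound TCP 3101 session.
    Returns "allow", "deny", or "default" (left to the rest of the rule base).
    """
    if not is_rim(remote_ip):
        return "default"
    if direction == "out" and proto == "tcp" and dst_port == SRP_PORT:
        return "allow"
    if strict:
        return "deny"
    if direction == "in" and proto == "tcp" and dst_port in OWA_PORTS:
        return "deny"
    return "default"


if __name__ == "__main__":
    print("shared ranges:", shared_ranges(BIS_RANGES, BES_RANGES))
    # Constructed sample connections; 198.51.100.7 is a documentation address.
    samples = [("in", "206.53.144.10", 443), ("out", "206.53.144.10", 3101),
               ("in", "206.53.144.10", 25), ("in", "198.51.100.7", 443)]
    for direction, ip, port in samples:
        print(direction, ip, port, decide(direction, ip, port),
              decide(direction, ip, port, strict=True))
```

The overlap check shows why filtering on address alone cannot separate BIS from BES, while the direction and port of the new connection can.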