We recently set up the same thing. All other Outlook access methods work fine. 
This works because the BBs connect to RIM, which then connects to your OWA 
server. Blocking RIM's IP addresses prevents unauthorized BB access. 
Since your BES is an outgoing connection, it's not affected by the inbound 
blocking.

As for blocking other devices, I put my ActiveSync/POP/IMAP users in security 
groups then call this PowerShell script 4 times a day:

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin

#Set POP3 access
# $AD = members of the security group, $EX = mailboxes with POP3 currently enabled
$AD = (get-group 'Mail_POP_Enabled').members | select ObjectGuid |
  ForEach-Object {Get-User -Identity ([string]$_.ObjectGuid)} |
  select Name, DistinguishedName
$EX = Get-CASMailbox -resultsize unlimited | where {$_.PopEnabled} |
  select Name, DistinguishedName
# Disable POP3 on enabled mailboxes whose user is not in the group
$EX | ForEach-Object {if (($AD | ForEach-Object {$_.DistinguishedName}) -notcontains $_.DistinguishedName) {Set-CASMailbox -identity $_.DistinguishedName -PopEnabled $false}}
# Enable POP3 for group members that do not have it yet
$AD | ForEach-Object {if (($EX | ForEach-Object {$_.DistinguishedName}) -notcontains $_.DistinguishedName) {Set-CASMailbox -identity $_.DistinguishedName -PopEnabled $true}}

#Set IMAP access
# Same comparison, against the IMAP group and the ImapEnabled flag
$AD = (get-group 'Mail_IMAP_Enabled').members | select ObjectGuid |
  ForEach-Object {Get-User -Identity ([string]$_.ObjectGuid)} |
  select Name, DistinguishedName
$EX = Get-CASMailbox -resultsize unlimited | where {$_.ImapEnabled} |
  select Name, DistinguishedName
$EX | ForEach-Object {if (($AD | ForEach-Object {$_.DistinguishedName}) -notcontains $_.DistinguishedName) {Set-CASMailbox -identity $_.DistinguishedName -ImapEnabled $false}}
$AD | ForEach-Object {if (($EX | ForEach-Object {$_.DistinguishedName}) -notcontains $_.DistinguishedName) {Set-CASMailbox -identity $_.DistinguishedName -ImapEnabled $true}}

#Set ActiveSync access
# Same comparison, against the ActiveSync group and the ActiveSyncEnabled flag
$AD = (get-group 'Mail_ActiveSync_Enabled').members | select ObjectGuid |
  ForEach-Object {Get-User -Identity ([string]$_.ObjectGuid)} |
  select Name, DistinguishedName
$EX = Get-CASMailbox -resultsize unlimited | where {$_.ActiveSyncEnabled} |
  select Name, DistinguishedName
$EX | ForEach-Object {if (($AD | ForEach-Object {$_.DistinguishedName}) -notcontains $_.DistinguishedName) {Set-CASMailbox -identity $_.DistinguishedName -ActiveSyncEnabled $false}}
$AD | ForEach-Object {if (($EX | ForEach-Object {$_.DistinguishedName}) -notcontains $_.DistinguishedName) {Set-CASMailbox -identity $_.DistinguishedName -ActiveSyncEnabled $true}}

This automatically turns off ActiveSync/POP/IMAP for all users, then enables the 
ones that are in the appropriate group. This way I can keep people from using 
methods that I don't want them to.

d


Darhl Thomason | SysAdmin | Business Technology
Papa Murphy's Int'l. | d 360-449-4044 | c 360-607-5617 | 
www.papamurphys.com
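
An added example, not part of the message above: the same group-versus-mailbox comparison the script performs, split into a function that only reports the pending changes so they can be reviewed or logged before Set-CASMailbox is called. The function name, parameter names and sample DNs are assumptions made for this example.

```powershell
# Added example (not the poster's script). Compares the DNs of group members
# with the DNs of mailboxes that have a protocol enabled and returns the
# changes needed to make the mailboxes match the group. No Exchange cmdlets
# are called here, so it runs on any PowerShell host.
function Get-ProtocolDrift {
    param(
        [string[]]$GroupMemberDn,   # DNs of users in the security group
        [string[]]$EnabledDn        # DNs of mailboxes with the protocol enabled
    )
    # PowerShell hashtables are case-insensitive, which suits DN comparison.
    $allowed = @{}
    $enabled = @{}
    # The "if ($dn)" guards skip $null, so an empty group yields an empty set
    # instead of a $null identity being handed to a later cmdlet.
    foreach ($dn in $GroupMemberDn) { if ($dn) { $allowed[$dn] = $true } }
    foreach ($dn in $EnabledDn)     { if ($dn) { $enabled[$dn] = $true } }

    foreach ($dn in $enabled.Keys) {
        if (-not $allowed.ContainsKey($dn)) {
            New-Object PSObject -Property @{ DistinguishedName = $dn; Action = 'Disable' }
        }
    }
    foreach ($dn in $allowed.Keys) {
        if (-not $enabled.ContainsKey($dn)) {
            New-Object PSObject -Property @{ DistinguishedName = $dn; Action = 'Enable' }
        }
    }
}

# Constructed sample data: Ann is in the group and already enabled (note the
# different letter case), Bo is in the group but not enabled, Cy is enabled
# but not in the group.
$group = @('CN=Ann Lee,OU=Staff,DC=example,DC=com',
           'CN=Bo Diaz,OU=Staff,DC=example,DC=com')
$popOn = @('cn=ann lee,ou=staff,dc=example,dc=com',
           'CN=Cy Roe,OU=Staff,DC=example,DC=com')

Get-ProtocolDrift -GroupMemberDn $group -EnabledDn $popOn |
    Format-Table Action, DistinguishedName -AutoSize

# Empty group: every enabled mailbox is reported for disabling.
Get-ProtocolDrift -GroupMemberDn $null -EnabledDn $popOn |
    Format-Table Action, DistinguishedName -AutoSize

# On the Exchange server the result would be applied per protocol, e.g.:
#   ... | ForEach-Object { Set-CASMailbox -Identity $_.DistinguishedName `
#           -PopEnabled ($_.Action -eq 'Enable') }
```

Writing the returned objects to a log on each scheduled run gives a record of who had a protocol switched on outside the group process.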

From: [email protected] 
[mailto:[email protected]] On Behalf Of Jonathan Barker
Sent: Friday, February 04, 2011 12:39 PM
To: A list for BES Admin's to discuss issues, etc.
Subject: Re: [Bes-admins] disable BIS Outlook web access?

Wonderful.

Not BES related, but has anyone had to deal with this that can pass along 
information on blocking this for other devices and services?  I'd like to keep 
Outlook over RPC and maybe Outlook for mac working...

From: [email protected] 
[mailto:[email protected]] On Behalf Of hdawg
Sent: Friday, February 04, 2011 12:05 PM
To: [email protected]
Subject: Re: [Bes-admins] disable BIS Outlook web access?

Pretty much webmail scraping ...

Block these IPs /network from OWA / POP / IMAP and you'll stop it: 
http://www.blackberry.com/btsc/KB11036.

From: [email protected] 
[mailto:[email protected]] On Behalf Of Jonathan Barker
Sent: Friday, February 04, 2011 3:03 PM
To: [email protected]
Subject: [Bes-admins] disable BIS Outlook web access?

Just discovered that you can connect a BlackBerry to webmail.  We found out 
because we had some problems with our ISA and after troubleshooting some users 
aren't able to connect.

Does anyone know of documentation on how this works or how it's set up?  Being 
able to connect a mobile device (BlackBerry or other) to webmail circumvents 
our mobile email device security policy.
