Re: Blackberry MDS Connection Bypassing firewall

[Erik LaBianca <erik () ilsw com>]

My guess is that the best way to solve this problem would be to isolate the BES on its own system (blackberry 
recommends this anyway) and then restrict that computers egress access as necessary. All BES/MDS connections coming in 
from RIMM and through the proxy will then get handled by your regular firewall.

--erik

From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com] On 
Behalf Of miedaner
Sent: Friday, January 11, 2008 10:47 AM
To: firewall-wizards () listserv cybertrust com
Subject: [fw-wiz] Blackberry MDS Connection Bypassing firewall

Hi,

Wondering if anyone has dealt with this problem with BES.


Blackberry enterprise server is configured by default to allow TCP traffic from the Blackberry clients through the 
encrypted BES connection to a internal network.  As the Blackberries are java based some clever folks have built things 
like SSH clients for them.

The problem is that this type of access bypasses firewall and VPN rules.

I know that there are ACL's possible on the MDS connection service that allows this but I am told that it is either 
block all tcp or block none.

I am wondering if anyone knows if the BES ACl really is all or none and if anyone has implemented a solution to 
restrict internal network access through BES to only protocols like http or hhtps.

TIA

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards