Sigh.

 

You don't need to outright block all inbound access to those IP addresses; just
port 80 and 443, or whatever ports you have IIS serving OWA running on.  That
said, you could also block all inbound/outbound traffic to those IPs with the
exception of TCP port 3101 outbound initiated.  Remember, the NOC doesn't make
any inbound connections; the BES makes a connection to the NOC, holds that
session open and all the data flows through it.  Much in the same way that when
you make a VPN connection you establish a direct connection with an endpoint.
You initiate the connection and provide some form of credential to
authenticate; BES does the same thing with the SRP Key and Auth Id.

 

That SRP connection always stays open; if it closes / drops, communication
between the BES and HHs stops.
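The direction-and-port policy described in this reply, as an added example that is not part of the original message. The `decide` function, its `strict` flag and the sample flows are hypothetical; the CIDR ranges are the BIS list as posted further down this thread, and reply traffic on an established session is assumed to be handled by the firewall's state tracking.

```python
import ipaddress

# Ranges copied from the BIS list quoted in this thread.
RIM_RANGES = [ipaddress.ip_network(c) for c in (
    "206.51.26.0/24", "193.109.81.0/24", "204.187.87.0/24", "206.53.144.0/20",
    "216.9.240.0/20", "67.233.64.0/19", "93.186.16.0/20", "68.171.224.0/19")]

OWA_PORTS = {80, 443}  # ports IIS serves OWA on; adjust to the deployment
SRP_PORT = 3101        # BES -> NOC session, always initiated from inside


def in_rim(ip):
    """True if ip falls inside any of the listed ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RIM_RANGES)


def decide(direction, remote_ip, proto, dport, strict=False):
    """Verdict for a NEW connection: 'allow', 'deny' or 'no-match'.

    direction is 'in' (remote host initiates) or 'out' (internal host
    initiates). strict=True models the tighter variant from the message:
    drop everything to or from the ranges except outbound TCP 3101.
    """
    if not in_rim(remote_ip):
        return "no-match"              # left to the rest of the rule set
    if direction == "out" and proto == "tcp" and dport == SRP_PORT:
        return "allow"                 # BES dialing the NOC over SRP
    if strict:
        return "deny"
    if direction == "in" and proto == "tcp" and dport in OWA_PORTS:
        return "deny"                  # connection from the ranges to OWA
    return "no-match"


# Constructed sample flows: (direction, remote address, protocol, dest port)
SAMPLE_FLOWS = [
    ("in", "206.51.26.10", "tcp", 443),    # listed range reaching OWA
    ("out", "206.51.26.10", "tcp", 3101),  # BES opening its SRP session
    ("in", "198.51.100.7", "tcp", 443),    # ordinary OWA user elsewhere
    ("out", "93.186.20.1", "tcp", 443),    # other traffic toward the ranges
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, decide(*flow), decide(*flow, strict=True))
```

Because the BES session is outbound-initiated, both variants keep it working even though the BIS and BES lists cover the same addresses.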

 

From: [email protected] 
[mailto:[email protected]] On Behalf Of Darhl Thomason
Sent: Tuesday, July 20, 2010 1:43 PM
To: A list for BES Admin's to discuss issues, etc.
Subject: Re: [Bes-admins] Prevent personal Blackberries from accessing company 
email

 

HDawg,

 

Your post shows these addresses as the BIS servers:


BIS IP Range

206.51.26.0/24
193.109.81.0/24
204.187.87.0/24
206.53.144.0/20
216.9.240.0/20
67.233.64.0/19
93.186.16.0/20
68.171.224.0/19

 

Another post on your site
http://www.port3101.org/featured-blackberry-kb-articles/793-kb03735-firewall-connection-requirements-blackberry-enterprise-server.html
shows the same IP range for BES:


BES IP Range

206.51.26.0/24
193.109.81.0/24
204.187.87.0/24
216.9.240.0/20
206.53.144.0/20
67.223.64.0/19
93.186.16.0/20
68.171.224.0/19

 

Which means that I can't block those IPs or BES stops working as well.

 

Back to the drawing board.

 

Darhl Thomason | SysAdmin | Business Technology

Papa Murphy's Int'l. | d 360-449-4044 | c 360-607-5617 |  
<http://www.papamurphys.com> www.papamurphys.com

 

From: [email protected] 
[mailto:[email protected]] On Behalf Of Darhl Thomason
Sent: Tuesday, July 20, 2010 10:28 AM
To: A list for BES Admin's to discuss issues, etc.
Subject: Re: [Bes-admins] Prevent personal Blackberries from accessing company 
email

 

HDawg,

 

This looks to be the most promising solution.  Is there another list that shows
the BES IPs?  I'd want to make sure that they were allowed; the ranges provided
for BIS are pretty large and I wouldn't be surprised if they overlap to some
degree.

 

Thanks!

 

Darhl Thomason | SysAdmin | Business Technology

Papa Murphy's Int'l. | d 360-449-4044 | c 360-607-5617 |  
<http://www.papamurphys.com> www.papamurphys.com

 

From: [email protected] 
[mailto:[email protected]] On Behalf Of hdawg
Sent: Tuesday, July 20, 2010 10:13 AM
To: A list for BES Admin's to discuss issues, etc.
Subject: Re: [Bes-admins] Prevent personal Blackberries from accessing company 
email

 

BIS can also use OWA. See:
http://www.port3101.org/featured-blackberry-kb-articles/792-kb11036-firewall-connection-requirements-blackberry-internet-service.html
for a list of what IPs BIS connections are coming from.  Block these inbound
connections at the firewall and you've blocked BIS.

 

From: [email protected] 
[mailto:[email protected]] On Behalf Of Jonathan Barker
Sent: Tuesday, July 20, 2010 1:09 PM
To: A list for BES Admin's to discuss issues, etc.
Subject: Re: [Bes-admins] Prevent personal Blackberries from accessing company 
email

 

BIS uses IMAP and POP3.  Are you sure it's turned off?

 

Other options include offline sync using Desktop manager or a 3rd-party EAS 
bridge like AstraSync.

 

From: [email protected] 
[mailto:[email protected]] On Behalf Of Darhl Thomason
Sent: Tuesday, July 20, 2010 9:55 AM
To: '[email protected]'
Subject: [Bes-admins] Prevent personal Blackberries from accessing company email

 

I just found out that we have people with personal Blackberries accessing their
company email. They are definitely not set up on my BES, so I'm guessing they
must be using BIS.  How can I prevent them from accessing their company email
on their personal devices?  I know it's not via IMAP or POP3; we have that
turned off at the Exchange level.

 

Thanks!

 

Darhl Thomason | SysAdmin | Business Technology

Papa Murphy's Int'l. | d 360-449-4044 | c 360-607-5617 |  
<http://www.papamurphys.com> www.papamurphys.com

------------------------------------------------------------------------------------
Consumer-voted "Best Pizza Chain in America" 2003-2009
 
_______________________________________________
Bes-Admins mailing list
[email protected]
http://www.dataoutages.com/mailman/listinfo/bes-admins
http://www.dataoutages.com
http://www.dataoutagenews.com
RSS Feed: http://feeds.feedburner.com/Bes-admins