  1. t_penn
    Our company has locked down access to corporate e-mail for devices that do not sync via ActiveSync. Blackberries using BIS used to be able to circumvent this but now all BIS ports are blocked on the firewall. This was done as there was no way of enforcing the ActiveSync policy on them. I've heard the newest Blackberry O/S may provide the ability to sync via ActiveSync but have not been able to test this yet. Basically the company wants to enforce a password policy and the ability to remotely wipe the device, hence an ActiveSync policy on the Exchange 2010 server. Other devices such as iPhones, Androids, etc. are able to sync.
    Thanks for any help/insight.
    BTW - There's no BES Server.
    03-21-12 05:13 PM
  2. fire6
    When you say BIS is blocked do you mean OWA or IMAP? Without a BES server that would be your only option. Maybe you can ask your IT person to allow one of those options until the BB10 phones are released. It sounds like you will be an early adopter for BB10. If your IT person will not allow OWA or IMAP then you could set up a forwarding rule to send your work email to another address. It's not the best but set up right it works. Good luck.
    03-22-12 05:25 AM
  3. t_penn
    There are a dozen or so network ranges that the RIM servers use for the BIS Service to communicate. All of these addresses are blocked on our firewall. The reason for the block of these address ranges is because if left open, our employees were able to get their corporate e-mail on the Blackberry and bypass ActiveSync policies which would require them to have a device lock and give the IT Dept the ability to remotely wipe the device if it were lost or stolen. We don't necessarily mind them getting their e-mail on their personal devices but we want to maintain at least a simple level of security. The users are able to access their e-mail on remote computers using OWA but if the only way for a Blackberry to access OWA is using BIS, then I guess they are out of luck. I was just trying to find out if it is possible for a Blackberry to sync via ActiveSync using the same ports, etc as iPhone, Androids, etc. I had heard rumours that the newest devices may have that capability but everything I've read so far indicates that it would still require the BIS service.

    Thanks
    03-22-12 04:21 PM
  4. cletis
    There are a dozen or so network ranges that the RIM servers use for the BIS Service to communicate. All of these addresses are blocked on our firewall. The reason for the block of these address ranges is because if left open, our employees were able to get their corporate e-mail on the Blackberry and bypass ActiveSync policies which would require them to have a device lock and give the IT Dept the ability to remotely wipe the device if it were lost or stolen. We don't necessarily mind them getting their e-mail on their personal devices but we want to maintain at least a simple level of security. The users are able to access their e-mail on remote computers using OWA but if the only way for a Blackberry to access OWA is using BIS, then I guess they are out of luck. I was just trying to find out if it is possible for a Blackberry to sync via ActiveSync using the same ports, etc as iPhone, Androids, etc. I had heard rumours that the newest devices may have that capability but everything I've read so far indicates that it would still require the BIS service.

    Thanks
    BIS merely provides Internet access to the BB device; so the ports a BIS-enabled BB uses to access your Exchange server are either http ports, pop or imap ports, or EAS (Exchange ActiveSync) ports -- in exactly the way that any other remote computer or Web-enabled phone would. So unless I'm missing something about BIS, there's no way to block BIS access to EAS without also blocking all other EAS access. Your first sentence above, however, suggests that I am missing something. What are these dedicated BIS ports, and with which server is the remote BB opening a session over them? Is the Exchange server the one listening on these ports? Or do you also have a BES server in your enterprise that you haven't mentioned?

    What is the likelihood that the ports to which you refer are actually the EAS ports, so that NO device can use EAS through the firewall, and the iOS and Android devices that you say can sync with these ports are only able to do so via either internal WiFi or a corporate VPN?
    03-23-12 10:00 AM
  5. t_penn
    Below is a link to the BIS address ranges that have been blocked on our firewall. Blackberries were able to sync messages previous to these ranges being blocked but as previously mentioned, bypassed ActiveSync policies in place. Now that these ranges are blocked, Blackberries are no longer able to sync messaging. Other devices such as iPhones and Androids are unaffected by this and continue to sync successfully without the need of a VPN connection. I believe this is because they are communicating directly with our Exchange 2010 server.
    I suspect that it is the RIM BIS servers that are actually logging in and providing the synchronization of messages so it's not a "true" EAS connection from the device itself. If BIS only supplied internet access to Blackberry devices, does that then mean that a Blackberry will work with a smartphone data plan instead of a BIS plan? In other words, take a SIM from an iPhone and insert it in the Blackberry as an example.
    There is no BES server in place.
    If there is a way of providing EAS support to Blackberries AND ensure ActiveSync policies are enforced, we would implement but there cannot be any added cost. The Blackberries are employee-owned devices.

    KB11036-Firewall and connection requirements for the BlackBerry Internet Service
    Last edited by t_penn; 03-23-12 at 12:04 PM.
    03-23-12 11:57 AM
  6. cletis
    I misread your second post, so my response was not directly relevant; sorry.

    You're asking whether the QNX- and BB10-based EAS client supports policies set on the Exchange server. This thread suggests that the current answer is "partially."

    One could speculate that this might remain the case, since RIM has an interest in maintaining a feature set advantage in BlackBerry Mobile Fusion, as no one would buy it if they could achieve the same thing natively within their existing Exchange infrastructure.
    03-23-12 01:30 PM
  7. t_penn
    That thread is a similar situation to what we are experiencing. I missed it when searching the forums for this type of issue. Thanks!
    So to wrap this up, it seems like what we'd like to do is not currently possible but I will keep looking in case there are further developments that eventually allow this . . . reliably.
    Thanks again.
    03-23-12 02:40 PM
  8. TheScionicMan
    The PlayBook native Mail app uses EAS. Don't know if this will be changed for BB10 but I would imagine it would be another option offered.
    03-23-12 02:55 PM
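
The block described in post 5 can be verified from the Exchange side. The following is an added example, not part of the thread: it scans connection records for mail access that originates from relay-service ranges and names the channel used (EAS, OWA or IMAP). The log format, the sample lines and the CIDR ranges are constructed placeholders; the real BIS ranges are in the KB article linked in post 5.

```python
import ipaddress

# Placeholder relay ranges (RFC 5737 documentation networks), assumed for
# illustration. Substitute the ranges from the KB article linked in the thread.
RELAY_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]

# Constructed sample records: "timestamp source_ip dest_port url_path"
SAMPLE_LOG = """\
2012-03-23T10:00:01 203.0.113.10 443 /Microsoft-Server-ActiveSync
2012-03-23T10:00:05 192.0.2.44 443 /owa/
2012-03-23T10:00:09 198.51.100.200 993 -
2012-03-23T10:00:12 198.51.100.7 993 -
2012-03-23T10:00:20 203.0.113.77 443 /owa/
not a log line
"""

def channel(port, path):
    """Name the mail access channel from destination port and URL path."""
    p = path.lower()
    if port == 443 and p.startswith("/microsoft-server-activesync"):
        return "EAS"   # the only channel where the ActiveSync policy applies
    if port == 443 and p.startswith("/owa"):
        return "OWA"
    if port in (143, 993):
        return "IMAP"
    return "OTHER"

def from_relay(ip):
    """True when the address falls inside any relay CIDR (not a string prefix match)."""
    return any(ip in net for net in RELAY_RANGES)

def audit(log_text):
    """Return (findings, skipped): relay-sourced mail access and unparsable lines."""
    findings, skipped = [], 0
    for line in log_text.splitlines():
        try:
            ts, src, port, path = line.split()
            ip, port = ipaddress.ip_address(src), int(port)
        except ValueError:          # wrong field count, bad IP or bad port
            skipped += 1
            continue
        if from_relay(ip):
            findings.append((ts, src, channel(port, path)))
    return findings, skipped

if __name__ == "__main__":
    for ts, src, chan in audit(SAMPLE_LOG)[0]:
        print(f"{ts} relay source {src} reached mailbox via {chan}")
```

Any finding after the firewall change means a relay range is missing from the block list or a path around the firewall exists.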