BlackBerry Forums Support Community
Old 09-19-2006, 04:33 PM   #1
cristalin
Thumbs Must Hurt
 
Join Date: Jun 2005
Model: 8310
Carrier: SFR
Posts: 74
MDS with BES4.1: how do I deny web surfing but allow access to intranet appli server?


Hi,

I have a new BES4.1 which is used for mail and also for intranet website and internal application server purposes.

The Connection service allows us to access :
- to the internal websites and application server
- and also to the internet

I would like to deny the users access to the internet ONLY, and would like to let them access the intranet website or application servers.

Can anyone help?
Thankx.
Old 09-19-2006, 07:38 PM   #2
BB_0wned
Thumbs Must Hurt
 
Join Date: Oct 2005
Model: 7290
Posts: 93

I believe there is an IT Policy to disallow external/internal connections. I don't have a BES in front of me to verify the specific names of these policies, but I'm almost certain that will control it.
Old 09-21-2006, 12:37 PM   #3
cristalin
Thumbs Must Hurt
 
Join Date: Jun 2005
Model: 8310
Carrier: SFR
Posts: 74

Hi,

That is what I thought.

But when you look at "deny external connections" you can see that it denies connections from a handheld to SMS gateways and other services offered by your telco provider (I mean all communication other than the ones which go to the BES is denied).
It seems that it is not dedicated to deny communication going from the MDS to the outside of the LAN.

Thankx
Old 09-21-2006, 12:50 PM   #4
|||||||
CrackBerry Addict
 
Join Date: Jun 2006
Model: 7100
Carrier: Rogers
Posts: 615

Point the connection service to a proxy server or something and only allow it external access.
Old 09-21-2006, 02:48 PM   #5
cristalin
Thumbs Must Hurt
 
Join Date: Jun 2005
Model: 8310
Carrier: SFR
Posts: 74

Can anyone do what I need with IT policies (I do not have a proxy)?

As I said in my last answer, the "Deny external access" policy does not meet my needs (unless I am wrong and I misunderstood something).

I need something else.

Thankx.
Old 09-21-2006, 02:51 PM   #6
|||||||
CrackBerry Addict
 
Join Date: Jun 2006
Model: 7100
Carrier: Rogers
Posts: 615

You can't do what you want with IT policies. Your BES and therefore your BlackBerrys are inside your firewall; they have free rein over what you allow them to access. You can always disable the connection service and force them to use Internet Browser.
Old 09-21-2006, 07:25 PM   #7
DoomBringer
Talking BlackBerry Encyclopedia
 
Join Date: Feb 2005
Model: 7280
Carrier: cingular, no wait, AT&T
Posts: 300

I think in the HCT, you can specify which addresses things are allowed to get to, but maybe not as fine grained as this.
Old 09-22-2006, 01:53 PM   #8
cristalin
Thumbs Must Hurt
 
Join Date: Jun 2005
Model: 8310
Carrier: SFR
Posts: 74

Thanks for your answers.

|||||||, OK for your idea of stopping the connection service, but my BlackBerrys need to access an internal application server.
Your idea of pointing to a proxy that I don't own is maybe the best solution. I will see this...

DoomBringer, pardon me, but what is the "HCT"?

Cheers.
Old 09-26-2006, 07:52 PM   #9
Snyder81
Thumbs Must Hurt
 
Join Date: Jan 2005
Model: 8100
Carrier: Cingular
Posts: 88

This looks like it can be done on the BES, but it's not really intuitive at first glance.

To completely restrict URL pull access on BES 4.1 (for Exchange anyway), click on the specific BES server and click on the Connection Service tab. Click the Edit Properties button. Click the Access Control bullet and change "Pull Authorization" from False to True. In my testing, I was unable to use this functionality without blocking all traffic, even URLs I tried to allow (see below for how to selectively allow/block URLs).

***The description for this feature says: Pull Authorization - Set to True to restrict the URL's requested by BlackBerry users connecting to an intranet or the Internet using HTTP, HTTPS, TCP, LDAP, and OCSP services. Set to False to not restrict the URL's.***

In your specific situation, you should only need add your domain name (assuming all internal resources use it) and set it to Allow. Ex: *mycompany.com

The presence of that rule should deny all other paths (e.g. www.).


In the BlackBerry Manager, click on "Servers" and then click on the Global tab. Click Edit Properties. Click Access Control bullet. Create a new Pull Rule - you can name it "URL Filter" or something like that. Under User Rules (Same screen as where you selected Pull Rules), assign the policy to someone for testing. Open URL Patterns and create a new rule. Create two rules that each list a specific URL (e.g. Google and www.msn.com).

Go to URL Pattern Rules. Choose to Allow the MSN URL and Deny the Google URL. Restart the MDS and see if you can get to one but not the other.

It should work.
Old 10-09-2006, 10:35 PM   #10
ccowen
New Member
 
Join Date: Oct 2006
Location: Melbourne
Model: 8100
Carrier: Telstra
Posts: 3

I have BES 4.0.4 and am trying to achieve a similar thing, only reversed.

I want users to be able to access the Internet, but not our corporate Intranet.

Has anyone done this?

I have tried denying connections to our intranet site, but it seems to also deny all other sites...

When you start doing these rules, do you have to make an allow rule for specific sites once you start adding deny rules?

I.e. I've denied intranet:80/ (as the config says to format it).
Now I can't get to the RIM website for instance... do I have to have explicit Allow rules for rim.com?

A little frustrating.
Old 10-10-2006, 03:17 AM   #11
sferical
Thumbs Must Hurt
 
Join Date: Feb 2006
Model: 8100
Carrier: Voda
Posts: 187

This is from memory as I don't have my BES in front of me so you may need to mess around with it a bit.

You need to use the push/pull roles in MDS. Basically you add rules for all internet addresses such as www.*, http*, or specific sites such as Google and set them to deny or allow.

You then add groups and apply users to the groups and groups to the rules.

For example if I wanted my users to surf the intranet only I might add www.*, https://* etc to my deny rules and then add my intranet server with the following syntax to my allow rules:

.*://.*\.123\.com.*

- the .* for a wildcard to allow for http or https
- then ://
- then .* for a wildcard (www, ww2, home, etc.). The . in front of the * says any character except new line.
- then \ to turn off the special meaning of the next character so it will see the . as a period
- then .123 (or whatever your Intranet domain is named)
- then \ to turn off the special meaning of the next character again
- then .com
- then .* for any character after that

E.g. .*://.*\.mycompany\.com.*

I would then add my users to a single group and apply all the rules to the group.

Use the above syntax for both 4.0 and 4.1 servers and remember to restart the MDS service after any changes.

Hope this helps.

Sfez
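As an added example, not code from the thread and not part of RIM's MDS: the Python below models how an allow list built from the pattern sferical posted, .*://.*\.mycompany\.com.*, would decide a set of constructed URLs under ordinary regular-expression semantics, and places a host-anchored alternative beside it. Because the thread does not say how MDS evaluates patterns, the simulation assumes that each pattern is a regex matched against the whole URL, that a deny match wins over an allow match, and that once any rule exists an unmatched URL is denied, which is the behaviour ccowen and Snyder81 describe. The TIGHT_PATTERN and the sample URLs are this example's own assumptions.

```python
import re

# Constructed sample URLs for the demonstration (not taken from the thread).
SAMPLE_URLS = [
    "http://intranet.mycompany.com/",                # intranet host
    "https://apps.mycompany.com/portal",             # intranet app server over HTTPS
    "http://mycompany.com/",                         # bare domain, no subdomain
    "http://www.google.com/",                        # external site
    "https://www.msn.com/",                          # external site
    "http://www.example.net/?next=x.mycompany.com",  # external host, intranet domain in the query
]

# The allow pattern exactly as sferical posted it.
THREAD_PATTERN = r".*://.*\.mycompany\.com.*"

# Host-anchored alternative (an assumption added here, not from the thread):
# the scheme must be http or https, the host must end in mycompany.com, and
# the domain is only looked for in the host part, never in the path or query.
TIGHT_PATTERN = r"^https?://([a-z0-9-]+\.)*mycompany\.com(:\d+)?(/.*)?$"


def evaluate(url, allow_patterns, deny_patterns):
    """Simulated pull-rule decision for one URL.

    Assumptions (the thread does not document MDS internals): patterns are
    regular expressions matched against the whole URL, a deny match wins
    over an allow match, and once any rule exists an unmatched URL is
    denied, which is what ccowen and Snyder81 observed.
    """
    if any(re.fullmatch(p, url, re.IGNORECASE) for p in deny_patterns):
        return "deny"
    if any(re.fullmatch(p, url, re.IGNORECASE) for p in allow_patterns):
        return "allow"
    return "deny" if (allow_patterns or deny_patterns) else "allow"


def decisions(allow_pattern, urls=SAMPLE_URLS):
    """Map each sample URL to its decision under a single allow rule."""
    return {url: evaluate(url, [allow_pattern], []) for url in urls}


def main():
    thread = decisions(THREAD_PATTERN)
    tight = decisions(TIGHT_PATTERN)
    print(f"{'URL':<48} {'thread pattern':<15} host-anchored")
    for url in SAMPLE_URLS:
        print(f"{url:<48} {thread[url]:<15} {tight[url]}")


if __name__ == "__main__":
    main()
```

Running it shows the two points a practitioner would check before deploying such a rule: the posted pattern requires a dot before mycompany.com, so the bare http://mycompany.com/ is denied, and its leading .* lets an external URL that merely carries the intranet domain in its query string be allowed. The host-anchored pattern gives the intended result in both cases, so the choice between them is a question of how broad an allow rule the administrator is willing to accept.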
Old 10-10-2006, 06:29 PM   #12
ccowen
New Member
 
Join Date: Oct 2006
Location: Melbourne
Model: 8100
Carrier: Telstra
Posts: 3

Thanks Sfez I'll give it a shot!
Old 10-10-2006, 06:52 PM   #13
ccowen
New Member
 
Join Date: Oct 2006
Location: Melbourne
Model: 8100
Carrier: Telstra
Posts: 3

No luck so far... I'm also noticing that even users not assigned to roles with access to MDS are being forced to follow the same rules and getting forbidden 403 messages, despite not being on the Pull roles.

As soon as you add one role, do you have to then define the opposite?

I.e. I want 3 out of 10 users (hypothetically) to have no access to intranet sites, so I configure them with that specific role.

Does that then mean that I need to configure the other 7 with another rule to ALLOW them?

This is getting rather tedious. I may end up running a proxy server to do this, as the MDS config seems rather silly... at least for what I need to do.

I can't see myself whitelisting every external website there is...
Copyright © 2004-2016 BlackBerryForums.com.
The names RIM © and BlackBerry © are registered Trademarks of BlackBerry Inc.