Blocking Personal Blackberrys storing corporate emails
No firewall, No antivirus and all those sensitive email on their home machines. Scared yet? If this is a problem for you, the only REAL fix is to turn off OWA. But, that is a tough pill to swallow. Here is a possible alternative.
Check your IIS logs and you'll see entries like this:
2008-04-22 16:48:25 W3SVC1 127.0.0.1 POST /exchange/username/##emailname##/ - 443 username 127.0.0.1 BWC/Worker/1.0 200 0 0
2008-04-21 13:35:22 W3SVC1 127.0.0.1 BMOVE /exchange/firstname.lastname/Inbox/ - 443 firstname.lastname 127.0.0.1 BWC+Engine+/2.0 207 0 0
Here you can see an unauthorized Blackberry copying emails to the handheld through the Outlook Web Access interface. BWC+Engine is the User-Agent used by the Blackberry email client (IIS logs spaces in the header as "+"). You may also have some of these...
2008-04-20 23:06:40 W3SVC1 127.0.0.1 POST /Microsoft-Server-ActiveSync Cmd=GetItemEstimate&User=jusername&DeviceId=PLMOx8xxxx0&DeviceType=PalmOneTreoAce&Log=V4XXX:0AXXXX:0XXXXD0SP:1XXXXXXXH0P 443 username 127.0.0.1 PalmOne-TreoAce/2.01m01 200 0 0
2008-04-20 23:42:13 W3SVC1 127.0.0.1 OPTIONS /Microsoft-Server-ActiveSync User=username&DeviceId=2F8xxxxxxxxxxx&DeviceType=SmartPhone&Log=VNAXXX:0XXXXX:0A0XXXXX:0C0XXXXXXXH 443 username 127.0.0.1 MSFT-SPhone/5.2.203 200 0 0
If your goal is to keep personal devices from synchronizing over Outlook Web Access, you will want to block those also.
So how do you block specific User-Agent strings on IIS? Pretty simple in Apache, right? Not so much on IIS. You may think (as I did) that you can use URLScan. It has a [DenyHeaders] section which allows you to specify User-Agent. That doesn't work. It will allow you to block any web request that has a User-Agent header (yeah, all of them), but not a specific User-Agent. Thanks for nothing, Microsoft! So how then? You can use a third-party ISAPI filter that implements Apache mod_rewrite functionality on IIS. You can download ISAPI_Rewrite from http://www.isapirewrite.com There is a LITE and a FULL version available for download at the site. The LITE version is free and it will work for many OWA implementations. Here is the configuration to use to block the User-Agents for Blackberry, Palm Treo, Microsoft Smart Phones, and AvantGo:
RewriteEngine on
#Block Blackberry and other smartphones
RewriteCond %{HTTP:User-Agent} (?:BWC.Worker.*|BWC.Engine.*|MSFT-SPhone.*|PalmOne-TreoAce.*|AvantGO.*) [NC]
RewriteRule .? - [F,L]
This takes care of all of the Microsoft Smart Phones, Palm Treos and AvantGo users. In my testing it also breaks the functionality on the Blackberries. However, Blackberries which use BIS still make requests with IE user-agent strings, which are not blocked. The BIS service uses multiple user agents, including IE and the BWC agents. You can block the BIS address ranges from reaching OWA at your firewall. Those ranges are:
I found these on Bill Warnke's blog.
Blackberry posts their ranges in this article.
Continue to review your IIS logs to watch for other User-Agents. The following Unix command lists every User-Agent that has accessed your system ($11 is the User-Agent column in the log format shown above; adjust it if your logging fields differ). The grep drops the #Fields and other header lines so they do not show up as bogus agents.
cat /windows/system32/logfiles/w3svc1/* | grep -v '^#' | awk '{print $11}' | sort | uniq
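A fuller version of that log review, written here as an added example rather than code from the original post: it parses the IIS W3C Extended log using the #Fields: header instead of a fixed column number, counts requests per User-Agent, and reports which accounts hit the same User-Agent patterns the rewrite rule blocks. The log sample inside is constructed from the entries quoted above (with a normal IE browser session added for contrast).

```python
import re
from collections import defaultdict

# Same User-Agent patterns as the ISAPI_Rewrite rule above, case-insensitive like its [NC] flag
BLOCKED_UA = re.compile(r"BWC.Worker|BWC.Engine|MSFT-SPhone|PalmOne-TreoAce|AvantGO", re.I)

# Constructed sample log in the W3C Extended format used in the post (IIS writes "+" for spaces in the UA)
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-04-22 16:48:25 W3SVC1 127.0.0.1 POST /exchange/username/Inbox/ - 443 username 127.0.0.1 BWC/Worker/1.0 200 0 0
2008-04-21 13:35:22 W3SVC1 127.0.0.1 BMOVE /exchange/firstname.lastname/Inbox/ - 443 firstname.lastname 127.0.0.1 BWC+Engine+/2.0 207 0 0
2008-04-20 23:06:40 W3SVC1 127.0.0.1 POST /Microsoft-Server-ActiveSync Cmd=GetItemEstimate&User=username&DeviceType=PalmOneTreoAce 443 username 127.0.0.1 PalmOne-TreoAce/2.01m01 200 0 0
2008-04-20 23:42:13 W3SVC1 127.0.0.1 OPTIONS /Microsoft-Server-ActiveSync User=username&DeviceType=SmartPhone 443 username 127.0.0.1 MSFT-SPhone/5.2.203 200 0 0
2008-04-22 09:12:01 W3SVC1 127.0.0.1 GET /exchange/username/Inbox/ - 443 username 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 200 0 0
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields: header instead of hard-coding $11."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):  # skip rows that do not match the declared columns
                yield dict(zip(fields, values))

def user_agents(text):
    """Requests per raw User-Agent: the same view as the awk/sort/uniq pipeline, header lines excluded."""
    counts = defaultdict(int)
    for rec in parse_w3c(text):
        counts[rec["cs(User-Agent)"]] += 1
    return dict(counts)

def flagged_users(text):
    """Accounts that hit the blocked User-Agent patterns, with the decoded User-Agents each one used."""
    hits = defaultdict(set)
    for rec in parse_w3c(text):
        ua = rec["cs(User-Agent)"].replace("+", " ")  # undo IIS's space encoding
        if BLOCKED_UA.search(ua):
            hits[rec["cs-username"]].add(ua)
    return {user: sorted(uas) for user, uas in hits.items()}

if __name__ == "__main__":
    for ua, n in sorted(user_agents(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{n:5d} {ua}")
    for user, uas in flagged_users(SAMPLE_LOG).items():
        print(f"{user}: {', '.join(uas)}")
```

Point SAMPLE_LOG at the real W3SVC1 files to get the per-account list of accounts syncing from personal devices, which is the list to follow up on before the rewrite rule cuts them off.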