IIS – How to identify Blackberry / OWA users in the IIS logs


We just rolled out a Blackberry Express Server, and would like to make sure that all Blackberry devices that our users own are connecting SOLELY through the BES server. We are running Exchange 2010 SP1.

I've read some links that discuss blocking BIS at the firewall level. Before doing that, however, I'd like to individually contact all users with Blackberries and make sure that they have a chance to switch to the BES server. I've sent a company-wide email, but unsurprisingly folks tend to tune these out until they are forced into action.

Is there an easy way to identify the users with Blackberries by searching IIS logs, or perhaps using the Exchange Management Shell? Especially some automated way? I've tried searching for the Blackberry identifier, but it does not appear next to any user name, so it's not as helpful as it could be.

Edit: to clarify, what I'm talking about is the fact that Blackberries can use OWA to download mail to the phone. We do not allow IMAP or POP access through our firewall so that's not a concern–just folks with Blackberries using Blackberry's hack to allow it to connect to Exchange without a BES server. As far as I know, Blackberries are the only popular phones that use this method to download mail.

Best Answer

Not sure what you mean by "Blackberry identifier" - BIS spoofs an IE user-agent string for its requests. The best way to find the requests in my experience is looking at the IIS logs for requests coming from the BIS servers (address ranges are here). These requests WILL have usernames in the requests they send, something like https://owa.example.com/exchange/username.

As far as finding all the requests... it's a pain if you don't have a good means to search the logs. The BIS servers seem to batch the requests for all users on your server into requests coming from a specific server, so once you find one, searching for other requests from that specific IP is a good approach.

As far as blocking, I've found that it's pretty effective to block the BIS ranges directly in the reverse proxy's config so that I can find (from the 403's in the log) which users are attempting to set their phones up with BIS and set them straight.
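The log search described in the answer above can be scripted. This is an added example, not code from the original post: it assumes IIS W3C extended logs with the `c-ip`, `cs-uri-stem`, `cs-username` and `sc-status` fields enabled, and the function name, CIDR ranges and sample log lines are placeholders constructed for illustration.

```python
import ipaddress

# Placeholder CIDRs (RFC 5737 documentation ranges), NOT real BIS addresses:
# replace them with the published BIS ranges the answer refers to.
BIS_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

def bis_users(log_lines, ranges=BIS_RANGES):
    """Map username -> {"ips", "hits", "denied"} for requests from BIS ranges."""
    fields, users = [], {}
    for line in log_lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        try:
            ip = ipaddress.ip_address(row.get("c-ip", ""))
        except ValueError:
            continue  # malformed or missing client IP
        if not any(ip in net for net in ranges):
            continue
        # Prefer the mailbox name in /exchange/<user>/...; a 401 challenge
        # is logged with cs-username "-", so the URL is the better source.
        parts = row.get("cs-uri-stem", "").strip("/").split("/")
        if len(parts) >= 2 and parts[0].lower() == "exchange":
            user = parts[1]
        else:
            user = row.get("cs-username", "-").split("\\")[-1]
        if user in ("", "-"):
            continue
        rec = users.setdefault(user.lower(), {"ips": set(), "hits": 0, "denied": 0})
        rec["ips"].add(str(ip))
        rec["hits"] += 1
        rec["denied"] += row.get("sc-status") == "403"  # blocked attempts
    return users

# Constructed sample log lines (not from the original post).
SAMPLE = r"""#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2011-03-01 08:00:01 GET /exchange/alice/Inbox - 203.0.113.17 Mozilla/4.0+(compatible;+MSIE+6.0) 401
2011-03-01 08:00:02 GET /exchange/alice/Inbox EXAMPLE\alice 203.0.113.17 Mozilla/4.0+(compatible;+MSIE+6.0) 200
2011-03-01 08:00:05 GET /exchange/Bob/ - 203.0.113.17 Mozilla/4.0+(compatible;+MSIE+6.0) 403
2011-03-01 08:00:09 GET /owa/ EXAMPLE\dave 198.51.100.9 Mozilla/4.0+(compatible;+MSIE+6.0) 200
2011-03-01 08:01:00 GET /owa/ EXAMPLE\carol 192.0.2.44 Mozilla/5.0 200
""".splitlines()

if __name__ == "__main__":
    for user, rec in sorted(bis_users(SAMPLE).items()):
        print(user, rec["hits"], rec["denied"], sorted(rec["ips"]))
```

The `denied` count only reflects 403s if the block is enforced somewhere that writes to these same logs; when the reverse proxy does the blocking, run the script over the proxy's logs after adapting the field names.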
