Wi-Fi Implementation Supplement

Last modified: 16 May 2008

Document ID: 10626870 Version 26

At the time of publication, this documentation supplements the documentation for the following releases:

• BlackBerry Enterprise Server Version 4.1 SP3 or later

• BlackBerry Professional Software Version 4.1 SP4 or later

©2008 Research In Motion Limited. All rights reserved. BlackBerry®, RIM®, Research In Motion®, SureType® and related trademarks, names, and logos are the property of Research In Motion Limited and are registered and/or used as trademarks in the U.S., Canada, and countries around the world.

Bluetooth is a trademark of Bluetooth SIG. GSM is a trademark of the GSM MOU Association. IBM, DB2, DB2 Universal Database, Domino, and Lotus are trademarks of International Business Machines Corporation. IEEE, 802.1X, 802.11, 802.11a, 802.11b, 802.11g, and 802.11i are trademarks of the Institute of Electrical and Electronics Engineers, Inc. Microsoft, Active Directory, and SQL Server are trademarks of Microsoft Corporation. Novell and GroupWise are trademarks of Novell, Inc. RSA and RSA SecurID are trademarks of RSA Security. Wi-Fi, Wi-Fi Protected Access, WPA, and WPA2 are trademarks of the Wi-Fi Alliance. All other trademarks are the properties of their respective owners.

The BlackBerry smartphone and other devices and/or associated software are protected by copyright, international treaties, and various patents, including one or more of the following U.S. patents: 6,278,442; 6,271,605; 6,219,694; 6,075,470; 6,073,318; D445,428; D433,460; D416,256. Other patents are registered or pending in the U.S. and in various countries around the world. Visit www.rim.com/patents for a list of RIM (as hereinafter defined) patents.

This documentation including all documentation incorporated by reference herein such as documentation provided or made available at www.blackberry.com/go/docs is provided or made accessible "AS IS" and "AS AVAILABLE" and without condition, endorsement, guarantee, representation, or warranty of any kind by Research In Motion Limited and its affiliated companies ("RIM") and RIM assumes no responsibility for any typographical, technical, or other inaccuracies, errors, or omissions in this documentation. In order to protect RIM proprietary and confidential information and/or trade secrets, this documentation may describe some aspects of RIM technology in generalized terms. RIM reserves the right to periodically change information that is contained in this documentation; however, RIM makes no commitment to provide any such changes, updates, enhancements, or other additions to this documentation to you in a timely manner or at all.

This documentation might contain references to third-party sources of information, hardware or software, products or services including components and content such as content protected by copyright and/or third-party web sites (collectively the "Third Party Products and Services"). RIM does not control, and is not responsible for, any Third Party Products and Services including, without limitation the content, accuracy, copyright compliance, compatibility, performance, trustworthiness, legality, decency, links, or any other aspect of Third Party Products and Services. The inclusion of a reference to Third Party Products and Services in this documentation does not imply endorsement by RIM of the Third Party Products and Services or the third party in any way.

EXCEPT TO THE EXTENT SPECIFICALLY PROHIBITED BY APPLICABLE LAW IN YOUR JURISDICTION, ALL CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS, OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, ANY CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS OR WARRANTIES OF DURABILITY, FITNESS FOR A PARTICULAR PURPOSE OR USE, MERCHANTABILITY, MERCHANTABLE QUALITY, NON-INFRINGEMENT, SATISFACTORY QUALITY, OR TITLE, OR ARISING FROM A STATUTE OR CUSTOM OR A COURSE OF DEALING OR USAGE OF TRADE, OR RELATED TO THE DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN, ARE HEREBY EXCLUDED. YOU MAY ALSO HAVE OTHER RIGHTS THAT VARY BY STATE OR PROVINCE. SOME JURISDICTIONS MAY NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES AND CONDITIONS. TO THE EXTENT PERMITTED BY LAW, ANY IMPLIED WARRANTIES OR CONDITIONS RELATING TO THE DOCUMENTATION TO THE EXTENT THEY CANNOT BE EXCLUDED AS SET OUT ABOVE, BUT CAN BE LIMITED, ARE HEREBY LIMITED TO NINETY (90) DAYS FROM THE DATE YOU FIRST ACQUIRED THE DOCUMENTATION OR THE ITEM THAT IS THE SUBJECT OF THE CLAIM.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, IN NO EVENT SHALL RIM BE LIABLE FOR ANY TYPE OF DAMAGES RELATED TO THIS DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN INCLUDING WITHOUT LIMITATION ANY OF THE FOLLOWING DAMAGES: DIRECT, CONSEQUENTIAL, EXEMPLARY, INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE, OR AGGRAVATED DAMAGES, DAMAGES FOR LOSS OF PROFITS OR REVENUES, FAILURE TO REALIZE ANY EXPECTED SAVINGS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, LOSS OF BUSINESS OPPORTUNITY, OR CORRUPTION OR LOSS OF DATA, FAILURES TO TRANSMIT OR RECEIVE ANY DATA, PROBLEMS ASSOCIATED WITH ANY APPLICATIONS USED IN CONJUNCTION WITH RIM PRODUCTS OR SERVICES, DOWNTIME COSTS, LOSS OF THE USE OF RIM PRODUCTS OR SERVICES OR ANY PORTION THEREOF OR OF ANY AIRTIME SERVICES, COST OF SUBSTITUTE GOODS, COSTS OF COVER, FACILITIES OR SERVICES, COST OF CAPITAL, OR OTHER SIMILAR PECUNIARY LOSSES, WHETHER OR NOT SUCH DAMAGES WERE FORESEEN OR UNFORESEEN, AND EVEN IF RIM HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, RIM SHALL HAVE NO OTHER OBLIGATION, DUTY, OR LIABILITY WHATSOEVER IN CONTRACT, TORT, OR OTHERWISE TO YOU INCLUDING ANY LIABILITY FOR NEGLIGENCE OR STRICT LIABILITY.

THE LIMITATIONS, EXCLUSIONS, AND DISCLAIMERS HEREIN SHALL APPLY: (A) IRRESPECTIVE OF THE NATURE OF THE CAUSE OF ACTION, DEMAND, OR ACTION BY YOU INCLUDING BUT NOT LIMITED TO BREACH OF CONTRACT, NEGLIGENCE, TORT, STRICT LIABILITY OR ANY OTHER LEGAL THEORY AND SHALL SURVIVE A FUNDAMENTAL BREACH OR BREACHES OR THE FAILURE OF THE ESSENTIAL PURPOSE OF THIS AGREEMENT OR OF ANY REMEDY CONTAINED HEREIN; AND (B) TO RIM AND ITS AFFILIATED COMPANIES, THEIR SUCCESSORS, ASSIGNS, AGENTS, SUPPLIERS (INCLUDING AIRTIME SERVICE PROVIDERS), AUTHORIZED RIM DISTRIBUTORS (ALSO INCLUDING AIRTIME SERVICE PROVIDERS) AND THEIR RESPECTIVE DIRECTORS, EMPLOYEES, AND INDEPENDENT CONTRACTORS.

IN ADDITION TO THE LIMITATIONS AND EXCLUSIONS SET OUT ABOVE, IN NO EVENT SHALL ANY DIRECTOR, EMPLOYEE, AGENT, DISTRIBUTOR, SUPPLIER, INDEPENDENT CONTRACTOR OF RIM OR ANY AFFILIATES OF RIM HAVE ANY LIABILITY ARISING FROM OR RELATED TO THE DOCUMENTATION.

Prior to subscribing for, installing, or using any Third Party Products and Services, it is your responsibility to ensure that your airtime service provider has agreed to support all of their features. Installation or use of Third Party Products and Services with RIM's products and services may require one or more patent, trademark, copyright, or other licenses in order to avoid infringement or violation of third party rights. You are solely responsible for determining whether to use Third Party Products and Services and if any third party licenses are required to do so. If required you are responsible for acquiring them. You should not install or use Third Party Products and Services until all necessary licenses have been acquired. Any Third Party Products and Services that are provided with RIM's products and services are provided as a convenience to you and are provided "AS IS" with no express or implied conditions, endorsements, guarantees, representations, or warranties of any kind by RIM and RIM assumes no liability whatsoever, in relation thereto. Your use of Third Party Products and Services shall be governed by and subject to you agreeing to the terms of separate licenses and other agreements applicable thereto with third parties, except to the extent expressly covered by a license or other agreement with RIM.

The terms of use of any RIM product or service are set out in a separate license or other agreement with RIM applicable thereto. NOTHING IN THIS DOCUMENTATION IS INTENDED TO SUPERSEDE ANY EXPRESS WRITTEN AGREEMENTS OR WARRANTIES PROVIDED BY RIM FOR PORTIONS OF ANY RIM PRODUCT OR SERVICE OTHER THAN THIS DOCUMENTATION.

Certain features outlined in this documentation require a minimum version of BlackBerry Enterprise Server Software, BlackBerry Desktop Software, and/or BlackBerry Device Software and may require additional development or Third Party Products and Services for access to corporate applications.

This product includes software developed by the Apache Software Foundation (http://www.apache.org/) and/or licensed pursuant to Apache License, Version 2.0 (http://www.apache.org/licenses/). For more information, see the NOTICE.txt file included with the software. Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Published in Canada

Research In Motion Limited 295 Phillip Street Waterloo, ON N2L 3W8 Canada

Research In Motion UK Limited 200 Bath Road Slough, Berkshire SL1 3XE United Kingdom

Contents

1 Using the Wi-Fi Implementation Supplement
    Supported environments
    Required BlackBerry Enterprise Server documentation
    BlackBerry Enterprise Server administrative roles

2 Technical overview
    BlackBerry Enterprise Server architecture overview
    Wi-Fi environment overview
        Wi-Fi coverage types
        Wi-Fi connection options
        Supported IEEE 802.11 wireless networking standards
    Architecture: Options for Mobile and Wi-Fi connections
    Architecture components
        BlackBerry Enterprise Server components
        BlackBerry Enterprise Server remote components
        BlackBerry Enterprise Server support for Wi-Fi enabled BlackBerry devices
        Wireless access points
    BlackBerry Enterprise Server process flows

3 Installation and configuration overview
    Quick reference

4 Configuring security in your environment
    Security for Wi-Fi enabled BlackBerry devices
    Prerequisites: Configuring layer 2 access security
    Prerequisites: Configuring layer 3 VPN access security
    Configuring software tokens
    Configuring MAC access control lists
    Configuring service-specific access security
    Configuring a captive portal

5 Installing and configuring the BlackBerry Enterprise Server
    Verifying that you are ready to install the BlackBerry Enterprise Server
    Configuring the BlackBerry Enterprise Server environment
    Preparing to support Wi-Fi enabled BlackBerry devices
    Installing the BlackBerry Enterprise Server
    Adding administrators to roles
    Setting up the BlackBerry Enterprise Server environment

6 Setting up user accounts on the BlackBerry Enterprise Server
    Setting up user accounts
    Adding user accounts
    Adding user groups
    Customizing organizer data synchronization

7 Configuring WLAN and VPN settings
    WLAN and VPN profiles
    Configuring WLAN and VPN profiles
        Configure a WLAN profile
        Configure a WLAN profile based on an existing profile
        Configure a VPN profile
        Configure a VPN profile based on an existing profile
        Associate a VPN profile with a WLAN profile
    Assigning profiles
        Assign a WLAN profile to a user account
        Assign a VPN profile to a user account
    Managing profiles
        Change a setting in a WLAN profile
        Change a setting in a VPN profile
        Delete a WLAN profile
        Delete a VPN profile
    Managing WLAN and VPN settings using IT policies
        Download the IT policy definitions file
        Importing the IT policy rules
    Configuring and assigning IT policies
        Configuring and assigning IT policies in BlackBerry Enterprise Server Version 4.0.x
        Configuring and assigning IT policies in BlackBerry Enterprise Server Version 4.1 or later
    Configure a Wi-Fi profile manually on the BlackBerry device

8 Configuring encryption and authentication methods on the BlackBerry device
    Configure WEP encryption
    Configure PSK encryption
    Using the IEEE 802.1X and EAP authentication framework
    Configure LEAP authentication
    Configuring PEAP, EAP-TLS, or EAP-TTLS certificate-based authentication
    Configure PEAP authentication
    Configure EAP-TLS authentication
    Configure EAP-TTLS authentication
    Configure EAP-FAST authentication

9 Configuring software tokens
    Using software tokens on the BlackBerry device
        Prerequisites: Minimum software versions for software token use
        RSA Authentication Manager documentation resources
    Preparing the RSA Authentication Manager for software token use
        Configure PIN policies for software tokens
        Import the token seed file into the RSA Authentication Manager Database
        Create a user record in the RSA Authentication Manager Database
        Issue a software token
    Synchronize the date and time on the BlackBerry device with the RSA Authentication Manager computer
    Set the default WLAN connection parameters for the BlackBerry Domain
    Set the default VPN connection parameters for the BlackBerry Domain
    Set the user's profile for software token use

10 Implementing BlackBerry devices
    Minimum software requirements
    Implementing BlackBerry devices

11 Activating BlackBerry devices over the enterprise Wi-Fi network
    Using the BlackBerry Router for BlackBerry device activations over the enterprise Wi-Fi network
    Setting up the environment for BlackBerry device activations over the enterprise Wi-Fi network
    Preparing to install a BlackBerry Router for BlackBerry device activations over the enterprise Wi-Fi network
    Confirm the installation credentials
    Configuring a BlackBerry Router for BlackBerry device activations over the enterprise Wi-Fi network
        Install and configure a new BlackBerry Router
        Configure an existing BlackBerry Router
    Prerequisites: Activating BlackBerry devices over the enterprise Wi-Fi network
    Create and send activation information
    Reactivate an existing BlackBerry device
    Confirm that the activation is successful

12 Troubleshooting
    Push settings to the BlackBerry device
    Troubleshooting connection and configuration issues on a Wi-Fi enabled BlackBerry device
    Troubleshooting connection issues on a Wi-Fi enabled BlackBerry device
        Verify that the Wi-Fi connection is turned on
        View basic diagnostic information on a Wi-Fi enabled BlackBerry device
        View detailed diagnostic information on a Wi-Fi enabled BlackBerry device
    Wi-Fi Diagnostics status indicators
        Status indicator groups
        Status indicator states
        Wi-Fi connection status indicators
        VPN connection status indicators
        UMA/GAN connection status indicators
        BlackBerry Infrastructure connection status indicators
        Enterprise connection status indicators
    Verify whether the BlackBerry device can reach an IP address
    Resolve a host name to an IP address

13 IT policy rules and configuration settings
    Using WLAN IT policy rules with a WLAN configuration set
    WLAN IT policy group
    WLAN configuration settings
    VPN IT policy group
    VPN configuration settings

Glossary

1 Using the Wi-Fi Implementation Supplement

Supported environments

You can use this guide to supplement an installation of either the BlackBerry® Enterprise Server or the BlackBerry® Professional Software. In this guide, consider BlackBerry® Enterprise Server to mean BlackBerry Professional Software in the relevant reference information or in the tasks that the BlackBerry Professional Software supports.

Required BlackBerry Enterprise Server documentation

The BlackBerry Enterprise Server Wi-Fi Implementation Supplement provides information that you might require when you install and administer a BlackBerry® Enterprise Server in an environment in which some user accounts have Wi-Fi® enabled BlackBerry devices.

Use this supplement with the following BlackBerry Enterprise Server documentation for your messaging environment:

• BlackBerry Enterprise Server Installation Guide

• BlackBerry Enterprise Server System Administration Guide

To complete some tasks described in this supplement, you might require one or more of the following documentation resources:

• BlackBerry Enterprise Server Capacity Calculator

• BlackBerry Enterprise Server Handheld Management Guide (BlackBerry Enterprise Server Version 4.0.x)

• BlackBerry Enterprise Server Performance Benchmarking

• BlackBerry Enterprise Solution Security Technical Overview

• Placing the BlackBerry Enterprise Solution in a segmented network

• Policy Reference Guide


BlackBerry Enterprise Server administrative roles

In BlackBerry® Enterprise Server Version 4.1 or later, the BlackBerry Enterprise Server uses predefined roles, which correspond to common corporate administrative roles, to control who can perform specific tasks and limit who can access sensitive data in your organization. To perform many of the tasks, you require security administrator or enterprise administrator permissions.

For information about the tasks for each administrative role, see the BlackBerry Enterprise Server System Administration Guide.

2 Technical overview

BlackBerry Enterprise Server architecture overview

The BlackBerry® Enterprise Server consists of services and components. The BlackBerry services are designed to provide productivity tools—such as email, instant messaging, and organizer functionality—and data from your organization’s applications to BlackBerry device users. The BlackBerry components are designed to monitor the BlackBerry services; process, route, compress, and encrypt data; and communicate with the mobile network.

Typically, user accounts with BlackBerry devices can connect to the mobile network. No changes to the BlackBerry Enterprise Server architecture are required to support Wi-Fi® enabled BlackBerry devices.

For more information about the BlackBerry Enterprise Server architecture, see the BlackBerry Enterprise Server Feature and Technical Overview for your messaging environment.

Wi-Fi environment overview

With a Wi-Fi® enabled BlackBerry® device, a user can access voice and data services across multiple radio technologies.

Most BlackBerry device users connect over the mobile network to the BlackBerry® Enterprise Server for access to productivity tools and your organization’s data and applications.

If a user’s mobile network provider makes UMA technology (GAN technology) available, and the user has subscribed to the UMA feature, a Wi-Fi enabled BlackBerry device can access the mobile network provider’s voice and data services over a mobile network or using a Wi-Fi connection. In addition, the user can establish concurrent connections to data services over a Wi-Fi connection during a call over the mobile network.

A BlackBerry device can establish a Wi-Fi connection from an enterprise Wi-Fi network or, in conjunction with a VPN session, from a personal Wi-Fi network or from a Wi-Fi hotspot to complete a direct route to the BlackBerry Router.

In addition, using a direct Wi-Fi connection to the BlackBerry Router, with or without a VPN session, or using a Wi-Fi network that allows a connection to the Internet on port 443, a Wi-Fi enabled BlackBerry device is designed to establish a safe connection to the BlackBerry® Internet Service, the BlackBerry® Messenger, and PIN messaging. Verify with your wireless service provider that your service plan provides access to these services over a Wi-Fi connection.


Wi-Fi coverage types

Examples of Wi-Fi® network types include a WLAN within an organization’s environment, a personal Wi-Fi network, or a public hotspot that offers a Wi-Fi connection.

Enterprise Wi-Fi networks

An enterprise Wi-Fi® network usually has multiple wireless access points to provide one of the following types of coverage:

• ubiquitous coverage: Access point coverage in a workplace is contiguous, and users can roam between access points anywhere in the workplace.

• hotspot coverage: Access points provide a Wi-Fi connection in specific areas, such as conference rooms and other common areas. If coverage areas are not contiguous, users cannot roam between access points.

• mixed coverage: Access points offer ubiquitous coverage in some areas of the workplace and hotspot coverage in other areas. Users might or might not be able to roam between access points.

An enterprise Wi-Fi network typically has strong authentication and link layer security. An organization might consider an enterprise Wi-Fi network untrusted and require that all Wi-Fi connections to the internal network occur through a VPN concentrator.

Personal Wi-Fi networks

A personal Wi-Fi® network typically uses a single wireless access point to provide Internet access through a broadband gateway. The broadband gateway usually implements NAT and allows VPN connections to traverse the firewall. A personal Wi-Fi network is typically configured with link layer security and uses password-based authentication.

Hotspots

Hotspots offered by an ISP, a mobile network provider, or a property owner can provide a Wi-Fi® connection in public and semipublic areas. The network is typically an open network without link layer encryption, with a captive portal for authentication. The captive portal performs the following functions:

• blocks all network traffic except traffic that uses HTTP

• redirects HTTP requests to a login page

After a hotspot user successfully logs in, the captive portal grants the user access to wireless network services.

Hotspots usually have a firewall in place, and they usually allow VPN connections.


Wi-Fi connection options

Direct connection to the BlackBerry Router over an enterprise Wi-Fi network

A Wi-Fi® enabled BlackBerry® device can establish a connection over an enterprise Wi-Fi network that provides a direct route to the BlackBerry Router.

A Wi-Fi profile for the user must already be configured. The profile is either created manually on the device or sent to the device in an IT policy by an administrator.

After associating with a Wi-Fi connection using a Wi-Fi profile, the BlackBerry device tries to make a direct IP connection to the BlackBerry Router. With some network architectures, a VPN session might be required to complete the direct BlackBerry Router connection. As a result, the BlackBerry device includes a built-in VPN client that can be configured and associated with any Wi-Fi profile on the BlackBerry device. If a direct BlackBerry Router connection is possible (with or without a VPN session), the BlackBerry® Enterprise Server automatically passes data using the existing BlackBerry security methods. Connecting directly to the BlackBerry Router is typically used when a Wi-Fi enabled BlackBerry device is within an organization’s existing Wi-Fi environment.

Wi-Fi connection without a VPN connection or direct BlackBerry Router connection

If a direct IP connection to the BlackBerry® Router is not available (with or without a VPN connection) on a Wi-Fi® network that can access the Internet (for example, a personal Wi-Fi network or hotspot), the Wi-Fi enabled BlackBerry device automatically establishes an SSL connection over the Internet to the BlackBerry® Infrastructure. After the BlackBerry device connects to the BlackBerry Infrastructure, all of the user’s provisioned data services automatically start to send data to the device using the existing BlackBerry® Enterprise Solution security methods. After the initial connection to the Wi-Fi network is established from an existing or newly configured Wi-Fi profile, no user configuration is required.

You must configure an outgoing TCP connection for the Wi-Fi network on port 443 to the Internet. No other configuration is required.

Supported IEEE 802.11 wireless networking standards

IEEE 802.11a
• frequency: 5 GHz
• maximum speed: 54 Mbps
• fallback speeds: 48, 36, 24, 18, 12, 9, 6 Mbps
• nonoverlapping channels: up to 19
• sources of interference: Bluetooth® wireless technology, some satellite systems, 5 GHz cordless phones

IEEE 802.11b
• frequency: 2.4 GHz
• maximum speed: 11 Mbps
• fallback speeds: 5.5, 2, 1 Mbps
• nonoverlapping channels: 3
• sources of interference: Bluetooth wireless technology, microwave ovens, 2.4 GHz cordless phones

IEEE 802.11g
• frequency: 2.4 GHz
• maximum speed: 54 Mbps
• fallback speeds: 48, 36, 24, 18, 12, 9, 6 Mbps
• nonoverlapping channels: 3
• sources of interference: Bluetooth wireless technology, microwave ovens, 2.4 GHz cordless phones


Architecture: Options for Mobile and Wi-Fi connections

[Figure: Mobile network and Wi-Fi connections. Components shown: Internet, mobile network provider, mobile network, UNC/GANC, BlackBerry Infrastructure, BlackBerry Internet Service, enterprise firewall, BlackBerry Enterprise Server, enterprise wireless access points, enterprise Wi-Fi network, personal or hotspot wireless access point, and the Wi-Fi connections between them.]

Architecture components

BlackBerry Enterprise Server components

For information about the BlackBerry® Enterprise Server components, see the BlackBerry Enterprise Server Feature and Technical Overview for your messaging environment. No additional BlackBerry Enterprise Server components are required for Wi-Fi® enabled BlackBerry devices.


BlackBerry Enterprise Server remote components

Wi-Fi® enabled BlackBerry® devices can use the same distributed configurations as BlackBerry devices that access only the mobile network. For information about distributed BlackBerry® Enterprise Server components, see the BlackBerry Enterprise Server Feature and Technical Overview for your messaging environment.

BlackBerry Enterprise Server support for Wi-Fi enabled BlackBerry devices

Table columns: Feature; Description; BlackBerry Enterprise Server version (4.0, 4.1, 4.1 SP2, 4.1 SP3, 4.1 SP4, 4.1 SP5).

• BlackBerry® Router: The BlackBerry Router is required for a BlackBerry device to connect to the BlackBerry® Enterprise Server over a Wi-Fi® connection for access to an organization’s data.

• per-user IT policy: Per-user IT policies are designed to simplify the configuration of user-specific Wi-Fi and VPN information (such as user IDs and passwords).

• expanded groups of WLAN and VPN IT policy configuration settings: Expanded configuration settings provide the ability to control and manage Wi-Fi connections from BlackBerry devices. A new IT policy template file makes the additional configuration settings available for earlier versions of the BlackBerry Enterprise Server.

• multiple Wi-Fi and VPN profiles: Multiple Wi-Fi and VPN profiles are designed to address user needs in a variety of environments.

• wireless backup of Wi-Fi and VPN profiles

• BlackBerry device activation over the enterprise Wi-Fi network: Activation over the enterprise Wi-Fi network is designed to simplify the activation or updating of BlackBerry devices.

• software token provisioning: Software token provisioning is designed to provide the ability to centrally provision and manage the seed for software token authentication (for example, for VPN connections) on BlackBerry devices.

• access to the BlackBerry® Infrastructure over a Wi-Fi connection: Wi-Fi enabled BlackBerry devices can connect directly to the BlackBerry Infrastructure over the Internet for access to voice and data services that a mobile network provider offers, even if UMA is not available. Verify with your wireless service provider that your service plan supports access to BlackBerry messaging services over a Wi-Fi connection.

Wireless access points

A wireless access point must conform to the IEEE® 802.11a™, IEEE® 802.11b™, or IEEE® 802.11g™ wireless networking standard.

To check the number of connections on each access point and to verify that users will be able to roam between access points, complete a site survey as directed in the documentation for your access points, and follow the recommendations for channel assignments.

Types of wireless access points

Wireless access points can be either thin or thick, with the following characteristics:

• A thin or controller-based access point is usually part of a centrally managed enterprise Wi-Fi® network. This type of access point requires an external controller to manage network traffic. You can administer one or more thin access points through their controller.

• A thick access point, which is also referred to as an intelligent or autonomous access point, has the intelligence to operate as a standalone component without a controller.

Thin access points with an external controller can provide a more seamless roaming experience for users with Wi-Fi enabled BlackBerry® devices during data and voice sessions.

Wireless access points and NAT

If your organization uses NAT, wireless access points must support NAT traversal.

BlackBerry Enterprise Server process flows

Except for the differences in the network architecture, process flows for voice and data are the same, regardless of how a BlackBerry® device connects to the mobile network provider.

For more information about process flows, see the workflow information in the BlackBerry Enterprise Server Feature and Technical Overview for your messaging environment.

3: Installation and configuration overview

Quick reference

Task: Set up your enterprise Wi-Fi® network.

• Verify that your wireless access points comply with the IEEE® 802.11a™, IEEE® 802.11b™, or IEEE® 802.11g™ standard, that they allow NAT traversal if you use NAT in your organization, and that you have addressed the recommendations in your access point documentation to provide sufficient coverage for the number of Wi-Fi connections in your environment.

• If necessary, set up the DHCP server.

• If necessary, set up NAT.

Document: Documentation for your enterprise Wi-Fi network components

Task: Configure security.

Documents: Documentation for your security hardware and software; BlackBerry Enterprise Solution Security Technical Overview

Task: Configure the firewall settings.

• Open the required ports, as described in Placing the BlackBerry Enterprise Solution in a segmented network.

• If you use a proxying firewall, configure the proxy so that it is transparent to users.

• Verify that the BlackBerry® network IP addresses that are relevant to your environment are permitted addresses.

Document: Security documentation

Task: Configure the ports required for network traffic associated with a Wi-Fi network.

Document: BlackBerry Enterprise Server Wi-Fi Implementation Supplement

Task: Address hardware, software, operating system, messaging, networking, and database requirements for the BlackBerry Enterprise Server environment.

Documents: BlackBerry Enterprise Server Capacity Calculator; BlackBerry Enterprise Server Performance Benchmarking; BlackBerry Enterprise Server Installation Guide

Task: Install the BlackBerry® Enterprise Server.

Document: BlackBerry Enterprise Server Installation Guide

Task: Verify that the BlackBerry Enterprise Server can connect to the BlackBerry® Infrastructure.

Document: BlackBerry Enterprise Server Installation Guide

Task: Verify that the enterprise Wi-Fi network can connect to the BlackBerry Router and that the BlackBerry Router is in the DNS server.

Document: BlackBerry Enterprise Server Installation Guide

Task: Add administrators to roles.

Document: BlackBerry Enterprise Server System Administration Guide

Task: Add users to the BlackBerry Enterprise Server.

Document: BlackBerry Enterprise Server System Administration Guide

Task: Configure the WLAN settings and the IT policy settings for Wi-Fi connections.

Document: BlackBerry Enterprise Server Wi-Fi Implementation Supplement

Task: Manually create a Wi-Fi profile on the BlackBerry device to verify connectivity to the enterprise Wi-Fi network.

Document: BlackBerry Enterprise Server Wi-Fi Implementation Supplement

Task: Implement BlackBerry devices.

Document: BlackBerry Enterprise Server Wi-Fi Implementation Supplement

4: Configuring security in your environment

Security for Wi-Fi enabled BlackBerry devices

When a user account in your environment is associated with a Wi-Fi® enabled BlackBerry® device, Wi-Fi networks extend your organization’s LAN. You must protect your organization’s extended network from unauthorized use. Protective measures might include the following:

• All wireless devices must complete authentication before gaining access to your organization’s LAN.

• All wireless communication between wireless devices and the LAN must use some encryption process.

The steps that you can take to provide security for BlackBerry devices that can access both the mobile network and one or more Wi-Fi networks are part of your organization’s plan to provide security for your entire BlackBerry® Enterprise Solution. This includes developing a plan for distributing sensitive information, such as authentication credentials.

For more information about BlackBerry Enterprise Solution security, see the BlackBerry Enterprise Solution Security Technical Overview. In addition, refer to the documentation for your Wi-Fi components for recommendations and implementation suggestions.

Prerequisites: Configuring layer 2 access security

Layer 2 security methods and protocols at the IEEE® 802.11™ link layer operate between a Wi-Fi® enabled BlackBerry® device and a wireless access point on the enterprise Wi-Fi network using encryption alone, or using encryption with user authentication.

Component: BlackBerry® Enterprise Server Version 4.0 or later

• See the BlackBerry Enterprise Server Installation Guide for network operating system requirements.

• Verify that a local or remote BlackBerry Router is installed.

• Verify that you have configured the required WLAN and VPN settings.

Component: wireless access points

• Verify that all access points comply with the IEEE® 802.11a™, IEEE® 802.11b™, or IEEE® 802.11g™ standard.

Component: access security using the layer 2 method

• Verify that you are using one of the supported layer 2 security methods.

Component: BlackBerry device

• Using the DNS lookup tool on the BlackBerry device, verify that the BlackBerry device has access to the DHCP server and the DNS server.

Prerequisites: Configuring layer 3 VPN access security

The Wi-Fi® enabled BlackBerry® device has a built-in VPN client that supports several VPN concentrators.

To create a VPN profile, you configure the VPN client settings (for example, the IP address of the VPN concentrator, user names and passwords, and cryptographic methods used) either on the BlackBerry device directly or using VPN settings or IT policy rules.

Depending on the security policy of your organization, you can save each user name and password to the BlackBerry device to prevent the BlackBerry device from prompting the user for credentials the first time (or each time) the BlackBerry device connects to the enterprise Wi-Fi network.

You can associate a VPN profile with a WLAN profile so that the VPN profile opens automatically when the WLAN profile starts.

Related topic: VPN IT policy group

Component: BlackBerry® Enterprise Server Version 4.0 or later

• See the BlackBerry Enterprise Server Installation Guide for network operating system requirements.

• Verify that you have configured the recommended WLAN and VPN settings.

Component: wireless access points

• Verify that all access points comply with the IEEE® 802.11a™, IEEE® 802.11b™, or IEEE® 802.11g™ standard.

Component: VPN access security using IPSec VPN

• Verify that a supported VPN concentrator is installed.

Component: BlackBerry device

• Using the DNS lookup tool on the BlackBerry device, verify that the BlackBerry device has access to the DHCP server and the DNS server.

Configuring software tokens

BlackBerry® Enterprise Server Version 4.1 SP3 or later is designed to work with the RSA® Authentication Manager to provide software token support for use with layer 2 and layer 3 authentication on each supported BlackBerry device.

The RSA SecurID® Library (a cryptographic library) on the BlackBerry device allows a supported BlackBerry device to periodically generate a software token tokencode. The BlackBerry device combines the tokencode with a saved software token PIN that the BlackBerry device user provides as a prefix string to the tokencode to create a passcode for use with a two-factor authentication process on the BlackBerry device.

When you configure a software token for a BlackBerry device user, the BlackBerry device is designed to automatically use the passcode to authenticate the BlackBerry device user to WLANs (using PEAPv1, EAP-GTC, and EAP-TTLS/EAP-GTC authentication methods) and VPNs.

You can configure multiple software tokens for a BlackBerry device user. For example, you can configure one software token for use with Wi-Fi® authentication and a second software token for use with VPN authentication. When the BlackBerry device user tries to establish a WLAN or VPN connection that requires two-factor authentication on the BlackBerry device, the BlackBerry device prompts the BlackBerry device user to type the software token PIN and submit the current tokencode for that connection type to create the passcode for two-factor authentication.
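The passcode scheme described in this section (a saved PIN prefixed to a time-varying tokencode, checked as two factors by the authentication server) can be illustrated with the following Python. This is an added example written for this page, not RIM's or RSA's code: RSA SecurID uses a proprietary tokencode algorithm, so the example substitutes RFC 6238 TOTP (HMAC-SHA1, 60-second step, six digits) as a stand-in; the step length, digit count, skew window, seeds, PINs and timestamps are all assumptions constructed for the example. The verifier refuses a tokencode that it has already accepted, which is the check a practitioner would expect of any time-based two-factor scheme, and a second TokenVerifier instance with its own seed models the second token the text describes for VPN authentication.

```python
"""PIN + tokencode passcode construction and server-side verification.
Added illustration, not BlackBerry or RSA code; TOTP (RFC 6238) stands in
for the proprietary SecurID tokencode. All seeds, PINs and times are constructed."""
import hashlib
import hmac
import os
import struct

STEP = 60     # tokencode lifetime in seconds (assumed for the example)
DIGITS = 6    # tokencode length (assumed for the example)


def tokencode(seed: bytes, t: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def build_passcode(pin: str, seed: bytes, t: int) -> str:
    """Device side: the saved software token PIN is prefixed to the current tokencode."""
    return pin + tokencode(seed, t)


class TokenVerifier:
    """Server side for one provisioned software token (for example, one for the
    WLAN and a separate instance for the VPN)."""

    def __init__(self, seed: bytes, pin: str, window: int = 1):
        self.seed = seed
        self.window = window            # accepted clock skew in steps, either side
        self.salt = os.urandom(16)      # the PIN is stored only as a salted hash
        self.pin_hash = self._pin_hash(pin)
        self.used = set()               # time counters whose tokencode was accepted

    def _pin_hash(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    def verify(self, passcode: str, t: int) -> bool:
        """Split the passcode into PIN and tokencode, check both factors, and
        refuse a tokencode that has already been accepted (replay)."""
        if len(passcode) <= DIGITS:
            return False
        pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
        pin_ok = hmac.compare_digest(self._pin_hash(pin), self.pin_hash)
        matched = None
        now_ctr = t // STEP
        # Check every counter in the skew window without stopping at the first
        # hit, so the work done does not reveal which candidate matched.
        for ctr in range(now_ctr - self.window, now_ctr + self.window + 1):
            if hmac.compare_digest(tokencode(self.seed, ctr * STEP), code):
                matched = ctr
        if not pin_ok or matched is None or matched in self.used:
            return False
        self.used.add(matched)
        return True


if __name__ == "__main__":
    seed = b"constructed-seed-0123456789"   # constructed; a real seed is provisioned
    verifier = TokenVerifier(seed, "2468")
    now = 1_700_000_000
    passcode = build_passcode("2468", seed, now)
    print("first use accepted:", verifier.verify(passcode, now))
    print("replay accepted:", verifier.verify(passcode, now + STEP))
```

Because a failed attempt never marks a counter as used, a user who mistypes the PIN can retry with the same tokencode; only a tokencode that was actually accepted is burned.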

Configuring MAC access control lists

Each network client has a unique 48-bit MAC address. To program a MAC ACL, you add the MAC address of every device that is allowed to access a specific enterprise Wi-Fi® network (a whitelist) or not allowed to access a specific enterprise Wi-Fi network (a blacklist) to the controller for each wireless access point.
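As an added illustration of the whitelist and blacklist behaviour described above (example code written for this page, not BlackBerry or access point controller code), the following Python evaluates a MAC ACL the way a controller would: it normalizes the notations in which addresses are commonly entered, rejects anything that is not a 48-bit unicast address before it can reach the list, and applies whitelist or blacklist semantics. The addresses and list contents are constructed for the example.

```python
"""MAC ACL evaluation with address normalization. Added example, not
BlackBerry or controller code; all addresses below are constructed."""
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(text: str) -> str:
    """Accept 00:1A:2B:3C:4D:5E, 00-1a-2b-3c-4d-5e or 001a.2b3c.4d5e and return
    the canonical lower-case colon form; raise ValueError for anything that is
    not exactly 48 bits of hex."""
    digits = re.sub(r"[:\-.]", "", text.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_unicast(mac: str) -> bool:
    """The low bit of the first octet is the I/G bit. Only unicast addresses
    (bit clear) identify a single client, so only they belong in an ACL."""
    return int(mac[:2], 16) & 0x01 == 0


class MacAcl:
    """A whitelist permits only listed clients; a blacklist permits all but listed clients."""

    def __init__(self, mode: str, entries):
        if mode not in ("whitelist", "blacklist"):
            raise ValueError("mode must be 'whitelist' or 'blacklist'")
        self.mode = mode
        self.entries = set()
        for entry in entries:
            mac = normalize_mac(entry)
            if not is_unicast(mac):
                raise ValueError(f"group address cannot be an ACL entry: {entry!r}")
            self.entries.add(mac)

    def permits(self, client_mac: str) -> bool:
        listed = normalize_mac(client_mac) in self.entries
        return listed if self.mode == "whitelist" else not listed


if __name__ == "__main__":
    acl = MacAcl("whitelist", ["00:1A:2B:3C:4D:5E"])       # constructed entry
    print(acl.permits("001a.2b3c.4d5e"), acl.permits("00-1a-2b-3c-4d-5f"))
```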

Configuring service-specific access security

If you do not use layer 2 or layer 3 access security, you can help to protect access to your trusted LAN by installing the BlackBerry® Router component in the DMZ, outside your organization’s firewall. You can also allow access to the enterprise Wi-Fi network using a captive portal.

Configuring a captive portal

A captive portal is a web-based mechanism for an enterprise Wi-Fi® network client to authenticate to your organization’s Wi-Fi network. The client gains access to the network and is placed in a walled garden using IP filters. A browser request from the client is directed to an HTML login page, which allows the network to authenticate the client before giving access to the network.

If your organization has a captive portal, you can permit users to access the captive portal using the Wi-Fi login application on the Wi-Fi enabled BlackBerry® device. Users must authenticate to the Wi-Fi login application using the login credentials that you provide.

After authenticating to the captive portal, the user can visit other web sites using a web browser on the BlackBerry device.

Component: BlackBerry® Enterprise Server Version 4.0 or later

• See the BlackBerry Enterprise Server Installation Guide for network operating system requirements.

• Verify that you have applied the required WLAN and VPN settings.

Component: wireless access points

• Verify that all access points comply with the IEEE® 802.11a™, IEEE® 802.11b™, or IEEE® 802.11g™ standard.

Component: BlackBerry device

• Verify that the BlackBerry device has access to the DHCP server, if you are not using static IP addresses, and to the DNS server.

Component: captive portal login

• Verify that a captive portal for your organization is configured.

• Verify that the WLAN Enable Authentication Page option is set to True to allow users to access the captive portal using the WLAN Login browser on the BlackBerry device.
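The walled-garden behaviour that this section and the earlier Hotspots description share (all traffic blocked except HTTP, HTTP requests redirected to a login page, full access granted after a successful login) can be written out as a small policy engine. The following Python is an added example for this page, not BlackBerry or captive portal vendor code. It assumes one thing the text does not state: DHCP and DNS from an unauthenticated client are let through, because without them the client can neither obtain an address nor resolve the login page. The login URL, session lifetime and credential store are constructed for the example; passwords are kept as salted PBKDF2 hashes and compared in constant time.

```python
"""Captive portal walled-garden policy. Added illustration, not BlackBerry or
portal vendor code; login URL, session lifetime and users are constructed."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

LOGIN_URL = "https://login.example.test/login"   # placeholder portal address
SESSION_TTL = 3600   # seconds an authenticated client keeps access (assumed)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user_db(users: dict) -> dict:
    """Build a constructed credential store: username -> (salt, PBKDF2 hash).
    A real portal would consult its AAA backend instead."""
    return {name: (salt, _hash(pw, salt))
            for name, pw in users.items()
            for salt in (os.urandom(16),)}


@dataclass
class Portal:
    users: dict
    sessions: dict = field(default_factory=dict)   # client_ip -> session expiry

    def decide(self, client_ip: str, proto: str, dst_port: int, now=None):
        """Return (action, detail) for one packet: "allow", "redirect" or "drop"."""
        now = time.time() if now is None else now
        expiry = self.sessions.get(client_ip)
        if expiry is not None and now < expiry:
            return ("allow", "authenticated")
        if expiry is not None:
            del self.sessions[client_ip]            # session lifetime exceeded
        # Assumed by this example: DHCP and DNS must pass or the client can
        # never reach the login page. Everything else stays in the walled garden.
        if proto == "udp" and dst_port in (53, 67, 68):
            return ("allow", "bootstrap")
        if proto == "tcp" and dst_port == 80:
            return ("redirect", LOGIN_URL)          # HTTP is steered to the login page
        return ("drop", "walled garden")            # HTTPS cannot be redirected cleanly

    def login(self, client_ip: str, username: str, password: str, now=None) -> bool:
        """Check the supplied credentials; on success open a session for the client."""
        now = time.time() if now is None else now
        record = self.users.get(username)
        if record is None:
            _hash(password, b"\0" * 16)             # same cost for unknown users
            return False
        salt, expected = record
        if not hmac.compare_digest(_hash(password, salt), expected):
            return False
        self.sessions[client_ip] = now + SESSION_TTL
        return True


if __name__ == "__main__":
    portal = Portal(make_user_db({"alice": "correct horse"}))   # constructed user
    print(portal.decide("10.0.0.5", "tcp", 80))
    print(portal.login("10.0.0.5", "alice", "correct horse"))
    print(portal.decide("10.0.0.5", "tcp", 443))
```

The session table is keyed by client IP because the text describes the walled garden as IP filters; a portal that keys on the MAC address instead would use the same structure with a different key.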

5: Installing and configuring the BlackBerry Enterprise Server

Verifying that you are ready to install the BlackBerry Enterprise Server

• BlackBerry® Enterprise Server Version 4.0.x (Microsoft® Exchange, IBM® Lotus® Domino®, Novell® GroupWise®): BlackBerry Enterprise Server Installation Guide, "Preparing your environment"

• BlackBerry Enterprise Server Version 4.1.x (Microsoft Exchange, IBM Lotus Domino, Novell GroupWise): BlackBerry Enterprise Server Installation Guide, "System requirements"

Configuring the BlackBerry Enterprise Server environment

• BlackBerry® Enterprise Server Version 4.0.x (Microsoft® Exchange, IBM® Lotus® Domino®, Novell® GroupWise®): BlackBerry Enterprise Server Installation Guide, "Configure required permissions" and "Configure required network protocols"

• BlackBerry Enterprise Server Version 4.1.x (Microsoft Exchange, IBM Lotus Domino, Novell GroupWise): BlackBerry Enterprise Server Installation Guide, "Configuring your environment"


Preparing to support Wi-Fi enabled BlackBerry devices

Component: wireless access point installation and configuration

• Install the access points for your enterprise Wi-Fi® network.

• If you do not use a switched enterprise Wi-Fi network and you have multiple subnets, configure the subnets to cover the same physical area. The configuration can affect the user experience with calls.

• Assign an SSID to each access point or to each group of access points that share an SSID.

• If users will roam between access points, configure all relevant SSID profiles on each access point.

• If your organization uses NAT traversal, verify that your access points support NAT traversal.

Component: access point authentication

• Set authentication using one of the supported authentication methods.

Component: access point encryption

• Set encryption using one of the supported encryption methods.

Component: VPN concentrator (optional)

• Verify that a supported VPN concentrator is installed. Consult with your organization’s firewall or VPN concentrator administrator to determine proper configuration settings.

• Set the VPN credentials on the BlackBerry® device to match the VPN configuration. You can complete this task either manually on the BlackBerry device or using an IT policy (recommended).

Component: firewall

• Open the required ports, as described in Placing the BlackBerry Enterprise Solution in a segmented network.

• If you use a proxy firewall, configure the proxy to be transparent.

Component: ports for Wi-Fi network traffic

• Configure the following ports for network traffic associated with a Wi-Fi network (the port assignments might vary by mobile network provider):

  • port 4101: from the BlackBerry device to the BlackBerry Router (incoming only; TCP)

  • port 4500: from the BlackBerry device to the mobile network UMA infrastructure (outgoing only using IPSec and TCP)

  • port 500: from the BlackBerry device to the mobile network UMA infrastructure (outgoing only using IPSec and TCP)

  • port 443: from the BlackBerry device to the BlackBerry Router (optional; outgoing only using TCP; used only for direct Wi-Fi connections to the BlackBerry® Infrastructure)

Component: DHCP server (optional)

• Configure the DHCP server for use with your enterprise Wi-Fi network.

Component: DNS server

• Verify that the BlackBerry device can access one or more DNS servers.

Component: AAA server (optional)

• Configure the AAA server to support your Wi-Fi authentication method.

• Authorize all access points for use with the AAA server.

Component: BlackBerry user accounts

• Create authentication credentials for the BlackBerry device user.

• If you are using EAP-TLS, EAP-TTLS, or PEAP authentication methods, permit access to a PKI infrastructure and certificates.

Component: BlackBerry® Enterprise Server

• Install BlackBerry Enterprise Server Version 4.0 or later.

• If you use the BlackBerry Enterprise Server for Novell® GroupWise®, and you want the date and time on the BlackBerry device to synchronize from the BlackBerry Router over the mobile network, install BlackBerry Enterprise Server Version 4.0 SP2 or later.

• If necessary, import the correct IT policy template file.


Installing the BlackBerry Enterprise Server

• BlackBerry® Enterprise Server Version 4.0.x (Microsoft® Exchange, IBM® Lotus® Domino®, Novell® GroupWise®): BlackBerry Enterprise Server Installation Guide, "Installing the BlackBerry Enterprise Server"

• BlackBerry Enterprise Server Version 4.1.x (Microsoft Exchange, IBM Lotus Domino, Novell GroupWise): BlackBerry Enterprise Server Installation Guide, "Installing the BlackBerry Enterprise Server software"

Adding administrators to roles

• BlackBerry® Enterprise Server Version 4.0.x (Microsoft® Exchange, IBM® Lotus® Domino®, Novell® GroupWise®): — (no document or resource listed)

• BlackBerry Enterprise Server Version 4.1.x (Microsoft Exchange, IBM Lotus Domino, Novell GroupWise): BlackBerry Enterprise Server System Administration Guide, "Mapping roles in your organization to BlackBerry roles"

Setting up the BlackBerry Enterprise Server environment

• BlackBerry® Enterprise Server Version 4.0.x (Microsoft® Exchange, IBM® Lotus® Domino®, Novell® GroupWise®): BlackBerry Enterprise Server Administration Guide, "Managing the BlackBerry Enterprise Server"

• BlackBerry Enterprise Server Version 4.1.x (Microsoft Exchange, IBM Lotus Domino, Novell GroupWise): BlackBerry Enterprise Server System Administration Guide, "Setting up the BlackBerry environment"

6: Setting up user accounts on the BlackBerry Enterprise Server

Setting up user accounts

To set up a user account on the BlackBerry® Enterprise Server, you complete the following tasks:

• add the user account to the BlackBerry Enterprise Server

• optionally, assign the user account to a group (BlackBerry Enterprise Server Version 4.1 or later)

• customize organizer data synchronization

Adding user accounts

• BlackBerry® Enterprise Server Version 4.0.x, Microsoft® Exchange: BlackBerry Enterprise Server Administration Guide, "Add a user"

• BlackBerry Enterprise Server Version 4.0.x, IBM® Lotus® Domino®: BlackBerry Enterprise Server Administration Guide, "Add a user from a local or foreign domain"

• BlackBerry Enterprise Server Version 4.0.x, Novell® GroupWise®: BlackBerry Enterprise Server Administration Guide, "Adding user accounts"

• BlackBerry Enterprise Server Version 4.1.x (Microsoft Exchange, IBM Lotus Domino, Novell GroupWise): BlackBerry Enterprise Server System Administration Guide, "Adding user accounts"


Adding user groups

• BlackBerry® Enterprise Server Version 4.0.x: — (no document or resource listed)

• BlackBerry Enterprise Server Version 4.1.x (Microsoft® Exchange, IBM® Lotus® Domino®, Novell® GroupWise®): BlackBerry Enterprise Server System Administration Guide, "Managing user groups"

Customizing organizer data synchronization

• BlackBerry® Enterprise Server Version 4.0.x (Microsoft® Exchange, IBM® Lotus® Domino®, Novell® GroupWise®): BlackBerry Enterprise Server Administration Guide, "Managing PIM synchronization", "Turn off or turn on wireless message reconciliation on the server", and "Managing redirection filters"

• BlackBerry Enterprise Server Version 4.1, Microsoft Exchange: BlackBerry Enterprise Server System Administration Guide, "Customizing PIM synchronization"

• BlackBerry Enterprise Server Version 4.1, IBM Lotus Domino and Novell GroupWise: BlackBerry Enterprise Server Administration Guide, "PIM synchronization" and "Customizing PIM synchronization"

• BlackBerry Enterprise Server Version 4.1 SP2 and Version 4.1 SP3 (Microsoft Exchange, IBM Lotus Domino, Novell GroupWise): BlackBerry Enterprise Server System Administration Guide, "Organizer data synchronization" and "Customizing organizer data synchronization"

7: Configuring WLAN and VPN settings

WLAN and VPN profiles

You can use WLAN and optional VPN settings to manage the access and behavior of your user accounts associated with BlackBerry® devices that can operate on both mobile and Wi-Fi® networks.

In BlackBerry® Enterprise Server Version 4.1 SP2 or later, you can manage these settings for individual user accounts on a BlackBerry Enterprise Server through WLAN and VPN profiles.

You can create and assign one or more WLAN or VPN configuration profiles through the BlackBerry Manager, using a process that is similar to the process for creating an IT policy and assigning it to a user. If a user has a VPN profile, you can associate the profile with the user’s WLAN profile.

For groups, you assign the settings through WLAN and VPN IT policies.

If you run a version of the BlackBerry Enterprise Server previous to Version 4.1 SP2, you manage WLAN and VPN settings through IT policies.

Configuring WLAN and VPN profiles

You can use configuration profiles to manage WLAN and VPN settings for individual user accounts on BlackBerry® Enterprise Server Version 4.1 SP2 or later.

Configure a WLAN profile

1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.

2. On the Global tab, click Edit Properties.

3. Click WLAN Configuration.

4. In the WLAN Configuration Administration section, double-click WLAN Configuration Sets.

5. Click New.

6. Double-click Name.


7. Type a name for the new WLAN configuration profile.

8. In the left pane, click WLAN Settings.

9. In the right pane, double-click a WLAN configuration setting.

10. Select or specify a value for the setting.

11. Repeat the preceding two steps for each additional WLAN setting.

12. Click Apply.

Related topic: Using WLAN IT policy rules with a WLAN configuration set

Configure a WLAN profile based on an existing profile

1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.

2. On the Global tab, click Edit Properties.

3. Click WLAN Configuration.

4. In the WLAN Configuration Administration section, double-click WLAN Configuration Sets.

5. Click a WLAN configuration set.

6. Click New Copy.

7. Double-click Name. Type a name for the new WLAN configuration profile.

8. In the left pane, click WLAN Settings.

9. Change or add the required settings.

10. Click Apply.

Related topic: Using WLAN IT policy rules with a WLAN configuration set

Configure a VPN profile

1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.

2. On the Global tab, click Edit Properties.

3. Click WLAN Configuration.

4. In the WLAN Configuration Administration section, double-click VPN Configuration Sets.

5. Click New.

6. Double-click Name. Type a name for the new VPN configuration profile.

7. In the left pane, click VPN Settings.

8. In the right pane, double-click a VPN configuration setting.


9. Select or specify a value for the setting.

10. Repeat the preceding two steps for each additional VPN setting.

11. Click Apply.

Related topic: VPN IT policy group

Configure a VPN profile based on an existing profile

1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.

2. On the Global tab, click Edit Properties.

3. Click WLAN Configuration.

4. In the WLAN Configuration Administration section, double-click VPN Configuration Sets.

5. Click a VPN configuration set.

6. Click New Copy.

7. Double-click Name. Type a name for the new VPN configuration profile.

8. In the left pane, click VPN Settings.

9. Change or add the required settings.

10. Click Apply.

Related topic: VPN IT policy group

Associate a VPN profile with a WLAN profile

You can associate a VPN profile with a WLAN profile so that, for example, a BlackBerry® device automatically makes a VPN connection if a user requires a connection for access to services on the enterprise Wi-Fi® network.

1. In the BlackBerry Manager, in the left pane, click BlackBerry Domain.

2. On the Global tab, click Edit Properties.

3. Click WLAN Configuration.

4. In the WLAN Configuration Administration section, double-click WLAN Configuration Sets.

5. In the Name list, double-click the WLAN profile that you want to associate with a VPN profile.

6. In the left pane, click Associations.

7. In the right pane, click Associated VPN Configurations.

8. In the list, click the name of the VPN profile that you want to associate with the WLAN profile.

9. Click Apply.


Assigning profiles

Assign a WLAN profile to a user account

You can assign more than one WLAN or VPN profile to a user account.

1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.

2. On the All Users tab, double-click the user account to which you want to assign the profile.

3. In the Properties for the user account, click WLAN Configuration.

4. In the WLAN Configuration Administration section, double-click WLAN Configuration Sets.

5. Click New.

6. In the Select WLAN Base Configuration dialog box, click the WLAN profile that you want to assign.

7. Click OK.

8. Click OK.

9. In the WLAN Configuration Administration section, verify that the correct profile is assigned.

Assign a VPN profile to a user account

1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.

2. On the All Users tab, double-click the user account to which you want to assign the profile.

3. In the Properties for the user account, click WLAN Configuration.

4. In the WLAN Configuration Administration section, double-click VPN Configuration Sets.

5. Click New.

6. In the Select WLAN Base Configuration dialog box, click the VPN profile that you want to assign.

7. Click OK.

8. Click OK.

9. In the WLAN Configuration Administration section, verify that the correct profile is assigned.

Managing profiles

Change a setting in a WLAN profile

1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.

2. On the Global tab, click Edit Properties.

3. Click WLAN Configuration.

4. In the WLAN Configuration Administration section, double-click WLAN Configuration Sets.


5. Double-click the profile that you want to change.

6. In the left pane, click one of the following options:

• WLAN Settings

• Associations

7. In the right pane, make your changes.

8. Click Apply.

Change a setting in a VPN profile

1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.

2. On the Global tab, click Edit Properties.

3. Click WLAN Configuration.

4. In the WLAN Configuration Administration section, double-click VPN Configuration Sets.

5. Double-click the profile that you want to change.

6. In the left pane, click VPN Settings.

7. In the right pane, change the settings as required.

8. Click Apply.

Delete a WLAN profile

1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.

2. On the Global tab, click Edit Properties.

3. Click WLAN Configuration.

4. In the WLAN Configuration Administration section, double-click WLAN Configuration Sets.

5. Click the profile that you want to delete.

6. Click Remove.

7. Click Apply.

Delete a VPN profile

1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.

2. On the Global tab, click Edit Properties.

3. Click WLAN Configuration.

4. In the WLAN Configuration Administration section, double-click VPN Configuration Sets.

5. Click the profile that you want to delete.


6. Click Remove.

7. Click Apply.

Managing WLAN and VPN settings using IT policies

You can use the settings in the WLAN and VPN IT policy groups to manage Wi-Fi® enabled BlackBerry® devices in the following situations:

• You run a version of the BlackBerry® Enterprise Server previous to Version 4.1 SP2.

• You want to configure WLAN or VPN settings for groups of user accounts with Wi-Fi enabled BlackBerry devices.

For more information about creating and assigning IT policies, see the BlackBerry Enterprise Server System Administration Guide.

Download the IT policy definitions file

If you run a version of the BlackBerry® Enterprise Server previous to Version 4.1 SP2, you import the IT policy definitions file for your version. This file provides the required WLAN and VPN settings and adds the settings to the existing IT policy rules in the BlackBerry Manager. When you import the additional IT policy definitions file, the BlackBerry Configuration Database preserves the existing BlackBerry Enterprise Server IT policy settings when it updates the BlackBerry Manager.

If you previously configured any per-user IT policy rules as global rules using IT Policy settings for BlackBerry Enterprise Server Version 4.0.x, during an upgrade to BlackBerry Enterprise Server Version 4.1 or later, the settings for those IT policy rules might revert to the default values. You should manually resend all per-user IT policy rules using the BlackBerry Manager provided in BlackBerry Enterprise Server Version 4.1 or later.

1. Visit www.blackberry.com/support.

2. Locate the correct IT policy template file.

3. Download the IT policy template file to your administration computer.

Importing the IT policy rules

Import the IT policy rules in an environment that uses a Microsoft SQL Server database

1. At the command prompt, type

osql -E -d BESMgmt -i "<path>\<ITPolicyTemplateFile.sql>"

where <path> is the location of the downloaded IT policy template file, and <ITPolicyTemplateFile.sql> is the name of the downloaded IT policy template file.


Import the IT policy rules in an environment that uses an IBM DB2 Universal Database

1. At the command prompt, type

db2cmd

2. Type one of the following commands:

• db2 connect to besmgmt

• db2 connect to besmgmt user besadmin

A password prompt appears after the second command.

3. If the current user is not the database schema owner, type the following command at the command prompt:

db2 SET CURRENT SCHEMA <SCHEMA OWNER>

where the default <SCHEMA OWNER> value is BESADMIN.

4. At the command prompt, type

db2 -td~ -n -f "<path>\<ITPolicyTemplateFile.sql>"

where <path> is the location of the downloaded IT policy template file, and <ITPolicyTemplateFile.sql> is the name of the downloaded IT policy template file.

5. At the command prompt, type

db2 disconnect all

Configuring and assigning IT policies

Configuring and assigning IT policies in BlackBerry Enterprise Server Version 4.0.x

In BlackBerry® Enterprise Server Version 4.0, the IT policy rule settings are global. To apply WLAN and VPN settings for a specific user account, you create a custom IT policy for each Wi-Fi® enabled BlackBerry device.

Configure an IT policy in a Microsoft Exchange environment

1. In the BlackBerry® Manager, in the left pane, right-click a server. Click IT Policy.

2. Click New.

3. Type a name for the new IT policy.

4. In the Policy rule list, select the IT policy rules to add to the IT policy.

5. Click OK.

Configure an IT policy in an IBM Lotus Domino environment or a Novell GroupWise environment

1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.

2. On the Global tab, click Edit Properties.

3. Click IT Policy.

4. In the IT Policy Administration section, double-click IT Policies.


5. Click New.

6. Double-click IT Policy Name.

7. Type a name for the new IT policy.

8. From the Policy rule list, add IT policy rules to the IT policy:

• In the left pane, click an IT policy group.

• In the right pane, double-click the IT policy rule to assign a value or to choose between True or False.

9. Click OK.

Configuring and assigning IT policies in BlackBerry Enterprise Server Version 4.1 or later

In BlackBerry® Enterprise Server Version 4.1 or later, you can configure specific WLAN and VPN settings to apply to one user only. You can also assign WLAN and VPN settings to a group using IT policies.

Configure an IT policy

1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.

2. On the Global tab, click Edit Properties.

3. Click IT Policy.

4. In the IT Policy Administration section, double-click IT Policies.

5. Click New.

6. Double-click IT Policy Name.

7. Type a name for the new IT policy.

8. To configure the IT policy rules, perform the following actions:

• In the left pane, click a policy group.

• In the right pane, double-click an IT policy rule.

• Set a value for the IT policy rule.

9. Click OK.

Assign an IT policy to a user account

1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.

2. On the Global tab, click Edit Properties.

3. Click IT Policy.

4. In the IT Policy Administration section, double-click IT Policy to User Mapping.

5. In the left pane, click a user account.


6. In the right pane, select the IT policy that you want to assign.

7. Click OK.

Assign an IT policy to a group

1. In the BlackBerry® Manager, in the left pane, click User Groups List.

2. In the Group Name list, click a group.

3. Click Edit Group Template.

4. Click IT Policy.

5. To override any user exceptions to the IT policy rules, in the right pane, select the IT Policy Name option.

6. In the drop-down list, click an IT policy.

7. Click Reapply Template.

8. Click Yes.

9. Click OK.

Configure a Wi-Fi profile manually on the BlackBerry device

By default, new Wi-Fi® profiles appear at the bottom of the Wi-Fi profile list on the BlackBerry® device.

1. On the Home screen or in the application list, click Manage Connections.

2. Click Manage Connections.

3. Click Set Up Wi-Fi Network.

4. Complete the instructions on the screen.

5. On the Wi-Fi Setup Complete screen, perform any of the following actions:

• To change the order of Wi-Fi profiles, click Prioritize Wi-Fi Profiles. To return to the Wi-Fi Setup Complete screen, press the Escape key.

• To specify registration information, click Wi-Fi Hotspot Login. To return to the Wi-Fi Setup Complete screen, press the Escape key.

6. Click Finish.

8: Configuring encryption and authentication methods on the BlackBerry device

For more information about security features, see the BlackBerry Enterprise Solution Security Technical Overview.

Configure WEP encryption

WEP uses a matching encryption key at both the wireless access point and the wireless client to secure wireless communication. This key can be 40 bits (for 64-bit WEP) or 104 bits (for 128-bit WEP) in length.


Requirement: Obtain the WEP keys for the wireless access point.
Notes: For more information, see the documentation for your access points.

Requirement: Distribute the WEP keys to the Wi-Fi® enabled BlackBerry® device.
Notes: You can configure the WEP keys either in the default IT policy rules or in the WLAN configuration settings for the user. The BlackBerry® Enterprise Server sends the WEP key information during the initial configuration and activation of a new Wi-Fi enabled BlackBerry device.

Requirement: The WEP keys on the BlackBerry device must match the WEP keys on the wireless access point.
Notes: You can configure four WEP keys and a default key ID. The WEP key numbering on the BlackBerry device does not match the WEP key numbering in the IT policy for the enterprise Wi-Fi network. For example, WEP key 1 on the BlackBerry device is WEP key 0 in the IT policy; WEP key 2 on the BlackBerry device is WEP key 1 in the IT policy. You type or copy the WEP keys of your access point as a string of hexadecimal digits. A WEP passphrase is not supported.
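The WEP requirements above are easy to get wrong by hand: the key must be hexadecimal (no passphrase), exactly 40 or 104 bits long, and the device numbers its keys 1-4 where the IT policy numbers them 0-3. The following is an added example, not code from RIM or from the BlackBerry Manager, of a pre-deployment check an administrator could run over the keys before sending them out. The stripping of colon and dash separators is an assumption about how some access points export keys, and the sample keys are constructed values.

```python
import re

# Hex digits per key size described in the supplement: a 40-bit key (64-bit WEP)
# is 10 hex digits, a 104-bit key (128-bit WEP) is 26 hex digits.
WEP_KEY_BITS_BY_HEX_LEN = {10: 40, 26: 104}
_HEX = re.compile(r"^[0-9A-Fa-f]+$")


def normalize_wep_key(key: str) -> str:
    """Return the key as lower-case hex, or raise ValueError if it is not a valid WEP key.

    Colon and dash separators between octets are stripped (an assumption about how
    some access points print keys, not something the supplement states).
    """
    cleaned = key.strip().replace(":", "").replace("-", "").lower()
    if not _HEX.match(cleaned):
        raise ValueError("WEP key must be hexadecimal digits; a WEP passphrase is not supported")
    if len(cleaned) not in WEP_KEY_BITS_BY_HEX_LEN:
        raise ValueError(f"WEP key must be 10 or 26 hex digits (40 or 104 bits), got {len(cleaned)}")
    return cleaned


def wep_key_bits(key: str) -> int:
    """Key length in bits (40 or 104) for a valid hex WEP key."""
    return WEP_KEY_BITS_BY_HEX_LEN[len(normalize_wep_key(key))]


def device_to_policy_index(device_key_number: int) -> int:
    """'WEP key N' on the device is 'WEP key N-1' in the IT policy (device 1-4 -> policy 0-3)."""
    if not 1 <= device_key_number <= 4:
        raise ValueError("device WEP key number must be between 1 and 4")
    return device_key_number - 1


def check_wep_configuration(policy_keys: dict, device_keys: dict, device_default_key: int) -> list:
    """Compare IT policy keys (indexed 0-3) with the keys shown on the device (indexed 1-4).

    Returns a list of human-readable problems; an empty list means every device key
    matches its IT policy counterpart and the default key ID refers to a configured key.
    """
    problems = []
    for device_no in sorted(device_keys):
        policy_idx = device_to_policy_index(device_no)
        try:
            dev_hex = normalize_wep_key(device_keys[device_no])
            pol_hex = normalize_wep_key(policy_keys[policy_idx]) if policy_idx in policy_keys else None
        except ValueError as exc:
            problems.append(f"device WEP key {device_no} / IT policy WEP key {policy_idx}: {exc}")
            continue
        if pol_hex is None:
            problems.append(f"device WEP key {device_no} has no counterpart IT policy WEP key {policy_idx}")
        elif pol_hex != dev_hex:
            problems.append(f"device WEP key {device_no} does not match IT policy WEP key {policy_idx}")
    if device_default_key not in device_keys:
        problems.append(f"default key ID {device_default_key} does not refer to a configured device key")
    return problems


# Constructed sample values (not keys from the supplement): the IT policy holds keys 0-3,
# the device shows them as keys 1-4, and device key 3 has a typo in its last digit.
SAMPLE_POLICY_KEYS = {
    0: "0123456789",
    1: "abcdef0123",
    2: "00112233445566778899aabbcc",
    3: "ffeeddccbbaa99887766554433",
}
SAMPLE_DEVICE_KEYS = {
    1: "0123456789",
    2: "ABCDEF0123",
    3: "00112233445566778899aabbcd",
    4: "ffeeddccbbaa99887766554433",
}

if __name__ == "__main__":
    for problem in check_wep_configuration(SAMPLE_POLICY_KEYS, SAMPLE_DEVICE_KEYS, 1):
        print(problem)
```

Running the check on the sample data reports only the mismatched third key; the upper-case device key 2 is accepted because hex comparison is case-insensitive.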


Configure PSK encryption

The IEEE® 802.1X™ standard defines a generic framework that provides layer 2 access control to wireless and wired networks. IEEE® 802.11i™ specifies two enterprise Wi-Fi® network access control methods using IEEE 802.1X: one based on PSKs and one based on EAP.

Small office and personal environments where it is not feasible to set up a server-based authentication infrastructure might use the PSK method. The wireless access point and the wireless client use a PSK to mutually derive link layer encryption keys. The PSK method uses TKIP or AES-CCMP algorithms to secure enterprise Wi-Fi network communications between a client device and the access point, but it relies on a single, shared passphrase that is up to 256 bits in length for access control. All access points and wireless clients must know the passphrase.

The implementation of PSK on the Wi-Fi enabled BlackBerry® device is compatible with the WPA™-Personal and WPA2™-Personal specifications.
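The supplement says the access point and the client "mutually derive" link layer keys from a shared passphrase of up to 256 bits. The mapping from passphrase to 256-bit PSK that WPA-Personal and WPA2-Personal use is defined in IEEE 802.11i (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 32-byte output); the following is an added example of that mapping in Python, not RIM's code and not the BlackBerry device's implementation. It also applies the standard's passphrase rules (8-63 printable ASCII characters, or 64 hex digits taken as the raw key) and shows why the passphrase has to be identical on both sides: a one-character difference, or a different SSID, yields an unrelated key and the 4-way handshake cannot succeed.

```python
import hashlib
import hmac
import re

_HEX64 = re.compile(r"^[0-9A-Fa-f]{64}$")


def passphrase_to_psk(passphrase: str, ssid: str) -> bytes:
    """Map a WPA/WPA2-Personal passphrase to the 256-bit PSK (IEEE 802.11i Annex H).

    PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    A 64-hex-digit string is the raw 256-bit key and is used as-is.
    """
    if _HEX64.match(passphrase):
        return bytes.fromhex(passphrase)
    if not 8 <= len(passphrase) <= 63 or any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters or 64 hex digits")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32)


def psk_sides_agree(ap_passphrase: str, client_passphrase: str, ssid: str) -> bool:
    """True when the access point and the client derive the same PMK for this SSID.

    This is the condition the 4-way handshake enforces: both sides must hold the same
    PSK before any link layer (TKIP or AES-CCMP) keys can be derived from it.
    """
    ap_psk = passphrase_to_psk(ap_passphrase, ssid)
    client_psk = passphrase_to_psk(client_passphrase, ssid)
    return hmac.compare_digest(ap_psk, client_psk)


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE".
    print(passphrase_to_psk("password", "IEEE").hex())
    print(psk_sides_agree("password", "Password", "IEEE"))  # case differs: False
```

The standard's own test vector (passphrase "password", SSID "IEEE") is reproduced by the first print, which is a convenient way to confirm a tool or access point is computing the PSK correctly before distributing a passphrase through the WLAN Preshared Key IT policy rule.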

Requirement: Obtain the passphrase for the wireless access point.
Notes: For more information, see the documentation for your access point.

Requirement: Distribute the passphrase for user authentication to the Wi-Fi enabled BlackBerry device.
Notes: You can set the passphrase and distribute it to the BlackBerry device using the WLAN Preshared Key IT policy rule.

Requirement: The passphrase on the BlackBerry device must match the key or passphrase on the wireless access point.

Using the IEEE 802.1X and EAP authentication framework

The IEEE® 802.1X™ standard defines a generic authentication framework that enterprise Wi-Fi® network client devices and wired or wireless networks can use to authenticate with each other to permit or deny the enterprise Wi-Fi network client devices to access the network. IEEE 802.1X uses EAP methods to provide authentication for network access control.

An IEEE 802.1X environment for Wi-Fi enabled BlackBerry® devices includes the following components:

• built-in IEEE 802.1X and EAP client software, also called a supplicant, running on the Wi-Fi enabled BlackBerry device

• IEEE 802.1X software running on the wireless access point, also called an authenticator

• authentication server that authenticates the enterprise Wi-Fi network client device on behalf of the authenticator

In most cases, the authentication server uses the RADIUS protocol (RFC 2865 and RFC 3579) to communicate with the authenticator on the access point.

If you are using one of the supported EAP authentication methods, all of which are designed to provide mutual authentication between Wi-Fi enabled BlackBerry devices and the enterprise Wi-Fi network, you can grant and revoke access to the enterprise Wi-Fi network for a BlackBerry device by updating the central authentication server only. You do not need to update the configuration of each access point.


An IEEE 802.1X framework uses EAP methods to provide authentication. PEAP, EAP-TLS, EAP-TTLS, and EAP-FAST authentication methods are designed to provide mutual authentication between the BlackBerry device and the enterprise Wi-Fi network, if required by your organization’s security policy. If you are using PEAP, EAP-TLS, or EAP-TTLS methods, you require a certificate authority to generate the certificates that each BlackBerry device and the RADIUS server stores.

When a wireless client first associates itself with an access point that is enabled for IEEE 802.1X security, the only communication that the access point permits is IEEE 802.1X authentication. Using a negotiated EAP method, the supplicant on the Wi-Fi enabled BlackBerry device sends its credentials (typically, a BlackBerry device user name and password) to the access point, which forwards the information to the authentication server. The authentication server authenticates the BlackBerry device on behalf of the access point and instructs the access point to permit or prevent access to the enterprise Wi-Fi network.

After an authentication server permits the BlackBerry device to access the enterprise Wi-Fi network, the access point and the BlackBerry device use IEEE 802.1X EAPOL-key messages to establish the WEP, TKIP, or AES-CCMP encryption keys, depending on the encryption method that you have configured on your enterprise Wi-Fi network. After the access point and the BlackBerry device exchange encryption keys, the BlackBerry device has an encrypted connection to the access point.

When using EAP-TLS, PEAP, or EAP-FAST, the Wi-Fi enabled BlackBerry device and the access point can cache a PMK, which is derived from keying material that the EAP exchange generates. PMK caching reuses previously established keying material so that the BlackBerry device can skip IEEE 802.1X authentication when it reconnects to an access point with which it already shares a cached PMK. This feature helps to reduce the roaming latency between access points in an enterprise Wi-Fi network environment for the Wi-Fi enabled BlackBerry device.
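To make the PMK caching behaviour concrete, here is an added model of it in Python (not RIM's code and not the device's or any access point's implementation). It uses the IEEE 802.11i cache identifier, PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), where AA is the access point MAC and SPA the device MAC, and walks through a roaming sequence: first contact with an access point runs the full EAP exchange, returning to that access point within the cache lifetime skips it, a different access point needs a fresh exchange (the PMKID is bound to the AP address), and an expired entry forces re-authentication. The MAC addresses are constructed, and `fake_eap` is a deterministic stand-in for keying material that a real deployment gets from the authentication server.

```python
import hashlib
import hmac
import itertools

PMK_LEN = 32  # 256-bit PMK, as produced from the EAP keying material


def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), the IEEE 802.11i cache identifier."""
    if len(pmk) != PMK_LEN or len(ap_mac) != 6 or len(sta_mac) != 6:
        raise ValueError("PMK must be 32 bytes and MAC addresses 6 bytes")
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


class ApPmkCache:
    """Authenticator-side cache of PMKs keyed by PMKID, each with a lifetime in seconds."""

    def __init__(self, lifetime_s: float = 3600.0):
        self.lifetime_s = lifetime_s
        self._entries = {}  # PMKID -> (PMK, expiry time)

    def add(self, pmk: bytes, ap_mac: bytes, sta_mac: bytes, now: float) -> bytes:
        pid = pmkid(pmk, ap_mac, sta_mac)
        self._entries[pid] = (pmk, now + self.lifetime_s)
        return pid

    def lookup(self, pid: bytes, now: float):
        """Return the cached PMK for this PMKID, or None if it is unknown or expired."""
        entry = self._entries.get(pid)
        if entry is None:
            return None
        pmk, expires_at = entry
        if now >= expires_at:
            del self._entries[pid]  # an expired entry forces a fresh 802.1X exchange
            return None
        return pmk


class Station:
    """Supplicant side: remembers one PMK per access point it has authenticated with."""

    def __init__(self, mac: bytes):
        self.mac = mac
        self.pmks = {}  # AP MAC -> PMK

    def offered_pmkids(self, ap_mac: bytes) -> list:
        """PMKIDs the device lists in its (re)association request for this access point."""
        return [pmkid(self.pmks[ap_mac], ap_mac, self.mac)] if ap_mac in self.pmks else []


def associate(sta: Station, ap_mac: bytes, ap_cache: ApPmkCache, now: float, run_eap):
    """Model of (re)association. On a cache hit both sides go straight to the 4-way
    handshake with the cached PMK; otherwise the full EAP exchange (run_eap) yields a
    fresh PMK that both sides cache. Returns (pmk, eap_was_run)."""
    for pid in sta.offered_pmkids(ap_mac):
        pmk = ap_cache.lookup(pid, now)
        if pmk is not None:
            return pmk, False
    pmk = run_eap()
    sta.pmks[ap_mac] = pmk
    ap_cache.add(pmk, ap_mac, sta.mac, now)
    return pmk, True


# Constructed sample addresses; each access point keeps its own cache.
STA_MAC = bytes.fromhex("001122334455")
AP_A_MAC = bytes.fromhex("0a0b0c0d0e01")
AP_B_MAC = bytes.fromhex("0a0b0c0d0e02")
_eap_runs = itertools.count(1)


def fake_eap() -> bytes:
    """Deterministic stand-in for the keying material a real EAP exchange produces."""
    return hashlib.sha256(b"constructed EAP keying material %d" % next(_eap_runs)).digest()


def roaming_scenario(lifetime_s: float = 3600.0) -> list:
    """Return, per association in the sequence, whether a full EAP exchange was needed."""
    sta = Station(STA_MAC)
    caches = {AP_A_MAC: ApPmkCache(lifetime_s), AP_B_MAC: ApPmkCache(lifetime_s)}
    steps = [(AP_A_MAC, 0.0), (AP_B_MAC, 10.0), (AP_A_MAC, 20.0), (AP_A_MAC, lifetime_s + 21.0)]
    return [associate(sta, ap, caches[ap], now, fake_eap)[1] for ap, now in steps]


if __name__ == "__main__":
    print(roaming_scenario())  # first contact, new AP, cache hit, expired entry
```

The cache lifetime is the knob a defender cares about: a long lifetime lowers roaming latency, but a device whose access was revoked at the authentication server can keep reconnecting to access points that still hold its PMK until those entries expire, which is why revocation should be paired with a short lifetime or an explicit cache flush.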

The BlackBerry device supports the EAP methods LEAP, PEAP, EAP-TLS, EAP-TTLS, and EAP-FAST. If BlackBerry device users share a single set of EAP credentials, you can set an IT policy to send those credentials to each BlackBerry device automatically. Because EAP credentials are often unique to each BlackBerry device user, you can use a per-user IT policy rule or WLAN configuration settings for a specific user to set an EAP method.

Configure LEAP authentication

LEAP is a proprietary authentication mechanism developed by Cisco Systems that provides one-sided, server-based authentication between the enterprise Wi-Fi® network and the Wi-Fi enabled BlackBerry® device, per-client dynamic generation of WEP keys, and automatic WEP key updates during a session.

The BlackBerry device supports LEAP authentication based on a user name and password. The BlackBerry device uses a one-way function to encrypt passwords before sending them to the authentication server.

You must set strong password policies if Wi-Fi network authentication uses LEAP authentication.

Requirement: On the wireless access point, configure the LEAP settings to accept SSID association requests from users with the credentials that you specify, or identify the authentication server used to authenticate user credentials.
Notes: For more information, see the documentation for your access points.

Requirement: Set the user name and password for LEAP authentication.
Notes: The user must type the correct credentials for authentication and receive the session-based WEP key.


Configuring PEAP, EAP-TLS, or EAP-TTLS certificate-based authentication

PEAP is an open standard that Microsoft Corporation, RSA Security, and Cisco Systems jointly developed. PEAP allows for supplicant authentication with an authentication server by

• creating an encrypted tunnel between the supplicant and the authentication server using TLS

• using the TLS tunnel to send the supplicant authentication credentials to the authentication server

When you implement PEAP, EAP-TLS, or EAP-TTLS authentication, the Wi-Fi® enabled BlackBerry® device must authenticate to an authentication server to connect to the enterprise Wi-Fi network.

When mutual authentication is enforced, each of these three EAP methods uses a server-side digital certificate to authenticate the authentication server to the supplicant. Next, a TLS tunnel is established to pass the supplicant’s credentials.

EAP-TLS uses a client-side certificate as its supplicant credentials.

EAP-TTLS and PEAP authentication are similar to EAP-TLS authentication. Like EAP-TLS, each of these methods encrypts EAP transactions within a TLS tunnel; however, EAP-TTLS and PEAP use a user name and password as supplicant credentials.

Successful PEAP, EAP-TLS, or EAP-TTLS authentication requires the BlackBerry device to trust the certificate of the authentication server. The certificate binds the authentication server identity to a public and private key pair. A BlackBerry device does not automatically trust the authentication server certificate. To trust the authentication server certificate, the BlackBerry device must trust the certificate authority that issued the certificate. A certificate authority that the BlackBerry devices and the authentication server mutually trust must generate the certificate for the authentication server and the certificate for each Wi-Fi enabled BlackBerry device.

A certificate chain, from the certificate of an authentication server to the certificate of a certificate authority, indicates the trust relationship. The certificate chain continues back through the certificates of any other authorizing entities that are connected to the authentication server certificate. The original certificate in the chain is called a root certificate. A certificate authority server, which might be internal or external to your organization, stores the root certificate file.

Each BlackBerry device stores a list of explicitly trusted certificate authority certificates. A BlackBerry device that uses PEAP, EAP-TLS, or EAP-TTLS authentication requires the root certificate for the certificate authority server that created the certificate for the authentication server.


Configure PEAP authentication

Requirement: Using a public or private certificate authority, obtain or generate a digital certificate for the authentication server.
Notes: The root.der certificate file is stored in the location where the certificate was created. For example, the authentication server stores a self-signed certificate locally.

Requirement: Configure each wireless access point as a client of the authentication server.
Notes: You must use the same version of PEAP on clients and servers. For more information, see the documentation for your access points.

Requirement: Distribute the digital certificate for the authentication server to the BlackBerry® device using one of the following options:

• using the BlackBerry Manager: After you obtain a digital certificate for validating the authentication server, you create a per-user IT policy and send the policy to the BlackBerry device.

• using the certificate management features of Microsoft® Active Directory®: After you download the certificate to a computer, you install the certificate on the BlackBerry device.

Notes:

Using the BlackBerry Manager

To send a server or root certificate from the BlackBerry® Enterprise Server to the BlackBerry device, you can create a per-user IT policy or use the WLAN configuration settings in the BlackBerry Manager and send the policy to the BlackBerry device.

Using Microsoft Active Directory

You can use the certificate management features of Microsoft Active Directory to distribute a server or root certificate to the user’s computer. For more information, see the documentation for Microsoft Active Directory.

The user installs the certificate on the BlackBerry device from the computer, as explained in the following tasks.

Installing the certificate on the BlackBerry device

Instruct your users to complete the following tasks to install a root certificate on their computers:

1. Download the root certificate from the certificate authority server to your computer.

2. On your computer, right-click the root certificate. Click Install certificate.

3. Click Next.

4. Click Place all certificates in the following store.

5. Click Browse.

6. Click Trusted Root Certification Authorities.

7. Click OK.

8. Click Finish.

9. In the Security Warning dialog box, click Yes.

Instruct your users to complete the following tasks to synchronize the certificates:

1. Connect your BlackBerry device to the BlackBerry® Desktop Manager.

2. In the BlackBerry Desktop Manager, select the Certificate Synch tool.

3. Type any password to use as your keystore password.

4. On the Root Certificates tab, select the certificate that you downloaded.

If the certificate synchronization tool is not installed on a user’s computer, instruct the user to reinstall the BlackBerry® Desktop Software using the custom installation option. During the custom installation, the user can install the certificate synchronization tool.


If security settings are not configured by IT policy, instruct your users to configure the security settings in the Wi-Fi® profile on the BlackBerry device.

Instruct your users to complete the following tasks:

1. On the BlackBerry device, in the device options, click Wi-Fi Connections.

2. Click the Wi-Fi profile that you want to configure.

3. Click Edit.

4. Set the Security Type field to PEAP.

5. Type your User name and User password for the messaging server.

6. In the CA certificate list, click the certificate for the authentication server.

7. Select the Inner link security type.

8. In the Token list, select the token type, if applicable. If you use EAP-MS-CHAPv2, you require only a user name and password and cannot choose a token.

9. Specify the Server subject or Server SAN, or both, if applicable. The Server subject and Server SAN fields provide additional identification information from the server certificate (the server name and identifier, or alternative name, in the form of a URL, such as server1.domain.com or server1.domain.net). If you leave these fields blank, the BlackBerry device skips them during server authentication.

10. If you use dynamic IP addressing, verify that Automatically obtain IP address and DNS is selected.

11. Verify that Allow inter-access point handover is selected.

12. Select the Prompt before connection check box, if applicable. If you do not select the check box, the BlackBerry device automatically connects to an available wireless access point.

13. Select the Notify on authentication failure check box, if applicable.

14. Choose your VPN profile, if applicable.


Configure EAP-TLS authentication

Requirement: Using a public or private certificate authority, obtain or generate a digital certificate for the authentication server.
Notes: The root.der certificate file is stored in the location where the certificate was created. For example, the authentication server stores a self-signed certificate locally.

Requirement: Configure each wireless access point as a client of the authentication server.
Notes: You must use the same version of EAP-TLS on clients and servers. For more information, see the documentation for your access points.

Requirement: Distribute the digital certificate for the authentication server to the BlackBerry® device using one of the following options:

• using the BlackBerry Manager: After you obtain a digital certificate for validating the authentication server, you create a per-user IT policy and send the policy to the BlackBerry device.

• using the certificate management features of Microsoft® Active Directory®: After you download the certificate to a computer, you install the certificate on the BlackBerry device.

Notes:

Using the BlackBerry Manager

To send a server or root certificate from the BlackBerry® Enterprise Server to the BlackBerry device, you can create a per-user IT policy or use the WLAN configuration settings in the BlackBerry Manager and send the policy to the BlackBerry device.

Using Microsoft Active Directory

You can use the certificate management features of Microsoft Active Directory to distribute a server or root certificate to the user’s computer. For more information, see the documentation for Microsoft Active Directory.

The user installs the certificate on the BlackBerry device from the computer, as explained in the following tasks.

Installing the certificate on the BlackBerry device

Instruct your users to complete the following tasks to install a root certificate on their computers:

1. Download the root certificate from the certificate authority server to your computer.

2. On your computer, right-click the root certificate. Click Install certificate.

3. Click Next.

4. Click Place all certificates in the following store.

5. Click Browse.

6. Click Trusted Root Certification Authorities.

7. Click OK.

8. Click Finish.

9. In the Security Warning dialog box, click Yes.

Instruct your users to complete the following tasks to synchronize the certificates:

1. Connect your BlackBerry device to the BlackBerry® Desktop Manager.

2. In the BlackBerry Desktop Manager, select the Certificate Synch tool.

3. Type any password to use as your keystore password.

4. On the Root Certificates tab, select the certificate that you downloaded.

If the certificate synchronization tool is not installed on a user’s computer, instruct the user to reinstall the BlackBerry® Desktop Software using the custom installation option. During the custom installation, the user can install the certificate synchronization tool.

Requirement: Using a public or private certificate authority, obtain and install a user certificate on the BlackBerry device.
Notes: The tasks are the same as the tasks for obtaining and installing a server certificate.


If security settings are not configured by IT policy, instruct your users to configure the security settings in the Wi-Fi® profile on the BlackBerry device.

Instruct your users to complete the following tasks:

1. On the BlackBerry device, in the device options, click Wi-Fi Connections.

2. Click the Wi-Fi profile that you want to configure.

3. Click Edit.

4. If a warning about a VPN profile appears, click OK. EAP-TLS does not require a VPN profile.

5. Set the Security Type field to EAP-TLS.

6. Type your User name for the messaging server.

7. In the CA certificate list, click the certificate for the authentication server.

8. In the Client certificate list, click the user certificate.

9. Specify the Server subject or Server SAN, or both, if applicable. The Server subject and Server SAN fields provide additional identification information from the server certificate (the server name and identifier, or alternative name, in the form of a URL, such as server1.domain.com or server1.domain.net). If you leave these fields blank, the BlackBerry device skips them during server authentication.

10. If you use dynamic IP addressing, verify that Automatically obtain IP address and DNS is selected.

11. Verify that Allow inter-access point handover is selected.

12. Select the Prompt before connection check box, if applicable. If you do not select the check box, the BlackBerry device automatically connects to an available wireless access point.

13. Select the Notify on authentication failure check box, if applicable.
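Both the PEAP and the EAP-TLS profile steps above say that the Server subject and Server SAN fields are skipped when left blank. The consequence for a defender is that, with both fields blank, any server presenting a certificate issued by the trusted certificate authority passes the identity step. The following is an added example, not RIM's code and not the device's implementation, of that check applied to a certificate in the dictionary form Python's `ssl.getpeercert()` returns; the certificate contents are constructed, using the host names the supplement itself uses as illustrations, and the wildcard handling is an assumption beyond what the supplement states.

```python
def _cert_names(cert: dict) -> tuple:
    """Subject commonName values and DNS subjectAltName values of a cert in
    ssl.getpeercert() dictionary form."""
    common_names = {value for rdn in cert.get("subject", ()) for (attr, value) in rdn if attr == "commonName"}
    dns_sans = {value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"}
    return common_names, dns_sans


def _name_matches(expected: str, presented: str) -> bool:
    """Case-insensitive exact match; a presented '*.domain' matches one extra leading label
    (assumption: the supplement does not say whether the device accepts wildcard names)."""
    expected, presented = expected.lower(), presented.lower()
    if presented.startswith("*."):
        return "." in expected and expected.split(".", 1)[1] == presented[2:]
    return expected == presented


def server_identity_check(cert: dict, server_subject: str = "", server_san: str = "") -> tuple:
    """Apply the profile's Server subject / Server SAN fields to a presented server certificate.

    Mirrors the behaviour the supplement describes: a blank field is skipped. Returns
    (accepted, reason); the reason flags the blank-both-fields case so an administrator can
    see that the step imposed no identity constraint at all.
    """
    common_names, dns_sans = _cert_names(cert)
    server_subject, server_san = server_subject.strip(), server_san.strip()
    if not server_subject and not server_san:
        return True, "no server identity configured: any certificate issued by a trusted CA is accepted"
    if server_subject and not any(_name_matches(server_subject, cn) for cn in common_names):
        return False, f"Server subject {server_subject!r} not among certificate CNs {sorted(common_names)}"
    if server_san and not any(_name_matches(server_san, san) for san in dns_sans):
        return False, f"Server SAN {server_san!r} not among certificate DNS SANs {sorted(dns_sans)}"
    return True, "server identity matches the configured fields"


# Constructed certificates (ssl.getpeercert() shape). Both are imagined as issued by the
# same trusted CA; only the second belongs to the organization's RADIUS server.
OTHER_SERVER_CERT = {
    "subject": ((("commonName", "mail.otherorg.test"),),),
    "subjectAltName": (("DNS", "mail.otherorg.test"),),
}
RADIUS_SERVER_CERT = {
    "subject": ((("organizationName", "Example Corp"),), (("commonName", "server1.domain.com"),)),
    "subjectAltName": (("DNS", "server1.domain.net"), ("DNS", "*.domain.com")),
}

if __name__ == "__main__":
    for name, cert in (("RADIUS server", RADIUS_SERVER_CERT), ("other server", OTHER_SERVER_CERT)):
        print(name, "blank fields ->", server_identity_check(cert))
        print(name, "pinned      ->", server_identity_check(cert, "server1.domain.com", "server1.domain.net"))
```

With the fields filled in, a certificate for a different host from the same certificate authority is rejected; with both blank it is accepted, which is the case the reason string calls out.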


Configure EAP-TTLS authentication

Requirement: Using a public or private certificate authority, obtain or generate a digital certificate for the authentication server.
Notes: The root.der certificate file is stored in the location where the certificate was created. For example, the authentication server stores a self-signed certificate locally.

Requirement: Configure each wireless access point as a client of the authentication server.
Notes: You must use the same version of EAP-TTLS on clients and servers. For more information, see the documentation for your access points.

Requirement: Distribute the digital certificate for the authentication server to the BlackBerry® device using one of the following options:

• using the BlackBerry Manager: After you obtain a digital certificate for validating the authentication server, you create a per-user IT policy and send the policy to the BlackBerry device.

• using the certificate management features of Microsoft® Active Directory®: After you download the certificate to a computer, you install the certificate on the BlackBerry device.

Notes:

Using the BlackBerry Manager

To send a server or root certificate from the BlackBerry® Enterprise Server to the BlackBerry device, you can create a per-user IT policy or use the WLAN configuration settings in the BlackBerry Manager and send the policy to the BlackBerry device.

Using Microsoft Active Directory

You can use the certificate management features of Microsoft Active Directory to distribute a server or root certificate to the user’s computer. For more information, see the documentation for Microsoft Active Directory.

The user installs the certificate on the BlackBerry device from the computer, as explained in the following tasks.

Installing the certificate on the BlackBerry device

Instruct your users to complete the following tasks to install a root certificate on their computers:

1. Download the root certificate from the certificate authority server to your computer.

2. On your computer, right-click the root certificate. Click Install certificate.

3. Click Next.

4. Click Place all certificates in the following store.

5. Click Browse.

6. Click Trusted Root Certification Authorities.

7. Click OK.

8. Click Finish.

9. In the Security Warning dialog box, click Yes.

Then instruct your users to complete the following tasks to synchronize the certificates:

1. Connect your BlackBerry device to the BlackBerry® Desktop Manager.

2. In the BlackBerry Desktop Manager, select the Certificate Synch tool.

3. Type any password to use as your keystore password.

4. On the Root Certificates tab, select the certificate that you downloaded.

If the certificate synchronization tool is not installed on a user’s computer, instruct the user to reinstall the BlackBerry® Desktop Software using the custom installation option. During the custom installation, the user can install the certificate synchronization tool.


If security settings are not configured by IT policy, instruct your users to configure the security settings in the Wi-Fi® profile on the BlackBerry device.

Instruct your users to complete the following tasks:

1. On the BlackBerry device, in the device options, click Wi-Fi Connections.

2. Click the Wi-Fi profile that you want to configure.

3. Click Edit.

4. Set the Security Type field to EAP-TTLS.

5. Type your User name and User password for the messaging server.

6. In the CA certificate list, click the certificate for the authentication server.

7. The Inner link security type is EAP-MS-CHAPv2.

8. Specify the Server subject or Server SAN, or both, if applicable. The Server subject and Server SAN fields provide additional identification information from the server certificate (the server name and identifier, or alternative name, in the form of a URL, such as server1.domain.com or server1.domain.net). If you leave these fields blank, the BlackBerry device skips them during server authentication.

9. If you use dynamic IP addressing, verify that Automatically obtain IP address and DNS is selected.

10. Verify that Allow inter-access point handover is selected.

11. Select the Prompt before connection check box, if applicable. If you do not select the check box, the BlackBerry device automatically connects to an available wireless access point.

12. Select the Notify on authentication failure check box, if applicable.
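Added illustration (not code from the BlackBerry documentation) of the Server subject and Server SAN behaviour described in the EAP-TLS and EAP-TTLS steps above: a populated field must match the authentication server's certificate, a blank field is skipped, and with both fields blank any certificate issued by the selected CA passes without an identity check. The ServerCert class and the sample names are constructed for this example.

```python
"""Server identity check for EAP-TLS / EAP-TTLS profiles (added illustration).

Models the profile semantics described in the steps above: a populated
Server subject or Server SAN field must match the server certificate,
a blank field is skipped. The certificate representation is constructed.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class ServerCert:
    """Identity fields of a constructed authentication-server certificate."""
    subject_cn: str                               # subject common name
    sans: List[str] = field(default_factory=list)  # DNS names from subjectAltName


def _same_name(expected: str, actual: str) -> bool:
    """DNS names compare case-insensitively; a trailing dot is ignored."""
    return expected.strip().rstrip(".").lower() == actual.strip().rstrip(".").lower()


def server_identity_ok(cert: ServerCert, server_subject: str = "", server_san: str = "") -> bool:
    """Return True if the certificate satisfies the profile's identity fields.

    A blank field is skipped, exactly as the profile behaves. With both fields
    blank no identity check runs, so any certificate from the trusted CA passes.
    """
    if server_subject.strip() and not _same_name(server_subject, cert.subject_cn):
        return False
    if server_san.strip() and not any(_same_name(server_san, n) for n in cert.sans):
        return False
    return True


def identity_check_is_enforced(server_subject: str = "", server_san: str = "") -> bool:
    """True only when at least one field is populated, i.e. the server identity is pinned."""
    return bool(server_subject.strip()) or bool(server_san.strip())
```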


Configure EAP-FAST authentication

EAP-FAST is an authentication method that Cisco Systems developed. Like PEAP, it encrypts EAP transactions within a TLS tunnel; however, where PEAP uses a server-side digital certificate to set up the TLS tunnel, EAP-FAST uses a PAC file.

The PAC file, which is shared between the client and authentication server, contains secret keys that are unique to the user. The PAC file is generated from the EAP-FAST master key on the authentication server. EAP-FAST uses the PAC file to establish the encrypted tunnel and then authenticates the user credentials through the tunnel.

Requirement Notes

Use automatic PAC provisioning over a safe network connection to distribute the PAC file to the wireless client.

For more information about the automatic provisioning process, see the documentation for your authentication server.

Configure each wireless access point to connect to the access control server and a DHCP server.

For more information, see the documentation for your access points.

Verify that the DHCP server can provide the following information to the wireless client:

• IP address or network

• default gateway

• DNS server IP address

Configure the access control server. For more information, see the documentation for your access control server.

Instruct your users to configure the security settings in the Wi-Fi® profile on the BlackBerry® device.

Instruct your users to complete the following task:

1. On the BlackBerry device, in the device options, click Wi-Fi Connections.

2. Click the Wi-Fi profile that you want to configure.

3. Click Edit.

4. Set the Security Type field to EAP-FAST.

5. Type your User name and User password for the messaging server.

6. In the Inner link security list, click the security type.

7. In the Token list, select the token type, if applicable.

8. If you use dynamic IP addressing, verify that Automatically obtain IP address and DNS is selected.

9. Select the Prompt before connection check box, if applicable. If you do not select the check box, the BlackBerry device automatically connects to an available wireless access point.

10. Select the Notify on authentication failure check box, if applicable.

9: Configuring software tokens

Using software tokens on the BlackBerry device

BlackBerry® Enterprise Server Version 4.1 SP3 or later is designed to work with the RSA® Authentication Manager to provide software token support for use with layer 2 and layer 3 authentication on supported BlackBerry devices.

Prerequisites: Minimum software versions for software token use

Software Minimum version

BlackBerry® Desktop Software 4.2.2

BlackBerry® Device Software 4.2.2

BlackBerry® Enterprise Server 4.1 SP3

RSA® Authentication Manager, installed and running in your environment 6.1

RSA Authentication Manager documentation resources

To complete tasks in the RSA® Authentication Manager, view the RSA Authentication Manager online help, the RSA administration and installation guides, and the RSA SecurID Token for BlackBerry Handhelds Administrator’s Guide.

Preparing the RSA Authentication Manager for software token use

Configure PIN policies for software tokens

In the RSA® Authentication Manager, configure the following policies for the PINs of the software tokens in your organization:

• whether a PIN is required for authentication

• whether a PIN is defined by the user or generated by the RSA Authentication Manager

• whether a PIN is alphanumeric or numeric only

• whether a PIN has a fixed length or a variable length, with a minimum of four characters and a maximum of eight characters

Import the token seed file into the RSA Authentication Manager Database

The software token stores the token’s UID, which is also called a seed. You receive the software token seed files in .sdtid format, packaged separately, when you receive the RSA® Authentication Manager installation package.

When you install the RSA Authentication Manager, you create an empty RSA Authentication Manager Database. Import the seed file for each software token into this database. You can import either single or multiple seed files.

Create a user record in the RSA Authentication Manager Database

In the RSA® Authentication Manager Database, create a user record for each software token holder.

Issue a software token

In the RSA® Authentication Manager Database Administration application, configure the following parameters for the software token seed file:

• serial number

• cryptographic algorithm

• user account to which the software token is assigned

• password to protect the software token seed file

If you configure a password to protect the token file, when you configure the user’s profile in the BlackBerry® Manager for software token use, you must add the password to the user’s Software Tokens configuration set. You must also communicate the password to the user.

Then assign the software token to a user.

Synchronize the date and time on the BlackBerry device with the RSA Authentication Manager computer

The software token uses its UID and the current time to authenticate the BlackBerry® device to the RSA® Authentication Manager. For that reason, you must synchronize the system time on the BlackBerry device with the time on the RSA Authentication Manager, even though the RSA Authentication Manager is designed to accommodate time differences of up to three minutes.

Instruct your BlackBerry device users to use one of the following methods to synchronize the date, time, and time zone setting on the BlackBerry device with the RSA Authentication Manager:

• manually adjust the time on the BlackBerry device using the Date/Time option

• use the BlackBerry® Desktop Manager to synchronize the date and time on the BlackBerry device with the date and time on the user’s computer


Set the default WLAN connection parameters for the BlackBerry Domain

1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.

2. On the Global tab, click Edit Properties.

3. Click WLAN Configuration.

4. In the WLAN Configuration Administration section, double-click WLAN Configuration Sets.

5. Click New.

6. Double-click Name.

7. Type a name for the new WLAN configuration profile.

8. In the left pane, click WLAN Settings.

9. In the right pane, double-click a WLAN configuration setting.

10. Select or specify a value for the setting.

11. Repeat the preceding two steps for each additional WLAN setting.

12. Click Apply.

Set the default VPN connection parameters for the BlackBerry Domain

1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.

2. On the Global tab, click Edit Properties.

3. Click WLAN Configuration.

4. In the WLAN Configuration Administration section, double-click VPN Configuration Sets.

5. Click New.

6. Double-click Name.

7. Type a name for the new VPN configuration profile.

8. In the left pane, click VPN Settings.

9. In the right pane, double-click a VPN configuration setting.

10. Select or specify a value for the setting.

11. Repeat the preceding two steps for each additional VPN setting.

12. Click Apply.


Set the user’s profile for software token use

Depending on the number of software token records you have available, you can configure up to three software tokens for each BlackBerry® device user.

1. In the BlackBerry Manager, in the left pane, click the name of the BlackBerry® Enterprise Server that hosts the user account.

2. On the Users tab, right-click the name of the user. Click Edit Properties.

3. Click WLAN Configuration.

4. In the WLAN Configuration Administration section, double-click Software Tokens.

5. Click New.

6. Type the serial number of the software token.

7. Double-click Seed.

8. Click Import from File.

9. Navigate to the software token seed file for the user. Click Open.

10. After you import the file, click OK.

11. If you configured a password in the RSA® Authentication Manager to encrypt the .sdtid file seed, type the password.

12. To confirm the password, type it again.

13. Set a value for the length of time that the BlackBerry device caches the PIN, using one of the following options:

• 0: The BlackBerry device does not cache the PIN and prompts the user to authenticate at each login.

• positive value (for example, 9): The BlackBerry device retains the PIN in the cache for the specified number of minutes and then deletes it.

• negative value (for example, -1): The BlackBerry device caches the PIN until the seed is deleted or changed.

If you do not configure a value, the PIN is always cached.

14. Click Apply.
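Added illustration (not code from the BlackBerry documentation or from RSA) of two points in this chapter: why the device clock must match the RSA Authentication Manager clock within the three-minute tolerance described above, and how the PIN cache value in step 13 (0, positive, negative, or unset) is interpreted. The tokencode here is a generic HMAC-based time code chosen for the illustration, not the RSA SecurID algorithm; the seed, the one-minute step and the times are constructed.

```python
"""Time-based token acceptance window and PIN cache policy (added illustration).

The code generation is a generic HMAC time-step scheme (an assumption for this
example, NOT RSA's SecurID algorithm). It shows the effect of device clock skew
against a server that tolerates three minutes of difference, and the meaning of
the PIN cache setting from the user profile.
"""
import hashlib
import hmac
import struct
from typing import Optional

STEP_SECONDS = 60          # one tokencode per minute (assumed for the illustration)
TOLERANCE_SECONDS = 180    # the three-minute difference the page says is accommodated


def tokencode(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """Derive a tokencode from the seed and the time step containing unix_time."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % (10 ** digits)).zfill(digits)


def server_accepts(seed: bytes, server_time: int, presented_code: str) -> bool:
    """Accept a code from any time step within +/- TOLERANCE_SECONDS of the server clock."""
    steps = TOLERANCE_SECONDS // STEP_SECONDS
    for offset in range(-steps, steps + 1):
        candidate = tokencode(seed, server_time + offset * STEP_SECONDS)
        if hmac.compare_digest(candidate, presented_code):
            return True
    return False


def device_login_ok(seed: bytes, server_time: int, device_clock_skew: int) -> bool:
    """Simulate a device whose clock is device_clock_skew seconds off the server's."""
    presented = tokencode(seed, server_time + device_clock_skew)
    return server_accepts(seed, server_time, presented)


def pin_prompt_required(cache_minutes: Optional[int], cached_at: int, now: int) -> bool:
    """Interpret the profile's PIN cache value: True if the user must re-enter the PIN now."""
    if cache_minutes is None or cache_minutes < 0:
        return False  # unset or negative: PIN cached until the seed is deleted or changed
    if cache_minutes == 0:
        return True   # 0: PIN is never cached, prompt at each login
    return now >= cached_at + cache_minutes * 60  # positive: cached for that many minutes
```

A device three minutes out still authenticates; one five minutes out is rejected until its clock is synchronized with one of the methods listed above.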

10: Implementing BlackBerry devices

Minimum software requirements

Software Minimum version

BlackBerry® Desktop Software 4.2.2

BlackBerry® Device Software 4.2.2

BlackBerry Enterprise Server version

Messaging environment, document, and resources by BlackBerry Enterprise Server version:

BlackBerry® Enterprise Server Version 4.0.x

Microsoft® Exchange: BlackBerry Enterprise Server Administration Guide

• Add a user from the address book

• Managing user properties and statistics

• Define PIM application synchronization settings

• Setting the default IT policy

• Protect a handheld remotely

IBM® Lotus® Domino® and Novell® GroupWise®: BlackBerry Enterprise Server Administration Guide

• Add a user from a local or foreign domain

• Managing message redirection

• Managing PIM synchronization

• Setting the default IT policy

• Protect a handheld remotely

Microsoft Exchange, IBM Lotus Domino, and Novell GroupWise: BlackBerry Enterprise Server Handheld Management Guide

• Deploying handhelds

• Managing PIM synchronization

• Setting the default IT policy

• Protect a handheld remotely

BlackBerry Enterprise Server Version 4.1.x

Microsoft Exchange, IBM Lotus Domino, and Novell GroupWise: BlackBerry Enterprise Server System Administration Guide

11: Activating BlackBerry devices over the enterprise Wi-Fi network

In BlackBerry® Enterprise Server Version 4.1 SP3 and later, users can activate Wi-Fi® enabled BlackBerry devices over the enterprise Wi-Fi network in environments where the following situations occur:

• BlackBerry devices can connect to the enterprise Wi-Fi network but cannot connect to the mobile network.

• Users do not have the BlackBerry® Desktop Manager installed on their computers.

• Administrators must deploy and activate a large number of BlackBerry devices.

Using the BlackBerry Router for BlackBerry device activations over the enterprise Wi-Fi network

When you set up a BlackBerry® Router for BlackBerry device activations over the enterprise Wi-Fi® network, you configure the BlackBerry Router as an SMTP client, which is also known as a Mail User Agent. As an SMTP client, the BlackBerry Router communicates with an SMTP server, which sends the ETP message to the user. The ETP message is the email message that the BlackBerry Router sends to the user’s mailbox at activation.

An organization can host the SMTP server, or the SMTP server might be hosted by Research In Motion.


Setting up the environment for BlackBerry device activations over the enterprise Wi-Fi network

To set up the environment for users to activate BlackBerry® devices over the enterprise Wi-Fi® network, complete the following tasks:

• Using the BlackBerry® Enterprise Server setup application, install and configure a BlackBerry Router whose only purpose is to provide a connection to the BlackBerry® Infrastructure when users activate their BlackBerry devices over the enterprise Wi-Fi network.

• Configure this BlackBerry Router to initiate a connection with the BlackBerry Enterprise Server that hosts each user account associated with a Wi-Fi enabled BlackBerry device, or with the BlackBerry Enterprise Server that you plan to use to host each user account.

• Configure one or more wireless access points to connect to this BlackBerry Router.

• Provide the credentials for each Wi-Fi enabled BlackBerry device to connect to the required wireless access point.

• Create an email account and activation password on the BlackBerry Enterprise Server for each new user, if you have not already done so.

• Provide the activation information, including the activation email address and login information, to users. Follow your organization’s security policies for informing users of highly sensitive information.

To begin the activation, the user types the email address and password into the activation screen on the BlackBerry device.

Preparing to install a BlackBerry Router for BlackBerry device activations over the enterprise Wi-Fi network

You can install a BlackBerry® Router for BlackBerry device activations over the enterprise Wi-Fi® network inside or outside the organization’s firewall.

You can install this BlackBerry Router in any of the following locations:

• on a remote computer as a standalone component

• on the same computer as the BlackBerry® Enterprise Server

• on the same computer as the BlackBerry Enterprise Server with BlackBerry MDS Services installed

You can complete the BlackBerry Router configuration as part of the initial installation of the BlackBerry Enterprise Server, or after the initial installation through the BlackBerry Configuration Panel.

This BlackBerry Router must be able to initiate a connection to the BlackBerry Enterprise Server that you plan to use to host the user account. More than one BlackBerry Enterprise Server can connect to this BlackBerry Router. However, each BlackBerry Enterprise Server can connect to only one BlackBerry Router used for BlackBerry device activations over the enterprise Wi-Fi network.


Confirm the installation credentials

You require the BlackBerry® Enterprise Server installation credentials for installation or configuration of the BlackBerry Router.

Confirm that you have the following credentials from the BlackBerry Enterprise Server installation media:

• client access license key

• SRP identifier

• SRP authentication key

• SRP host address

Configuring a BlackBerry Router for BlackBerry device activations over the enterprise Wi-Fi network

Install and configure a new BlackBerry Router

1. In the BlackBerry® Enterprise Server installation media, double-click setup.exe.

2. Complete the instructions on the screen until you complete the WLAN SRP Setting step of the installation process.

3. At the WLAN OTA Activation step, select the Permit wireless activation in your WLAN environment check box.

4. Select the Prevent all serial bypass traffic through this router except WLAN activations check box.

This step is optional, but if you restrict the connections, this BlackBerry Router acts as a gateway only for wireless activation over the enterprise Wi-Fi® network but not for other network traffic, such as email messages or data and calendar synchronization.

5. In the Activation Gateway Settings area, select one of the following options to specify how the BlackBerry Router locates the SMTP server:

• To allow the BlackBerry Router to determine which SMTP server to use for ETP traffic based on the mail exchange record of the host domain, select Use MX Lookup to obtain SMTP server.

• To provide the SMTP server name and port, select Explicitly provide SMTP server name and port. Type the server name and server port for the SMTP server.

6. If the SMTP server requires authentication, type the SMTP login name and SMTP password.

7. In the From address for ETP messages text box, type the email address to use as the From address. The ETP message is the email message that the BlackBerry Router sends to the user’s mailbox at activation.

8. To restrict the domains that the BlackBerry Router accepts activation requests from, in the List of domains that ETP messages can be sent to text box, specify one or more domains.


9. Click Next.

10. Complete the remaining instructions on the screen.

Configure an existing BlackBerry Router

1. On the computer that hosts the BlackBerry® Router, on the taskbar, click Start > Programs > BlackBerry Enterprise Server > BlackBerry Server Configuration.

2. On the OTA Wi-Fi Activation tab, select the Permit wireless activation in your WLAN environment check box.

3. Select the Prevent all serial bypass traffic through this router except WLAN activations check box.

This step is optional, but if you restrict the connections, this BlackBerry Router acts as a gateway only for wireless activation over the enterprise Wi-Fi® network and not for other network traffic, such as email messages or data and calendar synchronization.

4. In the Activation Gateway Settings area, select one of the following options to specify how the BlackBerry Router locates the SMTP server:

• To allow the BlackBerry Router to determine which SMTP server to use for ETP traffic based on the mail exchange record of the host domain, select Use MX Lookup to obtain SMTP server.

• To provide the SMTP server name and port, select Explicitly provide SMTP server name and port. Type the server name and server port for the SMTP server.

5. If the SMTP server requires authentication, specify the SMTP login name and SMTP password.

6. In the From address for ETP messages text box, type the email address to use as the From address. The ETP message is the email message that the BlackBerry Router sends to the user’s mailbox at activation.

7. Click Apply.

Prerequisites: Activating BlackBerry devices over the enterprise Wi-Fi network

Prerequisite Requirement

wireless access points

• Verify that the required wireless access points can connect to the BlackBerry® Router that you configured for BlackBerry device activations over the enterprise Wi-Fi® network.

• If users must authenticate to an access point, configure each access point to accept each new user’s authentication credentials.

BlackBerry® Enterprise Server

• Verify that the BlackBerry Enterprise Server can communicate with each access point that you plan to use to activate BlackBerry devices over the enterprise Wi-Fi network.

user accounts

• Create an email account and an activation password for each user, if you have not already done so.

• For each BlackBerry device that a user will activate over the enterprise Wi-Fi network, create a user account on the BlackBerry Enterprise Server.


Create and send activation information

Communicate the activation information to the user in a manner that your organization determines is safe. You might have to complete this task if the user is activating the BlackBerry® device for the first time, and you cannot push IT policies and WLAN configuration settings to the BlackBerry device.

Create an activation message that users receive in their email application on their computers. Include the following information:

• activation password

• user credentials required for connection to the wireless access point

• BlackBerry® Enterprise Server access information

• instructions for activating the BlackBerry device

Reactivate an existing BlackBerry device

1. On the BlackBerry® device, in the device options, click Advanced Options.

2. Click Enterprise Activation.

3. Type the activation email address.

4. Type the activation password.

5. In the activation server address box, type the IP address of the BlackBerry Router that BlackBerry devices use for activations over the enterprise Wi-Fi® network.

6. Click the trackball.

7. Click Activate.

Confirm that the activation is successful

1. In the BlackBerry® Manager, in the left pane, click the name of a BlackBerry® Enterprise Server.

2. In the Users list, click the user name.

12: Troubleshooting

Push settings to the BlackBerry device

If Wi-Fi® connection settings do not appear on a BlackBerry® device but the BlackBerry device is supposed to be Wi-Fi enabled, push the WLAN Allow Handheld Changes setting to the BlackBerry device using either an IT policy or the WLAN configuration settings.

Troubleshooting connection and configuration issues on a Wi-Fi enabled BlackBerry device

Using the Wi-Fi® Diagnostics screens on the Wi-Fi enabled BlackBerry® device, you can help users troubleshoot configuration issues on the BlackBerry device, network connectivity or configuration issues, or infrastructure issues that a user might have with a Wi-Fi enabled BlackBerry device.

Users can copy the diagnostic information and send it to you.

In addition, a user can ping network hosts from a BlackBerry device to check the availability and responsiveness of network hosts. A user can perform a DNS lookup from a BlackBerry device to resolve network or domain host names and IP addresses.


Troubleshooting connection issues on a Wi-Fi enabled BlackBerry device

Verify that the Wi-Fi connection is turned on

1. On the BlackBerry® device, on the Home screen, click Manage Connections.

2. Click Wi-Fi Options.

3. Verify that a check mark appears beside Wi-Fi.

View basic diagnostic information on a Wi-Fi enabled BlackBerry device

1. On the BlackBerry® device, in the device options, click Wi-Fi Connections.

2. Click the trackball.

3. Click Wi-Fi Diagnostics.

View detailed diagnostic information on a Wi-Fi enabled BlackBerry device

1. On the BlackBerry® device, in the device options, click Wi-Fi Connections.

2. Click the trackball.

3. Click Wi-Fi Diagnostics.

4. Click the trackball.

5. Click Options.

6. Change Display Mode to Advanced.

7. Click Save.

Wi-Fi Diagnostics status indicators

Status indicator groups

The status indicators appear in the following groups:

• Wi-Fi®

• VPN

• UMA/GAN (if your mobile network provider supports UMA or GAN and you have subscribed for the service)

• BlackBerry Infrastructure

• Enterprise

Within the groups, the indicators follow a sequence that is typical for troubleshooting.


Status indicator states

The status indicators have four possible states:

• Not applicable: black filled circle

• Trying: yellow horizontal line in a filled circle

• Successful: green check mark in a filled circle

• Error: red X in a filled circle

Wi-Fi connection status indicators

Status indicator Description Troubleshooting suggestions

Current Profile This field displays the name of the WLAN profile that the user is currently using.

• Verify that the Wi-Fi® connection on the BlackBerry® device is turned on.

• Verify that the BlackBerry device has one or more Wi-Fi profiles.

• Verify that the BlackBerry device is in coverage of a wireless access point whose SSID is stored in one of the profiles on the BlackBerry device.

SSID This field displays the identifier for the Wi-Fi network.

When a value is displayed, you know that the BlackBerry device has connected to a network, and you know the name of the network.

• Verify that the SSID of the wireless access point is configured on the BlackBerry device. The SSID is case-sensitive.

• Verify that the Wi-Fi settings were correctly configured on the BlackBerry device or through the BlackBerry® Enterprise Server, either manually or through an IT policy.

• Verify that the BlackBerry device has successfully authenticated.

• In the BlackBerry Manager, confirm that the user account is enabled.

• In the BlackBerry Manager, verify that the user is assigned to the correct BlackBerry device.

• Ping the BlackBerry device from the BlackBerry Enterprise Server.

• In the BlackBerry Manager, verify that the values configured through IT policies or in the WLAN configuration settings have been successfully pushed to the BlackBerry device.


AP MAC Address This field displays the MAC address of the wireless access point with which the BlackBerry device is associated.

When a value is displayed, you know that the BlackBerry device has successfully associated with the specified access point.

• Verify that the access point is available and within range of the BlackBerry device.

• Verify that the BlackBerry device is on the same channel as the access point.

• Use a device with wireless access, such as a laptop computer, to test the association with the access point. Use the same settings to configure the wireless connection as the BlackBerry device uses.

• Use a device with wireless access, such as a computer, to ping the BlackBerry Router. This tests whether the BlackBerry Router is on the ACL of the access point.

• For more information, see the documentation for your access points.

• If access point logs are available, view the logs to determine the error that occurred.

Security Type This field displays the link security method.

The options are as follows:

• No Security

• WEP

• Pre-Shared Key (PSK)

• PEAP

• LEAP

• EAP-TLS

• EAP-FAST

• EAP-TTLS

When the link security method is displayed, you know that security on the Wi-Fi connection is turned on and active.

• Verify that the correct authentication method is configured.

• If a WEP key or PSK is required, verify that the key is configured correctly.

• WEP: Verify that the wireless access point is configured to not filter the MAC address of the BlackBerry device.

• LEAP: Verify that the user’s authentication credentials are correct.

• PEAP: Verify that the user’s authentication credentials are correct.

• EAP-TLS: Verify that the EAP-TLS certificate for the user is correct.

Association This field shows the status of the connection with the wireless access point. The status indicators are as follows:

• green check mark: The authentication key is successfully applied, authentication is complete, and keys are used to decrypt packets.

• black filled circle: There is no network connection, or there is no profile for an association to a particular access point.

Authentication This field shows the status of the authentication on the BlackBerry device.

• Verify that the correct authentication method is configured on the wireless access point and on the BlackBerry device.


Local IP Address This field displays the IP address of the BlackBerry device. When a value is displayed, you know the network with which the BlackBerry device is associated.

• If a static IP address is configured, verify that the parameters such as the subnet mask, the default gateway IP address, and the DNS IP address are correctly configured.

• If DHCP is in use, verify that the BlackBerry device can successfully obtain a valid IP configuration (IP address, subnet mask, default gateway IP address, and DNS IP address).

• Verify that a wireless device, such as a laptop computer, can connect to the network using DHCP and obtain an IP address.

• Verify in the DHCP logs, if available, that a DHCP lease was granted to the BlackBerry device.

Signal Level

This field displays the current signal strength. The value is based on the signal percentage level, from none to excellent.

Low signal strength might cause intermittent drops in data connectivity.

Connection Data Rate

This field displays the data rate in Mbps; IEEE® 802.11b™ has a data rate of 11 Mbps, while IEEE® 802.11a™ and IEEE® 802.11g™ have a data rate of 54 Mbps.

Low signal strength might cause intermittent drops in data connectivity.

Status

This field provides a descriptive status message, such as “Status acquired.” It also displays warnings and errors encountered when the user tried to establish a connection to a wireless access point.

Network Type

This field displays whether the wireless connection type is IEEE 802.11a, IEEE 802.11b, or IEEE 802.11g.

If no value displays, a Wi-Fi connection is not active, or the Wi-Fi network capability on the BlackBerry device is turned off.

Network Channel

This field displays the 802.11 channel that the wireless access point uses.

If no value displays, a Wi-Fi connection is not active, or the Wi-Fi network capability on the BlackBerry device is turned off.

Pairwise Cipher

This field displays information about how encryption keys are managed for a single user on the network. You can configure a wireless access point to support multiple pairwise ciphers. A pairwise cipher can be used with a group cipher.

Group Cipher

This field displays information about how encryption keys are managed for all users on the network or locally. A pairwise cipher can be used with a group cipher.

The options are as follows:

• None

• WEP 40

• WEP 104

• TKIP

• AES-CCMP

A wireless access point that you configure to support multiple pairwise ciphers is only as strong as the weakest pairwise cipher.
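As an added example (not RIM's code), this Python snippet applies the troubleshooting logic of the status indicator table above to a set of values read from the Wi-Fi Diagnostics screen, including the weakest-pairwise-cipher rule. The field names come from the page; the dictionary format, the "DHCP in use" key, the cipher ranking and the sample values are this example's own assumptions.

```python
from typing import Dict, List

# Added example (not RIM's code): applies the troubleshooting suggestions of the
# Wi-Fi connection status indicator table to values read from the device's
# Wi-Fi Diagnostics screen. Field names are the page's; the dictionary format,
# the cipher ranking and the sample values are this example's own assumptions.

# Ranking of the pairwise/group cipher options, weakest first. The ordering is
# this example's judgement: WEP and TKIP are legacy ciphers, AES-CCMP is the
# WPA2 cipher.
CIPHER_RANK = {"None": 0, "WEP 40": 1, "WEP 104": 2, "TKIP": 3, "AES-CCMP": 4}

# Credential checks per link security method, as the table lists them.
CREDENTIAL_CHECKS = {
    "WEP": "Verify that the WEP key is configured correctly and that the access "
           "point does not filter the MAC address of the BlackBerry device.",
    "Pre-Shared Key (PSK)": "Verify that the PSK is configured correctly.",
    "LEAP": "Verify that the user's authentication credentials are correct.",
    "PEAP": "Verify that the user's authentication credentials are correct.",
    "EAP-TLS": "Verify that the EAP-TLS certificate for the user is correct.",
}


def weakest_cipher(ciphers: List[str]) -> str:
    """Return the weakest cipher in the set an access point is configured to accept.

    An access point that supports several pairwise ciphers is only as strong as
    the weakest one, because a client may negotiate any of them.
    """
    if not ciphers or any(c not in CIPHER_RANK for c in ciphers):
        raise ValueError(f"unknown or empty cipher list: {ciphers}")
    return min(ciphers, key=lambda c: CIPHER_RANK[c])


def diagnose(fields: Dict[str, object]) -> List[str]:
    """Map status indicator values to the troubleshooting steps from the table.

    Boolean fields (Association, Authentication) are True for a green check
    mark; "DHCP in use" says whether the profile uses DHCP; string fields hold
    the displayed value or None if the field is blank.
    """
    steps: List[str] = []
    sec = fields.get("Security Type")
    associated = bool(fields.get("Association"))

    # Association: black filled circle means no network connection or no profile.
    if not associated:
        steps.append("No association: test the same settings from a laptop against "
                     "the access point, and check the access point logs if available.")

    # Authentication failed although a link security method is displayed.
    if sec and sec != "No Security" and not fields.get("Authentication"):
        steps.append("Verify that the correct authentication method is configured on "
                     "the wireless access point and on the BlackBerry device.")
        steps.append(CREDENTIAL_CHECKS.get(
            sec, "Verify the credentials configured for this authentication method."))

    # Associated but no Local IP Address: address configuration problem.
    if associated and not fields.get("Local IP Address"):
        if fields.get("DHCP in use"):
            steps.append("Verify that the device obtains a valid IP configuration over "
                         "DHCP; check the DHCP logs for a lease granted to the device.")
        else:
            steps.append("Static addressing: verify the subnet mask, default gateway "
                         "IP address and DNS IP address.")

    # Weakest pairwise cipher rule.
    pairwise = list(fields.get("Pairwise Cipher") or [])
    if pairwise:
        weakest = weakest_cipher(pairwise)
        if CIPHER_RANK[weakest] < CIPHER_RANK["AES-CCMP"]:
            steps.append(f"Effective pairwise protection is only {weakest}, the weakest "
                         "cipher the access point accepts.")

    # The group cipher is shared by all users on the network; flag legacy choices.
    group = fields.get("Group Cipher")
    if group in ("WEP 40", "WEP 104", "TKIP"):
        steps.append(f"Group cipher is {group}, a legacy cipher shared by all users "
                     "on the network.")
    return steps


# Constructed sample: PEAP network, associated, authentication failed, no IP yet,
# access point accepting both TKIP and AES-CCMP with a TKIP group cipher.
SAMPLE_FIELDS = {
    "Security Type": "PEAP",
    "Association": True,
    "Authentication": False,
    "Local IP Address": None,
    "DHCP in use": True,
    "Pairwise Cipher": ["TKIP", "AES-CCMP"],
    "Group Cipher": "TKIP",
}

if __name__ == "__main__":
    for step in diagnose(SAMPLE_FIELDS):
        print("-", step)
```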

Gateway Address

This field displays the IP address of the gateway that routes any packets going outside the local network. In an enterprise Wi-Fi network, it is the IP address of the organization’s LAN gateway. In a personal Wi-Fi network, it is the internal IP address of the personal network’s router.

DHCP

This field shows the status of the DHCP connection on the BlackBerry device. When a check mark is displayed, DHCP is complete.

Primary DNS

This field displays the address of an optional computer that translates host names into IP addresses.

Secondary DNS

This field displays the address of an optional computer that translates host names into IP addresses. The secondary DNS server is used if the primary DNS is not available.

DNS Suffix

This field displays the domain name suffix, such as .com or .org.

Subnet Mask

This field displays information about the subnet base for the IP address that was assigned to the BlackBerry device.

Server Domain Suffix

This field displays the domain name suffix for the network with which the BlackBerry device has associated.

Certificate

This field shows the certificate used for WLAN authentication, if applicable.

Software Token

If a software token is configured for the BlackBerry device, this field displays the serial number of the software token.

VPN connection status indicators

Current Profile

This field displays the name of the VPN profile that the user is currently using.

Concentrator Address

This field displays the IP address of the VPN concentrator.

• Verify that the VPN is turned on.

• Ping the IP address of the VPN concentrator.

• Verify that the VPN concentrator host name resolves to an IP address. If it does not, configure the VPN IP address.

Contact

This field shows the status of the BlackBerry® device contact with the VPN concentrator. A green check mark appears when the BlackBerry device has successfully connected with the VPN concentrator.

Authentication

This field shows the status of the authentication on the BlackBerry device. If the last authentication attempt was unsuccessful, the field displays an error state.

• Verify that the security parameters are supported.

• Verify that the user’s VPN login credentials are correct.

Secure Device IP

This field shows the IP address of the BlackBerry device on the private network that the VPN protects.


Status

This field provides a descriptive current status message, such as “Error: Link down.”

Resolving Concentrator

This field indicates that the IP address of the VPN concentrator has been verified.

Concentrator IP

This field shows the IP address of the VPN concentrator.

Primary DNS

When a VPN session is established, this is the DNS address that corresponds to the VPN primary DNS. If a VPN session is not established, this value corresponds to the configured WLAN address.

Secondary DNS

This field shows the address of an optional computer that translates host names into IP addresses. The secondary DNS server is used if the primary DNS is not available.

DNS Suffix

This field shows the domain that the BlackBerry device uses to resolve addresses on the enterprise Wi-Fi® network.

Secure Subnet Mask

This field shows the subnet mask of the BlackBerry device on the private network protected by the VPN. The subnet mask and the IP address provide information about the subnet to which the BlackBerry device has connected.

Retry at

If a login attempt is unsuccessful, this field shows the next date and time that the BlackBerry device can again try to log in.

Session Lifetime

This field indicates the length of time in seconds that the VPN session is maintained before the BlackBerry device renegotiates the session.

Re-login at

This field indicates the length of the periodic rollover or new login period, which the BlackBerry device obtains from the VPN concentrator.

Failed Login Attempts

This field displays the number of unsuccessful login attempts. If a user logs in successfully, the value is cleared and reverts to 0 automatically.

Certificate

This field displays the certificate used for VPN authentication, if applicable.

Software Token

If a software token is configured for the BlackBerry device, this field displays the serial number of the software token.

UMA/GAN connection status indicators

If your mobile network provider supports UMA or GAN, and you have subscribed to this service, a UMA category is present on the BlackBerry® device.

Connection Preference

This field shows how the BlackBerry device tries to connect to the mobile network provider’s voice and data services. Using the following settings, you or the user can configure how the BlackBerry device gains access to the mobile network provider’s voice and data services:

Wi-Fi Preferred: The BlackBerry device uses a Wi-Fi® connection when possible. When the user is not in a Wi-Fi coverage area, the BlackBerry device uses a mobile network connection.

Wi-Fi Only: The BlackBerry device uses only a Wi-Fi connection.

Mobile Network Only: The BlackBerry device uses only a mobile network connection to the mobile network provider.

Mobile Network Preferred: The BlackBerry device uses a mobile network connection, where possible, but can also use a Wi-Fi connection.

• Under Options > Mobile Network, verify that the Connection Preference line displays.

If the Connection Preference line does not display, at the Network line, type ALT-GANN to turn on UMA connectivity.

UMA Wi-Fi Available

This field shows whether the user has a UMA profile.

• Under Options > UMA, verify whether a UMA profile is set up.

You can safely ignore this status indicator.

Connection

This field indicates whether the BlackBerry device is connected over UMA.

• Under Options > Mobile Network, verify that Wi-Fi Preferred is selected.

• Under Options > UMA, verify that at least one UMA profile is available.

If a UMA profile does not exist, create one using the credentials of the mobile network provider.

• Verify that under the currently selected UMA profile, the mobile network provider’s security gateway (SEGW) certificate field is not empty and is associated with a certificate for the corresponding mobile network provider.

• In the Wi-Fi Diagnostics screen, verify that the BlackBerry device is connected to a Wi-Fi network.

• Connect a computer to the same wireless access point.

• Verify the IP address of the BlackBerry device on the Wi-Fi Diagnostics screen. Ping the device.

• If you do not receive a response, the issue is isolated to the Wi-Fi side.

• If all of these checks succeed but the connection still does not display, check the Status field for the reason.

Status

This field shows the status of the UMA connection.

Registered UNC Address

This field shows the address or FQDN of the UNC. A value displays only if the BlackBerry device has successfully registered on the UNC.

If a value does not display, use the same steps that you use for troubleshooting the Connection field.

Registration

This field indicates that the BlackBerry device has registered with the UNC.

A value displays only if the BlackBerry device has successfully registered on the UNC.

If a value does not display, use the same steps that you use for troubleshooting the Connection field.

Authentication

This field indicates that the BlackBerry device has authenticated to the UNC.

A value displays only if the BlackBerry device has successfully registered on a UNC.

If a value does not display, use the same steps that you use for troubleshooting the Connection field.

Serving UNC Address

This field shows the UNC to which the BlackBerry device has connected.

A value displays only if the BlackBerry device has successfully registered on the UNC.

If a value does not display, use the same steps that you use for troubleshooting the Connection field.

Security Gateway IP

This field shows the IP address of the mobile network provider’s security gateway.

A value displays only if the BlackBerry device has successfully registered on the UNC.

If a value does not display, use the same steps that you use for troubleshooting the Connection field.

Cellular information

This field displays the GSM® cellular information as received from or sent to the UNC: MNC, MCC, the mobile network ID (Cell ID) of the BlackBerry device, and ARFCN.

A value displays only if the BlackBerry device has successfully registered on the UNC.

Cellular handover to UMA failures

This field displays errors received during the transition from one network type to the other while the user is on a call.

Cellular rove-in failures

This field displays errors received during the transition from one network type to the other while the BlackBerry device is idle.

BlackBerry Infrastructure connection status indicators

The BlackBerry® Infrastructure connection status indicators appear on the BlackBerry device when the user either makes a Wi-Fi® connection or tries to make a Wi-Fi connection.

Address Used

This field indicates the host name or IP address and port number used to connect to the SRP.

IP Used

This field indicates the host name or IP address and port number used to connect to the SRP.

Connecting

This field indicates the IP address and port number used to connect to the SRP.

Authenticating router

This field displays the IP address of the server that performs authentication, if applicable.

Authenticating server

This field displays the IP address of the server that performs authentication.

Last Contact At

This field displays the time of the last BlackBerry device contact with the BlackBerry Enterprise Server through the SRP.

Enterprise connection status indicators

UIDs

This field indicates the SRP UID of the BlackBerry® Enterprise Server that hosts the user account for the BlackBerry device.

Address Used

This field indicates the host name or IP address and port number used to connect to the SRP.

IP Used

This field indicates the host name or IP address and port number used to connect to the SRP.

Connecting

This field indicates the IP address and port number used to connect to the SRP.

Authenticating router

This field displays the IP address of the server that performs authentication, if applicable.

Authenticating server

This field displays the IP address of the server that performs authentication.

Last Contact At

This field displays the time of the last BlackBerry device contact with the BlackBerry Enterprise Server through the SRP.

Verify whether the BlackBerry device can reach an IP address

1. On the BlackBerry® device, in the device options, click Wi-Fi Connections.

2. Click the trackball.

3. Click Wi-Fi Diagnostics.

4. Click the trackball.

5. Click Ping.

6. Complete the applicable fields:

Ping Type: The options are as follows:

• IP or Name

• Self

• WLAN Gateway

• VPN Concentrator

• UNC (mobile network provider)

• BBR (BlackBerry Router)

Ping to: In this field, you specify the IP address to ping.

Number of Pings: In this field, you specify the number of times to ping an IP address.

7. View the ping data:

Device IP: This field indicates the IP address of the BlackBerry device.

Last Time Used: This field indicates the last time an IP address was pinged.

Results: This field indicates what happened when the last IP address was pinged.

Resolve a host name to an IP address

1. On the BlackBerry® device, in the device options, click Wi-Fi Connections.

2. Click the trackball.

3. Click Wi-Fi Diagnostics.

4. Click the trackball.

5. Specify either a name or an IP address to look up.

6. Click the trackball.

7. Click DNS Lookup.

8. Click Lookup.

9. Select an option.

10. View the DNS lookup results:

Primary DNS: This field indicates the IP address of the primary computer that is used to resolve host names.

Secondary DNS: This field indicates the IP address of an optional computer used between networks.

Last Time Used: This field indicates the last time that the host was looked up.

Results: This field indicates the result of the last lookup, and lists each IP address found to which the last lookup resolved.

13: IT policy rules and configuration settings

Using WLAN IT policy rules with a WLAN configuration set

In BlackBerry® Enterprise Server Version 4.1 SP3 or later, you can configure the Wi-Fi® settings for the BlackBerry device using the WLAN IT policy rules or a WLAN configuration set in the BlackBerry Manager.

• If you use only WLAN IT policy rules and not a WLAN configuration set, a BlackBerry device uses both global WLAN settings and per-profile WLAN settings from the WLAN IT policy group.

• If you use both WLAN IT policy rules and a WLAN configuration set, a BlackBerry device takes the global WLAN settings from the WLAN IT policy rules. However, the BlackBerry device ignores any WLAN profiles in the WLAN IT policy and uses only the WLAN profiles from the WLAN configuration set.

As a result, if your WLAN IT policy rules include only the WLAN IT policy (which contains a WLAN profile), and you are not using a WLAN configuration set, the BlackBerry device adds the WLAN profile contained in the WLAN IT policy to the list of WLAN profiles.

If you make changes to a WLAN configuration set, or delete it, you must resend the IT policy for the changes to take effect immediately.

WLAN IT policy group

WLAN Allow Handheld Changes

Description: Specify whether to allow users to change all WLAN policy rules on the BlackBerry® device.
Default value: True
Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
Use: Set to False to permit users to change only the user-specific WLAN rules on the BlackBerry device.

WLAN Link Security

Description: Specifies the type of security required for WLAN access (Open, WEP, PSK, EAP-PEAP, EAP-LEAP, EAP-TLS, EAP-FAST, EAP-TTLS).
Default value: Open (0)
Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
Use: If you do not specify a security type, Open is used.

WLAN SSID

Description: Type the network name of the WLAN and its wireless access points. The SSID is case-sensitive.
Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
Use: Do not use the default SSID.

WLAN Default Key ID

Description: Type the Default WEP Key ID.
Default value: 1
Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
Use: The WEP Key ID must match the desired WEP access point ID and the corresponding WEP key.

WLAN WEP Key 0

Description: Type the password for WEP key 1 using the format xx:xx:xx:xx:xx.
Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
Use: Allowable values are either 5 or 13 pairs of hexadecimal digits (0 to 9 and A to F) separated by a colon. For example, "AB:CD:EF:01:23" or "AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23" are acceptable values.

WLAN WEP Key 1

Description: Type the password for WEP key 2 using the format xx:xx:xx:xx:xx.
Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
Use: Allowable values are either 5 or 13 pairs of hexadecimal digits (0 to 9 and A to F) separated by a colon. For example, "AB:CD:EF:01:23" or "AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23" are acceptable values.

WLAN WEP Key 2

Description: Type the password for WEP key 3 using the format xx:xx:xx:xx:xx.
Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
Use: Allowable values are either 5 or 13 pairs of hexadecimal digits (0 to 9 and A to F) separated by a colon. For example, "AB:CD:EF:01:23" or "AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23" are acceptable values.

WLAN WEP Key 3

Description: Type the password for WEP key 4 using the format xx:xx:xx:xx:xx.
Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
Use: Allowable values are either 5 or 13 pairs of hexadecimal digits (0 to 9 and A to F) separated by a colon. For example, "AB:CD:EF:01:23" or "AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23" are acceptable values.

WLAN Preshared Key

Description: Type the PSK.
Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
Use: Type the PSK if you specified PSK as the WLAN Link Security type.

WLAN User Name

Description: Type the user name for EAP-PEAP or EAP-LEAP security access on the BlackBerry device.
Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
Use: Set this value as a per-user IT policy rule, or within an IT policy that applies to only one user, unless you want to set a default value for all users. If the user manually types a user name value on the BlackBerry device, IT policy updates overwrite or delete that value. To retain the user-specified value on the BlackBerry device, set the updated IT policy to use the same value for this IT policy rule.

WLAN User Password

Description: Type the user password for EAP-PEAP or EAP-LEAP security access on the BlackBerry device.
Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
Use: Set this value as a per-user IT policy rule, or within an IT policy that applies to only one user, unless you want to set a default value for all users. If the user manually types a user password value on the BlackBerry device, IT policy updates overwrite or delete that value. To retain the user-specified value on the BlackBerry device, set the updated IT policy to use the same value for this IT policy rule.

WLAN DHCP Configuration

Description: Specify whether DHCP is used for dynamic network configuration.
Default value: True (enabled)
Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
Use: DHCP is turned on by default. If you are implementing a subnetted WLAN, turn on DHCP to permit roaming between subnets.

WLAN IP Address

Description: Type the IP address in IP address format (for example, 10.0.0.1) for use if DHCP is turned off on the BlackBerry device (in other words, if the WLAN DHCP Configuration rule is set to False).
Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
Use: Warning: Do not set this rule if the WLAN DHCP Configuration rule is set to True.

WLAN Subnet Mask

Description: Type the subnet mask in IP address format (for example, 10.0.0.1) for use if DHCP is turned off on the BlackBerry device.
Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
Use: Warning: Do not apply this rule if DHCP is turned on.

WLAN Primary DNS

Description: Type the primary DNS in IP address format (for example, 10.0.0.1) if DHCP is turned off.
Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
Use: Warning: Do not apply this rule if DHCP is turned on.

WLAN Secondary DNS

Description: Type the secondary DNS in IP address format (for example, 10.0.0.1) if DHCP is turned off.
Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
Use: Warning: Do not apply this rule if DHCP is turned on.

WLAN Default Gateway

Description: Type the default gateway in IP address format (for example, 10.0.0.1) if DHCP is turned off.
Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
Use: Warning: Do not apply this rule if DHCP is turned on.

WLAN Minimal EAP-TLS Certificate Encryption Key Security Level

Description: Specify the minimum security level for private keys used by EAP methods employing client certificates (for example, EAP-TLS).
Default value: 1
Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1 (obsolete in 4.1.4)
Use: If you do not specify a security level, the value 1 (low security) is used.

Low security: The BlackBerry device prompts the user only once for the key store password to retrieve the private key for encrypting messages. The BlackBerry device stores the unencrypted private key with the WLAN profile.

Medium security: The BlackBerry device prompts the user only once for the key store password to retrieve the private key for encrypting messages, and subsequently only after a device reset. The BlackBerry device caches the private key in memory but does not store it with the WLAN profile.

High security: The BlackBerry device always prompts the user for the key store password when accessing the private key for encrypting messages. The BlackBerry device does not store the unencrypted private key with the WLAN profile.

WLAN Enable Authentication Page

Description: Specify whether the WLAN Login browser is available on the BlackBerry® 7270 smartphone.
Default value: False
Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1 (obsolete in 4.1.4)
Use: Set to True to permit users to log in to a captive portal using the BlackBerry device.

Disable WLAN

Description: Specify whether users can access the WLAN capability on the BlackBerry device.
Default value: False
Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3
Use: Set to True to prevent the use of WLAN on the BlackBerry device.

WLAN Password Hidden on Input

Description: Specify whether the WLAN password is masked as the user types it.
Default value: False
Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3
Use: Set to True to mask the password that the BlackBerry device user types. Set to False to allow the BlackBerry device to display the password that the BlackBerry device user types.

Disable WAN-Only Mode

Description: Specify whether to prevent users from selecting WAN-only mode from the GAN selection modes on the BlackBerry device.
Default value: False
Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3
Use: Set to True to prevent the use of the WAN capabilities of the BlackBerry device.

Disable WAN-Preferred Mode

Description: Specify whether to prevent users from selecting WAN-Preferred mode from the GAN selection modes on the BlackBerry device.
Default value: False
Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3
Use: Set to True to prevent the use of the WAN-Preferred mode in the GAN selection modes on the BlackBerry device.

Disable GAN-Only Mode

Description: Specify whether to prevent users from selecting GAN-Only mode from the GAN selection modes on the BlackBerry device.
Default value: False
Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3
Use: Set to True to prevent the use of the GAN-Only mode in the GAN selection modes on the BlackBerry device.

Disable GAN-Preferred Mode

Description: Specify whether to prevent users from selecting GAN-Preferred mode from the GAN selection modes on the BlackBerry device.
Default value: False
Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3
Use: Set to True to prevent the use of GAN-Preferred mode in the GAN selection modes on the BlackBerry device.

Disable GAN Selection Mode Editing

Description: Specify whether to prevent users from changing the GAN selection mode on the BlackBerry device.
Default value: False
Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3
Use: Set to True to prevent users from changing the GAN selection mode on the BlackBerry device.

WLAN Disable Prompt for Credentials Re-Entry

Description: Specify whether to turn off the prompt for users to re-enter WLAN credentials after authentication is unsuccessful.
Default value: False
Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3
Use: Set to True if you do not want to prompt users to re-enter WLAN credentials after authentication is unsuccessful.

Disable WLAN User Profiles

Description: Specify whether a user can create new WLAN profiles on the BlackBerry device.
Default value: False
Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3
Use: Set to True to prevent the user from creating new WLAN profiles on the BlackBerry device.

GAN WLAN Threshold

Description: Specify the WLAN signal quality threshold for changing from GAN to WAN. If the WLAN signal quality drops below this threshold in GAN-preferred mode, the BlackBerry device tries to hand over (change) to the WAN, if an acceptable cell is available.
Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3
Use: If you do not specify a value for this setting, the BlackBerry device chooses a suitable value (possibly specified by the mobile network provider). Possible values are as follows:

Low: Use GAN mode unless the Wi-Fi® signal quality is very low.

Medium: Use GAN mode if the Wi-Fi signal quality is high or medium.

High: Use GAN mode only if the Wi-Fi signal quality is high.

GAN Signal Strength Threshold

Description: Specify the signal strength threshold for rove-in from WAN to GAN.
Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3
Use: In WAN-preferred mode, if the signal strength of the serving cell drops below this value, the BlackBerry device uses the GAN cell, if one is available. This value is specified in RXLEV units, described in 3GPP 5.08 8.1.4:

• 0: -111 dBm

• 63: -48 dBm

If you do not specify a value for this setting, the BlackBerry device chooses a suitable value (possibly specified by the mobile network provider).

GAN Signal Quality Threshold

Description: Specify the signal quality threshold for handover from WAN to GAN.
Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3
Use: In WAN-preferred mode, if the signal quality drops below this level, the BlackBerry device tries a handover to GAN, if possible. The signal quality is related to bit error rate and is described in 3GPP 5.08 8.2.4:

• 0: good quality

• 7: worst quality

If you do not specify a value for this setting, the BlackBerry device chooses a suitable value (possibly specified by the mobile network provider).

Disable WLAN Access to BES

Description: Specify whether a user’s BlackBerry device can connect to the BlackBerry® Enterprise Server using a Wi-Fi connection.
Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3
Use: Set to True to deny access to the BlackBerry Enterprise Server from a Wi-Fi network. The default value might vary by mobile network provider.
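As an added example (not RIM's code), the following Python script checks a set of WLAN IT policy rule values against the constraints this table states: the WEP key format, the Default Key ID, the PSK and EAP-PEAP/EAP-LEAP credential prerequisites, the static-addressing rules that must not be applied while DHCP is on, and the RXLEV and signal-quality ranges. Rule names are the page's; the dictionary input format, the check logic, the mapping of Key ID 1 to the "WLAN WEP Key 0" rule and the sample values are this example's own assumptions.

```python
import re
from typing import Dict, List

# Added example (not RIM's code): checks a set of WLAN IT policy rule values for
# the consistency constraints stated in this chapter. Rule names are the page's;
# the dictionary format, the checks and the sample values are assumptions.

# WEP key format from the page: 5 or 13 colon-separated pairs of hex digits.
# The page lists A to F; lowercase is accepted here as well (example's choice).
WEP_KEY_RE = re.compile(
    r"^(?:[0-9A-Fa-f]{2}:){4}[0-9A-Fa-f]{2}$|^(?:[0-9A-Fa-f]{2}:){12}[0-9A-Fa-f]{2}$")
IPV4_RE = re.compile(
    r"^(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$")

# Rules that hold static addressing and only apply when DHCP is turned off.
STATIC_IP_RULES = ("WLAN IP Address", "WLAN Subnet Mask", "WLAN Primary DNS",
                   "WLAN Secondary DNS", "WLAN Default Gateway")
WEP_KEY_RULES = tuple(f"WLAN WEP Key {i}" for i in range(4))


def rxlev_to_dbm(rxlev: int) -> int:
    """RXLEV (3GPP 5.08 8.1.4) maps linearly: 0 is -111 dBm, 63 is -48 dBm."""
    if not 0 <= rxlev <= 63:
        raise ValueError("RXLEV must be 0..63")
    return -111 + rxlev


def check_policy(rules: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the rule set is consistent."""
    findings: List[str] = []
    link = rules.get("WLAN Link Security", "Open")

    # WEP: each supplied key must match the documented format, and the Default
    # Key ID must point at a key that is set. The page describes the rule
    # "WLAN WEP Key 0" as WEP key 1, so Key ID n maps to rule "WLAN WEP Key n-1"
    # (this mapping is the example's reading of the page).
    if link == "WEP":
        for name in WEP_KEY_RULES:
            val = rules.get(name)
            if val and not WEP_KEY_RE.match(val):
                findings.append(f"{name}: expected 5 or 13 colon-separated hex pairs")
        key_id = rules.get("WLAN Default Key ID", "1")
        if not key_id.isdigit() or not 1 <= int(key_id) <= 4:
            findings.append("WLAN Default Key ID: must be 1..4")
        elif not rules.get(f"WLAN WEP Key {int(key_id) - 1}"):
            findings.append(f"WLAN Default Key ID {key_id}: corresponding WEP key is not set")

    # PSK link security needs the preshared key rule.
    if link == "PSK" and not rules.get("WLAN Preshared Key"):
        findings.append("WLAN Preshared Key: required when WLAN Link Security is PSK")

    # EAP-PEAP and EAP-LEAP use the user name and password rules.
    if link in ("EAP-PEAP", "EAP-LEAP"):
        for name in ("WLAN User Name", "WLAN User Password"):
            if not rules.get(name):
                findings.append(f"{name}: not set for {link}")

    # Static addressing rules: only when DHCP is off, and then well-formed IPv4.
    dhcp_on = rules.get("WLAN DHCP Configuration", "True") == "True"
    for name in STATIC_IP_RULES:
        val = rules.get(name)
        if not val:
            continue
        if dhcp_on:
            findings.append(f"{name}: do not apply this rule while WLAN DHCP Configuration is True")
        elif not IPV4_RE.match(val):
            findings.append(f"{name}: not a valid IPv4 address")

    # GAN thresholds: RXLEV 0..63 and signal quality 0..7.
    rx = rules.get("GAN Signal Strength Threshold")
    if rx is not None and not (rx.isdigit() and 0 <= int(rx) <= 63):
        findings.append("GAN Signal Strength Threshold: RXLEV must be 0..63")
    q = rules.get("GAN Signal Quality Threshold")
    if q is not None and not (q.isdigit() and 0 <= int(q) <= 7):
        findings.append("GAN Signal Quality Threshold: must be 0..7")
    return findings


# Constructed sample: a WEP rule set containing two common mistakes.
SAMPLE_RULES = {
    "WLAN Link Security": "WEP",
    "WLAN SSID": "corp-wlan",
    "WLAN Default Key ID": "2",
    "WLAN WEP Key 0": "AB:CD:EF:01:23",
    "WLAN WEP Key 1": "ABCDEF0123",        # missing the colon separators
    "WLAN DHCP Configuration": "True",
    "WLAN IP Address": "10.0.0.1",         # static address while DHCP is on
    "GAN Signal Strength Threshold": "20",
}

if __name__ == "__main__":
    for finding in check_policy(SAMPLE_RULES):
        print("finding:", finding)
    print("RXLEV 20 =", rxlev_to_dbm(20), "dBm")
```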

WLAN configuration settings

WLAN Allow Handheld Changes

Description: Specify whether to allow users to change all WLAN policy rules on the BlackBerry® device.
Default value: True
Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1 (obsolete in 4.1.3)
Use: Set to False to permit users to change only the user-specific WLAN rules on the BlackBerry device.

WLAN Link Security

Description: Specifies the type of security required for WLAN access (Open, WEP, PSK, EAP-PEAP, EAP-LEAP, EAP-TLS, EAP-FAST, EAP-TTLS).
Default value: Open (0)
Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
Use: If you do not specify a security type, Open is used.

WLAN SSID

Description: Type the network name of the WLAN and its wireless access points. The SSID is case-sensitive.
Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
Use: Do not use the default SSID.

WLAN Default Key ID

Description: Type the Default WEP Key ID.
Default value: 1
Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
Use: The WEP Key ID must match the desired WEP access point ID and the corresponding WEP key.

WLAN WEP Key 0

Description: Type the password for WEP key 1 using the format xx:xx:xx:xx:xx.
Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
Use: Allowable values are either 5 or 13 pairs of hexadecimal digits (0 to 9 and A to F) separated by a colon. For example, "AB:CD:EF:01:23" or "AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23" are acceptable values.

WLAN WEP Key 1

Description: Type the password for WEP key 2 using the format xx:xx:xx:xx:xx.
Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
Use: Allowable values are either 5 or 13 pairs of hexadecimal digits (0 to 9 and A to F) separated by a colon. For example, "AB:CD:EF:01:23" or "AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23" are acceptable values.

WLAN WEP Key 2

Description: Type the password for WEP key 3 using the format xx:xx:xx:xx:xx.
Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
Use: Allowable values are either 5 or 13 pairs of hexadecimal digits (0 to 9 and A to F) separated by a colon. For example, "AB:CD:EF:01:23" or "AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23" are acceptable values.

WLAN WEP Key 3

Description: Type the password for WEP key 4 using the format xx:xx:xx:xx:xx.
Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
Use: Allowable values are either 5 or 13 pairs of hexadecimal digits (0 to 9 and A to F) separated by a colon. For example, "AB:CD:EF:01:23" or "AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23" are acceptable values.

WLAN Preshared Key

Description: Type the PSK.
Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
Use: Type the PSK if you specified PSK as the WLAN Link Security type.

WLAN User Name

Description: Type the user name for EAP-PEAP or EAP-LEAP security access on the BlackBerry device.
Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
Use: Set this value as a per-user IT policy rule, or within an IT policy that applies to only one user, unless you want to set a default value for all users. If the user manually types a user name value on the BlackBerry device, IT policy updates overwrite or delete that value. To retain the user-specified value on the BlackBerry device, set the updated IT policy to use the same value for this IT policy rule.

WLAN User Password

Description: Specify the user password for EAP-PEAP or EAP-LEAP security access on the BlackBerry device.
Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2
Use: Set this value as a per-user IT policy rule, or within an IT policy that applies to only one user, unless you want to set a default value for all users. If the user manually types a user password value on the BlackBerry device, IT policy updates overwrite or delete that value. To retain the user-specified value on the BlackBerry device, set the updated IT policy to use the same value for this IT policy rule.

WLAN DHCP Configuration

Description: Specify whether DHCP is turned on for dynamic network configuration.
Default value: True (turned on)
Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2
Use: Turn on DHCP to simplify WLAN configuration.

WLAN IP Address

Description: Specify the IP address of the BlackBerry device if DHCP is unavailable.
Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2
Use: Set this value only if you set the WLAN DHCP Configuration policy rule to False (made DHCP unavailable).

WLAN Subnet Mask

Description: Specify the IP address of the subnet mask if DHCP is unavailable.
Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2
Use: Set this value only if you set the WLAN DHCP Configuration value to False (made DHCP unavailable).

WLAN Primary DNS

Description: Specify the IP address of the primary DNS if DHCP is unavailable.
Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2
Use: Set this value only if you set the WLAN DHCP Configuration value to False (made DHCP unavailable).

WLAN Secondary DNS

Description: Specify the IP address of the secondary DNS if DHCP is unavailable.
Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2
Use: Set this value only if you set the WLAN DHCP Configuration value to False (made DHCP unavailable).

WLAN Default Gateway

Description: Specify the IP address of the default gateway.
Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2
Use: Set this value only if you set the WLAN DHCP Configuration value to False (made DHCP unavailable).

WLAN Minimal EAP-TLS Certificate Encryption Key Security Level

Description: Specify the minimum security level for private keys used by EAP methods employing client certificates (for example, EAP-TLS).
Default value: 1
Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1 (obsolete in 4.1.4)
Use: If you do not specify a security level, the value 1 (low security) is used.

Low security: The BlackBerry device prompts the user only once for the key store password to retrieve the private key for encrypting messages. The BlackBerry device stores the unencrypted private key with the WLAN profile.

Medium security: The BlackBerry device prompts the user only once for the key store password to retrieve the private key for encrypting messages, and subsequently only after a device is reset. The BlackBerry device caches the private key in memory but does not store it with the WLAN profile.

High security: The BlackBerry device always prompts the user for the key store password when accessing the private key for encrypting messages. The BlackBerry device does not store the unencrypted private key with the WLAN profile.

WLAN Enable Authentication Page

Description: Specify whether the WLAN Login browser is available on the BlackBerry® 7270 smartphone.
Default value: False
Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1 (obsolete in 4.1.4)
Use: Set to True to permit users to log in to an organization’s captive portal using the BlackBerry device.


WLAN Hard Token Required

Specify whether a hard token is required for authentication.

Default value: False

Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3.

Use: Set to True if a hard token (for example, RSA SecurID®) is required as part of the password for authentication.

WLAN Token Serial Number

If a software token is required as part of the password for authentication, specify the serial number of the software token provisioned to the BlackBerry device.

Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3.

WLAN Profile Visibility

Specify whether the user can view the settings of this WLAN profile.

Default value: 0

Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3.

Use: The options are as follows:

• Full visibility (0): The user can view all settings in this profile.

• Restricted visibility (1): The user can view only the profile name.

• Credentials visibility (2): The user can view only the profile name and user credentials.

WLAN Profile Editability

Specify whether the user can change the settings of this WLAN profile.

Default value: 0

Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3.

Use: The options are as follows:

• Full editability (0): The user can change all settings in this profile.

• No editability (1): The user cannot change any settings in the profile.

• Credentials editability (2): The user can change only the user credentials.

WLAN Allow Password Save

Specify whether the user can save WLAN passwords on the BlackBerry device.

Default value: True

Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3.

Use: The default value permits users to save WLAN passwords on the BlackBerry device.

WLAN Roaming Threshold

The roaming threshold determines how often the Wi-Fi® transceiver scans for neighboring wireless access points and roams to one of them if the signal quality is better than the signal of the current access point.

Default value: 0

Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3.

Use: The values are as follows:

• Auto (0): The device selects roaming thresholds automatically.

• Low (1): The device roams only when signal quality is very low.

• Medium (2): The device roams when the signal quality is medium to low.

• High (3): The device roams aggressively to access points with better signal strength.

WLAN Server Subject

Type the contents of the Subject field of the server’s certificate.

Default value: —

Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3.

Use: If you do not specify a server certificate, any valid server certificate is accepted.


WLAN Server SAN

Type the contents of the SubjectAltName (SAN) field of the server certificate.

Default value: —

Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3.

Use: If you do not specify a server certificate, any valid server certificate is accepted.

WLAN Inner Authentication Mode

Specify the authentication mode for tunneled EAP security.

Default value: 0

Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3.

Use: The options are as follows:

• None (0)

• EAP-MS-CHAPv2 (1)

• EAP-GTC (2)

• PAP (3)

• CHAP (4)

• MS-CHAP (5)

• MS-CHAPv2 (6)

• EAP-MD5 (7)

WLAN Protected Access Credential Key

Specify the PAC key used for EAP-FAST.

Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.4.

WLAN Domain Suffix

Specify the internal domain name suffix using the FQDN format.

Default value: —

Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3.

Use: Set this value only if you set the WLAN DHCP Configuration value to False (made DHCP unavailable).

WLAN Allow AP to AP Handover

Specify whether WLAN handovers between access points are permitted for this profile.

Default value: True

Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3.

Use: The default value permits handovers between access points in an enterprise Wi-Fi network.

Set to False to disallow access point handovers.

WLAN Band Type

Specify the band type or types that the wireless access points of a particular SSID are configured to operate on.

Default value: 0 (IEEE® 802.11a™/IEEE® 802.11b™/IEEE® 802.11g™)

Minimum requirements: BlackBerry Device Software 4.2.2; BlackBerry Enterprise Server software 4.1.4.

Use: The options are as follows:

• IEEE 802.11a/IEEE 802.11b/IEEE 802.11g

• IEEE 802.11b/IEEE 802.11g

• IEEE 802.11a

• IEEE 802.11b

Associated VoIP Configuration

This is a hidden property that the BlackBerry® 7270 smartphone uses. The property contains the name of the associated VoIP configuration profile.

Default value: —

Minimum requirements: BlackBerry Device Software —; BlackBerry Enterprise Server software 4.1.2.

Associated VPN Configuration

This is a hidden property that contains the name of the associated VPN configuration profile.

Default value: —

Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2.


VPN IT policy group


Enable VPN

Specify whether the VPN client on the BlackBerry® device is turned on.

Default value: False

Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1 (obsolete in 4.1.3).

Use: Set to True if the BlackBerry device requires the use of a VPN server to access a WLAN.

Set to False to turn off the VPN client on the BlackBerry device.

If you turn off the VPN client on the BlackBerry device, the BlackBerry device might not be able to use a WLAN that requires VPN access, or it might require the use of an alternative form of access control.

VPN Allow Handheld Changes

Specify whether users can change all VPN policy rules on the BlackBerry device.

Default value: True

Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1 (obsolete in 4.1.3).

Use: If this rule is set to False, BlackBerry device users can still change their VPN user name and VPN password on a BlackBerry device.

VPN Vendor Type

Specify the type of VPN client that the BlackBerry device VPN client emulates.

Default value: —

Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1.

Use: If you select a VPN client, verify that the Enable VPN value is set to True.

VPN Gateway Address

Type the IP address or the FQDN of the VPN server.

Default value: —

Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1.

VPN Group Name

Type the VPN server group name.

Default value: —

Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1.

Use: Specify the group name only if the VPN client type requires it.

VPN Group Password

Type the VPN server group password.

Default value: —

Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1.

Use: Specify the group password only if the VPN client type requires it.

VPN User Name

Type the default user name that the BlackBerry device uses to log in to the VPN server.

Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1.

Use: If you specify a user name, you must set the Enable VPN rule to True.

Set this value as a per-user IT policy rule, or within an IT policy that applies to only one user, unless you want to set a default value for all users.

If the user manually types a user name value on the BlackBerry device, IT policy updates overwrite or delete that value. To retain the user-specified value on the BlackBerry device, set the updated IT policy to use the same value as you specify for this setting.


VPN User Password

Type the default user password that the BlackBerry device uses to log in to the VPN server.

Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1.

Use: If you set this rule, you must set the Enable VPN rule to True.

Set this value as a per-user IT policy rule, or within an IT policy that applies to only one user, unless you want to set a default value for all users.

If the user manually types a user password value on the BlackBerry device, IT policy updates overwrite or delete that value. To retain the user-specified value on the BlackBerry device, set the updated IT policy to use the same value as you specify for this setting.

VPN DNS Configuration

Specify the VPN DNS configuration.

Default value: True

Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1.

Use: If you set this rule, you must set the Enable VPN rule to True.

If this value is set to True, the DNS settings are retrieved automatically from the VPN gateway.

If this value is set to False, the static settings specified in the VPN Primary DNS, VPN Secondary DNS, and VPN Domain Name policy rules are used.

VPN Primary DNS

Type the static setting for the IP address for the primary DNS server.

Default value: —

Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1.

Use: If you set this rule, set the VPN DNS Configuration policy rule to False, and set the Enable VPN rule to True.

VPN Secondary DNS

Type the static setting for the IP address for the secondary DNS server.

Default value: —

Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1.

Use: If you set this rule, set the VPN DNS Configuration policy rule to False, and set the Enable VPN rule to True.

VPN Domain Name

Specify the internal domain name suffix using the FQDN format.

Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1.

Use: If you set this rule, set the VPN DNS Configuration value to False, and set the Enable VPN rule to True.

When the VPN DNS Configuration rule is set to False, this setting is used.

Use VPN Xauth

Specify whether the client should use Xauth certificates to authenticate to the VPN gateway.

Default value: False

Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1.

Use: If you set this rule, you must set the Enable VPN rule to True.


VPN Xauth Type

Specify the type of user-level authentication that the VPN server uses.

Default value: 0

Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1.

Use: If you set this rule, you must set the Enable VPN rule to True.

If you do not set an authentication type, the value 0 (user name and password is required) is used.

VPN IKE DH Group

Specify the Diffie-Hellman group used to generate key material.

Default value: 7

Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1.

Use: Use Group 7 (elliptic curve cryptography).

If you set this rule, you must set the Enable VPN rule to True.

VPN IKE Cipher

Specify the encryption algorithm that the BlackBerry device uses to authenticate the IKE exchanges.

Default value: 0

Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1.

Use: Use AES-128.

If you do not specify an encryption type, the value 0 (DES) is used.

VPN IKE Hash

Specify the hash method authentication code to use.

Default value: 0

Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1.

Use: Use SHA-1.

If you do not set a value, the value 0 (MD5 128 bits) is used.

VPN PFS

Specify whether Perfect Forward Secrecy is turned on.

Default value: True

Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1.

Use: Leave this value set to True.

VPN IPSEC Cipher and Hash

Specify the encryption algorithm and hash for IPSec Security Associations.

Default value: 3

Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1.

Use: Use SHA-1 with AES-128 Cipher.

VPN Allow Password Save

Specify whether the user can save the VPN password on the BlackBerry device.

Default value: True

Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1.

Use: If you set this value to False (password not saved), the user must type a password each time the BlackBerry device connects to the VPN concentrator.

VPN NAT Keep Alive

Type the NAT “keep-alive” frequency.

Default value: 1

Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1.

Use: Specify the interval in minutes at which the BlackBerry device sends a keep-alive packet to maintain the connection to the VPN concentrator. The range is from 1 to 1439 minutes.

VPN Password Hidden on Input

Specify whether the VPN password is masked as the user types it.

Default value: False

Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3.

Use: Set to True to hide the VPN password as the user types it.

VPN Disable Prompt for Credentials Re-Entry

Specify whether to turn off the prompt for a user to re-enter VPN credentials after authentication is unsuccessful.

Default value: False

Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3.

Use: Set to True if you do not want to prompt a user to re-enter VPN credentials after authentication is unsuccessful.

Disable VPN User Profiles

Specify whether a user can create new VPN profiles on the BlackBerry device.

Default value: False

Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3.

Use: Set to True to prevent the user from creating new VPN profiles on the BlackBerry device.


VPN configuration settings

VPN Minimal Certificate Encryption Key Security Level

Specify the minimum security level for private keys used by methods that require client certificates.

Default value: 1 (low security)

Minimum requirements: BlackBerry Device Software 4.2.2; BlackBerry Enterprise Server software 4.1.4.

Use: The options are as follows:

• Low security (1): The user is prompted only once for the key store password. The private key is then retrieved and stored, unencrypted, with the VPN profile. The user is never again prompted for the key store password.

• High security (2): The user is always prompted for the key store password when access to the private key is required. This might happen frequently, even if the user has recently typed the password. Private keys are not stored with the VPN profile.

• Medium security (3): The user is initially prompted for the key store password and, from that point forward, is only prompted again after a device reset. Private keys are cached in memory but are not stored with the VPN profile.


Enable VPN

Specify whether the VPN client on the BlackBerry® device is turned on.

Default value: False (VPN client on BlackBerry device is turned off)

Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2 (obsolete in 4.1.3).

Use: If you turn off the VPN client on the BlackBerry device, the BlackBerry device might not be able to use a WLAN that requires VPN access, or it might require the use of an alternative form of access control.

Set this rule to True if the BlackBerry device requires the use of a VPN server to access a WLAN.


VPN Allow Handheld Changes

Specify whether users can change all VPN policy rules on the BlackBerry device.

Default value: True

Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2 (obsolete in 4.1.3).

Use: The default setting allows the BlackBerry device user to configure VPN settings for remote troubleshooting purposes.

VPN Vendor Type

Specify the type of VPN client that the BlackBerry device VPN client emulates.

Default value: —

Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2.

Use: If you select a VPN client, verify that the Enable VPN value is set to True.

VPN Gateway Address

Type the IP address or the FQDN of the VPN server.

Default value: —

Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2.

VPN Group Name

Type the VPN server group name.

Default value: —

Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2.

Use: Specify this value only if the VPN client type requires it.

VPN Group Password

Type the VPN server group password.

Default value: —

Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2.

Use: Specify this value only if the VPN client type requires it.

VPN User Name

Type the default user name that the BlackBerry device uses to log in to the VPN server.

Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2.

Use: If you specify this value, you must set the Enable VPN rule to True.

Set this value as a per-user IT policy rule, or within an IT policy that applies to only one user, unless you want to set a default value for all users.

If the user manually types a user name value on the BlackBerry device, IT policy updates overwrite or delete that value. To retain the user-specified value on the BlackBerry device, set the updated IT policy to use the same value as you specify for this setting.

VPN User Password

Type the default user password that the BlackBerry device uses to log in to the VPN server.

Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2.

Use: If you set this value, you must set the Enable VPN rule to True.

Set this value as a per-user IT policy rule, or within an IT policy that applies to only one user, unless you want to set a default value for all users.

If the user manually types a user password value on the BlackBerry device, IT policy updates overwrite or delete that value. To retain the user-specified value on the BlackBerry device, set the updated IT policy to use the same value as you specify for this setting.


VPN DNS Configuration

Specify the VPN DNS configuration.

Default value: True

Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2.

Use: If you set this rule, you must set the Enable VPN rule to True.

If this value is set to True, the DNS settings are retrieved automatically from the VPN gateway.

If this value is set to False, the static settings specified in the VPN Primary DNS, VPN Secondary DNS, and VPN Domain Name settings are used.

VPN Primary DNS

Type the static setting for the IP address for the primary DNS server.

Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2.

Use: If you specify this value, set the VPN DNS Configuration value to False, and set the Enable VPN rule to True.

When the VPN DNS Configuration value is set to False, this setting is used.

VPN Secondary DNS

Type the static setting for the IP address for the secondary DNS server.

Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2.

Use: If you specify this value, set the VPN DNS Configuration value to False, and set the Enable VPN rule to True.

When the VPN DNS Configuration value is set to False, this setting is used.

VPN Domain Name

Specify the internal domain name suffix using the FQDN format.

Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2.

Use: If you set this rule, set the VPN DNS Configuration value to False, and set the Enable VPN rule to True.

When the VPN DNS Configuration rule is set to False, this setting is used.

Use VPN Xauth

Specify whether the client should use Xauth certificates to authenticate to the VPN gateway.

Default value: False

Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2.

Use: Enable this setting to identify the user who requests the VPN (IPSec) connection.

If you set this value to True, you must set the Enable VPN rule to True.

VPN Xauth Type

Specify the type of user-level authentication that the VPN server uses.

Default value: 0

Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2.

Use: If you do not set an authentication type, the value 0 (user name and password is required) is used.

You must also set the Enable VPN rule to True.

VPN IKE DH Group

Specify the Diffie-Hellman group used to generate key material.

Default value: 7

Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2.

Use: Use Group 7 (elliptic curve cryptography).

If you do not set a value, the value 7 (elliptic curve cryptography) is used.

You must also set the Enable VPN rule to True.


VPN IKE Cipher

Specify the encryption algorithm that the BlackBerry device uses to authenticate the IKE exchanges.

Default value: 0

Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2.

Use: Use AES-128.

If you do not specify an encryption type, the value 0 (DES) is used.

VPN IKE Hash

Specify the hash method authentication code to use.

Default value: 0

Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2.

Use: Use SHA-1 160 bits.

If you do not set a value, the value 0 (MD5 128 bits) is used.

VPN PFS

Specify whether Perfect Forward Secrecy is turned on.

Default value: True

Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2.

Use: Leave this value set to True.

VPN IPSEC Cipher and Hash

Specify the encryption algorithm and hash for IPSec Security Associations.

Default value: 3

Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2.

Use: Use SHA-1 with AES-128 Cipher.

VPN Allow Password Save

Specify whether the user can save the VPN password on the BlackBerry device.

Default value: True

Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2.

VPN NAT Keep Alive

Type the NAT “keep-alive” frequency.

Default value: 1

Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2.

Use: Specify the interval in minutes at which the BlackBerry device sends a keep-alive packet to maintain the connection to the VPN concentrator. The range is from 1 to 1439 minutes.

VPN Hard Token Required

Specify whether a hard token is required for authentication.

Default value: False

Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3.

Use: Set to True if a hard token (for example, RSA SecurID®) is required as part of the password for authentication.

VPN Token Serial Number

If a software token is required as part of the password for authentication, specify the serial number of the software token provisioned to the BlackBerry device.

Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3.


VPN Minimal Certificate Encryption Key Security Level

Specify the minimum security level for private keys used by methods that require client certificates.

Default value: 1

Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3 (obsolete in 4.1.4).

Use: If you do not set this rule, a default value of 1 (low security level) is used.

The options are as follows:

• Low security (1): The user is prompted only once for the key store password. The private key is then retrieved and stored, unencrypted, with the VPN profile. The user is never again prompted for the key store password.

• High security (2): The user is always prompted for the key store password when access to the private key is required. This might happen frequently, even if the user has recently typed the password. Private keys are not stored with the VPN profile.

• Medium security (3): The user is initially prompted for the key store password and, from that point forward, is only prompted again after a device reset. Private keys are cached in memory but are not stored with the VPN profile.

VPN Profile Visibility

Specify whether the user can view the settings of this VPN profile.

Default value: 0

Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3.

Use: The options are as follows:

• Full visibility (0): The user can view all settings in this profile.

• Restricted visibility (1): The user can view only the profile name.

• Credentials visibility (2): The user can view only the profile name and user credentials.

VPN Profile Editability

Specify whether the user can change the settings of this VPN profile.

Default value: 0

Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3.

Use: The options are as follows:

• Full editability (0): The user can change all settings in this profile.

• No editability (1): The user cannot change any settings in the profile.

• Credentials editability (2): The user can change only the user credentials.

VPN IP Address

Type the IP address of the VPN.

Default value: 0

Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3.

Use: If you set this rule, set the VPN DNS Configuration policy rule to False and set the Enable VPN rule to True.


VPN Subnet Mask

Type the IP address of the subnet mask of the VPN.

Default value: —

Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3.

Use: If you set this rule, set the VPN DNS Configuration policy rule to False and set the Enable VPN rule to True.

Suppress VPN Banner

Specify whether the VPN banner displays on the BlackBerry device.

Default value: True

Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3.

Use: The default value suppresses the VPN banner.

Set to False to display the VPN banner after the BlackBerry device connects to the VPN.
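The dependencies and recommendations in the WLAN and VPN tables above (static addressing only when DHCP is off, Enable VPN required by most VPN rules, static VPN DNS only when VPN DNS Configuration is False, the DES and MD5 defaults the tables advise against, the low key security level that stores private keys unencrypted) can be checked mechanically. The audit below is an added example, not code from the supplement or from BlackBerry Enterprise Server; it assumes a constructed dict keyed by the rule names in the tables (no BES export format is assumed) and uses only the numeric codes the tables document.

```python
"""Audit a WLAN/VPN IT policy against the 'Use' guidance in the tables above.

Added example for this page, not code from the supplement or from BlackBerry
Enterprise Server. The policy is a constructed dict keyed by the rule names the
tables use; an absent rule takes the documented default. Only codes the tables
list are used; the AES-128 and SHA-1 codes are not listed, so the audit flags
the weak value rather than requiring a particular strong one.
"""

DOCUMENTED_DEFAULTS = {
    "WLAN DHCP Configuration": True, "WLAN Allow Password Save": True,
    "WLAN Minimal EAP-TLS Certificate Encryption Key Security Level": 1,
    "Enable VPN": False, "VPN DNS Configuration": True, "VPN Allow Password Save": True,
    "VPN IKE Cipher": 0, "VPN IKE Hash": 0, "VPN IKE DH Group": 7, "VPN PFS": True,
    "VPN Minimal Certificate Encryption Key Security Level": 1,
}
WLAN_STATIC_RULES = ("WLAN IP Address", "WLAN Subnet Mask",
                     "WLAN Primary DNS", "WLAN Default Gateway")
VPN_STATIC_DNS_RULES = ("VPN Primary DNS", "VPN Secondary DNS", "VPN Domain Name")
# Rules whose 'Use' column says Enable VPN must be True when they are set.
REQUIRES_ENABLE_VPN = (
    "VPN Vendor Type", "VPN User Name", "VPN User Password", "VPN DNS Configuration",
    "VPN Primary DNS", "VPN Secondary DNS", "VPN Domain Name", "Use VPN Xauth",
    "VPN Xauth Type", "VPN IKE DH Group", "VPN IP Address", "VPN Subnet Mask",
)
# (rule, weak value, reason taken from the tables)
WEAK_VALUES = (
    ("VPN IKE Cipher", 0, "0 is DES; the table says use AES-128"),
    ("VPN IKE Hash", 0, "0 is MD5 (128 bits); the table says use SHA-1"),
    ("VPN PFS", False, "the table says leave Perfect Forward Secrecy set to True"),
    ("VPN Minimal Certificate Encryption Key Security Level", 1,
     "1 is low security: the private key is stored unencrypted with the VPN profile"),
    ("WLAN Minimal EAP-TLS Certificate Encryption Key Security Level", 1,
     "1 is low security: the private key is stored unencrypted with the WLAN profile"),
)


def effective(policy, rule):
    # Value of a rule, falling back to the default the tables document.
    return policy.get(rule, DOCUMENTED_DEFAULTS.get(rule))


def audit_policy(policy):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Static WLAN addressing is used, and needed, only when DHCP is turned off.
    dhcp_on = effective(policy, "WLAN DHCP Configuration")
    for rule in WLAN_STATIC_RULES:
        if dhcp_on and rule in policy:
            findings.append(f"{rule} is set but WLAN DHCP Configuration is True")
        elif not dhcp_on and rule not in policy:
            findings.append(f"{rule} is missing although WLAN DHCP Configuration is False")
    # VPN rules the tables tie to Enable VPN do nothing while the client is off.
    if not effective(policy, "Enable VPN"):
        for rule in REQUIRES_ENABLE_VPN:
            if rule in policy:
                findings.append(f"{rule} is set but Enable VPN is not True")
    # Static VPN DNS settings are ignored while the gateway supplies DNS.
    if effective(policy, "VPN DNS Configuration"):
        for rule in VPN_STATIC_DNS_RULES:
            if rule in policy:
                findings.append(f"{rule} is set but VPN DNS Configuration is True")
    # Weak values, including the weak defaults that apply when a rule is unset.
    for rule, weak, why in WEAK_VALUES:
        if effective(policy, rule) == weak:
            findings.append(f"{rule} = {weak!r}: {why}")
    if effective(policy, "VPN IKE DH Group") != 7:
        findings.append("VPN IKE DH Group is not 7; the table says use Group 7")
    # Saved passwords remain recoverable from the device.
    for rule in ("WLAN Allow Password Save", "VPN Allow Password Save"):
        if effective(policy, rule):
            findings.append(f"{rule} is True: passwords are stored on the device")
    return findings


# Constructed sample: static WLAN addressing with the DNS server forgotten, a VPN
# profile left on the DES/MD5 defaults, and a static VPN DNS entry that the
# default VPN DNS Configuration = True makes the device ignore.
SAMPLE_POLICY = {
    "WLAN DHCP Configuration": False, "WLAN IP Address": "10.0.0.21",
    "WLAN Subnet Mask": "255.255.255.0", "WLAN Default Gateway": "10.0.0.1",
    "WLAN Allow Password Save": False,
    "WLAN Minimal EAP-TLS Certificate Encryption Key Security Level": 2,  # not 1 (low)
    "Enable VPN": True, "VPN Vendor Type": "example-vendor",  # placeholder vendor value
    "VPN Primary DNS": "10.0.0.53", "VPN Allow Password Save": False,
    "VPN Minimal Certificate Encryption Key Security Level": 2,  # 2 = high per the table
}
```

Running `audit_policy(SAMPLE_POLICY)` yields four findings: the missing WLAN Primary DNS, the ignored VPN Primary DNS, and the DES and MD5 IKE defaults.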


Glossary

3GPP

Third Generation Partnership Project

802.11a

IEEE® 802.11a™ is a standard for a wireless network that operates at 5 GHz, with transmission speeds of up to 54 Mbps.

802.11b

IEEE® 802.11b™ is a standard for a wireless network that operates at 2.4 GHz, with transmission speeds of up to 11 Mbps.

802.11g

IEEE® 802.11g™ is a standard for a wireless network that operates at 2.4 GHz, with transmission speeds of up to 54 Mbps.

802.11i

IEEE® 802.11i™ is a standard that adds Quality of Service features and multimedia support to IEEE® 802.11a™, IEEE® 802.11b™, and IEEE® 802.11g™ standards.

ACL

An access control list (ACL) specifies the permissions for users or groups associated with an object, such as a service, file, or folder. An ACL is sometimes referred to as a whitelist.

AES

Advanced Encryption Standard

AES-CCMP

AES-Counter Mode CBC-MAC Protocol

ARFCN

absolute radio frequency channel number

CBC

cipher block chaining

DES

Data Encryption Standard (DES)


DHCP

Dynamic Host Configuration Protocol

DMZ

The demilitarized zone (DMZ) is a neutral subnetwork between the organization’s trusted LAN and the untrusted external mobile network and public Internet.

DNS

Domain Name System

EAP

Extensible Authentication Protocol

EAP-FAST

Extensible Authentication Protocol Flexible Authentication via Secure Tunneling

EAP-GTC

Extensible Authentication Protocol Generic Token Card

EAP-TLS

Extensible Authentication Protocol Transport Layer Security

EAP-TTLS

Extensible Authentication Protocol Tunneled Transport Layer Security

FQDN

fully qualified domain name

GAN

Generic Access Network

GANC

GAN controller

GSM

Global System for Mobile communications

handover

A handover refers to moving from a mobile network to a Wi-Fi® network, or from a Wi-Fi network to a mobile network while messages are transferring to or from a BlackBerry® device.

HTTP

The Hypertext Transfer Protocol


IBM DB2 UDB

IBM® DB2 Universal Database™

IEEE

Institute of Electrical and Electronics Engineers

IKE

Internet Key Exchange

IP

Internet Protocol

IPSec

IP Security

ISP

Internet service provider

LAN

local area network

LEAP

Lightweight Extensible Authentication Protocol

MAC

message authentication code

MCC

mobile country code

MD5

Message-Digest Algorithm, version 5

MNC

mobile network code

MS-CHAP

Microsoft Challenge Handshake Authentication Protocol

MX record

mail exchange record

NAT

network address translation


PAC

Protected Access Credential

PEAP

Protected Extensible Authentication Protocol

PFS

Perfect Forward Secrecy

PIN

personal identification number

PKI

Public Key Infrastructure

PMK

pairwise master key

PSK

preshared key

RADIUS

Remote Authentication Dial In User Service

RFC

Request for Comments

RXLEV

Received Signal Level

SEGW

mobile network provider’s security gateway

SAN

server alternative name

SRP

Server Routing Protocol

SSID

The service set identifier (SSID) is the name of a Wi-Fi® network.

SSL

Secure Sockets Layer


TKIP

Temporal Key Integrity Protocol

TLS

Transport Layer Security

TTLS

Tunneled Transport Layer Security

UID

unique identifier

UMA

Unlicensed Mobile Access

UNC

UMA controller

VPN

virtual private network

WEP

Wired Equivalent Privacy

WLAN

wireless local area network

WPA

Wi-Fi Protected Access™


©2008 Research In Motion Limited

Published in Canada.