
Wi-Fi Implementation Supplement

Last modified: 16 May 2008

Document ID: 10626870 Version 26

At the time of publication, this documentation supplements the documentation for the following releases:
• BlackBerry Enterprise Server Version 4.1 SP3 or later
• BlackBerry Professional Software Version 4.1 SP4 or later

©2008 Research In Motion Limited. All rights reserved. BlackBerry®, RIM®, Research In Motion®, SureType® and related trademarks, names,
and logos are the property of Research In Motion Limited and are registered and/or used as trademarks in the U.S., Canada, and countries
around the world.

Bluetooth is a trademark of Bluetooth SIG. GSM is a trademark of the GSM MOU Association. IBM, DB2, DB2 Universal Database, Domino, and
Lotus are trademarks of International Business Machines Corporation. IEEE, 802.1X, 802.11, 802.11a, 802.11b, 802.11g, and 802.11i are trademarks
of the Institute of Electrical and Electronics Engineers, Inc. Microsoft, Active Directory, and SQL Server are trademarks of Microsoft
Corporation. Novell and GroupWise are trademarks of Novell, Inc. RSA and RSA SecurID are trademarks of RSA Security. Wi-Fi, Wi-Fi Protected
Access, WPA, and WPA2 are trademarks of the Wi-Fi Alliance. All other trademarks are the properties of their respective owners.

The BlackBerry smartphone and other devices and/or associated software are protected by copyright, international treaties, and various
patents, including one or more of the following U.S. patents: 6,278,442; 6,271,605; 6,219,694; 6,075,470; 6,073,318; D445,428; D433,460;
D416,256. Other patents are registered or pending in the U.S. and in various countries around the world. Visit www.rim.com/patents for a list of
RIM (as hereinafter defined) patents.

This documentation including all documentation incorporated by reference herein such as documentation provided or made available at
www.blackberry.com/go/docs is provided or made accessible "AS IS" and "AS AVAILABLE" and without condition, endorsement, guarantee,
representation, or warranty of any kind by Research In Motion Limited and its affiliated companies ("RIM") and RIM assumes no responsibility
for any typographical, technical, or other inaccuracies, errors, or omissions in this documentation. In order to protect RIM proprietary and
confidential information and/or trade secrets, this documentation may describe some aspects of RIM technology in generalized terms. RIM
reserves the right to periodically change information that is contained in this documentation; however, RIM makes no commitment to provide
any such changes, updates, enhancements, or other additions to this documentation to you in a timely manner or at all.

This documentation might contain references to third-party sources of information, hardware or software, products or services including
components and content such as content protected by copyright and/or third-party web sites (collectively the "Third Party Products and
Services"). RIM does not control, and is not responsible for, any Third Party Products and Services including, without limitation the content,
accuracy, copyright compliance, compatibility, performance, trustworthiness, legality, decency, links, or any other aspect of Third Party Products
and Services. The inclusion of a reference to Third Party Products and Services in this documentation does not imply endorsement by RIM of
the Third Party Products and Services or the third party in any way.

EXCEPT TO THE EXTENT SPECIFICALLY PROHIBITED BY APPLICABLE LAW IN YOUR JURISDICTION, ALL CONDITIONS, ENDORSEMENTS,
GUARANTEES, REPRESENTATIONS, OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, ANY
CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS OR WARRANTIES OF DURABILITY, FITNESS FOR A PARTICULAR
PURPOSE OR USE, MERCHANTABILITY, MERCHANTABLE QUALITY, NON-INFRINGEMENT, SATISFACTORY QUALITY, OR TITLE, OR ARISING
FROM A STATUTE OR CUSTOM OR A COURSE OF DEALING OR USAGE OF TRADE, OR RELATED TO THE DOCUMENTATION OR ITS USE,
OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND
SERVICES REFERENCED HEREIN, ARE HEREBY EXCLUDED. YOU MAY ALSO HAVE OTHER RIGHTS THAT VARY BY STATE OR PROVINCE.
SOME JURISDICTIONS MAY NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES AND CONDITIONS. TO THE EXTENT
PERMITTED BY LAW, ANY IMPLIED WARRANTIES OR CONDITIONS RELATING TO THE DOCUMENTATION TO THE EXTENT THEY CANNOT
BE EXCLUDED AS SET OUT ABOVE, BUT CAN BE LIMITED, ARE HEREBY LIMITED TO NINETY (90) DAYS FROM THE DATE YOU FIRST
ACQUIRED THE DOCUMENTATION OR THE ITEM THAT IS THE SUBJECT OF THE CLAIM.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, IN NO EVENT SHALL RIM BE LIABLE FOR ANY TYPE
OF DAMAGES RELATED TO THIS DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE,
HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN INCLUDING WITHOUT LIMITATION ANY
OF THE FOLLOWING DAMAGES: DIRECT, CONSEQUENTIAL, EXEMPLARY, INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE, OR AGGRAVATED
DAMAGES, DAMAGES FOR LOSS OF PROFITS OR REVENUES, FAILURE TO REALIZE ANY EXPECTED SAVINGS, BUSINESS INTERRUPTION,
LOSS OF BUSINESS INFORMATION, LOSS OF BUSINESS OPPORTUNITY, OR CORRUPTION OR LOSS OF DATA, FAILURES TO TRANSMIT OR
RECEIVE ANY DATA, PROBLEMS ASSOCIATED WITH ANY APPLICATIONS USED IN CONJUNCTION WITH RIM PRODUCTS OR SERVICES,
DOWNTIME COSTS, LOSS OF THE USE OF RIM PRODUCTS OR SERVICES OR ANY PORTION THEREOF OR OF ANY AIRTIME SERVICES,
COST OF SUBSTITUTE GOODS, COSTS OF COVER, FACILITIES OR SERVICES, COST OF CAPITAL, OR OTHER SIMILAR PECUNIARY LOSSES,
WHETHER OR NOT SUCH DAMAGES WERE FORESEEN OR UNFORESEEN, AND EVEN IF RIM HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, RIM SHALL HAVE NO OTHER OBLIGATION, DUTY,
OR LIABILITY WHATSOEVER IN CONTRACT, TORT, OR OTHERWISE TO YOU INCLUDING ANY LIABILITY FOR NEGLIGENCE OR STRICT
LIABILITY.

THE LIMITATIONS, EXCLUSIONS, AND DISCLAIMERS HEREIN SHALL APPLY: (A) IRRESPECTIVE OF THE NATURE OF THE CAUSE OF
ACTION, DEMAND, OR ACTION BY YOU INCLUDING BUT NOT LIMITED TO BREACH OF CONTRACT, NEGLIGENCE, TORT, STRICT LIABILITY
OR ANY OTHER LEGAL THEORY AND SHALL SURVIVE A FUNDAMENTAL BREACH OR BREACHES OR THE FAILURE OF THE ESSENTIAL
PURPOSE OF THIS AGREEMENT OR OF ANY REMEDY CONTAINED HEREIN; AND (B) TO RIM AND ITS AFFILIATED COMPANIES, THEIR
SUCCESSORS, ASSIGNS, AGENTS, SUPPLIERS (INCLUDING AIRTIME SERVICE PROVIDERS), AUTHORIZED RIM DISTRIBUTORS (ALSO
INCLUDING AIRTIME SERVICE PROVIDERS) AND THEIR RESPECTIVE DIRECTORS, EMPLOYEES, AND INDEPENDENT CONTRACTORS.

IN ADDITION TO THE LIMITATIONS AND EXCLUSIONS SET OUT ABOVE, IN NO EVENT SHALL ANY DIRECTOR, EMPLOYEE, AGENT,
DISTRIBUTOR, SUPPLIER, INDEPENDENT CONTRACTOR OF RIM OR ANY AFFILIATES OF RIM HAVE ANY LIABILITY ARISING FROM OR
RELATED TO THE DOCUMENTATION.

Prior to subscribing for, installing, or using any Third Party Products and Services, it is your responsibility to ensure that your airtime service
provider has agreed to support all of their features. Installation or use of Third Party Products and Services with RIM's products and services
may require one or more patent, trademark, copyright, or other licenses in order to avoid infringement or violation of third party rights. You are
solely responsible for determining whether to use Third Party Products and Services and if any third party licenses are required to do so. If
required you are responsible for acquiring them. You should not install or use Third Party Products and Services until all necessary licenses
have been acquired. Any Third Party Products and Services that are provided with RIM's products and services are provided as a convenience to
you and are provided "AS IS" with no express or implied conditions, endorsements, guarantees, representations, or warranties of any kind by
RIM and RIM assumes no liability whatsoever, in relation thereto. Your use of Third Party Products and Services shall be governed by and
subject to you agreeing to the terms of separate licenses and other agreements applicable thereto with third parties, except to the extent
expressly covered by a license or other agreement with RIM.

The terms of use of any RIM product or service are set out in a separate license or other agreement with RIM applicable thereto. NOTHING IN
THIS DOCUMENTATION IS INTENDED TO SUPERSEDE ANY EXPRESS WRITTEN AGREEMENTS OR WARRANTIES PROVIDED BY RIM FOR
PORTIONS OF ANY RIM PRODUCT OR SERVICE OTHER THAN THIS DOCUMENTATION.

Certain features outlined in this documentation require a minimum version of BlackBerry Enterprise Server Software, BlackBerry Desktop
Software, and/or BlackBerry Device Software and may require additional development or Third Party Products and Services for access to
corporate applications.

This product includes software developed by the Apache Software Foundation (http://www.apache.org/) and/or licensed pursuant to Apache
License, Version 2.0 (http://www.apache.org/licenses/). For more information, see the NOTICE.txt file included with the software. Unless
required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and
limitations under the License.
Research In Motion Limited
295 Phillip Street
Waterloo, ON N2L 3W8
Canada

Research In Motion UK Limited
200 Bath Road
Slough, Berkshire SL1 3XE
United Kingdom

Published in Canada
Contents
1 Using the Wi-Fi Implementation Supplement.................................................................................................9
Supported environments ................................................................................................................................. 9
Required BlackBerry Enterprise Server documentation ............................................................................. 9
BlackBerry Enterprise Server administrative roles .....................................................................................10

2 Technical overview .............................................................................................................................................. 11


BlackBerry Enterprise Server architecture overview ...................................................................................11
Wi-Fi environment overview............................................................................................................................11
Wi-Fi coverage types................................................................................................................................ 12
Wi-Fi connection options.........................................................................................................................13
Supported IEEE 802.11 wireless networking standards ......................................................................13
Architecture: Options for Mobile and Wi-Fi connections ..........................................................................14
Architecture components ...............................................................................................................................14
BlackBerry Enterprise Server components ...........................................................................................14
BlackBerry Enterprise Server remote components..............................................................................15
BlackBerry Enterprise Server support for Wi-Fi enabled BlackBerry devices .................................15
Wireless access points .............................................................................................................................16
BlackBerry Enterprise Server process flows.................................................................................................16

3 Installation and configuration overview .........................................................................................................17


Quick reference................................................................................................................................................ 17

4 Configuring security in your environment..................................................................................................... 19


Security for Wi-Fi enabled BlackBerry devices............................................................................................19
Prerequisites: Configuring layer 2 access security.....................................................................................19
Prerequisites: Configuring layer 3 VPN access security...........................................................................20
Configuring software tokens.........................................................................................................................20
Configuring MAC access control lists...........................................................................................................21
Configuring service-specific access security............................................................................................... 21
Configuring a captive portal .......................................................................................................................... 21
5 Installing and configuring the BlackBerry Enterprise Server..................................................................... 23
Verifying that you are ready to install the BlackBerry Enterprise Server .............................................. 23
Configuring the BlackBerry Enterprise Server environment.................................................................... 23
Preparing to support Wi-Fi enabled BlackBerry devices .......................................................................... 24
Installing the BlackBerry Enterprise Server................................................................................................ 25
Adding administrators to roles ..................................................................................................................... 25
Setting up the BlackBerry Enterprise Server environment....................................................................... 25

6 Setting up user accounts on the BlackBerry Enterprise Server ................................................................. 27


Setting up user accounts ............................................................................................................................... 27
Adding user accounts..................................................................................................................................... 27
Adding user groups......................................................................................................................................... 28
Customizing organizer data synchronization ............................................................................................. 28

7 Configuring WLAN and VPN settings .............................................................................................................29


WLAN and VPN profiles .................................................................................................................................29
Configuring WLAN and VPN profiles...........................................................................................................29
Configure a WLAN profile ......................................................................................................................29
Configure a WLAN profile based on an existing profile ....................................................................30
Configure a VPN profile .........................................................................................................................30
Configure a VPN profile based on an existing profile ........................................................................31
Associate a VPN profile with a WLAN profile.......................................................................................31
Assigning profiles ........................................................................................................................................... 32
Assign a WLAN profile to a user account............................................................................................. 32
Assign a VPN profile to a user account................................................................................................ 32
Managing profiles........................................................................................................................................... 32
Change a setting in a WLAN profile ..................................................................................................... 32
Change a setting in a VPN profile ........................................................................................................ 33
Delete a WLAN profile ............................................................................................................................ 33
Delete a VPN profile ............................................................................................................................... 33
Managing WLAN and VPN settings using IT policies................................................................................ 34
Download the IT policy definitions file................................................................................................. 34
Importing the IT policy rules.................................................................................................................. 34
Configuring and assigning IT policies ......................................................................................................... 35
Configuring and assigning IT policies in BlackBerry Enterprise Server Version 4.0.x ................. 35
Configuring and assigning IT policies in BlackBerry Enterprise Server Version 4.1 or later .......36
Configure a Wi-Fi profile manually on the BlackBerry device ................................................................. 37
8 Configuring encryption and authentication methods on the BlackBerry device ...................................39
Configure WEP encryption.............................................................................................................................39
Configure PSK encryption .............................................................................................................................40
Using the IEEE 802.1X and EAP authentication framework.....................................................................40
Configure LEAP authentication .....................................................................................................................41
Configuring PEAP, EAP-TLS, or EAP-TTLS certificate-based authentication ........................................ 42
Configure PEAP authentication.................................................................................................................... 43
Configure EAP-TLS authentication ..............................................................................................................45
Configure EAP-TTLS authentication ............................................................................................................ 47
Configure EAP-FAST authentication ...........................................................................................................49

9 Configuring software tokens.............................................................................................................................51


Using software tokens on the BlackBerry device .......................................................................................51
Prerequisites: Minimum software versions for software token use ..................................................51
RSA Authentication Manager documentation resources...................................................................51
Preparing the RSA Authentication Manager for software token use ......................................................51
Configure PIN policies for software tokens..........................................................................................51
Import the token seed file into the RSA Authentication Manager Database ................................ 52
Create a user record in the RSA Authentication Manager Database.............................................. 52
Issue a software token ............................................................................................................................ 52
Synchronize the date and time on the BlackBerry device with the RSA Authentication Manager computer .......... 52
Set the default WLAN connection parameters for the BlackBerry Domain........................................... 53
Set the default VPN connection parameters for the BlackBerry Domain.............................................. 53
Set the user’s profile for software token use ..............................................................................................54

10 Implementing BlackBerry devices...................................................................................................................55


Minimum software requirements .................................................................................................................55
Implementing BlackBerry devices................................................................................................................55

11 Activating BlackBerry devices over the enterprise Wi-Fi network ............................................................57


Using the BlackBerry Router for BlackBerry device activations over the enterprise Wi-Fi network . 57
Setting up the environment for BlackBerry device activations over the enterprise Wi-Fi network ...58
Preparing to install a BlackBerry Router for BlackBerry device activations over the enterprise Wi-Fi network .......... 58
Confirm the installation credentials ............................................................................................................59
Configuring a BlackBerry Router for BlackBerry device activations over the enterprise Wi-Fi network .......... 59
Install and configure a new BlackBerry Router ..................................................................................59
Configure an existing BlackBerry Router.............................................................................................60
Prerequisites: Activating BlackBerry devices over the enterprise Wi-Fi network.................................60
Create and send activation information.......................................................................................................61
Reactivate an existing BlackBerry device ....................................................................................................61
Confirm that the activation is successful.....................................................................................................61

12 Troubleshooting..................................................................................................................................................63
Push settings to the BlackBerry device .......................................................................................................63
Troubleshooting connection and configuration issues on a Wi-Fi enabled BlackBerry device ..........63
Troubleshooting connection issues on a Wi-Fi enabled BlackBerry device...........................................64
Verify that the Wi-Fi connection is turned on.....................................................................................64
View basic diagnostic information on a Wi-Fi enabled BlackBerry device.....................................64
View detailed diagnostic information on a Wi-Fi enabled BlackBerry device ...............................64
Wi-Fi Diagnostics status indicators..............................................................................................................64
Status indicator groups ..........................................................................................................................64
Status indicator states ............................................................................................................................65
Wi-Fi connection status indicators .......................................................................................................65
VPN connection status indicators.........................................................................................................68
UMA/GAN connection status indicators............................................................................................. 70
BlackBerry Infrastructure connection status indicators..................................................................... 71
Enterprise connection status indicators .............................................................................................. 72
Verify whether the BlackBerry device can reach an IP address .............................................................. 72
Resolve a host name to an IP address ......................................................................................................... 73

13 IT policy rules and configuration settings .....................................................................................................75


Using WLAN IT policy rules with a WLAN configuration set.................................................................... 75
WLAN IT policy group..................................................................................................................................... 75
WLAN configuration settings .........................................................................................................................81
VPN IT policy group........................................................................................................................................86
VPN configuration settings ...........................................................................................................................89

Glossary............................................................................................................................................................... 95
1 Using the Wi-Fi Implementation Supplement
Required BlackBerry Enterprise Server documentation
BlackBerry Enterprise Server administrative roles

Supported environments
You can use this guide to supplement an installation of either the BlackBerry® Enterprise Server or the
BlackBerry® Professional Software. In this guide, consider BlackBerry® Enterprise Server to mean BlackBerry
Professional Software in the relevant reference information or in the tasks that the BlackBerry Professional
Software supports.

Required BlackBerry Enterprise Server documentation


The BlackBerry Enterprise Server Wi-Fi Implementation Supplement provides information that you might require
when you install and administer a BlackBerry® Enterprise Server in an environment in which some user accounts
have Wi-Fi® enabled BlackBerry devices.
Use this supplement with the following BlackBerry Enterprise Server documentation for your messaging
environment:
• BlackBerry Enterprise Server Installation Guide
• BlackBerry Enterprise Server System Administration Guide
To complete some tasks described in this supplement, you might require one or more of the following
documentation resources:
• BlackBerry Enterprise Server Capacity Calculator
• BlackBerry Enterprise Server Handheld Management Guide (BlackBerry Enterprise Server Version 4.0.x)
• BlackBerry Enterprise Server Performance Benchmarking
• BlackBerry Enterprise Solution Security Technical Overview
• Placing the BlackBerry Enterprise Solution in a segmented network
• Policy Reference Guide

BlackBerry Enterprise Server administrative roles


In BlackBerry® Enterprise Server Version 4.1 or later, the BlackBerry Enterprise Server uses predefined roles, which
correspond to common corporate administrative roles, to control who can perform specific tasks and limit who can
access sensitive data in your organization. To perform many of the tasks, you require security administrator or
enterprise administrator permissions.
For information about the tasks for each administrative role, see the BlackBerry Enterprise Server System
Administration Guide.

2 Technical overview
BlackBerry Enterprise Server architecture overview
Wi-Fi environment overview
Architecture: Options for Mobile and Wi-Fi connections
Architecture components
BlackBerry Enterprise Server process flows

BlackBerry Enterprise Server architecture overview


The BlackBerry® Enterprise Server consists of services and components. The BlackBerry services are designed to
provide productivity tools—such as email, instant messaging, and organizer functionality—and data from your
organization’s applications to BlackBerry device users. The BlackBerry components are designed to monitor the
BlackBerry services; process, route, compress, and encrypt data; and communicate with the mobile network.
Typically, user accounts with BlackBerry devices can connect to the mobile network. No changes to the BlackBerry
Enterprise Server architecture are required to support Wi-Fi® enabled BlackBerry devices.
For more information about the BlackBerry Enterprise Server architecture, see the BlackBerry Enterprise Server
Feature and Technical Overview for your messaging environment.

Wi-Fi environment overview


With a Wi-Fi® enabled BlackBerry® device, a user can access voice and data services across multiple radio
technologies.
Most BlackBerry device users connect over the mobile network to the BlackBerry® Enterprise Server for access to
productivity tools and your organization’s data and applications.
If a user’s mobile network provider makes UMA technology (GAN technology) available, and the user has
subscribed to the UMA feature, a Wi-Fi enabled BlackBerry device can access the mobile network provider’s voice
and data services over a mobile network or using a Wi-Fi connection. In addition, the user can establish concurrent
connections to data services over a Wi-Fi connection during a call over the mobile network.
A BlackBerry device can establish a Wi-Fi connection from an enterprise Wi-Fi network or, in conjunction with a
VPN session, from a personal Wi-Fi network or from a Wi-Fi hotspot to complete a direct route to the BlackBerry
Router.
In addition, using a direct Wi-Fi connection to the BlackBerry Router, with or without a VPN session, or using a
Wi-Fi network that allows a connection to the Internet on port 443, a Wi-Fi enabled BlackBerry device is designed
to establish a safe connection to the BlackBerry® Internet Service, the BlackBerry® Messenger, and PIN
messaging. Verify with your wireless service provider that your service plan provides access to these services over
a Wi-Fi connection.

Wi-Fi coverage types


Examples of Wi-Fi® network types include a WLAN within an organization’s environment, a personal Wi-Fi network,
or a public hotspot that offers a Wi-Fi connection.

Enterprise Wi-Fi networks


An enterprise Wi-Fi® network usually has multiple wireless access points to provide one of the following types of
coverage:
• ubiquitous coverage: Access point coverage in a workplace is contiguous, and users can roam between access
points anywhere in the workplace.
• hotspot coverage: Access points provide a Wi-Fi connection in specific areas, such as conference rooms and
other common areas. If coverage areas are not contiguous, users cannot roam between access points.
• mixed coverage: Access points offer ubiquitous coverage in some areas of the workplace and hotspot coverage
in other areas. Users might or might not be able to roam between access points.
An enterprise Wi-Fi network typically has strong authentication and link layer security. An organization might
consider an enterprise Wi-Fi network untrusted and require that all Wi-Fi connections to the internal network
occur through a VPN concentrator.

Personal Wi-Fi networks


A personal Wi-Fi® network typically uses a single wireless access point to provide Internet access through a
broadband gateway. The broadband gateway usually implements NAT and allows VPN connections to traverse the
firewall. A personal Wi-Fi network is typically configured with link layer security and uses password-based
authentication.

Hotspots
Hotspots offered by an ISP, a mobile network provider, or a property owner can provide a Wi-Fi® connection in
public and semipublic areas. The network is typically an open network without link layer encryption, with a captive
portal for authentication. The captive portal performs the following functions:
• blocks all network traffic except traffic that uses HTTP
• redirects HTTP requests to a login page
After a hotspot user successfully logs in, the captive portal grants the user access to wireless network services.
Hotspots usually have a firewall in place, and they usually allow VPN connections. Because the link layer is not
encrypted, any traffic that a BlackBerry device sends outside a VPN session or an SSL connection is readable by
other stations on the hotspot; the VPN or SSL session, not the hotspot, is what protects the data.


Wi-Fi connection options


Direct connection to the BlackBerry Router over an enterprise Wi-Fi network
A Wi-Fi® enabled BlackBerry® device can establish a connection over an enterprise Wi-Fi network that provides a
direct route to the BlackBerry Router.
A Wi-Fi profile for the user must already be configured. The profile is either created manually on the device or sent
to the device in an IT policy by an administrator.
After associating with a Wi-Fi connection using a Wi-Fi profile, the BlackBerry device tries to make a direct
IP connection to the BlackBerry Router. With some network architectures, a VPN session might be required to
complete the direct BlackBerry Router connection. As a result, the BlackBerry device includes a built-in VPN client
that can be configured and associated to any Wi-Fi profile on the BlackBerry device. If a direct BlackBerry Router
connection is possible (with or without a VPN session), the BlackBerry® Enterprise Server automatically passes
data using the existing BlackBerry security methods. Connecting directly to the BlackBerry Router is typically
used when a Wi-Fi enabled BlackBerry device is within an organization’s existing Wi-Fi environment.

Wi-Fi connection without a VPN connection or direct BlackBerry Router connection


If a direct IP connection to the BlackBerry® Router is not available (with or without a VPN connection) on a Wi-Fi®
network that can access the Internet (for example, a personal Wi-Fi network or hotspot), the Wi-Fi enabled
BlackBerry device automatically establishes an SSL connection over the Internet to the BlackBerry®
Infrastructure. After the BlackBerry device connects to the BlackBerry Infrastructure, all of the user’s provisioned
data services automatically start to send data to the device using the existing BlackBerry® Enterprise Solution
security methods. After the initial connection to the Wi-Fi network is established from an existing or newly
configured Wi-Fi profile, no user configuration is required.
The Wi-Fi network must allow an outgoing TCP connection on port 443 to the Internet. No other configuration is
required.

Supported IEEE 802.11 wireless networking standards

Characteristic            IEEE 802.11a                       IEEE 802.11b                        IEEE 802.11g
frequency                 5 GHz                              2.4 GHz                             2.4 GHz
maximum speed             54 Mbps                            11 Mbps                             54 Mbps
fallback speeds           48, 36, 24, 18, 12, 9, 6 Mbps      5.5, 2, 1 Mbps                      48, 36, 24, 18, 12, 9, 6 Mbps
nonoverlapping channels   up to 19                           3                                   3
sources of interference   Bluetooth® wireless technology,    Bluetooth wireless technology,      Bluetooth wireless technology,
                          some satellite systems,            microwave ovens,                    microwave ovens,
                          5 GHz cordless phones              2.4 GHz cordless phones             2.4 GHz cordless phones


Architecture: Options for Mobile and Wi-Fi connections

[Figure: Mobile network and Wi-Fi connections. Components shown: mobile network provider (UNC/GANC), BlackBerry
Infrastructure, BlackBerry Internet Service, Internet, personal or hotspot wireless access point, enterprise firewall,
enterprise Wi-Fi network, enterprise wireless access points, BlackBerry Enterprise Server. Connection paths shown:
the mobile network through the mobile network provider's UNC/GANC; a Wi-Fi connection through a personal or hotspot
wireless access point to the Internet; an enterprise Wi-Fi connection through enterprise wireless access points on
the enterprise Wi-Fi network, behind the enterprise firewall, to the BlackBerry Enterprise Server.]

Architecture components
BlackBerry Enterprise Server components
For information about the BlackBerry® Enterprise Server components, see the BlackBerry Enterprise Server
Feature and Technical Overview for your messaging environment. No additional BlackBerry Enterprise Server
components are required for Wi-Fi® enabled BlackBerry devices.


BlackBerry Enterprise Server remote components


Wi-Fi® enabled BlackBerry® devices can use the same distributed configurations as BlackBerry devices that
access only the mobile network. For information about distributed BlackBerry® Enterprise Server components, see
the BlackBerry Enterprise Server Feature and Technical Overview for your messaging environment.

BlackBerry Enterprise Server support for Wi-Fi enabled BlackBerry devices

Versions covered: BlackBerry Enterprise Server Version 4.0, 4.1, 4.1 SP2, 4.1 SP3, 4.1 SP4, and 4.1 SP5.

• BlackBerry® Router: The BlackBerry Router is required for a BlackBerry device to connect to the BlackBerry®
Enterprise Server over a Wi-Fi® connection for access to an organization's data.
• per-user IT policy: Per-user IT policies are designed to simplify the configuration of user-specific Wi-Fi and
VPN information (such as user IDs and passwords).
• expanded groups of WLAN and VPN IT policy configuration settings: Expanded configuration settings provide the
ability to control and manage Wi-Fi connections from BlackBerry devices. A new IT policy template file makes the
additional configuration settings available for earlier versions of the BlackBerry Enterprise Server.
• multiple Wi-Fi and VPN profiles: Multiple Wi-Fi and VPN profiles are designed to address user needs in a variety
of environments.
• wireless backup of Wi-Fi and VPN profiles
• BlackBerry device activation over the enterprise Wi-Fi network: Activation over the enterprise Wi-Fi network is
designed to simplify the activation or updating of BlackBerry devices.
• software token provisioning: Software token provisioning is designed to provide the ability to centrally provision
and manage the seed for software token authentication (for example, for VPN connections) on BlackBerry devices.
• access to the BlackBerry® Infrastructure over a Wi-Fi connection: Wi-Fi enabled BlackBerry devices can connect
directly to the BlackBerry Infrastructure over the Internet for access to voice and data services that a mobile
network provider offers, even if UMA is not available. Verify with your wireless service provider that your service
plan supports access to BlackBerry messaging services over a Wi-Fi connection.

Wireless access points


A wireless access point must conform to the IEEE® 802.11a™, IEEE® 802.11b™, or IEEE® 802.11g™ wireless
networking standard.
To check the number of connections on each access point and to verify that users will be able to roam between
access points, complete a site survey as directed in the documentation for your access points, and follow the
recommendations for channel assignments.

Types of wireless access points


Wireless access points can be either thin or thick, with the following characteristics:
• A thin or controller-based access point is usually part of a centrally managed enterprise Wi-Fi® network. This
type of access point requires an external controller to manage network traffic. You can administer one or more
thin access points through their controller.
• A thick access point, which is also referred to as an intelligent or autonomous access point, has the
intelligence to operate as a standalone component without a controller.
Thin access points with an external controller can provide a more seamless roaming experience for users with
Wi-Fi enabled BlackBerry® devices during data and voice sessions.

Wireless access points and NAT


If your organization uses NAT, wireless access points must support NAT traversal.

BlackBerry Enterprise Server process flows


Except for the differences in the network architecture, process flows for voice and data are the same, regardless of
how a BlackBerry® device connects to the mobile network provider.
For more information about process flows, see the workflow information in the BlackBerry Enterprise Server
Feature and Technical Overview for your messaging environment.

3: Installation and configuration overview
Quick reference

Quick reference

Task: Set up your enterprise Wi-Fi® network.
• Verify that your wireless access points comply with the IEEE® 802.11a™, IEEE® 802.11b™, or IEEE® 802.11g™
standard, that they allow NAT traversal if you use NAT in your organization, and that you have addressed the
recommendations in your access point documentation to provide sufficient coverage for the number of Wi-Fi
connections in your environment.
• If necessary, set up the DHCP server.
• If necessary, set up NAT.
Document: Documentation for your enterprise Wi-Fi network components

Task: Configure security.
Document: Documentation for your security hardware and software; BlackBerry Enterprise Solution Security Technical
Overview

Task: Configure the firewall settings.
• Open the required ports, as described in Placing the BlackBerry Enterprise Solution in a segmented network.
• If you use a proxying firewall, configure the proxy so that it is transparent to users.
• Verify that the BlackBerry® network IP addresses that are relevant to your environment are permitted addresses.
Document: Security documentation

Task: Configure the ports required for network traffic associated with a Wi-Fi network.
Document: BlackBerry Enterprise Server Wi-Fi Implementation Supplement

Task: Address hardware, software, operating system, messaging, networking, and database requirements for the
BlackBerry Enterprise Server environment.
Document: BlackBerry Enterprise Server Capacity Calculator; BlackBerry Enterprise Server Performance Benchmarking;
BlackBerry Enterprise Server Installation Guide

Task: Install the BlackBerry® Enterprise Server.
Document: BlackBerry Enterprise Server Installation Guide

Task: Verify that the BlackBerry Enterprise Server can connect to the BlackBerry® Infrastructure.
Document: BlackBerry Enterprise Server Installation Guide

Task: Verify that the enterprise Wi-Fi network can connect to the BlackBerry Router and that the BlackBerry Router
is in the DNS server.
Document: BlackBerry Enterprise Server Installation Guide

Task: Add administrators to roles.
Document: BlackBerry Enterprise Server System Administration Guide

Task: Add users to the BlackBerry Enterprise Server.
Document: BlackBerry Enterprise Server System Administration Guide

Task: Configure the WLAN settings and the IT policy settings for Wi-Fi connections.
Document: BlackBerry Enterprise Server Wi-Fi Implementation Supplement

Task: Manually create a Wi-Fi profile on the BlackBerry device to verify connectivity to the enterprise Wi-Fi
network.
Document: BlackBerry Enterprise Server Wi-Fi Implementation Supplement

Task: Implement BlackBerry devices.
Document: BlackBerry Enterprise Server Wi-Fi Implementation Supplement

4: Configuring security in your environment
Security for Wi-Fi enabled BlackBerry devices
Prerequisites: Configuring layer 2 access security
Prerequisites: Configuring layer 3 VPN access security
Configuring software tokens
Configuring MAC access control lists
Configuring a captive portal

Security for Wi-Fi enabled BlackBerry devices


When a user account in your environment is associated with a Wi-Fi® enabled BlackBerry® device, Wi-Fi networks
extend your organization’s LAN. You must protect your organization’s extended network from unauthorized use.
Protective measures might include the following:
• All wireless devices must authenticate before gaining access to your organization's LAN.
• All wireless communication between wireless devices and the LAN must be encrypted.
The steps that you can take to provide security for BlackBerry devices that can access both the mobile network and
one or more Wi-Fi networks are part of your organization’s plan to provide security for your entire BlackBerry®
Enterprise Solution. This includes developing a plan for distributing sensitive information, such as authentication
credentials.
For more information about BlackBerry Enterprise Solution security, see the BlackBerry Enterprise Solution
Security Technical Overview. In addition, refer to the documentation for your Wi-Fi components for
recommendations and implementation suggestions.

Prerequisites: Configuring layer 2 access security


Layer 2 security methods and protocols at the IEEE® 802.11™ link layer operate between a Wi-Fi® enabled
BlackBerry® device and a wireless access point on the enterprise Wi-Fi network using encryption alone, or using
encryption with user authentication.

Component: BlackBerry® Enterprise Server Version 4.0 or later
• See the BlackBerry Enterprise Server Installation Guide for network operating system requirements.
• Verify that a local or remote BlackBerry Router is installed.
• Verify that you have configured the required WLAN and VPN settings.
Component: wireless access points
• Verify that all access points comply with the IEEE® 802.11a™, IEEE® 802.11b™, or IEEE® 802.11g™ standard.
Component: access security using the layer 2 method
• Verify that you are using one of the supported layer 2 security methods.
Component: BlackBerry device
• Using the DNS lookup tool on the BlackBerry device, verify that the BlackBerry device has access to the DHCP
server and the DNS server.

Prerequisites: Configuring layer 3 VPN access security


The Wi-Fi® enabled BlackBerry® device has a built-in VPN client that supports several VPN concentrators.
To create a VPN profile, you configure the VPN client settings (for example, the IP address of the VPN
concentrator, user names and passwords, and cryptographic methods used) either on the BlackBerry device
directly or using VPN settings or IT policy rules.
Depending on the security policy of your organization, you can save each user name and password on the
BlackBerry device so that the BlackBerry device does not prompt the user for credentials the first time (or each
time) it connects to the enterprise Wi-Fi network. Saved credentials are only as well protected as the device that
holds them, so pair this option with a device password requirement in your IT policy.
You can associate a VPN profile with a WLAN profile so that the VPN profile opens automatically when the WLAN
profile starts.

Component: BlackBerry® Enterprise Server Version 4.0 or later
• See the BlackBerry Enterprise Server Installation Guide for network operating system requirements.
• Verify that you have configured the recommended WLAN and VPN settings.
Component: wireless access points
• Verify that all access points comply with the IEEE® 802.11a™, IEEE® 802.11b™, or IEEE® 802.11g™ standard.
Component: VPN access security using IPSec VPN
• Verify that a supported VPN concentrator is installed.
Component: BlackBerry device
• Using the DNS lookup tool on the BlackBerry device, verify that the BlackBerry device has access to the DHCP
server and the DNS server.

Related topic
VPN IT policy group

Configuring software tokens


BlackBerry® Enterprise Server Version 4.1 SP3 or later is designed to work with the RSA® Authentication Manager
to provide software token support for use with layer 2 and layer 3 authentication on each supported BlackBerry
device.
The RSA SecurID® Library (a cryptographic library) on the BlackBerry device allows a supported BlackBerry device
to periodically generate a software token tokencode. The BlackBerry device combines the tokencode with a saved
software token PIN that the BlackBerry device user provides as a prefix string to the tokencode to create a
passcode for use with a two-factor authentication process on the BlackBerry device.
When you configure a software token for a BlackBerry device user, the BlackBerry device is designed to
automatically use the passcode to authenticate the BlackBerry device user to WLANs (using the PEAPv1/EAP-GTC and
EAP-TTLS/EAP-GTC authentication methods, which carry the one-time passcode inside the TLS tunnel) and to VPNs.


You can configure multiple software tokens for a BlackBerry device user. For example, you can configure one
software token for use with Wi-Fi® authentication and a second software token for use with VPN authentication.
When the BlackBerry device user tries to establish a WLAN or VPN connection that requires two-factor
authentication on the BlackBerry device, the BlackBerry device prompts the BlackBerry device user to type the
software token PIN and submit the current tokencode for that connection type to create the passcode for two-
factor authentication.
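The passcode construction described above, as an added example that is not code from this supplement or from RIM's or RSA's implementations: a time-based tokencode, the user's PIN as a prefix, and the server-side check with a drift window and replay rejection. The SecurID algorithm itself is proprietary and not described on this page, so the tokencode here uses the TOTP construction (HMAC-SHA1 over a time counter) as a stand-in; the seed, the PIN and the 60-second step are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed example seed (the ASCII bytes of the RFC 4226 test secret). A real
# software token seed is provisioned from RSA Authentication Manager and is never
# typed by the user.
EXAMPLE_SEED = b"12345678901234567890"
STEP_SECONDS = 60  # assumed tokencode lifetime for this example
DIGITS = 6


def tokencode(seed: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Current tokencode for a seed at a given time.

    Stand-in for the proprietary SecurID algorithm: HMAC-SHA1 over the time-step
    counter, truncated as in RFC 4226/6238. The structure (shared seed + clock ->
    short code) is what the passcode flow below depends on.
    """
    counter = unix_time // step
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def passcode(pin: str, code: str) -> str:
    """Device-side step: the saved software token PIN is the prefix, the tokencode the suffix."""
    if not pin.isdigit():
        raise ValueError("software token PIN must be numeric")
    return pin + code


def verify_passcode(seed: bytes, pin: str, candidate: str, unix_time: int,
                    window: int = 1, used_counters=None) -> bool:
    """Server-side step (what the AAA server or VPN concentrator does).

    Accepts the passcode for the current step and +/- `window` steps to tolerate clock
    drift, compares in constant time, and, when `used_counters` (a set) is supplied,
    rejects a tokencode that was already accepted so a captured passcode cannot be
    replayed within its lifetime.
    """
    for delta in range(-window, window + 1):
        t = unix_time + delta * STEP_SECONDS
        expected = passcode(pin, tokencode(seed, t))
        if hmac.compare_digest(expected, candidate):
            counter = t // STEP_SECONDS
            if used_counters is not None:
                if counter in used_counters:
                    return False  # replay of an already-used tokencode
                used_counters.add(counter)
            return True
    return False
```

The PIN never leaves the device in the clear on its own: the server sees only the concatenated passcode and recomputes it from the PIN and seed it holds, which is why the PIN must be set server-side as well as saved on the device.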

Configuring MAC access control lists


Each network client has a 48-bit MAC address that is intended to be unique. To program a MAC ACL, you add the MAC
address of every device that is allowed to access a specific enterprise Wi-Fi® network (a whitelist), or of every
device that is not allowed to access it (a blacklist), to the controller for each wireless access point. A MAC ACL
is an inventory control, not an authentication mechanism: MAC addresses are sent in the clear in every frame and
can be changed in software, so use a MAC ACL only in addition to layer 2 or layer 3 access security, never instead
of it.
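As an added example (not code from this supplement or from any access point vendor), the following Python shows the bookkeeping behind a MAC ACL: normalizing the notations that different tools emit, rejecting entries that can never be a client address, evaluating whitelist and blacklist modes, and flagging locally administered addresses, which are consistent with an address set in software. The device addresses are constructed sample data.

```python
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def parse_client_mac(mac: str) -> str:
    """Normalize a MAC address to lowercase colon form (aa:bb:cc:dd:ee:ff).

    Accepts colon, hyphen and dotted (aabb.ccdd.eeff) notations, rejects anything that
    is not exactly 48 bits, and rejects multicast/broadcast addresses (I/G bit set),
    which can never be a client's source address and so never belong in an ACL.
    """
    digits = re.sub(r"[:\-.\s]", "", mac.strip()).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    if int(digits[:2], 16) & 0x01:
        raise ValueError(f"multicast address cannot be a client MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit of the first octet is set.

    Vendor-burned addresses have this bit clear. A set bit means the address was
    assigned in software: worth logging when it shows up on a whitelist hit, but on its
    own it proves nothing either way.
    """
    first_octet = int(parse_client_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)


class MacAcl:
    """A per-controller MAC ACL in either whitelist or blacklist mode."""

    def __init__(self, mode: str, entries):
        if mode not in ("whitelist", "blacklist"):
            raise ValueError("mode must be 'whitelist' or 'blacklist'")
        self.mode = mode
        self.entries = {parse_client_mac(m) for m in entries}

    def allows(self, mac: str) -> bool:
        listed = parse_client_mac(mac) in self.entries
        return listed if self.mode == "whitelist" else not listed


# Constructed sample inventory in three notations; hypothetical addresses, not real devices.
APPROVED_DEVICES = ["00:1A:2B:3C:4D:5E", "00-1a-2b-3c-4d-5f", "001a.2b3c.4d60"]
```

Normalizing before comparison matters because a whitelist exported from one controller in dotted notation and typed into another in colon notation will otherwise silently match nothing.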

Configuring service-specific access security


If you do not use layer 2 or layer 3 access security, you can help to protect access to your trusted LAN by installing
the BlackBerry® Router component in the DMZ, outside your organization’s firewall. You can also allow access to
the enterprise Wi-Fi network using a captive portal.

Component: BlackBerry® Enterprise Server Version 4.0 or later
• See the BlackBerry Enterprise Server Installation Guide for network operating system requirements.
• Verify that you have applied the required WLAN and VPN settings.
Component: wireless access points
• Verify that all access points comply with the IEEE® 802.11a™, IEEE® 802.11b™, or IEEE® 802.11g™ standard.
Component: BlackBerry device
• Verify that the BlackBerry device has access to the DHCP server, if you are not using static IP addresses, and
to the DNS server.
Component: captive portal login
• Verify that a captive portal for your organization is configured.
• Verify that the WLAN Enable Authentication Page option is set to True to allow users to access the captive
portal using the WLAN Login browser on the BlackBerry device.

Configuring a captive portal


A captive portal is a web-based mechanism for an enterprise Wi-Fi® network client to authenticate to your
organization’s Wi-Fi network. The client gains access to the network and is placed in a walled garden using IP
filters. A browser request from the client is directed to an HTML login page, which allows the network to
authenticate the client before giving access to the network.
If your organization has a captive portal, you can permit users to access the captive portal using the Wi-Fi login
application on the Wi-Fi enabled BlackBerry® device. Users must authenticate to the Wi-Fi login application using
the login credentials that you provide.
After authenticating to the captive portal, the user can visit other web sites using a web browser on the BlackBerry
device.
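The captive portal behaviour described here and in the Hotspots section above (non-HTTP traffic blocked, HTTP requests redirected to a login page until the client authenticates), as an added example that is not code from this supplement: a small HTTP response parser and a classifier that tells, from the answer to a probe request, whether the client is still inside the walled garden. The probe URL and the sample responses are constructed, not captures from a real hotspot.

```python
from urllib.parse import urlsplit

# Hypothetical probe target: a URL that answers 204 with an empty body when the client
# has unfiltered Internet access.
PROBE_URL = "http://probe.example.invalid/generate_204"


def parse_http_response(raw: bytes):
    """Minimal HTTP/1.x response parser: returns (status, headers, body).

    Header names are lower-cased so lookups are case-insensitive; the body is returned
    as bytes. Raises ValueError on a malformed status line.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body


def classify_probe(raw: bytes, probe_url: str = PROBE_URL) -> str:
    """Classify the answer to the probe request.

    'open'           : the expected 204 with an empty body; nothing is intercepting HTTP
    'captive_portal' : a redirect to a different host (the login page), or a 200 page
                       served in place of the probe
    'unexpected'     : anything else (same-host redirect, error status)
    """
    status, headers, body = parse_http_response(raw)
    probe_host = urlsplit(probe_url).hostname
    if status == 204 and not body:
        return "open"
    if status in (301, 302, 303, 307, 308):
        target_host = urlsplit(headers.get("location", "")).hostname
        if target_host and target_host != probe_host:
            return "captive_portal"
        return "unexpected"
    if status == 200:
        return "captive_portal"
    return "unexpected"


# Constructed sample responses.
OPEN_RESPONSE = b"HTTP/1.1 204 No Content\r\nContent-Length: 0\r\n\r\n"
PORTAL_REDIRECT = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://login.hotspot.example.invalid/?url=http%3A%2F%2Fprobe.example.invalid%2Fgenerate_204\r\n"
    b"Content-Length: 0\r\n\r\n"
)
PORTAL_INLINE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body><form action='/login'>Hotspot login</form></body></html>"
)
```

The same check is useful after the user has logged in: a session that times out on the portal side turns an 'open' result back into 'captive_portal', which is the usual reason a VPN that was working on a hotspot suddenly stops passing traffic.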

5: Installing and configuring the BlackBerry Enterprise Server
Configuring the BlackBerry Enterprise Server environment
Preparing to support Wi-Fi enabled BlackBerry devices
Installing the BlackBerry Enterprise Server
Adding administrators to roles

Verifying that you are ready to install the BlackBerry Enterprise Server

• BlackBerry® Enterprise Server Version 4.0.x (Microsoft® Exchange, IBM® Lotus® Domino®, Novell® GroupWise®):
BlackBerry Enterprise Server Installation Guide, "Preparing your environment"
• BlackBerry Enterprise Server Version 4.1.x (Microsoft Exchange, IBM Lotus Domino, Novell GroupWise): BlackBerry
Enterprise Server Installation Guide, "System requirements"

Configuring the BlackBerry Enterprise Server environment


• BlackBerry® Enterprise Server Version 4.0.x (Microsoft® Exchange, IBM® Lotus® Domino®, Novell® GroupWise®):
BlackBerry Enterprise Server Installation Guide, "Configure required permissions" and "Configure required network
protocols"
• BlackBerry Enterprise Server Version 4.1.x (Microsoft Exchange, IBM Lotus Domino, Novell GroupWise): BlackBerry
Enterprise Server Installation Guide, "Configuring your environment"

Preparing to support Wi-Fi enabled BlackBerry devices


Component: wireless access point installation and configuration
• Install the access points for your enterprise Wi-Fi® network.
• If you do not use a switched enterprise Wi-Fi network and you have multiple subnets, configure the subnets to
cover the same physical area. The configuration can affect the user experience with calls.
• Assign an SSID to each access point or to each group of access points that share an SSID.
• If users will roam between access points, configure all relevant SSID profiles on each access point.
• If your organization uses NAT traversal, verify that your access points support NAT traversal.
Component: access point authentication
• Set authentication using one of the supported authentication methods.
Component: access point encryption
• Set encryption using one of the supported encryption methods.
Component: VPN concentrator (optional)
• Verify that a supported VPN concentrator is installed. Consult with your organization's firewall or VPN
concentrator administrator to determine proper configuration settings.
• Set the VPN credentials on the BlackBerry® device to match the VPN configuration. You can complete this task
either manually on the BlackBerry device or using an IT policy (recommended).
Component: firewall
• Open the required ports, as described in Placing the BlackBerry Enterprise Solution in a segmented network.
• If you use a proxy firewall, configure the proxy to be transparent.
Component: ports for Wi-Fi network traffic
• Configure the following ports for network traffic associated with a Wi-Fi network (the port assignments might
vary by mobile network provider):
  • TCP port 4101: from the BlackBerry device to the BlackBerry Router (incoming to the BlackBerry Router only)
  • UDP port 500 (IKE): from the BlackBerry device to the mobile network provider's UMA infrastructure (outgoing
  only)
  • UDP port 4500 (IPsec NAT traversal: IKE and ESP in UDP encapsulation): from the BlackBerry device to the mobile
  network provider's UMA infrastructure (outgoing only)
  • TCP port 443 (optional): from the BlackBerry device to the BlackBerry® Infrastructure over the Internet
  (outgoing only; used only for direct Wi-Fi connections to the BlackBerry Infrastructure)
• Restrict each rule to the stated direction and destination; none of these ports needs to be reachable from the
Internet inward to the enterprise Wi-Fi network.
Component: DHCP server (optional)
• Configure the DHCP server for use with your enterprise Wi-Fi network.
Component: DNS server
• Verify that the BlackBerry device can access one or more DNS servers.
Component: AAA server (optional)
• Configure the AAA server to support your Wi-Fi authentication method.
• Authorize all access points for use with the AAA server.
Component: BlackBerry user accounts
• Create authentication credentials for the BlackBerry device user.
• If you are using EAP-TLS, EAP-TTLS, or PEAP authentication methods, permit access to a PKI infrastructure and
certificates.
Component: BlackBerry® Enterprise Server
• Install BlackBerry Enterprise Server Version 4.0 or later.
• If you use the BlackBerry Enterprise Server for Novell® GroupWise®, and you want the date and time on the
BlackBerry device to synchronize from the BlackBerry Router over the mobile network, install BlackBerry Enterprise
Server Version 4.0 SP2 or later.
• If necessary, import the correct IT policy template file.
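A way to verify the two TCP paths in the table above from a host on the enterprise Wi-Fi network (the BlackBerry Router on port 4101 and the BlackBerry Infrastructure on port 443, plus the DNS entry the quick reference asks for), as an added example that is not a tool from this supplement or from RIM. The host names are hypothetical placeholders; the resolver and connector are injectable so the logic can be exercised without a live network.

```python
import socket

ROUTER_PORT = 4101  # TCP, BlackBerry device -> BlackBerry Router
INFRA_PORT = 443    # TCP, BlackBerry device -> BlackBerry Infrastructure over the Internet


def _tcp_connect(ip: str, port: int, timeout: float) -> None:
    """Open and immediately close a TCP connection; raises OSError on failure."""
    with socket.create_connection((ip, port), timeout=timeout):
        pass


def check_tcp_path(host: str, port: int, timeout: float = 3.0,
                   resolve=socket.gethostbyname, connect=_tcp_connect):
    """Resolve `host` and attempt a TCP connection to `port`.

    Returns (ok, detail). A DNS failure and a connect failure are reported separately,
    because they point at different fixes (the DNS server vs. the firewall rule).
    The defaults use the standard library; tests substitute fakes.
    """
    try:
        ip = resolve(host)
    except OSError as exc:
        return False, f"DNS lookup for {host} failed ({exc}); add the host to the DNS server"
    try:
        connect(ip, port, timeout)
    except OSError as exc:
        return False, f"TCP connect to {ip}:{port} failed ({exc}); check the firewall rule"
    return True, f"{host} -> {ip}, TCP port {port} reachable"


def check_wifi_paths(router_host: str, infra_host: str, **kwargs) -> dict:
    """Run the two checks a Wi-Fi client needs: the direct BlackBerry Router path and the
    fallback HTTPS path to the BlackBerry Infrastructure."""
    return {
        "router_4101": check_tcp_path(router_host, ROUTER_PORT, **kwargs),
        "infrastructure_443": check_tcp_path(infra_host, INFRA_PORT, **kwargs),
    }


def all_paths_ok(results: dict) -> bool:
    return all(ok for ok, _ in results.values())


if __name__ == "__main__":
    # Hypothetical host names; substitute your BlackBerry Router and the BlackBerry
    # Infrastructure host your provider gives you.
    report = check_wifi_paths("bbrouter.example.internal", "infra.example.invalid")
    for name, (ok, detail) in report.items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {detail}")
```

Run it from a laptop associated to the same SSID the devices will use; a pass from the wired LAN says nothing about the access point VLAN's firewall rules.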


Installing the BlackBerry Enterprise Server


• BlackBerry® Enterprise Server Version 4.0.x (Microsoft® Exchange, IBM® Lotus® Domino®, Novell® GroupWise®):
BlackBerry Enterprise Server Installation Guide, "Installing the BlackBerry Enterprise Server"
• BlackBerry Enterprise Server Version 4.1.x (Microsoft Exchange, IBM Lotus Domino, Novell GroupWise): BlackBerry
Enterprise Server Installation Guide, "Installing the BlackBerry Enterprise Server software"

Adding administrators to roles


• BlackBerry® Enterprise Server Version 4.0.x (Microsoft® Exchange, IBM® Lotus® Domino®, Novell® GroupWise®): no
resource
• BlackBerry Enterprise Server Version 4.1.x (Microsoft Exchange, IBM Lotus Domino, Novell GroupWise): BlackBerry
Enterprise Server System Administration Guide, "Mapping roles in your organization to BlackBerry roles"

Setting up the BlackBerry Enterprise Server environment


• BlackBerry® Enterprise Server Version 4.0.x (Microsoft® Exchange, IBM® Lotus® Domino®, Novell® GroupWise®):
BlackBerry Enterprise Server Administration Guide, "Managing the BlackBerry Enterprise Server"
• BlackBerry Enterprise Server Version 4.1.x (Microsoft Exchange, IBM Lotus Domino, Novell GroupWise): BlackBerry
Enterprise Server System Administration Guide, "Setting up the BlackBerry environment"

6: Setting up user accounts on the BlackBerry Enterprise Server
Setting up user accounts
Adding user accounts
Adding user groups
Customizing organizer data synchronization

Setting up user accounts


To set up a user account on the BlackBerry® Enterprise Server, you complete the following tasks:
• add the user account to the BlackBerry Enterprise Server
• optionally, assign the user account to a group (BlackBerry Enterprise Server Version 4.1 or later)
• customize organizer data synchronization

Adding user accounts


• BlackBerry® Enterprise Server Version 4.0.x, Microsoft® Exchange: BlackBerry Enterprise Server Administration
Guide, "Add a user"
• BlackBerry Enterprise Server Version 4.0.x, IBM® Lotus® Domino®: BlackBerry Enterprise Server Administration
Guide, "Add a user from a local or foreign domain"
• BlackBerry Enterprise Server Version 4.0.x, Novell® GroupWise®: BlackBerry Enterprise Server Administration
Guide, "Adding user accounts"
• BlackBerry Enterprise Server Version 4.1.x (Microsoft Exchange, IBM Lotus Domino, Novell GroupWise): BlackBerry
Enterprise Server System Administration Guide, "Adding user accounts"

Adding user groups


• BlackBerry® Enterprise Server Version 4.0.x: no resource (user groups are not available)
• BlackBerry Enterprise Server Version 4.1.x (Microsoft® Exchange, IBM® Lotus® Domino®, Novell® GroupWise®):
BlackBerry Enterprise Server System Administration Guide, "Managing user groups"

Customizing organizer data synchronization


• BlackBerry® Enterprise Server Version 4.0.x (Microsoft® Exchange, IBM® Lotus® Domino®, Novell® GroupWise®):
BlackBerry Enterprise Server Administration Guide, "Managing PIM synchronization", "Turn off or turn on wireless
message reconciliation on the server", and "Managing redirection filters"
• BlackBerry Enterprise Server Version 4.1, Microsoft Exchange: BlackBerry Enterprise Server System Administration
Guide, "Customizing PIM synchronization"
• BlackBerry Enterprise Server Version 4.1, IBM Lotus Domino and Novell GroupWise: BlackBerry Enterprise Server
Administration Guide, "PIM synchronization" and "Customizing PIM synchronization"
• BlackBerry Enterprise Server Version 4.1 SP2 and Version 4.1 SP3 (Microsoft Exchange, IBM Lotus Domino, Novell
GroupWise): BlackBerry Enterprise Server System Administration Guide, "Organizer data synchronization" and
"Customizing organizer data synchronization"

7: Configuring WLAN and VPN settings
WLAN and VPN profiles
Configuring WLAN and VPN profiles
Assigning profiles
Managing profiles
Managing WLAN and VPN settings using IT policies
Configuring and assigning IT policies
Configure a Wi-Fi profile manually on the BlackBerry device

WLAN and VPN profiles


You can use WLAN and optional VPN settings to manage the access and behavior of your user accounts
associated with BlackBerry® devices that can operate on both mobile and Wi-Fi® networks.
In BlackBerry® Enterprise Server Version 4.1 SP2 or later, you can manage these settings for individual user
accounts on a BlackBerry Enterprise Server through WLAN and VPN profiles.
You can create and assign one or more WLAN or VPN configuration profiles through the BlackBerry Manager,
using a process that is similar to the process for creating an IT policy and assigning it to a user. If a user has a VPN
profile, you can associate the profile with the user’s WLAN profile.
For groups, you assign the settings through WLAN and VPN IT policies.
If you run a version of the BlackBerry Enterprise Server previous to Version 4.1 SP2, you manage WLAN and VPN
settings through IT policies.

Configuring WLAN and VPN profiles


You can use configuration profiles to manage WLAN and VPN settings for individual user accounts on BlackBerry®
Enterprise Server Version 4.1 SP2 or later.

Configure a WLAN profile


1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Edit Properties.
3. Click WLAN Configuration.
4. In the WLAN Configuration Administration section, double-click WLAN Configuration Sets.
5. Click New.
6. Double-click Name.

7. Type a name for the new WLAN configuration profile.


8. In the left pane, click WLAN Settings.
9. In the right pane, double-click a WLAN configuration setting.
10. Select or specify a value for the setting.
11. Repeat the preceding two steps for each additional WLAN setting.
12. Click Apply.

Related topic
Using WLAN IT policy rules with a WLAN configuration set

Configure a WLAN profile based on an existing profile


1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Edit Properties.
3. Click WLAN Configuration.
4. In the WLAN Configuration Administration section, double-click WLAN Configuration Sets.
5. Click a WLAN configuration set.
6. Click New Copy.
7. Double-click Name. Type a name for the new WLAN configuration profile.
8. In the left pane, click WLAN Settings.
9. Change or add the required settings.
10. Click Apply.

Related topic
Using WLAN IT policy rules with a WLAN configuration set

Configure a VPN profile


1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Edit Properties.
3. Click WLAN Configuration.
4. In the WLAN Configuration Administration section, double-click VPN Configuration Sets.
5. Click New.
6. Double-click Name. Type a name for the new VPN configuration profile.
7. In the left pane, click VPN Settings.
8. In the right pane, double-click a VPN configuration setting.


9. Select or specify a value for the setting.


10. Repeat the preceding two steps for each additional VPN setting.
11. Click Apply.

Related topic
VPN IT policy group

Configure a VPN profile based on an existing profile


1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Edit Properties.
3. Click WLAN Configuration.
4. In the WLAN Configuration Administration section, double-click VPN Configuration Sets.
5. Click a VPN configuration set.
6. Click New Copy.
7. Double-click Name. Type a name for the new VPN configuration profile.
8. In the left pane, click VPN Settings.
9. Change or add the required settings.
10. Click Apply.

Related topic
VPN IT policy group

Associate a VPN profile with a WLAN profile


You can associate a VPN profile with a WLAN profile so that, for example, a BlackBerry® device automatically
makes a VPN connection if a user requires a connection for access to services on the enterprise Wi-Fi® network.
1. In the BlackBerry Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Edit Properties.
3. Click WLAN Configuration.
4. In the WLAN Configuration Administration section, double-click WLAN Configuration Sets.
5. In the Name list, double-click the WLAN profile that you want to associate with a VPN profile.
6. In the left pane, click Associations.
7. In the right pane, click Associated VPN Configurations.
8. In the list, click the name of the VPN profile that you want to associate with the WLAN profile.
9. Click Apply.


Assigning profiles
Assign a WLAN profile to a user account
You can assign more than one WLAN or VPN profile to a user account.
1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.
2. On the All Users tab, double-click the user account to which you want to assign the profile.
3. In the Properties for the user account, click WLAN Configuration.
4. In the WLAN Configuration Administration section, double-click WLAN Configuration Sets.
5. Click New.
6. In the Select WLAN Base Configuration dialog box, click the WLAN profile that you want to assign.
7. Click OK.
8. Click OK.
9. In the WLAN Configuration Administration section, verify that the correct profile is assigned.

Assign a VPN profile to a user account


1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.
2. On the All Users tab, double-click the user account to which you want to assign the profile.
3. In the Properties for the user account, click WLAN Configuration.
4. In the WLAN Configuration Administration section, double-click VPN Configuration Sets.
5. Click New.
6. In the Select WLAN Base Configuration dialog box, click the VPN profile that you want to assign.
7. Click OK.
8. Click OK.
9. In the WLAN Configuration Administration section, verify that the correct profile is assigned.

Managing profiles
Change a setting in a WLAN profile
1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Edit Properties.
3. Click WLAN Configuration.
4. In the WLAN Configuration Administration section, double-click WLAN Configuration Sets.


5. Double-click the profile that you want to change.


6. In the left pane, click one of the following options:
• WLAN Settings
• Associations
7. In the right pane, make your changes.
8. Click Apply.

Change a setting in a VPN profile


1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Edit Properties.
3. Click WLAN Configuration.
4. In the WLAN Configuration Administration section, double-click VPN Configuration Sets.
5. Double-click the profile that you want to change.
6. In the left pane, click VPN Settings.
7. In the right pane, change the settings as required.
8. Click Apply.

Delete a WLAN profile


1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Edit Properties.
3. Click WLAN Configuration.
4. In the WLAN Configuration Administration section, double-click WLAN Configuration Sets.
5. Click the profile that you want to delete.
6. Click Remove.
7. Click Apply.

Delete a VPN profile


1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Edit Properties.
3. Click WLAN Configuration.
4. In the WLAN Configuration Administration section, double-click VPN Configuration Sets.
5. Click the profile that you want to delete.


6. Click Remove.
7. Click Apply.

Managing WLAN and VPN settings using IT policies


You can use the settings in the WLAN and VPN IT policy groups to manage Wi-Fi® enabled BlackBerry® devices in
the following situations:
• You run a version of the BlackBerry® Enterprise Server previous to Version 4.1 SP2.
• You want to configure WLAN or VPN settings for groups of user accounts with Wi-Fi enabled BlackBerry
devices.
For more information about creating and assigning IT policies, see the BlackBerry Enterprise Server System
Administration Guide.

Download the IT policy definitions file


If you run a version of the BlackBerry® Enterprise Server previous to Version 4.1 SP2, you import the IT policy
definitions file for your version. This file provides the required WLAN and VPN settings and adds the settings to
the existing IT policy rules in the BlackBerry Manager. When you import the additional IT policy definitions file, the
BlackBerry Configuration Database preserves the existing BlackBerry Enterprise Server IT policy settings when it
updates the BlackBerry Manager.
If you previously configured any per-user IT policy rules as global rules using IT Policy settings for BlackBerry
Enterprise Server Version 4.0.x, during an upgrade to BlackBerry Enterprise Server Version 4.1 or later, the settings
for those IT policy rules might revert to the default values. You should manually resend all per-user IT policy rules
using the BlackBerry Manager provided in BlackBerry Enterprise Server Version 4.1 or later.
1. Visit www.blackberry.com/support.
2. Locate the correct IT policy template file.
3. Download the IT policy template file to your administration computer.

Importing the IT policy rules


Import the IT policy rules in an environment that uses a Microsoft SQL Server database
1. At the command prompt, type
osql -E -d BESMgmt -i "<path>\<ITPolicyTemplateFile.sql>"
where <path> is the location of the downloaded IT policy template file, and <ITPolicyTemplateFile.sql> is the
name of the downloaded IT policy template file. The -E option uses Windows integrated authentication, so run the
command as a Windows account that has rights to alter the BESMgmt database.


Import the IT policy rules in an environment that uses an IBM DB2 Universal Database
1. At the command prompt, type
db2cmd

2. Type one of the following commands:


• db2 connect to besmgmt
• db2 connect to besmgmt user besadmin

A password prompt appears after the second command.


3. If the current user is not the database schema owner, type the following command at the command prompt:
db2 SET CURRENT SCHEMA <SCHEMA OWNER>

where the default <SCHEMA OWNER> value is BESADMIN.


4. At the command prompt, type
db2 -td~ -n -f "<path>\<ITPolicyTemplateFile.sql>"

where <path> is the location of the downloaded IT policy template file, and <ITPolicyTemplateFile.sql> is the
name of the downloaded IT policy template file.
5. At the command prompt, type
db2 disconnect all

Configuring and assigning IT policies


Configuring and assigning IT policies in BlackBerry Enterprise Server Version 4.0.x
In BlackBerry® Enterprise Server Version 4.0, the IT policy rule settings are global. To apply WLAN and VPN
settings for a specific user account, you create a custom IT policy for each Wi-Fi® enabled BlackBerry device.

Configure an IT policy in a Microsoft Exchange environment


1. In the BlackBerry® Manager, in the left pane, right-click a server. Click IT Policy.
2. Click New.
3. Type a name for the new IT policy.
4. In the Policy rule list, select the IT policy rules to add to the IT policy.
5. Click OK.

Configure an IT policy in an IBM Lotus Domino environment or a Novell GroupWise environment
1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Edit Properties.
3. Click IT Policy.
4. In the IT Policy Administration section, double-click IT Policies.


5. Click New.
6. Double-click IT Policy Name.
7. Type a name for the new IT policy.
8. From the Policy rule list, add IT policy rules to the IT policy:
• In the left pane, click an IT policy group.
• In the right pane, double-click the IT policy rule to assign a value or to choose between True or False.
9. Click OK.

Configuring and assigning IT policies in BlackBerry Enterprise Server Version 4.1 or later
In BlackBerry® Enterprise Server Version 4.1 or later, you can configure specific WLAN and VPN settings to apply
to one user only. You can also assign WLAN and VPN settings to a group using IT policies.

Configure an IT policy
1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Edit Properties.
3. Click IT Policy.
4. In the IT Policy Administration section, double-click IT Policies.
5. Click New.
6. Double-click IT Policy Name.
7. Type a name for the new IT policy.
8. To configure the IT policy rules, perform the following actions:
• In the left pane, click a policy group.
• In the right pane, double-click an IT policy rule.
• Set a value for the IT policy rule.
9. Click OK.

Assign an IT policy to a user account


1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Edit Properties.
3. Click IT Policy.
4. In the IT Policy Administration section, double-click IT Policy to User Mapping.
5. In the left pane, click a user account.


6. In the right pane, select the IT policy that you want to assign.
7. Click OK.

Assign an IT policy to a group


1. In the BlackBerry® Manager, in the left pane, click User Groups List.
2. In the Group Name list, click a group.
3. Click Edit Group Template.
4. Click IT Policy.
5. To override any user exceptions to the IT policy rules, in the right pane, select the IT Policy Name option.
6. In the drop-down list, click an IT policy.
7. Click Reapply Template.
8. Click Yes.
9. Click OK.

Configure a Wi-Fi profile manually on the BlackBerry device


By default, new Wi-Fi® profiles appear at the bottom of the Wi-Fi profile list on the BlackBerry® device.
1. On the Home screen or in the application list, click Manage Connections.
2. Click Manage Connections.
3. Click Set Up Wi-Fi Network.
4. Complete the instructions on the screen.
5. On the Wi-Fi Setup Complete screen, perform any of the following actions:
• To change the order of Wi-Fi profiles, click Prioritize Wi-Fi Profiles. To return to the Wi-Fi Setup Complete
screen, press the Escape key.
• To specify registration information, click Wi-Fi Hotspot Login. To return to the Wi-Fi Setup Complete
screen, press the Escape key.
6. Click Finish.

8: Configuring encryption and authentication methods on the BlackBerry device
Configure WEP encryption
Configure PSK encryption
Using the IEEE 802.1X and EAP authentication framework
Configure LEAP authentication
Configuring PEAP, EAP-TLS, or EAP-TTLS certificate-based authentication
Configure PEAP authentication
Configure EAP-TLS authentication
Configure EAP-TTLS authentication
Configure EAP-FAST authentication

For more information about security features, see the BlackBerry Enterprise Solution Security Technical Overview.

Configure WEP encryption


WEP uses a matching encryption key at both the wireless access point and the wireless client to secure wireless
communication. This key can be 40 bits (for 64-bit WEP) or 104 bits (for 128-bit WEP) in length; the remaining 24
bits in each case are the per-frame initialization vector, which is sent in the clear. Weaknesses in the way WEP
keys RC4 let an attacker who captures enough traffic recover the key, so WEP provides no meaningful protection
against a determined attacker. Use it only where the access points support nothing stronger, and prefer WPA2 with
AES-CCMP where you can.

Requirement: Obtain the WEP keys for the wireless access point.
Notes: For more information, see the documentation for your access points.

Requirement: Distribute the WEP keys to the Wi-Fi® enabled BlackBerry® device.
Notes: You can configure the WEP keys either in the default IT policy rules or in the WLAN configuration settings
for the user. The BlackBerry® Enterprise Server sends the WEP key information during the initial configuration and
activation of a new Wi-Fi enabled BlackBerry device.
The WEP keys on the BlackBerry device must match the WEP keys on the wireless access point. You can configure four
WEP keys and a default key ID. The WEP key numbering on the BlackBerry device does not match the WEP key numbering
in the IT policy for the enterprise Wi-Fi network: WEP key 1 on the BlackBerry device is WEP key 0 in the IT policy,
WEP key 2 on the BlackBerry device is WEP key 1 in the IT policy, and so on. You type or copy the WEP keys of your
access point as a string of hexadecimal digits (10 digits for a 40-bit key, 26 digits for a 104-bit key).
A WEP passphrase is not supported.

Configure PSK encryption


The IEEE® 802.1X™ standard defines a generic framework that provides layer 2 access control to wireless and
wired networks. IEEE® 802.11i™ specifies two ways to establish the pairwise master key (PMK) that protects an
enterprise Wi-Fi® network: a preshared key (PSK) configured on every access point and client, or a key derived from
an IEEE 802.1X EAP authentication against an authentication server.
Small office and personal environments where it is not feasible to set up a server-based authentication
infrastructure might use the PSK method. The wireless access point and the wireless client use the PSK to mutually
derive link layer encryption keys; the key handshake also proves to each side that the other holds the same PSK. The
PSK method uses TKIP or AES-CCMP algorithms to secure enterprise Wi-Fi network communications between a client
device and the access point, but it relies on a single shared secret for access control: either a passphrase of 8 to
63 characters, from which the 256-bit PSK is derived, or the 256-bit key itself. All access points and wireless
clients must know the secret, so anyone who has it can join the network and, after capturing a client's key
handshake, decrypt that client's traffic; revoking one user's access means changing the secret everywhere.
The implementation of PSK on the Wi-Fi enabled BlackBerry® device is compatible with the WPA™-Personal and
WPA2™-Personal specifications.

Requirement: Obtain the passphrase for the wireless access point.
Notes: For more information, see the documentation for your access point.

Requirement: Distribute the passphrase for user authentication to the Wi-Fi enabled BlackBerry device.
Notes: You can set the passphrase and distribute it to the BlackBerry device using the WLAN Preshared Key IT policy
rule. The passphrase on the BlackBerry device must match the key or passphrase on the wireless access point.
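The two static-key credential formats described in the WEP and PSK sections above, as an added example in Python (not RIM's code and not taken from this supplement): it checks that a WEP key has the 10- or 26-hex-digit form the device accepts, maps the device's key numbers 1 to 4 to the IT policy's 0 to 3, and derives the 256-bit WPA/WPA2-Personal PSK from a passphrase and SSID with the PBKDF2 function that IEEE 802.11i defines. The WEP key strings are constructed sample values; the passphrase "password" with SSID "IEEE" is the published IEEE 802.11i Annex H test vector. The function names are the example's own.

```python
"""
Added example, not part of the BlackBerry documentation or product code.

WEP keys: hexadecimal strings of 40 bits (64-bit WEP) or 104 bits
(128-bit WEP); the device numbers its four key slots 1-4, the IT policy 0-3.
WPA/WPA2-Personal: the 256-bit PSK is PBKDF2-HMAC-SHA1(passphrase, ssid,
4096 iterations, 32 bytes) per IEEE 802.11i Annex H; a 64-hex-digit key may
also be entered directly.
"""
import hashlib
import re

WEP_KEY_BITS = {10: 40, 26: 104}   # number of hex digits -> key length in bits


def validate_wep_key(hex_key: str) -> int:
    """Return the WEP key length in bits, or raise ValueError.

    Accepts only the hexadecimal form the supplement requires (no passphrase);
    separators such as ':' or '-' between byte pairs are tolerated.
    """
    digits = re.sub(r"[:\-\s]", "", hex_key)
    if not re.fullmatch(r"[0-9A-Fa-f]+", digits):
        raise ValueError("WEP key must consist of hexadecimal digits only")
    try:
        return WEP_KEY_BITS[len(digits)]
    except KeyError:
        raise ValueError(f"WEP key must be 10 or 26 hex digits, got {len(digits)}") from None


def device_slot_to_policy_index(device_slot: int) -> int:
    """Map the device's key number (1-4) to the IT policy key index (0-3)."""
    if not 1 <= device_slot <= 4:
        raise ValueError("device WEP key number must be 1-4")
    return device_slot - 1


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2-Personal PSK from a passphrase and SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def parse_psk_setting(value: str, ssid: str) -> bytes:
    """Turn what an administrator types into the 32-byte PSK.

    A 64-hex-digit string is taken as the raw key; anything else is treated
    as a passphrase and run through wpa_psk().
    """
    if re.fullmatch(r"[0-9A-Fa-f]{64}", value):
        return bytes.fromhex(value)
    return wpa_psk(value, ssid)


def rejects(fn, *args) -> bool:
    """True if fn(*args) raises ValueError; used to exercise the validators."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample values, not keys from any real network.
    print(validate_wep_key("0A1B2C3D4E"), "bit WEP key")
    print("device key 1 -> IT policy key", device_slot_to_policy_index(1))
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE".
    print(wpa_psk("password", "IEEE").hex())
```

The derived PSK is identical on every device that knows the passphrase; nothing in the derivation is per user, which is why the supplement positions PSK for small office and personal environments rather than as a way to control access for individual users.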

Using the IEEE 802.1X and EAP authentication framework


The IEEE® 802.1X™ standard defines a generic authentication framework in which a client device and a wired or
wireless network authenticate each other before the network grants the client access. IEEE 802.1X carries EAP
methods, which perform the actual authentication, and uses their result to permit or deny the enterprise Wi-Fi®
network client device access to the network.
An IEEE 802.1X environment for Wi-Fi enabled BlackBerry® devices includes the following components:
• built-in IEEE 802.1X and EAP client software, also called a supplicant, running on the Wi-Fi enabled BlackBerry
device
• IEEE 802.1X software running on the wireless access point, also called an authenticator
• authentication server that authenticates the enterprise Wi-Fi network client device on behalf of the
authenticator
In most cases, the authentication server uses the RADIUS protocol (RFC 2865 and RFC 3579) to communicate with
the authenticator on the access point.
If you are using one of the supported EAP authentication methods, all of which are designed to provide mutual
authentication between Wi-Fi enabled BlackBerry devices and the enterprise Wi-Fi network, you can grant and
revoke access to the enterprise Wi-Fi network for a BlackBerry device by updating the central authentication
server only. You do not need to update the configuration of each access point.


An IEEE 802.1X framework uses EAP methods to provide authentication. The PEAP, EAP-TLS, EAP-TTLS, and EAP-FAST
authentication methods are designed to provide mutual authentication between the BlackBerry device and the
enterprise Wi-Fi network, if your organization's security policy requires it. If you are using PEAP, EAP-TLS, or
EAP-TTLS, you require a certificate authority to issue the certificate that the RADIUS server presents; each
BlackBerry device must store the certificate of that certificate authority so that it can verify the server, and
with EAP-TLS each BlackBerry device also requires its own client certificate.
When a wireless client first associates itself with an access point that is enabled for IEEE 802.1X security, the only
communication that the access point permits is IEEE 802.1X authentication. Using a negotiated EAP method, the
supplicant on the Wi-Fi enabled BlackBerry device sends its credentials (typically, a BlackBerry device user name
and password) to the access point, which forwards the information to the authentication server. The
authentication server authenticates the BlackBerry device on behalf of the access point and instructs the access
point to permit or prevent access to the enterprise Wi-Fi network.
After an authentication server permits the BlackBerry device to access the enterprise Wi-Fi network, the access
point and the BlackBerry device use IEEE 802.1X EAPOL-key messages to establish the WEP, TKIP, or AES-CCMP
encryption keys, depending on the encryption method that you have configured on your enterprise Wi-Fi network.
After the access point and the BlackBerry device exchange encryption keys, the BlackBerry device has an
encrypted connection to the access point.
When using EAP-TLS, PEAP, or EAP-FAST, the Wi-Fi enabled BlackBerry device and the access point can cache a
PMK, which is derived from keying material that the EAP exchange generates. When the BlackBerry device reconnects
to an access point with which it has already authenticated, both sides reuse the cached PMK and skip the full IEEE
802.1X authentication, proceeding directly to the key handshake. This feature helps to reduce the roaming latency
between access points in an enterprise Wi-Fi network environment for the Wi-Fi enabled BlackBerry device.
The BlackBerry device supports the EAP methods LEAP, PEAP, EAP-TLS, EAP-TTLS, and EAP-FAST. If BlackBerry
device users share a single set of EAP credentials, you can set an IT policy to send those credentials to each
BlackBerry device automatically. Because EAP credentials are often unique to each BlackBerry device user, you
can use a per-user IT policy rule or WLAN configuration settings for a specific user to set an EAP method.

Configure LEAP authentication


LEAP is a proprietary authentication mechanism developed by Cisco Systems that provides server-based user name
and password authentication between the enterprise Wi-Fi® network and the Wi-Fi enabled BlackBerry® device,
per-client dynamic generation of WEP keys, and automatic WEP key updates during a session.
The BlackBerry device supports LEAP authentication based on a user name and password. The BlackBerry device never
sends the password itself; it answers the server's challenge with a response computed using a one-way function of
the password.
LEAP's challenge-response exchange is not protected by a TLS tunnel, so an attacker who captures it can run an
offline dictionary attack against the password. You must set strong password policies if Wi-Fi network
authentication uses LEAP, and you should prefer one of the TLS-based EAP methods where your access points and
authentication server support them.

Requirement: On the wireless access point, configure the LEAP settings to accept SSID association requests from
users with the credentials that you specify, or identify the authentication server used to authenticate user
credentials.
Notes: For more information, see the documentation for your access points.

Requirement: Set the user name and password for LEAP authentication.
Notes: The user must type the correct credentials for authentication and receive the session-based WEP key.


Configuring PEAP, EAP-TLS, or EAP-TTLS certificate-based authentication
PEAP is an open standard that Microsoft Corporation, RSA Security, and Cisco Systems jointly developed. PEAP
allows for supplicant authentication with an authentication server by
• creating an encrypted tunnel between the supplicant and the authentication server using TLS
• using the TLS tunnel to send the supplicant authentication credentials to the authentication server
When you implement PEAP, EAP-TLS, or EAP-TTLS authentication, the Wi-Fi® enabled BlackBerry® device must
authenticate to an authentication server to connect to the enterprise Wi-Fi network.
When mutual authentication is enforced, each of these three EAP methods uses a server-side digital certificate to
authenticate the authentication server to the supplicant. Next, a TLS tunnel is established to pass the supplicant’s
credentials.
EAP-TLS uses a client-side certificate as its supplicant credentials.
EAP-TTLS and PEAP authentication are similar to EAP-TLS authentication. Like EAP-TLS, each of these methods
encrypts EAP transactions within a TLS tunnel; however, EAP-TTLS and PEAP use a user name and password as
supplicant credentials.
Successful PEAP, EAP-TLS, or EAP-TTLS authentication requires the BlackBerry device to trust the certificate of
the authentication server. The certificate binds the identity of the authentication server to a public key; the
server holds the matching private key. A BlackBerry device does not automatically trust the authentication server
certificate. To trust it, the BlackBerry device must trust the certificate authority that issued it. A certificate
authority that the BlackBerry devices and the authentication server both trust must issue the certificate for the
authentication server and, for EAP-TLS, the certificate for each Wi-Fi enabled BlackBerry device.
A certificate chain, from the certificate of the authentication server back through the certificates of any
intermediate certificate authorities to the certificate of the issuing root, expresses this trust relationship. The
first certificate in the chain, which is self-signed, is called a root certificate. The certificate authority
server, which might be internal or external to your organization, stores the root certificate file.
Each BlackBerry device stores a list of explicitly trusted certificate authority certificates. A BlackBerry device
that uses PEAP, EAP-TLS, or EAP-TTLS authentication requires the root certificate of the certificate authority that
issued the certificate for the authentication server. Trust the narrowest certificate authority that works: if the
device trusts a public certificate authority, every server certificate that authority has ever issued passes this
check, and only the Server subject and Server SAN settings in the Wi-Fi profile then distinguish your
authentication server from an impostor's.


Configure PEAP authentication


Requirement: Using a public or private certificate authority, obtain or generate a digital certificate for the
authentication server.
Notes: The root.der certificate file is stored in the location where the certificate was created. For example, the
authentication server stores a self-signed certificate locally.

Requirement: Configure each wireless access point as a client of the authentication server.
Notes: You must use the same version of PEAP on clients and servers. For more information, see the documentation
for your access points.

Requirement: Distribute the digital certificate for the authentication server to the BlackBerry® device using one
of the following options:
• using the BlackBerry Manager: After you obtain a digital certificate for validating the authentication server,
you create a per-user IT policy and send the policy to the BlackBerry device.
• using the certificate management features of Microsoft® Active Directory®: After you download the certificate
to a computer, you install the certificate on the BlackBerry device.
Notes:
Using the BlackBerry Manager
To send a server or root certificate from the BlackBerry® Enterprise Server to the BlackBerry device, you can
create a per-user IT policy or use the WLAN configuration settings in the BlackBerry Manager and send the policy to
the BlackBerry device.
Using Microsoft Active Directory
You can use the certificate management features of Microsoft Active Directory to distribute a server or root
certificate to the user's computer. For more information, see the documentation for Microsoft Active Directory. The
user installs the certificate on the BlackBerry device from the computer, as explained in the following tasks.
Installing the certificate on the BlackBerry device
Instruct your users to complete the following tasks to install a root certificate on their computers:
1. Download the root certificate from the certificate authority server to your computer.
2. On your computer, right-click the root certificate. Click Install certificate.
3. Click Next.
4. Click Place all certificates in the following store.
5. Click Browse.
6. Click Trusted Root Certification Authorities.
7. Click OK.
8. Click Finish.
9. In the Security Warning dialog box, click Yes.
Instruct your users to complete the following tasks to synchronize the certificates:
1. Connect your BlackBerry device to the BlackBerry® Desktop Manager.
2. In the BlackBerry Desktop Manager, select the Certificate Synch tool.
3. Type any password to use as your keystore password.
4. On the Root Certificates tab, select the certificate that you downloaded.
If the certificate synchronization tool is not installed on a user's computer, instruct the user to reinstall the
BlackBerry® Desktop Software using the custom installation option. During the custom installation, the user can
install the certificate synchronization tool.


Requirement: If security settings are not configured by IT policy, instruct your users to configure the security
settings in the Wi-Fi® profile on the BlackBerry device.
Notes: Instruct your users to complete the following tasks:
1. On the BlackBerry device, in the device options, click Wi-Fi Connections.
2. Click the Wi-Fi profile that you want to configure.
3. Click Edit.
4. Set the Security Type field to PEAP.
5. Type your User name and User password for the messaging server.
6. In the CA certificate list, click the certificate of the certificate authority that issued the certificate for
the authentication server.
7. Select the Inner link security type.
8. In the Token list, select the token type, if applicable. If you use EAP-MS-CHAPv2, you require only a user
name and password and cannot choose a token.
9. Specify the Server subject or Server SAN, or both, if applicable.
The Server subject and Server SAN fields provide additional identification information from the server certificate
(the server name in the subject, or the subject alternative name, given as a host name such as server1.domain.com
or server1.domain.net). If you leave these fields blank, the BlackBerry device skips this check during server
authentication and accepts any server certificate issued by the selected CA certificate; set at least one of them
whenever that certificate authority also issues certificates to systems other than your authentication server.
10. If you use dynamic IP addressing, verify that Automatically obtain IP address and DNS is selected.
11. Verify that Allow inter-access point handover is selected.
12. Select the Prompt before connection check box, if applicable. If you do not select the check box, the
BlackBerry device automatically connects to an available wireless access point.
13. Select the Notify on authentication failure check box, if applicable.
14. Choose your VPN profile, if applicable.


Configure EAP-TLS authentication


Requirement: Using a public or private certificate authority, obtain or generate a digital certificate for the
authentication server.
Notes: The root.der certificate file is stored in the location where the certificate was created. For example, the
authentication server stores a self-signed certificate locally.

Requirement: Configure each wireless access point as a client of the authentication server.
Notes: You must use the same version of EAP-TLS on clients and servers. For more information, see the documentation
for your access points.

Requirement: Distribute the digital certificate for the authentication server to the BlackBerry® device using one
of the following options:
• using the BlackBerry Manager: After you obtain a digital certificate for validating the authentication server,
you create a per-user IT policy and send the policy to the BlackBerry device.
• using the certificate management features of Microsoft® Active Directory®: After you download the certificate
to a computer, you install the certificate on the BlackBerry device.
Notes:
Using the BlackBerry Manager
To send a server or root certificate from the BlackBerry® Enterprise Server to the BlackBerry device, you can
create a per-user IT policy or use the WLAN configuration settings in the BlackBerry Manager and send the policy to
the BlackBerry device.
Using Microsoft Active Directory
You can use the certificate management features of Microsoft Active Directory to distribute a server or root
certificate to the user's computer. For more information, see the documentation for Microsoft Active Directory. The
user installs the certificate on the BlackBerry device from the computer, as explained in the following tasks.
Installing the certificate on the BlackBerry device
Instruct your users to complete the following tasks to install a root certificate on their computers:
1. Download the root certificate from the certificate authority server to your computer.
2. On your computer, right-click the root certificate. Click Install certificate.
3. Click Next.
4. Click Place all certificates in the following store.
5. Click Browse.
6. Click Trusted Root Certification Authorities.
7. Click OK.
8. Click Finish.
9. In the Security Warning dialog box, click Yes.
Instruct your users to complete the following tasks to synchronize the certificates:
1. Connect your BlackBerry device to the BlackBerry® Desktop Manager.
2. In the BlackBerry Desktop Manager, select the Certificate Synch tool.
3. Type any password to use as your keystore password.
4. On the Root Certificates tab, select the certificate that you downloaded.
If the certificate synchronization tool is not installed on a user's computer, instruct the user to reinstall the
BlackBerry® Desktop Software using the custom installation option. During the custom installation, the user can
install the certificate synchronization tool.

Requirement: Using a public or private certificate authority, obtain and install a user certificate on the
BlackBerry device.
Notes: The tasks are the same as the tasks for obtaining and installing a server certificate.


Requirement: If security settings are not configured by IT policy, instruct your users to configure the security
settings in the Wi-Fi® profile on the BlackBerry device.
Notes: Instruct your users to complete the following tasks:
1. On the BlackBerry device, in the device options, click Wi-Fi Connections.
2. Click the Wi-Fi profile that you want to configure.
3. Click Edit.
4. If a warning about a VPN profile appears, click OK. EAP-TLS does not require a VPN profile.
5. Set the Security Type field to EAP-TLS.
6. Type your User name for the messaging server.
7. In the CA certificate list, click the certificate of the certificate authority that issued the certificate for
the authentication server.
8. In the Client certificate list, click the user certificate.
9. Specify the Server subject or Server SAN, or both, if applicable.
The Server subject and Server SAN fields provide additional identification information from the server certificate
(the server name in the subject, or the subject alternative name, given as a host name such as server1.domain.com
or server1.domain.net). If you leave these fields blank, the BlackBerry device skips this check during server
authentication and accepts any server certificate issued by the selected CA certificate; set at least one of them
whenever that certificate authority also issues certificates to systems other than your authentication server.
10. If you use dynamic IP addressing, verify that Automatically obtain IP address and DNS is selected.
11. Verify that Allow inter-access point handover is selected.
12. Select the Prompt before connection check box, if applicable. If you do not select the check box, the
BlackBerry device automatically connects to an available wireless access point.
13. Select the Notify on authentication failure check box, if applicable.


Configure EAP-TTLS authentication


Requirement: Using a public or private certificate authority, obtain or generate a digital certificate for the
authentication server.
Notes: The root.der certificate file is stored in the location where the certificate was created. For example, the
authentication server stores a self-signed certificate locally.

Requirement: Configure each wireless access point as a client of the authentication server.
Notes: You must use the same version of EAP-TTLS on clients and servers. For more information, see the
documentation for your access points.

Requirement: Distribute the digital certificate for the authentication server to the BlackBerry® device using one
of the following options:
• using the BlackBerry Manager: After you obtain a digital certificate for validating the authentication server,
you create a per-user IT policy and send the policy to the BlackBerry device.
• using the certificate management features of Microsoft® Active Directory®: After you download the certificate
to a computer, you install the certificate on the BlackBerry device.
Notes:
Using the BlackBerry Manager
To send a server or root certificate from the BlackBerry® Enterprise Server to the BlackBerry device, you can
create a per-user IT policy or use the WLAN configuration settings in the BlackBerry Manager and send the policy to
the BlackBerry device.
Using Microsoft Active Directory
You can use the certificate management features of Microsoft Active Directory to distribute a server or root
certificate to the user's computer. For more information, see the documentation for Microsoft Active Directory. The
user installs the certificate on the BlackBerry device from the computer, as explained in the following tasks.
Installing the certificate on the BlackBerry device
Instruct your users to complete the following tasks to install a root certificate on their computers:
1. Download the root certificate from the certificate authority server to your computer.
2. On your computer, right-click the root certificate. Click Install certificate.
3. Click Next.
4. Click Place all certificates in the following store.
5. Click Browse.
6. Click Trusted Root Certification Authorities.
7. Click OK.
8. Click Finish.
9. In the Security Warning dialog box, click Yes.
Then instruct your users to complete the following tasks to synchronize the certificates:
1. Connect your BlackBerry device to the BlackBerry® Desktop Manager.
2. In the BlackBerry Desktop Manager, select the Certificate Synch tool.
3. Type any password to use as your keystore password.
4. On the Root Certificates tab, select the certificate that you downloaded.
If the certificate synchronization tool is not installed on a user’s computer, instruct the user to
reinstall the BlackBerry® Desktop Software using the custom installation option. During the
custom installation, the user can install the certificate synchronization tool.


Requirement: If security settings are not configured by IT policy, instruct your users to configure the security
settings in the Wi-Fi® profile on the BlackBerry device.
Notes: Instruct your users to complete the following tasks:
1. On the BlackBerry device, in the device options, click Wi-Fi Connections.
2. Click the Wi-Fi profile that you want to configure.
3. Click Edit.
4. Set the Security Type field to EAP-TTLS.
5. Type your User name and User password for the messaging server.
6. In the CA certificate list, click the certificate for the authentication server.
7. The Inner link security type is EAP-MS-CHAPv2.
8. Specify the Server subject or Server SAN, or both, if applicable.
The Server subject and Server SAN fields provide additional identification information from the server certificate
(the server name and identifier, or alternative name, in the form of a URL, such as server1.domain.com or
server1.domain.net). If you leave these fields blank, the BlackBerry device skips them during server authentication.
9. If you use dynamic IP addressing, verify that Automatically obtain IP address and DNS is selected.
10. Verify that Allow inter-access point handover is selected.
11. Select the Prompt before connection check box, if applicable. If you do not select the check box, the BlackBerry
device automatically connects to an available wireless access point.
12. Verify that Allow inter-access point handover is selected.
13. Select the Notify on authentication failure check box, if applicable.
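The Server subject and Server SAN check described in the EAP-TLS and EAP-TTLS tasks above, as an added illustration (not BlackBerry device code): the server certificate must come from the selected CA, a configured Server subject must match the certificate's subject name, a configured Server SAN must appear among its alternative names, and a field left blank is skipped. The certificates, CA names and profile values are constructed sample data, and matching the issuer name stands in for the signature verification a real client performs.

```python
"""Model of the server-certificate identity check behind the Server subject and
Server SAN fields of an EAP-TLS / EAP-TTLS Wi-Fi profile.

Added illustration, not BlackBerry device code. Certificates are represented as
plain objects (constructed sample data) rather than parsed X.509 structures, and
an issuer-name comparison stands in for real chain/signature validation.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ServerCert:
    """The fields of an authentication-server certificate that the check uses."""
    issuer: str                                    # CA that signed the certificate
    subject_cn: str                                # subject common name
    sans: List[str] = field(default_factory=list)  # subjectAltName DNS entries


@dataclass
class WifiProfile:
    """The CA certificate, Server subject and Server SAN fields of the profile."""
    ca_certificate: str                    # entry chosen in the "CA certificate" list
    server_subject: Optional[str] = None   # blank on the device is modelled as None
    server_san: Optional[str] = None


def _norm(name: str) -> str:
    """DNS names are case-insensitive; ignore case, surrounding space and a trailing dot."""
    return name.strip().rstrip(".").lower()


def server_identity_ok(profile: WifiProfile, cert: ServerCert) -> bool:
    """Return True when the device would accept this server certificate.

    1. The certificate must be issued by the CA selected in the profile.
    2. If Server subject is set, the subject CN must match it.
    3. If Server SAN is set, it must appear among the certificate's SAN entries.
    A blank Server subject or Server SAN is skipped, as the document states,
    so a profile with both left blank accepts any certificate from that CA.
    """
    if cert.issuer != profile.ca_certificate:
        return False
    if profile.server_subject and _norm(cert.subject_cn) != _norm(profile.server_subject):
        return False
    if profile.server_san and _norm(profile.server_san) not in {_norm(s) for s in cert.sans}:
        return False
    return True


def accepted_servers(profile: WifiProfile, certs: Dict[str, ServerCert]) -> List[str]:
    """Names of the sample certificates that the profile would accept, sorted."""
    return sorted(name for name, cert in certs.items() if server_identity_ok(profile, cert))


# Constructed sample certificates: the intended authentication server, a second
# host signed by the same CA, and a host signed by an unrelated CA.
SAMPLE_CERTS: Dict[str, ServerCert] = {
    "radius": ServerCert("Corp Root CA", "server1.domain.com",
                         ["server1.domain.com", "server1.domain.net"]),
    "other-corp-host": ServerCert("Corp Root CA", "intranet.domain.com",
                                  ["intranet.domain.com"]),
    "foreign": ServerCert("Some Other CA", "server1.domain.com",
                          ["server1.domain.com"]),
}

# Profile with both identity fields blank: only the CA check applies.
PROFILE_BLANK = WifiProfile(ca_certificate="Corp Root CA")
# Profile that also names the expected server: only that server is accepted.
PROFILE_PINNED = WifiProfile(ca_certificate="Corp Root CA",
                             server_subject="server1.domain.com",
                             server_san="server1.domain.net")

if __name__ == "__main__":
    print("blank fields accept :", accepted_servers(PROFILE_BLANK, SAMPLE_CERTS))
    print("named server accepts:", accepted_servers(PROFILE_PINNED, SAMPLE_CERTS))
```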


Configure EAP-FAST authentication


EAP-FAST is an authentication method that Cisco Systems developed. Like PEAP, it encrypts EAP transactions
within a TLS tunnel; however, where PEAP uses a server-side digital certificate to set up the TLS tunnel, EAP-FAST
uses a PAC file.
The PAC file, which is shared between the client and authentication server, contains secret keys that are unique to
the user. The PAC file is generated from the EAP-FAST master key on the authentication server. EAP-FAST uses the
PAC file to establish the encrypted tunnel and then authenticates the user credentials through the tunnel.

Requirement: Use automatic PAC provisioning over a safe network connection to distribute the PAC file to the
wireless client.
Notes: For more information about the automatic provisioning process, see the documentation for your
authentication server.

Requirement: Configure each wireless access point to connect to the access control server and a DHCP server.
Notes: For more information, see the documentation for your access points.

Requirement: Verify that the DHCP server can provide the following information to the wireless client:
• IP address or network
• default gateway
• DNS server IP address

Requirement: Configure the access control server.
Notes: For more information, see the documentation for your access control server.

Requirement: Instruct your users to configure the security settings in the Wi-Fi® profile on the BlackBerry® device.
Notes: Instruct your users to complete the following task:
1. On the BlackBerry device, in the device options, click Wi-Fi Connections.
2. Click the Wi-Fi profile that you want to configure.
3. Click Edit.
4. Set the Security Type field to EAP-FAST.
5. Type your User name and User password for the messaging server.
6. In the Inner link security list, click the security type.
7. In the Token list, select the token type, if applicable.
8. If you use dynamic IP addressing, verify that Automatically obtain IP address and DNS is selected.
9. Select the Prompt before connection check box, if applicable. If you do not select the check box, the BlackBerry
device automatically connects to an available wireless access point.
10. Select the Notify on authentication failure check box, if applicable.


9
Configuring software tokens
Using software tokens on the BlackBerry device
Preparing the RSA Authentication Manager for software token use
Synchronize the date and time on the BlackBerry device with the RSA Authentication Manager computer
Set the default WLAN connection parameters for the BlackBerry Domain
Set the default VPN connection parameters for the BlackBerry Domain
Set the user’s profile for software token use

Using software tokens on the BlackBerry device


BlackBerry® Enterprise Server Version 4.1 SP3 or later is designed to work with the RSA® Authentication Manager
to provide software token support for use with layer 2 and layer 3 authentication on supported BlackBerry devices.

Prerequisites: Minimum software versions for software token use


Software Minimum version
BlackBerry® Desktop Software 4.2.2
BlackBerry® Device Software 4.2.2
BlackBerry® Enterprise Server 4.1 SP3
RSA® Authentication Manager, installed and running in your environment 6.1

RSA Authentication Manager documentation resources


To complete tasks in the RSA® Authentication Manager, view the RSA Authentication Manager online help, the
RSA administration and installation guides, and the RSA SecurID Token for BlackBerry Handhelds Administrator’s
Guide.

Preparing the RSA Authentication Manager for software token use


Configure PIN policies for software tokens
In the RSA® Authentication Manager, configure the following policies for the PINs of the software tokens in your
organization:
• whether a PIN is required for authentication
• whether a PIN is defined by the user or generated by the RSA Authentication Manager
• whether a PIN is alphanumeric or numeric only
• whether a PIN has a fixed length or a variable length, with a minimum of four characters and a maximum of
eight characters

Import the token seed file into the RSA Authentication Manager Database
The software token stores the token’s UID, which is also called a seed. You receive the software token seed files in
.sdtid format, packaged separately, when you receive the RSA® Authentication Manager installation package.
When you install the RSA Authentication Manager, you create an empty RSA Authentication Manager Database.
Import the seed file for each software token into this database. You can import either single or multiple seed files.

Create a user record in the RSA Authentication Manager Database


In the RSA® Authentication Manager Database, create a user record for each software token holder.

Issue a software token


In the RSA® Authentication Manager Database Administration application, configure the following parameters for
the software token seed file:
• serial number
• cryptographic algorithm
• user account to which the software token is assigned
• password to protect the software token seed file
If you configure a password to protect the token file, when you configure the user’s profile in the BlackBerry®
Manager for software token use, you must add the password to the user’s Software Tokens configuration set. You
must also communicate the password to the user.
Then assign the software token to a user.

Synchronize the date and time on the BlackBerry device with the RSA Authentication Manager computer


The software token uses its UID and the current time to authenticate the BlackBerry® device to the RSA®
Authentication Manager. For that reason, you must synchronize the system time on the BlackBerry device with the
time on the RSA Authentication Manager, even though the RSA Authentication Manager is designed to
accommodate time differences of up to three minutes.
> Instruct your BlackBerry device users to use one of the following methods to synchronize the date, time, and
time zone setting on the BlackBerry device with the RSA Authentication Manager:
• manually adjust the time on the BlackBerry device using the Date/Time option
• use the BlackBerry® Desktop Manager to synchronize the date and time on the BlackBerry device with
the date and time on the user’s computer


Set the default WLAN connection parameters for the BlackBerry Domain


1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Edit Properties.
3. Click WLAN Configuration.
4. In the WLAN Configuration Administration section, double-click WLAN Configuration Sets.
5. Click New.
6. Double-click Name.
7. Type a name for the new WLAN configuration profile.
8. In the left pane, click WLAN Settings.
9. In the right pane, double-click a WLAN configuration setting.
10. Select or specify a value for the setting.
11. Repeat the preceding two steps for each additional WLAN setting.
12. Click Apply.

Set the default VPN connection parameters for the BlackBerry Domain


1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, click Edit Properties.
3. Click WLAN Configuration.
4. In the WLAN Configuration Administration section, double-click VPN Configuration Sets.
5. Click New.
6. Double-click Name.
7. Type a name for the new VPN configuration profile.
8. In the left pane, click VPN Settings.
9. In the right pane, double-click a VPN configuration setting.
10. Select or specify a value for the setting.
11. Repeat the preceding two steps for each additional VPN setting.
12. Click Apply.


Set the user’s profile for software token use


Depending on the number of software token records you have available, you can configure up to three software
tokens for each BlackBerry® device user.
1. In the BlackBerry Manager, in the left pane, click the name of the BlackBerry® Enterprise Server that hosts the
user account.
2. On the Users tab, right-click the name of the user. Click Edit Properties.
3. Click WLAN Configuration.
4. In the WLAN Configuration Administration section, double-click Software Tokens.
5. Click New.
6. Type the serial number of the software token.
7. Double-click Seed.
8. Click Import from File.
9. Navigate to the software token seed file for the user. Click Open.
10. After you import the file, click OK.
11. If you configured a password in the RSA® Authentication Manager to encrypt the .sdtid file seed, type the
password.
12. To confirm the password, type it again.
13. Set a value for the length of time that the BlackBerry device caches the PIN, using one of the following
options:
• 0: The BlackBerry device does not cache the PIN and prompts the user to authenticate at each login.
• positive value (for example, 9): The BlackBerry device retains the PIN in the cache for the specified
number of minutes and then deletes it.
• negative value (for example, -1): The BlackBerry device caches the PIN until the seed is deleted or
changed.
If you do not configure a value, the PIN is always cached.
14. Click Apply.
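The clock-synchronization requirement above and the PIN cache values in step 13, as an added illustration that is neither RIM nor RSA code. The RSA SecurID tokencode algorithm is proprietary, so the token here uses HMAC-based TOTP (RFC 6238, SHA-1, 60-second step) as a stand-in; the seed is a constructed value, and only the three-minute tolerance and the cache semantics (0, positive, negative, not configured) come from this document.

```python
"""Why the BlackBerry clock must match the RSA Authentication Manager, and how
the PIN cache setting behaves.

Added illustration, not RIM or RSA code. The real SecurID tokencode algorithm is
proprietary; HMAC-based TOTP (RFC 6238, SHA-1, 60-second step) stands in for it
here so that the effect of clock skew and the server's tolerance can be shown.
"""
import hashlib
import hmac
import struct
from typing import Optional

STEP_SECONDS = 60          # one tokencode per minute (assumption for the stand-in)
TOLERANCE_SECONDS = 180    # the server accommodates differences of up to three minutes


def tokencode(seed: bytes, at_seconds: int, digits: int = 6) -> str:
    """Time-based code derived from the token seed and a wall-clock time."""
    counter = at_seconds // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def server_accepts(seed: bytes, submitted: str, server_now: int) -> bool:
    """Authentication Manager side: accept a code produced within +/- the tolerance."""
    steps = TOLERANCE_SECONDS // STEP_SECONDS
    for k in range(-steps, steps + 1):
        candidate = tokencode(seed, server_now + k * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def device_authenticates(seed: bytes, device_skew_seconds: int, server_now: int) -> bool:
    """Device side: the code is computed from the device's own (possibly skewed) clock."""
    code = tokencode(seed, server_now + device_skew_seconds)
    return server_accepts(seed, code, server_now)


class PinCache:
    """PIN caching as set in the user's Software Tokens configuration.

    cache_minutes == 0    : never cached; the user is prompted at each login
    cache_minutes  > 0    : kept for that many minutes, then deleted
    cache_minutes  < 0    : kept until the seed is deleted or changed
    cache_minutes is None : setting not configured, so the PIN is always cached
    """

    def __init__(self, cache_minutes: Optional[int]):
        self.cache_minutes = cache_minutes
        self._pin: Optional[str] = None
        self._stored_at = 0

    def store(self, pin: str, now: int) -> None:
        if self.cache_minutes == 0:
            return                                            # nothing is retained
        self._pin, self._stored_at = pin, now

    def cached_pin(self, now: int) -> Optional[str]:
        """Return the cached PIN, or None when the user must be prompted again."""
        if self._pin is None:
            return None
        if self.cache_minutes is not None and self.cache_minutes > 0:
            if now - self._stored_at >= self.cache_minutes * 60:
                self._pin = None                              # timed out
        return self._pin

    def seed_changed(self) -> None:
        """A deleted or replaced seed discards the PIN regardless of the setting."""
        self._pin = None


# Constructed sample seed; real seeds arrive in the .sdtid file.
SAMPLE_SEED = b"constructed-sample-seed-not-a-real-sdtid"

if __name__ == "__main__":
    now = 1_700_000_000
    for skew in (0, 120, 180, 240, -300):
        print(f"device clock off by {skew:5d}s ->", device_authenticates(SAMPLE_SEED, skew, now))
```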

10
Implementing BlackBerry devices
Minimum software requirements
Implementing BlackBerry devices

Minimum software requirements


Software Minimum version
BlackBerry® Desktop Software 4.2.2
BlackBerry® Device Software 4.2.2

Implementing BlackBerry devices


BlackBerry® Enterprise Server Version 4.0.x
Messaging environment: Microsoft® Exchange
Document: BlackBerry Enterprise Server Administration Guide
Resources:
• Add a user from the address book
• Managing user properties and statistics
• Define PIM application synchronization settings
• Setting the default IT policy
• Protect a handheld remotely

BlackBerry Enterprise Server Version 4.0.x
Messaging environment: IBM® Lotus® Domino®, Novell® GroupWise®
Document: BlackBerry Enterprise Server Administration Guide
Resources:
• Add a user from a local or foreign domain
• Managing message redirection
• Managing PIM synchronization
• Setting the default IT policy
• Protect a handheld remotely

BlackBerry Enterprise Server Version 4.0.x
Messaging environment: Microsoft Exchange, IBM Lotus Domino, Novell GroupWise
Document: BlackBerry Enterprise Server Handheld Management Guide
Resources:
• Deploying handhelds
• Managing PIM synchronization
• Setting the default IT policy
• Protect a handheld remotely

BlackBerry Enterprise Server Version 4.1.x
Messaging environment: Microsoft Exchange, IBM Lotus Domino, Novell GroupWise
Document: BlackBerry Enterprise Server System Administration Guide
Resource: Implementing BlackBerry devices

11
Activating BlackBerry devices over the enterprise Wi-Fi network
Using the BlackBerry Router for BlackBerry device activations over the enterprise Wi-Fi network
Setting up the environment for BlackBerry device activations over the enterprise Wi-Fi network
Preparing to install a BlackBerry Router for BlackBerry device activations over the enterprise Wi-Fi network
Confirm the installation credentials
Configuring a BlackBerry Router for BlackBerry device activations over the enterprise Wi-Fi network
Prerequisites: Activating BlackBerry devices over the enterprise Wi-Fi network
Create and send activation information
Reactivate an existing BlackBerry device
Confirm that the activation is successful

In BlackBerry® Enterprise Server Version 4.1 SP3 and later, users can activate Wi-Fi® enabled BlackBerry devices
over the enterprise Wi-Fi network in environments where the following situations occur:
• BlackBerry devices can connect to the enterprise Wi-Fi network but cannot connect to the mobile network.
• Users do not have the BlackBerry® Desktop Manager installed on their computers.
• Administrators must deploy and activate a large number of BlackBerry devices.

Using the BlackBerry Router for BlackBerry device activations over the enterprise Wi-Fi network


When you set up a BlackBerry® Router for BlackBerry device activations over the enterprise Wi-Fi® network, you
configure the BlackBerry Router as an SMTP client, which is also known as a Mail User Agent. As an SMTP client,
the BlackBerry Router communicates with an SMTP server, which sends the ETP message to the user. The
ETP message is the email message that the BlackBerry Router sends to the user’s mailbox at activation.
An organization can host the SMTP server, or the SMTP server might be hosted by Research In Motion.

Setting up the environment for BlackBerry device activations over the enterprise Wi-Fi network


To set up the environment for users to activate BlackBerry® devices over the enterprise Wi-Fi® network, complete
the following tasks:
• Using the BlackBerry® Enterprise Server setup application, install and configure a BlackBerry Router whose
only purpose is to provide a connection to the BlackBerry® Infrastructure when users activate their BlackBerry
devices over the enterprise Wi-Fi network.
• Configure this BlackBerry Router to initiate a connection with the BlackBerry Enterprise Server that hosts
each user account associated with a Wi-Fi enabled BlackBerry device, or with the BlackBerry Enterprise Server
that you plan to use to host each user account.
• Configure one or more wireless access points to connect to this BlackBerry Router.
• Provide the credentials for each Wi-Fi enabled BlackBerry device to connect to the required wireless access
point.
• Create an email account and activation password on the BlackBerry Enterprise Server for each new user, if you
have not already done so.
• Provide the activation information, including the activation email address and login information, to users.
Follow your organization’s security policies for informing users of highly sensitive information.
To begin the activation, the user types the email address and password into the activation screen on the
BlackBerry device.

Preparing to install a BlackBerry Router for BlackBerry device activations over the enterprise Wi-Fi network


You can install a BlackBerry® Router for BlackBerry device activations over the enterprise Wi-Fi® network inside or
outside the organization’s firewall.
You can install this BlackBerry Router in any of the following locations:
• on a remote computer as a standalone component
• on the same computer as the BlackBerry® Enterprise Server
• on the same computer as the BlackBerry Enterprise Server with BlackBerry MDS Services installed
You can complete the BlackBerry Router configuration as part of the initial installation of the BlackBerry
Enterprise Server, or after the initial installation through the BlackBerry Configuration Panel.
This BlackBerry Router must be able to initiate a connection to the BlackBerry Enterprise Server that you plan to
use to host the user account. More than one BlackBerry Enterprise Server can connect to this BlackBerry Router.
However, each BlackBerry Enterprise Server can connect to only one BlackBerry Router used for BlackBerry device
activations over the enterprise Wi-Fi network.


Confirm the installation credentials


You require the BlackBerry® Enterprise Server installation credentials for installation or configuration of the
BlackBerry Router.
> Confirm that you have the following credentials from the BlackBerry Enterprise Server installation media:
• client access license key
• SRP identifier
• SRP authentication key
• SRP host address

Configuring a BlackBerry Router for BlackBerry device activations over the enterprise Wi-Fi network


Install and configure a new BlackBerry Router
1. In the BlackBerry® Enterprise Server installation media, double-click setup.exe.
2. Complete the instructions on the screen until you complete the WLAN SRP Setting step of the installation
process.
3. At the WLAN OTA Activation step, select the Permit wireless activation in your WLAN environment check
box.
4. Select the Prevent all serial bypass traffic through this router except WLAN activations check box.
This step is optional, but if you restrict the connections, this BlackBerry Router acts as a gateway only for
wireless activation over the enterprise Wi-Fi® network but not for other network traffic, such as email
messages or data and calendar synchronization.
5. In the Activation Gateway Settings area, select one of the following options to specify how the BlackBerry
Router locates the SMTP server:
• To allow the BlackBerry Router to determine which SMTP server to use for ETP traffic based on the mail
exchange record of the host domain, select Use MX Lookup to obtain SMTP server.
• To provide the SMTP server name and port, select Explicitly provide SMTP server name and port. Type
the server name and server port for the SMTP server.
6. If the SMTP server requires authentication, type the SMTP login name and SMTP password.
7. In the From address for ETP messages text box, type the email address to use as the From address. The
ETP message is the email message that the BlackBerry Router sends to the user’s mailbox at activation.
8. To restrict the domains that the BlackBerry Router accepts activation requests from, in the List of domains
that ETP messages can be sent to text box, specify one or more domains.


9. Click Next.
10. Complete the remaining instructions on the screen.

Configure an existing BlackBerry Router


1. On the computer that hosts the BlackBerry® Router, on the taskbar, click Start > Programs > BlackBerry
Enterprise Server > BlackBerry Server Configuration.
2. On the OTA Wi-Fi Activation tab, select the Permit wireless activation in your WLAN environment check
box.
3. Select the Prevent all serial bypass traffic through this router except WLAN activations check box.
This step is optional, but if you restrict the connections, this BlackBerry Router acts as a gateway only for
wireless activation over the enterprise Wi-Fi® network but not for other network traffic, such as email
messages or data and calendar synchronization.
4. In the Activation Gateway Settings area, select one of the following options to specify how the BlackBerry
Router locates the SMTP server:
• To allow the BlackBerry Router to determine which SMTP server to use for ETP traffic based on the mail
exchange record of the host domain, select Use MX Lookup to obtain SMTP server.
• To provide the SMTP server name and port, select Explicitly provide SMTP server name and port. Type
the server name and server port for the SMTP server.
5. If the SMTP server requires authentication, specify the SMTP login name and SMTP password.
6. In the From address for ETP messages text box, type the email address to use as the From address. The
ETP message is the email message that the BlackBerry Router sends to the user’s mailbox at activation.
7. Click Apply.

Prerequisites: Activating BlackBerry devices over the enterprise Wi-Fi network


Prerequisite: wireless access points
• Verify that the required wireless access points can connect to the BlackBerry® Router that you configured for
BlackBerry device activations over the enterprise Wi-Fi® network.
• If users must authenticate to an access point, configure each access point to accept each new user’s
authentication credentials.
Prerequisite: BlackBerry® Enterprise Server
• Verify that the BlackBerry Enterprise Server can communicate with each access point that you plan to use to
activate BlackBerry devices over the enterprise Wi-Fi network.
Prerequisite: user accounts
• Create an email account and an activation password for each user, if you have not already done so.
• For each BlackBerry device that a user will activate over the enterprise Wi-Fi network, create a user account on
the BlackBerry Enterprise Server.


Create and send activation information


Communicate the activation information to the user in a manner that your organization determines is safe. You
might have to complete this task if the user is activating the BlackBerry® device for the first time, and you cannot
push IT policies and WLAN configuration settings to the BlackBerry device.
> Create an activation message that users receive in their email application on their computers. Include the
following information:
• activation password
• user credentials required for connection to the wireless access point
• BlackBerry® Enterprise Server access information
• instructions for activating the BlackBerry device

Reactivate an existing BlackBerry device


1. On the BlackBerry® device, in the device options, click Advanced Options.
2. Click Enterprise Activation.
3. Type the activation email address.
4. Type the activation password.
5. In the activation server address box, type the IP address of the BlackBerry Router that BlackBerry devices use
for activations over the enterprise Wi-Fi® network.
6. Click the trackball.
7. Click Activate.

Confirm that the activation is successful


1. In the BlackBerry® Manager, in the left pane, click the name of a BlackBerry® Enterprise Server.
2. In the Users list, click the user name.


12
Troubleshooting
Push settings to the BlackBerry device
Troubleshooting connection and configuration issues on a Wi-Fi enabled BlackBerry device
Troubleshooting connection issues on a Wi-Fi enabled BlackBerry device
Wi-Fi Diagnostics status indicators
Verify whether the BlackBerry device can reach an IP address
Resolve a host name to an IP address

Push settings to the BlackBerry device


> If Wi-Fi® connection settings do not appear on a BlackBerry® device but the BlackBerry device is supposed to
be Wi-Fi enabled, push the WLAN Allow Handheld Changes setting to the BlackBerry device using either an
IT policy or the WLAN configuration settings.

Troubleshooting connection and configuration issues on a Wi-Fi enabled BlackBerry device


Using the Wi-Fi® Diagnostics screens on the Wi-Fi enabled BlackBerry® device, you can help users troubleshoot
configuration issues on the BlackBerry device, network connectivity or configuration issues, or infrastructure
issues that a user might have with a Wi-Fi enabled BlackBerry device.
Users can copy the diagnostic information and send it to you.
In addition, a user can ping network hosts from a BlackBerry device to check the availability and responsiveness of
network hosts. A user can perform a DNS lookup from a BlackBerry device to resolve network or domain host
names and IP addresses.

Troubleshooting connection issues on a Wi-Fi enabled BlackBerry device


Verify that the Wi-Fi connection is turned on
1. On the BlackBerry® device, on the Home screen, click Manage Connections.
2. Click Wi-Fi Options.
3. Verify that a check mark appears beside Wi-Fi.

View basic diagnostic information on a Wi-Fi enabled BlackBerry device


1. On the BlackBerry® device, in the device options, click Wi-Fi Connections.
2. Click the trackball.
3. Click Wi-Fi Diagnostics.

View detailed diagnostic information on a Wi-Fi enabled BlackBerry device


1. On the BlackBerry® device, in the device options, click Wi-Fi Connections.
2. Click the trackball.
3. Click Wi-Fi Diagnostics.
4. Click the trackball.
5. Click Options.
6. Change Display Mode to Advanced.
7. Click Save.

Wi-Fi Diagnostics status indicators


Status indicator groups
The status indicators appear in the following groups:
• Wi-Fi®
• VPN
• UMA/GAN (if your mobile network provider supports UMA or GAN and you have subscribed for the service)
• BlackBerry Infrastructure
• Enterprise
Within the groups, the indicators follow a sequence that is typical for troubleshooting.


Status indicator states


The status indicators have four possible states:
• Not applicable: black filled circle
• Trying: yellow horizontal line in a filled circle
• Successful: green check mark in a filled circle
• Error: red X in a filled circle

Wi-Fi connection status indicators


Current Profile
Description: This field displays the name of the WLAN profile that the user is currently using.
Troubleshooting suggestions:
• Verify that the Wi-Fi® connection on the BlackBerry® device is turned on.
• Verify that the BlackBerry device has one or more Wi-Fi profiles.
• Verify that the BlackBerry device is in coverage of a wireless access point whose SSID is stored in one of the
profiles on the BlackBerry device.

SSID
Description: This field displays the identifier for the Wi-Fi network. When a value is displayed, you know that the
BlackBerry device has connected to a network, and you know the name of the network.
Troubleshooting suggestions:
• Verify that the SSID of the wireless access point is configured on the BlackBerry device. The SSID is
case-sensitive.
• Verify that the Wi-Fi settings were correctly configured on the BlackBerry device or through the BlackBerry®
Enterprise Server, either manually or through an IT policy.
• Verify that the BlackBerry device has successfully authenticated.
• In the BlackBerry Manager, confirm that the user account is enabled.
• In the BlackBerry Manager, verify that the user is assigned to the correct BlackBerry device.
• Ping the BlackBerry device from the BlackBerry Enterprise Server.
• In the BlackBerry Manager, verify that the values configured through IT policies or in the WLAN configuration
settings have been successfully pushed to the BlackBerry device.


AP MAC Address
Description: This field displays the MAC address of the wireless access point with which the BlackBerry device is
associated. When a value is displayed, you know that the BlackBerry device has successfully associated with the
specified access point.
Troubleshooting suggestions:
• Verify that the access point is available and within range of the BlackBerry device.
• Verify that the BlackBerry device is on the same channel as the access point.
• Use a device with wireless access, such as a laptop computer, to test the association with the access point. Use
the same settings to configure the wireless connection as the BlackBerry device uses.
• Use a device with wireless access, such as a computer, to ping the BlackBerry Router. This tests whether the
BlackBerry Router is on the ACL of the access point.
• For more information, see the documentation for your access points.
• If access point logs are available, view the logs to determine the error that occurred.

Security Type
Description: This field displays the link security method. The options are as follows:
• No Security
• WEP
• Pre-Shared Key (PSK)
• PEAP
• LEAP
• EAP-TLS
• EAP-FAST
• EAP-TTLS
When the link security method is displayed, you know that security on the Wi-Fi connection is turned on and active.
Troubleshooting suggestions:
• Verify that the correct authentication method is configured.
• If a WEP key or PSK is required, verify that the key is configured correctly.
• WEP: Verify that the wireless access point is configured to not filter the MAC address of the BlackBerry device.
• LEAP: Verify that the user’s authentication credentials are correct.
• PEAP: Verify that the user’s authentication credentials are correct.
• EAP-TLS: Verify that the EAP-TLS certificate for the user is correct.

Association
Description: This field shows the status of the connection with the wireless access point. The status indicators
are as follows:
• green check mark: The authentication key is successfully applied, authentication is complete, and keys are used
to decrypt packets.
• black filled circle: There is not a network connection, or there is no profile for an association to a particular
access point.
Troubleshooting suggestions: —

Authentication
Description: This field shows the status of the authentication on the BlackBerry device.
Troubleshooting suggestions:
• Verify that the correct authentication method is configured on the wireless access point and on the BlackBerry
device.


Local IP Address
Description: This field displays the IP address of the BlackBerry device. When a value is displayed, you know the
network with which the BlackBerry device is associated.
Troubleshooting suggestions:
• If a static IP address is configured, verify that the parameters such as the subnet mask, the default gateway IP
address, and the DNS IP address are correctly configured.
• If DHCP is in use, verify that the BlackBerry device can successfully obtain a valid IP configuration (IP address,
subnet mask, default gateway IP address, and DNS IP address).
• Verify that a wireless device, such as a laptop computer, can connect to the network using DHCP and obtain an
IP address.
• Verify in the DHCP logs, if available, that a DHCP lease was granted to the BlackBerry device.

Signal Level
Description: The field displays the current signal strength. The value is based on the signal percentage level, from
none to excellent.
Troubleshooting suggestions: Low signal strength might cause intermittent drops in data connectivity.

Connection Data Rate
Description: This field displays the data rate in Mbps; IEEE® 802.11b™ has a data rate of 11 Mbps, while
IEEE® 802.11a™ and IEEE® 802.11g™ have a data rate of 54 Mbps.
Troubleshooting suggestions: Low signal strength might cause intermittent drops in data connectivity.

Status
Description: This field provides a descriptive status message, such as “Status acquired.” It also displays warnings
and errors encountered when the user tried to establish a connection to a wireless access point.

Network Type
Description: This field displays whether the wireless connection type is IEEE 802.11a, IEEE 802.11b, or IEEE 802.11g.
Troubleshooting suggestions: If no value displays, a Wi-Fi connection is not active, or the Wi-Fi network capability
on the BlackBerry device is turned off.

Network Channel
Description: This field displays the 802.11 channel that the wireless access point uses.
Troubleshooting suggestions: If no value displays, a Wi-Fi connection is not active, or the Wi-Fi network capability
on the BlackBerry device is turned off.

Pairwise Cipher
Description: This field displays information about how encryption keys are managed for a single user on the
network. You can configure a wireless access point to support multiple pairwise ciphers. A pairwise cipher can be
used with a group cipher.
Troubleshooting suggestions: —

Group Cipher
Description: This field displays information about how encryption keys are managed for all users on the network or
locally. A pairwise cipher can be used with a group cipher. The options are as follows:
• None
• WEP 40
• WEP 104
• TKIP
• AES-CCMP
A wireless access point that you configure to support multiple pairwise ciphers is only as strong as the weakest
pairwise cipher.

Gateway Address
  Description: This field displays the IP address of the gateway that routes any packets going outside the local network. In an enterprise Wi-Fi network, it is the IP address of the organization’s LAN gateway. In a personal Wi-Fi network, it is the internal IP address of the personal network’s router.
DHCP
  Description: This field shows the status of the DHCP connection on the BlackBerry device. When a check mark is displayed, DHCP is complete.
  Troubleshooting suggestions: —
Primary DNS
  Description: This field displays the address of an optional computer that translates host names into IP addresses.
Secondary DNS
  Description: This field displays the address of an optional computer that translates host names into IP addresses. The secondary DNS server is used if the primary DNS is not available.
DNS Suffix
  Description: This field displays the domain name suffix, such as .com or .org.
Subnet Mask
  Description: This field displays information about the subnet base for the IP address that was assigned to the BlackBerry device.
Server Domain Suffix
  Description: This field displays the domain name suffix for the network with which the BlackBerry device has associated.
Certificate
  Description: This field shows the certificate used for WLAN authentication, if applicable.
Software Token
  Description: If a software token is configured for the BlackBerry device, this field displays the serial number of the software token.

VPN connection status indicators

Columns: Status indicator; Description; Troubleshooting suggestions.

Current Profile
  Description: This field displays the name of the VPN profile that the user is currently using.
Concentrator Address
  Description: This field displays the IP address of the VPN concentrator.
  Troubleshooting suggestions:
  • Verify that the VPN is turned on.
  • Ping the IP address of the VPN concentrator.
  • Verify that the VPN concentrator host name resolves to an IP address. If it does not, configure the VPN IP address.
Contact
  Description: This field shows the status of the BlackBerry® device contact with the VPN concentrator. A green check mark appears when the BlackBerry device has successfully connected with the VPN concentrator.
Authentication
  Description: This field shows the status of the authentication on the BlackBerry device. If the last authentication attempt was unsuccessful, the field displays an error state.
  Troubleshooting suggestions:
  • Verify that the security parameters are supported.
  • Verify that the user’s VPN login credentials are correct.
Secure Device IP
  Description: This field shows the IP address of the BlackBerry device on the private network that the VPN protects.

Status
  Description: This field provides a descriptive current status message, such as “Error: Link down.”
Resolving Concentrator
  Description: This field indicates that the IP address of the VPN concentrator has been verified.
Concentrator IP
  Description: This field shows the IP address of the VPN concentrator.
  Troubleshooting suggestions: —
Primary DNS
  Description: When a VPN session is established, this is the DNS address that corresponds to the VPN primary DNS. If a VPN session is not established, this value corresponds to the configured WLAN address.
Secondary DNS
  Description: This field shows the address of an optional computer that translates host names into IP addresses. The secondary DNS server is used if the primary DNS is not available.
  Troubleshooting suggestions: —
DNS Suffix
  Description: This field shows the domain that the BlackBerry device uses to resolve addresses on the enterprise Wi-Fi® network.
  Troubleshooting suggestions: —
Secure Subnet Mask
  Description: This field shows the subnet mask of the BlackBerry device on the private network protected by the VPN. The subnet mask and the IP address provide information about the subnet to which the BlackBerry device has connected.
Retry at
  Description: If a login attempt is unsuccessful, this field shows the next date and time that the BlackBerry device can again try to log in.
  Troubleshooting suggestions: —
Session Lifetime
  Description: This field indicates the length of time in seconds that the VPN session is maintained before the BlackBerry device renegotiates the session.
  Troubleshooting suggestions: —
Re-login at
  Description: This field indicates the length of the periodic rollover or new login period, which the BlackBerry device obtains from the VPN concentrator.
  Troubleshooting suggestions: —
Failed Login Attempts
  Description: This field displays the number of unsuccessful login attempts. If a user logs in successfully, the value is cleared and reverts to 0 automatically.
  Troubleshooting suggestions: —
Certificate
  Description: This field displays the certificate used for VPN authentication, if applicable.
Software Token
  Description: If a software token is configured for the BlackBerry device, this field displays the serial number of the software token.


UMA/GAN connection status indicators

If your mobile network provider supports UMA or GAN, and you have subscribed to this service, a UMA category is present on the BlackBerry® device.

Columns: Status indicator; Description; Troubleshooting suggestions.

Connection Preference
  Description: This field shows how the BlackBerry device tries to connect to the mobile network provider’s voice and data services. Using the following settings, you or the user can configure how the BlackBerry device gains access to the mobile network provider’s voice and data services:
  Wi-Fi Preferred: The BlackBerry device uses a Wi-Fi® connection when possible. When the user is not in a Wi-Fi coverage area, the BlackBerry device uses a mobile network connection.
  Wi-Fi Only: The BlackBerry device uses only a Wi-Fi connection.
  Mobile Network Only: The BlackBerry device uses only a mobile network connection to the mobile network provider.
  Mobile Network Preferred: The BlackBerry device uses a mobile network connection, where possible, but can also use a Wi-Fi connection.
  Troubleshooting suggestions:
  • Under Options > Mobile Network, verify that the Connection Preference line displays. If the Connection Preference line does not display, at the Network line, type ALT-GANN to turn on UMA connectivity.
UMA Wi-Fi Available
  Description: This field shows whether the user has a UMA profile.
  Troubleshooting suggestions:
  • Under Options > UMA, verify whether a UMA profile is set up.
  You can safely ignore this status indicator.
Connection
  Description: This field indicates whether the BlackBerry device is connected over UMA.
  Troubleshooting suggestions:
  • Under Options > Mobile Network, verify that Wi-Fi Preferred is selected.
  • Under Options > UMA, verify that at least one UMA profile is available. If a UMA profile does not exist, create one using the credentials of the mobile network provider.
  • Verify that under the currently selected UMA profile, the mobile network provider’s security gateway (SEGW) certificate field is not empty and is associated with a certificate for the corresponding mobile network provider.
  • In the Wi-Fi Diagnostics screen, verify that the BlackBerry device is connected to a Wi-Fi network.
  • Connect a computer to the same wireless access point.
  • Verify the IP address of the BlackBerry device on the Wi-Fi Diagnostics screen. Ping the device.
  • If you do not receive a response, you have isolated the issue to the Wi-Fi side.
  • If all of these steps succeed but the field still shows nothing, check the Status field for the reason.
Status
  Description: This field shows the status of the UMA connection.
  Troubleshooting suggestions: —

Registered UNC Address
  Description: This field shows the address or FQDN of the UNC.
  Troubleshooting suggestions: A value displays only if the BlackBerry device has successfully registered on the UNC. If a value does not display, use the same steps that you use for troubleshooting the Connection field.
Registration
  Description: This field indicates that the BlackBerry device has registered with the UNC.
  Troubleshooting suggestions: A value displays only if the BlackBerry device has successfully registered on the UNC. If a value does not display, use the same steps that you use for troubleshooting the Connection field.
Authentication
  Description: This field indicates that the BlackBerry device has authenticated to the UNC.
  Troubleshooting suggestions: A value displays only if the BlackBerry device has successfully registered on a UNC. If a value does not display, use the same steps that you use for troubleshooting the Connection field.
Serving UNC Address
  Description: This field shows the UNC to which the BlackBerry device has connected.
  Troubleshooting suggestions: A value displays only if the BlackBerry device has successfully registered on the UNC. If a value does not display, use the same steps that you use for troubleshooting the Connection field.
Security Gateway IP
  Description: This field shows the IP address of the mobile network provider’s security gateway.
  Troubleshooting suggestions: A value displays only if the BlackBerry device has successfully registered on the UNC. If a value does not display, use the same steps that you use for troubleshooting the Connection field.
Cellular information
  Description: This field displays the GSM® cellular information as received from or sent to the UNC, MNC, MCC, the mobile network ID (Cell ID) of the BlackBerry device, and ARFCN.
  Troubleshooting suggestions: A value displays only if the BlackBerry device has successfully registered on the UNC.
Cellular handover to UMA failures
  Description: This field displays errors received during the transition from one network type to the other while the user is on a call.
  Troubleshooting suggestions: —
Cellular rove-in failures
  Description: This field displays errors received during the transition from one network type to the other while the BlackBerry device is idle.
  Troubleshooting suggestions: —

BlackBerry Infrastructure connection status indicators

The BlackBerry® Infrastructure connection status indicators appear on the BlackBerry device when the user either makes a Wi-Fi® connection or tries to make a Wi-Fi connection.

Columns: Status indicator; Description; Troubleshooting suggestions.

Address Used
  Description: This field indicates the host name or IP address and port number used to connect to the SRP.
IP Used
  Description: This field indicates the host name or IP address and port number used to connect to the SRP.
Connecting
  Description: This field indicates the IP address and port number used to connect to the SRP.
Authenticating router
  Description: This field displays the IP address of the server that performs authentication, if applicable.

Authenticating server
  Description: This field displays the IP address of the server that performs authentication.
Last Contact At
  Description: This field displays the time of the last BlackBerry device contact with the BlackBerry Enterprise Server through the SRP.
  Troubleshooting suggestions: —

Enterprise connection status indicators

Columns: Status indicator; Description; Troubleshooting suggestions.

UIDs
  Description: This field indicates the SRP UID of the BlackBerry® Enterprise Server that hosts the user account for the BlackBerry device.
  Troubleshooting suggestions: —
Address Used
  Description: This field indicates the host name or IP address and port number used to connect to the SRP.
IP Used
  Description: This field indicates the host name or IP address and port number used to connect to the SRP.
Connecting
  Description: This field indicates the IP address and port number used to connect to the SRP.
Authenticating router
  Description: This field displays the IP address of the server that performs authentication, if applicable.
Authenticating server
  Description: This field displays the IP address of the server that performs authentication.
Last Contact At
  Description: This field displays the time of the last BlackBerry device contact with the BlackBerry Enterprise Server through the SRP.
  Troubleshooting suggestions: —

Verify whether the BlackBerry device can reach an IP address

1. On the BlackBerry® device, in the device options, click Wi-Fi Connections.
2. Click the trackball.
3. Click Wi-Fi Diagnostics.
4. Click the trackball.
5. Click Ping.


6. Complete the applicable fields:

Field Description
Ping Type The options are as follows:
• IP or Name
• Self
• WLAN Gateway
• VPN Concentrator
• UNC (mobile network provider)
• BBR (BlackBerry Router)
Ping to In this field, you specify the IP address to ping.
Number of Pings In this field, you specify the number of times to ping an IP address.

7. View the ping data:

Field Description
Device IP This field indicates the IP address of the BlackBerry device.
Last Time Used This field indicates the last time an IP address was pinged.
Results This field indicates what happened when the last IP address was pinged.

Resolve a host name to an IP address


1. On the BlackBerry® device, in the device options, click Wi-Fi Connections.
2. Click the trackball.
3. Click Wi-Fi Diagnostics.
4. Click the trackball.
5. Specify either a name or an IP address to look up.
6. Click the trackball.
7. Click DNS Lookup.
8. Click Lookup.
9. Select an option.
10. View the DNS lookup results:

Field Description
Primary DNS This field indicates the IP address of the primary computer that is used to resolve host names.
Secondary DNS This field indicates the IP address of an optional computer used between networks.
Last Time Used This field indicates the last time that the host was looked up.
Results This field indicates the result of the last lookup, and lists each IP address found to which the last lookup resolved.

13: IT policy rules and configuration settings
Using WLAN IT policy rules with a WLAN configuration set
WLAN IT policy group
WLAN configuration settings
VPN IT policy group
VPN configuration settings

Using WLAN IT policy rules with a WLAN configuration set


In BlackBerry® Enterprise Server Version 4.1 SP3 or later, you can configure the Wi-Fi® settings for the BlackBerry
device using the WLAN IT policy rules or a WLAN configuration set in the BlackBerry Manager.
• If you use only WLAN IT policy rules and not a WLAN configuration set, a BlackBerry device uses both global
WLAN settings and per-profile WLAN settings from the WLAN IT policy group.
• If you use both WLAN IT policy rules and a WLAN configuration set, a BlackBerry device takes the global
WLAN settings from the WLAN IT policy rules. However, the BlackBerry device ignores any WLAN profiles in
the WLAN IT policy and uses only the WLAN profiles from the WLAN configuration set.
As a result, if your WLAN IT policy rules include only the WLAN IT policy (which contains a WLAN profile), and you
are not using a WLAN configuration set, the BlackBerry device adds the WLAN profile contained in the WLAN
IT policy to the list of WLAN profiles.
If you make changes to a WLAN configuration set, or delete it, you must resend the IT policy for the changes to
take effect immediately.
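The precedence rules above, written out as a resolver that reports which global settings and which WLAN profiles a device ends up with. This is an added example, not RIM's code: the split of rule names into global and per-profile rules, the dict layout and the function names are assumptions made for the example.

```python
"""Resolve the WLAN settings a BlackBerry device applies when WLAN IT policy
rules and an optional WLAN configuration set are both in play.

Added example, not RIM's code: it encodes the precedence rules the text
states. Which rule names count as global versus per-profile, the dict
layout and the function names are assumptions made for this example."""
from dataclasses import dataclass
from typing import Optional

# WLAN IT policy rules that apply device-wide ("global WLAN settings").
GLOBAL_RULES = {
    "WLAN Allow Handheld Changes",
    "Disable WLAN",
    "WLAN Password Hidden on Input",
    "Disable WLAN User Profiles",
    "Disable WLAN Access to BES",
}

# Rules that together describe the single WLAN profile embedded in the policy.
PROFILE_RULES = {
    "WLAN SSID", "WLAN Link Security", "WLAN Preshared Key",
    "WLAN User Name", "WLAN DHCP Configuration", "WLAN IP Address",
}


@dataclass
class EffectiveWlanSettings:
    global_settings: dict   # device-wide rules, always taken from the IT policy
    profiles: list          # WLAN profiles the device will use
    profile_source: str     # "it_policy" or "configuration_set"


def resolve_wlan_settings(it_policy: dict,
                          configuration_set: Optional[list]) -> EffectiveWlanSettings:
    """it_policy maps rule name -> value for the rules that are actually set;
    configuration_set is the list of WLAN profile dicts from a WLAN
    configuration set in the BlackBerry Manager, or None if none is used."""
    global_settings = {k: v for k, v in it_policy.items() if k in GLOBAL_RULES}
    policy_profile = {k: v for k, v in it_policy.items() if k in PROFILE_RULES}

    if configuration_set is not None:
        # Both present: global settings still come from the IT policy rules,
        # but any WLAN profile in the IT policy is ignored in favour of the
        # configuration set's profiles.
        return EffectiveWlanSettings(global_settings, list(configuration_set),
                                     "configuration_set")

    # IT policy rules only: the profile contained in the policy is added to
    # the device's profile list. An SSID is taken as the minimum that makes
    # the embedded profile usable (assumption for this example).
    profiles = [policy_profile] if policy_profile.get("WLAN SSID") else []
    return EffectiveWlanSettings(global_settings, profiles, "it_policy")


if __name__ == "__main__":
    # Constructed sample policy and configuration set.
    policy = {"WLAN Allow Handheld Changes": False,
              "WLAN SSID": "corp-wlan", "WLAN Link Security": "EAP-PEAP"}
    print(resolve_wlan_settings(policy, None))
    print(resolve_wlan_settings(policy, [{"WLAN SSID": "corp-a"},
                                         {"WLAN SSID": "corp-b"}]))
```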

WLAN IT policy group

Columns: Setting; Description; Default value; Minimum requirements (BlackBerry Device Software, BlackBerry Enterprise Server software); Use.

WLAN Allow Handheld Changes
  Description: Specify whether to allow users to change all WLAN policy rules on the BlackBerry® device.
  Default value: True
  Minimum requirements: BlackBerry Device Software 4.0.0, BlackBerry Enterprise Server software 4.0.1
  Use: Set to False to permit users to change only the user-specific WLAN rules on the BlackBerry device.
WLAN Link Security
  Description: Specifies the type of security required for WLAN access (Open, WEP, PSK, EAP-PEAP, EAP-LEAP, EAP-TLS, EAP-FAST, EAP-TTLS).
  Default value: Open (0)
  Minimum requirements: BlackBerry Device Software 4.0.0, BlackBerry Enterprise Server software 4.0.1
  Use: If you do not specify a security type, Open is used.
WLAN SSID
  Description: Type the network name of the WLAN and its wireless access points. The SSID is case-sensitive.
  Default value: —
  Minimum requirements: BlackBerry Device Software 4.0.0, BlackBerry Enterprise Server software 4.0.1
  Use: Do not use the default SSID.
WLAN Default Key ID
  Description: Type the Default WEP Key ID.
  Default value: 1
  Minimum requirements: BlackBerry Device Software 4.0.0, BlackBerry Enterprise Server software 4.0.1
  Use: The WEP Key ID must match the desired WEP access point ID and the corresponding WEP key.
WLAN WEP Key 0
  Description: Type the password for WEP key 1 using the format xx:xx:xx:xx:xx.
  Minimum requirements: BlackBerry Device Software 4.0.0, BlackBerry Enterprise Server software 4.0.1
  Use: Allowable values are either 5 or 13 pairs of hexadecimal digits (0 to 9 and A to F) separated by a colon. For example, "AB:CD:EF:01:23" or "AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23" are acceptable values.
WLAN WEP Key 1
  Description: Type the password for WEP key 2 using the format xx:xx:xx:xx:xx.
  Minimum requirements: BlackBerry Device Software 4.0.0, BlackBerry Enterprise Server software 4.0.1
  Use: Allowable values are either 5 or 13 pairs of hexadecimal digits (0 to 9 and A to F) separated by a colon. For example, "AB:CD:EF:01:23" or "AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23" are acceptable values.
WLAN WEP Key 2
  Description: Type the password for WEP key 3 using the format xx:xx:xx:xx:xx.
  Minimum requirements: BlackBerry Device Software 4.0.0, BlackBerry Enterprise Server software 4.0.1
  Use: Allowable values are either 5 or 13 pairs of hexadecimal digits (0 to 9 and A to F) separated by a colon. For example, "AB:CD:EF:01:23" or "AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23" are acceptable values.
WLAN WEP Key 3
  Description: Type the password for WEP key 4 using the format xx:xx:xx:xx:xx.
  Minimum requirements: BlackBerry Device Software 4.0.0, BlackBerry Enterprise Server software 4.0.1
  Use: Allowable values are either 5 or 13 pairs of hexadecimal digits (0 to 9 and A to F) separated by a colon. For example, "AB:CD:EF:01:23" or "AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23" are acceptable values.
WLAN Preshared Key
  Description: Type the PSK.
  Minimum requirements: BlackBerry Device Software 4.0.0, BlackBerry Enterprise Server software 4.0.1
  Use: Type the PSK if you specified PSK as the WLAN Link Security type.
WLAN User Name
  Description: Type the user name for EAP-PEAP or EAP-LEAP security access on the BlackBerry device.
  Default value: —
  Minimum requirements: BlackBerry Device Software 4.0.0, BlackBerry Enterprise Server software 4.0.1
  Use: Set this value as a per-user IT policy rule, or within an IT policy that applies to only one user, unless you want to set a default value for all users. If the user manually types a user name value on the BlackBerry device, IT policy updates overwrite or delete that value. To retain the user-specified value on the BlackBerry device, set the updated IT policy to use the same value for this IT policy rule.
WLAN User Password
  Description: Type the user password for EAP-PEAP or EAP-LEAP security access on the BlackBerry device.
  Default value: —
  Minimum requirements: BlackBerry Device Software 4.0.0, BlackBerry Enterprise Server software 4.0.1
  Use: Set this value as a per-user IT policy rule, or within an IT policy that applies to only one user, unless you want to set a default value for all users. If the user manually types a user password value on the BlackBerry device, IT policy updates overwrite or delete that value. To retain the user-specified value on the BlackBerry device, set the updated IT policy to use the same value for this IT policy rule.
WLAN DHCP Configuration
  Description: Specify whether DHCP is used for dynamic network configuration.
  Default value: True (enabled)
  Minimum requirements: BlackBerry Device Software 4.0.0, BlackBerry Enterprise Server software 4.0.1
  Use: DHCP is turned on by default. If you are implementing a subnetted WLAN, turn on DHCP to permit roaming between subnets.
WLAN IP Address
  Description: Type the IP address in IP address format (for example, 10.0.0.1) for use if DHCP is turned off on the BlackBerry device (in other words, if the WLAN DHCP Configuration rule is set to False).
  Minimum requirements: BlackBerry Device Software 4.0.0, BlackBerry Enterprise Server software 4.0.1
  Use: Warning: If the WLAN DHCP Configuration rule is set to True, do not set this rule.
WLAN Subnet Mask
  Description: Type the subnet mask in IP address format (for example, 10.0.0.1) for use if DHCP is turned off on the BlackBerry device.
  Minimum requirements: BlackBerry Device Software 4.0.0, BlackBerry Enterprise Server software 4.0.1
  Use: Warning: Do not apply this rule if DHCP is turned on.
WLAN Primary DNS
  Description: Type the primary DNS in IP address format (for example, 10.0.0.1) if DHCP is turned off.
  Default value: —
  Minimum requirements: BlackBerry Device Software 4.0.0, BlackBerry Enterprise Server software 4.0.1
  Use: Warning: Do not apply this rule if DHCP is turned on.
WLAN Secondary DNS
  Description: Type the secondary DNS in IP address format (for example, 10.0.0.1) if DHCP is turned off.
  Default value: —
  Minimum requirements: BlackBerry Device Software 4.0.0, BlackBerry Enterprise Server software 4.0.1
  Use: Warning: Do not apply this rule if DHCP is turned on.
WLAN Default Gateway
  Description: Type the default gateway in IP address format (for example, 10.0.0.1) if DHCP is turned off.
  Default value: —
  Minimum requirements: BlackBerry Device Software 4.0.0, BlackBerry Enterprise Server software 4.0.1
  Use: Warning: Do not apply this rule if DHCP is turned on.
WLAN Minimal EAP-TLS Certificate Encryption Key Security Level
  Description: Specify the minimum security level for private keys used by EAP methods employing client certificates (for example, EAP-TLS).
  Low security: The BlackBerry device prompts the user only once for the key store password to retrieve the private key for encrypting messages. The BlackBerry device stores the unencrypted private key with the WLAN profile.
  Medium security: The BlackBerry device prompts the user only once for the key store password to retrieve the private key for encrypting messages, and subsequently only after a device reset. The BlackBerry device caches the private key in memory but does not store it with the WLAN profile.
  High security: The BlackBerry device always prompts the user for the key store password when accessing the private key for encrypting messages. The BlackBerry device does not store the unencrypted private key with the WLAN profile.
  Default value: 1 (obsolete in 4.1.4)
  Minimum requirements: BlackBerry Device Software 4.0.0, BlackBerry Enterprise Server software 4.0.1
  Use: If you do not specify a security level, the default value 1 (low security) is used.
WLAN Enable Authentication Page
  Description: Specify whether the WLAN Login browser is available on the BlackBerry® 7270 smartphone.
  Default value: False (obsolete in 4.1.4)
  Minimum requirements: BlackBerry Device Software 4.0.0, BlackBerry Enterprise Server software 4.0.1
  Use: Set to True to permit users to log in to a captive portal using the BlackBerry device.
Disable WLAN
  Description: Specify whether users can access the WLAN capability on the BlackBerry device.
  Default value: False
  Minimum requirements: BlackBerry Device Software 4.2.1, BlackBerry Enterprise Server software 4.1.3
  Use: Set to True to prevent the use of WLAN on the BlackBerry device.
WLAN Password Hidden on Input
  Description: Specify whether the WLAN password is masked as the user types it.
  Default value: False
  Minimum requirements: BlackBerry Device Software 4.2.1, BlackBerry Enterprise Server software 4.1.3
  Use: Set to True to mask the password that the BlackBerry device user types. Set to False to allow the BlackBerry device to display the password that the BlackBerry device user types.
Disable WAN-Only Mode
  Description: Specify whether to prevent users from selecting WAN-only mode from the GAN selection modes on the BlackBerry device.
  Default value: False
  Minimum requirements: BlackBerry Device Software 4.2.1, BlackBerry Enterprise Server software 4.1.3
  Use: Set to True to prevent the use of the WAN capabilities of the BlackBerry device.
Disable WAN-Preferred Mode
  Description: Specify whether to prevent users from selecting WAN-Preferred mode from the GAN selection modes on the BlackBerry device.
  Default value: False
  Minimum requirements: BlackBerry Device Software 4.2.1, BlackBerry Enterprise Server software 4.1.3
  Use: Set to True to prevent the use of the WAN-Preferred mode in the GAN selection modes on the BlackBerry device.
Disable GAN-Only Mode
  Description: Specify whether to prevent users from selecting GAN-Only mode from the GAN selection modes on the BlackBerry device.
  Default value: False
  Minimum requirements: BlackBerry Device Software 4.2.1, BlackBerry Enterprise Server software 4.1.3
  Use: Set to True to prevent the use of the GAN-Only mode in the GAN selection modes on the BlackBerry device.
Disable GAN-Preferred Mode
  Description: Specify whether to prevent users from selecting GAN-Preferred mode from the GAN selection modes on the BlackBerry device.
  Default value: False
  Minimum requirements: BlackBerry Device Software 4.2.1, BlackBerry Enterprise Server software 4.1.3
  Use: Set to True to prevent the use of GAN-Preferred mode in the GAN selection modes on the BlackBerry device.
Disable GAN Selection Mode Editing
  Description: Specify whether to prevent users from changing the GAN selection mode on the BlackBerry device.
  Default value: False
  Minimum requirements: BlackBerry Device Software 4.2.1, BlackBerry Enterprise Server software 4.1.3
  Use: Set to True to prevent users from changing the GAN selection mode on the BlackBerry device.
WLAN Disable Prompt for Credentials Re-Entry
  Description: Specify whether to turn off the prompt for users to re-enter WLAN credentials after authentication is unsuccessful.
  Default value: False
  Minimum requirements: BlackBerry Device Software 4.2.1, BlackBerry Enterprise Server software 4.1.3
  Use: Set to True if you do not want to prompt users to re-enter WLAN credentials after authentication is unsuccessful.
Disable WLAN User Profiles
  Description: Specify whether a user can create new WLAN profiles on the BlackBerry device.
  Default value: False
  Minimum requirements: BlackBerry Device Software 4.2.1, BlackBerry Enterprise Server software 4.1.3
  Use: Set to True to prevent the user from creating new WLAN profiles on the BlackBerry device.
GAN WLAN Threshold
  Description: Specify the WLAN signal quality threshold for changing from GAN to WAN. If the WLAN signal quality drops below this threshold in GAN-preferred mode, the BlackBerry device tries to hand over or change to the WAN, if an acceptable cell is available.
  Default value: —
  Minimum requirements: BlackBerry Device Software 4.2.1, BlackBerry Enterprise Server software 4.1.3
  Use: If you do not specify a value for this setting, the BlackBerry device chooses a suitable value (possibly specified by the mobile network provider). Possible values are as follows:
  Low: Use GAN mode unless the Wi-Fi® signal quality is very low.
  Medium: Use GAN mode if the Wi-Fi signal quality is high or medium.
  High: Use GAN mode only if the Wi-Fi signal quality is high.
GAN Signal Strength Threshold
  Description: Specify the signal strength threshold for rove-in from WAN to GAN.
  Minimum requirements: BlackBerry Device Software 4.2.1, BlackBerry Enterprise Server software 4.1.3
  Use: In WAN-preferred mode, if the signal strength of the serving cell drops below this value, the BlackBerry device uses the GAN cell, if one is available. This value is specified in RXLEV units, described in 3GPP 5.08 8.1.4:
  • 0: -111 dBm
  • 63: -48 dBm
  If you do not specify a value for this setting, the BlackBerry device chooses a suitable value (possibly specified by the mobile network provider).
GAN Signal Quality Threshold
  Description: Specify the signal quality threshold for handover from WAN to GAN.
  Minimum requirements: BlackBerry Device Software 4.2.1, BlackBerry Enterprise Server software 4.1.3
  Use: In WAN-preferred mode, if the signal quality drops below this level, the BlackBerry device tries a handover to GAN, if possible. The signal quality is related to bit error rate and is described in 3GPP 5.08 8.2.4:
  • 0: good quality
  • 7: worst quality
  If you do not specify a value for this setting, the BlackBerry device chooses a suitable value (possibly specified by the mobile network provider).
Disable WLAN Access to BES
  Description: Specify whether a user’s BlackBerry device can connect to the BlackBerry® Enterprise Server using a Wi-Fi connection.
  Default value: —
  Minimum requirements: BlackBerry Device Software 4.2.1, BlackBerry Enterprise Server software 4.1.3
  Use: Set to True to deny access to the BlackBerry Enterprise Server from a Wi-Fi network. The default value might vary by mobile network provider.
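A pre-send check for the constraints the table above states: the WEP key format (5 or 13 colon-separated hex pairs), the credential each WLAN Link Security type needs, and the static-addressing rules that must not be applied while WLAN DHCP Configuration is True. This is an added example, not RIM's tooling; the rule names are the table's, while the dict layout, the severities and message wording, and the assumption that Default Key ID n selects WLAN WEP Key n-1 are the example's own.

```python
"""Lint a WLAN IT policy against the constraints the WLAN IT policy group
table states. Added example, not RIM's tooling: rule names are the table's;
the dict layout, severities, message wording and the assumed mapping from
Default Key ID n to "WLAN WEP Key n-1" are this example's own."""
import re
from ipaddress import ip_address

# Either 5 or 13 pairs of hexadecimal digits separated by colons.
WEP_KEY_RE = re.compile(
    r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){4}$"      # 5 pairs  -> WEP 40
    r"|^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){12}$")   # 13 pairs -> WEP 104

WEP_KEY_RULES = [f"WLAN WEP Key {i}" for i in range(4)]
STATIC_IP_RULES = ["WLAN IP Address", "WLAN Subnet Mask", "WLAN Primary DNS",
                   "WLAN Secondary DNS", "WLAN Default Gateway"]


def wep_key_kind(value: str):
    """Return 'WEP 40', 'WEP 104', or None if the value is not in the
    xx:xx:... format the table requires."""
    if not WEP_KEY_RE.match(value):
        return None
    return "WEP 40" if value.count(":") == 4 else "WEP 104"


def lint_wlan_policy(policy: dict) -> list:
    """policy maps rule name -> value for the rules that are set.
    Returns a list of (severity, message) tuples; an empty list means clean."""
    findings = []
    security = policy.get("WLAN Link Security", "Open")   # table default
    dhcp = policy.get("WLAN DHCP Configuration", True)     # table default

    # WEP key values must be 5 or 13 colon-separated hex pairs.
    for rule in WEP_KEY_RULES:
        if rule in policy and wep_key_kind(policy[rule]) is None:
            findings.append(("error", f"{rule}: must be 5 or 13 colon-separated hex pairs"))

    # Each link security type needs its own credential rule.
    if security == "WEP":
        key_id = policy.get("WLAN Default Key ID", 1)      # table default
        selected = f"WLAN WEP Key {key_id - 1}"            # assumed mapping
        if selected not in policy:
            findings.append(("error", f"WLAN Link Security is WEP but {selected} is not set"))
        findings.append(("warning", "WEP is a static shared key; an EAP method gives per-user credentials"))
    elif security == "PSK" and not policy.get("WLAN Preshared Key"):
        findings.append(("error", "WLAN Link Security is PSK but WLAN Preshared Key is empty"))
    elif security in ("EAP-PEAP", "EAP-LEAP") and not policy.get("WLAN User Name"):
        findings.append(("warning", f"{security}: WLAN User Name not set; users must type it on the device"))
    elif security == "Open":
        findings.append(("warning", "WLAN Link Security is Open (the default): no link security"))

    # Static addressing rules must not be applied while DHCP is turned on.
    for rule in STATIC_IP_RULES:
        if rule not in policy:
            continue
        try:
            ip_address(policy[rule])
        except ValueError:
            findings.append(("error", f"{rule}: not a valid IP address"))
        if dhcp:
            findings.append(("warning", f"{rule} is set but WLAN DHCP Configuration is True; do not apply it"))
    return findings


if __name__ == "__main__":
    # Constructed sample policy showing two of the problems the table warns about.
    sample = {"WLAN Link Security": "WEP", "WLAN Default Key ID": 2,
              "WLAN WEP Key 0": "AB:CD:EF:01:23",
              "WLAN DHCP Configuration": True, "WLAN IP Address": "10.0.0.1"}
    for severity, message in lint_wlan_policy(sample):
        print(f"{severity}: {message}")
```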
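The three GAN threshold rules above (GAN WLAN Threshold, GAN Signal Strength Threshold, GAN Signal Quality Threshold) modelled as one rove/handover decision, with the RXLEV-to-dBm conversion from the table. This is an added example, not device firmware: the Wi-Fi quality labels, the defaults used when a rule is unset (the table only says the device or provider chooses one) and the function names are assumptions; the RXLEV and RXQUAL scales and the mode semantics are the table's.

```python
"""Rove/handover decision built from the three GAN threshold rules.

Added example, not device firmware: the Wi-Fi quality labels, the defaults
used when a rule is unset and the function names are assumptions; the RXLEV
and RXQUAL scales and the mode semantics are taken from the table."""

# Wi-Fi signal quality levels, weakest first (labels assumed).
WIFI_QUALITY = ["very low", "low", "medium", "high"]

# GAN WLAN Threshold value -> weakest Wi-Fi quality at which GAN is still used:
#   Low: GAN unless very low; Medium: GAN if medium or high; High: GAN only if high.
GAN_WLAN_FLOOR = {"Low": "low", "Medium": "medium", "High": "high"}

# Assumed provider defaults applied when the rule is not set.
DEFAULT_GAN_WLAN_THRESHOLD = "Medium"
DEFAULT_RXLEV_THRESHOLD = 20      # about -91 dBm
DEFAULT_RXQUAL_THRESHOLD = 5


def rxlev_to_dbm(rxlev: int) -> int:
    """RXLEV units from 3GPP 5.08 8.1.4: 0 -> -111 dBm, 63 -> -48 dBm."""
    if not 0 <= rxlev <= 63:
        raise ValueError("RXLEV must be in 0..63")
    return -111 + rxlev


def select_network(mode, wifi_quality, cell_rxlev, cell_rxqual, policy,
                   gan_available=True, acceptable_cell=True):
    """Return (network, reason) for the current radio conditions.

    mode: one of the GAN selection modes (GAN-Only, GAN-Preferred, WAN-Only,
    WAN-Preferred); wifi_quality: a WIFI_QUALITY label; cell_rxlev: serving
    cell RXLEV 0..63; cell_rxqual: RXQUAL 0..7, where 0 is the best quality
    and 7 the worst; policy: rule name -> value for the rules that are set."""
    if mode == "GAN-Only":
        return "GAN", "mode"
    if mode == "WAN-Only":
        return "WAN", "mode"

    if mode == "GAN-Preferred":
        if not gan_available:
            return "WAN", "no GAN cell"
        floor = GAN_WLAN_FLOOR[policy.get("GAN WLAN Threshold", DEFAULT_GAN_WLAN_THRESHOLD)]
        # Wi-Fi quality below the threshold: hand over to the WAN if an
        # acceptable cell exists, otherwise stay on GAN.
        if WIFI_QUALITY.index(wifi_quality) < WIFI_QUALITY.index(floor) and acceptable_cell:
            return "WAN", "Wi-Fi quality below GAN WLAN Threshold"
        return "GAN", "GAN preferred"

    if mode == "WAN-Preferred":
        rxlev_min = policy.get("GAN Signal Strength Threshold", DEFAULT_RXLEV_THRESHOLD)
        rxqual_max = policy.get("GAN Signal Quality Threshold", DEFAULT_RXQUAL_THRESHOLD)
        if gan_available and cell_rxlev < rxlev_min:
            return "GAN", (f"rove-in: serving cell {rxlev_to_dbm(cell_rxlev)} dBm "
                           f"below {rxlev_to_dbm(rxlev_min)} dBm")
        # Quality "dropping below the level" means the RXQUAL number rises past it.
        if gan_available and cell_rxqual > rxqual_max:
            return "GAN", "handover: RXQUAL worse than GAN Signal Quality Threshold"
        return "WAN", "WAN preferred"

    raise ValueError(f"unknown GAN selection mode: {mode}")


if __name__ == "__main__":
    # Constructed sample policy and radio conditions.
    rules = {"GAN WLAN Threshold": "Medium",
             "GAN Signal Strength Threshold": 10,
             "GAN Signal Quality Threshold": 4}
    print(select_network("GAN-Preferred", "low", 30, 0, rules))
    print(select_network("WAN-Preferred", "high", 5, 0, rules))
```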


WLAN configuration settings


Setting Description Default Minimum requirements Use
value
BlackBerry BlackBerry
Device Enterprise
Software Server
software
WLAN Allow Specify whether to allow users to change True 4.0.0 4.0.1 Set to False to permit users to change
Handheld all WLAN policy rules on the BlackBerry® (obsolete in only the user-specific WLAN rules on
Changes device. 4.1.3) the BlackBerry device.
WLAN Link Specifies the type of security required Open (0) 4.0.0 4.0.1 If you do not specify a security type,
Security for WLAN access (Open, WEP, PSK, EAP- Open is used.
PEAP, EAP-LEAP, EAP-TLS, EAP-FAST,
EAP-TTLS).
WLAN SSID Type the network name of the WLAN and 4.0.0 4.0.1 Do not use the default SSID.
its wireless access points. —
The SSID is case-sensitive.
WLAN Default Type the Default WEP Key ID. 1 4.0.0 4.0.1 The WEP Key ID must match the
Key ID desired WEP access point ID and the
corresponding WEP key.
WLAN WEP Type the password for WEP key 1 using 4.0.0 4.0.1 Allowable values are either 5 or 13
Key 0 the format xx:xx:xx:xx:xx. pairs of hexadecimal digits
(0 to 9 and A to F) separated by a
— colon.
For example, "AB:CD:EF:01:23" or
"AB:CD:EF:01:23:45:67:89:AB:CD:EF
:01:23" are acceptable values.
WLAN WEP Type the password for WEP key 2 using 4.0.0 4.0.1 Allowable values are either 5 or 13
Key 1 the format xx:xx:xx:xx:xx. pairs of hexadecimal digits
(0 to 9 and A to F) separated by a
— colon.
For example, "AB:CD:EF:01:23" or
"AB:CD:EF:01:23:45:67:89:AB:CD:EF
:01:23" are acceptable values.
WLAN WEP Type the password for WEP key 3 using 4.0.0 4.0.1 Allowable values are either 5 or 13
Key 2 the format xx:xx:xx:xx:xx. pairs of hexadecimal digits
(0 to 9 and A to F) separated by a
— colon.
For example, "AB:CD:EF:01:23" or
"AB:CD:EF:01:23:45:67:89:AB:CD:EF
:01:23" are acceptable values.

81
Wi-Fi Implementation Supplement

Setting Description Default Minimum requirements Use


value
BlackBerry BlackBerry
Device Enterprise
Software Server
software
WLAN WEP Type the password for WEP key 4 using 4.0.0 4.0.1 Allowable values are either 5 or 13
Key 3 the format xx:xx:xx:xx:xx. pairs of hexadecimal digits
(0 to 9 and A to F) separated by a
— colon.
For example, "AB:CD:EF:01:23" or
"AB:CD:EF:01:23:45:67:89:AB:CD:EF
:01:23" are acceptable values.
WLAN Type the PSK. 4.0.0 4.0.1 Type the PSK if you specified PSK as

Preshared Key the WLAN Link Security type.
WLAN User Type the user name for EAP-PEAP or 4.0.0 4.0.1 Set this value as a per-user IT policy
Name EAP-LEAP security access on the rule, or within an IT policy that
BlackBerry device. applies to only one user, unless you
want to set a default value for all
users.
If the user manually types a user
— name value on the BlackBerry device,
IT policy updates overwrite or delete
that value. To retain the
user-specified value on the
BlackBerry device, set the updated IT
policy to use the same value for this
IT policy rule.
WLAN User Specify the user password for EAP-PEAP 4.2.0 4.1.2 Set this value as a per-user IT policy
Password or EAP-LEAP security access on the rule, or within an IT policy that
BlackBerry device. applies to only one user, unless you
want to set a default value for all
users.
If the user manually types a User
— password value on the BlackBerry
device, IT policy updates overwrite or
delete that value. To retain the
user-specified value on the
BlackBerry device, set the updated
IT policy to use the same value for
this IT policy rule.
WLAN DHCP Specify whether DHCP is turned on for True 4.2.0 4.1.2 Turn on DHCP to simplify WLAN
Configuration dynamic network configuration. (turned configuration.
on)
WLAN IP Specify the IP address of the BlackBerry 4.2.0 4.1.2 Set this value only if you set the
Address device if DHCP is unavailable. WLAN DHCP Configuration policy

rule to False (made DHCP
unavailable).

82
13: IT policy rules and configuration settings

Setting Description Default Minimum requirements Use


value
BlackBerry BlackBerry
Device Enterprise
Software Server
software
WLAN Subnet Mask
  Description: Specify the subnet mask if DHCP is unavailable.
  Default value: none
  Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2
  Use: Set this value only if you set the WLAN DHCP Configuration value to False (made DHCP unavailable).

WLAN Primary DNS
  Description: Specify the IP address of the primary DNS server if DHCP is unavailable.
  Default value: none
  Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2
  Use: Set this value only if you set the WLAN DHCP Configuration value to False (made DHCP unavailable).

WLAN Secondary DNS
  Description: Specify the IP address of the secondary DNS server if DHCP is unavailable.
  Default value: none
  Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2
  Use: Set this value only if you set the WLAN DHCP Configuration value to False (made DHCP unavailable).

WLAN Default Gateway
  Description: Specify the IP address of the default gateway.
  Default value: none
  Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2
  Use: Set this value only if you set the WLAN DHCP Configuration value to False (made DHCP unavailable).

WLAN Minimal EAP-TLS Certificate Encryption Key Security Level
  Description: Specify the minimum security level for private keys used by EAP methods that employ client certificates (for example, EAP-TLS).
  Default value: 1 (obsolete in 4.1.4)
  Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
  Use: If you do not set this rule, the default value of 1 (low security) is used. The levels are as follows:
    Low security: The BlackBerry device prompts the user only once for the key store password to retrieve the private key, and then stores the unencrypted private key with the WLAN profile. At this level the private key is at rest on the device in the clear.
    Medium security: The BlackBerry device prompts the user once for the key store password to retrieve the private key, and subsequently only after a device reset. The BlackBerry device caches the private key in memory but does not store it with the WLAN profile.
    High security: The BlackBerry device prompts the user for the key store password every time it accesses the private key. The BlackBerry device does not store the unencrypted private key with the WLAN profile.

WLAN Enable Authentication Page
  Description: Specify whether the WLAN Login browser is available on the BlackBerry® 7270 smartphone.
  Default value: False (obsolete in 4.1.4)
  Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
  Use: Set to True to permit users to log in to an organization's captive portal using the BlackBerry device.

WLAN Hard Token Required
  Description: Specify whether a hard token is required for authentication.
  Default value: False
  Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3
  Use: Set to True if a hard token (for example, RSA SecurID®) is required as part of the password for authentication.

WLAN Token Serial Number
  Description: If a software token is required as part of the password for authentication, specify the serial number of the software token provisioned to the BlackBerry device.
  Default value: none
  Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3

WLAN Profile Visibility
  Description: Specify whether the user can view the settings of this WLAN profile.
  Default value: 0
  Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3
  Use: The options are as follows:
    Full visibility (0): The user can view all settings in this profile.
    Restricted visibility (1): The user can view only the profile name.
    Credentials visibility (2): The user can view only the profile name and user credentials.

WLAN Profile Editability
  Description: Specify whether the user can change the settings of this WLAN profile.
  Default value: 0
  Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3
  Use: The options are as follows:
    Full editability (0): The user can change all settings in this profile.
    No editability (1): The user cannot change any settings in the profile.
    Credentials editability (2): The user can change only the user credentials.

WLAN Allow Password Save
  Description: Specify whether the user can save WLAN passwords on the BlackBerry device.
  Default value: True
  Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3
  Use: The default value permits users to save WLAN passwords on the BlackBerry device.

WLAN Roaming Threshold
  Description: The roaming threshold determines how often the Wi-Fi® transceiver scans for neighboring wireless access points and roams to one of them if its signal quality is better than that of the current access point.
  Default value: 0
  Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3
  Use: The values are as follows:
    Auto (0): The device selects roaming thresholds automatically.
    Low (1): The device roams only when signal quality is very low.
    Medium (2): The device roams when the signal quality is medium to low.
    High (3): The device roams aggressively to access points with better signal strength.

WLAN Server Subject
  Description: Type the contents of the Subject field of the server's certificate.
  Default value: none
  Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3
  Use: If you do not identify the server certificate (by this rule or by WLAN Server SAN), any valid server certificate is accepted: the BlackBerry device then cannot distinguish the organization's authentication server from any other server that holds a certificate issued by a trusted CA. Set this rule to the exact Subject value of the server certificate.

WLAN Server SAN
  Description: Type the contents of the SubjectAltName (SAN) field of the server certificate.
  Default value: none
  Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3
  Use: If you do not identify the server certificate (by this rule or by WLAN Server Subject), any valid server certificate is accepted, including one issued by a trusted CA to a server that is not the organization's authentication server.

WLAN Inner Authentication Mode
  Description: Specify the authentication mode used inside the tunnel for tunneled EAP methods.
  Default value: 0
  Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3
  Use: The options are as follows:
    • None (0)
    • EAP-MS-CHAPv2 (1)
    • EAP-GTC (2)
    • PAP (3)
    • CHAP (4)
    • MS-CHAP (5)
    • MS-CHAPv2 (6)
    • EAP-MD5 (7)

WLAN Protected Access Credential Key
  Description: Specify the PAC key used for EAP-FAST.
  Default value: none
  Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.4

WLAN Domain Suffix
  Description: Specify the internal domain name suffix in FQDN format.
  Default value: none
  Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3
  Use: Set this value only if you set the WLAN DHCP Configuration value to False (made DHCP unavailable).

WLAN Allow AP to AP Handover
  Description: Specify whether WLAN handovers between access points are permitted for this profile.
  Default value: True
  Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3
  Use: The default value permits handovers between access points in an enterprise Wi-Fi network. Set to False to disallow access point handovers.

WLAN Band Type
  Description: Specify the band type or types that the wireless access points of a particular SSID are configured to operate on.
  Default value: 0 (IEEE® 802.11a™/IEEE® 802.11b™/IEEE® 802.11g™)
  Minimum requirements: BlackBerry Device Software 4.2.2; BlackBerry Enterprise Server software 4.1.4
  Use: The options are as follows:
    • IEEE 802.11a/IEEE 802.11b/IEEE 802.11g
    • IEEE 802.11b/IEEE 802.11g
    • IEEE 802.11a
    • IEEE 802.11b

Associated VoIP Configuration
  Description: This is a hidden property that the BlackBerry® 7270 smartphone uses. The property contains the name of the associated VoIP configuration profile.
  Default value: none
  Minimum requirements: BlackBerry Device Software none listed; BlackBerry Enterprise Server software 4.1.2

Associated VPN Configuration
  Description: This is a hidden property that contains the name of the associated VPN configuration profile.
  Default value: none
  Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2

VPN IT policy group


For each rule, the entry below lists its description, its default value, the minimum BlackBerry Device Software and BlackBerry Enterprise Server software versions that support it, and notes on its use.
Enable VPN
  Description: Specify whether the VPN client on the BlackBerry® device is turned on.
  Default value: False (obsolete in 4.1.3)
  Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
  Use: Set to True if the BlackBerry device requires the use of a VPN server to access a WLAN. Set to False to turn off the VPN client on the BlackBerry device. If you turn off the VPN client, the BlackBerry device might not be able to use a WLAN that requires VPN access, or it might require the use of an alternative form of access control.

VPN Allow Handheld Changes
  Description: Specify whether users can change all VPN policy rules on the BlackBerry device.
  Default value: True (obsolete in 4.1.3)
  Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
  Use: If this rule is set to False, BlackBerry device users can still change their VPN user name and VPN password on the BlackBerry device.

VPN Vendor Type
  Description: Specify the type of VPN client that the BlackBerry device VPN client emulates.
  Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
  Use: If you select a VPN client, verify that the Enable VPN value is set to True.

VPN Gateway Address
  Description: Type the IP address or the FQDN of the VPN server.
  Default value: none
  Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1

VPN Group Name
  Description: Type the VPN server group name.
  Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
  Use: Specify the group name only if the VPN client type requires it.

VPN Group Password
  Description: Type the VPN server group password.
  Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
  Use: Specify the group password only if the VPN client type requires it.

VPN User Name
  Description: Type the default user name that the BlackBerry device uses to log in to the VPN server.
  Default value: none
  Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
  Use: If you specify a user name, you must set the Enable VPN rule to True. Set this value as a per-user IT policy rule, or within an IT policy that applies to only one user, unless you want to set a default value for all users. If the user manually types a user name on the BlackBerry device, IT policy updates overwrite or delete that value. To retain the user-specified value on the BlackBerry device, set the updated IT policy to use the same value as you specify for this setting.

VPN User Password
  Description: Type the default user password that the BlackBerry device uses to log in to the VPN server.
  Default value: none
  Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
  Use: If you set this rule, you must set the Enable VPN rule to True. Set this value as a per-user IT policy rule, or within an IT policy that applies to only one user, unless you want to set a default value for all users. If the user manually types a user password on the BlackBerry device, IT policy updates overwrite or delete that value. To retain the user-specified value on the BlackBerry device, set the updated IT policy to use the same value as you specify for this setting.

VPN DNS Configuration
  Description: Specify the VPN DNS configuration.
  Default value: True
  Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
  Use: If you set this rule, you must set the Enable VPN rule to True. If this value is set to True, the DNS settings are retrieved automatically from the VPN gateway. If this value is set to False, the static settings specified in the VPN Primary DNS, VPN Secondary DNS, and VPN Domain Name policy rules are used.

VPN Primary DNS
  Description: Type the static IP address of the primary DNS server.
  Default value: none
  Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
  Use: If you set this rule, set the VPN DNS Configuration policy rule to False, and set the Enable VPN rule to True.

VPN Secondary DNS
  Description: Type the static IP address of the secondary DNS server.
  Default value: none
  Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
  Use: If you set this rule, set the VPN DNS Configuration policy rule to False, and set the Enable VPN rule to True.

VPN Domain Name
  Description: Specify the internal domain name suffix in FQDN format.
  Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
  Use: If you set this rule, set the VPN DNS Configuration value to False, and set the Enable VPN rule to True. This setting is used only when the VPN DNS Configuration rule is set to False.

Use VPN Xauth
  Description: Specify whether the VPN client uses IKE extended authentication (Xauth) to authenticate the user to the VPN gateway, in addition to the IKE authentication of the gateway itself. The form of user authentication is selected by the VPN Xauth Type rule.
  Default value: False
  Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
  Use: If you set this rule, you must set the Enable VPN rule to True.

VPN Xauth Type
  Description: Specify the type of user-level authentication that the VPN server uses.
  Default value: 0
  Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
  Use: If you set this rule, you must set the Enable VPN rule to True. If you do not set an authentication type, the value 0 (user name and password required) is used.

VPN IKE DH Group
  Description: Specify the Diffie-Hellman group used to generate the IKE key material.
  Default value: 7
  Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
  Use: Use Group 7 (elliptic curve cryptography). If you set this rule, you must set the Enable VPN rule to True.

VPN IKE Cipher
  Description: Specify the encryption algorithm that the BlackBerry device uses to protect the IKE exchanges.
  Default value: 0
  Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
  Use: Set this rule explicitly to AES-128. If you do not specify an encryption type, the value 0 (DES) is used.

VPN IKE Hash
  Description: Specify the hash algorithm used for the IKE message authentication code.
  Default value: 0
  Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
  Use: Set this rule explicitly to SHA-1. If you do not set a value, the value 0 (MD5, 128-bit) is used.

VPN PFS
  Description: Specify whether Perfect Forward Secrecy is turned on.
  Default value: True
  Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
  Use: Leave this value set to True.

VPN IPSEC Cipher and Hash
  Description: Specify the encryption algorithm and hash for the IPSec Security Associations.
  Default value: 3
  Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
  Use: Use SHA-1 with the AES-128 cipher.

VPN Allow Password Save
  Description: Specify whether the user can save the VPN password on the BlackBerry device.
  Default value: True
  Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
  Use: If you set this value to False (password not saved), the user must type a password each time the BlackBerry device connects to the VPN concentrator.

VPN NAT Keep Alive
  Description: Type the NAT keep-alive frequency.
  Default value: 1
  Minimum requirements: BlackBerry Device Software 4.0.0; BlackBerry Enterprise Server software 4.0.1
  Use: Specify the interval in minutes at which the BlackBerry device sends a keep-alive packet to maintain the connection to the VPN concentrator. The range is 1 to 1439 minutes.

VPN Password Hidden on Input
  Description: Specify whether the VPN password is masked as the user types it.
  Default value: False
  Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3
  Use: Set to True to mask the VPN password as the user types it.

VPN Disable Prompt for Credentials Re-Entry
  Description: Specify whether to turn off the prompt for the user to re-enter VPN credentials after authentication is unsuccessful.
  Default value: False
  Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3
  Use: Set to True if you do not want to prompt the user to re-enter VPN credentials after authentication is unsuccessful.

Disable VPN User Profiles
  Description: Specify whether the user can create new VPN profiles on the BlackBerry device.
  Default value: False
  Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3
  Use: Set to True to prevent the user from creating new VPN profiles on the BlackBerry device.

VPN Minimal Certificate Encryption Key Security Level
  Description: Specify the minimum security level for private keys used by methods that require client certificates.
  Default value: 1 (low security)
  Minimum requirements: BlackBerry Device Software 4.2.2; BlackBerry Enterprise Server software 4.1.4
  Use: The options are as follows:
    Low security (1): The user is prompted only once for the key store password. The private key is then retrieved and stored, unencrypted, with the VPN profile, and the user is never again prompted for the key store password. At this level the private key is at rest on the device in the clear.
    High security (2): The user is always prompted for the key store password when access to the private key is required. This might happen frequently, even if the user has recently typed the password. Private keys are not stored with the VPN profile.
    Medium security (3): The user is initially prompted for the key store password and, from that point forward, is prompted again only after a device reset. Private keys are cached in memory but are not stored with the VPN profile.

VPN configuration settings

For each setting, the entry below lists its description, its default value, the minimum BlackBerry Device Software and BlackBerry Enterprise Server software versions that support it, and notes on its use.
Enable VPN
  Description: Specify whether the VPN client on the BlackBerry® device is turned on.
  Default value: False (the VPN client on the BlackBerry device is turned off); obsolete in 4.1.3
  Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2
  Use: Set this rule to True if the BlackBerry device requires the use of a VPN server to access a WLAN. If you turn off the VPN client on the BlackBerry device, the BlackBerry device might not be able to use a WLAN that requires VPN access, or it might require the use of an alternative form of access control.

VPN Allow Handheld Changes
  Description: Specify whether users can change all VPN policy rules on the BlackBerry device.
  Default value: True (obsolete in 4.1.3)
  Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2
  Use: The default setting allows the BlackBerry device user to configure VPN settings for remote troubleshooting purposes.

VPN Vendor Type
  Description: Specify the type of VPN client that the BlackBerry device VPN client emulates.
  Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2
  Use: If you select a VPN client, verify that the Enable VPN value is set to True.

VPN Gateway Address
  Description: Type the IP address or the FQDN of the VPN server.
  Default value: none
  Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2

VPN Group Name
  Description: Type the VPN server group name.
  Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2
  Use: Specify this value only if the VPN client type requires it.

VPN Group Password
  Description: Type the VPN server group password.
  Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2
  Use: Specify this value only if the VPN client type requires it.

VPN User Name
  Description: Type the default user name that the BlackBerry device uses to log in to the VPN server.
  Default value: none
  Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2
  Use: If you specify this value, you must set the Enable VPN rule to True. Set this value as a per-user IT policy rule, or within an IT policy that applies to only one user, unless you want to set a default value for all users. If the user manually types a user name on the BlackBerry device, IT policy updates overwrite or delete that value. To retain the user-specified value on the BlackBerry device, set the updated IT policy to use the same value as you specify for this setting.

VPN User Password
  Description: Type the default user password that the BlackBerry device uses to log in to the VPN server.
  Default value: none
  Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2
  Use: If you set this value, you must set the Enable VPN rule to True. Set this value as a per-user IT policy rule, or within an IT policy that applies to only one user, unless you want to set a default value for all users. If the user manually types a user password on the BlackBerry device, IT policy updates overwrite or delete that value. To retain the user-specified value on the BlackBerry device, set the updated IT policy to use the same value as you specify for this setting.

VPN DNS Configuration
  Description: Specify the VPN DNS configuration.
  Default value: True
  Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2
  Use: If you set this rule, you must set the Enable VPN rule to True. If this value is set to True, the DNS settings are retrieved automatically from the VPN gateway. If this value is set to False, the static settings specified in the VPN Primary DNS, VPN Secondary DNS, and VPN Domain Name settings are used.

VPN Primary DNS
  Description: Type the static IP address of the primary DNS server.
  Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2
  Use: If you specify this value, set the VPN DNS Configuration value to False, and set the Enable VPN rule to True. This setting is used only when VPN DNS Configuration is set to False.

VPN Secondary DNS
  Description: Type the static IP address of the secondary DNS server.
  Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2
  Use: If you specify this value, set the VPN DNS Configuration value to False, and set the Enable VPN rule to True. This setting is used only when VPN DNS Configuration is set to False.

VPN Domain Name
  Description: Specify the internal domain name suffix in FQDN format.
  Default value: none
  Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2
  Use: If you set this rule, set the VPN DNS Configuration value to False, and set the Enable VPN rule to True. This setting is used only when the VPN DNS Configuration rule is set to False.

Use VPN Xauth
  Description: Specify whether the VPN client uses IKE extended authentication (Xauth) to authenticate the user to the VPN gateway, in addition to the IKE authentication of the gateway itself.
  Default value: False
  Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2
  Use: Enable this setting to identify the user who requests the VPN (IPSec) connection. If you set this value to True, you must set the Enable VPN rule to True.

VPN Xauth Type
  Description: Specify the type of user-level authentication that the VPN server uses.
  Default value: 0
  Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2
  Use: If you do not set an authentication type, the value 0 (user name and password required) is used. You must also set the Enable VPN rule to True.

VPN IKE DH Group
  Description: Specify the Diffie-Hellman group used to generate the IKE key material.
  Default value: 7
  Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2
  Use: Use Group 7 (elliptic curve cryptography). If you do not set a value, the value 7 (elliptic curve cryptography) is used. You must also set the Enable VPN rule to True.

VPN IKE Cipher
  Description: Specify the encryption algorithm that the BlackBerry device uses to protect the IKE exchanges.
  Default value: 0
  Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2
  Use: Set this rule explicitly to AES-128. If you do not specify an encryption type, the value 0 (DES) is used.

VPN IKE Hash
  Description: Specify the hash algorithm used for the IKE message authentication code.
  Default value: 0
  Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2
  Use: Set this rule explicitly to SHA-1 (160-bit). If you do not set a value, the value 0 (MD5, 128-bit) is used.

VPN PFS
  Description: Specify whether Perfect Forward Secrecy is turned on.
  Default value: True
  Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2
  Use: Leave this value set to True.

VPN IPSEC Cipher and Hash
  Description: Specify the encryption algorithm and hash for the IPSec Security Associations.
  Default value: 3
  Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2
  Use: Use SHA-1 with the AES-128 cipher.

VPN Allow Password Save
  Description: Specify whether the user can save the VPN password on the BlackBerry device.
  Default value: True
  Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2

VPN NAT Keep Alive
  Description: Type the NAT keep-alive frequency.
  Default value: 1
  Minimum requirements: BlackBerry Device Software 4.2.0; BlackBerry Enterprise Server software 4.1.2
  Use: Specify the interval in minutes at which the BlackBerry device sends a keep-alive packet to maintain the connection to the VPN concentrator. The range is 1 to 1439 minutes.

VPN Hard Token Required
  Description: Specify whether a hard token is required for authentication.
  Default value: False
  Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3
  Use: Set to True if a hard token (for example, RSA SecurID®) is required as part of the password for authentication.

VPN Token Serial Number
  Description: If a software token is required as part of the password for authentication, specify the serial number of the software token provisioned to the BlackBerry device.
  Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3

VPN Minimal Certificate Encryption Key Security Level
  Description: Specify the minimum security level for private keys used by methods that require client certificates.
  Default value: 1 (obsolete in 4.1.4)
  Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3
  Use: If you do not set this rule, the default value of 1 (low security) is used. The options are as follows:
    Low security (1): The user is prompted only once for the key store password. The private key is then retrieved and stored, unencrypted, with the VPN profile, and the user is never again prompted for the key store password. At this level the private key is at rest on the device in the clear.
    High security (2): The user is always prompted for the key store password when access to the private key is required. This might happen frequently, even if the user has recently typed the password. Private keys are not stored with the VPN profile.
    Medium security (3): The user is initially prompted for the key store password and, from that point forward, is prompted again only after a device reset. Private keys are cached in memory but are not stored with the VPN profile.

VPN Profile Visibility
  Description: Specify whether the user can view the settings of this VPN profile.
  Default value: 0
  Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3
  Use: The options are as follows:
    Full visibility (0): The user can view all settings in this profile.
    Restricted visibility (1): The user can view only the profile name.
    Credentials visibility (2): The user can view only the profile name and user credentials.

VPN Profile Editability
  Description: Specify whether the user can change the settings of this VPN profile.
  Default value: 0
  Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3
  Use: The options are as follows:
    Full editability (0): The user can change all settings in this profile.
    No editability (1): The user cannot change any settings in the profile.
    Credentials editability (2): The user can change only the user credentials.

VPN IP Address
  Description: Type the IP address of the VPN.
  Default value: 0
  Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3
  Use: If you set this rule, set the VPN DNS Configuration policy rule to False and set the Enable VPN rule to True.

VPN Subnet Mask
  Description: Type the subnet mask of the VPN.
  Default value: none
  Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3
  Use: If you set this rule, set the VPN DNS Configuration policy rule to False and set the Enable VPN rule to True.

Suppress VPN Banner
  Description: Specify whether the VPN banner displays on the BlackBerry device.
  Default value: True
  Minimum requirements: BlackBerry Device Software 4.2.1; BlackBerry Enterprise Server software 4.1.3
  Use: The default value suppresses the VPN banner. Set to False to display the VPN banner after the BlackBerry device connects to the VPN.
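The dependencies and defaults spread across the WLAN and VPN tables above (WLAN Server Subject and WLAN Server SAN both left blank, a certificate key security level of 1, VPN IKE Cipher and VPN IKE Hash left at their DES and MD5 defaults, VPN PFS, the static DNS and DHCP rules, and the rules whose Use column requires Enable VPN) are easy to check mechanically before a policy is pushed. The following Python is an added example and is not RIM's code or part of this supplement: it audits a policy modelled as a dict of rule name to value, which is an assumed layout, since the supplement documents no export format, and the two sample policies are constructed for illustration.

```python
"""Audit an exported BlackBerry IT policy against the rule dependencies and weak
defaults documented in this chapter's WLAN and VPN tables.
Added example, not RIM's code. The policy is modelled as a dict of rule name -> value
using the rule names from the tables; the dict layout, the (severity, rule, message)
findings and the sample policies below are assumptions constructed for illustration.
"""

DES_IKE_CIPHER = 0    # VPN IKE Cipher: 0 (DES) is used when the rule is unset; use AES-128
MD5_IKE_HASH = 0      # VPN IKE Hash: 0 (MD5) is used when the rule is unset; use SHA-1
LOW_KEY_SECURITY = 1  # ...Key Security Level: 1 stores the private key unencrypted
KEY_SECURITY_RULES = ("WLAN Minimal EAP-TLS Certificate Encryption Key Security Level",
                      "VPN Minimal Certificate Encryption Key Security Level")
# Static values only used when WLAN DHCP Configuration / VPN DNS Configuration is False.
STATIC_WLAN_RULES = ("WLAN IP Address", "WLAN Subnet Mask", "WLAN Primary DNS", "WLAN Default Gateway")
STATIC_VPN_DNS_RULES = ("VPN Primary DNS", "VPN Domain Name")
# Rules whose Use column says Enable VPN must be True when they are set.
NEEDS_ENABLE_VPN = ("VPN Vendor Type", "VPN User Name", "VPN User Password",
                    "VPN DNS Configuration", "VPN Xauth Type", "VPN IKE DH Group")

def is_set(policy, rule):
    """A rule counts as set when it has a non-empty value (absent = the tables' 'none')."""
    value = policy.get(rule)
    return value is not None and value != ""

def audit_policy(policy):
    """Return a list of (severity, rule, message) tuples for every problem found."""
    findings = []
    # With neither Subject nor SAN pinned, any server certificate that validates is
    # accepted, so a rogue access point with a certificate from any trusted CA passes.
    if not is_set(policy, "WLAN Server Subject") and not is_set(policy, "WLAN Server SAN"):
        findings.append(("HIGH", "WLAN Server Subject/SAN",
                         "neither is set; any valid server certificate is accepted"))
    # An unset key security rule defaults to 1 (low): key stored unencrypted with the profile.
    for rule in KEY_SECURITY_RULES:
        if policy.get(rule, LOW_KEY_SECURITY) == LOW_KEY_SECURITY:
            findings.append(("MEDIUM", rule, "level 1 (low): private key stored unencrypted"))
    vpn_enabled = policy.get("Enable VPN") is True
    for rule in NEEDS_ENABLE_VPN:
        if is_set(policy, rule) and not vpn_enabled:
            findings.append(("LOW", rule, "set but Enable VPN is not True"))
    if vpn_enabled:
        # IKE algorithm rules left unset fall back to DES and MD5.
        if policy.get("VPN IKE Cipher", DES_IKE_CIPHER) == DES_IKE_CIPHER:
            findings.append(("HIGH", "VPN IKE Cipher", "0 (DES) in effect; use AES-128"))
        if policy.get("VPN IKE Hash", MD5_IKE_HASH) == MD5_IKE_HASH:
            findings.append(("HIGH", "VPN IKE Hash", "0 (MD5) in effect; use SHA-1"))
        if policy.get("VPN PFS", True) is False:
            findings.append(("MEDIUM", "VPN PFS", "Perfect Forward Secrecy is turned off"))
        if not 1 <= policy.get("VPN NAT Keep Alive", 1) <= 1439:
            findings.append(("LOW", "VPN NAT Keep Alive", "outside the range of 1 to 1439 minutes"))
        if policy.get("VPN DNS Configuration", True) is False:
            for rule in STATIC_VPN_DNS_RULES:
                if not is_set(policy, rule):
                    findings.append(("LOW", rule, "VPN DNS Configuration is False but value unset"))
    if policy.get("WLAN DHCP Configuration", True) is False:
        for rule in STATIC_WLAN_RULES:
            if not is_set(policy, rule):
                findings.append(("LOW", rule, "WLAN DHCP Configuration is False but value unset"))
    return findings

# Constructed sample policies (assumed values, not from any real BES export).
WEAK_POLICY = {
    "Enable VPN": True,
    "VPN User Name": "jdoe",
    "VPN PFS": False,
    "VPN NAT Keep Alive": 2000,
    "VPN DNS Configuration": False,
    "VPN Primary DNS": "10.0.0.53",
    "WLAN DHCP Configuration": False,
    "WLAN IP Address": "10.0.1.20",
}
HARDENED_POLICY = {
    "Enable VPN": True,
    "VPN User Name": "jdoe",
    "WLAN Server SAN": "radius.example.com",
    # 2 = high in the VPN rule's numbering; the chapter states only that 1 is low.
    "WLAN Minimal EAP-TLS Certificate Encryption Key Security Level": 2,
    "VPN Minimal Certificate Encryption Key Security Level": 2,
    # Non-zero values: the chapter documents only that 0 selects DES and MD5; the
    # codes for AES-128 and SHA-1 come from the BES console (assumed here).
    "VPN IKE Cipher": 1,
    "VPN IKE Hash": 1,
    "VPN PFS": True,
    "VPN NAT Keep Alive": 5,
}

if __name__ == "__main__":
    for severity, rule, message in audit_policy(WEAK_POLICY):
        print(f"{severity:6} {rule}: {message}")
```

Run it against each policy before it is assigned to users; the HIGH findings are the ones that change what a device will accept from the network (server identity, IKE protection), the MEDIUM ones what is left at rest on the device. Add rules to the tuples at the top as later BlackBerry Enterprise Server releases introduce them.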

Glossary
3GPP
Third Generation Partnership Project
802.11a
IEEE® 802.11a™ is a standard for a wireless network that operates at 5 GHz, with transmission speeds of up to
54 Mbps.
802.11b
IEEE® 802.11b™ is a standard for a wireless network that operates at 2.4 GHz, with transmission speeds of up
to 11 Mbps.
802.11g
IEEE® 802.11g™ is a standard for a wireless network that operates at 2.4 GHz, with transmission speeds of up to
54 Mbps.
802.11i
IEEE® 802.11i™ is a standard that adds security enhancements to the IEEE® 802.11a™, IEEE® 802.11b™, and
IEEE® 802.11g™ standards: IEEE 802.1X-based authentication, a key handshake that derives the session keys, and the
AES-CCMP and TKIP encryption protocols. WPA2 is the Wi-Fi Alliance certification for IEEE 802.11i. (Quality of Service
and multimedia support are added by IEEE 802.11e, not by IEEE 802.11i.)
ACL
An access control list (ACL) specifies the permissions for users or groups associated with an object, such as a
service, file, or folder. An ACL that lists only the entities permitted access is sometimes referred to as a whitelist.
AES
Advanced Encryption Standard
AES-CCMP
AES-Counter Mode CBC-MAC Protocol
ARFCN
absolute radio frequency channel number
CBC
cipher block chaining
DES
Data Encryption Standard

DHCP
Dynamic Host Configuration Protocol
DMZ
The demilitarized zone (DMZ) is a neutral subnetwork between the organization’s trusted LAN and the
untrusted external mobile network and public Internet.
DNS
Domain Name System
EAP
Extensible Authentication Protocol
EAP-FAST
Extensible Authentication Protocol Flexible Authentication via Secure Tunneling
EAP-GTC
Extensible Authentication Protocol Generic Token Card
EAP-TLS
Extensible Authentication Protocol Transport Layer Security
EAP-TTLS
Extensible Authentication Protocol Tunneled Transport Layer Security
FQDN
fully qualified domain name
GAN
Generic Access Network
GANC
GAN controller
GSM
Global System for Mobile communications
handover
A handover refers to moving from a mobile network to a Wi-Fi® network, or from a Wi-Fi network to a mobile
network while messages are transferring to or from a BlackBerry® device.
HTTP
Hypertext Transfer Protocol


IBM DB2 UDB
IBM® DB2 Universal Database™
IEEE
Institute of Electrical and Electronics Engineers
IKE
Internet Key Exchange
IP
Internet Protocol
IPSec
IP Security
ISP
Internet service provider
LAN
local area network
LEAP
Lightweight Extensible Authentication Protocol
MAC
message authentication code
MCC
mobile country code
MD5
Message-Digest Algorithm, version 5
MNC
mobile network code
MS-CHAP
Microsoft Challenge Handshake Authentication Protocol
MX record
mail exchange record

NAT
network address translation


PAC
Protected Access Credential
PEAP
Protected Extensible Authentication Protocol
PFS
Perfect Forward Secrecy
PIN
personal identification number
PKI
Public Key Infrastructure
PMK
pairwise master key
PSK
preshared key
RADIUS
Remote Authentication Dial In User Service
RFC
Request for Comments

RXLEV
Received Signal Level
SEGW
mobile network provider’s security gateway
SAN
subject alternative name (the SubjectAltName field of an X.509 certificate; see the WLAN Server SAN rule)
SRP
Server Routing Protocol
SSID
The service set identifier (SSID) is the name of a Wi-Fi® network.
SSL
Secure Sockets Layer


TKIP
Temporal Key Integrity Protocol
TLS
Transport Layer Security
TTLS
Tunneled Transport Layer Security
UID
unique identifier
UMA
Unlicensed Mobile Access
UNC
UMA controller
VPN
virtual private network
WEP
Wired Equivalent Privacy
WLAN
wireless local area network
WPA
Wi-Fi Protected Access™

©2008 Research In Motion Limited
Published in Canada.
