- BlackBerry 10 OS
- BlackBerry Device Service
- JI 196541
- JI 197209
- JI 203654
- JI 443624
After a proxy profile which utilizes a Proxy Auto-Configuration (PAC) file is applied to the BlackBerry Device Service instance, all requests which should use the PAC to determine routing are instead routed direct (no proxy), leading to one of the following scenarios when requesting resources that reside outside the company network.
Scenario 1 - No DIRECT route to external resources
When no DIRECT route to access external resources exists, the request will fail.
These failures will take different forms depending on the application used or the resource requested. For example, opening the Browser in the Work perimeter and attempting to browse to a web site outside the company domain, such as http://www.blackberry.com, displays the following result:
Unknown Network Error
Server returned nothing (no headers, no data)
Scenario 2 - DIRECT route exists to access external resources
When a DIRECT route to access external resources exists, requests will succeed, but will bypass the proxy servers specified in the PAC file. As a result, there will be few to no symptoms on the BlackBerry device, but any security, logging, or routing functions handled by the proxy server will not be performed.
When the BlackBerry 10 smartphone receives a proxy profile which utilizes a PAC, the PAC is downloaded and stored locally on the BlackBerry 10 smartphone. The PAC is then parsed locally prior to a request being sent to the BlackBerry Device Service MDS Connection Service for processing.
While BlackBerry 10 smartphones support many common functions utilized in PAC files, certain functions are not supported when the proxy profile is assigned at the BlackBerry Device Service instance level. The functions include, but may not be limited to, the following:
When a PAC containing a non-supported function is parsed by the BlackBerry 10 smartphone, the PAC lookup fails, defaulting to the DIRECT (no proxy) routing option.
Connections over an Enterprise Wi-Fi profile or utilizing a VPN profile utilize PAC profiles differently, such that a proxy profile assigned to one of these connection types may be able to use a PAC file containing functions which would fail to parse correctly when assigned to the BlackBerry Device Service instance.
Two options exist to work around this issue.
Remove the unsupported function call from the PAC file specified in the proxy profile.
Manually specify a specific proxy server to be used instead of utilizing a PAC to decide routing on a per-host basis.
Note: This may restrict access to resources within the company network if the proxy specified does not allow internal requests. Confirm the settings on the proxy server prior to implementing this workaround.
The BlackBerry Device Service Administration Guide found at http://docs.blackberry.com/ contains more information regarding the configuration of proxy profiles, under the "Managing proxy profiles" heading.
Differences between the BlackBerry Device Service and BlackBerry Enterprise Server
The behavior described above differs from the data flow used by BlackBerry Enterprise Server, where requests from the connected BlackBerry smartphones are passed to the MDS Connection Service on the BlackBerry Enterprise Server, and the MDS Connection Service is responsible for parsing the PAC file to route the request correctly. In this scenario, myIpAddress() would return the IP address of the server hosting the MDS Connection Service, which can be correctly used by the PAC file.
As a result, a PAC which functions as expected for a BlackBerry Enterprise Server proxy configuration may not work properly for a BlackBerry Device Service instance.
This article contains information previously documented in KB33676 and KB33446.
By downloading, accessing or otherwise using the Knowledge Base documents you agree:
(b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.
Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.