How to get IMAPS configured on your EBS network (as in BlackBerry Storm)

Okay, I got a phone call that the owner’s son at a customer site has picked up a BlackBerry Storm and is traveling across the country tomorrow and needs it configured.  How do you do it?  Like this:

All you need to do to get IMAPS (TCP Port 993) to work for external clients is create a TMG rule.  You’ll want to use IMAPS only, not IMAP, so you’ll keep your email and credentials secure.  Once you create the following rule in TMG, you can go to your cellular provider’s BIS site ( for example) and drop your email address and password in.  You’ll be setup in no time. By the way, the reason we’re not using the OWA interface for this is that RIM has not figured out how to get around the way TMG handles the OWA page.  RIM’s support doc ID: KB04804 states that they can’t get through because of the CookieAuth.dll it puts in the Web address.

Example steps to create a new TMG Publishing Rule:
1. Create new “Non-Web Server Protocol Publishing Rule.”
2. Name it something similar to : Allow incoming email by publishing IMAPS Mail Server – “Your name here.”
    As a side note, it is always good to sign your rules in TMG so you can track what is default and who created what.
3. Input your MSG Server IP address (or browse to it in the interface and it will put the IP in for you).
4. Under Selected Protocol choose IMAPS Server from the drop down menu.
5. Listen from External.
6. Select Finish.
For placement in the ISA, I mean Forefront Threat Management Gateway, Firewall Policy list, I placed right below the default “Allow incoming email
by publishing SMTP Mail Server” rule.
7. Select Apply and you’ll be ready to go with your IMAPS external clients.

Hope this helps save someone else the hours I spent figuring it out (don’t publish to the SEC server for example).  😉

2 thoughts on “How to get IMAPS configured on your EBS network (as in BlackBerry Storm)

  1. Awesome post.
    how can I find out if my rule is actually applied?
    My Nextel BB cannot connect. I used a site mxlookup and did a port scan on my and does not see port 993 open. I see 80 442 25 3389 open

  2. Hi Sam,

    Try restarting the Microsoft Firewall Service to ensure the rule gets applied. If you are doing this via remote access, be sure to use the following from an elevated command shell: net stop fwsrv && net start fwsrv
    If you attempt to restart it from the Management Console using the GUI, it will shut it off, but needs to be turned back on from the console (not a good deal if you are remote).

    From the Forefront TMG Management Console, select “Monitoring” in the left column, then select “Logging” (farthest right tab). From there you can start a new query and set your filters as needed. Alternative methods of checking are to use telnet to access the WAN connection of the Security Server (telnet 993) from an external connection and see what you get (should answer without any text). Or use an IMAPS client on a PC (versus the BlackBerry).

Leave a Reply

Your email address will not be published. Required fields are marked *