I'm still fighting with mine, but I think it's because my Blackberry is going straight to the net, not via MDS.
A couple of things to keep in mind:
You'll need to use a different surrogate for stuff coming from the BES server. Otherwise the WSA will map the IP to the first user that logs in.
Create an identity based on the IP it's coming from (the BES box) and pick a cookie surrogate so that when users are required to auth, there's something that "sticks".
Config the BES with a policy to force the handhelds to accept cookies.