Learn IT Solution Group LLC
Published: 03 May 2011
With the rapid evolution of the smartphone industry, IT administrators find themselves pulled in a few different directions -- ensuring compliance and security while staying flexible enough to support a diverse number of devices. Because it’s extremely difficult to physically secure and audit mobile devices, many administrators defer to BlackBerry devices, which provide granular security, compliance control and auditing capabilities through BlackBerry Enterprise Server (BES).
A defining characteristic of the BlackBerry security model is the user/device pairing. The relationship of the BlackBerry device to a BlackBerry-enabled user is 1:1, meaning that a user can only synchronize with one device at a time. While this may not be optimal for all users, it has benefits that go beyond administrative.
Users can configure BES 5.0.2 to translate their BlackBerry PIN to their network credentials. BES can then impersonate the user, allowing them access to Web-based apps, RIM apps and line-of-business applications without having to continually enter their credentials.
Environments with high-availability requirements benefit from BES’s built-in standby server configuration with a proprietary failover mechanism. There are no additional licensing costs for the standby server. BES also has a number of additional components that can be installed to its core component -- the BlackBerry Router -- that increase its value as an enterprise messaging product. Table 1 lists BES 5.x components.
| Component | Description |
| --- | --- |
| BlackBerry Router (core component) | Connects BES to the wireless network to allow BlackBerry devices to connect and transfer data |
| BlackBerry Administration Service | Web-based management tool for BES |
| BlackBerry Web Desktop Manager | Web-based tool that allows users to manage their own BlackBerry device settings and change passwords |
| BlackBerry Monitoring Service | Monitors BES component activities and notifies administrators when activity is above or below an acceptable threshold |
| BlackBerry MDS Integration Service | Enables BlackBerry Mobile Data System (MDS) Runtime Applications to interact with backend systems using Web services or direct database connections |
| BlackBerry Collaboration Service | Connects an organization’s instant messaging server to the collaboration client on BlackBerry devices |
| BlackBerry Attachment Service | Converts attachments into formats that users can view on devices |
| BlackBerry MDS Connection Service | Processes requests for Web content from the browser or Java applications on BlackBerry devices and manages TCP/IP and HTTP connections between applications on BlackBerry devices and applications that reside on an organization’s application servers, Web servers or databases behind firewalls |
Table 1. BlackBerry Enterprise Server components
Comparing on-premises BES editions
BlackBerry Enterprise Server Express, which has been available as a free download since March 2010, allows companies with up to 2,000 users to leverage BES’s enterprise-class security and management features. But it does have some limitations (Table 2).
| | BES Express | BlackBerry Enterprise Server |
| --- | --- | --- |
| Description | Designed for small and large businesses with on-premises mail servers; secure option for connecting corporate-liable and individual-liable BlackBerry devices to company email | Designed for mobile users in large enterprises and government organizations; includes high availability features and supports premium add-on products |
| Key features | Compatible with any Internet-enabled BlackBerry data plan; free software and client access licenses (CALs); enables businesses to expand the number of BlackBerry smartphone users while maintaining security and control over corporate-liable and individual-liable users; installs directly on an existing email server | Provides a high level of IT control and functionality; compatible with add-on products such as BlackBerry Mobile Voice System |
| Supported platforms | Microsoft Exchange Server, Windows Small Business Server | Microsoft Exchange Server |
| Users supported | Up to 75 users on the email server or 2,000+ with a dedicated server | Can support a large corporate group of 2,000+ users per server |
| Pricing | Any Internet-enabled BlackBerry data plan plus free BES software and CALs | $3,999 for 20 users plus the BlackBerry enterprise data plan |
| Additional pricing per user | Data plan requirement only | 1 CAL: $99; 5 CALs: $429; 10 CALs: $699; 50 CALs: $3,299; larger CAL packs are available |
| Wireless email synchronization | Yes | Yes |
| Wireless calendar/contacts synchronization | Yes | Yes |
| PBX integration | No | Yes, with BlackBerry Mobile Voice System |
| Remote file access | Yes | Yes |
| Application support | BlackBerry App World, Web-based applications and client-server business applications | BlackBerry App World, Web-based applications and client-server business applications |
| Security | Enterprise-grade with 35+ IT policies and AES 256-bit data encryption | Enterprise-grade with 450+ IT policies and AES 256-bit data encryption |
| Setup | Can be installed on an existing mail server or a dedicated server | IT must install onto a dedicated server |
| Premium features | None | High availability and monitoring |
Table 2. Comparison of BlackBerry Enterprise Server Express and BES
BES Express does not support certain premium features available in the full version, such as Enterprise Instant Messaging, Enterprise Social Networking Solutions, Chalk Pushcast Software and BlackBerry Mobile Voice. Possibly the most compelling reason to deploy the full version of BES is its diverse security settings, which are available through more than 450 IT policies. From a scalability standpoint, environments with more than 2,000 BlackBerry users will be able to support them on a single full-version BES. Still, BES Express marks the first free version of the server.
Prerequisites for running BES 5.0.2
There are a number of preliminary steps you must take before installing BES in an Exchange Server 2010 environment. The best step you can take to eliminate deployment problems is to review RIM’s online compatibility guide. Under the BlackBerry Enterprise Server for Microsoft Exchange Compatibility Matrix, you’ll find a list of components, including:
BES 5.0.2 and Enterprise Server elements:
- Windows Server 2008 R2 (32 bit)
- Windows Server 2008 R2 (64 bit)
Server virtualization (optional):
- VMware vSphere4
- Windows Server 2008 Hyper-V (supported)
- Exchange Server 2010
- Exchange Server 2010 SP1 (supported with limitations)
Although BES 5.0.2 supports Exchange Server 2010, you could encounter some issues connecting users. BlackBerry KB24470 details a workaround. There is also a known functional limitation with the Remote Search capability on handhelds.
- MAPI/CDO 6.5.8165.0 -- you will need to download and install CDO 1.2.1 on your BES server prior to installation. The current version available for download from Microsoft is 6.5.8190.0. Although this version is listed on the compatibility matrix, it is only identified as recommended, not supported. However, the 6.5.8190.0 version of CDO 1.2.1 is needed to support Exchange 2010 SP1.
- Microsoft SQL 2005 Express SP3 (32-bit)
- Microsoft SQL Server 2008 SP1 (32-bit)
- Microsoft SQL Server 2008 SP1 (64-bit)
Web browser for accessing BlackBerry Enterprise Server administration (BAS-WC) and BlackBerry Monitoring Service:
- Microsoft Internet Explorer v8.0 -- Firefox 3.6, Chrome 4.0 and Safari 4 for Mac are supported, but you won’t be able to manage USB devices via the BlackBerry Administration Service Web Console (BAS-WC).
- .NET v2.0 and higher
If your environment doesn’t exactly match the recommended configuration, you’re not necessarily out of luck. Thoroughly review the compatibility matrix so you understand what incompatibilities and limitations to expect.
Once you have confirmed that your environment will support BES 5.0.2, you’ll need to complete the following tasks:
- Create a Windows account that has a Microsoft Exchange 2010 mailbox. The most typical name used for this account is BESAdmin. If you use public folders, this account will need “Owner” permissions for each public folder you want to access from BlackBerry devices, granted with a cmdlet such as:
Add-PublicFolderClientPermission -Identity "\<Public Folder>" -User BESAdmin -AccessRights Owner
- Add the BESAdmin account to the local Administrators group on the BES server.
- Configure Allow Log on Locally and Log On As a Service permissions in the Local Security Policy for the BES server using the following steps:
  - Run Secpol.msc.
  - Navigate to Local Policies -> User Rights Assignment.
  - Double-click Allow Log on Locally and add BESAdmin.
  - Double-click Log On As a Service and add BESAdmin.
  - Close the Local Security Policy window.
Run the following cmdlets from the Exchange Management Shell to configure Microsoft Exchange 2010 permissions for the Windows account.
Note: Apply Send-As permissions to each organizational unit (OU) into which you plan to place BlackBerry users. The cmdlets are:
Get-MailboxDatabase | Add-ADPermission -User "BESAdmin" -AccessRights ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin
Add-RoleGroupMember "View-Only Organization Management" -Member "BESAdmin"
Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User "BESAdmin" -Identity "OU=<organizational_unit>,DC=<domain_1>,DC=<domain_2>,DC=<domain_3>"
You must use the OU’s exact LDAP name or you will get an “Insuff_Access_Rights” error. If this does not work with the exact distinguished name, you may have a permission inheritance problem.
Follow these steps to apply Send-As permissions to all user objects in an entire domain (Figure 1):
- Open Active Directory Users and Computers and select the Advanced Features option from the View menu.
- Right-click the appropriate domain and then click Properties.
- Under the Security tab, click Advanced.
- Click Add, select the BESAdmin account and click OK.
- Select User Objects in the Applies Onto list. Note: If the Domain Controller is Windows Server 2008, select Descendant User Objects.
- Check the Send As box, click Apply and then OK.
- Close the Properties window and then close Active Directory Users and Computers.
Turn off client throttling in Microsoft Exchange 2010 using the following cmdlets (Figure 2). Create the policy first, then clear its limits and assign it to the BESAdmin mailbox:
New-ThrottlingPolicy BESPolicy
Set-ThrottlingPolicy BESPolicy -RCAMaxConcurrency $null -RCAPercentTimeInAD $null -RCAPercentTimeInCAS $null -RCAPercentTimeInMailboxRPC $null -EWSMaxConcurrency $null -EWSPercentTimeInAD $null -EWSPercentTimeInCAS $null -EWSPercentTimeInMailboxRPC $null -EWSMaxSubscriptions $null -EWSFastSearchTimeoutInSeconds $null -EWSFindCountLimit $null
Set-Mailbox "BESAdmin" -ThrottlingPolicy BESPolicy
Exchange 2010 marks a decisive move away from WebDAV and multiple programmatic interfaces to Exchange server. Exchange 2010 includes a single programming interface called Exchange Web Services (EWS). To configure a management role for Microsoft Exchange Web Services, use the following EMS command:
New-ManagementRoleAssignment -Name "BES Admin EWS" -Role ApplicationImpersonation -User "BESAdmin"
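A check script for the Exchange permissions configured above, added here as an example; it is not from the article or from RIM. Run it in the Exchange Management Shell; it assumes the account is BESAdmin, the throttling policy is BESPolicy, and $OuDn is a placeholder for your own OU distinguished name.

```powershell
# Added check (not the article's or RIM's code): confirms the BESAdmin account holds
# every Exchange 2010 right BES 5.0.2 needs, and reports what is missing.
# Assumptions: account BESAdmin, throttling policy BESPolicy, $OuDn replaced by your OU.
$Account  = "BESAdmin"
$Policy   = "BESPolicy"
$OuDn     = "OU=<organizational_unit>,DC=<domain_1>,DC=<domain_2>,DC=<domain_3>"
$Failures = @()

# Names of the Allow extended rights the account holds on one AD object
function Get-AccountExtendedRights($Identity) {
    Get-ADPermission -Identity $Identity |
        Where-Object { $_.User -like "*\$Account" -and -not $_.Deny -and $_.ExtendedRights } |
        ForEach-Object { $_.ExtendedRights } |
        ForEach-Object { $_.ToString() }
}

# 1. Receive-As and ms-Exch-Store-Admin on every mailbox database
foreach ($db in Get-MailboxDatabase) {
    $rights = @(Get-AccountExtendedRights $db.Identity)
    foreach ($r in "Receive-As", "ms-Exch-Store-Admin") {
        if ($rights -notcontains $r) { $Failures += "$($db.Name): missing $r" }
    }
}

# 2. Membership in the View-Only Organization Management role group
$members = Get-RoleGroupMember "View-Only Organization Management" | ForEach-Object { $_.Name }
if ($members -notcontains $Account) { $Failures += "not a member of View-Only Organization Management" }

# 3. Send-As on the OU that will hold BlackBerry users (the exact DN matters)
if (@(Get-AccountExtendedRights $OuDn) -notcontains "Send-As") { $Failures += "no Send-As right on $OuDn" }

# 4. Throttling policy exists, has its RCA limit cleared and is assigned to the mailbox
$tp = Get-ThrottlingPolicy $Policy -ErrorAction SilentlyContinue
if (-not $tp) { $Failures += "throttling policy $Policy does not exist" }
elseif ($tp.RCAMaxConcurrency -ne $null) { $Failures += "$Policy still has an RCAMaxConcurrency limit" }
$mbx = Get-Mailbox $Account
if (-not $mbx.ThrottlingPolicy -or $mbx.ThrottlingPolicy.Name -ne $Policy) {
    $Failures += "$Account is not assigned throttling policy $Policy"
}

# 5. ApplicationImpersonation role assignment used by Exchange Web Services
$imp = Get-ManagementRoleAssignment -Role ApplicationImpersonation -RoleAssignee $Account -ErrorAction SilentlyContinue
if (-not $imp) { $Failures += "no ApplicationImpersonation role assignment for $Account" }

if ($Failures.Count -eq 0) { "All BES 5.0.2 Exchange prerequisites are in place for $Account" }
else { "Missing prerequisites:"; $Failures | ForEach-Object { " - $_" } }
```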
If your Exchange 2010 organization does not have any public folder databases, follow these steps to configure BES to run without public folders using Regedit:
- If you are running a 32-bit version of Windows, navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Messaging Subsystem\CDO.
- If you are running a 64-bit version of Windows, navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Messaging Subsystem.
- If the CDO registry key does not exist, create a registry key called CDO.
- In the CDO registry key, if the DWORD value does not exist, create a DWORD value and call it Ignore No PF.
- Change the DWORD value to 1.
- Click OK.
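The same registry change as a script, added here as an example that is not from the article; it assumes the value name Ignore No PF and the data 1 given in the steps above, and that it runs in an elevated PowerShell session on the BES server as a native (not WOW64) process.

```powershell
# Added example (not the article's or RIM's code): sets the CDO "Ignore No PF" DWORD
# described above, choosing the 32- or 64-bit path, and reads it back to verify.
# Assumption: a native 64-bit PowerShell session on 64-bit Windows has an 8-byte IntPtr.
$basePath = "HKLM:\SOFTWARE\Microsoft\Windows Messaging Subsystem"
if ([IntPtr]::Size -eq 8) {
    $basePath = "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows Messaging Subsystem"
}
$cdoPath   = Join-Path $basePath "CDO"
$valueName = "Ignore No PF"

# Create the CDO key if it is missing (matches the manual step above)
if (-not (Test-Path $cdoPath)) { New-Item -Path $cdoPath -Force | Out-Null }

# Create the DWORD if absent, otherwise just set it to 1
$existing = Get-ItemProperty -Path $cdoPath -Name $valueName -ErrorAction SilentlyContinue
if ($existing -eq $null) {
    New-ItemProperty -Path $cdoPath -Name $valueName -PropertyType DWord -Value 1 | Out-Null
} else {
    Set-ItemProperty -Path $cdoPath -Name $valueName -Value 1
}

# Read back and confirm, so a failed write is not silently ignored
$check = (Get-ItemProperty -Path $cdoPath -Name $valueName).$valueName
if ($check -eq 1) { "$valueName = 1 under $cdoPath" } else { throw "$valueName was not set under $cdoPath" }
```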
If Exchange 2010 SP1 servers don’t have public folder databases, perform the workaround outlined in BlackBerry KB24470. This fix requires that you edit the registry on the BES server to ignore the fact that public folders are missing when connecting to Exchange 2010 SP1, as shown in Figure 3. You need to set the CONNECT_IGNORE_NO_PF flag.
Enabling audio attachments
Add the blackberry.net domain to the Allow Lists in your antivirus and antispam applications so that Exchange won’t filter wireless activation messages. Then enable Desktop Experience on BES so that it supports audio attachments. To do this, open Windows PowerShell and run Import-Module ServerManager, followed by Add-WindowsFeature Desktop-Experience -Restart.
The Desktop Experience feature will load a number of components found on the Windows 7 desktop that are not installed by default on Windows Server 2008 or Windows Server 2008 R2. The specific feature needed to support audio attachments is Media Player. You’ll need to restart the server to allow Windows to install all of the Desktop Experience components; this will take several minutes and two additional automatic restarts to complete.
Now that you’ve learned about differences between BES and BES Express and have prepared to deploy it in your Exchange 2010 SP1 environment, follow the steps to install and verify BES 5.0.2.
ABOUT THE AUTHOR:
Richard Luckett is president of SYSTMS of NY, Inc., a Microsoft Gold Partner providing professional services, managed services and training solutions. He is an MCSE, MCITP and MCTS with security and messaging specializations, and an MCT with nine years of Exchange training experience. Richard is an Exchange MVP award recipient, co-author of Administering Exchange 2000 Server and Exchange Server 2007: The Complete Reference, course director and author of seven Microsoft Exchange courses, and resident email security expert for SearchExchange.com. Contact him at Richard.Luckett@systmsny.net.