The BlackBerry Enterprise Server Express Edition offers businesses the ability to enable their staff to use BlackBerry devices to receive push-based email from an existing Microsoft Exchange installation – both standalone Exchange servers and the Microsoft Small Business Server product.
A free download from the BlackBerry web site, the solution is not limited to any set number of users and requires only that users have a BlackBerry data tariff on their SIM card with their network operator.
A 10,000 user CAL is supplied with the download by default:
Features
BES Express is based on the BES 5.0.1 MR1 code, and as such offers much (but not all) of the same functionality:
- Web-based administration
- 6 pre-defined administrative roles
- BlackBerry Web Desktop
- Over 35 IT policies for device management (see below), including device wipe
- HTML email support
- Flag emails for follow-up
- Mail folder management
- Remote email search
- Set out of office status and message
- Forward calendar appointments
- Open attachments in calendar appointments
- Free / Busy lookup
- Remote file access
- Support for audio (AWE, WAV, MP3, WMA) files
The following features are NOT available in BES Express:
- Cradle-less enterprise activation (when used with the BIS tariff on client devices)
- Ability to define multiple administrative roles
- BlackBerry Monitoring Service
- BlackBerry Enterprise Transporter Tool
- High Availability deployment options
- Support for BlackBerry Mobile Voice System (MVS)
- Support for enterprise instant messaging and social networking integration
At the time of writing, BES Express is only available in English.
BES Express is not compatible with Lotus Domino or Novell Groupwise installations.
System Requirements
Operating System
- Windows Server 2003 SP2 (32-bit or 64-bit)
- Windows Server 2003 R2 SP2 (32-bit or 64-bit)
- Windows Server 2008 SP2 (32-bit or 64-bit)
- Windows Small Business Server 2003
- Windows Small Business Server 2008
Microsoft Exchange Messaging Server
- Microsoft Exchange 2003 SP2
- Microsoft Exchange 2007 SP1
- Microsoft Exchange 2010 including Update Rollup 1
Microsoft Exchange System Tools
- (Exchange 2003) Microsoft Exchange 2003 SP2 System Manager or MAPI client and CDO 1.2.1 version 6.5.8039.0 or later
- (Exchange 2007) MAPI client and CDO 1.2.1 version 6.5.8067.0 or later
- (Exchange 2010) MAPI client and CDO 1.2.1 version 6.5.8146.0 or later
Hardware
(Up to 200 users)
- Single processor, 2.0GHz Intel Xeon (2 processors recommended)
- 2GB memory
- 2 HDDs, RAID 1
(Up to 500 users)
- Two processors, 2.0GHz Intel Xeon
- 2GB memory
- 2 HDDs, RAID 1
(Up to 1000 users)
- Two processors, 2.0GHz Intel Xeon
- 3GB memory
- 2 HDDs, RAID 1
Database
Any of the following database management systems are supported:
- MSDE 2000 SP3
- Microsoft SQL Server 2005 SP3 (32-bit or 64-bit)
- Microsoft SQL Server 2005 Express Edition SP3
- Microsoft SQL Server 2008 SP1 (32-bit or 64-bit)
- Microsoft SQL Server 2008 Express Edition SP1 (32-bit or 64-bit)
If using a database system earlier than SQL 2005 SP3, the following hotfix should be installed on the database server – http://support.microsoft.com/?kbid=960082
Miscellaneous
In order to provide support for audio attachments, Windows Media Player 9 or later is required on the BES.
Internet Explorer 6 or later is required to access the web administration console.
Firewall
The BES requires outbound-initiated, bi-directional access to the Internet on TCP port 3101 as well as access to DNS.
RIM recommend operating up to a maximum of 75 users if the BES Express software is being installed directly onto the Exchange server itself. On a standalone server, BES Express can support up to 2,000 users. Multiple BES Express servers can be deployed in the same BlackBerry domain.
Preparing an Exchange 2010 environment
NOTE – this article assumes an Exchange 2010 installation only. Visit the BES Express section of the blog for details on installing the solution against Exchange 2003 or 2007.
Ensure that Exchange 2010 Update Rollup 1 is installed on the Exchange 2010 server. This package is available here – http://www.microsoft.com/downloads/details.aspx?FamilyID=371add31-d7a0-4…
If installing the BES Express software on the Exchange server itself, the Exchange server should NOT itself also be a domain controller.
Create a domain user account called BesAdmin
On the Exchange server, in the Active Directory Users and Computers console, create a domain user called “BesAdmin” and assign it an Exchange mailbox. Set the user account password to never expire.
Send an email to the BesAdmin user to initialise the Exchange mailbox.
Assign the BesAdmin user local administrative rights
On the server that is to host the BES Express, make the BesAdmin domain user a member of the local administrator group. NOTE – the BES Express server will first need to have been added to the Domain if not done already.
To do this, on the BES Express server, right click on the icon for My Computer and select Manage. Browse to Local Users and Groups –> Groups –> Administrators and add the BesAdmin user:
Assign the BesAdmin user “log on as a service” rights
On the BES Express server, also assign the BesAdmin domain user account “log on as a service” rights. To do this, select Administrative Tools –> Local Security Policy –> User Rights Assignment –> Log on as a service and add the BesAdmin user:
Assign “Receive As” and “Administer Information Store” rights to the BesAdmin user
On the Exchange server, launch the Exchange PowerShell and issue the following command:
Get-MailboxDatabase | Add-ADPermission -User "BesAdmin" -AccessRights ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin
Assign Exchange View-Only Administrator rights to the BesAdmin user
Still within the Exchange PowerShell, now issue the following command:
Add-RoleGroupMember "View-Only Organization Management" -Member "BesAdmin"
Assign “Send As” rights on the domain to the BesAdmin user
Within the Active Directory Users and Computers console, open the View menu and select the option to display Advanced Features.
Right click on the domain and select Properties. Click on the Security tab:
Click on the Advanced button:
Click on Add and type in the name of the BesAdmin user:
Select the option to Apply Onto User Objects.
Scroll down to the bottom and tick the option to enable Send As rights:
For good measure, also enable Send As rights on the Exchange server itself within the Exchange PowerShell. Launch the console and issue the following command:
Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User "BesAdmin" -Identity "CN=Users,DC=domain,DC=com"
(where “domain” and “com” should be substituted for your specific domain details, eg: DC=brightpoint,DC=co,DC=uk and so on)
To force all of the above changes to take effect on the domain, it may be worth running a group policy update. On the Exchange server click Start –> Run and issue the command “gpupdate /force”
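The following script is an added example, not part of the original article or of RIM's tooling. It reads back the Exchange rights granted to BesAdmin in the steps above, so a missing grant is found before the BES install. The DN is the placeholder from the command above and must be substituted; the helper function names are hypothetical.

```powershell
# Added example: audit the Exchange rights held by the BES service account.
# Run in the Exchange Management Shell (PowerShell 2.0 compatible).
$account   = 'BesAdmin'                    # service account from this article
$usersDn   = 'CN=Users,DC=domain,DC=com'   # placeholder DN: substitute your domain
$roleGroup = 'View-Only Organization Management'
$results   = @()

# Hypothetical helper: one row of the audit report.
function New-Check($target, $right, $present) {
    New-Object PSObject -Property @{ Target = $target; Right = $right; Present = [bool]$present }
}

# Hypothetical helper: $true when an allow ACE for the account carries the extended right.
function Test-ExtendedRight($identity, $right) {
    $aces = @(Get-ADPermission -Identity $identity -User $account |
              Where-Object { (-not $_.Deny) -and ($_.ExtendedRights -like $right) })
    return ($aces.Count -gt 0)
}

# 1. Receive-As and ms-Exch-Store-Admin on every mailbox database.
foreach ($db in @(Get-MailboxDatabase)) {
    foreach ($right in 'Receive-As', 'ms-Exch-Store-Admin') {
        $results += New-Check $db.Name $right (Test-ExtendedRight $db.DistinguishedName $right)
    }
}

# 2. Send-As on the container named in the Add-ADPermission command above.
$results += New-Check $usersDn 'Send-As' (Test-ExtendedRight $usersDn 'Send-As')

# 3. Membership of the view-only role group.
$members = @(Get-RoleGroupMember -Identity $roleGroup | Where-Object { $_.Name -eq $account })
$results += New-Check $roleGroup 'Member' ($members.Count -gt 0)

$results | Sort-Object Target, Right | Format-Table Target, Right, Present -AutoSize

# Summarise any gaps; the article names missing permissions as the commonest cause of BES problems.
$missing = @($results | Where-Object { -not $_.Present })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} expected right(s) missing for {1}" -f $missing.Count, $account)
}
```

Because these rights let one account read and send as any mailbox, the same report is worth keeping as a baseline and re-running when the account is reviewed.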
Turn off Exchange 2010 Client Throttling
Exchange 2010 uses client throttling by default to protect the Exchange server from excessive user demands. RIM recommend turning off this feature as it can have an adverse effect on the performance of the BES solution. This is done within the Exchange PowerShell console.
Launch the console and issue the following command to get the “Identity” of the default throttling policy:
Get-ThrottlingPolicy | Where-Object {$_.IsDefault -eq "True"} | FL Identity
The Identity will be displayed:
Now issue the following command:
Set-ThrottlingPolicy -RCAMaxConcurrency $null
You will be prompted to enter the Identity to apply the policy to, enter the result returned above:
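The commands above lift the RPC Client Access concurrency limit on the default policy, which applies to every mailbox that has no other policy assigned. As an added example (not from the original article), the script below applies the same setting through a dedicated policy bound only to the BesAdmin mailbox, leaving the default limit in place for ordinary users. The policy name BESPolicy is a hypothetical choice.

```powershell
# Added example: exempt only the BES service account from RPC Client Access
# throttling instead of editing the default policy.
$account    = 'BesAdmin'     # service account created earlier in this article
$policyName = 'BESPolicy'    # hypothetical policy name; choose your own

# Record the default policy's current limit so the state before the change is known.
Get-ThrottlingPolicy | Where-Object { $_.IsDefault } |
    Format-List Identity, RCAMaxConcurrency

# Create the dedicated policy once; re-running the script is harmless.
if (-not (Get-ThrottlingPolicy | Where-Object { $_.Name -eq $policyName })) {
    New-ThrottlingPolicy -Name $policyName | Out-Null
}

# $null removes the concurrency limit, for this policy only.
Set-ThrottlingPolicy -Identity $policyName -RCAMaxConcurrency $null

# Bind the policy to the service account's mailbox and confirm the assignment.
Set-Mailbox -Identity $account -ThrottlingPolicy $policyName
Get-Mailbox -Identity $account | Format-List Name, ThrottlingPolicy
```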
Increase the maximum number of connections to the Exchange Address Book Service
On the Exchange Server (or specifically the Client Access Server in a multi-box deployment), browse to C:\Program Files\Microsoft\Exchange Server\V14\Bin and locate the file “microsoft.exchange.addressbook.service.exe.config” and open it in NotePad:
Locate the line “MaxSessionsPerUser”:
Increase the value to 100000. Save the file then restart the Address Book Service:
Install the Exchange MAPI CDO 1.2.1 package
The Microsoft Exchange MAPI CDO 1.2.1 package must be installed to provide the BesAdmin user a MAPI connection to Exchange mailboxes as well as access to calendaring information.
Download here: http://www.microsoft.com/downloads/en/details.aspx?FamilyId=2714320D-C997-4DE1-986F-24F081725D36&displaylang=en
Run the installer and accept the license agreement:
Now you’re ready to install the BES Express software.
Installing the BlackBerry Enterprise Server Express software
LOG INTO THE BES EXPRESS SERVER AS THE BESADMIN USER!
Launch the BES Express installer, you will be prompted to confirm that you are indeed logged in as the correct user:
Click Continue Installation:
Choose your country and read the license agreement. Select the option to accept if you agree to the terms and conditions:
Select the option to Create a BlackBerry Configuration Database:
Select the option to install a BlackBerry Enterprise Server:
Verify that all pre-requisite checks are completed successfully, paying attention to any warnings or failures:
In this article I am allowing the BES Express installer to install a local copy of SQL Server Express, if you intend to use a dedicated SQL Server, select this option and enter the details of the server address:
Enter the password for the BesAdmin account and enter in a name for the BES Express server: this name can be a ‘friendly’ one and is used to identify it in the Web Administration interface:
If you are warned that the server does not have sufficient free disk space available, free up some space before continuing:
A summary of the installation options will be displayed:
Click Install, the required components will now be installed, this process may take a while. When complete you will be prompted to reboot the server:
Click Yes. Once rebooted, log back in as the BesAdmin user. The installation will resume automatically:
Enter a name for the Configuration Database – this should ideally be left at the default unless specifically required. Click Next:
You will be prompted to create the database, click Yes:
When created, click OK:
Enter in the 10,000-user CAL, SRP key and SRP authentication key you were supplied along with the BES Express download. Verify connectivity to the RIM Relay on TCP port 3101. Click Next:
The MAPI connection settings will now be required, enter in the name of the Exchange server as well as the BesAdmin user account mailbox. Click OK:
Enter in the name you wish to use for the Administration web site. Again this should be left at the default if you are unsure as to what this means. Any name you choose should be resolvable via DNS if not using the default option.
Enter in a password for the SSL certificate – this is generated automatically by the installer and assigned to the Apache-based administration web site (the site does not run within IIS). The certificate is generated based on the name entered.
By default the administration web site runs on port 3443 – this can be altered if desired but again leave this value at the default unless specifically required. Click Next:
Enter in the details of the BesAdmin user account again and click Next:
Specify whether you wish access to the administration web site to be authenticated based on Active Directory credentials, or whether you want to use the built-in BlackBerry Administration Service authentication. If you select the second option, enter in a password for the default admin account.
NOTE – if you select BlackBerry Administration Service authentication, the default admin username is “ADMIN”, NOT “BESADMIN”.
Click Next:
Select the option to Start Services and verify that all services start successfully:
Click Next:
You will be reminded what the address is to access the administration web site. Click Finish.
The software is now installed and ready to use. To access the web administration site, a link will have been added to the Programs folder on the Start menu:
Selecting the link will launch the default browser on the server (which needs to be Internet Explorer 6 or later):
Log in either as the BesAdmin user (using Windows authentication) or as the Admin user (using BlackBerry authentication):
Add the web site to the Trusted Sites group in the Internet Explorer security options area:
And add the web site certificate to the trusted certificate authority folder:
Adding Users
In the Administration web site, select the option to Create a user:
Selecting Search will display a list of all available users:
Tick the user(s) you want to add and click Continue:
Select the BES Server the users should be added to (you’ll only have one option) and click Next. The users will now be added to the BES Server.
To associate a device to a user, the BlackBerry handheld itself can be connected directly to the BES Express server via USB. In the Administration web site browse to Devices –> Attached Devices –> Overview:
When the device is connected, its PIN details will be displayed:
Select the option to Assign current device to a user. Select the user you want to associate the device with:
The device will now be associated to the user and will automatically activate itself and begin to download user mailbox data.
Troubleshooting
If you encounter any problems adding or activating users, first verify that all BlackBerry services have started and are running correctly:
Exchange Permissions
The commonest cause of problems when troubleshooting issues with a BES installation is that the correct permissions have not been assigned to the BesAdmin user on the domain and the Exchange server as detailed above.
Included with the BES Express software is a utility called “IEMSTEST” which can verify the BesAdmin user’s access to specific user mailboxes.
The utility lives in the C:\Program Files\Research In Motion\BlackBerry Enterprise Server\Utility folder and needs to be run at the command line:
Select the BlackBerryServer MAPI profile when prompted:
Select the user account you wish to query:
The permissions will be tested:
As you can see from the above screenshot this test has indicated that the BesAdmin account does not have Send As rights on my James Liddiard user account. Once I verify my permissions, re-running the test indicates that all tests have passed successfully: