Setting up BlackBerry Enterprise Server (BES) with Exchange 2007
The BlackBerry has become a standard business tool for any size of business. The latest devices, like the Bold, have become ever more capable, able to edit Microsoft Office documents at the same time as giving you an almost desktop-like Web experience.
That’s where BlackBerry Enterprise Server comes in. It’s a tool for connecting your clients’ networks to RIM’s secure network, piping mail from an Exchange (or Notes or GroupWise) server straight into a BlackBerry. RIM was one of the first companies to succeed with push email, and it’s made it a key piece of its strategy. Once a BES is in place, it will just sit there, handing mail over to devices – as well as giving you the tools to manage a small fleet of BlackBerrys.
Setting up BES isn’t that easy. It’s a complex piece of software, which needs to interact with a Windows network at a very deep level. You’re not just installing software: you’re creating new users that need administrator-level access to your email server. With so much at stake, it’s important to take care at each step of the process – which differs for different versions of Windows Server and Exchange. You’ll also need to set up a new server, with at least 2GB of RAM, to host BES, as it’s software that’s best hosted on its own.
A BES server doesn’t need to be big; for a small business a low-end Xeon or an AMD Athlon server with 2GB of RAM is sufficient. It’s important to note that the current version of BES doesn’t install on Windows Server 2008, so you’ll need to work with Windows Server 2003 R2 or earlier. There is 64-bit support, so you can take advantage of the full capabilities of the latest hardware. These instructions are for Exchange Server 2007 SP1 running on a 64-bit install of Windows Server 2003 R2, in a network with a Windows Server 2008 domain controller. The steps are similar for Exchange Server 2003, though there are some differences in how you create the BESAdmin user, because of the different way Exchange Server 2007 works with Active Directory.
For smaller customers, consider the wizard-driven BlackBerry Professional Software, which can run on the existing email server and support up to 30 users.
BES from scratch
BES can be delivered in several different ways. You can get a CD from a reseller, or a download from RIM’s Web site. You’ll also need a set of product keys – BES needs not just CALs, but also a set of keys to handle its connection to RIM’s private network.
You’ll need to start the install over on the Exchange server. The first step is to create a new mailbox for BESAdmin, the default BES service account. You can do this using the Exchange Management Console wizard, which will create an Active Directory account for the BES service. Don’t forget to give it a password, as you’ll need to log on with the account to install BES.
Once you’ve created the account, make it an Exchange administrator with view only rights. In the Exchange Management Shell use the following PowerShell command to set the role:
add-exchangeadministrator "BESAdmin" -role ViewOnlyAdmin
Check the user has the correct role using this PowerShell statement:
get-exchangeadministrator | Format-List
You’ll next need to use PowerShell to give the BESAdmin account additional rights to send and receive mail as any user. Replace <mailserver> with the name of your server:
get-mailboxserver <mailserver> | add-adpermission -user "BESAdmin" -accessrights ExtendedRight -extendedrights Send-As, Receive-As, ms-Exch-Store-Admin
Again check the result with some more PowerShell.
get-mailboxserver <mailserver> | get-ADpermission -user BESAdmin | Format-List
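The two Format-List checks above leave the comparison to the reader. The following PowerShell function is an added example, not part of the original article or RIM's tooling: it compares the account's role and mailbox-server rights with what these steps granted and reports anything missing or extra. The function name Test-BesAccountRights and the sample objects are hypothetical, and it assumes the Role, Deny, AccessRights and ExtendedRights properties that the cmdlets' Format-List output shows.

```powershell
# Added example: audits the BES service account against the rights granted above.
function Test-BesAccountRights {
    param($Roles, $Aces)  # objects from Get-ExchangeAdministrator / Get-ADPermission
    $expected = 'Send-As', 'Receive-As', 'ms-Exch-Store-Admin'
    $findings = @()

    # Exchange role: the steps above assign ViewOnlyAdmin and nothing else.
    $roleNames = @($Roles | Where-Object { $_ } | ForEach-Object { "$($_.Role)" })
    if ($roleNames -notcontains 'ViewOnlyAdmin') { $findings += 'MISSING role ViewOnlyAdmin' }
    foreach ($name in $roleNames) {
        if ($name -ne 'ViewOnlyAdmin') { $findings += "UNEXPECTED role $name" }
    }

    # Mailbox server ACEs: ignore Deny entries, collect allowed extended rights,
    # and flag any access right other than ExtendedRight (for example GenericAll).
    $granted = @()
    foreach ($ace in @($Aces | Where-Object { $_ -and -not $_.Deny })) {
        foreach ($right in @($ace.AccessRights | Where-Object { $_ })) {
            if ("$right" -ne 'ExtendedRight') { $findings += "UNEXPECTED access right $right" }
        }
        foreach ($ext in @($ace.ExtendedRights | Where-Object { $_ })) { $granted += "$ext" }
    }
    foreach ($e in $expected) {
        if ($granted -notcontains $e) { $findings += "MISSING extended right $e" }
    }
    foreach ($g in $granted) {
        if ($expected -notcontains $g) { $findings += "UNEXPECTED extended right $g" }
    }
    $findings  # empty output means the account matches the documented grants
}

# Constructed sample objects (PowerShell 2.0+ syntax) standing in for cmdlet output;
# the sample ACE carries one constructed extra right, 'Send-To'.
$sampleRoles = @(New-Object PSObject -Property @{
    Identity = 'example.local/Users/BESAdmin'; Role = 'ViewOnlyAdmin' })
$sampleAces = @(New-Object PSObject -Property @{
    Deny = $false; AccessRights = @('ExtendedRight')
    ExtendedRights = @('Send-As', 'Receive-As', 'ms-Exch-Store-Admin', 'Send-To') })
Test-BesAccountRights -Roles $sampleRoles -Aces $sampleAces

# Live use in the Exchange Management Shell (replace <mailserver> first):
#   $roles = Get-ExchangeAdministrator | Where-Object { "$($_.Identity)" -like '*BESAdmin' }
#   $aces  = Get-MailboxServer <mailserver> | Get-ADPermission -User BESAdmin
#   Test-BesAccountRights -Roles $roles -Aces $aces
```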
You can now switch to the server you’re planning to install BES on. Log on as a domain administrator and give your BESAdmin account local administration rights before you start the install. BES needs to be installed by the service account it will use in order to ensure that all its components and databases are set up with the correct permissions, so log out and log in with your BESAdmin account.
To install BES, if you’re using a CD, run the Setup.exe programme you’ll find in the root directory. If you’re working with a download you can run the self-extracting archive you downloaded from RIM: once the archive has extracted all its files it will launch the setup program automatically. If you have any problems, launch it from the Research In Motion directory in the root of C:/ created by the archive.
Selecting the location for the install defines the licence you’ll need to agree to, and the servers that the BES will connect to transfer mail to and from your clients’ BlackBerrys. Once you’ve chosen a licence, you can then choose the type of install you want to use. BES is a modular system (each BES supports up to 2,000 users), and there are install options that let you build a multi-server scalable enterprise-grade system. That’s not what’s needed for an SME – so just choose the single server options. You can install BES purely as a mail server, or you can set it up to work with internal applications using MDS, the BlackBerry Mobile Data System. If your clients are using tools like Microsoft’s Office Communications Server you can use the collaboration tools to link their BlackBerrys into their internal instant messaging and presence service.
You’ll then need to accept a range of licences for components that RIM is using in BES, including the Apache Web server, before you can start with the actual install. The installer will first check on the state of your system, making sure you have the appropriate pre-requisites. BES will install many of these for you – including the Java runtime and Microsoft’s XML components. However, there is one key set of components it won’t install – the software needed to handle the connection to your client’s Exchange server.
These are Microsoft’s Exchange Server MAPI Client and Collaboration Data Objects. They used to be bundled with Exchange, but Exchange 2007 makes them a separate download. If you’ve not already installed them, download the Exchange Server MAPI Client and Collaboration Data Objects 1.2.1 from www.microsoft.com/downloads/details.aspx?FamilyID=E17E7F31-079A-43A9-BFF2-0A110307611E&displaylang=en. If you’re installing a recent version of BES you’ll get the following message in the pre-installation check list: “Exchange server is not detected. A newer version of mapi32.dll may need to be installed”.
There’s no need to worry about this error message; all you need to do is click Next. There’s a mismatch between the latest version of Microsoft’s components and the version numbers used by the BES installation files. The version you’ve downloaded and installed is correct, and BES will use it happily.
The rest of the install is relatively painless, and won’t take that long. You’ll need the password for your BESAdmin account, as well as the name of the server that you’re installing BES on. You can also change the install and log file folders. You have the choice of installing a local copy of MSDE for BES to store configuration information, or connecting to a remote copy of SQL Server. For most SMEs there’s no need for a large database, and you should go ahead and install MSDE.
It’s a good idea to check the install summary over (and also to make a copy for future reference). The installer will install BES and the third-party tools it needs on your server and reboot when the first stage of the install is complete. You’ll need to log on to the server with the same account to complete the install, which will first set up your BES database, creating the database if a new one is required. Next you need to fill in the keys that BES will use to define how many BlackBerry devices can connect and to authenticate its connection to RIM’s BlackBerry network.
Once you’ve filled in the CALs, you can test a connection to the BlackBerry network. Check the server is trying to connect to the regional SRP server. In the UK you should be connecting to srp.uk.blackberry.net. (For other regions you can find a list of servers at www.blackberry.com/SRPAddressLookup/). Click Test Network Connection to complete the test. You can now add your BES’s identifiers: the SRP ID and the SRP authentication key. These will have been given to you by RIM or your supplier, either with the download or in a .SRP file. These need to be validated before you can complete your install. BES is now ready to be connected to your Exchange server. As you installed Microsoft’s connection tools, you’ll find the connect dialog box very familiar! Fill in the Exchange server details and check the BESAdmin account can connect. Much like setting up an Outlook account, all you need to do is click the Check Name button – if the name and server are correct they will be underlined. You’ve now connected BES to Exchange, and are very nearly ready to start setting up devices.
The next few screens are optional. One option lets you switch to using BlackBerry data only over WLAN connections – something you’ll only want to do if your clients aren’t using their carrier’s data plans. If you don’t want to use a carrier, you can allow WLAN access only. In most cases you won’t want to do this. Similarly you can also configure the server to allow WLAN OTA activation. Again this isn’t usually necessary. Another option lets you set up your own secure password for the connection between your BES and the built-in communication components like MDS: it’s not necessary, as BES will automatically generate a password. You’ll also be given the option to use a proxy server if your client’s firewall won’t let external applications through.
Finally you can start the service. Click Finish to leave the installer. You can now log off the BESAdmin account and log on with a standard administrative account to run the BlackBerry Manager. Use this to activate devices and add users, picking them from your client’s Active Directory. You can provision devices directly over a USB connection to the BES server, or you can just send your users an email with their activation password. All they need to do is choose the built-in Enterprise Activation tool in their BlackBerrys, fill in their password and email address to activate their devices and connect them to BES. Run through the process with a test device to ensure that users are provisioned correctly and can connect to your network.
BES Manager also gives you the tools you need to send IT policies to mobile devices – in the BlackBerry Domain view, open the Global Tab, choose Edit Properties and then click through to open and edit the IT Policy settings. You can push policies directly to devices, controlling password strength, timeout locks and other key settings to protect your clients’ data.
RIM provides plenty of support tools for anyone setting up a BES, including a tool kit full of helpful videos:
If you’re having problems with BES, it’s well worth spending some time in the community forums, where you’ll see plenty of tips from BES administrators all over the world: http://supportforums.blackberry.com/rim/board?board.id=BlackBerryEnterpriseSolution
Another source of useful community-driven information is the BlackBerry Forums site – especially its BES Admin Corner: