I will be covering the installation and initial configuration of Blackberry Express Server 5.0.3 on both Windows 2008 Server SP2 and Windows 2008 Server R2.  This particular scenario covers the installation of Blackberry Express Server 5.0.3 on the same server that hosts your Exchange 2010 installation, however depending on the size of your environment and how many BES Express users you are looking at supporting you may opt to have a dedicated member server to install BES Express onto.  The following guide will cover both scenarios.

This guide covers the installation on Exchange 2010 SP1, however most parts will be applicable to Exchange 2007 too.

Blackberry Express Server is an attractive option over running Blackberry Enterprise Server, particularly for small to medium business environments.  You will not require device CALS to hookup your Blackberries to the server, and you don’t need a server licence either!

If you plan on installing Blackberry Express Server on the same box as your Exchange 2010 installation, then you’ll be able to support a maximum of 75 BES users.  If you decide to go with a dedicated server, then that figure jumps up to 2000 BES users.   The main differences between Blackberry Enterprise Server and Blackberry Express Server are listed below

• Blackberry Monitoring Service
• High availability
• Custom administration roles
• Additional IT policies
• Support for Blackberry Mobile Voice System and Enterprise Instant Messaging

With the introduction covered, let’s proceed to the pre-requisites.

Pre-requisites

For the purposes of this guide, you will need the following:-

Operating System:  Windows 2008 Server SP2 or Windows 2008 Server R2

You will also need to have installed and configured Exchange 2010 with Service Pack 1 installed, however all parts of this guide will also be applicable to Exchange 2007 other than the section on Throttling Policies

If you plan to do OTA activations from outside your company network, you will need to ensure you open TCP port 3101 to your BES server.

Create The BES Express Administrator Account

Firstly login to your Exchange 2010 server and navigate to the Microsoft Exchange Management Console.  Once the management console loads, navigate to ‘Recipient Configuration’ and then click on ‘Mailbox’.  Create a new mailbox by clicking on the ‘New Mailbox’ button on the right hand side.

Once completed, choose to create a new user and mailbox, with the name BESAdmin, as per below:-

Once completed, we will need to ensure that the BESAdmin account is a local administrator on the server. Open ‘Server Manager’, and then ‘Configuration’ and finally select ‘Local Users & Groups’.  Double click on ‘Administrators’ and then click ‘Add’. Type in ‘BESAdmin’ and choose to ‘Check Names’ and click OK once AD resolves the name.

Once completed click ‘OK’ to finish.

Finally, we’ll need to ensure the BESAdmin account has permission to ‘Log On Locally’ and ‘Log On As A Service’. Click on ‘Start’ and then in the search box type ‘secpol.msc’ and hit enter.

In the Local Security Policy MMC navigate to ‘Local Policies’ and then ‘User Rights Management’ and scroll down to the policy ‘Log on as a service’ and double click to open.  Once opened add the BESAdmin account and click ‘OK’ to close.

Apply AD Permissions To BESAdmin Account

Now that we’ve setup our BESAdmin account correctly, we’ll need to assign it permissions within AD. Open up Microsoft Exchange Management Shell (Note: You’ll need to be logged into your Exchange 2010 server with an account that has permission to execute cmdlets from the Exchange Management Shell)

Once the Microsoft Exchange Management Shell has opened, type the following Power Shell commands (Hit return after each command):-

Add-RoleGroupMember “View-Only Organization Management” -Member “BESAdmin”

Followed by:-

Get-MailboxDatabase | Add-ADPermission -User “BESAdmin” -AccessRights ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin

Finally, we’ll need to apply the ‘Send As’ permission for our BESAdmin account, like so:-

Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User “BESAdmin” -Identity “CN=Users,DC=www,DC=test,DC=com”

You will notice that the section DC=www,DC=test,DC=com will need to be replaced with your Active Directory domain name.  So, if your domain name was www.joebloggs.net, it would look like the following:-

Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User “BESAdmin” -Identity “CN=Users,DC=www,DC=joebloggs,DC=net”

Likewise, if your AD domain is called joebloggs.local, it would look like the following:-

Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User “BESAdmin” -Identity “CN=Users,DC=joebloggs,DC=local”

After entering the last command, you may receive the following, rather common error:-

Active Directory operation failed on Domain ***Controllor Name***. This error is not retriable. Additional information: Access is
denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
+ CategoryInfo : WriteError: (0:Int32) [Add-ADPermission], ADOperationException
+ FullyQualifiedErrorId : DA172DD1,Microsoft.Exchange.Management.RecipientTa sks.AddADPermission

To rectify this issue you’ll need to manually assign the ‘Send As’ permission for your BESAdmin account in AD.

To accomplish this, open up ‘Active Directory Users & Computers’ and select ‘View’ and then ‘Show Advanced Features’.  Now right click on your domain on the left hand pane and choose ‘Properties’ and then navigate to the ‘Security’ tab.  On the ‘Permissions’ tab choose ‘Advanced’ and then click ‘Add’.  Add the BESAdmin account. When the permission entry dialog box appears, choose ‘Descendant User Objects’ on the ‘Apply To’ drop-down box.  Once completed, scroll down to ‘Send As’ and select ‘Allow’.

Once completed, click ‘OK’ to finish.

Create A New Exchange 2010 Client Throttling Policy For Blackberry Express Server

We’re now ready to create a new throttling policy.  This is required for Blackberry Express Server to operate correctly, as the default throttling policy in Exchange 2010 reduces available bandwidth for each respective mailbox automatically.

Open up the Microsoft Exchange Management Shell and type the following commands:-

New-ThrottlingPolicy BESEXPRESS -CPAMaxConcurrency $NULL -CPAPercentTimeInCAS $NULL -CPAPercentTimeInMailboxRPC $NULL -RCAMaxConcurrency $null -RCAPercentTimeInAD $null -RCAPercentTimeInCAS $null -RCAPercentTimeInMailboxRPC $null -EWSMaxConcurrency $null -EWSPercentTimeInAD $null -EWSPercentTimeInCAS $null -EWSPercentTimeInMailboxRPC $null -EWSMaxSubscriptions $null -EWSFastSearchTimeoutInSeconds $null -EWSFindCountLimit $null

Set-Mailbox “BESAdmin” -ThrottlingPolicy BESEXPRESS

Once completed, verify that the ‘BESEXPRESS’ policy has null values applied with respect to throttling, like so:-

Get-ThrottlingPolicy BESEXPRESS

You will need to scroll down and verify that the following policies have null values.

CPAMaxConcurrency

CPAPercentTimeInCAS

CPAPercentTimeInMailboxRPC

RCAMaxConcurrency

RCAPercentTimeInAD

RCAPercentTimeInCAS

RCAPercentTimeInMailboxRPC

EWSMaxConcurrency

EWSPercentTimeInAD

EWSPercentTimeInCAS

EWSPercentTimeInMailboxRPC

EWSMaxSubscriptions

EWSFastSearchTimeoutInSeconds

EWSFindCountLimit

I’d suggest also checking to see if the BESEXPRESS policy has been applied successfully to the BESAdmin account, by typing the following command:-

Get-Mailbox “BESAdmin” | fl Name,ThrottlingPolicy

You should get the following result, with the BESEXPRESS policy listed.

Create New Management Role For Exchange Web Services To Work Correctly With BES

Open up the Microsoft Exchange Management Console and type the following commands:-

New-ManagementRoleAssignment -Name “BES Admin EWS” -Role ApplicationImpersonation -User “BESAdmin”

Get-Mailbox -Server “<messaging_server_name>” | Set-CalendarProcessing -ProcessExternalMeetingMessages $true

Install Microsoft Exchange Server MAPI Client and Collaboration Data Objects 1.2.1

We’re now ready to install the MAPI and CDO components required to run BES Express.  Navigate to the followinglink and download and run through the installation.

Install BES Express 5.0.3

We’re now ready to complete the actual installation of BES Express.  Firstly, login to your BES Express server using the BESAdmin account.  Once completed, launch your web browser and navigate to the following link

You’ll need to fill out some basic registration information, along with your email address.  When you have completed the registration form, you should receive an email with the download link for BES Express and your licence details.  I’d strongly recommend saving these licence details for future installations.

Once you have downloaded BES Express, extract the files to a folder of your choice and double click on ‘setup.exe’ to start.

During the installation you will want to make sure you choose the option to ‘Create a Blackberry Configuration Database’ and to ‘Install Microsoft SQL Server 2005 SP3′ when prompted.  When you are asked for your Windows account information, simply enter the BESAdmin username and password, and choose a name for your BES Server when asked.

After clicking ‘Install’ the installation process will begin and the server will reboot once before continuing.  After the restart, ensure you choose ‘Local’ for the database information screen.

When prompted for your Blackberry CAL and SRP information, use the licence details you received in the download request email.

On the following screen ‘Administration Settings’ you will need to enter an SSL certificate password for the Blackberry Administration Service.  On the ‘Advanced Administration Settings’ page you can choose between Active Directory authentication and Blackberry authentication.  You can choose whichever you prefer, as this is purely for authenticating to the Blackberry Administration Service management site.  Unfortunately in my environment I was receiving an LDAP error when attempting to use AD authentication.  This turned out to be down to stale DNS records for a DC which had to be forcibly removed from AD after a hardware failure.

On the ‘Start Services’ page, simply click ‘Start Services’ to bring up all Blackberry services, thus completing the installation.

Add BES Users And Devices From The Blackberry Administration Service Console

We’re now ready to add our first user to the BES Express. There are multiple ways in which to add Blackberry phones to your BES Express, however for the purposes of this guide we will be adding our first user via USB.  However this would clearly not be an efficient way to setup multiple users. In these cases OTA (Over The Air) activations, via GPRS or WiFi are highly recommended.

In order to install the required Activex control for scanning for connected USB devices, you will need to use Internet Explorer 6 up to 9.  On Windows 2008 SP2 and Windows 2008 R2 you will need to edit the IE ESC settings to allow less restricted web browsing.

Firstly navigate to ‘Server Manager’ and then ‘Configure IE ESC’ and disable restricted browser settings for local administrators, like so:-

Once completed open up Internet Explorer and navigate to Tools > Internet Options > Security.  Click on ‘Trusted Sites’ and then choose ‘Sites’.  You will then need to type in the address of your Blackberry Express webconsole, as per below:-

https://bes.joebloggs.com:3443/webconsole/login

Replace the server name and domain with your own information.

Once completed, click ‘Close’.  Next, we will need to ensure that the required third-party Activex control can run for the Blackberry Administration Service console.  Click on ‘Trusted Sites’ again and then choose ‘Custom Level’.  Ensure the following options are set, as per below:-

Automatic prompting for ActiveX controls – Enabled

Download unsigned ActiveX controls – Prompt

Initialize and script ActiveX controls not marked as safe for scripting – Prompt

Run ActiveX controls and plug-ins – Enabled

Once completed, click ‘OK’ and ‘OK’ to finish.

Finally, in order to detect Blackberry smart phones, you will need to download and install the Blackberry USB and Modem drivers from the following link on the BES Express.

We’re now ready to login to the Blackberry Administration Service console.  Launch Internet Explorer and navigate tohttps://bes.joebloggs.com:3443/webconsole/login, ensuring you substitute with your server name.  At the login screen choose either Active Directory authentication or Blackberry authentication, depending on which option you chose during the BES installation.  If you are using Active Directory authentication, login using your BESAdmin account.  If you are using Blackberry authentication, the default username is ‘admin‘ and your password is the one which was specified during the installation.

When prompted to install the Blackberry Administration ActiveX control, choose ‘Yes’.

Once logged in you should be greeted by the following screen:-

We’re now ready to add our first user account.  Click ‘User’ and then ‘Create a user’.  On the next screen type in the Exchange 2010 email address for the user you’d like to add, and then click ‘Search’ at the bottom of the form.

Once the user account is resolved in AD, hit ‘Create a user with activation password’ and then on the following screen type an activation password. (Note: As we are performing the activation via USB, the activation password will not be used)

With the user created, we now need to associate a Blackberry smart phone.  I would strongly recommended performing a security wipe on the Blackberry device before proceeding with this step, as I found that the enterprise activation stage would fail at around 97% on devices that contained existing data.

Backing Up Blackberry Smartphone Data And Performing A Factory Reset

Before we hook up the Blackberry smart phone to the BES, we’ll backup user data and perform a full security wipe.  I am using a Blackberry 9700 for this stage, however the steps should be applicable for most Blackberry phone models.

Firstly download and install Blackberry Desktop Manager from here. Once completed, attach your Blackberry device via the USB cable and allow Blackberry Desktop Manager to pickup the device.

Once the application has completed, choose ‘Backup & Restore’. I would suggest completing a full backup, which will backup all user data on the phone to a single file.  Once completed, remove the Blackberry smart phone and on the phone itself navigate to ‘Options’ > ‘Security Options’ > ‘Security Wipe’ and click the middle button on the phone.  When prompted which data to remove, choose all options, leaving the ‘Media Card’ option unticked.

You’ll be prompted for a password, enter blackberry.  After 5-10 minutes the phone will be reset back to factory defaults.

Add A Blackberry Smartphone And Associate With A User

We’re now ready to get our first user up and running on the BES Express.  Firstly launch the Blackberry Administration Web Console and login. (Note: I often found that attaching the Blackberry smart phone to the BES Server BEFORE launching the administration console would result in the device not being detected)

Once logged in, attach your security wiped phone via the USB cable to the BES Server (Note: Good luck if your server only has USB 1.1 ports!) You should see the Blackberry loader appear in the system tray, and the ‘Attached Devices’ drop-down box should then populate with four options.

If this does not occur, the problem is almost always related to the required ActiveX control not loading correctly due to Internet Explorer settings. You’ll want to head back to ‘Internet Options’ and lower your ActiveX security settings again.

From the ‘Attached Devices’ menu, choose ‘Manage Device’.  On the following screen you should see your Blackberry smart phone information, including the PIN and model number.  Choose to ‘Associate device to a user’ button and then select the user we added earlier.  Once completed, you’ll received a notification telling you that the Blackberry services are being delivered to the device.

After a few minutes you should see the Enterprise Activation process start on your phone.  This can take anywhere between 5-30 minutes, depending on the amount of data that is being synchronised.

Your device will now be activated and the user’s Exchange 2010 Calendar, Notes, Tasks and Email should sync successfully.

For subsequent activations, I would recommend creating the BES users as we did previously, and then performing an OTA enterprise activation.  (Note: You’ll need TCP port 3101 open to the outside world to achieve this)

Restore Blackberry Smartphone Data Using Blackberry Desktop Manager

We can now restore any user data back to our Blackberry smart phone.  Launch Blackberry Desktop Manager, and choose ‘Backup & Restore’ and then choose to restore from the file we created earlier.  You may notice that the majority of the user data is greyed out and cannot be restored.

To rectify this issue, on the Blackberry phone navigate to ‘Options’ > ‘Advanced Options’ > ‘Service Book’ and scroll down to ‘Desktop [SYNC]‘ and hit the Blackberry key and choose ‘Delete’.  If you now close ‘Backup & Restore’ in Blackberry Desktop Manager and then re-open it, you should now be able to restore all data.  Once you have completed the restoration process, on the Blackberry smart phone head back to ‘Service Books’ and hit the Blackberry key and choose ‘Undelete’  The ‘Desktop [SYNC]‘ entry should re-appear.

Finishing Up & Disabling Automatic Java Updates

I would strongly recommend disabling automatic Java updates, as JRE is essentially fundamental to the smooth operation of the Blackberry Administration Web Console, and I found that applying JRE updates prevented the BAS-AS service from starting.

On the BES Express server you will need to open the registry and create the following DWORD value, as per below:-

[HKEY_LOCAL_MACHINESOFTWAREJavaSoftJava UpdatePolicy] "EnableAutoUpdateCheck"=dword:00000000

This should disable automatic Java updates for all users on the server.   This can also be achieved by creating a GPO and applying it to the applicable OU for your BES Express servers, in cases where you have multiple servers.

Conclusion

We have now successfully setup a Blackberry Enterprise Express Server.  I have not covered some of the more advanced features of the Blackberry Administration Web Console, such as IT Policies, however I would strongly recommend checking out the official documentation on the Blackberry site to get to grips with the other features.

In a future guide, I will be covering some of the troubleshooting techniques you can employ to diagnose server side issues as well as Blackberry smart phone activation issues.