Accessing remote file shares with BES 5

One new feature made possible with the release of version 5 of the BlackBerry device software (when used in conjunction with a BES 5 server), is the ability to access and search remote file systems: both Windows and Samba-based.

To add the file share to the BES, log into the BlackBerry Web Administration Console (remember that if using the BAS' internal authentication mechanism, the default username is 'admin' rather than 'besadmin').

Browse to Servers and Components --> BlackBerry Domain --> Component View --> MDS Connection Service. Click on the File tab and select the option to Edit Component:

Enter a name for the share, this can be anything to identify the share to the administrator, as well as the UNC path to the file share [in the form \\(server)\file_share]
This share must be available to the BES, ideally on the same local network.
Enter the details of a domain user account to be used to access the share. This user account must naturally have permission to access the share.

Click Save All.

Click on the Configuration Sets tab:

Enter a name for the Configuration Set and add the file share created earlier.

Now browse to the specific MDS Connection Service instance you want to assign the component to and click on the Component Configuration Sets tab:

Add the Configuration Set you created earlier and click Save All.

Now click on the Instance Information tab and select the option to Restart Instance.

The file share has now been configured. To access the share from the handheld device, open the Applications folder and select the Files icon:

Select All Documents and enter in the name of the file if you know it, or a partial match to search for:

Activating BlackBerries via WiFi

I talked a customer through this today so thought it was worth a blog post. I've detailed the different methods by which a BlackBerry device can be activated in a previous post here - http://blog.brightpointuk.co.uk/bes-5-enterprise-activation
But it's probably worth re-visiting and also running through how you can test functionality using the BlackBerry Device Simulator.

As well as being able to activate BlackBerry devices against a BES via the cellular network using the Enterprise Activation feature, and also via the BlackBerry Web Desktop feature, it is also possible to activate devices via WiFi over the (W)LAN, not requiring that users have access to the mobile network or a PC to connect their device to.

This is particularly useful for companies that deploy BlackBerries for use only via WiFi within the confines of their business premises for access to email, calendaring and instant messaging services on a "local" basis only.

Configuring the BES

It's important from an administrative perspective to distinguish between "wireless" activations and "WiFi" activations: users are not to be trusted and will refer to anything not involving a cable as being "wireless", which is factually accurate but in terms of the BES software the two activation methods are worlds apart. "WiFi" activations need to be enabled and require additional configuration on the BES.

This feature is enabled and configured in the BlackBerry Server Configuration tool available under the Programs menu on the BES itself.
Launch the tool and select the OTA WIFI Activation tab:

Enable the option to permit wireless activation.

You will need to specify how the BlackBerry router service is to contact the mail server, this can either be done either via DNS by performing an MX Lookup on the domain specified in the email address entered in the Enterprise Activation wizard on the device itself, or manually by specifying the IP address of a suitable mail server or mail relay.
Authentication details will also need to be specified depending on your mail server's configuration to enable the BlackBerry Router service to successfully submit email to the mail server.

If all of this sounds wildly confusing, let me explain....

The way the BlackBerry Enterprise Activation feature works is by sending an email via SMTP to the BES directly from the device. This is why when you run through the feature on the device you are required to enter your email address as well as your enterprise activation password.
The BES, which is actively monitoring all BES user mailboxes, "sees" the activation email come in and "hoovers" it off and lo and behold your device is registered against your mailbox.
This all happens so quickly that you never see the email arrive or leave from your mailbox in your email client.

When activating over cellular the email is sent to your email address in the same way that all emails are sent to you - via DNS and MX lookups across the Internet to arrive in your mailbox for the BES to retrieve.
When activating over WiFi, the email is sent directly to the BES Router service, which confusingly then needs to be sent to email server for the BES to then retrieve again and do its thing. This is why the above configuration requires that the email server be specified and a user account be defined that has the ability to submit mail to the mail server.

Make sense?

IMPORTANT - for BlackBerry devices to be able to contact the BlackBerry Router service via WiFi, TCP port 4101 must be opened on any firewalls and routers between the wireless network and the BES.

Activate the user

As with all methods of activation, the user obviously needs to be added to the BES and assigned an activation password. This is done via either the BlackBerry Manager MMC console or the BES Administration web interface depending on what version of BES you're running:

Again, for more detailed articles on how to add users to the BES read the above articles or visit the BlackBerry section of the blog.

Configure the device

The Enterprise Activation feature of the BlackBerry device is accessed under Options --> Advanced Options --> Enterprise Activation (OS 5 or earlier) or Options --> Device --> Advanced System Settings --> Enterprise Activation (OS 6)

Unlike with cellular activations, where you simply need to enter an email address and password, with WiFi activations you also need to enter an Activation Server Address, which should be the DNS name or ideally the IP address of the server hosting the BlackBerry Router service (which will almost always be the BES itself):

On OS 6, if you don't see the option to enter an activation server address, press the menu button and select the option to Show Activation Server.

Enter in the required details and select the option to Activate. Your device will then (if all has been configured correctly), activate over the WiFi network:

Read the BlackBerry section of the blog for more information on the capabilities of the BES solution, or contact our technical support department via phone or via the email contact form for more information or assistance.

BES 4.1.x / 5.0 Exchange 2003 pre-requisites

Create a Domain User account called BesAdmin

On the Exchange Server, select Start → Programs → Microsoft Exchange → Active Directory Users and Computers

Browse to the Users container. Right click in the right-hand pane and select New → User

The following window will be displayed:

Enter BesAdmin in the First name and User logon name fields. Click Next. The following window will be displayed:

Enter a password for the account. Ensure that the options User cannot change password and Password never expires ARE TICKED. Click Next. The following window will be displayed:

Ensure that the option to Create an Exchange mailbox is ticked. Click Next and then click Finish.

Assign the BesAdmin user account local administrative rights

Once the BesAdmin user account has been created. On the BES server, right click on the My Computer icon on the desktop and select Manage. Browse to the Groups folder:

Double click the Administrators group.
Click on the Add button.
Set the Look in field to the domain of which the BES server is a member.
Select the BesAdmin user account and click Add.
Click OK and then OK again.

Assign "logon as service" rights on the BES server to the BesAdmin user account

On the BES Server, select Start → Settings → Control Panel.
Double click on the Administrative Tools icon
Double click on the Local Security Policy icon

Browse to Local Policies → User Rights Assignment in the left-hand menu.
In the right-hand pane scroll down and select Log on as service

Double click the entry, the following window will be displayed:

Click Add. The following window will be displayed:

Set the Look in field to the domain in which the BES server resides.
From the list of users select the BesAdmin account and click Add.
Click OK and then OK again.

Delegate administrative control to the BesAdmin user account

On the Exchange server, select Start → Programs → Microsoft Exchange → Exchange System Manager.

Right click on the Organisation name (at the root of the directory in the left-hand pane) and select Properties. The following window will be displayed:

Tick the options to Display routing groups and Display administrative groups. Click OK. If you receive a warning message indicating that the Exchange System Manager needs to be closed and re-opened for the changes to take effect, click OK.

Close the Exchange System Manager and then re-launch it again from the Start menu.

Right click on the first Administrative Group and select Delegate Control, as shown below:

The Administration Delegation Wizard will be displayed:

Click Next. The following window will be displayed:

Click Add. The following window will be displayed:

Set the Look in field to the domain in which the BES server resides. From the list of users select the BesAdmin account and click OK.

Click Next and then click Finish to complete the wizard.

Assign Send as, Receive as and Administer information store rights to the user account

Within the Exchange System Manager, right click on the entry for the Exchange server which the BES is going to communicate with and select Properties, as shown below:

Click on the Security tab. In the list of users select the BesAdmin user account. In the list of permissions, scroll down and tick the options to allow Administer information store, Receive As and Send As.

Click OK.

Now send an email to the BesAdmin user to initialise the mailbox!

Assign Send As rights on the Domain to the BesAdmin user account

On the Exchange Server, launch the Active Directory Users and Computers MMC snap-in:

Open the View menu and select the option to show Advanced Features.

Right click on the Domain root and select Properties. Click on the Security tab:

Click on the Advanced button. Select the option to Add a user:

Enter the alias of the BesAdmin account created earlier and click OK. In the Apply Onto drop-down menu select the option for User Objects:

In the Permissions section select the option to enable Send As:

Install Exchange System Manager on the BES server

Install the Exchange System Manager tool on the BES server from the Exchange CD.
Once installed, ensure that you update the installation so that the same service pack version is applied to the System Manager that is currently running on the Exchange server.

To verify the service pack version that is running on the Exchange server, open Windows Explorer on the Exchange server and browse to the folder where Exchange has been installed. By default this will be C:\Program Files\Exchsvr

Open the “BIN” folder and locate the file “store.exe”. Right click on the file and select Properties.

Click on the Version tab, the service pack version will be displayed in the Comments field as shown below:

Install the correct version of the CDO.DLL file

Windows 2000 Server requires that version 6.0.5770.16 or higher of the cdo.dll file be installed.
This file is installed by default with Service Pack 3 or later, however it has not been registered.

Windows 2003 Server requires that version 6.5.6944.0 or higher of the cdo.dll file be installed. This file is installed by default with Exchange 2003 System Manager, and also by Windows Server 2003 SP1, however it has not been registered.

By default the cdo.dll file will be located in the C:\Program Files\Exchsvr\Bin directory. To check the version of the file, right click on it and select Properties. Click on the Version tab:

Register the CDO.DLL file

The cdo.dll file needs to be registered, otherwise wireless calendar synchronisation will not function correctly between the Blackberry handheld and the server.

To register the file, copy it to the C:\WINNT\System32 directory.

Once the file has been copied, select Start → Run. Enter “cmd” in the dialogue and press OK.

A command prompt will be displayed. Change to the WINNT\System32 by typing cd winnt\system32 and pressing enter.

Type regsvr32 cdo.dll and press enter:

If the file is registered successfully, notification will be displayed as shown below:

Now log off as Administrator and log in to the BES server using the BesAdmin user account.

Launch the Exchange System Manager to finalise the installation and initialise the MAPI connection to Exchange.

You are now ready to begin installation of the BES 4.1.x software.

Adding Users

Launch the Blackberry Manager from the Start Menu.
Select Servers in the left-hand navigation pane. Select your server from the list.

In the bottom pane, select the option to Add Users. The Exchange Global Address List will be displayed:

Select your users and click OK.

Now click on the entry for the server in the left-hand pane:

Click on the Users tab. Select a user.

In the bottom pane, select the Service Access section. Select the option to Generate and Email Activation Password.
The user will receive an email from BesAdmin with their password. They can now use this password to complete the Enterprise Activation wizard on the Blackberry handheld.

BES 4.1.x / 5.0 Exchange 2007 pre-requisites

Create a Domain User account called BesAdmin

On the Exchange Server, select Start → Programs → Microsoft Exchange → Active Directory Users and Computers

Browse to the Users container. Right click in the right-hand pane and select New → User

The following window will be displayed:

Enter BesAdmin in the First name and User logon name fields. Click Next. The following window will be displayed:

Enter a password for the account. Ensure that the options User cannot change password and Password never expires ARE TICKED. Click Next. The following window will be displayed:

Click Finish.

Create an Exchange Mailbox for the BesAdmin User

On the Exchange Server, launch the Exchange Management Console.
Select Recipient Configuration → Mailbox and then New Mailbox:

The following window will be displayed:

Select User Mailbox and click Next. The following window will be displayed:

Select Existing User and then click Browse. Select the BesAdmin user. Click OK and then click Next. The following window will be displayed:

Click Next.
Click New and then Finish.

Assign the BesAdmin user account local administrative rights

Once the BesAdmin user account has been created. On the BES server, right click on the My Computer icon on the desktop and select Manage. Browse to the Groups folder:

Double click the Administrators group.
Click on the Add button.
Set the Look in field to the domain of which the BES server is a member.
Select the BesAdmin user account and click Add.
Click OK and then OK again.

Assign "logon as service" rights on the BES server to the BesAdmin user account

On the BES Server, select Start → Settings → Control Panel.
Double click on the Administrative Tools icon
Double click on the Local Security Policy icon

Browse to Local Policies → User Rights Assignment in the left-hand menu.
In the right-hand pane scroll down and select Log on as service

Double click the entry, the following window will be displayed:

Click Add. The following window will be displayed:

Set the Look in field to the domain in which the BES server resides.
From the list of users select the BesAdmin account and click Add.
Click OK and then OK again.

Assign Send as, Receive as and Administer information store rights to the BesAdminuser account

Unlike previous versions of Exchange. This needs to be done at the command line via the Exchange Management Shell.

Launch the command interface and enter the following command:

get-mailboxserver (servername) | add-adpermission –user (service account)-accessrights GenericRead, 
GenericWrite -extendedrights Send-As, Receive-As, ms-Exch-Store-Admin

Where (servername) should be replaced with the name of the Exchange Server, and (service account) should be replaced with the Alias name of the BesAdmin user account (so ‘BesAdmin’ in this case)

If you are successful, you should see the following:

To verify the permissions of an existing account, type:

get-mailboxserver (servername) | getADpermission -user (service account) | Format-List

Now send an email to the BesAdmin user to initialise the mailbox!

Assign Send As rights on the Domain to the BesAdmin user account

On the Exchange Server, launch the Active Directory Users and Computers MMC snap-in:

Open the View menu and select the option to show Advanced Features.

Right click on the Domain root and select Properties. Click on the Security tab:

Click on the Advanced button. Select the option to Add a user:

Enter the alias of the BesAdmin account created earlier and click OK. In the Apply Onto drop-down menu select the option for User Objects:

In the Permissions section select the option to enable Send As:

Install Microsoft Exchange Server MAPI Client and Collaboration Data Objects 1.2.1

Download the MAPI and CDO files from the Microsoft web site:

http://www.microsoft.com/downloads/details.aspx?FamilyID=E17E7F31-079A-4...

Once downloaded, run the EXE file and specify a location for the files to be extracted to. Once extracted, run the file named ‘ExchangeMapiCdo.MSI’. The following window will be displayed:

Click Next.
The License Agreement screen will be displayed. Read the terms and conditions and click Next if you agree.
Click Finish.

Now log off as Administrator and log in to the BES server using the BesAdmin user account.

You are now ready to begin installation of the BES 4.1.x software.

Adding Users

Launch the Blackberry Manager from the Start Menu.
Select Servers in the left-hand navigation pane. Select your server from the list.

In the bottom pane, select the option to Add Users. The Exchange Global Address List will be displayed:

Select your users and click OK.

Now click on the entry for the server in the left-hand pane:

Click on the Users tab. Select a user.

In the bottom pane, select the Service Access section. Select the option to Generate and Email Activation Password.
The user will receive an email from BesAdmin with their password. They can now use this password to complete the Enterprise Activation wizard on the Blackberry handheld.

BES 4.1.x Lotus Domino pre-requisites

Create a domino user called BesAdmin

Log into the Domino Administrator:

Register a new user account for the BesAdmin user:

Add the BesAdmin user to the LocalDomainServers Group

Browse to the Groups view in the Domino Administrator:

Double click the LocalDomainServers group:

Drop down the Members menu:

Select the domain directory and add the BesAdmin user to the group:

Click OK.
Save the changes to the group.

Stop the Domino Server

On the Domino server, browse to Start → Programs → Administrative Tools → Services. Locate the Lotus Domino Server service. Double click the entry to display the properties for the service.
Set the Startup Type to Manual:

Reboot the Domino server.

Create a local administrator account on the Domino server

Right click on the icon for My Computer and select Manage.
The Computer Management console will be displayed. Browse to Local Users and Groups → Users.

Create a new user account with a name of BesAdmin.
Set the password to never expire.

Browse to Local Users and Groups → Groups:

Open the Administrators Group and add the BesAdmin user account to the group.

Log off and then log back in as the new BesAdmin user on the Domino server.

You are now ready to install the BES software.

Add Users to the BES

Launch the Blackberry Manager from Start → Programs → Blackberry Enterprise Server → Blackberry Manager:

Browse to the Server entry from the left-hand navigation pane and select the Users tab:

Select the option to Add User. The Domino directory will be displayed:

Select the target user account and click Add then OK. The user will now be listed in the Blackberry Manager:

Set Activation Password

Right click on the entry for the user and select the option to Set Activation Password:

Enter a suitable password, ideally this should be 6 characters long and contain lower-case letters only:

Click OK.

The user is now ready to perform an Enterprise Activation on the handheld.

Perform Enterprise Activation

On the Blackberry handheld, from the main menu select Options → Advanced Options → Enterprise Activation.

In the Email field, the user should enter their full email address.
In the Password field, the user should enter the activation password set by the administrator (NOTE – this is NOT the user’s NT domain or Domino password, but the BES Activation Password that was set earlier).

If the user sees the option to enter an Activation Server Address, this field is only required if the handheld is being activated over WiFi via the local network. If the handheld is being activated via a cellular connection (GPRS or 3G) then leave this option blank.

Press the menu button and select the option to Activate.

After a few moments the handheld will display ‘Encryption Verified’ and then ‘Waiting for services’. This means that the connection to the BES was successful and mailbox data is now being downloaded to the device. This process can take up to 20 minutes to complete depending on the amount of data held in the user’s mailbox.

On the Domino Server itself, in the Domino Server Console, the activation process can be viewed in real time:

The activation process is now complete.

Repeat the above process for additional users as required.

BES 5 Enterprise Activation

Adding new users to BES 5 is now even easier than in previous versions. Once the user has been added to the BES server by the administrator and assigned an activation password, the user will then be able to activate their handheld in a number of ways:

• Over the cellular network using the Enterprise Activation feature on the handheld device
• Over a local WiFi network using the Enterprise Activation feature on the handheld device by specifying the IP address of the activation server
• Via the BlackBerry Web Desktop by connecting the handheld to their local PC via USB

This article assumes that the BES server has been installed correctly already. For detailed instructions on how to prepare the Microsoft Exchange environment for a BES deployment read these articles:

Exchange 2003
Exchange 2007 / 2010

For instructions on how to install the BES 5 software itself view this post:

http://blog.brightpointuk.co.uk/installing-blackberry-enterprise-server-...

Activating over the cellular network

Once an enterprise activation password has been assigned to the user, the Enterprise Activation feature on the handheld can be located under Options --> Advanced Options --> Enterprise Activation (on device software 5), or Options --> Device --> Advanced Options --> Enterprise Activation (on device software 6).
In here the user simply need enter their full email address, including domain, and the activation password assigned by the administrator.

For detailed information on how the Activation Process works, read this article:

http://blog.brightpointuk.co.uk/how-does-bes-wireless-activation-process...

Activating over the WiFi network

For those devices that have WiFi capability, provided that the local wireless network can route to the BES server, devices can be activated by completing the Enterprise Activation wizard as above, but with the additional step of completing the Activation Server Address, which needs to contain the IP address of the BES server.

NOTE - this feature needs to be enabled on the BES manually as it is not enabled by default. If the BES server has been deployed in a multiple-box deployment, it is the IP address of the BES Router component that needs to be entered on the handheld device, and the Router needs to be configured to be able to relay SMTP traffic to the Exchange Server. To do this, on the BES server open the BlackBerry Server Configuration utility from the Start Menu. Click on the WiFi OTA Activation tab:

Complete the details of the Exchange server as required.

Also note, to accept activation requests on Server 2008, the built-in firewall will need to be configured to accept incoming requests on TCP port 4101.

Activating via the BlackBerry Web Desktop

Users can browse to the Web Desktop URL (https://(bes_server)/webdesktop) from their Windows PC running IE6 or later:

When logging in for the first time they will be prompted to install the "RIMWebComponents", this will install the required USB drivers and device manager software onto the PC. Administrative rights will be required for this.

Once installed, the user will be able to login using the domain credentials:

The user can now connect their handheld device to the PC via the USB connection. The device manager software will detect the device automatically. The user will be prompted to enter their activation password within the browser.
If the feature has been enabled on the BES by the administrator, users can even set their own activation passwords and enable their own devices, without the IT department getting involved at all (provided that their user account has been added to the BES):

Once activated, the device will be listed in the properties of the user account:

Clicking on the device entry will display detailed information about that device:

and provide a list of tasks that can be performed on that device, including the ability to perform a 'remote kill':

BES 5.0 Web Desktop Manager

The Web Desktop Manager component was first released as a free update to BES 4.0 SP6 or later (http://blog.brightpointuk.co.uk/blackberry-web-desktop-manager)

Now the tool has been incorporated into BES 5.0 and enables users to manage their devices directly from the PC web browser (only Internet Explorer 6 or later is supported currently)

The tool is accessed by browsing to https://(BES_Server)/webdesktop:

From this interface users can, provided that the administrator has enabled the feature on the BES itself, edit their default signature as well as message re-direction settings.
Email filters can be created, defining what mails get delivered to the handheld device:

Available filter criteria include:

Which mailbox folders that are synchronised to the handheld device can be defined:

The Contacts that are synchronised to the handheld can be defined, including subfolders of the main Contacts folder:

The contents of the user's handheld device can be backed up to the user's PC via the tool:

Automatic, schedule-based, backups can also be configured:

Should a user be issued with a new device, they can simply connect that device to their PC, once logged into the tool, and switch their account details to the new device automatically:

BES 5.0.1 Exchange 2010 pre-requisites

Ensure that Exchange 2010 Update Rollup 1 is installed on the Exchange 2010 server. This package is available here - http://www.microsoft.com/downloads/details.aspx?FamilyID=371add31-d7a0-4...

Create a domain user account called BesAdmin

On the Exchange server, in the Active Directory Users and Computers console, create a domain user called "BesAdmin" and assign it an Exchange mailbox. Set the user account password to never expire.

Send an email to the BesAdmin user to initialise the Exchange mailbox.

Assign the BesAdmin user local administrative rights

On the server that is to host the BES, make the BesAdmin domain user a member of the local administrator group. NOTE - the BES server will first need to have been added to the Domain if not done already.
To do this, on the BES Express server, right click on the icon for My Computer and select Manage. Browse to Local Users and Groups --> Groups --> Administrators and add the BesAdmin user:

Assign the BesAdmin user "log on as a service" rights

On the BES server, also assign the BesAdmin domain user account "log on as a service" rights. To do this, select Administrative Tools --> Local Security Policy --> User Rights Assignment --> Log on as a service and add the BesAdmin user:

Assign "Receive As" and "Administer Information Store" rights to the BesAdmin user

On the Exchange server, launch the Exchange PowerShell and issue the following command:

Get-MailboxDatabase | Add-ADPermission -User "BesAdmin" -AccessRights
 ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin

Assign Exchange View-Only Administrator rights to the BesAdmin user

Still within the Exchange PowerShell, now issue the following command:

Add -RoleGroupMember "View-Only Organization Management" -Member "BesAdmin"

Assign "Send As" rights on the domain to the BesAdmin user

Within the Active Directory Users and Computers console, open the View menu and select the option to display Advanced Features.

Right click on the domain and select Properties. Click on the Security tab:

Click on the Advanced button:

Click on Add and type in the name of the BesAdmin user:

Select the option to Apply Onto User Objects.
Scroll down to the bottom and tick the option to enable Send As rights:

For good measure, also enable Send As rights on the Exchange server itself within the Exchange PowerShell. Launch the console and issue the following command:

Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights
Send-As -User "BesAdmin" -Identity "CN=Users,DC=domain,DC=com"

(where "domain" and "com" should be substituted for your specific domain details, eg: DC=brightpoint,DC=co,DC=uk and so on)

To force all of the above changes to take effect on the domain, it may be worth running a group policy update. On the Exchange server click Start --> Run and issue the command "gpupdate /force"

Turn off Exchange 2010 Client Throttling

Exchange 2010 uses client throttling by default to protect the Exchange server from excessive user demands. RIM recommend turning off this feature as it can have an adverse affect on the performance of the BES solution. This is done within the Exchange PowerShell console.
Launch the console and issue the following command to get the "Identity" of the default throttling policy"

Get-ThrottlingPolicy | Where-Object {$_.IsDefault -eq "True"} | FL Identity

the Identity will be displayed:

Now issue the following command:

Set-ThrottlingPolicy -RCAMaxConcurrency $null

You will be prompted to enter the Identity to apply the policy to, enter the result returned above:

Increase the maximum number of connections to the Exchange Address Book Service

On the Exchange Server (or specifically the Client Access Server in a multi-box deployment), browse to C:\Program Files\Microsoft\Exchange Server\V14\Bin and locate the file "microsoft.exchange.addressbook.service.exe.config" and open it in NotePad:

Locate the line "MaxSessionsPerUser":

Increase the value to 100000. Save the file then restart the Address Book Service:

Install the Exchange MAPI CDO 1.2.1 package

The Microsoft Exchange MAPI CDO 1.2.1 package must be installed to provide the BesAdmin user a MAPI connection to Exchange mailboxes as well as access to calendaring information. This package is available for download from our FTP site HERE (Exchange 2010 only).

Run the installer and accept the license agreement:

Now you're ready to install the BES software.

BlackBerry Enterprise Transporter Tool

The BES Transporter Tool is a free utility from RIM that is designed to enable the administrator to easily migrate users from one BES server to another, or from one BlackBerry Domain to another, ideal for administrators who intend to run their existing BES 4 installation alongside an upgraded BES 5 server for a period of time before then decommissioning the older server.

The installation is simply a matter of running the MSI file and following the on-screen prompts. An icon will be added to the Start Menu automatically. Launching the application displays the following screen:

The first step in using the tool is to create a new configuration document. Click on the New button, enter a name for the new document and click Save. Now the rest of the fields will no longer be greyed out.

Now you need to specify the source and target BlackBerry database instances. Click on the Configure button:

In the SQL Server field enter the name of the server holding the BES SQL database.
In the Label field enter the name of the SQL instance running on that server.
In the Database field, enter the name of the BES database, normally BESMgmt by default.
Verify that a connection can be established to the database using the specified authentication details.
Click OK. Now complete the same details for the target BES database.

Now you can select the users that you want to migrate. Click on the Details button. Click on the Find Users button to view the users available on the source BES. Select the users as required.
Click Close.

Click the Preview button to view a report of the intended operation. Be sure to read and understand any errors that are returned.
Provided that no errors are reported, click the Migrate button to begin the operation. Your user accounts will now be migrated.

For details on how to install the BES 5.0 software read this article - http://blog.brightpointuk.co.uk/installing-blackberry-enterprise-server-...

BlackBerry Web Desktop Manager

The Blackberry Web Desktop Manager is a free download from the Blackberry web site and is a bolt-on to the Blackberry Enterprise Server enabling users to manage their handhelds via a web interface without the administrator needing to get involved.

Version 4.0 SP6 or later of the BES software is required, but it can also be used with the BES Express and Blackberry Professional Software versions. It has actually been available for a while now, but somehow slipped under my radar.

NOTE - the Web Desktop feature is built into BES 5.0, read this article for details on this version - http://blog.brightpointuk.co.uk/bes-50-web-desktop-manager

The installation process is straightforward and installs two additional services to the BES Server:

• Blackberry Administrative Service - AS
• Blackberry Administrative Service - NCC

The installation process does require that you configure an LDAP authentication source for connecting to the Exchange Server, but detailed information is included in the accompanying PDF installation guide.

Once installed, users can access the web interface by browsing to:

https://(BES_Server_Name)/webdesktop/login

NOTE - Internet Explorer 5.5 or later is required, Firefox is not supported. For users to access this web interface externally, the BES will need to be assigned a public IP address and port 443 opened on the firewall. The Administration Services can be installed on a machine other than the BES if external access directly to the BES itself is not permitted.

The initial web interface prompts the user to log in using their Active Directory domain credentials:

logging in for the first time, the browser will require that some ActiveX controls are installed, select the option to install them.

Once logged in, the following screen will be displayed:

The web interface allows users to activate and deactivate their own handhelds, setting their own activation passwords.

Users can also install, update or remove applications on the handheld.

Email filters can be applied, governing what mails are pushed to the handheld.

The entire data held on the device can also be backed up to the server and restored at a later date by the user via the web interface, or an automatic scheduled backup can be configured.

Finally, users can also edit the default signature via the web interface, rather than having to do it on the device.

This web interface approach is a precursor to the release of BES 5 which will provide full administrator access to the Blackberry Server via a web interface rather than via a WIN32 console application, and also removes the need for users to install the Blackberry Desktop Software on their PCs which is a major plus for network administrators.

Checking your BlackBerry Enterprise Server installation licence type

When ordering additional Client Access Licences (CALs) for your BlackBerry Enterprise Server, it is important to be aware of the different types of licence that are available: Small Business (SBE) and Enterprise.
Although there is no difference in functionality between an SBE BES and an Enterprise BES installation, the two CAL types are not interoperable: it is not possible to add SBE CALs to an Enterprise BES; neither is it possible to add Enterprise CALs to an SBE BES.
The type of BES installation that you have will be determine by the CAL you used when the software was first installed: if you use an SBE CAL when installing the BES, it will be an SBE installation.

To identify what type of installation you have, do the following.

BlackBerry Enterprise Server version 4.x

Launch the BlackBerry Manager and select BlackBerry Domain in the console root:

In the right hand pane expand Account and select License Management:

Your CALs and their type will be displayed. In the above example the installation is an Enterprise one.

BlackBerry Enterprise Server version 5.x

Log into the BlackBerry Administration Service.
In the Servers and Components section expand the Component View. Select the BlackBerry Administration Service:

CAL information will be displayed in the License Summary section. Again in the above example the installation is an Enterprise one.

Configuring BlackBerry Enterprise Server 5.0.3 for use with Microsoft Lync Server 2010

Version 5.0.3 of the BlackBerry Enterprise Server product added support for the Microsoft Lync Server 2010 unified messaging platform. In this article I shall look at how to configure your Lync infrastructure and the BES to support this integration.

For information on how to configure access to Office Communications Server 2007, read this article - http://blog.brightpointuk.co.uk/setting-blackberry-enterprise-server-acc...

Pre-Requisites

Add the BesAdmin user account to the RTCUniversalServerAdmins and RTCComponentUniversalServices groups

Within Active Directory, add the BesAdmin user account, the service account used to install the BES software, to the RTCUniversalServerAdmins group and also the RTCComponentUniversalServices group:

Install .NET Framework 3.5

On the server that is to host the BlackBerry Collaboration Service, install the .NET Framework 3.5 package. On Server 2008 this is done within the Server Manager under the Features section:

Install the Microsoft Office Communications Server 2007 R2 Core Components Runtime Package

On the server that is to host the BlackBerry Collaboration Service, download this package from http://www.microsoft.com/download/en/details.aspx?id=4070

Install this package. A folder will be created on the server under C:\Core Components Runtime Runtime Package. Browse to this folder and run the following installers:

• vcredist_x64 (Visual Studio 2008 Redistributable client)
• sqlncli_x64 (SQL Server Native Client)

Install the Microsoft Unified Communications Managed API 2.0 SDK Installer package

BES integration with a Lync 2010 server deployment relies on two components:

• Microsoft Office Communications Server 2007 R2 Core Components
• Microsoft Unified Communications Managed API 2.0 Core

On the server that is to host the BlackBerry Collaboration Service, download the Microsoft Unified Communications Managed API 2.0 SDK Installer package from http://www.microsoft.com/download/en/details.aspx?id=10842

Install this package. A folder will be created on the server under C:\Microsoft Unified Communications Managed API 2.0 SDK Installer package. Browse within this folder to "AMD64\Setup":

Install the files:

• OSCCore.msi
• UmcaRedist.msi

Enable access on port 5016 to the Lync server

On the Lync server, allow access from the server hosting the BlackBerry Collaboration Service on port 5016 within Windows Firewall if not enabled automatically:

Install a personal certificate on the BES Collaboration Server

On the server that is to host the BlackBerry Collaboration Service, issue a certificate request to the domain enterprise certificate authority.
This certificate will be assigned to the server itself, when raising the certificate request, be sure to log into the server using an account that has rights to enroll certificates. One option is to assign the computer itself these rights.
On the Certificate Authority, launch the CA MMC snap-in. Right click on Certificate Templates and select Manage.
Select the Web Server certificate template, right click and select Properties.
On the Security tab, add the server that is to host the Collaboration Service and assign it Enroll rights:

Click OK.

On the Collaboration Server, run MMC from the command prompt and add the Certificates snap-in. Select the option to add it for the Computer Account, and select Local Computer.

Right click on the Personal certificates container, select All Tasks and then Request New Certificate:

Click Next on the resulting wizard. Select the option to use Active Directory Enrollment Policy and click Next.

Select the option to add a Web Server certificate:

Select the option to Click here to configure settings.
On the next screen, complete the entries as shown below:

• Under the Subject Name section, change the Type to Common Name, and change the Value of the Fully Qualified Domain Name of the Microsoft Lync Server Pool, and then click Add.
• Under the Alternative Name Section, change the Type to DNS, and change the Value to the Fully Qualified Domain Name of the Microsoft Lync Server Pool, and then click Add.
• Again, under the Alternative Name Section, leave the Type specified as DNS, and change the Value to the Fully Qualified Domain Name of the server hosting the BlackBerry Collaboration Service.
  Click Add.
• Click the General tab.
• Type OCSConnector for the Friendly Name, then click Apply, and OK.

On the Certificate Enrollment window, click Enroll.

Install the BlackBerry Enterprise Server Collaboration Service

Run the BES installer and select the option to install the BlackBerry Collaboration Service component

Select the option to install the Lync Server 2010 component:

Enter the pool name of your Lync server (FQDN name if you're not sure)

Ensure that all installation checks are passed by the installer wizard:

Once installed, your BlackBerry Smartphones will need the Lync client installed, available here - https://swdownloads.blackberry.com/Downloads/entry.do?code=24E01830D213D...

View this article for details on how to install and configure the Enterprise Messenger client software - http://blog.brightpointuk.co.uk/setting-blackberry-enterprise-server-acc...

Customising the default BlackBerry Enterprise Activation email

The BlackBerry Enterprise Activation feature is undoubtedly one of the principle selling points of the BES solution and makes remote device activation for corporate usage by users themselves as simple as any user-driven process can be - but it is possible to make the process even simpler, and more tailored to your BlackBerry deployment, by customising the default Enterprise Activation password received by users containing their Enterprise Activation password.

By default, the email contains the user's activation password and brief instructions as to where to put it on the device itself:

For existing BES installations these instructions refer specifically to the BlackBerry Device OS 5 and earlier: the location of the Enterprise Activation wizard on OS 6 devices is different, therefore it may be worth amending the default message to contain instructions for newer devices, such as the 9800 Torch.

Read on for instructions on how to customise this message.

BES 4.x

Launch the BlackBerry Manager console.
Select the BlackBerry Domain and click on the option to Edit Properties, the following window will be displayed:

Select General --> Custom Activation Email Message. Edit the message as required, using strings such as "$n" for username, "$p" for password and "$x" for the password expiration time. To enter a custom subject use the "+" sign before the subject line at the beginning of the text box on a separate line:

Save the changes. Any new activation passwords will now contain the revised text:

BES 5.x

Access the BlackBerry Administration web interface. Browse to Devices --> Wireless Activations --> Device Activation Settings:

Enter the same text using the same wildcard settings for username, password and expiration settings.

This message could also include instructions on configuring the BES OCS client if desired - http://blog.brightpointuk.co.uk/setting-blackberry-enterprise-server-acc...

Deploying applications wirelessly with BES 5.0

Although not a new feature to version 5.0 of the BlackBerry Enterprise Server solution, the procedure is slightly different now that the product is administered through a web browser using the BlackBerry Administration Service (BAS).

To deploy an application to a handheld device over the air, the procedure is as follows.

Create a shared application repository

Create a shared folder on the BES itself or somewhere on the LAN that the BES has access to.
Assign the BESAdmin user full read and write access to the share:

Add the repository to the BAS

Launch the BlackBerry Administration Service within a web browser and log in.
Browse to Servers and Components --> Component View --> BlackBerry Administration Service

Add the folder's UNC share path within the Software Management section and set the deployment to be managed by the BAS:

Be sure to click on the Save All entry to apply the changes.

Publish an application to the repository

ZIP up the component files of the application you wish to deploy and copy and paste the ZIP file to the shared directory you created earlier.

Within the BlackBerry Administration Service, browse to BlackBerry Solution Management --> Software --> Applications --> Add or update applications:

Browse to the ZIP file you created earlier and click Next, the package will be read and details imported:

Select the option to Publish the application.

Create a Software Configuration

Within the BAS, browse to BlackBerry Solution Management --> Software --> Create A Software Configuration:

Enter a name for the configuration and Save it.
Edit the Configuration and click on the Applications tab.
Click on the option to Add applications to software configuration
Click on the Search option to display a list of available packages:

Select the target package and click on the option to Add to software configuration

Select the deployment method (either wired, if being deployed using the Desktop Web Manager across the LAN, or wireless if being deployed over the air) and whether the package is optional or required.

Select the option to Save All.

Assign the Software Configuration to a user or a group

Open the properties of a user account or group, and click on the Software Configuration tab:

Add the software configuration to the user account and click Save All.

The package will now be deployed to the user's device.

NOTE - it is also possible for users to install applications themselves locally using the BlackBerry Web Desktop Manager if permitted by the administrator.

Disable Static Mailbox Agent on BlackBerry Enterprise Server

If a BlackBerry user is not able to send email messages, but other users on the same BlackBerry server are not affected, there are a number of things to check.

The first thing to do is to simply remove the battery from the BlackBerry, leave it 60 seconds and then reinsert it, this may resolve the problem.

If the problem persists, can the user send emails from Outlook? If not, and they receive an error message along the lines of “you have exceeded your mailbox size limit”, then this is not a BlackBerry issue and must be looked at by the Exchange administrator – if over their mailbox size limit they will either need their limit increased, or will need to delete or archive some email.

If this is not the problem, there is one thing to check on the BlackBerry Server.

BlackBerry Server 4

Open the BlackBerry Manager. Open the properties for the affected user. Click On Advanced:

Ensure that the option for “Enable Static Mailbox Agent” is set to False. If set to True, change it to False and click OK.

BlackBerry Server 5

Log into the Administration web site. Open the properties for the affected user. Click on the Component Information tab:

Ensure that the option for “Turn on static mailbox agent” is set to No. If set to Yes, click on the option to Edit, set to No and save the changes.

If this is not the problem, then wiping the BlackBerry and re-activating it would be the next sensible troubleshooting step.

How does the BES Wireless Activation process work?

What is it?

In a nutshell, the Enterprise Activation feature of the Blackberry Enterprise Server links a specific Blackberry handheld to a user account on the BES: it is the equivalent of connecting a handheld to the BES server via a USB or RS232 cable. Once activated, the contents of that user’s mailbox are wirelessly synchronised to the handheld. The beauty of the feature is that the Blackberry doesn’t need to be physically connected to the BES before it can be used. In fact, it doesn’t even need to ever set foot on the company premises – it can be activated wirelessly over the cellular network, in theory from anywhere in the world!

Before I describe how this process works, it is first necessary to explain how the end-to-end Blackberry solution works.
Research In Motion, the company that develops the Blackberry solution, has deployed in different parts of the globe, elements of hardware accessible to each mobile network operator that offers Blackberry service: the RIM Relay. This device acts as a proxy server, proxying requests from the handheld devices and the BES servers deployed throughout the world. It is this proxy-based architecture that is the reason why the BES server itself does not require a public IP address, unlike other remote email solutions, but it does also mean that you are dependent upon a third-party’s hardware for your messaging solution to operate.
Each Blackberry handheld device has a unique identifying number assigned to it – its PIN number. When the handheld registers on the cellular network, it sends this PIN number to the RIM Relay so that the Relay ‘knows’ that the device is available and ready to send and receive data. The BES server also has a unique identifier: the SRP key entered during the installation process. Provided that the BES has a connection to the Internet, when the Blackberry services are started, the server also registers with the Relay.

What does the process involve?

Before a handheld can be activated wirelessly, the administrator of the BES first needs to add the user to the BES and then assign an activation password to the user via the Blackberry Manager on the BES itself:

The Administrator selects the entry for the user account, and then clicks on the option to Generate and Email Activation Password within the Service Access task.

This causes an email to be sent to the target user, from the BESAdmin user account, containing the activation password. A typical email would look something like this:

The user now has all they need to activate the handheld.

On Blackberry handheld devices, if you open the Options menu and then select Advanced Options, in this menu you will see an option for Enterprise Activation.
If you select this option, depending on which version of the handheld software you are running, you will see either two or three fields:

• Email
• Password
• Activation Server

The Activation Server field does not need to be completed if the device is being activated via a cellular connection, I will look at this option later.

The user needs to enter their full email address, and their activation password that they were emailed by the BESAdmin user. NOTE – it is important that the user does not get confused and use their NT domain password; it must be the Blackberry enterprise activation password. Also note, if the password contains capital letters, the password IS case-sensitive.

Once the Email and Password fields have been completed, press the jogwheel and select Activate from the menu.
If the phone element of the handheld is currently turned off, you will be prompted to enable it, and the activation process will then proceed.

How does it work?

On the handheld device, when the option to Activate is selected, the handheld examines the email address that has been entered in the Email field. It identifies the domain (the text after the @ sign in the email address), and performs an MX-lookup on that domain, using DNS, to locate the mail server for that domain. Once located, it then sends an email to the email address containing specific text in the subject and body of the message. A typical email might look something like this:

When a user is added to the BES server, the BESAdmin user account monitors the user’s mailbox from that moment on, looking for changes that need to be mirrored on the handheld device.
When this email from the handheld is delivered to the mailbox, the BES detects it, and knows from the text in the subject and body fields that it is a command message, and acts on it accordingly, linking the PIN number of the handheld to that user account. This information is then updated to the Relay so that it ‘knows’ that the PIN of the handheld is linked to the SRP key of the BES server, and that data should be relayed between the two whenever both are online and authenticated. Once this process has completed, the email is then automatically deleted from the user’s mailbox.
This process usually occurs so quickly that the user never actually sees the email arrive or disappear again.
The contents of the user’s mailbox is then synchronised to the handheld. The length of time this process can take will vary depending on the amount of data that is held in the user’s mailbox, but 10 minutes is a normal figure.

What might cause this process to fail?

Mobile Network Operator

The handheld device itself will clearly need to be registered on the cellular network: the user should see the signal strength indicated on the screen, and should also see the type of service indicated: ideally the user should see GPRS or EDGE on the handheld. If the user is out of coverage then the process will fail.

The SIM in the handheld will also need to be enabled for the Blackberry service with the network operator: it is not sufficient to be merely enabled for GPRS or 3G service. If the user receives an error on the handheld along the lines of ‘service connection not available’, despite indicating GPRS service, then the SIM is not enabled correctly for Blackberry service.

DNS

For the enterprise activation process to succeed, the handheld must be able to resolve the MX record for the domain from the email address entered.
MX records are Mail eXchange records, they are the email equivalent of DNS entries for web sites that map, say ‘wwww.bbc.co.uk’ to ‘212.58.253.67’.
The DNS entries for your domain must be configured correctly.
To be honest, this is unlikely to be the cause of the problem as, if your DNS entries were not configured correctly, it is likely that you would not be receiving ANY email, not just emails from Blackberry handhelds. But this worth taking into consideration when troubleshooting the activation process in case your email delivery architecture has anything ‘funny’ in it.

Spam filters & anti-virus software

The activation confirmation email generated from the handheld needs to arrive in the end user’s mailbox, for it to be picked up by the BES server.
If the mail is identified as being spam by a filtering system and ‘quarantined’ the process will fail. Ideally the RIM Relay will need to be added as a ‘safe sender’ to the whitelist. How this is done depends on the filtering system in place – adding the entire domain ‘blackberry.net’ as a safe sender would be one solution.
If the mail does arrive in the user’s mailbox, but has been altered in some way, the process will fail. The text contained in the subject and body of the message is specifically intended for the BES server, therefore if an anti-virus system prefixes the word [SCANNED] to the subject of a message, this will cause the BES to not recognise the mail correctly as being a command message and will ignore it, causing the process to fail.

User permissions

If the command email is not able to be read by the BESAdmin user, then the process will fail. This is normally indicated by the fact that the command email appears in the user’s mailbox, but then never disappears again.
The BESAdmin user needs to be a ‘View-Only Exchange Administrator’, and needs ‘Send As’, ‘Receive As’ and ‘Administer Information Store’ rights on the Exchange Server to be able to properly send and receive emails from user mailboxes to the remote handhelds.

Outlook or desktop email client configuration

If the user's desktop email client is configured to download mails from the user's Exchange mailbox and then remove them - either via POP or to a local PST file, then this can cause the process to fail as the BES won't be able to retrieve the mail if it has already been removed from the user's mailbox.

User error, or ‘ the MD Factor’

Network Administrators out there – if you have verified all of the above and are still at a loss to explain why the process isn’t working, don’t be afraid to suggest that your user is a numpty!

So what is the Activation Server?

I mentioned above that on newer handheld devices, the Enterprise Activation wizard allows for the entry of an activation server address. This field is not required if the device is being activated over a cellular connection, as the device locates the address of the BES by sending the command email to the domain’s mail server for the BES to detect and act on.
The Activation Server field is designed to be used if the handheld is being activated locally via a WiFi connection – provided that activations via WiFi are permitted on the BES itself. This can be configured within the Blackberry Manager.

Installing BlackBerry Enterprise Server 5.0 for Microsoft Exchange

BES 5.0.0 has landed. The administration of this version of the software is radically different from previous versions - the BlackBerry Manager MMC snap-in component having been replaced by a web-based administration service. In this post I will run through the installation procedure which should be relevant to those both familiar with the solution and those accessing it for the first time.
Due to the number of screenshots I shall tackle the installation process only in this post, watch this space for further posts on how to handle routine administrative tasks.

Preparing the Microsoft Exchange environment

I have detailed the procedure for preparing a Microsoft Exchange environment in separate articles:

Exchange 2003
Exchange 2007 / 2010

The steps to run through are as follows:

• Create a domain user account and mailbox for the BesAdmin user account
• Assign the BesAdmin user account local admin rights on the BES server
• Assign the BesAdmin user account "log on as a service" rights on the BES server
• Assign Send As, Receive As and Administer Information Store rights to the BesAdmin user account on the Exchange server
• Assign Send As rights on the Domain to the BesAdmin user account
• Install Microsoft Exchange Server MAPI Client and Collaboration Data Objects 1.2.1 on the BES server

Installing the BES 5.0 software

In this post I shall be installing all BES components on the same server. Read the Deployment Guide for details on all deployment scenarios. I shall be using Server 2008 64-bit in this example.

Extract the contents of the self-extracting EXE installation package. Browse to the folder where the contents have been extracted to and run the setup.exe file:

Verify that you have followed the above article and configured the correct permissions on the BesAdmin user account. Click Continue Installation

Select your Country/Region, read the license agreement and select the option to Agree if you accept the terms and conditions. Click Next:

If this is a new installation rather than an upgrade, select the option to create a new database (watch this space for instructions on the procedure for upgrading an existing installation):

Select the components of the BES solution that you wish to install on this server. In this post I shall be installing all BES services on the same server. Click Next:

The BES installation package will install an instance of the Apache web server as well as several Java packages. Read the license agreement and select the option to Agree if you accept the terms and conditions. Click Next:

The installation wizard will determine that all pre-requisite components are present and indicate what corrective action needs to be taken:

Click Next. You will be prompted to specify the database server to use. If you have a separate Microsoft SQL Server available, select that option and complete the required details. In this post I will be installing the database locally on the BES server itself:

Click Next. Enter the password for the BesAdmin account and enter a name for the BES server itself:

Click Next:

Click Install:

The required components and program files will be copied to the local machine. This may take a few minutes. Once complete you will be prompted to reboot the server:

Click Yes. Once rebooted, the installation procedure will resume automatically:

Click Next. You will be prompted to create the BES Management database:

Click Yes. This may take a few minutes. Click OK once complete:

You will be given the option of specifying which TCP port the database service should access the database on:

Click Next. Enter the CAL (Client Access License) and SRP details:

Click Next. The MAPI component will now be invoked and will prompt for the details of the Exchange server to be accessed:

Complete the fields as required and verify that the Check Name function can resolve both the server and mailbox. Click OK:

Enter a name for the Mobile Data Service application pool as well as passwords for the default admin and publisher user account roles. Click Next:

You will be prompted to create the required database. Click Yes.

Click OK once complete.

You will be prompted to verify that the MDIS service has bee configured, consult the accompanying documentation for more information if required. Click OK.

If you selected the option to install the Monitoring Service you will be prompted to enter the database server details. Click Next:

You will be prompted to create the required database, click Yes:

Click OK when complete:

If you selected the option earlier, you will be prompted to specify your instant messaging environment. Make the appropriate selection and click Next:

Enter the details of the BlackBerry Administration Service web pool and enter the password for the SSL certificate for the admin web site. Click Next:

You will be prompted to enter details of the LDAP account used to access the Exchange Global Address List. Use the BesAdmin domain user account unless required otherwise. Click Next:

Enter the default password for the admin account that should be used to access the web administration web site. Click Next:

The installation wizard is now complete. Click the option to Start Services and verify that all services start successfully. Click Next:

Details of the web admin tool and the web desktop tool will be displayed, make a note of these addresses. Click Close.

The installation is now complete. The web-based admin tool can be accessed from the Start menu:

Launch the BlackBerry Administration Service:

Set the "login using" field to the BlackBerry Administration Service. Enter "admin" as the user name and the password you specified earlier:

You will be prompted to install an ActiveX component, select the option to install:

And again when prompted select the option to Install:

Once complete, you will be prompted to restart the BES server again. Select Yes.

Once rebooted, launch the Admin Tool again and log in using the same credentials as before, remembering to set the "Login using" field to the BlackBerry Administration Service. The BES Admin tool interface will be displayed:

NOTE - on my fully patched Server 2008 installation, which includes IE8, the Admin tool did not display until I enabled the Compatibility View mode.

You can now finalise your BES configuration and add users as required. Watch this space for more information on how to add users and perform routine admin tasks.

Firewall Rules

NOTE - on Server 2008 you will need to configure the built-in firewall to allow connections to the Apache web server instance on port 443 from all desired hosts before they will be able to access either the Administrator or Web Desktop tools.

Outbound SMTP access on TCP port 25 will need to be enabled between the BES and the Exchange server for activation and administrator mails to be delivered successfully.

If the SQL Server being used is external to the BES, SQL access on port 1433 will need to be configured (or the static port specified during the installation process).

Outbound access on TCP port 3101 to the BES Relay will need to be enabled.

Adding Users

To add users to the BES 5 server, log into the Administration Web Tool.
Browse to User --> Create A User:

To search for available users click on the Search link:

Select the target user and click Continue:

Select the BES server that the user should be added to and click Continue:

Enter the Activation Password for the user and click Create User:

An email will now be sent to the user containing the Activation Password:

The user will now be able to activate their handheld in a number of ways:

• Over the cellular network using the Enterprise Activation feature on the handheld device
• Over a local WiFi network using the Enterprise Activation feature on the handheld device by specifying the IP address of the activation server
• Via the BlackBerry Web Desktop by connecting the handheld to their local PC via USB

Activating over the cellular network

Once an enterprise activation password has been assigned to the user, the Enterprise Activation feature on the handheld can be located under Options --> Advanced Options --> Enterprise Activation.
In here the user simply need enter their full email address, including domain, and the activation password assigned by the administrator.

For detailed information on how the Activation Process works, read this article:

http://blog.brightpointuk.co.uk/how-does-bes-wireless-activation-process...

Activating over the WiFi network

For those devices that have WiFi capability, provided that the local wireless network can route to the BES server, devices can be activated by completing the Enterprise Activation wizard as above, but with the additional step of completing the Activation Server Address, which needs to contain the IP address of the BES server.

NOTE - this feature needs to be enabled on the BES manually as it is not enabled by default. If the BES server has been deployed in a multiple-box deployment, it is the IP address of the BES Router component that needs to be entered on the handheld device, and the Router needs to be configured to be able to relay SMTP traffic to the Exchange Server. To do this, on the BES server open the BlackBerry Server Configuration utility from the Start Menu. Click on the WiFi OTA Activation tab:

Complete the details of the Exchange server as required.

Also note, to accept activation requests on Server 2008, the built-in firewall will need to be configured to accept incoming requests on TCP port 4101.

Activating via the BlackBerry Web Desktop

Users can browse to the Web Desktop URL (https://(bes_server)/webdesktop) from their Windows PC running IE6 or later:

When logging in for the first time they will be prompted to install the "RIMWebComponents", this will install the required USB drivers and device manager software onto the PC. Administrative rights will be required for this.

Once installed, the user will be able to login using the domain credentials:

The user can now connect their handheld device to the PC via the USB connection. The device manager software will detect the device automatically. The user will be prompted to enter their activation password within the browser.
If the feature has been enabled on the BES by the administrator, users can even set their own activation passwords and enable their own devices, without the IT department getting involved at all (provided that their user account has been added to the BES):

Once activated, the device will be listed in the properties of the user account:

Clicking on the device entry will display detailed information about that device:

and provide a list of tasks that can be performed on that device, including the ability to perform a 'remote kill':

Locating your BlackBerry Enterprise Server SRP Key

The SRP Key of a BlackBerry Enterprise Server installation is the unique identifier assigned to the BES which it uses to access the RIM Relay. If you need to locate this key for support or migration purposes, it can be located as follows.

BlackBerry Enterprise Server version 4.x / BlackBerry Professional Software

Launch the BlackBerry Server Configuration Utility from Start --> Programs --> BlackBerry Enterprise Server.
Click on the BlackBerry Server tab:

The SRP Identifier and authentication key will be displayed.

BlackBerry Enterprise Server version 5.x

Log into the BlackBerry Administration Service.
In the Servers and Components section expand the Server View.
Select the named entry of your BlackBerry Server:

The SRP Identifier and authentication key will be displayed in the SRP Information section.

New Features in BES 5.0

BES 5.0 is finally here and the Brightpoint GB Tech Blog have installed it in their test lab. In this post I shall run through some of the new features you can expect to find in this release. The solution has been re-engineered considerably 'under the hood', with support for Windows Server 2008 included and all server administration now being web-based. Major changes have been made the individual component services that make up the BES solution allowing for a wide range of deployment topologies as well as fault-tolerance, making it an attractive solution for both the Enterprise and SMB markets.

Server Features

Web-based Administration

The first and most apparent change in this release of the software is how the solution is administered. The MMC-based BlackBerry Manager application has been replaced with a web-based admin tool which enables the BlackBerry domain, user accounts, devices and device features to be managed from any PC with access to the BES.
The Mobile Data Service (MDS) and the Software Configuration areas are also managed via this web-based tool.
The Admin tool is accessed by browsing to https://(server)/webconsole/app/
The MDS Admin tool is accessed at https://(server)/mdsisconsole/app/
Internet Explorer 6 or later is required to access the tool.
Separate administrative logins to the web-based tool with varying permission levels can be configured.

NOTE - on my fully patched Server 2008 installation, which includes IE8, the Admin tool did not display until I enabled the Compatibility View mode.

BlackBerry Web Desktop Manager

The Web Desktop Manager has been available as an optional download for BES 4.1.x, which I posted about here (http://blog.brightpointuk.co.uk/node/95). This feature is now built into the BES 5.0 release and enables users to manage their BlackBerry devices from a web browser. This tool removes the need for the BlackBerry Desktop software to be installed on users' PCs and allows users to activate and deactivate their own handhelds, set their own activation passwords as well as install, update or remove applications on the handheld. Email filters can be applied, governing what mails are pushed to the handheld.
The entire contents of the device can also be backed up to the server and restored at a later date by the user via the web interface, or an automatic scheduled backup can be configured.
Finally, users can also edit the default signature via the web interface, rather than having to do it on the device.
The above features can be restricted by the administrator if desired, or made available or on a per-user or per-group basis.
The Web Desktop is accessed by browsing to https://(server)/webdesktop
Internet Explorer 6 or later is required to access the tool.
When logging into the Web Desktop Manager for the first time, the web site will prompt users to download and install a client application which contains the required handheld USB drivers and the BlackBerry Device Manager application which is used to install applications and certificates onto handhelds. Local administrative rights on the PC will be required to install this component.
Alternatively, the component is available in an MSI package, "RIMWebComponents.msi" that can be installed onto client PCs separately or via Active Directory Group Policy.

BlackBerry Enterprise Server High Availability

This is a new deployment scenario supported by BES 5.0 which provides for 2 BES servers to be deployed in a clustered environment with the BlackBerry database replicated between both servers, meaning that no single point of failure exists in the solution. When running the solution in an Active / Passive cluster, failover can be configured to occur automatically based on pre-defined thresholds which are continually monitored by the BlackBerry Monitoring Server (see below).

Support for Microsoft Windows Server 2008

BES 5.0 can now be installed on Windows Server 2008, both 32-bit and 64-bit versions.

Support for Microsoft SQL Server 2005 Express Edition

BES 5.0 now uses Microsoft SQL Server 2005 Express Edition as its default database back-end rather than the older Microsoft SQL Server Desktop Engine (MSDE). SQL Server 2005 Express Edition will be installed automatically during the BES installation unless you specify an alternate database server manually.

BlackBerry Monitoring Service

The Monitoring Service records up to 57 weeks worth of performance information on specific individual BES components as well as the connection status of the solution which can be reported on by the administrator. Thresholds and alerts can also be configured.

Support for IBM Lotus Domino 8.5 and Lotus Notes 8.5

BES 5.0 now supports the latest versions of both Lotus Domino and Lotus Notes. Lotus Notes Links are also supported. In Lotus Notes, users can include document links, view links or database links (also known as application links) in their email messages. Any links received in email messages on the BlackBerry handheld can be viewed in the BlackBerry handheld browser. Users may be prompted to enter the username and password if the target document is stored in a secure area.

Handheld Features

(When using device software v5.0 in conjunction with BES 5.0)

• Calendar
  • Ability to forward calendar appointments and view attachments saved to meeting invitations
  • Pop-up reminders containing conference call information will enable users to dial the number directly from the reminder
• Contacts
  • Ability to view subfolders of the personal Contacts folder
  • Ability to specify which subfolders of the Contacts folder should be synchronised to the device via the Web Desktop Manager
  • Ability to view contacts within Public Folders
  • Ability to specify which Public Folder contact lists are synchronised to the device via the Web Desktop Manager
• Browser
  • Support for Google Gears
  • Support for in-line video streaming
• Miscellaneous
  • Support for email follow-up flags
  • Support for the .wma audio file format
  • Ability to add, remove, move and rename personal folders
  • Improvements to BlackBerry Maps performance
  • Ability to set default download folder, wallpaper and icon layout from 'Homescreen Preferences'
  • Access the Application Switcher by pressing and holding the Menu key

RIM add BlackBerry support for Exchange 2010 to BES 5

RIM have officially added support for Exchange 2010 to BlackBerry Enterprise Server 5. Following hot on the heels of SP1 for BES 5 (http://blog.brightpointuk.co.uk/service-pack-1-bes-5-released), both RIM and Microsoft have released updates for BES 5 and Exchange 2010 to enable compatibility.
The pre-prequisites are therefore:

• BES 5.0.1 MR1 (ie BES 5 with Service Pack 1 and Maintenance Release 1)
• Rollup Update 1 for Exchange 2010 - http://www.microsoft.com/downloads/details.aspx?FamilyID=371add31-d7a0-4...
• Microsoft MAPI CDO 1.2.1 - http://www.microsoft.com/downloads/details.aspx?familyid=e17e7f31-079a-4...

For detailed information on how to configure Exchange 2007 / 2010 for a BES deployment, read this article - http://blog.brightpointuk.co.uk/bes-41x-50-exchange-2007-pre-requisites

The Exchange 2010 area of the BlackBerry web site can be found here - http://na.blackberry.com/eng/services/server/exchange/2010support.jsp

Removing the BlackBerry MDS Integration Service from BES 5

The new Service Pack 3 release for BlackBerry Enterprise Server 5 does not support the MDS Integration Service, which is no longer in production and has been phased out by RIM.
If your existing BES server has the MDS-IS role installed, it must be removed before you will be able to upgrade to Service Pack 3:

In this article I am running BES 5 SP2.

In order to remove the MDS-IS service prior to upgrading to BES 5 SP3, if you are not already, you must install BES 5 SP2 Maintenance Release 2 or higher, and then reboot the server.

Once the Maintenance Release has been installed, launch the BlackBerry Administration Service and expand the Server View in the BlackBerry Solution Topology section. Select the entry for the MDSSx.
Click on the Supported Dispatcher Instances tab and remove all Dispatcher entries from the right hand column:

Save the change.

Now exit the BlackBerry Administration Service.

Launch the BES SP2 installer package by running the setup.exe file. Run through the installer wizard until you see the list of installed services:

Untick the option to use the BlackBerry MDS Integration Service. Run through the rest of the installation leaving all of the other values at their existing setting. A reboot will be required.

Once rebooted and the installation completed, launch the BlackBerry Administration Service and log back in.

In the BlackBerry Solution Topology section click on the Component View:

You will see that the MDS Integration Service is uninstalled. Click on the icon of the red bin to remove the service from the configuration database:

Select the option Yes - Delete this instance

The MDS Integration Service will now be removed from the BES and you will be able to run through the BES 5 SP3 installer wizard.

Service Pack 1 for BlackBerry Enterprise Server 5 released

Service Pack 1 for BlackBerry Enterprise Server 5 is now available, bringing the version number up to 5.0.1

The update, which weights in at 657MB for Exchange and 667MB for Domino, is available for download from the BlackBerry web site - https://www.blackberry.com/Downloads/browseSoftware.do

New features in this release include:

• BlackBerry Device Dashboard

  Using this feature, BES administrators can keep track of the BlackBerry Monitoring Service directly from their handheld. Alarms, Messages and the status of the BES can be viewed.

• Administration Service Enhancements

  Administrators can now access right-click context menus on user accounts to perform common administrative actions.

  

  When creating user accounts, you can add users to groups and software configurations.

• Import WiFi and VPN configuration profiles

  You can add, delete or update the WiFi and VPN profiles that you assign to users by importing a CSV file.

• Support for Exchange Web Services

  If you are running Exchange 2007 SP1 or later, it is now possible to configure the BES to access Exchange calendaring information using Exchange Web Services rather than CDO.

• Support for odp and ods file formats

  BES 5.0.1 provides support for the OpenOffice file formats odp (presentation) and ods (Spreadsheet)

  

• Support for SQL Server 2008
• Support for Internet Explorer 8

  The BlackBerry Administration Service web site can now be accessed from the IE8 web browser.

Service Pack 2 for BlackBerry Enterprise Server 5.0 available

RIM have released SP2 for BES 5 for both Microsoft Exchange and Lotus Domino flavours. Weighing in at 668MB (for Exchange) and 678MB (for Domino), the update is a complete copy of the BES software.

Both updates can be downloaded free of charge from the BlackBerry web site - http://blackberry.com/go/serverdownloads

New features for Microsoft Exchange deployments include:

• Automatic discovery of Exchange Web Services - The BlackBerry Messaging Agent can discover Microsoft Exchange Web Services automatically and use it to synchronise calendar data (replacing the now deprecated MAPI CDO API)
• MDS Connection Service Integrated Authentication - When BlackBerry device users need to access internal network resources from their devices, the MDS Connection Service can be configured to authenticate users using their Windows account credentials
• Administrative Groups - The BlackBerry Administration Service includes new default groups that have preconfigured roles that you can add different types of administrative accounts to. The default groups help make sure that users without administrative privileges cannot escalate their permissions.
• Enhancements to activation and prepopulation - The BlackBerry Messaging Agent now monitors the Junk Mail folder as well as the Inbox for activation messages. You can now configure the BES to prepopulate a maximum count of 3000 email messages and a maximum message age of 30 days
• Enhancements to S/MIME encryption - If users configure S/MIME encryption on their devices, you are no longer required to turn on S/MIME encryption on the BES before the BES can begin processing S/MIME protected messages
• Enhancements to SRP connections - When you install a BES or start the BlackBerry Dispatcher Service, the BES verifies whether the SRP ID is currently in use by another BES already. If it is in use, the BES does not open the SRP connection
• Enhancements to the synchronisation of email message content - The BES forwards the full content of email messages that are sent from email applications to the device, rather than just the message header and subject
• Enhancements to the BlackBerry Administration Service - If an administrator enters their password for the BAS incorrectly 10 times in succession, the administrative account is locked for 15 minutes and the administrator cannot log in
• Enhancements to the BlackBerry Web Desktop - If you configure the appropriate option in the BlackBerry Administration Service, the BlackBerry Web Desktop Manager permits users to perform the following self-service tasks: specify a new device password and lock the device; delete all device data and disable device
• Support for Single Sign On authentication - Access to both the BlackBerry Administration Service and the BlackBerry Web Desktop can be managed automatically using Windows credentials
• Microsoft SQL Server 2008 R2 is now supported
• The default body size of calendar entries that the BES synchronises with devices is now larger
• Support for web browsers - The BlackBerry Administration Service can now be accessed from web browsers other than Internet Explorer, including Safari, Firefox and Chrome - NOTE Internet Explorer is still required for management of devices locally via USB
• Microsoft Windows Server 2008 R2 is now supported

View the release notes for full details of all the new features and bug fixes included in the Service Pack.

Service Pack 3 for BlackBerry Enterprise Server 5 released

Service Pack 3 for BlackBerry Enterprise Server 5 for both Microsoft Exchange and Lotus Domino is now available to download from http://blackberry.com/go/serverdownloads

New features include:

• Device software updates - administrators can choose to make device software updates available to users. Users can also optionally roll back to an earlier device software version following an update if desired

  

• Instant Messaging integration - Service Pack 3 adds support for Microsoft Office Communications Server 2007 R2 and Microsoft Lync Server 2010

  

• Media downloads - the default size limit for downloading media files via the device browser has been increased
• Device Wipe - it is now possible to remove only "organization data" from devices when performing a remote wipe from the BES.

  

  Note - this feature needs to be supported by the device

  

• New IT Policies - it is now possible to enforce the following from the BES:
  • Disable forwarding of work contents over personal channels
  • Require work resources for conducting work activities

    

  • Disable Amazon MP3
  • Disable Geo-location in social networking applications
  • Prevent media sync over a WiFi connection

    

  • Allow wireless software updates
  • Allow third-party apps to access screen contents
• Office 2010 - SP3 provides support for Office 2010 file attachment formats

The above IT policies referring to Work and Personal channels relate to a forthcoming device software update called BlackBerry Balance that will allow you to create home and work profiles on your device, and grant access to the company IT administrator only to the work area of the device, and similarly the IT administrator will only allow the work area of the device access to company resources.

The Release Notes and the updated Policy Reference Guide for BES 5 SP3 are attached to this article below.

Policy Reference Guide

Release Notes

Setting up BlackBerry Enterprise Server for access to Office Communicator Server

The BlackBerry Enterprise Server (BES) product supports both OCS 2005 and 2007 versions, but uses the Communicator Web Access (CWA) component of the solution, so this feature needs to be installed on the OCS server itself.

For details on how to configure a Microsoft Lync 2010 deployment, read this article - http://blog.brightpointuk.co.uk/configuring-blackberry-enterprise-server...

Verify that the CWA web site can be accessed from the browser on the BES server, ensuring that DNS is correctly configured and installing any SSL certificates if required:

And verify that a sample user account is able to log in via the browser:

The CWA web site itself should be enabled for Forms-based authentication: which is the default configuration, as well as Integrated Windows Authentication:

Run the BES installation wizard. Whether this is a clean install, or you're adding the instant messaging functionality to an existing installation, the first screen will prompt you to select your Instant Messaging platform:

NOTE - if this is an existing installation, you should run the installer as the same user account that was used to first install the solution originally (ie the BesAdmin account).

Select the appropriate version of OCS. Run through the rest of the installation steps - for detailed information on how to install the BES solution from scratch, visit the BlackBerry section of the blog (http://blog.brightpointuk.co.uk/blackberry). Even on an existing installation you will be prompted to run through all installation steps and reboot the server.
Following a reboot the installation will resume and you will be prompted to enter in the address of the Communicator Web Access server:

Enter in the server address minus the /cwa suffix, so if your CWA login address is https://ocsweb.domain.com/cwa just enter 'ocsweb.domain.com'

Specify whether the server is accessed via HTTP or HTTPS and enter the port number if not using the standard 80 or 443 ports.

Complete the installation. When finished, within the list of BlackBerry services will be one named 'BlackBerry Collaboration Service', ensure that it has started successfully:

Setting up BlackBerry Smartphone devices

The BES is now configured. In order to use the BlackBerry device, you will first need to ensure that the BlackBerry Instant Messaging (BBIM) service book is present on the device.
To do this, on the device itself browse to Menu --> Options --> Advanced Options --> Service Books and ensure that BBIM is listed. If not, it may be necessary to re-send services books from the BES within the BlackBerry Manager.

Next, the OCS client software itself will need to be installed onto the handheld. One way of doing this is to use the BlackBerry Desktop Manager application.
The OCS client software can be downloaded from the BlackBerry web site - http://na.blackberry.com/eng/support/downloads/im.jsp

Download the file to your PC and extract the contents. The BlackBerry Desktop Manager software can be downloaded from the BlackBerry web site here - https://www.blackberry.com/Downloads/entry.do?code=A8BAA56554F96369AB93E...

Once installed, connect the BlackBerry to your PC and launch the Desktop Manager application. If prompted to select an Outlook profile, simply press Cancel. The following window will be displayed:

Click on the Application Loader and select the option to Add/Remove Applications.
The wizard will read details from the device about installed software, this process may take a few minutes. When prompted, click on the option to Browse and navigate to where you saved the extracted OCS client:

Select the OfficeCommunicator2007.alx file and click Open.
Tick the option to Install ‘Enterprise Messenger’ and click Next. The software will then be installed onto the device. When complete you can disconnect the device from the PC.

On the device itself, in the main menu should now be a folder called ‘Instant Messaging’:

Within this folder will be an icon for Enterprise Messenger:

Tap the icon to launch the OCS client:

You can now sign in using your domain username and password. If you have any contacts saved to your address book already, they will be displayed together with their status:

Once logged in, your status will also be updated:

You are now connected to the OCS server from your BlackBerry.

Troubleshooting BlackBerry Enterprise Server synchronisation issues

In this article I shall look at what to check when your BlackBerry users are unable to either receive mail, send mail, or both.
This article will only examine how to troubleshoot BES when deployed against an Exchange server rather than Domino or Groupwise.

Regardless of which version of the BES software you are running, the way in which it access Exchange is essentially the same - a system account is granted read and write access to user's mailboxes and manages their mailbox on their behalf. In the event of a problem, the specific troubleshooting steps will vary depending on the version of Exchange you are running, but the basic elements to verify are common to all:

• Number of users affected
• Device network connectivity
• User mailbox status
• Message filters
• BES server services
• BES server network connectivity
• BesAdmin Exchange permissions
• Event Viewer
• Log files

This article also assumes that users have already successfully activated their devices and have been able to both send and receive mail before, and have only now started experiencing problems. For details on how to troubleshoot the Enterprise Activation procedure, view this article - http://blog.brightpointuk.co.uk/how-does-bes-wireless-activation-process...

This article is not intended as an exhaustive troubleshooting guide. Should all of the steps outlined in this article appear to be passed by your BES deployment, and yet you continue to experience difficulty, then detailed examination of the BES log files and use of the BES Resource Kit may be required to isolate and rectify the cause of the problem. Brightpoint's technical support staff are fully-versed in all aspects of the BES solution and able to provide expert support.

BlackBerry Architecture

When troubleshooting BES issues, it is important to understand how the end-to-end BlackBerry architecture works and the components involved.

RIM deploy and maintain what is referred to as the BlackBerry Infrastructure (BBI). BES servers are assigned unique SRP IDs, which are used to authenticate against and register with the BBI using the Server Router Protocol (SRP). Connections are initiated from the BES to the BBI on a single TCP port, number 3101. This is the reason why BES servers are not required to be "Internet-facing" and do not require public IP addresses.
Client devices also register with the BBI, using unique PIN numbers. Messages sent from the BES are encrypted and then routed over the Internet to the BBI, including the target device's PIN number in the header information. Similarly, messages sent from handhelds are encrypted and sent to the BBI using the BES server's unique SRP key in the header.

Typically, the ability to receive email but not send is either due to Active Directory permission issues, or an exception to the Exchange mailbox size limit policy. If mail is being received then it is relatively safe to assume that both client device and BES are operating correctly. If mail is not being received (or sent), then a sensible troubleshooting procedure would include the following.

NOTE - the same troubleshooting procedure applies to the BlackBerry Professional Software (BPS).

Number of users affected

If only one user is reporting problems, then it is advisable to verify the status of the client device and that specific user's Exchange mailbox before you worry about the server. If all users, or an administratively-significant number of users are reporting problems then the server status should be examined. As the administrator, if you have a device yourself, is yours working?

Device Network Connectivity

If you believe the issue to be unique to a specific user, then verify that the device itself is correctly configured.

Is the cellular element of the device enabled? By default when powering on devices all networks are disabled. If the device has been used in a location that requires cellular devices be deactivated, has the user remembered to reactive the radio?

Can the device be used to make voice calls (if voice is enabled on the SIM and the IT policy allows use of the phone)? If the user receives a recorded message indicating that a call to customer services is required....then a call to customer services may be required to rectify an account issue.
Is the device registered with the cellular operator and indicating a packet data connection (either "GPRS", "EDGE" or "3G")? If not, the user may not be in a suitable coverage area or the operator may be experiencing a localised network fault.
Does the user definitely have the BES subscription on the SIM they are using in the BlackBerry device?

To force a device to register with the BlackBerry Infrastructure, select Menu --> Options --> Advanced Options --> Host Routing Table --> Menu --> Register Now

In many cases, simply removing the battery from the device and reinserting it after a couple of seconds may resolve the issue.

You can verify that the device is correctly registered on both the cellular network and with the BlackBerry infrastructure by sending a PIN message from the device to itself: within the Inbox on the device select the option to Compose PIN and send a message to yourself. This will cause a message to be sent from the device back to itself via the BlackBerry Infrastructure independently from the Exchange server.

New to version 5.0 of the device handheld software is a mobile network diagnostic test utility. Should you want to perform more detailed diagnostics, select the Options icon from the main menu. Select the Mobile Network menu entry:

The following screen will be displayed:

Press the menu button and select the entry for Diagnostics Test. The following window will be displayed:

Press the menu button and select the Run option:

Verify that all tests are completed successfully:

• BlackBerry Registration
• Connected to BlackBerry
• BlackBerry PIN-PIN

User Mailbox Status

If the user's device appears to be operating correctly, can the user access their mailbox via Outlook or Outlook Web Access? If the user's account has been disabled for any reason the administrator will need to ascertain why and whether the account can be reactivated.
If the user has exceeded their Exchange mailbox size limit, the ability to receive new mail may have been disabled and the user will need to free up some space in their mailbox before any new mails will be delivered.

Message Filters

If a user is receiving some email messages but not all, or is not receiving any messages but troubleshooting so far indicates that everything appears to be functioning correctly, verify what messages filters have been applied to the user's account: it may simply be the case that the user has inadvertently applied a rule that prohibits certain or all mails from being forwarded to their BlackBerry device:

BES services

Should more than one user have reported problems, and your own device not be receiving mail, verify the status the BES. Ensure that all required BlackBerry services are running and check the Application log in the Event Viewer for any warning or critical error messages.
Restarting the BlackBerry Controller service will cause all BlackBerry services to be refreshed.

BES network connectivity

If no messages are being received by handhelds, either email or PIN messages, verify that the BES is connected to the BlackBerry Infrastructure. You can verify whether the BES or BPS server is successfully connected to the SRP infrastructure by launching the BlackBerry Server Configuration utility from the Start menu and selecting the BlackBerry Router tab:

Click the Test Network Connection button and verify that the test is successful. Should the test fail verify that the server has outbound Internet access on TCP port 3101 on any firewalls between the BES and the outside world.

Alternatively you can run the bbsrptest.exe utility at the command line. On the BES server open a command prompt and navigate to the directory where the BES software has been installed to - c:\Program Files\Research In Motion\BlackBerry Enterprise Server\Utility by default.
Run the following command:

bbsrptest.exe

If the test is successful the following will be displayed:

Alternatively, if you have a BlackBerry Technical Support subscription, you can view the status of a specific BES SRP key and re-enable it should it have been disabled for any reason:

Verify whether the company Internet feed may be congested or have insufficient bandwidth to accommodate the volume of traffic being generated using SNMP monitoring tools such as MRTG (http://blog.brightpointuk.co.uk/mrtg)

Should the SRP connectivity test be successful, you can also verify end-to-end connectivity between the BES and the handheld by sending the user a PIN message from the BES:

BesAdmin Exchange permissions

Should PIN messages be delivered end-to-end successfully, then this would indicate that both BES and devices are operating correctly. Should Exchange emails not be being delivered, then the permissions of the BesAdmin account (or the user account used to install the BES server) should be verified. This step is essential when troubleshooting issues whereby emails are being received by users, but no emails are able to be sent.

In any Exchange BES installation, the BesAdmin will need the following rights in order to be able to both send and receive emails successfully:

• Exchange View Only Administer privileges
• "Send As", "Receive As" and "Administer Information Store" privileges on the Exchange server
• "Send As" permissions on User Objects on the Active Directory domain

The steps to verify that these permissions have been correctly applied are as follows:

Exchange 2003

Delegate administrative control to the BesAdmin user account

On the Exchange server, select Start → Programs → Microsoft Exchange → Exchange System Manager.

Right click on the Organisation name (at the root of the directory in the left-hand pane) and select Properties. The following window will be displayed:

Tick the options to Display routing groups and Display administrative groups. Click OK. If you receive a warning message indicating that the Exchange System Manager needs to be closed and re-opened for the changes to take effect, click OK.

Close the Exchange System Manager and then re-launch it again from the Start menu.

Right click on the first Administrative Group and select Delegate Control, as shown below:

The Administration Delegation Wizard will be displayed:

Click Next. The following window will be displayed:

Click Add. The following window will be displayed:

Set the Look in field to the domain in which the BES server resides. From the list of users select the BesAdmin account and click OK.

Click Next and then click Finish to complete the wizard.

Assign Send as, Receive as and Administer information store rights to the BesAdmin user account

Within the Exchange System Manager, right click on the entry for the Exchange server which the BES is going to communicate with and select Properties, as shown below:

Click on the Security tab. In the list of users select the BesAdmin user account. In the list of permissions, scroll down and tick the options to allow Administer information store, Receive As and Send As.

Click OK.

For full details on how to prepare Exchange 2003 for a BES installation, read this article - http://blog.brightpointuk.co.uk/bes-41x-50-exchange-2003-pre-requisites

Exchange 2007

Assign Send as, Receive as and Administer information store rights to the BesAdminuser account

Unlike previous versions of Exchange. This needs to be done at the command line via the Exchange Management Shell.

Launch the command interface and enter the following command:

get-mailboxserver (servername) | add-adpermission –user (service account)-accessrights GenericRead, 
GenericWrite -extendedrights Send-As, Receive-As, ms-Exch-Store-Admin

Where (servername) should be replaced with the name of the Exchange Server, and (service account) should be replaced with the Alias name of the BesAdmin user account (so ‘BesAdmin’ in this case)

If you are successful, you should see the following:

To verify the permissions of an existing account, type:

get-mailboxserver (servername) | getADpermission -user (service account) | Format-List

For full details on how to prepare Exchange 2007 for a BES installation, read this article - http://blog.brightpointuk.co.uk/bes-41x-50-exchange-2007-pre-requisites

Exchange 2010

Assign "Receive As" and "Administer Information Store" rights to the BesAdmin user

On the Exchange server, launch the Exchange PowerShell and issue the following command:

Get-MailboxDatabase | Add-ADPermission -User "BesAdmin" -AccessRights
 ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin

Assign Exchange View-Only Administrator rights to the BesAdmin user

Still within the Exchange PowerShell, now issue the following command:

Add -RoleGroupMember "View-Only Organization Management" -Member "BesAdmin"

Assign "Send As" rights to the BesAdmin user

This is done on the Exchange server itself within the Exchange PowerShell. Launch the console and issue the following command:

Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights
Send-As -User "BesAdmin" -Identity "CN=Users,DC=domain,DC=com"

(where "domain" and "com" should be substituted for your specific domain details, eg: DC=brightpoint,DC=co,DC=uk and so on)

To force all of the above changes to take effect on the domain, it may be worth running a group policy update. On the Exchange server click Start --> Run and issue the command "gpupdate /force"

Turn off Exchange 2010 Client Throttling

Exchange 2010 uses client throttling by default to protect the Exchange server from excessive user demands. RIM recommend turning off this feature as it can have an adverse affect on the performance of the BES solution. This is done within the Exchange PowerShell console.
Launch the console and issue the following command to get the "Identity" of the default throttling policy"

Get-ThrottlingPolicy | Where-Object {$_.IsDefault -eq "True"} | FL Identity

the Identity will be displayed:

Now issue the following command:

Set-ThrottlingPolicy -RCAMaxConcurrency $null

You will be prompted to enter the Identity to apply the policy to, enter the result returned above:

Increase the maximum number of connections to the Exchange Address Book Service

On the Exchange Server (or specifically the Client Access Server in a multi-box deployment), browse to C:\Program Files\Microsoft\Exchange Server\V14\Bin and locate the file "microsoft.exchange.addressbook.service.exe.config" and open it in NotePad:

Locate the line "MaxSessionsPerUser":

Increase the value to 100000. Save the file then restart the Address Book Service:

For full details on how to prepare an Exchange 2010 environment for a BES installation, read this article - http://blog.brightpointuk.co.uk/bes-501-exchange-2010-pre-requisites

All versions of Exchange

Assign Send As rights on Domain User Objects to the BesAdmin user account

On the Exchange Server, launch the Active Directory Users and Computers MMC snap-in:

Open the View menu and select the option to show Advanced Features.

Right click on the Domain root and select Properties. Click on the Security tab:

Click on the Advanced button. Select the option to Add a user:

Enter the alias of the BesAdmin account created earlier and click OK. In the Apply Onto drop-down menu select the option for User Objects:

In the Permissions section select the option to enable Send As:

Calendar Issues

Should email messages be sent and received successfully between the BES and handheld devices, but calendar appointments not be synchronised, a common step missed when installing the BES solution is to register the CDO.dll file on the BES server.
This only applies to versions of Exchange prior to 2007. When installing BES against Exchange 2003 and earlier, usual practice is to install the Exchange System Manager on the BES server. This installs the required MAPI components, but does not install the files required for calendaring.
The CDO.dll file needs to be located on the Exchange server, copied to the System32 directory on the BES server and registered:

By default the cdo.dll file will be located in the C:\Program Files\Exchsvr\Bin directory. To check the version of the file, right click on it and select Properties. Click on the Version tab:

The cdo.dll file needs to be registered, otherwise wireless calendar synchronisation will not function correctly between the Blackberry handheld and the server. To register the file, copy it to the C:\WINNT\System32 directory.

Once the file has been copied, select Start → Run. Enter “cmd” in the dialogue and press OK.

A command prompt will be displayed. Change to the WINNT\System32 by typing cd winnt\system32 and pressing enter.

Type regsvr32 cdo.dll and press enter:

If the file is registered successfully, notification will be displayed as shown below:

This procedure is not required for BES installations against versions of Exchange later than 2003 as the MAPI CDO package is used rather than the Exchange System Manager.

Troubleshooting BesAdmin user account permissions

The commonest cause of problems when troubleshooting issues with a BES installation is that the correct permissions have not been assigned to the BesAdmin user on the domain and the Exchange server as detailed above.
Included with the BES 5 software is a utility called "IEMSTEST" which can verify the BesAdmin user's access to specific user mailboxes.

The utility lives in the C:\Program Files\Research In Motion\BlackBerry Enterprise Server\Utility folder and needs to be run at the command line:

Select the BlackBerryServer MAPI profile when prompted:

Select the user account you wish to query:

The permissions will be tested:

As you can see from the above screenshot this test has indicated that the BesAdmin account does not have Send As rights on my James Liddiard user account. Once I verify my permissions, re-running the test indicates that all test have passed successfully:

General Troubleshooting

Should you be unsure as to whether the server running the BES server meets the requirements of the software, or has all the components necessary for integration with Exchange, you can run the BlackBerry System Requirements Tool, part of the BlackBerry Enterprise Server Resource Kit:

This information will be required by Technical Support should you wish to escalate an issue.
The BlackBerry Enterprise Server Resource Kit (BRK) can be downloaded free of charge from the BlackBerry web site.

Upgrading a BES 5.0.2 MSDE installation to BES 5.0.3

With the release of BlackBerry Enterprise Server 5 Service Pack 3 (5.0.3), RIM have dropped support for the Microsoft SQL Desktop Engine (MSDE).
If you have upgraded a previous version 4.x BlackBerry server to version 5.x and wish to upgrade to 5.0.3, you will receive an error message stating that you do not have a supported database platform and the upgrade will not proceed any further.

The MSDE installation must be upgraded to SQL Server 2005 Express or later in order to install BES 5.0.3
In this article I shall run through how I installed SQL Server Express 2008 in order to upgrade from BES 5.0.2 and MSDE to BES 5.0.3 - note this is not an official RIM solution.

Stop and disable all BlackBerry services

Open the Service Control Manager (Start --> Run --> "services.msc").
Stop all running BlackBerry services.
Edit the properties of all BlackBerry services that have a Startup Type of "Automatic", and set them to "Disabled".

Download and install SQL Server Express 2008

NOTE - you will also need to download and install Windows Installer 4.5 in order to run the SQL installer.
Install a new SQL instance rather than upgrading the existing installation. Select the option to install the management tools (selected by default).

Backup the BESMgmt Database

Open the SQL Management Studio and connect to the MSDE instance (normally the servername).
Take a full backup of the BESMgmt database to a file location.

If you receive an error that the file is in use, stop the running MSDE instance.

Restore the BESMgmt Database

Still within the SQL Management Studio, disconnect from the MSDE instance and connect to the SQL 2008 instance (normally servername\sqlexpress)
Right click on Databases and select the option to Restore Database.
Enter a name for the new database, such as BESMgmt2
Select the option to restore from Device, and add the backup file you created earlier.

Ensure the restore operation completes successfully and then close the SQL Management Studio.

Enable SQL TCP/IP connectivity

Open the SQL Configuration Manager. Browse to SQL Server Network Configuration --> Protocols for SQLExpress.
Right click on TCP/IP and Enable it.

Close the SQL Configuration Manager.
Stop the MSDE instance from running at startup.

Reboot the server.

Re-enable BlackBerry services

Open the Service Control Manager and change the Startup type for all BlackBerry services we disabled earlier back to Automatic. Do not start the services at this time.

Install BES 5.0.3

Start the MSDE SQL instance.
Now launch the BES 5.0.3 installer.
Set the database server to the SQL 2008 instance (servername\sqlexpress)
Set the name of the configuration database to the database you created earlier from the backup.
Set the Port configuration to "Dynamic"

The installation will now proceed.