How to install BlackBerry Enterprise Express on a SBS 2003 Premium

By Mariette Knap

Installing BlackBerry Enterprise Server Express on a Small Business Server 2003 Premium is not as easy as it looks. The documentation from BlackBerry is incomplete and difficult to understand. I have decided to write documentation with all screenshots for this installation. My customer has an existing SBS 2003 Premium SP1 (not R2), so we will install a new SQL 2000 named instance and create a BES service account that will run the BES software.

This document assumes that you have downloaded the BlackBerry Enterprise Express software from the BlackBerry website. Before we can install the BESExpress software there are several things we need to do on the SBS 2003 server. The most important step is to create a BES service account that will run the BlackBerry Enterprise Server.

Assigning permissions for the BlackBerry Enterprise Server administration account

Before we can assign permissions to the BlackBerry Enterprise Server administration account 'BESAdmin' we have to create that account.

The BESAdmin account should be a normal Domain User account and NOT a domain administrator account. The reason is that domain administrators have explicit 'Send As' and 'Receive As' deny settings on the Exchange store. We have seen this before when using Exmerge in brick-level backups. We could create a 'BlackBerry Enterprise Server administration account' that is a member of the Domain Administrators group and overrule the 'deny' settings in Exchange, but there is really no reason for that.

To create the BlackBerry Enterprise Server administration account 'BESAdmin', open Active Directory Users and Computers from the Administrative Tools in the Start Menu on your SBS 2003 server:

Click on the button to create a new user.
Fill in the first and last name for our account BESAdmin.
Make sure you uncheck 'User must change password at next logon' and check 'Password never expires'. Choose a strong password! Click 'next'.
Create an Exchange mailbox for the 'BESAdmin' and click 'next'.
Review your newly created account and click 'finish'.

To assign Local Administrator rights to the 'BESAdmin' account, complete the following steps

Go to Start > Programs > Administrative Tools > Active Directory Users and Computers and select the Builtin folder.
Double-click Administrators.
On the Members tab, click Add.
Select the 'BESAdmin' account and then click Add.
Click OK twice.

Set Send As permission to enable BlackBerry users to send messages

Visit www.support.microsoft.com/kb/907434/en-us for more information about the Send As permission.

On the taskbar, click Start > Administrative Tools > Active Directory Users and Computers.
On the View menu, click Advanced Features.
Right-click the root of the domain.
Click Properties.
On the Security tab, click Advanced.
Click Add.
Type BESAdmin.
Click Check Name and then click OK.
In the Apply Onto drop-down list, click User Objects.
In the Allow column, select the Send As check box.
Click OK.
Click Apply and click OK.
Click OK.

Set Local Security Policy permissions for the service account

Enable the BESAdmin administrator to log in to the local computer, and run the BlackBerry Enterprise Server as a Microsoft Windows service.

On the taskbar, click Start > Administrative Tools > Domain Controller Security Policy.
In the Local Security Settings window, browse to Local Policies > User Rights Assignment.
In the right pane, double-click 'Allow Log on Locally'.
Click Add User or Group.
Add the BESAdmin service account to the list.
Click OK.
In the Local Security Settings window, double-click Log On As a Service.
Click Add User or Group.
Add the BESAdmin service account to the list and click OK.
Click OK.

Set Exchange View Only Administrator permission for the service account

Enable the BESAdmin administrator to manage users and groups.

On the taskbar, click Start > Programs > Microsoft Exchange > System Manager.
Expand Administrative Groups.
Right-click First Administrative Group and click 'Delegate control'.
In the Exchange Administration Delegation Wizard, click Next.
Click Add.
Click Browse.
Type 'BESAdmin' and click 'Check Names'. The result will be the full domain name of the BESAdmin account.
Click OK.
In the Delegate Control window, in the Role drop-down list, click Exchange View Only Administrator.
Click OK to add the BESAdmin service account to the Users and Groups list.
Click Next.
Click Finish.

Set Microsoft Exchange Server permissions for the BB service account

Enable the BlackBerry Enterprise Server to write information to the service account mailbox.

On the taskbar, click Start > Programs > Microsoft Exchange > System Manager.
Browse to Administrative Groups > First Administrative Group > Servers.
Right-click the Microsoft Exchange computer name and click Properties.
On the Security tab, click the BESAdmin service account.
In the Allow column, select the following check boxes: Administer Information Store, Send As, Receive As.
Select 'Allow inheritable permissions from parent to propagate to this object'. If this setting is already applied, just leave it that way.
Click OK.
Click OK again.

Install a named SQL 2000 instance and set permissions

As I mentioned in the introduction of this article, I will install a named full-blown SQL 2000 instance that will run the BlackBerry databases. The reason I do this is that it will be easier for me to move these databases and the BlackBerry Enterprise Software to a dedicated server if my client needs to connect more than 10-15 BlackBerry devices.

Log on to the server with the BESAdmin account and NOT any other account.
Start the SQL 2000 installer from your SBS 2003 Premium CD.
You will see a warning, but that can be ignored for now. We will later install SQL 2000 SP4 on the BlackBerry instance. Click 'continue'.
Click 'Next'.
Click 'Next'.
Choose to create a new SQL instance and click 'Next'.
Fill in your company name and your name and then click 'Next'.
Accept the license agreement.
Choose to install Server and Client tools, click 'next'.
Uncheck 'Default' and name the instance 'BLACKBERRY' and nothing else! Click 'next'.
We choose 'Typical' for our installation options. If you need to move your database files to a different partition or array, NOW is the time to do that. Click on browse to change the default location for your database.
We choose to put the Data Files on our E-drive because that is the drive where all our other data is also stored. We don't want the SQL databases stored on our system partition.
Click 'next' to continue.
Choose to use the Local System account and click 'Next'.
Choose Mixed Mode and set a strong password for 'sa'. Click 'next'.
Click 'next' to start the installation of your BLACKBERRY SQL 2000 instance.
Click 'finish'.
Reboot the server and log on again as BESAdmin and NOT as the default Administrator.
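
Logging on as BESAdmin, and later running BES as a service, depends on the two user rights granted in the Local Security Policy section. The following is an added example, not part of the original article or of BlackBerry's documentation: it parses a secedit export and reports which of the two rights the account is missing and which other rights are assigned to it directly. The sample export, the domain name EXAMPLE and the SID in it are constructed placeholders.

```python
# Added example (not from the original article): audit the two user rights
# the guide grants to BESAdmin, using the text produced by
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
REQUIRED = {
    "SeInteractiveLogonRight": "Allow log on locally",
    "SeServiceLogonRight": "Log on as a service",
}

# Constructed sample export; EXAMPLE and the S-1-5-21 SID are placeholders.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,EXAMPLE\\BESAdmin
SeServiceLogonRight = *S-1-5-20
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(inf_text):
    """Return {right: [members]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for line in (raw.strip() for raw in inf_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Privilege Rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [m.strip() for m in value.split(",") if m.strip()]
    return rights

def audit_account(rights, account, sid=None):
    """Return (missing, extra): required rights not held, other rights held.
    Only direct assignments are matched; rights inherited through groups
    such as Administrators (*S-1-5-32-544) are not expanded."""
    def is_account(member):
        m = member.lower()
        if sid and m == "*" + sid.lower():
            return True
        return m.split("\\")[-1] == account.lower()
    held = {r for r, members in rights.items() if any(map(is_account, members))}
    return sorted(set(REQUIRED) - held), sorted(held - set(REQUIRED))

if __name__ == "__main__":
    # Assumption: a real export is UTF-16, so read it with
    # open("rights.inf", encoding="utf-16").read()
    missing, extra = audit_account(parse_privilege_rights(SAMPLE_INF), "BESAdmin")
    for right in missing:
        print("MISSING:", right, "(" + REQUIRED[right] + ")")
    for right in extra:
        print("REVIEW :", right)
```

If the export lists the account as a SID rather than by name, pass that SID as the third argument.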

Apply SQL 2000 Service Pack 4 to your BlackBerry instance

Start the installation of SQL 2000 Service Pack 4 and click 'next'.
Accept the terms and click 'next'.
Choose the instance 'BlackBerry' and choose 'next'.
Choose the defaults and click 'next'.
Choose the defaults and click 'continue'.
Accept the defaults and click 'ok'.
Click 'next'.
Click 'ok'.
Click 'finish'.
Reboot the server and log on with your BESAdmin account.

Install BlackBerry Enterprise Server Software on your server

Log on to the server with the BESAdmin account and NOT any other account.
Fill in your customer information, choose the country, accept the agreement and click 'next'.
Again accept the license agreement and click 'next'.
The installer checks whether you made the correct settings for BESAdmin and the other prerequisites. If all is well, click 'next'.
Fill in the BESAdmin account's password. If you need to move the location of BES, now is the time to do that. Otherwise accept the defaults and click 'next'.
Read the installation summary and click 'next'.
The installation is ready but the server needs to restart. Click 'Continue'.
The server needs to reboot. Click 'Yes' to reboot the server. After the server has been restarted you MUST log in with the BESAdmin account and NO other account.
After the server has been restarted and you log on using the BESAdmin account, the installer continues.
We have previously installed a SQL 2000 instance called BLACKBERRY and that instance will be used. Fill in the NetBIOS name of your server followed by the instance name. All other settings can remain default. Click 'next'.
Setup has found that there is no BES Management Database in the SQL instance and wants to install it. Click 'yes'.
After a while setup informs you that the database was created successfully. If it could not create the database, you need to check permissions on your SQL instance. Click 'ok'.
Fill in your CAL Key and click 'next'.
Fill in the SRP Authentication Information.
If you click to validate the information it will fail, because ISA 2004 will block the request. Click 'next'.
Fill in the NetBIOS name of your server and click 'Check Name'. If all is well, click 'Apply' and then 'OK'.
Keep the defaults checked and click 'Start Service'.
I like it when I see a wizard that tells me I have successfully completed the installation. Click 'Finish'.

Change the listening port of the BES MDS service

In our setup we use ISA 2004 Server. As you probably know, the ISA web proxy runs on port 8080, and that will cause a conflict between the BES MDS service and the ISA web proxy service. We don't want to change the ISA ports, so we change the BES ports instead.

From the Start Menu open the BES administrator console and choose the tab Connection service.
Choose 'Edit connection service properties'.
Set both the Web Listener Port and the Web Server SSL Listener Port to another port. I chose 9080 and 9443. You can choose other ports, but you have to make sure that they are not used by some other service running on your server.

How to configure ISA 2004 to allow traffic from and to the BlackBerry server

Because I could not find a lot of good information about ISA 2004 configuration for BlackBerry servers, I decided to analyze this traffic in ISA 2004 live monitoring. I started a tool from the command prompt to test the connection and it failed. I found that I needed to create a new Protocol and Access Rule that will allow traffic to flow from and to the BlackBerry server. Here we go...

Start ISA 2004 Manager from the Start Menu and choose the hive 'Firewall Policy'.
Click 'Create Access Rule'.
Give the new Access Rule a name. Click 'Next'.
We need to choose 'Allow' for this rule. Click 'Next'.
We only want to allow 'Selected Protocols'. Choose 'Add'.
There is no Protocol listed for our BlackBerry server, so we have to create a new one. Choose New -> Protocol from the tiny menu.
Give a name to the new protocol.
Click 'New' to create a new Primary Connection for this Protocol.
Set this primary connection to Outbound traffic on port 3101 to 3101. Click 'OK'.
There is the Primary Connection listed. Click 'Next'.
We need to add a secondary connection. Click 'New'.
The secondary connection needs to be set to 'Inbound' and also from port 3101 to 3101. Click 'OK'.
There is the secondary connection listed. Click 'Next'.
We have successfully completed our new protocol called 'BlackBerry Server'. Click 'Finish'.
From 'All Protocols' you can now choose the protocol 'BlackBerry Server'. Click 'Add' and then 'Close'.
Click 'Next'.
Click 'Add' to add the network this traffic originates from.
Highlight 'Localhost' and choose 'Add'. Then choose 'Close' and click on 'Next'.
Choose 'Add' to add the destination of our BlackBerry traffic.
Highlight 'External' and choose 'Add'. Then choose 'Close' and click on 'Next'.
Accept the defaults and choose 'Next'.
The new Access Rule is complete; click 'Finish'.
Click 'Apply' to save the changes.

Test the connection

Open a Command prompt and browse to the Utility folder in the BlackBerry installation folder. There you will find a tool called BBsrpTest.exe. The output of that test should look like this: