In order to use the BlackBerry Enterprise Server product with a Microsoft Exchange 2013 deployment, version 5.0.4 Maintenance Release 2 or later will be required.
Also required will be the Microsoft MAPI/CDO package, version 6.5.8289.0 or later - available for download from the Microsoft web site.
There are a number of pre-installation tasks which also need to be completed in the Exchange environment. The procedure is as follows.
Create an Active Directory user account
An AD service account will be required, typically named "BesAdmin". This user should NOT be a domain administrator. The user account will require an Exchange mailbox, which should be located on an Exchange 2013 mailbox server.
Assign the BesAdmin account Exchange View-Only Administrator rights
Launch the Exchange PowerShell and assign the BesAdmin user account Exchange View-Only Administrator permissions with the following command:
Add-RoleGroupMember "View-Only Organization Management" -Member BesAdmin
Assign the BesAdmin account Receive As and Administer Information Store rights
Still within the Exchange PowerShell, assign the BesAdmin account Receive As and Administer Information Store rights with the following command:
Get-MailboxDatabase | Add-ADPermission -User BesAdmin -AccessRights ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin
Assign the BesAdmin account Send As rights on domain user objects
Now assign the BesAdmin account Send As rights on all user objects in the domain, with the following command:
Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User BesAdmin -Identity "CN=Users,DC=Domain,DC=com"
(where Domain should be replaced with the details of your AD domain)
Assign Application Impersonation rights to the BesAdmin user
Now create a new Exchange management role and assign the BesAdmin user Application Impersonation rights, required to access Exchange web services:
New-ManagementRoleAssignment -Name BesAdmin -Role:ApplicationImpersonation -User BesAdmin
Enable processing of external calendar items
By default, Exchange does not process meeting requests received from external domains via web services. This needs to be enabled:
Get-Mailbox -Server [Server] -ResultSize Unlimited -Filter {RecipientTypeDetails -eq 'UserMailbox'} | Set-CalendarProcessing -ProcessExternalMeetingMessages $true
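Before closing the shell, the rights granted by the preceding commands can be read back and checked, together with the earlier requirement that the account is not a domain administrator. This audit is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module is installed and reuses the page's account name and placeholder DN.

```powershell
# Added audit example (not from the original post). Run in the Exchange
# Management Shell. Assumption: the ActiveDirectory (RSAT) module is installed.
Import-Module ActiveDirectory

# Account name used on this page; assumed to match both Name and SamAccountName.
$Account = 'BesAdmin'
$UsersDn = 'CN=Users,DC=Domain,DC=com'   # placeholder DN from the page; substitute yours

# 1. Exchange role groups that contain the account.
#    Expected: only "View-Only Organization Management".
$roleGroups = Get-RoleGroup | Where-Object {
    (Get-RoleGroupMember -Identity $_.Identity).Name -contains $Account
} | Select-Object -ExpandProperty Name

# 2. Management role assignments (direct and via role groups) and their scope.
#    ApplicationImpersonation with RecipientWriteScope "Organization" means the
#    account can impersonate every mailbox in the organization.
$assignments = Get-ManagementRoleAssignment -RoleAssignee $Account |
    Select-Object Name, Role, RoleAssigneeName, RecipientWriteScope

# 3. Extended rights on each mailbox database.
#    Expected: Receive-As and ms-Exch-Store-Admin.
$dbRights = Get-MailboxDatabase | Get-ADPermission -User $Account |
    Where-Object { $_.ExtendedRights } |
    Select-Object Identity, ExtendedRights, Deny, IsInherited

# 4. Send-As entry on the Users container, inherited by descendant user objects.
$sendAs = Get-ADPermission -Identity $UsersDn -User $Account |
    Where-Object { $_.ExtendedRights -like 'Send-As' } |
    Select-Object Identity, ExtendedRights, InheritanceType, InheritedObjectType

# 5. Privileged AD groups the account belongs to, directly or through nesting.
#    Expected: none (the account should not be a domain administrator).
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins' | Where-Object {
    $members = Get-ADGroupMember -Identity $_ -Recursive -ErrorAction SilentlyContinue
    $members.SamAccountName -contains $Account
}

# One object to review or export as a record of what the account holds.
[pscustomobject]@{
    Account          = $Account
    RoleGroups       = $roleGroups
    RoleAssignments  = $assignments
    DatabaseRights   = $dbRights
    SendAsOnUsers    = $sendAs
    PrivilegedGroups = $privileged
} | Format-List
```

Anything listed beyond the rights assigned in the steps above, or any entry under PrivilegedGroups, is worth investigating, since this one account can read and send as every mailbox it covers.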
The Exchange PowerShell can now be closed.
Assign permissions on the Exchange Web Services web application
Launch the IIS Manager, expand the Default Web Site container and locate the EWS web application. Right click on the entry and select Edit Permissions.
Click on the Security tab and then on the Edit button:
Add the BesAdmin user account and tick the options to allow "Read & execute", "List folder contents" and "Read":
Save and apply all changes. Still within the IIS Manager, with the EWS web application selected, on the right hand side locate the Authentication icon:
Set Windows Authentication to Enabled:
Close the IIS Manager. Now we can focus on the server that is to have the BES software installed on it.
Assign the BesAdmin user administrator rights on the BES
On the server that is to host the BlackBerry Enterprise Server, assign the BesAdmin domain account local administrator rights on the machine:
Assign Log on as a Service rights to the BesAdmin user
Now launch the Local Security Policy console and add the BesAdmin user account to the Log on as a service permitted group:
Now log off and log in as the BesAdmin user account.
Install MAPI/CDO package
Logged in as the BesAdmin user (IMPORTANT, be sure to run this as the BesAdmin user and not local administrator), install the MAPI/CDO package you downloaded earlier.
Once installed, launch the Registry Editor.
Navigate to folder HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem.
On the left hand side, right-click on Windows Messaging Subsystem, expand New, select String Value.
Enter RPCHTTPProxyMap_BES in the Name field.
Double click the RPCHTTPProxyMap_BES registry value.
Type *=https://[FrontEndPoolFQDN] in the value field.
(where [FrontEndPoolFQDN] should be replaced with the fully qualified domain name of the Exchange client access server):
Click OK, and then close the Windows Registry Editor.
Install the SSL certificate for the Exchange Client Access Server
In Windows Internet Explorer, access the Microsoft CAS through the (default) URL: https://[CAS Server Address]
Select Tools and then Internet Options.
Select the Security tab and then click Trusted Sites.
Click on Sites and add the current site.
Click OK.
Close and then reopen Windows Internet Explorer.
Access the Microsoft CAS through the (default) URL: https://[CAS Server Address]
Should an error relating to the certificate be displayed, click on the Certificate Error section of the address bar.
Click on View the certificate.
Click the Install Certificate button.
Click Next.
Click on the radio button Place all certificates in the following store.
Click Browse.
Select Trusted Root Certification Authorities.
Click OK.
Click Next.
Click Finish.
Click Yes if prompted to install the certificate representing the CAS server.
Click on the "The import was successful" prompt.
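Placing a certificate in Trusted Root Certification Authorities makes the host trust it unconditionally, so it is worth confirming that the certificate presented on the wire is the one the Exchange server actually holds. The following added example (not part of the original post) fetches the certificate the CAS presents and compares its thumbprint with one read directly on the Exchange server, for instance from Get-ExchangeCertificate; the host name and expected thumbprint are placeholders.

```powershell
# Added example (not from the original post). Run on the BES host.
# 'cas.example.com' and the expected thumbprint below are placeholders.
function Get-RemoteTlsCertificate {
    param([Parameter(Mandatory = $true)][string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented: the goal is to inspect it, not to trust it.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Test-CertificateThumbprint {
    param($Certificate, [string]$ExpectedThumbprint)
    # Strip spaces and other non-hex characters; thumbprints copied from dialogs often carry them.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    # A SHA-1 thumbprint is 40 hex characters; anything else is treated as a mismatch.
    return ($expected.Length -eq 40) -and ($Certificate.Thumbprint -eq $expected)
}

$cert = Get-RemoteTlsCertificate -HostName 'cas.example.com'
$cert | Format-List Subject, Issuer, Thumbprint, NotBefore, NotAfter

# Paste the thumbprint obtained on the Exchange server itself (out of band).
$expected = '<thumbprint read on the Exchange server>'
if (Test-CertificateThumbprint -Certificate $cert -ExpectedThumbprint $expected) {
    'Thumbprint matches the certificate held by the Exchange server.'
} else {
    Write-Warning 'Thumbprint mismatch: do not install this certificate as a trusted root.'
}
```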
You are now ready to install the BES software.
Install BlackBerry Enterprise Server 5.0.4
Launch the BES installer and choose your desired language:
Confirm that you are logged in as the desired BesAdmin service account that the BES software will run under:
Read and accept the license agreement:
Select the option to create a BlackBerry configuration database:
Select the desired BES components that you wish to install - leave these values at their default if you are installing all components on the same server:
Verify that all pre-requisite checks pass, correcting any errors as required:
Specify whether you wish to install SQL Express edition locally on the server or use another SQL source:
Enter your SRP and CAL information:
Review your selections and Install the component software:
Once all components have been installed, click Continue:
Verify the SQL server information and enter a name for the Configuration Database if desired:
You will be prompted to confirm creation of the database, select Yes:
And acknowledge when it has been created:
You will now be prompted to enter the address of the Exchange server and the name of the BesAdmin user account:
Now enter a name for the web site which will be used to administer the BlackBerry server, and enter a passkey for the SSL certificate that will be generated and assigned to the web site:
Enter details of an AD account that will be used to look up BlackBerry users within Active Directory. This can be the same BesAdmin account:
Specify whether the BlackBerry management web site should be accessed using AD or local internal BlackBerry authentication:
Select the option to Start Services and verify that all BlackBerry services start successfully:
Finally make a note of the administrator and user web management site addresses and exit the installer.
Install Maintenance Release 2
Now install the BlackBerry Enterprise Server 5.0.4 Maintenance Release 2 update package.
Enable Exchange Web Services
Locate the BlackBerry Enterprise Server Trait Tool. This is normally located in the Tools directory of the BES 5.0.4 installation media, by default created at
C:\Research In Motion\BlackBerry Enterprise Server 5.0.4\bundle0038\tools
Open a Command Prompt and navigate to this folder, then enable use of Exchange web services with the following command:
TraitTool -global -trait EWSEnable -set true
Now restart the BES server.
Your BlackBerry Enterprise Server has been installed.
Hi Evyn
We have Exchange 2013 & BES 5.0.4 and noticed our BES service account is part of DomainAdmins since build state, shall I remove the account from domain admins groups directly or need to do any check before removing? Is there any valid reason to have the BES service account as member of domainadmins?