BlackBerry Enterprise Server Express (BESE) Continued…

31 Mar

In a previous post, I talked a little about BlackBerry Enterprise Server Express. In the end I opted to install it on its own server (A VM on Hyper-V) rather than on the Exchange server, as I didn’t want to risk causing any issue with Exchange.

So, once I got the email from BlackBerry giving me the download link, I proceeded to download the file (BESX_express_5.0.1) and then extract the contents to a local folder (c:\Research in Motion\Blackberry Enterprise Server 5.0.1).

The software then ran and the setup was pretty straightforward.

I also installed the Microsoft Exchange Server MAPI Client and Collaboration Data Objects 1.2.1.

Also, make sure that IIS is installed.

Then on with the basic setup, again, all pretty straightforward stuff so I won’t go into too much detail and bore you all.

Once installed, I had to open up the firewall (Port 3443 for the Web interface) on the box I had installed it on, but then I could access the 2 admin sites:

The admin interface (create and add users, groups and policies etc)


The users portal (users can log in to set signatures, pretty basic, I’m not sure I’ll advertise this though)


There were a few ActiveX controls I had to install on my machine (which would only run under IE – Note: The BlackBerry Administration Service requires Microsoft® Internet Explorer® Version 6.0 or greater with JavaScript® turned on.)

I then added an external DNS entry for the BESE and changed the firewall to pass through and NAT all traffic on TCP/UDP port 3101 to the BES server. That’s pretty much the setup complete.

I then went into the Admin portal and created myself a user (and PIN number) and a test group. I then created a Policy and assigned it to that group. I just set it to disable the Camera to test whether it would work or not.

On the phone I borrowed (a BlackBerry 8900) I then set it up by going to Menu -> Setup -> Setup Wizard -> “I want to use a work email account with a BlackBerry Enterprise Server”.

I then entered my email address, password (that I created earlier) and also the server address (again, the public DNS entry that I created earlier). Then click Activate and it should hopefully display the following:

Enterprise Activation

Activating [email protected] (at this point an email popped up on my screen – below)

Verifying encryption…
Encryption verified
Waiting for services…
Services received

Then Activation will run through from 0% to 100%, for me this took about 4 minutes to sync everything and then I was up and running.

(If you don’t get this far, check that your spam filter isn’t stopping the BlackBerry messages getting to your inbox)

As the phone I was using was inherited, it was full of old stuff, so I decided to wipe the phone and start from scratch (I should have done this at the start really).

To wipe the phone:

• Options menu
• Security Options
• General Settings
• Press BlackBerry Button
• Wipe handheld
• Enter the word “blackberry” – I guess just in case you sat on your phone and managed to get that far with your bum cheek.

After that I ran through the above process again and it all worked, perfectly, way cool! More free coolness.

The beauty of using BESE over the standard T-Mobile and Orange BlackBerry portals is the fact that users no longer have to update that portal each time their Windows password changes (Group Policy sets passwords to expire every 90 days). They also don’t lose connectivity if there is an issue with the mail server and then there’s a whole host of options to lock down the phones and deploy applications etc, but I have little need for that right now – all in good time however.

I’ve only had the BlackBerry for a day, and already I’m fairly competent in using it and BES and now I have to hand it back. I just need to persuade management that I too need a BlackBerry, although, my missus’s one never stops going off, so perhaps I don’t need one after all.

Update: I recently re-installed BESx on a 2k8 R2 box. In the BBAS-AS log file I was getting the error:

(12/14 11:52:39:276):{http-******.**.****.***%2F**.**.**.***-3443-6} [com.rim.bes.basplugin.activedirectory.ActiveDirectoryManagerBean] [INFO] [ADAU-1000] {u=SystemUser, t=2081} loginAsLDAPUser failed to authenticate LDAP user=administrator, realm=**.****.***, KDC=*******.**.****.*** KDC has no support for encryption type (14)

To resolve this, I upgraded the functional level of my domain to Server 2008 R2.