Tuesday 30 November 2010

BES 5.0.2 & Exchange 2010 SP1 /Hosting

Before installing BES for multi-tenant Exchange 2010 SP1 /hosting you should read the following resources. You should also have deployed Exchange 2010 SP1 RU1.
This is a work in progress (so I don’t forget), so please check back for updates and corrections. Feel free to add comments or give me your experiences. There is also a forum running here, http://supportforums.blackberry.com/t5/BlackBerry-Enterprise-Server/Cross-organisation-user-search-exch-2010-sp1-hosted/m-p/659071#M7052.
BES 5.0.2 & Exchange 2010 SP1 RU1 /hosting:
BESX 5.0.2 & Exchange 2010 SP1 RU1 /hosting:
Post installation there are some other changes to make.
There is an additional step to configure BES 5.0.2 to work without public folders:
To restrict lookups follow this guidance:
You may also want to consider using LDAP instead of MAPI to look up users; this will require a common attribute unique to users within each tenant organisation:
Using the above information, plus the standard installation guidance, I have been able to install BES and add users.
Hopefully BES 5.0.3 will help us all out, maybe even an interim hotfix. I also recall that an MS update was required, but have a feeling this is included in Exchange 2010 SP1 RU1 - I could be wrong though.
Daniel Noakes

Exchange 2010 SP1 with BES 5.0.2

If you are deploying Exchange 2010 SP1 and have BES you should head over and read the Installation and Configuration Guide - http://docs.blackberry.com/en/admin/deliverables/14347/Configuring_Exchange_2010_environ_962756_11.jsp.

The guide covers most steps, including configuring BES to run without public folders. One additional step, which allows BAS to retrieve user information, is described in KB24470, Cannot add users to the BlackBerry Enterprise Server 5.0 in an environment that includes Microsoft Exchange 2010 SP1 - http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB24470.

The workaround for now is to set the CONNECT_IGNORE_NO_PF flag in the MAPI profile used by the BlackBerry Mail Store Service in the following registry key.

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\BlackBerryServer\13dbb0c8aa05101a9bb000aa002fc45a

Under this key, locate the value named 00036604 and change its second byte to 80.

The examples provided are:

  • If the value is currently set to 04 00 00 00, change it to 04 80 00 00 (see screen shot for example)
  • If the value is currently set to 02 00 00 00, change it to 02 80 00 00

A restart of the BlackBerry Mail Store Service completes the workaround.
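
The same workaround as a script (an added example, not part of KB24470 or the original post). It assumes the value is a 4-byte REG_BINARY as in the examples above, and that the service's installed display name is "BlackBerry Mail Store Service"; the helper name `ConvertTo-HexString` is made up for this example.

```powershell
# Added example. Run it logged on as the Windows account the BlackBerry services use,
# because the MAPI profile lives in that account's HKCU hive. Restarting the service
# needs an elevated session.
$profileKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\BlackBerryServer\13dbb0c8aa05101a9bb000aa002fc45a'
$valueName  = '00036604'                        # value named in the post
$service    = 'BlackBerry Mail Store Service'   # assumed display name

# Hypothetical helper: render a byte array the way regedit shows it ("04 80 00 00").
function ConvertTo-HexString([byte[]]$Bytes) {
    ($Bytes | ForEach-Object { $_.ToString('x2') }) -join ' '
}

$current = (Get-ItemProperty -Path $profileKey -Name $valueName -ErrorAction Stop).$valueName
if ($current -isnot [byte[]] -or $current.Length -ne 4) {
    throw "Unexpected data in $valueName - expected 4 bytes of REG_BINARY."
}
# Record the original bytes so the change can be reverted by hand.
Write-Output ("Before: " + (ConvertTo-HexString $current))

if ($current[1] -band 0x80) {
    Write-Output 'Second byte already has 0x80 set; nothing to change.'
}
else {
    # Set bit 0x80 in the second byte (index 1). For the post's examples this is
    # exactly 04 00 00 00 -> 04 80 00 00 and 02 00 00 00 -> 02 80 00 00; using OR
    # leaves any other bits in that byte untouched.
    $updated    = [byte[]]$current.Clone()
    $updated[1] = [byte]($updated[1] -bor 0x80)
    New-ItemProperty -Path $profileKey -Name $valueName -PropertyType Binary `
        -Value $updated -Force | Out-Null

    # Read back to confirm the write before restarting anything.
    $check = (Get-ItemProperty -Path $profileKey -Name $valueName).$valueName
    Write-Output ("After:  " + (ConvertTo-HexString $check))

    # The post's final step: restart the service so it reloads the profile.
    Restart-Service -DisplayName $service
}
```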

Daniel Noakes

Thursday 11 November 2010

Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2423930): November 9, 2010

A critical vulnerability affecting Outlook has been reported: http://www.microsoft.com/technet/security/bulletin/ms10-087.mspx. It appears to affect all Outlook versions, including Outlook 2011 for Mac and Entourage.

A specially crafted RTF email message, when previewed or opened, could allow an attacker to gain the same rights as the logged-on user. If you have followed best practice and segregated administrative roles, the risk is somewhat reduced.

Microsoft have recommended applying the update immediately.

Sunday 7 November 2010

BES Express for Microsoft Exchange 5.0.2 MR 1

If you are using BES Express for Exchange Server you should check out BlackBerry Enterprise Server Express for Microsoft Exchange Version 5.0 Service Pack 2 Maintenance Release 1.

This maintenance release should be tested and installed on computers hosting BES Express, BlackBerry Administration Service, BlackBerry Attachment Service, BlackBerry MDS Connection Service or the BlackBerry Router.


Fixed Issues

“(DT 838289) In the initial release of BlackBerry® Enterprise Server Express 5.0 SP2, users with BlackBerry® devices running
BlackBerry® 6 are not able to browse to their organization's intranet sites. This occurs because BlackBerry 6 handles browser
transport selection using a different method than previous versions of the BlackBerry® Device Software.”

“In BlackBerry Enterprise Server Express 5.0 SP2 MR1, the MDS Browser Domains IT policy rule has been added. You can use
this IT policy rule to specify the domain of your organization's intranet sites. After you apply the IT policy to BlackBerry devices,
users with devices running BlackBerry 6 can browse to the domains that you specified.”

Wednesday 3 November 2010

Using Autodiscover During a Migration

I came across the Autodiscover and Migration Issues post on the Migrationwiz.com Blog. It discusses a few options for working around Autodiscover issues when migrating between Exchange Orgs, typically to and from Hosted providers.


For some time now I have been using another method, which works very well and is great for longer term co-existence.

The Procedure

1. Set up DNS (private and public) for a sub domain on the target Exchange Org and its mailboxes, e.g. mail2.noak.es; autodiscover.mail2.noak.es; and daniel@mail2.noak.es.

2. Migrate the data.

3. Convert daniel@noak.es to a Mail User (strip the mailbox, retain proxyaddress etc) in the source Exchange Org.

4. Add the targetaddress (“External E-mail Address”) and proxyaddress Daniel@mail2.noak.es to Daniel@noak.es in the source Exchange Org.

This works because Autodiscover will fail on SCP records but continue with its other steps until it uses the targetaddress, at which point it successfully connects to autodiscover.mail2.noak.es.
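
Steps 3 and 4 as an Exchange Management Shell sketch (an added example, not the author's own script). It assumes the source Org runs Exchange 2010 and that step 2 has already completed; the addresses are the ones used in the procedure above.

```powershell
# Added example. Run in the SOURCE org's Exchange Management Shell after the
# mailbox data has been migrated (step 2) - Disable-Mailbox disconnects the mailbox.
$sourceSmtp = 'daniel@noak.es'         # existing mailbox in the source org
$targetSmtp = 'daniel@mail2.noak.es'   # mailbox already created in the target org

# Disable-Mailbox clears the Exchange attributes, so capture what must survive first.
$mbx     = Get-Mailbox -Identity $sourceSmtp -ErrorAction Stop
$userDn  = $mbx.DistinguishedName
$proxies = @($mbx.EmailAddresses | ForEach-Object { $_.ToString() })

# Step 3: strip the mailbox and mail-enable the same AD user. Once the mailbox is
# gone the SMTP address no longer resolves as an identity, so use the DN from here on.
Disable-Mailbox -Identity $userDn -Confirm:$false
Enable-MailUser -Identity $userDn -ExternalEmailAddress $targetSmtp | Out-Null

# Step 4: restore the original proxy addresses (primary SMTP: entry included) and add
# the target address as a secondary proxy. Address policy is switched off so it does
# not rewrite the list.
$allAddresses = @($proxies + "smtp:$targetSmtp" | Select-Object -Unique)
Set-MailUser -Identity $userDn -EmailAddressPolicyEnabled $false `
    -EmailAddresses $allAddresses

# Confirm the attributes Autodiscover relies on: ExternalEmailAddress is the
# targetaddress that redirects the client to autodiscover.mail2.noak.es.
Get-MailUser -Identity $userDn |
    Format-List PrimarySmtpAddress, ExternalEmailAddress, EmailAddresses
```

If the Enable-MailUser call cannot find the user straight after Disable-Mailbox, point both cmdlets at the same domain controller with `-DomainController`.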


Below: Outlook 2010 using Autodiscover to resolve an on-premise AD user to a Hosted Exchange mailbox.



Below: Outlook 2010 configuration complete, resolved to Hosted Exchange.



It is often easier to script this, and working with the right suppliers this can be done. Both Cobweb and Migrationwiz.com have APIs available which we can use to automate most of the work. Combined with taking multiple passes (initial + delta), this results in minimal disruption to end users.


With Exchange 2010 SP1 Hosting editions beginning to appear, all of this will be taken care of natively with the addition of remote PowerShell using New-RemoteMoveRequest and user federation.