Microsoft Exchange and Remote Desktop Services Specialists

SEMblog

Microsoft Exchange Server and Blackberry Enterprise Server news, views and fixes.

Blackberry Server 4.1.x and Exchange 2010 - Working

With the release of official support for Exchange 2010 and BES 5.0, I thought I would have another crack at getting Exchange 2010 to work directly with BES 4.1. This is instead of using an Exchange 2007 server somewhere in the mix.

I used Blackberry Professional Server in my testing, installed on Windows 2003 separate to Exchange 2010.

To my surprise, I have managed to get it working - with no interim servers used. A clean Exchange 2010 installation was used, along with BPS 4.1.3A (so not even the latest version).

In addition to the regular installation of the Blackberry Server software (so logged in to the machine as besadmin etc), to get things to work I had to do the following.

  1. Install Exchange 2010 rollup 1 on the Exchange server.
  2. Install the latest version of the CDO on the Blackberry server.
  3. Set more permissions than normal (see below)

The server I was using also had a public folder store created and mounted. I have not tested it with Exchange 2010 without Public Folders.
During the installation there was an error about being unable to verify the permissions, which I ignored.
 
Tested Functionality

I have tested the following:

  • Full over the air Enterprise activation. 
  • Sending and receiving email from the device. 
  • Lookup against the GAL and the personal address book
  • Adding a task from the Blackberry and seeing sync to the account. 
  • Adding a task from OWA and seeing it sync to the Blackberry
  • Adding a calendar entry from the Blackberry and seeing sync to account.
  • Adding a calendar entry from OWA seeing it sync to the Blackberry

Of course, functionality that doesn't require Exchange, such as Blackberry Browser access to the intranet, continues to work correctly.
 
Permissions

To get things to work, I had to set additional permissions. This may well be related to the change in the database model, which is now at the Org level rather than the server level.

Exchange 2010 View Only Exchange Admin.

This permission is no more, so the equivalent has to be set:

Add-RoleGroupMember "View-Only Organization Management" -member besadmin

Store / Server level permissions

The usual permissions used with Exchange 2007 set via the following command didn't appear to work:

Get-MailboxServer | Add-ADPermission -User BESAdmin -AccessRights ExtendedRight -ExtendedRights Send-As, Receive-As, ms-Exch-Store-Admin

I had to grant the permissions at the database level:

Get-MailboxDatabase | Add-ADPermission -User besadmin -AccessRights ExtendedRight -ExtendedRights Receive-As, Send-As, ms-Exch-Store-Admin

Get-PublicFolderDatabase | Add-ADPermission -User besadmin -AccessRights ExtendedRight -ExtendedRights Receive-As, Send-As, ms-Exch-Store-Admin

As the permission is being granted at the mailbox database level, if databases are changed/added/removed then the permission will need to be run again.
As always, the permission didn't take effect immediately, therefore I restarted the information store and the Blackberry services to get things to take effect.
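
One way to find which databases lack the rights after databases have been added or changed, as an added example (not the author's script). It assumes the Exchange Management Shell and the besadmin account named above; the $Repair variable is a hypothetical switch introduced for this example.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
$account  = 'besadmin'      # service account named in the post
$required = 'Receive-As', 'Send-As', 'ms-Exch-Store-Admin'
$Repair   = $false          # hypothetical switch: set to $true to grant what is missing

# Same scope as the two commands above: every mailbox and public folder database.
$databases = @(Get-MailboxDatabase) + @(Get-PublicFolderDatabase)

$report = foreach ($db in $databases) {
    # Allow entries for the account that carry extended rights on this database object.
    $aces = @(Get-ADPermission -Identity $db.DistinguishedName -User $account |
        Where-Object { -not $_.Deny -and $_.ExtendedRights })

    # Flatten the rights already present to plain strings for comparison.
    $present = @($aces | ForEach-Object { $_.ExtendedRights } | ForEach-Object { "$_" })
    $missing = @($required | Where-Object { $present -notcontains $_ })

    if ($missing.Count -gt 0 -and $Repair) {
        # Grant only the rights that are absent, on this one database.
        Add-ADPermission -Identity $db.DistinguishedName -User $account `
            -AccessRights ExtendedRight -ExtendedRights $missing | Out-Null
    }

    New-Object PSObject -Property @{
        Database = $db.Name
        Missing  = ($missing -join ', ')
        Granted  = [bool]($missing.Count -gt 0 -and $Repair)
    }
}

# Databases with an empty Missing column already carry all three rights.
$report | Sort-Object Database | Format-Table Database, Missing, Granted -AutoSize
```

Running it with $Repair left at $false only reports, which also gives a record of exactly where the service account holds Send-As and Receive-As.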

CDO Installation

The latest version of CDO was used, which can be downloaded (at the time of writing) from this location:
http://www.microsoft.com/downloads/details.aspx?FamilyID=e17e7f31-079a-43a9-bff2-0a110307611e&DisplayLang=en

Exchange 2007 SP2 Install tool for SBS 2008 Released

At last Microsoft have released the installation tool for Exchange 2007 SP2 on SBS 2008.
It looks fairly straightforward to use: download the service pack as normal, download the tool and then run the tool.

You can get more information about the tool and download it from this KB article: http://support.microsoft.com/?kbid=974271

Exchange 2007 has been rock solid in my experience and if you were put off installing it on your SBS 2008 machine because this tool wasn't released, now is your chance.

exbpa.com saved for the Exchange Community

I am pleased to announce that the domain exbpa.com has been saved for the Exchange community.
This was a domain that Microsoft first used a few years ago to point to their (at the time) recently released Exchange Best Practices Analyzer. There are thousands of links to this domain across the internet as well as in books and magazines.

However Microsoft recently decided to allow the domain to lapse and early this morning it was finally deleted.

Fortunately I was able to register it myself through my consultancy company Sembee Ltd and therefore kept it out of the hands of a domain squatter. 

I have uploaded a slightly modified version of the list of Exchange resources that I maintain at Daniel Petri's forum, which as well as the links to the Exchange Best Practices Analyzer, also contains links to other Microsoft tools, blogs etc.

http://exbpa.com/

While it is not the best designed web site in the world, it does the job. Hopefully the Exchange community will find it of some use.

Check Whether the Blackberry is BES Ready - Free

When I am working with clients and their Blackberry devices, particularly on new deployments, one of the issues I frequently have is discovering whether the device is enabled for BES use. It is very common for the service providers to NOT enable the Blackberry device for BES correctly. As anyone who has dealt with mobile phone provider support knows, when it comes to Blackberry, most of them haven't got a clue.

For some time I have been aware that RIM have a tool available to people with a support contract which allows you to query their database, but none of my clients have a support contract. I actually considered getting a contract just to get access to that database!

However I discovered that recently RIM have released a new web tool, which is free to register and use, which allows you to check the status of the device. In RIM speak "Enterprise Activation Readiness".

It is free for all users of Blackberry Professional Server, Enterprise Server, Server Express and all the other names they have used for their software in the past. All you need is your identifier and CAL key for the server.

You also get a complimentary support incident which is also another good reason for signing up.

From the site itself:

"The BlackBerry Expert Support Center is a Web 2.0 application, which is designed to allow direct access to Enterprise grade tools and resources, and to give you the ability to manage your Technical support agreement and support related inquiries easily and independently.

  • One Complimentary Support Incident to receive expert advice from a member of the BlackBerry Technical Support team at any time 
  • Online self service tools and resources designed to help with installation and ongoing management of your BlackBerry solution including step-by-step demonstrations 
  • All the relevant guides, articles and other resources to increase your BlackBerry solution know-how "

https://www.blackberry.com/besc/dashboard/

Truly Spectacular Results from Vamsoft ORF

I have mentioned before the results I have received from Vamsoft ORF in the past, most recently using the honey pot feature: http://blog.sembee.co.uk/archive/2009/09/26/108.aspx

However recently I deployed the product with another client and the results are truly spectacular.
The client has approximately 300 users, and they noticed the results almost immediately.

It was deployed as I have written in the above blog posting, so running in test only for a day or two to build up a white list to begin with then it went live.

The proof is in the numbers, so here is a screenshot of the statistics. At the time this was taken, the system had been running for almost 12 days.

 

[Screenshot: Vamsoft ORF Statistics]

For those of you not believing your eyes, that is 8.8 million messages that were attempted to be delivered.
Roughly 700,000 messages a day.
Of which 60,000 were not spam, so around 5,000 a day or 16 per user on average.
The spam ratio hovers at between 99% and 100% (there is some rounding going on there as it is to the nearest full percentage point).

The logs have been watched very carefully for false positives. There have been none.

So let's just go through what is working with that client.

First is DHA (Directory Harvest Attack) protection. A DHA is simply a large number of email messages coming from the same IP address to multiple email addresses in a short space of time. For some reason this client receives a lot of messages to invalid recipients. The software blocks the host from sending more messages. It works hand in hand with the honey pot test and recipient validation.

Next is the Honey pot test. I have talked about that before (link above), but in brief it is blocking hosts sending to known non-valid recipients. This feature is simply the most effective thing I have seen against spam for a long time.

Third is recipient validation. Dropping email that is simply sent to users who do not exist. This is a straight query against the AD.

A DNS blacklist is being used - Spamhaus ZEN, but it is only blocking a small percentage of email.

What the screenshot doesn't show is that the built in Exchange 2007 Content Filtering is also enabled, but the number of messages being received in to the quarantine mailbox is a handful a day.

We are not using Greylisting, reverse DNS or the SPF tests.

In short - the three tests that are getting the most results are based on two factors - non-valid recipients and blocking hosts that are sending to them.
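
The three recipient-based tests described above (recipient validation, the honey pot test and DHA protection) modelled as an added example; it is not Vamsoft ORF's implementation and not from the original post. The recipient lists, addresses, IP addresses, the limit of 3 and the 5-minute window are constructed assumptions.

```powershell
# Added example, not Vamsoft ORF code. All addresses, IPs and thresholds are constructed.
$validRecipients = 'alice@example.com', 'bob@example.com'   # stands in for the AD query
$honeypots       = 'old-webmaster@example.com'              # known non-valid trap address
$dhaLimit        = 3                                        # invalid recipients per host...
$dhaWindow       = New-TimeSpan -Minutes 5                  # ...within this window

$blocked = @{}   # host IP -> reason it was blocked
$invalid = @{}   # host IP -> times of recent invalid-recipient attempts

function Test-Rcpt($Time, $Ip, $Rcpt) {
    $now = [datetime]$Time
    if ($blocked.ContainsKey($Ip)) { return "reject: host blocked ($($blocked[$Ip]))" }
    if ($honeypots -contains $Rcpt) {
        $blocked[$Ip] = 'honeypot'
        return 'reject: honeypot recipient, host now blocked'
    }
    if ($validRecipients -contains $Rcpt) { return 'accept' }

    # Recipient validation failed: record it and apply the DHA rate test.
    $recent = @($invalid[$Ip] | Where-Object { $_ -and ($now - $_) -le $dhaWindow }) + $now
    $invalid[$Ip] = $recent
    if ($recent.Count -ge $dhaLimit) {
        $blocked[$Ip] = 'DHA'
        return 'reject: unknown recipient, DHA limit reached, host now blocked'
    }
    return 'reject: unknown recipient'
}

# Constructed RCPT TO events (time, connecting host, recipient).
$events = @'
Time,Ip,Rcpt
2009-11-01T10:00:00,192.0.2.10,alice@example.com
2009-11-01T10:00:05,198.51.100.7,aaron@example.com
2009-11-01T10:00:06,198.51.100.7,abby@example.com
2009-11-01T10:00:07,198.51.100.7,adam@example.com
2009-11-01T10:00:08,198.51.100.7,bob@example.com
2009-11-01T10:01:00,203.0.113.5,old-webmaster@example.com
2009-11-01T10:01:30,203.0.113.5,alice@example.com
'@ | ConvertFrom-Csv

foreach ($e in $events) {
    '{0}  {1,-13} {2,-26} {3}' -f $e.Time, $e.Ip, $e.Rcpt, (Test-Rcpt $e.Time $e.Ip $e.Rcpt)
}
```

Once a host is blocked, its later attempts are refused even when the recipient is valid, which is how the host-based tests cut volume beyond the messages that individually fail validation.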

The messages are blocked at the point of delivery, therefore the amount of bandwidth used is negligible. The messages do not come in and have to be processed by Exchange, scanned by AV and anti spam software.

Due to the volume of email and the number of queries, this system will most likely be moved to an SQL backed database. The load on the domain controller that is used is being watched carefully, and the hardware of the DC will be increased if required.

If you haven't had a chance to try Vamsoft ORF, then I suggest that you do. The impact can be almost immediate. It is priced per server and, because it is based on host and recipients, there are no definition files to be updated.

Works with all versions of Exchange, including Exchange 2010.

Vamsoft ORF: http://www.shareit.com/product.html?productid=169362&affiliateid=200023740