BES 10 config for Active Sync

CHI-LTD (asker):

I assume this is how the devices route through to exchange:

device - wireless network - blackberry infrastructure - firewall - BDS - exchange...?

So, I see Email profiles and Manage SCEP profiles on the BES10 box.

Is there anything else I need to do with Exchange in order for the new 10 devices to connect?
Manpreet Singh Khatra:

I don't think for ActiveSync it will go through the BB infrastructure, as it's more like ActiveSync for iPhone\other devices

- Rancy
You either are using BES which means installing the Blackberry server software or you are using Activesync, which means installing nothing and using the server as it is.

What version of Exchange do you have?

What do you plan to use for your BB10 devices?  BES or Activesync?
How to Configure ActiveSync on BlackBerry Z10 device
http://www.z10case.com/2013/03/how-to-configure-activesync-on-blackberry-z10-device.html

How to set up Outlook to wirelessly synchronize your contacts and calendar with a BlackBerry Z10 smartphone
http://helpblog.blackberry.com/2013/02/how-to-setup-outlook-to-wirelessly-synchronize-your-contacts-and-calendar-with-a-blackberry-z10-smartphone/

ActiveSync with BB is just like normal ActiveSync, but these are just a few articles that can help you better with the BB Z10, as it's too new and not many know about its functions\features

- Rancy
CHI-LTD (asker):
Yes we have BES5 and just installed BES10 (BDS, MDS).

Exchange 2010

BES if possible.  But I believe MAPI has gone now for BES10..
CHI-LTD (asker):
Hmm, so what's the point in having BES10 (MDM, UDS & BDS) as there is more to go wrong...?  
Would make sense to use an MDM cloud provider no?
Look, if it's ActiveSync it's straightforward; otherwise you have a kind of failover between BES Server functionality and ActiveSync

- Rancy
You are talking acronyms that I have no idea about.  Blackberrys don't feature in my life and I only have one customer with them and one that went the BB route despite me advising them against it and they now use iPhones!

BB10s now have ActiveSync built into them - finally - so you don't have to use their clunky software or install anything extra on the servers to get full mail, contacts, calendar sync etc.

Having said that, I have not seen a BB10 device or set one up for ActiveSync, but I know ActiveSync very well and if the BB10 can implement ActiveSync, that would be my preferred method.  Less software to screw up the server, fewer problems, fewer headaches and a simpler life in support.
CHI-LTD (asker):
sophos?
CHI-LTD (asker):
Neither was I.  But, I do see how BYOD and the Android, MS, Apple solution in some ways is a lot better than BES!
There are still more security risks. For example, Android is open source and per our security team, that is the mobile platform the most malware and viruses are being written for. Therefore, he will not allow any Android device to connect to our network. Apple devices can only be connected if the user signs an agreement to let us manage and control them. This requires an application placed on the device that allows us to control passcode requirements, applications, etc. Most do not like it because they are not convinced that we cannot see what is on or what they do on their device.
CHI-LTD (asker):
Sure, we are going to adopt a BYOD policy should we use UDS.
We will also have a HYOD policy in place soon to cover blackberry devices....
Couldn't agree more about Androids - but a large portion of the world uses Apple devices happily and I haven't seen any security breaches as a result yet.

An Exchange administrator can control the Activesync policy that forces certain settings on the device, but as to what the users do with their devices - that is up to them beyond that.

I am sure that plenty of large corporates tie their devices down heavily, but not seen the need personally (yet).

Alan
If you do not currently have a BYOD policy or a solution in place, then using the UDS server would make sense. You already have the BDS and with one management console covering both, it would make management much easier. Also, if you are running Exchange 2010 or higher, then the device will be blocked by default. This is a feature added in 2010. You can create a default "allow" policy for this type of device so it will not block it. Otherwise, each time you add a user, even through the BDS, Exchange will block ActiveSync.
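As an added illustration (not from the thread or any of its posters), these are the Exchange 2010 Management Shell commands behind the default block/allow behaviour described in the post above and the device-settings policy Alan mentions earlier; the admin address, the mailbox address and the "BlackBerry" query string are placeholders to be replaced with what your own devices report.

```powershell
# Added example, not from the thread. Exchange 2010 Management Shell.
# Placeholders: the admin address, the mailbox address and the QueryString.

# 1. Inspect the organisation-wide default. DefaultAccessLevel can be
#    Allow, Block or Quarantine; with Block or Quarantine a new device is
#    held until an access rule or a per-device exemption lets it through.
Get-ActiveSyncOrganizationSettings | Format-List DefaultAccessLevel, AdminMailRecipients

# Quarantine rather than Block keeps the device visible for review: the admin
# gets a mail, the user gets a holding message, and nothing syncs until approved.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "exchange-admins@do-main.co.uk"   # placeholder address

# 2. See what a new BB10 device actually reports before writing a rule for it.
#    DeviceType / DeviceModel / DeviceOS / UserAgent are the characteristics
#    a device access rule can key on.
Get-ActiveSyncDevice | Format-Table UserDisplayName, DeviceType, DeviceModel, DeviceOS, DeviceAccessState

# 3. Allow one device family instead of opening the default to Allow.
#    Replace the QueryString with the DeviceType string seen in step 2.
New-ActiveSyncDeviceAccessRule -QueryString "BlackBerry" -Characteristic DeviceType -AccessLevel Allow

# 4. The mailbox policy is what enforces settings on the handset (the policy
#    Alan refers to). Tighten the built-in Default policy rather than leaving it open.
Set-ActiveSyncMailboxPolicy -Identity "Default" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 6 `
    -MaxDevicePasswordFailedAttempts 10 `
    -MaxInactivityTimeDeviceLock 00:15:00 `
    -DeviceEncryptionEnabled $true `
    -AllowNonProvisionableDevices $false

# 5. Verify which devices a user has partnered and their current access state.
Get-ActiveSyncDeviceStatistics -Mailbox "user@do-main.co.uk" |
    Select-Object DeviceType, DeviceAccessState, LastSuccessSync   # placeholder mailbox
```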
CHI-LTD (asker):
Regardless, I need to buy an SSL certificate for our Exchange box?!
Yes - GoDaddy certs are about the cheapest certs available (or a GoDaddy reseller account works out even cheaper!).

Alan
You could use it without or use a self-signed cert (BB10 just prompts saying it's not trusted) but I wouldn't recommend it.  If you just need one, you certainly don't need to buy it... https://cert.startcom.org/
CHI-LTD (asker):
Isn't buying one the best bet?
That is my opinion. We always purchase our certs.
The Z10 has StartCom pre-loaded.
CHI-LTD (asker):
OWA used internally only.
Outlook anywhere not used.

How about both BES10 for BB devices and ActiveSync for other non-BB devices, as I'm going to need an SSL cert for ActiveSync anyway....   So this way we have 2x ways to connect/manage?
CHI-LTD (asker):
What cert do I need?

GoDaddy recommend:

I understand you would like to know pricing for an ssl for your 2010 Exchange server.

For Exchange servers we recommend the Multiple Domains UCC with 10 domains.

Today's price for the ssl for 1 year is 164.99 plus taxes.

Thanks for your time

seems overkill?!
I don't know how they came up with a 10 name certificate.
If your external DNS provider supports SRV records then you can get away with a single name, standard SSL certificate.

Simon.
CHI-LTD (asker):
external DNS provider being our ISP?
Did they mean 10 certificates, or 10 names on one certificate? It all depends on your configuration or future uses. Items that require a certificate:

Outlook Web App
Exchange Control Panel
Exchange Web Services
Exchange ActiveSync
Outlook Anywhere
Autodiscover
Outlook Address Book distribution

We use all of these with various external names, but if I remember correctly, they are all on the same certificate as aliases (SAN). I will go ahead and tell you that personally, working with certificates is a pain. A necessary pain, but a pain. The requirements are explained in this MS link: http://technet.microsoft.com/en-us/library/dd351044(v=exchg.141).aspx

This also explains the alternative names. While I have not used it, it describes a way of doing all of it with just one certificate.

http://www.cohesivelogic.com/2011/01/exchange-2010-single-name-ssl-certificates/
External DNS being whoever hosts your domain name. That may not be your ISP.
You can run all of the services with different host names if you like, but I only tend to do that in very large deployments where it makes log analysis more useful.

Using a single name SSL certificate is perfectly possible, supported and works well. It does mean running a split DNS system internally and require SRV records. If that isn't possible, then you can use a five name certificate as you only need two names - the external host name for the Exchange server (mail.example.com) and autodiscover.example.com.

Simon.
CHI-LTD (asker):
I think 10 names in one cert..
CHI-LTD (asker):
10 names on the cert I think..  We only have 2x Exchange boxes, one of which hosts live mailboxes, the other doesn't...

All I'm interested in is ActiveSync.  I assume we can use a certificate (from a 3rd party co.) and assign it to IIS only without affecting existing local certificates that we have in place for Outlook via GPO?
It doesn't use MAPI for several reasons. One being that MAPI was one reason why it was limited to 1 device per user. By moving to ActiveSync, this enables BES to control multiple devices per user.
CHI-LTD (asker):
fair enough.

Think I will use an IT company for this...
CHI-LTD (asker):
But I am sure I can do this....   I think, without breaking anything!?

Simply buy this: Multiple Domains UCC - $89.99/yr
http://www.godaddy.com/ssl/ssl-certificates.aspx?ci=9039

follow this: http://www.it-book.co.uk/1881/install-a-uccsan-ssl-certificate-for-exchange-2010

import the cert into GPO for outlook clients as well?
Yes. Those steps should work. And you can add it as a trusted cert in a GPO.
CHI-LTD (asker):
is it worth assigning to the 5x services..?
That depends on your future uses. If you think at any time in the future (and whether you think you will or not, you probably will) I would go ahead and do it all now.
You don't have to do anything with GPO for the SSL certificates.
The whole point of using a trusted SSL certificate is so the clients do not have to be touched.
Therefore all you have to do is install the certificate on to the server and adjust the Exchange configuration if required.

Simon.
CHI-LTD (asker):
Okay, so the local server certs we have in GPO to stop Outlook clients from prompting will still work as they are.

The SSL cert I buy will simply work, providing the SRV record on our domain is supported?
CHI-LTD (asker):
I am following http://exchangeserverpro.com/configure-an-ssl-certificate-for-exchange-server-2010/#comment-16964 as a guide

we have 2x exchange servers (one live, the other not doing much) - both have all roles installed.  

domain.local
do-main.co.uk (our main website/domain), a number of other unused external domains...

Can someone please verify the exact steps required:

buy a standard UCC cert 5x domain or wildcard cert? (we only have one local domain, but many external domains) from http://www.godaddy.com/ssl/ssl-certificates.aspx?isc=cjc599s 

import this into exchange
configure the following services/names

CAS - (activesync) = activesync.do-main.co.uk.  service already enabled with default policy.
CAS - (OWA) = disabled for external.  enabled for internal (current) = exchange.domain.local
CAS - (web, outlook anywhere, autodiscover) = disable web & anywhere.  enable autodiscover? autodiscover.do-main.co.uk, autodiscover.domain.local

HUB - (use TLS) = tls.do-main.co.uk
Legacy = disabled.

Then;

On assigning the cert tick IIS only?

Thanks
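The certificate part of the step list above, as Exchange 2010 Management Shell commands; this is an added example, not from the thread or any of its posters. The names activesync.do-main.co.uk and autodiscover.do-main.co.uk come from the question; the server name EXCH01, the file paths and the O= value are placeholders.

```powershell
# Added example, not from the thread. Exchange 2010 Management Shell.
# Placeholders: EXCH01, C:\certreq\... and the O= organisation value.

# 1. Generate the request. The SubjectName CN is the primary name; every name
#    in -DomainName becomes a SAN entry (include the CN there too). Only the
#    two public names are needed for ActiveSync + Autodiscover; the .local
#    name is left off because a public CA will not issue for it.
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=GB, O=CHI-LTD, CN=activesync.do-main.co.uk" `
    -DomainName activesync.do-main.co.uk, autodiscover.do-main.co.uk `
    -PrivateKeyExportable $true -KeySize 2048
Set-Content -Path C:\certreq\do-main.req -Value $req   # paste this into the CA's order form

# 2. Complete the pending request with the CA-issued file and bind it to IIS
#    only ("tick IIS only"). SMTP, POP and IMAP keep whatever certificate they
#    have now, so the internal certs trusted via GPO are not touched.
$cert = Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path C:\certreq\do-main.cer -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# 3. Make the URL handed out to devices match a name on the certificate;
#    otherwise handsets see a name mismatch even though the cert is trusted.
Set-ActiveSyncVirtualDirectory -Identity "EXCH01\Microsoft-Server-ActiveSync (Default Web Site)" `
    -ExternalUrl "https://activesync.do-main.co.uk/Microsoft-Server-ActiveSync"

# 4. Checks: which certificate now serves IIS (and when it expires), and does
#    public DNS carry the Autodiscover SRV record that a single-name or
#    two-name certificate relies on?
Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } |
    Format-List Subject, CertificateDomains, NotAfter
nslookup -type=SRV _autodiscover._tcp.do-main.co.uk
```

The SRV lookup should answer with the Exchange server's public host name on port 443; if it returns nothing, Outlook and devices fall back to looking for autodiscover.do-main.co.uk directly, which is why that name is on the certificate.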
CHI-LTD (asker):
This is for ActiveSync only?

This process is still required first, no?
http://exchangeserverpro.com/configure-an-ssl-certificate-for-exchange-server-2010/#comment-16964
yes, you still need to go through the configuring and request process and then apply the certificate.
CHI-LTD (asker):
OK, buying it now.... :)
CHI-LTD (asker):
Got there in the end with ActiveSync.  Also running BDS, which is useful to manage the HYOD BlackBerries.