CHI-LTD
BES 10 config for Active Sync
I assume this is how the devices route through to exchange:
device - wireless network - blackberry infrastructure - firewall - BDS - exchange...?
So, I see Email profiles and Manage SCEP profiles on the BES10 box.
Is there anything else I need to do with Exchange in order for the new 10 devices to connect?
You either are using BES which means installing the Blackberry server software or you are using Activesync, which means installing nothing and using the server as it is.
What version of Exchange do you have?
What do you plan to use for your BB10 devices? BES or Activesync?
How to Configure ActiveSync on BlackBerry Z10 device
http://www.z10case.com/2013/03/how-to-configure-activesync-on-blackberry-z10-device.html
How to set up Outlook to wirelessly synchronize your contacts and calendar with a BlackBerry Z10 smartphone
http://helpblog.blackberry.com/2013/02/how-to-setup-outlook-to-wirelessly-synchronize-your-contacts-and-calendar-with-a-blackberry-z10-smartphone/
Active-Sync with BB is even like normal ActiveSync, but just a few articles that can help you better with the BB Z10, as it's too new and not many know about its functions/features
- Rancy
ASKER
Yes we have BES5 and just installed BES10 (BDS, MDS).
Exchange 2010
BES if possible. But I believe MPI has gone now for BES10..
ASKER
Hmm, so what's the point in having BES10 (MDM, UDS & BDS) as there is more to go wrong...?
Would make sense to use an MDM cloud provider no?
Look, if it's ActiveSync it's straightforward; otherwise you have a kind of failover between BES Server functionality and ActiveSync
- Rancy
You are talking acronyms that I have no idea about. Blackberrys don't feature in my life and I only have one customer with them and one that went the BB route despite me advising them against it and they now use iPhones!
BB10's now have Activesync built in to them - finally - so you don't have to use their clunky software, install anything extra on the servers to get full mail, contacts, calendar sync etc.
Having said that, I have not seen a BB10 device or set one up for Activesync, but I know Activesync very well and if the BB10 can implement Activesync, that would be my preferred method. Less software to screw up the server, fewer problems, fewer headaches and a simpler life in support.
ASKER
sophos?
ASKER
Neither was I. But I do see how BYOD and the Android, MS, Apple solution in some ways is a lot better than BES!
There are still more security risks. For example, Android is open source and, per our security team, that is the mobile platform the most malware and viruses are being written for. Therefore, he will not allow any Android device to connect to our network. Apple devices can only be connected if the user signs an agreement to let us manage and control them. This requires an application placed on the device that allows us to control passcode requirements, applications, etc. Most do not like it because they are not convinced that we cannot see what is on or what they do on their device.
ASKER
Sure, we are going to adopt a BYOD policy should we use UDS.
We will also have a HYOD policy in place soon to cover blackberry devices....
Couldn't agree more about Androids - but a large portion of the world uses Apple devices happily and I haven't seen any security breaches as a result yet.
An Exchange administrator can control the Activesync policy that forces certain settings on the device, but as to what the users do with their devices - that is up to them beyond that.
I am sure that plenty of large corporates tie their devices down heavily, but not seen the need personally (yet).
Alan
If you do not currently have a BYOD policy or a solution in place, then using the UDS server would make sense. You already have the BDS and with one management console covering both, it would make management much easier. Also, if you are running Exchange 2010 or higher, then the device will be blocked by default. This is a feature added in 2010. You can create a default "allow" policy for this type of device so it will not block it. Otherwise, each time you add a user, even through the BDS, Exchange will block ActiveSync.
ASKER
Regardless, I need to buy an SSL certificate for our Exchange box?!
Yes - GoDaddy certs are about the cheapest certs available (or a GoDaddy reseller account works out even cheaper!).
Alan
You could use it without or use a self-signed cert (BB10 just prompts saying it's not trusted) but I wouldn't recommend it. If you just need one, you certainly don't need to buy it... https://cert.startcom.org/
ASKER
Isn't buying one the best bet?
That is my opinion. We always purchase our certs.
The z10 has StartCom pre-loaded.
ASKER
OWA used internally only.
Outlook anywhere not used.
How about both BES10 for BB devices and ActiveSync for other non-BB devices, as I'm going to need an SSL cert for ActiveSync anyway.... So this way we have 2x ways to connect/manage?
ASKER
What cert do I need?
GoDaddy recommend:
I understand you would like to know pricing for an ssl for your 2010 Exchange server.
For Exchange servers we recommend the Multiple Domains UCC with 10 domains.
Today's price for the ssl for 1 year is 164.99 plus taxes.
Thanks for your time
seems overkill?!
I don't know how they came up with a 10 name certificate.
If your external DNS provider supports SRV records then you can get away with a single name, standard SSL certificate.
Simon.
ASKER
external DNS provider being our ISP?
Did they mean 10 certificates, or 10 names on one certificate? It all depends on your configuration or future uses. Items that require a certificate:
Outlook Web App
Exchange Control Panel
Exchange Web Services
Exchange ActiveSync
Outlook Anywhere
Autodiscover
Outlook Address Book distribution
We use all of these with various external names, but if I remember correctly, they are all on the same certificate as aliases (SAN). I will go ahead and tell you that personally, working with certificates is a pain. A necessary pain, but a pain. The requirements are explained in this MS link: http://technet.microsoft.com/en-us/library/dd351044(v=exchg.141).aspx
This also explains the alternative names. While I have not used it, it describes a way of doing all of it with just one certificate.
http://www.cohesivelogic.com/2011/01/exchange-2010-single-name-ssl-certificates/
External DNS being whoever hosts your domain name. That may not be your ISP.
You can run all of the services with different host names if you like, but I only tend to do that in very large deployments where it makes log analysis more useful.
Using a single name SSL certificate is perfectly possible, supported and works well. It does mean running a split DNS system internally and requires SRV records. If that isn't possible, then you can use a five name certificate as you only need two names - the external host name for the Exchange server (mail.example.com) and autodiscover.example.com.
Simon.
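Added example, not part of any post in this thread: a Python check of which client-facing host names a certificate's SAN list fails to cover, for the single-name-plus-SRV and two-name layouts described above. The function names and SAN lists are constructed for illustration; mail.example.com and autodiscover.example.com are the placeholder names used in the thread.

```python
"""Check which client-facing host names a certificate's SAN list fails to cover."""


def covers(san: str, host: str) -> bool:
    """True if one SAN entry matches host (wildcard = exactly one leftmost label)."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    head, _, tail = host.partition(".")
    return bool(head) and tail == san[2:]


def required_names(mail_host: str, smtp_domain: str, srv_autodiscover: bool) -> set:
    """Names the certificate must carry, following the thread's description.

    With an _autodiscover SRV record pointing at mail_host, clients reach
    Autodiscover on mail_host itself; without it they connect to
    autodiscover.<smtp_domain>, which then has to be on the certificate.
    """
    names = {mail_host}
    if not srv_autodiscover:
        names.add("autodiscover." + smtp_domain)
    return names


def missing_names(sans, required) -> list:
    """Required host names that no SAN entry covers (sorted for stable output)."""
    return sorted(h for h in required if not any(covers(s, h) for s in sans))


if __name__ == "__main__":
    # Constructed SAN lists, not taken from a real certificate.
    single = ["mail.example.com"]
    two_name = ["mail.example.com", "autodiscover.example.com"]
    for label, sans in (("single-name", single), ("two-name", two_name)):
        for srv in (True, False):
            need = required_names("mail.example.com", "example.com", srv)
            state = "SRV" if srv else "no SRV"
            print(label, state, "missing:", missing_names(sans, need))
```

A name reported as missing is one on which clients would get a certificate name-mismatch prompt.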
ASKER
I think 10 names in one cert..
ASKER
10 names on the certs I think.. we only have 2x Exchange boxes, one of which hosts live mailboxes, the other doesn't...
All I'm interested in is ActiveSync. I assume we can use a certificate (from 3rd party co.) and assign it to IIS only without affecting existing local certificates that we have in place for Outlook via GPO?
ASKER
I thought this helped, but clearly not.
http://exchangeserverpro.com/exchange-2010-ssl-certificates/
http://exchangeserverpro.com/configure-an-ssl-certificate-for-exchange-server-2010
wish BES used mapi....
It doesn't use MAPI for several reasons. One being that MAPI was one reason why it was limited to 1 device per user. By moving to ActiveSync, this enables BES to control multiple devices per user.
ASKER
Fair enough.
Think I will use an IT company for this...
ASKER
But I am sure I can do this.... I think, without breaking anything!?
Simply buy this: Multiple Domains UCC - $89.99/yr
http://www.godaddy.com/ssl/ssl-certificates.aspx?ci=9039
Follow this: http://www.it-book.co.uk/1881/install-a-uccsan-ssl-certificate-for-exchange-2010
Import the cert into GPO for Outlook clients as well?
Yes. Those steps should work. And you can add it as a trusted cert in a GPO.
ASKER
Is it worth assigning to the 5x services..?
That depends on your future uses. If you think at anytime in the future (and whether you think you will or not, you probably will) I would go ahead and do it all now.
You don't have to do anything with GPO for the SSL certificates.
The whole point of using a trusted SSL certificate is so the clients do not have to be touched.
Therefore all you have to do is install the certificate on to the server and adjust the Exchange configuration if required.
Simon.
ASKER
Okay, so the local server certs we have in GPO to stop Outlook clients from prompting will still work as they are.
The SSL cert I buy will simply work, providing the SRV record on our domain is supported?
ASKER
I am following http://exchangeserverpro.com/configure-an-ssl-certificate-for-exchange-server-2010/#comment-16964 as a guide
we have 2x exchange servers (one live, the other not doing much) - both have all roles installed.
domain.local
do-main.co.uk (our main website/domain), a number of other unused external domains...
Can someone please verify the exact steps required:
buy a standard UCC cert 5x domain or wildcard cert? (we only have one local domain, but many external domains) from http://www.godaddy.com/ssl/ssl-certificates.aspx?isc=cjc599s
import this into exchange
configure the following services/names
CAS - (activesync) = activesync.do-main.co.uk. service already enabled with default policy.
CAS - (OWA) = disabled for external. enabled for internal (current) = exchange.domain.local
CAS - (web, outlook anywhere, autodiscover) = disable web & anywhere. enable autodiscover? autodiscover.do-main.co.uk , autodiscover.domain.local
HUB - (use TLS) = tls.do-main.co.uk
Legacy = disabled.
Then;
On assigning the cert tick IIS only?
Thanks
ASKER
This is for active sync only?
This process is still required first, no?
http://exchangeserverpro.com/configure-an-ssl-certificate-for-exchange-server-2010/#comment-16964
yes, you still need to go through the configuring and request process and then apply the certificate.
ASKER
ok, buying it now.... :)
ASKER
Got there in the end with Activesync. Also running BDS which is useful to manage the HYOD Blackberries.