Wednesday 4 March 2015

Blackberry Enterprise 12 (BES12) Using ActiveSync Certificate using SCEP


We recently undertook a project to upgrade our Blackberry Express 5 server to the Blackberry 12 server.  Whilst the big advantage of Blackberry 10 and Blackberry 12 is that it uses active sync directly over MAPI, one of the biggest disadvantages of  BES10 and BES12 is the fact that users need to enter their active directory passwords.  This feels like a step backwards from the earlier versions of Blackberry that never required this.  The users already having to enter a password to access their phone and potentially a second password to access their secure workspace, having to then remember to change their when it expires on the domain would possibly receive negative feedback from users.  One way to get around this is to use certificate authentication instead of user name and password.  This involves putting a certificate onto the Blackberry device that is associated with the user active directory account and presenting that certificate directly to exchange via the Blackberry tunnel.  The problem is that you cannot manually load certificates onto the phone and even if this was possible, the administrative overhead would be significant.  Because of this there is a process called SCEP.  This is a process in which a non-domain trusted device can automatically request a Certificate from the CA.  Because the CA does not trust the device, there has to be a broker service and this is called a SCEP server.  The process of the SCEP server is to trust the non-domain device and then to request the certificate on its behalf and also to manage the renewal of certificates as appropriate.  The process of setting up the SCEP requires three different configurations.

  • The first is to set up exchange active sync to allow it to accept certificates.
  • The second part is to set up the SCEP server and connect this to the domain CA.
  • The third part is to set up the Blackberry Enterprise server 12 to talk to the SCEP service, then finally to make it all work together.
During this process I found that there was no one complete article that explained the process from beginning to end and spent a long time looking at different white papers trying to understand the process.  As such, I have created a video that outlines the process from beginning to end with a full working example. 
 
In the videos there are two commands that need to be run when setting up the active sync certificates and as such, I have pasted those commands at the bottom of this article for ease of use.  If you have any comments please let me know.
Setting up SSL Host Headers
 
C:\Windows\System32\Inetsrv\
 
 appcmd set site /site.name:"Name of Website in IIS" /+bindings.[protocol='https',bindingInformation='*:443:Host Header']
Setting up Certificates on the virtual directory
appcmd.exe set config "Default Web Site" -section:system.webServer/security/authentication/clientCertificateMappingAuthentication /enabled:"True" /commit:apphost
 
 
 

Wednesday 25 September 2013

BES 10.1 Part 2


So after spending many hours banging my head against a brick wall in trying to get the push notification working I eventually got it working. I found that the password that the push notification uses for the account that is associated with the accessing push notification cannot have any capital letters in it.

I have also read posts that certain special characters have problems so for example we found that password.1  worked well. (clearly a more secure version of this would be needed).  I then found a separate problem that exchange was not routing the responses to the push notification subscription to the BES server and was being routed via a proxy server.  Once this corrected the push notification worked.

 We have had a couple of weeks playing around with this and still have a number of concerns. The biggest concern is the amount of time it takes to get into the email where it has to connect to the secure workspace.  I found a number of issues specifically relating where the phone may have connected to a wireless but not have an internet connection such as Virgin tube wirelesses or BT captive portal type wirelesses.

 This seems to cause the application to crash or have it continually  "continuing to workspace". I have also found the app to crash  even despite having deleted it and reinstalled it.  Finally I have also found the app to be sluggish in that you will be writing an email and it will hang for a few second.  We will be shortly testing it with an iPhone 5 and while I have it on my iPad I have not used it in anger in the same way I have used it on the iPhone.  Currently I still feel that the BlackBerrys that use a MAPI connection are superior to the active synch and I also found the application to eat battery life from the phone.

Blackbery BES 10.1


Blackberry Universal Device Control

 

Recently Blackberry have released their secure workspace product which will allow the putting of emails into a sandbox application that can be installed on android and IOS devices.  This is integrated as part of the BES 10.1 Server

For people who have only ever run the BES 5 Servers you will be aware that the Blackberry Servers communicate with exchange through MAPI.  As of the  BES 10 both the connection for the non-Blackberry devices and the Blackberry 10 devices are all carried out directly through active sync.  Blackberry have stated that they are moving away from the MAPI connection and this in itself poses some interesting challenges.

With the current BES 5 Servers if we have any issues relating to emails being populated twice or emails not syncing then  Blackberry Support are responsible for identifying the issue, with active sync  Blackberry support have stated to us that they will ask us to refer problems in synchronisation to Microsoft.  For SMB firms that do not have a support contract with Microsoft they will be liable for additional costs on top of the Blackberry Support if such issue arise.

With the active sync technology users are required to present their network password on the end device, this is a significant change from the standard BES 5 in which the user’s password are not required.  In many organisations that follow Microsoft’s best practices passwords are changed every thirty days and this is an additional inconvenience and seems a step backwards for our users.  This problem can be overcome by using the SCEP technology but this requires additional configuration and again is something that would have to be supported in house and not part of the Blackberry infrastructure.

Blackberry heavily relies on certificate technology to carry out the authentication between the non-Blackberry device and its Blackberry infrastructure; and while it can be argued what Blackberry are providing could easily be provided with your own internal VPN infrastructure the added complication of certificates is handled very nicely through the Blackberry product and takes a significant learning curve away from smaller IT departments.

That said one of the biggest drawbacks on using IOS is that the Apple does not allow external parties to connect directly to the iPhones and therefore pushing out emails as they come in is not an option.  In order to allow push notification your internal Blackberry server will have to notify the Apple Notification Service (APN) which in turn will notify your device and your device will then request the latest emails from Blackberry.  We have had significant problems in getting this working (see part 2)

 We have been working with the Blackberry Team for a number of days and it has been escalated but from reading around on other blogs it appears that we are not the only people having this working.  It should also be understood that as of IOS 6 still do not allow multi-thread applications.

 During some real world testing we have seen a number of problems in using the secure workspace on the IPhone when you are moving in and out of networks.  For instance using the secure workspace on the underground as the iPhone was connecting to different wireless networks the connecting to secure workspace box kept flashing on and off making it impossible to compose or delete emails offline.  Furthermore we found when the iPhone was connecting to wireless networks but did not have internet connection on those wireless networks such as Virgin Media it was causing the App to crash. 

 So initial thoughts on the Blackberry Workspaces the secure workspace is clearly a Mark 1 product and will take a good twelve months to mature.  It is arguable whether die hard Blackberry users that have been used to the rock solid reliability and ease of use will be able to suffer the imperfections of using the software on a non-Blackberry device.  Where I see this being most useful is the occasional user that checks their emails once a day in the evening from their iPad then the solution would be more than adequate.  We still have a number of problems to iron out such as push notification on Apple and will blog back later when we have resolved these problems.

Friday 12 April 2013

Reinstall Systems Centre Operations Manager 2012 SP1 Issues (SCOM)


I recently had to reinstall Systems Centre Operations Manager 2012, the initial install was done on the candidate release had no problems however on removing and reinstalling from the SP1 one release I thought I would share with you a couple of issues that arose. 
 
 Firstly the databases that are selected need to have a trading slash otherwise the install will fail as show below
 
 
 
 
 Secondly I continue to have a problem where the date warehouse would not install properly on examining the logs there was an issue with the data access layer.  I found the solution to this was to change the data access account from a local user account to a domain user account.  After making these changes the install completed successfully. 

 
 
 [22:10:45]: Info: :Info:trying to connect with server xxxxx
[22:10:52]: Info: :Info:Error while connecting to management server: The Data Access service is either not running or not yet initialized. Check the event log for more information.
[22:10:52]: Error: :Couldn't connect to mgt server stack: : Threw Exception.Type: Microsoft.EnterpriseManagement.Common.ServiceNotRunningException, Exception Error Code: 0x80131500, Exception.Message: The Data Access service is either not running or not yet initialized. Check the event log for more information.
[22:10:52]: Error: :StackTrace:   at Microsoft.EnterpriseManagement.Common.Internal.ExceptionHandlers.HandleChannelExceptions(Exception ex)
   at Microsoft.EnterpriseManagement.Common.Internal.SdkDataLayerProxyCore.CreateEndpoint[T](EnterpriseManagementConnectionSettings connectionSettings, SdkChannelObject`1 channelObjectDispatcherService)
 
 
 

Reinstalling SQL Reporting Services for Systems Centre Operations Manager 2012 (SCOM)


I recently had to reinstall the reporting component of Systems Centre Operations Manager. 

 
On uninstalling the reporting component I subsequently was unable to connect to the SQL instance of the reporting services that we were using for Systems Centre Operations Manager.  On examining the event log I came across the error message of

"Report Server (MSSQLSERVER_ cannon load the Windows extension"




  After some research I found the solution was the run the Resetsrs that can be found on the Systems Centre Operations Manager CD under SupportTools\AMD64\ResetSRS.exe

.  This resolved the reporting service instance problem and was able to re-install the reporting services module.

Friday 5 April 2013

Veeam Replication


VEEAM is a host-based backup solution requires snapshots to be taken at the guest level. This has a number of challenges as they should not be taken on high I/O servers and are also not supported by Microsoft. On the positive side of VEEAM it is a very good technology for taking multiple incremental backups. VEEAM works via a technology called reverse backup whereas traditional incremental backups using software such as Backup Exec we would have to restore a master backup and then create smaller incremental afterwards, VEEAM works by creating a master file when it then takes the next backup the master file is updated and the changes are pushed down to a smaller incremental file, when restoring a backup from VEEAM you are able to store the single backup file and not need to restore intermediate incremental backup, but in addition this allows you to roll back to previous versions and VEEAM will then apply the incremental to get a backup from whatever point in time you require.

The VEEAM technology uses change block tracking when used with VMware means that the underlying VMware hypervisor tracks the changes made vastly speeding up the time to take a
Incremental backup. VEEAM working at the hypervisor level also means that the load put on the host is uniform and does not impact any performance so if it wasn’t for the snapshot problem there would be no issue in running backups during the day. VEEAM is a byte level backup technology as opposed to a bit level, the amount of data that is replicated is more than the Doubletake solution. VEEAM has the ability to QueueSQ the underlying guest operating system before it takes a snapshot allowing it to make use of the built in shadow copy functionality of Windows to QS the exchange and SQL databases before the snapshot is taken.


As a backup technology VEEAM is able to save individual files to a hard disk and then this can either be copied onto a removable drive or transferred to tape by using a product such as Backup Exec. The disadvantage of doing this is that you are putting all your reliance into a single flat file. If that file becomes corrupt either through copying to tape or at the point of backup you will not know this and will not be able to restore any part of the VM. Therefore to be confident that these files are not corrupted we need to find a way of being able to mount them and test them in a lab environment to confirm a bootable backup.

VEEAM has a number of different ways of restoring data from a flat file backup in the event of recovery. VEEAM has a technology called instant restore that allows you to mount the backup in an emulated environment. While this allows for instant access to the VM it puts a significant load on the server as it is having to emulate the VMDKs.

VEEAM has a traditional restore that allows you to restore the flat file backup into the original VMDKs. This will take a significant amount of time depending on the size of the VMDK.

VEEAM also allows us single file restore. In a single file restore VEEAM will mount the VMDK behind the scenes and give an explorer style access to the available drives. This is a good technique for making sure that the flat file backup is not corrupt. As VEEAM takes multiple numbers of snapshots the further back you go in snapshots the more increments are need to be combined to produce the file.

VEEAM Enterprise has the ability for application level restores. This allows for restoring individual databases, individual exchange items and individual active directory objects. This product is great for less intense I/O Servers