Friday, August 19, 2011

Handling BIS (Blackberry Internet Service) users who access their corporate email via OWA when transitioning from Exchange 2003 to 2010

I ran into an interesting challenge a few months ago during a project where I was migrating users from Exchange 2003 to 2010.  These migrations are usually very straight forward but what was different for this project was that there were several users using BIS (Blackberry Internet Service) to retrieve their corporate email because of the lack of a BES server available. 

Problem #1 – Redirecting OWA requests

The challenge here was that during the coexistence phase, all OWA requests, whether for legacy or migrated users, always hit the Exchange 2010 CAS server first; if the user's mailbox is still in the legacy Exchange 2003 environment, the Exchange 2010 CAS server then redirects the traffic over to it.


This causes a problem for users who retrieve corporate email through their Blackberry's BIS service, because BIS will not work if you point it at the Exchange 2010 OWA URL and rely on the CAS server to redirect the request to the Exchange 2003 front-end or mailbox server.

Problem #2 – Authentication configuration requirements for BIS

The next challenge was that we were not able to simply modify all of the BIS accounts to use the legacy Exchange 2003 environment's new URL, such as https://legacy.contoso.com/Exchange, because when we did so the Blackberries were not able to establish a connection.  This was strange because, as per the following KB: http://btsc.webapps.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB23361, the configuration we had for the Exchange 2003 OWA should be supported.  What was even more interesting was that when I turned off forms-based authentication for the Exchange 2003 OWA:


https://legacy.contoso.com/exchange worked for the BIS service.  This obviously contradicts what the KB says, and even though disabling the feature would get BIS to work, we would end up breaking the Exchange 2010 redirect for legacy users.  Since we were pressed for time and needed a solution, what I ended up doing was the following:

1. Purchased another certificate named blackberry.contoso.com.
2. Added a new public DNS record for blackberry.contoso.com.
3. Modified our firewall to accept blackberry.contoso.com traffic and redirect it to the backend mailbox server.
4. Configured the backend mailbox server to have Form Based authentication disabled.
5. Configured the users’ BIS account to use blackberry.contoso.com as the OWA URL.

This interim solution worked during the transition and while it’s not perfect, it’s a viable solution if you happen to come across the same issues I had.
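As an added example (not from the original post), the check below classifies what an OWA URL answers to an unauthenticated request, so you can confirm whether a given URL is handing out a forms-based logon page or a Basic/Integrated challenge before pointing BIS at it. The logon-page paths are assumptions based on default Exchange 2003 and 2010 installs, and the sample responses are constructed so the script runs offline.

```python
"""Classify how an OWA URL answers an unauthenticated GET (added example).

Forms-based authentication (FBA) answers with a redirect to a logon page,
while Basic or Integrated authentication answers 401 with a WWW-Authenticate
challenge. Logon paths below are assumed defaults, not taken from the post.
"""
import urllib.error
import urllib.request

# Assumed default FBA logon pages for Exchange 2003 and Exchange 2010.
FBA_LOGON_PATHS = ("/exchweb/bin/auth/owalogon.asp", "/owa/auth/logon.aspx")


def classify_owa_auth(status: int, headers: dict) -> str:
    """Return 'forms', 'basic', 'integrated', 'redirect' or 'unknown'."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if status in (301, 302, 303, 307):
        target = h.get("location", "").lower()
        if any(path in target for path in FBA_LOGON_PATHS):
            return "forms"
        return "redirect"  # e.g. a CAS 2010 sending a legacy user to another host
    if status == 401:
        # Note: a dict keeps only one WWW-Authenticate value if several were sent.
        challenge = h.get("www-authenticate", "").lower()
        if "basic" in challenge:
            return "basic"
        if "ntlm" in challenge or "negotiate" in challenge:
            return "integrated"
    return "unknown"


def probe(url: str, timeout: float = 10.0) -> str:
    """Live check: one unauthenticated GET, without following redirects."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # keep the 3xx so the Location header can be inspected
    opener = urllib.request.build_opener(NoRedirect)
    try:
        resp = opener.open(url, timeout=timeout)
        return classify_owa_auth(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as e:  # 3xx/4xx arrive here with headers intact
        return classify_owa_auth(e.code, dict(e.headers))


# Constructed sample responses, one per behaviour described in the post.
SAMPLES = {
    "legacy_fba": (302, {"Location": "https://legacy.contoso.com/exchweb/bin/auth/owalogon.asp"}),
    "blackberry_basic": (401, {"WWW-Authenticate": 'Basic realm="blackberry.contoso.com"'}),
    "cas2010_redirect": (302, {"Location": "https://legacy.contoso.com/exchange"}),
}

if __name__ == "__main__":
    for name, (status, headers) in SAMPLES.items():
        print(name, "->", classify_owa_auth(status, headers))
```

Running `probe("https://blackberry.contoso.com/exchange")` against the interim host should report `basic` or `integrated`, whereas the FBA-enabled legacy URL reports `forms`.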
