Thursday, April 7, 2011

Lync BES 5 SP3 Integration Guide

Now that RIM has released Service Pack 3 for the BlackBerry Enterprise Server (BES) 5, we can have Lync connectivity on our BlackBerries. Let me tell you, it works well. It took a while to get it functioning properly, but it was worth it. So if you don't already have the Service Pack, go here and get it.

Lync integration with the BES requires that the UCAPI 2.0, SQL Native Client, and OCS Core components be installed. That's right, RIM uses the OCS 2007 R2 components to accomplish the connectivity. If you ask me, this is very smart, since Lync has backward compatibility for OCS 2007 R2 components. This is a two-for-one deal for RIM: they can support OCS 2007 R2 and Lync using the same interfaces.

Once you have the prerequisite packages installed (the installer will tell you it needs them), you can decide which provisioning method you wish to use. There are two methods and they are described in detail here. I chose to use the automatic method, which worked perfectly.

Now go ahead and install the BES or upgrade it. This is out of the scope of this blog; follow the RIM documentation on how to do this.

Next, you'll have to generate a certificate for the BES. More information can be found in RIM's knowledge base. Here is the article you'll want to review. Now you're probably thinking: great, I know what I need in the certificate, but how do I create the request? I have a standalone CA in my environment, and it was quite simple once you know the syntax to use in the certificate request inf file. Here is a sample certificate request inf file for the BES.


[Version] 
Signature="$Windows NT$"


[NewRequest]
Subject = "CN=lyncpool.example.com" 
Exportable = TRUE
KeyLength = 1024  
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC


[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1


[RequestAttributes]
SAN="dns=lyncserver.example.com&dns=besserver.example.com"


A few notes on the above inf file:

  1. Subject must be set to the FQDN of the Lync pool that you will be connecting to in the same format as above.
  2. Setting Exportable to TRUE allows you to export and transport the certificate with the private key to another server later if required or to export it and back it up. Set it to FALSE to disallow this.
  3. SAN must contain the FQDNs of the servers hosting the Lync pool and of the BES server that is providing the Collaboration service. The format must be the same as above.
  4. The sample file is for a standalone or external Certificate Authority. If you are using an Enterprise CA or need more information in general, take a look at this Microsoft knowledge base article. 

Once you have your inf file ready and are ready to submit the request to your CA, run the following command on the server hosting your BES:

certreq -new "path to your inf file" "path to the request file to generate"

If you are running this on a 2008 or 2008 R2 server you will need to run this as an administrator. This should now generate the request file. You can then send that to your CA to have a certificate issued.

Once you get the certificate back from your CA, you can install it. The easiest way to do this is to open up the MMC and add in the Certificates snap-in, select "Computer account" and point it at "Local Computer", or at another computer so long as it is the server hosting the BES. Now, open Personal, right click and select "All Tasks" and then "Import...", follow the wizard through, and be sure to select the file your CA gave you when prompted. Once the certificate has been imported, click on Certificates under Personal, then right click on the certificate you just imported and select Properties. Now, enter OCSConnector as the "Friendly Name". Click OK and you're done with the certificate setup. The friendly name is essential; the BES seems to look for this so it knows which certificate to use.
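
To confirm the result of the certificate steps above, the following PowerShell check inspects the Local Computer Personal store for the OCSConnector certificate. It is an added example, not part of the original post or of RIM's documentation. The FQDNs are the placeholders from the sample inf file, and the 2048-bit comparison is an added baseline, not a BES requirement.

```powershell
# Added example: run on the server hosting the BES.
# Placeholder FQDNs copied from the sample inf file; replace with your own.
$PoolFqdn     = 'lyncpool.example.com'
$RequiredSans = @('lyncserver.example.com', 'besserver.example.com')
$ServerAuth   = '1.3.6.1.5.5.7.3.1'   # EKU OID requested in the inf file
$SanOid       = '2.5.29.17'           # subjectAltName extension
$EkuOid       = '2.5.29.37'           # Enhanced Key Usage extension
$nameType     = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

# The BES picks its certificate by friendly name, so select on that.
$certs = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq 'OCSConnector' })
if ($certs.Count -ne 1) {
    Write-Warning "Expected one certificate named OCSConnector, found $($certs.Count)."
}

foreach ($cert in $certs) {
    # CN of the subject, which must be the Lync pool FQDN.
    $cn = $cert.GetNameInfo($nameType, $false)

    # SAN extension rendered as text, e.g. "DNS Name=host.example.com, ...".
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
    $missing = @($RequiredSans | Where-Object {
        $sanText -notmatch ('=' + [regex]::Escape($_) + '(,|\s|$)') })

    # OIDs listed in the Enhanced Key Usage extension.
    $ekus = @($cert.Extensions |
        Where-Object { $_.Oid.Value -eq $EkuOid } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    New-Object PSObject -Property @{
        Thumbprint     = $cert.Thumbprint
        SubjectIsPool  = ($cn -eq $PoolFqdn)
        MissingSans    = ($missing -join ', ')
        HasServerAuth  = ($ekus -contains $ServerAuth)
        HasPrivateKey  = $cert.HasPrivateKey
        NotExpired     = ($cert.NotAfter -gt (Get-Date))
        KeySize        = $cert.PublicKey.Key.KeySize   # sample inf requests 1024
        KeyAtLeast2048 = ($cert.PublicKey.Key.KeySize -ge 2048)
    } | Format-List
}
```

An empty MissingSans with SubjectIsPool, HasServerAuth, HasPrivateKey and NotExpired all True matches what the post describes. KeyAtLeast2048 will be False for a certificate issued from the sample inf as written, since it requests a 1024-bit key.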


Now here is where things went awry for me. I could log into Lync with the Enterprise IM client on my BlackBerry and I could send messages, but could I receive them or updated presence information? The answer was a resounding no. People that tried to send me messages got a 504 error reported to them in their Lync clients. To begin troubleshooting this, after covering all the basics, I fired up the Lync Logger and logged everything for SIP Stack. The SIP Stack log quickly showed there was a problem communicating with the BES Collaboration Service. The error I was seeing in the Log Analyzer was SIPPROXY_E_CONNECTION_FAILED.

Then I remembered, OCS 2007 R2 has problems running on Server 2008 R2! Our brand new BES was running on Server 2008 R2 no less. I quickly searched my bookmarks for all those KB articles I had saved knowing I would need them again one day. The first one that everyone should review is the OCS 2007 R2 on Server 2008 R2 Supportability document. In there it makes reference to requiring a hot fix for Windows. This is not required if you're running Server 2008 R2 with Service Pack 1 on your BES server. Next, you need to update the OCS 2007 R2 components on the server. I suggest using the ServerUpdateInstaller package which can be found here. It will automatically detect which updates you need, download them and install them.

After all this, Lync/Enterprise IM connectivity on the BlackBerry worked flawlessly. One last thing: if you need the Enterprise IM client for your BlackBerry, grab it from RIM here. Enjoy your brand new Lync connectivity!