What is a Blackberry Enterprise Server? Do I need one?

on 30 Mar 2010 01:03 PM

BES

Before we answer the second question, do I need one; let's look at what is a BES and how it works. First the BES is software; Research in Motion does not sell server boxes. In fact many businesses are installing the BES in a virtual server in order to reduce the number of physical server boxes. I've always thought that calling it a "server" was not a good idea; to me it brings up metal images of a new blade for the rack.

So why do companies buy a BES? The quick answer is security and control. The BES offers mind blowing control through 450+ IT policies that can be applied to all or selected handhelds in the corporate environment. Some of the policies control SMS, passwords, PIN to PIN, 3rd party apps & remote wipe.

That's great but how does it work? Without going to crazy here's the "message flow":
New message arrives in the user's Exchange mailbox; which the BES is monitoring using MAPI (Messaging Application Programing Interface)
The message is compressed to 2kb chunks and encrypted using 256-bit AES (Advanced Encryption Standard)
BES makes a secure connection to RIM NOC (Network Operations Center) over port 3101; the connection is an Outbound Initiated & Authenticated Bi-directional Connection. That means you always initiate the secure connection to RIM and an inbound connection is never accepted
At the front end of you encrypted message is your PIN in plain text so RIM knows where to direct the message. Essentially the NOC is a traffic cop
The message is sent to your handheld over the internet via either your wireless carrier or the Wi-Fi network
Once the message reaches the handheld only than is the encryption decrypted, as the only key to decrypt your messages is on the BES and your handheld

In a nutshell that is how the message flow works. Here's the RIM diagram of the full message flow. They love trotting this cartoon out at every opportunity during enterprise presentations. Pay attention there will be a test!

OK so now that we have that out of the way, what does it actually do?

As I touched on earlier here are some of the high points:

IT Policy management; allows corporate big brother decide what functions you can and can't use
Remote Wipe

Remote lock and password change
Push down software configurations
Wireless handheld firmware upgrades
PIM Sync (calendar, address book, tasks & memo pad
Full email sync (sent/received, filed, deleted, follow-ups)

Some more advanced enterprise applications:

Corporate communications tools - MS Office Communications Server, Lotus Sametime
Mobile Data Services - that will be the subject of a future post, this can't be summed up in a bullet point

Here is a shot of my BES console showing some of the many options available to the admin.

For me personally, the two coolest functions of a BES are the PIM sync and wireless backups. The BES does an entire consistent backup of your device; including fonts, messages, phone call logs, password keeper, and icon locations. So if you lose your device or need to wipe it, fear not! The SQL database on the BES will push all this data back to your handheld. This alone is worth the price of admission.

Speaking of price of admission; how much does a BES cost?

There are two flavors of BES.

Blackberry Enterprise Server (BES)
Blackberry Enterprise Server Express (BESx)

Pricing for BESx is the easy one. FREE - totally and completely. You just need the hardware to put it on. More details on what is BESx and all its coolness to come in another post.

BES on the other hand costs. Standard BES pricing (Cdn $)

BES Software with 20 client access licenses (CALs) $4,799.00
1 additional CAL $119.00
5 additional CAL $539.00
10 additional CAL $839.00

RIM & their carrier partners used to offer free BES promos but that has been cancelled to make way for BES express. These costs BTW are one-time costs. There is no fixed cost to maintain a BES. You can subscribe to RIM tech support which offers 24 x 7 support and free software upgrades. Service packs and maintenance release are free for all BES customers regardless whether they have T-Sup or not. If you don't subscribe to T-Sup than point releases (4.0 to 4.1 or 4.x to 5.0) will cost you approx. $1200.

Do you need a BES?

If you have an enterprise grade mail server like Exchange, Domino or GroupWise and use a Blackberry the answer is an unequivocal YES! If you don't have a mail server than the answer could still be YES provided you get Exchange - although I wouldn't run quickly into that decision. An alternative new solution hit the market late last year from Google when they launch the Blackberry Connector for Google Apps. I am a huge fan of Google Apps, my whole personal life has been migrated there. Calendar, mail, address book, docs & my website are all part of my Google Apps ecosystem. The only wrench in the whole Google Apps-BES marriage is that the Blackberry Connector doesn't support BES 5.x at this time. I've got an inquiry into the Google group looking for an update on when the will be supported. At the time I'm writing this article I have not received a reply from Google.

OK so that's the nickel tour of what a BES is. Upcoming will be more detailed info on the exiting world of Mobile Data Services (MDS), IT policies, as well as the differences between BES and BESx.

Filed Under: Help, How-To & Tips; Tags: BES, BESX

44 Comments

Posted by ridesno159 Tuesday, Mar 30, 2010 787 days ago

Fantastic article, I'm on BIS, but owning a Blackberry I've always wanted to know a little about BES. This is very interesting, and I look forward to your follow up articles. I've already learned something cool today, and it's only 12:30. Thanks

Posted by thegoodboy66 Tuesday, Mar 30, 2010 787 days ago

Excellent explanation, nay single user is able to know what is the difference in BES and BIS.

Thanks

Posted by webmastir Tuesday, Mar 30, 2010 787 days ago

thanks, Isaac.

Posted by Turk54 Tuesday, Mar 30, 2010 787 days ago

I really want to thank you for this post, and for the upcoming posts as well on BES and BESX. I think the overall concept of BES is great, but as a person who works for a small company, BES has been out of our reach until the recent announcement of BESX. We recently downloaded it and hope to install it on our server later this week and begin enjoying some (most) of the benefits of BES. I am really curious about the change in philosphy of pricing BESX for free, especially in light of the fact that now almost all of the features of BES are available to a small/medium sized business with users only having to have a BIS data plan and without having to opt for a BES data plan. I wonder what the carriers perspective on this will be?

Posted by Kevin Michaluk Tuesday, Mar 30, 2010 787 days ago

Great first post. Keep em coming!!

Posted by Anguish Tuesday, Mar 30, 2010 787 days ago

BES is really the embodiment of the difference between a Blackberry and any other phone. While iPhones and Android devices do IMAP to reach into almost whatever mailbox you might have, and while they might sync with gmail or yahoo or whatnot, they don't have BES.

In a corporate environment, device security is legally mandated in a lot of circumstances. If any employee is taking e-mail in the field, BES is essential to protect that information. In an R&D environment, phones with cameras are frequently not allowed. With BES an IT admin can set a policy with a few clicks and absolutely prevent use of the camera. And so on.

Wireless backup is so much more useful than it sounds. If I've got a customer who loses their phone, or it's damaged or destroyed, I can walk them through an Enterprise Activation and 100% of their STUFF comes back, wirelessly, painlessly, and quickly. The only thing they need is their e-mail address and a password I set. (You CAN set up DIY EA by the way.)

BES isn't for Joe Average, and it isn't even useful for Joe Average. But for business, it's really handy. I've been deploying BES for years now, because of this.

Posted by findthisfunny Tuesday, Mar 30, 2010 787 days ago

According to this article, the communication initiation is always outbound to RIMs NOC. So if a change is made on the handset does it not replicate back to the server in real time?

I'm contemplating installing BESX on my server. Thanks in advance.

Great article by the way.

Posted by Logvin Tuesday, Mar 30, 2010 787 days ago

BES servers communicate on an outbound initiated port, but maintain a constant connection to RIM's NOC. Once the connection is initiated, RIM's NOC can talk back to the BES.

Posted by redbadger Tuesday, Mar 30, 2010 787 days ago

For an END USER, it there is a way to create a separate e-mail folder/icon (associated just with work e-mail/BES managed mailbox)?

Posted by Logvin Tuesday, Mar 30, 2010 787 days ago

On the newer versions of OS 5.0 you can! I think you have to have BES 5.0+ also.

Posted by jmurra Tuesday, Mar 30, 2010 787 days ago

Super article, but what about:

that Google can't store Tasks and Memo's that are on a Blackberry, like the Desktop Manager does with Outlook software.

I wish you could explain the immediate PUSH of emails via a BES, versus the 15 minute delay that the standard BIS uses until the arrival of an email. And if a BESx might help us users of company email that are not on their BES?

Posted by crazy canuck Tuesday, Mar 30, 2010 787 days ago

@jmurra

BES uses event notifications versus a polling mechanism
that BIS uses. That is why your email arrives almost instantly with BES versus a delay with BIS.

With BIS, RIM takes your gmail,hotmail,yahoo or whatever username and password and logins to your ISP on your behalf and checks if there is new mail.(yes you read this correctly all 25 million BIS users login and passwords are sitting on a server(s) inside RIM for any RIM employee to potentially see. Nobody who babbles on about how 'secure' RIM is every thinks about this fact) If there is new email
on your ISP server it pops it and sends it to the NOC which delivers it to your BB device.

The reason for the delay is every x number of minutes say 15 min RIM is logging into 25 million accounts and polling for new mail. If they decrease the poll rate say down to a minute, RIM would require a lot more servers and infrastructure to do this plus yahoo,gmail, hotmail etc. would likely view the RIM connections as a denial of service attack and shut it down.

Posted by Theme Wednesday, Mar 31, 2010 786 days ago

I just wanted to say that I am on BIS and I get my mail instantly. That is the entire purpose of the PUSH service. The notification is pushed, your BB doesn't have to go look for it. That is why battery life is good. You can "reconcile" a mailbox, but that is not necessary.

Also, my gmail syncs well, I don't use the gmail pluggin, I use the native email settings account with my cell provider. I am in Canada.

I know a friend who got a BB just recently has a 120second delay on hotmail emails, but the gmail syncs right on the spot. All my emails though (gmail and hotmail (including live)) sync instantly.

That is why RIM has their "own" servers unlike every other company.

Posted by Pelvir Tuesday, Mar 30, 2010 787 days ago

GREAT article! Looking forward to the follow ups... Especially the BES vs BESx

Posted by robmtx Tuesday, Mar 30, 2010 787 days ago

I think you should add one other important thing about BES - all wireless providers charge an additional fee on top of your unlimited data plans to add BES. Pricing ranges from $15 to $40 a month, and if you're responsible for paying your employee's cell phone charges, this could add up fast, and continues to recur every month.

Even if you don't pay their bills, your end users are still stuck with an added fee every month on their bill. We've had users switch from BES to BIS or even to non Blackberry's to save $30 a month.

Just a hidden cost I thought I'd bring to the attention of non BES Users reading this article.

Posted by jsn204 Tuesday, Mar 30, 2010 787 days ago

enjoyed the article very much, Isaac.

I know in the past when i always argue for and stick up for blackberry against my friends, i always brought up BES... how its so awesome for companies/businesses. at least now i have some actual knowledge to backup my claims haha.

BES can make a corporate environment much more cohesive and synergized while at the same time offering top notch security. A very worthy investment.

Posted by jryker Tuesday, Mar 30, 2010 787 days ago

Good overview. I would suggest adding that BESX only has the 35 IT policies, not the 450. Could give a false impression.

Posted by haadah Tuesday, Mar 30, 2010 787 days ago

Great article, i'm looking forward to your explanation of BESx

Posted by leeburns Tuesday, Mar 30, 2010 787 days ago

Isaac, very informative article – well done! Inasmuch as you seem very knowledgeable about the operation of BES/BESX, I would like to ask you a question specific to BESX. Have you had any experience with the BlackBerry Enterprise Express software in a clustered Microsoft Exchange Server environment? Thanks in advance… Lee

Posted by Logvin Tuesday, Mar 30, 2010 787 days ago

BES/BESX doesnt care at all. I've set up multiple environments with Clustering (2003 Exch) before. When you fail over you will get some warning emails, but your BES will recover within 5-10 minutes.

Posted by leeburns Tuesday, Mar 30, 2010 787 days ago

Provided the BES/BESX in running on a separate server, it should not cause any conflicts with the exchange server environment in the event of a BES failure, correct?

Posted by aris20 Tuesday, Mar 30, 2010 787 days ago

Thanks isaac, and welcome to CB, I guess ur new, or at least a new admin, keep up the good work

Posted by CrackberryBrandon Tuesday, Mar 30, 2010 787 days ago

Good little refresher course right there.

Posted by folgrz Tuesday, Mar 30, 2010 787 days ago

Great article, helps me understand it a bit more, but I was upset to find out that BESx does not work with microsoft sbs 2008. Just bought a new server for my office and was excited to get BES and my IT guys said that BES will not work with the microsoft small business server 2008, said hes tried it on numerous other clients, apparently everyone is waiting on a service pack to come out to fix this problem.

Posted by Isaac Kendall Tuesday, Mar 30, 2010 787 days ago

Hey folgrz thanks for the feedback. According the specs at http://www.blackberry.com/besexpress
SBS 2008 is supported.

Isaac

Posted by rcasanova Tuesday, Mar 30, 2010 787 days ago

Awesome article Isaac. And congrats on joining CrackBerry, they couldn't have chosen a better contributor!

Posted by elpizzi Tuesday, Mar 30, 2010 787 days ago

First of all thank you for the work that you are doing, it is appreciated. I am interested in the BESx. I own a small recruiting firm with on 3 employees and therefore can not justify the cost for a BES. How ever we all have the blackberry world phones on Boost mobile service and the are not able to use the full functionality of the blackberry. Please advise on what we can do. Thanks

Posted by mfeliciano Tuesday, Mar 30, 2010 787 days ago

This a great article. Thanks so much for the effort. I've known this info for quite sometime but it's nice to get a refresher. And so... I was quite surprised when my friends company decided to switch from blackberry's and BES to iphones and their system. It didn't make any sense, considering the great security that BES offers. Could you tell me what are the differences in the iphone environment? And why a company would even consider and make such a change?

Thanks again for the post!

Posted by leeburns Tuesday, Mar 30, 2010 787 days ago

Posted by fatobx Tuesday, Mar 30, 2010 787 days ago

Isaac - Very well written article! As an IT Admin, I find it refreshing when someone can take a technical discussion and explain it for everyone to understand! I look forward to your article about BESx; as it is new I don't have nearly the knowledge that I do with BES. Thanks again!

-Troy

Posted by jadias Tuesday, Mar 30, 2010 787 days ago

Does a BES allow internet browsing? This article describes message handling, but not internet browsing.

I'm sorry, I'm a noob. However, in a few months I will have the opportunity to go to BES if I so desire. Will I lose the ability to surf the net?

Posted by cgiglia Wednesday, Mar 31, 2010 786 days ago

You still have Internet browsing (through your carrier), but also get "BES" browsing to sites that are inside your firewall that are not accessible from the public network. This capability is fully secure (encrypted with the same AES encrytion standard that secures your email) and is only available to devices registered on your BES. You can even lock out the carrier's browsing capability so all browsing must go through your BES, thereby forcing your BB users to have the same restrictions as if they were browsing from their PC inside your firewall - blocked sites are honored by the BES route.

This capability is handled by the MDS side of the BES and allows you to securely mobilize applications used by your staff when in the office.

Posted by Raistlin1 Tuesday, Mar 30, 2010 787 days ago

Don't forget that almost everything you do on your Blackberry connected to a BES can be seen. I am pretty sure PIN to PIN can be saved, internet sites visited, your calls are even listed (not recorded, but listed) on a BES. There are some more but you get the point.

Posted by ericchamoff Tuesday, Mar 30, 2010 787 days ago

I use Godaddy. If you purchase mobile exchange, it includes hosted BES. It starts at 9.99 per month and you can usually find a coupon to save as much as 30% off. You do not get the control as you would if you were running your own server but it is much less money if you dont have tons of BB's.

Posted by Gibbyoh Tuesday, Mar 30, 2010 787 days ago

I know its over kill but everything about my Home network is over kill. I am currently running BES 4.1.6 in a VM. It runs great and the security it provides with S/MIME my wife and I can pass secure bank account number and SSN via our blackberry connected emails. I am currently in the process of moving from Ohio to Virgina to work as a Blackberry Engineer and once I get settled I will upgrade my Echange to 2010 and my BES environment 5.0.1.

Posted by minpinisland Wednesday, Mar 31, 2010 786 days ago

Okay, I have a BESX question. Our hired out tech guy is telling my manager it will take 2-3 hours to install BESX onto our exchange server. Is that typically how long it will take? I am trying to convince my employer to buckle down and pay him to do it but there isn't that many of us at the company using blackberries yet, only about 5 of us.
I have emailed them the online demo from the bb website and articles from cb about besx and made my case as to how it would make communication and scheduling so much easier and efficient, not to mention the opening email attachment ability which I currently struggle with while using redirector.

Any help or advice related to BESX install would be greatly appreciated.

Thanks

Posted by jletendre Wednesday, Mar 31, 2010 786 days ago

If they know what they are doing and have the access to make the needed changes it should take about 2 hours.

- Service account creation in AD / mailbox
- Open needed port on firewall
- Assign needed permissions in Exchnage / AD
- Install BESX

Are you putting BESX on it's own server be it physical or virtual? SQL DB available or local SQL? What is the expected load and scaled out environment look like? So will you have 5 users or hundreds at some point?

Posted by ewap Wednesday, Mar 31, 2010 786 days ago

Excellent article, well explained and good detail. Awaiting more from you.

Posted by Jimmer55 Wednesday, Mar 31, 2010 786 days ago

I definately have a better grasp on how the BES works now...thank you.

Posted by keithngo Wednesday, Mar 31, 2010 786 days ago

i have BES on my blackberry and i use it for work

Posted by Skier87 Thursday, Apr 01, 2010 785 days ago

Great first article!

Posted by duncan.leung Thursday, Apr 01, 2010 785 days ago

I've always wondered how the BES worked. This cleared up a lot of questions!

Posted by bbrobman99 Friday, May 20, 2011 371 days ago

what does a 20 user cal cost? i have seen a wide range online of prices for 10pak - is it better to add 2 x 10's or 1 x 20?