Prerequisites

The MindLink Suite of products requires a series of pre-requisites to be in place both on the MindLink Application Server and on the Lync Front End Server in order for the products to function correctly. This guide will help you get your infrastructure into a state ready to accept the MindLink product.


System requirements

Hardware

  • Dual or Quad core, 64-bit CPU (minimum 2.4 GHz)
  • Gigabit Ethernet connection
  • 4 GB RAM
  • Minimum 1 GB disk space

Operating System

  • Windows Server 2008 R2, 2012, 2012 R2 or 2016
  • Domain Joined
  • Microsoft .Net Framework 4.8
  • C++ 2012 redistributable installation binary (for Lync 2013 only)
  • C++ 2013 redistributable installation binary (for Skype for Business only)
  • Domain Member Service Account

Network

  • Communication on port 2195 for APNS push notifications (MindLink Mobile for iPhone/iPad)
  • If you enable the Server Pooling functionality (available to MindLink Mobile only), you may use a High Availability / Resiliency strategy supported by Microsoft SQL Server 2012, 2014 or 2016, such as 'Mirroring' or 'Always On'

Lync/Skype For Business

  • The Lync Front End must be able to resolve the DNS name of the MindLink server
  • Persistent Chat must be enabled in your Lync topology for Persistent Chat Room access; it is not required for IM only.

The above is the minimum specification that supports approximately 2000 concurrent sessions. The administrator may co-locate all versions of MindLink (Anywhere, WebPart, Mobile and Integrations) onto a single server; however, CPU, memory and disk resources will need to be scaled accordingly. Please contact our Support Team at support@mindlinksoft.com for assistance with capacity planning.

Prerequisite Software

Requirement                                           Version
.NET Framework                                        4.8
C++ Redistributable                                   2012, 2013
MindLink Server as Trusted Application on Front End   N/A
SSL Certificate                                       Locally or Publicly Signed
Microsoft SQL Server (for Server Pooling)             2012, 2014 and 2016

Download Prerequisite Software

The prerequisite software is readily available from the official Microsoft website:

.Net 4.8 https://dotnet.microsoft.com/download/dotnet-framework/net48
C++ Redistributable 2012 (for Lync 2013 and Prior) http://www.microsoft.com/en-us/download/details.aspx?id=30679
C++ Redistributable 2013 (for Skype for Business) http://www.microsoft.com/en-in/download/details.aspx?id=40784

.Net Framework Installation

.NET Framework

This pre-requisite is packaged as NDP47-KB3186500-Web.exe; it is recommended that this is installed on the MindLink Server first.
1 - Navigate to the location of the MindLink software installers and, within the Pre-Reqs folder, double-click the NDP47-KB3186500-Web.exe file

2 - When prompted, read and accept the license terms and click Install

3 - When prompted, click Finish

Microsoft Visual C++2012 or C++ 2013 Redistributable

C++ 2012

This pre-requisite is packaged as vcredist_x64.exe; it is recommended that this is installed on the MindLink Server second.
1 - Navigate to the location of the MindLink software installers and, within the Pre-Reqs folder, double-click the vcredist_x64.exe file

2 - When prompted, read and accept the license terms and conditions and click Install

3 - When the application is successfully installed, click Close.


Client Requirements

MindLink Anywhere:

  • Internet Explorer 10-11
  • Microsoft Edge
  • Latest Firefox
  • Chrome, Opera
  • Safari

MindLink Mobile:

  • Android OS 6.0 or above
  • Apple iOS 11 or above


Certificates

For both MindLink Anywhere and MindLink Mobile it is essential that you provide appropriate certificates with the correct attributes in order to utilize the web authentication feature in the MindLink Anywhere Management Center, and to adhere to Apple's ATS requirements.

It is also a mandatory requirement that the key length is 2048-bit, as by default this is the lowest key length supported by the authentication token mechanism.

Generating a Certificate

If you are using a publicly signed certificate, signed by a Certificate Authority such as GeoTrust or VeriSign, then it is suggested that you use the Lync Bootstrapper tool bundled as part of the Lync installation executable. If you are using a locally signed certificate then you will need to ensure that the certificate's Root CA is trusted on the end-user's device. A certificate is required in each of the following cases:

  1. If MindLink is being served over HTTPS, a client-facing certificate is required.

  2. The subject name must match the DNS name of the URL by which MindLink is accessed.

  3. The issuer must be trusted by all client machines - i.e. a public CA may be required if clients are accessing via the internet.

  4. A certificate is needed to perform MTLS with the Lync frontend servers.

  5. The subject name must match the FQDN of the server on which MindLink is hosted.

  6. The issuer must be trusted by the Lync frontend - i.e. an enterprise internal CA will be acceptable providing both Lync and MindLink servers trust the same CA.

Each server certificate must include:

  • EKU property for "Server Authentication"
  • A CRL distribution point
  • Subject name should be the FQDN of the server
  • Private key

The same certificate may be used for both roles only if the issuing CA is trusted by all client computers and by the Lync frontend server, and the DNS name on which MindLink will be accessed via HTTP is the same as the FQDN of the machine, or the certificate has SANs for both the public DNS name and the FQDN. These instructions are aimed at customers using an internally signed certificate.

1 - From the MindLink Server, Launch an instance of MMC (Start > Search 'mmc')

mmc

2 - Click File > Add /Remove Snap-In...

Console add/remove

3 - Click Certificates > Add > Computer Account > Next > Finish > OK

Snap ins

4 - Navigate to the Certificate folder within the Personal Store

Certificates

5 - Right-click in a blank area of the centre pane and select All Tasks > Request a New Certificate

Request certificate

6 - Click Next to begin the Wizard. Select Active Directory Enrollment Policy and click Next

Certificate enrollment

7 - Tick the Computer checkbox and click Enroll

Enroll

8 - Click Finish

9 - Right-click your newly created certificate and go to: All Tasks > Manage Private Keys. If this option is not available, the certificate has no private key and will not work.

Private Keys

10 - In the dialog box that appears, click Add, add permissions for the Service Account that will run MindLink, and click Check Names. This step is only required for the Email connector or Social connector; the other products will automatically assign the permission.

Permissions

11 - Click OK

12 - Ensure that the permissions are set to Full Control and click OK

Full Permissions
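As an added example (not part of the MindLink guide), a PowerShell check that a certificate in the computer's Personal store meets the requirements listed above: private key present, 2048-bit key, Server Authentication EKU, a CRL distribution point, a subject or SAN matching the expected name, and a chain this machine trusts. The function name and the thumbprint placeholder are assumptions.

```powershell
# Added example (not from the MindLink guide): checks a certificate in the
# computer's Personal store against the requirements listed above. Run on the
# MindLink server; the thumbprint below is a placeholder to replace.
function Test-MindLinkCertificate {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        # Name the certificate must carry: the server FQDN (MTLS to Lync) or the
        # public DNS name that clients use (HTTPS)
        [string] $ExpectedName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    )
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    $problems = @()

    # Private key must be present (step 9: no "Manage Private Keys" means no key)
    if (-not $cert.HasPrivateKey) { $problems += 'no private key' }

    # Key length: the authentication token mechanism needs at least 2048 bits (assumes RSA)
    $keySize = $cert.PublicKey.Key.KeySize
    if ($keySize -lt 2048) { $problems += "key length $keySize is below 2048" }

    # EKU must include Server Authentication (OID 1.3.6.1.5.5.7.3.1)
    if ($cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.1') {
        $problems += 'EKU lacks Server Authentication'
    }

    # A CRL distribution point extension (OID 2.5.29.31) must be present
    if (-not ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' })) {
        $problems += 'no CRL distribution point'
    }

    # Subject CN or a SAN entry must match the expected name; the Cert: provider
    # fills DnsNameList from both
    if ($cert.DnsNameList.Unicode -notcontains $ExpectedName) {
        $problems += "neither subject nor SAN matches $ExpectedName"
    }

    # Not expired and chains to a root this machine trusts; for MTLS the same
    # chain must also build on the Lync Front End
    if ($cert.NotAfter -lt (Get-Date)) { $problems += 'certificate has expired' }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        $problems += "chain not trusted: $status"
    }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Passed     = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

Test-MindLinkCertificate -Thumbprint 'REPLACE-WITH-THUMBPRINT'
```

Pass -ExpectedName explicitly when checking the client-facing certificate against the public DNS name rather than the machine FQDN.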


TLS

As of January 2017 Apple has stated that apps and the servers they talk to have to be ATS compliant, ensuring all traffic is encrypted. This means it is a pre-requisite that your Windows Server has been configured to use the TLS 1.2 protocol.

Manage ATS requirements (MindLink Mobile): for iOS 10.3+ devices, the initial callback on port 7074 must be HTTPS, so the service needs to be secured by an SSL certificate (see the Certificates section above).

Example for enabling TLS 1.2 on the MindLink Server:

  • This is one way to enable TLS 1.2, but please consult your local deployment administrators before proceeding.

The following link runs through how to set this up using the Registry Editor: https://technet.microsoft.com/en-us/library/dn786418%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396#BKMK_SchannelTR_TLS12
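As an added example (not from the MindLink guide or the linked Microsoft article), the same Schannel registry change driven from an elevated PowerShell session, with a read-back function so the state can be verified before and after the reboot. It also sets the .NET Framework values that make .NET services follow the OS TLS defaults; the function names are assumptions.

```powershell
# Added example (not from the MindLink guide): enables TLS 1.2 for Schannel
# (server and client roles) and tells .NET Framework applications to use the
# OS default TLS versions. Needs an elevated shell and a reboot to take effect.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$dotnet   = @('HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
              'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319')

function Set-Tls12Enabled {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($role in 'Server', 'Client') {
        $key = Join-Path $schannel $role
        if ($PSCmdlet.ShouldProcess($key, 'Enable TLS 1.2')) {
            New-Item -Path $key -Force | Out-Null
            # Enabled=1 turns the protocol on; DisabledByDefault=0 lets Schannel
            # offer it to applications that do not request a protocol explicitly
            New-ItemProperty -Path $key -Name 'Enabled' -Value 1 -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 0 -PropertyType DWord -Force | Out-Null
        }
    }
    foreach ($key in $dotnet) {
        # .NET 4.x services pick TLS 1.2 only when told to follow OS defaults
        if ((Test-Path $key) -and $PSCmdlet.ShouldProcess($key, 'Use OS TLS defaults')) {
            New-ItemProperty -Path $key -Name 'SchUseStrongCrypto' -Value 1 -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $key -Name 'SystemDefaultTlsVersions' -Value 1 -PropertyType DWord -Force | Out-Null
        }
    }
}

function Get-Tls12State {
    # Reports the registry values so the change can be verified (and audited)
    foreach ($role in 'Server', 'Client') {
        $key = Join-Path $schannel $role
        $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        [pscustomobject]@{
            Role              = $role
            Enabled           = $props.Enabled
            DisabledByDefault = $props.DisabledByDefault
        }
    }
}

Set-Tls12Enabled -WhatIf   # dry run; drop -WhatIf to apply, then reboot
Get-Tls12State
```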


Lync/Skype for Business

MindLink requires an existing Lync/SfB deployment in order to function. Before getting the MindLink Management centers installed and configured there are requirements that need to be in place.


Persistent Chat

Identify whether you have Persistent Chat enabled on your Lync/Skype for Business deployment.

Lync/SfB Administrator

An administrator can check the Topology of the installation and check if there is a Persistent Chat Pool created with at least one server in the Topology Builder tool.

pChat Topology

As an end User of Lync

Anyone within the organisation who may be Pchat-enabled will have this icon visible within the Lync/Skype client, allowing them to participate in Chat Rooms.

pchat enabled

Alternatively you can CTRL-SHIFT and Right-Click over the minimised tray icon of Lync/SFB to show Configuration Settings of the local client. The last line of output will show the value for pChat Enabled? which should be TRUE

Group Chat Disabled

As of 17.3 MindLink Mobile supports a Skype for Business/Lync topology that does not have PChat installed; this is achieved by enabling administrators and subsequently users to choose between modalities (if supported). Please note: this should be discussed during the planning phase.

Prerequisites:

  • Service account with read/write permissions to the preferences repository

  • Preferences repository stored locally or on a network drive. The default location for the local preferences repository is \Program Files\MindLink Software\MindLink Mobile\Connector Service\preferences. This can be changed to any local or network file location within the 'Lync/Skype for Business' tab of the MindLink Management Center.


Auto-Provisioning Requirements (Optional)

Lync 2013/SFB auto-provisioning is not necessary if you prefer to manually configure your Lync front end FQDN, but it allows auto-discovery in case the topology changes. Install the Lync Server Core Components from the Lync server ISO onto the MindLink Server:

  • Install or Update Lync Server System -> Install Local Configuration Store and Setup or Remove Lync Server Components
  • Enable Lync auto discover for DNS/SRV records , lyncdiscoverinternal. and sipinternal.
  • The MindLink service account must be a member of the 'RTC Component Local Group' local group.
  • Set the certificate

Setting the Certificate

1. Launch the Lync Server Management Shell, which will now be installed on the MindLink Server. On the Start menu, select All Programs > Microsoft Lync Server 2013, right-click Lync Server Management Shell and click Run as administrator.

2. In the Lync Server Management Shell, run the Set-CsCertificate cmdlet. In the following example, a certificate with a thumbprint of 14b04424b8316d90c72438dfefdf83d1fd917d39 is bound to the trusted application server, e.g. Set-CsCertificate -Type Default -Thumbprint 14b04424b8316d90c72438dfefdf83d1fd917d39


Trusted Application Pools

1 - Log onto the Front End Server

2 - Launch the 'Lync Server 2013/SfB Topology Builder'

3 - In the left tree pane, right-click on the 'Trusted application servers' folder

4 - Select the option 'New Trusted Application Pool...' from the context menu

5 - Add the FQDN of the server (e.g. server.domain.com) where MindLink Anywhere is installed

6 - Select 'Single computer pool' if MindLink Anywhere is installed on a single instance, or 'Multiple computer pool' if MindLink Anywhere is installed in a load balanced configuration

7 - Click the 'Next' button

8 - Select the next hop which will be the front end (for Standard Edition) or the pool (for Enterprise Edition), click the 'Finish' button

9 - Publish the topology with the changes you have just implemented

10 - Launch the 'Lync Server Management Shell' application and run the following command to create a trusted application:

New-CsTrustedApplication -ApplicationID <id> -TrustedApplicationPoolFqdn <fqdn> -Port <port>

e.g. New-CsTrustedApplication -ApplicationID MindLinkMobile -TrustedApplicationPoolFqdn mindlinkserver.domain.com -Port 4096

1 - ApplicationID: a string which describes the application; this can be anything that meets the syntax requirements (e.g. no spaces, no special characters).

2 - TrustedApplicationPoolFqdn: the FQDN of the trusted application pool that was just created above.

3 - Port: the listen port of the MindLink Server. Each product has its own default port to allow co-location. The default ports are:

  • MindLink API is 4096
  • MindLink Anywhere is 4097
  • MindLink Mobile is 4099

Lync server shell

11 - You will then be prompted to execute the Enable-CsTopology command to implement the changes. If the cursor moves to the next line without any errors, then the command has been executed successfully

12 - Launch the 'Lync Server Control Panel'

13 - Under 'Topology > Trusted Application' you should now see the application you just added. If it is not there, just click on the 'Refresh' button and it should appear

Lync 2013 control panel
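As an added example (not from the MindLink guide), the trusted application pool and one trusted application per co-located product created from the Lync Server Management Shell rather than Topology Builder, followed by a read-back of the published ports. The FQDNs are placeholders and the single-site lookup is an assumption; the ports are the MindLink defaults listed above.

```powershell
# Added example (not from the MindLink guide): shell equivalent of the
# Topology Builder steps above. Placeholders: the two FQDNs and the site.
$mindLinkFqdn  = 'mindlinkserver.domain.com'   # server hosting MindLink (placeholder)
$registrarFqdn = 'fepool.domain.com'           # next hop: Front End (Standard) or pool (Enterprise)
$siteId        = (Get-CsSite | Select-Object -First 1).SiteId   # assumes one site; select explicitly otherwise

# MindLink default listen ports, one trusted application per product
$defaultPorts = @{ MindLinkAPI = 4096; MindLinkAnywhere = 4097; MindLinkMobile = 4099 }

# 1. Single computer pool whose identity is the MindLink server FQDN. For a
#    load-balanced deployment, use the pool FQDN here and add each computer
#    with New-CsTrustedApplicationComputer.
New-CsTrustedApplicationPool -Identity $mindLinkFqdn -Registrar $registrarFqdn -Site $siteId

# 2. Register each co-located product on its own port so they do not collide
foreach ($app in $defaultPorts.GetEnumerator()) {
    New-CsTrustedApplication -ApplicationId $app.Key `
        -TrustedApplicationPoolFqdn $mindLinkFqdn -Port $app.Value
}

# 3. Publish the change (step 11 above) and confirm what the Front End now trusts
Enable-CsTopology
Get-CsTrustedApplication |
    Where-Object { $_.TrustedApplicationPoolFqdn -eq $mindLinkFqdn } |
    Format-Table Identity, Port, Enabled
```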


Conversation History

Enabling Server Side Conversation History (up to Server 17.2)

When the Skype for Business Server Side Conversation History feature is enabled, a user's IM history can be exported from MindLink to the user's Conversation History folder using Exchange. In order to use this feature in conjunction with MindLink, the following minimum pre-requisites must be met.

  • Server Side Conversation History is supported by MS Exchange 2013 or above
  • Server Side Conversation History is supported by Skype for Business 2015 server or above.
  • MindLink Anywhere and MindLink Mobile version needs to be 17.1 or above.
  • Integration between Skype for Business 2015 or Skype for Business 2019 and MS Exchange needs to be enabled by creating an OAuth partnership between these applications.
  • Server Side Conversation History needs to be enabled in your Skype for Business environment.

After enabling the above, the MindLink administrator simply needs to enable conversation history through the management tool, by clicking the checkbox, save the configuration and restart the MindLink service. Please consult the administration guide for more details.

Enabling Conversation History (Skype for Business)

For conversation history to be saved to the user's Conversation History folder within Exchange, the following minimum criteria need to be met.

  • Server Side Conversation History is supported by MS Exchange 2013 or above.

  • Server Side Conversation History is supported by Skype for Business 2015 server or above.

  • Server Side Conversation History is supported by Skype for Business Online.

  • MindLink Anywhere and MindLink Mobile version needs to be 17.1 or above.

  • Integration between Skype for Business 2015/Skype for Business 2019 and MS Exchange needs to be enabled by creating an OAuth partnership between these applications. A guide to creating this integration can be found here: https://technet.microsoft.com/en-us/library/jj688151.aspx?f=255&MSPPError=-2147217396

  • Server Side Conversation History needs to be enabled in your Skype for Business environment. Documentation to enable this setting can be found here: https://technet.microsoft.com/en-us/library/dn985897.aspx


Skype for Business Online Configuration

Compatibility:

  • Multiparties are compatible with SfBO

  • Conversation history is compatible with SfBO

In Windows PowerShell, change the directory to either the MLA or MLM directory:

For Anywhere - Set-Location -Path "C:\Program Files\MindLink Software\MindLink Anywhere\ManagementTool"

For Mobile - Set-Location -Path "C:\Program Files\MindLink Software\MindLink Mobile\ManagementTool"

The command below imports the Skype for Business Online module:

Import-Module ".\SkypeForBusinessConfigurationModule.psm1"

The management tool will need to be saved with group chat disabled after importing the Skype for Business Online module.

Enable-MlSfboConnector - This enables an SfBO connection to the server

Get-MlConnectorConfiguration - This will display what connection has been configured.

The command will need to be copied and pasted into the MindLink.Core.host.exe file in the directory MindLink Software\MindLink Anywhere\Connector Service, under the O365 settings:

  <add key="connector.sfbo.applicationid" value="1e468961-eb5a-433d-b541-301226afaf72" />
  <add key="connector.sfbo.autodiscoveryurl" value="https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root" />
  <add key="connector.sfbo.authenticationcontexturltemplate" value="https://login.windows.net/{0}" />
  <add key="connector.sfbo.clientsecret" value="RFMyug51XBPsMa1Tj4AhbbLOoj5Ooa73jZMMNA5Vxwc=" />
  <add key="connector.sfbo.commonoauthendpointurl" value="https://login.windows.net/common/oauth2/token?x-client-Ver=2.2.5" />
  <add key="connector.sfbo.microsoftapplicationid" value="d3590ed6-52b3-4102-aeff-aad2292ab01c" />
  <add key="connector.sfbo.oauthurltemplate" value="https://login.windows.net/{0}/oauth2/token" />
  <add key="connector.sfbo.tenantname" value="mindlinkdev.onmicrosoft.com" />
  <add key="connector.sfbo.exchangeservicesurl" value="https://outlook.office365.com/ews/Exchange.asmx" />

Reset-MlConnectorConfiguration - This resets the connection back to Skype for Business On Premise


Configuring Add-in proxies.

In an enterprise environment, it is often not the case that MindLink Anywhere and any Client Add-Ins will be served from the same physical machine. Hence, they will be served from different domains/ports, and so Client Add-In/MindLink Anywhere communication will be forbidden by the browser's same-origin policy. The use of a reverse proxy is therefore required to multiplex requests to MindLink Anywhere and to any configured Client Add-Ins onto the same domain. This can be achieved by configuring the reverse proxy with forwarding rules based on the relative path of the incoming HTTP request. The reverse proxy is not a component of MindLink Anywhere and must be sourced from a third-party vendor.

It may also be the case that a Client Add-In's URL as loaded by Group Chat Console clients is not that which is exposed by the MindLink Anywhere reverse-proxy. In this case, the Add-In should be configured using the Group Chat MindLink Management Center as the URL that the Group Chat Console should load. MindLink Anywhere should then be configured using the add-in re-write rules configuration key, to convert the Add-Ins URL into the URL that the reverse-proxy exposes it as.

The add-in re-write rules configuration setting is a set of key/value pairs. The "key" is a regular expression to test any Client Add-In URLs against. If the regex matches, the Client Add-In URL is transformed using the "value" string. The value string supports regex style group placeholders (e.g. $1) to re-use elements of the original matched URL.

For instance: to re-write an internal Client Add-In URL of:

  • http://addins.MindLink.net/ to the external address of http://MindLink Anywhere.MindLink.net/addins/

the regular expression would be http://addins.MindLink.net/(.*), and the replacement would be http://MindLink Anywhere.MindLink.net/addins/$1. In the MindLink Management Center, this would be typed in the add-in re-write rules config box as:

  • http://addins.MindLink.net/(.*), http://MindLink Anywhere.MindLink.net/addins/$1;

Note that the literal special characters in the regular expression "key" string are escaped with a backslash.

An example Client Add-In configuration is shown below.

Figure 113: Example proxy and MindLink Anywhere configuration

A check box can also be used to disable Client Add-In support across the whole system in all chat rooms, if needed.


Secure Deployment

The following diagram shows the configuration necessary for a secure deployment. We make the following assumptions:

The Challenge Response Service and Host Identification Service listen on the same port.

Security on the File Transfer Service, Socket Service and MDS push communication is either globally enabled or disabled.

The same certificate is used to secure the Socket Service and the File Transfer Service.

Figure 18: Secure Deployment for Android

Figure 19: Secure Deployment for iPhone

The management centre is used to configure the socket service port, the port of the file transfer web service, and the shared port of the Challenge Response Service and Host Location Service.

By default, the management centre configures the socket service host name as the FQDN of the server. This value is customizable in the management centre if the organization's network infrastructure is set up so that clients make connections to a different address.

If security is enabled, the certificate used to secure the file transfer service and socket service must also be configured. The subject must be the host name of the broker service, and it must be issued by an authority trusted by the device.

  • The relative paths of each HTTP service are hardcoded constants.

  • The Host Location Service returns the details of the socket service and Challenge Response Service to the device.

File download links are sent in-band with the chat history as direct download links to the file transfer service. Hence, the client must only be configured with the load-balanced URL of the Host Identification Service.

HTTP Proxy

Given that the client connects to the proxy and not directly to the hostname, port or even potentially the relative path of the actual broker service when using an HTTP proxy, the actual URLs to connect to must be made configurable.

Since the client connects to the URL in its own IT policy or local configuration for the Host Location Service, only the URLs of the Challenge Response Service and the File Transfer Service must be configured on the server via the management centre/app config.

Figure 20: HTTP Proxy Configuration for iPhone

  • The Challenge Response Proxy URL and File Transfer Proxy URL are configured on the server via the management centre/app config.

  • The proxy URL of the Challenge Response Service is sent to the client in the response from the Host Location Service.

  • The File Transfer Proxy URL is used to form file download links sent to the client in messages.

Note: the security protocol on the proxied URLs is not necessarily linked to whether security is enabled on the server, as the HTTP proxy may be configured to perform HTTPS communication and/or offloading between itself and the client, or itself and the Mobile Broker.

The client is configured with the proxied URL of the load balanced Host Location Service.


Profile Pictures (18.6+)

As of 18.6 MindLink supports user profile pictures. These will be displayed in the web client and can be configured through several sources.

Sources

User photos in SfB/Lync can be specified in three ways:

  • URL
  • Exchange
  • Active Directory

MindLink will attempt to resolve a user's photo in the order that these types are listed, so if you have a photo set in Exchange and have also configured a user photo image URL through the native client, the URL image will be shown in MindLink.

Setting User Photos in MLA (18.7+)

  • MindLink Client

MindLink also offers the ability to set your user photo directly through the client. This feature is provided by Exchange Server (version 15.1 and above), which must be configured correctly to work alongside MindLink.

When a user uploads a new user photo from the client, the MindLink server acts on their behalf using its service account domain credentials to authorize a request against the Exchange Web Services. This single Active Directory service account is therefore responsible for accessing Exchange information for all users, and as such, requires special elevated permissions.

Exchange administration is restricted by Role-Based Access Control (RBAC), a system whereby rights to certain administrative operations and features are defined by distinct "management roles" and granted to users/groups in Active Directory either directly, via a Universal Security Group or via a role group assignment.

Exchange installs with a large set of pre-defined roles out-of-the-box; these typically cover all the different access scenarios administrators are likely to require.

One such role is the Mail Recipients role which includes (but is not limited to) the following entry:

  • SetUserPhoto

It is also configured with the appropriate scopes that MindLink requires to access all user accounts across the organization. For the simplest way of granting these permissions, you can assign this role directly to the service account user:

  • New-ManagementRoleAssignment -Role "Mail Recipients" -User "YourServiceAccountName"

The preferred approach would be to create a new admin role group, assign the role, and then add the service account as a member of the group. This can be easily achieved through the Exchange Admin Center. If you already have MindLink configured with Exchange to enable private conversation history then you may already have created a new admin role group to apply the ApplicationImpersonation role to the service account. If this is the case, then you can simply add the Mail Recipients role to this group too; otherwise, create a new role group.

The Mail Recipients role comes with a lot of other entries that aren't directly relevant to configuring user photos. If security is a consideration, then it may be desirable to restrict the service account's access to only those commands that are directly relevant. This can be done quite easily by creating a new management role that only contains the role entry above. We can do this by "cloning" the Mail Recipients role and removing all other role entries:

  • New-ManagementRole -Name "Set User Photos" -Parent "Mail Recipients"
  • Get-ManagementRoleEntry "Set User Photos\*" | Where {$_.Name -NotLike "SetUserPhoto"} | Remove-ManagementRoleEntry

We now have a new management role "Set User Photos" with all the same scopes as Mail Recipients but that only contains the entry relevant to configuring user photos. This should be assigned to the service account using either of the methods described previously.
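As an added example (not from the MindLink guide), the least-privilege path end to end in the Exchange Management Shell: clone the role, strip it to SetUserPhoto, assign it through a role group rather than directly to the user, and verify that the role really contains a single entry. The account and group names are placeholders.

```powershell
# Added example (not from the MindLink guide): least-privilege role for the
# MindLink service account, built and verified in the Exchange Management Shell.
$serviceAccount = 'svc-mindlink'                 # placeholder: the MindLink service account
$roleName       = 'Set User Photos'
$roleGroup      = 'MindLink Service Accounts'    # placeholder: admin role group

# 1. Clone Mail Recipients (keeps its organization-wide scopes) and drop every
#    entry except SetUserPhoto, so the account cannot run the rest of the role
if (-not (Get-ManagementRole -Identity $roleName -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $roleName -Parent 'Mail Recipients' | Out-Null
    Get-ManagementRoleEntry "$roleName\*" |
        Where-Object { $_.Name -ne 'SetUserPhoto' } |
        Remove-ManagementRoleEntry -Confirm:$false
}

# 2. Assign through a role group instead of directly to the user, so the grant
#    is visible and reviewable in the Exchange Admin Center
if (-not (Get-RoleGroup -Identity $roleGroup -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $roleGroup -Roles $roleName -Members $serviceAccount | Out-Null
} else {
    # Existing group (e.g. the one already holding ApplicationImpersonation)
    New-ManagementRoleAssignment -Role $roleName -SecurityGroup $roleGroup | Out-Null
    Add-RoleGroupMember -Identity $roleGroup -Member $serviceAccount
}

# 3. Verify: exactly one entry must remain, and the service account must show
#    up as an effective user of the role
$entries = @(Get-ManagementRoleEntry "$roleName\*")
if ($entries.Count -ne 1 -or $entries[0].Name -ne 'SetUserPhoto') {
    throw "Role $roleName contains unexpected entries: $($entries.Name -join ', ')"
}
Get-ManagementRoleAssignment -Role $roleName -GetEffectiveUsers |
    Format-Table Role, RoleAssigneeName, EffectiveUserName
```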


Mobile Autodiscovery (17.6+)

DNS requirements

As of 17.6 it is possible to configure your mobile deployment to accept users' domain email addresses, e.g. test1@testdomain.local, as a means of initialising against a MindLink Mobile deployment. However, there are a few pre-requisite steps, discussed below, to make this possible. Firstly, ensure that a CNAME (alias) record is set up in your forward lookup zone.

Once this is done you will want to choose a target host. This will be the server hosting the MindLink Mobile service.