Anywhere Management Center
Configuration Sections
The MindLink Management Center loads with the logging configuration as its default page. The user can navigate through the different configuration settings using the navigation tree, which includes the following configuration sections:
Licence
The licence page ensures that the products you are using are supported by MindLink and that only the correct products (as stated by contract) are in use. Once you install a product's management center, the License tab will be the first tab you see. Each management center requires a valid license file to be provided.
License File
The Browse for license file... button opens a file browser window, from which you select the licence file provided during your purchase of the MindLink product(s); this is the file you received in correspondence with your account manager.
Once the file is selected the details will populate as long as the license is valid.
License errors: If the license is not accepted, an error message indicates the cause of the issue. Please contact your account manager to receive a current license as part of contract renewal.
License Details
Selecting a valid license file will populate the details section with the license information.
License holder: This field specifies the Company name the license is issued to and also the product owner at the time of purchase.
Expiry date: The date the product expires. Once this date has passed (a grace period is built in), the product will cease to function.
Details: This field contains the product(s) that the license has been issued for. MindLink will not run with an incorrect product license (a single license can be issued for multiple products).
Enabled users
This capacity is based on the number of users who could log on, rather than the current number of users logged on.
The system periodically checks the number of users who could log on and starts rejecting new logins if it sees that the number of hypothetical users is larger than the licensed capacity.
Logging
The logging section enables the user to configure the logging level as well as the log file location for the Connector Service.
Please note that logging on the Connector Service is performed using the Microsoft Enterprise Library Logging Application Block.
MindLink Server
Logging Level
The logging level can be set to one of the following:
- Error level - Error class events
- Warning level - Warning class events (Recommended)
- Info level - Info class events
- Verbose level - All class events
The log file location can be set by clicking the Browse button, where an absolute path to a new log file location can be chosen, or you can manually edit the field to a path relative to the Connector Service install location.
The account used to run the Connector Service must have write access to the install location of the product in order to log to the rolling log file. By default, the file can be found at %ProgramFiles%\MindLink Software\MindLink Application\ConnectorService\Logs\Connector.log
Enable audit logging: enables audit logs for every user interaction on the chat system.
Add advanced logging configuration to record user logins in a separate file: the Advanced tab allows key/value pairs to be used to configure additional logging functionality; see the Advanced section for details.
General
The General section lets the user configure the general settings that will be applied to the Connector Service.
Information Service
Information service port: The port number used when behind a load-balancer to provide a service heart-beat. The port can be tested with http://{server}:9007/InfoService/Status
File Transfers
Maximum concurrent downloads: The maximum number of allowed concurrent file download requests.
If an attempt is made to download a file when the number of active file downloads to the server is equal to the number specified, the download will fail with an error indicating that the server limit is currently exceeded and to try again later.
Maximum concurrent uploads: The maximum number of allowed concurrent file upload requests.
If an attempt is made to upload a file when the number of active file uploads to the server is equal to the number specified, the upload will fail with an error indicating that the server limit is currently exceeded and to try again later.
Maximum file size for file uploads: If the configured connector supports file posting, the maximum size of files in kilobytes allowed to be uploaded.
If an attempt is made to upload a file that is larger than the specified size, the server will return an error indicating that the file is too large to upload.
Features
Enable instant messaging: When set, allows connected clients to use one-to-one messaging. When not checked, user presence will not be published, instant messaging will be disabled, and the client will be limited to group messaging functionality. Any client that exposes instant messaging functionality when instant messaging is disabled will receive failure notifications from the server when an attempt is made to use such functionality.
MindLink requires at least one chat modality - instant messaging or group chat - to be enabled.
Enable group chat: When set, allows connected clients to use group chat. When not checked, group chat preferences are not loaded and users will not see any groups or chat rooms to which they are subscribed in their contacts list nor will they be able to search for and add groups.
MindLink requires at least one chat modality - instant messaging or group chat - to be enabled.
Allow user to disable instant messaging: When set, allows users to specify whether they want to log on with or without the instant messaging capability enabled on their web or mobile client. When not checked, users will not be able to choose to enable/disable instant messaging upon login and the setting will default to the configuration in the management center.
Allow user to disable group chat: When set, allows users to specify whether they want to log on with or without the group chat capability enabled on their web or mobile client. When not checked, users will not be able to choose to enable/disable group chat upon login and the setting will default to the configuration in the management center.
Enable file transfers in 1-1 conversations - Allows users to upload files into IM conversations. This functions the same as file uploads into Group Chat conversations, supporting most file formats. Images, Text files, PowerPoint, videos, Excel files and .PDF files are all supported, among other file types. Any file upload must comply with the size restrictions configured in the File transfers section above.
Enable audio calls - Enables audio calls in MindLink. The call option will be available in IM conversations, as one-to-one calls, and in Multiparty conversations as a conference call. Both call types are cross-platform compatible with the native Skype for Business clients.
More information can be found on the Voice Troubleshooting page.
Enable setting profile pictures - Allows user to set profile pictures in the web client.
Users can add, change or remove profile pictures through the MindLink client itself. This functionality must be enabled in the management tool first and allows a user to make changes from their contact card. When configured, an 'Upload photo' button is shown on the contact card.
When not checked, profile pictures can be viewed in the MindLink client, but users are not able to set a profile picture.
Message Constraints
Maximum message length: The number of characters that a single message can include.
If an attempt is made to send a message that is longer than the specified length, the server will not send the message and an information message will appear in the server logs.
Maximum story length: The maximum number of characters that a single story can include.
If an attempt is made to send a story that is longer than the specified length the server will not send the story and will return an error indicating that the story exceeded the allowed story length.
Add-Ins
These are special panels that appear below the chat input panel in chat rooms. The system administrator configures which panel appears in which chat room using the Group Chat Administration Tool.
Client Add-Ins are actually web pages hosted inside the Group Chat Console client, which communicate with the parent window using JavaScript.
MindLink Anywhere hosts each Client Add-In inside an HTML IFRAME element within the MindLink Anywhere page. The Client Add-In can communicate with MindLink Anywhere using the same JavaScript calls as in the Group Chat Console client.
However, to enable this communication to happen, both MindLink Anywhere and the Client Add-In page must be served from the same domain and port address. This is a standard security requirement enforced by all browsers.
For instance, if MindLink Anywhere is served from http://www.MindLink.net/MindLink Anywhere, then for any Client Add-In to be shown in MindLink Anywhere it must also be served from a relative path on http://www.MindLink.net e.g. http://www.MindLink.net/myclientaddin
In an enterprise environment, it is often not the case that MindLink Anywhere and any Client Add-Ins will be served from the same actual machine. Hence, they will be served from different domains/ports and Client Add-In/MindLink Anywhere communication will be forbidden. A reverse proxy is therefore required to mux requests to MindLink Anywhere and to any configured Client Add-Ins onto the same domain. See the Prerequisites page for configuring Add-In proxies.
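The same-origin rule above and the reverse-proxy muxing, as an added example (not MindLink's code): the internal host names in PROXY_ROUTES are constructed placeholders, and the routing table is a sketch of what the proxy in the Prerequisites page does.

```javascript
// Added example (not MindLink code): the browser rule that blocks Add-In <->
// MindLink Anywhere scripting across origins, and a sketch of a reverse proxy
// that places both under one public origin. Internal host names are
// constructed placeholders.

// Browsers compare scheme, host and port (the "origin"); the path is not part
// of the comparison, and an implicit default port (80/443) equals an explicit one.
function sameOrigin(parentUrl, addinUrl) {
  return new URL(parentUrl).origin === new URL(addinUrl).origin;
}

// Hypothetical reverse-proxy table: a public path prefix is forwarded to the
// internal machine that really serves it.
const PROXY_ROUTES = [
  { prefix: "/MindLink Anywhere", backend: "http://mla-host.internal:9080" },
  { prefix: "/myclientaddin", backend: "http://addin-host.internal:8080" },
];

// Return the internal URL a public request is forwarded to, or null when no
// route matches. The longest matching prefix wins; "/myclientaddinX" does not
// match "/myclientaddin".
function routeRequest(publicUrl, routes = PROXY_ROUTES) {
  const url = new URL(publicUrl);
  const path = decodeURIComponent(url.pathname);
  const match = routes
    .filter((r) => path === r.prefix || path.startsWith(r.prefix + "/"))
    .sort((a, b) => b.prefix.length - a.prefix.length)[0];
  if (!match) return null;
  const rest = path.slice(match.prefix.length) || "/";
  return new URL(rest + url.search, match.backend).href;
}

// Served directly from two machines: the browser blocks the Add-In's calls.
const direct = sameOrigin(
  "http://www.MindLink.net/MindLink Anywhere",
  "http://addin-host.internal:8080/myclientaddin",
);

// Served through the proxy: both public URLs share an origin, while the proxy
// still routes each to its own backend.
const proxied = sameOrigin(
  "http://www.MindLink.net/MindLink Anywhere",
  "http://www.MindLink.net/myclientaddin",
);
```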
Skype for Business
The Adaptor section manages the selection of the underlying chat system to which to connect and the infrastructure DNS servers that define the chosen platform.
Topology
Server Version: Select the chat platform from the dropdown: Skype 2015 or Skype 2019.
Autoprovision server information: Enables auto-detection of the Front End Server. This allows the server to detect any server changes within the topology and automatically configure the new servers.
Autoprovisioning application ID: Enter the Application ID of the trusted application on the Front End. Only required if 'Autoprovision server information' is enabled.
Local Server Name: Manually enter the FQDN of the local machine, if autoprovisioning will not be utilised.
Next hop connection
Server Name: Manually enter the FQDN of the Skype for Business front end or pool server. Only required if autoprovisioning is not used.
Trusted Application Server
Server/Listen Ports: The default communication port for Skype used by the Front End Server to listen on when using trusted authentication.
- MindLink Anywhere => 4097
Platform Certificate: The certificate to use for establishing an MTLS connection with the Skype for Business server.
Persistent Chat
Explicit: Explicit connections involve specifying particular chat pools in the management tool. Only users within those specified persistent chat pools can log in. A single chat pool can be specified in the Default Persistent Chat pool endpoint address field. Multiple chat pools are specified by clicking the Connect to multiple Persistent Chat pools checkbox. Entries added to the table can be removed by pressing the Delete key.
Auto provision: Auto-provisioned connections allow users to log in as any user located on the persistent chat pools configured on the server. The user does not need to specify any of the configured chat pools to log in as users located on them.
Auto Provision Group Chat Information: Automatic discovery of the lookup address for querying Group Chat. Use this option to look at multiple chat pools.
Default Persistent Chat pool endpoint address: Manually enter the lookup address for querying Group Chat. This is the address created upon activation; use Get-csPersistentChatEndpoint to identify.
Connect to Multiple Persistent Chat pools
Users can connect to multiple persistent chat pools. This allows users to join chat rooms that are located on any of the specified persistent chat pools - within the limits of membership and permissions.
Troubleshooting
Use untrusted connection: Used to debug the communication protocol and transport mechanism during debug mode.
Disable transport: The transport type (e.g. TLS or TCP) between the Connector Service and the SfB pool during debug mode.
Authentication Protocol: Domain protocol set to either NTLM or Kerberos.
Conversation History
Conversation History: Enable conversation history saving and loading.
Preferences
Preferences: Sets the file repository for saving local preferences.
Private File Transfers
Private file transfer cache: The directory where private file transfer cache folders are kept.
Sessions
Session timeout: Sets the timeout for MindLink Anywhere. The MindLink client is set to an idle/away status once it has been disconnected from the network for the configured time.
Active Directory
LDAP Connections
Autodiscover global catalogue
Skype for Business forest name: Select the forest in which the platform is installed; this is the base for AD operations on users.
Server name: Manually enter the FQDN of the LDAP server if Auto-Discover does not detect it correctly.
Use default port: Use the default port number of the Global Catalogue (3268) to look up user SIP addresses from Active Directory.
Port number: Enter a custom port number to look up user SIP addresses from Active Directory.
Timeout (seconds): Specify the time interval in seconds for Active Directory queries.
Use default naming context: Auto-discover the name of the root context of the directory. Use this if membership is not restricted.
Naming context: Manually enter the full OU path if users are to be restricted to this AD OU object.
Authentication
Search filter: Must be configured; the filter is responsible for retrieving a SIP address for a user from Active Directory.
Default user domain: The default domain that will be used if a user does not specify a domain in their user name when logging on.
Restrict usage to members of a group: Only members of the selected AD group are able to log in.
Restricted group distinguished name: Select the group from the dropdown (start typing the name to dynamically list matches) if users are to be restricted to this AD group.
Exchange
Administrators can explicitly configure how the Exchange server is resolved.
Exchange Web Services settings
Autodiscover Exchange Web Services: Enable to automatically discover the Exchange server for a user's email address.
Exchange Web Services URL: Manually provide the Exchange server URL.
Use default Exchange autodiscover URLs: When enabled, the default Exchange autodiscover URLs will be used, as recommended by the Exchange installation.
Exchange autodiscover URLs: Manually enter the Exchange autodiscover URLs. A list of well-known URLs can be added and the management center will attempt to resolve the Exchange server name based on them.
Call routing
This section is for configuring connections to STUN/TURN servers for voice call routing.
Group Aliases
When enabled, per-room aliases can be set in chat rooms. This will replace the user name with a custom name of up to 50 characters. The user's actual name will still show below their alias name in smaller, grey text.
Enable group aliases: This enables aliases in chat rooms.
Database connection string: Configure the connection string with the following syntax: Server=FQDN SQL server; Initial Catalogue=SQL catalogue; Integrated Security=SSPI
or if you wish to use a Failover SQL partner you could use the following syntax: Server=FQDN SQL server; Failover Partner=FQDN SQL partner; Initial Catalogue=SQL catalogue; Integrated Security=SSPI
Override credentials for this operation: If the user running the management center does not have sufficient SQL permissions, these can be overridden with a set of credentials that have sufficient permissions, provided by your SQL administrator.
After adding the credentials for the user, the connection to the database will need to be tested. The management center will display an error if the configuration is incorrect.
Test the connection: To check the validity of the SQL database connection string and the override credentials, select 'Test'. The following steps may differ and as such are outlined in the two scenarios listed below.
Once the database connection has been tested successfully, the MindLink service can be started.
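A checker for the connection-string syntax given above, as an added example (not MindLink's code): it parses the key/value pairs and reports what the management center's own test would reject. The server and catalogue names in the samples are constructed placeholders.

```javascript
// Added example (not MindLink code): parse a connection string written in the
// syntax given for the Group Aliases database and check it before saving.

// Keys used by the page's syntax; connection-string keys are case-insensitive.
const REQUIRED_KEYS = ["server", "initial catalogue", "integrated security"];
const OPTIONAL_KEYS = ["failover partner"];

// Constructed sample strings following the two syntaxes on the page.
const SAMPLE_SINGLE =
  "Server=sql01.corp.example; Initial Catalogue=MindLinkAliases; Integrated Security=SSPI";
const SAMPLE_FAILOVER =
  "Server=sql01.corp.example; Failover Partner=sql02.corp.example; " +
  "Initial Catalogue=MindLinkAliases; Integrated Security=SSPI";

// Split "Key=Value; Key=Value" into a Map of lower-cased key -> value.
// Throws on a segment without "=" or on a repeated key.
function parseConnectionString(text) {
  const pairs = new Map();
  for (const segment of text.split(";")) {
    if (segment.trim() === "") continue; // tolerate a trailing ";"
    const eq = segment.indexOf("=");
    if (eq < 0) throw new Error(`segment without '=': "${segment.trim()}"`);
    const key = segment.slice(0, eq).trim().toLowerCase();
    const value = segment.slice(eq + 1).trim();
    if (pairs.has(key)) throw new Error(`duplicate key: ${key}`);
    pairs.set(key, value);
  }
  return pairs;
}

// Return a list of problems; an empty list means the string is acceptable.
function validateConnectionString(text) {
  let pairs;
  try {
    pairs = parseConnectionString(text);
  } catch (e) {
    return [e.message];
  }
  const problems = [];
  for (const key of REQUIRED_KEYS) {
    if (!pairs.get(key)) problems.push(`missing ${key}`);
  }
  // The page's syntax authenticates as the service account (SSPI), so no
  // password is stored in the configuration; anything else is flagged.
  if (pairs.has("integrated security") &&
      pairs.get("integrated security").toUpperCase() !== "SSPI") {
    problems.push("integrated security must be SSPI");
  }
  // Keys outside the documented syntax (including Password/Pwd) are reported
  // so they are not saved by accident.
  for (const key of pairs.keys()) {
    if (!REQUIRED_KEYS.includes(key) && !OPTIONAL_KEYS.includes(key)) {
      problems.push(`unrecognised key: ${key}`);
    }
  }
  return problems;
}
```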
Translation
Message translation is an optional feature that allows users to translate messages in a conversation from any foreign language into their target language, which they configure on the Logon page.
Enable translation: activates the translation configuration in the following section.
Translation service
Translation service-based URL: This is the URL of the translation service you are using.
API key: This is the key to your translation service used to provide the functionality.
API key HTTP header name: This is the HTTP header name for the API key.
Configuring message translation will show the language picker on the log in page. From here users can select their language preference from the languages provided by the translation service.
Custom Preferences
The administrator is able to keep a repository of user preferences. This enables the continuation of preferences across group chat sessions. This also allows for the ability to read preferences across nodes.
An example of such a deployment could be a file share across a network. This allows an administrator to store preferences across multiple machines within a network (if required) meaning that changes made on one machine persist across multiple nodes when the same file store is referenced. In this sense, preferences can be stored cross-site.
Custom preferences repository location: The path the preferences are written to; this can be any location that can be read and written, including across the network. If you don't know where to put it, the MindLink install directory can be used, as shown in the screenshot.
Test: A button that tests access to the path. If the referenced path is not accessible, either (a) change the location (if it is invalid) or (b) grant access rights to the service account running MindLink Anywhere, which is a prerequisite for using the custom preferences repository. If successful, the message "Custom preferences repository location is available" is shown.
Also worth noting is the possibility of having preferences persist during an outage, such as in an active-passive disaster recovery scenario. If two machines are connected properly and preferences are shared, then in the event that machine 1 fails, machine 2 can pick the preferences up without any outage on the user side. Please note that a batch job would have to be set up to facilitate this transfer of preferences across the machines.
Content classification
Content classification settings
Enable conversation and message classification: The master setting used to enable/disable classification functionality.
Scheme file path: The path to the Classification schema .XAML file
Attribute mapping file path: The path to the user attributes mapping .XML file
Enable global classification banner: When enabled, a banner is displayed at the top and bottom of the MLA client, displaying the user's highest attribute clearance level.
Enable default classification: A default classification pre-populates the classification builder with the configured attributes. Without a default classification set, users will need to select a classification from the picker before being able to send a message.
Default marking IDs: ID(s) of attribute(s) are configured and will be used as the default classification for the picker when users have not already set their own classification.
Test Harness
The test harness allows a test file to be run, returning success and failure results of the configuration.
The XML you provide will be run against the classification system to return results.
Tests Source
Tests file location: The path to the test XML file; the Browse button allows a file to be selected.
Execute tests: Runs the XML tests and returns the results.
Test Results
Here, results from the XML are returned. A pass/fail result will be shown against each test.
Community of Interest
Enable communities of interest: This setting enables/disables communities of interest.
Attribute name: This is where attributes are defined.
Metadata configuration file path: Path to the CommunitiesOfInterestConfig.xml
IM Ethical Wall
Enable instant messaging ethical wall: This setting enables/disables the ethical wall.
Ruleset configuration file path: Path to the EthicalWallConfiguration.xml
User attributes provider
Server settings
Pre-v23.2
- Server URL: The server URL needs to follow the format https://authorizationserver.net:8443/api/entity/{0}&issuerDN={1}&abbreviate=false&specification=Sept2020
v23.2+
- Server URL:
  - When the "User attribute provider type" is set to HWAC, the server URL needs to follow the format https://attribute.service.com:8443/api/entity/{0}&issuerDN={1}&abbreviate=false&specification=Sept2020
  - When set to SLAM, the server URL needs to follow the format https://attribute.service.com:8443/rest/v3/users/{dn}/infoplus
User attribute provider type: Determines the type of attribute service being used.
Client certificate: The client certificate required to authenticate against the Attribute Server.
Cache settings
Disable caching: Disables caching of user attributes.
Cache timeout (minutes): If caching is enabled a timeout interval can be configured.
Attribute based access control
Enable attribute-based access control: This setting enables/disables the ethical wall.
Attribute name: Attribute names are specified here.
Attribute value: Attribute values are specified here.
Advanced
You can add debug keys (such as for configuring Exchange Online or enabling pre-release features) and you can also override existing configuration values. A key requires a value, creating a key/value pair. Some configuration changes require several dependent key/value pairs to complete the configuration, such as the "record user logins in a separate file" scenario below.
Custom Settings
Configuration Key | Configuration setting value
---|---
global.message.maxlength | 200
Notes when using custom settings:
- Custom key/value pairs are configured
- Invalid keys cause the host to crash
- Rows are mutually exclusive: while some changes require multiple key/value pairs to get set up, you can add other keys on rows above/below
Add advanced logging configuration to record user logins in a separate file
Several debug keys can be applied that make the authentication flow log with a context and report authentication success/failure:
- The identity that was authenticating
- The success/failure result
- The reason for the failure
Copy the key/value pairings into the Advanced configuration table to set up your deployment to use a separate file that filters authentication requests. Your Advanced tab should look like this:
After saving and starting the service, a log file that outputs authentication results is created and utilised in a default path (C:\Program Files\MindLink Software\MindLink Anywhere\logging.log).
MindLink Anywhere
This section manages MindLink Anywhere settings that affect the way the web client is hosted and displayed to a user.
Server
Web client port number: The port number at which the web client will be available. For example, if the port number is 9080 and HTTPS is enabled, then navigating to https://{fqdn}:9080/ will display the web client.
Use HTTPS: When set, hosts the web client over HTTPS. A valid certificate must be specified in order for the configuration to save successfully.
Certificate: A valid certificate must be specified in order for the configuration to save successfully.
Base Path: Text appended to the URL, i.e. https://FQDN:port/yourbasepath.
Session Timeout: The session timeout period assigned to manage the session when long polling stops.
Long Polling Session Timeout: Defines when long polling will stop.
Disconnect grace period: Defines the duration of the grace period.
Disclaimer
Custom disclaimers can now be configured that will display when connecting to the web client.
Enable Disclaimers: enables the functionality.
Disclaimer: Set the default disclaimer in the text box. This disclaimer is shown to all users connecting to the web client, unless a client connects with a discriminating request header.
Enable different disclaimers based on request headers: allows request headers to be set up that show different disclaimer content.
Discriminating Header Name: the universal header name applied. One value is set and all Discriminated Disclaimers are nested within it.
Discriminated Disclaimers: where the different disclaimers are set up. The Discriminator is the request header value, while the Disclaimer is the message content to display. Multiple disclaimers can be configured at once, as long as each Discriminator is unique.
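The selection logic the Disclaimer settings describe, as an added example (not MindLink's code): the header name, discriminator values and disclaimer texts are constructed, and the request is represented as a plain object of headers.

```javascript
// Added example (not MindLink code): choose the disclaimer to show from the
// discriminating request header, falling back to the default disclaimer.
// Header name, discriminators and texts below are constructed samples.
const DISCLAIMER_CONFIG = {
  enabled: true,
  disclaimer: "Authorised use only. Activity may be monitored.", // default text
  discriminateByHeader: true,
  discriminatingHeaderName: "X-Access-Zone", // hypothetical header name
  discriminatedDisclaimers: [
    { discriminator: "internal", disclaimer: "Internal network notice." },
    { discriminator: "partner", disclaimer: "Partner extranet notice." },
  ],
};

// Build the Discriminator -> Disclaimer lookup, rejecting a repeated
// Discriminator (the page requires each one to be unique).
function buildDiscriminatorMap(entries) {
  const map = new Map();
  for (const { discriminator, disclaimer } of entries) {
    if (map.has(discriminator)) {
      throw new Error(`duplicate discriminator: ${discriminator}`);
    }
    map.set(discriminator, disclaimer);
  }
  return map;
}

// Read one header case-insensitively: HTTP header names are not
// case-sensitive, so "x-access-zone" and "X-Access-Zone" are the same header.
function headerValue(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return Array.isArray(value) ? value[0] : value;
  }
  return undefined;
}

// Return the disclaimer text to display, or null when disclaimers are off.
// An absent header, or a value that matches no Discriminator, gets the default.
function selectDisclaimer(headers, cfg = DISCLAIMER_CONFIG) {
  if (!cfg.enabled) return null;
  if (cfg.discriminateByHeader) {
    const map = buildDiscriminatorMap(cfg.discriminatedDisclaimers);
    const value = headerValue(headers, cfg.discriminatingHeaderName);
    if (value !== undefined && map.has(value)) return map.get(value);
  }
  return cfg.disclaimer;
}
```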
Custom Branding
Custom branding configurations allow administrators to configure custom application header and strap line strings to personalize their MindLink Anywhere deployment.
Brand Name
Configure the brand name for the MindLink Anywhere client
Brand strap line (optional)
Configure a strap line for the application, shown on the MLA home page (if a custom home page is not used)
Custom Header and Footer
A header and footer section can be configured in the MindLink Anywhere client. This banner shows at the top and bottom of the client respectively.
Custom Header: The header is shown at the top of the client.
- A URL will need to be set.
- The height of each region can be set separately.
- An invalid URL format will display a warning message.
Custom Footer: The footer is shown at the bottom of the client.
- A URL will need to be set.
- The height of each region can be set separately.
- An invalid URL format will display a warning message.
Custom URLs
Version 19.5 introduces management tool configuration to customize the URL links for the homepage and the help link.
Custom Homepage URL: When a custom Homepage URL is configured, the MindLink icon in the top-left will redirect to the configured URL instead of to MindLink's default page.
This new URL will be displayed within the MindLink client, rather than a new tab.
Help link URL: Providing a valid URL will introduce a new icon in the header of the web app.
Clicking the icon will open the URL in a new tab.
If an invalid URL is used the icon will not show.
SfB Group Administration
SfB Group administration allows users to manage Skype for Business groups from the MLA client. To manage groups a few prerequisites will need to be met.
The group administration is enabled on the MindLink Anywhere page in the management tool.
In the dropdown three options are available:
- Disabled - Disables group administration.
- Integrated inside the application - Adds group management as an option in the user's profile menu.
- External website - Allows users to use an external website for SfB group management.
  - Clicking the Manage Skype for Business groups externally option in the user's profile directs them to the website specified via the SfB Group Management URL option.
  - The text on the Manage Skype for Business groups externally button can be modified by setting the SfB Group Management button description value. Leaving this value blank means the default value is used.
Authentication
Password authentication is the default mechanism, where users manually provide their username and password.
MindLink also supports Single Sign-On, which allows a user to log onto related systems once and not have to re-enter their credentials for each system. Enabling SSO involves configuring the adaptor, and may involve extra configuration depending on the type of connector. For all connectors, the client must be told to connect via SSO by checking the Enable SSO box.
There are two protocols which support Single Sign-On:
1. Windows Authentication
2. HTTP Header Authentication
General
Token Issuing Certificate: Select the certificate to use for the Token Issuing Service. It is mandatory that you provide a token issuing certificate, as this is used to manage user authentication. Ensure that the certificate has a key length of 2048 bits and is set up for digital signing.
Allow users to select the preferred authentication mechanism: Gives the user the ability to select their preferred authentication mechanism. This is only available when more than one mechanism is configured. If more than one authentication mechanism is enabled and authentication fails, the server will attempt to authenticate with the next mechanism, until all have been attempted.
Password Authentication
Enable password authentication: Enabled by default. When enabled, connecting to the MLA server simply presents a web version of the MindLink Anywhere username and password screen.
Windows authentication (NTLM/Kerberos)
MindLink Anywhere Single Sign-On supports both Windows Integrated Authentication and NTLM mechanisms.
Windows Integrated Auth is supported in all browsers except for Safari. If Kerberos is not available, Single Sign-On automatically resorts to NTLM.
For Kerberos to be supported, the MLA URL must be registered as a Service Principal Name.
These are Windows authentication mechanisms for authenticating using SSO. SSO (Single Sign-On) allows users to sign in once with their details and be automatically authenticated each time they visit the MindLink site.
NTLM: For the SSO functionality of MindLink Anywhere to work correctly, the MindLink address needs to be treated as a trusted site in the end user's web browser. This can be configured by Group Policy or manually. These instructions are based on manual configuration using Internet Explorer; other browsers may vary.
1. From within Internet Explorer go to Tools > Internet Options.
2. In the dialogue box that launches, select the Security tab.
3. Select the Trusted Sites icon and click the Sites button.
4. Insert the address of the MindLink Anywhere instance, and click Add.
5. Click Close, then click OK.
Kerberos: operates using "principals", which are identifiers for users and services for which Kerberos tickets can be generated. So that a client can create a ticket readable by a service, it looks up the service principal name and asks the Kerberos server to produce a ticket that can be given to the service. If the service has no registered principal name, or an incorrect principal name is used (for instance falling back to a default service name), then the ticket will be incorrect and authentication will fail.
Windows Authentication: Windows authentication can be implemented by running the following command as a domain administrator:
setspn -U -A http://<server_fqdn> <server_fqdn>
e.g.
setspn -U -A http://machine.domain.com machine.domain.com
Note that this only affects Windows Authentication (Kerberos); NTLM does not use SPNs.
Bypass SSO: By appending a query string to the URL, the SSO mechanism can be bypassed, allowing the client to automatically use the configured authentication mechanism to log on directly without prompting. Windows authentication must be configured for the bypass feature to be used. The query string to bypass SSO is:
- ?bypassLogOnConfiguration=true#/
The first request will require the user to enter credentials, even when using the bypass query string. Every login after the initial one will log in automatically.
HTTP header authentication
- SfB deployments require the user's full SIP address. For example: sip:testuser@domain
This allows the client to be authenticated using a configured pre-authenticated header. Enabling this option allows HTTP headers to be passed to an external authentication module, for example a proxy server.
Example: User credentials can be read from the relevant attributes within the HTTP header of the user's security certificate. These attributes are then authenticated against an authentication module such as a proxy. Once authenticated successfully, a session is then established.
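An added example (not MindLink's code) covering two passages: the fall-through across enabled mechanisms described under General, and an HTTP header mechanism that accepts a pre-authenticated full SfB SIP address. The header name, the proxy address, the user table and the password check are constructed stand-ins; a deployment would verify passwords against the directory.

```javascript
// Added example (not MindLink code): an authentication chain that tries each
// enabled mechanism in turn, with a pre-authenticated HTTP header mechanism
// that requires a full SIP address (sip:user@domain). All names, addresses
// and credentials below are constructed placeholders.

// Full SIP address: "sip:" + user + "@" + domain, with no whitespace.
const SIP_ADDRESS = /^sip:([^@\s]+)@([^@\s]+)$/;

// Normalise a header value to a full SIP address, or null when it is not one
// (a bare "user@domain" is rejected, as the page requires the sip: form).
function parseSipAddress(value) {
  const m = SIP_ADDRESS.exec(String(value).trim());
  return m ? `sip:${m[1]}@${m[2].toLowerCase()}` : null;
}

// Read one header case-insensitively (HTTP header names are not case-sensitive).
function headerValue(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === wanted) return Array.isArray(value) ? value[0] : value;
  }
  return undefined;
}

// Mechanism 1: pre-authenticated header. The header only means something when
// the request came through the external module (e.g. the proxy) that set it,
// so the request's source address is checked before the header is read.
function httpHeaderAuth(request, options) {
  if (request.remoteAddress !== options.trustedProxy) {
    return { ok: false, reason: "request did not arrive via the authentication proxy" };
  }
  const raw = headerValue(request.headers, options.headerName);
  if (raw === undefined) return { ok: false, reason: "pre-authenticated header absent" };
  const sip = parseSipAddress(raw);
  if (!sip) return { ok: false, reason: "header is not a full SIP address" };
  return { ok: true, mechanism: "http-header", identity: sip };
}

// Mechanism 2: username/password. Stand-in verifier against a constructed
// table; a real deployment checks the password against the directory.
function passwordAuth(request, options) {
  const { username, password } = request.credentials || {};
  if (!username || !password) return { ok: false, reason: "no credentials supplied" };
  const expected = options.users.get(username);
  if (expected === undefined || expected !== password) {
    return { ok: false, reason: "bad username or password" };
  }
  return { ok: true, mechanism: "password", identity: username };
}

// Try each configured mechanism in order; the first success wins, otherwise
// every mechanism's failure reason is reported together.
function authenticate(request, mechanisms) {
  const reasons = [];
  for (const { name, run, options } of mechanisms) {
    const result = run(request, options);
    if (result.ok) return result;
    reasons.push(`${name}: ${result.reason}`);
  }
  return { ok: false, reasons };
}

// Constructed configuration: header auth first, password as the fallback.
const MECHANISMS = [
  { name: "http-header", run: httpHeaderAuth,
    options: { headerName: "X-Authenticated-User", trustedProxy: "10.0.0.5" } },
  { name: "password", run: passwordAuth,
    options: { users: new Map([["testuser", "correct-horse-battery"]]) } },
];
```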
External URL Redirection
External URL redirection allows the MLA client to redirect to a specified URL in the event of authentication failure or the user logging out.
Authentication failure redirect URL: redirects the user to the configured URL if they fail to authenticate.
Log out redirect URL: redirects the user to the configured URL when they log out. If a user is unable to authenticate, e.g. enters the wrong credentials, it is possible to have them redirected to an external URL, e.g. www.google.com