Access Restriction


If a MindLink license has been purchased for a subset of the enabled Skype for Business users, it is possible to restrict access such that only the licensed users are able to log on.

It is necessary to restrict access as the license mechanism will periodically count the users who could log on to MindLink ('enabled for MindLink') and compare this against the licensed number of users.

If the number of users enabled for MindLink is greater than the licensed number, the MindLink Server will deny users logging on until the number of users enabled for MindLink is reduced.

The number of users with a logged-on mobile session is dynamically compared to the number of licensed users. When there are as many logged-on sessions as licensed users, further log-ons will be denied until one of the existing sessions is ended.

It may be necessary therefore to ensure that the number of active sessions never exceeds the licensed capacity, by restricting access to the set of users who are licensed to start a session.

Active Directory#

During log on, the MindLink Server queries Active Directory to map the credentials provided by the user to their SfB SIP address. This entails making an LDAP search for the SIP-enabled A/D object, given the Security Identifier of the logging on account.

The Management Center offers two ways in which this query can be altered to only succeed for users 'enabled' for MindLink.

Specifying an Active Directory Group#

Only SIP-enabled objects that are a member of this group will be allowed to log on. The group may be a Distribution or Security group, with scope such that membership is replicated to the directory server that MindLink will connect to.

Specifying a custom LDAP Search Filter#

Only SIP-enabled objects that match the given search filter will be allowed to log on. The default search filter may be augmented to only match users with a custom 'MindLinkEnabled' attribute, for example. In either case, users whose SIP-enabled objects do not meet the criteria will not be allowed to log on, and they will not be ignored during reconciliation of enabled/active users vs licensed capacity.

Skype for Business#

MindLink establishes a standard SfB endpoint for each user session and agent. All data - e.g. messages, presence changes etc - is routed into SfB in the same way as with a native Microsoft SfB endpoint. As such, standard SfB monitoring, reporting and archiving tools can be used to record user actions on a MindLink endpoint. MindLink endpoints are established with a 'MindLinkServer' SIP user agent string.