Minimal deployment walkthrough

This page walks through a hypothetical deployment of a 3-node "one-box" cluster.

Topology#

As each node in the cluster will be deployed with both the MindLink Anywhere and MCE roles, we will form a fully connected network.

Our example environment is as follows:

| Server FQDN | Server IP(s) | Function |
|---|---|---|
| dc.domain.local | 192.168.0.3 | The AD domain controller |
| sql.domain.local | 192.168.0.5 | The SQL always-on cluster |
| files.domain.local | 192.168.0.6 | The network file share |
| attributes.domain.local | 192.168.0.7 | The security attribute server |
| sfb.domain.local | 192.168.0.10, 192.168.0.11, 192.168.0.12 | The Skype-for-Business pool |
| mindlink1.domain.local | 192.168.0.21 | The first MCE/MLA server |
| mindlink2.domain.local | 192.168.0.22 | The second MCE/MLA server |
| mindlink3.domain.local | 192.168.0.23 | The third MCE/MLA server |
| mindlink.domain.local | 192.168.0.30 | The web load balancer |

[Figure: Walkthrough domain diagram]

We will assume the default port configuration for the following dependent services:

| Service | Port | Function |
|---|---|---|
| Active Directory global catalog | TCP 3289 | Performing authentication / synchronizing user security attributes |
| Attribute server | TCP 443 | Synchronizing user security attributes |
| SQL server | TCP 1433 | MCE persistence layer |
| SfB server | TCP 5061 | MindLink Anywhere SfB backend communication |
| Network file share server | TCP 135-139, UDP 135-139 | MCE file upload repository |

We will assume the default port configuration for the MindLink server roles as follows:

| Port | Direction | Function |
|---|---|---|
| 11111 | Bi-directional (from other MCE cluster members) | The MCE silo-to-silo communication port |
| 30000 | Bi-directional (from other MCE cluster members) | The MCE client-to-silo gateway port |
| 9080 | Inbound (from anywhere) | The MLA web port (and MCE admin port) |

Therefore, each MindLink server will need firewall rules allowing the following:

| Port | Direction | Target |
|---|---|---|
| TCP 3289 | Outbound | dc.domain.local |
| TCP 443 | Outbound | attributes.domain.local |
| TCP 1433 | Outbound | sql.domain.local |
| TCP 5061 | Outbound | sfb.domain.local |
| TCP 135-139 | Outbound | files.domain.local |
| UDP 135-139 | Outbound | files.domain.local |
| TCP 11111 | Inbound/Outbound | mindlink1.domain.local, mindlink2.domain.local, mindlink3.domain.local |
| TCP 30000 | Inbound/Outbound | mindlink1.domain.local, mindlink2.domain.local, mindlink3.domain.local |
| TCP 9080 | Inbound | mindlink.domain.local |

The network interactions can then be visualized as follows:

[Figure: Walkthrough network diagram]
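The firewall rule table above, turned into Windows Defender Firewall rules for one MindLink server. This is an added example and not part of the MindLink documentation; it assumes the target names resolve in DNS and that it is run elevated on each node, and the "MindLink ..." rule names are our own choice.

```powershell
# Added example, not from the MindLink documentation: creates Windows Defender Firewall
# rules matching the table above on one MindLink server. Run elevated on each node.
# Assumes the target names resolve in DNS (Resolve-DnsName is used to scope rules to
# those hosts rather than to 'Any'); the 'MindLink ...' rule names are our own choice.
$ErrorActionPreference = 'Stop'
$cluster = 'mindlink1.domain.local', 'mindlink2.domain.local', 'mindlink3.domain.local'

# Resolve names to IPv4 addresses (the SfB pool name returns several A records).
function Resolve-Targets([string[]]$Names) {
    $Names | ForEach-Object {
        Resolve-DnsName -Name $_ -Type A | Where-Object Type -eq 'A' | ForEach-Object IPAddress
    }
}

# Outbound dependencies, one row of the table each. The Windows firewall allows outbound
# traffic by default, so these rules only take effect once the outbound default is Block.
$outbound = @(
    @{ Name = 'MindLink AD GC';      Proto = 'TCP'; Port = '3289';    Target = 'dc.domain.local' },
    @{ Name = 'MindLink attributes'; Proto = 'TCP'; Port = '443';     Target = 'attributes.domain.local' },
    @{ Name = 'MindLink SQL';        Proto = 'TCP'; Port = '1433';    Target = 'sql.domain.local' },
    @{ Name = 'MindLink SfB';        Proto = 'TCP'; Port = '5061';    Target = 'sfb.domain.local' },
    @{ Name = 'MindLink files TCP';  Proto = 'TCP'; Port = '135-139'; Target = 'files.domain.local' },
    @{ Name = 'MindLink files UDP';  Proto = 'UDP'; Port = '135-139'; Target = 'files.domain.local' }
)
foreach ($r in $outbound) {
    New-NetFirewallRule -DisplayName $r.Name -Direction Outbound -Protocol $r.Proto `
        -RemotePort $r.Port -RemoteAddress (Resolve-Targets $r.Target) `
        -Action Allow -Profile Domain | Out-Null
}

# Cluster ports 11111 and 30000: inbound and outbound, but only to/from the cluster members.
$peers = Resolve-Targets $cluster
foreach ($port in 11111, 30000) {
    New-NetFirewallRule -DisplayName "MindLink MCE $port in" -Direction Inbound -Protocol TCP `
        -LocalPort $port -RemoteAddress $peers -Action Allow -Profile Domain | Out-Null
    New-NetFirewallRule -DisplayName "MindLink MCE $port out" -Direction Outbound -Protocol TCP `
        -RemotePort $port -RemoteAddress $peers -Action Allow -Profile Domain | Out-Null
}

# Web port 9080: inbound, restricted to the load balancer named in the table.
New-NetFirewallRule -DisplayName 'MindLink MLA web' -Direction Inbound -Protocol TCP `
    -LocalPort 9080 -RemoteAddress (Resolve-Targets 'mindlink.domain.local') `
    -Action Allow -Profile Domain | Out-Null
```

Scoping the 9080 rule to the load balancer address means clients can only reach the MLA web port (which is also the MCE admin port) through the load balancer, which is the intent of the table.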

Active Directory#

We will assume that the Active Directory server has a security group defined for MCE administrators:

| AD DN | Purpose |
|---|---|
| CN=MceAdministrators, DN=Groups, DC=domain, DC=local | A security group containing MCE administrator users |

SQL Server#

We will assume that the SQL server has been configured with a database for MCE and that the prerequisite SQL scripts have already been executed against it:

| SQL Server connection string |
|---|
| Server=sql.domain.local;Database=Mce;Integrated Security=true |

Certificates#

We will need certificates to secure communication between MindLink servers and dependency services, between MindLink servers and MindLink clients, and between MindLink cluster members.

In order to secure the MindLink cluster we need to settle on a cluster address that must appear as a SAN on any certificate presented by a server within the cluster (or by any server connecting into the cluster). In this example we will use the following:

| Cluster address |
|---|
| mce.domain.local |

In order to secure the MindLink Anywhere services, we will assume that there is an SSL-terminating load balancer in front of the MindLink Anywhere services and so the MindLink servers themselves present internal server certificates to the load balancer.

The following certificates are then required to secure the MindLink services:

| Certificate ID | Certificate Use | Subject/SAN | Scope |
|---|---|---|---|
| SfB MTLS Certificate | Secure MTLS SfB connectivity | mindlink1.domain.local, mindlink2.domain.local, mindlink3.domain.local | per-machine or per-cluster |
| MCE MTLS Certificate | Secure MTLS MCE connectivity | mce.domain.local | per-machine or per-cluster |
| MLA Web Certificate | MLA web service certificate | mindlink1.domain.local, mindlink2.domain.local, mindlink3.domain.local | per-machine or per-cluster |
| MLA Auth Certificate | Authentication token certificate | <anything> e.g. mindlink.domain.local | per-cluster |

We will use the certificate identities above, assuming the simplest certificate configuration where all certificates contain SANs for all cluster server FQDNs.
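A pre-flight check that the certificates installed in the machine store carry the SANs the table above requires, written as an added example (not MindLink's own tooling). The thumbprints are placeholders to fill in for your environment; the required names are taken from the table, and the expiry window of 30 days is our own choice.

```powershell
# Added example, not from the MindLink documentation: verifies that the installed
# certificates carry the SANs the table above requires before the cluster is started.
# Thumbprints are placeholders to fill in; the required names come from the table.
$cluster = 'mindlink1.domain.local', 'mindlink2.domain.local', 'mindlink3.domain.local'
$required = [ordered]@{
    'SfB MTLS Certificate' = @{ Thumbprint = '<SFB-THUMBPRINT>'; Names = $cluster }
    'MCE MTLS Certificate' = @{ Thumbprint = '<MCE-THUMBPRINT>'; Names = @('mce.domain.local') }
    'MLA Web Certificate'  = @{ Thumbprint = '<WEB-THUMBPRINT>'; Names = $cluster }
}

function Test-MindLinkCertificate([string]$Thumbprint, [string[]]$Names) {
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert) { return 'not found in Cert:\LocalMachine\My' }
    $problems = @()
    # DnsNameList is filled from the SAN extension (falling back to the subject CN),
    # so every name the table lists for this certificate must appear there.
    $present = @($cert.DnsNameList | ForEach-Object Unicode)
    $missing = @($Names | Where-Object { $present -notcontains $_ })
    if ($missing.Count -gt 0) { $problems += "missing SAN(s): $($missing -join ', ')" }
    if (-not $cert.HasPrivateKey) { $problems += 'no private key in the machine store' }
    # 30-day warning window is our own choice, not a MindLink requirement.
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires $($cert.NotAfter)" }
    if ($problems.Count -gt 0) { $problems -join '; ' } else { 'ok' }
}

foreach ($id in $required.Keys) {
    $r = $required[$id]
    '{0,-22} {1}' -f $id, (Test-MindLinkCertificate -Thumbprint $r.Thumbprint -Names $r.Names)
}
```

Run it on each cluster member when per-machine certificates are used, since each node then presents its own certificate.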

Configuration#

First, we must configure the following integration features:

See Configuring MindLink Anywhere for further details.

The configuration of MCE relies upon the advanced configuration section of the MindLink Management Center.

All cluster members#

Most of the configuration across servers in the MindLink cluster must be the same in order for them to be considered members of the same cluster. In fact, the only configuration that should differ is the advertised IP address of the cluster members and possibly the certificates (if a per-machine certificate is used instead of per-cluster):

| Key | Value |
|---|---|
| global.service.modules | Web,Mce,MceAdmin |
| debug.mce.clientenabled | true |
| debug.mce.databaseconnectionstring | Server=sql.domain.local;Database=Mce;Integrated Security=true |
| debug.mce.clusterid | mce |
| debug.mce.clusteraddress | mce.domain.local |
| debug.mceadmin.validissuers | AD |
| debug.mceadmin.coreuserattributeissuer | AD |
| debug.mceadmin.coreuserattributename | msRTCSIP-PrimaryUserAddress |
| debug.mce.enableinappmcegroupmanagement | true |
| debug.connector.mce.groupsecuritycontextrequired | true |
| debug.connector.mce.groupclassificationrequired | true |
| debug.mce.basefileuploadpath | \\files.domain.local\mce\files |
| connector.ucma.custompreferencesrepository | \\files.domain.local\mce\preferences |
| debug.ucma.persistentchat.enabled | false |
| debug.mce.clustercertificatethumbprint | MCE MTLS Certificate |
| debug.mce.orleansdashboard.enabled | true |
| debug.mce.orleansdashboard.port | 8033 |
| debug.mceadmin.admin.adgroup | CN=MceAdministrators, DN=Groups, DC=domain, DC=local |

mindlink1.domain.local#

The following advanced configuration is required for the MindLink server mindlink1.domain.local in addition to the common configuration above:

| Key | Value |
|---|---|
| debug.mce.endpoint.advertisedipaddress | 192.168.0.21 |

mindlink2.domain.local#

The following advanced configuration is required for the MindLink server mindlink2.domain.local in addition to the common configuration above:

| Key | Value |
|---|---|
| debug.mce.endpoint.advertisedipaddress | 192.168.0.22 |

mindlink3.domain.local#

The following advanced configuration is required for the MindLink server mindlink3.domain.local in addition to the common configuration above:

| Key | Value |
|---|---|
| debug.mce.endpoint.advertisedipaddress | 192.168.0.23 |

Running#

Each service should be started one at a time to avoid a temporary split cluster:

  • Start the MindLink Anywhere service on mindlink1.domain.local
  • Start the MindLink Anywhere service on mindlink2.domain.local
  • Start the MindLink Anywhere service on mindlink3.domain.local

This deployment will continue to operate in the face of a single node failure.
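The staggered start-up described above, scripted as an added example (not MindLink's own tooling): each node's service is started in turn and the script waits for that node's silo port (TCP 11111) to accept connections before moving on. It assumes WinRM is enabled on the nodes, that the caller is a local administrator on them, and that the Windows service name is the placeholder shown (check it with Get-Service).

```powershell
# Added example, not from the MindLink documentation: starts the MindLink Anywhere service
# on each node in turn and waits for the node's silo port (11111, from the port table) to
# accept connections before starting the next, so the cluster forms incrementally.
# Assumptions: WinRM is enabled on the nodes, the caller is a local administrator on them,
# and the Windows service name is '<MindLinkServiceName>' (placeholder; check Get-Service).
$serviceName = '<MindLinkServiceName>'
$nodes = 'mindlink1.domain.local', 'mindlink2.domain.local', 'mindlink3.domain.local'
$siloPort = 11111

# Poll the silo port until it answers or the timeout (our own choice) expires.
function Wait-MindLinkSilo([string]$Node, [int]$Port, [int]$TimeoutSeconds = 120) {
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        $probe = Test-NetConnection -ComputerName $Node -Port $Port -WarningAction SilentlyContinue
        if ($probe.TcpTestSucceeded) { return $true }
        Start-Sleep -Seconds 5
    }
    return $false
}

foreach ($node in $nodes) {
    Write-Host "Starting $serviceName on $node"
    Invoke-Command -ComputerName $node -ScriptBlock {
        param($name) Start-Service -Name $name
    } -ArgumentList $serviceName
    if (-not (Wait-MindLinkSilo -Node $node -Port $siloPort)) {
        # Stop here: starting the next node before this one joined is what causes a split cluster.
        throw "$node did not open TCP $siloPort in time"
    }
    Write-Host "$node is listening on TCP $siloPort; continuing"
}
```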

The configuration in this walkthrough enabled the administration services on each server. This means that you can connect the MCE PowerShell module to any one of the servers in order to manage the MCE cluster.

The configuration in this walkthrough enabled the Orleans dashboard on each server. This means that you can browse to https://mindlink1.domain.local:8033, https://mindlink2.domain.local:8033 or https://mindlink3.domain.local:8033 to monitor the health of the cluster, provided the firewall configuration permits access to TCP 8033.