MCE Standalone Configuration
MCE standalone overview
MCE can be configured to run independently without the need for a Skype for Business (SfB) Topology. Running MCE as standalone currently requires HTTP header based authentication using the user's linked identity.
As Skype for Business and Communities of Interest are disabled via the Management Center, running MCE standalone will disable the integration of third-party attribute servers. Consequently, security contexts must be added using Active Directory OUs or Groups. The settings for synchronizing these attributes are included in the advanced debug keys below. Please refer to the PowerShell Management section for more information on how to manage the MCE deployment, including how to add security contexts and users.
For all other configurations see MCE Configurations.
Management center configuration
You must configure a standalone MindLink Anywhere installation before configuring the MCE system. Your must disable the following in your Management Center configuration:
- Disable instant messaging
- Disable content classification
- Disable communities of interest
- Disable instant messaging ethical wall
- Disable attribute based access control
- Enable pre-authenticated HTTP header
In the Skype for Business configuration, you must fill out required settings with dummy values. This means that you can enter any values that the Management Center considers valid input. These values will not be used by MCE but are required as the Management Center’s validation process does not yet support MCE standalone. The rest of the settings in the Management Center can be configured to the user's requirements following the Anywhere Management Center guide.
The configuration of MCE relies upon the advanced configuration section of the Management Center:
Required configuration
Once a MindLink Anywhere installation is deployed, the following configuration will host a MCE standalone configuration on a single machine:
| Key | Value | Description |
|---|---|---|
| global.service.modules | Web,Mce,MceAdmin | Enables Web, MCE and the MCE administration services respectively. |
| debug.mce.clientenabled | true | Enables the MCE connector for Web, overridden to true when the "MceAdmin" module is enabled. |
| debug.mce.databaseconnectionstring | Server=<ServerName>\<ServerInstance>; Database=<DatabaseName>;Integrated Security=true | Specifies the database connection for all MCE operations, including cluster membership. |
| debug.mce.file.server.path.<mce file server identifier> | C:\mce\files | The path to where file uploads should be stored when the specified <file server identifier> is configured as the active file server, this should be a network path accessible to all MLA hosts. This key allows for recording multiple file paths onto which files have been uploaded, the currently "active" path (onto which new files will be uploaded) can be switched with the debug.mce.file.server.activeid key |
| debug.mce.file.server.activeid | mcefileserver1 | The desired mce file server identifier, defined via using the debug.mce.file.server.path.<mce file server identifier> debug flag |
| debug.mce.clusterid | mce | Specifies the identity of the cluster. |
| debug.mce.clusteraddress | mce.company.com | Specifies the DNS name of the cluster, this is used for certificate |
| debug.mce.trustedaddresses | mce.company.com | A comma-separated list of subject names that are trusted. One or more SANs in the certificate used to connect to the cluster must appear in this list. |
| debug.connector.types.enabled | mce | Specifies the enabled connectors, accepted values are "mce" and "ucma". MCE is required for a standalone deployment with the omission of UCMA. |
| debug.connector.mce.groupsecuritycontextrequired | true | Enforces that a security context must be specified when creating a group |
| debug.connector.mce.groupclassificationrequired | false | Enforces that a classification must be specified when creating a group |
| debug.mceadmin.validissuers | AD | Specifies the issuers that can be used to specify COI attributes. Value AD = Active Directory. Alternatively, the value for your third-party attribute service can be used. |
| debug.mceadmin.coreuserattributeissuer | AD | Specifies the attribute issuer to use as the linked user identity. |
| debug.mceadmin.coreuserattributename | msRTCSIP-PrimaryUserAddress | Specifies the attribute to synchronize as the linked user identity. |
| debug.mce.user.attribute.name.emailaddress | The AD attribute name for the email address. | |
| debug.mce.user.attribute.name.displayname | displayName | The AD attribute name for the display name. |
| debug.mceadmin.synchronization.activedirectory.reminderintervalminutes | 240 | Specifies the reminder interval, in minutes, for synchronizing the Active Directory attributes. We recommend a value between 4-6 hours. |
| debug.mceadmin.synchronization.attributeprovider.reminderintervalminutes | 240 | Specifies the reminder interval, in minutes, for synchronizing the user attribute provider attributes. We recommend a value between 4-6 hours. |
| debug.mceadmin.synchronization.activedirectory.properties | s, st, displayName, distinguishedName, mail, msRTCSIP-PrimaryUserAddress | Specifies the active directory properties to synchronize for users (ensure the distinguished name and primary user address are synchronized). Only string type AD properties are supported. |
| debug.mceadmin.synchronization.activedirectory.groupsandous.enabled | true | Enables Active Directory Groups and OUs for synchronization. |
| debug.mceadmin.admin.upn | user@domain.com | The UPN of an administrator account, used to connect with the Powershell and manage MCE. |
Optional configuration
| Key | Value | Description |
|---|---|---|
| debug.mce.fileupload.disabled | true | Disabled file upload functionality in MCE groups |
| debug.mce.clustercertificatethumbprint | ABCD...0123 | Specifies the certificate thumbprint of a certificate in the Windows Machine Certificate Store to use to secure TLS communication between the cluster nodes |
| debug.mce.orleansdashboard.enabled | true | Enables the monitoring dashboard for the MCE cluster |
| debug.mce.orleansdashboard.port | 8033 | Specifies the port to host the monitoring dashboard over HTTP |
| debug.mce.endpoint.advertisedipaddress | 127.0.0.1 | Specifies the IP address this cluster node can be reached on from other cluster nodes |
| debug.mce.endpoint.gatewayport | 30000 | Specifies the port this cluster node will accept client connections on |
| debug.mce.endpoint.siloport | 11111 | Specifies the port this cluster node will accept peer cluster node connections on |
| debug.mceadmin.admin.attribute | cois=Admins | The security attribute name=value of administrator accounts |
| debug.mceadmin.admin.adgroup | CN=MceAdministrators, DN=Groups, DC=company, DC=com | The Active Directory distinguished name of a Security Group for administrator accounts |
| debug.mceadmin.admin.tokenexpirationminutes | 15 | The number of minutes an administrator access token is valid |
| debug.mce.management.group.name.duplicationscope | None | The scope of validation against group name duplication. Can be "Global", "SecurityContext", "SecurityContextAndClassification", or "None". Will default to "None" if not provided. |