MCE Standalone Configuration

MCE standalone overview#

MCE can be configured to run independently, without a Skype for Business (SfB) topology. Running MCE standalone currently requires HTTP-header-based authentication using the user's linked identity. As with any pre-authenticated header scheme, that header is the only proof of identity, so the MindLink hosts must accept it only from the front end that actually authenticates the user (which must drop any copy of the header supplied by the client before setting its own); a client that can set the header directly could impersonate any linked identity.

Because Skype for Business and Communities of Interest are disabled via the Management Center, running MCE standalone also disables the integration of third-party attribute servers. Security contexts must therefore be added using Active Directory OUs or groups. The settings for synchronizing these attributes are included in the advanced debug keys below. Refer to the PowerShell Management section for how to manage the MCE deployment, including how to add security contexts and users.

For all other configurations see MCE Configurations.

Management center configuration#

You must configure a standalone MindLink Anywhere installation before configuring the MCE system. You must disable the following in your Management Center configuration:

- Skype for Business
- Communities of Interest

In the Skype for Business configuration you must still fill in the required settings with dummy values, that is, any values the Management Center accepts as valid input. MCE does not use these values, but they are required because the Management Center's validation does not yet support MCE standalone. The remaining Management Center settings can be configured to your requirements following the Anywhere Management Center guide.

The configuration of MCE itself is done through the advanced configuration section of the Management Center, using the keys listed below.

Required configuration#

Once a MindLink Anywhere installation is deployed, the following configuration will host an MCE standalone deployment on a single machine:

| Key | Value | Description |
|---|---|---|
| `global.service.modules` | `Web,Mce,MceAdmin` | Enables the Web, MCE and MCE administration services respectively. |
| `debug.mce.clientenabled` | `true` | Enables the MCE connector for Web. Overridden to `true` when the `MceAdmin` module is enabled. |
| `debug.mce.file.server.path.<mce file server identifier>` | `C:\mce\files` | The path where file uploads are stored when the given `<mce file server identifier>` is configured as the active file server. This should be a network path accessible to all MLA hosts (a local path such as the example only works for a single-machine deployment). This key allows multiple paths onto which files have been uploaded to be recorded; the currently "active" path (onto which new files will be uploaded) is selected with the `debug.mce.file.server.activeid` key. |
| `debug.mce.file.server.activeid` | `mcefileserver1` | The identifier of the active MCE file server, as defined by a `debug.mce.file.server.path.<mce file server identifier>` key. |
| `debug.connector.types.enabled` | `mce` | Specifies the enabled connectors; accepted values are `mce` and `ucma`. A standalone deployment requires `mce` and must omit `ucma`. |
| `debug.connector.mce.groupclassificationrequired` | `false` | Enforces that a classification must be specified when creating a group. |
| `mce.attributesynchronization.validissuers` | `AD` | Specifies the issuers that can be used to supply COI attributes. `AD` = Active Directory. Alternatively, the value for your third-party attribute service can be used (not applicable to a standalone deployment, where third-party attribute servers are disabled). |
| `mce.attributesynchronization.user.defaultissuer` | `AD` | Specifies the default attribute issuer to use for user attribute synchronization. |
| `mce.attributesynchronization.user.linkedauthenticationidentity.issuer` | `AD` | Specifies the attribute issuer to use for the linked authentication identity of users. |
| `mce.attributesynchronization.user.linkedauthenticationidentity.name` | `msRTCSIP-PrimaryUserAddress` | Specifies the attribute to synchronize as the linked authentication identity. This is the property, defined in the attribute issuer, used to link users to their authenticated identity. |
| `mce.attributesynchronization.user.displayname.name` | `displayName` | Specifies the attribute name used to synchronize the user display name. |
| `mce.attributesynchronization.user.emailaddress.name` | `mail` | Specifies the attribute name used to synchronize the user email address. |
| `mce.attributesynchronization.activedirectory.synchronizationreminderminutes` | `240` | Specifies the reminder interval, in minutes, for synchronizing the Active Directory attributes. A value between 4 and 6 hours is recommended. |
| `mce.attributesynchronization.attributeprovider.synchronizationreminderminutes` | `240` | Specifies the reminder interval, in minutes, for synchronizing the user attribute provider attributes. A value between 4 and 6 hours is recommended. |
| `mce.attributesynchronization.user.activedirectory.properties` | `s, st, displayName, distinguishedName, mail, msRTCSIP-PrimaryUserAddress` | Specifies the Active Directory properties to synchronize for users. Ensure the distinguished name and the primary user address are included. Only string-type AD properties are supported. |
| `mce.attributesynchronization.activedirectory.groupsandous.enabled` | `true` | Enables synchronization of Active Directory groups and OUs. |
| `debug.mceadmin.admin.upn` | `user@domain.com` | The UPN of an administrator account, used to connect with PowerShell and manage MCE. |
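Before enabling the keys above it is worth checking that the directory data they point at will actually link every user. The following pre-flight script is an added example, not part of the MindLink documentation: it takes the objects that `Get-ADUser` returns (or any objects with the same property names) and flags users with no distinguished name, no linked authentication identity, a multi-valued identity, or an identity value that another object also carries. The last check matters because header-based login resolves the header value through this attribute, so two objects sharing a value would be indistinguishable at login. The OU path, attribute names and sample objects are assumptions and constructed data.

```powershell
# Added example (not from the MindLink documentation).
# Pre-flight check of the AD attributes MCE standalone synchronizes.

function Test-MceLinkedIdentity {
    param(
        # Objects exposing the synchronized AD properties (from Get-ADUser, or constructed).
        [Parameter(Mandatory)] [object[]] $Users,
        # Value of mce.attributesynchronization.user.linkedauthenticationidentity.name
        [string] $LinkedIdentityAttribute = 'msRTCSIP-PrimaryUserAddress'
    )
    $findings = @()
    $seen = @{}   # normalized linked identity -> DN of the object that first claimed it

    foreach ($u in $Users) {
        $dn = $u.distinguishedName
        $id = $u.$LinkedIdentityAttribute   # dynamic member access by attribute name

        if ([string]::IsNullOrWhiteSpace($dn)) {
            $findings += [pscustomobject]@{ Severity = 'Error'; Object = $u.sAMAccountName
                Issue = 'Missing distinguishedName; MCE cannot synchronize this object' }
            continue
        }
        if ($null -eq $id -or ($id -is [string] -and [string]::IsNullOrWhiteSpace($id))) {
            $findings += [pscustomobject]@{ Severity = 'Error'; Object = $dn
                Issue = "Missing $LinkedIdentityAttribute; a header login cannot be linked to this user" }
            continue
        }
        # Attribute synchronization supports single string values only.
        if ($id -is [System.Collections.ICollection] -and $id.Count -ne 1) {
            $findings += [pscustomobject]@{ Severity = 'Error'; Object = $dn
                Issue = "$LinkedIdentityAttribute holds $($id.Count) values; expected exactly one" }
            continue
        }
        # Conservative collision check: trim and compare case-insensitively.
        $key = ([string]$id).Trim().ToLowerInvariant()
        if ($seen.ContainsKey($key)) {
            $findings += [pscustomobject]@{ Severity = 'Error'; Object = $dn
                Issue = "Linked identity '$id' is also carried by $($seen[$key])" }
        } else {
            $seen[$key] = $dn
        }
        if ([string]::IsNullOrWhiteSpace($u.mail)) {
            $findings += [pscustomobject]@{ Severity = 'Warning'; Object = $dn
                Issue = 'Missing mail; the email address will not synchronize' }
        }
    }
    return $findings
}

# Constructed sample data (not a real directory), exercising each finding.
$sample = @(
    [pscustomobject]@{ sAMAccountName = 'alice'; distinguishedName = 'CN=Alice,OU=Users,DC=company,DC=com'
        mail = 'alice@company.com'; 'msRTCSIP-PrimaryUserAddress' = 'sip:alice@company.com' }
    [pscustomobject]@{ sAMAccountName = 'bob';   distinguishedName = 'CN=Bob,OU=Users,DC=company,DC=com'
        mail = 'bob@company.com';   'msRTCSIP-PrimaryUserAddress' = 'SIP:alice@company.com' }   # collides with alice
    [pscustomobject]@{ sAMAccountName = 'carol'; distinguishedName = 'CN=Carol,OU=Users,DC=company,DC=com'
        mail = $null;               'msRTCSIP-PrimaryUserAddress' = $null }                    # cannot be linked
)
Test-MceLinkedIdentity -Users $sample | Format-Table -AutoSize

# Against a real domain (needs the ActiveDirectory module), pull the same
# properties MCE synchronizes from the OU in scope (placeholder OU):
# $live = Get-ADUser -Filter * -SearchBase 'OU=Users,DC=company,DC=com' `
#             -Properties distinguishedName, mail, displayName, 'msRTCSIP-PrimaryUserAddress'
# Test-MceLinkedIdentity -Users $live | Format-Table -AutoSize
```

Run it on the OU or group you intend to synchronize and resolve every `Error` before enabling header-based authentication; the sample above produces a duplicate-identity error for bob, and a missing-identity error for carol.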

Optional configuration#

| Key | Value | Description |
|---|---|---|
| `debug.mce.fileupload.disabled` | `true` | Disables file upload functionality in MCE groups. |
| `debug.mce.clusternode.advertisedipaddress` | `127.0.0.1` | Specifies the IP address on which this cluster node can be reached from other cluster nodes. `127.0.0.1` is only reachable from the same host, so on a multi-node cluster set an address the other nodes can route to. |
| `mce.clusternode.gatewayport` | `30000` | Specifies the port on which this cluster node accepts client connections. |
| `mce.clusternode.siloport` | `11111` | Specifies the port on which this cluster node accepts peer cluster node connections. |
| `mce.attributesynchronization.user.emailaddress.issuer` | `AD` | Specifies the attribute issuer used to synchronize the user email address. Defaults to the configured default attribute issuer if omitted. |
| `mce.attributesynchronization.user.displayname.issuer` | `AD` | Specifies the attribute issuer used to synchronize the user display name. Defaults to the configured default attribute issuer if omitted. |
| `debug.mceadmin.admin.attribute` | `cois=Admins` | The security attribute, as `name=value`, that identifies administrator accounts. |
| `debug.mceadmin.admin.adgroup` | `CN=MceAdministrators, DN=Groups, DC=company, DC=com` | The Active Directory distinguished name of a security group whose members are administrator accounts. |
| `debug.mceadmin.admin.tokenexpirationminutes` | `15` | The number of minutes an administrator access token is valid. |
| *(key and default not given in the source)* | | Scope of validation against group name duplication. Can be `Global`, `SecurityContext`, `SecurityContextAndClassification` or `None`. Defaults to `None` if not provided. |

"Shadow account" setup for external users#

Shadow accounts are only required to give users external to the local AD access to MCE.

A shadow account is a contact or disabled user object in Active Directory that provides a directory resource for a person who is not an authenticated member of the directory, for example a user external to the system.

The AD administrator creates a contact object carrying attributes such as display name and email address. The person represented by this object cannot authenticate to AD, but the object can carry the attributes that grant access to MCE groups.

Configure the "pre-authenticated" header so that it injects the email address as the header value when the external user logs into MindLink. They can then log in and interact with groups according to the attributes configured on the AD object, just like a regular internal AD user.
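The shadow account setup above, as an added PowerShell example that is not part of the MindLink documentation: it creates the contact object with the display name and email address, refuses to create it if any object already carries the same linked identity value (one header value must resolve to exactly one directory object), and adds the contact to the security group that MCE synchronizes. The OU, group name, user values and the choice of `mail` as the linked identity attribute are assumptions; whichever attribute `mce.attributesynchronization.user.linkedauthenticationidentity.name` names must hold exactly the value the pre-authenticated header will carry for this user. The script needs the ActiveDirectory module and rights to create objects in the target OU and to modify the group.

```powershell
# Added example (not from the MindLink documentation).
# Create an AD contact as the "shadow account" for an external user.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping, so a caller-supplied value cannot alter the LDAP filter.
    param([Parameter(Mandatory)] [string] $Value)
    $Value = $Value.Replace('\', '\5c')
    $Value = $Value.Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    return $Value.Replace([string][char]0, '\00')
}

function New-MceShadowContact {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $Email,
        # OU that holds shadow contacts (placeholder), e.g. 'OU=ShadowAccounts,DC=company,DC=com'
        [Parameter(Mandatory)] [string] $Path,
        # DN of the security group MCE synchronizes for external users (placeholder)
        [Parameter(Mandatory)] [string] $AccessGroupDn,
        # Attribute named by mce.attributesynchronization.user.linkedauthenticationidentity.name;
        # 'mail' is an assumption matching the header carrying the email address.
        [string] $LinkedIdentityAttribute = 'mail'
    )
    $domainRoot = (Get-ADRootDSE).defaultNamingContext
    $filter = "($LinkedIdentityAttribute=$(ConvertTo-LdapFilterValue $Email))"

    # One identity value must map to one directory object: refuse duplicates,
    # otherwise the header value becomes ambiguous at login.
    $existing = Get-ADObject -LDAPFilter $filter -SearchBase $domainRoot
    if ($existing) {
        throw "An object already carries $LinkedIdentityAttribute=$Email : $($existing.DistinguishedName)"
    }

    $attrs = @{ displayName = $DisplayName; mail = $Email }
    $attrs[$LinkedIdentityAttribute] = $Email   # same key as mail when the default is used

    # A contact has no password and cannot authenticate to AD; it only carries
    # the attributes MCE reads during synchronization.
    $contact = New-ADObject -Name $DisplayName -Type contact -Path $Path `
                            -OtherAttributes $attrs -PassThru

    # Add-ADGroupMember expects a security principal, so add the contact's DN
    # to the group's member attribute directly.
    Set-ADGroup -Identity $AccessGroupDn -Add @{ member = $contact.DistinguishedName }
    return $contact
}

# Placeholder values; adjust to the deployment.
New-MceShadowContact -DisplayName 'Pat Partner' -Email 'pat@partner.example' `
    -Path 'OU=ShadowAccounts,DC=company,DC=com' `
    -AccessGroupDn 'CN=MceExternalUsers,OU=Groups,DC=company,DC=com'
```

After the next attribute synchronization (see the reminder-interval keys above) the contact is picked up with its group membership, and a request arriving with the pre-authenticated header set to `pat@partner.example` resolves to this object.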