MCE Configuration

Currently you must correctly configure a MindLink Anywhere installation first, before configuring the MCE system.

You must configure the following integration features:

See Configuring MindLink Anywhere for further details.

Optional third-party attribute server#

Using a third-party attribute server#

MCE can integrate with a third-party external security attribute system to synchronize security attributes. The attribute server is configured in the "User attributes provider" tab of the MindLink Management Center. The optional attribute server is used if any of the "Content classification", "Communities of interest", or "IM ethical wall" features are enabled. To use "Content classification" in MCE, the "Communities of interest" feature must also be enabled.

Disabling the third-party attribute server#

The optional attribute server is not used if the "Content classification", "Communities of interest", and "IM ethical wall" features are disabled in the MindLink Management Center.

Firefox configuration for encryption#

Firefox by default does not include certificates from the local Windows certificate store, nor does it treat preflight HTTPS requests in the same way as Chrome or Edge. Additional configuration is therefore required: open a new tab in Firefox and enter about:config as the URL. You should be presented with a text box to search the advanced configuration, where the following preferences are set:

  • security.enterprise_roots.enabled
    • Set as: true
    • Connects the local certificate store
  • network.cors_preflight.allow_client_cert
    • Set as: true
    • Causes Firefox to behave like Chrome and Edge

The configuration of MCE relies upon the advanced configuration section of the MindLink Management Center and the respective MCE page in the management tool.

Management Center configuration#

We must configure the settings of the MCE services through the appropriate page in the Management Center for all of the following scenarios.

Management tool page

Server
Enables the services that host the backend for the MindLink Chat Engine.

  • Enable MCE backend services: Enables the configuration of the backend services that synchronize with existing infrastructure to host the MindLink Chat Engine.
    • Please note the Management Center does not currently validate the input fields on the MCE configuration page if MCE backend services are not enabled.

Cluster configuration
Specify the identity used for the MCE cluster and the database connection used for all MCE operations, including cluster membership.

  • Cluster ID: Specifies the identity of the cluster.
  • Database connection string: Specifies the database connection for all MCE operations, including cluster membership.

Cluster node configuration
Specify the connection details for the local MCE cluster node.

  • Advertised IP Address: Specifies the IP address this cluster node can be reached on from other cluster nodes (default 127.0.0.1).
  • Silo Port: Specifies the port this cluster node will accept peer cluster node connections on (default 11111).
  • Gateway Port: Specifies the port this cluster node will accept client connections on (default 30000).

Transport Security
Specify the addresses and certificate used to encrypt communication between MCE cluster clients and servers.

  • Cluster address: Specifies the DNS name of the cluster.
    • This is used by cluster clients to authenticate the server with which they are communicating.
  • Cluster certificate: Specifies the certificate in the Windows Machine Certificate Store to use to secure TLS communication between the cluster nodes.
    • This is used by both cluster clients and servers to authenticate communication bi-directionally.
    • This authentication is performed for both client-to-server and server-to-server communication.
  • Trusted addresses: A comma-separated list of subject names that are trusted. One or more SANs in the certificate used to connect to the cluster must appear in this list.
  • Disable transport security: Disables secure communication between cluster clients and servers. This will disable the usage of the other fields in Transport Security.
    • Warning! Communication within the cluster will be in plain text and therefore unprotected if transport security is disabled.
    • It is strongly advised that transport security is enabled.
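The Transport Security rules above (transport security enabled, a cluster address and certificate set, and at least one certificate SAN present in the comma-separated Trusted addresses list) as a pre-deployment check. This is an added example, not MindLink code; the field names in the dict and the certificate SANs are constructed.

```python
"""Check the Transport Security fields described above. Added example, not
MindLink code; field names in the dict and the certificate SANs are constructed."""
from typing import Dict, List, Tuple

def parse_trusted_addresses(value: str) -> List[str]:
    """Split the comma-separated Trusted addresses field; blanks and case are ignored."""
    return [v.strip().lower() for v in value.split(",") if v.strip()]

def check_transport_security(fields: Dict[str, str], cert_sans: List[str]) -> Tuple[bool, List[str]]:
    """Return (ok, findings). Plain-text clustering is always reported as a failure."""
    findings = []
    if fields.get("disable_transport_security", "false").lower() == "true":
        # The other Transport Security fields are ignored in this state.
        return False, ["transport security disabled: cluster traffic is plain text"]
    if not fields.get("cluster_address", "").strip():
        findings.append("cluster address is empty; clients cannot authenticate the server")
    if not fields.get("cluster_certificate", "").strip():
        findings.append("no cluster certificate selected from the machine certificate store")
    trusted = parse_trusted_addresses(fields.get("trusted_addresses", ""))
    matched = sorted(set(trusted) & {s.strip().lower() for s in cert_sans})
    # At least one SAN of the connecting certificate must be in the trusted list.
    if not matched:
        findings.append(f"none of the certificate SANs {cert_sans} appear in trusted addresses {trusted}")
    return not findings, findings

# Constructed sample: a correctly configured cluster and a plain-text variant.
SANS = ["mce-node1.example.internal", "mce.example.internal"]
SECURE = {
    "cluster_address": "mce.example.internal",
    "cluster_certificate": "CN=mce.example.internal",
    "trusted_addresses": "mce.example.internal, MCE-Node1.example.internal",
    "disable_transport_security": "false",
}
PLAINTEXT = dict(SECURE, disable_transport_security="true")
```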

Orleans dashboard

  • Enable Orleans Dashboard: Enables the monitoring dashboard for the MCE cluster
  • Orleans Dashboard port: Specifies the port to host the monitoring dashboard over HTTP

Advanced Configuration Custom Settings#

One-box configuration#

Once a MindLink Anywhere installation is deployed, the following configuration will host all features on a single machine:

| Key | Value | Description |
| --- | --- | --- |
| `global.service.modules` | `Web,Mce,MceAdmin` | Enables the Web, MCE and MCE administration services respectively. |
| `debug.mce.clientenabled` | `true` | Enables the MCE connector for Web; overridden to true when the "MceAdmin" module is enabled. |
| `mce.attributesynchronization.validissuers` | `AD` | Specifies the issuers that can be used to specify COI attributes. AD = Active Directory. The value for your third-party attribute service can also be used. |
| `mce.attributesynchronization.activedirectory.synchronizationreminderminutes` | `1` | Specifies the reminder interval, in minutes, for synchronizing the Active Directory attributes. |
| `mce.attributesynchronization.attributeprovider.synchronizationreminderminutes` | `1` | Specifies the reminder interval, in minutes, for synchronizing the user attribute provider attributes. |
| `mce.attributesynchronization.user.defaultissuer` | `AD` | Specifies the default attribute issuer to use for user attribute synchronization. |
| `mce.attributesynchronization.user.linkedauthenticationidentity.issuer` | `AD` | Specifies the attribute issuer to use as the linked authentication identity for users. |
| `mce.attributesynchronization.user.linkedauthenticationidentity.name` | `msRTCSIP-PrimaryUserAddress` | Specifies the attribute to synchronize as the linked authentication identity. This is the property defined in the attribute issuer used to link users. |
| `debug.connector.mce.groupclassificationrequired` | `true` | Enforces that a classification must be specified when creating a group. |
| `debug.mce.file.server.path.<mce file server identifier>` | `C:\mce\files` | The path where file uploads should be stored when the specified `<file server identifier>` is configured as the active file server; this should be a network path accessible to all MLA hosts. This key allows multiple file paths onto which files have been uploaded to be recorded; the currently "active" path (onto which new files will be uploaded) can be switched with the `debug.mce.file.server.activeid` key. |
| `debug.mce.file.server.activeid` | `mcefileserver1` | The desired MCE file server identifier, defined using the `debug.mce.file.server.path.<mce file server identifier>` debug flag. |
| `connector.ucma.custompreferencesrepository` | `C:\mce\preferences` | The path where user preferences should be stored; this should be a network path accessible to all MLA hosts. |

Optional configuration#

| Key | Value | Description |
| --- | --- | --- |
| `debug.ucma.persistentchat.enabled` | `false` | Determines whether the Skype for Business Persistent Chat connection is created. false => Persistent Chat should not be connected for user sessions, true => Persistent Chat should be connected. |
| `debug.mce.fileupload.disabled` | `true` | Disables file upload functionality in MCE groups. |
| `mce.attributesynchronization.user.activedirectory.properties` | `s, st, displayName, distinguishedName, msRTCSIP-PrimaryUserAddress` | Specifies the Active Directory properties to synchronize for users (ensure the distinguished name and primary user address are synchronized). Only string-type AD properties are supported. |
| `mce.attributesynchronization.activedirectory.groupsandous.enabled` | `false` | Enables Active Directory Groups and OUs for synchronization. |
| `debug.mceadmin.admin.upn` | `user@domain.com` | The UPN of an administrator account. |
| `debug.mceadmin.admin.attribute` | `cois=Admins` | The security attribute name=value of administrator accounts. |
| `debug.mceadmin.admin.adgroup` | `CN=MceAdministrators, DN=Groups, DC=company, DC=com` | The Active Directory distinguished name of a Security Group for administrator accounts. |
| `debug.mceadmin.admin.tokenexpirationminutes` | `15` | The number of minutes an administrator access token is valid. |
| `debug.mce.management.group.name.duplicationscope` | `None` | The scope of validation against group name duplication. Can be "Global", "SecurityContext", "SecurityContextAndClassification", or "None". Defaults to "None" if not provided. |
| `debug.connector.types.enabled` | `ucma, mce` | Specifies the enabled connectors. MCE is required for a standalone deployment. |
| `mce.attributesynchronization.user.displayname.name` | `displayName` | Specifies the attribute name used to synchronize the user display name. |
| `mce.attributesynchronization.user.emailaddress.name` | `mail` | Specifies the attribute name used to synchronize the user email address. |
| `mce.attributesynchronization.user.instantmessagingaddress.name` | `mail` | Specifies the attribute name used to synchronize the user instant messaging address. |
| `mce.attributesynchronization.user.country.name` | `c` | Specifies the attribute name used to synchronize the user country. |
| `mce.attributesynchronization.user.countrydivision.name` | `st` | Specifies the attribute name used to synchronize the user country division or state. |
| `mce.attributesynchronization.user.city.name` | `l` | Specifies the attribute name used to synchronize the user city. |
| `mce.attributesynchronization.user.street.name` | `streetAddress` | Specifies the attribute name used to synchronize the user street. |
| `mce.attributesynchronization.user.emailaddress.issuer` | `AD` | Specifies the attribute issuer used to synchronize the user email address; defaults to the specified default attribute issuer if omitted. |
| `mce.attributesynchronization.user.displayname.issuer` | `AD` | Specifies the attribute issuer used to synchronize the user display name; defaults to the specified default attribute issuer if omitted. |
| `mce.attributesynchronization.user.instantmessagingaddress.issuer` | `AD` | Specifies the attribute issuer used to synchronize the user instant messaging address; defaults to the specified default attribute issuer if omitted. |
| `mce.attributesynchronization.user.country.issuer` | `AD` | Specifies the attribute issuer used to synchronize the user country; defaults to the specified default attribute issuer if omitted. |
| `mce.attributesynchronization.user.countrydivision.issuer` | `AD` | Specifies the attribute issuer used to synchronize the user country division or state; defaults to the specified default attribute issuer if omitted. |
| `mce.attributesynchronization.user.city.issuer` | `AD` | Specifies the attribute issuer used to synchronize the user city; defaults to the specified default attribute issuer if omitted. |
| `mce.attributesynchronization.user.street.issuer` | `AD` | Specifies the attribute issuer used to synchronize the user street; defaults to the specified default attribute issuer if omitted. |
| `debug.mce.emailnotifications.enabled` | `true` | Determines whether email notifications are enabled, and therefore whether the email notification feature is included in the MCE cluster. |
| `debug.mce.emailnotifications.senderalias` | `alias@domain.com` | Specifies the email address alias used to send emails via the SMTP email server. |
| `debug.mce.emailnotifications.basepath` | `http://domain:123/` | Specifies the base URL used to create group links for email notifications; defaults to the web client base URL if omitted. |
| `debug.mce.emailnotifications.prefix` | `<p><span style="background: yellow;"> Hello </span></p>` | Optionally specifies a template for the header of the email as HTML. |
| `debug.mce.emailnotifications.suffix` | `<p> Disclaimer </p>` | Optionally specifies a template for the footer of the email as HTML. |
| `debug.mce.emailnotifications.subject` | `New Group` | Specifies the subject of the email. |
| `debug.mce.emailnotifications.minimumnotificationintervalminutes` | `1` | Specifies the minimum time, in minutes, that an email notification will be sent after a user can join a group. |
| `debug.mce.emailnotifications.notificationtimeoutminutes` | `60` | Specifies the maximum time, in minutes, to wait before attempting to send an email notification with the currently synchronized user and group data. |
| `debug.email.server.authenticationmode` | `Password` | Specifies the authentication used to connect to the SMTP email server. Accepted values are "Password" or "None"; defaults to "None" if omitted. |
| `debug.email.server.securesocketoptions` | `Auto` | Specifies the SSL and/or TLS encryption used to connect to the SMTP email server. Can be "None", "Auto", "SslOnConnect", "StartTls" or "StartTlsWhenAvailable". Defaults to "Auto" if omitted. |
| `debug.email.server.address` | `email.server.com` | Specifies the address of the SMTP email server. |
| `debug.email.server.port` | `123` | Specifies the port of the SMTP email server. |
| `debug.email.server.username` | `username` | Specifies the username used to connect to the SMTP email server. |
| `debug.email.server.password` | `pass123` | Specifies the password used to connect to the SMTP email server. |
| `debug.email.server.sender.emailaddress` | `user@domain.com` | Specifies the sender address used to send emails via the SMTP email server. |
| `debug.email.server.trustinsecurecertificates` | `false` | Specifies whether the connection to the SMTP server should accept insecure certificates. |
| `debug.email.server.protocolheaders` | `{ "X-Classification": "U", "X-Application": "MindLink Anywhere"}` | Specifies a collection of protocol-level email headers. |
| `advanced.management.externalsfbgroupmanagementurl` | `http://domain.com` | Specifies the URL used for external Skype for Business management. |
| `advanced.mce.connector.attributeprincipals.disabled` | `false` | Determines whether searching by attribute principals is disabled. With attribute principal searching disabled, searching during group management will only match on users. |
| `advanced.mce.group.securecontentexport.enabled` | `false` | Determines whether securely exporting group content is enabled by default. |
| `advanced.mce.group.contentcopying.enabled` | `true` | Determines whether group content copying is enabled by default. Note that this only applies to MCE groups; SfB groups always have content copying enabled. |
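A lint pass over a one-box key set, covering both the required table and the optional table above: required keys present, enum-style values within their documented ranges, the documented `MceAdmin` override of `debug.mce.clientenabled`, the active file server id resolving to a `debug.mce.file.server.path.<id>` key, and the two SMTP settings that weaken channel or certificate protection. This is an added example, not MindLink code; the sample dicts are constructed from the table values.

```python
"""Lint an advanced-configuration key set against the keys and accepted values
documented above. Added example, not MindLink code; sample dicts are constructed."""
from typing import Dict, List
# Enum-style keys and the values the tables list as accepted.
ENUMS = {
    "debug.mce.management.group.name.duplicationscope":
        {"Global", "SecurityContext", "SecurityContextAndClassification", "None"},
    "debug.email.server.authenticationmode": {"Password", "None"},
    "debug.email.server.securesocketoptions":
        {"None", "Auto", "SslOnConnect", "StartTls", "StartTlsWhenAvailable"},
}
# Keys the one-box table lists (the file-server path key is checked by id below).
ONE_BOX_REQUIRED = [
    "global.service.modules",
    "mce.attributesynchronization.validissuers",
    "mce.attributesynchronization.user.defaultissuer",
    "mce.attributesynchronization.user.linkedauthenticationidentity.issuer",
    "mce.attributesynchronization.user.linkedauthenticationidentity.name",
    "debug.mce.file.server.activeid",
    "connector.ucma.custompreferencesrepository",
]

def lint(cfg: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the configuration passed every check."""
    findings = [f"missing required key {k}" for k in ONE_BOX_REQUIRED if k not in cfg]
    for key, allowed in ENUMS.items():
        if key in cfg and cfg[key] not in allowed:
            findings.append(f"{key}={cfg[key]!r} is not one of {sorted(allowed)}")
    modules = [m.strip() for m in cfg.get("global.service.modules", "").split(",")]
    # MceAdmin forces the Web MCE connector on, so an explicit 'false' is misleading.
    if "MceAdmin" in modules and cfg.get("debug.mce.clientenabled", "true").lower() == "false":
        findings.append("debug.mce.clientenabled=false is overridden to true by the MceAdmin module")
    # The active file server id must name a configured debug.mce.file.server.path.<id> key.
    active = cfg.get("debug.mce.file.server.activeid", "")
    if active and f"debug.mce.file.server.path.{active}" not in cfg:
        findings.append(f"activeid {active!r} has no debug.mce.file.server.path.{active} entry")
    # SMTP transport hardening: both settings weaken certificate or channel protection.
    if cfg.get("debug.email.server.trustinsecurecertificates", "false").lower() == "true":
        findings.append("SMTP connection accepts insecure certificates")
    if cfg.get("debug.email.server.securesocketoptions") == "None":
        findings.append("SMTP connection is unencrypted (securesocketoptions=None)")
    return findings

# Constructed one-box sample using the table values above.
ONE_BOX_OK = {
    "global.service.modules": "Web,Mce,MceAdmin",
    "mce.attributesynchronization.validissuers": "AD",
    "mce.attributesynchronization.user.defaultissuer": "AD",
    "mce.attributesynchronization.user.linkedauthenticationidentity.issuer": "AD",
    "mce.attributesynchronization.user.linkedauthenticationidentity.name": "msRTCSIP-PrimaryUserAddress",
    "debug.mce.file.server.path.mcefileserver1": r"C:\mce\files",
    "debug.mce.file.server.activeid": "mcefileserver1",
    "connector.ucma.custompreferencesrepository": r"C:\mce\preferences",
}
# Constructed weak variant: wrong enum, dangling file-server id, insecure SMTP.
WEAK = dict(ONE_BOX_OK, **{
    "debug.mce.clientenabled": "false",
    "debug.mce.management.group.name.duplicationscope": "Everywhere",
    "debug.mce.file.server.activeid": "mcefileserver2",
    "debug.email.server.trustinsecurecertificates": "true",
    "debug.email.server.securesocketoptions": "None",
})
```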

MCE-only configuration#

Once a MindLink Anywhere installation is deployed, the following configuration will host only the MCE workload:

| Key | Value | Description |
| --- | --- | --- |
| `global.service.modules` | `Mce` | Enables MCE services. |
| `mce.attributesynchronization.validissuers` | `AD` | Specifies the issuers that can be used to specify COI attributes. Value AD = Active Directory. Alternatively, the value for your third-party attribute service can be used. |
| `mce.attributesynchronization.user.defaultissuer` | `AD` | Specifies the default attribute issuer to use for user attribute synchronization. |
| `mce.attributesynchronization.user.linkedauthenticationidentity.issuer` | `AD` | Specifies the attribute issuer to use as the linked authentication identity for users. |
| `mce.attributesynchronization.user.linkedauthenticationidentity.name` | `msRTCSIP-PrimaryUserAddress` | Specifies the attribute to synchronize as the linked authentication identity. This is the property defined in |
| `mce.attributesynchronization.attributeprovider.synchronizationreminderminutes` | `1` | Specifies the reminder interval, in minutes, for synchronizing the user attribute provider attributes. |

Optional configuration#

| Key | Value | Description |
| --- | --- | --- |
| `global.service.modules` | `Mce,MceAdmin` | Enables MCE services and the MCE administration web services (for PowerShell management). |
| `debug.mce.fileupload.disabled` | `true` | Disables file upload functionality in MCE groups. |
| `mce.attributesynchronization.user.activedirectory.properties` | `s, st, displayName, distinguishedName, msRTCSIP-PrimaryUserAddress` | Specifies the Active Directory properties to synchronize for users (ensure the distinguished name and primary user address are synchronized). Only string-type AD properties are supported. |
| `mce.attributesynchronization.activedirectory.groupsandous.enabled` | `false` | Enables Active Directory Groups and OUs for synchronization. |
| `debug.mceadmin.admin.upn` | `user@domain.com` | The UPN of an administrator account. |
| `debug.mceadmin.admin.attribute` | `cois=Admins` | The security attribute name=value of administrator accounts. |
| `debug.mceadmin.admin.adgroup` | `CN=MceAdministrators, DN=Groups, DC=company, DC=com` | The Active Directory distinguished name of a Security Group for administrator accounts. |
| `debug.mceadmin.admin.tokenexpirationminutes` | `15` | The number of minutes an administrator access token is valid. |
| `debug.attributeserver.requesttimeoutmilliseconds` | `10000` | The number of milliseconds after which the attribute server request times out. |
| `debug.mce.synchronizationmanager.bypasscoregroupreadmodel` | `true` | Determines whether to ignore the GroupReadModel in the Synchronization Manager. |
| `debug.mce.management.group.name.duplicationscope` | `None` | The scope of validation against group name duplication. Can be "Global", "SecurityContext", "SecurityContextAndClassification", or "None". Defaults to "None" if not provided. Name duplication will only be validated against newly created or edited groups. |
| `debug.mce.enableinappmcegroupmanagement` | `true` | Enables the ability to manage MCE groups from the in-app group management page. |
| `debug.connector.mce.management.environmentname` | `MCE` | The name to display in the in-app group management page for MCE groups. |
| `debug.connector.types.enabled` | `mce` | Specifies the enabled connectors. MCE is required for a standalone deployment. |
| `debug.connector.mce.encryption.enabled` | `false` | Determines whether encryption is enabled. |

Web-only configuration#

Once a MindLink Anywhere installation is deployed, the following configuration will host MindLink Anywhere with connectivity to a running MCE cluster:

| Key | Value | Description |
| --- | --- | --- |
| `debug.mce.clientenabled` | `true` | Enables the MCE connector for Web; overridden to true when the "MceAdmin" module is enabled. |
| `debug.connector.ucma.management.enableinappgroupmanagement` | `true` | Switches the in-app group management to target UCMA. |
| `debug.connector.mce.groupclassificationrequired` | `true` | Enforces that a classification must be specified when creating a group. |
| `debug.mce.file.server.path.<mce file server identifier>` | `C:\mce\files` | The path where file uploads should be stored when the specified `<file server identifier>` is configured as the active file server; this should be a network path accessible to all MLA hosts. This key allows multiple file paths onto which files have been uploaded to be recorded; the currently "active" path (onto which new files will be uploaded) can be switched with the `debug.mce.file.server.activeid` key. |
| `debug.mce.file.server.activeid` | `mcefileserver1` | The desired MCE file server identifier, defined using the `debug.mce.file.server.path.<mce file server identifier>` debug flag. |
| `connector.ucma.custompreferencesrepository` | `C:\mce\preferences` | The path where user preferences should be stored; this should be a network path accessible to all MLA hosts. |

Optional configuration#

| Key | Value | Description |
| --- | --- | --- |
| `debug.ucma.persistentchat.enabled` | `false` | Determines whether the Skype for Business Persistent Chat connection is created. false => Persistent Chat should not be connected for user sessions, true => Persistent Chat should be connected. |
| `debug.mce.fileupload.disabled` | `true` | Disables file upload functionality in MCE groups. |
| `debug.mobile.apns.token.offsetintervalminutes` | `5...55` | Specifies the offset of a valid APNs token. Set to 5 minutes by default. |