MCE Configuration
Currently you must correctly configure a MindLink Anywhere installation first, before configuring the MCE system.
You must configure the following integration features:
See Configuring MindLink Anywhere for further details.
Optional third-party attribute server
Using a third-party attribute server
MCE can integrate with a third-party external security attribute system to synchronize security attributes. The attribute server is configured in the "User attributes provider" tab of the MindLink Management Center. The optional attribute server is used if any of the "Content classification", "Communities of interest", or "IM ethical wall" features are enabled. To use "Content classification" in MCE, the "Communities of interest" feature must also be enabled.
Disabling the third-party attribute server
The optional attribute server is not used if the "Content classification", "Communities of interest", and "IM ethical wall" features are disabled in the MindLink Management Center.
Firefox configuration for encryption
Firefox by default does not include certificates from the local windows store, nor does it treat Preflight HTTPS requests in the same way as Chrome or Edge. Therefore additional configuration is required, this is done by opening up a new tab in Firefox and entering about:config as the URL. You should be presented with a text box to search advanced config, where we will set:
- security.enterprise_roots.enabled
- Set as:
true - Connects the local certificate store
- Set as:
- network.cors_preflight.allow_client_cert
- Set as:
true - Causes Firefox to behave like Chrome and Edge
- Set as:
The configuration of MCE relies upon the advanced configuration section of the MindLink Management Center and the respective MCE page in the management tool.
Management Center configuration
We must configure the settings of the MCE services through the appropriate page in the Management Center for all of the following scenarios.
Server
Enables the services that host the backend for the MindLink Chat Engine.
- Enable MCE backend services: Enables the configuration of the backend services that synchronize with existing infrastructure to host the MindLink Chat Engine.
- Please note the Management Center does not currently validate the input fields on the MCE configuration page if MCE backend services are not enabled.
Cluster configuration
Specify the identity used for the MCE cluster and the database connection used for all MCE operations, including cluster membership.
- Cluster ID: Specifies the identity of the cluster.
- Database connection string: Specifies the database connection for all MCE operations, including cluster membership.
Cluster node configuration
Specify the connection details for the local MCE cluster node.
- Advertised IP Address: Specifies the IP address this cluster node can be reached on from other cluster nodes (default
127.0.0.1) - Silo Port: Specifies the port this cluster node will accept peer cluster node connections on (default
11111) - Gateway Port: Specifies the port this cluster node will accept client connections on (default
30000)
Transport Security
Specify the addresses and certificate used to encrypt communication between MCE cluster clients and servers.
- Cluster address: Specifies the DNS name of the cluster.
- This is used by cluster clients to authenticate the server with which they are communicating.
- Cluster certificate: Specifies the certificate in the Windows Machine Certificate Store to use to secure TLS communication between the cluster nodes
- This is used by both cluster clients and servers to authenticate communication bi-directionally.
- This authentication is performed for both client-to-server and server-to-server communication.
- Trusted addresses: A comma-separated list of subject names that are trusted. One or more SANs in the certificate used to connect to the cluster must appear in this list
- Disable transport security: Disables secure communication between cluster clients and servers. This will disable the usage of the other fields in Transport Security.
- Warning! Communication within the cluster will be in plain text and therefore unprotected if transport security is disabled.
- It is strongly advised that transport security is enabled.
Orleans dashboard
- Enable Orleans Dashboard: Enables the monitoring dashboard for the MCE cluster
- Orleans Dashboard port: Specifies the port to host the monitoring dashboard over HTTP
Advanced Configuration Custom Settings
One-box configuration
Once a MindLink Anywhere installation is deployed, the following configuration will host all features on a single machine:
| Key | Value | Description |
|---|---|---|
| global.service.modules | Web,Mce,MceAdmin | Enables Web, MCE and the MCE administration services respectively |
| debug.mce.clientenabled | true | Enables the MCE connector for Web, overridden to true when the "MceAdmin" module is enabled |
| mce.attributesynchronization.validissuers | AD | Specifies the issuers that can be used to specify COI attributes. AD = Active Directory. The value for your third-party attribute service can also be used |
| mce.attributesynchronization.activedirectory.synchronizationreminderminutes | 1 | Specifies the reminder interval, in minutes, for synchronizing the Active Directory attributes |
| mce.attributesynchronization.attributeprovider.synchronizationreminderminutes | 1 | Specifies the reminder interval, in minutes, for synchronizing the user attribute provider attributes |
| mce.attributesynchronization.user.defaultissuer | AD | Specifies the default attribute issuer to use for user attribute synchronization |
| mce.attributesynchronization.user.linkedauthenticationidentity.issuer | AD | Specifies the attribute issuer to use as the linked authentication identity for users |
| mce.attributesynchronization.user.linkedauthenticationidentity.name | msRTCSIP-PrimaryUserAddress | Specifies the attribute to synchronize as the linked authentication identity. This is the property defined in the attribute issuer used to link users |
| debug.connector.mce.groupclassificationrequired | true | Enforces that a classification must be specified when creating a group |
| debug.mce.file.server.path.\<mce file server identifier> | C:\mce\files | The path to where file uploads should be stored when the specified \<file server identifier> is configured as the active file server, this should be a network path accessible to all MLA hosts. This key allows for recording multiple file paths onto which files have been uploaded, the currently "active" path (onto which new files will be uploaded) can be switched with the debug.mce.file.server.activeid key |
| debug.mce.file.server.activeid | mcefileserver1 | The desired mce file server identifier, defined via using the debug.mce.file.server.path.\<mce file server identifier> debug flag |
| connector.ucma.custompreferencesrepository | C:\mce\preferences | The path to where user preferences should be stored, this should be a network path accessible to all MLA hosts. |
Optional configuration
| Key | Value | Description |
|---|---|---|
| debug.ucma.persistentchat.enabled | false | Determines whether the Skype for Business Persistent Chat connection is created. false => Persistent Chat should not be connected for user sessions, true => Persistent Chat should be connected. |
| debug.mce.fileupload.disabled | true | Disabled file upload functionality in MCE groups |
| mce.attributesynchronization.user.activedirectory.properties | s, st, displayName, distinguishedName, msRTCSIP-PrimaryUserAddress | Specifies the active directory properties to synchronize for users (ensure the distinguished name and primary user address are synchronized). Only string type AD properties are supported. |
| mce.attributesynchronization.activedirectory.groupsandous.enabled | false | Enables Active Directory Groups and OUs for synchronization. |
| debug.mceadmin.admin.upn | user@domain.com | The UPN of an administrator account. |
| debug.mceadmin.admin.attribute | cois=Admins | The security attribute name=value of administrator accounts |
| debug.mceadmin.admin.adgroup | CN=MceAdministrators, DN=Groups, DC=company, DC=com | The Active Directory distinguished name of a Security Group for administrator accounts |
| debug.mceadmin.admin.tokenexpirationminutes | 15 | The number of minutes an administrator access token is valid |
| debug.mce.management.group.name.duplicationscope | None | The scope of validation against group name duplication. Can be "Global", "SecurityContext", "SecurityContextAndClassification", or "None". Will default to "None" if not provided. |
| debug.connector.types.enabled | ucma, mce | Specifies the enabled connectors. MCE is required for a standalone deployment. |
| mce.attributesynchronization.user.displayname.name | displayName | Specifies the attribute name used to synchronize the user display name. |
| mce.attributesynchronization.user.emailaddress.name | Specifies the attribute name used to synchronize the user email address. | |
| mce.attributesynchronization.user.instantmessagingaddress.name | Specifies the attribute name used to synchronize the user instant messaging address. | |
| mce.attributesynchronization.user.country.name | c | Specifies the attribute name used to synchronize the user country. |
| mce.attributesynchronization.user.countrydivision.name | st | Specifies the attribute name used to synchronize the user country division or state. |
| mce.attributesynchronization.user.city.name | l | Specifies the attribute name used to synchronize the user city. |
| mce.attributesynchronization.user.street.name | streetAddress | Specifies the attribute name used to synchronize the user street. |
| mce.attributesynchronization.user.emailaddress.issuer | AD | Specifies the attribute issuer used to synchronize the user email address, defaults to the specified default attribute issuer if omitted. |
| mce.attributesynchronization.user.displayname.issuer | AD | Specifies the attribute issuer used to synchronize the user display name, defaults to the specified default attribute issuer if omitted. |
| mce.attributesynchronization.user.instantmessagingaddress.issuer | AD | Specifies the attribute issuer used to synchronize the user instant messagin address, defaults to the specified default attribute issuer if omitted. |
| mce.attributesynchronization.user.country.issuer | AD | Specifies the attribute issuer used to synchronize the user country, defaults to the specified default attribute issuer if omitted. |
| mce.attributesynchronization.user.countrydivision.issuer | AD | Specifies the attribute issuer used to synchronize the user country division or state, defaults to the specified default attribute issuer if omitted. |
| mce.attributesynchronization.user.city.issuer | AD | Specifies the attribute issuer used to synchronize the user city, defaults to the specified default attribute issuer if omitted. |
| mce.attributesynchronization.user.street.issuer | AD | Specifies the attribute issuer used to synchronize the user street, defaults to the specified default attribute issuer if omitted. |
| advanced.management.externalsfbgroupmanagementurl | http://domain.com | Specifies the URL used for external Skype for Businesss management |
| advanced.mce.connector.attributeprincipals.disabled | false | Determines whether searching by attribute principals is disabled. With this setting disabled, searching during group management will only match on users |
MCE-only configuration
Once a MindLink Anywhere installation is deployed, the following configuration will host only the MCE workload:
| Key | Value | Description |
|---|---|---|
| global.service.modules | Mce | Enables MCE services |
| mce.attributesynchronization.validissuers | AD | Specifies the issuers that can be used to specify COI attributes. Value AD = Active Directory. Alternatively, the value for your third-party attribute service can be used. |
| mce.attributesynchronization.user.defaultissuer | AD | Specifies the default attribute issuer to use for user attribute synchronization |
| mce.attributesynchronization.user.linkedauthenticationidentity.issuer | AD | Specifies the attribute issuer to use as the linked authentication identity for users |
| mce.attributesynchronization.user.linkedauthenticationidentity.name | msRTCSIP-PrimaryUserAddress | Specifies the attribute to synchronize as the linked authentication identity. This is the property defined in |
| mce.attributesynchronization.attributeprovider.synchronizationreminderminutes | 1 | Specifies the reminder interval, in minutes, for synchronizing the user attribute provider attributes. |
Optional configuration
| Key | Value | Description |
|---|---|---|
| global.service.modules | Mce,MceAdmin | Enables MCE services and the MCE administration web services (for PowerShell management) |
| debug.mce.fileupload.disabled | true | Disabled file upload functionality in MCE groups |
| mce.attributesynchronization.user.activedirectory.properties | s, st, displayName, distinguishedName, msRTCSIP-PrimaryUserAddress | Specifies the active directory properties to synchronize for users (ensure the distinguished name and primary user address are synchronized). Only string type AD properties are supported. |
| mce.attributesynchronization.activedirectory.groupsandous.enabled | false | Enables Active Directory Groups and OUs for synchronization. |
| debug.mceadmin.admin.upn | user@domain.com | The UPN of an administrator account. |
| debug.mceadmin.admin.attribute | cois=Admins | The security attribute name=value of administrator accounts |
| debug.mceadmin.admin.adgroup | CN=MceAdministrators, DN=Groups, DC=company, DC=com | The Active Directory distinguished name of a Security Group for administrator accounts |
| debug.mceadmin.admin.tokenexpirationminutes | 15 | The number of minutes an administrator access token is valid |
| debug.attributeserver.requesttimeoutmilliseconds | 10000 | The number of miliseconds for the attribute server request to timeout |
| debug.mce.synchronizationmanager.bypasscoregroupreadmodel | true | Determines whether to ignore the GroupReadModel in the Synchronization Manager or not. |
| debug.mce.management.group.name.duplicationscope | None | The scope of validation against group name duplication. Can be "Global", "SecurityContext", "SecurityContextAndClassification", or "None". Will default to "None" if not provided. Name duplication will only be validated against newly created/edited groups |
| debug.mce.enableinappmcegroupmanagement | true | Enables the ability to manage MCE groups from the in-app group management page. |
| debug.connector.mce.management.environmentname | MCE | The name to display in the in-app group management page for MCE groups. |
| debug.connector.types.enabled | mce | Specifies the enabled connectors. MCE is required for a standalone deployment. |
| debug.connector.mce.encryption.enabled | false | Determines whether encryption is enabled or not. |
Web-only configuration
Once a MindLink Anywhere installation is deployed, the following configuration will host MindLink Anywhere with connectivity to a running MCE cluster:
| Key | Value | Description |
|---|---|---|
| debug.mce.clientenabled | true | Enables the MCE connector for Web, overridden to true when the "MceAdmin" module is enabled |
| debug.connector.ucma.management.enableinappgroupmanagement | true | Switches the in-app group management to target UCMA |
| debug.connector.mce.groupclassificationrequired | true | Enforces that a classification must be specified when creating a group |
| debug.mce.file.server.path.\<mce file server identifier> | C:\mce\files | The path to where file uploads should be stored when the specified \<file server identifier> is configured as the active file server, this should be a network path accessible to all MLA hosts. This key allows for recording multiple file paths onto which files have been uploaded, the currently "active" path (onto which new files will be uploaded) can be switched with the debug.mce.file.server.activeid key |
| debug.mce.file.server.activeid | mcefileserver1 | The desired mce file server identifier, defined via using the debug.mce.file.server.path.\<mce file server identifier> debug flag |
| connector.ucma.custompreferencesrepository | C:\mce\preferences | The path to where user preferences should be stored, this should be a network path accessible to all MLA hosts |
Optional configuration
| Key | Value | Description |
|---|---|---|
| debug.ucma.persistentchat.enabled | false | Determines whether the Skype for Business Persistent Chat connection is created. false => Persistent Chat should not be connected for user sessions, true => Persistent Chat should be connected. |
| debug.mce.fileupload.disabled | true | Disabled file upload functionality in MCE groups |
| debug.mobile.apns.token.offsetintervalminutes | 5...55 | Specifies the offset of a valid APNs token. Set to 5 minutes by default. |