MCE Standalone Configuration
MCE standalone overview
MCE can be configured to run independently without the need for a Skype for Business (SfB) Topology. Running MCE standalone currently requires HTTP-header-based authentication using the user's linked identity.
As Skype for Business and Communities of Interest are disabled via the Management Center, running MCE standalone will disable the integration of third-party attribute servers. Consequently, security contexts must be added using Active Directory OUs or Groups. The settings for synchronizing these attributes are included in the advanced debug keys below. Please refer to the PowerShell Management section for more information on how to manage the MCE deployment, including how to add security contexts and users.
For all other configurations see MCE Configurations.
Management center configuration
You must configure a standalone MindLink Anywhere installation before configuring the MCE system. In your Management Center configuration you must:
- Configure MCE platform
- Disable instant messaging
- Disable content classification
- Disable communities of interest
- Disable instant messaging ethical wall
- Disable attribute based access control
- Enable pre-authenticated HTTP header
In the Skype for Business configuration, you must fill out the required settings with dummy values: any values that the Management Center considers valid input will do. These values are not used by MCE but are required because the Management Center's validation process does not yet support MCE standalone. The rest of the settings in the Management Center can be configured to the user's requirements following the Anywhere Management Center guide.
The configuration of MCE relies upon the advanced configuration section of the Management Center:
Required configuration
Once a MindLink Anywhere installation is deployed, the following configuration will host a MCE standalone configuration on a single machine:
Key | Value | Description |
---|---|---|
global.service.modules | Web,Mce,MceAdmin | Enables Web, MCE and the MCE administration services respectively. |
debug.mce.clientenabled | true | Enables the MCE connector for Web, overridden to true when the "MceAdmin" module is enabled. |
debug.mce.file.server.path.\<mce file server identifier> | C:\mce\files | The path where file uploads are stored when the specified \<mce file server identifier> is configured as the active file server; this should be a network path accessible to all MLA hosts. This key allows multiple file paths onto which files have been uploaded to be recorded; the currently "active" path (onto which new files will be uploaded) is selected with the debug.mce.file.server.activeid key. |
debug.mce.file.server.activeid | mcefileserver1 | The identifier of the MCE file server to use as the active file server, as defined using the debug.mce.file.server.path.\<mce file server identifier> debug flag. |
debug.connector.types.enabled | mce | Specifies the enabled connectors; accepted values are "mce" and "ucma". A standalone deployment requires "mce" and omits "ucma". |
debug.connector.mce.groupclassificationrequired | false | Enforces that a classification must be specified when creating a group |
mce.attributesynchronization.validissuers | AD | Specifies the issuers that can be used to specify COI attributes. Value AD = Active Directory. Alternatively, the value for your third-party attribute service can be used. |
mce.attributesynchronization.user.defaultissuer | AD | Specifies the default attribute issuer to use for user attribute synchronization |
mce.attributesynchronization.user.linkedauthenticationidentity.issuer | AD | Specifies the attribute issuer to use as the linked authentication identity for users |
mce.attributesynchronization.user.linkedauthenticationidentity.name | msRTCSIP-PrimaryUserAddress | Specifies the attribute to synchronize as the linked authentication identity. This is the property defined in the attribute issuer used to link users |
mce.attributesynchronization.user.displayname.name | displayName | Specifies the attribute name used to synchronize the user display name. |
mce.attributesynchronization.user.emailaddress.name | | Specifies the attribute name used to synchronize the user email address. |
mce.attributesynchronization.activedirectory.synchronizationreminderminutes | 240 | Specifies the reminder interval, in minutes, for synchronizing the Active Directory attributes. We recommend a value between 4-6 hours. |
mce.attributesynchronization.attributeprovider.synchronizationreminderminutes | 240 | Specifies the reminder interval, in minutes, for synchronizing the user attribute provider attributes. We recommend a value between 4-6 hours. |
mce.attributesynchronization.user.activedirectory.properties | s, st, displayName, distinguishedName, mail, msRTCSIP-PrimaryUserAddress | Specifies the Active Directory properties to synchronize for users (ensure the distinguished name and primary user address are synchronized). Only string-type AD properties are supported. |
mce.attributesynchronization.activedirectory.groupsandous.enabled | true | Enables Active Directory Groups and OUs for synchronization. |
debug.mceadmin.admin.upn | user@domain.com | The UPN of an administrator account, used to connect with PowerShell and manage MCE. |
Optional configuration
Key | Value | Description |
---|---|---|
debug.mce.fileupload.disabled | true | Disables file upload functionality in MCE groups. |
debug.mce.clusternode.advertisedipaddress | 127.0.0.1 | Specifies the IP address this cluster node can be reached on from other cluster nodes |
mce.clusternode.gatewayport | 30000 | Specifies the port this cluster node will accept client connections on |
mce.clusternode.siloport | 11111 | Specifies the port this cluster node will accept peer cluster node connections on |
mce.attributesynchronization.user.emailaddress.issuer | AD | Specifies the attribute issuer used to synchronize the user email address, defaults to the specified default attribute issuer if omitted. |
mce.attributesynchronization.user.displayname.issuer | AD | Specifies the attribute issuer used to synchronize the user display name, defaults to the specified default attribute issuer if omitted. |
debug.mceadmin.admin.attribute | cois=Admins | The security attribute name=value of administrator accounts |
debug.mceadmin.admin.adgroup | CN=MceAdministrators, DN=Groups, DC=company, DC=com | The Active Directory distinguished name of a Security Group for administrator accounts |
debug.mceadmin.admin.tokenexpirationminutes | 15 | The number of minutes an administrator access token is valid |
debug.mce.management.group.name.duplicationscope | None | The scope of validation against group name duplication. Can be "Global", "SecurityContext", "SecurityContextAndClassification", or "None". Will default to "None" if not provided. |
"Shadow account" setup for external users
Shadow accounts are only required to allow users external to the local AD access to MCE.
A shadow account is a contact or disabled user object in Active Directory that provides a directory resource for a person who is not an authenticated member of the directory, for example a user external to the system.
The AD administrator creates a contact object containing attributes such as display name, email, etc. The person represented by this object cannot authenticate to the AD server, but can have attributes set up for accessing MCE groups.
Configure the "pre-authenticated" header so that it injects the email as the header value when the external user logs into MindLink. They should then be able to log in and interact with any groups according to the attributes configured on the AD object, like a regular internal AD user.
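As an added example (not part of the MindLink documentation), the following PowerShell creates a shadow-account contact object for an external user, populates the attributes listed in mce.attributesynchronization.user.activedirectory.properties, adds it to the AD group used as a security context, and verifies the result before the next synchronization run. The OU, group DN, user details and the assumption that the linked-identity attribute holds the same value the pre-authenticated header will carry are all placeholders.

```powershell
# Added example: create and verify an MCE shadow account (AD contact object).
# OU, group and user values below are assumed placeholders, not from the docs.
Import-Module ActiveDirectory

$ShadowOu     = 'OU=ExternalContacts,DC=company,DC=com'                # assumed
$ContextGroup = 'CN=PartnerProjectAlpha,OU=Groups,DC=company,DC=com'   # assumed
$Email        = 'jane.partner@partner.example'                         # constructed sample

$attrs = @{
    displayName                   = 'Jane Partner (External)'
    mail                          = $Email
    # Linked authentication identity (see the .linkedauthenticationidentity.name key).
    # Assumption: it must equal the value the pre-authenticated header injects.
    'msRTCSIP-PrimaryUserAddress' = $Email
    st                            = 'External'
}

# A contact object has no password and cannot authenticate to AD, which is the
# property that makes it suitable as a shadow account.
$contact = New-ADObject -Name 'Jane Partner (External)' -Type contact `
    -Path $ShadowOu -OtherAttributes $attrs -PassThru

# Add-ADGroupMember expects a security principal, so add the contact's DN directly.
Set-ADGroup -Identity $ContextGroup -Add @{ member = $contact.DistinguishedName }

# Verify: the object is a contact (not a user) and every attribute MCE
# synchronizes for the linked identity is populated.
$check = Get-ADObject -Identity $contact.DistinguishedName `
    -Properties objectClass, displayName, mail, 'msRTCSIP-PrimaryUserAddress', memberOf
if ($check.objectClass -ne 'contact') { throw 'Shadow account must be a contact object' }
foreach ($a in 'displayName', 'mail', 'msRTCSIP-PrimaryUserAddress') {
    if (-not $check.$a) { throw "Missing synchronized attribute: $a" }
}
if ($check.memberOf -notcontains $ContextGroup) { throw 'Contact is not in the security-context group' }
```

The contact becomes visible to MCE only after the next Active Directory synchronization (see mce.attributesynchronization.activedirectory.synchronizationreminderminutes), so allow for that interval when testing.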