MCE Configuration
You must currently configure a MindLink Anywhere installation correctly before configuring the MCE system.
You must configure the following integration features:
See Configuring MindLink Anywhere for further details.
Optional third-party attribute server
Using a third-party attribute server
MCE can integrate with a third-party external security attribute system to synchronize security attributes. The attribute server is configured in the "User attributes provider" tab of the MindLink Management Center. The optional attribute server is used if any of the "Content classification", "Communities of interest", or "IM ethical wall" features are enabled. To use "Content classification" in MCE, the "Communities of interest" feature must also be enabled.
Disabling the third-party attribute server
The optional attribute server is not used if the "Content classification", "Communities of interest", and "IM ethical wall" features are disabled in the MindLink Management Center.
Firefox configuration for encryption
Firefox by default does not include certificates from the local Windows store, nor does it treat preflight HTTPS requests in the same way as Chrome or Edge. Additional configuration is therefore required: open a new tab in Firefox and enter about:config as the URL. You should be presented with a text box to search the advanced configuration, where the following preferences are set:
- security.enterprise_roots.enabled
  - Set as: true
  - Connects the local certificate store
- network.cors_preflight.allow_client_cert
  - Set as: true
  - Causes Firefox to behave like Chrome and Edge
The configuration of MCE relies upon the advanced configuration section of the MindLink Management Center and the respective MCE page in the management tool.
Management Center configuration
We must configure the settings of the MCE services through the appropriate page in the Management Center for all of the following scenarios.
Server
Enables the services that host the backend for the MindLink Chat Engine.
- Enable MCE backend services: Enables the configuration of the backend services that synchronize with existing infrastructure to host the MindLink Chat Engine.
- Please note the Management Center does not currently validate the input fields on the MCE configuration page if MCE backend services are not enabled.
Cluster configuration
Specify the identity used for the MCE cluster and the database connection used for all MCE operations, including cluster membership.
- Cluster ID: Specifies the identity of the cluster.
- Database connection string: Specifies the database connection for all MCE operations, including cluster membership.
- Database Test: Allows for checking the database connection string's validity as well as checking if the server requires updating. See Database Updates.
Cluster node configuration
Specify the connection details for the local MCE cluster node.
- Advertised IP Address: Specifies the IP address this cluster node can be reached on from other cluster nodes (default 127.0.0.1)
- Silo Port: Specifies the port this cluster node will accept peer cluster node connections on (default 11111)
- Gateway Port: Specifies the port this cluster node will accept client connections on (default 30000)
Transport Security
Specify the addresses and certificate used to encrypt communication between MCE cluster clients and servers.
- Cluster address: Specifies the DNS name of the cluster.
- This is used by cluster clients to authenticate the server with which they are communicating.
- Cluster certificate: Specifies the certificate in the Windows Machine Certificate Store to use to secure TLS communication between the cluster nodes.
- This is used by both cluster clients and servers to authenticate communication bi-directionally.
- This authentication is performed for both client-to-server and server-to-server communication.
- Trusted addresses: A comma-separated list of subject names that are trusted. One or more SANs in the certificate used to connect to the cluster must appear in this list.
- Disable transport security: Disables secure communication between cluster clients and servers. This will disable the usage of the other fields in Transport Security.
- Warning! Communication within the cluster will be in plain text and therefore unprotected if transport security is disabled.
- It is strongly advised that transport security is enabled.
Orleans dashboard
- Enable Orleans Dashboard: Enables the monitoring dashboard for the MCE cluster
- Orleans Dashboard port: Specifies the port to host the monitoring dashboard over HTTP
Database Updates
When installing a new version of MCE there may be SQL database updates that are required before MCE will run. This should be highlighted in release notes, however it is always worth visiting this page to check for updates after installing a new version regardless. Click the Test button and the Management Tool will check the current state of the SQL Server database (specified by the connection string) and determine if any updates are required.
If there is no update required the following screen will be shown.
If an update is required the following screen will be shown. You can use the drop down Show details of changes to see what updates are required. Clicking Update Now will run the update script directly. Alternatively you can click Generate update script, which will show you the script that will run to perform the update.
The first time that you perform the database installation, or an upgrade from a version prior to v23.5, you will need permissions to perform an ALTER DATABASE operation used to set some optimization parameters on the MCE database. Subsequent upgrades will not require the permission.
If you cannot get the database installation to work via the management tool, generate the script and run it using a user with the right permissions on the database. Once done, run the test again in the management tool to verify.
It is possible to override this manual behavior and revert to automatically updating the MCE SQL Database.
This is not recommended. However, if necessary you can set the following debug key and MCE Hosts will automatically upgrade. This is equivalent to the behavior in v23.4 and earlier.
Key | Value | Description |
---|---|---|
debug.mce.db.autoupgrade | false | Specifies whether MCE Host will automatically update the MCE SQL Database |
Advanced Configuration Custom Settings
One-box configuration
Once a MindLink Anywhere installation is deployed, the following configuration will host all features on a single machine:
Key | Value | Description |
---|---|---|
global.service.modules | Web,Mce,MceAdmin | Enables Web, MCE and the MCE administration services respectively |
debug.mce.clientenabled | true | Enables the MCE connector for Web, overridden to true when the "MceAdmin" module is enabled |
mce.attributesynchronization.validissuers | AD | Specifies the issuers that can be used to specify COI attributes. AD = Active Directory. The value for your third-party attribute service can also be used |
mce.attributesynchronization.activedirectory.synchronizationreminderminutes | 1 | Specifies the reminder interval, in minutes, for synchronizing the Active Directory attributes |
mce.attributesynchronization.attributeprovider.synchronizationreminderminutes | 1 | Specifies the reminder interval, in minutes, for synchronizing the user attribute provider attributes |
mce.attributesynchronization.user.defaultissuer | AD | Specifies the default attribute issuer to use for user attribute synchronization |
mce.attributesynchronization.user.linkedauthenticationidentity.issuer | AD | Specifies the attribute issuer to use as the linked authentication identity for users |
mce.attributesynchronization.user.linkedauthenticationidentity.name | msRTCSIP-PrimaryUserAddress | Specifies the attribute to synchronize as the linked authentication identity. This is the property defined in the attribute issuer used to link users |
debug.connector.mce.groupclassificationrequired | true | Enforces that a classification must be specified when creating a group |
debug.mce.file.server.path.\<mce file server identifier> | C:\mce\files | The path where file uploads should be stored when the specified \<file server identifier> is configured as the active file server; this should be a network path accessible to all MLA hosts. This key allows multiple file paths onto which files have been uploaded to be recorded; the currently "active" path (onto which new files will be uploaded) can be switched with the debug.mce.file.server.activeid key |
debug.mce.file.server.activeid | mcefileserver1 | The desired mce file server identifier, defined via using the debug.mce.file.server.path.\<mce file server identifier> debug flag |
connector.ucma.custompreferencesrepository | C:\mce\preferences | The path to where user preferences should be stored, this should be a network path accessible to all MLA hosts. |
Optional configuration
Key | Value | Description |
---|---|---|
debug.ucma.persistentchat.enabled | false | Determines whether the Skype for Business Persistent Chat connection is created. false => Persistent Chat should not be connected for user sessions, true => Persistent Chat should be connected. |
debug.mce.fileupload.disabled | true | Disables file upload functionality in MCE groups |
mce.attributesynchronization.user.activedirectory.properties | s, st, displayName, distinguishedName, msRTCSIP-PrimaryUserAddress | Specifies the active directory properties to synchronize for users (ensure the distinguished name and primary user address are synchronized). Only string type AD properties are supported. |
mce.attributesynchronization.activedirectory.groupsandous.enabled | false | Enables Active Directory Groups and OUs for synchronization. |
mce.attributesynchronization.attributeprovider.allowedattributes | attributeName1, attributeName2, ... | Specifies an attribute whitelist for synchronization with the configured attribute provider. All other attributes will be ignored during attribute synchronization. Note: Cannot be specified alongside mce.attributesynchronization.attributeprovider.deniedattributes. |
mce.attributesynchronization.attributeprovider.deniedattributes | attributeName1, attributeName2, ... | Specifies an attribute blacklist for synchronization with the configured attribute provider. The specified attributes will be ignored during attribute synchronization. Note: Cannot be specified alongside mce.attributesynchronization.attributeprovider.allowedattributes. |
debug.mceadmin.admin.upn | user@domain.com | The UPN of an administrator account. |
debug.mceadmin.admin.attribute | cois=Admins | The security attribute name=value of administrator accounts |
debug.mceadmin.admin.adgroup | CN=MceAdministrators, DN=Groups, DC=company, DC=com | The Active Directory distinguished name of a Security Group for administrator accounts |
debug.mceadmin.admin.tokenexpirationminutes | 15 | The number of minutes an administrator access token is valid |
debug.mce.management.group.name.duplicationscope | None | The scope of validation against group name duplication. Can be "Global", "SecurityContext", "SecurityContextAndClassification", or "None". Will default to "None" if not provided. |
debug.connector.types.enabled | ucma, mce | Specifies the enabled connectors. MCE is required for a standalone deployment. |
mce.attributesynchronization.user.displayname.name | displayName | Specifies the attribute name used to synchronize the user display name. |
mce.attributesynchronization.user.emailaddress.name | | Specifies the attribute name used to synchronize the user email address. |
mce.attributesynchronization.user.instantmessagingaddress.name | | Specifies the attribute name used to synchronize the user instant messaging address. |
mce.attributesynchronization.user.country.name | c | Specifies the attribute name used to synchronize the user country. |
mce.attributesynchronization.user.countrydivision.name | st | Specifies the attribute name used to synchronize the user country division or state. |
mce.attributesynchronization.user.city.name | l | Specifies the attribute name used to synchronize the user city. |
mce.attributesynchronization.user.street.name | streetAddress | Specifies the attribute name used to synchronize the user street. |
mce.attributesynchronization.user.emailaddress.issuer | AD | Specifies the attribute issuer used to synchronize the user email address, defaults to the specified default attribute issuer if omitted. |
mce.attributesynchronization.user.displayname.issuer | AD | Specifies the attribute issuer used to synchronize the user display name, defaults to the specified default attribute issuer if omitted. |
mce.attributesynchronization.user.instantmessagingaddress.issuer | AD | Specifies the attribute issuer used to synchronize the user instant messaging address, defaults to the specified default attribute issuer if omitted. |
mce.attributesynchronization.user.country.issuer | AD | Specifies the attribute issuer used to synchronize the user country, defaults to the specified default attribute issuer if omitted. |
mce.attributesynchronization.user.countrydivision.issuer | AD | Specifies the attribute issuer used to synchronize the user country division or state, defaults to the specified default attribute issuer if omitted. |
mce.attributesynchronization.user.city.issuer | AD | Specifies the attribute issuer used to synchronize the user city, defaults to the specified default attribute issuer if omitted. |
mce.attributesynchronization.user.street.issuer | AD | Specifies the attribute issuer used to synchronize the user street, defaults to the specified default attribute issuer if omitted. |
advanced.management.externalsfbgroupmanagementurl | http://domain.com | Specifies the URL used for external Skype for Business management |
advanced.mce.connector.attributeprincipals.disabled | false | Determines whether searching by attribute principals is disabled. With this setting disabled, searching during group management will only match on users |
mce.contentretention.enabled | false | Determines whether global group chat content retention is enabled. Will default to 'false' if omitted. |
mce.contentretention.purge.interval.hours | 1 | Determines the interval at which messages are either soft or hard deleted. |
mce.contentretention.sync.interval.hours | 1 | Determines the interval at which hard or soft deletion policies are synchronized. |
mce.attributesynchronization.wellknown.attributes | [{"Issuer": "issuer ID", "Name": "attribute-name", "Value": "attribute-value"}] | Determines the list of well known attributes as a JSON. Each entry requires the issuer ID, the attribute name and value. |
mce.attributesynchronization.issuers.directoryservice.id | AD | Determines the issuer ID for the directory service. |
mce.attributesynchronization.issuers.attributeservice.id | ID | Determines the issuer ID for the attribute provider service. |
debug.mce.database.logging.enabled | true | Enables detailed logging of all database operations. |
debug.mce.database.operationretry.enabled | true | Enables automatic retry of database operations when transient failures occur. Note: Many errors will be considered transient by default and will cause retries. |
debug.mce.database.operationretry.maxretries | 1 | Determines the maximum number of times a database operation can be retried under transient failure. Note: If not specified, and debug.mce.database.operationretry.enabled is set to true , a default value of 1 will be used. |
debug.mce.database.operationretry.maxdelayseconds | 1 | Determines the maximum delay (in seconds) between successive retries of failed database operations. The delay between successive retries follows a backoff pattern, limited by this maximum value. Note: If not specified, and debug.mce.database.operationretry.enabled is set to true , a default value of 5 will be used. |
debug.mce.database.operationretry.transienterrors | errorNumber1, errorNumber2, ... | Specifies any additional error numbers which should be considered transient for database operations, and should therefore cause retries. These are in addition to those already considered transient by default which do not need to be specified here. |
The settings 'mce.attributesynchronization.issuers.directoryservice.id' and 'mce.attributesynchronization.issuers.attributeservice.id' must not be changed once set. Updating them once set may compromise security policies.
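Because the Management Center does not validate the MCE fields unless the backend services are enabled, a pre-check of the advanced configuration against the constraints stated in the tables above is useful. The following is an added example written for this page, not MindLink's own code; it assumes the settings are available as a dictionary of key to string value exactly as typed into the advanced configuration, and the sample settings and "previous deployment" issuer IDs are constructed.

```python
import json

# Constructed sample of advanced configuration keys/values (not a real deployment),
# seeded with mistakes for the validator to catch.
SAMPLE_SETTINGS = {
    "mce.attributesynchronization.attributeprovider.allowedattributes": "clearance, cois",
    "mce.attributesynchronization.attributeprovider.deniedattributes": "department",
    "mce.attributesynchronization.user.activedirectory.properties": "s, st, displayName",
    "debug.mce.management.group.name.duplicationscope": "Globel",
    "mce.attributesynchronization.wellknown.attributes":
        '[{"Issuer": "AD", "Name": "cois", "Value": "Admins"}, {"Issuer": "AD", "Name": "cois"}]',
    "mce.attributesynchronization.issuers.directoryservice.id": "AD",
    "debug.mce.database.operationretry.enabled": "true",
}
# Issuer IDs recorded from the previous deployment (constructed) for the change check.
PREVIOUS_SETTINGS = {"mce.attributesynchronization.issuers.directoryservice.id": "LDAP"}

ATTR_PROVIDER = "mce.attributesynchronization.attributeprovider."
DUPLICATION_SCOPES = {"Global", "SecurityContext", "SecurityContextAndClassification", "None"}
PINNED_ISSUER_KEYS = ("mce.attributesynchronization.issuers.directoryservice.id",
                      "mce.attributesynchronization.issuers.attributeservice.id")
REQUIRED_AD_PROPERTIES = ("distinguishedName", "msRTCSIP-PrimaryUserAddress")


def csv_list(value):
    """Split a comma-separated setting value into trimmed, non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def effective_retry_settings(settings):
    """Apply the documented defaults: maxretries 1, maxdelayseconds 5 when retry is enabled."""
    if settings.get("debug.mce.database.operationretry.enabled", "false").lower() != "true":
        return {"enabled": False}
    return {"enabled": True,
            "maxretries": int(settings.get("debug.mce.database.operationretry.maxretries", 1)),
            "maxdelayseconds": int(settings.get("debug.mce.database.operationretry.maxdelayseconds", 5))}


def validate_settings(settings, previous=None):
    """Check the constraints stated in the configuration tables; return a list of findings."""
    findings = []
    if ATTR_PROVIDER + "allowedattributes" in settings and ATTR_PROVIDER + "deniedattributes" in settings:
        findings.append("allowedattributes and deniedattributes cannot both be specified")
    scope = settings.get("debug.mce.management.group.name.duplicationscope", "None")
    if scope not in DUPLICATION_SCOPES:
        findings.append(f"unknown duplicationscope {scope!r}")
    ad_props = csv_list(settings.get("mce.attributesynchronization.user.activedirectory.properties", ""))
    for prop in REQUIRED_AD_PROPERTIES:
        if ad_props and prop not in ad_props:  # only checked when the key overrides the default list
            findings.append(f"activedirectory.properties must include {prop}")
    raw = settings.get("mce.attributesynchronization.wellknown.attributes")
    if raw is not None:
        try:
            for index, entry in enumerate(json.loads(raw)):
                missing = sorted({"Issuer", "Name", "Value"} - set(entry))
                if missing:
                    findings.append(f"wellknown attribute {index} is missing {missing}")
        except (ValueError, TypeError, AttributeError):
            findings.append("wellknown.attributes is not a JSON list of objects")
    for key in PINNED_ISSUER_KEYS:
        if previous and key in previous and previous[key] != settings.get(key):
            findings.append(f"{key} changed from {previous[key]!r}; issuers must not change once set")
    return findings
```

Run `validate_settings(SAMPLE_SETTINGS, PREVIOUS_SETTINGS)` to list the six findings in the constructed sample; pass the previous deployment's settings to catch an issuer ID change before it reaches the cluster.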
MCE-only configuration
Once a MindLink Anywhere installation is deployed, the following configuration will host only the MCE workload:
Key | Value | Description |
---|---|---|
global.service.modules | Mce | Enables MCE services |
mce.attributesynchronization.validissuers | AD | Specifies the issuers that can be used to specify COI attributes. Value AD = Active Directory. Alternatively, the value for your third-party attribute service can be used. |
mce.attributesynchronization.user.defaultissuer | AD | Specifies the default attribute issuer to use for user attribute synchronization |
mce.attributesynchronization.user.linkedauthenticationidentity.issuer | AD | Specifies the attribute issuer to use as the linked authentication identity for users |
mce.attributesynchronization.user.linkedauthenticationidentity.name | msRTCSIP-PrimaryUserAddress | Specifies the attribute to synchronize as the linked authentication identity. This is the property defined in |
mce.attributesynchronization.attributeprovider.synchronizationreminderminutes | 1 | Specifies the reminder interval, in minutes, for synchronizing the user attribute provider attributes. |
Optional configuration
Key | Value | Description |
---|---|---|
global.service.modules | Mce,MceAdmin | Enables MCE services and the MCE administration web services (for PowerShell management) |
debug.mce.fileupload.disabled | true | Disables file upload functionality in MCE groups |
mce.attributesynchronization.user.activedirectory.properties | s, st, displayName, distinguishedName, msRTCSIP-PrimaryUserAddress | Specifies the active directory properties to synchronize for users (ensure the distinguished name and primary user address are synchronized). Only string type AD properties are supported. |
mce.attributesynchronization.activedirectory.groupsandous.enabled | false | Enables Active Directory Groups and OUs for synchronization. |
debug.mceadmin.admin.upn | user@domain.com | The UPN of an administrator account. |
debug.mceadmin.admin.attribute | cois=Admins | The security attribute name=value of administrator accounts |
debug.mceadmin.admin.adgroup | CN=MceAdministrators, DN=Groups, DC=company, DC=com | The Active Directory distinguished name of a Security Group for administrator accounts |
debug.mceadmin.admin.tokenexpirationminutes | 15 | The number of minutes an administrator access token is valid |
debug.attributeserver.requesttimeoutmilliseconds | 10000 | The number of milliseconds for the attribute server request to timeout |
debug.mce.synchronizationmanager.bypasscoregroupreadmodel | true | Determines whether to ignore the GroupReadModel in the Synchronization Manager or not. |
debug.mce.management.group.name.duplicationscope | None | The scope of validation against group name duplication. Can be "Global", "SecurityContext", "SecurityContextAndClassification", or "None". Will default to "None" if not provided. Name duplication will only be validated against newly created/edited groups |
debug.mce.enableinappmcegroupmanagement | true | Enables the ability to manage MCE groups from the in-app group management page. |
debug.connector.mce.management.environmentname | MCE | The name to display in the in-app group management page for MCE groups. |
debug.connector.types.enabled | mce | Specifies the enabled connectors. MCE is required for a standalone deployment. |
Web-only configuration
Once a MindLink Anywhere installation is deployed, the following configuration will host MindLink Anywhere with connectivity to a running MCE cluster:
Key | Value | Description |
---|---|---|
debug.mce.clientenabled | true | Enables the MCE connector for Web, overridden to true when the "MceAdmin" module is enabled |
debug.connector.ucma.management.enableinappgroupmanagement | true | Switches the in-app group management to target UCMA |
debug.connector.mce.groupclassificationrequired | true | Enforces that a classification must be specified when creating a group |
debug.mce.file.server.path.\<mce file server identifier> | C:\mce\files | The path where file uploads should be stored when the specified \<file server identifier> is configured as the active file server; this should be a network path accessible to all MLA hosts. This key allows multiple file paths onto which files have been uploaded to be recorded; the currently "active" path (onto which new files will be uploaded) can be switched with the debug.mce.file.server.activeid key |
debug.mce.file.server.activeid | mcefileserver1 | The desired mce file server identifier, defined via using the debug.mce.file.server.path.\<mce file server identifier> debug flag |
connector.ucma.custompreferencesrepository | C:\mce\preferences | The path to where user preferences should be stored, this should be a network path accessible to all MLA hosts |
Optional configuration
Key | Value | Description |
---|---|---|
debug.ucma.persistentchat.enabled | false | Determines whether the Skype for Business Persistent Chat connection is created. false => Persistent Chat should not be connected for user sessions, true => Persistent Chat should be connected. |
debug.mce.fileupload.disabled | true | Disables file upload functionality in MCE groups |
debug.mobile.apns.token.offsetintervalminutes | 5...55 | Specifies the offset of a valid APNs token. Set to 5 minutes by default. |