Introduction

The MindLink Suite of products requires a series of pre-requisites to be in place both on the MindLink Application Server, and on the Lync Front End Server in order for the products to function correctly. This guide will help you to get your infrastructure into a state ready to accept the MindLink Product.

The prerequisites required are:

Requirement                                          Version
.NET Framework                                       4.8
C++ Redistributable                                  2012, 2013
MindLink Server as Trusted Application on Front End  N/A
SSL Certificate                                      Locally or Publicly Signed
For Server Pooling: Microsoft SQL Server             2012, 2014 and 2016

System requirements

Hardware

  • Dual or Quad core, 64-bit CPU (minimum 2.4 GHz)
  • Gigabit Ethernet connection
  • 4GB RAM
  • Minimum 1Gb disk space

Operating System

  • Windows Server 2008 R2, 2012, 2012 R2 or 2016
  • Domain Joined
  • Microsoft .Net Framework 4.8
  • C++ 2012 redistributable installation binary (for Lync 2013 only)
  • C++ 2013 redistributable installation binary (for Skype for Business only)
  • Domain Member Service Account

Network

  • Communication on Port 2195 for APNS Push Notifications (MindLink Mobile for iPhone/iPad)
  • If you enable Server Pooling functionality (available to MindLink Mobile only), you may use a High Availability / Resiliency strategy supported by Microsoft SQL Server 2012, 2014 or 2016 such as 'Mirroring' or 'Always On'

Lync/Skype For Business

  • Lync Front End must be able to resolve DNS Name
  • Persistent Chat must be enabled in your Lync Topology for Persistent Chat Room access. It is not required for IM only.

The above is the minimum specification that supports approximately 2000 concurrent sessions. The administrator may co-locate all versions of MindLink (Anywhere, WebPart, Mobile and Integrations) onto a single server. However CPU, memory and disk resource will need to be scaled accordingly. Please contact our Support Team at support@mindlinksoft.com for assistance with capacity planning.

Identify if you have Persistent Chat Enabled

Lync/SFB Administrator

An administrator can check the Topology of the installation and check there is a Persistent Chat Pool created with at least one server in the Topology Builder tool.

pChat Topology

As an end User of Lync

Anyone within the organisation who is pChat enabled will have this icon visible, allowing them to participate in Rooms.

pchat enabled

Alternatively you can CTRL-SHIFT Right Click over the minimised tray icon of Lync/SFB, which will show the Configuration Settings of the local client. The last line of output will show the value for "pChat Enabled?", which should be TRUE.

Client Requirements

* MindLink Anywhere V1 & V2 - Web Browsers: Internet Explorer 6-11, Microsoft Edge, latest Firefox, Chrome, Opera, or Safari
* MindLink Anywhere V3 - Web Browsers: Internet Explorer 10-11, Microsoft Edge, latest Firefox, Chrome, or Safari
* MindLink Mobile Android - Android OS 5.0 or above
* MindLink Mobile iPhone/iPad - iOS 10.3 or above

Lync 2013 or SFB Auto-Provisioning Requirements (Optional)

Lync 2013/SFB auto-provisioning is not necessary if you prefer to manually configure your Lync front end FQDN, but it allows auto discovery in case the topology changes. Install Lync Server Core Components from the Lync server ISO onto the MindLink Server:

  • Install or Update Lync Server System -> Install Local Configuration Store and Setup or Remove Lync Server Components
  • Enable Lync auto discover for DNS/SRV records, lyncdiscoverinternal. and sipinternal.
  • The MindLink service account must be a member of the 'RTC Component Local Group' local group.
  • Set the certificate

Setting the Certificate

1. Launch Lync Server Management Shell, which will now be installed on the MindLink Server. On the Start menu, select All Programs > Microsoft Lync Server 2013 > right-click Lync Server Management Shell > click Run as administrator.

2. In Lync Server Management Shell, run the Set-CsCertificate cmdlet. In the following example, a certificate with a thumbprint of 14b04424b8316d90c72438dfefdf83d1fd917d39 is bound to the trusted application server, e.g. Set-CsCertificate -Type Default -Thumbprint 14b04424b8316d90c72438dfefdf83d1fd917d39

Where do I get the Pre-Requisites?

The Pre-requisite software is readily available from the Official Microsoft Website.

.Net 4.8 https://dotnet.microsoft.com/download/dotnet-framework/net48
C++ Redistributable 2012 (for Lync 2013 and Prior) http://www.microsoft.com/en-us/download/details.aspx?id=30679
C++ Redistributable 2013 (for Skype for Business) http://www.microsoft.com/en-in/download/details.aspx?id=40784

.Net Framework Installation

.NET Framework

This pre-requisite is packaged as NDP47-KB3186500-Web.exe; it is recommended that this is installed on the MindLink Server first.

1 - Navigate to the location of the MindLink Software installers, and within the Pre-Reqs folder double click the NDP47-KB3186500-Web.exe file

2 - When Prompted, read and accept the license terms and click install

3 - When prompted, click Finish

Microsoft Visual C++ 2012 or C++ 2013 Redistributable

C++ 2012

This pre-requisite is packaged as vcredist_x64.exe; it is recommended that this is installed on the MindLink Server second.

1 - Navigate to the location of the MindLink Software installers, and within the Pre-Reqs folder double click the vcredist_x64.exe file

2 - When prompted, read and accept the License term and conditions and click Install

3 - When the application is successfully installed, click close.

Configuring OCS/Lync/SFB Trusted Application Pools

1 - Go to the OCS server management MMC snap-in on a Front End Server

2 - Add the Office Communication Server Management snap-in

3 - Bring the Front End Properties window up

4 - In the Front End Properties window add the connector service host and make sure Treat As Authenticated is set to Yes (30).

This will allow MindLink Anywhere to establish an MTLS connection with the OCS servers and log in on behalf of users who have a valid SSO token.

1 - Log onto the Front End Server

2 - Launch the 'Lync Server 2013/SFB Topology Builder'

3 - In the left tree pane, right-click on the 'Trusted application servers' folder

4 - Select the option 'New Trusted Application Pool...' from the context menu

5 - Add the FQDN of the server (i.e. server.domain.com) where MindLink Anywhere is installed

6 - Select 'Single computer pool' if MindLink Anywhere is installed on a single instance, or 'Multiple computer pool' if MindLink Anywhere is installed in a load balanced configuration

7 - Click the 'Next' button

8 - Select the next hop which will be the front end (for Standard Edition) or the pool (for Enterprise Edition), click the 'Finish' button

9 - Publish the topology with the changes you have just implemented

10 - Launch the 'Lync Server Management Shell' application and run the following command to create a trusted application:

New-CsTrustedApplication -ApplicationID <ApplicationID> -TrustedApplicationPoolFqdn <PoolFqdn> -Port <Port>, e.g.: New-CsTrustedApplication -ApplicationID MindLinkMobile -TrustedApplicationPoolFqdn mindlinkserver.domain.com -Port 4096

1 - ApplicationID: a string which describes the application. This can be anything, subject to syntax requirements (e.g. no spaces, no special characters).

2 - TrustedApplicationPoolFqdn: the FQDN of the trusted application pool that was just created above.

3 - Port: the listen port of the MindLink Server. Each product has its own default port to allow co-location. The default ports are:

  • MindLink API is 4096
  • MindLink Anywhere is 4097
  • MindLink Mobile is 4099

Lync server shell

11 - You will then be prompted to execute the Enable-CsTopology command to implement the changes. If the cursor moves to the next line without any errors, then the command has been executed successfully

12 - Launch the 'Lync Server Control Panel'

13 - Under 'Topology > Trusted Application' you should now see the application you just added. If it is not there, just click on the 'Refresh' button and it should appear

Lync 2013 control panel

Generating a Certificate

If you are using a publicly signed certificate, signed by a Certificate Authority such as Geotrust or Verisign, then it is suggested that you use the Lync Bootstrapper tool bundled as part of the Lync installation executable. If you are using a locally signed certificate then you will need to ensure that the certificate's Root CA is trusted on the end-user's device. A certificate is required in each of the following cases:

  1. If MindLink is being served over HTTPS, a client-facing certificate is required.
     • The subject name must match the DNS name of the URL by which MindLink is accessed.
     • The issuer must be trusted by all client machines, i.e. a public CA may be required if clients are accessing via the internet.

  2. A certificate is needed to perform MTLS with the Lync front end servers.
     • The subject name must match the FQDN of the server on which MindLink is hosted.
     • The issuer must be trusted by the Lync front end, i.e. an enterprise internal CA will be acceptable providing both the Lync and MindLink servers trust the same CA.

Each server certificate must include:

  • EKU property for "Server Authentication"
  • A CRL distribution point
  • Subject name should be the FQDN of the server
  • Private key

The same certificate may be used for both roles only if the issuing CA is trusted by all client computers and by the Lync front end server, and either the DNS name on which MindLink will be accessed via HTTP is the same as the FQDN of the machine, or the certificate has SANs for both the public DNS name and the FQDN. The instructions below are aimed at customers using an internally signed certificate.

1 - From the MindLink Server, Launch an instance of MMC (Start > Search 'mmc')

mmc

2 - Click File > Add /Remove Snap-In...

Console add/remove

3 - Click Certificates > Add > Computer Account > Next > Finish > OK

Snap ins

4 - Navigate to the Certificate folder within the Personal Store

Certificates

5 - Right Click in a blank area of the centre pane and select All Tasks > Request a New Certificate

Request certificate

6 - Click Next to begin the Wizard. Select Active Directory Enrollment Policy and click Next

Certificate enrollment

7 - Set Computer tickbox to True and click Enroll

Enroll

8 - Click Finish

9 - Right Click your newly created certificate and go to: All Tasks > Manage Private Keys. If this is not available the certificate has no Private key and will not work.

Private Keys

10 - In the dialogue box that appears, click Add, add permissions for the Service Account that will run MindLink, and click Check Names. This step is only required for the Email connector or Social connector; the other products will automatically assign permission.

Permissions

11 - Click OK

12 - Ensure that the permissions are set to Full Control and click OK

Full Permissions
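As an added check (not MindLink's own tooling), the following PowerShell function verifies an enrolled certificate against the requirements listed under Generating a Certificate (Server Authentication EKU, CRL distribution point, subject or SAN matching the FQDN, private key) and the 2048-bit key length that the Certificates section below requires for token issuing. The thumbprint and FQDN passed in are placeholders.

```powershell
# Added example: validate a LocalMachine\My certificate for MindLink use.
# Run on the MindLink Server in an elevated PowerShell session.

function Test-MindLinkCertificate {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,    # from Get-ChildItem Cert:\LocalMachine\My
        [Parameter(Mandatory)] [string] $ExpectedFqdn   # server FQDN (or the public DNS name for the HTTPS role)
    )
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }

    $findings = @()

    # 1. Private key present; without it 'Manage Private Keys' is missing and MTLS cannot work
    if (-not $cert.HasPrivateKey) { $findings += 'No private key' }

    # 2. EKU (OID 2.5.29.37) must include Server Authentication (OID 1.3.6.1.5.5.7.3.1)
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasServerAuth = $false
    if ($ekuExt) {
        $eku = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension($ekuExt, $false)
        $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
    }
    if (-not $hasServerAuth) { $findings += 'EKU lacks Server Authentication' }

    # 3. CRL distribution point extension (OID 2.5.29.31)
    if (-not ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' })) {
        $findings += 'No CRL distribution point'
    }

    # 4. Name match: subject CN or a SAN DNS entry (OID 2.5.29.17) must equal the expected FQDN
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        # Format() renders entries such as "DNS Name=host.domain.com, DNS Name=..."
        $names += ($sanExt.Format($false) -split ', ' | ForEach-Object { ($_ -split '=')[-1].Trim() })
    }
    if ($names -notcontains $ExpectedFqdn) { $findings += "Neither subject nor SAN matches $ExpectedFqdn" }

    # 5. RSA key must be at least 2048 bits (token issuing certificate requirement)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if (-not $rsa -or $rsa.KeySize -lt 2048) { $findings += 'RSA key shorter than 2048 bits' }

    # 6. Validity window
    if ($cert.NotAfter -lt (Get-Date)) { $findings += 'Certificate has expired' }

    [pscustomobject]@{
        Thumbprint = $Thumbprint
        Compliant  = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Usage with placeholder values:
# Test-MindLinkCertificate -Thumbprint '<thumbprint>' -ExpectedFqdn 'mindlinkserver.domain.com'
```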

Kerberos Authentication

Kerberos operates using "principals", which are identifiers for users and services for which Kerberos tickets can be generated. So that a client can create a ticket readable by a service, it looks up the service principal name and asks the Kerberos server to produce a ticket that can be given to the service. Clearly, if the service has no registered principal name, or an incorrect principal name is used (for instance falling back to a default service name), then the ticket will be incorrect and authentication will fail. Windows authentication can be implemented by running the following command as a domain administrator: setspn -U -A http/<MindLink FQDN> <domain>\<service account>, e.g. setspn -U -A http/mindlink.domain.com domain\srv_mindlink
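Because a missing or duplicated SPN is the usual reason Kerberos falls back or fails, the following added PowerShell function (not from the MindLink documentation) confirms that the HTTP SPN is registered on the intended service account exactly once. The host name and account default to the placeholder values used in the example above.

```powershell
# Added example: check SPN registration before relying on Kerberos authentication.
# Requires the setspn.exe tool (RSAT / domain-joined server) and domain read rights.

function Test-MindLinkSpn {
    param(
        [string] $HostName       = 'mindlink.domain.com',   # placeholder MindLink FQDN
        [string] $ServiceAccount = 'domain\srv_mindlink'    # placeholder service account
    )
    $spn = "http/$HostName"

    # setspn -Q lists every object owning the SPN; owning objects appear as "CN=..." lines
    $queryOutput = & setspn.exe -Q $spn 2>&1
    $owners = @($queryOutput | Where-Object { $_ -match '^CN=' })

    # setspn -X reports duplicate SPNs across the domain; a duplicate means the KDC
    # cannot pick a single account key and tickets for this service will fail
    $duplicateLines = @(& setspn.exe -X 2>&1 | Where-Object { $_ -match [regex]::Escape($spn) })

    # setspn -L shows the SPNs registered on the given account, one per indented line
    $registered = @(& setspn.exe -L $ServiceAccount 2>&1 | Where-Object { $_.Trim() -ieq $spn })

    [pscustomobject]@{
        Spn                 = $spn
        RegisteredOnAccount = ($registered.Count -gt 0)
        OwnerCount          = $owners.Count
        Duplicate           = ($duplicateLines.Count -gt 0)
        Ready               = ($registered.Count -gt 0 -and $owners.Count -eq 1 -and $duplicateLines.Count -eq 0)
    }
}

# Usage:
# Test-MindLinkSpn -HostName 'mindlink.domain.com' -ServiceAccount 'domain\srv_mindlink'
```

If Ready is false and OwnerCount is greater than one, remove the SPN from the unintended account with setspn -D before adding it to the service account.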

NTLM Authentication (Desktop Only)

For the SSO functionality of MindLink Anywhere to work correctly, the MindLink Address will need to be treated as a trusted site section of the End-Users Web Browser. This can be configured by Group Policy or manually. These Instructions are based on Manual configuration using Internet Explorer - other Browsers may vary.

1 - From within Internet Explorer go to Tools > Internet Options

Internet options

2 - In the dialogue box that launches, select the Security tab

3 - Select the Trusted Sites icon and click the Sites button

Trusted sites

URL

4 - Insert the address of the MindLink Anywhere instance, and click Add.

5 - Click Close, Click OK

Close

Certificates

For both MindLink Anywhere and MindLink Mobile it is essential that you provide an appropriate certificate with the correct attributes in order to utilize the web authentication feature in the MindLink Anywhere Management Center, and to adhere to Apple's ATS requirements.

For user authentication in V3, look at the Authentication tab of the MindLink Anywhere Management Center under 'Token Issuing Certificate:'. It is also a mandatory requirement that the key length is set to 2048 bit, as by default this is the lowest level of encryption supported by the authentication token mechanism. Please note that as of 17.2 MindLink Mobile also requires a token issuing certificate. As explained previously, the key length must be set to 2048 bit.

Manage ATS requirements (MindLink Mobile). For iOS 10.3+ devices, the initial callback on port 7074 must be HTTPS, so the service needs to be secured by an SSL certificate.

Certificate details

TLS

As of January 2017 Apple has stated that apps and their corresponding servers have to be ATS compliant, ensuring all traffic is encrypted. This means it is a pre-requisite that your Windows Server has been configured to utilise the TLS 1.2 protocol. Example for enabling TLS 1.2 on the MindLink Server:

  • This is one way to enable TLS 1.2, but please consult your local deployment administrators before proceeding.

The following link will run through how to set this up using the registry edit tool: https://technet.microsoft.com/en-us/library/dn786418%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396#BKMK_SchannelTR_TLS12

Server

Conversation History

Enabling Server Side Conversation History (up to Server 17.2)

When enabling Skype for Business's Server Side Conversation History feature, a user's IM history can be exported from MindLink to the user's Conversation History folder using Exchange. In order to utilise this feature in conjunction with MindLink, the following minimum pre-requisites must be met.

  • Server Side Conversation History is supported by MS Exchange 2013 or above
  • Server Side Conversation History is supported by Skype for Business 2015 server or above.
  • MindLink Anywhere and MindLink Mobile version needs to be 17.1 or above.
  • Integration between Skype for Business 2015 or Skype for Business 2019 and MS Exchange needs to be enabled by creating an OAuth partnership between these applications.
  • Server Side Conversation History needs to be enabled in your Skype for Business environment.

After enabling the above, the MindLink administrator simply needs to enable conversation history through the management tool, by clicking the checkbox, save the configuration and restart the MindLink service. Please consult the administration guide for more details.

Enabling Saving and Loading Conversation History (Server 17.3 or later)

Saving and Loading (Persistent IM): Conversation history saving and loading works in tandem with your Microsoft Exchange Server mail service. The Conversation History feature within Outlook/Exchange is used as the conversation repository, so this drives the mechanism for the persistence element of IMs within MindLink's Mobile and Desktop products. To enable Conversation History Saving and Loading, the following must be configured:

  • Every user is required to have their own personal mailbox
  • Unified Contact Store (UCS) must be enabled on Exchange
  • On the Exchange Server, the administrator must grant the MindLink Service account impersonation rights on Exchange using the following PowerShell command: New-ManagementRoleAssignment -Name:MindLinkImpersonation -Role:ApplicationImpersonation -User:ML_SERVICE_ACCOUNT_NAME
  • Once MindLink Mobile or Desktop has been installed, administrators must launch the MindLink Management Center and check "Enable Conversation History Saving" and/or "Enable Conversation History Loading" on the 'Lync/Skype for Business' tab

Conversation

User Photos (18.6+)

Sources

User photos in SfB/Lync can be specified in three ways:

  1. URL
  2. Exchange
  3. Active Directory

MindLink will attempt to resolve a user's photo in the order that these types are listed, so if you have a photo set in Exchange and have also configured a user photo image URL through the native client, the URL image will be shown in MindLink.

Setting User Photos (18.7+)

MindLink also offers the ability to set your user photo directly through the client. This feature is provided by Exchange server (version 15.1 and above), which must be configured correctly to work alongside MindLink.

When a user uploads a new user photo from the client, the MindLink server acts on their behalf using its service account domain credentials to authorize a request against the Exchange Web Services. This single Active Directory service account is therefore responsible for accessing Exchange information for all users, and as such, requires special elevated permissions.

Exchange administration is restricted by Role-Based Access Control (RBAC), a system whereby rights to certain administrative operations and features are defined by distinct "management roles" and granted to users/groups in Active Directory either directly, via a Universal Security Group or via a role group assignment.

Exchange installs with a large set of pre-defined roles out-of-the-box; these typically cover all the different access scenarios administrators are likely to require.

One such role is the Mail Recipients role which includes (but is not limited to) the following entry:

  • SetUserPhoto

It is also configured with the appropriate scopes that MindLink requires to access all user accounts across the organization. For the simplest way of granting these permissions, you can assign this role directly to the service account user:

  • New-ManagementRoleAssignment -Role "Mail Recipients" -User "YourServiceAccountName"

The preferred approach would be to create a new admin role group, assign the role, and then add the service account as a member of the group. This can be easily achieved through the Exchange Admin Center. If you already have MindLink configured with Exchange to enable private conversation history then you may have already created a new admin role group to apply the ApplicationImpersonation role to the service account. If this is the case, then you can simply add the Mail Recipients role to this group too; otherwise, create a new role group.

The Mail Recipients role comes with a lot of other entries that aren't directly relevant to configuring user photos. If security is a consideration, then it may be desirable to restrict the service account access to only those commands that are directly relevant. This can be done quite easily by creating a new management role that only contains the role entry above. We can do this by "cloning" the Mail Recipients role and removing all other role entries:

  • New-ManagementRole -Name "Set User Photos" -Parent "Mail Recipients"
  • Get-ManagementRoleEntry "Set User Photos\*" | Where {$_.Name -NotLike "SetUserPhoto"} | Remove-ManagementRoleEntry

We now have a new management role "Set User Photos" with all the same scopes as Mail Recipients but that only contains the entry relevant to configuring user photos. This should be assigned to the service account using either of the methods described previously.
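The script below is an added example (not MindLink's own documentation) that carries the least-privilege approach through end to end in the Exchange Management Shell: it clones the role as described above, verifies that only SetUserPhoto remains, grants it via a role group rather than a direct user assignment, and lists the service account's effective assignments so any broader leftover roles are visible. The account and group names are placeholders.

```powershell
# Added example: least-privilege role for MindLink user photo uploads.
# Run in the Exchange Management Shell as an RBAC administrator.

$ServiceAccount = 'svc_mindlink'            # placeholder service account
$RoleName       = 'Set User Photos'         # role name used in the text above
$GroupName      = 'MindLink Photo Admins'   # placeholder role group name

# Clone Mail Recipients (inherits its scopes) and strip every entry except SetUserPhoto
if (-not (Get-ManagementRole -Identity $RoleName -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $RoleName -Parent 'Mail Recipients' | Out-Null
    Get-ManagementRoleEntry "$RoleName\*" |
        Where-Object { $_.Name -ne 'SetUserPhoto' } |
        Remove-ManagementRoleEntry -Confirm:$false
}

# Verify the role really is minimal: exactly one entry, and it is SetUserPhoto
$entries = @(Get-ManagementRoleEntry "$RoleName\*")
if ($entries.Count -ne 1 -or $entries[0].Name -ne 'SetUserPhoto') {
    throw "Role '$RoleName' has unexpected entries: $($entries.Name -join ', ')"
}

# Grant through a role group so membership, not role wiring, is what gets reviewed later
if (-not (Get-RoleGroup -Identity $GroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $GroupName -Roles $RoleName -Members $ServiceAccount | Out-Null
} else {
    Add-RoleGroupMember -Identity $GroupName -Member $ServiceAccount -ErrorAction SilentlyContinue
}

# Show everything the service account can now do; a direct "Mail Recipients"
# assignment left over from earlier testing would appear here and should be removed
Get-ManagementRoleAssignment -RoleAssignee $ServiceAccount -GetEffectiveUsers |
    Select-Object Role, RoleAssigneeName, RoleAssigneeType
```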

Mobile Autodiscovery (17.6+)

DNS requirements

As of 17.6 it is possible to configure your mobile deployment to accept users' domain email addresses, e.g. test1@testdomain.local, as a means of initialising against a MindLink Mobile deployment. However, there are a few pre-requisite steps to make this possible. Firstly, ensure that a CNAME (alias) record is set up in your forward lookup zone. Once this is done you will want to choose a target host; this will be the server hosting the MindLink Mobile service.
