
Stage 2 - Pre-Requisites

Version 17.4

Introduction

The MindLink Suite of products requires a series of pre-requisites to be in place both on the MindLink Application Server, and on the Lync Front End Server in order for the products to function correctly. This guide will help you to get your infrastructure into a state ready to accept the MindLink Product.

The Prerequisites required are:

| Requirement | Version |
|---|---|
| .NET Framework | 4.7.1 |
| C++ Redistributable | 2012, 2013 |
| MindLink Server as Trusted Application on Front End | N/A |
| SSL Certificate | Locally or Publicly Signed |
| For Server Pooling | Microsoft SQL Server 2012, 2014 and 2016 |

1 System requirements

Hardware

  • Dual or Quad core, 64-bit CPU (minimum 2.4 GHz)
  • Gigabit Ethernet connection
  • 4GB RAM
  • Minimum 1Gb disk space

Operating System

  • Windows Server 2008 R2, 2012, 2012 R2 or 2016
  • Domain Joined
  • Microsoft .Net Framework 4.7.1
  • C++ 2012 redistributable installation binary (for Lync 2013 only) 
  • C++ 2013 redistributable installation binary (for Skype for Business only) 
  • Domain Member Service Account 

Network

  • Communication on Port 2195 for APNS Push Notifications (MindLink Mobile for iPhone/iPad)
  • If you enable Server Pooling functionality (available to MindLink Mobile only), you may use a High Availability / Resiliency strategy supported by Microsoft SQL Server 2012, 2014 or 2016 such as 'Mirroring' or 'Always on'

Lync/Skype For Business

  • Lync Front End must be able to resolve DNS Name
  • Persistent Chat must be enabled in your Lync Topology for Persistent Chat Room access. It is not required for IM only.

The above is the minimum specification that supports approximately 2000 concurrent sessions. The administrator may co-locate all versions of MindLink (Desktop, WebPart, Mobile and Integrations) onto a single server. However, CPU, memory and disk resources will need to be scaled accordingly. Please contact our Support Team at support at mindlinksoft.com for assistance with capacity planning.

 

1 Identify if you have Persistent Chat Enabled

1.1 As a Lync/SFB Administrator

An administrator can check the Topology of the installation and check there is a Persistent Chat Pool created with at least one server in the Topology Builder tool.


1.2 As an end User of Lync

Anyone within the organisation who may be Pchat enabled will have this icon visible allowing them to participate in Rooms

Image

Alternatively you can CTRL-SHIFT RightClick over the minimised tray icon of Lync/SFB which will show Configuration Settings of the local client. The last line of output will show the value for pChat Enabled? which should be TRUE

2 Client Requirements

 

  • Internet Explorer 6-11, Microsoft Edge, latest Firefox, Chrome, Opera, or Safari (MindLink Desktop v1/v2)
  • Internet Explorer 10-11, Microsoft Edge, latest Firefox, Chrome, or Safari (MindLink Desktop v3)
  • Android OS 6.0 or above (MindLink Mobile – Android)
  • iOS 10.3 or above (MindLink Mobile for iPhone/iPad)
  • Blackberry OS 4.6 or above (MindLink Mobile – Blackberry)

 

3 Lync 2013 or SFB Auto-Provisioning Requirements (Optional)

Lync 2013/SFB auto provisioning is not necessary if you prefer to manually configure your Lync front end FQDN, but it allows auto discovery in case the topology changes.

Install Lync Server Core Components from the Lync server ISO onto the MindLink Server:

  • Install or Update Lync Server System -> Install Local Configuration Store and Setup or Remove Lync Server Components
  • Enable Lync auto discover for DNS/SRV records, lyncdiscoverinternal. and sipinternal.
  • The MindLink service account must be a member of the ‘RTC Component Local Group’ local group.

 

  • Set the certificate

 

3.1 Setting the Certificate

1. Launch Lync Server Management Shell, which will now be installed on the MindLink Server.

On the Start menu, select All Programs > Microsoft Lync Server 2013 > right-click Lync Server Management Shell > click Run as administrator.

2. In Lync Server Management Shell, run the Set-CsCertificate cmdlet.

In the following example, a certificate with a thumbprint of 14b04424b8316d90c72438dfefdf83d1fd917d39 is bound to the trusted application server:

Set-CsCertificate -Type Default -Thumbprint 14b04424b8316d90c72438dfefdf83d1fd917d39

4 Where do I get the Pre-Requisites?

The Pre-requisite software is readily available from the Official Microsoft Website.

.Net 4.7 can be found at https://www.microsoft.com/en-gb/download/details.aspx?id=55170
C++ Redistributable 2012 (for Lync 2013 and Prior) from http://www.microsoft.com/en-us/download/details.aspx?id=30679
C++ Redistributable 2013 (for Skype for Business) from http://www.microsoft.com/en-in/download/details.aspx?id=40784

 

5 .Net Framework Installation

This pre-requisite is packaged as NDP47-KB3186500-Web.exe. It is recommended that this is installed on the MindLink Server first.

1 – Navigate to the location of the MindLink Software installers, and within the Pre-Reqs folder double click the NDP47-KB3186500-Web.exe file

2 – When Prompted, read and accept the license terms and click install

3 – When prompted, click Finish

6 Microsoft Visual C++2012 or C++2013 Redistributable

This pre-requisite is packaged as vcredist_x64.exe. It is recommended that this is installed on the MindLink Server second.

1 – Navigate to the location of the MindLink Software installers, and within the Pre-Reqs folder double click the vcredist_x64.exe file

2 – When prompted, read and accept the License terms and conditions and click Install

3 – When the application is successfully installed, click close.

7 Configuring Lync/SFB Trusted Application Pools

1 - Log onto the Front End Server

2 - Launch the ‘Lync Server 2010/2013/SFB Topology Builder’

3 - In the left tree pane, right-click on the ‘Trusted application servers’ folder

4 - Select the option ‘New Trusted Application Pool…’ from the context menu

5 - Add the FQDN of the server (i.e. server.domain.com) where MindLink Desktop is installed

6 - Select ‘Single computer pool’ if MindLink Desktop is installed on a single instance, or ‘Multiple computer pool’ if MindLink Desktop is installed in a load balanced configuration

7 - Click the ‘Next’ button

8 - Select the next hop which will be the front end (for Standard Edition) or the pool (for Enterprise Edition), click the ‘Finish’ button

9 - Publish the topology with the changes you have just implemented

10 - Launch the ‘Lync Server Management Shell’ application and run the following command to create a trusted application:

New-CsTrustedApplication -ApplicationID -TrustedApplicationPoolFqdn -Port

e.g. New-CsTrustedApplication -ApplicationID MindLinkMobile -TrustedApplicationPoolFqdn mindlinkserver.domain.com -Port 4096

1 ApplicationID: a string which describes the application. This can be anything that meets the syntax requirements (e.g. no spaces, no special characters etc.).

2 TrustedApplicationPoolFqdn: the FQDN of the trusted application pool that was just created above.

3 Port: the listen port of the MindLink Server. Each product has its own default port to allow co-location. Default ports are:

  • MindLink API is 4096
  • MindLink Desktop is 4097
  • MindLink Mobile is 4099

 


11 - You will then be prompted to execute the Enable-CsTopology command to implement the changes. If the cursor moves to the next line without any errors, then the command has been executed successfully

12 - Launch the ‘Lync Server Control Panel’

13 - Under ‘Topology > Trusted Application’ you should now see the application you just added. If it is not there, just click on the ‘Refresh’ button and it should appear


8 Generating a Certificate

If you are using a publicly signed certificate, signed by a Certificate Authority such as Geotrust or Verisign, then it is suggested that you use the Lync Bootstrapper tool bundled as part of the Lync installation executable. If you are using a locally signed certificate, then you will need to ensure that the certificate's root CA is authorised on the end user's device.

A certificate is required in each of the following cases:

1. If MindLink is being served over HTTPS, a client-facing certificate is required.

  • a. The subject name must match the DNS name of the URL by which MindLink is accessed.
  • b. The issuer must be trusted by all client machines – i.e. a public CA may be required if clients are accessing via the internet.

2. A certificate is needed to perform MTLS with the Lync frontend servers.

  • a. The subject name must match the FQDN of the server on which MindLink is hosted.
  • b. The issuer must be trusted by the Lync frontend – i.e. an enterprise internal CA will be acceptable providing both Lync and MindLink servers trust the same CA.

Each server certificate must include:

  • a) EKU property for "Server Authentication"
  • b) A CRL distribution point
  • c) Subject name should be the FQDN of the server
  • d) Private key

The same certificate may be used for both roles only if the issuing CA is trusted by all client computers and the Lync frontend server, and either the DNS name on which MindLink will be accessed via HTTP is the same as the FQDN of the machine, or the certificate has SANs for the public DNS name and the FQDN.
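The four requirements listed above can be checked against an installed certificate before it is bound. This is an added example, not MindLink or Microsoft code; the function name is hypothetical, and the SAN parsing assumes an English-language Windows installation.

```powershell
# Added example (not MindLink code). Audits one certificate in the local
# computer's Personal store against the requirements listed above.
function Test-ServerCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $Thumbprint,
        [Parameter(Mandatory = $true)] [string] $Fqdn
    )
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

    # a) Enhanced Key Usage (2.5.29.37) must list Server Authentication.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $serverAuth = $false
    if ($eku) {
        $serverAuth = @($eku.EnhancedKeyUsages |
            Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }).Count -gt 0
    }

    # b) A CRL Distribution Points extension (2.5.29.31) must be present.
    $hasCrl = @($cert.Extensions |
        Where-Object { $_.Oid.Value -eq '2.5.29.31' }).Count -gt 0

    # c) The FQDN must be the subject CN or a SAN DNS entry (2.5.29.17).
    #    Assumption: English-language Windows, which formats SAN entries
    #    as "DNS Name=host.domain.com". Wildcard names are not expanded.
    $names = @($cert.GetNameInfo('SimpleName', $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }

    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        ServerAuthEku = $serverAuth
        CrlDistPoint  = $hasCrl
        NameMatches   = ($names -contains $Fqdn)   # -contains ignores case
        HasPrivateKey = $cert.HasPrivateKey        # d) private key present
    }
}

# Usage (placeholder thumbprint, constructed FQDN):
# Test-ServerCertificate -Thumbprint '<certificate thumbprint>' -Fqdn 'mindlink.domain.com'
```

Any property that comes back False corresponds to one of the listed requirements not being met.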

These instructions are aimed at customers using an Internally Signed Certificate.

1 – From the MindLink Server, Launch an instance of MMC (Start > Search ‘mmc’)

2 – Click File > Add/Remove Snap-In…

3 – Click Certificates > Add > Computer Account > Next > Finish > OK

4 – Navigate to the Certificate folder within the Personal Store

5 – Right Click in a Blank Area of the centre pane and select All Tasks > Request a New Certificate

6 – Click Next to begin the Wizard. Select Active Directory Enrollment Policy and click Next

7 – Set Computer tickbox to True and click Enroll

8 – Click Finish

9 – Right Click your newly created certificate and go to: All Tasks > Manage Private Keys. If this is not available the certificate has no Private key and will not work.

9 – In the dialogue Box that appears, click Add and add permissions for the Service Account that will run MindLink, and click Check Names. This step is only required for Email connector or Social connector, the other products will automatically assign permission.

10 – Click OK

11 – Ensure that the permissions are set to Full Control and click OK

9 Configuring your MindLink Desktop / API environment for SSO

9.1 Kerberos Authentication

Kerberos operates using “principals”, which are identifiers for users and services for which Kerberos tickets can be generated. So that a client can create a ticket readable by a service, it looks up the service principal name and asks the Kerberos server to produce a ticket that can be given to the service. Clearly, if the service has no registered principal name, or an incorrect principal name is used (for instance falling back to a default service name), then the ticket will be incorrect and authentication will fail.

Windows authentication can be implemented by running the following command as a domain administrator:

· setspn -U -A http/

e.g. setspn -U -A http/mindlink.domain.com domain\srv_mindlink
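After registering the SPN, it is worth confirming that it resolves to exactly one account, since a missing, misassigned or duplicated SPN all end in failed Kerberos authentication. The following is an added example, not MindLink code; the function name is hypothetical, and it assumes the account lives in the current domain and that the SPN contains no LDAP filter metacharacters.

```powershell
# Added example (not MindLink code). Looks up which accounts hold an SPN
# in the current domain and classifies the result.
function Test-ServiceSpn {
    param(
        [Parameter(Mandatory = $true)] [string] $Spn,
        [Parameter(Mandatory = $true)] [string] $ExpectedAccount  # sAMAccountName
    )
    # Assumption: $Spn has no LDAP filter metacharacters ( ) * \
    $searcher = [adsisearcher] "(servicePrincipalName=$Spn)"
    $searcher.PropertiesToLoad.Add('sAMAccountName') | Out-Null

    $holders = @($searcher.FindAll() |
        ForEach-Object { $_.Properties['samaccountname'][0] })

    if ($holders.Count -eq 0) {
        $status = 'Missing'        # no account holds the SPN
    } elseif ($holders.Count -gt 1) {
        $status = 'Duplicate'      # more than one account holds the SPN
    } elseif ($holders[0] -ne $ExpectedAccount) {
        $status = 'WrongAccount'   # registered, but not to the service account
    } else {
        $status = 'OK'
    }

    New-Object PSObject -Property @{
        Spn     = $Spn
        Holders = ($holders -join ', ')
        Status  = $status
    }
}

# Usage, with the constructed names from the setspn example above:
# Test-ServiceSpn -Spn 'http/mindlink.domain.com' -ExpectedAccount 'srv_mindlink'
```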

9.2 NTLM Authentication (Desktop Only)

For the SSO functionality of MindLink Desktop to work correctly, the MindLink address will need to be added to the Trusted Sites section of the end user's web browser. This can be configured by Group Policy or manually. These instructions are based on manual configuration using Internet Explorer; other browsers may vary.

1 – From within Internet Explorer go to Tools > Internet Options

2 – In the dialogue box that launches, select the security tab

3 – Select the Trusted Sites icon and click the Sites button

4 – Insert the address of the MindLink Desktop instance, and click Add.

5 – Click Close, Click OK

10 Certificates

For both MindLink Desktop and MindLink Mobile it is essential that you provide an appropriate certificate with the correct attributes in order to utilize the web authentication feature in the MindLink Desktop Management Center, and to adhere to Apple's ATS requirements.

For user authentication in V3, look at the Authentication tab of the MindLink Desktop Management Center under 'Token Issuing Certificate:'. It is also a mandatory requirement that the key length is set to 2048 bit, as by default this is the lowest level of encryption supported by the authentication token mechanism. Please note that as of 17.2 MindLink Mobile also requires a token issuing certificate. As explained previously, the key length must be set to 2048 bit.

Manage ATS requirements (MindLink Mobile): for iOS 8+ devices, the initial callback on port 7074 must be HTTPS, so the service needs to be secured by an SSL certificate.

11 TLS 1.2

As of January 2017 Apple has stated that apps and their subsequent servers have to be ATS compliant, ensuring all traffic is encrypted. This means it is a pre-requisite that your Windows Server has been configured to utilise the TLS 1.2 protocol.

Example for enabling TLS 1.2 on the MindLink Server

Note: this is one way to enable TLS 1.2, but please consult your local deployment administrators before proceeding.

The following link will run through how to set this up using the registry edit tool: https://technet.microsoft.com/en-us/library/dn786418%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396#BKMK_SchannelTR_TLS12
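Before changing anything, the current Schannel state can be read back from the registry. This read-only check is an added example, not MindLink or Microsoft code; the function name is hypothetical, and the key path is the Schannel TLS 1.2 protocol key that the linked article documents.

```powershell
# Added example (not MindLink code). Read-only report of the Schannel
# TLS 1.2 registry settings for the Server and Client roles.
function Get-Tls12State {
    param(
        [string] $BasePath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
    )
    foreach ($role in 'Server', 'Client') {
        $key   = Join-Path $BasePath $role
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

        $enabled = $null
        $disabledByDefault = $null
        if ($props) {
            $enabled           = $props.Enabled
            $disabledByDefault = $props.DisabledByDefault
        }

        if ($null -eq $enabled -and $null -eq $disabledByDefault) {
            # No explicit values: the operating system default applies.
            $state = 'Not configured (OS default applies)'
        } elseif ($enabled -eq 0 -or $disabledByDefault -eq 1) {
            $state = 'Disabled by registry'
        } else {
            $state = 'Enabled by registry'
        }

        New-Object PSObject -Property @{
            Role              = $role
            Enabled           = $enabled
            DisabledByDefault = $disabledByDefault
            State             = $state
        }
    }
}

Get-Tls12State | Format-Table Role, Enabled, DisabledByDefault, State -AutoSize
```

The Server row governs inbound connections to the MindLink Server; the Client row governs connections it makes outbound.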


12 Conversation History

12.1 Enabling Server Side Conversation History (up to Server 17.2)

  When enabling the Skype for Business's Server Side Conversation History feature a user's IM history can be exported from MindLink to the user's Conversation History folder using Exchange. In order to utilise this feature in conjunction with MindLink the following minimum pre-requisites must be met.  

  • Server Side Conversation History is supported by MS Exchange 2013 or above
  • Server Side Conversation History is supported by Skype for Business 2015 server or above.
  • MindLink Desktop and MindLink Mobile version needs to be 17.1 or above.
  • Integration between Skype for Business 2015 and MS Exchange needs to be enabled by creating an OAuth partnership between these applications.
  • Server Side Conversation History needs to be enabled in your Skype for Business environment.

  After enabling the above, the MindLink administrator simply needs to enable conversation history through the management tool, by clicking the checkbox, save the configuration and restart the MindLink service. Please consult the administration guide for more details.  

12.2 Enabling Saving and Loading Conversation History (Server 17.3 or later)

  Saving and Loading (Persistent IM) : Conversation history saving and loading works in tandem with your Microsoft Exchange Server mail service. The Conversation History feature within Outlook/Exchange is used as the conversation repository. So this drives the mechanism for the persistence element of IMs within MindLink's Mobile and Desktop products. To enable Conversation History Saving and Loading, the following must be configured:  

  • Every user is required to have their own personal mail box
  • Unified Contact Store (UCS) must be enabled on Exchange
  • On the Exchange Server, the administrator must grant the MindLink service account impersonation rights on Exchange using the following PowerShell command:
    New-ManagementRoleAssignment -Name:MindLinkImpersonation -Role:ApplicationImpersonation -User:ML_SERVICE_ACCOUNT_NAME
  • Once MindLink Mobile or Desktop has been installed, administrators must launch the MindLink Management Center, check the "Enable Conversation History Saving" and/or "Enable Conversation History Loading" on the 'Lync/Skype for Business' tab
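The role assignment shown in the list above applies to every mailbox in the organisation. Where only a subset of users will use MindLink, the assignment can be limited with a management scope. This is an added example, not part of the MindLink instructions: the scope name and group distinguished name are placeholders, and whether MindLink operates correctly with a scoped assignment is an assumption to confirm with MindLink support.

```powershell
# Added example (not MindLink code). Run in the Exchange Management Shell.
# 'MindLinkUsers' and the group DN below are placeholders.

# Organisation-wide assignment, as given in the list above:
#   New-ManagementRoleAssignment -Name:MindLinkImpersonation `
#       -Role:ApplicationImpersonation -User:ML_SERVICE_ACCOUNT_NAME

# Scoped alternative: limit impersonation to members of one group.
New-ManagementScope -Name 'MindLinkUsers' `
    -RecipientRestrictionFilter "MemberOfGroup -eq 'CN=MindLink Users,OU=Groups,DC=domain,DC=com'"

New-ManagementRoleAssignment -Name 'MindLinkImpersonation' `
    -Role 'ApplicationImpersonation' `
    -User 'ML_SERVICE_ACCOUNT_NAME' `
    -CustomRecipientWriteScope 'MindLinkUsers'

# Review who holds ApplicationImpersonation and over which scope.
Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' -GetEffectiveUsers |
    Select-Object Name, EffectiveUserName, CustomRecipientWriteScope
```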


13 Mobile Autodiscovery (17.6+)

13.1 DNS requirements

As of 17.6 it is possible to configure your mobile deployment to accept users' domain email addresses, i.e. test1 at testdomain.local, as a means of initializing against a MindLink Mobile deployment. However, there are a few pre-requisite steps that will be discussed to make this possible. Firstly, ensure that a CNAME (alias) record is set up in your forward lookup zone. Once this is done you will want to choose a target host; this will be the server hosting the MindLink Mobile service.