Web Security - Manage Exceptions

This article explains how to allow your trusted domains and IPs to bypass the Mimecast Web Security functionality by configuring exceptions, and is intended for use by Administrators.

 
You need to do this because the Mimecast Security Agent intercepts every DNS request and sends it to Mimecast DNS for policy application and resolution. If a domain resolves to an internal IP, the domain should be added to the exceptions; otherwise, it will fail to resolve.
 
Note: For cloud-only setups, internal domain requests won't be forwarded outside your organization, as the request goes to your internal DNS server before being passed to Mimecast Web Security.

 


Default Exceptions

To make your initial configuration process easier, a default exceptions list is created in your account with the top-level domains (TLDs) listed below. You can modify the list of default exceptions as required:

  • local
  • internal
  • lan
  • home
  • corp
  • localdomain
  • domain
  • mail

If you want more granular control over the domains you allow users to access, we recommend adding top-level domains / sub-domains to your allow / block lists in a domain filtering policy. See the Configuring a Block or Allow List Policy section of Managing Policies for full details.

You should consider your exceptions carefully; they should be domain areas that are frequently utilized and fully trusted (i.e. internal company sites).
Add your internal domains to the exceptions list so that local resources remain accessible when the Mimecast Security Agent is installed.

 

Considerations

When configuring exceptions, consider the following:

  • A domain added to your exceptions list won't connect with Mimecast if the Mimecast Security Agent is installed. This means any configured security policies are non-applicable and user activity is not logged.
  • If the Mimecast Security Agent is not installed, then the request has to reach Mimecast and the activities are logged with a Reason on the Activity Report, and no configured policies will apply.
  • An IP address added to your exception list works differently from a domain:
    • A DNS request which resolves to an IP address found in the exception list won't have any configured security policies applied.
    • If logging is enabled, the activity is logged.
    • This is intended for public server IPs that may have multiple or changing domains / hostnames.
    • IPs in this list will bypass Direct IP Protection if enabled.

 

Direct IP Protection

Direct IP Protection blocks IP connections that are made without a known DNS request. For more information, see Direct IP Protection. You can add an IPv4 and IPv6 address to the exception list to bypass Direct IP Protection.

 

Managing Exceptions

To access your exceptions:

  1. Log on to the Administration Console.
  2. Navigate to Web Security | Exceptions.
  3. To Add a new Exception:
    1. Click on the Add New Exception button.
    2. Complete the pop out panel as follows:
      • Name: Add a description for the exception (e.g. Internal Subsidiary Domain).
      • Type: Select whether the exception is a "Domain" or "IP Range" from the drop down list. The relevant field is displayed.
      • Domain: Specify a domain name.
        Note: Adding a domain as an exception also adds any of its subdomains as an exception. For example, adding "acme.com" also adds "subdomain.acme.com".
      • IP Range: Specify the IP address / IP address range (in CIDR format) of a trusted domain.
    3. Click on the Add button.
  4. To Edit an Exception:
    1. Click on an Exception, or click on the ellipsis "..." next to it, then select the Edit option.
    2. Amend the fields as required.
    3. Click on the Save button.
  5. To Search for an Exception:
    1. Click on the All down arrow next to the search field.
    2. Select an option:
      • All: Searches all exceptions regardless of the type. This is the default.
      • Name: Searches for the exception name.
      • Domain: Searches for the domain name.
      • IP Address/Range: Searches the IP address range.
    3. Enter your search criteria in the Search field (e.g. Name, Domain, IP Address/Range).
    4. Press the Enter key, or click on the Search icon, to show the search results.
  6. To Delete an Exception:
    1. Click on the ellipsis "..." to the right of the exception, then select the Delete option.
    2. Click on the Delete button in the confirmation dialog, to confirm the deletion.
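
Because an exception removes policy enforcement (and, for domains, logging), it helps to check what a proposed list actually covers before saving it. The following is an added example, not Mimecast code: it models the domain/subdomain and CIDR rules described in this article, and the label-boundary matching, the MAX_RANGE threshold and the sample entries are assumptions.

```python
import ipaddress

# Default exception TLDs listed in this article.
DEFAULT_TLDS = {"local", "internal", "lan", "home", "corp",
                "localdomain", "domain", "mail"}
MAX_RANGE = 256  # assumed review threshold (addresses per range), not a product limit

def domain_covers(exception, host):
    """True if host is the excepted domain or one of its subdomains.
    Matching on label boundaries is an assumption about the product."""
    exception = exception.strip(".").lower()
    host = host.strip(".").lower()
    return host == exception or host.endswith("." + exception)

def effect(host, resolved_ip, domains, ranges):
    """Describe how a lookup is treated, following the Considerations
    section (Mimecast Security Agent installed)."""
    for d in domains:
        if domain_covers(d, host):
            # Domain exceptions never reach Mimecast: no policy, no logging.
            return {"match": d, "policy": False, "logged_if_enabled": False}
    addr = ipaddress.ip_address(resolved_ip)
    for r in ranges:
        if addr in ipaddress.ip_network(r, strict=False):
            # IP exceptions skip policy and Direct IP Protection, but the
            # activity is still logged when logging is enabled.
            return {"match": r, "policy": False, "logged_if_enabled": True}
    return {"match": None, "policy": True, "logged_if_enabled": True}

def review(domains, ranges):
    """Return exception entries broad enough to deserve a second look."""
    findings = []
    for d in domains:
        if "." not in d.strip(".") and d.lower() not in DEFAULT_TLDS:
            findings.append((d, "single label outside the defaults: covers every domain under it"))
    for r in ranges:
        net = ipaddress.ip_network(r, strict=False)
        if net.num_addresses > MAX_RANGE:
            findings.append((r, f"{net.num_addresses} addresses bypass policy"))
    return findings

# Constructed sample exception list and lookups (documentation address ranges).
DOMAINS = ["corp", "acme.com", "io"]
RANGES = ["198.51.100.0/24", "2001:db8::/32", "203.0.113.7"]

if __name__ == "__main__":
    for host, ip in [("wiki.hr.acme.com", "10.1.2.3"), ("notacme.com", "192.0.2.9"),
                     ("cdn.example.net", "198.51.100.40"), ("example.org", "2001:db8::5")]:
        print(host, ip, effect(host, ip, DOMAINS, RANGES))
    for entry, why in review(DOMAINS, RANGES):
        print("REVIEW", entry, "-", why)
```
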