Mimecast Synchronization Engine - Site Binding

This guide describes how to use the site configuration utility to configure and view information about your Mimecast Synchronization Engine (MSE) site.

STEP 1 - Configuring the Microsoft Mailbox

The Mimecast Synchronization Engine uses a single mailbox with elevated permissions to access the mailboxes in your organization; this is referred to as the Microsoft Mailbox. The Microsoft Mailbox requires Impersonation permissions to access other mailboxes. For full details on these requirements, read the following:

• Directory Synchronization for Active Directory synchronization.
• Configure Open Auth with Microsoft.

To set up the Microsoft Mailbox:

1. Open the Site Configure utility on the server where MSE is installed.
2. Click the Accounts tab.
3. Complete as follows:

4. Click the Apply button.
5. Start the Site Bind process described below.

STEP 2 - Configuring Application Impersonation

Application Impersonation is used when a single account needs to access many mailboxes. It allows an application (e.g., Mimecast Synchronization Engine) to use a dedicated service account to access multiple users' mailboxes and their respective data. The following Microsoft KB Article describes configuring Application Impersonation in your environment to allow Mimecast to access your mailboxes as a named user.

• Microsoft Article: How to Configure Application Impersonation

Exchange 2016 or Later

For Exchange 2016 or later, the user selected as the master mailbox must:

• Have you enabled the Microsoft Mailbox? (configured in Step 1)
• Have you assigned the Microsoft Mailbox user the Application Impersonation Management Role? To configure this permission:

1. Open an Exchange Management Shell with a logon containing the Organization Management role.
2. Run the following command:

   New-ManagementRoleAssignment -Name:exchangeImpersonation -Role:ApplicationImpersonation -User:User1

   User1 is the account selected to run the Mimecast Synchronization Engine or Sync & Recover service.
3. Check that the user has been successfully added to the Management role by running the following command:

   Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers | Where { $_.EffectiveUserName -Eq "User1" }

   Where the same User1 and the same 'name' value (exchangeImpersonation) is used from Step 2.

Microsoft 365 Hybrid Environments

In a Microsoft 365 hybrid environment:

• On-premises Exchange: The Mimecast Services for Exchange (MSE) service account requires the Application Impersonation role to process mailboxes.
• Exchange Online: The MSE OAuth application needs Exchange.ManageAsApp, EWS full_access_as_app permissions, and the Exchange Administrator Role.
• Permissions must be configured in both environments to ensure the MSE can operate seamlessly across the hybrid setup.

STEP 3 - The Binding Process

In the context of the MSE, a binding is a security association between the application and Mimecast. The binding is created when a user with the required permissions successfully authenticates using the site Bind process on the server where the MSE is installed. You need a binding to view the MSE site in the Administration Console and apply scheduled tasks.

Binding Requirements

• Outbound connectivity using HTTPS (port 443) from the server where the MSE is installed to Mimecast.
• Access to the server where the MSE is installed.
• The email address and password for the Mimecast account. See the Mimecast Administration Console - Administrator Role Permissions and Administration - Managing Administrator Roles pages for creating, adding, and setting the role and permissions.
• The user account used must have the "Synchronization Engine Administrator" role.
• Before binding via Open Auth, a single-tenant application must be created. To do this, follow the instructions in this article: How to Configure an Open Authentication Register.

Binding Process

1. Open Mimecast Synchronization Engine.
2. Configure the Accounts tab according to your environment using the supported configurations below.
• Bind Office 365 using OAuth
• Bind On-Prem & Hybrid On-Prem using OAuth
• Bind On-Prem using Basic Auth
• On-Premise Active Directory

Microsoft 365 Using OAuth

1. Follow the OAuth steps in the article Configuring OAuth to Configure the Azure App, Set Permissions, Account Roles, and Generate the Certificate and Thumbprint.
2. Then, complete the Accounts tab section as shown below.

To use Open Authentication for O365, you only need to check the Open Auth option. Enter the Microsoft O365 mailbox SMTP address. The Host Address should be prefilled with the Office 365 EWS address. Complete the following details. Tenant ID Client ID Client Secret Cert. Thumbprint Organization Ensure the Directory Type is set to Microsoft Office 365 Directory. Click Apply.

In the Validation window, enter your Mimecast Sync Engine Administrator address and the Cloud Password associated with that account. See Authentication - Cloud Password Reset - Configurations and Administrator Roles for more information. After entering the credentials, click Apply at the bottom of the screen. Failure to provide correct credentials for the authentication type or using a user with insufficient permissions results in the site bind failing. If the screen to the right is presented, the MSE has been bound successfully. If any errors appear, please see the latest Mimecast Bind Logs in...%ProgramData%\Mimecast Synchronisation Engine\Logs\Site Configure\

On-Premise Exchange & On-Premises Exchange with O365 Hybrid Using OAuth

1. Follow the OAuth steps in the article Configuring OAuth to Configure the Azure App, Set Permissions, Account Roles, and Generate the Certificate and Thumbprint.
2. Then, complete the Accounts tab section as shown below.

To use Open Authentication with an On-Premises and Hybrid exchange setup, check the Basic Authentication and Open Auth boxes. Complete the SMTP Address for the On-Prem Microsoft Mailbox, enter the password, and check the Use Exchange Impersonation fields. Enter the SMTP for the Microsoft Mailbox for O365. The Host Address should be prefilled with the Office 365 EWS address. Complete the remaining fields with the following details. Tenant ID Client ID Client Secret Cert. Thumbprint Organization Ensure the Directory Type is set to Microsoft Active Directory, and enter your Exchange Server authentication details... Server - The on-premises Active Directory Server Name or FQDN you want to connect to. User Name - The MSE service account Password - MSE service account domain credentials are only used for MSE AD Sync. Click Apply.
In the Validation window, enter your Mimecast Sync Engine Administrator address and the Cloud Password associated with that account. See Authentication - Cloud Password Reset - Configurations and Administrator Roles for more information. After entering the credentials, click Apply at the bottom of the screen. Failure to provide correct credentials for the authentication type or using a user with insufficient permissions results in the site bind failing. If the screen to the right is presented, the MSE has been bound successfully. If any errors appear, please see the latest Mimecast Bind Logs in...%ProgramData%\Mimecast Synchronisation Engine\Logs\Site Configure\

On-Premise Exchange using Basic Auth

To configure and bind to an on-prem exchange, complete the Accounts tab section as shown below.
 

To use the Basic Authentication on-premises exchange setup, you must only check the Basic Authentication box. Complete the SMTP Address for the Microsoft Mailbox, enter the password, and check the Use Exchange Impersonation fields. Ensure the Directory Type is set to Microsoft Active Directory, and enter your Exchange Server authentication details... Server - The on-premises Active Directory Server Name or FQDN you want to connect to. User Name - The MSE service account Password - MSE service account domain credentials are only used for MSE AD Sync. Click Apply.

In the Validation window, enter your Mimecast Sync Engine Administrator address and the Cloud Password associated with that account. See Authentication - Cloud Password Reset - Configurations and Administrator Roles for more information. After entering the credentials, click Apply at the bottom of the screen. Failure to provide correct credentials for the authentication type or using a user with insufficient permissions results in the site bind failing. If the screen to the right is presented, the MSE has been bound successfully. If any errors appear, please see the latest Mimecast Bind Logs in...%ProgramData%\Mimecast Synchronisation Engine\Logs\Site Configure\

On-Premise Active Directory

To configure and bind to an on-premises Active Directory method, complete the Accounts tab section as shown below.

To configure for On-Premise Active Directory, leave both Auth boxes unchecked. Ensure the Directory Type is set to Microsoft Active Directory, and enter your Exchange Server authentication details... Server - The on-premises Active Directory Server Name or FQDN you want to connect to. User Name - The MSE service account Password - MSE service account domain credentials are only used for MSE AD Sync. Click Apply.

In the Validation window, enter your Mimecast Sync Engine Administrator address and the Cloud Password associated with that account. See Authentication - Cloud Password Reset - Configurations and Administrator Roles for more information. After entering the credentials, click Apply at the bottom of the screen. Failure to provide correct credentials for the authentication type or using a user with insufficient permissions results in the site bind failing. If the screen to the right is presented, the MSE has been bound successfully. If any errors appear, please see the latest Mimecast Bind Logs in...%ProgramData%\Mimecast Synchronisation Engine\Logs\Site Configure\

Next Steps

Select and proceed to the relevant Exchange Task(s) articles you would like the MSE client software to perform and implement according to your environment.

>> Exchange Tasks >>