This article describes how to troubleshoot Mimecast Web Security and the Web Security Agent, and is intended for use by Administrators.
The following sections can be used to help Troubleshoot different aspects of Mimecast Web Security configuration, and the Mimecast Security Agent.
Cloud App Visibility and Control
| Issue | Troubleshooting Steps |
|---|---|
| The application you are using is not identified by Web Security. | Send an email to web-security-beta@mimecast.com requesting the application to be supported, and we'll review the request. |
| How to identify the domains associated with an application. | The Activity Report has information about domains for the accessed application. |
| Access to the application has been disabled, and you cannot access a different application. |
This may happen if the two applications share one or more domains. If this happens, allow the domain to which you want access via Managing Policies, in a Block or Allow List Policy. |
| Access to the application has been disabled, but you can still access domains associated with the application that should have been blocked. | Check if the domain is either part of the application or part of a larger service. If it is exclusive to the application, and we don't identify it as an application, raise a support case with us. In the meantime, block the domain via Managing Policies in a Block or Allow List Policy to fix the problem temporarily. |
|
Users are getting blocked by a domain, even though the application is allowed as part of an Application Control Policy, via Managing Policies. |
Check that the domain isn't part of the application you want to access. If you think the domain should be associated with the application, send an email to web-security-beta@mimecast.com, and we'll review the request. |
| An application is being reported in the wrong category. | Use Web Security | Domain and URL Category Lookup in Administration Console to report the application's incorrect categorization by adding the application's top domain (e.g., facebook.com, gmail.com). |
| An application (e.g., Tor) was blocked under the Anonymizer Category, but is still available for use. | Anonymizers are applications that attempt to make activity untraceable by using proxy servers that act as an intermediary and privacy shield between a client computer and the internet (e.g., https://2ip.io/anonim/). Application listed under the Anonymizers category cannot be completely blocked, as any device that already has the application installed will bring in traffic via an encrypted tunnel. However an attempt to download, install, or update Tor will be prevented. |
See Cloud App Visibility & Control.
Exceptions
| Issue | Troubleshooting Steps |
|---|---|
| You have a local DNS server managing internal resources. | If you have a local DNS, this must be set as an exception. |
| Your local DNS exceptions are not being logged. | This is correct; local DNS exceptions aren't logged. |
| You can no longer access local resources (e.g. IP Phones, Network Drives and internal servers). |
If you have Active Directory or a local DNS server managing your internal resources, you must define the local domain as an Exception. |
| You get blocked when trying to visit trusted sites (e.g. outlook.office365.com). | If you trust the site, add it to your Exception Policy, and it won't be checked. |
| How to find out when to define an Exception vs an Explicit Allow. | There are several considerations:
|
| How to find out if blocking a domain also blocks an application, and vice versa. | Blocking a domain will block traffic utilized by the application if they share a commonality. For example, blocking facebook.com will block specific traffic used by the Facebook application. However, blocking the Facebook application will not block facebook.com because that application often utilizes modified URLs or domains to access application services. |
| How to find out if a domain is in a blocked category, if it's possible to bypass that single domain. | When a category policy blocks a domain, an Allow policy can be utilized to override the block. This is because the Allow policy takes precedence over Block policy types. See the Policy Precedence / Specificity in Managing Policies |
Browsers
| Issue | Troubleshooting Steps |
|---|---|
| DNS Cache needs to be cleared in Windows. |
To flush the Windows DNS cache, do the following:
|
| DNS Cache needs to be cleared in Chrome. |
Chrome has a built-in DNS cache, which takes time to expire. To flush the Chrome DNS cache immediately, do the following:
|
| You need to prevent Mozilla Firefox from sending DNS requests to Cloudflare. |
To stop Firefox from sending your DNS requests to Cloudflare, do the following:
|
| How to find out about how Web Security works with DNS over HTTP settings enabled. |
See DNS over HTTPS. |
Policies
| Issue | Troubleshooting Steps |
|---|---|
| You've added or changed a policy, which isn't reflected in your DNS. |
Mimecast Web Security is DNS-based, and the DNS is cached in multiple places, including the client browser, operating system, and gateway devices (e.g., firewalls, NGFW, IDS, IPS). When Web Security blocks a site, we provide the IP address of the block page. When the site's DNS is cached, the cache needs to be refreshed before the IP address of the block page is available. The DNS cache refresh time is specific to the cache. Additionally, each domain owner can set the time to live (TTL) at their discretion, impacting how long the DNS records refresh. When you go from allowing to blocking a site, the time for the DNS cache to refresh varies, but, in general, it takes 10-30 minutes. |
| How to see a list of popular applications, in order to block or allow them. | See Managing Domains in Managing Policies |
| How to find out when Mimecast Web Security proxies a site. | Sites with a category of "Unknown" are proxied. |
| You get an error when attempting to import a CSV file of URLs into a Block / Allow policy. |
The most common reason for an error is that there is an entry in the file that already exists. Open the file in a text editor (e.g., Notepad) and check the following:
|
| You need a category be blocked, but with specific sites enabled. |
Enable the blocked site by adding all the domains it uses as Allow in the Block or Allow List policy. See Managing Domains in Managing Policies |
| A commonly used website is blocked, because it appears to be in the wrong category. |
Occasionally, sites can be mis-categorized. If you suspect this to be the case:
|
| You need to block all web-based clients apart from one, and need rot know which policy type to use. | A Category Filtering policy may best fit, but an Application Category policy is more appropriate. Set it to filter on all web-based email clients, with all clients blocked apart from the one for whom you want to make an exception. See Configuring an Application Control Policy in Managing Policies. |
Mimecast Security Agent
| Issue | Troubleshooting Steps |
|---|---|
|
The Mimecast Security Agent previously protected your device, but now you can't access a web page. |
A protected device must have your Mimecast Security Agent key installed on it. |
| You have installed the Mimecast Security Agent on your Mac, but you did not authorize the kernels when prompted. You need to know if the device is still protected. |
Your device is not protected. All the kernels must be authorized on your Mac for the Mimecast Security Agent to protect your device. |
| The Mimecast Security Agent installer keeps failing. | Verify that the correct Mimecast Security Agent installer is being used, and that it is being run on the correct platform. See Prerequisites. |
| You are having problems with the Mimecast Security Agent and can't understand why. | Collect the MSA logs and contact our Support Team. See the Diagnostics sections of Mimecast Security Agent for iOS, Mimecast Security Agent for Mac, and Web Security - Mimecast Security Agent for Windows. |
| You see a prompt for an update, but Mimecast Security Agent isn't auto-updating. | If you receive a notification indicating a new version of Mimecast Security Agent is available, this does not auto-update. You must either install the new Mimecast Security Agent version manually, or IT can deploy using their software deployment solution. |
| Your browser hangs and you can't access the internet, after installing the Mimecast Security Agent. | This is caused by the Mimecast Security Agent not having access to Mimecast, due to firewall rules blocking it. Check the MSA live diagnostics for errors, and ensure that ports 80 and 443 are open to Mimecast. |
| You can't see user activity where the Mimecast Security Agent isn't installed. | As all traffic is routed through your Egress IP(s) from your corporate network, there is no way to identify an individual user's traffic. The Mimecast Security Agent allows us to retrieve user information and apply user or group-based policies, as well as retrieve statistics on a user level. |
| You need to know an uninstaller (e.g. Microsoft Uninstall) takes precedence over the Uninstaller Password for the Mimecast Security Agent. | It does not take precedence. The disabler/uninstaller password is used to ensure that neither a user nor malware can remove the protection of the Mimecast Security Agent and, therefore, requires an Administrator to provide the password in the Administration Console to perform those actions. |
| When Mimecast Security Agent (MSA) and Zscaler Endpoint are both installed on a device, users may encounter DNS resolution failures due to Zscaler’s packet filtering interfering with MSA’s DNS lookups. | To resolve this conflict, adjust Zscaler to use router-based filtering rather than packet-based filtering. This adjustment prevents interference and allows both solutions to function together seamlessly.
The issue may have been resolved by switching from packet-based to router-based filtering, but this may not be the final solution for similar issues. |
Reporting
| Issue | Troubleshooting Steps |
|---|---|
| The Activity Report has log entries with blank users. |
Users are only recognized when they log into the Mimecast Security Agent. |
| The Activity Report has log entries with blank categories. | Log entries with blank Categories are often reverse DNS lookups and are expected. Reverse lookups almost always contain a Request, which contains "in- addr.arpa". |
| You don't see a user listed in the Activity Report, or Security Report. | Location-based protection doesn't display the user. With agent-based protection, the user must log into the Mimecast Security Agent for their information to be displayed in the reports. |
| You wish to know what Usage Count is, in the App Visibility and Control Dashboard. | This is the total number of DNS requests, including application and browser-based DNS requests for the services and domains. More user-based application usage logs are available in the Activity Report. |
Installation
| Issue | Troubleshooting Steps |
|---|---|
| How to perform a slient MSI install. | It is possible to specify switches to the msiexec.exe to control the installation and specify parameters to the underlying MSI install program. In this case, we simply tell the MSI where the customer token file is. Here is a PowerShell example: msiexec.exe /i "Mimecast Security Agent (64) 1.0.522.msi" /quiet /qn /l*v msiinstall.log licensefile=token.txt
The customer token is in the file token.txt in the same directory as the installer.Additionally, it is possible to specify the token directly rather than use the file. Replace the license file parameter with the license key and then include the key itself after the = sign. |
| You can't reach local devices (e.g. printers) after installing the Mimecast Security Agent. | Your local DNS service manages local resources (e.g., a print server). Web Security doesn't use your local DNS service to locate these devices. Add your local domain as an exception. See Managing Exceptions. |
| How to find out if Egress IPs can be dynamic. | When defining Egress IPs, you can specify a range (maximum CIDR range of /24). However, that traffic must come from an IP in that range, and must not be shared with other companies or Mimecast customers. |
| How to find out why the Mimecast SSL Certificate has to be installed. |
The certificate must be installed for Mimecast to show the block page and ensure no certificate errors occur in the user's browser. Without the certificate, users may receive errors when loading HTTPS pages. The certificate must be installed on all user devices, not the domain controller. |
Other
| Issue | Troubleshooting Steps |
|---|---|
| How to find out your Egress IP. | The egress IP is your network's registered public IP address. Some customers have told us they have successfully used WhatIsMyIP.com to verify their egress IP, referenced on the site as Your Public IPv4. Mimecast does not endorse or support WhatIsMyIP.com; use this site at your own risk. |
| Your dashboard is not showing up-to-date data. | The dashboard displays summary data rolled up and processed every 30 min. The dashboard does not show real-time data. For real-time data, refer to the Activity Logs. |
For detailed information on how to configure, optimize, integrate, and troubleshoot, see the Web Security Knowledge Hub.
Comments
Please sign in to leave a comment.