Web Security - Mimecast Security Agent for Windows

Updated
This article how to deploy, configure, disable/enable and uninstall the Mimecast Security Agent for Windows on roaming Windows PCs, to work in conjunction with the Mimecast Web Security feature, and is intended for use by Administrators.

Prerequisites

The Mimecast Security Agent is certified for Citrix Virtual Apps and Desktop v7 in persistent and non-persistent desktop configurations.

To use the Mimecast Security Agent, you must have:

      • Windows 11 (Pro / Enterprise) 64 bit
      • Windows 10 (Pro / Enterprise) 32 or 64 bit
      • Windows 7 / 8.1 (Pro / Enterprise) 32 or 64 bit

The Home edition of Windows isn't supported, as it doesn't support enterprise features of MSMQ.

Additionally you must:

      • Have an Administrator role, with permission to access the Web Security section, in the Administration Console.
      • Have administrator privileges to install and setup the Mimecast Security Agent.
      • Have your managed endpoint systems using a Network Time Provider to ensure accurate system clocks.
      • Unblocked communication from the Mimecast Security Agent to Mimecast via the API URLs. See Prerequisites.
      • Have the Windows Messaging Queue (MSMQ) feature enabled. It is recommended to run the Window Update service for the latest version. Refer to the Message Queuing (MSMQ) page on Microsoft's site for more information.
      • Have .Net Framework version 4.5.2 or higher.

Optionally we recommend the following:

      • Configuring an Exception for your local domain. Unlike using DNS forwarders, when Mimecast Security Agent is installed, all DNS traffic is sent to Mimecast bypassing any local DNS configuration (i.e. IP phones, print servers).
      • Configuring your Mimecast Security Agent Settings.

The Mimecast Security Agent automatically installs the Mimecast SSL root certificate into the Windows Trust Store, as most browsers use this for Certificate of Authority. If you’re using Firefox, set it to use the Windows Trust Store by:

  •  Typing about:config in the address bar.
  • Creating a Boolean Variable called "security.enterprise_roots.enabled".
  • Setting the Variable value to True.

Considerations

The Mimecast Security Agent for Windows is incompatible with devices configured to use the Chinese language.

Installing the Mimecast Security Agent for Windows

Downloading the installer files

You can download the installer files for the Mimecast Security Agent for Windows, by using the following steps:

  1. Log on to the Mimecast Administration Console.
  2. Navigate to Web Security | Agent Settings. The Installation tab displays by default.
  3. Click on the Download for Windows.
  4. The installer file downloads to your browser's download location, as Mimecast Security Agent.zip.
  5. Unzip the downloaded file.
  6. The ZIP package contains:
      • 32 bit and 64 bit MSI files.
      • A configuration file CustomerKey, located in a Mimecast Security Agent Configuration folder.

        There can be a significant delay before the browser indicates the file download is complete.

Installing the Mimecast Security Agent for Windows

You can install the Mimecast Security Agent for Windows, by using the following steps:

  1. Copy the following to the Target Roaming System to be protected:
      • Mimecast Security Agent Installer.
      • CustomerKey File.
  1.   Start the Mimecast Security Agent Installer.

    The installer must be run as an administrator.

  2. Click on the Next button to continue.
  3. Select the CustomerKey License File that was part of the MSI download by either:
      • Clicking on the Browse button.
      • Copying the CustomerKey in the file separately and paste it into the Browse box.
  1.   Click on the Next button once the authentication key has loaded.
  2. Select the Installation Folder into which the Mimecast Security Agent will be installed.
  3. Click on the Next button. The Mimecast Security Agent installation starts.
  4. Click on the Yes button to confirm that the installation can continue.
  5. Click on the Finish button to exit the installer.

During the installation process, you may be prompted and required to install additional software. A system reboot is not required for the Mimecast Security Agent for Windows, unless you’re upgrading from v1.3, or if the additional software resources are in use.

Silently installing the Mimecast Security Agent for Windows

Most application deployment applications supports a command line script such as SCCM, PDQ, etc. Check the vendor’s documentation for more details, or see  Installing the Mimecast Security Agent for Windows using Group Policy Object.


The command listed below can be used to silently install the Mimecast Security Agent, create a verbose install log, and inject the CustomerKey.

msiexec /i "<MSI_PATH>" /quiet /l*v <LOG_PATH> licensefile="<CUSTOMER_KEY_PATH>"

Where:

      • <MSI_PATH> is the location of the MSI file.
      • <LOG_PATH> is the location where you want the log file created.
      • <CUSTOMER_KEY_PATH> is the location of your customer key.

During the installation process, you may be prompted and required to install additional software. A system reboot is not required for the Mimecast Security Agent for Windows, unless you’re upgrading from v1.3, or if the additional software resources are in use.

Alternatively, you can use the following install command:

msiexec /I “<MSI_PATH>” /quiet /l*v <LOG_PATH> licensekey=CUSTOMER_KEY

Where:

      • <MSI_PATH> is the location of the MSI file.
      • <LOG_PATH> is the location where you want the log file created.
      • <CUSTOMER_KEY> paste the full customer key (i.e Lwhdgdetbjghgbjklk).

Confirming that the Mimecast Security Agent is running

You can confirm that the Mimecast Securing Agent user interface is running, by using the following steps:

  1. Ensure that the Mimecast Securing Agent icon is displayed in the Windows taskbar system tray.
  2. Click on the Mimecast Securing Agent icon to launch the home screen.
  3. Ensure the following are displayed:
      • A Green Tick is shown on the Mimecast shield.
      • The status is Protected.
      • The Client ID shows the machine name.
      • The Last sync time displays.

You can view details for the Protected Device via Protected Devices, where and entry is displayed for your protected machine.
To gather diagnostic data, view Mimecast Security Agent Diagnostics Data.

Once the Mimecast Security Agent for Windows is installed, you can test it is working, by using the following steps:

  1. Create a Block or Allow List Policy using Managing Policies, to:
      • Block a legitimate site (e.g. cnn.com). This avoids visiting a site that has been blocked by your IT administrator.
      • Apply the policy to a user or group. This ensures it takes precedence over a location or everyone policy.
  1. Ensure you have logged in users, via:
      • Manual log in to the Mimecast Security Agent for Windows.
      • Use of Transparent User ID to identify domain users.

If a policy component is changed, the change will not take effect if the system DNS cache and browser DNS cache are not cleared. Cache clearing updates can take up to 20 minutes. See Testing Polices.

Disabling/Enabling the Mimecast Security Agent for Windows

You can disable/enable the Mimecast Security Agent for Windows, by using the following steps:

  1. Click on the Mimecast Security Agent icon from the system tray.

    MSA for Windows icon

  2. Click on the Preferences button.
  3. Enter the Disabler Password provided to you by your administrator.
  4. Click on either the:
      • Disable button to disable security on the agent.
      • Enable button to enable security on the agent.

        Disabling the Mimecast Security Agent for Windows requires users to have a password provided by their administrator. You can find this at Web Security | Agent Settings, by clicking on the Passwords tab. See Managing Mimecast Security Agent Settings.

Uninstalling the Mimecast Security Agent for Windows

Uninstalling the Mimecast Security Agent for Windows from a device requires the use of the Uninstall Password defined in the agent's settings. We do not recommend providing this password to end users, therefore the uninstall should be performed by an Administrator. See Managing Mimecast Security Agent Settings.

Uninstalling on a Standalone PC

You can uninstall the Mimecast Security Agent for Windows, by using the following steps

  1. Open the Start menu.
  2. Click on Settings.
  3. Click on the System Icon.
  4. Select the Apps & Features app.
  5. Click on the Mimecast Security Agent.
  6. Click on the Uninstall button.
  7. Enter the Uninstall Password.

Uninstalling by using a script

You can uninstall the Mimecast Security Agent for Windows using a script, by using the following steps:

  1. Prompt Restart 
    msiexec /x "Mimecast Security Agent (64) 1.1.1054.msi" /quiet REMOVAL_PASS=UninstallPasswordAdcon
  2. No Restart 
    msiexec /x "Mimecast Security Agent (32) 1.1.1054.msi" /qr REMOVAL_PASS=UninstallPasswordAdcon /norestart
  3. Using IdentifyingNumber from uninstallkey:
      • Get the IdentifyingNumber through PowerShell: 
        Powershell get-wmiobject Win32_Product | Format-Table IdentifyingNumber, Name e.g. {90E2DA99-DABD-4FE0-ACA1-9629F33D7CD2} Mimecast Security Agent
      • Based on the Identifying number, the MSI uninstall cli could be used as below: 
        msiexec /x {90E2DA99-DABD-4FE0-ACA1-9629F33D7CD2} /qr REMOVAL_PASS=Keypss /norestartmsiexec /x {90E2DA99-DABD-4FE0-ACA1-9629F33D7CD2} /qr REMOVAL_PASS=keypass
      • This prompt a restart, to which you should respond Yes.

Silently uninstalling the Mimecast Security Agent for Windows

To silently uninstall the Mimecast Security Agent for Windows, you can use the following command:

msiexec /x "<MSI_PATH>" /quiet /l*v “<LOG_PATH>” REMOVAL_PASS=<UNINSTALLER_PASS>

Where:

      • <MSI_PATH> is the location of the MSI file.
      • <LOG_PATH> is the location where you want the log file created.
      • <UNINSTALLER_PASS> is the numeric uninstaller password from the Agent Settings.

After restarting the system, verify that the Mimecast Security Agent for Windows has been uninstalled correctly via Mimecast Security Agent Diagnostics Data. If any errors display, gather and send diagnostic data as outlined there.

Mimecast Security Agent Diagnostics Data

Viewing diagnostic information

  1. Click on the Diagnostics tab.
  2. Click on the Show Live Diagnostics button.
  3. Check that all the basic diagnostics checklist ticks display green.
  4. Click the Refresh button a few times and confirm that the Diagnostics Last update display times increment as expected.
  5. Check that the Additional Information Details contain valid entries for:
      • DNS Redirecting.
      • DNS Server IPs.
      • API Discovered grid.
      • API Account Code.
  1.   Click on the Display the Certificate link next to DNS Root certificate. This displays the Windows Certificate dialog, and allows you to confirm the root certificate has been correctly deployed.
  2. Click on the Display the Certificate link next to DNS TLS certificate. This displays the Windows Certificate dialog for the Mimecast Endpoint Certificate.
  3. Return to the Mimecast Security Agent Diagnostics console.
  4. Select Advanced Diagnostics.
  5. Scroll down to the Mimecast DNS section and confirm there is an entry for Redirected Query 1.

Gathering diagnostic information

You can gather diagnostic information for the Mimecast Security Agent for Windows, by using the following steps:

  1. Click on the Mimecast Security Agent icon from the system tray.
  2. Click on the Diagnostics button.

    MSA for Windows diagnostics

      • Upload: This sends a log file to Mimecast. The log file is retrievable by the Mimecast Support Team and cannot be accessed by you. This option is helpful if the diagnostics file is too large to send via email.
        • If required, click on the OK button to confirm your acceptance to the diagnostics data being gathered.
        • Click on the OK button in the confirmation dialog that the file has been sent.
      • Export: This exports the log file to a location of your choice. This is useful if raising a support case with Mimecast that requires us to see additional diagnostic data.
        • If required, click on the OK button to confirm your acceptance to the diagnostics data being gathered.
        • Locate a folder for the exported log file and click on the Select Folder button. A timestamped ZIP file is created in the selected folder (e.g. MSA-2018.09.21-09.54.50.zip).
      • Show Live Diagnostics: Displays a dialog listing both basic and advanced diagnostics. The data can be:
        • Refreshed by clicking the Refresh button.
        • Copied to your clipboard by clicking on the Copy to Clipboard button at the bottom of the dialog.

About the diagnostic information gathered

Unlike macOS, Windows OS only collects and returns the product log files.

Related to

Was this article helpful?
1 out of 4 found this helpful

Comments

0 comments

Please sign in to leave a comment.