Web Security - Mimecast Security Agent for Windows Server

Updated
This article explains how to install, configure, and use the Mimecast Security Agent for Windows Server, and is intended for use by Administrators.

The Mimecast Security Agent for Windows Server supports Windows Server, including Remote Desktop Services (RDS), and Windows 10 Enterprise Multi-Session (Azure Only Virtual Desktop). This allows you to:

      • Protect your users on Windows Server or Azure Windows 10 Enterprise Multi-Session.
      • Have user-level policy application and granular reporting capabilities in multi-user mode.

Prerequisites

To protect your servers and users, you must have the following:

      • Administrator access allows application installation on machines where the Mimecast Security Agent needs to be installed.
      • Mimecast Security Agent v1.6 or later.
      • The latest Windows updates on one of the following supported server platforms:
        • Windows Server 2022.
        • Windows Server 2019.
        • Windows Server 2016.
        • Windows Server 2012 R2.
        • Azure Windows 10 Multi-Session (Virtual Desktop).
      • Administrator privileges to install and configure the Mimecast Security Agent.
      • Network Time Provider installed on your managed endpoint systems to ensure accurate system clocks.
      • Unblocked communication from the Mimecast Security Agent to Mimecast via the API URLs. See Prerequisites.
      • Windows Messaging Queue (MSMQ) feature enabled. The agent automatically attempts to enable this during installation.
      • .NET Framework version 4.5.2 or higher installed.

The Mimecast Security Agent installation may remove/disable the MSMQ in error. The workaround is to run the Windows Update service. See Microsoft Message Queuing (MSMQ) for more information.

Recommendations

When using the Mimecast Security Agent on Windows Server, we recommend the following:

      • Configure an exception for your local domain using Managing Exceptions. Unlike DNS forwarders, the Mimecast Security Agent sends all DNS traffic directly to Mimecast, bypassing any local DNS configuration (i.e., IP phones and print servers).
      • Configure your Mimecast Security Agent Settings.

        We recommend using a Transparent User ID; otherwise, users must manually log into the Mimecast Security Agent using a domain or cloud password.

      • The Mimecast Security Agent automatically installs the Mimecast SSL root certificate into the Windows Trust Store, as most browsers use this for Certificate of Authority. If you’re using Firefox, set it to use the Windows Trust Store by:
        • Typing about:config in the address bar.
        • Creating a Boolean Variable called "security.enterprise_roots.enabled".
        • Setting the Variable value to "True."

Modes of Operation

The Mimecast Security Agent for Windows Server offers two modes of operation:

        • Multi-User Mode for Windows RDS: This mode disables the Windows DNS cache and allows the Mimecast Security Agent to tag each DNS request in the user session and process it. This allows user-level policy application and granular reporting capabilities.

          Secure Dynamic Updates is not supported in multi-user mode. Ensure your RDS server has a static DNS record. Due to Azure Windows 10 Multi-Session updates, you may experience issues accessing local resources in the Azure environment if the agent is installed in the Multi-User mode. This is because of DNS cache dependencies. We recommend using Server Protection mode.

        • Server Protection Mode: This mode is designed for server configuration where applications or server roles require the Windows DNS cache for its functionality (e.g., DirectAccess VPN). A server with a DNS Server role should also use this mode. Consider this mode where multi-user support isn’t required, but you want to protect the server using Mimecast Web Security.
          • If a single user logs on, their account activity is logged during an active session.
          • If more than one user logs on concurrently, activity is reported as ‘Multiple Users,’ and the default ‘Location’ or ‘Everyone’ policy is enforced.

Mimecast Security Agent for Windows Server setup

Installing the Mimecast Security Agent on Windows Servers

You can install the Mimecast Security Agent on a Windows Server, by using the following steps:

  1. Log on to the Administration Console.
  2. Navigate to Web Security | Agent Settings.
  3. Click on the Download for Windows button. The installer file Mimecast Security Agent.ZIP downloads to your browser's download location. The ZIP package contains the elements listed below:

    Due to the large file size, allow time for the download to complete.

      • 32-bit and 64-bit MSI files (only the 64-bit file should be used).
      • A key is located in a Mimecast Security Agent Configuration folder.
  1. Copy the Mimecast Security Agent installer and CustomerKey to the target roaming system to be protected.
  2. Start the 64-bit Mimecast Security Agent Installer.

    The installer must be run as an administrator.

  3. Click on the Next button to continue.
  4. Click on the Next button to continue again.
  5. Select the CustomerKey License File that was part of the MSI download. Either:
      • Click on the Browse button.
      • Copy the CustomerKey in the file separately and paste it into the Browse box.
  1. Click on the Next button once the authentication key has loaded.
  2. Select the Installation Folder where the Mimecast Security Agent is to be installed.
  3. Click on the Next button.
  4. Select the Operation Mode. See Modes of Operation.
  5. Click on the Next button.
  6. Click on the Yes button to confirm that the installation can continue.
  7. Click on the Finish button to exit the installer. 

During the installation process, you may be prompted and required to install additional software. A system reboot is not required for the Mimecast Security Agent. However, a reboot might be required if additional software resources are installed.

Silently Installing the Mimecast Security Agent

The command listed below can be used to:

      • Silently install the Mimecast Security Agent.
      • Create a verbose install log.
      • Inject the CustomerKey.
msiexec /i "<MSI_PATH>" /qn /l*v <LOG_PATH> OPERATING_MODE=multi licensefile= <CUSTOMER_KEY_PATH>"

Where:

      • <MSI_PATH> is the location of the MSI file.
      • <LOG_PATH> is where the log file will be created.
      • <OPERATING_MODE> Use:
        • (multi) for Multi-User mode for RDS.
        • (single) for Single user mode for Server Protection.
      • <CUSTOMER_KEY_PATH> is the customer key location.

Policies and Reporting

The Mimecast Security Agent needs to identify the user’s email address to apply policies. This can be achieved:

      • Automatically using the Transparent User ID feature (when the user logs into the server).
      • By asking users to manually log in to the Mimecast Security Agent.

Specific policies are enforced if they match the user’s email address. Otherwise, the location or everyone policy is applied by default.

See Activity Report to learn more about viewing individual user activity and Protected Devices for more information about listing your protected devices and active users.

Disabling the Mimecast Security Agent

You can disable the Mimecast Security Agent for either a:

      • Standard user
      • Administrator

Disabling the Mimecast Security Agent for a Standard User

A standard user with a disabler password can only disable the Mimecast Security Agent for themselves. See Uninstalling the Mimecast Security Agent for Windows section of Mimecast Security Agent for Windows.

Disabling MSA for an Administrator (Multi-User Mode):

Account members of the following Active Directory groups are identified as Administrator in the Mimecast Security Agent:

      • Domain administrators.
      • Enterprise administrators.
      • Account administrators.
      • Built-in administrators.

Mimecast Security Agent preferences provide administrators with the following options:

      • Disable Protection: Disables protection for the logged-in user.
      • Disable Agent System-wide: Disables the Mimecast Security Agent for all users.
      • Re-Enable Protection: This enables protection for all users, including those previously disabled.
Mimecast Security Agent for Windows Server preferences

Mimecast Security Agent Diagnostics Data

You can check the Mimecast Security Agent diagnostics as either a:

      • Standard user
      • Administrator

Diagnostics for Standard Users

To check the Mimecast Security Agent diagnostics as a standard user:

  1. Click on the Diagnostics tab.
  2. Click on the Show Live Diagnostics button.
  3. Ensure all the Basic Diagnostics Checklist Ticks display green.
  4. Click the Refresh button a few times and confirm the Diagnostics Last update display times increment as expected.
  5. Check that the Additional Information Details contain valid entries for:
      • DNS Redirecting.
      • DNS Server IPs.
      • API Discovered grid.
      • API Account Code.
  1. Click on the Display the Certificate link next to the:
      • DNS Root certificate: This displays the Windows Certificate dialog, and allows you to confirm the root certificate has been correctly deployed.
      • DNS TLS certificate: This displays the Windows Certificate dialog for the Mimecast Endpoint Certificate. 
    • Diagnostics details

Diagnostics for Administrators

An administrator has access to basic and advanced diagnostics. See Mimecast Security Agent Diagnostic Data section of Mimecast Security Agent for Windows.

Diagnostics for Administrators

 

Related to

Was this article helpful?
0 out of 1 found this helpful

Comments

0 comments

Please sign in to leave a comment.