Administration - Managing Connectors

This guide explains how to configure different types of connectors.


Introduction

Connectors authorize Mimecast to access your organization's mail platform (Microsoft 365, an on-premises Exchange server, or Google Workspace) on behalf of a specific Mimecast product. These connections are required by certain Mimecast services, including: 

      • Continuity
      • Directory Synchronization (Microsoft Azure AD only)
      • Mimecast Archive for Microsoft Teams
      • Mimecast Essentials for Outlook (MEO)
      • O365 SimplyMigrate
      • Remediation
      • Sync & Recover 

This guide covers the following:

      • Configuring connectors to cloud service providers 
      • Configuring connectors to an on-premises Exchange server 
      • Network and other considerations for EWS connectors 
      • Editing and/or deleting connectors 
      • Multi-tenancy considerations 
      • Hybrid environment considerations

Configuring a Connector to a Cloud Service Provider 

Mimecast connectors to cloud service providers authenticate using OAuth 2.0 rather than a stored username and password. Each connector is consented separately and carries only the permissions requested for its product, so administrators can apply the cybersecurity Principle of Least Privilege (PoLP) to their service accounts and review exactly what each connector has been granted. A separate connector is required for each Mimecast product, replacing the previous practice of sharing a single connector across all Mimecast services. Each connector takes approximately five minutes to create.

Prerequisites 

      • The appropriate permissions to connect to your third-party provider.
      • An Administration Console role that provides access to the Services | Connectors page.
      • When prompted during authorization, grant the "Use Exchange Web Services with full access to all mailboxes" permission. The app needs full access via Exchange Web Services to every mailbox it services. Because this is an application (app-only) permission, it applies to all mailboxes in the tenant regardless of the consenting administrator's own mailbox access.

To Configure a Cloud Connector

  1. Log in to the Mimecast Administration Console
  2. Navigate to Integrations | Connectors.
  3. Click on the Create New Connector button.
  4. Select the Mimecast product you want to connect to a third-party provider and click on the Next button.
  5. Select the third-party provider from the list and click on the Next button. 
  6. Click on the login button to begin the OAuth 2.0 authorization process with the third-party provider.
  7. Review and grant the requested permissions. 
  8. Once the permissions have been successfully granted, click on the Next button.
  9. Enter a connector Name and an optional Description, and click on the Next button.
  10. Review the connector summary and click on the Create Connector button.
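Once consent has been granted, it is worth verifying what the imported enterprise application actually holds in your tenant, because that, not the connector name, is the permission set the connector runs with. The following script is an added example and is not part of the Mimecast article or of Mimecast's own tooling. It uses the Microsoft Graph PowerShell SDK to list the application and delegated permissions held by every service principal whose display name starts with "Mimecast"; that name prefix is an assumption, so adjust it to the name shown under Enterprise applications after consent.

```powershell
# Added example, not from the Mimecast article: audit the permissions each consented
# Mimecast connector application holds in Entra ID (Azure AD).
# Assumptions: the Microsoft Graph PowerShell SDK is installed, and the display-name
# prefix 'Mimecast' matches the application(s) imported by the consent workflow.

Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All'

function Get-ConnectorAppPermissions {
    param([string]$DisplayNamePrefix = 'Mimecast')

    $filter = "startswith(displayName,'$DisplayNamePrefix')"
    foreach ($sp in Get-MgServicePrincipal -Filter $filter -All) {

        # Application (app-only) permissions are stored as app role assignments on the
        # client service principal; the readable role name lives on the resource API.
        foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
            $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
            $role     = $resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
            [pscustomobject]@{
                Connector  = $sp.DisplayName
                AppId      = $sp.AppId
                Type       = 'Application'
                Resource   = $resource.DisplayName
                Permission = $role.Value
            }
        }

        # Delegated permissions (if any) are oauth2PermissionGrants; Scope is a
        # space-separated list of scope names.
        foreach ($g in Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All) {
            $resource = Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId
            foreach ($scope in ($g.Scope -split '\s+' | Where-Object { $_ })) {
                [pscustomobject]@{
                    Connector  = $sp.DisplayName
                    AppId      = $sp.AppId
                    Type       = "Delegated ($($g.ConsentType))"
                    Resource   = $resource.DisplayName
                    Permission = $scope
                }
            }
        }
    }
}

Get-ConnectorAppPermissions | Sort-Object Connector, Type, Resource, Permission |
    Format-Table -AutoSize
```

For an EWS-based connector you should see the full-mailbox Exchange Web Services application permission from the prerequisites above on the Office 365 Exchange Online resource; any permission beyond what the product's consent screen requested is worth questioning. The service principal listed here is also the object you would remove from the tenant after deleting the connector (see Deleting a Connector).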

Configuring a Connector to On-Premises Exchange

Prerequisites and Network Considerations

  • Exchange 2013 or later
  • A Mimecast Trusted SSL Certificate installed on your Exchange Client Access server(s)
  • The Exchange Web Services must be accessible inbound using HTTPS on port 443 from the Mimecast IP range
  • Proxy Server Considerations: If you use a reverse proxy server (e.g., Microsoft's Threat Management Gateway) to publish your Exchange Client Access Server(s) to the internet, a direct connection from the Mimecast IP Range is required to the Exchange Web Services (EWS) URL, bypassing the standard forms-based authentication page that is typically presented.
  • Application Impersonation permission is required for the Service Account. This is needed so that the app can act on behalf of users in your organization. See Application Impersonation role for more information.

If a forms-based authentication page is presented when a client connects to the EWS URL, Server Connections will fail as this configuration is not supported.

  • Load Balancing Considerations: If you use load balancing, all connections to the Exchange Web Services (EWS) from the Mimecast IP range must be routed to the same Client Access Server. This is due to the challenge-response nature of the authentication process. For example, suppose the first request from the client is directed to one Client Access Server, and the second is directed to another. In that case, the second server receiving the challenge response token will not be aware of the first connection, resulting in the connection attempt failing.
  • Using Exchange Server On-Premises and Exchange Web Services: If you're using an On-Premises Exchange server and Exchange Web Services (EWS), you must enable Basic authentication on the EWS virtual directory. Basic authentication transmits the Master Mailbox credentials with every request, so EWS must only be published over HTTPS (port 443, as above) and, ideally, only to the Mimecast IP range.
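The proxy, forms-based authentication and Basic authentication requirements above can all be checked from the outside before you create the server connection, by looking at the first response an unauthenticated client gets from the EWS URL. The function below is an added example, not part of the Mimecast article; it never logs in, it only classifies that first response. It assumes Windows PowerShell 5.1 and a placeholder EWS URL, and should be run from outside your network, since an internal path may bypass the reverse proxy that Mimecast would hit.

```powershell
# Added example, not from the Mimecast article: pre-flight check of an on-premises EWS
# URL as an anonymous external client sees it. Spots the unsupported setups described
# above: a logon form in front of EWS, and EWS that does not offer Basic authentication.
# Assumptions: Windows PowerShell 5.1; the URL passed in is a placeholder to replace.

function Test-EwsPublishing {
    param([Parameter(Mandatory)][string]$Url)

    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = 'GET'
    $req.AllowAutoRedirect = $false      # we need to see a 302, not follow it
    $req.Timeout = 15000

    $resp = $null
    try {
        $resp = $req.GetResponse()       # 2xx and 3xx responses return here
    } catch [System.Net.WebException] {
        if ($_.Exception.Status -eq [System.Net.WebExceptionStatus]::TrustFailure) {
            return "FAIL: TLS certificate is not trusted; a trusted certificate is required on the Client Access server(s)."
        }
        $resp = $_.Exception.Response    # 4xx/5xx land here with the full response attached
        if ($null -eq $resp) { return "FAIL: no HTTP response ($($_.Exception.Message))" }
    } catch {
        return "FAIL: $($_.Exception.GetType().Name): $($_.Exception.Message)"
    }

    $status   = [int]$resp.StatusCode
    $location = $resp.Headers['Location']
    $schemes  = @($resp.Headers.GetValues('WWW-Authenticate') | Where-Object { $_ })
    $resp.Close()

    switch ($status) {
        { $_ -in 301, 302, 307 } {
            # A redirect to a logon page means forms-based auth sits in front of EWS.
            return "FAIL: redirected to '$location'. A logon form in front of EWS is not supported; publish a direct path to the EWS URL."
        }
        200 { return "FAIL: EWS answered anonymously; the EWS virtual directory is misconfigured." }
        401 {
            if ($schemes -match '^Basic') {
                return "OK: 401 challenge offers Basic ($($schemes -join ', '))."
            }
            # Only Negotiate/NTLM offered: Basic is off on the EWS virtual directory.
            return "FAIL: 401 challenge offers only [$($schemes -join ', ')]. Enable Basic authentication on the EWS virtual directory."
        }
        default { return "FAIL: HTTP $status from $Url" }
    }
}

Test-EwsPublishing -Url 'https://mail.yourdomain.com/EWS/Exchange.asmx'   # placeholder URL
```

A healthy result is a single 401 whose WWW-Authenticate header includes Basic. If you only see Negotiate or NTLM, the Basic authentication steps below apply; if you see a redirect to a logon page, the reverse proxy rule needs a direct (pass-through) path for the EWS URL.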

To enable Basic Authentication on a Client Access Server

  1. Open the Internet Information Services (IIS) Manager administrative tool on the Exchange Server hosting EWS 
  2. Navigate to Server | Sites | Default Web Site | EWS 
  3. Select the Authentication icon from the feature view 
  4. Ensure that Basic Authentication is enabled. If not, enable it here 
  5. Repeat this for all Exchange Servers in the organization 
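The same change can be made for every Exchange server at once from the Exchange Management Shell, which also gives you a record of the before and after state. This is an added example, not part of the Mimecast article; it assumes you are running it in the Exchange Management Shell as a member of Organization Management.

```powershell
# Added example, not from the Mimecast article: Exchange Management Shell equivalent of
# steps 1-5 above, applied across the organization.
# Assumption: run from the Exchange Management Shell with Organization Management rights.

# 1. Record the current state of every EWS virtual directory.
Get-WebServicesVirtualDirectory |
    Format-Table Server, ExternalUrl, BasicAuthentication, WindowsAuthentication -AutoSize

# 2. Enable Basic only where it is still off. Basic sends the Master Mailbox
#    credentials with every request, so this relies on EWS being published over
#    HTTPS only. Windows authentication stays enabled for your own EWS clients.
Get-WebServicesVirtualDirectory |
    Where-Object { -not $_.BasicAuthentication } |
    Set-WebServicesVirtualDirectory -BasicAuthentication $true

# 3. Verify: this prints nothing once every server has Basic enabled.
Get-WebServicesVirtualDirectory | Where-Object { -not $_.BasicAuthentication }
```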

If the account you authorize for the server connection (the "Master Mailbox" that accesses the other mailboxes through EWS) signs in with a UPN, we recommend not using a UPN in a non-routable local domain. For example, if the account is user@domain.local, make sure a UPN in your email domain (e.g., user@yourdomain.com) is also available for it and use that instead. This is typically already configured for Microsoft 365 access but may need to be configured in On-Premises environments.

To configure an Exchange Connector

  1. Log in to the Administration Console.
  2. Navigate to Integrations | Connectors 
  3. Click on the EWS Connectors tab.
  4. Click on Create New Server Connection button.
  5. Enter a Server Connection Name for the server connection.
  6. Complete the fields:
     Exchange Web Services URL: Specify the externally reachable EWS URL that Mimecast connects to, typically the ExternalUrl of the EWS virtual directory (e.g., https://mail.yourdomain.com/EWS/Exchange.asmx).
     Security Mode: Select a security mode for the connection from the dropdown list. Strict is the default value.
     Master Mailbox Address: Specify the email address of the master mailbox.
     Master Mailbox Password: Specify the password of the master mailbox. If you have a password policy that ages passwords, either exempt the Master Mailbox from this policy or add a reminder to change the password configured in Mimecast.
     Mailbox Check: Specify a known email address on your domain (e.g., usera@yourdomain.com) to verify authentication to your server connection. When you are ready, click on the Test Connection button.

For Exchange Web Services, you must configure Application Impersonation to enable us to access your mailboxes. See Configuring Application Impersonation.

  7. Click on the Create Connection button to create the new server connection.
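The Application Impersonation requirement above is usually met by assigning the ApplicationImpersonation role to the Master Mailbox account. By default that assignment covers every recipient in the organization; a custom management scope narrows it to the mailboxes Mimecast actually needs to reach, in line with the least-privilege intent described earlier. The commands below are an added example, not part of the Mimecast article or of its Configuring Application Impersonation guide; they assume the Exchange Management Shell, and the account name and recipient filter are placeholders to adapt.

```powershell
# Added example, not from the Mimecast article: grant the Master Mailbox account the
# ApplicationImpersonation role the EWS connector needs, scoped to a subset of
# recipients instead of the organization-wide default.
# Assumptions: Exchange Management Shell; account name and filter are placeholders.

$svc = 'svc-mimecast@yourdomain.com'   # the Master Mailbox account (placeholder)

# A management scope limits which recipients the impersonating account may act on.
# This filter covers regular user mailboxes; widen it (for example to SharedMailbox)
# if Mimecast must also service those. Without a custom scope the assignment would
# allow impersonation of every mailbox in the organization.
New-ManagementScope -Name 'Mimecast Impersonation Scope' `
    -RecipientRestrictionFilter "RecipientTypeDetails -eq 'UserMailbox'"

New-ManagementRoleAssignment -Name 'Mimecast ApplicationImpersonation' `
    -Role ApplicationImpersonation -User $svc `
    -CustomRecipientWriteScope 'Mimecast Impersonation Scope'

# Verify the assignment and confirm the scope was applied.
Get-ManagementRoleAssignment -RoleAssignee $svc -Role ApplicationImpersonation |
    Format-List Name, Role, RoleAssignee, CustomRecipientWriteScope, Enabled
```

Use the Mailbox Check field in the form above with an address that falls inside the scope; a test against a mailbox outside it should fail, which confirms the scope is being enforced rather than silently ignored.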

Configuring a Google Workspace Connector

This is only applicable for Mimecast IEP Threat Remediation.

Prerequisites

      • Administrative access to Google Workspace.
      • Google Customer ID - found in the Google Admin console under Account settings.
      • For Google Workspace, the Threat Remediation connector requires the OAuth 2.0 scope https://mail.google.com/, which grants full access to every mailbox in the domain. See OAuth 2.0 Scopes for Google APIs for more information.

To Configure a Google Workspace Connector

  1. Log in to the Mimecast Administration Console
  2. Navigate to Integrations | Connectors
  3. Click on the Create Connector button
  4. Select the Remediation option
  5. Click on the Next button
  6. Select the Google Workspace icon
  7. Click on the Next button
  8. Read the Configuration Guide on how to configure your Google Workspace account and click on the Next button
  9. Enter your Google Customer ID and an existing Google email address hosted on your mail server
  10. Click on the Next button
  11. Your Mimecast Client ID and OAuth Scopes are displayed
  12. Navigate to Domain Wide Delegation in your Google Admin console
  13. Create a new API client entry in the Domain Wide Delegation page
  14. Copy your Mimecast Client ID and OAuth Scopes from your Mimecast account into your new API Client on your Google account and authorize the access 


  15. Navigate back to your Mimecast Administration Console and click on the Next button
  16. Enter a connector Name and an optional Description 
  17. Click on the Next button
  18. Review the connector summary and click on the Create Connector button

The task is now complete, and the new connector will be visible in the Connectors tab.

Deleting a Connector

A connector can only be deleted if it is not used by a Mimecast service. If you attempt to delete a connector that is in use by a Mimecast service, a notification is displayed informing you that you can't. 

To Delete a Cloud Connector

  1. Click on the menu icon to the right of the connector to be deleted
  2. Click on the Delete button
  3. A confirmation pop-up appears 
  4. To confirm the deletion of the connector, click on the Delete button

If you want to remove the imported application from your Azure tenant or remove the domain wide delegation from your Google Workspace instance after you have deleted the associated connector from your Mimecast account, see Mimecast Connectors - Applications imported via consent workflow.

To Delete an Exchange Web Services Connector

  1. Click on the menu icon to the right of the server connection to be deleted
  2. Click on the Delete Connection button

Editing a Connector

Only the name and description of a connector can be edited. To adjust any other options, create a new connector with the relevant adjustments and delete the original connector. 

To Edit a Connector's Name and Description

  1. Click on the menu icon to the right of the connector to be edited.
  2. Click on the Edit option
  3. Enter the new Name or Description
  4. Click on the Save button

Multi-tenancy Environments

If your organization's cloud-based email environment consists of multiple tenants, for example, to segregate data among multiple country jurisdictions, you will need to create one connector per Mimecast product per tenant.

An example would be an organization with three Microsoft 365 tenants protected by Mimecast's Sync & Recover. In this instance, three separate Sync & Recover connectors would be required, each configured to authorize a different Microsoft tenant. If the organization also uses Threat Remediation and Continuity, nine connectors would be required to connect all three tenants to all three Mimecast services. 

Hybrid Environments

You will need to set up connector(s) as required, depending on your environment:

      • Hybrid on-premises and cloud environments (where mailboxes are still on-premises): One connector per Mimecast product for the cloud infrastructure, plus one Exchange server connection (which can still service all your Mimecast products).
      • Hybrid on-premises and cloud environments (where mailboxes are in the cloud): Only one connector is required.
      • On-premises Exchange: Currently, only one connector is required.
