If you're unable to access the Mimecast Administration Console due to IP address restrictions, follow this guide to regain access, understand why lockouts occur, and implement best practices to prevent future issues.
Overview
IP whitelisting policies are security features designed to limit Administration Console access to specific, trusted IP addresses. However, these restrictions can inadvertently lock out legitimate administrators when IP addresses are misconfigured, changed, or not properly documented. This article explains how to identify IP restriction issues, regain access when locked out, and maintain effective IP restriction policies.
Considerations
- Only users with active Administration Console access can modify IP restriction settings
- You will need assistance from another authorized administrator or Mimecast support to regain access if locked out
- IP restriction configurations should balance security requirements with operational accessibility
- For remote or traveling administrators, consider whether IP restrictions are the most appropriate security measure given your operational needs
Prerequisites
- Knowledge of your current IP address
- Access to an administrator who currently has console access, or contact with Mimecast support
- A list of all authorized administrator IP addresses for your organization
Understanding IP Restriction Lockouts
IP address restrictions can lock out legitimate administrators in the following situations:
- Incorrect IP addresses were configured in your Admin IP Ranges.
- Your current IP address is not included on the allowlist.
- IP restrictions were accidentally applied without proper planning.
- Your IP address changed and the allowlist wasn't updated.
How to Regain Access
Step 1: Contact Someone with Console Access
- Reach out to your Mimecast support team or another authorized administrator who currently has access to the console.
- Explain that you're locked out due to IP address restrictions.
- Provide your current IP address that should be granted access.
This step is critical because IP restriction settings can only be modified by someone who is already logged into the Administration Console.
Step 2: Review Current IP Configuration
The administrator or support team member with access should:
- Log into the Mimecast Administration Console.
- Navigate to the IP restrictions settings.
- Review which IP addresses are currently configured in the allowlist.
- Verify whether the restrictions are intentional and contain correct addresses for all authorized administrators.
Step 3: Identify and Correct the Issue
| Issue | Solution |
| Missing IP address | If your legitimate IP address is not on the allowlist, request that it be added immediately |
| Incorrect IP address | If wrong IP addresses were added by mistake, have them removed from the whitelist |
| Changed IP address | If your IP address has changed, ensure the old one is removed and the new one is added |
Step 4: Test Access
- After the IP restrictions have been corrected, attempt to log into the Administration Console.
- Ensure you're connecting from the IP address that was added to the allowlist.
- Verify that you can access all necessary console functions.
Before Implementing IP Restrictions
- Document all authorized IP addresses: Create a comprehensive list of all IP addresses that require console access.
- Communicate with your team: Inform all administrators about planned IP restriction changes before implementation.
- Verify IP addresses: Double-check that all IP addresses are correct before adding them to the allowlist.
- Test incrementally: If possible, test restrictions with a single user before rolling out to the entire team.
Maintaining IP Restrictions
- Maintain redundancy: Ensure at least two authorized administrators always have access from different IP addresses.
- Regular reviews: Periodically audit your IP allowlist to ensure it remains accurate and up-to-date.
- Document changes: Keep a log of when IP addresses are added or removed and the reason for each change.
- Emergency access plan: Establish a procedure for regaining access if all administrators are locked out.
Additional Tips
| Q: | What should I do if my administrators frequently work from different locations? |
| A: | If your administrators frequently work from different locations, consider whether IP restrictions are the most appropriate security measure, or if additional exceptions need to be configured. |
| Q: | How do I handle IP address changes when moving offices or changing ISP? |
| A: |
If you're moving to a new office or changing internet service
providers, update your IP allowlist before the change takes effect
to maintain uninterrupted access.
You may also want to consider a Virtual Private Network (VPN) if you have staff who frequently work outside of the network as an option. |
Comments
Please sign in to leave a comment.