This guide explains how you can use the Mimecast Synchronization Engine to synchronize your organization's Active Directory with Mimecast. The engine uses a secure outbound connection from your internal network to Mimecast. This article explains the data flow for this feature, which consists of the following stages:
- Extracting your Active Directory data.
- Transferring the data to the Mimecast Synchronization Engine.
- Applying the results.
Extracting your Active Directory Data
The Mimecast Synchronization Engine uses a combination of LDAP and Global Catalog queries to extract user, group, and group membership data from Active Directory. The initial query used is:
This returns any object with an email address OR group objects OR dynamic distribution list objects. Active Directory returns all results that the Mimecast Synchronization Engine service account user, or the user specified in the advanced settings in the Administration Console, has permission to read. The Mimecast Synchronization Engine then issues further queries to extract more information about each object.
Transferring Data to the Mimecast Synchronization Engine
Once all the objects have been successfully extracted, they are securely transmitted from the Mimecast Synchronization Engine to Mimecast.
- Data is secured during transmission using HTTPS.
- The Mimecast API that receives this data:
  - Uses an SSL certificate with a 2048-bit RSA key, issued by the Symantec Corporation.
  - Supports several industry standard strong cipher suites with a minimum key length of 128 bits.
  - Accepts connections using any of the TLS 1.0, TLS 1.1, or TLS 1.2 protocols. If TLS 1.0 is disabled, TLS 1.2 must be configured with the following steps:
    - .NET Framework 4.5.1 must be installed.
    - The Mimecast Synchronization Engine service must be stopped.
    - Create a global.ini file in the "C:\ProgramData\Mimecast Synchronisation Engine\State" directory with the "Mse.Core.Bridge.SecurityProtocol=4032" string inside.
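The number in that global.ini setting is a .NET System.Net.SecurityProtocolType flags value. The following added example (not Mimecast's code; the key=value parsing of global.ini is an assumption based on the line shown above) decodes such a value so you can check which TLS versions a given setting actually enables before you roll it out.

```python
from typing import Dict, List, Optional

# Flag values of the .NET System.Net.SecurityProtocolType enum.
SECURITY_PROTOCOLS: Dict[str, int] = {
    "Ssl3": 48,
    "Tls": 192,      # TLS 1.0
    "Tls11": 768,    # TLS 1.1
    "Tls12": 3072,   # TLS 1.2
    "Tls13": 12288,  # TLS 1.3
}
MODERN = {"Tls12", "Tls13"}


def decode_security_protocol(value: int) -> List[str]:
    """Return the protocol names whose flag bits are all set in `value`."""
    names = [n for n, flag in SECURITY_PROTOCOLS.items() if value & flag == flag]
    leftover = value
    for n in names:
        leftover &= ~SECURITY_PROTOCOLS[n]
    if leftover:
        raise ValueError(f"unknown SecurityProtocolType bits set: {leftover}")
    return names


def legacy_protocols(value: int) -> List[str]:
    """Protocols enabled by `value` that predate TLS 1.2."""
    return [n for n in decode_security_protocol(value) if n not in MODERN]


def read_security_protocol(ini_text: str) -> Optional[int]:
    """Pull the Mse.Core.Bridge.SecurityProtocol value out of global.ini text.
    Assumes plain key=value lines, as in the setting quoted on this page."""
    for line in ini_text.splitlines():
        key, sep, val = line.partition("=")
        if sep and key.strip() == "Mse.Core.Bridge.SecurityProtocol":
            return int(val.strip())
    return None


# Constructed sample: the exact line the steps above tell you to create.
SAMPLE_INI = "Mse.Core.Bridge.SecurityProtocol=4032\n"

if __name__ == "__main__":
    value = read_security_protocol(SAMPLE_INI)
    print(value, decode_security_protocol(value), legacy_protocols(value))
```

Decoding 4032 shows it is Tls | Tls11 | Tls12, so the setting offers TLS 1.0 and 1.1 as well; a value of 3072 restricts the client to TLS 1.2 only.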
Applying the Results
Once the data is received, Mimecast commits the user and group information to your account.
- New users are added.
- Existing users are updated to Directory Generated users.
- Groups that contain objects with a mail or proxyAddresses attribute are added.
- Group membership is updated.
- Additional attributes specified for the synchronization are updated.
- If the Automatically Link Aliases setting is enabled, alias addresses are linked to their primary user/address.
- If the Acknowledge Disabled Accounts in Active Directory setting is enabled, disabled Active Directory users are disabled as Mimecast users.