Mimecast Synchronization Engine: Enabling Active Directory Synchronization

Document created by user.oxriBaJeN4 (Employee) on Sep 3, 2015. Last modified by user.oxriBaJeN4 (Employee) on Jun 15, 2017.
Version 21

This article provides general guidance to enable Active Directory synchronization using the default settings of the Mimecast Synchronization Engine.

Active Directory synchronization using the Mimecast Synchronization Engine doesn't synchronize passwords. It is also not a method to allow Active Directory domain authentication with Mimecast applications. The EWS or ADFS domain authentication features are required to enable that capability.

What You'll Need

 

  • An Active Directory user with read permissions to your organization's Active Directory.
  • A Mimecast Administration Console account with edit permissions to the Administration | Services | Directory Synchronization menu item.

 

Step 1: Create a User to Connect to Active Directory

 

As part of the configuration of Active Directory synchronization you'll need to supply the credentials of a user with read permissions. This will be the user that connects to Active Directory to synchronize data with Mimecast.

To replicate the email addresses of Exchange mail-enabled public folders, this user also needs Exchange organization-level rights: membership of the Exchange Organization Administrators role group in Exchange 2007 (the equivalent in Exchange 2003 is the Exchange Full Administrator role), or of the Organization Management role group in Exchange 2010, which is the RBAC successor of those two roles. Organization Management allows almost any task in Exchange 2010; the main exception is mailbox searches, which require the Discovery Management role group. Because this is the most powerful Exchange role, grant it only if public folder addresses must be synchronized; for user and group data alone, a plain read-only domain account is sufficient. See the Exchange 2010 Role Based Access Control (Part 1) page on TechGenix for further details.
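The following PowerShell is an added example and not part of the original article or of Mimecast's own tooling. It creates a dedicated domain account for the Synchronization Engine with no group memberships, since an ordinary domain user already has the read access Step 1 requires. The domain name, account name and OU path are assumptions for your forest; the Exchange role group command is shown commented out because it is only needed for public folder address replication.

```powershell
# Added example, not from the Mimecast article: create a dedicated, read-only
# domain account for the Synchronization Engine to bind to Active Directory.
# The domain, account name and OU are placeholders (assumptions) for your forest.
Import-Module ActiveDirectory

$DomainDns   = 'corp.example.com'                               # assumption
$AccountName = 'svc-mimecast-sync'                              # assumption
$TargetOu    = 'OU=Service Accounts,DC=corp,DC=example,DC=com'  # assumption

function New-MseSyncAccount {
    param([string]$Name, [string]$Domain, [string]$OuPath)

    # Draw the password from the OS CSPRNG: 32 random bytes, base64, first 24 chars.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $plain  = [Convert]::ToBase64String($bytes).Substring(0, 24)
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force

    # No group memberships are added: an ordinary domain user already has the
    # read access the article requires. Exchange Organization Management is
    # needed only for mail-enabled public folder addresses (see the note below).
    # The Accounts tab of the Site Configure utility asks for an email address,
    # so the account is given one that matches its UPN.
    New-ADUser -Name $Name `
               -SamAccountName $Name `
               -UserPrincipalName "$Name@$Domain" `
               -EmailAddress "$Name@$Domain" `
               -Path $OuPath `
               -AccountPassword $secure `
               -Enabled $true `
               -PasswordNeverExpires $true `
               -CannotChangePassword $true `
               -Description 'Mimecast Synchronization Engine: read-only AD sync account'

    # Return a credential object so the password goes into your secrets store
    # rather than onto the console; it is entered later on the MSE Accounts tab.
    New-Object System.Management.Automation.PSCredential("$Name@$Domain", $secure)
}

$cred = New-MseSyncAccount -Name $AccountName -Domain $DomainDns -OuPath $TargetOu

# Only if public folder addresses must be replicated, from the Exchange 2010
# Management Shell (this grants broad Exchange rights; omit it otherwise):
#   Add-RoleGroupMember -Identity 'Organization Management' -Member $AccountName
```

Run this on a machine with the Active Directory module (RSAT or a domain controller) as a user allowed to create objects in the target OU. Store `$cred.GetNetworkCredential().Password` in your password vault immediately; the account's password is not recoverable from AD afterwards.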

Step 2: Download and Install the Mimecast Synchronization Engine

 

The Mimecast Synchronization Engine installer can be downloaded from the Application Downloads space. When run, a wizard guides you through the installation.

 

It is important to consider these points when installing the Mimecast Synchronization Engine for Active Directory synchronization:

  • The Mimecast Synchronization Engine must be installed on a Windows Server operating system with the .Net Framework version 4.
  • Windows Server 2003 through to Windows Server 2012 R2 are fully supported.
  • The server hosting the Mimecast Synchronization Engine must be on the same LAN and domain as your Active Directory Domain Controllers to ensure the best performance.
  • The Mimecast Synchronization Engine must be able to connect outbound using HTTPS (port 443) to the URLs listed below.
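As an added example (not code from the article or from Mimecast), the PowerShell below checks the three installation prerequisites above on the prospective host before you run the installer: the .NET Framework 4 registry marker, domain membership, and outbound TCP 443 plus a completed TLS handshake to each endpoint. It uses .NET classes instead of Test-NetConnection so that it also runs on Windows Server 2003 and 2008. The hostnames in `$MimecastHosts` are placeholders (assumptions); substitute the discovery and regional endpoints listed for your Mimecast region.

```powershell
# Added example, not from the Mimecast article: pre-install checks for the server
# that will host the Synchronization Engine. The names in $MimecastHosts are
# placeholders (assumptions); replace them with the endpoints for your region.
$MimecastHosts = @('discovery.example.invalid', 'region.example.invalid')  # assumption

function Test-Net4Installed {
    # The .NET Framework 4 full profile registers itself under this key.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    if (-not (Test-Path $key)) { return $false }
    return ((Get-ItemProperty -Path $key).Install -eq 1)
}

function Get-DomainMembership {
    # MSE should run on a domain member on the same LAN as the domain controllers.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    New-Object PSObject -Property @{ PartOfDomain = $cs.PartOfDomain; Domain = $cs.Domain }
}

function Test-OutboundHttps {
    param([string[]]$Hosts, [int]$Port = 443, [int]$TimeoutMs = 5000)
    foreach ($h in $Hosts) {
        $r = New-Object PSObject -Property @{ Host = $h; TcpOpen = $false; TlsOk = $false; CertIssuer = $null; Error = $null }
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $ar = $client.BeginConnect($h, $Port, $null, $null)
            if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw "connect timeout after $TimeoutMs ms" }
            $client.EndConnect($ar)
            $r.TcpOpen = $true
            # Finish a TLS handshake: a failure here (for example an untrusted chain)
            # or an unexpected issuer usually means an intercepting proxy is in the path.
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
            $ssl.AuthenticateAsClient($h)
            $r.TlsOk = $true
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $r.CertIssuer = $cert.Issuer
            $ssl.Dispose()
        } catch {
            $r.Error = $_.Exception.Message
        } finally {
            $client.Close()
        }
        $r
    }
}

"NET Framework 4 installed: $(Test-Net4Installed)"
Get-DomainMembership | Format-List
Test-OutboundHttps -Hosts $MimecastHosts | Format-Table Host, TcpOpen, TlsOk, CertIssuer, Error -AutoSize
```

The connectivity test opens a direct socket and does not consult any proxy configured on the server, so if your egress goes through an explicit proxy a TcpOpen of False here does not by itself prove the endpoint is unreachable for MSE. A TlsOk of True with an issuer you do not recognise is worth investigating before installing, because TLS inspection devices present their own certificate chain to the client.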

 

Mimecast Synchronization Engine v4.x

 

  • Mimecast Synchronization Engine v4 must be able to communicate externally from your network to the Mimecast platform over HTTPS.
  • The global discovery and regional service endpoints must be accessible from the server hosting Mimecast Synchronization Engine v4.
  • Mimecast Synchronization Engine v4 must be able to communicate with the:

  

Mimecast Synchronization Engine v3.x

 

MSE communicates from your network using HTTPS outbound to the Mimecast platform. Depending on the region where your Mimecast account is hosted, it is critical that the server where MSE is installed has outbound HTTPS access to the following hosts:

 

 

Configure your Mimecast Synchronization Engine Site

 

To configure your Mimecast Synchronization Engine site:

  1. Open the Site Configure utility on the server where the Synchronization Engine site is installed.
  2. Select the Accounts tab.

    MSE Accounts Tab
  3. Complete the dialog as follows:

    Field / Option              Description
    Primary Email Address       Enter the email address of the user you want to use to access your Active Directory. This user must have read permissions to Active Directory.
    Password                    Enter the Primary Email Address user's password.
    Use Exchange Impersonation  Select this option. Although it is not used for Active Directory synchronization, it is required if you ever plan to use any of the Exchange related Synchronization Engine tasks described in the Mimecast Synchronization Engine space.
    Directory Type              Select the "Microsoft Active Directory" option.
  4. Click on the Apply button to start the Site Bind process (see below).

 

Binding your Mimecast Synchronization Engine site to Mimecast

 

In the context of the Mimecast Synchronization Engine, a binding is a security association between the application and Mimecast. The binding is created when a user with the required permissions successfully authenticates using the Site Bind process on the server where the Mimecast Synchronization Engine is installed. This binding is required for you to view the Synchronization Engine site in the Administration Console and to start applying scheduled tasks such as Active Directory Sync.

 

Requirements

 

To successfully create a binding you will need:

  • Outbound connectivity using HTTPS (port 443) from the server where the Mimecast Synchronization Engine is installed to Mimecast.
  • Access to the server where the Mimecast Synchronization Engine is installed.
  • The email address and password for a Mimecast administrator.

 

Mimecast Administrator Requirements

 

If you are using the built in Mimecast administrator roles, the user you use to create the binding must be a member of the Synchronization Engine Administrator role. See the "Managing Super Administrators" section of the Understanding Administrator Roles page for how to ensure the user has this role.

 

To complete the site bind process:

  1. Complete the steps in the "Configure your Mimecast Synchronization Engine Site" section above.
  2. Complete the Validation dialog by specifying the Email Address and Password of the Mimecast administrator.
  3. Click on the Bind button. The utility automatically runs through the following steps:
    • Find the Mimecast account associated with the domain name of the email address entered.
    • Register (bind) the site with the discovered account.
    • Validate that the mailbox specified on the Accounts tab can successfully query the specified Directory Type.
    • Save the binding information to local storage.

 

After a successful site bind the following text is displayed in the dialog box:

[+] ALL SETTINGS ARE VALID, close this window to save the settings

 

You can view your installation in the Administration Console. See the Listing Synchronization Engine Sites for further details.

 

Step 3: Enable Active Directory Synchronization

 

Required Settings

 

  1. Log in to the Administration Console.
  2. Click on the Administration menu item.
  3. Click on the Services | Directory Synchronization menu item.
  4. Click on the New Directory Connector button.
  5. Enter a Description for your connection.
  6. Select Active Directory (using Synchronization Engine) in the Type field.
  7. Select the site where Active Directory synchronization should run from the Synchronization Engine Sites drop down list.
  8. Click Save and Exit to apply your changes.

 

Optional Settings

 

Name                                               Description
Acknowledge Disabled Accounts in Active Directory  Uses the userAccountControl Active Directory attribute to determine the status of a user. When enabled, users that are disabled in Active Directory are also disabled in Mimecast.
Domains                                            Defines which of your organization's internal email domains are included in the sync. If left empty, all email domains registered as a Mimecast Internal Domain are considered. To limit the synchronization to specific domains, enter a comma separated list without spaces, for example:

mimecast.com,mimecast.co.uk

 

Advanced Settings

 

The Advanced Settings are designed for very large and / or multi domain Active Directory Forests. They cannot be used in isolation: if you set any one of them, all of them must be configured. The table below describes each of the available settings.

 

Name                     Description
Hostname / IP Address    Override the internal hostname or IP address that Active Directory Sync should connect to.
Connection Port          Override the port that Active Directory Sync should use for connections to the specified host.
User Name                Override the user name used to connect to Active Directory to synchronize data. Use DOMAIN\user format, for example, MIMECAST\administrator. Active Directory Sync only needs read access, so prefer the dedicated read-only account created in Step 1 over a built-in administrator account.
Password                 Override the password for the user specified in the User Name field.
Root Distinguished Name  The distinguished name of the container that Active Directory Sync uses as its search root; only objects beneath it are synchronized. For example, OU=london,DC=mimecast,DC=local.
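Before saving Advanced Settings in the Administration Console it is worth binding to Active Directory with exactly the same inputs and previewing what a sync would read. The PowerShell below is an added example, not code from the article or from Mimecast; it also demonstrates the userAccountControl test behind the "Acknowledge Disabled Accounts in Active Directory" option and groups mail-enabled users by email domain so you can compare against the Domains setting. The server, port, account and root DN values are assumptions for your environment.

```powershell
# Added example, not from the Mimecast article: validate the values you intend to
# enter under Advanced Settings (host, port, DOMAIN\user, root DN) by binding to
# Active Directory with them and previewing what a sync would read. The server,
# account and DN values are placeholders (assumptions) for your environment.
$LdapServer   = 'dc01.corp.example.com'                 # assumption: Hostname / IP Address
$LdapPort     = 389                                     # assumption: Connection Port (636 for LDAPS)
$SyncUser     = 'CORP\svc-mimecast-sync'                # assumption: User Name, DOMAIN\user form
$RootDn       = 'OU=London,DC=corp,DC=example,DC=com'   # assumption: Root Distinguished Name
$SyncPassword = Read-Host -AsSecureString "Password for $SyncUser"   # prompt; never hard-code it

function ConvertTo-PlainText([System.Security.SecureString]$Secure) {
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function Get-LdapRoot {
    param([string]$Server, [int]$Port, [string]$BaseDn, [string]$User, [string]$Password)
    $path = "LDAP://${Server}:${Port}/$BaseDn"
    # Secure = Kerberos/NTLM bind with signing, so the password does not cross the
    # wire in clear text even on port 389; add SSL when the port is 636.
    $auth = [System.DirectoryServices.AuthenticationTypes]::Secure
    if ($Port -eq 636) { $auth = $auth -bor [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer }
    $entry = New-Object System.DirectoryServices.DirectoryEntry($path, $User, $Password, $auth)
    $null = $entry.NativeObject   # forces the bind; a wrong DN or bad credentials throw here
    return $entry
}

function Get-SyncPreview {
    param([System.DirectoryServices.DirectoryEntry]$Root)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($Root)
    $searcher.PageSize    = 1000       # paged results; AD otherwise caps a search at 1000 entries
    $searcher.SearchScope = 'Subtree'
    $searcher.PropertiesToLoad.AddRange([string[]]@('mail', 'userAccountControl', 'sAMAccountName'))
    # Mail-enabled user objects, the population a directory sync reads.
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user)(mail=*))'
    $results = $searcher.FindAll()
    $count = $results.Count

    $disabled = @(); $byDomain = @{}
    foreach ($u in $results) {
        $mail = [string]$u.Properties['mail'][0]
        $uac  = [int]$u.Properties['useraccountcontrol'][0]
        # ACCOUNTDISABLE is bit 0x2 of userAccountControl; the console option
        # "Acknowledge Disabled Accounts in Active Directory" keys off this attribute.
        # The same test can be pushed to the DC with the LDAP bitwise-AND rule:
        #   (userAccountControl:1.2.840.113556.1.4.803:=2)
        if ($uac -band 0x2) { $disabled += $mail }
        $domain = ($mail -split '@')[1].ToLower()
        $byDomain[$domain] = 1 + $byDomain[$domain]
    }
    $results.Dispose()
    New-Object PSObject -Property @{ MailEnabledUsers = $count; Disabled = $disabled; ByDomain = $byDomain }
}

$root    = Get-LdapRoot -Server $LdapServer -Port $LdapPort -BaseDn $RootDn -User $SyncUser -Password (ConvertTo-PlainText $SyncPassword)
$preview = Get-SyncPreview -Root $root
"Mail-enabled users under ${RootDn}: $($preview.MailEnabledUsers)"
"Disabled in AD (would be disabled in Mimecast): $($preview.Disabled -join ', ')"
# Compare with the Domains setting: only these domains carry mail-enabled users under the root DN.
$preview.ByDomain.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
```

If Get-LdapRoot throws, the host, port, DOMAIN\user or root DN you were about to enter is wrong and the connector would fail the same way; a bind that succeeds but returns zero mail-enabled users usually means the root DN is too narrow. Run it from the MSE server itself so the test also exercises the network path the engine will use.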

 

Next Steps

 

Checking that the Mimecast Synchronization Engine has Applied the Configuration

 

Within two minutes of saving the configuration in the Administration Console, your Mimecast Synchronization Engine server should pick up the new configuration and schedule Active Directory Sync. To check this:

  1. Log in to the Mimecast Synchronization Engine server that the Active Directory synchronization connection is configured to use.
  2. Navigate to the Service Log Directory. By default this is %ProgramData%\Mimecast Synchronisation Engine\logs\
  3. Open the current day's Log File.
  4. Search for the string "calling siteConfig."
  5. Following this should be a line similar to the one below, showing Active Directory synchronization being applied and the next time the synchronization is scheduled to start:

    DEBUG|02062015 08:46:37,319| 4|mseservice|AntiCorruptionScheduler|+ event taskId: 2972, name: Task Description, next occurrence: 02/06/2015 13:00:00

 

If you don't see this line, you should instead see an error message indicating why Active Directory synchronization cannot be applied. Typically this is caused by a networking issue preventing the Mimecast Synchronization Engine from connecting to the Mimecast API.
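The manual log check above is easy to script. The PowerShell below is an added example (not from the article or from Mimecast): it reads the newest file in the service log directory, finds the most recent "calling siteConfig" marker and reports every scheduler line after it, plus any ERROR or WARN lines in between, which is where the networking failures the paragraph above describes would show up. The log directory is the default one from the article; the sample lines used when no log is present are constructed for offline use and are not real Mimecast output.

```powershell
# Added example, not from the Mimecast article: scan the current MSE service log
# for the "calling siteConfig" marker and report the scheduler entries and any
# ERROR/WARN lines that follow it.
$LogDir = Join-Path $env:ProgramData 'Mimecast Synchronisation Engine\logs'

function Get-MseSchedule {
    param([string[]]$Lines)
    # Matches the scheduler line shown in the article, e.g.
    # DEBUG|02062015 08:46:37,319| 4|mseservice|AntiCorruptionScheduler|+ event taskId: 2972, name: Task Description, next occurrence: 02/06/2015 13:00:00
    $sched = '^\s*(?<level>\w+)\|(?<ts>[^|]+)\|.*AntiCorruptionScheduler\|\+ event taskId: (?<id>\d+), name: (?<name>.*), next occurrence: (?<next>.+?)\s*$'
    $seen = $false; $tasks = @(); $problems = @()
    foreach ($line in $Lines) {
        if ($line -match 'calling siteConfig') {
            # Start over at each siteConfig call so only the latest configuration pull is reported.
            $seen = $true; $tasks = @(); $problems = @()
            continue
        }
        if (-not $seen) { continue }
        if ($line -match $sched) {
            # The date layout of 'next occurrence' follows the server's regional
            # settings (assumption), so it is kept as text rather than parsed.
            $tasks += New-Object PSObject -Property @{ TaskId = $Matches['id']; Name = $Matches['name']; NextRun = $Matches['next'] }
        } elseif ($line -match '^\s*(ERROR|WARN|FATAL)\s*\|') {
            $problems += $line.Trim()
        }
    }
    New-Object PSObject -Property @{ SiteConfigSeen = $seen; Tasks = $tasks; Problems = $problems }
}

$latest = Get-ChildItem -Path $LogDir -ErrorAction SilentlyContinue |
          Where-Object { -not $_.PSIsContainer } |
          Sort-Object LastWriteTime -Descending |
          Select-Object -First 1

if ($latest) {
    $report = Get-MseSchedule -Lines (Get-Content -Path $latest.FullName)
} else {
    # Constructed sample lines (not real MSE output) so the function can be tried offline.
    $sample = @(
        'DEBUG|02062015 08:46:35,101| 4|mseservice|SiteConfig|calling siteConfig.',
        'DEBUG|02062015 08:46:37,319| 4|mseservice|AntiCorruptionScheduler|+ event taskId: 2972, name: Task Description, next occurrence: 02/06/2015 13:00:00',
        'WARN |02062015 08:46:38,002| 4|mseservice|ApiClient|constructed warning line for illustration'
    )
    $report = Get-MseSchedule -Lines $sample
}

if (-not $report.SiteConfigSeen) { "No 'calling siteConfig' entry found; MSE has not fetched the new configuration yet." }
$report.Tasks | Format-Table TaskId, Name, NextRun -AutoSize
$report.Problems
```

An empty task table after a siteConfig call, together with entries in the problems list, is the failure mode described above; an empty table with no siteConfig marker at all means the engine has not contacted Mimecast since the connector was saved, so check outbound HTTPS first.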

 

If you would like to run a synchronization before the next scheduled execution:

  1. Log in to the Administration Console.
  2. Click on the Administration menu item.
  3. Click on the Services | Directory Synchronization menu item.
  4. Click on the Sync Directory Data button.

 

Checking the Status of Active Directory Synchronization

 

By default the Mimecast Synchronization Engine will synchronize your Active Directory every five hours, starting at 8am local server time, and with the last execution of the day starting at 11pm local server time.

 

Most of the processing for Active Directory Sync happens on the Mimecast Synchronization Engine server. Once the required data has been extracted from Active Directory it is submitted to Mimecast to be committed to your service.

 

At this stage the status of the Directory Connection is updated. The status of the last sync can be viewed in the Administration Console from the Administration | Services | Directory Synchronization menu.
