Mimecast Web Security: Installing the Mimecast Security Agent (Windows)

Document created by user.Yo2IBgvWqr Employee on Sep 11, 2018. Last modified by user.oxriBaJeN4 on Nov 27, 2018. Version 21.

This document provides instructions to deploy the Mimecast Security Agent (MSA) on roaming Windows PCs, to work in conjunction with the Mimecast Web Security feature. In addition, it covers how to:

  • Validate the agent installation.
  • Test policy blocking.
  • Enable / disable the agent.

Prerequisites

 

Before installing the Mimecast Security Agent on Windows PCs, ensure the following requirements are met:

  • Administration privileges are available on the Windows PC.

     

  • Locations are defined as the egress IP address of a network. View the Mimecast Web Security: Configuring Locations page for further information.

  • The local DNS resources have "Exceptions" defined as required so that your trusted domains and IPs bypass the Mimecast Web Security functionality. View the Mimecast Web Security: Managing Exceptions page for further information.

    An exception for your local domain must be created if you have Active Directory or a Local DNS server. If the local domain is not included as an exception you won't be able to access local resources such as IP Phones and Print Servers etc.
  • Mimecast Web Security policies have been configured. View the "Policy Configuration Recommendations" section below and the Mimecast Web Security: Configuring Policies page for further information.

  • Mimecast Security Agent Settings have been configured. View the Mimecast Web Security: Mimecast Security Agent Settings page for further information.
  • For proper function of the Mimecast Security Agent, ensure that the managed endpoint systems are using a Network Time Provider, resulting in accurate system clocks.

 

Browser Recommendations

 

We recommend that the browser uses the Windows Trust Store for Certificate Authority (CA) certificates. If using a Firefox browser, set it to use the Windows Trust Store by:

  1. Typing "about:config" in the Firefox address bar.
  2. Creating a new boolean variable called 'security.enterprise_roots.enabled'.
  3. Setting 'security.enterprise_roots.enabled' to 'true'.

The security agent software will automatically install the Mimecast SSL Certificate into Firefox’s private certificate root. However, if you aren't using the endpoint software, you'll need to install the Mimecast certificate for ‘Network Level Protection’.

Policy Configuration Recommendations


You'll need to ensure that Mimecast Web Security policies are defined and ready. Your current policy configuration will be used during testing to block a known collection of domains. Location based policies are never applied to an MSA protected endpoint, even if it's on a protected network.

Do not test with explicit sites, which when viewed are against your company policy. We recommend blocking with a safe site such as cnn.com during testing.

Policy type recommendations include: 

  • A Domain Filtering policy with explicit blocks and allows set.
  • A Category Filtering policy with known categories blocked and allowed. This policy should apply as follows:
    MSA Authentication: User logs into the MSA
    Applies To:
    • Individual Users
    • Groups containing the User
    • Everyone

    MSA Authentication: User does not log into the MSA
    Applies To:
    • Everyone
When a policy component is changed, if the system DNS cache and browser DNS cache are not cleared, the policy change will not take effect. Cache clearing updates can take up to 20 minutes, therefore you won't see the policy change take effect until this completes. 

Installing the Mimecast Security Agent on Windows

For the endpoint to work correctly, the Message Queuing (MSMQ) feature in Windows needs to be configured correctly. During installation, MSMQ may be removed from the system or disabled in error. The workaround is to run the Windows Update service. Refer to the Message Queuing (MSMQ) article on Microsoft's site for more information.
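
The prerequisites above (administrator rights, an accurate system clock) and the MSMQ state can be captured with a short PowerShell check, added here as an example and not part of Mimecast's documentation. It assumes the Windows Time service is the time provider, English-language `w32tm` output, and a snapshot file under `%ProgramData%` (a name chosen for this example); run it elevated before the install and again after the post-install reboot.

```powershell
# Added example (not Mimecast code). Set $Phase to 'before' or 'after' for each run.
$Phase = 'before'

function Get-MsaHostState {
    $state = [ordered]@{ Computer = $env:COMPUTERNAME; Checked = (Get-Date).ToString('s') }

    # Prerequisite: administration privileges on the Windows PC.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $state.Elevated = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # Prerequisite: accurate clock. Assumes the Windows Time service is the provider.
    $w32 = Get-Service -Name 'W32Time' -ErrorAction SilentlyContinue
    $state.TimeServiceRunning = [bool]($w32 -and $w32.Status -eq 'Running')
    $state.TimeSource = (& w32tm.exe /query /source 2>&1 | Out-String).Trim()
    # English w32tm output: these two sources mean the clock is not synced over the network.
    $state.TimeSynced = $state.TimeServiceRunning -and
        ($state.TimeSource -notmatch 'Local CMOS Clock|Free-running System Clock')

    # MSMQ: record feature and service state so a removal or disable during install shows up.
    try {
        $f = Get-WindowsOptionalFeature -Online -FeatureName 'MSMQ-Server' -ErrorAction Stop
        $state.MsmqFeature = [string]$f.State
    } catch {
        $state.MsmqFeature = "Unknown ($($_.Exception.Message))"
    }
    $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
    $state.MsmqService = if ($svc) { "$($svc.Status)/$($svc.StartType)" } else { 'NotInstalled' }

    [pscustomobject]$state
}

$current = Get-MsaHostState
$current | Format-List
$file = Join-Path $env:ProgramData "msa-host-state-$Phase.json"   # example file name
$current | ConvertTo-Json | Set-Content -LiteralPath $file -Encoding UTF8

# On the 'after' run, warn if MSMQ changed relative to the pre-install snapshot.
$beforeFile = Join-Path $env:ProgramData 'msa-host-state-before.json'
if ($Phase -eq 'after' -and (Test-Path -LiteralPath $beforeFile)) {
    $old = Get-Content -LiteralPath $beforeFile -Raw | ConvertFrom-Json
    foreach ($p in 'MsmqFeature', 'MsmqService') {
        if ($old.$p -ne $current.$p) { Write-Warning "$p changed: $($old.$p) -> $($current.$p)" }
    }
}
```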

To install the security agent on a Windows PC:

  1. Log on to the Administration Console.
  2. Click on the Administration menu item. A drop down menu is displayed.
  3. Click on the Web Security | Agent Settings menu item. The Mimecast Security Agent "Installation" tab displays by default.
  4. Click on the Download for PC button. The installer files download to your browser's download location with a file name of "Mimecast Security Agent.ZIP". The .ZIP package contains both 32bit and 64bit MSI files, with the key located in a "Mimecast Security Agent Configuration" folder.
    There can be a significant delay before the browser indicates the file download is complete. 
  5. Copy the Mimecast Security Agent installer and the CustomerKey file to the target roaming system to be protected.
  6. Launch the Mimecast Security Agent installer to start the setup wizard. 
    The installer must be run as an administrator.
  7. Click on the Next button to continue.
  8. Click on the Browse button.
  9. Navigate to the file containing the CustomerKey which was part of the MSI download and select it. Alternatively, you can copy the CustomerKey in the file separately and paste it into the “Browse” box.
  10. Once the authentication key has loaded, click on the Next button.
  11. Click on the Browse button.
  12. Select the folder on the local system for the installation of the Mimecast Security Agent software.
  13. Click on the Next button.
  14. Install the Mimecast Security Agent onto the local system.
  15. Click on the Yes button to allow the installation to complete.
  16. Click on the Finish button to exit the Mimecast Security Agent Setup wizard.
  17. Once the MSA installer completes, select Yes when prompted to restart your computer. The Mimecast Security Agent is started on the system reboot, with the agent icon appearing in the Windows system tray.
During the installation process, you may be prompted and required to install additional software including Visual C++. It isn't necessary to reboot after the installation of Visual C++, because the system will need to be rebooted after the completed MSA installation.

Silently Installing the Mimecast Security Agent

 

The following command can optionally be used to:

  • Silently install the Mimecast Security Agent.
  • Create a verbose install log.
  • Inject the CustomerKey.

    msiexec /i "<MSINAME>.msi" /qn /l*v "<PATH TO LOG>\MSA-install.log" licensefile=CustomerKey

Assuming the MSI file and CustomerKey exist in the same folder, you'll need to amend:

  • <MSINAME> to the file name in your environment.
  • <PATH TO LOG> to the location you want the log to be created in.
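
For scripted rollouts, the silent install command above can be wrapped as follows. This is an added example, not Mimecast's own script: it refuses to run unelevated, checks the MSI's Authenticode signature before executing it, and interprets the msiexec exit code. The folder paths are placeholders, the key file is assumed to be named CustomerKey as in the documented command, and the MSI is assumed to carry an Authenticode signature.

```powershell
#Requires -Version 5.1
# Added example. $SourceDir, $MsiName and $LogDir are placeholders, not values from Mimecast.
$SourceDir = 'C:\Temp\MSA'          # folder holding the MSI and the CustomerKey file
$MsiName   = '<MSINAME>.msi'        # replace with the MSI file name from the ZIP
$LogDir    = 'C:\Temp\MSA\logs'     # <PATH TO LOG> in the documented command
$ErrorActionPreference = 'Stop'

# The installer must be run as an administrator.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
if (-not ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

$msi = Join-Path $SourceDir $MsiName
$key = Join-Path $SourceDir 'CustomerKey'   # assumed file name, as in licensefile=CustomerKey
foreach ($f in $msi, $key) {
    if (-not (Test-Path -LiteralPath $f -PathType Leaf)) { throw "Missing file: $f" }
}

# Refuse an MSI whose Authenticode signature is absent or does not validate.
$sig = Get-AuthenticodeSignature -LiteralPath $msi
if ($sig.Status -ne 'Valid') {
    throw "MSI signature status is '$($sig.Status)'; not installing."
}
Write-Host "MSI signed by: $($sig.SignerCertificate.Subject)"   # review against the expected publisher

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$log = Join-Path $LogDir 'MSA-install.log'

# Same switches as the documented command, run from $SourceDir because that command
# assumes the MSI and CustomerKey sit in the same folder.
$msiArgs = "/i `"$msi`" /qn /l*v `"$log`" licensefile=CustomerKey"
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs `
    -WorkingDirectory $SourceDir -Wait -PassThru

switch ($proc.ExitCode) {
    0       { Write-Host 'Install succeeded. Restart the PC so the agent starts.' }
    3010    { Write-Host 'Install succeeded; a restart is required.' }
    1641    { Write-Host 'Install succeeded; the installer has initiated a restart.' }
    default { throw "msiexec failed with exit code $($proc.ExitCode). See $log" }
}
```

The verbose log records the full command line, including the licensefile property, so store it where only administrators can read it.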

 

Validating the Mimecast Security Agent Installation

 

After restarting the system, verify that the MSA has been installed correctly via the methods below. If any errors display, gather and send diagnostics data as outlined in the Mimecast Security Agent Diagnostic Data page.

 

Check Internet Connectivity

 

To confirm internet connectivity and ensure that unblocked sites can be reached:

  1. Open a new browser.
  2. Navigate to a domain which isn't blocked (e.g. your corporate site or bbc.co.uk).

Confirm the MSA User Interface is Running

 

To confirm the MSA User Interface is running:

  1. Check that the MSA icon is displayed in the Windows taskbar system tray.
  2. Click on the MSA icon to launch the home screen. Ensure the following:
    • A green tick displays on the Mimecast shield.
    • The status is ‘Protected’.
    • The 'Client ID' shows the machine name.
    • The 'Last sync’ time displays.

 

Check the MSA Diagnostics

 

To check the MSA diagnostics:

  1. Click on the Diagnostics tab.

  2. Click on the Show Live Diagnostics button.

  3. Check that all of the basic diagnostics checklist ticks display green.

  4. Click the Refresh button a few times and confirm that the Diagnostics Last update display times increment as expected.

  5. Check that the Additional information details contain valid entries for:

    • DNS Redirecting
    • DNS Server IPs
    • API Discovered grid
    • API Account Code
  6. Click on the Display the Certificate link next to DNS Root certificate. This displays the Windows Certificate dialog and allows you to confirm the root certificate has been correctly deployed.
  7. Click on the Display the Certificate link next to DNS TLS certificate. This displays the Windows Certificate dialog for the Mimecast Endpoint Certificate.
  8. Return to the Mimecast Security Agent Diagnostics console and select Advanced Diagnostics.
  9. Scroll down to the Mimecast.Dns section and confirm there is an entry for "Redirected Query 1".

 

View the Protected Device

 

To view the newly protected device:

  1. Log on to the Administration Console.
  2. Click on the Administration menu item. A drop down menu is displayed.
  3. Click on the Web Security | Protected Devices menu item. 
  4. Confirm the view shows an entry for the protected machine name.

 

Testing Policy Blocking

 

With the Mimecast Security Agent installed and running correctly, the next step is to test that your configured policies work to block or allow sites as expected.

 

Machine Level Testing

 

Machine level blocking occurs when:

  • The MSA is not logged into by an authenticated user.
  • Configured policy definitions apply to "Everyone".

 

To test machine level blocking:

  1. Ensure you aren't logged into the MSA. 
  2. Confirm that a Mimecast block page is properly displayed by browsing to a domain where:
    • The policy you're testing defines a block.
    • The policy you're testing applies to "Everyone".
  3. Navigate to a domain which should be allowed and ensure that it's accessible and does not generate a block page.

 

User Level Testing

 

User level blocking occurs when:

  • The MSA is logged into by an authenticated user.
  • Configured policy definitions apply to "Groups" or "Users".

 

To test user level blocking:

  1. Click on the MSA Icon from the system tray to display the user interface.
  2. Click on the Log In button. User level blocking only occurs when the MSA is logged into by an authenticated user.
  3. Enter the Email Address of the user specified during the policy setup.
  4. Click on the Next button.
  5. Select BasicAd from the available authentication methods. This enables authentication with the user's Active Directory credentials.
    'BasicCloud' is based on a user's Mimecast credentials. 'BasicAd' is based on a user's local Active Directory credentials.
  6. Click on the Next button.
  7. Enter the user's credentials.
  8. Click on the Log In button.
  9. Once authenticated, you're taken back to the MSA home page. Confirm that the:
    • Client ID displays the user’s email.
    • Status is still 'Protected'.
  10. Confirm the Administration Console now shows an entry for the associated user, by navigating to the Web Security | Protected Devices menu item.

 

Disabling / Enabling the Security Agent

 

To control your agent settings on Windows OS:

  1. Click on the Mimecast Security Agent icon from the system tray.
  2. Click on the Preferences button.
  3. Enter the Tamper Protection password to log into the Protection user interface. To obtain the password:
    1. Log on to the Administration Console.
    2. Select the Web Security | Agent Settings menu item.
    3. Click on the Settings tab.
    4. Click on the Copy Password button under Tamper Protection to copy the password. Alternatively, click on the Generate Password button if one does not exist.
  4. Click on either the:

    • Enable button to enable security on the agent.
    • Disable button to disable security on the agent.

 
