Mimecast Web Security: Installing the Mimecast Security Agent (Windows)

Document created by user.Yo2IBgvWqr Employee on Sep 11, 2018Last modified by user.m8lcBwVNwY on Jul 24, 2019
Version 31Show Document
  • View in full screen mode

This document provides instructions to deploy the Mimecast Security Agent (MSA) on roaming Windows PCs, to work in conjunction with the Mimecast Web Security feature. In addition, it covers how to:

  • Validate the agent installation.
  • Test policy blocking.
  • Enable / disable the agent.



To use the Mimecast Security Agent, you must have:

Mimecast Security Agent 1.2 and newer is certified for 'Citrix Virtual Apps and Desktop' v7 in persistent and non-persistent desktop configurations.


Supported Windows VersionEditionBit
Windows 10Pro/Enterprise32/64
Windows 8.1Pro/Enterprise32/64
Windows 7Pro/Enterprise32/64

Home edition of Windows isn't supported as it doesn't support enterprise features of MSMQ, resulting in the failure.

  • Have administrator privileges to install and setup the Mimecast Security Agent.
  • Have your managed endpoint systems using a Network Time Provider to ensure accurate system clocks.
  • Ensure communication from the Mimecast Security Agent to Mimecast via the API URLs isn't blocked. See the "Firewall" section above.
  • The Windows Messaging Queue (MSMQ) feature enabled. The MSA installation may remove / disable the MSMQ in error. The workaround is to run the Windows Update service. Refer to the Message Queuing (MSMQ) article on Microsoft's site for more information.
  • .Net Framework version 4.5.2 or higher.


Optionally we recommend the following:

  • Configuring an exception for your local domain. Unlike using DNS forwarders, when MSA is installed, all DNS traffic is sent to Mimecast bypassing any local DNS configuration (i.e. IP phones, print servers). See the Managing Exceptions page for further information.
  • Configuring your Mimecast Security Agent Settings. See the Mimecast Security Agent Settings page for further information.
  • We recommend your browser uses Windows Trust Store for Certificate of Authority. If using Firefox, set it to use the Windows Trust Store by:
    1. Typing about:config in the address bar.
    2. Creating a Boolean Variable called "security.enterprise_roots.enabled".
    3. Setting the "security.enterprise_roots.enabled" variable to True.
Mimecast Security Agent automatically installs the Mimecast SSL certificate into Firefox’s private certificate root. However if you aren't using the endpoint software, you'll need to install the Mimecast certificate for Network Level Protection.

Installing the Mimecast Security Agent on Standalone Windows PC


To install the MSA on a Windows PC:

  1. Log on to the Administration Console.
  2. Click on the Administration menu item. A drop down menu is displayed.
  3. Windows WizardClick on the Web Security | Agent Settings menu item. The Mimecast Security Agent "Installation" tab displays by default.
  4. Click on the Download for PC button. The installer files download to your browser's download location with a file name of "Mimecast Security Agent.ZIP". The .ZIP package contains both 32bit and 64bit MSI files, with the key located in a "Mimecast Security Agent Configuration" folder.
    There can be a significant delay before the browser indicates the file download is complete.
  5. Copy the Mimecast Security Agent installer and the CustomerKey file to the target roaming system to be protected.
  6. Start the Mimecast Security Agent Installer
    The installer must be run as an administrator.
  7. Click on the Next button to continue.
  8. Select the CustomerKey License File that was part of the MSI download by either:
    • Clicking on the Browse button.
    • Copying the CustomerKey in the file separately and paste it into the Browse box.
  9. Click on the Next button once the authentication key has loaded.
  10. Select the Installation Folder into which the Mimecast Security Agent will be installed.
  11. Click on the Next button. The Mimecast Security Agent installation starts.
  12. Click on the Yes button to confirm that the installation can continue.
  13. Click on the Finish button to exit the installer.
  14. Select Yes when prompted to restart your computer. The Mimecast Security Agent is started on the system reboot, with the agent icon appearing in the Windows system tray.
During the installation process, you may be prompted and required to install additional software. The system will need to be rebooted after the completed MSA installation.

Silently Installing the Mimecast Security Agent


The command listed below can be used to silently install the Mimecast Security Agent, create a verbose install log, and inject the CustomerKey:

msiexec /i "<MSI_PATH>" /qn /l*v <LOG_PATH> licensefile="<CUSTOMER_KEY_PATH>"


  • <MSI_PATH> is the location of the MSI file.
  • <LOG_PATH> is the location where you want the log file created.
  • <CUSTOMER_KEY_PATH> is the location of your customer key.
A reboot is required for the Mimecast Security Agent to enter a "Protected" state.

Validating the Mimecast Security Agent Installation


After restarting the system, verify that the MSA has been installed correctly via the methods below. If any errors display, gather and send diagnostics data as outlined in the Mimecast Security Agent Diagnostic Data page.


MSA InterfaceConfirm the MSA User Interface is Running


To confirm the MSA User Interface is running:

  1. Check that the MSA icon MSA Icon is displayed in the Windows taskbar system tray.
  2. Click on the MSA icon to launch the home screen. Ensure the following:
    • A green tick displays on the Mimecast shield.
    • The status is ‘Protected’.
    • The 'Client ID' shows the machine name.
    • The 'Last sync’ time displays.


Checking the MSA Diagnostics


To check the MSA diagnostics:

  1. Click on the Diagnostics tab.

  2. Click on the Show Live Diagnostics button.
  3. Check that all the basic diagnostics checklist ticks display green.
  4. Click the Refresh button a few times and confirm that the Diagnostics Last update display times increment as expected.
  5. Check that the Additional information details contain valid entries for:
    • DNS Redirecting
    • DNS Server IPs
    • API Discovered grid
    • API Account Code
  6. Click on the Display the Certificate link next to DNS Root certificate. This displays the Windows Certificate dialog and allows you to confirm the root certificate has been correctly deployed.
  7. Click on the Display the Certificate link next to DNS TLS certificate. This displays the Windows Certificate dialog for the Mimecast Endpoint Certificate.
  8. Return to the Mimecast Security Agent Diagnostics console and select Advanced Diagnostics.
  9. Scroll down to the Mimecast.Dns section and confirm there is an entry for "Redirected Query 1".


Policy Configuration


Once the Mimecast Security Agent is installed, you can test it is working by:

  1. Creating a Block or Allow List Policy to:
    • Block a legitimate site (e.g. cnn.com). This avoids visiting a site that has been blocked by your IT administrator.
    • Apply the policy to a user or group. This ensures it takes precedence over a location or "everyone" policy.
  2. Either getting the user to:
    • Manually log in to the MSA.
    • Use the transparent user Id to identify domain users.
If a policy component is changed, the change will not take effect if the system DNS cache and browser DNS cache are not cleared. Cache clearing updates can take up to 20 minutes.

See the Mimecast Security Agent Policy Testing page for details.


See Also...