Reliable Contributor jmcg
Message 1 of 7

Sub-Policy by AD group

Hello,

I have an issue using sub-policy by AD group... I can't manage to get it working.

What is the format wanted in ePO policy to get the AD group?

I just put "Domain users" but it doesn't seem to work.

Could you help me?

6 Replies
McAfee Employee tlange
Message 2 of 7

Re: Sub-Policy by AD group

What version of Exchange is this?

What version of MSME?

Reliable Contributor jmcg
Message 3 of 7

Re: Sub-Policy by AD group

Exchange 2016 CU 8

MSME 8.6.1
McAfee Employee tlange
Message 4 of 7

Re: Sub-Policy by AD group

With Exchange 2016 you don't want to use AD groups when setting up the sub-policies. The reason is that for every email that comes through, MSME will have to take each email address and do a lookup to AD to verify the user is in the group. If for any reason there is a delay getting a response back from the domain controller, then mail flow will start to slow down and mail could start getting backed up in the submission queue.

The recommended approach for sub-policies is to use the email address of the sender (if you filter for outbound mail) or the email address of the recipient (if it is inbound mail). You can use wildcards in the filter as well. By doing this you allow MSME to process emails more efficiently. Also, the reason the approach is faster is that MSME scans at the transport layer, and by the time the email gets to MSME the email address has been set in the header (especially for internal emails), so it is much easier for MSME to get the email address over checking if a user is part of an AD group.
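The address-based selection recommended in the reply above, modeled as an added example that is not part of the original thread and is not MSME code or configuration syntax. The rule table format, policy names, addresses and the shell-style `*`/`?` wildcard semantics are assumptions made for illustration; the point is that the decision is a local string match on addresses the message already carries, with no per-email directory lookup.

```python
from fnmatch import fnmatchcase

# Constructed rule table (hypothetical format, not MSME's): first match wins.
# Each rule: (sub-policy name, direction, address pattern with * and ? wildcards)
RULES = [
    ("Finance-Outbound", "outbound", "*@finance.example.com"),
    ("Execs-Inbound", "inbound", "ceo@example.com"),
    ("Contractors-Inbound", "inbound", "ext-*@example.com"),
]
MASTER_POLICY = "Master"


def addresses_to_check(message, direction):
    """Outbound mail is filtered on the sender, inbound mail on the recipients."""
    if direction == "outbound":
        return [message["sender"]]
    if direction == "inbound":
        return list(message["recipients"])
    raise ValueError(f"unknown direction: {direction!r}")


def select_subpolicy(message, direction, rules=RULES):
    """Return the first sub-policy whose pattern matches, else the master policy.

    Matching is a case-insensitive comparison against addresses taken from the
    message itself, so nothing here waits on a domain controller.
    """
    candidates = [a.strip().lower() for a in addresses_to_check(message, direction)]
    for name, rule_direction, pattern in rules:
        if rule_direction != direction:
            continue
        if any(fnmatchcase(addr, pattern.lower()) for addr in candidates):
            return name
    return MASTER_POLICY


# Constructed sample messages.
OUTBOUND = {"sender": "Alice@Finance.Example.com",
            "recipients": ["bob@partner.example.net"]}
INBOUND = {"sender": "bob@partner.example.net",
           "recipients": ["it@example.com", "ext-joe@example.com"]}
```

Running candidate patterns against a sample of real sender and recipient addresses in this way shows which mail a wildcard would pull into a sub-policy before the filter is deployed.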


Reliable Contributor jmcg
Message 5 of 7

Re: Sub-Policy by AD group

I had read in a help somewhere that AD Group scan was faster than SMTP.

But this was not logical to me; thanks for confirming this. We are filtering by SMTP and wildcard now.

Another question: we use URL Reputation scan, and some of the mail comes to the event log in ePO with Attack Name "Empty" or "Unknown". How do we manage those?

I don't have any rule / setup available in URL Reputation policy for Unknown.
McAfee Employee tlange
Message 6 of 7

Re: Sub-Policy by AD group

Those events indicate the URL scanner wasn't able to get info on the URL being scanned. Either it caused an issue with the scanner or MSME didn't get a proper reply back from the database. The only way to see what is going on would be to look at debug logs when one of those emails comes through.

With regard to handling the unknown/empty events: MSME would log the info and send the email to the next scanner. There isn't a way to do anything further from the URL scanner.

If you are getting a lot of these events, then I would suggest opening a support ticket so it can be looked into further.

Reliable Contributor jmcg
Message 7 of 7

Re: Sub-Policy by AD group

OK, thank you.