cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
jmcg
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 1 of 7
‎06-19-2019 05:28 AM

Sub-Policy by AD group

Jump to solution

Hello,

 

I have an issue using sub-policy by AD group... I can't manage to get working.

What is the format wanted in ePO policy to get the AD Group ?

 

I just put "Domain users" but doesn't seem to work

 

Could you help me ?

0 Kudos
Reply
1 Solution

Accepted Solutions
tlange
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 7
‎06-21-2019 05:29 AM

Re: Sub-Policy by AD group

Jump to solution

with exchange 2016 you don't want to use ad groups when setting up the sub-policies.  the reason is that for every email that comes through, msme will have to take each email address and do a lookup to AD to verify the user is in the group.  if for any reason there is a delay getting a response back from the domain controller then mail flow will start to slow down and mail could start getting backed up in the submission queue. 

the recommended approach for sub-policies is to use the email address of the sender (if you filter for outbound mail) or the email address of the recipient (if it is inbound mail).  you can use wild cards in the filter as well. by doing this you allow msme to process emails more efficiently.  also the reason the approach is faster is that msme scans at the transport layer and by the time the email gets to msme the email address has been set in the header (especially for internal emails) so it is much easier for msme to get the email address over checking if a user is part of an ad group.

View solution in original post

0 Kudos
Reply
6 Replies
tlange
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 7
‎06-20-2019 02:02 PM

Re: Sub-Policy by AD group

Jump to solution

what version of exchange is this?

what version of msme?

0 Kudos
Reply
jmcg
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 3 of 7
‎06-20-2019 02:30 PM

Re: Sub-Policy by AD group

Jump to solution
Exchange 2016 CU 8

MSME 8.6.1
0 Kudos
Reply
tlange
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 7
‎06-21-2019 05:29 AM

Re: Sub-Policy by AD group

Jump to solution

with exchange 2016 you don't want to use ad groups when setting up the sub-policies.  the reason is that for every email that comes through, msme will have to take each email address and do a lookup to AD to verify the user is in the group.  if for any reason there is a delay getting a response back from the domain controller then mail flow will start to slow down and mail could start getting backed up in the submission queue. 

the recommended approach for sub-policies is to use the email address of the sender (if you filter for outbound mail) or the email address of the recipient (if it is inbound mail).  you can use wild cards in the filter as well. by doing this you allow msme to process emails more efficiently.  also the reason the approach is faster is that msme scans at the transport layer and by the time the email gets to msme the email address has been set in the header (especially for internal emails) so it is much easier for msme to get the email address over checking if a user is part of an ad group.

View solution in original post

0 Kudos
Reply
jmcg
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 5 of 7
‎06-21-2019 06:00 AM

Re: Sub-Policy by AD group

Jump to solution
I had read in a help somewhere that AD Group scan was faster than SMTP.

But this was not logic to me, thanks for confirming this. We are filter by SMTP and Wildcard now.

Another question, we use URL Reputation scan, and some of the mail come to event log in ePO with Attack Name "Empty" or "Unknown" how do we manage does ?

I don't have any rule / setup available in URL Reputation policy for Unknown.
0 Kudos
Reply
tlange
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 6 of 7
‎06-21-2019 06:33 AM

Re: Sub-Policy by AD group

Jump to solution

those events indicate the url scanner wasn't able to get info on the url being scanned.  either it caused an issue with the scanner or msme didn't get a proper reply back from the database.  the only way to see what is going on would be to look at debug logs when one of those emails comes through. 

with regards to handling the unknown/empty events.. msme would log the info and send the email to the next scanner.  there isn't a way to do anything further from the url scanner.

if you are getting alot of these events then i would suggest to open a support ticket so it can be looked into further

Reply
jmcg
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 7 of 7
‎06-24-2019 05:17 AM

Re: Sub-Policy by AD group

Jump to solution
Ok thanks you
0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2020 McAfee, LLC