Step 2: Firewall and network access prerequisites
Describes firewall and network access prerequisites.
Forcepoint Data Security Cloud | SSE CASB and Forcepoint DLP integration is based on the following HTTPS network connections:
- FSM to the Forcepoint Data Security Cloud | SSE
  Each of the domains below resolves to multiple IP addresses, and all of them must be included in any firewall Access Control Lists (ACLs).
  - Commercial Cloud:
    - portal.bitglass.com
    - proxyapi.bitglass.com
  - EU Cloud:
    - portal.eu.bitglass.net
    - proxyapi.eu.bitglass.net
  - Trial Cloud:
    - portal.us.bitglass.net
    - proxyapi.us.bitglass.net
- FSM to DPS (if you need to route these connections through your proxy, open a support case so that the support team can share the procedure with you).
If the FSM is behind your network firewall or any other network access control system, you must allow connections on port 443.
If you want to allow specific Forcepoint Data Security Cloud | SSE IP addresses for security reasons, see the list of IP addresses in Forcepoint Data Security Cloud | SSE Bypass Lists for Firewalls and Security Software.
  - Common URLs for every customer:
    - "dps_object_store_service_url": https://oss.prd01.us-east-1.dps.forcepoint.io
    - "dps_object_store_service_url_async_inspection": https://oss-async-inspection.prd01.us-west-2.default.dps.forcepoint.io
    - "neo_auth_service_url": https://auth-service.prd01.us-east-1.dup.forcepoint.io
    - "auth_service_url": https://auth-service.prd01.us-east-1.dup.forcepoint.io
  - Unique domains for every DPS instance (under *.forcepoint.io). Each of these URLs contains your Tenant ID; check your JSON file for the exact URLs.
    - "dps_url": https://<tenant_id>.dps.forcepoint.io
    - "dps_url_async_email": https://email-<tenant_id>.dps.forcepoint.io
    - "dps_url_async_casb": https://casb-<tenant_id>.dps.forcepoint.io
    - "dps_ping_url": https://<tenant_id>.dps.ip.forcepoint.io/ping
  - Relevant AWS IP addresses for your DPS hosted region.
    You can determine the AWS region in which your DPS tenant is hosted from the "primary_region" and "dps_service_location" values in your JSON file. To find the AWS IP addresses for that region, refer to AWS IP address ranges.
  - Additional Object Store Service S3 endpoints (policy and object uploads)
    When Forcepoint Security Manager (FSM) uploads policies and related objects to the Data Protection Service Object Store Service (OSS), it connects to additional AWS S3 URLs that depend on your DPS region. These URLs must be allowed on your firewall (port 443) and exempted from SSL inspection:
    - https://oss-prd01-<region>-production.s3.amazonaws.com
    - https://oss-prd01-<region>-production.s3.<region>.amazonaws.com
    Example for EU Central (Frankfurt):
    - https://oss-prd01-eu-central-1-production.s3.eu-central-1.amazonaws.com
    These endpoints are used by the OSS backend for storing policies, events, and forensics data associated with your DPS tenant.
    Note: You do not need to allow the generic *.s3.amazonaws.com domain. Instead, allow only the specific oss-prd01-<region>-production.s3[.<region>].amazonaws.com endpoints that correspond to your DPS region.
    You can determine your DPS region from the "primary_region" and "dps_service_location" values in your DPS JSON file. Use this region value to identify the corresponding oss-prd01-<region>-production.s3[.<region>].amazonaws.com endpoints that should be allowed.
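To turn the DPS JSON file into a concrete firewall allowlist, here is an added example (not part of the Forcepoint documentation or product) that reads the JSON keys named above, collects the hostnames to allow on TCP 443, and derives the region-specific S3 endpoints from "primary_region" / "dps_service_location"; the JSON content, tenant ID and region are constructed placeholders.

```python
import json
from urllib.parse import urlparse

# Constructed sample of a DPS JSON file with the keys named on this page; tenant ID and region are placeholders.
SAMPLE_DPS_JSON = """{
  "dps_url": "https://tenant-id-placeholder.dps.forcepoint.io",
  "dps_url_async_email": "https://email-tenant-id-placeholder.dps.forcepoint.io",
  "dps_url_async_casb": "https://casb-tenant-id-placeholder.dps.forcepoint.io",
  "dps_ping_url": "https://tenant-id-placeholder.dps.ip.forcepoint.io/ping",
  "dps_object_store_service_url": "https://oss.prd01.us-east-1.dps.forcepoint.io",
  "dps_object_store_service_url_async_inspection": "https://oss-async-inspection.prd01.us-west-2.default.dps.forcepoint.io",
  "neo_auth_service_url": "https://auth-service.prd01.us-east-1.dup.forcepoint.io",
  "auth_service_url": "https://auth-service.prd01.us-east-1.dup.forcepoint.io",
  "primary_region": "eu-central-1",
  "dps_service_location": "eu-central-1"
}"""
# JSON keys whose values are URLs the FSM connects to (the keys listed on this page).
URL_KEYS = (
    "dps_url", "dps_url_async_email", "dps_url_async_casb", "dps_ping_url",
    "dps_object_store_service_url", "dps_object_store_service_url_async_inspection",
    "neo_auth_service_url", "auth_service_url",
)


def oss_s3_hosts(region):
    """Both S3 endpoint forms for the OSS bucket of the given DPS region."""
    base = f"oss-prd01-{region}-production"
    return [f"{base}.s3.amazonaws.com", f"{base}.s3.{region}.amazonaws.com"]


def dps_allowlist(dps_json_text):
    """Return the sorted, de-duplicated hostnames to allow on TCP 443 for this tenant."""
    cfg = json.loads(dps_json_text)
    hosts = set()
    for key in URL_KEYS:
        value = cfg.get(key)
        if not value:
            continue  # key absent in this tenant's file; nothing to allow for it
        parsed = urlparse(value)
        if parsed.scheme != "https" or not parsed.hostname:
            raise ValueError(f"{key}: expected an https:// URL, got {value!r}")
        hosts.add(parsed.hostname)  # path parts such as /ping are irrelevant to a firewall ACL
    # The S3 endpoints are not listed in the file; derive them from the region value.
    region = cfg.get("primary_region") or cfg.get("dps_service_location")
    if not region:
        raise ValueError("primary_region/dps_service_location missing; cannot derive S3 hosts")
    hosts.update(oss_s3_hosts(region))
    return sorted(hosts)


if __name__ == "__main__":
    for host in dps_allowlist(SAMPLE_DPS_JSON):
        print(f"{host}:443")
```

Because each hostname resolves to multiple IP addresses, feed these names into an FQDN-based rule or resolve them at rule-refresh time rather than pinning a single address.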