Webhook URL Requirements and Verification

Ensure the Forcepoint DSPM DDR webhook endpoint is publicly accessible and uses a valid, widely trusted HTTPS certificate so that remote data sources can deliver events reliably. This topic applies to on-premises deployments only.

Overview

For DDR streaming to function with remote data sources such as SharePoint Online, OneDrive, and Google Drive, the Forcepoint DSPM webhook endpoint must be reachable from the respective cloud provider's datacenters. If the URL is inaccessible or presents an untrusted TLS certificate, event delivery will fail silently - DDR will not detect file changes in near real time.

Important: This topic applies to on-premises deployments only. Multi-tenant SaaS customers do not need to perform these steps; the webhook endpoint is fully configured and publicly accessible out of the box.

This topic is intended for network administrators and IT engineers responsible for deploying and maintaining on-premises installations of Forcepoint DSPM.

Autogenerated DDR Webhook Endpoint

The dedicated DDR notification endpoint is autogenerated during installation. No manual URL creation is required. The endpoint is available immediately after installation and follows this path pattern:

https://${HOST_DOMAIN}/scan-manager/external/webhooks/notification/${WEBHOOK_ID}
Where:
  • ${HOST_DOMAIN} is the host domain of your Forcepoint DSPM installation.

  • ${WEBHOOK_ID} is a unique identifier that is autogenerated when DDR streaming is enabled for a particular data source configuration. Each configured data source receives its own distinct webhook ID.

Example of an actual webhook URL:
https://acme.example.com/scan-manager/external/webhooks/notification/a42f511f0e94c77cfcf4a0f8e16f60ed649dc9947abd81410fa50cec7c5b366c

The trailing segment is a unique identifier per webhook and will differ for each configured data source.

When configuring firewall rules or URL allowlists, allow the following URL prefix - this covers all webhook IDs generated for your deployment:
https://${HOST_DOMAIN}/scan-manager/external/webhooks/notification/

Requirements

Before configuring DDR streaming for any remote data source, verify that all of the following requirements are met.

  1. Publicly Accessible URL: The webhook URL must be reachable from Microsoft Azure or Google Cloud infrastructure, depending on which data sources are configured. Accessibility from within your corporate network or via a workstation browser is not sufficient - the URL must be reachable from cloud provider datacenters.
  2. HTTPS with a Valid, Widely Trusted Certificate: The endpoint must use HTTPS, and the TLS certificate must chain to a Certificate Authority (CA) present in the default trust stores used by Microsoft and Google. Self-signed certificates and certificates issued by private or internal CAs are rejected by those providers, so events are never delivered.

    Importing a custom or internal CA certificate into Forcepoint DSPM only affects connections that DSPM itself validates; it does not make Microsoft or Google trust your webhook endpoint. The certificate presented on the public webhook URL must still be issued by a widely trusted CA.

  3. Correct DNS Resolution and Firewall Rules: The hostname in the webhook URL must resolve from public DNS to the address on which the endpoint is published. Firewall rules must permit inbound HTTPS (TCP port 443) from the relevant cloud provider IP ranges. Because firewalls filter on address and port rather than URL, path restriction is the job of the reverse proxy or WAF in front of DSPM: publish only the path prefix /scan-manager/external/webhooks/notification/ and keep every other application path blocked from the internet.

Verification Steps

Follow these steps to confirm the webhook URL is accessible and trusted before configuring streaming for any data source.

Warning: Do not test using a local browser or from within your corporate network. Browser traffic may bypass firewalls or be subject to different proxy and network policies than requests originating from Microsoft or Google cloud datacenters. A successful browser test does not confirm that cloud providers can reach the endpoint and may produce false-positive results.
  1. Test connectivity without enabling streaming (test endpoint)
    Before enabling DDR streaming for any data source, use the built-in test endpoint to verify that the webhook URL is publicly reachable and the TLS certificate is trusted. Run the following command from a server or VM located outside your corporate network - for example, a cloud VM in the same region as the data source:
    curl -v https://${HOST_DOMAIN}/scan-manager/external/webhooks/notification/test
    A successful response is an HTTP 204 No Content. This confirms the URL is reachable and that the TLS certificate chains to a CA in the trust store of the client you ran curl on, which is why the command must run from outside the corporate network: a corporate workstation may trust an internal CA that Microsoft and Google do not. The following is an example of a successful response:
    < HTTP/2 204
    < cache-control: no-cache, no-store, max-age=0, must-revalidate
    < strict-transport-security: max-age=15552000; includeSubDomains
    < x-content-type-options: nosniff
    < x-frame-options: SAMEORIGIN
    < x-xss-protection: 1; mode=block
    

    A curl: (60) SSL certificate problem error (the client could not verify the certificate chain), any HTTP status other than 204, or a connection timeout indicates a misconfiguration that must be resolved before proceeding. Do not work around a certificate error with curl -k (--insecure); the cloud providers perform the same validation and will not skip it.

  2. Test connectivity from a server-side tool or external node

    Run the following command from a server or VM that is located outside your corporate network. Do not run this from a local workstation. Replace the test path segment with an actual webhook ID once streaming is enabled:

    curl -v https://${HOST_DOMAIN}/scan-manager/external/webhooks/notification/${WEBHOOK_ID}
  3. Validate the TLS certificate

    Use an external SSL validation tool such as SSL Labs Server Test to verify all of the following:

    • The certificate is issued by a widely trusted CA.
    • The certificate chain is complete with no missing intermediates.
    • The certificate has not expired.
    • The certificate hostname matches the DDR webhook URL.
    • No deprecated protocol versions (TLS 1.0, TLS 1.1) or weak cipher suites are enabled; TLS 1.2 or later should be the only versions offered.
  4. (Optional) - Test from a node in the relevant cloud region

    For the highest confidence, provision a temporary VM in the relevant cloud region and run the curl command from Step 2 from that node. This closely simulates the actual network path that cloud provider webhooks will use to deliver events.

    • For SharePoint Online and OneDrive: use an Azure VM in the same region as your Microsoft 365 tenant.
    • For Google Drive: use a Google Cloud VM in the appropriate region.

Best Practices

Follow these recommendations to maintain a secure, reliable DDR webhook endpoint.
  • Expose only the webhook path prefix: Use a reverse proxy or Web Application Firewall (WAF) to expose only the /scan-manager/external/webhooks/notification/ path prefix publicly, including the trailing slash so that similarly named paths do not match; the built-in test endpoint lives under this prefix and stays reachable. All other application paths should remain inaccessible from the internet. This minimizes the attack surface of your deployment.
  • Monitor your TLS certificate for expiry: Set up automated alerts for TLS certificate renewal well in advance of the expiry date. An expired certificate will immediately stop event delivery from all remote data sources without warning, causing DDR streaming to fail silently.
  • Align firewall rules with cloud provider IP ranges: Where possible, restrict inbound access to the webhook path to only the published IP ranges of the relevant cloud providers (Microsoft Azure, Google Cloud) rather than permitting all inbound internet traffic. Refer to your cloud provider's documentation for the current list of IP ranges used for webhook delivery.
  • Do not manually create the webhook endpoint: The DDR webhook endpoint is autogenerated during installation. No manual configuration of the URL is required or supported.