Prerequisites

Prerequisites for installing the agent.

Note: Before installing the agent, ensure your AV/EDR policies allow the installer and agent runtime to run and create outbound connections. The agent connects to AWS Cloud Services using mutual TLS (mTLS); TLS inspection or certificate substitution must be disabled. The AWS IoT connection uses MQTT over WebSockets (WSS) on TCP 443, so WebSocket traffic must be allowed and not intercepted.

Anti-Virus Software

Some antivirus software may flag the agent. If you install the agent alongside other third-party security tools, consider adding the following executables and exclusions to the allow list of your antivirus software to avoid conflicts between the products.

Note: In all cases ensure that:
  • The specified file or folder is bypassed from all scans.
  • Any child processes are included when specifying an .exe file.

For Windows

Filename Folder
Dserui.exe %programfiles%\Forcepoint\Forcepoint Agent\
ProxyUI.exe %programfiles%\Forcepoint\Forcepoint Agent\
remediate.exe %programfiles%\Forcepoint\Forcepoint Agent\
TSUI.exe %programfiles%\Forcepoint\Forcepoint Agent\
WDEUtil.exe %programfiles%\Forcepoint\Forcepoint Agent\
WEPDiag.exe %programfiles%\Forcepoint\Forcepoint Agent\
wepsvc.exe %programfiles%\Forcepoint\Forcepoint Agent\
Clientinfo.exe %programfiles%\Forcepoint\Forcepoint Agent\tools\
EndPointClassifier.exe %programfiles%\Forcepoint\Forcepoint Agent\CPS\
PAEXT.EXE %programfiles%\Forcepoint\Forcepoint Agent\CPS\
PaisOOP.exe %programfiles%\Forcepoint\Forcepoint Agent\CPS\
extract_kvoop.exe %programfiles%\Forcepoint\Forcepoint Agent\CPS\FilterSDK\
filter.exe %programfiles%\Forcepoint\Forcepoint Agent\CPS\FilterSDK\
filter_kvoop.exe %programfiles%\Forcepoint\Forcepoint Agent\CPS\FilterSDK\
kvoop.exe %programfiles%\Forcepoint\Forcepoint Agent\CPS\FilterSDK\
tstxtract.exe %programfiles%\Forcepoint\Forcepoint Agent\CPS\FilterSDK\
qip.sys %systemroot%\system32\drivers\
nep.sys %systemroot%\system32\drivers\
wfpredir.sys %systemroot%\system32\drivers\
wsnetflt.sys %systemroot%\system32\drivers\
wsomflt.sys %systemroot%\system32\drivers\

In addition to the above files, Forcepoint recommends that the following file folders are also bypassed:

Folder
%programfiles%\Forcepoint\Forcepoint Agent\
%programdata%\Forcepoint\

The log locations should be added to the scanning exclusions of any antivirus or third-party monitoring software. The log locations are:
  • Collecting logs: %programfiles%\Forcepoint\Forcepoint Agent\tools\Clientinfo.exe
  • Installation logs: %temp%\Forcepoint_Agent_xx.xx.xx_xxx

Bypasses for Security Filtering and/or Firewalls

The agent communicates with Amazon Web Services (AWS) Cloud Services using mutual TLS (mTLS) for secure, end-to-end authentication and encryption. TLS/SSL inspection, interception, or certificate validation by intermediary security tools must be completely disabled for these connections.

The agent must perform its own validation of the original AWS server certificates. Any re-signing, substitution, or modification of the certificate chain — including validation or termination by a proxy or inspection device — will prevent the agent from connecting.

In addition, the connection to AWS IoT uses MQTT over WebSockets (WSS) on TCP port 443, therefore WebSocket communication must be permitted through firewalls and proxies. Blocking WebSocket upgrades or performing TLS termination will prevent the agent from establishing communication.

Ensure that the agent can connect to the following URLs for your tenant region. To find the tenant region, go to Forcepoint Agent > user icon > Tenant information > Region.

Note: If the endpoint must communicate through a proxy, add the proxy settings for your profile via General > Endpoint connectivity to Forcepoint Data Security Cloud > Add proxy in Endpoint management. The proxy setting must be added before downloading the agent installation package so that the package contains the updated configuration.
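One way to check, from an endpoint on the target network, whether TLS inspection is still being applied to these hosts. This is an added example, not Forcepoint tooling: it completes a TLS handshake with two hosts from Table 1 and reports which CA issued the certificate the endpoint actually received. The expected issuer names are assumptions, the function names are illustrative, and the script assumes a direct or transparent path (no explicit proxy); it does not test the WebSocket upgrade.

```python
import socket
import ssl

# Assumption: issuer organisations seen when nothing re-signs the chain, inferred
# from the revocation hosts this page lists (amazontrust.com, sectigo.com).
EXPECTED_ISSUER_ORGS = {"Amazon", "Sectigo Limited"}

# Two hosts copied from Table 1 (us-east-1); use your tenant region's rows.
ENDPOINTS = [
    ("register-device.prd01.us-east-1.dup.forcepoint.io", 443),
    ("a8wj55vrq7x0p-ats.iot.us-east-1.amazonaws.com", 443),
]

# Constructed sample: issuer field as getpeercert() returns it behind a
# hypothetical inspecting proxy.
SAMPLE_PROXY_CERT = {"issuer": ((("organizationName", "Example Corp Inspection CA"),),)}


def issuer_org(cert):
    """Return the issuer organizationName from a getpeercert() dict, or None."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def classify(cert):
    """'direct' when an expected public CA issued the leaf, else 'intercepted'."""
    return "direct" if issuer_org(cert) in EXPECTED_ISSUER_ORGS else "intercepted"


def probe(host, port, timeout=5.0):
    """Complete a TLS handshake and report who issued the certificate presented."""
    ctx = ssl.create_default_context()  # validates against the default trust store
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return ("untrusted-chain", exc.verify_message)  # validation failed on this host
    except OSError as exc:
        return ("connect-failed", str(exc))  # blocked, reset or timed out
    return (classify(cert), issuer_org(cert))


if __name__ == "__main__":
    print("sample:", classify(SAMPLE_PROXY_CERT))
    for host, port in ENDPOINTS:
        print(host, port, *probe(host, port))
```

An `intercepted` or `untrusted-chain` result for a host means an intermediary is presenting its own certificate there, which is the condition this section says prevents the agent from connecting. Confirm the expected issuer names from a network known to be free of inspection before relying on the result.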

List of Regions

Table 1. United States: us-east-1
Endpoint TCP Port Description
register-device.prd01.us-east-1.dup.forcepoint.io 443 Endpoint registration with the cloud back end
c1c2sj3lm55h1g.credentials.iot.us-east-1.amazonaws.com 443 AWS IoT credentials provider endpoint. Used to obtain temporary AWS credentials
a8wj55vrq7x0p-ats.iot.us-east-1.amazonaws.com 443 AWS IoT Core message endpoint (data-plane). It handles all real-time communication between the agent and the Cloud back end, such as publishing telemetry, receiving policy and publishing Alerts.

store-forensic.prd01.us-east-1.dup.forcepoint.io 443 Used to upload forensic data.
tenants-t01-prd01-d5ejd7inrqqqspw4t89bsfnhqj684use1a-s3alias.s3.us-east-1.amazonaws.com 443 Used to upload or retrieve tenant-specific data such as policy documents or endpoint profiles.
crl.sca1b.amazontrust.com/sca1b.crl 443 Certificate revocation checking
crl.rootca1.amazontrust.com/rootca1.crl 443
ocsp.sca1b.amazontrust.com 443
ocsp.rootca1.amazontrust.com 443
ocsp.comodoca.com 80
crt.sectigo.com 80

Table 2. Germany: eu-central-1
Endpoint TCP Port Description
register-device.prd01.eu-central-1.dup.forcepoint.io 443 Endpoint registration with the cloud back end
c1c2sj3lm55h1g.credentials.iot.eu-central-1.amazonaws.com 443 AWS IoT credentials provider endpoint. Used to obtain temporary AWS credentials
a8wj55vrq7x0p-ats.iot.us-east-1.amazonaws.com 443 AWS IoT Core message endpoint (data-plane). It handles all real-time communication between the agent and the Cloud back end, such as publishing telemetry, receiving policy and publishing Alerts.

store-forensic.prd01.eu-central-1.dup.forcepoint.io 443 Used to upload forensic data.
tenants-t01-prd01-m5g5n75bpb8yrofozxzdbyrxko47seuc1a-s3alias.s3.eu-central-1.amazonaws.com 443 Used to upload or retrieve tenant-specific data such as policy documents or endpoint profiles.
crl.sca1b.amazontrust.com/sca1b.crl 443 Certificate revocation checking
crl.rootca1.amazontrust.com/rootca1.crl 443
ocsp.sca1b.amazontrust.com 443
ocsp.rootca1.amazontrust.com 443
ocsp.comodoca.com 80
crt.sectigo.com 80

Table 3. India: ap-south-1
Endpoint TCP Port Description
register-device.prd01.apsouth-1.dup.forcepoint.io 443 Endpoint registration with the cloud back end
c1c2sj3lm55h1g.credentials.iot.apsouth-1.amazonaws.com/ 443 AWS IoT credentials provider endpoint. Used to obtain temporary AWS credentials
a8wj55vrq7x0p-ats.iot.apsouth-1.amazonaws.com 443 AWS IoT Core message endpoint (data-plane). It handles all real-time communication between the agent and the Cloud back end, such as publishing telemetry, receiving policy and publishing Alerts.

store-forensic.prd01.apsouth-1.dup.forcepoint.io 443 Used to upload forensic data.
tenants-t01-prd01-664qkd1b8n55mhrhqhreemkqpm14eaps3a-s3alias.s3.apsouth-1.amazonaws.com 443 Used to upload or retrieve tenant-specific data such as policy documents or endpoint profiles.
crl.sca1b.amazontrust.com/sca1b.crl 443 Certificate revocation checking
ocsp.sca1b.amazontrust.com 443
ocsp.rootca1.amazontrust.com 443
ocsp.comodoca.com 80
crt.sectigo.com 80

Table 4. Singapore: ap-southeast-1
Endpoint TCP Port Description
register-device.prd01.apsoutheast-1.dup.forcepoint.io 443 Endpoint registration with the cloud back end
c1c2sj3lm55h1g.credentials.iot.apsoutheast-1.amazonaws.com 443 AWS IoT credentials provider endpoint. Used to obtain temporary AWS credentials
a8wj55vrq7x0p-ats.iot.apsoutheast-1.amazonaws.com 443 AWS IoT Core message endpoint (data-plane). It handles all real-time communication between the agent and the Cloud back end, such as publishing telemetry, receiving policy and publishing Alerts.

store-forensic.prd01.apsoutheast-1.dup.forcepoint.io 443 Used to upload forensic data.
tenants-t01-prd01-wkkfydbjxcnutg4saeg6akejid7kgaps1a-s3alias.s3.apsoutheast-1.amazonaws.com 443 Used to upload or retrieve tenant-specific data such as policy documents or endpoint profiles.
crl.sca1b.amazontrust.com/sca1b.crl 443 Certificate revocation checking
crl.rootca1.amazontrust.com/rootca1.crl 443
ocsp.sca1b.amazontrust.com 443
ocsp.rootca1.amazontrust.com 443
ocsp.comodoca.com 80
crt.sectigo.com 80

Table 5. United Arab Emirates: me-central-1
Endpoint TCP Port Description
register-device.prd01.me-central-1.dup.forcepoint.io/ 443 Endpoint registration with the cloud back end
c1c2sj3lm55h1g.credentials.iot.me-central-1.amazonaws.com/ 443 AWS IoT credentials provider endpoint. Used to obtain temporary AWS credentials
a8wj55vrq7x0p-ats.iot.me-central-1.amazonaws.com 443 AWS IoT Core message endpoint (data-plane). It handles all real-time communication between the agent and the Cloud back end, such as publishing telemetry, receiving policy and publishing Alerts.

store-forensic.prd01.me-central-1.dup.forcepoint.io 443 Used to upload forensic data.
tenants-t01-prd01-gnp76d8n3cprksbstaq5wr6ddyxermec1a-s3alias.s3.me-central-1.amazonaws.com 443 Used to upload or retrieve tenant-specific data such as policy documents or endpoint profiles.
crl.sca1b.amazontrust.com/sca1b.crl 443 Certificate revocation checking
crl.rootca1.amazontrust.com/rootca1.crl 443
ocsp.sca1b.amazontrust.com 443
ocsp.rootca1.amazontrust.com 443
ocsp.comodoca.com 80
crt.sectigo.com 80