Configuring your firewall to connect to the cloud service

In order for the cloud service to manage web traffic from your network, your firewall must allow TCP connections outbound to Forcepoint data centers on specific ports. The table below details the ports that may be used, depending on your configuration.

Port Required for
8081 Web browsing when using standard PAC file addresses.
8082 (default) Retrieving cloud service PAC files (standard PAC file address).
8087 (default) Retrieving cloud service PAC file over HTTPS (standard PAC file address).
8006 End user single sign-on authentication. See Configure End User Single Sign-On settings.
8089 Secure form authentication. See Access Control tab.
80
  • Retrieving cloud service PAC files via the alternate PAC file address.
  • Web browsing when using the alternate PAC file address.
443
  • Retrieving cloud service PAC files securely via the alternate HTTPS PAC file address.
  • Secure web browsing when using the alternate HTTPS PAC file address.
Tip: To guarantee availability, Forcepoint ONE Web Security uses global load balancing to direct traffic across multiple geographic locations. In the event of localized connectivity issues, data center load balancing automatically routes requests to the next closest location. To make the most of the resilience offered by this infrastructure, users must be allowed to connect to the entire cloud network.

For details of the IP address ranges in use by cloud service data centers, see the article Cloud service IP addresses and port numbers in the Forcepoint Knowledge Base.

In addition to the above, ports 80 and 443 can be used by:

  • Block and notification page components, including stylesheets and images, served from a separate website used by the cloud infrastructure (not directly through the cloud proxy).
  • Non-proxied destinations. Traffic to IP addresses and domains configured using the Proxy Bypass setting is routed directly to the origin server. Browsers will connect directly via port 80 (or 443 for HTTPS).
  • The roaming home page. Although this service is principally for remote users, you may choose to configure all browsers to use this as their home page. This page is always unproxied when using cloud service PAC files.
  • The proxy query page. Users can access a query page to find out whether their browser settings are correct for accessing the proxy.
Note: Remote users should use the alternate PAC file addresses (using port 80 or 443) if requesting access from networks that may have port 8081, 8082, or 8087 locked down.
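The following added example (not Forcepoint code) audits a list of outbound TCP allow rules against the port table and the tip above: every port needed for the features in use must be allowed to the whole of every data center range, not just part of it. The feature group names, the rule format, and the sample rules are assumptions, and the address ranges are constructed placeholders rather than real cloud service addresses.

```python
import ipaddress

# Ports from the table above, grouped by feature (group names are made up here).
REQUIRED_PORTS = {
    "standard_pac": {8081, 8082, 8087},
    "alternate_pac": {80, 443},
    "sso": {8006},
    "secure_form_auth": {8089},
}

# Constructed placeholders (RFC 5737 documentation ranges), not real data center
# addresses; take the real ranges from the Knowledge Base article.
DATA_CENTER_RANGES = ["192.0.2.0/24", "198.51.100.0/24"]

# Constructed outbound TCP allow rules: destination CIDR plus a port list.
SAMPLE_RULES = [
    {"dst": "192.0.2.0/24", "ports": "8081-8082,8087"},
    {"dst": "198.51.100.0/25", "ports": "8081-8082,8087"},
    {"dst": "198.51.100.128/25", "ports": "8081-8082"},
    {"dst": "0.0.0.0/0", "ports": "80,443"},
]

def parse_ports(spec):
    """Turn a port list such as '80,443,8081-8089' into a set of integers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(rules, features, ranges=DATA_CENTER_RANGES):
    """Return (port, range) pairs that no outbound allow rule fully covers."""
    needed = sorted(set().union(*(REQUIRED_PORTS[f] for f in features)))
    gaps = []
    for cidr in ranges:
        target = ipaddress.ip_network(cidr)
        for port in needed:
            # Rules may split a range; collapsing merges adjacent blocks first.
            allowed = ipaddress.collapse_addresses(
                ipaddress.ip_network(r["dst"]) for r in rules
                if port in parse_ports(r["ports"]))
            if not any(target.subnet_of(net) for net in allowed):
                gaps.append((port, cidr))
    return gaps

if __name__ == "__main__":
    for port, cidr in audit(SAMPLE_RULES, ["standard_pac", "sso"]):
        print(f"no outbound TCP allow rule for port {port} to all of {cidr}")
```

With the sample rules, port 8087 is reported for the second range because only half of it is allowed, which is the partial-coverage case the tip warns against.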