Forcepoint ONE Bypass Lists for Firewalls and Security Software
Ensure the following domains/URLs are permitted through your firewall so that Forcepoint ONE SSE services work without interruption. Unless otherwise specified, requests are made to Forcepoint ONE cloud services over HTTPS on TCP port 443.
Forcepoint ONE login and administrative pages
Both administrators and users log in through portal.us.bitglass.net (Trial Cloud), portal.bitglass.com (Commercial Cloud), or portal.eu.bitglass.net (EU Cloud) and are then directed to various sub-sites; the domains listed below are relevant for anyone logging in to Forcepoint ONE. Only administrators need access to the Forcepoint ONE support portal.
Commercial Cloud
URL/Domain | Description |
---|---|
portal.bitglass.com | Login page |
looker.bitglass.com | Analytics page |
d35yjcem1gita5.cloudfront.net | CSS/scripts for portal.bitglass.com |
dmksmfp72wh99.cloudfront.net | CSS/scripts for portal.bitglass.com |
ajax.aspnetcdn.com | Scripts for portal.bitglass.com |
cdnjs.cloudflare.com | Scripts for portal.bitglass.com |
s3.us-west-2.amazonaws.com | Images for custom apps |
*.sso.bitglass.com | Login client cert check |
www.btglss.net | Agentless / reverse proxied app access |
cdn.walkme.com | WalkMe portal assistance |
s3.walkmeusercontent.com | WalkMe portal assistance |
ec.walkme.com | WalkMe portal assistance |
EU Cloud
URL/Domain | Description |
---|---|
portal.eu.bitglass.net | Login page |
www.eu.bitglass.net | Agentless / reverse proxied app access |
ajax.aspnetcdn.com | Scripts for portal.eu.bitglass.net |
cdnjs.cloudflare.com | Scripts for portal.eu.bitglass.net |
code.jquery.com | Scripts for portal.eu.bitglass.net |
d2v4ojxgeuzgdy.cloudfront.net | portal.eu.bitglass.net page objects |
cdn.walkme.com | WalkMe portal assistance |
playerserver.walkme.com | WalkMe portal assistance |
ec.walkme.com | WalkMe portal assistance |
s3.eu-central-1.amazonaws.com | Images for custom apps |
bitglass-prodeu-agent-artifacts.s3.amazonaws.com | AD sync agent download |
<tenant domain>.sso.eu.bitglass.net | Login client cert check |
support.forcepoint.com | Forcepoint Support portal (administrators only) |
Forcepoint Security Manager DLP to Forcepoint ONE SSE
Each of the domains below resolves to multiple IP addresses, and every one of those addresses must be included in any IP-based firewall Access Control List (ACL); prefer FQDN-based rules where your firewall supports them.
Cloud | Domain/URL |
---|---|
Trial Cloud | portal.us.bitglass.net |
Trial Cloud | proxyapi.us.bitglass.net |
Commercial Cloud | portal.bitglass.com |
Commercial Cloud | proxyapi.bitglass.com |
EU Cloud | portal.eu.bitglass.net |
EU Cloud | proxyapi.eu.bitglass.net |
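Because an IP-based ACL needs every address behind each name, the following script (an added example, not Forcepoint tooling) resolves the domains from the table above to all of their current A/AAAA records, deduplicates addresses shared between names, flags any name that fails to resolve, and prints one annotated allow line per address. The `resolver` parameter is injectable so the logic can be exercised offline; the output line format is a generic illustration, adapt it to your firewall's syntax.

```python
"""Expand Forcepoint ONE FQDNs into every address an IP-based firewall ACL needs.
Added example, not Forcepoint tooling; the output line format is a generic
illustration to adapt to your firewall's syntax."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Set, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], Iterable[str]]

# Forcepoint Security Manager DLP -> Forcepoint ONE SSE destinations, copied
# from the table above.  HTTPS on TCP 443, as the article states.
FSM_DLP_DOMAINS: Dict[str, List[str]] = {
    "Trial Cloud": ["portal.us.bitglass.net", "proxyapi.us.bitglass.net"],
    "Commercial Cloud": ["portal.bitglass.com", "proxyapi.bitglass.com"],
    "EU Cloud": ["portal.eu.bitglass.net", "proxyapi.eu.bitglass.net"],
}


def system_resolver(host: str) -> List[str]:
    """Every A and AAAA answer the OS resolver returns for host right now."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def resolve_all(domains: Iterable[str], resolver: Resolver = system_resolver) -> Dict[str, Set[IPAddr]]:
    """Map each domain to the set of addresses it resolves to.  A failed lookup
    yields an empty set instead of raising, so one dead name neither hides the
    others nor silently drops out of the report."""
    resolved: Dict[str, Set[IPAddr]] = {}
    for domain in domains:
        try:
            answers = set(resolver(domain))
        except OSError:  # socket.gaierror is an OSError subclass
            answers = set()
        resolved[domain] = {ipaddress.ip_address(a) for a in answers}
    return resolved


def unresolved(resolved: Dict[str, Set[IPAddr]]) -> List[str]:
    """Domains that returned no address; deploying without them leaves a gap."""
    return sorted(d for d, addrs in resolved.items() if not addrs)


def acl_entries(resolved: Dict[str, Set[IPAddr]], port: int = 443) -> List[str]:
    """One deduplicated line per address, IPv4 before IPv6, annotated with every
    domain that maps to it so each rule traces back to this article."""
    owners: Dict[IPAddr, Set[str]] = {}
    for domain, addrs in resolved.items():
        for ip in addrs:
            owners.setdefault(ip, set()).add(domain)
    lines = []
    for ip in sorted(owners, key=lambda a: (a.version, int(a))):
        lines.append(f"{ip} tcp/{port}  # {', '.join(sorted(owners[ip]))}")
    return lines


if __name__ == "__main__":
    for cloud, domains in FSM_DLP_DOMAINS.items():
        resolved = resolve_all(domains)
        print(f"# {cloud}")
        print("\n".join(acl_entries(resolved)))
        for domain in unresolved(resolved):
            print(f"# WARNING: {domain} did not resolve; fix DNS before deploying")
```

Run it from the host or network segment that will originate the traffic, since split-horizon or geo-aware DNS can return different answers elsewhere, and re-run it on a schedule: the address sets behind cloud front-end names change, which is why FQDN-based rules are preferable where the firewall supports them.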
ZTNA
Commercial Cloud
URL/Domain | Description |
---|---|
ZTNA OVA: | |
ztnarouter.bitglass.com | OVA management connection |
bg-prod-ova.s3.amazonaws.com | ZTNA ISO |
github.com | GitHub |
download.docker.com | Docker |
cv.bitglass.com | Agent Configuration |
HTTP ZTNA: | |
www.ztna.bitglass.com | HTTP ZTNA |
<domain>-<id>.ztna.bitglass.com | HTTP ZTNA |
TCP ZTNA (SmartEdge Agent): | |
ztnarouter.bitglass.com | ZTNA Router |
ztnahaproxy-*.bitglass.com | ZTNA Load Balancer |
EU Cloud
URL/Domain | Description |
---|---|
ZTNA OVA: | |
ztnarouter.eu.bitglass.net | OVA management connection |
ztnaserver-eu-central-1a-bank2.eu.bitglass.net | OVA data connection |
ztnaserver-eu-central-1b-bank2.eu.bitglass.net | OVA data connection |
ztnaserver-eu-central-1c-bank2.eu.bitglass.net | OVA data connection |
096923413011.dkr.ecr.us-west-2.amazonaws.com | OVA Docker container |
prod-us-west-2-starport-layer-bucket.s3.us-west-2.amazonaws.com | OVA Docker container |
prodeu-ova-repo.s3.eu-central-1.amazonaws.com | Updates |
github.com | GitHub |
download.docker.com | Docker |
HTTP ZTNA: | |
www.ztna.eu.bitglass.net | HTTP ZTNA |
<domain>-<id>.ztna.eu.bitglass.net | HTTP ZTNA |
TCP ZTNA (SmartEdge Agent): | |
ztnarouter.eu.bitglass.net | ZTNA Router |
ztnahaproxy-*.eu.bitglass.net | ZTNA Load Balancer |
Reverse Proxy
Reverse-proxied application hostnames are rewritten under the dataplane domain of your cloud; the entries below show the rewritten form of the Box login hostname in each cloud:
- For Trial Cloud - login-box-com.us.bitglass.net
- For Commercial Cloud - login-box-com.btglss.net
- For EU Cloud - login-box-com.eu.bitglass.net
Domain/URL | Description |
---|---|
<tenant domain>.us.bitglass.net | Dataplane for Trial Cloud - Proxied app traffic domain |
<tenant domain>.btglss.net | Dataplane for Commercial Cloud - Proxied app traffic domain |
<tenant domain>.eu.bitglass.net | Dataplane for EU Cloud - Proxied app traffic domain |
Admin Portal | All portal page domains listed at the beginning of this article. |
Cloud API
Cloud API communication occurs between the Forcepoint ONE Analytics/dataplane nodes and the SaaS application; it is not initiated from on-premises. No special firewall bypass entries are required beyond the portal page domains listed at the beginning of this article.
URL/Domain | Description |
---|---|
Admin Portal | All portal page domains listed at the beginning of this article. |
CSPM
CSPM communication occurs between the Forcepoint ONE Analytics/dataplane nodes and the cloud platform being assessed; it is not initiated from on-premises. No special firewall bypass entries are required beyond the portal page domains listed at the beginning of this article.
URL/Domain | Description |
---|---|
Admin Portal | All portal page domains listed at the beginning of this article. |
Discovery
Discovery involves navigating the Forcepoint ONE portal, uploading logs, or downloading an OVA that streams logs out to Forcepoint ONE.
Commercial Cloud
URL/Domain | Description |
---|---|
bg-prod-ova.s3.amazonaws.com | Discovery OVA and ISO downloads |
syslog.bitglass.com (TCP port 1999) | Syslog |
*.dkr.ecr.us-west-2.amazonaws.com | Container download |
Admin Portal | All portal page domains listed at the beginning of this article. |
EU Cloud
URL/Domain | Description |
---|---|
bg-prodeu-ova.s3.amazonaws.com | Discovery OVA and ISO downloads |
096923413011.dkr.ecr.us-west-2.amazonaws.com | OVA Docker download |
prod-us-west-2-starport-layer-bucket.s3.us-west-2.amazonaws.com | OVA Docker container |
syslog.bitglass.eu (TCP port 1999) | Syslog |
Admin Portal | All portal page domains listed at the beginning of this article. |
IAM
Depending on your deployment, you may need to allow outbound connections from the Forcepoint ONE AD Agent, or API calls that create users in the Forcepoint ONE cloud. See below for the specific sources and destinations to allow.
AD Agent
Cloud | Domain/URL |
---|---|
Commercial Cloud | cv.bitglass.com |
Commercial Cloud | dirsync.bitglass.com |
EU Cloud | cv.eu.bitglass.net |
EU Cloud | dirsync.eu.bitglass.net |
SCIM
SCIM communication occurs directly between Forcepoint ONE servers in the cloud and the application servers (Microsoft, Google, etc.) from which users are gathered; it is not affected by on-premises network firewalls.
User API
Requests to create a user via the Forcepoint ONE user API are made to resources on portal.us.bitglass.net, portal.bitglass.com, or portal.eu.bitglass.net.
MFA
Requests from a user device for Forcepoint ONE-initiated MFA are made to resources on portal.us.bitglass.net, portal.bitglass.com, or portal.eu.bitglass.net and do not require additional bypass domains. If an administrator has selected a third-party MFA provider such as Google or Duo, the domains of that provider must be allowed as well.
Log Poll API
Requests to fetch log data are made to resources at portal.us.bitglass.net, portal.bitglass.com, or portal.eu.bitglass.net.
IP API
Requests to fetch Bitglass IP lists are made to resources at portal.us.bitglass.net, portal.bitglass.com, or portal.eu.bitglass.net.
ICAP
ICAP DLP connections are initiated from the Forcepoint ONE data planes to the ICAP server defined in the admin portal, so that server must accept inbound connections from these external sources. The source addresses are listed in the Forcepoint ONE SSE datacenters and IPs article.
Remote Browser Isolation (RBI) Exclusions
Environment | Exception URL | Outbound Ports for Connection |
---|---|---|
Trial Cloud | *.rbi.poc.forcepoint.com | 30000 – 32767 |
Commercial Cloud | *.rbi.forcepoint.com | 30000 – 32767 |
EU Cloud | *.rbi.forcepoint.com | 30000 – 32767 |
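The entries in this article mix exact hostnames, wildcard labels (`*.sso.bitglass.com`, `ztnahaproxy-*.bitglass.com`), placeholders (`<tenant domain>.btglss.net`, `<domain>-<id>.ztna.bitglass.com`) and, for RBI, a port range. The script below (an added example, not Forcepoint tooling) encodes a Commercial Cloud subset of those entries, turns each into an anchored match on host and port, and triages a set of constructed firewall deny records into those that hit a documented Forcepoint ONE destination (a bypass-list gap to fix) and those that should stay blocked. Assumptions made for the example: `*` and each `<placeholder>` stand for exactly one DNS label, the conservative reading that keeps `*.rbi.forcepoint.com` from covering deeper names, and the `dst=... dport=...` deny-log format is invented.

```python
"""Match observed destinations against the Forcepoint ONE bypass list.
Added example, not Forcepoint tooling.  Wildcard semantics and the deny-log
format are assumptions made for the example (see comments)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class BypassEntry:
    pattern: str             # entry as written in the tables above
    ports: Tuple[int, int]   # inclusive TCP port range
    purpose: str


def parse_ports(spec: str = "443") -> Tuple[int, int]:
    """'443' -> (443, 443); '30000 – 32767' (hyphen or en dash) -> (30000, 32767)."""
    m = re.fullmatch(r"\s*(\d+)\s*(?:[-–]\s*(\d+))?\s*", spec)
    if not m:
        raise ValueError(f"bad port spec: {spec!r}")
    lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"port range out of order or out of range: {spec!r}")
    return lo, hi


# One DNS label: letters, digits and interior hyphens.
_LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"


def compile_pattern(pattern: str) -> "re.Pattern[str]":
    """Anchored regex for one table entry.  Assumption: '*' and '<placeholder>' each
    stand for exactly one label, so '*.sso.bitglass.com' matches
    'acme.sso.bitglass.com' but neither 'sso.bitglass.com' nor 'a.b.sso.bitglass.com',
    and 'ztnahaproxy-*.bitglass.com' only matches a first label with that prefix."""
    pattern = re.sub(r"<[^>]+>", "*", pattern.strip().lower().rstrip("."))
    labels = []
    for label in pattern.split("."):
        if label == "*":
            labels.append(_LABEL)
        else:  # literal label, possibly with a partial wildcard such as 'ztnahaproxy-*'
            labels.append(re.escape(label).replace(r"\*", "[a-z0-9-]+"))
    return re.compile(r"\A" + r"\.".join(labels) + r"\Z")


# Commercial Cloud subset of the tables above; TCP 443 unless the article says otherwise.
BYPASS_LIST: List[BypassEntry] = [
    BypassEntry("portal.bitglass.com", parse_ports(), "Login page"),
    BypassEntry("*.sso.bitglass.com", parse_ports(), "Login client cert check"),
    BypassEntry("www.btglss.net", parse_ports(), "Agentless / reverse proxied app access"),
    BypassEntry("<tenant domain>.btglss.net", parse_ports(), "Reverse proxy dataplane"),
    BypassEntry("<domain>-<id>.ztna.bitglass.com", parse_ports(), "HTTP ZTNA"),
    BypassEntry("ztnahaproxy-*.bitglass.com", parse_ports(), "ZTNA Load Balancer"),
    BypassEntry("cv.bitglass.com", parse_ports(), "AD Agent / agent configuration"),
    BypassEntry("dirsync.bitglass.com", parse_ports(), "AD Agent"),
    BypassEntry("syslog.bitglass.com", parse_ports("1999"), "Discovery syslog"),
    BypassEntry("*.rbi.forcepoint.com", parse_ports("30000 – 32767"), "RBI"),
]
_COMPILED = [(compile_pattern(e.pattern), e) for e in BYPASS_LIST]


def find_entry(host: str, port: int) -> Optional[BypassEntry]:
    """Documented entry covering host:port, or None.  Exact names win over wildcards."""
    host = host.strip().lower().rstrip(".")
    hits = [e for rx, e in _COMPILED if rx.match(host) and e.ports[0] <= port <= e.ports[1]]
    hits.sort(key=lambda e: ("*" in e.pattern or "<" in e.pattern))  # False (exact) sorts first
    return hits[0] if hits else None


# Constructed firewall deny records for the example (not real vendor log output).
SAMPLE_DENIES = """\
2024-05-01T09:00:01Z action=deny proto=tcp dst=login-box-com.btglss.net dport=443
2024-05-01T09:00:02Z action=deny proto=tcp dst=acme.sso.bitglass.com dport=443
2024-05-01T09:00:03Z action=deny proto=tcp dst=ztnahaproxy-7.bitglass.com dport=443
2024-05-01T09:00:04Z action=deny proto=tcp dst=syslog.bitglass.com dport=514
2024-05-01T09:00:05Z action=deny proto=tcp dst=sess1.rbi.forcepoint.com dport=31337
2024-05-01T09:00:06Z action=deny proto=tcp dst=ztnahaproxy-7.bitglass.com.evil.example dport=443
2024-05-01T09:00:07Z action=deny proto=tcp dst=portal.bitglass.com dport=8443
"""
_DENY_RX = re.compile(r"\bdst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def triage_denies(log_text: str) -> dict:
    """Split deny records into bypass-list gaps ('fix': host, port, purpose) and
    destinations the firewall is right to block ('keep_blocked': host, port)."""
    fix, keep = [], []
    for line in log_text.splitlines():
        m = _DENY_RX.search(line)
        if not m:
            continue
        host, port = m["dst"], int(m["dport"])
        entry = find_entry(host, port)
        if entry:
            fix.append((host, port, entry.purpose))
        else:
            keep.append((host, port))
    return {"fix": fix, "keep_blocked": keep}


if __name__ == "__main__":
    result = triage_denies(SAMPLE_DENIES)
    for host, port, purpose in result["fix"]:
        print(f"ALLOW  {host}:{port}  ({purpose})")
    for host, port in result["keep_blocked"]:
        print(f"KEEP BLOCKED  {host}:{port}")
```

The single-label reading of `*` is deliberate: opening `*.rbi.forcepoint.com` on 30000-32767 to any depth, or letting `ztnahaproxy-*` match across dots, would admit hostnames this article never lists. Widen a pattern only when you have observed a legitimate name it fails to cover, and keep the port bound with the host: `syslog.bitglass.com` is documented on TCP 1999 only, so a deny on port 514 is correct behaviour, not a gap.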