Allowing domains for SmartEdge Agents
The SmartEdge agent downloads the configuration and then proxies all user traffic. Reputation and web/app category are looked up for the URL, then an appropriate web browsing policy is applied to the traffic.
Traffic can be blocked, proxied to Forcepoint ONE SSE cloud servers for DLP, or allowed to go direct to the end application server. Aside from the portal page, the domains, file paths, and registry entries listed below must be added to the exclusions of your antivirus and other security tools.
To ensure the smooth operation of the SmartEdge agent and prevent potential issues like blue screen errors, it is essential to configure exclusions for Antivirus and other security tools along with the domains and IPs mentioned below.
Mac OS Exclusions
File Paths | Description |
---|---|
/Applications/Bitglass/ | Program Location |
/tmp/bgtray-<username>.log | Logging |
/Library/Logs/Bitglass/ | Logging |
/Library/Preferences/Bitglass/ | Control plane Configurations |
/Library/Application Support/Bitglass/ | Dataplane Configurations |
/Library/LaunchDaemons/com.bitglass.smartedgeagent.plist | Bitglass Control plane Service |
/Library/LaunchDaemons/com.bitglass.seproxy.plist | Bitglass Dataplane Service |
/Library/LaunchDaemons/com.bitglass.sedns.plist | Bitglass DNS Service |
/Library/LaunchDaemons/com.bitglass.smartedge.autoinstaller.plist | Bitglass Auto installer Service |
/Library/Keychains/seproxy.keychain | Bitglass CA installation |
Processes | Description |
---|---|
/Applications/Bitglass/SmartEdge Agent.app/Contents/MacOS/bgptray | Tray Icon |
/Applications/Bitglass/SmartEdge Agent.app/Contents/MacOS/bgpagent | ControlPlane |
/Applications/Bitglass/seproxy.app/Contents/MacOS/seproxy | DataPlane |
/Applications/Bitglass/sedns.app/Contents/MacOS/sedns | DNS Server |
Windows OS Exclusions
File Paths | Description |
---|---|
C:\Program Files\Bitglass | Logs and Program |
C:\ProgramData\Bitglass | Logs |
C:\Users\<Username>\AppData\Local\Temp\ | Tech Support data path |
C:\Windows\System32\drivers\PacketFilterDriver.sys | packetfilter Driver for ZTNA |
C:\Windows\system32\DRIVERS\bgprotect.sys | Filter driver for uninstallation monitoring |
Access to the current user Trusted Root CA Store | Bitglass CA installation |
Processes | Description |
---|---|
bgptray.exe | Tray icon |
bgpagent.exe | Controlplane |
seproxysvc.exe | Dataplane |
dnsserver.exe | DNS Server |
autoinstallersvc.exe | Autoinstaller |
Registry Paths |
---|
HKLM\SOFTWARE\BitGlass |
HKLM\SOFTWARE\Microsoft\Cryptography\Services\bitglass_seproxy\SystemCertificates\MY\Certificates |
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
HKLM\SYSTEM\ControlSet001\Services\bgprotect |
HKLM\SYSTEM\ControlSet001\Services\bgSmartEdge |
HKLM\SYSTEM\ControlSet001\Services\bitglass_seproxy |
HKEY_CURRENT_USER\Software\Bitglass\SEProxy |
Outbound IP Exclusions
URL/Domain | Description |
---|---|
cv.us.bitglass.net | Agent configuration |
cvr.us.bitglass.net | Agent configuration |
icap-service.btglss.net | Agent Download DLP |
saseagent.bgsecure.net | Agent Dataplane Traffic |
bitglass-prod-agent-artifacts.s3.amazonaws.com | Agent auto update |
d3loxeqnrcs4xe.cloudfront.net | Agent PAC file |
direct.smartedgehealth.com, d1r2dt8m1uujih.cloudfront.net | Health check port 80 and 443 |
proxy.smartedgehealth.com, d1r2dt8m1uujih.cloudfront.net | Health check port 80 and 443 |
a1bettfbvtfzb-ats.iot.us-east-1.amazonaws.com | Agent Notifications |
a1bettfbvtfzb-ats.iot.eu-west-2.amazonaws.com | Agent Notifications |
swgpolicy.apigateway.bitglass.com, d1lrg2q2l2g9t3.cloudfront.net | Agent Configurations |
profile.bitglass.com | Profile Agent configuration |
kinesis.us-west-2.amazonaws.com | Agent Logs uploading to Kinesis for both Trial Cloud and Commercial Cloud. |
* | Generally, any site allowed direct access |
URL/Domain | Description |
---|---|
cv.bitglass.com | Agent configuration |
cvr.bitglass.com | Agent configuration |
icap-service.btglss.net | Agent Download DLP |
saseagent.bgsecure.net | Agent Dataplane Traffic |
bitglass-prod-agent-artifacts.s3.amazonaws.com | Agent auto-update |
d3loxeqnrcs4xe.cloudfront.net | Agent PAC file |
direct.smartedgehealth.com, d1r2dt8m1uujih.cloudfront.net | Health check port 80 and 443 |
proxy.smartedgehealth.com, d1r2dt8m1uujih.cloudfront.net | Health check port 80 and 443 |
a2j7y6458wz48c-ats.iot.us-east-1.amazonaws.com | Agent Notifications |
a2j7y6458wz48c-ats.iot.us-east-2.amazonaws.com | Agent Notifications |
a2j7y6458wz48c-ats.iot.us-west-2.amazonaws.com | Agent Notifications |
a2j7y6458wz48c-ats.iot.ap-southeast-1.amazonaws.com | Agent Notifications |
a2j7y6458wz48c-ats.iot.ap-southeast-2.amazonaws.com | Agent Notifications |
a2j7y6458wz48c-ats.iot.eu-west-2.amazonaws.com | Agent Notifications |
a2j7y6458wz48c-ats.iot.eu-central-1.amazonaws.com | Agent Notifications |
swgpolicy.apigateway.bitglass.com, d1lrg2q2l2g9t3.cloudfront.net | Agent Configurations |
profile.bitglass.com | Profile Agent configuration |
kinesis.us-west-2.amazonaws.com | Agent Logs uploading to Kinesis for both Trial Cloud and Commercial Cloud. |
* | Generally, any site allowed direct access |
URL/Domain | Description |
---|---|
bitglass-prodeu-agent-artifacts.s3.amazonaws.com | Agent auto update |
d1l23iwzt3tksu.cloudfront.net | Agent PAC file |
cv.eu.bitglass.net | Agent Configuration (Policy and API calls) |
proxy.smartedgehealth.com, direct.smartedgehealth.com | Agent Health check On Port 80 and 443 |
d2pbup0tl6y1pd.cloudfront.net | Web Reputation Lookup |
saseagent.secure.eu.bitglass.net | Agent Dataplane Traffic |
<tenantdomain>-prodeu.rbi.forcepoint.net, <cluster name>.rbi.forcepoint.net | RBI On Ports 30000–32767 |
kinesis.eu-central-1.amazonaws.com | Agent Logs uploading to Kinesis |
icap-service.eu.bitglass.net | Agent Download DLP |
aowd3xchomdxc-ats.iot.eu-central-1.amazonaws.com | Agent IOT Notifications |
smartedge-agent-svcs-apigw.eu.bitglass.net | Explicit Proxy - Proxy Chain API |
* | Generally, any site allowed direct access |
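One way to check that an egress firewall or proxy allowlist covers the domains in these tables, as an added example that is not Forcepoint's own code. The rows are a subset of the EU table above; the allowlist is a constructed sample, and the function names (`parse_rows`, `covered`, `audit`) are hypothetical.

```python
# Added example: audit an egress allowlist against the page's domain table.
# Rows taken from the EU table on this page (a subset).
REQUIRED_ROWS = """\
cv.eu.bitglass.net | Agent Configuration (Policy and API calls) |
proxy.smartedgehealth.com, direct.smartedgehealth.com | Agent Health check On Port 80 and 443 |
saseagent.secure.eu.bitglass.net | Agent Dataplane Traffic |
<tenantdomain>-prodeu.rbi.forcepoint.net | RBI On Ports 30000–32767 |
icap-service.eu.bitglass.net | Agent Download DLP |
* | Generally, any site allowed direct access |
"""

# Constructed sample of a firewall/proxy allowlist export (assumption).
ALLOWLIST = ["*.bitglass.net", "direct.smartedgehealth.com", "smartedgehealth.com"]


def parse_rows(text):
    """Yield each host from the first cell of a 'URL/Domain | Description |' row."""
    for line in text.splitlines():
        first_cell = line.split("|")[0]
        for host in first_cell.split(","):
            host = host.strip().lower().rstrip(".")
            if host:
                yield host


def covered(host, allowlist):
    """True if an exact entry or a label-aligned '*.suffix' entry matches host."""
    for entry in allowlist:
        entry = entry.strip().lower().rstrip(".")
        if entry.startswith("*."):
            if host.endswith(entry[1:]):  # "*.a.b" matches "x.a.b", not "xa.b" or "a.b"
                return True
        elif host == entry:
            return True
    return False


def audit(rows_text, allowlist):
    """Sort required hosts into covered, missing, and tenant-specific placeholders."""
    result = {"covered": [], "missing": [], "placeholder": []}
    for host in parse_rows(rows_text):
        if host == "*":            # "any direct site" row is policy, not an FQDN
            continue
        if "<" in host:            # e.g. <tenantdomain>: needs the tenant's real value
            result["placeholder"].append(host)
        elif covered(host, allowlist):
            result["covered"].append(host)
        else:
            result["missing"].append(host)
    return result


if __name__ == "__main__":
    for status, hosts in audit(REQUIRED_ROWS, ALLOWLIST).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

With the sample allowlist, `proxy.smartedgehealth.com` is reported as missing because the apex entry `smartedgehealth.com` is an exact match only and does not cover subdomains.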