Allowing domains for SmartEdge Agents

The SmartEdge agent downloads the configuration and then proxies all user traffic. Reputation and web/app category are looked up for the URL, then an appropriate web browsing policy is applied to the traffic.

Traffic can be blocked, proxied to Forcepoint ONE SSE cloud servers for DLP, or allowed to go direct to the end application server. Aside from the portal page, the below domains, file paths, and registry entries need to be allowed for the Security tool and Antivirus exclusions.

To ensure the smooth operation of the SmartEdge agent and prevent potential issues like blue screen errors, it is essential to configure exclusions for Antivirus and other security tools along with the domains and IPs mentioned below.

Note: Unless explicitly specified, most requests are made to Forcepoint ONE Cloud Services via HTTPS on port 443.

Mac OS Exclusions

Table 1. File Paths
File Paths	Description
/Applications/Bitglass/	Program Location
/tmp/bgtray-<username>.log	Logging
/Library/Logs/Bitglass/	Logging
/Library/Preferences/Bitglass/	Control plane Configurations
/Library/Application Support/Bitglass/	Dataplane Configurations
/Library/LaunchDaemons/com.bitglass.smartedgeagent.plist	Bitglass Control plane Service
/Library/LaunchDaemons/com.bitglass.seproxy.plist	Bitglass Dataplane Service
/Library/LaunchDaemons/com.bitglass.sedns.plist	Bitglass DNS Service
/Library/LaunchDaemons/com.bitglass.smartedge.autoinstaller.plist	Bitglass Auto installer Service
/Library/Keychains/seproxy.keychain	Bitglass CA installation

Table 2. Processes
Processes	Description
/Applications/Bitglass/SmartEdge Agent.app/Contents/MacOS/bgptray	Tray Icon
/Applications/Bitglass/SmartEdge Agent.app/Contents/MacOS/bgpagent	ControlPlane
/Applications/Bitglass/seproxy.app/Contents/MacOS/seproxy	DataPlane
/Applications/Bitglass/sedns.app/Contents/MacOS/sedns	DNS Server

Windows OS Exclusions

Table 3. File Paths
File Paths	Description
C:\Program Files\Bitglass	Logs and Program
C:\ProgramData\Bitglass	Logs
C:\Users\<Username>\AppData\Local\Temp\	Tech Support data path
C:\Windows\System32\drivers\PacketFilterDriver.sys	packetfilter Driver for ZTNA
C:\Windows\system32\DRIVERS\bgprotect.sys	Filter driver for uninstallation monitoring
Access to the current user Trusted Root CA Store	Bitglass CA installation

Table 4. Processes
Processes	Description
bgptray.exe	Tray icon
bgpagent.exe	Controlplane
seproxysvc.exe	Dataplane
dnsserver.exe	DNS Server
autoinstallersvc.exe	Autoinstaller

Table 5. Registry Paths
Registry Paths
HKLM\SOFTWARE\BitGlass
HKLM\SOFTWARE\Microsoft\Cryptography\Services\bitglass_seproxy\SystemCertificates\MY\Certificates
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKLM\SYSTEM\ControlSet001\Services\bgprotect
HKLM\SYSTEM\ControlSet001\Services\bgSmartEdge
HKLM\SYSTEM\ControlSet001\Services\bitglass_seproxy
HKEY_CURRENT_USER\Software\Bitglass\SEProxy

Outbound IP Exclusions

Table 6. Trial Cloud
URL/Domain	Description
cv.us.bitglass.net	Agent configuration
cvr.us.bitglass.net	Agent configuration
icap-service.btglss.net	Agent Download DLP
saseagent.bgsecure.net	Agent Dataplane Traffic
bitglass-prod-agent-artifacts.s3.amazonaws.com	Agent auto update
d3loxeqnrcs4xe.cloudfront.net	Agent PAC file
direct.smartedgehealth.com, d1r2dt8m1uujih.cloudfront.net	Health check port 80 and 443
proxy.smartedgehealth.com, d1r2dt8m1uujih.cloudfront.net	Health check port 80 and 443
a1bettfbvtfzb-ats.iot.us-east-1.amazonaws.com	Agent Notifications
a1bettfbvtfzb-ats.iot.eu-west-2.amazonaws.com	Agent Notifications
swgpolicy.apigateway.bitglass.com, d1lrg2q2l2g9t3.cloudfront.net	Agent Configurations
profile.bitglass.com	Profile Agent configuration
kinesis.us-west-2.amazonaws.com	Agent Logs uploading to Kinesis for both Trial Cloud and Commercial Cloud.
*	Generally, any site allowed direct access

Table 7. Commercial Cloud
URL/Domain	Description
cv.bitglass.com	Agent configuration
cvr.bitglass.com	Agent configuration
icap-service.btglss.net	Agent Download DLP
saseagent.bgsecure.net	Agent Dataplane Traffic
bitglass-prod-agent-artifacts.s3.amazonaws.com	Agent auto-update
d3loxeqnrcs4xe.cloudfront.net	Agent PAC file
direct.smartedgehealth.com, d1r2dt8m1uujih.cloudfront.net	Health check port 80 and 443
proxy.smartedgehealth.com, d1r2dt8m1uujih.cloudfront.net	Health check port 80 and 443
a2j7y6458wz48c-ats.iot.us-east-1.amazonaws.com	Agent Notifications
a2j7y6458wz48c-ats.iot.us-east-2.amazonaws.com	Agent Notifications
a2j7y6458wz48c-ats.iot.us-west-2.amazonaws.com	Agent Notifications
a2j7y6458wz48c-ats.iot.ap-southeast-1.amazonaws.com	Agent Notifications
a2j7y6458wz48c-ats.iot.ap-southeast-2.amazonaws.com	Agent Notifications
a2j7y6458wz48c-ats.iot.eu-west-2.amazonaws.com	Agent Notifications
a2j7y6458wz48c-ats.iot.eu-central-1.amazonaws.com	Agent Notifications
swgpolicy.apigateway.bitglass.com, d1lrg2q2l2g9t3.cloudfront.net	Agent Configurations
profile.bitglass.com	Profile Agent configuration
kinesis.us-west-2.amazonaws.com	Agent Logs uploading to Kinesis for both Trial Cloud and Commercial Cloud.
*	Generally, any site allowed direct access

Table 8. EU Cloud
URL/Domain	Description
bitglass-prodeu-agent-artifacts.s3.amazonaws.com	Agent auto update
d1l23iwzt3tksu.cloudfront.net	Agent PAC file
cv.eu.bitglass.net	Agent Configuration (Policy and API calls)
proxy.smartedgehealth.com direct.smartedgehealth.com	Agent Health check On Port 80 and 443
d2pbup0tl6y1pd.cloudfront.net	Web Reputation Lookup
saseagent.secure.eu.bitglass.net	Agent Dataplane Traffic
<tenantdomain>-prodeu.rbi.forcepoint.net <cluster name>.rbi.forcepoint.net	RBI On Ports 30000–32767
kinesis.eu-central-1.amazonaws.com	Agent Logs uploading to Kinesis
icap-service.eu.bitglass.net	Agent Download DLP
aowd3xchomdxc-ats.iot.eu-central-1.amazonaws.com	Agent IOT Notifications
smartedge-agent-svcs-apigw.eu.bitglass.net	Explicit Proxy - Proxy Chain API
*	Generally, any site allowed direct access