Allowing domains for SmartEdge Agents

The SmartEdge agent downloads the configuration and then proxies all user traffic. Reputation and web/app category are looked up for the URL, then an appropriate web browsing policy is applied to the traffic.

Traffic can be blocked, proxied to Forcepoint ONE SSE cloud servers for DLP, or allowed to go direct to the end application server. In addition to the portal page, the domains, file paths, and registry entries listed below must be allowed in security tools and added to antivirus exclusions.

To ensure the smooth operation of the SmartEdge agent and prevent potential issues like blue screen errors, it is essential to configure exclusions for Antivirus and other security tools along with the domains and IPs mentioned below.

Note: Unless explicitly specified, most requests are made to Forcepoint ONE Cloud Services via HTTPS on port 443.

Mac OS Exclusions

Table 1. File Paths
File Paths Description
/Applications/Bitglass/ Program Location
/tmp/bgtray-<username>.log Logging
/Library/Logs/Bitglass/ Logging
/Library/Preferences/Bitglass/ Control plane Configurations
/Library/Application Support/Bitglass/ Dataplane Configurations
/Library/LaunchDaemons/com.bitglass.smartedgeagent.plist Bitglass Control plane Service
/Library/LaunchDaemons/com.bitglass.seproxy.plist Bitglass Dataplane Service
/Library/LaunchDaemons/com.bitglass.sedns.plist Bitglass DNS Service
/Library/LaunchDaemons/com.bitglass.smartedge.autoinstaller.plist Bitglass Auto installer Service
/Library/Keychains/seproxy.keychain Bitglass CA installation

Table 2. Processes
Processes Description
/Applications/Bitglass/SmartEdge Agent.app/Contents/MacOS/bgptray Tray Icon
/Applications/Bitglass/SmartEdge Agent.app/Contents/MacOS/bgpagent ControlPlane
/Applications/Bitglass/seproxy.app/Contents/MacOS/seproxy DataPlane
/Applications/Bitglass/sedns.app/Contents/MacOS/sedns DNS Server

Windows OS Exclusions

Table 3. File Paths
File Paths Description
C:\Program Files\Bitglass Logs and Program
C:\ProgramData\Bitglass Logs
C:\Users\<Username>\AppData\Local\Temp\ Tech Support data path
C:\Windows\System32\drivers\PacketFilterDriver.sys packetfilter Driver for ZTNA
C:\Windows\system32\DRIVERS\bgprotect.sys Filter driver for uninstallation monitoring
Access to the current user Trusted Root CA Store Bitglass CA installation

Table 4. Processes
Processes Description
bgptray.exe Tray icon
bgpagent.exe Controlplane
seproxysvc.exe Dataplane
dnsserver.exe DNS Server
autoinstallersvc.exe Autoinstaller

Table 5. Registry Paths
Registry Paths
HKLM\SOFTWARE\BitGlass
HKLM\SOFTWARE\Microsoft\Cryptography\Services\bitglass_seproxy\SystemCertificates\MY\Certificates
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKLM\SYSTEM\ControlSet001\Services\bgprotect
HKLM\SYSTEM\ControlSet001\Services\bgSmartEdge
HKLM\SYSTEM\ControlSet001\Services\bitglass_seproxy
HKEY_CURRENT_USER\Software\Bitglass\SEProxy

Outbound IP Exclusions

Table 6. Trial Cloud
URL/Domain Description
cv.us.bitglass.net Agent configuration
cvr.us.bitglass.net Agent configuration
icap-service.btglss.net Agent Download DLP
saseagent.bgsecure.net Agent Dataplane Traffic
bitglass-prod-agent-artifacts.s3.amazonaws.com Agent auto update
d3loxeqnrcs4xe.cloudfront.net Agent PAC file
direct.smartedgehealth.com, d1r2dt8m1uujih.cloudfront.net Health check port 80 and 443
proxy.smartedgehealth.com, d1r2dt8m1uujih.cloudfront.net Health check port 80 and 443
a1bettfbvtfzb-ats.iot.us-east-1.amazonaws.com Agent Notifications
a1bettfbvtfzb-ats.iot.eu-west-2.amazonaws.com Agent Notifications
swgpolicy.apigateway.bitglass.com, d1lrg2q2l2g9t3.cloudfront.net Agent Configurations
profile.bitglass.com Profile Agent configuration
kinesis.us-west-2.amazonaws.com Agent Logs uploading to Kinesis for both Trial Cloud and Commercial Cloud.
* Generally, any site allowed direct access

Table 7. Commercial Cloud
URL/Domain Description
cv.bitglass.com Agent configuration
cvr.bitglass.com Agent configuration
icap-service.btglss.net Agent Download DLP
saseagent.bgsecure.net Agent Dataplane Traffic
bitglass-prod-agent-artifacts.s3.amazonaws.com Agent auto-update
d3loxeqnrcs4xe.cloudfront.net Agent PAC file
direct.smartedgehealth.com, d1r2dt8m1uujih.cloudfront.net Health check port 80 and 443
proxy.smartedgehealth.com, d1r2dt8m1uujih.cloudfront.net Health check port 80 and 443
a2j7y6458wz48c-ats.iot.us-east-1.amazonaws.com Agent Notifications
a2j7y6458wz48c-ats.iot.us-east-2.amazonaws.com Agent Notifications
a2j7y6458wz48c-ats.iot.us-west-2.amazonaws.com Agent Notifications
a2j7y6458wz48c-ats.iot.ap-southeast-1.amazonaws.com Agent Notifications
a2j7y6458wz48c-ats.iot.ap-southeast-2.amazonaws.com Agent Notifications
a2j7y6458wz48c-ats.iot.eu-west-2.amazonaws.com Agent Notifications
a2j7y6458wz48c-ats.iot.eu-central-1.amazonaws.com Agent Notifications
swgpolicy.apigateway.bitglass.com, d1lrg2q2l2g9t3.cloudfront.net Agent Configurations
profile.bitglass.com Profile Agent configuration
kinesis.us-west-2.amazonaws.com Agent Logs uploading to Kinesis for both Trial Cloud and Commercial Cloud.
* Generally, any site allowed direct access
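
A pre-deployment reachability check for the Commercial Cloud endpoints in Table 7, as an added example (not Forcepoint's code). It assumes plain TCP connects from a host behind the same egress firewall as the agents; the function names are hypothetical, and port 443 is used wherever the table gives no port, per the note at the top of the page.

```python
import socket

# Hostnames copied from Table 7 (Commercial Cloud).
HTTPS_ONLY = [
    "cv.bitglass.com", "cvr.bitglass.com", "icap-service.btglss.net",
    "saseagent.bgsecure.net", "bitglass-prod-agent-artifacts.s3.amazonaws.com",
    "d3loxeqnrcs4xe.cloudfront.net", "swgpolicy.apigateway.bitglass.com",
    "d1lrg2q2l2g9t3.cloudfront.net", "profile.bitglass.com",
    "kinesis.us-west-2.amazonaws.com",
]
# Health-check rows are the only ones that also list port 80.
HEALTH_CHECK = ["direct.smartedgehealth.com", "proxy.smartedgehealth.com",
                "d1r2dt8m1uujih.cloudfront.net"]
IOT_REGIONS = ["us-east-1", "us-east-2", "us-west-2", "ap-southeast-1",
               "ap-southeast-2", "eu-west-2", "eu-central-1"]

REQUIRED = {h: (443,) for h in HTTPS_ONLY}
REQUIRED.update({h: (80, 443) for h in HEALTH_CHECK})
REQUIRED.update({f"a2j7y6458wz48c-ats.iot.{r}.amazonaws.com": (443,)
                 for r in IOT_REGIONS})

def tcp_probe(host, port, timeout=3.0):
    """Return None if a TCP connection succeeds, else a short failure reason."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return None
    except socket.gaierror:
        return "dns-failure"      # name is filtered or not resolvable
    except socket.timeout:
        return "timeout"          # typical of a silent firewall drop
    except OSError as exc:
        return f"blocked: {exc.strerror or exc}"

def check_endpoints(required=REQUIRED, probe=tcp_probe):
    """Probe every (host, port) pair; return {(host, port): reason} for failures."""
    failures = {}
    for host, ports in sorted(required.items()):
        for port in ports:
            reason = probe(host, port)
            if reason is not None:
                failures[(host, port)] = reason
    return failures

if __name__ == "__main__":
    failed = check_endpoints()
    for (host, port), reason in failed.items():
        print(f"FAIL {host}:{port} {reason}")
    raise SystemExit(1 if failed else 0)
```

A successful connect only shows that the firewall passes the TCP session; it does not show whether a TLS-inspecting device sits in the path.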

Table 8. EU Cloud
URL/Domain Description
bitglass-prodeu-agent-artifacts.s3.amazonaws.com Agent auto update
d1l23iwzt3tksu.cloudfront.net Agent PAC file
cv.eu.bitglass.net Agent Configuration (Policy and API calls)
proxy.smartedgehealth.com, direct.smartedgehealth.com Agent Health check on ports 80 and 443
d2pbup0tl6y1pd.cloudfront.net Web Reputation Lookup
saseagent.secure.eu.bitglass.net Agent Dataplane Traffic
<tenantdomain>-prodeu.rbi.forcepoint.net, <cluster name>.rbi.forcepoint.net RBI on ports 30000–32767
kinesis.eu-central-1.amazonaws.com Agent Logs uploading to Kinesis
icap-service.eu.bitglass.net Agent Download DLP
aowd3xchomdxc-ats.iot.eu-central-1.amazonaws.com Agent IOT Notifications
smartedge-agent-svcs-apigw.eu.bitglass.net Explicit Proxy - Proxy Chain API
* Generally, any site allowed direct access