Allowing domains for SmartEdge Agents
The SmartEdge agent downloads the configuration and then proxies all user traffic. Reputation and web/app category are looked up for the URL, then an appropriate web browsing policy is applied to the traffic.
Traffic can be blocked, proxied to Forcepoint Data Security Cloud | SSE cloud servers for DLP, or allowed to go direct to the end application server. Aside from the portal page, the below domains, file paths, and registry entries need to be allowed for the Security tool and Antivirus exclusions.
To ensure the smooth operation of the SmartEdge agent and prevent potential issues like blue screen errors, it is essential to configure exclusions for Antivirus and other security tools along with the domains and IPs mentioned below.
Mac OS Exclusions
| File Paths | Description |
|---|---|
| /Applications/Bitglass/ | Program Location |
| /tmp/bgtray-<username>.log | Logging |
| /Library/Logs/Bitglass/ | Logging |
| /Library/Preferences/Bitglass/ | Control plane Configurations |
| /Library/Application Support/Bitglass/ | Dataplane Configurations |
| /Library/LaunchDaemons/com.bitglass.smartedgeagent.plist | Bitglass Control plane Service |
| /Library/LaunchDaemons/com.bitglass.seproxy.plist | Bitglass Dataplane Service |
| /Library/LaunchDaemons/com.bitglass.sedns.plist | Bitglass DNS Service |
| /Library/LaunchDaemons/com.bitglass.smartedge.autoinstaller.plist | Bitglass Auto installer Service |
| /Library/Keychains/seproxy.keychain | Bitglass CA installation |
| Processes | Description |
|---|---|
| /Applications/Bitglass/SmartEdge Agent.app/Contents/MacOS/bgptray | Tray Icon |
| /Applications/Bitglass/SmartEdge Agent.app/Contents/MacOS/bgpagent | ControlPlane |
| /Applications/Bitglass/seproxy.app/Contents/MacOS/seproxy | DataPlane |
| /Applications/Bitglass/sedns.app/Contents/MacOS/sedns | DNS Server |
Windows OS Exclusions
| File Paths | Description |
|---|---|
| C:\Program Files\Bitglass | Logs and Program |
| C:\ProgramData\Bitglass | Logs |
| C:\Users\<Username>\AppData\Local\Temp\ | Tech Support data path |
| C:\Windows\System32\drivers\PacketFilterDriver.sys | packetfilter Driver for ZTNA |
| C:\Windows\system32\DRIVERS\bgprotect.sys | Filter driver for uninstallation monitoring |
| Access to the current user Trusted Root CA Store | Bitglass CA installation |
| Processes | Description |
|---|---|
| bgptray.exe | Tray icon |
| bgpagent.exe | Controlplane |
| seproxysvc.exe | Dataplane |
| dnsserver.exe | DNS Server |
| autoinstallersvc.exe | Autoinstaller |
| Registry Paths |
|---|
| HKLM\SOFTWARE\BitGlass |
| HKLM\SOFTWARE\Microsoft\Cryptography\Services\bitglass_seproxy\SystemCertificates\MY\Certificates |
| HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| HKLM\SYSTEM\ControlSet001\Services\bgprotect |
| HKLM\SYSTEM\ControlSet001\Services\bgSmartEdge |
| HKLM\SYSTEM\ControlSet001\Services\bitglass_seproxy |
| HKEY_CURRENT_USER\Software\Bitglass\SEProxy |
Outbound IP Exclusions
| URL/Domain | Description |
|---|---|
| bitglass-prodeu-agent-artifacts.s3.amazonaws.com | Agent auto update |
| d1l23iwzt3tksu.cloudfront.net | Agent PAC file |
| cv.eu.bitglass.net | Agent Configuration (Policy and API calls) |
|
proxy.smartedgehealth.com direct.smartedgehealth.com |
Agent Health check On Port 80 and 443 |
| d2pbup0tl6y1pd.cloudfront.net | Web Reputation Lookup |
| saseagent.secure.eu.bitglass.net | Agent Dataplane Traffic |
|
<tenantdomain>-prodeu.rbi.forcepoint.net <cluster name>.rbi.forcepoint.net |
RBI On Ports 30000–32767 |
| kinesis.eu-central-1.amazonaws.com | Agent Logs uploading to Kinesis |
| icap-service.eu.bitglass.net | Agent Download DLP |
| aowd3xchomdxc-ats.iot.eu-central-1.amazonaws.com | Agent IOT Notifications |
| smartedge-agent-svcs-apigw.eu.bitglass.net | Explicit Proxy - Proxy Chain API |
| * | Generally, any site allowed direct access |