Forcepoint Data Security Cloud Bypass Lists for Firewalls and Security Software
Ensure the following domains/URLs are permitted through your firewall so that Forcepoint Data Security Cloud | SSE services work without interruption. Unless a different port is specified below, requests to Forcepoint Data Security Cloud services are made over HTTPS on TCP port 443.
Forcepoint Data Security Cloud login and administrative pages
Both administrators and users enter through portal.bitglass.com (Commercial Cloud) and are redirected to different sub-sites, so the domains listed below are relevant for anyone logging into Forcepoint Data Security Cloud. Only administrators have access to the Forcepoint Data Security Cloud support portal.
URL/Domain | Description |
---|---|
portal.bitglass.com | Login page |
looker.bitglass.com | Analytics page |
d35yjcem1gita5.cloudfront.net, dmksmfp72wh99.cloudfront.net | CSS/scripts for portal.bitglass.com |
ajax.aspnetcdn.com, cdnjs.cloudflare.com | Scripts for portal.bitglass.com |
s3.us-west-2.amazonaws.com | Images for custom apps |
*.sso.bitglass.com | Login client certificate check |
www.btglss.net | Agentless / reverse proxied app access |
cdn.walkme.com, s3.walkmeusercontent.com, ec.walkme.com | WalkMe portal assistance |
Forcepoint Security Manager DLP to Forcepoint Data Security Cloud | SSE
Each of the domains below resolves to multiple IP addresses, and every returned address must be included in any firewall Access Control Lists (ACLs). Where the firewall supports FQDN-based rule objects, use them in preference to static IP entries: the address set behind these names changes over time, and a static IP ACL has to be re-resolved and updated periodically or connections will start failing.
Domain/URL |
---|
portal.bitglass.com |
proxyapi.bitglass.com |
ZTNA
URL/Domain | Description |
---|---|
ZTNA OVA: | |
ztnarouter.bitglass.com | OVA management connection |
bg-prod-ova.s3.amazonaws.com | ZTNA ISO |
github.com | GitHub |
download.docker.com | Docker |
cv.bitglass.com | Agent Configuration |
HTTP ZTNA: | |
www.ztna.bitglass.com | HTTP ZTNA |
<domain>-<id>.ztna.bitglass.com | HTTP ZTNA |
TCP ZTNA (SmartEdge Agent): | |
ztnarouter.bitglass.com | ZTNA Router |
ztnahaproxy-*.bitglass.com | ZTNA Load Balancer |
Reverse Proxy
- Example for Commercial Cloud: login-box-com.btglss.net
Domain/URL | Description |
---|---|
<tenant domain>.btglss.net | Dataplane for Commercial Cloud - Proxied app traffic domain |
Admin Portal | All portal page domains listed at the beginning of this article. |
Cloud API
Cloud API communication occurs between the Forcepoint Data Security Cloud analytics/dataplane nodes and the application and is not initiated from on-premise. No special firewall bypass entries are required aside from the portal page domains listed at the beginning of this article.
URL/Domain | Description |
---|---|
Admin Portal | All portal page domains listed at the beginning of this article. |
CSPM
CSPM communication occurs between the Forcepoint Data Security Cloud analytics/dataplane nodes and the application and is not initiated from on-premise. No special firewall bypass entries are required aside from the portal page domains listed at the beginning of this article.
URL/Domain | Description |
---|---|
Admin Portal | All portal page domains listed at the beginning of this article. |
Discovery
Discovery involves navigating the Forcepoint Data Security Cloud portal as well as uploading logs, or downloading an OVA that streams logs out to Forcepoint.
URL/Domain | Description |
---|---|
bg-prod-ova.s3.amazonaws.com | Discovery OVA and ISO downloads |
syslog.bitglass.com (TCP port 1999) | Syslog |
*.dkr.ecr.us-west-2.amazonaws.com | Container download |
Admin Portal | All portal page domains listed at the beginning of this article. |
URL/Domain | Description |
---|---|
bg-prodeu-ova.s3.amazonaws.com | Discovery OVA and ISO downloads |
096923413011.dkr.ecr.us-west-2.amazonaws.com | OVA docker download |
prod-us-west-2-starport-layer-bucket.s3.us-west-2.amazonaws.com | OVA docker container |
syslog.bitglass.eu (TCP port 1999) | Syslog |
Admin Portal | All portal page domains listed at the beginning of this article. |
IAM
Depending on your deployment, you may need to allow the Forcepoint Data Security Cloud AD Agent or API calls that create users in Forcepoint Data Security Cloud. See the specific sources and destinations below for the required bypasses.
AD Agent
Domain/URL |
---|
cv.bitglass.com |
dirsync.bitglass.com |
SCIM
SCIM communicates directly between Forcepoint Data Security Cloud servers in the cloud and the application servers (Microsoft, Google, etc.) to gather users, so it is not affected by on-premise network firewalls.
User API
Requests to create a user via the Forcepoint Data Security Cloud user API are made using resources on portal.bitglass.com.
MFA
Requests from a user device for MFA initiated by Forcepoint Data Security Cloud use resources on portal.bitglass.com and do not require additional bypass domains. If an administrator has selected a third-party MFA provider such as Google or Duo, the relevant domains for that provider must be allowed as well.
Log Poll API
Requests to fetch log data are made to resources at portal.bitglass.com.
IP API
Requests to fetch Bitglass IP lists are made to resources at portal.bitglass.com.
ICAP
ICAP DLP initiates connections from the Forcepoint Data Security Cloud data planes to the ICAP server defined in the admin portal, so that server must accept inbound connections from external sources. Those source addresses are listed in the Forcepoint Data Security Cloud | SSE datacenters and IPs article; restrict the inbound rule to that published set rather than opening the ICAP listener to all sources.
Remote Browser Isolation (RBI) Exclusions
Environment | Exception URL | Outbound Ports for Connection |
---|---|---|
Commercial Cloud | *.rbi.forcepoint.com | 30000 – 32767 |
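Several entries on this page are patterns rather than hostnames (*.sso.bitglass.com, ztnahaproxy-*.bitglass.com, <tenant domain>.btglss.net, <domain>-<id>.ztna.bitglass.com, *.rbi.forcepoint.com), and two services use ports other than 443 (syslog on TCP 1999, RBI on 30000-32767). The script below is an added example, not Forcepoint's code: it turns the page's entries into anchored host patterns with port ranges and checks constructed egress-firewall log lines against them, reporting destinations the bypass list does not cover. It assumes that ports the page does not state are TCP 443 (the page's general note), that a wildcard or placeholder covers exactly one DNS label (some firewalls match more; check your vendor), and a made-up log format with dst= and dport= fields.

```python
"""Check observed outbound connections against this page's bypass list.

Added example (not Forcepoint code). The allowlist entries are the ones on
this page; "*" and "<...>" placeholders are treated as single-label
wildcards. Ports the page does not state are assumed to be TCP 443, per the
page's general note. The log lines at the bottom are constructed sample data.
"""
import re

DEFAULT_PORT = 443

# pattern[:port | :low-high]; entries without a port use DEFAULT_PORT
ALLOWLIST = [
    "portal.bitglass.com", "looker.bitglass.com",
    "d35yjcem1gita5.cloudfront.net", "dmksmfp72wh99.cloudfront.net",
    "ajax.aspnetcdn.com", "cdnjs.cloudflare.com", "s3.us-west-2.amazonaws.com",
    "*.sso.bitglass.com", "www.btglss.net",
    "cdn.walkme.com", "s3.walkmeusercontent.com", "ec.walkme.com",
    "proxyapi.bitglass.com",
    "ztnarouter.bitglass.com", "bg-prod-ova.s3.amazonaws.com",
    "github.com", "download.docker.com", "cv.bitglass.com",
    "www.ztna.bitglass.com", "<domain>-<id>.ztna.bitglass.com",
    "ztnahaproxy-*.bitglass.com",
    "<tenant domain>.btglss.net",
    "syslog.bitglass.com:1999", "*.dkr.ecr.us-west-2.amazonaws.com",
    "bg-prodeu-ova.s3.amazonaws.com",
    "096923413011.dkr.ecr.us-west-2.amazonaws.com",
    "prod-us-west-2-starport-layer-bucket.s3.us-west-2.amazonaws.com",
    "syslog.bitglass.eu:1999", "dirsync.bitglass.com",
    "*.rbi.forcepoint.com:30000-32767",
]

# A wildcard stands for one DNS label fragment (no dots), so
# "*.sso.bitglass.com" matches "acme.sso.bitglass.com" but not
# "a.b.sso.bitglass.com"; the ^...$ anchors stop suffix tricks such as
# "portal.bitglass.com.attacker.example". Assumption: your firewall may
# apply different wildcard semantics.
_WILD = r"[a-z0-9-]+"


def compile_pattern(pattern: str) -> re.Pattern:
    """Turn an entry such as 'ztnahaproxy-*.bitglass.com' into an anchored regex."""
    pieces = re.split(r"(<[^>]+>|\*)", pattern.lower())
    regex = "".join(
        _WILD if p == "*" or p.startswith("<") else re.escape(p)
        for p in pieces if p
    )
    return re.compile(f"^{regex}$")


def parse_entry(entry: str):
    """Split 'host[:port|:low-high]' into (regex, low_port, high_port)."""
    host, _, ports = entry.partition(":")
    if ports:
        low, _, high = ports.partition("-")
        low, high = int(low), int(high or low)
    else:
        low = high = DEFAULT_PORT
    return compile_pattern(host), low, high


RULES = [parse_entry(e) for e in ALLOWLIST]


def is_permitted(host: str, port: int, rules=RULES) -> bool:
    """True if some allowlist entry covers both the hostname and the port."""
    host = host.lower().rstrip(".")
    return any(rx.match(host) and low <= port <= high for rx, low, high in rules)


# Constructed egress-firewall log lines (destination hostname from TLS SNI or
# DNS, plus destination port). Not real Forcepoint or customer data.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=10.0.5.12 dst=portal.bitglass.com dport=443
2024-05-01T10:00:02Z src=10.0.5.12 dst=acme.sso.bitglass.com dport=443
2024-05-01T10:00:03Z src=10.0.5.12 dst=login-box-com.btglss.net dport=443
2024-05-01T10:00:04Z src=10.0.5.40 dst=ztnahaproxy-us1.bitglass.com dport=443
2024-05-01T10:00:05Z src=10.0.9.2 dst=syslog.bitglass.com dport=1999
2024-05-01T10:00:06Z src=10.0.9.2 dst=syslog.bitglass.com dport=514
2024-05-01T10:00:07Z src=10.0.5.12 dst=edge01.rbi.forcepoint.com dport=31000
2024-05-01T10:00:08Z src=10.0.5.12 dst=edge01.rbi.forcepoint.com dport=33000
2024-05-01T10:00:09Z src=10.0.5.12 dst=portal.bitglass.com.attacker.example dport=443
"""

_LOG_RE = re.compile(r"dst=(?P<host>\S+) dport=(?P<port>\d+)")


def uncovered(log_text: str) -> list:
    """Return (host, port) pairs from the log that no allowlist entry covers."""
    gaps = []
    for line in log_text.splitlines():
        m = _LOG_RE.search(line)
        if m and not is_permitted(m["host"], int(m["port"])):
            gaps.append((m["host"], int(m["port"])))
    return gaps


if __name__ == "__main__":
    for host, port in uncovered(SAMPLE_LOG):
        print(f"not covered by bypass list: {host}:{port}")
```

On the sample data the three flagged destinations are syslog on the wrong port (514 instead of 1999), an RBI connection outside the 30000-32767 range, and a hostname that merely ends in a permitted name. The check works on hostnames only, which is what FQDN-capable firewall objects enforce; it does not resolve DNS, so it says nothing about whether a static IP ACL is still current.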