Allowing domains for SmartEdge Agents
The SmartEdge agent downloads the configuration and then proxies all user traffic. Reputation and web/app category are looked up for the URL, then an appropriate web browsing policy is applied to the traffic.
Traffic can be blocked, proxied to Forcepoint ONE SSE cloud servers for DLP, or allowed to go direct to the end application server. Aside from the portal page, the below domains, file paths, and registry entries need to be allowed for the Security tool and Antivirus exclusions.
To ensure the smooth operation of the SmartEdge agent and prevent potential issues like blue screen errors, it is essential to configure exclusions for Antivirus and other security tools along with the domains and IPs mentioned below.
Note: Unless explicitly specified, most requests are made to Forcepoint ONE Cloud Services via HTTPS on port 443.
Mac OS Exclusions
| File Paths | Description |
|---|---|
| /Applications/Bitglass/ | Program Location |
| /tmp/bgtray-<username>.log | Logging |
| /Library/Logs/Bitglass/ | Logging |
| /Library/Preferences/Bitglass/ | Control plane Configurations |
| /Library/Application Support/Bitglass/ | Dataplane Configurations |
| /Library/LaunchDaemons/com.bitglass.smartedgeagent.plist | Bitglass Control plane Service |
| /Library/LaunchDaemons/com.bitglass.seproxy.plist | Bitglass Dataplane Service |
| /Library/LaunchDaemons/com.bitglass.sedns.plist | Bitglass DNS Service |
| /Library/LaunchDaemons/com.bitglass.smartedge.autoinstaller.plist | Bitglass Auto installer Service |
| /Library/Keychains/seproxy.keychain | Bitglass CA installation |
| Processes | Description |
|---|---|
| /Applications/Bitglass/SmartEdge Agent.app/Contents/MacOS/bgptray | Tray Icon |
| /Applications/Bitglass/SmartEdge Agent.app/Contents/MacOS/bgpagent | ControlPlane |
| /Applications/Bitglass/seproxy.app/Contents/MacOS/seproxy | DataPlane |
| /Applications/Bitglass/sedns.app/Contents/MacOS/sedns | DNS Server |
Windows OS Exclusions
| File Paths | Description |
|---|---|
| C:\Program Files\Bitglass | Logs and Program |
| C:\ProgramData\Bitglass | Logs |
| C:\Users\<Username>\AppData\Local\Temp\ | Tech Support data path |
| C:\Windows\System32\drivers\PacketFilterDriver.sys | packetfilter Driver for ZTNA |
| C:\Windows\system32\DRIVERS\bgprotect.sys | Filter driver for uninstallation monitoring |
| Access to the current user Trusted Root CA Store | Bitglass CA installation |
| Processes | Description |
|---|---|
| bgptray.exe | Tray icon |
| bgpagent.exe | Controlplane |
| seproxysvc.exe | Dataplane |
| dnsserver.exe | DNS Server |
| autoinstallersvc.exe | Autoinstaller |
| Registry Paths |
|---|
| HKLM\SOFTWARE\BitGlass |
| HKLM\SOFTWARE\Microsoft\Cryptography\Services\bitglass_seproxy\SystemCertificates\MY\Certificates |
| HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| HKLM\SYSTEM\ControlSet001\Services\bgprotect |
| HKLM\SYSTEM\ControlSet001\Services\bgSmartEdge |
| HKLM\SYSTEM\ControlSet001\Services\bitglass_seproxy |
| HKEY_CURRENT_USER\Software\Bitglass\SEProxy |
Outbound IP Exclusions
| URL/Domain | Description |
|---|---|
| cv.bitglass.com | Agent configuration |
| cvr.bitglass.com | Agent configuration |
| icap-service.btglss.net | Agent Download DLP |
| saseagent.bgsecure.net | Agent Dataplane Traffic |
| bitglass-prod-agent-artifacts.s3.amazonaws.com | Agent auto-update |
| d3loxeqnrcs4xe.cloudfront.net | Agent PAC file |
| direct.smartedgehealth.com, d1r2dt8m1uujih.cloudfront.net | Health check port 80 and 443 |
| proxy.smartedgehealth.com, d1r2dt8m1uujih.cloudfront.net | Health check port 80 and 443 |
| a2j7y6458wz48c-ats.iot.us-east-1.amazonaws.com | Agent Notifications |
| a2j7y6458wz48c-ats.iot.us-east-2.amazonaws.com | Agent Notifications |
| a2j7y6458wz48c-ats.iot.us-west-2.amazonaws.com | Agent Notifications |
| a2j7y6458wz48c-ats.iot.ap-southeast-1.amazonaws.com | Agent Notifications |
| a2j7y6458wz48c-ats.iot.ap-southeast-2.amazonaws.com | Agent Notifications |
| a2j7y6458wz48c-ats.iot.eu-west-2.amazonaws.com | Agent Notifications |
| a2j7y6458wz48c-ats.iot.eu-central-1.amazonaws.com | Agent Notifications |
| swgpolicy.apigateway.bitglass.com, d1lrg2q2l2g9t3.cloudfront.net | Agent Configurations |
| profile.bitglass.com | Profile Agent configuration |
| kinesis.us-west-2.amazonaws.com | Agent Logs uploading to Kinesis for both Trial Cloud and Commercial Cloud. |
| * | Generally, any site allowed direct access |