An Old Version of a Topic vs. the New Version

Topic Title: Configuring A Firewall For Box Applications

Old Topic

When configuring your firewall to allow Box as a trusted source, please use the steps outlined below:

1. Use our site's domain names instead of a particular site IP address, as IP addresses can change frequently and without notice. Please configure hostnames to recognize any subdomain of:

  • *.box.com
  • *.box.net
  • *.boxcdn.net
  • *.boxcloud.com

To use the Excel Online Previewer, you must allow the following specific hostnames:

  • *.cdn.office.net
  • excel.officeapps.live.com
  • fs.microsoft.com

To use the Box for Office Online integration, please allow Microsoft's Office 365 URLs and IP address ranges.

To use Google's reCaptcha feature (used at login), you must allow the following specific hostnames:

To use Google's reCaptcha feature, be sure to allow its public IP addresses.

To use the Box for Google Workspace, please go to the Google support pages for the hostnames you must allow. (You can ignore the Google Drive/drive IP addresses because this Box integration does not have a dependency on Google Drive.)

To use the Box for iWork integration, you must allow access to Apple’s network at 17.0.0.0/8.

To log in to our support site to submit a support ticket, you must allow:

  • box.zendesk.com 

To use Box Sign, you must allow the following specific hostnames:

  • fonts.gstatic.com
  • fonts.googleapis.com

If you cannot allow the wildcard domains shown in the list above, please allow these specific hostnames:

  • a.box.com
  • account.box.com
  • api.box.com
  • app.box.com
  • blog.box.com
  • captcha.boxcdn.net
  • cdn01.boxcdn.net - cdn20.boxcdn.net
  • community.box.com
  • developer.box.com
  • dl.boxcloud.com
  • dl2.boxcloud.com - dl20.boxcloud.com
  • docs.box.com
  • e3.boxcdn.net
  • ent.box.com
  • images-captcha.boxcdn.net
  • m.account.box.com
  • m.app.box.com
  • m.box.com
  • m.ent.box.com
  • newassets-captcha.boxcdn.net
  • notes.services.box.com
  • public.boxcloud.com
  • reportapi-captcha.boxcdn.net
  • sso.services.box.net
  • status.box.com
  • support.box.com
  • upload.app.box.com
  • upload.box.com
  • upload.box.net
  • upload.ent.box.com
  • www.box.com
  • www.box.net
  • {yourcustomsubdomain}.account.box.com
  • {yourcustomsubdomain}.app.box.com
  • {yourcustomsubdomain}.box.com
  • {yourcustomsubdomain}.ent.box.com
  • 2.realtime.services.box.net

2. Enable HTTPS (port 443) for the domains above.

Enterprise account customers may need to add additional specific hostnames to the allowlist.
Please create a Box Product Support case and request the additional hostnames that are used with Enterprise accounts.

Due to the numerous firewalls available, we cannot provide specific instructions for each firewall beyond what is listed above. If you are using a firewall or proxy such as Forcepoint/Websense, Blue Coat, and so on, please create a Box Product Support case and request the additional hostnames that are used with Enterprise accounts.

 

Creating Allow Lists for Box Zones

If you have configured a firewall, you can allow the following Box Zones domains.

Canada

  • fupload-ec2cac1.app.box.com
  • fupload-ec2cac1.ent.box.com
  • ec2cac1.boxcloud.com

Germany

  • fupload-ec2euc1.app.box.com
  • fupload-ec2euc1.ent.box.com
  • ec2euc1.boxcloud.com
  • ec2euw2.boxcloud.com

Japan

  • fupload-ec2apne1.app.box.com
  • fupload-ec2apne1.ent.box.com
  • ec2apne1.boxcloud.com

Sydney, Australia

  • fupload-ec2apse2.app.box.com
  • fupload-ec2apse2.ent.box.com
  • ec2apse2.boxcloud.com

UK

  • fupload-ec2euw2.app.box.com
  • fupload-ec2euw2.ent.box.com
  • ec2euw2.boxcloud.com

USA

  • fupload-ec2usw1.app.box.com
  • fupload-ec2usw1.ent.box.com
  • dl3.boxcloud.com

 

Box Desktop Applications' Proxy Support

Box Drive, Box Sync, Box Tools, Box for Office, and Box Notes Desktop are desktop applications that must connect to Box's data centers to function. The apps utilize the same domains outlined above. The apps detect and use the proxy configured for the local machine via:

  • Automatic Proxy Detection
  • Proxy Auto-Configuration (PAC file)
    • Windows does not support local file path schemas for the .pac file location such as file://C:\proxy.pac. Use a URL to configure the .pac file location.
  • Or manually setting the proxy server address for HTTP and HTTPS protocols

For proxy authentication support:
  • Windows apps support NTLMv1 or NTLMv2 authentication
    • Box for Office, Box Tools (machine-wide build), and Box Sync use a Windows Service that needs to connect to Box's data centers to check for new versions. The Windows Services run as the SYSTEM user, which may be unable to authenticate using NTLM. We recommend allowing services that run as SYSTEM to connect through your proxy without authentication.
  • Mac apps support NTLMv1 authentication only.
  • Basic Authentication is not supported.

Testing Connectivity to Box Domains

To test whether your browser can connect to various Box domains, go to our Connectivity Testing page. Each test image is hosted on a different Box URL.

 

Configuring Email for Box Notifications

Box uses an email service provider to deliver notification messages, such as invitations to collaborate on content when a file has been shared. To ensure your organization can receive notifications from Box, you may need to update your filters to allow email notifications to reach your users. Read Configuring Email for Box Notifications for more details.

New Topic

A firewall is a component of network security that defines what network traffic is and is not allowed in and out of your enterprise. At the extremes, a firewall can be configured to block all inbound and outbound traffic or to allow all inbound and outbound traffic, but the former makes network communication impossible and the latter is a significant security risk. More commonly, a firewall is configured either to allow traffic through specific ports unless explicitly blocked or, for a stricter security stance, to block traffic unless explicitly allowed.

Firewalls are configured to allow or block traffic in several ways, including by geographic source, by port, by domain/hostname, and by IP address. Box and Box applications require the traffic to and from specifically defined domains and IP addresses to be allowed through a corporate firewall, as outlined in this topic.

Typically, you would list these domains/hostnames and IP addresses in your firewall's allowlist. See the instructions for your firewall hardware or software for details.

Note

Some Enterprise accounts may need additional specific hostnames beyond those listed in this topic. If you are using a firewall or proxy such as Forcepoint/Websense or Blue Coat, create a Box Product Support case and request additional hostnames that may be necessary for Enterprise accounts.

Firewall Allowlist Domains/Hostnames and IP Addresses

The following sections list the domains/hostnames and IP addresses that must be allowlisted for Box and Box applications, integrations, and components to function properly.

Box

The core Box application requires the following domains to be allowed.

Note

Use our site's domain names instead of a particular site IP address. IP addresses can change frequently and without notice.

Configure hostnames to recognize any subdomain of:

  • *.box.com
  • *.box.net
  • *.boxcdn.net
  • *.boxcloud.com

If you cannot allow the wildcard domains shown in the list above, allow these specific hostnames:

  • a.box.com
  • account.box.com
  • api.box.com
  • app.box.com
  • blog.box.com
  • captcha.boxcdn.net
  • cdn01.boxcdn.net - cdn20.boxcdn.net
  • community.box.com
  • developer.box.com
  • dl.boxcloud.com
  • dl2.boxcloud.com - dl20.boxcloud.com
  • docs.box.com
  • e3.boxcdn.net
  • ent.box.com
  • images-captcha.boxcdn.net
  • m.account.box.com
  • m.app.box.com
  • m.box.com
  • m.ent.box.com
  • newassets-captcha.boxcdn.net
  • notes.services.box.com
  • public.boxcloud.com
  • reportapi-captcha.boxcdn.net
  • sso.services.box.net
  • status.box.com
  • support.box.com
  • upload.app.box.com
  • upload.box.com
  • upload.box.net
  • upload.ent.box.com
  • www.box.com
  • www.box.net
  • {yourcustomsubdomain}.account.box.com
  • {yourcustomsubdomain}.app.box.com
  • {yourcustomsubdomain}.box.com
  • {yourcustomsubdomain}.ent.box.com
  • 2.realtime.services.box.net

In addition, enable HTTPS (port 443) for the domains above.
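For firewalls that need exact names, the two ranged entries in the list above have to be expanded, and any wildcard matching has to respect the label boundary. The following is an added example, not Box's own code; the function names are illustrative, and treating the bare apex (box.com) as not covered by *.box.com is an assumption that depends on your firewall.

```python
import re

# Wildcard patterns and ranged entries copied from the lists above.
WILDCARDS = ["*.box.com", "*.box.net", "*.boxcdn.net", "*.boxcloud.com"]
RANGES = ["cdn01.boxcdn.net - cdn20.boxcdn.net", "dl2.boxcloud.com - dl20.boxcloud.com"]

_RANGE_RE = re.compile(r"^([a-z-]+?)(\d+)\.(\S+)\s+-\s+([a-z-]+?)(\d+)\.(\S+)$")


def expand_range(entry):
    """Expand 'cdn01.boxcdn.net - cdn20.boxcdn.net' into individual hostnames."""
    m = _RANGE_RE.match(entry.strip().lower())
    if not m:
        raise ValueError(f"not a hostname range: {entry!r}")
    prefix, first, domain, prefix2, last, domain2 = m.groups()
    if (prefix, domain) != (prefix2, domain2) or int(first) > int(last):
        raise ValueError(f"inconsistent range: {entry!r}")
    # Keep zero padding only when the first number is written with it (cdn01).
    width = len(first) if first.startswith("0") else 0
    return [f"{prefix}{str(n).zfill(width)}.{domain}"
            for n in range(int(first), int(last) + 1)]


def matches(hostname, pattern):
    """True if hostname equals an exact name or falls under a '*.domain' wildcard."""
    host = hostname.lower().rstrip(".")
    pat = pattern.lower()
    if pat.startswith("*."):
        # The leading dot enforces a label boundary, so 'notbox.com' does not
        # match '*.box.com'. Assumption: the bare apex is not a subdomain.
        return host.endswith(pat[1:]) and len(host) > len(pat) - 1
    return host == pat


def build_allowlist():
    """Exact hostnames derived from the ranged entries."""
    hosts = []
    for entry in RANGES:
        hosts.extend(expand_range(entry))
    return hosts


def is_allowed(hostname, patterns):
    return any(matches(hostname, p) for p in patterns)
```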

Excel Online Previewer

To use the Excel Online Previewer, you must allow the following specific hostnames:

  • *.cdn.office.net
  • excel.officeapps.live.com
  • fs.microsoft.com

Box for Office Integration

To use the Box for Office Online integration, please allow Microsoft's Office 365 URLs and IP address ranges.

Google reCaptcha

To use Google's reCaptcha feature (used at login), you must allow the following specific hostnames:

To use Google's reCaptcha feature, be sure to allow its public IP addresses.

Box for Google Workspace

To use the Box for Google Workspace, please go to the Google support pages for the hostnames you must allow. (You can ignore the Google Drive/drive IP addresses because this Box integration does not have a dependency on Google Drive.)

Box for iWork Integration

To use the Box for iWork integration, you must allow access to Apple’s network at 17.0.0.0/8.

Box Sign

To use Box Sign, you must allow the following specific hostnames:

  • fonts.gstatic.com
  • fonts.googleapis.com

Box Support Site and Product Documentation

To log in to our support site to submit a support ticket you must allow:

  • box.zendesk.com 

For all other inbound traffic, you must allow the list of ingress and egress IP addresses found at the following endpoint:

https://box.zendesk.com/ips

The endpoint doesn’t require authentication. You can copy this URL and paste it into the address bar of any browser. You may want to schedule a periodic request to this endpoint to detect when the IP addresses listed in the response change.
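One way to implement the scheduled check described above is to save each response and compare it with the previous one. This is an added example, not Box's own code; the JSON key names in the constructed snapshots are assumptions, and the extractor does not depend on them because it collects every address or CIDR string it finds in the body.

```python
import ipaddress
import json
import urllib.request

IPS_URL = "https://box.zendesk.com/ips"  # endpoint named above; no authentication


def fetch_ips(url=IPS_URL, timeout=10):
    """Download the current response body (needs network; not called by the demo)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def extract_networks(body):
    """Collect every IP address or CIDR string found anywhere in the JSON body."""
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)
        elif isinstance(node, str):
            try:
                found.add(ipaddress.ip_network(node.strip(), strict=False))
            except ValueError:
                pass  # not an address or CIDR; ignore

    walk(json.loads(body))
    return found


def diff_snapshots(old_body, new_body):
    """Return (added, removed) networks as sorted lists of strings."""
    old, new = extract_networks(old_body), extract_networks(new_body)
    key = lambda n: (n.version, int(n.network_address), n.prefixlen)
    added = [str(n) for n in sorted(new - old, key=key)]
    removed = [str(n) for n in sorted(old - new, key=key)]
    return added, removed


# Constructed snapshots using documentation address ranges; key names are assumed.
OLD = '{"ips": {"ingress": ["192.0.2.0/24"], "egress": ["198.51.100.10"]}}'
NEW = '{"ips": {"ingress": ["192.0.2.0/24", "203.0.113.0/24"], "egress": ["198.51.100.11"]}}'
```

Run it from a scheduler with the previous body stored on disk, and raise a firewall change request only when either returned list is non-empty.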

Creating Allow Lists for Box Zones

If you have configured a firewall, you can allow the following Box Zones domains.

Canada

  • fupload-ec2cac1.app.box.com
  • fupload-ec2cac1.ent.box.com
  • ec2cac1.boxcloud.com

Germany

  • fupload-ec2euc1.app.box.com
  • fupload-ec2euc1.ent.box.com
  • ec2euc1.boxcloud.com
  • ec2euw2.boxcloud.com

Japan

  • fupload-ec2apne1.app.box.com
  • fupload-ec2apne1.ent.box.com
  • ec2apne1.boxcloud.com

Sydney, Australia

  • fupload-ec2apse2.app.box.com
  • fupload-ec2apse2.ent.box.com
  • ec2apse2.boxcloud.com

UK

  • fupload-ec2euw2.app.box.com
  • fupload-ec2euw2.ent.box.com
  • ec2euw2.boxcloud.com

USA

  • fupload-ec2usw1.app.box.com
  • fupload-ec2usw1.ent.box.com
  • dl3.boxcloud.com

 

Box Desktop Applications' Proxy Support

Box Drive, Box Sync, Box Tools, Box for Office, and Box Notes Desktop are desktop applications that must connect to Box's data centers to function. The apps utilize the same domains outlined above. The apps detect and use the proxy configured for the local machine via:

  • Automatic Proxy Detection
  • Proxy Auto-Configuration (PAC file)
    • Windows does not support local file path schemas for the .pac file location such as file://C:\proxy.pac. Use a URL to configure the .pac file location.
  • Or manually setting the proxy server address for HTTP and HTTPS protocols

For proxy authentication support:
  • Windows apps support NTLMv1 or NTLMv2 authentication
    • Box for Office, Box Tools (machine-wide build), and Box Sync use a Windows Service that needs to connect to Box's data centers to check for new versions. The Windows Services run as the SYSTEM user, which may be unable to authenticate using NTLM. We recommend allowing services that run as SYSTEM to connect through your proxy without authentication.
  • Mac apps support NTLMv1 authentication only.
  • Basic Authentication is not supported.

Testing Connectivity to Box Domains

To test whether your browser can connect to various Box domains, go to our Connectivity Testing page. Each test image is hosted on a different Box URL.

 

Configuring Email for Box Notifications

Box uses an email service provider to deliver notification messages, such as invitations to collaborate on content when a file has been shared. To ensure your organization can receive notifications from Box, you may need to update your filters to allow email notifications to reach your users. Read Configuring Email for Box Notifications for more details.