> ## Documentation Index
> Fetch the complete documentation index at: https://docs.box.com/llms.txt
> Use this file to discover all available pages before exploring further.
# Configuring A Firewall For Box Applications and Services
export const TranslatableCodeBlock = ({children, lang = "auto", language, ...props}) => {
const raw = Array.isArray(children) ? children.join("") : String(children ?? "");
const lines = raw.split("\n");
const indent = Math.min(...lines.filter(line => line.trim() !== "").map(line => line.match(/^[ \t]*/)[0].length));
const code = lines.map(line => line.slice(indent)).join("\n").replaceAll("", "").replaceAll("", "");
const resolvedLanguage = language ?? lang;
return {code};
};
A firewall is a part of network security that controls which network traffic can enter or leave your business. Firewalls can be set to block all traffic, allow or block specific types, or permit all traffic. In most cases, a firewall is set up to allow traffic through specific ports unless explicitly blocked, or for more stringent security measures, to block traffic unless explicitly allowed.
Firewalls are configured to allow or block traffic in several ways, including by geographic source, by port, by domain/hostname, and by IP address. Box and Box applications require the traffic to and from specifically defined domains to be allowed through a corporate or personal firewall, as outlined in this topic.
Typically, you would include these domains/hostnames in your firewall's allowlist. Please refer to the instructions for your particular firewall hardware or software for details.
## 1. Firewall Allowlist Domains/Hostnames
Here are the domains/hostnames that need to be allowlisted for Box and its applications, integrations, and components to work correctly. Box will notify you of any changes in this list through [product announcements](/en/announcements). Box recommends regularly checking this page to stay updated. It is important to update your firewall whenever there are any changes.
Configure firewall allowlist with any **subdomain** and **Hosts** of **Box Core domains** and **any other related services.**
### 1a. Box Core Domains
**Note:**
Best practice is to use our site's **domain names** instead of a particular site IP address. IP addresses can change frequently and without notice.
Configure hostnames to recognize any subdomain of:
{`
*.box.com
*.app.box.com
*.ent.box.com # "ent" only required if you are a Box Verified Enterprise account
*.box.net
*.boxcdn.net
*.boxcloud.com
*.services.box.com
`}
### 1b. Other related service Domains/Hosts
{`
# Box Test
*.box-test.com
# Box for Microsoft Teams
app.boxenterprise.net
cdn.jsdelivr.net
unpkg.com
# Box Sign
fonts.gstatic.com
fonts.googleapis.com
# Box Support Site and Product Documentation
support.box.com
docs.box.com
leaves.mintlify.com
hcaptcha.com
*.hcaptcha.com
# To log in to our support site to submit a support ticket you must allow:
box.zendesk.com
support.box.com
# For all other inbound traffic, you must allow the list of ingress and egress IP addresses found at the following:
https://support.box.com/ips
# The URL doesn’t require authentication. You can copy this URL and paste it into the address bar of any browser.
# You may want to set up a scheduled request periodically to determine if the IP addresses listed in the request response change.
# Box Education
*.brightcove.com
*.brightcove.services
*.zencdn.net
*.boltdns.net
*.akamaihd.net
*.yext.com
training.box.com
# Box Web Analytics
# No personally identifiable information will be collected. Any data collected is anonymous. See Box Analytics Product Announcement for more details.
*.demdex.net
`}
**Other integrations:**
* **Box for Office Integration**: To use the [Box for Office Online integration](https://support.box.com/hc/en-us/articles/360044196433-Box-for-Office-Integrations#bfo_officeonline) and [Excel Online Previewer](https://support.box.com/hc/en-us/articles/360043695314-Excel-Online-Previewer), allow [Office 365 URLs and IP address ranges](https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges?redirectSourcePath=%252fen-gb%252farticle%252foffice-365-urls-and-ip-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2).
* **Box for Google Workspace**: To use the [Box for Google Workspace](https://support.box.com/hc/en-us/articles/360043696994-Introducing-Box-for-G-Suite), please go to [the Google support pages](https://support.google.com/a/answer/2589954) for the hostnames you must allow. (You can ignore the Google Drive/drive IP addresses because this Box integration does not have a dependency on Google Drive.)
* **Box for iWork Integration**: To use the [Box for iWork integration](https://support.box.com/hc/en-us/articles/360043696654-iWork-Integration), you must allow access to Apple’s network at `17.0.0.0/8`
* Optionally, if using an IP allowlist, be sure to allow the IPs listed on [https://www.cloudflare.com/ips/](https://www.cloudflare.com/ips/)
**IMPORTANT:**
If above Domains / Host names are not allowed, related functions or services will not work. Use the section below.
### 1c. Specific hostnames
If you cannot allow the wildcard domains shown in the two lists above, allow these **specific hostnames:**
{`
# Box core features
2.realtime.services.box.net
account.box.com
api.box.com
app.box.com
ent.box.com
captcha.boxcdn.net
cdn01.boxcdn.net - cdn20.boxcdn.net
client-log.box.com
developer.box.com
dl.boxcloud.com
dl2.boxcloud.com - dl20.boxcloud.com
public.boxcloud.com
docs.box.com
e3.boxcdn.net
newassets-captcha.boxcdn.net
notes.services.box.com
rtg.services.box.com
sso.services.box.net
support.box.com
track.box.com
upload.app.box.com
upload.ent.box.com
upload.box.com
upload.box.net
{yourcustomsubdomain}.account.box.com
{yourcustomsubdomain}.app.box.com
{yourcustomsubdomain}.box.com
{yourcustomsubdomain}.ent.box.com
# Box for Microsoft Teams
unpkg.com
cdn.jsdelivr.net
app.boxenterprise.net
# Box Captcha feature (used at login), you must allow the following:
captcha.boxcdn.net
images-captcha.boxcdn.net
newassets-captcha.boxcdn.net
reportapi-captcha.boxcdn.net
# Box Sign
fonts.gstatic.com
fonts.googleapis.com
# Box Support Site and Product Documentation
box.zendesk.com
support.box.com
docs.box.com
leaves.mintlify.com
hcaptcha.com
*.hcaptcha.com
# Box Education
edge.api.brightcove.com
gallery.assets.brightcove.com
interactivity-collector.metric.brightcove.com
interactivity.viewer.api.brightcove.com
metrics.brightcove.com
player.interactivity.brightcove.com
players.brightcove.net
cdn.vee.brightcove.services
reflector.brightcove.services
resources.interactivity.brightcove.com
simulive-license-service.brightcove.services
vjs.zencdn.net
cf-images.us-east-1.prod.boltdns.net
cbolt446c5271-a.akamaihd.net
training.box.com
liveapi-cached.yext.com
liveapi.yext.com
realtimeanalytics.yext.com
# Box Web Analytics
# No personally identifiable information will be collected. Any data collected is anonymous. See Box Analytics Product Announcement for more details.
sanalytics.box.com
box.demdex.net
dpm.demdex.net
pendo-data-prod.box.com
pendo-prod.box.com
# Box SFTP
sftp.services.box.com
# Box SFTP for Zones
sftp-ane1.services.box.com
sftp-ausse1.services.box.com
sftp-euw2.services.box.com
sftp-euw3.services.box.com
# Box Test
box-test.com
# Box Zones
upload.app.box.com
upload.ent.box.com
dl.boxcloud.com
fupload-nane1.app.box.com
fupload-nane1.ent.box.com
nane1.boxcloud.com
fupload-euw2.app.box.com
fupload-euw2.ent.box.com
euw2.boxcloud.com
fupload-euc1.app.box.com
fupload-euc1.ent.box.com
euc1.boxcloud.com
fupload-ane1.app.box.com
fupload-ane1.ent.box.com
ane1.boxcloud.com
fupload-ause1.app.box.com
fupload-ause1.ent.box.com
ause1.boxcloud.com
# AWS Marketplace Purchases
fupload-usw1.app.box.com
fupload-usw1.ent.box.com
usw1.boxcloud.com
# Box Website, Community, Blog, and Service Status
assets.box.com
www.box.com
www.box.net
status.box.com
blog.box.com
community.box.com
`}
**Other integrations**
* **Box for Office Integration:** To use the [Box for Office Online integration](https://support.box.com/hc/en-us/articles/360044196433-Box-for-Office-Integrations#bfo_officeonline) and [Excel Online Previewer](https://support.box.com/hc/en-us/articles/360043695314-Excel-Online-Previewer), allow [Office 365 URLs and IP address ranges](https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges?redirectSourcePath=%252fen-gb%252farticle%252foffice-365-urls-and-ip-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2).
* **Box for Google Workspace:** To use the [Box for Google Workspace](https://support.box.com/hc/en-us/articles/360043696994-Introducing-Box-for-G-Suite), please go to [the Google support pages](https://support.google.com/a/answer/2589954) for the hostnames you must allow. (You can ignore the Google Drive/drive IP addresses because this Box integration does not have a dependency on Google Drive.)
* **Box for iWork Integration:** To use the [Box for iWork integration](https://support.box.com/hc/en-us/articles/360043696654-iWork-Integration), you must allow access to Apple’s network at `17.0.0.0/8`
* Optionally, if using an IP allowlist, be sure to allow the IPs listed on [https://www.cloudflare.com/ips/](https://www.cloudflare.com/ips/)
**IMPORTANT:**
If above Domains / Host names are not allowed, related functions or services will not work.
## 2. Port and connection details:
Enable **HTTPS port 443 TCP** for the domains above, and allow Web Socket protocol **wss\://**.\
To connect with **HTTP/3 (QUIC)**, Box recommends you also optionally enable **port 443 UDP**.
**Note:**
Box is integrating [ZSTD](https://facebook.github.io/zstd/) (Zstandard) compression ([rfc8878](https://www.rfc-editor.org/rfc/rfc8878)) to improve performance and reduce bandwidth usage when supported by the client's browser (see [Product Announcement](/en/announcements/uploads-and-downloads/performance-enhancements-with-zstd-compression)). ZSTD is a lossless data compression technique that accelerates page loading from Box. By default, the browsers Chrome, Edge, Firefox, and Opera enable ZSTD compression. It is important to be aware that ZSTD previously encountered compatibility issues with FortiGate and Zscaler but are now resolved. Although unlikely, other firewalls that perform *deep packet inspection* (DPI) may encounter issues with Box's ZSTD implementation. To ensure optimal functionality, we recommend that network administrators either upgrade their firewall/proxy systems to versions that support ZSTD compression, or to disable HTTPS packet inspection in your firewall/proxy for the domains `*.box.com` and `*.boxcloud.com` . Making these changes will help maintain the integrity and efficiency of data transfers.
Alternatively, ZSTD Content-Encoding support may be disabled directly in a browser but this may lead to decreased performance on all sites using ZSTD:
* **Chrome**: Visit [https://chromeenterprise.google/policies/#ZstdContentEncodingEnabled](https://chromeenterprise.google/policies/#ZstdContentEncodingEnabled)
* **Edge**: Visit [https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies?source=recommendations#zstdcontentencodingenabled](https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies?source=recommendations#zstdcontentencodingenabled)
* **Opera**: Visit `opera://flags/#enable-zstd-content-encoding` and change to Disabled
* **Firefox**: Visit `about:config`
* Paste the following string into the top field: `network.http.accept-encoding.secure`
* Edit the value field to remove `zstd`
* The value field should show `gzip, deflate, br` after your edit.
If you need further assistance, please [contact Box Product Support](https://support.box.com/hc/en-us/requests/new).
## 3. Box Desktop Applications' Proxy Support
Box Drive, Box Sync, Box Tools, and Box for Office are desktop applications that must connect to Box's data centers to function. The apps utilize the same domains outlined above. The apps detect and use the proxy configured for the local machine via:
* Automatic Proxy Detection
* Proxy Auto-Configuration (PAC file)
* Windows does not support local file path schemas for the .pac file location such as `file://C:\proxy.pac`\
Use a URL to configure the .pac file location.
* Or manually setting the proxy server address for **HTTPS** protocols
For proxy authentication support:
* Windows apps support NTLMv1 or NTLMv2 authentication
* Box for Office, Box Tools (machine-wide build), and Box Sync use a Windows Service that needs to connect to Box's data centers to check for new versions. The Windows Services run as the SYSTEM user, which may be unable to authenticate using NTLM. We recommend allowing SYSTEM run Services to connect through your proxy without authentication.
* Mac apps support NTLMv1 authentication only.
* HTTP Basic authentication (BA) is not supported.
## 4. Testing Connectivity to Box Domains
To test whether your browser can connect to various Box domains, go to our [**Connectivity Testing**](https://support.box.com/hc/en-us/articles/360043694474-Box-Connectivity-Tests) page. Each test image is hosted on a different Box URL.
## 5. Configuring Email for Box Notifications
Box uses an email service provider to deliver notification messages, such as invitations to collaborate on content when a file has been shared. To ensure your organization can receive notifications from Box, you may need to update your filters to allow email notifications to reach your users. Read [Configuring Email for Box Notifications](/en/box-fundamentals/for-users/user-login-and-settings/configuring-email-for-box-notifications) for more details.