A firewall is a component of network security that defines what network traffic is and is not allowed in and out of your enterprise. At the extremes, a firewall can be configured to block all inbound and outbound traffic or to allow all inbound and outbound traffic, but the former makes network communication impossible, and the latter is a significant security risk. More commonly, a firewall is either configured to allow traffic through specific ports except if explicitly blocked, or, for stricter security stances, to block traffic except if explicitly allowed.
Firewalls are configured to allow or block traffic in several ways, including by geographic source, by port, by domain/hostname, and by IP address. Box and Box applications require the traffic to and from specifically defined domains and IP addresses to be allowed through a corporate or personal firewall, as outlined in this topic.
Typically, you would include these domains/hostnames in your firewall's allowlist. See the instructions for your firewall hardware or software for details.
Firewall Allowlist Domains/Hostnames
The following sections list the domains/hostnames that must be allowlisted for Box and Box applications, integrations, and components to function properly.
Box
The core Box application requires the following domains to be allowed.
Configure hostnames to recognize any subdomain of:
*.box.com
*.app.box.com
*.ent.box.com # 'ent' only required if you are a Box Verified Enterprise account
*.box.net
*.boxcdn.net
*.boxcloud.com
If you cannot allow the wildcard domains shown in the list above, allow these specific hostnames:
2.realtime.services.box.net
account.box.com
api.box.com
app.box.com
blog.box.com
box-test.com
captcha.boxcdn.net
cdn.amplitude.com
cdn01.boxcdn.net - cdn20.boxcdn.net
client-log.box.com
community.box.com
developer.box.com
dl.boxcloud.com
dl2.boxcloud.com - dl20.boxcloud.com
docs.box.com
e3.boxcdn.net
ent.box.com
images-captcha.boxcdn.net
newassets-captcha.boxcdn.net
notes.services.box.com
public.boxcloud.com
reportapi-captcha.boxcdn.net
rtg.services.box.com
sso.services.box.net
status.box.com
support.box.com
track.box.com
upload.app.box.com
upload.box.com
upload.box.net
upload.ent.box.com
www.box.com
www.box.net
box.demdex.net
dpm.demdex.net
sanalytics.box.com
pendo-data-prod.box.com
pendo-prod.box.com
{yourcustomsubdomain}.account.box.com
{yourcustomsubdomain}.app.box.com
{yourcustomsubdomain}.box.com
{yourcustomsubdomain}.ent.box.com
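The following added example (not Box's code) shows how the entries above can be turned into a checkable allowlist: it expands the numbered ranges such as `cdn01.boxcdn.net - cdn20.boxcdn.net` and matches wildcards on a label boundary. The function names, the subset of entries, and the sample hostnames are constructed for illustration.

```python
import re

# Entries copied from the lists on this page (a subset, to keep the example short).
WILDCARDS = ["*.box.com", "*.box.net", "*.boxcdn.net", "*.boxcloud.com"]
SPECIFIC = [
    "api.box.com",
    "upload.app.box.com",
    "cdn01.boxcdn.net - cdn20.boxcdn.net",
    "dl2.boxcloud.com - dl20.boxcloud.com",
]
_RANGE = re.compile(r"^([a-z]+)(\d+)(\..+) - \1(\d+)\3$")

def expand(entry):
    """Turn 'cdn01.x - cdn20.x' into 20 hostnames; pass single names through."""
    entry = entry.strip().lower()
    m = _RANGE.match(entry)
    if not m:
        return [entry]
    prefix, first, suffix, last = m.groups()
    width = len(first) if first.startswith("0") else 0  # keep zero padding (cdn01)
    return [f"{prefix}{str(n).zfill(width)}{suffix}"
            for n in range(int(first), int(last) + 1)]

EXACT = {h for e in SPECIFIC for h in expand(e)}

def is_allowed(host, use_wildcards=True):
    """True if host is covered by the allowlist."""
    host = host.strip().lower().rstrip(".")
    if host in EXACT:
        return True
    if not use_wildcards:
        return False
    # Match on a label boundary: '*.box.com' covers 'x.box.com' but must not
    # cover 'notbox.com' or 'box.com.example.net'.
    return any(host.endswith(w[1:]) for w in WILDCARDS)

def blocked(hosts, use_wildcards=True):
    """Return the hosts a firewall built from this allowlist would drop."""
    return [h for h in hosts if not is_allowed(h, use_wildcards)]

# Constructed sample of destination hostnames, e.g. pulled from a proxy log.
SAMPLE = ["upload.app.box.com", "cdn07.boxcdn.net", "dl1.boxcloud.com",
          "notbox.com", "box.com.example.net", "API.BOX.COM."]

if __name__ == "__main__":
    print("wildcards on :", blocked(SAMPLE))
    print("wildcards off:", blocked(SAMPLE, use_wildcards=False))
```

Running the check with `use_wildcards=False` shows which destinations depend on the wildcard entries and would be dropped by a specific-hostname-only policy.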
Port and connection details:
Enable HTTPS port 443 TCP for the domains above, and allow Web Socket protocol wss://.
To connect with HTTP/3 (QUIC), Box recommends you also optionally enable port 443 UDP.
*.box.com and *.boxcloud.com. Making these changes will help maintain the integrity and efficiency of data transfers.
Alternatively, ZSTD Content-Encoding support can be disabled directly in a browser, but this may lead to decreased performance on all sites using ZSTD:
- Chrome: Visit chrome://flags/#enable-zstd-content-encoding and change to Disabled
- Edge: Visit edge://flags/#enable-zstd-content-encoding and change to Disabled
- Opera: Visit opera://flags/#enable-zstd-content-encoding and change to Disabled
- Firefox: Visit about:config
  - Paste the following string into the top field: network.http.accept-encoding.secure
  - Edit the value field to remove zstd
  - The value field should show gzip, deflate, br after your edit.
Excel Online Previewer
To use the Excel Online Previewer, you must allow the following specific hostnames:
*.cdn.office.net
excel.officeapps.live.com
fs.microsoft.com
Box for Office Integration
To use the Box for Office Online integration, allow Microsoft's Office 365 URLs and IP address ranges.
Box for Microsoft Teams
To use Box for Microsoft Teams, you must allow the following specific hostnames:
unpkg.com
cdn.jsdelivr.net
Box Captcha
To use the Box Captcha feature (used at login), you must allow the following specific hostnames:
captcha.boxcdn.net
newassets-captcha.boxcdn.net
Optionally, if using an IP allowlist, be sure to allow the IPs listed on https://www.cloudflare.com/ips/.
Box for Google Workspace
To use Box for Google Workspace, go to the Google support pages for the hostnames you must allow. (You can ignore the Google Drive/drive IP addresses because this Box integration does not have a dependency on Google Drive.)
Box for iWork Integration
To use the Box for iWork integration, you must allow access to Apple’s network at 17.0.0.0/8.
Box Sign
To use Box Sign, you must allow the following specific hostnames:
fonts.gstatic.com
fonts.googleapis.com
Box Support Site and Product Documentation
To log in to our support site to submit a support ticket you must allow:
box.zendesk.com
For all other inbound traffic, you must allow the list of ingress and egress IP addresses found at the following:
https://box.zendesk.com/ips
The URL doesn’t require authentication. You can copy this URL and paste it into the address bar of any browser. You may want to schedule a periodic request to detect when the IP addresses listed in the response change.
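One way to implement the scheduled check, as an added example that is not Box's or Zendesk's code: it pulls every IPv4 address or CIDR range out of a response body, whatever its layout, and reports what was added or removed since the previous snapshot. The response format is not described on this page, so the JSON shape of the sample snapshots is an assumption and their addresses are constructed documentation ranges; IPv6 is not handled.

```python
import ipaddress
import re
import urllib.request

IPS_URL = "https://box.zendesk.com/ips"  # URL given on this page
# An IPv4 address with an optional /prefix, not embedded in a longer number.
_TOKEN = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?(?![\d./])")

def extract_networks(body):
    """Return the set of valid IPv4 addresses/CIDR ranges found anywhere in body."""
    nets = set()
    for tok in _TOKEN.findall(body):
        try:
            nets.add(ipaddress.ip_network(tok, strict=False))
        except ValueError:
            continue  # e.g. 999.1.1.1 or a /40 prefix: not a usable address
    return nets

def diff_ranges(old_body, new_body):
    """Compare two snapshots; return (added, removed) as sorted lists of strings."""
    old, new = extract_networks(old_body), extract_networks(new_body)
    return sorted(map(str, new - old)), sorted(map(str, old - new))

def fetch(url=IPS_URL, timeout=10):
    """Download the current list (needs network access; not called on import)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")

# Constructed snapshots using RFC 5737 documentation ranges, not real data.
# The JSON layout is an assumption; the extractor does not depend on it.
OLD = '{"ips": {"ingress": ["192.0.2.0/24", "198.51.100.7"], "egress": ["203.0.113.0/25"]}}'
NEW = '{"ips": {"ingress": ["192.0.2.0/24"], "egress": ["203.0.113.0/25", "203.0.113.128/25"]}}'

if __name__ == "__main__":
    added, removed = diff_ranges(OLD, NEW)
    print("added:", added)      # ranges to add to the firewall allowlist
    print("removed:", removed)  # ranges that can be retired from it
```

In a scheduled job, store the body returned by `fetch()` after each run and pass the stored and fresh bodies to `diff_ranges`; a non-empty result is the signal to review the firewall rules.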
Box Web Analytics
sanalytics.box.com
*.demdex.net
pendo-data-prod.box.com
pendo-prod.box.com
No personally identifiable information will be collected. Any data collected is anonymous. See Box Analytics Product Announcement for more details.
Creating Allow Lists for Box Zones
If you have configured a firewall, you can allow the following Box Zones domains. Note: the domains containing ".ent." are only required if you are a Box Verified Enterprise account.
ane1.boxcloud.com
as1.boxcloud.com
ase.boxcloud.com
ause1.boxcloud.com
dl3.boxcloud.com
euc1.boxcloud.com
euw1.boxcloud.com
euw2.boxcloud.com
euw9.boxcloud.com
nane1.boxcloud.com
sae1.boxcloud.com
usw1.boxcloud.com
fupload-ane1.app.box.com
fupload-ane1.ent.box.com
fupload-as1.app.box.com
fupload-as1.ent.box.com
fupload-ase.app.box.com
fupload-ase.ent.box.com
fupload-ause1.app.box.com
fupload-ause1.ent.box.com
fupload-euc1.app.box.com
fupload-euc1.ent.box.com
fupload-euw1.app.box.com
fupload-euw1.ent.box.com
fupload-euw2.app.box.com
fupload-euw2.ent.box.com
fupload-euw9.app.box.com
fupload-euw9.ent.box.com
fupload-nane1.app.box.com
fupload-nane1.ent.box.com
fupload-sae1.app.box.com
fupload-sae1.ent.box.com
fupload-usw1.app.box.com
fupload-usw1.ent.box.com
Alternatively, you can allow any subdomains of:
*.app.box.com
*.ent.box.com
*.boxcloud.com
Box Desktop Applications' Proxy Support
Box Drive, Box Sync, Box Tools, and Box for Office are desktop applications that must connect to Box's data centers to function. The apps utilize the same domains outlined above. The apps detect and use the proxy configured for the local machine via:
- Automatic Proxy Detection
- Proxy Auto-Configuration (PAC file)
  - Windows does not support local file path schemas for the .pac file location, such as file://C:\proxy.pac. Use a URL to configure the .pac file location.
- Or manually setting the proxy server address for HTTPS protocols
For proxy authentication support:
- Windows apps support NTLMv1 or NTLMv2 authentication
- Box for Office, Box Tools (machine-wide build), and Box Sync use a Windows Service that needs to connect to Box's data centers to check for new versions. The Windows Services run as the SYSTEM user, which may be unable to authenticate using NTLM. We recommend allowing services that run as SYSTEM to connect through your proxy without authentication.
- Mac apps support NTLMv1 authentication only.
- HTTP Basic authentication (BA) is not supported.
Testing Connectivity to Box Domains
To test whether your browser can connect to various Box domains, go to our Connectivity Testing page. Each test image is hosted on a different Box URL.
Configuring Email for Box Notifications