DOC-3506 - Add firewall whitelist instructions to AI and Doc Converters documentation

modules/ROOT/pages/editor-and-features.adoc

@@ -54,17 +54,17 @@ include::partial$misc/premium-plugin-list.adoc[]
 
 include::partial$misc/admon-cloud-configured-options.adoc[]
 
-=== Step 4: Forward proxy configuration
+=== Step 4: Forward proxy and firewall configuration
 
-Ensure that the following URLs are accessible via this proxy if the network has a forward proxy that controls access to the internet.
+If the network has a firewall or forward proxy that controls access to the internet, ensure that the following URLs are accessible:
 
 * All URLs where the editor is deployed.
 * All URLs where the plugins are deployed.
-* +https://imageproxy.tiny.cloud+
-* +https://hyperlinking.tiny.cloud+
-* +https://spelling.tiny.cloud+
+* `+*.tiny.cloud+` — covers all {cloudname} services, including the image proxy, link checker, spell checker, AI, and document converters.
 
-Ensure the `+tiny-api-key+` and `+tinymce-api-key+` headers are retained while requesting the list of above URLs.
+Ensure the `+tiny-api-key+` and `+tinymce-api-key+` headers are retained while requesting the above URLs.
+
+For the full list of {cloudname} service domains and required headers, see xref:tinymce-and-csp.adoc#firewall-and-proxy-allowlisting[Firewall and proxy allowlisting].
 
 === Step 5: Specifying a translation
 

modules/ROOT/pages/exportpdf.adoc

@@ -55,6 +55,7 @@ For more infomation on the exportpdf_token_provider option, see xref:exportpdf.a
 
 include::partial$misc/admon-jwt-authentication-requirements.adoc[]
 
+include::partial$misc/admon-cloud-firewall.adoc[]
 
 == Basic setup using the self-hosted service
 

modules/ROOT/pages/exportword.adoc

@@ -54,6 +54,7 @@ For more infomation on the exportword_token_provider option, see xref:exportword
 
 include::partial$misc/admon-jwt-authentication-requirements.adoc[]
 
+include::partial$misc/admon-cloud-firewall.adoc[]
 
 == Basic setup using the self-hosted service
 

modules/ROOT/pages/features-only.adoc

@@ -55,14 +55,14 @@ The following is a complete example, where:
 <html>
 ----
 
-== Step 3: Forward proxy configuration
+== Step 3: Forward proxy and firewall configuration
 
-Ensure that the following URLs are accessible via this proxy if the network has a forward proxy that controls access to the internet.
+If the network has a firewall or forward proxy that controls access to the internet, ensure that the following URLs are accessible:
 
 * All URLs where the editor is deployed.
 * All URLs where the plugins are deployed.
-* +https://imageproxy.tiny.cloud+
-* +https://hyperlinking.tiny.cloud+
-* +https://spelling.tiny.cloud+
+* `+*.tiny.cloud+` — covers all {cloudname} services, including the image proxy, link checker, spell checker, AI, and document converters.
 
-Ensure the `+tiny-api-key+` and `+tinymce-api-key+` headers are retained while requesting the list of above URLs.
+Ensure the `+tiny-api-key+` and `+tinymce-api-key+` headers are retained while requesting the above URLs.
+
+For the full list of {cloudname} service domains and required headers, see xref:tinymce-and-csp.adoc#firewall-and-proxy-allowlisting[Firewall and proxy allowlisting].

modules/ROOT/pages/importword.adoc

@@ -47,6 +47,7 @@ For more infomation on the importword_token_provider option, see xref:importword
 
 include::partial$misc/admon-jwt-authentication-requirements.adoc[]
 
+include::partial$misc/admon-cloud-firewall.adoc[]
 
 == Basic setup using the self-hosted service
 

modules/ROOT/pages/tinymce-and-csp.adoc

@@ -1,10 +1,45 @@
-= The TinyMCE Content Security Policy guide
+= {productname} Content Security Policy and allowed domains
 :navtitle: Content Security Policies (CSP)
-:description: Information and options related to using TinyMCE with a Content Security Policy (CSP)
-:keywords: security, csp
+:description: Content Security Policy directives, firewall allowlisting, and proxy configuration for {productname} and {cloudname} services
+:keywords: security, csp, firewall, allowlist, proxy, whitelist
 
 include::partial$misc/general-csp.adoc[]
 
+[[firewall-and-proxy-allowlisting]]
+== Firewall and proxy allowlisting
+
+Organizations operating behind a firewall or forward proxy that restricts outbound internet access must allowlist {cloudname} domains. {productname} cloud-hosted features require the browser to make outbound HTTPS requests to these domains; no inbound access from {cloudname} is required.
+
+[[required-domains]]
+=== Required domains
+
+Allowlist the following wildcard domain to cover all {cloudname} services:
+
+`+*.tiny.cloud+`
+
+This single entry covers all cloud-hosted services, including but not limited to:
+
+* Editor loading and plugin delivery (`+cdn.tiny.cloud+`)
+* xref:tinymceai.adoc[TinyMCE AI] (`+tinymceai.api.tiny.cloud+`)
+* xref:importword.adoc[Import from Word] (`+importdocx.api.tiny.cloud+`)
+* xref:exportword.adoc[Export to Word] (`+exportdocx.api.tiny.cloud+`)
+* xref:exportpdf.adoc[Export to PDF] (`+exportpdf.api.tiny.cloud+`)
+* Image proxy (`+imageproxy.tiny.cloud+`)
+* Link checking (`+hyperlinking.tiny.cloud+`)
+* Spell checking (`+spelling.tiny.cloud+`)
+
+NOTE: Self-hosted deployments that do not connect to any {cloudname} services do not require this allowlisting. For self-hosted services such as on-premises document converters or AI, allowlist the domain where the self-hosted service is running instead.
+
+[[required-http-headers]]
+=== Required HTTP headers
+
+Ensure the proxy retains (does not strip) the following HTTP headers on requests to `+*.tiny.cloud+` domains:
+
+* `+tiny-api-key+`
+* `+tinymce-api-key+`
+
+These headers are required for API key validation and service authentication.
+
 == Content Security Policy related options
 
 include::partial$configuration/content_security_policy.adoc[leveloffset=+1]

modules/ROOT/pages/tinymceai.adoc

@@ -27,6 +27,8 @@ To set up the {pluginname} plugin in {productname}:
 * configure the `tinymceai_token_provider` option to provide authentication tokens (must return `+{ token: string }+`). During a {cloudname} trial, the xref:tinymceai-jwt-authentication-intro.adoc#trial-demo-identity-service[demo identity service] can supply JWTs so a custom token endpoint is not required;
 * when the `toolbar` option is omitted or left at the default, the Silver theme toolbar already includes the AI toolbar buttons once the plugin is enabled: `+tinymceai-chat+` image:icons-premium/ai-assistant.svg[Chat icon,24px], `+tinymceai-quickactions+` image:icons/ai-prompt.svg[Quick Actions icon,24px], and `+tinymceai-review+` image:icons-premium/ai-review.svg[Review icon,24px]. When a custom `toolbar` string is set, add those button ids to the string explicitly.
 
+include::partial$misc/admon-cloud-firewall.adoc[]
+
 [[minimal-setup]]
 === Minimal setup
 

modules/ROOT/partials/misc/admon-cloud-firewall.adoc

@@ -0,0 +1 @@
+NOTE: When using the cloud-hosted service behind a firewall or forward proxy, ensure `+*.tiny.cloud+` is allowlisted and that required HTTP headers are not stripped. See xref:tinymce-and-csp.adoc#firewall-and-proxy-allowlisting[Firewall and proxy allowlisting] for details.