Firewall Configuration

ICE Data Services

This document describes how to enable eSignal application client machines to connect from behind corporate firewalls and proxy servers. It is intended for MIS personnel at corporate user sites. This document does not apply to users who access the Internet via a dial-up, DSL or cable modem connection.

Please note: Information in this document is subject to change without notice. Newer versions of these applications may be available and configuration settings may have changed.

Internet security issues mandate the use of firewalls at corporate sites. eSignal applications require the use of specific configured ports for Internet access through firewalls, as well as proxy servers. The eSignal development staff has performed extensive on-site testing of the procedures in this document. eSignal can be integrated into your network environment without compromising security in any way.

eSignal requires an Internet connection to communicate with the eSignal servers. The communications between the client and server use both the "query-response" type and active/streaming technology (TCP).

You may use a proxy server if it is SOCKS v4, v4.3A or v5 compliant.

Depending on the subscribed services, you may need to configure up to 6 outgoing ports on the firewall. Here are the port assignments:

Port 2189 - Connection Manager and Financial Quotes Server (required)
Port 2190 - News Server (required for News access)
Port 2192 - Intraday History Server (required for intraday and tick data)
Port 2193 - International Tick Server (required for International Intraday history data)
Port 2194 - Daily History Server (required for daily historical data)
Port 2196 - Market Depth Server (required for Market Depth data)
Port 4001 - Authentication (required for eSignal)
Port 443 - For general web services - used for eSignal File Sharing, Traders Toolbox and web links.

Key Items to Check on Your Network before Beginning
Check the connections table size in the firewall manager. Make sure it's big enough to handle the entire population on the LAN. If it's too small, your entire Internet interface will slow down. Although actual bandwidth can vary greatly based on which eSignal application features are used and how many symbols are tracked, network administrators should allot approximately 45 KB** of bandwidth per workstation. If more accurate numbers for bandwidth estimates are needed, a good tool to use is DU Meter.

** Usage per workstation can vary significantly according to a number of variables.

Check to make sure there are no additional firewall/proxy servers upstream from yours. This is quite common in large corporate networks that isolate zones within the company. If this is the case, you may need to trace the routing and make use of proxies and redirectors to get the IP packets from the user terminal to the Internet junction. The good news is that, in most cases, the MIS department has already done this and simply needs to add the eSignal application packets to its routing plan.

If your company uses DNS translation tables, update these with the IP addresses for cm*

The IP address in the eSignal Data Manager should also be set to cm*

Please note: eSignal applications do not support authentication queries from the firewall/proxy server. It is strongly recommended that you use IP authentication instead of user authentication; otherwise, the eSignal application program on the client machine will not be able to access its Internet servers.

Firewall Server Configuration
As mentioned previously, eSignal servers listen on ports 2189, 2190, 2192, 2193, 2194 and 2196. To configure the eSignal application properly, it is imperative that you open the subscribed ports for outbound TCP transmissions and permission them to the user. The ports need to be configured with no outbound limitations. To ensure full redundancy, we have many server farms located throughout the United States. As we grow, we expect the number of locations to continue to increase to maintain adequate redundancy. Because of this growth and other possible changes to our IP address ranges, we cannot furnish or support a list of specific IP ranges for each port**. However, because the ports should be configured for outbound TCP traffic only, the lack of IP ranges will not increase security risks for your network.
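
The outbound-only rule described above, as an added example (not from the original document or the vendor): Python that turns this page's port table and a site's subscribed services into nftables rule lines for an existing forward chain. The choice of nftables, the service key names, and the 192.0.2.0/24 workstation subnet are assumptions made for illustration.

```python
import ipaddress

# Port table as listed on this page; the short service keys are names chosen for this example.
ESIGNAL_PORTS = {
    "quotes": 2189,     # Connection Manager and Financial Quotes Server (required)
    "news": 2190,       # News Server
    "intraday": 2192,   # Intraday History Server
    "intl_tick": 2193,  # International Tick Server
    "daily": 2194,      # Daily History Server
    "depth": 2196,      # Market Depth Server
    "auth": 4001,       # Authentication (required for eSignal)
    "web": 443,         # General web services
}
ALWAYS_REQUIRED = ("quotes", "auth")


def subscribed_ports(services):
    """Return the sorted ports for the required services plus the subscribed ones."""
    unknown = set(services) - set(ESIGNAL_PORTS)
    if unknown:
        raise ValueError(f"unknown service(s): {sorted(unknown)}")
    return sorted({ESIGNAL_PORTS[s] for s in (*ALWAYS_REQUIRED, *services)})


def egress_rules(workstation_subnets, services):
    """Build nftables rule lines for an existing forward chain (assumed firewall)."""
    # Strict parsing rejects typos such as host bits set in a network address.
    nets = [ipaddress.ip_network(n) for n in workstation_subnets]
    if not nets or any(n.version != 4 for n in nets):
        raise ValueError("at least one IPv4 workstation subnet is required")
    sources = ", ".join(str(n) for n in nets)
    ports = ", ".join(str(p) for p in subscribed_ports(services))
    return [
        # Replies to connections the workstations opened; no inbound port is opened.
        "ct state established,related accept",
        # New outbound TCP, matched on source IP because the client cannot answer
        # firewall/proxy authentication queries; destination is left open because
        # the page states that no destination IP ranges are published.
        f"ip saddr {{ {sources} }} tcp dport {{ {ports} }} ct state new accept",
    ]


if __name__ == "__main__":
    # 192.0.2.0/24 is a constructed documentation subnet, not a real site value.
    for line in egress_rules(["192.0.2.0/24"], ["news", "intraday", "daily"]):
        print(line)
```

Restricting the source set to the workstations that actually run eSignal keeps the open-destination rule as narrow as the page's constraints allow.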