Firewall and Proxy Server Configuration
This document describes how to enable eSignal application client machines to work behind corporate firewalls and proxy servers. It is intended for MIS personnel at corporate user sites. This document does not apply to users who access the Internet via a dial-up, DSL or cable modem connection.
Please note: Information in this document is subject to change without notice. Newer versions of these applications may be available and configuration settings may have changed.
Introduction
Internet security issues mandate the use of firewalls at corporate sites. QCharts requires specifically configured ports for Internet access through firewalls, as well as through proxy servers. The eSignal development staff has performed extensive on-site testing of the procedures in this document. QCharts can be integrated into your network environment without compromising security in any way.
An Internet connection is required to communicate with the eSignal servers. Communications between the client and server use both "query-response" exchanges and active/streaming technology (TCP).
Instructions
You may use a proxy server if it is SOCKS v4, v4.3A or v5 compliant.
Depending on the subscribed services, you may need to configure up to 6 outgoing ports on the firewall. Here are the port assignments:
Port 2189 - Connection Manager and Financial Quotes Server (required)
Port 2190 - News Server (required for News access)
Port 2192 - Intraday History Server (required for intraday and tick data)
Port 2193 - International Tick Server (required for International Intraday history data)
Port 2194 - Daily History Server (required for daily historical data)
Port 2196 - Market Depth Server (required for Market Depth data)
Port 24150 - Breadthalizer Stats
Port 80 - For general web services - used for eSignal File Sharing, Traders Toolbox and web links.
Key Items to Check on Your Network before Beginning
Check the connections table size in the firewall manager. Make sure it's big enough to handle the entire population on the LAN. If it's too small, your entire Internet interface will slow down. Although actual bandwidth can vary greatly depending on which QCharts application features are used and how many symbols are tracked, network administrators should allot approximately 45 KB** of bandwidth per workstation. If more accurate numbers for bandwidth estimates are needed, a good tool to use is DU Meter.
** Usage per workstation can vary significantly according to a number of variables. Please review KB Article 2632 for more information on bandwidth usage.
Check to make sure there are no additional firewall/proxy servers upstream from yours. This is quite common in large corporate networks that isolate zones within the company. If this is the case, you may need to trace the routing and make use of proxies and redirectors to get the IP packets from the user terminal to the Internet junction. The good news is that, in most cases, the MIS department has already done this and simply needs to add the eSignal application packets to its routing plan.
If your company uses DNS translation tables, update these with the IP addresses for cm*.esignal.com.
The IP address in the eSignal Data Manager should also be set to cm*.esignal.com.
Please note: eSignal applications do not support authentication queries from the firewall/proxy server. It is strongly recommended that you use IP authentication instead of user authentication; otherwise, the eSignal application program on the client machine will not be able to access its Internet servers.
Firewall Server Configuration
As mentioned previously, QCharts servers listen on ports 2189, 2190, 2192, 2193, 2194 and 2196. To configure the QCharts application properly, it is imperative that you open the subscribed ports for outbound TCP transmissions and that they be permissioned to the user. The ports need to be configured with no outbound limitations. To ensure full redundancy, we have many server farms located throughout the United States. As we grow, we expect the number of locations to continue to increase to maintain adequate redundancy. Because of this growth and other possible changes to our IP address ranges, we cannot furnish or support a list of specific IP ranges for each port **. However, because the ports should be configured for outbound TCP traffic only, the lack of IP ranges will not increase security risks for your network.
** A list of IP addresses (a range including up to 1250 IPs) for our Hayward and Boxborough ticker plants can be made available upon request to selected multi-unit customers. Due to security precautions, we don't furnish this information for retail or individual use.
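Because the destination cannot be pinned to an IP range, the remaining controls on these rules are direction, protocol, exact ports and source. The following audit of a proposed rule set against the port list above is an added example, not eSignal code; the rule schema, rule names and the 10.20.30.0/24 workstation subnet are constructed assumptions.

```python
import ipaddress

# TCP ports from the port list on this page.
ESIGNAL_PORTS = {2189, 2190, 2192, 2193, 2194, 2196, 24150, 80}

def audit_rule(rule, workstations):
    """Return findings for one rule; the dict schema is constructed for this example."""
    findings = []
    if rule["direction"] != "outbound":
        findings.append("not outbound: the page asks for outbound TCP only")
    if rule["proto"] != "tcp":
        findings.append(f"protocol {rule['proto']}: the client uses TCP")
    lo, hi = rule["dports"]
    extra = [p for p in range(lo, hi + 1) if p not in ESIGNAL_PORTS]
    if extra:
        findings.append(f"opens ports not in the eSignal list: {extra}")
    src = ipaddress.ip_network(rule["src"])
    if not src.subnet_of(workstations):
        findings.append(f"source {src} is wider than the workstation subnet")
    return findings

# Constructed change request for a LAN whose eSignal users sit in 10.20.30.0/24.
WORKSTATIONS = ipaddress.ip_network("10.20.30.0/24")
RULES = [
    {"name": "quotes", "direction": "outbound", "proto": "tcp",
     "src": "10.20.30.0/24", "dports": (2189, 2189)},
    {"name": "history-range", "direction": "outbound", "proto": "tcp",
     "src": "10.20.30.0/24", "dports": (2189, 2196)},
    {"name": "any-source", "direction": "outbound", "proto": "tcp",
     "src": "0.0.0.0/0", "dports": (2194, 2194)},
    {"name": "inbound-udp", "direction": "inbound", "proto": "udp",
     "src": "0.0.0.0/0", "dports": (2190, 2190)},
]

def audit(rules=RULES, workstations=WORKSTATIONS):
    """Map rule name -> findings, omitting rules that match the page exactly."""
    report = {r["name"]: audit_rule(r, workstations) for r in rules}
    return {name: found for name, found in report.items() if found}

if __name__ == "__main__":
    for name, findings in audit().items():
        for finding in findings:
            print(f"{name}: {finding}")
```

The contiguous range 2189-2196 is the easy mistake: it also opens 2191 and 2195, which the port list does not use.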
Proxy Server Configuration
Client Application Configuration
You may use a proxy server if it is SOCKS v4, v4.3A or v5 compliant; Netscape Proxy, Microsoft Proxy 2.0 and WinGate are among those that meet this requirement. The SOCKS service must be turned on, a port (i.e., 1080) must be specified for this traffic for the workstations' permitted IPs, and the client must be authorized to use the SOCKS service.
During the installation of the QCharts application, you will have the opportunity to provide the address of your proxy server and the port used for SOCKS traffic. If your company uses multiple proxy servers upstream, provide the address of the first proxy server that the eSignal application traffic will encounter when proceeding out to the Internet.
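The note above that eSignal applications cannot answer authentication queries, and the requirement here that the client be authorized by permitted IP, both come down to the SOCKS method negotiation. The following added example (not eSignal code) models the SOCKS5 greeting from RFC 1928 on both sides; that the client offers only the "no authentication" method, and the policies and addresses used, are assumptions constructed for illustration.

```python
# SOCKS5 method negotiation (RFC 1928), both sides, on byte strings only.
NO_AUTH, USER_PASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF

def client_greeting(methods=(NO_AUTH,)):
    """VER=5, NMETHODS, METHODS. Assumption: the client offers NO_AUTH only."""
    return bytes([5, len(methods), *methods])

def proxy_select(greeting, src_ip, policy):
    """Proxy side: parse the greeting, return the 2-byte method selection."""
    if len(greeting) < 3 or greeting[0] != 5:
        raise ValueError("not a SOCKS5 greeting")
    offered = greeting[2:2 + greeting[1]]
    if len(offered) != greeting[1] or len(greeting) != 2 + greeting[1]:
        raise ValueError("method list length mismatch")
    if policy["user_auth"]:
        # User authentication: only a client that offers USER_PASS can continue.
        chosen = USER_PASS if USER_PASS in offered else NO_ACCEPTABLE
    elif src_ip in policy["permitted_ips"] and NO_AUTH in offered:
        # IP authentication: the source address is the credential.
        chosen = NO_AUTH
    else:
        chosen = NO_ACCEPTABLE
    return bytes([5, chosen])

def client_outcome(reply):
    """A client that cannot answer an auth query continues only on NO_AUTH."""
    return "send CONNECT" if reply == bytes([5, NO_AUTH]) else "session ends"

# Constructed proxy policies and workstation addresses.
USER_AUTH_PROXY = {"user_auth": True, "permitted_ips": set()}
IP_AUTH_PROXY = {"user_auth": False, "permitted_ips": {"10.20.30.41"}}

def negotiate(src_ip, policy):
    """Run one greeting exchange; return (proxy reply as hex, client outcome)."""
    reply = proxy_select(client_greeting(), src_ip, policy)
    return reply.hex(), client_outcome(reply)

if __name__ == "__main__":
    print(negotiate("10.20.30.41", USER_AUTH_PROXY))
    print(negotiate("10.20.30.41", IP_AUTH_PROXY))
    print(negotiate("10.20.30.99", IP_AUTH_PROXY))
```

A reply of 05 ff in a packet capture on the SOCKS port is the signature of a proxy that demands a method the client did not offer.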