Firewall and Proxy Server Configuration
This document describes how to enable eSignal application client machines behind corporate firewalls and proxy servers. It is intended for MIS personnel at corporate user sites. This document does not apply to users who access the Internet via a dial-up, DSL or Cable Modem connection. For a discussion on personal firewalls like Norton Internet Security or Zone Alarm, please review KB Article 1640.
Please note: Information in this document is subject to change without notice. Newer versions of these applications may be available and configuration settings may have changed.
Introduction
Internet security requirements mean that corporate sites run firewalls, and many also run proxy servers. eSignal applications need a small, fixed set of outbound TCP ports opened on the firewall and, where one is in use, on the proxy server. The eSignal development staff has performed extensive on-site testing of the procedures in this document; eSignal can be integrated into your network without opening any inbound ports.
eSignal needs an Internet connection to reach the eSignal servers. Client and server communicate over TCP, using both short query/response exchanges and long-lived streaming connections that remain open for the whole session; it is these persistent connections that the firewall's connection table (see below) has to accommodate.
Instructions
You may use a proxy server if it is SOCKS v4, v4.3A or v5 compliant.
Depending on the subscribed services, you may need to open up to eight outbound TCP ports on the firewall. Here are the port assignments:
Port 2189 – Connection Manager and Financial Quotes Server (required)
Port 2190 – News Server (required for News access)
Port 2192 – Intraday History Server (required for intraday and tick data)
Port 2193 – International Tick Server (required for International Intraday history data)
Port 2194 – Daily History Server (required for daily historical data)
Port 2196 – Market Depth Server (required for Market Depth data)
Port 4001 – Authentication (required for eSignal 11)
Port 80 – For general web services – used for eSignal File Sharing, Traders Toolbox and web links.
The eSignal Diagnostic Tool checks which of these ports are open from your network (it may not work on every network). It covers the ports used by both FutureSource Workstation and eSignal.
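As an added illustration of what such a check does, the following small Python script (written for this article; it is not eSignal's Diagnostic Tool or any eSignal code) attempts one plain outbound TCP connection to each listed port and tells a timeout, which is what a silently dropped packet looks like, from a refusal, which means something answered with a reset. The host name cm1.esignal.com in the usage line is a placeholder for one of the cm*.esignal.com servers; the loopback helpers at the bottom exist only so the script can be exercised offline.

```python
import socket
import threading

# Outbound TCP ports from the table above (eSignal 11 needs 4001 as well).
ESIGNAL_PORTS = {
    2189: "Connection Manager / Financial Quotes (required)",
    2190: "News",
    2192: "Intraday History",
    2193: "International Tick",
    2194: "Daily History",
    2196: "Market Depth",
    4001: "Authentication (eSignal 11)",
    80:   "web services (File Sharing, Traders Toolbox, web links)",
}


def tcp_reachable(host: str, port: int, timeout: float = 3.0):
    """Try one outbound TCP connect; return (ok, reason).

    The reason distinguishes the two ways a firewall says no: a silent DROP
    shows up as a timeout, a REJECT (or nothing listening) as a refusal.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.timeout:
        return False, "timeout: packets dropped (firewall DROP, or no route)"
    except ConnectionRefusedError:
        return False, "refused: RST received (firewall REJECT, or no listener)"
    except socket.gaierror as exc:
        return False, f"dns: {exc} (check the cm*.esignal.com entries)"
    except OSError as exc:
        return False, f"error: {exc}"


def check_ports(host: str, ports=ESIGNAL_PORTS, timeout: float = 3.0):
    """Run tcp_reachable for every port; returns {port: (ok, reason)}."""
    return {port: tcp_reachable(host, port, timeout) for port in ports}


def report(host: str, results) -> str:
    """Human-readable summary of check_ports() output."""
    lines = [f"Outbound TCP check against {host}"]
    for port, (ok, reason) in sorted(results.items()):
        flag = "OK  " if ok else "FAIL"
        lines.append(f"  {port:5d} {flag} {ESIGNAL_PORTS.get(port, '')} - {reason}")
    return "\n".join(lines)


# --- helpers for an offline demonstration on loopback ------------------------

def start_local_listener():
    """Bind a throwaway listener on 127.0.0.1; returns (port, stop_function)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():  # accept and immediately close, like a firewall probe target
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, srv.close


def closed_local_port() -> int:
    """A loopback port with nothing listening (bound briefly, then released)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    import sys
    # placeholder host name standing in for one of the cm*.esignal.com servers
    target = sys.argv[1] if len(sys.argv) > 1 else "cm1.esignal.com"
    print(report(target, check_ports(target)))
```

Run it from a workstation behind the firewall with the server name as the argument. A port that times out is almost always being dropped by a firewall or proxy rule, possibly on an upstream device; a refusal comes from something that answered, usually a REJECT rule or a host with no service on that port.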
Key Items to Check on Your Network before Beginning
Check the connection table size on the firewall. It must be large enough to hold the connections of the entire LAN population; if it is too small, every Internet user behind the firewall slows down, not just the eSignal users. Actual bandwidth varies greatly with which application features are used and how many symbols are tracked, but as a planning figure network administrators should allot approximately 45 KB** of bandwidth per workstation. For a measured figure, a tool such as DU Meter can record the actual usage of a workstation.
** Usage per workstation can vary significantly according to a number of variables. Please review KB Article 2632 for more information on bandwidth usage.
Check that there is no additional firewall or proxy server upstream from yours. This is common in large corporate networks that isolate zones within the company. If there is one, you may need to trace the routing and use proxies and redirectors to carry the packets from the user workstation to the Internet junction. In most cases the MIS department has already done this for other applications and only needs to add the eSignal ports to its routing plan.
If your company uses DNS translation tables (internal DNS or host files), add entries for the cm*.esignal.com server names rather than pinning a single IP address, since our address ranges change.
The server address in the eSignal Data Manager should likewise be set to cm*.esignal.com, not to an IP address.
Please note: eSignal applications cannot answer an authentication challenge from the firewall or proxy server (for example a SOCKS username/password prompt). Authorize the client workstations by source IP address rather than by user; with user authentication in force, the eSignal application on the client machine will simply be unable to reach its Internet servers.
Firewall Server Configuration
As listed above, the eSignal servers listen on TCP ports 2189, 2190, 2192, 2193, 2194 and 2196, plus 4001 for eSignal 11 authentication and 80 for web services. Open the ports for the subscribed services for outbound TCP connections from the workstations or user group that will run eSignal, with no limits on outbound traffic. For redundancy we operate many server farms throughout the United States, and the number of locations and our IP address ranges change as we grow, so we cannot furnish or support a list of IP ranges per port**; leave the destination unrestricted. Because the rules are outbound only and no inbound port is opened, the lack of destination IP ranges does not add inbound exposure. The source restriction to the eSignal workstations or user group is what keeps the rule narrow, so do not widen it to the whole network.
** A list of IP addresses (a range of up to 1250 IPs) for our Hayward and Boxborough ticker plants can be made available on request to selected multi-unit customers. As a security precaution, we do not furnish this information for retail or individual use.
Ping and traceroute instructions are provided in a separate article.
Proxy Server Configuration
Client Application Configuration
As noted above, the proxy must be SOCKS v4, v4.3A or v5 compliant; Netscape Proxy, Microsoft Proxy 2.0 and WinGate are among those that meet this requirement. The SOCKS service must be turned on, a port assigned to it (e.g., 1080), the workstations’ IP addresses permitted to use it, and the client authorized for the SOCKS service.
During the installation of the eSignal application, you will have the opportunity to provide the address of your proxy server and the port used for SOCKS traffic. If your company uses multiple proxy servers upstream, provide the address of the first proxy server that the eSignal application traffic will encounter when proceeding out to the Internet.
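The exchange the client performs with a SOCKS5 proxy, as an added example in Python that is not eSignal's own code: the greeting offers only the no-authentication method, because the application has no credentials to present, so a proxy that insists on authentication answers 0xFF and the connection is abandoned with a clear message (the situation the note above warns about); the CONNECT request carries the server name so the proxy does the DNS lookup. Host and port values are caller-supplied, nothing here is specific to a particular proxy product, and the SOCKS v4 wire format is not covered.

```python
import socket
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00          # the only method this client offers
METHOD_NONE_ACCEPTABLE = 0xFF  # the proxy's answer when it insists on another
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# RFC 1928 reply codes, so a refusal is reported in words rather than a number.
REPLY_TEXT = {
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


class SocksError(Exception):
    """The proxy refused, or asked for something the client cannot give."""


def build_greeting() -> bytes:
    # VER=5, NMETHODS=1, METHODS=[no-auth]: say plainly that we have no
    # credentials instead of offering username/password (0x02).
    return bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH])


def parse_method_select(data: bytes) -> int:
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise SocksError(f"not a SOCKS5 method selection: {data!r}")
    if data[1] == METHOD_NONE_ACCEPTABLE:
        raise SocksError("proxy requires authentication; authorize this "
                         "workstation by source IP on the proxy instead")
    if data[1] != METHOD_NO_AUTH:
        raise SocksError(f"proxy chose method 0x{data[1]:02x} we never offered")
    return data[1]


def build_connect_request(host: str, port: int) -> bytes:
    # A hostname goes out as ATYP_DOMAIN so the proxy does the DNS lookup;
    # the workstation then needs no DNS view of the outside at all.
    try:
        body = bytes([ATYP_IPV4]) + socket.inet_aton(host)  # IPv4 literal
    except OSError:
        name = host.encode("idna")
        if len(name) > 255:
            raise SocksError("hostname too long for SOCKS5")
        body = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + body + struct.pack("!H", port)


def parse_connect_reply(data: bytes):
    """Return (bound_addr, bound_port), or raise SocksError with the reply text."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise SocksError(f"malformed SOCKS5 reply: {data!r}")
    if data[1] != 0x00:
        raise SocksError(REPLY_TEXT.get(data[1], f"unknown reply 0x{data[1]:02x}"))
    atyp, rest = data[3], data[4:]
    if atyp == ATYP_IPV4 and len(rest) >= 6:
        addr, rest = socket.inet_ntoa(rest[:4]), rest[4:]
    elif atyp == ATYP_IPV6 and len(rest) >= 18:
        addr, rest = socket.inet_ntop(socket.AF_INET6, rest[:16]), rest[16:]
    elif atyp == ATYP_DOMAIN and len(rest) >= 1 and len(rest) >= 3 + rest[0]:
        addr, rest = rest[1:1 + rest[0]].decode("idna"), rest[1 + rest[0]:]
    else:
        raise SocksError(f"truncated reply or unknown address type 0x{atyp:02x}")
    return addr, struct.unpack("!H", rest[:2])[0]


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise SocksError("proxy closed the connection mid-handshake")
        buf += chunk
    return buf


def socks5_connect(proxy_host, proxy_port, dest_host, dest_port, timeout=5.0):
    """Open a TCP connection to dest_host:dest_port through a SOCKS5 proxy."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    try:
        sock.sendall(build_greeting())
        parse_method_select(_recv_exact(sock, 2))
        sock.sendall(build_connect_request(dest_host, dest_port))
        head = _recv_exact(sock, 4)
        if head[1] != 0x00:
            parse_connect_reply(head)  # raises with the proxy's refusal text
        if head[3] == ATYP_IPV4:
            tail = _recv_exact(sock, 4 + 2)
        elif head[3] == ATYP_IPV6:
            tail = _recv_exact(sock, 16 + 2)
        elif head[3] == ATYP_DOMAIN:
            n = _recv_exact(sock, 1)
            tail = n + _recv_exact(sock, n[0] + 2)
        else:
            raise SocksError(f"unknown address type 0x{head[3]:02x}")
        parse_connect_reply(head + tail)
    except Exception:
        sock.close()
        raise
    return sock
```

A call such as socks5_connect("10.0.0.5", 1080, "cm1.esignal.com", 2189) (both addresses are placeholders) returns a socket that is already connected end to end to the eSignal server; the two error paths, 0xFF on the method selection and a non-zero reply code on CONNECT, are exactly what an administrator sees when the proxy demands user authentication or when its ruleset does not permit the port.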
Vendor- Specific Notes
Checkpoint Firewall-1
Checkpoint Firewall-1 is known to work with the eSignal application. Open the ports listed above for outbound TCP traffic with “ALL” as the destination address, and authorize the group of users who are allowed to use the eSignal services as the source.
Gauntlet Firewall 4.1+
The Gauntlet Firewall is known to work with eSignal applications. During the configuration, you may need to open sub-windows to perform these changes.
Create the plug-gw entries, one for each port listed above. Leave the “Source Address”, “Remote Host”, and “Remote Port” completely blank — not even a “*”.
Under Firewall Rules/Service Groups, define a new service group whose member services are the plug-gw’s from above and whose destinations are unrestricted.
Under Firewall Rules/Network Groups, if necessary, define a set of networks and/or hosts that you intend to allow access to the new service.
Under Firewall Rules/Rules, define a new rule with the desired Network Group allowed to use the service and the Service Group you want to associate with it.
Order the rules correctly. They are evaluated top to bottom, so this rule must come before any “deny all” rule or any other rule that would block the service.
Save and apply the rules (you may need to reboot).
Raptor
The Raptor Proxy Server/Firewall is known to work with eSignal applications.
Create the GSP Services for the protocols/ports listed above.
Under Net Entities, create a group of users for the eSignal application Service.
Under Subnets, create an eSignal application group with unrestricted IP addresses listed.
Create a rule allowing the eSignal application group to use the eSignal application service.
Microsoft Proxy Server 2.0
Microsoft Proxy Server is supported for use with eSignal applications in a SOCKS-enabled configuration only. Problems have been known to occur with the use of the Microsoft Proxy Client.
To use Microsoft Proxy 2.0 with the eSignal application, make sure the Microsoft Proxy SOCKS service is installed and started. On the Permissions tab of the SOCKS proxy properties in the Service Control Manager, add a rule that lets clients out. The rule can be generic, “permit all GE 0”, which lets every protocol through the SOCKS proxy, or specific. The specific rule is preferable: restrict it to the TCP ports listed above (2189-2196, plus 4001 for eSignal 11 and 80 for web services), so the SOCKS service does not become a general-purpose outbound relay for every client allowed to reach it.
In the eSignal application client, point the Data Manager at the Microsoft Proxy SOCKS service; you will need the INTERNAL IP address of your Microsoft Proxy server. After starting the eSignal application, click the Data Manager in the task bar, pull down Receiver, select Communications, press the “Proxy” button and check the box marked “Use Proxy”. Fill in the internal IP address of your Microsoft Proxy server and port number 1080; the SOCKS service in Microsoft Proxy Server always uses this well-known port.
Make sure the Microsoft Proxy Client is not installed on the eSignal application client station. Use Control Panel and add/remove programs to uninstall the Microsoft Proxy Client if it exists. If you do not uninstall this client, the eSignal application software will not work properly and you may not be able to view charts and quotes.
The workstation on which the eSignal application is installed should be able to look up names from a DNS server. eSignal supports the freeware version of Bind 4.9.7 for Windows NT. You may obtain Bind from ftp://ftp.isc.org/isc/bind/contrib/ntbind/ntdns497relbin.zip. You may also use the Microsoft DNS server included with Windows NT Server.
If you use BIND as a DNS forwarder, specify your ISP’s name servers in the named.boot file with a keyword of FORWARDERS. Examples are provided. If you use the MS DNS service, the forwarders are entered into a zone file using the GUI management tool in the Administrative Tools folder.
Wingate
Two versions of WinGate are currently in use. WinGate 2.1 uses a program called “GateKeeper” to configure firewall rules; in WinGate 2.1, add the DNS Forwarding Service and configure it for your ISP, and add the SOCKS service as well.
In WinGate 2.1 the SOCKS service must be bound to the internal interface. If it is bound only to the external interface, the internal workstations cannot connect to it; if it accepts connections on any interface, it becomes an open proxy reachable from the Internet and the network is not secure. Specify ONLY the internal interface on which the SOCKS service accepts connections.
WinGate 3.x comes with an optional Client that is installed on the workstation. eSignal applications are NOT supported for use through this proxy client. Follow the instructions above for a WinGate 3.x installation, and make sure the WinGate Client is NOT installed on the workstation.
Other Proxy Servers
The instructions above can be followed for most other proxy servers. We have seen problems with packet-distributing proxy servers such as Webramp and Midpoint: in general, any proxy that spreads traffic over multiple dial-up lines without multilink PPP will not work, since the packets of one TCP session then leave by different lines. Please call for troubleshooting information on these proxy servers; it may be necessary to supply eSignal with a copy of the proxy server software you are using before support can be provided.