This document describes how to enable eSignal application client machines behind corporate firewalls and proxy servers. It is intended for MIS personnel at corporate user sites.

Note: This document does not apply to individual or home users who access the Internet via dial-up Internet Service Provider (ISP) accounts.

Information in this document is subject to change without notice.

Introduction

Internet security issues mandate the use of firewalls at corporate sites. eSignal applications require specific ports to be configured for Internet access through firewalls and proxy servers. The eSignal application development staff has performed extensive on-site testing of the procedures in this document. The eSignal application can be integrated into your network environment without compromising security in any way.

The eSignal application requires an Internet connection to communicate with the eSignal servers. The communications between the client and server use both the "query-response" type and active/streaming technology (TCP).

Instructions

You may use a proxy server if it is SOCKS v4, v4.3A or v5 compliant.

Depending on the subscribed services, you may need to configure up to 6 outgoing ports on the firewall. Here are the port assignments:

  • Port 2189 - Connection Manager and Financial Quotes Server (required)
  • Port 2190 - News Server (required for News access)
  • Port 2192 - Intraday History Server * (required for intraday data)
  • Port 2193 - International Tick Server (required for International Intraday history data)
  • Port 2194 - Daily History Server (required for historical data)
  • Port 2196 - Nasdaq Level II Server (required for Nasdaq Level 2 access)

  * This is a required port if using version 7.01 (build 438). The problem was resolved in version 7.02 (build 451) and will not occur in later versions.

Key Items to Check on Your Network before Beginning

  • Check the connections table size in the firewall manager. Make sure it's big enough to handle the entire population on the LAN. If it's too small, your entire Internet interface will slow down. Although actual bandwidth varies based on which eSignal application features are used, network administrators should allot approximately 24 KB of bandwidth per workstation.

  • Check to make sure there are no additional firewall/proxy servers upstream from yours. This is quite common in large corporate networks that isolate zones within the company. If this is the case, you may need to trace the routing and make use of proxies and redirectors to get the IP packets from the user terminal to the Internet junction. The good news is that, in most cases, the MIS department has already done this and simply needs to add the eSignal application packets to its routing plan.

  • If your company uses DNS translation tables, update these with the IP addresses for cm1.esignal.com.

Please note: eSignal applications do not support authentication queries from the firewall/proxy server. It is strongly recommended that you use IP authentication instead of user authentication; otherwise, the eSignal application program on the client machine will not be able to access its Internet servers.

Firewall Server Configuration

eSignal servers listen on ports 2189, 2190, 2192, 2193, 2194 and 2196. To configure the eSignal application properly, it is imperative that you open the subscribed ports for outbound TCP transmissions and permission them to the user. The ports need to be configured with no outbound limitations. To ensure full redundancy, we have many server farms located throughout the United States. As we grow, we expect the number of locations to continue to increase to maintain adequate redundancy. Because of this growth and other possible changes to our IP address ranges, we cannot furnish or support a list of specific IP ranges for each of the ports to be opened. However, because the ports should be configured for outbound TCP traffic only, the lack of IP ranges will not increase security risks for your network.

Proxy Server Configuration

Client Application Configuration

You may use a proxy server if it is SOCKS v4, v4.3A or v5 compliant; Netscape Proxy, Microsoft Proxy 2.0 and WinGate are among those that meet this requirement. The SOCKS service must be turned on, a port (i.e., 1080) must be specified for this traffic for the workstations' permitted IPs, and the client must be authorized to use the SOCKS service.

During the installation of the eSignal application, you will have the opportunity to provide the address of your proxy server and the port used for SOCKS traffic. If your company uses multiple proxy servers upstream, provide the address of the first proxy server that the eSignal application traffic will encounter when proceeding out to the Internet.
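A pre-installation check for the proxy requirements above, added here as an example and not part of eSignal's software or documentation: it speaks SOCKS v5 only (not v4), offers only the "no authentication" method to model a client that cannot answer an authentication query, and then requests a connection to each listed port. The proxy address 192.0.2.10 is a placeholder, and using cm1.esignal.com as the destination for every port is an assumption.

```python
import socket
import struct

# Ports and services as listed on this page.
ESIGNAL_PORTS = {
    2189: "Connection Manager / Financial Quotes",
    2190: "News",
    2192: "Intraday History",
    2193: "International Tick",
    2194: "Daily History",
    2196: "Nasdaq Level II",
}

def _recv_exact(sock, n):
    """Read exactly n bytes or raise if the proxy hangs up early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf

def socks5_check(proxy_host, proxy_port, dest_host, dest_port, timeout=5.0):
    """Return 'ok', 'not-socks5', 'auth-required' or 'blocked:<reply code>'."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        # Greeting: version 5, one method offered, 0x00 = no authentication.
        # Assumption: this models a client that cannot answer an auth query.
        s.sendall(b"\x05\x01\x00")
        version, method = _recv_exact(s, 2)
        if version != 5:
            return "not-socks5"
        if method != 0x00:
            return "auth-required"  # 0xFF: the proxy accepted none of the offers
        # CONNECT request with a domain-name address, so the proxy resolves it.
        name = dest_host.encode("ascii")
        s.sendall(b"\x05\x01\x00\x03" + bytes([len(name)]) + name
                  + struct.pack("!H", dest_port))
        _ver, reply, _rsv, _atyp = _recv_exact(s, 4)
        return "ok" if reply == 0 else f"blocked:{reply}"

def check_all(proxy_host, proxy_port, dest_host="cm1.esignal.com"):
    """Check every listed port through the proxy; returns {port: result}."""
    return {port: socks5_check(proxy_host, proxy_port, dest_host, port)
            for port in ESIGNAL_PORTS}

if __name__ == "__main__":
    # Placeholder proxy address; replace with the internal SOCKS address.
    for port, result in check_all("192.0.2.10", 1080).items():
        print(port, ESIGNAL_PORTS[port], result)
```

A result of `auth-required` means the proxy demands user authentication from that workstation's IP; `blocked:2` is the SOCKS5 reply "connection not allowed by ruleset", which points at the proxy's permission rules rather than the upstream firewall.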

Vendor-Specific Notes

Checkpoint Firewall-1

Checkpoint Firewall-1 is known to work with the eSignal application.

Open the ports listed above for (TCP) outbound traffic, and list "ALL" for the destination address.

Authorize the group of users who will be allowed to use the eSignal services.

Gauntlet Firewall 4.1+

The Gauntlet Firewall is known to work with eSignal applications. During the configuration, you may need to open sub-windows to perform these changes.

Create the plug-gw entries, one for each port listed above. Leave the "Source Address", "Remote Host", and "Remote Port" completely blank -- not even a "*".

Under Firewall Rules/Service Groups, define a new service group whose member services are the plug-gw's from above and whose destinations are unrestricted.

Under Firewall Rules/Network Groups, if necessary, define a set of networks and/or hosts that you intend to allow access to the new service.

Under Firewall Rules/Rules, define a new rule with the desired Network Group allowed to use the service and the Service Group you want to associate with it.

Order the rules so that they make sense. Because the rules are checked in order, from top to bottom, make sure that this comes before any "deny all" rule, or anything that might disallow the service.

Save and apply the rules (you may need to reboot).
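The top-to-bottom rule check described above can be rehearsed before the rules are applied. The following is an added example, not Gauntlet's rule format or the vendor's code: it models a simplified first-match rule list with an assumed implicit default deny, and it goes beyond the ordering step by also listing any ports a rule allows beyond the six on this page. The group name esignal-users and the sample rule sets are constructed.

```python
# Simplified first-match rule model (an assumption, not any vendor's format).
LISTED = (2189, 2190, 2192, 2193, 2194, 2196)  # ports listed on this page

def decide(rules, group, port):
    """Return (action, rule_index) for the first matching rule, top to bottom."""
    for i, (action, src, lo, hi) in enumerate(rules):
        if src in ("any", group) and lo <= port <= hi:
            return action, i
    return "deny", None  # assumed implicit default deny

def audit(rules, group, subscribed=LISTED):
    """Return (blocked, surplus) for one source group.

    blocked: {port: index of the rule that denied it} for subscribed ports
    surplus: ports the group may reach that are not in the subscribed list
    """
    blocked = {}
    for port in subscribed:
        action, index = decide(rules, group, port)
        if action != "allow":
            blocked[port] = index
    surplus = [port for port in range(1, 65536)
               if port not in subscribed
               and decide(rules, group, port)[0] == "allow"]
    return blocked, surplus

# Constructed sample rule sets: (action, source group, low port, high port)
MISORDERED = [
    ("deny", "any", 1, 65535),              # "deny all" placed first
    ("allow", "esignal-users", 2189, 2196),
]
REORDERED = [
    ("allow", "esignal-users", 2189, 2196),  # a range also opens 2191 and 2195
    ("deny", "any", 1, 65535),
]
EXACT = [("allow", "esignal-users", p, p) for p in LISTED] + [
    ("deny", "any", 1, 65535),
]

if __name__ == "__main__":
    for name, rules in (("MISORDERED", MISORDERED), ("REORDERED", REORDERED),
                        ("EXACT", EXACT)):
        print(name, audit(rules, "esignal-users"))
```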

Raptor

The Raptor Proxy Server/Firewall is known to work with eSignal applications.

Create the GSP Services for the protocols/ports listed above.

Under Net Entities, create a group of users for the eSignal application Service.

Under Subnets, create an eSignal application group with unrestricted IP addresses listed.

Create a rule for the eSignal application group to use the eSignal application service.

Microsoft Proxy Server 2.0

Microsoft Proxy Server is supported for use with eSignal applications in a SOCKS-enabled configuration only. Problems have been known to occur with the use of the Microsoft Proxy Client.

To use Microsoft Proxy 2.0 with the eSignal application, make sure the Microsoft Proxy SOCKS service is installed and started. In the permissions tab in the Service Control Manager, SOCKS proxy properties, add a rule to let clients out. This rule can be generic, "permit all GE 0", which will allow all protocols to use the SOCKS proxy, or it can be specific. To make the specific rule, follow the TCP port ranges 2189-2196 above and make a rule that only lets those ports out.

In the eSignal application client, it will be necessary to point the Data Manager to the Microsoft Proxy SOCKS service. You will need to know the internal IP address of your Microsoft Proxy server. After starting the eSignal application, click on the Data Manager in the task bar. Pull down Receiver, select Communications, press the "Proxy" button, check the checkbox marked "Use Proxy". Fill in the INTERNAL IP address of your Microsoft Proxy server, along with the port number 1080. The SOCKS service in Microsoft Proxy Server always uses this well-known port number.

Make sure the Microsoft Proxy Client is not installed on the eSignal application client station. Use Control Panel and add/remove programs to uninstall the Microsoft Proxy Client if it exists. If you do not uninstall this client, the eSignal application software will not work properly and you may not be able to view charts and quotes.

The workstation on which the eSignal application is installed should be able to look up names from a DNS server. eSignal supports the freeware version of BIND 4.9.7 for Windows NT. You may obtain BIND from ftp://ftp.isc.org/isc/bind/contrib/ntbind/ntdns497relbin.zip. You may also use the Microsoft DNS server included with Windows NT Server.

If you use BIND as a DNS forwarder, specify your ISP's name servers in the named.boot file with a keyword of FORWARDERS. Examples are provided. If you use the MS DNS service, the forwarders are entered into a zone file using the GUI management tool in the Administrative Tools folder.

WinGate

Currently, two versions of WinGate are in use. The WinGate 2.1 software uses software called "GateKeeper" to configure firewall rules. In WinGate 2.1, make sure you add the DNS Forwarding Service and configure it correctly for your ISP. Make sure the SOCKS service is added as well.

WinGate 2.1 will not accept incoming connections if the SOCKS service is only bound to an external interface. If you accept connections from any interface, the network will not be secure. Please make sure that you specify ONLY the internal interface that connections will be accepted on in the SOCKS service.

WinGate 3.x comes with an optional Client that is installed on the workstation. eSignal applications are NOT supported for use through this proxy client. Follow the instructions above for a WinGate 3.x installation, and make sure the WinGate Client is NOT installed on the workstation.

Other Proxy Servers

The instructions contained herein can also be followed for most other proxy servers. We have noticed issues with packet-distributing proxy servers like Webramp and Midpoint. Generally, any proxy that uses multiple dial-up lines and does not use Multilink PPP will not work. Please call for more specific troubleshooting information on these types of proxy servers. It may be necessary to supply eSignal with a copy of the specific proxy server software you are using to further justify support.


©2008 eSignal. A division of Interactive Data Corporation (NYSE: IDC). All rights reserved.