REVISION HISTORY
DATE VERSION REVISION DETAILS
1.0 2.0
First Release version - Update and reformat document - Add Proxy and Firewall Policy - Update DNS table - Add Verisign and GeoTrust in Content Filtering Policy -Add Reuters Insider information -Add Certificate Management -Add Certificate Revocation concept in Appendix -Add Private Network Routing table -Add TCP/IP port 10240 for CFI -Update DNS table -Remove List of Thomson Reuters Eikon Host from Appendix -Add IP address divulge policy in DNS section -Correct DNS host name for Reuters Insider -Correct TCP/IP port for CFI -Add ia.thomsonreuters.com Domain -Add eikontest.thomsonreuters.com for System Test -Add Appendix E WinHTTP Proxy configuration -Add WPAD issue on Thomson Reuters Hosted -Correct information on Certificate Revocation through WinHTTP -Add Certificate Revocation list validation and WinHTTP -Add graphics.thomsonreuters.com for System Test -Add training.thomsonreuters.com for Knowledge network -Add saleforce.com and force.com for Knowledge Network -Add section 3.3 DACS Daemon services for RTIC connection -Add more information on service on Content filtering -Add customers.reuters.com not available on Savvis network -Correct on Certificate management typo mistake -Update BT routing table for Thomson Reuters Eikon and Thomson Reuters Eikon Wealth Management - Add Section Thomson Reuters Hosted Private deployment - Update DNS table for Eikon for Wealth Management due to the streaming service change in August 2011 -Update Savvis Private Network information -Add a new chapter, Thomson Reuters Eikon for Wealth Management -Change thomsonreuters.com DNS suffix to Internet -Add DNS table for Savvis -Change pdf.reuters.com domain to reuters.com domain as news content have multiple link e.g. pdf.reuters.com, link.reuters.com, r.reuters.com, blogs.reuters.com, www.reuters.com, etc. 
- Add Section 1.3Thomson Reuters Hosted Internet and Customer Managed -Add Jre.exe to Personal Firewall table in order to fix an issue on Aviva program -Provide some news URL instead of reuters.com -Correct Thomson Reuters Eikon for Wealth Management DNS table -Update Appendix A - Add the Internet DNS for Eikon 2.0
2.01 2.02
2 Mar 2011
2.03
21 Apr 2011
2.04
24 May 2011
2.05
14 July 2011
2.06
29 Sep 2011
2.07
4 Nov 2011
2.08
12 Dec 2011
2.09
Hihifrds.com loanpricing.com pointcarbon.com* ReutersRealEstate.com Streetsight.thomson.com tiles.virtualearth.net - Add Troubleshooting section in Appendix D - Combine Appendix E as a section in Appendix D -Update Certificate Revocation section - Move duplicate content to Chapter 5 and 6 - Add Internet Options in Chapter 5 - Remove Section 1.3 24 Feb 2012 2.10 - Add Eikon for Compliance Management content filtering policy in Chapter 5 - Add DNS rule for Thomson Reuters Hosted Private - Add Autex, breakingviews in Internet Service - Remove DNS Round Robin for TSP and SPX - Correct PAZW to PAWZ -Add new 75.124.118.0/24 for Thomson Reuters Platform -Add public.login.cp.thomsonreuters.net -Add port 8101 on SPX on Appendix A
27 Mar 2012
2.11
CONTENT
About this document
Intended readership
In this guide
Glossary
1. Thomson Reuters Hosted Deployment
1.1 Thomson Reuters Hosted Internet
1.2 Thomson Reuters Hosted Private Network
2. Thomson Reuters Managed Deployment
2.1 BT infrastructure
2.2 SAVVIS infrastructure
3. Customer Managed Deployment
3.1 BT infrastructure
3.2 SAVVIS infrastructure
3.3 DACS Daemon service for RTIC Connection
4. Thomson Reuters Eikon for Wealth Management
4.1 Thomson Reuters Eikon for Wealth Management Internet
4.2 Thomson Reuters Eikon for Wealth Management Private Network
4.3 Proxy and Firewall Policy
5. Internet Service for Thomson Reuters Eikon
5.1 Internet Service DNS
5.2 FIREWALL Policy
5.3 Web Proxy Auto-Discovery Protocol (WPAD)
5.4 Reuters Insider
5.5 Thomson Reuters Eikon for Compliance Management
5.6 Internet Options Setting
6 Thomson Reuters Eikon Certificate Management
6.1 Thomson Reuters Eikon Certificates authorities
6.2 Thomson Reuters Eikon for Wealth Management Certificates authorities
6.3 Testing Trusted Root Certificate
Appendix A: List Of device TCP/IP Information
Time Series Proxy TCP/IP Port
Streaming Proxy TCP/IP Port
Reuters Insider Firewall Port allowed
BT Routing for Thomson Reuters Managed Device
Savvis Network Information for Thomson Reuters Managed Device
Appendix B: List of switch allocation on BT Switch (VLAN)
Appendix C: Local DNS configuration to support network failover (Private Delivery to internet)*
Appendix D: Certificate Revocation Concept
IN THIS GUIDE
This guide provides an overview of the network setup requirements for Thomson Reuters Eikon, delivered globally using the Thomson Reuters Platform, covering TCP/IP standard ports, network routing and DNS. The chapters are based on Customer Delivery mode. You can implement the one that matches the deployment on site. Thomson Reuters Eikon requires some services that are available on the Internet only. It is recommended that clients have an Internet connection in order to get all the services listed in Chapter 5.
GLOSSARY
Abbreviations and acronyms are listed here:
Abbreviation/Term   Definition
BT                  British Telecom
CAS                 Central Authentication Service
CFI                 Contributor Frontend IP, also known as the Open Contributor Front End
CRL                 Certificate Revocation List
DNS                 Domain Name Server
DTS                 Direct Technical Specialist, providing pre-sales support and service management for all Direct customers.
ePO                 McAfee Anti-Virus ePolicy Orchestrator
FTA                 File Transfer Application
GMI                 Global Management Infrastructure
HMDS                Hosted Market Data System
HTTP                Hypertext Transfer Protocol
HTTPS               Hypertext Transfer Protocol Secure
NGTX                Next Generation Transactions
IP                  Internet Protocol
ISP                 Internet Service Provider
OCSP                Online Certificate Status Protocol
PAWZ                Performance Analysis Web Zone
PKI                 Public Key Infrastructure
RSS                 Reuters Site Server
RTMP                Real Time Messaging Protocol
RWS                 Reuters Workstation Server
SIG                 Secure Internet Gateway
SMF                 Server Management Foundation
SNMP                Simple Network Management Protocol
SSH                 Secure Shell
TAM                 Technical Account Manager
TCP                 Transmission Control Protocol
TPM                 Tivoli Provisioning Manager
UDP                 User Datagram Protocol
WinHTTP             Microsoft Windows HTTP Services
WPAD                Web Proxy Auto-Discovery
TCP
Administration Service Views Service Streaming Service Search &Navigation Service Time Series Service Messaging Service Trading Service Update Service Reuters Insider DNS server (no Internet Proxy)
TCP/UDP
1024+ 53 1024+ 53
DNS server
Additional Internet domains/services are listed in Chapter 5. Please be aware that Thomson Reuters will not divulge IP address information in any circumstances. Doing so would prevent us from changing IP addresses as and when needed without a notification period, and these IP addresses may not always be under our direct control. Clients should always use DNS.
Proxy Server: If clients implement an Internet proxy server on site, the proxy must be able to resolve the following domains correctly. The Internet Explorer object forwards all requests to the proxy server without resolving the domain name itself.
Authentication Proxy
Thomson Reuters Eikon has been qualified with the following authenticated proxies:
PROXY     AUTHENTICATION METHOD
Apache    Basic
Apache    DIGEST
Squid     Basic
Squid     DIGEST
MS ISA    NTLM
It is advisable to allow Reuters Insider URL to bypass NTLM authentication in Proxy, as we have experienced authentication timeouts with Flash-based applications with a number of clients when NTLM authentication is enabled.
customers.thomsonreuters.com
*.download.cp.thomsonreuters.net
TCP
Administration Service Views Service Streaming Service Search &Navigation Service Time Series Service Messaging Service Trading Service Update Service Contribution Service on CFI server through InsertLink, DNS
CFI server
TCP/UDP
1024+ 53 1024+ 53
DNS server
DNS
See DNS suffices in Chapter 3.
only (No Client Site DNS) Client site DNS using selective forwarding or conditional forwarding Client site DNS using zone delegation EDNS
SERVFAIL answer from BT DNS for invalid domains. BT DNS response time will be slower unless record is already in cache
EDNS
The EDNS and BT DNS are shown in the table:
EDNS        DNS IP Address   BT Extranet DNS FQDN
London      155.195.64.4     edns02.uk.extranet.reuters.biz
New York    155.195.84.4     edns02.us.extranet.reuters.biz
Singapore   155.195.76.4     edns02.sg.extranet.reuters.biz
Messaging Service over Private Network this is a mandatory component but the default is source from Internet BT DNS Customer Zone, Contribution (Insert Link) Trading Service over Private Network
TCP
80 80 8082* 8082*
Administration Service Views Service Search &Navigation Service Time Series Service Messaging Service Trading Service Time Series Service *port 8082 is for maintenance services.
CFI server
DNS server 1024+ 53 1024+ 53
Thomson Reuters Eikon Multimedia Service (Reuters Insider) is delivered over the Internet. Each desktop needs to be able to make HTTP and HTTPS connections. Furthermore, video is streamed using the Adobe Flash RTMP protocol tunnelled through HTTP, so no further ports are required other than the normal HTTP: 80 and HTTPS: 443.
DNS
The following domains must be selectively forwarded or delegated to the authoritative DNS server.
DNS                                  Authoritative DNS Server    Thomson Reuters Service
thomsonreuters.com                   Internet                    Thomson Reuters Eikon, Collaboration, Customer Zone over Internet
extranet.thomsonreuters.biz          Extranet DNS                Thomson Reuters Eikon, Customer Zone, Collaboration
cp.thomsonreuters.net                Extranet DNS                Thomson Reuters Eikon and Thomson Reuters Eikon for Wealth Management
public.login.cp.thomsonreuters.net   Internet                    Thomson Reuters Eikon
customers.reuters.com                Extranet DNS / Internet     Customer Zone
trading.thomsonreuters.net           Extranet DNS / Internet**   Trading Service
fitrading.reuters.com                Extranet DNS / Internet**   Trading Service
fxtrading.reuters.com                Extranet DNS / Internet**   Trading Service
rtextrading.reuters.com              Extranet DNS / Internet**   Trading Service
** These domains require the NGTX Service package. If you have the NGTX Service package, the DNS MUST forward to the Extranet DNS rather than Internet DNS.
Additional Internet domains/services are listed in Chapter 5. It is recommended that clients have an Internet connection for Thomson Reuters Eikon in order to get full services.
Please be aware that Thomson Reuters will not divulge IP address information in any circumstances. Doing so would prevent us from changing IP addresses as and when needed without a notification period, and these IP addresses may not always be under our direct control. Clients should always use DNS.
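The forwarding rules in this section's DNS table, worked through as an added example (not code from Thomson Reuters or from the original guide): it picks the most specific zone for a query name and applies the NGTX rule. The function names, the `prefer_extranet` switch for the row that allows either resolver, the Internet fallback for sites without NGTX, and the sample host names are assumptions made for illustration.

```python
INTERNET = "Internet"
EXTRANET = "Extranet DNS"

# zone -> (authoritative DNS choices from the table, row carries the ** NGTX note)
FORWARDING = {
    "thomsonreuters.com":                 ((INTERNET,), False),
    "extranet.thomsonreuters.biz":        ((EXTRANET,), False),
    "cp.thomsonreuters.net":              ((EXTRANET,), False),
    "public.login.cp.thomsonreuters.net": ((INTERNET,), False),
    "customers.reuters.com":              ((EXTRANET, INTERNET), False),
    "trading.thomsonreuters.net":         ((EXTRANET, INTERNET), True),
    "fitrading.reuters.com":              ((EXTRANET, INTERNET), True),
    "fxtrading.reuters.com":              ((EXTRANET, INTERNET), True),
    "rtextrading.reuters.com":            ((EXTRANET, INTERNET), True),
}

# EDNS addresses from this section's EDNS table.
EDNS_BY_SITE = {
    "London": "155.195.64.4",
    "New York": "155.195.84.4",
    "Singapore": "155.195.76.4",
}


def _labels(name):
    """Lower-case DNS labels of a name, ignoring the trailing root dot."""
    return name.rstrip(".").lower().split(".")


def _is_under(name, zone):
    """True when name equals zone or is a subdomain of it (whole labels only)."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[-len(z):] == z


def match_zone(qname):
    """Most specific table zone covering qname, or None if no row applies."""
    hits = [z for z in FORWARDING if _is_under(qname, z)]
    return max(hits, key=lambda z: len(_labels(z))) if hits else None


def select_target(qname, has_ngtx, prefer_extranet=True):
    """Return (matched zone, resolver to forward to) for a query name."""
    zone = match_zone(qname)
    if zone is None:
        return None, None  # not in the table: normal resolution applies
    choices, ngtx_row = FORWARDING[zone]
    if len(choices) == 1:
        return zone, choices[0]
    if ngtx_row:
        # With the NGTX package the query MUST go to the Extranet DNS.
        # Assumption: without it, the Trading Service runs over the Internet.
        return zone, EXTRANET if has_ngtx else INTERNET
    # Row allows either resolver; the site preference is an assumed parameter.
    return zone, EXTRANET if prefer_extranet else INTERNET


def forwarder_ip(qname, site, has_ngtx):
    """EDNS address to forward to, or None when the Internet path is used."""
    _, target = select_target(qname, has_ngtx)
    return EDNS_BY_SITE[site] if target == EXTRANET else None


def overrides():
    """(child, parent) pairs where a nested zone needs a different resolver
    than its parent, so it must have its own forwarder entry."""
    return sorted(
        (c, p) for c in FORWARDING for p in FORWARDING
        if c != p and _is_under(c, p) and FORWARDING[c][0] != FORWARDING[p][0]
    )


if __name__ == "__main__":
    # Constructed sample names, not hosts listed in the guide.
    for name in ("host1.cp.thomsonreuters.net",
                 "public.login.cp.thomsonreuters.net.",
                 "fxtrading.reuters.com",
                 "evilthomsonreuters.com"):
        print(name, "->", select_target(name, has_ngtx=True))
    print("zones needing their own forwarder:", overrides())
```

The `overrides()` result is the practical point: a conditional forwarder for cp.thomsonreuters.net alone would also send public.login.cp.thomsonreuters.net to the Extranet DNS, so that name needs its own, more specific entry.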
E.g. if the first DNS Suffix Search List entry of the client workstation is xxx.company.com, you have to add the tr-timeseries-proxy host record to the xxx.company.com domain. The workstation is then able to resolve the IP address of the local Streaming Proxy by looking up tr-streaming-proxy upon Thomson Reuters Eikon application start-up. However, this DNS entry name can be changed in the Thomson Reuters User Profile in Administration Service to reflect the new DNS hostname. Please contact your TAM or DTS and make a request.
FIREWALL Policy
See information on Chapter 6
DOMAIN
DOWNLOAD
customers.thomsonreuters.com
customers.extranet.thomsonreuters.biz
*.download.cp.thomsonreuters.net
tr-streaming-proxy
2.1 BT INFRASTRUCTURE
- Thomson Reuters Platform Service Package version 2.0 is mandatory for all sites
- Messaging Service Package is needed unless you set up Collaboration Service over Internet
- Contribution Service Package is needed for InsertLink
- NGTX Service Package is needed unless you set up Trading Service over Internet
EDNS
EDNS
The EDNS and BT DNS are shown in the table:
EDNS        DNS IP Address   BT Extranet DNS FQDN
London      155.195.64.4     edns02.uk.extranet.reuters.biz
New York    155.195.84.4     edns02.us.extranet.reuters.biz
Singapore   155.195.76.4     edns02.sg.extranet.reuters.biz
BT DNS
IP Address
BT DNS FQDN
The recommended DNS search ordering is based on the client location as follows:
*Messaging Service over Private Network this is a mandatory component but the default is source from Internet BT DNS Optional DNS Service on EDNS, Customer Zone, **Contribution (Insert Link) ***Trading Service over Private Network
* Messaging Service Package is needed ** Contribution Service package is needed ***NGTX service Package is needed
DNS Server
EDNS        Savvis Extranet DNS IP Address   Savvis Extranet DNS FQDN
Nutley      192.155.142.4                    edns03.us.extranet.reuters.biz
Hazelwood   192.155.141.196                  edns04.us.extranet.reuters.biz
DNS
The following domains must be selectively forwarded or delegated to the authoritative DNS server.
DNS                           Authoritative DNS Server   Thomson Reuters Service
thomsonreuters.com            Internet                   Thomson Reuters Eikon, Collaboration, Customer Zone over Internet
extranet.thomsonreuters.biz   Extranet DNS               Thomson Reuters Eikon, Customer Zone, Collaboration
cp.thomsonreuters.net         Extranet DNS               Thomson Reuters Eikon
customers.reuters.com         Internet                   Customer Zone
trading.thomsonreuters.net    Internet                   Trading Service
fitrading.reuters.com         Internet                   Trading Service
fxtrading.reuters.com         Internet                   Trading Service
rtextrading.reuters.com       Internet                   Trading Service
Additional Internet domains/services are listed in Chapter 5. It is recommended that clients have an Internet connection for Thomson Reuters Eikon in order to get full services.
TCP
Realtime Data Service (RSSL) Realtime Data Service (SSL) Permission Proxy Administration Service Views Service Search &Navigation Service TimeSeries Service Messaging Service Trading Service Update Service TimeSeries Service *port 8082 is for maintenance services.
1024+ 1024+ 1024+ 1024+ 1024+ 1024+ 1024+ 1024+ 1024+ 1024+ 1024+ 1024+ 1024+ 1024+ TCP/UDP Update Proxy TCP 1024+ 1024+ 1024+ 1024+ 1024+ 1024+
80 80 8082* 8082* 2400 2400 8302 8302 80 80 443 443 10240 10240 53 53 80 80 443 443
TimeSeries Data for 3rd party feed Permission Service DACS Daemon Update Service
CFI server
Contribution Service on CFI server through InsertLink, Eikon Excel DNS Update Service
Thomson Reuters Eikon Multimedia Service (Reuters Insider) is delivered over the Internet. Each desktop needs to be able to make HTTP and HTTPS connections. Furthermore, video is streamed using the Adobe Flash RTMP protocol tunnelled through HTTP, so no further ports are required other than the normal HTTP: 80 and HTTPS: 443.
DNS
The following domains must be selectively forwarded or delegated to the authoritative DNS server.
Thomson Reuters Service Thomson Reuters Eikon, Collaboration, Reuters Insider over Internet Thomson Reuters Eikon, Thomson Reuters Eikon for Wealth Management Customer Zone, Collaboration Thomson Reuters Eikon and Thomson Reuters Eikon for Wealth Management Thomson Reuters Eikon Customer Zone Trading Service Trading Service Trading Service Trading Service
Extranet DNS Internet Extranet DNS/ Internet Extranet DNS / Internet** Extranet DNS / Internet** Extranet DNS / Internet** Extranet DNS / Internet**
** These domains require the NGTX Service package. If you have the NGTX Service package, the DNS MUST forward to the Extranet DNS rather than Internet DNS.
Additional Internet domains/services are listed in Chapter 5. It is recommended that clients have an Internet connection for Thomson Reuters Eikon in order to get full services.
Please be aware that Thomson Reuters will not divulge IP address information in any circumstances. Doing so would prevent us from changing IP addresses as and when needed without a notification period, and these IP addresses may not always be under our direct control. Clients should always use DNS.
E.g. if the default lookup domain of the client workstation is xxx.company.com, where xxx is the host being resolved, then you need the tr-timeseries-proxy host record added to the company.com domain. However, this DNS entry name can be changed in the Thomson Reuters User Profile in Administration Service to reflect the new DNS hostname. Please contact your TAM or DTS and make a request.
FIREWALL Policy
See information on Chapter 5
customers.thomsonreuters.com
customers.extranet.thomsonreuters.biz
*.download.cp.thomsonreuters.net
<Update Proxy>
3.1 BT INFRASTRUCTURE
- Thomson Reuters Platform Service Package version 2.0 is mandatory for all sites
- Messaging Service Package is needed unless you set up Collaboration Service over Internet
- Contribution Service Package is needed for Contribution products, e.g. InsertLink
- NGTX Service Package is needed unless you set up Trading Service over Internet
CLIENT CONFIGURATION Client workstation resolver only (No Client Site DNS) Client site DNS using selective forwarding or conditional forwarding Client site DNS using zone delegation
DNS BT DNS
COMMENT Clients use local resolver fall-through. This relies on SERVFAIL answer from BT DNS for invalid domains. BT DNS response time will be slower unless record is already in cache
EDNS
EDNS
The EDNS and BT DNS are shown in the table:
EDNS        DNS IP Address   BT Extranet DNS FQDN
London      155.195.64.4     edns02.uk.extranet.reuters.biz
New York    155.195.84.4     edns02.us.extranet.reuters.biz
Singapore   155.195.76.4     edns02.sg.extranet.reuters.biz
The recommended DNS search ordering is based on the client location as follows:
Use this range if installing both Thomson Reuters Eikon and Thomson Reuters Eikon for Wealth Manager on site.
67.56.184.0/21
*Messaging Service over Private Network this is a mandatory component but the default is source from Internet BT DNS Optional DNS Service on EDNS, Customer Zone, **Contribution (Insert Link) ***Trading Service over Private Network
155.195.48.0/22 155.195.64.0/18 204.109.128.0/17 or 204.109.109.224.0/21 Note: * Messaging Service Package is needed ** Contribution Service package is needed ***NGTX service Package is needed
DNS Server
EDNS        Savvis Extranet DNS IP Address   Savvis Extranet DNS FQDN
Nutley      192.155.142.4                    edns03.us.extranet.reuters.biz
Hazelwood   192.155.141.196                  edns04.us.extranet.reuters.biz
DNS
The following domains must be selectively forwarded or delegated to the authoritative DNS server.
DNS                           Authoritative DNS Server   Thomson Reuters Service
thomsonreuters.com            Internet                   Thomson Reuters Eikon, Collaboration, Customer Zone over Internet
extranet.thomsonreuters.biz   Extranet DNS               Thomson Reuters Eikon, Customer Zone, Collaboration
cp.thomsonreuters.net         Extranet DNS               Thomson Reuters Eikon
customers.reuters.com         Internet                   Customer Zone
trading.thomsonreuters.net    Internet                   Trading Service
fitrading.reuters.com         Internet                   Trading Service
fxtrading.reuters.com         Internet                   Trading Service
rtextrading.reuters.com       Internet                   Trading Service
Additional Internet domains/services are listed in Chapter 5. It is recommended that clients have an Internet connection for Thomson Reuters Eikon in order to get full services.
dacs_lib    8211/tcp    #dacs_snkd.exe
dacs_perm   8250/tcp    #dacs_snkd.exe
TCP
Administration Service Views Service News Service Streaming Service Search &Navigation Service Time Series Service Update Service Reuters Insider
Thomson Reuters Eikon Multimedia Service (Reuters Insider) is delivered over the Internet. Each desktop needs to be able to make HTTP and HTTPS connections. Furthermore, video is streamed using the Adobe Flash RTMP protocol tunnelled through HTTP, so no further ports are required other than the normal HTTP: 80 and HTTPS: 443.
DNS Server
All Thomson Reuters Hosted deployment servers are able to resolve IP address through local Internet Service Provider (ISP) DNS. The following domains must be selected forwarding
DNS thomsonreuters.com
Thomson Reuters Service Thomson Reuters Eikon for Wealth Management, Reuters Insider, Customer Zone Thomson Reuters Eikon for Wealth Management Customer Zone and some URL link in some news content, e.g. pdf.reuters.com, link.reuters.com, www.reuters.com Migration tools (Knowledge Network) Reuters Insider Migration tools (Knowledge Network) Securitised Derivative Network Insider Thomson Reuters E-Learning Remote Support
cp.thomsonreuters.net reuters.com
Internet Internet
Please be aware that Thomson Reuters will not divulge IP address information in any circumstances. Doing so would prevent us from changing IP addresses as and when needed without a notification period, and these IP addresses may not always be under our direct control. Clients should always use DNS.
BT Service Package
The following BT Service Packages are needed: Thomson Reuters Platform with Real Time 2.0
Thomson Reuters Eikon for Wealth Management Private Network Deliver over Private Network
TCP
Administration Service Views Service News Service Streaming Service Search &Navigation Service Time Series Service Update Service Customer Zone DNS
TCP/UDP
1024+ 53 1024+ 53
DNS server
DNS Server
All Thomson Reuters Hosted deployment servers are able to resolve IP address through BT DNS and local Internet Service Provider (ISP) DNS. The following domains must be selected forwarding
DNS cp.thomsonreuters.net extranet.thomsonreuters.biz thomsonreuters.com customers.reuters.com force.com geotrust.com verisign.com reutersinsider.com reuters.com
Authorized DNS Server Extranet Extranet Internet Internet/ Extranet Internet Internet Internet Internet
Thomson Reuters Service Thomson Reuters Eikon for Wealth Manager Thomson Reuters Eikon for Wealth Manager, Customer Zone Customer Zone, Reuters Insider Customer Zone Migration tools (Knowledge Network) Certificate Validation Reuters Insider URL link in some news content, e.g. pdf.reuters.com, blogs.reuters.com, www.reuters.com Migration tools Securitized Derivative Network
salesforce.com sdn.reuters.com
Internet Internet
Please be aware that Thomson Reuters will not divulge IP address information in any circumstances. Doing so would prevent us from changing IP addresses as and when needed without a notification period, and these IP addresses may not always be under our direct control. Clients should always use DNS.
Uses BT DNS as shown in the table:
BT DNS      IP Address      BT DNS FQDN
London      155.195.48.4    londnsaa001.a.radianz.net
New York    155.195.48.36   hpggnsba001a.radianz.net
Singapore   155.195.48.68   sinsnsba001a.radianz.net
The recommended DNS search ordering is based on the client location as follows:
CLIENT CONFIGURATION Client workstation resolver only (No Client Site DNS)
Client site DNS using selective forwarding or conditional forwarding Client site DNS using zone delegation
EDNS
EDNS
The EDNS and BT DNS are shown in the table:
EDNS        DNS IP Address   BT Extranet DNS FQDN
London      155.195.64.4     edns02.uk.extranet.reuters.biz
New York    155.195.84.4     edns02.us.extranet.reuters.biz
Singapore   155.195.76.4     edns02.sg.extranet.reuters.biz
The recommended DNS search ordering is based on the client location as follows:
Thomson Reuters Eikon for Wealth Management Internet and Thomson Reuters Eikon Customer Managed on Private Network
The Administration service over Private Network is able to authenticate the Internet Services. If clients have Thomson Reuters Eikon for Wealth Management over Internet and Thomson Reuters Eikon over Private network on the same site, set up the additional DNS on DNS server:
DNS                              DNS Server                     Thomson Reuters Service
download.cp.thomsonreuters.net   Internet ISP / Extranet DNS*   Update Service
cp.thomsonreuters.net extranet.thomsonreuters.biz
* Thomson Reuters Eikon Excel for Wealth Management installation files, Hotfixes, Add-ons are downloaded from the domain download.cp.thomsonreuters.net. Clients are able to download packages from either Internet or Private network.
Certificate Management
See Chapter 6
FIREWALL Policy
Thomson Reuters Eikon Excel is a part of Thomson Reuters Eikon for Wealth Management. See Section 5.2 for more information.
Customer Zone
Thomson Reuters Eikon Excel System Test URL link in some news content e.g. pdf.reuters.com, www.reuters.com, blogs.reuters.com, www.breakingviews.com Securitized Derivatives Network Migration tools
(Knowledge network)
Reuters Insider
tta.thomson.com globalrelay.com
* Eikon Point Carbon will be integrated in Q1, 2012.
** Interactive Map component, a new object, will be available early 2012.
*** Thomson Reuters Eikon for Compliance Management services only.
Please be aware that Thomson Reuters will not divulge IP address information in any circumstances. Doing so would prevent us from changing IP addresses as and when needed without a notification period, and these IP addresses may not always be under our direct control. Clients should always use DNS.
Trading Service, System Test GeoTrust Certificate Revocation Validation System Test Treasury Community Tools
ia.thomsonreuters.com insider.thomsonreuters.com Intindex.com Lipperweb.com loanpricing.com pointcarbon.com reutersinsider.com ReutersRealEstate.com rtextrading.reuters.com rts.scanrate.dk salesforce.com stormpulse.com streetsight.thomson.com thomson.112.2o7.net tiles.virtualearth.net tradeweb.com trading.thomsonreuters.net trainingportal.us training.thomsonreuters.com Tubemogul.com verisign.com webex.com
Thomson Reuters Eikon Wealth Management Reuters Insider International Index Company Lipperweb Loan Pricing Eikon Point Carbon Reuters Insider Thomson Reuters Real Estate Trading Service, System Test Internet ISP Thomson Reuters Eikon Migration tools
(Knowledge network)
Aerial and Satellite image for Interactive Map component Trade web Trading Service, System Test Thomson Reuters E-learning Thomson Reuters E-learning Internet ISP Verisign Certificate Revocation Validation Remote Support
Note: Customers can use thomsonreuters.com and reuters.com instead of adding multiple entries from the table.
The multimedia news service, Reuters Insider, uses the Akamai Content Delivery Network (CDN), the 3rd party service provider, to cache and distribute dynamic and static content through thousands of Edge servers. Due to the dynamic nature of the Akamai CDN, the user is dynamically directed to the Akamai Edge servers that offer the best performance. Therefore, please allow content with Content-Type = application/x-fcs for Reuters Insider.
Personal Firewall
If you use a personal firewall, please ensure that the Firewall allows those processes:
PROCESS NAME SERVICES
Kobra.exe
Excel.exe
Rdmc.exe
System Test
Agent.exe
Isdm.exe
Jre.exe
Trading Services
Note: Kobra.exe and Jre.exe are not available on Thomson Reuters Eikon for Wealth Management
NTLM Authentication
It is advisable to allow Reuters Insider to bypass NTLM authentication, as we have experienced authentication timeouts with Flash-based applications with a number of clients when NTLM authentication is enabled. For additional information, visit https://kb.bluecoat.com/index?page=content&id=KB3243&actp=LIST
Timeouts or Disconnections
If Reuters Insider video streams occasionally time out or disconnect and it does not appear to be an issue with your proxy, the problem might be caused by: A default setting in Internet Explorer versions 6 or 7 that limits the user to two concurrent connections to a server. As Reuters Insider is a feature rich multimedia platform, it sometimes requires more than two concurrent connections. This is a known limitation of these versions of Internet Explorer; the Microsoft article at the following URL explains how to increase this value: http://support.microsoft.com/kb/282402.
complinet.com
Thomson Reuters Transaction Analytics Thomson Reuters Messenger Compliance Administration Portal Thomson Reuters Messenger Compliance Global Relay Reviewer Portal
CLIENT SITE: Client without Internet access and Thomson Reuters Hosted Private
ADVISE: Advise to disable the following IE options:
- Check for publisher's certificate revocation
- Check for server certificate revocation
- Check for signatures on downloaded programs
Note: the setting is per-user, unless locked by IT policies.

CLIENT SITE: Client with Internet access
ADVISE: For security reasons, clients should enable those options.
Microsoft provides a number of white papers on how to set up trust relationships within a closed network. Starting points:
- Certificate Status and Revocation Checking (Windows XP): http://social.technet.microsoft.com/wiki/contents/articles/certificate-status-and-revocationchecking.aspx
- How Certificate Revocation Works (Windows 7, Windows 2008): http://technet.microsoft.com/engb/library/ee619754(WS.10).aspx
- Windows Root Certificate Program: http://support.microsoft.com/kb/931125
Note:
*Equifax Secure Certificate Authority is being replaced by GeoTrust Global CA.
**DigiCert is used for Eikon Carbon Point, which will be integrated in Eikon by Q1, 2012.
The trusted root certificates that are required by Microsoft Windows are listed in KB 293781, http://support.microsoft.com/kb/293781. It is necessary that all of them are available on the machine.
The Trusted root certificates, required by Microsoft Windows, are listed in Microsoft KB 293781, http://support.microsoft.com/kb/293781 It is necessary that all of them are available on the machine.
RSS HMDS RWS Thomson Reuters Eikon Application Console SMF Update Proxy Dealing Key station GMI components SSH Traffic, CAS Agent Manager Traffic CAS Agent Manager Traffic; Inventory Collector Traffic SNMP Gets SNMP Traps Precision / IP Traffic ICMP SSH Traffic Probe Rule Traffic Syslog Message Data/File Retrieval from PAWZ Agent / PAWZ Agent Profile Update PAWZ Real Time Agent Data FTA
9511, 9512, 9513, 9080 /TCP 161 / UDP 3306, 4100, 7600, 32972 / TCP ICMP 22 / TCP 162 / UDP 3306, 4100, 7600, 32972 / TCP ICMP 80 / TCP 514 / TCP, 514 / UDP 1661 / TCP
TPM Server NetCool Server NetCool Server NetCool Server NetCool Server NetCool Server NetCool Server NetCool Server PAWZ Server
IP SUBNET 65.62.0.0 / 15
DOMAIN/SYSTEM Spring Servers (Ex Client WAN Range) Super net (Aggregated Prefix)
DESCRIPTION/USED FOR TR EIKON Spring Server Ex Client WAN Range contains - 65.62.64.0/22 Range1 - 65.62.68.0/22 Range 2 - 65.63.72.0/22 Range 3 Reuters server range 3 Contain (Spring Servers (Ex Client WAN range 4, Reuters servers CAA18 Reuters servers range 01 Reuters servers range 01 Global Management Infrastructure (GMI) Spring Reuters Servers Range 2 (198.206.86.0/23), Reuters client range 06 FCE clients range 04 Spring Reuters servers range 3
67.56.0.0 / 15 75.124.0.0 / 16
Reuters servers CAA18 Reuters servers range 01 Reuters servers range 01 Global Management Infrastructure (GMI) Reuters client range 10 Reuters client range 06 FCE clients range 04 Spring Reuters servers range 3
192.155.136.0/21
EPO Server
DTCP-EPO0001.session.rservices.com
Device SPX / TSP (No Converge-VLAN130) Switch 1 - IDN-DAF VLAN Sub Interface Address Switch 1 port 9 1st client SPX / TSP Switch 1 port 10 3rd client SPX / TSP Switch 1 port 11 5th client SPX / TSP Switch 1 port 12 7th client SPX / TSP Switch 1 port 13 9th client SPX / TSP Switch 1 port 14 Network Monitor SPX / TSP (No Converge-VLAN130) Switch 2 - IDN-DAF VLAN Sub Interface Address Switch 2 port 9 2nd client SPX / TSP Switch 2 port 10 4th client SPX / TSP Switch 2 port 11 6th client SPX / TSP Switch 2 port 12 8th client SPX / TSP Switch 2 port 13 10th client SPX / TSP Switch 2 port 14 Network Monitor SPX / TSP (Standard Converge-VLAN160) Switch 1 - IDN-SAF VLAN Sub Interface Address Switch 1 port 17 1st client SPX / TSP Switch 1 port 18 3rd client SPX / TSP Switch 1 port 19 5th client SPX / TSP Switch 1 port 14 - Network Monitor SPX / TSP (Standard Converge-VLAN160) Switch 2 - IDN-SAF VLAN Sub Interface Address Switch 2 port 17 2nd client SPX / TSP Switch 2 port 18 4th client SPX / TSP Switch 2 port 19 6th client SPX / TSP Switch 2 port 14 - Network Monitor
VLAN HSRP N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 172.25.10.3 /24
VLAN HSRP N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 192.168.20.3 /24
172.25.10.3 /24
192.168.20.3 /24
APPENDIX C: LOCAL DNS CONFIGURATION TO SUPPORT NETWORK FAILOVER (PRIVATE DELIVERY TO INTERNET)*
*This configuration should only apply in case of BT MPLS failover i.e. not something to setup by default.
For the cp.thomsonreuters.net suffix, the forwarder IP address list needs to contain both eDNS and Internet ISP DNS. Add both DNS providers because, when the primary (Private Delivery) infrastructure fails, the Internet ISP DNS is used to resolve instead.
For the extranet.thomsonreuters.biz suffix, the forwarder IP address list needs to contain eDNS only.
For the thomsonreuters.com suffix, the forwarder IP address list needs to contain Internet ISP DNS only.
Configuration Microsoft Windows 2003 Server DNS for Delegation
For the extranet.thomsonreuters.biz suffix
To delegate this domain, create a new Forward Lookup Zone (Standard Primary) called thomsonreuters.biz, following the steps below:
1. Right-click on Forward Lookup Zone to create a new zone
2. Click Next
5. Create a new file with file name (default) and Click next
7. Click Finish
13. Enter the eDNS server name into the FQDN, Click Resolve to get the IP Address and Click OK
NOTE: It is not recommended to delegate the Universal Domains and Global Universal Domains, cp.thomsonreuters.net, since this breaks failover from MPLS to Internet. Please use forwarding DNS for cp.thomsonreuters.net
CRL
A CRL is a file, created and signed by a CA, that contains the serial numbers of certificates that have been issued by that CA and are revoked. In addition to the serial number of each revoked certificate, the CRL also contains the revocation reason for each certificate and the time the certificate was revoked. Currently, two types of CRL exist: base CRLs and delta CRLs. A base CRL maintains a complete list of revoked certificates, while a delta CRL maintains only those certificates that have been revoked since the last publication of a base CRL.
The major drawback of CRLs is their potentially large size, which limits the scalability of the CRL approach. The large size adds significant bandwidth and storage burdens to the CA and relying party, and therefore limits the ability of the system to distribute the CRL. Bandwidth, storage space, and CA processing capacity can also be negatively affected if the publishing frequency gets too high. Numerous attempts have been made to solve the CRL size issue through the introduction of partitioned CRLs, delta CRLs, and indirect CRLs. All these approaches have added complexity and cost to the system without providing an ideal solution to the underlying problem.
Another drawback of CRLs is latency; because the CRL publishing period is predefined, information in the CRL might be out of date until a new CRL or delta CRL is published.
OCSP
OCSP is a Hypertext Transfer Protocol (HTTP) based protocol that allows a relying party to submit a certificate status request to an OCSP responder. This returns a definitive, digitally signed response indicating the certificate status. The amount of data retrieved per request is constant regardless of the number of revoked certificates in the CA. Most OCSP responders get their data from published CRLs and are therefore reliant on the publishing frequency of the CA. Some OCSP responders can, however, receive data directly from the CA's certificate status database and consequently provide near real-time status.
Scalability is the major drawback of the OCSP approach. Since it is an online process and is designed to respond to single certificate status requests, it results in more server hits, requiring multiple and sometimes geographically dispersed servers to balance the load. The response signing and signature verification processes also take time, which can adversely affect the overall response time at the relying party. Finally, since the integrity of the signed response depends on the integrity of the OCSP responder's signing key, the validity of this key must also be verified after a response is validated by the client.
Troubleshooting
Thomson Reuters Eikon uses the Microsoft Crypto API to check and download the Certificate Revocation List (CRL) from a CRL distribution point. The Crypto API internally uses the WinHTTP API to download the HTTP-based URL of the CRL distribution point. If the proxy is not reachable or is incorrect, WinHTTP will not be able to download the CRL, and the certificate revocation check will fail. Thomson Reuters Eikon then does not create any secure connection to the platform, which causes the program to shut down or display an error message.
The logic to discover a proxy server is as follows:
1. Check the static proxy settings.
WINDOWS | COMMAND
Windows XP | Proxycfg.exe
Windows Vista, Windows 7 | Netsh.exe winhttp show proxy
2. If there is no static proxy setting, the API tries to retrieve the Internet Explorer settings in the following order. The following registry locations are queried based on the executing identity:
IDENTITY | REGISTRY KEY
Current User | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
NETWORK SERVICE | HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings
LOCAL SYSTEM | HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings
LOCAL SERVICE | HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings
3. If the Internet Explorer proxy settings are not present for the executing user, or if the Internet Explorer settings indicate either of
- Automatically detect settings
- Use automatic configuration script
the Crypto API will try to automatically discover a proxy for the CRL. This will either return specific proxy information or return 'no proxy' if the automatic proxy discovery fails or if the URL does not require a proxy. For more information, see Microsoft KB 2623724 at http://support.microsoft.com/kb/2623724
Usage
The following examples show the syntax used for various commands in the proxycfg.exe utility.
COMMAND LINE | DESCRIPTION
Proxycfg | Display the current WinHTTP proxy settings
Proxycfg -d | Set direct access
Proxycfg -u | Import proxy settings from the current user's Internet Explorer manual settings
Proxycfg -p proxy-server-list optional-by-pass-list | Specify one or more proxy servers and an optional list of hosts that should be accessed directly.
The following examples show the syntax used for various commands on Windows Vista and Windows 7.
COMMAND LINE | DESCRIPTION
Netsh winhttp show proxy | Display the current WinHTTP proxy settings
Netsh winhttp reset proxy | Set direct access
Netsh winhttp import proxy source=ie | Import proxy settings from the current user's Internet Explorer manual settings
Netsh winhttp set proxy proxy-server bypass-list=optional-by-pass-list | Specify one proxy server and an optional list of hosts that should be accessed directly.
Netsh winhttp set proxy proxy-server=proxy-server-list bypass-list=optional-by-pass-list | Specify one or more proxy servers and an optional list of hosts that should be accessed directly.
PARAMETER: Proxy-server-list
DESCRIPTION OF USE: Proxies are listed per protocol, in the following form:
- Windows XP: protocol=http://proxy_name:port
- Windows Vista and Windows 7: protocol=proxy_name:port
where protocol is either http or https and proxy_name is the name of the proxy server.

PARAMETER: Optional-bypass-list
DESCRIPTION OF USE: The list contains host names or IP addresses that are locally known. This list can contain wildcards, "*", that cause the application to bypass the proxy server for addresses that fit the specified pattern. For example, both "*.microsoft.com" and "*.org" are acceptable wildcard patterns. Wildcard characters must be the left-most characters in the list, so "myserver.*" is not supported. To list multiple addresses and host names, separate them with blank spaces or semicolons in the proxy bypass string. If the "<local>" macro is specified, the function bypasses any host name that does not contain a period.
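The proxy-server-list and bypass-list rules above can be checked offline before a setting is rolled out, to confirm which hosts would skip the proxy. The following Python code is an added example, not part of the original guide and not WinHTTP's own logic; it models only the rules stated in this section, its function names are hypothetical, and treating a protocol with no listed proxy as direct access is an assumption.

```python
# Added example: models the proxy-server-list and bypass-list rules described
# above. It is not WinHTTP's own code; function names are hypothetical.

def _entries(spec):
    """Split a list on blank spaces or semicolons, as the guide allows."""
    return [e for e in spec.replace(";", " ").split() if e]

def parse_proxy_list(spec):
    """'http=p1:8080; https=p2:3128' -> {'http': 'p1:8080', 'https': 'p2:3128'}.
    A bare 'proxy:port' applies to every protocol and is stored under '*'."""
    proxies = {}
    for item in _entries(spec):
        scheme, sep, hostport = item.partition("=")
        if sep:
            proxies[scheme.lower()] = hostport
        else:
            proxies["*"] = item
    return proxies

def parse_bypass_list(spec):
    """Return lower-cased patterns; reject wildcards that are not left-most."""
    patterns = []
    for entry in _entries(spec.lower()):
        if "*" in entry[1:]:
            raise ValueError("wildcard must be left-most: %r" % entry)
        patterns.append(entry)
    return patterns

def bypasses_proxy(host, patterns):
    """True if the host matches an entry and would be accessed directly."""
    host = host.lower()
    for p in patterns:
        if p == "<local>":            # macro: any name without a period
            if "." not in host:
                return True
        elif p.startswith("*"):       # e.g. "*.thomsonreuters.net"
            if host.endswith(p[1:]):
                return True
        elif host == p:
            return True
    return False

def route(scheme, host, proxy_spec, bypass_spec):
    """Return 'DIRECT' or the proxy a request for scheme://host would use."""
    if bypasses_proxy(host, parse_bypass_list(bypass_spec)):
        return "DIRECT"
    proxies = parse_proxy_list(proxy_spec)
    # Assumption: a protocol with no proxy listed is accessed directly.
    return proxies.get(scheme.lower(), proxies.get("*", "DIRECT"))
```

A broad pattern such as "*.org", or a lone "*", sends every matching host direct, so review each bypass entry against the hosts that must still pass through the proxy.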
Example on Windows XP
Import the current Internet Proxy setting to WinHTTP (for manual setting on Internet Explorer only)
C:\> proxycfg -u
Microsoft (R) WinHTTP Default Proxy Configuration Tool
Copyright (c) Microsoft Corporation. All rights reserved.

Updated proxy settings
Current WinHTTP proxy settings under:
  HKEY_LOCAL_MACHINE\
    SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\
      WinHttpSettings :
Set up proxy1.test.com as a proxy for WinHTTP and bypass proxy for the local domain, *.extranet.thomsonreuters.biz and *.thomsonreuters.net
C:\> proxycfg -p proxy1.test.com "<local>;*.extranet.thomsonreuters.biz;*.thomsonreuters.net"
Microsoft (R) WinHTTP Default Proxy Configuration Tool
Copyright (c) Microsoft Corporation. All rights reserved.

Updated proxy settings
Current WinHTTP proxy settings under:
  HKEY_LOCAL_MACHINE\
    SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\
      WinHttpSettings :

Set up proxy1.test.com for the http protocol on port 80 and proxy2.test.com for the https protocol on port 3128, with direct access to the local domain, *.extranet.thomsonreuters.biz and *.thomsonreuters.net
C:\> proxycfg -p "http=proxy1.test.com:8080 https=proxy2.test.com:3128" "<local>;*.extranet.thomsonreuters.biz;*.thomsonreuters.net"
Microsoft (R) WinHTTP Default Proxy Configuration Tool
Copyright (c) Microsoft Corporation. All rights reserved.

Updated proxy settings
Current WinHTTP proxy settings under:
  HKEY_LOCAL_MACHINE\
    SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\
      WinHttpSettings :
Set up proxy1.test.com as a proxy for WinHTTP and bypass proxy for the local domain, *.extranet.thomsonreuters.biz and *.thomsonreuters.net
C:\> netsh winhttp set proxy proxy1.test.com bypass-list="<local>;*.extranet.thomsonreuters.biz;*.thomsonreuters.net"
Current WinHTTP proxy settings under:
  Proxy Server(s) : proxy1.test.com
  Bypass List     : <local>;*.extranet.thomsonreuters.biz;*.thomsonreuters.net

Set up proxy1.test.com for the http protocol on port 80 and proxy2.test.com for the https protocol on port 3128, with direct access to the local domain, *.extranet.thomsonreuters.biz and *.thomsonreuters.net
C:\> netsh winhttp set proxy proxy-server="http=proxy1.test.com:8080; https=proxy2.test.com:3128" bypass-list="<local>;*.extranet.thomsonreuters.biz;*.thomsonreuters.net"
Current WinHTTP proxy settings under:
  Proxy Server(s) : http=proxy1.test.com:8080; https=proxy2.test.com:3128
  Bypass List     : <local>;*.extranet.thomsonreuters.biz;*.thomsonreuters.net