Eikon Networking Guide v2.11

THOMSON REUTERS EIKON NETWORKING GUIDE
THOMSON REUTERS EIKON NETWORKING GUIDE
Document Version 2.11 Date of issue: 27 March 2012
Thomson Reuters Eikon Networking Guide
REVISION HISTORY
DATE VERSION REVISION DETAILS
14 Jun 2010 6 Feb 2011
1.0 2.0
First Release version - Update and reformat document - Add Proxy and Firewall Policy - Update DNS table - Add Verisign and GeoTrust in Content Filtering Policy -Add Reuters Insider information -Add Certificate Management -Add Certificate Revocation concept in Appendix -Add Private Network Routing table -Add TCP/IP port 10240 for CFI -Update DNS table -Remove List of Thomson Reuters Eikon Host from Appendix -Add IP address divulge policy in DNS section -Correct DNS host name for Reuters Insider -Correct TCP/IP port for CFI -Add ia.thomsonreuters.com Domain -Add eikontest.thomsonreuters.com for System Test -Add Appendix E WinHTTP Proxy configuration -Add WPAD issue on Thomson Reuters Hosted -Correct information on Certificate Revocation through WinHTTP -Add Certificate Revocation list validation and WinHTTP -Add graphics.thomsonreuters.com for System Test -Add training.thomsonreuters.com for Knowledge network -Add saleforce.com and force.com for Knowledge Network -Add section 3.3 DACS Daemon services for RTIC connection -Add more information on service on Content filtering -Add customers.reuters.com not available on Savvis network -Correct on Certificate management typo mistake -Update BT routing table for Thomson Reuters Eikon and Thomson Reuters Eikon Wealth Management - Add Section Thomson Reuters Hosted Private deployment - Update DNS table for Eikon for Wealth Management due to the streaming service change in August 2011 -Update Savvis Private Network information -Add a new chapter, Thomson Reuters Eikon for Wealth Management -Change thomsonreuters.com DNS suffix to Internet -Add DNS table for Savvis -Change pdf.reuters.com domain to reuters.com domain as news content have multiple link e.g. pdf.reuters.com, link.reuters.com, r.reuters.com, blogs.reuters.com, www.reuters.com, etc. - Add Section 1.3Thomson Reuters Hosted Internet and Customer Managed -Add Jre.exe to Personal Firewall table in order to fix an issue on Aviva program -Provide some news URL instead of reuters.com -Correct Thomson Reuters Eikon for Wealth Management DNS table -Update Appendix A - Add the Internet DNS for Eikon 2.0
7 Feb 2011 23 Feb 2011
2.01 2.02
2 Mar 2011
2.03
21 Apr 2011
2.04
24 May 2011
2.05
14 July 2011
2.06
29 Sep 2011
2.07
4 Nov 2011
2.08
12 Dec 2011
2.09
Hihifrds.com loanpricing.com pointcarbon.com* ReutersRealEstate.com Streetsight.thomson.com tiles.virtualearth.net - Add Troubleshooting section in Appendix D - Combine Appendix E as a section in Appendix D -Update Certificate Revocation section - Move duplicate content to Chapter 5 and 6 - Add Internet Options in Chapter 5 - Remove Section 1.3 24 Feb 2012 2.10 - Add Eikon for Compliance Management content filtering policy in Chapter 5 - Add DNS rule for Thomson Reuters Hosted Private - Add Autex, breakingviews in Internet Service - Remove DNS Round Robin for TSP and SPX - Correct PAZW to PAWZ -Add new 75.124.118.0/24 for Thomson Reuters Platform -Add public.login.cp.thomsonreuters.net -Add port 8101 on SPX on Appendix A
27 Mar 2012
2.11
CONTENT
About this document ................................................................................................................................................. 6 Intended readership ...................................................................................................................................................... 6 In this guide ................................................................................................................................................................... 6 Glossary ..................................................................................................................................................................... 7 1. Thomson Reuters Hosted Deployment ................................................................................................................... 8 1.1 Thomson Reuters Hosted Internet ........................................................................................................................... 8 1.2 Thomson Reuters Hosted Private Network ............................................................................................................ 10 2. Thomson Reuters Managed Deployment ............................................................................................................. 13 2.1 BT infrastructure .................................................................................................................................................... 15 2.2 SAVVIS infrastructure ............................................................................................................................................ 16 3. Customer Managed Deployment ......................................................................................................................... 18 3.1 BT infrastructure .................................................................................................................................................... 20 3.2 SAVVIS infrastructure ............................................................................................................................................ 22 3.3 DACS Daemon service for RTIC Connection ........................................................................................................... 23 4. Thomson Reuters Eikon for Wealth Management ............................................................................................... 24 4.1 Thomson Reuters Eikon for Wealth Management Internet................................................................................... 24 4.2 Thomson Reuters Eikon for Wealth Management Private Network ..................................................................... 25 4.3 Proxy and Firewall Policy ....................................................................................................................................... 28 5. Internet Service for Thomson Reuters Eikon ........................................................................................................ 30 5.1 Internet Service DNS .............................................................................................................................................. 30 5.2 FIREWALL Policy .................................................................................................................................................... 31 5.3 Web Proxy Auto-Discovery Protocol (WPAD) ........................................................................................................ 33 5.4 Reuters Insider ....................................................................................................................................................... 33 5.5 Thomson Reuters Eikon for Compliance Management ......................................................................................... 33 5.6 Internet Options Setting ........................................................................................................................................ 34 6 Thomson Reuters Eikon Certificate Management ................................................................................................. 37 6.1 Thomson Reuters Eikon Certificates authorities .................................................................................................... 37 6.2 Thomson Reuters Eikon for Wealth Management Certificates authorities ........................................................... 38 6.3 Testing Trusted Root Certificate ............................................................................................................................ 38 Appendix A: List Of device TCP/IP Information ........................................................................................................ 39 Time Series Proxy TCP/IP Port .................................................................................................................................... 39 Streaming Proxy TCP/IP Port ...................................................................................................................................... 39
Reuters Insider Firewall Port allowed ........................................................................................................................ 40 BT Routing for Thomson Reuters Managed Device ................................................................................................... 40 Savvis Network Information for Thomson Reuters Managed Device ....................................................................... 40 Appendix B: List of switch allocation on BT Switch (VLAN) ....................................................................................... 42 Appendix C: Local DNS configuration to support network failover (Private Delivery to internet)* ........................... 43 Appendix D: Certificate Revocation Concept ............................................................................................................ 54
ABOUT THIS DOCUMENT

INTENDED READERSHIP
This document is intended for Thomson Reuters support personals; Field Engineers, Planning Engineers, Client Implementation Specialists, Technical Deployment Specialist, Technical Account Managers and Client Network engineers. It can also be useful for Thomson Reuters Eikon customers IT or Networking personnel to plan Thomson Reuters Eikon deployment.
IN THIS GUIDE
This guide provides an overview of the network set up requirement for Thomson Reuters Eikon, delivered globally using Thomson Reuters Platform that covers TCP/IP Standard ports, Network routing and DNS. The chapter is based on Customer Delivery mode. You can implement it following the deployment on site. Thomson Reuters Eikon requires some services that are available on Internet only. It is recommended that clients have Internet connection in order to get all services which are listed in Chapter 5.
GLOSSARY
Abbreviations and acronyms are listed here:
Abbreviation/Term BT CAS CFI CRL DNS DTS ePO FTA GMI HMDS HTTP HTTPS NGTX IP ISP OCSP PAZW PKI RSS RTMP RWS SIG SMF SNMP SSH TAM TCP TPM UDP WinHTTP WPAD
Definition British Telecom Central Authentication Service Contributor Frontend IP also known as the Open Contributor Front End Certificate Revocation List Domain Name Server Direct Technical Specialist, providing pre-sales support and service
management for all Direct customers.
McAfee Anti-Virus ePolicy Orchestrator File Transfer Application Global Management Infrastructure Hosted Market Data System Hypertext Transfer Protocol Hypertext Transfer Protocol Secure Next Generation Transactions Internet Protocol Internet Service Provider Online Certificate Status Protocol Performance Analysis Web Zone Public key Infrastructure Reuters Site Server Real Time Messaging Protocol Reuters Workstation Server Secure Internet Gateway Server Management Foundation Simple Network Management Protocol Secure Shell Technical Account Manager Transmission Control Protocol Tivoli Provisioning Manager User Datagram Protocol Microsoft Windows HTTP Services Web Proxy Auto-Discovery
1. THOMSON REUTERS HOSTED DEPLOYMENT

1.1 THOMSON REUTERS HOSTED INTERNET
TCP/IP Standard Port for Thomson Reuters Hosted Internet
Product Profile Protocol Port Numbers Workstation Thomson Reuters 1024+ 80 1024+ 80 1024+ 443 1024+ 443 Thomson Reuters Servers Thomson Reuters Platform Use
Thomson Reuters Hosted
TCP
Administration Service Views Service Streaming Service Search &Navigation Service Time Series Service Messaging Service Trading Service Update Service Reuters Insider DNS server (no Internet Proxy)
TCP/UDP
1024+ 53 1024+ 53
DNS server
DNS Server for Thomson Reuters Eikon Hosted Internet

All Thomson Reuters Hosted deployment servers are able to resolve IP address through local Internet Service Provider (ISP) DNS. The following domains must be selected forwarding DNS thomsonreuters.com cp.thomsonreuters.net reuters.com trading.thomsonreuters.net DNS Server Internet ISP Internet ISP Internet ISP Internet ISP Thomson Reuters Service Thomson Reuters Eikon Thomson Reuters Eikon Customer Zone and URL links in some news content, Trading Services, SDN, etc Trading Service, System Test
Additional Internet domains/services are listed in Chapter 5. Please be aware that Thomson Reuters will not divulge IP address information in any circumstances. Doing so prevent us from changing IP addresses as and when needed without notification period and these IP addresses may not always be under our direct control. Clients should always use DNS.
Proxy Server: If clients implement an Internet proxy server on site, it is necessary that the proxy be able to solve the following domain correctly. Internet Explorer object will forward all request to the proxy server without resolving the domain name service.
Proxy and Firewall Policy

See information in Chapter 5.
Authentication Proxy
Thomson Reuters Eikon has been qualified with the following authenticated proxies:
PROXY AUTHENTICATION METHOD
Apache
Basic
Apache
DIGEST
Squid
Basic
Squid
DIGEST
MS ISA
NTLM
It is advisable to allow Reuters Insider URL to bypass NTLM authentication in Proxy, as we have experienced authentication timeouts with Flash-based applications with a number of clients when NTLM authentication is enabled.
Web Proxy Auto-Discovery Protocol (WPAD)

Thomson Reuters Eikon does not support the Web Proxy Auto-Discovery Protocol (WPAD). The Update Agent cannot connect to the dedicated proxy server indicated in the WPAD file; as a consequence, users are not able to install Thomson Reuters Eikon or upgrade to the latest Service Releases or Hotfixes. The issue is under investigation by our development teams.
EXE Download Policy

Thomson Reuters Eikon installation package is an EXE Wrapper file (MSI/MSP file wrap inside EXE file). These files are virus checked and signed by Thomson Reuters before they are published on Thomson Reuters Update Service. Your site (workstation) firewall must be set-up to allow the download of these packages. Thomson Reuters is using this file format to guarantee best compression rates for the downloaded packages. Firewall has to ALLOW the following servers to download EXE file through http protocol:
DOMAIN DOWNLOAD
customers.thomsonreuters.com
For installation bootstrap, system Test standalone over Internet
*.download.cp.thomsonreuters.net
For Thomson Reuters Eikon packages on Update Service
Internet Service for Thomson Reuters Eikon

See information on Chapter 5
Certificate Revocation List Validation

See the information on Chapter 6
1.2 THOMSON REUTERS HOSTED PRIVATE NETWORK

BT Service Package
The following Service Packages are mandatory: Thomson Reuters Platform with Real Time 2.0 Messaging Service Package NGTX service Package Contribution Service package (Optional for Contribution)
TCP/IP Standard Port for Thomson Reuters Hosted Private

Thomson Reuters Hosted Private Deliver over Private Network
TCP
Administration Service Views Service Streaming Service Search &Navigation Service Time Series Service Messaging Service Trading Service Update Service Contribution Service on CFI server through InsertLink, DNS
1024+ 10240 1024+ 10240
CFI server
TCP/UDP
1024+ 53 1024+ 53
DNS server
Reuters Insider is not available on this delivery mode.
DNS
See DNS suffices in Chapter 3.
The DNS server configuration are as following:

CLIENT CONFIGURATION Client workstation resolver DNS BT DNS COMMENT Clients use local resolver fall-through. This relies on
10
only (No Client Site DNS) Client site DNS using selective forwarding or conditional forwarding Client site DNS using zone delegation EDNS
SERVFAIL answer from BT DNS for invalid domains. BT DNS response time will be slower unless record is already in cache
EDNS
The EDNS and BT DNS are shown as in the table: EDNS London New York Singapore DNS IP Address 155.195.64.4 155.195.84.4 155.195.76.4 BT Extranet DNS FQDN edns02.uk.extranet.reuters.biz edns02.us.extranet.reuters.biz edns02.sg.extranet.reuters.biz
BT DNS London New York Singapore
IP Address 155.195.48.4 155.195.48.36 155.195.48.68
BT DNS FQDN londnsaa001.a.radianz.net hpggnsba001a.radianz.net sinsnsba001a.radianz.net
BT Private Network Routing

The client can set up as either: Set up BT Router as a default gateway or Set up the following routing to BT router IP Subnet 65.63.72.0 /22 and 75.124.118.0/24 65.62.0.0/15 and 75.124.118.0/24 or - 65.62.64.0/22 - 65.62.68.0/22 - 65.63.72.0/22 -75.124.118.0/24 67.56.184.0/21 Description / Used for EIKON Thomson Reuters Eikon Uses this range if installing both Thomson Reuters Eikon and Thomson Reuters Eikon for Wealth Manager on site.
Messaging Service over Private Network this is a mandatory component but the default is source from Internet BT DNS Customer Zone, Contribution (Insert Link) Trading Service over Private Network
155.195.48.0/22 155.195.64.0/18 204.109.128.0/17 or 204.109.109.224.0/21
11


12
2. THOMSON REUTERS MANAGED DEPLOYMENT

TCP/IP Standard Port for Thomson Reuters Managed
Product Profile Protocol Port Numbers Workstation Thomson Reuters 1024+ 14002 1024+ 14002 1024+ 80 1024+ 80 1024+ 80 1024+ 80 1024+ 443 1024+ 443 Thomson Reuters Servers Streaming Proxy Use
Thomson Reuters Managed Profile Deliver over Private Network
TCP
Streaming Service Update Service
Thomson Reuters Platform
1024+ 1024+ 1024+ 1024+
80 80 8082* 8082*
Time Series Proxy
Administration Service Views Service Search &Navigation Service Time Series Service Messaging Service Trading Service Time Series Service *port 8082 is for maintenance services.
1024+ 10240 1024+ 10240 TCP/UDP
CFI server
DNS server 1024+ 53 1024+ 53 Thomson Reuters Eikon Multimedia Service (Reuters Insider) is delivered over the Internet. Each desktop will need to have access to make HTTP and HTTPS connections. Furthermore, video is streamed using Adobe Flash RTMP protocol tunnelled through HTTP so no further ports are required other normal HTTP:80 and HTTPS: 443.
Contribution Service on CFI server through InsertLink, Eikon Excel DNS
DNS
The following domains must be selected forwarding or delegating toward authorities DNS server. DNS thomsonreuters.com extranet.thomsonreuters.biz cp.thomsonreuters.net public.login.cp.thomsonreuters.net customers.reuters.com trading.thomsonreuters.net fitrading.reuters.com fxtrading.reuters.com rtextrading.reuters.com Authoritative DNS Server Internet Extranet DNS Extranet DNS Internet Extranet DNS/ Internet Extranet DNS / Internet** Extranet DNS / Internet** Extranet DNS / Internet** Extranet DNS / Internet** Thomson Reuters Service Thomson Reuters Eikon , Collaboration, Customer Zone over Internet Thomson Reuters Eikon, Customer Zone, Collaboration Thomson Reuters Eikon and Thomson Reuters Eikon for Wealth Management Thomson Reuters Eikon Customer Zone Trading Service Trading Service Trading Service Trading Service
13
* *These domains require NGTX Service package. If you have the NGTX Service package, the DNS MUST forward to the Extranet DNS rather than Internet DNS. Additional Internet domains/services are listed in Chapter 5. It is recommended that client has Internet connection for Thomson Reuters Eikon in order to get full services. Please be aware that Thomson Reuters will not divulge IP address information in any circumstances. Doing so prevent us from changing IP addresses as and when needed without notification period and these IP addresses may not always be under our direct control. Clients should always use DNS.
DNS resource name lookup

You need to add a host record entry for Thomson Reuters Platform services into your local DNS servers with your local server IP address. The entry should be put in the same DNS suffixes that set up on the Advanced TCP/IP settings on the workstation. Servers Streaming Proxy TimeSeries Proxy DNS entry tr-streaming-proxy tr-timeseries-proxy
E.g. If the first DNS Suffix Search List of the client workstation is xxx.company.com, you have to add the tr-timeseries-proxy host record entry added to the xxx.company.com domain. Thus the workstation is able to resolve IP address of the local Streaming Proxy by lookup tr-streaming-proxy upon Thomson Reuters Eikon application start-up. However, this new DNS entry name can be changed in the Thomson Reuters User Profile in Administration Service to reflect the new DNS hostname. Please contact your TAM or DTS and make a request.
FIREWALL Policy


EXE Download Policy

14
DOMAIN
DOWNLOAD
customers.extranet.thomsonreuters.biz
For installation bootstrap, system Test standalone over Private Network
tr-streaming-proxy
For Thomson Reuters Eikon packages on Streaming Proxy
2.1 BT INFRASTRUCTURE
Thomson Reuters Platform Service Package version 2.0 is a mandatory for all sites Messaging Service Package is needed unless you set up Collaboration Service over Internet Contribution Service Package is needed for InsertLink NGTX Service Package is needed unless you set up Trading Service over Internet
The recommended Extranet DNS server configurations are as following:

CLIENT CONFIGURATION Client workstation resolver only (No Client Site DNS) Client site DNS using selective forwarding or conditional forwarding Client site DNS using zone delegation DNS BT DNS COMMENT Clients use local resolver fall-through. This relies on SERVFAIL answer from BT DNS for invalid domains. BT DNS response time will be slower unless record is already in cache
EDNS
EDNS
BT DNS
IP Address
BT DNS FQDN
15
London New York Singapore
155.195.48.4 155.195.48.36 155.195.48.68
londnsaa001.a.radianz.net hpggnsba001a.radianz.net sinsnsba001a.radianz.net
The recommended DNS search ordering is based on the client location as following:
REGION EMEA AMERICA ASIA
FIRST DNS SERVER London New York Singapore
SECOND DNS SERVER New York London New York
THIRD DNS SERVER Singapore Singapore London

IP Subnet 65.63.72.0/22 and 75.124.118.0/24 65.62.0.0/15 and 75.124.118.0/24 or - 65.62.64.0/22 - 65.62.68.0/22 - 65.63.72.0/22 -75.124.118.0/24 67.56.184.0/21 Description / Used for EIKON Thomson Reuters Eikon Uses this range if installing both Thomson Reuters Eikon and Thomson Reuters Eikon for Wealth Manager on site.
*Messaging Service over Private Network this is a mandatory component but the default is source from Internet BT DNS Optional DNS Service on EDNS, Customer Zone, **Contribution (Insert Link) ***Trading Service over Private Network
155.195.48.0/22 155.195.64.0/18 204.109.128.0/17 or 204.109.109.224.0/21 Note:
* Messaging Service Package is needed ** Contribution Service package is needed ***NGTX service Package is needed
2.2 SAVVIS INFRASTRUCTURE

Note: The following services are not available on SAVVIS Private Network. Customers have to set up on Internet only: Messaging Service Package NGTX Service Package
16
Customers Zone for customers.reuters.com
DNS Server
EDNS Nutley Hazelwood Savvis Extranet DNS IP Address 192.155.142.4 192.155.141.196 Savvis Extranet DNS FQDN edns03.us.extranet.reuters.biz edns04.us.extranet.reuters.biz
DNS
The following domains must be selected forwarding or delegating toward authorities DNS server. DNS thomsonreuters.com extranet.thomsonreuters.biz cp.thomsonreuters.net customers.reuters.com trading.thomsonreuters.net fitrading.reuters.com fxtrading.reuters.com rtextrading.reuters.com Authoritative DNS Server Internet Extranet DNS Extranet DNS Internet Internet Internet Internet Internet Thomson Reuters Service Thomson Reuters Eikon , Collaboration, Customer Zone over Internet Thomson Reuters Eikon, Customer Zone, Collaboration Thomson Reuters Eikon Customer Zone Trading Service Trading Service Trading Service Trading Service
Additional Internet domains/services are listed in Chapter 5. It is recommended that client has Internet connection for Thomson Reuters Eikon in order to get full services.
Savvis Private Network Routing

IP Subnet 192.155.137.0/25 192.155.138.0/25 159.220.80.0/27 192.155.142.0/28 192.155.141.192/28 Description / Used for EIKON Thomson Reuters Eikon Customer Zone on Extranet (customers.extranet.thomsonreuters.biz) DNS service
17
3. CUSTOMER MANAGED DEPLOYMENT

TCP/IP Standard Port for Customer Managed
Protocol Port Numbers Workstation Thomson Reuters 1024+ 14002 1024+ 14002 1024+ 8101 1024+ 8101 1024+ 8261 1024+ 8261 1024+ 80 1024+ 80 1024+ 443 1024+ 443 Thomson Reuters Servers RMDS 6, ADS RMDS 5, RMDS 6, ADS RMDS 5, RMDS 6 , ADS Thomson Reuters Platform Use
Customer Managed Profile Deliver over Private Network
TCP
Realtime Data Service (RSSL) Realtime Data Service (SSL) Permission Proxy Administration Service Views Service Search &Navigation Service TimeSeries Service Messaging Service Trading Service Update Service TimeSeries Service *port 8082 is for maintenance services.
1024+ 1024+ 1024+ 1024+ 1024+ 1024+ 1024+ 1024+ 1024+ 1024+ 1024+ 1024+ 1024+ 1024+ TCP/UDP Update Proxy TCP 1024+ 1024+ 1024+ 1024+ 1024+ 1024+
80 80 8082* 8082* 2400 2400 8302 8302 80 80 443 443 10240 10240 53 53 80 80 443 443
Time Series Proxy
DBU (Optional) DACS server Update Proxy
TimeSeries Data for 3 party feed Permission Service DACS Daemon Update Service
rd
CFI server
DNS server Thomson Reuters Platform
Contribution Service on CFI server through InsertLink, Eikon Excel DNS Update Service
Thomson Reuters Eikon Multimedia Service (Reuters Insider) is delivered over the Internet. Each desktop will need to have access to make HTTP and HTTPS connections. Furthermore, video is streamed using Adobe Flash RTMP protocol tunnelled through HTTP so no further ports are required other normal HTTP:80 and HTTPS: 443.
18
DNS
The following domains must be selected forwarding or delegating toward authorities DNS server.
DNS thomsonreuters.com extranet.thomsonreuters.biz
Authoritative DNS Server Internet Extranet DNS
Thomson Reuters Service Thomson Reuters Eikon, Collaboration, Reuters Insider over Internet Thomson Reuters Eikon, Thomson Reuters Eikon for Wealth Management Customer Zone, Collaboration Thomson Reuters Eikon and Thomson Reuters Eikon for Wealth Management Thomson Reuters Eikon Customer Zone Trading Service Trading Service Trading Service Trading Service
cp.thomsonreuters.net public.login.cp.thomsonreuters.net customers.reuters.com trading.thomsonreuters.net fitrading.reuters.com fxtrading.reuters.com rtextrading.reuters.com
Extranet DNS Internet Extranet DNS/ Internet Extranet DNS / Internet** Extranet DNS / Internet** Extranet DNS / Internet** Extranet DNS / Internet**
** These domains require NGTX Service package. If you have the NGTX Service package, the DNS MUST forward to the Extranet DNS rather than Internet DNS. Additional Internet domains/services are listed in Chapter 5. It is recommended that client has Internet connection for Thomson Reuters Eikon in order to get full services. Please be aware that Thomson Reuters will not divulge IP address information in any circumstances. Doing so prevent us from changing IP addresses as and when needed without notification period and these IP addresses may not always be under our direct control. Clients should always use DNS.
DNS resource name lookup

You need to add a host record entry for Thomson Reuters Platform services into your local DNS servers with your local server IP address. The entry should be put in the same DNS suffixes that set up on the Advanced TCP/IP settings on the workstation. Deployed Services TimeSeries Proxy Update Proxy Configuration Proxy DNS entry tr-timeseries-proxy tr-update-proxy tr-config-proxy
E.g. If the default lookup domain of the client workstation is xxx.company.com where xxx is the host being resolved then you need the tr-timeseries-proxy host record entry added to the company.com domain. However, this new DNS entry name can be changed in the Thomson Reuters User Profile in Administration Service to reflect the new DNS hostname. Please contact your TAM or DTS and make a request.
19
FIREWALL Policy


EXE Download Policy

DOMAIN DOWNLOAD
customers.extranet.thomsonreuters.biz
For installation bootstrap, system Test standalone over Private Network
<Update Proxy>
For Thomson Reuters Eikon package on Customer Managed
3.1 BT INFRASTRUCTURE
Thomson Reuters Platform Service Package version 2.0 is a mandatory for all sites Messaging Service Package is needed unless you set up Collaboration Service over Internet Contribution Service Package is needed for Contribution product e.g. InsertLink NGTX Service Package is needed unless you set up Trading Service over Internet
The recommended Extranet DNS server configurations are as following:
20
CLIENT CONFIGURATION Client workstation resolver only (No Client Site DNS) Client site DNS using selective forwarding or conditional forwarding Client site DNS using zone delegation
DNS BT DNS
COMMENT Clients use local resolver fall-through. This relies on SERVFAIL answer from BT DNS for invalid domains. BT DNS response time will be slower unless record is already in cache
EDNS
EDNS
IP Address 155.195.48.4 155.195.48.36 155.195.48.68

IP Subnet 65.63.72.0/22 and 75.124.118.0/24 Description / Used for EIKON Thomson Reuters Eikon
21
65.62.0.0/15 and 75.124.118.0/24 or - 65.62.64.0/22 - 65.62.68.0/22 - 65.63.72.0/22 -75.124.118.0/24
Uses this range if installing both Thomson Reuters Eikon and Thomson Reuters Eikon for Wealth Manager on site.
67.56.184.0/21
*Messaging Service over Private Network this is a mandatory component but the default is source from Internet BT DNS Optional DNS Service on EDNS, Customer Zone, **Contribution (Insert Link) ***Trading Service over Private Network
155.195.48.0/22 155.195.64.0/18 204.109.128.0/17 or 204.109.109.224.0/21 Note: * Messaging Service Package is needed ** Contribution Service package is needed ***NGTX service Package is needed
3.2 SAVVIS INFRASTRUCTURE

Note: The following services are not available on SAVVIS Private Network. Customers have to set up on Internet only: Messaging Service Package (collaboration) NGTX Service Package Customers Zone for customers.reuters.com
DNS Server
EDNS Nutley Hazelwood Savvis Extranet DNS IP Address 192.155.142.4 192.155.141.196 Savvis Extranet DNS FQDN edns03.us.extranet.reuters.biz edns04.us.extranet.reuters.biz
DNS
The following domains must be selected forwarding or delegating toward authorities DNS server. DNS thomsonreuters.com extranet.thomsonreuters.biz cp.thomsonreuters.net customers.reuters.com Authoritative DNS Server Internet Extranet DNS Extranet DNS Internet Thomson Reuters Service Thomson Reuters Eikon , Collaboration, Customer Zone over Internet Thomson Reuters Eikon, Customer Zone, Collaboration Thomson Reuters Eikon Customer Zone
22
trading.thomsonreuters.net Internet Trading Service fitrading.reuters.com Internet Trading Service fxtrading.reuters.com Internet Trading Service rtextrading.reuters.com Internet Trading Service Additional Internet domains/services are listed in Chapter 5. It is recommended that client has Internet connection for Thomson Reuters Eikon in order to get full services.
Savvis Private Network Routing

IP Subnet 192.155.137.0/25 192.155.138.0/25 159.220.80.0/27 192.155.142.0/28 192.155.141.192/28 Description / Used for EIKON Thomson Reuters Eikon Customer Zone on Extranet (customers.extranet.thomsonreuters.biz) DNS service
3.3 DACS DAEMON SERVICE FOR RTIC CONNECTION

Ensure that the personal firewall does not block those services on the client machine. And the following services are valid in the file C:\Windows\System32\etc\services
dacs_lib
8211/tcp
#dacs_snkd.exe #dacs_snkd.exe
dacs_perm 8250/tcp
23
4. THOMSON REUTERS EIKON FOR WEALTH MANAGEMENT

4.1 THOMSON REUTERS EIKON FOR WEALTH MANAGEMENT INTERNET
TCP/IP Standard Port for Thomson Reuters Eikon Wealth Management Internet
Thomson Reuters Eikon for Wealth Management Internet
TCP
Administration Service Views Service News Service Streaming Service Search &Navigation Service Time Series Service Update Service Reuters Insider
Thomson Reuters Eikon Multimedia Service (Reuters Insider) is delivered over the Internet. Each desktop will need to have access to make HTTP and HTTPS connections. Furthermore, video is streamed using Adobe Flash RTMP protocol tunnelled through HTTP so no further ports are required other normal HTTP:80 and HTTPS: 443.
DNS Server
All Thomson Reuters Hosted deployment servers are able to resolve IP address through local Internet Service Provider (ISP) DNS. The following domains must be selected forwarding
DNS thomsonreuters.com
Authorized DNS Server Internet
Thomson Reuters Service Thomson Reuters Eikon for Wealth Management, Reuters Insider, Customer Zone Thomson Reuters Eikon for Wealth Management Customer Zone and some URL link in some news content, e.g. pdf.reuters.com, link.reuters.com, www.reuters.com Migration tools (Knowledge Network) Reuters Insider Migration tools (Knowledge Network) Securitised Derivative Network Insider Thomson Reuters E-Learning Remote Support
cp.thomsonreuters.net reuters.com
Internet Internet
force.com reutersinsider.com saleforces.com sdn.reuters.com Thomson.112.2o7.net training.thomsonreuters.com trainingportal.us webex.com
Internet Internet Internet Internet Internet Internet Internet
Please be aware that Thomson Reuters will not divulge IP address information in any circumstances. Doing so prevent us from changing IP addresses as and when needed without notification period and these IP addresses may not always be under our direct control. Clients should always use DNS.
24
4.2 THOMSON REUTERS EIKON FOR WEALTH MANAGEMENT PRIVATE NETWORK

It is strongly recommended that client have both Private network and Internet connection
BT Service Package
The following BT Service Packages are needed: Thomson Reuters Platform with Real Time 2.0
TCP/IP Standard Port for Thomson Reuters Hosted Private

Thomson Reuters Eikon for Wealth Management Private Network Deliver over Private Network
TCP
Administration Service Views Service News Service Streaming Service Search &Navigation Service Time Series Service Update Service Customer Zone DNS
TCP/UDP
1024+ 53 1024+ 53
DNS server
Reuters Insider requires Internet connection.
DNS Server
All Thomson Reuters Hosted deployment servers are able to resolve IP address through BT DNS and local Internet Service Provider (ISP) DNS. The following domains must be selected forwarding
DNS cp.thomsonreuters.net extranet.thomsonreuters.biz thomsonreuters.com customers.reuters.com force.com geotrust.com verisign.com reutersinsider.com reuters.com
Authorized DNS Server Extranet Extranet Internet Internet/ Extranet Internet Internet Internet Internet
Thomson Reuters Service Thomson Reuters Eikon for Wealth Manager Thomson Reuters Eikon for Wealth Manager, Customer Zone Customer Zone, Reuters Insider Customer Zone Migration tools (Knowledge Network) Certificate Validation Reuters Insider URL link in some news content, e.g. pdf.reuters.com, blogs.reutes.com, www.reuters.com Migration tools Securitized Derivative Network
salesforce.com sdn.reuters.com
Internet Internet
25
thomson.112.2o7.net trainingportal.us webex.com webtrendslive.com Note*: NGTX service package is required
Internet Internet Internet Internet
Reuters Insider Thomson Reuters E-Learning Remote Support Migration tools
Please be aware that Thomson Reuters will not divulge IP address information in any circumstances. Doing so prevent us from changing IP addresses as and when needed without notification period and these IP addresses may not always be under our direct control. Clients should always use DNS.
Uses BT DNS as shown in the table: BT DNS London New York Singapore IP Address 155.195.48.4 155.195.48.36 155.195.48.68 BT DNS FQDN londnsaa001.a.radianz.net hpggnsba001a.radianz.net sinsnsba001a.radianz.net

The client can set up as either: Set up BT Router as a default gateway or Set up the following routing to BT router
DNS BT DNS COMMENT Clients use local resolver fall-through. This relies on SERVFAIL answer from BT DNS for invalid domains. Clients with dedicated Extranet workstations can use the EDNS to take advantage of faster response BT DNS response time will be slower unless record is already in cache
CLIENT CONFIGURATION Client workstation resolver only (No Client Site DNS)
Client site DNS using selective forwarding or conditional forwarding Client site DNS using zone delegation
EDNS
EDNS
26
IP Address 155.195.48.4 155.195.48.36 155.195.48.68
REGION EMEA ASIA
FIRST DNS SERVER London Singapore
SECOND DNS SERVER New York New York
THIRD DNS SERVER Singapore London

IP Subnet 65.62.0.0/15 or - 65.62.64.0/22 - 65.62.68.0/22 - 65.63.72.0/22 155.195.48.0/22 155.195.64.0/18 Note: *NGTX service Package is needed Description / Used for EIKON Thomson Reuters Eikon for Wealth Management
BT DNS Optional DNS Service on EDNS, Customer Zone
Thomson Reuters Eikon for Wealth Management Internet and Thomson Reuters Eikon Customer Managed on Private Network
The Administration service over Private Network is able to authenticate the Internet Services. If clients have Thomson Reuters Eikon for Wealth Management over Internet and Thomson Reuters Eikon over Private network on the same site, set up the additional DNS on DNS server: DNS download.cp.thomsonreuters.net DNS Server Internet ISP/ Extranet DNS* Thomson Reuters Service Update Service
27
cp.thomsonreuters.net extranet.thomsonreuters.biz
Extranet DNS Extranet DNS
Administration Service Thomson Reuters Platform Service
* Thomson Reuters Eikon Excel for Wealth Management installation files, Hotfixes, Add-ons are downloaded from the domain download.cp.thomsonreuters.net. Clients are able to download packages from either Internet or Private network.
4.3 PROXY AND FIREWALL POLICY

Authentication Proxy
Thomson Reuters Eikon for Wealth Management does not support Authentication Proxy. Streaming Services is not able to be established streaming service through HTTP authentication process. Reuters Insider always has slow response with Authentication Proxy.
Certificate Management
See Chapter 6
FIREWALL Policy
Thomson Reuters Eikon Excel is a part of Thomson Reuters Eikon for Wealth Management. See Section 5.2 for more information.
Content filtering Policy

DNS Suffixes cp.thomsonreuters.net cp.thomsonreuters.com ia.thomsonreuters.com eikon.thomsonreuters.com eikon.extranet.thomsonreuters.biz cp.extranet.thomsonreuters.biz ia.extranet.thomsonreuters.biz customers.reuters.com customers.extranet.thomsonreuters.biz customers.thomsonreuters.com eikontest.thomsonreuters.com graphics.thomsonreuters.com reuters.com breakingviews.com sdn.reuters.com force.com salesforce.com webtrendslive.com Thomson Reuters Service Thomson Reuters Eikon for Wealth Management
Customer Zone
Thomson Reuters Eikon Excel System Test URL link in some news content e.g. pdf.reuters.com, www.reuters.com, blogs.reuters.com, www.breakingviews.com Securitized Derivatives Network Migration tools
(Knowledge network)
28
insider.thomsonreuters.com reutersinsider.com thomson.112.2o7.net

(used for analytic and report of user interactions)
Reuters Insider
training.thomsonreuters.com trainingportal.us geotrust.com verisign.com Webex.com
Thomson Reuters E-learning Certificate Validation Remote Support
29
5. INTERNET SERVICE FOR THOMSON REUTERS EIKON

5.1 INTERNET SERVICE DNS
The following DNS Suffixes are able to be resolved on internet only. It is strongly recommended that clients have Internet Connection in order to get the services. DNS public.login.cp.thomsonreuter.net blogs.reuters.com breakingviews.com link.reuters.com pdf.reuters.com r.reuters.com today.reuters.com topnews.reuters.com uk.reuters.com www.reuters.com thomsonreuters.com trainingportal.us training.thomsonreuters.com reutersinsider.com thomson.112.2o7.net force.com salesforce.com webtrendslive.com webex.com emaxx.reuters.com sdn.reuters.com autex.com autexnow.com db.dealwatch.jp europrospectus.com fixedincomelabs.com Hihifrds.com Intindex.com Lipperweb.com loanpricing.com pointcarbon.com* ReutersRealEstate.com rts.scanrate.dk Streetsight.thomson.com Stormpulse.com** tiles.virtualearth.net** Tubemogul.com tradeweb.com Geotrust.com Verisign.com Digicert.com complinet.com DNS Server Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Thomson Reuters Service Thomson Reuters Administrative Services News URL link News URL link News URL link News URL link News URL link News URL link News URL link News URL link News URL link Thomson Reuters web services Thomson Reuters E learning Thomson Reuters E learning Reuters Insider Reuters Insider Thomson Reuters Eikon Migration Tools Thomson Reuters Eikon Migration Tools Thomson Reuters Eikon Migration Tools Remote Support Bond Holdings Securitized Derivatives Network Autex Autex Deal watch Euro Prospectus Fixed Income in Thomson Reuters Eikon Treasury Community Tools International Index Company Lipper Market Insight Load Pricing Eikon Point Carbon C&E Thomson Reuters Real Estate Danish MBS Street Sight Stormpulse Weather Service Aerial and Satellite image for Interactive Map component Stormpulse Weather Service Tradeweb Certificate Management Certificate Management Certificate Management Thomson Reuters Accelus***
30
tta.thomson.com globalrelay.com
Internet ISP Internet ISP
Thomson Reuters Transacation Analytics*** Thomson Reuters Messaging Compliance***
* Eikon Point Carbon will be integrated in Q1, 2012. **Interactive Map component, a new object will be available early 2012 ***Thomson Reuters Eikon for Compliance Management services only Please be aware that Thomson Reuters will not divulge IP address information in any circumstances. Doing so prevent us from changing IP addresses as and when needed without notification period and these IP addresses may not always be under our direct control. Clients should always use DNS.
5.2 FIREWALL POLICY

If you use Thomson Reuters Messaging 8.x and Thomson Reuters Eikon on the same machine, see the Thomson Reuters Messaging 8 Firewall/IP Guide in https://customers.reuters.com/a/support/paz/pazDocs.aspx?dId=389804
Content Filtering Policy

If you set up a policy for Content Filtering on the Internet Proxy or Firewall, the following DNS suffixes must be set to ALLOW for Thomson Reuters Eikon. DNS Suffixes thomsonreuters.com thomsonreuters.net reuters.com autex.com autexnow.com breakingviews.com collab.thomsonreuters.com cp.thomsonreuters.com cp.thomsonreuters.net customers.reuters.com customers.thomsonreuters.com db.dealwatch.jp digicert.com eikon.thomsonreuters.com eikontest.thomsonreuters.com europrospectus.com fitrading.reuters.com fixedincomelabs.com force.com fxtrading.reuters.com geotrust.com graphics.thomsonreuters.com hihifrds.com Thomson Reuters Service Thomson Reuters Web Services Thomson Reuters Web Services Thomson Reuters Web Services Autex Autex Breaking News Collaboration Service Thomson Reuters Eikon and Thomson Reuters Eikon for Wealth Management Thomson Reuters Eikon and Thomson Reuters Eikon for Wealth Management Customer Zone Customer Zone Internet ISP Certificate Revocation Validation Thomson Reuters Eikon and Thomson Reuters Eikon Wealth management System Test Internet ISP Trading Service, System Test Fixed Income tools Thomson Reuters Eikon Migration tools
(Knowledge network)
Trading Service, System Test GeoTrust Certificate Revocation Validation System Test Treasury Community Tools
31
ia.thomsonreuters.com insider.thomsonreuters.com Intindex.com Lipperweb.com loanpricing.com pointcarbon.com reutersinsider.com ReutersRealEstate.com rtextrading.reuters.com rts.scanrate.dk salesforce.com stormpulse.com streetsight.thomson.com thomson.112.2o7.net tiles.virtualearth.net tradeweb.com trading.thomsonreuters.net trainingportal.us traininig.thomsonreuters.com Tubemogul.com verisign.com webex.com
Thomson Reuters Eikon Wealth Management Reuters Insider International Index Company Lipperweb Loan Pricing Eikon Point Carbon Reuters Insider Thomson Reuters Real Estate Trading Service, System Test Internet ISP Thomson Reuters Eikon Migration tools
(Knowledge network)
Strom Pulse Thomson Street sight Reuters Insider

(used for analytic and report of user interactions)
Aerial and Satellite image for Interactive Map component Trade web Trading Service, System Test Thomson Reuters E-learning Thomson Reuters E-learning Internet ISP Verisign Certificate Revocation Validation Remote Support
Note: Customers can use thomsonreuters.com and reuters.com instead of adding multiple entries from the table. The multimedia news service, Reuters Insider, uses the Akamai Content Delivery Network (CDN), the 3 party service provider, to cache and distribute dynamic and static content through thousands of Edge servers. Due to the dynamic nature of the Akamai CDN, the user is dynamically directed to the Akamai Edge servers that offer the best performance. Therefore please allow content for Content-Type =application/x-fcs for Reuters Insider.
rd
Personal Firewall
If you use a personal firewall, please ensure that the Firewall allows those processes:
PROCESS NAME SERVICES
Kobra.exe
Thomson Reuters Eikon Desktop
Excel.exe
Thomson Reuters Eikon Excel
Rdmc.exe
System Test
Agent.exe
Thomson Reuters Update Services
32
Isdm.exe
Thomson Reuters Update Services
Jre.exe
Trading Services
Note: Kobra.exe and Jre.exe are not available on Thomson Reuters Eikon for Wealth Management
5.3 WEB PROXY AUTO-DISCOVERY PROTOCOL (WPAD)

Thomson Reuters Eikon does not support the Web Proxy Auto-Discovery Protocol (WPAD). The Update Agent cannot connect to the dedicated proxy server indicated in the WPAD file; as a consequence, users are not able to install Thomson Reuters Eikon or upgrade to the latest Service Releases or Hotfixes. The issue is under investigation by our development teams.
5.4 REUTERS INSIDER

Reuters Insider does not support delivery over Private Delivery connections because internet delivery offers greater scalability, is more cost effective for clients and it's not prudent for video streaming to share the same connection as time-critical data. Many proxy and enterprise network monitoring tools allow bandwidth management of video internet traffic and these can be used to control quality and quantity risks associated with the internet delivery method. Reuters Insider uses the Akamai Content Delivery Network (CDN), the 3 party service provider, to cache and distribute dynamic and static content through thousands of Edge servers. Due to the dynamic nature of the Akamai CDN, the user is dynamically directed to the Akamai Edge servers that offer the best performance. Therefore please allow content for Content-Type =application/x-fcs for Reuters Insider.
rd
NTLM Authentication
It is advisable to allow Reuters Insider to bypass NTLM authentication, as we have experienced authentication timeouts with Flash-based applications with a number of clients when NTLM authentication is enabled. For additional information, visit https://kb.bluecoat.com/index?page=content&id=KB3243&actp=LIST
Timeouts or Disconnections
If Reuters Insider video streams occasionally time out or disconnect and it does not appear to be an issue with your proxy, the problem might be caused by: A default setting in Internet Explorer versions 6 or 7 that limits the user to two concurrent connections to a server. As Reuters Insider is a feature rich multimedia platform, it sometimes requires more than two concurrent connections. This is a known limitation of these versions of Internet Explorer; the Microsoft article at the following URL explains how to increase this value: http://support.microsoft.com/kb/282402.
5.5 THOMSON REUTERS EIKON FOR COMPLIANCE MANAGEMENT

Content Filtering
For Thomson Reuters Eikon for Compliance Management, it is necessary that client allow the additional DNS suffix from section 5.2
DNS SUFFIX SERVICES
complinet.com
Thomson Reuters Accelus
33
tta.thomson.com compliance.collab.thomsonreuters.com ecm-archiver.globalrelay.com
Thomson Reuters Transaction Analytics Thomson Reuters Messenger Compliance Administration Portal Thomson Reuters Messenger Compliance Global Relay Reviewer Portal
5.6 INTERNET OPTIONS SETTING

Advanced Option
Enable Use HTTP1.1 Enable Use HTTP 1.1 through proxy connections
Disable Do not save encrypted pages to disk
34
Check Certificate Revocation

Web installation is will fail if certificate revocation check is turned on and Internet cannot be reached. Refer to the following table for recommended actions.
CLIENT SITE Client without Internet access and Thomson Reuters Hosted Private
ADVISE Advise to disable the following IE options Check for publishers certificate revocation Check for server certificate revocation Check for signatures on downloaded programs
35
Note: the setting is per-user, unless locked by IT policies. Client with Internet access For security reason, client should enable those options.
36
6 THOMSON REUTERS EIKON CERTIFICATE MANAGEMENT

For security purposes, servers, Thomson Reuters Eikon package and Thomson Reuters Eikon Excel for Wealth Management package requires up to date certificates at installation, update and start-up. To ensure access to Thomson Reuters at all time, it is crucial that you validate the Certificate Management approach most appropriate to your network. With the SSL certificate, it is required to validate the status of the certificates used when performing authentication, signing or encryption operations. Failures to validate the certificates prevent the product working. The validation can be either CRL or OCSP based on the client Operating System. See more information in Appendix D. It is necessary the certificates be validated through Internet or Internal Certificate Infrastructure, Microsoft Online Responder, OCSP Proxy and etc., unless delegated to an internal certificate management system You have to ensure that the certificate validation process can be updated from both *.geotrust.com *.verisign.com
Microsoft provides a number of white papers how to set trust relationship within a closed network. Starting point is here: Certificate Status and Revocation Checking (Windows XP): http://social.technet.microsoft.com/wiki/contents/articles/certificate-status-and-revocationchecking.aspx How Certificate Revocation Work (Windows 7, Windows 2008) http://technet.microsoft.com/engb/library/ee619754(WS.10).aspx Windows root Certificate Program: http://support.microsoft.com/kb/931125
6.1 THOMSON REUTERS EIKON CERTIFICATES AUTHORITIES

Thomson Reuters Eikon uses root certificates are shown as
TRUSTED ROOT CERTIFICATE AUTHORITIES Verisign Verisign: Class 3 Public Primary Certificate Authority G2 Verisign Class 3 Public Primary Certificate Authority G5 Equifax* GeoTrust Thawte DigiCert** Equifax Secure Certificate Authority GeoTrust Glocal CA Thawte Timestamping CA DigiCert High Assurance EV Root CA DigiCert High Assurance CA-3 GeoTrust SSL CA INTERMEDIATE CERTIFICATE AUTHORITIES Verisign Class 3 Secure Server CA- G2
http://crl.verisign.com/SVRSecureG2.cer http://crl.verisign.com/SVRSecureG3.cer
VeriSign Class 3 Secure Server CA-G3
Note: *Equifax Secure Certificate Authority is replacing by GeoTrust Global CA **DigiCert is used for Eikon Carbon Point which will be integrated in Eikon by Q1, 2012. The Trusted root certificates that are required by Microsoft Windows is listed in KB 293781, http://support.microsoft.com/kb/293781 It is necessary that all of them are available on the machine.
37
6.2 THOMSON REUTERS EIKON FOR WEALTH MANAGEMENT CERTIFICATES AUTHORITIES

Thomson Reuters Eikon for Wealth Management uses root certificates as
TRUSTED ROOT CERTIFICATE AUTHORITIES Verisign Verisign: Class 3 Public Primary Certificate Authority G2 Verisign Class 3 Public Primary Certificate Authority G5 Equifax* GeoTrust Thawte Equifax Secure Certificate Authority GeoTrust Glocal CA Thawte Timestamping CA GeoTrust SSL CA INTERMEDIATE CERTIFICATE AUTHORITIES Verisign Class 3 Secure Server CA- G2
http://crl.verisign.com/SVRSecureG2.cer http://crl.verisign.com/SVRSecureG3.cer
VeriSign Class 3 Secure Server CA-G3
Note: *Equifax Secure Certificate Authority is replacing by GeoTrust Global CA
The Trusted root certificates, required by Microsoft Windows, are listed in Microsoft KB 293781, http://support.microsoft.com/kb/293781 It is necessary that all of them are available on the machine.
6.3 TESTING TRUSTED ROOT CERTIFICATE

The Trusted Root can be tested from the following URL
TRUSTED ROOT CERTIFICATE Verisign: Class 3 Public Primary Certificate Authority G2 Verisign Class 3 Public Primary Certificate Authority G5 Equifax Secure Certificate Authority GeoTrust Glocal CA DigiCert High Assurance EV Root CA TEST URL https://ssltest24.bbtest.net https://ssltest2.bbtest.net https://ssltest11.bbtest.net https://ssltest15.bbtest.net https://ev-root.digicert.com/testroot/
38
APPENDIX A: LIST OF DEVICE TCP/IP INFORMATION

This Appendix shows all device information.
TIME SERIES PROXY TCP/IP PORT

Services Management SNMP Thomson Reuters Eikon Time Series Service Network Port TCP/UDP: 8082, 8085 SSH: 22 161/ UDP HTTP HTTP Note
STREAMING PROXY TCP/IP PORT

Network components Network components connect to the ports on Streaming Proxy Dynamic Dynamic Dynamic TCP: 14002 TCP: 8603, 7011 TCP: 8603, 7011 TCP: 80 TCP: 8101 Ports to be opened in Streaming Proxy 22, 9510, 9514, 9515 / TCP Streaming Proxy connects to the ports on the network components TCP: 2000, 8801 TCP: 14002 TCP: 8101 Dynamic TCP: 8603, 7011 TCP: 8603, 7011 TCP: 80 Dynamics Ports to be opened in other devices Note
RSS HMDS RWS Thomson Reuters Eikon Application Console SMF Update Proxy Dealing Key station GMI components SSH Traffic, CAS Agent Manager Traffic CAS Agent Manager Traffic; Inventory Collector Traffic SNMP Gets SNMP Traps Precision / IP Traffic ICMP SSH Traffic Probe Rule Traffic Syslog Message Data/File Retrieval from PAWZ Agent / PAWZ Agent Profile Update PAWZ Real Time Agent Data FTA
Note TPM Server
9511, 9512, 9513, 9080 /TCP 161 / UDP 3306, 4100, 7600, 32972 / TCP ICMP 22 / TCP 162 / UDP 3306, 4100, 7600, 32972 / TCP ICMP 80 / TCP 514 / TCP, 514 / UDP 1661 / TCP
TPM Server NetCool Server NetCool Server NetCool Server NetCool Server NerCool Server NetCool Server NetCool Server PAWZ Server
2102 / TCP 1661 / TCP
PAWZ Server FTA Server
39
ePO Microsoft Windows Server Activation
8902, 8903 / UDP Ports to be opened in Streaming Proxy
8900 / UDP Ports to be opened in other devices 1688/ TCP
ePO Server Note KMS Server
REUTERS INSIDER FIREWALL PORT ALLOWED

HTTP 80 HTTPS 443 One of these ports (80, 443, 1935) must be open for RTMP to live.flash.insider.thomsonreuters.com
BT ROUTING FOR THOMSON REUTERS MANAGED DEVICE
IP SUBNET 65.62.0.0 / 15
DOMAIN/SYSTEM Spring Servers (Ex Client WAN Range) Super net (Aggregated Prefix)
DESCRIPTION/USED FOR TR EIKON Spring Server Ex Client WAN Range contains - 65.62.64.0/22 Range1 - 65.62.68.0/22 Range 2 - 65.63.72.0/22 Range 3 Reuters server range 3 Contain (Spring Servers (Ex Client WAN range 4, Reuters servers CAA18 Reuters servers range 01 Reuters servers range 01 Global Management Infrastructure (GMI) Spring Reuters Servers Range 2 (198.206.86.0/23), Reuters client range 06 FCE clients range 04 Spring Reuters servers range 3
67.56.0.0 / 15 75.124.0.0 / 16
Reuters servers range 03 Reuters servers CAA15
75.96.96.0 / 20 155.195.48.0 / 22 155.195.64.0 / 18 159.220.192.0 /20
Reuters servers CAA18 Reuters servers range 01 Reuters servers range 01 Global Management Infrastructure (GMI) Reuters client range 10 Reuters client range 06 FCE clients range 04 Spring Reuters servers range 3
198.206.64.0 /18 198.210.128.0 /17 204.109.128.0 /17 206.60.0.0 /16
SAVVIS NETWORK INFORMATION FOR THOMSON REUTERS MANAGED DEVICE

IP Subnet 159.220.0.0/16 192.155.40.64/30 Note Thomson Reuters Managed NTP Server
40
192.155.136.0/21
Thomson Reuters Platform Services, DNS
SERVICES NTP Server
HOST NAME NTCP-NTP201 NTCP-NTP202
IP ADDRESS 192.155.40.64 192.155.40.66 192.155.129.54
EPO Server
DTCP-EPO0001.session.rservices.com
41
APPENDIX B: LIST OF SWITCH ALLOCATION ON BT SWITCH (VLAN)

Recommended IP address for Streaming Proxy Server and Time Series Proxy on Private Delivery managed VLAN switch These are recommended IP Address for Streaming Proxy Server and Time Series Proxy devices connecting to the BT Managed VLAN Switch. A different network range should only be used if the suggested IP address range conflicts with your internal network.
IP Address (Option A) 172.31.11.1 /24 172.31.11.11 /24 172.31.11.12 /24 172.31.11.13 /24 172.31.11.14 /24 172.31.11.15 /24 172.31.11.10 /24 172.31.12.1 /24 172.31.12.11 /24 172.31.12.12 /24 172.31.12.13 /24 172.31.12.14 /24 172.31.12.15 /24 172.31.12.10 /24 172.25.10.1 /24 172.25.10.11 /24 172.25.10.13 /24 172.25.10.15 /24 172.25.10.9 /24 172.25.10.2 /24 172.25.10.12 /24 172.25.10.14 /24 172.25.10.16 /24 172.25.10.10 /24 IP Address (Option B) 192.168.11.1 /24 192.168.11.11 /24 192.168.11.12 /24 192.168.11.13 /24 192.168.11.14 /24 192.168.11.15 /24 192.168.11.10 /24 192.168.12.1 /24 192.168.12.11 /24 192.168.12.12 /24 192.168.12.13 /24 192.168.12.14 /24 192.168.12.15 /24 192.168.12.10 /24 192.168.20.1 /24 192.168.20.11 /24 192.168.20.13 /24 192.168.20.15 /24 192.168.20.9 /24 192.168.20.2 /24 192.168.20.12 /24 192.168.20.14 /24 192.168.20.16 /24 192.168.20.10 /24
Device SPX / TSP (No Converge-VLAN130) Switch 1 - IDN-DAF VLAN Sub Interface Address Switch 1 port 9 1st client SPX / TSP Switch 1 port 10 3rd client SPX / TSP Switch 1 port 11 5th client SPX / TSP Switch 1 port 12 7th client SPX / TSP Switch 1 port 13 9th client SPX / TSP Switch 1 port 14 Network Monitor SPX / TSP (No Converge-VLAN130) Switch 2 - IDN-DAF VLAN Sub Interface Address Switch 2 port 9 2nd client SPX / TSP Switch 2 port 10 4th client SPX / TSP Switch 2 port 11 6th client SPX / TSP Switch 2 port 12 8th client SPX / TSP Switch 2 port 13 10th client SPX / TSP Switch 2 port 14 Network Monitor SPX / TSP (Standard Converge-VLAN160) Switch 1 - IDN-SAF VLAN Sub Interface Address Switch 1 port 17 1st client SPX / TSP Switch 1 port 18 3rd client SPX / TSP Switch 1 port 19 5th client SPX / TSP Switch 1 port 14 - Network Monitor SPX / TSP (Standard Converge-VLAN160) Switch 2 - IDN-SAF VLAN Sub Interface Address Switch 2 port 17 2nd client SPX / TSP Switch 2 port 18 4th client SPX / TSP Switch 2 port 19 6th client SPX / TSP Switch 2 port 14 - Network Monitor
VLAN HSRP N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 172.25.10.3 /24
VLAN HSRP N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 192.168.20.3 /24
172.25.10.3 /24
192.168.20.3 /24
42
APPENDIX C: LOCAL DNS CONFIGURATION TO SUPPORT NETWORK FAILOVER (PRIVATE DELIVERY TO INTERNET)*
*This configuration should only apply in case of BT MPLS failover i.e. not something to setup by default.
Configuration Microsoft Windows 2003 Server DNS for Selective Forwarding

NOTE: Microsoft refers to this as Conditional Forwarding For Forwarders tab, all other DNS domains, the forwarder IP Address list is containing eDNS and Internet DNS. As figure below (155.195.76.4 is eDNS server and 203.144.207.29 is Internet ISP DNS).
For the cp.thomsonreuters.net suffix, The forwarder IP address list needs add both eDNS and Internet ISP DNS. Add both DNS Providers because when the primary (Private Delivery) Infrastructure is fail, it will use Internet ISP DNS to resolve instead.
43
For the extranet.thomsonreuters.biz suffix, The forwarder IP address list needs add both eDNS only.
For the thomsonreuters.com suffix, The forwarder IP address list needs add both Internet ISP DNS only.
44
Configuration Microsoft Windows 2003 Server DNS for Delegation For the extranet.thomsonreuters.biz suffix
To Delegate this domain create a new Forward Lookup Zone (Standard Primary) called thomsonreuters.biz as the step showing below: 1. Right Click on Forward Lookup Zone to create new zone
2. Click next
45
3. Select Primary zone and Click Next
4. Input zone name thomsonreuters.biz and Click next
46
5. Create a new file with file name (default) and Click next
6. Select Do not allow dynamic updates and Click next
47
7. Click Finish
8. The domain thomsonreuters.biz is created
48
9. Create New Delegation by Right Click on thomsonreuters.biz domain
10. Windows Wizard pop up and Click next
49
11. Enter extranet in the Delegated domain and Click next
12. Click Add to add the DNS server
50
13. Enter the eDNS server name into the FQDN, Click Resolve to get the IP Address and Click OK
14. Click next
51
15. Click Finish
Repeat create cp.thomsonreuters.com domain for delegated domain.
The Local DNS server has two delegated domains as below
52
Forwarding DNS for cp.thomsonreuters.net domain
NOTE: It is not recommended to delegate the Universal Domains and Global Universal Domains, cp.thomsonreuters.net, since this breaks failover from MPLS to Internet. Please use forwarding DNS for cp.thomsonreuters.net
53
APPENDIX D: CERTIFICATE REVOCATION CONCEPT

Public key infrastructure (PKI) consists of multiple components, including certificates, certificate revocation lists (CRL), and certification authorities (CA). ). In most cases, applications that depend on X.509 certificates, such as Secure/Multipurpose Internet Mail Extensions (S/MIME), Secure Sockets Layer (SSL), and smart cards, is required to validate the status of the certificates used when performing authentication, signing, or encryption operations. The certificate status and revocation checking is the process by which the validity of certificates is verified based on two main categories: time and revocation status. Time. Certificates are issued for a fixed period of time and considered valid as long as the expiration date of the certificate is not reached, unless revoked before that date. Revocation status. Certificates can be revoked before their expiration date because of multiple reasons such as key compromise or suspension. Before performing any operation, applications often validate that the certificate was not revoked. Windows XP and Windows 2003 support only CRL. Windows Vista, Windows 7 and the Windows 2008 support both CRL and OCSP as a method of determining certificate status. The OCSP support includes both the client component as well as the Online Responder, which is the server component.
Certificate Revocation Checking

When an application performs a certificate evaluation, the validation is performed on all certificates in that certificate's chain. This includes every certificate from the end-entity certificate presented to the application to the root certificate. When the first certificate in the chain is validated, the following process takes place: 1. The certificate chaining engine attempts to build the chain for the certificate inspected by querying the local certificate store or by downloading from one of the URLs available in the inspected certificate's authority information access extensions. 2. For all certificate chains that end in a trusted root, all certificates in the chain are validated. This involves the following steps: - Verify that each certificate's signature is valid. - Verify that the current date and time fall within each certificate's validity period. - Verify that each certificate is not corrupt or malformed. 3. Each certificate in the certificate chain is checked for revocation status. Revocation checking is performed either by using a CRL or OCSP, based on the certificate configuration. After the validation check is completed, the certificate chaining engine returns the results of the validation check to the application that originated the validation request. The results will indicate if all certificates in the chain are valid, if the chain terminates at a non-trusted root CA, if any certificates in the chain are not valid, or if the revocation status for any of the certificates in the chain cannot be determined. For more information, see Certificate Revocation and Status Checking in http://go.microsoft.com/fwlink/?LinkID=27081
CRL
A CRL is a file, created and signed by a CA that contains serial numbers of certificates that have been issued by that CA and are revoked. In addition to the serial number for the revoked certificates, the CRL also contains the revocation reason for each certificate and the time the certificate was revoked. Currently, two types of CRL exist: base CRL and delta CRL. Base CRL maintain a complete list of revoked certificates while delta CRL maintain only those certificates that have been revoked since the last publication of a base CRL. The major drawback of CRL is their potentially large size, which limits the scalability of the CRL approach. The large size adds significant bandwidth and storage burdens to the CA and relying party, and therefore limits the ability of the system to distribute the CRL. Bandwidth, storage space, and CA processing capacity
54
can also be negatively affected if the publishing frequency gets too high. Numerous attempts have been made to solve the CRL size issue through the introduction of partitioned CRL, delta CRL, and indirect CRL. All these approaches have added complexity and cost to the system without providing an ideal solution to the underlying problem. Another drawback of CRL is latency; because the CRL publishing period is predefined, information in the CRL might be out of date until a new CRL or delta CRL is published.
OCSP
OCSP is a Hypertext Transfer Protocol (HTTP) that allows a relying party to submit a certificate status request to an OCSP responder. This returns a definitive, digitally signed response indicating the certificate status. The amount of data retrieved per request is constant regardless of the number of revoked certificates in the CA. Most OCSP responders get their data from published CRL and are therefore reliant on the publishing frequency of the CA. Some OCSP responders can, however, receive data directly from the CA's certificate status database and consequently provide near real-time status. Scalability is the major drawback of the OCSP approach. Since it is an online process and is designed to respond to single certificate status requests, it results in more server hits, requiring multiple and sometimes geographically dispersed servers to balance the load. The response signing and signature verification processes also take time, which can adversely affect the overall response time at the relying party. Finally, since the integrity of the signed response depends on the integrity of the OCSP responder's signing key, the validity of this key must also be verified after a response is validated by the client.
Troubleshooting
Thomson Reuters Eikon uses Microsoft Crypto API to check and download Certificate Revocation (CRL) from a CRL distribution point. The Crypto API internally uses the WinHTTP API to download the HTTP based URL for the CRL distribution point. If the proxy is not reachable or is incorrect, WinHTTP will not be able to download the CRL. The certificate revocation check will fail. Thomson Reuters Eikon does not create any secure connection to the platform which causes the program shutdown or get an error message. The logic to discover a Proxy server is as following: 1. Check the static proxy settings.
WINDOWS Windows XP Windows Vista, Windows 7 COMMAND Proxycfg.exe Netsh.exe winhttp show proxy
2. If there is no static proxy setting, API tries to retrieve the Internet Explorer setting on the following order. The following registry locations are queried based on the executing identity:
REGISTRY KEY Current User NETWORK SERVICE LOCAL SYSTEM LOCAL SERVICE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings
55
Any Other user
HKEY_USERS\<<SID of that user>> \Software\Microsoft\Windows\CurrentVersion\ Internet Settings
3. If the Internet Explorer proxy settings are not present for the executing user or if the Internet Explorer settings as indicate in - Automatically detect settings - Use automatic configuration script The Crypto API will try to automatically discover a proxy for the CRL. This will either return specific proxy information or return 'no proxy' if the automatic proxy discovery fails or if the URL does not require a proxy. More information, see Microsoft KB 2623724 as in http://support.microsoft.com/kb/2623724
WinHTTP Proxy Configuration

The WinHTTP proxy configuration utility, proxycfg.exe, configures WinHTTP to access HTTP and HTTPS servers through a proxy server on Windows XP. An administrator can use the proxycfg.exe utility as part of the deployment and installation process of an application that uses WinHTTP. The administrator who runs proxycfg.exe must have local administrator privileges so that proxycfg.exe can update the registry of the local computer. WinHTTP proxy settings are per-machine, not per-user. For Windows Vista, Windows 2008 and Windows 7, use Netsh.exe winhttp instead of proxycfg.exe. Netsh.exe requires administrative rights to modify machine configuration.
Usage
The following examples show the syntax use for various commands in the proxycfg.exe utility.
COMMAND LINE Proxycfg Proxycfg d Proxycfg u Proxycfg p proxy-server-list optional-by-pass-list DESCRIPTION Display the current WinHTTP proxy settings Set direct access Import proxy setting from current users Internet Explorer manual settings Specify one or more proxy server and optional list of hosts that should be accessed directly.
The following examples show the syntax use for various commands for Windows Vista and Windows Seven
COMMAND LINE Netsh winhttp show proxy Netsh winhttp reset proxy Netsh winhttp import proxy source=ie Netsh winhttp set proxy proxy-server bypass-list= optional-by-pass-list Netsh winhttp set proxy proxy-server= proxy-server-list bypass-list= optional-by-pass-list DESCRIPTION Display the current WinHTTP proxy settings Set direct access Import proxy setting from current users Internet Explorer manual settings Specify one proxy server and optional list of hosts that should be accessed directly. Specify one or more proxy server and optional list of hosts that should be accessed directly.
56
PARAMETER Proxy-server-list
DESCRIPTION OF USE Proxy are list in a specific protocol as Windows XP: protocol=http://proxy_name:port Windows Vista and Seven: protocol=proxyname:port; where protocol is either http or https and proxy_name is the name of the proxy server.
Optional-bypass-list
The list contains host names or IP address that is locally known. This list can contain wildcards, "*", that cause the application to bypass the proxy server for addresses that fit the specified pattern. For example, both "*.microsoft.com" and "*.org" are acceptable wildcard patterns. Wildcard characters must be the left-most characters in the list, so "myserver.*" is not supported. To list multiple addresses and host names, separate them with blank spaces or semicolons in the proxy bypass string. If the "<local>" macro is specified, the function bypasses any host name that does not contain a period.
Example on Windows XP
Import the current Internet Proxy setting to WinHTTP (for manual setting on Internet Explorer only)
C:\> proxycfg -u Microsoft (R) WinHTTP Default Proxy Configuration Tool Copyright (c) Microsoft Corporation. All rights reserved.
Updated proxy settings Current WinHTTP proxy settings under: HKEY_LOCAL_MACHINE\ SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\ WinHttpSettings :
Proxy Server(s) : 10.42.72.142:8080
Set up proxy1.test.com as a proxy for WinHTTP and bypass proxy for the local domain, *.extranet.thomsonreuters.biz and *.thomsonreuters.net
c:\>proxycfg -p proxy1.test.com "<local>;*.extranet.thomsonreuters.biz;*.thomsonreuters.net" Microsoft (R) WinHTTP Default Proxy Configuration Tool Copyright (c) Microsoft Corporation. All rights reserved.
Updated proxy settings Current WinHTTP proxy settings under: HKEY_LOCAL_MACHINE\
57
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\ WinHttpSettings :
Proxy Server(s) : proxy1.test.com Bypass List : <local>;*.extranet.thomsonreutes.biz;*.thomsonreutes.net
Set up Proxy1.test.com for a http protocol on port 80 and Proxy2.test.com for https protocol on port 3128 . And direct access to the local domain, *.extranet.thomsonreuters.biz and *.thomsonreuters.net
C:\> proxycfg -d "http=proxy1.test.com:8080 https=proxy2.test.com:3128" <local>;*.extranet.thomsonreuters.biz;*.thomsonreuters.net" Microsoft (R) WinHTTP Default Proxy Configuration Tool Copyright (c) Microsoft Corporation. All rights reserved.
Proxy Server(s) : http=proxy1.test.com:8080 https=proxy2.test.com:3128 Bypass List : <local>;*.extranet.thomsonreuters.biz;*.thomsonreuters.net
Clear the WinHTTP configuration

C:\> proxycfg -d Microsoft (R) WinHTTP Default Proxy Configuration Tool Copyright (c) Microsoft Corporation. All rights reserved.
Direct access (no proxy server).
58
Example on Windows Vista and Windows 7

Import the current Internet Proxy setting to WinHTTP (for manual setting on Internet Explorer only)
C:\> netsh winhttp import proxy source=ie Current WinHTTP proxy settings under: Proxy Server(s) : 10.42.72.142:8080 Bypass List: <local>
Set up proxy1.test.com as a proxy for WinHTTP and bypass proxy for the local domain, *.extranet.thomsonreuters.biz and *.thomsonreuters.net
c:\>netsh winhttp set proxy proxy1.test.com bypass-list ="<local>; *.extranet.thomsonreuters.biz;*.thomsonreuters.net" Current WinHTTP proxy settings under: Proxy Server(s) : proxy1.test.com Bypass List : <local>;*.extranet.thomsonreutes.biz;*.thomsonreutes.net
Set up Proxy1.test.com for a http protocol on port 80 and Proxy2.test.com for https protocol on port 3128 . And direct access to the local domain, *.extranet.thomsonreuters.biz and *.thomsonreuters.net
C:\>netsh winhttp set proxy proxy-server="http=proxy1.test.com:8080; https=proxy2.test.com:3128" bypass-list= <local>;*.extranet.thomsonreuters.biz;*.thomsonreuters.net" Current WinHTTP proxy settings under: Proxy Server(s) : http=proxy1.test.com:8080; https=proxy2.test.com:3128 Bypass List : <local>;*.extranet.thomsonreuters.biz;*.thomsonreuters.net
Clear the WinHTTP configuration

C:\> netsh winhttp reset proxy Current WinHTTP proxy settings: Direct access (no proxy server).
59
60

Eikon Networking Guide v2.11

Diunggah oleh

Informasi Dokumen

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

Eikon Networking Guide v2.11

Diunggah oleh

Hak Cipta:

Format Tersedia

THOMSON REUTERS EIKON NETWORKING GUIDE

THOMSON REUTERS EIKON NETWORKING GUIDE

Document Version 2.11 Date of issue: 27 March 2012

Thomson Reuters Eikon Networking Guide

14 Jun 2010 6 Feb 2011

7 Feb 2011 23 Feb 2011

Document Version 2.11 Date of issue: 27 March 2012

Thomson Reuters Eikon Networking Guide

Document Version 2.11 Date of issue: 27 March 2012

Thomson Reuters Eikon Networking Guide

Document Version 2.11 Date of issue: 27 March 2012

Thomson Reuters Eikon Networking Guide

Document Version 2.11 Date of issue: 27 March 2012

Thomson Reuters Eikon Networking Guide

ABOUT THIS DOCUMENT

Document Version 2.11 Date of issue: 27 March 2012

Thomson Reuters Eikon Networking Guide

Document Version 2.11 Date of issue: 27 March 2012

Thomson Reuters Eikon Networking Guide

1. THOMSON REUTERS HOSTED DEPLOYMENT

Thomson Reuters Hosted

DNS Server for Thomson Reuters Eikon Hosted Internet

Proxy and Firewall Policy

Document Version 2.11 Date of issue: 27 March 2012

Thomson Reuters Eikon Networking Guide

Web Proxy Auto-Discovery Protocol (WPAD)

EXE Download Policy

For installation bootstrap, system Test standalone over Internet

For Thomson Reuters Eikon packages on Update Service

Document Version 2.11 Date of issue: 27 March 2012

Thomson Reuters Eikon Networking Guide

Internet Service for Thomson Reuters Eikon

Certificate Revocation List Validation

1.2 THOMSON REUTERS HOSTED PRIVATE NETWORK

TCP/IP Standard Port for Thomson Reuters Hosted Private

Thomson Reuters Hosted Private Deliver over Private Network

1024+ 10240 1024+ 10240

Reuters Insider is not available on this delivery mode.

The DNS server configuration are as following:

Document Version 2.11 Date of issue: 27 March 2012

Thomson Reuters Eikon Networking Guide

BT DNS London New York Singapore

IP Address 155.195.48.4 155.195.48.36 155.195.48.68

BT DNS FQDN londnsaa001.a.radianz.net hpggnsba001a.radianz.net sinsnsba001a.radianz.net

BT Private Network Routing

155.195.48.0/22 155.195.64.0/18 204.109.128.0/17 or 204.109.109.224.0/21

Document Version 2.11 Date of issue: 27 March 2012

Thomson Reuters Eikon Networking Guide

Internet Service for Thomson Reuters Eikon

Certificate Revocation List Validation

Document Version 2.11 Date of issue: 27 March 2012

Thomson Reuters Eikon Networking Guide

2. THOMSON REUTERS MANAGED DEPLOYMENT

Thomson Reuters Managed Profile Deliver over Private Network

Streaming Service Update Service

Thomson Reuters Platform

1024+ 1024+ 1024+ 1024+

Time Series Proxy

1024+ 10240 1024+ 10240 TCP/UDP

Contribution Service on CFI server through InsertLink, Eikon Excel DNS

Document Version 2.11 Date of issue: 27 March 2012

Thomson Reuters Eikon Networking Guide

DNS resource name lookup

Internet Service for Thomson Reuters Eikon