Eikon Networking Guide v2.11
Short Description
Download Eikon Networking Guide v2.11...
Description
THOMSON REUTERS EIKON NETWORKING GUIDE
THOMSON REUTERS EIKON NETWORKING GUIDE
Document Version 2.11 Date of issue: 27 March 2012
Thomson Reuters Eikon Networking Guide
REVISION HISTORY DATE
VERSION
REVISION DETAILS
14 Jun 2010
1.0
First Release version
6 Feb 2011
2.0
- Update and reformat document - Add Proxy and Firewall Policy - Update DNS table
7 Feb 2011
2.01
- Add Verisign and GeoTrust in Content Filtering Policy
23 Feb 2011
2.02
-Add Reuters Insider information -Add Certificate Management -Add Certificate Revocation concept in Appendix -Add Private Network Routing table -Add TCP/IP port 10240 for CFI -Update DNS table -Remove List of Thomson Reuters Eikon Host from Appendix
2 Mar 2011
2.03
-Add IP address divulge policy in DNS section -Correct DNS host name for Reuters Insider -Correct TCP/IP port for CFI
21 Apr 2011
2.04
-Add ia.thomsonreuters.com Domain -Add eikontest.thomsonreuters.com for System Test -Add Appendix E WinHTTP Proxy configuration -Add WPAD issue on Thomson Reuters Hosted -Correct information on Certificate Revocation through WinHTTP -Add Certificate Revocation list validation and WinHTTP
24 May 2011
2.05
-Add graphics.thomsonreuters.com for System Test -Add training.thomsonreuters.com for Knowledge network -Add saleforce.com and force.com for Knowledge Network -Add section 3.3 DACS Daemon services for RTIC connection -Add more information on service on Content filtering
14 July 2011
2.06
-Add customers.reuters.com not available on Savvis network -Correct on Certificate management typo mistake -Update BT routing table for Thomson Reuters Eikon and Thomson Reuters Eikon Wealth Management - Add Section Thomson Reuters Hosted Private deployment - Update DNS table for Eikon for Wealth Management due to the streaming service change in August 2011
29 Sep 2011
2.07
-Update Savvis Private Network information -Add a new chapter, Thomson Reuters Eikon for Wealth Management -Change thomsonreuters.com DNS suffix to Internet -Add DNS table for Savvis -Change pdf.reuters.com domain to reuters.com domain as news content have multiple link e.g. pdf.reuters.com, link.reuters.com, r.reuters.com, blogs.reuters.com, www.reuters.com, etc. - Add Section 1.3Thomson Reuters Hosted Internet and Customer Managed -Add Jre.exe to Personal Firewall table in order to fix an issue on Aviva program
4 Nov 2011
2.08
-Provide some news URL instead of reuters.com -Correct Thomson Reuters Eikon for Wealth Management DNS table -Update Appendix A
12 Dec 2011
2.09
- Add the Internet DNS for Eikon 2.0
Document Version 2.11 Date of issue: 27 March 2012
2
Thomson Reuters Eikon Networking Guide
Hihifrds.com loanpricing.com pointcarbon.com* ReutersRealEstate.com Streetsight.thomson.com tiles.virtualearth.net - Add Troubleshooting section in Appendix D - Combine Appendix E as a section in Appendix D -Update Certificate Revocation section - Move duplicate content to Chapter 5 and 6 - Add Internet Options in Chapter 5 - Remove Section 1.3 24 Feb 2012
2.10
- Add Eikon for Compliance Management content filtering policy in Chapter 5 - Add DNS rule for Thomson Reuters Hosted Private - Add Autex, breakingviews in Internet Service - Remove DNS Round Robin for TSP and SPX - Correct PAZW to PAWZ
27 Mar 2012
2.11
-Add new 75.124.118.0/24 for Thomson Reuters Platform -Add public.login.cp.thomsonreuters.net -Add port 8101 on SPX on Appendix A
Document Version 2.11 Date of issue: 27 March 2012
3
Thomson Reuters Eikon Networking Guide
CONTENT About this document ................................................................................................................................................. 6 Intended readership ...................................................................................................................................................... 6 In this guide ................................................................................................................................................................... 6 Glossary ..................................................................................................................................................................... 7 1. Thomson Reuters Hosted Deployment ................................................................................................................... 8 1.1 Thomson Reuters Hosted Internet ........................................................................................................................... 8 1.2 Thomson Reuters Hosted Private Network ............................................................................................................ 10 2. Thomson Reuters Managed Deployment ............................................................................................................. 13 2.1 BT infrastructure .................................................................................................................................................... 15 2.2 SAVVIS infrastructure ............................................................................................................................................ 16 3. Customer Managed Deployment ......................................................................................................................... 18 3.1 BT infrastructure .................................................................................................................................................... 20 3.2 SAVVIS infrastructure ............................................................................................................................................ 22 3.3 DACS Daemon service for RTIC Connection ........................................................................................................... 23 4. Thomson Reuters Eikon for Wealth Management ............................................................................................... 24 4.1 Thomson Reuters Eikon for Wealth Management Internet................................................................................... 24 4.2 Thomson Reuters Eikon for Wealth Management Private Network ..................................................................... 25 4.3 Proxy and Firewall Policy ....................................................................................................................................... 28 5. Internet Service for Thomson Reuters Eikon ........................................................................................................ 30 5.1 Internet Service DNS .............................................................................................................................................. 30 5.2 FIREWALL Policy .................................................................................................................................................... 31 5.3 Web Proxy Auto-Discovery Protocol (WPAD) ........................................................................................................ 33 5.4 Reuters Insider ....................................................................................................................................................... 33 5.5 Thomson Reuters Eikon for Compliance Management ......................................................................................... 33 5.6 Internet Options Setting ........................................................................................................................................ 34 6 Thomson Reuters Eikon Certificate Management ................................................................................................. 37 6.1 Thomson Reuters Eikon Certificates authorities .................................................................................................... 37 6.2 Thomson Reuters Eikon for Wealth Management Certificates authorities ........................................................... 38 6.3 Testing Trusted Root Certificate ............................................................................................................................ 38 Appendix A: List Of device TCP/IP Information ........................................................................................................ 39 Time Series Proxy TCP/IP Port .................................................................................................................................... 39 Streaming Proxy TCP/IP Port ...................................................................................................................................... 39
Document Version 2.11 Date of issue: 27 March 2012
4
Thomson Reuters Eikon Networking Guide
Reuters Insider Firewall Port allowed ........................................................................................................................ 40 BT Routing for Thomson Reuters Managed Device ................................................................................................... 40 Savvis Network Information for Thomson Reuters Managed Device ....................................................................... 40 Appendix B: List of switch allocation on BT Switch (VLAN) ....................................................................................... 42 Appendix C: Local DNS configuration to support network failover (Private Delivery to internet)* ........................... 43 Appendix D: Certificate Revocation Concept ............................................................................................................ 54
Document Version 2.11 Date of issue: 27 March 2012
5
Thomson Reuters Eikon Networking Guide
ABOUT THIS DOCUMENT INTENDED READERSHIP This document is intended for Thomson Reuters support personals; Field Engineers, Planning Engineers, Client Implementation Specialists, Technical Deployment Specialist, Technical Account Managers and Client Network engineers. It can also be useful for Thomson Reuters Eikon customer’s IT or Networking personnel to plan Thomson Reuters Eikon deployment.
IN THIS GUIDE This guide provides an overview of the network set up requirement for Thomson Reuters Eikon, delivered globally using Thomson Reuters Platform that covers TCP/IP Standard ports, Network routing and DNS. The chapter is based on Customer Delivery mode. You can implement it following the deployment on site. Thomson Reuters Eikon requires some services that are available on Internet only. It is recommended that clients have Internet connection in order to get all services which are listed in Chapter 5.
Document Version 2.11 Date of issue: 27 March 2012
6
Thomson Reuters Eikon Networking Guide
GLOSSARY Abbreviations and acronyms are listed here:
Abbreviation/Term BT CAS CFI CRL DNS DTS
Definition British Telecom Central Authentication Service Contributor Frontend IP – also known as the Open Contributor Front End Certificate Revocation List Domain Name Server Direct Technical Specialist, providing pre-sales support and service management for all Direct customers.
ePO FTA GMI HMDS HTTP HTTPS NGTX IP ISP OCSP PAZW PKI RSS RTMP RWS SIG SMF SNMP SSH TAM TCP TPM UDP WinHTTP WPAD
Document Version 2.11 Date of issue: 27 March 2012
McAfee Anti-Virus ePolicy Orchestrator File Transfer Application Global Management Infrastructure Hosted Market Data System Hypertext Transfer Protocol Hypertext Transfer Protocol Secure Next Generation Transactions Internet Protocol Internet Service Provider Online Certificate Status Protocol Performance Analysis Web Zone Public key Infrastructure Reuters Site Server Real Time Messaging Protocol Reuters Workstation Server Secure Internet Gateway Server Management Foundation Simple Network Management Protocol Secure Shell Technical Account Manager Transmission Control Protocol Tivoli Provisioning Manager User Datagram Protocol Microsoft Windows HTTP Services Web Proxy Auto-Discovery
7
Thomson Reuters Eikon Networking Guide
1. THOMSON REUTERS HOSTED DEPLOYMENT 1.1 THOMSON REUTERS HOSTED INTERNET TCP/IP Standard Port for Thomson Reuters Hosted Internet Product Profile
Protocol
Thomson Reuters Hosted
TCP
TCP/UDP
Port Numbers Workstation Thomson Reuters 1024+ 80 1024+ 80 1024+ 443 1024+ 443
1024+ 53 1024+ 53
Thomson Reuters Servers
Use
Thomson Reuters Platform
Administration Service Views Service Streaming Service Search &Navigation Service Time Series Service Messaging Service Trading Service Update Service Reuters Insider
DNS server
DNS server (no Internet Proxy)
DNS Server for Thomson Reuters Eikon Hosted Internet All Thomson Reuters Hosted deployment servers are able to resolve IP address through local Internet Service Provider (ISP) DNS. The following domains must be selected forwarding DNS thomsonreuters.com cp.thomsonreuters.net reuters.com
DNS Server Internet ISP Internet ISP Internet ISP
trading.thomsonreuters.net
Internet ISP
Thomson Reuters Service Thomson Reuters Eikon Thomson Reuters Eikon Customer Zone and URL links in some news content, Trading Services, SDN, etc Trading Service, System Test
Additional Internet domains/services are listed in Chapter 5. Please be aware that Thomson Reuters will not divulge IP address information in any circumstances. Doing so prevent us from changing IP addresses as and when needed without notification period and these IP addresses may not always be under our direct control. Clients should always use DNS.
Proxy Server: If clients implement an Internet proxy server on site, it is necessary that the proxy be able to solve the following domain correctly. Internet Explorer object will forward all request to the proxy server without resolving the domain name service.
Proxy and Firewall Policy See information in Chapter 5.
Document Version 2.11 Date of issue: 27 March 2012
8
Thomson Reuters Eikon Networking Guide
Authentication Proxy Thomson Reuters Eikon has been qualified with the following authenticated proxies: PROXY
AUTHENTICATION METHOD
Apache
Basic
Apache
DIGEST
Squid
Basic
Squid
DIGEST
MS ISA
NTLM
It is advisable to allow Reuters Insider URL to bypass NTLM authentication in Proxy, as we have experienced authentication timeouts with Flash-based applications with a number of clients when NTLM authentication is enabled.
Web Proxy Auto-Discovery Protocol (WPAD) Thomson Reuters Eikon does not support the Web Proxy Auto-Discovery Protocol (WPAD). The Update Agent cannot connect to the dedicated proxy server indicated in the WPAD file; as a consequence, users are not able to install Thomson Reuters Eikon or upgrade to the latest Service Releases or Hotfixes. The issue is under investigation by our development teams.
EXE Download Policy Thomson Reuters Eikon installation package is an EXE Wrapper file (MSI/MSP file wrap inside EXE file). These files are virus checked and signed by Thomson Reuters before they are published on Thomson Reuters Update Service. Your site (workstation) firewall must be set-up to allow the download of these packages. Thomson Reuters is using this file format to guarantee best compression rates for the downloaded packages. Firewall has to ALLOW the following servers to download EXE file through http protocol: DOMAIN
DOWNLOAD
customers.thomsonreuters.com
For installation bootstrap, system Test standalone over Internet
*.download.cp.thomsonreuters.net
For Thomson Reuters Eikon packages on Update Service
Document Version 2.11 Date of issue: 27 March 2012
9
Thomson Reuters Eikon Networking Guide
Internet Service for Thomson Reuters Eikon See information on Chapter 5
Certificate Revocation List Validation See the information on Chapter 6
1.2 THOMSON REUTERS HOSTED PRIVATE NETWORK BT Service Package The following Service Packages are mandatory: Thomson Reuters Platform with Real Time 2.0
Messaging Service Package
NGTX service Package
Contribution Service package (Optional for Contribution)
TCP/IP Standard Port for Thomson Reuters Hosted Private Product Profile
Protocol
Thomson Reuters Hosted Private
TCP
Deliver over Private Network
TCP/UDP
Port Numbers Workstation Thomson Reuters 1024+ 80 1024+ 80 1024+ 443 1024+ 443
Thomson Reuters Servers
Use
Thomson Reuters Platform
Administration Service Views Service Streaming Service Search &Navigation Service Time Series Service Messaging Service Trading Service Update Service
1024+ 10240 1024+ 10240
CFI server
Contribution Service on CFI server through InsertLink,
1024+ 53 1024+ 53
DNS server
DNS
Reuters Insider is not available on this delivery mode.
DNS See DNS suffices in Chapter 3.
The DNS server configuration are as following: CLIENT CONFIGURATION
DNS
COMMENT
Client workstation resolver
BT DNS
Clients use local resolver fall-through. This relies on
Document Version 2.11 Date of issue: 27 March 2012
10
Thomson Reuters Eikon Networking Guide
only (No Client Site DNS)
SERVFAIL answer from BT DNS for invalid domains.
Client site DNS using selective forwarding or conditional forwarding
EDNS
Client site DNS using zone delegation
EDNS
BT DNS response time will be slower unless record is already in cache
The EDNS and BT DNS are shown as in the table: EDNS
DNS IP Address
BT Extranet DNS FQDN
London
155.195.64.4
edns02.uk.extranet.reuters.biz
New York
155.195.84.4
edns02.us.extranet.reuters.biz
Singapore
155.195.76.4
edns02.sg.extranet.reuters.biz
IP Address
BT DNS FQDN
London
155.195.48.4
londnsaa001.a.radianz.net
New York
155.195.48.36
hpggnsba001a.radianz.net
Singapore
155.195.48.68
sinsnsba001a.radianz.net
BT DNS
BT Private Network Routing The client can set up as either:
Set up BT Router as a default gateway or
Set up the following routing to BT router IP Subnet
65.63.72.0 /22 and 75.124.118.0/24 65.62.0.0/15 and 75.124.118.0/24 or - 65.62.64.0/22 - 65.62.68.0/22 - 65.63.72.0/22 -75.124.118.0/24 67.56.184.0/21
155.195.48.0/22 155.195.64.0/18 204.109.128.0/17 or 204.109.109.224.0/21
Document Version 2.11 Date of issue: 27 March 2012
Description / Used for EIKON Thomson Reuters Eikon Uses this range if installing both Thomson Reuters Eikon and Thomson Reuters Eikon for Wealth Manager on site.
Messaging Service over Private Network – this is a mandatory component but the default is source from Internet BT DNS Customer Zone, Contribution (Insert Link) Trading Service over Private Network
11
Thomson Reuters Eikon Networking Guide
Internet Service for Thomson Reuters Eikon See information on Chapter 5
Certificate Revocation List Validation See the information on Chapter 6
Document Version 2.11 Date of issue: 27 March 2012
12
Thomson Reuters Eikon Networking Guide
2. THOMSON REUTERS MANAGED DEPLOYMENT TCP/IP Standard Port for Thomson Reuters Managed Product Profile
Protocol
Thomson Reuters Managed Profile
TCP
Deliver over Private Network
Port Numbers Workstation Thomson Reuters 1024+ 14002 1024+ 14002 1024+ 80 1024+ 80 1024+ 80 1024+ 80 1024+ 443 1024+ 443
1024+ 1024+ 1024+ 1024+
80 80 8082* 8082*
1024+ 10240 1024+ 10240
Thomson Reuters Servers Streaming Proxy
Use
Streaming Service Update Service
Thomson Reuters Platform
Time Series Proxy
Administration Service Views Service Search &Navigation Service Time Series Service Messaging Service Trading Service Time Series Service *port 8082 is for maintenance services.
CFI server
Contribution Service on CFI server through InsertLink, Eikon Excel DNS
DNS server 1024+ 53 1024+ 53 Thomson Reuters Eikon Multimedia Service (Reuters Insider) is delivered over the Internet. Each desktop will need to have access to make HTTP and HTTPS connections. Furthermore, video is streamed using Adobe Flash RTMP protocol tunnelled through HTTP so no further ports are required other normal HTTP:80 and HTTPS: 443. TCP/UDP
DNS The following domains must be selected forwarding or delegating toward authorities DNS server. DNS thomsonreuters.com
Authoritative DNS Server Internet
extranet.thomsonreuters.biz
Extranet DNS
cp.thomsonreuters.net
Extranet DNS
public.login.cp.thomsonreuters.net customers.reuters.com
Internet Extranet DNS/ Internet Extranet DNS / Internet** Extranet DNS / Internet** Extranet DNS / Internet** Extranet DNS / Internet**
trading.thomsonreuters.net fitrading.reuters.com fxtrading.reuters.com rtextrading.reuters.com
Document Version 2.11 Date of issue: 27 March 2012
Thomson Reuters Service Thomson Reuters Eikon , Collaboration, Customer Zone over Internet Thomson Reuters Eikon, Customer Zone, Collaboration Thomson Reuters Eikon and Thomson Reuters Eikon for Wealth Management Thomson Reuters Eikon Customer Zone Trading Service Trading Service Trading Service Trading Service
13
Thomson Reuters Eikon Networking Guide
* *These domains require NGTX Service package. If you have the NGTX Service package, the DNS MUST forward to the Extranet DNS rather than Internet DNS. Additional Internet domains/services are listed in Chapter 5. It is recommended that client has Internet connection for Thomson Reuters Eikon in order to get full services. Please be aware that Thomson Reuters will not divulge IP address information in any circumstances. Doing so prevent us from changing IP addresses as and when needed without notification period and these IP addresses may not always be under our direct control. Clients should always use DNS.
DNS resource name lookup You need to add a host record entry for Thomson Reuters Platform services into your local DNS servers with your local server IP address. The entry should be put in the same DNS suffixes that set up on the Advanced TCP/IP settings on the workstation. Servers Streaming Proxy TimeSeries Proxy
DNS entry tr-streaming-proxy tr-timeseries-proxy
E.g. If the first DNS Suffix Search List of the client workstation is “xxx.company.com”, you have to add the “tr-timeseries-proxy” host record entry added to the xxx.company.com domain. Thus the workstation is able to resolve IP address of the local Streaming Proxy by lookup “tr-streaming-proxy” upon Thomson Reuters Eikon application start-up. However, this new DNS entry name can be changed in the Thomson Reuters User Profile in Administration Service to reflect the new DNS hostname. Please contact your TAM or DTS and make a request.
FIREWALL Policy See information on Chapter 6
Internet Service for Thomson Reuters Eikon See information on Chapter 5
Certificate Revocation List Validation See the information on Chapter 6
EXE Download Policy Thomson Reuters Eikon installation package is an EXE Wrapper file (MSI/MSP file wrap inside EXE file). These files are virus checked and signed by Thomson Reuters before they are published on Thomson Reuters Update Service. Your site (workstation) firewall must be set-up to allow the download of these packages. Thomson Reuters is using this file format to guarantee best compression rates for the downloaded packages. Firewall has to ALLOW the following servers to download EXE file through http protocol:
Document Version 2.11 Date of issue: 27 March 2012
14
Thomson Reuters Eikon Networking Guide
DOMAIN
DOWNLOAD
customers.thomsonreuters.com
For installation bootstrap, system Test standalone over Internet
customers.extranet.thomsonreuters.biz
For installation bootstrap, system Test standalone over Private Network
*.download.cp.thomsonreuters.net
For Thomson Reuters Eikon packages on Update Service
tr-streaming-proxy
For Thomson Reuters Eikon packages on Streaming Proxy
2.1 BT INFRASTRUCTURE
Thomson Reuters Platform Service Package version 2.0 is a mandatory for all sites
Messaging Service Package is needed unless you set up Collaboration Service over Internet
Contribution Service Package is needed for InsertLink
NGTX Service Package is needed unless you set up Trading Service over Internet
The recommended Extranet DNS server configurations are as following: CLIENT CONFIGURATION
DNS
COMMENT
Client workstation resolver only (No Client Site DNS)
BT DNS
Clients use local resolver fall-through. This relies on SERVFAIL answer from BT DNS for invalid domains.
Client site DNS using selective forwarding or conditional forwarding
EDNS
BT DNS response time will be slower unless record is already in cache
Client site DNS using zone delegation
EDNS
The EDNS and BT DNS are shown as in the table: EDNS
DNS IP Address
BT Extranet DNS FQDN
London
155.195.64.4
edns02.uk.extranet.reuters.biz
New York
155.195.84.4
edns02.us.extranet.reuters.biz
Singapore
155.195.76.4
edns02.sg.extranet.reuters.biz
IP Address
BT DNS FQDN
BT DNS
Document Version 2.11 Date of issue: 27 March 2012
15
Thomson Reuters Eikon Networking Guide
London
155.195.48.4
londnsaa001.a.radianz.net
New York
155.195.48.36
hpggnsba001a.radianz.net
Singapore
155.195.48.68
sinsnsba001a.radianz.net
The recommended DNS search ordering is based on the client location as following:
REGION
FIRST DNS SERVER
SECOND DNS SERVER
THIRD DNS SERVER
EMEA
London
New York
Singapore
AMERICA
New York
London
Singapore
ASIA
Singapore
New York
London
BT Private Network Routing IP Subnet
Description / Used for EIKON
65.63.72.0/22 and 75.124.118.0/24
Thomson Reuters Eikon
65.62.0.0/15 and 75.124.118.0/24 or - 65.62.64.0/22 - 65.62.68.0/22 - 65.63.72.0/22 -75.124.118.0/24 67.56.184.0/21
Uses this range if installing both Thomson Reuters Eikon and Thomson Reuters Eikon for Wealth Manager on site.
155.195.48.0/22 155.195.64.0/18 204.109.128.0/17 or 204.109.109.224.0/21
*Messaging Service over Private Network – this is a mandatory component but the default is source from Internet BT DNS – Optional DNS Service –on EDNS, Customer Zone, **Contribution (Insert Link) ***Trading Service over Private Network
Note: * Messaging Service Package is needed ** Contribution Service package is needed ***NGTX service Package is needed
2.2 SAVVIS INFRASTRUCTURE Note: The following services are not available on SAVVIS Private Network. Customers have to set up on Internet only: Messaging Service Package NGTX Service Package
Document Version 2.11 Date of issue: 27 March 2012
16
Thomson Reuters Eikon Networking Guide
Customers Zone for customers.reuters.com
DNS Server EDNS
Savvis Extranet DNS IP Address
Savvis Extranet DNS FQDN
192.155.142.4
edns03.us.extranet.reuters.biz
192.155.141.196
edns04.us.extranet.reuters.biz
Nutley Hazelwood
DNS The following domains must be selected forwarding or delegating toward authorities DNS server. DNS thomsonreuters.com
Authoritative DNS Server Internet
extranet.thomsonreuters.biz
Extranet DNS
cp.thomsonreuters.net customers.reuters.com trading.thomsonreuters.net fitrading.reuters.com fxtrading.reuters.com rtextrading.reuters.com
Extranet DNS Internet Internet Internet Internet Internet
Thomson Reuters Service Thomson Reuters Eikon , Collaboration, Customer Zone over Internet Thomson Reuters Eikon, Customer Zone, Collaboration Thomson Reuters Eikon Customer Zone Trading Service Trading Service Trading Service Trading Service
Additional Internet domains/services are listed in Chapter 5. It is recommended that client has Internet connection for Thomson Reuters Eikon in order to get full services.
Savvis Private Network Routing IP Subnet 192.155.137.0/25 192.155.138.0/25 159.220.80.0/27 192.155.142.0/28 192.155.141.192/28
Document Version 2.11 Date of issue: 27 March 2012
Description / Used for EIKON Thomson Reuters Eikon Customer Zone on Extranet (customers.extranet.thomsonreuters.biz) DNS service
17
Thomson Reuters Eikon Networking Guide
3. CUSTOMER MANAGED DEPLOYMENT TCP/IP Standard Port for Customer Managed Protocol
Customer Managed Profile
TCP
Deliver over Private Network
TCP/UDP Update Proxy
TCP
Port Numbers Workstation Thomson Reuters 1024+ 14002 1024+ 14002 1024+ 8101 1024+ 8101 1024+ 8261 1024+ 8261 1024+ 80 1024+ 80 1024+ 443 1024+ 443
Thomson Reuters Servers RMDS 6, ADS RMDS 5, RMDS 6, ADS RMDS 5, RMDS 6 , ADS Thomson Reuters Platform
1024+ 1024+ 1024+ 1024+
80 80 8082* 8082*
Time Series Proxy
1024+ 1024+ 1024+ 1024+ 1024+ 1024+ 1024+ 1024+ 1024+ 1024+
2400 2400 8302 8302 80 80 443 443 10240 10240
DBU (Optional)
1024+ 1024+ 1024+ 1024+ 1024+ 1024+
53 53 80 80 443 443
DNS server
Use
Realtime Data Service (RSSL) Realtime Data Service (SSL) Permission Proxy Administration Service Views Service Search &Navigation Service TimeSeries Service Messaging Service Trading Service Update Service TimeSeries Service *port 8082 is for maintenance services.
DACS server Update Proxy
CFI server
Thomson Reuters Platform
TimeSeries Data for 3 party feed Permission Service DACS Daemon Update Service
Contribution Service on CFI server through InsertLink, Eikon Excel DNS Update Service
Thomson Reuters Eikon Multimedia Service (Reuters Insider) is delivered over the Internet. Each desktop will need to have access to make HTTP and HTTPS connections. Furthermore, video is streamed using Adobe Flash RTMP protocol tunnelled through HTTP so no further ports are required other normal HTTP:80 and HTTPS: 443.
Document Version 2.11 Date of issue: 27 March 2012
rd
18
Thomson Reuters Eikon Networking Guide
DNS The following domains must be selected forwarding or delegating toward authorities DNS server.
DNS thomsonreuters.com
Authoritative DNS Server Internet
extranet.thomsonreuters.biz
Extranet DNS
cp.thomsonreuters.net
Extranet DNS
public.login.cp.thomsonreuters.net customers.reuters.com
Internet Extranet DNS/ Internet Extranet DNS / Internet** Extranet DNS / Internet** Extranet DNS / Internet** Extranet DNS / Internet**
trading.thomsonreuters.net fitrading.reuters.com fxtrading.reuters.com rtextrading.reuters.com
Thomson Reuters Service Thomson Reuters Eikon, Collaboration, Reuters Insider over Internet Thomson Reuters Eikon, Thomson Reuters Eikon for Wealth Management Customer Zone, Collaboration Thomson Reuters Eikon and Thomson Reuters Eikon for Wealth Management Thomson Reuters Eikon Customer Zone Trading Service Trading Service Trading Service Trading Service
** These domains require NGTX Service package. If you have the NGTX Service package, the DNS MUST forward to the Extranet DNS rather than Internet DNS. Additional Internet domains/services are listed in Chapter 5. It is recommended that client has Internet connection for Thomson Reuters Eikon in order to get full services. Please be aware that Thomson Reuters will not divulge IP address information in any circumstances. Doing so prevent us from changing IP addresses as and when needed without notification period and these IP addresses may not always be under our direct control. Clients should always use DNS.
DNS resource name lookup You need to add a host record entry for Thomson Reuters Platform services into your local DNS servers with your local server IP address. The entry should be put in the same DNS suffixes that set up on the Advanced TCP/IP settings on the workstation. Deployed Services TimeSeries Proxy Update Proxy Configuration Proxy
DNS entry tr-timeseries-proxy tr-update-proxy tr-config-proxy
E.g. If the default lookup domain of the client workstation is “xxx.company.com” where “xxx” is the host being resolved then you need the “tr-timeseries-proxy” host record entry added to the company.com domain. However, this new DNS entry name can be changed in the Thomson Reuters User Profile in Administration Service to reflect the new DNS hostname. Please contact your TAM or DTS and make a request.
Document Version 2.11 Date of issue: 27 March 2012
19
Thomson Reuters Eikon Networking Guide
FIREWALL Policy See information on Chapter 5
Internet Service for Thomson Reuters Eikon See information on Chapter 5
Certificate Revocation List Validation See the information on Chapter 6
EXE Download Policy Thomson Reuters Eikon installation package is an EXE Wrapper file (MSI/MSP file wrap inside EXE file). These files are virus checked and signed by Thomson Reuters before they are published on Thomson Reuters Update Service. Your site (workstation) firewall must be set-up to allow the download of these packages. Thomson Reuters is using this file format to guarantee best compression rates for the downloaded packages. Firewall has to ALLOW the following servers to download EXE file through http protocol: DOMAIN
DOWNLOAD
customers.thomsonreuters.com
For installation bootstrap, system Test standalone over Internet
customers.extranet.thomsonreuters.biz
For installation bootstrap, system Test standalone over Private Network
*.download.cp.thomsonreuters.net
For Thomson Reuters Eikon packages on Update Service
For Thomson Reuters Eikon package on Customer Managed
1
3.1 BT INFRASTRUCTURE
Thomson Reuters Platform Service Package version 2.0 is a mandatory for all sites
Messaging Service Package is needed unless you set up Collaboration Service over Internet
Contribution Service Package is needed for Contribution product e.g. InsertLink
NGTX Service Package is needed unless you set up Trading Service over Internet
The recommended Extranet DNS server configurations are as following:
Document Version 2.11 Date of issue: 27 March 2012
20
Thomson Reuters Eikon Networking Guide
CLIENT CONFIGURATION
DNS
COMMENT
Client workstation resolver only (No Client Site DNS)
BT DNS
Clients use local resolver fall-through. This relies on SERVFAIL answer from BT DNS for invalid domains.
Client site DNS using selective forwarding or conditional forwarding
EDNS
BT DNS response time will be slower unless record is already in cache
Client site DNS using zone delegation
EDNS
The EDNS and BT DNS are shown as in the table: EDNS
DNS IP Address
BT Extranet DNS FQDN
London
155.195.64.4
edns02.uk.extranet.reuters.biz
New York
155.195.84.4
edns02.us.extranet.reuters.biz
Singapore
155.195.76.4
edns02.sg.extranet.reuters.biz
IP Address
BT DNS FQDN
London
155.195.48.4
londnsaa001.a.radianz.net
New York
155.195.48.36
hpggnsba001a.radianz.net
Singapore
155.195.48.68
sinsnsba001a.radianz.net
BT DNS
The recommended DNS search ordering is based on the client location as following:
REGION
FIRST DNS SERVER
SECOND DNS SERVER
THIRD DNS SERVER
EMEA
London
New York
Singapore
AMERICA
New York
London
Singapore
ASIA
Singapore
New York
London
BT Private Network Routing IP Subnet 65.63.72.0/22 and
75.124.118.0/24
Document Version 2.11 Date of issue: 27 March 2012
Description / Used for EIKON Thomson Reuters Eikon
21
Thomson Reuters Eikon Networking Guide
65.62.0.0/15 and 75.124.118.0/24 or - 65.62.64.0/22 - 65.62.68.0/22 - 65.63.72.0/22 -75.124.118.0/24
Uses this range if installing both Thomson Reuters Eikon and Thomson Reuters Eikon for Wealth Manager on site.
67.56.184.0/21
*Messaging Service over Private Network – this is a mandatory component but the default is source from Internet
155.195.48.0/22 155.195.64.0/18
BT DNS – Optional DNS Service –on EDNS, Customer Zone, **Contribution (Insert Link) ***Trading Service over Private Network
204.109.128.0/17 or 204.109.109.224.0/21 Note: * Messaging Service Package is needed ** Contribution Service package is needed ***NGTX service Package is needed
3.2 SAVVIS INFRASTRUCTURE Note: The following services are not available on SAVVIS Private Network. Customers have to set up on Internet only: Messaging Service Package (collaboration) NGTX Service Package Customers Zone for customers.reuters.com
DNS Server EDNS
Savvis Extranet DNS IP Address
Savvis Extranet DNS FQDN
192.155.142.4
edns03.us.extranet.reuters.biz
192.155.141.196
edns04.us.extranet.reuters.biz
Nutley Hazelwood
DNS The following domains must be selected forwarding or delegating toward authorities DNS server. DNS thomsonreuters.com
Authoritative DNS Server Internet
extranet.thomsonreuters.biz
Extranet DNS
cp.thomsonreuters.net customers.reuters.com
Extranet DNS Internet
Document Version 2.11 Date of issue: 27 March 2012
Thomson Reuters Service Thomson Reuters Eikon , Collaboration, Customer Zone over Internet Thomson Reuters Eikon, Customer Zone, Collaboration Thomson Reuters Eikon Customer Zone
22
Thomson Reuters Eikon Networking Guide
trading.thomsonreuters.net Internet Trading Service fitrading.reuters.com Internet Trading Service fxtrading.reuters.com Internet Trading Service rtextrading.reuters.com Internet Trading Service Additional Internet domains/services are listed in Chapter 5. It is recommended that client has Internet connection for Thomson Reuters Eikon in order to get full services.
Savvis Private Network Routing IP Subnet 192.155.137.0/25 192.155.138.0/25 159.220.80.0/27
Description / Used for EIKON Thomson Reuters Eikon Customer Zone on Extranet (customers.extranet.thomsonreuters.biz) DNS service
192.155.142.0/28 192.155.141.192/28
3.3 DACS DAEMON SERVICE FOR RTIC CONNECTION Ensure that the personal firewall does not block those services on the client machine. And the following services are valid in the file C:\Windows\System32\etc\services
dacs_lib
8211/tcp
dacs_perm 8250/tcp
Document Version 2.11 Date of issue: 27 March 2012
#dacs_snkd.exe #dacs_snkd.exe
23
Thomson Reuters Eikon Networking Guide
4. THOMSON REUTERS EIKON FOR WEALTH MANAGEMENT 4.1 THOMSON REUTERS EIKON FOR WEALTH MANAGEMENT INTERNET TCP/IP Standard Port for Thomson Reuters Eikon Wealth Management Internet Product Profile
Protocol
Thomson Reuters Eikon for Wealth Management Internet
TCP
Port Numbers Workstation Thomson Reuters 1024+ 80 1024+ 80 1024+ 443 1024+ 443
Thomson Reuters Servers Thomson Reuters Platform
Use
Administration Service Views Service News Service Streaming Service Search &Navigation Service Time Series Service Update Service Reuters Insider
Thomson Reuters Eikon Multimedia Service (Reuters Insider) is delivered over the Internet. Each desktop will need to have access to make HTTP and HTTPS connections. Furthermore, video is streamed using Adobe Flash RTMP protocol tunnelled through HTTP so no further ports are required other normal HTTP:80 and HTTPS: 443.
DNS Server All Thomson Reuters Hosted deployment servers are able to resolve IP address through local Internet Service Provider (ISP) DNS. The following domains must be selected forwarding
DNS thomsonreuters.com
Authorized DNS Server Internet
Thomson Reuters Service
cp.thomsonreuters.net
Internet
reuters.com
Internet
force.com reutersinsider.com saleforces.com sdn.reuters.com Thomson.112.2o7.net training.thomsonreuters.com trainingportal.us webex.com
Internet Internet Internet Internet Internet Internet
Thomson Reuters Eikon for Wealth Management, Reuters Insider, Customer Zone Thomson Reuters Eikon for Wealth Management Customer Zone and some URL link in some news content, e.g. pdf.reuters.com, link.reuters.com, www.reuters.com Migration tools (Knowledge Network) Reuters Insider Migration tools (Knowledge Network) Securitised Derivative Network Insider Thomson Reuters E-Learning
Internet
Remote Support
Please be aware that Thomson Reuters will not divulge IP address information in any circumstances. Doing so prevent us from changing IP addresses as and when needed without notification period and these IP addresses may not always be under our direct control. Clients should always use DNS.
Document Version 2.11 Date of issue: 27 March 2012
24
Thomson Reuters Eikon Networking Guide
4.2 THOMSON REUTERS EIKON FOR WEALTH MANAGEMENT PRIVATE NETWORK It is strongly recommended that client have both Private network and Internet connection
BT Service Package The following BT Service Packages are needed: Thomson Reuters Platform with Real Time 2.0
TCP/IP Standard Port for Thomson Reuters Hosted Private Product Profile
Protocol
Thomson Reuters Eikon for Wealth Management Private Network
TCP
Port Numbers Workstation Thomson Reuters 1024+ 80 1024+ 80 1024+ 443 1024+ 443
Thomson Reuters Servers Thomson Reuters Platform
Deliver over Private Network
TCP/UDP
1024+ 53 1024+ 53
DNS server
Use
Administration Service Views Service News Service Streaming Service Search &Navigation Service Time Series Service Update Service Customer Zone DNS
Reuters Insider requires Internet connection.
DNS Server All Thomson Reuters Hosted deployment servers are able to resolve IP address through BT DNS and local Internet Service Provider (ISP) DNS. The following domains must be selected forwarding
DNS cp.thomsonreuters.net extranet.thomsonreuters.biz thomsonreuters.com customers.reuters.com force.com
Authorized DNS Server Extranet Extranet Internet Internet/ Extranet Internet
geotrust.com verisign.com reutersinsider.com reuters.com
Internet
salesforce.com sdn.reuters.com
Internet Internet
Document Version 2.11 Date of issue: 27 March 2012
Internet Internet
Thomson Reuters Service Thomson Reuters Eikon for Wealth Manager Thomson Reuters Eikon for Wealth Manager, Customer Zone Customer Zone, Reuters Insider Customer Zone Migration tools (Knowledge Network) Certificate Validation Reuters Insider URL link in some news content, e.g. pdf.reuters.com, blogs.reutes.com, www.reuters.com Migration tools Securitized Derivative Network
25
Thomson Reuters Eikon Networking Guide
thomson.112.2o7.net trainingportal.us webex.com webtrendslive.com
Internet Internet Internet Internet
Reuters Insider Thomson Reuters E-Learning Remote Support Migration tools
Note*: NGTX service package is required Please be aware that Thomson Reuters will not divulge IP address information in any circumstances. Doing so prevent us from changing IP addresses as and when needed without notification period and these IP addresses may not always be under our direct control. Clients should always use DNS.
Uses BT DNS as shown in the table: BT DNS
IP Address
BT DNS FQDN
London
155.195.48.4
londnsaa001.a.radianz.net
New York
155.195.48.36
hpggnsba001a.radianz.net
Singapore
155.195.48.68
sinsnsba001a.radianz.net
The recommended DNS search ordering is based on the client location as following:
REGION
FIRST DNS SERVER
SECOND DNS SERVER
THIRD DNS SERVER
EMEA
London
New York
Singapore
AMERICA
New York
London
Singapore
ASIA
Singapore
New York
London
BT Private Network Routing The client can set up as either:
Set up BT Router as a default gateway or
Set up the following routing to BT router
CLIENT CONFIGURATION
DNS
COMMENT
Client workstation resolver only (No Client Site DNS)
BT DNS
Clients use local resolver fall-through. This relies on SERVFAIL answer from BT DNS for invalid domains. Clients with dedicated Extranet workstations can use the EDNS to take advantage of faster response
Client site DNS using selective forwarding or conditional forwarding
EDNS
BT DNS response time will be slower unless record is already in cache
Client site DNS using zone delegation
EDNS
Document Version 2.11 Date of issue: 27 March 2012
26
Thomson Reuters Eikon Networking Guide
The EDNS and BT DNS are shown as in the table: EDNS
DNS IP Address
BT Extranet DNS FQDN
London
155.195.64.4
edns02.uk.extranet.reuters.biz
New York
155.195.84.4
edns02.us.extranet.reuters.biz
Singapore
155.195.76.4
edns02.sg.extranet.reuters.biz
IP Address
BT DNS FQDN
London
155.195.48.4
londnsaa001.a.radianz.net
New York
155.195.48.36
hpggnsba001a.radianz.net
Singapore
155.195.48.68
sinsnsba001a.radianz.net
BT DNS
The recommended DNS search ordering is based on the client location as following:
REGION
FIRST DNS SERVER
SECOND DNS SERVER
THIRD DNS SERVER
EMEA
London
New York
Singapore
ASIA
Singapore
New York
London
BT Private Network Routing IP Subnet 65.62.0.0/15 or - 65.62.64.0/22 - 65.62.68.0/22 - 65.63.72.0/22 155.195.48.0/22 155.195.64.0/18
Description / Used for EIKON Thomson Reuters Eikon for Wealth Management
BT DNS – Optional DNS Service –on EDNS, Customer Zone
Note: *NGTX service Package is needed
Thomson Reuters Eikon for Wealth Management Internet and Thomson Reuters Eikon Customer Managed on Private Network The Administration service over Private Network is able to authenticate the Internet Services. If clients have Thomson Reuters Eikon for Wealth Management over Internet and Thomson Reuters Eikon over Private network on the same site, set up the additional DNS on DNS server: DNS download.cp.thomsonreuters.net
Document Version 2.11 Date of issue: 27 March 2012
DNS Server Internet ISP/ Extranet DNS*
Thomson Reuters Service Update Service
27
Thomson Reuters Eikon Networking Guide
cp.thomsonreuters.net extranet.thomsonreuters.biz
Extranet DNS Extranet DNS
Administration Service Thomson Reuters Platform Service
* Thomson Reuters Eikon Excel for Wealth Management installation files, Hotfixes, Add-ons are downloaded from the domain download.cp.thomsonreuters.net. Clients are able to download packages from either Internet or Private network.
4.3 PROXY AND FIREWALL POLICY Authentication Proxy Thomson Reuters Eikon for Wealth Management does not support Authentication Proxy. Streaming Services is not able to be established streaming service through HTTP authentication process. Reuters Insider always has slow response with Authentication Proxy.
Certificate Management See Chapter 6
FIREWALL Policy Thomson Reuters Eikon Excel is a part of Thomson Reuters Eikon for Wealth Management. See Section 5.2 for more information.
Content filtering Policy DNS Suffixes cp.thomsonreuters.net
Thomson Reuters Service Thomson Reuters Eikon for Wealth Management
cp.thomsonreuters.com ia.thomsonreuters.com eikon.thomsonreuters.com eikon.extranet.thomsonreuters.biz cp.extranet.thomsonreuters.biz ia.extranet.thomsonreuters.biz customers.reuters.com customers.extranet.thomsonreuters.biz customers.thomsonreuters.com eikontest.thomsonreuters.com graphics.thomsonreuters.com reuters.com breakingviews.com sdn.reuters.com force.com salesforce.com webtrendslive.com
Document Version 2.11 Date of issue: 27 March 2012
Customer Zone
Thomson Reuters Eikon Excel System Test URL link in some news content e.g. pdf.reuters.com, www.reuters.com, blogs.reuters.com, www.breakingviews.com Securitized Derivatives Network Migration tools (Knowledge network)
28
Thomson Reuters Eikon Networking Guide
insider.thomsonreuters.com reutersinsider.com
Reuters Insider
thomson.112.2o7.net (used for analytic and report of user interactions)
training.thomsonreuters.com trainingportal.us geotrust.com verisign.com Webex.com
Document Version 2.11 Date of issue: 27 March 2012
Thomson Reuters E-learning Certificate Validation Remote Support
29
Thomson Reuters Eikon Networking Guide
5. INTERNET SERVICE FOR THOMSON REUTERS EIKON 5.1 INTERNET SERVICE DNS The following DNS Suffixes are able to be resolved on internet only. It is strongly recommended that clients have Internet Connection in order to get the services. DNS public.login.cp.thomsonreuter.net blogs.reuters.com breakingviews.com link.reuters.com pdf.reuters.com r.reuters.com today.reuters.com topnews.reuters.com uk.reuters.com www.reuters.com thomsonreuters.com trainingportal.us training.thomsonreuters.com reutersinsider.com thomson.112.2o7.net force.com salesforce.com webtrendslive.com webex.com emaxx.reuters.com sdn.reuters.com autex.com autexnow.com db.dealwatch.jp europrospectus.com fixedincomelabs.com Hihifrds.com Intindex.com Lipperweb.com loanpricing.com pointcarbon.com* ReutersRealEstate.com rts.scanrate.dk Streetsight.thomson.com Stormpulse.com** tiles.virtualearth.net**
DNS Server Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP
Tubemogul.com tradeweb.com Geotrust.com Verisign.com Digicert.com complinet.com
Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP Internet ISP
Document Version 2.11 Date of issue: 27 March 2012
Thomson Reuters Service Thomson Reuters Administrative Services News URL link News URL link News URL link News URL link News URL link News URL link News URL link News URL link News URL link Thomson Reuters web services Thomson Reuters E learning Thomson Reuters E learning Reuters Insider Reuters Insider Thomson Reuters Eikon Migration Tools Thomson Reuters Eikon Migration Tools Thomson Reuters Eikon Migration Tools Remote Support Bond Holdings Securitized Derivatives Network Autex Autex Deal watch Euro Prospectus Fixed Income in Thomson Reuters Eikon Treasury Community Tools International Index Company Lipper Market Insight Load Pricing Eikon Point Carbon C&E Thomson Reuters Real Estate Danish MBS Street Sight Stormpulse Weather Service Aerial and Satellite image for Interactive Map component Stormpulse Weather Service Tradeweb Certificate Management Certificate Management Certificate Management Thomson Reuters Accelus***
30
Thomson Reuters Eikon Networking Guide
tta.thomson.com
Internet ISP
globalrelay.com
Internet ISP
Thomson Reuters Transacation Analytics*** Thomson Reuters Messaging Compliance***
* Eikon Point Carbon will be integrated in Q1, 2012. **Interactive Map component, a new object will be available early 2012 ***Thomson Reuters Eikon for Compliance Management services only Please be aware that Thomson Reuters will not divulge IP address information in any circumstances. Doing so prevent us from changing IP addresses as and when needed without notification period and these IP addresses may not always be under our direct control. Clients should always use DNS.
5.2 FIREWALL POLICY If you use Thomson Reuters Messaging 8.x and Thomson Reuters Eikon on the same machine, see the Thomson Reuters Messaging 8 Firewall/IP Guide in https://customers.reuters.com/a/support/paz/pazDocs.aspx?dId=389804
Content Filtering Policy If you set up a policy for Content Filtering on the Internet Proxy or Firewall, the following DNS suffixes must be set to ALLOW for Thomson Reuters Eikon. DNS Suffixes thomsonreuters.com thomsonreuters.net reuters.com autex.com autexnow.com breakingviews.com collab.thomsonreuters.com cp.thomsonreuters.com
eikontest.thomsonreuters.com europrospectus.com fitrading.reuters.com fixedincomelabs.com force.com
Thomson Reuters Service Thomson Reuters Web Services Thomson Reuters Web Services Thomson Reuters Web Services Autex Autex Breaking News Collaboration Service Thomson Reuters Eikon and Thomson Reuters Eikon for Wealth Management Thomson Reuters Eikon and Thomson Reuters Eikon for Wealth Management Customer Zone Customer Zone Internet ISP Certificate Revocation Validation Thomson Reuters Eikon and Thomson Reuters Eikon Wealth management System Test Internet ISP Trading Service, System Test Fixed Income tools Thomson Reuters Eikon Migration tools
fxtrading.reuters.com geotrust.com graphics.thomsonreuters.com hihifrds.com
Trading Service, System Test GeoTrust Certificate Revocation Validation System Test Treasury Community Tools
cp.thomsonreuters.net customers.reuters.com customers.thomsonreuters.com db.dealwatch.jp digicert.com eikon.thomsonreuters.com
(Knowledge network)
Document Version 2.11 Date of issue: 27 March 2012
31
Thomson Reuters Eikon Networking Guide
ia.thomsonreuters.com insider.thomsonreuters.com Intindex.com Lipperweb.com loanpricing.com pointcarbon.com reutersinsider.com ReutersRealEstate.com rtextrading.reuters.com rts.scanrate.dk salesforce.com
Thomson Reuters Eikon Wealth Management Reuters Insider International Index Company Lipperweb Loan Pricing Eikon Point Carbon Reuters Insider Thomson Reuters Real Estate Trading Service, System Test Internet ISP Thomson Reuters Eikon Migration tools (Knowledge network)
stormpulse.com streetsight.thomson.com thomson.112.2o7.net
Strom Pulse Thomson Street sight Reuters Insider (used for analytic and report of user interactions)
tiles.virtualearth.net tradeweb.com trading.thomsonreuters.net trainingportal.us traininig.thomsonreuters.com Tubemogul.com verisign.com webex.com
Aerial and Satellite image for Interactive Map component Trade web Trading Service, System Test Thomson Reuters E-learning Thomson Reuters E-learning Internet ISP Verisign Certificate Revocation Validation Remote Support
Note: Customers can use thomsonreuters.com and reuters.com instead of adding multiple entries from the table. The multimedia news service, Reuters Insider, uses the Akamai Content Delivery Network (CDN), the 3 party service provider, to cache and distribute dynamic and static content through thousands of Edge servers. Due to the dynamic nature of the Akamai CDN, the user is dynamically directed to the Akamai Edge servers that offer the best performance. Therefore please allow content for Content-Type =”application/x-fcs” for Reuters Insider.
rd
Personal Firewall If you use a personal firewall, please ensure that the Firewall allows those processes: PROCESS NAME
SERVICES
Kobra.exe
Thomson Reuters Eikon Desktop
Excel.exe
Thomson Reuters Eikon Excel
Rdmc.exe
System Test
Agent.exe
Thomson Reuters Update Services
Document Version 2.11 Date of issue: 27 March 2012
32
Thomson Reuters Eikon Networking Guide
Isdm.exe
Thomson Reuters Update Services
Jre.exe
Trading Services
Note: Kobra.exe and Jre.exe are not available on Thomson Reuters Eikon for Wealth Management
5.3 WEB PROXY AUTO-DISCOVERY PROTOCOL (WPAD) Thomson Reuters Eikon does not support the Web Proxy Auto-Discovery Protocol (WPAD). The Update Agent cannot connect to the dedicated proxy server indicated in the WPAD file; as a consequence, users are not able to install Thomson Reuters Eikon or upgrade to the latest Service Releases or Hotfixes. The issue is under investigation by our development teams.
5.4 REUTERS INSIDER Reuters Insider does not support delivery over Private Delivery connections because internet delivery offers greater scalability, is more cost effective for clients and it's not prudent for video streaming to share the same connection as time-critical data. Many proxy and enterprise network monitoring tools allow bandwidth management of video internet traffic and these can be used to control quality and quantity risks associated with the internet delivery method. rd
Reuters Insider uses the Akamai Content Delivery Network (CDN), the 3 party service provider, to cache and distribute dynamic and static content through thousands of Edge servers. Due to the dynamic nature of the Akamai CDN, the user is dynamically directed to the Akamai Edge servers that offer the best performance. Therefore please allow content for Content-Type =”application/x-fcs” for Reuters Insider.
NTLM Authentication It is advisable to allow Reuters Insider to bypass NTLM authentication, as we have experienced authentication timeouts with Flash-based applications with a number of clients when NTLM authentication is enabled. For additional information, visit https://kb.bluecoat.com/index?page=content&id=KB3243&actp=LIST
Timeouts or Disconnections If Reuters Insider video streams occasionally time out or disconnect and it does not appear to be an issue with your proxy, the problem might be caused by: A default setting in Internet Explorer versions 6 or 7 that limits the user to two concurrent connections to a server. As Reuters Insider is a feature rich multimedia platform, it sometimes requires more than two concurrent connections. This is a known limitation of these versions of Internet Explorer; the Microsoft article at the following URL explains how to increase this value: http://support.microsoft.com/kb/282402.
5.5 THOMSON REUTERS EIKON FOR COMPLIANCE MANAGEMENT Content Filtering For Thomson Reuters Eikon for Compliance Management, it is necessary that client allow the additional DNS suffix from section 5.2 DNS SUFFIX
complinet.com
Document Version 2.11 Date of issue: 27 March 2012
SERVICES
Thomson Reuters Accelus
33
Thomson Reuters Eikon Networking Guide
tta.thomson.com compliance.collab.thomsonreuters.com ecm-archiver.globalrelay.com
Thomson Reuters Transaction Analytics Thomson Reuters Messenger Compliance – Administration Portal Thomson Reuters Messenger Compliance – Global Relay Reviewer Portal
5.6 INTERNET OPTIONS SETTING Advanced Option
Enable Use HTTP1.1
Enable Use HTTP 1.1 through proxy connections
Disable Do not save encrypted pages to disk
Document Version 2.11 Date of issue: 27 March 2012
34
Thomson Reuters Eikon Networking Guide
Check Certificate Revocation Web installation is will fail if certificate revocation check is turned on and Internet cannot be reached. Refer to the following table for recommended actions.
CLIENT SITE
ADVISE
Client without Internet access and Thomson Reuters Hosted Private
Advise to disable the following IE options
Document Version 2.11 Date of issue: 27 March 2012
Check for publisher’s certificate revocation
Check for server certificate revocation
Check for signatures on downloaded programs
35
Thomson Reuters Eikon Networking Guide
Note: the setting is per-user, unless locked by IT policies. Client with Internet access
Document Version 2.11 Date of issue: 27 March 2012
For security reason, client should enable those options.
36
Thomson Reuters Eikon Networking Guide
6 THOMSON REUTERS EIKON CERTIFICATE MANAGEMENT For security purposes, servers, Thomson Reuters Eikon package and Thomson Reuters Eikon Excel for Wealth Management package requires up to date certificates at installation, update and start-up. To ensure access to Thomson Reuters at all time, it is crucial that you validate the Certificate Management approach most appropriate to your network. With the SSL certificate, it is required to validate the status of the certificates used when performing authentication, signing or encryption operations. Failures to validate the certificates prevent the product working. The validation can be either CRL or OCSP based on the client Operating System. See more information in Appendix D. It is necessary the certificates be validated through Internet or Internal Certificate Infrastructure, Microsoft Online Responder, OCSP Proxy and etc., unless delegated to an internal certificate management system You have to ensure that the certificate validation process can be updated from both
*.geotrust.com
*.verisign.com
Microsoft provides a number of white papers how to set trust relationship within a closed network. Starting point is here:
Certificate Status and Revocation Checking (Windows XP): http://social.technet.microsoft.com/wiki/contents/articles/certificate-status-and-revocationchecking.aspx
How Certificate Revocation Work (Windows 7, Windows 2008) http://technet.microsoft.com/engb/library/ee619754(WS.10).aspx
Windows root Certificate Program: http://support.microsoft.com/kb/931125
6.1 THOMSON REUTERS EIKON CERTIFICATES AUTHORITIES Thomson Reuters Eikon uses root certificates are shown as
Verisign
TRUSTED ROOT CERTIFICATE AUTHORITIES
INTERMEDIATE CERTIFICATE AUTHORITIES
Verisign: Class 3 Public Primary Certificate Authority – G2
Verisign Class 3 Secure Server CA- G2
Verisign Class 3 Public Primary Certificate Authority – G5
VeriSign Class 3 Secure Server CA-G3
Equifax*
Equifax Secure Certificate Authority
GeoTrust
GeoTrust Glocal CA
Thawte
Thawte Timestamping CA
DigiCert**
DigiCert High Assurance EV Root CA
http://crl.verisign.com/SVRSecureG2.cer http://crl.verisign.com/SVRSecureG3.cer
GeoTrust SSL CA
DigiCert High Assurance CA-3
Note: *Equifax Secure Certificate Authority is replacing by GeoTrust Global CA **DigiCert is used for Eikon Carbon Point which will be integrated in Eikon by Q1, 2012. The Trusted root certificates that are required by Microsoft Windows is listed in KB 293781, http://support.microsoft.com/kb/293781 It is necessary that all of them are available on the machine.
Document Version 2.11 Date of issue: 27 March 2012
37
Thomson Reuters Eikon Networking Guide
6.2 THOMSON REUTERS EIKON FOR WEALTH MANAGEMENT CERTIFICATES AUTHORITIES Thomson Reuters Eikon for Wealth Management uses root certificates as
Verisign
TRUSTED ROOT CERTIFICATE AUTHORITIES
INTERMEDIATE CERTIFICATE AUTHORITIES
Verisign: Class 3 Public Primary Certificate Authority – G2
Verisign Class 3 Secure Server CA- G2
Verisign Class 3 Public Primary Certificate Authority – G5
VeriSign Class 3 Secure Server CA-G3
Equifax*
Equifax Secure Certificate Authority
GeoTrust
GeoTrust Glocal CA
Thawte
Thawte Timestamping CA
http://crl.verisign.com/SVRSecureG2.cer http://crl.verisign.com/SVRSecureG3.cer
GeoTrust SSL CA
Note: *Equifax Secure Certificate Authority is replacing by GeoTrust Global CA
The Trusted root certificates, required by Microsoft Windows, are listed in Microsoft KB 293781, http://support.microsoft.com/kb/293781 It is necessary that all of them are available on the machine.
6.3 TESTING TRUSTED ROOT CERTIFICATE The Trusted Root can be tested from the following URL TRUSTED ROOT CERTIFICATE
TEST URL
Verisign: Class 3 Public Primary Certificate Authority – G2
https://ssltest24.bbtest.net
Verisign Class 3 Public Primary Certificate Authority – G5
https://ssltest2.bbtest.net
Equifax Secure Certificate Authority
https://ssltest11.bbtest.net
GeoTrust Glocal CA
https://ssltest15.bbtest.net
DigiCert High Assurance EV Root CA
https://ev-root.digicert.com/testroot/
Document Version 2.11 Date of issue: 27 March 2012
38
Thomson Reuters Eikon Networking Guide
APPENDIX A: LIST OF DEVICE TCP/IP INFORMATION This Appendix shows all device information.
TIME SERIES PROXY TCP/IP PORT Services
Network Port
Management SNMP
TCP/UDP: 8082, 8085 SSH: 22 161/ UDP
Thomson Reuters Eikon
HTTP
Time Series Service
HTTP
Note
STREAMING PROXY TCP/IP PORT Network components
RSS HMDS
Network components connect to the ports on Streaming Proxy Dynamic Dynamic
Streaming Proxy connects to the ports on the network components TCP: 2000, 8801 TCP: 14002
RWS Thomson Reuters Eikon
Dynamic TCP: 14002
TCP: 8101 Dynamic
Application Console SMF Update Proxy Dealing Key station GMI components
TCP: 8603, 7011 TCP: 8603, 7011 TCP: 80 TCP: 8101 Ports to be opened in Streaming Proxy 22, 9510, 9514, 9515 / TCP
TCP: 8603, 7011 TCP: 8603, 7011 TCP: 80 Dynamics Ports to be opened in other devices
SSH Traffic, CAS Agent Manager Traffic CAS Agent Manager Traffic; Inventory Collector Traffic SNMP Gets SNMP Traps Precision / IP Traffic ICMP SSH Traffic Probe Rule Traffic Syslog Message Data/File Retrieval from PAWZ Agent / PAWZ Agent Profile Update PAWZ Real Time Agent Data FTA
Document Version 2.11 Date of issue: 27 March 2012
Note TPM Server
9511, 9512, 9513, 9080 /TCP 161 / UDP 3306, 4100, 7600, 32972 / TCP ICMP 22 / TCP
Note
162 / UDP 3306, 4100, 7600, 32972 / TCP ICMP
TPM Server NetCool Server NetCool Server NetCool Server
1661 / TCP
NetCool Server NerCool Server NetCool Server NetCool Server PAWZ Server
2102 / TCP
PAWZ Server
1661 / TCP
FTA Server
80 / TCP 514 / TCP, 514 / UDP
39
Thomson Reuters Eikon Networking Guide
ePO Microsoft
8902, 8903 / UDP Ports to be opened in Streaming Proxy
Windows Server Activation
8900 / UDP Ports to be opened in other devices 1688/ TCP
ePO Server Note KMS Server
REUTERS INSIDER FIREWALL PORT ALLOWED
HTTP 80
HTTPS 443
One of these ports (80, 443, 1935) must be open for RTMP to live.flash.insider.thomsonreuters.com
BT ROUTING FOR THOMSON REUTERS MANAGED DEVICE
IP SUBNET 65.62.0.0 / 15
DOMAIN/SYSTEM Spring Servers (Ex Client WAN Range) Super net (Aggregated Prefix)
DESCRIPTION/USED FOR TR EIKON Spring Server Ex Client WAN Range contains - 65.62.64.0/22 Range1 - 65.62.68.0/22 Range 2 - 65.63.72.0/22 Range 3
67.56.0.0 / 15
Reuters servers range 03
Reuters server range 3
75.124.0.0 / 16
Reuters servers CAA15
Contain (Spring Servers (Ex Client WAN range 4,
75.96.96.0 / 20
Reuters servers CAA18
Reuters servers CAA18
155.195.48.0 / 22
Reuters servers range 01
Reuters servers range 01
155.195.64.0 / 18
Reuters servers range 01
Reuters servers range 01
159.220.192.0 /20
Global Management Infrastructure (GMI)
Global Management Infrastructure (GMI)
198.206.64.0 /18
Reuters client range 10
Spring Reuters Servers Range 2 (198.206.86.0/23),
198.210.128.0 /17
Reuters client range 06
204.109.128.0 /17
FCE clients range 04
206.60.0.0 /16
Spring Reuters servers range 3
Reuters client range 06 FCE clients range 04 Spring Reuters servers range 3
SAVVIS NETWORK INFORMATION FOR THOMSON REUTERS MANAGED DEVICE IP Subnet
Note
159.220.0.0/16 192.155.40.64/30
Thomson Reuters Managed NTP Server
Document Version 2.11 Date of issue: 27 March 2012
40
Thomson Reuters Eikon Networking Guide
192.155.136.0/21
Thomson Reuters Platform Services, DNS
SERVICES
HOST NAME
IP ADDRESS
NTP Server
NTCP-NTP201
192.155.40.64
NTCP-NTP202
192.155.40.66
DTCP-EPO0001.session.rservices.com
192.155.129.54
EPO Server
Document Version 2.11 Date of issue: 27 March 2012
41
Thomson Reuters Eikon Networking Guide
APPENDIX B: LIST OF SWITCH ALLOCATION ON BT SWITCH (VLAN) Recommended IP address for Streaming Proxy Server and Time Series Proxy on Private Delivery managed VLAN switch These are recommended IP Address for Streaming Proxy Server and Time Series Proxy devices connecting to the BT Managed VLAN Switch. A different network range should only be used if the suggested IP address range conflicts with your internal network.
Device SPX / TSP (No Converge-VLAN130) Switch 1 - IDN-DAF VLAN Sub Interface Address Switch 1 port 9 – 1st client SPX / TSP Switch 1 port 10 – 3rd client SPX / TSP Switch 1 port 11 – 5th client SPX / TSP Switch 1 port 12 – 7th client SPX / TSP Switch 1 port 13 – 9th client SPX / TSP Switch 1 port 14 – Network Monitor SPX / TSP (No Converge-VLAN130) Switch 2 - IDN-DAF VLAN Sub Interface Address Switch 2 port 9 – 2nd client SPX / TSP Switch 2 port 10 – 4th client SPX / TSP Switch 2 port 11 – 6th client SPX / TSP Switch 2 port 12 – 8th client SPX / TSP Switch 2 port 13 – 10th client SPX / TSP Switch 2 port 14 – Network Monitor SPX / TSP (Standard Converge-VLAN160) Switch 1 - IDN-SAF VLAN Sub Interface Address Switch 1 port 17 – 1st client SPX / TSP Switch 1 port 18 – 3rd client SPX / TSP Switch 1 port 19 – 5th client SPX / TSP Switch 1 port 14 - Network Monitor SPX / TSP (Standard Converge-VLAN160) Switch 2 - IDN-SAF VLAN Sub Interface Address Switch 2 port 17 – 2nd client SPX / TSP Switch 2 port 18 – 4th client SPX / TSP Switch 2 port 19 – 6th client SPX / TSP Switch 2 port 14 - Network Monitor
Document Version 2.11 Date of issue: 27 March 2012
IP Address (Option A)
VLAN HSRP
IP Address (Option B)
VLAN HSRP
172.31.11.1 /24 172.31.11.11 /24 172.31.11.12 /24 172.31.11.13 /24 172.31.11.14 /24 172.31.11.15 /24 172.31.11.10 /24
N/A N/A N/A N/A N/A N/A N/A
192.168.11.1 /24 192.168.11.11 /24 192.168.11.12 /24 192.168.11.13 /24 192.168.11.14 /24 192.168.11.15 /24 192.168.11.10 /24
N/A N/A N/A N/A N/A N/A N/A
172.31.12.1 /24 172.31.12.11 /24 172.31.12.12 /24 172.31.12.13 /24 172.31.12.14 /24 172.31.12.15 /24 172.31.12.10 /24
N/A N/A N/A N/A N/A N/A N/A
192.168.12.1 /24 192.168.12.11 /24 192.168.12.12 /24 192.168.12.13 /24 192.168.12.14 /24 192.168.12.15 /24 192.168.12.10 /24
N/A N/A N/A N/A N/A N/A N/A
172.25.10.1 /24 172.25.10.11 /24 172.25.10.13 /24 172.25.10.15 /24 172.25.10.9 /24
172.25.10.3 /24
192.168.20.1 /24 192.168.20.11 /24 192.168.20.13 /24 192.168.20.15 /24 192.168.20.9 /24
192.168.20.3 /24
172.25.10.2 /24 172.25.10.12 /24 172.25.10.14 /24 172.25.10.16 /24 172.25.10.10 /24
172.25.10.3 /24
192.168.20.2 /24 192.168.20.12 /24 192.168.20.14 /24 192.168.20.16 /24 192.168.20.10 /24
192.168.20.3 /24
42
Thomson Reuters Eikon Networking Guide
APPENDIX C: LOCAL DNS CONFIGURATION TO SUPPORT NETWORK FAILOVER (PRIVATE DELIVERY TO INTERNET)* *This configuration should only apply in case of BT MPLS failover i.e. not something to setup by default.
Configuration Microsoft Windows 2003 Server DNS for Selective Forwarding NOTE: Microsoft refers to this as Conditional Forwarding For Forwarders tab, all other DNS domains, the forwarder IP Address list is containing eDNS and Internet DNS. As figure below (155.195.76.4 is eDNS server and 203.144.207.29 is Internet ISP DNS).
For the cp.thomsonreuters.net suffix, The forwarder IP address list needs add both eDNS and Internet ISP DNS. Add both DNS Providers because when the primary (Private Delivery) Infrastructure is fail, it will use Internet ISP DNS to resolve instead.
Document Version 2.11 Date of issue: 27 March 2012
43
Thomson Reuters Eikon Networking Guide
For the extranet.thomsonreuters.biz suffix, The forwarder IP address list needs add both eDNS only.
For the thomsonreuters.com suffix, The forwarder IP address list needs add both Internet ISP DNS only.
Document Version 2.11 Date of issue: 27 March 2012
44
Thomson Reuters Eikon Networking Guide
Configuration Microsoft Windows 2003 Server DNS for Delegation For the extranet.thomsonreuters.biz suffix
To Delegate this domain create a new Forward Lookup Zone (Standard Primary) called thomsonreuters.biz as the step showing below: 1. Right Click on Forward Lookup Zone to create new zone
2. Click next
Document Version 2.11 Date of issue: 27 March 2012
45
Thomson Reuters Eikon Networking Guide
3. Select Primary zone and Click Next
4. Input zone name thomsonreuters.biz and Click next
Document Version 2.11 Date of issue: 27 March 2012
46
Thomson Reuters Eikon Networking Guide
5. Create a new file with file name (default) and Click next
6. Select “Do not allow dynamic updates” and Click next
Document Version 2.11 Date of issue: 27 March 2012
47
Thomson Reuters Eikon Networking Guide
7. Click Finish
8. The domain thomsonreuters.biz is created
Document Version 2.11 Date of issue: 27 March 2012
48
Thomson Reuters Eikon Networking Guide
9. Create New Delegation by Right Click on thomsonreuters.biz domain
10. Windows Wizard pop up and Click next
Document Version 2.11 Date of issue: 27 March 2012
49
Thomson Reuters Eikon Networking Guide
11. Enter “extranet” in the Delegated domain and Click next
12. Click Add to add the DNS server
Document Version 2.11 Date of issue: 27 March 2012
50
Thomson Reuters Eikon Networking Guide
13. Enter the eDNS server name into the FQDN, Click Resolve to get the IP Address and Click OK
14. Click next
Document Version 2.11 Date of issue: 27 March 2012
51
Thomson Reuters Eikon Networking Guide
15. Click Finish
Repeat create cp.thomsonreuters.com domain for delegated domain.
The Local DNS server has two delegated domains as below
Document Version 2.11 Date of issue: 27 March 2012
52
Thomson Reuters Eikon Networking Guide
Forwarding DNS for cp.thomsonreuters.net domain
NOTE: It is not recommended to delegate the Universal Domains and Global Universal Domains, cp.thomsonreuters.net, since this breaks failover from MPLS to Internet. Please use forwarding DNS for cp.thomsonreuters.net
Document Version 2.11 Date of issue: 27 March 2012
53
Thomson Reuters Eikon Networking Guide
APPENDIX D: CERTIFICATE REVOCATION CONCEPT Public key infrastructure (PKI) consists of multiple components, including certificates, certificate revocation lists (CRL), and certification authorities (CA). ). In most cases, applications that depend on X.509 certificates, such as Secure/Multipurpose Internet Mail Extensions (S/MIME), Secure Sockets Layer (SSL), and smart cards, is required to validate the status of the certificates used when performing authentication, signing, or encryption operations. The certificate status and revocation checking is the process by which the validity of certificates is verified based on two main categories: time and revocation status. Time. Certificates are issued for a fixed period of time and considered valid as long as the expiration date of the certificate is not reached, unless revoked before that date. Revocation status. Certificates can be revoked before their expiration date because of multiple reasons such as key compromise or suspension. Before performing any operation, applications often validate that the certificate was not revoked. Windows XP and Windows 2003 support only CRL. Windows Vista, Windows 7 and the Windows 2008 support both CRL and OCSP as a method of determining certificate status. The OCSP support includes both the client component as well as the Online Responder, which is the server component.
Certificate Revocation Checking When an application performs a certificate evaluation, the validation is performed on all certificates in that certificate's chain. This includes every certificate from the end-entity certificate presented to the application to the root certificate. When the first certificate in the chain is validated, the following process takes place: 1. The certificate chaining engine attempts to build the chain for the certificate inspected by querying the local certificate store or by downloading from one of the URLs available in the inspected certificate's authority information access extensions. 2. For all certificate chains that end in a trusted root, all certificates in the chain are validated. This involves the following steps: - Verify that each certificate's signature is valid. - Verify that the current date and time fall within each certificate's validity period. - Verify that each certificate is not corrupt or malformed. 3. Each certificate in the certificate chain is checked for revocation status. Revocation checking is performed either by using a CRL or OCSP, based on the certificate configuration. After the validation check is completed, the certificate chaining engine returns the results of the validation check to the application that originated the validation request. The results will indicate if all certificates in the chain are valid, if the chain terminates at a non-trusted root CA, if any certificates in the chain are not valid, or if the revocation status for any of the certificates in the chain cannot be determined. For more information, see Certificate Revocation and Status Checking in http://go.microsoft.com/fwlink/?LinkID=27081
CRL A CRL is a file, created and signed by a CA that contains serial numbers of certificates that have been issued by that CA and are revoked. In addition to the serial number for the revoked certificates, the CRL also contains the revocation reason for each certificate and the time the certificate was revoked. Currently, two types of CRL exist: base CRL and delta CRL. Base CRL maintain a complete list of revoked certificates while delta CRL maintain only those certificates that have been revoked since the last publication of a base CRL. The major drawback of CRL is their potentially large size, which limits the scalability of the CRL approach. The large size adds significant bandwidth and storage burdens to the CA and relying party, and therefore limits the ability of the system to distribute the CRL. Bandwidth, storage space, and CA processing capacity
Document Version 2.11 Date of issue: 27 March 2012
54
Thomson Reuters Eikon Networking Guide
can also be negatively affected if the publishing frequency gets too high. Numerous attempts have been made to solve the CRL size issue through the introduction of partitioned CRL, delta CRL, and indirect CRL. All these approaches have added complexity and cost to the system without providing an ideal solution to the underlying problem. Another drawback of CRL is latency; because the CRL publishing period is predefined, information in the CRL might be out of date until a new CRL or delta CRL is published.
OCSP OCSP is a Hypertext Transfer Protocol (HTTP) that allows a relying party to submit a certificate status request to an OCSP responder. This returns a definitive, digitally signed response indicating the certificate status. The amount of data retrieved per request is constant regardless of the number of revoked certificates in the CA. Most OCSP responders get their data from published CRL and are therefore reliant on the publishing frequency of the CA. Some OCSP responders can, however, receive data directly from the CA's certificate status database and consequently provide near real-time status. Scalability is the major drawback of the OCSP approach. Since it is an online process and is designed to respond to single certificate status requests, it results in more server hits, requiring multiple and sometimes geographically dispersed servers to balance the load. The response signing and signature verification processes also take time, which can adversely affect the overall response time at the relying party. Finally, since the integrity of the signed response depends on the integrity of the OCSP responder's signing key, the validity of this key must also be verified after a response is validated by the client.
Troubleshooting Thomson Reuters Eikon uses Microsoft Crypto API to check and download Certificate Revocation (CRL) from a CRL distribution point. The Crypto API internally uses the WinHTTP API to download the HTTP based URL for the CRL distribution point. If the proxy is not reachable or is incorrect, WinHTTP will not be able to download the CRL. The certificate revocation check will fail. Thomson Reuters Eikon does not create any secure connection to the platform which causes the program shutdown or get an error message. The logic to discover a Proxy server is as following: 1. Check the static proxy settings. WINDOWS
COMMAND
Windows XP
Proxycfg.exe
Windows Vista, Windows 7
Netsh.exe winhttp show proxy
2. If there is no static proxy setting, API tries to retrieve the Internet Explorer setting on the following order. The following registry locations are queried based on the executing identity: REGISTRY KEY Current User
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
NETWORK SERVICE
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings
LOCAL SYSTEM
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings
LOCAL SERVICE
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Document Version 2.11 Date of issue: 27 March 2012
55
Thomson Reuters Eikon Networking Guide
Any Other user
HKEY_USERS\ \Software\Microsoft\Windows\CurrentVersion\ Internet Settings
3. If the Internet Explorer proxy settings are not present for the executing user or if the Internet Explorer settings as indicate in - Automatically detect settings - Use automatic configuration script The Crypto API will try to automatically discover a proxy for the CRL. This will either return specific proxy information or return 'no proxy' if the automatic proxy discovery fails or if the URL does not require a proxy. More information, see Microsoft KB 2623724 as in http://support.microsoft.com/kb/2623724
WinHTTP Proxy Configuration The WinHTTP proxy configuration utility, proxycfg.exe, configures WinHTTP to access HTTP and HTTPS servers through a proxy server on Windows XP. An administrator can use the proxycfg.exe utility as part of the deployment and installation process of an application that uses WinHTTP. The administrator who runs proxycfg.exe must have local administrator privileges so that proxycfg.exe can update the registry of the local computer. WinHTTP proxy settings are per-machine, not per-user. For Windows Vista, Windows 2008 and Windows 7, use Netsh.exe winhttp instead of proxycfg.exe. Netsh.exe requires administrative rights to modify machine configuration.
Usage The following examples show the syntax use for various commands in the proxycfg.exe utility. COMMAND LINE
DESCRIPTION
Proxycfg
Display the current WinHTTP proxy settings
Proxycfg –d
Set direct access
Proxycfg –u
Import proxy setting from current users Internet Explorer manual settings
Proxycfg –p proxy-server-list optional-by-pass-list
Specify one or more proxy server and optional list of hosts that should be accessed directly.
The following examples show the syntax use for various commands for Windows Vista and Windows Seven COMMAND LINE
DESCRIPTION
Netsh winhttp show proxy
Display the current WinHTTP proxy settings
Netsh winhttp reset proxy
Set direct access
Netsh winhttp import proxy source=ie
Import proxy setting from current users Internet Explorer manual settings
Netsh winhttp set proxy proxy-server bypass-list=“ optional-by-pass-list”
Specify one proxy server and optional list of hosts that should be accessed directly.
Netsh winhttp set proxy proxy-server= ”proxy-server-list “ bypass-list=“ optional-by-pass-list”
Specify one or more proxy server and optional list of hosts that should be accessed directly.
Document Version 2.11 Date of issue: 27 March 2012
56
Thomson Reuters Eikon Networking Guide
PARAMETER
DESCRIPTION OF USE
Proxy-server-list
Proxy are list in a specific protocol as Windows XP: “protocol=http://proxy_name:port” Windows Vista and Seven: “protocol=proxyname:port;” where protocol is either http or https and proxy_name is the name of the proxy server.
Optional-bypass-list
The list contains host names or IP address that is locally known. This list can contain wildcards, "*", that cause the application to bypass the proxy server for addresses that fit the specified pattern. For example, both "*.microsoft.com" and "*.org" are acceptable wildcard patterns. Wildcard characters must be the left-most characters in the list, so "myserver.*" is not supported. To list multiple addresses and host names, separate them with blank spaces or semicolons in the proxy bypass string. If the "" macro is specified, the function bypasses any host name that does not contain a period.
Example on Windows XP
Import the current Internet Proxy setting to WinHTTP (for manual setting on Internet Explorer only) C:\> proxycfg -u Microsoft (R) WinHTTP Default Proxy Configuration Tool Copyright (c) Microsoft Corporation. All rights reserved.
Updated proxy settings Current WinHTTP proxy settings under: HKEY_LOCAL_MACHINE\ SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\ WinHttpSettings :
Proxy Server(s) : 10.42.72.142:8080
Set up proxy1.test.com as a proxy for WinHTTP and bypass proxy for the local domain, *.extranet.thomsonreuters.biz and *.thomsonreuters.net c:\>proxycfg -p proxy1.test.com ";*.extranet.thomsonreuters.biz;*.thomsonreuters.net" Microsoft (R) WinHTTP Default Proxy Configuration Tool Copyright (c) Microsoft Corporation. All rights reserved.
Updated proxy settings Current WinHTTP proxy settings under: HKEY_LOCAL_MACHINE\
Document Version 2.11 Date of issue: 27 March 2012
57
Thomson Reuters Eikon Networking Guide
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\ WinHttpSettings :
Proxy Server(s) : proxy1.test.com Bypass List
: ;*.extranet.thomsonreutes.biz;*.thomsonreutes.net
Set up Proxy1.test.com for a http protocol on port 80 and Proxy2.test.com for https protocol on port 3128 . And direct access to the local domain, *.extranet.thomsonreuters.biz and *.thomsonreuters.net C:\> proxycfg -d "http=proxy1.test.com:8080 https=proxy2.test.com:3128" “;*.extranet.thomsonreuters.biz;*.thomsonreuters.net" Microsoft (R) WinHTTP Default Proxy Configuration Tool Copyright (c) Microsoft Corporation. All rights reserved.
Updated proxy settings Current WinHTTP proxy settings under: HKEY_LOCAL_MACHINE\ SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\ WinHttpSettings :
Proxy Server(s) : http=proxy1.test.com:8080 https=proxy2.test.com:3128 Bypass List
: ;*.extranet.thomsonreuters.biz;*.thomsonreuters.net
Clear the WinHTTP configuration C:\> proxycfg -d Microsoft (R) WinHTTP Default Proxy Configuration Tool Copyright (c) Microsoft Corporation. All rights reserved.
Updated proxy settings Current WinHTTP proxy settings under: HKEY_LOCAL_MACHINE\ SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\ WinHttpSettings :
Direct access (no proxy server).
Document Version 2.11 Date of issue: 27 March 2012
58
Thomson Reuters Eikon Networking Guide
Example on Windows Vista and Windows 7
Import the current Internet Proxy setting to WinHTTP (for manual setting on Internet Explorer only) C:\> netsh winhttp import proxy source=ie Current WinHTTP proxy settings under: Proxy Server(s) : 10.42.72.142:8080 Bypass List:
Set up proxy1.test.com as a proxy for WinHTTP and bypass proxy for the local domain, *.extranet.thomsonreuters.biz and *.thomsonreuters.net c:\>netsh winhttp set proxy proxy1.test.com bypass-list ="; *.extranet.thomsonreuters.biz;*.thomsonreuters.net" Current WinHTTP proxy settings under: Proxy Server(s) : proxy1.test.com Bypass List
: ;*.extranet.thomsonreutes.biz;*.thomsonreutes.net
Set up Proxy1.test.com for a http protocol on port 80 and Proxy2.test.com for https protocol on port 3128 . And direct access to the local domain, *.extranet.thomsonreuters.biz and *.thomsonreuters.net C:\>netsh winhttp set proxy proxy-server="http=proxy1.test.com:8080; https=proxy2.test.com:3128" bypass-list= “;*.extranet.thomsonreuters.biz;*.thomsonreuters.net" Current WinHTTP proxy settings under: Proxy Server(s) : http=proxy1.test.com:8080; https=proxy2.test.com:3128 Bypass List
: ;*.extranet.thomsonreuters.biz;*.thomsonreuters.net
Clear the WinHTTP configuration C:\> netsh winhttp reset proxy Current WinHTTP proxy settings: Direct access (no proxy server).
Document Version 2.11 Date of issue: 27 March 2012
59
Thomson Reuters Eikon Networking Guide
Document Version 2.11 Date of issue: 27 March 2012
60
View more...
Comments
