Eikon Networking Guide v2.11

June 3, 2016 | Author: Danilo Lima | Category: Topics, Art & Design

THOMSON REUTERS EIKON NETWORKING GUIDE


Document Version 2.11 Date of issue: 27 March 2012

REVISION HISTORY

DATE          VERSION   REVISION DETAILS

14 Jun 2010   1.0       First Release version

6 Feb 2011    2.0       - Update and reformat document
                        - Add Proxy and Firewall Policy
                        - Update DNS table

7 Feb 2011    2.01      - Add Verisign and GeoTrust in Content Filtering Policy

23 Feb 2011   2.02      - Add Reuters Insider information
                        - Add Certificate Management
                        - Add Certificate Revocation concept in Appendix
                        - Add Private Network Routing table
                        - Add TCP/IP port 10240 for CFI
                        - Update DNS table
                        - Remove List of Thomson Reuters Eikon Host from Appendix

2 Mar 2011    2.03      - Add IP address divulge policy in DNS section
                        - Correct DNS host name for Reuters Insider
                        - Correct TCP/IP port for CFI

21 Apr 2011   2.04      - Add ia.thomsonreuters.com Domain
                        - Add eikontest.thomsonreuters.com for System Test
                        - Add Appendix E WinHTTP Proxy configuration
                        - Add WPAD issue on Thomson Reuters Hosted
                        - Correct information on Certificate Revocation through WinHTTP
                        - Add Certificate Revocation list validation and WinHTTP

24 May 2011   2.05      - Add graphics.thomsonreuters.com for System Test
                        - Add training.thomsonreuters.com for Knowledge network
                        - Add saleforce.com and force.com for Knowledge Network
                        - Add section 3.3 DACS Daemon services for RTIC connection
                        - Add more information on service on Content filtering

14 July 2011  2.06      - Add customers.reuters.com not available on Savvis network
                        - Correct on Certificate management typo mistake
                        - Update BT routing table for Thomson Reuters Eikon and Thomson Reuters Eikon Wealth Management
                        - Add Section Thomson Reuters Hosted Private deployment
                        - Update DNS table for Eikon for Wealth Management due to the streaming service change in August 2011

29 Sep 2011   2.07      - Update Savvis Private Network information
                        - Add a new chapter, Thomson Reuters Eikon for Wealth Management
                        - Change thomsonreuters.com DNS suffix to Internet
                        - Add DNS table for Savvis
                        - Change pdf.reuters.com domain to reuters.com domain as news content have multiple link e.g. pdf.reuters.com, link.reuters.com, r.reuters.com, blogs.reuters.com, www.reuters.com, etc.
                        - Add Section 1.3 Thomson Reuters Hosted Internet and Customer Managed
                        - Add Jre.exe to Personal Firewall table in order to fix an issue on Aviva program

4 Nov 2011    2.08      - Provide some news URL instead of reuters.com
                        - Correct Thomson Reuters Eikon for Wealth Management DNS table
                        - Update Appendix A

12 Dec 2011   2.09      - Add the Internet DNS for Eikon 2.0: Hihifrds.com, loanpricing.com, pointcarbon.com*, ReutersRealEstate.com, Streetsight.thomson.com, tiles.virtualearth.net
                        - Add Troubleshooting section in Appendix D
                        - Combine Appendix E as a section in Appendix D
                        - Update Certificate Revocation section
                        - Move duplicate content to Chapter 5 and 6
                        - Add Internet Options in Chapter 5
                        - Remove Section 1.3

24 Feb 2012   2.10      - Add Eikon for Compliance Management content filtering policy in Chapter 5
                        - Add DNS rule for Thomson Reuters Hosted Private
                        - Add Autex, breakingviews in Internet Service
                        - Remove DNS Round Robin for TSP and SPX
                        - Correct PAZW to PAWZ

27 Mar 2012   2.11      - Add new 75.124.118.0/24 for Thomson Reuters Platform
                        - Add public.login.cp.thomsonreuters.net
                        - Add port 8101 on SPX on Appendix A

CONTENT

About this document
    Intended readership
    In this guide
Glossary
1. Thomson Reuters Hosted Deployment
    1.1 Thomson Reuters Hosted Internet
    1.2 Thomson Reuters Hosted Private Network
2. Thomson Reuters Managed Deployment
    2.1 BT infrastructure
    2.2 SAVVIS infrastructure
3. Customer Managed Deployment
    3.1 BT infrastructure
    3.2 SAVVIS infrastructure
    3.3 DACS Daemon service for RTIC Connection
4. Thomson Reuters Eikon for Wealth Management
    4.1 Thomson Reuters Eikon for Wealth Management Internet
    4.2 Thomson Reuters Eikon for Wealth Management Private Network
    4.3 Proxy and Firewall Policy
5. Internet Service for Thomson Reuters Eikon
    5.1 Internet Service DNS
    5.2 FIREWALL Policy
    5.3 Web Proxy Auto-Discovery Protocol (WPAD)
    5.4 Reuters Insider
    5.5 Thomson Reuters Eikon for Compliance Management
    5.6 Internet Options Setting
6. Thomson Reuters Eikon Certificate Management
    6.1 Thomson Reuters Eikon Certificates authorities
    6.2 Thomson Reuters Eikon for Wealth Management Certificates authorities
    6.3 Testing Trusted Root Certificate
Appendix A: List Of device TCP/IP Information
    Time Series Proxy TCP/IP Port
    Streaming Proxy TCP/IP Port
    Reuters Insider Firewall Port allowed
    BT Routing for Thomson Reuters Managed Device
    Savvis Network Information for Thomson Reuters Managed Device
Appendix B: List of switch allocation on BT Switch (VLAN)
Appendix C: Local DNS configuration to support network failover (Private Delivery to internet)*
Appendix D: Certificate Revocation Concept

ABOUT THIS DOCUMENT

INTENDED READERSHIP

This document is intended for Thomson Reuters support personnel: Field Engineers, Planning Engineers, Client Implementation Specialists, Technical Deployment Specialists, Technical Account Managers and Client Network engineers. It can also be useful for the IT or networking personnel of Thomson Reuters Eikon customers when planning a Thomson Reuters Eikon deployment.

IN THIS GUIDE

This guide provides an overview of the network set-up requirements for Thomson Reuters Eikon, delivered globally using Thomson Reuters Platform, covering TCP/IP standard ports, network routing and DNS. The chapters are organised by customer delivery mode; follow the chapter that matches the deployment on site. Thomson Reuters Eikon requires some services that are available on the Internet only. It is recommended that clients have an Internet connection in order to get all the services listed in Chapter 5.

GLOSSARY

Abbreviations and acronyms are listed here:

Abbreviation/Term   Definition
BT                  British Telecom
CAS                 Central Authentication Service
CFI                 Contributor Frontend IP – also known as the Open Contributor Front End
CRL                 Certificate Revocation List
DNS                 Domain Name Server
DTS                 Direct Technical Specialist, providing pre-sales support and service management for all Direct customers.
ePO                 McAfee Anti-Virus ePolicy Orchestrator
FTA                 File Transfer Application
GMI                 Global Management Infrastructure
HMDS                Hosted Market Data System
HTTP                Hypertext Transfer Protocol
HTTPS               Hypertext Transfer Protocol Secure
NGTX                Next Generation Transactions
IP                  Internet Protocol
ISP                 Internet Service Provider
OCSP                Online Certificate Status Protocol
PAZW                Performance Analysis Web Zone
PKI                 Public Key Infrastructure
RSS                 Reuters Site Server
RTMP                Real Time Messaging Protocol
RWS                 Reuters Workstation Server
SIG                 Secure Internet Gateway
SMF                 Server Management Foundation
SNMP                Simple Network Management Protocol
SSH                 Secure Shell
TAM                 Technical Account Manager
TCP                 Transmission Control Protocol
TPM                 Tivoli Provisioning Manager
UDP                 User Datagram Protocol
WinHTTP             Microsoft Windows HTTP Services
WPAD                Web Proxy Auto-Discovery

1. THOMSON REUTERS HOSTED DEPLOYMENT

1.1 THOMSON REUTERS HOSTED INTERNET

TCP/IP Standard Port for Thomson Reuters Hosted Internet

Product Profile: Thomson Reuters Hosted

Protocol: TCP
Port Numbers (Workstation / Thomson Reuters): 1024+ -> 80, 1024+ <- 80, 1024+ -> 443, 1024+ <- 443
Thomson Reuters Servers: Thomson Reuters Platform
Use: Administration Service, Views Service, Streaming Service, Search & Navigation Service, Time Series Service, Messaging Service, Trading Service, Update Service, Reuters Insider

Protocol: TCP/UDP
Port Numbers (Workstation / Thomson Reuters): 1024+ -> 53, 1024+ <- 53
Thomson Reuters Servers: DNS server
Use: DNS server (no Internet Proxy)

DNS Server for Thomson Reuters Eikon Hosted Internet

All Thomson Reuters Hosted deployment servers are able to resolve IP addresses through the local Internet Service Provider (ISP) DNS. The following domains must be selected for forwarding:

DNS                          DNS Server     Thomson Reuters Service
thomsonreuters.com           Internet ISP   Thomson Reuters Eikon
cp.thomsonreuters.net        Internet ISP   Thomson Reuters Eikon
reuters.com                  Internet ISP   Customer Zone and URL links in some news content, Trading Services, SDN, etc.
trading.thomsonreuters.net   Internet ISP   Trading Service, System Test

Additional Internet domains/services are listed in Chapter 5. Please be aware that Thomson Reuters will not divulge IP address information under any circumstances. Doing so would prevent us from changing IP addresses as and when needed without a notification period, and these IP addresses may not always be under our direct control. Clients should always use DNS.

Proxy Server

If clients implement an Internet proxy server on site, the proxy must be able to resolve the domains listed in this section correctly. The Internet Explorer object forwards all requests to the proxy server without resolving the domain name itself.

Proxy and Firewall Policy

See information in Chapter 5.

Authentication Proxy

Thomson Reuters Eikon has been qualified with the following authenticated proxies:

PROXY    AUTHENTICATION METHOD
Apache   Basic
Apache   DIGEST
Squid    Basic
Squid    DIGEST
MS ISA   NTLM

It is advisable to allow Reuters Insider URL to bypass NTLM authentication in Proxy, as we have experienced authentication timeouts with Flash-based applications with a number of clients when NTLM authentication is enabled.

Web Proxy Auto-Discovery Protocol (WPAD)

Thomson Reuters Eikon does not support the Web Proxy Auto-Discovery Protocol (WPAD). The Update Agent cannot connect to the dedicated proxy server indicated in the WPAD file; as a consequence, users are not able to install Thomson Reuters Eikon or upgrade to the latest Service Releases or Hotfixes. The issue is under investigation by our development teams.

EXE Download Policy

The Thomson Reuters Eikon installation package is an EXE wrapper file (an MSI/MSP file wrapped inside an EXE file). These files are virus checked and signed by Thomson Reuters before they are published on the Thomson Reuters Update Service. Your site (workstation) firewall must be set up to allow the download of these packages. Thomson Reuters uses this file format to guarantee the best compression rates for the downloaded packages. The firewall has to ALLOW EXE file downloads over the HTTP protocol from the following servers:

DOMAIN                            DOWNLOAD
customers.thomsonreuters.com      For installation bootstrap, System Test standalone over Internet
*.download.cp.thomsonreuters.net  For Thomson Reuters Eikon packages on Update Service

Internet Service for Thomson Reuters Eikon

See information in Chapter 5.

Certificate Revocation List Validation

See the information in Chapter 6.

1.2 THOMSON REUTERS HOSTED PRIVATE NETWORK

BT Service Package

The following Service Packages are mandatory:
- Thomson Reuters Platform with Real Time 2.0
- Messaging Service Package
- NGTX service Package
- Contribution Service package (Optional for Contribution)

TCP/IP Standard Port for Thomson Reuters Hosted Private

Product Profile: Thomson Reuters Hosted Private (Deliver over Private Network)

Protocol: TCP
Port Numbers (Workstation / Thomson Reuters): 1024+ -> 80, 1024+ <- 80, 1024+ -> 443, 1024+ <- 443
Thomson Reuters Servers: Thomson Reuters Platform
Use: Administration Service, Views Service, Streaming Service, Search & Navigation Service, Time Series Service, Messaging Service, Trading Service, Update Service

Protocol: TCP
Port Numbers (Workstation / Thomson Reuters): 1024+ -> 10240, 1024+ <- 10240
Thomson Reuters Servers: CFI server
Use: Contribution Service on CFI server through InsertLink

Protocol: TCP/UDP
Port Numbers (Workstation / Thomson Reuters): 1024+ -> 53, 1024+ <- 53
Thomson Reuters Servers: DNS server
Use: DNS

Reuters Insider is not available on this delivery mode.

DNS

See DNS suffixes in Chapter 3.

The DNS server configurations are as follows:

CLIENT CONFIGURATION: Client workstation resolver only (No Client Site DNS)
DNS: BT DNS
COMMENT: Clients use local resolver fall-through. This relies on SERVFAIL answer from BT DNS for invalid domains.

CLIENT CONFIGURATION: Client site DNS using selective forwarding or conditional forwarding
DNS: EDNS

CLIENT CONFIGURATION: Client site DNS using zone delegation
DNS: EDNS
COMMENT: BT DNS response time will be slower unless record is already in cache

The EDNS and BT DNS servers are shown in the tables below:

EDNS        DNS IP Address   BT Extranet DNS FQDN
London      155.195.64.4     edns02.uk.extranet.reuters.biz
New York    155.195.84.4     edns02.us.extranet.reuters.biz
Singapore   155.195.76.4     edns02.sg.extranet.reuters.biz

BT DNS      IP Address       BT DNS FQDN
London      155.195.48.4     londnsaa001.a.radianz.net
New York    155.195.48.36    hpggnsba001a.radianz.net
Singapore   155.195.48.68    sinsnsba001a.radianz.net

BT Private Network Routing

The client can set up either of the following:
- Set up BT Router as a default gateway, or
- Set up the following routing to BT router

IP Subnet                                  Description / Used for EIKON
65.63.72.0/22 and 75.124.118.0/24          Thomson Reuters Eikon
65.62.0.0/15 and 75.124.118.0/24           Uses this range if installing both Thomson Reuters Eikon and
  or                                       Thomson Reuters Eikon for Wealth Manager on site.
  - 65.62.64.0/22
  - 65.62.68.0/22
  - 65.63.72.0/22
  - 75.124.118.0/24
67.56.184.0/21                             Messaging Service over Private Network – this is a mandatory
                                           component but the default is source from Internet
155.195.48.0/22                            BT DNS
155.195.64.0/18                            Customer Zone, Contribution (Insert Link)
204.109.128.0/17 or 204.109.109.224.0/21   Trading Service over Private Network

Internet Service for Thomson Reuters Eikon

See information in Chapter 5.

Certificate Revocation List Validation

See the information in Chapter 6.

2. THOMSON REUTERS MANAGED DEPLOYMENT

TCP/IP Standard Port for Thomson Reuters Managed

Product Profile: Thomson Reuters Managed Profile (Deliver over Private Network)

Protocol: TCP
Port Numbers (Workstation / Thomson Reuters): 1024+ -> 14002, 1024+ <- 14002, 1024+ -> 80, 1024+ <- 80
Thomson Reuters Servers: Streaming Proxy
Use: Streaming Service, Update Service

Protocol: TCP
Port Numbers (Workstation / Thomson Reuters): 1024+ -> 80, 1024+ <- 80, 1024+ -> 443, 1024+ <- 443
Thomson Reuters Servers: Thomson Reuters Platform
Use: Administration Service, Views Service, Search & Navigation Service, Time Series Service, Messaging Service, Trading Service

Protocol: TCP
Port Numbers (Workstation / Thomson Reuters): 1024+ -> 80, 1024+ <- 80, 1024+ -> 8082*, 1024+ <- 8082*
Thomson Reuters Servers: Time Series Proxy
Use: Time Series Service

Protocol: TCP
Port Numbers (Workstation / Thomson Reuters): 1024+ -> 10240, 1024+ <- 10240
Thomson Reuters Servers: CFI server
Use: Contribution Service on CFI server through InsertLink, Eikon Excel

Protocol: TCP/UDP
Port Numbers (Workstation / Thomson Reuters): 1024+ -> 53, 1024+ <- 53
Thomson Reuters Servers: DNS server
Use: DNS

* Port 8082 is for maintenance services.

Thomson Reuters Eikon Multimedia Service (Reuters Insider) is delivered over the Internet. Each desktop will need to have access to make HTTP and HTTPS connections. Furthermore, video is streamed using the Adobe Flash RTMP protocol tunnelled through HTTP, so no further ports are required other than the normal HTTP: 80 and HTTPS: 443.

DNS

The following domains must be selectively forwarded or delegated to the authoritative DNS server.

DNS                                  Authoritative DNS Server    Thomson Reuters Service
thomsonreuters.com                   Internet                    Thomson Reuters Eikon, Collaboration, Customer Zone over Internet
extranet.thomsonreuters.biz          Extranet DNS                Thomson Reuters Eikon, Customer Zone, Collaboration
cp.thomsonreuters.net                Extranet DNS                Thomson Reuters Eikon and Thomson Reuters Eikon for Wealth Management
public.login.cp.thomsonreuters.net   Internet                    Thomson Reuters Eikon
customers.reuters.com                Extranet DNS / Internet     Customer Zone
trading.thomsonreuters.net           Extranet DNS / Internet**   Trading Service
fitrading.reuters.com                Extranet DNS / Internet**   Trading Service
fxtrading.reuters.com                Extranet DNS / Internet**   Trading Service
rtextrading.reuters.com              Extranet DNS / Internet**   Trading Service

** These domains require the NGTX Service package. If you have the NGTX Service package, the DNS MUST forward to the Extranet DNS rather than the Internet DNS.

Additional Internet domains/services are listed in Chapter 5. It is recommended that the client has an Internet connection for Thomson Reuters Eikon in order to get full services. Please be aware that Thomson Reuters will not divulge IP address information under any circumstances. Doing so would prevent us from changing IP addresses as and when needed without a notification period, and these IP addresses may not always be under our direct control. Clients should always use DNS.

DNS resource name lookup

You need to add a host record entry for Thomson Reuters Platform services into your local DNS servers with your local server IP address. The entry should be put in the same DNS suffixes that are set up in the Advanced TCP/IP settings on the workstation.

Servers             DNS entry
Streaming Proxy     tr-streaming-proxy
TimeSeries Proxy    tr-timeseries-proxy

For example, if the first entry in the DNS Suffix Search List of the client workstation is “xxx.company.com”, you have to add the “tr-timeseries-proxy” host record entry to the xxx.company.com domain. The workstation is then able to resolve the IP address of the local Streaming Proxy by looking up “tr-streaming-proxy” upon Thomson Reuters Eikon application start-up. However, this DNS entry name can be changed in the Thomson Reuters User Profile in the Administration Service to reflect the new DNS hostname. Please contact your TAM or DTS and make a request.

FIREWALL Policy

See information in Chapter 6.

Internet Service for Thomson Reuters Eikon

See information in Chapter 5.

Certificate Revocation List Validation

See the information in Chapter 6.

EXE Download Policy

The Thomson Reuters Eikon installation package is an EXE wrapper file (an MSI/MSP file wrapped inside an EXE file). These files are virus checked and signed by Thomson Reuters before they are published on the Thomson Reuters Update Service. Your site (workstation) firewall must be set up to allow the download of these packages. Thomson Reuters uses this file format to guarantee the best compression rates for the downloaded packages. The firewall has to ALLOW EXE file downloads over the HTTP protocol from the following servers:

DOMAIN                                  DOWNLOAD
customers.thomsonreuters.com            For installation bootstrap, System Test standalone over Internet
customers.extranet.thomsonreuters.biz   For installation bootstrap, System Test standalone over Private Network
*.download.cp.thomsonreuters.net        For Thomson Reuters Eikon packages on Update Service
tr-streaming-proxy                      For Thomson Reuters Eikon packages on Streaming Proxy

2.1 BT INFRASTRUCTURE

- Thomson Reuters Platform Service Package version 2.0 is mandatory for all sites
- Messaging Service Package is needed unless you set up Collaboration Service over Internet
- Contribution Service Package is needed for InsertLink
- NGTX Service Package is needed unless you set up Trading Service over Internet

The recommended Extranet DNS server configurations are as follows:

CLIENT CONFIGURATION: Client workstation resolver only (No Client Site DNS)
DNS: BT DNS
COMMENT: Clients use local resolver fall-through. This relies on SERVFAIL answer from BT DNS for invalid domains.

CLIENT CONFIGURATION: Client site DNS using selective forwarding or conditional forwarding
DNS: EDNS
COMMENT: BT DNS response time will be slower unless record is already in cache

CLIENT CONFIGURATION: Client site DNS using zone delegation
DNS: EDNS

The EDNS and BT DNS servers are shown in the tables below:

EDNS        DNS IP Address   BT Extranet DNS FQDN
London      155.195.64.4     edns02.uk.extranet.reuters.biz
New York    155.195.84.4     edns02.us.extranet.reuters.biz
Singapore   155.195.76.4     edns02.sg.extranet.reuters.biz

BT DNS      IP Address       BT DNS FQDN
London      155.195.48.4     londnsaa001.a.radianz.net
New York    155.195.48.36    hpggnsba001a.radianz.net
Singapore   155.195.48.68    sinsnsba001a.radianz.net

The recommended DNS search ordering is based on the client location as follows:

REGION    FIRST DNS SERVER   SECOND DNS SERVER   THIRD DNS SERVER
EMEA      London             New York            Singapore
AMERICA   New York           London              Singapore
ASIA      Singapore          New York            London

BT Private Network Routing

IP Subnet                                  Description / Used for EIKON
65.63.72.0/22 and 75.124.118.0/24          Thomson Reuters Eikon
65.62.0.0/15 and 75.124.118.0/24           Uses this range if installing both Thomson Reuters Eikon and
  or                                       Thomson Reuters Eikon for Wealth Manager on site.
  - 65.62.64.0/22
  - 65.62.68.0/22
  - 65.63.72.0/22
  - 75.124.118.0/24
67.56.184.0/21                             *Messaging Service over Private Network – this is a mandatory
                                           component but the default is source from Internet
155.195.48.0/22                            BT DNS – Optional
155.195.64.0/18                            DNS Service on EDNS, Customer Zone, **Contribution (Insert Link)
204.109.128.0/17 or 204.109.109.224.0/21   ***Trading Service over Private Network

Note:
*   Messaging Service Package is needed
**  Contribution Service package is needed
*** NGTX service Package is needed
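Before the BT routing table (printed in sections 1.2 and 2.1) is turned into static routes or firewall objects, it is worth parsing it strictly. The following is an added example, not part of the original guide: it loads the prefixes exactly as printed, reports any entry that is not a valid IPv4 prefix instead of guessing the intended value, shows which narrower prefixes are already covered by a wider one, and confirms that the BT DNS and EDNS addresses from this guide fall inside the routed ranges. The function names are the example's own.

```python
import ipaddress

# Prefixes exactly as printed in the "BT Private Network Routing" table.
PRINTED = [
    "65.63.72.0/22", "75.124.118.0/24", "65.62.0.0/15", "65.62.64.0/22",
    "65.62.68.0/22", "67.56.184.0/21", "155.195.48.0/22", "155.195.64.0/18",
    "204.109.128.0/17", "204.109.109.224.0/21",
]

# EDNS and BT DNS server addresses from the DNS tables in this guide.
DNS_SERVERS = [
    "155.195.64.4", "155.195.84.4", "155.195.76.4",
    "155.195.48.4", "155.195.48.36", "155.195.48.68",
]


def parse_prefixes(entries):
    """Split entries into valid networks and rejected strings.

    strict=True also rejects prefixes that have host bits set, a common
    transcription error when copying routes out of a document.
    """
    nets, bad = [], []
    for text in entries:
        try:
            nets.append(ipaddress.ip_network(text.strip(), strict=True))
        except ValueError as exc:
            bad.append((text, str(exc)))
    return nets, bad


def covered_by(nets):
    """Map each prefix to the wider printed prefixes that already contain it."""
    result = {}
    for net in nets:
        supers = [str(s) for s in nets if s != net and net.subnet_of(s)]
        if supers:
            result[str(net)] = supers
    return result


def unrouted(addresses, nets):
    """Return the addresses that no printed prefix covers."""
    return sorted(
        a for a in addresses
        if not any(ipaddress.ip_address(a) in n for n in nets)
    )


def minimal_routes(nets):
    """Smallest equivalent route set, for the 'install both products' case."""
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    nets, bad = parse_prefixes(PRINTED)
    for text, reason in bad:
        print(f"REJECTED {text}: {reason}")
    for narrow, wide in covered_by(nets).items():
        print(f"{narrow} is already inside {', '.join(wide)}")
    print("DNS servers without a route:", unrouted(DNS_SERVERS, nets))
    print("Minimal route set:", minimal_routes(nets))
```

The rejected entry needs to be confirmed with the TAM or DTS before a route for the Trading Service alternative range is configured.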

2.2 SAVVIS INFRASTRUCTURE

Note: The following services are not available on SAVVIS Private Network. Customers have to set up on Internet only:
- Messaging Service Package
- NGTX Service Package
- Customers Zone for customers.reuters.com

DNS Server

EDNS        Savvis Extranet DNS IP Address   Savvis Extranet DNS FQDN
Nutley      192.155.142.4                    edns03.us.extranet.reuters.biz
Hazelwood   192.155.141.196                  edns04.us.extranet.reuters.biz

DNS

The following domains must be selectively forwarded or delegated to the authoritative DNS server.

DNS                           Authoritative DNS Server   Thomson Reuters Service
thomsonreuters.com            Internet                   Thomson Reuters Eikon, Collaboration, Customer Zone over Internet
extranet.thomsonreuters.biz   Extranet DNS               Thomson Reuters Eikon, Customer Zone, Collaboration
cp.thomsonreuters.net         Extranet DNS               Thomson Reuters Eikon
customers.reuters.com         Internet                   Customer Zone
trading.thomsonreuters.net    Internet                   Trading Service
fitrading.reuters.com         Internet                   Trading Service
fxtrading.reuters.com         Internet                   Trading Service
rtextrading.reuters.com       Internet                   Trading Service

Additional Internet domains/services are listed in Chapter 5. It is recommended that the client has an Internet connection for Thomson Reuters Eikon in order to get full services.

Savvis Private Network Routing

IP Subnet                                   Description / Used for EIKON
192.155.137.0/25, 192.155.138.0/25          Thomson Reuters Eikon
159.220.80.0/27                             Customer Zone on Extranet (customers.extranet.thomsonreuters.biz)
192.155.142.0/28, 192.155.141.192/28        DNS service

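3. CUSTOMER MANAGED DEPLOYMENT

TCP/IP Standard Port for Customer Managed

Product Profile: Customer Managed Profile (Deliver over Private Network)

Protocol: TCP
Port Numbers (Workstation / Thomson Reuters): 1024+ -> 14002, 1024+ <- 14002
Thomson Reuters Servers: RMDS 6, ADS
Use: Realtime Data Service (RSSL)

Protocol: TCP
Port Numbers (Workstation / Thomson Reuters): 1024+ -> 8101, 1024+ <- 8101
Thomson Reuters Servers: RMDS 5, RMDS 6, ADS
Use: Realtime Data Service (SSL)

Protocol: TCP
Port Numbers (Workstation / Thomson Reuters): 1024+ -> 8261, 1024+ <- 8261
Thomson Reuters Servers: RMDS 5, RMDS 6, ADS
Use: Permission Proxy

Protocol: TCP
Port Numbers (Workstation / Thomson Reuters): 1024+ -> 80, 1024+ <- 80, 1024+ -> 443, 1024+ <- 443
Thomson Reuters Servers: Thomson Reuters Platform
Use: Administration Service, Views Service, Search & Navigation Service, TimeSeries Service, Messaging Service, Trading Service, Update Service

Protocol: TCP
Port Numbers (Workstation / Thomson Reuters): 1024+ -> 80, 1024+ <- 80, 1024+ -> 8082*, 1024+ <- 8082*
Thomson Reuters Servers: Time Series Proxy
Use: TimeSeries Service

Protocol: TCP
Port Numbers (Workstation / Thomson Reuters): 1024+ -> 2400, 1024+ <- 2400
Thomson Reuters Servers: DBU (Optional)
Use: TimeSeries Data for 3rd party feed

Protocol: TCP
Port Numbers (Workstation / Thomson Reuters): 1024+ -> 8302, 1024+ <- 8302
Thomson Reuters Servers: DACS server
Use: Permission Service DACS Daemon

Protocol: TCP
Port Numbers (Workstation / Thomson Reuters): 1024+ -> 80, 1024+ <- 80, 1024+ -> 443, 1024+ <- 443
Thomson Reuters Servers: Update Proxy
Use: Update Service

Protocol: TCP
Port Numbers (Workstation / Thomson Reuters): 1024+ -> 10240, 1024+ <- 10240
Thomson Reuters Servers: CFI server
Use: Contribution Service on CFI server through InsertLink, Eikon Excel

Protocol: TCP/UDP
Port Numbers (Workstation / Thomson Reuters): 1024+ -> 53, 1024+ <- 53
Thomson Reuters Servers: DNS server
Use: DNS

Product Profile: Update Proxy

Protocol: TCP
Port Numbers (Workstation / Thomson Reuters): 1024+ -> 80, 1024+ <- 80, 1024+ -> 443, 1024+ <- 443
Thomson Reuters Servers: Thomson Reuters Platform
Use: Update Service

* Port 8082 is for maintenance services.

Thomson Reuters Eikon Multimedia Service (Reuters Insider) is delivered over the Internet. Each desktop will need to have access to make HTTP and HTTPS connections. Furthermore, video is streamed using the Adobe Flash RTMP protocol tunnelled through HTTP, so no further ports are required other than the normal HTTP: 80 and HTTPS: 443.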

DNS

The following domains must be selectively forwarded or delegated to the authoritative DNS server.

DNS                                  Authoritative DNS Server    Thomson Reuters Service
thomsonreuters.com                   Internet                    Thomson Reuters Eikon, Collaboration, Reuters Insider over Internet
extranet.thomsonreuters.biz          Extranet DNS                Thomson Reuters Eikon, Thomson Reuters Eikon for Wealth Management Customer Zone, Collaboration
cp.thomsonreuters.net                Extranet DNS                Thomson Reuters Eikon and Thomson Reuters Eikon for Wealth Management
public.login.cp.thomsonreuters.net   Internet                    Thomson Reuters Eikon
customers.reuters.com                Extranet DNS / Internet     Customer Zone
trading.thomsonreuters.net           Extranet DNS / Internet**   Trading Service
fitrading.reuters.com                Extranet DNS / Internet**   Trading Service
fxtrading.reuters.com                Extranet DNS / Internet**   Trading Service
rtextrading.reuters.com              Extranet DNS / Internet**   Trading Service

** These domains require the NGTX Service package. If you have the NGTX Service package, the DNS MUST forward to the Extranet DNS rather than the Internet DNS.

Additional Internet domains/services are listed in Chapter 5. It is recommended that the client has an Internet connection for Thomson Reuters Eikon in order to get full services. Please be aware that Thomson Reuters will not divulge IP address information under any circumstances. Doing so would prevent us from changing IP addresses as and when needed without a notification period, and these IP addresses may not always be under our direct control. Clients should always use DNS.
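The DNS tables in Chapters 2 and 3 mix Internet and Extranet resolution inside one name hierarchy: cp.thomsonreuters.net goes to the Extranet DNS while public.login.cp.thomsonreuters.net below it goes to the Internet. The following added example (not part of the original guide) audits a site's conditional-forwarder plan against that table using longest-suffix zone matching; the plan layout, the two constructed sample plans and all function names are assumptions of the example, and an empty forwarder list is taken to mean "resolve through normal Internet recursion".

```python
"""Audit a conditional-forwarder plan against the DNS table (BT infrastructure)."""

# BT Extranet DNS (EDNS) addresses as printed in this guide.
EDNS = {"155.195.64.4", "155.195.84.4", "155.195.76.4"}

# Domain -> resolver classes the table allows for it.
POLICY = {
    "thomsonreuters.com": {"internet"},
    "extranet.thomsonreuters.biz": {"extranet"},
    "cp.thomsonreuters.net": {"extranet"},
    "public.login.cp.thomsonreuters.net": {"internet"},
    "customers.reuters.com": {"extranet", "internet"},
    "trading.thomsonreuters.net": {"extranet", "internet"},
    "fitrading.reuters.com": {"extranet", "internet"},
    "fxtrading.reuters.com": {"extranet", "internet"},
    "rtextrading.reuters.com": {"extranet", "internet"},
}

# Rows marked ** in the table: Extranet DNS is mandatory with the NGTX package.
NGTX_DOMAINS = {
    "trading.thomsonreuters.net", "fitrading.reuters.com",
    "fxtrading.reuters.com", "rtextrading.reuters.com",
}


def labels(name):
    return name.lower().rstrip(".").split(".")


def best_zone(name, plan):
    """Pick the forwarder zone with the longest label-wise suffix match."""
    query, best = labels(name), None
    for zone in plan:
        zl = labels(zone)
        if query[-len(zl):] == zl and (best is None or len(zl) > len(labels(best))):
            best = zone
    return best


def resolver_class(name, plan):
    """Classify where queries for name end up: internet, extranet or mixed."""
    zone = best_zone(name, plan)
    targets = set(plan[zone]) if zone is not None else set()
    if not targets:
        return "internet"          # no forwarder applies: normal recursion
    if targets <= EDNS:
        return "extranet"
    return "mixed" if targets & EDNS else "internet"


def audit(plan, has_ngtx):
    """Return (domain, actual class, allowed classes) for every violation."""
    findings = []
    for domain, allowed in POLICY.items():
        if has_ngtx and domain in NGTX_DOMAINS:
            allowed = {"extranet"}
        actual = resolver_class(domain, plan)
        if actual not in allowed:
            findings.append((domain, actual, sorted(allowed)))
    return findings


# Constructed sample: forwarding the parent zone silently captures
# public.login.cp.thomsonreuters.net as well.
BROKEN_PLAN = {
    "cp.thomsonreuters.net": ["155.195.64.4", "155.195.84.4"],
    "extranet.thomsonreuters.biz": ["155.195.64.4", "155.195.84.4"],
}

# Constructed sample: a more specific zone with no forwarders carves it out.
FIXED_PLAN = dict(BROKEN_PLAN, **{"public.login.cp.thomsonreuters.net": []})

if __name__ == "__main__":
    for name, plan in (("broken", BROKEN_PLAN), ("fixed", FIXED_PLAN)):
        for ngtx in (False, True):
            print(name, "NGTX" if ngtx else "no NGTX", audit(plan, ngtx))
```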

DNS resource name lookup

You need to add a host record entry for Thomson Reuters Platform services into your local DNS servers with your local server IP address. The entry should be put in the same DNS suffixes that are set up in the Advanced TCP/IP settings on the workstation.

Deployed Services     DNS entry
TimeSeries Proxy      tr-timeseries-proxy
Update Proxy          tr-update-proxy
Configuration Proxy   tr-config-proxy

For example, if the default lookup domain of the client workstation is “xxx.company.com”, where “xxx” is the host being resolved, then you need the “tr-timeseries-proxy” host record entry added to the company.com domain. However, this DNS entry name can be changed in the Thomson Reuters User Profile in the Administration Service to reflect the new DNS hostname. Please contact your TAM or DTS and make a request.

FIREWALL Policy See information on Chapter 5

Internet Service for Thomson Reuters Eikon See information on Chapter 5

Certificate Revocation List Validation See the information on Chapter 6

EXE Download Policy

The Thomson Reuters Eikon installation package is an EXE wrapper file (an MSI/MSP file wrapped inside an EXE file). These files are virus checked and signed by Thomson Reuters before they are published on the Thomson Reuters Update Service. Your site (workstation) firewall must be set up to allow the download of these packages. Thomson Reuters uses this file format to guarantee the best compression rates for the downloaded packages.

The firewall has to ALLOW the following servers to download EXE files through the http protocol:

DOMAIN | DOWNLOAD
customers.thomsonreuters.com | For installation bootstrap, System Test standalone over Internet
customers.extranet.thomsonreuters.biz | For installation bootstrap, System Test standalone over Private Network
*.download.cp.thomsonreuters.net | For Thomson Reuters Eikon packages on Update Service



For Thomson Reuters Eikon package on Customer Managed

3.1 BT INFRASTRUCTURE

- Thomson Reuters Platform Service Package version 2.0 is mandatory for all sites
- Messaging Service Package is needed unless you set up Collaboration Service over Internet
- Contribution Service Package is needed for Contribution products, e.g. InsertLink
- NGTX Service Package is needed unless you set up Trading Service over Internet

The recommended Extranet DNS server configurations are as follows:

CLIENT CONFIGURATION | DNS | COMMENT
Client workstation resolver only (No Client Site DNS) | BT DNS | Clients use local resolver fall-through. This relies on SERVFAIL answer from BT DNS for invalid domains.
Client site DNS using selective forwarding or conditional forwarding | EDNS | BT DNS response time will be slower unless record is already in cache
Client site DNS using zone delegation | EDNS |

The EDNS and BT DNS are shown in the tables below:

EDNS | DNS IP Address | BT Extranet DNS FQDN
London | 155.195.64.4 | edns02.uk.extranet.reuters.biz
New York | 155.195.84.4 | edns02.us.extranet.reuters.biz
Singapore | 155.195.76.4 | edns02.sg.extranet.reuters.biz

BT DNS | IP Address | BT DNS FQDN
London | 155.195.48.4 | londnsaa001.a.radianz.net
New York | 155.195.48.36 | hpggnsba001a.radianz.net
Singapore | 155.195.48.68 | sinsnsba001a.radianz.net

The recommended DNS search ordering is based on the client location as follows:

REGION | FIRST DNS SERVER | SECOND DNS SERVER | THIRD DNS SERVER
EMEA | London | New York | Singapore
AMERICA | New York | London | Singapore
ASIA | Singapore | New York | London

BT Private Network Routing

IP Subnet | Description / Used for EIKON
65.63.72.0/22 and 75.124.118.0/24 | Thomson Reuters Eikon
65.62.0.0/15 and 75.124.118.0/24, or: 65.62.64.0/22, 65.62.68.0/22, 65.63.72.0/22, 75.124.118.0/24 | Use this range if installing both Thomson Reuters Eikon and Thomson Reuters Eikon for Wealth Manager on site.
67.56.184.0/21 | *Messaging Service over Private Network – this is a mandatory component but the default is sourced from Internet
155.195.48.0/22, 155.195.64.0/18 | BT DNS – Optional DNS Service – on EDNS, Customer Zone, **Contribution (Insert Link)
204.109.128.0/17 or 204.109.109.224.0/21 | ***Trading Service over Private Network

Note:
* Messaging Service Package is needed
** Contribution Service package is needed
*** NGTX Service Package is needed
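The routing entries and DNS server addresses above can be cross-checked before static routes and firewall rules are built from them. The following Python sketch is an added example, not part of the Thomson Reuters guide: it parses the subnets copied from the routing table exactly as printed, reports entries that are not valid CIDR networks, lists subnets already covered by a supernet, and confirms that every EDNS and BT DNS address falls inside a routed range. Function names are hypothetical.

```python
import ipaddress

# Subnets copied from the BT Private Network Routing table, exactly as printed.
ROUTED_SUBNETS = [
    "65.62.0.0/15", "65.62.64.0/22", "65.62.68.0/22", "65.63.72.0/22",
    "75.124.118.0/24", "67.56.184.0/21", "155.195.48.0/22",
    "155.195.64.0/18", "204.109.128.0/17", "204.109.109.224.0/21",
]

# DNS servers copied from the EDNS and BT DNS tables.
DNS_SERVERS = {
    "edns02.uk.extranet.reuters.biz": "155.195.64.4",
    "edns02.us.extranet.reuters.biz": "155.195.84.4",
    "edns02.sg.extranet.reuters.biz": "155.195.76.4",
    "londnsaa001.a.radianz.net": "155.195.48.4",
    "hpggnsba001a.radianz.net": "155.195.48.36",
    "sinsnsba001a.radianz.net": "155.195.48.68",
}


def parse_subnets(entries):
    """Split entries into valid networks and (entry, reason) rejections.

    strict=True also rejects entries with host bits set, which usually
    indicates a typo in the prefix length or the address.
    """
    valid, rejected = [], []
    for entry in entries:
        try:
            valid.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            rejected.append((entry, str(exc)))
    return valid, rejected


def redundant_subnets(networks):
    """Map each subnet to the widest listed supernet that already covers it."""
    covered = {}
    for net in networks:
        parents = [p for p in networks if p != net and net.subnet_of(p)]
        if parents:
            covered[str(net)] = str(min(parents, key=lambda p: p.prefixlen))
    return covered


def minimal_routes(networks):
    """Smallest equivalent route list (covered and adjacent subnets merged)."""
    return [str(n) for n in ipaddress.collapse_addresses(networks)]


def unrouted_servers(servers, networks):
    """Names of servers whose address is outside every routed subnet."""
    return sorted(
        name for name, ip in servers.items()
        if not any(ipaddress.ip_address(ip) in net for net in networks)
    )


if __name__ == "__main__":
    nets, bad = parse_subnets(ROUTED_SUBNETS)
    for entry, reason in bad:
        print(f"REJECTED  {entry}: {reason}")
    for sub, parent in redundant_subnets(nets).items():
        print(f"COVERED   {sub} is inside {parent}")
    print("ROUTES   ", ", ".join(minimal_routes(nets)))
    print("UNROUTED ", unrouted_servers(DNS_SERVERS, nets) or "none")
```

An entry that is rejected should be confirmed with the provider rather than guessed at, since a mistyped prefix in a route or firewall rule either blocks the service or opens a wider range than intended.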

3.2 SAVVIS INFRASTRUCTURE

Note: The following services are not available on SAVVIS Private Network. Customers have to set up on Internet only:
- Messaging Service Package (collaboration)
- NGTX Service Package
- Customers Zone for customers.reuters.com

DNS Server

EDNS | Savvis Extranet DNS IP Address | Savvis Extranet DNS FQDN
Nutley | 192.155.142.4 | edns03.us.extranet.reuters.biz
Hazelwood | 192.155.141.196 | edns04.us.extranet.reuters.biz

DNS

The following domains must be selectively forwarded or delegated to the authoritative DNS server.

DNS | Authoritative DNS Server | Thomson Reuters Service
thomsonreuters.com | Internet | Thomson Reuters Eikon, Collaboration, Customer Zone over Internet
extranet.thomsonreuters.biz | Extranet DNS | Thomson Reuters Eikon, Customer Zone, Collaboration
cp.thomsonreuters.net | Extranet DNS | Thomson Reuters Eikon
customers.reuters.com | Internet | Customer Zone
trading.thomsonreuters.net | Internet | Trading Service
fitrading.reuters.com | Internet | Trading Service
fxtrading.reuters.com | Internet | Trading Service
rtextrading.reuters.com | Internet | Trading Service

Additional Internet domains/services are listed in Chapter 5. It is recommended that clients have an Internet connection for Thomson Reuters Eikon in order to get full services.

Savvis Private Network Routing

IP Subnet | Description / Used for EIKON
192.155.137.0/25, 192.155.138.0/25 | Thomson Reuters Eikon
159.220.80.0/27 | Customer Zone on Extranet (customers.extranet.thomsonreuters.biz)
192.155.142.0/28, 192.155.141.192/28 | DNS service

3.3 DACS DAEMON SERVICE FOR RTIC CONNECTION

Ensure that the personal firewall does not block those services on the client machine, and that the following services are valid in the file C:\Windows\System32\etc\services:

    dacs_lib     8211/tcp    #dacs_snkd.exe
    dacs_perm    8250/tcp    #dacs_snkd.exe

4. THOMSON REUTERS EIKON FOR WEALTH MANAGEMENT

4.1 THOMSON REUTERS EIKON FOR WEALTH MANAGEMENT INTERNET

TCP/IP Standard Port for Thomson Reuters Eikon Wealth Management Internet

Product Profile: Thomson Reuters Eikon for Wealth Management Internet
Protocol: TCP
Port Numbers (Workstation → Thomson Reuters): 1024+ → 80, 1024+ → 80, 1024+ → 443, 1024+ → 443
Thomson Reuters Servers: Thomson Reuters Platform
Use: Administration Service, Views Service, News Service, Streaming Service, Search & Navigation Service, Time Series Service, Update Service

Reuters Insider

Thomson Reuters Eikon Multimedia Service (Reuters Insider) is delivered over the Internet. Each desktop will need to have access to make HTTP and HTTPS connections. Furthermore, video is streamed using the Adobe Flash RTMP protocol tunnelled through HTTP, so no further ports are required other than the normal HTTP: 80 and HTTPS: 443.

DNS Server

All Thomson Reuters Hosted deployment servers are able to resolve IP addresses through the local Internet Service Provider (ISP) DNS. The following domains must be selectively forwarded:

DNS | Authorized DNS Server | Thomson Reuters Service
thomsonreuters.com | Internet | Thomson Reuters Eikon for Wealth Management, Reuters Insider, Customer Zone
cp.thomsonreuters.net | Internet | Thomson Reuters Eikon for Wealth Management
reuters.com | Internet | Customer Zone and some URL link in some news content, e.g. pdf.reuters.com, link.reuters.com, www.reuters.com
force.com | Internet | Migration tools (Knowledge Network)
reutersinsider.com | Internet | Reuters Insider
salesforce.com | Internet | Migration tools (Knowledge Network)
sdn.reuters.com | Internet | Securitised Derivative Network
Thomson.112.2o7.net | Internet | Insider
training.thomsonreuters.com | Internet | Thomson Reuters E-Learning
trainingportal.us | Internet | Thomson Reuters E-Learning
webex.com | Internet | Remote Support

Please be aware that Thomson Reuters will not divulge IP address information in any circumstances. Doing so would prevent us from changing IP addresses as and when needed without a notification period, and these IP addresses may not always be under our direct control. Clients should always use DNS.

4.2 THOMSON REUTERS EIKON FOR WEALTH MANAGEMENT PRIVATE NETWORK

It is strongly recommended that clients have both a Private Network and an Internet connection.

BT Service Package

The following BT Service Packages are needed:
- Thomson Reuters Platform with Real Time 2.0

TCP/IP Standard Port for Thomson Reuters Hosted Private

Product Profile: Thomson Reuters Eikon for Wealth Management Private Network, Deliver over Private Network

Protocol | Port Numbers (Workstation → Thomson Reuters) | Thomson Reuters Servers | Use
TCP | 1024+ → 80, 1024+ → 80, 1024+ → 443, 1024+ → 443 | Thomson Reuters Platform | Administration Service, Views Service, News Service, Streaming Service, Search & Navigation Service, Time Series Service, Update Service, Customer Zone
TCP/UDP | 1024+ → 53, 1024+ → 53 | DNS server | DNS

Reuters Insider requires an Internet connection.

DNS Server

All Thomson Reuters Hosted deployment servers are able to resolve IP addresses through BT DNS and the local Internet Service Provider (ISP) DNS. The following domains must be selectively forwarded:

DNS | Authorized DNS Server | Thomson Reuters Service
cp.thomsonreuters.net | Extranet | Thomson Reuters Eikon for Wealth Manager
extranet.thomsonreuters.biz | Extranet | Thomson Reuters Eikon for Wealth Manager, Customer Zone
thomsonreuters.com | Internet | Customer Zone, Reuters Insider
customers.reuters.com | Internet/ Extranet | Customer Zone
force.com | Internet | Migration tools (Knowledge Network)
geotrust.com, verisign.com | Internet | Certificate Validation
reutersinsider.com | Internet | Reuters Insider
reuters.com | Internet | URL link in some news content, e.g. pdf.reuters.com, blogs.reuters.com, www.reuters.com
salesforce.com | Internet | Migration tools
sdn.reuters.com | Internet | Securitized Derivative Network
thomson.112.2o7.net | Internet | Reuters Insider
trainingportal.us | Internet | Thomson Reuters E-Learning
webex.com | Internet | Remote Support
webtrendslive.com | Internet | Migration tools

Note*: NGTX service package is required

Please be aware that Thomson Reuters will not divulge IP address information in any circumstances. Doing so would prevent us from changing IP addresses as and when needed without a notification period, and these IP addresses may not always be under our direct control. Clients should always use DNS.

Uses BT DNS as shown in the table:

BT DNS | IP Address | BT DNS FQDN
London | 155.195.48.4 | londnsaa001.a.radianz.net
New York | 155.195.48.36 | hpggnsba001a.radianz.net
Singapore | 155.195.48.68 | sinsnsba001a.radianz.net

The recommended DNS search ordering is based on the client location as follows:

REGION | FIRST DNS SERVER | SECOND DNS SERVER | THIRD DNS SERVER
EMEA | London | New York | Singapore
AMERICA | New York | London | Singapore
ASIA | Singapore | New York | London

BT Private Network Routing

The client can set up as either:
- Set up BT Router as a default gateway, or
- Set up the following routing to BT router

CLIENT CONFIGURATION | DNS | COMMENT
Client workstation resolver only (No Client Site DNS) | BT DNS | Clients use local resolver fall-through. This relies on SERVFAIL answer from BT DNS for invalid domains. Clients with dedicated Extranet workstations can use the EDNS to take advantage of faster response
Client site DNS using selective forwarding or conditional forwarding | EDNS | BT DNS response time will be slower unless record is already in cache
Client site DNS using zone delegation | EDNS |

The EDNS and BT DNS are shown in the tables below:

EDNS | DNS IP Address | BT Extranet DNS FQDN
London | 155.195.64.4 | edns02.uk.extranet.reuters.biz
New York | 155.195.84.4 | edns02.us.extranet.reuters.biz
Singapore | 155.195.76.4 | edns02.sg.extranet.reuters.biz

BT DNS | IP Address | BT DNS FQDN
London | 155.195.48.4 | londnsaa001.a.radianz.net
New York | 155.195.48.36 | hpggnsba001a.radianz.net
Singapore | 155.195.48.68 | sinsnsba001a.radianz.net

The recommended DNS search ordering is based on the client location as follows:

REGION | FIRST DNS SERVER | SECOND DNS SERVER | THIRD DNS SERVER
EMEA | London | New York | Singapore
ASIA | Singapore | New York | London

BT Private Network Routing

IP Subnet | Description / Used for EIKON
65.62.0.0/15, or: 65.62.64.0/22, 65.62.68.0/22, 65.63.72.0/22 | Thomson Reuters Eikon for Wealth Management
155.195.48.0/22, 155.195.64.0/18 | BT DNS – Optional DNS Service – on EDNS, Customer Zone

Note: *NGTX service Package is needed

Thomson Reuters Eikon for Wealth Management Internet and Thomson Reuters Eikon Customer Managed on Private Network

The Administration service over Private Network is able to authenticate the Internet Services. If clients have Thomson Reuters Eikon for Wealth Management over Internet and Thomson Reuters Eikon over Private Network on the same site, set up the additional DNS entries on the DNS server:

DNS | DNS Server | Thomson Reuters Service
download.cp.thomsonreuters.net | Internet ISP/ Extranet DNS* | Update Service
cp.thomsonreuters.net | Extranet DNS | Administration Service
extranet.thomsonreuters.biz | Extranet DNS | Thomson Reuters Platform Service

* Thomson Reuters Eikon Excel for Wealth Management installation files, Hotfixes and Add-ons are downloaded from the domain download.cp.thomsonreuters.net. Clients are able to download packages from either the Internet or the Private Network.

4.3 PROXY AND FIREWALL POLICY

Authentication Proxy

Thomson Reuters Eikon for Wealth Management does not support Authentication Proxy. The Streaming Service cannot be established through the HTTP authentication process. Reuters Insider always has a slow response with Authentication Proxy.

Certificate Management

See Chapter 6

FIREWALL Policy

Thomson Reuters Eikon Excel is a part of Thomson Reuters Eikon for Wealth Management. See Section 5.2 for more information.

Content filtering Policy DNS Suffixes cp.thomsonreuters.net

Thomson Reuters Service Thomson Reuters Eikon for Wealth Management

cp.thomsonreuters.com ia.thomsonreuters.com eikon.thomsonreuters.com eikon.extranet.thomsonreuters.biz cp.extranet.thomsonreuters.biz ia.extranet.thomsonreuters.biz customers.reuters.com customers.extranet.thomsonreuters.biz customers.thomsonreuters.com eikontest.thomsonreuters.com graphics.thomsonreuters.com reuters.com breakingviews.com sdn.reuters.com force.com salesforce.com webtrendslive.com


Customer Zone

Thomson Reuters Eikon Excel System Test URL link in some news content e.g. pdf.reuters.com, www.reuters.com, blogs.reuters.com, www.breakingviews.com Securitized Derivatives Network Migration tools (Knowledge network)


insider.thomsonreuters.com reutersinsider.com

Reuters Insider

thomson.112.2o7.net (used for analytic and report of user interactions)

training.thomsonreuters.com trainingportal.us geotrust.com verisign.com Webex.com


Thomson Reuters E-learning Certificate Validation Remote Support


5. INTERNET SERVICE FOR THOMSON REUTERS EIKON

5.1 INTERNET SERVICE DNS

The following DNS suffixes can be resolved on the Internet only. It is strongly recommended that clients have an Internet connection in order to get the services.

DNS | DNS Server | Thomson Reuters Service
public.login.cp.thomsonreuter.net | Internet ISP | Thomson Reuters Administrative Services
blogs.reuters.com | Internet ISP | News URL link
breakingviews.com | Internet ISP | News URL link
link.reuters.com | Internet ISP | News URL link
pdf.reuters.com | Internet ISP | News URL link
r.reuters.com | Internet ISP | News URL link
today.reuters.com | Internet ISP | News URL link
topnews.reuters.com | Internet ISP | News URL link
uk.reuters.com | Internet ISP | News URL link
www.reuters.com | Internet ISP | News URL link
thomsonreuters.com | Internet ISP | Thomson Reuters web services
trainingportal.us | Internet ISP | Thomson Reuters E learning
training.thomsonreuters.com | Internet ISP | Thomson Reuters E learning
reutersinsider.com | Internet ISP | Reuters Insider
thomson.112.2o7.net | Internet ISP | Reuters Insider
force.com | Internet ISP | Thomson Reuters Eikon Migration Tools
salesforce.com | Internet ISP | Thomson Reuters Eikon Migration Tools
webtrendslive.com | Internet ISP | Thomson Reuters Eikon Migration Tools
webex.com | Internet ISP | Remote Support
emaxx.reuters.com | Internet ISP | Bond Holdings
sdn.reuters.com | Internet ISP | Securitized Derivatives Network
autex.com | Internet ISP | Autex
autexnow.com | Internet ISP | Autex
db.dealwatch.jp | Internet ISP | Deal watch
europrospectus.com | Internet ISP | Euro Prospectus
fixedincomelabs.com | Internet ISP | Fixed Income in Thomson Reuters Eikon
Hihifrds.com | Internet ISP | Treasury Community Tools
Intindex.com | Internet ISP | International Index Company
Lipperweb.com | Internet ISP | Lipper Market Insight
loanpricing.com | Internet ISP | Loan Pricing
pointcarbon.com* | Internet ISP | Eikon Point Carbon C&E
ReutersRealEstate.com | Internet ISP | Thomson Reuters Real Estate
rts.scanrate.dk | Internet ISP | Danish MBS
Streetsight.thomson.com | Internet ISP | Street Sight
Stormpulse.com** | Internet ISP | Stormpulse Weather Service
tiles.virtualearth.net** | Internet ISP | Aerial and Satellite image for Interactive Map component
Tubemogul.com | Internet ISP | Stormpulse Weather Service
tradeweb.com | Internet ISP | Tradeweb
Geotrust.com | Internet ISP | Certificate Management
Verisign.com | Internet ISP | Certificate Management
Digicert.com | Internet ISP | Certificate Management
complinet.com | Internet ISP | Thomson Reuters Accelus***
tta.thomson.com | Internet ISP | Thomson Reuters Transaction Analytics***
globalrelay.com | Internet ISP | Thomson Reuters Messaging Compliance***

* Eikon Point Carbon will be integrated in Q1, 2012.
** Interactive Map component, a new object, will be available early 2012.
*** Thomson Reuters Eikon for Compliance Management services only

Please be aware that Thomson Reuters will not divulge IP address information in any circumstances. Doing so would prevent us from changing IP addresses as and when needed without a notification period, and these IP addresses may not always be under our direct control. Clients should always use DNS.

5.2 FIREWALL POLICY

If you use Thomson Reuters Messaging 8.x and Thomson Reuters Eikon on the same machine, see the Thomson Reuters Messaging 8 Firewall/IP Guide at https://customers.reuters.com/a/support/paz/pazDocs.aspx?dId=389804

Content Filtering Policy

If you set up a policy for Content Filtering on the Internet Proxy or Firewall, the following DNS suffixes must be set to ALLOW for Thomson Reuters Eikon.

DNS Suffixes | Thomson Reuters Service
thomsonreuters.com | Thomson Reuters Web Services
thomsonreuters.net | Thomson Reuters Web Services
reuters.com | Thomson Reuters Web Services
autex.com | Autex
autexnow.com | Autex
breakingviews.com | Breaking News
collab.thomsonreuters.com | Collaboration Service
cp.thomsonreuters.com | Thomson Reuters Eikon and Thomson Reuters Eikon for Wealth Management
cp.thomsonreuters.net | Thomson Reuters Eikon and Thomson Reuters Eikon for Wealth Management
customers.reuters.com | Customer Zone
customers.thomsonreuters.com | Customer Zone
db.dealwatch.jp | Internet ISP
digicert.com | Certificate Revocation Validation
eikon.thomsonreuters.com | Thomson Reuters Eikon and Thomson Reuters Eikon Wealth management
eikontest.thomsonreuters.com | System Test
europrospectus.com | Internet ISP
fitrading.reuters.com | Trading Service, System Test
fixedincomelabs.com | Fixed Income tools
force.com | Thomson Reuters Eikon Migration tools (Knowledge network)
fxtrading.reuters.com | Trading Service, System Test
geotrust.com | GeoTrust Certificate Revocation Validation
graphics.thomsonreuters.com | System Test
hihifrds.com | Treasury Community Tools
ia.thomsonreuters.com | Thomson Reuters Eikon Wealth Management
insider.thomsonreuters.com | Reuters Insider
Intindex.com | International Index Company
Lipperweb.com | Lipperweb
loanpricing.com | Loan Pricing
pointcarbon.com | Eikon Point Carbon
reutersinsider.com | Reuters Insider
ReutersRealEstate.com | Thomson Reuters Real Estate
rtextrading.reuters.com | Trading Service, System Test
rts.scanrate.dk | Internet ISP
salesforce.com | Thomson Reuters Eikon Migration tools (Knowledge network)
stormpulse.com | Storm Pulse
streetsight.thomson.com | Thomson Street sight
thomson.112.2o7.net | Reuters Insider (used for analytic and report of user interactions)
tiles.virtualearth.net | Aerial and Satellite image for Interactive Map component
tradeweb.com | Trade web
trading.thomsonreuters.net | Trading Service, System Test
trainingportal.us | Thomson Reuters E-learning
training.thomsonreuters.com | Thomson Reuters E-learning
Tubemogul.com | Internet ISP
verisign.com | Verisign Certificate Revocation Validation
webex.com | Remote Support

Note: Customers can use thomsonreuters.com and reuters.com instead of adding multiple entries from the table.

The multimedia news service, Reuters Insider, uses the Akamai Content Delivery Network (CDN), the 3rd party service provider, to cache and distribute dynamic and static content through thousands of Edge servers. Due to the dynamic nature of the Akamai CDN, the user is dynamically directed to the Akamai Edge servers that offer the best performance. Therefore please allow content for Content-Type = "application/x-fcs" for Reuters Insider.
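Replacing many table entries with a parent suffix, as the note above allows, is only safe when the proxy or firewall matches suffixes on DNS label boundaries. The following Python sketch is an added example, not part of the guide: it reduces an allow-list to the parent suffixes that cover it and contrasts label-boundary matching with plain string suffix matching. The suffix list is a subset of the section 5.2 table; the test hostnames and all function names are constructed for illustration.

```python
# Subset of the DNS suffixes from the section 5.2 content filtering table.
ALLOW_SUFFIXES = [
    "thomsonreuters.com", "thomsonreuters.net", "reuters.com",
    "cp.thomsonreuters.com", "customers.reuters.com", "fxtrading.reuters.com",
    "eikon.thomsonreuters.com", "trading.thomsonreuters.net",
    "geotrust.com", "verisign.com", "digicert.com", "force.com",
]

# Constructed hostnames used to exercise the matcher.
SAMPLE_HOSTS = [
    "pdf.reuters.com",            # real subdomain of an allowed suffix
    "REUTERS.COM.",               # same zone, different case, trailing dot
    "xreuters.com",               # constructed: different registered domain
    "reuters.com.example.org",    # constructed: suffix appears mid-name
]


def labels(name):
    """Lower-case a DNS name, drop the trailing root dot, split into labels."""
    return name.strip().rstrip(".").lower().split(".")


def covered_by(host, suffix):
    """True when host equals suffix or is a subdomain of it (label match)."""
    h, s = labels(host), labels(suffix)
    return len(h) >= len(s) and h[-len(s):] == s


def is_allowed(host, suffixes):
    """Label-boundary allow-list check."""
    return any(covered_by(host, s) for s in suffixes)


def naive_is_allowed(host, suffixes):
    """Weak variant: plain string suffix test with no label boundary."""
    h = host.strip().rstrip(".").lower()
    return any(h.endswith(s.lower()) for s in suffixes)


def minimize(suffixes):
    """Drop entries already covered by a shorter entry in the same list."""
    ordered = sorted({".".join(labels(s)) for s in suffixes},
                     key=lambda s: (len(labels(s)), s))
    kept = []
    for suffix in ordered:
        if not is_allowed(suffix, kept):
            kept.append(suffix)
    return kept


def over_permitted(hosts, suffixes):
    """Hosts the naive matcher lets through but the label matcher blocks."""
    return [h for h in hosts
            if naive_is_allowed(h, suffixes) and not is_allowed(h, suffixes)]


if __name__ == "__main__":
    print("minimal list:", minimize(ALLOW_SUFFIXES))
    for host in SAMPLE_HOSTS:
        print(f"{host:28} strict={is_allowed(host, ALLOW_SUFFIXES)} "
              f"naive={naive_is_allowed(host, ALLOW_SUFFIXES)}")
    print("over-permitted by naive match:",
          over_permitted(SAMPLE_HOSTS, ALLOW_SUFFIXES))
```

Running the same sample hostnames through the actual proxy policy shows which of the two behaviours the product implements before the shorter list is deployed.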

Personal Firewall

If you use a personal firewall, please ensure that the Firewall allows those processes:

PROCESS NAME | SERVICES
Kobra.exe | Thomson Reuters Eikon Desktop
Excel.exe | Thomson Reuters Eikon Excel
Rdmc.exe | System Test
Agent.exe | Thomson Reuters Update Services
Isdm.exe | Thomson Reuters Update Services
Jre.exe | Trading Services

Note: Kobra.exe and Jre.exe are not available on Thomson Reuters Eikon for Wealth Management

5.3 WEB PROXY AUTO-DISCOVERY PROTOCOL (WPAD)

Thomson Reuters Eikon does not support the Web Proxy Auto-Discovery Protocol (WPAD). The Update Agent cannot connect to the dedicated proxy server indicated in the WPAD file; as a consequence, users are not able to install Thomson Reuters Eikon or upgrade to the latest Service Releases or Hotfixes. The issue is under investigation by our development teams.

5.4 REUTERS INSIDER

Reuters Insider does not support delivery over Private Delivery connections because internet delivery offers greater scalability, is more cost effective for clients and it's not prudent for video streaming to share the same connection as time-critical data. Many proxy and enterprise network monitoring tools allow bandwidth management of video internet traffic and these can be used to control quality and quantity risks associated with the internet delivery method.

Reuters Insider uses the Akamai Content Delivery Network (CDN), the 3rd party service provider, to cache and distribute dynamic and static content through thousands of Edge servers. Due to the dynamic nature of the Akamai CDN, the user is dynamically directed to the Akamai Edge servers that offer the best performance. Therefore please allow content for Content-Type = "application/x-fcs" for Reuters Insider.

NTLM Authentication

It is advisable to allow Reuters Insider to bypass NTLM authentication, as we have experienced authentication timeouts with Flash-based applications with a number of clients when NTLM authentication is enabled. For additional information, visit https://kb.bluecoat.com/index?page=content&id=KB3243&actp=LIST

Timeouts or Disconnections

If Reuters Insider video streams occasionally time out or disconnect and it does not appear to be an issue with your proxy, the problem might be caused by a default setting in Internet Explorer versions 6 or 7 that limits the user to two concurrent connections to a server. As Reuters Insider is a feature rich multimedia platform, it sometimes requires more than two concurrent connections. This is a known limitation of these versions of Internet Explorer; the Microsoft article at the following URL explains how to increase this value: http://support.microsoft.com/kb/282402.

5.5 THOMSON REUTERS EIKON FOR COMPLIANCE MANAGEMENT

Content Filtering

For Thomson Reuters Eikon for Compliance Management, clients must allow the following DNS suffixes in addition to those in section 5.2:

DNS SUFFIX | SERVICES
complinet.com | Thomson Reuters Accelus
tta.thomson.com | Thomson Reuters Transaction Analytics
compliance.collab.thomsonreuters.com | Thomson Reuters Messenger Compliance – Administration Portal
ecm-archiver.globalrelay.com | Thomson Reuters Messenger Compliance – Global Relay Reviewer Portal

5.6 INTERNET OPTIONS SETTING

Advanced Option
- Enable Use HTTP 1.1
- Enable Use HTTP 1.1 through proxy connections
- Disable Do not save encrypted pages to disk

Check Certificate Revocation

Web installation will fail if the certificate revocation check is turned on and the Internet cannot be reached. Refer to the following table for recommended actions.

CLIENT SITE | ADVISE
Client without Internet access and Thomson Reuters Hosted Private | Advise to disable the following IE options: Check for publisher's certificate revocation; Check for server certificate revocation; Check for signatures on downloaded programs. Note: the setting is per-user, unless locked by IT policies.
Client with Internet access | For security reasons, client should enable those options.

6 THOMSON REUTERS EIKON CERTIFICATE MANAGEMENT

For security purposes, servers, the Thomson Reuters Eikon package and the Thomson Reuters Eikon Excel for Wealth Management package require up-to-date certificates at installation, update and start-up. To ensure access to Thomson Reuters at all times, it is crucial that you validate the Certificate Management approach most appropriate to your network.

With the SSL certificate, it is required to validate the status of the certificates used when performing authentication, signing or encryption operations. Failure to validate the certificates prevents the product from working. The validation can be either CRL or OCSP, based on the client Operating System. See more information in Appendix D.

The certificates must be validated through the Internet or an Internal Certificate Infrastructure, Microsoft Online Responder, OCSP Proxy, etc., unless delegated to an internal certificate management system. You have to ensure that the certificate validation process can be updated from both:
- *.geotrust.com
- *.verisign.com

Microsoft provides a number of white papers on how to set up a trust relationship within a closed network. Starting points are here:
- Certificate Status and Revocation Checking (Windows XP): http://social.technet.microsoft.com/wiki/contents/articles/certificate-status-and-revocationchecking.aspx
- How Certificate Revocation Works (Windows 7, Windows 2008): http://technet.microsoft.com/engb/library/ee619754(WS.10).aspx
- Windows root Certificate Program: http://support.microsoft.com/kb/931125

6.1 THOMSON REUTERS EIKON CERTIFICATES AUTHORITIES

Thomson Reuters Eikon uses the root certificates shown below:

 | TRUSTED ROOT CERTIFICATE AUTHORITIES | INTERMEDIATE CERTIFICATE AUTHORITIES
Verisign | Verisign: Class 3 Public Primary Certificate Authority – G2 | Verisign Class 3 Secure Server CA- G2, http://crl.verisign.com/SVRSecureG2.cer
Verisign | Verisign Class 3 Public Primary Certificate Authority – G5 | VeriSign Class 3 Secure Server CA-G3, http://crl.verisign.com/SVRSecureG3.cer
Equifax* | Equifax Secure Certificate Authority |
GeoTrust | GeoTrust Global CA | GeoTrust SSL CA
Thawte | Thawte Timestamping CA |
DigiCert** | DigiCert High Assurance EV Root CA | DigiCert High Assurance CA-3

Note:
* Equifax Secure Certificate Authority is being replaced by GeoTrust Global CA
** DigiCert is used for Eikon Carbon Point, which will be integrated in Eikon by Q1, 2012.

The Trusted root certificates that are required by Microsoft Windows are listed in KB 293781, http://support.microsoft.com/kb/293781. It is necessary that all of them are available on the machine.

6.2 THOMSON REUTERS EIKON FOR WEALTH MANAGEMENT CERTIFICATES AUTHORITIES

Thomson Reuters Eikon for Wealth Management uses the root certificates shown below:

 | TRUSTED ROOT CERTIFICATE AUTHORITIES | INTERMEDIATE CERTIFICATE AUTHORITIES
Verisign | Verisign: Class 3 Public Primary Certificate Authority – G2 | Verisign Class 3 Secure Server CA- G2, http://crl.verisign.com/SVRSecureG2.cer
Verisign | Verisign Class 3 Public Primary Certificate Authority – G5 | VeriSign Class 3 Secure Server CA-G3, http://crl.verisign.com/SVRSecureG3.cer
Equifax* | Equifax Secure Certificate Authority |
GeoTrust | GeoTrust Global CA | GeoTrust SSL CA
Thawte | Thawte Timestamping CA |

Note: * Equifax Secure Certificate Authority is being replaced by GeoTrust Global CA

The Trusted root certificates required by Microsoft Windows are listed in Microsoft KB 293781, http://support.microsoft.com/kb/293781. It is necessary that all of them are available on the machine.

6.3 TESTING TRUSTED ROOT CERTIFICATE

The Trusted Root can be tested from the following URLs:

TRUSTED ROOT CERTIFICATE | TEST URL
Verisign: Class 3 Public Primary Certificate Authority – G2 | https://ssltest24.bbtest.net
Verisign Class 3 Public Primary Certificate Authority – G5 | https://ssltest2.bbtest.net
Equifax Secure Certificate Authority | https://ssltest11.bbtest.net
GeoTrust Global CA | https://ssltest15.bbtest.net
DigiCert High Assurance EV Root CA | https://ev-root.digicert.com/testroot/

APPENDIX A: LIST OF DEVICE TCP/IP INFORMATION

This Appendix shows all device information.

TIME SERIES PROXY TCP/IP PORT

Services | Network Port | Note
Management | TCP/UDP: 8082, 8085; SSH: 22 |
SNMP | 161/ UDP |
Thomson Reuters Eikon | HTTP |
Time Series Service | HTTP |

STREAMING PROXY TCP/IP PORT Network components

RSS HMDS

Network components connect to the ports on Streaming Proxy Dynamic Dynamic

Streaming Proxy connects to the ports on the network components TCP: 2000, 8801 TCP: 14002

RWS Thomson Reuters Eikon

Dynamic TCP: 14002

TCP: 8101 Dynamic

Application Console SMF Update Proxy Dealing Key station GMI components

TCP: 8603, 7011 TCP: 8603, 7011 TCP: 80 TCP: 8101 Ports to be opened in Streaming Proxy 22, 9510, 9514, 9515 / TCP

TCP: 8603, 7011 TCP: 8603, 7011 TCP: 80 Dynamics Ports to be opened in other devices

SSH Traffic, CAS Agent Manager Traffic CAS Agent Manager Traffic; Inventory Collector Traffic SNMP Gets SNMP Traps Precision / IP Traffic ICMP SSH Traffic Probe Rule Traffic Syslog Message Data/File Retrieval from PAWZ Agent / PAWZ Agent Profile Update PAWZ Real Time Agent Data FTA


Note TPM Server

9511, 9512, 9513, 9080 /TCP 161 / UDP 3306, 4100, 7600, 32972 / TCP ICMP 22 / TCP

Note

162 / UDP 3306, 4100, 7600, 32972 / TCP ICMP

TPM Server NetCool Server NetCool Server NetCool Server

1661 / TCP

NetCool Server NerCool Server NetCool Server NetCool Server PAWZ Server

2102 / TCP

PAWZ Server

1661 / TCP

FTA Server

80 / TCP 514 / TCP, 514 / UDP


ePO Microsoft

8902, 8903 / UDP Ports to be opened in Streaming Proxy

Windows Server Activation

8900 / UDP Ports to be opened in other devices 1688/ TCP

ePO Server Note KMS Server

REUTERS INSIDER FIREWALL PORT ALLOWED

- HTTP 80
- HTTPS 443
- One of these ports (80, 443, 1935) must be open for RTMP to live.flash.insider.thomsonreuters.com

BT ROUTING FOR THOMSON REUTERS MANAGED DEVICE

IP SUBNET | DOMAIN/SYSTEM | DESCRIPTION/USED FOR TR EIKON
65.62.0.0 / 15 | Spring Servers (Ex Client WAN Range) Super net (Aggregated Prefix) | Spring Server Ex Client WAN Range contains: 65.62.64.0/22 Range 1, 65.62.68.0/22 Range 2, 65.63.72.0/22 Range 3
67.56.0.0 / 15 | Reuters servers range 03 | Reuters server range 3
75.124.0.0 / 16 | Reuters servers CAA15 | Contain (Spring Servers (Ex Client WAN range 4,
75.96.96.0 / 20 | Reuters servers CAA18 | Reuters servers CAA18
155.195.48.0 / 22 | Reuters servers range 01 | Reuters servers range 01
155.195.64.0 / 18 | Reuters servers range 01 | Reuters servers range 01
159.220.192.0 /20 | Global Management Infrastructure (GMI) | Global Management Infrastructure (GMI)
198.206.64.0 /18 | Reuters client range 10 | Spring Reuters Servers Range 2 (198.206.86.0/23),
198.210.128.0 /17 | Reuters client range 06 | Reuters client range 06
204.109.128.0 /17 | FCE clients range 04 | FCE clients range 04
206.60.0.0 /16 | Spring Reuters servers range 3 | Spring Reuters servers range 3

SAVVIS NETWORK INFORMATION FOR THOMSON REUTERS MANAGED DEVICE IP Subnet

Note

159.220.0.0/16 192.155.40.64/30

Thomson Reuters Managed NTP Server


192.155.136.0/21

Thomson Reuters Platform Services, DNS

| SERVICES | HOST NAME | IP ADDRESS |
|---|---|---|
| NTP Server | NTCP-NTP201 | 192.155.40.64 |
| NTP Server | NTCP-NTP202 | 192.155.40.66 |
| EPO Server | DTCP-EPO0001.session.rservices.com | 192.155.129.54 |


APPENDIX B: LIST OF SWITCH ALLOCATION ON BT SWITCH (VLAN)

Recommended IP address for Streaming Proxy Server and Time Series Proxy on Private Delivery managed VLAN switch

These are the recommended IP addresses for Streaming Proxy Server and Time Series Proxy devices connecting to the BT Managed VLAN Switch. A different network range should only be used if the suggested IP address range conflicts with your internal network.

| Device | IP Address (Option A) | VLAN HSRP | IP Address (Option B) | VLAN HSRP |
|---|---|---|---|---|
| SPX / TSP (No Converge-VLAN130) | | | | |
| Switch 1 - IDN-DAF VLAN Sub Interface Address | 172.31.11.1 /24 | N/A | 192.168.11.1 /24 | N/A |
| Switch 1 port 9 - 1st client SPX / TSP | 172.31.11.11 /24 | N/A | 192.168.11.11 /24 | N/A |
| Switch 1 port 10 - 3rd client SPX / TSP | 172.31.11.12 /24 | N/A | 192.168.11.12 /24 | N/A |
| Switch 1 port 11 - 5th client SPX / TSP | 172.31.11.13 /24 | N/A | 192.168.11.13 /24 | N/A |
| Switch 1 port 12 - 7th client SPX / TSP | 172.31.11.14 /24 | N/A | 192.168.11.14 /24 | N/A |
| Switch 1 port 13 - 9th client SPX / TSP | 172.31.11.15 /24 | N/A | 192.168.11.15 /24 | N/A |
| Switch 1 port 14 - Network Monitor | 172.31.11.10 /24 | N/A | 192.168.11.10 /24 | N/A |
| SPX / TSP (No Converge-VLAN130) | | | | |
| Switch 2 - IDN-DAF VLAN Sub Interface Address | 172.31.12.1 /24 | N/A | 192.168.12.1 /24 | N/A |
| Switch 2 port 9 - 2nd client SPX / TSP | 172.31.12.11 /24 | N/A | 192.168.12.11 /24 | N/A |
| Switch 2 port 10 - 4th client SPX / TSP | 172.31.12.12 /24 | N/A | 192.168.12.12 /24 | N/A |
| Switch 2 port 11 - 6th client SPX / TSP | 172.31.12.13 /24 | N/A | 192.168.12.13 /24 | N/A |
| Switch 2 port 12 - 8th client SPX / TSP | 172.31.12.14 /24 | N/A | 192.168.12.14 /24 | N/A |
| Switch 2 port 13 - 10th client SPX / TSP | 172.31.12.15 /24 | N/A | 192.168.12.15 /24 | N/A |
| Switch 2 port 14 - Network Monitor | 172.31.12.10 /24 | N/A | 192.168.12.10 /24 | N/A |
| SPX / TSP (Standard Converge-VLAN160) | | 172.25.10.3 /24 | | 192.168.20.3 /24 |
| Switch 1 - IDN-SAF VLAN Sub Interface Address | 172.25.10.1 /24 | | 192.168.20.1 /24 | |
| Switch 1 port 17 - 1st client SPX / TSP | 172.25.10.11 /24 | | 192.168.20.11 /24 | |
| Switch 1 port 18 - 3rd client SPX / TSP | 172.25.10.13 /24 | | 192.168.20.13 /24 | |
| Switch 1 port 19 - 5th client SPX / TSP | 172.25.10.15 /24 | | 192.168.20.15 /24 | |
| Switch 1 port 14 - Network Monitor | 172.25.10.9 /24 | | 192.168.20.9 /24 | |
| SPX / TSP (Standard Converge-VLAN160) | | 172.25.10.3 /24 | | 192.168.20.3 /24 |
| Switch 2 - IDN-SAF VLAN Sub Interface Address | 172.25.10.2 /24 | | 192.168.20.2 /24 | |
| Switch 2 port 17 - 2nd client SPX / TSP | 172.25.10.12 /24 | | 192.168.20.12 /24 | |
| Switch 2 port 18 - 4th client SPX / TSP | 172.25.10.14 /24 | | 192.168.20.14 /24 | |
| Switch 2 port 19 - 6th client SPX / TSP | 172.25.10.16 /24 | | 192.168.20.16 /24 | |
| Switch 2 port 14 - Network Monitor | 172.25.10.10 /24 | | 192.168.20.10 /24 | |


APPENDIX C: LOCAL DNS CONFIGURATION TO SUPPORT NETWORK FAILOVER (PRIVATE DELIVERY TO INTERNET)*

*This configuration should be applied only in the case of BT MPLS failover; it is not something to set up by default.

Configuration Microsoft Windows 2003 Server DNS for Selective Forwarding

NOTE: Microsoft refers to this as Conditional Forwarding.

On the Forwarders tab, for all other DNS domains, the forwarder IP address list contains eDNS and Internet DNS, as in the figure below (155.195.76.4 is the eDNS server and 203.144.207.29 is the Internet ISP DNS).

For the cp.thomsonreuters.net suffix, the forwarder IP address list needs both eDNS and Internet ISP DNS. Add both DNS providers because, when the primary (Private Delivery) infrastructure fails, the Internet ISP DNS is used to resolve names instead.


For the extranet.thomsonreuters.biz suffix, the forwarder IP address list needs eDNS only.

For the thomsonreuters.com suffix, the forwarder IP address list needs Internet ISP DNS only.


Configuration Microsoft Windows 2003 Server DNS for Delegation

For the extranet.thomsonreuters.biz suffix

To delegate this domain, create a new Forward Lookup Zone (Standard Primary) called thomsonreuters.biz, as shown in the steps below:

1. Right-click Forward Lookup Zone to create a new zone
2. Click Next
3. Select Primary zone and click Next
4. Input the zone name thomsonreuters.biz and click Next
5. Create a new file with the (default) file name and click Next
6. Select "Do not allow dynamic updates" and click Next
7. Click Finish
8. The domain thomsonreuters.biz is created
9. Create a new delegation by right-clicking the thomsonreuters.biz domain
10. The Windows wizard pops up; click Next
11. Enter "extranet" in the Delegated domain field and click Next
12. Click Add to add the DNS server
13. Enter the eDNS server name in the FQDN field, click Resolve to get the IP address, and click OK
14. Click Next
15. Click Finish

Repeat the procedure to create the cp.thomsonreuters.com domain as a delegated domain.

The local DNS server then has two delegated domains, as below.

Forwarding DNS for cp.thomsonreuters.net domain

NOTE: It is not recommended to delegate the Universal Domains and Global Universal Domains, cp.thomsonreuters.net, since this breaks failover from MPLS to the Internet. Please use forwarding DNS for cp.thomsonreuters.net.
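The effect of the two designs in Appendix C on name resolution during an MPLS outage can be checked with a small model. This is an added example, not configuration or code from Thomson Reuters or Microsoft: the function names and the sample host names are constructed, resolver timeouts are ignored, and only the two forwarder addresses and the suffixes come from the guide.

```python
EDNS = "155.195.76.4"        # eDNS server, reached over Private Delivery (from the guide)
ISP_DNS = "203.144.207.29"   # Internet ISP DNS (from the guide)

# Selective (conditional) forwarding as the guide configures it.
FORWARDING = {
    "cp.thomsonreuters.net": [EDNS, ISP_DNS],
    "extranet.thomsonreuters.biz": [EDNS],
    "thomsonreuters.com": [ISP_DNS],
    "": [EDNS, ISP_DNS],                 # all other DNS domains
}
# The design the NOTE warns against: cp.thomsonreuters.net delegated to eDNS only.
DELEGATING_CP = dict(FORWARDING, **{"cp.thomsonreuters.net": [EDNS]})

# Constructed host names, one per suffix plus one unrelated name.
NAMES = [
    "host1.cp.thomsonreuters.net",
    "host2.extranet.thomsonreuters.biz",
    "www.thomsonreuters.com",
    "crl.example.test",
]
MPLS_UP = {EDNS, ISP_DNS}    # both DNS servers reachable
MPLS_DOWN = {ISP_DNS}        # Private Delivery link lost, Internet still up


def servers_for(qname, design):
    """Server list of the longest configured suffix matching on a label boundary."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) + 1):
        suffix = ".".join(labels[i:])    # i == len(labels) yields "" (the default)
        if suffix in design:
            return design[suffix]
    return []


def resolve_via(qname, design, reachable):
    """First server in list order that is reachable, or None if none is."""
    return next((s for s in servers_for(qname, design) if s in reachable), None)


def unresolvable(names, design, reachable):
    """Names that no configured server can answer in the given network state."""
    return [n for n in names if resolve_via(n, design, reachable) is None]


if __name__ == "__main__":
    for label, design in (("forwarding", FORWARDING), ("delegation", DELEGATING_CP)):
        print(label, "-> unresolvable with MPLS down:",
              unresolvable(NAMES, design, MPLS_DOWN))
```

With forwarding, only the extranet.thomsonreuters.biz name is lost during the outage; with cp.thomsonreuters.net delegated, the cp name is lost as well.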


APPENDIX D: CERTIFICATE REVOCATION CONCEPT

Public key infrastructure (PKI) consists of multiple components, including certificates, certificate revocation lists (CRL), and certification authorities (CA). In most cases, applications that depend on X.509 certificates, such as Secure/Multipurpose Internet Mail Extensions (S/MIME), Secure Sockets Layer (SSL), and smart cards, are required to validate the status of the certificates used when performing authentication, signing, or encryption operations. Certificate status and revocation checking is the process by which the validity of certificates is verified based on two main categories: time and revocation status.

- Time. Certificates are issued for a fixed period of time and are considered valid as long as the expiration date of the certificate is not reached, unless revoked before that date.
- Revocation status. Certificates can be revoked before their expiration date for multiple reasons, such as key compromise or suspension. Before performing any operation, applications often validate that the certificate was not revoked.

Windows XP and Windows 2003 support only CRL. Windows Vista, Windows 7 and Windows 2008 support both CRL and OCSP as a method of determining certificate status. The OCSP support includes both the client component and the Online Responder, which is the server component.

Certificate Revocation Checking

When an application performs a certificate evaluation, the validation is performed on all certificates in that certificate's chain. This includes every certificate from the end-entity certificate presented to the application to the root certificate. When the first certificate in the chain is validated, the following process takes place:

1. The certificate chaining engine attempts to build the chain for the certificate inspected by querying the local certificate store or by downloading from one of the URLs available in the inspected certificate's authority information access extensions.
2. For all certificate chains that end in a trusted root, all certificates in the chain are validated. This involves the following steps:
   - Verify that each certificate's signature is valid.
   - Verify that the current date and time fall within each certificate's validity period.
   - Verify that each certificate is not corrupt or malformed.
3. Each certificate in the certificate chain is checked for revocation status. Revocation checking is performed either by using a CRL or OCSP, based on the certificate configuration.

After the validation check is completed, the certificate chaining engine returns the results of the validation check to the application that originated the validation request. The results will indicate if all certificates in the chain are valid, if the chain terminates at a non-trusted root CA, if any certificates in the chain are not valid, or if the revocation status for any of the certificates in the chain cannot be determined.

For more information, see Certificate Revocation and Status Checking at http://go.microsoft.com/fwlink/?LinkID=27081

CRL

A CRL is a file, created and signed by a CA, that contains the serial numbers of certificates that have been issued by that CA and are revoked. In addition to the serial number of each revoked certificate, the CRL also contains the revocation reason for each certificate and the time the certificate was revoked. Currently, two types of CRL exist: base CRL and delta CRL. Base CRLs maintain a complete list of revoked certificates, while delta CRLs maintain only those certificates that have been revoked since the last publication of a base CRL.

The major drawback of CRLs is their potentially large size, which limits the scalability of the CRL approach. The large size adds significant bandwidth and storage burdens to the CA and relying party, and therefore limits the ability of the system to distribute the CRL. Bandwidth, storage space, and CA processing capacity can also be negatively affected if the publishing frequency gets too high. Numerous attempts have been made to solve the CRL size issue through the introduction of partitioned CRL, delta CRL, and indirect CRL. All these approaches have added complexity and cost to the system without providing an ideal solution to the underlying problem.

Another drawback of CRLs is latency; because the CRL publishing period is predefined, information in the CRL might be out of date until a new CRL or delta CRL is published.
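The chain evaluation steps and the base/delta CRL handling described above can be modelled as follows. This is an added example, not Microsoft's chaining engine and not code from the guide: the class names, function names and the sample chain are constructed, signatures are not verified, and treating a missing or out-of-date CRL as "revocation status unknown" is an assumption of the model.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Cert:
    subject: str
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass
class CRL:
    this_update: datetime
    next_update: datetime
    revoked: dict = field(default_factory=dict)   # serial -> revocation reason


def revoked_serials(base, delta=None):
    """Base CRL entries with the delta CRL's changes applied on top."""
    entries = dict(base.revoked)
    for serial, reason in (delta.revoked if delta else {}).items():
        if reason == "removeFromCRL":     # RFC 5280: the entry leaves the list
            entries.pop(serial, None)
        else:
            entries[serial] = reason
    return entries


def check_chain(chain, trusted_roots, crls, now):
    """chain is end-entity first, root last; crls maps issuer -> (base, delta).

    An issuer missing from crls stands for a CRL that could not be downloaded.
    """
    if chain[-1].subject not in trusted_roots:
        return "untrusted root"
    for cert, parent in zip(chain, chain[1:] + chain[-1:]):
        if cert.issuer != parent.subject:
            return "not valid: broken chain"
        if not cert.not_before <= now <= cert.not_after:
            return "not valid: outside validity period"
    for cert in chain[:-1]:               # the self-signed root is not looked up
        if cert.issuer not in crls:
            return "revocation status unknown"
        base, delta = crls[cert.issuer]
        if now > (delta or base).next_update:
            return "revocation status unknown"    # published data is out of date
        reason = revoked_serials(base, delta).get(cert.serial)
        if reason:
            return "not valid: revoked (" + reason + ")"
    return "valid"


def sample_chain(now):
    """Constructed three-certificate chain used to exercise check_chain."""
    span = timedelta(days=365)
    root = Cert("Example Root CA", "Example Root CA", 1, now - span, now + span)
    ca = Cert("Example Issuing CA", "Example Root CA", 2, now - span, now + span)
    ee = Cert("eikon.example.test", "Example Issuing CA", 100, now - span, now + span)
    return [ee, ca, root]
```

The four return families correspond to the four outcomes listed above; the delta CRL case shows how a suspended certificate becomes usable again once the hold is lifted.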

OCSP

OCSP is a Hypertext Transfer Protocol (HTTP) based protocol that allows a relying party to submit a certificate status request to an OCSP responder. The responder returns a definitive, digitally signed response indicating the certificate status. The amount of data retrieved per request is constant regardless of the number of revoked certificates in the CA. Most OCSP responders get their data from published CRLs and are therefore reliant on the publishing frequency of the CA. Some OCSP responders can, however, receive data directly from the CA's certificate status database and consequently provide near real-time status.

Scalability is the major drawback of the OCSP approach. Since it is an online process and is designed to respond to single certificate status requests, it results in more server hits, requiring multiple and sometimes geographically dispersed servers to balance the load. The response signing and signature verification processes also take time, which can adversely affect the overall response time at the relying party. Finally, since the integrity of the signed response depends on the integrity of the OCSP responder's signing key, the validity of this key must also be verified after a response is validated by the client.

Troubleshooting

Thomson Reuters Eikon uses the Microsoft Crypto API to check certificate revocation and download the CRL from a CRL distribution point. The Crypto API internally uses the WinHTTP API to download the HTTP-based URL for the CRL distribution point. If the proxy is not reachable or is incorrect, WinHTTP will not be able to download the CRL and the certificate revocation check will fail. Thomson Reuters Eikon then does not create any secure connection to the platform, which causes the program to shut down or display an error message.

The logic to discover a proxy server is as follows:

1. Check the static proxy settings.

| WINDOWS | COMMAND |
|---|---|
| Windows XP | Proxycfg.exe |
| Windows Vista, Windows 7 | Netsh.exe winhttp show proxy |

2. If there is no static proxy setting, the API tries to retrieve the Internet Explorer settings in the following order. The following registry locations are queried based on the executing identity:

| Executing identity | REGISTRY KEY |
|---|---|
| Current User | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| NETWORK SERVICE | HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| LOCAL SYSTEM | HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| LOCAL SERVICE | HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Any Other user | HKEY_USERS\ \Software\Microsoft\Windows\CurrentVersion\Internet Settings |

3. If the Internet Explorer proxy settings are not present for the executing user, or if the Internet Explorer settings indicate either of the following:
   - Automatically detect settings
   - Use automatic configuration script

   the Crypto API will try to automatically discover a proxy for the CRL. This will either return specific proxy information or return 'no proxy' if the automatic proxy discovery fails or if the URL does not require a proxy.

For more information, see Microsoft KB 2623724 at http://support.microsoft.com/kb/2623724

WinHTTP Proxy Configuration

The WinHTTP proxy configuration utility, proxycfg.exe, configures WinHTTP to access HTTP and HTTPS servers through a proxy server on Windows XP. An administrator can use the proxycfg.exe utility as part of the deployment and installation process of an application that uses WinHTTP. The administrator who runs proxycfg.exe must have local administrator privileges so that proxycfg.exe can update the registry of the local computer. WinHTTP proxy settings are per-machine, not per-user.

For Windows Vista, Windows 2008 and Windows 7, use Netsh.exe winhttp instead of proxycfg.exe. Netsh.exe requires administrative rights to modify machine configuration.

Usage

The following examples show the syntax used for various commands in the proxycfg.exe utility.

| COMMAND LINE | DESCRIPTION |
|---|---|
| proxycfg | Display the current WinHTTP proxy settings |
| proxycfg -d | Set direct access |
| proxycfg -u | Import proxy settings from the current user's Internet Explorer manual settings |
| proxycfg -p proxy-server-list optional-by-pass-list | Specify one or more proxy servers and an optional list of hosts that should be accessed directly. |

The following examples show the syntax used for various commands on Windows Vista and Windows 7.

| COMMAND LINE | DESCRIPTION |
|---|---|
| netsh winhttp show proxy | Display the current WinHTTP proxy settings |
| netsh winhttp reset proxy | Set direct access |
| netsh winhttp import proxy source=ie | Import proxy settings from the current user's Internet Explorer manual settings |
| netsh winhttp set proxy proxy-server bypass-list="optional-by-pass-list" | Specify one proxy server and an optional list of hosts that should be accessed directly. |
| netsh winhttp set proxy proxy-server="proxy-server-list" bypass-list="optional-by-pass-list" | Specify one or more proxy servers and an optional list of hosts that should be accessed directly. |

| PARAMETER | DESCRIPTION OF USE |
|---|---|
| Proxy-server-list | Proxies are listed per protocol. Windows XP: "protocol=http://proxy_name:port". Windows Vista and Windows 7: "protocol=proxyname:port;". Here protocol is either http or https and proxy_name is the name of the proxy server. |
| Optional-bypass-list | The list contains host names or IP addresses that are locally known. This list can contain wildcards, "*", that cause the application to bypass the proxy server for addresses that fit the specified pattern. For example, both "*.microsoft.com" and "*.org" are acceptable wildcard patterns. Wildcard characters must be the left-most characters in the list, so "myserver.*" is not supported. To list multiple addresses and host names, separate them with blank spaces or semicolons in the proxy bypass string. If the "" macro is specified, the function bypasses any host name that does not contain a period. |
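When a CRL download fails, it helps to predict which proxy WinHTTP would pick for the distribution point URL. The sketch below models the three-step discovery order from the Troubleshooting section and the bypass-list rules in the parameter table. It is an added example, not Thomson Reuters or Microsoft code: the function names, the dictionary layout and the host crl.example.test are assumptions, and the `<local>` macro name is taken from Microsoft's WinHTTP documentation rather than from this page.

```python
import re
from urllib.parse import urlsplit

_SEP = re.compile(r"[;\s]+")   # entries are separated by blanks or semicolons

# Constructed static setting that reuses the proxy names from the guide's examples.
STATIC = {
    "proxy": "http=proxy1.test.com:8080;https=proxy2.test.com:3128",
    "bypass": "<local>;*.extranet.thomsonreuters.biz;*.thomsonreuters.net",
}


def parse_proxy_list(spec):
    """'http=p1:8080;https=p2:3128' or a bare 'p1:8080' -> {scheme: proxy}."""
    table = {}
    for item in filter(None, _SEP.split(spec.strip())):
        scheme, sep, hostport = item.partition("=")
        if sep:
            table[scheme.lower()] = hostport
        else:
            table["*"] = item            # one proxy for every protocol
    return table


def is_bypassed(host, bypass_list):
    """Apply the bypass-list rules from the parameter description."""
    host = host.lower()
    for pat in filter(None, _SEP.split(bypass_list.strip().lower())):
        if pat == "<local>":             # macro name assumed from WinHTTP docs
            if "." not in host:
                return True
        elif "*" in pat[1:]:
            continue                     # e.g. "myserver.*" is not supported
        elif pat.startswith("*"):
            if host.endswith(pat[1:]):
                return True
        elif host == pat:
            return True
    return False


def proxy_for(url, static=None, ie=None, autodetect=None):
    """Return (source, proxy) for url; proxy None means direct access."""
    parts = urlsplit(url)
    host, scheme = parts.hostname or "", parts.scheme.lower()
    # Step 1: static WinHTTP setting. Step 2: manual IE setting of the identity.
    for source, cfg in (("winhttp-static", static), ("ie-manual", ie)):
        if not cfg or cfg.get("auto") or not cfg.get("proxy"):
            continue
        if is_bypassed(host, cfg.get("bypass", "")):
            return source, None
        table = parse_proxy_list(cfg["proxy"])
        return source, table.get(scheme, table.get("*"))
    # Step 3: automatic discovery, which may also answer "no proxy".
    return "auto-discovery", autodetect(url) if autodetect else None


if __name__ == "__main__":
    for url in ("http://crl.example.test/ca.crl",
                "https://a.extranet.thomsonreuters.biz/",
                "http://pki01/ca.crl"):
        print(url, "->", proxy_for(url, static=STATIC))
```

A single misspelled suffix in the bypass list matches nothing, so traffic for that domain is sent to the proxy without any error being reported.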

Example on Windows XP

Import the current Internet Proxy setting to WinHTTP (for manual setting on Internet Explorer only):

    C:\> proxycfg -u
    Microsoft (R) WinHTTP Default Proxy Configuration Tool
    Copyright (c) Microsoft Corporation. All rights reserved.

    Updated proxy settings
    Current WinHTTP proxy settings under:
      HKEY_LOCAL_MACHINE\
        SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\
          WinHttpSettings :

        Proxy Server(s) : 10.42.72.142:8080

Set up proxy1.test.com as a proxy for WinHTTP and bypass the proxy for the local domain, *.extranet.thomsonreuters.biz and *.thomsonreuters.net:

    C:\> proxycfg -p proxy1.test.com ";*.extranet.thomsonreuters.biz;*.thomsonreuters.net"
    Microsoft (R) WinHTTP Default Proxy Configuration Tool
    Copyright (c) Microsoft Corporation. All rights reserved.

    Updated proxy settings
    Current WinHTTP proxy settings under:
      HKEY_LOCAL_MACHINE\
        SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\
          WinHttpSettings :

        Proxy Server(s) : proxy1.test.com
        Bypass List     : ;*.extranet.thomsonreuters.biz;*.thomsonreuters.net

Set up Proxy1.test.com for the http protocol on port 80 and Proxy2.test.com for the https protocol on port 3128, with direct access to the local domain, *.extranet.thomsonreuters.biz and *.thomsonreuters.net:

    C:\> proxycfg -p "http=proxy1.test.com:8080 https=proxy2.test.com:3128" ";*.extranet.thomsonreuters.biz;*.thomsonreuters.net"
    Microsoft (R) WinHTTP Default Proxy Configuration Tool
    Copyright (c) Microsoft Corporation. All rights reserved.

    Updated proxy settings
    Current WinHTTP proxy settings under:
      HKEY_LOCAL_MACHINE\
        SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\
          WinHttpSettings :

        Proxy Server(s) : http=proxy1.test.com:8080 https=proxy2.test.com:3128
        Bypass List     : ;*.extranet.thomsonreuters.biz;*.thomsonreuters.net

Clear the WinHTTP configuration:

    C:\> proxycfg -d
    Microsoft (R) WinHTTP Default Proxy Configuration Tool
    Copyright (c) Microsoft Corporation. All rights reserved.

    Updated proxy settings
    Current WinHTTP proxy settings under:
      HKEY_LOCAL_MACHINE\
        SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\
          WinHttpSettings :

        Direct access (no proxy server).


Example on Windows Vista and Windows 7

Import the current Internet Proxy setting to WinHTTP (for manual setting on Internet Explorer only):

    C:\> netsh winhttp import proxy source=ie
    Current WinHTTP proxy settings under:
        Proxy Server(s) : 10.42.72.142:8080
        Bypass List     :

Set up proxy1.test.com as a proxy for WinHTTP and bypass the proxy for the local domain, *.extranet.thomsonreuters.biz and *.thomsonreuters.net:

    C:\> netsh winhttp set proxy proxy1.test.com bypass-list=";*.extranet.thomsonreuters.biz;*.thomsonreuters.net"
    Current WinHTTP proxy settings under:
        Proxy Server(s) : proxy1.test.com
        Bypass List     : ;*.extranet.thomsonreuters.biz;*.thomsonreuters.net

Set up Proxy1.test.com for the http protocol on port 80 and Proxy2.test.com for the https protocol on port 3128, with direct access to the local domain, *.extranet.thomsonreuters.biz and *.thomsonreuters.net:

    C:\> netsh winhttp set proxy proxy-server="http=proxy1.test.com:8080;https=proxy2.test.com:3128" bypass-list=";*.extranet.thomsonreuters.biz;*.thomsonreuters.net"
    Current WinHTTP proxy settings under:
        Proxy Server(s) : http=proxy1.test.com:8080;https=proxy2.test.com:3128
        Bypass List     : ;*.extranet.thomsonreuters.biz;*.thomsonreuters.net

Clear the WinHTTP configuration:

    C:\> netsh winhttp reset proxy
    Current WinHTTP proxy settings:
        Direct access (no proxy server).
