Network Considerations when Deploying the Remote Host Daemon
When deploying TT applications on Remote Clients, TT recommends the following:
- Use a dedicated machine for the Remote Host Daemon. It must not run any TT applications other than Guardian.
- Determine the amount of bandwidth you need according to how you trade (e.g., contracts and volume). Supply at least that amount of bandwidth.
- Because each TT application uses a variable amount of bandwidth depending on the number of contracts opened, their volumes, and the level of price coalescing, monitor bandwidth usage on a regular basis.
- If you use up your bandwidth, consider using multicast to connect your network segments or increasing your bandwidth.
- When deploying Remote Clients over the Internet, obtain a DS1 (T1) or better connection to a Tier One ISP for the host site.
In a TT trading network environment:
- Do not use Remote Clients to trade over a LAN.
- Do not set up Remote Clients to connect directly to a TT Gateway.
- Do not use an unresolved IP address for the Remote Client connection.
- Do not use a web-proxy solution for production trading. Even if the proxy server allows persistent TCP connections and can technically support remote mode connections, web-proxy software can cause serious performance and reliability issues, especially during periods of high trade volume.
Do not set up a Remote Client to function as a Remote Host Daemon or WAN Router. A Remote Client must be the last entity (furthest removed) in any network chain.
No matter how you connect to the Internet, the amount of bandwidth available to your remote TT applications is highly variable and depends entirely on Internet traffic. If large numbers of people or organizations are using the Internet, remote TT applications can experience a slowdown.
Guardian encrypts all login information (such as user IDs and passwords) using Diffie-Hellman key exchange and triple DES encryption. This ensures that user IDs and passwords cannot be captured and used by unauthorized personnel.
VPN or Secure Shell (SSH) Technology
For maximum security, TT recommends that you use VPN software when trading on public networks such as the Internet.
You do not need to create a special setup on the Remote Client or Remote Host Daemon to connect to the TT network using VPN or SSH technology. However, if you use a NAT device, and the Remote Host Daemon has an IP address that is translated across the device, you must enter the external-facing address into the Installation Type dialog box during installation.
Before starting the remote TT application, the trader must completely log in to the host network using a VPN or SSH.
NAT Firewalls and Routers
You can install the Remote Host Daemon either inside or outside a firewall. Additionally, the Remote Client can lie behind a NAT device. When setting up a Remote Client in an environment that includes NAT devices, the only essential item to know is the external IP address of the Remote Host Daemon (i.e., its address as it appears to the Remote Client). Thus, if the IP address of a Remote Host Daemon happens to be 10.22.68.100 but a firewall translates the address to become 10.243.67.101, you must enter 10.243.67.101 into the Daemon Setup dialog box.
In the following Remote Setup and NAT Firewalls diagram, all machines use the default multicast subscription address (220.127.116.11). Additionally, all Remote Clients connect to IP address 10.243.67.101 (i.e., the external-facing NAT IP address). The firewall resolves the external-facing IP address 10.243.67.101 to the Remote Host Daemon’s actual (internal) IP address of 10.22.68.100.
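The deployment rules and the NAT addressing described above can be checked against a planned topology before installation. The following is an added example, not TT code: the host names, field names, the /24 LAN size and the assumption that every Remote Client sits outside the NAT device are all hypothetical, and only the two NAT addresses come from this page.

```python
import ipaddress

# Constructed sample deployment. Host names, field names and the /24 LAN size are
# assumptions; the two NAT addresses are the ones used in the example on this page.
NAT = {"10.22.68.100": "10.243.67.101"}  # internal address -> external-facing address
HOSTS = {
    "rhd1": {"role": "daemon", "ip": "10.22.68.100", "apps": ["Guardian"]},
    "gw1": {"role": "gateway", "ip": "10.22.68.50", "apps": ["Guardian"]},
    "rc1": {"role": "client", "ip": "192.168.5.20", "target": "10.243.67.101", "web_proxy": False},
    "rc2": {"role": "client", "ip": "192.168.5.21", "target": "10.22.68.100", "web_proxy": True},
    "rc3": {"role": "client", "ip": "10.22.68.77", "target": "10.22.68.50", "web_proxy": False},
}

def same_lan(a, b, prefix=24):
    """True when both addresses fall in the same /prefix network."""
    net = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
    return ipaddress.ip_address(b) in net

def audit(hosts=HOSTS, nat=NAT):
    """Return {host name: [findings]} for the deployment rules listed on this page."""
    internal = {h["ip"]: h for h in hosts.values()}
    external = {nat[h["ip"]]: h for h in hosts.values() if h["ip"] in nat}
    report = {}
    for name, h in hosts.items():
        found = []
        if h["role"] == "daemon" and set(h["apps"]) - {"Guardian"}:
            found.append("daemon host runs TT applications other than Guardian")
        if h["role"] == "client":
            target = h["target"]
            # Clients are assumed to be outside the NAT device, so they see external addresses.
            peer = external.get(target) or internal.get(target)
            if target in nat:
                found.append(f"uses internal address; enter {nat[target]} instead")
            if peer is None:
                found.append("target is not a known host")
            elif peer["role"] == "gateway":
                found.append("connects directly to a TT Gateway")
            elif peer["role"] == "client":
                found.append("target is a Remote Client; a client must be last in the chain")
            if peer is not None and same_lan(h["ip"], peer["ip"]):
                found.append("client shares a LAN with its target")
            if h["web_proxy"]:
                found.append("web proxy in the connection path")
        report[name] = found
    return report

if __name__ == "__main__":
    for host, findings in audit().items():
        print(host, "OK" if not findings else "; ".join(findings))
```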