ASX VPN Service Guide - Dashboard · Web viewASX VPN Access – Service Overview Version 1.3 Date:...

ASX VPN Access – Service OverviewVersion 1.3

Date: 26 April 2012

ASX VPN Access -Service Overview –Version 1.3 – April 2012

ASX VPN Access - Service Overview

Table of Contents:1. Introduction....................................................32. Current ASX VPN Providers.............................53. ASX access into the VPN’s...............................74. Support...........................................................75. Security..........................................................8Appendix 1 – VPN services Bandwidth requirements:......10Appendix 2 – Network overview.......................................11Appendix 3 - Server Configuration Details........................12Appendix 4 – VPN Setup Information Sheet:.....................13Appendix 5 – iVPN Setup:.................................................14Appendix 6 – Voiceline Setup:..........................................16Form 1 – Voiceline over Internet Connection....................17


1. IntroductionASX has enabled access to the ASX Trade test systems, CHESS and a variety of Market Information products via third party Virtual Private Network (VPN) providers and, under limited circumstances, Internet based VPN’s (iVPN).

All applications made available reside within an ASX managed network infrastructure, ASXs’ E2 network, that provides local and cross site redundancy as well as enhanced application delivery to the subscriber via network application switching technologies. This ASX network acts as a secure portal for the various VPN carriers that allow its customers a varying choice of connectivity methods for access to ASX content.

Within this delivery model, the ASX participates as a content provider. The VPN carrier networks themselves are delivered and managed by third parties who are responsible for installation, availability and the rectification of any issues within the VPNs. See diagram in Appendix 2 for overview.

Parties who connect for the purpose of gaining access to ASX services contract directly with the network provider for the delivery component of the service. A separate agreement for the right to receive and use the data is entered into directly with the ASX.

The following ASX systems and content is currently available over the VPN’s:

o CHESSo Market Information Products, including ComNews, MarketSource,

ReferencePoint, Signal B and the ASX24 ITC datafeed, o ASX Voicelineo External Technical Test Environments including:

o ASX Trade Participant Technical Environment(PTE) for functional testing only

o DCS Member Test Environment (MTE)o CHESS Test Environmento ASX Trade 24 Test Environments

The size of the VPN connection is dependent on the content the customer is subscribing to. The ASX has set minimum bandwidth requirements for the various services. This is shown in Appendix 1.

The supported VPN providers may also have additional non-ASX content available on their networks. This may allow subscribers to get multiple contents over one network connection providing economies of scale. If a customer subscribes to additional non-ASX content, the size of their connection will need to be scaled appropriately. It is important at all times to ensure that adequate bandwidth is allocated to ASX applications.

All potential subscribers to the above VPN options must consider the most appropriate means of connection into ASX services. The ASX has worked


with VPN providers to ensure that a range of redundant and non-redundant connectivity options is available.

In addition to the carrier networks mentioned in section 2 of this document, ASX also provides access to an Internet based VPN, iVPN, for limited purposes as outlined below. This can be used for accessing the ASX Trade Functional and ASX Trade24 Functional test environments; to subscribe to a limited number of Market Information products; and for CHESS connectivity in limited circumstances. DCS test environment connectivity is also available.

iVPN use for CHESS Production connectivity

Use of iVPN for CHESS connectivity is subject to the following conditions:

1. Primary Internet access is not allowed for Payment Providers or Registry participants.

2. ASX Account Participants that sponsor HIN’s only may use iVPN.

3. Primary Internet access may be approved for Clearing and / or Settlement Participants that settle less than 1% of market value and volume. Written applications for approval must provide details of back-up arrangements and the operational impacts on the Participant in the event internet services are unavailable for any reason. Applications should be addressed to the General Manager, Clearing and Settlement Operations and emailed to Market Access at the address below.

There may be situations where permission to use Internet VPN where a Participant with once less than 1% of volume and value has grown such that they are now above the threshold, or in the event that the Internet becomes unstable or has an increased threat of instability we may want to withdraw permission

4. Participants must upgrade to a VPN access service if directed to do so by ASX in the event that their activity exceeds the levels specified in condition 2 above.

5. All customers can establish Internet based CHESS access arrangements to meet their BCP requirements.

6. There may be situations where the above requirements cannot be met, these should be discussed with Market Access.

Further information is included in the CHESS External Interface Specification – section 10

iVPN use for ASX Trade test environments connectivity

If a customer wishes to use Internet VPN access for functionality testing for ASX Trade or ASX Trade24, a procedure document can be obtained from Market Access.


ASX Net use for connectivity to VPN Services

If a customer wishes to use ASX Net to access services delivered over VPN carriers details can be obtained from Market Access.

For further information regarding VPN access to ASX services please contact:

o Market Access 1800 663 053 [email protected]

2. Current ASX VPN ProvidersASX currently supports access via the following VPN providers. Diagrams showing client connection options are shown in appendix 2.

OptusProduct Name: eFinity (Not provisioning new services)

Connection Options: Frame relay with single router Frame relay, single router with ISDN back up Dual frame relay, dual router.

Primary Sales Contact – Marko Nakomcic Direct +612 8082 4135 ,Mobile +614020299 52

RadianzProduct Name: RadianzNet

Connection Options: Dual lines (Leased line – DDS), Dual POPs, Dual Dual lines (Leased line – DDS), Single POP, Dual Single line (Leased line – DDS), Single router

Primary Sales Contact- Adam Bradley; ph: +61 2 9269 1062 and +61 404 482 523.

TelstraProduct Name: IP Evo Network (formally ASX COIN)

Connection Options: Frame relay with single router Frame relay, single router with ISDN back up Dual frame relay, dual router Frame Relay and ISDN backup, dual router Telstra IP Evo ADSL/BDSL, single router

Primary Sales Contact – David Wilson; ph: +61 2 8576 3749 Mob+61 429 600 232.

IPC


mailto:[email protected]

Primary Sales Contact – Bryan Keough; ph: +61.2.9240.5500 and +61 411 10 6171

Internet based VPN’sProduct Name: iVPN

Subject to the conditions detailed in Section 1, ASX offers a VPN solution based on secure Internet connectivity. This service is accessible via an ISP connection of the subscriber’s choice. It requires the use of a Cisco 3000 VPN client running on a host computer. Current platforms tested are certain Windows versions, Solaris, Red Hat Linux and Macintosh.

All VPN connections are secured via triple DES encryption. Service levels are dependant on the contracted ISP access method; the ASX employs redundant VPN Concentrators and ISP links to ensure high availability within its delivery environment.

Connection Options:Customers choose how to connect to the public internet. These may include:

Dialup Internet ADSL Internet Cable Modem Internet Ethernet Internet Service Corporate Internet connection

For further information regarding iVPN access to ASX services please contact:

o Market Access 1800 663 053 [email protected]

3. ASX access into the VPN’sRedundant connection into the ASX primary and backup data centres is catered for within each VPN access method.

In the event of VPN link loss to the ASX production site, all production traffic will be redirected via alternate connections back to ASX production hosts. This mechanism is consistent across all available VPN access methods; the end subscriber is not required to perform any reconfiguration action in terms of target hosts etc within this failure scenario.

In the event of the loss of ASX production hosts, and in most cases the failover to alternate hosts is handled automatically via smart network application switching within the ASX network infrastructure and the customer does not have to connect to another IP address. There are very few systems that may require some manual process, these typically include the various application test systems and most of these do not have a backup system regardless. (customer target IP addresses are listed in appendix 3). The requirement to do this will be communicated at the time



by the relevant ASX business units where appropriate. Once connectivity has been automatically established, Signals users may enter their original username/password details and re-request data from the last sequence number. CHESS subscribers may establish a CHESS session in the usual manner.

In the event of loss of the primary data-centre, ASX technical staff will be required to perform certain reconfiguration activity within its processing environment, again where appropriate. However on all production systems the customer will connect to the same IP address as previous and re-enter login credentials.

Notification as to the availability of services following reconfiguration activity will be managed via the respective ASX business units.

4. Support Setup SupportAll installation and configuration requests for Carrier Based VPN, iVPN, and Internet connections are managed through Market Access (8am to 6pm Sydney time):

Market Access 1800 663 053 [email protected]

Individual Subscriber issuesIf a customer is having a problem with their ASX “content” over the VPN, the following process should be used:

Contact the relevant ASX Help Desk; this will determine if the problem is application or network related:

Market Access (ASX Trade Test, Market Information, ASX Trade 24 Test, ITC, etc ) 1800 663 053 [email protected]

Clearing & Settlement Operations 1800 814 051 [email protected]

If the problem is content or application related, the ASX will work with the customer to resolve the issue.

If the problem is network related, while the ASX will help facilitate the resolution of the issue, subscriber-end network issues need to be resolved between the customer and VPN provider.

If a customer receives content from multiple providers over their VPN connection and is having issues with all of their content, the customer should take this up directly with their VPN provider as it is highly probable that the issue is network related.





Support arrangements, contact numbers etc. should be obtained directly from the customer’s VPN providers.

Broader VPN issuesThe ASX has a regular review process with each VPN provider. The purpose of this meeting is to examine issues and discuss performance within each VPN environment.

The ASX will be informed of and will react to issues that affect the delivery of its services to its subscriber base- this will be addressed within the monthly review process and on an ad-hoc basis as required or as dictated by the severity of an event or outage.


5. SecurityThe ASX treats VPN’s as un-trusted environments and use firewalls, Network Address Translation (NAT), network application switching techniques such as server load balancing, and network switch policies as well as routing control policies to protect against unauthorized connections.

The basic rules employed are:

Only known Client source addresses (NATed addresses) can connect- all others are dropped.

Only known/valid ASX destination addresses are accepted. Tightly defined destination TCP/UDP ports only allowed, all other ports

are blocked.

Additional security is provided by the applications:

Client Usernames are tied to their source address. TCP ports are bound to the application.

IPSec is currently available across the public network (www) and also the ANNI network as part of its network architecture. IPSec is chosen as the framework of open standards for defining the rules for secure communications and due to the nature of the delivery mediums used in these two differing networks it is important that IPSec and associated set of rules defined by ASX be used between customer and ASX applications.

For internet VPN connections, security is provided by triple DES encryption coupled with application(s) security as mentioned above. VPN client software is also certificate-based (ASX managed).

The ASX strongly recommends that all Clients also treat any VPN as an untrusted environment and to protect themselves appropriately.


Appendix 1 – VPN services Bandwidth requirements:Service Name Bandwidt

h requirement (Kbps)

Prod / Test

Shared / Dedicated

Comment

Signal B 64Kbps Prod Shared

Can be shared with any other service of the same or greater bandwidth

MarketSource (Equities only or Derivatives only) 1024Kbps Prod Dedicated

Bandwidth must be added to current configuration

MarketSource (Equities and Derivatives) 2048Kbps Prod Dedicated

Bandwidth must be added to current configuration

ReferencePoint (old Signal E) 64Kbps Prod Shared


ComNews 256Kbps Prod DedicatedBandwidth must be added to current configuration

CHESS 64Kbps Prod Shared


ASX24 ITC Market Data feed (Futures markets) 512Kbps Prod Dedicated


Voiceline 64Kbps Prod Dedicated

Bandwidth must be added to current configuration or preferably a Voiceline PVC required

ASX Trade PTE 128Kbps Test Shared

Can be shared with any other service of the same or greater bandwidth.

ASX Trade 24 AOEI Functional Test 128Kbps Test Shared


ASX Trade 24 Upgraded AOEI Functional Test 128Kbps Test Shared

Can be shared with any other service of the same or greater bandwidth.

With the exception of Signal B and CHESS, combining any of the above services requires combining their respective bandwidth. Some examples are below (however production criticality of a service, must be taken into account):

Service combinations Minimum Bandwidth requirement (Kbps)

Comments

Signal B and CHESS 64 kbps 64 Both items can be shared

Signal B and MarketSource 1024 Although MP is dedicated, Signal B is low usage

ReferencePoint and ComNews 128 Reference point is low impact

Signal B, MarketSource, ReferencePoint and ComNews

1280 + Need next carrier available bandwidth.

MarketSource, and CHESS 1024


Appendix 2 – Network overviewThe following diagram shows the provides a basic overview of the ASX E2 VPN environments and the various associated VPN delivery infrastructures on offer by ASX itself and third party suppliers.


Appendix 3 - Server Configuration DetailsThe following table shows TCP/IP addressing and port numbers required for connections for the various services on offer via the ASX E2 VPN portal.

ASX Net services uses ASX’s public IP addresses (see Internet VPN column above)


Appendix 4 – VPN Setup Information Sheet:Please contact Market Access (1800 663 053 [email protected]) for any queries relating this form.

Below required information is to be completed and returned to ASX Market Access. The information provided will the assist the ASX in ensuring sufficient bandwidth is in place for your VPN set up and that the correct services are configured and delivered over your chosen VPN.

Note: Voiceline Subscribers see Appendix 6

Service(s) required:

New VPN service.

Change of service: ( Additional service. Removal of service.)

Live Services:

Signal B MarketSource (Equities Only) MarketSource (Equities and Derivatives ReferencePoint ComNews CHESS AIC: ____ ASX24 ITC Feed (Futures Market Data) Voiceline (See Appendix 6)

Test Services:

ASX Trade PTE FTE (Functional Technical Environment) ASX Trade PTE ETE (Enhanced Technical Environment) ASX Trade 24 FTE CHESS AIC: ________ DCS

Using the enclosed bandwidth table please calculate your required bandwidth:

Kbps. Please take into consideration which services require dedicated bandwidth and which services can be shared with greater or equal bandwidth (if unsure please contact ASX Market Access for assistance).

Service Provider details:

Please provide details of your chosen VPN service provider:

Radianz. Telstra (COIN). Optus Efinity. ASX Internet VPN (iVPN).

This will enable ASX Market Access to provide you any additional support documentation that will help you setup access to ASX services

Site configuration details:

IP Addressing details:

Please provide your VPN providers NAT address for your site. This includes internet static address for ASX iVPN services: . . . (This address is required to be provisioned on ASX servers and firewalls and is also required for fault finding purposes).

Please note any service access port numbers listed in Appendix 3 of the “ASX VPN ACCESS-Service Overview” customer information document will need to be provisioned through your sites firewalls.


Appendix 5 – iVPN Setup:Please contact Market Access (1800 663 053 [email protected]) for any queries relating the below form.

Ivpn.asx.com.au is the ASX’s Internet based VPN offering for the delivery of ASX information and services.ASX services via the ASX’s secure internet VPN include:

Live Services:

Signal B ReferencePoint ComNews CHESS AIC: _____ (See Notes) Voiceline (See Notes)

Notes: For Chess Production Services over iVPN (only available to Participants under limited circumstances), a formal application for approval by the General Manager, Clearing & Settlement Operations is required. The application is to be attached and returned to Market Access together with this Appendix and the Technical Access Agreement.

Voiceline is provided over the internet, not over iVPN. Voiceline Subscribers see Appendix 6

Test Services:

ASX Trade PTE (FTE) ASX Trade PTE (ETE) ASX Trade 24 FTE CHESS AIC: ______ DCS

This VPN service is administered and owned by the ASX. For customers wishing to connect to ivpn.asx.com.au all that is required is Internet access and a PC to run the Cisco VPN 3000 Client software. The Cisco VPN 3000 Client software can be downloaded from an ASX FTP link.

The client software will require the creation and permissioning of a digital certificate as per ASX Digital Certificate procedures.

Should you be running firewall software or a dedicated firewall you will only need to allow TCP port 10000.

To help assist us with your ivpn.asx.com.au activation please complete the below questionnaire and have the form returned to ASX Market Access ([email protected]). A procedure document detailing the Cisco installation process step by step can then be requested from Market Access.

VPN 3000 Client software and connectivity to ivpn.asx.com.au

Your company name

Technical contact details (Name, Email, and Phone numbers)Name: Email address: Contact numbers:

Which ASX service do you require to receive via the ivpn.asx.com.au network?

What type of Internet access do you currently have?

What is the speed of your Internet connection?


When calculating your requirements, please refer to the “ASX VPN Access-Service Overview” document available from ASXOnline or ASX Market Access.

What is the external IP address of your Internet access?i.e. the IP address facing the internet provider. Note: this must be a static address.

. . .

Will your Internet access be dedicated for ivpn.asx.com.au?Yes No

What operating system does the PC which will be running the Cisco VPN 3000 Client software use?

Are you running a firewall or firewall software between your Cisco VPN 3000 Client PC and the Internet?

Yes No


Appendix 6 – Voiceline Setup:Request Order Form from Market Access ([email protected])

Voiceline IP Streaming Customer Setup

Streaming Voiceline is a new service ASX offering to customers for the delivery of Company audio announcements. The service is administered, owned by ASX and is offered over ASX approved VPN providers and the internet. Its delivery uses audio streaming technology over TCP/IP and requires the installation of a hardware decoder device at the customer premise.

When ordering the service following must be taken into consideration:

If using a currently approved ASX VPN service, note that the hardware decoder device requires an Ethernet connection to receive the audio stream, but the output is via standard 3.5mm Audio out connection or RCA stereo line-out connection.

If using a currently approved ASX VPN service, the bandwidth required for Voiceline (64Kbps) must be added to your currently provisioned bandwidth.

If ordering a new ADSL service for Voiceline, a static IP address must be requested.

Port forwarding to decoder device for UDP port 5555 must be enabled on the ADSL modem.

If running firewall software or a dedicated firewall, you will need to allow UDP 5555 inbound and UDP 4444 outbound.

Any new ADSL service dedicated to Voiceline should be installed near to where your Voiceline P.A. equipment is located.

As the service is delivered over TCP/IP, if you are using an existing ASX VPN provider or and existing internet connection, there must be Ethernet connectivity to where the Voiceline P.A. equipment is located.

To assist with your voiceline activation please complete one of the following forms based on your choice of network connection. Once this form has been completed, please return to ASX Market Access at [email protected]

What type of network connection will you use to receive Voiceline?

Internet connection – Use Form 1 – Voiceline over Internet Connection ASX VPN service - Use Form 2 – Voiceline over VPN Service


Form 1 – Voiceline over Internet ConnectionUse this form if you wish to use an existing Internet connection for Voiceline. The decoder device should be connected in the DMZ on the inside of the customer Internet environment. The device that terminates the Internet connection will need inbound port forwarding to the decoder and an outbound rule to connect to Voiceline. The Internet connection must have a static IP address to receive the Voiceline IP stream. The diagram shows the basic setup. The numbers correspond with the questions below.

Diagram: Voiceline setup over the Internet

1. Company Details:Name: Address:

2. Technical Contacts:Name: Name: Email: Email: Phone: Phone:

3. Site Location (Details of where the decoder will be installed)Address: Floor: Cabinet:

4. Is the Internet connection new or existing? If new the following questions will have to be answered after the installation.

New Internet Connection Existing Internet Connection


Decoder

Exstreamer connected into DMZ

To customers

P.A.

Voiceline Internet Scenario

InternetRouter / Modem/

Firewall

Port Forward or NAT required on

customer’s internet Router/Modem

Port Forwarding required on customer’s Internet device:

Inbound port forwardsource 203.15.147.69 UDP port any -> dest <customer Public IP address> UDP port 5555

must be forwarded as:

source 203.15.147.69 UDP port any -> dest <customer Private IP address> UDP port 5555

Outbound rulesource <customer Private IP address> UDP port any -> dest 203.15.147.69 UDP port 4444

DMZ

Internet

5 6

7

5. What is the external IP address of your Internet connection? This is the static address facing the Internet. See 5.on the diagram above.

. . .

6. What is the internal IP address of your Internet on the DMZ? i.e. the gateway address to reach the Internet. This must be on the same IP subnet as the decoder. See 6. on the diagram above.

. . .

7. What will be the internal IP address allocated to the Voiceline decoder hardware device on the DMZ? This must be on the same IP subnet as the Internet Device (in question 6). See 7.on the diagram above.

. . .

8. Will your Internet access be dedicated for Streaming Voiceline?Yes No

9. What is the speed of your Internet connection?

10. Who is your Internet carrier?

11. Is there a UTP Ethernet connection available where the decoder device will be located? This must be patched through to the Internet DMZ

Yes No

12. Can the decoder device be located near your Voiceline P.A. equipment and what is the distance between the two?

Yes No Mtrs.

13. Has the port forwarding work been scheduled? What date will it be completed by?

Yes No Date:

14. Do you currently have Voiceline? If so what Telstra line numbers do you have for all of your sites (line numbers are of the form NxxxxxxxP)

Yes No Line Numbers:


Form 2 – Voiceline over VPN ServiceUse this form if you wish to use a new VPN Service for Voiceline. The decoder device should be connected in the DMZ on the inside of the customer’s VPN environment. The carrier’s router will need inbound port forwarding configuring to allow connection to Voiceline. The diagram shows the basic setup. The numbers correspond with the questions below.

Diagram: Voiceline setup over VPN

1. Company Details:Name: Address:

2. Technical Contacts:Name: Name: Email: Email: Phone: Phone:

3. Site Location (Details of where the decoder will be installed)Address: Floor: Cabinet:

4. Is the VPN service new or existing? If new the following questions will have to be answered after the installation.

New VPN Service Existing VPN Service


Decoder

Exstreamer connected into Carrier DMZ

To customers

P.A.

Voiceline VPN Scenario

VPN NetworkCarrier Router

Port Forwarding required on Carrier’s

VPN Router

Port Forwarding required on carrier’s router:

Inbound port forwardsource 203.4.179.169 UDP port any -> dest <customer Public IP address> UDP port 5555

must be forwarded as:

source 203.4.179.169 UDP port any -> dest <customer Private IP address> UDP port 5555

DMZ5 6

7

5. What is the external IP address of your VPN? This is the IP address that you are seen as by the ASX. In the case of Radianz, they will allocate a new NAT address. See 5. on the diagram above.

. . .

6. What is the internal IP address of the VPN router? Ie. the gateway address to reach the VPN. This must be on the same IP subnet as the decoder. See 6. on the diagram above.

. . .

7. What will be the internal IP address allocated to the Voiceline decoder hardware device on the DMZ? This must be on the same IP subnet as the internal address of the VPN router (in question 6). See 7. on the diagram above.

. . .

8. Will your VPN be dedicated for Voiceline?Yes No

9. What is the speed of your current VPN?

10. Who is your VPN carrier?

11. Is there a UTP Ethernet connection available where the decoder device will be located? This must be patched through to the VPN DMZ

Yes No

12. Can the decoder device be located near your Voiceline P.A. equipment and what is the distance between the two?

Yes No Mtrs.

13. Have you contacted the carrier and requested subscription to Voiceline? What date will it be completed by?

Yes No Date:

14. Do you currently have Voiceline? If so, what Telstra line numbers do you have for all of your sites (line numbers are of the form NxxxxxxxP)

Yes No Line Numbers:


ASX VPN Service Guide - Dashboard · Web viewASX VPN Access – Service Overview Version 1.3 Date:...

Documents

Transcript of ASX VPN Service Guide - Dashboard · Web viewASX VPN Access – Service Overview Version 1.3 Date:...