Server Inbound/Outbound Connections Required to Install and Run AlgoTrader

The server on which AlgoTrader runs, needs to be installed/run should be allowed to initialize connections to anywhere on the internet to be able to

• Install the application (download artifacts etc.)
• Run the application (connect to exchanges/brokers, validate licenses etc.)

Inbound Access to AlgoTrader should be allowed at least for the ports below from any IP that needs to be able to access AlgoTrader (API access and/or browser connection).

A standard (authenticated/secured) server application will require

• 443 HTTPS, Browser access (via SSL)
• 61613 TCP/STOMP, Secure WebSocket Port
• 8444 HTTPS, KeyCloack auth (via SSL)
• 3000 HTTPS, Grafana dashboards browser access

API access:

• FIX: 9880 TCP, FIX API (note: TLS-secured API uses the same port unless configured differently)

On premises installation for running/backtesting quant strategies also requires (authenticated/secured access):

• 61618 TCP, ActiveMQ Secure Stomp Port
• 1198 TCP, RMI Service Port
• 1199 TCP, RMI Remote Port

A local strategy development environment will also require

• 3306 TCP, MySQL Database
• 8086 TCP, InfluxDB Database

For distributed strategy usage, Hazelcast cluster members must see each other's subnets (meaning any port should be accessible for them i.e., a VPN needs to be set up or all ports opened).

Outbound Access: 

To start the application the next outbound rules should be in place

Artifact repository

In case of dockerized application: 

• docker.algotrader.com 443
• hub.docker.com 443

or for the standalone installer

• https://repo.algotrader.com 443
• https://repo.maven.apache.org 443

To run AlgoTrader, we'll also need access to

• https://api.keygen.sh 443
• https://license.algotrader.com/ 443

We could list the outbound IPs required to operate AlgoTrader but when it comes to exchange/broker connectivity, it is out of our control and they could easily change their IPs, so please validate with the relavant venues and allow outbound access accordingly.

Note that some venues require whitelisting on the IPs that are allowed to access the API.

Machines that are running an actual browser running the AT front end, make sure you also allow access to

Trading View

• https://s.tradingview.com 443
• https://s3.tradingview.com 443
• https://pushstream.tradingview.com 443
• https://widgetdata.tradingview.com 443

UI Customer experience data: to gather customer experience data either through fullstory.com or hotjar.com following URLs need to be whitelisted:

1. *.fullstory.com 443
2. *.hotjar.com 443

Alternatively the precise, non-wildcard URLs below can be whitelisted:

1. edge.fullstory.com 443
2. rs.fullstory.com 443
3. static.hotjar.com 443
4. script.hotjar.com 443
5. vars.hotjar.com 443
6. in.hotjar.com 443
7. ws48.hotjar.com 443

Note that neither of those tools will start scraping customer experience automatically - this needs to be configured in the Wyden configuration (app ids need to be configured - you can have your own app Id if you want to maintain full privacy. Either way, the scraped data is anonymized and sensitive data is being masked before being sent to either fullstory or hotjar).