Background: 

Voraussetzungen

Physische Sicherheitsgeräte können nur dann geteilt werden, wenn ALLE nachstehenden Bedingungen berücksichtigt werden:

a) Die teilnehmenden Benutzer gehören entweder zu derselben Körperschaft oder anderen Körperschaften, die jedoch dieselben Identifikationsdaten aufweisen müssen (Geburtsdatum, Staatsbürgerschaft, Land des rechtmäßigen Wohnsitzes, Art des Identifikationsnachweises und Identifikationsnummer bzw. Sozialversicherungsnummer für US-Bürger und in den USA ansässige Personen). 

b) Derzeit ist den teilnehmenden Benutzern KEIN vorübergehendes Sicherheitsgerät (vorübergehender Code, Online-Sicherheitscodekarte) zugeteilt.

c) Das physische Gerät, das den meisten Schutz gewährt, muss geteilt werden. Für den Fall, dass alle Geräte dasselbe Maß an Schutz bieten, sollte das Gerät verwendet werden, das alle anderen Bedingungen erfüllt. In der nachstehenden Tabelle ist das Schutzniveau aller Geräte aufgeführt:

Schutzniveau	Gerätename	Bild zum Gerät
Höchster Schutz	Digitale Sicherheitskarte+ (DSC+)
Geringster Schutz	Sicherheitscodekarte (SLS-Karte)

 

 

Schritte:

1. Wählen Sie aus den möglichen Kandidaten das Gerät aus, das den meisten Schutz bietet und den Benutzer, dem das Gerät gehört. Wir werden diesen Benutzer Geräteinhaber nennen.

2. Loggen Sie sich in Ihr Client Portal mittels Ihres beantragenden Benutzers ein (NICHT mittels des Benutzers des Geräteinhabers).

3. Klicken Sie auf das Menü-Symbol oben links und wählen Sie "Einstellungen" und danach Benutzereinstellungen
aus.

6. Geben Sie die Logindaten des Geräteinhabers ein, den Sie bei Punkt 1 bestimmt haben und klicken Sie auf Weiter.

 

8. Sobald Sie die Richtigkeit der eingegebenen Informationen überprüft haben, klicken Sie auf Weiter.

 

9. Das System wird den Status Ihres Antrags anzeigen (siehe Hinweis a. für Details). Klicken Sie auf OK, um den Vorgang abzuschließen.

HINWEISE:

a. In den meisten Fällen wird Ihr Antrag automatisch und umgehend genehmigt, bearbeitet und aktiviert. Für den Fall, dass die Genehmigung durch unsere Compliance-Abteilung erforderlich ist, bleibt Ihr Antrag im Status "Ausstehend", bis dieser Schritt abgeschlossen wurde.

c. Nachstehend finden Sie die häufigsten Fehlermeldungen und deren Ursachen:

- Less secure device (weniger sicheres Gerät): Dieser Fehler wird angezeigt, wenn Sie das weniger sichere Sicherheitsgerät für die gemeinsame Nutzung ausgewählt haben. Bitte wählen Sie das sicherste Gerät aus und teilen Sie dieses.

 Referenzmaterial:

• Übersicht zum Secure-Login-System: KB1131 oder ibkr.com/sls 
• Multiples Zwei-Faktor-System (M2FS): KB2895
• Anweisungen zur gemeinsamen Nutzung des Sicherheitsgeräts zwischen zwei oder mehreren Benutzern: KB2481
• Anmeldung zum Secure-Login-System: KB2545
• Sicherheitserwägungen nach einer Abmeldung vom SLS: KB1198
• Informationen zu Gebühren bzw. Kosten im Zusammenhang mit Sicherheitsgeräten. KB1861
• Problembehandlung wenn Sie sich nicht ins Client Portal einloggen können: KB1132
• Problembehandlung wenn Sie sich in keine Handelsplattform einloggen können: KB1133

• Client Portal
• TWS
• IBKR Mobile - iOS
• IBKR Mobile - Android

Client Portal

1. Click on "Didn't receive a security code?"

2. From the two options, select "Voice" and wait for the callback.

3. After selecting Voice, you should receive the callback within a minute. Please wait for the callback and be ready to write down the code that will be provided over the callback.

TWS

1. Click on "Request new Security Code"

2. From the two options, select "Voice" and click on OK. Then wait for the callback.

 3. After selecting Voice, you should receive the callback within a minute. Please wait for the callback and be ready to write down the code that will be provided over the callback.

Note: Voice callback for the TWS is only available in the LATEST and BETA version.

IBKR Mobile - iOS

1. Click on "Request New Code"

2. From the two options, select "Voice" and wait for the callback.

 3. After selecting Voice, you should receive the callback within a minute. Please wait for the callback and be ready to write down the code that will be provided over the callback.

IBKR Mobile - Android

1. Click on "Request New Security Code"

2. From the two options, select "Voice" and wait for the callback.

 3. After selecting Voice, you should receive the callback within a minute. Please wait for the callback and be ready to write down the code that will be provided over the callback.

References:

• How to login using SMS authentication
• Overview of Secure Login System
• Information and procedures related to Security Devices
• IBKR Mobile Authentication

Table of contents

Configuration instructions

1. Can the TWS / IB Gateway operate through a Proxy server, and how?
   
2. If I use a SOCKS Proxy server, do I need to configure the TWS / IB Gateway?
3. If I use a SOCKS Proxy server, do I need to configure the client machines where TWS / IB Gateway runs?
4. If I use a Web (HTTP) Proxy server, do I need to configure the TWS / IB Gateway?
   
5. What alternatives do I have in case I cannot implement a proxy solution on my network?

Common issues

6. Your computer is set up to use a Proxy, but there is no actual Proxy running on the network

7. You are using Public proxies and proxy chains to hide your presence or identity

Technical Background

8. What is a Proxy server?
9. Which types of Proxy servers are commonly used and where?

Configuration instructions

1. Can the TWS / IB Gateway operate through a Proxy?

Upon start-up and during the run-time, the TWS / IB Gateway must establish and maintain direct network connections to our gateways and market data servers¹. Such connections are created from random local TCP ports (above 1024) and are directed to TCP ports 4000 and TCP 4001.  Since those are not HTTP connections, they cannot be serviced by a Web (HTTP) Proxy. They can only be serviced by a SOCKS Proxy.

From within the TWS interface, you can access several external services, such as IBKR Client Portal, Statements, Contract details, Bond Search, etc. Those services, being web-based, can be accessed through a Web (HTTP) Proxy (see section 6 for details and configuration) or through a SOCKS Proxy (see sections 4. and 5. for details and configuration). 

2. If I use a SOCKS Proxy server, do I need to configure the TWS / IB Gateway?

The TWS / IB Gateway does not contemplate an option for SOCKS proxy forwarding. Therefore, it does not have a place where an explicit SOCKS Proxy host/port can be configured. This does not mean that the TWS / IB Gateway cannot work with a Proxy. It simply means that the TWS / IB Gateway is unaware of the underlying SOCKS proxy setup (proxy-agnostic).

Important Note: While it is impossible for us to determine whether a Proxy is enabled on your network, we assure you that all IBKR platforms, including the TWS, do not impact nor influence your network configuration.

3. If I use a SOCKS Proxy server, do I need to configure the client machines where TWS / IB Gateway runs?

The connections started by the TWS / IB Gateway can be redirected to a SOCKS (Application) Proxy through a specific client machine setup. We mention some of them below. Please note that the final decision is yours and none of the below suggestions can be recommended by us as best adapted to your setup and requirements.

3a. Using a Proxy Client software installed on the client machine where TWS / IB Gateway is running

With this setup, the Proxy client will intercept the connections (not only HTTP but for other ports as well) initiated by the TWS / IB Gateway and redirect them to a SOCKS proxy server. The typical benefits of a transparent proxy include a standard enterprise configuration where all clients routed to the Internet will always be filtered and protected no matter what the end users do, or change, on their machines and the added benefit of reduction in typical user’s client-proxy configuration troubleshooting.

3b. Using a so-called Proxifier

This configuration is very similar to the one at point 5a with the only difference that the Proxifier software can be set to redirect to a Proxy all the requests started by a specific process (e.g., C:\Jts\tws.exe; C:\JTS\ibgateway\XYZ\ibgateway.exe), hence instating a process level packet forwarding instead of a port level forwarding. This setup allows handling environments where different proxy servers are used for different applications or where you would like to address a specific application requirement without modifying/disrupting the connectivity schema for other software installed. The advantage of this solution is minimal maintenance since the connectivity schema is bound to the process and not to the hosts/ports.

3c. Using specific network routing on a client machine

With this setup, you can modify the client machine standard network routes, adding new ones in order to forward packets with specific destinations (e.g., Order routing and Market Data servers¹) to a different gateway.
This gateway will then be in charge of routing those requests to the destination hosts. This solution has as well the benefit of not modifying/disrupting the connectivity schema for other software installed but usually requires more maintenance on the gateway and on the client machine in case the IP of the destination servers are changed or in case new servers are added.

4. If I use a Web (HTTP) Proxy server, do I need to configure the TWS / IB Gateway?

If the Workstations on your local network access the Web content through a Web (HTTP) Proxy, you need to specify the Web Proxy IP Address and port. To do this, click More Options at the bottom of the TWS Login Screen, and enter your Proxy server details in the fields Host and Port (see Figure 1 below). The same fields are present in the IB Gateway Login Screen.

Figure 1.

The Web Proxy you set there will ONLY be used to fetch the web content accessible from within the TWS (e.g., Client Portal, Statements, Product Details, etc.)

5. What alternatives do I have in case I cannot implement a proxy solution on my network?
In this case, you might orient yourself towards a different type of access to the IBKR infrastructure, which includes a special connection type and a FIX/CTCI engine setup. This setup would, on the other hand, have different requirements in terms of commissions².  

Common Issues

6. What happens if the proxy configuration on your computer is wrong or outdated?

Occasionally, third-party software, even if already uninstalled, may leave behind a SOCKS proxy configuration on your computer. This may also happen if your computer has been infected with malware. In such cases, the proxy server, although configured, is non-existent or not accessible on the network. In such scenarios, the TWS will show an error message (e.g., No Internet Connectivity) and/or start the "Connection attempt #" loop upon login. The same will happen if the Proxy server exists, but has not been correctly configured on the client machines.

6a. How can I correct the proxy configuration if wrong?

When applicable, we recommend you always consult the IT / Networking team of your company first and ask for guidance.

If you are autonomously managing your network, please follow the instructions below according to the Operating System of your machine/s:

Windows

W.1 Press CTRL+S to open the Windows search

W.2 Type Proxy Settings and press Enter

W.3 If no Proxy is present on your network, make sure the switch "Use a proxy server" is deactivated (see Figure 2 below). If a Proxy server is active on your network, make sure the Address (or hostname) and Port are correctly defined.

Figure 2.

Mac

M.1 Click on the Apple icon at the top left corner of the screen and select System Preferences

M.2 Click on Network

M.3 Select the Network connection you are using to access the Internet (e.g. Wi-Fi) and click on it

M.4 Click on the Advanced button and then on the Proxies tab

5. If no proxy is present on your network, make sure all the checkboxes (SOCKS Proxy, Web Proxy, Secure Web Proxy) are deactivated (see Figure 3 below). If a Proxy is present on your network, ensure the Protocol, Address (or hostname) and Port are correct.

Figure 3.

7. You are using Public proxies and proxy chains to hide your presence or identity

There are public proxy and proxy chain services purposed to disguise or hide the identity and the activity of the subscriber or to bypass regional restrictions. One of the most famous services is the "Tor" network.

While those services may not necessarily be used for criminal purposes, they render subscriber traceability very difficult when not impossible. Since IBKR is obliged by the financial industry regulators to maintain records of trading activities and trade initiators, we do not allow our clients to reach our systems while using an anonymizing service. If you are using such a service, your TWS connection attempts will be automatically rejected by our gateways.

Technical Background

8. What is a Proxy Server?

A proxy server usually acts as a gateway and as a barrier between your local network and the Internet. The proxy listens for outgoing connection requests from the internal workstation/s and forwards them to the desired target host or service on the Internet. When the target replies to such requests, the proxy routes the incoming responses back to the internal workstation/s that initiated the process.

Being the proxy, the only machine of your network actually accessing the Internet, it prevents the other machines and the internal segment of your network (LAN) from being accessible by external actors and hence from being exposed to threats and intrusion attempts.

Additionally, a proxy server can offer a variety of other services, such as web content caching and filtering.

9. Which types of Proxy servers are commonly used and where?

Proxy servers are commonly found within enterprise-grade networks. In the vast majority of cases, proxies are not used by individuals since private broadband connections are established through consumer-grade routers that already offer built-in proxy/firewall solutions. An exception is represented by public proxy or proxy chains discussed in detail in the section You are using Public proxies and proxy chains to hide your presence or identity

There are two main types of Proxy servers:

9a. Web (HTTP) Proxies

The HTTP (Hypertext Transfer Protocol) defines the rules and the standards for fetching Web content from a Web server and rendering such content on your Web Browser.

A Web Proxy handles only the routing of HTTP requests and HTTP responses. Those requests are transparently generated and sent by your browser whenever you access a Web page.  Such requests are normally sent using specific ports (TCP 80 and TCP 443). Hence a Web Proxy usually listens for outgoing HTTP requests coming from your internal network (LAN) only on the TCP ports mentioned above.

9b. SOCKS Proxies

SOCKS (Socket Secure) Proxies are designed to handle any type of traffic (not only HTTP/S traffic), generated by any protocol or program (including Trader Workstation).

Notes

1. More information about the servers accessed by the TWS is available in IBKB2816.

2. For an overview of the different special connection options and related requirements, please click here.
For an overview of the FIX infrastructure, please click here.

1. Activate the IBKR Mobile Authentication (IB Key) as 2-Factor security device

In order to be independent of wireless/phone carrier-related issues and have a steady delivery of all IBKR messages we recommend to activate the IBKR Mobile Authentication (IB Key) on your smartphone.

The smartphone authentication with IB Key provided by our IBKR Mobile app serves as a 2-Factor security device, thereby eliminating the need to receive authentication codes via SMS when logging in to your IBKR account. 

Our IBKR Mobile app is currently supported on smartphones running either Android or iOS operating system. The installation, activation, and operating instructions can be found here:

Android: KB2277
iOS: KB2278

2. Restart your phone:

Power your device down completely and turn it back on. Usually this should be sufficient for text messages to start coming through. 

Please note that in some cases, such as roaming outside of your carrier's coverage (when abroad) you might not receive all messages.

3. Use Voice callback

If you do not receive your login authentication code after restarting your phone, you may select 'Voice' instead. You will then receive your login authentication code via an automated callback. Further instructions on how to use Voice callback can be found in IBKB 3396.

4. Check whether your phone carrier is blocking the SMS from IBKR

Some phone carriers automatically block IBKR text messages, as they are wrongly recognized as spam or undesirable content. According to your region, those are the services you can contact to check if a SMS filter is in place for your phone number:

In the US:

• All carriers: Federal Trade Commission Registry
• T-Mobile: Message Blocking settings are available on T-Mobile web site or directly on the T-Mobile app

In India:

• All carriers: Telecom Regulatory Authority of India

In China:

• Call your phone carrier directly to check whether they are blocking IBKR messages

References:

• How to login using SMS authentication
• Overview of Secure Login System
• Information and procedures related to Security Devices
• IBKR Mobile Authentication