Background: 

要求

只有滿足下列所有條件才能共享實物安全設備：

a) 參與使用者屬�同一實體；或雖屬�不同實體但身份信息相同（出生日期、國籍、法定居住國家、身份文件類型與號碼、美國公民和居民的社會安全號碼）。 

b) 參與使用者當前沒有臨時安全設備（臨時碼、在線安全代碼卡）。

c) 必須共享具有最高保護等級的實物設備。如果所有設備保護等級一樣，則可任選一個。您可根據下表檢查自己設備的安全等級：

安全等級	設備名稱	設備圖像
最高	數碼安全卡+（DSC+）
最低	安全代碼卡（SLS卡）

 

 

操作步驟：

1. 確定保護等級最高的設備和設備所屬的使用者。我們稱該等使用者為設備所有者

2. 用提出請求的使用者（不是設備所有者）登錄客戶端

3. 點擊左上方的菜單圖標，然後依次點擊設置>使用者設置

6. 輸入在第1條中確定的設備所有者的登錄信息，然後點擊繼續

 

8. 檢查輸入的信息是否正確，然後點擊繼續 

 

9. 系統會顯示共享請求的狀態（詳情請見注意事項a.）。點擊確認完成操作

注意事項：

a. 大多數情況下，您的共享請求都會自動立即獲批、處理並實施。如果需要您的合規部門批准，在批准完成前，請求會保持待定狀態。

c. 下方為最常見的錯誤信息及其原因：

- 設備安全等級低：如果請求共享的設備安全等級相對更低，便會出現此錯誤提示。請選擇安全等級最高的設備進行共享。

 參考文章：

• 安全登錄系統概述：KB1131或ibkr.com/sls 
• 多重雙因素驗證系統（M2FS）：KB2895
• 如何在多個使用者之間共享安全登錄設備：KB2481
• 如何在退出後重新加入安全登錄系統：KB2545
• 退出安全登錄系統後的安全考慮：KB1198
• 安全設備是否收取任何費用？KB1861
• 如何排除客戶端登錄故障：KB1132
• 如何排除交易平臺登錄故障：KB1133

• Client Portal
• TWS
• IBKR Mobile - iOS
• IBKR Mobile - Android

Client Portal

1. Click on "Didn't receive a security code?"

2. From the two options, select "Voice" and wait for the callback.

3. After selecting Voice, you should receive the callback within a minute. Please wait for the callback and be ready to write down the code that will be provided over the callback.

TWS

1. Click on "Request new Security Code"

2. From the two options, select "Voice" and click on OK. Then wait for the callback.

 3. After selecting Voice, you should receive the callback within a minute. Please wait for the callback and be ready to write down the code that will be provided over the callback.

Note: Voice callback for the TWS is only available in the LATEST and BETA version.

IBKR Mobile - iOS

1. Click on "Request New Code"

2. From the two options, select "Voice" and wait for the callback.

 3. After selecting Voice, you should receive the callback within a minute. Please wait for the callback and be ready to write down the code that will be provided over the callback.

IBKR Mobile - Android

1. Click on "Request New Security Code"

2. From the two options, select "Voice" and wait for the callback.

 3. After selecting Voice, you should receive the callback within a minute. Please wait for the callback and be ready to write down the code that will be provided over the callback.

References:

• How to login using SMS authentication
• Overview of Secure Login System
• Information and procedures related to Security Devices
• IBKR Mobile Authentication

Table of contents

Configuration instructions

1. Can the TWS / IB Gateway operate through a Proxy server, and how?
   
2. If I use a SOCKS Proxy server, do I need to configure the TWS / IB Gateway?
3. If I use a SOCKS Proxy server, do I need to configure the client machines where TWS / IB Gateway runs?
4. If I use a Web (HTTP) Proxy server, do I need to configure the TWS / IB Gateway?
   
5. What alternatives do I have in case I cannot implement a proxy solution on my network?

Common issues

6. Your computer is set up to use a Proxy, but there is no actual Proxy running on the network

7. You are using Public proxies and proxy chains to hide your presence or identity

Technical Background

8. What is a Proxy server?
9. Which types of Proxy servers are commonly used and where?

Configuration instructions

1. Can the TWS / IB Gateway operate through a Proxy?

Upon start-up and during the run-time, the TWS / IB Gateway must establish and maintain direct network connections to our gateways and market data servers¹. Such connections are created from random local TCP ports (above 1024) and are directed to TCP ports 4000 and TCP 4001.  Since those are not HTTP connections, they cannot be serviced by a Web (HTTP) Proxy. They can only be serviced by a SOCKS Proxy.

From within the TWS interface, you can access several external services, such as IBKR Client Portal, Statements, Contract details, Bond Search, etc. Those services, being web-based, can be accessed through a Web (HTTP) Proxy (see section 6 for details and configuration) or through a SOCKS Proxy (see sections 4. and 5. for details and configuration). 

2. If I use a SOCKS Proxy server, do I need to configure the TWS / IB Gateway?

The TWS / IB Gateway does not contemplate an option for SOCKS proxy forwarding. Therefore, it does not have a place where an explicit SOCKS Proxy host/port can be configured. This does not mean that the TWS / IB Gateway cannot work with a Proxy. It simply means that the TWS / IB Gateway is unaware of the underlying SOCKS proxy setup (proxy-agnostic).

Important Note: While it is impossible for us to determine whether a Proxy is enabled on your network, we assure you that all IBKR platforms, including the TWS, do not impact nor influence your network configuration.

3. If I use a SOCKS Proxy server, do I need to configure the client machines where TWS / IB Gateway runs?

The connections started by the TWS / IB Gateway can be redirected to a SOCKS (Application) Proxy through a specific client machine setup. We mention some of them below. Please note that the final decision is yours and none of the below suggestions can be recommended by us as best adapted to your setup and requirements.

3a. Using a Proxy Client software installed on the client machine where TWS / IB Gateway is running

With this setup, the Proxy client will intercept the connections (not only HTTP but for other ports as well) initiated by the TWS / IB Gateway and redirect them to a SOCKS proxy server. The typical benefits of a transparent proxy include a standard enterprise configuration where all clients routed to the Internet will always be filtered and protected no matter what the end users do, or change, on their machines and the added benefit of reduction in typical user’s client-proxy configuration troubleshooting.

3b. Using a so-called Proxifier

This configuration is very similar to the one at point 5a with the only difference that the Proxifier software can be set to redirect to a Proxy all the requests started by a specific process (e.g., C:\Jts\tws.exe; C:\JTS\ibgateway\XYZ\ibgateway.exe), hence instating a process level packet forwarding instead of a port level forwarding. This setup allows handling environments where different proxy servers are used for different applications or where you would like to address a specific application requirement without modifying/disrupting the connectivity schema for other software installed. The advantage of this solution is minimal maintenance since the connectivity schema is bound to the process and not to the hosts/ports.

3c. Using specific network routing on a client machine

With this setup, you can modify the client machine standard network routes, adding new ones in order to forward packets with specific destinations (e.g., Order routing and Market Data servers¹) to a different gateway.
This gateway will then be in charge of routing those requests to the destination hosts. This solution has as well the benefit of not modifying/disrupting the connectivity schema for other software installed but usually requires more maintenance on the gateway and on the client machine in case the IP of the destination servers are changed or in case new servers are added.

4. If I use a Web (HTTP) Proxy server, do I need to configure the TWS / IB Gateway?

If the Workstations on your local network access the Web content through a Web (HTTP) Proxy, you need to specify the Web Proxy IP Address and port. To do this, click More Options at the bottom of the TWS Login Screen, and enter your Proxy server details in the fields Host and Port (see Figure 1 below). The same fields are present in the IB Gateway Login Screen.

Figure 1.

The Web Proxy you set there will ONLY be used to fetch the web content accessible from within the TWS (e.g., Client Portal, Statements, Product Details, etc.)

5. What alternatives do I have in case I cannot implement a proxy solution on my network?
In this case, you might orient yourself towards a different type of access to the IBKR infrastructure, which includes a special connection type and a FIX/CTCI engine setup. This setup would, on the other hand, have different requirements in terms of commissions².  

Common Issues

6. What happens if the proxy configuration on your computer is wrong or outdated?

Occasionally, third-party software, even if already uninstalled, may leave behind a SOCKS proxy configuration on your computer. This may also happen if your computer has been infected with malware. In such cases, the proxy server, although configured, is non-existent or not accessible on the network. In such scenarios, the TWS will show an error message (e.g., No Internet Connectivity) and/or start the "Connection attempt #" loop upon login. The same will happen if the Proxy server exists, but has not been correctly configured on the client machines.

6a. How can I correct the proxy configuration if wrong?

When applicable, we recommend you always consult the IT / Networking team of your company first and ask for guidance.

If you are autonomously managing your network, please follow the instructions below according to the Operating System of your machine/s:

Windows

W.1 Press CTRL+S to open the Windows search

W.2 Type Proxy Settings and press Enter

W.3 If no Proxy is present on your network, make sure the switch "Use a proxy server" is deactivated (see Figure 2 below). If a Proxy server is active on your network, make sure the Address (or hostname) and Port are correctly defined.

Figure 2.

Mac

M.1 Click on the Apple icon at the top left corner of the screen and select System Preferences

M.2 Click on Network

M.3 Select the Network connection you are using to access the Internet (e.g. Wi-Fi) and click on it

M.4 Click on the Advanced button and then on the Proxies tab

5. If no proxy is present on your network, make sure all the checkboxes (SOCKS Proxy, Web Proxy, Secure Web Proxy) are deactivated (see Figure 3 below). If a Proxy is present on your network, ensure the Protocol, Address (or hostname) and Port are correct.

Figure 3.

7. You are using Public proxies and proxy chains to hide your presence or identity

There are public proxy and proxy chain services purposed to disguise or hide the identity and the activity of the subscriber or to bypass regional restrictions. One of the most famous services is the "Tor" network.

While those services may not necessarily be used for criminal purposes, they render subscriber traceability very difficult when not impossible. Since IBKR is obliged by the financial industry regulators to maintain records of trading activities and trade initiators, we do not allow our clients to reach our systems while using an anonymizing service. If you are using such a service, your TWS connection attempts will be automatically rejected by our gateways.

Technical Background

8. What is a Proxy Server?

A proxy server usually acts as a gateway and as a barrier between your local network and the Internet. The proxy listens for outgoing connection requests from the internal workstation/s and forwards them to the desired target host or service on the Internet. When the target replies to such requests, the proxy routes the incoming responses back to the internal workstation/s that initiated the process.

Being the proxy, the only machine of your network actually accessing the Internet, it prevents the other machines and the internal segment of your network (LAN) from being accessible by external actors and hence from being exposed to threats and intrusion attempts.

Additionally, a proxy server can offer a variety of other services, such as web content caching and filtering.

9. Which types of Proxy servers are commonly used and where?

Proxy servers are commonly found within enterprise-grade networks. In the vast majority of cases, proxies are not used by individuals since private broadband connections are established through consumer-grade routers that already offer built-in proxy/firewall solutions. An exception is represented by public proxy or proxy chains discussed in detail in the section You are using Public proxies and proxy chains to hide your presence or identity

There are two main types of Proxy servers:

9a. Web (HTTP) Proxies

The HTTP (Hypertext Transfer Protocol) defines the rules and the standards for fetching Web content from a Web server and rendering such content on your Web Browser.

A Web Proxy handles only the routing of HTTP requests and HTTP responses. Those requests are transparently generated and sent by your browser whenever you access a Web page.  Such requests are normally sent using specific ports (TCP 80 and TCP 443). Hence a Web Proxy usually listens for outgoing HTTP requests coming from your internal network (LAN) only on the TCP ports mentioned above.

9b. SOCKS Proxies

SOCKS (Socket Secure) Proxies are designed to handle any type of traffic (not only HTTP/S traffic), generated by any protocol or program (including Trader Workstation).

Notes

1. More information about the servers accessed by the TWS is available in IBKB2816.

2. For an overview of the different special connection options and related requirements, please click here.
For an overview of the FIX infrastructure, please click here.

1. Activate the IBKR Mobile Authentication (IB Key) as 2-Factor security device

In order to be independent of wireless/phone carrier-related issues and have a steady delivery of all IBKR messages we recommend to activate the IBKR Mobile Authentication (IB Key) on your smartphone.

The smartphone authentication with IB Key provided by our IBKR Mobile app serves as a 2-Factor security device, thereby eliminating the need to receive authentication codes via SMS when logging in to your IBKR account. 

Our IBKR Mobile app is currently supported on smartphones running either Android or iOS operating system. The installation, activation, and operating instructions can be found here:

Android: KB2277
iOS: KB2278

2. Restart your phone:

Power your device down completely and turn it back on. Usually this should be sufficient for text messages to start coming through. 

Please note that in some cases, such as roaming outside of your carrier's coverage (when abroad) you might not receive all messages.

3. Use Voice callback

If you do not receive your login authentication code after restarting your phone, you may select 'Voice' instead. You will then receive your login authentication code via an automated callback. Further instructions on how to use Voice callback can be found in IBKB 3396.

4. Check whether your phone carrier is blocking the SMS from IBKR

Some phone carriers automatically block IBKR text messages, as they are wrongly recognized as spam or undesirable content. According to your region, those are the services you can contact to check if a SMS filter is in place for your phone number:

In the US:

• All carriers: Federal Trade Commission Registry
• T-Mobile: Message Blocking settings are available on T-Mobile web site or directly on the T-Mobile app

In India:

• All carriers: Telecom Regulatory Authority of India

In China:

• Call your phone carrier directly to check whether they are blocking IBKR messages

References:

• How to login using SMS authentication
• Overview of Secure Login System
• Information and procedures related to Security Devices
• IBKR Mobile Authentication