CU*BASE GOLD requires that the following networks be routed to the CU*Answers CU*NextNET connection:
- For all CU*Answers privately routed networks below, all ports/services should be allowed outbound from the LAN
- Required for standard Production connectivity:
- 63.150.21.96/27
- 63.236.240.16/28
- 63.236.240.48/28
- 63.236.240.79/32
- 63.236.240.128/29
- 63.236.240.138/32
- 63.236.240.144/28
- Required for HA/Disaster Recovery connectivity:
- 216.111.149.8/30
- 216.111.149.16/28
- 216.111.149.240/28
- 66.115.246.224/27
- In addition to the routes above, self-processors must route the following to CU*Answers:
- 63.236.240.89/32
- 63.150.21.192/27
- 10.10.1.0/24
- The following 3 IP addresses need to be routed out to the Internet to allow the CU*Answers CU*NextNET router to establish VPNs to the CU*Answers head-end routers:
- 63.236.240.42
- 216.111.149.124
- 66.115.246.17
- Additionally, you will need to allow the following ports and protocols through your firewall to and from the above 3 IP addresses. This will permit the CU*Answers CU*NextNET router to establish VPNs to the CU*Answers head-end routers:
- UDP/500
- UDP/4500
- IP Protocol 47 (GRE / Generic Routing Encapsulation)
- IP Protocol 50 (ESP / IPSec)
- Finally, the following websites/domains should be allowed through any proxy filters or website blacklists:
- *.cuasterisk.com
- *.cuanswers.com
- *.cubase.org
- *.xtendcu.com
- *.xtendcle.com
- *.itsme247.com
- *.edoclogic.com
- *.lendervp.com
- *.cuatv.com
- *.cu-northwest.com
- *.cusouth.com
- *.cusecure.org
- *.createacreditunion.com
- *.gividends.com
- *.retailerdirectloans.com
- *.cupublisher.com
What if I want to place the CU*Answers NextNET connection in a DMZ?
It is possible to place the CU*Answers NextNET connection in a DMZ. All of the routing requirements above must be met in order to ensure CU*BASE will work without issue. If the GUAPPLE and/or iSweep appliances are not in the same DMZ as the CU*Answers Cisco router, you must ensure that inbound access from the router to the GUAPPLE and/or iSweep is allowed on all ports.
What if we use a GUAPPLE, iSweep, or Gweep?
All of the routing above needs to be met first. The GUAPPLE, iSweep, and Gweep appliances have other requirements. Please refer to these articles for more information: