CU*BASE GOLD requires that the following networks be routed to the CU*Answers CU*NextNET connection:
  • For all CU*Answers privately routed networks below, all ports/services should be allowed outbound from the LAN
  • Required for standard Production connectivity:
    • 63.236.240.16/28
    • 63.236.240.48/28
    • 63.236.240.79/32
    • 63.236.240.128/29
    • 63.236.240.138/32
    • 63.236.240.144/28
  • Required for HA/Disaster Recovery connectivity:
    • 216.111.149.8/30
    • 216.111.149.16/28
    • 216.111.149.240/28
    • 66.115.246.224/27
  • In addition to the routes above, self-processors must route the following to CU*Answers:
    • 63.236.240.89/32
    • 63.150.21.192/27
    • 10.10.1.0/24
  • The following 3 IP addresses need to be routed out to the Internet to allow the CU*Answers CU*NextNET router to establish VPNs to the CU*Answers head-end routers:
    • 63.236.240.42
    • 216.111.149.124
    • 66.115.246.17
  • Additionally, you will need to allow the following ports and protocols through your firewall to and from the above 3 IP addresses. This will permit the CU*Answers CU*NextNET router to establish VPNs to the CU*Answers head-end routers:
    • UDP/500
    • UDP/4500
    • IP Protocol 47 (GRE / Generic Routing Encapsulation)
    • IP Protocol 50 (ESP / IPSec)
  • Finally, the following websites/domains should be allowed through any proxy filters or website blacklists:
    • *.cuasterisk.com
    • *.cuanswers.com
    • *.cubase.org
    • *.xtendcu.com
    • *.xtendcle.com
    • *.itsme247.com
    • *.edoclogic.com
    • *.lendervp.com
    • *.cuatv.com
    • *.cu-northwest.com
    • *.cusouth.com
    • *.cusecure.org
    • *.createacreditunion.com
    • *.gividends.com
    • *.retailerdirectloans.com
    • *.cupublisher.com
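
As an added example (not CU*Answers' own tooling), the routing requirements above can be audited against a routing table with a longest-prefix-match check, which also catches a summary route that pulls a VPN head-end address into the NextNET path instead of out to the Internet. The route tables and the next-hop labels "nextnet" and "internet" are constructed for illustration; self-processor prefixes are left out and can be added to REQUIRED.

```python
import ipaddress

# Prefixes copied from the list above; each must be routed to the NextNET router.
REQUIRED = {
    "production": ["63.236.240.16/28", "63.236.240.48/28", "63.236.240.79/32",
                   "63.236.240.128/29", "63.236.240.138/32", "63.236.240.144/28"],
    "ha_dr": ["216.111.149.8/30", "216.111.149.16/28", "216.111.149.240/28",
              "66.115.246.224/27"],
}
# VPN head-end addresses from the list above; these must go out to the Internet.
HEAD_ENDS = ["63.236.240.42", "216.111.149.124", "66.115.246.17"]


def next_hop(routes, target):
    """Longest-prefix match: next hop of the most specific route covering target."""
    net = ipaddress.ip_network(target)
    covering = [(ipaddress.ip_network(p), hop) for p, hop in routes
                if net.subnet_of(ipaddress.ip_network(p))]
    if not covering:
        return None
    return max(covering, key=lambda r: r[0].prefixlen)[1]


def audit(routes, nextnet="nextnet", internet="internet"):
    """Return (kind, group, target, actual_hop) findings; an empty list means OK.
    Limitation: a more specific route inside a required prefix is not detected."""
    findings = []
    for group, prefixes in REQUIRED.items():
        for prefix in prefixes:
            hop = next_hop(routes, prefix)
            if hop != nextnet:
                findings.append(("not-routed-to-nextnet", group, prefix, hop))
    for addr in HEAD_ENDS:
        hop = next_hop(routes, addr)
        if hop != internet:
            findings.append(("head-end-not-via-internet", "vpn", addr, hop))
    return findings


# Constructed table 1: one static route per required prefix plus a default route.
EXACT_ROUTES = [("0.0.0.0/0", "internet")] + [
    (p, "nextnet") for group in REQUIRED.values() for p in group]
# Constructed table 2: /24 summaries that swallow two head-end addresses
# and omit the 66.115.246.224/27 HA/DR network.
SUMMARISED_ROUTES = [("0.0.0.0/0", "internet"),
                     ("63.236.240.0/24", "nextnet"),
                     ("216.111.149.0/24", "nextnet")]

if __name__ == "__main__":
    for finding in audit(SUMMARISED_ROUTES):
        print(finding)
```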
What if I want to place the CU*Answers NextNET connection in a DMZ?

It is possible to place the CU*Answers NextNET connection in a DMZ.  All of the routing requirements above must be met in order to ensure CU*BASE will work without issue.  If the GUAPPLE and/or iSweep appliances are not in the same DMZ as the CU*Answers Cisco router, you must ensure that inbound access from the router to the GUAPPLE and/or iSweep is allowed on all ports.

What if we use a GUAPPLE, iSweep, or Gweep?

All of the routing requirements above must be met first.  The GUAPPLE, iSweep, and Gweep appliances have additional requirements.  Please refer to these articles for more information: