General Requirements
CU*BASE GOLD, CBX, and the associated CU*Asterisk software suite (Station Control, ProDOC, SearchLink, etc.) require that the following networks be routed to the CU*Answers CU*Asterisk network (typically via a CU*Answers Cisco router):
- For all CU*Answers privately routed networks below, all ports/services should be allowed outbound from any device accessing CU*BASE or CBX.
- Required for standard Production connectivity:
  - 63.150.21.96/27
  - 63.236.240.16/28
  - 63.236.240.48/28
  - 63.236.240.79/32
  - 63.236.240.128/29
  - 63.236.240.138/32
  - 63.236.240.142/32
  - 63.236.240.144/28
- Required for HA/Disaster Recovery connectivity:
  - 216.111.149.8/30
  - 216.111.149.16/28
  - 216.111.149.240/28
  - 66.115.246.224/27
- The following 3 IP addresses need to be routed out to the Internet to allow the CU*Answers router to establish VPNs to the CU*Answers head-end routers:
  - 63.236.240.42
  - 216.111.149.124
  - 66.115.246.17
- Additionally, you will need to allow the following ports and protocols through your firewall to and from the above 3 IP addresses. This will permit the CU*Answers router to establish VPNs to the CU*Answers head-end routers:
  - UDP/500
  - UDP/4500
  - IP Protocol 50 (ESP / IPSec)
- Finally, the following websites/domains should be allowed through any proxy filters and website blacklists, or explicitly whitelisted. This includes GeoIP lists, DNS filtering services (such as Cisco Umbrella), and SSL/TLS deep packet inspection (SSLDPI):
  - *.cuasterisk.com
  - *.cuanswers.com
  - *.cubase.org
  - *.xtendcu.com
  - *.xtendcle.com
  - *.itsme247.com
  - *.edoclogic.com
  - *.lendervp.com
  - *.cuatv.com
  - *.cu-northwest.com
  - *.cusouth.com
  - *.cusecure.org
  - *.createacreditunion.com
  - *.gividends.com
  - *.retailerdirectloans.com
  - *.cupublisher.com
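As an added example (not CU*Answers' own tooling), the following Python checker encodes the outbound requirements above and reports which of them a candidate firewall policy fails to permit. The policy it tests is constructed to show two common omissions: the HA/DR ranges, and ESP, which is an IP protocol rather than a port and so is not covered by a UDP-only rule.

```python
import ipaddress

# Outbound reachability the document requires, as (destination, protocol, port).
# port None means every port; "esp" is IP protocol 50, which carries no port.
PRODUCTION = ["63.150.21.96/27", "63.236.240.16/28", "63.236.240.48/28",
              "63.236.240.79/32", "63.236.240.128/29", "63.236.240.138/32",
              "63.236.240.142/32", "63.236.240.144/28"]
HA_DR = ["216.111.149.8/30", "216.111.149.16/28", "216.111.149.240/28",
         "66.115.246.224/27"]
VPN_HEAD_ENDS = ["63.236.240.42", "216.111.149.124", "66.115.246.17"]

def required_flows():
    """Expand the document's lists into individual (dst, proto, port) needs."""
    flows = [(net, "any", None) for net in PRODUCTION + HA_DR]
    for ip in VPN_HEAD_ENDS:  # IKE, NAT-T and ESP to each head-end router
        flows += [(ip, "udp", 500), (ip, "udp", 4500), (ip, "esp", None)]
    return flows

def rule_covers(rule, flow):
    """rule = (dst_network, proto, tuple of permitted ports or None for all)."""
    dst, proto, port = flow
    r_dst, r_proto, r_ports = rule
    if not ipaddress.ip_network(dst, strict=False).subnet_of(
            ipaddress.ip_network(r_dst, strict=False)):
        return False
    if r_proto not in ("any", proto):   # a UDP-only rule never covers ESP
        return False
    if r_ports is None:                 # rule permits every port
        return True
    if port is None:                    # flow needs every port, rule is limited
        return False
    return port in r_ports

def missing_flows(rules):
    """Return the required flows that no rule in the policy permits."""
    return [f for f in required_flows()
            if not any(rule_covers(r, f) for r in rules)]

# Constructed policy: the 63.236.240.0/24 block and production /27 opened fully,
# VPN peers opened for UDP 500/4500 only (ESP forgotten), HA/DR ranges omitted.
EXAMPLE_POLICY = [
    ("63.236.240.0/24", "any", None),
    ("63.150.21.96/27", "any", None),
    ("63.236.240.42/32", "udp", (500, 4500)),
    ("216.111.149.124/32", "udp", (500, 4500)),
    ("66.115.246.17/32", "udp", (500, 4500)),
]
for dst, proto, port in missing_flows(EXAMPLE_POLICY):
    print(f"NOT PERMITTED: {dst} {proto} {'all ports' if port is None else port}")
```

The rule format is a simplification; translating a real vendor policy into (destination, protocol, ports) tuples is left to the reader.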
DNS considerations
All CU*BASE GOLD and CBX connections should be set to use a fully qualified domain name (FQDN) instead of an IP address. This will allow for faster and more reliable High Availability and Disaster Recovery failovers. To better handle this, CU*Answers maintains its own DNS server for all of its important domain names. When CU*Answers rolls to its HA or DR sites, it updates the DNS entry for the CU*Asterisk servers to point to the new location. CU*BASE GOLD, CBX, and other applications may encounter connectivity issues if a credit union is hosting its own copy of the cubase.org zone or is not properly forwarding requests to the CU*Answers DNS server. For this reason, it is extremely important that DNS be configured properly at the credit union.
If a credit union is hosting its own DNS internally, 63.236.240.134 and 216.111.149.251 should be added as conditional DNS forwarders for all of the wildcard domains listed above. If the credit union does not host its own DNS, it is strongly recommended that the DNS hosting application be configured to query the CU*Answers DNS servers for CU*Asterisk related domains.
What if I want to place the CU*Answers Cisco Router in a DMZ?
It is possible to place the CU*Asterisk connection in a DMZ. All of the routing requirements above must be met in order to ensure CU*BASE will work without issue. If the GUAPPLE and/or iSweep appliances are not in the same DMZ as the CU*Answers Cisco router, you must ensure that inbound access from the router to the GUAPPLE and/or iSweep is allowed on all ports.
What if we use a GUAPPLE?
These requirements must be met for each location utilizing a GUAPPLE. One GUAPPLE is required at each branch location; GUAPPLEs cannot be shared between locations. For each GUAPPLE, the following network requirements must be met:
- Each GUAPPLE requires a static IP address on the network
- All CU*Answers routing requirements must be met (listed above)
- The GUAPPLE must have the following outbound access:
  - Access to all CU*Answers privately routed networks (listed above) on all ports
  - Access to ubuntu.com and all subdomains on ports 21 (FTP), 80 (HTTP), and 443 (HTTPS)
    - Used for security updates
- The GUAPPLE must have the following inbound access:
  - Access from all CU*Answers privately routed networks (listed above) on all ports
  - Access from all LAN subnets on all ports
    - (Note: The GUAPPLE does not reach out to workstations. The workstations reach in to the GUAPPLE.)
What if we use an iSweep?
These requirements must be met for each location utilizing an iSweep. One iSweep is required at each branch location; iSweeps cannot be shared between locations. For each iSweep, the following network requirements must be met:
- Each iSweep requires a static IP address on the network
- All CU*Answers routing requirements must be met (listed above)
- The iSweep must have the following outbound access:
  - Access to all CU*Answers privately routed networks (listed above) on all ports
  - Access to idocvault.cuanswers.com and idocvault02.cuanswers.com on ports 80 (HTTP) and 443 (HTTPS)
  - Access to eupdate.cuanswers.com on port 20212 (TCP)
  - Access to microsoft.com domains (*.microsoft.com) on ports 80 (HTTP) and 443 (HTTPS)
    - Used for security updates
  - Access to rmm.cuanswers.com on port 5721 (TCP & UDP)
  - Access to the following TrendMicro destination network:
    - 150.70.0.0/16
    - If your firewall supports it, use the TrendMicro dynamic groups to allow outbound access for updates
- The iSweep must have the following inbound access:
  - Access from all CU*BASE privately routed networks (listed above) on all ports
  - Access from all LAN subnets on all ports
    - (Note: The iSweep does not reach out to workstations. The workstations reach in to the iSweep.)
What if I want to place the iSweep and GUAPPLE in a DMZ?
It is recommended that you place the iSweep and GUAPPLE on your local network to allow for an easier connection from your workstations to the file shares on the unit. However, it is possible to place the iSweep and GUAPPLE in a DMZ for additional security if you would like. All of the client workstations need to be able to communicate with the iSweep and GUAPPLE, and CU*Answers will need access to the iSweep and GUAPPLE from its privately routed networks. If the CU*Answers Cisco router is on a different subnet than the iSweep, GUAPPLE, and client workstations, access from the router will also be needed.
What if we use a Gweep?
A "Gweep" is a combination of a GUAPPLE and an iSweep. The base unit is identical to an iSweep, and it runs a Windows localized version of the GUAPPLE components, eliminating the need for two physical units. The network requirements for the Gweep are identical to that of the iSweep and the GUAPPLE combined. Please review the above sections and ensure that the requirements for both GUAPPLE and iSweep are met.