Setting up a secure Client Hosted Referral Trak Server
This document describes the recommended practice for hosting a Referral Trak server on a customer's own network (on-site colocation).
The Referral Trak server runs its own host-based firewall. We built the system this way so that, if a client does not have a DMZ, the Referral Trak
server is **already** protecting itself.
Customers that wish to protect the rest of their network should follow the guidelines below:
1. Install the Referral Trak server on your DMZ network. The DMZ is either the third interface on your firewall or the network segment between your firewall and your screening
router.
2. (Optional) Filter ALL incoming traffic to the Referral Trak server except traffic from the Richweb NOC IP ranges:
63.90.9.0/24
208.73.136.0/23
3. That keeps everyone in the world except Richweb from
communicating with the server. Apply this filter on your screening
router or on the inbound side of the DMZ interface of your firewall.
4. Filter ALL traffic that originates from the Referral Trak server and is inbound
to your inside network. That keeps the server from contacting anything on your network. You should still allow return traffic from the Referral Trak server for sessions that ORIGINATED on your inside network; this is the reply traffic for the http/https requests your users make for Referral Trak pages and resources. On a stateful firewall this is the usual "established/related" rule, so no separate inbound exception is needed for it.
5. We need these ports open from our IP ranges INBOUND (from our NOC to the
server):
tcp/22 (ssh)
tcp/80 (http)
tcp/443 (https)
icmp types 0, 3, 4, 8, 11, 12 (echo reply, destination unreachable, source quench, echo request, time exceeded, parameter problem)
In addition to the inbound filters above, you will also want to allow
the Referral Trak server to:
make OUTBOUND ftp connections to the same Richweb NOC IP ranges listed above. These
connections are used to transmit encoded data files back to Bankers
Insurance, which allow them to analyze referrals made for their products, if
you have BI integration.
6. If you have selected the database backup option, your Referral Trak server also needs to make ftp connections from the DMZ INBOUND to a server
on your network where it pushes database backups. This is the one exception to the filter in step 4; restrict it to that single backup host.
For the ftp transfers the server needs:
OUTBOUND connections to tcp port 21 (to the RW NOC IP ranges, and to your backup host if used).
OUTBOUND connections to tcp ports 21000-21499.
RW configures our ftp daemons to use ports 21000 through 21499 for PASV mode
ftp data connections. In PASV mode the data connection is opened by the client (here the Referral Trak server) toward the ftp server, which is why these are outbound connections on the server's side.
If you are using a Windows-based ftp server for the backups you can do the same, but you
will have to edit the metabase (if using IIS); other ftp products
have some sort of PASV port range configuration tool.
7. The Referral Trak server also needs to be able to make outbound tcp port 80 (http) connections to fetch updates. You should allow outbound DNS traffic from the Referral Trak server as well. Either allow udp/53 and tcp/53 outbound globally, or restrict these DNS protocols to the Richweb NOC IP ranges (where the Richweb DNS servers are located). The restricted option is the tighter of the two and is preferred if your firewall supports it.
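The following is an added example, not part of this document and not Richweb's own tooling. It models steps 1 through 7 as one forward-chain policy a practitioner can test against, and renders the same policy as an nftables ruleset for a Linux firewall that routes between the DMZ and the inside network. The server address 192.0.2.10, the inside network 10.0.0.0/8 and the backup ftp host 10.0.5.20 are placeholders; the NOC ranges, ports and ICMP types are the ones listed above, and the stricter DNS option from step 7 is taken.

```python
"""Policy model + nftables rendering for a client-hosted Referral Trak DMZ.

Added example, not Richweb's own tooling.  Placeholder addresses (assumed):
  RT_SERVER  192.0.2.10   DMZ address of the Referral Trak server
  INSIDE_NET 10.0.0.0/8   the customer's inside network
  BACKUP_FTP 10.0.5.20    the customer's ftp server that receives DB backups
The NOC ranges, ports and ICMP types are the ones the document lists.
"""
import ipaddress
from dataclasses import dataclass

NOC_NETS = [ipaddress.ip_network(n) for n in ("63.90.9.0/24", "208.73.136.0/23")]
RT_SERVER = ipaddress.ip_address("192.0.2.10")      # assumed placeholder
INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")      # assumed placeholder
BACKUP_FTP = ipaddress.ip_address("10.0.5.20")       # assumed placeholder

NOC_INBOUND_TCP = {22, 80, 443}            # step 5
NOC_INBOUND_ICMP = {0, 3, 4, 8, 11, 12}    # step 5
PASV_PORTS = range(21000, 21500)           # step 6: 21000 thru 21499
RESTRICT_DNS_TO_NOC = True                 # the stricter of the two step 7 options


def in_noc(ip):
    return any(ip in net for net in NOC_NETS)


def ftp_port(port):
    """ftp control (21) or a PASV data port in the Richweb range."""
    return port == 21 or port in PASV_PORTS


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: int = 0
    icmp_type: int = -1
    established: bool = False   # reply inside a session the firewall already allowed


def decide(p):
    """Return "accept" or "drop" for a packet crossing the DMZ firewall."""
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    if p.established:                       # step 4: return traffic of allowed sessions
        return "accept"
    if dst == RT_SERVER:                    # traffic INTO the DMZ host
        if src in INSIDE_NET:               # step 4: inside users browse the RT pages
            return "accept" if p.proto == "tcp" and p.dport in (80, 443) else "drop"
        if not in_noc(src):                 # steps 2/3: only the Richweb NOC may reach it
            return "drop"
        if p.proto == "tcp" and p.dport in NOC_INBOUND_TCP:
            return "accept"
        if p.proto == "icmp" and p.icmp_type in NOC_INBOUND_ICMP:
            return "accept"
        return "drop"
    if src == RT_SERVER:                    # traffic the DMZ host originates
        if dst in INSIDE_NET:               # step 4, with the step 6 backup exception
            ok = dst == BACKUP_FTP and p.proto == "tcp" and ftp_port(p.dport)
            return "accept" if ok else "drop"
        if in_noc(dst) and p.proto == "tcp" and ftp_port(p.dport):
            return "accept"                 # steps 5/6: BI data files via ftp + PASV
        if p.proto in ("udp", "tcp") and p.dport == 53:       # step 7: DNS
            return "accept" if in_noc(dst) or not RESTRICT_DNS_TO_NOC else "drop"
        if p.proto == "tcp" and p.dport == 80:                # step 7: updates
            return "accept"
        return "drop"
    return "drop"                           # nothing else belongs on the DMZ segment


def render_nft():
    """Render the same policy as an nftables ruleset (load with: nft -f rt-dmz.nft)."""
    noc = ", ".join(str(n) for n in NOC_NETS)
    tcp_in = ", ".join(str(p) for p in sorted(NOC_INBOUND_TCP))
    icmp_in = ", ".join(str(t) for t in sorted(NOC_INBOUND_ICMP))
    ftp = f"21, {PASV_PORTS.start}-{PASV_PORTS.stop - 1}"
    dns_dst = "ip daddr @noc " if RESTRICT_DNS_TO_NOC else ""
    return f"""table inet rt_dmz {{
  set noc {{ type ipv4_addr; flags interval; elements = {{ {noc} }} }}
  chain forward {{
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # inbound to the Referral Trak server (steps 2-5)
    ip daddr {RT_SERVER} ip saddr {INSIDE_NET} tcp dport {{ 80, 443 }} accept
    ip daddr {RT_SERVER} ip saddr @noc tcp dport {{ {tcp_in} }} accept
    ip daddr {RT_SERVER} ip saddr @noc icmp type {{ {icmp_in} }} accept
    # originated by the Referral Trak server (steps 4-7)
    ip saddr {RT_SERVER} ip daddr {BACKUP_FTP} tcp dport {{ {ftp} }} accept
    ip saddr {RT_SERVER} ip daddr {INSIDE_NET} drop
    ip saddr {RT_SERVER} ip daddr @noc tcp dport {{ {ftp} }} accept
    ip saddr {RT_SERVER} {dns_dst}udp dport 53 accept
    ip saddr {RT_SERVER} {dns_dst}tcp dport 53 accept
    ip saddr {RT_SERVER} tcp dport 80 accept
  }}
}}
"""


if __name__ == "__main__":
    print(render_nft())
```

The rule order matters: the backup-host exception sits before the blanket "server to inside network: drop", and the default policy of the chain is drop, so anything not listed (for example the server opening tcp/445 to a file server on the inside) is refused. Check a rendered ruleset with `nft -c -f rt-dmz.nft` before loading it, and remember that the Richweb NOC ranges and port numbers above are the ones to confirm with Richweb before deployment.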