IPC Agility 3.

Introduction
IPC Agility is a Transformational Application Platform designed to work with Unigy and Connexus to
provide our customers with more flexibility with reduced risk.
IPC Agility is the direct result of IPC’s continued “API First” philosophy to enable open platforms, new
paradigms and drive efficiencies.
IPC Agility enables the power of containerized or virtualized applications and tools that can be
deployed in parallel with Unigy. This segregation reduces development and deployment times while
ensuring stability of the trading system.
Supported by Connexus Cloud, IPC Agility can also enable services across IPC’s wide eco-system of
Partners and expansive community.
By its architecture, the IPC Agility instance provides:
• Automated installation and upgrade of the application running on the instance
• On-demand application deployment
• Multiple layers of resiliency (physical and software) to offer High Availability
• Capacity to scale up and down easily to adjust on the load
• High level of security with latest software / tailored OS / embedded firewall / HTTPS communication through
proxy with Connexus Cloud/ Secured Communications.
• Log monitoring, alerting and analyzing by IPC Operations

IPC has developed a set of applications, running on IPC Agility, to provide new services to the
customers:
- Control and Oversight Services
o Single Click Deployer (SCD) - Unigy Trading system deployment and software upgrade automation
o Log Forwarding (Unigy and IPC Agility logs) to monitor in real time the IPC Agility instance /
applications and improve Unigy troubleshooting
o Network Diagnostic Tool (NDT) – Unigy Network prerequisites testing tool (port / protocols /
bandwidth …)
o Automatic Health Check Dashboard – Unigy Trading Environment daily health check
o Recording Check – Daily Voice Recording Check
- Unigy Soft Client
- Mobile Client
- Real Time Audio Gateway (RTAG) – API to access to End points audio source for speech to text translation.
- Blue Wave Micro Services which replace the Blue Wave deployed on Unigy zones.

In order to take advantage of the applications/services listed above the Agility platform must have
B2B (“machine to machine”) connectivity back to the IPC AIM infrastructure. Please note that this is
different and distinct from traditional remote access. In the case of the latter the customer can still
determine what type of remote access is aligned with their Corporate security standards. Ie: Full
remote access, Customer managed on demand remote access or no remote access. A “no remote

© Copyright 2023 IPC Systems, Inc. All rights reserved. IPC proprietary information 1
access” policy will have significant implications on day 2 support. Please see the IPC remote access
policy document for more details.

IPC Agility infrastructure overview

IPC Agility infrastructure is composed of:
- Hypervisor: Hypervisor software creates and runs virtual machines (VMs). A hypervisor allows one host
computer to support multiple guest VMs by virtually sharing its resources, such as memory and processing.
Provided either by IPC or the customer.
- Red Hat Enterprise Linux (RHEL 7.9) Virtual Machines: VMs that run the Red Hat Linux-based operating
system which manage the Kubernetes/Docker containerization layer. Provided and supported by IPC.
- Kubernetes and Docker:
o Kubernetes (K8s): Kubernetes is used as the orchestrator of the containerization infrastructure.
Kubernetes allows you to supervise the number of containers to deploy. Kubernetes keeps the
system stable and resilient by managing the instance's high availability.
o Docker: Docker is used as the containerization engine that allows you to run the containers.
Both Kubernetes and Docker are provided and supported by IPC.

Agility has been designed to optimize the delivery of new services to our customers, facilitate and
accelerate maintenance processes - which include application upgrades, system diagnostics and
second day support.
With-in IPC’s data center fabric exists a centralized Agility Infrastructure Management (AIM) platform
that enable these processes.

© Copyright 2023 IPC Systems, Inc. All rights reserved. IPC proprietary information 2
The AIM platform is connected to the ecosystem of Agility platforms through an HTTPS connectivity.
Thus, providing a highly secure communication path through either the Internet or via the IPC private
Connexus Cloud.
The IPC created Internet tunnel(s) may not be approved by our customer’s security team since some
clients may need to have control of the data transiting though the tunnel and on the technology used
for creating the secure tunnels.
Without the connection to IPC’s AIM platform, day 2 support processes are more complex and time
consuming.
IPC’s goal is to understand our customers concerns and requirements and provide enhanced
solutions that meet and exceed their expiations.
To that end, the Agility architecture continues to evolve to facilitate the necessary communications
between the Agility instances deployed in the customers infrastructure and the AIM deployed across
IPC global datacenter fabric.
The HTTPS B2B (“machine to machine”) outbound connectivity, in Agility version 3.1, should simplify
the Customer security approval process.
Flows include:
- Log forwarding
- On-demand log forwarding
- Agility application upgrades
- Agility application configuration updates
- Operating System patching
- Unigy ISO download for SCD (Single Click Deployer)
- Agility Core upgrade

As noted above, sessions established by the clients Agility platforms, deployed on premise, to the
AIM platform deployed throughout IPC’s global datacenter fabric, can be provided via Internet or
Connexus Cloud.
This will provide the following advantages:
- Use a standard protocol to get more easily approval from customer’s security team
- Remove the need of a VPN which could be a blocker for some of the customers
- Ability to integrate with the customer HTTPS proxy to perform packet inspection (which is
mandatory for some customer for external flows)
- Facilitate and accelerate the installation and deployment
- Access to new features for customer who refused ION VPN solution.
- Security of the customer data with encrypted flows through HTTPS

Agility 3.1 new features

Agility Architecture evolution phase 2
IPC Agility version 3.0 has introduced the replacement of ION v2 VPN connection by a full standard
HTTPS B2B outbound communication, between the Agility platform deployed on premise and the IPC
Agility Infrastructure Management, for the applications management.

© Copyright 2023 IPC Systems, Inc. All rights reserved. IPC proprietary information 3
IPC Agility version 3.1 finalizes this architecture evolution by leveraging the HTTPS communication
for the Agility Core upgrade.
As a reminder, the HTTPS connection can be established either directly or through a HTTP proxy
provided by the customer. When using a proxy offering decryption capability, the customer can also
perform packet inspection of all the data transiting between IPC and the Agility deployed on premise.
The HTTPS connection can be established through Internet or through IPC provided Private
Connexus network.
To control the establishment of the HTTPS connectivity, the customer has access to a new web
interface: Agility Local Management (more details are provided in the next section).
The customer must provide their DNS server IP to allow the resolution of the public URL of AIM.
Here is the list of URLs (and ports) that need to be reachable
Service Host Name via Connexus IP TCP DNS on Internet Test Command
Ports
(Agility)

Artifactory ffdctnoctoolsartifactory.ipc.com 104.254.178.128 443 amer-srep.aim.ipc.com curl -v https://AMER-

srep.aim.ipc.com:443

Gitea ffdctnoctoolsgitea.ipc.com 104.254.178.129 443 amer-cfgs.aim.ipc.com curl -v https://AMER-

cfgs.aim.ipc.com:443

Splunk splunk-lm-01.ipc.com 104.254.178.135 8089 amer-mlic.aim.ipc.com curl -v https://AMER-

License mlic.aim.ipc.com:8089
Server

Splunk fdctnoctoolssplunkds1.ipc.com 104.254.178.130 8089 amer-mdep.aim.ipc.com curl -v https://AMER-

Deployment mdep.aim.ipc.com:8089
Server

Splunk ffdctnoctoolssplunkfwd3.ipc.com 104.254.178.133 9997, amer-ifwd.aim.ipc.com curl -v https://AMER-

Intermediate 8088 ifwd.aim.ipc.com:9997
Forwarder 3

Ad-hoc ffdctnocadhoc 104.254.178.136 443 amer-mdmd.aim.ipc.com curl -v https://AMER-

mdmd.aim.ipc.com:443

IPC Agility version 3.1 will not have the ION v2 Virtual Machine deployed anymore. The connection to
IPC AIM will no longer be possible through ION v2. Customers that upgrade to Agility 3.1 will need to
reconfigure the platform to transition from ION v2 "B2B” connectivity to HTTPS.
For remote access purpose, please refer to the ION v2 End of Life announcement on IPC Exchange
portal.

Agility Local Management

© Copyright 2023 IPC Systems, Inc. All rights reserved. IPC proprietary information 4
With Agility 3.1, a new web interface is exposed to the customer. This interface will allow the
customer to control the HTTPS connectivity back to IPC for the 3 following features:
- Applications updates (configuration changes / applications version upgrade)
- Core upgrade and OS patches
- IPC Observability (Unigy and Agility whitelist log forwarding for troubleshooting)

Only the customer administrator will have access to this web interface on their local network. To
connect to it, the user will have to use their Active Directory credentials.
Customer will have the possibility to manage access privileges by allowing specific Groups (CN) in
the right DN (Distinguished name).

Design / Sizing

IPC in concordance with the customer will define the right architecture to fit the customer
requirements in term of High Availability and number of end users.

IPC Agility need to be designed following these rules:

1. At least 1 IPC Agility instance must be deployed per Unigy Data center and per Unigy Instance.
2. Multiple IPC Agility instance can be deployed in the same data center if needed
3. 1 IPC Agility instance can manage up to 8 zones in a single Data center
4. An IPC Agility Instance can be composed of a single server (standalone deployment) or multiple servers (3
servers) to provide additional resiliency capacity and more capacity.
5. Hardware deployment

© Copyright 2023 IPC Systems, Inc. All rights reserved. IPC proprietary information 5
 a. If customer want to have Hardware resiliency, he can ask for a multi-server type of deployment.
b. An IPC Agility instance cannot have more than 3 servers.
6. Virtualized deployment (on customer infrastructure)
a. Customer must follow the IPC’s Virtualization prerequisites (to be discussed with the Project
Manager).
b. For large deployment IPC recommend that the customer provides at least three hypervisors, each
one managing a master and a worker node (same as when IPC provide the Appliances).
c. IPC will provide the VMs size based on the applications which need to be deployed and the number
of end users (Hardware & soft client)

Specific rules for Unigy Soft Client:

1. 1 Standalone IPC Agility instance can support up to 500 Unigy Soft Client in a single data center (on 8
zones maximum)
2. 1 Multi-server IPC Agility instance can support up to 1600 Unigy Soft Client in a single data center (on 8
zones maximum)
3. Number of Media Manager per Unigy zone need to be adjusted (leveraging the calculator)

Prerequisites summary

Here is a summary list of all the prerequisites that the customer has to provide to deploy an IPC
Agility instance:
• /27 range for each IPC Agility Instance (or 30 contiguous IPs in a subnet)
• NTP synchronization to the customer NTP source (same as Unigy zone)
• The right number of server (or the right number of VMs) based on the size of the customer and
the application he will use
• 4 physical interfaces per server need to be connected to the customer switch (full duplex /
1GB)
• IDRAC interface
• Eth1 for the Management network of ESXI (only enable on non-standard deployment)
• Eth2 and 3 for the integration with the customer network (NIC teaming, single or dual
attachment)
• Customer switch ports connected to Eth2/Eth3 must be configured as 802.1q trunks,
and allow both VLAN IDs below
• 2 unique VLAN IDs need to be provided (VLAN IDs number have no importance)
• First VLAN which is the Customer network VLAN (routed)
• Second VLAN will be an internal VLAN for the local network between each VMs
deployed on the IPC Agility (Non routed VLAN so not accessible on the customer
network)
• For Multi-server architecture, IPC Agility servers need to be connected to the same customer
Switch to enable the Layer 2 communication between the VMs.

© Copyright 2023 IPC Systems, Inc. All rights reserved. IPC proprietary information 6
 • B2B Connectivity to IPC datacenter for the log forwarding and Agility application upgrades /
configuration updates
• Connexus Unigy (preferred option as the most secured and reliable)
• Internet
• Bandwidth for HTTPS connectivity between the IPC Agility instance and IPC data center
(through the customer network and Connexus or Internet)
• 2Mbps -> 50 users maximum
• 5Mbps -> 250 users maximum
• 10 Mbps for more than 250 users
• Customer LAN & WAN bandwidth between the IPC Agility instance and the Unigy backroom /
Unigy Soft client end users.
• DNS:
• Customer must provide a DNS server for the URL resolution for the communication
through HTTPS back to IPC (used for application / patch update, log forwarding,
upgrades …)
• The customer DNS server need to be configured to redirect the request to the IPC
public IPs.
• Optional Customer HTTPS Proxy to control the link with IPC: Proxy URL / Port and Proxy
certificate for the Packet Inspection
• Customer, with the help of IPC Project Manager must complete the Site prep excel
spreadsheet for each IPC Agility instance. These documents are mandatory for IPC
manufacturing team who will stage the servers / environment.
• Some applications, like Soft Client have additional pre-requisites. You will find them on the IPC
official documentation.

Virtual deployment on customer provided infrastructure additional prerequisites

For customer who want to provide their own virtualized environment, IPC will deliver to the customer
OVFs files (Master (1 or 3), 3 Workers per Agility instance).
The customer has to deploy by themselves the OVFs on their virtual environment.
Their virtual environment require:
- VMware vSphere ESXi v7.0 hypervisors are supported •
- CPU is Intelx86_64 family processors
- Minimum CPU clock speed of 2.1GHz
- NIC redundancy must be handled by the host (hypervisor), not through bounded NICs within the VM
- Hyperthreading is supported
- VMware Tools is enabled and running
The host resources are calculated based on the number and type of VMs planned for a single
hypervisor.

© Copyright 2023 IPC Systems, Inc. All rights reserved. IPC proprietary information 7
The customer must configure their virtualized environment with the 2 VLANs (port groups):
- Local Network: For the ESXi port group of the IPC Agility local network.
- Customer Network: For the ESXi port group of the IPC Agility Customer network

These port groups will be used during the OVFs deployment.

Some additional prerequisites need to be respected at the VM level:
Virtual machine options Defined configuration
Power-saving For maximum processor performance, disable the power
saving options for each VM, and if possible, for the host
as well.
NTP source NTP for the Agility virtual machines should be assigned
and configured the same way as the CCM or MM
appliances. The host server should also have the same
NTP source as the Agility virtual machines
Limit (allocated CPU resources) Unlimited
Reservation (allocated CPU resources) Reservation = vCPUs x pCPU.Frequency
Note
vCPUs is the number of virtual CPUs assigned to the VM.
pCPU.Frequency is the host physical CPU frequency. To
determine this value, check the physical machine server
resource settings in the hypervisor.
Shares (allocated CPU resources) Normal
CPU/MMU virtualization Deprecated setting
Virtual memory (vRAM) Allocate the expected amount of memory (refer to the
VM type requirements). In Edit Settings, within the
Virtual Hardware tab, select the Reserve all guest
memory (All locked) check box or select the full memory
size in the Reservation field.
Virtual disk Allocate the expected disk space (refer to the VM type
requirements).
Network adapter
- Gigabit Ethernet: E1000
- Use VMXNET3 virtual network device
(generation 3)

Latency sensitivity Normal

vMotion Not supported
DRS (Distributed Resource Scheduler) Not supported

For the VM specifications, please contact IPC Customer solution which will provide the right VM
sizing based on the number of end users.

Optional Prerequisites

Certificate:
Customer can provide their own certificate for the IPC Agility instance. This will remove all the
security alerts and messaging on their network when they try to reach the IPC Agility instance.
It is not mandatory to use the customer signed certificate. By default, the IPC Agility generate a self-
sign certificate which is used for the secure communications.

© Copyright 2023 IPC Systems, Inc. All rights reserved. IPC proprietary information 8
Monitoring:
Customer can provide the Syslog server IP address which will receive the alerts from the IPC Agility
instance.
IPC support only 1 IP or a URL for this integration for each IPC Agility.
Active Directory integration for the Agility Local Management Interface:
With Agility 3.1, Agility exposes a web page to control the HTTPS link to IPC datacenter. This link is
used to enable / disable on demand the connectivity to IPC to perform application update /
configuration changes / OS patching and Core upgrade.
The login to this page is through a delegated authentication and authorization to the customer Active
Directory.
Few parameters will be needed to configure it:
- IP / URL + port
- Secure / non secure connection
- Domain name
- Search base Distinguished Name (DN)
- Authorized groups (CN)

FAQ’s
Why should I upgrade my older version of Agility to Agility 3.1?

Upgrading to Agility 3.1 will provide the following advantages:

• Redhat OS packages updates will improve the platform stability and security
• Agility 3.1 will use a more standard B2B (machine to machine) connectivity (HTTPS) instead of ION
technology. This should simplify approval from the Customers Infosec Team
• Remote access will be more flexible.
• The Customer will have the ability to control the B2B connectivity (not available in previous versions)
• Agility 3.1 has improved the diagnostic tools. This will make day 2 support more efficient.

What is IPC’s software maintenance policy on Agility?

IPC would ideally like all Customers to be running the latest version of software across all elements of
the Unigy platform. From a policy perspective mainstream software support is N-2. This means that
3.1, 3.0 and 2.3 are currently under mainstream support

How invasive is the upgrade to 3.1?

Upgrades to Agility version 3.1 are the same as previous Agility version upgrade. The customer will
have to decide to perform a Hard Drive or OVFs swap.

© Copyright 2023 IPC Systems, Inc. All rights reserved. IPC proprietary information 9
Do I need HTTPS based B2B connectivity to take advantage of key services in Agility 3.1 ?

Yes. The efficiency of Agility operational model is based on that connectivity. As we are configuring
and administrate Agility platforms from Agility Infrastructure Management it is critical to enable this
access.
On top of that, services like the IPC observability (log forwarding) are critical for IPC to provide the
best and most efficient support experience to our customer. We have developed features like
Whitelisting of logs / log obfuscation to comply with customer requirement to allow this type of
features.

Can I install Agility 3.1 with no B2B connectivity?

Yes, however there are several key “disadvantages” if you do this:

• You will not be able to take advantage of key applications/services.
• The software upgrade process will be much more complicated and manually intensive
• The day 2 incident trouble shooting / triage process will be much less efficient for the IPC ASG team
• Remote OS Patching will not be available (must go through a complete upgrade process with
Disks/OVFs swap)

Can a customer disable only a part of the features provided through the B2B?

Yes. Agility Local Management interface provide that capability to the customer. Please refer to the
feature introduction section above.

Can I install Agility without remote access?

Yes. However, this strongly not recommended. Unigy – Agility that is installed as an “island” presents
multiple issues for day 2 support. Similarly, Unigy – Agility that is installed without remote access has
commercial implications for maintenance.

If I upgrade to Agility 3.1 do I need to convert from ION V2 B2B connectivity to HTTPS?

Yes, the conversion is automatically included with the Agility 3.1 VMs provided as part of the upgrade.
• Customer will have to open additional ports on their firewall to allow the traffic to IPC
• Customer will have to provide their HTTP proxy information if they want to leverage it to control the traffic

Can I continue to use ION V2 remote access with Agility 3.1?

© Copyright 2023 IPC Systems, Inc. All rights reserved. IPC proprietary information 10
Yes, for now. However, IPC strongly recommends that you initiate a migration process to IPC Safe
Connect which is the new remote access solution provided by IPC (Available in May 2023). Be aware
that ION or IPC Safe Connect are completely decoupled from Agility. A specific Sales order will be
needed to get the right remote access solution.

Can I use the SCD functionality in Agility to upgrade the software in my Unigy system if I do not have B2B
connectivity?

Yes. However, the Agility will not be able to “fetch” the latest software from the IPC archive. Manual
intervention will be required to import the software into Agility. This process is more complicated if the
system does not have B2Baccess back to IPC

© Copyright 2023 IPC Systems, Inc. All rights reserved. IPC proprietary information 11