Problems with ZoneAlarm firewall and the Interactive Brokers IB/TWS off-line application

Part of: Thoughts

The problem

Attempts to run the off-line IB/TWS trading application on a new Win7/64 node, which had the Zone Alarm firewall running, would consistently fail with "cannot connect to server, retrying in X seconds..." and no connection would ever be established.

Meanwhile Zone Alarm would not pop up a dialog to enable/disable Internet access for the application (for IB/TWS Workstation, that'd be the Java JRE itself, i.e. javaw.exe)

Things tried already: no dice / observations / oddities

After some experiments it was revealed that logging into my trading account only worked as soon I turned off the ZA firewall. This is no-way, no-go!

The odd thing to note is that on my regular system – which also runs the very same Zone Alarm free firewall – no such problem ever surfaced, so this is a bit of a wicked problem.

The regular SOP for MS Windows Problem Resolving didn't solve matters:

  1. [German] Ein Reboot tut immer gut. – Powercycle FTW!

  2. Uninstall offender & suspects. Another reboot and reinstall.

    (Here, IB/TWS, Java JRE and ZoneAlarm were deemed 'suspects'.)

  3. IAEF: Wail & Wait. Not too much though.

    (Sometimes Windows machines appear to truely crave their sabbath / coffee break...)

All the above steps have been executed in several different sequence orders with extreme prejudice and nothing 'worked'.

The solution

For whatever reason, this Zone Alarm install did block the Java JRE from accessing internet server ports outside the range of usual suspects (HTTP/80, HTTPS/443, etc.). IB/TWS connects to ports 4000/4001 and ZoneAlarm logged the (blocked) attempts in its log. You can view the ZA log when you've opened the ZA main window and click the 'Log' entry in the menu: you then see the blocked IP addresses + port numbers listed.

The hard part of course is identifying which lines are 'yours'. It helps when you've a minimal set of applications running and cleaned the log just prior to attempting another login using the IB/TWS Workstation app.

I'll make it easy here: the IP address it was attempting to connect to resolved to (using nslookup) A bit of testing reveals that IB has several of these and it would be prudent to ensure that, in case they've shut down this particular one, IB/TWS Workstation would be able to connect to any of the others. Tests indicate that these nodes sit in a /28 IP range, so we use that bit of info to open up a special Zone in the firewall.

Set up a Trusted Zone; IP range reported here is valid at the date of testing: May 2012

The way forward here in Zone Alarm is to define a Trusted Zone for this IP range, in order to allow IB/TWS Workstation to access arbitrary server ports within the range: -, i.e. IP+netmask a.k.a.


Oh, and did I mention that the IB/TWS installer absolutely refuses to comply when you've got the x64 Java JRE installed? On Windows/x64 ('64-bit') you must install the x32 ('32 bit') Java JRE and only that one.

Of course, all imaginable cop-outs / disclaimers apply; as ever, the time-worn German saying applies in full force: Vertrauen ist gut, Kontrolle ist besser.