Access SFTP Data and Reports

Using SFTP, you can connect to CME Group systems to send and receive files, using an application enabled for ssh encrypted login.

Public / private key authentication is allowed to secure connections, using SSH public key file format (RFC4716).

  • To establish a connection and access files:
  1. Using the password or SSH authentication, log in to access CME Group directories (incoming / outgoing):

Futures & Options / BrokerTec / EBS: Production access via internet

  • Address: sftp.cmegroup.com
  • For firms/users accessing the Google Cloud secure repository: sftpx.cmegroup.com
  • IP address: 205.209.196.150
  • Port: 22

Futures & Options: Production access via leased line WAN

  • Address: sftp.cmegroup.com
  • WAN CDN connection VPN IP address: 167.204.72.96
  • WAN Futures &Options: 167.204.41.34
  • For firms/users accessing the Google Cloud secure repository: sftpx.cmegroup.com
  • Port: 22

BrokerTec: Production access via leased line WAN

  • Address: sftp.cmegroup.com
  • WAN CDN connection VPN IP address: 167.204.72.96
  • For firms/users accessing the Google Cloud secure repository: sftpx.cmegroup.com
  • Port: 22

EBS: Production access via leased line WAN

  • Address: sftp.cmegroup.com
  • IP address: 167.204.72.206
  • For firms/users accessing the Google Cloud secure repository: sftpx.cmegroup.com
  • Port: 22
  1. After successful login, the root directory appears with default directories to access files.

Directory paths are case sensitive and must be entered exactly as indicated.

Folders and directory path are available as described below:

  • incoming: Confidential data files submitted by firms. Firms upload files as required by CME Group.
  • outgoing: Confidential files, from CME Group, for firms to download and review or complete.
  • pub: A file folder that can be setup with subdirectories to send and receive files.
  • Sample report filenames:

BrokerTec

  • BTEC111_IDY.[Business_Date].BTEU.[GFID].[master account].csv
  • BTEC111_EOD.[Business_Date].BTEU.[GFID].[master account].csv

EBS: End of Day report format

EREP

  • CEOD200_EBS_(GFID)_yyyy-mmm-dd.csv

In this example CEOD200 is the EOD Client Order Events - EBS Market - Daily Report, which is available via EREP.

  • CEOD200_EBS_(GFID)_yyyy-mmm-dd.csv

SFTP

  • CEOD200_(yyyymmmdd).EBS.(GFID).OG_(CID).csv

In this example CEOD200 is the EOD Client Order Events - EBS Market - Regulatory - Daily Report, which is available via SFTP.

  • CEOD200_(yyyymmmdd).EBS.(GFID).OG_(CID).csv

Reports are updated at:

US

  • 9:00 a.m. CT
  • Intraday: every hour
  • 4:30 p.m. CT

 

  • Inbound Public SFTP Keys

This PGP public key is used by the customer to encrypt files before sending to CME Group.

To encrypt your files before uploading to CME SFTP, use the following key:

  • Production Environment

https://www.cmegroup.com/content/dam/cmegroup/misc/sftp-key/CMEGroup_PROD_PGP_pubkey.asc

 

Testing / Confirming Connectivity

The following instructions describe the process to verify network connectivity to the CME Group SFTP environment; ensuring firewall and internal network allow traffic over required ports. Testing the connection is an essential function to ensure persistent file access and submission.

Confirm connection details

Clients accessing the following hostnames/endpoints and port must use a SFTP-capable client application or command-line interface.

Environment

Hostname

Port

User Acceptance Testing (UAT)

sftpx.uat.cmegroup.com

22

Production

sftpx.cmegroup.com

22
Test Connectivity

Windows (Powershell)

To verify the TCP handshake to validate the production environment connection, use the Test-NetConnection cmdlet.

  1. Using PowerShell, enter the following command:

Test-NetConnection -ComputerName sftpx.cmegroup.com -Port 22

  1. On the response that appears, verify if TcpTestSucceeded : True appears.

If a False message is returned, your network may be blocking outbound Port 22 traffic.

For further assistance, contact your network or system administrator

Linux / macOS (Bash)

Use the netcat (nc) utility to probe the port.

  1. Using Bash, enter the following command:

nc -v -w 2 sftpx.cmegroup.com 22

  1. On the response that appears, a successful connection is indicated by the following message.

Example: Connection to sftpx.cmegroup.com 22 port [tcp/ssh] succeeded

Telnet (Universal)

If the above tools are unavailable, perform a Telnet basic connectivity check.

  1. Open Telnet and enter the following command:

telnet sftpx.cmegroup.com 22

  1. If successful, the screen will be blank or display a ssh version string.

Example: SSH-2.0-OpenSSH...

  1. If unsuccessful, a connection failed or operation timeout message will appear.
Troubleshooting Connectivity

  • Q: I can "ping" the address, but can't connect via SFTP. Why?

  • A: Ping uses ICMP, while SFTP uses TCP Port 22.

Many corporate firewalls allow ICMP/pings but block specific data ports. To confirm access, use the above port-specific (PowerShell/Terminal) tests.

Note: Ping tests confirm the server is reachable. It does not confirm that SFTP traffic is allowed. A successful port 22 connection test is the only valid confirmation of connectivity.

 

  • Q:Do I need to provide a public IP for whitelisting?

  • A: No, A public IP is not required for whitelisting, Ensure your internal network allows outbound traffic to the specific IP range.

 

  • Q: Why does the production URL start with "http://" in some documents?

  • A: For SFTP file transfers, do not use http:// or https://. Most SFTP clients require the raw hostname only (sftpx.cmegroup.com).

 

  • Q: What should I do if my connectivity test fails (TcpTestSucceeded : False)?

- Linux (terminal)/macOS - If Connection refused or Operation timed out appears in the response.

  • A: Contact your internal internal IT, Networking, Security team to ensure Port 22 is open for outbound traffic to the CME Group IP range.