Skip to main content
Español Français Italiano Nederlands Português

Guidelines on POS Network Integration

This document is a WIP. Deliverect guidelines on network integration with partners. These guidelines aimed to define Deliverect's preferred way of integrating with partners taking into consideration their size and infrastructure topology.

 

Glossary

Term

Definition

Notes

ISP

Internet Service Provider

Example: Proximus, Telenet, Comcast, Vodafone, ...

FQDN

Fully Qualified Domain Name

Example: deliverect.com

DNS

Domain Name Server

Some DNS registrars are: Google, Namecheap, No-IP, Dyn, GoDaddy

DUC

Dynamic DNS Update Client

No-IP tool to automatic update IP

Dyn's Update Client

Dynamic DNS Update Client

Dyn tool to automatic update IP

Reverse proxy

A reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. These resources are then returned to the client, appearing as if they originated from the proxy server itself.

https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html

POS

Point of Sale

 

 

Problem

Deliverect provides seamless integration between the delivery channel and the POS.

In order to provide this integration, Deliverect services need a connection to the POS. This document addresses the issue that not all POS is accessible from the internet, and how can this issue be solved in a way that is secure and demands the least maintenance effort on both parts.

In this document, we propose multiple solutions to solve the problem described above from small business integrations to enterprise customers.

General Information

Deliverect IPs and API documentation

All Deliverect services are hosted in a distributed cloud environment and, currently, running on Google Cloud Platform.

At the moment, the document that holds the official Deliverect API documentation and the public IPs associated with it can be found here.

Solutions

1. Direct connection to the POS

(Deliverect preferred solution)

Description

Deliverect suggests using this solution. Here, the setup allows Deliverect services to access the POS directly from the internet through an exposed port on the firewall.

Installation steps

  1. As a best practice, an FQDN (Fully Qualified Domain Name) should be configured and associated with the IP. This simplifies the management of this approach. If the client doesn't have one, buying one is the best option but it's also possible to request one for free, but it might require manual interaction every month as an approval to keep using that domain (such as receiving an email every month and click to confirm the usage of it).
  2. There are 2 scenarios for this setup. A static public IP (which we recommend) and a dynamic one:
  1. If the IP is static it only needs to be added to the DNS list. [Set DNS entry]
  2. (Deliverect doesn't recommend dynamic IPs) If the IP is dynamic there are some tools which can give a static web address that can be used. There are some limitations for this kind of solutions which might bring downtime while the IP switches (when the ISP generates a new IP for the client). Also, if this IP update tool is down, there will be no update and this might cause problems that are harder to troubleshoot because DNS IP check is not usually checked when debugging.
  1. Once the IP has been set up, the firewall should be updated to give access to the required port to the POS host.
  2. Make sure the POS service is running.
  3. Validate the public access to that specific port.
  4. To improve security, whitelist Deliverect outgoing IP’s present here. Even though these should not change, they might change and any change will be communicated with a reasonable time in advance.

Notes

POS Host internal IP

When setting up the firewall to open the port for the POS Host, make sure that the firewall always points to the same host. This configuration might be different per firewall and might allow different configurations (example: to a MAC address or to an IP address). If the configuration requires an IP address, make sure that the POS host has an internal fixed IP in the network.

 

2. Reverse-proxy inside of the client's network

Description

For the setup, it's necessary to set the reverse proxy, its authentication, and the ports that need to be configured on the firewall to expose it. (This should be discussed ahead before the implementation).

If the client has a centralized way to access the network where different POS is, then configuring one reverse-proxy is enough to reach all of them. Here, the stakeholders should reach an agreement on how one reverse-proxy will allow connecting to different POS (i.e. different subdomains or different URI paths).

If this is not the case, one reverse-proxy needs to be set up per network.

After the setup, the Deliverect services will send the request to the reverse-proxy and according to its rules, the request gets redirected to the target POS.

Installation steps

  1. Arrange an agreement between the stakeholders for:
  1. The reverse-proxy to use (i.e. Nginx, apache, ...)
  2. Authentication (i.e. Basic Auth, SelfSigned certificates, ...)
  3. Ports to expose (using unconventional ports might help to improve the security)
  1. As a best practice, an FQDN should be configured that points to the reverse-proxy IP address.
  2. Setup the reverse proxy with instructions provided by Deliverect (a list will be provided with the required features)
  3. Guarantee access from the reverse-proxy to the POS (this requires to take a look at the client's infrastructure topology)
  4. Configure the firewall to expose the port to the reverse-proxy
  5. At this point, share with your Deliverect account manager the different subdomains or URIs to be able to reach the POS

Notes

(TBD Strategy to update the reverse-proxy)

3. TCP tunnel to the client’s network

(Not suggested for large scale roll-outs)

Description

The first two cases are advised when the firewall configuration to expose ports is an option (with security rules or not, like IP whitelisting). When this is not the case, we allow using a TCP tunnel between the client and Deliverect.

Installation steps

Before starting the installation, if any instance of the tunnel was previously installed please uninstall it. (Instructions can be found in the "Notes" section)

Windows

  1. Download the installer (choose one of the following: link)
  2. Run the installer with the following parameters:
  1. Token:    This should be requested to Deliverect
  2. Port:       The port in which the POS service is running
  1. Follow the installer redirect (access the following link on the browser https://localhost:4040) to confirm it is working and see the tunnel domain.
  2. Ask your account manager (in Deliverect) to update your channel-link and add the new POS URL: https://DOMAIN-SHOWN-ABOVE.tunnel.deliverect.com (provide the https URL)
  3. Send order and confirm the setup is working.

Linux/Mac

  1. TBD

Notes

Security

Only services inside of the Deliverect's network will be able to send requests through TCP tunnel server (POS proxied services).

This solution is not yet tested in large live environments and not advised for production systems.

Uninstall

Uninstall by browsing to the installation folder (for Windows, it can probably be found in "Program Files (x86)/deliverect-tunnel") and run the uninstall file (unis000.exe).

Extra Details

Identify if the ISP gives a static or dynamic public IP. This needs to be identified per ISP or maybe per country.

 

Note: In most cases, there's always the possibility of requesting/buying the static IP on the ISP services.

Examples/Checks

Check Open Port

If you need to check a port you can use several tools (i.e. Nmap).

If the exposed port is not publicly open, Nmap can be used (Nmap example TBD).

 

On the other hand, if the port is a publicly open one, one tool to check if the expected port is open in the firewall is canyouseeme.org.

If the port is open and the service is running on that port, you should see a successful connection port attempt (example below).