To connect a Simphony POS to Deliverect, utilize one of the options explained in this article.
- Option 1: Direct connection to the POS (recommended)
- Option 2: Reverse proxy inside of the client's network
- Option 3: TCP tunnel to the client’s network (not recommended for large-scale roll-outs)
Option 1: Direct connection to the POS (recommended)
This configuration allows Deliverect services to access the POS directly via an exposed firewall port.
Step 1. As a best practice, configure an FQDN (Fully Qualified Domain Name) and associate it with the IP address, which simplifies any future management. Domain names can be purchased.
Step 2. There are two scenarios for this setup: a static public IP address (recommended) and a dynamic one.
- Static IP: If the IP address is static, it only needs to be added to the DNS list.
- Dynamic: There are services that can provide a static web address. We don't recommend this option, as downtime may occur when:
  - The IP address is being changed by an ISP.
  - The service is down. The DNS record is then not updated, which creates an issue that is harder to troubleshoot (the IP address in DNS is not something usually checked during troubleshooting).
Step 3. Once the IP address has been configured, the firewall needs to be updated to give access to the required port on the POS host.
Step 4. Validate public access to the port (make sure the POS service is running).
Step 5. To improve security, add the Deliverect outgoing IP addresses to your allowlist (available here). You will be contacted in advance if these are to be changed.
When opening the port on the firewall for the POS host, make sure that the firewall always points to the same host. This configuration will differ per firewall type and may allow different configurations (e.g. to a MAC address or to an IP address). If the configuration requires an IP address, make sure that the POS host has an internal fixed IP address in the network.
Option 2: Reverse proxy inside of the client's network
For this option, it's necessary to set up the reverse proxy, its authentication, and the ports that need to be configured on the firewall to expose it (this should be discussed before implementation).
If the client has a centralized way to access the network where multiple POS exist, then configuring one reverse proxy is enough to reach them all. Here, the stakeholders should reach an agreement on how one reverse proxy will allow the connection to different POS (e.g. different subdomains or different URI paths).
If this is not the case, one reverse proxy needs to be set up per network.
After the setup, Deliverect services send requests to the reverse proxy, which forwards them to the target POS according to its rules.
Step 1. Reach an agreement between the stakeholders on:
- The reverse proxy to use (e.g. NGINX, Apache, etc.)
- Authentication (e.g. Basic Auth, self-signed certificates, etc.)
- The ports to expose (using unconventional ports may help to improve security)
Step 2. As a best practice, an FQDN should be configured that points to the reverse proxy IP address.
Step 3. Set up the reverse proxy with instructions provided by Deliverect (a list will be provided with the required features).
Step 4. Guarantee access from the reverse proxy to the POS (this requires taking a look at the client's infrastructure topology).
Step 5. Add Deliverect's IP addresses to your allowlist. These are found here.
Step 6. Configure the firewall to expose the port to the reverse proxy.
Step 7. At this point, share the different subdomains or URIs needed to reach the POS with your Deliverect account manager.
Option 3: TCP tunnel to the client’s network (not recommended for large-scale roll-outs)
The first two options are advised when configuring the firewall to expose ports is possible. When that is not the case, we allow using a TCP tunnel between the client and Deliverect.
Follow the steps in this article.
Check if a port is open
If you need to check a port, several tools are available.
- If the exposed port is not publicly open, Nmap can be used.
- If the port is open to the public, it can be checked by using an online service (e.g. canyouseeme.org).
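The check below is an added example, not part of the original article or of Deliverect's tooling. It combines the DNS concern from Option 1 (a stale record after the public IP changes) with the port validation in Step 4, so the two failure modes can be told apart. The function names, the FQDN, the IP address, and the port are hypothetical placeholders.

```python
import socket

def resolve_ipv4(fqdn):
    """Return the sorted IPv4 addresses the FQDN currently resolves to."""
    try:
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def probe_port(host, port, timeout=3.0):
    """Classify one TCP connect attempt as 'open', 'refused' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"   # host answered, but nothing is listening on the port
    except OSError:
        return "filtered"  # timeout or unreachable: firewall drop, routing, host down

def diagnose(fqdn, expected_ip, port, timeout=3.0):
    """Check the DNS record first, then the port. Returns (status, detail)."""
    resolved = resolve_ipv4(fqdn)
    if not resolved:
        return ("dns_failure", f"{fqdn} does not resolve")
    if expected_ip not in resolved:
        # Typical after an ISP changes a dynamic IP and the record is not updated.
        return ("dns_mismatch",
                f"{fqdn} resolves to {resolved}, expected {expected_ip}")
    state = probe_port(expected_ip, port, timeout)
    detail = {
        "open": "port reachable",
        "refused": "host reachable but POS service not listening",
        "filtered": "no reply; check the firewall rule and its forwarding target",
    }[state]
    return (state, detail)

if __name__ == "__main__":
    # Constructed placeholder values (documentation ranges); replace with the
    # site's own FQDN, public IP and exposed POS port.
    print(diagnose("pos.example.com", "203.0.113.10", 8080))
```

Run it from outside the client's network, since a check from inside does not exercise the firewall rule. If the allowlist from Step 5 is already in place, a "filtered" result from a non-allowlisted source is the expected outcome.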