These guidelines aimed to define Deliverect's preferred way of integrating with partners taking into consideration their size and infrastructure topology.

Deliverect provides seamless integration between the delivery channel and the POS.

To provide this integration, Deliverect services need a connection to the POS. This document addresses the issue that not all POS is accessible from the internet, and how can this issue be solved in a way that is secure and demands the least maintenance effort on both parts.

In this article, we propose multiple solutions to solve the problem described above from small business integrations to enterprise customers.

All Deliverect services are hosted in a distributed cloud environment and, are currently running on Google Cloud Platform.

At the moment, the document that holds the official Deliverect API documentation and the public IPs associated with it can be found here.

(Deliverect preferred solution)

Deliverect suggests using this solution as it allows Deliverect services to access the POS directly from the internet through an exposed port on the firewall.

Step 1. As a best practice, an FQDN (Fully Qualified Domain Name) should be configured and associated with the IP. This simplifies the management of this approach. If the client doesn't have one, buying one is the best option but it's also possible to request one for free, but it might require manual interaction every month as approval to keep using that domain (such as receiving an email every month and click to confirm the usage of it).

Step 2. There are two scenarios for this setup. A static public IP (which we recommend) and a dynamic one:

Step 3. Once the IP has been set up, the firewall should be updated to give access to the required port to the POS host.

Step 4. Make sure the POS service is running.

Step 5. Validate the public access to that specific port.

Step 6. To improve security, whitelist Deliverect outgoing IP’s present here. Even though these should not change, they might change and any change will be communicated with a reasonable time in advance.

When setting up the firewall to open the port for the POS Host, make sure that the firewall always points to the same host. This configuration might be different per firewall and might allow different configurations (example: to a MAC address or to an IP address). If the configuration requires an IP address, make sure that the POS host has an internal fixed IP in the network.

For the setup, it's necessary to set the reverse proxy, its authentication, and the ports that need to be configured on the firewall to expose it. (This should be discussed ahead before the implementation).

If the client has a centralized way to access the network where different POS is, then configuring one reverse proxy is enough to reach all of them. Here, the stakeholders should agree on how one reverse proxy will allow connecting to different POS (e.g., different subdomains or URI paths).

If this is not the case, one reverse proxy needs to be set up per network.

After the setup, the Deliverect services will send the request to the reverse proxy and according to its rules, the request gets redirected to the target POS.

Step 1. Arrange an agreement between the stakeholders for:

Step 2. As a best practice, an FQDN should be configured that points to the reverse proxy IP address.

Step 3. Set up the reverse proxy with instructions provided by Deliverect (a list will be provided with the required features)

Step 4. Guarantee access from the reverse proxy to the POS (this requires to take a look at the client's infrastructure topology)

Step 5. Configure the firewall to expose the port to the reverse proxy.

Step 6. At this point, share with your Deliverect account manager the different subdomains or URIs to be able to reach the POS

(Not suggested for large-scale roll-outs)

The first two cases are advised when the firewall configuration to expose ports is an option (with security rules or not, like IP whitelisting). When this is not the case, we allow using a TCP tunnel between the client and Deliverect.

Before starting the installation, if any instance of the tunnel was previously installed please uninstall it. (Instructions can be found in the "Notes" section)

Step 1. Download the installer (choose one of the following: link)

Step 2. Run the installer with the following parameters:

Step 3. Follow the installer redirect (access the following link on the browser https://localhost:4040) to confirm it is working and see the tunnel domain.

Step 4. Ask your account manager (in Deliverect) to update your channel-link and add the new POS URL: https://DOMAIN-SHOWN-ABOVE.tunnel.deliverect.com (provide the https URL)

Step 5. Send an order to confirm the setup is working.

Only services inside of the Deliverect's network will be able to send requests through TCP tunnel server (POS proxied services).

This solution has not been tested in large live environments and is not advised for production systems.

Uninstall by browsing to the installation folder (for Windows, it can probably be found in "Program Files (x86)/deliverect-tunnel") and run the uninstall file (unis000.exe).

Identify if the ISP gives a static or dynamic public IP. This needs to be identified per ISP or maybe per country.

Note: In most cases, there's always the possibility of requesting/buying the static IP on the ISP services.

If you need to check a port you can use several tools (e.g., Nmap).

If the exposed port is not publicly open, Nmap can be used (Nmap example TBD).

On the other hand, if the port is a publicly open one, one tool to check if the expected port is open in the firewall is canyouseeme.org.

If the port is open and the service is running on that port, you should see a successful connection port attempt (example below).