"Frequently we have our small server connected to the Internet for
high speed credit transactions as well as pc anywhere host support
from our company."
" We will need to connect to them because
we will be accessing the internet for reporting purposes and for high
speed credit."
The statements above look to be the crux of the issue. I'll be happy
to write this up as a tech sheet for you once we have worked out the
details and ensure that what I'm going to give you here is a working
solution.
I agree that adding in a subnet with a router is using very large
hammers to kill flies on windows. It is also not going to be a warm,
fuzzy solution for most system administrators at the table to listen
to.
When going into a company that has a local network of any size, that
network is going to have a router of some type, and a subnet assigned,
and probably DHCP running it (dynamic addressing for the local
computers on the network).
What you need is to get to the outside for credit transactions and
pcAnywhere connections to your server (the one you installed). By the
way, you might want to check out TightVNC (http://www.tightvnc.com/ );
it is very fast and light on the computers and, in my personal
experience, works much better than pcAnywhere.
Once inside their network, you should be able to make credit card
transactions anyway. If not, then let me know this, and what you are
using to make those transactions (what software). More than likely
(if you are not able to make this connection), what needs to be done is
that the port the software is using needs to be opened in the firewall
and the router. The same is true for pcAnywhere.
Really, what you are doing by adding a subnet and router to the
existing internal network is bypassing the company's firewall and
router system. Most companies will not feel good about this. Opening a
port, however, is normally not a problem, because it is controllable.
Any traffic coming in for that port number is directed to your
server, and anything going out on a port (like your credit card
application) has to come from your computer.
If the company has a firewall, then it needs to be set up to allow this
port communication; if they do not, then you only need to adjust the
router.
Adjusting the router is simple. It will be in the Port Forwarding area
of the router setup screen. An example sheet for this is here
(http://kbserver.netgear.com/kb_web_files/n101145.asp ) from Netgear.
Most routers are basically the same. Typical Port Settings can be
found here : (http://kbserver.netgear.com/kb_web_files/n100495.asp )
pcAnywhere defaults to 5631-5632. TightVNC runs by default on
5900 and 5800.
Adjusting the firewall is a bit more tricky. I would suggest to you,
that the "right" way here is to let their system administrator do it,
or who ever it was that setup the firewall in the first place. That
should be your default answer for this area. Any company of size, that
has a firewall, is going to know who to talk to. Small companies, who
don't have a sys admin, probably are going to be using simple
"out-of-the-box" firewalls on the PC's themselves, and you won't have
to worry about it.
That answer (they are responsible) for the firewalls is what I would
want to hear from you if I was the system administrator. You would
tell me what ports you need open, and let me know which computers (if
not just the server you are installing) are going to need to be
accessed for each port. There are just too many firewalls and an
excessive amount of settings for you to try to get your installers
familiar enough with all of them to make anyone comfortable.
You mention "reporting purposes" ... what reporting purposes, and what
program is used for this? Still pcAnywhere? The reason I ask is the
security topic you have in your question. Many programs can be set up
using an SSL tunnel through the ports. You can set up TightVNC this
way, so that it is always secure. Any encryption makes things slower,
but it is typically a good idea to do so. I'll need to know all of the
programs which need to be able to communicate with the outside so
I can check what security measures are available to you.
So, to continue with your answer here, I need:
a) a list of all the programs which need to have communication to the Internet.
b) What port your credit card system is running on (if you don't know,
just the name of the product will do and I'll look it up).
c) Verify that the connection for the credit card billing functions
normally does work if the port is set up right on the router (input
from your techs is needed here).
d) Do you normally install SSH or OpenSSH on these computers for
secure connections?
If your credit card billing doesn't normally work with the changing of
the port forwarding on the router, I'll need to know something about
how they "muddled" through it a few times. Any hints would probably
put me on the right track. But it was more than likely a port
assignment.
Look forward to getting this written up for you as soon as I hear back
on these issues.
webadept-ga
Clarification of Answer by webadept-ga on 06 Apr 2005 23:15 PDT
System requirements for POS installation.
All POS computers installed will require static IP addresses inside
the local network. So, for example, if the local network is using
192.168.0.0-type addresses, the local DHCP server will need to be set
so that a section of IP addresses is removed from the pool of
available addresses, e.g. 192.168.0.100 - 109 if 10 POS systems are being
installed. These example addresses are not required, they are just
examples, but 10 static IP addresses will need to be pulled from the
DHCP server.
For maintenance, we use pcAnywhere. To reach the POS computers
directly through your company's router and firewall, each POS system
will need a port opened for traffic to a single computer, using Port
Forwarding and starting at port number 5631, counting up to the
number of POS computers installed.
So for our example above, the POS computer assigned IP address
192.168.1.100 would be reached by using Port Number 5631,
192.168.1.101 would be reached through Port 5632, and so on.
Each POS computer will also require access to the Internet via Port 80
and 443 (HTTP, and HTTPS). These ports are opened for our direct
billing system used by the POS program.
Unless the POS computer requires the use of Email, all other ports may
be firewalled off.
------
How to make this work.
When installing the POS computers you will need the IP address and
port number for each of them. The best way to do this is to write them
under the keyboard for each computer using a sticker of some type.
With Ports 80 and 443 open, you shouldn't have any trouble with your
credit card billing. So that part is done.
The pcAnywhere software will need to address each of the computers
directly, through the client's router. Using Port Forwarding, and
setting the pcAnywhere software to the address and port, you will get
to the correct computer.
Example. Computer 3 needs to be looked at. It has an inside IP address
of 192.168.1.102, and its open port is 5633. The "outside" public
address for the client is 54.32.19.45 (example). To use pcAnywhere to
get to that computer you would set pcAnywhere to go to IP address
54.32.19.45 using port number 5633. This will give you the password
challenge for computer number 3. Changing the support's pcAnywhere
program to go to port number 5632 will take you to the client's #2 POS
computer.
Your customer support can ask the client calling in to look on the
bottom of the keyboard for the port number if they are not sure which
computer they are on. Another way would be to have the client go to
DOS and type in the command ipconfig to get their local IP address,
which the customer support person can then look up in the support log
to find which port to go to.
The static IP addresses are for that problem you described above,
where your computer was given a new address, or the address it was
using got assigned to another device. This is common with DHCP, but
all DHCP servers have the ability to remove IP addresses from their
pool of available addresses. Thus, you can have static IPs, which is
what you need for the port forwarding.
If you need more clarification with this, please don't hesitate to ask.
thanks,
webadept-ga
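Worked example, added here and not part of either post above: a small Python script that implements the allocation scheme from the clarification (a run of consecutive static addresses carved out of the DHCP pool, one external port per POS computer counting up from pcAnywhere's default 5631), performs the two support-desk lookups the clarification describes (port from the sticker to inside host, address from ipconfig to port), and renders the forwards as the "which ports, which computers" list the first answer says the client's administrator will want, in the form of iptables rules for a Linux router. The support network 203.0.113.0/24, the WAN interface name eth0, and the assumption that every POS host listens on pcAnywhere's default data port 5631 are made up for the example; the source restriction to the support network is not in the answer, it is the limit a firewall administrator would normally want before opening a remote-control port to the Internet. The script also refuses plans that run off the end of the subnet or collide with the TightVNC ports 5800/5900 named in the answer.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Defaults taken from the answer: pcAnywhere's default port 5631 is the first
# external port, and TightVNC's 5800/5900 must not be handed out as POS ports.
PCANYWHERE_PORT = 5631
RESERVED_PORTS = {5800, 5900}


@dataclass(frozen=True)
class PosMapping:
    name: str           # label written on the sticker under the keyboard
    inside_ip: str      # static LAN address, excluded from the DHCP pool
    external_port: int  # port forwarded on the client's router


def plan_pos_network(lan: str, first_host: str, count: int,
                     base_port: int = PCANYWHERE_PORT
                     ) -> Tuple[Tuple[str, str], List[PosMapping]]:
    """Allocate `count` consecutive static addresses starting at `first_host`
    inside `lan`, and one external port per POS starting at `base_port`.
    Returns the DHCP exclusion range (first, last) and the mapping list."""
    net = ipaddress.ip_network(lan, strict=True)
    start = ipaddress.ip_address(first_host)
    if count < 1:
        raise ValueError("need at least one POS computer")
    if start not in net:
        raise ValueError(f"{first_host} is not inside {lan}")
    last = start + (count - 1)
    # The block must stay inside the subnet and never reach the broadcast address.
    if last not in net or last >= net.broadcast_address:
        raise ValueError(f"{count} hosts from {first_host} run off the end of {lan}")
    ports = range(base_port, base_port + count)
    clash = RESERVED_PORTS.intersection(ports)
    if clash:
        raise ValueError(f"external ports collide with reserved ports {sorted(clash)}")
    mappings = [PosMapping(f"POS-{i + 1}", str(start + i), base_port + i)
                for i in range(count)]
    return (str(start), str(last)), mappings


def host_for_port(mappings: List[PosMapping], port: int) -> Optional[PosMapping]:
    """Support-desk lookup: the caller reads the port off the keyboard sticker."""
    return next((m for m in mappings if m.external_port == port), None)


def port_for_ip(mappings: List[PosMapping], inside_ip: str) -> Optional[int]:
    """Support-desk lookup: the caller reads their address from `ipconfig`."""
    m = next((m for m in mappings if m.inside_ip == inside_ip), None)
    return m.external_port if m else None


def forwarding_rules(mappings: List[PosMapping], support_net: str,
                     wan_if: str = "eth0", inside_port: int = PCANYWHERE_PORT
                     ) -> List[str]:
    """Render the port forwards as iptables rules for a Linux router (assumed
    setup, not anything the answer prescribes). Each forward is limited to
    `support_net` so the pcAnywhere logon prompt is reachable only from the
    vendor's support network rather than from the whole Internet."""
    ipaddress.ip_network(support_net, strict=True)  # fail early on a bad network
    rules = []
    for m in mappings:
        # Translate the external port to the host's own listening port ...
        rules.append(
            f"iptables -t nat -A PREROUTING -i {wan_if} -s {support_net} -p tcp "
            f"--dport {m.external_port} -j DNAT --to-destination {m.inside_ip}:{inside_port}"
        )
        # ... and let only that translated connection through the forward chain.
        rules.append(
            f"iptables -A FORWARD -i {wan_if} -s {support_net} -p tcp "
            f"-d {m.inside_ip} --dport {inside_port} -m conntrack --ctstate NEW -j ACCEPT"
        )
    return rules


if __name__ == "__main__":
    # Constructed example: 10 POS computers in 192.168.1.0/24, support desk on 203.0.113.0/24.
    exclusion, plan = plan_pos_network("192.168.1.0/24", "192.168.1.100", 10)
    print("Remove from DHCP pool:", exclusion[0], "-", exclusion[1])
    for m in plan:
        print(f"{m.name}: {m.inside_ip} <- external port {m.external_port}")
    print("Computer 3 is", host_for_port(plan, 5633).inside_ip)
    print("\n".join(forwarding_rules(plan, "203.0.113.0/24")))
```

Running the script prints the sticker table for the ten POS computers (192.168.1.100 on 5631 through 192.168.1.109 on 5640), confirms that port 5633 lands on computer 3, and emits twenty iptables lines, two per host. If the client's router is a consumer unit like the Netgear example in the answer, the same table is what gets typed into its Port Forwarding screen, one row per host; only the iptables rendering is Linux-specific.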