Q: Installing a smaller network within a larger IP network ( Answered 2 out of 5 stars,   0 Comments )
Question  
Subject: Installing a smaller network within a larger IP network
Category: Computers > Internet
Asked by: kennythebus-ga
List Price: $100.00
Posted: 31 Mar 2005 12:40 PST
Expires: 30 Apr 2005 13:40 PDT
Question ID: 503288
I own a small company that installs and supports point-of-sale systems
that are normally independent IP based ethernet connected PCs
operating as a stand alone network. Frequently we have our small
server connected to the internet for high speed credit transactions as
well as pc anywhere host support from our company. Recently we have
begun to implement our solution in cafeterias of larger corporate
accounts where we are asked (required) to become a part of the larger
network. We have been involved in three of these installations to date
and each seems to have created network issues that we normally would
not encounter. We have a few techs with limited networking knowledge
who have muddled through various fixes until resolution.  Now, we have
another opportunity and the corporate IT staff have asked us to
provide them with a basic framework for installing our system network
along with cabling requirements, distance limitations, IP address
assignment etc. So, we have the chance to outline the network
installation that would provide us with the safest and most reliable
network to support our system. We will need to connect to them because
we will be accessing the internet for reporting purposes and for high
speed credit. Now, I own the company and our motto is "Do it right the
first time" so that is why I am looking for a document or instruction
that is non technical enough that sales types can understand and yet
technical enough that their network administrator understands. This
document may be used again in the future and should include how to
handle remote (separate building) connections to the terminals. In
researching this initially, it looked like maybe a subnet with a
separate router and some masking software would be the answer, but
that may be far too complex as this little network consists of seven
terminals and a host pc server. I would like to get this document down
to a couple of pages if possible.
Answer  
Subject: Re: Installing a smaller network within a larger IP network
Answered By: webadept-ga on 31 Mar 2005 19:52 PST
Rated:2 out of 5 stars
 
"Frequently we have our small server connected to the Internet for
high speed credit transactions as well as pc anywhere host support
from our company."

" We will need to connect to them because
we will be accessing the internet for reporting purposes and for high
speed credit."

The statements above look to be the crux of the issue. I'll be happy
to write this up as a tech sheet for you once we have worked out the
details and ensure that what I'm going to give you here is a working
solution.

I agree that adding in a subnet with a router is using very large
hammers to kill flies on windows. It is also not going to be a warm
fuzzy solution for most system administrators at the table to listen
to.

When going into a company that has a local network of any size, that
network is going to have a router of some type, and a subnet assigned,
and probably DHCP running it (dynamic addressing for the local
computers on the network).

What you need is to get to the outside for credit transactions and PC
Anywhere connections to your server (the one you installed). By the
way, you might want to check out TightVNC (http://www.tightvnc.com/ )
.. it is very fast and light on the computers and works much better
than my personal experiences with pcAnywhere.

Once inside their network, you should be able to make credit card
transactions anyway. If not, then let me know this, and what you are
using to make those transactions (what software). More than likely,
(if you are not able to make this connection) what needs to be done is
the port the software is using, needs to be opened in the firewall and
the router. The same is true for pcAnywhere.

Really, what you are doing by adding a subnet and router to the
existing internal network, is by-passing the company's firewall and
router system. Most companies will not feel good about this. Opening a
port however, is normally not a problem, because it is controllable.
Any traffic coming in for that port number, is directed to your
server, and any thing coming out for a port (like your credit card
application) has to come from your computer.

If the company has a firewall, then it needs to be setup to allow this
port communication, if they do not, then you only need to adjust the
router.

Adjusting the router is simple. It will be in the Port Forwarding area
of the router setup screen. An example sheet for this is here
(http://kbserver.netgear.com/kb_web_files/n101145.asp ) from Netgear.
Most routers are basically the same. Typical Port Settings can be
found here : (http://kbserver.netgear.com/kb_web_files/n100495.asp )
pcAnywhere is defaulted to 5631 - 5632. TightVNC runs by default on
5900 and 5800.

Adjusting the firewall is a bit more tricky. I would suggest to you,
that the "right" way here is to let their system administrator do it,
or who ever it was that setup the firewall in the first place. That
should be your default answer for this area. Any company of size, that
has a firewall, is going to know who to talk to. Small companies, who
don't have a sys admin, probably are going to be using simple
"out-of-the-box" firewalls on the PC's themselves, and you won't have
to worry about it.

That answer (they are responsible), for the Firewalls, is what I would
want to hear from you if I was the System Administrator. You would
tell me what ports you need open, and let me know which computers (if
not just the server you are installing) are going to need to be
accessed for each port. There are just too many firewalls and an
excessive amount of settings for you to try to get your installers
familiar enough with all of them to make anyone comfortable.

You mention "reporting purposes" ... what reporting purposes and what
program is used for this? Still pcAnywhere? The reason I ask is the
Security topic you have in your question. Many programs can be setup
using a SSL tunnel through the ports. You can setup Tight VNC this
way, so that it is always secure. Any encryption makes things slower,
but it is typically a good idea to do so. I'll need to know all of the
programs which need to be able to have communication to the outside so
I can check what security measures are available to you.

So, to continue with your answer here, I need:

a) a list of all the programs which need to have communication to the internet. 

b) What port your credit card system is running on (if you don't know,
just the name of the product will do and I'll look it up).

c) verify that connection for the credit card billing functions
normally does work if the port is setup right on the router (input
from our techs is needed here).

d) do you normally install SSH or OpenSSH on these computers for
secure connections.

If your credit card billing doesn't normally work with the changing of
the port forwarding on the router, I'll need to know something about
how they "muddled" through it a few times. Any hints would probably
put me on the right track. But it was more than likely a port
assignment.

Look forward to getting this written up for you as soon as I hear back
on these issues.

webadept-ga

Request for Answer Clarification by kennythebus-ga on 03 Apr 2005 13:26 PDT
webadept-ga

Well, I think you are on the right track. One example of a problem
that we muddled through at a fairly large corporation was a situation
where one of the corporately assigned IP numbers for one of our POS
devices got reassigned to a network printer somewhere in the
corporation about 2-3 weeks into go live.  This obviously created
intranet issues for our POS system as we were unable to access that
device for a while until the confused device was discovered. Another
issue involved a large government facility (which may explain a lot in
itself) whereby we were actually running cafeterias in two different
buildings on the same server.  The agency provided a switch of some
sort to connect the two different sets of POS terminals to the same
server.  After much trouble, we discovered that one of the buildings
was running at 10mb and the other at 100mb which should not have
affected our system according to the software provider. The connection
to the outside world for reports involves the actual food service
vendor operating the cafeterias under contract to the corporation. An
example might be like Sudexho operating in a GM plant that wants
reports at their regional office usually delivered over the internet.
I am not sure that our company will have any difficulty configuring
the router (if one is available and allowable by the corporate
customer) as we have done that well over a hundred times to
accommodate credit and pc anywhere WHEN WE ARE OPERATING AS A
STANDALONE entity.

What I am trying to prevent is another debacle because of
miscommunications or lack of clarity in our implementation
requirements. I am involved because our technical folks can't seem to
get this to a simple document that a CFO might understand as readily
as a CTO or CIO or network administrator. Basically, I feel like that
if we can isolate our system so that essentially is operating in
standalone mode but on their network, both parties will be happy with
the performance.

I probably didn't mention that I have been retired for about four
years and am in the process of trying to improve our company's
efficiency and profitability. When you say that the corporate NA will
"open a port" for us, does that allow us to operate 10-12 devices and
a server from that one port?  Will we then set up our own little
subnet from that port?  Will that port be an IP address and will the
company need to provide any further IP addresses? I want you to
provide this document for me because you are on the right track.

Thanks and I look forward to answering additional questions, although
I need this document soon ( a day or two at most).

Clarification of Answer by webadept-ga on 06 Apr 2005 01:01 PDT
Hi again,

Okay, I'll get this done Wednesday. Going over your clarification here
it looks like I have enough to put together a tech paper for you and
I'll pay attention to 'who I am writing for'. It looks like I'll need
to put together the paper in two parts however, one as the tech paper
and one for training on what the tech paper means. Cliff notes, as it
were.

I'll get you what you need.

webadept-ga

Clarification of Answer by webadept-ga on 06 Apr 2005 23:15 PDT
System requirements for POS installation.

All POS computers installed will require static IP addresses inside
the local network. So, for example; if the local network is using
192.168.0.0 type addresses, the local DHCP server will need to be set
so that a section of IP addresses are removed from the pool of
available address for 192.168.0.100 - 109 if 10 POS systems are being
installed. These example addresses are not required, they are just
examples, but 10 static IP addresses will need to be pulled from the
DHCP server.

For maintenance, we use pcAnywhere. To reach the POS computers
directly through your company's Router and Firewall, each POS system
will need a Port opened for traffic to a single computer. Using Port
Forwarding, and starting at Port Number 5631, counting up to the
number of POS computers installed.

So for our example above, the POS computer assigned IP address
192.168.1.100 would be reached by using Port Number 5631,
192.168.1.101 would be reached through Port 5632, and so on.

Each POS computer will also require access to the Internet via Port 80
and 443 (HTTP, and HTTPS). These ports are opened for our direct
billing system used by the POS program.

Unless the POS computer requires the use of Email, all other ports may
be firewalled off.

------

How to make this work. 

When installing the POS computers you will need the IP address and
port number for each of them. The best way to do this is to write them
under the keyboard for each computer using a sticker of some type.

With Ports 80 and 443 open, you shouldn't have any trouble with your
credit card billing. So that part is done.

The pcAnywhere software will need to address each of the computers
directly, through the client's router. Using Port Forwarding, and
setting the pcAnywhere software to the address and port, you will get
to the correct computer.

Example. Computer 3 needs to be looked at. It has an inside IP address
of 192.168.1.102, and its open port is 5633. The "outside" public
address for the client is 54.32.19.45 (example).  To use pcAnywhere to
get to that computer you would set pcAnywhere to go to IP address 
54.32.19.45 using port number 5633. This will give you the password
challenge for computer number 3. Changing the support's pcAnywhere
program to go to port number 5632 will take you to the clients #2 POS
computer.

Your customer support, can ask the client calling in to look on the
bottom of the keyboard for the Port number if they are not sure which
computer they are on. Another way would be to have the client go to
DOS and type in the command ipconfig to get their local IP address,
which the customer support person can then look up in the support log
for which port to go to.

The static IP addresses are for that problem you described above,
where your computer was given a new address, or the address it was
using got assigned to another device. This is common with DHCP, but
all DHCP servers have the ability to remove IP addresses from their
pool of available addresses. Thus, you can have static IP's which is
what you need for the port Forwarding.

If you need more clarification with this, please don't hesitate to ask. 

thanks, 

webadept-ga
kennythebus-ga rated this answer:2 out of 5 stars
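
A worked example, added here and not part of the thread above, of the plan the final clarification lays out: each POS host gets a static address carved out of the customer's DHCP pool, each one gets its own external port (5631, 5632, ...) forwarded to it, and support looks the port up from the local address a cashier reads off `ipconfig`. The script validates the plan before it is handed to the customer's administrator (address inside the subnet, outside the DHCP pool, used only once, external port usable) and prints the forwarding table. The host names, addresses, DHCP pool and ipconfig text are constructed sample data; the internal service port is assumed to be pcAnywhere's default 5631 on every host, which the answer does not state.

```python
"""Plan check for a small POS network placed inside a corporate LAN.

Added example; it is not code from the original Google Answers thread.
Hostnames, addresses and the ipconfig text below are constructed sample
data; the internal service port is assumed to be pcAnywhere's default
5631 on every host.
"""
import ipaddress
import re
from dataclasses import dataclass

# Sample inventory (constructed): customer subnet, DHCP pool, POS hosts.
SUBNET = "192.168.1.0/24"
DHCP_POOL = ("192.168.1.10", "192.168.1.99")   # pool after the exclusion
POS_HOSTS = [
    ("POS-1", "192.168.1.100"),
    ("POS-2", "192.168.1.101"),
    ("POS-3", "192.168.1.102"),
    ("POS-SERVER", "192.168.1.110"),
]
PUBLIC_IP = "54.32.19.45"            # the answer's example public address
OUTBOUND_PORTS = (80, 443)           # billing traffic every POS host needs

# Constructed Windows `ipconfig` output from a POS terminal.
SAMPLE_IPCONFIG = """
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.102
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
"""


@dataclass(frozen=True)
class ForwardRule:
    host: str
    internal_ip: str
    internal_port: int
    external_port: int


def build_plan(subnet, dhcp_pool, pos_hosts, base_port=5631, service_port=5631):
    """Assign one external port per host and reject addressing mistakes.

    Every static address must sit inside the subnet, outside the DHCP pool
    (so the server cannot hand it to a printer later) and be used once.
    """
    net = ipaddress.ip_network(subnet, strict=False)
    pool_lo, pool_hi = (ipaddress.ip_address(a) for a in dhcp_pool)
    seen = set()
    rules = []
    for index, (host, addr) in enumerate(pos_hosts):
        ip = ipaddress.ip_address(addr)
        if ip not in net or ip in (net.network_address, net.broadcast_address):
            raise ValueError(f"{host}: {ip} is not a usable address in {net}")
        if pool_lo <= ip <= pool_hi:
            raise ValueError(f"{host}: {ip} is still inside the DHCP pool "
                             f"{pool_lo}-{pool_hi}; exclude it first")
        if ip in seen:
            raise ValueError(f"{host}: {ip} is assigned to two hosts")
        seen.add(ip)
        external = base_port + index
        if external > 65535 or external in OUTBOUND_PORTS:
            raise ValueError(f"{host}: external port {external} is not usable")
        rules.append(ForwardRule(host, str(ip), service_port, external))
    return rules


def render_forwarding_table(rules, public_ip):
    """Lines the customer's administrator can copy into the router."""
    return [f"TCP {public_ip}:{r.external_port} -> {r.internal_ip}:{r.internal_port}  ({r.host})"
            for r in rules]


# Matches both the XP-era "IP Address" and the newer "IPv4 Address" label.
IPV4_RE = re.compile(r"IP(?:v4)? Address[ .]*:\s*(\d{1,3}(?:\.\d{1,3}){3})")


def parse_ipconfig(text):
    """Pull IPv4 addresses out of Windows ipconfig output."""
    return IPV4_RE.findall(text)


def lookup_port(rules, local_ip):
    """Support lookup: local address read off the terminal -> external port."""
    for rule in rules:
        if rule.internal_ip == local_ip:
            return rule.external_port
    return None


if __name__ == "__main__":
    plan = build_plan(SUBNET, DHCP_POOL, POS_HOSTS)
    print("\n".join(render_forwarding_table(plan, PUBLIC_IP)))
    for ip in parse_ipconfig(SAMPLE_IPCONFIG):
        print(f"terminal at {ip} -> connect to {PUBLIC_IP}:{lookup_port(plan, ip)}")
```

Run it once per site before the installers arrive: a host whose address still falls inside the customer's DHCP pool, or two hosts sharing an address, is rejected up front instead of surfacing weeks later as the printer collision described in the clarification. The rendered table is what goes to the administrator who owns the router and firewall; the support desk keeps the same plan for the `ipconfig` lookup.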
