Configuration of SELLmatix Remote Acess

There are many ways that remote access to SELLmatix can be configured but the same basic principles apply.

Typical LAN Configuration Any computer technician will be familiar with the configuration diagram to the right where a number of computers in a small business network share one internet connection.

Local computers use private IP addresses that are not visible on the internet. Any IP address beginning with 192.168 or 10 is a private address. Addresses in these ranges are used as private addresses on almost every private LAN.

One computer or router connects to an Internet Service Provider using either a fixed IP address, or an IP address that is temporarily assigned by the ISP.

When a local machine makes a request over the internet, it is sent through a gateway that runs Network Address Translation (NAT), and when a reply is received, the NAT forwards it to the machine where the request originated.

Enabling Remote Access
SELLmatix Control running in a shop or restaurant can be accessed by other computers that also run SELLmatix Control over the internet. The steps involved are as follows. We suggest taking them in sequence.

Configure Control in Shop/Restaurant
Configure Network/Router in Shop/Restaurant
IP Address or Name Resolution
Configure Remote Terminals
Configure Security & Encryption

Back to top

With SELLmatix, the POS terminals listen for an incoming connection, which is initiated by Control. The default port used is 20000. Normally, POS terminals would not have internet access enabled. That is to say that no gateway would be configured in their TCP/IP configuration, and they may also be blocked in the router configuration. They merely listen for an incoming connection from Control, which is also running on the local network with a private IP address.

Incoming Connection Configuration To enable remote access over the internet, on the system running Control, set up a "virtual terminal" in Connection Manager that listens for an incoming connection over the internet.

We suggest using Port 30000 for Control to Control connections, and Port 20000 for connections from Control to POS to avoid confusion.

If you are running both POS and Control on the same machine in the store, however you must use a different port because you can not have more than one connection to a machine on the same port.

Back to top

When a remote computer on the internet tries to connect to the shop/restaurant the connection request is received by the router on the public IP Address that is visible over the internet.

However, SELLmatix Control is running on the local LAN with a private IP address normally in the 192.168.X.X. range and that machine is not visible to the outside internet, so the Router or NAT configuration must be set up to forward the request to the computer that is running SELLmatix Control.

TCP/IP Configuration In many cases, the computers on the local LAN have dynamically allocated IP addresses so that they can "Obtain an IP Address Automatically".

But these dynamically allocated IP addresses change from time to time, and if you use automatic configuration for the computer running SELLmatix Control then you will need to change the router configuration every time it changes the IP address on the machine running Control.

Instead, it is better to use a static IP address for the machine running Control so it won't change.

If you continue using DHCP for other IP addresses on the Local LAN, then make sure that the static IP address used for Control is outside the range of numbers used by DHCP for other machines.

You will also need set up a default "Gateway" and preferred DNS server. Usually this simply means entering the IP address of the Router. Having made these changes, the machine running Control should work exactly as normal and be able to access the internet in the normal way. Check that this is the case before proceeding further.

Router Configuration
In this example, we now have SELLmatix Control listening for incoming connections over the internet on Port 30000.

Control is running on the local LAN on a machine with a private static IP address of 192.168.1.51, and is connected to the Internet via a Router that has a local private IP address of 192.168.1.1

The router also has a public IP address, visible on the Internet which is allocated by the ISP, but for the moment, we don't know what that IP address is.

The next step is to configure the router so that it sends incoming connection requests on Port 30000 to the computer running SELLmatix Control. We will configure the router to only forward requests on the ports that we are actually going to use for security reasons.

This is normally called Port Forwarding, but different routers have different ways of setting this up, and sometimes they use different terms to describe this operation. You will need to refer to your router or NAT documentation to figure out how to do this.

Here is an example, of the Port Forwarding configuration screen on a Siemens 4100/4200 which is set up to pass SELLmatix traffic on ports 20000 and 30000 to the IP address 10.0.0.1

Notice that on this configuration, requests on Port 80 are also forwarded to the same machine, which indicates it is also running a Web server. ICMP requests allow diagnostics such as "ping" to work as well, and it is a good idea to have this enabled.

Another "nameless" model of router uses the term "Virtual Server" instead of "Port Forwarding" as follows:-

This router is configured to pass both HTTP (web) traffic on Port 80 as well as, SELLmatix traffic on Port 30000 to the local LAN address 192.168.1.51

There are so many different types of Router and NAT services that it is impossible to cover all of them here. But they work in a similar manner and you can normally figure out what to do from looking at the documentation. If you have a really unusual or difficult configuration, then you may need help from a technician, but in most cases it is fairly easy.

Testing
The next step is to test that the computer running Control is visible over the internet, and that other computers on the internet will be able to connect.

The first step is to find out the publicly visible IP address that has been assigned by your ISP. There are many ways to do this, but one of the simplest is to click the following link on the computer that is running SELLmatix Control

Show My IP Address.

Now we have the IP address that other systems on the Internet must use to connect to SELLmatix Control running on your site. The next thing is to test to see if this actually works.

And here we have a slight problem, because you can't test this on a computer that uses the same internet connection as the one running SELLmatix Control. You need to test from somewhere outside, using a different internet connection to know if the configuration is really working.

Fortunately, there is an easy solution. On the computer running SELLmatix Control, follow this link to:-

CanYouSeeMe.org.

There you will see a very nice utility that detects your incoming IP address, and lets you enter the Port number you want to test. When you click the "Check" button, their server attempts to connect to your machine from outside your LAN and reports the results.

If you see a display similar to this when you test, then everything is OK.

Please Note that if you run the test and the reason for a failure is that the connection was refused that this indicates that the router configuration was correct, but that SELLmatix Control was not running or listening on that port. Refused means that the computer received the connection request, and actively refused the connection, because no software was running to accept the incoming connection. "Refused" is not a network configuration error.

Before proceeding further, you need to verify that your router and network configuration are set up correctly, and CanYouSeeMe.org is a very good way of doing so. There are millions of different ways of configuring networks and routers, and we can't help you with this because we don't know what equipment you use or how it is set up. But any local network engineer can set this up for you quickly and easily, and will be familiar with what needs to be done.

Back to top

In the example above, we used the public IP Address provided by your ISP to access the system running in your site.

As you know, most internet connections use a name instead of an IP address, but what happens when you enter a name like "www.himatix.com" or "news.bbc.co.uk" is that name is resolved to an IP address using Domain Name Service (DNS). The actual communication takes place using the IP address and DNS is something like a telephone directory.

Servers on the internet almost always have a permanent fixed IP address, and you can register Domain Names which nobody else can use while you hold the name registration.

Small businesses that access the internet using a local Internet Service provider usually do not have fixed IP address that is permanently assigned to them, and they use an IP address assigned to them by the ISP when they connect. That address does change from time to time, sometimes several times per day. And, in most cases, these small businesses do not have a domain name registered.

There are several ways to deal with this situation including:-

Manually changing the IP address of the site every time it changes. If you need to connect from a head office, then you might need to phone the site, get them to run one of the tests to determine the current IP address, and then the key in the correct address in the machine that will initiate the connection. This is very inconvenient.
Obtain a fixed IP address for the site and possibly a domain name. This takes quite a bit of time and can be expensive.
Use some form of Dynamic DNS resolution.

Dynamic Domain Name Services
With DDNS, you use a name instead of an IP address just like a normal web server. But Dynamic DNS is updated automatically whenever your ISP changes the actual IP address used in your site. You connect to your site using the name, and it is automatically mapped to the correct IP address so that you don't even know when it has changed.

When we were designing Remote Control for SELLmatix, we intended to write software to provide similar functionality, and offer that service ourselves.

Fortunately, we discovered two companies that offer this service already, and there are probably others. We have tested and used their Dynamic DNS services and they are excellent. Most sites using Remote Control for SELLmatix now use these services and we strongly recommend that you do the same.

What is even better is that these services are free for up to 5 sites, provided that you accept some limitation about the names in use. For example, you will get a "subdomain" to use which will be something like:-

YourShop.dyndns.info
YourRestaurant.no-ip.com
YourOffice.myvnc.com

Since you are using these addresses for your own use, and not as internet addresses that you pass out to others, we don't think this is a problem.

But if you want to use something like "YourCompany.com" then you will need to pay to register that name, and we recommend that you use one of these companies to handle the registration since they provide the other valuable services free.

The two companies we have tested are:-

Both are excellent. Use them.

Back to top

Now that you have set up everything in the shop or restaurant, it is simply a matter of installing SELLmatix Control on the computers that will access the site over the internet.

You could install on a system in Head Office. You could set up Control on a Notebook Computer that you use when traveling, or you could install Control on your system at home so you can work from home or check what is happening at the shop while you are away.

Remote Connection Manager Setting up Control on a remote machine is the same as setting up Control in the shop, but with a couple of variations.

In Connection Manager, instead of setting up POS terminals, the "terminals" are the machines running Control at the retail shops. You simply enter the IP Address of the remote system, or the DDNS name that you use for each site, and everything works the same as if the machine was on your local LAN. Of course the connection speed will depend on the connections speed of the internet connections, so typically remote connections will work a little more slowly.

Remote Reports When printing reports, you simply select one of the machines from the "Source Data From" box.

Everything else in the reporting works as if the data in the report was being sourced from your local machine or LAN.

If you have more than one store, you can have multiple screen reports open at the same time so that you can compare each site.

You can set up the system so that you update products, customers any anything else on your head office system, and the updates are automatically sent to each of the stores.

Transactions can be automatically sent to the head office, so you can have customer accounts where the customers can buy from any of the stores, and receive a single statement issued by head office.

Back to top

For data passing over the internet, we strongly recommend using encryption.

SELLmatix has built in CAST 128 encryption which means that if your data was intercepted over the internet, it would be extremely difficult for anyone to decipher the data without the key.

Since you control the machines at both end of the connection you can enter whatever key you choose, and you need to protect the key so that no unauthorised person gains access to the key. If you suspect that someone has gained access to the key, then you should change the key.

The SELLmatix implementation of CAST 128 uses a full 128 bit key, though some other implementations can use a smaller key. Since there are 8 "bits" in a "byte" this translates to a key that is 16 bytes long.

The range of printable characters that can be entered through a keyboard is only a small subset of the 256 different "characters" that can be stored in a byte. In SELLmatix you enter the key as 4 groups of four "bytes", each of which is entered as a number in the range of 0-255. This makes it more difficult to enter a key that would easily be guessed.

Since the only known way to break CAST 128 encryption is by a "brute force" attack where possible key combinations are tried until the one that works is found, the keys you use should be unpredictable. Don't go and enter IP addresses of machines that you know of or use, and avoid sequences of numbers that fit any pattern.

Turning on encryption should be the last thing you do when setting up remote access, to eliminate the possibility that an incorrectly entered key might be confused with some other configuration error.

If you are using an encrypted VPN connection, or encrypted wireless connection, it may not be necessary to turn on SELLmatix encryption. But having SELLmatix encryption turned on does no harm and it is not a limiting factor in network speed.

While we have tested our CAST 128 implementation against other reference implementations of the algorithm successfully and believe that our implementation is as secure as any, no encryption system can be guaranteed to be unbreakable.

Back to top