To provide various real-time integration functions between a Magento website and an NCR Counterpoint system, the web server must be allowed to make inbound requests for data to the NCR Counterpoint server. To handle this traffic as securely as possible, we detail the networking requirements below, along with a few suggestions on how to secure this traffic.
We strongly recommend consulting with your IT provider to implement the right solution for your environment.
For all real-time integrations, the traffic involved is TCP traffic over a specific port, originating from the web server and received by the services below in the Counterpoint environment. The ports may be changed by configuration, but the default ports are:
- Commerce5 Gateway: 50937
- Commerce5 Core Web Services: 50938
Both services utilize strong TLS 1.2 encryption, but additional steps should be taken to ensure security. Some common scenarios utilized to enhance security are given below.
These scenarios are by no means a complete list, nor are they mutually exclusive, so they may be blended to fit your needs.
Port Forwarding and Whitelisting IPs
The ports configured for each of the above services may be forwarded directly from your NCR Counterpoint environment's public IP to the server housing the services. To ensure only authorized sources connect to the services, firewall rules should allow only traffic originating from known sources: specifically, the web server environment, Red Rook offices, and web developer offices.
All Red Rook traffic will originate from the following subnets: 126.96.36.199/28 and 188.8.131.52/26.
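The allowlisting requirement above can be checked against an exported firewall rule set. The following is an added example, not Red Rook's own tooling: it flags any inbound allow rule that exposes the default service ports to a source outside the approved list. The rule tuple format, the sample rules, and the web server and developer office addresses (documentation ranges) are constructed assumptions.

```python
import ipaddress

# Default service ports stated on this page (changeable by configuration).
SERVICE_PORTS = {50937: "Commerce5 Gateway", 50938: "Commerce5 Core Web Services"}

# Approved sources. The first two are the Red Rook subnets as printed on this
# page (strict=False because they are written with host bits set). The last
# two are constructed placeholders for your own web server and developers.
APPROVED = [ipaddress.ip_network(n, strict=False) for n in (
    "126.96.36.199/28",
    "188.8.131.52/26",
    "203.0.113.10/32",   # placeholder: web server
    "198.51.100.0/29",   # placeholder: web developer office
)]

# Constructed sample: inbound ALLOW rules as (name, source CIDR, low port, high port).
SAMPLE_RULES = [
    ("web-to-gateway",  "203.0.113.10/32",  50937, 50937),
    ("redrook-support", "126.96.36.200/32", 50937, 50938),
    ("legacy-any",      "0.0.0.0/0",        50938, 50938),
    ("wide-range",      "198.51.100.0/24",  50000, 51000),
    ("public-https",    "0.0.0.0/0",        443,   443),
]

def audit(rules, approved=APPROVED):
    """Return (rule, source, port, service) for each service port that a rule
    opens to a source not fully contained in an approved network."""
    findings = []
    for name, source, low, high in rules:
        exposed = [p for p in SERVICE_PORTS if low <= p <= high]
        if not exposed:
            continue  # rule does not touch the integration services
        src = ipaddress.ip_network(source, strict=False)
        # The whole source range must sit inside one approved network; a
        # partial overlap (e.g. a /24 around an approved /29) is a finding.
        if any(src.version == a.version and src.subnet_of(a) for a in approved):
            continue
        findings.extend((name, source, p, SERVICE_PORTS[p]) for p in exposed)
    return findings

if __name__ == "__main__":
    for name, source, port, service in audit(SAMPLE_RULES):
        print(f"{name}: {source} can reach {service} on TCP {port}")
```

A rule passes only when its entire source range falls inside an approved network, so a range that merely contains an approved address is still reported.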
Site to Site VPN
To tunnel the traffic securely, a Site to Site VPN may be configured between the web server and NCR Counterpoint environments. When utilizing this configuration, additional remote access may be required for Red Rook and web developer personnel to connect to the services for development and debugging.
DMZ Application Server
As with the port forwarding option above, the ports may be forwarded to an application server housing the services, but to add an additional layer of security, the server may be placed in a DMZ where it is itself firewalled off from the rest of the network. This second-level firewall would then allow only database traffic from the application server to the SQL Server housing the NCR Counterpoint database. This greatly limits the ability of anyone who compromises the application server to penetrate further into the network.