Network requirements - Domains and ports
For Open POS to work correctly, certain domains and network ports must be accessible from the customer's network. Below are the domains and ports that must be allowed in firewalls, proxy servers and other network-related security solutions.
Required domains
| Domain | Description |
|---|---|
| devices.pos.prod.op3n.dev | Primary backend for POS devices. Used for authentication, configuration, API calls and SignalR-based real-time communication |
| ingest.logging.tools.openpos.tech | Log ingestion and technical diagnostics |
| cdnassetsstorage.blob.core.windows.net | Download of static resources such as images, configuration files and other assets |
| *.firebaseio.com | Real-time data communication via Firebase |
| *.googleapis.com | Firebase services (configuration, authentication, push notifications, etc.) |
| *.gstatic.com | Static resources required by Firebase SDK |
Ports
| Protocol | Port | Direction | Usage |
|---|---|---|---|
| HTTPS (TCP) | 443 | Outbound | Backend API, SignalR, Firebase, CDN and logging |
| WebSocket (WSS) | 443 | Outbound | SignalR-based real-time communication |
Only outbound traffic is required. No inbound traffic to the customer's network needs to be allowed.
Real-time communication (SignalR)
- SignalR traffic is routed via devices.pos.prod.op3n.dev
- Communication takes place over HTTPS and WebSockets (WSS) on port 443
- If WebSockets are blocked, a fallback to HTTPS (long polling) is used, but WebSockets are recommended for optimal function
Encryption and security
- All communication takes place over TLS 1.2 or later
- Certificates are issued by a trusted public Certificate Authority (CA)
- No unencrypted HTTP traffic is used for external communication
Local unencrypted communication (HTTP)
In addition to external encrypted communication, local communication over HTTP occurs within the same local network.
- Unencrypted HTTP is only used locally (LAN)
- No unencrypted traffic is sent over the internet
- All data transferred locally is cryptographically signed to ensure:
  - data integrity
  - authenticity (sender verification)
This communication is used for internal collaboration between local components in the POS environment, for example, regarding device discovery or local coordination.
Proxy and traffic inspection
If the network uses SSL/TLS inspection and/or a transparent or explicit proxy, the domains listed above must be fully allowed, or exempted from SSL inspection.
This is to avoid issues with:
- WebSocket connections (SignalR)
- Firebase SDK
- Real-time communication and certificate validation
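To check an existing proxy policy against these requirements, the following added example (not part of the Open POS documentation or product) scans proxy log lines for required destinations that were blocked or TLS-inspected. The log format, sample lines and function names are constructed for illustration, and the wildcard entries are assumed to cover subdomains only.

```python
# Added example, not Open POS code: audit proxy logs against the allowlist above.
import re

# Domains and port taken from the tables on this page.
REQUIRED = [
    "devices.pos.prod.op3n.dev", "ingest.logging.tools.openpos.tech",
    "cdnassetsstorage.blob.core.windows.net",
    "*.firebaseio.com", "*.googleapis.com", "*.gstatic.com",
]
REQUIRED_PORT = 443

# Hypothetical proxy log format, constructed for this example.
LINE_RE = re.compile(
    r"CONNECT (?P<host>[^\s:]+):(?P<port>\d+) action=(?P<action>\w+) inspect=(?P<inspect>\w+)"
)

def matches_required(host):
    """Return the allowlist entry that covers host, or None."""
    host = host.lower().rstrip(".")
    for entry in REQUIRED:
        # "*.x" is assumed to cover subdomains only, matched on a label boundary.
        wildcard = entry.startswith("*.") and host.endswith(entry[1:]) and host != entry[1:]
        if wildcard or host == entry:
            return entry
    return None

def audit(lines):
    """Return (host, problem) pairs for log entries that would break Open POS."""
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or int(m["port"]) != REQUIRED_PORT or matches_required(m["host"]) is None:
            continue  # unparsable, wrong port, or not an Open POS destination
        if m["action"] != "allow":
            findings.append((m["host"], "blocked"))
        elif m["inspect"] == "yes":
            findings.append((m["host"], "tls-inspected"))
    return findings

SAMPLE_LOG = [  # constructed sample lines
    "2024-05-01T08:00:01Z CONNECT devices.pos.prod.op3n.dev:443 action=allow inspect=no",
    "2024-05-01T08:00:02Z CONNECT pos-demo.firebaseio.com:443 action=deny inspect=no",
    "2024-05-01T08:00:03Z CONNECT fonts.gstatic.com:443 action=allow inspect=yes",
    "2024-05-01T08:00:04Z CONNECT notfirebaseio.com:443 action=deny inspect=no",
]

if __name__ == "__main__":
    for host, problem in audit(SAMPLE_LOG):
        print(f"{problem:14} {host}")
```

Adapt `LINE_RE` to the export format of the proxy or firewall in use; the matching and audit logic stay the same.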
Summary (for IT / firewall)
✅ Allow outbound TCP 443 (HTTPS / WSS) to:
- devices.pos.prod.op3n.dev
- ingest.logging.tools.openpos.tech
- cdnassetsstorage.blob.core.windows.net
- *.firebaseio.com
- *.gstatic.com
- *.googleapis.com
❌ No inbound traffic is required