This page consolidates every network and firewall requirement of a bessa deployment at a customer site. It is written for IT administrators who need to decide — in a managed network with firewalls, segmented VLANs, or allowlists — which hosts and ports to open so that the sales point, the order channel, printers, payment terminals, and beverage dispensers all work as expected.
The content is grouped by product area. Each area has two subsections: outbound (internet) and internal (local network).
This page is the source for the IT-onboarding process. Feel free to link to the page or to a specific section directly when answering requests from customer IT teams.
General notes
-
Cloud connectivity: every outbound connection to a bessa service uses HTTPS / TCP 443. No additional outbound ports are required.
-
DNS: standard system DNS resolution is sufficient. No bessa-specific DNS configuration is required.
-
NTP: there is currently no mandatory NTP requirement on devices or on the network.
-
IP allowlists: allow hostnames only. Concrete IP ranges (CIDR) are not stable — cloud services are delivered over CDN / load-balancer pools that change.
-
Local devices: printers, payment terminals, and beverage dispensers need a static IP or a reserved DHCP lease. They must be reachable from the sales point on the same subnet, or routed between subnets.
-
ICMP / PING: some devices (e.g. Brau Union Z1U dispenser) deliberately do not answer ICMP. Diagnose via the device's TCP/UDP port, not via
ping.
1. bessa Kassa (sales point)
The sales point talks to the bessa cloud (Manager / API) and — depending on the country — to a certified signing component (RKSV / TSE / country-specific).
Outbound
|
Purpose |
Hostname |
Port / Protocol |
|---|---|---|
|
bessa Manager (sales-point backend) |
|
TCP 443 / HTTPS |
|
bessa API (sales-point backend) |
|
TCP 443 / HTTPS |
|
bessa Manager (add-on products) |
|
TCP 443 / HTTPS |
|
bessa API (add-on products) |
|
TCP 443 / HTTPS |
|
RKSV signing component (Austria) |
|
TCP 443 / HTTPS |
|
RKSV signing component (Austria, alternative) |
|
TCP 443 / HTTPS |
|
TSE middleware (Germany) |
|
TCP 443 / HTTPS |
|
Country-specific fiscal cloud (e.g. Croatia) |
|
TCP 443 / HTTPS |
|
App updates, standard Android |
Google Play Store |
TCP 443 / HTTPS |
|
App updates, Sunmi devices |
vendor-specific app store |
TCP 443 / HTTPS |
|
App updates, iMin devices |
vendor-specific app store |
TCP 443 / HTTPS |
|
App updates, Orderman |
System Center Next |
TCP 443 / HTTPS |
Which signing component is contacted depends on the customer's country — Austria (RKSV), Germany (TSE), or another jurisdiction. Allow only the hostnames relevant to your site.
Internal
|
Purpose |
Port |
Notes |
|---|---|---|
|
Main sales-point discovery |
UDP 48858 |
Sub-terminals and order monitors locate the responsible main sales point on the LAN over this port |
|
Sub-terminals ↔ main sales point |
TCP 48880 |
Booking and sync between a sub-terminal and the main sales point |
|
Order monitor ↔ sales point |
TCP 48888 |
Order forwarding to order monitors (kitchen, bar) |
|
mDNS / Bonjour discovery |
UDP 5353 |
Discovery of network printers (see section 6) |
|
Real-time messaging (SSE / wss) |
TCP 443 |
Server-Sent Events and WebSocket Secure ( |
Printers, payment terminals, and beverage dispensers are documented in the dedicated sections below — the sales point opens outbound TCP connections to these devices on the LAN.
2. Order channel (Connector)
The bessa Connector is the central order interface between external order channels (self-order tablets, ordering apps, web shop) and the sales point. It runs as a Windows service, on Android, or as a Sunmi-standalone — port requirements do not differ by platform but by the connected sales-point system.
Outbound
|
Purpose |
Hostname |
Port / Protocol |
|---|---|---|
|
bessa Manager |
|
TCP 443 / HTTPS |
|
bessa API (HTTPS + WebSocket Secure) |
|
TCP 443 / HTTPS and |
|
Treuepass POS endpoint |
|
TCP 443 / HTTPS |
The Connector keeps a long-lived WebSocket Secure connection (wss://) on TCP 443 to the bessa API — orders and status updates are exchanged over this channel in real time. The firewall must allow long-lived outbound TCP 443 connections without idle timeout.
Internal
Connector ↔ sales point:
|
Sales-point system |
Port |
|---|---|
|
dieKassa (integrated Connector) |
TCP 20030 on 127.0.0.1 |
|
dieKassa (standalone Connector on the LAN) |
TCP 20030 on the sales point's static IP |
|
Other sales-point systems |
TCP 20031 or 1090 — to be confirmed with the vendor |
Order channels (self-order tablets, third-party order apps, web shop): communication runs exclusively via the cloud (HTTPS). No port allowance is required directly at the Connector on the LAN.
3. Customer loyalty
Customer loyalty (bonus / loyalty program) runs entirely through the bessa cloud. There is no LAN component.
Outbound
|
Purpose |
Hostname |
Port / Protocol |
|---|---|---|
|
bessa API |
|
TCP 443 / HTTPS |
|
bessa Manager |
|
TCP 443 / HTTPS |
The legacy treuepass.app domain is deprecated. New deployments communicate exclusively via bessa.app endpoints.
Internal
None. No dedicated LAN hardware (no Treuepass reader / NFC terminal) is required.
4. Vouchers
Voucher management runs entirely through the bessa cloud.
Outbound
|
Purpose |
Hostname |
Port / Protocol |
|---|---|---|
|
bessa API (voucher validation & issue) |
|
TCP 443 / HTTPS |
External voucher providers (third-party in-house voucher platforms etc.) are not currently supported — no additional hosts need to be allowed.
Internal
None.
5. KPI app (Kennzahlen)
The KPI app delivers real-time reporting for a sales point. It talks locally to the sales point and outbound to the bessa cloud for sync and reporting.
Outbound
|
Purpose |
Hostname |
Port / Protocol |
|---|---|---|
|
bessa API (reporting / sync) |
|
TCP 443 / HTTPS |
Internal
-
KPI app ↔ sales point: TCP 1090
In multi-site deployments there is no central network-level aggregation. Each sales point is queried individually — the KPI app needs LAN reachability per site, not site-spanning.
6. Printers
Printers are local devices only. No outbound internet connectivity is required.
Outbound
None.
Internal
|
Printer type |
Discovery |
Port (TCP) |
Notes |
|---|---|---|---|
|
Star (receipt printer, network) |
mDNS / Bonjour (UDP 5353) |
9100 (Raw / ESC/POS) |
Discovery or static IP |
|
Epson (receipt printer, network) |
mDNS / Bonjour (UDP 5353) |
9100 |
Discovery or static IP |
|
Bixolon (receipt printer, network) |
mDNS / Bonjour (UDP 5353) |
9100 |
Discovery or static IP |
|
Metapace, Pulse |
no discovery |
9100 |
Static IP configuration |
|
Aures (label printer) |
no discovery |
9100 |
Static IP required |
|
Sunmi / iMin (built-in receipt printer) |
— |
— |
USB-local, no LAN configuration |
Reserve a DHCP lease for every network printer or assign a static IP. For most printer brands discovery is only used during initial setup — afterwards communication targets the static IP.
AirPrint / IPP (TCP 631) is not used.
7. Payment terminals
Payment terminals fall into two classes: card-payment terminals (cards, NFC, SoftPOS) and cash-payment terminals (Cashmatic). Cloud-only terminals (Vivawallet, SumUp, GPTom cloud mode) do not need a LAN port allowance; classic network terminals use ZVT, TIM, or TECS.
Outbound
-
Per vendor: HTTPS / TCP 443 to the vendor cloud (for backend log-in, transaction routing, terminal software updates).
-
The exact vendor cloud hostnames need to be obtained from the respective vendor — they are subject to vendor-side changes and are deliberately not hard-coded here.
Internal
|
Vendor |
Protocol |
Port (TCP) |
Notes |
|---|---|---|---|
|
Nexi |
ZVT |
5577 |
Network terminal, static IP |
|
Hobex |
ZVT |
20007 |
Network terminal, static IP |
|
Hobex |
TECS |
9990 |
Network terminal, static IP |
|
Worldline / PayOne |
TIM (WPI) |
20007 (default) |
Network terminal, static IP |
|
Worldline / PayOne |
ZVT |
7784 |
Network terminal, static IP — alternative ZVT configuration |
|
CCV / cardcomplete |
ZVT |
20007 (default) |
Network terminal, static IP |
|
Cashmatic (cash payment) |
proprietary |
7409 (default, freely configurable) |
Static IP |
|
Vivawallet |
— |
— |
Cloud-only (HTTPS) — no LAN port allowance required |
|
SumUp |
— |
— |
Cloud + Bluetooth — no LAN port allowance required |
|
Global Payments / GPTom |
— |
— |
Cloud variant: HTTPS; device-internal variant: communication directly between terminal and sales point |
Tap-on-Mobile / SoftPOS (Worldline WPI, GPTom app, Viva Tap-to-Pay) do not require their own LAN port allowance — the communication runs either via the vendor cloud (HTTPS) or locally on the Android device itself.
8. Beverage dispensers (Schankanlagen)
Beverage dispensers are typically vendor-certified and partially hardened devices that connect to the sales point — either directly via serial / USB or over the LAN.
Outbound
-
Each dispenser vendor typically contacts a vendor cloud for telemetry and updates (e.g. Heineken / Brau Union). The exact hostnames need to be obtained from the respective vendor.
Internal
|
Vendor / Protocol |
Connection |
Port |
Notes |
|---|---|---|---|
|
Brau Union Z1U |
LAN, static IP |
TCP 443 (HTTPS) |
Does not respond to ICMP / PING — diagnose directly via TCP 443 (see Brau Union Z1U dispenser ) |
|
E-Protocol |
USB / Serial |
— |
No LAN component |
|
VMPS |
USB / Serial or LAN |
UDP 28001 (default, in LAN mode) |
Static IP recommended in LAN mode |
FAQ
Is outbound HTTPS sufficient for cloud connectivity? Yes. All bessa cloud endpoints are reachable over TCP 443 / HTTPS only. No additional outbound ports are required.
Do we need to allow specific IP ranges (CIDR)? No. Allow only the hostnames listed in the tables above. Cloud IPs are delivered over CDN / load-balancer pools and can change.
Is an outbound-only profile sufficient for the sales point? For cloud connectivity, outbound HTTPS is enough. For the sales point's communication with local devices (printers, payment terminals, beverage dispensers), the sales point must actively reach those devices over the LAN — see the per-area tables.
Do devices need to answer ICMP / PING? No, ICMP is not strictly required. Some devices (e.g. Brau Union Z1U dispenser) deliberately do not answer ICMP. Diagnose via the device's TCP / UDP port instead.
We run multiple sites behind an SD-WAN — what changes? The same requirements apply per site. There is no site-spanning network-level aggregation; each site communicates independently with the bessa cloud and with its local devices.
Which hostnames need to be allowed for the TSE / RKSV signing component? This depends on the customer's country: Austria (RKSV) requires rksv.a-trust.at and / or rksv.fiskaly.com, Germany (TSE) requires kassensichv-middleware.fiskaly.com, and other countries may require cloud-efr.efsta.net. Allow only the hostnames relevant to your site.
What if a vendor cloud hostname is missing for a payment terminal or beverage dispenser? These hostnames need to be obtained from the respective vendor — they are subject to vendor-side changes and are deliberately not hard-coded here.