Battle-tested in production — connects Vista by Viewpoint today

Connect on-premise ERPs to the cloud

Most SaaS companies give up on on-premise ERPs — Vista by Viewpoint, MYOB Desktop, Sage 300, custom systems. We didn’t. The Windows Service + SQS work queue pattern we built for StatementZen solves the air-gapped ERP problem without VPNs, firewall holes, or IT tickets. Now we build it for other SaaS companies.

The air-gapped ERP problem

Why most SaaS companies can’t integrate with the ERPs their biggest customers actually use.

No public API

Vista, MYOB Desktop, Sage 300 — they run on-premise, behind firewalls, with no cloud API. The vendor never built one.

No VPN option

Customer IT teams won’t open inbound ports, won’t provision VPN tunnels for every SaaS vendor, won’t manage static IPs.

Integration graveyard

SaaS competitors list “coming soon” forever. The ones that try CSV exports create support nightmares. Customers stay on Excel.

The pattern that actually works

Battle-tested architecture. Running in production. Reusable for any on-premise ERP.

Windows Service inside the network

A lightweight .NET 8 BackgroundService runs on a server inside the customer network. Reads ERP data via stored procs, ODBC, or native API. .NET 8 ensures modern security, TLS 1.3, and fast cold-start.

Outbound-only SQS work queue

Service long-polls an AWS SQS queue. No inbound ports, no VPN, no firewall holes, no static IPs. Backend pushes work (fetch data, refresh, rotate secret) — service pulls and executes.

6-character pairing flow

No manual credential copy-paste. Service generates a 6-char code (unambiguous alphabet). Customer enters code in web app. Backend creates ERP config. Service polls pairing-status until claimed. Under 5 minutes.
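The pairing exchange above, sketched as an added example (not StatementZen's code; Python is used only to show the logic). The alphabet, the 10-minute expiry, the per-tenant attempt limit and the `PairingBackend` class are assumptions: a 6-character code has a small keyspace, so the sketch makes it short-lived, single-use and rate-limited.

```python
import secrets
from typing import Optional

# Assumption: the page does not list its alphabet; this one drops 0/O and 1/I/L.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"
CODE_LEN, TTL_SECONDS, MAX_BAD_ATTEMPTS = 6, 600, 5  # assumed limits

def generate_code() -> str:
    """Service side: draw every character from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))

def normalize(typed: str) -> Optional[str]:
    """Accept what a person types: lower case, spaces, dashes."""
    code = typed.upper().replace(" ", "").replace("-", "")
    ok = len(code) == CODE_LEN and all(c in ALPHABET for c in code)
    return code if ok else None

class PairingBackend:
    """Hypothetical in-memory stand-in for the backend pairing table."""
    def __init__(self):
        self.pending = {}   # code -> (service_id, expires_at)
        self.claimed = {}   # service_id -> tenant_id
        self.bad = {}       # tenant_id -> failed attempts

    def register(self, service_id: str, code: str, now: float) -> None:
        self.pending[code] = (service_id, now + TTL_SECONDS)

    def claim(self, tenant_id: str, typed: str, now: float) -> str:
        if self.bad.get(tenant_id, 0) >= MAX_BAD_ATTEMPTS:
            return "locked"                # stops online guessing
        code = normalize(typed)
        entry = self.pending.get(code) if code else None
        if entry is None or now > entry[1]:
            self.pending.pop(code, None)   # expired codes are dropped
            self.bad[tenant_id] = self.bad.get(tenant_id, 0) + 1
            return "rejected"
        del self.pending[code]             # single use
        self.claimed[entry[0]] = tenant_id
        return "claimed"

    def status(self, service_id: str) -> str:
        """What the service sees each time it polls pairing-status."""
        return "claimed" if service_id in self.claimed else "pending"
```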

Zero-downtime secret rotation

Pending → active promotion with atomic commit. A 409 concurrency guard prevents races. Customer never sees a credential prompt. Enterprise-grade security posture without operational pain.
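One way the pending → active promotion and the 409 guard can fit together, as an added example rather than the product's implementation. The version counter, the `SecretStore` class and the rule that both secrets authenticate while a rotation is in flight are assumptions.

```python
import hmac
import secrets
import threading

class Conflict(Exception):
    """Maps to HTTP 409 in this sketch."""
    status = 409

def _same(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode(), b.encode())  # constant-time compare

class SecretStore:
    """Hypothetical backend record for one service: active + pending slot."""
    def __init__(self, initial: str):
        self._lock = threading.Lock()
        self.active, self.pending, self.version = initial, None, 1

    def begin_rotation(self, expected_version: int) -> str:
        """Stage a new secret; a second rotation or a stale caller gets 409."""
        with self._lock:
            if self.pending is not None or expected_version != self.version:
                raise Conflict("rotation already in flight or stale version")
            self.pending = secrets.token_urlsafe(32)
            return self.pending

    def authenticate(self, presented: str) -> bool:
        """Both slots are accepted during the window, so no request fails."""
        with self._lock:
            candidates = [s for s in (self.active, self.pending) if s]
        return any(_same(presented, s) for s in candidates)

    def commit(self, presented: str, expected_version: int) -> int:
        """Promote pending -> active once the service proves it stored it."""
        with self._lock:  # check and swap happen under one lock: atomic
            if self.pending is None or expected_version != self.version:
                raise Conflict("nothing to promote or stale version")
            if not _same(presented, self.pending):
                raise PermissionError("pending secret not proven")
            self.active, self.pending = self.pending, None
            self.version += 1
            return self.version
```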

AES-256-GCM credential storage

DB passwords encrypted at rest in Windows registry (HKLM). AES-256-GCM replaces legacy DPAPI for portability and compliance. SOC 2 Type II-aligned controls.

Velopack auto-updates

Client checks S3 hourly, downloads delta packages, applies silently, restarts the service. Deploy fixes across all customers without IT tickets. Velopack hooks handle install/uninstall/update cleanly.

ERPs we integrate with this pattern

Every on-premise ERP that has a SQL Server, ODBC, or Windows API is a candidate.

Vista by Viewpoint

Live in production

Running the StatementZen integration today across multiple US construction contractors.

MYOB Desktop (AccountRight)

Ideal candidate

No cloud API, firewall-locked ODBC. The exact pattern this architecture was built for.

Sage 300 CRE / ERP

Ideal candidate

On-premise SQL Server. Stored proc access available. Same pattern as Vista.

Custom / legacy ERPs

Ideal candidate

Any SQL Server, Oracle, or flat-file based ERP. If it has a stored proc or ODBC connection, we can integrate it.

Acumatica (on-prem)

Ideal candidate

When the hosted instance isn't an option. Same Windows Service + SQS pattern.

Timberline / Sage Timberline

Ideal candidate

Construction ERP with SQL backend, same integration shape as Vista.

Frequently asked questions

How do you integrate an on-premise ERP that has no public API?

You install a lightweight Windows Service inside the customer network. The service long-polls an outbound AWS SQS queue for work items, reads ERP data via stored procs or ODBC, and streams results back to the cloud. No inbound ports, no VPN, no firewall changes. This is how we connected Vista by Viewpoint — proven, in production, reusable for any on-premise ERP.

Why not just use a VPN or direct SQL connection?

VPNs are operationally expensive (IT tickets, credential management, per-customer tunnels) and direct SQL requires firewall changes most customers will never approve. An outbound-only SQS pattern works with any corporate firewall without configuration. It scales to thousands of customers without infrastructure growth.

What's the advantage of SQS over HTTP polling?

SQS long-polling gives you push semantics with pull reliability. Service stays idle with one open connection. Backend dispatches work with near-zero latency. Messages persist if the service is offline — work resumes when it reconnects. HTTP polling is wasteful, laggy, and brittle by comparison.

How does customer onboarding actually work?

Customer downloads the installer (Velopack Setup.exe from S3, signed). Runs as admin. Installer creates the Windows Service, service generates a 6-character pairing code. Customer logs into the web app, enters the code on the integration page. Backend creates the ERP config and links the service. Done — under 5 minutes, no IT ticket.

What ERPs is this pattern suitable for?

Any on-premise ERP with a SQL Server backend, ODBC connection, or native Windows API. Vista by Viewpoint (live in production), MYOB Desktop, Sage 300 CRE, Sage Timberline, on-prem Acumatica, custom accounting systems. We've already built the hard parts — pairing, secret rotation, auto-updates, heartbeat, SQS dispatch — so new integrations reuse the infrastructure.

How long does a new offline ERP integration take to build?

The pattern infrastructure already exists. Adding a new ERP means: (1) stored proc or API readers for that ERP, (2) new SQS message types, (3) streaming endpoints on the backend, (4) frontend settings UI. Typical timeline: 4-8 weeks for a new ERP including testing and Velopack packaging. Compare to 6-9 months from scratch.

Can we white-label this for our product?

Yes. We license the pattern to SaaS companies that need to integrate customer on-premise ERPs. You get the Windows Service template, SQS dispatch, pairing flow, auto-update pipeline, secret rotation, and frontend component. Your branding, your product, proven infrastructure.

Stop telling customers their ERP isn't supported.

Book a 30-minute architecture call. We'll scope your offline ERP integration, quote fixed price, and typically ship a working Windows Service in 4-8 weeks.


30 minutes. No obligation. Hourly or fixed-price if we work together.