Available in PaperCut NG and PaperCut MF.

Restrict access to the Application Server

You can restrict access to the Application ServerAn Application Server is the primary server program responsible for providing the PaperCut user interface, storing data, and providing services to users. PaperCut uses the Application Server to manage user and account information, manage printers, calculate print costs, provide a web browser interface to administrators and end users, and much more. by the following components:

Restrict access to the Application Server by SysAdmins

After initial installation only the admin user, defined during the setup process, is permitted to administer the system. To allow additional users to administer PaperCut NG/MF follow the instructions defined in Assigning administrator level access.

You can also lock down access to the Admin web interface so that admins can log in only from a subset of network addresses.

  1. Select Options > Advanced. The Advanced page is displayed.

  2. In the Security area, in Allowed admin IP addresses, enter the list of IP addresses or subnet masks to allow. The list of addresses is comma separated. The format of the subnet is X.X.X.X/Y.Y.Y.Y (where X represents the address and Y the subnet mask).

  3. Click Apply.

  4. Test that admins can access the Application Server Admin interface from the allowed network addresses.

Restrict access to the Application Server by MFDs

You can restrict the devices that can to communicate with the Application Server.

  1. Select Options > Advanced. The Advanced page is displayed.

  2. In the Security area, in Allowed device IP addresses, enter the list of IP addresses or subnet masks to allow. The list of addresses is comma separated. The format of the subnet is X.X.X.X/Y.Y.Y.Y (where X represents the address and Y the subnet mask).

  3. Click Apply.

  4. Perform a test login or print job release from each MFD to ensure they can still communicate to the Application Server.

Restrict access to the Application Server by Site Servers

The PaperCut NG/MF architecture (see Architecture Overview and Print monitoring architecture) involves having a central Application Server and possibly multiple Site Servers sending data back to the Application Server to process.

PaperCut NG/MF supports an unlimited number of Site Servers and they can be located anywhere on the network. By default, PaperCut NG/MF allows these Site Servers to connect from any machine on the network. You can restrict this to a reduced set of machines by specifying a list of IP addresses or subnets that are allowed to submit information to the Application Server. You can set this using any one of the following methods:

ClosedFrom the Options > Advanced > Security area:

  1. Select Options > Advanced. The Advanced page is displayed.

  2. In the Security area, in Allowed site server IP addresses (eg. secondary print servers), enter the list of IP addresses or subnet masks to allow. The list of addresses is comma separated. The format of the subnet is X.X.X.X/Y.Y.Y.Y (where X represents the address and Y the subnet mask).

  3. Click Apply.

  4. Test all Site Servers to ensure that they can still submit information to the Application Server. To test the Site ServerSite Servers take over the role of a Primary Application Server in the event of network outages. Key roles taken over include authentication, copy and print tracking and Find-Me printing. Site Servers ensure continuous availability of printing resources to support key business functions over unreliable network links or during unplanned network disruptions., perform a test print job to the Site Server that the provider is running on.

ClosedUsing the Advanced Config Editor:

  1. Click the Options tab. The General page is displayed.

  2. In the Actions menu, click Config editor (advanced).

    The Config EditorThe Config Editor stores information used by PaperCut to configure advanced options and functions. This information is stored in config keys, which are editable by an administrator. page is displayed.

  3. Edit the following config keyA config key stores information about a specific advanced setting in PaperCut. Config keys are editable by an administrator in the Config Editor.:
    Config nameDescription
    auth.site.allowed-addresses

    Enter a comma separated list of IP addresses to allow.

  4. Click Apply.

  5. Test all Site Servers to ensure that they can still submit information to the Application Server. To test the Site Server, perform a test print job to the Site Server that the provider is running on.

Restrict access to the Application Server by print servers

The PaperCut NG/MF architecture (see Architecture Overview and Print monitoring architecture) involves having a central Application Server and possibly multiple print servers sending data back to the Application Server to process. The PaperCut NG/MF components on the print serverA print server is a system responsible for hosting print queues and sharing printer resources to desktops. Users submit print jobs to a print server rather then directly to the printer itself. A print server can be a dedicated server but on many networks this server also performs other tasks, such as file serving that are responsible for sending this data back to the Application Server include Print Providers and Mobility Print.

PaperCut NG/MF supports an unlimited number of information providers and they can be located anywhere on the network. By default, PaperCut NG/MF allows these providers to connect from any machine on the network. You can restrict this to a reduced set of machines by specifying a list of IP addresses or subnets that are allowed to submit information to the Application Server.

  1. Select Options > Advanced. The Advanced page is displayed.

  2. In the Security area, in Allowed remote provider IP addresses (eg. secondary print servers), enter the list of IP addresses or subnet masks to allow. The list of addresses is comma separated. The format of the subnet is X.X.X.X/Y.Y.Y.Y (where X represents the address and Y the subnet mask).

  3. Click Apply.

  4. Test all providers to ensure that they can still submit information to the Application Server. To test the Print ProviderA Print Provider is a monitoring service installed on a secondary print server to allow PaperCut to control and track printers. This monitoring component intercepts the local printing and reports the use back to the primary Application Server., perform a test print job to the server that the provider is running on.

Restrict access to the XML Web Services

You can lock down access so that only a subset of network addresses can call the XML Web Services APIApplication Programming Interface (API) is a set of routines, protocols, and tools for building software and applications. An API expresses a software component in terms of its operations, inputs, outputs, and underlying types, defining functionalities that are independent of their respective implementations, which allows definitions and implementations to vary without compromising the interface..

  1. Select Options > Advanced. The Advanced page is displayed.

  2. In the Security area, in Allowed XML Web Services callers, enter the list of IP addresses or subnet masks to allow access to the XML Web Services API. The list of addresses is comma separated. The format of the subnet is X.X.X.X/Y.Y.Y.Y (where X represents the address and Y the subnet mask).

  3. Click Apply.

  4. Perform a test XML Web Services call from the allowed network addresses.

Set up trusted proxy servers

PaperCut NG/MF uses the originating IP address to help identify the calling device in some situations. If you are accessing the PaperCut NG/MF Application Server via a proxy server or load balancer, the originating IP address might be obscured. This might cause situations such as no jobs being displayed in the Mobile web client for iPhone/iPad users, or problems using some features of secondary print servers.

Most proxy servers do retain the originating source address in an X-Forwarded-For HTTP header. This header lists the originating source address plus the address of each proxy server forwarding the message.

For security reasons, PaperCut NG/MF by default does not trust the X-Forwarded-For header. To make use of this header and get your clients to work via a proxy server, you must first add your proxy servers to PaperCut NG/MF’s list of trusted proxy servers. If a request arrives from a trusted proxy server, PaperCut will look at the X-Forwarded-For header and work backwards through the "hops” (if there are multiple values) to find the IP that made the request to the first trusted proxy server.

You can set up trusted proxy servers for Mobile Client access.

  1. Select Options > Advanced. The Advanced page is displayed.

  2. In the Security area, in Trusted Proxy Servers, enter the list of IP addresses or subnet masks to allow access to the server via a proxy. The list of addresses is comma separated. The format of the subnet is X.X.X.X/Y.Y.Y.Y (where X represents the address and Y the subnet mask).

  3. Click Apply.

  4. Test remote access via your proxy server.

Restrict access to the Application Server by Release Stations

You can restrict the address ranges from which standard Release Stations (see Standard Release Station) access the Application Server. This measure only applies to standard Release Stations and does not affect print release at an embedded device or from a web browser.

  1. Click the Options tab. The General page is displayed.

  2. In the Actions menu, click Config editor (advanced).

    The Config Editor page is displayed.

  3. Search for the config key: auth.release-station.allowed-addresses

  4. Enter the list of IP addresses or subnet masks to allow. The list of addresses is comma separated. The format of the subnet is X.X.X.X/Y.Y.Y.Y (where X represents the address and Y the subnet mask).

  5. Click Update.

  6. Test all standard Release Stations to ensure they can still successfully start-up and connect to the Application Server.