Firewall Ports used by NG & MF

Q I would like to configure a firewall on the server. What ports does PaperCut use?

The main network TCP ports used by PaperCut are:

• 9191 for HTTP connections
• 9192 for secure HTTP/SSL connection
• 9193 for device RPC (only used for embedded copier/MFP solutions)

UDP ports are not used for connections from PaperCut client to the sever, only standard TCP. All connections are made inbound from clients and secondary servers to the primary server. No outbound connections are made by the primary server to any workstation or secondary server.

PaperCut uses standard HTTP XML WebServices for client-server and server-server communication (XML-RPC). Sensitive data is sent over SSL/HTTPS on port 9192. The PaperCut installer on Windows and Mac will endeavor to make sure these ports are open. Linux systems running firewalls may need to manual open these ports to local network IP addresses as appropriate.

Card Readers

Elatec TWN3 Reader and TCP Converter

• Outbound
  • 7778

RFIDeas Lantronix

• Outbound
  • 10001

RFIdeas Ethernet 241

• Outbound
  • 2000

External Database

PaperCut makes use of the jTDS JDBC driver for Microsoft SQL server and SQL Server Express, the postgresql JDBC driver for PostgreSQL, Oracle JDBC for Oracle and MySQL JDBC for MySQL.

You may specify a custom port, the defaults are below.

• Oracle: 1521
• Microsoft SQL Server: 1433
• Microsoft SQL Server Express: 1450
• MySQL: 3306
• PostgreSQL: 5432

Google Cloud Directory

PaperCut NG and PaperCut MF will use Secure LDAP to communicate with the Google Cloud Directory service:

• 636 TCP (LDAPS), with outbound connections to:
  • ldap.google.com

Note: make sure any firewall rules allow “any” as source port for the PaperCut server in this case. The source/client port is dynamically allocated, and not meaningful.

Google Cloud Print

PaperCut NG and PaperCut MF need to be able to communicate to the Google Cloud Print services. This is done on:

• 443 TCP (HTTPS), with connections to:
  • https://www.googleapis.com/*
  • https://accounts.google.com/*
  • https://www.google.com/cloudprint/*
• 5222 TCP (XMPP, using STARTTLS), with a persistent connection to:
  • talk.google.com

By default, this needs to be achievable without the use of a proxy, unless that proxy is “transparent” on TCP ports 80 and 443, and requires no authentication. If running version 17.3 or later of PaperCut NG or PaperCut MF, a proxy server which is not “transparent” may be able to be configured using the instructions found in the following section of the User Manual.

PaperCut MF Cloud Services (Integrated Scanning with Scan to Cloud and/or Cloud OCR)

For a PaperCut server to have content processed by PaperCut MF Cloud Services it must be able to form an outgoing connection to the following endpoints:

• 443 TCP (HTTPS), with connection to:
  • https://*.papercut.com/*
  • https://storage.googleapis.com/*

the following specific URLs are used, depending on your PaperCut version and PaperCut MF Cloud Services hosting region, in case you are unable to use a wildcard in the domain part:

• 443 TCP (HTTPS), with connection to:
  • https://scan.cloud.papercut.com/*
  • https://ocr.cloud.papercut.com/*
  • https://scan.au.cloud.papercut.com/*
  • https://ocr.au.cloud.papercut.com/*
  • https://scan.eu.cloud.papercut.com/*
  • https://ocr.eu.cloud.papercut.com/*
  • https://scan.us.cloud.papercut.com/*
  • https://ocr.us.cloud.papercut.com/*
  • https://scan.papercut.com/* (legacy)

Integrated Scanning - Locally hosted OCR (On-premise)

Part of the Project Wollemi percolator.

• 9181 TCP (HTTPS) inbound on the Locally hosted OCR Server

(The Windows Firewall is configured automatically by the installer. Manual configuration is only required if using an off-box or 3rd party software firewall.)

Job Ticketing

The following port and URL endpoints must be externally available for auto updating:

• 443 TCP (HTTPS), with connections to:
  • https://pc-job-ticketing.appspot.com/*
  • https://storage.googleapis.com/pc-job-ticketing.appspot.com/*

Print Deploy

See the Print Deploy system requirements page which shows the ports and protocols we use.

Mobility Print

See the Mobility Print system requirements page which shows the ports and protocols we use.

The following port and URL endpoints must be externally available for auto updating:

• 443 TCP (HTTPS), with connections to:
  • https://mobility-print.papercut.com/*
  • https://storage.googleapis.com/pc-mobility-print.appspot.com/*

The following port and URL endpoints must be externally available for retrieval of the client setup files when setting up Mobility Print with a Known Host:

• 443 TCP (HTTPS), with connections to:
  • https://www.papercut.com/api/product/mobility-print/latest/client/windows
  • https://www.papercut.com/api/product/mobility-print/latest/client/macos
  • https://www.papercut.com/api/product/mobility-print/latest/client/android
  • https://ios-profile-signing-dot-pc-mobility-print.appspot.com/sign-profile/v1

Multi Function Devices

PaperCut MF uses a variety of port for connecting to copiers, MFPs and other devices. These are listed below by device.

Brother

• Inbound (device connecting to PaperCut)
  • 9191 TCP/HTTP

Canon

• Inbound (device connecting to PaperCut)
  • 9191
  • 9192
  • 9193

Dell (AIP)

• Inbound (device connecting to PaperCut)
  • 9191
  • 9192
• Outbound (PaperCut connecting to the device)
  • 443

HP

• Inbound
  • 9191
  • 9192
  • 9193
• Outbound connections from PaperCut to the HP devices on port:
  • 7627 (TCP/HTTPS)
  • 80 / 443

Fuji-Xerox (AIP)

• Inbound (device connecting to PaperCut)
  • 9191
  • 9192
• Outbound (PaperCut connecting to the device)
  • 80
  • 443

Konica-Minolta

• Inbound (device connecting to PaperCut)
  • 9191
  • 9192
  • 9195 (Required for SHA2 on MF v18.3 onwards)
• Outbound (connecting to the device)
  • 50003
  • 80/443

Kyocera

• Inbound
  • 9191
  • 9192
  • 9193

Lexmark

• Inbound
  • 9191
  • 9192
  • 9193

Ricoh SDK/J

• Inbound
  • 9191 (if configured to use port 9193 and Integrated Scanning)
  • 9192
  • 9193
  • 51443 (for setup with Remote Operation Client)

Ricoh SmartSDK

• Inbound
  • 9191
  • 9192
  • 51443 (for setup with Remote Operation Client)

Samsung

• Inbound
  • 9191 (if using custom logos)
  • 9192
  • 9193

Sharp

• Inbound
  • 9191
  • 9192
• Outbound
  • 80
  • 443

Toshiba

• Inbound
  • 9191 TCP - for EWB
  • 9192 TCP - secure messages for EWB
  • 10389 TCP (LDAP)
  • 10636 TCP (LDAPS)
  • 162 UDP (SNMP traps) for SDK1 only
• Outbound
  • 161 UDP (SNMP) for SDK1 only
  • 49629 TCP (HTTP) for SDK2 and RD30 only
  • 49630 TCP (HTTPS) for SDK2 and RD30 only
  • 50083 TCP (HTTP) - for V3

VCC Terminals

• Outbound
  • 1234
  • 1235

Xerox

• Inbound
  • 9191
  • 9192
• Outbound
  • 80
  • 443

SNMP

• Outbound (PaperCut connecting to the Printer/Device)
  • 161 UDP

Windows Print Spooler Service

The PaperCut Print Provider service will use TCP/IP ports allocated by the Windows Print Spooler service. The Windows Print Service uses the dynamic port range from 49152 to 65535. You will need to retain this port range when redirecting print jobs between a Primary and Secondary server (Cross-Server Redirection).

• 49152-65535 TCP and UDP
• 445 TCP, Server Message Block

If using NetBIOS:

• 137/138 UDP, Name and Datagram Services
• 139 TCP, Session Services

Categories: Implementation / Deployment, Architecture

keywords: port, TCP, fire wall, firewall rules, anti virus