Firewall Ports used by NG & MF

Q I would like to configure a firewall on the server. What ports does PaperCut use?

The main network TCP ports used by PaperCut are:

  • 9191 for HTTP connections
  • 9192 for secure HTTP/SSL connection
  • 9193 for device RPC (only used for embedded copier/MFP solutions)

UDP ports are not used for connections from PaperCut client to the sever, only standard TCP. All connections are made inbound from clients and secondary servers to the primary server. No outbound connections are made by the primary server to any workstation or secondary server.

PaperCut uses standard HTTP XML WebServices for client-server and server-server communication (XML-RPC). Sensitive data is sent over SSL/HTTPS on port 9192. The PaperCut installer on Windows and Mac will endeavor to make sure these ports are open. Linux systems running firewalls may need to manual open these ports to local network IP addresses as appropriate.

Card Readers

Elatec TWN3 Reader and TCP Converter

  • Outbound
    • 7778

RFIDeas Lantronix

  • Outbound
    • 10001

RFIdeas Ethernet 241

  • Outbound
    • 2000

External Database

PaperCut makes use of the jTDS JDBC driver for Microsoft SQL server and SQL Server Express, the postgresql JDBC driver for PostgreSQL, Oracle JDBC for Oracle and MySQL JDBC for MySQL.

You may specify a custom port, the defaults are below.

  • Oracle: 1521
  • Microsoft SQL Server: 1433
  • Microsoft SQL Server Express: 1450
  • MySQL: 3306
  • PostgreSQL: 5432

Google Cloud Directory

PaperCut NG and PaperCut MF will use Secure LDAP to communicate with the Google Cloud Directory service:

  • 636 TCP (LDAPS), with outbound connections to:
    • ldap.google.com

Note: make sure any firewall rules allow “any” as source port for the PaperCut server in this case. The source/client port is dynamically allocated, and not meaningful.

Azure Active Directory with Secure LDAP

PaperCut NG and PaperCut MF will use Secure LDAP to communicate with the Azure Active Directory service:

  • 636 TCP (LDAPS), with outbound connections to the Azure LDAP External Address populated in PaperCut, configured in the Azure Portal.

Note: make sure any firewall rules allow “any” as source port for the PaperCut server in this case. The source/client port is dynamically allocated, and not meaningful.

Azure Active Directory with Microsoft Graph

PaperCut NG and PaperCut MF will use SSL to communicate with the Azure Active Directory service:

  • 443 TCP, with outbound connections to:
    • graph.microsoft.com

Note: make sure any firewall rules allow “any” as source port for the PaperCut server in this case. The source/client port is dynamically allocated, and not meaningful.

LDAP Directory Service

PaperCut NG and PaperCut MF can synchronise user accounts from a directory which supports LDAP (e.g. Active Directory, Open Directory, Novell eDirectory, etcetera).

  • 389 TCP (LDAP) or 636 TCP (LDAPS)

Active Directory

PaperCut NG and PaperCut MF can synchronise user accounts with native Windows Active Directory from a domain joined Application Server.

  • 445 TCP & UDP, Server Message Block (SMB)
  • 88 TCP & UDP, Kerberos
  • 389 UDP, LDAP
  • 53 TCP & UDP, DNS
  • 135 TCP, RPC - unless restricted, a dynamically assigned TCP port in range 49152-65535 also used for RPC

Mobility Print - Cloud Print (for server registration & peer-to-peer traffic

To register the server and notify it of incoming jobs

  • 443 TCP to mp.cloud.papercut.com
  • 8883 TCP to mqtt.googleapis.com

To orchestrate the peer-to-peer connection

  • 3478 TCP & UDP to global.stun.twilio.com
  • 443 TCP & 3478 UDP to global.turn.twilio.com

PaperCut MF Cloud Services (Integrated Scanning with Scan to Cloud and/or Cloud OCR)

For a PaperCut server to have content processed by PaperCut MF Cloud Services it must be able to form an outgoing connection to the following endpoints:

  • 443 TCP (HTTPS), with connection to:
    • https://*.papercut.com/*
    • https://storage.googleapis.com/*

the following specific URLs are used, depending on your PaperCut version and PaperCut MF Cloud Services hosting region, in case you are unable to use a wildcard in the domain part:

  • 443 TCP (HTTPS), with connection to:
    • https://scan.cloud.papercut.com/*
    • https://ocr.cloud.papercut.com/*
    • https://scan.au.cloud.papercut.com/*
    • https://ocr.au.cloud.papercut.com/*
    • https://scan.eu.cloud.papercut.com/*
    • https://ocr.eu.cloud.papercut.com/*
    • https://scan.us.cloud.papercut.com/*
    • https://ocr.us.cloud.papercut.com/*
    • https://scan.papercut.com/* (legacy)

Integrated Scanning - Self-Hosted Document Processing (FKA On-prem OCR, locally hosted)

  • 9181 TCP (HTTPS) inbound on the Self-Hosted Document Processing Server

(The Windows Firewall is configured automatically by the installer. Manual configuration is only required if using an off-box or 3rd party software firewall.)

The following port and URL endpoint must be externally available for auto updating of the Self-Hosted Document Processing server:

  • 443 TCP (HTTPS), with connection to:
    • https://update.ocr.cloud.papercut.com/client-version/v3/check-update/pc-ocr/win/

PaperCut Grows

To sync page and tree usage to PaperCut Grows services:

443 TCP to https://grows.papercut.com

Sign in with Google

To allow signing in with Google to the PaperCut web interfaces, the Application Server must be able to form an outgoing connection to the following endpoints:

  • 443 TCP (HTTPS), with connection to:
    • https://accounts.google.com/*
    • https://oauth2.googleapis.com/*

Sign in with Microsoft

To allow signing in with Microsoft to the PaperCut user/admin web interfaces, the Application Server must be able to form an outgoing connection to the following endpoints:

  • 443 TCP (HTTPS), with connection to:
    • graph.microsoft.com
    • login.microsoftonline.com

Job Ticketing

Job Ticketing requires the following port to be available on the server:

  • 9111 TCP

The following port and URL endpoints must be externally available for auto updating:

  • 443 TCP (HTTPS), with connections to:
    • https://pc-job-ticketing.appspot.com/*
    • https://storage.googleapis.com/pc-job-ticketing.appspot.com/*

Print Deploy

See the Print Deploy system requirements page which shows the ports and protocols we use.

Mobility Print

See the Mobility Print system requirements page which shows the ports and protocols we use.

Multi Function Devices

PaperCut MF uses a variety of port for connecting to copiers, MFPs and other devices. These are listed below by device.

Brother

  • Inbound (device connecting to PaperCut)
    • 9191 TCP/HTTP

Canon

  • Inbound (device connecting to PaperCut)
    • 9191
    • 9192
    • 9193

Dell (AIP)

  • Inbound (device connecting to PaperCut)
    • 9191
    • 9192
  • Outbound (PaperCut connecting to the device)
    • 80
    • 443

HP

  • Inbound
    • 9191
    • 9192
    • 9193
  • Outbound connections from PaperCut to the HP devices on port:
    • 7627 (TCP/HTTPS)
    • 80 / 443

Fujifilm BI

  • Inbound (device connecting to PaperCut)
    • 9191
    • 9192
  • Outbound (PaperCut connecting to the device)
    • 80
    • 443

Fuji-Xerox (AIP)

  • Inbound (device connecting to PaperCut)
    • 9191
    • 9192
  • Outbound (PaperCut connecting to the device)
    • 80
    • 443

Konica-Minolta

  • Inbound (device connecting to PaperCut)
    • 9191
    • 9192
    • 9195 (Required for SHA2 on MF v18.3 onwards)
  • Outbound (connecting to the device)
    • 50003
    • 80/443

Kyocera

  • Inbound
    • 9191
    • 9192
    • 9193

Lexmark

  • Inbound
    • 9191
    • 9192
    • 9193

Ricoh SDK/J

  • Inbound
    • 9191 (if configured to use port 9193 and Integrated Scanning)
    • 9192
    • 9193
    • 51443 (for setup with Remote Operation Client)

Ricoh SmartSDK

  • Inbound
    • 9191
    • 9192
    • 51443 (for setup with Remote Operation Client)

Samsung

  • Inbound
    • 9191 (if using custom logos)
    • 9192
    • 9193

Sharp

  • Inbound
    • 9191
    • 9192
  • Outbound
    • 80
    • 443

Toshiba

  • Inbound
    • 9191 TCP - for EWB and SOAP events
    • 9192 TCP - secure messages for EWB and SOAP events
    • 10389 TCP (LDAP) for SDK1 and SDK2 only
    • 10636 TCP (LDAPS) for SDK1 and SDK2 only
    • 162 UDP (SNMP traps) for SDK1 only
  • Outbound
    • 161 UDP (SNMP) for SDK1 only
    • 49629 TCP (HTTP) for SDK2, SDK3 and RD30 only
    • 49630 TCP (HTTPS) for SDK2, SDK3 and RD30 only
    • 50083 TCP (HTTP) for SDK3 only (for scanning)

VCC Terminals

  • Outbound
    • 1234
    • 1235

Xerox

  • Inbound
    • 9191
    • 9192
  • Outbound
    • 80
    • 443

SNMP

  • Outbound (PaperCut connecting to the Printer/Device)
    • 161 UDP

PaperCut Connector for Microsoft Universal Print

  • Internal (Used for primary and secondary connectors)
    • 9151 TCP

Windows Print Spooler Service

The PaperCut Print Provider service will use TCP/IP ports allocated by the Windows Print Spooler service. The Windows Print Service uses the dynamic port range from 49152 to 65535. You will need to retain this port range when redirecting print jobs between a Primary and Secondary server (Cross-Server Redirection).

  • 49152-65535 TCP and UDP
  • 445 TCP, Server Message Block (SMB)
  • 135 TCP, Remote Procedure Call, RPC (can result in 0×0000011b and 0×0000007c errors if this is blocked)

If using NetBIOS:

  • 137/138 UDP, Name and Datagram Services
  • 139 TCP, Session Services

Categories: Reference Articles, Administration, Installing, Uninstalling and Migrating


keywords: port, TCP, fire wall, firewall rules, anti virus

Comments