Firewall Ports used by NG & MF

The main network TCP ports used by PaperCut are:

• 9191 for HTTP connections
• 9192 for secure HTTP/SSL connection
• 9193 for device RPC (only used for embedded copier/MFP solutions)
• 443 for HTTPS connections to the Global Entitlements Service at https://mf.cloud.papercut.com/* (used in PaperCut NG and PaperCut MF version 24.0 and later)

UDP ports are not used for connections from PaperCut client to the sever, only standard TCP. All connections are made inbound from clients and secondary servers to the primary server. No outbound connections are made by the primary server to any workstation or secondary server.

PaperCut uses standard HTTP XML WebServices for client-server and server-server communication XML-RPC. Sensitive data is sent over SSL/HTTPS on port 9192. The PaperCut installer on Windows and macOS will endeavor to make sure these ports are open. Linux systems running firewalls may need to manual open these ports to local network IP addresses as appropriate.

Card readers

Elatec TWN3 Reader and TCP Converter

• Outbound
  • 7778

RFIDeas Lantronix

• Outbound
  • 10001

RFIdeas Ethernet 241

• Outbound
  • 2000

External database

PaperCut makes use of the jTDS JDBC driver for Microsoft SQL server and SQL Server Express, the postgresql JDBC driver for PostgreSQL, Oracle JDBC for Oracle and MySQL JDBC for MySQL.

You may specify a custom port, the defaults are below.

• Oracle: 1521
• Microsoft SQL Server: 1433
• Microsoft SQL Server Express: 1450
• MySQL: 3306
• PostgreSQL: 5432

Google Cloud Directory

PaperCut NG and PaperCut MF will use Secure LDAP to communicate with the Google Cloud Directory service:

• 636 TCP (LDAPS), with outbound connections to:
  • ldap.google.com

Note: make sure any firewall rules allow “any” as source port for the PaperCut server in this case. The source/client port is dynamically allocated, and not meaningful.

See Synchronize user and group details with Google Cloud Directory for more information on configuring this sync source.

Azure Active Directory with Secure LDAP

PaperCut NG and PaperCut MF will use Secure LDAP to communicate with the Azure Active Directory service:

• 636 TCP (LDAPS), with outbound connections to the Azure LDAP External Address populated in PaperCut, configured in the Azure Portal.

Note: make sure any firewall rules allow “any” as source port for the PaperCut server in this case. The source/client port is dynamically allocated, and not meaningful.

See Synchronize user and group details with Azure AD Secure LDAP for more information on configuring this sync source.

Azure Active Directory with Microsoft Graph

PaperCut NG and PaperCut MF will use SSL to communicate with the Azure Active Directory service:

• 443 TCP, with outbound connections to:
  • graph.microsoft.com

Note: make sure any firewall rules allow “any” as source port for the PaperCut server in this case. The source/client port is dynamically allocated, and not meaningful.

See Synchronize user and group details with standard Azure AD for more information on configuring this sync source.

LDAP Directory Service

PaperCut NG and PaperCut MF can synchronise user accounts from a directory which supports LDAP (e.g. Active Directory, Open Directory, Novell eDirectory, etcetera).

• 389 TCP (LDAP) or 636 TCP (LDAPS)

See  Synchronize user and group details with LDAP for more information on configuring this sync source.

Active Directory

PaperCut NG and PaperCut MF can synchronise user accounts with native Windows Active Directory from a domain joined Application Server.

• 445 TCP & UDP, Server Message Block (SMB)
• 88 TCP & UDP, Kerberos
• 389 UDP, LDAP
• 53 TCP & UDP, DNS
• 135 TCP, RPC - unless restricted, a dynamically assigned TCP port in range 49152-65535 also used for RPC

See  Synchronize user and group details with Active Directory for more information on configuring this sync source.

PaperCut NG/MF - Global Entitlements Service

In PaperCut NG/MF version 24.0 and later, the Application Server connects to the Global Entitlements Service (GES), which is required when upgrading the Application Server or updating entitlements. See Important points to know about PaperCut NG/MF licensing (Internet connection requirements) for more information.

• 443 TCP (HTTPS), with connection to:
  • https://mf.cloud.papercut.com/*

For troubleshooting steps, manual connection tests and proxy server configuration, see General troubleshooting for Global Entitlements Service connections .

PaperCut MF Cloud Services (Integrated Scanning with Scan to Cloud and/or Cloud OCR)

For a PaperCut server to have content processed by PaperCut MF Cloud Services it must be able to form an outgoing connection to the following endpoints:

• 443 TCP (HTTPS), with connection to:
  • https://*.papercut.com/*
  • https://storage.googleapis.com/*

the following specific URLs are used, depending on your PaperCut version and PaperCut MF Cloud Services hosting region, in case you are unable to use a wildcard in the domain part:

• 443 TCP (HTTPS), with connection to:
  • https://scan.cloud.papercut.com/*
  • https://ocr.cloud.papercut.com/*
  • https://scan.au.cloud.papercut.com/*
  • https://ocr.au.cloud.papercut.com/*
  • https://scan.eu.cloud.papercut.com/*
  • https://ocr.eu.cloud.papercut.com/*
  • https://scan.us.cloud.papercut.com/*
  • https://ocr.us.cloud.papercut.com/*
  • https://scan.uk.cloud.papercut.com/*
  • https://ocr.uk.cloud.papercut.com/*
  • https://scan.ca.cloud.papercut.com/*
  • https://ocr.ca.cloud.papercut.com/*
  • https://scan.papercut.com/* (legacy)

Email Delivery Service - SendGrid

• IP Address: 168.245.53.86
• Domain: papercut.com

See  Configure Integrated Scanning / scan actions for more information on setting up Integrated Scanning actions.

Integrated Scanning — Self-Hosted Document Processing (FKA On-prem OCR, locally hosted)

• 9181 TCP (HTTPS) inbound on the Self-Hosted Document Processing Server

(The Windows Firewall is configured automatically by the installer. Manual configuration is only required if using an off-box or 3rd party software firewall.)

The following port and URL endpoint must be externally available for auto updating of the Self-Hosted Document Processing server:

• 443 TCP (HTTPS), with connection to:
  • https://update.ocr.cloud.papercut.com/client-version/v3/check-update/pc-ocr/win/

See  Set up self-hosted Document Processing for more information on setting up self-hosted document processing.

PaperCut Grows

To sync page and tree usage to PaperCut Grows services:

443 TCP to https://grows.papercut.com

See the PaperCut Grows FAQ for more information on PaperCut Grows.

Sign in with Google

To allow signing in with Google to the PaperCut web interfaces , the Application Server must be able to form an outgoing connection to the following endpoints:

• 443 TCP (HTTPS), with connection to:
  • https://accounts.google.com/*
  • https://oauth2.googleapis.com/*

Sign in with Microsoft

To allow signing in with Microsoft to the PaperCut user/admin web interfaces , the Application Server must be able to form an outgoing connection to the following endpoints:

• 443 TCP (HTTPS), with connection to:
  • graph.microsoft.com
  • login.microsoftonline.com

Job Ticketing

Job Ticketing requires the following port to be available on the server:

• 9111 TCP

The following port and URL endpoints must be externally available for auto updating:

• 443 TCP (HTTPS), with connections to:
  • https://pc-job-ticketing.appspot.com/*
  • https://storage.googleapis.com/pc-job-ticketing.appspot.com/*

Print Deploy

See the Print Deploy system requirements page which shows the ports and protocols we use.

Mobility Print

See the Mobility Print system requirements page which shows the ports and protocols we use, for all the different discovery methods in use, as well as ports and urls needed for Mobility Print Cloud Print.

Multi Function Devices

PaperCut MF uses a variety of port for connecting to copiers, MFPs and other devices. These are listed below by device.

Brother

• Inbound (device connecting to PaperCut)
  • 9191 TCP/HTTP

Canon

• Inbound (device connecting to PaperCut)
  • 9191
  • 9192
  • 9193

Dell (AIP)

• Inbound (device connecting to PaperCut)
  • 9191
  • 9192
• Outbound (PaperCut connecting to the device)
  • 80
  • 443

HP

• Inbound
  • 9191
  • 9192
  • 9193
• Outbound connections from PaperCut to the HP devices on port:
  • 7627 (TCP/HTTPS)
  • 80 / 443

Fujifilm BI

• Inbound (device connecting to PaperCut)
  • 9191
  • 9192
• Outbound (PaperCut connecting to the device)
  • 80
  • 443

Fuji-Xerox (AIP)

• Inbound (device connecting to PaperCut)
  • 9191
  • 9192
• Outbound (PaperCut connecting to the device)
  • 80
  • 443

Konica-Minolta

• Inbound (device connecting to PaperCut)
  • 9191
  • 9192
  • 9195 (Required for SHA2 on MF v18.3 onwards)
• Outbound (connecting to the device)
  • 50003
  • 80/443

Kyocera

• Inbound
  • 9191
  • 9192
  • 9193

Lexmark

• Inbound
  • 9191
  • 9192
  • 9193

Ricoh SDK/J

• Inbound
  • 9191 (if configured to use port 9193 and Integrated Scanning)
  • 9192
  • 9193
  • 51443 (for setup with Remote Operation Client)

Ricoh SmartSDK

• Inbound
  • 9191
  • 9192
  • 51443 (for setup with Remote Operation Client)

Samsung

• Inbound
  • 9191 (if using custom logos)
  • 9192
  • 9193

Sharp

• Inbound
  • 9191
  • 9192
• Outbound
  • 80
  • 443

Toshiba

• Inbound
  • 9191 TCP - for EWB and SOAP events
  • 9192 TCP - secure messages for EWB and SOAP events
  • 10389 TCP (LDAP) for SDK1 and SDK2 only
  • 10636 TCP (LDAPS) for SDK1 and SDK2 only
  • 162 UDP (SNMP traps) for SDK1 only
• Outbound
  • 161 UDP (SNMP) for SDK1 only
  • 49629 TCP (HTTP) for SDK2, SDK3 and RD30 only
  • 49630 TCP (HTTPS) for SDK2, SDK3 and RD30 only
  • 50083 TCP (HTTP) for SDK3 only (for scanning)

VCC Terminals

• Outbound
  • 1234
  • 1235

Xerox

• Inbound
  • 9191
  • 9192
• Outbound
  • 80
  • 443

SNMP

• Outbound (PaperCut connecting to the Printer/Device)
  • 161 UDP

PaperCut Connector for Microsoft Universal Print

• Internal (Used for primary and secondary connectors)
  • 9151 TCP

For a PaperCut Server running our Universal Print connector to function correctly, it must be able to form an outgoing connection to the following endpoints:

• 443 TCP (HTTPS), with connection to:
  • https://login.microsoftonline.com/organizations/oauth2/v2.0
  • https://register.print.microsoft.com/api/v1.0/register
  • https://print.print.microsoft.com/printers
  • https://notification.print.microsoft.com/printers
  • https://us-central1-pc-universal-print-connector.cloudfunctions.net/update-stats

The following port and URL endpoint must be externally available for auto updating of the Universal Print connector:

• 443 TCP (HTTPS), with connection to:
  • https://www.universal-print.papercut.com/client-version/v3/check-update/pc-upconnector/win
  • https://storage.googleapis.com/pc-universal-print-connector.appspot.com/*

See  Universal Print for more information on setting up the PaperCut Connector for MS Universal Print.

Windows Print Spooler Service

The PaperCut Print Provider service will use TCP/IP ports allocated by the Windows Print Spooler service. The Windows Print Service uses the dynamic port range from 49152 to 65535. You will need to retain this port range when redirecting print jobs between a Primary and Secondary server (Cross-Server Redirection).

• 49152-65535 TCP
• 445 TCP, Server Message Block (SMB)
• 135 TCP, Remote Procedure Call, RPC (can result in 0×0000011b and 0×0000007c errors if this is blocked)

If using NetBIOS:

• 137/138 UDP, Name and Datagram Services
• 139 TCP, Session Services