Firewall Configuration - Ports Used by PaperCut NG and PaperCut MF

Q I would like to configure a firewall on the server. What ports does PaperCut use?

The main network TCP ports used by PaperCut are:

• 9191 for HTTP connections
• 9192 for secure HTTP/SSL connection
• 9193 for device RPC (only used for embedded copier/MFP solutions)

UDP ports are not used for connections from PaperCut client to the sever, only standard TCP. All connections are made inbound from clients and secondary servers to the primary server. No outbound connections are made by the primary server to any workstation or secondary server.

PaperCut uses standard HTTP XML WebServices for client-server and server-server communication (XML-RPC). Sensitive data is sent over SSL/HTTPS on port 9192. The PaperCut installer on Windows and Mac will endeavor to make sure these ports are open. Linux systems running firewalls may need to manual open these ports to local network IP addresses as appropriate.

Complete List of Ports Used by PaperCut

PaperCut also uses ports for a variety of other protocols.

SNMP (for toner level retrieval)

• Outbound (PaperCut connecting to the device)
  • 161 UDP

Cross-Server Job Redirection

Windows Spooler service uses the following ports for redirecting print jobs between a Primary and Secondary server.

• 445 TCP, Server Message Block

If using NetBIOS:

• 137/138 UDP, Name and Datagram Services
• 139 TCP, Session Services

Mobility Print

The following ports must be available for internal communications:

• 9163 HTTP
• 9164 HTTPS
• 53 DNS
• 5353 mDNS

The following port and URL endpoints must be externally available for auto updating:

• 443 TCP (HTTPS), with connections to:
  • https://mobility-print.papercut.com/*
  • https://storage.googleapis.com/pc-mobility-print.appspot.com/*

Google Cloud Print

PaperCut NG and PaperCut MF need to be able to communicate to the Google Cloud Print services. This is done on:

• 443 TCP (HTTPS), with connections to:
  • https://www.googleapis.com/*
  • https://accounts.google.com/*
  • https://www.google.com/cloudprint/*
• 5222 TCP (XMPP, using STARTTLS), with a persistent connection to:
  • talk.google.com

By default, this needs to be achievable without the use of a proxy, unless that proxy is “transparent” on TCP ports 80 and 443, and requires no authentication. If running version 17.3 or later of PaperCut NG or PaperCut MF, a proxy server which is not “transparent” may be able to be configured using the instructions found in the following section of the User Manual.

Google Cloud Directory

PaperCut NG and PaperCut MF will use Secure LDAP to communicate with the Google Cloud Directory service:

• 636 TCP (LDAPS), with outbound connections to:
  • ldap.google.com

Job Ticketing

The following port and URL endpoints must be externally available for auto updating:

• 443 TCP (HTTPS), with connections to:
  • https://pc-job-ticketing.appspot.com/*
  • https://storage.googleapis.com/pc-job-ticketing.appspot.com/*

PaperCut Cloud Services

The following port and URL endpoints must be externally available for a PaperCut server to upload files to PaperCut Cloud Services:

• 443 TCP (HTTPS), with connection to:
  • https://storage.googleapis.com/*
  • https://scan.papercut.com/* (Scan to Cloud Storage)
  • https://ocr.cloud.papercut.com/* (Integrated Scanning - OCR)

Database connections

PaperCut makes use of the jTDS JDBC driver for Microsoft SQL server and SQL Server Express, the postgresql JDBC driver for PostgreSQL, Oracle JDBC for Oracle and MySQL JDBC for MySQL.

You may specify a custom port, the defaults are below.

• Oracle: 1521
• Microsoft SQL Server: 1433
• Microsoft SQL Server Express: 1450
• MySQL: 3306
• PostgreSQL: 5432

Device Connections

PaperCut MF uses a variety of port for connecting to copiers, MFPs and other devices. These are listed below by device.

Brother

• Inbound (device connecting to PaperCut)
  • 9191 TCP/HTTP

Canon

• Inbound (device connecting to PaperCut)
  • 9191
  • 9193

Dell (AIP)

• Inbound (device connecting to PaperCut)
  • 9191
  • 9192
• Outbound (PaperCut connecting to the device)
  • 443

HP

• Inbound
  • 9191
  • 9192
  • 9193
• Outbound connections from PaperCut to the HP devices on port:
  • 7627 (TCP/HTTPS)
  • 80 / 443

Fuji-Xerox (AIP)

• Inbound (device connecting to PaperCut)
  • 9191
  • 9192
• Outbound (PaperCut connecting to the device)
  • 80
  • 443

Konica-Minolta

• Inbound (device connecting to PaperCut)
  • 9191
  • 9192
  • 9195 (Required for SHA2 on MF v18.3 onwards)
• Outbound (connecting to the device)
  • 50003
  • 80/443

Kyocera

• Inbound
  • 9191 (if using custom logos)
  • 9193

Lexmark

• Inbound
  • 9191 (if using custom logos)
  • 9193

Ricoh SDK/J

• Inbound
  • 9191 (if configured to use port 9193 and Integrated Scanning)
  • 9192
  • 9193
  • 51443 (for setup with Remote Operation Client)

Ricoh SmartSDK

• Inbound
  • 9192
  • 51443 (for setup with Remote Operation Client)

Samsung

• Inbound
  • 9191 (if using custom logos)
  • 9193

Sharp

• Inbound
  • 9191
  • 9192
• Outbound
  • 80
  • 443

Toshiba

• Inbound
  • 9191 TCP - for EWB
  • 9192 TCP - secure messages for EWB
  • 10389 TCP (LDAP)
  • 10636 TCP (LDAPS)
  • 162 UDP (SNMP traps) for SDK1 only
• Outbound
  • 161 UDP (SNMP) for SDK1 only
  • 49629 TCP (HTTP) for SDK2 and RD30 only
  • 49630 TCP (HTTPS) for SDK2 and RD30 only

VCC Terminals

• Outbound
  • 1234
  • 1235

Xerox

• Inbound
  • 9191
  • 9192
• Outbound
  • 80
  • 443

Elatec TWN3 Reader and TCP Converter

• Outbound
  • 7778

RFIDeas Lantronix

• Outbound
  • 10001

RFIdeas Ethernet 241

• Outbound
  • 2000

Categories: Implementation / Deployment, Architecture

keywords: port, TCP, fire wall, firewall rules, anti virus