Since version 18.1, PaperCut NG and PaperCut MF support IPPS printers. Printing via IPPS (i.e. IPP over HTTPS) ensures print traffic to the printer is encrypted. This guide focuses on the steps to add an IPPS printer on a Windows Print Server.
Checking the encryption of print jobs is slightly more involved, and a little bit more fun. You can use Wireshark to analyse network protocols to check for secure IPP traffic. For instructions on how to use Wireshark, follow this guide.
The end-to-end print security guide is a great source of information about how to protect print traffic from clients to the server, and also describes other measures to put in place in order to make your print environment more secure.
Installing an IPPS printer in Windows
Firstly, to set up printing from a Windows print server to an IPPS printer, the printer’s SSL certificate needs to be installed on the server. Follow the printer’s user manual to retrieve or create an SSL certificate on the printer.
Below is an example of a printer with an existing self-signed certificate. On this printer’s interface, for example, the certificate can be exported and downloaded.
1. Download the certificate onto the print server, and double click on it.
2. Add the certificate to the ‘Trusted Root Certification Authorities’ certificate store.
If the certificate is a self-signed certificate, also add the certificate to the “Third-Party Root Certification Authorities” certificate store.
3. Make sure your certificate is OK, by clicking on the Certification Path tab:
4. Ensure Internet Printing Client is enabled on your server via Windows Features in the Control Panel.
5. Now add the printer and select the “Add a local or network printer as an administrator” option.
6. Select the ‘The printer that I want isn’t listed’ button.
7. Select the 2nd option, “Select a shared printer by name” and enter in: https://<hostname>:443/printer or: https://<hostname>/ipp.
8. Once added, the printer should appear in the list of available printers. Below are a couple of examples of IPP names that will be used for different manufacturers.
9. From your print server, check whether you can successfully print to the printer. At this stage PaperCut MF/NG is not involved yet; you are just checking whether the certificate was correctly loaded and the printer was correctly installed.
10. Once you have set up your IPPS printers, you can validate that print jobs are indeed encrypted by following this guide.
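Steps 1 to 4 can also be scripted and checked from an elevated PowerShell prompt on the print server. The script below is an added example, not part of the original article or PaperCut's own tooling. The certificate path is a placeholder, the optional thumbprint comparison is an extra check not described in the steps above, and the feature name Internet-Print-Client assumes a Windows Server edition.

```powershell
#Requires -RunAsAdministrator
# Added example: parameter defaults are placeholders, not values from the article.
param(
    [string]$CertPath           = 'C:\Temp\printer.cer',     # certificate exported from the printer (placeholder)
    [string]$PrinterFqdn        = 'hp-m4555.mycompany.com',  # host name you will type in step 7
    [string]$ExpectedThumbprint = ''                         # optional: thumbprint read from the printer's own UI
)
$ErrorActionPreference = 'Stop'

# Load the exported file and show exactly what is about to be trusted.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
$selfSigned = $cert.Subject -eq $cert.Issuer
$cert | Format-List Subject, Issuer, Thumbprint, NotBefore, NotAfter, DnsNameList

# Refuse to continue if the file is not the certificate the printer displays,
# or if it has already expired.
if ($ExpectedThumbprint -and $cert.Thumbprint -ne ($ExpectedThumbprint -replace '\s', '')) {
    throw 'Thumbprint mismatch: the exported file is not the certificate shown on the printer.'
}
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

# Steps 1-2: import into Trusted Root Certification Authorities (Root).
# Self-signed certificates also go into Third-Party Root Certification Authorities (AuthRoot).
$stores = @('Cert:\LocalMachine\Root')
if ($selfSigned) { $stores += 'Cert:\LocalMachine\AuthRoot' }
foreach ($store in $stores) {
    Import-Certificate -FilePath $CertPath -CertStoreLocation $store | Out-Null
}

# Step 3: scripted equivalent of the Certification Path tab, plus a name check.
# Test-Certificate builds the chain and, with -DNSName, confirms the certificate
# is valid for the host name that will appear in the https:// printer URL.
$installed = Get-Item "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
if (-not (Test-Certificate -Cert $installed -Policy SSL -DNSName $PrinterFqdn)) {
    throw "Certificate does not validate for $PrinterFqdn. Check the FQDN and the certificate stores."
}

# Step 4: make sure the Internet Printing Client feature is installed.
if (-not (Get-WindowsFeature -Name Internet-Print-Client).Installed) {
    Install-WindowsFeature -Name Internet-Print-Client | Out-Null
}

"OK: certificate $($cert.Thumbprint) is trusted and valid for https://$PrinterFqdn/ipp"
```

If the name check fails for the short host name but passes for the FQDN, use the FQDN when adding the printer in step 7.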
IPPS printers in PaperCut NG and MF
Before you can track and control IPPS print queues in PaperCut MF and NG, you need to run the Print Provider under an account with administrator level access.
- Navigate to Control Panel → Administrative Tools → Computer Management → System Tools → Local Users and Groups and create a new local user account with administrator level access.
- Enable the option Password never expires.
- Navigate to Control Panel → Administrative Tools → Services.
- Right click on PaperCut Print Provider → select Properties → navigate to the Log On tab.
- Select the option Log on as: This account:
- Enter the credentials for the newly created account.
- Click OK.
- Restart the service.
- Use the account created in the steps above while logging in and running the PaperCut Application Server.
Note that the IPPS printer shouldn’t be shared directly to users. Instead, set up another queue (a Find Me queue) that is shared to the users; print jobs from that queue are then redirected to the IPPS queue.
Why can’t I just share the original IPPS printer, you ask? Well, firstly, Windows will tell you that you can’t share an IPPS printer. Secondly, if you are clever enough to hack it to still share the printer, then due to the optimisation of network printers in a Windows environment, the client will not send the spool file via the server and will instead send the spool file directly to the printer. If that happens, PaperCut MF and NG won’t be able to record, block or manipulate that print job.
To make sure PaperCut MF and NG process every job, we’ve introduced an additional feature in Version 18.1 to only make non-shared IPPS printers available in the Admin interface.
You will not see IPP printers in the PaperCut Admin interface; only IPPS printers will be made available.
Once you can see your IPPS printer in PaperCut, configure it as a destination queue in your Find Me environment.
- If this error occurs whilst adding a printer:
a) Check whether IPPS is enabled on the device. On some devices IPPS is off by default.
b) Try restarting the Print Spooler service.
c) Add the certificate to the “Third-Party Root Certification Authorities” (follow steps outlined in steps 1, 2, 3 at the start of this article).
d) Check to see if you need the FQDN of the device (e.g. hp-m4555.mycompany.com), rather than just the hostname (hp-m4555) when adding the device. You can check this when pinging the device.
- If you print a test page, and PaperCut MF or PaperCut NG logs the print job, but you do not get a physical print job at the printer, then it could be that the PaperCut Print Provider does not have sufficient privileges. Follow the guide above and ensure that the Print Provider is running under a user account with domain administrator level access.
e) If you are printing successfully but find that your job log does not show a record of this, check that you are not printing to the IPPS printer directly and that you have set up a virtual queue that redirects to this IPPS printer instead.
The following is not supported for IPPS printers:
- Printer status display
- Blocking the release of jobs when an IPPS printer is in error on the following release stations: Standard Release Station, web release stations (Web Release, Admin Web Interface, User Web Interface, Mobile Print Release, Unix command-line Release Station client).
- Validating page counts using hardware checks
- Direct Printing