You are here: Administration > System management > Set system security options > Restrict access to the Application Server

Restrict access to the Application Server

You can restrict access to the Application ServerAn Application Server is the primary server program responsible for providing the PaperCut user interface, storing data, and providing services to users. PaperCut uses the Application Server to manage user and account information, manage printers, calculate print costs, provide a web browser interface to administrators and end users, and much more. by the following components:

Restrict access to the Application Server by SysAdmins

After initial installation only the admin user, defined during the setup process, is permitted to administer the system. To allow additional users to administer PaperCut NG follow the instructions defined in Assigning administrator level access.

You can also lock down access to the Admin web interface so that admins can log in only from a subset of network addresses.

  1. Select Options > Advanced.

    The Advanced page is displayed.

  2. In the Security area, in Allowed admin IP addresses, enter the list of IP addresses or subnet masks to allow. The list of addresses is comma separated. The format of the subnet is X.X.X.X/Y.Y.Y.Y (where X represents the address and Y the subnet mask).

  3. Click Apply.

  4. Test that admins can access the Application Server Admin interface from the allowed network addresses.

Restrict access to the Application Server by MFDs

You can restrict the devices that can to communicate with the Application Server.

  1. Select Options > Advanced.

    The Advanced page is displayed.

  2. In the Security area, in Allowed device IP addresses, enter the list of IP addresses or subnet masks to allow. The list of addresses is comma separated. The format of the subnet is X.X.X.X/Y.Y.Y.Y (where X represents the address and Y the subnet mask).

  3. Click Apply.

  4. Perform a test login or print job release from each MFD to ensure they can still communicate to the Application Server.

Restrict access to the Application Server by print servers

The PaperCut NG architecture (see Architecture Overview and Print monitoring architecture) involves having a central Application Server and possibly multiple print servers sending data back to the Application Server to process. The PaperCut NG components on the print serverA print server is a system responsible for hosting print queues and sharing printer resources to desktops. Users submit print jobs to a print server rather then directly to the printer itself. A print server can be a dedicated server but on many networks this server also performs other tasks, such as file serving that are responsible for sending this data back to the Application Server include Print Providers and Mobility Print.

PaperCut NG supports an unlimited number of information providers and they can be located anywhere on the network. By default, PaperCut NG allows these providers to connect from any machine on the network. You can restrict this to a reduced set of machines by specifying a list of IP addresses or subnets that are allowed to submit information to the Application Server.

  1. Select Options > Advanced.

    The Advanced page is displayed.

  2. In the Security area, in Allowed remote provider IP addresses (eg. secondary print servers), enter the list of IP addresses or subnet masks to allow. The list of addresses is comma separated. The format of the subnet is X.X.X.X/Y.Y.Y.Y (where X represents the address and Y the subnet mask).

  3. Click Apply.

  4. Test all providers to ensure that they can still submit information to the Application Server. To test the Print ProviderA Print Provider is a monitoring service installed on a secondary print server to allow PaperCut to control and track printers. This monitoring component intercepts the local printing and reports the use back to the primary Application Server., perform a test print job to the server that the provider is running on.

Restrict access to the XML Web Services

You can lock down access so that only a subset of network addresses can call the XML Web Services APIApplication Programming Interface (API) is a set of routines, protocols, and tools for building software and applications. An API expresses a software component in terms of its operations, inputs, outputs, and underlying types, defining functionalities that are independent of their respective implementations, which allows definitions and implementations to vary without compromising the interface..

  1. Select Options > Advanced.

    The Advanced page is displayed.

  2. In the Security area, in Allowed XML Web Services callers, enter the list of IP addresses or subnet masks to allow access to the XML Web Services API. The list of addresses is comma separated. The format of the subnet is X.X.X.X/Y.Y.Y.Y (where X represents the address and Y the subnet mask).

  3. Click Apply.

  4. Perform a test XML Web Services call from the allowed network addresses.

Set up trusted proxy servers for Mobile Client access

The PaperCut NG Mobile Client (iPhone/iPad App) uses the originating IP address to identify the user when printing from an iPhone or iPad. If you are accessing the PaperCut NG server via a proxy server, the originating IP address may be obscured by the proxy. As a result, no jobs are displayed in the iPhone/iPad App.

Most proxy servers do retain the originating source address in an X-Forwarded-For HTTP header. This header lists the originating source address plus the address of each proxy server forwarding the message.

For security reasons, PaperCut NG by default does not trust the X-Forwarding-For header. To make use of this header and get your mobile clients to work via a proxy server, you must first add your proxy servers to PaperCut NG’s list of trusted proxy servers. PaperCut NG will use the remote IP address provided by the X-Forwarding-For header only if all hops are through a trusted proxy server and the final proxy server matches the source address of the message.

You can set up trusted proxy servers for Mobile Client access.

  1. Select Options > Advanced.

    The Advanced page is displayed.

  2. In the Security area, in Trusted Proxy Servers for Mobile Client access, enter the list of IP addresses or subnet masks to allow access to the server via a proxy. The list of addresses is comma separated. The format of the subnet is X.X.X.X/Y.Y.Y.Y (where X represents the address and Y the subnet mask).

  3. Click Apply.

  4. Test access from the Mobile Client from all network addresses.

Restrict access to the Application Server by Release Stations

You can restrict the address ranges from which standard Release Stations (see Standard Release Station) access the Application Server. This measure only applies to standard Release Stations and does not affect print release at an embedded device or from a web browser.

  1. Click the Options tab.

    The General page is displayed.

  2. In the Actions menu, click Config editor (advanced).

    The Config EditorThe Config Editor stores information used by PaperCut to configure advanced options and functions. This information is stored in config keys, which are editable by an administrator. page is displayed.

  3. Search for the config keyA config key stores information about a specific advanced setting in PaperCut. Config keys are editable by an administrator in the Config Editor.: auth.release-station.allowed-addresses

  4. Enter the list of IP addresses or subnet masks to allow. The list of addresses is comma separated. The format of the subnet is X.X.X.X/Y.Y.Y.Y (where X represents the address and Y the subnet mask).

  5. Click Update.

  6. Test all standard Release Stations to ensure they can still successfully start-up and connect to the Application Server.


Comments

Share your findings and experience with other PaperCut users. Feel free to add comments and suggestions about this Knowledge Base article. Please don't use this for support requests.