Set up Web Print: Sandbox mode
Web PrintWeb Print enables printing from user-owned devices without the need to install printer drivers and manage server authentication. Sandbox mode runs the Web Print software on one or more dedicated servers, often virtual machines. Documents are opened and rendered by standard applications, such as Adobe Reader and Microsoft Office applications.
Use Sandbox mode to:
Support printing of Microsoft Office documents from Web Print
Support printing of Microsoft Office documents from Email to PrintEmail to Print allows any device to print documents by sending an email to your network's print devices.
Render documents in a secure, sandbox environment away from your main server
Increase reliability and throughput of your Web Print system with multiple servers.
Sandbox mode takes a little more time to configure, but offers several advantages, such as support for Microsoft Office formats, increased throughput with the use of multiple servers, and improved security. Security is gained by opening and printing documents on an isolated system, separate from the Application ServerAn Application Server is the primary server program responsible for providing the PaperCut user interface, storing data, and providing services to users. PaperCut uses the Application Server to manage user and account information, manage printers, calculate print costs, provide a web browser interface to administrators and end users, and much more.; with the only connection between the two being a simple file share / mapped drive.
PaperCut is shipped with a high quality rendering engine for PDF documents. However, document rendering by Adobe Reader is also supported. Simply install Adobe Reader in your Web Print Sandbox.
Your Web Print deployment can be scaled to meet the needs of your organization, removing bottlenecks and improving reliability. Web Print scaling through the use of multiple Web Print servers, increases throughput and minimizes users’ wait time for print jobs. Using multiple servers also provides resilience against possible network and server outages.
While you can use a single Web Print Server, we recommend a minimum of two. Using only one Web Print server causes a single point of failure and potential bottlenecks. Best practices in server management recommend building redundancy into your network and monitoring the health of your environment.
The use of multiple Web Print servers is available in PaperCut NG/MF 16.2 and later.
Web Print scaling also allows you to select the applications supported on each server based on your file type printing usage. This means you do not need to install all supported applications on all Web Print servers.
The Print System Health interface includes endpoints to monitor the health of your Web Print environment with your existing monitoring tool, giving you peace of mind that users can print and that waiting times in queues are low. For more information about the Print System Health interface, see Monitor print system health.
One or more dedicated, standalone, cleanly installed systems or virtual machines.
Windows operating system (Windows Vista or later).
Adobe Reader 9 or later (optional)
Microsoft Office 2007, 2010, 2013, 2016, and 365 (to support Office formats)
Microsoft Standalone XPS Viewer / XPS Essentials Pack (to support Microsoft XPS) - download here
Set up Web Print in Sandbox mode
Setting up Web Print in Sandbox mode involves the following steps:
- Set up a Web Print server
- Install Web Print
- Install applications on the Web Print server
- Enable Web Print at the system level
- Enable Web Print on printers
- Test the Web Print setup
Step 1 to 3 need to be performed on each Web Print server.
Step 1: Set up a Web Print server
Web Print Sandbox mode is supported only on Windows servers, however, your Application Server can be on any operating system.
Disable Default mode:
On a Windows Application Server
- Stop and disable the PaperCut Web Print Server System Service (set its Startup type to Disabled).
On a Mac or Linux Application Server
Open the following file in a text editor:
- Change the setting enabled to enabled=off.
- Save the file.
Stop service pc-web-print.
Set up a new virtual machine using VMware Server, Microsoft Virtual Server or VirtualBox, or set up a standalone system e.g. a dedicated desktop PC. This system houses the Web Print server software and any required printing applications, and is called the Web Print server.
This system does not need access to all network resources, but needs access to the hot folder share. This is created later. It also needs access to printer shares if used for Web Print (not Email to Print).
Create a new user account called webprint (or equivalent). Set the password for this account to never expire. At a minimum, this account needs access to the printers, the ability to run local programs, and the ability to access the hot folder share (created in step 6).
Ensure that the Web Print server can print to all Web Print enabled printers.
Skip this step if using the Sandbox for Email to Print only.
- Log in as the webprint user.
- Add print queues for the printers that you want to make available to users via Web Print.
- Add the print queues in the same way you would to a computer. They should point to the print queues hosted on the print serverA print server is a system responsible for hosting print queues and sharing printer resources to desktops. Users submit print jobs to a print server rather then directly to the printer itself. A print server can be a dedicated server but on many networks this server also performs other tasks, such as file serving, i.e. a network printer mapped to \\server\printer-share. It is important that the jobs pass via the queue on the server - do not add a local printer. Add the printers using the print server's machine name and not an IP address.
Configure the Web Print server to automatically log in as the webprint user on startup. The service then runs when Windows is started, and is logged in as this user. For more information, see Automatic logon for Windows.
Windows Vista/7 machines on a domain might require direct editing of the registry, as described here: Microsoft Technet - Configuring Accounts to Autologon. You might want to consider a Group Policy Object (GPO) to make the registry changes.
The Application Server and the software on the Web Print server communicate via a standard network file share. On the PaperCut NG/MF Application Server, share the folder web-print-hot-folder located at [app-path]\server\data\web-print-hot-folder\. The hot folder facilitates communication between the primary server and the Web Print server.Tip:
By default, Web Print uses this folder, not a sub-folder. You do not need to create a sub-folder in this folder.
SambaSamba is a Windows interoperability suite of programs for Linux and Unix. It is used to integrate Linux/Unix servers and desktops into Active Directory environments. It can function as both a domain controller or as a regular domain member. sharing on a Linux Application Server
On a Linux PaperCut NG/MF Application Server, name the share PCWebPrint, and adjust both the Sharing and Security (NTFS/file) permissions of the PCWebPrint share to allow the webprint user read and write access.
The following Samba configuration settings might be useful.
comment = PaperCut Web Print Hot Folder
path = /home/papercut/server/data/web-print-hot-folder/
public = no
writeable = yes
read only = no
valid users = webprint
You also need to add the webprint username to Samba via smbpasswd -a [username] and you should consider disabling the [home] shares in your smb.conf.Important:
Ensure that your umask and Samba settings allow for the papercut Linux user to be able to read and write to all files in the web-print-hot-folder. When using Novell and Linux, the Web Print server might create files owned by a user other than the one the PaperCut NG/MF Application Server runs as, preventing the files from being accessed.
Samba sharing on a Mac Application Server
On a Mac PaperCut Application Server, adjust both the Sharing and Security (NTFS/file) permissions of the PCWebPrint share to allow the webprint user read and write access.
Create a user in Users & Groups. This user will be used to read and write to the shared folder. Name the user webprint and assign it to the admin group.
In Sharing > File Sharing, share the folder [app-path]/server/data/web-print-hot-folder/; then add Read & Write permissions for the webprint user.
Click Options on the same menu; then check the webprint user under Windows File Sharing.
Set read access to everyone on the Web Print hot folder and any files under it by creating a new ACL. Open the Terminal app and type under [app-path]/server/data folder:
sudo chmod +ai "everyone allow read,file_inherit" web-print-hot-folder
Log in to the Web Print server as the webprint user.
Map the W: drive to the hot folder share you have defined. Ensure that the option Reconnect at logon is selected when mapping the drive. If your webprint user's credentials on the PaperCut NG/MF Application Server are different from the Web Print server's user, click Connect using different credentials and enter them.
Test that the file share can be accessed and written to by the Web Print server (e.g. by creating a new text file on W:). You should also test in the other direction, and confirm that files created on the Application Server in the folder web-print-hot-folder can be opened/seen by the Web Print server.
Step 2: Install Web Print
Run the main PaperCut NG/MF installer on the Web Print server. Select the Web Print server installation (sandbox mode) install option.
Configure the webprint user to run [app-path]\providers\web-print\win\pc-web-print.exe at login. You can do this by adding a shortcut to the user's Startup folder.
Reboot the system. Ensure the system automatically logs in as the webprint user when it starts up, and that the PaperCut Web Print dialog is displayed shortly afterwards.
If the dialog indicates an error, see Troubleshooting Web Print problems.
Step 3: Install applications on Web Print servers
Install the applications you want to support on the Web Print server. For more information about the supported file formats, see Web Print (driver-less printing via a web browser).
Make sure you permanently acknowledge any license agreement screen, initial-run wizard, or customer experience program dialog during this process.Tip:
When installing Microsoft Office applications, select all optional components for installation. This prevents printing issues occurring due to missing components.
- Microsoft Office macros are allowed by default. To block these macros, set the config keyA config key stores information about a specific advanced setting in PaperCut. Config keys are editable by an administrator in the Config Editor. web-print.disable-macros to Y. For more information, see Advanced Web Print configuration and Using the Config Editor.
Adobe Reader introduced a Protected Mode setting, which prevents printing from the command interface used by Web Print. Using Adobe Reader therefore requires the Protected Mode feature to be disabled. Web Print automatically disables Protected Mode for your webprint user. (You can also disable Protected Mode manually by disabling the Enable Protected Mode at startup setting in Adobe Reader under Edit > Preferences > Security (Enhanced))
- If you are not supporting all of the file formats:
On the Web Print server, open the following file in a text editor:[app-path]\providers\web-print\[platform]\web-print.conf
Comment out the handler for the applications that are not supported. For example:
- Delete the .exe files for the unsupported applications, for example, mso-powerpoint.exe.
As the webprint user, open a file in each of the installed applications, then print to several different printers, ensuring that all work as expected.
- Restart the Web Print service.
Step 4: Enable Web Print at the system level
Select Options > Mobile & BYOD.
The Mobile & BYOD page is displayed.
In the Web Print area, select the Enable Web Print (users may upload documents to print) check box.
The Web Print fields are displayed.
Complete the following fields as required:
- Maximum document/file upload size— If a user uploads a document greater than the specified size (in MB), their upload is rejected.
- Only allow uploads from users in this group—Restrict Web Print access to a particular group of users. When this option is enabled, users not in the specified group do not see the Web Print item in the navigation menu.
- Allowed user IP addresses—Use this option to restrict Web Print access to a selected IP address range. For example, access might be limited to systems on a wireless network (i.e. force users on the wired network to use standard print queues). Address ranges are entered in the format: 220.127.116.11\255.255.255.0.
- Introductory message— The message to be displayed on the first page after a user clicks the Web Print menu option. Use this message to explain the service, offer site-specific advice, or other information to assist the user. HTML is supported, e.g. use <p> tags to start a new paragraph, or an <a> tag to provide a link.
The Web Print option is now available in the navigation menu of the User web interface, and users are able to use Web Print functionality.
Step 5: Enable Web Print on printers
Enable Web Print on all printers to be used for Web Print. For more information, see Enable Web Print on a printer.
Step 6: Test the Web Print setup
Log in as a user and submit a test print job. For more information, see Submit a Web Print job.