Quick install: Windows
This guide assumes that you are using Windows Server 2008. The process is similar for other Windows operating systems. If you're upgrading from a previous PaperCut NG/MF version, refer to the directions outlined in Upgrade from a previous version.
Step 1: System requirements & network setup
Before installing PaperCut NG/MF for either evaluation or production use, verify the system requirements:
The operating system version supported and patches up-to-date (see
PaperCut MF System Requirements).
PaperCut NG/MF needs to be installed on the system directly hosting the printer(s), that is, the print serverA print server is a system responsible for hosting print queues and sharing printer resources to desktops. Users submit print jobs to a print server rather then directly to the printer itself. A print server can be a dedicated server but on many networks this server also performs other tasks, such as file serving.
Printers are configured correctly and work before installing PaperCut NG/MF.
In workgroup environments (i.e. where no domain is present), some additional configuration is required. For more details see Running in a Workgroup environment.
Step 2: Print queue configuration
When using Release Stations or account selection popups, PaperCut pauses jobs on the Windows print queueA print queue displays information about documents that are waiting to be printed, such as the printing status, document owner, and number of pages to print. You can use the print queue to view, pause, resume, restart, and cancel print jobs. to hold jobs prior to printing. It is important, especially in charging environments, that the queue is secured to prevent users from resuming jobs themselves and bypassing PaperCut. There are two ways a Windows print queue can be secured:
Configure the queue using the PaperCut TCP/IP Port.
Restrict the print queue security permissions to prevent users from performing management functions.
Using the PaperCut TCP/IP port
Queues configured to use the PaperCut TCP/IP Port automatically ensure that manually resumed jobs will not be printed. You will already be using a PaperCut TCP/IP Port if you are using hardware page countHardware page counts allow PaperCut to determine the actual number of pages printed rather than just the page count from the spool file. The hardware page count is used when jobs do not print completely, for example, the print job is canceled. These checks are performed at the hardware-level by communicating with the printer via SNMP (Simple Network Management Protocol). validation. You can see which port is being used in the Ports tab under Printer Properties. If you are not currently using PaperCut TCP/IP ports, see Windows printer queue configuration.
Restricting Windows print queue security permissions
This method works for most versions of Windows. However, it might interfere with printing on Windows 8.1 and Windows 2012R2. On these systems you should secure printing using PaperCut TCP/IP ports.
To restrict security permissions for a queue:
Log onto the server hosting the printers as an Administrator.
Open the printer configuration screen: Start > Printers
Right-click a printer; then select Printer properties.
Select the Security tab.
- Select the CREATOR OWNER user.
In the Permissions area, clear the Manage Documents check box.
Perform these steps for each of the monitored printers.
When using Windows 2008 Server, use the Server Manager, navigate to the Print Management Console and globally set the security permissions by right-clicking the Print Server(s) > Properties > Security and editing the permissions there. This applies only to printers added after the global permissions are changed, not for pre-existing printers.
Windows Server 2008 R2 only
Windows Server 2008 R2 installations can experience an issue where print jobs are not removed from the print queue when completed. These jobs stay in the queue with a status of 'Sent to Printer'. To work around this, configure the Printer Driver Isolation so that jobs are removed from the queue when completed.
Log onto the server hosting the printers as an Administrator.
Using the Server Manager, navigate to the Print Management Console: Server Manager > Roles > Print and Document Services > Print Management > Print Servers > PrintServerName > Drivers
Right-click a printer driverA printer driver or a print processor is a piece of software that converts the data to be printed to the form specific to a printer. The purpose of printer drivers is to allow applications to do printing without being aware of the technical details of each printer model.; then select Set Driver Isolation > None.
Perform these steps for each of the monitored printers drivers.
Windows 2008 R2 installations might require hotfix KB2906850 to be installed. Consult with your Microsoft experts regarding the suitability of this hotfix.
If you receive an "Access denied" error when changing both the CREATOR OWNER permissions and the Print Driver Isolation settings, turn off the Render print jobs on client computers found under the Sharing Tab for that printer.
Step 3: Download and install PaperCut NG/MF
PaperCut NG/MF is supplied as a standard Windows pcng-setup-<version>.exe install program. You can download the latest version from https://portal.papercut.com/products/mf/https://www.papercut.com/products/ng/download/. After the download is complete, run the setup wizard as an administrator. A system restart is not usually required, but you should install on live production systems during periods of low activity, for example, not during backup operations or other administration activities.
Double-click the pcng-setup-<version>.exe install program.
- Read the End User License Agreement (EULA).
- Select I accept the agreement; then click Next.
- Read the installation information; then click Next.
- Select the installation location; then click Next.
- Select Standard installation (primary server); then click Next.
- Select whether or not you want to create a desktop shortcut; then click Next.
- Click Install.
Step 4: Run the Configuration Wizard
After you install PaperCut NG/MF, a web browser is displayed with the PaperCut NG/MF Configuration Wizard Welcome screen.
If the Configuration Wizard Welcome screen is not displayed, you can access it by going to the following URL:
- Complete the following fields:
Password—enter the master password for the main in-built admin account. This password is independent of the operating system or domain passwords. The password must be at least six characters.Tip:
Keep this password secure. If you forget your password, you can reset it. For more information, see Resetting the Admin Password.
- Verify password—re-enter the password.
- Location—select the system's physical location and language.
The Organization type screen is displayed.
This selection determines which system defaults are used.
- Select your organization type.
Default cost for printing
The Default costs for printing screen is displayed.
For an education implementation, where users are charged for their printing, leave these values as zero during the implementation stage, otherwise, students will not be able to print as they cannot yet add credit to their account.
If required, you can change this setting after installation.
- Complete the following fields:
- Color (cost per page)—enter the default cost per page for color printing on all printers.
- Grayscale (cost per page)—enter the default cost per page for grayscale printing on all printers.
Initial user credit (Education organization type only)
If you selected Education as the organization type, the Initial user credit screen is displayed.
If you selected Small/Medium Enterprise (SME) or Corporate) or Professional (Client Billing) as the organization type, go to step 5.
Complete the following fields:
- Initial user credit—enter the amount of credit each/quota each user will receive when the system is first enabled. You can change these settings after setup.
Deny access when users run out of credit/quota—select this check box to prevent users from printing when they run out of credit/quota.Tip:
If you are evaluating PaperCut NG/MF it might be appropriate not to disable printing when a users funds run out. This way you can be assured that user printing is not disrupted during the evaluation.
- Click Next.
The User/group synchronization screen is displayed.
PaperCut NG/MF extracts user information out of your user directory. PaperCut NG/MF automatically tries to detect the available directory services, saving you hours of configuration time.
To speed up the installation, you can click Skip this step and synchronize the users/groups later.
In User source, select the source of user data:
- Windows Standard
- Windows Active Directory
- LDAPThe Lightweight Directory Access Protocol (LDAP) is a directory service protocol that runs on a layer above the TCP/IP stack. It provides a mechanism used to connect to, search, and modify Internet directories. The LDAP directory service is based on a client-server model.
- Azure AD Secure LDAP
- Google Cloud Directory
Select one of the following options:
- Import all users—import all domain user accounts. This includes all system accounts as well as user accounts. Importing all users is suitable for organizations that do not have user groups (user groups are not imported into PaperCut NG/MF with this options), and does not have a large number of system account.
- Import users from selected groups—import users from selected user groups. This is useful when:
- only a subset of users will use the printers
- you want to report on individual user groups or apply different policies or pricing to different groups
- you have many system accounts
- Click Next.
- For LDAP and Azure AD Secure LDAP, the Server Details page is displayed.
- For Google Cloud Directory, the Google Cloud Directory Details page is displayed.
Complete the following as required:LDAP
Azure AD Secure LDAP
- Complete the following fields:
LDAP Server Type—Determines which LDAP fields are used to get user and group information. PaperCut NG/MF supports the following server types:
Unix / Open Directory
Microsoft Active Directory
Novell eDirectoryAlso called Netware Directory Services, Novell eDirectory is directory service software that is used to centrally managing access to resources on multiple servers and computers within a network. The eDirectory software is part of the Novell Compliance Management Platform.
However, it is easy to support other server types by adjusting the LDAP fields PaperCut NG/MF searches. For more information, see Advanced LDAP configuration.
LDAP Server Address—The hostname or IP address of the LDAP server.
Use SSLSecure Sockets Layer (SSL) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral. The protocol uses a third party, a Certificate Authority (CA), to identify one end or both end of the transactions. To be able to create an SSL connection a web server requires an SSL certificate. When you choose to activate SSL on your web server you will be prompted to complete a number of questions about the identity of your website and your company. Your web server then creates two cryptographic keys - a Private Key and a Public Key.—Indicates if an encrypted SSL connection is used to connect to the LDAP server. The LDAP server requires SSL support to be enabled and should accept connections on the standard LDAPS port 636.
Base DN—The Base DN of the LDAP server. This is the equivalent of the "suffix" config setting of the OpenLDAP server. For example, if the domain hosted by the LDAP server is "domain.com", then the Base DN might be DC=domain,DC=com. The format of the Base DN can differ significantly depending on configuration. Some older Novell eDirectory installations require a blank Base DN to operate. Some examples:
Admin DN—The DN of the user who has permission to connect to and query the LDAP server. This is typically an administrative user, although it can be a user that only has read-only access to the LDAP server. An example of the DN of the Administrator user on a Windows AD domain "domain.com", would be CN=Administrator,CN=Users,DC=domain,DC=com. The exact format of the DN depends on the LDAP server. Some examples:
Windows Active Directory: CN=Administrator,CN=Users,DC=domain,DC=com
Windows Active Directory (in organizational unit):
Mac Open Directory: uid=diradmin,CN=users,DC=domain,DC=com
Unix Open LDAP: uid=root,DC=domain,DC=com, or uid=ldapadmin,DC=domain,DC=com
Novell eDirectory: CN=root,DC=domain,DC=com, or CN=ldapadmin,OU=users,DC=domain,DC=com.
The Admin DN and password is optional if your LDAP server allows anonymous binds for querying.
Admin password—The password for the above user.Tip:
Some LDAP servers are configured to allow 'anonymous' LDAP query access. In these situations, you can leave Admin DN and Admin password blank.
- Click Test LDAP settings to test and confirm your settings before continuing.
Google Cloud DirectoryNote:
Complete the following fields as required:
Accept self-signed certificate—Select this check box if you are using a self-signed certificate that does not need to be validated. If you are using a certificate signed by a trusted authority, clear this checkbox.
Azure LDAP External Address—Your LDAP external address copied above from Azure AD Secure LDAP.
Base DN—Your Azure DNS Domain Name. This is the equivalent of the "suffix" config setting of the OpenLDAP server. For example, if the domain hosted by the LDAP server is "domain.com", then the Base DN might be DC=domain,DC=com. The format of the Base DN can differ significantly depending on configuration. Some older Novell eDirectory installations require a blank Base DN to operate. Some examples:
AAD DC Administrator username—The Azure Active Directory DC administrator username. For example, email@example.com.
Admin password—The password for the above user.
- Click Test Settings to test and confirm your settings before continuing.
Remember, this functionality is available for organizations using G Suite Education, G Suite Enterprise for Education, G Suite Enterprise, and Cloud Identity Premium.Important:
Before you start, make sure you can log in to Google as a Super Admin.
- Log in to admin.google.com using your Super Admin user login details. The Google Admin console is displayed.
- Click the Apps tile. The Apps screen is displayed.
- Click the LDAP tile. The LDAP screen is displayed.
- Click ADD CLIENT.
- Type a name for the LDAP client connection you’ll be configuring to use for PaperCut NG/MF (for example, "PaperCut MF"), and optionally type a description; then click CONTINUE. The Access permissions screen is displayed.
- In the Verify user credentials section, select either:
- Entire domain <domain name>
- Selected organizational units; then click Add and select the units from the list. (Use this to limit syncing to users in a subset of groups.)
- In the Read user information section, select either
- Entire domain <domain name>
- Selected organizational units; then either click Copy from Verify user credentials or click Add and select the units from the list. (Use this to limit syncing to users in a subset of groups.)
- In the Read group information section, click the switch to set it to On; then click ADD LDAP CLIENT. Google displays a confirmation message and information about downloading the certificate.
- On the same screen, click Download certificate; then save the downloaded certificate (which is a PDF file) in a secure location.
- Click CONTINUE TO CLIENT DETAILS. The Settings for <LDAP client name> screen is displayed.
- Click anywhere in the Service Status box. The Service Status screen is displayed.
- Select On for everyone. The service status is updated for everyone.
- Click SAVE.
This adds PaperCut NG/MF to the list of permitted LDAP clients. You can find more information about configuring access permissions from Google.Note:
The service status, displayed at the top right of the screen, is initially set to OFF.Note:
Depending on the size of your organization, it can take up to 24 hours for Google Cloud Directory changes to apply.
- Complete the following fields:
User Client options (Professional Client Billing organization type only)
If you selected Professional (Client Billing), as the organization type, the User client options screen is displayed.
If you selected Education or Small/Medium Enterprise (SME) or Corporate, go to step 7.
Every print job must be charged to an account via the process of Account Selection. This may or not require user interaction and is configured at the user level. When Account Selection requires user interaction, then depending on your environment, the user can do so either via the User ClientThe User Client tool is an add-on that resides on a user's desktop. It allows users to view their current account balance via a popup window, provides users with the opportunity to confirm what they are about to print, allows users to select shared accounts via a popup, if administrators have granted access to this feature, and displays system messages, such as the "low credit" warning message or print policy popups. or via the printing device. For more information, see Shared accounts, User Client, and Changing print job settings at the MFD.
In environments where user interaction for Account Selection is required and the user has both these options (User Client and printing device), running the User Client may be optional. Hence, deploying it immediately is also optional. If you choose not to deploy it now, you can still deploy it in the future.
However, in environments where user interaction for Account Selection is required and can only be done via the User Client (and cannot be done at the printing device), running the User Client is mandatory. Hence, deploying it immediately is also mandatory. If not, the user is unable to carry out the configured user interaction for Account Selection, and the job remains paused in the print queue and does not appear on the printing device.
The User Client can be deployed directly from a network share (which is automatically configured on Windows). There is also the option to install the software locally on each workstation, however, this is not usually recommended because it makes the process of updating the User Client more complicated.
Depending on the Account Selection configuration for users (whether or not user interaction is required and whether or not your environment caters for this on the User Client AND on the printing device), select an appropriate User Client deployment strategy
Minimal impact (Initial single user testing)—the Account Selection option requiring user interaction is enabled only for a single user for testing purposes. You need to nominate the testing account; this can be an existing system/domain account used for testing purposes or your own user account. The username should be in the format used to log in to the domain/system (usually the short form). Depending on the environment, you can test the user interaction for Account Selection either on the User Client or on the printing device. The minimal impact strategy allows you to test Account Selection with user interaction using the nominated test system/domain user account, after which you can configure other users with similar Account Selection options.
Immediate implementation (Enable for all users)—the Account Selection option requiring user interaction is enabled only for all users. If you have configured your users with Account Selection that requires user interaction, and this can only be done on the User Client (and cannot be done on the printing device), then you must install the User Client on all user desktops immediately to prevent disruption of user printing services.
If in doubt, select the minimal impact strategy. This ensures the impact is isolated to only the nominated test account.
Confirm setup options
The Confirm setup options screen is displayed.
- Check the settings you have entered. If you want to change anything, you can return to any of the configuration screens to alter the options.
The Initial user import screen is displayed.
After completing the configuration wizard you are presented with a user synchronization status screen, showing the progress and results of the setup.
- Click Login to access the Admin web interface and begin familiarizing yourself with the options and features available.
Click Login to access the interface and begin familiarizing yourself with the options and features available. Take some time to explore, and refer back to the relevant sections of this manual as required.
Step 5: Check printer configuration
PaperCut NG/MF automatically detects the print queues on the print server on which PaperCut NG/MF is installed. To view the printer list:
Click the Printers tab.
The Printer List page is displayed.
- If the printers are not displayed, print a document. The first job triggers registration of the printer with PaperCut NG/MF.
Step 6: Sharing the User Client Software (optional)
The PaperCut NG/MF client software install package is located in the following directory:
- Share this software over the network so workstations can access/install the client application. The directory is automatically shared in read-only form as PCClient as part of the install process.
Confirm that you can access the client software via the network by browsing to:
Step 7: User Client deployment (optional)
The PaperCut User Client can now be deployed if required. Some features of the User Client are:
Display of notification messages, such as why a print job was denied.
Display of print policies, such as to encourage duplex printing.
Allowing users to carry out Account Selection with user interaction, such as searching for and locating a specific shared accountA shared account is an account that is shared by multiple users. For example, in business, shared accounts can be used to track printing costs by business unit, project, or client. Organizations like legal firms, engineering firms, or accounting offices often have long lists of accounts, projects, clients, or matters. In a school or university, shared accounts can be used to track printing by departments, classes, or subjects. and assigning it to a job.
Allowing users to confirm the details and/or cost of their print job before printing.
Display of users' current balance (useful in schools where print quotas are used).
Allowing user authentication when printing from public terminals or other unauthenticated systems.
Every print job must be charged to an account via the process of Account Selection. This may or not require user interaction and is configured at the user level. When Account Selection requires user interaction, then depending on your environment, the user can do so either on the User Client or on the printing device.
In environments where user interaction for Account Selection is required and the user has both these options (User Client and printing device), running the User Client is optional. Hence, deploying it immediately is also optional. If you choose not to deploy it now, you can still deploy it in the future. However, in environments where user interaction for Account Selection is required and can only be done on the User Client (and cannot be done on the printing device), running the User Client is mandatory. Hence, deploying it immediately is also mandatory. If not, the user is unable to carry out the configured user interaction for Account Selection, and the job remains paused in the print queue and does not appear on the printing device. The User Client can be deployed directly from a network share (which is automatically configured on Windows). There is also the option to install the software locally on each workstation, however, this is not usually recommended because it makes the process of updating the User Client more complicated. For more information about the Account Selection options with and without user interaction (via the User Client or printing device), see Shared accounts, User Client, and Changing print job settings at the MFD.
Step 8: Testing
Following a fresh installation, it is highly recommended to test core features of the system. For further details, see Testing the installation.
Take some time to explore the features of PaperCut NG/MF before continuing reading at Implementation by example or Tour. Business users might be interested in trying the popup client software as covered in Client software. If desired, the client software should also be deployed to other workstations. This procedure is detailed in User Client.