Quick install: Windows
This guide assumes that you are using Windows Server 2008. The process is similar for other Windows operating systems. If you're upgrading from a previous PaperCut NG/MF version, refer to the directions outlined in Upgrade from a previous version.
Step 1: System requirements & network setup
Before installing PaperCut NG/MF for either evaluation or production use, verify the system requirements:
The operating system version supported and patches up-to-date (see
PaperCut MF System Requirements).
PaperCut NG/MF needs to be installed on the system directly hosting the printer(s), that is, the print serverA print server is a system responsible for hosting print queues and sharing printer resources to desktops. Users submit print jobs to a print server rather then directly to the printer itself. A print server can be a dedicated server but on many networks this server also performs other tasks, such as file serving.
Printers are configured correctly and work before installing PaperCut NG/MF.
In workgroup environments (i.e. where no domain is present), some additional configuration is required. For more details see Running in a Workgroup environment.
Step 2: Print queue configuration
When using Release Stations or account selection popups, PaperCut pauses jobs on the Windows print queueA print queue displays information about documents that are waiting to be printed, such as the printing status, document owner, and number of pages to print. You can use the print queue to view, pause, resume, restart, and cancel print jobs. to hold jobs prior to printing. It is important, especially in charging environments, that the queue is secured to prevent users from resuming jobs themselves and bypassing PaperCut. There are two ways a Windows print queue can be secured:
Configure the queue using the PaperCut TCP/IP Port.
Restrict the print queue security permissions to prevent users from performing management functions.
Using the PaperCut TCP/IP port
Queues configured to use the PaperCut TCP/IP Port automatically ensure that manually resumed jobs will not be printed. You will already be using a PaperCut TCP/IP Port if you are using hardware page countHardware page counts allow PaperCut to determine the actual number of pages printed rather than just the page count from the spool file. The hardware page count is used when jobs do not print completely, for example, the print job is canceled. These checks are performed at the hardware-level by communicating with the printer via SNMP (Simple Network Management Protocol). validation. You can see which port is being used in the Ports tab under Printer Properties. If you are not currently using PaperCut TCP/IP ports, see Windows printer queue configuration.
Restricting Windows print queue security permissions
This method works for most versions of Windows. However, it might interfere with printing on Windows 8.1 and Windows 2012R2. On these systems you should secure printing using PaperCut TCP/IP ports.
To restrict security permissions for a queue:
Log onto the server hosting the printers as an Administrator.
Open the printer configuration screen: Start > Printers
Right-click a printer; then select Printer properties.
Select the Security tab.
- Select the CREATOR OWNER user.
In the Permissions area, clear the Manage Documents check box.
Perform these steps for each of the monitored printers.
When using Windows 2008 Server, use the Server Manager, navigate to the Print Management Console and globally set the security permissions by right-clicking the Print Server(s) > Properties > Security and editing the permissions there. This applies only to printers added after the global permissions are changed, not for pre-existing printers.
Windows Server 2008 R2 only
Windows Server 2008 R2 installations can experience an issue where print jobs are not removed from the print queue when completed. These jobs stay in the queue with a status of 'Sent to Printer'. To work around this, configure the Printer Driver Isolation so that jobs are removed from the queue when completed.
Log onto the server hosting the printers as an Administrator.
Using the Server Manager, navigate to the Print Management Console: Server Manager > Roles > Print and Document Services > Print Management > Print Servers > PrintServerName > Drivers
Right-click a printer driverA printer driver or a print processor is a piece of software that converts the data to be printed to the form specific to a printer. The purpose of printer drivers is to allow applications to do printing without being aware of the technical details of each printer model.; then select Set Driver Isolation > None.
Perform these steps for each of the monitored printers drivers.
Windows 2008 R2 installations might require hotfix KB2906850 to be installed. Consult with your Microsoft experts regarding the suitability of this hotfix.
If you receive an "Access denied" error when changing both the CREATOR OWNER permissions and the Print Driver Isolation settings, turn off the Render print jobs on client computers found under the Sharing Tab for that printer.
Step 3: Download and install PaperCut NG/MF
PaperCut NG/MF is supplied as a standard Windows pcng-setup-<version>.exe install program. You can download the latest version from https://portal.papercut.com/products/mf/https://www.papercut.com/products/ng/download/. This installer automatically detects whether your operating system is 32-bit or 64-bit and installs a version of the software optimized for your system. After the download is complete, run the setup wizard as an administrator. A system restart is not usually required, but you should install on live production systems during periods of low activity, for example, not during backup operations or other administration activities.
Double-click the pcng-setup-<version>.exe install program.
- Read the End User License Agreement (EULA).
- Select I accept the agreement; then click Next.
- Read the installation information; then click Next.
- Select the installation location; then click Next.
- Select Standard installation (primary server); then click Next.
- Select whether or not you want to create a desktop shortcut; then click Next.
- Click Install.
Step 4: Run the Configuration Wizard
After you install PaperCut NG/MF, a web browser is displayed with the PaperCut NG/MF Configuration Wizard Welcome screen.
If the Configuration Wizard Welcome screen is not displayed, you can access it by going to the following URL:
- Complete the following fields:
Password—enter the master password for the main in-built admin account. This password is independent of the operating system or domain passwords. The password must be at least six characters.Tip:
Keep this password secure. If you forget your password, you can reset it. For more information, see Resetting the Admin Password.
- Verify password—re-enter the password.
- Location—select the system's physical location and language.
The Organization type screen is displayed.
This selection determines which system defaults are used.
- Select your organization type.
Default cost for printing
The Default costs for printing screen is displayed.
For an education implementation, where users are charged for their printing, leave these values as zero during the implementation stage, otherwise, students will not be able to print as they cannot yet add credit to their account.
If required, you can change this setting after installation.
- Complete the following fields:
- Color (cost per page)—enter the default cost per page for color printing on all printers.
- Grayscale (cost per page)—enter the default cost per page for grayscale printing on all printers.
Initial user credit (Education organization type only)
If you selected Education as the organization type, the Initial user credit screen is displayed.
If you selected Small/Medium Enterprise (SME) or Corporate) or Professional (Client Billing) as the organization type, go to step 5.
Complete the following fields:
- Initial user credit—enter the amount of credit each/quota each user will receive when the system is first enabled. You can change these settings after setup.
Deny access when users run out of credit/quota—select this check box to prevent users from printing when they run out of credit/quota.Tip:
If you are evaluating PaperCut NG/MF it might be appropriate not to disable printing when a users funds run out. This way you can be assured that user printing is not disrupted during the evaluation.
- Click Next.
The User/group synchronization screen is displayed.
PaperCut NG/MF extracts user information out of your user directory. PaperCut NG/MF automatically tries to detect the available directory services, saving you hours of configuration time.
To speed up the installation, you can click Skip this step and synchronize the users/groups later.
In User source, select the source of user data:
- Windows Standard
- Windows Active Directory
- LDAPThe Lightweight Directory Access Protocol (LDAP) is a directory service protocol that runs on a layer above the TCP/IP stack. It provides a mechanism used to connect to, search, and modify Internet directories. The LDAP directory service is based on a client-server model.
- Azure AD Secure LDAP
- Google Cloud Directory
Select one of the following options:
- Import all users—import all domain user accounts. This includes all system accounts as well as user accounts. Importing all users is suitable for organizations that do not have user groups (user groups are not imported into PaperCut NG/MF with this options), and does not have a large number of system account.
- Import users from selected groups—import users from selected user groups. This is useful when:
- only a subset of users will use the printers
- you want to report on individual user groups or apply different policies or pricing to different groups
- you have many system accounts
- Click Next.
- For LDAP and Azure AD Secure LDAP, the Server Details page is displayed.
- For Google Cloud Directory, the Google Cloud Directory Details page is displayed.
Complete the following as required:LDAP
Azure AD Secure LDAP
- Complete the following fields:
LDAP Server Type—Determines which LDAP fields are used to get user and group information. PaperCut NG/MF supports the following server types:
Unix / Open Directory
Microsoft Active Directory
Novell eDirectoryAlso called Netware Directory Services, Novell eDirectory is directory service software that is used to centrally managing access to resources on multiple servers and computers within a network. The eDirectory software is part of the Novell Compliance Management Platform.
However, it is easy to support other server types by adjusting the LDAP fields PaperCut NG/MF searches. For more information, see Advanced LDAP configuration.
LDAP Server Address—The hostname or IP address of the LDAP server.
Use SSLSecure Sockets Layer (SSL) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral. The protocol uses a third party, a Certificate Authority (CA), to identify one end or both end of the transactions. To be able to create an SSL connection a web server requires an SSL certificate. When you choose to activate SSL on your web server you will be prompted to complete a number of questions about the identity of your website and your company. Your web server then creates two cryptographic keys - a Private Key and a Public Key.—Indicates if an encrypted SSL connection is used to connect to the LDAP server. The LDAP server requires SSL support to be enabled and should accept connections on the standard LDAPS port 636.
Base DN—The Base DN of the LDAP server. This is the equivalent of the "suffix" config setting of the OpenLDAP server. For example, if the domain hosted by the LDAP server is "domain.com", then the Base DN might be DC=domain,DC=com. The format of the Base DN can differ significantly depending on configuration. Some older Novell eDirectory installations require a blank Base DN to operate. Some examples:
Admin DN—The DN of the user who has permission to connect to and query the LDAP server. This is typically an administrative user, although it can be a user that only has read-only access to the LDAP server. An example of the DN of the Administrator user on a Windows AD domain "domain.com", would be CN=Administrator,CN=Users,DC=domain,DC=com. The exact format of the DN depends on the LDAP server. Some examples:
Windows Active Directory: CN=Administrator,CN=Users,DC=domain,DC=com
Windows Active Directory (in organizational unit):
Mac Open Directory: uid=diradmin,CN=users,DC=domain,DC=com
Unix Open LDAP: uid=root,DC=domain,DC=com, or uid=ldapadmin,DC=domain,DC=com
Novell eDirectory: CN=root,DC=domain,DC=com, or CN=ldapadmin,OU=users,DC=domain,DC=com.
The Admin DN and password is optional if your LDAP server allows anonymous binds for querying.
Admin password—The password for the above user.Tip:
Some LDAP servers are configured to allow 'anonymous' LDAP query access. In these situations, you can leave Admin DN and Admin password blank.
- Click Test LDAP settings to test and confirm your settings before continuing.
Google Cloud DirectoryNote:
Complete the following fields as required:
Accept self-signed certificate—Select this check box if you are using a self-signed certificate that does not need to be validated. If you are using a certificate signed by a trusted authority, clear this checkbox.
Azure LDAP External Address—Your LDAP external address copied above from Azure AD Secure LDAP.
Base DN—Your Azure DNS Domain Name. This is the equivalent of the "suffix" config setting of the OpenLDAP server. For example, if the domain hosted by the LDAP server is "domain.com", then the Base DN might be DC=domain,DC=com. The format of the Base DN can differ significantly depending on configuration. Some older Novell eDirectory installations require a blank Base DN to operate. Some examples:
AAD DC Administrator username—The Azure Active Directory DC administrator username. For example, firstname.lastname@example.org.
Admin password—The password for the above user.
- Click Test Settings to test and confirm your settings before continuing.
Remember, this functionality is available for organizations using G Suite Education, G Suite Enterprise for Education, G Suite Enterprise, and Cloud Identity Premium.Important:
Before you start, make sure you can log in to Google as a Super Admin.
- Log in to admin.google.com using your Super Admin user login details. The Google Admin console is displayed.
- Click the Apps tile. The Apps screen is displayed.
- Click the LDAP tile. The LDAP screen is displayed.
- Click ADD CLIENT.
- Type the name and a description of the LDAP you’ll be using to access PaperCut NG/MF; then click CONTINUE. The Access permissions screen is displayed.
- In the Verify user credentials section, select Entire domain <domain name>.
- In the Read user information section, select Entire domain <domain name>.
- In the Read group information section, click the switch to set it to On; then click ADD LDAP CLIENT. Google displays a confirmation message and information about downloading the certificate.
- On the same screen, click Download certificate; then save the downloaded certificate (which is a PDF file) in a secure location.
- Click CONTINUE TO CLIENT DETAILS. The Settings for <LDAP client name> screen is displayed.
- Click anywhere in the Service Status box. The Service Status screen is displayed.
- Select On for everyone. The service status is updated for everyone.
- Click SAVE.
You can find more information about configuring access permissions from Google.Note:
The service status, displayed at the top right of the screen, is initially set to OFF.Note:
Depending on the size of your organization, it can take up to 24 hours for Google Cloud Directory changes to apply.
- Complete the following fields:
User Client options (Professional (Client Billing) organization type only)
If you selected Professional (Client Billing), as the organization type, the User client options screen is displayed.
If you selected Education or Small/Medium Enterprise (SME) or Corporate, go to step 7.
The User client allows users to allocate print jobs to client (shared) accounts. The process works by:
Pausing all jobs that enter the print queues.
Displaying a popup on the user's workstation asking them to allocate the print job to an account. This is done by selecting the account from a list.
After the user has responded to the popup, the job is released to the printer.
For more information about the account selection process and shared accounts, see Shared accounts.
The account selection popup option is enabled at the user level. Once the option is enabled, the user must run the client software. If the client software is not running, the popup cannot display, and the job remains paused in the print queue. This option is considered high impact. You are presented with two strategies that allow you to choose the implementation approach that best suits your needs.
Select the account implementation strategy:
Minimal impact (Initial single user testing)—the account popup is enabled only for a single user for testing purposes. You need to nominate the testing account; this can be an existing system/domain account used for testing purposes or your own user account. The username should be in the format used to log in to the domain/system (usually the short form).
The minimal impact strategy allows you to test the popup with the nominated test system/domain user account, after which you can enable thepopup for other users as appropriate.
Immediate implementation (Enable for all users)—enables the account selection popup for all users. Once the client has been deployed, the system is operational. If this option is selected, install the client software on user desktops immediately to prevent disruption of user printing services.
If in doubt, select the minimal impact strategy. This ensures the impact is isolated to only the nominated test account.
Confirm setup options
The Confirm setup options screen is displayed.
- Check the settings you have entered. If you want to change anything, you can return to any of the configuration screens to alter the options.
The Initial user import screen is displayed.
After completing the configuration wizard you are presented with a user synchronization status screen, showing the progress and results of the setup.
- Click Login to access the Admin web interface and begin familiarizing yourself with the options and features available.
Click Login to access the interface and begin familiarizing yourself with the options and features available. Take some time to explore, and refer back to the relevant sections of this manual as required.
Step 5: Check printer configuration
PaperCut NG/MF automatically detects the print queues on the print server on which PaperCut NG/MF is installed. To view the printer list:
Click the Printers tab.
The Printer List page is displayed.
- If the printers are not displayed, print a document. The first job triggers registration of the printer with PaperCut NG/MF.
Step 6: Sharing the User Client Software (optional)
The PaperCut NG/MF client software install package is located in the following directory:
- Share this software over the network so workstations can access/install the client application. The directory is automatically shared in read-only form as PCClient as part of the install process.
Confirm that you can access the client software via the network by browsing to:
Step 7: User Client software deployment (optional)
The PaperCut client software can now be deployed if required. The client software is not required for basic print tracking and reporting. Some features the client software provides include:
Displays notification messages, such as why a print job was denied.
Displays print policyPrint policies allow you to remind users via popup to print duplex, route large jobs to dedicated high-volume printers, discourage users from printing emails, discourage printing web pages in color, and print policies can be implemented in PaperCut using advanced scripting. popups, such as to encourage duplex printing.
Displays popups for shared accountA shared account is an account that is shared by multiple users. For example, in business, shared accounts can be used to track printing costs by business unit, project, or client. Organizations like legal firms, engineering firms, or accounting offices often have long lists of accounts, projects, clients, or matters. In a school or university, shared accounts can be used to track printing by departments, classes, or subjects. allocation/charging (department accounts, client billing).
Allow the user to confirm the details and/or cost of their print job before printing.
Shows the user their current balance (useful in schools where print quotas are used).
Can be used for authentication when printing from public terminals or other unauthenticated systems.
For a Professional (Client Billing) installation the client software is required so that users can allocate print jobs to client (shared) accounts via a popup. It is recommended to follow the steps in User Client for best practice client deployment methods. After the client software is deployed, you can enable the account selection popup for all users. For more information, see Enabling the Advanced Account Selection Popup For All Users.
For other installation types the client software is optional. If you choose not to deploy the client software you can still deploy it in the future.
Step 8: Testing
Following a fresh installation, it is highly recommended to test core features of the system. For further details, see Testing the installation.
Take some time to explore the features of PaperCut NG/MF before continuing reading at Implementation by example or Tour. Business users might be interested in trying the popup client software as covered in Client software. If desired, the client software should also be deployed to other workstations. This procedure is detailed in User Client.