System Security Options

The default installation of PaperCut MF is configured to be secure by default. After initial installation only the admin user defined during the setup process is permitted to administer the system. To allow additional users to administer PaperCut MF follow the instructions defined in the section called “Assigning Administrator Level Access”.

Application Server Connections

By default PaperCut MF runs an internal web server on port 9191. All communication with the server uses HTTP to this port and includes connections by:

  • administrators to connect to the administration interface

  • users to connect to the end-user interface

  • the user client to communicate with the server to get the user balance and receive notifications; and

  • the information providers (as discussed in the section called “Key Features”) to send information to the server

It is therefore important that all of the above clients can access this port on the server from across the entire network. If your organization uses firewalls between departments or campuses then it will be necessary to allow inbound HTTP connections on port 9191 to the PaperCut MF application server.

The application server port can be changed from 9191 to any other value.

Important

If the application server port is changed, the port number also must be changed in the applications that connect to the server. i.e, the print provider and the user client.

To change the application server port:

  1. On the server, navigate to the [app-path]\server\ directory.

  2. Open the file server.properties.

  3. Change the server.port to setting to the desired port.

  4. Change the server port in all providers installed on your network. The server port is set in the print-provider.conf file in the provider directory.

  5. Change the server port in the user client config file: [app-path]\client\config.properties.

    Important

    If the client is installed locally on workstations, then the config file will need to be changed on each workstation.

    On Linux/Unix systems, the server runs under the privilege of a non-root account. Some systems may prevent non-root users from binding to ports lower than 1024. An alternate option is to use kernel level TCP port redirection (e.g. iptables).

  6. Restart the application server. (See the section called “Stopping and Starting the Application Server”).

Provider Connection Security

The PaperCut MF architecture (as discussed in the section called “Architecture Overview” and the section called “Print Monitoring Architecture”) involves having a central application server and multiple information providers that send data to the server to process. One example of a provider is the print provider which monitors printing and sends the printer activity to the central server.

PaperCut MF supports an unlimited number of information providers and they can be located on anywhere on the network. By default PaperCut MF allows these providers to connect from any machine on the network. This can be restricted to a reduced set of machines by specifying a list of IP addresses or subnets that are allowed to submit information to the application server.

To define the list of addresses that providers can connect from:

  1. Navigate to OptionsAdvanced.

  2. Scroll down to the Security section.

  3. Enter the list of IP addresses or subnet masks to allow. The list of addresses is comma separated. The format of the subnet is X.X.X.X/Y.Y.Y.Y (where X represents the address and Y the subnet mask).

  4. Press Apply.

  5. It is then recommended to test all providers to ensure that they can still submit information to the application server. To test the print provider, perform a test print job to the server that the provider is running on.

Release Station Connection Security

You may restrict the address ranges from which standard release stations (see the section called “Standard Release Station”) may access the application server. This measure only applies to standard release stations and does not affect print release at an embedded device or from a web browser.

  1. Navigate to Options and select Config Editor (Advanced).

  2. Search for the config key: auth.release-station.allowed-addresses

  3. Enter the list of IP addresses or subnet masks to allow. The list of addresses is comma separated. The format of the subnet is X.X.X.X/Y.Y.Y.Y (where X represents the address and Y the subnet mask).

  4. Click Update.

  5. It is then recommended to test all standard release stations to ensure that they can still successfully start-up and connect to the Application Server.

Web Session Inactivity Timeout

For security reasons all the web sessions log out (timeout) after periods of inactivity. Clicking a link or refreshing a page will reset the inactivity timer. Closing the browser window/tab will also end the session (i.e. the session cookies are not persistent). The default timeout periods for different login types are described in the table below:

Login TypeDefault value

Admin web interface

1440 minutes (24 hours)

Web based release station

1440 minutes (24 hours)

Web Cashier

1440 minutes (24 hours)

User web interface

60 minutes (1 hour)

Table 17.15. Default Web Session Inactivity Timeout Values

These timeout values (a period given in minutes) are configurable via the config keys below. A value of 0 indicates that the session will never time out. The special value DEFAULT indicates that the PaperCut defaults (in the above table) are used (the PaperCut defaults may change in future versions).

Config nameDescription

web-login.admin.session-timeout-mins

Inactivity timeout for the admin web interface.

web-login.web-cashier.session-timeout-mins

Inactivity timeout for Web Cashier.

web-login.release.session-timeout-mins

Inactivity timeout for the web based release station.

web-login.user.session-timeout-mins

Inactivity timeout for the user web interface.

Table 17.16. Timeout Web Session Config Keys

Please see the section called “Using the Config Editor” for information about changing config keys.

Changing the inactivity timeout values will take effect the next time users log in. Note that some pages periodically refresh the page (or data on the page), such as the dashboard and the web based release station. A session will not time out if a browser is left on these pages, as it will be considered active.