Enforce HTTPS communication

You can connect to PaperCut MF using either HTTP or HTTPS, however, you can enforce the use of HTTPS in one of the following ways:

• Redirect to HTTPS/SSLSecure Sockets Layer (SSL) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral. The protocol uses a third party, a Certificate Authority (CA), to identify one end or both end of the transactions. To be able to create an SSL connection a web server requires an SSL certificate. When you choose to activate SSL on your web server you will be prompted to complete a number of questions about the identity of your website and your company. Your web server then creates two cryptographic keys - a Private Key and a Public Key. if available—Redirect HTTP connections to HTTPS. The redirect is performed every time a user attempts to access PaperCut via HTTP, which can allow some vulnerability around man-in-the-middle attacks.

• Use HTTP Strict Transport Security (HSTSHTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol.)—HSTS instructs the browser to only connect via HTTPS and not HTTP for a configured timeout period. The redirect is performed only once in the timeout period when the user first logs in rather than every time the interface is accessed. This minimizes the chance of man-in-the-middle attacks.

To enforce HTTPS communication:

1. Test the connection to PaperCut MF on port 443:

   1. In a browser, connect to https://<Application ServerAn Application Server is the primary server program responsible for providing the PaperCut user interface, storing data, and providing services to users. PaperCut uses the Application Server to manage user and account information, manage printers, calculate print costs, provide a web browser interface to administrators and end users, and much more. address>.

   2. Check that the URL does not include “:9192” at the end.

2. Select Options > Advanced.

   The Advanced page is displayed.

3. In the Security area:

   1. Select the Redirect to HTTPS/SSL if available check box.

      

   2. If you want to connect using HSTS, select the Use HTTP Strict Transport Security check box.

      Important:

      If you select this option, you must use port 443. For more information about changing the port, see Enable ports 80 (HTTP) and 443 (HTTPS).

4. Click Apply.

5. Restart the Application Server. (See Stop and start the Application Server).

6. Perform a test print job to test all MFDs/printers to ensure they can still submit information to the Application Server.

   Note:

   If you cannot connect to the Application Server after enabling HSTS, it is likely due to either:

   • an invalid SSL certificate
   • the Application Server is running on a port other than 443

   You should roll back your changes:

   1. Log in to the server running the PaperCut MF Application Server.

   2. Connect to the PaperCut MF Application Server web interface using localhost, for example, http://localhost:9191. Non-secure HTTP connections are allowed when connecting from localhost.

   3. Clear the Redirect to HTTPS/SSL and Use HTTP Strict Transport Security check boxes.

   4. Restart the Application Server.