System Security Options

The default installation of PaperCut NG is configured to be secure by default. After initial installation only the admin user defined during the setup process is permitted to administer the system. To allow additional users to administer PaperCut NG follow the instructions defined in the section called “Assigning Administrator Level Access”.

Application Server Connections

By default PaperCut NG runs an internal web server on port 9191. All communication with the server uses HTTP to this port and includes connections by:

  • administrators to connect to the administration interface

  • users to connect to the end-user interface

  • the user client to communicate with the server to get the user balance and receive notifications; and

  • the information providers (as discussed in the section called “Key Features”) to send information to the server

It is therefore important that all of the above clients can access this port on the server from across the entire network. If your organization uses firewalls between departments or campuses then it will be necessary to allow inbound HTTP connections on port 9191 to the PaperCut NG application server.

The application server port can be changed from 9191 to any other value.

Important

If the application server port is changed, the port number also must be changed in the applications that connect to the server. i.e, the print provider and the user client.

To change the application server port:

  1. On the server, navigate to the [app-path]\server\ directory.

  2. Open the file server.properties.

  3. Change the server.port to setting to the desired port.

  4. Change the server port in all providers installed on your network. The server port is set in the print-provider.conf file in the provider directory.

  5. Change the server port in the user client config file: [app-path]\client\config.properties.

    Important

    If the client is installed locally on workstations, then the config file will need to be changed on each workstation.

    On Linux/Unix systems, the server runs under the privilege of a non-root account. Some systems may prevent non-root users from binding to ports lower than 1024. An alternate option is to use kernel level TCP port redirection (e.g. iptables).

  6. Restart the application server. (See the section called “Stopping and Starting the Application Server”).

Provider Connection Security

The PaperCut NG architecture (as discussed in the section called “Architecture Overview” and the section called “Print Monitoring Architecture”) involves having a central application server and multiple information providers that send data to the server to process. One example of a provider is the print provider which monitors printing and sends the printer activity to the central server.

PaperCut NG supports an unlimited number of information providers and they can be located on anywhere on the network. By default PaperCut NG allows these providers to connect from any machine on the network. This can be restricted to a reduced set of machines by specifying a list of IP addresses or subnets that are allowed to submit information to the application server.

To define the list of addresses that providers can connect from:

  1. Navigate to OptionsGeneral.

  2. Scroll down to the Security section.

  3. Enter the list of IP addresses or subnet masks to allow. The list of addresses is comma separated. The format of the subnet is X.X.X.X/Y.Y.Y.Y (where X represents the address and Y the subnet mask).

  4. Press Apply.

  5. It is then recommended to test all providers to ensure that they can still submit information to the application server. To test the print provider, perform a test print job to the server that the provider is running on.