You are here: Administration > System management > Setting system security options

Setting system security options

The default installation of PaperCut NG is configured to be secure by default. After initial installation only the admin user-defined during the setup process is permitted to administer the system. To allow additional users to administer PaperCut NG follow the instructions defined in Assigning administrator level access.

Application Server connections

By default PaperCut NG runs an internal web server on port 9191. All communication with the server uses HTTP to this port and includes connections by:

It is therefore important that all of the above clients can access this port on the server from across the entire network. If your organization uses firewalls between departments or campuses, then allow inbound HTTP connections on port 9191 to the PaperCut NG Application ServerAn Application Server is the primary server program responsible for providing the PaperCut user interface, storing data, and providing services to users. PaperCut uses the Application Server to manage user and account information, manage printers, calculate print costs, provide a web browser interface to administrators and end users, and much more..

You can change the Application Server port from 9191 to any other value.

Change the Application Server port

  1. On the server, navigate to the [app-path]\server\ directory.

  2. Open the file server.properties.

  3. Change the server.port to setting to the desired port.

  4. Change the server port in all providers installed on your network. The server port is set in the print-provider.conf file in the provider directory.

  5. Change the server port in the User Client config file:

    [app-path]\client\config.properties.

    Important:

    If the client is installed locally on workstations, then change the config file on each workstation. On Linux/Unix systems, the server runs under the privilege of a non-root account. Some systems prevent non-root users from binding to ports lower than 1024. An alternate option is to use kernel level TCP port redirection (e.g. iptables).

  6. Restart the Application Server. (See Stopping and starting the Application Server).

Provider connection security

The PaperCut NG architecture (see Architecture Overview and Print monitoring architecture) involves having a central Application Server and multiple information providers that send data to the server to process. One example of a provider is the Print Provider, which monitors printing and sends the printer activity to the central server.

PaperCut NG supports an unlimited number of information providers and they can be located on anywhere on the network. By default PaperCut NG allows these providers to connect from any machine on the network. You can restrict this to a reduced set of machines by specifying a list of IP addresses or subnets that are allowed to submit information to the Application Server.

Define the list of addresses that providers can connect from

  1. Select Options > Advanced.

    The Advanced page is displayed.

  2. In the Security area, enter the list of IP addresses or subnet masks to allow. The list of addresses is comma separated. The format of the subnet is X.X.X.X/Y.Y.Y.Y (where X represents the address and Y the subnet mask).

  3. Click Apply.

  4. It is then recommended to test all providers to ensure that they can still submit information to the Application Server. To test the Print Provider, perform a test print job to the server that the provider is running on.

Release Station connection security

You can restrict the address ranges from which standard Release Stations (see Standard Release Station) access the Application Server. This measure only applies to standard Release Stations and does not affect print release at an embedded device or from a web browser.

  1. Click the Options tab.

    The General page is displayed.

  2. In the Actions menu, click Config editor (advanced).

    The Config EditorThe Config Editor stores information used by PaperCut to configure advanced options and functions. This information is stored in config keys, which are editable by an administrator. page is displayed.

  3. Search for the config keyA config key stores information about a specific advanced setting in PaperCut. Config keys are editable by an administrator in the Config Editor.: auth.release-station.allowed-addresses

  4. Enter the list of IP addresses or subnet masks to allow. The list of addresses is comma separated. The format of the subnet is X.X.X.X/Y.Y.Y.Y (where X represents the address and Y the subnet mask).

  5. Click Update.

  6. It is then recommended to test all standard Release Stations to ensure that they can still successfully start-up and connect to the Application Server.

Web session inactivity timeout

For security reasons all the web sessions log out (timeout) after periods of inactivity. Clicking a link or refreshing a page resets the inactivity timer. Closing the browser window/tab also ends the session (i.e. the session cookies are not persistent). The default timeout periods for different login types are described in the table below:

Table 93: Default Web Session Inactivity Timeout Values
Login Type Default value
Admin web interface 1440 minutes (24 hours)
Web based Release StationPrint Release Stations place a print job on hold and allow users to release it when required. Often a Release Station is a dedicated PC terminal located next to the printers, however, Release Stations can take other forms such as a web browser based interface. Some common examples where Release Stations can be used include secure printing, approved printing, and authentication. In a secure printing environment jobs are only printed when the user arrives at the print area and confirms his or her identity. This ensures the user is there to collect the job and other users can't "accidentally" collect the document. In some organizations it may be appropriate to hold jobs until they are approved by selected individuals. A good example would be a teacher approving printing on an expensive color printer. Hold/Release queues can be used as a form of authentication in an unauthenticated environment. Users must authenticate prior to releasing their jobs allowing PaperCut NG to confirm their identity. 1440 minutes (24 hours)
Web CashierWeb Cashier is a basic Point of Sale (POS) system to charge items to PaperCut accounts and deposit funds into users' accounts. 1440 minutes (24 hours)
User web interfaceThe User web interface provide a range of services for users, including a summary of usage and balance history, a list of the shared accounts that the user can use for printing, the current costs for printing usage, ability to add balance by using a TopUp/Pre-Paid Card or an external payment system (when using the payment gateway module), transfer funds to other users, view a history of balance transactions, view a list of the user's recent printing, and view print jobs pending release (when using a Release Station). 60 minutes (1 hour)

These timeout values (a period given in minutes) are configurable via the config keys below. A value of 0 indicates that the session never times out. The special value DEFAULT indicates that the PaperCut defaults (in the above table) are used (the PaperCut defaults might change in future versions).

Table 94: Timeout Web Session Config Keys
Config name Description
web-login.admin.session-timeout-mins Inactivity timeout for the admin web interface.
web-login.web-cashier.session-timeout-mins Inactivity timeout for Web Cashier.
web-login.release.session-timeout-mins Inactivity timeout for the web based Release Station.
web-login.user.session-timeout-mins Inactivity timeout for the user web interface.

See Using the Config Editor for information about changing config keys.

Changing the inactivity timeout values take effect the next time users log in. Note that some pages periodically refresh the page (or data on the page), such as the dashboard and the web based Release Station. A session does not time out if a browser is left on these pages, as it is considered active.