Setting system security options
The default installation of PaperCut NG is configured to be secure by default. After initial installation only the admin user-defined during the setup process is permitted to administer the system. To allow additional users to administer PaperCut NG follow the instructions defined in Assigning administrator level access.
Application Server connections
By default PaperCut NG runs an internal web server on port 9191. All communication with the server uses HTTP to this port and includes connections by:
administrators to connect to the Admin web interface
users to connect to the end user interface
the User ClientThe User Client tool is an add-on that resides on a user's desktop. It allows users to view their current account balance via a popup window, provides users with the opportunity to confirm what they are about to print, allows users to select shared accounts via a popup, if administrators have granted access to this feature, and displays system messages, such as, the "low credit" warning message or print policy popups. to communicate with the server to get the user balance and receive notifications; and
the information providers (see Key Features) to send information to the server
It is therefore important that all of the above clients can access this port on the server from across the entire network. If your organization uses firewalls between departments or campuses, then allow inbound HTTP connections on port 9191 to the PaperCut NG Application ServerAn Application Server is the primary server program responsible for providing the PaperCut user interface, storing data, and providing services to users. PaperCut uses the Application Server to manage user and account information, manage printers, calculate print costs, provide a web browser interface to administrators and end users, and much more..
You can change the Application Server port from 9191 to any other value.
If the Application Server port is changed, the port number also must be changed in the applications that connect to the server. i.e, the Print ProviderA Print Provider is a monitoring service installed on a secondary print server to allow PaperCut to control and track printers. This monitoring component intercepts the local printing and reports the use back to the primary Application Server. and the User Client.
Change the Application Server port
-
On the server, navigate to the [app-path]\server\ directory.
-
Open the file server.properties.
-
Change the server.port to setting to the desired port.
-
Change the server port in all providers installed on your network. The server port is set in the print-provider.conf file in the provider directory.
-
Change the server port in the User Client config file:
[app-path]\client\config.properties.
Important:If the client is installed locally on workstations, then change the config file on each workstation. On Linux/Unix systems, the server runs under the privilege of a non-root account. Some systems prevent non-root users from binding to ports lower than 1024. An alternate option is to use kernel level TCP port redirection (e.g. iptables).
-
Restart the Application Server. (See Stopping and starting the Application Server).
Provider connection security
The PaperCut NG architecture (see Architecture Overview and Print monitoring architecture) involves having a central Application Server and multiple information providers that send data to the server to process. One example of a provider is the Print Provider, which monitors printing and sends the printer activity to the central server.
PaperCut NG supports an unlimited number of information providers and they can be located on anywhere on the network. By default PaperCut NG allows these providers to connect from any machine on the network. You can restrict this to a reduced set of machines by specifying a list of IP addresses or subnets that are allowed to submit information to the Application Server.
Define the list of addresses that providers can connect from
-
Select Options > Advanced.
The Advanced page is displayed.
-
In the Security area, enter the list of IP addresses or subnet masks to allow. The list of addresses is comma separated. The format of the subnet is X.X.X.X/Y.Y.Y.Y (where X represents the address and Y the subnet mask).
-
Click Apply.
-
It is then recommended to test all providers to ensure that they can still submit information to the Application Server. To test the Print Provider, perform a test print job to the server that the provider is running on.
Release Station connection security
You can restrict the address ranges from which standard Release Stations (see Standard Release Station) access the Application Server. This measure only applies to standard Release Stations and does not affect print release at an embedded device or from a web browser.
-
Click the Options tab.
The General page is displayed.
-
In the Actions menu, click Config editor (advanced).
The Config EditorThe Config Editor stores information used by PaperCut to configure advanced options and functions. This information is stored in config keys, which are editable by an administrator. page is displayed.
-
Search for the config keyA config key stores information about a specific advanced setting in PaperCut. Config keys are editable by an administrator in the Config Editor.: auth.release-station.allowed-addresses
-
Enter the list of IP addresses or subnet masks to allow. The list of addresses is comma separated. The format of the subnet is X.X.X.X/Y.Y.Y.Y (where X represents the address and Y the subnet mask).
-
Click Update.
-
It is then recommended to test all standard Release Stations to ensure that they can still successfully start-up and connect to the Application Server.
Web session inactivity timeout
For security reasons all the web sessions log out (timeout) after periods of inactivity. Clicking a link or refreshing a page resets the inactivity timer. Closing the browser window/tab also ends the session (i.e. the session cookies are not persistent). The default timeout periods for different login types are described in the table below:
These timeout values (a period given in minutes) are configurable via the config keys below. A value of 0 indicates that the session never times out. The special value DEFAULT indicates that the PaperCut defaults (in the above table) are used (the PaperCut defaults might change in future versions).
Config name | Description |
---|---|
web-login.admin.session-timeout-mins | Inactivity timeout for the admin web interface. |
web-login.web-cashier.session-timeout-mins | Inactivity timeout for Web Cashier. |
web-login.release.session-timeout-mins | Inactivity timeout for the web based Release Station. |
web-login.user.session-timeout-mins | Inactivity timeout for the user web interface. |
See Using the Config Editor for information about changing config keys.
Changing the inactivity timeout values take effect the next time users log in. Note that some pages periodically refresh the page (or data on the page), such as the dashboard and the web based Release Station. A session does not time out if a browser is left on these pages, as it is considered active.