I need to improve hardening of our PaperCut MF server. Do I need to keep port 9192 open for all clients to access? I've tried to find documentation on this but its not clear and the diagrams that show how the communication flows tends to not include port information.

Hey there! Thanks for reaching out to us about this!

We've got a fantastic article covering many different methods for hardening your print server's security. You can check that out here !

As far as port 9192, you can set the default port for the client to use in its config.properties file.

I hope this helps, but if you have further questions, definitely reach out to us via a support ticket at support.papercut.com!

Cheers!

How do you know whether NetBIOS is being used?

Are the alternatives to NetBIOS mDNS or manual DNS configuration?

Hi Josh,

Thank you for reaching out.

I'm afraid this is not something we can determine from the PaperCut Application server, and this should be looked at on the OS level/machine level instead. Are you planning or wanting to disable NetBIOS in your environment? If your using PaperCut MF and you want to discuss this further, please do reach out to your PaperCut Partner/Reseller and they should be able to assist you with this and review your environment accordingly. If not, please send us a query at support.papercut.com so we can assist some more. Cheers.

Thanks, Hans.

We're looking at disabling NetBIOS across our environments as per security recommendations.

I've reached out to our vendor and I'll hopefully have an answer soon.

When listing TCP49152-65535 as "cross server" wouldn't that also be a requirement for communication between the client and server (if using Point & Print via. SMB)?

The client connects to server on 445 and then server (with printer server role) redirect the client to high dynamic port to optimize simultanious communication?

Hi Anders,

Yes, the high port range is used for Windows Point and Print. Windows will use this port range when adding a connection to shared printers. The initial connection is on the high port range, If these are blocked, the spooler on the client will negotiate with the spooler on the server to drop back down to Windows XP / Server 2003 days and then use port 445 for communication flow.

Port 445 will be used when there are files getting copied from the client to the server and from the server to the client.

Spooler to spooler communication occurs on the dynamic ports. The queue view on the client is all over the high ports.

Once again, the initial communication is to the high ports first. If this fails, then the communication can drop back to legacy methods using port 445. This fallback normally takes 45 seconds. PaperCut wants a quick job release, thus the inclusion of these ports for the Cross Server redirection feature to be responsive.

Microsoft recently provided the ability to limit the high range which the Print Spooler can use as detailed by Microsoft.
https://learn.microsoft.com...

Thanks

Hi all, For SQL Always On Availability Groups is there restriction to the port used, ie has to be default 1433?
Thanks
Joe

Hi Joe,

Thanks for reaching out!

Yes the port is still the default 1433. Also you want to make sure the port that is set to the connection URL is not being used elsewhere. You can check out this article for more detailed info of configuring Microsoft SQL Server:
https://www.papercut.com/su...

I hope this helps!

Cheers!

Hi Ray,
The above says you can specify a custom port. So this is for non-cluster install?
For Clustered SQL it has to be 1433?

"External Database
PaperCut makes use of the jTDS JDBC driver for Microsoft SQL server and SQL Server Express, the postgresql JDBC driver for PostgreSQL, Oracle JDBC for Oracle and MySQL JDBC for MySQL.
You may specify a custom port, the defaults are below."

Thanks
Joe

When will you update Ports to show what all ports are needed open for PaperCut Multiverse

Hey John, thanks for your feedback we have submitting it to our Documents team. The 8443 port is used only in the connection of the your browser (the one logged into Multiverse) and the broker in the cloud for remote connections.Additionally, you can check with your Service provider for detailed documentation on this. If you are having problems in connectivity, please feel free to raise a support ticket at support.papercutcom.
Cheers,

Good afternoon, We are going to be deploying epson MFD's and was wondering which ports are required to be open from the APP server to the devices? I do not see the Epson devices on the list above.

Hey Errol.
Thanks for the question. Please see the image below for the relevant https://uploads.disquscdn.c... ports for these devices.

This is taken from the Epson embedded manual which you may be able to obtain from your PaperCut reseller. Because Epson develop their own application, the documentation for it is handled directly by themselves rather than us. If you need any support contacting your PaperCut reseller for installation help, please log a ticket with support@papercut.com quoting your Support ID, and we will point you in the right direction.

Many thanks
Jack

Hi Jack,

Thanks for the info

Hi Jack, the ports 11260/11261 and 11262. where are the open from and where are the going to?

Hi Errol,

This is something you'll really need to speak with your PaperCut Reseller about - as Jack mentioned, we did not develop this embedded Application. I do think from memory that 11260 needs to be open on the PaperCut Application Server itself, but again, your Reseller should be able to assist you with this :)

Should TCP/IP Printing Port 9100 be listed here?

Hey Dan. Rather than Ports required for PaperCut i'd potentially see this more as a general Windows printing requirement for the use of TCP/IP printing which is both Cups and Windows standard. I have never known this not to just work when configuring TCP/IP print queues so do not see that you would need to make any changes based on this for printing with direct TCP/IP queues, or redirecting from virtual find-me PaperCut queues.

Thanks. my customer had to oen this port as it was blocked by default (Print Nightmare reasons) and they queried why it wasn't on the PaperCut list.

Hi

might be an idear to show the customer "Print Deploy" as this bypasses issues with "Printer Nightmare" ...

Hi PaperCut!

Im trying to install PaperCut with Mobility print configured with one of our customer. But I encounter some issue when trying to install the mobility client on user's work station (Windows). It prompts "unable to retrieve printer list" so we did try to use the DNS discovery option. We did configure it by entering the domain, subnet. and running the DNS commands on their DNS server. But still, client installer unable to retrieve the printer list.

So we what did next is to check the firewall. We did disable the public and private firewall and change the domain settings to WORKGROUP for troubleshoot. And it worked!
Next, we did try to enable the public and private firewall and let the domain settings remain to WORKGROUP. And it worked.

It seems that the issue only appear when the client pc is connected to the domain.
is there any other way to make it work even if it is connected to the domain?

Hope you could help us with matter
Thank you in advance

Hi an jo,
Sorry for the late reply, this sounds like it could have something to do with the DNS suffix of the PC once it has joined the Domain, It might be worth checking out our DNS troubleshooting KB.
To help more we would need to ask about the suffix, along with a few other questions around your set-up, can I please ask you to reach out to support and we can work through the issue with you.
Cheers
Shane

Hi there. I wonder, why there isn't listed EPSON.
Which ports besides of the in the EPSON manual regarding Papercut mentioned one does Papercut use to communicate with EPSON Devices?
By coincidence (because we didn't find any information) we found out that if you want to use the integrated scanning features, EPSON Devices use a range from port 10000 - ??? to communicate with the Server.
Can this range be changed? And up to which ports does it reach?
Thank you very much in advance!

Hi there!
Thanks for your question about Epson! We here at PaperCut do not develop the PaperCut embedded for Epson printers. It is actually developed and maintained by Epson themselves. Therefore your best bet would be to contact your Epson Supplier directly. You can find some details here on the Epson website for PaperCut. If you have any follow up or concerns, please feel free to log a support ticket @ support.papercut.com and we can provide some more in depth assistance!
Thank you,
Matt

Hi, We have PaperCut printing here at work. PaperCut has Mobility Print feature that allows BYOD to print to the internal print server. This requires opening a port 9163, 9164, 9174 on the firewall/ACL between the BYOD network and the internal network. Users on BYOD are authenticated using their personal Active Directory credentials for the WiFi connectivity. There isn't much details about the security issue of opening these ports on their website. Is there any known security issues opening these ports or what worse can it happening by opening these ports.

SkylightPaycard

Hi there, thank you for reaching out. First thing is port 9174 is a port required for for Print Deploy and not for Mobility Print, in your environment are you using Print Deploy to to push your Mobility Print queues to your BYOD devices?

If there are concerns with opening ports 9163 or 9164 from internal network to BYOD, we can suggest using Mobility Cloud Print for chrome/mac/win, so you'll only need these ports open for outbound traffic. This is documented and suggested in our Security Whitepaper which you can find here https://www.papercut.com/kb.... If you want to discuss this further please do reach out to us at support.papercut.com and we'll be more than happy to help. Cheers!

Hi, we are currently setting up a site with mf on a Konica 450. We are getting a message on the device about certificate error. We are also having trouble scanning to email using 365 smtp. Are these issues relating to firewall
or ports that aren't open? Any advice would be appreciated.

Hi there! Sounds like you are describing 2 different issues that will require investigation. Please open a ticket with us at support.papercut.com. That will allow us provide you with more comprehensive answers to the issues you are describing. Thanks! 😀

Hi
What smb ports Papercut use to communicate with user windows workstation when submitting a print job
Cheers
TR

Hi Tariq,

Thanks for reaching out! The PaperCut server components do not communicate with end-user workstations over SMB when they submit print jobs via SMB. Do you mean which ports support print job delivery via SMB - if so, it's port 445 :)

We also cover related information regarding general printing ports which need to be open in Windows environments to support cross-server redirection above, here:

Windows Print Spooler Service


The PaperCut Print Provider service will use TCP/IP ports allocated by the Windows Print Spooler service. The Windows Print Service uses the dynamic port range from 49152 to 65535. You will need to retain this port range when redirecting print jobs between a Primary and Secondary server (Cross-Server Redirection).


49152-65535 TCP and UDP
445 TCP, Server Message Block


If using NetBIOS:


137/138 UDP, Name and Datagram Services
139 TCP, Session Services

Hopefully this helps!

What is the port (or URL) for the Web Print service?? Every time I waste minutes trying to find out how to do it.

Thanks for posting your question Pepa,

Currently, Web Print is only supported on Windows, you can view the full list of prerequisites here: https://www.papercut.com/su...

As an alternative, have you considered using Mobility Print instead of or Web Print?
You can read more about Mobility print here: https://www.papercut.com/he...

If you would like any assistance or have any further questions then please feel free to open a new support ticket with us here: https://support.papercut.com

Many thanks,

Oh, I meant where I can upload a pdf to be printed. I've done it before, but it's hard to remember the URL.

Apologies for the confusion there Pepa,

As the URL is unique to your infrastructure you may need to reach out to your IT department to confirm the exact URL.

The format of this URL will be either http://hosthame:9191/user or https://hostname:9192/user (depending on if you are using SSL)

If you need any further assistance with this then please don't hesitate to raise a support ticket with us here: https://support.papercut.com

Many thanks,

Yes, that got me somewhere that had a button for "Web Print" (I thought it was called that..!)
So the actual URL is https://SERVER/app?service=page/UserWebPrint (but SERVER/user is way easier to remember!)
Thanks for your help!

Hey, thanks for reaching out! For your users to use the PaperCut Web Print Module, you will need to open TCP Port 9191 and 9192. Also ports 80 and 443 should be open if you have switched PaperCut over to work across these ports.
It's also important to make sure that the standard ports for Windows Printing are not blocked through the firewall.
I hope this answers your question, if you have any queries please let us know.

We have the web interface on 9191 and 9192, but I can never find how to use Web Printing. This is on our LAN, and there are no Windows machines involved here. So I still don't know how to find it. I have turned it on in the admin panel.

I see PaperCut created a 'PaperCut MF Firmware' Windows Firewall rule which is configured for port 5114. Is this required?

Paycheckrecords Login

Since SMB is one of the protocols related to file transfer security, in an environment where SMBv2 is replaced by SMBv3. In this case, can you confirm to me that PaperCut and the processes that take place through it will not stop or will not have any problems?

Hi A.K.,

Thanks for reaching out. PaperCut supports SMB v3 and you shouldn't see any issues with switching over. However, it may be worth logging a support ticket at support.papercut.com if you have questions about a specific part of PaperCut.

All the best,

i understand the MobilityPrint and PrintDeploy-connected printers don't use port 9191 for connecting to server. also, we don't use the client sw, nor are users using their web access.
as far as I understand, there shouldn't be any connection attempts from client computers to our papercut server.
however, I see the connections in the firewall log.
can anyone please clarify, what might be causing this?
thx

Hello Juraj, thank you for contacting us. Port 9191 is used by more than just by the User Client, for Print Deployment and deploying direct queues the DPM must talk to the Application Server, and this is done over 9191. Even if you are not using Print Deployment for direct queues, I can certainly see that there would be some traffic between Print Deployment clients and the App server over 9191 and this should be no cause for concern. Here is a KB doing over the ports in use for Print Deployment.

https://www.papercut.com/su...

Head over to support.papercut.com and open a Support ticket if you have more questions about Print Deployment. Cheers!

Hi Papercut,
Is it possible for more clarity to specify if the ports are inbound,outbound or bidirectional for every ports ?
Thanks in advance.
Kind regards.

Hi Aurelien,

We do specify whether the connections are inbound and outbound. If you need clarification on specific device ports or else please drop us a message at Support.PaperCut.com and we can advise you!

Thanks,

Hi People,
Someone have a exclusion to Antivirus, the path correctly for papercut to Any Antivirus?

Hi Willian,

Thanks for the comment!
The path will vary depending on where you've installed PaperCut. Could I ask you to log a ticket at Support.PaperCut.com so we can find out more about your setup and advise accordingly?

Thanks,

from this article, it would seem like only 53/UDP is needed for DNS (not mDNS!) deployment of mobility print.
however, the 5353 port seems to be important as well for DNS (not mDNS!) deployments. printer discovery doesn't work without 5353 mobility print server port being allowed through firewall.

Hey Juraj,

By the sounds of things you are correct. Port 53 is used for DNS not mDNS and 5353 for mDNS not DNS. If you're using just DNS but needed to allow port 5353 for it to work, something else might be going on. It would be best for you to submit a ticket through to us at support.papercut.com and we'll take it from there.

Cheers,

Hi Papercut. We have just discovered an undocumented port that is required for the remote operation client for Ricoh SmartSDK. Port 80 or 443 is required from the remote operation client to the Ricoh device. This is in addition to the 51443 that is already documented. This tripped us up with a customer that has a very restrictive fire wall.