Secure printing takes advantage of SSL, which requires users to authenticate with their eDirectory usernames and passwords. Users authenticate once per eDirectory tree per session. Between the client and the Print Manager, the print data is encrypted and all print communication uses port 443. Without secure printing, the printer is available to anyone inside the firewall on the network and the print data is not encrypted to the server. Secure printing works in conjunction with the security level set for the printer. Print data between the server and the printer is not encrypted because most printers do not support encrypted data. Also, when you enable iPrint Direct, data is not encrypted between the client and the printer.
If you are using the latest iPrint Client and server software, iPrint automatically attempts to use TLS for printing on port 631. TLS printing supports encrypted and non-encrypted print communication through port 631. Whether encryption is used depends on the secure printing setting of the Printer Agent. If secure printing is enabled on a printer, the user is required to authenticate, and the print data is encrypted. If secure printing is not enabled, the user does not authenticate and the print data is not encrypted.
Beginning with Open Enterprise Server and the iPrint Client 4.05, both non-secure and secure printing URLs use ipp://.
Prior to Open Enterprise Server, printer URLs were based on http:// and https://. When a non-secure printer using an http:// URL changes to a secure printer, the URL changes to https:// or ipp:// and users must delete the printer and reinstall the new secure printer.
In iManager, click iPrint > Manage Printer.
Browse to and select the Printer object you want to modify.
Click Client Support > iPrint Support.
Select the Enable Secure Printing check box.
Click Apply or OK to update the printer settings.
When users print to a secure printer, they are prompted for their eDirectory username and password. Users can choose to have their workstations remember their password for printing.
For more information, see Managing Passwords for Remote iPrint Servers.
To use a proxy with secure printing:
Create a file in /etc/opt/novell/httpd/conf.d named mod_proxy.conf.
Add the following lines to the file:
    LoadModule proxy_module /usr/lib/apache2-worker/mod_proxy.so
    LoadModule proxy_connect_module /usr/lib/apache2-worker/mod_proxy_connect.so
    LoadModule proxy_http_module /usr/lib/apache2-worker/mod_proxy_http.so
    # This is the port the proxy will listen on
    Listen 8080
    ProxyRequests On
    ProxyVia On
    <Proxy *>
        Order deny,allow
        Allow from All
    </Proxy>
    AllowCONNECT 631 443
Set the proxy port on the client to 8080.
Restart Apache.
To set up a Squid proxy:
IMPORTANT: Implementing the following changes lets your users print using TLS; however, there are security risks involved. Contact your Security Administrator before completing these steps.
Rename the Squid configuration file by using the following command:
    mv /etc/squid/squid.conf /etc/squid/squid.conf.orig
Create a new /etc/squid/squid.conf file.
Add the following lines to the file:
    http_port 3128
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl to_localhost dst 127.0.0.0/8
    acl SSL_ports port 80 443 563 631
    acl Safe_ports port 80            # http
    acl Safe_ports port 21            # ftp
    acl Safe_ports port 443 563 631   # https, snews
    acl Safe_ports port 70            # gopher
    acl Safe_ports port 210           # wais
    acl Safe_ports port 1025-65535    # unregistered ports
    acl Safe_ports port 280           # http-mgmt
    acl Safe_ports port 488           # gss-http
    acl Safe_ports port 591           # filemaker
    acl Safe_ports port 777           # multiling http
    acl CONNECT method CONNECT
    acl ipp_access port 631
    http_access allow all
    miss_access allow all
    http_access allow CONNECT ipp_access
    http_reply_access allow all
    icp_access allow all
    miss_access allow all
Set the proxy port on the client to 3128.
Restart Squid.
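Added example, not part of the original documentation: a small Python evaluator for the http_access lines of the Squid file above. It shows that Squid's first-match rule order lets `http_access allow all` decide every request, so the later `http_access allow CONNECT ipp_access` line is never reached. `TIGHTENED_CONF`, its `print_ports` ACL name and the client address passed in are constructed assumptions that have not been validated against iPrint, and the evaluator handles only the src, method and port ACL types.

```python
import ipaddress
# http_access-relevant lines copied from the Squid file above.
PAGE_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl CONNECT method CONNECT
acl ipp_access port 631
http_access allow all
http_access allow CONNECT ipp_access
"""

# Constructed alternative (assumption, not vendor guidance): print-port tunnels only.
TIGHTENED_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl CONNECT method CONNECT
acl print_ports port 631 443
http_access allow CONNECT print_ports
http_access deny all
"""

def parse(conf):  # acl definitions and http_access rules, in file order
    acls, rules = {}, []
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split()
        if words[:1] == ["acl"] and len(words) >= 4:
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif words[:1] == ["http_access"] and len(words) >= 3:
            rules.append((words[1], words[2:], " ".join(words)))
    return acls, rules

def acl_hit(acls, name, client, method, port):
    kind, values = acls[name.lstrip("!")]
    if kind == "src":
        hit = any(ipaddress.ip_address(client) in ipaddress.ip_network(v, strict=False) for v in values)
    elif kind == "method":
        hit = method in values
    elif kind == "port":  # single port or lo-hi range
        hit = any(int(v.split("-")[0]) <= port <= int(v.split("-")[-1]) for v in values)
    else:
        raise ValueError(f"acl type {kind!r} is not handled by this sketch")
    return hit != name.startswith("!")  # a leading "!" negates the ACL

def decide(conf, client, method, port):
    """Return (action, deciding rule); the first rule whose ACLs all match wins."""
    acls, rules = parse(conf)
    for action, names, text in rules:
        if all(acl_hit(acls, n, client, method, port) for n in names):
            return action, text
    # No rule matched: Squid applies the opposite of the last rule (deny if none).
    return ("deny" if not rules or rules[-1][0] == "allow" else "allow"), "(default)"
```

Calling `decide(PAGE_CONF, client, method, port)` for any request returns the `http_access allow all` rule as the deciding line, which is a concrete point to raise with the Security Administrator the IMPORTANT note refers to.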