Knowledgebase
Knowledgebase: PaperCut > Security and Privacy
Installing an IPPS printer in Windows
Last modified on 08 March 2018 12:34 PM

Since version 18.1, PaperCut NG and PaperCut MF support IPPS printers. Printing over IPPS ensures print traffic to the printer is encrypted. This guide focuses on the steps to add an IPPS printer on a Windows Print Server.

Follow this end-to-end print security guide to protect print traffic from clients to the server, and also read about measures you can put in place to protect your organization……FOREVER.

Installing an IPPS printer in Windows

Firstly, to set up printing from a Windows print server to an IPPS printer, the printer’s SSL certificate will need to be installed onto the server. Follow the printer user manual on how to retrieve or create an SSL certificate on the printer.

Below is an example of a Ricoh printer with an existing self-signed certificate. On this interface for example, the certificate can be exported and downloaded.

 

1. Download the certificate onto the print server, and double click on it.

2. Add the certificate to the ‘Trusted Root Certification Authorities’ certificate store.

If the certificate is a self-signed certificate, also add the certificate to the “Third-Party Root Certification Authorities” certificate store.

 

3. Make sure your certificate is OK, by clicking on the Certification Path tab:

 

4. Ensure Internet Printing Client is enabled on your server via Windows Features in the Control Panel.

 

5. Now add the printer, select “Add a network, wireless or Bluetooth printer”.

 

6. Select the ‘The printer that I want isn’t listed’ button

 

7. Select the 2nd option, “Select a shared printer by name” and enter in: https://<hostname>:443/printer or: https://<hostname>/ipp.

 

8. Once added, the printer should appear in the list of available printers. Below is a couple of examples of IPP names that will be used for different manufacturers.

 

9. From your print server, check whether you can successfully print to the printer. So, at this stage PaperCut MF/NG is not involved yet, you are just checking whether the certificate was correctly loaded and the printer was correctly installed.

10. Once you have setup your IPPS printers, you can validate that print jobs are indeed encrypted by following this guide.

IPPS printers in PaperCut NG and MF

Prepare

Before you can track and control IPPS print queues in PaperCut MF and NG, you need to run the Print Provider using a domain administrator service account rather than the local system account:

  1. Navigate to Control Panel → Administrative Tools → Computer Management → System Tools → Local Users and Groups and create a new domain administrator service account/ local user account with domain administrator level access.
  2. Enable the option Password never expires.
  3. Navigate to Control Panel → Administrative Tools → Services →
  4. Right click on PaperCut Print Provider → select Properties→ navigate to Log On tab.
  1. Select the option Log on as: This account:
  2. Enter the credentials for the newly created account.
  3. Click OK.
  4. Restart the service.
  5. Use the domain administrator service account just created while logging in and running the PaperCut Application Server.

Configure

Note, the IPPS printer shouldn’t be shared directly to users and instead, you’ll have to set up another queue (a Find Me queue) that will be shared to the users, and print jobs from that queue will be redirected to the IPPS queue.

Why can’t I just share the original IPPS printer you ask… Well firstly, Windows will tell you that you can’t share an IPPS printer, secondly, if you are clever enough to hack it to still share the printer, due to optimisation of network printers in a Windows environment, the client will not send the spool file via the server and will instead send the spool file directly to the printer. If that happens, then PaperCut MF and NG won’t be able to record, block or manipulate that print job.

To make sure PaperCut MF and NG processes every job, we’ve introduced an additional feature in Version 18.1 to only make non-shared IPPS printers available in the Admin interface.

NOTE: You will not see IPP printers in the PaperCut Admin interface, only IPPS printers will be made available.

Once you can see your IPPS printer in PaperCut, configure it as a destination queue in your Find Me environment.

 

Troubleshooting

  • If this error occurs whilst adding a printer:

a) Check whether IPPS is enabled on the device. On some devices IPPS is off by default.
b) Try restarting the Print Spooler service

 

c) Check to see if you need the FQN of the device (e.g. hp-m4555.papercutsoftware.com), rather than just the hostname (hp-m4555) when adding the device. You can check this when pinging the device.

  • If you print a test page, and PaperCut MF or PaperCut NG logs the print job, but you do not get a physical print job at the printer, then it could be that the PaperCut Print Provider does not have sufficient privileges. Follow the guide above and ensure that the Print Provider is running under a user account with domain administrator level access