Print servers for ThinPrint environments - Sysbus
Subject of the test: ThinPrint gateways
TPG60 and TPG65 from SEH
Dr. Götz Güttich

The SEH ThinPrint gateways are able to receive ThinPrint print jobs for groups of client computers and printers, to decompress, decrypt and then forward these print jobs in a local network to the relevant target printer. IAIT has examined how these products perform in practice.

The ThinPrint server engine from Cortado reduces the printing volume in terminal server and virtual environments. To do this, the system connects mobile, virtual and web-based desktops to centralized IT resources. It also supports Thin clients and the protocols RDP, ICA, HDX, PCoIP and TCP/IP. It is also able to compress and encrypt the print data. This results in a much faster printing process than in normal environments with, at the same time, less bandwidth and more security. In addition, the solution from Cortado reduces the amount of administration. The driver-free printing thus significantly simplifies the management of printer drivers in the network.

In practice, printing in ThinPrint environments works as follows: Users send their print jobs from their Thin clients or virtual desktops to the ThinPrint server engine that, in turn, limits the bandwidth of the print jobs, compresses the print jobs and encrypts them, if necessary. The engine then transfers the print jobs to a ThinPrint client, for example via a WAN. The ThinPrint client then decrypts, decompresses and forwards the print jobs in the right format to the intended printer. The ThinPrint client, in turn, can be a Thin client. It is also possible to install the appropriate software to a PC or to use a compatible print server.

The ThinPrint gateways

This is where the ThinPrint gateways from SEH come into play. They serve as ThinPrint clients and print servers in the network and thus render additional ThinPrint clients superfluous. This is especially of great advantage in networks without ThinPrint clients and where the print jobs are transmitted in an encrypted way. If there were no ThinPrint gateways available in such an environment, printing would either be impossible or the administrators would have to install the ThinPrint client to each end device together with the certificates that are required for the encryption. If a ThinPrint gateway is used instead of multiple end devices, the certificates have to be installed only once, resulting in a significant reduction in the amount of work. This way, even systems without ThinPrint client can be seamlessly integrated into the printing environment.

SEH offers four different versions of its TPG gateway. The TPG60 works with six external network printers, the TPG120 with twelve. In addition, there are two products from the latest series, the TPG25 for two printers and the TPG65 for six. These two solutions use a different user interface and come with additional features. We will deal with this later in greater detail.

Since we only set up two printers in our test environment, the TPG60 and the TPG65 were more than enough in order to take a close look at all the functions. Apart from the number of addressable printers, the TPG60 and the TPG120 on the one side and the TPG25 and the TPG65 on the other side are identical.

The test

For our test, we needed the two network printers mentioned above, the ThinPrint gateways and a ThinPrint print server. First, we set up the network printers and installed the TPG60 – more about this later. We then configured the TPG60 in such a way as to allow for the communication with the printers. Finally, we set up a ThinPrint environment with a central print server in the version 8.6 with Windows Server 2008 in the 32-bit version.

We connected an – initially unencrypted – ThinPrint port to this print server and added a shared default printer to the operating system that used this ThinPrint port. This printer sent its print data to the TPG60.

During the test, we first analyzed the printing environment without encryption, worked with the TPG60 and made sure everything worked fine. We then configured an encryption environment with certificates and encrypted our print jobs.

Next, we set up our second printer and checked if all print jobs from all clients arrived at the destination printer, as expected. Last, but not least, we had a close look at the TPG65 with its new features and its user interface.

Installation

The installation of the ThinPrint Engine runs, as is normal with Windows, with the help of a wizard and will almost certainly function everywhere with no problems. For this reason, we can directly move on to the SEH solution. The initial operation procedure of the TPG60 is also fairly simple. After the responsible employees have connected the product to the network, it searches for an IP address via DHCP or BOOTP when booting. If no appropriate server is available in the network, you can manually assign an IP address via the InterCon-NetTool from SEH. In our network there was a DHCP server, so we could directly access the TPG60 after booting using the URL http://{IP address of the system}. When the browser has established a connection to the web interface of the TPG60, the administrator will be directed to a homepage where he can choose the language for the web interface. The homepage also includes information such as the phone number of the support team of the manufacturer or a link to the sales department. By the way: the system supports Chinese, English, French, German, Italian, Japanese, Korean, Portuguese and Spanish.

On the right side of the browser window there is a menu bar via which the administrators can access the other functions of the configuration tool. It contains a link to the product documentation on the SEH website as well as the three options "Status", "Configuration" and "Options".

Under "Status" the responsible employees see general information such as the serial number, MAC address, software version, etc. In addition, the employees can call a job history in a list that contains the processed print jobs as well as detailed information about the name, date, sender, status, size, etc. This way, they will get a quick overview of the activities in the printing environment.

The configuration menu is even more interesting as it includes all the options for the setup of the TPG60. The IT managers can, for example, enter a device description and information about the dealers. This information will then appear on the homepage. That said, it is also possible to set up the network configuration for IPv4. In addition to the usual settings such as the IP address and network mask, the TPG60 asks for a host name, a location and a contact person. As mentioned, the system also supports DHCP and BOOTP. If necessary, the administrators can also enable ARP/Ping, ZeroConf and Bonjour. In the test, the configuration of these points was completed quickly.

The DNS configuration requires the IP addresses of the DNS servers to be used whereas the time settings allow for the setting of the time zone and the specification of an SNTP server. Under "Protection" the responsible employees ensure that the access to the TPG60 is secured. For example, they can set up a password for the configuration interface, configure specific IP addresses as authorized senders (only these systems can then send data to the gateway), allow/deny HTTP and FTP traffic or enable the network authentication based on EAP-MD5, EAP-TLS, EAP-TTLS, EAP-PEAP or EAP-FAST. Thus, the ThinPrint gateway is also suitable for the use in environments with strict demands regarding network security.

Figure: The security settings of the TPG60 can be configured in a way that allows only certain systems within the network to access the print server

The ThinPrint configuration is the core of the gateway. Here, the employees responsible for IT set up the printer including ID, class, drivers, remote address, port, etc. In addition, they specify the ThinPrint port, define the bandwidth and the timeout and specify the server address and similar parameters. Under "Certificates" certificate requests can be created and the certificates (root and TPG certificates) can be installed.

The last menu item "Actions" allows you to restart the device and reset it to its default settings. In addition, software updates can be carried out at this point. (This worked fine in our test). We encountered no problems with regard to the configuration of the system. The printers were set up quickly and the unencrypted printing was carried out without problems.

The encryption of print jobs

To encrypt the print jobs between the ThinPrint engine and the TPG60, several additional steps are required. First of all, three certificates have to be present, a client certificate for the TPG60, a server certificate for the ThinPrint engine and a root certificate, also for the server on which the ThinPrint engine is running. The client and server certificates are signed by the root certificate.

In practice, the IT staff must set up a CA and generate a root certificate. In our test we used the Active Directory certificate services on a Windows Server 2008 R2. However, it is also possible to use external certification authorities or tools such as OpenSSL. Once the root certificate is available, a client certificate will
be requested on the same server and then distributed to the servers and client computers. In environments with very high security requirements, it may be useful to create a client certificate for each client individually. In our test environment however, this was not necessary since we only had the TPG60 as a client.

Figure: The ThinPrint configuration is the core of the TPG60

When the certificate-based encryption is active, the printing environment encrypts all print jobs transferred between the ThinPrint engine and the TPG60, regardless of the transport protocol (TCP/IP or ICA/RDP). Since it is possible to encrypt ICA/RDP sessions, the use of the certificate-based encryption is especially useful in environments where the data – at least in part – is transmitted via TCP/IP, e.g. when using central print servers. In such scenarios, the SSL encryption prevents eavesdropping by unauthorized users and makes sure that the print data is not sent to the wrong recipient.

The Active Directory certificate services, which – as mentioned above – were used in our test as certification authority, create their root certificate when installing the relevant role. Therefore we only had to generate a server certificate signed by this root certificate for our Windows Server 2008 and a client certificate for the TPG60 and to install the certificates to the relevant components.

A step-by-step description of how to generate and distribute certificates to Windows systems would exceed the scope of this test. You can find a very good description of the entire process in a white paper (creating_certificates_en.pdf) on the ThinPrint website. We will therefore focus on the creation and installation of the client certificate to the TPG60. Let’s assume that the server certificates are already available on the ThinPrint engine and that we only have to get and install the certificate for the TPG60.

In order to install a certificate to the TPG60, the responsible staff must first go to "Configuration/Certificates" in the configuration tool of the gateway and delete the (already existing) certificate. Then they have to click on "TPG certificate" and fill in the required fields for the certificate request. After clicking on "Create certificate request" the TPG60 displays the certificate request in the browser. The certificate request can be used, for example via copy & paste, to request a certificate from the certification authority.
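
As an added illustration (not part of the original test report, and not SEH's or ThinPrint's own procedure), the following script uses OpenSSL, one of the tools named above, to build the three-certificate layout: a root certificate, a server certificate and a gateway certificate issued from a certificate request, followed by a chain check. All subject and file names are constructed placeholders, and the gateway request is generated locally as a stand-in for the one the TPG60 displays in its web interface.

```shell
#!/bin/sh
# Added example: root CA, server certificate and gateway certificate with OpenSSL.
# Every subject name and file name below is a constructed placeholder.

# sign_request DIR NAME: issue NAME.crt from NAME.csr with the root key in DIR.
sign_request() {
    openssl x509 -req -in "$1/$2.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
        -CAcreateserial -sha256 -days 365 -out "$1/$2.crt" 2>/dev/null
}

# make_print_pki DIR: create root, server and gateway certificates in DIR.
make_print_pki() {
    dir=$1
    mkdir -p "$dir" || return 1
    # 1. Self-signed root certificate; its key signs the other two.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example Print Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null || return 1
    # 2. Request for the print server on which the engine runs.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=printserver.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    # 3. Stand-in for the request shown by the gateway's web interface;
    #    generated locally here because no device is attached.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=tpg60.example.test" \
        -keyout "$dir/gateway.key" -out "$dir/gateway.csr" 2>/dev/null || return 1
    # 4. The CA signs both requests with the root key.
    sign_request "$dir" server && sign_request "$dir" gateway
}

# verify_chain DIR NAME: succeed only if NAME.crt was issued by DIR/root.crt.
verify_chain() {
    openssl verify -CAfile "$1/root.crt" "$1/$2.crt" >/dev/null 2>&1
}

# issuer_of FILE: print the issuer line of a certificate.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

# Demo run in a scratch directory.
work=$(mktemp -d)
make_print_pki "$work" && verify_chain "$work" server \
    && verify_chain "$work" gateway \
    && echo "server and gateway certificates chain to the root in $work"
```

A certificate that fails `verify_chain` against the installed root was not issued by that CA, which is worth checking before uploading a file to the gateway.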

Once the certificate is available as a file, the administrators can upload the certificate and install it to the TPG60 using the same dialog box that contains the certificate request. After that, you have to create a new port on the ThinPrint engine for the encrypted printing, enable the encryption for the said port and assign the port to the printers in the printer properties. In a last step, the responsible employees have to enter the two previously installed root and server certificates in the configuration tool of the ThinPrint engine (under ThinPrint Engine/Port manager/All Tasks/Encryption settings) so that the engine can use them. Now all print jobs will be encrypted.

Figure: The encryption of print jobs is done via certificates

The TPG65

The devices TPG25 and TPG65 come with a new configuration interface and several new features. However, these products do not replace the other gateways TPG60 and TPG120. They add two new solutions to the portfolio of the manufacturer.

The structure of the configuration interface of the TPG65 (and the TPG25) is identical to that of the ThinPrint reader TPR10. This means that users who are familiar with the TPRs will immediately get along with the TPGs. After opening the browser-based user interface, the administrators will be directed to an overview page that allows them to select the language and view device information such as the firmware version, date, IP address, etc.

In addition to this overview page, the management tool offers four different configuration menus. The first deals with the network configuration and allows you to specify the IPv4 and IPv6 addresses, configure the DNS settings and set up SNMP, Bonjour as well as date and time (via the SNTP server). Not to mention the email configuration with POP and SMTP servers. While the SMTP server is used to send notifications and alerts, the POP server can be used to remotely configure the TPG65. To do this, the administrators send an email with a command in the subject line to the email address of the TPG65. The TPG65 then collects the email from the POP server and executes the appropriate command. This process can be secured via encryption and PINs. This is very useful in environments without direct access to the web interface, but with a need for status information and quick configuration changes.

The second menu is called "Device" and allows the responsible employees to establish a connection to the ThinPrint server, to monitor the ThinPrint printers, to create mail alerts and SMTP traps, etc.

Via the "Security" menu, the access to the configuration menu can be protected via SSL and passwords. There is also the option to manage and install certificates, to set up the authentication via MD5, TLS, TTLS, PEAP and FAST and to restrict the access to the gateway using IP and MAC white lists.

Last but not least, the "Maintenance" menu offers the basic functions for the management of the gateway itself: Here, you can carry out firmware updates, print status pages, restart the device, view a job history and perform resets. Not to mention the new features for the management of USB devices and for the backup. We will deal with these features in more detail now.

The new features

Let’s start with the parameter backup. This feature allows you to back up all configuration parameters and to transfer them to other devices. We encountered no problems with regard to the parameter backup. The backup can also be done using a USB flash drive. In addition, such a flash drive can be used to buffer print jobs if the printers are not available. Other new features include the previously mentioned email alerts and the possibility to configure the gateway with the help of emails. However, one of the most important features is the end-to-end encryption that now allows you to not only encrypt the print jobs between the ThinPrint engine and the TPG, but also the data transfer between the TPG and the printers.

In this case, the encryption between the ThinPrint engine and the TPG is done via certificates, as described earlier. The encryption between the TPG and the printer is done via IPP with SSL, if this is supported by the print device.

Conclusion

The ThinPrint gateways can take away a lot of work from the IT staff because they render the installation of the ThinPrint client to all end devices superfluous. This simplifies the configuration and allows for the integration of print clients for which there is no ThinPrint client. In addition, it also significantly simplifies – thanks to the good documentation – the setting up of encrypted printing environments. Therefore, the solution is highly recommended for environments with high security requirements and proprietary end devices.

Figure: The configuration interface of the TPG65