Print servers for ThinPrint environments - Sysbus



Subject of the test: ThinPrint gateways

Print servers for ThinPrint environments
TPG60 and TPG-65 from SEH

Dr. Götz Güttich

The SEH ThinPrint gateways are able to receive ThinPrint print jobs for groups of client computers and printers, to decompress, decrypt and then forward these print jobs in a local network to the relevant target printer. IAIT has examined how these products perform in practice.

The ThinPrint server engine from Cortado reduces the printing volume in terminal server and virtual environments. To do this, the system connects mobile, virtual and web-based desktops to centralized IT resources. It also supports Thin clients and the protocols RDP, ICA, HDX, PCoIP and TCP/IP. It is also able to compress and encrypt the print data. This results in a much faster printing process than in normal environments with, at the same time, less bandwidth and more security. In addition, the solution from Cortado reduces the amount of administration. The driver-free printing thus significantly simplifies the management of printer drivers in the network.

In practice, printing in ThinPrint environments works as follows: Users send their print jobs from their Thin clients or virtual desktops to the ThinPrint server engine that, in turn, limits the bandwidth of the print jobs, compresses the print jobs and encrypts them, if necessary. The engine then transfers the print jobs to a ThinPrint client, for example via a WAN. The ThinPrint client then decrypts, decompresses and forwards the print jobs in the right format to the intended printer. The ThinPrint client, in turn, can be a Thin client. It is also possible to install the appropriate software to a PC or to use a compatible print server.

The ThinPrint gateways

This is where the ThinPrint gateways from SEH come into play. They serve as ThinPrint clients and print servers in the network and thus render additional ThinPrint clients superfluous. This is especially of great advantage in networks without ThinPrint clients and where the print jobs are transmitted in an encrypted way. If there were no ThinPrint gateways available in such an environment, printing would either be impossible or the administrators would have to install the ThinPrint client to each end device together with the certificates that are required for the encryption. If a ThinPrint gateway is used instead of multiple end devices, the certificates have to be installed only once, resulting in a significant reduction in the amount of work. This way, even systems without ThinPrint client can be seamlessly integrated into the printing environment.

SEH offers four different versions of its TPG gateway. The TPG60 works with six external network printers, the TPG120 with twelve. In addition, there are two products from the latest series, the TPG-25 for two printers and the TPG-65 for six. These two solutions use a different user interface and come with additional features. We will deal with this later in greater detail.

Since we only set up two printers in our test environment, the TPG60 and the TPG-65 were more than enough in order to take a close look at all the functions. Apart from the number of addressable printers, the TPG60 and the TPG120 on the one side and the TPG-25 and the TPG-65 on the other side are identical.

The test

For our test, we needed the two network printers mentioned above, the ThinPrint gateways and a ThinPrint print server. First, we set up the network printers and installed the TPG60 – more about this later. We then configured the TPG60 in such a way as to allow for the communication with the printers. Finally, we set up a ThinPrint environment with a central print server in the version 8.6 with Windows Server 2008 in the 32-bit version.

We connected an – initially unencrypted – ThinPrint port to this print server and added a shared default printer to the operating system that used this ThinPrint port. This printer sent its print data to the TPG60.

During the test, we first analyzed the printing environment without encryption, worked with the TPG60 and made sure everything worked fine. We then configured an encryption environment with certificates and encrypted our print jobs.

Next, we set up our second printer and checked if all print jobs from all clients arrived at the destination printer, as expected. Last, but not least, we had a close look at the TPG-65 with its new features and its user interface.

Installation

The installation of the ThinPrint Engine runs, as is normal with Windows, with the help of a wizard and will almost certainly function everywhere with no problems. For this reason, we can directly move on to the SEH solution. The initial operation procedure of the TPG60 is also fairly simple. After the responsible employees have connected the product to the network, it searches for an IP address via DHCP or BOOTP when booting. If no appropriate server is available in the network, you can manually assign an IP address via the InterCon-NetTool from SEH. In our network there was a DHCP server, so we could directly access the TPG60 after booting using the URL http://{IP address of the system}. When the browser has established a connection to the web interface of the TPG60, the administrator will be directed to a homepage where he can choose the language for the web interface. The homepage also includes information such as the phone number of the support team of the manufacturer or a link to the sales department. By the way: the system supports Chinese, English, French, German, Italian, Japanese, Korean, Portuguese and Spanish.

On the right side of the browser window there is a menu bar via which the administrators can access the other functions of the configuration tool. It contains a link to the product documentation on the SEH website as well as the three options "Status", "Configuration" and "Options".

Under "Status" the responsible employees see general information such as the serial number, MAC address, software version, etc. In addition, the employees can call a job history in a list that contains the processed print jobs as well as detailed information about the name, date, sender, status, size, etc. This way, they will get a quick overview of the activities in the printing environment.

[Figure: The security settings of the TPG60 can be configured in a way that allows only certain systems within the network to access the print server]

The configuration menu is even more interesting as it includes all the options for the setup of the TPG60. The IT managers can, for example, enter a device description and information about the dealers. This information will then appear on the homepage. That said, it is also possible to set up the network configuration for IPv4. In addition to the usual settings such as the IP address and network mask, the TPG60 asks for a host name, a location and a contact person. As mentioned, the system also supports DHCP and BOOTP. If necessary, the administrators can also enable ARP/Ping, ZeroConf and Bonjour. In the test, the configuration of these points was completed quickly.

The DNS configuration requires the IP addresses of the DNS servers to be used whereas the time settings allow for the setting of the time zone and the specification of an SNTP server. Under "Protection" the responsible employees ensure that the access to the TPG60 is secured. For example, they can set up a password for the configuration interface, configure specific IP addresses as authorized senders (only these systems can then send data to the gateway), allow/deny HTTP and FTP traffic or enable the network authentication based on EAP-MD5, EAP-TLS, EAP-TTLS, EAP-PEAP or EAP-FAST. Thus, the ThinPrint gateway is also suitable for the use in environments with strict demands regarding network security.

The ThinPrint configuration is the core of the gateway. Here, the employees responsible for IT set up the printer including ID, class, drivers, remote address, port, etc. In addition, they specify the ThinPrint port, define the bandwidth and the timeout and specify the server address and similar parameters. Under "Certificates" certificate requests can be created and the certificates (root and TPG certificates) can be installed.

[Figure: The ThinPrint configuration is the core of the TPG60]

The last menu item "Actions" allows you to restart the device and reset it to its default settings. In addition, software updates can be carried out at this point. (This worked fine in our test). We encountered no problems with regard to the configuration of the system. The printers were set up quickly and the unencrypted printing was carried out without problems.

The encryption of print jobs

To encrypt the print jobs between the ThinPrint engine and the TPG60, several additional steps are required. First of all, three certificates have to be present, a client certificate for the TPG60, a server certificate for the ThinPrint engine and a root certificate, also for the server on which the ThinPrint engine is running. The client and server certificates are signed by the root certificate. In practice, the IT staff must set up a CA and generate a root certificate. In our test we used the Active Directory certificate services on a Windows Server 2008 R2. However, it is also possible to use external certification authorities or tools such as OpenSSL.

Once the root certificate is available, a client certificate will be requested on the same server and then distributed to the servers and client computers. In environments with very high security requirements, it may be useful to create a client certificate for each client individually. In our test environment however, this was not necessary since we only had the TPG60 as a client.

When the certificate-based encryption is active, the printing environment encrypts all print jobs transferred between the ThinPrint engine and the TPG60, regardless of the transport protocol (TCP/IP or ICA/RDP). Since it is possible to encrypt ICA/RDP sessions, the use of the certificate-based encryption is especially useful in environments where the data – at least in part – is transmitted via TCP/IP, e.g. when using central print servers. In such scenarios, the SSL encryption prevents eavesdropping by unauthorized users and makes sure that the print data is not sent to the wrong recipient.

The Active Directory certificate services, which – as mentioned above – were used in our test as certification authority, create their root certificate when installing the relevant role. Therefore we only had to generate a server certificate signed by this root certificate for our Windows Server 2008 and a client certificate for the TPG60 and to install the certificates to the relevant components.

A step-by-step description of how to generate and distribute certificates to Windows systems would exceed the scope of this test. You can find a very good description of the entire process in a white paper (creating_certificates_en.pdf) on the ThinPrint website. We will therefore focus on the creation and installation of the client certificate to the TPG60. Let’s assume that the server certificates are already available on the ThinPrint engine and that we only have to get and install the certificate for the TPG60.

In order to install a certificate to the TPG60, the responsible staff must first go to "Configuration/Certificates" in the configuration tool of the gateway and delete the (already existing) certificate. Then they have to click on "TPG certificate" and fill in the required fields for the certificate request. After clicking on "Create certificate request" the TPG60 displays the certificate request in the browser. The certificate request can be used, for example via copy & paste, to request a certificate from the certification authority.
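The certificate hierarchy described in this section (a root certificate that signs a server certificate for the ThinPrint engine and a client certificate for the TPG60) can be built with OpenSSL, which the article names as an alternative to the Active Directory certificate services. The script below is an added example, not taken from the article or from SEH or ThinPrint documentation; all subjects, file names, the key size and the lifetimes are assumptions, and the request generated locally stands in for the one the TPG60 displays in the browser. It also checks that a certificate with the same subject but issued by an unrelated CA does not verify against the print root.

```shell
# Added example: OpenSSL acting as the CA. Subjects, file names, key size
# and lifetimes are assumptions made for this demo.
set -eu

write_cnf() {   # $1 = work dir; own config, independent of the system openssl.cnf
  cat > "$1/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF
}

make_root() {   # $1 = dir, $2 = file prefix, $3 = common name
  openssl req -x509 -config "$1/demo.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

make_csr() {    # stands in for the request the gateway shows in the browser
  openssl req -new -config "$1/demo.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

sign_csr() {    # $1 = dir, $2 = CA prefix, $3 = leaf prefix
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -sha256 -days 365 \
    -extfile "$1/demo.cnf" -extensions v3_leaf -out "$1/$3.crt" 2>/dev/null
}

chains_to() {   # $1 = root cert, $2 = leaf cert; status 0 only if it verifies
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

run_demo() {    # $1 = work dir
  write_cnf "$1"
  make_root "$1" root "Example Print Root CA"
  make_csr  "$1" engine "printserver.example.internal"
  make_csr  "$1" tpg "tpg60.example.internal"
  sign_csr  "$1" root engine
  sign_csr  "$1" root tpg
  # Same subject, but issued by a CA the print environment does not trust.
  make_root "$1" other "Unrelated Example CA"
  make_csr  "$1" foreign "tpg60.example.internal"
  sign_csr  "$1" other foreign
}

dir=$(mktemp -d)
run_demo "$dir"
for c in engine tpg foreign; do
  if chains_to "$dir/root.crt" "$dir/$c.crt"; then echo "$c: chains to root"
  else echo "$c: rejected"; fi
done
```

With a real gateway, only the signing step runs on the CA host, and the request text is the one copied from the gateway's "Create certificate request" dialog.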

Once the certificate is available as a file, the administrators can upload the certificate and install it to the TPG60 using the same dialog box that contains the certificate request. After that, you have to create a new port on the ThinPrint engine for the encrypted printing, enable the encryption for the said port and assign the port to the printers in the printer properties. In a last step, the responsible employees have to enter the two previously installed root and server certificates in the configuration tool of the ThinPrint engine (under ThinPrint Engine/Port manager/All Tasks/Encryption settings) so that the engine can use them. Now all print jobs will be encrypted.

[Figure: The encryption of print jobs is done via certificates]

The TPG-65

The devices TPG-25 and TPG-65 come with a new configuration interface and several new features. However, these products do not replace the other gateways TPG60 and TPG120. They add two new solutions to the portfolio of the manufacturer.

The structure of the configuration interface of the TPG-65 (and the TPG-25) is identical to that of the ThinPrint reader TPR-10. This means that users who are familiar with the TPRs will immediately get along with the TPGs. After opening the browser-based user interface, the administrators will be directed to an overview page that allows them to select the language and view device information such as the firmware version, date, IP address, etc.

In addition to this overview page, the management tool offers four different configuration menus. The first deals with the network configuration and allows you to specify the IPv4 and IPv6 addresses, configure the DNS settings and set up SNMP, Bonjour as well as date and time (via the SNTP server). Not to mention the email configuration with POP and SMTP servers. While the SMTP server is used to send notifications and alerts, the POP server can be used to remotely configure the TPG-65. To do this, the administrators send an email with a command in the subject line to the email address of the TPG-65. The TPG-65 then collects the email from the POP server and executes the appropriate command. This process can be secured via encryption and PINs. This is very useful in environments without direct access to the web interface, but with a need for status information and quick configuration changes.

The second menu is called "Device" and allows the responsible employees to establish a connection to the ThinPrint server, to monitor the ThinPrint printers, to create mail alerts and SMTP traps, etc.

Via the "Security" menu, the access to the configuration menu can be protected via SSL and passwords. There is also the option to manage and install certificates, to set up the authentication via MD5, TLS, TTLS, PEAP and FAST and to restrict the access to the gateway using IP and MAC white lists.

Last but not least, the "Maintenance" menu offers the basic functions for the management of the gateway itself: Here, you can carry out firmware updates, print status pages, restart the device, view a job history and perform resets. Not to mention the new features for the management of USB devices and for the backup. We will deal with these features in more detail now.

The new features

Let’s start with the parameter backup. This feature allows you to back up all configuration parameters and to transfer them to other devices. We encountered no problems with regard to the parameter backup. The backup can also be done using a USB flash drive. In addition, such a flash drive can be used to buffer print jobs if the printers are not available. Other new features include the previously mentioned email alerts and the possibility to configure the gateway with the help of emails. However, one of the most important features is the end-to-end encryption that now allows you to not only encrypt the print jobs between the ThinPrint engine and the TPG, but also the data transfer between the TPG and the printers.

In this case, the encryption between the ThinPrint engine and the TPG is done via certificates, as described earlier. The encryption between the TPG and the printer is done via IPP with SSL, if this is supported by the print device.

Conclusion

The ThinPrint gateways can take away a lot of work from the IT staff because they render the installation of the ThinPrint client to all end devices superfluous. This simplifies the configuration and allows for the integration of print clients for which there is no ThinPrint client. In addition, it also significantly simplifies – thanks to the good documentation – the setting up of encrypted printing environments. Therefore, the solution is highly recommended for environments with high security requirements and proprietary end devices.

[Figure: The configuration interface of the TPG-65]