Q I would like to configure a firewall on the server. What ports does PaperCut use?
The main network TCP ports used by PaperCut are:
- 9191 for HTTP connections
- 9192 for secure HTTP/SSL connection
- 9193 for device RPC (only used for embedded copier/MFP solutions)
- 443 for HTTPS connections to the Global Entitlements Service at https://mf.cloud.papercut.com/* (used in PaperCut MF version 24.0 and later)
UDP ports are not used for connections from the PaperCut client to the server, only standard TCP. All connections are made inbound from clients and secondary servers to the primary server. No outbound connections are made by the primary server to any workstation or secondary server.
PaperCut uses standard HTTP XML Web Services (XML-RPC) for client-server and server-server communication. Sensitive data is sent over SSL/HTTPS on port 9192. The PaperCut installer on Windows and macOS will endeavor to make sure these ports are open. Linux systems running firewalls may need to manually open these ports to local network IP addresses as appropriate.
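
For the Linux case above, an added example (not from PaperCut's documentation): a POSIX shell function that prints an nftables ruleset admitting ports 9191, 9192 and 9193 only from the local subnets you pass in, and dropping them from any other source. The table name `papercut_filter`, the set name `papercut_clients` and the loopback rule are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not PaperCut's code). Prints an nftables ruleset for a Linux
# primary server. Ports come from the page; table/set names are assumptions.
PAPERCUT_TCP_PORTS="9191, 9192, 9193"   # 9193 only matters with embedded MFPs

# Succeeds only for a.b.c.d/len with octets 0-255 and len 0-32.
is_ipv4_cidr() {
    case "$1" in
        *[!0-9./]*|'') return 1 ;;   # rejects spaces, ';', braces, globs
        */*) ;;
        *) return 1 ;;
    esac
    addr=${1%/*}; len=${1#*/}
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] 2>/dev/null || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
}

# Usage: papercut_nft_rules CIDR [CIDR...]
papercut_nft_rules() {
    [ $# -ge 1 ] || { echo "usage: papercut_nft_rules CIDR..." >&2; return 2; }
    elements=""
    for cidr in "$@"; do
        # Validate before interpolating, so input cannot inject extra rules.
        is_ipv4_cidr "$cidr" || { echo "bad CIDR: $cidr" >&2; return 1; }
        elements="${elements:+$elements, }$cidr"
    done
    cat <<EOF
table inet papercut_filter {
    set papercut_clients {
        type ipv4_addr
        flags interval
        elements = { $elements }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        iif "lo" accept
        ip saddr @papercut_clients tcp dport { $PAPERCUT_TCP_PORTS } accept
        tcp dport { $PAPERCUT_TCP_PORTS } drop
    }
}
EOF
}
```

Review the printed ruleset before loading it with `nft -f`. The chain only restricts the PaperCut ports, so if another table on the host already drops inbound traffic by default, the same accept rule has to exist there as well.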

Card Readers
- Elatec TWN3 Reader and TCP Converter: Outbound 7778
- RFIDeas Lantronix: Outbound 10001
- RFIdeas Ethernet 241: Outbound 2000

External Database
PaperCut makes use of the jTDS JDBC driver for Microsoft SQL server and SQL Server Express, the postgresql JDBC driver for PostgreSQL, Oracle JDBC for Oracle and MySQL JDBC for MySQL.
You may specify a custom port, the defaults are below.
- Oracle: 1521
- Microsoft SQL Server: 1433
- Microsoft SQL Server Express: 1450
- MySQL: 3306
- PostgreSQL: 5432

Google Cloud Directory
PaperCut NG and PaperCut MF will use Secure LDAP to communicate with the Google Cloud Directory service:
- 636 TCP (LDAPS), with outbound connections to: ldap.google.com
Note: make sure any firewall rules allow “any” as source port for the PaperCut server in this case. The source/client port is dynamically allocated, and not meaningful.
See Synchronize user and group details with Google Cloud Directory for more information on configuring this sync source.

Azure Active Directory with Secure LDAP
PaperCut NG and PaperCut MF will use Secure LDAP to communicate with the Azure Active Directory service:
- 636 TCP (LDAPS), with outbound connections to the Azure LDAP External Address populated in PaperCut, configured in the Azure Portal.
Note: make sure any firewall rules allow “any” as source port for the PaperCut server in this case. The source/client port is dynamically allocated, and not meaningful.
See Synchronize user and group details with Azure AD Secure LDAP for more information on configuring this sync source.

Azure Active Directory with Microsoft Graph
PaperCut NG and PaperCut MF will use SSL to communicate with the Azure Active Directory service:
- 443 TCP, with outbound connections to: graph.microsoft.com
Note: make sure any firewall rules allow “any” as source port for the PaperCut server in this case. The source/client port is dynamically allocated, and not meaningful.
See Synchronize user and group details with standard Azure AD for more information on configuring this sync source.

LDAP Directory Service
PaperCut NG and PaperCut MF can synchronise user accounts from a directory which supports LDAP (e.g. Active Directory, Open Directory, Novell eDirectory, etcetera).
- 389 TCP (LDAP) or 636 TCP (LDAPS)
See Synchronize user and group details with LDAP for more information on configuring this sync source.

Active Directory
PaperCut NG and PaperCut MF can synchronise user accounts with native Windows Active Directory from a domain joined Application Server.
- 445 TCP & UDP, Server Message Block (SMB)
- 88 TCP & UDP, Kerberos
- 389 UDP, LDAP
- 53 TCP & UDP, DNS
- 135 TCP, RPC - unless restricted, a dynamically assigned TCP port in the range 49152-65535 is also used for RPC
See Synchronize user and group details with Active Directory for more information on configuring this sync source.

PaperCut MF - Global Entitlements Service
In PaperCut MF version 24.0 and later, the Application Server connects to the Global Entitlements Service (GES), which is required when upgrading the Application Server to version 24 or updating entitlements. See Important points to know about PaperCut MF licensing (Internet connection requirements) for more information.
- 443 TCP (HTTPS), with connection to: https://mf.cloud.papercut.com/*
For troubleshooting steps, manual connection tests and proxy server configuration, see General troubleshooting for Global Entitlements Service connections.

PaperCut MF Cloud Services (Integrated Scanning with Scan to Cloud and/or Cloud OCR)
For a PaperCut server to have content processed by PaperCut MF Cloud Services it must be able to form an outgoing connection to the following endpoints:
- 443 TCP (HTTPS), with connection to:
  - https://*.papercut.com/*
  - https://storage.googleapis.com/*
The following specific URLs are used, depending on your PaperCut version and PaperCut MF Cloud Services hosting region, in case you are unable to use a wildcard in the domain part:
- 443 TCP (HTTPS), with connection to:
  - https://scan.cloud.papercut.com/*
  - https://ocr.cloud.papercut.com/*
  - https://scan.au.cloud.papercut.com/*
  - https://ocr.au.cloud.papercut.com/*
  - https://scan.eu.cloud.papercut.com/*
  - https://ocr.eu.cloud.papercut.com/*
  - https://scan.us.cloud.papercut.com/*
  - https://ocr.us.cloud.papercut.com/*
  - https://scan.uk.cloud.papercut.com/*
  - https://ocr.uk.cloud.papercut.com/*
  - https://scan.papercut.com/* (legacy)
Email Delivery Service - SendGrid
- IP Address: 168.245.53.86
- Domain: papercut.com
See Configure Integrated Scanning / scan actions for more information on setting up Integrated Scanning actions.

Integrated Scanning - Self-Hosted Document Processing (FKA On-prem OCR, locally hosted)
- 9181 TCP (HTTPS) inbound on the Self-Hosted Document Processing Server (The Windows Firewall is configured automatically by the installer. Manual configuration is only required if using an off-box or 3rd party software firewall.)
The following port and URL endpoint must be externally available for auto updating of the Self-Hosted Document Processing server:
- 443 TCP (HTTPS), with connection to: https://update.ocr.cloud.papercut.com/client-version/v3/check-update/pc-ocr/win/
See Set up self-hosted Document Processing for more information on setting up self-hosted document processing.

PaperCut Grows
To sync page and tree usage to PaperCut Grows services:
- 443 TCP to https://grows.papercut.com
See the PaperCut Grows FAQ for more information on PaperCut Grows.

Sign in with Google
To allow signing in with Google to the PaperCut web interfaces, the Application Server must be able to form an outgoing connection to the following endpoints:
- 443 TCP (HTTPS), with connection to:
  - https://accounts.google.com/*
  - https://oauth2.googleapis.com/*

Sign in with Microsoft
To allow signing in with Microsoft to the PaperCut user/admin web interfaces, the Application Server must be able to form an outgoing connection to the following endpoints:
- 443 TCP (HTTPS), with connection to:
  - graph.microsoft.com
  - login.microsoftonline.com

Job Ticketing
Job Ticketing requires the following port to be available on the server:
- 9111 TCP
The following port and URL endpoints must be externally available for auto updating:
- 443 TCP (HTTPS), with connections to:
  - https://pc-job-ticketing.appspot.com/*
  - https://storage.googleapis.com/pc-job-ticketing.appspot.com/*

Print Deploy
See the Print Deploy system requirements page which shows the ports and protocols we use.

Mobility Print
See the Mobility Print system requirements page which shows the ports and protocols we use, for all the different discovery methods in use, as well as ports and URLs needed for Mobility Print Cloud Print.

Multi Function Devices
PaperCut MF uses a variety of ports for connecting to copiers, MFPs and other devices. These are listed below by device.
Brother
- Inbound (device connecting to PaperCut): 9191 TCP/HTTP
Canon
- Inbound (device connecting to PaperCut): 9191, 9192, 9193
Dell (AIP)
- Inbound (device connecting to PaperCut): 9191, 9192
- Outbound (PaperCut connecting to the device): 80, 443
HP
- Inbound: 9191, 9192, 9193
- Outbound connections from PaperCut to the HP devices on port: 7627 (TCP/HTTPS), 80 / 443
Fujifilm BI
- Inbound (device connecting to PaperCut): 9191, 9192
- Outbound (PaperCut connecting to the device): 80, 443
Fuji-Xerox (AIP)
- Inbound (device connecting to PaperCut): 9191, 9192
- Outbound (PaperCut connecting to the device): 80, 443
Konica-Minolta
- Inbound (device connecting to PaperCut): 9191, 9192, 9195 (Required for SHA2 on MF v18.3 onwards)
- Outbound (connecting to the device): 50003, 80/443
Kyocera
- Inbound: 9191, 9192, 9193
Lexmark
- Inbound: 9191, 9192, 9193
Ricoh SDK/J
- Inbound: 9191 (if configured to use port 9193 and Integrated Scanning), 9192, 9193, 51443 (for setup with Remote Operation Client)
Ricoh SmartSDK
- Inbound: 9191, 9192, 51443 (for setup with Remote Operation Client)
Samsung
- Inbound: 9191 (if using custom logos), 9192, 9193
Sharp
- Inbound: 9191, 9192
- Outbound: 80, 443
Toshiba
- Inbound
  - 9191 TCP - for EWB and SOAP events
  - 9192 TCP - secure messages for EWB and SOAP events
  - 10389 TCP (LDAP) for SDK1 and SDK2 only
  - 10636 TCP (LDAPS) for SDK1 and SDK2 only
  - 162 UDP (SNMP traps) for SDK1 only
- Outbound
  - 161 UDP (SNMP) for SDK1 only
  - 49629 TCP (HTTP) for SDK2, SDK3 and RD30 only
  - 49630 TCP (HTTPS) for SDK2, SDK3 and RD30 only
  - 50083 TCP (HTTP) for SDK3 only (for scanning)
VCC Terminals
- Outbound: 1234, 1235
Xerox
- Inbound: 9191, 9192
- Outbound: 80, 443
SNMP
- Outbound (PaperCut connecting to the Printer/Device): 161 UDP

PaperCut Connector for Microsoft Universal Print
- Internal (Used for primary and secondary connectors): 9151 TCP
For a PaperCut Server running our Universal Print connector to function correctly, it must be able to form an outgoing connection to the following endpoints:
- 443 TCP (HTTPS), with connection to:
  - https://login.microsoftonline.com/organizations/oauth2/v2.0
  - https://register.print.microsoft.com/api/v1.0/register
  - https://print.print.microsoft.com/printers
  - https://notification.print.microsoft.com/printers
  - https://us-central1-pc-universal-print-connector.cloudfunctions.net/update-stats
The following port and URL endpoint must be externally available for auto updating of the Universal Print connector:
- 443 TCP (HTTPS), with connection to:
  - https://www.universal-print.papercut.com/client-version/v3/check-update/pc-upconnector/win
  - https://storage.googleapis.com/pc-universal-print-connector.appspot.com/*
See Universal Print for more information on setting up the PaperCut Connector for MS Universal Print.

Windows Print Spooler Service
The PaperCut Print Provider service will use TCP/IP ports allocated by the Windows Print Spooler service. The Windows Print Service uses the dynamic port range from 49152 to 65535. You will need to retain this port range when redirecting print jobs between a Primary and Secondary server (Cross-Server Redirection).
- 49152-65535 TCP
- 445 TCP, Server Message Block (SMB)
- 135 TCP, Remote Procedure Call, RPC (can result in 0x0000011b and 0x0000007c errors if this is blocked)
If using NetBIOS:
- 137/138 UDP, Name and Datagram Services
- 139 TCP, Session Services