Mark_R

asked on

Printing through firewalls

I am trying to configure some local print queues on a Citrix server farm that are hosted by my client for a third party company.  The print queues are for a number of different HP Printers (4000, 4050, 8000, 8100).

Firewalls are present at both ends of the link between my client (Checkpoint FW) and their third party associate (PIX FW).

I have tried creating queues on the Citrix servers for the HP printers, using a Windows 'Standard TCP/IP Port' for each and specifying the address of the target printer, but it always fails, seemingly because the printer cannot be contacted.

I have requested that port 9100 be opened on the remote firewall, but that has made no difference (this is the port that Windows states it will use for the printing). I cannot ping the printers, as ping traffic is denied by my client's firewall.

Has anyone else come across the same problems when trying to configure remote printers? Did you have to configure something special on the firewalls to allow printing to occur?

Regards,

Mark
jonoakley

First, are the networks NATed firewalls? If so, set up a 1-1 for port 9100 to the IP of the print server.
If possible arrange the setup to allow all traffic in and out for the IP of the print server for testing purposes, then scale back and start blocking ports.
Mark_R

ASKER

There is no NATing in place as my client and the third-party use different addressing schemes.

With regards to allowing all traffic for the print server, for the third-party end all I have is IP addresses of the printers themselves (i.e. the JetDirect cards).  I cannot resolve the print server that they use, as there is no name resolution available to my client for the third-party infrastructure.

Neither the third-party nor my client will allow their firewalls to be opened across all ports, even for a small address range (such as the three addresses on my client's side that will be outputting print information).

The reason for needing to allow direct communications is an attempt to resolve some printing problems in Citrix for some legacy/bespoke applications.  These applications work fine with normal printers, which have been defined with UNC paths, but they do not work with the Citrix auto-created client printers.  Therefore, my reasoning is that if queues can be defined locally on the servers, then these can be selected to alleviate the problems.

Mark
ASKER CERTIFIED SOLUTION
jonoakley
This solution is only available to members.
Mark_R

ASKER

The IP ranges used are 10.x.x.x (Client) and 172.17.x.x (Third-party), so they are private ranges. There is a tunnel set up between the two firewalls, with firewall-to-firewall encryption.

I requested the remote firewall have port 9100 opened, and as far as I knew, all outgoing ports were opened on the client side, but I will check (as that could be the problem).

I will keep you updated.

Regards,

Mark
Mark_R

ASKER

D'OH!!!!  Can't believe I didn't do this earlier, especially as it even crossed my mind to try it!!

Yes, BOTH ends need to allow traffic on Port 9100, as you said.  I have just tried it, and although the Printer Setup Wizard still can't detect the printer NIC, a test print will leave the queue successfully.

But, you made the correct suggestion, so the points are yours!

Thanks,

Mark
Not a lot to play with if routing and ports are correct.  Glad to see it worked out.
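
An added example, not part of the original thread: with ping blocked, a TCP connect to port 9100 run from the print-queue server shows whether the firewalls on the path pass the traffic, and the way the connect fails hints at where it stops. The function names, status labels and hint wording are assumptions of this example; printer addresses are given on the command line.

```python
import errno
import socket
import sys

RAW_PRINT_PORT = 9100  # port the thread says the Standard TCP/IP Port uses

# Interpretation of each result (wording is this example's, not a vendor's).
HINTS = {
    "open": "TCP handshake completed: the path permits this port end to end",
    "refused": "reset received: the path is open but nothing accepts the port, "
               "or a firewall is rejecting rather than dropping",
    "filtered": "no reply before the timeout: a firewall on the path is likely "
                "dropping the traffic (check the rules at BOTH ends)",
    "unreachable": "no route to the address: check routing or the tunnel",
}


def probe_tcp(host, port=RAW_PRINT_PORT, timeout=3.0):
    """Attempt one TCP connect and classify the outcome as a key of HINTS."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        sock.close()


def report(hosts, port=RAW_PRINT_PORT, timeout=3.0):
    """Probe each address once and return {address: status}."""
    return {host: probe_tcp(host, port, timeout) for host in hosts}


if __name__ == "__main__":
    # Usage: python probe9100.py <printer-ip> [<printer-ip> ...]
    for host, status in report(sys.argv[1:]).items():
        print(f"{host}:{RAW_PRINT_PORT} {status} - {HINTS[status]}")
```

A "filtered" result alone does not say which firewall is dropping the packets; comparing it with the deny logs on each firewall does.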