network printing from iSeries in DMZ

Posted on 2011-03-06
Last Modified: 2013-12-06
We had to move our iSeries to a DMZ and we applied firewall rules to allow necessary traffic on specified ports from the internal network to the DMZ. For network printing from the iSeries, we have opened iSeries as-netprt port 8474.
Other ports open for pc5250 emulation and data transfers are 449, 23, 8470-8476.

When trying to print from iSeries, we get message CPD337F Remote device rejected an attempt by the writer to open a connection.

What am I missing?  What other port(s) need to be opened for iSeries network printing? This is not my area of expertise and I've had a crash course in AS400 communications and operations.
Question by:bjordon35
Accepted Solution

by:
Gary Patterson earned 500 total points
The NetPrint service that you opened up is probably not what you think it is.  

NetPrint is an AS/400-hosted service that allows you to print to AS/400-connected printers from PC applications.  For example, you could print from Excel to an AS/400 printer.  This service RECEIVES incoming traffic (inbound to the AS/400) from PC clients on port 8474.

Here's the IBM Troubleshooter for your problem:

http://www-01.ibm.com/support/docview.wss?uid=nas11e61e34f2505754f862566e20051c3de

How are your AS/400 printers configured?  The most common printing configuration uses LPR on the AS/400 to talk to LPD servers running on the printer.  LPD typically runs on TCP port 515.  This isn't the only protocol that is supported, so if you use PJL, SNMP or IPP printing, you'll need to adjust the port number appropriately.  

PJL (Usually 9100): http://www-01.ibm.com/support/docview.wss?uid=nas100e3c3d5af21afa6862565c2007d437f
SNMP (Usually 9100): http://www-01.ibm.com/support/docview.wss?uid=nas187a5b328400bbd37862569030070431d
IPP (Usually 631): http://www-01.ibm.com/support/docview.wss?uid=nas1562a677c16d08a0286256be2007323c2

So if your AS/400 is in the DMZ, and you are using LPR/LPD to talk to printers on your protected LAN network, then you need to open up TCP destination port 515 between the AS/400 DMZ address and the printer LAN address.  Here's a Cisco-style example:

access-list 123 permit tcp as400.address.dmz printer.address.lan eq 515
 
If you use PJL, SNMP, or IPP, you'll need to adjust 515 to the appropriate destination port.

- Gary Patterson
Author Comment

by:bjordon35
This is very helpful.
The port number in the printer device description on the iSeries is 9100.
The port settings on the network print server are protocol RAW, port 9100, LPR settings are blank, and SNMP status is enabled.

Which direction does traffic need to flow through this port on the firewall? From the iSeries in the DMZ to the internal network where the printers are? Or from the internal network to the DMZ?  
Expert Comment

by:Gary Patterson
From the iSeries (source) in the DMZ to printer(s) in the internal network (destination).  The host initiates connections to the printers.  Of course, the printers respond to the iSeries with acknowledgments, but most firewalls are stateful, and allow the responses back through for the duration of the connection.

- Gary Patterson
Author Comment

by:bjordon35
Thank you!
Added firewall rule -  allow port 9100 from DMZ to internal network.
Printing from AS400 to network printers is working now.
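
The direction point from this thread, as an added example that is not part of the original posts: a minimal Python model of a stateful firewall showing why the inbound rules from the question never match a print job opened by the iSeries, and why one DMZ-to-internal rule on 9100 is enough for both directions of that connection. The zone names, class names and the source port 40000 are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: int          # TCP destination port the rule permits

@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_port: int
    dst_port: int
    syn: bool = False      # True only for the connection-opening packet

class StatefulFirewall:
    """The opening packet must match a permit rule; replies are allowed by state."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.state = set()  # connections that were permitted when opened

    def allow(self, p):
        key = (p.src_zone, p.src_port, p.dst_zone, p.dst_port)
        reverse = (p.dst_zone, p.dst_port, p.src_zone, p.src_port)
        if key in self.state or reverse in self.state:
            return True     # part of an already-permitted connection
        if p.syn and any(r.src_zone == p.src_zone and r.dst_zone == p.dst_zone
                         and r.dst_port == p.dst_port for r in self.rules):
            self.state.add(key)
            return True
        return False        # implicit deny

# Rules from the question: internal clients may reach host servers in the DMZ.
ORIGINAL = [Rule("internal", "dmz", p) for p in (23, 449, *range(8470, 8477))]
# Rule added at the end of the thread: the host may open port 9100 on printers.
FIXED = ORIGINAL + [Rule("dmz", "internal", 9100)]

def print_job_delivered(rules):
    """The iSeries writer opens RAW/9100 to a printer and the printer answers."""
    fw = StatefulFirewall(rules)
    syn = Packet("dmz", "internal", 40000, 9100, syn=True)   # constructed flow
    reply = Packet("internal", "dmz", 9100, 40000)
    return fw.allow(syn) and fw.allow(reply)

if __name__ == "__main__":
    print("original rules:", print_job_delivered(ORIGINAL))
    print("with 9100 rule:", print_job_delivered(FIXED))
```

The added rule does not open port 9100 inbound to the DMZ: a new connection from the internal network to the iSeries on 9100 is still denied.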