Solved

network printing from iSeries in DMZ

Posted on 2011-03-06
Last Modified: 2013-12-06
We had to move our iSeries to a DMZ and we applied firewall rules to allow necessary traffic on specified ports from the internal network to the DMZ. For network printing from the iSeries, we have opened iSeries as-netprt port 8474.
Other ports open for pc5250 emulation and data transfers are 449, 23, 8470-8476.

When trying to print from iSeries, we get message CPD337F Remote device rejected an attempt by the writer to open a connection.

What am I missing?  What other port(s) need to be opened for iSeries network printing? This is not my area of expertise and I've had a crash course in AS400 communications and operations.
Question by:bjordon35
Accepted Solution

by: Gary Patterson
ID: 35051673
The NetPrint service that you opened up is probably not what you think it is.  

NetPrint is an AS/400-hosted service that allows you to print to AS/400-connected printers from PC applications.  For example, you could print from Excel to an AS/400 printer.  This service RECEIVES incoming traffic (inbound to the AS/400) from PC clients on port 8474.

Here's the IBM Troubleshooter for your problem:

http://www-01.ibm.com/support/docview.wss?uid=nas11e61e34f2505754f862566e20051c3de

How are your AS/400 printers configured?  The most common printing configuration uses LPR on the AS/400 to talk to LPD servers running on the printer.  LPD typically runs on TCP port 515.  This isn't the only protocol that is supported, so if you use PJL, SNMP or IPP printing, you'll need to adjust the port number appropriately.  

PJL (Usually 9100): http://www-01.ibm.com/support/docview.wss?uid=nas100e3c3d5af21afa6862565c2007d437f
SNMP (Usually 9100): http://www-01.ibm.com/support/docview.wss?uid=nas187a5b328400bbd37862569030070431d
IPP (Usually 631): http://www-01.ibm.com/support/docview.wss?uid=nas1562a677c16d08a0286256be2007323c2

So if your AS/400 is in the DMZ, and you are using LPR/LPD to talk to printers on your protected LAN network, then you need to open up TCP destination port 515 between the AS/400 DMZ address and the printer LAN address.  Here's a Cisco-style example:

access-list 123 permit tcp as400.address.dmz printer.address.lan eq 515
 
If you use PJL, SNMP, or IPP, you'll need to adjust 515 to the appropriate destination port.

- Gary Patterson

Author Comment

by:bjordon35
ID: 35052236
This is very helpful.
The port number in the printer device description on the iSeries is 9100.
The port settings on the network print server are protocol RAW, port 9100, LPR settings are blank, and SNMP status is enabled.

Which direction does traffic need to flow through this port on the firewall? From the iSeries in the DMZ to the internal network where the printers are? Or from the internal network to the DMZ?  

Expert Comment

by:Gary Patterson
ID: 35053152
From the iSeries (source) in the DMZ to printer(s) in the internal network (destination).  The host initiates connections to the printers.  Of course, the printers respond to the iSeries with acknowledgments, but most firewalls are stateful, and allow the responses back through for the duration of the connection.

- Gary Patterson

Author Comment

by:bjordon35
ID: 35056240
Thank you!
Added firewall rule -  allow port 9100 from DMZ to internal network.
Printing from AS400 to network printers is working now.
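The direction and port logic from this thread as a small rule check, written as an added example that is not part of the original posts. All addresses are constructed (documentation ranges), and the rule model (permit-only list, default deny, only new connections evaluated because the firewall is assumed stateful) is an assumption; it compares a network-wide port 9100 rule with one scoped to the iSeries and a single printer.

```python
import ipaddress
from dataclasses import dataclass

# Usual destination ports named in the accepted answer.
PRINT_PORTS = {"lpd": 515, "raw": 9100, "ipp": 631}

@dataclass(frozen=True)
class Rule:
    src: str      # source network, CIDR
    dst: str      # destination network, CIDR
    ports: range  # destination TCP ports

def permits(rules, src_ip, dst_ip, dport):
    """True if a permit rule matches a NEW connection (default deny).
    Replies are assumed to be handled by stateful tracking."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in ipaddress.ip_network(r.src)
               and d in ipaddress.ip_network(r.dst)
               and dport in r.ports for r in rules)

def exposure(rule):
    """Count of (source, destination, port) combinations a rule opens."""
    return (ipaddress.ip_network(rule.src).num_addresses
            * ipaddress.ip_network(rule.dst).num_addresses
            * len(rule.ports))

# Constructed addresses (documentation ranges), not from the thread.
DMZ_NET, LAN_NET = "192.0.2.0/24", "198.51.100.0/24"
ISERIES, OTHER_DMZ = "192.0.2.10", "192.0.2.99"
PRINTER, LAN_SERVER = "198.51.100.50", "198.51.100.7"

# Rules from the question: LAN clients -> iSeries only.
ORIGINAL = [Rule(LAN_NET, ISERIES + "/32", range(p, q + 1))
            for p, q in [(449, 449), (23, 23), (8470, 8476)]]
raw = PRINT_PORTS["raw"]
# Network-wide outbound rule versus a host-to-host rule.
BROAD = ORIGINAL + [Rule(DMZ_NET, LAN_NET, range(raw, raw + 1))]
SCOPED = ORIGINAL + [Rule(ISERIES + "/32", PRINTER + "/32", range(raw, raw + 1))]

if __name__ == "__main__":
    for name, rules in [("original", ORIGINAL), ("broad", BROAD), ("scoped", SCOPED)]:
        print(name,
              "print job:", permits(rules, ISERIES, PRINTER, raw),
              "| other DMZ host -> LAN server:",
              permits(rules, OTHER_DMZ, LAN_SERVER, raw),
              "| tuples opened by last rule:", exposure(rules[-1]))
```

With the inbound-only rules the print job is denied, which matches the CPD337F symptom in the question; both added rules let it through, but only the scoped one keeps other DMZ hosts from reaching port 9100 across the internal network.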