Deploying YSoft SafeQ Client v3 in the Server Mode

YSoft SafeQ Client v3 in the Server Mode is a mode which receives print jobs and print job metadata from non-spooling clients and stores them locally on the server.

Requirements

  • TLS Certificate - you can use the same one as YSoft SafeQ Job Service uses

    • The certificate will be used for the HTTPS communication between YSoft SafeQ Client v3 in the Client Non-Spooling mode and YSoft SafeQ Client v3 in the Server mode

    • images/s/-t6brkm/8803/3fowtp/_/images/icons/emoticons/warning.svg This certificate must be trusted by the workstation

  • YSoft SafeQ FlexiSpooler service must be disabled or YSoft SafeQ Client v3 must use different ports for print job reception.

  • YSoft SafeQ Client v3 in the Server Mode must be configured to connect to YSoft SafeQ Job Service via localhost, i.e. SiteServerHosts must be set to localhost (or 127.0.0.1). This means that the certificate validation has to also be disabled by using DisableCertificateValidation. This doesn’t have any security implications because the communication is only on localhost.

Installation

Example of script usage

Following is a command which will install YSoft SafeQ Client v3 in the Server Mode

.\install.ps1 -SiteServerHosts localhost -DisableCertificateValidation -SpoolerMode "Server" -HttpsCertificateStoreLocation "LocalMachine" -HttpsCertificateStoreName "My" -HttpsCertificateThumbprint "2E69C921F3F417C176A299F1CC9A163FC925C019"

Note that the communication between YSoft SafeQ Spooler and YSoft SafeQ Job Service is happening entirely over the loopback network interface. As it is very uncommon for the TLS certificate of YSoft SafeQ Job Service to be issued for the "localhost" DNS name, the validation of its certificate should be disabled.

Receiving print jobs over IPP

  • YSoft SafeQ Client v3 in the Server Mode will by default also listen on 631 port for print jobs sent over IPP.

  • YSoft SafeQ Client v3 will by default use IPPS with the TLS certificate configured during installation.

  • You can use following options to configure the IPP receiving in the `local.json` file

    IPP Configuration
    {
    ...
     
    "JobReceivingOptions": {
    "IppReceivingEnabled": true, // Enables/disables IPP receiving
    "UseIpps": true, // Enables/disables IPPS
    "IppPort": 631 // Sets the port over which the client will receive IPP requests
    }
     
    ...
    }

Receiving print jobs over LPR


YSoft SafeQ Client v3 in the Server Mode will by default also listen on 515 port for print jobs sent over LPR.

images/s/-t6brkm/8803/3fowtp/_/images/icons/emoticons/warning.svg The port 515 is the default port for LPR, and also YSoft FlexiSpooler will be listening to the same port in case it is installed on the same machine. One can either change the port for spooler or disable FlexiSpooler in order to use the 515 port, or disable LPR receiving for spooler.

You can use following options to configure the LPR receiving in the `local.json` file

LPR Configuration
{
...
 
"JobReceivingOptions": {
"LprReceivingEnabled": true, // Enables/disables LPR receiving
"SQLPRPrt": 515 // Sets the port over which the server will receive LPR requests
}
 
...
}

Security Remark for print job reception over LPR

These are the consideration that Admins should keep in mind when activating the LPR interface

  • There is no authentication available to a user, so everyone is effectively anonymous

  • An attacker could make it look like a job is coming from a different user

  • An attacker could trick a user into print a modified document instead of his own

  • An attacker could access the user's data by impersonating the server