Print Servers for ThinPrint Environments - Sysbus


Subject of the test: ThinPrint gateways TPG60 and TPG 65 from SEH

Print servers for ThinPrint environments

Dr. Götz Güttich

The SEH ThinPrint gateways are able to receive ThinPrint print jobs for groups of client computers and printers, to decompress, decrypt and then forward these print jobs in a local network to the relevant target printer. IAIT has examined how these products perform in practice.

The ThinPrint server engine from Cortado reduces the printing volume in terminal server and virtual environments. To do this, the system connects mobile, virtual and web based desktops to centralized IT resources. It also supports Thin clients and the protocols RDP, ICA, HDX, PCoIP and TCP/IP. It is also able to compress and encrypt the print data. This results in a much faster printing process than in normal environments with, at the same time, less bandwidth and more security. In addition, the solution from Cortado reduces the amount of administration. The driver free printing thus significantly simplifies the management of printer drivers in the network.

In practice, printing in ThinPrint environments works as follows: Users send their print jobs from their Thin clients or virtual desktops to the ThinPrint server engine that, in turn, limits the bandwidth of the print jobs, compresses the print jobs and encrypts them, if necessary. The engine then transfers the print jobs to a ThinPrint client, for example via a WAN. The ThinPrint client then decrypts, decompresses and forwards the print jobs in the right format to the intended printer. The ThinPrint client, in turn, can be a Thin client. It is also possible to install the appropriate software to a PC or to use a compatible print server.

The ThinPrint gateways

This is where the ThinPrint gateways from SEH come into play. They serve as ThinPrint clients and print servers in the network and thus render additional ThinPrint clients superfluous.
This is especially of great advantage in networks without ThinPrint clients and where the print jobs are transmitted in an encrypted way. If there were no ThinPrint gateways available in such an environment, printing would either be impossible or the administrators would have to install the ThinPrint client to each end device together with the certificates that are required for the encryption. If a ThinPrint gateway is used instead of multiple end devices, the certificates have to be installed only once, resulting in a significant reduction in the amount of work. This way, even systems without ThinPrint client can be seamlessly integrated into the printing environment.

SEH offers four different versions of its TPG gateway. The TPG60 works with six external network printers, the TPG120 with twelve. In addition, there are two products from the latest series, the TPG 25 for two printers and the TPG 65 for six. These two solutions use a different user interface and come with additional features. We will deal with this later in greater detail.

Since we only set up two printers in our test environment, the TPG60 and the TPG 65 were more than enough in order to take a close look at all the functions. Apart from the number of addressable printers, the TPG60 and the TPG120 on the one side and the TPG 25 and the TPG 65 on the other side are identical.

Figure: The security settings of the TPG60 can be configured in a way that allows only certain systems within the network to access the print server

The test

For our test, we needed the two network printers mentioned above, the ThinPrint gateways and a ThinPrint print server. First, we set up the network printers and installed the TPG60 – more about this later. We then configured the TPG60 in such a way as to allow for the communication with the printers. Finally, we set up a ThinPrint environment with a central print server in the version 8.6 with Windows Server 2008 in the 32 bit version.

We connected an – initially unencrypted – ThinPrint port to this print server and added a shared default printer to the operating system that used this ThinPrint port. This printer sent its print data to the TPG60.

During the test, we first analyzed the printing environment without encryption, worked with the TPG60 and made sure everything worked fine.
We then configured an encryption environment with certificates and encrypted our print jobs.

Next, we set up our second printer and checked if all print jobs from all clients arrived at the destination printer, as expected. Last, but not least, we had a close look at the TPG 65 with its new features and its user interface.

Installation

The installation of the ThinPrint Engine runs, as is normal with Windows, with the help of a wizard and will almost certainly function everywhere with no problems. For this reason, we can directly move on to the SEH solution. The initial operation procedure of the TPG60 is also fairly simple. After the responsible employees have connected the product to the network, it searches for an IP address via DHCP or BOOTP when booting. If no appropriate server is available in the network, you can manually assign an IP address via the InterCon NetTool from SEH. In our network there was a DHCP server, so we could directly access the TPG60 after booting using the URL http://{IP address of the system}. When the browser has established a connection to the web interface of the TPG60, the administrator will be directed to a homepage where he can choose the language for the web interface. The homepage also includes information such as the phone number of the support team of the manufacturer or a link to the sales department. By the way: the system supports Chinese, English, French, German, Italian, Japanese, Korean, Portuguese and Spanish.

On the right side of the browser window there is a menu bar via which the administrators can access the other functions of the configuration tool. It contains a link to the product documentation on the SEH website as well as the three options "Status", "Configuration" and "Options".

Under "Status" the responsible employees see general information such as the serial number, MAC address, software version, etc. In addition, the employees can call a job history in a list that contains the processed print jobs as well as detailed information about the name, date, sender, status, size, etc. This way, they will get a quick overview of the activities in the printing environment.

The configuration menu is even more interesting as it includes all the options for the setup of the TPG60. The IT managers can, for example, enter a device description and information about the dealers. This information will then appear on the homepage. That said, it is also possible to set up the network configuration for IPv4. In addition to the usual settings such as the IP address and network mask, the TPG60 asks for a host name, a location and a contact person. As mentioned, the system also supports DHCP and BOOTP. If necessary, the administrators can also enable ARP/Ping, ZeroConf and Bonjour. In the test, the configuration of these points was completed quickly.

Figure: The ThinPrint configuration is the core of the TPG60

The DNS configuration requires the IP addresses of the DNS servers to be used whereas the time settings allow for the setting of the time zone and the specification of an SNTP server. Under "Protection" the responsible employees ensure that the access to the TPG60 is secured. For example, they can set up a password for the configuration interface, configure specific IP addresses as authorized senders (only these systems can then send data to the gateway), allow/deny HTTP and FTP traffic or enable the network authentication based on EAP-MD5, EAP-TLS, EAP-TTLS, EAP-PEAP or EAP-FAST. Thus, the ThinPrint gateway is also suitable for the use in environments with strict demands regarding network security.

The ThinPrint configuration is the core of the gateway. Here, the employees responsible for IT set up the printer including ID, class, drivers, remote address, port, etc. In addition, they specify the ThinPrint port, define the bandwidth and the timeout and specify the server address and similar parameters. Under "Certificates" certificate requests can be created and the certificates (root and TPG certificates) can be installed.

The last menu item "Actions" allows you to restart the device and reset it to its default settings. In addition, software updates can be carried out at this point. (This worked fine in our test). We encountered no problems with regard to the configuration of the system. The printers were set up quickly and the unencrypted printing was carried out without problems.

The encryption of print jobs

To encrypt the print jobs between the ThinPrint engine and the TPG60, several additional steps are required. First of all, three certificates have to be present, a client certificate for the TPG60, a server certificate for the ThinPrint engine and a root certificate, also for the server on which the ThinPrint engine is running. The client and server certificates are signed by the root certificate. In practice, the IT staff must set up a CA and generate a root certificate. In our test we used the Active Directory certificate services on a Windows Server 2008 R2. However, it is also possible to use external certification authorities or tools such as OpenSSL.

Once the root certificate is available, a client certificate will be requested on the same server and then distributed to the servers and client computers. In environments with very high security requirements, it may be useful to create a client certificate for each client individually. In our test environment however, this was not necessary since we only had the TPG60 as a client.

Figure: The encryption of print jobs is done via certificates

When the certificate based encryption is active, the printing environment encrypts all print jobs transferred between the ThinPrint engine and the TPG60, regardless of the transport protocol (TCP/IP or ICA/RDP). Since it is possible to encrypt ICA/RDP sessions, the use of the certificate based encryption is especially useful in environments where the data – at least in part – is transmitted via TCP/IP, e.g. when using central print servers. In such scenarios, the SSL encryption prevents eavesdropping by unauthorized users and makes sure that the print data is not sent to the wrong recipient.

The Active Directory certificate services, which – as mentioned above – were used in our test as certification authority, create their root certificate when installing the relevant role. Therefore we only had to generate a server certificate signed by this root certificate for our Windows Server 2008 and a client certificate for the TPG60 and to install the certificates to the relevant components.

A step by step description of how to generate and distribute certificates to Windows systems would exceed the scope of this test. You can find a very good description of the entire process in a white paper (creating certificates en.pdf) on the ThinPrint website. We will therefore focus on the creation and installation of the client certificate to the TPG60.
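
For the OpenSSL route mentioned above, the CA-side work of issuing and checking the three certificates can be sketched as follows. This is an added example, not taken from the test report or from SEH or ThinPrint documentation; the host names, file names, lifetimes and the serverAuth/clientAuth restriction are assumptions made for illustration, and `make_csr` stands in for the request that the gateway itself generates.

```sh
#!/bin/sh
# Added example: root CA plus one server and one client certificate.
# All names, lifetimes and the EKU split are constructed for illustration.
set -eu
PKI_DIR="$(mktemp -d)"

# Self-signed root; relies on the stock openssl.cnf marking it as a CA.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Print Root CA" \
    -keyout "$PKI_DIR/root.key" -out "$PKI_DIR/root.crt" 2>/dev/null
}

# Key pair and request; stands in for the request the device displays.
make_csr() {  # $1 = file prefix, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$PKI_DIR/$1.key" -out "$PKI_DIR/$1.csr" 2>/dev/null
}

# Sign a request with the root and limit the result to a single purpose.
sign_csr() {  # $1 = file prefix, $2 = serverAuth | clientAuth
  printf '%s\n' "basicConstraints=CA:FALSE" \
    "keyUsage=digitalSignature,keyEncipherment" \
    "extendedKeyUsage=$2" > "$PKI_DIR/$1.ext"
  openssl x509 -req -in "$PKI_DIR/$1.csr" -sha256 -days 365 \
    -CA "$PKI_DIR/root.crt" -CAkey "$PKI_DIR/root.key" -CAcreateserial \
    -extfile "$PKI_DIR/$1.ext" -out "$PKI_DIR/$1.crt" 2>/dev/null
}

# True only if the certificate chains to the root for the given purpose.
chains_to_root() {  # $1 = file prefix, $2 = sslserver | sslclient
  openssl verify -CAfile "$PKI_DIR/root.crt" -purpose "$2" \
    "$PKI_DIR/$1.crt" >/dev/null 2>&1
}

make_root
make_csr engine "printserver.example.test"
make_csr gateway "tpg60.example.test"
sign_csr engine serverAuth
sign_csr gateway clientAuth
chains_to_root engine sslserver && echo "engine certificate verifies"
chains_to_root gateway sslclient && echo "gateway certificate verifies"
# A client-only certificate must not pass as a server certificate.
chains_to_root gateway sslserver || echo "gateway rejected as server"
```

Only `root.crt` and the signed certificates leave the CA host; `root.key` stays there, since anyone holding it can issue certificates that both the engine and the gateway would accept.
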
Let’s assume that the server certificates are already available on the ThinPrint engine and that we only have to get and install the certificate for the TPG60.

In order to install a certificate to the TPG60, the responsible staff must first go to "Configuration/Certificates" in the configuration tool of the gateway and delete the (already existing) certificate. Then they have to click on "TPG certificate" and fill in the required fields for the certificate request. After clicking on "Create certificate request" the TPG60 displays the certificate request in the browser. The certificate request can be used, for example via copy & paste, to request a certificate from the certification authority.

Once the certificate is available as a file, the administrators can upload the certificate and install it to the TPG60 using the same dialog box that contains the certificate request. After that, you have to create a new port on the ThinPrint engine for the encrypted printing, enable the encryption for the said port and assign the port to the printers in the printer properties. In a last step, the responsible employees have to enter the two previously installed root and server certificates in the configuration tool of the ThinPrint engine (under ThinPrint Engine/Port manager/All Tasks/Encryption settings) so that the engine can use them. Now all print jobs will be encrypted.

The TPG 65

The devices TPG 25 and TPG 65 come with a new configuration interface and several new features. However, these products do not replace the other gateways TPG60 and TPG120. They add two new solutions to the portfolio of the manufacturer.

The structure of the configuration interface of the TPG 65 (and the TPG 25) is identical to that of the ThinPrint reader TPR 10. This means that users who are familiar with the TPRs will immediately get along with the TPGs. After opening the browser based user interface, the administrators will be directed to an overview page that allows them to select the language and view device information such as the firmware version, date, IP address, etc.

Figure: The configuration interface of the TPG 65

In addition to this overview page, the management tool offers four different configuration menus. The first deals with the network configuration and allows you to specify the IPv4 and IPv6 addresses, configure the DNS settings and set up SNMP, Bonjour as well as date and time (via the SNTP server). Not to mention the email configuration with POP and SMTP servers. While the SMTP server is used to send notifications and alerts, the POP server can be used to remotely configure the TPG 65. To do this, the administrators send an email with a command in the subject line to the email address of the TPG 65. The TPG 65 then collects the email from the POP server and executes the appropriate command. This process can be secured via encryption and PINs. This is very useful in environments without direct access to the web interface, but with a need for status information and quick configuration changes.

The second menu is called "Device" and allows the responsible employees to establish a connection to the ThinPrint server, to monitor the ThinPrint printers, to create mail alerts and SMTP traps, etc.

Via the "Security" menu, the access to the configuration menu can be protected via SSL and passwords. There is also the option to manage and install certificates, to set up the authentication via MD5, TLS, TTLS, PEAP and FAST and to restrict the access to the gateway using IP and MAC white lists.

Last but not least, the "Maintenance" menu offers the basic functions for the management of the gateway itself: Here, you can carry out firmware updates, print status pages, restart the device, view a job history and perform resets.
Not to mention the new features for the management of USB devices and for the backup. We will deal with these features in more detail now.

The new features

Let’s start with the parameter backup. This feature allows you to back up all configuration parameters and to transfer them to other devices. We encountered no problems with regard to the parameter backup. The backup can also be done using a USB flash drive. In addition, such a flash drive can be used to buffer print jobs if the printers are not available. Other new features include the previously mentioned email alerts and the possibility to configure the gateway with the help of emails. However, one of the most important features is the end to end encryption that now allows you to not only encrypt the print jobs between the ThinPrint engine and the TPG, but also the data transfer between the TPG and the printers.

In this case, the encryption between the ThinPrint engine and the TPG is done via certificates, as described earlier. The encryption between the TPG and the printer is done via IPP with SSL, if this is supported by the print device.

Conclusion

The ThinPrint gateways can take away a lot of work from the IT staff because they render the installation of the ThinPrint client to all end devices superfluous. This simplifies the configuration and allows for the integration of print clients for which there is no ThinPrint client. In addition, it also significantly simplifies – thanks to the good documentation – the setting up of encrypted printing environments. Therefore, the solution is highly recommended for environments with high security requirements and proprietary end devices.
