Restrict printing by IP

02-10-2017 01:16 PM
With the M553n I have the ability to block access to the web portal by IP. However, this does not seem to extend to the actual use of the printer - users from blocked IP addresses can still send print jobs directly, unabated.
We use a print server and I want to ensure that only jobs from that server's IP will be accepted by the printer. After going through all of the security/networking menu screens I have been unable to find anything which allows this. Does this feature exist on this printer?
02-10-2017 02:42 PM
> We use a print server and I want to ensure that only jobs from that server's IP will be accepted by the printer.
You need to restrict network access to the printer by configuring a VLAN/Virtual LAN. Once the VLAN is set up, move the print server and the printers to that area. This is the best way to effectively disable a random person from adding the printer by IP and working around the security on your print server.
Another thought is to work with the Network Admins and shut down all communication to and from the printers except for the print server but this is usually more work than setting up a VLAN.
> Does this feature exist on this printer?
No. This is a setup task for your Network and System Administrators to coordinate.
Experts are not HP Employees. Experts are advanced users, administrators, technicians, engineers or business partners who volunteer their time to answer community questions.
Please mark anything that is helpful with a Kudo.
When you are done troubleshooting, please mark one of the responses as the Solution.
This feedback enhances the community by helping future readers choose between multiple similar responses.
02-10-2017 02:53 PM
Thanks. I actually am the network administrator.
This solution will work in theory, but is not an option on our network as the print server is not dedicated. It shares other duties on the network and separating it with a VLAN would cause issues with other applications.
Another printer we have (a Lexmark) offers this functionality with just a few clicks - I can restrict printing by IP and it works well. Why an 'enterprise' labelled printer from HP requires a VLAN (or more cumbersome network filtering) to enjoy this same functionality is beyond me. I expect this issue on an officejet - not a printer which is supposedly designed for enterprise environments.
02-10-2017 03:06 PM
> Thanks. I actually am the network administrator.
Pleasure to meet you : ) SysAdmin here so I'll divert to your expertise on network specific topics on this thread.
> print server is not dedicated. It shares other duties on the network and separating it with a VLAN would cause issues with other applications.
Gotcha. In this case you need to split off a different device that can function as a print server for you with the new VLAN configuration. Just about any recent Windows OS with Enterprise licensing can function as a print server. All you have to do is enable the Print Management feature and away you go. We use a Win7 laptop in one of our remote offices where it was not deemed reasonable to set up a dedicated server. It works just as good as a normal Win2008 or 2012 dedicated print server for what we need (granted I don't know your print capacity needs).
As I rethink my post it wouldn't make sense to put the print server in the VLAN, then folks wouldn't be able to talk to it. Instead the print server would have to sit outside the VLAN with access to the VLAN restricted to the print server on the normal prod network.
> I expect this issue on an officejet - not a printer which is supposedly designed for enterprise environments.
I took a look at my m527 and found the Networking > Authorization > Access Control menu from the Embedded Web Server. This looks like it should do the trick.
I'll upload a screenshot but it will take a while for HP to approve it:
See if your model has a menu like this after signing into the admin EWS. If not then you may be out of luck and will have to pursue some VLAN wizardry as previously suggested.
02-16-2017 11:29 AM
I do appreciate your time in responding.
> Just about any recent Windows OS with Enterprise licensing can function as a print server. All you have to do is enable the Print Management feature and away you go.
Yes, this is true. While doable (I did a server transfer last year to the new machine) it is a pain. What I was hoping this printer offered was a built-in solution which did not require network reconfiguration.
> I took a look at my m527 and found the Networking > Authorization > Access Control menu from the Embedded Web Server. This looks like it should do the trick.
I found this as well before my first post. However, in testing, it only restricts access to the web console. Restricted IPs in that list can still print to the printer directly (not going through the print server) which tells me it only blocks the web ports.
Unfortunately it appears that way. Another project to add to the list, unless I can work up a filter in our NSA to restrict traffic.
Thanks.
02-16-2017 12:14 PM
> However, in testing, it only restricts access to the web console. Restricted IPs in that list can still print to the printer directly (not going through the print server) which tells me it only blocks the web ports.
Well that's a shame. If the feature doesn't work as advertised then I doubt there is much else we can get HP to do outside of requesting firmware updates to fix it. This would normally be something to start a case on but I've read a few other articles that suggest HP has stopped developing the feature and presses back to use traditional firewall rules as enforcement instead. YMMV.
ACLs are mentioned in HP's best practices documentation on page 50 (54 of the PDF), but focused as a feature of WebJet Admin.
HP Security Best Practices WJA
http://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-c03137192-5.pdf
It specifically states:
"When configured, no computer outside the list will have access to the MFP including printing."
Your results tend to suggest otherwise. I could explore this feature with our WJA to verify if I get more time, but that may not help you unless you have access to WJA too. Besides, if the feature direct on the printer doesn't work as advertised I don't see how WJA is going to be any more effective at enforcing the rules.
03-27-2019 11:14 PM
In order to block local IPs:
Go to https://<printer IP address>
Create an IPSEC/Firewall rule
Click on Add Rules and press New:
Name the template
Choose the local IP of the printer; the remote IP should be that of your print server. Press OK
Click on the template you created in the list and press Next
Choose All Print Services
Choose Allow traffic to pass without IPSec/Firewall protection
After clicking Finish, make sure the default rule further down is set to ALLOW
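
Added example (not part of the thread, and not HP code): a check to run from a workstation that is not the print server, to confirm whether an access-control list or firewall rule actually covers the print ports and not just the web console. The port numbers are the conventional assignments for raw/JetDirect, LPD, IPP and HTTP/HTTPS rather than values from the thread, and the printer address is a placeholder.

```python
import socket

# Conventional port assignments (assumed; not taken from the thread).
WEB_PORTS = {80: "HTTP (EWS)", 443: "HTTPS (EWS)"}
PRINT_PORTS = {9100: "raw/JetDirect", 515: "LPD", 631: "IPP"}


def probe(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unreachable
        return False


def scan(host, ports, timeout=2.0):
    """Map each port number to its reachability from this machine."""
    return {port: probe(host, port, timeout) for port in ports}


def assess(results):
    """Classify results taken from a host that is NOT on the allow list."""
    web_open = any(results.get(p, False) for p in WEB_PORTS)
    print_open = sorted(p for p in PRINT_PORTS if results.get(p, False))
    if print_open:
        scope = "nothing" if web_open else "web console only"
        return f"FAIL: print ports {print_open} reachable; restriction covers {scope}"
    if web_open:
        return "PARTIAL: print ports blocked, web console still reachable"
    return "PASS: web console and print ports blocked"


if __name__ == "__main__":
    printer = "192.0.2.10"  # placeholder (TEST-NET-1); use the printer's address
    names = {**WEB_PORTS, **PRINT_PORTS}
    results = scan(printer, names)
    for port, is_open in sorted(results.items()):
        print(f"{port:>5} {names[port]:<14} {'open' if is_open else 'blocked'}")
    print(assess(results))
```

Run it once from the print server as well: there the print ports should still show as open, otherwise the rule has also cut off the server.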