
Securing Access to the iPrint Web Page outside of the Network

Novell Cool Solutions: Tip
By Chris Premo

Posted: 27 Jul 2007
 

Problem:

We were enabling our users to access iPrint from the outside (requires a firewall filter, but doable). However, we wanted to "secure" access to the web page. I opened an SR with Novell since I couldn't find any TID on this issue. After working with the tech I was able to accomplish this. This is how we did it.

Solution:

Firewall Filter:

Current BM Filters:

   ServerID:               1
   Source Interface:       PUBLIC
   Source Address:         (empty)
   Protocol:               TCP
   Destination Port:       631
   Source Port:            (empty)
   ackFilt:                0
   stFilt:                 1
   Destination Interface:  PRIVATE
   Destination Address:    XXX.XXX.XXX.XXX
   Comments:               To allow iPrint services

ConsoleOne Settings:

Properties of LDAP Server - IPrintServerName:

   - SSL/TLS Configuration tab: uncheck "Require TLS for all Operations".
   - Restrictions: Bind Restrictions is set to "None" and all "Limit" and "Timeout" options are set to "0".

Server Apache2 Settings:

Edit the \\ServerName\sys\Apache2\iprint\ipp.conf file and make the following changes. (Search for the "IfModule mod_ipp.c" section and edit.)

************************************************************
# Changed this to require login
# this is the default config for secure printing
<IfModule mod_ipp.c>
   <Location /ipp>
      #Require valid-user
      Order allow,deny
      #Allow from all
      # Type in the IP segment for your environment
      Allow from XXX.XXX
      Require valid-user
      # Satisfy Any: a client in the allowed IP segment is served without a
      # login; any other client must authenticate.
      Satisfy Any
      # Basic auth sends the password base64-encoded, not encrypted.
      AuthType Basic
      AuthName "Tree_Name"
      # Look up users (objectClass=user) over LDAPS on this server
      AuthLDAPURL "ldaps://localhost:636/???(objectClass=user)"
      AuthLDAPRemoteUserIsDN on
      <IfModule mod_auth_ldap.c>
         AuthLDAPEnabled ON
      </IfModule>
      AuthLDAPDNAuthoritative On
      AuthLDAPAllowDNAuth On
   </Location>

   <Location /ipps>
      Order allow,deny
      # Type in the IP segment for your environment
      Allow from XXX.XXX
      Require valid-user
      # Satisfy Any is left commented out here, so Apache's default
      # (Satisfy All) applies: the client must match the Allow line and
      # also authenticate.
      #Satisfy Any
      AuthType Basic
      AuthName "Tree_Name"
      AuthLDAPURL "ldaps://localhost:636/???(objectClass=user)"
      AuthLDAPRemoteUserIsDN on
      <IfModule mod_auth_ldap.c>
         AuthLDAPEnabled ON
         #Off
      </IfModule>
      AuthLDAPDNAuthoritative On
      AuthLDAPAllowDNAuth On
   </Location>
</IfModule>
*************************************************************
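
The effect of the two Location blocks above can be checked offline with a small model of Apache's Order/Allow/Require/Satisfy rules. This is an added example, not part of the original tip or of Novell's code; it assumes stock Apache 2.0 semantics (nothing mod_ipp may add), handles only "Order allow,deny" without Deny lines, and uses the made-up internal prefix 10.1 in place of the masked XXX.XXX.

```python
import re

# Constructed sample: the tip's two blocks, masked "XXX.XXX" replaced by made-up prefix 10.1
SAMPLE_CONF = """
<Location /ipp>
  Order allow,deny
  Allow from 10.1
  Require valid-user
  Satisfy Any
</Location>
<Location /ipps>
  Order allow,deny
  Allow from 10.1
  Require valid-user
  #Satisfy Any
</Location>
"""

def parse_locations(conf):
    """Return {path: {"allow": [...], "satisfy": "any"|"all", "require": bool}}."""
    policies = {}
    for path, body in re.findall(r"<Location\s+(\S+)>(.*?)</Location>", conf, re.S):
        pol = {"allow": [], "satisfy": "all", "require": False}  # default: Satisfy All
        for line in body.splitlines():
            words = line.split()
            key = words[0].lower() if words else ""   # commented lines match nothing
            if key == "allow":
                pol["allow"] += words[2:]              # skip the word "from"
            elif key == "satisfy" and len(words) > 1:
                pol["satisfy"] = words[1].lower()
            elif key == "require":
                pol["require"] = True
        policies[path] = pol
    return policies

def host_ok(allow, ip):
    """Order allow,deny with no Deny lines: pass only if an Allow entry matches."""
    return any(a.lower() == "all" or ip == a or ip.startswith(a.rstrip(".") + ".")
               for a in allow)

def decide(pol, ip, authenticated):
    """Return 200 (served), 401 (login prompt) or 403 (refused) for one request."""
    host = host_ok(pol["allow"], ip)
    if not pol["require"]:                  # host-based control only
        return 200 if host else 403
    if pol["satisfy"] == "any":             # either check is enough
        return 200 if (host or authenticated) else 401
    if not host:                            # Satisfy All: both checks must pass
        return 403
    return 200 if authenticated else 401
```

decide(policy, ip, authenticated) returns 200, 401 (login prompt) or 403; comparing an inside and an outside address on each path shows what the Satisfy line changes.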

Stop and restart your Apache services. I used two NCFs to stop and then start Apache.

AP2WEBDN.NCF
***********************
# Shutdown for Apache Web Server for Netware

unload address space = os apache2
***********************

AP2WEBUP.NCF
***********************
# Startup for Apache Web Server for Netware
# This is called from autoexec.ncf

# Make sure that httpstk isn't listening on 80
httpcloseport 80 /silent

load apache2 -E sys:\apache2\logs\startup.err
************************

Now users who access our iPrint WEB Page from outside of our Network are prompted to log into NetWare via LDAP to access the page:

https://XXX.XXX.XXX.XXX/ipps 

They would use their NetWare login name and their NetWare password.

Environment:

NetWare 6.5 SP 5 and Apache2

Reader Comments

  • Great tip! I've gotten iPrint working inside the firewall, now this will help with those connecting from their homes. Thanks!
