
Securing Access to the iPrint Web Page outside of the Network

Novell Cool Solutions: Tip
By Chris Premo


Posted: 27 Jul 2007
 

Problem:

We were enabling our users to access iPrint from the outside (requires a firewall filter, but doable). However, we wanted to "secure" access to the web page. I opened an SR with Novell since I couldn't find any TID on this issue. After working with the tech, I was able to accomplish this. This is how we did it.

Solution:

Firewall Filter:

Current BM Filters:

ServerID:              1
Source Interface:      PUBLIC
Source Address:        (blank)
Protocol:              TCP
Destination Port:      631
Source Port:           (blank)
ackFilt:               0
stFilt:                1
Destination Interface: PRIVATE
Destination Address:   XXX.XXX.XXX.XXX
Comments:              To allow iPrint services

ConsoleOne Settings:

Properties of LDAP Server - IPrintServerName:

- SSL/TLS Configuration tab: uncheck "Require TLS for all Operations".
- Restrictions: Bind Restrictions is set to "None" and all "Limit" and "Timeout" options are set to "0".

Server Apache2 Settings:

Edit the \\ServerName\sys\Apache2\iprint\ipp.conf file and make the following changes. (Search for the "IfModule mod_ipp.c" section and edit.)

************************************************************
# Changed this to require login
# this is the default config for secure printing
<IfModule mod_ipp.c>
   <Location /ipp>
     #Require valid-user
     Order allow,deny
     #Allow from all
     #Type in the IP Segment for your Environment
     Allow from XXX.XXX
     Require valid-user
     Satisfy Any
     AuthType Basic
     AuthName "Tree_Name"
     AuthLDAPURL "ldaps://localhost:636/???(objectClass=user)"
     AuthLDAPRemoteUserIsDN on
     <IfModule mod_auth_ldap.c>
        AuthLDAPEnabled ON
     </IfModule>
     AuthLDAPDNAuthoritative On
     AuthLDAPAllowDNAuth On
   </Location>

   <Location /ipps>
      Require valid-user
      Order allow,deny
      #Type in the IP Segment for your Environment
      Allow from XXX.XXX 
      Require valid-user
      #Satisfy Any
      AuthType Basic
      AuthName "Tree_Name"
      AuthLDAPURL "ldaps://localhost:636/???(objectClass=user)"
      AuthLDAPRemoteUserIsDN on
      <IfModule mod_auth_ldap.c>
         AuthLDAPEnabled ON
         #Off
      </IfModule>
      AuthLDAPDNAuthoritative On
      AuthLDAPAllowDNAuth On
   </Location>
</IfModule>
*************************************************************
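
As an added example (not part of the original tip or any Novell tooling), this Python script reads the active directives in the two Location blocks above and reports what standard Apache 2.0 Order/Allow/Require/Satisfy rules give each path. The 10.1 segment, the function names and the embedded sample configuration are assumptions made for illustration.

```python
import re

# Constructed sample: active access directives from the two <Location> blocks
# on this page; 10.1 is an assumed stand-in for the masked XXX.XXX segment.
SAMPLE_CONF = """
<Location /ipp>
  #Require valid-user
  Order allow,deny
  Allow from 10.1
  Require valid-user
  Satisfy Any
</Location>
<Location /ipps>
  Require valid-user
  Order allow,deny
  Allow from 10.1
  #Satisfy Any
</Location>
"""

def parse_locations(conf):
    """Map each <Location> path to {directive: [argument strings]}, skipping comments."""
    locations, current = {}, None
    for line in (raw.strip() for raw in conf.splitlines()):
        opened = re.match(r"<Location\s+([^>\s]+)\s*>", line, re.I)
        if opened:
            current = locations.setdefault(opened.group(1), {})
        elif line.lower().startswith("</location"):
            current = None
        elif current is not None and line and line[0] not in "#<":
            name, _, args = line.partition(" ")
            current.setdefault(name.lower(), []).append(args.strip())
    return locations

def effective_policy(directives):
    """Who gets in under Apache 2.0 rules, assuming 'Order allow,deny' as on this page."""
    hosts = [h for a in directives.get("allow", []) for h in a.split()[1:]]
    needs_user = bool(directives.get("require"))
    satisfy_any = (directives.get("satisfy") or ["all"])[-1].lower() == "any"
    if satisfy_any:   # a host match OR a valid login is enough
        listed, others = "no login", ("login" if needs_user else "denied")
    else:             # default Satisfy All: host match AND valid login
        listed, others = ("login" if needs_user else "no login"), "denied"
    if any(h.lower() == "all" for h in hosts):
        others = listed   # "Allow from all": every client counts as listed
    return {"allow_from": hosts, "listed": listed, "others": others}

def audit(conf):
    return {path: effective_policy(d) for path, d in parse_locations(conf).items()}
```

Pass the contents of the edited ipp.conf to audit() before restarting Apache. Under these rules a Location without an active Satisfy Any refuses clients outside the Allow segment before any login prompt, so confirm which source address Apache sees for outside users.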

Stop and restart your Apache services. I used two NCFs to stop and then start Apache.

AP2WEBDN.NCF
***********************
# Shutdown for Apache Web Server for Netware

unload address space = os apache2
***********************

AP2WEBUP.NCF
***********************
# Startup for Apache Web Server for Netware
# This is called from autoexec.ncf

# Make sure that httpstk isn't listening on 80
httpcloseport 80 /silent

load apache2 -E sys:\apache2\logs\startup.err
************************

Now users who access our iPrint web page from outside of our network are prompted to log in to NetWare via LDAP to access the page:

https://XXX.XXX.XXX.XXX/ipps 

They would use their NetWare login name and their NetWare password.

Environment:

NetWare 6.5 SP 5 and Apache2

