Novell Cool Solutions

Securing Access to the iPrint Web Page outside of the Network



July 27, 2007 1:19 am


Problem:

We were enabling our users to access iPrint from the outside (requires a firewall filter, but doable). However, we wanted to “Secure” access to the WEB page. Opened a SR with Novell since I couldn’t find any TID on this issue. After working with the Tech I was able to accomplish this. This is how we did it.

Solution:

Firewall Filter:

Current BM Filters:

ServerID:               1
Source Interface:       PUBLIC
Source Address:         (blank)
Protocol:               TCP
Destination Port:       631
Source Port:            (blank)
ackFilt:                0
stFilt:                 1
Destination Interface:  PRIVATE
Destination Address:    XXX.XXX.XXX.XXX
Comments:               To allow iPrint services

ConsoleOne Settings:

Properties of LDAP Server - IPrintServerName:

- SSL/TLS Configuration tab: uncheck "Require TLS for all Operations".
- Restrictions: Bind Restrictions is set to "None" and all "Limit" and "Timeout" options are set to "0".

Server Apache2 Settings:

Edit the \\ServerName\sys\Apache2\iprint\ipp.conf file and make the following changes. (Search for the “IfModule mod_ipp.c” section and edit.)

************************************************************
# Changed this to require login
# this is the default config for secure printing
<IfModule mod_ipp.c>
   <Location /ipp>
      #Require valid-user
      Order allow,deny
      #Allow from all
      #Type in the IP Segment for your Environment
      Allow from XXX.XXX
      Require valid-user
      # Satisfy Any: a request passes if it comes from the Allow segment
      # OR supplies a valid LDAP login
      Satisfy Any
      AuthType Basic
      AuthName "Tree_Name"
      AuthLDAPURL "ldaps://localhost:636/???(objectClass=user)"
      AuthLDAPRemoteUserIsDN on
      <IfModule mod_auth_ldap.c>
         AuthLDAPEnabled ON
      </IfModule>
      AuthLDAPDNAuthoritative On
      AuthLDAPAllowDNAuth On
   </Location>

   <Location /ipps>
      Order allow,deny
      #Type in the IP Segment for your Environment
      Allow from XXX.XXX
      Require valid-user
      # Satisfy Any is commented out here, so Apache's default
      # (Satisfy All) applies to this block
      #Satisfy Any
      AuthType Basic
      AuthName "Tree_Name"
      AuthLDAPURL "ldaps://localhost:636/???(objectClass=user)"
      AuthLDAPRemoteUserIsDN on
      <IfModule mod_auth_ldap.c>
         AuthLDAPEnabled ON
         #Off
      </IfModule>
      AuthLDAPDNAuthoritative On
      AuthLDAPAllowDNAuth On
   </Location>
</IfModule>
*************************************************************
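
An added example (not part of the original tip): a small Python model of how stock Apache 2.0 combines Order/Allow, Require valid-user and Satisfy for the two Location blocks above, to check which clients get in, get a login prompt (401), or are refused (403). The segment 10.1.0.0/16 and the client addresses are constructed stand-ins for the masked XXX.XXX values, and any extra behaviour of NetWare's mod_ipp is not modelled.

```python
import ipaddress

# Constructed stand-in for the page's masked "Allow from XXX.XXX" segment.
ALLOWED_SEGMENT = ipaddress.ip_network("10.1.0.0/16")

# The two Location blocks as written on the page. /ipps leaves
# "Satisfy Any" commented out, so Apache's default (All) applies.
LOCATIONS = {
    "/ipp":  {"allow": ALLOWED_SEGMENT, "require_user": True, "satisfy": "any"},
    "/ipps": {"allow": ALLOWED_SEGMENT, "require_user": True, "satisfy": "all"},
}

def host_allowed(rule, client_ip):
    # "Order allow,deny" with only an Allow line: anything unmatched is denied.
    return ipaddress.ip_address(client_ip) in rule["allow"]

def decide(path, client_ip, credentials_ok=None):
    """Return the HTTP status stock Apache 2.0 gives for one request.

    credentials_ok: None = no Authorization header sent,
                    True/False = the LDAP bind succeeded/failed.
    """
    rule = LOCATIONS[path]
    host_ok = host_allowed(rule, client_ip)
    if not rule["require_user"]:
        return 200 if host_ok else 403
    if rule["satisfy"] == "any":
        if host_ok:
            return 200          # address alone is enough, no login prompt
        return 200 if credentials_ok else 401
    # Satisfy All: the host check runs first, then authentication.
    if not host_ok:
        return 403              # refused before any login prompt
    return 200 if credentials_ok else 401

def matrix():
    """Every combination of location, inside/outside client, and login."""
    rows = []
    for path in LOCATIONS:
        for ip in ("10.1.4.20", "203.0.113.7"):   # inside / outside (constructed)
            for creds in (None, True):
                rows.append((path, ip, creds, decide(path, ip, creds)))
    return rows

if __name__ == "__main__":
    for path, ip, creds, status in matrix():
        print(f"{path:6} {ip:12} creds={str(creds):5} -> {status}")
```

In this model an address outside the Allow segment sees a login prompt on a block only when Satisfy Any is active there, so the value placed in Allow from and the Satisfy line are the two settings to verify after editing ipp.conf.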

Stop and restart your Apache services. I used two NCFs to stop and then start Apache.

AP2WEBDN.NCF
***********************
# Shutdown for Apache Web Server for Netware

unload address space = os apache2
***********************
AP2WEBUP.NCF
***********************
# Startup for Apache Web Server for Netware
# This is called from autoexec.ncf

# Make sure that httpstk isn't listening on 80
httpcloseport 80 /silent

load apache2 -E sys:\apache2\logs\startup.err
************************

Now users who access our iPrint WEB Page from outside of our Network are prompted to log into NetWare via LDAP to access the page:

https://XXX.XXX.XXX.XXX/ipps 

They would use their NetWare login name and their NetWare password.

Environment:

NetWare 6.5 SP 5 and Apache2


Disclaimer: This content is not supported by Novell. It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test it thoroughly before using it in a production environment.
