6 Replies Latest reply on Jan 12, 2016 12:11 PM by John Siegel

    Pop ups and firewalls

    Steve Yount Adventurer

      We use pop ups to allow customers to print from their personal computers. Currently, they can submit a job; however, if they type in a wrong password or username, they do not get the error message that is returned. I know that this is not showing due to hardware firewalls, as the error message does appear if I move my computer onto the same subnet as our servers.

       

      Does anyone know what ports I need to have in place and to which server components to show the error messages to a customer (and which direction - server > client, client > server, or both)? All I see about firewalls in the configuration guide under pop ups is port 515, which is open.

       

      Thank you!

        • Re: Pop ups and firewalls
          Steven English Guide

          Steve Yount,

           

          I am not sure why it is not listed in the documentation under popup client, but notifications are sent back down to the workstation on port 28201.  The server initiates the connection so the workstation must allow an inbound connection on 28201, and the server will be reaching down to the workstation by the IP address it reports itself to be.  This can get complicated or fail to work for workstations with multiple IP addresses (e.g., VPN connections).

           

          Regards,

          Steven

          2 of 2 people found this helpful
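
An added example, not part of the original thread and not Pharos code: a Python check for the server-to-workstation path described in the reply above. It assumes the notification on port 28201 is TCP, which the reply does not state; `probe` and `local_ipv4_addresses` are hypothetical helper names.

```python
import errno
import socket
import sys

NOTIFY_PORT = 28201  # port named in the reply; TCP is an assumption


def probe(host, port=NOTIFY_PORT, timeout=3.0):
    """Classify one connection attempt from the server side.

    open        - a listener accepted the connection
    refused     - host answered but nothing is listening (or a firewall reset it)
    filtered    - no answer before the timeout, typical of a firewall dropping packets
    unreachable - no route to the address the workstation reported
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "error: %s" % exc
    finally:
        s.close()


def local_ipv4_addresses():
    """IPv4 addresses this machine's hostname resolves to.

    More than one entry (for example a LAN and a VPN adapter) is the
    multiple-address case the reply warns about.
    """
    try:
        infos = socket.getaddrinfo(socket.gethostname(), None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    # On the workstation: run with no arguments to list its addresses.
    # On the server: pass workstation addresses to test the inbound path.
    print("local IPv4 addresses:", local_ipv4_addresses())
    for host in sys.argv[1:]:
        print(host, NOTIFY_PORT, probe(host))
```

A `filtered` result from the server while the same workstation shows `open` from its own subnet points at a firewall between the zones rather than at the pop-up client.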
            • Re: Pop ups and firewalls
              Steve Yount Adventurer

              Thank you for this info. I passed it on to the person that I am working with on the security team. Hopefully we can get this working soon.

              • Re: Pop ups and firewalls
                Steve Yount Adventurer

                Based on what I have found, it appears that with the way that this is currently set up we will be unable to provide notifications for our pop-up users.

                 

                We have many subnets set up on our network, and we use hardware firewalls with them. This port is blocked from incoming traffic based on the default firewall rule set that is applied to all new zones. In order to allow the clients to accept an inbound connection on port 28201, we would need to add allow rules on potentially thousands of firewall zones (I have been told that this will not be happening).

                 

                I would like to make a feature request that the check for notifications be able to be initiated by the client and not the server so that a new, inbound connection to the client does not need to be made. This is a major inconvenience for our users; we get help tickets daily about people that cannot print because they were using the wrong password (we force password changes on a regular basis and allow users to save their password on pop-ups). Since they do not get the notifications, they only find out about the error after going to release their print job, and contacting us after finding their queue empty.

                 

                -Steve

              • Re: Pop ups and firewalls
                John Siegel Guide

                Or networks like ours that have multiple zones and lousy DNS resolution. Any chance updating the lmhosts files to resolve the server location fixes the problem? Is this happening on Windows machines only or Mac as well? Used to be Pharos had a reg hack that opened all the necessary ports. Not sure if that still exists.

                We've also seen the same type of behavior when a server is not listed in a zone, and the DNS doesn't roll over to search additional zones. It just pops up the 28201 cannot connect to server error, or doesn't respond at all.

                It can also be related to the security levels of the network. For example, at CU we have a secure wireless network that requires authentication, and a guest wireless network that does not. Sending jobs via the guest wireless will get a popup 28201 error unless the user connects via VPN since it has ports restricted via the IronPort firewall.

                 

                ~John