Optional, Advanced

How to print to a remote printer securely.


On the "head office" side, you have 3 choices to set up an SSH server:
(1) set up an LRP firewall with the hard disk option and install sshd.lrp, or
(2) set up a Linux box on the internal network with an OpenSSH server (called sshd), or
(3) set up a Windows NT/2000/XP box on the internal network, install cygwin-openssh and
install sshd as a Windows service.

If you choose (2) or (3), set the LRP or firewall to port-forward TCP port 22 (ssh traffic) to the SSH
server's IP address.

The LRP-Print Server's IP address is set to 192.168.10.252 by default.

On the "road warrior" laptop, install cygwin with ssh, or PuTTY.

Next, add a "special" printer that prints to IP=127.0.0.1 and port=9100

Please have the appropriate "printer driver" ready, either on a floppy, or on a hard disk, or on a network shared drive. If your printer is not included in Windows' default list, use the "Have Disk" method.

Windows XP:
Click Start.. (Control Panel).. Printers and Faxes...Add Printer...Local Printer...(check off Auto Detect PnP)...Next....Create new port...Standard TCP/IP port...
IP address = 127.0.0.1, port name=PrintSrv, Custom, Settings.. Raw.. Port 9100

Windows 2000 (method A)
First, install AXIS Print Monitor.
Click Start...Settings, Printers, Add Printers, Local Printer, Create New Port,
Choose AXIS port, choose RAW TCP/IP port,
IP address = 127.0.0.1, port number = 9100

Windows 2000 (method B)
Click Start...Settings, Printers, Add Printers, Local Printer, Create New Port,
Choose Standard TCP/IP port,
IP address = 127.0.0.1, port name=PrintSrv, Custom, Settings.. Raw.. Port 9100

Windows 2000 quirks
Sometimes the printer driver becomes corrupted. If that happens, delete the printer driver by re-installing the same printer driver on the LPT1 (local) port, then repeat method A or method B above. Thanks to Hillie Sample of Ottawa, Canada for this tip.

Windows NT:
First, install AXIS Print Monitor.
Start...Settings, Printers, Add Printers, "My Computer", Add Port,
Choose AXIS port, choose RAW TCP/IP port, click OK,
IP address = 127.0.0.1, port number = 9100

Windows 98/ME:
First, install AXIS Print Monitor.
Click Start...Settings, Printers, Add Printers, Local Printer, choose AXIS port
(Windows 98 will ask for the Windows 98 CD, unless c:\windows\options\cabs is intact).
Right click on the printer icon, choose Properties, Details, Add Port, click Other,
choose AXIS port, click OK, choose RAW (TCP/IP), click OK,
IP address = 127.0.0.1, port number = 9100, click Apply, click OK

Windows 95
First, install AXIS Print Monitor.
Click Start...Settings...Printers Add Printers ... Local Printer .. install the printer driver on LPT1.
(Windows 95 will ask for the Windows 95 CD, unless c:\windows\options\cabs is intact)
Right click the Printer Icon, choose Properties, Details...Add Port, click Other,
choose AXIS port, click OK, choose RAW (TCP/IP), click OK,
IP address = 127.0.0.1, port number = 9100
Click OK until you are back to the correct Printer Icon, right click, Properties, Details,
At the "Print to the Following Port" drop-down box, choose
"127.0.0.1_9100 AXIS Port", click OK.

If you have Windows XP SP2, you need to tweak the "windows firewall" to open
TCP Port 22.
Click Start...Control Panel...(in Category View mode)...Security Centre...Windows Firewall
...Exceptions Tab...Add port....port name ssh, port 22, TCP

Thanks to Stefano of Sardegna, Italy for the XP-SP2 reminder.

When the "road warrior" or "branch office" is ready to print to the remote printer:
Double click the cygwin icon; a black screen pops up. Type
ssh root@myoffice.com -L 9100:192.168.10.252:9100  (log on to the LRP box as root)
or
ssh user@myoffice.com -L 9100:192.168.10.252:9100  (log on to the Linux box or Windows box as user)

The above command invokes ssh to log on to the head office's LRP box, Linux box or Windows box and
sets up a "tunnel".
(This assumes you have set up DNS to point myoffice.com to the IP address of the LRP.)
The -L option says "tunnel port 9100 traffic on the road warrior's computer to the other side, and
send the TCP traffic to port 9100 of the computer with IP address 192.168.10.252 on the other side".

Printer traffic on port 9100 is now encrypted (tunneled) by the ssh protocol.
The road warrior can print highly confidential documents to the remote printer safely and securely.

If the "road warrior" hates typing long commands, create a Windows batch file
with the following content. Double clicking on the batch file icon will do all the typing.

@echo off
REM change to the cygwin bin directory so that bash and ssh are found
c:
cd c:\cygwin\bin
REM log on to the head office as root and forward local port 9100 to the LRP-Print Server
bash --login -c "ssh -l root myoffice.com -L 9100:192.168.10.252:9100"

(you can also use an ip address instead of myoffice.com)
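A way to push a raw print job through the local end of that tunnel from a script, as an added example that is not part of the original page: it assumes the same 127.0.0.1:9100 local endpoint as the "special" printer above, and includes a constructed stand-in for the LRP-Print Server's port-9100 listener so that it runs offline and also shows what happens when the ssh session is not up.

```python
import socket
import threading

# Local end of the "ssh -L 9100:192.168.10.252:9100" forward (same address and
# port as the "special" Windows printer on this page).
TUNNEL_HOST = "127.0.0.1"
TUNNEL_PORT = 9100

def send_raw_job(job: bytes, host=TUNNEL_HOST, port=TUNNEL_PORT, timeout=5.0) -> int:
    """Send one raw (port 9100 style) print job; returns the bytes sent.
    Raw printing is a plain TCP stream: write the job, then half-close so the
    printer knows it is complete.  With no ssh session running nothing listens
    on the local port and the connect is refused; report that clearly."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError as exc:
        raise ConnectionError(
            f"nothing listening on {host}:{port}; start the ssh -L tunnel first"
        ) from exc
    with sock:
        sock.sendall(job)
        sock.shutdown(socket.SHUT_WR)
    return len(job)

def start_fake_printer():
    """Constructed stand-in for the LRP-Print Server's port-9100 listener (not
    the real device): binds an ephemeral local port, accepts one connection and
    keeps the job.  Returns (port, result, thread); result["job"] is set when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    result = {}

    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            chunks = []
            while chunk := conn.recv(4096):
                chunks.append(chunk)
            result["job"] = b"".join(chunks)

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return srv.getsockname()[1], result, thread

def free_local_port() -> int:
    """A local TCP port with nothing listening, for the tunnel-down case."""
    with socket.socket() as probe:
        probe.bind(("127.0.0.1", 0))
        return probe.getsockname()[1]
```

With the real tunnel up, send_raw_job(b"Hello\f") with the default host and port delivers the job to the head office printer; the trailing form feed ejects the page.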

If the "road warrior" also hates typing a password, set up authentication using an RSA public key and
private key, so that the "road warrior" does not have to type a password to log in to the sshd server.
Obviously this is a security risk; you have to balance safety against convenience.
Here is how to set up RSA public key and private key authentication so that a password is not required.


You can use the same technique to securely access other resources behind a firewall.

For example, if the road warrior or branch office wants to do secure email,
set up an ssh session to the LRP box, Linux box or Windows box on the internal network and
tunnel port 110 to the other side, for POP3 mail (for most email users),
tunnel port 143 to the other side, for IMAP mail (only needed by advanced email users), and
tunnel port 25 to the other side, for SMTP outbound traffic (to send email via the Linux box).
In this case, configure the road warrior's email client software to use
POP3 server = 127.0.0.1
IMAP server = 127.0.0.1
SMTP server = 127.0.0.1
Create a batch file like this example and a desktop icon.
Double click the batch file icon to launch the ssh session and set up the tunnels.


If you use LRP as the firewall, you may want to adjust LRP Seawall's timeout to lengthen
the ssh session timeout. See this page on how to adjust Seawall's timeout.

Design footnote:
In the above system design, the corporate firewall only opens port 25 and port 22.
This is a better design than exposing port 110 or port 143 of the in-house email server to the outside world.
Personnel behind the firewall can use port 110 or port 143 to read their emails.
Personnel working from home or on the road must come in via SSH and set up tunnels
to read and send corporate emails under the protection of SSH's strong encryption.

SSH uses a pure TCP protocol, so it does not have the nasty firewall-traversal problems of IPsec or PPTP.
SSH with tunneling is destined to be the foundation technology of second generation VPN designs.
It has not got a name yet; it will probably be called SSH-VPN or SSL-based VPN.

© 2002-2005 Nicholas Fong

Last revised:  January 01, 2005