Blocking IP Printing from Clients?

[Kelemvor]

This is mostly a network issue so maybe someone will know...

We have everyone install printers at our office by creating a TCP/IP port in Windows and linking directly to the printer. However we are setting up a Print Server and would like everyone to print through that. Is there any wya to somehow not let people create IP prots to printers to print on their own so they have to install the printer through the print server?

 

[MiniDoom]

Originally posted by: FrankyJunior
This is mostly a network issue so maybe someone will know...

We have everyone install printers at our office by creating a TCP/IP port in Windows and linking directly to the printer. However we are setting up a Print Server and would like everyone to print through that. Is there any wya to somehow not let people create IP prots to printers to print on their own so they have to install the printer through the print server?

I would change the ip address of the printer, most users probably wouldn?t be able to find out the new ip.

 

[dphantom]

We use print server for roughly 75 printers. Users add printers via Active Directory so we control permissions that way. We do not provide IP addresses to users so they cannot create a TCP/IP port (one that would work anyway).

 

[halfadder]

Changing the IP of the printer sounds like the easiest method.

 

[vi edit]

Unplug the network cable from the jetdirect(or equivalent) card in the printer and hook up the printer to the print server via parallel cable?

 

[Fardringle]

Originally posted by: vi_edit
Unplug the network cable from the jetdirect(or equivalent) card in the printer and hook up the printer to the print server via parallel cable?

That would be very effective, but only if the printer is actually near the server. If it is a true network printer it could be (literally or figuratively) miles away. I'd vote for changing the printer's IP address as well. Network savvy users might still be able to track it down, but normal users would even have a clue where to start looking.

 

[Nothinman]

You could probably push an IPSec policy out via GPO to disallow traffic to port 515, assuming that they're setup to use the lpr protocol.

 

[Kelemvor]

We are going to change the IP addresses. However when a person adds the printer from the server, and then they check the properties of the printer on their PC, they can see the IP address listed in the Port area. Then this cuold be given to anyone.

But yes, hopefully it will be good enough.

And we have printers all around out building so plugging them directly into the server isn't possible.

 

[Hardlin]

HP jetdirect cards allow you to restrict who can print to it. Your best bet is to have the printer only accept jobs from the printer server's IP. That will stop everyone else from printing to it.

 

[spidey07]

Here's a few tips on printer administration.

1) printers only accept jobs from a DNS name, those names are of your print servers (configed on network card of printer)
2) all printers are referenced by DNS name, not IP address
3) all printers receive DHCP reservations based on their mac address
4) control access rights on the print server

so what do you have when you do these things? secure printers that do what the administrator tells them to do and only what the administrator tells them what to do. the dhcp/dns stuff is just plain good IP administration.

 

[Kelemvor]

Do all printers let you configure them to only accept jobs from certain places? Most of our printers are old Lexmarks (T612, S1855). The main one is a Xerox Docucolor 12 with a Fiery box it uses. Not sure what options we have. Overall it's not a huge deal but we are just curious as to what our options are.

Since we are on the Print administration topic, are there any programs to load on the print server that will keep job logs for all the printers and have data on who's printing what and when? Some of our printers have their own logs but the old Lexmarks and such don't have any built in hard drives at all.

 

[yoda291]

how about putting printers in their own vlan and not routing packets from clients to printers directly?