Network Printing

1. Installation and setup of network printers

This document is intended to be a step-by-step guide to the installation and setup of HP Network printers and relevant Unix software. It covers common problems associated with network printing using a TCP/IP network connection. Although this howto was written using the HP 4000N Printer as a guide, the information and steps should be similar for all comparable printers made by Hewlett-Packard.

2. Setup

The interface card is designed to take multiple inputs (a network connection, direct parallel connection to either a UNIX workstation or an Intel-based PC, and/or a direct serial connection to a UNIX or Macintosh machine). Consult the printer manuals for instructions on setup and operation with PC and Macintosh platforms.

3. Configuration alternatives

There are two main network printing configuration techniques for setting options such as the IP address and subnet mask:

• Manually using the control panel on the printer.
• Remotely, where information is obtained from a nearby machine via Dynamic Host Control Protocol (DHCP).

Each method has advantages and disadvantages, which will be discussed.

While the printer supports several network protocols, only TCP/IP is covered in this document.

3.1. Configuration Advantages and Disadvantages

The main advantage of manual configuration is that you don't have to set up or edit config files on a workstation. All information is entered directly on the printer's control panel and setup is complete, making manual configuration slightly less complicated. More importantly, remote configuration uses DHCP and tftp (trivial ftp), which are considered security risks.

On the other hand, manual configuration is not as flexible as DHCP. DHCP can use allow lists (to specify which hosts can or cannot print to the printer) and lets you set SNMP config options (set-community-name, get-community-name, etc.).

3.2. Manual Configuration

Under the EIO [1/2] JetDirect menu,
Find the option labeled Config Network.
Change the value to Yes and press Select.

Press the Item button until you see TCP/IP.

Change the value to On and press Select.

Find the menu selection Config TCP/IP
Set the value to Yes and press Select.

Make sure the Bootp option is set to off. If this is on, the printer will broadcast for a BOOTP server and attempt to automatically configure itself (discussed in section 4).

You will then be presented with several options:

IP BYTE [1-4] -> IP address bytes
SM BYTE [1-4] -> Subnet Mask bytes
LG BYTE [1-4] -> Syslog Server bytes
GW BYTE [1-4] -> Router Bytes
Timeout -> Generally left at default

In order to set up your printer manually, you will need to know:

• The IP address that will be assigned to the printer
• The subnet mask for the network on which the printer will reside
• The IP address of a Syslog server (optional; see details below)
• The IP address of the router for the network

For example, a printer with an IP address of 204.71.200.75 would be set up as follows:

IP BYTE 1 = 204
IP BYTE 2 = 71
IP BYTE 3 = 200
IP BYTE 4 = 75

All other options are set just like the IP address. Make sure you press Select after you set EACH address byte.

If you would like to save printer-related messages (e.g., printer offline notification), you can set the syslog server IP address. Then printer messages will be stored in a file on the specified machine. Depending on your operating system, and the way syslog.conf is configured, the file will be one of the following:

/var/adm/syslog/syslog.log
/var/log/messages
/var/adm/messages

If you don't have a syslog machine to send messages to, the Syslog Server IP address can be set to 0.0.0.0.

Also keep in mind that there is no way to set an allow list using manual configuration. That means that anyone in the world can print to your printer if they know the IP address. If you would like to restrict printing to your local network, set the GW address to 0.0.0.0. This prevents your printer from responding to attempted connections from machines outside your local network.

Once you have the IP address and subnet mask set, you can telnet directly to the printer on the standard telnet port (23) and configure other options. Consult the printer's manual for more information.

4. Remote configuration (BOOTP)

One major feature of the HP 4000N is that it can be set to request its addresses and configuration each time the printer is turned on. Remote configuration will require you to set some options both on the printer and on the boot server.

4.1. On the Printer

On the printer under the TCP/IP config menu on the printer, set BOOTP=YES

Next, determine the printer's IP address (assigned by your network administrator) and the hardware address of the printer's network card. The hardware address can be found in one of two ways.

• Temporarily configure the printer manually and telnet to the printer. Listing the printer options will give you the hardware address.
• Turn off the printer and look on the network card for a sticker labelled "AD=<Hardware address>"

4.2. On the Boot Server

The first step in remote configuration is to install the BOOTP and tftp daemons if you don't already have them.

In your /etc/inetd.conf, you should have two entries--one for the BOOTP daemon and one for the tftpdaemon. They will look something like this (absolute paths may vary by machine):

tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd -s /server/tftpboot
bootps dgram udp wait root /usr/sbin/bootpd bootpd

If tcp wrappers are installed, the lines will look something like this:

tftp dgram udp wait root /usr/local/sbin/tcpd in.tftpd -s /server/tftpboot
bootps dgram udp wait root /usr/local/sbin/tcpd bootpd

If these lines are not already in /etc/inetd.conf, you will need to add them and kill -HUP inetd in order for it to recognize the changes.

As root, type ps -ef | grep inetd
Find the inet daemon's process id number
Type kill -HUP <process-id-number>

Now you will need to set up the bootptab for the BOOTP daemon so that it knows to respond to the printer's request. If you do not have a file called /etc/bootptab, you will need to make one by adding the following lines.

printer1:\
	:ht=ether:\
    	:ha=0060c02a995c:\
    	:sm=255.255.255.0:\
    	:gw=120.154.87.1:\
    	:lg=120.154.87.242:\
    	:hn:\
    	:ip=120.154.87.19:\
    	:T144="hpnp/printer1.cfg":\
    	:vm=rfc1048:
		      

What does all that mean?

printer1 -> The title of the printer. Set this to anything you want.
ht -> The hardware type. Leave this at ether.
ha -> The printer's hardware address. Change this to your hardware address as determined earlier.
sm -> Subnet mask for the printer's network.
gw -> Gateway. The router for the network.
lg -> Log server. This line can be omitted if you don't have a syslog server.
hn
ip -> The printer's Internet Protocol address, available from the network administrator.
T144 -> Path to the config file.
vm -> RFC1048 defines the BOOTP protocol.

Now kill -HUP any running BOOTP daemon so that it reloads its config file.

One last file to set up is the printer's config file. This file can be found by looking at the directory after the "-s" of the tftp line in the /etc/inetd.conf file plus the T144 line of the bootptab file. For example, if you used the lines out of this HOWTO, the printer config file should be found in

/server/tftpboot/hpnp/printer1.cfg

The printer config file is where you set various printer options. The following example is for a fictional printer (gutenberg) with a config file named /services/tftpboot/hpnp/gutenberg.cfg

allow: 120.154.87.191 # ink.italic.net 
allow: 120.156.87.148 # kern.italic.net (temporary)
telnet: 1
idle-timeout: 120 # in seconds
location: 1473 Square Building 
contact: Pat Schreiber, ps@italic.net
get-community-name: public # all machines are allowed to read 
 	  	           # gutenberg's SNMP options
set-community-name: ink # only members of the ink community are allowed to
		        # set gutenberg's SNMP options 
authentication-trap: on # enables SNMP authentication traps
		    

Up to ten machines can be included in the allow line, meaning that only those machines may print to your printer. If no allow line is set, any machine can print to the printer. Consult your manual for other commands and their explanations.

After you have set up the printer config file, you will need to restart the printer. If it is not set up correctly, check your config files to make sure everything is properly configured. You can test the printer as follows:

telnet <printer-hostname> 9100
Type a brief test message.
When you close the connection, the printer should print your test message.

5. HP JetAdmin software

HP JetAdmin is a commonly used software package designed to help configure and manage print servers and network printers. The main advantages of using JetAdmin are that it can automatically convert ASCII files to PostScript for printing (rather than having to convert the files manually) and allows you to check the print queue once a print request has been sent. It is currently available for Solaris, HP/UX, and Red Hat Linux and can be found on the web at http://www.hp.com/ or via anonymous ftp at ftp.hp.com.

The easiest way to begin is by downloading the HP JetAdmin software

Open an ftp connection to ftp.hp.com
cd to /pub/networking/software
Get INSTALL.UNX, README.UNX, and the appopriate JetAdmin package for your system (e.g., hpwj_solaris_en.tar.Z)
As root, set up and install JetAdmin according to the instructions provided in INSTALL.UNX

The default JetAdmin installation changes the permissions on /etc to 775 (-rwxrwxr-x), starts bootpd, and adds the following /etc/inetd/inetd.conf:

bootps	dgram	udp	wait	root	/usr/sbin/bootpd   bootpd

Keep in mind that newer versions of sendmail do not function properly if /etc is group writable, so you may wish to change permissions on /etc back to 755.

When you invoke JetAdmin, you will see the main menu:

1) Configuration (super-user only):
	- configure printer, add printer to spooler

2) Diagnostics:
	- diagnose printing problems

3) Administration (super-user only):
	- manage HP printer, JetDirect

4) Administration (super-user only):
	- manage JetAdmin

5) Printer Status:
	- show printer status, location, and contact

		?) Help		q) Quit
			

Selection 1 is used to add a local spooler for the printer(s) you have just set up. Simply refer to the printer by its IP address to create the spooler, or by its spooler name to modify the print queue. Although this selection allows you to configure BOOTP as well, the non-JetAdmin method described earlier is easier. This selection contains most of the options you will need to get the printer up and running.

Selection 2 is used to diagnose print problems. From here you can print test pages and verify the installation of software and hardware.

Selection 3 can be used to get information about the printer, lock the console, and change most of the options for the printer. Please note that most of the options will need to be set in the config file, not just in this menu selection, to make them permanent.

Selection 4 is rarely used, but allows you to manage the JetAdmin software itself. It includes options such as updating the SNMP password database and the device monitor.

Selection 5 allows you to list physical information about the printer. This includes the location and contact number set in the config file as well as the status of the printer.

6. Setting up remote print servers

Remote print servers are useful when you need to allow more than ten machines to print to the printer. The idea is to have one machine that is actually allowed to print to the printer, and all other machines send their print jobs to that print server. Access to the print server is controlled by tcp wrappers. The print server can be any machine you choose, but in most cases, it will be the machine that also acts as the printer's bootp server.

When you set up a print queue with HP's JetAdmin software, done by choosing the "Configuration" option followed by "Add printer to local spooler" from the JetAdmin menu, JetAdmin automatically installs several filters and processing scripts for your printer. These scripts convert files to PostScript and process the options you give lp or lpr. By installing the queue on one machine and using that machine as a print server, you bypass the need to install the queue and its accompanying scripts on each machine that will need to use the printer. All of the filtering will be done by the print server, eliminating the need to preprocess the printout before sending it to the print server.

On the machine from which the printer boots, edit the printer's config file (described in the example in section 4 as /server/tftpboot/hpnp/printer1.cfg) to contain allow lines for the print servers. In most cases this should be only one machine.

Begin by installing tcp wrappers on the print server. Tcp wrappers are very easy to install and are used to allow or deny connections to any service started by inetd. Tcp wrappers are available in encap format from the encap page: http://encap.cites.uiuc.edu/. More information on tcp wrappers is available at

ftp://ftp.porcupine.org/pub/security/index.html

Once you create the print queue and make it the default printer, add the following line to /etc/inetd.conf

printer stream tcp nowait root /usr/local/sbin/tcpd \
	/usr/lib/print/in.lpd

Note that in operating systems other than Solaris, the location and content of this line may vary. Consult your system administrator for help determining where and how to start lpd.

After starting tcp wrappers, you will need to edit your /etc/hosts.allow file to allow printer access to trusted machines. A sample access line follows. For more information on tcp wrappers and editing your hosts.allow file, please refer to the URL above.

# Control access to gutenberg 
in.lpd : localhost akzidenz.italic.net \
	ink.italic.net \
        gill.italic.net goudy.italic.net \
        belton.italic.net fatcap.italic.net outline.italic.net \
        : rfc931 : allow
in.lpd : all : rfc931 : deny

This access line grants the specified machines access to the print daemon. Any print request originating from a machine that is not found in the first "in.lpd" line will be referred to the second line where the request is denied.