IPP> SEC - How could IPP work over firewalls?

Paul Moore paulmo at microsoft.com
Fri Jul 31 11:33:18 EDT 1998


Step 2 - Inbound proxies are unusual - I have never heard of one. Does
anybody have a product name for one?

> -----Original Message-----
> From:	Carl-Uno Manros [SMTP:manros at cp10.es.xerox.com]
> Sent:	Thursday, July 30, 1998 5:59 PM
> To:	ipp at pwg.org
> Subject:	IPP> SEC - How could IPP work over firewalls?
> 
> We have held a meeting with some firewall and proxy experts today to get
> their views on how IPP could work over firewalls. Here is a short
> description of the scenario that came out of those discussions: 
> 
> When a print request (or other IPP request) comes in to the domain, in
> which the IPP Printer is located, it goes through the following steps: 
> 
> 1) The firewall inspects the request on the TCP layer and typically checks
> the host address and the port number. If it finds that this matches, it
> redirects the request to a particular proxy server. This is standard
> firewall software. The proxy server may be dedicated to handle only
> HTTP/IPP, or could handle several application level protocols. 
> 
> 2) The proxy server includes an IPP specific application process, which
> would check that the request is a valid IPP request, e.g. that it is an
> HTTP POST and that it contains the MIME type "application/ipp". This
> software will need to be tailored and written to handle IPP. 
> 
> 3) If TLS is used, the proxy server can also perform the authentication
> and decryption services. 
> 
> 4) The proxy server then redirects the request to the IPP server inside
> the domain. Note that the previous steps are performed before the request
> is accepted into the domain. 
> 
> There are various configuration alternatives, e.g. the firewall and proxy
> server may be integrated in the same box.  
> 
> A couple of other observations and bits of advice: 
> 
> - If you want unlimited access to an IPP printer, simply put it outside
> the firewall, or on the domain border, so it can be accessed from both
> outside and inside the domain. 
> 
> - If you want to let requests come in through your firewall at all, you
> will probably *always* use TLS for requests from outside the domain. If
> you let the proxy server handle authentication and encryption, there is no
> real need to use TLS between the proxy server and the IPP server. This
> means that clients from inside the domain do not need to use TLS, when
> accessing the IPP server. 
> 
> Comments? 
> 
> Carl-Uno 
> 
> Carl-Uno Manros 
> Principal Engineer - Advanced Printing Standards - Xerox Corporation 
> 701 S. Aviation Blvd., El Segundo, CA, M/S: ESAE-231 
> Phone +1-310-333 8273, Fax +1-310-333 5514 
> Email: manros at cp10.es.xerox.com
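
One way the step 2 check in the quoted message could be written, as an added example that is not code from the thread or from any proxy product. It goes beyond the two checks named there by also rejecting repeated Content-Type headers and bodies too short for the 8-byte IPP header (version, operation-id, request-id). Assumptions: the names `check_ipp_request` and `build_request` are hypothetical, requests carry Content-Length rather than chunked encoding, and the sample requests are constructed.

```python
IPP_MEDIA_TYPE = "application/ipp"

def check_ipp_request(raw: bytes):
    """Return (ok, reason) for one raw HTTP request as the proxy sees it."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "incomplete header block"
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return False, "malformed request line"
    if parts[0] != "POST":  # HTTP method names are case-sensitive
        return False, "method is not POST"
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # Reject folded or whitespace-padded names instead of guessing.
        if not colon or not name or name != name.strip():
            return False, "malformed header line"
        headers.setdefault(name.lower(), []).append(value.strip())
    ctype = headers.get("content-type", [])
    if len(ctype) != 1:  # two values could be read differently downstream
        return False, "missing or repeated Content-Type"
    # Compare only the media type: case-insensitive, parameters ignored.
    if ctype[0].split(";", 1)[0].strip().lower() != IPP_MEDIA_TYPE:
        return False, "Content-Type is not application/ipp"
    clen = headers.get("content-length", [])
    if len(clen) != 1 or not (clen[0].isascii() and clen[0].isdigit()):
        return False, "missing or invalid Content-Length"
    if int(clen[0]) != len(body):
        return False, "Content-Length does not match body"
    if len(body) < 8:  # version (2) + operation-id (2) + request-id (4)
        return False, "body shorter than IPP header"
    return True, "ok"

def build_request(method, ctype, body):
    """Constructed sample request; host and path are placeholders."""
    head = (f"{method} /printer HTTP/1.1\r\nHost: printer.example\r\n"
            f"Content-Type: {ctype}\r\nContent-Length: {len(body)}\r\n\r\n")
    return head.encode("ascii") + body

# Constructed body: version 1.0, operation-id 2, request-id 1, end tag.
SAMPLE_BODY = bytes([1, 0, 0, 2, 0, 0, 0, 1, 3])

if __name__ == "__main__":
    for method, ctype in [("POST", "application/ipp"), ("GET", "application/ipp"),
                          ("POST", "text/html")]:
        print(method, ctype, check_ipp_request(build_request(method, ctype, SAMPLE_BODY)))
```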


