No subject

No subject

cmanros at cp10.es.xerox.com cmanros at cp10.es.xerox.com
Mon Aug 3 04:00:09 EDT 1998


>From ipp-owner at pwg.org Fri Jul 31 17:27:20 1998
Received: from mailhub.btwebworld.com [193.113.211.246] 
	by tantalum with smtp (Exim 1.70 #1)
	id 0z2I1Y-0003p0-00; Fri, 31 Jul 1998 17:27:20 +0100
Received: from mail.btwebworld.com by mailhub.btwebworld.com (SMI-8.6/SMI-SVR4)
	id RAA22974; Fri, 31 Jul 1998 17:28:17 +0100
Received: by mail.btwebworld.com (SMI-8.6/SMI-SVR4)
	id RAA28246; Fri, 31 Jul 1998 17:27:00 +0100
Received: from lists.underscore.com (actually host uscore-1.mv.com) by mail.btwebworld.com with SMTP (Messageware MTA (NEXOR)) with ESMTP; Thu, 30 Jul 1998 16:26:58 -2400
Received: from localhost (daemon at localhost) by lists.underscore.com (8.7.5/8.7.3) with SMTP id MAA02361 for <C.Lacey at datatrade.co.uk>; Fri, 31 Jul 1998 12:28:04 -0400 (EDT)
Received: by pwg.org (bulk_mailer v1.5); Fri, 31 Jul 1998 12:27:31 -0400
Received: (from daemon at localhost) by lists.underscore.com (8.7.5/8.7.3) id MAA02278 for ipp-outgoing; Fri, 31 Jul 1998 12:21:18 -0400 (EDT)
Message-ID: <3683AF7E2328D211A2BA00805F15CE8505CC33 at x-crt-es-ms1.cp10.es.xerox.com>
From: "Manros, Carl-Uno B" <cmanros at cp10.es.xerox.com>
To: ipp at pwg.org
Subject: RE: IPP> SEC - How could IPP work over firewalls?
Date: Fri, 31 Jul 1998 09:16:48 PDT
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-Type: text/plain
Sender: owner-ipp at pwg.org

Paul,

You are right. This is a new piece of software that you cannot get from
stock.
This is why I stated: "This software will need to be tailored and
written to handle IPP". 

Carl-Uno

> -----Original Message-----
> From: Paul Moore [mailto:paulmo at microsoft.com]
> Sent: Friday, July 31, 1998 8:33 AM
> To: 'Carl-Uno Manros'; ipp at pwg.org
> Subject: RE: IPP> SEC - How could IPP work over firewalls?
> 
> 
> Step 2 - Inbound proxies are unusual - I have never heard of one. Does
> anybody have a product names for one.
> 
> > -----Original Message-----
> > From:	Carl-Uno Manros [SMTP:manros at cp10.es.xerox.com]
> > Sent:	Thursday, July 30, 1998 5:59 PM
> > To:	ipp at pwg.org
> > Subject:	IPP> SEC - How could IPP work over firewalls?
> > 
> > We have held a meeting with some firewall and proxy experts 
> today to get
> > their views on how IPP could work over firewalls. Here is a short
> > description of the scenario that came out of those discussions: 
> > 
> > When a print request (or other IPP request) comes in to the 
> domain, in
> > which the IPP Printer is located, it goes through the 
> following steps: 
> > 
> > 1) The firewall inspects the request on the TCP layer and 
> typically checks
> > the host address and the port number. If it finds that this 
> matches, it
> > redirects the request to a particular proxy server. This is standard
> > firewall software. The proxy server may be dedicated to handle only
> > HTTP/IPP, or could handle several application level protocols. 
> > 
> > 2) The proxy server includes an IPP specific application 
> process, which
> > would check that the request is a valid IPP request, e.g. 
> that it is an
> > HTTP POST and that it contains the MIME type "application/ipp". This
> > software will need to be tailored and written to handle IPP. 
> > 
> > 3) If TLS  is used, the proxy server can also perform the 
> authentication
> > and decryption services. 
> > 
> > 4) The proxy server then redirects the request to the IPP 
> server inside
> > the domain. Note that the previous steps are performed 
> before the request
> > is accepted into the domain. 
> > 
> > There are various configuration alternatives, e.g. the 
> firewall and proxy
> > server may be integrated in the same box.  
> > 
> > A couple of other observations and bits of advice: 
> > 
> > - If you want unlimited access to an IPP printer, simply 
> put it outside
> > the firewall, or on the domain border, so it can be 
> accessed from both
> > outside and inside the domain. 
> > 
> > - If you want to let requests come in through your firewall 
> at all, you
> > will probably *always* use TLS for requests from outside 
> the domain. If
> > you let the proxy server handle authentication and 
> encryption, there is no
> > real need to use TLS between the proxy server and the IPP 
> server. This
> > means that clients from inside the domain do not need to 
> use TLS, when
> > accessing the IPP server. 
> > 
> > Comments? 
> > 
> > Carl-Uno 
> > 
> > Carl-Uno Manros 
> > Principal Engineer - Advanced Printing Standards - Xerox 
> Corporation 
> > 701 S. Aviation Blvd., El Segundo, CA, M/S: ESAE-231 
> > Phone +1-310-333 8273, Fax +1-310-333 5514 
> > Email: manros at cp10.es.xerox.com
> 




More information about the Ipp mailing list