General Printer Configuration
- Review the manufacturer’s documentation for information about securely configuring your printer.
- Change the default username and password for accessing your printer’s configuration.
- Change the default IP address if your printer has one.
- Regularly update your printer’s firmware, only download firmware updates directly from the manufacturer.
- Regularly audit your network for malicious or unfamiliar software.
Isolating a Printer on Your Network
- Isolate your printer(s) on their own subnet. This subnet range should only be used for printers, avoid using the same Local Area Network (LAN) range that your end user devices are using. For example, you can put end users on the range 10.0.0.0/24 (10.0.0.1 - 10.0.0.254) and printers on the range 10.0.10.0/24 (10.0.10.1 - 10.0.10.254). The ranges below are reserved for LANs.
- 10.0.0.0 - 10.255.255.255
- 172.16.0.0 - 172.31.255.255
- 192.168.0.0 - 192.168.255.255
- Create a Virtual Local Area Network (VLAN). This is typically done on the device that controls LAN subnets and DHCP pools, in most cases this will be your gateway. Each VLAN should have its own subnet. Depending on the gateway you have, you may not be able to configure multiple subnets. If you are unable to manage multiple subnets on your network, then the printer may be able to route between VLANs through your gateway address.
- Every port between the gateway and your printer should allow traffic on the VLAN, this includes any switches.
- If possible, it is also advisable to prohibit inter-port communication between the port that is carrying traffic for the printer and any other port on the switch that is not an uplink to other networking equipment.
- Verify connectivity between your gateway and/or firewall and the printer.
- Verify that you are unable to reach your printer or any device on its subnet from your client side (end user) subnet.
Allowing External Access to a Printer
- Set a static IP address on your printer. You can set the static IP manually or allow the printer to pull a DHCP address. If you allow the printer to pull a DHCP address you will have to reserve the address for the printer’s MAC address in your DHCP pool. The standard port for TCP/IP printing is 9100.
- Create rules on your gateway and/or firewall that allow port forwarding from an external IP address and port to the internal IP address and port of the printer. You can use the same external and internal port.
- Obtain the public IP address of your instance server from Flex Support. Whitelist your instance server IP address in your gateway and/or firewall.