
Terminal/Remote desktop printing problem

VeliMattiAla
VeliMattiAla Posts: 2 Security Scout

We are running a terminal server environment which hosts POS software for our retail shops (various locations). PSB Workstation 12 in use.

 

We are having problems with remote printing; the POS software prints to a local USB receipt printer. I have set up "the usual suspects": IGMP, Windows networking 1 & 2, SMB tcp/udp both ways. And with these settings the printing works... until I reboot the local machine.

 

After reboot and re-establishing the terminal connection, I keep getting "print spooler service is not running" in the terminal window when I try to print.

 

However, and this is odd, if I toggle off the F-Secure firewall, the printing now works, and when I then re-enable the firewall, printing still works... until I reboot again.

 

Am I missing something in the firewall configuration? I tried a few ready-made services (Active Directory logon, universal plug'n'play) but couldn't find one that would help with the issue.

Comments

  • MJ-perComp
    MJ-perComp Posts: 669 Firewall Master

    Have you tried the firewall ruleset "Printer & File Sharing"?

    AFAIK shares and printers are forwarded to the client using the standard printer sharing via the network.


    WARNING: Windows' printer and file sharing are dangerous protocols, often used to install worms and other malware via the network (e.g. WannaCry). Do not use that ruleset as default!

     

    Generally I would promote print servers for each printer (most have them built in anyway), so that you would not need to open ports on the client. If that does not work for you, do this:

     

    After you have confirmed that the "Printer and File Sharing" ruleset works for you, create a new profile for the clients in the PSB-Portal under "office" or "office locked", named "POS-Clients". Modify the office firewall ruleset and add the same services as in the standard Office-LAN ruleset, but only allow the terminal server to access those. This will avoid open ports to all other stations in the network but the terminal server. Assign the new profile to all POS-clients.

  • VeliMattiAla
    VeliMattiAla Posts: 2 Security Scout

    That is a pretty accurate description of what I've already done though I have not deployed the policy yet, only to a single shop which is local where I can run tests (furthest is 500 miles away...).

     

    Printer & file sharing ruleset is only set to allow traffic from intranet, more specifically the server subnet, and nowhere else. So that is not my concern.

     

    Problem is, to reiterate, the ruleset works... until I reboot the local machine.

     

    A print server is a no-go as the receipt printers are USB-connected. I am aware network printers would not have this issue (I could print to them directly from the terminal server, without the need for any firewall tweaks), but as that is a hardware investment, it is not my first choice.

  • MJ-perComp
    MJ-perComp Posts: 669 Firewall Master

    @VeliMattiAla wrote:

    Problem is, to reiterate, the ruleset works... until I reboot the local machine.

    That sounds weird.


    Create an FSDIAG while it works, then reboot and take a second FSDIAG.
    The action.log might reveal more information on why that happens.

    But in the end you will have to create a support ticket, as it seems. Please report back how it was resolved.

This discussion has been closed.
