The aim of this procedure is to secure printing from user workstations to Microsoft print servers using the IPP over TLS protocol.
Prerequisite
- A physical or virtual printer must be installed and shared on the print server.
- A DNS name must be assigned to the print server (in the example below, the name will be GESP-2022.cartadis.local).
- A valid certificate issued by a certification authority, corresponding to the DNS name of the server (failing this, we can create and use a self-signed certificate, which is what we will do in the example below).
The next steps are as follows:
Server:
- Internet printing functionality added
- Creation of a self-signed certificate: optional if the certificate is issued by a certification authority (internal or external)
- Configuring the IIS server
Client computer:
- Import server certificate: optional if the certificate is issued by a certification authority (internal or external)
- Add printer
Server:
- Internet printing functionality added
To add the feature, go to the add roles and features menu:
Then add the following roles:
- Print server
- Internet printing
At the end of the installation, an IIS server is installed.
You need to connect to it to continue the procedure.
To do this, launch the Internet Services Manager (IIS).
- Creation of a self-signed certificate (optional)
This step is optional if the certificate is issued by a certification authority (internal or external).
Click on the server name, then on the Server Certificates menu:
In the right-hand column, click on Create a self-signed certificate :
You will be asked to create a user-friendly name for the certificate. The certificate shop must remain set to Personal :
Click OK, and the certificate is created:
It now needs to be linked to our site.
- Configuring the IIS server
Click on the Sites menu:
Then, in the right-hand menu, select Bindings:
Then click on Add :
In our example we use the default HTTPS port, but we could have customised it.
We specify the host name of our server, and don't forget to select our certificate:
Once the connection has been made, the server is now configured.
You can test the connection from a client workstation via the URL https://<domainname>/Printers.
Client computer:
- Importing the server certificate (optional)
This step is optional if the certificate is issued by a certification authority (internal or external).
If you are using a self-signed certificate, you first need to retrieve the certificate from the IIS server.
To do this, go back to the IIS management menu and click on the server in the right-hand column, then on Server Certificates:
Click on the name of the certificate, then on the Export button in the right-hand column:
Select the export location, a name for the file and a password.
The certificate will be exported in .pfx format.
Then copy this certificate to the client workstation and double-click it to install it.
You must choose to open it with the :
Choose to install it on the local computer :
to import it, you will be asked for the password of the .pfx file you created earlier:
Finally, place the certificate in the trusted root certification authority shop :
⚠️ The user workstation must be restarted for the certificate to be taken into account.
- Add printer
To add the printer on the user workstation, you first need to retrieve the printer URL.
To do this, connect from the client workstation to the following link: https://<domainname>/Printers
Then click on the name of your printer, then on properties to retrieve the URL:
Then open the Printers and Scanners menu on the workstation, select ‘Add’ and wait for the manual add menu to appear:
Choose ‘Select a shared printer by name’ then add the printer URL:
Click Next, your printer is now installed to print IPP over TLS to the printer server.