Cortado AGAlt-Moabit 91 a/b10559 BerlinGermany/Alemania

Cortado, Inc.7600 Grandview AvenueSuite 200Denver, Colorado 80002USA/EEUU

Cortado Pty. Ltd.Level 20, The Zenith Centre, Tower A821 Pacific HighwayChatswood, NSW 2067Australia

E-Mail: info@team.cortado.comWeb: www.thinprint.com

Issued: June 6, 2012 (v29)

Tips for Configuring ThinPrint

Technical Information

Cortado AGAlt-Moabit 91 a/b10559 BerlinGermany/Alemania

Cortado, Inc.7600 Grandview AvenueSuite 200Denver, Colorado 80002USA/EEUU

Cortado Pty. Ltd.Level 20, The Zenith Centre, Tower A821 Pacific HighwayChatswood, NSW 2067Australia

© CopyrightThis document is the intellectual property of Cortado AG. This document may be copied in whole or in part, provided this Copyright notice is included in every copy.

® Registered Trade Marks All hardware and software names mentioned in this document are the registered trademarks of their respective companies or should be regarded as such.

E-mail: info@team.cortado.comWeb: www.thinprint.com

Issued: June 6, 2012 (v29)

Contents

Configuring ThinPrint Technical Information 3

© C

orta

do A

G 2

01

2

Introduction ................................................................................................................ 4

Which protocol for printing? ................................................................................ 4

Protocols ....................................................................................................................... 4

Where is ThinPrint Client installed? ................................................................. 6

Addressing .................................................................................................................... 6

Possible ThinPrint Client installations ............................................................................... 6

Printer drivers: native or Output Gateway? ................................................... 7

Output Gateway: requirements ......................................................................................... 7

Output Gateway ............................................................................................................. 7

Native drivers ................................................................................................................ 8

V-Layer ......................................................................................................................... 8

Are other ThinPrint components needed? ...................................................... 9

Virtual Channel Gateway ................................................................................................. 9

Connection Service ......................................................................................................... 9

ThinPrint Management Center ......................................................................................... 9

Should AutoConnect be used? .......................................................................... 10

Basic constellations for AutoConnect .............................................................................. 10

Recommendations ........................................................................................................ 11

Is SSL encryption necessary? ............................................................................ 12

Introduction

4 Technical Information Configuring ThinPrint

© C

ortado AG

20

12

IntroductionTo use ThinPrint, you should have an exact overview of your printing architecture. This white paper explains the most important questions that may arise before a pur-chase or (test) installation. Depending on the protocol you use for printing, other ThinPrint products may come into consideration. Choice of protocol also determines whether you require additional ThinPrint components such as the Virtual Channel Gateway or the Connection Service.

You will learn where it is recommended to encrypt print data, where the ThinPrint Client can be installed, for what AutoConnect can be used, and whether it makes bet-ter sense to print with native printer drivers or to use the ThinPrint Output Gateway.

This white paper refers to all ThinPrint Engine products that can be run under Win-dows.

Which protocol for printing?The choice of protocol used for printing is the most important decision when planning the printing architecture. It influences the way printers are addressed, whether encryption is needed, and whether additional ThinPrint components are required. The protocols are listed and explained below. It is important to note whether printing takes place to client networks with NAT (Network Address Translation) and whether local or central print servers that print via TCP/IP are in use.

Protocols

ThinPrint supports printing over different protocols:

TCP/IP without Connection Service1

■ ThinPrint Client necessary■ bandwidth control, compression, and encryption of print data possible

TCP/IP with Connection Service■ ThinPrint Client necessary■ bandwidth control, compression, and encryption of print data possible

ICA■ ThinPrint Client necessary■ bandwidth control, compression, and encryption of print data possible

RDP/PC over IP■ ThinPrint Client necessary■ bandwidth control, compression, and encryption of print data possible

LPR/LPD■ no ThinPrint Client necessary (direct print to device)■ bandwidth control but not compression possible.

1 Connection Service see Page 9

Which protocol for printing?

Configuring ThinPrint Technical Information 5

© C

orta

do A

G 2

01

2

Protocols: criteria for choiceThinPrint recommends printing via TCP/IP or with the Connection Service when tech-nically possible. The advantage of TCP/IP is its more efficient data transfer. Client devices can be addressed directly and are therefore available to different users. The print data is separated from the terminal session or virtual desktop session data, which improves session performance.

The following points should be considered when choosing a protocol:

Which protocoldoes the network

architecture allow?

■ Print performance is best with TCP/IP because the least protocol data must be transmitted. Data traffic is divided into print data and session data and print data transmission is completely independent from the session

■ With ICA /RDP, print data is transmitted in the respective session protocol.Advantage: All tasks executed with the session protocol (e. g., encryption) are also applied to print data. Disadvantage: Print data traffic is session-dependent; this complicates, for example, Quality of Service (QoS). Print jobs are only sent to the computer on which the session is running.

■ For TCP/IP, NAT ( IP masking) can only be used if Connection Service is also installed. If a firewall is in place, an TCP port in outgoing direction must be opened. These restrictions do not apply to ICA /RDP.

■ For RDP, a Windows 2003/2008/2008 R2 server is necessary as terminal server; or a Windows XP, Vista or Windows 7 desktop. Clients machines must be installed with RDP clients 5 or higher.

■ When TCP/IP is used as the printing protocol, the printers can be automatically created on the print server with ThinPrint Management Center (see Page 9).

AvailableThinPrint Clients

■ For Windows Vista/2003/2000 , ThinPrint Clients are available for all proto-cols.

■ For Linux, Mac and Java ThinPrint Clients are currently available for TCP/IP.■ For thin clients (Windows CE or Linux), ThinPrint Clients are currently available

for TCP/IP, RDP, and ICA; for Linux, only for TCP/IP.■ Internal and external print servers/print boxes of network printers (e.g., Inter-

mate, Lexmark ThinPrint Card, InterCon Print Server)■ Other ThinPrint Client solutions for network printers (e.g., the gateway appli-

ances TPG60/120 or ISD400 by SEH).■ ThinPrint Clients embedded in printer device (Ricoh, Lexmark, Kyocera)

Where are Thin-Print Clients

installed?

■ TCP/IP can be run in all constellations, also for local print server (ThinPrint Cli-ent Gateways), also for printers which are not installed on the individual work-station (such as shares or network printers).

■ TCP/IP with Connection Service can be used for local print server in masked networks (Connected Gateways)

■ ICA /RDP can not be used for local print servers (ThinPrint Client Gateways). The printers must be installed in some form on the client where the session is started (particularly for shares and network printers).

Where is ThinPrint Client installed?

6 Technical Information Configuring ThinPrint

© C

ortado AG

20

12

Administration ■ With TCP/IP more printer objects are necessary on the server than with ICA /RDP. This chore can be greatly minimized, however, by using AutoConnect (automatically created printers) or Management Center.

Where is ThinPrint Client installed?Addressing

Print data is sent from ThinPrint Engine to ThinPrint Client and from there is then sent on to the printer (regardless of how the printer is configured to the client).

Addressing print data to the correct client is effected according to different princi-ples:

■ TCP/IPPrinter names on the server determine which client receives print data.

■ TCP/IP with Connection ServiceThe ThinPrint Connection Service port on the server defines the server (where Connection Service is running) to which print jobs will be sent; the ThinPrint Clients will also connect with this server. Each client is given a client ID that is listed in the printer name. This tells the Connection Service where to send print data.

■ ICA /RDPNo client information in printer names on the server; print data is sent automat-ically to the client from whose session printing was initiated.

Consequences from the addressingTCP/IP With TCP/IP (with and without Connection Service) it is possible to print to any client

machine, independent from the client session. ThinPrint Client for TCP/IP can there-fore also be installed onto machines on which no user is working or has opened a session. Printers can be configured to any machine with ThinPrint Client installed; installation on user workstation is not necessary. However, a printer object on the server (or on a virtual desktop) only prints to a specific client printer.

ICA /RDP With ICA /RDP it is only possible to print to a machine from which a user has opened a session. Printer(s) must be installed in some form on this machine. The same printer (i. e., same printer object) on the server or on the virtual desktop can be used from any number of clients – provided the printer driver on the server/the virtual desk-top is suitable for each client printer.

Possible ThinPrint Client installations

All ThinPrint Clients Windows can also be installed unattended using a script, .mst files.

TCP/IP With TCP/IP a ThinPrint Client is installed on any computer, from which it is possible to print to any printer. ThinPrint Client for TCP/IP can thus be installed on workstation PCs as well as local print servers (ThinPrint Client Gateways).

Printer drivers: native or Output Gateway?

Configuring ThinPrint Technical Information 7

© C

orta

do A

G 2

01

2

When using Connection Service, ThinPrint Client Gateway (local print server) becomes a Connected Gateway.

ICA /RDP With ICA /RDP, ThinPrint Client must be installed on the workstation computer. Printer(s) must be installed on this computer. The ThinPrint Client (RDP and PC over IP) is also part of the VMware View agents.

Printer drivers: native or Output Gateway?With ThinPrint, there are basically two types of printer drivers possible on the server or on the virtual desktop (with ThinPrint Engine):

■ ThinPrint Output Gateway (driver simulator) (see Page 7)■ normal printer drivers (native driver)■ V-Layer (combination of native driver and Output Gateway).

The ThinPrint Output Gateway is a virtual printer driver from ThinPrint that enables Driver Free Printing. No printer drivers are necessary on the server (or on the virtual desktop) because the print data is first rendered on the client side. Output Gateway and V-Layer are part of ThinPrint Engine.

Output Gateway: requirements

ThinPrint Output Gateway can be run if the following requirements are met:

■ ThinPrint Engine on a terminal server, a central print server, or a virtual desktop■ Client is a PC (= rich client) or a thin client with Windows Embedded■ Client has Windows 2000/XP/2003/Vista/2008/2008 R2/Windows 7as oper-

ating system■ Client has relevant printer driver(s).

If none of these apply and you would still like to keep the central server free of printer drivers, you can use V-Layer (see Page 8).

Output Gateway

Advantages ■ No more normal (native) printer drivers necessary on terminal servers or on vir-tual desktops (i. e., safeguards against conflicts, etc.)

■ No administration of drivers on server/virtual desktop■ Smaller load on terminal server

(server is relieved of print data rendering)■ Page preview possible on client■ Use of ThinPrint Viewture technology

(save files, later open, view, print, independent of session).■ Automatic application of all client printer properties at the server or virtual desk-

top

Printer drivers: native or Output Gateway?

8 Technical Information Configuring ThinPrint

© C

ortado AG

20

12

■ higher compression of print data

Disadvantages ■ Higher load on client (relevant, among others, for ThinPrint Client Gateways)

■ Cannot be run on thin clients (without Windows Embedded) or on client oper-ating systems other than Windows 2000/XP/2003/Vista/Windows 7. Excep-tion: V-Layer, see Page 8.

Native drivers

Advantages ■ Can be run in all ThinPrint configurations (even on central dedicated print serv-ers, with thin clients, on systems other than Windows)

■ Minimal load on client.

Disadvantages ■ Normal (native) drivers must be installed on terminal servers or on the virtual desktops (exception: V-Layer, see below)

■ Greater driver administration on server compared to ThinPrint Output Gateway■ Print data rendered on the virtual desktop or terminal server (increased load)■ No document preview on client■ No use of ThinPrint Viewture technology possible.

V-Layer

V-Layer means that the terminal server or the virtual desktop is free of printer drivers (Driver Free Printing) but it is still possible to print to clients using native printer driv-ers. This requires a central print server.

Why V-Layer? ■ Printing with ThinPrint Output Gateway (Driver Free Printing) although native drivers are used on the client side

■ No Windows clients necessary for Driver Free Printing■ No drivers on the terminal server or on the virtual desktop■ Support for print servers (print boxes) and ThinPrint Gateway Appliances

Areas of application are environments where native printer drivers are technically necessary or desired but the terminal server (or the virtual desktop) should still be kept free of drivers. This is particularly the case with computes without Windows, which otherwise would not be able to use ThinPrint Output Gateway. Another com-mon example is with USB or bidirectional printers that require their native drivers for full functionality. This is often the case with multifunctional devices (fax, scanner, copier, and printer in one machine).

You can print to clients with ThinPrint Client as well as directly to clients with none, such as network printers. If a ThinPrint Client can be installed, you also have the following ThinPrint advantages: bandwidth control, SSL encryption, compres-sion, and streaming.

Are other ThinPrint components needed?

Configuring ThinPrint Technical Information 9

© C

orta

do A

G 2

01

2

Are other ThinPrint components needed?Other ThinPrint components may be required depending on the network environ-ment.

Virtual Channel Gateway

Virtual Channel Gateway is only necessary if ThinPrint Engine is installed on a central (dedicated) print server and print data must be sent over ICA, RDP or PC over IP (PCoIP)1.

■ If ThinPrint Engine is installed on a terminal server or virtual desktop, no Virtual Channel Gateway is necessary.

■ If ThinPrint Engine is installed on a central (dedicated) print server and print data is sent over TCP/IP or LPR/LPD, no Virtual Channel Gateway is necessary.

When printing with ThinPrint over ICA /RDP, print data is automatically sent to the client from whose session the print job was initiated. Therefore, session information is needed – information which is, however, only available on the terminal server (or on the virtual desktop), and not the print server. If ThinPrint Engine is installed onto a print server and print data is sent over ICA /RDP, print data is for the above reason first sent through a Virtual Channel Gateway at the terminal server/the virtual desk-top. The Virtual Channel Gateway detects session information and sends the print data to the correct ThinPrint Client.

For virtual desktop environments with central print servers there is a special ver-sion of Virtual Channel Gateway available. This is part of Desktop Extension or the virtual printing component of VMware View.

Connection Service

When printing via TCP/IP, ThinPrint Clients are addressed by IP address or computer name. This is not possible in networks with NAT. If you nevertheless want to print via TCP/IP (e.g., because local or central dedicated printers are in use), the Connection Service enables client addressing via TCP/IP. The ThinPrint Client (Connected Gate-way) will actively maintain a connection with the server, forming a sort of tunnel for print data (see Connected Gateway manual).

ThinPrint Management Center

ThinPrint Management Center allows you to centrally administer all ThinPrint prin-ters. With a single mouse click the printers of all branches can be displayed and con-figured. The respective configuation values (bandwidth, ports, printer driver etc) are entered in an SQL data base. At the touch of a button all printers are automatically installed on the central print server (Illus. 1). For further information please refer to the ThinPrint Management Center manual.

1 here described as ICA/RDP

Should AutoConnect be used?

10 Technical Information Configuring ThinPrint

© C

ortado AG

20

12

Illus. 1

Should AutoConnect be used?ThinPrint Engine is installed on the server or on the virtual desktops. Printers are here installed on ThinPrint Ports. (Exceptions are possible for V-Laver.) They can be installed manually or created with AutoConnect. In almost every case, both options are possible. Management Center can be used on central print servers. AutoConnect is absolutely necessary in the following scenario only:

Print data is sent over TCP/IP, clients have dynamic IP addresses (DHCP), and there is no name resolution for client names (i. e., IP addresses can’t be used in printer names at the server because they change; client names also won’t work in printer names because they can’t be resolved to each respectively current IP address). In this case, printers must be dynamically created for each session with AutoConnect, which uses each respectively current IP address for printer names.

Basic constellations for AutoConnect

Configuration with AutoConnect varies depending on whether a central dedicated print server is used for ThinPrint or not:

Illus. 1 Functional principle of ThinPrint Management Center

Should AutoConnect be used?

Configuring ThinPrint Technical Information 11

© C

orta

do A

G 2

01

2

1. ThinPrint Engine on terminal serversAutoConnect creates client printers on the terminal server or on the virtual desk-top (by using templates)

2. ThinPrint Engine on virtual desktopsAutoConnect creates client printers on the virtual desktop by using templates and Group Policy Objects (GPOs).

3. ThinPrint Engine on central (dedicated) print serversPrinters are mostly manually created on ThinPrint ports on the central print server1; AutoConnect maps “network printer objects” on terminal servers or on desktops.

In these cases, AutoConnect creates or maps printers on the server/the desktop; printers are created at the start of the session and deleted at the close of the session. Printers can also be created/deleted at session logon/logoff. AutoConnect is usually installed onto the terminal server/virtual desktop.

Restrictions– AutoConnect cannot be used when connecting over ICA /RDP if different users

are working under the same user name.– For 1.: AutoConnect creates printers which are installed in some form on the

client machine. Print data traffic therefore travels over the client who opened the session. For this reason, in environments with ThinPrint Client Gateways, AutoConnect can be run using a script (with a parameter).

Advantages ■ Printers do not need to be created manually; simpler administration (especially for TCP/IP)

■ Very simple printer mapping; especially together with ThinPrint Output Gate-way, few printer objects needed on servers/desktops

■ User only sees his own printer (objects)■ Automatic creation of user-specific printers with correct printer ID.■ Inheritance of client printer settings for Output Gateway (if the ThinPrint Engine

is installed on the Terminal Server or virtual desktop).■ Import of the configuration (Dynamic Printer Matrix) from AutoConnect is pos-

sible from Management Center.

Disadvantages ■ Selection of printers to be created and possible input of class names in ThinPrint Client necessary (or set registry key), provided that this function cannot be covered by AutoConnect.

Recommendations

AutoConnect is especially recommendable in the following situations:■ Environments with many, especially local client printers and printing over

TCP/IP■ When printing over ICA /RDP, if user-specific printers are to be created on the

server or the virtual desktop with correct printer ID.

1 This can be automated with ThinPrint Management Center, see Page 9.

Is SSL encryption necessary?

12 Technical Information Configuring ThinPrint

© C

ortado AG

20

12

■ When using ThinPrint Output Gateways (only a minimal number of templates necessary; very simple administration).

■ When printing via the Virtual Channel Gateway, if the correct printer is to be used on the central print server but no printer IDs are specified.

Is SSL encryption necessary?When using ThinPrint, it is possible to encrypt the print data between the ThinPrint Engine and the ThinPrint Client. This is useful when the ThinPrint Client is addressed directly via TCP/IP. In that case, the print data are not sent via the ICA or RDP chan-nel. With Citrix (ICA), this virtual channel is already encrypted, and RDP offers the option of encryption1.

If this encryption is not enough for you or if you are printing via TCP/IP, ThinPrint encryption is recommended. Data sent via TCP/IP is normally unencrypted and rela-tively easy to hack.

When you encrypt with ThinPrint, print data is sent from the ThinPrint Engine to the ThinPrint Client with SSL encryption - regardless of the protocol in use. In addi-tion, client authentication is used. That means that the server or virtual desktop checks whether the client is authorized to receive print data. The following SSL cer-tificates are required:

■ Client certificate (per client)■ Root certificate (on the server/virtual desktop)■ Server certificate (on the server/virtual desktop)

You can purchase the certificates from a third-party source (certification authorities) or create them yourself with OpenSSL or Microsoft servers2. To print with encryption, it is enough to import the certificates. You also need to specify in the configuration of ThinPrint Engine that print data is to be encrypted and what the certificates are. On the client computer, enter the name of the client certificate.

1 ICA uses an encryption developed by Citrix. RDP (version 5.2 and later) can be encrypted with SSL as well. Here, too, certificates are required.

2 Instructions can be found in the ThinPrint white paper, Creating SSL certificates for printing with ThinPrint.