Wednesday, April 9, 2008

How to print to a remote printer securely using a ssh tunnel

On the "head office" side, you have 3 choices for setting up an SSH server:
(1) [Legacy] set up an LRP firewall with the hard disk option and install sshd, or
(2) set up a Linux box on the internal network with an OpenSSH server (sshd), or
(3) set up a Windows XP box on the internal network, install Cygwin OpenSSH and run sshd as a Windows service.

If you choose (2) or (3), set your router or firewall to port forward TCP port 22 (ssh traffic) to the
internal ssh server's IP address. That makes sshd reachable from the whole Internet, so it will be probed
constantly: keep it patched, do not allow password logins for root, and prefer key authentication (see below).

On the "road warrior" laptop, install Cygwin with OpenSSH, or PuTTY.

Next, add a "special" printer that prints to IP 127.0.0.1, port 9100 (the raw "JetDirect" port). Nothing listens there until the ssh tunnel is up, so the tunnel must be started before printing.

Please have the appropriate "printer driver" ready, either on a floppy, or on a hard disk, or on a network shared drive. If your printer is not included in Windows' default list, use the "Have Disk" method.

Windows XP:
Click Start.. (Control Panel).. Printers and Faxes...Add Printer...Local Printer...(uncheck automatic Plug and Play detection)...Next....Create new port...Standard TCP/IP port...
IP address = 127.0.0.1, port name=PrintSrv, Custom, Settings.. Raw.. Port 9100

Windows 2000 (method A)
First, install AXIS Print Monitor.
Click Start...Settings, Printers, Add Printers, Local Printer, Create New Port,
Choose AXIS port, choose RAW TCP/IP port,
IP address = 127.0.0.1, port number = 9100

Windows 2000 (method B)
Click Start...Settings, Printers, Add Printers, Local Printer, Create New Port,
Choose Standard TCP/IP port,
IP address = 127.0.0.1, port name=PrintSrv, Custom, Settings.. Raw.. Port 9100

Windows 2000 quirks
Sometimes the printer driver becomes corrupted. If that happens, remove the printer driver by re-installing the same driver on the LPT1 (local) port, then repeat method A or method B above. Thanks to Hillie Sample of Ottawa, Canada for this tip.

Windows NT:
First, install AXIS Print Monitor.
Start...Settings, Printers, Add Printers, "My Computer", Add Port,
Choose AXIS port, choose RAW TCP/IP port, click OK,
IP address = 127.0.0.1, port number = 9100

Windows 98/ME:
First, install AXIS Print Monitor.
Click Start...Settings, Printers, Add Printers, Local Printer, choose AXIS port
(Windows 98 will ask for the Windows 98 CD, unless c:\windows\options\cabs is intact).
Right click on the printer icon, choose Properties, Details, Add Port, click Other,
choose AXIS port, click OK, choose RAW (TCP/IP), click OK,
IP address = 127.0.0.1, port number = 9100, click Apply, click OK

Windows 95
First, install AXIS Print Monitor.
Click Start...Settings...Printers Add Printers ... Local Printer .. install the printer driver on LPT1.
(Windows 95 will ask for the Windows 95 CD, unless c:\windows\options\cabs is intact)
Right click the Printer Icon, choose Properties, Details...Add Port, click Other,
choose AXIS port, click OK, choose RAW (TCP/IP), click OK,
IP address = 127.0.0.1, port number = 9100
Click OK until you are back to the correct Printer Icon, right click, Properties, Details,
At the "Print to the Following Port" drop-down box, choose
"127.0.0.1_9100 AXIS Port", click OK.

If the head-office ssh server of choice (3) runs Windows XP SP2, you need to add an exception to the
"Windows Firewall" for inbound TCP port 22, or the forwarded ssh connections are dropped:
Click Start...Control Panel...(in Category View mode)...Security Centre...Windows Firewall
...Exceptions Tab...Add port....port name ssh, port 22, TCP
The road warrior's laptop needs no such exception: it only makes an outbound connection, which the
XP firewall does not filter, and the printer's connection to 127.0.0.1:9100 never leaves the loopback interface.

Thanks to Stefano of Sardegna, Italy for the XP-SP2 reminder.

When the "road warrior" or "branch office" is ready to print to the remote printer:
Double click the Cygwin icon, a black screen pops up, type
ssh root@myoffice.com -L 9100:192.168.1.252:9100 (log on to the LRP box as root)
or
ssh user@myoffice.com -L 9100:192.168.1.252:9100 (log on to the Linux box or Windows box as user)
Prefer the second form: the forward needs no privileges at all, so an ordinary account that exists only for tunnelling is enough, and a root login reachable from the Internet is exactly what password-guessing bots probe for. Adding -N to either command opens the tunnel without a remote shell.

The above command logs on to the head office's ssh server and creates a "tunnel"
(assuming you set up DNS to point myoffice.com to the public IP address of the LRP box or firewall).
The -L option says "listen on port 9100 on the road warrior's computer; carry whatever connects there to the remote side,
and have the ssh server deliver it to port 9100 of the computer with IP address 192.168.1.252".
Note that the last hop, from the ssh server to the printer, is ordinary unencrypted TCP on the office LAN;
only the leg across the Internet is protected.

Printer traffic on port 9100 is now encrypted (tunneled) by the ssh protocol.
Now the road warrior can print confidential documents to the remote printer safely and securely.

If the "road warrior" hates typing long commands, create a Windows batch file
that has the following content. Double clicking on the batch file icon will do all the typing.

@echo off
c:
cd c:\cygwin\bin
bash --login -c "ssh -l root myoffice.com -L 9100:192.168.1.252:9100"

(you can also use an ip address instead of myoffice.com)

If the "road warrior" also hates typing a password, set up authentication with an RSA (or, on current OpenSSH, Ed25519)
public and private key, so that the "road warrior" does not have to type a password to log in to the sshd server.
Obviously a private key with no passphrase is a security risk: anyone who copies it off the laptop owns the tunnel.
You have to balance safety and convenience; a passphrase plus ssh-agent, or restricting in authorized_keys what the key may do, recovers most of the safety.
Here is how to set up RSA public key and private key authentication so that a password is not required.

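Whichever key-setup instructions you follow, the head-office side should not accept a passwordless key for anything but the printer tunnel. The script below is an added example, not code from the original post: it writes an authorized_keys line that restricts the key to forwarding to the printer's raw port, and audits an existing authorized_keys file for keys that were left unrestricted. It assumes OpenSSH 7.2 or newer for the "restrict" keyword (a spelled-out form for older sshd is included), a tunnel-only account named tunnel, the printer at 192.168.1.252, and a key comment road-warrior; all of these are made up for the example.

```bash
#!/usr/bin/env bash
# tunnel-key.sh: added example, not code from the original post. Locks a
# passwordless key down so that it can only open the printer tunnel, and audits
# an authorized_keys file for keys that were left unrestricted. The printer
# address 192.168.1.252 and the key comment "road-warrior" are assumed values.
set -euo pipefail

# An authorized_keys line that lets this key do nothing but forward to the printer:
#   restrict         (OpenSSH 7.2+) no pty, no agent/X11 forwarding, no user rc
#   port-forwarding  re-enable forwarding, which "restrict" switched off
#   permitopen       ... but only to the printer's raw port
#   command=         whoever steals the key still gets no shell; the road warrior
#                    therefore connects with "ssh -N", which requests no command
tunnel_key_entry() {
  local pubkey="$1" printer="$2"
  printf 'restrict,port-forwarding,permitopen="%s:9100",command="/bin/false" %s\n' "$printer" "$pubkey"
}

# Same policy spelled out for an sshd older than 7.2 (no "restrict" keyword).
tunnel_key_entry_legacy() {
  local pubkey="$1" printer="$2"
  printf 'no-pty,no-agent-forwarding,no-X11-forwarding,no-user-rc,permitopen="%s:9100",command="/bin/false" %s\n' "$printer" "$pubkey"
}

# List every active key in an authorized_keys file whose options do not pin the
# destination with permitopen, i.e. a key that could forward to anything on the
# office LAN. Prints the offending lines and returns 1 if there were any.
# (Heuristic: it looks for the word anywhere on the line, options or comment.)
audit_authorized_keys() {
  local file="$1" line bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*)        continue ;;   # blank line or comment
      *permitopen=*)  continue ;;   # pinned to one destination
    esac
    printf 'UNRESTRICTED: %s\n' "$line"
    bad=1
  done < "$file"
  return "$bad"
}

# Typical use (paths assumed):
#   on the laptop:   ssh-keygen -t ed25519 -C road-warrior -f ~/.ssh/print_tunnel
#                    (give it a passphrase and load it into ssh-agent, or accept the risk)
#   on the server:   ./tunnel-key.sh entry print_tunnel.pub >> ~tunnel/.ssh/authorized_keys
#                    ./tunnel-key.sh audit ~tunnel/.ssh/authorized_keys
#   on the laptop:   ssh -i ~/.ssh/print_tunnel -N -L 9100:192.168.1.252:9100 tunnel@myoffice.com
case "${1:-}" in
  entry) tunnel_key_entry "$(cat "$2")" "${3:-192.168.1.252}" ;;
  audit) audit_authorized_keys "$2" ;;
  "")    ;;    # no arguments: only define the functions
  *)     echo "usage: $0 entry <pubkey-file> [printer-ip] | audit <authorized_keys>" >&2; exit 2 ;;
esac
```

With this entry in place a copied key can still be used to reach the printer, but not to get a shell, forward to the mail server, or pivot anywhere else on the office LAN; the road warrior must use -N, because with a forced command of /bin/false any session that asks for a shell ends immediately.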

You can use the same technique to securely access other resources behind the firewall.

For example, if the road warrior or branch office wants to do secure email,
set up an ssh session to the LRP box, Linux box or Windows box on the internal network and
tunnel port 110 to the other side, for POP3 mail (most email users),
tunnel port 143 to the other side, for IMAP mail (only needed by advanced email users),
tunnel port 25 to the other side, for SMTP outbound traffic (to send email via the Linux box).
In this case, configure the road warrior's email client software to use
POP3 server = 127.0.0.1
IMAP server = 127.0.0.1
SMTP server = 127.0.0.1
Create a batch file like this example and a desktop icon.
Double click the batch file icon to launch the ssh session and set up the tunnels.


If you use LRP as the firewall, you may want to lengthen LRP Seawall's ssh session timeout; otherwise an idle tunnel
is cut off and the next print job fails. Having the client send keepalives (ssh -o ServerAliveInterval=30) works around the same problem from the laptop side. See this page on how to adjust Seawall's ssh session timeout.

Design footnote:
In the above system design, the corporate firewall only opens port 25 and port 22.
This is a better design than exposing port 110 or port 143 of the in-house email server to the outside world.
Personnel behind the firewall can use port 110 or port 143 to read their emails.
Personnel working from home or on the road must come in via SSH and set up tunnels
to read and send corporate emails under the protection of SSH's strong encryption.

The world is moving away from plain text protocols by hardening them with TLS or SSL:
newer versions of POP3 have STARTTLS support on port 110 and implicit SSL/TLS on port 995,
newer versions of IMAP have STARTTLS support on port 143 and implicit SSL/TLS on port 993,
newer versions of SMTP have STARTTLS support on port 25 (and on the submission port 587),
a version of "smtps" uses port 465 with implicit SSL; it was declared legacy, although RFC 8314 later brought it back as the recommended port for submission over TLS,
newer versions of telnet have SSL support on port 992.

SSH runs over plain TCP, so it does not have the firewall and NAT traversal problems of IPsec (ESP, IP protocol 50) or PPTP (GRE, IP protocol 47).
SSH port forwarding has become the foundation of the "poor man's VPN"; the same idea, a VPN carried over a single TCP (or UDP) port
with TLS instead of SSH as the transport, is what is sold as an SSL VPN.
One excellent SSL VPN implementation is OpenVPN, which uses TLS (via OpenSSL), not SSH, for its control channel.

1 comment:

Jack said...

I carefully read the whole article and tried to interpret whatever information you have posted about how to print to a remote printer securely. I am new to this concept, so I am facing difficulties, as I do not have any programming knowledge.
digital signature