Four Solutions for Secure Printing from the Cloud (SaaS)

This is the third installment in the Apps Associates series on items to consider when migrating your EBS data to a SaaS solution. In this series we’re highlighting what we’ve learned from more than 70 customer migrations and identifying the top things to consider upfront to save you time and effort in the long run.

In this article, we are covering secure printing. Printing is often lower on the priority list and something customers only think of after they have migrated from EBS once it comes time to, well… print something. Creating a strategy for printing at the onset of your project helps avoid unnecessary headaches down the line.

Below, we’ll detail four solutions that your organization could implement to ensure security in your cloud printing processes. These solution designs were created to simplify the printing process at one of our customers, in which the requirement was a method to print from the cloud directly to on-premises printers.

The solution designs were built with flexibility in mind and can be customized to your own deployment needs. This table represents the different criteria and considerations for the various solutions.

Solution 1 Overview: On-Premises Printing over Public Internet

SaaS/PaaS environments frequently use Internet Printing Protocol (IPP) to enable a customer to print directly to an on-premises printer or print server. Note that for your business, there could be limitations on your printer(s) or print server(s), your network configuration or security-based restrictions for exposing a printer or print server to the internet. Discuss with your data security or IT teams before choosing a path.

Solution components and design

• On-premises printer(s) and/or print server(s)* that support IPP
• A valid SSL certificate signed by a trusted CA to be installed on each printer and/or print server. Self-signed SSL certificates are NOT supported.
• Firewall:
  • Perform 1:1 NAT (public to private IP address) for each printer or print server
  • Security policy to only allow access from trusted source IP range of the SaaS printer service
• External DNS zone with ‘A’ record resolving to public IP for each printer/print server

*Using a print server is highly recommended. It reduces the quantity of required SSL certificates, public IP’s, security holes, etc.

Solution 2 overview: On-Premises Printing over SaaS VPN

This design has fewer requirements from a network perspective and is more secure because printing communication is encrypted with a Site-to-Site IPSec VPN tunnel.

Solution components and design

• On-premises printer(s) and/or print server(s)* that support IPP
• A valid SSL certificate signed by a trusted CA to install on each printer and/or print server. Self-signed SSL certificates are NOT supported.
• Firewall:
  • For Site-to-Site IPSec VPN termination from the SaaS service (subject to availability).
  • Security policy to only allow access from trusted source IP range of the SaaS printer service
• SaaS Site-to-Site IPSec VPN setup coordinated between customer and SaaS provider.

*Using a print server is highly recommended. It reduces the quantity of required SSL certificates, public IP’s, security holes, etc.

Solution 3 overview: On-premises Printing over VPN/FastConnect

This solution allows connectivity into the on-premises environment via a Site-to-Site IPSec VPN tunnel or via a private connection (Oracle FastConnect) and allows the SaaS environment to print to a public IP associated with an Oracle Cloud Infrastructure (OCI) load balancer which has a backend configured to point at a printer or print server on-premises.

Solution components and design

• Existing OCI tenancy
• VCN using non-overlapping CIDR with your on-premises network
• Public subnet, IGW, DRG, route table, public LB, NSG, SL
• FastConnect or VPN tunnel from OCI to on-premises
• External DNS zone with ‘A’ record resolving to public load balancer
• On-premises printer and/or print server* (recommended)
• A valid SSL certificate signed by a trusted CA. Self-signed SSL certificates are NOT supported.

*Using a print server is highly recommended. It reduces the quantity of required SSL certificates, public LB(s), security holes, etc.

Solution 4 overview: On-Premises Printing over VPN/FastConnect with CloudVM Print Server(s)

This solution allows connectivity into the on-premises environment via a Site-to-Site IPSec VPN tunnel or via a private connection (Oracle FastConnect).

It allows the SaaS environment to print to a public IP associated with an OCI load balancer which has a backend configured to point at a print server hosted on an OCI Compute VM which can then communicate with the on-premises printers.

Solution components and design

• Existing OCI tenancy
• VCN using non-overlapping CIDR with your on-premises network
• Public subnet, IGW, DRG, route table, public LB, NSG, SL
• FastConnect or VPN tunnel from OCI to on-premises
• External DNS zone with ‘A’ record resolving to public load balancer
• Cloud Virtual Machine (VM) print server(s)* (recommended)
• A valid SSL certificate signed by a trusted CA. Self-signed SSL certificates are NOT supported.

*Using a print server is highly recommended. It reduces the quantity of

required SSL certificates, public LB(s), security holes, etc.

You have many options when considering how to print from your cloud-based solution to on-premises locations. The solution you choose should fit your technical and security needs; you should consult your IT and data security team members to ensure you are in alignment.

A full-service technology partner can be hugely impactful in determining the solutions that are right for your business. Apps Associates provides services from advisory to implementation and managed services and can help you make a big impact on your business.

Contact Apps today to learn more.