Enabling Internet Printing

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

By using Internet printing, you can manage print resources from your Web browser. To be able to print over the Internet, clients within the same Local Area Network (LAN) must use a remote procedure call (RPC) to connect to the print server. For more information about prerequisites for Internet printing, see the Storage Technologies Collection of the Windows Server 2003 Technical Reference (or see the Storage Technologies Collection on the Web at https://www.microsoft.com/reskit).

Installing a Printer from a Web Page

To install a printer for Internet printing, you can either view a Web page to find a printer that is identified by a URL, or — if the client is running Windows Server 2003, Windows XP Professional, Windows 2000, Windows 95, Windows 98, or Windows Millennium Edition — connect to a printer share through a Web page.

Open a web browser, and type: https://servername/printers. Under Printer Actions, click Connect. The installation page displays available options based on your permissions. Windows Server 2003 downloads the printer software to the client, and the printer is displayed in the Printers and Faxes folder on the client.

The installation route depends on whether the client and the print server are on the same intranet and are both running Windows XP Professional, Windows Server 2003, Windows 2000, or Windows NT 4.0. If they are, the client and print server communicate by means of an RPC, and the installed printer continues to use an RPC to link the client and the server even if HTTP is not specified in the address.

The installation uses HTTP instead of RPC in the following instances:

  • The client and server are not on the same intranet.

  • The client is not running Windows Server 2003, Windows XP Professional, Windows 2000, or Windows NT 4.0.

  • The printer contains an internal network adapter, supports Internet Printing Protocol 1.0, and is not connected to a server.

With HTTP, the print server generates a .cab file containing the required .inf and installation files and sends the .cab file to the client. On the client computer, the .cab file starts the Add Printer Wizard to complete the installation. A progress report is displayed in HTML while the wizard is working.

Important

  • Installation is not automatic for Web-based printers with internal network adapters. You must start the Add Printer Wizard, enter the printer’s URL instead of a UNC path, and manually enter information that the wizard requires. You can use this method to install any URL-identified printer by means of HTTP.

Security for Internet Printing

Print server security is provided by IIS, which runs on the print server. IIS allows basic authentication, which all browsers support. The administrator must select basic authentication to enable the print server to support all browsers and all Internet clients. IIS and PWS allow the use of Integrated Windows authentication and Kerberos authentication, both of which are supported by Internet Explorer.

The authentication method for Internet printing in IIS or PWS is set in the print server’s property sheet on the Directory Security tab.

By default, print jobs are sent over HTTP as RAW data. If it is important to keep this data secure, use either a Virtual Private Network (VPN) or Secure Socket Layer (SSL) connection.

To select an authentication method

  1. In the console tree of the IIS console, expand the node for the server, expand the Web Sites node, expand the Default Web Site node, and then expand the Printers node.

  2. Click the icon at the Printers node.

    This node represents a virtual directory that is used to set all security for Internet printing. A list of Application Server Pages (ASP) appears in the details pane.

  3. In the console tree, right-click the printer, click Properties, and then click the Directory Security tab.

  4. Choose one of the following Directory Security options by clicking the respective Edit button:

    • Authentication and access control

    • IP address and domain name restrictions

    • Secure communications

Typically, administrators select Enable anonymous access,which allows a client to access each server resource by impersonating the Anonymous account IUSR_computername. No user action is required. If a user attempts to connect to another domain or proxy server that does not allow anonymous access, a dialog box prompts for the user name and password.

To choose anonymous access authentication

  1. On the Directory Security tab of the Printers Properties page, click the Edit button for Authentication and access control.

  2. Select the Enable Anonymous access check box.

  3. Clear the Windows Integrated authentication check box.

Note

  • Integrated Windows authentication is checked by default and takes precedence over other types of authentication. To ensure that users are authenticated anonymously, clear all check boxes except Enable anonymous access.

Integrated Windows authentication is more secure, because it does not send the password. During Integrated Windows authentication, IIS applies either challenge and response encryption technology, or Kerberos encryption technology, depending on the capability of the client. For more information about IIS security, see the Internet Information Services (IIS) 6.0 Resource Guide of the Windows Server 2003 Resource Kit (or see the Internet Information Services (IIS) 6.0 Resource Guide on the Web at https://www.microsoft.com/reskit).