Wireless Access

Hi, 

I would like to ask, our customer has an RAP at the branch, and controller at HO.
The user at the branch wasnt able to print using the IP printer there, but was able to ping.
I suspect that this is the problem of ports. Is there any way to open firewall port on Controller?
On Palo firewall, the port needed for pritning is already opened

Thank you.

------------------------------
AA
------------------------------

This depends on what your exact setup is. If the RAP is tunneled to the controller, you should allow the print traffic in the role for the user on the controller, and on the devices (like firewall/VPN/WAN) between the controller and the printer. If the SSID is bridged/split-tunnel, the role for the user needs to allow the print traffic.

To start with, draw out the data-path, how the traffic will exactly flow, and then find out what traffic flows are required and follow that flow over the data-path to find where it is blocked. Also relevant is how the printer is connected. If that is on the same (tunneled) SSID wireless, the focus could be more on the controller and the branch is more or less out of scope.

Some printers use multicast for the discovery of the printer. What also is important to understand is if in your situation the printer is not discovered by the client, or that the print traffic is blocked/dropped somewhere. From your question, I assume the second, but important to understand the actual problem. If it is the discovery part where the failure is, you may need to tweak broadcast/multicast or AirGroup. If you can't figure out where the issue is, I would do a Wireshark packet capture on the client to see what the client is sending out and then investigate where it may be blocked.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------

Original Message:
Sent: Mar 01, 2021 12:37 AM
From: Aria adhiguna
Subject: Failed to print with IP Printer with RAP

Hi, 

I would like to ask, our customer has an RAP at the branch, and controller at HO.
The user at the branch wasnt able to print using the IP printer there, but was able to ping.
I suspect that this is the problem of ports. Is there any way to open firewall port on Controller?
On Palo firewall, the port needed for pritning is already opened

Thank you.

------------------------------
AA
------------------------------

Hi Herman,

Thank you for your answer.
The RAP is tunneled to controller, and i already tried to change the policy to allow all.
The IP Printer is connected via LAN, and the Wireless Client was able to ping the IP printer, but failed to print. I assume the problem is the second one you mentioned, which is blocked/dropped.

------------------------------
AA
------------------------------

Original Message:
Sent: Mar 01, 2021 03:16 AM
From: Herman Robers
Subject: Failed to print with IP Printer with RAP

This depends on what your exact setup is. If the RAP is tunneled to the controller, you should allow the print traffic in the role for the user on the controller, and on the devices (like firewall/VPN/WAN) between the controller and the printer. If the SSID is bridged/split-tunnel, the role for the user needs to allow the print traffic.

To start with, draw out the data-path, how the traffic will exactly flow, and then find out what traffic flows are required and follow that flow over the data-path to find where it is blocked. Also relevant is how the printer is connected. If that is on the same (tunneled) SSID wireless, the focus could be more on the controller and the branch is more or less out of scope.

Some printers use multicast for the discovery of the printer. What also is important to understand is if in your situation the printer is not discovered by the client, or that the print traffic is blocked/dropped somewhere. From your question, I assume the second, but important to understand the actual problem. If it is the discovery part where the failure is, you may need to tweak broadcast/multicast or AirGroup. If you can't figure out where the issue is, I would do a Wireshark packet capture on the client to see what the client is sending out and then investigate where it may be blocked.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Mar 01, 2021 12:37 AM
From: Aria adhiguna
Subject: Failed to print with IP Printer with RAP

Hi, 

I would like to ask, our customer has an RAP at the branch, and controller at HO.
The user at the branch wasnt able to print using the IP printer there, but was able to ping.
I suspect that this is the problem of ports. Is there any way to open firewall port on Controller?
On Palo firewall, the port needed for pritning is already opened

Thank you.

------------------------------
AA
------------------------------

If the printer and client are in different VLANs, which probably is the case if the client is tunneled and the printer is in the branch LAN, and the printer is not recognized/discovered by the client, what works often is to manually add the printer on IP or DNS name. Most network printers allow 'JetDirect' on port 9100.

As a check, many printers have a web interface and you can check if you can reach the printer over http/https with your browser.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------

Original Message:
Sent: Mar 01, 2021 04:37 AM
From: Aria adhiguna
Subject: Failed to print with IP Printer with RAP

Hi Herman,

Thank you for your answer.
The RAP is tunneled to controller, and i already tried to change the policy to allow all.
The IP Printer is connected via LAN, and the Wireless Client was able to ping the IP printer, but failed to print. I assume the problem is the second one you mentioned, which is blocked/dropped.

------------------------------
AA

Original Message:
Sent: Mar 01, 2021 03:16 AM
From: Herman Robers
Subject: Failed to print with IP Printer with RAP

This depends on what your exact setup is. If the RAP is tunneled to the controller, you should allow the print traffic in the role for the user on the controller, and on the devices (like firewall/VPN/WAN) between the controller and the printer. If the SSID is bridged/split-tunnel, the role for the user needs to allow the print traffic.

To start with, draw out the data-path, how the traffic will exactly flow, and then find out what traffic flows are required and follow that flow over the data-path to find where it is blocked. Also relevant is how the printer is connected. If that is on the same (tunneled) SSID wireless, the focus could be more on the controller and the branch is more or less out of scope.

Some printers use multicast for the discovery of the printer. What also is important to understand is if in your situation the printer is not discovered by the client, or that the print traffic is blocked/dropped somewhere. From your question, I assume the second, but important to understand the actual problem. If it is the discovery part where the failure is, you may need to tweak broadcast/multicast or AirGroup. If you can't figure out where the issue is, I would do a Wireshark packet capture on the client to see what the client is sending out and then investigate where it may be blocked.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Mar 01, 2021 12:37 AM
From: Aria adhiguna
Subject: Failed to print with IP Printer with RAP

Hi, 

I would like to ask, our customer has an RAP at the branch, and controller at HO.
The user at the branch wasnt able to print using the IP printer there, but was able to ping.
I suspect that this is the problem of ports. Is there any way to open firewall port on Controller?
On Palo firewall, the port needed for pritning is already opened

Thank you.

------------------------------
AA
------------------------------

Is there any security implication here?   RAP is secure with everything tunnel back so there is no branch LAN IP need to be known at corporate network (only the ISP addr is known).   By having the printer at the branch level which imply a) firewall port needs to be open from corporate endpoint to branch IP (e.g. 9100) b) branch LAN/VLAN IP needs to be known so the traffics can route back.     Is there a tech note describe how one can securely setup RAP with local printing?

------------------------------
Peter Huang
------------------------------

Original Message:
Sent: Mar 01, 2021 04:46 AM
From: Herman Robers
Subject: Failed to print with IP Printer with RAP

If the printer and client are in different VLANs, which probably is the case if the client is tunneled and the printer is in the branch LAN, and the printer is not recognized/discovered by the client, what works often is to manually add the printer on IP or DNS name. Most network printers allow 'JetDirect' on port 9100.

As a check, many printers have a web interface and you can check if you can reach the printer over http/https with your browser.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Mar 01, 2021 04:37 AM
From: Aria adhiguna
Subject: Failed to print with IP Printer with RAP

Hi Herman,

Thank you for your answer.
The RAP is tunneled to controller, and i already tried to change the policy to allow all.
The IP Printer is connected via LAN, and the Wireless Client was able to ping the IP printer, but failed to print. I assume the problem is the second one you mentioned, which is blocked/dropped.

------------------------------
AA

Original Message:
Sent: Mar 01, 2021 03:16 AM
From: Herman Robers
Subject: Failed to print with IP Printer with RAP

This depends on what your exact setup is. If the RAP is tunneled to the controller, you should allow the print traffic in the role for the user on the controller, and on the devices (like firewall/VPN/WAN) between the controller and the printer. If the SSID is bridged/split-tunnel, the role for the user needs to allow the print traffic.

To start with, draw out the data-path, how the traffic will exactly flow, and then find out what traffic flows are required and follow that flow over the data-path to find where it is blocked. Also relevant is how the printer is connected. If that is on the same (tunneled) SSID wireless, the focus could be more on the controller and the branch is more or less out of scope.

Some printers use multicast for the discovery of the printer. What also is important to understand is if in your situation the printer is not discovered by the client, or that the print traffic is blocked/dropped somewhere. From your question, I assume the second, but important to understand the actual problem. If it is the discovery part where the failure is, you may need to tweak broadcast/multicast or AirGroup. If you can't figure out where the issue is, I would do a Wireshark packet capture on the client to see what the client is sending out and then investigate where it may be blocked.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Mar 01, 2021 12:37 AM
From: Aria adhiguna
Subject: Failed to print with IP Printer with RAP

Hi, 

I would like to ask, our customer has an RAP at the branch, and controller at HO.
The user at the branch wasnt able to print using the IP printer there, but was able to ping.
I suspect that this is the problem of ports. Is there any way to open firewall port on Controller?
On Palo firewall, the port needed for pritning is already opened

Thank you.

------------------------------
AA
------------------------------

That depends on the exact architecture and if there is also a WAN connection, and/or if the wired LAN is connected behind the RAP. The Aruba Remote AP VRD seems to be a good document. Check Chapter 11 with RAP Operation Modes, where you can evaluate tunneled/bridged/split-tunneled which all can allow local printing and which is the best depends on the exact situation.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------

Original Message:
Sent: Mar 02, 2021 10:21 AM
From: Peter Huang
Subject: Failed to print with IP Printer with RAP

Is there any security implication here?   RAP is secure with everything tunnel back so there is no branch LAN IP need to be known at corporate network (only the ISP addr is known).   By having the printer at the branch level which imply a) firewall port needs to be open from corporate endpoint to branch IP (e.g. 9100) b) branch LAN/VLAN IP needs to be known so the traffics can route back.     Is there a tech note describe how one can securely setup RAP with local printing?

------------------------------
Peter Huang

Original Message:
Sent: Mar 01, 2021 04:46 AM
From: Herman Robers
Subject: Failed to print with IP Printer with RAP

If the printer and client are in different VLANs, which probably is the case if the client is tunneled and the printer is in the branch LAN, and the printer is not recognized/discovered by the client, what works often is to manually add the printer on IP or DNS name. Most network printers allow 'JetDirect' on port 9100.

As a check, many printers have a web interface and you can check if you can reach the printer over http/https with your browser.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Mar 01, 2021 04:37 AM
From: Aria adhiguna
Subject: Failed to print with IP Printer with RAP

Hi Herman,

Thank you for your answer.
The RAP is tunneled to controller, and i already tried to change the policy to allow all.
The IP Printer is connected via LAN, and the Wireless Client was able to ping the IP printer, but failed to print. I assume the problem is the second one you mentioned, which is blocked/dropped.

------------------------------
AA

Original Message:
Sent: Mar 01, 2021 03:16 AM
From: Herman Robers
Subject: Failed to print with IP Printer with RAP

This depends on what your exact setup is. If the RAP is tunneled to the controller, you should allow the print traffic in the role for the user on the controller, and on the devices (like firewall/VPN/WAN) between the controller and the printer. If the SSID is bridged/split-tunnel, the role for the user needs to allow the print traffic.

To start with, draw out the data-path, how the traffic will exactly flow, and then find out what traffic flows are required and follow that flow over the data-path to find where it is blocked. Also relevant is how the printer is connected. If that is on the same (tunneled) SSID wireless, the focus could be more on the controller and the branch is more or less out of scope.

Some printers use multicast for the discovery of the printer. What also is important to understand is if in your situation the printer is not discovered by the client, or that the print traffic is blocked/dropped somewhere. From your question, I assume the second, but important to understand the actual problem. If it is the discovery part where the failure is, you may need to tweak broadcast/multicast or AirGroup. If you can't figure out where the issue is, I would do a Wireshark packet capture on the client to see what the client is sending out and then investigate where it may be blocked.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Mar 01, 2021 12:37 AM
From: Aria adhiguna
Subject: Failed to print with IP Printer with RAP

Hi, 

I would like to ask, our customer has an RAP at the branch, and controller at HO.
The user at the branch wasnt able to print using the IP printer there, but was able to ping.
I suspect that this is the problem of ports. Is there any way to open firewall port on Controller?
On Palo firewall, the port needed for pritning is already opened

Thank you.

------------------------------
AA
------------------------------