Google Cloud Print Firewall Settings

[Pa...@obgynindiana.com]

I need to allow Google Cloud print to function inside a corporate network. I found the article that states which ports must be opened to allow cloud print to work. Ports 80, 443 & 5222. However, it doesn't state anything further. I need answers for the following.

1. I need the outside IP(s) that these ports need opened to on Google's side. Obviously I can't open these ports to everything on the Internet. I need to map both inside/outside ports/IPs for this to get setup.
2. Am I correct in that these ports only need opened on the Google Cloud Print server, not on each client trying to print to Google Cloud Print?
3. For ports 80/443, is this outgoing, incoming or both? I currently have outgoing allowed, but incoming is blocked for these.
4. For port 5222, is this outgoing, incoming or both?

[jgal...@kingchavez.org]

I am trying to find the same thing. Have you found a solution to set up google cloud print?

[Paul Stage]

Negative. I cannot open those ports until I'm able to verify those outside IPs, as I will not open that door to everything.

Thanks,

Paul Stage
IT Manager
Obstetrics & Gynecology of Indiana

317.575.7311 (office)
574.806.2718 (mobile)
pa...@obgynindiana.com
obgynindiana.com

Setting the Standard for Excellence

 

[kdLucas]

​Google's IP address is a range of addresses and is dependent on physical location. Ports 80 and 443 are needed for clients and Google, port 5222 is needed on both sides, as the client will get alerts from Google, and the client needs to keep the connection open so we know the printer is online.

Kelly

Liberating one printer at a time...

kdLucas

--
You received this message because you are subscribed to the Google Groups "Google Cloud Print Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to gcp-developer...@googlegroups.com.
Visit this group at http://groups.google.com/group/gcp-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/gcp-developers/cd84ab87-b41a-423d-a20b-97ad9f14970b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[jgal...@kingchavez.org]

All of those ports are opened in my organization. When I try to register the device to my e-mail it gives me an error. Unable to connect to Google. Please check your network settings.

[aa...@whereisaaron.com]

According to Google no incoming ports are required, as you'd expect (see link and quote below). The printer/server opens an XMPP+STARTTLS TCP connection to talk.google.com, and Google notifies print jobs over that persistent connection. It is up to the printer/server to stay connected to talk.google.com, and reconnect as needed. Reading the web there are many printers that do not achieve keeping that connection alive. Some fail whenever their DHCP assigned IP changes. Some fail when they wake up from power sleep modes and don't reconnect. Some fail because they just don't attempt to reconnect if the connection gets lost for any reason. Some like the Canon MX922 (firmware 3.01) I have here require you to manually reconnect from the menu every day.

I just read a ton of forum posts and many GCP certified printers have these problems. The GCP certification program don't not appear to pick up the inability to reliably maintain or reconnect the outward TCP connection to talk.google.com. It appears to be poor vendor implementations of GCP that Google certification approves. A Google person also mentioned other implementation issues like not supporting security token lengths that GCP certification also doesn't pick up.

Reading the Internet I can give a general summary what printer owners have said - at least about consumer inkjet/laser printers.

- Canon: Completely broken GCP implementation(s), unable to maintain a connection, requires manual reconnection through the menu, usually at least daily

- Brother: Works if you assign fixed IP to the printer

- HP: Works because it uses ePrint -> GCP rather than GCP on the printer

- Epson: Only recent printers support GCP, but apparently they do work, e.g. XP 410 given a positive review for this issue

I've yet to own a GCP printer that works reliably :-(. In my experience HP printers do work because they don't use GCP on the printer, they use HP ePrint to HP servers, which in turn connect to GCP. Maybe I'll try that Epson next!

You could blame the vendors for their implementation, but then what is Google GCP certification for if not to identify bad implementations?

https://support.google.com/a/answer/3179170?hl=en

--------

> Is Port 5222 required inbound for the print server?

No, only 5222 outbound is required.

443 TCP (HTTPS), with connections to:

https://www.googleapis.com/*

https://accounts.google.com/*

https://www.google.com/cloudprint/*

5222 TCP (XMPP, using STARTTLS), with a persistent connection to:

talk.google.com

--------

[Overtone]

Your post was the best I've ever seen on overcoming this problem.  Thanks!

I just figured out how to get my Brother printer to work with Google Cloud Print.   One more step is needed.

1) Give it a static IP address   (that was your recommendation)

2) Put google's DNS (8.8.8.8) as the primary name server into the Brother printer.  

The settings page where you do this is TCP/IP Advanced Settings.  The field is Primary DNS Server IP Address.

Based on what I see with wireshark, the brother printer software appears to be ignoring a DNS response if it was a forwarded query (which is what my home router does, and probably most home routers, which is the setup you get when the printer boots with DHCP).

John

[Marcos Alano]

I don't get it.

I'm trying to access from my college my home printer which uses a cloudprint proxy to print on my local network printer.
The question is what ports and what direction I need to open ports in each side?
For now I have:
College (where I accessing from. This is the client side):
80 and 443 outbound for sure
5222 outbound (I don't have sure about this)
No inbound ports (because I don't manage the network)

Home (where are my printers):
80,443 and 5222 outbound for sure
No inbound traffic for now. I would like to know if I need to open any port

I try to print and Google shows the jobs on queue, but always occurs a error (I don't know which error because Google doesn't say).

I think I need to open some ports in my home for inbound traffic, I just don't know what is this ports.

Thanks!

[Lisa Fitz]

Just for everyone's knowledge out there, you also have to be sure a web filter, like one used at work or school is not blocking Jabber. Jabber is listed as a Chat Application but Google Cloud Printing uses it for some reason. This was causing all of our school's printers to show off line in Cloud Printing though they could print locally through the wifi.

LF

[ccla...@gmail.com]

While I know this conversation is a little dated, I like many others came to this looking for information on blocking outgoing sevices from my home network and I have a Google enabled printer that would go offline that I want to use.  I wanted to share what has worked for me.  While it entirely makes sense that the IPs I'm talking to are geographically selected (I'm in Colorado) I have found 5 distinct ranges that my printer will try and speak with over time.  While it's not as tight of a firewall filter as I would like, it does work and still restricts port 5222 outbound which is the goal.  

As others have said, 80 and 443 are needed, but I'm sure already allowed.  5222 TCP outbound is also needed and I'm filtering to 5 different networks (all owned by Google).

74.125.0.0/16

173.194.0.0/16

64.233.160.0/19

108.177.0.0/17

209.85.128.0/17

My printer has been running now for awhile with no "offline" issues with this filter in place.  Hope that is of some value to someone.

[Ed]

+1 for the 8.8.8.8 DNS. This single change put my Brother MFP back online, after a long quest for the issue. Thanks !

[Bill Prehl]

John et. al., 

I can't believe this but for some reason my home router's DNS worked fine for the Brother MFC-J6920DW for years until the beginning of March 2018.  I've had EERO routers for several months prior so I can only assume EERO made an update that caused the DNS lookup change because the Brother has had no updated firmware for a long time (years).

+infinity for the 8.8.8.8 primary DNS solution.  I was on the support line with Brother and their front line support put me on hold for 2-3 minutes.  In that time I found this post and tried the 8.8.8.8 DNS setting and VIOLA! I could re-register the printer with Google Cloud Print.  Unreal in this day that DNS query lookups are still an issue.

Thank you everyone for the pro tips on this topic.

[TS]

On Thursday, 8 March 2018 00:15:34 UTC, Bill Prehl wrote:

I can only assume EERO made an update that caused the DNS lookup change because the Brother has had no updated firmware for a long time (years).

I think the blame for the DNS lookup failure should be attributed to your ISP not your router. Usually if you don't explicitly specify a DNS server or servers, then all DNS requests end up with ISP DNS servers.

[Vincent Fumo]

Just a tip for those of you with this issue, none of those things worked for me. After some time with Brother support, it turns out that I needed to turn off ipv6 support, turn off the printer for 15s and back on .. 

That, for some reason fixed the issue. 

It's unclear weather one can turn ipv6 back on after registration. I haven't tried.

This was on a : HL-L2395DW

[Kieren Smith]

Vincent, I love you.  I have spent the last 4 hours trying to solve this problem and butting up against what looked increasingly like a fault at Google's end, but this (disabling IPv6 support) in the printer management interface fixed it - the printer immediately registered instead of returning an error every time I tried.  I have since been able to get everything that I needed to print to it to work.

For the reference of others, this was a newly purchased HL-L2350DW, running firmware 1.30 (the latest available).

[David Eikenmeyer]

seconded.  I only spent 2 hours and tried everything else in this thread but this is the one that worked as of June 15 2018

For the record, I've had similar troubled experience with GCP.  I've used primarily HP and Brother (more luck with Brother) as well as Epson.  Each works for a while, shares through the organization easily, prints (almost) everything and then suddenly goes offline, requiring the unit be removed and re-registered.

Google, please focus on stabilizing the printing.  It is literally the one thing holding back further implementation of the entire G-suite and ChromeOS ecosystem in our various organizations.  I have attorneys, teachers and engineers who avoid it wherever possible because of the printing issues.  Every time one goes "offline" without warning, it causes a ripple effect of people not using the system for the next month.

[Rhonda Webb]

Thirded! Our school will not finish our 1:1 chromebook initiative unless printing is stabilized. Our teachers and students won’t use chrome devices when any other options are available because of printing issues.

[jgoo...@galaxybraincenter.com]

Adding my vote to this. I am IT Administrator for multiple businesses, and would love to implement a Gsuite-Chromebook standard architecture but I have so many issues with GCP at all my sites, there is no way I can convince them to move forward in the process. Come on Google. This is a simple function that is paramount if you want to have a legitimate business solution with GSuite, not to mention any hope of using Chromebooks in the business sector.

thanks, 

[Stuart Alexander Zimble]

Agree also. Since it is not possible to add individual drivers, we are a bit stuck with GCP or adding local printers to a local network, or if the printer company makes an android app (Samsung has one that seens to work...). But all are relatively clunky solutions. 

I am hopeful G will develop solutions, although they are slooooowwwww.

--

You received this message because you are subscribed to the Google Groups "Google Cloud Print Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to gcp-developer...@googlegroups.com.

Visit this group at https://groups.google.com/group/gcp-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/gcp-developers/b0776e09-e032-4266-a798-e4147cdea9be%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--

Stuart Alexander Zimble

World Health Organization 

(WHE/EMO/OSL)

+41 76 493 0666 

+30 699 978 8275