NETWORK COMMUNICATION

This page provides a complete list of the ports and protocols that must be enabled on firewalls in order to ensure YSoft SafeQ 6 system functionality.

NETWORK COMMUNICATION OVERVIEW

Workstation to server communication (server inbound rules)

| Required? | Type | Port | Communication type / data volume | Description (communication from the user) |
|---|---|---|---|---|
| Mandatory | TCP | 80/443 | HTTP/HTTPS | For access to the YSoft SafeQ administration/reporting web interface |
| Mandatory | TCP | 9090/9443 | HTTP/HTTPS | For access to the End User UI web interface |
| Optional (if using a workstation client) | TCP | 9100 | proprietary compressed, 10 kB–1 GB per print job | Job reception from client workstations (TCP/raw communication) |
| Optional (If spooling on a server) | TCP | 515 | LPR, 10 kB–1 GB per print job | Job reception from client workstations (LPR) |
| Optional/Recommended from Localhost (monitoring only) | TCP | 19898 | JMX | Management Service system health monitoring via JConsole. Configurable by the cmlJmxServerPort property in YSoft SafeQ system settings. |
| Optional/Recommended from Localhost (monitoring only) | TCP | 9696/9002 | JMX | Management Service LDAP replicator system health monitoring via JConsole |
| Optional/Recommended from Localhost (monitoring only) | TCP | 9898 | JMX | SpoolerController system health monitoring via JConsole. SpoolerController only: Configurable by the orsJmxServerPort property in YSoft SafeQ system settings |
| Optional/Recommended from Localhost (monitoring only) | TCP | 9999 | JMX | SpoolerController group system health monitoring via JConsole |
| Optional/Recommended from Localhost | TCP | 9000 | JMX | Management Service auxiliary internal port used by JMX server. Management service only: Configurable by the jmxRmiServerPort property in YSoft SafeQ system settings |
| Optional/Recommended from Localhost | TCP | 19044 | JMX | The SpoolerController group service auxiliary internal port used by JMX server |
| Optional/Recommended from Localhost | TCP | 4000 | HTTP/HTTPS | Communication between Terminal Server and Workflow Processing System |
| Optional (If spooling on a server) | TCP | 5559 | YMQ | Communication between Non–spooling FlexiSpooler and Spooling FlexiSpooler |
| Mandatory on Site Server | TCP | 5555 | YMQ | Communication between FlexiSpooler (and its Desktop Interface) to Spooler Controller |
| Mandatory for a FlexiSpooler shared folder | TCP / UDP | TCP 137/139/445, UDP 137/138 | SMB | Shared folder for uploading jobs |

Server to Communication (Server Outbound Rules)

| Required? | Type | Port | Communication type / data volume | Description (communication from the user) |
|---|---|---|---|---|
| Optional (required with server spooling) | TCP | 631/80 | IPP | Job data delivery to printer (IPP) |
| Optional (required with server spooling) | TCP | 9100 | RAW, 10 kB–1 GB per print job | Job data delivery to printer (Raw TCP) |
| Optional (if using print data encryption) | TCP | 80/443 | IPP/SSL, 10 kB–1 GB per print job | Job data delivery to printer (IPP over SSL) |
| Optional (if using LPR backend) | TCP | 515 | LPR, 10 kB–1 GB per print job | Job data delivery to printer (LPR) |
| Optional (if using print data encryption) | TCP | 9100 | proprietary SSL, 10 kB–1 GB per print job | Job data delivery to printer (compressed via YSoft SafeQ Terminal Professional) |
| Optional | UDP | 64099 | proprietary broadcast | YSoft SafeQ Terminal Professional / UltraLight discovery (only within one subnet) |
| Optional | TCP | 4095 | proprietary | YSoft SafeQ Terminal Professional / UltraLight remote configuration |
| Mandatory for embedded terminals | TCP | 50001/50003 | proprietary WS SSL | Embedded (KM, , Sharp) remote configuration |
| Mandatory with YSoft SafeQ Embedded Terminal for Ricoh | TCP | 80, 443, 8080, 51443, 64098 | proprietary | YSoft SafeQ Embedded Terminal for installation and automatic configuration used by RXOP libraries; YSoft SafeQ Embedded Terminal for Ricoh configuration |
| Mandatory for online MFD print/copy tracking | UDP | 161 | SNMP | Online accounting of network printer |
| Mandatory with YSoft SafeQ Embedded Terminal for Toshiba | TCP | 49629, 49630 | HTTP/HTTPS | YSoft SafeQ Embedded Terminal for installation |
| Mandatory with YSoft SafeQ Embedded Terminal for Xerox/Fuji–Xerox | TCP | 80, 443 | HTTP/HTTPS | YSoft SafeQ Embedded Terminal for Xerox/Fuji–Xerox installation |
| Mandatory with YSoft SafeQ Embedded Terminal for | TCP | 80, 50003 | HTTP, proprietary WS SSL | YSoft SafeQ Embedded Terminal for installation |
| Mandatory with YSoft SafeQ Embedded Terminal for Sharp | TCP | 80/443 | HTTP/HTTPS | YSoft SafeQ Embedded Terminal for Sharp installation and during authentication on terminal |
| Mandatory with YSoft SafeQ Embedded Terminal for Samsung | TCP | 80 | HTTP | YSoft SafeQ Embedded Terminal for Samsung installation |
| Mandatory for YSoft SafeQ Embedded Terminal installation | UDP | 161 | SNMP | YSoft SafeQ Embedded Terminal installation MFD check |
| Mandatory with YSoft SafeQ Embedded Terminal for Lexmark | TCP | 80, 21 | HTTP, FTP | YSoft SafeQ Embedded Terminal for Lexmark installation |
| Mandatory with YSoft SafeQ Embedded Terminal for HP | TCP | 7627 | HTTPS | YSoft SafeQ Embedded Terminal for HP installation |
| Mandatory with YSoft SafeQ Embedded Terminal for Epson | TCP | 80, 443 | HTTP/HTTPS | YSoft SafeQ Embedded Terminal for installation |
| Optional - Active FTP transfers (for embedded terminal scanning) | TCP | >1023 | FTP | Range of ports for active FTP transfers (choice of passive/active FTP made by MFD, range of port on MFD side controlled by MFD, range of ports on server side defined by operating system - e.g. https://support.microsoft.com/cs-cz/help/929851/the-default-dynamic-port-range-for-tcp-ip-has-changed-in-windows-vista) |
| Mandatory with Terminal Pro 4 | TCP | 22 | SSH | Manages configuration of Terminal Pro 4/eDEE/SafeQube/FlexiSpooler during terminal installation (communication Site Server to HW appliance) |

Printer to server communication (server inbound rules)

| Required? | Type | Port | Communication type / data volume | Description (communication from the user) |
|---|---|---|---|---|
| Mandatory with Terminal Professional / Ultralight | TCP | 4096 | Proprietary SSL, low volume, low latency | Terminal Professional/UltraLight authentication and session control |
| Optional (if using time synchronization with a Terminal Professional) | UDP | 37 | Time protocol | Time synchronization between a Terminal Professional and the server. When the system parameter timeServerEnable is enabled, the server is listening on UDP port 37. The terminal connects to this port upon restart. |
| Mandatory with all embedded terminals, Terminal Pro 4 and Mobile Terminal except YSoft SafeQ Embedded Terminal for KM native and YSoft SafeQ Embedded Terminal for Samsung | TCP | 5021, 5022 | HTTP/HTTPS | YSoft SafeQ Terminal Application communication, YSoft SafeQ Mobile Terminal. |
| Mandatory with YSoft SafeQ Embedded Terminal for Sharp, Toshiba, Xerox and Fuji-Xerox | TCP | 5011, 5012 | HTTP/HTTPS | Vendor-specific web services |
| Mandatory with YSoft SafeQ Embedded Terminal for Ricoh | TCP | 5012 | HTTP/HTTPS | Accounting and charging |
| Mandatory with YSoft SafeQ Embedded Terminal for KM | TCP | 5014–5019 | WS SSL, low volume, low latency | YSoft SafeQ Embedded Terminal (KM) authentication and session control |
| Mandatory with YSoft SafeQ Embedded Terminal for HP | TCP | 5025 | HTTP/HTTPS | Webservices for YSoft SafeQ Embedded Terminal (HP) |
| Mandatory with YSoft SafeQ Embedded Terminal for Epson | TCP | 5023, 5024 | HTTP/HTTPS | Webservices for YSoft SafeQ Embedded Terminal (Epson) |
| Mandatory with YSoft SafeQ Embedded Terminal for Toshiba | TCP | 389 | LDAP | Internal LDAP for YSoft SafeQ Embedded Terminal for Toshiba. When 389 is blocked (by an already running AD on a domain controller), YSoft SafeQ 6 installer will display a warning and use 390 port instead |
| Optional (if using scan via SMTP) | TCP | 25 | SMTP | Scanning from MFDs via email (optional, depending on MFD capabilities) |
| Mandatory for WebDAV scanning | TCP | 5610 | Secured WebDAV/HTTPS | Scanning from MFDs via scan workflow (optional, depending on MFD capabilities, configurable by webdavPort) |
| Optional (if using scan via SMB) | TCP | 139 | SMB | Scanning from MFDs via scan to folder (optional, depending on MFD capabilities) |
| Mandatory for embedded terminal scanning | TCP | 21 | FTP | Scanning from MFDs via scan to folder (optional, depending on MFD capabilities, configurable by ftp-port) |
| Optional - Passive FTP transfers (for embedded terminal scanning) | TCP | >1023 | FTP | Range of ports for passive FTP transfers (choice of passive/active FTP made by MFD, range of ports on MFD side controlled by MFD, range of ports on server side inherited by YSoft SafeQ from the operating system - see https://support.microsoft.com/cs-cz/help/929851/the-default-dynamic-port-range-for-tcp-ip-has-changed-in-windows-vista) |
| Mandatory | TCP | 5555 | proprietary, 1 kB per request | Communication between Spooler Controller, Terminal Server and Payment System |
| SafeQ infrastructure service | TCP | 7348 | HTTP/HTTPS | Updates, heartbeat and other communication of Terminal Pro 4/eDEE/SafeQube/FlexiSpooler (communication from HW appliances to Site Servers) |

Inter–server communication (inbound and outbound rules)

| Required? | Type | Port | Communication type / data path | Description (communication from the user) |
|---|---|---|---|---|
| Mandatory for Management Service cluster | TCP | 4099 | Management Service > Management Service, proprietary, ~1kB per print job | Application–level cluster synchronization |
| Mandatory for SpoolerController | TCP | 6010 | SpoolerController > Management Service, proprietary, ~40–60 kB per print job | Spooler Controller to Management Service communication and synchronization |
| Mandatory | TCP | 5556 | TerminalServer > SpoolerController, proprietary | Terminal Server (TS) component (required for YSoft SafeQ Embedded Terminal support), communication with server application |
| Mandatory for load balancing | TCP | 6020 | Management Service > Management Service | Internal communication between Management Service instances |
| Mandatory for near job roaming | UDP Multicast | configurable | SpoolerController > SpoolerController | Near Roaming Group synchronization. Mandatory for roaming groups with 10+ SpoolerController servers. |
| Mandatory for near job roaming | TCP | 7800 | SpoolerController > SpoolerController | Near Roaming Group synchronization. Required for roaming groups up to 10 SpoolerController servers. |
| Mandatory for Mobile Integration Gateway | TCP | 5556 | Mobile Integration Gateway > SpoolerController | Mobile Integration Gateway component, communication with server application |
| Optional for etcd | TCP | 2377 | TerminalServer > etcd | Default value of port used by the Terminal Server to communicate with the local etcd |
| Optional for etcd | TCP | 2378 | etcd > etcd | Default value of port for communication between etcd nodes |
| Mandatory for job roaming | TCP | 81 | SpoolerController > SpoolerController | Job roaming via distributed layer |
| Mandatory for FlexiSpooler shared folder or Mobile print web uploads | TCP / UDP | TCP 137/139/445, UDP 137/138 | SMB | Shared folder for uploading jobs |
| Mandatory for Mobile Integration Gateway, Mobile Print and job transfers | TCP | 5559 | HTTP/HTTPS | Exchanging job data between spoolers, sending jobs from Mobile Print |
| Mandatory on Site Server | TCP | 5555 | YMQ | Communication between FlexiSpooler (and its Desktop Interface), Mobile Print to Spooler Controller |
| Mandatory for Mobile print | TCP | 110/143/995/993 | POP3/IMAP/POP3S/IMAPS | Mobile Print downloads emails from mail server |
| SafeQ infrastructure service | TCP | 7348 | HTTPS | Management of Terminal Pro 4/eDEE/SafeQube/FlexiSpooler (communication from IMS Proxy on Site Servers to IMS on Management servers) |
| Mandatory when WPS is installed on different machine than TS | TCP | 5600 | HTTP | Endpoint for communication between WPS and Terminal Server |

Other communication

| Required? | Type | Port | Communication type / data path | Description (communication from the user) |
|---|---|---|---|---|
| Mandatory for LDAP synchronization | TCP | 636 | Management Service > LDAP | LDAP integration (server > LDAP controller) secured over SSL |
| Optional | TCP | 389 | Management Service > LDAP | LDAP integration (server > LDAP controller) |
| Optional | TCP | 3268 | Management Service > LDAP | LDAP integration (server > LDAP controller) (global catalogue) |
| Optional (if using Payment system) | TCP | 4196 | YSoft SafeQ Payment Machine > YSoft Payment System | Management connection |
| Optional (if using Payment system) | TCP | 4197 | YSoft SafeQ Payment Machine > YSoft Payment System | Management connection over SSL (e.g. time synchronization) - this port is needed to be set up in Payment Machine service menu during the configuring of the Payment System server address |
| Optional (if using Payment system) | TCP | 4198 | YSoft SafeQ Payment Machine > YSoft Payment System | Main connection |
| Optional (if using Payment system) | TCP | 4199 | YSoft SafeQ Payment Machine > YSoft Payment System | Main connection over SSL |
| Optional (if using Payment system) | TCP | 8080 | Terminal Server > YSoft Payment System | Web, rest services (APIs) |
| Optional (if using Payment system) | TCP | 8443 | Terminal Server > YSoft Payment System | Web, rest services (APIs) |
| Optional | TCP | 25 | SMTP (as per scan size) | SMTP (Scan job delivery, notifications to administrator and users) |
| Mandatory (if using external MS SQL server with named instance) | UDP | 1434 | Management Service / Payment System > MSSQL DB | This communication is used to query the SQL server browser service. The SQL browser service will respond with the TCP port number that will be used for the rest of communication. |
| Mandatory (if using external MS SQL server with a named instance) | TCP | see description | Management Service / Payment System > MSSQL DB | The port number is dynamically assigned by the SQL browser service, see http://technet.microsoft.com/en-us/library/cc646023.aspx for more information. |
| Mandatory for Mobile Integration Gateway | UDP | 5353 | Mobile Integration Gateway > subnet | Mobile Integration Gateway component multicast to subnet using Bonjour |
| Mandatory for Mobile Integration Gateway | TCP | 8050 | client > Mobile Integration Gateway | Job delivery from iOS or MAC client to Mobile Integration Gateway over IPPS. 8050 is the default but configurable port. |
| Mandatory for TerminalServer | TCP | 5557 | SpoolerController > TerminalServer | Requests from SpoolerController to TerminalServer. Always localhost. |

Cluster installation

| Required | Type | Port | Communication type / data path | Description (communication from the user) |
|---|---|---|---|---|
| Mandatory | TCP | 4001 | Management Service | Internode communication |
| Mandatory for Management Service | TCP | 2379 | Management installer > etcd | Used by Management installer to store/obtain database server configuration |
| Mandatory for Management Service | TCP | 2380 | etcd > etcd | Communication between etcd nodes |

Workstation (outbound connection)

| Required | Type | Port | Communication type / data path | Description (communication from the user) |
|---|---|---|---|---|
| Mandatory | TCP | 5555 | Management Service | YMQ - Communication between FlexiSpooler (and its Desktop Interface) to Spooler Controller |
| Optional when not spooling on server | HTTP(s) | 5559 | FlexiSpooler > FlexiSpooler | File transfer between spoolers |
| Mandatory | YMQ | 5558 | (localhost only) Desktop interface > FlexiSpooler | Internal communication between FlexiSpooler service and Desktop Interface |
| Optional when printing via raw | TCP RAW | 9100 | FlexiSpooler > MFD | Print |
| Optional when printing via IPP(s) | IPP(s) | 80/443/631 | FlexiSpooler > MFD | Print |
| Optional when printing via LPR | TCP | 515 | FlexiSpooler > MFD | Print |
| Optional when authenticating on Azure AD | HTTPS | 443/(80) | FlexiSpooler > Azure AD | Authentication on Azure AD |
| Optional for communication with Terminal Pro 4 | SSH | 22 | Administrator > Terminal Pro 4 | Administrator connection to Terminal Pro 4. |

Workstation (inbound)

Workstation inbound communication is always within localhost. There is no YSoft SafeQ component that will try to connect directly to the workstation.

| Required | Type | Port | Communication type / data path | Description (communication from the user) |
|---|---|---|---|---|
| Mandatory | YMQ | 5558 | Desktop interface > FlexiSpooler | Internode communication |
| Mandatory | LPR | 515 | Windows Spooler > FlexiSpooler | Receiving jobs |
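
An added example, not part of the YSoft documentation: a Python check that parses Windows `netstat -ano` output and reports listeners on the ports the tables above mark "from Localhost", "Always localhost" or "localhost only" that are bound to a non-loopback address. The netstat sample is constructed, and the function names and port labels (shortened from the table descriptions) are this example's own.

```python
import ipaddress

# Ports the tables mark "from Localhost", "Always localhost" or "localhost only" (labels shortened).
LOCAL_ONLY_PORTS = {
    19898: "Management Service JMX",
    9696: "LDAP replicator JMX",
    9002: "LDAP replicator JMX",
    9898: "SpoolerController JMX",
    9999: "SpoolerController group JMX",
    9000: "Management Service JMX auxiliary port",
    19044: "SpoolerController group JMX auxiliary port",
    4000: "Terminal Server / Workflow Processing System",
    5557: "SpoolerController > TerminalServer",
    5558: "Desktop Interface > FlexiSpooler",
}

# Constructed sample in Windows `netstat -ano` format (not from a real host).
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       3120
  TCP    127.0.0.1:5558         0.0.0.0:0              LISTENING       4312
  TCP    0.0.0.0:9898           0.0.0.0:0              LISTENING       2200
  TCP    127.0.0.1:19898        0.0.0.0:0              LISTENING       1876
  TCP    10.20.30.40:5557       0.0.0.0:0              LISTENING       2764
  TCP    10.20.30.40:49712      10.20.30.50:5555       ESTABLISHED     2200
  TCP    [::]:9000              [::]:0                 LISTENING       1876
  TCP    [::1]:4000             [::]:0                 LISTENING       2764
  UDP    0.0.0.0:161            *:*                                    980
"""

def parse_listeners(netstat_text):
    """Yield (address, port, pid) for each TCP socket in LISTENING state."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        host, _, port = fields[1].rpartition(":")
        yield ipaddress.ip_address(host.strip("[]")), int(port), int(fields[4])

def exposed_local_only(netstat_text):
    """Return sorted (port, address, pid, role) for local-only ports bound off loopback."""
    return sorted(
        (port, str(addr), pid, LOCAL_ONLY_PORTS[port])
        for addr, port, pid in parse_listeners(netstat_text)
        if port in LOCAL_ONLY_PORTS and not addr.is_loopback
    )

if __name__ == "__main__":
    for port, addr, pid, role in exposed_local_only(SAMPLE_NETSTAT):
        print(f"{port} ({role}) is bound to {addr} by PID {pid}: confirm the firewall blocks remote access")
```

On a server, pass the text of `netstat -ano` to `exposed_local_only`; a finding means the socket is reachable beyond loopback unless a firewall rule blocks it.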

Inter–server communication (inbound and outbound rules)