Network communication overview
This page provides a complete list of ports and protocols that must be enabled on firewalls in order to ensure YSoft SafeQ system functionality.
Workstation to server communication (server inbound rules)
Required? | Type | Port | Communication type | Description (communication from the user) |
Mandatory | TCP | 80/443 | HTTP/HTTPS | for access to YSoft SafeQ administration/reporting web interface |
Optional | TCP | 8005 | | server shutdown port listener for Tomcat |
Optional (if using workstation client) | TCP | 9100 | proprietary compressed | job reception from client workstations (YSoft SafeQ Client Protocol) |
Optional (if using Local Monitor) | TCP | 9100 | proprietary | accounting information from Local Monitor installed on workstation or server |
Optional (if using workstation client) | TCP | 515 | LPR | job reception from client workstations (LPR) |
Optional | TCP | 4097 | proprietary SSL | Access verification and data transfer with job print from client workstations (YSoft SafeQ Port Protocol Level 1-3 only). Used when YSoft SafeQ configuration property useSSLProxy is enabled. The property can be disabled when YSoft SafeQ Client protocol level 4 is used. |
Optional (if using central reporting) | TCP | 2382/2383 | OLAP | for access to Central Reporting Services OLAP interface (MS SQL Analysis service) |
Optional / Recommended from Localhost (monitoring only) | TCP | 19898 | JMX | CML system health monitoring via JConsole. Port number is configurable by cmlJmxServerPort property and port binding via cmlJmxNetworkInterface property in SafeQ system settings. By default bound to localhost (127.0.0.1) network interface. |
Optional / Recommended from Localhost (monitoring only) | TCP | 9797 | JMX | CML DBSync system health monitoring via JConsole. Port number is configurable by dbSyncJmxServerPort property and port binding via dbSyncJmxNetworkInterface property in DBSync configuration file (cmldb-cluster.conf). By default bound to localhost (127.0.0.1) network interface. |
Recommended from Localhost | TCP | 9696 | JMX | CML LDAP Replicator system health monitoring via JConsole and communication between CML and LDAP Replicator itself. Port number is configurable by ldapReplicatorServicePort property and port binding via ldapJmxNetworkInterface property in SafeQ system settings. By default bound to localhost (127.0.0.1) network interface. |
Recommended from Localhost | TCP | 9002 | JMX | CML LDAP Replicator auxiliary internal port used by JMX server. Port number is configurable by ldapJmxRmiServerPort property and port binding via ldapJmxNetworkInterface property in SafeQ system settings. By default bound to localhost (127.0.0.1) network interface. |
Optional / Recommended from Localhost (monitoring only) | TCP | 9898 | JMX | ORS, CRS system health monitoring via JConsole. ORS only: Port number is configurable by orsJmxServerPort property and port binding via orsJmxNetworkInterface property in SafeQ system settings. CRS only: Port number is configurable by crsJmxServerPort property and port binding via crsJmxNetworkInterface property in CRS configuration file (crs.conf). By default bound to localhost (127.0.0.1) network interface. |
Optional / Recommended from Localhost (monitoring only) | TCP | 9999 | JMX | ORS Web (distributed layer) system health monitoring via JConsole. |
Optional / Recommended from Localhost | TCP | 9000 | JMX | CML, ORS, CRS auxiliary internal port used by JMX server. CML only: Port number is configurable by jmxRmiServerPort property and port binding via cmlJmxNetworkInterface property in SafeQ system settings. ORS only: Port number is configurable by jmxRmiServerPort property and port binding via orsJmxNetworkInterface property in SafeQ system settings. CRS only: Port number is configurable by jmxRmiServerPort property and port binding via crsJmxNetworkInterface property in CRS configuration file (crs.conf). By default bound to localhost (127.0.0.1) network interface. |
Optional / Recommended from Localhost | TCP | 9005 | JMX | CML DBSync auxiliary internal port used by JMX server. Port number is configurable by dbSyncRmiServerPort property and port binding via dbSyncJmxNetworkInterface property in DBSync configuration file (cmldb-cluster.conf). By default bound to localhost (127.0.0.1) network interface. |
Optional / Recommended from Localhost | TCP | 19044 | JMX | ORS Web auxiliary internal port used by JMX server. |
Optional (if using workstation client) | TCP | 4096 | proprietary 1kB - per request | Information regarding queues for YSoft SafeQ Client configuration |
Server to printer communication (server outbound rules)
Required? | Type | Port | Communication type | Description (communication from the user) |
Mandatory | TCP | 9100 | proprietary | Job data delivery to printer (Raw TCP) |
Mandatory | TCP | 515 | LPR | Job data delivery to printer (LPR) |
Optional | TCP | 80/443 | IPP/SSL | Job data delivery to printer (IPP over SSL) |
Optional | TCP | 9100 | proprietary SSL | Job data delivery to printer (compressed via Terminal Professional) |
Optional | UDP | 64099 | proprietary broadcast | Terminal Professional/UltraLight discovery |
Optional | TCP | 4095 | proprietary | Terminal Professional/UltraLight remote configuration |
Mandatory for embedded terminals | TCP | 50001/50003 | proprietary WS SSL | Embedded (KM, Xerox, Sharp) remote configuration |
Mandatory with YSoft SafeQ Embedded Terminal for Ricoh ESA | TCP | 80, 443, 8080, 51443, 64098 | proprietary | YSoft SafeQ Embedded Terminal for Ricoh installation and automatic configuration used by RXOP libraries; YSoft SafeQ Embedded Terminal for Ricoh configuration |
Mandatory for online print/copy tracking | UDP | 161 | SNMP | Online accounting of network printer MFP |
Mandatory with YSoft SafeQ Embedded Terminal for Toshiba | TCP | 49629, 49630 | HTTP/HTTPS | YSoft SafeQ Embedded Terminal for Toshiba installation |
Mandatory with YSoft SafeQ Embedded Terminal for Xerox/Fuji-Xerox | TCP | 80, 443 | HTTP/HTTPS | YSoft SafeQ Embedded Terminal for Xerox/Fuji-Xerox installation |
Mandatory with YSoft SafeQ Embedded Terminal for Konica Minolta | TCP | 80, 50003 | HTTP, proprietary WS SSL | YSoft SafeQ Embedded Terminal for Konica Minolta installation |
Mandatory with YSoft SafeQ Embedded Terminal for Sharp | TCP | 80/443 | HTTP/HTTPS | YSoft SafeQ Embedded Terminal for Sharp installation and during authentication |
Mandatory with YSoft SafeQ Embedded Terminal for Samsung | TCP | 80 | HTTP | YSoft SafeQ Embedded Terminal for Samsung installation |
Mandatory with YSoft SafeQ Embedded Terminal for HP | TCP | 7627 | HTTPS | YSoft SafeQ Embedded Terminal for HP installation |
Mandatory for YSoft SafeQ Embedded Terminal installation | UDP | 161 | SNMP | YSoft SafeQ Embedded Terminal installation MFP check |
Mandatory with YSoft SafeQ Embedded Terminal for Lexmark | TCP | 80, 21 | HTTP, FTP | YSoft SafeQ Embedded Terminal for Lexmark installation |
Optional - Active FTP transfer (for embedded terminal scanning) | TCP | >1023 | FTP | Range of ports for active FTP transfers (whether passive or active transfer is used is controlled by MFD, range of port on MFD side controlled by MFD, range of ports on server side defined by operating system - e.g. https://support.microsoft.com/cs-cz/help/929851/the-default-dynamic-port-range-for-tcp-ip-has-changed-in-windows-vista) |
Printer to server communication (server inbound rules)
Required? | Type | Port | Communication type | Description (communication from the user) |
Mandatory with Terminal Professional | TCP | 4096 | Proprietary SSL low volume, low latency | Terminal Professional/UltraLight authentication and session control |
Optional (if using time synchronization with Terminal Professional) | UDP | 37 | Time protocol | Time synchronization between Terminal Professional and the server. When the system parameter timeServerEnable is enabled, server is listening on UDP port 37. Terminal connects to this port upon restart. |
Mandatory with YSoft SafeQ Embedded Terminal for Ricoh | TCP | 5012, 5021, 5022 | Proprietary low volume, low latency | YSoft SafeQ Embedded Terminal (Accounting and charging); YSoft SafeQ Terminal Application communication |
Mandatory with YSoft SafeQ Embedded Terminal for Browser | TCP | 5011, 5012, 5013 | HTTP/HTTPS | YSoft SafeQ Embedded Terminal browser communication |
Mandatory with YSoft SQTA or YSoft SafeQ Embedded Terminal for Browser (HP/Sharp/Toshiba EAL) | TCP | 5021, 5022 | HTTP/HTTPS | YSoft SafeQ Terminal Application communication |
Mandatory with YSoft SafeQ Embedded Terminal for KM | TCP | 5014-5019 | WS SSL low volume, low latency | YSoft SafeQ Embedded Terminal (KM) authentication and session control |
Mandatory with YSoft SafeQ Embedded Terminal for HP | TCP | 5025 | HTTP/HTTPS | Webservices for YSoft SafeQ Embedded Terminal (HP) |
Mandatory with YSoft SafeQ Embedded Terminal for Xerox/Toshiba | TCP | 389 | LDAP | Internal LDAP for YSoft SafeQ Embedded Terminal for Toshiba. When 389 is blocked (by an AD already running on a domain controller), the SafeQ 5 GUI installer will display a warning and use port 390 instead |
Mandatory with Network Card Reader | TCP | 5011/5012 | Proprietary SSL | Network Card Reader authentication |
Optional | TCP | 5020 | Proprietary | Preview provider for Terminal Professional (optional, depending on SafeQ setting, configurable by preview-provider-port) |
Optional | TCP | 25 | SMTP | Scanning from MFPs via e-mail (optional, depending on MFP capabilities) |
Mandatory for WebDAV scanning | TCP | 443 | Secured WebDAV/HTTPS | Scanning from MFPs via scan workflow (optional, depending on MFP capabilities) |
Optional | TCP | 139 | SMB | Scanning from MFPs via scan to folder (optional, depending on MFP capabilities) |
Mandatory for embedded terminal scanning | TCP | 21 | FTP | Scanning from MFPs via scan to folder (optional, depending on MFP capabilities) |
Optional - Passive FTP transfer (for embedded terminal scanning) | TCP | >1023 | FTP | Range of ports for passive FTP transfers (optional, whether passive or active transfer is used is controlled by MFD - range of ports depending on SafeQ configuration parameter ftpPassivePorts) |
Inter-server communication (inbound and outbound rules)
Required? | Type | Port | Communication type | Description (communication from the user) |
Mandatory for cluster | TCP | 4099 | CML > CML proprietary ~1kB per print job | Application-level cluster synchronization |
Mandatory for cluster | TCP | 4111, | CML > CML proprietary ~1kB per print job | Application-level cluster DB synchronization |
Mandatory for ORS | TCP | 6010 | ORS > CML proprietary ~40 - 60 kB per print job | ORS-to-CML communication and synchronization |
Mandatory for Central Reporting | TCP | 4139 | CML > CRS proprietary ~1kB per print job | Reporting data collection |
Mandatory | TCP | 5556 | TS > server (CML/ORS) (localhost) proprietary | Terminalserver (TS) component (required for YSoft SafeQ embedded terminal support), communication with server application |
Mandatory for job roaming | TCP | 8000 | ORS > ORS | Job data transfer for roaming jobs (uncompressed) |
Mandatory for load balancing | TCP | 6020 | CML > CML | Internal communication between CMLs |
Mandatory for near job roaming | UDP Multicast | configurable | ORS > ORS | Near Roaming Group synchronization. |
Mandatory for near job roaming | TCP | 7800 | ORS > ORS | Near Roaming Group synchronization. Required for roaming groups up to 10 ORS servers. |
Mandatory for web status information | TCP | 20222 | CML/MPS > CML | RMI registry port used by web for SafeQRemote listening and binding. This port is opened upon installation; consider blocking it for inbound connections, see firewall settings. |
Mandatory for web status information | TCP | 20223 | CML/MPS > CML | RMI registry port used by web for incoming connections. This port is opened upon installation; consider blocking it for inbound connections, see firewall settings. |
Mandatory for web status information | TCP | 20224 | CML/MPS > CML | RMI registry port used by web for UserManagerRemote binding and listening. This port is opened upon installation; consider blocking it for inbound connections, see firewall settings. |
Mandatory for web status information | TCP | 20225 | CML/MPS > CML | RMI registry port used by web for PaymentManagerRemote binding and listening. This port is opened upon installation; consider blocking it for inbound connections, see firewall settings. |
Mandatory for AP Connector | TCP | 9100 | AP > CML, ORS | AP Connector to CML/ORS via client protocol |
Mandatory for AP Connector | TCP | 5556 | AP > CML, ORS | AP Connector (AP) component, communication with server application |
Optional for etcd | TCP | 2380 | etcd > etcd | Default value of port for communication between etcd nodes (either between CML nodes in the cluster or between ORS nodes in near roaming group) |
Optional for etcd | TCP | 2379 | TS > etcd | Default value of port used by the Terminal Server to communicate with the local etcd |
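The JMX rows in the first table are marked "Recommended from Localhost", and the RMI registry rows above (20222-20225) carry the advice to block inbound connections. As an added example (not part of the YSoft documentation), the following Python script parses Windows `netstat -an` output and reports which of those ports listen on a non-loopback address; it assumes the default port numbers listed on this page, and the sample output is constructed.

```python
import re

# Default ports from the tables above. The labels are this example's own.
JMX_PORTS = {19898, 9797, 9696, 9002, 9898, 9999, 9000, 9005, 19044}
RMI_PORTS = {20222, 20223, 20224, 20225}
WATCHED = {**{p: "JMX" for p in JMX_PORTS},
           **{p: "RMI registry" for p in RMI_PORTS}}

# 127.0.0.0/8 and ::1 are loopback; 0.0.0.0 and [::] mean "all interfaces".
LOOPBACK = re.compile(r"^(127\.\d+\.\d+\.\d+|\[?::1\]?)$")


def parse_listeners(netstat_text):
    """Yield (address, port) for every TCP socket in LISTENING state."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue  # header, UDP or malformed line
        if fields[3].upper() != "LISTENING":
            continue  # established or closing connection
        addr, _, port = fields[1].rpartition(":")
        if port.isdigit():
            yield addr, int(port)


def exposed_listeners(netstat_text, watched=WATCHED):
    """Return sorted (port, address, label) for watched ports bound off-loopback."""
    findings = set()
    for addr, port in parse_listeners(netstat_text):
        if port in watched and not LOOPBACK.match(addr):
            findings.add((port, addr, watched[port]))
    return sorted(findings)


# Constructed sample of `netstat -an` output, not taken from a real server.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:19898        0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9898           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:9000         0.0.0.0:0              LISTENING
  TCP    0.0.0.0:20222          0.0.0.0:0              LISTENING
  TCP    [::]:20223             [::]:0                 LISTENING
  TCP    10.0.0.5:9100          10.0.0.77:50112        ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

if __name__ == "__main__":
    for port, addr, label in exposed_listeners(SAMPLE):
        print(f"{label} port {port} listens on {addr}: check binding and inbound rule")
```

If the JMX or RMI ports were changed through the configuration properties named in the tables, pass a matching `watched` mapping. A hit on an RMI registry port is expected on servers that provide web status information; there the finding is a prompt to confirm the inbound firewall rule.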
Other communication
Required? | Type | Port | Communication type | Description (communication from the user) |
Mandatory for LDAP synchronization | TCP | 636 | CML > LDAP | LDAP integration (server > LDAP controller) secured over SSL |
Optional | TCP | 389 | CML > LDAP | LDAP integration (server > LDAP controller) |
Optional | TCP | 3268 | CML > LDAP | LDAP integration (server > LDAP controller) |
Optional | TCP | 4100 | Terminal > SafeQ | Port where the terminal update service is running (configurable by rs-terminal-update-port) |
Optional | TCP | 4444 | Rech. Station > CML | YSoft SafeQ Payment Machine (QuickChip); not supported by YSoft SafeQ5 |
Optional | TCP | 4196 | YSoft SafeQ Payment Machine > YSoft Payment System | Management connection |
Optional | TCP | 4197 | YSoft SafeQ Payment Machine > YSoft Payment System | Management connection over SSL (e.g. time synchronization) - this port must be set in the SPM service menu when configuring the Payment System server address |
Optional | TCP | 4198 | YSoft SafeQ Payment Machine > YSoft Payment System | Main connection |
Optional | TCP | 4199 | YSoft SafeQ Payment Machine > YSoft Payment System | Main connection over SSL |
Optional | TCP | 8080 | CML/TS > YSoft Payment System | web, rest services (APIs) |
Optional | TCP | 8443 | CML/TS > YSoft Payment System | web, rest services (APIs) |
Optional | TCP | 25 | SMTP | SMTP (Scan job delivery, notifications to administrator and users) |
Optional | TCP | 80 | SafeQ Client -> ORS web | ORS web communication with client (billing codes etc.) |
Mandatory | UDP | 1434 | CML > DB | This communication is used to query the SQL server browser service. SQL browser service will respond with the TCP port number that shall be used for the rest of communication. |
Mandatory | TCP | see description | CML > DB | The port number is dynamically assigned by SQL browser service, see http://technet.microsoft.com/en-us/library/cc646023.aspx for more information. |
Mandatory for AP Connector | UDP | 5353 | AP Connector > subnet | AP Connector (AP) component multicast to subnet using Bonjour |
Mandatory for AP Connector | TCP | 8050 | client > AP Connector | Job delivery from iOS or Mac client to AP Connector (AP) over IPPS. 8050 is the default port and is configurable. |
Cluster installation
Required | Type | Port | Communication type | Description (communication from the user) |
Mandatory | TCP | 4111 | CML > CML | Proprietary DB Sync |
Mandatory | TCP | 6020 | CML > CML | Inter node communication |
Mandatory | TCP | 443 | CML > CML | First replication of CML database |
Typical communication overview
The following diagram is for reference only and does not show all possible options.

Terminal Communication overview
The HW terminals communicate with the YSoft SafeQ server over an Ethernet network (default communication port 4096). RJ45 connectors connect the terminal to the network. MFPs and printers communicate with the SafeQ server via the terminal. Each terminal has a MAC address allocated by Y Soft.
DHCP Support
Terminals can be configured in static IP or dynamic IP (DHCP) mode.
Terminal Professional
Uses UDHCP Client ver. 1.2.1. If a DHCP server is not available, the DHCP client keeps running in the background. The terminal boots normally but no connection to the network is available.
Terminal Ultralight
Uses DHCP client according to RFC 2131 and RFC 1533. If a DHCP server is not available, zero network configuration according to RFC 3927 is started within 2 seconds (the terminal stays in the "initializing" dialog, with green LEDs animated around). Terminal TCP server (TCP port 4095) and UDP locator (UDP port 64099) are available during zero network configuration. The DHCP client continues operating in the background. As soon as the DHCP client gets a valid DHCP lease, the zero network configuration is shut down and the terminal continues in standard operation.
Server connection timeouts
Terminal Professional
Multi-threaded connection to SafeQ servers: 500ms before next deploy, maximum number of servers in cluster: 10, total connection timeout: 15-22s depending on node count. Timeout for established SafeQ server connection: 20s-2min depending on protocol state. Closing connection causes immediate user session end.
Terminal Ultralight
Timeout for connecting per SafeQ server: 2s, number of connection attempts per server: 3, maximum number of servers in cluster: 5. Timeout for established SafeQ server connection: 30s. Timeout for established SafeQ server connection, before sending user authentication data: 1s. Closing connection causes immediate user session end.
IPv6 Support
At present, YSoft SafeQ 5 does not support IPv6 across all system components.
Job Delivery process
Workstation to SafeQ Job Delivery
LPR according to RFC 1179
SafeQ Port Protocol according to SafeQ Workstation Client Protocol Specification
SafeQ to MFP Job Delivery
Regardless of CML/ORS, the job is delivered to MFP by means of delivery backends. Backends are used for encapsulating delivery protocol. Currently supported protocols for job delivery are:
LPR
JetDirect
TCP RAW/9000
New versions may bring support for new delivery protocols (e.g. IPP/IPP over SSL).
In SafeQ 5, backends are also augmented with Decorators. Backend Decorators act as filters which are applied in sequence to the delivered jobs. These filters are used for many things, like injecting PJL headers into a job, removing or changing PJL headers, modifying contents of the print job