SafeQ CML Server pre-installation check list
The following features have to be installed and available on the server for SafeQ CML server installation:
To see list of supported platforms, please visit Software requirements page.
No Web server may be installed on the computer. (If installed, it must not listen on TCP port 80).
Windows Installer 4.5 must be installed in order to use embedded MS SQL 2008 Express installation.
The latest version of a web browser shall be installed (IE, Chrome or Firefox).
No other software shall be installed, except as agreed by YSOFT.
IP addresses for the local SafeQ CML servers are prepared before the installation of MFPs and terminals.
Dedicated shared folder accessible from all SafeQ CML nodes is set up and reachable from all SafeQ CML server nodes (necessary for installation from network folder).
CML servers (all nodes of the clusters) meet minimum requirements. See Hardware requirements for details.
Latest security patches installed on operating system.
See Antivirus Settings page to make sure system performance is not affected by Antivirus software.
There is no other software that can interfere with SafeQ installed on the servers, especially database (unless it's intended for SafeQ), or other print solution, except as specified in this document.
In case of an external database server, SafeQ uses 2 service accounts (mandatory name for one of the accounts is: sync) and 2 databases to run for each CML node.
Administrator rights are required in order to perform the installation.
"LPD service" not installed in case "Print Server" role is used.
External user source for replication (LDAP) requirements
Primary LDAP server IP address
Domain name(s)
DN of container(s) with users
LDAP contains user login information
LDAP contains user name and surname information
Department number is available in following attribute
Card numbers are available in following attribute
Unique user ID is available in following attribute
User email addresses are available in LDAP
Data replication from LDAP to SafeQ is preferred. Frequency of replication is configurable (for example: full replication is executed once a day, and differential replication is executed each hour).
Administrator will be available to provide LDAP server access credentials. User account with 'list all records' and 'read attributes' credentials must be available as integration account for SafeQ.
Network communication overview
For proper functionality of the SafeQ environment, the following ports have to be opened on the server side.
Workstation to server communication (server inbound rules)
Required? | Type | Port | Communication type | Description (communication from the user) |
Mandatory | TCP | 80/443 | HTTP/HTTPS | for access to YSoft SafeQ administration/reporting web interface |
Optional (if using workstation client) | TCP | 9100 | proprietary compressed | job reception from client workstations (YSoft SafeQ Client Protocol) |
Optional (if using Local Monitor) | TCP | 9100 | proprietary | accounting information from Local Monitor installed on workstation or server |
Optional (if using workstation client) | TCP | 515 | LPR | job reception from client workstations (LPR) |
Optional | TCP | 4097 | proprietary SSL | Access verification and data transfer with job print from client workstations (YSoft SafeQ Port Protocol Level 1-3 only) Used when YSoft SafeQ configuration property useSSLProxy is enabled. The property can be disabled when YSoft SafeQ Client protocol level 4 is used. |
Optional (if using central reporting) | TCP | 2382/2383 | OLAP | for access to Central Reporting Services OLAP interface (MS SQL Analysis service) |
Optional / Recommended from Localhost (monitoring only) | TCP | 19898 | JMX | CML system health monitoring via JConsole. Port number is configurable by cmlJmxServerPort property and port binding via cmlJmxNetworkInterface property in SafeQ system settings. By default bound to localhost (127.0.0.1) network interface. |
Optional / Recommended from Localhost (monitoring only) | TCP | 9797 | JMX | CML DBSync system health monitoring via JConsole. Port number is configurable by dbSyncJmxServerPort property and port binding via dbSyncJmxNetworkInterface property in DBSync configuration file (cmldb-cluster.conf). By default bound to localhost (127.0.0.1) network interface. |
Recommended from Localhost | TCP | 9696 | JMX | CML LDAP Replicator system health monitoring via JConsole and communication between CML and LDAP Replicator itself. Port number is configurable by ldapReplicatorServicePort property and port binding via ldapJmxNetworkInterface property in SafeQ system settings. By default bound to localhost (127.0.0.1) network interface. |
Recommended from Localhost | TCP | 9002 | JMX | CML LDAP Replicator auxiliary internal port used by JMX server. Port number is configurable by ldapJmxRmiServerPort property and port binding via ldapJmxNetworkInterface property in SafeQ system settings. By default bound to localhost (127.0.0.1) network interface. |
Optional / Recommended from Localhost (monitoring only) | TCP | 9898 | JMX | ORS, CRS system health monitoring via JConsole. ORS only: Port number is configurable by orsJmxServerPort property and port binding via orsJmxNetworkInterface property in SafeQ system settings. CRS only: Port number is configurable by crsJmxServerPort property and port binding via crsJmxNetworkInterface property in CRS configuration file (crs.conf). By default bound to localhost (127.0.0.1) network interface. |
Optional / Recommended from Localhost (monitoring only) | TCP | 9999 | JMX | ORS Web (distributed layer) system health monitoring via JConsole. By default bound to localhost (127.0.0.1) network interface. |
Optional / Recommended from Localhost | TCP | 9000 | JMX | CML, ORS, CRS auxiliary internal port used by JMX server. CML only: Port number is configurable by jmxRmiServerPort property and port binding via cmlJmxNetworkInterface property in SafeQ system settings. ORS only: Port number is configurable by jmxRmiServerPort property and port binding via orsJmxNetworkInterface property in SafeQ system settings. CRS only: Port number is configurable by jmxRmiServerPort property and port binding via crsJmxNetworkInterface property in CRS configuration file (crs.conf). By default bound to localhost (127.0.0.1) network interface. |
Optional / Recommended from Localhost | TCP | 9005 | JMX | CML DBSync auxiliary internal port used by JMX server. Port number is configurable by dbSyncRmiServerPort property and port binding via dbSyncJmxNetworkInterface property in DBSync configuration file (cmldb-cluster.conf). By default bound to localhost (127.0.0.1) network interface. |
Optional / Recommended from Localhost | TCP | 19044 | JMX | ORS Web auxiliary internal port used by JMX server. |
Optional (if using workstation client) | TCP | 4096 | proprietary 1kB - per request | Information regarding queues for YSoft SafeQ Client configuration |
Server to printer communication (server outbound rules)
Required? | Type | Port | Communication type | Description (communication from the user) |
Mandatory | TCP | 9100 | proprietary | Job data delivery to printer (Raw TCP) |
Mandatory | TCP | 515 | LPR | Job data delivery to printer (LPR) |
Optional | TCP | 80/443 | IPP/SSL | Job data delivery to printer (IPP over SSL) |
Optional | TCP | 9100 | proprietary SSL | Job data delivery to printer (compressed via Terminal Professional) |
Optional | UDP | 64099 | proprietary broadcast | Terminal Professional/UltraLight discovery |
Optional | TCP | 4095 | proprietary | Terminal Professional/UltraLight remote configuration |
Mandatory for embedded terminals | TCP | 50001/50003 | proprietary WS SSL | Embedded (KM, Xerox, Sharp) remote configuration |
Mandatory with YSoft SafeQ Embedded Terminal for Ricoh ESA | TCP | 80, 443, 8080, 51443, 64098 | proprietary | YSoft SafeQ Embedded Terminal for Ricoh installation and automatic configuration used by RXOP libraries YSoft SafeQ Embedded Terminal for Ricoh configuration |
Mandatory for online print/copy tracking | UDP | 161 | SNMP | Online accounting of network printer MFP |
Mandatory with YSoft SafeQ Embedded Terminal for Toshiba | TCP | 49629, 49630 | HTTP/HTTPS | YSoft SafeQ Embedded Terminal for Toshiba installation |
Mandatory with YSoft SafeQ Embedded Terminal for Xerox/Fuji-Xerox | TCP | 80, 443 | HTTP/HTTPS | YSoft SafeQ Embedded Terminal for Xerox/Fuji-Xerox installation |
Mandatory with YSoft SafeQ Embedded Terminal for Konica Minolta | TCP | 80, 50003 | HTTP, proprietary WS SSL | YSoft SafeQ Embedded Terminal for Konica Minolta installation |
Mandatory with YSoft SafeQ Embedded Terminal for Sharp | TCP | 80/443 | HTTP/HTTPS | YSoft SafeQ Embedded Terminal for Sharp installation and during authentication |
Mandatory with YSoft SafeQ Embedded Terminal for Samsung | TCP | 80 | HTTP | YSoft SafeQ Embedded Terminal for Samsung installation |
Mandatory with YSoft SafeQ Embedded Terminal for HP | TCP | 7627 | HTTPS | YSoft SafeQ Embedded Terminal for HP installation |
Mandatory for YSoft SafeQ Embedded Terminal installation | UDP | 161 | SNMP | YSoft SafeQ Embedded Terminal installation MFP check |
Optional - Active FTP transfer (for embedded terminal scanning) | TCP | >1023 | FTP | Range of ports for active FTP transfers (whether passive or active transfer is used is controlled by MFD, range of port on MFD side controlled by MFD, range of ports on server side defined by operating system - e.g. https://support.microsoft.com/cs-cz/help/929851/the-default-dynamic-port-range-for-tcp-ip-has-changed-in-windows-vista) |
Printer to server communication (server inbound rules)
Required? | Type | Port | Communication type | Description (communication from the user) |
Mandatory with Terminal Professional | TCP | 4096 | Proprietary SSL low volume, low latency | Terminal Professional/UltraLight authentication and session control |
Optional (if using time synchronization with Terminal Professional) | UDP | 37 | Time protocol | Time synchronization between Terminal Professional and the server. When the system parameter timeServerEnable is enabled, server is listening on UDP port 37. Terminal connects to this port upon restart. |
Mandatory with YSoft SafeQ Embedded Terminal for Ricoh | TCP | 5012, 5021, 5022 | Proprietary low volume, low latency | YSoft SafeQ Embedded Terminal (Accounting and charging) YSoft SafeQ Terminal Application communication |
Mandatory with YSoft SafeQ Embedded Terminal for Browser | TCP | 5011, 5012, 5013 | HTTP/HTTPS | YSoft SafeQ Embedded Terminal browser communication |
Mandatory with YSoft SQTA or YSoft SafeQ Embedded Terminal for Browser (HP/Sharp/Toshiba EAL) | TCP | 5021, 5022 | HTTP/HTTPS | YSoft SafeQ Terminal Application communication |
Mandatory with YSoft SafeQ Embedded Terminal for KM | TCP | 5014-5019 | WS SSL low volume, low latency | YSoft SafeQ Embedded Terminal (KM) authentication and session control |
Mandatory with YSoft SafeQ Embedded Terminal for HP | TCP | 5025 | HTTP/HTTPS | Webservices for YSoft SafeQ Embedded Terminal (HP) |
Mandatory with YSoft SafeQ Embedded Terminal for Xerox/Toshiba | TCP | 389 | LDAP | Internal LDAP for YSoft SafeQ Embedded Terminal for Toshiba. When 389 is blocked (by already running AD on a domain controller), SafeQ 5 GUI installer will display a warning and use port 390 instead. |
Mandatory with Network Card Reader | TCP | 5011/5012 | Proprietary SSL | Network Card Reader authentication |
Optional | TCP | 5020 | Proprietary | Preview provider for Terminal Professional (optional, depending on SafeQ setting, configurable by preview-provider-port) |
Optional | TCP | 25 | SMTP | Scanning from MFPs via e-mail (optional, depending on MFP capabilities) |
Mandatory for WebDAV scanning | TCP | 443 | Secured WebDAV/HTTPS | Scanning from MFPs via scan workflow (optional, depending on MFP capabilities) |
Optional | TCP | 139 | SMB | Scanning from MFPs via scan to folder (optional, depending on MFP capabilities) |
Mandatory for embedded terminal scanning | TCP | 21 | FTP | Scanning from MFPs via scan to folder (optional, depending on MFP capabilities) |
Optional - Passive FTP transfer (for embedded terminal scanning) | TCP | >1023 | FTP | Range of ports for passive FTP transfers (optional, whether passive or active transfer is used is controlled by MFD - range of ports depending on SafeQ configuration parameter ftpPassivePorts) |
Inter-server communication (inbound and outbound rules)
Required? | Type | Port | Communication type | Description (communication from the user) |
Mandatory for cluster | TCP | 4099 | CML > CML proprietary ~1kB per print job | Application-level cluster synchronization |
Mandatory for cluster | TCP | 4111, | CML > CML proprietary ~1kB per print job | Application-level cluster DB synchronization |
Mandatory for ORS | TCP | 6010 | ORS > CML proprietary ~40 - 60 kB per print job | ORS-to-CML communication and synchronization |
Mandatory for Central Reporting | TCP | 4139 | CML > CRS proprietary ~1kB per print job | Reporting data collection |
Mandatory | TCP | 5556 | TS > server (CML/ORS) (localhost) proprietary | Terminalserver (TS) component (required for YSoft SafeQ embedded terminal support), communication with server application |
Mandatory for job roaming | TCP | 8000 | ORS > ORS | Job data transfer for roaming jobs (uncompressed) |
Mandatory for load balancing | TCP | 6020 | CML > CML | Internal communication between CMLs |
Mandatory for near job roaming | UDP Multicast | configurable | ORS > ORS | Near Roaming Group synchronization. |
Mandatory for near job roaming | TCP | 7800 | ORS > ORS | Near Roaming Group synchronization. Required for roaming groups up to 10 ORS servers. |
Mandatory for web status information | TCP | 20222 | CML/MPS > CML | RMI registry port used by web for SafeQRemote listening and binding. This port is opened upon installation, consider blocking it for inbound connections, see firewall settings. |
Mandatory for web status information | TCP | 20223 | CML/MPS > CML | RMI registry port used by web for incoming connections. This port is opened upon installation, consider blocking it for inbound connections, see firewall settings. |
Mandatory for web status information | TCP | 20224 | CML/MPS > CML | RMI registry port used by web for UserManagerRemote binding and listening. This port is opened upon installation, consider blocking it for inbound connections, see firewall settings. |
Mandatory for web status information | TCP | 20225 | CML/MPS > CML | RMI registry port used by web for PaymentManagerRemote binding and listening. This port is opened upon installation, consider blocking it for inbound connections, see firewall settings. |
Mandatory for AP Connector | TCP | 9100 | AP > CML, ORS | AP Connector to CML/ORS via client protocol |
Mandatory for AP Connector | TCP | 5556 | AP > CML, ORS | AP Connector (AP) component, communication with server application |
Optional for etcd | TCP | 2380 | etcd > etcd | Default value of port for communication between etcd nodes (either between CML nodes in the cluster or between ORS nodes in near roaming group) |
Optional for etcd | TCP | 2379 | TS > etcd | Default value of port used by the Terminal Server to communicate with the local etcd |
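
An added example (not part of the SafeQ documentation): a post-installation check that reads `netstat -an` output and reports any JMX port from the tables above that is listening on a non-loopback address, plus any of the RMI ports 20222-20225 that is reachable from the network and therefore needs the inbound firewall block. The sample netstat output and the function names are constructed for illustration.

```python
import ipaddress

# Port numbers are the defaults listed in the tables on this page.
JMX_PORTS = {19898, 9797, 9696, 9002, 9898, 9999, 9000, 9005, 19044}
RMI_WEB_PORTS = {20222, 20223, 20224, 20225}

# Constructed sample of Windows `netstat -an` output (not from a real server).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    127.0.0.1:19898        0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9797           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:9000         0.0.0.0:0              LISTENING
  TCP    [::1]:9696             [::]:0                 LISTENING
  TCP    [::]:20222             [::]:0                 LISTENING
  TCP    10.0.0.5:49712         10.0.0.9:4111          ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""


def listeners(netstat_text):
    """Yield (address, port) for every TCP row in LISTENING state."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            host, _, port = fields[1].rpartition(":")
            # Drop IPv6 brackets and any zone id such as %12.
            yield host.strip("[]").split("%")[0], int(port)


def audit(netstat_text):
    """Return sorted (port, address, finding) tuples for exposed listeners."""
    findings = []
    for host, port in listeners(netstat_text):
        if ipaddress.ip_address(host).is_loopback:
            continue  # bound to localhost, matches the documented default
        if port in JMX_PORTS:
            findings.append((port, host, "JMX port not bound to localhost"))
        elif port in RMI_WEB_PORTS:
            findings.append((port, host, "RMI port exposed: confirm inbound firewall block"))
    return sorted(findings)


if __name__ == "__main__":
    for port, host, finding in audit(SAMPLE):
        print(f"{host}:{port}  {finding}")
```

To check a live server, pass the text captured from `netstat -an` to `audit()` instead of `SAMPLE`.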
Other communication
Required? | Type | Port | Communication type | Description (communication from the user) |
Mandatory for LDAP synchronization | TCP | 636 | CML > LDAP | LDAP integration (server > LDAP controller) secured over SSL |
Optional | TCP | 389 | CML > LDAP | LDAP integration (server > LDAP controller) |
Optional | TCP | 3268 | CML > LDAP | LDAP integration (server > LDAP controller) |
Optional | TCP | 4100 | Terminal > SafeQ | Port where the terminal update service is running (configurable by rs-terminal-update-port) |
Optional | TCP | 4444 | Rech. Station > CML | YSoft SafeQ Payment Machine (QuickChip); not supported by YSoft SafeQ5 |
Optional | TCP | 4196 | YSoft SafeQ Payment Machine > YSoft Payment System | Management connection |
Optional | TCP | 4197 | YSoft SafeQ Payment Machine > YSoft Payment System | Management connection over SSL (e.g. time synchronization) - this port must be set in the SPM service menu when configuring the Payment System server address |
Optional | TCP | 4198 | YSoft SafeQ Payment Machine > YSoft Payment System | Main connection |
Optional | TCP | 4199 | YSoft SafeQ Payment Machine > YSoft Payment System | Main connection over SSL |
Optional | TCP | 8080 | CML/TS > YSoft Payment System | web, rest services (APIs) |
Optional | TCP | 8443 | CML/TS > YSoft Payment System | web, rest services (APIs) |
Optional | TCP | 25 | SMTP | SMTP (Scan job delivery, notifications to administrator and users) |
Optional | TCP | 80 | SafeQ Client -> ORS web | ORS web communication with client (billing codes etc.) |
Mandatory | UDP | 1434 | CML > DB | This communication is used to query the SQL server browser service. SQL browser service will respond with the TCP port number that shall be used for the rest of communication. |
Mandatory | TCP | see description | CML > DB | The port number is dynamically assigned by SQL browser service, see http://technet.microsoft.com/en-us/library/cc646023.aspx for more information. |
Mandatory for AP Connector | UDP | 5353 | AP Connector > subnet | AP Connector (AP) component multicast to subnet using Bonjour |
Mandatory for AP Connector | TCP | 8050 | client > AP Connector | Job delivery from iOS or MAC client to AP Connector (AP) over IPPS. 8050 is default but configurable port. |
Cluster installation
Required | Type | Port | Communication type | Description (communication from the user) |
Mandatory | TCP | 4111 | CML > CML | Proprietary DB Sync |
Mandatory | TCP | 6020 | CML > CML | Inter node communication |
Mandatory | TCP | 443 | CML > CML | First replication of CML database |