Special considerations on Terminal Server / Citrix / VDI (FAQs)

Special considerations on Terminal Server / Citrix / VDI

PaperCut works well on Microsoft Terminal Server (2000, 2003, 2008+, 2008 R2, 2012 and 2019) and CITRIX servers and a number of organizations are successfully using it to manage their printing and quotas. As a general rule, we recommend deploying PaperCut server software on a separate server (e.g. a print server) other than the terminal server itself. The reason for this is that Terminal Server / CITRIX systems can be very resource hungry and leave little resources left for PaperCut’s use. This is however not too much of an issue with good high-spec hardware.

 

PaperCut Client Considerations:

Sites planning on using advanced PaperCut features such as the account selection popup, may need to make a minor system configuration change. This is particularly true for sites running versions prior to version 8. Version 8+ uses more advanced logic and in most cases will work “out of the box” in all environments.

By default, PaperCut uses the client’s IP address to help match print jobs to the client (the client software running on the user’s screen). Under a terminal server, this assumption is often not valid as multiple users can be logged in under the one IP address at any one time. The symptom is that the account selection popup or other popup messages may appear on multiple terminals at once.

 

Running the PaperCut client and applications (e.g. MS Word) on the Terminal Server:

This scenario is suitable if the user is launching the PaperCut client from the Terminal server, and the user is running the application that they’re printing from (e.g. MS Word) on the terminal server. Both the PaperCut client and the application are running on the same IP address.

The solution is to change the system configuration as follows:

 
  1. Log into the administration interface as the admin user.
  2. Navigate to Options and select the Config Editor (Advanced) Action from the left set of Actionlinks.
  3. Use the Quick find: to locate the key: client.allow-match-on-machine-or-ip-only
  4. Change the value to N (no) and press the Update button.

The above change will mean that PaperCut will not match on machine only or IP only. But it will match on the combination of IP address and username (together).

That setting change will work for terminal server environments where the user is running the PaperCut client and the application they are printing from, on the same terminal server.

 

Running the PaperCut client locally, and applications (e.g. MS Word) on the Terminal Server:

This scenario is suitable if the user is launching the PaperCut client from the local workstation, and the user is running the application that they’re printing from (e.g. MS Word) on the terminal server. The PaperCut client and the application are not running on the same IP address.

This is because the combination of the username/IP address from the client will not match the combination of the username/IP address from the application that they’re printing from.

‘HOWEVER’: using the client on a network where you can’t uniquely identify the machine via IP is limited:

  • No popup authentication
  • No possibility of running multiple clients for the one user
  • Cannot handle lab situations where many machines are using same username

The solution is to change the system configuration as follows.

 
  1. Log into the administration interface as the admin user.
  2. Navigate to Options and select the Config Editor (Advanced) Action from the left set of Actionlinks.
  3. Use the Quick find: to locate the key: client.allow-match-on-machine-or-ip-only
  4. Change the value to N (no) and press the Update button.
  5. Use the Quick find: to locate the key: client.allow-match-on-user-only
  6. Change the value to Y (yes) and press the Update button.

The above change will mean that PaperCut will not match on machine only, or IP address only, but in addition it will be able to match the job with a user client based on username alone. The username in this case becomes the only piece of unique information to match on.

 

Other considerations to keep in mind:

 

Run Minimized

In some circumstances, if the client is not minimized in the Citrix session it may stay active when the published application is closed.

The PaperCut User client, pc-client-local-cache.exe should be run with the —minimized option. Login scripts should set this option.

 

Starting the client or release station software under CITRIX

If the PaperCut client software is set to automatically start under CITRIX via the Run registry key:

 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

this client software may prevent CITRIX sessions from correctly terminating. CITRIX has acknowledged this problem and the topic is discussed in detail at:

 

The solution is to add a new registry key and this is discussed at the bottom of the page linked above.

 

Unauthenticated Terminals

In some scenarios administrators may not want users to have to log on at the terminal. For this case, terminals can be configured to auto-logon to the server with a pre-set username that is configured once for each terminal.

In order to allow PaperCut print authentication please make sure that each terminal logs on to the terminal server with a different username so that PaperCut can determine the origin of the print job. Also make sure that these usernames are marked “unauthenticated” in PaperCut and that the PaperCut client is running in each terminal session so that users can supply their printing credentials when sending off a print job.

 

Terminal Services Easy Print driver

Users have reported that when the Terminal Services Easy Print driver is used that there are inconsistent page analysis results. This is because the print job is no longer rendered in the original printer language (PCL, PostScript etc).

In order to allow PaperCut access to the original print language, we suggest that this feature is not used.

 

Incorrect owner of print job

In late 2011, two customers of PaperCut Software running Windows 2008 with Citrix/Terminal Services noticed that some print jobs had the incorrect owner assigned by the operating system. If you are encountering this issue follow the steps below to remedy the issue.

Please note that these are general instructions and may not apply directly to your situation. Please contact PaperCut Support for more information.

 
1) The customer initially upgraded to Windows 2008 SP1 and applied this fix, this may not be applicable for you, review the hotfix documentation (see below).
 
2) Make the following changes in the registry for Print server and Terminal Server.

Key: HKLM\SYSTEM\CurrentControlSet\Control\Print REG Value: “DisableRpcTcp” REG_DWORD 1

 
3) On the Terminal Server also make the following changes to the registry.

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\ Right-click Printers, point to New, and then click DWORD. Type EnabledProtocols. Right-click EnabledProtocols. In the Value data box, type 6. Close Registry Editor. Restart the Spooler.

 
4) Install Hotfix KB958741 (May need to be requested from Microsoft as it is not currently mentioned on their support site). Please carefully review the hotfix documentation before installing.

Please note that this is general advice. We recommend contacting Microsoft specifically to confirm that your situation will be fixed by the above changes.

As a footnote, there is this discussion on Microsoft’s Technet site about a possibly similar issue.

 

Suspicious User Client Activity

As of PaperCut MF and PaperCut NG version 15.0, there’s a built-in check that looks for multiple failed logins from a client on the same IP address (looks like suspicious activity). You may then see a message on the client (and in the App.Log tab) saying:

 
“Server has detected suspicious user client activity from IP “x.x.x.x” and temporarily denied requests from this address”

This will show up a lot more on Terminal server environments because you may have a number of user clients running on a single IP address. To avoid that issue, go into Options → Config Editor, and search for client.api.security.rate-limit.enabled and set this to N, then update the key.

 

Link to original article