Installing network printers on Linux - part 2: IPP/IPPS and cups-browsed

August

2025

Installing network printers on Linux - part 2: IPP/IPPS and cups-browsed

Linux

1 August 2025 15:12

Continued. See part 1, continued part 3. ending part 4.

3.1.2. IPP and IPPS printing protocols

IPP is short for "Internet Printing Protocol" and IPPS is short for "Internet Printing Protocol over HTTPS". These protocols are the main ones for transferring print jobs to network printers.

IPP protocol developed by the American company Novell, which specializes in software for network infrastructure. Novell is located in Provo, Utah, USA. The main emphasis of IPP is on security and correct implementation. IPP (IPPS) has the concept of "Printer" at a high level, objects of the "Job" and "Document" types. Security in IPPS: authentication mechanisms are implemented for secure printing on a local network or via the Internet: it is possible to install an electronic signature certificate and a secret key on a printer that provides encrypted printing using the IPPS protocol, including to office or home printers, via the Internet. The IPP and IPPS protocols are very common among multifunction device and printer software and are supported in Linux CUPS software. Current protocol versions are 2.0, 2.1 and 2.2.

Protocol IPP uses port:
*80/TCP- to detect, add and configure a printer in a local Ethernet or Wi-Fi network, using the protocol ipp://*(described in the standard RFC 2911). It is not difficult to guess that port 80 is also used for www servers on the Internet. The commonality between IPP and HTTP protocols is that both operate on port 80 and are application-level protocols.
631/TCP**- for transferring tasks. Also, when accessing a printer via HTTPS, the client is redirected to port 631.

Since IPP:// port 80 is mapped to port 631, the following entries are equivalent:

ipp://host/ipp/print
http://host:631/ipp/print

Protocol IPPS uses ports:
*443/TCP- to discover, add and configure a network printer on an Ethernet or Wi-Fi local area network that supports protocol printing ipps://*(S - secured, i.e. protected).
631/UDP**- to detect a printer on a local area network (printer discovery).
*631/TCP- for transferring jobs for printing, i.e. to send document pages to the printer. Source RFC 7472).

Since IPPS:// port 443 is mapped to port 631, the following entries are equivalent:

ipps://host:443/ipp/print
https://host/ipp/print

ipps://server.example.com/ipp/print/printer3
https://server.example.com:631/ipp/print/printer3

From this it can be seen that in order to print from the Internet, you need to configure the “forwarding” of ports 443 and 631 in the Wi-Fi router to the internal (local) IP address of the printer behind the router. Apparently, a router on the Internet must either have a fixed “white” IP address or use DDNS technology.

Advantages of IPP and IPPS:

IPPS is much more secure than AppSocket. Due to encryption, the data cannot be intercepted.
IPP and IPPS are widely supported by network printer manufacturers for use in home and office local networks
it is possible to connect to a remote printer via the Internet by entering a URL like this in the printer parameters:
uses standard ports 80 and 443, which are hiddenly mapped to port 631. When connecting to a printer, you can access IPS port 443 or HTTPS to send print jobs.
- ipp://printer.example.com/ipp
- ipps://printer2.example.com:443/ipp/print
- ipps://server.example.com/ipp/print/printer3
- http://printer.example.com:631/ipp
- https://printer2.example.com/ipp
- https://server.example.com:631/ipp
In advanced installation options "IPP Everywhere^TM" and DNSSD, after searching for a printer on the local network, the printer name is automatically entered into the CUPS form when adding a printer.

Disadvantages:

when used on a local network, reference is made to the DNS name in the pseudo-domain
.local. For example:
- ipps://printer_name.local/
- ipps://Kyocera%20ECOSYS%20M2035dn._ipps._tcp.local/
connecting to a printer may not work at addresses such as ipps://printer_name.local or ipp://printer_name.local. Solution: if you plan to connect via a printer `printer_name.local`, то нужно добавить в файл `/etc/hosts` for the fixed IP address of the printer 192.168.1.123 a line like:
```
192.168.1.123 printer_name.local
```
then install the printer in CUPS. For example, if the printer name is KM31DC19.local, I added the line 192.168.1.123 KM31DC19.local to the hosts file, went to the CUPS administration:
```
http://localhost:631/admin
```
, where I clicked the "Add printer" button, "Internet Printing Protocol (ipp)" -> "Continue" and entered the connection string to the printer by name:
ipp://KM31DC19.local/ipp -> “Continue”, then to install the driver I specified the company Kyocera -> “Continue”, printer model “M2540dn”. Printing from a computer to this network printer works!

!Note. To install an IPP or IPPS network printer with a driver (as opposed to the "driverless" option), you need to install the printer in CUPS indicate option "use PPD file" and select the PPD printer driver file. It takes up about 1 MB and must be downloaded in advance from the printer manufacturer's website. For example, for Kyocera printers the download link is:KYOCERA Document Solutions - Downloads

Determining and checking the IP address of an IPP printer

If the capabilities of the printer are not known in advance, you need to find out its IP address and check the open IPPS ports on the printer. To determine the presence of IPPS technology:

nmap 192.168.1.113 -p 80

where 192.168.1.113 is the IP address of the printer on the local network.

If the port is “open”, open this IP address using a web browser and find out the device name
The name is indicated in the case of Kyocera in the upper corner. My hostname is:KM31DC19.

Determining and checking the IP address of the IPPS printer

If the capabilities of the printer are not known in advance, you need to find out its IP address and check the open IPPS ports on the printer. To determine the presence of IPPS technology:

nmap 192.168.1.113 -p 443
nmap 192.168.1.113 -p 631
curl -vvI 192.168.1.113

where 192.168.1.113 is the IP address of the printer on the local network, 443 and 631 are IPPS ports, The command curl -vvI ... shows https security.

Just like in the case of IPP, with IPPS we find out the host name by opening the printer address in a web browser http://ip_address:

In my case:
KM31DC19

How to set up a network printer using IPP (old printer or without using IPP Everywhere)

1. On a personal computer running Linux, go to the CUPS settings - in a web browser you need to enter in the address bar:http://localhost:631/.
On the CUPS web page, select the menu item Administration-Add a printer
Then "other network printers"-"IPP", Click Continue
1. Enter manually ipp://KM31DC19.local/ipp (без косой черты в конце!) - replace KM31DC19 with the actual printer hostname. Click Continue
fill in the field "Name"- no spaces. For example. Kyocera_IPP (name must not contain spaces, underscore _ acceptable) Click Continue
In the "create" field, specify the manufacturer, for example Kyocera. Click Continue
indicate in the top list printer driver, corresponding to the model indicated on the back panel of the MFP (printer) or on the packaging. For example, for the Kyocera M2540dn multifunction device model, you can select the driver Kyocera ECOSYS M2540dn (KPDL), driverless, cups-filtersorspecify driver:"use PPD file" and select file *.ppd, downloaded earlier from the printer manufacturer's website. Click "Add printer".
Specify paper size (A4), tray (Automatic or Tray 1), Media type (Automatic), 2-side printing (On Portrait)/Off), paper output Output Tray: Top, Print scaling: Automatic. On the Policies tab, check "retry-printer".
Click Save parameters. the printer has been added.
10.Check that the printer is accessible on the network by name
ping KM31DC19.local
If the execution error is "ping: KM31DC19.local: Unknown name or service", add an entry like this to the hosts file:
192.168.1.115 KM31DC19.local
where 192.168.1.115 is the printer's IP address. Save the hosts file.
11.Now you need to enable the printer and make it “default”:

Start - Administration - Printers - Printer name- right click and install "Active" and "Set as system-wide default printer".

If the job leaves (“Printing”), but the printer does not print (in Start - Administration - Printers - Printer name -"View the print queue" state "Render complete" or "Delayed", "Paused", etc.) - this happens when using a refilled or non-original cartridge with an IPP:// connection. because it is impossible to determine the toner powder or ink level. There is no such problem with another printer ipp://Pantum-4AF471.local/ipp. There is also no problem with Kyocera when using IPPS mode (see next paragraph).

How to set up a network printer using the IPPS protocol (old printer or without using IPP Everywhere)

1. On a personal computer running Linux, go to the CUPS settings - in a web browser you need to enter in the address bar:http://localhost:631/.
On the CUPS web page, select the menu item Administration-Add a printer
Then "other network printers"-"IPP", Click Continue
1. Enter manually http://KM31DC19.local:631/ipp (без косой черты в конце!) - replace KM31DC19 with the actual printer hostname. Click Continue
fill in the field "Name"- no spaces. For example. Kyocera_IPPS (name must not contain spaces, underscore _ let's say). Click Continue
In the "create" field, specify the manufacturer, for example "Kyocera". Click Continue
indicate in the top list printer driver, corresponding to the model indicated on the back panel of the MFP (printer) or on the packaging. For example, Kyocera ECOSYS M2540dn (KPDL), driverless, cups-filtersorspecify driver:"use PPD file" and select file *.ppd, downloaded earlier from the printer manufacturer's website. Click "Add printer".
Specify paper size (A4), tray (Automatic or Tray 1), Media type (Automatic), 2-side printing (On Portrait)/Off), paper output Output Tray: Top, Print scaling: Automatic. On the Policies tab, check the "Error Policy" parameter - value "retry-job".
Click Save parameters. the printer has been added.
10.Check that the printer is pinged by network name.

ping KM31DC19.local
If the execution error is "ping: KM31DC19.local: Unknown name or service", add an entry like this to the hosts file:
192.168.1.115 KM31DC19.local
where 192.168.1.115 is the printer's IP address. Save the hosts file.
11.Now you need to enable the printer as Active and set it to print by default:

Start - Administration - Printers - Printer name- right-click and check the box "Active", in the menu item "Use as default" -"Set as system-wide default printer" or "Set as default printer for current user".

How to set up a network printer using IPPS (new printer using IPP Everywhere^TM)

1. On a personal computer running Linux, go to the CUPS settings - in a web browser you need to enter in the address bar:http://localhost:631/.
On the CUPS web page, select the menu item Administration-Find a printer or "Add a printer".
Then select the printer that mentions driverless printing "(driverless)". For example, "Kyocera ECOSYS M2540dn (KPDL)(driverless)(Kyocera ECOSYS M2540dn (KPDL))". Click Continue
The next screen will show the connection settings where the full DNS name contains "._ipps._tcp.local/" click Continue.
Correct the field "Name"- no spaces. For example. Kyocera_IPP_Everywhere (name must not contain spaces, underscore _ let's say). Click Continue
select the first line of the list - printer model with mention IPP Everywhere^TM and click below "Add a printer".
Click Save parameters. the printer has been added.

3.1.3 - IPP/IPPS printing using detected printers by the cups-browsed service

The cups-browsed service searches for network printers and multifunction devices (MFPs) that support IPP/IPPS when the computer starts. In the future, found printers are visible when accessing the menu "File" - "Print". The list of printers is dynamic; printer detection time can take several seconds.

The cups-browsed service is developed by development teams OpenPrinting and PWG (Printing Working Group) from the USA. one of the projects that are part of the Linux operating system. Authors cups-browsed: Till Kamppeter, Deepak Patankar. Apache License v2.0.

Setting up the connection manually is not required; it is automatic when you select a printer.
The cups-browsed connection protocol is as follows:implicitclass://printer_name/ in this way. connection to the printer is carried out through a software layer, which greatly facilitates setup and printing to the printer. The downside, as mentioned above, is a slight delay when using cups-browsed and an increased load on the central processor.

Benefits of cups-browsed:

printer setup in the usual sense is not required. You just need to select the desired detected network printer.
after connection, the ipps protocol is used, but its details are hidden from the user.
indifferent to fixed or dynamic IP addresses (DHCP).

Disadvantages of cups-browsed:
menu opening delay File - Print(for example, in Linux Mint or Linux Green) required to discover network printers.
vulnerabilities, because open to the outside port 631. Attackers can send arbitrary UDP packets to port 631, which in the best case leads to a breakdown of the service, and in the worst case, hijacking control of the computer.

To get rid of the delay, you need to install the printer manually and disable the service

sudo systemctl stop cups-browsed
sudo systemctl disable cups-browsed
sudo systemctl restart cups

Enable the service back if we want to detect printers automatically:

sudo systemctl enable cups-browsed
sudo systemctl start cups-browsed

Block port 631 on the firewall from the outside (solving the vulnerability problem).

sudo apt install ufw
sudo ufw enable
sudo ufw deny 631 #block port
sudo ufw status numbered
sudo ufw reload

A Linux distribution that uses Cups-Browsed out of the box is described in Part 4 of this article series.

Blog about Radio and Linux