YSoft SafeQ Mobile Integration Gateway troubleshooting

Setting up printing through the YSoft SafeQ Mobile Integration Gateway (MIG) can be a bit challenging the first time, especially due to specific requirements like certificate trust.

In cases where printing via MIG is not functioning after the initial setup, this article outlines the recommended steps to identify and resolve potential issues.

For the start try to connect printer non-securely via IPP as public user

1. Set up non-secure reception

   1. edit <MIG>\bin\MigService.exe.config

      • set use-ipps to "F"

      • set ipp-port to "8051"

      • note: this way only machines used used for this test will be sending unencrypted password to MIG over the network, the rest of clients will be unable to connect

   2. edit <MIG>\bin\services\MdnsService.xml

      • set <Port>8051</Port>

      • set <AdminUrl>https://<MIGserverAddress>:8051/Administration</AdminUrl>

      • note: <MIGserverAddress> needs to be replaced by the real address

2. Set reception from a public user

   1. edit <MIG>\bin\MigService.exe.config

   2. set "allow-public-user" to T (default F)

3. Restart YSoft SafeQ Mobile Integration Gateway service

4. Add printer in Windows client workstation:

   1. add new printer in Windows

   2. select a shared printer by name

   3. use "http://<MIG_address>:8051/ipp/print"

      • the ipp/print can be used even if name in MIG/Bonjour is different

      • alternatively it is possible to use name present in <MIG>\bin\services\MdnsService.xml as http://<MIG_address>:8051/<namefromconfig>

5. Verify the printing works

The allow-public-user is described at Mobile Integration Gateway deployment
This setting allows two options:

Option 1 - set "allow-public-user" to T (default F)

• the job owner on MS Windows is the user who initiated printing

• the job owner on MacOS is the user that is chosen by MacOS as default one, usually the logged in user (but not always)

Option 2 - set "allow-public-user" to F

• the job owner is YSoft SafeQ user whose credentials were defined for IPP queue on workstation

• on MS Windows it is necessary to edit the IPP port and fill in valid SAFEQ username and password manually (option "Use the specified user account"), otherwise the job will not be accepted no matter if the Windows account exists in SAFEQ or not

• on MacOS the user is prompted to enter YSoft SafeQ username and password on the first print attempt

  • if "Hold on Authentication" is shown in IPP print queue:

    • make sure username and password you wish to use works well for authentication in YSoft SafeQ web interface

    • click refresh button next to "Hold on Authentication"

    • fill in the YSoft SafeQ credentials in the new pop-up window

    • if the pop-up window does not appear

      • try to delete cached IPP printer credentials from Keychain Access

      • look for printer name or username inside "Logins", kind is "Network password" and delete it

      • then retry print

    • if the pop-up still does not appear:

      • ensure you have a job showing "Hold for Authentication."

      • open Terminal and run lpstat -s to list printers.

      • find your printer’s name after "device for." Example: device for FollowMe: ipp://... (printer name is FollowMe)

      • run: sudo lpadmin -p [printer-name] -o auth-info-required=username

      • retry printing and provide credentials when prompted

• this is how mig.log would look like if you kept allow-public-user at F and did not fill in account in MS Windows workstation port:
  2022-03-15 09:52:19.2617 INFO 3 | IppServer.Middlewares.IppMiddleware.Invoke | IPP request message with operation id PrintJob
  2022-03-15 09:52:19.2617 INFO 3 | IppServer.Middlewares.IppMiddleware.SendUnauthorized | send unauthorized to 10.0.117.4:8050

Once non-secure printing works, continue with setting up the secure printing over IPPS:

1. revert all changes made above, but keep "allow-public-user" as is (T)

2. restart "YSoft SafeQ Mobile Integration Gateway" service

3. add printer using https://<MIG_address>:8050/ipp/print to the workstation

4. verify the printing works

Once secure printing works, you may also set "allow-public-user" per your needs and repeat the printing test.

One of options to deploy queue to workstations is to use "New IPP(S) printer MSI" at https://quickprint.ysoft.com, but please be sure to follow QuickPrint documentation, for example it says certificate of MIG must be trusted on workstation.

Printing via IPPS (https) requires that workstation trusts the MIG certificate or the Certification Authority (CA) that signed it. 

• The default MIG certificate typically does not fulfill strict trust requirements. We suggest to replace the default certificate by customer's certificate whose CA is trusted on company workstations. For details refer to Mobile Integration Gateway deployment

• MacOS has typically very strict certificate requirements. For details refer to https://support.apple.com/en-us/103769
  

  • To verify that MacOS trusts the certificate of a website (e.g. https://MIG_address:port/administration):

    • Either use Safari browser

      • This is native MacOS browser that uses the same logic for certificate trust as the OS itself, it may easily happen that Chrome or other browser will consider certificate trusted but Safari and MacOS not, because their policies are more strict.

      • Safari may for example show an error: Certificate is not standards compliant

    • Or use Keychain Access app in MacOS to verify the certificate, it provides even more insight on the reasons why the certificate is not trusted:

      • Go > Applications > Keychain Access

      • Keychain Access > Certificate Assistant > Open > View and evaluate certificates

        • SSL (Secure Socket Layer)

        • tick checkbox "Ask Host For certificates"

        • fill in Host Name as: https://<MIG_address>:<port>

        • click Continue

      • on the next screen you will see if the certificate is trusted (check all certificates all chain, they all must be OK) and if there is any issue also more detailed error, like Evaluation Status CSSMERR_TP_CERT_SUSPENDED)

To connect to IPP(s) printer from Windows Server OS, the feature "Internet Printing Client" needs to be enabled and server restarted. Otherwise attempt to add printer will fail instantly.

In case printing via MIG still does not work, collect the following set of data and provide them to our support team through official support channels:

1. Use the configuration from section For the start try to connect printer non securely via IPP as public user

2. Start Wireshark capture on SAFEQ server with MIG and on workstation:

   • on server you can use capture filter: port 8051

   • on workstation use no filter

   • see https://portal.ysoft.com/documentation-and-knowledge-base/knowledge-base?page=Capturing_of_network_traffic_using_Wireshark_tool.html

3. Try to add printer in Windows

   • make a screenshot of the error containing the date/time of event if any error is shown (e.g. of Windows tray clock)

4. Make a print

   • make a screenshot of the error containing the date/time of event if any error is shown (e.g. of Windows tray clock)

5. Wait two minutes

6. Stop Wireshark capture

7. Provide us with

   1. Screenshot from workstation

   2. Wireshark capture (client and server)

   3. msinfo32 from workstation (Start -> Run -> type "msinfo32" without quotes -> OK > go to menu File -> Save)

   4. Logs and configuration files from server per Tips for collecting of YSoft SafeQ 6 log files