Non-VPN printing from outside network?
Posted by Low_Carpenter826@reddit | sysadmin | View on Reddit | 30 comments
I recently purchased an HP printer with a print anywhere feature for my outside security staff to be able to print back to the network without having to create a ton of VPN accounts. Just found out this only works if the printer is on the same network as the laptop otherwise you have to use the HP app to locate a saved file in order to print it, which works, but is a hassle if you have to print something off a webpage.
Any ideas where they could access one single printer from off the network without having it be a security disaster?
Envelope_Torture@reddit
For a printer to be usable from anywhere (without a VPN) you need one of two things
1) It has to be accessible from anywhere
2) It has to phone home to some kind of service, and the client has to be configured to use said service
You clearly don't want #1, and you also don't want to seem to want #2. There is no solution.
Low_Carpenter826@reddit (OP)
PaperCut is the solution that worked
statikuz@reddit
We use this so our remote users (no VPN, they don't need it for anything) can print to a plotter at the office.
Mobility Print | PaperCut
Low_Carpenter826@reddit (OP)
That's a really neat solution. I've got working already. I assume you just stick with the free version versus the paid one? Any issues with the software so far as long as the server software keeps running?
statikuz@reddit
I have not looked into any of their paid products as this one met our needs. No issues.
Low_Carpenter826@reddit (OP)
Thank you I will look into this further
St0nywall@reddit
ThinPrint
Hefty-Ad2513@reddit
TP's connection service would allow for this and also have the option to encrypt the print data also.
RestinRIP1990@reddit
Microsoft Universal Print
Low_Carpenter826@reddit (OP)
Is there a way to tie this into OneDrive? The reason I ask is my security staff is in the field and they use a laptop that does not log into our domain but they do log into OneDrive with their credentials.
RestinRIP1990@reddit
I have Aadj only devices that utilize one drive, and universal print l. However they also utilize Global Secure Access, Purview Information Protection, and Purview DLP to make sure access is secure , and any sensitive files get blocked from external printing or sharing unless via our encrypted mail function. the aadj device needs no direct access to the printer or print server .
Low_Carpenter826@reddit (OP)
I have to check my licenses. I'm not sure I have access to all of the options you mentioned above via Microsoft 365. Appreciate the info.
RestinRIP1990@reddit
this link should help you see if you already have the license , and what to buy if you don't want to Get access to Universal Print | Microsoft Learn https://share.google/IlWO01LlXhNtuFgZS
SecondOrigins@reddit
We do this and it is super easy to setup / manage
RestinRIP1990@reddit
It's super easy and helps a lot with dlp when used with other security solutions
Low_Carpenter826@reddit (OP)
Thank you for the suggestion I will look into this further
Hollow3ddd@reddit
What’s with the “I” and “they” thing going on here
Low_Carpenter826@reddit (OP)
???
thewunderbar@reddit
I'm curious as to how you thought that print from anywhere would just work without some kind of app solution.
Low_Carpenter826@reddit (OP)
I didn’t think it would work without an absolution. HP has an app called HP share which I created an account and I linked the Printer to. If both the printer and the computer are on the same network within word, you can do file print and the printer shows up as HP share referencing the app. You hit the print button then it prints automatically.
If you are off the network you you have to open the HP share app select the print button then you have to locate the already saved file in order to print it. So both scenarios use the app but scenario two makes it more difficult. If one of my staff is in the field. It needs to print something off a website that requires them to save it as a PDF then locate it via the app.
Low_Carpenter826@reddit (OP)
I didn’t think it would work without an absolution. HP has an app called HP share which I created an account and I linked the Printer to. If both the printer and the computer are on the same network within word, you can do file print and the printer shows up as HP share referencing the app. You hit the print button then it prints automatically.
If you are off the network you you have to open the HP share app select the print button then you have to locate the already saved file in order to print it. So both scenarios use the app but scenario two makes it more difficult. If one of my staff is in the field. It needs to print something off a website that requires them to save it as a PDF then locate it via the app.
AgentSecHQ@reddit
A few options that don't require full VPN:
Tailscale — dead simple to set up. Install on the printer's host machine (or a small box next to it) and on the remote laptops. They'll be on the same virtual network with zero port forwarding or firewall config. The printer shows up like it's local. Free for up to 100 devices.
Cloudflare Tunnel + CUPS — if you want something more enterprise-friendly, set up a CUPS print server on a small Linux box or the printer's host, expose it through a Cloudflare Tunnel with access policies. Remote users authenticate through Cloudflare Access (SSO, email OTP, etc.) and print through IPP.
Google Cloud Print replacement — if these are managed Chromebooks or Google Workspace users, look at PaperCut Mobility Print. It handles the remote-to-local bridging without VPN.
The HP Print Anywhere feature is really designed for consumer use cases, not enterprise. For "one printer, multiple remote users, no VPN" — Tailscale is honestly the fastest path. 10-minute setup and it's secure by default (WireGuard under the hood).
Whatever you do, don't expose the printer directly to the internet. That's how you end up on Shodan with someone printing ASCII art on your office HP.
AntFirm4593@reddit
Dont all wireless printers only work on the same network..???
unless it has some direct-bluetooth feature
Low_Carpenter826@reddit (OP)
If you read what I posted hp offers a print from anywhere feature but requires the app first. If you’re on the same network it shows up as a printer listed
IlPassera@reddit
Yeah... that's been the standard for over a decade. You're managing security staff? Jfc
Low_Carpenter826@reddit (OP)
Nothing fills me with joy more than someone acting like a prick in response to a technical question. Jfc
JeopPrep@reddit
The Internet Printing Protocol was designed for this challenge.
Elensea@reddit
We use universal print because it’s included with our business premium licenses.
andocromn@reddit
Until something goes wrong and the printer decides that 1 page job was actually 100000 pages of random text and uses up its entire 5000 sheet reservoir of paper printing useless garbage all weekend
shiranugahotoke@reddit
Option A: Get a real printer and use VLAN’s, L3 routing, and ACL’s. Option B: Use a print service with a real print from anywhere feature. Probably also need an enterprise class printer for driver support.