Documentation / Knowledge Base
Printing to devices behind an Enclave Gateway¶
When printing to a network printer located behind an Enclave Gateway, print jobs may fail even though the Gateway Access Policy appears to be correctly configured. This article explains why this occurs and how to configure printers and policies for reliable printing through an Enclave Gateway.
Symptoms¶
- Print jobs fail or time out when sent to printers behind an Enclave Gateway
- Printers show as "offline" despite being reachable by IP
- Printing works from some machines (e.g., RDS servers) but not from endpoints
pingto the printer IP works, but printing does not
Cause¶
There are two common causes:
1. WSD printer ports don't work over gateways¶
Windows Web Services for Devices (WSD) uses Layer 2 multicast traffic for printer discovery and communication. Multicast traffic cannot cross Layer 3 network boundaries, so WSD-configured printers will not work through an Enclave Gateway.
To check if a printer is using WSD, run:
Get-PrinterPort | Select-Object Name, PrinterHostAddress, PortMonitor
If PortMonitor shows WSD Port Monitor, the printer is using WSD and must be reconfigured to use a Standard TCP/IP port instead (see Resolution below).
2. Missing SNMP access for printer status¶
Windows polls printers via SNMP (UDP port 161) to check their status. If SNMP traffic is blocked by the Gateway Access Policy, Windows may report the printer as offline even when it's reachable.
To check if SNMP is enabled on a printer port:
Get-PrinterPort | Select-Object Name, PrinterHostAddress, SNMPEnabled
Resolution¶
Step 1: Use Standard TCP/IP ports¶
Reconfigure printers to use Standard TCP/IP ports instead of WSD. This ensures all printer traffic uses unicast TCP, which gateways can forward reliably.
Step 2: Configure Gateway Access Policy ACLs¶
Ensure your Gateway Access Policy allows the required ports. At minimum, include:
| Port | Protocol | Purpose |
|---|---|---|
| 9100 | TCP | Print data (RAW/JetDirect) |
| 161 | UDP | SNMP (printer status) |
If using LPR or IPP instead of RAW printing, substitute port 515 or 631 for 9100.
Other common printer ports:
| Port | Protocol | Description |
|---|---|---|
| 9100 | TCP | RAW / JetDirect (most common) |
| 515 | TCP | LPR / LPD |
| 631 | TCP | IPP (Internet Printing Protocol) |
Step 3: Test connectivity¶
Verify network connectivity to the printer:
# Test TCP connectivity to the print port
Test-NetConnection -ComputerName 192.168.0.x -Port 9100
# Test if IPP is available (if using port 631)
Test-NetConnection -ComputerName 192.168.0.x -Port 631
Replace 192.168.0.x with your printer's IP address.
Step 4: Verify printer status¶
After configuring the policy, check that Windows can see the printer as online:
Get-Printer | Select-Object Name, PrinterStatus, WorkOffline
If WorkOffline is True or PrinterStatus is not Normal, SNMP may still be blocked or the printer port is misconfigured.
Notes¶
-
WSD discovery — WSD is primarily a discovery protocol. Once a printer is configured with a Standard TCP/IP port, WSD is no longer involved in printing.
-
Driver installation — When adding a printer via TCP/IP, you may need to manually select or download the correct printer driver.
-
Multiple printers — If you have many printers behind the gateway, consider using a
/24subnet in your policy rather than individual IP addresses.
Having problems? Contact us at support@enclave.io or get help and advice in our community support channels.
Last updated December 23, 2025