Secure On-Premise Printing From Oracle Fusion BI Publisher Using OCI

October 28, 2022 | 6 minute read
Ben Woltz
Principal Cloud Architect

Introduction

Oracle Fusion applications, such as Business Intelligence (BI), allow customers to print directly to an on-premise printer.  Oracle Fusion has detailed instructions on how to set up this printing using two options:

  1. Print from Oracle Fusion over the public Internet to an on-premise printer or print server in a Demilitarized Zone (DMZ), secured via Secure Sockets Layer (SSL) certificates

  2. Use a Virtual Private Network (VPN) tunnel from Oracle Fusion to on-premise

Some customers have asked for another option to perform this on-premise printing in a secure way.  This blog outlines an alternative solution using Oracle Cloud Infrastructure (OCI).

For more information on the Oracle Fusion on-premise printing setup and instructions, see the link below:

https://support.oracle.com/knowledge/Oracle%20Cloud/1964157_1.html

Solution Components and Design

The solution includes the below components:

  • Virtual Cloud Network (VCN) with a public subnet

  • Public Load Balancer

  • Internet Gateway

  • FastConnect or VPN tunnel from OCI to on-premise

  • On-premise printer and/or print server (recommended)

The diagram below uses Ashburn as the OCI region; however, you can deploy this in any OCI region.

[Diagram: Fusion On Prem Printing Design]

Solution Requirements

The requirements for this solution are outlined below and are assumed to already be in place.  The steps to set them up are not included in this blog.

  • Existing OCI tenancy

    • If you do not have an existing OCI tenancy, reach out to your Oracle account team for assistance with obtaining one

  • VCN using a Classless Inter-Domain Routing (CIDR) block that does not overlap with your on-premise network

  • Public subnet with an Internet Gateway, Dynamic Routing Gateway, and associated route table rules

  • FastConnect or VPN from OCI to on-premise

  • External Domain Name Service (DNS) zone in which you can create an 'A' record that resolves to the public IP address of the public load balancer

  • The print server must present a valid SSL certificate signed by a trusted Certificate Authority (CA) such as Go Daddy, Verisign, etc.  Please ensure you are using only certificates that are supported by Fusion. Please refer to Doc ID 2406398.1 for additional details and the list of supported CA certificates. Self-signed SSL certificates are NOT supported.

    • This certificate can be loaded on the print server (recommended) or alternatively you can load it onto the public load balancer.  The steps below will assume the certificate has already been loaded on the print server on-premise.

 

Implementation Steps

Provision the public load balancer

  1. Under Networking in the OCI console select Load Balancers and click Create Load Balancer

  2. Select the standard Load Balancer as the type and click Create Load Balancer

  3. Give the Load Balancer a name

  4. Select Public as the visibility type

  5. Select either Ephemeral (Default) or Reserved for the IP address.  An ephemeral IP address is assigned for the life of the load balancer; when you terminate the load balancer in the future, the IP goes back into the pool.  A reserved IP address can be reused for something else after you terminate this load balancer.

  6. Select Flexible Shapes as the shape

  7. Select the minimum and maximum bandwidth for the flexible shape.  For the purposes of this solution, the smallest bandwidth option of 10Mbps should be sufficient; however, the bandwidth required will depend on your actual usage.

  8. Select the VCN and the public subnet for this load balancer and click Next

  9. For Backends, the Load Balancing Policy does not matter for this solution because we will only have one backend, so you can leave it on the default Weighted Round Robin.

  10. Do not add backends at this time; we will add the print server as the backend later.
    NOTE: If you add a backend on this page, it will only allow you to add an OCI instance as a backend, and we want to add a backend via an IP address for the on-premise print server.  You can only add a backend as an IP address after you provision the load balancer (see next section).

  11. For the health check policy, select TCP as the protocol and 443 as the port, and click Next
    NOTE: Your routing and security lists must allow TCP/443 from this load balancer to the on-premise print server.  This includes any egress security list or network security groups for the public subnet, routing over the FastConnect or VPN, and any on-premise firewalls.

  12. Give the listener a name

  13. Select TCP as the listener type and 443 as the port, and click Next.
    NOTE: Selecting HTTPS as the listener is another option; however, this will force you to install the SSL certificate on the load balancer to terminate the SSL session.  For this blog, we want the load balancer to tunnel the SSL to the on-premise print server where the SSL certificate will be installed.

  14. You can leave the logs as default on the next page and click Create Load Balancer

Add the on-premise print server as the backend

  1. Under Networking in the OCI console select Load Balancers and select the load balancer you created above

  2. Click Backend Sets on the left side menu under Resources

  3. Click on the Backend Set

  4. Click on Backends on the left side menu under Resources

  5. Click Add Backend

  6. Select IP Addresses at the top

  7. Enter the IP Address of your on-premise print server, enter port 443, and click the Add button

If everything is working correctly, you should see your backend health go green and OK after a few minutes, which means the load balancer can successfully reach the on-premise server via TCP/443.  You may need to adjust your security lists, network security groups, on-premise firewalls, and routing to make sure the backend communication is successful.

Update the network security list, external DNS, and SSL certificate

  1. Add an ingress rule to the security list that is applied to the public subnet where the load balancer is.  Allow traffic from the public Fusion BI subnet on IP Protocol TCP and destination port 443.

    1. See the following link for the public IP ranges https://support.oracle.com/knowledge/Oracle%20Cloud/1964157_1.html

  2. Create or modify your external DNS to resolve to the public IP of the load balancer

    1. For example, create a DNS A record for printer.customer.com that resolves to the public IP of your load balancer

  3. Install the SSL certificate with hostname printer.customer.com on your on-premise print server
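Because the listener is public, the ingress rule in step 1 is the control that decides who can reach the print server on TCP/443. The script below is an added example, not part of the original post or of any Oracle tooling: it audits a security list's ingress rules against the Fusion source ranges. It assumes rules in the kebab-case key style of `oci network security-list get` output, and both the CIDR ranges and the sample rules are constructed placeholders.

```python
import ipaddress

# Constructed placeholder (RFC 5737 documentation range), not a real Fusion range.
# Replace with the ranges published in the Oracle support note linked above.
FUSION_RANGES = ["192.0.2.0/24"]

# Constructed sample rules, assumed to follow the OCI CLI JSON key style.
SAMPLE_RULES = [
    {"protocol": "6", "source": "192.0.2.0/24",
     "tcp-options": {"destination-port-range": {"min": 443, "max": 443}}},
    {"protocol": "6", "source": "0.0.0.0/0",
     "tcp-options": {"destination-port-range": {"min": 443, "max": 443}}},
    {"protocol": "1", "source": "0.0.0.0/0", "icmp-options": {"type": 3, "code": 4}},
    {"protocol": "6", "source": "198.51.100.0/24", "tcp-options": None},
]

def admits_tcp_443(rule):
    """True if the rule lets TCP/443 in. Protocol '6' is TCP, 'all' is every protocol."""
    if rule["protocol"] == "all":
        return True
    if rule["protocol"] != "6":
        return False
    ports = (rule.get("tcp-options") or {}).get("destination-port-range")
    # A TCP rule without a destination port range covers every port.
    return ports is None or ports["min"] <= 443 <= ports["max"]

def audit_ingress(rules, fusion_ranges=FUSION_RANGES):
    """Return (exposed, uncovered): rules admitting 443 from outside the Fusion
    ranges, and Fusion ranges that no rule admits (printing would fail)."""
    allowed = [ipaddress.ip_network(r) for r in fusion_ranges]
    exposed, covered = [], set()
    for index, rule in enumerate(rules):
        if not admits_tcp_443(rule):
            continue
        if rule.get("source-type", "CIDR_BLOCK") != "CIDR_BLOCK":
            continue  # service-label sources are out of scope for this check
        src = ipaddress.ip_network(rule["source"], strict=False)
        same = [a for a in allowed if a.version == src.version]
        if not any(src.subnet_of(a) for a in same):
            exposed.append((index, str(src)))
        covered.update(a for a in same if a.subnet_of(src))
    uncovered = [str(a) for a in allowed if a not in covered]
    return exposed, uncovered

if __name__ == "__main__":
    exposed, uncovered = audit_ingress(SAMPLE_RULES)
    for index, src in exposed:
        print(f"rule {index}: TCP/443 open to {src}, outside the Fusion ranges")
    for cidr in uncovered:
        print(f"no ingress rule admits Fusion range {cidr} on TCP/443")
```

Network security groups attached to the load balancer are evaluated in addition to security lists, so a clean result here does not cover rules defined there.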

Configure the Fusion BI Publisher Printer

  1. Log into the ‘BI Publisher’ application as a user with the ‘BI Administrator’ role.

  2. Click on the ‘Administration’ link on the top-right corner of the UI.

  3. Click on the ‘Printer’ link under ‘Delivery’.

  4. Click on ‘Add Server’ to set up a new printer

  5. Enter the following required fields to setup the printer and click Apply

    1. Server Name - Enter a unique name. Example: FinancePrinter

    2. URI - Enter the Uniform Resource Identifier for the printer.  Example: ipp://printer.customer.com/printers/.printer1

    3. Enter printer credentials and select Authentication Type and save the printer

You should now be able to print from Fusion BI Publisher to your on-premise print server through the public load balancer.

 

Ben Woltz

Principal Cloud Architect

Ben Woltz is a Principal Cloud Architect for OCI with over 25 years of experience in the IT networking space.  During those 25 years, his career has included working for both enterprises and service providers and his roles have spanned from delivery and support to sales.  He applies the experience he's gained from this broad background to his current role with Oracle where he helps Oracle's customers ensure their solutions are designed for successful deployment in the cloud.  

