A Best Practice Guide for Hybrid Cloud Print Deployment

This Best Practice Guide is designed to guide you through the best way to plan for, and deploy EveryonePrint HCP, in a proof of value, or production environment.


This will show the need for correct planning, ensuring that the environment, print devices, and end user computers are going to function first time, and provide an easy and smooth implementation.

The guide is split into three phases and should be followed in order. This ensures the environment is correct, the gateway and authentication are functional before installation of devices.

The indented audience for this document is technical pre and post sales consultants/technicians.

This document is for EveryonePrint HCP partners / resellers only

Design & Documentation - Phase 1


Ensure pre-sales questionnaire is completed to gain valuable information from the customer.

Ensure pre-deployment documentation / planning including the following points below, and success criteria are completed.


Please consult the manual and ensure that the required ports are open for communication internally, from PC to Printer, Printer to Gateway / Primary and ensure these ports are communicated to the customer beforehand.


Ensure you understand the client infrastructure. Examples are internet only, or corporate LAN/WAN connectivity. Create a solution diagram to ensure your customer is aware of the overall design and data flow.

Access Control & Authentication

Plan access control requirements for the deployment.

Understanding Authentication Provider Groups are necessary for a successful deployment of HCP.  Attempting to deploy using local accounts, then moving to the auth provider group may cause issues, and delays with customers having to create the groups required.

An HCP tenant is pre-set with Access Controls by default to help for a quick start.

Add new [Local Groups] for example when needing several individual to be Administrators of the tenant, and add the users in this group - Access Control will then be setup for this group instead of many different individual users. Remove any duplicate or unused Access Controls to keep the list logical, simple and easy to maintain.

Ensure your customer is aware of the requirements to configure Authentication. 

Set up - Phase 2

The set-up phase is important to complete before the installation on the customers hardware. This will allow for troubleshooting prior to the installation, allowing the install time to be used effectively.

Set up the gateway (if required), secure queue, authentication, access control and PC Client. Below are further details on these best practices.


Gateways can be virtual, physical or a combination of both depending on the client requirements. Gateways are classed as an endpoint, so once installed, you need to ensure that the gateway authorised in the portal prior to continuing. Also, the gateway needs to be fully mapped in the web portal to a fully qualified domain name, or IP address. Add this into the "domains" section in Settings, and in the Gateway Settings, use the drop down to assign the FQDN or IP address to the gateway. 

High Availability Requirements

HCP provides an array of features to implement a highly available and scalable solution. How this is achieved is primarily dependent on the customer requirements and infrastructure availability. Features include:

  • PC Client Direct Offline Printing as of version 3.16. Further reading can be in the product documentation.
  • Secondary Gateway Server offline cache
  • Application-level load balancing and redundancy distributes requests across two or more Secondary Gateway Servers in a round robin configuration automatically within HCP. The following HCP services support application-level load balancing and failover:
    • API
    • IPP
    • Authentication
    • Converter
    • Document Output
    • Mobile Print
    • Message
  • Support for load balancing of HCP services including Terminal Client Services using dedicated Network Load Balancers[1]
    • More information on NLBs to be released shortly. 

Careful consideration must be made when weighing these options against features within a customer’s environment such as VM HA/Snapshots and Cold Spare servers to implement a solution which meets the customers RTO (Return Time Objective) and RPO (Return Point Objective).

[1] Note: Web Based Embedded Client applications such as Xerox and Sharp are not supported as the device manufacturers application platform does not provide the necessary features to make this possible.

Queues and Printers

Ensure a single Secure Print / Pull Queue is created at this stage.

If your customer has a large number of printers to set up, using our API can allow for bulk creation of printers. Planning for API for all printers is a useful task to undertake. 


The authentication provider should have been defined in the documentation phase and should be set up and tested.

This includes Azure AD and information on Conditional Access Policy can be found in the linked article. 

Access Control

Using the details provided in the planning stage, make sure you set access control before moving on.

Utilising the correct accounts and groups now ensures a smooth deployment.

Simple errors such as users not getting provided the queues are normally down to access control configuration is not set correctly.

PC Client

To test the connection between the client computers and the cloud environment manually install the PC client and complete the connection test.

Now set the client to the preferred authentication provider and ensure the single secure print queue has synchronised correctly.

Send a print job and ensure you can see this in “pending jobs” within the portal.  

With a functional PC Client at this stage, define the silent installation flags needed for the customers' preferred deployment mechanism. Ensure your customer knows how to create an MSI if using SCCM.


Ensure that the customers SMTP server is set up in messaging. For a production environment it is not best practice to use an unauthenticated SMTP server.

Get this set up before you move into production, so any e-mail issues are not your responsibility!

This functionality is not a required aspect and is generally only used for generating items such as a ShortID or a One Time Password for the user accounts, and in some instances scan-to-email via the embedded application. You may skip this step if it is not applicable to your configuration, and leave the settings as they are.

Installation - Phase 3

Once the configuration of the portal has been completed following the above steps, now is the time to configure the hardware. Many installations that have had issues, are when hardware is not configured correctly, or set up before other important parts of the solution. 

Printer Hardware Configuration

Many devices have their own set of pre-requisites and best practices. We have listed the major brands here, and continue to add to this section


  • Latest Firmware
  • Mandatory Factory Reset
  • No other Print Management applications installed / active.
  • Be aware of the device admin password in order to install the embedded software
    • Workpath
      • Make sure that Mobileprint within HCP has been enabled and set to the cloud service.
      • Install Workpath apps from the Command Center
      • The authentication app needs to point to the correct HCP instance/tenant, this setup can be done in Command Center prior to the installation.
      • Lock device via the Embedded Web Server or similar tool.
    • OXPD
      • Ensure that the HP device and gateway can communicate using DNS
      • Create a certificate within HCP, based on the DNS name of the gateway.

Ricoh SOP

  • Latest Firmware
  • Preferred Factory Reset
  • No other Print Management applications installed / active.
  • Follow the KB Article for best practice installations.

Konica Minolta OpenAPI

  • Latest Firmware
  • Preferred Factory Reset
  • No other Print Management applications installed / active.
  • Ensure the Web Browser is enabled (Networking --> Web Browser --> Web Browser Settings)
  • Ensure that TCP Sockets is enabled for SSL (Networking --> TCP Sockets)
  • Ensure that OpenAPI is set to SSL Mode and using the default port 50003 (Networking --> OpenAPI Settings)
  • Ensure that the ‘Print Without Authentication’ option is set to allow Color (User Auth --> Print without Authentication) otherwise all print traffic will print as Black and White.


  • Latest Firmware
  • Preferred Factory Reset
  • No other Print Management applications installed / active.
  • Mobileprint Service active on HCP portal
  • Ensure KM IWS tool is on a PC on the local network to the MFD device
  • Ensure default port 8091 is open between IWS Install tool and MFD
  • Follow instructions in the technical manual.


  • Latest Firmware
  • Preferred Factory Reset
  • No other Print Management applications installed / active.

Embedded Deployment

Once you have prepared the device(s) for the installation, please ensure the password is correct within the Embedded Configuration, as an incorrect password will cause an error.

Test on a single device for a deployment.

Allow devices to fully reboot and show in portal as installed before attempting to log in – devices may be setting up comms channels and logging in early could affect this configuration step.

If the installation is not successful, check the log files on the gateway (if applicable) for issues.