The following architecture overview diagrams show the key components and services of uniFLOW Online and the general data flow between them.
uniFLOW Online overview
uniFLOW Online is delivered as a pure Software-as-a-Service (SaaS) built natively on the Microsoft Azure Web Service platform.
Microsoft Azure data centers ensure maximum security by encrypting data according to industry-standard protocols. TLS 1.2 protects data in transit between Microsoft cloud services, and TLS 1.2 is the minimum protocol for all uniFLOW Online deployments and the components involved in the solution. TLS 1.3 with Perfect Forward Secrecy (PFS) is used for Canon imageRUNNER and Canon imageFORCE devices, and browser connections where supported. All uniFLOW Online client components connect to the solution via HTTPS and are authenticated using OAuth 2.0 to ensure authenticity. Connections are only ever outbound from the customers' network to uniFLOW Online.
All uniFLOW Online customer data at rest is stored in Azure Storage Accounts and is encrypted and decrypted transparently using 256-bit AES encryption.
As part of the uniFLOW Online service offering, customers can integrate their own components and infrastructure into the configuration. This includes email communication and print and scan data storage. If implemented, these components replace the respective services provided by uniFLOW Online. All connections are established via HTTPS and use industry-standard protocols and technologies.
User authentication is handled via the recognized standard protocols WS-Federation and OpenID Connect. This ensures the customer can integrate their own identity management solution with uniFLOW Online and fully control the security and policies applied to end-users for login and authentication (conditional access, MFA, etc.).
uniFLOW Online Web Services – These are the core web services that make up the uniFLOW Online solution and run on Azure Web Services.
NTWOIS – This is the NT-ware OAuth Identification Service. The service is responsible for issuing, validating, and refreshing the access tokens that all components need to authenticate securely with uniFLOW Online.
Real-time connection platform (IoT Hub) – This managed service acts as the central message hub for bidirectional communication between uniFLOW Online and the supported client components (devices) it manages, such as the uniFLOW SmartClient and Canon MEAP/AddOn Platform devices.
Filing Assist/Scan Center – This is the uniFLOW Online scan job automation and workflow processing service. It allows the end-user to handle scan workflows that require manual interaction directly from their computer instead of having to finish and send each scan at the device itself.
**Multi-vendor embedded applet support is currently available on Lexmark devices. See our documentation for further details.
Device onboarding process
To connect a device to uniFLOW Online, an onboarding process is required, which is handled via the Device Setup Utility (DSU). The DSU is provided in two different formats.
Both DSU options can be used to register a device with uniFLOW Online. Which option is required depends on the customer's requirements and the environment/network setup.
DSU – Local UI Version: Only requires the device being onboarded to have an internet connection.
Overview of the onboarding process
Option 1: DSU - Local UI Version
1a. - A device registration key is entered into the setup utility on the printer UI. This identifies which uniFLOW Online tenant the device will be connected to.
1b. - The Local UI Version is downloaded from the Canon Content Delivery Service (device02.c-cdsknn.net, device.c-cdsknn.net, a02.c-cdsknn.net).
1c. - Device-specific information needs to be checked and validated to ensure the correct applications are delivered and installed on the device. The printer-specific information is already known because the device setup utility applet is installed directly on the printer.
1d. - Connection is made to the NT-ware Global Hosted Services. The printer connects via HTTPS port 443 to nt-ware.com to determine which applications must be installed on the printer. The check is done based on the device's serial number/specification ID (obtained in step 1c).
1e. - The local setup utility provides a link to download the required applications (download.nt-ware.net). The download is via HTTPS on port 443. Some legacy device models need to download the applets via HTTP on port 80.
1f. - Applications are downloaded/installed onto the device directly.
1g. - Once the applets are installed and running, the device will register with uniFLOW Online and has to request a valid access token (NTWOIS) for authentication with uniFLOW Online.
1h. - The device is successfully registered and connected to uniFLOW Online.
Option 2: DSU - Windows Version
2a. - A device registration key is entered into the Windows Device Setup Utility. This identifies which uniFLOW Online tenant the device will be connected to.
2b. - Device-specific information needs to be checked and validated to ensure the correct applications are delivered and installed on the device. The printer IP address is entered into the DSU UI, and the printer is then queried over the local network using the CPCA protocol to retrieve the required device information.
2c. - Connection is made to the NT-ware Global Hosted Services via HTTPS port 443 (nt-ware.com) to determine which applications must be installed on the printer. The check is done based on the device's serial number/specification ID (obtained in step 2b).
2d. - The setup utility provides a link to download the required applications (download.nt-ware.net). The download is via HTTPS on port 443. Some legacy device models need to download the applets via HTTP on port 80.
2e. - The device is instructed by the DSU to download the apps via the provided links.
2f. - The device downloads the required applications via the provided links.
2g. - Alternatively, the applications are downloaded to the DSU, and the device is instructed to download the applets from the local PC. They are then sent via the local network to the device*.
2h. - Once the applets are installed and running, the device will register with uniFLOW Online and has to request a valid access token (NTWOIS) for authentication with uniFLOW Online.
2i. - The device is successfully registered and connected to uniFLOW Online.
*By default, the DSU Windows Version will provide the download link for the applets to the printer to download directly. If the “Enable Administrative Privileges” option is selected in the DSU, the applets are downloaded to the PC running the DSU first and are then transferred to the device via the local network.
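The onboarding steps above give a complete picture of the outbound connections a device or DSU PC makes, which can be turned into a simple egress audit of proxy logs. The following Python is an added example, not NT-ware code; the host names and ports are those named in Options 1 and 2, while the log line format and the sample log lines are constructed assumptions.

```python
"""Audit egress seen during uniFLOW Online device onboarding (Options 1 and 2).

Added example, not NT-ware code. The destination hosts and ports are the ones
named in the onboarding steps; the proxy log lines are constructed sample data
and their format is an assumption.
"""
from collections import Counter

# Destinations the onboarding steps name, with the ports those steps allow.
ONBOARDING_EGRESS = {
    "device02.c-cdsknn.net": {443},     # Canon Content Delivery Service (step 1b)
    "device.c-cdsknn.net": {443},
    "a02.c-cdsknn.net": {443},
    "nt-ware.com": {443},               # NT-ware Global Hosted Services (1d, 2c)
    "download.nt-ware.net": {443, 80},  # applet download; 80 only for legacy models
}

# Constructed proxy log lines: "<timestamp> <source> -> <host>:<port>"
SAMPLE_LOG = [
    "2024-06-01T09:00:01Z printer-01 -> device02.c-cdsknn.net:443",
    "2024-06-01T09:00:05Z printer-01 -> nt-ware.com:443",
    "2024-06-01T09:00:09Z printer-01 -> download.nt-ware.net:443",
    "2024-06-01T09:01:12Z printer-07 -> download.nt-ware.net:80",
    "2024-06-01T09:02:30Z printer-07 -> updates.example.invalid:443",
    "2024-06-01T09:03:00Z dsu-pc-01 -> nt-ware.com:8443",
]

def parse_line(line):
    """Return (source, host, port) from one constructed log line."""
    _ts, src, _arrow, target = line.split()
    host, port = target.rsplit(":", 1)
    return src, host, int(port)

def classify(host, port):
    """'ok', 'plaintext' (legacy HTTP applet download) or 'unexpected'."""
    allowed = ONBOARDING_EGRESS.get(host)
    if allowed is None or port not in allowed:
        return "unexpected"
    return "plaintext" if port == 80 else "ok"

def audit(lines):
    """Map each source to the list of (host, port, verdict) it produced."""
    report = {}
    for line in lines:
        src, host, port = parse_line(line)
        report.setdefault(src, []).append((host, port, classify(host, port)))
    return report

def summarize(report):
    """Count verdicts across all sources, e.g. {'ok': 3, 'plaintext': 1, ...}."""
    return dict(Counter(v for entries in report.values() for _, _, v in entries))

if __name__ == "__main__":
    for src, entries in audit(SAMPLE_LOG).items():
        for host, port, verdict in entries:
            print(f"{src:12} {host}:{port:<5} {verdict}")
```

A "plaintext" verdict marks the legacy HTTP port 80 applet download the steps mention, so those devices can be tracked and the exception reviewed; "unexpected" covers anything outside the documented host/port set.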
External storage account
Customers can integrate their own Azure infrastructure into a uniFLOW Online configuration. This enables print and scan job data to be stored in an Azure Storage Account outside the uniFLOW Online infrastructure. This gives customers complete control of how print and scan job data is stored and accessed by their uniFLOW Online tenant.
With this configuration, the customer can use their own Customer-managed keys (CMK) for encryption at rest for print and scan job data.
Print and scan job data is uploaded to uniFLOW Online via HTTPS and then securely transferred to the external Azure Storage Account. This process is authenticated and authorized via a Shared Access Signature (SAS token) made available to uniFLOW Online through the customer's Azure Key Vault. Access to the key vault and the token is strictly controlled via an Azure app registration managed by the customer, following a least-privilege approach.
uniFLOW Online retrieves print and scan job data on demand, e.g. for print job processing and release, and for scan job processing and delivery to the scan destination. At all other times, the data remains within the customer's Azure Storage Account.
All other customer base data, such as user information, configuration data, printer information, and statistics, is stored in the Azure Storage Accounts provided by uniFLOW Online.
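The least-privilege control on the SAS token is something the customer owns, so it is worth checking the token before it goes into Key Vault. The following Python is an added example, not NT-ware or Microsoft code: it reads the standard SAS query parameters and flags settings wider than the external storage account integration needs. The permission set it treats as needed and the lifetime limit are policy assumptions, and the sample tokens are constructed with a placeholder signature.

```python
"""Least-privilege review of a SAS token handed to uniFLOW Online via Key Vault.

Added example, not NT-ware or Microsoft code. It reads the standard SAS query
parameters (sp, se, spr, sr, ss, srt) and flags settings wider than an external
storage account integration needs. NEEDED_PERMS and MAX_LIFETIME are policy
assumptions; the sample tokens are constructed and carry a placeholder signature.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

NEEDED_PERMS = set("rcwdl")          # read, create, write, delete, list (assumption)
MAX_LIFETIME = timedelta(days=365)   # policy choice, not a vendor requirement
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed tokens; "sig" is a placeholder, not a real signature.
GOOD_SAS = "sv=2022-11-02&sr=c&sp=rcwdl&se=2024-12-31T23:59:59Z&spr=https&sig=PLACEHOLDER"
WEAK_SAS = ("sv=2022-11-02&ss=bfqt&srt=sco&sp=rwdlacupx"
            "&se=2030-01-01T00:00:00Z&spr=https,http&sig=PLACEHOLDER")

def parse_sas(token):
    """Split a SAS query string (with or without a leading '?') into a dict."""
    return {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}

def check_sas(token, now=None):
    """Return a list of findings; an empty list means the token passes policy."""
    now = now or datetime.now(timezone.utc)
    p = parse_sas(token)
    issues = []
    if "ss" in p or "srt" in p:        # account SAS fields: scope is the whole account
        issues.append("account SAS: covers the whole storage account; use a service SAS")
    if p.get("spr") != "https":        # omitted spr allows http as well
        issues.append("spr: token not restricted to HTTPS")
    extra = set(p.get("sp", "")) - NEEDED_PERMS
    if extra:
        issues.append("sp: permissions beyond need: " + "".join(sorted(extra)))
    if "sr" in p and p["sr"] not in ("c", "b"):
        issues.append("sr: scope wider than one container or blob")
    se = p.get("se")
    if not se:
        issues.append("se: no expiry set")
    else:
        expiry = datetime.fromisoformat(se.replace("Z", "+00:00"))
        if expiry.tzinfo is None:      # date-only form, treat as UTC
            expiry = expiry.replace(tzinfo=timezone.utc)
        if expiry <= now:
            issues.append("se: already expired")
        elif expiry - now > MAX_LIFETIME:
            issues.append("se: lifetime exceeds MAX_LIFETIME")
    return issues

if __name__ == "__main__":
    for name, tok in (("GOOD_SAS", GOOD_SAS), ("WEAK_SAS", WEAK_SAS)):
        print(name, check_sas(tok, SAMPLE_NOW) or ["passes"])
```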
Job submission data flow
uniFLOW Online supports an extensive array of job submission options to meet customer requirements.
All job uploads are handled via HTTPS (minimum TLS 1.2), and all clients are authenticated via OAuth 2.0. The exception is the email print/guest print functionality, where uniFLOW Online receives jobs via email; the protocol used is IMAP over SSL/TLS on port 993.
The maximum file size that can be uploaded to uniFLOW Online is 150 MB.
Depending on the input method, some print jobs may be subject to a conversion process to convert them into a format that the output printers can understand/process. Due to this, there can be multiple copies of a single job (raw job data, print job data, converted job data). All files are stored encrypted at rest in an Azure Storage Account and are subsequently removed once a job has been successfully printed/deleted from uniFLOW Online.
NOTE: If an External Storage Account is configured for a uniFLOW Online tenant, jobs are stored at rest in the external Azure Storage Account and not in uniFLOW Online.
Print job release – cloud storage
All print job release requests are handled via uniFLOW Online; this communication is via HTTPS (TLS 1.2).
Print jobs stored in uniFLOW Online are first prepared for printing by the job processing service. At this point, the required finishing options are applied to the job, specific to the output printer on which it will be printed, using the uniFLOW Universal Driver and DIF concept. During this process, the printer that requested the job release monitors the progress and waits for confirmation that job processing is complete and the job is ready for download.
The device is then instructed to download the job directly* via HTTPS (TLS 1.2), and the job is printed out.
*This applies to Canon MEAP/AddOn Platform, eULM, and Canon SFP devices. For any third-party devices connected via uniFLOW Release Station, a uniFLOW SmartClient for Windows is required to download and process the print job.
Print job release – local storage
By default, all print job release requests are handled via uniFLOW Online, which communicates via HTTPS (TLS 1.2). This applies to jobs stored in the cloud and print jobs held locally, e.g. on the uniFLOW SmartClient for Windows.
If the print job is stored locally on the end-user's PC (uniFLOW SmartClient for Windows), then once uniFLOW Online has received the release request, a print job processing event is sent to the real-time connection platform (IoT Hub). The uniFLOW SmartClient receives this notification over its IoT Hub connection and knows that a local print job must be processed and sent directly to an output printer. Communication with the IoT Hub uses standard protocols such as MQTT, either native or over WebSocket. The native connection uses port 8883 (TLS), and the WebSocket connection uses HTTPS on port 443.
Once a job has been prepared for printing (the same process as in uniFLOW Online), it is sent directly to the output printer. The protocol and port used depend on the output printer's capabilities.
Scanning overview
All uniFLOW Online scanning components communicate using HTTPS (TLS 1.2) to ensure the security of customers' scan data. The destinations available to the user depend on the tenant configuration.
Apart from the scan to myself/email scan profiles, all users have to complete a connection process before they can scan to a cloud destination. This authorization process is based on OAuth 2.0. This allows the scan job to be sent in the context of the logged-in user and guarantees that only authorized users can access the scanning feature.
The scan process is summarized below and assumes the user has already completed the connection process.
1. User logs into the device and performs a scan; the scanned images are uploaded to uniFLOW Online via HTTPS (TLS 1.2).
2. The image files are temporarily stored in an Azure Storage Account encrypted at rest.
3. The scan is processed based on the configured scan profile parameters defined within the uniFLOW Online tenant.
4. The Scan Processing Service handles any image processing and conversion. This includes, but is not limited to, operations such as zone OCR, conversion to the required output format (e.g. PDF), document splitting, and image clean-up.
5. The finalized scan is uploaded to the chosen cloud destination via its REST API; the communication is via HTTPS (TLS 1.2) and is authenticated via OAuth 2.0 using the token the end user granted during the connection process completed before scanning.
5a. For any jobs that need to be sent to a local system via the “Scan to local folder” scan profiles, the real-time communication platform (IoT Hub) notifies the Local Server Agent for uniFLOW Online, running in the customer's local network, that a scan job and its metadata (optional) are available for download. The scan job is downloaded via HTTPS (TLS 1.2).
5b. The Local Server Agent for uniFLOW Online will transfer the job to a local folder or file server via the SMB protocol using a locally stored (encrypted) username and password with the required permissions to the local folder/file server.
*A uniFLOW server in Hybrid configuration can be configured to pick up scan jobs from the local folder via Hotfolder monitoring, allowing further local scan processing to be applied to meet customers' more complex scanning requirements.