Home » Lexmark Manuals » Laser Printers » Lexmark MS818 » Manual Viewer

Lexmark MS818 Embedded Web Server Administrator s Guide - Page 83

RAS and IAS Server

Add to My Manuals
Save this manual to your list of manuals

Page 83 highlights

Appendix 83 Note: The following example usage instructions assume that the Certificate Enrollment Web Services is installed on a Windows 2008 R2 server. 1 Open a web browser, and then type the IP address or host name of the printer in the address field. 2 From the Embedded Web Server, click Settings > Security > Certificate Management > Device Certificate Management. 3 Click Advanced Management to use the Automatic Certificate Enrollment application, and then click Request new Certificate. Note: The screen may refresh for 10 to 15 seconds. During this time, the device is contacting the Certificate Enrollment Web Service on the server and capturing the certificate templates that are available to the device. 4 Return to the Device Certificate Management page, and then click Advanced > Templates. 5 Select any of the following displayed template options to use when requesting a certificate: • IPSec-If you want to install a device certificate that is used for IPSec negotiations. • Web Server-If you want to secure any SSL/TLS connections such as the EWS or LDAP over SSL. • RAS and IAS Server-If you want to install a device certificate that is used for 802.1X negotiations. 6 Click Request Certificate. From this screen, you can customize the certificate for this device. Note: If you want to view the template details first, then click View instead of Request Certificate. 7 If necessary, modify the settings from the Request Certificate page. Notes: • The fields that are filled in with the data and the selected check boxes are the template defaults that were pulled from the CA. You can change them if you choose, but remember that the default templates are generally configured with the appropriate settings by the CA administrator. Changing some settings may cause the request to be denied. • The Collapse/Expand Subject Name link is used to change any of the device information that is used to create or generate a certificate. This includes the same information as the Set Certificate Defaults link under Certificate Management. 8 Click Submit to send the Certificate Signing Request (CSR) to the CA. Note: The screen may refresh for 10 to 15 seconds. During this time, the device is contacting the Certificate Enrollment Web Service requesting the CA signed certificate be generated. 9 If successful, you will return to the Advanced page. The new CA‑signed device certificate with the specified name is included in the list of certificates. If not, an error message is displayed. Note: If a template is specified at the server to require CA administrator approval, then a separate table of pending certificates is displayed. A message indicating that a request is pending admin approval is displayed on the Device Certificate Management screen where the certificate is listed. The certificate is not valid until approved. Once approval is granted, the message disappears and the certificate(s) is displayed in the installed certificates table. If you would like to see the information associated with the new certificate, click the link with the certificate name. The Renew link is used to renew the certificate when the current CA certificate is about to expire (default of 2 years).

Section	Page
Contents	2
Overview	4
Supported devices	4
Simple-security devices	4
Advanced-security devices	4
Supported web browsers	5
Accessing the Embedded Web Server	5
Parts of the Embedded Web Server	5
Understanding helper texts	6
Managing printers	7
Viewing the status of printer	7
Checking the status of parts and supplies from the Embedded Web Server	7
Generating reports and logs	8
Configuring supply notifications from the Embedded Web Server	8
Scanning	10
Creating a scan profile	10
Scanning to a computer using a shortcut number	11
Adding a Scan to Network destination	11
Scan to FTP	11
Configuring the FTP settings	11
Creating an FTP shortcut	12
Scan to e-mail	13
Configuring the e-mail settings	13
Setting up the SMTP server	15
Configuring the weblink option for sending e-mails	16
Configuring the copy settings	16
Configuring the flash drive settings	17
Faxing	20
Setting the fax mode	20
Analog fax setup	20
Configuring the analog fax settings	20
Setting up the fax cover page	21
Configuring the fax send settings	21
Configuring the fax receive settings	22
Configuring the fax log settings	23
Setting the distinctive ring pattern	23
Blocking or banning fax numbers	23
Holding faxes	23
Fax server setup	24
Configuring the fax server e-mail settings	24
Configuring the default scan settings for sending fax though a server	24
Networking	26
Selecting the active network card	26
Connecting to a wireless network	26
Setting up the Address Book	27
Securing printers	28
Understanding the basics	28
Authentication and authorization	28
Groups	29
Access Controls	29
Security Templates	30
Simple-security device access controls	30
Creating a web page password and applying access control restrictions	30
Creating a PIN and applying access control restrictions	31
Advanced-security device access controls	31
Limiting access using Basic Security Setup	31
Advanced-security building blocks	32
Using a security template to control function access	32
Creating a PIN building block for advanced security setup	33
Creating a password building block for advanced security setup	34
Setting up internal accounts	34
Connecting your printer to an Active Directory domain	35
Using LDAP	37
Using LDAP+GSSAPI	39
Configuring Kerberos 5 for use with LDAP+GSSAPI	41
Managing certificates and other settings	42
Installing a Certificate Authority certificate on the device	43
Configuring the device for certificate information	43
Sample certificate request data	44
Creating a new device certificate	44
Viewing, downloading, and deleting a certificate	45
Setting certificate defaults	45
Setting up a Certificate Authority certificate monitor	46
Downloading the Certificate Authority certificates	46
Managing devices remotely	46
Using HTTPS for device management	46
Setting a backup password	47
Setting up SNMP	47
Configuring security audit log settings	48
Updating firmware	50
Managing other access functions	50
Configuring confidential printing	50
Setting login restrictions	51
Enabling and disabling USB host ports	52
Enabling the security reset jumper	53
Enabling Operator Panel Lock	53
Securing network connections	54
Configuring 802.1X authentication	54
Configuring IP security settings	55
Configuring the TCP/IP port access setting	56
Setting the restricted server list	56
Securing data	56
Physical lock	56
Statement of Volatility	57
Erasing volatile memory	58
Erasing non-volatile memory	58
Disk encryption	59
Checking disk encryption status	59
Erasing printer settings	59
Disk file wiping	61
Erasing temporary data files from the hard disk	61
Erasing hard disk data	61
Out-of-service wiping	62
Security solutions	63
Print Release	63
Secure Held Print Jobs	63
Card Authentication	63
Smart Card authentication	63
Security scenarios	64
Scenario: Printer in a public place	64
Scenario: Standalone or small office	65
Scenario: Network running Active Directory	66
Scenario: More security-aware environment (802.1X) and SNMPv3	67
Scenario: Network-based usage restrictions using access card	67
Troubleshooting	69
Embedded Web Server does not open	69
Make sure that the printer IP address is correct	69
Check if the printer is turned on	69
Check if the network connection is working	69
Temporarily disable the web proxy servers	69
Contact your system administrator	69
Login troubleshooting	69
USB device is not supported	69
Make sure that a supported smart card reader is attached	69
Printer home screen fails to return to a locked state when not in use	70
Make sure that the authentication token is installed and running	70
Make sure that Smart Card Authentication is installed and running	70
Login screen does not appear when a smart card is inserted	70
Make sure that the smart card is recognized by the reader	70
KDC and MFP clocks are out of sync	70
Make sure that the date and time settings on the printer are correct	70
Kerberos configuration file is not uploaded	71
Make sure that the Kerberos file has been uploaded	71
Unable to authenticate users	71
Make sure that the Realm specified in the Kerberos settings is in uppercase	71
Domain controller certificate is not installed	71
Make sure that the correct certificate is installed on the printer	71
KDC did not respond within the required time	71
Make sure that the IP address or host name of the KDC is correct	71
Make sure that the KDC is available	71
Make sure that Port 88 is not blocked by a firewall	72
User realm not found in the Kerberos configuration file	72
Make sure that the Windows Domain is specified in the Kerberos settings	72
Cannot find realm on card in the Kerberos configuration file	72
Upload a Kerberos configuration file and make sure that the realm has been added to the file	72
Client is unknown	72
Make sure that the Domain Controller information is correct	72
Login does not respond at “Getting User Info”	72
User is logged out automatically	73
Increase the Panel Login Timeout interval	73
LDAP troubleshooting	73
LDAP lookups take a long time and then fail	73
Make sure that Port 389 (non-SSL) and Port 636 (SSL) are not blocked by a firewall	73
Make sure that the LDAP search base is not too broad in scope	73
LDAP lookups fail almost immediately	73
Make sure that the Address Book Setup contains the host name for the LDAP server	73
Make sure that the Address Book Setup settings are correct	73
Narrow the LDAP search base to the lowest possible scope that includes all necessary users	74
Make sure that the LDAP attributes for the user e-mail address and home directory are correct	74
Held Jobs / Print Release Lite troubleshooting	74
Cannot use the Held Jobs / Print Release feature	74
Add the user to the appropriate Active Directory group	74
Cannot determine Windows user ID	74
Make sure that Smart Card Authentication sets the user ID for the session	74
No jobs available for user	74
Make sure that the Smart Card Authentication sets the correct user ID	74
Make sure that the jobs were sent to the correct printer and were printed	74
Jobs are printing immediately	75
Make sure that Secure Held Print Jobs is installed and running	75
Make sure that all jobs are required to be held	75
Scanning problems	75
A network destination stopped working or is invalid	75
Make sure that the destination is shared and has a valid network address	75
Make sure that the printer is connected to the network	75
Make sure that the user name and password are correct	75
Make sure to specify the domain information of the source file	75
Check the system log	76
Contact your system administrator	76
Cannot scan to the selected destination	76
Make sure that the destination is valid	76
If the printer and destination are in different domains, then make sure that the domain information ...	76
Make sure that the printer is connected to the network	76
Make sure that the user name and password are correct	76
Make sure that the user has permission to save scans to the destination	76
Make sure that a file with the default file name does not exist in the destination	76
Configure the firewall to allow communication with the subnet in which the printer is located	76
Make sure that the printer and destination have the same subnet	77
Make sure that the LDAP settings are configured properly in your printer setup and in the setup dialog	77
Contact your system administrator	77
License error	77
Make sure that the application is licensed	77
Make sure that the license is up-to-date	77
An error occurs when opening a secure PDF file	77
Make sure that the PDF version for the device is not set to A-1a	77
Faxing problems	78
Failure to receive fax from one sender	78
Make sure that the sender used the correct fax number	78
Check if the fax has no caller ID and station name	78
Check if the sender fax number is not blocked	78
Generate fax logs and identify the status message	78
Failure to receive fax from all senders	78
Make sure that the printer is configured to receive faxes	78
If using a distinctive ring service, then confirm that the printer is configured properly to pick up ...	78
Reduce the Max Receive speed	78
Check the fax forwarding setting	79
Make sure that no other phone number is competing with the printer	79
Generate fax logs and identify the status message	79
Failure to send fax to one destination	79
Make sure that you entered the correct fax number	79
Reduce the maximum send speed	79
Generate fax logs and identify the status message	79
Failure to send to all fax destinations	79
Make sure that the printer is not configured for Fax Server mode	79
Make sure that the printer is configured to send faxes	79
Check if you are using a PABX telephone system	80
Confirm that you have entered the proper dialing prefix	80
Reduce the Max Send speed	80
Confirm that you have entered a station ID and station number	80
Generate fax logs and identify the status message	80
Networking problems	80
Printer is not communicating on the network	80
Check the network status	80
Check the printer port access	81
Check the Restricted Server List	81
Make sure that communication is not blocked by a firewall or workplace VPN	81
Appendix	82
Appendix A: CA file creation	82
Appendix B: CA-Signed Device Certificate creation	82
Appendix C: Automatic Certificate Enrollment application	82
Appendix D: Access controls	84
Appendix E: Common Criteria configuration	87
Configuring user access for Common Criteria	87
Notices	89
Edition notice	89
GOVERNMENT END USERS	89
Trademarks	89
GifEncoder	90
ZXing 1.7	90
Apache License Version 2.0, January 2004	90
Glossary of Security Terms	94

Match case Limit results 1 per page

Note:

The following example usage instructions assume that the Certiﬁcate Enrollment Web Services is

installed on a Windows 2008 R2 server.

Open a web browser, and then type the IP address or host name of the printer in the address ﬁeld.

From the Embedded Web Server, click

Settings

Security

Certiﬁcate Management

Device Certiﬁcate

Management

Click

Advanced Management

to use the Automatic Certiﬁcate Enrollment application, and then click

Request new Certiﬁcate

Note:

The screen may refresh for 10 to 15 seconds. During this time, the device is contacting the

Certiﬁcate Enrollment Web Service on the server and capturing the certiﬁcate templates that are available

to the device.

Return to the Device Certiﬁcate Management page, and then click

Advanced

Templates

Select any of the following displayed template options to use when requesting a certiﬁcate:

•

IPSec

—If you want to install a device certiﬁcate that is used for IPSec negotiations.

•

Web Server

—If you want to secure any SSL/TLS connections such as the EWS or LDAP over SSL.

•

RAS and IAS Server

—If you want to install a device certiﬁcate that is used for 802.1X negotiations.

Click

Request Certiﬁcate

. From this screen, you can customize the certiﬁcate for this device.

Note:

If you want to view the template details ﬁrst, then click

View

instead of

Request Certiﬁcate

If necessary, modify the settings from the Request Certiﬁcate page.

Notes:

•

The ﬁelds that are ﬁlled in with the data and the selected check boxes are the template defaults that

were pulled from the CA. You can change them if you choose, but remember that the default

templates are generally conﬁgured with the appropriate settings by the CA administrator. Changing

some settings may cause the request to be denied.

•

The Collapse/Expand Subject Name link is used to change any of the device information that is used

to create or generate a certiﬁcate. This includes the same information as the Set Certiﬁcate Defaults

link under Certiﬁcate Management.

Click

Submit

to send the Certiﬁcate Signing Request (CSR) to the CA.

Note:

The screen may refresh for 10 to 15 seconds. During this time, the device is contacting the

Certiﬁcate Enrollment Web Service requesting the CA signed certiﬁcate be generated.

If successful, you will return to the Advanced page. The new CA

‑

signed device certiﬁcate with the speciﬁed

name is included in the list of certiﬁcates. If not, an error message is displayed.

Note:

If a template is speciﬁed at the server to require CA administrator approval, then a separate table

of pending certiﬁcates is displayed. A message indicating that a request is pending admin approval is

displayed on the Device Certificate Management screen where the certificate is listed. The certificate is

not valid until approved. Once approval is granted, the message disappears and the certiﬁcate(s) is

displayed in the installed certiﬁcates table.

If you would like to see the information associated with the new certiﬁcate, click the link with the certiﬁcate

name. The Renew link is used to renew the certiﬁcate when the current CA certiﬁcate is about to expire (default

of 2 years).

Appendix