Lexmark Multifunction Laser Common Criteria Installation Supplement and Admini
Lexmark Multifunction Laser Manual
View all Lexmark Multifunction Laser manuals
Add to My Manuals
Save this manual to your list of manuals |
Lexmark Multifunction Laser manual content summary:
- Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 1
Common Criteria Installation Supplement and Administrator Guide November 2011 www.lexmark.com Lexmark and Lexmark with diamond design are trademarks of Lexmark International, Inc., registered in the United States and/or other countries. All other trademarks are the property of their respective - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 2
programs described may be made at any time. For Lexmark technical support, visit support.lexmark.com. For information on supplies and downloads, visit www.lexmark.com. If you don't have access to the Internet, you can contact Lexmark by mail: Lexmark International, Inc. Bldg 004-2/CSC 740 New Circle - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 3
3 Contents Overview and first steps 5 Overview...5 Using this guide...5 Supported devices ...5 Operating environment ...6 Before configuring the device (required 6 Verifying physical interfaces and installed firmware 6 Attaching a lock ...7 Encrypting the hard disk ...7 Disabling the USB buffer - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 4
the EWS ...32 Controlling access to device functions...33 Configuring PKI Held Jobs ...33 Controlling access to device functions using the EWS 34 Troubleshooting 37 Login issues...37 "Unsupported USB Device" error message ...37 The printer home screen fails to return to a locked state when not in - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 5
page 44. Supported devices This guide describes how to implement an evaluated configuration on the following models: • Lexmark X548 • Lexmark XS548 • Lexmark X792 • Lexmark XS796 • Lexmark X925 • Lexmark XS925 • Lexmark X950 • Lexmark X952 • Lexmark X954 • Lexmark XS955 • Lexmark 6500e scanner with - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 6
6 Operating environment The instructions provided in this guide are based on the following assumptions and find additional interfaces, or if a DLE card has been installed, then contact your Lexmark representative before proceeding. 6 To verify the firmware version, under Device Information, locate - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 7
and system board cannot be removed, and the security jumper cannot be accessed without causing visible damage to the device. Note: If you are using a Lexmark 6500e scanner with a T650, T652, T654, or T656 printer, then you must attach a lock to both the scanner and the printer. 1 Verify that the MFP - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 8
8 3 Verify that the MFP is in Configuration mode by locating the Exit Config Menu icon in the lower right corner of the touch screen. 4 Scroll through the configuration menus to locate the Disk Encryption menu selection. 5 Touch Disk Encryption > Enable. Warning: Enabling disk encryption will erase - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 9
9 Installing the minimum configuration You can achieve an evaluated configuration on a non-networked (standalone) device in just a few steps. For this configuration, all tasks are performed at the device, using the touch screen. Configuring the device Configuration checklist This checklist outlines - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 10
more of these groups, and then you will apply a security template to each device function to control access to that function. The MFP supports a maximum of 250 user accounts and 32 user groups. Step 1: Defining groups 1 From the home screen, touch > Security > Edit Security Setups > Edit Building - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 11
11 Group name Authenticated_Users Type of user group would be selected for • Administrators permitted to access all device functions • Administrators permitted to use device functions and access the Reports menu • Administrators permitted to use device functions and access the Security menu • Non‑ - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 12
Access controls and required levels of protection Access control Security Menu at the Device Security Menu Remotely Service Engineer Menus at the Device Service Engineer Menus Remotely Configuration Menu Level of protection Administrator access only Administrator access only Administrator access - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 13
13 Access control Level of protection Paper Menu at the Device Authenticated users only Paper Menu Remotely Authenticated users only Reports Menu at the Device Administrator access only Reports Menu Remotely Administrator access only Settings Menu at the Device Administrator access only - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 14
14 Access control Held Jobs Access Use Profiles Change Language from Home Screen Cancel Jobs at the Device PictBridge Printing Solution 1 Solutions 2‑10 New Solutions Level of protection Disabled Authenticated users only Authenticated users only Administrator access only Not applicable-USB port - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 15
certificates Certificates are needed for domain controller verification and for SSL support in LDAP. Each certificate must be in a separate PEM defaults The values entered here will be present in all new certificates generated in the Certificate Management task. 1 From the Embedded Web Server, - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 16
.255 or a DNS address using the format DNS:ldap.company.com. Leave this field blank if you want to use the IPv4 address. 4 Click Generate New Certificate. Note: All fields accept a maximum of 128 characters, except where noted. Viewing, downloading, and deleting a certificate 1 From the Embedded Web - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 17
17 The contents of the file should be in the following format: -----BEGIN CERTIFICATE----MIIE1jCCA76gAwIBAgIQY6sV0KL3tIhBtlr4gHG85zANBgkqhkiG9w0BAQUFADBs ... l3DTbPe0mnIbTq0iWqKEaVne1vvaDt52iSpEQyevwgUcHD16rFy+sOnCaQ== -----END CERTIFICATE----- • Download Signing Request-Download or save the signing - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 18
/UDP 9301/UDP 9302 (NPAP) • TCP 9500/TCP 9501 (NPAP) • TCP 9600 (IPDS) • UDP 9700 (Plug‑n‑Print) • TCP 10000 (Telnet) • ThinPrint • TCP 65002 (WSD Print Service) • TCP 65004 (WSD Scan - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 19
accurately time‑stamped. Note: If your network uses DHCP, then verify that NTP settings are not automatically provided by the DHCP server before manually configuring NTP settings. Using the EWS 1 From the Embedded Web Server, click Settings > Security > Set Date and Time. Note: For information about - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 20
20 3 Under Simple Kerberos Setup, for KDC Address, type the IP address or host name of the KDC (Key Distribution Center) IP. 4 For KDC Port, type the number of the port used by the Kerberos server. 5 For Realm, type the realm used by the Kerberos server. Note: The Realm entry must be typed in all - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 21
21 3 Type the IP address or host name of the Remote Syslog Server, and then select the Enable Remote Syslog check box. Note: The Enable Remote Syslog check box is unavailable until an IP address or host name is entered. 4 Type the Remote Syslog Port number used on the destination server. 5 For - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 22
22 9 If you want the MFP to add a digital signature to e-mail alerts, then set "Digitally sign exports" to On. 10 For "Severity of events to log," select 5 ‑ Notice. The chosen severity level and anything higher (0-4) will be logged. 11 If you want the MFP to send all events regardless of severity - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 23
23 3 Type the Primary SMTP Gateway Port number of the destination server. 4 If you are using a secondary or backup SMTP server, then type the IP address or host name and SMTP port for that server. 5 For SMTP Timeout, type the number of seconds (5-30) the device will wait for a response from the SMTP - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 24
24 6 If you want to receive responses to messages sent from the MFP (in case of failed or bounced messages), then provide a Reply Address. 7 Set Use SSL to Disabled, Negotiate or Required to specify whether e-mail will be sent using an encrypted link. 8 If the SMTP server requires user credentials, - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 25
not be able to access the security menus. To regain access to the security menus, a service call will be required to replace the device RIP card (motherboard). User access Administrators and users control access to that function. The MFP supports a maximum of 250 user accounts and 32 user groups. - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 26
26 Example: Employees in the warehouse will be given access to black‑and‑white printing only, administrative office staff will be able to print in black and white and send faxes, and employees in the marketing department will have access to black‑and‑white printing, color printing, and faxing. - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 27
credentials and group designations can be pulled from your existing system, making access to the MFP as seamless as other network services. Supported devices can store a maximum of five LDAP+GSSAPI configurations. Each configuration must have a unique name. Note: You must configure Kerberos before - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 28
select or clear. When the printer authenticates to the LDAP server, it can provide Active Directory device credentials in addition to supporting anonymous binding or the specified credentials in the MFP's Kerberos Username and MFP's Password fields. • MFP's Kerberos Username-Type the distinguished - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 29
select or clear. When the printer authenticates to the LDAP server, it can provide Active Directory device credentials in addition to supporting anonymous binding or the specified credentials in the MFP's Kerberos Username and MFP's Password fields. • MFP's Kerberos Username-Type the distinguished - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 30
Authentication provides the login screen and authentication mechanism and supports user authorization to the MFP and its functions. alphanumeric. 6 If you want to, provide a custom Logon Screen Text with special instructions for users or a custom Logon Screen Image. Custom screen images must be in - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 31
for a response from the domain controller before moving to the next one in the list. 11 If users are allowed to log in manually, then provide at least one Manual Login Domain (a Windows Domain Name) to choose from when logging in. Multiple domains can be entered, separated by commas. 12 Select a DC - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 32
32 Creating security templates using the EWS A security template is assigned to each device function to control which users are permitted to access that function. At a minimum, you must create two security templates: one for "Administrator_Only" and one for "Authenticated_Users." If there is a need - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 33
33 Notes: • Clicking Delete List from the Manage Security Templates screen will delete all security templates on the MFP, regardless of which one is selected. To delete an individual security template, select it from the list, and then click Delete Entry. • You can delete a security template only if - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 34
to Administrator access only or Disabled. Administrative Menus Access control Security Menu at the Device Security Menu Remotely Service Engineer Menus at the Device Service Engineer Menus Remotely Configuration Menu Paper Menu at the Device Paper Menu Remotely Reports Menu at the Device Reports - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 35
Access control Network/Ports Menu at the Device Network/Ports Menu Remotely Manage Shortcuts at the Device Manage Shortcuts Remotely Supplies Menu at the Device Supplies Menu Remotely Option Card Configuration at the Device Option Card Configuration Remotely Management Access control Web Import/ - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 36
36 Access control Use Profiles Change Language from Home Screen Cancel Jobs at the Device PictBridge Printing Level of protection Authenticated users only Authenticated users only Administrator access only Not applicable-USB port disabled Device Solutions Access control Solution 1 Solutions 2-10 - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 37
Troubleshooting Login issues "Unsupported USB Device" error message MAKE SURE A SUPPORTED SMART CARD READER IS ATTACHED Only the OmniKey reader that came with the printer is supported the list of installed solutions, then contact the Lexmark Solutions Help Desk for assistance. Login screen does not - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 38
clock. VERIFY THE DATE AND TIME ON THE PRINTER 1 From the Embedded Web Server, click Settings > Security > Set Date and Time. 2 If you have manually configured date and time settings, then verify and correct them as needed. Make sure the time zone and daylight savings time settings are correct. Note - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 39
39 "The Domain Controller Issuing Certificate has not been installed" error message MAKE SURE THAT THE CORRECT CERTIFICATE HAS BEEN INSTALLED ON THE PRINTER For information on installing, viewing, or modifying certificates, see "Creating and modifying digital certificates" on page 15. "The KDC did - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 40
Smart Card login. UPLOAD A KERBEROS CONFIGURATION FILE AND MAKE SURE THE REALM HAS BEEN ADDED TO THE FILE The PKI Authentication settings do not support multiple Kerberos Realm entries. If multiple realms are needed, then you must create and upload a krbf5.conf file containing the needed realms. If - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 41
41 LDAP issues LDAP lookups take a long time and then fail This issue can occur during login (at "Getting User Info") or during address book searches. Try one or more of the following: MAKE SURE PORT 389 (NON‑SSL) AND PORT 636 (SSL) ARE NOT BLOCKED BY A FIREWALL The printer uses these ports to - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 42
• User Principal Name-The Smart Card principal name or the credential provided by manual login is used to set the user ID (userid@domain). • EDI‑PI- The user ID portion of the Smart Card principal name or the credential provided by manual login is used to set the user ID. • LDAP Lookup-The user ID - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 43
to the application name, and then click Start. • If PKI Held Jobs does not appear in the list of installed solutions, then contact the Lexmark Solutions Help Desk for assistance. MAKE SURE ALL JOBS ARE REQUIRED TO BE HELD 1 From the Embedded Web Server, click Settings > Device Solutions > Solutions - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 44
44 Appendix A: Using the touch screen Understanding the home screen The screen located on the front of the MFP is touch‑sensitive and can be used to access device functions and navigate settings and configuration menus. The home screen looks similar to this (yours may contain additional icons): - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 45
45 To type a single uppercase or shift character, touch Shift, and then touch the letter or number you need to uppercase. To turn on Caps Lock, touch Caps, and then continue typing. Caps Lock will remain engaged until you touch Caps again. Password ~ 1! @# $ %^ 23456 &* 7 8 ( 9 ) 0 _ + - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 46
guide CA CAC DC DHCP DNS DoD EAL EWS GIF GSSAPI HTTP HTTPS IP IPSec IPv4 IPv6 KDC LDAP MFP NTLM NTP OCSP PEM PKI PSK RFC SMTP SSL TCP TLS UDP USB Certificate Authority Common Access Card Domain Controller Dynamic Host Configuration Protocol Domain Name Service Security Service Applications - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 47
to the Security menu from the Embedded Web Server. Service Engineer Menus at the Device This protects access to the Service Engineer menu from the printer control panel. Service Engineer Menus Remotely This protects access to the Service Engineer menu from the Embedded Web Server. Settings Menu - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 48
48 Function access control Settings Menu Remotely Supplies Menu at the Device Supplies Menu Remotely What it does This protects access to the General and Print Settings sections of the Settings menu from the Embedded Web Server. This protects access to the Supplies menu from the printer control - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 49
49 Function access control Create Profiles E‑mail Function Fax Function Flash Drive Color Printing Flash Drive Firmware Updates Flash Drive Print Flash Drive Scan FTP Function Held Jobs Access PictBridge Printing Release Held Faxes Use Profiles What it does This controls the ability to create new - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 50
50 Appendix D: Using Common Access Cards Using a Common Access Card to access the printer 1 Insert your Common Access Card into the card reader attached to the printer. 2 When prompted, enter your PIN using the keypad that appears on the touch screen, and then touch Next. It may take a moment for - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 51
provided by Lexmark for use in connection with your Lexmark product. The term "Software Program" includes machine-readable instructions, audio/ dress or intellectual property notice that appears on any computer display screens normally generated by, or as a result of, the Software Program. b Copying. - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 52
OF THE NATURE OF THE CLAIM, INCLUDING BUT NOT LIMITED TO BREACH OF WARRANTY OR CONTRACT, TORT (INCLUDING NEGLIGENCE OR STRICT LIABILITY), AND EVEN IF LEXMARK, OR ITS SUPPLIERS, AFFILIATES, OR REMARKETERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, OR FOR ANY CLAIM BY YOU BASED ON A THIRD - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 53
with the terms of this License Agreement, any other written agreement signed by you and Lexmark relating to your Use of the Software Program). To the extent any Lexmark policies or programs for support services conflict with the terms of this License Agreement, the terms of this License Agreement - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 54
Index A access controls list of 47 setting at the device 12 using the EWS to set 34 acronyms 46 AppleTalk disabling 18 assumptions 6 audit logging configuring 20 authentication token 30 B backup password using the touch screen to enable 9 before configuring the device verifying firmware 6 verifying - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 55
50 SMTP settings configuring 22 supported devices 5 syslog configuring 20 T touch screen using the 44 troubleshooting authentication failure 38 authorization authorized to use Print Release Lite 42 printer clock out of sync 38 problem getting user info 40 realm on card not found 40 unable to guide 5 - Lexmark Multifunction Laser | Common Criteria Installation Supplement and Admini - Page 56
PN 3065326 Rev. 001 www.lexmark.com *3065326*
Common Criteria
Installation Supplement and Administrator Guide
November 2011
www.lexmark.com
Lexmark and Lexmark with diamond design are trademarks of Lexmark International, Inc., registered in the United States and/or other countries.
All other trademarks are the property of their respective owners.
© 2011 Lexmark International, Inc.
All rights reserved.
740 West New Circle Road
Lexington, Kentucky 40550
3065326-001