Lexmark X950 Common Criteria Installation Supplement and Administrator Guide
Lexmark X950 manual content summary:
- Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 1
Common Criteria Installation Supplement and Administrator Guide November 2011 www.lexmark.com Lexmark and Lexmark with diamond design are trademarks of Lexmark International, Inc., registered in the United States and/or other countries. All other trademarks are the property of their respective - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 2
programs described may be made at any time. For Lexmark technical support, visit support.lexmark.com. For information on supplies and downloads, visit www.lexmark.com. If you don't have access to the Internet, you can contact Lexmark by mail: Lexmark International, Inc. Bldg 004-2/CSC 740 New Circle - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 3
and installed firmware 6 Attaching a lock ...7 Encrypting the hard disk ...7 Disabling the USB buffer ...8 Installing the minimum configuration 9 Configuring the device...9 Configuration checklist ...9 Configuring disk wiping...9 Enabling the backup password (optional) ...9 Creating user accounts - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 4
using the EWS 34 Troubleshooting 37 Login issues...37 "Unsupported USB Device" error message ...37 The printer home screen fails to return Unable to determine Windows User ID" error message 42 "There are no jobs available for [USER]" error message 42 Jobs are printing out immediately ... - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 5
page 44. Supported devices This guide describes how to implement an evaluated configuration on the following models: • Lexmark X548 • Lexmark XS548 • Lexmark X792 • Lexmark XS796 • Lexmark X925 • Lexmark XS925 • Lexmark X950 • Lexmark X952 • Lexmark X954 • Lexmark XS955 • Lexmark 6500e scanner with - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 6
information will print. 4 In the Installed Features section, verify that no Download Emulator (DLE) option cards have been installed. 5 If you find additional interfaces, or if a DLE card has been installed, then contact your Lexmark representative before proceeding. 6 To verify the firmware version - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 7
cannot be accessed without causing visible damage to the device. Note: If you are using a Lexmark 6500e scanner with a T650, T652, T654, or T656 printer, then you must attach a lock to both the scanner and the printer. 1 Verify that the MFP case is closed. 2 Locate the security slot, and then attach - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 8
the encryption process. Doing so may result in loss of data. 7 Touch Back, and then touch Exit Config Menu. The MFP will undergo a power‑on reset, and then return to normal operating mode. Disabling the USB buffer Disabling the USB buffer disables the USB host port on the back of the - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 9
a standalone device: 1 Set up disk wiping. 2 Create user accounts. 3 Create security templates. 4 Restrict access to device to Multi‑pass. 4 Touch Submit. Enabling the backup password (optional) Warning: Using a backup password is strongly discouraged because it can degrade the overall security - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 10
and password to each user, but also segmenting users into groups. When configuring security templates, you will select one or more of these groups, and then you will apply a security template to each device function to control access to that function. The MFP supports a maximum of 250 user accounts - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 11
Internal Accounts > 2 On the General Settings screen, set Required User Credentials to User ID and password, and then touch Submit. The MFP will return to the access to specific device functions, then select all groups in which the administrator should be included. • For all other users, add only - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 12
set to No Security. • Disabled-This disables access to a function for all users and administrators. • Not applicable-The function has been disabled by another setting. at the Device Security Menu Remotely Service Engineer Menus at the Device Service Engineer Menus Remotely Configuration Menu Level - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 13
Authenticated users only Option Card Configuration at the Device Administrator access only Option Card Configuration Remotely Administrator access only Web Import/Export Settings Disabled Solutions Configuration Administrator access only Remote Management Administrator access only Firmware - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 14
Jobs Access Use Profiles Change Language from Home Screen Cancel Jobs at the Device PictBridge Printing Solution 1 Solutions 2‑10 New Solutions Level of protection Disabled Authenticated users only Authenticated users only Administrator access only Not applicable-USB port disabled Authenticated - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 15
is not readily apparent, then you can find it by printing a network setup page. Printing a network setup page From the home screen, touch > Reports > Network and for SSL support in LDAP. Each certificate must be in a separate PEM (.cer) file. Setting certificate defaults The values entered here - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 16
Management. 3 Select a certificate from the list. The details of the certificate are displayed in the Device Certificate Management window. 4 Do any of the following: • Delete-Remove a previously stored certificate. • Download To File-Download or save the certificate as a PEM (.cer) file. - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 17
the following format: -----BEGIN CERTIFICATE----- MIIE1jCCA76gAwIBAgIQY6sV0KL3tIhBtlr4gHG85zANBgkqhkiG9w0BAQUFADBs ... l3DTbPe0mnIbTq0iWqKEaVne1vvaDt52iSpEQyevwgUcHD16rFy+sOnCaQ== -----END CERTIFICATE----- • Download Signing Request-Download or save the signing request as a .csr file. • Install Signed - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 18
(SNMP) • TCP 631 (IPP) • TCP 5000 (XML) • TCP 5001 (IPDS) • TCP 6110/UDP6100/TCP6100 • TCP 9000 (Telnet) • UDP 9300/UDP 9301/UDP 9302 (NPAP) • TCP 9500/TCP 9501 (NPAP) • TCP 9600 (IPDS) • UDP 9700 (Plug‑n‑Print) • TCP 10000 (Telnet) • ThinPrint • TCP 65002 (WSD Print Service) • TCP 65004 (WSD Scan - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 19
that NTP settings are not automatically provided by the DHCP server before manually configuring NTP settings. Using the EWS 1 From the Embedded Web Server If you will be using LDAP+GSSAPI or Common Access Cards to control user access to the MFP, then you must first configure Kerberos. Using the - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 20
20 3 Under Simple Kerberos Setup, for KDC Address, type the IP address or host name of the KDC (Key Distribution Center) IP. 4 For KDC Port, type the number of the port used by the Kerberos server. 5 For Realm, type the realm used by the Kerberos server. Note: The Realm entry must be typed in all - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 21
21 3 Type the IP address or host name of the Remote Syslog Server, and then select the Enable Remote Syslog check box. Note: The Enable Remote Syslog check box is unavailable until an IP address or host name is entered. 4 Type the Remote Syslog Port number used on the destination server. 5 For - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 22
settings. For information about SMTP settings, see "E-mail" on page 22. E-mail User data sent by the MFP using e-mail must be sent as an attachment. Using -This must be blank. • Password-This must be blank. • Path-This must be "/". • File Name-This must be "image" (default). • Web Link-This must be - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 23
Use Device SMTP Credentials. 10 From the User‑Initiated E‑mail list, select the option most appropriate for your network or server environment • Login-This must be blank. • Password-This must be blank. • Path-This must be "/". • File Name-This must be "image" (default). • Web Link-This must be blank. - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 24
mail to Use Device SMTP Credentials. 10 For User‑Initiated E‑mail, select the option most appropriate for your network or server environment. page. 5 Under Fax Send Settings, clear the Driver to fax check box. 6 Under Fax Receive Settings, select Print from the Fax Forwarding list. 7 Click Submit. - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 25
any of the following: • Access controls = "No security"-This removes security only from function access controls. • Reset factory security defaults-This restores all security settings to default values. • No Effect-This removes access to all security menus (use with caution). 3 Touch Submit to save - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 26
Copy Color Printing Fax Function When creating internal accounts in Scenario 1, you would select the group that corresponds to the user's department. Advanced Security Setup, Step 1, click Internal Accounts. 3 From the Required User Credentials list, select User ID and password. 4 Click Submit. - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 27
user ID. • Re‑enter password-Retype the password. • E‑mail-Type the user services already deployed on the network. User credentials and group designations can be pulled from your existing system, making access to the MFP as seamless as other network services. Supported server. The default LDAP port is - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 28
User Input-Select either User ID and Password or User ID to specify which credentials a user must provide when attempting to access a function protected by the LDAP building block. Device Credentials (optional) • Use Active Directory Device Credentials-Click to select or clear. When the printer - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 29
name of the print server or servers. • MFP's Password-Type the Kerberos password for the print servers. Touch Done to save the settings and return to the General Information screen. 7 Touch Search Specific Object Classes, and then adjust the following settings as needed (optional): • person-Select - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 30
see "Using a Common Access Card to access the printer" on page 50. Note: You must configure Kerberos login screen and authentication mechanism and supports user authorization to the MFP and realm as configured in Active Directory, typically the Windows Domain Name. The realm must be entered in - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 31
wait for a response from the domain controller before moving to the next one in the list. 11 If users are allowed to log in manually, then provide at least one Manual Login Domain (a Windows Domain Name) to choose from when logging in. Multiple domains can be entered, separated by commas. 12 Select - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 32
." 5 From the Authentication Setup list, select a method for authenticating users. This list will be populated with the authentication building blocks that have " on page 30. 6 Click Add authorization, and then select an option from the Authorization Setup list. This list will be populated with the - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 33
icon on the printer home screen. 3 default icon image, click View Current Value. 5 For Access Control, select Solution‑specific access control 1. 6 Select from the following Release Options to specify how users will be able to release print jobs: • Release Method-Select User Selects job(s) to print - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 34
select the Require All Jobs to be Held and Clear Print Data check boxes. 9 Click Apply. Controlling access to Disabled-This disables access to a function for all users and administrators. • Not applicable-The function has Menu Remotely Service Engineer Menus at the Device Service Engineer Menus - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 35
Remotely Supplies Menu at the Device Supplies Menu Remotely Option Card Configuration at the Device Option Card Configuration Remotely Management Access control Web Import/Export Settings Solutions Configuration Remote Management Firmware Updates PJL Device Setting Changes Operator Panel Lock - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 36
36 Access control Use Profiles Change Language from Home Screen Cancel Jobs at the Device PictBridge Printing Level of protection Authenticated users only Authenticated users only Administrator access only Not applicable-USB port disabled Device Solutions Access control Solution 1 Solutions 2-10 - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 37
Troubleshooting Login issues "Unsupported USB Device" error message MAKE SURE A SUPPORTED SMART CARD READER IS ATTACHED Only the OmniKey reader that came with the printer is supported. Remove the unsupported reader and attach the OmniKey reader. The printer contact the Lexmark Solutions Help Desk - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 38
automatically provided by the DHCP server before manually configuring NTP settings. 3 If you have configured the printer to use an NTP server, then to locate the appropriate krb5.conf file, and then click Submit. Users are unable to authenticate MAKE SURE THE REALM SPECIFIED IN THE KERBEROS SETTINGS - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 39
88 IS NOT BLOCKED BY A FIREWALL Port 88 must be opened between the printer and the KDC for authentication to work. "User's Realm was not found in the Kerberos Configuration file" error message MAKE SURE THE WINDOWS DOMAIN IS SPECIFIED IN THE KERBEROS SETTINGS 1 From the Embedded Web Server, click - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 40
HAS BEEN ADDED TO THE FILE The PKI Authentication settings do not support multiple Kerberos Realm entries. If multiple realms are needed, then you error indicates that the KDC being used to authenticate the user does not recognize the User Principal Name specified in the error message. VERIFY THAT - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 41
then fail This issue can occur during login (at "Getting User Info") or during address book searches. Try one or more of the following: MAKE SURE PORT 389 (NON‑SSL) AND PORT 636 (SSL) ARE NOT BLOCKED BY A FIREWALL The printer uses these ports to communicate with the LDAP server. The ports - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 42
, specify how the Windows user ID will be obtained when a user attempts to log in: • None-The user ID is not set. You can select this option if the user ID is not needed by other applications. • User Principal Name-The Smart Card principal name or the credential provided by manual login is used to - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 43
• If PKI Held Jobs does not appear in the list of installed solutions, then contact the Lexmark Solutions Help Desk for assistance. MAKE SURE ALL JOBS ARE REQUIRED TO BE HELD 1 From the Under Advanced Settings, select the Require All Jobs to be Held and Clear Print Data check boxes. 3 Click Apply. - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 44
as server addresses, user names, and passwords. When an alphanumeric entry is needed, a keyboard appears [Figure: touch-screen keyboard with a Password entry field] - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 45
continue typing. Caps Lock will remain engaged until you touch Caps again. [Figure: touch-screen keyboard with a Password entry field] - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 46
guide CA CAC DC DHCP DNS DoD EAL EWS GIF GSSAPI HTTP HTTPS IP IPSec IPv4 IPv6 KDC LDAP MFP NTLM NTP OCSP PEM PKI PSK RFC SMTP SSL TCP TLS UDP USB Certificate Authority Common Access Card Domain Controller Dynamic Host Configuration Protocol Domain Name Service Protocol Multifunction printer NT LAN - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 47
This protects access to the Service Engineer menu from the printer control panel. Service Engineer Menus Remotely This protects access to the Service Engineer menu from the Embedded Web Server. Settings Menu at the Device This protects access to the General and Print Settings sections of the - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 48
other than a flash drive. Firmware files that are received through FTP, the Embedded Web Server, etc., will be ignored (flushed) when this function is protected. This protects access to the locking function of the printer control panel. If this is enabled, then users with appropriate credentials can - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 49
print color from a flash drive. Users who are denied will have their print jobs printed in black and white. This controls the ability to update firmware from a flash drive. This controls the ability to print profile of each solution‑specific access control installed on the printer. The Solution 1 - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 50
the keypad that appears on the touch screen, and then touch Next. It may take a moment for the printer to validate your credentials. After your credentials have been validated, the printer will return to the home screen. Note: For more information about using the touch screen, see "Appendix A: Using - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 51
Lexmark for use in connection with your Lexmark product. The term "Software Program" includes machine-readable instructions, audio/visual content (such as images and recordings), and associated media, printed of the price paid for the Software Program. 3 LICENSE GRANT. Lexmark grants you the - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 52
download. Use of the Freeware by you shall be governed entirely by the terms and conditions of such license. 4 TRANSFER. You may transfer the Software Program to another end-user. Any transfer must include all software components, media, printed LIABILITY), AND EVEN IF LEXMARK, OR ITS SUPPLIERS, - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 53
with the terms of this License Agreement, any other written agreement signed by you and Lexmark relating to your Use of the Software Program). To the extent any Lexmark policies or programs for support services conflict with the terms of this License Agreement, the terms of this License Agreement - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 54
password using the touch screen to enable 9 before configuring the device verifying firmware settings Driver to fax 24 fax forwarding 24 held faxes 24 fax storage 24 firmware verifying 15 network setup page printing 15 Network Time Protocol firmware 6 verifying physical interfaces 6 S security reset - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 55
42 not authorized to use Held Jobs 42 not authorized to use Print Release Lite 42 printer clock out of sync 38 problem getting user info 40 realm on card not found 40 unable to authenticate 38 unable to determine Windows User ID 42 unexpected logout 40 unknown client 40 unsupported USB device 37 - Lexmark X950 | Common Criteria Installation Supplement and Administrator Guide - Page 56
PN 3065326 Rev. 001 www.lexmark.com *3065326*
Common Criteria
Installation Supplement and Administrator Guide
November 2011
www.lexmark.com
Lexmark and Lexmark with diamond design are trademarks of Lexmark International, Inc., registered in the United States and/or other countries.
All other trademarks are the property of their respective owners.
© 2011 Lexmark International, Inc.
All rights reserved.
740 West New Circle Road
Lexington, Kentucky 40550
3065326-001