Lexmark X952 Common Criteria Installation Supplement and Administrator Guide
Lexmark X952 Manual
View all Lexmark X952 manuals
Add to My Manuals
Save this manual to your list of manuals |
Lexmark X952 manual content summary:
- Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 1
Common Criteria Installation Supplement and Administrator Guide November 2011 www.lexmark.com Lexmark and Lexmark with diamond design are trademarks of Lexmark International, Inc., registered in the United States and/or other countries. All other trademarks are the property of their respective - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 2
programs described may be made at any time. For Lexmark technical support, visit support.lexmark.com. For information on supplies and downloads, visit www.lexmark.com. If you don't have access to the Internet, you can contact Lexmark by mail: Lexmark International, Inc. Bldg 004-2/CSC 740 New Circle - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 3
18 Shutting down port access...18 Other settings and functions...19 Network Time Protocol...19 Kerberos...19 Security audit logging ...20 E-mail ...22 Fax...24 Configuring security reset jumper behavior ...25 User access...25 Creating user accounts through the EWS ...25 Configuring LDAP+GSSAPI...27 - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 4
using the EWS 34 Troubleshooting 37 Login issues...37 "Unsupported USB Device" error message ...37 The printer home screen fails to return unknown" error message ...40 Login does not respond at "Getting User Info 40 User is logged out almost immediately after logging in 40 LDAP issues...41 - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 5
MFP touch screen, see"Appendix A: Using the touch screen" on page 44. Supported devices This guide describes how to implement an evaluated configuration on the following models: • Lexmark X548 • Lexmark XS548 • Lexmark X792 • Lexmark XS796 • Lexmark X925 • Lexmark XS925 • Lexmark X950 • Lexmark X952 - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 6
and maintenance of the network environment including-but not limited to-operating systems, network protocols, and security policies and procedures. • Authorized administrators are trusted to use their access rights appropriately. • Audit records exported from the MFP to another trusted location are - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 7
removed, and the security jumper cannot be accessed without causing visible damage to the device. Note: If you are using a Lexmark 6500e scanner with a T650, T652, T654, or T656 printer, then you must attach a lock to both the scanner and the printer. 1 Verify that the MFP case is closed. 2 Locate - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 8
MFP is in Configuration mode by locating the Exit Config Menu icon in the lower right corner of the touch screen. 4 Scroll through the configuration menus to locate the disk has been encrypted, the MFP will return to the Enable/Disable then touch Exit Config Menu. The MFP will undergo a power‑on reset - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 9
evaluated configuration on a non-networked (standalone) device in just "Administering the device" on page 15. After completing the pre user accounts. 3 Create security templates. 4 Restrict access to device functions. 5 Disable home screen icons. Configuring disk wiping Disk wiping is used to remove - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 10
, and then you will apply a security template to each device function to control access to that function. The MFP supports a maximum of 250 user accounts and 32 user groups. Step 1: Defining groups 1 From the home screen, touch > Security > Edit Security Setups > Edit Building Blocks > Internal - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 11
> Edit Security Setups > Edit Building Blocks > Internal Accounts > 2 On the General Settings screen, set Required User Credentials to User ID and password, and then touch Submit. The MFP will return to the Internal Accounts screen. 3 Select Manage Internal Accounts > Add Entry. 4 Type the - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 12
Templates. • To remove all security templates, touch Delete List. • To remove an individual security what they do, see "Access controls" on page 47. 1 From the home screen, touch access to a function for all users and administrators. • Not applicable-The Service Engineer Menus at the Device Service - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 13
access only Network/Ports Menu Remotely Administrator access only Manage Shortcuts at the Device Authenticated users only Manage Shortcuts Remotely Authenticated users only Supplies Menu at the Device Authenticated users only Supplies Menu Remotely Authenticated users only Option - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 14
applicable-USB port disabled Authenticated users only Note: When eSF applications are configured, Solution 1 controls access to Held Jobs. Administrator access only Administrator access only Disabling home screen icons The final step is to remove unneeded icons from the MFP home screen. 1 From the - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 15
network setup page. Printing a network setup page From the home screen, touch > Reports > Network Setup Page. After the network setup page prints, the MFP will return to the home screen. Settings for network-connected devices After attaching the MFP to a network Leave this field blank if you want to - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 16
located. • Subject Alternate Name-Type the alternate name and prefix that conforms to RFC 2459. For example, enter an IP address using the format IP:255.255.255.255. Leave this field blank the Embedded Web Server" on page 15. 2 Click Device following: • Delete-Remove a previously stored certificate - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 17
the EWS, see "Using the Embedded Web Server" on page 15. 2 Click New. 3 Click Browse to locate the Certificate Authority Source file, and then click Submit. Note: The Certificate Authority Source file must be in PEM (.cer) format. 4 Reboot the MFP by turning it off and back on using the power - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 18
helps prevent intruders from accessing the MFP using a network connection. For information about accessing the EWS, see "Using the Embedded Web Server" on page 15. 1 From the Embedded 9700 (Plug‑n‑Print) • TCP 10000 (Telnet) • ThinPrint • TCP 65002 (WSD Print Service) • TCP 65004 (WSD Scan Service) - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 19
MFP date and time settings with a trusted clock so that Kerberos requests and audit log events will be accurately time‑stamped. Note: If your network uses DHCP, then verify that NTP settings are not automatically provided by the DHCP server before manually to control user access to the MFP, then you - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 20
For information about accessing the EWS, see "Using the Embedded Web Server" on page 15. 2 Under Advanced Security Setup, at Step 1, click Kerberos 5. 3 to verify that it is functional. Notes: • Click Delete File to remove the Kerberos configuration file from the selected device. • Click View File to - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 21
. • For "Log full behavior," select Wrap over oldest entries or E‑mail log then delete all entries. • Select E‑mail % full alert if you want the MFP to send an e-mail when log storage space reaches a specified percentage of capacity. • For "% full alert level" (1-99%), specify the percentage of log - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 22
information about SMTP settings, see "E-mail" on page 22. E-mail User data sent by the MFP using e-mail must be sent as an attachment. blank. • Login-This must be blank. • Password-This must be blank. • Path-This must be "/". • File Name-This must be "image" (default). • Web Link-This must be blank - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 23
From the User‑Initiated E‑mail list, select the option most appropriate for your network or server environment. 11 If the MFP must blank. • Login-This must be blank. • Password-This must be blank. • Path-This must be "/". • File Name-This must be "image" (default). • Web Link-This must be blank - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 24
10 For User‑Initiated E‑mail, select the option most appropriate for your network or server environment. 11 If the MFP must provide Click Submit to save your changes and return to the Settings page. 5 Under Fax Send Settings, clear the Driver to fax check box. 6 Under Fax Receive Settings, select - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 25
normal operating mode. Configuring security reset jumper behavior The security reset jumper is a hardware jumper located on the motherboard that can be used to reset the security settings on the device. Note: Using the security reset jumper can remove the MFP from the evaluated configuration. 1 From - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 26
you would select the group that corresponds to the user's department. Scenario 2: Creating groups based on device . Note: For information about accessing the EWS, see "Using the Embedded Web Server" on page 15. 2 Under Advanced Security Setup, Step 1, click Internal Accounts. 3 Click Setup groups - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 27
from your existing system, making access to the MFP as seamless as other network services. Supported devices can store a maximum of five LDAP For information about accessing the EWS, see "Using the Embedded Web Server" on page 15. 2 Under Advanced Security Setup, Step 1, click LDAP+GSSAPI. 3 Click - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 28
select or clear. When the printer authenticates to the LDAP server, it can provide Active Directory device credentials in addition to supporting anonymous binding or the specified credentials in the MFP's Kerberos Username and MFP's Password fields. • MFP's Kerberos Username-Type the distinguished - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 29
select or clear. When the printer authenticates to the LDAP server, it can provide Active Directory device credentials in addition to supporting anonymous binding or the specified credentials in the MFP's Kerberos Username and MFP's Password fields. • MFP's Kerberos Username-Type the distinguished - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 30
on using a card reader with your MFP, see "Using a Common Access Card to access the printer" on page 50. Note: You must configure Kerberos MFP. 5 Select whether the Card PIN can be numeric only or alphanumeric. 6 If you want to, provide a custom Logon Screen Text with special instructions for users - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 31
, or if some servers are multi‑homed, then under Advanced Settings, click Browse to locate a Hosts File with host name-IP address mappings. 16 Select the Wait for Active Network check box to display Waiting for network on the touch screen after the MFP is turned on. This message disappears when the - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 32
information about accessing the EWS, see "Using the Embedded Web Server" on page 15. 2 Under Advanced Security Setup, Step 2, click Security Template. 3 for authenticating users. This list will be populated with the authentication building blocks that have been configured on the MFP (internal - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 33
MFP, printer until released by an authorized user. page 15. 2 If you want to, specify custom icon text that will appear above the Held Jobs icon on the printer click Browse to locate the image you removed. Depending on how often a specific device polls for state changes, jobs marked for removal - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 34
to device functions using the EWS Access to MFP functions can be restricted by applying security templates be found in "Access controls" on page 47. 1 From the Embedded Web Server access to a function for all users and administrators. • Not applicable-The Service Engineer Menus at the Device Service - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 35
/Ports Menu at the Device Network/Ports Menu Remotely Manage Shortcuts at the Device Manage Shortcuts Remotely Supplies Menu at the Device Supplies Menu Remotely Option Card Configuration at the Device Option Card Configuration Remotely Management Access control Web Import/Export Settings Solutions - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 36
the Device PictBridge Printing Level of protection Authenticated users only Authenticated users only Administrator access only Not applicable-USB port Solution 1 Solutions 2-10 New Solutions Level of protection Authenticated users only Note: When eSF applications are configured, Solution 1 - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 37
Troubleshooting Login issues "Unsupported USB Device" error message MAKE SURE A SUPPORTED SMART CARD READER IS ATTACHED Only the OmniKey reader that came with the printer is supported. Remove the unsupported reader and attach the OmniKey reader. The printer contact the Lexmark Solutions Help Desk - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 38
network uses DHCP, then verify that NTP settings are not automatically provided by the DHCP server before manually configuring NTP settings. 3 If you have configured the printer File, click Browse to locate the appropriate krb5.conf file, and then click Submit. Users are unable to authenticate MAKE - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 39
ON THE PRINTER For information on installing, viewing, or modifying certificates, see "Creating and modifying digital certificates" on page 15. A FIREWALL Port 88 must be opened between the printer and the KDC for authentication to work. "User's Realm was not found in the Kerberos Configuration file - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 40
file, then verify that the Domain Controller entry is correct. Login does not respond at "Getting User Info" For information about LDAP‑related issues, see"LDAP issues" on page 41. User is logged out almost immediately after logging in INCREASE THE PANEL LOGIN TIMEOUT INTERVAL 1 From the Embedded - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 41
User Info") or during address book searches. Try one or more of the following: MAKE SURE PORT 389 (NON‑SSL) AND PORT 636 (SSL) ARE NOT BLOCKED BY A FIREWALL The printer SETUP SETTINGS 1 From the Embedded Web Server, click Settings > Network/Ports > Address Book Setup. 2 Verify or adjust the following - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 42
user ID is not needed by other applications. • User Principal Name-The Smart Card principal name or the credential provided by manual login is used to set the user ID (userid@domain). • EDI‑PI-The user CORRECT PRINTER AND WERE PRINTED The user may have sent the job or jobs to a different printer, or - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 43
to the application name, and then click Start. • If PKI Held Jobs does not appear in the list of installed solutions, then contact the Lexmark Solutions Help Desk for assistance. MAKE SURE ALL JOBS ARE REQUIRED TO BE HELD 1 From the Embedded Web Server, click Settings > Device Solutions > Solutions - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 44
A: Using the touch screen Understanding the home screen The screen located on the front of the MFP is touch‑sensitive and can be used to access device functions and navigate settings and configuration menus. The home screen looks similar to this (yours may contain additional icons): Copy Release - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 45
45 To type a single uppercase or shift character, touch Shift, and then touch the letter or number you need to uppercase. To turn on Caps Lock, touch Caps, and then continue typing. Caps Lock will remain engaged until you touch Caps again. Password ~ 1! @# $ %^ 23456 &* 7 8 ( 9 ) 0 _ + - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 46
guide CA CAC DC DHCP DNS DoD EAL EWS GIF GSSAPI HTTP HTTPS IP IPSec IPv4 IPv6 KDC LDAP MFP NTLM NTP OCSP PEM PKI PSK RFC SMTP SSL TCP TLS UDP USB Certificate Authority Common Access Card Domain Controller Dynamic Host Configuration Protocol Domain Name Service printer NT LAN Manager Network Time - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 47
to the Security menu from the Embedded Web Server. Service Engineer Menus at the Device This protects access to the Service Engineer menu from the printer control panel. Service Engineer Menus Remotely This protects access to the Service Engineer menu from the Embedded Web Server. Settings Menu - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 48
menu from the Embedded Web Server. This protects access to the Supplies menu from the printer control panel. This protects access to the Supplies menu from the Embedded Web Server. Management Function access control Firmware Updates Operator Panel Lock PJL Device Setting Changes Remote Management - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 49
Scan to Fax function. This controls the ability to print color from a flash drive. Users who are denied will have their print jobs printed in black and white. This controls the ability to update firmware solution‑specific access control installed on the printer. The Solution 1 through Solution 10 - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 50
Common Access Card to access the printer 1 Insert your Common Access Card into the card reader attached to the printer. 2 When prompted, enter your may take a moment for the printer to validate your credentials. After your credentials have been validated, the printer will return to the home screen - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 51
provided by Lexmark for use in connection with your Lexmark product. The term "Software Program" includes machine-readable instructions, audio use, you must limit the number of authorized users to the number specified in your agreement with Lexmark. You may not separate the components of the - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 52
4 TRANSFER. You may transfer the Software Program to another end-user. Any transfer must include all software components, media, printed materials OR CONTRACT, TORT (INCLUDING NEGLIGENCE OR STRICT LIABILITY), AND EVEN IF LEXMARK, OR ITS SUPPLIERS, AFFILIATES, OR REMARKETERS HAVE BEEN ADVISED OF THE - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 53
with the terms of this License Agreement, any other written agreement signed by you and Lexmark relating to your Use of the Software Program). To the extent any Lexmark policies or programs for support services conflict with the terms of this License Agreement, the terms of this License Agreement - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 54
22 Embedded Web Server using 15 encrypting network data 17 encrypting the hard disk 7 encryption IPSec 17 environment operating 6 EWS using 15 F fax forwarding 24 fax settings Driver to fax 24 fax forwarding 24 held faxes 24 fax storage 24 firmware verifying 6 function access using the EWS to - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 55
reset jumper printer 43 jobs print immediately 43 KDC and MFP MFP clock out of sync 38 missing Kerberos realm 40 multiple Kerberos realms 40 no jobs available to user 42 not authorized to use Held Jobs 42 not authorized to use Print Release Lite 42 printer clock out of sync 38 problem getting user - Lexmark X952 | Common Criteria Installation Supplement and Administrator Guide - Page 56
PN 3065326 Rev. 001 www.lexmark.com *3065326*
Common Criteria
Installation Supplement and Administrator Guide
November 2011
www.lexmark.com
Lexmark and Lexmark with diamond design are trademarks of Lexmark International, Inc., registered in the United States and/or other countries.
All other trademarks are the property of their respective owners.
© 2011 Lexmark International, Inc.
All rights reserved.
740 West New Circle Road
Lexington, Kentucky 40550
3065326-001