Xerox WORKCENTRE 7755 Information Manual page 17

Information assurance disclosure paper
XEROX WorkCentre 7755/7765/7775 Information Assurance Disclosure Paper
2.8.2.11. Port 427, SLP
When activated, this port is used for service discovery and advertisement. The device will advertise itself as a printer and
also listen for SLP queries using this port. It is not configurable. This port is explicitly enabled / disabled in the Properties tab
of the device's web pages.
2.8.2.12. Port 443, SSL
This is the default port for Secure Sockets Layer communication. This port can be configured via the device's web pages.
SSL must be enabled before setting up either SNMPv3 or IPSec or before retrieving the audit log (see Sec. 4.1). SSL must
also be enabled in order to use any of the Web Services (Scan Template Management, Automatic Meter Reads, or Network
Scanning Validation Service).
SSL should be enabled so that the device can be securely administered from the web UI. If the optional scanning feature
has been purchased, SSL can be used to secure the filing channel to a remote repository.
SSL uses X.509 certificates to establish trust between two ends of a communication channel. When storing scanned images
to a remote repository using an https: connection, the device must verify the certificate provided by the remote repository.
A Trusted Certificate Authority certificate should be uploaded to the device in this case.
To securely administer the device, the user's browser must be able to verify the certificate supplied by the device. A
certificate signed by a well-known Certificate Authority (CA) can be downloaded to the device, or the device can generate a
self-signed certificate. In the first instance, the device creates a Certificate Signing Request (CSR) that can be downloaded
and forwarded to the well-known CA for signing. The signed device certificate is then uploaded to the device. Alternatively,
the device will generate a self-signed certificate. In this case, the generic Xerox root CA certificate must be downloaded
from the device and installed in the certificate store of the user's browser.
The device supports only server authentication.
2.8.2.13. Port 515, LPR
This is the standard LPR printing port, which only supports IP printing. It is a configurable port, and may be explicitly
enabled or disabled in User Tools via the Local User Interface or in the Properties tab of the device's web pages.
2.8.2.14. Port 631, IPP
This port supports the Internet Printing Protocol. It is not configurable. This is disabled when the http server is disabled.
2.8.2.15. Port 1900, SSDP
This port behaves similarly to the SLP port. When activated, this port is used for service discovery and advertisement. The
device will advertise itself as a printer and also listen for SSDP queries using this port. It is not configurable. This port is
explicitly enabled / disabled in the Properties tab of the device's web pages.
2.8.2.16. Port 3003, http/SNMP reply
This port is used when the http server requests device information. The user displays the Web User Interface (WebUI) and
goes to a page where the http server must query the device for settings (e.g. Novell network settings). The http server
queries the machine via an internal SNMP request (hence this port can only be open when the http server is active). The
machine replies back to the http server via this port. It sends the reply to the loopback address (127.0.0.0), which is
internally routed to the http server. This reply is never transmitted on the network. Only SNMP replies are accepted by this
port, and this port is active when the http server is active (i.e. if the http server is disabled, this port will be closed). If
someone attempted to send an SNMP reply to this port via the network, the reply would have to contain the correct
sequence number, which is highly unlikely, since the sequence numbers are internal to the machine.
2.8.2.17. Port 9100, raw IP
This allows downloading a PDL file directly to the interpreter. This port has limited bi-directionality (via PJL back channel)
and allows printing only. This is a configurable port, and may be disabled in either (1) User Tools via the Local User
Interface, or (2) in the Properties tab of the device's web pages.
2.8.3. IP Filtering
The devices contain a static host-based firewall that can prevent unauthorized network
access based on IP address and/or port number. Filtering rules can be set by the SA using the WebUI. An
authorized SA can create rules that Accept, Reject, or Drop traffic for ALL or a range of IP addresses. In
addition to specifying IP addresses to filter, an authorized SA can enable or disable all traffic over a
specified transport layer port.
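
The port descriptions in 2.8.2.11 through 2.8.2.17 and the port rules in 2.8.3 can be checked against a scan of the administrator's own device. The following is an added example, not part of the Xerox paper: the function names, the policy format, and the sample scan line are constructed for illustration. It assumes the input is one host line of nmap grepable (-oG) output and that SSL was left on its default port.

```python
import re

# Facts from sections 2.8.2.11-2.8.2.17: service name and where the paper
# says the port is switched off. 443 and 3003 are handled separately below.
PORTS = {
    427: ("SLP", "the Properties tab"),
    515: ("LPR", "User Tools or the Properties tab"),
    631: ("IPP", "disabling the http server (not separately configurable)"),
    1900: ("SSDP", "the Properties tab"),
    9100: ("raw IP", "User Tools or the Properties tab"),
}
# Features the paper says require SSL to be enabled first.
NEEDS_SSL = {"snmpv3", "ipsec", "audit_log", "web_services"}

# Constructed sample: one host line of `nmap -oG` output for a test address.
SCAN = ("Host: 192.0.2.10 ()\tPorts: 427/open|filtered/udp//svrloc///, "
        "443/closed/tcp//https///, 515/open/tcp//printer///, "
        "631/open/tcp//ipp///, 3003/open/tcp/////, 9100/open/tcp//jetdirect///")

def open_ports(grepable_line):
    """Return ports whose state is exactly 'open' (not 'open|filtered')."""
    ports = grepable_line.partition("Ports:")[2]
    return {int(num) for num, state, _proto in
            re.findall(r"(\d+)/([^/]*)/(tcp|udp)/", ports) if state == "open"}

def audit(grepable_line, allowed, features=()):
    """Compare observed ports with site policy; return a list of findings."""
    seen, findings = open_ports(grepable_line), []
    for port in sorted(seen & (PORTS.keys() - set(allowed))):
        name, how = PORTS[port]
        findings.append(f"{port} {name}: not in policy, turn off via {how}")
    if 3003 in seen:
        # The paper says replies on 3003 only ever arrive over loopback, so
        # nothing on the network needs it; a port rule is this example's advice.
        findings.append("3003 http/SNMP reply: reachable from the network, "
                        "block it with an IP Filtering port rule")
    blocked = sorted(NEEDS_SSL & set(features))
    if 443 not in seen and blocked:
        # Assumption: SSL was left on its default port 443.
        findings.append("443 SSL: closed, enable SSL before using "
                        + ", ".join(blocked))
    return findings

if __name__ == "__main__":
    for line in audit(SCAN, allowed={631, 9100}, features={"snmpv3"}):
        print(line)
```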
Ver. 1.01, April 2010