Lexmark 6500e Installation Supplement Manual
Common criteria installation supplement and administrator guide
Common Criteria
Installation Supplement and Administrator Guide
November 2011
www.lexmark.com
Lexmark and Lexmark with diamond design are trademarks of Lexmark International, Inc., registered in the United States and/or other countries.
3065326-001
All other trademarks are the property of their respective owners.
© 2011 Lexmark International, Inc.
All rights reserved.
740 West New Circle Road
Lexington, Kentucky 40550

Summary of Contents for Lexmark 6500e

  • Page 1 Installation Supplement and Administrator Guide November 2011 www.lexmark.com Lexmark and Lexmark with diamond design are trademarks of Lexmark International, Inc., registered in the United States and/or other countries. 3065326-001 All other trademarks are the property of their respective owners. © 2011 Lexmark International, Inc.
  • Page 2 November 2011 The following paragraph does not apply to any country where such provisions are inconsistent with local law: LEXMARK INTERNATIONAL, INC., PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
  • Page 3: Table Of Contents

    Contents: Overview and first steps, 5; Overview, 5; Using this guide, 5; Supported devices, 5; Operating environment, 6; Before configuring the device (required), 6; Verifying physical interfaces and installed firmware, 6; Attaching a lock, 7; Encrypting the hard disk, 7; Disabling the USB buffer, 8; Installing the minimum configuration, 9; Configuring the device, 9; Configuration checklist, 9...
  • Page 4 Creating security templates using the EWS, 32; Controlling access to device functions, 33; Configuring PKI Held Jobs, 33; Controlling access to device functions using the EWS, 34; Troubleshooting, 37; Login issues, 37; “Unsupported USB Device” error message, 37; The printer home screen fails to return to a locked state when not in use, 37; Login screen does not appear when a Smart Card is inserted, 37; “The KDC and MFP clocks are different beyond an acceptable range;...
  • Page 5: Overview And First Steps

    Lexmark 6500e scanner with T656 printer Note: If you are using a Lexmark 6500e scanner with a T650, T652, T654, or T656 printer, then you must complete the setup and configuration steps in the Setup Guide that came with the scanner before following the instructions in...
  • Page 6: Operating Environment

    > Reports > Menu Settings Page. Several pages of device information will print. In the Installed Features section, verify that no Download Emulator (DLE) option cards have been installed. If you find additional interfaces, or if a DLE card has been installed, then contact your Lexmark representative before proceeding.
  • Page 7: Attaching A Lock

    Once a lock is attached, the metal plate and system board cannot be removed, and the security jumper cannot be accessed without causing visible damage to the device. Note: If you are using a Lexmark 6500e scanner with a T650, T652, T654, or T656 printer, then you must attach a lock to both the scanner and the printer.
  • Page 8: Disabling The Usb Buffer

    Verify that the MFP is in Configuration mode by locating the Exit Config Menu icon in the lower right corner of the touch screen. Scroll through the configuration menus to locate the Disk Encryption menu selection. Touch Disk Encryption > Enable. Warning: Enabling disk encryption will erase the contents of the hard disk.
  • Page 9: Installing The Minimum Configuration

    Installing the minimum configuration You can achieve an evaluated configuration on a non-networked (standalone) device in just a few steps. For this configuration, all tasks are performed at the device, using the touch screen. Configuring the device Configuration checklist This checklist outlines the steps required to implement an evaluated configuration on a standalone device. For information about additional configuration options, see “Administering the device”...
  • Page 10: Creating User Accounts

    Retype the password, and then touch Done to save the new password and return to the Edit Backup Password screen. Set Use Backup Password to On. Touch Submit. Creating user accounts Creating internal (device) accounts for use with the evaluated configuration involves not only assigning a user ID and password to each user, but also segmenting users into groups.
  • Page 11: Creating Security Templates

    Group name Type of user group would be selected for Authenticated_Users • Administrators permitted to access all device functions • Administrators permitted to use device functions and access the Reports menu • Administrators permitted to use device functions and access the Security menu •...
  • Page 12: Controlling Access To Device Functions

    Type a unique name to identify the template. Use a descriptive name, such as “Administrator_Only” or “Authenticated_Users,” and then touch Done. On the Authentication Setup screen, select the internal accounts building block, and then touch Done. On the Authorization Setup screen, select the internal accounts building block, and then touch Done. Select one or more groups to be included in the template, and then touch Done to save your changes and return to the Edit Security Templates screen.
  • Page 13 Access control: Level of protection; Paper Menu at the Device: Authenticated users only; Paper Menu Remotely: Authenticated users only; Reports Menu at the Device: Administrator access only; Reports Menu Remotely: Administrator access only; Settings Menu at the Device: Administrator access only; Settings Menu Remotely: Administrator access only; Network/Ports Menu at the Device...
  • Page 14: Disabling Home Screen Icons

    Access control: Level of protection; Held Jobs Access: Disabled; Use Profiles: Authenticated users only; Change Language from Home Screen: Authenticated users only; Cancel Jobs at the Device: Administrator access only; PictBridge Printing: Not applicable—USB port disabled; Solution 1: Authenticated users only. Note: When eSF applications are configured, Solution 1 controls access to Held Jobs.
  • Page 15: Administering The Device

    Administering the device This chapter describes how to configure additional settings and functions that may be available on your device. Using the Embedded Web Server Many settings can be configured using either the Embedded Web Server (EWS) or the touch screen. Accessing the EWS Type the device IP address or host name in the address field of your Web browser using the secure version of the page (with the address beginning “https://”).
  • Page 16 • Country/Region—Type the country or region where the company or organization issuing the certificate is located (2‑character maximum). • Province Name—Type the province where the company or organization issuing the certificate is located. • City Name—Type the city where the company or organization issuing the certificate is located. •...
  • Page 17: Setting Up Ipsec

    The contents of the file should be in the following format: -----BEGIN CERTIFICATE----- MIIE1jCCA76gAwIBAgIQY6sV0KL3tIhBtlr4gHG85zANBgkqhkiG9w0BAQUFADBs … l3DTbPe0mnIbTq0iWqKEaVne1vvaDt52iSpEQyevwgUcHD16rFy+sOnCaQ== -----END CERTIFICATE----- • Download Signing Request—Download or save the signing request as a .csr file. • Install Signed Certificate—Upload a previously signed certificate. Installing a CA certificate A Certificate Authority (CA) certificate is required if you will be using the PKI Authentication application.
  • Page 18: Disabling The Appletalk Protocol

    Disabling the AppleTalk protocol IP is the only network protocol permitted under this evaluation. The AppleTalk protocol must be disabled. Using the EWS Note: For information about accessing the EWS, see “Using the Embedded Web Server” on page 15. From the Embedded Web Server, click Settings > Network/Ports > AppleTalk. Verify that the Activate check box is cleared, and then click Submit.
  • Page 19: Other Settings And Functions

    Click Submit. Other settings and functions Network Time Protocol Use Network Time Protocol (NTP) to automatically sync MFP date and time settings with a trusted clock so that Kerberos requests and audit log events will be accurately time‑stamped. Note: If your network uses DHCP, then verify that NTP settings are not automatically provided by the DHCP server before manually configuring NTP settings.
  • Page 20: Security Audit Logging

    Under Simple Kerberos Setup, for KDC Address, type the IP address or host name of the KDC (Key Distribution Center) IP. For KDC Port, type the number of the port used by the Kerberos server. For Realm, type the realm used by the Kerberos server. Note: The Realm entry must be typed in all uppercase letters.
  • Page 21 Type the IP address or host name of the Remote Syslog Server, and then select the Enable Remote Syslog check box. Note: The Enable Remote Syslog check box is unavailable until an IP address or host name is entered. Type the Remote Syslog Port number used on the destination server. For Remote Syslog Method, select Normal UDP or Stunnel (if implemented on the destination server).
  • Page 22: E-Mail

    If you want the MFP to add a digital signature to e-mail alerts, then set “Digitally sign exports” to On. For “Severity of events to log,” select 5 ‑ Notice. The chosen severity level and anything higher (0–4) will be logged. If you want the MFP to send all events regardless of severity to the remote server, then set “Remote Syslog non‑logged events”...
  • Page 23 Type the Primary SMTP Gateway Port number of the destination server. If you are using a secondary or backup SMTP server, then type the IP address or host name and SMTP port for that server. For SMTP Timeout, type the number of seconds (5–30) the device will wait for a response from the SMTP server before timing out.
  • Page 24: Fax

    If you want to receive responses to messages sent from the MFP (in case of failed or bounced messages), then provide a Reply Address. Set Use SSL to Disabled, Negotiate or Required to specify whether e-mail will be sent using an encrypted link. If the SMTP server requires user credentials, then select a method for SMTP Server Authentication.
  • Page 25: Configuring Security Reset Jumper Behavior

    Setting up a fax storage location (optional) Turn off the MFP using the power switch. Simultaneously press and hold the 2 and 6 keys on the numeric keypad while turning the MFP back on. It takes approximately a minute to boot into the Configuration menu. Once the MFP is ready, the touch screen displays a list of functions instead of standard home screen icons such as Copy and Fax.
  • Page 26 Example: Employees in the warehouse will be given access to black‑and‑white printing only, administrative office staff will be able to print in black and white and send faxes, and employees in the marketing department will have access to black‑and‑white printing, color printing, and faxing. Scenario 1: Creating groups based on department Security template Groups included in template...
  • Page 27: Configuring Ldap+Gssapi

    Click Settings > Security > Security Setup > Internal Accounts. Click Add an Internal Account, and then provide the information needed for each account: • Account Name—Type the user's account name (example: “Jack Smith”). • User ID—Type an ID for the account (example: “jsmith”). •...
  • Page 28 • Mail Attribute—Type the mail attribute. • Full Name Attribute—Type the full name attribute. • Search Base—Specify the node in the LDAP server where user accounts reside. Multiple search bases can be entered, separated by semicolons. Note: A search base consists of multiple attributes, such as cn (common name), ou (organizational unit), o (organization), c (country), or dc (domain), separated by semicolons.
  • Page 29 • Full Name Attribute—Type the full name attribute. • Search Base—Specify the node in the LDAP server where user accounts reside. Multiple search bases can be entered, separated by semicolons. Note: A search base consists of multiple attributes, such as cn (common name), ou (organizational unit), o (organization), c (country), or dc (domain), separated by semicolons.
  • Page 30: Configuring Common Access Card Access

    Configuring Common Access Card access A set of Public Key Infrastructure (PKI) embedded applications comes installed on the MFP. These applications provide for additional functionality, including the use of Smart Cards such as the Department of Defense Common Access Card (CAC).
  • Page 31 • Domain—This is the card domain that should be mapped to the specified realm. This is the principal name used on the card and should be listed by itself, followed by a comma, a period, and then the principal name again. This value is case‑sensitive and usually appears in lowercase.
  • Page 32: Creating Security Templates Using The Ews

    Creating security templates using the EWS A security template is assigned to each device function to control which users are permitted to access that function. At a minimum, you must create two security templates: one for "Administrator_Only" and one for "Authenticated_Users."...
  • Page 33: Controlling Access To Device Functions

    Notes: • Clicking Delete List from the Manage Security Templates screen will delete all security templates on the MFP, regardless of which one is selected. To delete an individual security template, select it from the list, and then click Delete Entry. •...
  • Page 34: Controlling Access To Device Functions Using The Ews

    • Verify Job Expiration—This can be set to Off, Same as Confidential Print, or one of four intervals ranging from one hour to one week. • Repeat Job Expiration—This can be set to Off, Same as Confidential Print, or one of four intervals ranging from one hour to one week.
  • Page 35 Access control: Level of protection; Network/Ports Menu at the Device: Administrator access only; Network/Ports Menu Remotely: Administrator access only; Manage Shortcuts at the Device: Authenticated users only; Manage Shortcuts Remotely: Authenticated users only; Supplies Menu at the Device: Authenticated users only; Supplies Menu Remotely: Authenticated users only; Option Card Configuration at the Device...
  • Page 36 Access control: Level of protection; Use Profiles: Authenticated users only; Change Language from Home Screen: Authenticated users only; Cancel Jobs at the Device: Administrator access only; PictBridge Printing: Not applicable–USB port disabled. Device Solutions: Access control: Level of protection; Solution 1: Authenticated users only. Note: When eSF applications are configured, Solution 1 controls access to Held Jobs.
  • Page 37: Troubleshooting

    If the authentication token is installed but is not running, then select the check box next to the application name, and then click Start. • If the authentication token does not appear in the list of installed solutions, then contact the Lexmark Solutions Help Desk for assistance. PKI A...
  • Page 38: The Kdc And Mfp Clocks Are Different Beyond An Acceptable Range; Check The Mfp's Date And Time" Error Message

    “The KDC and MFP clocks are different beyond an acceptable range; check the MFP's date and time” error message This error indicates that the printer clock is more than five minutes out of sync with the domain controller clock. VERIFY THE DATE AND TIME ON THE PRINTER From the Embedded Web Server, click Settings >...
  • Page 39: The Domain Controller Issuing Certificate Has Not Been Installed" Error Message

    “The Domain Controller Issuing Certificate has not been installed” error message MAKE SURE THAT THE CORRECT CERTIFICATE HAS BEEN INSTALLED ON THE PRINTER For information on installing, viewing, or modifying certificates, see “Creating and modifying digital certificates” on page 15. “The KDC did not respond within the required time”...
  • Page 40: Realm On The Card Was Not Found In The Kerberos Configuration File" Error Message

    “Realm on the card was not found in the Kerberos Configuration File” error message This error occurs during Smart Card login. UPLOAD A KERBEROS CONFIGURATION FILE AND MAKE SURE THE REALM HAS BEEN ADDED TO THE FILE The PKI Authentication settings do not support multiple Kerberos Realm entries. If multiple realms are needed, then you must create and upload a krb5.conf file containing the needed realms.
  • Page 41: Ldap Issues

    LDAP issues LDAP lookups take a long time and then fail This issue can occur during login (at “Getting User Info”) or during address book searches. Try one or more of the following: MAKE SURE PORTS 389 (NON‑SSL) AND 636 (SSL) ARE NOT BLOCKED BY A FIREWALL The printer uses these ports to communicate with the LDAP server.
  • Page 42: Held Jobs/Print Release Lite Issues

    Held Jobs/Print Release Lite issues “You are not authorized to use this feature” Held Jobs error message ADD THE USER TO THE APPROPRIATE ACTIVE DIRECTORY GROUP If user authorization is enabled for Held Jobs, then add the user to an Active Directory group that is included in the authorization list for the Held Jobs function.
  • Page 43: Jobs Are Printing Out Immediately

    If PKI Held Jobs is installed but is not running, then select the check box next to the application name, and then click Start. • If PKI Held Jobs does not appear in the list of installed solutions, then contact the Lexmark Solutions Help Desk for assistance. MAKE SURE ALL JOBS ARE REQUIRED TO BE HELD From the Embedded Web Server, click Settings >...
  • Page 44: Appendix A: Using The Touch Screen

    Appendix A: Using the touch screen Understanding the home screen The screen located on the front of the MFP is touch‑sensitive and can be used to access device functions and navigate settings and configuration menus. The home screen looks similar to this (yours may contain additional icons): Release Held Copy E-mail...
  • Page 45 To type a single uppercase or shift character, touch Shift, and then touch the letter or number you need to uppercase. To turn on Caps Lock, touch Caps, and then continue typing. Caps Lock will remain engaged until you touch Caps again. Password &...
  • Page 46: Appendix B: Acronyms

    Appendix B: Acronyms Acronyms used in this guide Certificate Authority Common Access Card Domain Controller DHCP Dynamic Host Configuration Protocol Domain Name Service Department of Defense Evaluation Assurance Level Embedded Web Server Graphic Interchange Format GSSAPI Generic Security Service Applications Programming Interface HTTP Hypertext Transfer Protocol HTTPS...
  • Page 47: Appendix C: Description Of Access Controls

    Appendix C: Description of access controls Access controls Depending on the device type and installed options, some access controls (referred to on some devices as Function Access Controls) may not be available for your printer. Administrative Menus: Function access control: What it does. Configuration Menu: This protects access to the Configuration Menu.
  • Page 48 Function access control: What it does. Settings Menu Remotely: This protects access to the General and Print Settings sections of the Settings menu from the Embedded Web Server. Supplies Menu at the Device: This protects access to the Supplies menu from the printer control panel. Supplies Menu Remotely: This protects access to the Supplies menu from the Embedded Web Server.
  • Page 49 Function access control: What it does. Create Profiles: This controls the ability to create new profiles. E‑mail Function: This controls access to the Scan to E‑mail function. Fax Function: This controls access to the Scan to Fax function. Flash Drive Color Printing: This controls the ability to print color from a flash drive.
  • Page 50: Appendix D: Using Common Access Cards

    Appendix D: Using Common Access Cards Using a Common Access Card to access the printer Insert your Common Access Card into the card reader attached to the printer. When prompted, enter your PIN using the keypad that appears on the touch screen, and then touch Next. It may take a moment for the printer to validate your credentials.
  • Page 51: Notices

    International, Inc. ("Lexmark") that, to the extent your Lexmark product or Software Program is not otherwise subject to a written software license agreement between you and Lexmark or its suppliers, governs your use of any Software Program installed on or provided by Lexmark for use in connection with your Lexmark product. The term "Software Program"...
  • Page 52 (including contract, breach, estoppel, negligence, misrepresentation, or tort), shall be limited to the greater of $5,000 or the money paid to Lexmark or its authorized remarketers for the license hereunder for the Software Program that caused the damages or that is the subject matter of, or is directly related to, the cause of action.
  • Page 53 DFARS 252.227-7013 and in similar FAR provisions (or any equivalent agency regulation or contract clause). CONSENT TO USE OF DATA. You agree that Lexmark, its affiliates, and agents may collect and use information you provide in relation to support services performed with respect to the Software Program and requested by you.
  • Page 54: Index

    Index encryption krb5.conf file IPSec 17 importing 19 access controls environment list of 47 operating 6 setting at the device 12 LDAP+GSSAPI using the EWS to set 34 using 15 configuring 27 acronyms 46 logging AppleTalk configuring the security audit disabling 18 fax forwarding 24 log 20...
  • Page 55 security audit log no jobs available to user 42 configuring 20 not authorized to use Held security certificates Jobs 42 creating and modifying 15 not authorized to use Print security objectives 6 Release Lite 42 security reset jumper printer clock out of sync 38 enabling 25 problem getting user info 40 security slot...
  • Page 56 *3065326* PN 3065326                     Rev. 001...
