Lexmark Color Laser Installation And Administration Manual

Common criteria installation supplement and administrator guide

Common Criteria
Installation supplement and administrator guide
April 2010
www.lexmark.com
Lexmark and Lexmark with diamond design are trademarks of Lexmark International, Inc., registered in the United States and/or other countries.
3060008-002
All other trademarks are the property of their respective owners.
© 2010 Lexmark International, Inc.
All rights reserved.
740 West New Circle Road
Lexington, Kentucky 40550

Summary of Contents for Lexmark Color Laser

  • Page 2 This software and any accompanying documentation provided under this agreement are commercial computer software and documentation developed exclusively at private expense. Trademarks Lexmark, Lexmark with diamond design, and MarkVision are trademarks of Lexmark International, Inc., registered in the United States and/or other countries. All other trademarks are the property of their respective owners.
  • Page 3: Table Of Contents

    Contents
    Overview and first steps (page 5)
    Overview (page 5)
    Using this guide (page 5)
    Supported devices (page 5)
    Operating environment (page 5)
    Before configuring the device (required) (page 6)
    Verifying physical interfaces and installed firmware (page 6)
    Attaching a lock (page 6)
    Encrypting the hard disk (page 7)
    Disabling the USB Buffer (page 8)
    Installing the minimum configuration (page 9)
    Configuring the device (page 9)
    Configuration checklist (page 9)
    Configuring disk wiping (page 9)
    Enabling the backup password (optional) (page 9)
    ...
  • Page 4

    Creating security templates using the EWS (page 34)
    Controlling access to device functions (page 35)
    Configuring PKI Held Jobs (page 35)
    Controlling access to device functions using the EWS (page 36)
    Troubleshooting (page 39)
    Login Issues (page 39)
    “Unsupported USB Device” error message (page 39)
    The printer home screen does not return to a locked state when not in use (page 39)
    Login screen does not appear when a SmartCard is inserted (page 39)
    “The KDC and MFP clocks are different beyond an acceptable range;...
  • Page 5: Overview And First Steps

    Using this guide This guide is intended for use by Lexmark service providers, and network administrators responsible for the management of security appliances and software in their network environment. A working knowledge of Lexmark multifunction printers is required for effective use of this guide.
  • Page 6: Before Configuring The Device (Required)

    Under Installed Features, verify that no Download Emulator (DLE) option cards have been installed. If you find additional interfaces, or if a DLE card has been installed, contact your Lexmark representative before proceeding. To verify the firmware version, under Device Information, locate Base =, and Network =.
  • Page 7: Encrypting The Hard Disk

    The following illustrations show the most common lock port locations: Encrypting the hard disk Note: Not all devices have a hard disk installed. This section applies only to devices containing a hard disk. If your MFP came with a hard disk installed, you must encrypt the hard disk. Hard disk encryption helps prevent the loss of sensitive data in the event your MFP—or its hard disk—is stolen.
  • Page 8: Disabling The Usb Buffer

    A message will be displayed asking you to confirm the action: Contents will be lost. Continue? • Select Yes to proceed with disk wiping and encryption. A status bar will indicate the progress of the encryption task. After the disk has been encrypted, the MFP will return to the Enable/Disable screen. Warning: Do not power off the device during the encryption process.
  • Page 9: Installing The Minimum Configuration

    Installing the minimum configuration You can achieve an evaluated configuration on a non-networked (standalone) device in just a few steps. For this configuration, all tasks are performed at the device, using the touch screen. Configuring the device Configuration checklist This checklist outlines the steps required to implement an evaluated configuration on a standalone device. For information about additional configuration options, see “Administering the device”...
  • Page 10: Creating User Accounts

    From the home screen, touch Menus > Security > Edit Security Setups > Edit Backup Password > Password. Type the password you want to use, and then touch Next. Re-enter the password, and then touch Next to save the new password and return to the Edit Backup Password screen.
  • Page 11 Group name Type of user group would be selected for Administrator_Security • Administrators permitted to access all device functions • Administrators permitted to use device functions, and access the Security menu Authenticated_Users • Administrators permitted to access all device functions •...
  • Page 12: Creating Security Templates

    Creating security templates A security template is assigned to each device function, to control which users are permitted to access that function. At a minimum, you must create two security templates: one for "Administrator_Only" and one for "Authenticated_Users". If there is a need to grant access to some administrative functions while restricting others, you can create additional security templates such as “Administrator_Reports”, or “Administrator_Security”.
  • Page 13

    Access Control | Level of protection
    Address Book | Any valid setting
    Cancel Jobs at the Device | Administrator access only
    Change Language from Home Screen | Any valid setting
    Color Dropout | Any valid setting
    Configuration Menu | Disabled
    Copy Color Printing | Any valid setting
    Copy Function | Any valid setting
    Create Bookmarks at the Device...
  • Page 14: Disabling Home Screen Icons

    Access Control | Level of protection
    Release Held Faxes | Administrator access only
    Remote Certificate Management | Not applicable - all remote access disabled
    Remote Management | Disabled
    Reports Menu at the Device | Any valid setting
    Reports Menu Remotely | Not applicable - all remote access disabled
    Security Menu at the Device | Administrator access only
    Security Menu Remotely...
  • Page 15: Administering The Device

    Administering the device This chapter describes how to configure additional settings and functions that may be available on your device. Using the Embedded Web Server Access to the Embedded Web Server is disabled as part of the evaluated configuration on network-attached devices. Once a device is in the evaluated configuration, administrators can still adjust many settings using the touch screen.
  • Page 16: Settings For Network-Attached Devices

    Using the EWS Type the device IP address or hostname in the address field of your Web browser using the secure version of the page (with the address beginning “https://”). Use the navigation menu on the left to access configuration and report menus. Note: If the device IP address or hostname is not readily apparent, you can find it by printing a network setup page.
  • Page 17: Creating A New Certificate

    • City Name—Type the name of the city where the company or organization issuing the certificate is located. • Subject Alternate Name—Type the alternate name and prefix that conforms to RFC 2459. For example, enter an IP address using the format IP:255.255.255.255. Leave this field blank to use the IPv4 address. Note: All fields accept a maximum of 128 characters, except where noted.
  • Page 18: Setting Up Ipsec

    The contents of the file should be in the following format: -----BEGIN CERTIFICATE----- MIIE1jCCA76gAwIBAgIQY6sV0KL3tIhBtlr4gHG85zANBgkqhkiG9w0BAQUFADBs … l3DTbPe0mnIbTq0iWqKEaVne1vvaDt52iSpEQyevwgUcHD16rFy+sOnCaQ== -----END CERTIFICATE----- • Download Signing Request—Download or save the signing request as a .csr file. • Install Signed Certificate—Upload a previously signed certificate. Installing a CA certificate A Certificate Authority (CA) certificate is required if you will be using the PKI Authentication application.
  • Page 19: Disabling Non-Ip Network Protocols

    Disabling non-IP network protocols IP is the only network protocol permitted under this evaluation. The NetWare, AppleTalk, and LexLink protocols must be disabled. Using the EWS Note: For information about accessing the EWS, see “Using the Embedded Web Server” on page 15. Be sure to disable HTTP and HTTPS access after you have finished using the EWS.
  • Page 20: Shutting Down Port Access

    Set Activate to No. Touch Submit. The MFP will return to the LexLink screen. From there you can select Back to return to Std Network Setup, or the home icon to return to the home screen. Shutting down port access Disabling virtual ports helps prevent intruders from accessing the MFP using a network connection.
  • Page 21: Kerberos

    Using the EWS From the EWS, click Settings > Security > Set Date and Time. Note: For information about accessing the EWS, see “Using the Embedded Web Server” on page 15. Be sure to disable HTTP and HTTPS access after you have finished using the EWS. Select the Enable NTP check box, and then type the IP address or hostname of the NTP Server.
  • Page 22: Security Audit Logging

    Importing a Kerberos configuration file Using the EWS, you can also import a krb5.conf file rather than configure the Simple Kerberos Setup. From the EWS, click Settings > Security > Security Setup. Note: For information about accessing the EWS, see “Using the Embedded Web Server” on page 15. Be sure to disable HTTP and HTTPS access after you have finished using the EWS.
  • Page 23: Using The Touch Screen

    For Severity of events to log, select 5 - Notice. The chosen severity level and anything higher (0-4) will be logged. To send all events regardless of severity to the remote server, select Remote Syslog non-logged events. To have administrators automatically notified of certain log events, type one or more E-mail addresses (separated by commas) in the Admin's e-mail address field, and then choose how events will be handled: •...
  • Page 24: E-Mail

    If you want the MFP to automatically notify administrators of certain log events, adjust the following settings as needed: • To send an E-mail when the Delete Log button is clicked, set “E-mail log cleared alert” to On. • To send an E-mail when the log becomes full and begins to overwrite the oldest entries, set “E-mail log wrapped alert”...
  • Page 25: Smtp Settings

    For SMTP Timeout, type the number of seconds (5-30) the device will wait for a response from the SMTP server before timing out. If you want to receive responses to messages sent from the MFP (in case of failed or bounced messages), type a Reply Address.
  • Page 26: Fax

    For User-Initiated E-mail, select the option most appropriate for your network/server environment. If the MFP must provide credentials in order to send E-mail, enter the information appropriate for your network in the Device Userid, Device password, and Kerberos 5 Realm or NTLM Domain fields. Touch Submit.
  • Page 27: Configuring Security Reset Jumper Behavior

    Setting up a fax storage location (optional) If your device came with a hard disk installed, you have the option of setting up a fax storage location on the disk, if needed. Note: Not all devices have a hard disk installed. This section applies only to devices containing a hard disk. Turn off the MFP using the power switch.
  • Page 28: Creating User Accounts Through The Ews

    Creating user accounts through the EWS Creating internal (device) accounts for use with the evaluated configuration involves not only assigning a user ID and password to each user, but also segmenting users into groups. You will select one or more of these groups when configuring security templates, and then apply a security template to each device function, to control access to that function.
  • Page 29: Configuring Ldap+Gssapi

    Step 2: Creating accounts From the EWS, click Settings > Security > Security Setup. Under Advanced Security Setup, Step 1, select Internal Accounts. From the Required User Credentials list, select User ID and Password. Click Submit. Return to Settings > Security > Security Setup > Internal Accounts. Select Add an Internal Account, and then provide the information needed for each account: •...
  • Page 30: General Information

    General Information • Setup Name—Used to identify each particular LDAP+GSSAPI Server Setup when creating security templates. • Server Address—The IP address or the hostname of the LDAP server where authentication will be performed. Note: For LDAP+GSSAPI, the LDAP server can be the domain controller, or a separate server. •...
  • Page 31 From the General Information screen, select General Information, and then adjust the following settings as needed: • Setup Name—Used to identify each particular LDAP+GSSAPI Server Setup when creating security templates. • Server Address—The IP address or the hostname of the LDAP server where authentication will be performed. •...
  • Page 32: Configuring Common Access Card Access

    Configuring Common Access Card access A set of Public Key Infrastructure (PKI) embedded applications comes installed on the MFP. These applications provide for additional functionality, including the use of SmartCards such as the Department of Defense Common Access Card (CAC). For more information on using a card reader with your MFP, see “Using a Common Access Card to access the MFP”...
  • Page 33 • Domain—The card domain that should be mapped to the specified Realm. This is the principal name used on the card, and should be listed by itself, followed by a comma, a period, and then the principal name again. This value is case-sensitive, and usually appears in lowercase. Multiple values can be entered, separated by commas.
  • Page 34: Creating Security Templates Using The Ews

    Creating security templates using the EWS A security template is assigned to each device function, to control which users are permitted to access that function. At a minimum, you must create two security templates: one for "Administrator_Only" and one for "Authenticated_Users".
  • Page 35: Controlling Access To Device Functions

    Notes: • Clicking Delete List will delete all security templates on the MFP, regardless of which one is selected. To delete an individual security template, select it from the list, and then click Delete Entry in the Settings screen for that template.
  • Page 36: Controlling Access To Device Functions Using The Ews

    Under Advanced Settings, select Require All Jobs to be Held and Clear Print Data. Click Apply. Controlling access to device functions using the EWS Access to MFP functions can be restricted by applying security templates to individual functions. A list of Access Controls and what they do can be found in the “Access Controls”...
  • Page 37

    Access Control | Level of protection
    Flash Drive Print | Not applicable - USB port disabled
    Flash Drive Scan | Not applicable - USB port disabled
    FTP Function | Any valid setting
    Held Jobs Access | Disabled
    Manage Shortcuts at the Device | Any valid setting
    Manage Shortcuts Remotely | Not applicable - all remote access disabled
    Network Ports/Menu at the Device...
  • Page 38

    Access Control | Level of protection
    Supplies Menu Remotely | Not applicable - all remote access disabled
    Use Profiles | Authenticated users
    Web Import/Export Settings | Not applicable - all remote access disabled...
  • Page 39: Troubleshooting

    If the authentication token is installed but not running, select the check box next to the application name, and then click Start. • If the authentication token does not appear in the list of installed solutions, contact the Lexmark Solutions Help Desk for assistance. PKI AUTHENTICATION IS NOT INSTALLED OR RUNNING From the Embedded Web Server, click Settings >...
  • Page 40: The Kdc And Mfp Clocks Are Different Beyond An Acceptable Range; Check The Mfp's Date And Time" Error Message

    “The KDC and MFP clocks are different beyond an acceptable range; check the MFP's date and time” error message This error indicates the printer clock is more than five minutes out of sync with the domain controller clock. Verify the date and time on the printer: From the Embedded Web Server, click Settings >...
  • Page 41: The Kdc Did Not Respond Within The Required Time" Error Message

    “The KDC did not respond within the required time” error message ADDRESS OR HOSTNAME OF THE IS NOT CORRECT From the Embedded Web Server, click Settings > Embedded Solutions > PKI Authentication > Configure. If the Simple Kerberos Setup has been configured in PKI Authentication, verify the IP address or hostname specified for the Domain Controller, and then click Apply to save any needed changes.
  • Page 42: Client [Name] Unknown" Error Message

    “Client [NAME] unknown” error message This error indicates the KDC being used to authenticate the user does not recognize the User Principal Name specified in the error message. From the Embedded Web Server, click Settings > Embedded Solutions > PKI Authentication > Configure. If the Simple Kerberos Setup has been configured in PKI Authentication, verify that the IP address or hostname of the Domain Controller is correct.
  • Page 43: Ldap Lookups Fail Almost Immediately

    Click Apply. LDAP SEARCH BASE IS TOO BROAD IN SCOPE Narrow the LDAP search base to the lowest possible scope that will include all necessary users. LDAP lookups fail almost immediately This normally occurs during address book searches, user E-mail address searches, or user home directory searches. LDAP DDRESS ETUP CONTAINS AN...
  • Page 44: Unable To Determine Windows User Id" Error Message

    “Unable to determine Windows User ID” error message This error indicates that PKI Authentication is not setting the userid for the session. From the Embedded Web Server, click Settings > Embedded Solutions > PKI Authentication > Configure. Under User Session and Access Control, select a Session Userid to determine how the Windows Userid will be obtained when a user attempts to log in: •...
  • Page 45: Appendix A: Using The Touch Screen

    Appendix A: Using the touch screen The home screen The screen located on the front of the MFP is touch-sensitive, and can be used to access device functions, and navigate settings and configuration menus. The “home screen” looks similar to this (yours may contain additional icons): Touch the Menus icon on the lower right to access settings and configuration menus for the device.
  • Page 46 To type a single upper case or Shift character, touch the up-arrow A, and then touch the letter or number you need to capitalize or shift-select. To turn on caps-lock, touch the up-arrow A with the lock symbol, and then continue typing.
  • Page 47: Appendix B: Acronyms

    Appendix B: Acronyms Acronyms used in this guide Certificate Authority Common Access Card Domain Controller DHCP Dynamic Host Configuration Protocol Domain Name Service Department of Defense Evaluation Assurance Level Embedded Web Server Graphic Interchange Format GSSAPI Generic Security Service Applications Programming Interface HTTP Hypertext Transfer Protocol HTTPS...
  • Page 48: Appendix C: Description Of Access Controls

    Appendix C: Description of Access Controls

    Access Controls
    Depending on device type and installed options, some Access Controls (referred to on some devices as Function Access Controls) may not be available for your printer.

    Function Access Control | What it does
    Address Book | Controls the ability to perform address book searches in the Scan to Fax and Scan to Email functions...
  • Page 49

    Function Access Control | What it does
    Network Ports/Menu at the Device | Protects access to the Network/Ports section of the Settings menu from the printer control panel
    Network Ports/Menu Remotely | Protects access to the Network/Ports section of the Settings menu from the Embedded Web Server
    NPA Network Adapter Setting | When disabled, all network adaptor NPA settings change commands are ignored...
  • Page 50

    Function Access Control | What it does
    Supplies Menu at the Device | Protects access to the Supplies menu from the printer control panel
    Supplies Menu Remotely | Protects access to the Supplies menu from the Embedded Web Server
    User Profiles | Controls access to Profiles, such as scanning shortcuts, workflows, or eSF applications
    Web Import/Export Settings | Controls the ability to import and export printer settings files (UCF files) from the...
  • Page 51: Appendix D: Using Common Access Cards

    Appendix D: Using Common Access Cards Using a Common Access Card to access the MFP Insert your Common Access Card into the card reader attached to the MFP: Note: The appearance of your MFP, including the location of the card reader, may vary. When prompted, use the number pad located on the touch screen to enter your logon PIN, and then touch Next:...
  • Page 52 It may take a moment for the MFP to validate your credentials: After your logon credentials have been validated, the MFP will return to the home screen: Note: The MFP home screen may contain different icons than the one shown here. For more information about using the touch screen, see “Appendix A: Using the touch screen”...
  • Page 53: Notices

    Lexmark that cannot be excluded or modified. If any such provisions apply, then to the extent Lexmark is able, Lexmark hereby limits its liability for breach of those provisions to one of the following: replacement of the Software Program or reimbursement of the price paid for the Software Program.
  • Page 54 UPGRADES. To Use a Software Program identified as an upgrade, you must first be licensed to the original Software Program identified by Lexmark as eligible for the upgrade. After upgrading, you may no longer use the original Software Program that formed the basis for your upgrade eligibility.
  • Page 55 Software Program and requested by you. Lexmark agrees not to use this information in a form that personally identifies you except to the extent necessary to provide such services.
  • Page 56: Index

    Index using 15 encrypting network data 18 Access Controls Kerberos encrypting the hard disk 7 list of 48 configuring 21 encryption access controls importing a krb5.conf file 21 IPSec 18 setting at the device 12 simple setup 21 environment using the EWS to set 36 keyboard operating 5 acronyms 47...
  • Page 57 PKI Held Jobs LDAP lookup failure 43 configuring 35 LDAP lookups take too long 42 port access login hangs getting user info 42 shutting down 20 login screen does not appear when pre-configuration tasks card is inserted 39 verifying firmware 6 MFP clock out of sync 40 verifying physical interfaces 6 missing Kerberos realm 41...
  • Page 58 www.lexmark.com...
