Xerox WorkCentre 7220 Information page 25

SNMP traffic may be secured if an IPSec tunnel has been established between the agent (the device) and the
manager (i.e. the user's PC).
The device supports SNMPv3, which is an encrypted version of the SNMP protocol that uses a shared secret. Secure
Sockets Layer must be enabled before configuring the shared secret needed for SNMPv3.
2.8.2.11. Port 389, LDAP
This is the standard LDAP port used for address book queries in the Scan to Email feature.
2.8.2.12. Port 396, Netware
This configurable port is used when Novell Netware is enabled to run over IP.
2.8.2.13. Port 427, SLP
When activated, this port is used for service discovery and advertisement. The device will advertise itself as a printer
and also listen for SLP queries using this port. It is not configurable. This port is explicitly enabled / disabled in the
Properties tab of the device's web pages.
2.8.2.14. Port 443, HTTPS - HTTP over SSL/TLS
This is the default port for Secure Sockets Layer communication. This port can be configured via the device's web
pages. SSL must be enabled before setting up either SNMPv3 or IPSec or before retrieving the audit log (see Sec.
4.2). SSL must also be enabled in order to use any of the Web Services (Scan Template Management, Automatic
Meter Reads, or Network Scanning Validation Service).
SSL should be enabled so that the device can be securely administered from the web UI. When scanning, SSL can be
used to secure the filing channel to a remote repository.
SSL uses X.509 certificates to establish trust between two ends of a communication channel. When storing scanned
images to a remote repository using an https: connection, the device must verify the certificate provided by the
remote repository. A Trusted Certificate Authority certificate should be uploaded to the device in this case.
To securely administer the device, the user's browser must be able to verify the certificate supplied by the device. A
certificate signed by a well-known Certificate Authority (CA) can be downloaded to the device, or the device can
generate a self-signed certificate. In the first instance, the device creates a Certificate Signing Request (CSR) that
can be downloaded and forwarded to the well-known CA for signing. The signed device certificate is then uploaded
to the device. Alternatively, the device will generate a self-signed certificate. In this case, the generic Xerox root CA
certificate must be downloaded from the device and installed in the certificate store of the user's browser.
The device supports only server authentication.
Port 445, NETBIOS (Microsoft – DS)
2.8.2.15.
This port is open and used only when NETBIOS (Microsoft Networking/Active Directory) is enabled.
2.8.2.16. Ports 500/4500, ISAKMP
ISAKMP defines the procedures for authenticating a communicating peer, creation and management of Security
Associations, key generation techniques, and threat mitigation (e.g. denial of service and replay attacks). ISAKMP
defines procedures and packet formats to establish, negotiate, modify and delete Security Associations. ISAKMP
can be implemented over any transport protocol. All implementations must include send and receive capability for
ISAKMP using UDP on port 500. Port 500 will only be open on the device if the IPsec service is enabled.
2.8.2.17. Port 515, LPR
This is the standard LPR printing port, which only supports IP printing. It is a configurable port, and may be explicitly
enabled or disabled in the Properties tab of the device's web pages.
Ver. 1.0, January 2013
WorkCentre 7220-7225 Information Assurance Disclosure Paper
Page 25 of 61