Operating Instructions
Security Guide

For safe and correct use, be sure to read the Safety Information in Read This First before using the machine.
TABLE OF CONTENTS

1. Getting Started
Before Configuring the Security Function Settings ..... 7
Before Using This Machine ..... 8
Administrators and Users ..... 9
Administrators ..... 10
Configuring Administrator Authentication ..... 11
Specifying Administrator Privileges ..... 12
Registering and Changing Administrators ..... 14
Using Web Image Monitor to Configure Administrator Authentication ..... 16
Administrator Login Method ..... 17
Logging in Using the Control Panel

Auto Registration to the Address Book ..... 44
Automatically Registered Address Book Items ..... 44
User Lockout Function ..... 45
Specifying the User Lockout Function ..... 46
Canceling Password Lockout ..... 46
Auto Logout ..... 47
3. Restricting Machine Usage
Preventing Changes to Administrator Settings ..... 49
Limiting the Settings that Can Be Changed by Each Administrator ..... 49
Prohibiting Users from Making Changes to Settings ..... 49
Limiting Available Functions

Creating and Installing a Device Certificate from the Control Panel (Self-Signed Certificate) ..... 81
Creating and Installing a Device Certificate from Web Image Monitor (Self-Signed Certificate) ..... 82
Creating a Device Certificate (Issued by a Certificate Authority) ..... 83
Installing a Device Certificate (Issued by a Certificate Authority) ..... 83
Installing an Intermediate Certificate (Issued by a Certificate Authority)

Managing Logs from the Machine ..... 145
Specifying Log Collect Settings ..... 145
Disabling Log Transfer to the Log Collection Server ..... 145
Specifying Delete All Logs ..... 146
Managing Logs from the Log Collection Server ..... 146
Configuring the Home Screen for Individual Users ..... 147
Warnings About Using a User's Own Home Screens ..... 147
Configuring the Browser Settings

7. Troubleshooting
If a Message is Displayed ..... 175
If an Error Code is Displayed ..... 176
Basic Authentication ..... 176
Windows Authentication ..... 177
LDAP Authentication ..... 181
If the Machine Cannot Be Operated ..... 185
8. List of Operation Privileges for Settings
How to Read ..... 187
System Settings ..... 188
Tray Paper Settings ..... 195
Edit Home

List of Operation Privileges for Address Books ..... 229
INDEX ..... 231...
1. Getting Started

This chapter describes the precautions you need to take when using the machine's security features and how to configure the administrator settings.

Before Configuring the Security Function Settings

• If the security settings are not configured, the data in the machine is vulnerable to attack.
•...
Before Using This Machine

This section explains how to encrypt transmitted data and configure the administrator account. If you want a high level of security, make the following setting before using the machine.

Turn the machine on. For details about turning on the main power, see "Turning On/Off the Power", Getting Started.
Administrators and Users

This section explains the terms "administrator", "supervisor", and "user" as used in this manual.

Administrator

There are 4 types of administrators for the machine: user administrator, machine administrator, network administrator, and file administrator. Their main role is to specify the settings for operating the machine. Their access privileges depend on the administrator type.
Administrators

Administrators manage user access to the machine and various other important functions and settings. When an administrator controls limited access and settings, first select the machine's administrator and enable the authentication function before using the machine. When the authentication function is enabled, the login user name and password are required in order to use the machine.
Configuring Administrator Authentication

Administrator authentication requires the login user name and password for verifying administrators attempting to specify the machine's settings or access them from a network. When registering an administrator, you cannot use a login user name already registered in the Address Book. Administrators are managed differently from the users registered in the Address Book.
Users registered in the Address Book can also change and delete their own information. If a user forgets their password, the user administrator can delete it and create a new one, allowing the user to access the machine again.

2.
Press [Administrator Authentication Management].
Press [User Management], [Machine Management], [Network Management], or [File Management] to select which settings to manage.
Set "Admin. Authentication" to [On]. "Available Settings" appears.
Select the settings to manage from "Available Settings". The selected settings will be unavailable to users. The available settings depend on the administrator type.
Registering and Changing Administrators

If administrator authentication is specified, we recommend only one person take each administrator role. Sharing administrator tasks facilitates each administrator's tasks while also preventing unauthorized administrator operations. You can register up to 4 login user names (Administrators 1-4) to which you can grant administrator privileges.
When allocating administrators' privileges to one person each, select one administrator under each category as shown below. To combine multiple administrator privileges, assign multiple administrator privileges to a single administrator. For example, to assign machine administrator privileges and user administrator privileges to [Administrator 1], press [Administrator 1] in the lines for the machine administrator and the user administrator.
Administrator Login Method

If administrator authentication is specified, log in using an administrator's login user name and password. Supervisors log in the same way. For information about the user name and password for the administrator and supervisor, ask the administrator.
• If you log in using administrator privileges, the name of the administrator logging in appears. When you log in with a user name that has multiple administrator privileges, one of the administrator privileges associated with that name is displayed.
•...
Administrator Logout Method

If administrator authentication is specified, be sure to log out after changes to settings are completed. Supervisors log out in the same way.

Logging out Using the Control Panel

Press the [Login/Logout] key, and then press [Yes].
•...
Supervisor

The supervisor can delete an administrator's password and specify a new one. If an administrator forgets or changes his or her password, the supervisor can assign a new password to the administrator. If you log in using the supervisor's user name and password, you cannot use normal functions or specify system settings.
Press [Change] for "Login Password".
Enter the login password, and then press [OK].
Enter the login password for confirmation again, and then press [OK].
Press [OK] twice. You will be automatically logged out.

• The supervisor can change the administrators' login passwords but not their login user names.

Changing the Supervisor

This section describes how to change the supervisor's login user name and password.
2. Configuring User Authentication

This chapter describes how to specify user authentication and explains the functions that are enabled by user authentication.

Users

A user performs normal operations on the machine, such as printing. Users are managed using the information in the machine's Address Book and can only use the functions they are permitted to access by administrators.
About User Authentication

User authentication is a system requiring the login user name and password for verifying users to operate the machine or access the machine over the network.

1. User
A user performs normal operations on the machine, such as printing.

2.
Configuring User Authentication

There are 4 types of user authentication methods: User Code authentication, Basic authentication, Windows authentication, and LDAP authentication. To use user authentication, select an authentication method on the control panel, and then make the required settings for the authentication. The settings depend on the authentication method.
Type | Details
Windows authentication | Authentication is performed using the domain controller of the Windows server on the same network as the machine. Authentication can be applied to each user.
LDAP authentication | Authentication is performed using the LDAP server on the same network as the machine.
User Code Authentication

This is an authentication method for limiting access to functions according to a user code. The same user code can be used by multiple users. For details about specifying user codes, see "Registering a User Code", Connecting the Machine/System Settings.
To specify printer job authentication, select [Black & White / Color] or [Color] for "Printer" under "Functions to Restrict". For details about printer job authentication, see page 43 "Printer Job Authentication".
Press [OK].
Press the [Login/Logout] key. A confirmation message appears.
Basic Authentication

Specify this authentication method when using the machine's Address Book to authenticate each user. Using Basic authentication, you can not only manage the machine's available functions but also limit access to the personal data in the Address Book. Under Basic authentication, the administrator must specify the functions available to each user registered in the Address Book.
Authentication Information Stored in the Address Book

If you have enabled user authentication, you can specify access limits and usage limits to the machine's functions for each user or group of users. Specify the necessary settings in the Address Book entry of each user.
Press [Auth. Info].
Press [Change] for "Login User Name".
Enter a login user name, and then press [OK].
Press [Change] for "Login Password".
Enter a login password, and then press [OK].
Re-enter the login password for confirmation, and then press [OK].
Press [OK].
Windows Authentication

Specify this authentication when using the Windows domain controller to authenticate users who have their accounts on the directory server. Users cannot be authenticated if they do not have their accounts in the directory server. Under Windows authentication, you can specify the access limit for each group registered in the directory server.
• This function is supported by the operating systems listed below. To obtain user information when Active Directory is running, use LDAP. If you are using LDAP, we recommend you use SSL to encrypt communication between the machine and the LDAP server. SSL encryption is possible only if the LDAP server supports TLSv1 or SSLv3.
Press [System Settings].
Press [Administrator Tools].
Press [ Next].
Press [User Authentication Management].
Select [Windows Auth.]. If you do not want to enable user authentication, select [Off].
If you want to use Kerberos authentication, press [On]. If you want to use NTLM authentication, press [Off] and proceed to Step 9.
To enable Kerberos authentication, a realm must be registered beforehand. A realm name must be registered in capital letters. For details about registering a realm, see "Programming the Realm", Connecting the Machine/System Settings. Up to 5 realms can be registered.
Press [Change] for "Domain Name", enter the name of the domain controller to be authenticated, and then press [OK].
Users can use the selected functions only. For details about specifying available functions for individuals or groups, see page 50 "Limiting Available Functions".
Press [OK].
Press [OK].
Press the [Login/Logout] key. A confirmation message appears. If you press [Yes], you will be automatically logged out.

Installing Internet Information Services (IIS) and Certificate Services

Specify this setting if you want the machine to automatically obtain user information registered in Active Directory.
Set the "Certificate database location:" and the "Certificate database log location:" settings to their defaults, and then click [Next>].
Read the notes, and then click [Next>].
Select the role service you want to use, and then click [Next>].
Click [Install].
In "Common name for this CA:", enter the Certificate Authority name, and then click [Next>].
Select the validity period, and then click [Next>].
Set the "Certificate database location:" and the "Certificate database log location:" settings to their defaults, and then click [Next>].
Click [Configure].
LDAP Authentication

Specify this authentication method when using the LDAP server to authenticate users who have their accounts on the LDAP server. Users cannot be authenticated if they do not have their accounts on the LDAP server. The Address Book stored in the LDAP server can be registered to the machine, enabling user authentication without first using the machine to register individual settings in the Address Book.
• Register the LDAP server to the machine.
• To register the LDAP server, specify the following settings:
  • Server Name
  • Search Base
  • Port Number
  • SSL communication
  • Authentication
    Select either Kerberos, DIGEST, or Cleartext authentication.
•...
Press [User Authentication Management].
Select [LDAP Auth.]. If you do not want to enable user authentication, select [Off].
Select the LDAP server to be used for LDAP authentication.
Press [ Next].
In "Other Functions", select which of the machine's functions you want to permit. LDAP authentication will be applied to the selected functions.
Also, if you place an equals sign (=) between two login attributes (for example: cn=abcde, uid=xyz), the search will return only hits that match the attributes. This search function can also be applied when Cleartext authentication is specified. When authenticating using the DN format, login attributes do not need to be registered.
Printer Job Authentication

Printer job authentication is a function to apply user authentication to print jobs. User code authentication can be used for printer job authentication. A job can be printed if the user code entered in the printer properties dialog box matches a user code registered in the machine's Address Book and the job is authenticated.
Auto Registration to the Address Book

The personal information of users logging in via Windows or LDAP authentication is automatically registered in the Address Book.

Automatically Registered Address Book Items

• Login User Name
• Login Password
•...
User Lockout Function

If an incorrect password is entered several times, the User Lockout function prevents further login attempts under the same login user name. Even if the locked out user enters the correct password later, authentication will fail and the machine cannot be used until the lockout period elapses or an administrator or supervisor disables the lockout.
Locked out user | Unlocking administrator
Supervisor | Machine administrator

Specifying the User Lockout Function

Log in as the machine administrator from Web Image Monitor.
Point to [Device Management], and then click [Configuration].
Click [User Lockout Policy] under "Security".
Set "Lockout"...
Auto Logout

After you log in, the machine automatically logs you out if you do not use the control panel within a given time. This feature is called "Auto Logout". Specify how long the machine is to wait before performing Auto Logout.
• You can specify Auto Logout settings for Web Image Monitor in [Webpage]. For details, see the Web Image Monitor Help.
3. Restricting Machine Usage

This chapter explains how to restrict use of the machine by the user.

Preventing Changes to Administrator Settings

Limiting the Settings that Can Be Changed by Each Administrator

The settings that can be made for this machine vary depending on the type of administrator, allowing the range of operations that can be shared among the administrators.
Limiting Available Functions

To prevent unauthorized operations, you can specify who is allowed to access each of the machine's functions. Specify the functions available to registered users. By configuring this setting, you can limit the functions available to users.
4. Preventing Leakage of Information from Machines

This chapter explains how to protect information if it is stored in the machine's memory or on the hard disk.

Protecting the Address Book

You can specify who is allowed to access the data in the Address Book. To protect the data from unauthorized users, you can also encrypt the data in the Address Book.
Press [Program/Change/Delete] for "Permissions for Users / Groups", under "Protect Destination".
Press [New Program].
Select the users or groups to which to apply access permissions. You can select multiple users. By pressing [All Users], you can select all users.
Press [Exit].
Encrypting Data in the Address Book

• The machine cannot be used during encryption.

The time it takes to encrypt the data in the Address Book depends on the number of registered users. Encrypting the data in the Address Book may take longer.

Log in as the user administrator from the control panel.
If you press [Stop] during decryption, the data is not decrypted. Normally, once encryption is complete, "Encryption / Decryption is successfully complete. Press [Exit]." appears.
Press [Exit].
Press [OK].
Log out.

• If you register additional users after encrypting the data in the Address Book, their data is also encrypted.
Encrypting Data on the Machine

• Keep SD cards or USB flash memory devices out of reach of children. If a child accidentally swallows an SD card or USB flash memory device, consult a doctor immediately.

Even if the memory device or hard disk is stolen, data leakage can be prevented by encrypting the data on the machine, such as Address Book, authentication data, and files.
Setting | Data to be kept | Data to be initialized | Required time
File System Data Only | • Address Book • Embedded Software Architecture applications' program/log • Logs •... | None | Approx. 2 hours and 45 minutes
off while the encryption process is in progress, the hard disk will be damaged and all data on it will be unusable.
• The encryption key is required for data recovery if the machine malfunctions. Be sure to store the encryption key safely for retrieving backup data.
Press [Encrypt].
Select the data to be carried over to the hard disk and the one not to be deleted. To carry all of the data over to the hard disk, select [All Data]. To carry over the machine settings data only, select [File System Data Only].
Log in as the machine administrator from the control panel.
Press [System Settings].
Press [Administrator Tools].
Press [ Next] twice.
Press [Machine Data Encryption Settings].
Press [Back Up Encryption Key].
Specify how to back up the encryption key. If you have selected [Save to SD Card], insert an SD card into the media slot on the side of the control panel and press [OK].
• Once the updating of the encryption key starts, it cannot be stopped. Make sure that the machine's main power is not turned off while the encryption process is in progress. If the machine's main power is turned off while the encryption process is in progress, the hard disk will be damaged and all data on it will be unusable.
Turn off the main power switch, and then turn on the main power switch again. The machine will start to convert the data on the memory after you turn on the machine. Wait until the message "Memory conversion complete. Turn the main power switch off." appears, and then turn the main power switch off again.
Turn off the main power switch, and then turn on the main power switch again. For details about turning off the main power, see "Turning On/Off the Power", Getting Started.
Deleting Data on the Machine

You can prevent data leakage by overwriting the data stored on the machine. There are two kinds of overwriting as follows:

Auto Erase Memory

When you edit or delete data on the machine's hard disk, the data is automatically erased by overwriting so that unnecessary data is not retained.
Each item of data is overwritten by a random number, then by its complement, then by another random number, and is then verified.

• Random Numbers
  Temporary data is overwritten multiple times with random numbers. The number of overwrites can be selected from 1 to 9.
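The two overwrite sequences described above can be illustrated on an ordinary file. The following Python sketch is an added example and is not the machine's firmware or code from this manual; the function names are hypothetical, and it assumes that "verified" means reading the final pass back and comparing it with what was written.

```python
import hashlib
import os

CHUNK = 64 * 1024
# Lookup table mapping every byte value to its bitwise complement.
_COMPLEMENT = bytes(b ^ 0xFF for b in range(256))


def complement_bytes(block):
    """Return the bitwise complement of a block of bytes."""
    return block.translate(_COMPLEMENT)


def _fill_random(f, size, rng):
    """Overwrite the whole file with random bytes; return SHA-256 of the data written."""
    digest = hashlib.sha256()
    f.seek(0)
    remaining = size
    while remaining:
        block = rng(min(CHUNK, remaining))
        f.write(block)
        digest.update(block)
        remaining -= len(block)
    f.flush()
    os.fsync(f.fileno())  # push the pass to the storage device before the next one
    return digest.hexdigest()


def _fill_complement(f, size):
    """Replace the current contents, chunk by chunk, with their complement."""
    offset = 0
    while offset < size:
        f.seek(offset)
        block = f.read(min(CHUNK, size - offset))
        if not block:
            raise IOError("file shrank during overwrite")
        f.seek(offset)
        f.write(complement_bytes(block))
        offset += len(block)
    f.flush()
    os.fsync(f.fileno())


def _read_digest(f, size):
    """Read the file back and return its SHA-256 digest."""
    digest = hashlib.sha256()
    f.seek(0)
    remaining = size
    while remaining:
        block = f.read(min(CHUNK, remaining))
        if not block:
            break
        digest.update(block)
        remaining -= len(block)
    return digest.hexdigest()


def overwrite_three_pass(path, rng=os.urandom):
    """Random pass, complement pass, random pass, then read-back verification.

    Returns True when the read-back matches the final pass (assumed meaning
    of "verified"; the manual does not define it).
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        _fill_random(f, size, rng)
        _fill_complement(f, size)
        written = _fill_random(f, size, rng)
        return _read_digest(f, size) == written


def overwrite_random(path, passes=3, rng=os.urandom):
    """Random Numbers method: 1 to 9 random passes; returns the pass count."""
    if not 1 <= passes <= 9:
        raise ValueError("number of overwrites must be between 1 and 9")
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            _fill_random(f, size, rng)
    return passes
```

Overwriting a file through a general-purpose file system does not guarantee that the same physical sectors are rewritten, so this shows the pass sequence only.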
Press [Auto Erase Memory Setting].
Press [On].
Select the overwriting method you want to use. If you select [NSA] or [DoD], proceed to Step 10. If you select [Random Numbers], proceed to Step 8.
Press [Change].
Enter the number of times that you want to overwrite using the number keys, and then press [ ].
Overwrite icon

When Auto Erase Memory is enabled, the Data Overwrite icon will be indicated in the bottom right hand corner of the panel display of your machine.

Icon name | Explanation
Dirty | This icon is lit when there is temporary data to be overwritten, and flashes during overwriting.
• If the main power switch is turned off before "Erase All Memory" is completed, overwriting will be stopped and data will be left on the hard disk.
• Do not stop the overwrite mid-process. Doing so will damage the hard disk.
•...
• Format
  The hard disk is formatted. Data is not overwritten.

• The default method for erasing is "Random Numbers", and the default number of overwrites is 3.
• NSA stands for "National Security Agency", U.S.A.
•...
Press [Yes].
When erasing is completed, press [Exit], and then turn off the main power. For details about turning off the main power, see "Turning On/Off the Power", Getting Started.

• If the main power switch is turned off before "Erase All Memory" is completed, overwriting will start over when the main power switch is turned back on.
5. Enhanced Network Security

This chapter describes the functions for enhancing security when the machine is connected to the network.

Access Control

The machine can control TCP/IP access. Limit the IP addresses from which access is possible by specifying an access control range. For example, if you specify an access control range as [192.168.15.16]-[192.168.15.20], the client PC addresses from which access is possible will be from [192.168.15.16] to [192.168.15.20].
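The range in this example does not fall on a single subnet boundary, which matters when the same restriction is mirrored on an upstream firewall or checked against connection records. The following Python sketch is an added example, not code from this manual; the function names, the record format, and the sample records are constructed for illustration.

```python
import ipaddress


def range_to_cidrs(first, last):
    """Return the minimal list of CIDR blocks covering first..last inclusive."""
    lo = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(last)
    if lo.version != hi.version:
        raise ValueError("range endpoints must both be IPv4 or both be IPv6")
    if lo > hi:
        raise ValueError("range start is above range end")
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


def in_range(client, first, last):
    """True when client lies inside the inclusive access control range."""
    addr = ipaddress.ip_address(client)  # raises ValueError on bad input
    lo = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(last)
    # Compare versions first: IPv4 and IPv6 addresses cannot be ordered.
    return addr.version == lo.version and lo <= addr <= hi


# Constructed sample records (assumed format): timestamp, source address, service.
SAMPLE_LOG = [
    "2024-05-02T09:14:03 192.168.15.17 https",
    "2024-05-02T09:15:40 192.168.15.20 ipp",
    "2024-05-02T09:16:12 192.168.15.21 https",
    "2024-05-02T09:18:55 10.0.4.9 snmp",
    "2024-05-02T09:19:01 not-an-address https",
]


def outside_range(lines, first, last):
    """Return (record, reason) pairs for records that the range would not admit."""
    flagged = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            flagged.append((line, "malformed record"))
            continue
        source = parts[1]
        try:
            allowed = in_range(source, first, last)
        except ValueError:
            flagged.append((line, "unparseable source address"))
            continue
        if not allowed:
            flagged.append((line, "source outside access control range"))
    return flagged


if __name__ == "__main__":
    # The manual's example range needs two CIDR blocks, not one.
    print(range_to_cidrs("192.168.15.16", "192.168.15.20"))
    for record, reason in outside_range(SAMPLE_LOG, "192.168.15.16", "192.168.15.20"):
        print(reason, "->", record)
```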
Enabling and Disabling Protocols

Specify whether to enable or disable the function for each protocol. By making this setting, you can specify which protocols are available and so prevent unauthorized access over the network. Network settings can be specified on the control panel or by using Web Image Monitor, telnet, Device Manager NX, or Remote Communication Gate S.
Protocol | Port | Setting method | When disabled
SMTP | TCP:25 (variable) | • Control panel • Web Image Monitor • Device Manager NX • Remote Communication Gate S | E-mail notification functions that require SMTP reception cannot be used.
HTTP | TCP:80 | •...
Protocol | Port | Setting method | When disabled
SNMPv3 | UDP:161 | • Web Image Monitor • telnet • Device Manager NX • Remote Communication Gate S | Functions that require SNMPv3 cannot be used. You can also specify settings to require SNMPv3 encrypted transmission and restrict the use of other transmission methods using the...
Enabling and Disabling Protocols Using the Control Panel

Log in as the network administrator from the control panel.
Press [System Settings].
Press [Interface Settings].
Press [Effective Protocol].
Select the protocol you want to enable or disable.
Press [OK].
"Updating..." appears. Wait for about one or two minutes, and then click [OK]. If the previous screen does not appear again after you click [OK], wait for a while, and then click the web browser's refresh button.
Log out.
Specifying Network Security Levels

This setting allows you to change security levels to limit unauthorized access. You can configure network security level settings using the control panel or Web Image Monitor. Note that the protocols that can be specified differ.
Press [Network Security Level].
Select the network security level you want. Select [Level 0], [Level 1], [Level 2], or [FIPS140].
Press [OK].
Log out.

Specifying Network Security Level Using Web Image Monitor

Log in as the network administrator from Web Image Monitor.
Point to [Device Management], and then click [Configuration].
Function | Level 0 | Level 1 | FIPS 140 | Level 2
SSL/TLS > Permit SSL/TLS Communication | Ciphertext Priority | Ciphertext Priority | Ciphertext Only | Ciphertext Only
SSL/TLS Version > TLS1.2 | Active | Active | Active | Active
SSL/TLS Version > TLS1.1 | Active | Active | Active | Active
SSL/TLS Version >...
Function | Level 0 | Level 1 | FIPS 140 | Level 2
SNMPv1,v2 Function | Active | Active | Inactive | Inactive
SNMPv3 Function | Active | Active | Active | Active
Permit SNMPv3 Communication | Encryption/Cleartext | Encryption/Cleartext | Encryption Only | Encryption Only

TCP/IP Encryption Strength Setting

Function | Level 0 | Level 1...
Protecting Communication Paths via a Device Certificate

This machine can protect its communication paths and establish encrypted communications using SSL/TLS, IPsec, or IEEE 802.1X. To use these functions, it is necessary to create and install a device certificate for the machine in advance.
Press [Certificate 1]. Only [Certificate 1] can be created from the control panel.
Configure the necessary settings.
Press [OK]. "Installed" appears under "Certificate Status" to show that a device certificate for the machine has been installed.
Log out.
Creating a Device Certificate (Issued by a Certificate Authority)

Create the device certificate using Web Image Monitor. For details about the displayed items and selectable items, see Web Image Monitor Help. This section explains the use of a certificate issued by a certificate authority as the device certificate.

Log in as the network administrator from Web Image Monitor.
Enter the device certificate contents issued by the certificate authority.

Log in as the network administrator from Web Image Monitor.
Point to [Device Management], and then click [Configuration].
Click [Device Certificate] under "Security".
Check the radio button next to the number of the certificate you want to install. To use SSL/TLS, select [Certificate 1].
Wait for about one or two minutes, and then click [OK]. The intermediate certificate will be installed on the device. The "Certificate Details" screen will indicate whether or not the intermediate certificate has been installed. For details about the "Certificate Details"...
Configuring SSL/TLS Settings

Configuring the machine to use SSL/TLS enables encrypted communication. Doing so helps prevent data from being intercepted, cracked, or tampered with during transmission.

Flow of SSL/TLS encrypted communications

1. To access the machine from a user's computer, request the SSL/TLS device certificate and public key.
Create and install a device certificate from the control panel or Web Image Monitor.

2. Enabling SSL/TLS:
Enable the SSL/TLS setting using Web Image Monitor.

Configuration flow when using an authority issued certificate

1. Creating a device certificate and applying to the authority:
After creating a device certificate on Web Image Monitor, apply to the certificate authority.
"Updating..." appears. Wait for about one or two minutes, and then click [OK]. If the previous screen does not appear again after you click [OK], wait for a while, and then click the web browser's refresh button.
Log out.
Encrypted communication mode | Description
Ciphertext Only | Allows encrypted communication only. If encryption is not possible, the machine does not communicate.
Ciphertext Priority | Performs encrypted communication if encryption is possible. If encryption is not possible, the machine communicates without it.
Ciphertext / Cleartext | Communicates with or without encryption, according to the setting.
Enabling SSL for SMTP Connections

Use the following procedure to enable SSL encryption for SMTP connections.

Log in as the network administrator from the control panel.
Press [System Settings].
Press [File Transfer].
Press [SMTP Server].
In "Use Secure Connection (SSL)", press [On]. If you are not using SSL for SMTP connections, press [Off].
Configuring IPsec Settings

For communication security, this machine supports IPsec. IPsec transmits secure data packets at the IP protocol level using the shared key encryption method, where both the sender and receiver retain the same key. This machine uses automatic key exchange to configure the pre-shared key for both parties. Using the auto exchange setting, you can renew the shared key exchange settings within a specified validity period, and achieve higher transmission security.
function supports 2 security protocols: the ESP protocol, which enables both of the IPsec functions at the same time, and the AH protocol, which enables only the authentication function.
ESP protocol
The ESP protocol provides secure transmission through both encryption and authentication. This protocol does not provide header authentication.
auto configured. After this, the IPsec SA (Phase 2) settings, which allow actual IPsec transmission, are auto configured. Also, for further security, the SA can be periodically auto updated by applying a validity period (time limit) for its settings. This machine only supports IKEv1 for encryption key auto exchange. Note that it is possible to configure multiple SAs.
Page 96
Security level / Security level features
• Authentication Only: Select this level if you want to authenticate the transmission partner and prevent unauthorized data tampering, but not perform data packet encryption. Since the data is sent in cleartext, data packets are vulnerable to eavesdropping attacks.
Page 97
Setting / Authentication Only / Authentication and Low Level Encryption / Authentication and High Level Encryption
Phase 1 Diffie-Hellman Group
Phase 2 Security Protocol
Phase 2 Authentication Algorithm
• Authentication Only: HMAC-SHA1-96/HMAC-SHA256-128/HMAC-SHA384-192/HMAC-...
• Authentication and Low Level Encryption: HMAC-SHA1-96/HMAC-SHA256-128/HMAC-SHA384-192/
• Authentication and High Level Encryption: HMAC-SHA256-128/HMAC-SHA384-192/HMAC-SHA512-256
Page 98
Setting / Description / Setting value
• Local Address
Description: Specify the machine's address. If you are using multiple addresses in IPv6, you can also specify an address range.
Setting value: The machine's IPv4 or IPv6 address. If you are not setting an address range, enter 32 after an IPv4 address, or enter 128 after an IPv6 address.
Page 99
Setting / Description / Setting value
• Authentication Method (auto setting)
Description: Specify the method for authenticating transmission partners.
Setting value: PSK or Certificate. If you specify "PSK", you must then set the PSK text (using ASCII characters). If you are using "PSK", specify a PSK password using up to 32 ASCII characters.
Page 100
Setting / Description / Setting value
• Phase 2 Security Protocol
Description: Specify the security protocol to be used in Phase 2. To apply both encryption and authentication to sent data, specify "ESP" or "ESP+AH". To apply authentication data only, specify "AH".
Setting value: ESP, AH, or ESP+AH.
Encryption Key Auto Exchange Settings Configuration Flow
<Machine>
• Set the Security Level on Web Image Monitor
• Install the device certificate only when using certificates
• Activate IPsec settings
<PC>
• Set the same items on the machine
• Install the device certificate only when using certificates
• Activate IPsec settings
Confirm IPsec transmission...
Page 102
Make encryption key auto exchange settings in [Settings 1]. If you want to make multiple settings, select the settings number and add settings.
Click [OK].
Select [Active] for "IPsec" in "IPsec".
Set "Exclude HTTPS Communication" to [Active] if you do not want to use IPsec for HTTPS transmission.
Page 103
On the [Start] menu, click [Control Panel], click [System and Security], and then click [Administrative Tools]. Under Windows 8, hover the mouse pointer over the top- or bottom-right corner of the screen, and then click [Settings], [Control Panel], [System and Security], and then [Administrative Tools].
Double-click [Local Security Policy].
Page 104
Select the protocol type for IPsec, and then click [Next]. If you are using IPsec with IPv6, select "58" as the protocol number for the "Other" target protocol type.
Click [Finish].
Click [OK].
Select the IP filter that was just created, and then click [Next].
Click [Add].
Click [Finish].
Click [OK]. The new IP security policy (IPsec settings) is specified.
Select the security policy that was just created, right-click, and then click [Assign]. The computer's IPsec settings are enabled.
• To disable the computer's IPsec settings, select the security policy, right-click, and then click [Unassign].
Page 106
Display current settings
msh> ipsec exclude
• Displays the protocols currently excluded from IPsec transmission.
Specify protocols to exclude
msh> ipsec exclude {https|dns|dhcp|wins|all} {on|off}
• Specify the protocol, and then enter [on] to exclude it, or [off] to include it for IPsec transmission.
Page 107
• Enter the separate setting number [1-4] or [default] and specify the security policy for the address specified in the selected setting.
• To apply IPsec to the relevant packets, specify [apply]. To not apply IPsec, specify [bypass].
•...
Page 108
• You must also specify the PSK character string when you select [psk].
• Note that if you select "Certificate", the certificate for IPsec must be installed and specified before it can be used. To install and specify the certificate, use Web Image Monitor.
PSK character string setting
msh>...
Page 109
• Separate multiple encryption algorithm entries with a comma (,). The current setting values are displayed in order of highest priority.
• Not specifying an authentication algorithm displays the current setting.
IPsec SA (phase 2) encryption algorithm setting
msh>...
Configuring IEEE 802.1X Authentication
IEEE 802.1X is an authentication standard that uses an authentication server (RADIUS server). You can select from 4 types of EAP authentication method: EAP-TLS, LEAP, EAP-TTLS and PEAP. Note that each EAP authentication method has different configuration settings and authentication procedures. Types and requirements of certificates are as follows:
EAP type / Required certificates...
Selecting the Device Certificate
Select the certificate you want to use under IEEE 802.1X from among the device certificates created and installed in advance on the machine. For details about creating and installing a device certificate, see page 81 "Protecting Communication Paths via a Device Certificate".
Page 112
• Click [Change] in "Phase 2 User Name", and then enter the user name set in the RADIUS server.
• Select [CHAP], [MSCHAP], [MSCHAPv2], [PAP], or [MD5] in "Phase 2 Method". Certain methods might not be available, depending on the RADIUS server you want to use.
•...
Page 113
• If there is a problem with settings, you might not be able to communicate with the machine. In such a case, access [Print List] in [Interface Settings] on the control panel, and then print the network summary to check the status.
SNMPv3 Encryption
When using Device Manager NX or another application that communicates via SNMPv3, you can encrypt the transmitted data. By making this setting, you can protect data from being tampered with.
Log in as the network administrator from the control panel.
Press [System Settings].
Kerberos Authentication Encryption Setting
You can specify encrypted transmission between the machine and the key distribution center (KDC) server when Kerberos authentication is enabled. Using Kerberos authentication with Windows or LDAP authentication ensures safe communication. The supported encryption algorithm differs depending on the type of KDC server. Select the algorithm that suits your environment.
6. Managing the Machine
This chapter describes the functions for enhancing the security of the machine and operating the machine effectively.
Managing Log Files
Collecting the logs stored in this machine allows you to track detailed access data to the machine, user identities, usage of the machine's various functions, and error histories.
Using Web Image Monitor to Manage Log Files
You can specify the types of log to store on the machine and the log collection level. You can also bulk delete or download log files.
Logs That Can Be Managed Using Web Image Monitor
The following tables explain the items in the job log and access log that the machine creates when you enable log collection using Web Image Monitor.
Page 119
Access Log Item / Log Type Attribute / Content
• Access Violation / Access Violation / Details of failed access attempts.
• Lockout / Lockout / Details of lockout activation.
• Firmware: Update / Firmware: Update / Details of firmware updates.
• Firmware: Structure Change / Firmware: Structure Change / Details of structure changes that occurred...
Access Log Item / Log Type Attribute / Content
• Counter Clear Result: All Users / Counter Clear Result: All Users / Log of when the counters for all users are cleared.
• Import Device Setting Information / Import Device Setting Information / Log of when a device setting information file is imported.
Page 121
File output format
• Character Code Set: UTF-8
• Output Format: CSV (Comma-Separated Values)
• File Names of Job Logs and Access Logs: "machine name +_log.csv"
• File names for Eco-friendly Logs: "machine name +_ecolog.csv"
Order of log entries
Log entries are printed in ascending order according to Log ID.
Page 122
End Date/Time
Indicates the end date and time of an operation or event.
Log Type
Details of the log type. For details about the information items contained in each type of log, see page 116 "Logs That Can Be Managed Using Web Image Monitor".
Page 123
Value / Content
• Password Mismatch: An access error has occurred because of a password mismatch.
• User Not Programmed: An access error has occurred because the user is not registered.
• Other Failures: An access error has occurred because of an unspecified failure.
Page 124
Value / Content
• Connection Error: A communication error occurred.
• Specified Server Error: An access error has occurred because the server is not configured correctly.
• Specified Client Error: An access error has occurred because the client is not configured correctly.
Page 125
Value / Content
• Memory Full: The memory range for processing data is full.
• Print Data Error: An attempt to use a PDL or a port not installed on the machine has been made.
• Data Transfer Interrupted: Cases to be recorded are as follows: •...
Page 126
Value / Content
• 0xffffff80: System operations
• 0xffffff81: System operations, Operations that were performed by non-authenticated users
• 0xffffff86: Supervisor
• 0xffffff87: Administrator
• 0xffffff88: Administrator 1
• 0xffffff89: Administrator 2
• 0xffffff8a: Administrator 3
• 0xffffff8b: Administrator 4
User Code/User Name
Identifies the user code or name of the user who performed the operation. If an administrator performed the operation, his or her ID contains the login user name of the administrator.
Page 127
Value / Content
• Device Settings: Changes made to a setting in the User Tools menu.
Authentication Server Name
Indicates the name of the server where authentication was last attempted.
No. of Authentication Server Switches
Indicates the number of times server switching occurred when the authentication server was unavailable.
Page 128
Value / Content
• Machine Administrator: Machine administrator
• Network Administrator: Network administrator
• File Administrator: File administrator
• Supervisor: Supervisor
• Customer Engineer (Service Mode): Customer engineer
• Others: Login requests from users other than those specified above
Target User Entry ID
Indicates the entry ID of the target user.
Page 129
Lockout/Release Method
Indicates the method applied for releasing the lockout.
Value / Content
• Manual: The machine is unlocked manually.
• Auto: The machine is unlocked by the lockout release timer.
Lockout Release Target Administrator
Indicates which administrator(s) is (are) released when a lockout release occurs.
Page 130
Value / Content
• Active: Access log collection setting is enabled.
• Inactive: Access log collection setting is disabled.
• Not Changed: No changes have been made to the access log collection setting.
Collect Eco-friendly Logs
Indicates the status of the eco-friendly log collection setting.
Value / Content
Active...
Page 131
Value / Content
• Level 1: Level 1
• Level 2: Level 2
• User Settings: User settings
Encryption/Cleartext
Indicates whether communication encryption is enabled or disabled.
Value / Content
• Encryption Communication: Encryption is enabled.
• Cleartext Communication: Encryption is disabled.
Page 132
Value / Content
• Communication Start Request Receiver (In): The machine received a request to start communication.
• Communication Start Request Sender (Out): The machine sent a request to start communication.
Communication Start Log ID
Indicates the log ID for the communication start time. This is a hexadecimal ID that indicates the time at which the communication started.
Page 133
Value / Content
• Authentication Error: Authentication error
• Encryption Error: Encryption error
Network Attack Route
Identifies the route of the network attack.
Value / Content
• Attack from Control Panel: Attack by an unauthorized operation using the machine's control panel
Attack from Other than Control Attack by means other than an unauthorized operation using...
Page 134
Machine Data Encryption Key Operation
Indicates the type of encryption key operation performed.
Value / Content
• Back Up Machine Data Encryption Key: An encryption key backup was performed.
• Restore Machine Data Encryption Key: An encryption key was restored.
• Clear NVRAM: The NVRAM was cleared.
Page 135
Using Web Image Monitor to Manage Log Files Value Content WIM Auto Logout Timer Web Image Monitor auto logout timer Extended Security Extended Security Firmware Update Start Firmware Update Configuration Name / Configuration Value Indicates the attributes of the categories. Indicates the values of the attributes.
Page 136
Attribute / Description
• Encryption Key Auto Exchange: Setting1-4, Default: Security Level
The security level is recorded.
When [Authentication Only] is selected, "Authentication Only" is recorded.
When [Authentication and Low Level Encryption] is selected, "Authentication and Low Level Encryption" is recorded.
When [Authentication and High Level Encryption] is selected, "Authentication and High Level Encryption"...
Page 137
Value / Content
• Problem with File System: There is a problem with the file system.
Access Result
Indicates the results of logged operations.
Value / Content
• Completed: An operation completed successfully.
• Failed: An operation completed unsuccessfully.
Job log (source)
Source
Indicates the source of the job file.
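The access log fields described above can be triaged offline once the CSV has been downloaded. The following Python is an added example, not part of this guide or of the vendor's tooling. The column layout, the "Status" and "User Entry ID" column names, the "Login" log type, the Log ID format and every sample row are constructed assumptions; the watched log types, failure values and built-in entry IDs are the ones listed in the tables above.

```python
import csv
import io
from collections import Counter

# Built-in identities, as listed in the entry ID table of this guide.
BUILTIN_ENTRY_IDS = {
    0xFFFFFF80: "System operations",
    0xFFFFFF81: "System operations / non-authenticated users",
    0xFFFFFF86: "Supervisor",
    0xFFFFFF87: "Administrator",
    0xFFFFFF88: "Administrator 1",
    0xFFFFFF89: "Administrator 2",
    0xFFFFFF8A: "Administrator 3",
    0xFFFFFF8B: "Administrator 4",
}
PRIVILEGED_IDS = set(range(0xFFFFFF86, 0xFFFFFF8C))  # supervisor + administrators

# Log types and failure values named in the access log tables.
WATCHED_LOG_TYPES = {"Access Violation", "Lockout",
                     "Firmware: Update", "Firmware: Structure Change"}
FAILURE_STATUSES = {"Password Mismatch", "User Not Programmed", "Other Failures"}

# Constructed sample: UTF-8 CSV with a BOM, rows deliberately out of order.
# Column names and the "Login" log type are assumptions, not the real export.
SAMPLE_LOG = "\ufeff" + """\
Log ID,Start Date/Time,End Date/Time,Log Type,Result,Status,User Entry ID,User Code/User Name
0x0105,2024-03-01 09:00:09,2024-03-01 09:00:09,Login,Failed,Password Mismatch,0x00000012,jsmith
0x0101,2024-03-01 09:00:01,2024-03-01 09:00:01,Login,Failed,Password Mismatch,0x00000012,jsmith
0x0103,2024-03-01 09:00:05,2024-03-01 09:00:05,Login,Failed,Password Mismatch,0x00000012,jsmith
0x0106,2024-03-01 09:00:10,2024-03-01 09:00:10,Lockout,Completed,,0x00000012,jsmith
0x0108,2024-03-01 09:05:00,2024-03-01 09:05:00,Login,Failed,Password Mismatch,0xffffff87,admin
0x010a,2024-03-01 02:10:00,2024-03-01 02:14:31,Firmware: Update,Completed,,0xffffff80,
0x0102,2024-03-01 09:00:03,2024-03-01 09:00:03,Login,Completed,,0x00000013,mlee
"""


def parse_access_log(text):
    """Parse the CSV text and return rows sorted by ascending Log ID."""
    reader = csv.DictReader(io.StringIO(text.lstrip("\ufeff")))
    rows = [{k.strip(): (v or "").strip() for k, v in row.items() if k}
            for row in reader]
    # Log IDs are assumed to be hexadecimal strings; sort numerically.
    rows.sort(key=lambda r: int(r["Log ID"], 16))
    return rows


def identity(row):
    """Return (entry_id, display_name) for the account behind a row."""
    try:
        entry_id = int(row["User Entry ID"], 16)
    except ValueError:
        entry_id = None
    role = BUILTIN_ENTRY_IDS.get(entry_id)
    # Administrators log their login user name in User Code/User Name.
    who = row["User Code/User Name"] or role or "unknown"
    return entry_id, who


def triage(rows, mismatch_threshold=3):
    """Return (log_id, finding, account) tuples worth an analyst's attention."""
    findings = []
    mismatches = Counter()
    for row in rows:
        entry_id, who = identity(row)
        if row["Log Type"] in WATCHED_LOG_TYPES:
            findings.append((row["Log ID"], row["Log Type"], who))
        if row["Status"] in FAILURE_STATUSES:
            if entry_id in PRIVILEGED_IDS:
                findings.append((row["Log ID"], "privileged-auth-failure", who))
            if row["Status"] == "Password Mismatch":
                mismatches[who] += 1
                # Report once, at the moment the threshold is reached.
                if mismatches[who] == mismatch_threshold:
                    findings.append(
                        (row["Log ID"], "repeated-password-mismatch", who))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_access_log(SAMPLE_LOG)):
        print(finding)
```

Adjust the column names to match the header row of the file actually downloaded from the machine before relying on the results.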
Page 138
End Date/Time
The event end date and time is recorded.
Log Type
The type of eco-friendly log is recorded.
Value / Content
• Main Power On: Main power on
• Main Power Off: Main power off
• Power Status Transition Result: Power status transition result
• Job Related Information: Job related information...
Page 139
Using Web Image Monitor to Manage Log Files Value Content Standby Standby status Low Power Low power status Silent Silent status HDD On HDD on status Engine Off Engine off status Controller Off Controller off status STR status Silent Print Silent print status Low Power Print Low power print status...
6. Managing the Machine Detected Power The power consumption status of the machine is measured and registered in the log while the machine is being used. Value Content Controller Standby Controller standby mode Suspend to RAM (STR) mode Main Power Off The main power is turned off.
If "Eco-friendly Log Collect Level" is set to [Level 2], all eco-friendly logs are collected.
Log in as the machine administrator from Web Image Monitor.
Point to [Device Management], and then click [Configuration].
Click [Logs] under "Device Settings".
Log out.
• Downloaded logs contain data recorded up to the time you click the [Download] button. Any logs recorded after you click the [Download] button will not be downloaded. The "Result" field of the log entry for uncompleted jobs will be blank.
•...
Using Web Image Monitor to Manage Log Files Estimated numbers of logs created per day Log types Number of logs created per day Job logs Access logs This number is based on 100 operations such as initialization and access operations over the Web, and 200 job entries (2 entries per job: 1 login and 1 logout).
Page 144
[Figure: If logs are downloaded without overwriting. 1. Access log 2. Job log 3. Download 4. Downloaded logs]
[Figure: If logs are downloaded during overwriting. 1. Access log 2. Job log 3. Download 4. Downloaded logs 5. Overwriting 6. Deleted by overwriting]
Check the message in the last line of the downloaded logs to determine whether or not overwriting occurred while the logs were downloading, •...
Page 146
Select [Inactive] in the [Transfer Logs] area under "Common Settings for All Logs".
Click [OK].
Log out.
Managing Logs from the Machine
You can specify settings such as the log collection setting, whether or not to transfer logs to the log collection server, and whether or not to delete all logs.
Specifying Log Collect Settings
Enable the collection settings for each log type.
Specifying Delete All Logs
Use the following procedure to delete all logs stored on the machine. All logs can be deleted from the machine as a batch only if the log collection server is in use or if the Web Image Monitor setting has been specified to collect the job log, access log or eco-friendly log.
Configuring the Home Screen for Individual Users Configuring the Home Screen for Individual Users This allows each user to use his or her home screen. When a user logs in, the personalized home screen is displayed. Log in as the machine administrator from the control panel. Press [System Settings].
Page 150
6. Managing the Machine • Because each user can customize his or her home screen, the administrator cannot check the home information of each user.
Configuring the Browser Settings
Precautions for Using the Browser Function
Communication between the machine and the server via a web browser is exposed to eavesdropping and data tampering. For this reason, it is recommended that you install the site certificates issued for the websites the machine is allowed to browse and enable the machine's Site Certificate Check function in advance.
Page 152
6. Managing the Machine Messages • "This site has a security problem. The certificate has expired." • "This site has a security problem. The root certificate for verification does not exist." • "This site has a security problem. Verification of the server to connect to cannot be performed." •...
Managing Device Information Managing Device Information • Keep SD cards or USB flash memory devices out of reach of children. If a child accidentally swallows an SD card or USB flash memory device, consult a doctor immediately. The machine's device information can be set by an administrator with privileges to manage devices, users, networks and files.
6. Managing the Machine • Import and export is possible between machines only if their models, region of use, and the following device configurations match. • Input Tray • Output Tray • Whether or not equipped with the duplex function •...
Managing Device Information Press [Device Setting Information: Export (Memry Strge Devc)]. Set the export conditions. • Specify whether to [Include] or [Exclude] the "Device Unique Information". "Device Unique Information" includes the IP address, host name, etc. • Specify an encryption key. Press [Run Export].
6. Managing the Machine Log in from the control panel as an administrator with user administrator, machine administrator, network administrator, and file administrator privileges. Press [System Settings]. Press [Administrator Tools]. Press [ Next] 3 times. Press [Device Setting Information: Import (Memry Strge Devc)]. Configure the import conditions.
Managing Device Information Press [Administrator Tools]. Press [ Next] 3 times. Press [Device Setting Information: Import Setting (Server)]. Configure the import conditions. • Select the source for importing files. Configure settings such as the URL, user name, password, etc., using the detail settings of the server. •...
6. Managing the Machine Log in from the control panel as an administrator with user administrator, machine administrator, network administrator, and file administrator privileges. Press [System Settings]. Press [Administrator Tools]. Press [ Next] 3 times. Press [Device Setting Information: Run Import (Server)]. Press [OK].
Page 159
Example of a log file
"1.0.0"
"ExecType", "Date", "SerialNo", "PnP", "Model", "Destination","IP","Host","Storage","FileName","FileID","TotalItem","NumOfOkItem","ResultCode","ResultName","Identifier"
"IMPORT" "20XX-07-05T15:29:16+09:00" "3C35-7M0014" "Brand Name" "Product Name" "0" "10" "10.250.155.125" "RNP00267332582D" "SD" "20XX07051519563C35-710220.csv" "20XX07051519563C35-710220" " 0" " 0" " 2" "INVALID REQUEST"
"TargetID","ModuleID","PrefID","Item","NgCode","NgName"
If you cannot resolve the problem or do not know how to resolve it after checking the code, write down the error log entry, and then contact your service representative.
Page 160
ResultCode / Cause / Solutions
• 10 (LOG ERROR): Failed to write the log file. The hard disk is faulty. Solution: Contact your service representative.
• 20 (PART FAILED): Failed to import some settings. Solution: The reason for the failure is recorded in
Managing Eco-friendly Counter
When user authentication is being used, information on the eco-friendly counter is displayed at login. The eco-friendly counter indicates how often color, duplex and combine printing is used relative to the total number of printed sheets. Also, the eco-friendly index indicates how much toner and paper are being saved.
6. Managing the Machine Display Information Screen Specify whether or not to display the information screen at user login. Default: [Off] Display Time Specify when the information screen is displayed. Default: [Every Time Login] Resetting a Machine's Eco-friendly Counter A machine's eco-friendly counter can be reset. Log in as the machine administrator from the control panel.
Managing the Address Book Managing the Address Book Specifying Auto Deletion for Address Book Data Specify how the machine processes a request for auto registration after the registered data in the Address Book reaches the limit. If you set this to [On], new user accounts are added by automatically deleting old user accounts. Accounts that have not been used for the longest time are deleted first.
Specifying the Extended Security Functions
In addition to providing basic security through user authentication and each administrator's specified limits to access the machine, security can also be increased by encrypting transmitted data and data in the Address Book.
Log in from the control panel as an administrator with privileges.
Page 165
For details, see page 51 "Protecting the Address Book".
Default: [Off]
Enhance File Protection
The file administrator can specify this. By specifying "Enhance File Protection", files are locked and inaccessible if an invalid password is entered ten times.
Page 166
If it is set to [Proh. Some Services], it becomes impossible to change settings via a remote connection, providing optimally secure operation.
Default: [Do not Prohibit]
Update Firmware
The machine administrator can specify this. This setting is to specify whether or not to allow firmware updates on the machine. A service representative updates the firmware, or firmware updates are performed via the network.
Page 167
Default: [30]
• Measurement Time
Specify the interval between repeated authentication attempts that result in authentication failures. When the measurement time elapses, the records of authentication attempts are cleared.
Use the number keys to specify the value between "1" and "10", and then press [ ].
Default: [5]
•...
Page 168
Default: [200]
• Status Monitor Interval
Specify the monitoring interval of "Managed User Host Limit" and "Password Entry Host Limit".
Use the number keys to specify the value between "1" and "10", and then press [ ].
Default: [3]
•...
Page 169
Specify the number of acceptable authentication attempts when authentications are delayed due to an access violation.
Use the number keys to specify the value between "50" and "200", and then press [ ].
Default: [200]
•...
6. Managing the Machine Other Security Functions This section explains the settings for preventing information leakage. System Status Pressing the [Check Status] key on the control panel allows you to check the machine's current status and settings. If administrator authentication has been specified, [Machine Address Info] is displayed in [Maintnc./Inquiry/Mach.
Restricting a Customer Engineer Operation
You can restrict the customer engineer's access to the service mode. A customer engineer uses service mode for inspection or repair. If you set "Service Mode Lock" to [On], service mode cannot be used unless the machine administrator logs on to the machine and cancels the service mode lock to allow a customer engineer to operate the machine for inspection and repair.
6. Managing the Machine Additional Information for Enhanced Security This section explains the settings that you can configure to enhance the machine's security. Settings You Can Configure Using the Control Panel Use the control panel to configure the security settings shown in the following table. System Settings Item Setting...
Item / Setting
• Administrator Tools, Extended Security, Password Policy: "Complexity Setting": Level 1 or higher, "Minimum Character No.": 8 or higher. See page 162 "Specifying the Extended Security Functions".
• Administrator Tools, Network Security Level: Level 2. To acquire the machine status through printer driver or Web Image Monitor, enable "SNMP"...
Category / Item / Setting
• Security User Lockout Policy / Lockout / Active. For details, see page 45 "User Lockout Function".
• Security User Lockout Policy / Number of Attempts before Lockout / 5 times or less. For details, see page 45 "User Lockout Function".
• Security User Lockout Release Timer Set to [Active] or [Inactive].
Page 175
Additional Information for Enhanced Security Control panel settings System Settings Item Setting Interface Settings IPsec Active Interface Settings Permit SSL / TLS Ciphertext Only Communication Web Image Monitor settings Device Management Configuration Category Item Setting Security IPsec Edit Security Level Authentication and High Level Encryption Encryption Key Auto Exchange...
7. Troubleshooting This chapter describes what to do if the machine does not function properly. If a Message is Displayed This section explains how to deal with problems if a message appears on the screen during user authentication. If a message not shown below is displayed, follow the message to resolve the problem. "You do not have the privileges to use this function."...
If an Error Code is Displayed
When authentication fails, the message "Authentication has failed." appears with an error code. The following lists provide solutions for each error code. If an error code does not appear in the lists below, write down the error code and contact your service representative.
If an Error Code is Displayed • Create the account again if the account name contains any of these prohibited characters. • If the account name was entered wrongly, enter it correctly and log in again. B0207-001 An authentication error occurred because the Address Book is being used at another location. •...
Page 180
W0400-102
Kerberos authentication failed because the server is not functioning correctly.
• Make sure that the server is functioning properly.
W0400-200
Due to significant numbers of authentication attempts, all resources are busy.
• Wait a few minutes, and then try again.
W0400-202: Case 1
The SSL settings on the authentication server and the machine do not match.
Page 181
If an Error Code is Displayed • Make sure the account has been added to user group. • Make sure the user group name registered on the machine and the group name on the DC (domain controller) are exactly the same. The DC is case-sensitive. •...
Page 182
7. Troubleshooting • If the Windows firewall is activated, create a firewall rule in the Windows firewall's "Advanced settings" to authorize ports 137 and 139. • In the Properties window for "Network Connections", open TCP/IP properties. Then click detail settings, WINS, and then check the "Enable NetBIOS over TCP/IP" box and set number 137 to "Open".
If an Error Code is Displayed W0612-005 Authentication failed because no more users can be registered. (The number of users registered in the Address Book has reached its maximum.) • Ask the user administrator to delete unused user accounts in the Address Book. W0707-001 An authentication error occurred because the Address Book is being used at another location.
Page 184
L0208-000 / L0208-002
The account is locked because the number of allowed authentication attempts has reached its maximum.
• Ask the user administrator to unlock the account.
L0307-001
An authentication error occurred because the Address Book is being used at another location.
•...
Page 185
If an Error Code is Displayed L0406-202/L0406-203: Case 2 A login user name or password error occurred. • Make sure the login user name and password are entered correctly. • Make sure a usable login name is registered on the machine. Authentication will fail in the following cases: If the login user name contains a space, colon (:), or quotation mark (").
Page 186
• If the authentication server has just been changed, delete the old name on the server.
L0606-004
Authentication failed because the user name contains words that cannot be used by general users.
• Do not use "other", "admin", "supervisor" or "HIDE*" in general user accounts.
L0607-001
An authentication error occurred because the Address Book is being used at another location.
If the Machine Cannot Be Operated If the Machine Cannot Be Operated If the following conditions arise while users are operating the machine, provide the instructions on how to deal with them. Problem Cause Solution User authentication is disabled, User authentication might have Enable user authentication yet users registered in the been disabled without "All...
8. List of Operation Privileges for Settings This chapter specifies a list of the administrator and user operation privileges for the machine settings when administrator authentication or user authentication is enabled. How to Read Understanding headers • User The user administrator has privileges for this operation. •...
8. List of Operation Privileges for Settings System Settings When administrator authentication is specified, restrictions to user operations differ depending on the configurations in "Available Settings". [General Features] Settings User Mach N/W File Unset [Program / Change / Delete User Text] [Panel Key Sound] [Warm-up Beeper] [Function Priority]...
System Settings [Timer Settings] Settings User Mach N/W File Unset [Sleep Mode Timer] [Low Power Mode Timer] [System Auto Reset Timer] [Set Date] [Set Time] [Auto Logout Timer] [Fusing Unit Off Mode (Energy Saving) On/ Off] [Weekly Timer] [Binding Glue Heater Auto Off Timer] [Interface Settings] [Network] Settings...
8. List of Operation Privileges for Settings Settings User Mach N/W File Unset [Effective Protocol] [SMB Computer Name] [SMB Work Group] [Ethernet Speed] [Ping Command] – – – [Permit SNMPv3 Communication] [Permit SSL / TLS Communication] [Host Name] [Machine Name] [IEEE 802.1X Authentication for Ethernet] [Restore IEEE 802.1X Authentication to –...
System Settings Settings User Mach N/W File Unset [Email Communication Port] [Email Reception Interval] [Email Storage in Server] [Auto Email Notify] – – – – *3 Passwords cannot be read. [Administrator Tools] Settings User Mach N/W File Unset [Address Book Management] [Address Book: Program / Change / Delete Group] [Address Book: Change Order]...
8. List of Operation Privileges for Settings Settings User Mach N/W File Unset [Enhanced Authentication Management] [Administrator Authentication Management] – *8*9 [Program / Change Administrator] – – [Key Counter Management] [External Charge Unit Management] [Enhanced External Charge Unit Management] [Extended Security] •...
8. List of Operation Privileges for Settings Settings User Mach N/W File Unset • [Synchronize with Server] *3 Passwords cannot be read. *4 Only heading changes and user searches are possible. *5 The items that can be executed, changed, and read differ depending on access privileges. *6 Can only be cleared.
Tray Paper Settings
This section lists the settings displayed by pressing the [Paper Setting] key on the control panel. When administrator authentication is set, the restrictions to user operations differ depending on the configurations in "Available Settings".
[Tray Paper Settings] Settings User...
8. List of Operation Privileges for Settings Edit Home When administrator authentication is set, the restrictions to user operations differ depending on the configurations in "Available Settings". [Edit Home] Settings User Mach N/W File Unset [Move Icon] [Delete Icon] [Add Icon] –...
8. List of Operation Privileges for Settings Adjustment Settings for Skilled Operators Settings User Mach File Unset [Adjustment Settings for Skilled Operators] – – – – –...
Browser Features
When administrator authentication is set, the restrictions to user operations differ depending on the configuration in "Available Settings".
Settings User Mach File Unset [Browser Default Settings] [Settings per Users] [View Logs]...
Maintenance
When administrator authentication is set, the restrictions to user operations differ depending on the configuration in "Available Settings".
[Maintenance] Settings User Mach N/W File Unset [Color Registration] – – – –...
8. List of Operation Privileges for Settings Web Image Monitor: Display Eco-friendly Counter These settings are in [Status/Information]. A user can only view their own counter. Settings User Mach File Unset [Download] – – – – – [Device Total Counter] –...
Web Image Monitor: Job
These settings are in [Status/Information].
[Job List] Settings User Mach N/W File Unset [Current/Waiting Jobs] – – – – *1 A user can only view their own job.
8. List of Operation Privileges for Settings Web Image Monitor: Device Settings These settings are in [Configuration] in [Device Management]. When administrator authentication is set, the restrictions to user operations differ depending on the configuration in "Available Settings". [System] Settings User Mach N/W File...
Web Image Monitor: Device Settings Settings User Mach N/W File Unset [Perfect Binder Interposer Lower Tray] [Low Paper Detection] [Custom Paper] Settings User Mach N/W File Unset [Program/Change] – – – – [Delete] – – – – [Recall Paper Library] –...
8. List of Operation Privileges for Settings [Logs] Settings User Mach N/W File Unset [Job Log] [Access Log] [Eco-friendly Logs] [Transfer Logs] [Classification Code] [Delete All Logs] – – – – *2 Can only be changed to [Inactive]. [Download Logs] Settings User Mach N/W...
8. List of Operation Privileges for Settings Web Image Monitor: Interface These settings are in [Configuration] in [Device Management]. When administrator authentication is set, the restrictions to user operations differ depending on the configuration in "Available Settings". [Interface Settings] Settings User Mach N/W File...
Web Image Monitor: Network
These settings are in [Configuration] in [Device Management]. When administrator authentication is set, the restrictions to user operations differ depending on the configuration in "Available Settings".
[IPv4] Settings User Mach N/W File Unset [IPv4] [Host Name]...
8. List of Operation Privileges for Settings Settings User Mach N/W File Unset [Domain Name] [Link-local Address] [Stateless Address] [Manual Configuration Address] [DHCPv6] [DHCPv6 Address] [DDNS] [LLMNR] [Details] *2 You cannot disable IPv6 when using Web Image Monitor through an IPv6 connection. [SMB] Settings User...
8. List of Operation Privileges for Settings Web Image Monitor: Webpage These settings are in [Configuration] in [Device Management]. When administrator authentication is set, the restrictions to user operations differ depending on the configuration in "Available Settings". [Webpage] Settings User Mach N/W File Unset...
8. List of Operation Privileges for Settings Web Image Monitor: Address Book These settings are in [Device Management]. Settings User Mach File Unset [Add User] – – – [Change] – – – [Delete] – – – [Add Group] – – –...
Web Image Monitor: Central Address Book Management
These settings are in [Device Management]. This does not appear if you have user administrator privilege. In this case, specify it by accessing [Device Management] > [Address Book].
Settings User Mach...
8. List of Operation Privileges for Settings Web Image Monitor: Main Power Off These settings are in [Device Management]. Settings User Mach File Unset [Main Power Off Mode] – – – – – [OK] – – – – –...
Web Image Monitor: Reset the Machine
These settings are in [Device Management]. When administrator authentication is set, the restrictions to user operations differ depending on the configuration in "Available Settings".
Settings User Mach File Unset [Reset the Machine] –...
8. List of Operation Privileges for Settings Web Image Monitor: Device Home Management These settings are in [Device Management]. When administrator authentication is set, the restrictions to user operations differ depending on the configuration in "Available Settings". Settings User Mach File Unset [Edit Icons]...
Web Image Monitor: Screen Monitoring
These settings are in [Device Management].
Settings User Mach File Unset [Display Device's Screen] – – – – –...
8. List of Operation Privileges for Settings Web Image Monitor: Customize Screen per User This appears if [User's Own Customization] is set to [Allow]. Users can only change their own settings. Settings User Mach File Unset [Edit Icons] – – –...
List of Operation Privileges for Address Books
Understanding headers
• Read
Users assigned with read privileges.
• Edit
Users assigned with editing privileges.
• E/D
Users assigned with edit/delete privileges.
• Full
Users assigned with full control privileges.
•...
8. List of Operation Privileges for Settings Settings Read Edit Full Entry User [Login User Name] – – – – [Login Password] – – – – [Other Functions] – – – – *1 Passwords cannot be read. [Protection] Settings Read Edit Full Entry...
M238-1022