Xerox WorkCentre 5735 Secure Installation And Operation page 5

l). To enable HTTPS (SSL) follow the instructions for setting up Secure HTTP (SSL) in the Configure HTTP section on page 122
of the SAG. Before setting up Secure HTTP (SSL) follow the "Security Certificate Management" instructions starting on
page 179 of the SAG to install on the device either a self-signed digital certificate or a digital certificate signed by a
Certificate Authority (CA).
m). When utilizing Secure Sockets Layer (SSL) for secure scanning:
•
SSL should be enabled and used for secure transmission of scan jobs.
•
When storing scanned images to a remote repository using an https connection, a Trusted Certificate Authority
certificate should be uploaded to the device so the device can verify the certificate provided by the remote repository.
•
When an SSL certificate for a remote SSL repository fails its validation checks the associated scan job will be deleted
and not transferred to the remote SSL repository. The System Administrator should be aware that in this case the job
status reported in the Completed Job Log for this job will read: "Job could not be sent as a connection to the server
could not be established".
n). To be consistent with the evaluated configuration, the HTTPS protocol should be used to send scan jobs to a remote IT
product.
o). To be consistent with the evaluated configuration, protocol choices for remote authentication should be limited to
[Kerberos (Solaris)], [Kerberos (Windows 2000/2003)] or [LDAP]. The device supports other protocol options. Choose the
protocol option that best suits your needs.
In the case of LDAP/LDAPS the System Administrator should ensure that SSL is enabled as discussed in Step 6d under "To
Configure LDAP Server" on page 116 in the SAG.
p). To be consistent with the evaluated configuration, the device should be set for local authorization. Remote authorization
was not evaluated since that function is performed external to the system. Choose the authorization option that best suits
your needs.
q). As part of the evaluated configuration, encryption of transmitted and stored data by the device must meet the FIPS 140-2
Standard. To enable the use of encryption in "FIPS 140 mode" and check for compliance of certificates stored on the device
to the FIPS 140-2 Standard follow the "FIPS 140-2 Encryption" instructions on page 172 of the SAG.
r). In viewing the Audit Log the System Administrator should note the following:
•
Deletion of a file from Reprint Saved Jobs folders or deletion of a Reprint Saved Job folder itself is recorded in the Audit
Log.
•
Deletion of a print or scan job or deletion of a scan-to-mailbox job from its scan-to-mailbox folder may not be recorded
in the Audit Log.
•
Extraneous process termination events (Event 50) may be recorded in the Audit Log when the device is rebooted or
upon a Power Down / Power Up.
s). The System Administrator should download and review the Audit Log on a daily basis. In downloading the Audit Log the
System Administrator should ensure that Audit Log records are protected after they have been exported to an external
trusted IT product and that the exported records are only accessible by authorized individuals.
t). Be careful not to create an IP Filtering rule that rejects incoming TCP traffic from all addresses with source port set to 80;
this will disable the Web UI.
IP Filtering is not available for the AppleTalk protocol or the Novell protocol with the 'IPX' filing transport. Also, IP Filtering
will not work if IPv6 is used instead of IPv4.
u). User data encryption is automatically enabled on the device when the device is delivered; no further configuration by the
System Administrator is required. The System Administrator should periodically check the Configuration Report (see
Comment #1b above) to ensure that User Data Encryption remains enabled.
v). The System Administrator should ensure that the Embedded Fax Card and fax software is properly installed in accordance
with the installation and setup instructions in the Embedded Fax chapter on pages 271-272 of the SAG. The System
Administrator can then set Embedded Fax parameters and options via the Local User Interface on the machine. Follow the
instructions in either the Deferred Fax Settings on pages 273 or the Setting Fax Defaults section starting on page 274 in
the SAG or in the Set Fax Defaults section on page 263 and the Fax Settings section starting on page 266 of the User
3
Guide .
w). To enable and configure IPSec, follow the instructions starting on page 183 in the SAG. IPSec should be used to secure
printing jobs; HTTPS (SSL) should be used to secure scanning jobs.
3
Xerox® WorkCentre™ 5735/5740/5745/5755/5765/5775/5790 User Guide, Version 2,0, December 2010
4