Administration guide

PlotWave - ColorWave Systems

Security information

Contents of Oce PlotWave 750

Page 1: ...Administration guide PlotWave ColorWave Systems Security information ...

Page 2: ...CT INCIDENTAL OR CONSEQUENTIAL DAMAGES OF ANY NATURE OR LOSSES OR EXPENSES RESULTING FROM THE USE OF THE CONTENTS OF THIS PUBLICATION Océ reserves the right to revise this publication and to make changes from time to time in the content hereof without obligation to notify any person of such revision or changes Language Original instructions that are in British English Trademarks Océ Océ ColorWave ...

Page 3: ...swords 34 Data Security 37 E Shredding 37 IPsec on Océ PlotWave 300 350 Océ PlotWave 900 1 2 and higher 1 x Océ ColorWave 300 40 Prevent USB Direct Print and Scan to USB Océ PlotWave 300 350 Océ ColorWave 300 56 HTTPS with Océ PlotWave 900 R1 x 58 Smart Inbox management 62 Security on Océ PlotWave 750 and Océ PlotWave 900 R2 x 63 Overview 63 Security overview for the Océ PlotWave 750 and the Océ P...

Page 4: ...ystems 132 HTTPS 134 Encrypt print data and manage the system configuration using HTTPS 134 Request and import a CA signed certificate 139 Prevent Print from USB and or Scan to USB 145 How to prevent Print from USB and or Scan to USB 145 Smart Inbox management and job management 146 Chapter 4 Security on Océ PlotWave 345 365 and Océ PlotWave 450 550 147 Overview 148 Security overview for the Océ P...

Page 5: ... ColorWave 550 ColorWave 600 Poster Printer ColorWave 650 R2 x Poster Printer 236 Overview 236 Security overview for the Océ ColorWave 600 650 Poster Printer and the Océ ColorWave 550 systems 236 System and Network security 238 Ports Protocols 238 Security Patches 241 Protocol protection 243 Prevent any outgoing connection to the Internet 244 Security of the USB connection 245 Operating System and...

Page 6: ...and scanning operations with the User authentication 318 User authentication the standard workflows 322 Authentication by Smart card 328 Authentication by user name and password 334 Log out 339 Troubleshooting 342 Hard disk encryption 345 E Shredding 347 E shredding presentation 347 Enable the e shredding in Océ Express WebTools 348 E shredding process and system behaviour 350 IPsec 351 IPsec pres...

Page 7: ...s protection 389 Prevent any outgoing connection to the Internet 391 Security of the USB connection 392 The USB connection on the printer user interface 392 Roles and Passwords 393 Roles and profiles 393 Audit log 395 Data security 396 HTTPS 396 Encrypt print data and manage the system configuration using HTTPS 396 Request and import a CA signed certificate 401 Index 407 Contents 7 ...

Page 8: ...Contents 8 ...

Page 9: ...Chapter 1 Océ Security policy ...

Page 10: ...work protocols protection features by use of the Océ Security levels filtering or by configuring each network protocol for firewall filtering Protecting the system roles and passwords The main network and system settings are protected against change Only authorised users can configure or change these settings Regularly checking the relevance of Microsoft flaws and delivering security patches whene...

Page 11: ...any deleted user data The IPsec configuration that provides authentication data confidentiality and integrity in the network communication between devices A strong mechanism of encryption guarantees the confidentiality of the user print and scan data on the network The Smart Inbox and job protection by Limiting and restricting the access to the print and scan job data with the Smart Inbox manageme...

Page 12: ...he latest safety information for your product make sure that you read and understand all safety information in the manual entitled Safety Guide Support For support information please contact your Canon local representative Find your local contact for support from http www canon com support From the Canon support page you can also download the printer drivers for the Canon printers their related us...

Page 13: ... Windows Embedded Standard 2009 Windows Embedded Standard 7 SP1 for Océ PlotWave 340 Océ PlotWave 360 Océ PlotWave 500 Windows Embedded Standard 8 64 bit for Océ PlotWave 345 Océ PlotWave 365 Océ PlotWave 450 Océ PlotWave 550 Océ ColorWave 500 Océ ColorWave 700 Windows Embedded Standard 7 SP1 Firewall Yes Yes Yes MS Security flaws Security patches Yes Yes Yes Network protocols protection Océ Secur...

Page 14: ... ColorWave 300 IPsec HTTPS IPsec HTTPS Password protection Yes for User settings Administration settings Settings on the printer user panel Yes for User settings Administration settings Settings on the printer user panel Yes for User settings Administration settings Settings on the printer user panel Data overwrite E shredding E shredding E shredding Access control IP filtering Smart Inbox m...

Page 15: ... ColorWave 650 R3 x Operating System Linux and WES 2009 for Océ ColorWave 650 multifunctional Océ ColorWave 550 multifunctional Linux for Océ ColorWave 650 printer only Océ ColorWave 550 printer only Océ ColorWave 600 PP Océ ColorWave 650 PP Windows Embedded Standard 7 SP1 Firewall Yes Yes MS Security flaws Security patches Yes for Océ ColorWave 650 550 multifunctional N A for Océ ColorWave 600 ...

Page 16: ...Océ ColorWave 650 R2 0 1 and higher Océ ColorWave 650 PP R2 1 and higher Océ ColorWave 600 R1 5 and higher Océ ColorWave 600 PP R1 6 1 and higher Océ ColorWave 550 R2 2 and higher E shredding Access control Access restriction to the printer for Océ ColorWave 550 R2 3 1 and higher Océ ColorWave 650 R2 3 1 and higher Océ ColorWave 650 PP R2 3 1 and higher IP filtering Smart Inbox management Smart...

Page 17: ...ty related events Data encryption on the network HTTPS for administration Océ Express WebTools and for job submission through Océ Publisher Express Password protection Yes for User settings Administration settings Océ Publisher Express access Access restriction Overview of the security features available per Océ System Chapter 1 Océ Security policy 17 ...

Page 18: ...Overview of the security features available per Océ System 18 Chapter 1 Océ Security policy ...

Page 19: ...Chapter 2 Security on Océ PlotWave 300 350 PlotWave 750 PlotWave 900 and ColorWave 300 ...

Page 20: ...mbedded Standard 2009 for Océ PlotWave 300 R1 5 Océ PlotWave 350 R1 5 Océ ColorWave 300 R1 5 and higher versions Firewall Yes Network protocols protection 3 Océ Security Levels MS Security patches Océ released patches Antivirus Compatible with 2 Antivirus brands IPV6 Yes Data encryption on the network IPsec for Océ PlotWave 300 Océ PlotWave 350 Océ PlotWave 900 from R1 2 and Océ ColorWave 300 HTT...

Page 21: ... Océ back channel TCP 80 HTTP for advanced accounting UDP 515 Océ protocol for printer discovery Océ Adobe PostScript 3 driver Océ PlotWave 300 PlotWave 350 PlotWave 900 R1 x Océ ColorWave 300 x TCP 515 x TCP 515 x TCP 515 TCP 515 LPR Océ Publisher Express Océ PlotWave 300 PlotWave 350 PlotWave 900 R1 x Océ ColorWave 300 x TCP 80 x TCP 80 TCP 80 HTTP Océ Publisher Express over SSL Océ PlotWa...

Page 22: ...tWave 300 PlotWave 350 PlotWave 900 R1 x Océ ColorWave 300 x TCP 515 x TCP 515 x TCP 515 TCP 515 LPR FTP printing Océ PlotWave 300 PlotWave 350 PlotWave 900 R1 x Océ ColorWave 300 x TCP 21 TCP 4242 x 5 TCP 21 TCP 21 FTP TCP 4242 FTP 6 Notes Levels N Normal M Medium H High Océ back channel is an Océ proprietary protocol used to retrieve information from the printer status media loaded and to displ...

Page 23: ...ieval from Smart Inbox Scans over SSL Océ PlotWave 900 R1 x x TCP 443 x TCP 443 x TCP 443 TCP 443 HTTPS Océ Matrix Logic Océ PlotWave 900 R1 x x TCP 80 TCP 443 x TCP 80 TCP 443 x TCP 443 TCP 80 HTTP TCP 443 HTTPS Notes Levels N Normal M Medium H High 1 FTP passive mode only the FTP server on the remote workstation must support FTP passive mode 2 FTP active mode only 3 Data channel for FTP passive ...

Page 24: ...server UDP TCP 53 Océ PlotWave 900 R1 x x x x DHCP Océ PlotWave 300 PlotWave 350 PlotWave 900 R1 x Océ ColorWave 300 x x x Outgoing connection local port on controller UDP 68 remote port on DNS server UDP 67 Océ Account Center Advanced accounting WPD Océ PlotWave 300 PlotWave 350 PlotWave 900 R1 x Océ ColorWave 300 x TCP 80 x TCP 80 TCP 80 HTTP Accounting information retrieval by FTP Océ Plot...

Page 25: ...rvice Océ PlotWave 300 R1 5 and higher PlotWave 350 R1 5 and higher Océ PlotWave 900 R1 x Océ ColorWave 300 R1 5 and higher x x x HTTPS outgoing connection required TCP IP port 443 3 Notes Levels N Normal M Medium H High The name resolution is mainly used to determine the IP address of the scan destination during Scan to File operation 1 FTP active mode only 2 Data channel for FTP passive mode 3 T...

Page 26: ...lotWave 900 1 x Océ ColorWave 300 1 2 1 and higher Before you begin Find the Océ Security patch from the Océ Downloads website on http downloads oce com Open the product page and go to the Security tab to download the available security patches Install the Océ Remote patch Procedure 1 Open the Océ Express Webtools 2 Open the Support tab 3 Select Update The Authentication window opens Security Patc...

Page 27: ...orner to open the wizard 6 Click OK 7 Browse to the Océ Remote patch and click OK to install it 8 Click OK to confirm the update The system restarts to apply the patch Install the Océ Remote patch on Océ PlotWave 300 350 PlotWave 900 R1 x and Océ ColorWave 300 Chapter 2 Security on Océ PlotWave 300 350 PlotWave 750 PlotWave 900 and ColorWave 300 27 ...

Page 28: ...alled you can go back to the original security level Medium security level The Medium level is compliant with all the Océ applications available for printing and scanning which do not present a high risk as reported by most popular network scanners Target This level is recommended if you need to be secured while you want to use the Océ applications for printing and or scanning you can use the syst...

Page 29: ... in case you only want to check the security settings Press the Next key in case you want to adapt the security level Enter the password if requested and follow the wizard to adapt the security level Protect the security level by a password Procedure 1 Open the Océ Express Webtools in a web browser http Printer IP address or hostname 2 In the Preferences tab select System settings 3 In the Printer...

Page 30: ...ss Webtools in a web browser http Printer IP address or hostname 2 On the Configuration tab select Connectivity 3 Go to the Security section 4 Click on Edit or double click on the value to open the Security level window 5 Set the security level and click OK 6 Restart the printer when prompted Result After you set the Security level to High you must open Océ Express Web Tools by means of the HTTPS ...

Page 31: ...vice Remote assistance Stop the Remote assistance if it is activated Click Stop remote assistance until it changes into Allow remote assistance The two blinking arrows on the right side disappear 2 Preferences System Defaults Service related information Disable Online Services Set Océ Online Services connection enabled to Disabled 3 Configuration Scan destination X Delete any scan destination go...

Page 32: ...roller configuration from the Local User Interface In that case any file infected by a virus appears as an invalid backup file The controller software detects it and rejects the restore operation when printing from the USB device Any print file infected by a virus will never compromise controller s software integrity Protection of the USB WRITE operation during the backup of the controller configu...

Page 33: ...n ePolicy Orchestrator for AntiVirus update Contact your Canon representative to know which antivirus version to install on your Océ systems and get the installation procedure NOTE Canon Océ shall not be liable for damages of any kind attributable to the use of an antivirus on its controllers Antivirus Chapter 2 Security on Océ PlotWave 300 350 PlotWave 750 PlotWave 900 and ColorWave 300 33 ...

Page 34: ...he Océ PlotWave 300 350 and Océ ColorWave 300 Introduction There are 2 groups of passwords The passwords used in Océ Express WebTools The passwords used in the printer user panel also named Local User Interface Passwords used in Océ Express WebTools In Océ Express WebTools the passwords protect The roles The Scan to File remote user name The security settings preshared key for IPsec Password modif...

Page 35: ...mo and test prints Change of the hardware software configuration Start of the scanner calibration Password backup restore policy with the Save Set Open Set features Some passwords are stored into the backup set made with the Save Set feature of Océ Express WebTools the passwords for the printer panel Password backup table for Océ PlotWave 300 350 and Océ ColorWave 300 Password pincode for Backup w...

Page 36: ...emote user name Password modification table for Océ PlotWave 900 R1 x Password for Can be changed by Key operator Key operator or Power user System administrator System administrator or Power user Power user Power user Any ScanToFile remote user name System administrator or Power user Any preshared key for IPsec System administrator or Power user Mobile printing with Océ Mobile WebTools System adm...

Page 37: ... in the Océ Express Webtools and the Printed jobs in Smart Inbox job lifetime is set When the time for the cleanup of the Scans in Smart Inbox is reached When a Clear system Remove all jobs is performed on the printer local interface E shredding algorithms Select one of the three e shredding behaviours DOD 5220 22 M 3 pass overwriting algorithm compliant with the US Department of Defense directive...

Page 38: ...ributes is deleted from the system the e shredding process occurs For a while the E shredding feedback returns as busy On the printer user panel Océ PlotWave 300 350 and Océ ColorWave 300 an indication is displayed in the System menu E shredding busy In the Océ Express WebTools window roll the mouse over the e shredding icon to display the E shredding busy status Once the e shredding data processe...

Page 39: ...ocess for files which are being e shredded Will not e shred the new deleted files Make sure all the scan copy print jobs are completely e shredded Once a batch of scan copy print jobs has been processed perform the following actions to make sure all the files are e shredded 1 Unplug the system from the network 2 Check that Saved print jobs in Smart Inbox is disabled 3 Delete any job from the Scans...

Page 40: ...The printer copier system is physically connected to the network but communicates only with a dedicated station a Print Server or Scan Server for example The Print Server receives the print request from the workstations via IP on the network The Print Server sends the print requests to the printer copier system via IPsec The workstations cannot communicate directly with the printer copier system NO...

Page 41: ... traffic is denied except the HTTP traffic for Océ Express WebTools with any workstation this allows you to change some IPsec settings via Océ Express WebTools from any workstation When the option is Disabled with IPsec enabled only the network traffic defined by the IPsec configuration rules is authorised All other network traffic is denied Default preshared key You can define a default preshared k...

Page 42: ...inter scanner controller Procedure 1 Open a web browser and enter the system URL https hostname to open the Océ Express WebTools 2 Open the Configuration Connectivity page 3 In IPsec generic section click Edit 4 Check IPsec 5 Keep Failsafe option checked during the phase you configure the IPSec In case of need this allows to be able to connect to the Océ Express WebTools from any workstation in or...

Page 43: ...ter lowercase upper case a z A Z the following special characters _ NOTE Write it down this preshared key will be required during the IPsec configuration on the workstation NOTE In the TCP IP IPv6 section make sure TCP IP IPv6 is disabled Result The IPsec settings are configured on the controller for a connection to a workstation which can be a print server Configure the IPsec settings in the Océ ...

Page 44: ...ilter list on page 46 4 Define the filter actions and security negotiation on page 48 5 Define the security rule on page 49 6 Assign the security policy on page 51 NOTE The procedure below shows the configuration steps on Windows server 2008 The procedure is similar on other Operating Systems Windows Server 2003 Windows XP Windows Vista Windows 7 Add the security snap in Procedure 1 In the Start R...

Page 45: ...The security snap in is added click OK Create the security policy Procedure 1 In the console right click on IP Security Policies on local Computer and select Create IP Security Policy 2 Click Next to open the wizard Create the security policy Chapter 2 Security on Océ PlotWave 300 350 PlotWave 750 PlotWave 900 and ColorWave 300 45 ...

Page 46: ... Edit properties and click Finish Create the filter list Procedure 1 In the console right click on IP Security Policies on local Computer and select Manage IP filter lists and filter actions Create the filter list 46 Chapter 2 Security on Océ PlotWave 300 350 PlotWave 750 PlotWave 900 and ColorWave 300 ...

Page 47: ...zard 5 Check the Mirrored checkbox and click Next 6 Select My IP address as the Source address and click Next 7 Select A specific IP address or subnet as Destination address and enter the IP address of the controller Create the filter list Chapter 2 Security on Océ PlotWave 300 350 PlotWave 750 PlotWave 900 and ColorWave 300 47 ...

Page 48: ...efine the filter actions and security negotiation Procedure 1 Open the Manage Filter Actions tab and click Add to open the wizard 2 Click Next 3 Give a name to the filter actions and click Next Define the filter actions and security negotiation 48 Chapter 2 Security on Océ PlotWave 300 350 PlotWave 750 PlotWave 900 and ColorWave 300 ...

Page 49: ... the Settings button 7 Configure the settings as below 8 Click OK and Next then Finish Define the security rule Procedure 1 In the console right click on the IP security policy just created and select Properties to open the wizard On Windows 7 a new window opens check that Use Add Wizard is checked then click on Add 2 Click Next Define the security rule Chapter 2 Security on Océ PlotWave 300 350 P...

Page 50: ...pe select All network connections and click Next 5 Select the filter previously created then click Next 6 Select the filter action previously created then click Next Define the security rule 50 Chapter 2 Security on Océ PlotWave 300 350 PlotWave 750 PlotWave 900 and ColorWave 300 ...

Page 51: ...cé controller on page 42 then click Next 9 Click Finish 10 Click OK to validate the Security rule Assign the security policy Procedure 1 In the console right click on the security policy just created and select Assign The configuration is activated on the IPsec station workstation Assign the security policy Chapter 2 Security on Océ PlotWave 300 350 PlotWave 750 PlotWave 900 and ColorWave 300 51 ...

Page 52: ...ed on the print server Point Print to print jobs Pre requisites When advanced accounting is required make sure you configured Account Center BEFORE disabling the Failsafe mode on the printer controller Consequences of the IPsec configuration on the client workstation The back channel information printer status feed data is not retrieved from the printer It is not displayed in the driver interface ...

Page 53: ...Océ ColorWave 300 Via Océ Express WebTools on the printer controller monitor for Océ PlotWave 900 R1 2 and higher 1 x Disable IPsec on the printer user panel Océ PlotWave 300 350 and Océ ColorWave 300 Procedure 1 On the printer printer user panel click on System 2 Select Setup 3 Roll down to the Security item and open the Security menu The status is IPsec is enabled 4 Click Next several times to o...

Page 54: ...fails between the controller and the identified hosts you can disable IPsec in Océ Express WebTools only via the printer controller monitor Procedure 1 On the printer controller open Océ Express WebTools and log in as System administrator 2 Open the Configuration Connectivity tab 3 Go to the IPsec section 4 Click on Edit in the upper right hand corner of the section Disable IPsec on the controller...

Page 55: ...sult IPsec is disabled You can open Océ Express WebTools remotely from a workstation HTTP Disable IPsec on the controller monitor Océ PlotWave 900 R1 2 and higher 1 x Chapter 2 Security on Océ PlotWave 300 350 PlotWave 750 PlotWave 900 and ColorWave 300 55 ...

Page 56: ...open the USB direct print window 5 Log in 6 Select Disabled and Ok How to prevent Scan to USB Introduction You can neutralize the Scan to File to USB storage device capability 2 step procedure to prevent scanning to USB destination 1 Disable any USB stick scan destination 2 Remove the USB destination from all Scan templates 1 Disable any USB stick scan destination Introduction You can neutralize t...

Page 57: ...or each scan destination from Scan destination 3 to Scan destination 10 make sure that the scan destination type is NOT Local to USB storage device 2 Remove the USB destination from all Scan templates Procedure 1 In Océ Express WebTools open the Preferences Scan job defaults page 2 In each Scan template File section check that the Destination is not USB stick 3 When the destination is USB stick ed...

Page 58: ...eb browser will generate security error messages In order to easily and securely use the self signed certificate in your web browser you must View and check the self signed certificate in your web browser Configure your web browser to trust the self signed certificate Use the Océ self signed certificate with Internet Explorer Procedure 1 On a workstation type the URL address of your printer in Int...

Page 59: ...certificate into your web browser 1 Place the certificate in the Trusted Root Certification Authorities folder 2 Accept the warning 3 Finish the installation When the import is successful the Océ Express WebTools Certificate is recognised and its status is OK Use the Océ self signed certificate with Internet Explorer Chapter 2 Security on Océ PlotWave 300 350 PlotWave 750 PlotWave 900 and ColorWav...

Page 60: ...d on the address bar Océ self signed certificate guarantees The identity of the remote computer controller The encryption of the print data on the network Use the Océ self signed certificate with Mozilla Firefox Procedure 1 On a workstation type the URL address of your printer in Mozilla Firefox https common Name or PrinterHostname or PrinterIPaddress A warning window opens It displays 2 errors Us...

Page 61: ... Océ Organization Unit OU WFPS 6 The certificate is issued to Océ Express WebTools by Océ Express WebTools so you can confirm the security exception permanent or temporary exception 7 A security warning window may pop up Click Yes to continue Result The Océ Express WebTools software opens You can check in the status bar at the bottom of the window that the padlock is displayed In the navigation ba...

Page 62: ...stem capabilities go to the Preferences System settings to disable or restrict for example The remote view of the Smart Inboxes The printing from the Smart Inboxes The storage of the job data in the Smart Inboxes Depending on your printer capabilities you can also disable the printing from Océ Publisher Express Smart Inbox management 62 Chapter 2 Security on Océ PlotWave 300 350 PlotWave 750 PlotW...

Page 63: ...nation Antivirus Compatible with 2 Antivirus brands SMB authentication NTLMV2 Data encryption on the network IPsec HTTPS for administration and for job submission through Publisher Express Data overwrite E shredding Password protection Yes for User settings Administration settings Settings on the printer user panel Smart Inbox management Can be enabled disabled Remote view restriction Delete scan...

Page 64: ...65200 Océ back channel TCP 80 HTTP for advanced accounting UDP 515 Océ protocol for printer discovery Océ Adobe PostScript 3 driver Océ PlotWave 750 PlotWave 900 R2 x x TCP 515 x TCP 515 x TCP 515 x TCP 515 TCP 515 LPR Océ Publisher Express Océ PlotWave 750 PlotWave 900 R2 x x TCP 80 x TCP 80 TCP 80 HTTP Océ Publisher Express over SSL Océ PlotWave 750 PlotWave 900 R2 x x TCP 443 x TCP 443 x ...

Page 65: ...x TCP 515 TCP 515 LPR LPR printing command line Océ PlotWave 750 PlotWave 900 R2 x x TCP 515 x TCP 515 x TCP 515 x TCP 515 TCP 515 LPR FTP printing Océ PlotWave 750 PlotWave 900 R2 x x TCP 21 TCP 4242 x 3 TCP 21 TCP 21 FTP TCP 4242 FTP 4 Notes Levels N Normal M Medium M H Medium High H High Océ back channel is an Océ proprietary protocol used to retrieve information from the printer status medi...

Page 66: ... 900 R2 x x TCP 443 x TCP 443 x TCP 443 x TCP 443 TCP 443 HTTPS Océ Matrix Logic Océ PlotWave 750 PlotWave 900 R2 x x TCP 80 TCP 443 x TCP 80 TCP 443 x TCP 443 x TCP 443 TCP 80 HTTP TCP 443 HTTPS Notes Levels N Normal M Medium M H Medium High H High 1 FTP passive mode only the FTP server on the remote workstation must support FTP passive mode 2 FTP active mode only 3 Data channel for FTP passive m...

Page 67: ...0 PlotWave 900 R2 x x x x x Outgoing connection local port on controller UDP 68 remote port on DNS server UDP 67 Océ Account Center Advanced accounting WPD Océ PlotWave 750 PlotWave 900 R2 x x TCP 80 x TCP 80 TCP 80 HTTP Accounting information retrieval by FTP Océ PlotWave 750 PlotWave 900 R2 x x TCP 21 TCP 4242 x 1 TCP 21 TCP 21 FTP TCP 4242 FTP 2 Browse Océ systems on the network with Windows ...

Page 68: ...IP port 443 3 WSD print WSD discovery Océ PlotWave 750 x x x UDP 3702 TCP 5357 Notes Levels N Normal M Medium M H Medium High H High The name resolution is mainly used to determine the IP address of the scan destination during Scan to File operation 1 FTP active mode only 2 Data channel for FTP passive mode 3 TCP IP port 443 must be opened and must allow response back on the IT infrastructure fir...

Page 69: ...Before you begin Find the Océ Security patch from the Océ Downloads website on http downloads oce com Open the product page and go to the Security tab to download the available security patches Install the Océ Remote patch Procedure 1 Open the Océ Express Webtools 2 Open the Support tab 3 Select Update The Authentication window opens Security Patches Chapter 2 Security on Océ PlotWave 300 350 Plot...

Page 70: ...played 5 Click on the Update icon top right corner to open the wizard 6 Click OK 7 Browse to the Océ Remote patch and click OK to install it Install the Océ Remote patch on Océ PlotWave 750 and Océ PlotWave 900 R2 x 70 Chapter 2 Security on Océ PlotWave 300 350 PlotWave 750 PlotWave 900 and ColorWave 300 ...

Page 71: ...8 Click OK to confirm the update Install the Océ Remote patch on Océ PlotWave 750 and Océ PlotWave 900 R2 x Chapter 2 Security on Océ PlotWave 300 350 PlotWave 750 PlotWave 900 and ColorWave 300 71 ...

Page 72: ... the corresponding patch cannot be yet installed As soon as the patch can be installed you can go back to the original security level NOTE Attention when you set the Medium high or High security level through the HTTP protocol the communication immediately stops Open Océ Express Web Tools by means of the HTTPS protocol type https Printer IP address or hostname in the web browser and restart the sy...

Page 73: ...otWave 750 or Océ PlotWave 900 R2 x Refer to Set the security level on Océ PlotWave 900 R1 1 and higher on page 30 Security levels presentation Chapter 2 Security on Océ PlotWave 300 350 PlotWave 750 PlotWave 900 and ColorWave 300 73 ...

Page 74: ...e Stop the Remote assistance if it is activated Click Stop remote assistance until it changes into Allow remote assistance The two blinking arrows on the right side disappear 2 Preferences System Defaults Service related information Disable Online Services Set Océ Online Services connection enabled to Disabled 3 Configuration Scan destination X Disable all scan destinations to FTP sites reachab...

Page 75: ...n ePolicy Orchestrator for AntiVirus update Contact your Canon representative to know which antivirus version to install on your Océ systems and get the installation procedure NOTE Canon Océ shall not be liable for damages of any kind attributable to the use of an antivirus on its controllers Antivirus Chapter 2 Security on Océ PlotWave 300 350 PlotWave 750 PlotWave 900 and ColorWave 300 75 ...

Page 76: ... Océ PlotWave 750 and Océ PlotWave 900 R2 x Introduction In Océ Express WebTools the passwords protect The roles The Scan to File remote user name The security settings preshared key for IPsec The mobile printing password On the printer panel a password protects the administration settings Passwords in Océ Express WebTools Password modification table for Océ PlotWave 750 and Océ PlotWave 900 R2 x ...

Page 77: ...e them only through the standard user interface on the controller Password on the printer panel for Océ PlotWave 750 You can activate the password to restrict the access to the Administrator settings from the printer panel this password is fixed and cannot be changed refer to the Océ PlotWave 750 Operation Guide to know more about the password Printer panel protection Introduction From Océ Express...

Page 78: ...sec settings Network services enable disable settings Creation modification removal of scan destinations Changes of passwords used to protect security related settings Key operator System administrator Power user Service User interface password PIN for network settings Timezone E shredding settings Remote service online connection enabled disabled 3rd party software settings remote desktop admin a...

Page 79: ...Webtools and the Printed jobs in Smart Inbox job lifetime is set When the time for the cleanup of the Scans in Smart Inbox is reached When a Clear system or Clear memory job removal is performed on the printer local interface E shredding algorithms Select one of the three e shredding behaviours DOD 5220 22 M 3 pass overwriting algorithm compliant with the US Department of Defense directive Gutmann...

Page 80: ...n the Océ Express WebTools window a new icon is added to the list of icons bottom right Each time data file s content or attributes is deleted from the system the e shredding process occurs For a while the E shredding feedback returns as busy Once the e shredding data processed is complete the status comes back to E shredding ready in the Océ Express WebTools roll over the icon on a workstation or...

Page 81: ... and scan jobs by the system timeout disabled Smart Inbox cleanup When you disable the e shredding When you disable the e shredding the system Terminates the e shredding process for files which are being e shredded Will not e shred the new deleted files Make sure all the scan copy print jobs are completely e shredded Once a batch of scan copy print jobs has been processed perform the following act...

Page 82: ...ected to the network but communicates only with a dedicated station a Print Server or Scan Server for example The Print Server receives the print request from the workstations via IP on the network The Print Server sends the print requests to the printer copier system via IPsec The workstations cannot communicate directly with the printer copier system NOTE In this configuration the back channel co...

Page 83: ...denied except the HTTP traffic for Océ Express WebTools with any workstation this allows you to change some IPsec settings via Océ Express WebTools from any workstation When the option is Disabled with IPsec enabled only the network traffic defined by the IPsec configuration rules is authorised All other network traffic is denied Default preshared key You can define a default preshared key that will...

Page 84: ...ure 1 Open a web browser and enter the system URL https hostname to open the Océ Express WebTools 2 Open the Configuration Connectivity page 3 In IPsec generic section click Edit 4 Check IPsec 5 Keep Failsafe option checked during the phase you configure the IPSec In case of need this allows to be able to connect to the Océ Express WebTools from any workstation in order to be able to change parame...

Page 85: ...pper case a z A Z the following special characters _ NOTE Write it down this preshared key will be required during the IPsec configuration on the workstation NOTE IPsec can be used only with IPv4 IP type set to IPv4 only or IPv4 and IPv6 both enabled In the Connectivity Network adapter section make sure IPv6 only is NOT enabled before you configure IPsec on the controller Configure the IPsec setti...

Page 86: ...ver 2008 The procedure is similar on other Operating Systems Windows Server 2003 Windows XP Windows Vista Windows 7 The impact of IPsec when you print using Océ WPD through a print server Introduction When you use WPD on a print server with advanced accounting activated the use of IPsec has an impact on the workflow When the following conditions are gathered A print server is configured as an IPse...

Page 87: ...ode on the controller Then the accounting window will be displayed on the client workstation and the accounting information can be entered to print the job Troubleshooting emergency procedure to disable IPsec Introduction In the following case IPsec is enabled and activated on the printer scanner controller and The Failsafe mode is disabled and The communication between the controller and the IPse...

Page 88: ...rtificate provides encryption of the print data sent through Publisher Express and of the configuration settings accessed through Océ Express WebTools between the client and the controller It can be easily used This self signed certificate has not been signed by a Certification Authority consequently the web browser will display a Certificate Error message the first time you use the HTTPS protocol...

Page 89: ...Name or PrinterHostname or PrinterIPaddress A warning window opens It displays 2 errors The certificate is not issued by a trusted certificate authority The Common Name in the certificate does not match the printer hostname or IP Address you typed in the address bar 2 In order to view and check the self signed certificate continue to the website 3 Click on Certificate error 4 Click View certificat...

Page 90: ...the warning 3 Finish the installation When the import is successful the Océ Express WebTools Certificate is recognised and its status is OK Use the Océ self signed certificate with Internet Explorer 90 Chapter 2 Security on Océ PlotWave 300 350 PlotWave 750 PlotWave 900 and ColorWave 300 ...

Page 91: ... signed certificate guarantees The identity of the remote computer controller The encryption of the print data on the network Use the Océ self signed certificate with Mozilla Firefox Procedure 1 On a workstation type the URL address of your printer in Mozilla Firefox https common Name or PrinterHostname or PrinterIPaddress A warning window opens It displays 2 errors The certificate is not trusted ...

Page 92: ... window that the padlock is displayed In the navigation bar the Océ certificate is registered as an exception The identity of the remote controller and the encryption of the data on the network are secured Request and import a CA signed certificate Description of the overall procedure to request and import a CA signed certificate Introduction By default the first certificate delivered for the use ...

Page 93: ...A3 Save the content of the certificate request Send this content to the Certification Authority to request a CA signed certificate The Certification Authority will check the request and reply If the request is valid go to step A4 if the request is not valid make a new request A2 according to the remarks corrections suggested by the CA request feedback A4 Restart the controller A5 Back up the p...

Page 94: ...ghly recommended to back up the CA signed certificate and the private key since they are not saved in any system backup See Back up a certificate and a private key on page 140 Other procedures Procedure When to do Restore a certificate and a private key You can restore the certificate and the private key at any moment in case of need See Restore a certificate and a private key on page 144 Reset t...

Page 95: ...remote view of the Smart Inboxes Remote Smart Inbox view When set to Login needed you restrict the view on the Smart Inboxes to the Key operator or Power user only logging needed to view the Smart Inbox The ability to print from Smart Inbox and to make queue operations Printing from Smart Inbox and queue operations When set to Login needed all remote actions on jobs in the Smart Inboxes and queue...

Page 96: ...Smart Inbox management and job management 96 Chapter 2 Security on Océ PlotWave 300 350 PlotWave 750 PlotWave 900 and ColorWave 300 ...

Page 97: ...Chapter 3 Security on Océ PlotWave 500 and PlotWave 340 360 ...

Page 98: ...tivirus Yes IPv6 Yes IPV6 only or IPV6 IPV4 combination Data overwrite E shredding Data encryption on the network IPsec HTTPS for administration Océ Express WebTools and for Job submission through Océ Publisher Express Password protection Yes for User settings Administration settings Settings on the printer user panel Access control IP filtering SMB authentication NTLMV2 Smart Inbox management Sma...

Page 99: ...cé Publisher Express TCP 80 HTTP TCP 443 HTTPS Publisher Select Publisher Select 2 TCP 80 HTTP UDP 515 Océ protocol for Printer Discovery Océ Publisher Mobile TCP 515 LPR 1 TCP 4242 FTP passive mode for data channel in FTP passive mode ICMP ping UDP 515 Océ protocol for Printer Discovery TCP 21 FTP 2 Océ Reprodesk Studio TCP 515 LPR TCP 80 Océ back channel WAVE Novell NDPS printing TCP 515 LPR LP...

Page 100: ... and protocols used by the system Application Functionality INBOUND ports on the controller protocol OUTBOUND ports from the controller protocol Scan to File SMB TCP 139 445 UDP 137 138 445 Scan to File FTP FTP command 1 Local TCP any Remote TCP 21 FTP Data 1 Local TCP any Remote TCP any Scan to File Cloud WebDAV TCP 80 HTTP TCP 443 HTTPS TCP web proxy port 2 TCP WebDAV port Scan data retrieval f...

Page 101: ... TCP web proxy port 1 NetBios over TCP IP UDP 137 TCP 139 445 UDP 138 WSD TCP 80 HTTP UDP 3702 for WSD discovery TCP 5357 for WSD eventing WAVE TCP 80 HTTP OBIS TCP 80 HTTP for back channel Océ Publisher Select IPsec UDP 500 UDP 4500 Notes 1 When there is a proxy Additional built in Windows firewall rules Inbound rules Core Networking Dynamic Host Configuration Protocol DHCP In Core Networking Dyn...

Page 102: ...ecurity tab to download the available security patches Install a patch Procedure 1 Open Océ Express WebTools 2 Open the Support tab 3 Select Update The Authentication window opens 4 Log in as the System administrator or Power user The latest patch successfully applied when any is displayed 5 Click on the Install icon top right corner of the Operating system patches section to open the wizard Secur...

Page 103: ...6 Click OK 7 Browse to the Océ Remote patch and click OK to install it 8 Click OK to confirm the update Install the Océ Remote patch Chapter 3 Security on Océ PlotWave 500 and PlotWave 340 360 103 ...

Page 104: ...le Disable For LPR printing Océ WAVE interface HTTP Enable Disable Used for Océ back channel for WPD2 Account Center Reprodesk Web Services on Devices WSD HTTP Enable Disable For WSD device discovery OCI interfaces Océ proprietary interfaces Enable Disable Allow interaction with Océ Publisher Select HTTP Enable Disable Used only for Océ Publisher Select backchannel Océ Express WebTools via HT...

Page 105: ...nnot be disabled Allow automatic update of Océ Service information HTTP HTTPS Enable Disable Outbound connection Océ Online Services connection enabled or Remote Service connection HTTPS Enable Disable Outbound connection used by Remote Service Note To disable a network protocol or network service go to the Configuration Connectivity section of the Océ Express WebTools and uncheck the protocol ...

Page 106: ...able Online Services or Remote Service Set Océ Online Services connection enabled or Remote Service connection to Disabled 3 Configuration Connectivity Other network interfaces Disable the automatic update of the embedded Service information Set Allow automatic update of Océ service information or Allow automatic update of embedded Service documentation to Disabled 4 Configuration External l...

Page 107: ...file infected by a virus appears as an invalid backup file The controller software detects it and rejects the restore operation when printing from the USB device Any print file infected by a virus will never compromise controller's software integrity Protection of the USB WRITE operation during the backup of the controller configuration from the Local User Interface The backup is performed by the ...

Page 108: ...rprise Edition ePolicy Orchestrator for AntiVirus update Contact your Canon representative to know which antivirus version to install on your Océ systems and get the installation procedure NOTE Canon Océ shall not be liable for damages of any kind attributable to the use of an antivirus on its controllers Antivirus 108 Chapter 3 Security on Océ PlotWave 500 and PlotWave 340 360 ...

Page 109: ...ervice operations Allow Service technician to reset passwords Allow software reinstallation from USB Allow an update or patch installation by Service Allow Service to access licenses information Allow automatic update of embedded Service documentation Each of these permissions can be disabled in the Permissions for Service section of the Security Configuration page in Océ Express WebTools The Syst...

Page 110: ...he system update The following settings and functions are protected by the Key operator or Power user password on the user panel The print density The Clear system function The Install additional hardware function The scanner calibration On Océ PlotWave 340 360 up to R1 1 In Océ Express Webtools the System administrator or the Power user can configure the Password to change network settings This pa...

Page 111: ...operation the passwords for any external location remote user name are stored encrypted in the file exportExternalLocationTemplates.xml included in the file exportExternalLocationTemplates.zip The Import templates operation restores the passwords Temporary password for the installation of 3rd party application To install a 3rd party application in the controller system a Canon representative gener...

Page 112: ...rver in the list of the Access control stations Otherwise the DNS protocol is disabled you can configure the path of the external locations with the IP address instead of a hostname NOTE When configuring the Access control station IPv6 address use the IPv6 static address instead of a dynamic stateless or stateful one You can define up to 5 hosts For each of the hosts you can decide whether the com...

Page 113: ...trator Power user Service User interface password PIN for network settings Timezone E shredding settings Remote service online connection enabled disabled 3rd party software settings remote desktop admin account firewall port Smart Inbox enable disable Allow Service Technician to reset passwords on off Save retrieved job data for service on off HTTPS settings enable disable change of certificate H...

Page 114: ...stick has been performed successfully or not When it is automatically deleted after a time out the end of the job lifetime in the Smart Inbox is reached Keep completed jobs in the Smart Inbox is enabled with Expiration time out for Smart Inbox and Expiration time out for Smart Inbox copy and scan jobs set in the job management settings of the Océ Express WebTools When a Clear system is performed o...

Page 115: ...ors settings 5 Check the Save received jobdata for Service setting is disabled 6 On the printer user panel make a Clear system Enable the e shredding Procedure 1 In Océ Express Webtools open the Configuration Connectivity page and select the E shredding section 2 Click Edit 3 Check E shredding feature to enable it 4 Select the algorithm 5 When you select Custom set the number of passes Result When...

Page 116: ...he Océ Express WebTools window roll the mouse over the e shredding icon to display the E shredding busy status Once the e shredding data process is complete the status comes back to E shredding ready in the Océ Express WebTools roll over the icon Enable the e shredding in Océ Express WebTools 116 Chapter 3 Security on Océ PlotWave 500 and PlotWave 340 360 ...

Page 117: ...he first e shredding pass is performed immediately after the job is deleted Subsequent passes are performed in background When you disable the e shredding When you disable the e shredding the system Terminates the e shredding process for files which are being e shredded Will not e shred the new deleted files Make sure all the scan copy print jobs are completely e shredded Once a batch of scan copy...

Page 118: ...Psec enabled IPsec disabled Access control enabled IP filtering Encryption are activated Only the stations configured with IPsec can connect to the system No other stations can communicate with the print scan system The system can communicate only with the IPsec stations Communication and data are encrypted IP filtering is activated no encryption Only the stations configured for Access control i...

Page 119: ...and configure the parameters for each required station The parameters can be different for each different workstation the IP address the preshared key keep the generic default one or set a custom one You can define a default preshared key that will be used for all the IPsec stations connected to the print scan system NOTE The following IPsec parameters cannot be changed IKE Diffie Hellman group 2 ...

Page 120: ...nd Access control behaviour on page 118 5 Enable IPsec station 1 Tip When you enable Access control it is recommended to declare the workstation from which you remotely configure the system at least during the configuration time IPsec is not needed 6 Enter the IPsec preshared key or keep it empty to use the default preshared key The IPsec default preshared key setting is available at the bottom of...

Page 121: ...ult The IPsec settings are configured on the controller for a connection to a workstation Configure the IPsec settings in the Océ controller Chapter 3 Security on Océ PlotWave 500 and PlotWave 340 360 121 ...

Page 122: ...ter actions and security negotiation on page 126 5 Define the security rule on page 127 6 Assign the security policy on page 129 7 Customize the IPsec settings on page 130 NOTE The procedure below shows the configuration steps on Windows server 2008 for an Océ ColorWave 300 system The procedure is similar on other Operating Systems Windows Server 2003 Windows XP Windows Vista Windows 7 and for oth...

Page 123: ...click Finish The security snap in is added click OK Create the security policy Procedure 1 In the console right click on IP Security Policies on local Computer and select Create IP Security Policy 2 Click Next to open the wizard Create the security policy Chapter 3 Security on Océ PlotWave 500 and PlotWave 340 360 123 ...

Page 124: ...ule 5 Uncheck Edit properties and click Finish Create the filter list Procedure 1 In the console right click on IP Security Policies on local Computer and select Manage IP filter lists and filter actions Create the filter list 124 Chapter 3 Security on Océ PlotWave 500 and PlotWave 340 360 ...

Page 125: ...o open the wizard 5 Check the Mirrored checkbox and click Next 6 Select My IP address as the Source address and click Next 7 Select A specific IP address or subnet as Destination address and enter the IP address of the controller Create the filter list Chapter 3 Security on Océ PlotWave 500 and PlotWave 340 360 125 ...

Page 126: ...list is set Define the filter actions and security negotiation Procedure 1 Open the Manage Filter Actions tab and click Add to open the wizard 2 Click Next 3 Give a name to the filter actions and click Next Define the filter actions and security negotiation 126 Chapter 3 Security on Océ PlotWave 500 and PlotWave 340 360 ...

Page 127: ...ton 7 Configure the settings as below Data and address integrity without encryption AH setting is not mandatory 8 Click OK and Next then Finish Define the security rule Procedure 1 In the console right click on the IP security policy just created and select Properties to open the wizard On Windows 7 a new window opens check that Use Add Wizard is checked then click on Add Define the security rule ...

Page 128: ... 4 As the Network type select All network connections and click Next 5 Select the filter previously created then click Next 6 Select the filter action previously created then click Next Define the security rule 128 Chapter 3 Security on Océ PlotWave 500 and PlotWave 340 360 ...

Page 129: ...ings in the Océ controller on page 120 then click Next 9 Click Finish 10 Click OK to validate the Security rule Assign the security policy Procedure 1 In the console right click on the security policy just created and select Assign The configuration is activated on the IPsec station workstation Assign the security policy Chapter 3 Security on Océ PlotWave 500 and PlotWave 340 360 129 ...

Page 130: ...Firewall Advanced settings to open the Windows Firewall with Advanced Security window 2 In the Actions section on the right hand side click on Windows Firewall with Advanced Security on Local Computer to expand the menu 3 Select Properties 4 In the IPsec Settings tab click on the Customize button of the IPsec defaults Customize the IPsec settings 130 Chapter 3 Security on Océ PlotWave 500 and Plot...

Page 131: ...0 550 and Océ ColorWave 500 550 650 650R3 700 Remove your workstation from the IPsec Access control configuration when it must not remain in the list of connected stations For all other printers When the test works properly it is recommended to disable the Failsafe mode on the printer scanner controller So only the IPsec station is allowed to communicate with the printer scanner system Customize th...

Page 132: ...ble Then use the emergency procedure to disable IPsec and Access control via the printer user panel Disable Access control on the printer user panel Procedure 1 On the user panel tap the upper right corner to display the menu 2 Select Security 3 For Océ PlotWave 500 enter the System administrator or Power user password For Océ PlotWave 340 360 enter the Password to change networks settings if set ...

Page 133: ...roller Result Access control and IPsec functions are disabled After the restart you will be able to remotely open Océ Express WebTools from any workstation HTTP Troubleshooting Disable Access control and IPsec Océ PlotWave 500 and PlotWave 340 360 systems Chapter 3 Security on Océ PlotWave 500 and PlotWave 340 360 133 ...

Page 134: ...gh Publisher Express and of the configuration settings accessed through Océ Express WebTools between the client and the controller It can be easily used This self signed certificate has not been signed by a Certification Authority consequently the web browser will display a Certificate Error message the first time you use the HTTPS protocol The CA signed certificate is delivered by a Certification...

Page 135: ...issued by a trusted certificate authority The Common Name in the certificate does not match the printer hostname or IP Address you typed in the address bar 2 In order to view and check the self signed certificate continue to the website 3 Click on Certificate error 4 Click View certificates 5 The certificate is issued to Océ Express WebTools by Océ Express WebTools 6 Click Install Certificate 7 Fol...

Page 136: ...der 2 Accept the warning 3 Finish the installation When the import is successful the Océ Express WebTools Certificate is recognised and its status is OK Use the Océ self signed certificate with Internet Explorer 136 Chapter 3 Security on Océ PlotWave 500 and PlotWave 340 360 ...

Page 137: ... bar Océ self signed certificate guarantees The identity of the remote computer controller The encryption of the print data on the network Use the Océ self signed certificate with Mozilla Firefox Procedure 1 On a workstation type the URL address of your printer in Mozilla Firefox https common Name or PrinterHostname or PrinterIPaddress A warning window opens It displays 2 errors The certificate is...

Page 138: ...on Unit OU WFPS 6 The certificate is issued to Océ Express WebTools by Océ Express WebTools so you can confirm the security exception permanent or temporary exception 7 A security warning window may pop up Click Yes to continue Result The Océ Express WebTools software opens You can check in the status bar at the bottom of the window that the padlock is displayed In the navigation bar the Océ certif...

Page 139: ...ill using HTTPS follow these 2 procedures step by step Overall procedure to prepare and generate the CA signed certificate request Step Description A1 Back up the current certificate and private key if any The current certificate can be the original Océ self signed certificate embedded a CA signed certificate delivered by a Certification Authority you previously installed See Back up a certificate...

Page 140: ...he CA Root certificate in the Trusted Root certificates list of the web browser on each workstation See Check and import the Root certificate into the work stations browser on page 143 B5 Back up the certificate and private key Back up and store the certificate and the private key Note It is highly recommended to back up the CA signed certificate and the private key since they are not saved in a...

Page 141: ...enerate a CA signed certificate request Purpose Create a certificate request Use this function only when you want to request a new CA certificate Pre requisites Back up the current Certificate and Private key already installed on the controller see Back up a certificate and a private key on page 140 Generate a certificate request NOTE Step A2 of the Description of the overall procedure to request ...

Page 142: ...l procedure to request and import a CA signed certificate on page 92 Procedure 1 Copy and paste the content of the request in a .csr file named certificate_request.csr by default 2 Send the content of this request to the Certification Authority Import a CA signed certificate into the controller and workstations Introduction overall procedure 1 Import the CA signed certificate into the controller Im...

Page 143: ... to the certificate file 3 Select Yes to validate the certificate against Java root certificates and click Import 4 When the message Certificate successfully imported pops up restart the controller Result The certificate is now installed on the server Check and import if needed the CA Root certificate also into the workstations web browser That will secure the complete data workflow between...

Page 144: ...store a self signed certificate NOTE Prefer the restoration of the original self signed certificate that requests a preliminary back up of the original self signed certificate See Back up a certificate and a private key on page 140 Each Reset certificate action generates a new self signed certificate with a new private and public key So each time you reset the certificate you must import the new c...

Page 145: ...onfiguration External locations page 3 Log in as a System administrator or Power user 4 Edit the USB type 5 In the Enabled functionalities drop down list select None to disable print from and scan to capabilities Print from only to enable to print from USB and disable Scan to USB capability Scan to only to enable to scan to USB and disable Print from USB capability Note Select Print from and scan ...

Page 146: ... When disabled the job submission capability through Express WebTools is completely deactivated The remote actions on jobs to the Operator Restrict remote actions on jobs to the Key Operator When enabled all remote actions on jobs in the queue are restricted to the Key Operator or Power user only The display of Smart Inboxes in Océ Express WebTools When enabled all users of Express WebTools can s...

Page 147: ...Chapter 4 Security on Océ PlotWave 345 365 and Océ PlotWave 450 550 ...

Page 148: ...r name and password Smart card Contactless card for Océ PlotWave 345 365 450 550 1 1 and higher versions Scan to Home folder Yes when User authentication by user name and password is enabled Hard Disk encryption Yes 2 modes Full disk encryption Normal encryption Data overwrite E shredding Data encryption on the network IPsec HTTPS for administration Océ Express WebTools and for Job submission thr...

Page 149: ...ations made by Service under the control of the System Administrator Security overview for the Océ PlotWave 345 Océ PlotWave 365 Océ PlotWave 450 and Océ PlotWave 550 Chapter 4 Security on Océ PlotWave 345 365 and Océ PlotWave 450 550 149 ...

Page 150: ...blisher Express TCP 80 HTTP TCP 443 HTTPS Publisher Select Publisher Select 2 TCP 80 HTTP UDP 515 Océ protocol for Printer Discovery Océ Publisher Mobile TCP 515 LPR 1 TCP 4242 FTP passive mode for data channel in FTP passive mode ICMP ping UDP 515 Océ protocol for Printer Discovery TCP 21 FTP 2 Océ Reprodesk Studio TCP 515 LPR TCP 80 Océ back channel WAVE Novell NDPS printing TCP 515 LPR LPR pri...

Page 151: ...here is a proxy Scanning applications INBOUND and OUTBOUND ports and protocols used by the system Application Functionality INBOUND ports on the controller protocol OUTBOUND ports from the controller protocol Scan to File SMB TCP 139 445 UDP 137 138 445 Scan to File FTP FTP command 1 Local TCP any Remote TCP 21 FTP Data 1 Local TCP any Remote TCP any Scan to File Cloud WebDAV TCP 80 HTTP TCP 443 ...

Page 152: ... authentication by user name and password TCP 88 UDP 88 Kerberos TCP 389 UDP 389 LDAP User authentication by smart card TCP 80 OCSP TCP 80 HTTP or TCP 443 HTTPS Océ Meter Manager UDP 161 SNMP Océ back channel TCP 65200 for OCI back channel Océ Remote Service TCP 443 HTTPS TCP web proxy port 1 NetBios over TCP IP UDP 137 TCP 139 445 UDP 138 WSD TCP 80 HTTP UDP 3702 for WSD discovery TCP 5357 for W...

Page 153: ...e Networking DNS UDP Out Core Networking Dynamic Host Configuration Protocol DHCP Out Core Networking Dynamic Host Configuration Protocol for IPv6 DHCPV6 Out Core Networking IPv6 IPv6 Out Applications protocols and ports Chapter 4 Security on Océ PlotWave 345 365 and Océ PlotWave 450 550 153 ...

Page 154: ...ity tab to download the available security patches Install a patch Procedure 1 Open Océ Express WebTools 2 Open the Support tab 3 Select Update The Authentication window opens 4 Log in as the System administrator or Power user The latest patch successfully applied when any is displayed 5 Click on the Install icon top right corner of the Operating system patches section to open the wizard Security ...

Page 155: ... Click OK 7 Browse to the Océ Remote patch and click OK to install it 8 Click OK to confirm the update Install the Océ Remote patch Chapter 4 Security on Océ PlotWave 345 365 and Océ PlotWave 450 550 155 ...

Page 156: ...isable For LPR printing Océ WAVE interface HTTP Enable Disable Used for Océ back channel for WPD2 Account Center Reprodesk Web Services on Devices WSD HTTP Enable Disable For WSD device discovery OCI interfaces Océ proprietary interfaces Enable Disable Allow interaction with Océ Publisher Select HTTP Enable Disable Used only for Océ Publisher Select backchannel Océ Express WebTools via HTTP H...

Page 157: ...a tion HTTP HTTPS Enable Disable Outbound connection Océ Online Services connection enabled or Remote Service connection HTTPS Enable Disable Outbound connection used by Remote Service Note To disable a network protocol or network service go to the Configuration Connectivity section of the Océ Express WebTools and uncheck the protocol or service To disable the connection to Remote Service Océ Onl...

Page 158: ... related information Disable Online Services or Remote Service Set Océ Online Services connection enabled or Remote Service connection to Disabled 3 Security Configuration Permissions for Service Disable the automatic update of the embedded Service information Set Allow automatic update of embedded Service documentation to Disabled 4 Configuration External location Delete all External locati...

Page 159: ... infected by a virus appears as an invalid backup file The controller software detects it and rejects the restore operation when printing from the USB device Any print file infected by a virus will never compromise controller's software integrity Protection of the USB WRITE operation during the backup of the controller configuration from the Local User Interface The backup is performed by the inte...

Page 160: ...se Edition ePolicy Orchestrator for AntiVirus update Contact your Canon representative to know which antivirus version to install on your Océ systems and get the installation procedure NOTE Canon Océ shall not be liable for damages of any kind attributable to the use of an antivirus on its controllers Antivirus 160 Chapter 4 Security on Océ PlotWave 345 365 and Océ PlotWave 450 550 ...

Page 161: ...ce operations Allow Service technician to reset passwords Allow software reinstallation from USB Allow an update or patch installation by Service Allow Service to access licenses information Allow automatic update of embedded Service documentation Each of these permissions can be disabled in the Permissions for Service section of the Security Configuration page in Océ Express WebTools The System a...

Page 162: ...settings The system update The following devices settings and functions are protected by the Key operator or Power user password on the user panel Clear system The scanner The print density The Finishing device Clean the knife folder option NOTE Keep this password The reset of this password may require the intervention of a Service technician Passwords modification Password modification table for ...

Page 163: ...ation restores the passwords Temporary password for the installation of 3rd party application To install a 3rd party application in the controller system a Canon representative generates a temporary administrative password for the Windows Administrative account This password is valid for 4 hours NOTE The System Administrator must allow the Canon representative to create this password in Express We...

Page 164: ... manually Add the DNS server in the list of the Access control stations Otherwise the DNS protocol is disabled you can configure the path of the external locations with the IP address instead of a hostname Use the access restriction to limit the access to the printer Enable Access control and set the list of IP addresses of the computers hosts that will be able to communicate with the printer This...

Page 165: ...tor Power user Service User interface password PIN for network settings Timezone E shredding settings Remote service online connection enabled disabled 3rd party software settings remote desktop admin account firewall port Smart Inbox enable disable Allow Service Technician to reset passwords on off Save retrieved job data for service on off HTTPS settings enable disable change of certificate HTTP...

Page 166: ...files that are stored locally on the controller User authentication methods One of the three following methods can be used for user authentication User name and password The user name and password are required on the printer panel This authentication method is mainly targeted to Windows based environment Microsoft Active Directory Smart card PKI card compatible with MS Active Directory Certificate...

Page 167: ...e submission tool can be Océ Publisher Select or a driver within an application (e.g. WPD2) or a LPR or FTP command. 3. The owner of the job logs in on the printer user panel. Only the job owner can see the job and print it: user authentication is required to unlock the printer panel accessibility. 4. The job owner launches the print. 5. The job owner collects the printed output. The scan and copy workflow Se...

Page 168: ... Inbox; Keep a copy of scanned jobs in the Smart Inbox; Keep a copy of copy jobs in the Smart Inbox; Keep a copy of local print jobs in the Smart Inbox. Key operator actions on jobs: In Preferences System defaults Job management: Restrict remote actions on jobs to the Key Operator. Copy job priority: In Preferences System defaults Job management: Copy job priority. OCI interface: In Configuration Connectivit...

Page 169: ...o secure the job data and job ownership on the network (during the job submission, the job scanning to external locations), the use of a secured network (IPsec for instance) is recommended. Impact of the user authentication on the system features and Océ WebTools Chapter 4 Security on Océ PlotWave 345 365 and Océ PlotWave 450 550 169 ...

Page 170: ...2 or a job submitter example Océ Publisher Select 2 3 Authentication on the printer: The user logs in on the printer either by typing his/her user name and password on the printer panel or by using his/her smart card. The credentials used on the printer must be the same as the ones used at the job submission time. Example: user1 belonging to the domain domain.com. 4 Job management: On the bottom right ...

Page 171: ...t the user stays close to the printer until all the jobs are completely printed. The jobs in Processing state are not printed if the user logs out before they are in Ready to print status. Standard workflow for scan and copy. Step / Action. 1 Logging on the printer: The user logs in on the printer either by typing his/her user name and password on the printer panel or by using his/her smart card. Example...

Page 172: ...o an external location. The user authentication in the main job submission workflows. Introduction: There are several ways to submit print jobs to the printer. Find below the recommendations for benefiting from the protection by the user authentication in the recommended job submission workflows: Job submission with Océ Publisher Select (from version 1.17); Job submission from an application with the Océ ...

Page 173: ... Example: user1 on domain domain.com. 2. Open the application to open the file. 3. Open Océ WPD2 Properties to print the job from the application. When the WPD2 driver window opens, check the user account name of the job in the top right part of the window. This user name is going to be sent along with the job. Example: user1@domain.com. NOTE: If the user account name is not displayed, open the Options Advan...

Page 174: ...ther submission workflows. Job submission by LPR: For a file submitted by LPR, the system will use the Username tag present in the job ticket of the file, if any. If there is no job ticket in the file or no Username in the job ticket, then the non-FQDN user name of the user logged in on the system is used (example: user1). The LPR command to submit the job is: LPR -S printer name -P printer name -x filename NOT...

Page 175: ...in this field must not be blank. The name must be the same as the one that will be used to log in on the system (example: user@domain.com). NOTE: The job owner declared in Publisher Express does not overwrite the Username embedded into the job ticket. ...

Page 176: ...icates; Forced URL of OCSP responder setting; The PIN of the card, if needed. Compatible smart card readers: HID Global Corporation: OMNIKEY 5x2x products; Identive infrastructure (formerly SCM Microsystems Inc): SCR33x products; Gemalto: IDBridge products (formerly GEMPC GEMPLUS); Advanced Card Systems Holdings Limited: ACR1281U product (contact support only); HID Global Corporation: OMNIKEY 3x2x products. Only for O...

Page 177: ... section, select Smart card as the User authentication. 4. The restart is required. Select Restart now. When User access mode is set to Smart card or User name and password, the system must be restarted to guarantee the data confidentiality of future incoming jobs. Do not select Restart later. Configure the smart card settings. Configure: The trusted certificates; The user access settings. Procedure: 1. Open th...

Page 178: ...used for job filtering. When this setting is activated, the FQDN of the user (user name@domain) is requested when the user logs in on the printer panel. Once logged in, the user sees only the jobs that have been submitted with the same FQDN. Example: the user user1@domain.com logs in on the printer. This user can see only the jobs that have been submitted by user1@domain.com. When this setting is not activa...

Page 179: ... card on page 180. Authentication on the user panel. Introduction: Insert the smart card into the card reader. The authentication is automatic when the smart card contains a valid user name and no password is needed. A login window is displayed when the authentication with the smart card requires a PIN. Enter the PIN in the password field. A login window is displayed when there is more than one user regi...

Page 180: ...ssage attached to the red cross / Possible cause(s) / Actions. Error detecting readers: Reader not supported or reader not correctly connected. Check the connection of the smart card reader. Check that the smart card reader is supported. Failed connecting with card: The Smart card resource manager is not running. No smart card is inserted in the smart card reader. The smart card is not correctly inserted. Ins...

Page 181: ...XX Type Intermediate or ROOT. 2. Check whether you find those certificates XXXXXXXXX in your browser, then export each certificate in your browser. 3. Configure in Océ Express WebTools the trusted certificates you just exported (see section Configure the smart card settings in topic Configure the Smart card authentication). Revocation status: Server is off line: The revocation server is required but ...

Page 182: ...lica or Mifare may work. The Type of contactless card setting in Océ Express WebTools Security Configuration User access configuration has no influence in this case. Additional information: Contact your Canon representative in case you want to use a contactless card or a contactless card reader which is not recorded in the above lists. Plug the contactless card reader into the USB port contact your lo...

Page 183: ...t set the advanced settings. Suffix for the User Principal Name (UPN): if there is a custom suffix, select Custom and enter it; if there are several suffixes in the same domain, create as many domains as suffixes. Locate LDAP server: enter the LDAP server name (Fully Qualified Domain Name or IP address) and port number, if not automatically retrieved by the DNS server. LDAP attribute to display on the user pan...

Page 184: ...qualified name of the job owner setting. The user then sees only the jobs that have been submitted with this FQDN. The type of the contactless card: Felica or Mifare or both. Validate the contactless card configuration. When to do: After you configured the authentication by contactless card, validate it. Procedure: 1. Below the User access mode section, click Validate the configuration of the user access mod...

Page 185: ...d configuration on page 184. Find below the list of possible causes of errors that can occur during the validation of the contactless card configuration. Authentication by contactless card: errors. A red cross in the report indicates an error. For error messages with possible causes and actions to solve the error, see: Error message attached to the red cross / Possible cause(s) / Actions. Domain not correctly...

Page 186: ...orrect. In Océ Express WebTools, check the LDAP search base in Security Domains Advanced. If a red cross is not reported with the Validate configuration tool but there is an error during authentication with the card, please check: If the PIN code is correct but authentication fails, check that the LDAP attribute for card ID is correctly set in the domain created (this may occur in case PIN code setting ...

Page 187: ...er, enter the URL or IP address of the printer to open Océ Express WebTools. 2. Open the Security Configuration page. Log in as a system administrator if requested. 3. In the User access mode section, select User name and password as the User authentication. 4. The restart is required. Select Restart now. When User access mode is set to Smart card or User name and password, the system must be restarted to gua...

Page 188: ... on another attribute. LDAP search base: by default the complete LDAP database (defaultNamingContext attribute). In case of several LDAP databases, it can be worthwhile for performance improvement to indicate another LDAP search base (Custom LDAP search base). LDAP attribute for Home folder: by default the Home directory (for product with the Scan to Home folder feature). 7. Repeat the creation operation for ev...

Page 189: ...ob sent by all user1 users, if several. When logged in on the printer, user1 will have access to all jobs submitted by user1@mydomain.com, user1, user1@anydomain.net. Validate the configuration. When to do: After you configured the authentication by user name and password, validate it. Procedure: 1. Below the User access mode section, click Validate the configuration. 2. Select the domain name. 3. Enter a valid us...

Page 190: ...name and the password. After authentication, the name of the user is displayed in the top menu. Troubleshooting. Introduction: When an error occurs during the process of authentication by user name and password, go to the Security Configuration page and Validate the configuration on page 336. Find below the list of possible causes of errors that can occur during the validation of the configuration. Authen...

Page 191: ... correct. Check the user name and password. Check the Fully Qualified Domain Name (FQDN). Authenticating user xxx: A local error has occurred. Additional test: Authenticate on the user panel. If the authentication fails and an Invalid credentials message is displayed, then: The date and/or time set in the system is not correct. In Océ Express WebTools, correct the Current date and time in Preferences System...

Page 192: ... the smart card from the smart card reader. NOTE: The session is automatically closed when the time out occurs, even if the smart card is still in the card reader. Pull the card out of the reader and insert it again to start a new session. Log out after an authentication by contactless card: On the system user panel, tap on the user name icon. Confirm the log out. Special cases: a time out, pause or error oc...

Page 193: ...put on hold. It is recommended to increase the user session time out. The processing time for a batch of jobs is longer than the session time out. The time out occurs before all the jobs are processed. At least one job is printing. The user is automatically logged out. Only the jobs in Ready to print and Printing statuses are printed. All the jobs that have another status (for example Processing) are put o...

Page 194: ...must solve the issue and then must log in to resume the queue. A Media request occurs. The following combination of settings applies: Media request time out; Action after media request time out. When the media is loaded, the job restarts and is printed. When the time out occurs before the media is loaded, this job is put on hold. The user must load the media and then must log in to resume the queue. Specia...

Page 195: ...name and the domain of the user logged in on the workstation are used to submit the job (including the domain when detected). If needed, log in on the workstation with the relevant user name on the relevant domain (example: user1 on domain domain.com). For a job submitted with the WPD2 driver, the user account name displayed in WPD2 (in the top right part of the window) is used. Change it if needed (example: us...

Page 196: ...e user access mode is enabled and you cannot access Express WebTools, you can disable it on the system panel. Disable the user authentication on the printer user panel. Procedure: 1. On the user panel, tap the upper right corner to display the menu. 2. Select Security. 3. Enter the System administrator password. The current security configuration is displayed. 4. Tap Next to go on and disable a feature. 5. Selec...

Page 197: ...7. Restart the system. Result: The user authentication is disabled. ...

Page 198: ...m recommended On a running system which has already processed data. 2 encryption modes: There are 2 encryption modes. Encryption mode / Scope / Duration / Remarks. Normal: The Normal encryption encrypts the used disk space only. It is recommended for new systems at installation time, when no print/scan data has been processed on the disk. Around 30 minutes. Full: The Full encryption encrypts the entire disk. It i...

Page 199: ... the system is given back; At the system's end of life, before it is recycled. To purge the system from the system user panel: 1. In the system settings, select Security. 2. In the Current Security Configuration window, check the encryption mode and tap Next (the Next button is displayed only when an encryption mode is active). 3. In the list of actions, select Purge the System and tap Next. 4. A message Purging ...

Page 200: ...ly or not. When it is automatically deleted after a time out (the end of the job lifetime in the Smart Inbox is reached): Keep completed jobs in the Smart Inbox is enabled, with Expiration time out for Smart Inbox and Expiration time out for Smart Inbox copy and scan jobs set in the job management settings of the Océ Express WebTools. When a Clear system is performed on the printer user panel. When a Cle...

Page 201: ...g the e-shredding. 4. Go to the In case of errors settings. 5. Check the Save received jobdata for Service setting is disabled. 6. On the printer user panel, make a Clear system. Enable the e-shredding. Procedure: 1. In Océ Express Webtools, open the Security Configuration page and select the E-shredding section. 2. Click Edit. 3. Check E-shredding feature to enable it. 4. Select the algorithm. 5. When you select Cus...

Page 202: ... the E-shredding feedback returns busy. In the Océ Express WebTools window, roll the mouse over the e-shredding icon to display the E-shredding busy status. Once the e-shredding data process is complete, the status comes back to E-shredding ready in the Océ Express WebTools (roll over the icon). ...

Page 203: ...irst e-shredding pass is performed immediately after the job is deleted. Subsequent passes are performed in background. When you disable the e-shredding: When you disable the e-shredding, the system: Terminates the e-shredding process for files which are being e-shredded; Will not e-shred the new deleted files. Make sure all the scan/copy/print jobs are completely e-shredded. Once a batch of scan/copy/pri...

Page 204: ... enabled IPsec disabled Access control enabled. IP filtering Encryption are activated. Only the stations configured with IPsec can connect to the system. No other stations can communicate with the print/scan system. The system can communicate only with the IPsec stations. Communication and data are encrypted. IP filtering is activated, no encryption. Only the stations configured for Access control in Ex...

Page 205: ...igure the parameters for each required station. The parameters can be different for each different workstation: the IP address; the preshared key (keep the generic default one or set a custom one). You can define a default preshared key that will be used for all the IPsec stations connected to the print/scan system. NOTE: The following IPsec parameters cannot be changed: IKE Diffie-Hellman group 2 then 1 I...

Page 206: ...Access control behaviour on page 118. 5. Enable IPsec station 1. Tip: When you enable Access control, it is recommended to declare the workstation from which you remotely configure the system, at least during the configuration time (IPsec is not needed). 6. Enter the IPsec preshared key, or keep it empty to use the default preshared key. The IPsec default preshared key setting is available at the bottom of th...

Page 207: ...oller. Result: The IPsec settings are configured on the controller for a connection to a workstation. ...

Page 208: ...actions and security negotiation on page 126. 5. Define the security rule on page 127. 6. Assign the security policy on page 129. 7. Customize the IPsec settings on page 130. NOTE: The procedure below shows the configuration steps on Windows server 2008 for an Océ ColorWave 300 system. The procedure is similar on other Operating Systems (Windows Server 2003, Windows XP, Windows Vista, Windows 7) and for other O...

Page 209: ...k Finish. The security snap-in is added: click OK. Create the security policy. Procedure: 1. In the console, right-click on IP Security Policies on local Computer and select Create IP Security Policy. 2. Click Next to open the wizard. ...

Page 210: ...5. Uncheck Edit properties and click Finish. Create the filter list. Procedure: 1. In the console, right-click on IP Security Policies on local Computer and select Manage IP filter lists and filter actions. ...

Page 211: ...en the wizard. 5. Check the Mirrored checkbox and click Next. 6. Select My IP address as the Source address and click Next. 7. Select A specific IP address or subnet as Destination address and enter the IP address of the controller. ...

Page 212: ... is set. Define the filter actions and security negotiation. Procedure: 1. Open the Manage Filter Actions tab and click Add to open the wizard. 2. Click Next. 3. Give a name to the filter actions and click Next. ...

Page 213: ...7. Configure the settings as below. Data and address integrity without encryption (AH) setting is not mandatory. 8. Click OK and Next, then Finish. Define the security rule. Procedure: 1. In the console, right-click on the IP security policy just created and select Properties to open the wizard. On Windows 7, a new window opens: check that Use Add Wizard is checked, then click on Add. ...

Page 214: ...s the Network type, select All network connections and click Next. 5. Select the filter previously created, then click Next. 6. Select the filter action previously created, then click Next. ...

Page 215: ... in the Océ controller on page 120, then click Next. 9. Click Finish. 10. Click OK to validate the Security rule. Assign the security policy. Procedure: 1. In the console, right-click on the security policy just created and select Assign. The configuration is activated on the IPsec station (workstation). ...

Page 216: ...wall Advanced settings to open the Windows Firewall with Advanced Security window. 2. In the Actions section on the right-hand side, click on Windows Firewall with Advanced Security on Local Computer to expand the menu. 3. Select Properties. 4. In the IPsec Settings tab, click on the Customize button of the IPsec defaults. ...

Page 217: ...0 and Océ ColorWave 500 550 650 650R3 700: Remove your workstation from the IPsec Access control configuration when it must not remain in the list of connected stations. For all other printers: When the test works properly, it is recommended to disable the Failsafe mode on the printer/scanner controller. So only the IPsec station is allowed to communicate with the printer/scanner system. ...

Page 218: ...achable. Then use the emergency procedure to disable IPsec and Access control via the printer user panel. Disable Access control on the printer user panel. Procedure: 1. On the user panel, tap the upper right corner to display the menu. 2. Select Security. 3. Enter the System administrator or Power user password. 4. A wizard is displayed. Follow the instructions. 5. Confirm to disable access control. Troubleshoot...

Page 219: ...ntrol and IPsec functions are disabled. After the restart, you will be able to remotely open Océ Express WebTools from any workstation (HTTP). ...

Page 220: ...the configuration settings accessed through Océ Express WebTools between the client and the controller. It can be easily used. This self-signed certificate has not been signed by a Certification Authority; consequently, the web browser will display a Certificate Error message the first time you use the HTTPS protocol. The CA-signed certificate is delivered by a Certification Authority. To ensure a fully...

Page 221: ...ority. The Common Name in the certificate does not match the printer hostname or IP Address you typed in the address bar. 2. In order to view and check the self-signed certificate, continue to the website. 3. Click on Certificate error. 4. Click View certificates. 5. The certificate is issued to Océ Express WebTools by Océ Express WebTools. 6. Click Install Certificate. 7. Follow the Wizard's instructions to imp...

Page 222: ...2. Accept the warning. 3. Finish the installation. When the import is successful, the Océ Express WebTools Certificate is recognised and its status is OK. ...

Page 223: ... Océ self-signed certificate guarantees: The identity of the remote computer (controller); The encryption of the print data on the network. Use the Océ self-signed certificate with Mozilla Firefox. Procedure: 1. On a workstation, type the URL address of your printer in Mozilla Firefox: https://(common Name or PrinterHostname or PrinterIPaddress). A warning window opens. It displays 2 errors: The certificate is not...

Page 224: ...nit (OU) WFPS. 6. The certificate is issued to Océ Express WebTools by Océ Express WebTools, so you can confirm the security exception (permanent or temporary exception). 7. A security warning window may pop up. Click Yes to continue. Result: The Océ Express WebTools software opens. You can check in the status bar at the bottom of the window that the padlock is displayed. In the navigation bar, the Océ certificat...

Page 225: ...till using HTTPS, follow these 2 procedures step by step. Overall procedure to prepare and generate the CA-signed certificate request. Step / Description. A1: Back up the current certificate and private key, if any. The current certificate can be: the original Océ self-signed certificate (embedded); a CA-signed certificate delivered by a Certification Authority you previously installed. See Back up a certificat...

Page 226: ...ser on each workstation. See Check and import the root certificate on page 229. B5: Back up the certificate and private key. Back up and store the certificate and the private key. Note: It is highly recommended to back up the CA-signed certificate and the private key, since they are not saved in any system backup. See Back up a certificate and private key on page 226. Other procedures. Procedure / When to d...

Page 227: ...ficate. Pre-requisites: Back up the current Certificate and Private key already installed on the controller (see Back up a certificate and private key on page 226). Generate a certificate request. NOTE: Step A2 of the HTTPS Description of the overall procedure on page 225. Procedure: 1. In a web browser, open Océ Express WebTools (https://IP address or hostname). 2. On the Security HTTPS, select Generate a certific...

Page 228: ...sr by default. 2. Send the content of this request to the Certification Authority. Import a CA-signed certificate into the controller and workstations. Introduction (overall procedure): 1. Import the CA-signed certificate into the controller: Import the Root certificate; Import the Intermediate certificate; Import the CA certificate. 2. Import the Root certificate into the workstations web browser: Import the R...

Page 229: ...uccessfully imported pops up, restart the controller. Result: The certificate is now installed on the server. Check and import, if needed, the CA Root certificate also into the workstations web browser. That will secure the complete data workflow between the workstations and the server. Check and import the Root certificate into the workstations browser. When to do: NOTE: Step B4 of the HTTPS Descript...

Page 230: ...e original self-signed certificate: that requests a preliminary back up of the original self-signed certificate. See Back up a certificate and private key on page 226. Each Reset certificate action generates a new self-signed certificate with a new private and public key. So each time you reset the certificate, you must import the new certificate into the web browser. Reset the certificate. Procedure: 1. I...

Page 231: ...alues are correct in Océ Express WebTools Configuration System defaults. Refer to Configure the user authentication by user name and password on page 334 for the detailed procedure. It is recommended that the System Administrator validates this new configuration by clicking Validate this configuration in Security Configuration (see Validate the configuration on page 336). Scan to the Home folder: There ...

Page 232: ...bleshooting: When an error occurs during the process of authentication by user name and password, follow the procedures below to test and troubleshoot. Use the validation tool to validate the configuration. See Validate the configuration on page 189. Apply the corrective actions when needed. See Troubleshooting on page 190. In case the home folder is not accessible: Use the validation tool and check in the...

Page 233: ...guration External locations page. 3. Log in as a System administrator or Power user. 4. Edit the USB type. 5. In the Enabled functionalities drop-down list, select: None, to disable print from and scan to capabilities; Print from only, to enable to print from USB and disable Scan to USB capability; Scan to only, to enable to scan to USB and disable Print from USB capability. Note: Select Print from and scan to t...

Page 234: ...ne is selected, the job submission capability through Océ Express WebTools is completely deactivated. The remote actions on submitted jobs to the Key operator or Power user (Perform job actions in the print queue): When set to Login needed, only the Key operator or Power user can remotely delete or move a submitted job. The display of Smart Inboxes in Océ Express WebTools: When enabled, all users of Océ E...

Page 235: ...Chapter 5 Security on Océ ColorWave 550 600 650 and Poster Printer ...

Page 236: ...650 Océ ColorWave 550 offer the following security features. Security overview. Operating System: Linux for Océ ColorWave 550, Océ ColorWave 600 Poster Printer and Océ ColorWave 650 Poster Printer; Linux and WES 2009 for Océ ColorWave 650 multifunctional (printer and scanner) and Océ ColorWave 550 multifunctional (printer and scanner). Firewall: Yes. Network protocols protection: Yes, per protocol, through firew...

Page 237: ...inter for Océ ColorWave 550 R2.3.1 and higher, Océ ColorWave 650 R2.3.1 and higher (see also Security on Océ ColorWave 650 R3.x on page 268), Océ ColorWave 650 PP v2.3.1 and higher. ...

Page 238: ...ublisher Express TCP 80 HTTP Publisher Select Publisher Select 2 TCP 80 HTTP UDP 515 Océ protocol for Printer Discovery Océ Publisher Mobile TCP 515 LPR 3 TCP 4242 FTP passive mode for data channel in FTP passive mode ICMP ping UDP 515 Océ protocol for Printer Discovery TCP 21 FTP 4 Océ Reprodesk Studio TCP 515 LPR TCP 65200 Océ back channel Novell NDPS printing TCP 515 LPR LPR printing TCP 515 ...

Page 239: ...TP passive mode. Control/management ports and protocols used by the system. Application/Functionality / Port used on the controller / protocol / Remarks. PING: ICMP, incoming echo request only. SNMP based applications: UDP 161, SNMP. Name resolution: Outgoing connection. Local port on controller: UDP/TCP dynamic value. Remote port on DNS server: UDP/TCP 53. Océ Express WebTools: TCP 80, HTTP. Océ Account Center Advanced...

Page 240: ...response back on the IT infrastructure firewall. ...

Page 241: ...d the Océ Security patch from the Océ Downloads website on http://downloads.oce.com. Open the product page and go to the Security tab to download the available security patches. Procedure: 1. Open the Océ Express Webtools. 2. Open the Support tab. 3. Select Update. The Authentication window opens. 4. Log in as the System administrator or Power user. The latest patch successfully applied (when any) is displayed. Se...

Page 242: ...perating system patches section to open the wizard. 6. Click OK. 7. Browse to the Océ Remote patch and click OK to install it. 8. Click OK to confirm the update. ...

Page 243: ...etwork protocols. Protocols / Available / Protection. FTP: Yes, Can be disabled; SNMP: Yes, Can be disabled; LPR: Yes, Can be disabled; Backchannel: Always Enabled, Océ proprietary protocol; HTTP: No, always Enabled; ICMP: No, always Enabled; DNS: No, always Enabled. To disable a network protocol, go to the Configuration Connectivity section of the Océ Express WebTools and uncheck the protocol. ...

Page 244: ...ess WebTools section / Action / Detail. 1. Support Remote Service Remote assistance: Stop the Remote assistance if it is activated. Click Stop remote assistance until it changes into Allow remote assistance. The two blinking arrows on the right side disappear. 2. Preferences System Properties Service: Disable Remote Service connection. Set Océ Remote Services connection enabled to Disabled. 3. Configuration ...

Page 245: ...sabled and no operation on the controller can execute a programme on the USB device. Propagating on network any infected file present on the USB device plugged on the USB port is not possible. Read from USB device protection: The USB READ operation is protected when printing from the USB device. Any print file infected by a virus will never compromise controller's software integrity. Disable the USB fe...

Page 246: ...fied, except when using the Océ procedures for update. Any exploit of the security vulnerability can only affect temporary files. A reboot of the system brings it back to the original genuine one. Windows Embedded Standard 2009 OS and software protection: An additional Operating system is used for scanning on the Océ ColorWave 650 multifunctional (printer and scanner) and Océ ColorWave 550 multifunctiona...

Page 247: ...orWave 600 Poster Printer, Océ ColorWave 650 Poster Printer, Océ ColorWave 550 systems. Introduction: There are 2 groups of passwords: The passwords used in Océ Express WebTools; The passwords used in the Printer Operator Panel. Passwords used in Océ Express WebTools: In Océ Express WebTools, the passwords protect the roles. Password modification table for Océ ColorWave 600, Océ ColorWave 650 and Océ ColorWa...

Page 248: ...e Power user The passwords are restored only when the System administrator or the Power user makes the Open Set operation When a password has been stored with Auto value it is restored with the No password value Password backup restore policy with the Export templates Import templates features During the Export templates operation the passwords for any ScanToFile remote user name are stored encryp...

Page 249: ...Océ ColorWave printers on page 253 You can enable Access control in Océ Express WebTools You can disable it in Océ Express WebTools or via the printer user panel NOTE In case DHCP and DNS servers are used Add the DHCP server in the list of the Access control stations Otherwise the DHCP protocol is disabled you can disable the DHCP settings in the Configuration Connectivity settings and configure t...

Page 250: ... Inbox system setting is disabled in the Océ Express Webtools After a ScanToFile to remote destination has been successfully performed When it is automatically deleted after a timeout the end of the job lifetime in the Smart Inbox is reached Keep completed jobs in the Smart Inbox is enabled with Expiration time out for Smart Inbox set in the job management settings of the Océ Express Webtools When...

Page 251: ...enter the system URL http hostname to open the Océ Express WebTools 2 Open the Configuration Connectivity page and select the E shredding section 3 Click Edit 4 Check E shredding feature to enable it 5 Select the algorithm When you select Custom you must set the number of passes On Océ ColorWave 650 PP 550 click on the value of E shredding custom number of passes to set the number of passes 5 Set ...

Page 252: ... Smart Inbox After an automatic deletion of the print or scan jobs by the system timeout disabled Smart Inbox cleanup When you disable the e shredding When you disable the e shredding the system Terminates the e shredding process for files which are being e shredded Will not e shred the new deleted files Make sure a file is completely e shredded e shredding enabled Perform the following actions to...

Page 253: ...ion below The printer copier system is physically connected to the network but communicates only with a dedicated station a print server or scan server for example The print server receives the print request from the workstations via IP on the network The print server sends the print requests to the printer copier system via IPsec The workstations cannot communicate directly with the printer copier...

Page 254: ...one or set a custom one You can define a default preshared key that will be used for all the stations connected by IPsec to the printer scanner system Configure the IPsec settings in the Océ controller Before you begin You must be logged as a System Administrator or a Power user DHCP must be disabled Activate and configure IPsec in the printer scanner controller Procedure 1 Open a web browser and ...

Page 255: ...e following special characters _ NOTE Write it down This preshared key will be required during the IPsec configuration on the workstation 9 Restart the controller Result The IPsec settings are configured on the controller for a connection to a workstation which can be a print server Configure the IPsec settings on a workstation or a print server When to do After the IPsec configuration on the cont...

Page 256: ...icy on page 263 NOTE The procedure below shows the configuration steps on Windows server 2008 The procedure is similar on other Operating Systems Windows Server 2003 Windows XP Windows Vista Windows 7 Add the security snap in Procedure 1 In the Start Run window enter mmc to open the management console 2 In the top menu select File Add Remove Snap in 3 Select IP Security Policy Management and click...

Page 257: ...click on IP Security Policies on local Computer and select Create IP Security Policy 2 Click Next to open the wizard 3 Enter the name for the policy and click Next Create the security policy Chapter 5 Security on Océ ColorWave 550 600 650 and Poster Printer 257 ...

Page 258: ...ate the filter list Procedure 1 In the console right click on IP Security Policies on local Computer and select Manage IP filter lists and filter actions 2 In the Manage IP filter lists tab click Add Create the filter list 258 Chapter 5 Security on Océ ColorWave 550 600 650 and Poster Printer ...

Page 259: ... Source address and click Next 7 Select A specific IP address or subnet as Destination address and enter the IP address of the controller 8 Select Any as the IP Protocol Type and click Next 9 Click Finish 10 In the IP filter list window click OK The filter list is set Create the filter list Chapter 5 Security on Océ ColorWave 550 600 650 and Poster Printer 259 ...

Page 260: ...ure 1 Open the Manage Filter Actions tab and click Add to open the wizard 2 Click Next 3 Give a name to the filter actions and click Next Define the filter actions and security negotiation 260 Chapter 5 Security on Océ ColorWave 550 600 650 and Poster Printer ...

Page 261: ...d click on the Settings button 7 Configure the settings as below 8 Click OK and Next then Finish Define the security rule Procedure 1 In the console right click on the IP security policy just created and select Properties to open the wizard On Windows 7 a new window opens check that Use Add Wizard is checked then click on Add 2 Click Next Define the security rule Chapter 5 Security on Océ ColorWav...

Page 262: ...Network type select All network connections and click Next 5 Select the filter previously created then click Next 6 Select the filter action previously created then click Next Define the security rule 262 Chapter 5 Security on Océ ColorWave 550 600 650 and Poster Printer ...

Page 263: ...s on the Océ controller on page 42 then click Next 9 Click Finish 10 Click OK to validate the Security rule Assign the security policy Procedure 1 In the console right click on the security policy just created and select Assign The configuration is activated on the IPsec station workstation Assign the security policy Chapter 5 Security on Océ ColorWave 550 600 650 and Poster Printer 263 ...

Page 264: ...bled and activated on the printer scanner controller of Océ ColorWave 650 550 v2 3 1 and higher and The communication between the controller and the host stations fails You cannot open remotely Océ Express WebTools to change the settings The system is unreachable Then you can use the emergency procedure to disable Access control Via the printer user panel on the printer scanner system Disable Acce...

Page 265: ...as also activated on the controller it is also disabled with this operation After the restart you will be able to open Océ Express WebTools remotely from a workstation HTTP Troubleshooting Disable Access control and IPsec Océ ColorWave 650 550 systems Chapter 5 Security on Océ ColorWave 550 600 650 and Poster Printer 265 ...

Page 266: ...a web browser and enter the system URL http hostname to open the Océ Express WebTools 2 Open the Preferences System properties page and select the Printer properties section 3 Go to the USB direct print setting 4 Click on the value to open the USB direct print window 5 Log in as a Key Operator or Power User 6 Select Disabled and Ok How to prevent Print from USB on Océ ColorWave 550 650 and PP 266 ...

Page 267: ...le The remote view of the Smart Inboxes The display of the Smart Inboxes on the printer panel The storage of the job data in the Smart Inboxes Set the job management settings The Job management settings are available on the Preferences System properties tab Configure the job management settings to manage the visibility of jobs and their availability in Océ Express WebTools or in the printer operat...

Page 268: ... or IPV6 IPV4 combination Data overwrite E shredding Data encryption on the network IPsec HTTPS for administration Océ Express WebTools and for job submission through Océ Publisher Express Password protection Yes for User settings Administration settings Settings on the printer user panel Access control IP filtering SMB authentication NTLMV2 or NTLMV1 can be set in Océ Express WebTools Smart Inbo...

Page 269: ... TCP 515 LPR Océ Publisher Express TCP 80 HTTP TCP 443 HTTPS Publisher Select Publisher Select 2 TCP 80 HTTP UDP 515 Océ protocol for Printer Discovery Océ Publisher Mobile TCP 21 FTP TCP 4242 FTP passive mode for data channel in FTP passive mode ICMP ping UDP 515 Océ protocol for Printer Discovery Océ Reprodesk Studio TCP 515 LPR TCP 65200 Océ back channel OCI Novell NDPS printing TCP 515 LPR LP...

Page 270: ...FTP passive mode only FTP active mode not supported Control management with Océ ColorWave 650 R3 x0 INBOUND and OUTBOUND ports and protocols used by the system Application Functionality INBOUND ports on the controller protocol OUTBOUND ports from the controller protocol PING IPv4 ICMPv4 PING IPv6 ICMPv6 nslookup UDP local port any UDP remote port 53 SNMP based applications UDP 161 SNMP Name resol...

Page 271: ...500 Notes 1 When there is a proxy Additional built in Windows 7 firewall rules Inbound rules Core Networking Dynamic Host Configuration Protocol DHCP In Core Networking Dynamic Host Configuration Protocol for IPv6 DHCPV6 In Outbound rules Core Networking DNS UDP Out Core Networking Dynamic Host Configuration Protocol DHCP Out Core Networking Dynamic Host Configuration Protocol for IPv6 DHCPV6 Out ...

Page 272: ...ity tab to download the available security patches Install a patch Procedure 1 Open Océ Express WebTools 2 Open the Support tab 3 Select Update The Authentication window opens 4 Log in as the System administrator or Power user The latest patch successfully applied when any is displayed 5 Click on the Install icon top right corner of the Operating system patches section to open the wizard Security ...

Page 273: ... Click OK 7 Browse to the Océ Remote patch and click OK to install it 8 Click OK to confirm the update Install the Océ Remote patch Chapter 5 Security on Océ ColorWave 550 600 650 and Poster Printer 273 ...

Page 274: ...ing Océ WAVE interface HTTP Enable Disable Used for Océ back channel for WPD2 Account Center Account dialog upload interface HTTP Enable Disable When both this Account dialog interface AND Océ WAVE interface are disabled any interaction with Océ Account Center is disabled Web Services for Devices WSD HTTP Enable Disable For WSD device discovery OCI interfaces Océ proprietary interfaces Enable...

Page 275: ...es Allow interaction with Océ Publisher Select Océ Express WebTools via HTTP Inbound HTTP is totally disabled when ALL aforementioned network services are disabled HTTPS HTTPS Always Enabled Cannot be disabled Note To disable a network protocol or network service go to the Configuration Connectivity section of the Océ Express WebTools and uncheck the protocol or service Network protocols protec...

Page 276: ...ess WebTools section Action Detail 1 Support Remote Service Remote assistance Stop the Remote assistance if it is activated Click Stop remote assistance until it changes into Allow remote assistance The two blinking arrows on the right side disappear 2 Preferences System Properties Service Disable Remote Service connection Set Océ Remote Services connection enabled to Disabled 3 Configuration ...

Page 277: ...sabled and no operation on the controller can execute a programme on the USB device Propagating on network any infected file present on the USB device plugged on the USB port is not possible Read from USB device protection The USB READ operation is protected when printing from the USB device Any print file infected by a virus will never compromise controller's software integrity Disable the USB fe...

Page 278: ...se Edition ePolicy Orchestrator for AntiVirus update Contact your Canon representative to know which antivirus version to install on your Océ systems and get the installation procedure NOTE Canon Océ shall not be liable for damages of any kind attributable to the use of an antivirus on its controllers Antivirus 278 Chapter 5 Security on Océ ColorWave 550 600 650 and Poster Printer ...

Page 279: ...llow automatic update of embedded Service documentation Each of these permissions can be disabled in the Permissions for Service section of the Security Configuration page in Océ Express WebTools The System administrator and the Power user control also the connection via a Remote Desktop Protocol needed by a Service technician to install a third party application on the system an antivirus for ins...

Page 280: ...network settings and the Proxy authentication password are stored encrypted into the backup set made with the Save Set feature of Océ Express WebTools The roles passwords are not stored in the backup set NOTE When a password is configured as No password the information Auto meaning No password is stored in the backup file It is not encrypted The passwords are stored in the backup file whatever the...

Page 281: ... the communication from this host to the system needs to be encrypted by IPsec see IPsec presentation on page 284 You enable Access control in Océ Express WebTools You can disable it in Océ Express WebTools or via the printer user panel NOTE In case DHCP and DNS servers are used Add the DHCP server in the list of the Access control stations Otherwise the DHCP protocol is disabled you can disable t...

Page 282: ...ion removal of external locations Changes of passwords used to protect security related settings Key operator System administrator Power user Service User interface password PIN for network settings Timezone E shredding settings Remote service online connection enabled disabled 3rd party software settings remote desktop admin account firewall port Smart Inbox enable disable Allow Service Technicia...

Page 283: ...ed successfully or not When it is automatically deleted after a time out the end of the job lifetime in the Smart Inbox is reached Keep completed jobs in the Smart Inbox is enabled with Expiration time out for Smart Inbox and Expiration time out for Smart Inbox copy and scan jobs set in the job management settings of the Océ Express WebTools When a Clear system is performed on the printer user pan...

Page 284: ...c enabled IPsec disabled Access control enabled IP filtering Encryption are activated Only the stations configured with IPsec can connect to the system No other stations can communicate with the print scan system The system can communicate only with the IPsec stations Communication and data are encrypted IP filtering is activated no encryption Only the stations configured for Access control in E...

Page 285: ...et a custom one You can define a default preshared key that will be used for all the IPsec stations connected to the print scan system NOTE The following IPsec parameters cannot be changed IKE Diffie Hellman group 2 then 1 IKE SA lifetime 28800 s IKE security method 3DES then MD5 IKE hash SHA1 then MD5 ESP encryption 3DES then DES ESP hash SHA1 then MD5 then None AH hash SHA1 then MD5 Encapsulation ...

Page 286: ...y MS character NOTE Write down this preshared key It will be required during the IPsec configuration on the workstation 7 Click OK Note The settings are applied as soon as OK is validated and before the restart You may lose the remote connection to the system when your workstation is not part of the configured stations 8 Restart the controller Result The IPsec settings are configured on the contro...

Page 287: ...indows XP Windows Vista Windows 7 and for other Océ printers Troubleshooting Disable Access control and IPsec Océ ColorWave 650 550 systems Introduction In the following case Access control is enabled and activated on the printer scanner controller of Océ ColorWave 650 550 v2 3 1 and higher and The communication between the controller and the host stations fails You cannot open remotely Océ Expres...

Page 288: ... to disable access control 5 Press Finish 6 Restart the controller Result Access control is disabled If IPsec was also activated on the controller it is also disabled with this operation Troubleshooting Disable Access control and IPsec Océ ColorWave 650 550 systems 288 Chapter 5 Security on Océ ColorWave 550 600 650 and Poster Printer ...

Page 289: ...will be able to open Océ Express WebTools remotely from a workstation HTTP Troubleshooting Disable Access control and IPsec Océ ColorWave 650 550 systems Chapter 5 Security on Océ ColorWave 550 600 650 and Poster Printer 289 ...

Page 290: ...rint data sent through Publisher Express and of the configuration settings accessed through Océ Express WebTools between the client and the controller It can be easily used This self signed certificate has not been signed by a Certification Authority consequently the web browser will display a Certificate Error message the first time you use the HTTPS protocol The CA signed certificate is delivere...

Page 291: ...ed by a trusted certificate authority The Common Name in the certificate does not match the printer hostname or IP Address you typed in the address bar 2 In order to view and check the self signed certificate continue to the website 3 Click on Certificate error 4 Click View certificates 5 The certificate is issued to Océ Express WebTools by Océ Express WebTools 6 Click Install Certificate 7 Follow ...

Page 292: ...2 Accept the warning 3 Finish the installation When the import is successful the Océ Express WebTools Certificate is recognised and its status is OK Use the Océ self signed certificate with Internet Explorer 292 Chapter 5 Security on Océ ColorWave 550 600 650 and Poster Printer ...

Page 293: ...r Océ self signed certificate guarantees The identity of the remote computer controller The encryption of the print data on the network Use the Océ self signed certificate with Mozilla Firefox Procedure 1 On a workstation type the URL address of your printer in Mozilla Firefox https common Name or PrinterHostname or PrinterIPaddress A warning window opens It displays 2 errors The certificate is no...

Page 294: ...tom of the window that the padlock is displayed In the navigation bar the Océ certificate is registered as an exception The identity of the remote controller and the encryption of the data on the network are secured Request and import a CA signed certificate Description of the overall procedure to request and import a CA signed certificate Introduction By default the first certificate delivered fo...

Page 295: ...page 141 A3 Save the content of the certificate request Send this content to the Certification Authority to request a CA signed certificate The Certification Authority will check the request and reply If the request is valid go to step A4 if the request is not valid make a new request A2 according to the remarks corrections suggested by the CA request feedback A4 Restart the controller A5 Back...

Page 296: ...e It is highly recommended to back up the CA signed certificate and the private key since they are not saved in any system backup See Back up a certificate and a private key on page 140 Other procedures Procedure When to do Restore a certificate and a private key You can restore the certificate and the private key at any moment in case of need See Restore a certificate and a private key on page 1...

Page 297: ...a web browser and enter the system URL http hostname to open the Océ Express WebTools 2 Open the Preferences System properties page and select the Printer properties section 3 Go to the USB direct print setting 4 Click on the value to open the USB direct print window 5 Log in as a Key Operator or Power User 6 Select Disabled and Ok How to prevent Print from USB on Océ ColorWave 550 650 and PP Chap...

Page 298: ...n disabled the job submission capability through Express WebTools is completely deactivated The remote actions on jobs to the Operator Restrict remote actions on jobs to the Key Operator When enabled all remote actions on jobs in the queue are restricted to the Key Operator or Power user only The display of Smart Inboxes in Océ Express WebTools When enabled all users of Express WebTools can see t...

Page 299: ...Chapter 6 Security on Océ ColorWave 500 and Océ ColorWave 700 ...

Page 300: ...nd password is enabled on Océ ColorWave 500 R4 1 and higher Océ ColorWave 700 R4 1 and higher Hard Disk encryption Yes for Océ ColorWave 500 R4 1 and higher Océ ColorWave 700 R4 1 and higher 2 modes are available Full disk encryption Normal encryption IPv6 Yes IPV6 only or in combination with IPv4 Access control IP filtering Data overwrite E shredding Data encryption on the network IPsec HTTPS fo...

Page 301: ...trol over Service operations Operations made by Service under the control of the System Administrator on Océ ColorWave 500 R4 1 and higher Océ ColorWave 700 R4 1 and higher Security overview for the Océ ColorWave 500 and ColorWave 700 systems Chapter 6 Security on Océ ColorWave 500 and Océ ColorWave 700 301 ...

Page 302: ... Publisher Express TCP 80 HTTP TCP 443 HTTPS Publisher Select Publisher Select 2 TCP 80 HTTP UDP 515 Océ protocol for Printer Discovery Océ Publisher Mobile TCP 515 LPR 1 TCP 4242 FTP passive mode for data channel in FTP passive mode ICMP ping UDP 515 Océ protocol for Printer Discovery TCP 21 FTP 2 Océ Reprodesk Studio TCP 515 LPR TCP 80 Océ back channel WAVE Novell NDPS printing TCP 515 LPR LPR ...

Page 303: ...UND and OUTBOUND ports and protocols used by the system Application Functionality INBOUND ports on the controller protocol OUTBOUND ports from the controller protocol Scan to File SMB TCP 139 445 UDP 137 138 445 Scan to File FTP FTP command 1 Local TCP any Remote TCP 21 FTP Data 1 Local TCP any Remote TCP any Scan to File Cloud WebDAV TCP 80 HTTP TCP 443 HTTPS TCP web proxy port 2 TCP WebDAV port...

Page 304: ...ser authentication by user name and password TCP 88 UDP 88 Kerberos TCP 389 UDP 389 LDAP User authentication by smart card TCP 80 OCSP TCP 80 HTTP or TCP 443 HTTPS Océ Meter Manager UDP 161 SNMP Océ back channel TCP 65200 for OCI back channel Océ Remote Service TCP 443 HTTPS TCP web proxy port 1 NetBios over TCP IP UDP 137 TCP 139 445 UDP 138 WSD TCP 80 HTTP UDP 3702 for WSD discovery TCP 5357 fo...

Page 305: ...Core Networking DNS UDP Out Core Networking Dynamic Host Configuration Protocol DHCP Out Core Networking Dynamic Host Configuration Protocol for IPv6 DHCPV6 Out Core Networking IPv6 IPv6 Out Applications protocols and ports Chapter 6 Security on Océ ColorWave 500 and Océ ColorWave 700 305 ...

Page 306: ...curity tab to download the available security patches Install a patch Procedure 1 Open Océ Express WebTools 2 Open the Support tab 3 Select Update The Authentication window opens 4 Log in as the System administrator or Power user The latest patch successfully applied when any is displayed 5 Click on the Install icon top right corner of the Operating system patches section to open the wizard Securi...

Page 307: ...6 Click OK 7 Browse to the Océ Remote patch and click OK to install it 8 Click OK to confirm the update Install the Océ Remote patch Chapter 6 Security on Océ ColorWave 500 and Océ ColorWave 700 307 ...

Page 308: ...e Disable For LPR printing Océ WAVE interface HTTP Enable Disable Used for Océ back channel for WPD2 Account Center Reprodesk Web Services on Devices WSD HTTP Enable Disable For WSD device discovery OCI interfaces Océ proprietary interfaces Enable Disable Allow interaction with Océ Publisher Select HTTP Enable Disable Used only for Océ Publisher Select backchannel Océ Express WebTools via HTT...

Page 309: ...entation HTTP HTTPS Enable Disable Outbound connection Océ Online Services connection enabled or Remote Service connection HTTPS Enable Disable Outbound connection used by Remote Service Note To disable a network protocol or network service go to the Configuration Connectivity section of the Océ Express WebTools and uncheck the protocol or service To disable the connection to Remote Service Océ ...

Page 310: ...ble Online Services or Remote Service Set Océ Online Services connection enabled or Remote Service connection to Disabled 3 Configuration Connectivity Other network interfaces Disable the automatic update of the embedded Service information Set Allow automatic update of Océ service information or Allow automatic update of embedded Service documentation to Disabled 4 Configuration External lo...

Page 311: ...ile infected by a virus appears as an invalid backup file The controller software detects it and rejects the restore operation when printing from the USB device Any print file infected by a virus will never compromise controller's software integrity Protection of the USB WRITE operation during the backup of the controller configuration from the Local User Interface The backup is performed by the i...

Page 312: ...prise Edition ePolicy Orchestrator for AntiVirus update Contact your Canon representative to know which antivirus version to install on your Océ systems and get the installation procedure NOTE Canon Océ shall not be liable for damages of any kind attributable to the use of an antivirus on its controllers Antivirus 312 Chapter 6 Security on Océ ColorWave 500 and Océ ColorWave 700 ...

Page 313: ...Power user control the following Service operations Allow Service technician to reset passwords Allow software reinstallation from USB Allow an update or patch installation by Service Allow Service to access licenses information Allow automatic update of embedded Service documentation Each of these permissions can be disabled in the Permissions for Service section of the Security Configuration pag...

Page 314: ...stem update The following settings and functions are protected by the Key operator or Power user password on the user panel The printer calibration Clear system The Install additional hardware function The scanner calibration The media calibration The roll to roll option NOTE Keep this password The reset of this password may require the intervention of a Service technician Passwords modification P...

Page 315: ...rtExternalLocationTemplates xml included in the file exportExternalLocationTemplates zip The Import templates operation restores the passwords Temporary password for the installation of 3rd party application To install a 3rd party application in the controller system a Canon representative generates a temporary administrative password for the Windows Administrative account This password is valid f...

Page 316: ...ngs manually Add the DNS server in the list of the Access control stations Otherwise the DNS protocol is disabled you can configure the path of the external locations with the IP address instead of a hostname Use the access restriction to limit the access to the printer Enable Access control and set the list of IP addresses of the computers hosts that will be able to communicate with the printer T...

Page 317: ...trator Power user Service User interface password PIN for network settings Timezone E shredding settings Remote service online connection enabled disabled 3rd party software settings remote desktop admin account firewall port Smart Inbox enable disable Allow Service Technician to reset passwords on off Save retrieved job data for service on off HTTPS settings enable disable change of certificate H...

Page 318: ...ess them Copying and scanning operations are accessible only after the user authenticates on the system user panel You cannot retrieve scanned files that are stored locally on the controller User authentication methods One of the two following methods can be used for user authentication User name and password The user name and password are required on the printer panel This authentication method i...

Page 319: ...PD2 or an ONYX application or a LPR or FTP command 3 The owner of the job logs in on the printer user panel Only the job owner can see the job and print it user authentication is required to unlock the printer panel accessibility 4 The job owner launches the print 5 The job owner collects the printed output The scan and copy workflow The Scan and Copy features are accessible only after the user au...

Page 320: ...art Inbox Keep a copy of copy jobs in the Smart Inbox Keep a copy of local print jobs in the Smart Inbox Key operator actions on jobs In Preferences System defaults Job management Restrict remote actions on jobs to the Key Operator Copy job priority In Preferences System defaults Job management Copy job priority OCI interface In Configuration Connectivity Other network interfaces OCI interfaces Lo...

Page 321: ...n To secure the job data and job ownership on the network during the job submission the job scanning to external locations the use of a secured network IPsec for instance is recommended Impact of the user authentication on the system features and Océ WebTools Chapter 6 Security on Océ ColorWave 500 and Océ ColorWave 700 321 ...

Page 322: ...WPD2 or a job submitter example Océ Publisher Select 2 3 Authentication on the printer The user logs in on the printer either by typing his her user name and password on the printer panel or by using his her smart card The credentials used on the printer must be the same as the ones used at the job submission time Example user1 belonging to the domain domain com 4 Job management On the bottom rig...

Page 323: ...that the user stays close to the printer until all the jobs are completely printed The jobs in Processing state are not printed if the user logs out before they are in Ready to print status Standard workflow for scan and copy Step Action 1 Logging on the printer The user logs in on the printer either by typing his her user name and password on the printer panel or by using his her smart card Exam...

Page 324: ...b to an external location The user authentication in the main job submission workflows Introduction There are several ways to submit print jobs to the printer Find below the recommendations for benefiting from the protection by the user authentication in the recommended job submission workflows Job submission with Océ Publisher Select from version 1 17 Job submission from an application with the O...

Page 325: ... on Example user1 on domain domain com 2 Open the application to open the file 3 Open Océ WPD2 Properties to print the job from the application When the WPD2 driver window opens check the user account name of the job in the top right part of the window This user name is going to be sent along with the job Example user1 domain com NOTE If the user account name is not displayed open the Options Ad...

Page 326: ...1 Other submission workflows Job submission by LPR For a file submitted by LPR the system will use the Username tag present in the job ticket of the file if any If there is no job ticket in the file or no Username in the job ticket then the non FQDN user name of the user logged in on the system is used example user1 The LPR command to submit the job is LPR S printer name P printer name x filename ...

Page 327: ...n com NOTE The job owner declared in Publisher Express does not overwrite the Username embedded into the job ticket Job submission with ONYX For a file submitted with ONYX the system uses the non FQDN user name the user has entered to log in on the workstation example user1 To be able to see the files on the user panel the user must log in on the system with the same user name Other submission wor...

Page 328: ...tificates Forced URL of OCSP responder setting The PIN of the card if needed Compatible smart card readers HID Global Corporation OMNIKEY 5x2x products Identive infrastructure formerly SCM Microsystems Inc SCR33x products Gemalto IDBridge products formerly GEMPC GEMPLUS Advanced Card Systems Holdings Limited ACR1281U product contact support only HID Global Corporation OMNIKEY 3x2x products Only fo...

Page 329: ...ode section, select Smart card as the User authentication. 4. The restart is required. Select Restart now. When User access mode is set to Smart card or User name and password, the system must be restarted to guarantee the data confidentiality of future incoming jobs. Do not select Restart later. Configure the smart card settings. Configure: the trusted certificates; the user access settings. Procedure: 1. Open...

Page 330: ...is used for job filtering. When this setting is activated, the FQDN of the user (user name@domain) is requested when the user logs in on the printer panel. Once logged in, the user sees only the jobs that have been submitted with the same FQDN. Example: the user user1@domain.com logs in on the printer. This user can see only the jobs that have been submitted by user1@domain.com. When this setting is not act...

Page 331: ...art card on page 180. Authentication on the user panel. Introduction: Insert the smart card into the card reader. The authentication is automatic when the smart card contains a valid user name and no password is needed. A login window is displayed when the authentication with the smart card requires a PIN. Enter the PIN in the password field. A login window is displayed when there is more than one user r...

Page 332: ... message attached to the red cross / Possible cause(s) / Actions. Error detecting readers. Possible causes: Reader not supported or reader not correctly connected. Actions: Check the connection of the smart card reader. Check that the smart card reader is supported. Failed connecting with card. Possible causes: The Smart card resource manager is not running. No smart card is inserted in the smart card reader. The smart card is not correctly inserted ...

Page 333: ...XXXXX Type: Intermediate or ROOT. 2. Check whether you find those certificates (XXXXXXXXX) in your browser, then export each certificate in your browser. 3. Configure in Océ Express WebTools the trusted certificates you just exported (see section Configure the smart card settings in topic Configure the Smart card authentication). Revocation status Server is off line. The revocation server is required b...

Page 334: ...owser, enter the URL or IP address of the printer to open Océ Express WebTools. 2. Open the Security Configuration page. Log in as a system administrator if requested. 3. In the User access mode section, select User name and password as the User authentication. 4. The restart is required. Select Restart now. When User access mode is set to Smart card or User name and password, the system must be restarted to ...

Page 335: ...sed on another attribute. LDAP search base: by default, the complete LDAP database (defaultNamingContext attribute). In case of several LDAP databases, it can be worthwhile for performance improvement to indicate another LDAP search base (Custom LDAP search base). LDAP attribute for Home folder: by default, the Home directory (for product with the Scan to Home folder feature). 7. Repeat the creation operation for...

Page 336: ...e job sent by all user1 users, if several. When logged in on the printer, user1 will have access to all jobs submitted by user1@mydomain.com, user1, user1@anydomain.net. Validate the configuration. When to do: After you configured the authentication by user name and password, validate it. Procedure: 1. Below the User access mode section, click Validate the configuration. 2. Select the domain name. 3. Enter a valid...

Page 337: ... the user is displayed in the top menu. Troubleshooting. Introduction: When an error occurs during the process of authentication by user name and password, go to the Security Configuration page and validate the configuration (see Validate the configuration on page 336). Find below the list of possible causes of errors that can occur during the validation of the configuration. Authentication by user name password errors in the validatio...

Page 338: ...ully Qualified Domain Name (FQDN). Authenticating user xxx: A local error has occurred. Additional test: Authenticate on the user panel. If the authentication fails and an Invalid credentials message is displayed, then the date and/or time set in the system is not correct. In Océ Express WebTools, correct the Current date and time in Preferences - System defaults - Regional settings. Detect search base Failed ...

Page 339: ...ove the smart card from the smart card reader. NOTE: The session is automatically closed when the time-out occurs, even if the smart card is still in the card reader. Pull the card out of the reader and insert it again to start a new session. Log out after an authentication by contactless card: On the system user panel, tap on the user name icon. Confirm the log out. Special cases: a time-out, pause or error...

Page 340: ...is put on hold. It is recommended to increase the user session time-out. The processing time for a batch of jobs is longer than the session time-out: The time-out occurs before all the jobs are processed. At least one job is printing. The user is automatically logged out. Only the jobs in Ready to print and Printing statuses are printed. All the jobs that have another status (for example Processing) are pu...

Page 341: ...er must solve the issue and then must log in to resume the queue. A Media request occurs. The following combination of settings applies: Media request time-out; Action after media request time-out. When the media is loaded, the job restarts and is printed. When the time-out occurs before the media is loaded, this job is put on hold. The user must load the media and then must log in to resume the queue. Spe...

Page 342: ... and the domain of the user logged in on the workstation are used to submit the job (including the domain when detected). If needed, log in on the workstation with the relevant user name on the relevant domain (example: user1 on domain domain.com). For a job submitted with the WPD2 driver, the user account name displayed in WPD2, in the top right part of the window, is used. Change it if needed (example: user1 ...

Page 343: ... the user access mode is enabled and you cannot access Express WebTools, you can disable it on the system panel. Disable the user authentication on the printer user panel. Procedure: 1. On the user panel, tap the upper right corner to display the menu. 2. Select Security. 3. Enter the System administrator password. The current security configuration is displayed. 4. Tap Next to go on and disable a feature. 5. Se...

Page 344: ...7. Restart the system. Result: The user authentication is disabled. Disable the user authentication 344 Chapter 6 Security on Océ ColorWave 500 and Océ ColorWave 700 ...

Page 345: ...g the installation of a new Océ System (recommended). On a running system which has already processed data. 2 encryption modes: There are 2 encryption modes. Encryption mode / Scope / Duration / Remarks. Normal: The Normal encryption encrypts the used disk space only. It is recommended for new systems at installation time, when no print/scan data has been processed on the disk. Duration: around 30 minutes. Full: The Full encr...

Page 346: ...ore the system is given back. At the system's end of life, before it is recycled. To purge the system from the system user panel: 1. In the system settings, select Security. 2. In the Current Security Configuration window, check the encryption mode and tap Next (the Next button is displayed only when an encryption mode is active). 3. In the list of actions, select Purge the System and tap Next. 4. A message Purgi...

Page 347: ...fully or not. When it is automatically deleted after a time-out (the end of the job lifetime in the Smart Inbox is reached): Keep completed jobs in the Smart Inbox is enabled, with Expiration time-out for Smart Inbox and Expiration time-out for Smart Inbox copy and scan jobs set in the job management settings of the Océ Express WebTools. When a Clear system is performed on the printer user panel. When a ...

Page 348: ...ling the e-shredding. 4. Go to the In case of errors settings. 5. Check that the Save received jobdata for Service setting is disabled. 6. On the printer user panel, make a Clear system. Enable the e-shredding. Procedure: 1. In Océ Express WebTools, open the Security Configuration page and select the E-shredding section. 2. Click Edit. 3. Check E-shredding feature to enable it. 4. Select the algorithm. 5. When you select ...

Page 349: ...ile the E-shredding feedback returns busy. In the Océ Express WebTools window, roll the mouse over the e-shredding icon to display the E-shredding busy status. Once the e-shredding data process is complete, the status comes back to E-shredding ready in the Océ Express WebTools (roll over the icon). ...

Page 350: ...e first e-shredding pass is performed immediately after the job is deleted. Subsequent passes are performed in background. When you disable the e-shredding: When you disable the e-shredding, the system: Terminates the e-shredding process for files which are being e-shredded. Will not e-shred the new deleted files. Make sure all the scan/copy/print jobs are completely e-shredded. Once a batch of scan copy ...

Page 351: ...sec enabled / IPsec disabled. Access control enabled: IP filtering and Encryption are activated. Only the stations configured with IPsec can connect to the system. No other stations can communicate with the print/scan system. The system can communicate only with the IPsec stations. Communication and data are encrypted. IP filtering is activated (no encryption). Only the stations configured for Access control in...

Page 352: ...onfigure the parameters for each required station. The parameters can be different for each different workstation: the IP address; the preshared key (keep the generic default one or set a custom one). You can define a default preshared key that will be used for all the IPsec stations connected to the print/scan system. NOTE: The following IPsec parameters cannot be changed: IKE Diffie-Hellman group 2 then ...

Page 353: ...nd Access control behaviour on page 118. 5. Enable IPsec station 1. Tip: When you enable Access control, it is recommended to declare the workstation from which you remotely configure the system, at least during the configuration time (IPsec is not needed). 6. Enter the IPsec preshared key, or keep it empty to use the default preshared key. The IPsec default preshared key setting is available at the bottom of...

Page 354: ...ntroller. Result: The IPsec settings are configured on the controller for a connection to a workstation. ...

Page 355: ...er actions and security negotiation on page 126. 5. Define the security rule on page 127. 6. Assign the security policy on page 129. 7. Customize the IPsec settings on page 130. NOTE: The procedure below shows the configuration steps on Windows Server 2008 for an Océ ColorWave 300 system. The procedure is similar on other Operating Systems (Windows Server 2003, Windows XP, Windows Vista, Windows 7) and for othe...

Page 356: ...lick Finish. The security snap-in is added; click OK. Create the security policy. Procedure: 1. In the console, right-click on IP Security Policies on local Computer and select Create IP Security Policy. 2. Click Next to open the wizard. ...

Page 357: ...le. 5. Uncheck Edit properties and click Finish. Create the filter list. Procedure: 1. In the console, right-click on IP Security Policies on local Computer and select Manage IP filter lists and filter actions. ...

Page 358: ... open the wizard. 5. Check the Mirrored checkbox and click Next. 6. Select My IP address as the Source address and click Next. 7. Select A specific IP address or subnet as Destination address and enter the IP address of the controller. ...

Page 359: ...ist is set. Define the filter actions and security negotiation. Procedure: 1. Open the Manage Filter Actions tab and click Add to open the wizard. 2. Click Next. 3. Give a name to the filter actions and click Next. ...

Page 360: ...on. 7. Configure the settings as below: Data and address integrity without encryption (AH) setting is not mandatory. 8. Click OK and Next, then Finish. Define the security rule. Procedure: 1. In the console, right-click on the IP security policy just created and select Properties to open the wizard. On Windows 7, a new window opens: check that Use Add Wizard is checked, then click on Add. ...

Page 361: ...4. As the Network type, select All network connections and click Next. 5. Select the filter previously created, then click Next. 6. Select the filter action previously created, then click Next. ...

Page 362: ...ngs in the Océ controller on page 120, then click Next. 9. Click Finish. 10. Click OK to validate the Security rule. Assign the security policy. Procedure: 1. In the console, right-click on the security policy just created and select Assign. The configuration is activated on the IPsec station (workstation). ...

Page 363: ...irewall Advanced settings to open the Windows Firewall with Advanced Security window. 2. In the Actions section on the right-hand side, click on Windows Firewall with Advanced Security on Local Computer to expand the menu. 3. Select Properties. 4. In the IPsec Settings tab, click on the Customize button of the IPsec defaults. ...

Page 364: ... 550 and Océ ColorWave 500, 550, 650, 650R3, 700: Remove your workstation from the IPsec Access control configuration when it must not remain in the list of connected stations. For all other printers: When the test works properly, it is recommended to disable the Failsafe mode on the printer/scanner controller, so that only the IPsec station is allowed to communicate with the printer/scanner system. ...

Page 365: ...nreachable. Then use the emergency procedure to disable IPsec and Access control via the printer user panel. Disable Access control on the printer user panel. Procedure: 1. On the user panel, tap the upper right corner to display the menu. 2. Select Security. 3. Enter the System administrator or Power user password. 4. A wizard is displayed. Follow the instructions. 5. Confirm to disable access control. Troublesh...

Page 366: ... control and IPsec functions are disabled. After the restart, you will be able to remotely open Océ Express WebTools from any workstation (HTTP). ...

Page 367: ...of the configuration settings accessed through Océ Express WebTools between the client and the controller. It can be easily used. This self-signed certificate has not been signed by a Certification Authority; consequently, the web browser will display a Certificate Error message the first time you use the HTTPS protocol. The CA-signed certificate is delivered by a Certification Authority. To ensure a fu...

Page 368: ...uthority. The Common Name in the certificate does not match the printer hostname or IP Address you typed in the address bar. 2. In order to view and check the self-signed certificate, continue to the website. 3. Click on Certificate error. 4. Click View certificates. 5. The certificate is issued to Océ Express WebTools by Océ Express WebTools. 6. Click Install Certificate. 7. Follow the Wizard's instructions to ...

Page 369: ...er. 2. Accept the warning. 3. Finish the installation. When the import is successful, the Océ Express WebTools Certificate is recognised and its status is OK. ...

Page 370: ...bar. Océ self-signed certificate guarantees: The identity of the remote computer (controller). The encryption of the print data on the network. Use the Océ self-signed certificate with Mozilla Firefox. Procedure: 1. On a workstation, type the URL address of your printer in Mozilla Firefox: https://<common Name or PrinterHostname or PrinterIPaddress>. A warning window opens. It displays 2 errors: The certificate is ...

Page 371: ...n Unit (OU): WFPS. 6. The certificate is issued to Océ Express WebTools by Océ Express WebTools, so you can confirm the security exception (permanent or temporary exception). 7. A security warning window may pop up. Click Yes to continue. Result: The Océ Express WebTools software opens. You can check in the status bar at the bottom of the window that the padlock is displayed. In the navigation bar, the Océ certifi...

Page 372: ...e still using HTTPS, follow these 2 procedures step by step. Overall procedure to prepare and generate the CA-signed certificate request. Step / Description. A1: Back up the current certificate and private key, if any. The current certificate can be: the original Océ self-signed certificate (embedded); a CA-signed certificate delivered by a Certification Authority you previously installed. See Back up a certifi...

Page 373: ...rowser on each workstation. See Check and import the root certificate on page 229. B5: Back up the certificate and private key. Back up and store the certificate and the private key. Note: It is highly recommended to back up the CA-signed certificate and the private key since they are not saved in any system backup. See Back up a certificate and private key on page 226. Other procedures: Procedure / When t...

Page 374: ...rtificate. Pre-requisites: Back up the current Certificate and Private key already installed on the controller (see Back up a certificate and private key on page 226). Generate a certificate request. NOTE: Step A2 of the HTTPS Description of the overall procedure on page 225. Procedure: 1. In a web browser, open Océ Express WebTools (https://<IP address or hostname>). 2. On the Security HTTPS, select Generate a certi...

Page 375: ...t.csr by default. 2. Send the content of this request to the Certification Authority. Import a CA-signed certificate into the controller and workstations. Introduction (overall procedure): 1. Import the CA-signed certificate into the controller: Import the Root certificate. Import the Intermediate certificate. Import the CA certificate. 2. Import the Root certificate into the workstations' web browser: Import th...

Page 376: ...e successfully imported pops up, restart the controller. Result: The certificate is now installed on the server. Check and import, if needed, the CA Root certificate also into the workstations' web browser. That will secure the complete data workflow between the workstations and the server. Check and import the Root certificate into the workstations' browser. When to do. NOTE: Step B4 of the HTTPS Descr...

Page 377: ... the original self-signed certificate (that requests a preliminary back up of the original self-signed certificate). See Back up a certificate and private key on page 226. Each Reset certificate action generates a new self-signed certificate with a new private and public key. So each time you reset the certificate, you must import the new certificate into the web browser. Reset the certificate. Procedure: ...

Page 378: ...e values are correct in Océ Express WebTools (Configuration - System defaults). Refer to Configure the user authentication by user name and password on page 334 for the detailed procedure. It is recommended that the System Administrator validates this new configuration by clicking Validate this configuration in Security Configuration (see Validate the configuration on page 336). Scan to the Home folder: The...

Page 379: ...roubleshooting: When an error occurs during the process of authentication by user name and password, follow the procedures below to test and troubleshoot. Use the validation tool to validate the configuration. See Validate the configuration on page 189. Apply the corrective actions when needed. See Troubleshooting on page 190. In case the home folder is not accessible: Use the validation tool and check in ...

Page 380: ...nfiguration External locations page. 3. Log in as a System administrator or Power user. 4. Edit the USB type. 5. In the Enabled functionalities drop-down list, select: None, to disable print from and scan to capabilities; Print from only, to enable to print from USB and disable Scan to USB capability; Scan to only, to enable to scan to USB and disable Print from USB capability. Note: Select Print from and scan t...

Page 381: ...When disabled, the job submission capability through Express WebTools is completely deactivated. The remote actions on jobs to the Operator (Restrict remote actions on jobs to the Key Operator): When enabled, all remote actions on jobs in the queue are restricted to the Key Operator or Power user only. The display of Smart Inboxes in Océ Express WebTools: When enabled, all users of Express WebTools can se...


Page 383: ...Chapter 7 Security on Océ ColorWave 810, Océ ColorWave 900 and Océ ColorWave 910 ...

Page 384: ...bits. Firewall: Yes. Network protocols protection: Yes, per protocol, through firewall. MS security patches: Océ-released patches. Security logging: Auditing of security-related events. Data encryption on the network: HTTPS for administration (Océ Express WebTools) and for job submission through Océ Publisher Express. Password protection: Yes, for User settings, Administration settings, Océ Publisher Express access ...

Page 385: ...ng: TCP 515 (LPR). FTP printing: TCP 21 (FTP), TCP 4242 for data channel in FTP passive mode. Notes: Océ back-channel is an Océ proprietary protocol used to retrieve information from the printer (status, media loaded) and to display it in the application or driver. Control management: INBOUND and OUTBOUND ports and protocols used by the system. Application / Functionality / INBOUND ports on the controller (protocol) / O...

Page 386: ...P 443 HTTPS, TCP web proxy port 1, NetBios over TCP/IP (UDP 137, TCP 139, 445, UDP 138), WAVE TCP 80 HTTP, OBIS TCP 80 HTTP for back-channel Océ Publisher Select. Additional built-in Windows firewall rules. Inbound rules: Core Networking - Dynamic Host Configuration Protocol (DHCP-In). Outbound rules: Core Networking - DNS (UDP-Out); Core Networking - Dynamic Host Configuration Protocol (DHCP-Out). Applications, protocols and...

Page 387: ...e technician installs the patches, make sure the System Administrator allows him to do it in Security Configuration. Install a patch. Procedure: 1. Open Océ Express WebTools. 2. Open the Support tab. 3. Select Update. The authentication window opens. 4. Log in as the System administrator or Power user. The latest patch successfully applied (when any) is displayed. 5. Click on the Install icon (top right corner of t...

Page 388: ... OK. 7. Browse to the Océ Remote patch and click OK to install it. 8. Click OK to confirm the update. ...

Page 389: ...ith Océ Publisher Select (HTTP; Enable/Disable): Used only for Océ Publisher Select backchannel. Océ Express WebTools via HTTP (HTTP; Enable/Disable): For Océ Express WebTools and Publisher Express. HTTP inbound (HTTP): There is no specific setting to disable the HTTP protocol. Inbound HTTP is enabled as long as at least one of the following services is enabled: Océ Wave interface; Allow interaction with Océ P...

Page 390: ...section of the Océ Express WebTools and uncheck the protocol or service. To disable the connection to Remote Service, go to Preferences - System defaults - Service related information. ...

Page 391: ...tion / Action / Detail. 1: Support - Remote Service - Remote assistance. Stop the Remote assistance if it is activated. Click Stop remote assistance until it changes into Allow remote assistance. The two blinking arrows on the right side disappear. 2: Preferences - System Defaults - Service related information. Disable Remote Service. Set Remote Service connection to Disabled. 6: Support - About - Shut down. Restart the ...

Page 392: ...any infected file present on the USB device plugged on the USB port is not possible. Read from/write to USB device protection: Protection of the USB READ operation when restoring a controller configuration from the Local User Interface: In that case, any file infected by a virus appears as an invalid backup file. The controller software detects it and rejects the restore operation. Any print file infect...

Page 393: ...technician to reset passwords. On the Security Configuration page, the System administrator and the Power User define whether they allow the Service technician to: Perform the software reinstallation using the USB installation key. Install an update or a patch on the system. Passwords policy in the Océ ColorWave 810 and ColorWave 910 systems. Passwords used in Océ Express WebTools: In Océ Express WebTool...

Page 394: ...by Proxy authentication for Remote Service: System administrator or Power user. ...

Page 395: ...etwork settings (IP address, Subnet mask, DNS, Gateway, DHCP). Network services enable/disable settings. Changes of passwords used to protect security-related settings (Key operator, System administrator, Power user, Service). Timezone. Remote service online connection enabled/disabled. Allow Service Technician to reset passwords on/off. Save retrieved job data for service on/off. HTTPS settings (change of certifica...

Page 396: ... configuration settings accessed through Océ Express WebTools between the client and the controller. It can be easily used. This self-signed certificate has not been signed by a Certification Authority; consequently, the web browser will display a Certificate Error message the first time you use the HTTPS protocol. The CA-signed certificate is delivered by a Certification Authority. To ensure a fully tr...

Page 397: ...a trusted certificate authority. The Common Name in the certificate does not match the printer hostname or IP Address you typed in the address bar. 2. In order to view and check the self-signed certificate, continue to the website. 3. Click on Certificate error. 4. Click View certificates. 5. The certificate is issued to Océ Express WebTools by Océ Express WebTools. 6. Click Install Certificate. 7. Follow the Wi...

Page 398: ...pt the warning. 3. Finish the installation. When the import is successful, the Océ Express WebTools Certificate is recognised and its status is OK. ...

Page 399: ...elf-signed certificate guarantees: The identity of the remote computer (controller). The encryption of the print data on the network. Use the Océ self-signed certificate with Mozilla Firefox. Procedure: 1. On a workstation, type the URL address of your printer in Mozilla Firefox: https://<common Name or PrinterHostname or PrinterIPaddress>. A warning window opens. It displays 2 errors: The certificate is not trust...

Page 400: ... WFPS. 6. The certificate is issued to Océ Express WebTools by Océ Express WebTools, so you can confirm the security exception (permanent or temporary exception). 7. A security warning window may pop up. Click Yes to continue. Result: The Océ Express WebTools software opens. You can check in the status bar at the bottom of the window that the padlock is displayed. In the navigation bar, the Océ certificate is r...

Page 401: ...sing HTTPS, follow these 2 procedures step by step. Overall procedure to prepare and generate the CA-signed certificate request. Step / Description. A1: Back up the current certificate and private key, if any. The current certificate can be: the original Océ self-signed certificate (embedded); a CA-signed certificate delivered by a Certification Authority you previously installed. See Back up a certificate and ...

Page 402: ... each workstation. See Check and import the root certificate on page 229. B5: Back up the certificate and private key. Back up and store the certificate and the private key. Note: It is highly recommended to back up the CA-signed certificate and the private key since they are not saved in any system backup. See Back up a certificate and private key on page 226. Other procedures: Procedure / When to do. Rest...

Page 403: ... Pre-requisites: Back up the current Certificate and Private key already installed on the controller (see Back up a certificate and private key on page 226). Generate a certificate request. NOTE: Step A2 of the HTTPS Description of the overall procedure on page 225. Procedure: 1. In a web browser, open Océ Express WebTools (https://<IP address or hostname>). 2. On the Security HTTPS, select Generate a certificate re...

Page 404: ...default. 2. Send the content of this request to the Certification Authority. Import a CA-signed certificate into the controller and workstations. Introduction (overall procedure): 1. Import the CA-signed certificate into the controller: Import the Root certificate. Import the Intermediate certificate. Import the CA certificate. 2. Import the Root certificate into the workstations' web browser: Import the Root ce...

Page 405: ...fully imported pops up, restart the controller. Result: The certificate is now installed on the server. Check and import, if needed, the CA Root certificate also into the workstations' web browser. That will secure the complete data workflow between the workstations and the server. Check and import the Root certificate into the workstations' browser. When to do. NOTE: Step B4 of the HTTPS Description of...

Page 406: ...inal self-signed certificate (that requests a preliminary back up of the original self-signed certificate). See Back up a certificate and private key on page 226. Each Reset certificate action generates a new self-signed certificate with a new private and public key. So each time you reset the certificate, you must import the new certificate into the web browser. Reset the certificate. Procedure: 1. In a we...

Page 407: ...51 Workstation configuration 44 45 46 48 49 51 122 123 124 126 127 129 208 209 210 212 213 215 256 257 258 260 261 263 355 356 357 359 360 362 O Océ Remote Patch 26 69 102 154 241 272 306 387 Océ security policy 10 OS and software protection Linux Océ ColorWave 600 PP 246 OS and software protection Linux WES2009 Océ ColorWave 650 246 P Password LUI passwords 35 Restore 35 36 248 280 Password Backu...

Page 408: ...2 U USB direct print Disabled 56 145 233 266 297 380 User authentication 166 318 Contactless card 182 Smart card 176 328 Troubleshooting 195 342 User name password 187 334 Workflow 172 324 W Wizard Security 28 Index 408 ...


Page 410: ...da Inc. www.canon.ca; Canon Europe Ltd www.canon-europe.com; Canon Latin America Inc. www.cla.canon.com; Canon Australia PTY Ltd www.canon.com.au; Canon China Co. Ltd www.canon.com.cn; Canon Singapore PTE Ltd www.canon.com.sg; Canon Hongkong Co. Ltd www.canon.com.hk. Océ 2012-2017 ...
