Administration guide


Administration guide
PlotWave - ColorWave Systems
Security information

Copyright 2014, Océ

All rights reserved. No part of this work may be reproduced, copied, adapted, or transmitted in any form or by any means without written permission from Océ. Océ makes no representation or warranties with respect to the contents hereof and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose. Further, Océ reserves the right to revise this publication and to make changes from time to time in the content hereof without obligation to notify any person of such revision or changes.

Edition GB

Trademarks

Océ, and its wide-format printing systems are registered trademarks of Océ.
Microsoft, Windows, Windows XP, Windows XP embedded, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 8, Windows Server 2012, Windows Embedded Standard 2009 are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Linux is a registered trademark of Linus Torvalds.
McAfee is a registered trademark or trademark of McAfee, Inc. or its subsidiaries in the United States and other countries.
Symantec and Norton are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
Products in this publication are referred to by their general trade names. In most, if not all cases, these designations are claimed as trademarks or registered trademarks of their respective companies.


Contents

Chapter 1 Océ Security policy
  The Océ Security policy
  Downloads and support for your product
  Overview of the security features available per Océ System

Chapter 2 Security on Océ PlotWave 300/350, PlotWave 750, PlotWave 900 and ColorWave
  Security on Océ PlotWave 300/350, PlotWave 900 R1.x and ColorWave
    Overview
    Security overview for the Océ PlotWave 300, the Océ PlotWave 350, the Océ PlotWave 900 R1.x and the Océ ColorWave 300 systems
    System and Network security
    Ports - Protocols
    Security Patches
    Security levels
    Prevent any outgoing connection to the Internet
    Security of the USB connection (Océ PlotWave 300/350, Océ ColorWave 300)
    Antivirus
    Roles and Passwords
    Data Security
    E-Shredding
    IPsec (on Océ PlotWave 300/350, Océ PlotWave and higher 1.x, Océ ColorWave 300)
    Prevent USB Direct Print and Scan to USB (Océ PlotWave 300/350, Océ ColorWave 300)
    HTTPS with Océ PlotWave 900 R1.x
    Smart Inbox management
  Security on Océ PlotWave 750 and Océ PlotWave 900 R2.x
    Overview
    Security overview for the Océ PlotWave 750 and the Océ PlotWave 900 R2.x systems
    System and Network security
    Ports - Protocols
    Security Patches
    Security levels
    Prevent any outgoing connection to the Internet
    Antivirus
    Roles and Passwords
    Audit log
    Data Security
    E-Shredding
    IPsec
    HTTPS (on Océ PlotWave 750 and PlotWave 900 R2.x)
    Smart Inbox management and job management

Chapter 3 Security on Océ PlotWave 500 and PlotWave 340/
    Overview
    Security overview for the Océ PlotWave 500 and PlotWave 340/360 systems
    System and Network security
    Ports - Protocols
    Applications, protocols and ports used in the Océ PlotWave 500 and PlotWave 340/360 systems
    Security Patches
    Install the Océ Remote patch
    Protocol protection
    Network protocols protection
    Prevent any outgoing connection to the Internet
    Security of the USB connection
    The USB connection on the printer user interface
    Antivirus
    Roles and Passwords
    Roles and profiles
    Passwords policy and behaviour in the Océ PlotWave 500 and PlotWave 340/360 systems
    Access control
    Audit log
    Data security
    E-Shredding in Océ PlotWave 500 and PlotWave 340/360 systems
    E-shredding presentation
    Enable the e-shredding in Océ Express WebTools
    E-shredding process and system behaviour
    IPsec
    IPsec presentation
    Configure the IPsec settings in the Océ controller
    Configure the IPsec settings on a workstation or a print server
    Troubleshooting: Disable 'Access control' and IPsec (Océ PlotWave 500 and PlotWave 340/360 systems)
    HTTPS (for Océ PlotWave 500 and PlotWave 340/360)
    Encrypt print data and manage the system configuration using HTTPS
    Request and import a CA-signed certificate
    Prevent 'Print from USB' and/or 'Scan to USB' on Océ PlotWave 500 and PlotWave 340/
    How to prevent 'Print from USB' and/or 'Scan to USB'
    Smart Inbox management and job management

Chapter 4 Security on Océ ColorWave 550/600/650 (and Poster Printer)
  Security on Océ ColorWave 550, ColorWave 600 (Poster Printer), ColorWave 650 R2.x (Poster Printer)
    Overview
    Security overview for the Océ ColorWave 600/650 (Poster Printer) and the Océ ColorWave 550 systems
    System and Network security
    Ports - Protocols
    Security Patches
    Protocol protection
    Prevent any outgoing connection to the Internet
    Security of the USB connection
    Operating System and software protection
    Roles and Passwords
    Access control
    Data Security
    E-Shredding on Océ ColorWave 600 and Océ ColorWave 650 (PP) and Océ ColorWave
    IPsec on Océ ColorWave 550 v2.3.1 and higher and Océ ColorWave 650 (PP) v2.3.1 and higher
    How to prevent 'Print from USB' on Océ ColorWave 550/650 (and PP)
    Smart Inbox management and job management
  Security on Océ ColorWave 650 R3.x
    Overview
    Security overview for the Océ ColorWave 650 R3.x system
    System and Network security
    Ports - Protocols
    Security Patches
    Protocol protection
    Prevent any outgoing connection to the Internet
    Security of the USB connection
    Antivirus
    Roles and Passwords
    Access control
    Audit log
    Data security
    E-Shredding
    IPsec
    HTTPS (on Océ ColorWave 650 R3.x)
    How to prevent 'Print from USB' on Océ ColorWave 550/650 (and PP)
    Smart Inbox management and job management

Index

Chapter 1 Océ Security policy

The Océ Security policy

Definition

At Océ, security is an integral part of system development, and the company is taking a proactive approach to the improvement of security-related issues. Océ is working to address security requirements across all of its digital document systems.

For its printing systems connected to the network, Océ strives to ensure the:
- Security of the system on the network
- Security of the data sent to the printers, with a focus on protecting sensitive documents from being captured by unauthorised persons
- Security of the configuration and data on the controller

NOTE: See the Table of the security features on page 13 to get an overview of the security features available per Océ system.

System security and security on the network

Faced with system vulnerabilities, viruses and worms, and in order to maximise the protection of the Océ print systems from hackers and networking attacks, Océ has reinforced the security of the Océ systems by:
- Introducing the Océ Security levels to offer network security protection against virus / worm attacks or system vulnerabilities (on Windows Operating Systems). Once the Security Interface is activated, you can define the level of security according to your system needs. Notice that the higher the level of security you set, the fewer printing and scanning functionalities you get.
- Implementing network protocols protection features (by use of the Océ Security levels filtering or by configuring each network protocol for firewall filtering)
- Protecting the system roles and passwords. The main network and system settings are protected against change. Only authorised users can configure or change these settings
- Regularly checking the relevance of Microsoft flaws and delivering security patches whenever it is necessary.
- Providing an OS and software protection mechanism. The internal system software is protected against alteration
- Making the USB connection secure (on systems with USB slot)
- Restricting the access to the printer to allowed stations only
- Allowing the installation of an Antivirus software on the Océ system controller
- Being compliant with IPv6 and then benefiting from IPv6 secured assets

NOTE: The availability of the security features depends on the products. See the Overview of the security features available per Océ System on page 13.

Data security on the network

To ensure the security of the print data sent on the network, Océ has implemented:
- The HTTPS (HTTP over SSL) protocol to encrypt the configuration management data, submitted print data and saved scan data: Find all information about Use the Océ self-signed certificate with Internet Explorer on page
- The e-shredding feature to overwrite any user data (print/copy/scan) when it is deleted from the system. This feature prevents the recovery of any deleted user data.
- The IPsec configuration, that provides authentication, data confidentiality and integrity in the network communication between devices. A strong mechanism of encryption guarantees the confidentiality of the user print and scan data on the network.
- The Smart Inbox and Job protection by:
  - Limiting and restricting the access to the print and scan job data with the Smart Inbox management capability
  - Managing the visibility of jobs and their availability through job submission tools with the job management settings

Downloads and support for your product

Downloads
User guides, printer drivers and other resources can change without prior notice. To stay up-to-date, you are advised to download the latest resources from:
Before you use your product, you must always download the latest safety information for your product: make sure that you read and understand all safety information in the manual entitled 'Safety Guide'.

Support
For support information please contact your Canon local representative. Find your local contact for support from:

Overview of the security features available per Océ System

Security features in the Océ PlotWave and Océ ColorWave 300 systems

Systems: Océ PlotWave 300 Océ PlotWave 350 Océ PlotWave 900 R1.x Océ ColorWave 300 Océ PlotWave 340 Océ PlotWave 360 Océ PlotWave 500 Océ PlotWave 750 Océ PlotWave 900 R2.x
Operating System: Windows Embedded Standard 2009 or Windows XP embedded SP3 See Security overview on page 18 Windows Embedded Standard 7 SP1
Firewall: Yes Yes Yes
MS Security flaws / Security patches Network protocols protection OS and software integrity mechanism Antivirus: Yes Yes Yes Océ Security levels - 3 levels Yes. Protection configurable per protocol Compatible with 2 antivirus brands Compatible with 2 antivirus brands Windows Embedded Standard 7 SP1 Océ Security levels - 4 levels Compatible with 2 antivirus brands
IPv6: Yes (IPV6 and IPV4 combination) Yes (IPv6 only or IPv6 and IPv4 combination) Yes (IPv6 only or IPv6 and IPv4 combination)
SMB authentication: NTLMV1 NTLMV2 NTLMV2
Feature to encrypt data on the network: IPsec for: Océ PlotWave 300 Océ PlotWave 350 Océ PlotWave and higher Océ ColorWave 300 HTTPS for: Océ PlotWave IPsec - HTTPS - IPsec - HTTPS
Password protection: Yes for: - User settings - Administration settings - Settings on the printer user panel Yes for: - User settings - Administration settings - Settings on the printer user panel Yes for: - User settings - Administration settings - Settings on the printer user panel
Data overwrite: E-shredding E-shredding E-shredding
Access control: - IP filtering -
Smart Inbox management: - Smart Inbox restriction - Remote view restriction (except Océ PlotWave 900) - Smart Inbox capability can be disabled - Remote view restriction - Smart Inbox capability can be disabled - Remote view restriction
Océ Publisher Express access: - Access restriction Access restriction
Actions on jobs: - Remote action restriction Remote action restriction

Security features in the Océ ColorWave systems (except Océ ColorWave 300)

Operating System: Océ ColorWave 600 (PP) Océ ColorWave 650 R2.x Océ ColorWave 650 PP Océ ColorWave 550 Linux and WES 2009 for: - Océ ColorWave 650 (multifunctional) - Océ ColorWave 550 (multifunctional) Linux for: - Océ ColorWave 650 (printer only) - Océ ColorWave 550 (printer only) - Océ ColorWave 600 (PP) - Océ ColorWave 650 PP Océ ColorWave 650 R3.x Windows Embedded Standard 7 SP1
Firewall: Yes Yes
MS Security flaws / Security patches Network protocols protection: Yes for Océ ColorWave 650 / 550 (multifunctional) N/A for Océ ColorWave 600 (PP), ColorWave 650 PP, Océ ColorWave 650 (printer only) and Océ ColorWave 550 (printer only) Yes. Protection configurable per protocol Yes Yes. Protection configurable per protocol
OS and software integrity mechanism: Yes -
Antivirus: - Compatible with 2 antivirus brands
IPv6: Yes (IPv6 only or IPv6 and IPv4 combination) Yes (IPv6 only or IPv6 and IPv4 combination)
SMB authentication: NTLMV1 NTLMV2 or NTLMV1 (can be set in Océ Express WebTools)
Feature to encrypt data on the network: IPsec for: Océ ColorWave 550 v2.3.1 and higher Océ ColorWave 650 v2.3.1 and higher Océ ColorWave 650 PP v2.3.1 and higher - IPsec - HTTPS
Password protection: Yes for: - User settings - Administration settings - Settings on the printer user panel Yes for: - User settings - Administration settings - Settings on the printer user panel
Data overwrite Access control: E-shredding for: Océ ColorWave and higher Océ ColorWave 650 PP 2.1 and higher Océ ColorWave and higher Océ ColorWave 600 PP and higher Océ ColorWave and higher Access restriction to the printer for: Océ ColorWave 550 v2.3.1 and higher Océ ColorWave 650 v2.3.1 and higher Océ ColorWave 650 PP v2.3.1 and higher E-shredding IP filtering
Smart Inbox management Océ Publisher Express access: - - Smart Inbox capability can be disabled - Remote view restriction - Access restriction
Actions on jobs: Remote action restriction Remote action restriction

Chapter 2 Security on Océ PlotWave 300/350, PlotWave 750, PlotWave 900 and ColorWave 300

Security on Océ PlotWave 300/350, PlotWave 900 R1.x and ColorWave 300

Overview

Security overview for the Océ PlotWave 300, the Océ PlotWave 350, the Océ PlotWave 900 R1.x and the Océ ColorWave 300 systems

Introduction
The Océ PlotWave 300, the Océ PlotWave 350, the Océ PlotWave 900 R1.x and Océ ColorWave 300 are equipped with the following security features:

Security overview
Operating System:
- Windows XP Service Pack 3 for all versions of Océ PlotWave 300, Océ PlotWave 350, and Océ ColorWave 300 prior to R1.5 and Océ PlotWave 900 R1.x
- Windows Embedded Standard 2009 for Océ PlotWave 300 R1.5, Océ PlotWave 350 R1.5, Océ ColorWave 300 R1.5 and higher versions
Firewall: Yes
Network protocols protection: 3 Océ Security Levels
MS Security patches: Océ released patches
Antivirus: Compatible with 2 Antivirus brands
IPV6: Yes
Data encryption on the network:
- IPsec for Océ PlotWave 300, Océ PlotWave 350, Océ PlotWave 900 from R1.2, and Océ ColorWave
- HTTPS for Océ PlotWave 900
Data overwrite: E-shredding
Password protection: Yes for:
- User settings
- Administration settings
- Settings on the printer user panel*
* Except on Océ PlotWave 900 R

System and Network security

Ports - Protocols

Applications, protocols and ports used in the Océ PlotWave 300, the Océ PlotWave 350, the Océ PlotWave 900 R1.x and Océ ColorWave 300 systems

Printing applications: security levels, ports and protocols used by the Océ systems

Each entry lists: Application / Functionality; System; Supported security levels (x) and open port, in the column order N*, M*, H*; Port used on the controller: protocol.

Océ Wide-format Printer Driver for Microsoft Windows (WPD or WPD2)
  System: Océ PlotWave 300/PlotWave 350/PlotWave 900 R1.x, Océ ColorWave 300
  Supported security levels (x) and open port: x TCP 515 TCP TCP 80 UDP 515; x (1) TCP 515 TCP TCP 80; x (2) TCP 515
  Port used on the controller: TCP 515: LPR; TCP 65200: Océ back-channel (**); TCP 80: HTTP (for advanced accounting); UDP 515: Océ protocol (for printer discovery)

Océ Adobe PostScript 3 driver
  System: Océ PlotWave 300/PlotWave 350/PlotWave 900 R1.x, Océ ColorWave 300
  Supported security levels (x) and open port: x TCP 515; x TCP 515; x TCP 515
  Port used on the controller: TCP 515: LPR

Océ Publisher Express
  System: Océ PlotWave 300/PlotWave 350/PlotWave 900 R1.x, Océ ColorWave 300
  Supported security levels (x) and open port: x TCP 80; x TCP 80
  Port used on the controller: TCP 80: HTTP

Océ Publisher Express over SSL
  System: Océ PlotWave 900
  Supported security levels (x) and open port: x TCP 443; x TCP 443; x TCP 443
  Port used on the controller: TCP 443: HTTPS

Océ Publisher Select
  System: Océ PlotWave 300/PlotWave 350/PlotWave 900 R1.x, Océ ColorWave 300
  Supported security levels (x) and open port: x TCP 515 TCP TCP 80 UDP 515; x TCP 515 TCP TCP 80
  Port used on the controller: TCP 80: HTTP; TCP 65200: Océ back-channel (**); TCP 515: LPR; UDP 515: Océ protocol (for printer discovery)

Océ Publisher Mobile
  System: Océ PlotWave 300/PlotWave 350/PlotWave 900 R1.x, Océ ColorWave 300
  Supported security levels (x) and open port: x TCP 515 TCP 4242 ICMP UDP 515 TCP 21 (4)
  Port used on the controller: TCP 515: LPR (3); TCP 21: FTP (4); TCP 4242: FTP passive mode (6); ICMP: ping; UDP 515: Océ protocol (for printer discovery)

Océ Mobile WebTools
  System: Océ PlotWave 350, Océ PlotWave 900 R1.2 and higher
  Supported security levels (x) and open port: x TCP 80; x TCP 80
  Port used on the controller: TCP 80: HTTP

Océ ReproDesk Studio
  System: Océ PlotWave 300/PlotWave 350/PlotWave 900 R1.x, Océ ColorWave 300
  Supported security levels (x) and open port: x TCP 515 TCP; x TCP 515 TCP
  Port used on the controller: TCP 515: LPR; TCP 65200: Océ back-channel (**)

Novell NDPS printing
  System: Océ PlotWave 300/PlotWave 350/PlotWave 900 R1.x, Océ ColorWave 300
  Supported security levels (x) and open port: x TCP 515; x TCP 515; x TCP 515
  Port used on the controller: TCP 515: LPR

LPR printing (command line)
  System: Océ PlotWave 300/PlotWave 350/PlotWave 900 R1.x, Océ ColorWave 300
  Supported security levels (x) and open port: x TCP 515; x TCP 515; x TCP 515
  Port used on the controller: TCP 515: LPR

FTP printing
  System: Océ PlotWave 300/PlotWave 350/PlotWave 900 R1.x, Océ ColorWave 300
  Supported security levels (x) and open port: x TCP 21 TCP 4242; x (5) TCP 21
  Port used on the controller: TCP 21: FTP; TCP 4242: FTP (6)

Notes:
* Levels: N: Normal - M: Medium - H: High
(**) Océ back-channel is an Océ proprietary protocol used to retrieve information from the printer (status, media loaded...) and to display it in the application or driver.
(1) LPR printing with back-channel and advanced accounting
(2) LPR printing. No back-channel. No advanced accounting
(3) Océ Publisher Mobile v 2.2 and later for Android, and for Océ Publisher Mobile v 2.3 and later for iOS
(4) Only for Océ Publisher Mobile v 2.0 to v 2.2 for iOS
(5) FTP active mode only
(6) Data channel for FTP passive mode

Scanning / copying applications: security levels, ports and protocols used by the Océ systems

Each entry lists: Application / Functionality; System; Supported security levels (x) and open port, in the column order N*, M*, H*; Port used on the controller: protocol.

Scan to File Remote SMB, Scan to File Remote FTP
  System: Océ PlotWave 300/PlotWave 350, Océ ColorWave 300; Océ PlotWave 900 R1.x; Océ PlotWave 300/PlotWave 350/PlotWave 900 R1.x, Océ ColorWave 300
  Supported security levels (x) and open port: x - x x x - x x (1) x (1) -

Scan data retrieval by FTP
  System: Océ PlotWave 300/PlotWave 350/PlotWave 900 R1.x, Océ ColorWave 300
  Supported security levels (x) and open port: x TCP 21 TCP 4242; x (2) TCP 21
  Port used on the controller: TCP 21: FTP; TCP 4242: FTP (3)

Scan data retrieval from Smart Inbox (Scans)
  System: Océ PlotWave 300/PlotWave 350/PlotWave 900 R1.x, Océ ColorWave 300
  Supported security levels (x) and open port: x TCP 80; x TCP 80
  Port used on the controller: TCP 80: HTTP

Scan data retrieval from Smart Inbox (Scans) over SSL
  System: Océ PlotWave 900 R1.x
  Supported security levels (x) and open port: x TCP 443; x TCP 443; x TCP 443
  Port used on the controller: TCP 443: HTTPS

Océ Matrix Logic
  System: Océ PlotWave 900 R1.x
  Supported security levels (x) and open port: x TCP 80 TCP 443; x TCP 80 TCP 443; x TCP 443
  Port used on the controller: TCP 80: HTTP; TCP 443: HTTPS

Notes:
* Levels: N: Normal - M: Medium - H: High
(1) FTP passive mode only: the FTP server on the remote workstation must support FTP passive mode
(2) FTP active mode only
(3) Data channel for FTP passive mode

Control management: security levels, ports and protocols used by the Océ systems

PING
  System: Océ PlotWave 300/PlotWave 350/PlotWave 900 R1.x, Océ ColorWave 300
  Supported security levels (x) and open port: x; x; x
  Port used on the controller: ICMP

SNMP based applications
  System: Océ PlotWave 300/PlotWave 350/PlotWave 900 R1.x, Océ ColorWave 300
  Supported security levels (x) and open port: x UDP 161
  Port used on the controller: UDP 161: SNMP

WSD
  System: Océ PlotWave 350
  Supported security levels (x) and open port: x TCP 80 UDP 3702; x TCP 80 UDP 3702; x TCP 80 UDP 3702
  Port used on the controller: TCP 80: HTTP; UDP 3702: WSD discovery

Océ Express WebTools
  System: Océ PlotWave 300/PlotWave 350/PlotWave 900 R1.x, Océ ColorWave 300
  Supported security levels (x) and open port: x TCP 80; x TCP 80
  Port used on the controller: TCP 80: HTTP

Océ Express WebTools over SSL
  System: Océ PlotWave 900 R1.x
  Supported security levels (x) and open port: x TCP 443; x TCP 443; x TCP 443
  Port used on the controller: TCP 443: HTTPS

Name resolution (**)
  System: Océ PlotWave 300/PlotWave 350, Océ ColorWave 300; Océ PlotWave 900 R1.x
  Supported security levels (x) and open port: x x x x
  Port used on the controller: Outgoing connection:
  - local port (on controller): UDP(/TCP) <dynamic value>
  - remote port (on DNS server): UDP(/TCP) 53

DHCP
  System: Océ PlotWave 300/PlotWave 350/PlotWave 900 R1.x, Océ ColorWave 300
  Supported security levels (x) and open port: x; x; x
  Port used on the controller: Outgoing connection:
  - local port (on controller): UDP 68
  - remote port (on DNS server): UDP 67

Océ Account Center Advanced accounting (WPD)
  System: Océ PlotWave 300/PlotWave 350/PlotWave 900 R1.x, Océ ColorWave 300
  Supported security levels (x) and open port: x TCP 80; x TCP 80
  Port used on the controller: TCP 80: HTTP

Accounting information retrieval by FTP
  System: Océ PlotWave 300/PlotWave 350/PlotWave 900 R1.x, Océ ColorWave 300
  Supported security levels (x) and open port: x TCP 21 TCP 4242; x (1) TCP 21
  Port used on the controller: TCP 21: FTP; TCP 4242: FTP (2)

Browse Océ systems on the network with Windows network neighbourhood
  System: Océ PlotWave 300/PlotWave 350/PlotWave 900 R1.x, Océ ColorWave 300
  Supported security levels (x) and open port: x UDP 137
  Port used on the controller: UDP 137: NetBios over TCP/IP

Océ Service Logic
  System: Océ PlotWave 300/PlotWave 350/PlotWave 900 R1.x, Océ ColorWave 300
  Supported security levels (x) and open port: x TCP 21 TCP 4242; x (1) TCP 21
  Port used on the controller: TCP 21: FTP; TCP 4242: FTP (2)

IPsec
  System: Océ PlotWave 300/PlotWave 350, Océ ColorWave 300; Océ PlotWave 900 R1.2 and higher
  Supported security levels (x), open port and port used on the controller: x UDP 500 UDP 4500 UDP 500 UDP 4500

Océ Remote Meter Reading Manager
  System: Océ PlotWave 300/PlotWave 350/PlotWave 900 R1.x, Océ ColorWave 300
  Supported security levels (x) and open port: x UDP 161
  Port used on the controller: UDP 161: SNMP

Océ Remote Service
  System: Océ PlotWave 300 R1.5 and higher, PlotWave 350 R1.5 and higher, Océ PlotWave 900 R1.x, Océ ColorWave 300 R1.5 and higher
  Supported security levels (x) and open port: x; x; x
  Port used on the controller: HTTPS outgoing connection required: TCP/IP port 443 (3)

Notes:
* Levels: N: Normal - M: Medium - H: High
(**) The name resolution is mainly used to determine the IP address of the scan destination during Scan to File operation
(1) FTP active mode only
(2) Data channel for FTP passive mode
(3) TCP/IP port 443 must be opened and must allow response back on the IT infrastructure firewall.
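The port tables above can be turned into a compliance check. The following is an added example, not Océ code: it encodes a subset of the PlotWave 300/350 and ColorWave 300 rows (inbound ports on the controller), flags listening ports that the configured security level should not expose, and lists the applications affected by a level change. It assumes that a row with two "x" marks covers Normal and Medium and a row with one "x" covers Normal only, and that the bare "TCP" cells are the TCP 65200 back-channel named in the port column; `MATRIX`, `audit`, `impact` and `OBSERVED` are hypothetical names.

```python
"""Audit observed listening ports against the Océ security-level port table.

Added example, not Océ code. Rows are transcribed from the tables above for
the PlotWave 300/350 and ColorWave 300 (inbound ports on the controller only).
"""
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

Port = Tuple[str, int]                      # e.g. ("tcp", 515)
LEVELS = ("normal", "medium", "high")


def _ports(*specs: str) -> FrozenSet[Port]:
    """Turn 'tcp/515' style strings into a frozenset of (proto, port)."""
    return frozenset((s.split("/")[0], int(s.split("/")[1])) for s in specs)


LPR = _ports("tcp/515")
HTTP = _ports("tcp/80")
FTP_BOTH_MODES = _ports("tcp/21", "tcp/4242")  # 4242: passive-mode data channel
FTP_ACTIVE_ONLY = _ports("tcp/21")             # Medium: FTP active mode only

# application -> {level: ports}. A level absent from the inner dict means the
# application is not supported at that level.
# ASSUMPTION: two "x" marks = Normal + Medium, one "x" mark = Normal only.
MATRIX: Dict[str, Dict[str, FrozenSet[Port]]] = {
    "Wide-format Printer Driver (WPD/WPD2)": {
        "normal": _ports("tcp/515", "tcp/65200", "tcp/80", "udp/515"),
        "medium": _ports("tcp/515", "tcp/65200", "tcp/80"),   # note (1)
        "high": LPR,                                          # note (2)
    },
    "Adobe PostScript 3 driver": {"normal": LPR, "medium": LPR, "high": LPR},
    "LPR printing (command line)": {"normal": LPR, "medium": LPR, "high": LPR},
    "Publisher Express": {"normal": HTTP, "medium": HTTP},
    "Publisher Select": {
        "normal": _ports("tcp/515", "tcp/65200", "tcp/80", "udp/515"),
        "medium": _ports("tcp/515", "tcp/65200", "tcp/80"),
    },
    "FTP printing": {"normal": FTP_BOTH_MODES, "medium": FTP_ACTIVE_ONLY},
    "Scan data retrieval by FTP": {"normal": FTP_BOTH_MODES,
                                   "medium": FTP_ACTIVE_ONLY},
    "Express WebTools": {"normal": HTTP, "medium": HTTP},
    "SNMP based applications": {"normal": _ports("udp/161")},
    "Windows network neighbourhood browsing": {"normal": _ports("udp/137")},
}


def _check(level: str) -> None:
    if level not in LEVELS:
        raise ValueError(f"unknown security level: {level!r}")


def allowed_ports(level: str) -> Set[Port]:
    """Union of every port some application needs at this level."""
    _check(level)
    ports: Set[Port] = set()
    for per_level in MATRIX.values():
        ports |= per_level.get(level, frozenset())
    return ports


def audit(level: str, observed: Iterable[Port]) -> List[Port]:
    """Observed listening ports that the configured level should not expose."""
    return sorted(set(observed) - allowed_ports(level))


def impact(old: str, new: str) -> Dict[str, List[str]]:
    """Applications that stop working, or lose ports, when moving old -> new."""
    _check(old)
    _check(new)
    unavailable, reduced = [], []
    for app, per_level in MATRIX.items():
        if old not in per_level:
            continue
        if new not in per_level:
            unavailable.append(app)
        elif per_level[new] < per_level[old]:   # proper subset: ports removed
            reduced.append(app)
    return {"unavailable": sorted(unavailable), "reduced": sorted(reduced)}


# Constructed sample: ports found listening on a printer that is supposed to
# run at High, as reported by the site's own inventory or scan tooling.
OBSERVED: List[Port] = [("tcp", 515), ("tcp", 80), ("udp", 161)]

if __name__ == "__main__":
    for lvl in LEVELS:
        print(f"{lvl:6} unexpected ports: {audit(lvl, OBSERVED)}")
    print("medium -> high:", impact("medium", "high"))
```

Rows for the PlotWave 900 (TCP 443), WSD on the PlotWave 350, ICMP and the outgoing-only services are left out and would need their own entries before the check is used on those systems.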

Security Patches

Install the Océ Remote patch (on Océ PlotWave 300/350, PlotWave 900 R1.x and Océ ColorWave 300)

Introduction
You can install the Océ Remote patches (Security patches) in the following versions of the systems:
- Océ PlotWave and higher
- Océ PlotWave and higher
- Océ PlotWave x
- Océ ColorWave and higher

Before you begin
Find the Océ Security patch from the Océ Downloads website on
Open the product page and go to the Security tab to download the available security patches.

Install the Océ Remote patch

Procedure
1. Open the Océ Express Webtools
2. Open the 'Support' tab
3. Select 'Update'
   The Authentication window opens.
4. Log in as the System administrator or Power user
   All the patches successfully applied (when any) are displayed
5. Click on the 'Update' icon (top right corner) to open the wizard
6. Click OK
7. Browse to the Océ Remote patch and click OK to install it
8. Click OK to confirm the update
   The system restarts to apply the patch.

Security levels

Security levels presentation

Introduction
Océ defined 3 levels of security according to the customer needs. The presentation below can help you to select the most suitable level.

High security level
The High level is the most secure mode for printing and scanning. The compliant applications are based on:
- the LPR protocol for printing
- the HTTPS protocol (Océ PlotWave 900 only) for printing
- the FTP protocol for scanning.
Target: This level provides you the most secure mode while using the basic feature for printing and scanning. Only some Océ applications are available. See the security levels supported per application/functionality on page 19.
This security level may also be used when you want to be protected whenever a vulnerability has been discovered and the corresponding patch cannot yet be installed. As soon as the patch can be installed, you can go back to the original security level.

Medium security level
The Medium level is compliant with all the Océ applications available for printing and scanning which do not present a high risk (as reported by most popular network scanners).
Target: This level is recommended if you need to be secured while you want to use the Océ applications for printing and/or scanning (you can use the system including more functions than with the High security level).

Normal security level
This mode offers all the functionalities.
Target: You can select this level if you want to use some features not covered by the MEDIUM security level. This level is more dedicated to small network infrastructures where security is less required versus features.

Set the security level in Océ PlotWave 300, Océ PlotWave 350 and Océ ColorWave 300

Introduction
The [Security] wizard on the printer user panel gives the option to check or change the security level of the system.

Before you begin
The System Administrator or a Power User can protect the security settings with a password. When the protection is activated, you must type the password in the printer user panel before you can change the security level.

Procedure
1. From the [HOME] screen select the [System] tab.
2. Select the [Setup] tab.
3. Use the scroll wheel to go to the [Security]([Configure settings]) wizard.
4. Open this section with the confirmation button.
5. The screen displays the security level and the active network access options:
6. Two options are possible:
   - Press the [Back] key in case you only want to check the security settings.
   - Press the [Next >] key in case you want to adapt the security level. Enter the password if requested and follow the wizard to adapt the security level.

Protect the security level by a password

Procedure
1. Open the Océ Express Webtools in a web browser ( IP address or hostname)
2. In the 'Preferences' tab, select 'System settings'
3. In the 'Printer Properties', go to 'Password to change security level'
4. Click on the value to edit it
5. Log in as the System Administrator or as a Power User
6. Select 'New'
7. Type and re-type a numeric password
8. Confirm to activate the password.

Result
You must type the password in the printer user panel when you want to change the security level.

Set the security level in Océ PlotWave 900 R1.1 and higher R1.x versions

Introduction
The security user interface is available through the Océ Express WebTools application.

NOTE: You need to be logged on as the System Administrator to access the security level interface and change the security levels.

Procedure
1. Open the Océ Express Webtools in a web browser ( IP address or hostname)
2. On the [Configuration] tab, select [Connectivity]
3. Go to the Security section
4. Click on 'Edit' or double click on the value to open the [Security level] window
5. Set the security level and click 'OK'
6. Restart the printer when prompted

Result
After you set the Security level to 'High', you must open Océ Express Web Tools by means of the HTTPS protocol: type IP address or hostname in the web browser.

Prevent any outgoing connection to the Internet

Introduction
Some features of the following systems allow or request a connection over the Internet to work properly:
- Océ PlotWave 300 R1.5 and higher
- Océ PlotWave 350 R1.5 and higher
- Océ ColorWave 300 R1.5 and higher

When the Security Policy in a company prevents any outgoing network traffic over the Internet, perform all the following actions in Express WebTools:

Step 1
  In the Express WebTools section: Support - Remote Service - Remote assistance
  Action: Stop the Remote assistance if it is activated
  Detail: Click 'Stop remote assistance' until it changes into 'Allow remote assistance'. The two blinking arrows on the right side disappear.

Step 2
  In the Express WebTools section: Preferences - System Defaults - Service related information
  Action: Disable Online Services
  Detail: Set 'Océ Online Services connection enabled' to 'Disabled'

Step 3
  In the Express WebTools section: Configuration - Scan destination [X]
  Action: Delete any scan destination going to the Internet: FTP sites reachable through the Internet
  Detail: Uncheck 'Scan destination [X]: enabled'

Step 4
  In the Express WebTools section: Support - About - Shutdown - Restart
  Action: Restart the system

Security of the USB connection (Océ PlotWave 300/350, Océ ColorWave 300)

The USB connection on the Local user interface

Introduction
A USB connection is available on the Océ PlotWave 300, Océ PlotWave 350 and Océ ColorWave 300 Local user interface. This USB connection is used to:
- Install and upgrade the controller software
- Backup and restore the controller configuration
- Scan to the USB storage device
- Print from the USB storage device

Security on the USB port
General USB port protection:
- Booting from the USB device is not possible.
- Executing any programme present on the USB device is not possible
- The Autorun is disabled and no operation on the controller can execute a programme on the USB device.
- Propagating on network any infected file present on the USB device plugged on the USB port is not possible

Read from / write to USB device protection
Protection of the USB READ operation:
- when restoring a controller configuration from the Local User Interface. In that case, any file infected by a virus appears as an invalid backup file. The controller software detects it and rejects the restore operation.
- when printing from the USB device. Any print file infected by a virus will never compromise controller's software integrity.
Protection of the USB WRITE operation:
- during the backup of the controller configuration, from the Local User Interface. The backup is performed by the internal controller software. It cannot contaminate the USB device by any threat.
- when making a Scan To File to the USB device: The Scan To File operation to USB device is performed by the internal controller software. It cannot contaminate the USB device by any threat.

Disable the USB features
You can disable:
- The direct printing operation from USB. See How to prevent 'Print from USB' on page 54
- The scanning operation to USB. See 1- Disable any 'USB stick' scan destination on page

31 Antivirus

Compatibility and recommendations
The following 2 antivirus programmes can be installed on your Océ systems:
- Symantec AntiVirus Endpoint Protection
- McAfee VirusScan Enterprise Edition / epolicy Orchestrator for AntiVirus update

Contact your Canon representative to find out which antivirus version to install on your Océ systems and to get the installation procedure.

NOTE
Canon/Océ shall not be liable for damages of any kind attributable to the use of an antivirus on its controllers.

32 Roles and Passwords

Roles and profiles in the Océ PlotWave 300/350, Océ PlotWave 900 R1.x and Océ ColorWave 300

Roles description
In the system, the main network and system settings are protected against change. Only authorised users can configure/change these settings.
4 roles are available:
- Key operator: The Key operator can manage the jobs and the device settings
- System administrator: The System administrator can manage the Configuration settings such as the Network settings, scan destinations settings, security settings (e-shredding, IPsec), and the hardware/software configuration settings...
- Power user: The Power user has both the rights of the Key operator and the System administrator
- Service: This role is used exclusively by the Canon Service technician

Passwords policy and behaviour in the Océ PlotWave 300/350 and Océ ColorWave 300

Introduction
There are 2 groups of passwords:
- The passwords used in Océ Express WebTools
- The passwords used in the printer user panel (also named Local User Interface)

Passwords used in Océ Express WebTools
In Océ Express WebTools the passwords protect:
- The roles
- The Scan to File remote user name
- The security settings (preshared key for IPsec)

Password modification table for Océ PlotWave 300/350 and Océ ColorWave 300

Password for | Can be changed by
Key operator | Key operator or Power user
System administrator | System administrator or Power user
Power user | Power user
Any ScanToFile remote user name | System administrator or Power user
Any preshared key for IPsec | System administrator or Power user
Mobile printing with Océ Mobile WebTools | System administrator or Power user

Password policy
A password can be made of 256 characters maximum.

33 Passwords policy and behaviour in the Océ PlotWave 300/350 and Océ ColorWave 300

For Océ PlotWave 300 v1.2.1 and higher, Océ PlotWave 350 and Océ ColorWave and higher, all MS Windows characters are allowed in a password.
For previous versions of Océ PlotWave 300 and Océ ColorWave 300 the passwords can be made of:
- Any number [0-9]
- Any letter lowercase/uppercase [a-z][A-Z]
- the following special characters: _ - # $ % ^ * ? { } ( ) = + , . ; : [ ] / \

Passwords used on the Océ printer user panel (Océ PlotWave 300/350 and Océ ColorWave 300)
Important: These passwords can only be made of numbers.

NOTE
Keep these passwords. The loss of these passwords may require the intervention of Canon Service.

Printer panel passwords modification table for Océ PlotWave 300/350 and Océ ColorWave 300

Printer user panel password for | Can be changed by
Change of the Network Settings | System administrator or Power user
Change of the security level | System administrator or Power user
Clear of the system | System administrator or Power user
Print of demo and test prints | System administrator or Power user
Change of the hardware/software configuration | System administrator or Power user
Start of the scanner calibration | System administrator or Power user

Password backup/restore policy with the 'Save Set'/'Open Set' features
Some passwords are stored in the backup set made with the 'Save Set' feature of Océ Express WebTools (the passwords for the printer panel).

Password backup table for Océ PlotWave 300/350 and Océ ColorWave 300

Password / pincode for | Backup with 'Save set'? | Restore with 'Open set'?
Change of the Network Settings | Yes, encrypted (1) | Yes (2)
Change of the security level | Yes, encrypted (1) | Yes (2)
Clear of the system | Yes, encrypted (1) | Yes (2)
Print of demo and test prints | Yes, encrypted (1) | Yes (2)
Change of the hardware/software configuration | Yes, encrypted (1) | Yes (2)
Start of the scanner calibration | Yes, encrypted (1) | Yes (2)
Any preshared key for IPsec | No | -
Mobile printing with Océ Mobile WebTools | No | -
Any ScanToFile remote user name | No | -

34 Passwords policy and behaviour in the Océ PlotWave 900 R1.x

Password / pincode for | Backup with 'Save set'? | Restore with 'Open set'?
Key operator | No | -
System administrator | No | -
Power user | No | -

(1):
- When a password is configured as 'No password', the information 'Auto' (meaning 'No password') is stored in the backup file. It is not encrypted.
- The passwords are stored in the backup file whatever the login used when making the 'Save Set' operation (System administrator, the Key operator, or the Power user).
(2):
- The passwords are restored only when the System administrator or the Power user makes the 'Open Set' operation.
- When a password has been stored with the 'Auto' value, it is restored with the 'No password' value.

Passwords policy and behaviour in the Océ PlotWave 900 R1.x

Passwords used in Océ Express WebTools
In Océ Express WebTools the passwords protect:
- The roles
- The Scan to File remote user name

Password modification table for Océ PlotWave 900 R1.x

Password for | Can be changed by
Key operator | Key operator or Power user
System administrator | System administrator or Power user
Power user | Power user
Any ScanToFile remote user name | System administrator or Power user
Any preshared key for IPsec | System administrator or Power user
Mobile printing with Océ Mobile WebTools | System administrator or Power user
Remote Service proxy setting | System administrator or Power user

Password policy
- 256 characters maximum
- Any 'Microsoft Windows' characters

Password backup/restore policy with the 'Save Set'/'Open Set' features
None of the passwords for Power user, System administrator, Key operator, ScanToFile remote user, Preshared key, Mobile printing or Remote Service proxy setting is stored in the backup file with the 'Save Set' feature.

35 Data Security

E-Shredding

E-shredding presentation

Introduction
The e-shredding feature is a security feature that overwrites any user data (print/copy/scan) when it is deleted from the system. This feature prevents the recovery of any deleted user data (files' content and attributes).
A deleted job is a job that cannot be retrieved from any user interface.

When is a job deleted?
A job is deleted either:
- When it is manually deleted from a Smart Inbox
- After it was successfully printed and was not saved in a Smart Inbox ('Save printed jobs in a Smart Inbox' system setting is disabled in the Océ Express WebTools)
- After a 'ScanToFile to remote destination' has been successfully performed
- After a 'ScanToFile to USB stick' has been performed, successfully or not (only on Océ PlotWave 300/350 and Océ ColorWave 300)
- When it is automatically deleted after a timeout:
  - When the end of the job lifetime in the Smart Inbox is reached ('Save printed jobs in a Smart Inbox' system setting is enabled in the Océ Express WebTools and the 'Printed jobs in Smart Inbox: job lifetime' is set)
  - When the time for the cleanup of the 'Scans in Smart Inbox' is reached
- When a 'Clear system Remove all jobs' is performed on the printer local interface

E-shredding algorithms
Select one of the three e-shredding behaviours:
- DOD M: 3-pass overwriting algorithm (compliant with the US Department of Defense directive)
- Gutmann: 35-pass overwriting algorithm with random data
- Custom: set the number of passes, from 1 to 35.

NOTE
The e-shredding feature has been designed to minimise its impact on global system performance. However, the more passes selected, the more impact it has on general performance. It is recommended to minimise the number of passes when document production is required.

Enable the e-shredding

Before you begin
You must be logged in as a System Administrator or a Power user.

36 Enable the e-shredding

NOTE
When you enable the e-shredding, the system automatically disables the 'Save printed jobs in a Smart Inbox' setting. The jobs previously printed and stored in the Smart Inbox are deleted. They are not e-shredded.

Enable/disable the e-shredding (Océ Express WebTools)

Procedure
1. Open a web browser and enter the system URL: to open the Océ Express WebTools
2. Open the 'Configuration' - 'Connectivity' page and select the 'E-shredding' section
3. Click Edit
4. Check 'E-shredding' feature to enable it
5. Select the algorithm. When you select 'Custom', set the number of passes

Result
When the E-shredding feature is enabled, an indication is displayed at 2 locations in the system:
- On the printer user panel (Océ PlotWave 300/350 and Océ ColorWave 300), an indication is displayed in the System menu: 'E-shredding enabled'
- In the Océ Express WebTools window, a new icon is added to the list of icons (bottom right)

Each time data (file's content or attributes) is deleted from the system, the e-shredding process occurs. For a while, the E-shredding feedback returns as 'busy':
- On the printer user panel (Océ PlotWave 300/350 and Océ ColorWave 300), an indication is displayed in the System menu: 'E-shredding busy'
- In the Océ Express WebTools window, roll the mouse over the e-shredding icon to display the 'E-shredding busy' status

Once the e-shredding process is complete, the status comes back to:
- 'E-shredding enabled' in the printer user panel (Océ PlotWave 300/350 and Océ ColorWave 300)
- 'E-shredding ready' in the Océ Express WebTools (roll over the icon)

37 E-shredding process and system behaviour

NOTE
In case some scanned files have a 'Scan destination file name' composed of more than 256 characters, on the controller or on the remote destination, they will be deleted, but they will not be e-shredded (too long name).

E-shredding process and system behaviour

When you enable the e-shredding
When you enable the e-shredding, the system starts the e-shredding process for all print/scan jobs that will be deleted. The e-shredding process occurs as a background task. All processed jobs are e-shredded as soon as they are deleted:
- After a manual deletion from the Smart Inbox
- After an automatic deletion of the print and scan jobs by the system (timeout, disabled Smart Inbox, cleanup)

When you disable the e-shredding
When you disable the e-shredding, the system:
- Terminates the e-shredding process for files which are being e-shredded
- Will not e-shred the new deleted files

Make sure all the scan/copy/print jobs are completely e-shredded
Once a batch of scan/copy/print jobs has been processed, perform the following actions to make sure all the files are e-shredded:
1- Unplug the system from the network
2- Check that 'Saved print jobs in Smart Inbox' is disabled
3- Delete any job from the 'Scans' Smart Inbox
4- Make a 'Clear System' on the Printer User interface
5- Wait until the e-shredder status comes back to 'Ready' (in Océ Express WebTools)
6- Restart the system
7- Wait until the e-shredder status displays 'Ready' (in Océ Express WebTools)

38 IPsec (on Océ PlotWave 300/350, Océ PlotWave and higher 1.x, Océ ColorWave 300)

IPsec presentation

Introduction
IPsec is a protocol that provides authentication, data confidentiality and integrity in the network communication between devices. A strong mechanism of encryption guarantees the confidentiality of the user print and scan data on the network.
IPsec is particularly suitable in a configuration where you need to create a dedicated secure link between the printer/copier system and a workstation which can be dedicated as a Print Server (or a Scan Server).
You can connect up to 5 IPsec stations to the printer/copier system.

In the configuration below:
- The printer/copier system is physically connected to the network but communicates only with a dedicated station (a Print Server or Scan Server for example)
- The Print Server receives the print requests from the workstations via IP on the network
- The Print Server sends the print requests to the printer/copier system via IPsec
- The workstations cannot communicate directly with the printer/copier system

NOTE
In this configuration, the back-channel communication between a workstation and the printer is unavailable (the back-channel information is not displayed in the Océ WPD driver).

NOTE
IPsec is compatible with IPv4 only. Make sure IPv6 is 'Disabled' before you configure IPsec on the controller.

39 IPsec presentation

Illustration

IPsec parameters in the Océ Express WebTools (EWT)
The following IPsec parameters are available in the Océ Express WebTools:

IPsec Generic section:

IPSec Enabled/Disabled | General setting to enable or disable IPsec. Once enabled, only the network traffic defined by the IPsec configuration rules is authorised.
Failsafe option Enabled/Disabled | Keep this option enabled during the IPsec configuration, until the IPsec communication between the printer/copier system and the configured station is complete and successful. When the option is Enabled (with IPsec enabled), only the network traffic defined by IPsec configuration rules is authorised. All other network traffic is denied except the HTTP traffic* for Océ Express WebTools with any workstation: this makes it possible to change some IPsec settings via Océ Express WebTools, from any workstation. When the option is Disabled (with IPsec enabled), only the network traffic defined by the IPsec configuration rules is authorised. All other network traffic is denied.
Default preshared key | You can define a default preshared key that will be used for all the stations connected by IPsec to the printer/scanner system.
Other settings | You can display the other IPsec generic settings ('See all'). Keep them unchanged.

* and HTTPS traffic for Océ PlotWave 900.

IPsec stations section:
You can configure a maximum of 5 IPsec communications between the printer/copier system and 5 workstations.

40 Configure the IPsec settings on the Océ controller

Enable and configure the parameters for each required station. The parameters can be different for each workstation:
- the IP address
- the preshared key (keep the generic default one or set a custom one)

Configure the IPsec settings on the Océ controller

Before you begin
You must be logged in as a System Administrator or a Power user.

Activate and configure IPsec on the printer/scanner controller

Procedure
1. Open a web browser and enter the system URL: to open the Océ Express WebTools
2. Open the 'Configuration' - 'Connectivity' page
3. In 'IPsec generic' section, click 'Edit'
4. Check 'IPsec'
5. Keep 'Failsafe option' checked while you configure IPsec. If needed, this lets you connect to the Océ Express WebTools from any workstation to change parameters.
6. Keep the other parameters as they are.

41 Configure the IPsec settings on the Océ controller

7. In the 'IPsec stations' section, click 'Edit'
8. Select 'IPsec station 1: Enable'
9. Enter the 'IPsec station 1: IP address' of the workstation
10. Create and enter the 'IPsec station 1: Preshared key' using the following policy:
    - 256 characters maximum
    - Any number [0-9]
    - Any letter lowercase/uppercase [a-z][A-Z]
    - the following special characters: _ - # $ % ^ * ? { } ( ) = + , . ; : [ ] / \

NOTE
Write it down, this preshared key will be required during the IPsec configuration on the workstation.

NOTE
In the 'TCP/IP: IPv6' section, make sure TCP/IP (IPv6) is disabled.

Result
The IPsec settings are configured on the controller for a connection to a workstation (which can be a print server).

42 Configure the IPsec settings on a workstation or a print server

When to do
After the IPsec configuration on the controller.

Pre-requisites
Log on to the workstation with Administration rights.

Purpose
Complete the IPsec configuration for a secure connection between the printer/copier system and a workstation.
On the workstation, perform the 6 following actions:
1- Add the security snap-in on page
2- Create the security policy on page
3- Create the filter list on page
4- Define the filter actions and security negotiation on page
5- Define the security rule on page
6- Assign the security policy on page 49

NOTE
The procedure below shows the configuration steps on Windows server. The procedure is similar on other Operating Systems (Windows Server 2003, Windows XP, Windows Vista, Windows 7).

Add the security snap-in

Procedure
1. In the 'Start' - 'Run' window, enter 'mmc' to open the management console
2. In the top menu select 'File' - 'Add/Remove Snap-in'
3. Select 'IP Security Policy Management' and click 'Add' to add it to the root console

43 Create the security policy

4. Keep 'Local computer' checked and click 'Finish'
The security snap-in is added, click 'OK'

Create the security policy

Procedure
1. In the console, right click on 'IP Security Policies on local Computer' and select 'Create IP Security Policy'
2. Click 'Next' to open the wizard
3. Enter the name for the policy and click 'Next'

44 Create the filter list

4. Uncheck 'Activate the default response rule'
5. Uncheck 'Edit properties' and click 'Finish'

Create the filter list

Procedure
1. In the console, right click on 'IP Security Policies on local Computer' and select 'Manage IP filter lists and filter actions'
2. In the 'Manage IP filter lists' tab click 'Add'

45 Create the filter list

3. Enter a filter name and a description and click 'Add'
4. Click 'Next' to open the wizard
5. Check the 'Mirrored' checkbox and click 'Next'
6. Select 'My IP address' as the 'Source address' and click 'Next'
7. Select 'A specific IP address or subnet' as 'Destination address' and enter the IP address of the controller
8. Select 'Any' as the 'IP Protocol Type' and click 'Next'

46 Define the filter actions and security negotiation

9. Click 'Finish'
10. In the 'IP filter list' window, click OK
The filter list is set

Define the filter actions and security negotiation

Procedure
1. Open the 'Manage Filter Actions' tab and click 'Add' to open the wizard.
2. Click 'Next'
3. Give a name to the filter actions and click 'Next'
4. Select 'Negotiate security' and click 'Next'

47 Define the security rule

5. Select 'Allow unsecured communication if a secure connection cannot be established' or 'Fall back to unsecured communication' (depending on the Operating System) and click 'Next'
6. Select 'Custom' and click on the 'Settings...' button
7. Configure the settings as below
8. Click 'OK' and 'Next', then 'Finish'

Define the security rule

Procedure
1. In the console, right click on the IP security policy just created and select 'Properties' to open the wizard (On Windows 7, a new window opens: check that "Use Add Wizard" is checked, then click on "Add")
2. Click 'Next'
3. Select 'This rule does not specify a tunnel', and click 'Next'

48 Define the security rule

4. As the Network type, select 'All network connections' and click 'Next'
5. Select the filter previously created then click 'Next'
6. Select the filter action previously created then click 'Next'
7. In the 'Authentication method' window, check 'Use this string to protect the key exchange (preshared key)'

49 Assign the security policy

8. Enter the preshared key you set in Express WebTools (see Configure the IPsec settings on the Océ controller on page 40), then click 'Next'
9. Click 'Finish'
10. Click 'OK' to validate the Security rule

Assign the security policy

Procedure
1. In the console, right click on the security policy just created and select 'Assign'
The configuration is activated on the IPsec station (workstation):

50 The impact of IPsec when you print using Océ WPD through a print server

2. To test the configuration, open a 'command' window and issue a 'ping' command from this IPsec station to the printer/scanner controller
When the test works properly, it is recommended to disable the 'Failsafe mode' on the printer/scanner controller, so that only the IPsec station is allowed to communicate with the printer/scanner system.

NOTE
In case you use the WPD driver, see The impact of IPsec when you print using Océ WPD through a print server on page 50.

The impact of IPsec when you print using Océ WPD through a print server

Introduction
When you use WPD on a print server, with advanced accounting activated, the use of IPsec has an impact on the workflow. The impact applies when all the following conditions are met:
- A print server is configured as an IPsec station.
- Océ WPD is installed on the print server.
- IPsec is activated and the 'Failsafe mode' is disabled on the printer controller.
- The client workstation is not configured as an IPsec station.
- The client workstation uses the Océ WPD shared driver installed on the print server (Point & Print) to print jobs.

Pre-requisites
When advanced accounting is required, make sure you configured Account Center BEFORE disabling the 'Failsafe mode' on the printer controller.

Consequences of the IPsec configuration on the client workstation:
- The back-channel information (printer status, feed data) is not retrieved from the printer. It is not displayed in the driver interface.
- On the workstation, when the job is sent with Océ WPD:
  - The required accounting information is not requested when submitting the job.
  - The submitted job is stored in the Smart Inbox. It is not printed since accounting information is missing.
  - Open the Inbox in Océ Express WebTools (on an IPsec station) to enter the required accounting information and print the job.

NOTE
To be able to enter the accounting information and print directly from the workstation, enable the 'Failsafe mode' on the controller. Then, the accounting window will be displayed on the client workstation, and the accounting information can be entered to print the job.

Troubleshooting: emergency procedure to disable IPsec

Introduction
In the following case:
- IPsec is enabled and activated on the printer/scanner controller and

51 Troubleshooting: emergency procedure to disable IPsec

- The 'Failsafe mode' is disabled and
- The communication between the controller and the IPsec stations fails
You cannot open Océ Express WebTools remotely to change the settings. The system is unreachable.
Then you can use the emergency procedure to disable IPsec:
- Via the printer User panel on the printer/scanner system, for Océ PlotWave 300/350 and Océ ColorWave 300
- Via Océ Express WebTools on the printer controller monitor for Océ PlotWave 900 R1.2 and higher 1.x

Disable IPsec on the printer user panel (Océ PlotWave 300/350 and Océ ColorWave 300)

Procedure
1. On the printer user panel, click on 'System'
2. Select 'Setup'
3. Roll down to the Security item and open the Security menu
   The status is 'IPsec is enabled'
4. Click 'Next' several times to open the IPsec window

NOTE
Enter the password if required (Password to change the security level - depends on the configuration of the access to the Security menu).

52 Disable IPsec on the controller monitor (Océ PlotWave 900 R1.2 and higher 1.x)

5. Select 'Disabled' to deactivate IPsec
6. Click 'Next' to the end of the procedure
7. Restart the controller

Result
IPsec is disabled. After the restart, you will be able to open Océ Express WebTools remotely from a workstation (HTTP).

Disable IPsec on the controller monitor (Océ PlotWave 900 R1.2 and higher 1.x)

When to do
When communication fails between the controller and the identified hosts, you can disable IPsec in Océ Express WebTools only via the printer controller monitor.

Procedure
1. On the printer controller, open Océ Express WebTools and log in as System administrator.
2. Open the Configuration - Connectivity tab.
3. Go to the IPsec section
4. Click on Edit, in the upper right hand corner of the section.
5. Change the IPsec setting from 'Enabled' to 'Disabled':

53 Disable IPsec on the controller monitor (Océ PlotWave 900 R1.2 and higher 1.x)

Result
IPsec is disabled. You can open Océ Express WebTools remotely from a workstation (HTTP).
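The workstation-side policy built with the MMC snap-in earlier in this section (policy, mirrored filter list, 'Negotiate security' filter action, rule with preshared key, assignment, ping test) can also be scripted with 'netsh ipsec static', which manages the same IP Security Policies as the snap-in. This is an added example, not part of the Océ guide: the object names are hypothetical, and the controller address and the 'Custom' security method (shown in the guide only as a screenshot) are parameters you must supply.

```powershell
# Added example, not part of the Océ guide. Run in an elevated PowerShell session
# on the workstation or print server that will be the IPsec station.
param(
    # IPv4 address of the Océ controller (the guide states IPsec is IPv4-only).
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^(\d{1,3}\.){3}\d{1,3}$')]
    [string]$ControllerIp,

    # Quick-mode offer for the 'Custom' security method, in netsh syntax.
    # The guide shows these settings only in a screenshot (step 7), so no value
    # is assumed here: supply the offer that matches your controller.
    [Parameter(Mandatory = $true)]
    [string]$QmSecMethods
)

# Hypothetical object names (no spaces, so no quoting is needed for netsh).
$Policy       = 'OcePrinterIPsecPolicy'
$FilterList   = 'OcePrinterFilterList'
$FilterAction = 'OcePrinterNegotiate'
$Rule         = 'OcePrinterRule'

# Ask for the preshared key instead of storing it in the script.
$Psk = Read-Host 'Preshared key set for this station in Oce Express WebTools'

# Character policy as printed in the guide for the controller-side preshared key:
# 256 characters maximum, digits, letters and the listed special characters.
$pskPolicy = '^[0-9A-Za-z_\-#$%^*?{}()=+,.;:\[\]/\\]{1,256}$'
if ($Psk -notmatch $pskPolicy) {
    throw 'The preshared key does not match the policy given in the guide.'
}

function Invoke-Netsh {
    # Run one 'netsh ipsec static' command; stop on a non-zero exit code.
    # Only the verb and object are put in the error text, never the key.
    & netsh.exe ipsec static @args
    if ($LASTEXITCODE -ne 0) {
        throw "netsh ipsec static $($args[0..1] -join ' ') failed"
    }
}

# Create the security policy, without the default response rule.
Invoke-Netsh add policy "name=$Policy" activatedefaultrule=no

# Create the filter list: My IP address <-> controller, any protocol, mirrored.
Invoke-Netsh add filterlist "name=$FilterList"
Invoke-Netsh add filter "filterlist=$FilterList" srcaddr=me "dstaddr=$ControllerIp" `
    dstmask=255.255.255.255 protocol=any mirrored=yes

# Filter action: negotiate security. soft=yes mirrors the guide's choice of
# 'Allow unsecured communication if a secure connection cannot be established';
# with it, the workstation sends in clear when negotiation fails.
Invoke-Netsh add filteraction "name=$FilterAction" action=negotiate soft=yes `
    "qmsecmethods=$QmSecMethods"

# Security rule: no tunnel (none specified), all network connections,
# preshared-key authentication.
Invoke-Netsh add rule "name=$Rule" "policy=$Policy" "filterlist=$FilterList" `
    "filteraction=$FilterAction" conntype=all "psk=$Psk"

# Assign the policy, then test with ping as the guide describes.
Invoke-Netsh set policy "name=$Policy" assign=yes
ping.exe -n 4 $ControllerIp
```

Once the ping succeeds, the guide's recommendation to disable the 'Failsafe mode' on the controller applies as in the manual procedure.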

54 Prevent USB Direct Print and Scan to USB (Océ PlotWave 300/350, Océ ColorWave 300)

How to prevent 'Print from USB'

Introduction
You can disable any access to the USB device by preventing printing from / scanning to the USB device.

Illustration
[1] USB direct print: Disabled

How to disable the 'USB direct print' feature

Procedure
1. Open a web browser and enter the system URL: to open the Océ Express WebTools
2. Open the 'Preferences' - 'System settings' page and select the 'Printer properties' section
3. Go to the 'USB direct print' setting
4. Click on the value to open the 'USB direct print' window
5. Log in
6. Select 'Disabled' and 'Ok'

How to prevent 'Scan to USB'

Introduction
You can neutralize the 'Scan to File to USB storage device' capability.
2-step procedure to prevent scanning to USB destination:
1. Disable any 'USB stick' scan destination
2. Remove the USB destination from all Scan templates

1- Disable any 'USB stick' scan destination

Introduction
You can neutralize the 'Scan to File to USB storage device' capability.
To prevent scanning to USB destination you must:
1. Disable any 'USB stick' scan destination
2. Remove the USB destination from all Scan templates

55 2- Remove the USB destination from all Scan templates

Purpose
Prevent any user from scanning to a USB device.

Illustration
[2] Disable the 'Scan to USB'

Procedure
1. Open a web browser and enter the system URL: to open the Océ Express WebTools
2. Open the 'Configuration' - 'Scan destinations' page
3. Edit the 'Scan destination 2: Local to USB storage device'
4. Uncheck the setting 'Scan destination 2 enabled' and click 'Ok'
5. For each scan destination from 'Scan destination 3' to 'Scan destination 10', make sure that the scan destination type is NOT 'Local to USB storage device'

2- Remove the USB destination from all Scan templates

Procedure
1. In Océ Express WebTools open the 'Preferences' - 'Scan job defaults' page
2. In each 'Scan template: File' section, check that the 'Destination' is not 'USB stick'
3. When the destination is 'USB stick', edit the setting to change it

56 HTTPS with Océ PlotWave 900 R1.x

Encrypt print data using HTTPS with the Océ self-signed certificate

Introduction
On Océ PlotWave 900 you can use the HTTPS protocol with the default Océ self-signed certificate:
- to send encrypted print data to the printer controller via Océ Publisher Express
- to securely manage the configuration of the system through Océ Express WebTools
The HTTPS protocol is available with all security levels.
All settings and options available through HTTP are also available through HTTPS.

NOTE
Only the Océ self-signed certificate is supported (this excludes the Certificate Authority signed certificates).

Before you begin
The first time you use a self-signed certificate, your web browser will generate security error messages. In order to easily and securely use the self-signed certificate in your web browser, you must:
- View and check the self-signed certificate in your web browser
- Configure your web browser to trust the self-signed certificate

Use the Océ self-signed certificate with Internet Explorer

Procedure
1. On a workstation, type the URL address of your printer in Internet Explorer: Name or PrinterHostname or PrinterIPaddress]
   A warning window opens. It displays 2 errors:
   - The certificate is not issued by a trusted certificate authority.
   - The Common Name in the certificate does not match the printer hostname (or IP Address) you typed in the address bar.
2. In order to view and check the self-signed certificate, continue to the website

57 Use the Océ self-signed certificate with Internet Explorer

3. Click on 'Certificate error':
4. Click 'View certificates'
5. The certificate is issued to 'Océ Express WebTools' by 'Océ Express WebTools'
6. Click 'Install Certificate...'
7. Follow the Wizard's instructions to import the certificate into your web browser:
   1. Place the certificate in the 'Trusted Root Certification Authorities' folder
   2. Accept the warning
   3. Finish the installation
   When the import is successful, the 'Océ Express WebTools' Certificate is recognised and its status is OK.

58 Use the Océ self-signed certificate with Mozilla Firefox

8. Open the Tools menu\internet options\advanced tab. In the Security section, uncheck the option "Warn about certificate address mismatch"
9. Close ALL instances of Internet Explorer
10. Restart the browser and type the URL of your printer in Internet Explorer ( Name or PrinterHostname or PrinterIPaddress]).

Result
The padlock is displayed on the address bar. The Océ self-signed certificate guarantees:
- The identity of the remote computer (controller)
- The encryption of the print data on the network

Use the Océ self-signed certificate with Mozilla Firefox

Procedure
1. On a workstation, type the URL address of your printer in Mozilla Firefox ( Name or PrinterHostname or PrinterIPaddress]).

59 Use the Océ self-signed certificate with Mozilla Firefox

   A warning window opens. It displays 2 errors:
   - The certificate is not trusted because it is self-signed
2. In order to view and check the self-signed certificate, continue to add an exception.
3. Click 'I Understand the Risks' and 'Add Exception...'
4. In the 'Add Security Exception' window, click 'Get Certificate' to get the certificate from the controller web server. The 'Wrong site' and 'Unknown Identity' errors are displayed.
5. Click 'View...' to see the content of the certificate. Check the following values:
   - Common Name (CN) = Océ Express WebTools
   - Organization (O) = Océ
   - Organization Unit (OU) = WFPS
6. The certificate is issued to 'Océ Express WebTools' by 'Océ Express WebTools', so you can confirm the security exception (permanent or temporary exception).
7. A security warning window may pop-up. Click 'Yes' to continue.

Result
The Océ Express WebTools software opens. You can check in the status bar (at the bottom of the window) that the padlock is displayed. In the navigation bar, the Océ certificate is registered as an exception.
The identity of the remote controller and the encryption of the data on the network are secured.
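The 'view and check' step in both browser procedures can also be done from a script before the certificate is trusted. The following is an added example, not part of the Océ guide: it retrieves the certificate the controller presents, compares its subject and issuer with the values listed in the Firefox procedure above, and prints the thumbprint so it can be recorded. The function names are hypothetical; the expected CN, O and OU values are the ones printed in the guide.

```powershell
# Added example, not part of the Océ guide.
param(
    # Host name or IP address of the printer controller.
    [Parameter(Mandatory = $true)][string]$PrinterHost,
    [int]$Port = 443
)

# Subject values the guide tells you to check before confirming the exception.
$Expected = @{ CN = 'Océ Express WebTools'; O = 'Océ'; OU = 'WFPS' }

function Get-ServerCertificate {
    # Open a TLS connection and return the certificate the server presents.
    # Validation is bypassed on purpose: the certificate is self-signed and is
    # only read here, nothing is sent over the connection.
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        try {
            $ssl.AuthenticateAsClient($HostName)
            return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        } finally {
            $ssl.Dispose()
        }
    } finally {
        $client.Close()
    }
}

function ConvertTo-NameTable {
    # Turn a distinguished name into a hashtable such as @{ CN = ...; O = ... }.
    param([System.Security.Cryptography.X509Certificates.X500DistinguishedName]$Name)
    $table = @{}
    foreach ($line in ($Name.Format($true) -split "`r?`n")) {
        if ($line -match '^\s*([^=]+)=(.*)$') {
            $table[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $table
}

$cert    = Get-ServerCertificate -HostName $PrinterHost -Port $Port
$subject = ConvertTo-NameTable $cert.SubjectName
$issuer  = ConvertTo-NameTable $cert.IssuerName

$problems = @()
foreach ($key in $Expected.Keys) {
    if ($subject[$key] -cne $Expected[$key]) {
        $problems += "Subject $key is '$($subject[$key])', expected '$($Expected[$key])'"
    }
}
# The guide states the certificate is issued to and by 'Océ Express WebTools'.
if ($issuer['CN'] -cne $Expected['CN']) {
    $problems += "Issuer CN is '$($issuer['CN'])', expected '$($Expected['CN'])'"
}

Write-Output "Subject    : $($cert.Subject)"
Write-Output "Issuer     : $($cert.Issuer)"
Write-Output "Valid      : $($cert.NotBefore) to $($cert.NotAfter)"
# Subject names can be copied into any certificate; the thumbprint identifies
# this exact certificate, so record it and compare it on later checks.
Write-Output "Thumbprint : $($cert.Thumbprint)"

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Certificate does not match the values given in the guide; do not trust it.'
}
Write-Output 'Subject and issuer match the values given in the guide.'
```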

Smart Inbox management

Configure the Smart Inboxes to manage the access to job data

Use the Smart Inbox management features of your system to limit and restrict the access to the print and scan job data. Depending on your system capabilities, go to the 'Preferences'/'System settings' to disable or restrict, for example:
- The remote view of the Smart Inboxes
- The printing from the Smart Inboxes
- The storage of the job data in the Smart Inboxes
Depending on your printer capabilities, you can also disable the printing from Océ Publisher Express.

Security on Océ PlotWave 750 and Océ PlotWave 900 R2.x

Overview

Security overview for the Océ PlotWave 750 and the Océ PlotWave 900 R2.x systems

Introduction
The Océ PlotWave 750 and the Océ PlotWave 900 R2.x are equipped with the following security features:

Security overview
- Operating System: Windows Embedded Standard 7 SP1
- Firewall: Yes
- Network protocols protection: 4 Océ Security Levels
- MS Security patches: Océ released patches
- Security logging: Auditing of security related events
- IPv6: Yes (IPV6 only or IPV6/IPV4 combination)
- Antivirus: Compatible with 2 Antivirus brands
- SMB authentication: NTLMV2
- Data encryption on the network: IPsec; HTTPS for administration and for job submission through Publisher Express
- Data overwrite: E-shredding
- Password protection: Yes for: User settings; Administration settings; Settings on the printer user panel
- Smart Inbox management: Can be enabled/disabled; Remote view restriction; Delete scan restriction; Display on printer user panel restriction (for Océ PlotWave 750)
- Océ Publisher Express access: Access restriction
- Actions on Jobs: Remote action restriction

System and Network security

Ports - Protocols

Applications, protocols and ports used on the Océ PlotWave 750 and the Océ PlotWave 900 R2.x systems

Printing applications: security levels, ports and protocols used by the Océ systems

Table columns: Application/Functionality; System; Supported security levels (x) and open port (columns N*, M*, M-H*, H*); Port used on the controller: protocol

Océ Wide-format Printer Driver for Microsoft Windows (WPD or WPD2)
- System: Océ PlotWave 750 / PlotWave 900 R2.x
- Supported security levels (x) and open port: x TCP 515, TCP 65200, TCP 80, UDP 515; x (1) TCP 515, TCP 65200, TCP 80, UDP 515; x (2) TCP 515, UDP 515; x (2) TCP 515
- Port used on the controller: TCP 515: LPR; TCP 65200: Océ back-channel (**); TCP 80: HTTP (for advanced accounting); UDP 515: Océ protocol (for printer discovery)

Océ Adobe PostScript 3 driver
- System: Océ PlotWave 750 / PlotWave 900 R2.x
- Supported security levels (x) and open port: x TCP 515; x TCP 515; x TCP 515; x TCP 515
- Port used on the controller: TCP 515: LPR

Océ Publisher Express
- System: Océ PlotWave 750 / PlotWave 900 R2.x
- Supported security levels (x) and open port: x TCP 80; x TCP 80
- Port used on the controller: TCP 80: HTTP

Océ Publisher Express over SSL
- System: Océ PlotWave 750 / PlotWave 900 R2.x
- Supported security levels (x) and open port: x TCP 443; x TCP 443; x TCP 443; x TCP 443
- Port used on the controller: TCP 443: HTTPS

Océ Publisher Select
- System: Océ PlotWave 750 / PlotWave 900 R2.x
- Supported security levels (x) and open port: x TCP 515, TCP 65200, TCP 80, UDP 515; x TCP 515, TCP 65200, TCP 80, UDP 515
- Port used on the controller: TCP 80: HTTP; TCP 65200: Océ back-channel (**); TCP 515: LPR; UDP 515: Océ protocol (for printer discovery)

Table columns: Application/Functionality; System; Supported security levels (x) and open port (columns N*, M*, M-H*, H*); Port used on the controller: protocol

Océ Publisher Mobile
- System: Océ PlotWave 750 / PlotWave 900 R2.x
- Supported security levels (x) and open port: x TCP 21, TCP 4242, ICMP, UDP 515
- Port used on the controller: TCP 21: FTP; TCP 4242: FTP passive mode (6); ICMP: ping; UDP 515: Océ protocol (for printer discovery)

Océ Mobile WebTools
- System: Océ PlotWave 750 / PlotWave 900 R2.x
- Supported security levels (x) and open port: x TCP 80; x TCP 80
- Port used on the controller: TCP 80: HTTP

Océ ReproDesk Studio
- System: Océ PlotWave 750 / PlotWave 900 R2.x
- Supported security levels (x) and open port: x TCP 515, TCP 65200; x TCP 515, TCP 65200
- Port used on the controller: TCP 515: LPR; TCP 65200: Océ back-channel (**)

Novell NDPS printing
- System: Océ PlotWave 750 / PlotWave 900 R2.x
- Supported security levels (x) and open port: x TCP 515; x TCP 515; x TCP 515; x TCP 515
- Port used on the controller: TCP 515: LPR

LPR printing (command line)
- System: Océ PlotWave 750 / PlotWave 900 R2.x
- Supported security levels (x) and open port: x TCP 515; x TCP 515; x TCP 515; x TCP 515
- Port used on the controller: TCP 515: LPR

FTP printing
- System: Océ PlotWave 750 / PlotWave 900 R2.x
- Supported security levels (x) and open port: x TCP 21, TCP 4242; x (3) TCP 21
- Port used on the controller: TCP 21: FTP; TCP 4242: FTP (4)

Notes:
* Levels: N: Normal - M: Medium - M-H: Medium/High - H: High
(**) Océ back-channel is an Océ proprietary protocol used to retrieve information from the printer (status, media loaded...) and to display it in the application or driver.
(1) LPR printing with back-channel and advanced accounting
(2) LPR printing. No back-channel. No advanced accounting
(3) FTP active mode only
(4) Data channel for FTP passive mode

Scanning / copying applications: security levels, ports and protocols used by the Océ systems

Table columns: Application/Functionality; System; Supported security levels (x) and open port (columns N*, M*, M-H*, H*); Port used on the controller: protocol

Scan to File Remote SMB
- System: Océ PlotWave 750 / PlotWave 900 R2.x
- Supported security levels (x) and open port: x
- Port used on the controller: -

Scan to File Remote FTP
- System: Océ PlotWave 750 / PlotWave 900 R2.x
- Supported security levels (x) and open port: x; x (1); x (1); x (1)
- Port used on the controller: -

Scan data retrieval by FTP
- System: Océ PlotWave 750 / PlotWave 900 R2.x
- Supported security levels (x) and open port: x TCP 21, TCP 4242; x (2) TCP 21
- Port used on the controller: TCP 21: FTP; TCP 4242: FTP (3)

Scan data retrieval from Smart Inbox (Scans)
- System: Océ PlotWave 750 / PlotWave 900 R2.x
- Supported security levels (x) and open port: x TCP 80; x TCP 80
- Port used on the controller: TCP 80: HTTP

Scan data retrieval from Smart Inbox (Scans) over SSL
- System: Océ PlotWave 750 / PlotWave 900 R2.x
- Supported security levels (x) and open port: x TCP 443; x TCP 443; x TCP 443; x TCP 443
- Port used on the controller: TCP 443: HTTPS

Océ Matrix Logic
- System: Océ PlotWave 750 / PlotWave 900 R2.x
- Supported security levels (x) and open port: x TCP 80, TCP 443; x TCP 80, TCP 443; x TCP 443; x TCP 443
- Port used on the controller: TCP 80: HTTP; TCP 443: HTTPS

Notes:
* Levels: N: Normal - M: Medium - M-H: Medium/High - H: High
(1) FTP passive mode only: the FTP server on the remote workstation must support FTP passive mode
(2) FTP active mode only
(3) Data channel for FTP passive mode

Control management: security levels, ports and protocols used by the Océ systems

Table columns: Application/Functionality; System; Supported security levels (x) and open port (columns N*, M*, M-H*, H*); Port used on the controller: protocol

PING
- System: Océ PlotWave 750 / PlotWave 900 R2.x
- Supported security levels (x) and open port: x; x; x; x
- Port used on the controller: ICMP

Table columns: Application/Functionality; System; Supported security levels (x) and open port (columns N*, M*, M-H*, H*); Port used on the controller: protocol

SNMP based applications
- System: Océ PlotWave 750 / PlotWave 900 R2.x
- Supported security levels (x) and open port: x UDP 161
- Port used on the controller: UDP 161: SNMP

Océ Express WebTools
- System: Océ PlotWave 750 / PlotWave 900 R2.x
- Supported security levels (x) and open port: x TCP 80; x TCP 80
- Port used on the controller: TCP 80: HTTP

Océ Express WebTools over SSL
- System: Océ PlotWave 750 / PlotWave 900 R2.x
- Supported security levels (x) and open port: x TCP 443; x TCP 443; x TCP 443; x TCP 443
- Port used on the controller: TCP 443: HTTPS

Name resolution (**)
- System: Océ PlotWave 750 / PlotWave 900 R2.x
- Supported security levels (x) and open port: x
- Port used on the controller: Outgoing connection: local port (on controller): UDP(/TCP) <dynamic value>; remote port (on DNS server): UDP(/TCP) 53

DHCP
- System: Océ PlotWave 750 / PlotWave 900 R2.x
- Supported security levels (x) and open port: x; x; x; x
- Port used on the controller: Outgoing connection: local port (on controller): UDP 68; remote port (on DNS server): UDP 67

Océ Account Center Advanced accounting (WPD)
- System: Océ PlotWave 750 / PlotWave 900 R2.x
- Supported security levels (x) and open port: x TCP 80; x TCP 80
- Port used on the controller: TCP 80: HTTP

Accounting information retrieval by FTP
- System: Océ PlotWave 750 / PlotWave 900 R2.x
- Supported security levels (x) and open port: x TCP 21, TCP 4242; x (1) TCP 21
- Port used on the controller: TCP 21: FTP; TCP 4242: FTP (2)

Browse Océ systems on the network with Windows network neighbourhood
- System: Océ PlotWave 750 / PlotWave 900 R2.x
- Supported security levels (x) and open port: x UDP 137
- Port used on the controller: UDP 137: NetBios over TCP/IP

Océ Service Logic
- System: Océ PlotWave 750 / PlotWave 900 R2.x
- Supported security levels (x) and open port: x TCP 21, TCP 4242; x (1) TCP 21
- Port used on the controller: TCP 21: FTP; TCP 4242: FTP (2)

Table columns: Application/Functionality; System; Supported security levels (x) and open port (columns N*, M*, M-H*, H*); Port used on the controller: protocol

IPsec
- System: Océ PlotWave 750 / PlotWave 900 R2.x
- Supported security levels (x) and open port: x UDP 500, UDP 4500
- Port used on the controller: UDP 500, UDP 4500

Océ Remote Meter Reading Manager
- System: Océ PlotWave 750 / PlotWave 900 R2.x
- Supported security levels (x) and open port: x UDP 161
- Port used on the controller: UDP 161: SNMP

Océ Remote Service
- System: Océ PlotWave 750 / PlotWave 900 R2.x
- Supported security levels (x) and open port: x; x; x; x
- Port used on the controller: HTTPS outgoing connection required: TCP/IP port 443 (3)

WSD print / WSD discovery
- System: Océ PlotWave 750
- Supported security levels (x) and open port: x; x; x
- Port used on the controller: UDP 3702, TCP 5357

Notes:
* Levels: N: Normal - M: Medium - M-H: Medium/High - H: High
(**) The name resolution is mainly used to determine the IP address of the scan destination during Scan to File operation
(1) FTP active mode only
(2) Data channel for FTP passive mode
(3) TCP/IP port 443 must be opened and must allow response back on the IT infrastructure firewall.

Security Patches

Install the Océ Remote patch on Océ PlotWave 750 and Océ PlotWave 900 R2.x

Introduction
You can install the Océ Remote patches (Security patches) in the following versions of the systems:
- Océ PlotWave 750
- Océ PlotWave 900 R2.x

Before you begin
Find the Océ Security patch on the Océ Downloads website. Open the product page and go to the Security tab to download the available security patches.

Install the Océ Remote patch

Procedure
1. Open the Océ Express WebTools
2. Open the 'Support' tab
3. Select 'Update'. The Authentication window opens.

4. Log in as the System administrator or Power user. The latest patch successfully applied (when any) is displayed.
5. Click on the 'Update' icon (top right corner) to open the wizard
6. Click OK
7. Browse to the Océ Remote patch and click OK to install it

8. Click OK to confirm the update

Security levels

Security levels presentation

Introduction
On Océ PlotWave 750 and Océ PlotWave 900 R2.x, Océ defined 4 levels of security according to the customer needs. The presentation below can help you to select the most suitable level.

High and Medium-High security levels
The High and Medium-High levels are the most secure modes for printing and scanning. The compliant applications are based on:
- the LPR protocol or HTTPS protocol for printing
- the FTP protocol for scanning.

Differences between High and Medium-High
- The Océ Printer Discovery (Océ UDP 515) is available only in Medium-High level (not in High)
- WSD Print/WSD Discovery are present only in Medium-High level (for Océ PlotWave 750 only)

Target: These levels provide you with the most secure mode while using the basic features for printing and scanning. Only some Océ applications are available. See the security levels supported per application/functionality on page 62.
These security levels may also be used when you want to be protected whenever a vulnerability has been discovered and the corresponding patch cannot yet be installed. As soon as the patch can be installed, you can go back to the original security level.

NOTE
Attention: when you set the Medium-High or High security level through the HTTP protocol, the communication immediately stops. Open Océ Express WebTools by means of the HTTPS protocol (type IP address or hostname in the web browser) and restart the system. Then use the HTTPS protocol.

Medium security level
The Medium level is compliant with all the Océ applications available for printing and scanning which do not present a high risk (as reported by most popular network scanners).
Target: This level is recommended if you need to be secured while you want to use the Océ applications for printing and/or scanning (you can use the system including more functions than with the High and Medium-High security levels).

Normal security level
This mode offers all the functionalities.
Target: You can select this level if you want to use some features not covered by the Medium security level. This level is more dedicated to small network infrastructures where security is less required versus features.

Set the security level on Océ PlotWave 750 or Océ PlotWave 900 R2.x

Refer to 'Set the security level on Océ PlotWave 900 R1.1 and higher' on page 28.

Prevent any outgoing connection to the Internet

Introduction
Some features of the following systems allow or request a connection over the Internet to work properly:
- Océ PlotWave 750
- Océ PlotWave 900 R2.x

When the Security Policy in a company prevents any outgoing network traffic over the Internet, perform all the following actions in Express WebTools:

Step 1
- In the Express WebTools section: Support - Remote Service - Remote assistance
- Action: Stop the Remote assistance if it is activated
- Detail: Click 'Stop remote assistance' until it changes into 'Allow remote assistance'. The two blinking arrows on the right side disappear.

Step 2
- In the Express WebTools section: Preferences - System Defaults - Service related information
- Action: Disable Online Services
- Detail: Set 'Océ Online Services connection enabled' to 'Disabled'

Step 3
- In the Express WebTools section: Configuration - Scan destination [X]
- Action: Disable all scan destinations to FTP sites reachable through the Internet
- Detail: Uncheck 'Scan destination [X]: enabled'

Step 4
- In the Express WebTools section: Support - About - Shutdown - Restart
- Action: Restart the system

Antivirus

Compatibility and recommendations

The following 2 antivirus programmes can be installed on your Océ systems:
- Symantec AntiVirus Endpoint Protection
- McAfee VirusScan Enterprise Edition / ePolicy Orchestrator for AntiVirus update

Contact your Canon representative to know which antivirus version to install on your Océ systems and get the installation procedure.

NOTE
Canon/Océ shall not be liable for damages of any kind attributable to the use of an antivirus on its controllers.

Roles and Passwords

Roles and profiles in the Océ PlotWave 750 and Océ PlotWave 900 R2.x

Roles description
In the system, the main network and system settings are protected against change. Only authorised users can configure/change these settings. 4 roles are available:
- Key operator: The Key operator can manage the jobs and the device settings
- System administrator: The System administrator can manage the Configuration settings such as the Network settings, scan destinations settings, security settings (e-shredding, IPsec), and the hardware/software configuration settings...
- Power user: The Power user has both the rights of the Key operator and the System administrator
- Service: This role is used exclusively by the Canon Service technician

Passwords policy and behaviour for Océ PlotWave 750 and Océ PlotWave 900 R2.x

Introduction
In Océ Express WebTools the passwords protect:
- The roles
- The Scan to File remote user name
- The security settings (preshared key for IPsec)
- The mobile printing password
On the printer panel, a password protects the administration settings.

Passwords in Océ Express WebTools

Password modification table for Océ PlotWave 750 and Océ PlotWave 900 R2.x
Table columns: Password for; Can be changed by; Stored in the back up set*
- Key operator: can be changed by Key operator or Power user; stored in the back up set: No
- System administrator: can be changed by System administrator or Power user; stored in the back up set: No
- Power user: can be changed by Power user; stored in the back up set: No
- Service: can be changed by System administrator or Power user; stored in the back up set: No
- Mobile printing password (for Océ Mobile WebTools): can be changed by System administrator or Power user; stored in the back up set: No
- Any Scan To File remote user name: can be changed by System administrator or Power user; stored in the back up set: No

- Any preshared key for IPsec: can be changed by System administrator or Power user; stored in the back up set: No
- Remote Service Proxy authentication user: can be changed by System administrator or Power user; stored in the back up set: Yes, stored encrypted.

* When you make a back up set of your system settings using the 'Save Set' feature in Océ Express WebTools ('Preferences' tab). The passwords are stored in the backup file whatever the role used when making the 'Save Set' operation (as System administrator, Key operator, or Power user). However, the passwords are restored only when the System administrator or the Power user performs the 'Open Set' operation.

Password policy
- 256 characters maximum
- Any number [0-9]
- Any letter lowercase/uppercase [a-z][A-Z]
- The following special characters: _ - # $ % ^ * ? { } ( ) = + , . ; : [ ] / \

Passwords storage on the controller
All passwords are stored encrypted on the controller. There is no open access to the system to change them. You can change them only through the standard user interface on the controller.

Password on the printer panel (for Océ PlotWave 750)
You can activate the password to restrict the access to the Administrator settings from the printer panel. This password is fixed and cannot be changed (refer to the Océ PlotWave 750 Operation Guide to know more about the password).

Printer panel protection

Introduction
From Océ Express WebTools, you can disable the access to some administration and network settings from the printer panel. When the 'System administration from Printer Panel' feature is disabled in the Configuration - Connectivity settings in Océ Express WebTools, the 'Administrator only' menu is no longer displayed on the printer panel.
Therefore, the following settings are no longer accessible from the printer panel:
- Network adaptor settings
- Clear memory (job removal)
- Activate/deactivate buzzer
- Activate/deactivate password (on the printer panel)

Audit log

Introduction
All changes related to security settings are logged in the Audit log. They can be downloaded and/or cleared.

The operations stored in the Audit log
In Océ Express WebTools, open the Support - Audit log tab to download the Audit log that contains information on any change made in settings. Collected information on each setting is:

NOTE
In columns from left to right.

1. Username (if available)
2. IP address of the host or printer user interface from where the modification was done
3. Name of the host or printer user interface from where the modification was done
4. Type of event (create/modify/delete/start/stop/action)
5. Object concerned (setting/template name, service name, operation/action)
6. New value (if applicable, and not logged for password fields)
7. Timestamp in UTC (date&time in ISO-8601 format, yyyy-mm-ddThh:mm:ssZ)

User (Key operator, System administrator, Power user) and Service settings:
- IPv4/IPv6 network settings (IP address, Subnet mask, DNS, Gateway, DHCP, ...)
- IPsec settings
- Network services (enable/disable/settings)
- Creation/modification/removal of scan destinations
- Changes of passwords used to protect security-related settings (Key operator, System administrator, Power user, Service, User interface password/pin for network settings, ...)
- Timezone
- E-shredding settings
- Remote service online connection (enabled/disabled)
- 3rd-party software settings (remote desktop, admin account, firewall port)
- Smart Inbox (enable/disable)
- Allow Service Technician to reset passwords (on/off)
- Save retrieved job data for service (on/off)
- HTTPS settings (enable/disable, change of certificate)
- HTTP proxy settings (for remote service)
- Force entry of accounting data for scan/copy/print (on/off)
- Startup/shutdown of the audit functionality
- Tracking info: when someone logs on to view or to change non-security settings
- Changing date and time
- Use of restore and 'open set'

Service settings only:
- Retrieval of job data by service
- Resetting of passwords by service
- Remote service (Allow remote login)
- Audit log export
- Accounting dialog upload (used to implement access control for scan/copy)
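One way to review a downloaded Audit log offline, added here as an example and not Océ code. It assumes the export is a comma-separated file with the seven columns in the order listed above; the file layout, the setting names in the watch list and the sample rows are constructed for illustration.

```python
import csv
import io
import ipaddress
from datetime import datetime, timezone

# Column order as listed in the guide, left to right.
COLUMNS = ["user", "ip", "host", "event", "object", "new_value", "timestamp"]

# Assumption: (object substring, new value) pairs meaning that a protection
# described in the guide was switched off. Match them to a real export.
WEAKENING = [
    ("ipsec", "disabled"),
    ("e-shredding", "disabled"),
    ("https", "disabled"),
    ("allow service technician to reset passwords", "on"),
    ("save retrieved job data for service", "on"),
]

# Constructed sample rows, not taken from a real controller.
SAMPLE_LOG = """\
sysadmin,10.0.5.20,admin-ws01,modify,IPsec,enabled,2014-03-04T08:15:02Z
sysadmin,10.0.5.20,admin-ws01,modify,E-shredding,enabled,2014-03-04T08:16:40Z
poweruser,10.0.9.77,cad-ws14,modify,E-shredding,disabled,2014-03-05T19:02:11Z
,,printer panel,modify,Date and time,2014-03-01T00:00:00,2014-03-01T00:00:05Z
service,10.0.5.20,admin-ws01,stop,Audit functionality,,2014-03-01T00:01:30Z
"""


def parse_audit_log(text):
    """Return one dict per row, with 'ip' and 'timestamp' turned into objects."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != len(COLUMNS):
            continue  # skip blank or malformed rows
        rec = dict(zip(COLUMNS, (cell.strip() for cell in row)))
        try:
            rec["ip"] = ipaddress.ip_address(rec["ip"])
        except ValueError:
            rec["ip"] = None  # e.g. a change made on the printer user interface
        # A timestamp that is not in the documented format raises ValueError.
        rec["timestamp"] = datetime.strptime(
            rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
        records.append(rec)
    return records


def find_alerts(records, admin_networks):
    """Return (timestamp, reason, record) tuples for rows that need review."""
    nets = [ipaddress.ip_network(n) for n in admin_networks]
    alerts = []
    previous = None
    for rec in records:
        reasons = []
        obj, value = rec["object"].lower(), rec["new_value"].lower()
        if any(name in obj and value == bad for name, bad in WEAKENING):
            reasons.append("protection switched off")
        if rec["event"].lower() == "stop" and "audit" in obj:
            reasons.append("audit logging stopped")
        if rec["ip"] is not None and not any(rec["ip"] in n for n in nets):
            reasons.append("change from outside the admin networks")
        # Entries are expected in time order; a step back suggests a clock change.
        if previous is not None and rec["timestamp"] < previous:
            reasons.append("timestamp earlier than previous entry")
        previous = rec["timestamp"]
        alerts.extend((rec["timestamp"], reason, rec) for reason in reasons)
    return alerts


if __name__ == "__main__":
    records = parse_audit_log(SAMPLE_LOG)
    for when, reason, rec in find_alerts(records, ["10.0.5.0/24"]):
        print(when.isoformat(), reason, rec["user"] or "-", rec["object"], sep=" | ")
```

Because password fields are not logged with their new value, a password change shows up only as an event on the password object; add the object names from a real export to the watch list to cover them.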

Data Security

E-Shredding

E-shredding presentation

Introduction
The e-shredding feature is a security feature which overwrites any user data (print/copy/scan) when it is deleted from the system. This feature prevents the recovery of any deleted user data (files' content and attributes). A deleted job is a job that cannot be retrieved from any user interface.

When is a job deleted?
A job is deleted either:
- When it is manually deleted from a Smart Inbox
- After it was successfully printed and was not saved in a Smart Inbox ('Save printed jobs in a Smart Inbox' system setting is disabled in the Océ Express WebTools)
- After a 'ScanToFile to remote destination' has been successfully performed
- When it is automatically deleted after a timeout:
  - When the end of the job lifetime in the Smart Inbox is reached ('Save printed jobs in a Smart Inbox' system setting is enabled in the Océ Express WebTools and the 'Printed jobs in Smart Inbox: job lifetime' is set)
  - When the time for the cleanup of the 'Scans in Smart Inbox' is reached
- When a 'Clear system' or 'Clear memory' (job removal) is performed on the printer local interface

E-shredding algorithms
Select one of the three e-shredding behaviours:
- DOD M: 3-pass overwriting algorithm (compliant with the US Department of Defense directive)
- Gutmann: 35-pass overwriting algorithm with random data
- Custom: set the number of passes, from 1 to 35.

NOTE
The e-shredding feature has been designed to minimise its impact on the global system performance. However, the more passes selected, the more impact it has on general performance. It is recommended to minimise the number of passes when document production is required.

Enable the e-shredding

Before you begin
You must be logged in as a System Administrator or a Power user.

NOTE
When you enable the e-shredding, the system automatically disables the 'Save printed jobs in a Smart Inbox' setting.

Enable/disable the e-shredding (Océ Express WebTools)

Procedure
1. Open a web browser and enter the system URL to open the Océ Express WebTools
2. Open the 'Configuration' - 'Connectivity' page and select the 'E-shredding' section
3. Click Edit
4. Check the 'E-shredding' feature to enable it
5. Select the algorithm. When you select 'Custom', set the number of passes

Result
When the E-shredding feature is enabled, an indication is displayed at 2 locations in the system:
- On the printer user panel, an indication is displayed in the System menu: 'E-shredding enabled'
- In the Océ Express WebTools window, a new icon is added to the list of icons (bottom right)
Each time data (file's content or attributes) is deleted from the system, the e-shredding process occurs. For a while, the E-shredding feedback returns as 'busy'. Once the e-shredding data processing is complete, the status comes back to 'E-shredding ready' in the Océ Express WebTools (roll over the icon) on a workstation or on the controller monitor.

NOTE
In case some scanned files have a 'Scan destination file name' composed of more than 256 characters, on the controller or on the remote destination, they will be deleted, but they will not be e-shredded (too long name).

E-shredding and 'Save received job data for Service' feature
On Océ PlotWave 750 and PlotWave 900 R2.x, enabling the e-shredding function doesn't impact the feature 'Save received job data for Service'. If 'Save received job data for Service' is activated, it is recommended to clean up the system and delete all job data previously saved for Service:
1. Enable e-shredding
2. In Preferences - Systems settings, go to the Contact section
3. Set the 'Save received job data for Service' setting to 'Off and clear at next reboot'
4. Restart the controller

E-shredding process and system behaviour

When you enable the e-shredding
When you enable the e-shredding, the system starts the e-shredding process for all print/scan jobs that will be deleted. The e-shredding process will occur as a background task. All processed jobs will be e-shredded as soon as they are deleted:
- After a manual deletion from the Smart Inbox
- After an automatic deletion of the print and scan jobs by the system (timeout, disabled Smart Inbox, cleanup)

When you disable the e-shredding
When you disable the e-shredding, the system:
- Terminates the e-shredding process for files which are being e-shredded
- Will not e-shred the new deleted files

Make sure all the scan/copy/print jobs are completely e-shredded
Once a batch of scan/copy/print jobs has been processed, perform the following actions to make sure all the files are e-shredded:
1. Unplug the system from the network
2. Check that 'Save received job data for Service' setting is set to 'Off and clear at next reboot'
3. Restart the system controller
4. Check that 'Saved print jobs in Smart Inbox' is disabled
5. Delete any job from the 'Scans' Smart Inbox
6. Make a 'Clear system' from Océ Express WebTools (Maintenance section in the Support tab)
7. Wait until the e-shredder status comes back to 'Ready' (in Océ Express WebTools or on the printer panel)
8. Restart the system controller
9. Wait until the e-shredder status displays 'Ready' (in Océ Express WebTools)

IPsec

IPsec presentation

Introduction
IPsec is a protocol that provides authentication, data confidentiality and integrity in the network communication between devices. A strong mechanism of encryption guarantees the confidentiality of the user print and scan data on the network. IPsec is particularly suitable in a configuration where you need to create a dedicated secure link between the printer/copier system and a workstation which can be dedicated as a Print Server (or a Scan Server). You can connect up to 5 IPsec stations to the printer/copier system.

In the configuration below:
- The printer/copier system is physically connected to the network but communicates only with a dedicated station (a Print Server or Scan Server for example)
- The Print Server receives the print request from the workstations via IP on the network
- The Print Server sends the print requests to the printer/copier system via IPsec
- The workstations cannot communicate directly with the printer/copier system

NOTE
In this configuration, the back-channel communication between a workstation and the printer is unavailable (the back-channel information is not displayed in the Océ WPD driver).

NOTE
IPsec can be used only with IPv4 (IP type set to 'IPv4 only' or 'IPV4 and IPv6 both enabled'). In the Connectivity - Network adapter section, the IPsec settings are not available when 'IPv6 only' is selected.

IPsec parameters in the Océ Express WebTools (EWT)
The following IPsec parameters are available in the Océ Express WebTools:

IPsec Generic section:
- IPsec (Enabled/Disabled): General setting to enable or disable IPsec. Once enabled, only the network traffic defined by the IPsec configuration rules is authorised.
- Failsafe option (Enabled/Disabled): Keep this option enabled during the IPsec configuration, until the complete and successful IPsec communication between the printer/copier system and the configured station.
  - When the option is Enabled (with IPsec enabled), only the network traffic defined by IPsec configuration rules is authorised. All other network traffic is denied except the HTTP traffic for Océ Express WebTools with any workstation: this makes it possible to change some IPsec settings via Océ Express WebTools, from any workstation.
  - When the option is Disabled (with IPsec enabled): only the network traffic defined by the IPsec configuration rules is authorised. All other network traffic is denied.
- Default preshared key: You can define a default preshared key that will be used for all the stations connected by IPsec to the printer/scanner system.
- Other settings: You can display the other IPsec generic settings ('See all'). Keep them unchanged.

IPsec stations section:
You can configure a maximum of 5 IPsec communications between the printer/copier system and 5 workstations. Enable and configure the parameters for each required station.

The parameters can be different for each different workstation:
- the IP address
- the preshared key (keep the generic default one or set a custom one)

Configure the IPsec settings on the Océ controller

Before you begin
You must be logged in as a System Administrator or a Power user.

Activate and configure IPsec on the printer/scanner controller

Procedure
1. Open a web browser and enter the system URL to open the Océ Express WebTools
2. Open the 'Configuration' - 'Connectivity' page
3. In the 'IPsec generic' section, click 'Edit'
4. Check 'IPsec'
5. Keep 'Failsafe option' checked while you configure IPsec. If needed, this lets you connect to the Océ Express WebTools from any workstation in order to change parameters.
6. Keep the other parameters as they are.

7. In the 'IPsec stations' section, click 'Edit'
8. Select 'IPsec station 1: Enable'
9. Enter the 'IPsec station 1: IP address' of the workstation
10. Create and enter the 'IPsec station 1: Preshared key' using the following policy:
- 256 characters maximum
- Any number [0-9]
- Any letter lowercase/uppercase [a-z][A-Z]
- The following special characters: _ - # $ % ^ * ? { } ( ) = + , . ; : [ ] / \

NOTE
Write it down, this preshared key will be required during the IPsec configuration on the workstation.

NOTE
IPsec can be used only with IPv4 (IP type set to 'IPv4 only' or 'IPV4 and IPv6 both enabled'). In the Connectivity - Network adapter section, make sure 'IPv6 only' is NOT enabled before you configure IPsec on the controller.

Result
The IPsec settings are configured on the controller for a connection to a workstation (which can be a print server).
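The password policy given for the Express WebTools passwords and for the IPsec preshared key can be checked before a key is typed on both the controller and the workstation. The following is an added example, not Océ code: it generates a random preshared key from the allowed characters and reports why a candidate key would fall outside the policy. The special-character set is the list above read as 22 separate characters, and the function names are hypothetical.

```python
import math
import secrets
import string

# Special characters as read from the policy list in the guide (assumption:
# the list stands for these 22 separate characters; space is not one of them).
SPECIALS = "_-#$%^*?{}()=+,.;:[]/\\"
ALLOWED = string.ascii_letters + string.digits + SPECIALS
MAX_LENGTH = 256


def check_policy(key):
    """Return a list of policy problems; an empty list means the key conforms."""
    problems = []
    if not key:
        problems.append("key is empty")
    if len(key) > MAX_LENGTH:
        problems.append(f"{len(key)} characters, maximum is {MAX_LENGTH}")
    bad = sorted({c for c in key if c not in ALLOWED})
    if bad:
        problems.append(
            "characters outside the policy: " + " ".join(repr(c) for c in bad)
        )
    return problems


def entropy_bits(length):
    """Entropy of a uniformly random key of this length over ALLOWED."""
    return length * math.log2(len(ALLOWED))


def min_length_for(bits):
    """Shortest random key length that reaches the requested entropy."""
    return math.ceil(bits / math.log2(len(ALLOWED)))


def generate_psk(length=32):
    """Generate a random preshared key that conforms to the policy."""
    if not 1 <= length <= MAX_LENGTH:
        raise ValueError(f"length must be between 1 and {MAX_LENGTH}")
    return "".join(secrets.choice(ALLOWED) for _ in range(length))


if __name__ == "__main__":
    key = generate_psk()
    print("generated key:", key)
    print("entropy: %.0f bits" % entropy_bits(len(key)))
    print("length needed for 128 bits:", min_length_for(128))
    # Keys from a password manager often contain characters such as space,
    # '!' or '@', which are not in the list and should be caught beforehand.
    for candidate in ("Plot-Wave_750#key", "bad key!", "clé-secrète"):
        print(repr(candidate), check_policy(candidate) or "conforms")
```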

Configure the IPsec settings on a workstation or a print server

When to do
After the IPsec configuration on the controller.

Pre-requisites
Log on to the workstation with the Administration rights.

Purpose
Complete the IPsec configuration for a secure connection between the printer/copier system and a workstation. On the workstation, perform the 6 following actions:
1. Add the security snap-in
2. Create the security policy
3. Create the filter list
4. Define the filter actions and security negotiation
5. Define the security rule
6. Assign the security policy

NOTE
The procedure below shows the configuration steps on Windows server. The procedure is similar on other Operating Systems (Windows Server 2003, Windows XP, Windows Vista, Windows 7).

The impact of IPsec when you print using Océ WPD through a print server

Introduction
When you use WPD on a print server, with advanced accounting activated, the use of IPsec has an impact on the workflow when the following conditions are met:
- A print server is configured as an IPsec station.
- Océ WPD is installed on the print server.
- IPsec is activated and the 'Failsafe mode' is disabled on the printer controller.
- The client workstation is not configured as an IPsec station.
- The client workstation uses the Océ WPD shared driver installed on the print server (Point & Print) to print jobs.

Pre-requisites
When advanced accounting is required, make sure you configured Account Center BEFORE disabling the 'Failsafe mode' on the printer controller.

Consequences of the IPsec configuration on the client workstation:
- The back-channel information (printer status, feed data) is not retrieved from the printer. It is not displayed in the driver interface.

On the workstation, when the job is sent with Océ WPD:
- The required accounting information is not requested when submitting the job.
- The submitted job is stored in the Smart Inbox. It is not printed since accounting information is missing.
Open the Inbox in Océ Express WebTools (on an IPsec station) to enter the required accounting information and print the job.

NOTE
To be able to enter the accounting information and print directly from the workstation, enable the 'Failsafe mode' on the controller. The accounting window is then displayed on the client workstation, and the accounting information can be entered to print the job.

Troubleshooting: emergency procedure to disable IPsec

Introduction
In the following case:
- IPsec is enabled and activated on the printer/scanner controller, and
- The 'Failsafe mode' is disabled, and
- The communication between the controller and the IPsec stations fails
you cannot open Océ Express WebTools remotely to change the settings. The system is unreachable.

Solution to disable IPsec:
Connect to the printer system through the controller monitor (configuration where a keyboard and monitor are plugged into the printer controller) to open Océ Express WebTools and disable IPsec.

HTTPS (on Océ PlotWave 750 and PlotWave 900 R2.x)

Encrypt print data and manage the system configuration using HTTPS

Introduction
On the Océ PlotWave 750 and Océ PlotWave 900 R2.x systems, you can use the HTTPS protocol to:
- send encrypted print data to the printer controller via Océ Publisher Express
- save encrypted scan jobs from the printer controller (Scans Inbox)
- securely manage the configuration of the system through Océ Express WebTools
Certificates are used to check the identity of the workstations and controller during the communication.
The HTTPS protocol is always available. All settings and options available through HTTP are also available through HTTPS.

The Océ self-signed certificate and the CA-signed certificate
2 types of certificates can be used:
- By default, Océ delivers an Océ self-signed certificate. This certificate provides encryption of the print data (sent through Publisher Express) and of the configuration settings (accessed through Océ Express WebTools) between the client and the controller. It is easy to use. This self-signed certificate has not been signed by a Certification Authority; consequently the web browser displays a 'Certificate Error' message the first time you use the HTTPS protocol.
- The CA-signed certificate is delivered by a Certification Authority. The administrator can request and import a CA-signed certificate when the security policy recommends it.

Configure the HTTPS settings
Go to Configuration - Remote security and log on as the System administrator to manage the certificates.

NOTE
On the controller monitor (screen/keyboard connected directly to the controller) only the 'Reset Certificate' item is displayed on the Remote security page.

Before you begin
The first time you use a self-signed certificate, your web browser will generate security error messages. In order to easily and securely use the self-signed certificate in your web browser, you must:
- View and check the self-signed certificate in your web browser
- Configure your web browser to trust the self-signed certificate

Use the Océ self-signed certificate with Internet Explorer

Procedure
1. On a workstation, type the URL address of your printer in Internet Explorer: Name or PrinterHostname or PrinterIPaddress]
   A warning window opens. It displays 2 errors:
   - The certificate is not issued by a trusted certificate authority.
   - The Common Name in the certificate does not match the printer hostname (or IP Address) you typed in the address bar.
2. In order to view and check the self-signed certificate, continue to the website
3. Click on 'Certificate error'
4. Click 'View certificates'
5. The certificate is issued to 'Océ Express WebTools' by 'Océ Express WebTools'
6. Click 'Install Certificate...'
7. Follow the Wizard's instructions to import the certificate into your web browser:
   1. Place the certificate in the 'Trusted Root Certification Authorities' folder

   2. Accept the warning
   3. Finish the installation
   When the import is successful, the 'Océ Express WebTools' Certificate is recognised and its status is OK.
8. Open the Tools menu\internet options\advanced tab. In the Security section, uncheck the option "Warn about certificate address mismatch"

9. Close ALL instances of Internet Explorer
10. Restart the browser and type the URL of your printer in Internet Explorer ( Name or PrinterHostname or PrinterIPaddress]).

Result
The padlock is displayed on the address bar. The Océ self-signed certificate guarantees:
- The identity of the remote computer (controller)
- The encryption of the print data on the network

Use the Océ self-signed certificate with Mozilla Firefox

Procedure
1. On a workstation, type the URL address of your printer in Mozilla Firefox ( Name or PrinterHostname or PrinterIPaddress]).
   A warning window opens. It displays 2 errors:
   - The certificate is not trusted because it is self-signed
2. In order to view and check the self-signed certificate, continue to add an exception.

3. Click 'I Understand the Risks' and 'Add Exception...'
4. In the 'Add Security Exception' window, click 'Get Certificate' to get the certificate from the controller web server. The 'Wrong site' and 'Unknown Identity' errors are displayed.
5. Click 'View...' to see the content of the certificate. Check the following values:
   - Common Name (CN) = Océ Express WebTools
   - Organization (O) = Océ
   - Organization Unit (OU) = WFPS
6. The certificate is issued to 'Océ Express WebTools' by 'Océ Express WebTools', so you can confirm the security exception (permanent or temporary exception).
7. A security warning window may pop up. Click 'Yes' to continue.

Result
The Océ Express WebTools software opens. You can check in the status bar (at the bottom of the window) that the padlock is displayed. In the navigation bar, the Océ certificate is registered as an exception. The identity of the remote controller and the encryption of the data on the network are secured.

Request and import a CA-signed certificate

Description of the overall procedure to request and import a CA-signed certificate

Introduction
By default the first certificate delivered for the use of HTTPS is an Océ self-signed certificate. To ensure a fully trusted authentication, you can request and import a certificate delivered by a Certification Authority (CA-signed certificate).

Information about certificates
When you generate a CA-signed certificate request on a controller:
- A new private key is created: this key stays in the controller
- The certificate request containing the public key is created. Send it to the Certification Authority.

The CA-signed certificate you will receive also contains the public key. This public key is linked to the private key already stored in the controller. In the controller, the private key and the public key must match to enable a secure HTTPS protocol.

To request and then import a CA-signed certificate while you are still using HTTPS, follow these 2 procedures, step by step:

Overall procedure to prepare and generate the CA-signed certificate request

Step A1- Back up the current certificate and private key
   The current certificate can be:
   - the original Océ self-signed certificate embedded
   - a CA-signed certificate (delivered by a Certification Authority) you previously installed
   See Back up a certificate and a private key on page 138.
Step A2- Generate the certificate request
   Make this step when you want to request and install a CA-signed certificate. During the creation of the request, a new private key is created.
   See Generate a CA-signed certificate request on page 139.
Step A3- Save the content of the certificate request
   Send this content to the Certification Authority to request a (CA-signed) certificate. The Certification Authority will check the request and reply.
   - If the request is valid, go to step A4
   - If the request is not valid, make a new request (A2) according to the remarks/corrections suggested by the CA request feedback
Step A4- Restart the controller

Overall procedure to import the new CA-signed certificate

Step B1- Save and store the new CA-signed certificate
   Save the CA-signed certificate you received from the Certification Authority.
Step B2- Import the new CA-signed certificate into the controller
   Import the CA-signed certificate (Root and/or Intermediate and CA-signed certificates).
   See Import a CA-signed certificate (into the controller and workstations) on page 140.
Step B3- Restart the controller

Step B4- Import the Root certificate into the web browsers of the workstations
   The Root certificate identifies the Certification Authority. By default, the web browsers contain a list of well-known and trusted Root certificates. In case the Root certificate of the Certification Authority is not in this list, install the CA Root certificate in the 'Trusted Root certificates' list of the web browser, on each workstation.
   See Check and import the Root certificate into the workstations browser on page 141.
Step B5- Back up the certificate and private key
   Back up and store the certificate and the private key.
   Note: It is highly recommended to back up the CA-signed certificate and the private key since they are not saved in any system backup.
   See Back up a certificate and a private key on page 138.

Other procedures

Procedure: Restore a certificate and a private key
   When to do: You can restore the certificate and the private key at any moment, in case of need.
   See Restore a certificate and a private key on page 141
Procedure: Reset the current certificate
   When to do: You can reset the certificate after a certificate request or at any moment when you want to restore a self-signed certificate. This procedure creates a new Océ self-signed certificate.
   See Reset the current certificate on page

Smart Inbox management and job management

Configure the Smart Inboxes and the job management settings
You can use the Smart Inbox management features of your system to limit and restrict the access to the print and scan job data. Configure the job management settings to manage the visibility of jobs and their availability through Océ Express WebTools.

Smart Inbox and job management configuration:
Go to the 'Preferences'/'System properties' to disable or restrict:

- The use of the Smart Inboxes ('Smart Inbox capability')
  When the 'Smart Inbox capability' is set to 'Disabled', the incoming jobs are temporarily displayed greyed out in the Smart Inbox and sent to the print job queue. The jobs are removed from the Smart Inbox as soon as they are printed.
  Recommendation: Before disabling the Smart Inbox capability it is advised to clean up the jobs:
  - Clear the temporary store
  - Clear the system
- The remote view of the Smart Inboxes ('Remote Smart Inbox view')
  When set to 'Login needed', you restrict the view on the Smart Inboxes to the Key operator or Power user only (login needed to view the Smart Inbox).
- The ability to print from Smart Inbox and to make queue operations ('Printing from Smart Inbox and queue operations')
  When set to 'Login needed', all remote actions on jobs in the Smart Inboxes and queue are restricted to the Key Operator or Power user only.
- The use of Publisher Express to create jobs ('Create print job via Publisher Express')
  When set to 'no one', the job submission capability (through Express WebTools) is completely deactivated. When the login is needed, only the System administrator, the Power user or the Key operator can log in to use Publisher Express.
- The ability to delete scans from the Smart Inbox ('Delete scans from the Smart Inbox')
  When set to 'Login needed', only the Key Operator or Power user can log in to delete scans from an inbox.


Chapter 3 Security on Océ PlotWave 500 and PlotWave 340/360

Overview

Security overview for the Océ PlotWave 500 and PlotWave 340/360 systems

Introduction
The Océ PlotWave 500 and PlotWave 340/360 systems are equipped with the following security features:

Security overview
Operating System: Windows Embedded Standard 7 SP1
Firewall: Yes
Network protocols protection: Yes (per protocol, through firewall)
MS security patches: Océ released patches
Security logging: Auditing of security related events
Antivirus: Yes
IPv6: Yes (IPV6 only or IPV6/IPV4 combination)
Data overwrite: E-shredding
Data encryption on the network: IPsec; HTTPS for administration (Océ Express WebTools) and for Job submission through Océ Publisher Express
Password protection: Yes for:
- User settings
- Administration settings
- Settings on the printer user panel
Access control: IP filtering
SMB authentication: NTLMV2
Smart Inbox management:
- Smart Inbox capability can be disabled
- Remote view restriction
Océ Publisher Express access: Access restriction
Actions on jobs: Remote action restriction

System and Network security

Ports - Protocols

Applications, protocols and ports used in the Océ PlotWave 500 and PlotWave 340/360 systems

Printing applications with Océ PlotWave 500 and PlotWave 340/360: INBOUND and OUTBOUND ports and protocols used by the system

Application /Functionality Océ Wide-format Printer Driver for Microsoft Windows (WPD2) Océ PostScript 3 driver Océ Publisher Express Publisher Select INBOUND ports on the controller: protocol TCP 515: LPR TCP 80: HTTP for back-channel* and Advanced accounting UDP 515: Océ protocol for Printer Discovery TCP 515: LPR TCP 80: HTTP TCP 443: HTTPS TCP 80: HTTP UDP 515: Océ protocol for Printer Discovery OUTBOUND ports from the controller: protocol UDP 515: Océ protocol for Printer Discovery Océ Publisher Mobile TCP 515: LPR (1) TCP 4242: FTP passive mode (for data channel in FTP passive mode) ICMP: ping UDP 515: Océ protocol for Printer Discovery TCP 21: FTP (2) Océ Reprodesk Studio Novell NDPS printing LPR printing FTP printing TCP 515: LPR TCP 65200: Océ back-channel (OCI) TCP 515: LPR TCP 515: LPR TCP 21: FTP TCP 4242 (for data channel in FTP passive mode) Print from SMB TCP 139, 445 UDP 138,

Application /Functionality INBOUND ports on the controller: protocol OUTBOUND ports from the controller: protocol
Print from FTP
   FTP command (3): Local: TCP any; Remote: TCP 21
   FTP Data (3): Local: TCP any; Remote: TCP any
Print from Cloud: WebDAV
   TCP 80: HTTP
   TCP 443: HTTPS
   TCP web proxy port (4)
   TCP WebDAV port

Notes:
* Océ back-channel is an Océ proprietary protocol used to retrieve information from the printer (status, media loaded...) and to display it in the application or driver.
(1) For Océ Publisher Mobile v 2.2 and later for Android, and for Océ Publisher Mobile v 2.3 and later for iOS
(2) Only for Océ Publisher Mobile v 2.0 to v2.2 for iOS
(3) FTP passive mode only (FTP active mode not supported).
(4) When there is a proxy.

Scanning applications with Océ PlotWave 500 and PlotWave 340/360: INBOUND and OUTBOUND ports and protocols used by the system

Application /Functionality INBOUND ports on the controller: protocol OUTBOUND ports from the controller: protocol
Scan to File: SMB
   TCP 139, 445
   UDP 137, 138, 445
Scan to File: FTP
   FTP command (1): Local: TCP any; Remote: TCP 21
   FTP Data (1): Local: TCP any; Remote: TCP any
Scan to File: Cloud (WebDAV)
   TCP 80: HTTP
   TCP 443: HTTPS
   TCP web proxy port (2)
   TCP WebDAV port
Scan data retrieval from Smart Inbox (Scans)
   TCP 80: HTTP
   TCP 443: HTTPS

Notes:
(1) FTP passive mode only (FTP active mode not supported).
(2) When there is a proxy.

Control management with Océ PlotWave 500 and PlotWave 340/360: INBOUND and OUTBOUND ports and protocols used by the system

Application /Functionality PING IPv4 INBOUND ports on the controller: protocol ICMPv4 OUTBOUND ports from the controller: protocol PING IPv6 ICMPv6 nslookup SNMP based applications Name resolution Océ Express WebTools Océ Account Center Accounting information retrieval Océ Meter Manager Océ back-channel Océ Remote Service UDP local port : any UDP remote port : 53 UDP 161: SNMP Outgoing connection: Local port (on controller): UDP(/TCP) <dynamic value> TCP 80: HTTP TCP 443: HTTPS TCP 80: HTTP TCP 80: HTTP UDP 161: SNMP TCP for OCI back-channel Remote port (on DNS server): UDP(/TCP) 53 TCP 443: HTTPS TCP web proxy port (1) NetBios over TCP/IP UDP 137 TCP 139, 445 UDP 138 WSD WAVE OBIS TCP 80: HTTP UDP 3702 for WSD discovery TCP 5357 for WSD eventing TCP 80: HTTP TCP 80: HTTP for back-channel (Océ Publisher Select) IPsec UDP 500 UDP 4500

Notes:
(1) When there is a proxy.

Additional built-in Windows 7 firewall rules

Inbound rules:
Core Networking - Dynamic Host Configuration Protocol (DHCP-In)
Core Networking - Dynamic Host Configuration Protocol for IPv6 (DHCPV6-In)

Outbound rules:
Core Networking - DNS (UDP-Out)
Core Networking - Dynamic Host Configuration Protocol (DHCP-Out)
Core Networking - Dynamic Host Configuration Protocol for IPv6 (DHCPV6-Out)

Core Networking - IPv6 (IPv6-Out)

Security Patches

Install the Océ Remote patch

Introduction
You can install the Océ Remote patches (Security patches) in your Océ system.

Before you begin
Find the Océ Security patch from the Océ Downloads website on Open the product page and go to the Security tab to download the available security patches.

Install a patch

Procedure
1. Open Océ Express WebTools
2. Open the 'Support' tab
3. Select 'Update'
   The Authentication window opens.
4. Log in as the System administrator or Power user
   The latest patch successfully applied (when any) is displayed
5. Click on the 'Install' icon (top right corner of the 'Operating system patches' section) to open the wizard
6. Click OK

7. Browse to the Océ Remote patch and click OK to install it
8. Click OK to confirm the update

Protocol protection

Network protocols protection

Introduction
In the Océ PlotWave 500 and PlotWave 340/360 systems, you can completely disable some protocols in order to protect them against attacks. HTTPS (inbound), ICMP (ping), DNS protocols cannot be completely disabled.

List of network protocols

Protocols or Network services | Protocol basis | Available protection | Remarks
'FTP' | FTP | Enable/Disable | For FTP printing (the controller acts as a FTP server). Not applicable to Print from/scan to FTP features.
'SNMP' | SNMP | Enable/Disable |
'LPR/LPD' | LPR | Enable/Disable | For LPR printing
'Océ WAVE interface' | HTTP | Enable/Disable | Used for: Océ back-channel for WPD2; Account Center
'Web Services on Devices (WSD)' | HTTP | Enable/Disable | For WSD device discovery
'OCI interfaces' | Océ proprietary interfaces | Enable/Disable | Used for Reprodesk Server
'Allow interaction with Océ Publisher Select' | HTTP | Enable/Disable | Used only for Océ Publisher Select back-channel
'Océ Express WebTools via HTTP' | HTTP | Enable/Disable | For Océ Express WebTools and Publisher Express
'Locking of the user panel via the Océ Wave interface' | HTTP | Enable/Disable | When this setting is enabled, 'Océ Wave interface' setting must be enabled

Protocols or Network services | Protocol basis | Available protection | Remarks
HTTP (inbound) | HTTP | There is no specific setting to disable the HTTP protocol. Inbound HTTP is enabled as long as at least one of the following services is enabled: 'Océ Wave interface'; 'Web Services for Devices'; 'Allow interaction with Océ Publisher Select'; 'Océ Express Web Tools via HTTP'. Inbound HTTP is totally disabled when ALL aforementioned network services are disabled. |
HTTPS (inbound) | HTTPS | Always Enabled - Cannot be disabled. |
'Allow automatic update of Océ Service information' | HTTP/HTTPS | Enable/Disable | Outbound connection
'Océ Online Services connection enabled' | HTTPS | Enable/Disable | Outbound connection used by Remote Service

Note: To disable a network protocol or network service, go to the Configuration / Connectivity section of the Océ Express WebTools and uncheck the protocol or service. To disable 'Océ Online Services connection enabled', go to Preferences / System defaults / System related information.
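Because inbound HTTP has no switch of its own, it is easy to leave TCP 80 open after disabling the services you had in mind. The following added example, which is not Océ code, derives the inbound TCP ports that should still answer for a given set of enabled services and compares them with what a TCP connect check finds on your own controller; the short setting keys are hypothetical, and the setting-to-port mapping is this example's reading of the ports table in this chapter.

```python
import socket
import sys

# Hypothetical short keys for the Connectivity settings named in the table above.
HTTP_BACKED = {
    "wave",              # 'Océ Wave interface'
    "wsd",               # 'Web Services for Devices'
    "publisher_select",  # 'Allow interaction with Océ Publisher Select'
    "webtools_http",     # 'Océ Express Web Tools via HTTP'
}

# Assumption: additional inbound TCP ports per setting, read from the ports table.
EXTRA_TCP_PORTS = {
    "ftp": {21, 4242},   # FTP printing: command port and passive-mode data port
    "lpr": {515},        # LPR printing
    "wsd": {5357},       # WSD eventing
}

KNOWN_SETTINGS = HTTP_BACKED | set(EXTRA_TCP_PORTS)
HTTP_PORT, HTTPS_PORT = 80, 443
ALL_PROBED = {21, 80, 443, 515, 4242, 5357}


def expected_inbound_tcp(enabled):
    """Inbound TCP ports that should answer when only `enabled` settings are on."""
    enabled = set(enabled)
    unknown = enabled - KNOWN_SETTINGS
    if unknown:
        raise ValueError(f"unknown setting(s): {sorted(unknown)}")
    ports = {HTTPS_PORT}            # HTTPS (inbound) cannot be disabled
    if enabled & HTTP_BACKED:       # one HTTP-backed service keeps port 80 open
        ports.add(HTTP_PORT)
    for setting in enabled:
        ports |= EXTRA_TCP_PORTS.get(setting, set())
    return ports


def probe_tcp(host, ports, timeout=1.0):
    """Return the subset of `ports` that accept a TCP connection on `host`."""
    reachable = set()
    for port in sorted(ports):
        try:
            with socket.create_connection((host, port), timeout=timeout):
                reachable.add(port)
        except OSError:
            pass                    # refused, filtered or timed out
    return reachable


def compare(enabled, observed_open):
    """Report ports that answer but should not, and ports that should but do not."""
    expected = expected_inbound_tcp(enabled)
    observed = set(observed_open)
    return {
        "unexpected_open": sorted(observed - expected),
        "expected_but_closed": sorted(expected - observed),
    }


if __name__ == "__main__":
    # Usage: python check_ports.py <controller-ip> [setting ...]
    host, enabled = sys.argv[1], set(sys.argv[2:])
    report = compare(enabled, probe_tcp(host, ALL_PROBED))
    for name, ports in report.items():
        print(f"{name}: {ports or 'none'}")
```

Run it from a workstation that Access control and IPsec allow to reach the controller; otherwise every port appears closed regardless of the protocol settings.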

Prevent any outgoing connection to the Internet

Introduction
Some system features allow or request a connection over the Internet to work properly. When the Security Policy in a company prevents any outgoing network traffic over the Internet, perform all the following actions in Express WebTools:

Step 1
   In the Express WebTools section: Support - Remote Service - Remote assistance
   Action: Stop the Remote assistance if it is activated
   Detail: Click 'Stop remote assistance' until it changes into 'Allow remote assistance'. The two blinking arrows on the right side disappear.
Step 2
   In the Express WebTools section: Preferences - System Defaults - Service related information
   Action: Disable Online Services
   Detail: Set 'Océ Online Services connection enabled' to 'Disabled'
Step 3
   In the Express WebTools section: Configuration - Connectivity - Other network interfaces
   Action: Disable the automatic update of Océ Service information
   Detail: Set 'Allow automatic update of Océ service information' to 'Disabled'
Step 4
   In the Express WebTools section: Configuration - External location
   Action: Delete all External locations going to the Internet:
   - External cloud through WebDAV protocol
   - FTP sites reachable through the Internet
Step 5
   In the Express WebTools section: Configuration - Connectivity - Proxy settings
   Action: Disable the proxy (recommended as an additional security measure)
   Detail: Set 'Proxy enabled' to 'Disabled'
Step 6
   In the Express WebTools section: Support - About - Shutdown - Restart
   Action: Restart the system

Security of the USB connection

The USB connection on the printer user interface

Introduction
A USB connection is available on the Océ PlotWave 500 and PlotWave 340/360 touch screen. This USB connection is used to:
- Install the controller software
- Backup and restore the controller configuration
- Scan to the USB storage device
- Print from the USB storage device

Security on the USB port

General USB port protection:
- Booting from the USB device is not possible.
- Executing any programme present on the USB device is not possible. The Autorun is disabled and no operation on the controller can execute a programme on the USB device.
- Propagating on the network any infected file present on the USB device plugged into the USB port is not possible.

Read from / write to USB device protection

Protection of the USB READ operation:
- when restoring a controller configuration from the Local User Interface. In that case, any file infected by a virus appears as an invalid backup file. The controller software detects it and rejects the restore operation.
- when printing from the USB device. Any print file infected by a virus will never compromise the controller's software integrity.

Protection of the USB WRITE operation:
- during the backup of the controller configuration, from the Local User Interface. The backup is performed by the internal controller software. It cannot contaminate the USB device by any threat.
- when making a Scan To File to the USB device. The Scan To File operation to USB device is performed by the internal controller software. It cannot contaminate the USB device by any threat.

Disable the USB features
You can disable:
- The direct printing operation from USB only
- The scanning operation to USB only
- Both of the printing and scanning operations from USB
Refer to Prevent 'Print from USB' and/or 'Scan to USB' on Océ PlotWave 500 and PlotWave 340/360 on page

Antivirus

Compatibility and recommendations
The following 2 antivirus programmes can be installed on your Océ systems:
- Symantec AntiVirus Endpoint Protection
- McAfee VirusScan Enterprise Edition / ePolicy Orchestrator for AntiVirus update
Contact your Canon representative to know which antivirus version to install on your Océ systems and get the installation procedure.

NOTE
Canon/Océ shall not be liable for damages of any kind attributable to the use of an antivirus on its controllers.

Roles and Passwords

Roles and profiles

Roles description
4 different roles exist in the product. Each of them has the ability to configure or modify some system settings. The roles are:
- Key operator: The Key operator can manage the jobs and the device settings.
- System administrator: The System administrator can manage the configuration settings, such as the network settings.
- Power user: The Power User has both the rights of the Key operator and the System administrator.
- Service: This role is used exclusively by the Canon Service technician.

Passwords policy and behaviour in the Océ PlotWave 500 and PlotWave 340/360 systems

Introduction
There are 2 groups of passwords:
- The passwords used in Océ Express WebTools
- The passwords used on the printer user panel

Passwords used in Océ Express WebTools
In Océ Express WebTools the passwords protect:
- The roles
- Name of the user of an external location
- The Proxy authentication passwords
- The security settings (preshared key for IPsec)

Password policy
- 256 characters maximum
- all MS Windows characters are allowed

Passwords used on the user panel

On Océ PlotWave 500
The following settings are protected by the System administrator or Power user password on the user panel:
- The network settings
- The security settings
The following settings and functions are protected by the Key operator or Power user password on the user panel:
- The print density
- The 'Clear system' function
- The 'Install additional hardware' function
- The scanner calibration

On Océ PlotWave 340/360
In Océ Express WebTools, configure the 'Password to change network settings'. This password is used on the printer user panel to protect:
- the network settings
- the security settings

NOTE
Keep this password. The reset of this password may require the intervention of a Service technician.

Passwords modification

Password modification table for Océ PlotWave 500 and PlotWave 340/360

Password for/to | Can be changed by
Key operator | Key operator or Power user
System administrator | System administrator or Power user

Password for/to | Can be changed by
Power user | Power user
User name of external locations | System administrator or Power user
Any preshared key for IPsec | System administrator or Power user
Change network settings | System administrator or Power user
Proxy authentication (for Océ Remote Services and for External location) | System administrator or Power user

Password backup/restore policy with the 'Save Set'/'Open Set' features
The 'Password to change network settings' and the 'Proxy authentication: password' (for Océ Remote Services and for External location) are stored encrypted into the backup set made with the 'Save Set' feature of Océ Express WebTools. The roles passwords are not stored in the backup set.

NOTE
- When a password is configured as 'No password', the information 'Auto' (meaning 'No password') is stored in the backup file. It is not encrypted
- When a password has been stored with 'Auto' value, it is restored with the 'No password' value
- The passwords are stored in the backup file whatever the login used when making the 'Save Set' operation (System administrator, Key operator, or Power user)
- The passwords are restored only when the System administrator or the Power user makes the 'Open Set' operation (see the general behavior below)

NOTE
General behavior: The package generated by the 'Save Set' feature is always the same, whatever the profile of the user logged in (Key operator, System administrator or Power user). However the settings restored with the 'Open set' operation depend on the profile of the user logged in: a profile is able to restore only the settings it is able to edit and change.

Password backup/restore policy with the 'Export templates'/'Import templates' features
During the 'Export templates' operation, the passwords for any external location remote user name are stored encrypted in the file 'exportexternallocationtemplates.xml' (included in the file 'exportexternallocationtemplates.zip'). The 'Import templates' operation restores the passwords.

Temporary password for the installation of 3rd party application
To install a 3rd party application in the controller system, a Canon representative generates a temporary administrative password for the Windows Administrative account. This password is valid for 4 hours.

Access control

Introduction
Access control limits access to the Océ system by means of IP filtering.

Use the access restriction to limit the access to the printer

NOTE
Important: ALWAYS define the hosts before enabling Access control. If Access control is enabled without any host configured, communication is blocked. Go to the printer user panel to disable Access control.

Enable 'Access control' and set the list of IP addresses of the computers (hosts) that will be able to communicate with the printer. This action sets the IP filtering.
The access restriction is then applied to print operations (for which a host workstation contacts the printer) as well as scan operations (the scanner contacts the external location).
To benefit from the full Access control, the DHCP protocol must be disabled. Manually enter the static network settings (IP address, gateway, ...) in the Connectivity settings.

NOTE
When configuring the 'Access control station: IPv6 address', use the IPv6 static address (instead of a dynamic stateless or stateful one).

You can define up to 5 hosts. For each of the hosts you can decide whether the communication from this host to the system needs to be encrypted by IPsec (see IPsec on page 80).
You enable 'Access control' in Océ Express WebTools. You can disable it in Océ Express WebTools or via the printer user panel.

NOTE
'Configuration' of the 'Access control' settings is only available to the 'System administrator' and 'Power user'. To prevent unauthorised access to these settings via the printer user panel:
- on Océ PlotWave 340/360, ensure that the 'Password to change network settings' is set
- on Océ PlotWave 500, you must log in as a System administrator to edit the network settings

When you enable Access control and/or IPsec, configure the path of the external locations with the IP address instead of a hostname (the DNS protocol is disabled).

Audit log

Introduction

All changes related to security settings are logged in the Audit log. They can be downloaded and/or cleared.

The operations stored in the Audit log

In Océ Express WebTools, open the Support - Audit log tab to download the Audit log that contains information on any change made in settings.

Collected information on each setting is:
1. Username (if available)
2. Host (IP address and name) or printer user interface from where the modification was done
3. Type of event (create/modify/delete/start/stop/action)
4. Object concerned (setting/template name, service name, operation/action)
5. New value (if applicable, and not logged for password fields)
6. Timestamp in UTC (date & time in ISO-8601 format, yyyy-mm-ddThh:mm:ssZ)

User (Key operator, System administrator, Power user) and Service settings:
- IPv4/IPv6 network settings (IP address, Subnet mask, DNS, Gateway, DHCP, ...)
- IPsec settings
- Network services (enable/disable/settings)
- Creation/modification/removal of external locations
- Changes of passwords used to protect security-related settings (Key operator, System administrator, Power user, Service, User interface password/pin for network settings, ...)
- Timezone
- E-shredding settings
- Remote service online connection (enabled/disabled)
- 3rd-party software settings (remote desktop, admin account, firewall port)
- Smart Inbox (enable/disable)
- Allow Service Technician to reset passwords (on/off)
- Save retrieved job data for service (on/off)
- HTTPS settings (enable/disable, change of certificate)
- HTTP proxy settings (for Cloud and remote service)
- USB print (on/off)
- Scan to USB (on/off)
- Force entry of accounting data for scan/copy/print (on/off)
- TSM auto updates of code/content from internet (on/off)
- Startup/shutdown of the audit functionality
- Tracking info: when someone logs on to view or to change non-security settings
- Changing date and time
- Use of restore and 'open set'

Each log-in operation by the System administrator, the Key operator, and the Power user is also stored into the audit log.

Service settings only:
- Retrieval of job data by Service
- Resetting of passwords by Service
- Remote service (Allow remote login)
- Audit log export
- Accounting dialog upload (used to implement access control for scan/copy)
- Manual update of the Service Information content (from Internet)

Data security

E-Shredding in Océ PlotWave 500 and PlotWave 340/360 systems

E-shredding presentation

Introduction

The e-shredding feature is a security feature which overwrites any user print data and any user print/copy/scan data when it is deleted from the system. This feature prevents the recovery of any deleted user data (file's content and attributes). A deleted job is a job that cannot be retrieved from any user interface.

When is a job deleted?

A job is deleted either:
- When it is manually deleted from a Smart Inbox
- After it was successfully printed and was not saved in a Smart Inbox ('Keep completed jobs in the Smart Inbox', 'Keep a copy of copy jobs in Smart Inbox', 'Keep a copy of scanned jobs in Smart Inbox' and 'Keep a copy of local print jobs in the Smart Inbox' system settings are disabled in the Océ Express WebTools)
- After a 'ScanToFile to external location' has been successfully performed
- After a 'ScanToFile to USB stick' has been performed, successfully or not
- When it is automatically deleted after a time-out: the end of the job lifetime in the Smart Inbox is reached ('Keep completed jobs in the Smart Inbox' is enabled, with 'Expiration time-out for Smart Inbox' and 'Expiration time-out for Smart Inbox copy and scan jobs' set in the job management settings of the Océ Express WebTools)
- When a 'Clear system' is performed on the printer user panel
- When a 'Clear system at next start-up' is selected in Express WebTools and the system is restarted.

E-shredding algorithms

Select one of the three e-shredding behaviours:
- DOD M: 3-pass overwriting algorithm (compliant with the US Department of Defense directive)
- Gutmann: 35-pass overwriting algorithm with random data
- Custom: set the number of passes, from 1 to 35.

NOTE
The e-shredding feature has been designed to minimise the impact on the global system performance. However, the more passes selected, the more impact it has on general performance. It is recommended to minimise the number of passes when document production is required.

Enable the e-shredding in Océ Express WebTools

Before you begin

You must be logged in as a System Administrator or a Power user. Perform the following actions:
1. Open a web browser and enter the system URL: to open the Océ Express WebTools
2. In Océ Express WebTools ('Preferences' - 'System Defaults') go to the 'Job Management' settings
3. Disable 'Keep completed jobs in the Smart Inbox' (so that all the print jobs will be automatically deleted after successful printing) before enabling the e-shredding.
4. Go to the 'In case of errors' settings
5. Check that the 'Save received jobdata for Service' setting is disabled.
6. On the printer user panel, make a 'Clear system'

Enable the e-shredding

Procedure
1. In Océ Express WebTools, open the 'Configuration' - 'Connectivity' page and select the 'E-shredding' section
2. Click Edit
3. Check the 'E-shredding' feature to enable it
4. Select the algorithm. When you select 'Custom', set the number of passes:

Result

When the E-shredding feature is enabled:
- A new icon is added to the list of icons (bottom right) in the Océ Express WebTools window:
- On the printer user panel, an indication is displayed in the System menu: 'E-shredding enabled':

Each time data (file's content or attributes) is deleted from the system, the e-shredding process occurs. For a while, the E-shredding feedback returns 'busy'. In the Océ Express WebTools window, roll the mouse over the e-shredding icon to display the 'E-shredding busy' status.

Once the e-shredding data process is complete, the status comes back to 'E-shredding ready' in the Océ Express WebTools (roll over the icon).

E-shredding process and system behaviour

When you enable the e-shredding

When you enable the e-shredding feature, the system starts the e-shredding process for all scan/copy/print jobs that will be deleted. The e-shredding process will occur as a background task. All processed jobs will be e-shredded after they are deleted:
- After a manual deletion from the Smart Inbox
- After an automatic deletion of the print or scan jobs by the system (time-out, disabled Smart Inbox, cleanup)

NOTE
When you enable the e-shredding feature, the 'Save received job data for Service' feature (in Preferences - System defaults - In case of errors) is automatically disabled, to avoid any storage of job data that would not be automatically deleted.

The first e-shredding pass is performed immediately after the job is deleted. Subsequent passes are performed in background.

When you disable the e-shredding

When you disable the e-shredding, the system:
- Terminates the e-shredding process for files which are being e-shredded
- Will not e-shred the new deleted files

Make sure all the scan/copy/print jobs are completely e-shredded

Once a batch of scan/copy/print jobs has been processed, perform the following actions to make sure all the files are e-shredded:
1- Unplug the system from the network
2- Delete all jobs from all the Smart Inboxes
3- Make a 'Clear System' on the printer user panel
4- Wait until the e-shredder status comes back to 'Ready' (in Océ Express WebTools)
5- Restart the system
6- Wait until the e-shredder status displays 'Ready' (in Océ Express WebTools)

IPsec

IPsec presentation

Introduction

IPsec is a protocol that provides authentication, data confidentiality and integrity in the network communication between devices. A strong mechanism of encryption guarantees the confidentiality of the user print and scan data on the network. You can connect up to 5 IPsec stations to the print/scan system.

IPsec and Access control behavior

Find below the 4 combinations of Access control with IPsec:

Access control enabled, IPsec enabled:
IP filtering + Encryption are activated. Only the stations configured with IPsec can connect to the system. No other stations can communicate with the print/scan system. The system can communicate only with the IPsec stations. Communication and data are encrypted.

Access control enabled, IPsec disabled:
IP filtering is activated, no encryption. Only the stations configured for Access control in Express WebTools can communicate with the print/scan system. The system can communicate only with the stations configured for Access control. The communication is not encrypted.

Access control disabled, IPsec enabled:
Encryption between the print/scan system and IPsec stations is activated. All stations can communicate with the system. The system can communicate with all stations. The communication is encrypted ONLY with the stations configured as IPsec stations.

Access control disabled, IPsec disabled:
No filtering. No encryption.

IPsec parameters in the Océ Express WebTools

The following IPsec parameters are available on the Océ Express WebTools - Configuration - Connectivity tab, Network security section:

Enable and configure the parameters for each required station. The parameters can be different for each different workstation:
- the IP address
- the preshared key (keep the generic default one or set a custom one)

You can define a default preshared key that will be used for all the IPsec stations connected to the print/scan system.

NOTE
The following IPsec parameters cannot be changed:
- IKE Diffie-Hellman group : 2 then 1
- IKE SA lifetime : s
- IKE security method : 3DES then MD5
- IKE hash : SHA1 then MD5
- ESP encryption : 3DES then DES
- ESP hash : SHA1 then MD5 then None
- AH hash : SHA1 then MD5
- Encapsulation type : Transport
- Protocol SA lifetime : 3600 s

Configure the IPsec settings in the Océ controller

Before you begin

You must be logged in as a System Administrator or a Power user. To benefit from the full IPsec mechanism, the DHCP protocol must be disabled. Manually enter the static network settings (IP address, gateway, ...) in the Connectivity settings.

Activate and configure IPsec in the system controller

Procedure
1. Open a web browser and enter the system URL: to open the Océ Express WebTools
2. Open the 'Configuration' - 'Connectivity' page
3. In the 'Access control' section, click on the general 'Edit'
4. Check the 'Enable/Disable IPsec' box to enable 'IPsec'
   You can also activate the Access control (see the combinations of IPsec and Access Control in IPsec and Access control behaviour on page 117)
5. Enable 'IPsec control station 1'
   Tip: When you enable Access control, it is recommended to declare the workstation from which you remotely configure the system, at least during the configuration time (IPsec is not needed).
6. Enter the IPsec preshared key or keep it empty to use the default preshared key. You can configure the default preshared key at the bottom of the Network security section.
   - 256 characters maximum
   - Any MS character
   NOTE
   Write down this preshared key. It will be required during the IPsec configuration on the workstation.
7. Click OK
   Note: The settings are applied as soon as 'OK' is validated (and before the restart). You may lose the remote connection to the system when your workstation is not part of the configured stations.
8. Restart the controller

Result

The IPsec settings are configured on the controller for a connection to a workstation.

Configure the IPsec settings on a workstation or a print server

When to do
After the IPsec configuration on the controller.

Pre-requisites
Log on to the workstation with Administration rights.

Purpose
Complete the IPsec configuration for a secure connection between the printer/copier system and a workstation.

On the workstation, perform the 6 following actions:
1- Add the security snap-in
2- Create the security policy
3- Create the filter list
4- Define the filter actions and security negotiation
5- Define the security rule
6- Assign the security policy on page 128

NOTE
The procedure below shows the configuration steps on Windows Server 2008 for an Océ ColorWave 300 system. The procedure is similar on other Operating Systems (Windows Server 2003, Windows XP, Windows Vista, Windows 7) and for other Océ printers.

Add the security snap-in

Procedure
1. In the 'Start' - 'Run' window, enter 'mmc' to open the management console
2. In the top menu select 'File' - 'Add/Remove Snap-in'
3. Select 'IP Security Policy Management' and click 'Add' to add it to the root console

4. Keep 'Local computer' checked and click 'Finish'
   The security snap-in is added, click 'OK'

Create the security policy

Procedure
1. In the console, right click on 'IP Security Policies on local Computer' and select 'Create IP Security Policy'
2. Click 'Next' to open the wizard
3. Enter the name for the policy and click 'Next'

4. Uncheck 'Activate the default response rule'
5. Uncheck 'Edit properties' and click 'Finish'

Create the filter list

Procedure
1. In the console, right click on 'IP Security Policies on local Computer' and select 'Manage IP filter lists and filter actions'
2. In the 'Manage IP filter lists' tab click 'Add'

3. Enter a filter name and a description and click 'Add'
4. Click 'Next' to open the wizard
5. Check the 'Mirrored' checkbox and click 'Next'
6. Select 'My IP address' as the 'Source address' and click 'Next'
7. Select 'A specific IP address or subnet' as 'Destination address' and enter the IP address of the controller
8. Select 'Any' as the 'IP Protocol Type' and click 'Next'

9. Click 'Finish'
10. In the 'IP filter list' window, click OK
    The filter list is set

Define the filter actions and security negotiation

Procedure
1. Open the 'Manage Filter Actions' tab and click 'Add' to open the wizard.
2. Click 'Next'
3. Give a name to the filter actions and click 'Next'
4. Select 'Negotiate security' and click 'Next'

5. Select 'Allow unsecured communication if a secure connection cannot be established' or 'Fall back to unsecured communication' (depending on the Operating System) and click 'Next'
6. Select 'Custom' and click on the 'Settings...' button
7. Configure the settings as below
   The 'Data and address integrity without encryption (AH)' setting is not mandatory.
8. Click 'OK' and 'Next', then 'Finish'

Define the security rule

Procedure
1. In the console, right click on the IP security policy just created and select 'Properties' to open the wizard
   (On Windows 7, a new window opens: check that "Use Add Wizard" is checked, then click on "Add")
2. Click 'Next'

3. Select 'This rule does not specify a tunnel', and click 'Next'
4. As the Network type, select 'All network connections' and click 'Next'
5. Select the filter previously created then click 'Next'
6. Select the filter action previously created then click 'Next'
7. In the 'Authentication method' window, check 'Use this string to protect the key exchange (preshared key)'

8. Enter the preshared key you set in Express WebTools (see Configure the IPsec settings in the Océ controller on page 119), then click 'Next'
9. Click 'Finish'
10. Click 'OK' to validate the Security rule

Assign the security policy

Procedure
1. In the console, right click on the security policy just created and select 'Assign'
   The configuration is activated on the IPsec station (workstation):

2. To test the configuration, open a 'command' window and issue a 'ping' command from this IPsec station to the printer/scanner controller

After you finish

For all printers except Océ PlotWave 340/360, Océ PlotWave 500 and Océ ColorWave 650 R3.x:
When the test works properly it is recommended to disable the 'Failsafe mode' on the printer/scanner controller, so that only the IPsec station is allowed to communicate with the printer/scanner system.

For Océ PlotWave 340/360, Océ PlotWave 500 and Océ ColorWave 650 R3.x:
Remove your workstation from the IPsec/Access control configuration when it must not remain in the list of connected stations.
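The workstation actions above (policy, filter list, filter action, rule, assignment, test) can also be scripted with the Windows 'netsh ipsec static' commands. The batch file below is an added example, not part of the Océ guide: the controller address 192.0.2.10, the object names and the preshared key placeholder are assumptions, and the security methods are picked from the fixed controller parameters listed in the IPsec presentation because the guide's own settings screenshot is not reproduced here.

```bat
@echo off
rem Added example, not from the Oce guide. Run from an elevated command window
rem on the IPsec station (Windows Server 2008 in the guide's procedure).
setlocal

rem --- Assumed values: replace with your own ---
rem Controller static IP address (constructed documentation address).
set "PRINTER_IP=192.0.2.10"
rem Preshared key entered in Express WebTools. Batch special characters in the
rem key (percent, caret, ampersand, exclamation mark) need escaping.
set "PSK=REPLACE-WITH-PRESHARED-KEY"
rem Hypothetical object names.
set "POLICY=OcePrinterIPsec"
set "FLIST=OcePrinterFilter"
set "FACTION=OcePrinterNegotiate"
set "RULE=OcePrinterRule"

rem Create the security policy with the default response rule not activated.
rem Main mode offer 3DES-SHA1-2: the first choices in the controller's fixed
rem IKE list (3DES, SHA1, Diffie-Hellman group 2).
netsh ipsec static add policy name="%POLICY%" description="IPsec to Oce controller" activatedefaultrule=no mmsecmethods="3DES-SHA1-2" || goto :fail

rem Create the filter list: My IP address to the controller, any protocol, mirrored.
netsh ipsec static add filterlist name="%FLIST%" || goto :fail
netsh ipsec static add filter filterlist="%FLIST%" srcaddr=me dstaddr=%PRINTER_IP% protocol=ANY mirrored=yes || goto :fail

rem Define the filter action: negotiate security, custom method ESP 3DES with
rem SHA1 and a 3600 s lifetime (the controller's protocol SA lifetime).
rem soft=yes is the wizard choice "Allow unsecured communication if a secure
rem connection cannot be established": traffic is sent in clear when the
rem negotiation fails. Use soft=no to refuse unprotected traffic instead.
netsh ipsec static add filteraction name="%FACTION%" action=negotiate soft=yes inpass=no qmpfs=no qmsecmethods="ESP[3DES,SHA1]:3600s" || goto :fail

rem Define the security rule: no tunnel (tunnel parameter omitted), all
rem network connections, preshared key authentication.
netsh ipsec static add rule name="%RULE%" policy="%POLICY%" filterlist="%FLIST%" filteraction="%FACTION%" conntype=all activate=yes psk="%PSK%" || goto :fail

rem Assign the security policy.
netsh ipsec static set policy name="%POLICY%" assign=y || goto :fail

rem Test. With soft=yes a successful ping alone does not show that the traffic
rem is protected, so also list the main mode and quick mode security
rem associations: an entry for the controller address means IKE and ESP were
rem negotiated. The first echo requests can be lost while IKE negotiates.
netsh ipsec static show policy name="%POLICY%" level=verbose
ping -n 4 %PRINTER_IP%
netsh ipsec dynamic show mmsas all
netsh ipsec dynamic show qmsas all

endlocal
exit /b 0

:fail
echo IPsec policy configuration failed, see the netsh message above.
endlocal
exit /b 1
```

The MMC snap-in step has no command-line equivalent and is not needed here. If no security association for the controller appears after the ping, the traffic was not protected by IPsec.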

Troubleshooting: Disable 'Access control' and IPsec (Océ PlotWave 500 and PlotWave 340/360 systems)

Introduction

In the following case:
- Access control and IPsec have been enabled without any station defined, and
- The communication between the controller and the host stations fails

Any remote connection to Océ Express WebTools is impossible. The system is unreachable. Then, use the emergency procedure to disable IPsec and Access control via the printer user panel.

Disable Access control on the printer user panel

Procedure
1. On the user panel, tap the upper right corner, to display the menu
2. Select 'Security'
3. For Océ PlotWave 500, enter the System administrator (or Power user) password
   For Océ PlotWave 340/360, enter the 'Password to change networks settings' if set.
4. A wizard is displayed. Follow the instructions

5. Confirm to disable access control
6. Press 'Finish'
7. Restart the controller

Result

Access control and IPsec functions are disabled. After the restart, you will be able to remotely open Océ Express WebTools from any workstation (HTTP).

HTTPS (for Océ PlotWave 500 and PlotWave 340/360)

Encrypt print data and manage the system configuration using HTTPS

Introduction

In the Océ PlotWave 500 and PlotWave 340/360 systems, you can use the HTTPS protocol to:
- send encrypted print data to the printer controller via Océ Publisher Express
- save encrypted scan jobs from the printer controller (Scans Inbox)
- securely manage the configuration of the system through Océ Express WebTools

Certificates are used to check the identity of the workstations and controller during the communication. The HTTPS protocol is always available. All settings and options available through HTTP are also available through HTTPS.

The Océ self-signed certificate and the CA-signed certificate

2 types of certificates can be used:
- By default, Océ delivers an Océ self-signed certificate. This certificate provides encryption of the print data (sent through Publisher Express) and of the configuration settings (accessed through Océ Express WebTools) between the client and the controller. It can be easily used. This self-signed certificate has not been signed by a Certification Authority, consequently the web browser will display a 'Certificate Error' message the first time you use the HTTPS protocol.
- The CA-signed certificate is delivered by a Certification Authority. The administrator can request and import a CA-signed certificate when the security policy recommends it.

Configure the HTTPS settings

Go to Configuration - Remote security and log on as the System administrator to manage the certificates.

Before you begin

The first time you use a self-signed certificate, your web browser will generate security error messages. In order to easily and securely use the self-signed certificate in your web browser, you must:
- View and check the self-signed certificate in your web browser
- Configure your web browser to trust the self-signed certificate

Use the Océ self-signed certificate with Internet Explorer

Procedure
1. On a workstation, type the URL address of your printer in Internet Explorer: Name or PrinterHostname or PrinterIPaddress]
   A warning window opens. It displays 2 errors:
   - The certificate is not issued by a trusted certificate authority.
   - The Common Name in the certificate does not match the printer hostname (or IP Address) you typed in the address bar.
2. In order to view and check the self-signed certificate, continue to the website
3. Click on 'Certificate error':
4. Click 'View certificates'
5. The certificate is issued to 'Océ Express WebTools' by 'Océ Express WebTools'
6. Click 'Install Certificate...'
7. Follow the Wizard's instructions to import the certificate into your web browser:
   1. Place the certificate in the 'Trusted Root Certification Authorities' folder

   2. Accept the warning
   3. Finish the installation
   When the import is successful, the 'Océ Express WebTools' Certificate is recognised and its status is OK.
8. Open the Tools menu\internet options\advanced tab. In the Security section, uncheck the option "Warn about certificate address mismatch"

9. Close ALL instances of Internet Explorer
10. Restart the browser and type the URL of your printer in Internet Explorer ( Name or PrinterHostname or PrinterIPaddress]).

Result

The padlock is displayed on the address bar. The Océ self-signed certificate guarantees:
- The identity of the remote computer (controller)
- The encryption of the print data on the network

Use the Océ self-signed certificate with Mozilla Firefox

Procedure
1. On a workstation, type the URL address of your printer in Mozilla Firefox ( Name or PrinterHostname or PrinterIPaddress]).
   A warning window opens. It displays 2 errors:
   - The certificate is not trusted because it is self-signed
2. In order to view and check the self-signed certificate, continue to add an exception.

3. Click 'I Understand the Risks' and 'Add Exception...'
4. In the 'Add Security Exception' window, click 'Get Certificate' to get the certificate from the controller web server. The 'Wrong site' and 'Unknown Identity' errors are displayed.
5. Click 'View...' to see the content of the certificate. Check the following values:
   - Common Name (CN) = Océ Express WebTools
   - Organization (O) = Océ
   - Organization Unit (OU) = WFPS
6. The certificate is issued to 'Océ Express WebTools' by 'Océ Express WebTools', so you can confirm the security exception (permanent or temporary exception).
7. A security warning window may pop up. Click 'Yes' to continue.

Result

The Océ Express WebTools software opens. You can check in the status bar (at the bottom of the window) that the padlock is displayed. In the navigation bar, the Océ certificate is registered as an exception. The identity of the remote controller and the encryption of the data on the network are secured.

Request and import a CA-signed certificate

Description of the overall procedure to request and import a CA-signed certificate

Introduction

By default the first certificate delivered for the use of HTTPS is an Océ self-signed certificate. To ensure a fully trusted authentication, you can request and import a certificate delivered by a Certification Authority (CA-signed certificate).

Information about certificates

When you generate a CA-signed certificate request on a controller:
- A new private key is created: this key stays in the controller
- The certificate request containing the public key is created. Send it to the Certification Authority.

The CA-signed certificate you will receive also contains the public key. This public key is linked to the private key already stored in the controller. In the controller, the private key and the public key must match to enable a secure HTTPS protocol.

To request and then import a CA-signed certificate while you are still using HTTPS, follow these 2 procedures, step by step:

Overall procedure to prepare and generate the CA-signed certificate request

Step A1- Back up the current certificate and private key
   The current certificate can be:
   - the original Océ self-signed certificate embedded
   - a CA-signed certificate (delivered by a Certification Authority) you previously installed
   See Back up a certificate and a private key on page 138.

Step A2- Generate the certificate request
   Make this step when you want to request and install a CA-signed certificate. During the creation of the request, a new private key is created.
   See Generate a CA-signed certificate request on page 139.

Step A3- Save the content of the certificate request
   Send this content to the Certification Authority to request a (CA-signed) certificate. The Certification Authority will check the request and reply.
   - If the request is valid, go to step A4
   - If the request is not valid, make a new request (A2) according to the remarks/corrections suggested by the CA request feedback

Step A4- Restart the controller

Overall procedure to import the new CA-signed certificate

Step B1- Save and store the new CA-signed certificate
   Save the CA-signed certificate you received from the Certification Authority.

Step B2- Import the new CA-signed certificate into the controller
   Import the CA-signed certificate (Root and/or Intermediate and CA-signed certificates).
   See Import a CA-signed certificate (into the controller and workstations) on page 140.

Step B3- Restart the controller

Step B4- Import the Root certificate into the web browsers of the workstations
   The Root certificate identifies the Certification Authority. By default, the web browsers contain a list of well-known and trusted Root certificates. In case the Root certificate of the Certification Authority is not in this list, install the CA Root certificate in the 'Trusted Root certificates' list of the web browser, on each workstation.
   See Check and import the Root certificate into the workstations browser on page 141.

Step B5- Back up the certificate and private key
   Back up and store the certificate and the private key.
   Note: It is highly recommended to back up the CA-signed certificate and the private key since they are not saved in any system backup.
   See Back up a certificate and a private key on page 138.

Other procedures

Restore a certificate and a private key
   When to do: You can restore the certificate and the private key at any moment, in case of need.
   See Restore a certificate and a private key on page 141

Reset the current certificate
   When to do: You can reset the certificate after a certificate request or at any moment when you want to restore a self-signed certificate. This procedure creates a new Océ self-signed certificate.
   See Reset the current certificate on page 142

Back up a certificate and a private key

When to do

You must back up the certificate and private key:
- BEFORE you generate a certificate request (step A1 of the Description of the overall procedure to request and import a CA-signed certificate on page 90): To save your current certificate and private key.
- AFTER you import the new certificate (step B5): To save your new certificate and private key, in order to be able to restore them if needed.

Back up the current certificate and private key

Procedure
1. In a web browser, open Océ Express WebTools (http(s):\\[ip address or hostname])
2. Log on as the printer system administrator
3. On the Configuration - Océ Remote Security page, select [Backup certificate and private key]
4. To save the server certificate and private key, enter a password of at least 6 characters ([Password used to encrypt the private key])
5. Confirm the password
6. Click 'Save'
7. Download and store the backup file (.jks).

Generate a CA-signed certificate request

Purpose
Create a certificate request. Use this function only when you want to request a new CA-certificate.

Pre-requisites
Back up the current Certificate and Private key already installed on the controller (see Back up a certificate and a private key on page 138).

[Generate a certificate request]

NOTE
Step A2 of the Description of the overall procedure to request and import a CA-signed certificate on page 90.

Procedure
1. In a web browser, open Océ Express WebTools ([IP address or hostname])
2. On the Configuration - Remote Security page, select 'Generate a certificate request'
3. Fill out the form with the requested information
   NOTE
   Attention: In the certificate request:
   - The Common name MUST be the hostname or the Fully Qualified Domain Name (FQDN) of the printer (e.g.: or 'PlotWave360' or 'PlotWave360.mycompany.com'). This Common Name will be used in the URL (e.g.: '
   - The country name MUST follow the ISO 3166 standard and be composed of 2 characters (e.g.: 'us' for United States)
4. Click 'Generate'.

Result

The web server generates a certificate request. The content of the request is displayed (plain text), as a block of encoded text between the lines '-----BEGIN NEW CERTIFICATE REQUEST-----' and '-----END NEW CERTIFICATE REQUEST-----'.

Save and send the request

When to do

NOTE
Step A3 of the Description of the overall procedure to request and import a CA-signed certificate on page 90.

Procedure
1. Copy and paste the content of the request in a .csr file (named 'certificate_request.csr' by default)
2. Send the content of this request to the Certification Authority.

Import a CA-signed certificate (into the controller and workstations)

Introduction: overall procedure
1. Import the CA-signed certificate into the controller:
   - Import the 'Root certificate'
   - Import the 'Intermediate certificate'
   - Import the CA-certificate
2. Import the Root certificate into the workstations web browser

Import the [Root certificate] into the controller

NOTE
Step B2 of the Description of the overall procedure to request and import a CA-signed certificate on page 90

Save locally or on the network all the CA-signed certificate files the Certification Authority sent you.

Procedure
1. In a web browser, open Océ Express WebTools ([IP address or hostname])
2. On the Configuration - Remote Security page, select 'Import CA-signed certificate'
3. Select [Root certificate]
4. Browse to the Root certificate file and click [Import]

   NOTE
   The Root certificate may already exist in the web server certificates list.
5. Validate to confirm the import
6. When the message [Certificate successfully imported.] pops up, go on to import the [Intermediate certificate]

Import the [Intermediate certificate]

Procedure
1. Select [Intermediate certificate]
2. Browse to the Intermediate certificate file and click [Import]
3. When the message [Certificate successfully imported.] pops up, go back to the main page to import the [CA-signed certificate]

Import the [CA-signed certificate]

Procedure
1. Select [CA-signed certificate]
2. Browse to the certificate file
3. Select 'Yes' to validate the certificate against Java root certificates and click 'Import'
4. When the message [Certificate successfully imported.] pops up, restart the controller.

Result
The certificate is now installed on the server.
Check and import (if needed) the CA Root certificate also into the workstations web browser. That will secure the complete data workflow between the workstations and the server.

Check and import the [Root certificate] into the workstations browser

When to do
NOTE
Step B4 of the Description of the overall procedure to request and import a CA-signed certificate on page 90.

Procedure
1. On each workstation, open the web browser
2. In the Tools - Internet Options - Content window, open the 'Certificates'
3. Check if the CA [Root certificate] is already displayed in the 'Trusted Root Certification Authorities' list
4. If it is not in the list, import the CA Root certificate.

Restore a certificate and a private key

When to do
You can restore the certificate and the private key at any moment, in case of need.

Restore the certificate and private key

Procedure
1. In a web browser, open Océ Express WebTools (http(s):\\[ip address or hostname])
2. On the Configuration - Remote security page, select [Restore certificate and private key]
3. Browse to the back up file
4. Enter the password of the back up file
5. Click 'Restore'
6. A dialog box opens: [This action will overwrite the current certificate. Continue?] Click 'OK'
7. When the key and the certificate are successfully restored, restart the controller.

Reset the current certificate

Purpose
This procedure creates a new Océ self-signed certificate.

When to do
You can reset the certificate after a certificate request or at any moment when you want to restore a self-signed certificate.

NOTE
Prefer restoring the original self-signed certificate (this requires a prior back up of the original self-signed certificate. See Back up a certificate and a private key on page 138): each 'Reset certificate' action generates a new self-signed certificate (with a new private and public key). So each time you reset the certificate, you must import the new certificate into the web browser.

Reset the certificate

Procedure
1. In a web browser, open Océ Express WebTools (http(s):\\[ip address or hostname])
2. On the Configuration - Remote security page, select [Reset certificate]
3. Click the 'Reset' button
4. When the reset is successful ([Certificate successfully reset]), restart the controller

Result
A new self-signed certificate has been generated on the controller. Configure your web browser to use it (see Use the Océ self-signed certificate with Internet Explorer on page 133)

Prevent 'Print from USB' and/or 'Scan to USB' on Océ PlotWave 500 and PlotWave 340/360

How to prevent 'Print from USB' and/or 'Scan to USB'

Introduction
You can disable any access to the USB device by preventing printing from / scanning to the USB device.

Illustration
[3] USB capability in External locations

Procedure
1. Open a web browser and enter the system URL: to open the Océ Express WebTools
2. Open the 'Configuration' - 'External locations' page
3. Log in as a System administrator or Power user
4. Edit the 'USB' type
5. In the 'Enabled functionalities' drop down list, select:
   - 'None' to disable 'print from' and 'scan to' capabilities
   - 'Print from only' to enable to print from USB and disable 'Scan to USB' capability
   - 'Scan to only' to enable to scan to USB and disable 'Print from USB' capability
   Note: Select 'Print from and scan to' to allow both 'print from' and 'scan to' USB capabilities
6. Click 'OK'

Smart Inbox management and job management

Configure the Smart Inboxes and the job management settings
You can use the Smart Inbox management features of your system to limit and restrict the access to the print and scan job data.
Configure the job management settings to manage the visibility of jobs and their availability through Océ Express WebTools.

Smart Inbox and job management configuration:
Go to the 'Preferences'/'System properties' to disable or restrict:
- The use of the Smart Inboxes ('Smart Inbox capability'): When the 'Smart Inbox capability' is set to 'Disabled', all the jobs currently present in the Smart Inboxes are deleted. All incoming print jobs are directly and solely sent to the print job queue.
- The remote view of the Smart Inboxes ('Restrict remote Smart Inbox view to the Key operator'): When enabled, you restrict the view on the Smart Inboxes to the Key operator or Power user only (login needed to view the Smart Inbox).
- The remote actions on jobs to the Operator ('Restrict remote actions on jobs to the Key Operator'): When enabled, all remote actions on jobs in the queue are restricted to the Key Operator or Power user only.
- The use of Publisher Express ('Publisher Express' or 'Enable Publisher Express'): When disabled, the job submission capability (through Express WebTools) is completely deactivated.

Chapter 4 Security on Océ ColorWave 550/600/650 (and Poster Printer)

Security on Océ ColorWave 550, ColorWave 600 (Poster Printer), ColorWave 650 R2.x (Poster Printer)

Overview

Security overview for the Océ ColorWave 600/650 (Poster Printer) and the Océ ColorWave 550 systems

Introduction
The Océ ColorWave 550 and Océ ColorWave 600 (Poster Printer) / Océ ColorWave 650 (Poster Printer) have been designed around the secured Linux Operating System. However any new release of the Linux operating system always embeds the latest security fixes.
The Océ ColorWave 650 and Océ ColorWave 550 use Windows Embedded Standard 2009 (WES 2009) operating system for scanning operations. This operating system is not accessible from the network.
For Océ ColorWave 650 R3.x, refer to Security on Océ ColorWave 650 R3.x on page 178.
The Océ ColorWave 600 (Poster Printer) / Océ ColorWave 650 / Océ ColorWave 550 offer the following security features:

Security overview
- Operating System: Linux for Océ ColorWave 550, Océ ColorWave 600 (Poster Printer) and Océ ColorWave 650 (Poster Printer). Linux and WES 2009 for Océ ColorWave 650 multifunctional (printer and scanner) and Océ ColorWave 550 multifunctional (printer and scanner)
- Firewall: Yes
- Network protocols protection: Yes (per protocol, through firewall)
- MS security patches: Océ released patches
- OS and software integrity: Yes
- Antivirus: No
- IPv6: Yes
- Data overwrite: E-shredding for Océ ColorWave 600 R1.5 and higher / Océ ColorWave 650 (PP) and Océ ColorWave 550
- Data encryption on the network: IPsec for:
  - Océ ColorWave 550 R2.3.1 and higher
  - Océ ColorWave 650 R2.3.1 and higher (see also Security on Océ ColorWave 650 R3.x on page 178)
  - Océ ColorWave 650 PP R2.3.1 and higher

- Password protection: Yes for:
  - User settings
  - Administration settings
  - Settings on the printer user panel
- Access control: Access restriction to the printer for:
  - Océ ColorWave 550 R2.3.1 and higher
  - Océ ColorWave 650 R2.3.1 and higher (see also Security on Océ ColorWave 650 R3.x on page 178)
  - Océ ColorWave 650 PP v2.3.1 and higher

System and Network security

Ports - Protocols

Applications, protocols and ports used in the Océ ColorWave 600 (Poster Printer) / Océ ColorWave 650 (Poster Printer) / Océ ColorWave 550 systems

Printing applications: ports and protocols used by the system

Application /Functionality: Océ Wide-format Printer Driver for Microsoft Windows (WPD or WPD2); Océ PostScript 3 driver; Océ Publisher Express; Publisher Select
Port used on the controller: protocol:
- TCP 515: LPR
- TCP 65200: Océ back-channel * for WPD (1)
- TCP 80: HTTP for: back-channel for WPD2 (2), advanced accounting
- UDP 515: Océ protocol for Printer Discovery
- TCP 515: LPR
- TCP 80: HTTP
- TCP 80: HTTP
- UDP 515: Océ protocol for Printer Discovery
Remarks: Printer Discovery: Océ ColorWave 600 R1.3.1 and higher / Océ ColorWave 600 Poster Printer R1.4 and higher / Océ ColorWave 650 (PP) / Océ ColorWave 550

Application /Functionality: Océ Publisher Mobile
Port used on the controller: protocol:
- TCP 515: LPR (3)
- TCP 4242: FTP passive mode (for data channel in FTP passive mode)
- ICMP: ping
- UDP 515: Océ protocol for Printer Discovery
- TCP 21: FTP (4)

Application /Functionality: Océ Reprodesk Studio; Novell NDPS printing; LPR printing
Port used on the controller: protocol:
- TCP 515: LPR
- TCP 65200: Océ back-channel (*)
- TCP 515: LPR
- TCP 515: LPR

Application /Functionality: FTP printing
Port used on the controller: protocol:
- TCP 21
- TCP 4242 (for data channel in FTP passive mode)

Application /Functionality: Océ Publisher Copy
Port used on the controller: protocol:
- TCP 80: HTTP
Remarks: Océ ColorWave 600 only

* Océ back-channel is an Océ proprietary protocol used to retrieve information from the printer (status, media loaded...) and to display it in the application or driver.
For IPv4

(1) Back-channel for Océ ColorWave and lower, and Océ ColorWave and lower, and Océ ColorWave and lower.
(2) Back-channel for Océ ColorWave 600 R1.6.1 and higher, Océ ColorWave and higher, Océ ColorWave and higher.
(3) For Océ Publisher Mobile v 2.2 and later for Android, and for Océ Publisher Mobile v 2.3 and later for iOS
(4) Only for Océ Publisher Mobile v 2.0 to v2.2 for iOS

Scanning applications in Océ ColorWave 650 and Océ ColorWave 550 only: ports and protocols used by the system

Application /Functionality: Scan to File Remote SMB; Scan to File Remote FTP; Scan data retrieval from Smart Inbox (Scans)
Port used on the controller: protocol:
- Outgoing connection: SMB
- Outgoing connection: Local port (on controller): UDP(/TCP) <dynamic value>
- TCP 80: HTTP
Remarks: FTP passive mode only (1)

Notes:
(1) FTP passive mode only: the FTP server on the remote workstation must support FTP passive mode

Control management: ports and protocols used by the system

Application /Functionality: PING; SNMP based applications; Name resolution; Océ Express WebTools; Océ Account Center / Advanced accounting (WPD); Accounting information retrieval; Océ Service Logic
Port used on the controller: protocol:
- ICMP (incoming echo request only)
- UDP 161: SNMP
- Outgoing connection: Local port (on controller): UDP(/TCP) <dynamic value>
- TCP 80: HTTP
- TCP 80: HTTP
- TCP 80: HTTP
- TCP 21: FTP
- TCP 4242: FTP passive mode
Remarks: Remote port (on DNS server): UDP(/TCP) 53

Application /Functionality: Océ Meter Manager
Port used on the controller: protocol:
- UDP 161: SNMP
Remarks: Océ ColorWave 600 R1.3.1 and higher / Océ ColorWave 600 PP R1.4 and higher / Océ ColorWave 650 (PP) / Océ ColorWave

Application /Functionality: Océ Remote Service
Port used on the controller: protocol: Outgoing connection
Remarks: HTTPS outgoing connection required: TCP/IP port 443 (1)

Notes:
(1) TCP/IP port 443 must be opened and must allow response back on the IT infrastructure firewall.

Security Patches

Install the Océ Remote patch

Introduction
You can install the Océ Remote patches (Security patches) in the following (versions of the) systems:
- Océ ColorWave 650 multifunctional (printer and scanner)
- Océ ColorWave 550 multifunctional (printer and scanner)

Before you begin
Find the Océ Security patch from the Océ Downloads website on
Open the product page and go to the Security tab to download the available security patches.

Procedure
1. Open the Océ Express WebTools
2. Open the 'Support' tab
3. Select 'Update'
   The Authentication window opens.
4. Log in as the System administrator or Power user
   The latest patch successfully applied (when any) is displayed

5. Click on the 'Install' icon (top right corner of the 'Operating system patches' section) to open the wizard
6. Click OK
7. Browse to the Océ Remote patch and click OK to install it
8. Click OK to confirm the update

Protocol protection

Network protocols protection

Introduction
In the Océ ColorWave 600 (Poster Printer), Océ ColorWave 650 (Poster Printer) and Océ ColorWave 550 systems, you can completely disable some protocols in order to protect them against attacks.

List of network protocols
Protocols: Available Protection
- FTP: Yes. Can be disabled*
- SNMP: Yes. Can be disabled*
- LPR: Yes. Can be disabled*
- Backchannel: Always Enabled. Océ proprietary protocol
- HTTP: No, always Enabled
- ICMP: No, always Enabled
- DNS: No, always Enabled

* To disable a network protocol, go to the Configuration / Connectivity section of the Océ Express WebTools and uncheck the protocol.
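The port tables and the list of network protocols above can be turned into an allow-list and compared with a port scan of the controller. The following is an added example, not Océ code: the scan output is constructed sample data in Nmap's port-line layout, and the names `DOCUMENTED`, `CAN_DISABLE`, `parse_scan` and `audit` are hypothetical.

```python
"""Compare a port scan of the controller with the documented port list."""
import re

# (transport, port) -> protocol, taken from the port tables of this chapter.
DOCUMENTED = {
    ("tcp", 21): "FTP",
    ("tcp", 4242): "FTP",                # data channel in FTP passive mode
    ("tcp", 80): "HTTP",
    ("tcp", 515): "LPR",
    ("udp", 515): "Printer Discovery",   # the guide does not say whether
                                         # disabling LPR also closes this port
    ("tcp", 65200): "Backchannel",
    ("udp", 161): "SNMP",
}

# Protocols the protection list marks "Can be disabled".
CAN_DISABLE = {"FTP", "SNMP", "LPR"}

# Constructed sample, laid out like the port lines of an Nmap report.
SAMPLE_SCAN = """\
PORT      STATE         SERVICE
21/tcp    open          ftp
23/tcp    open          telnet
80/tcp    open          http
443/tcp   closed        https
515/tcp   open          printer
4242/tcp  open          unknown
161/udp   open|filtered snmp
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)")


def parse_scan(text):
    """Return the set of (transport, port) pairs reported as open.

    UDP ports that give no reply are reported as 'open|filtered'; they are
    treated as open here so that they are reviewed rather than ignored.
    """
    found = set()
    for line in text.splitlines():
        match = PORT_LINE.match(line.strip())
        if match and match.group(3).split("|")[0] == "open":
            found.add((match.group(2), int(match.group(1))))
    return found


def audit(observed, disabled=()):
    """Return findings as (kind, transport, port, protocol) tuples.

    observed -- iterable of (transport, port) pairs seen open on the printer
    disabled -- protocols unchecked in Configuration / Connectivity
    Kinds: 'unexpected' (not in the documented list), 'disabled-but-open'
    (setting did not take effect) and 'can-disable' (open, optional protocol).
    """
    disabled = set(disabled)
    not_allowed = disabled - CAN_DISABLE
    if not_allowed:
        raise ValueError(f"cannot be disabled on the controller: {sorted(not_allowed)}")
    findings = []
    for transport, port in sorted(set(observed)):
        protocol = DOCUMENTED.get((transport, port))
        if protocol is None:
            findings.append(("unexpected", transport, port, None))
        elif protocol in disabled:
            findings.append(("disabled-but-open", transport, port, protocol))
        elif protocol in CAN_DISABLE:
            findings.append(("can-disable", transport, port, protocol))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_scan(SAMPLE_SCAN), disabled={"FTP"}):
        print(finding)
```

Ports that belong to HTTP and the back-channel produce no finding because the guide lists them as always enabled.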

Prevent any outgoing connection to the Internet

Introduction
Some features of the following systems allow or request a connection over the Internet to work properly:
- Océ ColorWave 550 R2.3 and higher
- Océ ColorWave 600 R1.6 and higher
- Océ ColorWave 650 R2.3 and higher
- Océ ColorWave 650 R3 and higher

When the Security Policy in a company prevents any outgoing network traffic over the Internet, perform all the following actions in Express WebTools:

Step 1
- In the Express WebTools section: Support - Remote Service - Remote assistance
- Action: Stop the Remote assistance if it is activated
- Detail: Click 'Stop remote assistance' until it changes into 'Allow remote assistance'. The two blinking arrows on the right side disappear.

Step 2
- In the Express WebTools section: Preferences - System Properties - Service
- Action: Disable Remote Service connection
- Detail: Set 'Océ Remote Services connection enabled' to 'Disabled'

Step 3
- In the Express WebTools section: Configuration - Remote destination [X]
- Action: Disable all scan destinations to FTP sites reachable through the Internet

Step 4
- In the Express WebTools section: Support - About - Shutdown - Restart
- Action: Restart the system

Security of the USB connection

The USB connection on the printer user interface

Introduction
A USB connection is available on the Océ ColorWave 650/550 printer panel. This USB connection is used to print from the USB storage device.

Security on the USB port
General USB port protection:
- Booting from the USB device is not possible.
- Executing any programme present on the USB device is not possible. The Autorun is disabled and no operation on the controller can execute a programme on the USB device.
- Propagating on network any infected file present on the USB device plugged on the USB port is not possible.

Read from USB device protection
The USB READ operation is protected when printing from the USB device. Any print file infected by a virus will never compromise controller's software integrity.

Disable the USB features
You can disable the direct printing operation from USB only. Refer to Prevent Print from USB on page 176.

Operating System and software protection

Linux OS and software protection
In the Océ ColorWave 600 (Poster Printer) / Océ ColorWave 650 (Poster Printer) and Océ ColorWave 550 systems the Linux operating system and associated software are stored on 'read only' partitions to guarantee the Operating System and software integrity at each reboot.
At power on, the original Linux system software is loaded. This original system software cannot be modified (except when using the Océ procedures for update).
Any exploit of a security vulnerability can only affect temporary files. A reboot of the system brings it back to the original genuine one.

Windows Embedded Standard 2009 OS and software protection
An additional Operating system is used for scanning on the Océ ColorWave 650 multifunctional (printer and scanner) and Océ ColorWave 550 multifunctional (printer and scanner): Windows Embedded Standard
It is protected by the Linux OS so it is not accessible from the network.

Roles and Passwords

Roles and profiles in the Océ ColorWave 600 (Poster Printer) / Océ ColorWave 650 (Poster Printer) / Océ ColorWave 550 systems

Roles description
4 different roles exist in the product. Each of them has the ability to configure or modify some system settings. The roles are:
- Key operator: The Key operator can manage the jobs and the device settings
- System administrator: The System administrator can manage the Configuration settings, such as the Network settings
- Power user: The Power User has both the rights of the Key operator and the System administrator
- Océ service: This role is used exclusively by the Canon Service technician

Passwords policy and behaviour in the Océ ColorWave 600 (Poster Printer) / Océ ColorWave 650 (Poster Printer) / Océ ColorWave 550 systems

Introduction
There are 2 groups of passwords:
- The passwords used in Océ Express WebTools
- The passwords used in the Printer Operator Panel

Passwords used in Océ Express WebTools
In Océ Express WebTools the passwords protect the roles.

Password modification table for Océ ColorWave 600, Océ ColorWave 650 and Océ ColorWave 550
Password for: Can be changed by
- Key operator: Key operator or Power user
- System administrator: System administrator or Power user
- Power user: Power user
- Any ScanToFile remote user name (Océ ColorWave 550 / 650 only): Key operator or System administrator or Power user

Password policy
- 256 characters maximum
- Any number [0-9]
- Any letter lowercase/uppercase [a-z][A-Z]
- the following special characters: _ - # $ % ^ * ? { } ( ) = + , . ; : [ ] / \

Password backup/restore policy with the 'Save Set'/'Open Set' features
The 'Password to change network settings' is stored encrypted into the backup set made with the 'Save Set' feature of Océ Express WebTools. The roles passwords are not stored in the backup set.

NOTE
- When a password is configured as 'No password', the information 'Auto' (meaning 'No password') is stored in the backup file. It is not encrypted
- The passwords are stored in the backup file whatever the login used when making the 'Save Set' operation (System administrator, the Key operator, or the Power user)
- The passwords are restored only when the System administrator or the Power user makes the 'Open Set' operation
- When a password has been stored with 'Auto' value, it is restored with the 'No password' value

Password backup/restore policy with the 'Export templates'/'Import templates' features
During the 'Export templates' operation, the passwords for any ScanToFile remote user name are stored encrypted in the file 'remotedestinationtemplates.xml' (included in the file 'exporttemplates.zip'). The 'Import templates' operation restores the passwords.

Access control

Introduction
The 'Access control' feature is available on the following printers and versions:
- Océ ColorWave 550 v2.3.1 and higher
- Océ ColorWave 650 v2.3.1 and higher
- Océ ColorWave 650 PP v2.3.1 and higher

Use the access restriction to limit the access to the printer
Enable 'Access control' and set the list of IP addresses of the computers (hosts) that will be able to communicate with the printer controller, for printing only. Once enabled, you can define up to 5 hosts.
In case you use a print server, this server must be declared in the list of hosts to be able to print from this server.
For each of the hosts you can decide whether the communication from this host to the system needs to be encrypted by IPsec (see IPsec for Océ ColorWave printers on page 163)
You can enable 'Access control' in Océ Express WebTools. You can disable it in Océ Express WebTools or via the printer user panel.

NOTE
- DHCP must be disabled.
- 'Configuration' of the 'Access control' settings is only available to the 'System administrator'.
- To prevent unauthorised access to these settings via the printer user panel, ensure that the 'Password to change network settings' is set.

Data Security

E-Shredding on Océ ColorWave 600 and Océ ColorWave 650 (PP) and Océ ColorWave 550

E-shredding presentation

Introduction
The e-shredding feature is a security feature that overwrites any user print data (for Océ ColorWave 600 / 650 PP) and any user print/copy/scan data (for Océ ColorWave 650 / 550) when it is deleted from the system.
This feature prevents the recovery of any deleted user data (files' content and attributes).
A deleted job is a job that cannot be retrieved from any user interface.
The e-shredding functionality is available on:
- Océ ColorWave 600 R1.5 and higher
- Océ ColorWave 600 PP R1.6.1 and higher
- Océ ColorWave Océ ColorWave 650 Poster Printer
- Océ ColorWave 550

When is a job deleted?
A job is deleted either:
- When it is manually deleted from a Smart Inbox
- After it was successfully printed and was not saved in a Smart Inbox ('Keep completed jobs in the Smart Inbox' system setting is disabled in the Océ Express WebTools)
- After a 'ScanToFile to remote destination' has been successfully performed
- When it is automatically deleted after a timeout: the end of the job lifetime in the Smart Inbox is reached ('Keep completed jobs in the Smart Inbox' is enabled, with 'Expiration time-out for Smart Inbox' set in the job management settings of the Océ Express WebTools)
- When a 'Clear system Remove all jobs' is performed on the printer local interface

E-shredding algorithms
Select one of the three e-shredding behaviours:
- DOD M: 3-pass overwriting algorithm (compliant with the US Department of Defense directive)
- Gutmann: 35-pass overwriting algorithm with random data
- Custom: set the number of passes, from 1 to 35.

NOTE
The e-shredding feature has been designed to minimise its impact on overall system performance. However, the more passes selected, the more impact it has on general performance. It is recommended to minimise the number of passes when document production is required.

Enable the e-shredding in Océ Express WebTools

Before you begin
You must be logged as a System Administrator or a Power user.
Recommendation: in the Océ Express WebTools ('Preferences'), make sure you:
- Disable 'Keep completed jobs in the Smart Inbox' in the Job management settings (so that all the print jobs will be automatically deleted after successful printing) before enabling the e-shredding.
- Disable 'Save received jobdata for service' in 'In case of errors' settings.

Procedure
1. Open a web browser and enter the system URL: to open the Océ Express WebTools
2. Open the 'Configuration' - 'Connectivity' page and select the 'E-shredding' section
3. Click Edit
4. Check 'E-shredding' feature to enable it
5. Select the algorithm. When you select 'Custom', you must set the number of passes: On Océ ColorWave 650 (PP) / 550, click on the value of 'E-shredding custom number of passes' to set the number of passes
   [4] Set the number of passes for Océ ColorWave 650

Result
When the E-shredding feature is enabled, a new icon is added to the list of icons (bottom right) in the Océ Express WebTools window.

Each time data (file's content or attributes) is deleted from the system, the e-shredding process occurs. For a while, the E-shredding feedback returns 'busy'. In the Océ Express WebTools window, roll the mouse over the e-shredding icon to display the 'E-shredding busy' status.
Once the e-shredding data process is complete, the status comes back to 'E-shredding ready' in the Océ Express WebTools (roll over the icon).

E-shredding process and system behaviour

When you enable the e-shredding
When you enable the e-shredding, the system starts the e-shredding process for all scan/copy/print jobs that will be deleted. E-shredding process will occur as a background task.
All processed jobs will be e-shredded after they are deleted:
- After a manual deletion from the Smart Inbox
- After an automatic deletion of the print or scan jobs by the system (timeout, disabled Smart Inbox, cleanup)

When you disable the e-shredding
When you disable the e-shredding, the system:
- Terminates the e-shredding process for files which are being e-shredded
- Will not e-shred the new deleted files

Make sure a file is completely e-shredded (e-shredding enabled)
Perform the following actions to make sure this file is e-shredded:
1- Check the "Save received jobdata for service" setting is 'off' (in Océ Express WebTools/Preferences/System properties/in case of errors)
2- Send the print file, make a copy or make a scan
3- Once the job has been printed/copied/scanned, make sure it has been deleted from the Smart Inbox (in Océ Express WebTools/Jobs)
4- Shut down the system (e-shredding will terminate the system clean up before the shut down)

IPsec on Océ ColorWave 550 v2.3.1 and higher and Océ ColorWave 650 (PP) v2.3.1 and higher

IPsec presentation

Introduction
IPsec is a protocol that provides authentication, data confidentiality and integrity in the network communication between devices.
A strong mechanism of encryption guarantees the confidentiality of the user print and scan data on the network.
IPsec is particularly suitable in a configuration where you need to create a dedicated secure link between the printer/copier system and a workstation which can be dedicated as a Print Server (or a Scan Server).
IPsec can be enabled only when 'Access Control' is enabled.
You can connect up to 5 IPsec stations to the printer/copier system.

In the configuration below:
- The printer/copier system is physically connected to the network but communicates only with a dedicated station (a print server or scan server for example)
- The print server receives the print request from the workstations via IP on the network
- The print server sends the print requests to the printer/copier system via IPsec
- The workstations cannot communicate directly with the printer/copier system
- The printer/copier system cannot communicate directly with the workstations.

NOTE
In this configuration, the back-channel communication between a workstation and the printer is unavailable (the back-channel information is not displayed in the Océ WPD driver).

NOTE
- DHCP must be disabled to be able to activate and configure IPsec.

Illustration

IPsec parameters in the Océ Express WebTools (EWT)
The following IPsec parameters are available in the Océ Express WebTools:
Network security section:
- The generic 'Access control' must be enabled.
- The 'Access control station X' must be enabled.
- Enable and configure the parameters for each required station. The parameters can be different for each different workstation:
  - the IP address
  - the preshared key (keep the generic default one or set a custom one)
- You can define a default preshared key that will be used for all the stations connected by IPsec to the printer/scanner system.

Configure the IPsec settings on the Océ controller

Before you begin
You must be logged as a System Administrator or a Power user.

Activate and configure IPsec on the printer/scanner controller

Procedure
1. Open a web browser and enter the system URL: to open the Océ Express WebTools
2. Open the 'Configuration' - 'Connectivity' page
3. In 'Network security' section, click on the general Edit

4. Enable Access control
5. Enable Access control station 1
6. Enter IP address of the station 1
7. Enable IPsec control station 1
8. Enter the IPsec preshared key or keep it empty to use the default preshared key (you can configure at the bottom of the Network security section)
   - 256 characters maximum
   - Any number [0-9]
   - Any letter lowercase/upper-case [a-z][A-Z]
   - the following special characters: _ - # $ % ^ * ? { } ( ) = + , . ; : [ ] / \
   NOTE
   Write it down. This preshared key will be required during the IPsec configuration on the workstation.
9. Restart the controller

Result
The IPsec settings are configured on the controller for a connection to a workstation (which can be a print server).

Configure the IPsec settings on a workstation or a print server

When to do
After the IPsec configuration on the controller.

Pre-requisites
Log on the workstation with the Administration rights.
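The character rules given above for the IPsec preshared key (step 8), which are the same as the Océ Express WebTools password policy, can be applied before a key is entered on the controller and on the workstation. The following is an added example, not Océ code: it draws a random key from the documented characters and checks a candidate against them; `generate_secret`, `check_secret` and `entropy_bits` are hypothetical names and the 32-character default length is an assumption.

```python
"""Generate and check a preshared key or password against the documented rules."""
import math
import secrets
import string

# Documented rules: 256 characters maximum, digits, letters and these specials.
SPECIALS = "_-#$%^*?{}()=+,.;:[]/\\"
ALPHABET = string.digits + string.ascii_letters + SPECIALS
MAX_LEN = 256


def generate_secret(length=32):
    """Return a random secret that uses only the documented characters."""
    if not 1 <= length <= MAX_LEN:
        raise ValueError(f"length must be between 1 and {MAX_LEN}")
    # secrets.choice draws from the operating system's CSPRNG.
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def check_secret(candidate):
    """Return a list of (problem, detail) tuples; an empty list means accepted."""
    problems = []
    if candidate == "":
        # Step 8: an empty field selects the default preshared key.
        problems.append(("empty", "the default preshared key would be used"))
    if len(candidate) > MAX_LEN:
        problems.append(("too-long", len(candidate)))
    outside = sorted(set(candidate) - set(ALPHABET))
    if outside:
        # Typical when a key comes from a generator with a different
        # alphabet: '@', '!', '&' and the space are not in the list.
        problems.append(("invalid-characters", outside))
    return problems


def entropy_bits(length):
    """Entropy of a uniformly random secret of this length over ALPHABET."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    key = generate_secret()
    print(key, check_secret(key), round(entropy_bits(len(key))))
    print(check_secret("Print@Room 12!"))
```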

Purpose
Complete the IPsec configuration for a secure connection between the printer/copier system and a workstation.
On the workstation, perform the 6 following actions:
1- Add the security snap in on page
2- Create the security policy on page
3- Create the filter list on page
4- Define the filter actions and security negotiation on page
5- Define the security rule on page
6- Assign the security policy on page 173

NOTE
The procedure below shows the configuration steps on Windows server
The procedure is similar on other Operating Systems (Windows Server 2003, Windows XP, Windows Vista, Windows 7)

Add the security snap-in

Procedure
1. In the 'Start' - 'Run' window, enter 'mmc' to open the management console
2. In the top menu select 'File' - 'Add/Remove Snap-in'
3. Select 'IP Security Policy Management' and click 'Add' to add it to the root console
4. Keep 'Local computer' checked and click 'Finish'
   The security snap-in is added, click 'OK'

Create the security policy

Procedure
1. In the console, right click on 'IP Security Policies on local Computer' and select 'Create IP Security Policy'
2. Click 'Next' to open the wizard
3. Enter the name for the policy and click 'Next'
4. Uncheck 'Activate the default response rule'

168
5. Uncheck 'Edit properties' and click 'Finish'

Create the filter list
Procedure
1. In the console, right click on 'IP Security Policies on local Computer' and select 'Manage IP filter lists and filter actions'
2. In the 'Manage IP filter lists' tab click 'Add'
3. Enter a filter name and a description and click 'Add'

169
4. Click 'Next' to open the wizard
5. Check the 'Mirrored' checkbox and click 'Next'
6. Select 'My IP address' as the 'Source address' and click 'Next'
7. Select 'A specific IP address or subnet' as 'Destination address' and enter the IP address of the controller
8. Select 'Any' as the 'IP Protocol Type' and click 'Next'
9. Click 'Finish'
10. In the 'IP filter list' window, click OK
The filter list is set

170
Define the filter actions and security negotiation
Procedure
1. Open the 'Manage Filter Actions' tab and click 'Add' to open the wizard.
2. Click 'Next'
3. Give a name to the filter actions and click 'Next'
4. Select 'Negotiate security' and click 'Next'

171
5. Select 'Allow unsecured communication if a secure connection cannot be established' or 'Fall back to unsecured communication' (depending on the Operating System) and click 'Next'
6. Select 'Custom' and click on the 'Settings...' button
7. Configure the settings as below
8. Click 'OK' and 'Next', then 'Finish'

Define the security rule
Procedure
1. In the console, right click on the IP security policy just created and select 'Properties' to open the wizard (On Windows 7, a new window opens: check that "Use Add Wizard" is checked, then click on "Add")
2. Click 'Next'
3. Select 'This rule does not specify a tunnel', and click 'Next'

172
4. As the Network type, select 'All network connections' and click 'Next'
5. Select the filter previously created then click 'Next'
6. Select the filter action previously created then click 'Next'
7. In the 'Authentication method' window, check 'Use this string to protect the key exchange (preshared key)'

173
8. Enter the preshared key you set in Express WebTools (see Configure the IPsec settings on the Océ controller on page 40), then click 'Next'
9. Click 'Finish'
10. Click 'OK' to validate the Security rule

Assign the security policy
Procedure
1. In the console, right click on the security policy just created and select 'Assign'
The configuration is activated on the IPsec station (workstation):

174
2. To test the configuration, open a 'command' window and issue a 'ping' command from this IPsec station to the printer/scanner controller
When the test works properly, it is recommended to disable the 'Failsafe mode' on the printer/scanner controller, so that only the IPsec station is allowed to communicate with the printer/scanner system.
NOTE In case you use the WPD driver, see The impact of IPsec when you print using Océ WPD through a print server on page 50.

Troubleshooting: Disable 'Access control' and IPsec (Océ ColorWave 650/550 systems)
Introduction
In the following case:
- Access control is enabled and activated on the printer/scanner controller of Océ ColorWave 650/550 v2.3.1 and higher
and
- The communication between the controller and the host stations fails
You cannot open Océ Express WebTools remotely to change the settings. The system is unreachable.
Then you can use the emergency procedure to disable Access control via the printer user panel on the printer/scanner system.

Disable Access control on the printer user panel (Océ ColorWave 650/550)
Procedure
1. On the printer user panel, click on 'System'
2. Select 'Setup'
3. Roll down to 'Disable access control'
Enter the password if requested (Password to change the network settings).

175
4. Confirm to disable access control
5. Press 'Finish'
6. Restart the controller
Result
Access control is disabled. If IPsec was also activated on the controller, it is also disabled with this operation.
After the restart, you will be able to open Océ Express WebTools remotely from a workstation (HTTP).

176
How to prevent 'Print from USB' on Océ ColorWave 550/650 (and PP)
Introduction
You can disable any access to the USB device by preventing printing from the USB device.
Illustration: [5] USB direct print: Disabled

How to disable the 'USB direct print' feature
Procedure
1. Open a web browser and enter the system URL: to open the Océ Express WebTools
2. Open the 'Preferences' - 'System properties' page and select the 'Printer properties' section
3. Go to the 'USB direct print' setting
4. Click on the value to open the 'USB direct print' window
5. Log in as a 'Key Operator' or 'Power User'
6. Select 'Disabled' and 'Ok'

177
Smart Inbox management and job management
Configure the Smart Inboxes to manage the access to job data
Use the Smart Inbox management features of your system to limit and restrict the access to the print and scan job data.
Depending on your system, go to the 'Preferences'/'System properties' to disable or restrict, for example:
- The remote view of the Smart Inboxes
- The display of the Smart Inboxes on the printer panel
- The storage of the job data in the Smart Inboxes

Set the job management settings
The 'Job management' settings are available on the 'Preferences'/'System properties' tab.
Configure the job management settings to manage the visibility of jobs and their availability in Océ Express WebTools or in the printer operator panel.

178
Security on Océ ColorWave 650 R3.x
Overview
Security overview for the Océ ColorWave 650 R3.x system
Introduction
The Océ ColorWave 650 R3.x systems are equipped with the following security features:

Security overview
Operating System: Windows Embedded Standard 7 SP1
Firewall: Yes
Network protocols protection: Yes (per protocol, through firewall)
MS security patches: Océ released patches
Security logging: Auditing of security related events
Antivirus: Yes
IPv6: Yes (IPV6 only or IPV6/IPV4 combination)
Data overwrite: E-shredding
Data encryption on the network: IPsec; HTTPS for administration (Océ Express WebTools) and for job submission through Océ Publisher Express
Password protection: Yes for: User settings; Administration settings; Settings on the printer user panel
Access control: IP filtering
SMB authentication: NTLMV2 or NTLMV1 (can be set in Océ Express WebTools)
Smart Inbox management: Can be enabled/disabled; Remote view restriction
Océ Publisher Express access: Access restriction
Actions on Jobs: Remote action restriction

179
System and Network security
Ports - Protocols
Applications, protocols and ports used in the Océ ColorWave 650 R3.x system

Printing applications with Océ ColorWave 650 R3.x: INBOUND and OUTBOUND ports and protocols used by the system
Application / Functionality: Océ Wide-format Printer Driver for Microsoft Windows (WPD2); Océ PostScript 3 driver; Océ Publisher Express; Publisher Select; Océ Publisher Mobile; Océ Reprodesk Studio; Novell NDPS printing; LPR printing; FTP printing
INBOUND ports on the controller: protocol: TCP 515: LPR; TCP 80: HTTP for back-channel* and Advanced accounting; UDP 515: Océ protocol for Printer Discovery; TCP 515: LPR; TCP 80: HTTP; TCP 443: HTTPS; TCP 80: HTTP; UDP 515: Océ protocol for Printer Discovery; TCP 21: FTP; TCP 4242: FTP passive mode (for data channel in FTP passive mode); ICMP: ping; UDP 515: Océ protocol for Printer Discovery; TCP 515: LPR; TCP 65200: Océ back-channel (OCI); TCP 515: LPR; TCP 515: LPR; TCP 21: FTP; TCP 4242 (for data channel in FTP passive mode)
OUTBOUND ports from the controller: protocol:
- Print from SMB: TCP 139, 445; UDP 138, 445
- Print from FTP: FTP command (1): Local: TCP any, Remote: TCP 21; FTP Data (1): Local: TCP any, Remote: TCP any

180
Notes:
* Océ back-channel is an Océ proprietary protocol used to retrieve information from the printer (status, media loaded...) and to display it in the application or driver.
(1) FTP passive mode only (FTP active mode not supported).

Scanning applications with Océ ColorWave 650 R3.x: INBOUND and OUTBOUND ports and protocols used by the system
- Scan to File: SMB. OUTBOUND ports from the controller: TCP 139, 445; UDP 137, 138, 445
- Scan to File: FTP. OUTBOUND ports from the controller: FTP command (1): Local: TCP any, Remote: TCP 21; FTP Data (1): Local: TCP any, Remote: TCP any
- Scan data retrieval from Smart Inbox (Scans). INBOUND ports on the controller: TCP 80: HTTP; TCP 443: HTTPS
Notes:
(1) FTP passive mode only (FTP active mode not supported).

Control management with Océ ColorWave 650 R3.x: INBOUND and OUTBOUND ports and protocols used by the system
- PING IPv4: ICMPv4
- PING IPv6: ICMPv6
Application / Functionality: nslookup; SNMP based applications; Name resolution; Océ Express WebTools; Océ Account Center; Accounting information retrieval; Océ Meter Manager
Ports and protocols: UDP local port: any, UDP remote port: 53; UDP 161: SNMP; Outgoing connection: Local port (on controller): UDP(/TCP) <dynamic value>, Remote port (on DNS server): UDP(/TCP) 53; TCP 80: HTTP, TCP 443: HTTPS; TCP 80: HTTP; TCP 80: HTTP; UDP 161: SNMP
- Océ back-channel: TCP for OCI back-channel

181
Application / Functionality and the ports and protocols used (INBOUND ports on the controller / OUTBOUND ports from the controller):
- Océ Remote Service: TCP 443: HTTPS; TCP web proxy port (1)
- NetBios over TCP/IP: UDP 137; TCP 139, 445; UDP 138
- WSD: TCP 80: HTTP; UDP 3702 for WSD discovery; TCP 5357 for WSD eventing
- WAVE: TCP 80: HTTP
- OBIS: TCP 80: HTTP for back-channel (Océ Publisher Select)
- IPsec: UDP 500; UDP 4500
Notes:
(1) When there is a proxy.

Additional built-in Windows 7 firewall rules
Inbound rules:
- Core Networking - Dynamic Host Configuration Protocol (DHCP-In)
- Core Networking - Dynamic Host Configuration Protocol for IPv6 (DHCPV6-In)
Outbound rules:
- Core Networking - DNS (UDP-Out)
- Core Networking - Dynamic Host Configuration Protocol (DHCP-Out)
- Core Networking - Dynamic Host Configuration Protocol for IPv6 (DHCPV6-Out)
- Core Networking - IPv6 (IPv6-Out)

182
Security Patches
Install the Océ Remote patch
Introduction
You can install the Océ Remote patches (Security patches) in your Océ system.
Before you begin
Find the Océ Security patch from the Océ Downloads website on
Open the product page and go to the Security tab to download the available security patches.

Install a patch
Procedure
1. Open Océ Express WebTools
2. Open the 'Support' tab
3. Select 'Update'
The Authentication window opens.
4. Log in as the System administrator or Power user
The latest patch successfully applied (when any) is displayed
5. Click on the 'Install' icon (top right corner of the 'Operating system patches' section) to open the wizard
6. Click OK

183
7. Browse to the Océ Remote patch and click OK to install it
8. Click OK to confirm the update

184
Protocol protection
Network protocols protection
Introduction
In the Océ ColorWave 650 R3.x system, you can completely disable some protocols in order to protect them against attacks.
HTTPS, ICMP (ping), DNS protocols cannot be completely disabled.

List of network protocols
Protocols or Network services | Protocol basis | Available protection | Remarks
FTP | FTP | Enable/Disable | For FTP printing (the controller acts as a FTP server). Not applicable to Print from/scan to FTP features.
SNMP | SNMP | Enable/Disable |
LPR/LPD | LPR | Enable/Disable | For LPR printing
Océ WAVE interface | HTTP | Enable/Disable | Used for: Océ back-channel for WPD2; Account Center
Account dialog upload interface | HTTP | Enable/Disable | When both this 'Account dialog interface' AND 'Océ WAVE interface' are disabled, any interaction with Océ Account Center is disabled.
Web Services for Devices (WSD) | HTTP | Enable/Disable | For WSD device discovery
OCI interfaces | Océ proprietary interfaces | Enable/Disable | Used for Reprodesk Server
Allow interaction with Océ Publisher Select | HTTP | Enable/Disable | Used only for Océ Publisher Select backchannel
Océ Express WebTools via HTTP | HTTP | Enable/Disable | For Océ Express WebTools and Publisher Express

185
Protocols or Network services | Protocol basis | Available protection
HTTP | HTTP | There is no specific setting to enable or disable the HTTP protocol. Inbound HTTP is enabled as long as at least one of the following services is enabled: 'Océ Wave interface'; 'Web Services for Devices'; 'Allow interaction with Océ Publisher Select'; 'Océ Express Web Tools via HTTP'. Inbound HTTP is totally disabled when ALL aforementioned network services are disabled.
HTTPS | HTTPS | Always Enabled - Cannot be disabled.
Note: To disable a network protocol or network service, go to the Configuration / Connectivity section of the Océ Express WebTools and uncheck the protocol or service.
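The protection rules above (inbound HTTP closes only when all four HTTP-based services are disabled, HTTPS never closes) can be verified against the ports actually found open on your own controller. The following Python check is an added example, not Océ code: the grouping of ports per service is this example's reading of the guide's Ports - Protocols tables, and the enabled-service set and observed-port list are constructed sample data.

```python
"""Compare open ports on a controller with the services enabled in Express WebTools."""

# Ports each switchable service listens on (assumption: this example's reading
# of the "Ports - Protocols" tables for the ColorWave 650 R3.x).
SERVICE_PORTS = {
    "FTP": {("tcp", 21), ("tcp", 4242)},  # FTP printing and passive-mode data
    "SNMP": {("udp", 161)},
    "LPR/LPD": {("tcp", 515)},
    "OCI interfaces": {("tcp", 65200)},
    "Web Services for Devices": {("udp", 3702), ("tcp", 5357)},
}

# Inbound HTTP stays enabled while at least one of these four is enabled.
HTTP_SERVICES = frozenset({
    "Océ WAVE interface",
    "Web Services for Devices",
    "Allow interaction with Océ Publisher Select",
    "Océ Express WebTools via HTTP",
})
HTTP_PORT = ("tcp", 80)
ALWAYS_ON = {("tcp", 443)}  # HTTPS cannot be disabled

# Listed in the tables but not tied to a Connectivity switch on this page
# (printer discovery, IPsec key exchange, NetBIOS over TCP/IP).
DOCUMENTED_OTHER = {
    ("udp", 515), ("udp", 500), ("udp", 4500),
    ("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445),
}

KNOWN_SERVICES = set(SERVICE_PORTS) | HTTP_SERVICES | {"Account dialog upload interface"}


def expected_inbound(enabled):
    """Return the (protocol, port) pairs that should be reachable."""
    unknown = set(enabled) - KNOWN_SERVICES
    if unknown:
        raise ValueError(f"unknown service name(s): {sorted(unknown)}")
    ports = set(ALWAYS_ON)
    for service, service_ports in SERVICE_PORTS.items():
        if service in enabled:
            ports |= service_ports
    if HTTP_SERVICES & set(enabled):
        ports.add(HTTP_PORT)
    return ports


def audit(observed, enabled):
    """Classify observed open ports against the enabled-service set."""
    expected = expected_inbound(enabled)
    switchable = set().union(*SERVICE_PORTS.values()) | {HTTP_PORT}
    observed = set(observed)
    return {
        # Open although every service that uses the port is disabled.
        "should_be_closed": sorted((observed & switchable) - expected),
        # Open and not mentioned anywhere in the port tables.
        "undocumented": sorted(observed - switchable - ALWAYS_ON - DOCUMENTED_OTHER),
        # Expected from the configuration but not seen (UDP results can be
        # unreliable, so treat UDP entries here as a prompt to re-check).
        "missing": sorted(expected - observed),
    }


# Constructed sample: only LPR and WebTools-over-HTTP are enabled, but the
# scan of the controller also shows FTP, SNMP and one unlisted TCP port.
ENABLED = {"LPR/LPD", "Océ Express WebTools via HTTP"}
OBSERVED = [
    ("tcp", 443), ("tcp", 80), ("tcp", 515),
    ("tcp", 21), ("udp", 161), ("tcp", 3389), ("udp", 515),
]

if __name__ == "__main__":
    for category, ports in audit(OBSERVED, ENABLED).items():
        print(category, ports)
```

Any entry under should_be_closed means a service unchecked in Configuration / Connectivity is still answering; an entry under undocumented is a listener the guide does not account for.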

186
Prevent any outgoing connection to the Internet
Introduction
Some features of the following systems allow or request a connection over the Internet to work properly:
- Océ ColorWave 550 R2.3 and higher
- Océ ColorWave 600 R1.6 and higher
- Océ ColorWave 650 R2.3 and higher
- Océ ColorWave 650 R3 and higher
When the Security Policy in a company prevents any outgoing network traffic over the Internet, perform all the following actions in Express WebTools:

Step | In the Express WebTools section | Action | Detail
1 | Support - Remote Service - Remote assistance | Stop the Remote assistance if it is activated | Click 'Stop remote assistance' until it changes into 'Allow remote assistance'. The two blinking arrows on the right side disappear.
2 | Preferences - System Properties - Service | Disable Remote Service connection | Set 'Océ Remote Services connection enabled' to 'Disabled'
3 | Configuration - Remote destination [X] | Disable all scan destinations to FTP sites reachable through the Internet |
4 | Support - About - Shutdown - Restart | Restart the system |

187
Security of the USB connection
The USB connection on the printer user interface
Introduction
A USB connection is available on the Océ ColorWave 650/550 printer panel.
This USB connection is used to print from the USB storage device.

Security on the USB port
General USB port protection:
- Booting from the USB device is not possible.
- Executing any programme present on the USB device is not possible. The Autorun is disabled and no operation on the controller can execute a programme on the USB device.
- Propagating over the network any infected file present on the USB device plugged into the USB port is not possible.
Read from USB device protection:
- The USB READ operation is protected when printing from the USB device. Any print file infected by a virus will never compromise the controller's software integrity.

Disable the USB features
You can disable the direct printing operation from USB only. Refer to Prevent Print from USB on page 176.

188
Antivirus
Compatibility and recommendations
The following 2 antivirus programmes can be installed on your Océ systems:
- Symantec AntiVirus Endpoint Protection
- McAfee VirusScan Enterprise Edition / ePolicy Orchestrator for AntiVirus update
Contact your Canon representative to know which antivirus version to install on your Océ systems and get the installation procedure.
NOTE Canon/Océ shall not be liable for damages of any kind attributable to the use of an antivirus on its controllers.

189
Roles and Passwords
Roles and profiles
Roles description
4 different roles exist in the product. Each of them has the ability to configure or modify some system settings.
The roles are:
- Key operator: The Key operator can manage the jobs and the device settings.
- System administrator: The System administrator can manage the configuration settings, such as the network settings.
- Power user: The Power User has both the rights of the Key operator and the System administrator.
- Service: This role is used exclusively by the Canon Service technician.

Passwords policy and behaviour in the Océ ColorWave 650 R3.x systems
Introduction
There are 2 groups of passwords:
- The passwords used in Océ Express WebTools
- The passwords used in the printer user panel

Passwords used in Océ Express WebTools
In Océ Express WebTools the passwords protect:
- The roles
- Name of the user of an external location
- The security settings (preshared key for IPsec)
Password policy:
- 256 characters maximum
- all MS Windows characters are allowed

Passwords used on the printer user panel
In Océ Express WebTools, configure the 'Password to change network settings'.
This password is used on the printer user panel to protect:
- the network settings
- the security settings
NOTE Keep this password. The reset of this password may require the intervention of a Canon Service technician.

190
Passwords modification
Password modification table for Océ ColorWave 650 R3.x
Password for/to | Can be changed by
Key operator | Key operator or Power user
System administrator | System administrator or Power user
Power user | Power user
User name of external locations | System administrator or Power user
Any preshared key for IPsec | System administrator or Power user
Change network settings | System administrator or Power user
Proxy authentication for Remote Service | System administrator or Power user

Password backup/restore policy with the 'Save Set'/'Open Set' features
The 'Password to change network settings' and the 'Proxy authentication: password' are stored encrypted into the backup set made with the 'Save Set' feature of Océ Express WebTools.
The roles passwords are not stored in the backup set.
NOTE
- When a password is configured as 'No password', the information 'Auto' (meaning 'No password') is stored in the backup file. It is not encrypted
- The passwords are stored in the backup file whatever the login used when making the 'Save Set' operation (System administrator, Key operator, or Power user)
- The passwords are restored only when the System administrator or the Power user makes the 'Open Set' operation
- When a password has been stored with 'Auto' value, it is restored with the 'No password' value

Password backup/restore policy with the 'Export templates'/'Import templates' features
During the 'Export templates' operation, the passwords for any external location remote user name are stored encrypted in the file 'exportexternallocationtemplates.xml' (included in the file 'exportexternallocationtemplates.zip').
The 'Import templates' operation restores the passwords.

191
Access control
Introduction
Access control lets you limit access to the Océ system by IP filtering.

Use the access restriction to limit the access to the printer
NOTE Important: ALWAYS define the hosts before enabling Access control. If Access control is enabled without any host configured, communication is blocked. Go to the printer user panel to disable Access control.
Enable 'Access control' and set the list of IP addresses of the computers (hosts) that will be able to communicate with the printer. This action sets the IP filtering.
The access restriction is then applied to print operations (for which a host workstation contacts the printer) as well as scan operations (the scanner contacts the external location).
You can define up to 5 hosts.
For each of the hosts you can decide whether the communication from this host to the system needs to be encrypted by IPsec (see IPsec presentation on page 194).
You enable 'Access control' in Océ Express WebTools. You can disable it in Océ Express WebTools or via the printer user panel.
NOTE
- 'Configuration' of the 'Access control' settings is only available to the 'System administrator'.
- To prevent unauthorised access to these settings via the printer user panel, ensure that the 'Password to change network settings' is set.

192
Audit log
Introduction
All changes related to security settings are logged in the Audit log. They can be downloaded and/or cleared.

The operations stored in the Audit log
In Océ Express WebTools, open the Support - Audit log tab to download the Audit log that contains information on any change made in settings.
Collected information on each setting is:
1. Username (if available)
2. Host (IP address and name) or printer user interface from where the modification was done
3. Type of event (create/modify/delete/start/stop/action)
4. Object concerned (setting/template name, service name, operation/action)
5. New value (if applicable, and not logged for password fields)
6. Timestamp in UTC (date & time in ISO-8601 format, yyyy-mm-ddThh:mm:ssZ)

User (Key operator, System administrator, Power user) and Service settings:
- IPv4/IPv6 network settings (IP address, Subnet mask, DNS, Gateway, DHCP, ...)
- IPsec settings
- Network services (enable/disable/settings)
- Creation/modification/removal of external locations
- Changes of passwords used to protect security-related settings (Key operator, System administrator, Power user, Service, User interface password/pin for network settings, ...)
- Timezone
- E-shredding settings
- Remote service online connection (enabled/disabled)
- 3rd-party software settings (remote desktop, admin account, firewall port)
- Smart Inbox (enable/disable)
- Allow Service Technician to reset passwords (on/off)
- Save retrieved job data for service (on/off)
- HTTPS settings (enable/disable, change of certificate)
- HTTP proxy settings (for Cloud and remote service)
- USB print (on/off)
- Scan to USB (on/off)
- Force entry of accounting data for scan/copy/print (on/off)
- Startup/shutdown of the audit functionality
- Tracking info: when someone logs on to view or to change non-security settings
- Changing date and time
- Use of restore and 'open set'

Service settings only:
- Retrieval of job data by service
- Resetting of passwords by service
- Remote service (Allow remote login)
- Audit log export
- Accounting dialog upload (used to implement access control for scan/copy)

193
Data security
E-Shredding
E-shredding presentation
Introduction
The e-shredding feature is a security feature that overwrites any user print data and any user print/copy/scan data when it is deleted from the system.
This feature prevents the recovery of any deleted user data (files' content and attributes).
A deleted job is a job that cannot be retrieved from any user interface.

When is a job deleted?
A job is deleted either:
- When it is manually deleted from a Smart Inbox
- After it was successfully printed and was not saved in a Smart Inbox ('Keep completed jobs in the Smart Inbox' and 'Keep copies of local print jobs in the Smart Inbox' system settings are disabled in the Océ Express WebTools)
- After a 'ScanToFile to external location' has been successfully performed
- After a 'ScanToFile to USB stick' has been performed, successfully or not
- When it is automatically deleted after a time-out: the end of the job lifetime in the Smart Inbox is reached ('Keep completed jobs in the Smart Inbox' is enabled, with 'Expiration time-out for Smart Inbox' and 'Expiration time-out for Smart Inbox copy and scan jobs' set in the job management settings of the Océ Express WebTools)
- When a 'Clear system' is performed on the printer user panel

E-shredding algorithms
Select one of the three e-shredding behaviours:
- DOD M: 3-pass overwriting algorithm (compliant with the US Department of Defense directive)
- Gutmann: 35-pass overwriting algorithm with random data
- Custom: set the number of passes, from 1 to 35.
NOTE The e-shredding feature has been designed to minimise its impact on global system performance. However, the more passes selected, the more impact it has on general performance. It is recommended to minimise the number of passes when document production is required.

194
IPsec
IPsec presentation
Introduction
IPsec is a protocol that provides authentication, data confidentiality and integrity in the network communication between devices.
A strong mechanism of encryption guarantees the confidentiality of the user print and scan data on the network.
You can connect up to 5 IPsec stations to the print/scan system.

IPsec and Access control behavior
Find below the 4 combinations of Access control with IPsec:
- Access control enabled, IPsec enabled: IP filtering + Encryption are activated. Only the stations configured with IPsec can connect to the system. No other stations can communicate with the print/scan system. The system can communicate only with the IPsec stations. Communication and data are encrypted.
- Access control enabled, IPsec disabled: IP filtering is activated, no encryption. Only the stations configured for Access control in Express WebTools can communicate with the print/scan system. The system can communicate only with the stations configured for Access control. The communication is not encrypted.

195
- Access control disabled, IPsec enabled: Encryption between the print/scan system and IPsec stations is activated. All stations can communicate with the system. The system can communicate with all stations. The communication is encrypted ONLY with the stations configured as IPsec stations.
- Access control disabled, IPsec disabled: No filtering. No encryption.

IPsec parameters in the Océ Express WebTools
The following IPsec parameters are available on the Océ Express WebTools - Configuration - Connectivity tab, Network security section:
Enable and configure the parameters for each required station. The parameters can be different for each different workstation:
- the IP address
- the preshared key (keep the generic default one or set a custom one)
You can define a default preshared key that will be used for all the IPsec stations connected to the print/scan system.
NOTE The following IPsec parameters cannot be changed:
- IKE Diffie-Hellman group: 2 then 1
- IKE SA lifetime: s
- IKE security method: 3DES then MD5
- IKE hash: SHA1 then MD5
- ESP encryption: 3DES then DES
- ESP hash: SHA1 then MD5 then None
- AH hash: SHA1 then MD5
- Encapsulation type: Transport
- Protocol SA lifetime: 3600 s

Configure the IPsec settings on the Océ controller
Before you begin
You must be logged in as a System Administrator or a Power user.

Activate and configure IPsec on the system controller
Procedure
1. Open a web browser and enter the system URL: to open the Océ Express WebTools
2. Open the 'Configuration' - 'Connectivity' page
3. In the 'Access control' section, click on the general 'Edit'

196
4. Check the 'Enable/Disable IPsec' box to enable 'IPsec'
You can also activate the Access control
5. Enable 'IPsec control station 1'
Tip: When you enable Access control, it is recommended to declare the workstation from which you remotely configure the system, at least during the configuration time (IPsec not needed).
6. Enter the IPsec preshared key or keep it empty to use the default preshared key. You can configure the default preshared key at the bottom of the Network security section.
- 256 characters maximum
- Any MS character
NOTE Write down this preshared key. It will be required during the IPsec configuration on the workstation.
7. Click OK
Note: The settings are applied as soon as 'OK' is validated (and before the restart). You may lose the remote connection to the system when your workstation is not part of the configured stations.
8. Restart the controller
Result
The IPsec settings are configured on the controller for a connection to a workstation.

Configure the IPsec settings on a workstation or a print server
When to do
After the IPsec configuration on the controller.
Pre-requisites
Log on to the workstation with Administration rights.

197
Purpose
Complete the IPsec configuration for a secure connection between the printer/copier system and a workstation.
On the workstation, perform the following 6 actions:
1- Add the security snap-in
2- Create the security policy
3- Create the filter list
4- Define the filter actions and security negotiation
5- Define the security rule
6- Assign the security policy on page 128
NOTE The procedure below shows the configuration steps on Windows Server 2008 for an Océ ColorWave 300 system. The procedure is similar on other operating systems (Windows Server 2003, Windows XP, Windows Vista, Windows 7) and for other Océ printers.

Troubleshooting: Disable 'Access control' and IPsec (Océ ColorWave 650/550 systems)
Introduction
In the following case:
- Access control is enabled and activated on the printer/scanner controller of Océ ColorWave 650/550 v2.3.1 and higher
and
- The communication between the controller and the host stations fails
You cannot open Océ Express WebTools remotely to change the settings. The system is unreachable.
Then you can use the emergency procedure to disable Access control via the printer user panel on the printer/scanner system.

Disable Access control on the printer user panel (Océ ColorWave 650/550)
Procedure
1. On the printer user panel, click on 'System'
2. Select 'Setup'

198
3. Roll down to 'Disable access control'
Enter the password if requested (Password to change the network settings).
4. Confirm to disable access control
5. Press 'Finish'
6. Restart the controller
Result
Access control is disabled. If IPsec was also activated on the controller, it is also disabled with this operation.
After the restart, you will be able to open Océ Express WebTools remotely from a workstation (HTTP).

HTTPS (on Océ ColorWave 650 R3.x)

Encrypt print data and manage the system configuration using HTTPS (on Océ ColorWave 650 R3.x)

Introduction
On the Océ ColorWave 650 R3.x systems, you can use the HTTPS protocol to:
- send encrypted print data to the printer controller via Océ Publisher Express
- save encrypted scan jobs from the printer controller (Scans Inbox)
- securely manage the configuration of the system through Océ Express WebTools
Certificates are used to check the identity of the workstations and controller during the communication.
The HTTPS protocol is always available. All settings and options available through HTTP are also available through HTTPS.

The Océ self-signed certificate and the CA-signed certificate
2 types of certificates can be used:
- By default, Océ delivers an Océ self-signed certificate. This certificate provides encryption of the print data (sent through Publisher Express) and of the configuration settings (accessed through Océ Express WebTools) between the client and the controller. It can be easily used. This self-signed certificate has not been signed by a Certification Authority; consequently, the web browser will display a 'Certificate Error' message the first time you use the HTTPS protocol.
- The CA-signed certificate is delivered by a Certification Authority. The administrator can request and import a CA-signed certificate when the security policy recommends it.

Configure the HTTPS settings
Go to Configuration - Remote security and log on as the System administrator to manage the certificates.

Before you begin
The first time you use a self-signed certificate, your web browser will generate security error messages. In order to easily and securely use the self-signed certificate in your web browser, you must:

- View and check the self-signed certificate in your web browser
- Configure your web browser to trust the self-signed certificate

Use the Océ self-signed certificate with Internet Explorer

Procedure
1. On a workstation, type the URL address of your printer in Internet Explorer: Name or PrinterHostname or PrinterIPaddress]
   A warning window opens. It displays 2 errors:
   - The certificate is not issued by a trusted certificate authority.
   - The Common Name in the certificate does not match the printer hostname (or IP Address) you typed in the address bar.
2. In order to view and check the self-signed certificate, continue to the website
3. Click on 'Certificate error'
4. Click 'View certificates'
5. The certificate is issued to 'Océ Express WebTools' by 'Océ Express WebTools'
6. Click 'Install Certificate...'
7. Follow the Wizard's instructions to import the certificate into your web browser:
   1. Place the certificate in the 'Trusted Root Certification Authorities' folder

   2. Accept the warning
   3. Finish the installation
   When the import is successful, the 'Océ Express WebTools' Certificate is recognised and its status is OK.
8. Open the Tools menu\Internet Options\Advanced tab. In the Security section, uncheck the option "Warn about certificate address mismatch"
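The procedure above asks you to view and check the certificate before placing it in 'Trusted Root Certification Authorities'. The following Python script is an added example, not part of the Océ manual: it reads the "issued to / issued by" names from step 5 and also compares the SHA-256 fingerprint with a value recorded beforehand, because the names alone do not identify one particular certificate. The recorded fingerprint, all function names and the two constructed sample certificates are assumptions of this example.

```python
import hashlib
import hmac
import socket
import ssl

CN_OID = bytes.fromhex("550403")       # id-at-commonName (2.5.4.3)
EXPECTED_CN = "Océ Express WebTools"   # name shown in step 5 of the procedure


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element that starts at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def common_name(name_value):
    """Return the first commonName in an X.501 Name, or None (assumes UTF-8 text)."""
    for _, rdn in children(name_value):            # each RDN is a SET
        for _, atv in children(rdn):               # SEQUENCE { OID, value }
            (_, oid), (_, text) = children(atv)[:2]
            if oid == CN_OID:
                return text.decode("utf-8", "replace")
    return None


def inspect_certificate(der):
    """Extract issuer/subject names and the SHA-256 fingerprint from DER bytes."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    tbs = children(children(cert)[0][1])
    if tbs[0][0] == 0xA0:                          # optional explicit version field
        tbs = tbs[1:]
    issuer, subject = tbs[2][1], tbs[4][1]         # after serial and signature alg
    return {"subject_cn": common_name(subject), "issuer_cn": common_name(issuer),
            "self_issued": issuer == subject,      # names equal; signature not checked
            "sha256": hashlib.sha256(der).hexdigest()}


def safe_to_trust(der, expected_cn, recorded_sha256):
    """Return (ok, reasons); recorded_sha256 is hex, colons and spaces allowed."""
    info, reasons = inspect_certificate(der), []
    if info["subject_cn"] != expected_cn or info["issuer_cn"] != expected_cn:
        reasons.append("issued to/by is not %r" % expected_cn)
    recorded = recorded_sha256.replace(":", "").replace(" ", "").lower()
    if not hmac.compare_digest(info["sha256"].encode(), recorded.encode()):
        reasons.append("SHA-256 fingerprint differs from the recorded value")
    return not reasons, reasons


def fetch_der(host, port=443, timeout=5.0):
    """Fetch the certificate a host presents, without validating it (needs network)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                     # the CN does not match the hostname
    ctx.verify_mode = ssl.CERT_NONE                # the decision is made by safe_to_trust
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def tlv(tag, value):
    """Encode one DER element (used only to build the constructed samples)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + value


def build_sample(cn, serial):
    """Constructed certificate skeleton: real layout, placeholder key and signature."""
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, CN_OID) + tlv(0x0C, cn.encode()))))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial]))
              + tlv(0x30, b"") + name + tlv(0x30, b"") + name + tlv(0x30, b""))
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))


SAMPLE_RECORDED = build_sample(EXPECTED_CN, serial=1)   # constructed, not a real cert
SAMPLE_OTHER = build_sample(EXPECTED_CN, serial=2)      # same names, different bytes

if __name__ == "__main__":
    pin = inspect_certificate(SAMPLE_RECORDED)["sha256"]  # stands in for the recorded value
    for der in (SAMPLE_RECORDED, SAMPLE_OTHER):
        print(safe_to_trust(der, EXPECTED_CN, pin))
```

Against a live system, pass the result of fetch_der() to safe_to_trust() and install the certificate only when it returns no reasons. The second sample carries the same names as the first and is still rejected, which is why the fingerprint comparison is part of the check.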


More information

Table of Contents. CHAPTER 1 About This Guide... 9. CHAPTER 2 Introduction... 11. CHAPTER 3 Database Backup and Restoration... 15

Table of Contents. CHAPTER 1 About This Guide... 9. CHAPTER 2 Introduction... 11. CHAPTER 3 Database Backup and Restoration... 15 Table of Contents CHAPTER 1 About This Guide......................... 9 The Installation Guides....................................... 10 CHAPTER 2 Introduction............................ 11 Required

More information

OfficeScan 10 Enterprise Client Firewall Updated: March 9, 2010

OfficeScan 10 Enterprise Client Firewall Updated: March 9, 2010 OfficeScan 10 Enterprise Client Firewall Updated: March 9, 2010 What is Trend Micro OfficeScan? Trend Micro OfficeScan Corporate Edition protects campus networks from viruses, Trojans, worms, Web-based

More information

InfoPrint 4247 Serial Matrix Printers. Remote Printer Management Utility For InfoPrint Serial Matrix Printers

InfoPrint 4247 Serial Matrix Printers. Remote Printer Management Utility For InfoPrint Serial Matrix Printers InfoPrint 4247 Serial Matrix Printers Remote Printer Management Utility For InfoPrint Serial Matrix Printers Note: Before using this information and the product it supports, read the information in Notices

More information

LifeSize Control Installation Guide

LifeSize Control Installation Guide LifeSize Control Installation Guide April 2005 Part Number 132-00001-001, Version 1.0 Copyright Notice Copyright 2005 LifeSize Communications. All rights reserved. LifeSize Communications has made every

More information

TANDBERG MANAGEMENT SUITE 10.0

TANDBERG MANAGEMENT SUITE 10.0 TANDBERG MANAGEMENT SUITE 10.0 Installation Manual Getting Started D12786 Rev.16 This document is not to be reproduced in whole or in part without permission in writing from: Contents INTRODUCTION 3 REQUIREMENTS

More information

Novell Open Workgroup Suite

Novell Open Workgroup Suite Novell Open Workgroup Suite Small Business Edition QUICK START GUIDE September 2007 v1.5 Page 1 Introduction This Quick Start explains how to install the Novell Open Workgroup Suite software on a server.

More information

Portions of this product were created using LEADTOOLS 1991-2010 LEAD Technologies, Inc. ALL RIGHTS RESERVED.

Portions of this product were created using LEADTOOLS 1991-2010 LEAD Technologies, Inc. ALL RIGHTS RESERVED. Installation Guide Lenel OnGuard 2010 Installation Guide, product version 6.4. This guide is item number DOC-110, revision 1.045, May 2010 Copyright 1995-2010 Lenel Systems International, Inc. Information

More information

Installation Guide Wireless 4-Port USB Sharing Station. GUWIP204 Part No. M1172-a

Installation Guide Wireless 4-Port USB Sharing Station. GUWIP204 Part No. M1172-a Installation Guide Wireless 4-Port USB Sharing Station 1 GUWIP204 Part No. M1172-a 2011 IOGEAR. All Rights Reserved. PKG-M1172-a IOGEAR, the IOGEAR logo, MiniView, VSE are trademarks or registered trademarks

More information

ecopy ShareScan 4.5 Installation and Setup Guide for Canon ScanFront devices Part Number: 73-00330-1 (01/2009)

ecopy ShareScan 4.5 Installation and Setup Guide for Canon ScanFront devices Part Number: 73-00330-1 (01/2009) ecopy ShareScan 4.5 Installation and Setup Guide for Canon ScanFront devices Part Number: 73-00330-1 (01/2009) Licensing, Copyright, and Trademark Information The information in this document is subject

More information

Bosch ReadykeyPRO Unlimited Installation Guide, product version 6.5. This guide is item number DOC-110-2-029, revision 2.029, May 2012.

Bosch ReadykeyPRO Unlimited Installation Guide, product version 6.5. This guide is item number DOC-110-2-029, revision 2.029, May 2012. Bosch ReadykeyPRO Unlimited Installation Guide, product version 6.5. This guide is item number DOC-110-2-029, revision 2.029, May 2012. Copyright 1995-2012 Lenel Systems International, Inc. Information

More information

Operating Instructions Driver Installation Guide

Operating Instructions Driver Installation Guide Operating Instructions Driver Installation Guide For safe and correct use, be sure to read the Safety Information in "Read This First" before using the machine. TABLE OF CONTENTS 1. Introduction Before

More information