Xerox D Series User manual
Xerox® Application Security Guide and Information Assurance Disclosure
Xerox®
Security Guide
Light Production Mono Class
Copier/Printers
Legacy
Printers
Legacy
Copier/Printers
D-Series®
Copier/Printers
4110, 4112/4127,
4590 Enterprise
Printing System
4110, 4112/4127,
4590 Copier/Printer
D95/D110/D125/D136
Copier/Printer
Xerox® Security Guide for Light Production Mono Class Products
© 2019 Xerox Corporation. All rights reserved. Xerox and Xerox and Design® are trademarks of Xerox
Corporation in the United States and/or other countries. BR26363
Other company trademarks are also acknowledged.
Document Version: 1.0 (February 2019).
Copyright protection claimed includes all forms and matters of copyrightable material and information now
allowed by statutory or judicial law or hereinafter granted including without limitation, material generated
from the software programs which are displayed on the screen, such as icons, screen displays, looks, etc.
Changes are periodically made to this document. Changes, technical inaccuracies, and typographic
errors will be corrected in subsequent editions.
Xerox® Security Guide for Light Production Mono Class Products
Table of Contents
1INTRODUCTION ...................................................................................................................................3
PURPOSE ....................................................................................................................................................3
TARGET AUDIENCE ......................................................................................................................................3
DISCLAIMER.................................................................................................................................................3
PHYSICAL COMPONENTS..............................................................................................................................4
ARCHITECTURE............................................................................................................................................4
USER INTERFACE.........................................................................................................................................5
SCANNER ....................................................................................................................................................5
MARKING ENGINE ........................................................................................................................................6
CONTROLLER ..............................................................................................................................................6
OPTIONAL EQUIPMENT.................................................................................................................................8
2USER DATA PROTECTION .................................................................................................................9
USER DATA PROTECTION WHILE WITHIN PRODUCT .........................................................................................9
USER DATA IN TRANSIT ..............................................................................................................................10
3NETWORK SECURITY.......................................................................................................................12
TCP/IP PORTS &SERVICES.......................................................................................................................12
NETWORK ENCRYPTION .............................................................................................................................19
NETWORK ACCESS CONTROL.....................................................................................................................24
CONTEXTUAL ENDPOINT CONNECTION MANAGEMENT..................................................................................25
FIPS140-2 COMPLIANCE VALIDATION.........................................................................................................25
ADDITIONAL NETWORK SECURITY CONTROLS .............................................................................................25
4DEVICE SECURITY: BIOS, FIRMWARE, OS, RUNTIME, AND OPERATIONAL SECURITY
CONTROLS................................................................................................................................................27
FAIL SECURE VS FAIL SAFE........................................................................................................................27
PRE-BOOT SECURITY.................................................................................................................................28
BOOT PROCESS SECURITY.........................................................................................................................28
RUNTIME SECURITY ...................................................................................................................................28
EVENT MONITORING &LOGGING ................................................................................................................29
OPERATIONAL SECURITY............................................................................................................................29
BACKUP &RESTORE (CLONING).................................................................................................................30
EIP APPLICATIONS.....................................................................................................................................30
5CONFIGURATION & SECURITY POLICY MANAGEMENT SOLUTIONS........................................31
6IDENTIFICATION, AUTHENTICATION, AND AUTHORIZATION.....................................................32
AUTHENTICATION.......................................................................................................................................32
AUTHORIZATION (ROLE BASED ACCESS CONTROLS)...................................................................................35
7ADDITIONAL INFORMATION & RESOURCES.................................................................................38
SECURITY @XEROX®...............................................................................................................................38
RESPONSES TO KNOWN VULNERABILITIES ..................................................................................................38
ADDITIONAL RESOURCES ...........................................................................................................................38
APPENDIX A: PRODUCT SECURITY PROFILES...................................................................................39
LEGACY®4110, 4112/4127, 4590 EPS PRINTERS....................................................................................40
LEGACY®4110, 4112/4127, 4590 COPIER/PRINTERS................................................................................43
D-SERIES®D95A/D110/D125/D136 COPIER/PRINTERS............................................................................46
Xerox® Security Guide for Light Production Mono Class Products
APPENDIX B: SECURITY EVENTS .........................................................................................................51
XEROX LEGACY®SECURITY EVENTS........................................................................................................51
D-SERIES®SECURITY EVENTS ..................................................................................................................67
1
Xerox® Security Guide for Light Production Mono Class Products
1 Introduction
Purpose
The purpose of this document is to disclose information for the Xerox® Legacy (4110/4112/4127) and D-
Series® (D95A/110/125/D136) Light Production Monochrome Class Copier/Printer products (hereinafter
called as “the product” or “the system”) with respect to product security. Product Security, for this paper, is
defined as how image data is stored and transmitted, how the product behaves in a network environment,
and how the product may be accessed both locally and remotely. The purpose of this document is to
inform Xerox customers of the design, functions, and features of the product with respect to Information
Assurance. This document does not provide tutorial level information about security, connectivity, or the
product’s features and functions. This information is readily available elsewhere. We assume that the
reader has a working knowledge of these types of topics.
Target Audience
The target audience for this document is Xerox field personnel and customers concerned with IT security.
Disclaimer
The information in this document is accurate to the best knowledge of the authors and is provided without
warranty of any kind. In no event shall Xerox be liable for any damages whatsoever resulting from user's
use or disregard of the information provided in this document including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if Xerox has been advised of the
possibility of such damages.
Product Description
Xerox® Security Guide for Light Production Mono Class Products
Physical Components
Xerox Legacy (4110/4112/4127) and D-Series® Copier/Printer products consist of an input document
handler and scanner, marking engine, controller, and user interface. Printer products do not have an
input document handler or scanner. A typical configuration is depicted below. Please note that options
including finishers, paper trays, document handers, etc. may vary configuration, however, they are not
relevant to security and are not discussed.
1. Optional High Capacity Feeder.
2. Bypass paper feed tray.
3. Duplex Automatic Document Feeder.
4. Document Cover.
5. Document Glass.
6. User Interface.
7. Optional Standard Finisher.
8. Front Cover.
9. Left Cover.
10. Trays 1-4.
11. Lower Left Cover
12. Front Cover on Optional HCF.
Architecture
Legacy (4110/4112/4127) and D-Series® Copier/Printer products share a common architecture which is
depicted below. The following sections describe components in detail.
Xerox® Security Guide for Light Production Mono Class Products
User Interface
The user interface detects soft and hard button actuations and provides text and graphical prompts to the
user. The user interface is sometimes referred to as the Graphical User Interface (GUI) or Local UI (LUI)
to distinguish it from the remote web server interface (WebUI).
The user interface allows users to access product services and functions. Users with administrative
privileges can manage the product configuration settings. User permissions are configurable through
Role Based Access Control (RBAC) policies, described in section 6Identification, Authentication, and
Authorization.
User image data in the memory on Controller is accessible (Preview Thumbnail feature).
Scanner
The scanner converts documents from hardcopy to electronic data. A document handler moves originals
into a position to be scanned. The scanner provides enough image processing for signal conditioning and
formatting. The scanner does not store scanned images.
The scanner does not have its own control processor. The scanner attribute information is written in
the SEEPROM and the control is performed by the controller. Note that this feature is not available
on Printer.
Name
Purpose/Explanation
SEEPROM
This non-volatile memory has no user data stored in it.
This memory contains:
・Mode setting information on image processing and mechatronics control, and
data on the parts usage status associated with recycling.
User
Interface
Scanner
Controller
Marking
Engine
External
Interfaces
Device
Storage
Optional
Interfaces
Xerox® Security Guide for Light Production Mono Class Products
Marking Engine
The Marking Engine performs copy/print paper feeding and transport, image marking, fusing, and
document finishing. The marking engine is comprised of paper supply trays and feeders, paper transport,
LED scanner, xerographic, and paper output and finishing. The marking engine is only accessible to the
Controller via inter-chip communication with no other access and does not store user data.
Name
Purpose/Explanation
Flash ROM
All operating system and application executable control code related to Marking
Engine resides here (e.g. boot loader, paper path, and xerographic).
SRAM
(Static RAM)
This is a Work RAM used to develop the program and parameters in the
above-mentioned Flash ROM. No user data is stored in this memory.
Controller
The controller manages document processing using proprietary hardware and algorithms to process
documents into high-quality electronic and/or printed reproductions. Documents may be temporarily
buffered in RAM during processing. Some models may be equipped with additional storage options such
as magnetic Hard Disk Drive (HDD), Solid State Disk (SSD), SD Card, or Flash media. For model
specific details please see Appendix A: Product Security Profiles. Legacy and D-Series® products
encrypt user data and include media sanitization (overwrite) options that ensure that erased data cannot
be recovered, described further in section 2User Data Protection.
In addition to managing document processing the controller manages all network functions and services.
Details can be found in section Network Security.
The controller handles all I/O communications with connected products. The following section provides a
description of each interface. Please note that not all interfaces are supported on all models; details
about each model can be found in Appendix A: Product Security Profiles.
The details of the memory devices in the Controller are:
Name
Purpose/Explanation
DRAM
The executable software is loaded in this memory and is run. This memory is
also used for temporary storage of user data such as data files and images.
Such data is not backed up and is deleted when a job is completed. And the all
data is lost when the power to the device is removed.
Flash ROM
This Flash memory contains the code necessary to boot the system, all
executable code (operating system, PostScript interpreter, network protocols,
document scheduler, etc.), and the installed fonts. A power-on self-test is
performed and the bootstrap OS is loaded. This memory never contains any
user data or document data.
Operating system and application executable control code resides here. All
codes except for the code of boot loader are compressed and are extracted
into DRAM to be executed. No user image data is stored in this memory.
NVRAM
This non-volatile memory has no image data stored in it. User data such as
system setting information, mailbox information, job memory, user
management information, and various types of logs are recorded in it. The data
is written in the memory after it is encrypted.
Xerox® Security Guide for Light Production Mono Class Products
Controller
Hard disk
This device contains numerous types of data including user data:
1) Data of the documents scanned in upon copying.
2) Data of spooled documents in PDL format from the network.
3) Data of the documents used in security print, sample print, and delayed-
start print.
4) Data of the scanned-in documents
5) Job logs.
6) Downloaded fonts and forms.
For the formatting of the hard disk, the file system included in VxWorks is used.
The format, however, is not accessible even when the hard disk is connected
to PC. When a job is completed, its reference in the directory table is deleted
but the image data remains on the disk until overwritten by a subsequent job.
Image Overwrite feature enables an overwrite of the used data with
meaningless data. Also, Data Encryption feature enables a data encryption of
the HDD data.
Page Memory
This is a volatile memory used to store image data temporarily.
SEEP ROM
This memory contains the system’s setting information.
Controller External Interfaces
Front Panel USB (Type A) port(s)
One or more USB ports may be located on the front of the product, near the user interface. Front USB
ports may be enabled or disabled by a system administrator. The front USB port supports the following:
Walk-up users may insert a USB thumb drive to store or retrieve documents for scanning and/or
printing from a FAT formatted USB device. The controller will only allow reading/writing of a
limited set of known document types (such as DOC, PDF, PNG, JPEG, TIFF, etc.). Other file
types including binary executables are not supported.
Note that features that use the front USB ports (such as Scan To USB) can be disabled
independently or restricted using role-based access controls.
Connection of optional equipment such as NFC or CAC readers.
Firmware updates may be submitted through the front USB ports. (Note that the product must be
configured to allow local firmware updates, or the update will not be processed.
10/100/1000 MB Ethernet RJ-45 Network Connector
This is a standard RJ45 Ethernet network connector and confirms to IEEE Ethernet 802.3 standards.
Rear USB (Type B) Target port
A USB type B port located on the controller board at the rear of the product. This port supports the
following:
USB target connector used for printing
Note: This port can be disabled completely by a system administrator.
Xerox® Security Guide for Light Production Mono Class Products
Optional Equipment
RJ-11 Analog Fax and Telephone
The analog fax module connects to the controller. The fax connection supports the Fax Modem T.30
protocol only and will not accept data or voice communication attempts. An external (EXT) is available to
connect an external handset. In this configuration, the FAX card acts as a passive relay.
Wireless Network Connector
Xerox Legacy (4110/4112/4127) and D-Series® Copier/Printer products do not offer a wireless connector
option.
Near Field Communications (NFC) Reader
The system supports an installable RFID reader for authentication and convenience in certain
configurations. D-Series® products accept the RFID reader via USB on the front of the product. This
communication cannot write or change any settings on the system. The data exchanged is not encrypted
and may include information including system network status, IP address and product location. NFC
functionality can be disabled using the embedded web server of the product. NFC functionality requires a
software plugin that can be obtained from Xerox sales and support. NFC functionality is supported via
optional touch screen user interface or optional dedicated NFC USB dongle.
Information shared over NFC includes: IPv4 Address, IPv6 Address, MAC Address, UUID (a unique
identifier on the NFC client), and Fully qualified domain name
SMART CARD –CAC/PIV
All D-Series® products support CAC/PIV login by enabling the Plug-in feature and then enabling the
appropriate plug-in. Additional plug-ins can be downloaded from Xerox.com in the product Support area
online.
Foreign Product Interface
This port is used to connect optional equipment to control access to the machine. A typical application is
a coin-operated product where a user must deposit money to enable the machine to print. The
information available via the Foreign Product Interface is limited to optically-isolated pulses that can be
used to count impressions marked on hardcopy sheets. No user data is transmitted to or from this
interface.
Xerox® Security Guide for Light Production Mono Class Products
2 User Data Protection
Xerox printers and multifunction products receive, process, and may optionally store user data from
several sources including as local print, scan, fax, or copy jobs or mobile and cloud applications, etc.
Xerox products protect user data being processed by employing strong encryption. When the data is no
longer needed, the Image Overwrite (IIO) feature automatically erases and overwrites the data on
magnetic media, rendering it unrecoverable. As an additional layer of protection, an extension of IIO
called On-Demand Image Overwrite (ODIO) can be invoked to securely wipe all user data from magnetic
media.
User Data protection while within product
This section describes security controls that protect user data while it is resident within the product. For a
description of security controls that protect data in transit please refer to the following section that
discusses data in transit; also the Network Security section of this document.
Encryption
All user data being processed or stored to the product is encrypted by default. Note that encryption may
be disabled to enhance performance on both Legacy and D-Series® products (though this is not
recommended in secure environments).
The algorithm used in the product is AES-256. The encryption key is automatically created at start up
and stored in the RAM. The key is deleted by a power-off, due to the physical characteristics of the RAM.
TPM Chip
The Legacy and D-Series® products do not contain a TMP chip. Please refer to Appendix A: Product
Security Profiles for model specific information.
Media Sanitization (Image Overwrite)
Legacy and D-Series® products equipped with magnetic hard disk drives are compliant with NIST
Special Publication 800-88 Rev1: Guidelines for Media Sanitization. User data is securely erased using a
three-pass algorithm as described in the following link:
https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-88r1.pdf
Immediate Image Overwrite
When enabled, Immediate Image Overwrite (IIO) will overwrite any temporary files that were created on
the magnetic hard disk that may contain user data. The feature provides continuous automatic
overwriting of sensitive data with minimal impact to performance, robust error reporting, and logging via
the Audit Log.
Note: Solid State storage media such as Solid-State Disk, eMMC, SD-Card, and Flash media cannot be completely
sanitized by multi-pass overwriting methods due to the memory wear mapping that occurs. (Additionally, attempts to do
so would also greatly erode the operational lifetime of solid state media). Solid State media is therefore not
recommended for use in highly secure environments. Please refer to NIST-800-88 “Table A-8: Flash Memory-Based
Storage Product Sanitization” for technical details.
Xerox® Security Guide for Light Production Mono Class Products
On-Demand Image Overwrite
Complementing the Immediate Image Overwrite is On-Demand Overwrite (ODIO). While IIO overwrites
individual files, ODIO overwrites entire partitions. The ODIO feature can be invoked at any time and
optionally may be scheduled to run automatically.
User Data in transit
This section focuses on the protection of user data (print/scan/other jobs) in transit as they are submitted
to the product for processing and/or are sent from the product to other systems. Additional protections
are also discussed in the Network Security section of this document.
Inbound User Data
Print Job Submission
In addition to supporting network level encryption including IPSec and WPA Xerox products also support
encryption of print job data at the time of submission. This can be used to securely transmit print jobs
over unencrypted connections or to enhance existing network level security controls.
Encrypted Transport
Description
IPPS (TLS)
Submit print jobs via Secure Internet Printing Protocol. This protocol is
based on HTTP and utilizes the TLS suite to encrypt data.
HTTPS (TLS)
Securely submit a print job directly to product via the built-in web server.
Xerox Print Stream
Encryption
The Xerox Global Print Driver® supports document encryption when
submitting Secure Print jobs to enabled products. Simply check the box to
Enable Encryption when adding the Passcode to the print job.
Outbound User Data
Scanning to Network Repository, Email, Fax Server
Legacy (4110/4112/4127) and D-Series® Copier/Printer multifunction products support scanning of
hardcopy documents to external network locations including file repositories and email and facsimile
services. In addition to supporting network level encryption including IPSec and WPA Xerox products
support the following.
Protocol
Encryption
Description
HTTP
N/A
Unencrypted HTTP protocol.
HTTPS (TLS)
TLS
HTTP encrypted by TLS
FTP
N/A
Unencrypted FTP.
SFTP (SSH)
SSH
FTP encrypted by SSH
SMBv3
N/A
Not Available
SMBv2
N/A
Unencrypted SMB
SMBv1
N/A
(Not used as a transport protocol. Used for network discovery only)
SMTP (email)
S/MIME
The product uses SMTP to transmit data to the email server. Email
authentication, encryption, and signing are supported. Please refer
to the Network Security section of this document for details.
Xerox® Security Guide for Light Production Mono Class Products
Scanning to User Local USB Storage Product
Scan data is transferred directly to the user’s USB product. Filesystem encryption of user products are
not supported.
Add on Apps- Cloud, Google, DropBox, and others
The Xerox App Gallery® contains several additional applications that extend the capabilities of Xerox
products. Discussion of App security is beyond the scope of this document. Xerox Apps utilize the
security framework provided by the 3rd party vendor. (For example, Microsoft O365 or Google apps
would utilize Microsoft & Google’s security mechanisms respectively). Please consult documentation for
individual Apps and 3rd party security for details.
Legacy Printers
Legacy Copier/Printers
D-Series® Copier/Printers
4110, 4112/4127, 4590 EPS
4110, 4112/4127, 4590
D95/D110/D125/D136
Local Data Encryption (HDD, SDD, IC, SD Card)
AES-256
AES-256
AES-256
Federal Information Protection Standard 140-2
Yes
Yes
Yes
Media Sanitization NIST 800-171 (Image Overwrite)
All models use magnetic
HDD
Models with magnetic
HDD. See Appendix A:
Product Security Profiles
Models with magnetic HDD.
See Appendix A: Product
Security Profiles
Print Submission
IPPS (TLS)
Supported
Supported
Supported
HTTPS (TLS)
Supported
Supported
Supported
Xerox Print Stream Encryption
Supported
Supported
Supported
Scan to Repository Server
HTTPS (TLS)
(Not Applicable)
1.2
1.2
SFTP (SSH)
(Not Applicable)
SSH-2
SSH-2
SMB (unencrypted)
(Not Applicable)
v1, v2, v3
v1, v2, v3
SMB (with share encryption enabled)
(Not Applicable)
V3
V3
HTTP (unencrypted)
(Not Applicable)
Supported
Supported
FTP (unencrypted)
(Not Applicable)
Supported
Supported
Scan to Fax Server
HTTPS (TLS)
(Not Applicable)
1.2
1.2
SFTP (SSH)
(Not Applicable)
SSH-2
SSH-2
SMB (unencrypted)
(Not Applicable)
v1, v2, v3
v1, v2, v3
SMB (with share encryption enabled)
(Not Applicable)
V3
V3
S/MIME
(Not Applicable)
Supported
Supported
HTTP (unencrypted)
(Not Applicable)
Supported
Supported
FTP (unencrypted)
(Not Applicable)
Supported
Supported
SMTP (unencrypted)
(Not Applicable)
Supported
Supported
Scan to Email
S/MIME
(Not Applicable)
Supported
Supported
SMTP (unencrypted)
(Not Applicable)
Supported
Supported
Xerox® Security Guide for Light Production Mono Class Products
3 Network Security
Xerox products are designed to offer a high degree of security and flexibility in almost any network
environment. This section describes several aspects of the product related to network security.
TCP/IP Ports & Services
Xerox devices are robust, offering support for a wide array of services and protocols. The devices are
capable of hosting services as well as acting as a client for others. The diagram below presents a high-
level overview of inbound communications (from other hosts on the network into listening services on the
device) and outbound connections initiated by the device (acting as a client to external network services).
Inbound (Listening Services)
Out Bound (Network Client)
Print Services
LPR, IPP, Raw IP, etc.
Management Services
SNMP, Web interface, WebServices,
etc.
Infrastructure & Discovery Services
IPSEC, SSDP, WSD, mDNS,
NetBIOS, etc.
Built-in Scan Services
FTP, HTTP & HTTPS (TLS), SFTP
(SSH), SMB, CIFS, SMTP &
SMTPS, POP3 & POPS, etc.
Authentication Services
LDAP & LDAPS, SMB, Kerberos.
Infrastructure
ISAKMP (IPSec), DHCP & DHCPv6,
etc.
Cloud Services
Dropbox, Google Drive, OneDrive,
and several others.
Listening services (inbound ports)
The following table summarizes all potentially open ports on the product. These ports can be
enabled/disabled within the product configuration.
Port
Type
Service Name
20
TCP
• FTP data (Active) - Client -
20
TCP
• FTP data (FreeFlow)
21
TCP
• FTP – Client -
21
TCP
• FTP data (FreeFlow)
25
TCP
• SMTP
53
TCP/UDP
• DNS – Client -
67
UDP
• BOOTP/DHCP – Client
80
TCP
• HTTP(CWIS)
80
TCP
• HTTP(UPnP Discovery)
Xerox® Security Guide for Light Production Mono Class Products
80
TCP
• HTTP(WSD)
80
TCP
• HTTP(WebDAV)
80
TCP
• HTTP(IPP added port)
88
UDP
• Kerberos – Client
110
TCP
• POP3 – Client
123
UDP
• SNTP – Client
137
UDP
• NETBIOS – Name Service
138
UDP
• NETBIOS –Datagram Service
139
TCP
• NETBIOS
161
UDP
• SNMP
162
UDP
• SNMP trap
389
TCP
• LDAP – Client
427
TCP/UDP
• SLP
443
TCP
• HTTP(CWIS)
443
TCP
• HTTP(IPP)
443
TCP
• HTTP(WebDAV)
443
TCP
• HTTP(Authentication Agent)
445
TCP
• Direct Hosting
465
TCP
• SMTPS – Client
500
UDP
• ISAKMP
515
TCP
• LPR
524
TCP
• NetWare NCP – Client
547
UDP
• DHCPv6 – Client
631
TCP
• IPP (FreeFlow)
636
TCP
• LDAPS – Client
1824
TCP
• HTTPS(OffBox Validation) – Client -
1824
TCP
• Xerox Secure Access
1900
UDP
• SSDP
3702
UDP
• WSD Discovery
5353
UDP
• Mdns
9100
TCP
• raw IP
15000
TCP
• Loopback port for the control of SMTP server
20001
TCP
• Loopback port for HTTP Server
1024
TCP
• NetWare, SLP
“- Client -“: The port number is not for the port on the controller side, but for the port of the
connecting destination. Unless the port number for the controller side is specified, the port number
Xerox® Security Guide for Light Production Mono Class Products
for the controller side is unknown. Also, the port is not open on the controller all the time but will
open only at time of accessing the remote server.
Ports 20, 21: FTP
There are cases where this port is used as an FTP client feature or as an FTP server feature.
When it is used as an FTP client feature, this port is not open all of the time. This port is open only
when sending image data to the FTP server to perform ScanToFTP and MailboxToFTP functions,
or when accessing the FTP server to search for Scan Job Flow Sheets (i.e. Scan job Flow
Sheets). In other cases, no ports are connected to the FTP server.
FTP server feature is activated only when FreeFlow feature is enabled. Port 21 is open at all times
and Port 20 opens only when receiving image data from the FTP client. A service engineer can
configure these port numbers. A system administrator can disable these ports and service (turn
FTP ports OFF/ON) from CentreWare Internet Services.
Port 25: SMTP
This port enables E-mail Print feature, and is open all of the time when the receive protocol is set
to SMTP. Also, this port is open when sending image or message to SMTP server in Scan to E-
mail, or Email Alert feature. When “SMTP Authentication” is set, authentication to the server is
performed. In such case, a password is sent in plain text or as encrypted according to the
information notified by the server. A system administrator can change the port number from
CentreWare Internet Services.
Port 53: DNS
This port is used for DNS. This port is used for name queries to the DNS server when the product
accesses the device designated by the device name. This port is also used to register device
names in DNS server (authoritative server) to update the DNS dynamically. A system
administrator can disable only DNS dynamic update service from CentreWare Internet Services.
Port 67: DHCP
This port is used only when performing DHCP, and is not open all of the time. To permanently
close this port, DHCP must be explicitly disabled. This is done via the Local User Interface or
CentreWare Internet Services by a system administrator.
Port 80: HTTP (CWIS)
This port is used to access embedded web pages through browser. The port number can be
changed from CentreWare Internet Services by a system administrator.
The embedded web pages are used for the following purposes:
to give information on device status to users.
to enable confirmation of the job logs and job queue in the device, and operation of the jobs.
to allow users to download print ready files and program Scan Job Flow Sheets.
to enable management of Mailboxes and operation on the documents in Mailboxes.
to enable import/export of Address Book and import of device certificate.
to allow remote administration of the device. User may view the properties but not change them
without logging into the product with system administrator privileges. When authentication of a
system administrator fails for the specified number of times consecutively, rebooting of the entire
product is required.
Xerox® Security Guide for Light Production Mono Class Products
A read/write of partial system setting information is possible through the unique protocols on the
HTTP port.
The HTTP server can only host the web pages in the device, but cannot substitute for the proxy
server. Through HTTP, the file system of the product cannot be accessed directly.
The embedded HTTP server is a unique implementation.
A system administrator can disable this service (and the port) via Local User Interface or from
CentreWare Internet Services.
Port 80: HTTP (UPnP Discovery)
This port provides the discovery feature using SSDP. The port number is configurable, and a
system administrator can disable this service (and the port) via local UI or from CentreWare
Internet Services.
Port 80: HTTP (SESAMi Manager)
The port number is configurable, and a system administrator can change the port number via local
UI, CentreWare Internet Services, or SSMI. Also, a system administrator can disable this service
via local UI, CentreWare Internet Services, or SSMI.
Port 80 operates as a HTTP server for SSMI. Port 443 operates as a secure channel for SSMI,
and supports TLSv1.1 and TLSv1.2. When SSL/TLS is enabled, HTTP connections to SSMI are
redirected to HTTPS. Since communication through port 443 is encrypted, interception on the
network can be avoided.
Port 80: HTTP (WSD)
This port supports WSD (Web Services on Devices) Print feature.
The port number is configurable and a system administrator can disable this port and service from
the local UI or CentreWare Internet Services.
Port 80: HTTP (WebDAV)
This port is a WebDAV server port that supports features to access Mailbox. The port number is
configurable, and a system administrator can disable this service (and the port) via local UI or
from CentreWare Internet Services.
Port 88: Kerberos
The product employs Kerberos client function that is used to access this product from Local UI.
The product supports Kerberos V5 and uses CBC (Cipher Block Changing) of DES (Data
Encryption Standard). The Kerberos code is not used for document encryption.
The authentication data of the user permitted by the product is set in the Kerberos server, and
address information and realm information of the Kerberos server used by the product is set in the
Controller NVRAM.
The following show the difference from the standard Kerberos packaging.
1. Ticket cache
Xerox® Security Guide for Light Production Mono Class Products
In the product, tickets are stored only in a memory, and are deleted automatically by a user log-off or
an automatic log-off due to time-out. When power is turned off during log-on, the tickets will be
deleted.
2. Validity of the ticket
In the product, only the initial ticket is obtained; authentication is considered as successful when the
initial ticket is obtained. Thus, invalidation of the initial ticket is not judged.
Port 110: POP3
This port enables E-mail Print feature and is open at the specified intervals set when receive
protocol is set to POP3. Also, when “POP Before SMTP” is set, POP access is always performed
before sending data such as image to the SMTP server. Usually the POP User ID and the
password are sent in plain text, but the password is encrypted to be sent when “APOP
authentication” is selected.
A system administrator can change the port number from CentreWare Internet Services.
Port 123: SNTP
This port is used to access the server at the specified intervals when time synchronization with the
external time is set on the Local User Interface. The setting can be changed by a system
administrator.
Ports 137, 138, 139, 445: NETBIOS
Port 137 is the standard NetBIOS Name Service port and mainly used by WINS. Port 138
supports the CIFS browsing protocol. Port 445 is a standard direct host port and is used for
communication using SMB protocol that does not use NetBIOS over TCP. A system administrator
can disable each of the 4 ports via Local User Interface or from CentreWare Internet Services. To
use the SMB feature for Scan, all of the above ports need to be available. For Scan, image is sent
to Port 139 or Port 445, both of which are on the remote server.
Ports 161, 162: SNMP
These ports support the SNMPv1, SNMPv2c, and SNMPv3 protocols. SNMPv1 and SNMPv2c
control access to device’s MIB information by using write community string and read community
string. Since these community strings are transmitted on network in plain text, users should note
that the community strings can be read if packets are dumped. It is highly recommended that the
customer changes the community string from the default upon product installation. To solve the
above problem, for SNMPv3, packets on network are authenticated and encrypted, which realizes
safe access. Therefore, users who place importance on security should use SNMPv3. A system
administrator can set enable/disable of the SNMP from the local UI or CentreWare Internet
Services.
Port 389: LDAP
This is the standard LDAP port used for Address Book queries in LDAP authentication and the
Scan to Email feature.
Port 427: SLP
In the product, this port is used to search the NetWare server on the network, on the IP protocol.
This function operates only when the NetWare print function is set to be used on the IP protocol.
Xerox® Security Guide for Light Production Mono Class Products
Port 443: HTTPS
This port operates as a secure channel for HTTP server, and supports TLSv1.1 and TLSv1.2.
When SSL/TLS is enabled, HTTP connections to CentreWare Internet Services are redirected to
HTTPS. Since communication through this port is encrypted, interception on the network can be
avoided. A system administrator can change the port number and/or disable the port via local UI
or from CentreWare Internet Services.
Port 443: HTTPS (IPP)
This port operates as a secure channel for internet print protocol, and supports TLSv1.1 and
TLSv1.2. Since communication through this port is encrypted, interception on the network can be
avoided. A system administrator can change the port number and/or disable the port via local UI
or from CentreWare Internet Services.
Port 443: HTTPS (WebDAV)
This port operates as a secure channel for Web DAV server, and supports TLSv1.1 and TLSv1.2.
When SSL/TLS is enabled, HTTP connections to WebDAV server are redirected to HTTPS. Since
communication through this port is encrypted, interception on the network can be avoided. The
port number is configurable, and a system administrator can disable this service (and the port) via
local UI or from CentreWare Internet Services.
Ports 80, 443: HTTPS (Authentication Agent ASC)
These are used as the destination ports when the product communicates to ApeosWare
Authentication Agent (AWAA). Protocol and port number can be changed from AWAA by a system
administrator (of AWAA) and cannot be changed from local UI or CentreWare Internet Services.
Port 465, SMTPS
This is the secure channel port used to access the SMTP server using SMTPS (SMTP over TLS)
for Scan to Email and Email Alert.
Port 500: ISAKMP
This port is used for IKE in order to establish an IPSec SA (Security Association), and is open all
of the time for IKE communication. When the product communicates to an external device as a
client, the port number of the product and that of the external device are both 500. A system
administrator can disable IPSec via local UI or from CentreWare Internet Services.
Port 515: LPR
This is the standard LPR printing port, which only supports IP printing. The port number is
configurable and a system administrator can disable this service (and the port) via Local User
Interface or from CentreWare Internet Services.
Port 524: NetWare NCP
This is a port on the NetWare server side, and is used to provide print service through IP
connection to NetWare server. After connection, the port is used until the power is turned off. The
port number cannot be changed. A system administrator can disable the service via local UI or
from CentreWare Internet Services.
Xerox® Security Guide for Light Production Mono Class Products
Ports 546, 547: DHCPv6
These ports are used for DHCPv6. When querying the IPv6 DNS server address, the product
accesses port 547 of DHCPv6 server and receives the result from DHCPv6 server at port 546.
The product can query the IPv6 DNS server address when the auto acquisition of IPv6 DNS
server address is enabled, and a system administrator can disable it from CentreWare Internet
Services.
Ports 80, 631: IPP (FreeFlow)
These ports support the Internet Print protocols(IPP). 631 is the standard port number for IPP and
80 is an added port number. The added port number is configurable. A system administrator can
disable this service and port 80 (turn IPP port OFF/ON) via Local User Interface or from
CentreWare Internet Services. IPP is also used in FreeFlow print. In FreeFlow print, only port 631
is used. A system administrator can disable this port and service (turn FreeFlow port OFF/ON)
from CentreWare Internet Services.
Port 636: LDAPS
This is the secure channel port used to access LDAP server using LDAPS (LDAP over TLS) for
LDAP authentication and for Address Book queries in the Scan to Email feature.
Port 1824: HTTPS (OffBox Validation)
This port is used to communicate with OffBox Validation server. The protocol and port number can
be changed by a system administrator on the OffBox Validation server side and cannot be
changed via local UI or from CentreWare Internet Services.
Port 1900: SSDP
This port provides the discovery feature that complies with SSDP (Simple Service Discovery
Protocol). This port number cannot be changed. Whether this port opens depends on whether the
UPnP discovery feature is/are enabled or disabled.
Port 3702, WSD Discovery
This port provides the WSD (Web Services on Devices) discovery feature. This port number
cannot be changed. Whether this port opens depends on whether the WSD print feature is
enabled or not.
Port 5353: mDNS
This port provides the discovery feature using Multicast DNS. The port number is fixed to 5353. A
system administrator can disable this service via local UI or from CentreWare Internet Services.
Port 9100: raw IP
This port has a bidirectional function (via pjl back channel), and only allows printing. The port is a
configurable port and a system administrator can disable this service (and the port) via Local User
Interface or from CentreWare Internet Services.
This manual suits for next models
9
Table of contents
Other Xerox Printer manuals
Xerox
Xerox B310 User manual
Xerox
Xerox 7500DX - Phaser Color LED Printer User manual
Xerox
Xerox COLORQUBE 8570 User manual
Xerox
Xerox Phaser 6360 User manual
Xerox
Xerox DocuPrint 4635 User manual
Xerox
Xerox Phaser 7800 Operating manual
Xerox
Xerox Phaser 3020 Operating manual
Xerox
Xerox Phaser 200I User manual
Xerox
Xerox Phaser 6500 Operating manual
Xerox
Xerox Z740/N - Phaser 740 Color Laser Printer User manual
Xerox
Xerox Phaser 3010 User manual
Xerox
Xerox PHASER 6130 User manual
Xerox
Xerox DocuPrint 65 Manual
Xerox
Xerox 3600DN - Phaser B/W Laser Printer User manual
Xerox
Xerox Document Centre 400 series User manual
Xerox
Xerox Phaser 6100 User manual
Xerox
Xerox Phaser 7400 User manual
Xerox
Xerox WorkCentre 385 User manual
Xerox
Xerox Phaser 6500 Operating manual
Xerox
Xerox Document Centre 255 LP User manual
