Xerox Integrated Printer Readiness

READINESS OVERVIEW

This document covers the printer pre-requisites to deploy Sentry Print Services to a Xerox integrated printer. The list of supported Xerox integrated printer models can be found on the Pharos web site: https://www.pharos.com/partners/xerox/#supported-devices

Remove Extended Applications

While this procedure is considered optional for most situations, it is highly recommended for printers that have been previous managed under alternate MPS solutions.  The procedure will remove any 3rd party software and custom configuration settings, returning the printer to a known good, clean state.

1. Select Properties > Custom Apps > Weblet Management.

2. Delete any weblets that have been installed by previous management applications.

Update Device Firmware

While not required, it is good to ensure that the device’s firmware is at the most current version. Updated firmware can enable advanced security features (like TLS 1.2) or normalize previous issues in software that will ensure correct operations going forward.

Xerox firmware and service packs are available publicly. Go to the Xerox Support website and choose your model family, then download the latest software. Once downloaded (this example uses the Xerox AltaLink C8070):

1. Go to Properties > Fleet Orchestrator.

2. Click the “Create / Install File” button and choose install a file.

3. Choose the “Software Upgrade File” option and click the “Choose File” button.

4. Navigate to the downloaded firmware or service pack file and select it.

5. Click the “Install” button.

Configure TCP/IP

Setting the IP Address

The device can be set up for either manual or automatic (DHCP) IP addressing.

1. Select Properties > Connectivity > Setup.

2. Click the “Edit…” button for the “Wired Connection” Profile.

3. Click the “Edit…” button for the “IP (Internet Protocol)” Configuration Setting.

4. Click the “Show IPv4 Settings” button.

5. Choose either DHCP or STATIC under “IP Address Resolution.”

6. If DHCP is Inactive, configure the “Machine IP Address”, “Subnet Mask”, and “Gateway Address” values. NOTE: When configured for DHCP, the value in parentheses next to those fields is the DHCP-supplied value.

7. Click the “Apply” button to save the changes.

NOTE: If you use DHCP, either reserve the IP address configuration for the device or enable Device Scout for more aggressive discovery intervals to ensure that the correct IP address is available for the device in Beacon.

Setting Up DNS

Once it is secured, the Xerox device talks to the Beacon components by fully-qualified DNS name. This means that the device must be configured properly for DNS.

1. Select Properties > Connectivity > Setup.

2. Click the “Edit…” button for the “Wired Connection” Profile.

3. Click the “Edit…” button for the “IP (Internet Protocol)” Configuration Setting.

4. Click the “Show DNS Settings” button. If the machine is set for DHCP, much of this will already be set by the DHCP scope settings. Verify that those values are correct. They can be changed here if needed.

5. Enter a valid host name in “Requested Host Name” and a valid domain name in “Requested Domain Name.” Check the box to “Complete domain name(s) with a dot character” option to improve DNS resolution.

6. Validate the DNS Server(s) specified by DHCP, or specify the IP address(es) of the DNS server(s) for the network in the “DNS Server Addresses” section.

7. Click the “Apply” button to save the changes. The device, based on any changes, may need to restart.

Configure Date and Time

Correct dates and times are necessary when securing the device against Beacon, particularly if using “Active Directory” or “OpenID” authentication types. This ensures that the user can successfully authenticate and either print secured jobs or perform other device functions.

1. Select Properties > General Setup > Date and Time.

2. Date and Time can be configured to use a Network Time Protocol (NTP) server. If the device can reach an Internet resource, time.nist.gov is an excellent and always-available NTP server. Otherwise, an internal NTP resource can be defined. This option can be defined by choosing “Automatic using NTP” for the “Date and Time Setup” property and specifying an NTP resource (and alternate, if available) by either IP address or Host Name and determining a sync interval.

3. If NTP cannot be used, then choose the “Manual” option and set the time and date.

4. Choose the correct Time Zone from the drop down menu.

5. Click the “Apply” button to set the changes. Depending on the changes made, the device may reboot.

Configure the Web Proxy

In some networks, access to web services (even local instances) may require a web proxy. A web proxy is an intermediate service that intercepts HTTP requests by the client and processes them on their behalf. Proxies are typically used to secure intranets and limit the traffic sent to the Internet. This section is only required if a proxy server is required for internal network communications (due to VLAN configuration, etc.)

1. Go to Properties > Connectivity > Setup.

2. Click the “Edit…” button for “Proxy Server.”

3. Tick the “Enabled” box.

4. Specify the IPv4 or Host Name of the proxy server and its port.

5. Save the changes. This may cause the device to reboot.

Configuring TLS Settings

The device communicates with the Beacon components over HTTPS. HTTPS transmissions are controlled by ciphers. Ciphers are protocols that both encrypt and decrypt the communications between nodes on the network. Over time, some ciphers (and versions) have become vulnerable to hacking and so are no longer used. It is important that your devices are configured for the highest cipher available on the server (and, in converse, that the server be configured to accept the cipher supported by the device).

1. Go to Properties > Security > Encryption > TLS Encryption.

2. Choose the highest TLS version compatible with your network. In general, choosing “TLS 1.2 and above” will allow the device the best encryption possible.

3. Click the “Apply” button to set the changes. This will cause the device to reboot.

Proximity Card Reader Support

Xerox devices support a specific set of proximity card readers based on their USB driver. For many models, this driver is preinstalled, but others may require driver installation. This driver may be downloaded for your specific model(s) from the Xerox Support website and installed using their procedure. All card readers must be configured for “keystroking” or “keyboard emulation” mode to work with Sentry Print.

Preparing the Pharos Software

A file, XeroxSettings.xml, is maintained in (by default) C:\ProgramData\PharosSystems\Sentry Print Service\Xerox. This file has several elements that can be configured. These are:

• SnmpV2GetCommunityName. Default: public. This value is encrypted by the Sentry Print service. If changing this value, enter it as clear text and then set the corresponding SnmpV2GetCommunityNameEncrypted value to “false”. When the Sentry Print Service is restarted (to commit the change), it will encrypt the value.

• SnmpV2SetCommunityName. Default: private. This value is encrypted by the Sentry Print service. If changing this value, enter it as clear text and then set the corresponding SnmpV2SetCommunityNameEncrypted value to “false”. When the Sentry Print Service is restarted (to commit the change), it will encrypt the value.

• UseSnmpV3. Default: false. When set to “true”, the Sentry Print service will use the secure SNMPv3 communications protocol to secure and manage the device.

• SnmpV3AdministratorAccountName. Default: Xadmin. This can be whatever name is defined on the Xerox device.

• SnmpV3AdministratorAccountPassword. Default: blank. This is the password for the SNMPv3 Administrator account. This value is encrypted by the Sentry Print service. If changing this value, enter it as clear text and then set the corresponding SnmpV3AdministratorAccountPasswordEncrypted value to “false”. When the Sentry Print Service is restarted (to commit the change), it will encrypt the value.

• SnmpV3PrivacyPassword. Default: blank. This is the password to the private key stored on the device. This value is encrypted by the Sentry Print service. If changing this value, enter it as clear text and then set the corresponding SnmpV3PrivacyPasswordEncrypted value to “false”. When the Sentry Print Service is restarted (to commit the change), it will encrypt the value.

• SnmpV3AuthType. Default: MD5. This element can be configured for MD5 or SHA.

• SnmpV3PrivacyType. Default: DES. This element can be configured for DES or AES.

• LdapUserName. Default: blank. If using Xerox’s LDAP administrative function instead of the default “admin” account to administer devices, enter a valid domain user in the format domain\user here. This will only be used when securing devices.

• LdapPassword. Default: blank. If using Xerox’s LDAP administrative function, enter the password of the domain user here. This value is encrypted by the Sentry Print service. If changing this value, enter it as clear text and then set the corresponding LdapPassword Encrypted value to “false”. When the Sentry Print Service is restarted (to commit the change), it will encrypt the value.

• LdapGroup. Default: bpadministrators. If using Xerox’s LDAP administrative function, enter the name of the LDAP group name defined on the Xerox devices.

• HttpPort. Default: 80. If the Xerox devices’ HTTP port has been set to something other than 80 (for instance, 81), enter that new port number here.

• HttpsPort. Default: 443. If the Xerox devices’ HTTPS port has been set to something other than 443 (for instance, 4433), enter that new port number here.

Customizing the Lock Screen

It may be desirable to affect the display of the blocking screen on the Xerox MFP: to display a message to the user, integrate an organizational theme or logo, or to provide consistency in interface between older and newer Xerox models. Whatever the reason, the “how to” is straight forward.

Considerations Before You Begin

• The blocking screen contains two text areas, one for the Window Title and another for Instructional Text. These appear in different places depending on the model and display size. Our recommendation is that these are empty when using a custom blocking screen. This will have to be managed in the devices’ administrative web application Centreware Internet Services.

• Devices only support PNG or GIF formats, with a preferred 16 bit color depth, although 32 bits is supported. 8 bit images will also work, but often show dithering in areas of color transition.

• There is no automated way to dispatch an image across models. This can only be done by accessing the device’s Centreware administrative web application.

Implementing the Custom Lock Screen

1. Go to each representative model and log in to its Centreware interface as an administrator.

2. Go to Login/Permissions/Accounting > Login Methods > Customize Blocking Screen > Edit to capture the required image file dimensions (older WorkCentre interface on the left; AltaLink interface on the right) as the “Max Dimensions” value:
   
               
    

3. With resolution in tow, create the different size variations for the custom background screen as required.

4. Using the Centreware interface, click the “Choose File” button under the “Background Image Placement” option, browse to the appropriate file, and import.

5. Click the “Reboot” or “Restart” device button.