Sharp MX-PE10 FIERY (serv.man47) Regulatory Data
3 Network Security
Standard network security features on the Fiery server include
the ability to permit only authorized users and groups to access
and print to the output device, limiting device communications
to designated IP addresses, and controlling the availability of
individual network protocols and ports as desired.
3.1 Network Ports
The Fiery server allows the network administrator the ability
to selectively enable and disable the following IP ports. As a
result, unwanted device communication and system access
via specific transport protocols can be effectively blocked.
| TCP/UDP port | Port Name | Dependent Service(s) |
|---|---|---|
| 20-21 | FTP | |
| 80 | HTTP | WebTools, IPP |
| 135 | MS RPC | Microsoft® RPC Service (Windows 7 Professional only). An additional port in the range 49152-65536 will be opened to provide SMB related point and print service. |
| 137-139 | NETBIOS | Windows Printing |
| 161, 162 | SNMP | WebTools, Fiery Central, some legacy utilities, other SNMP-based tools |
| 427 | SLP | |
| 443 | HTTPS | WebTools, IPP/s |
| 445 | SMB/IP | SMB over TCP/IP |
| 500 | ISAKMP | IPsec |
| 515 | LPD | LPR printing, some legacy utilities (such as WebTools, older versions of CWS) |
| 631 | IPP | IPP |
| 3050 | Firebird | |
| 4500 | IPsec NAT | IPsec |
| 5353 | Multicast DNS | Bonjour |
| 6310, 8010, 8021-8022, 8090, 9906, 18021, 18022, 18081, 18082, 21030, 22000 | EFI ports | Command WorkStation 4 and 5, Fiery Central, EFI SDK-based tools, Fiery Printer Driver bi-di functions, WebTools, and Fiery Direct Mobile Printing, and Native Document Conversion. |
| 3389 | RDP | Remote Desktop (Windows Fiery servers only) |
| 9100-9103 | Printing Port | Port 9100 |
Other TCP ports, except those specified by the engine
manufacturers, are disabled. Any service dependent on a
disabled port cannot be accessed remotely.
The Fiery Administrator also can enable and disable the
different network services provided by the Fiery server.
The local administrator can define SNMP read and write
community names and other security settings.
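Added example (not part of the EFI document): a Python sketch that compares a list of observed open ports with the section 3.1 port table and a site policy of port names that should stay enabled. The `audit` function, the policy set and the sample port list are assumptions made for illustration, and ports are matched by number only.

```python
# Added example: audit observed open ports against the section 3.1 port table.
# Rows are (port spec, port name, dependent services) as listed in that table.
# Ports are matched by number only; the TCP/UDP distinction is ignored here.
PORT_TABLE = [
    ("20-21", "FTP", ""),
    ("80", "HTTP", "WebTools, IPP"),
    ("135", "MS RPC", "Microsoft RPC Service (Windows 7 Professional only)"),
    ("137-139", "NETBIOS", "Windows Printing"),
    ("161, 162", "SNMP", "WebTools, Fiery Central, legacy and SNMP-based tools"),
    ("427", "SLP", ""),
    ("443", "HTTPS", "WebTools, IPP/s"),
    ("445", "SMB/IP", "SMB over TCP/IP"),
    ("500", "ISAKMP", "IPsec"),
    ("515", "LPD", "LPR printing, some legacy utilities"),
    ("631", "IPP", "IPP"),
    ("3050", "Firebird", ""),
    ("3389", "RDP", "Remote Desktop (Windows Fiery servers only)"),
    ("4500", "IPsec NAT", "IPsec"),
    ("5353", "Multicast DNS", "Bonjour"),
    ("6310, 8010, 8021-8022, 8090, 9906, 18021, 18022, 18081, 18082, 21030, 22000",
     "EFI ports", "Command WorkStation, Fiery Central, SDK tools, WebTools"),
    ("9100-9103", "Printing Port", "Port 9100"),
]
# Section 3.1: with MS RPC (135), one extra port in 49152-65536 may be open.
RPC_DYNAMIC = range(49152, 65536 + 1)


def expand(spec):
    """Turn a spec such as '161, 162' or '8021-8022' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


INDEX = {p: name for spec, name, _ in PORT_TABLE for p in expand(spec)}
SERVICES = {name: svc for _, name, svc in PORT_TABLE}


def audit(observed, policy):
    """Compare open ports with the port names the site intends to enable.

    observed: open port numbers seen on the device (hypothetical scan result).
    policy:   set of PORT_TABLE port names that should stay enabled.
    """
    observed = set(observed)
    report = {"undocumented": [], "should_be_disabled": [],
              "rpc_dynamic": [], "unreachable": {}}
    seen = set()
    for port in sorted(observed):
        name = INDEX.get(port)
        if name is None:
            dynamic = port in RPC_DYNAMIC and 135 in observed
            report["rpc_dynamic" if dynamic else "undocumented"].append(port)
        elif name in policy:
            seen.add(name)
        else:
            report["should_be_disabled"].append((port, name))
    # Enabled by policy but no port open: dependent services are unreachable.
    for name in sorted(set(policy) - seen):
        report["unreachable"][name] = SERVICES[name]
    return report


if __name__ == "__main__":
    # Constructed sample: observed ports and an HTTPS/IPP/raw-print policy.
    result = audit([21, 80, 135, 443, 2323, 9100, 49160],
                   {"HTTPS", "IPP", "Printing Port"})
    for key, value in result.items():
        print(f"{key}: {value}")
```

Ports reported under `undocumented` may be ones specified by the engine manufacturer, which the table does not list.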
3.2 IP Filtering
The Administrator can restrict authorized connections with
the Fiery server from those hosts whose IP addresses fall
within a particular IP range. Commands or jobs sent from
non-authorized IP addresses are ignored by the Fiery server.
3.3 Network Encryption
3.3.1 IPsec
IPsec or Internet Protocol security provides security to
all applications over IP protocols through encryption and
authentication of each and every packet.
The Fiery server uses pre-shared key authentication to
establish secure connections with other systems over IPsec.
Once secure communication is established over IPsec
between a client computer and a Fiery server, all
communications — including print jobs — are securely
transmitted over the network.
3.3.2 SSL and TLS
SSL and TLS are application-level protocols used for transmitting
messages over the Internet securely. The Fiery server
secures HTTP, email and LDAP communication with
SSL v2/v3 and TLS.
The Fiery server uses Lightweight Directory Access Protocol
(LDAP) to get user and group information from the Active
Directory. Simple LDAP authentication is in clear text, so it is
unsecured. The Administrator can secure the LDAP traffic by
enabling the SSL/TLS option on the Fiery server.
The Fiery server provides the Administrator options to
enable SSL/TLS to establish secure communication with
an email server.
The Fiery server requires a certificate for LDAP
communication over SSL or TLS. The Fiery server only
supports importing certificates and does not support
certificate generation for SSL.
3.3.3 Certificate Management
Certificates are used by network clients to authenticate
themselves in network activities that perform identity
verification. The certification method is supported by SSL/TLS,
which implements authentication through the exchange
of certificates based on public/private keys according to the
X.509 standard.
In the Fiery server, certificate management allows the
Fiery Administrator to do the following:
• Add, load or browse for available digital certificates
created by a trusted authority and private keys.
• Create self-signed digital certificates.
• View details for available digital certificates.
• Assign or associate an available digital certificate for
a particular service, such as Web Services.
• Add trusted certificates created by a trusted authority.
3.4 IEEE 802.1x
802.1x is an IEEE standard protocol for port-based network
access control. This protocol provides authentication to
devices attached to a LAN port and establishes a point-to-point
connection only if authentication is successful.
When 802.1x is enabled, the Fiery server uses one of the
two EAP methods to seek authentication from an 802.1x
authentication server (such as a RADIUS server), often
through an intermediate access point (an authenticator).
The Fiery server seeks this authentication at start-up time or
when the Ethernet cable is disconnected and reconnected.
Once authenticated, the Fiery server is granted access to
the network.
3.5 SNMP v3
The Fiery server supports SNMPv3 as it is a secured
network protocol for managing devices on IP networks.
SNMPv3 communication packets can be encrypted to
ensure confidentiality. It also ensures message integrity
and authentication.
The Fiery Administrator can select from three levels of security
using SNMPv3. The Fiery Administrator also has the option to
require authentication before allowing SNMP transactions and
to encrypt SNMP user names and passwords.
3.6 Email Security
The Fiery server supports the POP and SMTP protocols.
To protect the service against attack and improper use, the
Fiery Administrator can enable additional security features
such as the following.
3.6.1 POP before SMTP
Some email servers still support unsecured SMTP protocol
that allows anyone to send email without authentication.
To prevent unauthorized access, the Fiery server supports
the ability for the Administrator to enable or disable the POP
authentication before SMTP. POP authentication before
SMTP forces a successful login to a POP server prior to
being able to send email via SMTP.
3.6.2 OP25B
Outbound Port 25 Blocking (OP25B) is an anti-spam ISP
measure by which the ISP checks the IP address and the port
number of all accesses through its routers and blocks access
to port 25 from dynamic IP addresses on its network. The
Fiery server provides the Administrator the ability to specify
different port numbers besides 25 for outgoing email service.
4 Access Control
4.1 User Authentication
The Fiery server user authentication feature allows the
Fiery server to:
• Authenticate user names.
• Authorize actions based on the user’s privileges.
The Fiery server can authenticate users who are:
• Domain-based: users defined on a corporate server
and accessed via LDAP.
• Fiery-based: users defined on the Fiery server.
The Fiery server authorizes actions based on the privileges
defined for a Fiery group, of which the user is a member.
Fiery Groups are groups of users with a predefined set of
privileges. The Fiery Group assigns a set of privileges to a
collection of users.
The Fiery Administrator can modify the membership of
any Fiery Group with the exception of the Administrator,
Operator and Guest users.
For this version of User Authentication, the different privilege
levels that can be edited or selected for a group are as follows:
• Print in B&W — This privilege allows group members to
print jobs on the Fiery server. If the user does not have the
“Print in Color and B&W” privilege, the Fiery server forces the
job to print in black and white (B&W).
• Print in Color and B&W — This privilege allows group members
to print jobs on the Fiery server with full access to the color and
grayscale printing capabilities of the Fiery servers. Without this or
the Print in B&W privilege, the print job fails to print. Without this
or the Print in B&W privilege, users are not able
to submit the job via FTP (color devices only).
• Fiery Mailbox — This privilege allows group members to have
individual mailboxes. The Fiery server creates a mailbox based
on the username with a mailbox privilege. Access to this
mailbox is only with the mailbox username/password.
Note: User Authentication replaces Member Printing/Group
Printing features.
4.2 Fiery Software Authentication
The Fiery server defines Administrator, Operator, and Guest
users with different privileges. These users are specific to
the Fiery software and are not related to Windows-defined
users or roles. It is recommended that administrators
require passwords to access the Fiery server. Additionally,
EFI recommends that the administrator change the default
password to a different password as defined by the end
user’s security requirements.
The three levels of passwords on the Fiery server allow
access to the following functionality:
• Administrator — Gets full control over all the Fiery server’s
functionality.
• Operator — Has the same privileges as the Administrator,
except he/she has no access to some server functions, such as
set-up, and cannot delete the job log.
• Guest (default; no password) — Has the same privileges as
Operator, except he/she cannot access the job log, cannot
make edits or cannot make status changes to print jobs and
preview jobs.
5 Operating System Environment
5.1 Start-up Procedures
The operating system and Fiery system software are loaded
from the local HDD during startup.
The BIOS resident on the Fiery motherboard is read-only
and stores the information needed to boot up the operating
system. Changes to the BIOS (or removal of the BIOS)
prevent the Fiery server from functioning properly.
The Configuration Page lists the values specified during
set-up. Some information, such as FTP proxy information,
password information, and SNMP Community Names, are
not included on the Configuration Page.
5.2 Linux
Linux systems do not include a local interface that allows
access to the operating system.
5.2.1 Linux Anti-Virus Software
The Linux operating system used on integrated Fiery
servers is a dedicated OS for integrated Fiery servers only.
It has all OS components needed by an integrated Fiery
server, but not some OS components on some general
purpose Linux systems, such as Ubuntu. In addition to
having better performance, this dedicated OS is not subject
to the same virus vulnerability as a general purpose Linux
system and Microsoft OS. The anti-virus software designed
for general purpose Linux OS may not be able to run on
integrated Fiery servers.
5.3 Windows 7 Professional
The Windows-based Fiery server ships with a default
Windows 7 Administrator password. It is recommended for
the administrator to change the password upon installation.
It is also highly recommended to change the password
regularly to comply with the organization’s IT policy.
The Administrator password gives a user full access to the
Fiery server locally and/or from a remote workstation.
That includes, but is not limited to, the file system, system
security policy, and registry entries. In addition, this user
can change the administrator password and deny anyone
else access to the Fiery server.
5.3.1 Microsoft Security Patches
Microsoft regularly issues security patches to address
potential security holes in the Windows 7 operating system.
The default setting of Windows Update is to notify users
of patches but not download them. The Fiery Administrator can
change the default setting in Windows Update or manually
install the security patches.
5.3.2 SMS Tools
EFI has its own dedicated system update tool for its Windows-
based systems. This tool handles the retrieval of all applicable
MS security patches and Fiery software updates. The Fiery
server does not support any third-party SMS tools for retrieving
and pushing updates to the Fiery server.
5.3.3 Windows Anti-Virus Software
Administrators can install anti-virus software on Fiery
servers with FACI kits. A local GUI is required for proper
configuration of anti-virus software. Anti-virus software is
most useful in a local GUI configuration, where users have
the potential to infect the Fiery server with a virus through
standard Windows actions.
For Fiery servers without a FACI kit, it is still possible to
launch anti-virus software on a remote PC and scan a
shared Fiery hard drive. However, EFI suggests that the
Fiery administrator work directly with the anti-virus software
manufacturer for operational support.
EFI ensures Fiery servers’ compatibility with Anti-Virus
software by testing the latest releases of Norton’s Symantec
Endpoint Protection Small Business Edition, McAfee Virus
Scan Enterprise, Microsoft Security Essentials, and Trend
Micro Worry-Free Business Security Advanced software on
Fiery servers. While EFI does not provide anti-virus software
on Fiery servers, we recommend that administrators refer to
section 3.1 Network Ports in this document when configuring
an anti-virus solution so that legitimate network-based
services on Fiery servers can operate without interruption.
EFI supports the use of anti-virus solutions as long as they
are used in accordance with this specification. EFI does not
support or give any warranty regarding the efficacy of any
anti-virus software.
5.4 Email Viruses
Typically, viruses transmitted via e-mail require some type
of execution by the receiver. Attached files that are not PDL
files are discarded by the Fiery server. The Fiery server also
ignores e-mail in RTF or HTML or any included JavaScript.
Aside from an e-mail response to a specific user based on
a received command, all files received via e-mail are treated
as PDL jobs. Please see the details on Fiery e-mail printing
workflow in Section 6.4 in this document.