Xerox Device Agent


Xerox Device Agent Security and Evaluation Guide
November 2014
Version 5.1

© 2014 Xerox Corporation. All rights reserved.
Xerox and Xerox and Design, WorkCentre, and Phaser are trademarks of Xerox Corporation in the United States and/or other countries.
Microsoft, Windows, Windows Vista, SQL Server, Microsoft .NET, Windows Server, Internet Explorer, Access, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Linux is a registered trademark of Linus Torvalds.
Macintosh is a registered trademark of Apple Inc.
Hewlett-Packard, JetDirect, and HP LaserJet are trademarks of Hewlett-Packard Development Company, L.P.
UNIX is a registered trademark of The Open Group.
VMware is a registered trademark of VMware, Inc. in the United States and/or other jurisdictions.
Changes are periodically made to this document. Changes, technical inaccuracies, and typographic errors will be corrected in subsequent editions.

Table of Contents

1 Overview and How to Use this Guide
    Goals and Objectives
    Intended Audience
    Using This Guide
    Limits to this Guide

2 Introduction to Xerox Device Agent
    Product Overview
    Deployment Requirements
    Xerox Device Agent System Component Architecture
    Recommended Hardware and Operating System Requirements
    Unsupported Configurations
    Database Requirements
    Browser Requirements
    Printer Requirements
    Network Printer Discovery/Monitoring Requirements
    Direct Printer Requirements

3 Security
    Application
    Install
    Licensing
    Post Install Normal Operation
    Network Printer
    SNMP v1-v2 Security
    SNMP v3 Security
    Xerox Back Office Integration
    Device Information Communicated to Xerox
    Xerox Device Agent Site Information Sent to Xerox
    Xerox Services Manager Initiated Remote Commands to Xerox Device Agent
    Xerox Device Agent Remote Configuration
    Corporation Security Mode

4 Network Impact
    Discovery
    Device Discovery Method
    Discover SNMP v3 Devices
    Queue-based Discovery
    Xerox Print Agent Integration
    Managing Discovery
    Discovery Network Data Calculations
    Manufacturer Applicability
    Xerox Services Manager Integration
    Registration
    Device List Import
    Site Settings Export
    Site Settings Import
    Site Status Export
    Device Information Export
    Remote Command Check
    Auto Update
    Version Check
    Update Download

Tables and Figures

    Figure 1 Typical Xerox Device Agent Deployment
    Table 1 Printer Data Communicated to Xerox
    Table 2 Xerox Device Agent Site Information Sent to Xerox
    Table 3 Remote Configuration
    Table 4 Xerox Device Agent Ports
    Table 5 Data Sizes
    Table 6 Data Gathering Frequencies

1 Overview and How to Use this Guide

Goals and Objectives

Network and data security is one of the many challenges that businesses face on a daily basis. Recognizing this, Xerox continues to engineer and design all of its products to ensure the highest level of security possible.

This document provides additional background on the Xerox Device Agent software capabilities, and specifically focuses on the software's security aspects. This document covers all Xerox Device Agent configurations, and some items may not apply to the version you have. This document will help you better understand how the application functions and will help you feel confident that it transmits device data in a secure and accurate manner. This guide will help you certify, evaluate, and approve the deployment of Xerox Device Agent in support of your contract. It includes information on the application's potential impact on security and network infrastructure as well as calculations of theoretical network traffic.

We recommend that you read this document in its entirety and take appropriate actions consistent with your information technology security policies and practices. You have many issues to consider in developing and deploying a security policy within your organization. Since these requirements will vary from customer to customer, you have the final responsibility for all implementations, re-installations, and testing of security configurations, patches, and modifications.

Intended Audience

It is expected that this guide will be used by your network administrator before installing Xerox Device Agent. In order to get the most from this guide, you should have an understanding of:
- the network environment where you will install Xerox Device Agent,
- any restrictions placed on applications that are deployed on that network, and
- the Microsoft Windows operating system

Using This Guide

There are two main scenarios for using this guide: if you are a customer who does not have acceptance and evaluation procedures for this type of software or if you are a customer who has defined guidelines. In both cases, the three identified areas of concern are security, impact to the network infrastructure, and what other resources might be required to install, use, and support Xerox Device Agent.

Use this guide to gather information about these areas and determine if you need to investigate Xerox Device Agent further. This document is divided into these areas:
- This overview
- An introduction to Xerox Device Agent
- Potential security-related impacts to a typical customer environment including:
  – Security information, implications, and recommendations
  – Roles and permission requirements of Xerox Device Agent users
- Information about features that impact the network, which may include estimates of generated traffic, changes to the network infrastructure, or other required resources.

Limits to this Guide

This guide is meant to help you evaluate this application, but it cannot be a complete information source for all potential customers. This guide proposes a hypothetical customer printer environment; if your network environment differs from the hypothetical environment, your network administration team and Xerox Support Representative must understand the differences and decide on any certification modifications and/or future steps. Additionally:
- This guide only describes those features within the application that have some discernible impact to the overall customer network environment, whether it be the overall network, security, or other customer resources.
- The guide's information is related to the application's current release. Although much of this information will remain constant through the software's life cycle, some of the data is revision-specific, and will be revised periodically. IT organizations should check with the Xerox Support Representative to obtain the appropriate version.

2 Introduction to Xerox Device Agent

Product Overview

Xerox Device Agent discovers and monitors printing devices, specifically office printers and multi-function devices. The application features a built-in alert detection system and has the capability to send an e-mail message to an appropriate user when certain conditions exist in the monitored devices. It also provides clear and concise status of all networked printers.

You can do the following from Xerox Device Agent:
- Discover printers
- Monitor printers for status and alert conditions
- Notify users via e-mail when faults occur

The application supports industry-standard SNMP MIBs for network printers; however, the amount and type of management that it can provide is dependent on the printer's level of conformance to those standards. The following features conform to these standards:
- Printer identity (i.e. model, serial number, manufacturer, etc.)
- Printer properties (i.e. input trays, output bins, serial number, etc.)
- Printer status including overall state, detailed status, UI messages, etc.
- Consumables and levels (toner, fuser, print cartridge and device unique parts)
- Supported print protocols (LPD, HTTP, Port 9100)
- TCP/IP protocol suite (SNMP, TCP, UDP, IP, NIC details)

Note: A single instance of Xerox Device Agent supports a maximum of 2000 network print devices. Consumers with more than 2000 network print devices will install the application on a different server or PC to support the remaining networked print devices.

Deployment Requirements

To deploy the application, install it on a desktop computer or server that has internet access and shares the network with those printers that you want to monitor.

Note: The scheduled events for meter reads and alert activity may be affected by the software's connectivity.

Xerox Device Agent System Component Architecture

This diagram shows a typical configuration that a customer may deploy within their network. In this example, Xerox Device Agent runs on a networked computer that can access the printers through the local network.

Figure 1 Typical Xerox Device Agent Deployment

Recommended Hardware and Operating System Requirements

Operating System (32-bit and 64-bit)
- Windows Server 2003 with Service Pack 2
- Windows Server 2008 with Service Pack 1 and 2008 R2 with Service Pack 1
- Windows Server 2012, 2012 R2
- Windows 8, Windows 8 Pro, Windows 8 Enterprise, Windows 8.1
- Windows 7 Professional, Enterprise, Ultimate, Home Basic and Home Premium
- Windows Vista Service Pack 2 Ultimate, Business, and Enterprise

Memory
- Minimum 512 MB RAM (1 GB RAM Recommended) for Windows Server 2003
- Minimum 2 GB RAM (3 GB RAM Recommended) for Windows Vista, Windows 7, Windows 8, and Windows Server 2008 and 2008 R2, 2012, 2012 R2

Processor: 1.7 GHz processor or better

Microsoft .NET framework 3.5 with Service Pack 1 installed

Hard Disk: minimum free space is approximately 100 MB for the application and up to 500 MB for the Microsoft .NET framework, if not previously installed.

Minimum Resolution: 1024x768

Permissions: You must install the software on the client machine using the administrative account or an account with administrative privileges.

Internet connection: Required

Notes:
- We recommend that you update your host computers with the latest critical patches and service releases from Microsoft Corporation.
- The Network Transmission Control Protocol/Internet Protocol (TCP/IP) must be loaded and operational.
- Requires SNMP-enabled devices and the ability to route SNMP over the network. It is not required to enable SNMP on the computer where Xerox Device Agent will be installed or any other network computers.
- You must install Microsoft .NET 3.5 with Service Pack 1 before you install the application.
- The application should not be installed on a PC where other SNMP-based applications or other Xerox printer management tools are installed, since they may interfere with each other's operation.

Unsupported Configurations

- Installation of the application on a computer with another Xerox device management application, such as Xerox Services Manager.
- Any Windows system running an existing version of SQL Server, as it will interfere with the SQL Server Compact Edition required by Xerox Device Agent.
- Any version of Macintosh operating system, Unix operating systems, Windows NT 4.0, Windows Media Center, Windows XP, and Windows 2000.
- This application has only been tested on VMware Lab Manager/Workstation/vSphere Hypervisor environments. This application may work on other virtual environments; however, these environments have not been tested.

Database Requirements

Xerox Device Agent installs Microsoft SQL Server Compact 3.5 SP2 database engine and database files that store printer data and application settings within the installation directory. No additional licensing is required by the customer for the installation of this software product.

Browser Requirements

Although Xerox Device Agent is a Windows application that does not require a Web browser, when accessing back office systems that may be web-based (e.g., Xerox Services Manager) a Web browser may be required.

Printer Requirements

Network Printer Discovery/Monitoring Requirements

For successful management by the application, all SNMP-based printer devices should support the mandatory MIB elements and groups as defined by the following standards:
- RFC 1157 (SNMP Version 1)
- RFC 1213 (MIB-II for TCP/IP-based Internet)
- RFC 2790 (Host Resources MIB v1/v2)
- RFC 1759 (Printer MIB v 1)
- RFC 3805 (Printer MIB v 2)
- RFC 3806 (Printer Finishing MIB)
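As an added example (not part of the Xerox guide or product), the following Python sketch performs a coarse pre-deployment check of a saved numeric SNMP walk against subtree roots of the MIBs listed above. The function names, the selection of subtrees, and the sample walk are assumptions made for illustration; finding a subtree shows the device answers for that MIB, not that it implements every mandatory group.

```python
# Subtree roots (standard OID assignments) for MIBs named in the RFC list.
REQUIRED_SUBTREES = {
    "RFC 1213 MIB-II system group": "1.3.6.1.2.1.1",
    "RFC 2790 Host Resources hrDevice": "1.3.6.1.2.1.25.3",
    "RFC 1759/3805 Printer MIB prtGeneral": "1.3.6.1.2.1.43.5",
    "RFC 1759/3805 Printer MIB prtMarkerSupplies": "1.3.6.1.2.1.43.11",
    "RFC 1759/3805 Printer MIB prtAlert": "1.3.6.1.2.1.43.18",
    "RFC 3806 Finishing MIB finDevice": "1.3.6.1.2.1.43.30",
}

def parse_walk(text):
    """Return the set of OIDs (as int tuples) found in numeric walk output."""
    oids = set()
    for line in text.splitlines():
        left = line.split("=", 1)[0].strip().lstrip(".")
        parts = left.split(".")
        if left and all(p.isdigit() for p in parts):
            oids.add(tuple(int(p) for p in parts))
    return oids

def under(oid, root):
    """True if oid is inside root's subtree, compared per component."""
    return len(oid) > len(root) and oid[:len(root)] == root

def missing_subtrees(walk_text, required=REQUIRED_SUBTREES):
    """Names of required subtrees for which the walk returned no object."""
    oids = parse_walk(walk_text)
    missing = []
    for name, root in required.items():
        root_t = tuple(int(p) for p in root.split("."))
        if not any(under(o, root_t) for o in oids):
            missing.append(name)
    return missing

# Constructed sample walk: no finisher objects, and one OID under .430 that
# a naive string-prefix test would wrongly accept as Printer MIB (.43).
SAMPLE_WALK = """\
.1.3.6.1.2.1.1.1.0 = STRING: "Example Printer (constructed)"
.1.3.6.1.2.1.1.5.0 = STRING: "prn-lab-01"
.1.3.6.1.2.1.25.3.2.1.5.1 = INTEGER: 2
.1.3.6.1.2.1.43.5.1.1.17.1 = STRING: "SN0000000 (constructed)"
.1.3.6.1.2.1.43.11.1.1.9.1.1 = INTEGER: 4200
.1.3.6.1.2.1.430.18.1.1.2.1.1 = INTEGER: 3
Timeout: No Response from 192.0.2.10
"""

if __name__ == "__main__":
    for name in missing_subtrees(SAMPLE_WALK):
        print("missing:", name)
```

A missing finDevice subtree is expected on a device with no finisher attached, so treat that entry as informational rather than as a failed requirement.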

Direct Printer Requirements

- Queue-based discovery depends on user permissions on domain and/or across computers, NetBIOS File and Printer Sharing, Network Discovery, and WMI.
- Note: This section only applies to Xerox Print Services and Xerox Partner Print Services. Gathering direct printer data via integration with Xerox Print Agent depends on deployment of Xerox Print Agent on each computer with a direct printer. For additional details regarding the integration with Xerox Print Agent, please refer to the Xerox Print Agent Security and Evaluation Guide.

3 Security

Since security is an important consideration when evaluating tools of this class, this section provides information about the security methods used by Xerox Device Agent.

Application

Xerox Device Agent is compatible with the security features built into the Windows operating systems. It relies on a background Windows service running under the local system account credentials to enable proactive monitoring of printers, gathering of data, and submission to Xerox Services Manager. The user interface that displays the gathered data is accessible only to the power users and administrators who have login access to the Windows operating system.

Install

The installer requires administrator privileges. A single Windows service, "Xerox Device Agent Service", is installed and configured to run under the local system Windows account. No special system level configuration change is required or made by the installer. Xerox Device Agent is compatible with the security features built into the Windows operating system including:
- User authentication and authorization
- Group policy deployment and management
- Internet Connection Firewall (ICF) including:
  – Security logging settings
  – ICMP settings

Note: Make sure that the PC or server that is running Xerox Device Agent is continuously powered on during core business hours to prevent interruption of automatic communications between Xerox Device Agent and Xerox.

Licensing

The customer must accept the End User License Agreement (EULA) that is presented upon Xerox Device Agent installation. No additional licensing is required by the customer for installation of the Microsoft SQL Server Compact 3.5 SP2 database.

Note: This section only applies to Xerox Print Services and Xerox Partner Print Services.

To successfully operate Xerox Device Agent, you must have a Xerox services contract and an account on Xerox Services Manager. During the software configuration process, you will need to pair Xerox Device Agent with a Xerox Services Manager account in order to activate Xerox Device Agent. For this reason, you are required to use a Xerox Services Manager registration key supplied by Xerox or your service provider. Depending on your account, you may also be required to use a secondary registration key.

Post Install Normal Operation

The Xerox Device Agent Windows service runs as a background process even when no user is logged in. This enables the application to monitor the devices on the network and generate alerts proactively. If you are a power user or an administrator authenticated by Windows and you log in to the system, then you have access to the Xerox Device Agent's user interface. You can monitor the printers, view printer data, and change settings. The Xerox Device Agent user interface verifies that you are a power user or you have administrative privilege as you attempt to run the application. If you are not an administrator, Xerox Device Agent will display a message that states you need administrative privileges in order to run the application.

Network Printer

The Simple Network Management Protocol (SNMP) is the most w
