Canon i-SENSYS MF8540Cdn User Guide
0ALJ-0A4 Enabling SSL Encrypted Communication for the Remote UI

You can encrypt communication between the machine and a Web browser on the computer by using Secure Sockets Layer (SSL). SSL is a mechanism for encrypting data sent or received over the network. SSL must be enabled when the Remote UI is used for specifying settings for IPSec (Pre-Shared Key Method), IEEE 802.1X authentication (TTLS/PEAP), or SNMPv3. To use SSL for the Remote UI, you need to set a key pair and enable the SSL function. Generate or install the key pair for SSL before enabling SSL (see Configuring Settings for Key Pairs and Digital Certificates).

1. Start the Remote UI and log on in System Manager Mode. See Starting Remote UI.
2. Click [Settings/Registration].
3. Click [Network Settings] > [TCP/IP Settings].
4. Click [Key and Certificate...] in [SSL Settings].
5. Click [Register Default Key] on the right of the key pair you want to use.
   NOTE: Viewing details of a certificate
   You can check the details of the certificate or verify the certificate by clicking the corresponding text link under [Key Name], or the certificate icon. See Verifying Key Pairs and Digital Certificates.
6. Enable SSL for the Remote UI.
   1. Click [Security Settings] > [Remote UI Settings].
   2. Click [Edit...].
   3. Select the [Use SSL] check box and click [OK].
7. Restart the machine.
   Turn OFF the machine, wait for at least 10 seconds, and turn it back ON.

NOTE

Using the operation panel
You can enable or disable the SSL encrypted communication from . See Use SSL.
Starting the Remote UI with SSL
If you try to start the Remote UI when SSL is enabled, a security alert may be displayed regarding the security certificate. In this case, check that the correct URL is entered in the address field, and then proceed to display the Remote UI screen. See Starting Remote UI.

Enabling SSL for e-mailing (MF8580Cdw / MF8550Cdn / MF8540Cdn only)
If the SMTP server and the POP3 server support SSL, you can enable SSL for communication with these servers (see Configuring Advanced E-mail Settings). For more information about the SMTP server and the POP3 server, contact your Internet service provider or Network Administrator.

LINKS
Generating Key Pairs
Using CA-issued Key Pairs and Digital Certificates
Configuring IPSec Settings
Configuring IEEE 802.1X Authentication
Monitoring and Controlling the Machine with SNMP
0ALJ-0A5 Configuring IPSec Settings

Internet Protocol Security (IPSec or IPsec) is a protocol suite for encrypting data transported over a network, including Internet networks. While SSL only encrypts data used on a specific application, such as a Web browser or an e-mail application, IPSec encrypts either whole IP packets or the payloads of IP packets, offering a more versatile security system. The IPSec of the machine works in transport mode, in which the payloads of IP packets are encrypted. With this feature, the machine can connect directly to a computer that is in the same virtual private network (VPN). Check the system requirements and set the necessary configuration on the computer before you configure the machine.

NOTE

IPSec functional restrictions
IPSec supports communication to a unicast address (or a single device).
The machine cannot use both IPSec and DHCPv6 at the same time.
IPSec is unavailable in networks in which NAT or IP masquerade is implemented.

Using IPSec with IP address filter
IP address filter settings are applied before the IPSec policies. See Specifying IP Addresses for Firewall Rules.

System Requirements

IPSec that is supported by the machine conforms to RFC2401, RFC2402, RFC2406, and RFC4305.

Operating system: Windows XP/Vista/7/8/Server 2003/Server 2008/Server 2012
Connection mode: Transport mode
Key exchange protocol: IKEv1 (main mode)
   Authentication method: Pre-shared key; Digital signature
   Hash algorithm (and key length): HMAC-SHA1-96; HMAC-SHA2 (256 bits or 384 bits)
   Encryption algorithm (and key length): 3DES-CBC; AES-CBC (128 bits, 192 bits, or 256 bits)
   Key exchange algorithm/group (and key length): Diffie-Hellman (DH) Group 1 (768 bits); Group 2 (1024 bits); Group 14 (2048 bits)
ESP
   Hash algorithm: HMAC-SHA1-96
   Encryption algorithm (and key length): 3DES-CBC; AES-CBC (128 bits, 192 bits, or 256 bits)
   Hash algorithm/encryption algorithm (and key length): AES-GCM (128 bits, 192 bits, or 256 bits)
AH
   Hash algorithm: HMAC-SHA1-96
Before using IPSec for encrypted communication, you need to register security policies (SP). A security policy consists of the groups of settings described below. Up to 10 policies can be registered. After registering policies, specify the order in which they are applied.

Selector
Selector defines conditions for IP packets to apply IPSec communication. Selectable conditions include IP addresses and port numbers of the machine and the devices to communicate with.

IKE
IKE configures the IKEv1 that is used for key exchange protocol. Note that instructions vary depending on the authentication method selected.
   [Pre-Shared Key Method]
   A key of up to 24 alphanumeric characters can be shared with the other devices. Enable SSL for the Remote UI before specifying this authentication method (see Enabling SSL Encrypted Communication for the Remote UI).
   [Digital Signature Method]
   The machine and the other devices authenticate each other by mutually verifying their digital signatures. Generate or install the key pair beforehand (see Configuring Settings for Key Pairs and Digital Certificates).

AH/ESP
Specify the settings for AH/ESP, which is added to packets during IPSec communication. AH and ESP can be used at the same time. You can also select whether or not to enable PFS for tighter security.

Configuring IPSec Settings

1. Start the Remote UI and log on in System Manager Mode. See Starting Remote UI.
2. Click [Settings/Registration].
3. Click [Security Settings] > [IPSec Settings].
4. Click [Edit...].
5. Select the [Use IPSec] check box and click [OK].
   If you want the machine to only receive packets that match one of the security policies that you define in the steps below, clear the [Receive Non-Policy Packets] check box.
6. Click [Register New Policy...].
7. Specify the Policy Settings.
   1. In the [Policy Name] text box, enter up to 24 alphanumeric characters for a name that is used for identifying the policy.
   2. Select the [Enable Policy] check box.
8. Specify the Selector Settings.
   [Local Address]
   Click the radio button for the type of IP address of the machine to apply the policy.
      [All IP Addresses]: Select to use IPSec for all IP packets.
      [IPv4 Address]: Select to use IPSec for all IP packets that are sent to or from the IPv4 address of the machine.
      [IPv6 Address]: Select to use IPSec for all IP packets that are sent to or from an IPv6 address of the machine.

   [Remote Address]
   Click the radio button for the type of IP address of the other devices to apply the policy.
      [All IP Addresses]: Select to use IPSec for all IP packets.
      [All IPv4 Addresses]: Select to use IPSec for all IP packets that are sent to or from IPv4 addresses of the other devices.
      [All IPv6 Addresses]: Select to use IPSec for all IP packets that are sent to or from IPv6 addresses of the other devices.
      [IPv4 Manual Settings]: Select to specify a single IPv4 address or a range of IPv4 addresses to apply IPSec. Enter the IPv4 address (or the range) in the [Addresses to Set Manually] text box.
      [IPv6 Manual Settings]: Select to specify a single IPv6 address or a range of IPv6 addresses to apply IPSec. Enter the IPv6 address (or the range) in the [Addresses to Set Manually] text box.

   [Addresses to Set Manually]
   If [IPv4 Manual Settings] or [IPv6 Manual Settings] is selected for [Remote Address], enter the IP address to apply the policy. You can also enter a range of addresses by inserting a hyphen between the addresses.

   NOTE: Entering IP addresses
      Entering a single address
         IPv4: Delimit numbers with periods. Example: 192.168.0.10
         IPv6: Delimit alphanumeric characters with colons. Example: fe80::10
      Specifying a range of addresses
         Insert a hyphen between the addresses. Example: 192.168.0.10-192.168.0.20
      Specifying a range of addresses with a prefix (IPv6 only)
         Enter the address, followed by a slash and a number indicating the prefix length. Example: fe80::1234/64

   [Subnet Settings]
   When manually specifying IPv4 address, you can express the range by using the subnet mask. Enter the subnet mask using periods to delimit numbers (example: "255.255.255.240").

   [Local Port]/[Remote Port]
   If you want to create separate policies for each protocol, such as HTTP or SMTP, enter the appropriate port number for the protocol to determine whether to use IPSec.

   IMPORTANT: IPSec is not applied to the following packets
      Loopback, multicast, and broadcast packets
      IKE packets (using UDP on port 500)
      ICMPv6 neighbor solicitation and neighbor advertisement packets

9. Specify the IKE Settings.

   [IKE Mode]
   The mode used for the key exchange protocol is displayed. The machine supports the main mode, not the aggressive mode.

   [Authentication Method]
   Select [Pre-Shared Key Method] or [Digital Signature Method] for the method used when authenticating the machine. You need to enable SSL for the Remote UI before selecting [Pre-Shared Key Method] (see Enabling SSL Encrypted Communication for the Remote UI). You need to generate or install a key pair before selecting [Digital Signature Method] (see Configuring Settings for Key Pairs and Digital Certificates).

   [Valid for]
   Specify how long a session lasts for IKE SA (ISAKMP SA). Enter the time in minutes.

   [Authentication]/[Encryption]/[DH Group]
   Select an algorithm from the drop-down list. Each algorithm is used in the key exchange.
      [Authentication]: Select the hash algorithm.
      [Encryption]: Select the encryption algorithm.
      [DH Group]: Select the Diffie-Hellman group, which determines the key strength.

   Using a pre-shared key for authentication
   1. Click the [Pre-Shared Key Method] radio button for [Authentication Method] and then click [Shared Key Settings...].
   2. Enter up to 24 alphanumeric characters for the pre-shared key and click [OK].
   3. Specify the [Valid for] and [Authentication]/[Encryption]/[DH Group] settings.

   Using a key pair and preinstalled CA certificates for authentication
   1. Click the [Digital Signature Method] radio button for [Authentication Method] and then click [Key and Certificate...].
   2. Click [Register Default Key] on the right of a key pair you want to use.
      NOTE: Viewing details of a key pair or certificate
      You can check the details of the certificate or verify the certificate by clicking the corresponding text link under [Key Name], or the certificate icon. See Verifying Key Pairs and Digital Certificates.
   3. Specify the [Valid for] and [Authentication]/[Encryption]/[DH Group] settings.

10. Specify the IPSec Network Settings.

   [Use PFS]
   Select the check box to enable Perfect Forward Secrecy (PFS) for IPSec session keys. Enabling PFS enhances the security while increasing the load on the communication. Make sure that PFS is also enabled for the other devices.

   [Specify by Time]/[Specify by Size]
   Set the conditions for terminating a session for IPSec SA. IPSec SA is used as a communication tunnel. Select either or both of the check boxes as necessary. If both check boxes are selected, the IPSec SA session is terminated when either of the conditions has been satisfied.
      [Specify by Time]: Enter a time in minutes to specify how long a session lasts.
      [Specify by Size]: Enter a size in megabytes to specify how much data can be transported in a session.
   [Select Algorithm]
   Select the [ESP], [ESP (AES-GCM)], or [AH (SHA1)] check box(es) depending on the IPSec header and the algorithm used. AES-GCM is an algorithm for both authentication and encryption. If [ESP] is selected, also select algorithms for authentication and encryption from the [ESP Authentication] and [ESP Encryption] drop-down lists.
      [ESP Authentication]: To enable the ESP authentication, select [SHA1] for the hash algorithm. Select [Do Not Use] if you want to disable the ESP authentication.
      [ESP Encryption]: Select the encryption algorithm for ESP. You can select [NULL] if you do not want to specify the algorithm, or select [Do Not Use] if you want to disable the ESP encryption.

   [Connection Mode]
   The connection mode of IPSec is displayed. The machine supports transport mode, in which the payloads of IP packets are encrypted. Tunnel mode, in which whole IP packets (headers and payloads) are encapsulated, is not available.

11. Click [OK].
   If you need to register an additional security policy, return to step 6.
12. Arrange the order of policies listed under [Registered IPSec Policies].
   Policies are applied from the one at the highest position to the lowest. Click [Up] or [Down] to move a policy up or down the order.

   NOTE: Editing a policy
   Click the corresponding text link under [Policy Name] for the edit screen.

   Deleting a policy
   Click [Delete] on the right of the policy name you want to delete > click [OK].
13. Restart the machine.
   Turn OFF the machine, wait for at least 10 seconds, and turn it back ON.

NOTE
You can enable or disable the IPSec communication from . See Use IPSec.

LINKS
Configuring Settings for Key Pairs and Digital Certificates
IPSec Policy List
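
The selector rules from step 8 and the policy ordering from step 12 can be checked on paper before a policy list is entered into the Remote UI. The following is an added example, not Canon's code: it parses the [Addresses to Set Manually] formats listed above and reports which policy a received packet would fall under. It assumes the first matching policy in list order is the one applied; the packet fields, policy names and addresses are constructed for illustration.

```python
import ipaddress

def parse_remote(spec, subnet_mask=None):
    """Turn an [Addresses to Set Manually] entry into an inclusive (low, high) pair."""
    spec = spec.replace(" ", "")
    if "/" in spec:                                  # IPv6 prefix, e.g. fe80::1234/64
        net = ipaddress.ip_network(spec, strict=False)
        return net.network_address, net.broadcast_address
    if "-" in spec:                                  # range, e.g. 192.168.0.10-192.168.0.20
        low, high = (ipaddress.ip_address(p) for p in spec.split("-", 1))
        if low.version != high.version or low > high:
            raise ValueError(f"bad range: {spec}")
        return low, high
    addr = ipaddress.ip_address(spec)
    if subnet_mask and addr.version == 4:            # [Subnet Settings], IPv4 only
        net = ipaddress.ip_network(f"{addr}/{subnet_mask}", strict=False)
        return net.network_address, net.broadcast_address
    return addr, addr

def is_exempt(pkt):
    """Packets the manual lists as never subject to IPSec."""
    addrs = [ipaddress.ip_address(a) for a in (pkt["remote"], pkt.get("local")) if a]
    if any(a.is_loopback or a.is_multicast or str(a) == "255.255.255.255" for a in addrs):
        return True                                  # directed broadcast is not modelled
    if pkt.get("proto") == "udp" and 500 in (pkt.get("local_port"), pkt.get("remote_port")):
        return True                                  # IKE
    return pkt.get("proto") == "icmpv6" and pkt.get("icmp_type") in (135, 136)

def decide(pkt, policies, receive_non_policy=True):
    """Return 'exempt', the name of the matching policy, 'plaintext' or 'drop'."""
    if is_exempt(pkt):
        return "exempt"
    remote = ipaddress.ip_address(pkt["remote"])
    for pol in policies:                             # highest position first (assumed first match wins)
        low, high = parse_remote(pol["remote"], pol.get("mask"))
        if low.version != remote.version or not (low <= remote <= high):
            continue
        if pol.get("local_port") not in (None, pkt.get("local_port")):
            continue
        return pol["name"]
    return "plaintext" if receive_non_policy else "drop"

# Constructed policies, listed in [Registered IPSec Policies] order.
POLICIES = [
    {"name": "admin-http", "remote": "192.168.0.10-192.168.0.20", "local_port": 80},
    {"name": "office-net", "remote": "192.168.0.10", "mask": "255.255.255.240"},
    {"name": "v6-link", "remote": "fe80::1234/64"},
]
```

Calling decide() with receive_non_policy=False models a cleared [Receive Non-Policy Packets] check box, so a host that matches no selector shows up as 'drop' rather than 'plaintext'.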