Xerox WorkCentre 5755 Manual
WorkCentre™ 5735/5740/5745/5755/5765/5775/5790 System Administrator Guide

6. In the Authentication Server page, select [LDAP] from the Authentication Type drop-down menu and click on the [Add New] button.
7. To configure LDAP, refer to LDAP on page 115.
   a. When you have configured LDAP settings, click on the [Save] button to return to the Authentication Configuration: LDAP page.
   b. Click on the [Save] button and return to the Xerox Access Setup page.
8. To set Authentication to control access to individual Services, in the table displaying a list of related configuration setting pages, click on the [Edit...] button for Tools and Feature Access (Lock/Unlock).
   a. On the Tools & Feature Access page, in the Presets area, select either [Open Access] to allow all users access to all pathways and features or [Custom Access] and lock or unlock the various pathways and features as required.
9. Click [Save] to confirm the changes and return to the Xerox Access Setup page.
10. Select [Logout] in the upper right corner of your screen if you are still logged in as Administrator, and click on the [Logout] button.

Configure Authorization Access (by groups) for LDAP

Used when Remotely on the Network is selected for Authorization.

LDAP server user groups can be used to control access to certain areas of the Xerox device. For example, the LDAP server may contain a group of users called ‘Admin’. You can configure the ‘Admin’ group on the device so that the members of that group will have administrator access to the device.

When a user logs in at the device with their network authentication account, the device performs an LDAP look-up to determine if the user is a member of any groups. (The LDAP server will find members nested up to five levels down a group. For example, if LDAP searches for a user within the Admin Group, it may not find that user, but may find another group. It will then look for the user in that group as well, and so on.)
If the LDAP server confirms that the user is a member of the ‘Admin’ group, the user will have administrator access to the device.

1. If you have already logged out of Internet Services or closed your browser, at a networked workstation open the web browser, enter the IP Address (or Host Name) of the device in the Address bar, and press Enter.
2. Click the [Properties] tab.
3. If prompted, enter the Administrator User ID and Password. The default is [admin] and [1111].
4. Click on the [Login] button.
5. Click on the [Connectivity] link.
6. Click on the [Protocols] link.
7. Select [LDAP] in the directory tree.
8. Click on [Add New].
9. Click on the [Authorization Access] heading tab under the LDAP title.
   a. Select the [User Roles] tab. Use this tab to define the access groups that are authorized for the following roles:
      • For the System Administrator Access [Access Group] field, enter the name of a group, defined at the LDAP server, that you want to provide with System Administrator access to the device.
      • In the Accounting Administrator Access [Access Group] field, enter the name of a group, defined at the LDAP server, that you want to provide with accounting administrator access to the device.
   b. To verify either group, enter the name of one of the members of the LDAP server group in the [User Name] box, then click on the [Test] button. Under the Test Results column, it will display Access. If the test result displays No Access, this means that the user name is not a member of the Access Group, or the Access Group name was misspelled, or the Access Group does not exist.
      Note: When an access group is entered in one of the Access Group fields, only the members of that group will have access to those features. When two or more groups are entered, they must be separated by commas. When no access group is listed, all members will have access.
10. Select the [Device Access] tab.
   a. For the Services Pathway [Access Group] field, enter the name of a group, defined at the LDAP server, that you want to provide with Service access to the device.
   b. Repeat the process for Job Status Pathway and Machine Status Pathway.
   c. To verify any of these groups, enter the name of one of the members of the LDAP server groups in the [Enter User Name] field, then click on the [Test] button. Under the Test Results column, it will display Access. If the test result displays No Access, this means that the user name is not a member of the Access Group, or the Access Group name was misspelled, or the Access Group does not exist.
      Note: When an access group is entered in one of the Access Group fields, only the members of that group will have access to those features. When two or more groups are entered, they must be separated by commas. When no access group is listed, all members will have access.
11. Select the [Service Access] tab.
    Use this tab to define the groups that are authorized to access various device functions and services.
   a. Enter the names of LDAP groups, as required, in the Access Group field to allow access to individual device services.
      Note: By default everybody has access to all of the services on the device. By entering a group name in any of the services, access is then restricted to those users belonging to that group.
   b. Verify each group by entering a group user in the Enter User Name field, and click on the [Test] button. Under the Test Results column, it will display Access. If the test result displays No Access, this means that the user name is not a member of the Access Group, or the Access Group name was misspelled, or the Access Group does not exist.
      Note: When an access group is entered in one of the Access Group fields, only the members of that group will have access to those features. When two or more groups are entered, they must be separated by commas. When no access group is listed, all members will have access.
   c. When done, click on [Close].

Local Authentication

With Local Authentication enabled, the System Administrator defines passwords via a web browser, for users to use to authenticate to the system and use restricted services.
If using this method, you can only determine the User Role. You cannot control individual user access to items. If authentication is successful, then the user will have access to all locked items (except System Administrator items, unless they are a System Administrator).

Note: If users are created locally on the device using the User Information Database, those users will be authenticated only if the Authentication Configuration method is set to “Locally on the Device”. If the authentication method is switched to “Remotely on the Network”, those users will not be authenticated unless their credentials are also accessible remotely.

Note: To configure this feature or these settings, access the Properties tab as a System Administrator. For details, refer to Access Internet Services as System Administrator on page 24.

1. From the Properties tab, click on the [Security] link.
2. Click on the [Authentication] link and select [Setup] in the directory tree.
3. The Xerox Access Setup page is displayed. In the Authentication, Authorization and Personalization area click on the [Edit...] button.
4. In the Authentication method on the machine's touch interface (Touch UI) area select [User Name/Password Validated Locally on the Xerox Machine] from the drop-down menu and click on the [Save] button to return to the Xerox Access Setup page.
5. In the table displaying a list of related configuration setting pages, click the [Edit...] button on the Local User Information Database row.
6. In the User Information Database area, click on the [Add New User] button.
   a. In the User Identification area, enter details of the new user in the [User Name], [Friendly Name], [Password] and [Retype Password] fields.
   b. In the [User Role] area, select one of the following roles:
      • System Administrator
      • Accounting Administrator
      • User
   c. Click on the [Add New User] button to add the user.
   Note: You can also edit user credentials, as well as delete users, from the User Information Database screen. If using this method, you can only determine the user role, and access to items is granted only if authentication is successful. A user will have access to all locked items if they have System Administrator access.
7. To set Authentication to control access to individual Services, in the table displaying a list of related configuration setting pages, click on the [Edit...] button for Tools and Feature Access (Lock/Unlock).
   a. On the Tools & Feature Access page, in the Presets area, select either [Open Access] to allow all users access to all pathways and features or [Custom Access] and lock or unlock the various pathways and features as required.
8. Click [Save] to confirm the changes and return to the Xerox Access Setup page.
9. Select [Logout] in the upper right corner of your screen if you are still logged in as Administrator, and click on the [Logout] button.
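
The Access Group rules described under Configure Authorization Access (by groups) for LDAP, modelled as an added example (this is not Xerox code and not part of the guide): nested look-up to five levels, comma-separated group lists, and a blank field granting access to all members. The directory contents, the field values and the function names are constructed for illustration, and reading "five levels down" as five nested groups below the named group is an assumption.

```python
from collections import deque

MAX_NESTING = 5  # guide: members are found "nested up to five levels down a group"

# Constructed sample directory: group name -> direct members (users or groups).
DIRECTORY = {
    "Admin": ["alice", "IT-Ops"],
    "IT-Ops": ["bob", "L2"],
    "L2": ["L3"],
    "L3": ["L4"],
    "L4": ["L5"],
    "L5": ["carol", "L6", "Admin"],  # "Admin" here closes a loop the walk must survive
    "L6": ["dave"],                  # six levels below Admin: out of reach
    "Accounting": ["erin"],
}

# Constructed Access Group field values, keyed by field names used in the guide.
SETTINGS = {
    "System Administrator Access": "Admin",
    "Accounting Administrator Access": "Acounting, Admin",  # misspelled on purpose
    "Services Pathway": "",                                 # left blank
}

def is_member(directory, user, group, max_nesting=MAX_NESTING):
    """Breadth-first search from `group` through at most `max_nesting` nested levels."""
    if group not in directory:
        return False  # misspelled or nonexistent group
    seen = {group}
    queue = deque([(group, 0)])
    while queue:
        name, depth = queue.popleft()
        for member in directory[name]:
            if member == user:
                return True
            if member in directory and member not in seen and depth < max_nesting:
                seen.add(member)
                queue.append((member, depth + 1))
    return False

def parse_access_groups(field):
    """Split an Access Group field on commas; a blank field lists no groups."""
    return [g.strip() for g in field.split(",") if g.strip()]

def check_access(directory, user, field):
    """Model of the [Test] button result for one user and one Access Group field."""
    groups = parse_access_groups(field)
    if not groups:
        return "Access"  # no access group listed: all members have access
    allowed = any(is_member(directory, user, g) for g in groups)
    return "Access" if allowed else "No Access"

def audit(directory, settings):
    """Report blank fields and group names the directory does not define."""
    findings = []
    for field_name, value in settings.items():
        groups = parse_access_groups(value)
        if not groups:
            findings.append((field_name, "no group listed: all members have access"))
        findings.extend((field_name, f"unknown group {g!r}")
                        for g in groups if g not in directory)
    return findings

if __name__ == "__main__":
    for user in ("alice", "carol", "dave", "erin"):
        print(user, check_access(DIRECTORY, user, SETTINGS["System Administrator Access"]))
    for finding in audit(DIRECTORY, SETTINGS):
        print(finding)
```

Running an audit of this kind against an export of the device's Access Group fields shows which roles and pathways are still open to every authenticated user before the configuration is saved.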

Xerox Secure Access

System Administrators can configure the device so that users must be authenticated and authorized before they can access specific services or areas. Xerox Secure Access provides a means of authenticating users via an authentication server and optional card reader.

For further information about Xerox Secure Access, refer to Xerox Secure Access on page 331.

Information Checklist

Before starting the procedure, ensure the following items are available or tasks have been performed:

• Ensure that the device is fully functional on the network. TCP/IP and HTTP protocols must be configured so that Internet Services can be accessed.
• Ensure that the Xerox Partner authentication solution (Secure Access Server, Controller, and Card Reader) is installed and communicating with the device. Follow the installation instructions from the manufacturer of the authentication solution to correctly set the devices up. Make sure to securely mount any external user authenticating devices to the device.
• Ensure that SSL (Secure Sockets Layer) is configured on the device. The Xerox Partner authentication solution communicates with the device via HTTPS.
• (Optional) Ensure that Network Accounting is configured if you want the device to send user account information to a Network Accounting server. For instructions, refer to the Network Accounting section of this guide.
• You may also need another Authentication Server to communicate with the Secure Access Server, providing that server with user credentialing information. A second Authentication Server will be necessary for web user interface Authentication, if this feature is additionally desired.
• You will need to configure LDAP communications on the device as stated in the LDAP/LDAPS topic in the Authentication section of this guide.

Configure Authentication

Note: To configure this feature or these settings, access the Properties tab as a System Administrator. For details, refer to Access Internet Services as System Administrator on page 24.

1. From the Properties tab, click on the [Security] link.
2. Click on the [Authentication] link and select [Setup] in the directory tree.
3. The Xerox Access Setup page is displayed. In the Authentication, Authorization and Personalization area click on the [Edit...] button.
4. In the Authentication method on the machine's touch interface (Touch UI) area select [Xerox Secure Access Unified ID System] from the drop-down menu.
5. Select the required option from the [Authentication method on the machine's web user interface (Web UI)] drop-down menu.
   a. When a user attempts to access Internet Services they are prompted to enter their login information. The option selected from the web user interface Authentication menu defines how the device will validate the user's rights to access Internet Services. This is required because if the user normally authenticates at the device with a card reader, there would be no method for the device to authenticate users who access Internet Services from their workstations.
      • Select [Locally on the Device] to validate users listed in the Local User Information Database. This option requires you to configure accounts in the Local User Information Database.
      • Select [Remotely on the Network] to validate users via an Authentication Server. This option requires you to have a server that will provide authentication of user login details. Authentication via Kerberos (Solaris, Windows 2000), NDS (Novell), SMB (Windows NT4/2000) or LDAP is supported.
   b. Select the required method from the [Authorization] drop-down menu. The card reader and Authentication Solution authenticate (validate) the user. The Authorization method determines which areas of the device a user is allowed to access. There are two options:
      • Select [Locally on the Device] if you want the device to check the Local User Information Database for levels of authorization.
      • Select [Remotely on the Network] if you want to use an LDAP server to determine levels of authorization.
      If you selected Remotely on the Network (from the Location of Access Rights box), configure LDAP communications as stated in the Configure Authentication for LDAP/LDAPS topic in the Authentication section of this guide.
   c. Check the [Automatically retrieve user’s e-mail address from LDAP] checkbox under Personalization if you want to set the From address to the logged in user's e-mail address when they log in via Secure Access.
   d. Click on the [Save] button to return to the Xerox Access Setup page.
6. In the table displaying a list of related configuration setting pages, click the [Edit...] button on the Xerox Secure Access Setup row.
   a. The Xerox Secure Access Setup screen displays. The device will automatically configure itself to work with the XSA remote server. Click on the [Manually Configure] button if the XSA remote server does not configure automatically.
   b. In the Server Communication area, select either [IPv4 Address] or [Hostname].
   c. Enter details in the [IP Address: Port] or [Host Name: Port] fields.
   d. Enter the details in the [Path] field.
   e. Under the Device Log In Methods heading, select one of the following:
      • Xerox Secure Access Device Only (e.g., Swipe Cards) - if you want to allow the user to swipe their swipe cards at the UI.
      • Xerox Secure Access Device + alternate on-screen authentication method - if you want users to authenticate using the device’s control panel as well as the XSA feature.
      When the second option is enabled, a button labelled “Alternate Login” is displayed on the “Instructional Blocking Window”, providing users with an alternate method to log in. For example, this feature can be enabled for users who are unable to use their swipe card. When the alternate button is selected, the remote server presents a series of log in screens on the local user interface. The remote server is still responsible for authenticating the user. All other Xerox Secure Access options are supported with this setting.
   f. Under the Accounting Information heading, note that this item will be grayed out if Network Accounting is not enabled. If accounting is enabled, select [Automatically apply Accounting Codes from the server] if the Secure Access Server has been configured to return the accounting User ID and Account ID login. If you want the user to enter these values at the local user interface during login, select [User must manually enter accounting codes at the device].
   g. Under the Device Instructional Blocking Window heading, enter text in the [Window Title] and [Instructional Text] fields to create the prompt that will be displayed on the device’s user interface informing users how to authenticate themselves at the device.
      Note: If the Title and Prompt have been configured on the Secure Access Server, then this information will override the Title and Prompt text entered here.
   h. Click on the [Save] button when done.
7. Click on the [Close] button to return to the Authentication Configuration page.

Enable Web User Interface Authentication

A second, networked Authentication Server will be necessary for web user interface Authentication, if Remotely on the Network was selected. Full instructions for configuring network authentication, using Kerberos, NDS, SMB, and LDAP/LDAPS, are contained in the Network Authentication section of this guide. The path to the Authentication Server configuration screen is:

Note: To configure this feature or these settings, access the Properties tab as a System Administrator. For details, refer to Access Internet Services as System Administrator on page 24.

1. From the Properties tab, click on the [Security] link.
2. Click on the [Authentication] link and select [Setup] in the directory tree.
3. The Xerox Access Setup page is displayed. In the Authentication, Authorization and Personalization area click on the [Edit...] button.
4. In the Authentication method on the machine's web user interface (Web UI) area, select [Remotely on the Network] from the drop-down menu. Click on the [Save] button to return to the Authentication Configuration page.
5. In the table displaying a list of related configuration setting pages, click the [Edit...] button on the Authentication Server row.
6. Follow the instructions to select the required Authentication Type from the drop-down menu.
   • See Authentication Configuration for Kerberos (Solaris) on page 157.
   • See Authentication Configuration for Kerberos (Windows 2000/2003) on page 158.
   • See Authentication Configuration for SMB (Windows NT4) and SMB (Windows 2000/2003/2008) on page 159.
   • See Authentication Configuration for LDAP/LDAPS on page 160.
7. When you have configured the required Authentication Type, click on the [Save] button to return to the Xerox Access Setup page.

Configure your LDAP Server

Configure LDAP communications on the device as stated in the LDAP/LDAPS topic. See Authentication Configuration for LDAP/LDAPS on page 160.

8. To set Authentication to control access to individual Services, in the table displaying a list of related configuration setting pages, click on the [Edit...] button for Tools and Feature Access (Lock/Unlock).
   a. On the Tools & Feature Access page, in the Presets area, select either [Open Access] to allow all users access to all pathways and features or [Custom Access] and lock or unlock the various pathways and features as required.
9. Click [Save] to confirm the changes and return to the Xerox Access Setup page.
10. Select [Logout] in the upper right corner of your screen if you are still logged in as Administrator, and click on the [Logout] button.

Using Secure Access

1. Read the device’s user interface prompt to determine what needs to be done to be authenticated at the device. Authentication methods include swiping a card, placing a proximity card near the reader, or entering a user ID or PIN (personal identification number).
2. If the device requests further information such as accounting details, enter this information at the user interface.
3. The device will confirm successful authentication, allowing access to previously locked system features.
4. When finished using system features, press the button on the device’s keypad to close your account.

8 Security

This chapter describes how to configure the following Security features for the device:

• Email Encryption and Signing
• FIPS 140-2 Encryption
• User Data Encryption
• User Information Database
• IP Filtering
• Audit Log
• Security Certificate Management
• IP Sec
• Security Certificates
• 802.1X
• System Timeout
• On Demand Overwrite
• Immediate Image Overwrite

Security @ Xerox

For the latest information on securely installing, setting up and operating your device see the Xerox Security Information website located at www.xerox.com/security.