Xerox Multifunction Devices

Customer Tips
dc06cc0390 August 4, 2006

for the user

IPSec Client/Server Configuration Using PreShared Keys in Windows Environments

Overview
This document applies to the Xerox products indicated in the table below. For some products, it is assumed that your device is equipped with the appropriate option to support this document.
x x x WC 7655/7665 WC Pro 232/238/245/ 255/265/275 WC 232/238/245/255/ 265/275 WC Pro C2128/C2636/ C3545 WC Pro 165/175 WC M165/M175 WC Pro 32/40 Color WC Pro 65/75/90 WC Pro 35/45/55 WC M35/M45/M55 DC 555/545/535 DC 490/480/470/460 DC 440/432/425/420

A client can use an IPSec tunnel as one method of secure printing available to Xerox devices. The IPSec protocol uses strong cryptography to provide both authentication and encryption services. By using the service you create a secure tunnel to transfer data safely through un-trusted networks. In essence you are creating a VPN (virtual private network). This document includes the following information: Configuration of the IPSec client/server in Windows 2000 with Service Pack 4, 2003 Server and XP environments A test of the client setup Configuration of IPSec on a Xerox device

IPSec Terminology
This section is part of an article in Microsofts Knowledge Base (Article 301284). It defines some of the terms you may encounter while setting up IPSec. Authentication: The process to determine if the identity of a computer is legitimate. Windows 2000/XP IPSec supports three kinds of authentication: Kerberos, certificates, and preshared keys. Kerberos authentication can work only if both endpoints (computers) are in the same Windows 2000/XP domain. If the computers are in different domains, or at least one of them is not in a domain, you must use either certificates or preshared keys. Certificates can work only if each endpoint contains a certificate that is signed by an authority that the other endpoint trusts. Preshared keys have the same problems that passwords do: They do not remain secret for a very long period of time. If the endpoints are not in the same domain and you cannot obtain certificates, preshared keys are your only authentication option. Encryption: The process of making data indistinct in preparation for transmission between two endpoints. By using well-tested algorithms, each endpoint constructs and exchanges cryptographic keys. The process ensures that only the endpoints know the

dc06cc0390 Customer Support

Page 1

keys; and if any key-exchange sequences are intercepted, the interceptor obtains nothing of value. Xerox devices support DES and 3DES encryption types. Filter: A description of the Internet Protocol (IP) addresses and protocols that can trigger the establishment of an IPSec security association. Filter action: The security requirements that are enabled when the traffic matches the filters in a filter list. Filter list: A collection of filters. Internet Protocol security policy: The collection of rules that describe how communications between computers are secured. Rule: The link between a filter list and a filter action. When the traffic matches a filter list, the corresponding filter action is triggered. An IPSec policy can contain multiple rules. Security association: The collection of authentication and encryption methods that the endpoints negotiate to establish a secure session.

Local Security Policies

To access Local Security Policies, select Start>Settings>Control Panel>Administrative Tools>Local Security Policy. When displayed, select IP security policies on Local Machine (some selection titles vary with operating system version). The current default policies are displayed in the right pane.

To create a new policy and the rules that go with it, first define the filter lists and filter actions.

Page 2

dc06cc0390 Customer Support

Adding a Filter List

1. Right-click on IP security policies on Local Machine and select Manage IP filter lists and filter actions. The window that appears contains two tabs, Manage IP Filter Lists and Manage Filter Actions.

2. On the Manage IP Filter Lists tab click Add. 3. On IP Filter List enter a Name for the filter list, for example, My Xerox Printer Filter. Click Add again to start the IP Filter Wizard.

dc06cc0390 Customer Support

Page 3

4. Click Next. For the Source Address select My IP Address.

5. Click Next. For the Destination Address select A specific IP Address and enter in the IP address of the Xerox device.

Page 4

dc06cc0390 Customer Support

6. Click Next. For Select a protocol type select Any. This forces any protocol using TCP/IP to run over IPSec through the connection from the Source Address to the Destination Address.

7. Click Next. Click Finish then OK. The name of the filter list you created, for example, My Xerox Printer Filter, appears in the list of available IP filters on the Manage IP filter lists and filter actions window.

Adding a Filter Action

1. With the Manage IP filter lists and filter actions window displayed, select the Manage Filter Actions tab.

2. Click Add to start the Filter Action Wizard, then click Next. dc06cc0390 Customer Support

Page 5

3. Enter a name for the filter action, for example, My Xerox Printer Action, then click Next.

4. In General Options select Negotiate Security, then click Next.

Page 6

dc06cc0390 Customer Support

5. Verify Do not communicate with computers that do not support IPSec is selected, then click Next.

6. For IP Traffic Security select Custom, then click Settings.

dc06cc0390 Customer Support

Page 7

7. In the Encryption algorithm field select 3DES. Leave other settings/entries as they are.

8. Click OK. If a security warning appears, click OK then click Next. 9. Click Finish. The filter action you created, for example, My Xerox Printer Action, appears in the list of available Filter Actions. 10. Double-click the action you just created to edit its Properties.

11. Verify the Accept unsecured communication, but always respond using IPSec.and Allow unsecured communication with non-IPSec-aware computer are not checked. 12. Check Session key perfect forward secrecy (PFS). dc06cc0390 Customer Support

Page 8

13. Click OK. 14. Click Close to finish.

Creating an IP Security Policy Rule

To use an IPSec policy at least one rule that links a filter list to a filter action is required. 1. In the Local Security Settings window right click IP Security Policies on Local Machine and select Create IP Security Policy, to start the IP Security Policy Wizard. 2. Click Next. Enter a name for the policy, for example My Xerox Printer Policy.

3. Click Next. Uncheck the Activate the default response rule.

dc06cc0390 Customer Support

Page 9

4. Click Next, then click Finish. 5. The New IP Security Policy Properties window appears. Click Add to start a new rule.

6. Click Next to start the Security Rule Wizard. 7. For the Tunnel Endpoint select This rule does not specify a new tunnel then click Next.

Page 10

dc06cc0390 Customer Support

8. Select Local Area Network (LAN) for Network Type

9. Click Next. Select Use this string to protect the key exchange (preshared key): for the Authentication Method. Note: This document only describes the preshared key authentication method. Other authentication methods are available.

10. Enter a string of alphanumeric characters to serve as the preshared key. IMPORTANT: You must duplicate this string in the Xerox device IPSec configuration process described in the next section, Configuring IPSec on a Xerox Device.

dc06cc0390 Customer Support

Page 11

11. Click Next. Select the filter created earlier (for example, My Xerox Printer Filter) from the list.

12. Click Next. Select the filter action created earlier (for example, My Xerox Printer Action) from the list.

13. Click Next then Finish. 14. Click OK then Close. 15. To activate the policy, on the Local Securities Settings window select IP Security Policies on Local Machine in the left hand pane, then right click on the My Xerox Printer Policy and select Assign.

Page 12

dc06cc0390 Customer Support

Configuring IPSec on a Xerox Device

Before you can configure IPSec on a Xerox device, you must acquire an SSL certificate and enable SSL.

Acquiring an SSL Certificate

The types of SSL certificates available are described in the following list. Use the process in either Create a Self Signed Certficate, or Create a Certificate Signing Request and Upload the Signed Certificate, to acquire an SSL certificate. Self Signed Certificate: Establish a Self Signed Certificate on this machine. This option creates a certificate that is not validated by a Certificate Authority. This type of certificate is used primarily to obtain a key. The information you enter is similar to that required to request an external certificate but it serves no real purpose. A self-signed certificate can expire and still have a valid, usable key. Depending on the security level you require, this selection may not be adequate. Certificate Signing Request: Download a Certificate Signing Request to be processed by a Trusted Certificate Authority. The information on this page is saved in a .pem.txt file that is sent to an external authority who can issue a certificate.

Create a Self Signed Certificate

1. Enter the IP address or host name of the WorkCentre or WorkCentre Pro in a browser Address field. Select the Properties tab, expand Security and select SSL.

2. Click Create New Certificate.

dc06cc0390 Customer Support

Page 13

3. Select Self Signed Certificate: Establish a Self Signed Certificate on this machine then click Continue.

Enter information for a self-signed certificate. The country code field entry is required. 4. Click Apply. The Administrator Authentication screen may appear. Enter the current User Name and Password and click OK. The SSL page appears and shows that the device has a Self Signed Certificate.

Page 14

dc06cc0390 Customer Support

Create a Certificate Signing Request and Upload the Signed Certificate

1. Enter the IP address or host name of the WorkCentre or WorkCentre Pro in a browser Address field. Select the Properties tab, expand Security and select SSL.

2. Click Create New Certificate. Select Certificate Signing Request: Download a Certificate Signing Request to be processed by a Trusted Certificate Authority then click Continue.

3. Enter the information you wish to appear in your Certificate Signing Request.

4. Click Apply. The Administrator Authentication screen may appear. Enter the current User Name and Password and click OK.

dc06cc0390 Customer Support

Page 15

5. The certificate request information you entered is displayed. Below this data, rightclick the link and select Save Target As.

6. Save the .pem.txt file and send it to a trusted certificate authority. A status message appears on the SSL page indicating a Certificate Signing Request is pending.

You receive notification of the signed certificate in a manner that complies with the policy of the authority issuing the certificate (for example, via email). 1. When you receive the signed certificate, access the SSL page again and click Upload Signed Certificate. 2. Click Browse, locate the certificate (.pem file), and click Upload Certificate. 3. Current Status on the SSL page shows a Signed Certificate resides on the device.

Enable SSL
After a certificate exists you can enable SSL. 1. Enter the IP address or host name of the WorkCentre or WorkCentre Pro in a browser Address field. Select the Properties tab, expand Security and select SSL. 2. Select the Protocol Enabled box and click Apply.

Page 16

dc06cc0390 Customer Support

Enable IPSec
1. Enter the IP address or host name of the WorkCentre or WorkCentre Pro in the browser Address field. 2. Select the Properties tab and expand Security. Select IP Sec.

3. Check the Enabled box. 4. If required, click Flush All IP Sec Connections. 5. In the Shared Secret field, enter the pre-shared key string you entered in the Authentication Method screen of the Security Rule Wizard (see Creating an IP Security Policy Rule).

Using Your Secure Connection

To test the secure connection select Start>Run to open up a console window on the client or server configured for IPsec, enter cmd and click OK. Use the ping <IP Address> command where <IP Address> is the IP of the Xerox device. If the configuration is correct you see the Negotiating security messages and then ping exits.

Now, when you send a print job try print to the device from an application, it is using IPSec. dc06cc0390 Customer Support

Page 17

Additional Information
Xerox Customer Support welcomes feedback on all documentation - send feedback via e-mail to: USA.DSSC.Doc.Feedback@mc.usa.xerox.com. You can reach Xerox Customer Support at 1-800-821-2797 (USA), TTY 1-800-855-2880 or at http://www.xerox.com. Other Tips about Xerox multifunction devices are available at the following URL: http://www.office.xerox.com/support/dctips/dctips.html.

XEROX , The Document Company , the digital X , and all Xerox product names are trademarks of XEROX CORPORATION. Other trademarks belong to their respective owners. Copyright XEROX CORPORATION 2006. All Rights Reserved.

Page 18

dc06cc0390 Customer Support