AU-211P CAC/PIV Solution: Users Guide
1 Introduction
Thank you for choosing this device.
This guide provides descriptions of the installation, operating procedures
and precautions for using Authentication Unit (IC Card Type) AU-211P.
Carefully read this User’s Guide before using this device.
The actual screens that appear may be slightly different from the screen
images used in this User’s Guide.
Trademark/copyright acknowledgements
- Microsoft® and Windows® are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other
countries.
- All other company names and product names mentioned in this
User’s Guide are either registered trademarks or trademarks of their
respective companies.
Restrictions
- Unauthorized use or reproduction of this User’s Guide, whether in its
entirety or in part, is strictly prohibited.
- The information contained in this User’s Guide is subject to change
without notice.
1.1 Safety Information
Carefully read this information.
- Before using this device, carefully read this information and follow it
to operate the device correctly.
Important information
- The reprinting or reproduction of the content of this publication, either
in part or in full, is prohibited without prior permission.
- The content of this publication is subject to change without notice.
- This publication was created with careful attention to content;
however, if inaccuracies or errors are noticed, please contact your
sales representative.
- The marketing and authorization to use our company’s product
mentioned in this information are provided entirely on an “as is” basis.
- Our company assumes no responsibility for any damage (including
lost profits or other related damages) caused by this product or its
use as a result of operations not described in this information. For
disclaimers and warranty and liability details, refer to the User’s Guide
Authentication Unit (IC Card Type AU-211P).
- This product is designed, manufactured and intended for general
business use. Do not use it for applications requiring high reliability
and which may have an extreme impact on lives and property.
(Applications requiring high reliability: Chemical plant management,
medical equipment management and emergency communications
management)
- Use with other authentication devices is not guaranteed.
- In order to incorporate improvements in the product, the
specifications concerning this product are subject to change without
notice.
Regulation notices
USER INSTRUCTIONS FCC PART 15 - RADIO FREQUENCY DEVICES
(For U.S.A. Users)
NOTE:
This equipment has been tested and found to comply with the limits for a
Class B digital device, pursuant to Part 15 of the FCC Rules.
These limits are designed to provide reasonable protection against harmful
interference in a residential installation. This equipment generates, uses and
can radiate radio frequency energy and, if not installed and used in
accordance with the instructions, may cause harmful interference to radio
communications. However, there is no guarantee that interference will not
occur in a particular installation. If this equipment does cause harmful
interference to radio or television reception, which can be determined by
turning the equipment off and on, the user is encouraged to try to correct the
interference by one or more of the following measures:
- Reorient or relocate the receiving antenna.
- Increase the separation between the equipment and receiver.
- Connect the equipment into an outlet on a circuit different from that
to which the receiver is connected.
- Consult the dealer or an experienced radio/TV technician for help.
WARNING:
The design and production of this unit conform to FCC regulations, and any
changes or modifications must be registered with the FCC and are subject
to FCC control. Any changes made by the purchaser or user without first
contacting the manufacturer will be subject to penalty under FCC
regulations.
INTERFERENCE-CAUSING EQUIPMENT STANDARD (ICES-003 ISSUE
4) (For Canada Users)
(This device complies with RSS-Gen of IC Rules.) Operation is subject to the
following two conditions: (1) this device may not cause interference, and (2)
this device must accept any interference, including interference that may
cause undesired operation of this device.
This Class B digital apparatus complies with Canadian ICES-003.
Cet appareil numérique de la classe B est conforme à la norme NMB-003 du
Canada.
5 How to Use the Authentication Unit
5.1.1 Login
Use the following steps to log into the MFP.
1 Insert a CAC/PIV card in the reader.
Detail
If an incorrect PIN code is entered, "No. of Allowable Auth Failure"
appears on the screen. After 3 consecutive authentication failures the
CAC/PIV card will be locked for security reasons. For details on how to
unlock the CAC/PIV card, contact your PKI card administrator.
3 Press [OK].
This starts authentication. Successful authentication grants the user
access to the MFP.
Detail
When Account Track is enabled, use the CAC/PIV card to perform user
authentication before account authentication. When Account Track is
enabled on the MFP that supports this system, user authentication is
forcibly associated with account authentication.
Detail
You can log in as a public user if Public User Access is enabled.
If logging into the MFP as an administrator or User Box administrator,
press [ID & PW], and enter the password.
Detail
If you log into the MFP as an administrator, you can check or delete the
desired job. If you log into the MFP as a User Box administrator, you can
view the contents of all the created User Boxes regardless of whether a
password has been specified.
5.1.2 Logout
To log out of the MFP, pull the CAC or PIV card out of this unit.
Detail
If a PKI card is used to log in to the MFP, you cannot log out by pressing
the [ID] key on the control panel.
If the MFP sub power is turned off while logging in using the PKI card, you
will be logged out of the MFP.
5.2 Specific MFP Functions Using CAC/PIV Card Authentication
This section explains the specific MFP functions using the CAC/PIV card
authentication.
Basic functions
Ensuring a higher level of security
To ensure a higher level of security, use the Scan To Me and Scan To Home
functions.
Note
To use these functions, ask your service engineer to configure settings.
For details, contact your service representative.
5.3 Address Search (LDAP)
5.3.1 Overview
This function allows a CAC/PIV card user to log in to an LDAP server and
perform an address search. The process uses the Kerberos authentication
ticket obtained from Active Directory when the user authenticates with the
CAC/PIV card to search for a destination via the LDAP server.
[Figure: address search flow between the CAC/PIV Card, Active Directory and the LDAP Server, steps (1) to (3)]
(1) Insert the CAC/PIV card into the MFP to perform Active Directory
authentication.
(2) Obtain the Kerberos authentication ticket.
(3) Use the Kerberos authentication ticket to log in to the LDAP server and
search for the destination.
Note
This function is not available when you log in to the MFP as a public user
or User Box administrator.
5.3.2 LDAP Related Settings
This section explains how to configure the address search (LDAP) settings
on the MFP that supports this system.
Enabling LDAP
Configure settings to use the LDAP server.
On the MFP control panel, press the [Utility/Counter] key, and then
[Administrator Settings] - [Network Settings] - [LDAP Settings] - [Enabling
LDAP].
Item            Description
Enabling LDAP   Select [ON].
Setting Up LDAP
Register the desired LDAP server to search for the destination.
On the MFP control panel, press the [Utility/Counter] key, and then
[Administrator Settings] - [Network Settings] - [LDAP Settings] - [Setting Up
LDAP].
Item                                Description
LDAP Server Name                    Specify the LDAP server name (up to 32 characters).
Max. Search Results                 Enter the maximum number of items that can be
                                    received as address search (LDAP) results.
Timeout                             Specify the timeout period for address search (LDAP).
Initial Setting for Search Details  Specify address search (LDAP) conditions.
Server Address                      Specify the conditions of address search (LDAP).
Search Base                         Specify the search starting point in the directory
                                    structure under the LDAP server (up to 255 characters).
                                    This search function also covers subdirectories under
                                    the specified starting point.
SSL Setting                         Select "ON" to encrypt communication between the
                                    MFP and LDAP server with SSL.
Port Number                         Specify the LDAP port number.
Port Number (SSL)                   Enter the desired port number for SSL communication.
Referral Setting                    Select whether to use the referral function. Match the
                                    LDAP server environment.
Domain Name                         Specify the domain name to log in to the LDAP server
                                    (up to 64 characters).
Detail
On the MFP that supports this system, "Authentication Type" is
automatically set to "GSS-SPNEGO". "Select Server Authentication
Method" is automatically set for user authentication.
Note
If the address search (LDAP) setting is not configured properly,
[Address Search] will not appear. Check that the address search (LDAP)
setting is configured correctly.
When a single LDAP server is registered
Press [Begin Authentication] to perform authentication with the Kerberos
authentication ticket and connect to the LDAP server.
After connecting to the LDAP server, select the desired method to search for
the destination.
Note
For details on the address search (LDAP) function, refer to the User's
Guide [Network Scan/Fax/Network Fax Operations] supplied together
with the MFP.
5.4 Scan to SMB (Network Share)
5.4.1 Overview
This function allows a user to scan a document to the destination computer
via SMB, using the Kerberos authentication ticket obtained from Active
Directory when the user authenticates with the CAC/PIV card.
[Figure: Scan to SMB flow between the CAC/PIV Card, Active Directory and the Client PC (scanned data saved in shared folder), steps (1) to (3)]
(1) Insert the CAC/PIV card into the MFP to perform Active Directory
authentication.
(2) Obtain the Kerberos authentication ticket.
(3) Use the Kerberos authentication ticket to log in to the destination
computer and save scanned data.
Note
This function is not available while logged into the MFP as a public user
or as a User Box administrator.
5.4.2 Scan to SMB Related Settings
This section explains how to configure the Scan to SMB settings on the MFP.
Client Settings
Configure the setting to perform SMB TX.
On the MFP control panel, press the [Utility/Counter] key, and then
[Administrator Settings] - [Network Settings] - [SMB Settings] - [Client
Settings].
Item                                 Description
ON/OFF                               Select [ON].
SMB Auth Setting                     Select [Kerberos] or [Kerberos/NTLMv2/v1] as the SMB
                                     TX authentication method.
                                     The default is [Kerberos]. In an NTLM authentication
                                     environment, select [Kerberos/NTLMv2/v1].
DFS Setting                          To perform SMB TX in a DFS (Distributed File System)
                                     environment, select "Enable".
Password Authentication Restriction  This system applies the user account of the CAC/PIV
                                     card to perform authentication even if the user ID or
                                     password is registered in the SMB TX address included
                                     in the address book. In this item, specify the action to
                                     be taken when authentication has failed using the user
                                     account of the CAC/PIV card.
                                     If "Limit" is selected, it results in an authentication
                                     failure.
                                     If "Do Not Limit" is selected, enter the user ID and
                                     password on the control panel when sending data.
Note
Specify the WINS server or direct hosting service to fit your environment.
For details, refer to the User's Guide [Network Administrator] supplied
together with the MFP.
5.4.3 Performing Scan to SMB at the MFP
Use the Fax/Scan screen on the MFP control panel to specify the target SMB
address.
When SMB TX starts, you can use the Kerberos authentication ticket to log
into the destination computer and save scanned data in a shared folder.
Note
For details on how to register the SMB address or use SMB TX, refer to
the User's Guide [Network Scan/Fax/Network Fax Operations] supplied
together with the MFP.
5.5 Scan to E-mail (S/MIME)
5.5.1 Overview
This function allows a CAC/PIV card user to authenticate and Scan to Email
from the MFP. A user will be able to add a digital signature when sending an
e-mail. Sending an e-mail with a digital signature enables you to prove you
are the e-mail sender.
If a certificate is registered in the target address, you can combine this
function with e-mail encryption when sending an e-mail. Sending an
encrypted e-mail prevents information from being leaked to a third party on
the transmission route.
[Figure: CAC/PIV Card, Encryption + Digital Signature]
Note
This function is not available when you log into the MFP as a public user
or User Box administrator.
5.5.2 Scan to Email Related Settings
This section explains how to configure settings to encrypt an e-mail or add
a digital signature on the MFP.
S/MIME Communication Settings
Configure settings to encrypt an e-mail and add a digital signature.
On the MFP control panel, press the [Utility/Counter] key, and then
[Administrator Settings] - [Network Settings] - [E-Mail Settings] - [S/MIME
Communication Settings].
Item                           Description
ON/OFF                         Select [ON].
Digital Signature              To add a digital signature, select "Always add
                               signature" or "Select when sending". The default is
                               "Select when sending".
                               If "Select when sending" is selected, specify whether to
                               add a digital signature before sending an e-mail.
                               If "Always add signature" is selected, a digital signature
                               is automatically added using the CAC/PIV card when
                               sending an e-mail.
Digital Signature Type         Select the digital signature type.
E-Mail Text Encryption Method  Select the e-mail text encryption method.
Note
For details on how to configure the settings required to send an e-mail,
refer to the User's Guide [Network Administrator] supplied together with
the MFP.
5.5.3 Encrypting an E-Mail and Adding a Digital Signature
Display the Fax/Scan screen on the MFP control panel, and press
[Communication Settings].
- To encrypt an e-mail, press [E-Mail Encryption], and specify the
e-mail address with the certificate registered.
- If "Select when sending" is selected to add a digital signature, press
[Digital Signature] and specify the e-mail address. If "Always add
signature" is selected, a digital signature will be automatically added.
Detail
• For details on how to send an e-mail, refer to the User's Guide [Network
Scan/Fax/Network Fax Operations] supplied together with the MFP.
• For details on how to register the certificate in the e-mail address, refer
to the User's Guide [Network Administrator] supplied together with the
MFP.
• When adding a digital signature with a PIV card, enter the PIN code when
sending an e-mail. If the PIV card is locked as a result of an incorrectly
entered PIN code, the e-mail sending job will be discarded.
5.6 PKI Card Print
5.6.1 Overview
This function encrypts print data using the CAC/PIV card before sending the
data from the printer driver to the MFP. The print data is saved in the PKI
Encrypted Document User Box of the MFP. When the user authenticates at
the MFP using their CAC/PIV card, the print data is decrypted and printed.
Because the print data is encrypted when it is sent from the printer driver
and can only be printed when authentication at the MFP using the CAC/PIV
card is successful, the confidentiality of the documents is ensured.
[Figure: PKI Card Print flow involving Active Directory, steps (1) to (5)]
(1) Insert the CAC/PIV card into the computer to perform Active Directory
authentication.
(2) Encrypt print data using the CAC/PIV card to send it from the printer
driver to the MFP.
(3) Take the CAC/PIV card to the MFP.
(4) Insert the CAC/PIV card into the MFP to perform Active Directory
authentication.
(5) Decrypt print data using the CAC/PIV card, and print it.
5.6.2 Installing the Printer Driver
To use PKI Card Print, install a printer driver compatible with this system in
the computer.
Required System Environment
The printer drivers are available in the following environment.
Installing the printer driver
Install the printer driver using Add Printer Wizard of the Windows printer.
<Windows Vista>
Installing the printer driver in Windows Vista requires administrator authority.
Click the Start Menu, and then [Control Panel]. Then click [Printer] from
[Hardware and Sound], and click [Add a printer] on the toolbar.
After the Add Printer Wizard appears, complete the installation by following
the on-screen instructions.
<Windows 2000>
Click the Start Menu, and then [Settings] - [Printers]. Double-click [Add
Printer].
After the Add Printer Wizard appears, complete the installation by following
the on-screen instructions.
Note
The printer driver installation method varies depending on how the printer
driver is connected to the MFP or which protocol is used. For details,
refer to the User's Guide [Printer Operations] supplied together with the
MFP.
5.6.3 Specifying the Print Data Deletion Time
The data encrypted with the CAC/PIV card is deleted from the PKI Encrypted
Document User Box of the MFP after it has been saved in the User Box and
printed on the MFP.
However, if unprinted print data in the PKI Encrypted Document User Box
exceeds the User Box upper limit, new data cannot be saved in the User Box.
To avoid this problem, you can configure the setting to automatically delete
data that remains saved in the User Box for a specific length of time.
Note
The PKI Encrypted Document User Box can contain up to 200
documents.
PKI Encrypted Document Delete Time Setting
On the MFP control panel, press the [Utility/Counter] key, and then
[Administrator Settings] - [System Setting] - [User Box Settings] - [PKI
Encrypted Document Delete Time Setting].
To specify the deletion time, press [Yes], and enter the time required to
automatically delete print data.
5.6.4 Performing PKI Card Print
The following explains how to handle PKI Card Print.
Sending print data (Printer driver setting)
Use the following steps to configure the printer driver setting when
encrypting print data using the CAC/PIV card and sending it to the MFP.
6 Select the "Realm(Domain)" and "IC Card Reader CSP", and click [OK].
– The value of "Realm(Domain)" corresponds to the registration
number of the Active Directory. For example, if the registration
number of an Active Directory is set to "2", the value of
"Realm(Domain)" is also set to "2".
– PKI Card Print uses authentication information of the CAC/PIV card;
therefore, it disables the authentication information specified in
"User Authentication".
– If Account Track is enabled, enter the "Department Name" and
"Password" under "Account Track". To enable Account Track,
configure the printer driver setting separately. For details on setting,
refer to the User's Guide [Printer Operations] supplied together with
the MFP.
7 Under "Output Method", select "PKI Card Print", and click [OK].
Detail
If the MFP is associated with PageScope Authentication Manager, and
the user is not registered in PageScope Authentication Manager or the
user has no print privileges, an authentication failure will occur, and the
print job will be discarded.
MFP printing
The following explains how to print data on the MFP.
The MFP provides two printing methods: (1) printing data simultaneously
with authentication and (2) selecting and printing data in the PKI Encrypted
Document User Box after authentication.
- Using method (1), you can insert the CAC/PIV card into the MFP and
perform authentication to easily print the relevant user's data.
- Using method (2), you can select only the required data from the PKI
Encrypted Document User Box to print it. You can also delete
unnecessary data.
Note
• Selecting method (1) prints all print documents stored in the user's PKI
Encrypted Document User Box.
• The printed data is deleted from the PKI Encrypted Document User Box
after printing.
- Press [Print & Access], and insert the CAC/PIV card into the
authentication unit attached to the MFP.
– If the CAC/PIV card is inserted, the PIN code entry screen appears.
When authentication succeeds after entering the PIN code, the
system prints all the relevant user's data and logs into the MFP.
Detail
If necessary, this function also prints data in the ID & Print User Box. For
details on ID & Print, refer to the User's Guide [Printer Operations]
supplied together with the MFP.
<Selecting and printing data in the PKI Encrypted Document User Box >
1 Press [Access], and insert the CAC/PIV card into the authentication unit
attached to the MFP.
3 Press the [User Box] key, and then [Use Document] - [System User
Box] - [Encrypted Document User Box] - [OK] - [PKI Encrypted
Document User Box] - [OK].
A login user's print data list is displayed.
5.7 Scan To Me
Note
To use this function, ask your service engineer to configure appropriate
settings. For details, contact your service representative.
5.7.1 Overview
Scan To Me is a function in which, after the CAC/PIV user has successfully
authenticated to the network via the MFP, the user's own email address is
automatically populated in the ‘To’ field. The user's email address is
obtained from Active Directory. This function is useful in securing the email
process because the user can only email from the MFP back to their own
email address.
The user can also encrypt an e-mail using the CAC/PIV card or add a digital
signature when sending an e-mail, ensuring a higher level of security.
[Figure: Scan To Me flow between the CAC/PIV Card, Active Directory and the user's address, steps (1) to (6)]
(1) Insert the CAC/PIV card into the MFP to perform Active Directory
authentication.
(2) Obtain the user's e-mail address.
(3) Send the e-mail to the user's e-mail address. If necessary, the user can
use the CAC/PIV card to encrypt an e-mail or add a digital signature.
(4) Take the CAC/PIV card to the computer.
(5) Insert the CAC/PIV card into the computer to perform Active Directory
authentication.
(6) Receive the e-mail. If the user encrypted the e-mail or added a digital
signature when sending, use the CAC/PIV card to decrypt the e-mail or
check the digital signature.
Note
This function is not available when you log in to the MFP as a public user
or User Box administrator.
5.7.2 Before Using Scan To Me
Restrictions
Enabling Scan To Me provides a higher level of security by applying the
following restrictions.
- The user cannot directly enter the address using e-mail TX, FTP TX,
SMB TX, WebDAV TX, or Save in User Box.
- The user cannot use Annotation User Box.
- The user cannot save documents using the User Box function.
- The user cannot send documents from User Boxes.
- The user cannot use the URL notification function.
- The user cannot use the TSI distribution function.
Operation settings
To ensure a higher level of security when using Scan To Me, apply the
following settings.
- Disable Address Search (LDAP) (when no LDAP server is registered).
- Disable saving a document in an external memory.
- When Public User Access is enabled, disable scanning in the public
user mode.
Note
For details on settings, refer to the User's Guide [Network Administrator]
supplied together with the MFP.
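The operation settings above, together with the SSL Setting (5.3.2) and the SMB client settings (5.4.2) described earlier, can be checked mechanically once they are written down. The following is an added example, not part of the original guide or the vendor's software. The snapshot format and all of its key names are assumptions, since the guide defines no settings export, and reporting the NTLM and "Do Not Limit" choices as findings is the example's own judgement.

```python
# Added example (not from the guide): audit a hand-transcribed snapshot of MFP
# settings against sections 5.3.2, 5.4.2 and 5.7.2 of this guide.
# Every dictionary key below is hypothetical; the guide defines no export format.
from dataclasses import dataclass
from typing import List

SMB_AUTH_VALUES = {"Kerberos", "Kerberos/NTLMv2/v1"}   # choices listed in 5.4.2
PW_RESTRICTION_VALUES = {"Limit", "Do Not Limit"}      # choices listed in 5.4.2


@dataclass(frozen=True)
class Finding:
    setting: str   # setting name from the guide, or a descriptive label
    section: str   # section of the guide the rule is taken from
    message: str


def audit(cfg: dict) -> List[Finding]:
    """Return one Finding per setting that departs from the guide's guidance."""
    findings: List[Finding] = []

    def add(setting: str, section: str, message: str) -> None:
        findings.append(Finding(setting, section, message))

    ldap_on = cfg.get("ldap_enabled", False)
    servers = cfg.get("ldap_servers", [])

    # 5.7.2 "Operation settings": these three rules apply only with Scan To Me.
    if cfg.get("scan_to_me", False):
        if ldap_on and not servers:
            add("Enabling LDAP", "5.7.2",
                "Address Search (LDAP) is ON but no LDAP server is registered.")
        if cfg.get("external_memory_save", False):
            add("External memory save", "5.7.2",
                "Saving a document in an external memory is not disabled.")
        if cfg.get("public_user_access", False) and cfg.get("public_user_scan", False):
            add("Public user scan", "5.7.2",
                "Public User Access is enabled and public users can scan.")

    # 5.3.2 "SSL Setting": checked for every registered LDAP server.
    if ldap_on:
        for srv in servers:
            if not srv.get("ssl", False):
                add("SSL Setting", "5.3.2",
                    f"SSL is OFF for LDAP server {srv.get('name', '?')!r}.")

    # 5.4.2 "Client Settings": only relevant when SMB TX is switched ON.
    smb = cfg.get("smb_client", {})
    if smb.get("enabled", False):
        auth = smb.get("auth")
        if auth not in SMB_AUTH_VALUES:
            # A mistyped or missing value must not pass silently.
            add("SMB Auth Setting", "5.4.2", f"Unrecognised value {auth!r}.")
        elif auth != "Kerberos":
            add("SMB Auth Setting", "5.4.2",
                "NTLMv2/v1 is accepted besides Kerberos; the guide calls for "
                "this only in an NTLM authentication environment.")
        restriction = smb.get("password_auth_restriction")
        if restriction not in PW_RESTRICTION_VALUES:
            add("Password Authentication Restriction", "5.4.2",
                f"Unrecognised value {restriction!r}.")
        elif restriction != "Limit":
            add("Password Authentication Restriction", "5.4.2",
                "A typed user ID and password is accepted when authentication "
                "with the card account fails.")
    return findings


# Constructed sample snapshots (not taken from a real device).
SAMPLE_AS_FOUND = {
    "scan_to_me": True,
    "ldap_enabled": True,
    "ldap_servers": [],
    "external_memory_save": True,
    "public_user_access": True,
    "public_user_scan": True,
    "smb_client": {"enabled": True, "auth": "Kerberos/NTLMv2/v1",
                   "password_auth_restriction": "Do Not Limit"},
}
SAMPLE_HARDENED = {
    "scan_to_me": True,
    "ldap_enabled": True,
    "ldap_servers": [{"name": "dir01.example.test", "ssl": True}],
    "external_memory_save": False,
    "public_user_access": True,
    "public_user_scan": False,
    "smb_client": {"enabled": True, "auth": "Kerberos",
                   "password_auth_restriction": "Limit"},
}

if __name__ == "__main__":
    for f in audit(SAMPLE_AS_FOUND):
        print(f"[{f.section}] {f.setting}: {f.message}")
```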
5.7.4 Performing Scan To Me
The following explains how to perform Scan To Me on the MFP.
Detail
If the correct settings are configured to use Scan To Me, [E-Mail] appears
on the Fax/Scan screen to send data to the user's e-mail address.
3 Press [E-Mail].
4 Press [OK].
6 Load the original and press the [Start] key on the control panel.
This scans the original and sends data to the user's e-mail address.
Note
For details on scan conditions, refer to the User's Guide [Network Scan/
Fax/Network Fax Operations] supplied together with the MFP.
5.8 Scan To Home
Note
To use this function, ask your service engineer to configure settings. For
details, contact your service representative.
5.8.1 Overview
The Scan To Home function is similar to Scan To Me in that the Home folder
information (UNC) is obtained automatically from Active Directory and
automatically populated in the MFP after the user has successfully
authenticated to the network via the MFP. This function is useful in securing
the scanning process because the user can only scan from the MFP back to
their own designated folder.
[Figure: Scan To Home flow between the CAC/PIV Card, Active Directory and the User's PC (scanned data saved in home folder), steps (1) to (3)]
(1) Insert the CAC/PIV card into the MFP to perform Active Directory
authentication.
(2) Obtain the Kerberos authentication ticket and the position of the user's
Home folder.
(3) Use the Kerberos authentication ticket to log into the user's computer
and save scanned data in the Home folder.
Note
This function is not available when you log in to the MFP as a public user
or as a User Box administrator.
Note
For details on settings, refer to the User's Guide [Network Administrator]
supplied together with the MFP.
5.8.3 Scan to Home Related Settings
The following explains the settings required to use the Scan To Home
function.
Obtaining the Home folder position
Configure the setting to enable the user to obtain the position of the user's
Home folder from Active Directory.
Client Setting
Configure the setting to perform SMB TX.
For details on how to handle SMB TX using the PKI card and configure its
settings, refer to "SMB TX Using the PKI Card" (page 76).
Note
Specify the WINS server or direct hosting service to fit your environment.
For details, refer to the User's Guide [Network Administrator] supplied
together with the MFP.
Detail
If the correct settings are configured to use Scan To Home, [Home
Folder] appears on the Fax/Scan screen to send data to the user's Home
folder.
4 Press [OK].
6 Load the original and press the [Start] key on the control panel.
This scans the original and sends data to the user's Home folder.
Note
For details on scan conditions, refer to the User's Guide [Network Scan/
Fax/Network Fax Operations] supplied together with the MFP.
6 Added or Changed Setting Information
Note
For the settings of an ordinary MFP model, refer to the User's Guide
supplied together with the MFP.
6.2 Administrator Settings
Item                                        Description
PKI Encrypted Document Delete Time Setting  Allows the user to specify the time required to delete a
                                            PKI encrypted document.
                                            For details, refer to "Specifying the Print Data Deletion
                                            Time" (page 39).
Item                                             Description
User Authentication                              Not displayed.
                                                 User Authentication is automatically set to External
                                                 Server Authentication.
Synchronize User Authentication & Account Track  Not displayed.
                                                 Specified so that User Authentication is automatically
                                                 associated with Account Track when enabling Account
                                                 Track.
Description
Active Directory is only available as an external server.
Item              Description
General Settings  "PKI Card Authentication" is the only available
                  authentication method. In PIV Transitional Mode, select
                  PIV or CAC.
Description
Allows the user to configure the setting to verify a certificate. For details, refer to
"Configuring Settings for Verifying the Active Directory Certificate" (page 16).
6.2.3 Network Settings
TCP/IP Settings
Item                        Description
IPv4 Settings               This item has been renamed from "IP Settings".
                            For details, refer to "IPv4 Settings" (page 10).
IPv6 Settings               "DHCPv6 Setting" has been added. For details, refer to
                            "IPv6 Settings" (page 11).
DNS Domain                  "Search Domain Name Auto Retrieval" has been added.
                            For details, refer to "DNS Domain" (page 11).
DNS Server Settings (IPv4)  This item has been renamed from "DNS Server Settings".
                            For details, refer to "DNS Server Settings (IPv4)"
                            (page 14).
DNS Server Settings (IPv6)  This item has been renamed from "DNS Server Settings".
                            For details, refer to "DNS Server Settings (IPv6)"
                            (page 14).
LLMNR Setting               Select whether to enable the LLMNR function.
                            To communicate with a computer that contains
                            Windows Vista/Server 2008, you can perform name
                            resolution using the LLMNR function even if the DNS
                            server is not supported.
SMB Settings
Item                        Description
Client Settings             "NTLM Settings" has been changed to "SMB Auth
                            Setting". "DFS Setting" and "Password Authentication
                            Restriction" have been added.
                            For details, refer to "Client Settings" (page 31).
LDAP Settings
Item                        Description
Setting Up LDAP             "Login Name", "Password", "Authentication Type" and
                            "Select Server Authentication Method" are not
                            displayed.
                            On the MFP that supports this system, "Authentication
                            Type" is automatically set to "GSS-SPNEGO". "Select
                            Server Authentication Method" is automatically set so
                            that User Authentication is enabled.
E-Mail Settings
Item                           Description
S/MIME Communication Settings  "Digital Signature Type" has been added. For details,
                               refer to "S/MIME Communication Settings" (page 34).
Item                           Description
Web Service Common Settings    "Publication Service" has been added.
                               Publication Service, which is one of the Web service
                               functions, detects a connection destination using the
                               multicast service. When using the MFP while NetBIOS
                               is set to Disable in Windows Vista/Server 2008 or the
                               IPv6-only communication is configured, the user cannot
                               detect a connection destination using NetBIOS. In this
                               case, set "Publication Service" to "Enable".
Item                           Description
SSL/Port Settings              This item has been renamed from "Port Number" or
                               "SSL".
                               The user can specify SSL and port for OpenAPI
                               communication.
Item                                            Description
Password Rules                                  Not displayed on the MFP that supports this system.
Prohibited Functions when Authentication Error  The setting value of [Release] has been changed from
                                                "Users & Accounts" to "Account".
Description
Not displayed on the MFP that supports this system.
6.2.6 License Settings
Description
Not displayed on the MFP that supports this system.
6.3 Registering a Device Certificate
The user can register the MFP certificate (device certificate) using
PageScope Web Connection. The method for registering a device certificate
on an MFP with PKI card authentication is different from an ordinary MFP
model.
Use the following flowchart to configure settings. Clicking a step jumps to the
associated procedure.
[Flowchart: Device Certificate Setting; (1) Self-sign or (2) Issue by the certification authority; Install a Certificate; SSL Setting; Finish]
Note
For details on how to use PageScope Web Connection, refer to the
User's Guide [Network Administrator] supplied together with the MFP.
AU-211P 104
In the PageScope Web Connection administrator mode, select the Security
tab, and then "PKI Settings" - "Device Certificate Setting".
Item: Description
[New Registration]: Register a new device certificate.
Default: Specify a default device certificate for all protocols. Specify a default device certificate when not using protocol specific device certificates.
Issuer: Displays the device certificate issuer.
Subject: Displays the entity to which the device certificate is issued.
Validity Period: Displays the validity period of a device certificate.
Detail: Enables you to view the detailed information about a device certificate.
Setting: Enables you to discard a device certificate if it is installed. If "Requesting Certificate" is displayed in "Issuer" of the device certificate, you can install a CA-issued certificate in the MFP.
Note
The user can use multiple registered device certificates depending on
protocols. For details on the setting, refer to "Using Device Certificates
per Protocol" (page 111).
AU-211P 105
6.3.2 Create and install a self-signed Certificate
In the PageScope Web Connection administrator mode, select the Security
tab, and then "PKI Settings" - "Device Certificate Setting" - [New
Registration] - "Create and install a self-signed Certificate".
Item: Description
Common Name: Displays the IP address or domain name of the MFP. This item shows the setting value when accessing the MFP.
Organization: Enter the association name or organization name (up to 63 characters).
Organizational Unit: Enter the account name (up to 63 characters). This item may be left blank as required.
Locality: Enter the city, ward, town, or village name (up to 127 characters).
State/Province: Enter the state or province name (up to 127 characters).
Country: Enter the country code as defined in ISO 3166 (2 characters). United States: US, Great Britain: GB, Italy: IT, Australia: AU, The Netherlands: NL, Canada: CA, Spain: ES, Czech Republic: CZ, China: CN, Denmark: DK, Germany: DE, Japan: JP, France: FR, Belgium: BE, Russia: RU
Admin. E-mail Address: Enter the e-mail address of the administrator (up to 127 characters). If the administrator's e-mail address is already registered, it appears.
AU-211P 106
Item: Description
Validity Start Date: Displays the validity period starting date. This item displays the date and time of the MFP when this screen appears.
Validity Period: Enter the certificate's validity period (in days).
Encryption Key Type: Select the type of encryption key.
[OK]: Click this button to create a self-signed certificate. It may take several minutes to create the certificate.
Item: Description
Common Name: Displays the IP address or domain name of the MFP. This item shows the setting value when accessing the MFP.
Organization: Enter the association name or organization name (up to 63 characters).
Organizational Unit: Enter the account name (up to 63 characters). This item may be left blank as required.
Locality: Enter the city, ward, town, or village name (up to 127 characters).
AU-211P 107
Item: Description
State/Province: Enter the state or province name (up to 127 characters).
Country: Enter the country name with the country code defined in ISO 3166 (2 characters). United States: US, Great Britain: GB, Italy: IT, Australia: AU, The Netherlands: NL, Canada: CA, Spain: ES, Czech Republic: CZ, China: CN, Denmark: DK, Germany: DE, Japan: JP, France: FR, Belgium: BE, Russia: RU
Admin. E-mail Address: Enter the e-mail address of the administrator (up to 127 characters). If the administrator's e-mail address is already registered, it appears.
Encryption Key Type: Select the type of encryption key.
[OK]: Click this button to create a self-signed certificate. It may take several minutes to create a certificate.
Item: Description
Certificate Signing Request Data: Displays request data to issue a certificate. Send the displayed character string to the CA.
[Save]: Click this button to save the certificate signing request data as a file in your computer.
AU-211P 108
6.3.4 Install a Certificate
In the PageScope Web Connection administrator mode, select the Security
tab, and then "PKI Settings" - "Device Certificate Setting" - [Setting] -
"Install a Certificate".
Ask the CA to issue a certificate, and install the certificate sent from the CA
in the MFP.
Item: Description
Install Certificate: Paste the text data sent from the CA.
[Install]: Click this button to install the certificate.
AU-211P 109
6.3.5 SSL Setting
In the PageScope Web Connection administrator mode, select the Security
tab, and then "PKI Settings" - "SSL Setting".
Item: Description
Mode using SSL/TLS: Select the PageScope Web Connection mode to apply SSL. Select "None" to disable SSL.
Encryption Strength: Specify the SSL encryption strength.
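Before pasting a CA-issued certificate into "Install a Certificate", an administrator can confirm on a workstation that it belongs to the request saved with [Save]. The following is an added example, not part of this guide: it uses the openssl command-line tool, and the file names, the stand-in CA and the subject values are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a CA-issued certificate against the CSR saved from the MFP.
# File names (mfp.csr, issued.pem, ca.pem) are assumptions, not names used by the MFP.

# Returns 0 only if the certificate carries the CSR's public key,
# chains to the given CA certificate, and has not expired.
check_issued_cert() {   # usage: check_issued_cert CSR CERT CA_CERT
    csr_key=$(openssl req -in "$1" -noout -pubkey) || return 4
    crt_key=$(openssl x509 -in "$2" -noout -pubkey) || return 4
    [ "$csr_key" = "$crt_key" ] || { echo "public key does not match the CSR"; return 1; }
    openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 || { echo "does not chain to the CA"; return 2; }
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null || { echo "certificate has expired"; return 3; }
    echo "ok"
}

# Constructed sample data so the check can be tried offline: a stand-in CA,
# a stand-in for the CSR saved from the MFP, the matching issued certificate,
# and a certificate issued for a different key (the mismatch case).
make_samples() {        # usage: make_samples DIR
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.pem" \
        -days 30 -subj "/CN=Example Test CA" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/mfp.key" -out "$d/mfp.csr" \
        -subj "/C=US/O=Example Org/CN=mfp.example.test" 2>/dev/null
    openssl x509 -req -in "$d/mfp.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/issued.pem" -days 30 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/other.key" -out "$d/other.csr" \
        -subj "/CN=other.example.test" 2>/dev/null
    openssl x509 -req -in "$d/other.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/other.pem" -days 30 2>/dev/null
}

# Run the check when called with three file arguments.
if [ "$#" -eq 3 ]; then
    check_issued_cert "$@"
fi
```

A certificate that fails the key check was issued for a different request and should go back to the CA rather than into the MFP.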
AU-211P 110
6.4 Using Device Certificates per Protocol
The MFP that supports this system enables you to use different device
certificates per protocol. Configure settings to fit your
environment.
On the MFP, you can specify the device certificate to be used for each of the
following protocols.
AU-211P 111
Protocol 1 / Protocol 2: Description
SSL / Web Service: When the MFP acts as a Web service server:
• This protocol is used to encrypt communications from Windows Vista to the MFP when Windows Vista accesses the MFP over HTTPS.
S/MIME: This protocol is used to attach a device certificate when sending an S/MIME e-mail.
Detail
• When not using protocol specific device certificates, use the device
certificate that is set to "Default" in "Device Certificate Setting". For
details, refer to "Device Certificate Setting" (page 104).
• You cannot enable this function, which uses protocol specific device
certificates, when a device certificate is not registered or it is only in the
certificate signing request state.
Protocol setting
In the PageScope Web Connection administrator mode, select the Security
tab, and then "PKI Settings" - "Protocol Setting".
Item: Description
Protocol 1/2: Displays the classification for each protocol. If the device certificate is registered, the protocol is marked with *.
AU-211P 112
Item: Description
[Create]: Select the protocol and click [Create]. The device certificate registration page appears, and you can specify the target device certificate. If the device certificate is already registered, [Edit] appears. If [Edit] is clicked, the target device certificate details can be viewed or modified.
[Delete]: If the target device certificate is registered, click this button to delete the registered information.
AU-211P 113
Appendix
7
7 Appendix
Reminder
• Remove this unit from the MFP before cleaning. Loading the USB port
will result in a malfunction.
• Take care so that no water gets into this unit when cleaning. If water gets
into this unit, it will result in a malfunction.
• Do not clean this unit using organic solvent such as benzene or alcohol.
Doing so will result in a malfunction.
• Before disconnecting or connecting this unit, turn the MFP Main Power
off. After 10 seconds or more have lapsed, turn the MFP Main Power on.
Failing to do so may result in a malfunction.
• When connecting or disconnecting the USB cable, hold the plug. Failing
to do so will result in a malfunction.
AU-211P 114
7.3 Troubleshooting
If an error occurs during running, refer to the following.
If any of the above errors recur after taking the specified action, or if other
errors occur, contact your service engineer.
AU-211P 115