HP JetAdvantage Security Manager User Manual

Technical white paper
HP JetAdvantage Security Manager
Release Notes v3.5
Contents
Overview
Key Features
What’s New in Security Manager 3.5?
Features and Usability Improvements
New Policy Items and policy changes
New Devices Supported
Fixes
Software Notes and Known Issues
Installation
Installation Notes
Supported Operating Systems and Databases
Operating Systems
Hardware Requirements
Notes
VMware and Hypervisor Support
Requirements
Solutions
Network Port Assignments
Ports diagram
Appendix A
Release History
Appendix B
Links to HP Security Manager Whitepapers
Overview
Announcing HP JetAdvantage Security Manager 3.5, the latest release of the industry’s first policy-based solution that helps you increase security, strengthen compliance, and reduce risk across your imaging and printing fleet. With Security Manager, you can gain control of your fleet by enabling an effective, policy-based approach to securing HP imaging and printing devices. Through the intuitive and intelligent security policy editor, you can easily create a custom and comprehensive device security policy that is suited for your specific environment.
A Security Manager Base Policy template is provided as a great place to begin creation of a custom security policy or to use as is, if appropriate, as a baseline security policy for your environment. You can schedule the Assess and Remediate task to execute on a daily, weekly or monthly basis to monitor the print environment for settings that do not comply with the chosen security policy, and then automatically return those settings to the policy-specific state. In addition, the Security Manager Instant-On Security feature can place your HP imaging and printing device into the desired security state, as soon as it is attached to the network. The Instant-On Security feature is also invoked when the device is cold-reset or changes IP addresses.
Security Manager also offers a Fleet Certificate Management solution. This feature eliminates the manually deployed, singular device, network certificate implementation process and replaces it with an automatic, fleet based, security policy centered method of certificate management. By using this feature, you can easily replace the default device self-signed certificate with an authorized Certificate Authority (CA) signed certificate and manage it for validity, expiration, and revocation. Implemented as an extension of the Security Manager policy editor, this solution handles network certificate management as a background task like any other Security Manager assessment and remediation.
Key Features
The Security Manager Instant-On Security feature allows supported devices to automatically locate
the Security Manager server and receive your company approved device security policy as soon as the device is attached to the network. Instant-On Security then maintains policy-based compliance during device resets and address changes.
The Security Manager Policy Editor allows print administrators with minimal security knowledge, as
well as experienced security administrators, to build a valid, comprehensive security policy to deploy across the HP imaging and printing fleet. The Policy Editor provides security setting intelligence through basic definition, recommendations, validations and constraints to ensure creation of a valid policy. A Security Manager Base Policy template is provided as a great place to begin creation of a custom policy or to use as is, if appropriate, as a baseline policy for your environment.
Security Manager can be scheduled to assess and remediate devices on a daily, weekly or monthly
occurrence. When configured in this fashion, Security Manager automatically assesses your fleet for its current setting and returns non-compliant settings to the desired state of the security policy used in the assessment. Unlike other management tools, Security Manager only fixes what is out of compliance, then it reports on exactly what was out of compliance that had to be remediated. This is valuable in understanding where vulnerabilities exist in your environment.
The Security Manager Certificate Management solution replaces a manual, highly interactive network
certificate deployment process with an automated policy-based solution that deploys and manages network certificates like any other assessed and remediated Security Manager device security setting. Automated fleet deployment of Certificate Authority (CA) signed certificates to accommodate encrypted printing, 802.1x protected network authentication and other print environment related encryption/authentication needs is now possible with this solution.
What’s New in Security Manager 3.5?
Features and Usability Improvements
110979/109115 Migration to .NET 4.8. The old .NET 3.5 is no longer needed.
103558 Added account lockout due to invalid password. Account lockout is now configurable in the
web.config file (the already existing option AutoLogOut can be enabled in the same file).
109620 Added Malay and Spanish localization
109219 SMB2 and SMB3 can now be disabled via the expanded policy item SMB/CIFS (Shared
Folder)
109711/110863 Additional Ciphers have been added to the policy item Web Encryption Settings or
Active Ciphers
109226/111922 Added support for Chromium based Microsoft Edge 79 or higher
110094 Added support for using System Name in the From Address for the Outgoing E-mail (SMTP)
policy item under Shared Items
110519 HPSM services can run as a local user
110991 Changed default timeouts and retries to EAPRetry = 1, snmpRequestTimeout = 5000 and
timeBetweenEapRetry= 1000
108681 Added support for licenses with different end-dates in UI.
10560/110010 Support for Device level assessment of remediation history and alerts on device
level and in dashboard.
109851 HPSM will be using the asset identifier from the pfirmware.glf to find the corresponding
firmware level for a device.
109827 Added Advanced option for the filter creation.
107944 Added CA Certificate support for Zebra devices
110675 Added ID Certificate support for Zebra devices
109211 Installer now contains SQL Express 2019
109706 HPSM installer now asks for credentials before creating/updating the Database
109461 Added option under Settings, General to automatically delete devices which have status: network connection error for x number of days.
109260 Added configuration options in the hpsm_service.exe.config to either add a device with
same IP address or hostname or to overwrite a device with the same IP address or
hostname
111029 EST (Enrollment over Secure Transport) certificate management added. This is currently in beta and based upon RFC 7030
108834 Qualys Service Integration (beta)
109615 The words “Use Default Credentials” have been changed into “Specify Credentials” for the
Email Server Settings
109667 InstallDBrmt.bat script has been renamed into:
InstallOrUpgradeRemoteDB.bat
The InstallSQLScripts.zip file now contains a Readme_InstallSqlScripts.txt
110580 The term Alerts has been renamed into Alert Subscriptions
New Policy Items and policy changes
1009779 E-mail domain restriction
109207 The configuration option Digital Send has been renamed into Job Behavior
109514 Descriptions to prevent email spoofing have been improved in the policy item Outgoing
E-mail (SMTP)
110762 The configuration option System logging has been renamed into Syslog (System logging)
110802 All links to existing whitepapers have been added to the HPSM built-in help
110781 The Group filter option has been renamed into Group membership and all the filter options
are now working
111467 DAT log files are now using same time settings as other HPSM log files, thus local time
instead of UTC time
110826/109247 Added descriptive comments for configurable parameters in HPSM configuration
file and improved existing descriptions
109029 Renamed Jet Advantage Link into HP Workpath (HP Jetadvantage)
111342 The names of the configuration options for Stored Data PIN Protections options are now in sync with Futuresmart 4 and the word Temporary has been added to Retain Print Jobs After Reboot and Job Storage Limit.
111502 IRM Authentication has been added into HPSM and the descriptions for existing HPAC
authentications have been updated.
New Devices Supported
HP Color LaserJet Enterprise M554
HP Color LaserJet Enterprise M555
HP Color LaserJet Enterprise MFP M578
HP DesignJet T650 24-in
Managed devices:
HP Color LaserJet Managed MFP E77428
HP LaserJet Managed MFP E72535
HP LaserJet Managed MFP E72430
Fixes
109070 Performance issues/DB growth is no longer occurring when policy change notification is
enabled.
109917 Web mail can now be configured in the HPSM UI for Automated report Settings as it’s no
longer required to fill in a Domain.
110353 Application Event Log is no longer showing “incorrect syntax near ‘)’” during nightly maintenance when Remove historic data is set to x number of days.
109614 It’s now possible to Save Email server settings and unable to Send Test Email without user
credentials
109961 HPSM no longer hangs on the Export page, with CPU possibly going to 100%, when you enter a long or invalid email address.
109907 HPSM is now accepting an email address which contains a plus sign (+)
110997 When SNMPv3 credentials are wrong HPSM will no longer attempt twice with the
wrong credentials during verify
110998 When SNMPv3 credentials are wrong HPSM will no longer try 6 times to attempt to set 3 OIDs
111369 Parent Tasks marked as completed if there is any exception while getting data from
the DB
109860 The default setting for Delete Rule has been changed from No Action to Cascade for the foreign keys such as FK984CDE507E9133 for RecToReasonsTable, which prevents intermittent Stale database Errors
110549 Performance when remediating EWS password while device is set to SNMP read-only has been improved
111167 Instant on will now also use the global credentials if the device specific credentials are
not valid for the device
112394 HP Devices which have SNMPv3 configured and SNMPv1 disabled will no longer end
up in credentials error during discovery/verify/remediation.
110990 After manually importing devices into a group, the number of devices in the group now matches the discovery list.
110918 HPSM can now install certificate on Z9 when CSR Source is set to HPSM
109215 HPSM can now remediate SNMP settings on a LJM404 with secure if SNMPv3
configuration is available in the policy.
111591 When Hostname Resolution is disabled, Manual discovery will no longer perform a
hostname resolution
109614 Email server settings can now be saved without specifying user credentials
109917 Webmail servers can now be used for Automated report settings as domain field is no longer
required
111180 HPSM can now configure SNMPv3 settings (username remains empty) on HP LaserJet 400
MFP M425
109274 When applying an SNMPv3-only policy, HPSM no longer indicates unable to remediate with SNMPv1 credential error when the device is configured with SNMPv3 only.
111738 ID certificate installation using Venafi SCEP service is now downloading the certificate from
the Venafi SCEP server correctly.
111368 Syslog Server IP is now removed from a device during remediation of a policy with syslog
disabled.
Software Notes and Known Issues
111911 The groups pane on the left might show a different number of devices for the same group which is listed in the main window/pane. This can happen even after hitting the Refresh button for the groups section (left pane) and after hitting the Refresh button for devices screen (right pane). Workaround: run the following script on the HPSM database:
use HPIPSC
--Delete unused DeviceNodeIdentity entries
Delete from dbo.DeviceToDeviceNodeIdenityTable where Device_ID not in (select ID from DeviceTable where state=2)
113300 The manual maintenance script and nightly maintenance are not making the
recommendations table smaller. This will be fixed in HPSM 3.6. Workaround: see 112833
112833 Nightly maintenance task is failing due to too many parameters (in HPSM_Service.log file: The incoming request has too many parameters. The server supports a maximum of 2100 parameters). This will be fixed in HPSM 3.6. Workaround for 113300 and 112833: run the following script regularly (weekly/biweekly) on the HPSM database:
USE HPIPSC ; -- HPSM database name
DECLARE @X INT=1;
DECLARE @DeleteOlderThan INT=10; -- Days. Records older than this day will be deleted
WAY:
SELECT TOP 10000 * into #NEWTABLE FROM (
    SELECT rec.ID AS recID, rToret.KEY_ID as rToretID, rt.ID AS rtID, rvt.ID as rvtID,
           rTorv.ID AS rTorvID, rTorat.KEY_ID AS rToratKEY_ID, rat.ID AS ratID,
           av.ID AS avID, raTop.ID AS raTopID
    FROM dbo.RecommendationTable rec
    LEFT OUTER JOIN dbo.RecToReasonsTable rToret ON rToret.KEY_ID = rec.ID
    LEFT OUTER JOIN dbo.ReasonTable rt ON rt.ID = rToret.Reason
    LEFT OUTER JOIN dbo.ReasonToReasonValuesTable rTorv ON rTorv.ID = rt.ID
    LEFT OUTER JOIN dbo.ReasonValueTable rvt ON rvt.ID = rTorv.ReasonValue_ID
    LEFT OUTER JOIN dbo.RecToRecommendationActionsTable rTorat ON rTorat.KEY_ID = rec.ID
    LEFT OUTER JOIN dbo.RecommendationActionTable rat ON rat.ID = rTorat.RecommendationAction
    LEFT OUTER JOIN dbo.AssessmentValueTable av ON av.ID = rat.ActionValue_REF
    LEFT OUTER JOIN dbo.RecActionsToParametersTable raTop ON raTop.ID = rat.ID
    where rec.Date < getdate()- @DeleteOlderThan
       Or rec.AssessmentAndPolicyUniqueID NOT IN (
            select distinct dal.assessmentAndPolicyUniqueID as uniqueID
            from dbo.DeviceAssessmentLogTable dal
            where dal.State = 2 )
) as Sub1
--select count (*) from #NEWTABLE
DELETE a FROM dbo.RecToRecommendationActionsTable a INNER JOIN #NEWTABLE B ON a.KEY_ID= B.rToratKEY_ID
DELETE a FROM dbo.RecToReasonsTable a inner join #NEWTABLE B on a.KEY_ID = B.rToretID
DELETE a FROM dbo.RecommendationTable a inner join #NEWTABLE B on a.ID = B.recID
DELETE a FROM dbo.ReasonToReasonValuesTable a inner join #NEWTABLE B on a.ID = B.rTorvID
DELETE a FROM dbo.ReasonTable a inner join #NEWTABLE B on a.ID = B.rtID
DELETE a FROM dbo.ReasonValueTable a inner join #NEWTABLE B on a.ID = B.rvtID
DELETE a FROM dbo.RecActionsToParametersTable a inner join #NEWTABLE B on a.ID = B.raTopID
DELETE a FROM dbo.RecommendationActionTable a inner join #NEWTABLE B on a.ID = B.ratID
DELETE a FROM dbo.AssessmentValueTable a inner join #NEWTABLE B on a.ID = B.avID
SET @X = (select count (*) from #NEWTABLE)
drop table #NEWTABLE
IF @X=10000 GOTO WAY;
107960 An assessment or assessment and remediation task for HP Designjet Z3200ps 24in Photo, HP DesignJet Z2600 PostScript, HP Designjet Z6600 and HP Designjet T7100 devices will fail even though the device is supported by HPSM. This issue is under investigation by HP.
112215 HPSM shows status as ERROR when remediating an HP Futuresmart printer with a policy which includes disk encryption status after performing a partial clean on the device with USB drive inserted. This is under investigation.
112383 HPSM built-in help for Admin (EWS) password does not mention that Admin (EWS) password is also supported for Zebra devices
112029 Some HPSM Configuration values are not updated after upgrade. HPSM 3.5 has the following new default settings:
PolicyChangeNotification is now disabled
EAPRetry = 1
snmpRequestTimeout = 5000
timeBetweenEapRetry = 1000
During an upgrade the PolicyChangeNotification will always be disabled, regardless of its value in 3.4. If this doesn’t match the desired behavior, change the settings in the hpsm_service.exe.config file and restart the HPSM service.
112349 Unable to remediate SNMPv3 settings with a policy which disables SNMPv1, enables SNMPv3 with a non-complex passphrase, while the device was enforcing strong encryption for SNMPv3 before the policy was applied. After attempting this combination the device will end up in credentials error with SNMPv1 and SNMPv3 disabled. Workaround: always use a complex passphrase in the policy for SNMPv3. This issue will be fixed in a future release of HPSM.
112301 When the user switches the language from a non-English language to a different non-English language, the fonts and styles do not load properly.
Resolution: Refresh the browser or open HPSM in a new browser tab.
109548 The HPSM installer uses PowerShell script files (CheckIISInstalled.ps1 and IISInstall.ps1) to install HPSM. HPSM installation will fail to correctly install HPSM if local security policies do not allow unsigned PowerShell script files to run. Resolution: temporarily allow unsigned PowerShell script files to run during HPSM installation.
110914 Unable to install ID certificate on DesignJet T790 and Z6 when the device is set to a non-English language. The following error message will be visible: "The certificate request returned from the printer was empty". This is caused by a firmware limitation. Resolution: Change the language of the device to English before installing the ID certificate with HPSM.
112568 HPSM will not send an email after finishing a remediation task if one of the devices in the group has network connection error. Instead the task details will show: Error while sending automated email. Invalid email address. This issue does not occur on new installations.
111092 HPSM cannot install an ID certificate on T790 and T1300 which have an HP JetDirect 640N. This issue is under investigation.
Older versions of Web Jetadmin may not have assigned rights for Network Service to use its self-signed certificate. If so, Instant on Reflection will fail if attempting to add Instant On discovered devices to that Web Jetadmin installation. Manually assign rights for Network Service to use the self-signed certificate to resolve.
The Email Summary Remediation report sent via email claims devices are remediating successfully when they are powered down and cannot be remediated.
Upgrades from version 2.1.2 directly to version 3.1 or beyond are not supported and will result in
tasks being unable to run. Upgrade to version 2.1.4 or 2.1.5 first from version 2.1.2 before upgrading to version 3.1 or beyond.
A locked policy automatically becomes unlocked after 2 hours.
For better representation of pages, maximum recommended zoom is 150%.
For the Web Encryption Strength individual ciphers, a device status can display as Network Connection
Error if the device is verified after applying a policy with RC4-SHA and RC4-MD5 ciphers enabled. In order to ensure communication between a server and client, both sides need to have the same set of supported ciphers. If a device is set to use RC4-SHA/RC4-MD5 as the active ciphers after remediation,
but the operating system doesn’t support these ciphers, a Network Connection Error will be displayed.
RC4-SHA and RC4-MD5 are considered weak ciphers and are not supported in the operating system.
DesignJet devices do not allow device guest permission to be configured from Security Manager under
Role Based Access Control if the devices are not configured with an Admin password.
If a Policy has Subject Alternate names (SANs) enabled with a Domain name entered to include the
Universal Printer name (UPN) as a SAN, the UPN is sent as ‘username@domainName’ to DNS. This is
not accepted by an OpenTrust CA.
If browser security level is set to High, Security Manager will not be able to perform any file related
operations in IE until the security level is set to any other stage.
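For the Web Encryption Strength note above (RC4-SHA / RC4-MD5 and Network Connection Error), the following is an added example, not HP code, that checks on the HPSM server whether the operating system offers the matching cipher suites before such a policy is applied. The mapping from the policy cipher names to the Windows Schannel suite names is the standard one; the Get-TlsCipherSuite cmdlet is only present on newer Windows versions, which the script accounts for.

```powershell
# Added example (not part of the HP release notes or product).
# Policy cipher name (OpenSSL-style) -> Windows Schannel cipher suite name.
$policyToSchannel = [ordered]@{
    'RC4-SHA' = 'TLS_RSA_WITH_RC4_128_SHA'
    'RC4-MD5' = 'TLS_RSA_WITH_RC4_128_MD5'
}

if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
    # Names of all cipher suites Schannel is configured to offer on this machine.
    $offered = (Get-TlsCipherSuite).Name

    $report = foreach ($entry in $policyToSchannel.GetEnumerator()) {
        [pscustomobject]@{
            PolicyCipher  = $entry.Key
            SchannelSuite = $entry.Value
            OfferedByOS   = $offered -contains $entry.Value
        }
    }
    $report | Format-Table -AutoSize

    if (-not ($report.OfferedByOS -contains $true)) {
        # No common cipher: a device left with only these ciphers active
        # cannot complete a TLS handshake with this server.
        Write-Warning ('This OS offers none of the RC4 suites. A device whose only ' +
                       'active ciphers are RC4-SHA/RC4-MD5 will show Network Connection Error.')
    }
    # Caveat: a suite listed here can still be switched off by Schannel
    # registry or Group Policy settings, so treat "True" as "possibly usable".
}
else {
    Write-Warning 'Get-TlsCipherSuite is not available on this OS; review the Schannel cipher configuration manually.'
}
```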
Installation
The Security Manager software is provided as a universal installation executable that is compatible with all supported operating systems. Installation options include a full local install or a full local install with a remote database option. For proper Security Manager installation and operation, specific Microsoft software must be present.
The requirements are listed below:
Microsoft .NET Framework 4.8.
Microsoft SQL Server Database
Microsoft Internet Information Services (IIS) - (part of installation script)
If these are not present on the system, the installation process installs some of the required software. This includes the option to install the Microsoft SQL Server Express 2019 database which is bundled with the product.
Note: SQL Express 2019 is not supported on all operating systems. When using an operating system on which SQL 2019 is not supported, you must manually install an older version of SQL (Express) before starting the HPSM installer.
Installation Notes
The browser-based interface requires Internet Information Services (IIS) in order to operate. The installer
will verify that IIS is enabled with the proper settings enabled and will offer to enable the proper settings if desired. The Installation Guide specifies the proper IIS setting to be enabled if it is desired to perform manually. If the installer fails to set some of the IIS settings, it may be necessary to configure them manually. Since the installer is attempting to enable IIS, it may prompt for a machine restart.
The browser-based interface is set to use port 7637 by default during installation. Security Manager is
launched in a browser as such: https://localhost:7637. If it is desired to change this port, it can be changed by editing the bindings for the HPSM web site under IIS Manager.
The browser-based interface offers the ability to use an existing server certificate or to create a self-signed certificate during installation. The self-signed certificate allows the data to be encrypted between client and server, while an existing server certificate not only encrypts data but also provides trust that the server is who it says it is. IIS will always search for and bind the server certificate in the personal store of the computer account. An identity certificate needs to be of the type “Server Authentication” in order to provide trust.
The browser-based interface supports Microsoft Internet Explorer, Google Chrome and Microsoft Edge
Chromium based. The following settings may need to be configured on certain machines or operating systems if Security Manager is having difficulty loading:
o Internet Explorer may require the “Display intranet sites in Compatibility View” box to be unchecked
under Compatibility View Settings if the login screen for Security Manager is not appearing.
o Internet Explorer may require the “Bypass proxy server for local addresses” box to be checked under
Internet Options, Connections, LAN Settings if the login screen for Security Manager is not appearing.
o Windows 10 may require HTTP2 to be disabled in the browser if Security Manager continually logs out
the user.
Newer versions of Google Chrome may require the following technique to disable HTTP2:
Launch Chrome with HTTP/2 disabled through the Run prompt.
Open the Run prompt and type "chrome.exe --disable-http-2"
Open the registry and add two new parameters:
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\EnableHttp2Cleartext DWORD 0
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\EnableHttp2Tls DWORD 0
Based on the system state, in some cases, installation/uninstallation prompts for a system restart. This is caused by the MS Installer seeing a particular value present in the registry. A workaround rather than rebooting is to change an entry available in the registry:
o HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
This entry needs to be deleted if it exists.
Users need to be re-added to the HPIPSC group after software upgrade.
Licenses need to be re-loaded if the operating system is upgraded.
Licenses need to be re-added if the database is being restored from 2014 to 2016 SQL Express.
The Security Manager service must have the proper permissions to access the Security Manager service
database. If the service and database are installed on the same computer, the installation process manages the assignment of database permissions. If the service and the database are installed on separate computers, you must configure the correct permissions for the remote database. For complete Security Manager installation information, see the Security Manager Installation and Setup Guide at www.hp.com/go/securitymanager. Also see the whitepaper titled “HP JetAdvantage Security Manager - Using Microsoft® SQL Server” for more information.
If a firewall is installed on the computer on which the Security Manager service runs, and the service will be accessed from the user interface on a remote computer, the firewall must be set to allow access to the service. The older Security Manager service listens on port 8002, which must be opened in the firewall to allow remote access to the service. The new browser-based interface listens on port 7637 by default. If you do not want to allow remote access to the Security Manager web service for either version, then you can block the respective ports with a firewall.
For complete uninstallation, all the HPSM installation files/folders should be closed before uninstalling.
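For the server certificate note above (IIS binds a certificate from the personal store of the computer account, and it must be of the type “Server Authentication”), the following is an added example, not HP code, that lists which certificates in that store are usable for the HPSM web site. The 30-day expiry warning window and the use of the default port 7637 for the binding lookup are assumptions of this example.

```powershell
# Added example (not part of the HP release notes or product).
# Run in an elevated PowerShell session on the HPSM server.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # EKU OID for "Server Authentication"
$warnDays      = 30                    # assumption: flag certificates expiring within 30 days
$now           = Get-Date

$report = Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Collect the EKU OIDs, if the certificate carries an EKU extension at all.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekuOids = @($ekuExt | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })

    # A certificate without an EKU extension is not restricted to any purpose;
    # report it separately instead of silently treating it as Server Authentication.
    $ekuState = if (-not $ekuExt)                         { 'NoEkuExtension' }
                elseif ($ekuOids -contains $serverAuthOid) { 'ServerAuth' }
                else                                       { 'OtherPurposeOnly' }

    $valid = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        ExpiresSoon   = $cert.NotAfter -lt $now.AddDays($warnDays)
        HasPrivateKey = $cert.HasPrivateKey
        Eku           = $ekuState
        # Self-signed certificates encrypt traffic but give clients no trust anchor.
        SelfSigned    = $cert.Subject -eq $cert.Issuer
        # Usable for the HPSM site: private key present, inside its validity
        # period, and marked for Server Authentication.
        Usable        = $cert.HasPrivateKey -and $valid -and ($ekuState -eq 'ServerAuth')
    }
}

$report | Sort-Object NotAfter | Format-Table Subject, NotAfter, ExpiresSoon, HasPrivateKey, Eku, SelfSigned, Usable -AutoSize

# Show which certificate hash is currently bound to the HPSM port
# (assumption: the site still uses the default port 7637).
netsh http show sslcert | Select-String -Pattern ':7637' -Context 0,2
```

Compare the Certificate Hash line printed by netsh with the Thumbprint column to confirm that the bound certificate is one of the rows marked Usable.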
Supported Operating Systems and Databases
Operating Systems
Client and Server
Windows 8
Windows 8.1
Windows 10
Microsoft Server 2008 R2
Microsoft Server 2012
Microsoft Server 2012 R2
Microsoft Server 2016
Microsoft Server 2019
Note: Windows 7 SP1 is no longer tested. Therefore, it is no longer officially supported but can be
used at customer’s own risk. Also, only 64-bit operating systems are tested.
Tested Browsers
Microsoft Internet Explorer 11 and greater
Google Chrome v70.0 and greater
Microsoft Edge, Chromium based, version 79 and greater
.NET Versions
Recommended: .NET 4.8
IIS Versions
Recommended: 7.5 or newer.
Tested Databases
Microsoft SQL Server Express 2014
Microsoft SQL Server 2016
Microsoft SQL Server 2017
Microsoft SQL Server Express 2019 (bundled with HPSM 3.5 installer)
HP Jet Advantage Security Manager requires a Microsoft SQL database to store data. For customers who do not have their own full SQL Server or do not want to use a SQL license, Security Manager bundles a recent version of SQL Server Express that can be installed and used if desired. Since organizations usually upgrade SQL Server less often than operating systems, older versions may be used for quite some time, especially if the applications accessing SQL don't use the features added to the new SQL versions. While Security Manager only tests the two most recent SQL versions at the time of release, there should be no issues using older or newer SQL versions as Security Manager uses basic calls into the SQL database that would be supported by virtually all SQL releases.
Backward and forward compatibility should be present, there just isn’t capacity to test the multitude of SQL
versions offered over the years.
Hardware Requirements
Server minimum hardware
CPU: Dual-core processor or greater – 2.33 GHz or greater
RAM: 64-bit systems – Minimum 8 GB
STORAGE: Minimum of 4 GB
Client minimum hardware
CPU: PC with 1.8 GHz or greater processor
RAM: 64-bit systems – 4 GB or greater
The following hardware requirements are recommended, especially with the inclusion of IIS for the web-based interface. Microsoft recommends quad core processors and 10 GB RAM for IIS.
Recommended Server Hardware
CPU: 4 or more processor cores – 2.8GHz or higher processor speed
RAM: 64-bit systems – 12 GB or greater
STORAGE – 4 GB or greater
Notes
Connecting to a remote database is made possible through the install process. See the whitepaper titled “HP JetAdvantage Security Manager - Using Microsoft® SQL Server” for more information.
After upgrading to Security Manager 3.1 and beyond from earlier versions, existing policies must be
opened in the policy editor and saved to be compatible with Security Manager 3.1.
Before any upgrade or machine restart, it is required that no tasks are in running state. Otherwise, the
tasks will remain in the database in a running state.
For better performance, it is recommended to start new tasks only after the completion of the current
task. For example, launch verification task only after the discovery task is complete.
VMware and Hypervisor Support
Security Manager is supported in VMware and Hyper-V with the Windows versions listed previously.
Requirements
The Supported Operating Systems and Databases listed above, are also supported in VMware and Hyper-V environments. Hyperthreading is optional for VMware and Hyper-V. Reserve memory is required for Hyper-V.
Note 1:
If installing Security Manager on a VMware instance, you must use the hardware (MAC) address of that virtual adapter during the ordering of the license file. Be aware that VMware dynamically generates the virtual adapter MAC address and does not guarantee it will remain static during session restarts or power toggling. If the MAC address changes, the print license service will fail to operate properly. Refer to VMware help documentation for instructions on how to configure a static MAC address or how to change the modified MAC address back to original.
Note 2:
Importing a license file might fail on VMware VMs. Resolution: reboot the virtual machine.
Note 3:
SQL 2017 or 2019 is recommended on VMware as testing with older versions and partially disabled TLS settings did show random database connectivity issues.
Solutions
When used with third party solutions or any print or management solution requiring access to the device, the Security Manager Base Policy template, or any template defined to meet the security standards for a company, might require changes to the security settings. See the solution documentation to determine whether policy changes are required to accommodate specific functionality. Care should be taken when creating policies as to not disrupt the operation of any solutions that may be installed on devices.
NOTE: Testing a small number of devices in a sandbox or test environment when solutions are present on
devices is highly recommended before applying settings to a fleet as undesired behavior may occur with certain settings on certain solutions. Solutions may fail to install/operate, or potentially even worse behavior can occur on devices, when some settings are applied to devices with solutions present.
Security settings that have been known to affect either the installation or operation of solutions include:
DNS server configured
SNMP GET Community Name (Read Community Name) required for installation and configuration
EWS password required for installation and configuration
Command Load & Execute enabled
PJL Access Commands enabled
Remote Firmware Updates enabled
Allow PJL Access enabled
PJL Password not set
Legacy Firmware Upgrades enabled (Current versions of firmware are signed with the SHA-256
hashing algorithm. Enabling this option allows installation of legacy firmware signed with the less secure SHA-1 algorithm)
Control Panel Timeout
Please see the whitepaper titled “HP JetAdvantage Security Manager - Policy Editor Settings” for more detailed information regarding settings for solutions.
Network Port Assignments
This section lists the ports used by Security Manager.
Port | Protocol | Service | Notes
Client to Server
7637 (version 3.0+) | TCP | HTTPS | Port set during installation to be used to secure data between client and HPSM server via browser. This port may be changed to something else by editing bindings for the HPSM web site under IIS Manager. HPSM versions 3.0 and beyond.