Xerox Secure Access Unified ID System Embedded for Xerox EPA-EIP Setup Guide

Software Version 5.3
August 2014
702P03158

Embedded for Xerox EPA-EIP

Setup Guide

©2014 Xerox Corporation. All rights reserved. XEROX® and XEROX and Design®, and Xerox Secure Access

®

Unified ID System

are trademarks of Xerox Corporation in the United States and/or other countries.

Equitrac

®

and Follow-You Printing® are registered trademarks of Nuance Communications.

Document Version: 1.0 (August 2014)

Table of Contents

1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1

About User Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2

About Secure Document Release . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3

Supported MFPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4

Supported Card Readers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4

Magstripe Device Reader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4

Proximity and Contactless Smart Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4

System Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4

Installation and Configuration Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5

Licensing, Server, and MFP Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5

List of Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6

Additional Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8

2 MFP and Server-Side Configuration . . . . . . . . . . . . . . . . . . . . . 2-1

Licensing Embedded Devices. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2

Assigning Licenses to Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2

Configuring Printer Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4

Add a Printer on an Equitrac Printer Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4

Convert an Existing TCP/IP Port to Equitrac Port . . . . . . . . . . . . . . . . . . . . . . . . 2-6

Configuring Physical Devices with the Configuration Wizard . . . . . . . . . . . . 2-9

Enabling Secure Printing on the Queue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-11

Creating Embedded Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-12

Configuring Follow-You Printing® . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-14

Configuring Authentication Prompts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-15

Configuring Card Self-Registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-16

Configuring the MFP for Card Reader Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-17

Registering the EIP Applet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-18

Configuring the MFP Through a Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-19

Enable Custom Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-20

Set the Authentication System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-21

Set Authentication Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-21

Configuring Smart Card Through Xerox Authentication . . . . . . . . . . . . . . . . . . . . 2-24

Refreshing a Domain After Restarting a Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-25

3 User Workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1

Authenticating at a Card Reader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2

Authenticating With a Magnetic Stripe Card . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2

Authenticating with a Proximity or Smart Card . . . . . . . . . . . . . . . . . . . . . . . . . 3-2

Card Reader Status Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3

Idle Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3

Ready Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3

Card Self-Registration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4

Using Follow-You Printing® . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5

Ending a Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6

Copy Enforcement and Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6

Color Quota Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6

Setup Guide iii

Table of Contents Embedded for Xerox EPA-EIP

4 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-i

iv Setup Guide

1

Introduction

To pi cs

About User Authentication

About Secure Document Release

Supported MFPs

Supported Card Readers

System Requirements

Installation and Configuration Requirements

List of Terms

Additional Documentation

This Setup and Administration Guide provides instructions for installing and configuring the Xerox Secure
Access application within an Xerox Secure Access environment.

This chapter includes:

• An overview of the Xerox Secure Access user authentication process

• An overview of the secure document release process

• A list of supported Xerox MFP devices and card readers

• Installation and configuration prerequisites

• A list of unique terms and related documents

Setup Guide 1-1

Introduction Embedded for Xerox EPA-EIP

2. Authentication

request sent to DCE

Card
Reader

5. Request to

unlock device

Database

3. Request to

verify user sent t o

4. User

verification sent

to DCE

1. User enters login ID
at MFP through card

swipe or keypad

MFP

1a. With card swipe

only, card data sent to

MFP

DCE

CAS

1

2

3

5

4

1

About User Authentication

Xerox Secure Access controls access to the print, copy and fax functions of Xerox multi-function product
(MFP) devices by requiring users to enter login credentials, either by using a card or manually entering data
on the MFP front panel. This login action initiates an access request.

The Device Control Engine (DCE) handles all communication with the MFP devices. Using the Authentication
Agent API, the MFP forwards the login request to the DCE, which then contacts the Core Accounting Server
(CAS) to verify the user account data associated with the login ID.

The MFP can be configured to lock all or individual services requiring authentication before use. If the CAS
verifies the user, the MFP device panel unlocks and is ready for use. If the user is not verified, the MFP
remains locked and the user cannot perform any tasks at the device.

Note

Legacy model Xerox MFPs may require an authentication device to make use of serial cards. In this case, the

appropriate authentication device is an additional hardware component that attaches to the card reader
and forwards authorization requests to the DCE.

1-2 Setup Guide

Embedded for Xerox EPA-EIP Introduction

User prints document

in a secure printing

environment

Document is held in

a secure print

Workstation

MFP

Secure Print Queue

1. Doc 1

2. Doc 2
...

1

2

User authenticates

at the MFP

3

Document

list retrieved

5

User accesses the
Follow-You Printing
screen on the front

panel to view

documents in secure

queues

4

About Secure Document Release

If you configure the Core Accounting Server (CAS) to support secure document release, the MFP screen panel
can include a Follow-You Printing screen. This screen displays queued print jobs for the current user, who can
then select one or more jobs, and release or delete them directly from the MFP.

If you enable multi-server Follow-You printing on the CAS, the user can view print jobs on other servers also.
For additional information on multi-server Follow-You Printing
chapter in the

Xerox Secure Access Administration Guide

®

, see the Advanced Printing Configuration

.

The illustration below shows the process flow that occurs after a user submits a print job to a controlled
queue. After sending the print job, the user can access the Follow-You Printing screen on the device panel and
use the Embedded secure document release functions.

Note

When the Follow-You Printing extension is not configured, the Follow-You Printing screens are not available
on the MFP panel and the user cannot select individual jobs for release. Immediately after the user
authenticates, all jobs are released from the local or home server.

Setup Guide 1-3

Introduction Embedded for Xerox EPA-EIP

Supported MFPs

For a list of Xerox Secure Access supported MFP models, visit

http://www.nuance.com/for-business/by-product/equitrac/supported-devices/xerox/index.htm.

Supported MFP models must be EIP-enabled prior to installing the Xerox Secure Access solution. Please
contact your local Xerox Sales Representative for more information.

Supported Card Readers

For a list of Xerox Secure Access supported card readers, visit

http://www.equitrac.com/card_readers.html.

All card readers are preconfigured from the manufacturer and require no further configuration.

To setup the card reader on the MFP, see Configuring Follow-You Printing® on page 14.

Magstripe Device Reader

Xerox Secure Access supports external magnetic stripe reader devices. Users can enter validation data by
swiping an encoded magnetic card through the card reader. The reader reads virtually any standard
magnetic card medium on track 2, and accepts standard or custom encoded data.

Proximity and Contactless Smart Cards

Xerox Secure Access supports HID proximity cards, and Mifare and Legic contactless smart cards. Users can
enter validation data by passing the card within about one inch of the card reader.

System Requirements

To review the system requirements for the machine or machines hosting the Core Accounting Server and
Device Control Engine server components, see the

Guide

.

Xerox Secure Access Unified ID System® Installation

1-4 Setup Guide

Embedded for Xerox EPA-EIP Introduction

Installation and Configuration Requirements

If you have already set up and configured your Xerox Secure Access server, you do not need to install the
basic Xerox Secure Access application; you only need to follow configuration procedures.

For instructions on installing and configuring Xerox Secure Access, see the

System® Installation Guide

Before configuring Xerox Secure Access, you need the following:

• The IP address of the Device Control Engine (DCE) server. You need this address when configuring the
MFP to communicate with the DCE server.

• Administrative access to System Manager. For details, see “Configuring Administrative Access” in the

Xerox Secure Access Administration Guide

and the

Xerox Secure Access Administration Guide.

.

Xerox Secure Access Unified ID

Licensing, Server, and MFP Requirements

To enable the Embedded application, you must have the following:

1. Xerox Secure Access Software

Xerox Secure Access requires configuration of the Core Accounting Server and the MFPs, as described in this
guide.

2. One embedded license per MFP

Each MFP requires an embedded license that is applied in System Manager. For example, if you plan to
control 20 Xerox MFPs, you need to obtain 20 corresponding embedded licenses (enabled for Xerox). See

Licensing Embedded Devices on page 2 for instructions to add licenses to CAS.

3. Supported Xerox MFPs

For a list of supported MFP models, see Supported MFPs on page 4.

Setup Guide 1-5

Introduction Embedded for Xerox EPA-EIP

List of Terms

The following unique terms are used within this guide.

Te rm Description

Alternate Primary PIN A sequence of personal identification numbers that uniquely identifies a user who wants to

release a print job. The alternate primary PIN can be data encoded on a magnetic swipe
card or entered into an MFP keypad.

Authentication The process of entering a primary and optional secondary personal identification number

to gain access to a controlled MFP. Users can authenticate via a card reader, or through the
MFP control panel.

Core Accounting Server
(CAS)

Device Control Engine
(DCE)

Device Routing Engine
(DRE)

Follow-You printing A secure printing feature that holds print jobs in a virtual print queue until the user “pulls”

Follow-You Printing
screen

Multi-server
Follow-You Printing

Network Accounting A feature of the Xerox MFP which automatically tracks print, server fax and copy usage for

The Core Accounting Server is a core component of Xerox Secure Access. This service
controls the accounting database that stores all printer, user, transaction and balance
information. The CAS also verifies users, calculates printing charges and assigns charges to
an appropriate user.

A core component of Xerox Secure Access, the DCE communicates with terminals that
control access to MFPs.

A core component of Xerox Secure Access, the DRE enables document flow from
workstations to output devices. When a job is released, the DRE captures the job
characteristics and communicates the characteristics to the CAS.

the print job to a selected device. A user can select a particular printer when they submit a
print request, then walk to an entirely different compatible MFP and pull the job to that
device.

An additional screens that appears as a custom service on the the MFP when the Follow-You
Printing extension is configured. Users can select one or more jobs from different print
servers.

A secure printing feature that extends the Follow-You functionality to allow users to view
and release secure print jobs from different print servers.

each user. Network accounting is run over a network and the accounting transactions are
performed remotely by

Xerox Secure Access

server software.

Print Tracking The ability to track the attributes of a released network print job. For example, number of

pages, page size, color, etc. You can configure Xerox Secure Access to track printing through
the embedded device or through an Equitrac Port.

Primary PIN A sequence of numbers that act as a user ID to uniquely identify a user who wants to

release a print job. The primary PIN can be entered on the MFP keypad.

Secondary PIN A sequence of numbers that act as a password when used in conjunction with a Primary

PIN. After entering the Primary PIN, the user must enter the Secondary PIN code on a MFP
keypad before the print job is released to a device. Secondary PINs are an optional
configuration.

1-6 Setup Guide

Embedded for Xerox EPA-EIP Introduction

Te rm Description

Secure Document Release
(SDR)

An Xerox Secure Access feature that holds network print jobs in a secure virtual print queue.
Users must authenticate at an MFP to release jobs from the secure queue. The goal of
secure printing is to ensure that proprietary information does not sit at an output device for
public consumption.

Setup Guide 1-7

Introduction Embedded for Xerox EPA-EIP

Additional Documentation

It may be necessary to refer to one of the following documents when performing some server-side
configuration tasks. These documents are located on the Xerox Secure Access product CD’s, and are installed
automatically with any server-side component in the Program Files\Xerox Secure Access\
Access

\Documentation folder.

Guide When to refer to this guide

Xerox Secure Access Installation Guide Use this guide to perform an initial installation or upgrade.

Xerox Secure Access Administration Guide After installing Xerox Secure Access, use this guide to configure

advanced options for use on your campus or in your organization.

Xerox Secure

1-8 Setup Guide

MFP and Server-Side
Configuration

Topi cs

Licensing Embedded Devices

Configuring Printer Ports

Creating Embedded Devices

Configuring Follow-You Printing®

Configuring Follow-You Printing®

Configuring Authentication Prompts

Configuring Card Self-Registration

Configuring the MFP for Card Reader Support

Registering the EIP Applet

Configuring the MFP Through a Web Interface

Configuring Smart Card Through Xerox

Authentication

Refreshing a Domain After Restarting a Device

2

To enable Xerox Secure Access, you must configure the MFPs and the Core Accounting Server (CAS). This
chapter includes instructions for configuring your MFP devices and the
Secure Access.

Setup Guide 2-1

Xerox Secure Access

server for Xerox

MFP and Server-Side Configuration Embedded for Xerox EPA-EIP

Licensing Embedded Devices

The Xerox Secure Access system utilizes a 6 tier licensing structure which allows licenses to be assigned on a
per device basis. The license tiers are as follows:

Authentication – Any time the user approaches a device and authenticates themselves, they are using an
Authentication license. This could be for a PageCounter, ID Controller, Web Release or Embedded device.
Desktop Printing is not considered authentication.

• Licenses are assigned per device where authentication is required.

• Does not require a prerequisite.

Follow-You Printing

it. Includes Web Release, PageCounter, Embedded and ID Controller.

• License are assigned per device where Follow-You Printing is required.

• Requires an Authentication license as a prerequisite.

®

– Allows the user the ability to release a job from a device with this license assigned to

Assigning Licenses to Devices

Licenses must be assigned to each printer that will use that particular feature.

To assign a license, do the following:

1. Open System Manager, and select Licensing in the left pane.

2. Select the Assignment View tab to open the list of all assigned licenses.

3. Expand or right-click the desired license option, and select Add to open the Assign license dialog box.

4. On the Assign license dialog box, select the checkbox for the device(s) to assign the license to.

At the bottom of the dialog box is a counter displaying the number of available licenses and available
devices. These numbers decrease with every license assigned.

5. Click OK after the licenses have been assigned to the desired devices.

2-2 Setup Guide

Embedded for Xerox EPA-EIP MFP and Server-Side Configuration

The devices assigned to the license now display under the selected license option.

To remove an assigned license from a device, right-click the device and select Remove assignment. The
number of used licenses will be adjusted accordingly.

Setup Guide 2-3