Device Manager NX Pro v1.1.2 Security White Paper
Copyright 2015 RICOH Americas Corporation. All rights reserved.
Visit our Knowledgebase at: http://www.ricoh-usa.com/support/knowledge_base.aspx
5/4/2015
Security White Paper for
Device Manager NX Pro
Document version: 1.1.2
Page 2 of 51
NOTICE:
This document may not be reproduced or distributed in whole or in part, for any purpose or in any fashion
without the prior written consent of Ricoh Company Limited. Ricoh Company Limited retains the sole
discretion to grant or deny consent to any person or party.
Copyright © 2015 by Ricoh Company Ltd.
All product names or product illustrations, including desktop images, used in this document are trademarks,
registered trademarks or the property of their respective companies. They are used throughout this book in
an informational or editorial fashion only. Ricoh Company, Ltd. does not grant or intend to grant hereby any
right to such trademarks or property to any third parties. The use of any trade name or web site is not
intended to convey endorsement or any other affiliation with Ricoh products.
The content of this document, and the appearance, features and specifications of Ricoh products are
subject to change from time to time without notice. While care has been taken to ensure the accuracy of
this information, Ricoh makes no representation or warranties about the accuracy, completeness or
adequacy of the information contained herein, and shall not be liable for any errors or omissions in these
materials. The only warranties for Ricoh products and services are as set forth in the express warranty
statements accompanying them. Nothing herein shall be construed as constituting an additional warranty.
Ricoh does not provide legal, accounting or auditing advice, or represent or warrant that our products or
services will ensure that you are in compliance with any law. Customer is responsible for making the final
selection of solution and technical architectures, and for ensuring its own compliance with various laws
such as the Gramm-Leach-Bliley Act, the Sarbanes-Oxley Act and the Health Insurance Portability and
Accountability Act (HIPAA).
DOCUMENT VERSION HISTORY:

| Version | Date of Issue | Revision |
|---|---|---|
| 1.0 | January, 2014 | 1st Release |
| 1.1 | September, 2014 | 2nd Release for Device Manager NX Pro v1.1 |
| 1.1.1 | October, 2014 | 3rd Release for Device Manager NX Pro v1.1.1 |
| 1.1.2 | March, 2015 | 4th Release for Device Manager NX Pro v1.1.2. Revised version of V1.1.1, suitable for DMNX Pro v1.1.x |

Revised Items:

| Chapter | Item | Action |
|---|---|---|
| 2.1.2 | Intranet communication diagram | Added the Windows Phone as a supported mobile platform. |
| 5.1, 5.12, 5.13 | Summary, SNMP Trap, Device Log | Corrected the SNMP Trap port and HTTPS TCP port information. |
| 5.18 | Common | Added information about connections to internal DM database. |
TABLE OF CONTENTS:
1. Introduction
   Target Readers:
2. System
   2.1. Device Manager NX Pro
      2.1.1. Internet communication diagram
      2.1.2. Intranet communication diagram
3. Data Flow
   3.1. Internet communication data flow
   3.2. Intranet communication data flow
4. Access account
   4.1. SNMP Access Account
   4.2. Device Administrator
   4.3. SDK Access Account
5. Protocols and Ports
   5.1. Summary
   5.2. Discovery
   5.3. Device Polling
      5.3.1. Device Polling (Status)
      5.3.2. Device Polling (Tray/Toner Ink)
      5.3.3. Device Polling (Counter)
      5.3.4. Device Polling (Other)
      5.3.5. Device Polling (User Counter)
      5.3.6. Device Polling (Detail Counter)
   5.4. Device-specific Preferences
   5.5. Standard Device Preferences
   5.6. Address Book Preferences
   5.7. Power Mode
   5.8. SDK/J Platform Update
      5.8.1. SDK/J Platform Update (Ricoh Software Server)
      5.8.2. SDK/J Platform Update (Local File)
   5.9. SDK Application
      5.9.1. SDK Application (Ricoh Software Server)
      5.9.2. SDK Application (Local File)
   5.10. Remote Firmware Update
      5.10.1. Remote Firmware Update (Ricoh Software Server)
      5.10.2. Remote Firmware Update (Local File)
   5.11. Log Collection Setting
   5.12. SNMP Trap
   5.13. Device log (Job log, Access log, Eco Log)
   5.14. Reports
   5.15. Notifications
   5.16. Activation/Deactivation
   5.17. Usage Report
   5.18. Common
   5.19. Certificate Management Tool
   5.20. Printer Driver Packager NX
   5.21. @Remote Connector NX
6. General Security Considerations
   6.1. Communication between Device Manager NX Pro and devices
   6.2. Communication between Device Manager NX Pro and Browser
   6.3. Communication between Device Manager NX Pro and other systems
      6.3.1. Ricoh Software Server
      6.3.2. Ricoh Backend Server
      6.3.3. LDAP Server
      6.3.4. Mail Server
      6.3.5. External Database (SQL Server)
      6.3.6. Proxy Server
   6.4. Certificate Management Tool
   6.5. Mobile Application
   6.6. Printer Driver Packager NX
   6.7. @Remote Connector NX
   6.8. Driver Distribution
6. Stored Data
   6.1. Stored Data
7. Services
   7.1. Services
   7.2. Processes
1. Introduction
Device Manager NX Pro is device management software which provides basic remote device
management functions, such as device monitoring, device configuration and software update via a web
browser. Device Manager NX Pro can be used to manage up to 5,000 devices.
This document is designed to describe the product’s functioning with regard to network and data security.
As Ricoh products are designed for use inside an intranet where network clients are protected by firewalls,
they rely heavily on the intranet’s security policies. This document focuses on providing the information
necessary to protect against potential threats from external security risks and help customers to securely
incorporate the Ricoh product into their system.
The details of @Remote Connector NX (Standalone/Option) which links with Device Manager NX Pro are
not described in this document. Please refer to the @Remote Connector NX Security White Paper for
details.
Target Readers:
1. End users, mainly IT administrators: The information contained in this document can be distributed to
end users as long as you follow the restrictions outlined on page 2 of the document.
2. Regional support and marketing staff.
3. Support and marketing staff of Ricoh Sales companies, including Ricoh family group companies and
their subsidiaries.
4. Technical support personnel (CEs) of dealers.
2. System
These diagrams show the general data flow.
2.1. Device Manager NX Pro
2.1.1. Internet communication diagram
[Diagram. Zones: Intranet, Internet. Components: Device Manager NX Pro (Web Server (Jetty), Platform, Database (SQLServer)); Web Browser (IE, Firefox, Safari); Proxy (if enabled); RICOH Software Server; RICOH Backend Server. Link labels: HTTPS, HTTP, HTTP/HTTPS. Functions shown: On-line Activation/Deactivation; SDK App Activation/Deactivation; SDK App Download; SDK/J Platform Download; Firmware Download; Send usage report.]
2.1.2. Intranet communication diagram
The icons shown here for each device category are identical to the icons used by UI.
[Diagram. Components: Device Manager NX Pro (Web Server (Jetty), Platform, Database (SQLServer)); FMAudit Engine; USB Agent; Web Browser (IE, Firefox, Safari); Ricoh devices (current generation); Ricoh devices (previous generation); Ricoh’s GelJet devices; Other Ricoh devices; Ricoh-branded OEM devices; 3rd Party Devices; USB Devices. Link labels: HTTP/HTTPS; SNMP (Standard & Private MIB), HTTP/HTTPS, FTP/SFTP; SNMP (Standard & Private MIB); SNMP (Standard MIB); SNMP.]
Device Manager NX Pro with IIS
[Diagram. Components: Web Server (IIS); Device Manager NX Pro (Web Server (Jetty), Platform, Database (SQLServer)); FMAudit Engine; USB Agent; Web Browser (IE, Firefox, Safari); Ricoh devices (current generation); Ricoh devices (previous generation); Ricoh’s GelJet devices; Other Ricoh devices; Ricoh-branded OEM devices; 3rd Party Devices; USB Devices. Link labels: HTTP/HTTPS; SNMP (Standard & Private MIB), HTTP/HTTPS, FTP/SFTP; SNMP (Standard & Private MIB); SNMP (Standard MIB); SNMP.]
Device Manager NX Pro with external SQL Server
[Diagram. Components: Device Manager NX Pro (Web Server (Jetty), Platform); external Platform with Database (SQLServer); FMAudit Engine; USB Agent; Web Browser (IE, Firefox, Safari); Ricoh devices (current generation); Ricoh devices (previous generation); Ricoh’s GelJet devices; Other Ricoh devices; Ricoh-branded OEM devices; 3rd Party Devices; USB Devices. Link labels: JDBC; HTTP/HTTPS; SNMP (Standard & Private MIB), HTTP/HTTPS, FTP/SFTP; SNMP (Standard & Private MIB); SNMP (Standard MIB); SNMP.]
Device Manager NX Pro with Mobile Application
[Diagram. Components: Device Manager NX Pro (Web Server (Jetty), Platform, Database (SQLServer)); FMAudit Engine; USB Agent; Web Browser (IE, Firefox, Safari); Mobile Application (iOS, Android, Windows Phone); Ricoh devices (current generation); Ricoh devices (previous generation); Ricoh’s GelJet devices; Other Ricoh devices; Ricoh-branded OEM devices; 3rd Party Devices; USB Devices. Link labels: HTTP/HTTPS; SNMP (Standard & Private MIB), HTTP/HTTPS, FTP/SFTP; SNMP (Standard & Private MIB); SNMP (Standard MIB); SNMP.]
Device Manager NX Pro with Certificate Management Tool
[Diagram. Components: Device Manager NX Pro (Web Server (Jetty), Platform, Database (SQLServer)); Web Browser (IE, Firefox, Safari); Certificate Management Tool; Ricoh devices (current generation); SCEP Server. Link labels: HTTP/HTTPS (Device list); HTTP/HTTPS (Certificate); HTTP/HTTPS (Certificate).]
Device Manager NX Pro with the other Ricoh products
[Diagram. Components: Device Manager NX Pro (Web Server (Jetty), Platform, Database (SQLServer)); Web Browser (IE, Firefox, Safari); Printer Driver Packager NX; @Remote Connector NX; @Remote Connector Option. Link labels: HTTP/HTTPS (Package Upload) from Printer Driver Packager NX; HTTP/HTTPS (Device List) from @Remote Connector NX; HTTP/HTTPS from the Web Browser.]
3. Data Flow
3.1. Internet communication data flow
Device Manager NX Pro -> Other system

| Data Flow | Functions | Data |
|---|---|---|
| Device Manager NX Pro -> RICOH Software Server | Activation/Deactivation | Product Key, Lock Code, License File, Country Information |
| | SDK App Activation/Deactivation | Product Key, Lock Code, Product ID, Product Version, Serial Number, Model Name, Country, License File |
| | SDK App Download | SDK Application |
| | SDK/J Platform Download | SDK/J Platform |
| | Firmware Download | Firmware Package |
| Device Manager NX Pro -> RICOH Backend Server | Usage Report | Country; GUID (Product code + lock code); OS; Report Date & Time; Installed Date; Product Name; Product Version; Product Option; Number of devices per vendor; Breakdown of Ricoh devices by generation, model type, etc.; Serial numbers for up to 3 devices (Ricoh devices only, same model*) |

*The target model is selected by choosing the device with the largest number of devices. If multiple devices
of that model exist, the models with the 1st, 2nd, and 3rd largest total counters are selected for inclusion in
the Usage Report.
3.2. Intranet communication data flow
Device Manager NX Pro <--> Device

| Data Flow | Functions | Data |
|---|---|---|
| Device Manager NX Pro without FMAudit Engine -> 3rd Party Devices | Collect device information. | Device’s status, supply, and counter information. |
| Device Manager NX Pro with FMAudit Engine -> 3rd Party Devices | Collect device information. | Device’s status, toner/supply, and counter information. |
| Device Manager NX Pro with FMAudit Engine and USB Agent -> USB Devices | Collect device information. | Device’s status, toner/supply, and counter information. |
| Device Manager NX Pro -> Ricoh-branded OEM devices | Collect device information. | Device’s status, supply, and counter information. |
| Device Manager NX Pro -> Ricoh GelJet devices | Collect device information. | Device’s status, toner/supply, and counter information. |
| Device Manager NX Pro -> Other Ricoh devices | Collect device information. | Device’s status, toner/supply, and counter information. |
| Device Manager NX Pro -> Ricoh previous generation [1] devices | Collect device information. | Device’s status, toner/supply, and counter information. With user counter and detail counter. |
| | Standard Device Preferences | Standard device configuration. |
| | Address book preference | Address book configuration. |
| | Power Mode preference | Power status changes. |
| | SDK/J Platform Update | SDK/J Platform |
| | SDK App Install/Update/Uninstall/Activate | SDK Application, Product ID, Product Version, License File |
| | Firmware update | Firmware |
| | Log Collection setting | Device log collection configuration. (for Job log, Access log) |
| Device Manager NX Pro -> Ricoh current generation [2] devices | Collect the device’s information. | Device’s status, toner/supply, and counter information. With user counter and detail counter. |
| | Standard Device Preferences | Standard device configuration. |
| | Device-Specific Preferences | Device-Specific configuration. |
| | Address book preference | Address book configuration. |
| | Power Mode preference | Power status changes. |
| | SDK/J Platform Update | SDK/J Platform |
| | SDK App Install/Update/Uninstall/Activate | SDK Application, Product ID, Product Version, License File |
| | Remote Firmware Update | Firmware |
| | Log Collection setting | Device log collection configuration. (for Job log, Access log, Eco log) |
| Ricoh previous generation [1] devices -> Device Manager NX Pro | SNMP Trap | Trap signal |
| | Device log receive | Device log data (Job log, Access log) |
| Ricoh current generation [2] devices -> Device Manager NX Pro | SNMP Trap | Trap signal |
| | Device log receive | Device log data (Job log, Access log, Eco log) |

[1] Spring 2011 or earlier models
[2] Autumn 2011 or later models
Device Manager NX Pro -> Other system

| Data Flow | Functions | Data |
|---|---|---|
| Browser -> Device Manager NX Pro | Web UI | UI Data; Uploaded/Downloaded Files (Csv, Images, Firmware, SDK/J platform, Embedded applications, Reports, Driver packages) |
| Mobile Application -> Device Manager NX Pro | Mobile Access | UI Data; Uploaded Files (Images) |
| Device Manager NX Pro -> Database (SQL Server) (including an External SQL Server) | Get/Set Data | Data |
| Device Manager NX Pro -> Mail Server | Notification | SMTP Authentication or POP Authentication; Message of customer definitions; Result of task completion |
| Device Manager NX Pro -> LDAP Server | Authentication for login | LDAP User Account |
| Device Manager NX Pro -> DNS Server | Name resolution | IP Address; Host name |
| Device Manager NX Pro -> Network drive | Reports | Report files (In case that "Save on Disk" is activated as "Delivery Methods" included in report task settings and the network folder is selected as the location where report files will be stored.) |
Certificate Management Tool -> Device Manager NX Pro

| Data Flow | Functions | Data |
|---|---|---|
| Certificate Management Tool -> Device Manager NX Pro | Import device list | Device information |

Certificate Management Tool -> Device

| Data Flow | Functions | Data |
|---|---|---|
| Certificate Management Tool -> Ricoh current generation devices | Certificate Management | CSR, Certificate |

Certificate Management Tool -> SCEP Server

| Data Flow | Functions | Data |
|---|---|---|
| Certificate Management Tool -> SCEP Server | Certificate Management | CSR, Certificate |

Printer Driver Packager NX -> Device Manager NX Pro

| Data Flow | Functions | Data |
|---|---|---|
| Printer Driver Packager NX -> Device Manager NX Pro | Driver distribution | Driver package |

@Remote Connector NX -> Device Manager NX Pro

| Data Flow | Functions | Data |
|---|---|---|
| @Remote Connector NX -> Device Manager NX Pro | Import device list | Device information |
4. Access account
Device Manager NX Pro uses 3 types of access accounts to communicate with devices.
4.1. SNMP Access Account
The following access account is used for SNMP communication:
[Using SNMP V1/V2]
Read community Name (default value is “public”.)
Write community Name (default value is “admin”.)
[Using SNMP V3]
Username (default value is “admin”)
Password (default value is none)
Authentication algorithm [MD5/SHA1] (default value is “MD5”)
Encryption password (default value is none)
Encryption algorithm [DES/AES128] (default value is “DES”)
Context Name (default value is “GWNCS”)
Note: The account must have full device administrator privileges (User Administrator, Machine
Administrator, Network Administrator, and File Administrator)
4.2. Device Administrator
This access account is used for web service (HTTP/HTTPS) communication:
Username (the default value is “admin”)
Password (the default value is blank)
Note: The account must have full device administrator privileges (User Administrator, Machine
Administrator, Network Administrator, and File Administrator)
4.3. SDK Access Account
This access account is used for installing, updating, uninstalling SDK applications and collecting SDK
application information from devices, as well as updating the SDK/J platform.
Password (the default value is “ricoh” and this value is encrypted)
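The default values listed in this chapter can be checked mechanically before devices are enrolled. The audit below is an added example, not part of the Ricoh white paper or product: the profile layout, field names and severity ranking are assumptions for illustration, and the sample profiles are constructed. It flags values left at the listed defaults and derives the effective SNMPv3 security level from which passwords are actually set.

```python
# Added example: audit stored access-account settings against the default
# values listed in chapter 4. Field names and severities are hypothetical.

DEFAULTS = {
    "read_community": "public",
    "write_community": "admin",
    "v3_username": "admin",
    "admin_username": "admin",
    "sdk_password": "ricoh",
}


def snmpv3_level(auth_password, priv_password):
    """Effective SNMPv3 security level; privacy requires authentication."""
    if not auth_password:
        return "noAuthNoPriv"
    if not priv_password:
        return "authNoPriv"
    return "authPriv"


def audit(profile):
    """Return a list of (severity, area, message) findings for one profile."""
    findings = []

    def add(severity, area, message):
        findings.append((severity, area, message))

    snmp = profile.get("snmp", {})
    version = snmp.get("version")
    if version in ("v1", "v2"):
        add("medium", "snmp", "SNMP v1/v2 sends community names unencrypted")
        if snmp.get("read_community") == DEFAULTS["read_community"]:
            add("high", "snmp", "read community name is the default")
        if snmp.get("write_community") == DEFAULTS["write_community"]:
            add("high", "snmp", "write community name is the default")
    elif version == "v3":
        level = snmpv3_level(snmp.get("password"), snmp.get("encryption_password"))
        if level == "noAuthNoPriv":
            add("high", "snmp", "no SNMPv3 password set: requests are unauthenticated")
        elif level == "authNoPriv":
            add("medium", "snmp", "no encryption password set: payloads are not encrypted")
        # An algorithm only matters once the matching password is in use.
        if level != "noAuthNoPriv" and snmp.get("auth_algorithm", "MD5").upper() == "MD5":
            add("medium", "snmp", "authentication algorithm is MD5; SHA1 is also offered")
        if level == "authPriv" and snmp.get("encryption_algorithm", "DES").upper() == "DES":
            add("medium", "snmp", "encryption algorithm is DES; AES128 is also offered")
        if snmp.get("username") == DEFAULTS["v3_username"]:
            add("low", "snmp", "SNMPv3 username is the default")

    admin = profile.get("device_admin", {})
    if not admin.get("password"):
        add("high", "device_admin", "Device Administrator password is blank")
    if admin.get("username") == DEFAULTS["admin_username"]:
        add("low", "device_admin", "Device Administrator username is the default")

    if profile.get("sdk", {}).get("password") == DEFAULTS["sdk_password"]:
        add("high", "sdk", "SDK access account password is the default")
    return findings


# Constructed sample profiles (not real device data).
DEFAULT_V3 = {
    "snmp": {"version": "v3", "username": "admin", "password": "",
             "auth_algorithm": "MD5", "encryption_password": "",
             "encryption_algorithm": "DES"},
    "device_admin": {"username": "admin", "password": ""},
    "sdk": {"password": "ricoh"},
}
DEFAULT_V1 = {
    "snmp": {"version": "v1", "read_community": "public", "write_community": "admin"},
    "device_admin": {"username": "admin", "password": ""},
    "sdk": {"password": "ricoh"},
}
HARDENED = {
    "snmp": {"version": "v3", "username": "dmnx-poll", "password": "constructed-auth-secret",
             "auth_algorithm": "SHA1", "encryption_password": "constructed-priv-secret",
             "encryption_algorithm": "AES128"},
    "device_admin": {"username": "dmnx-admin", "password": "constructed-admin-secret"},
    "sdk": {"password": "constructed-sdk-secret"},
}

if __name__ == "__main__":
    for name, profile in (("default v3", DEFAULT_V3), ("default v1", DEFAULT_V1),
                          ("hardened", HARDENED)):
        print(name)
        for severity, area, message in audit(profile):
            print(f"  [{severity}] {area}: {message}")
```
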
5. Protocols and Ports
Note: IPv6 is supported through the use of hostnames only.
Device Manager NX Pro does not support a NAT environment.
5.1. Summary
Communication with Device

| | Occasion | Communication Direction | Protocol | Port | Notes |
|---|---|---|---|---|---|
| 1 | Collecting and Configuring device information | Device Manager -> Device | SNMP | UDP/161 | |
| | | | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | |
| | | | HTTPS/SOAP | TCP/7443 | Device detail information |
| | | | HTTPS | TCP/51443 | SDK/J |
| | | | FTP or SFTP | TCP/21 or TCP/22 | If the device’s FTP port is closed, still works by using TCP/10021. |
| 2 | Notify device information | Device -> Device Manager | SNMP | UDP/162 | SNMP Trap |
| | | | HTTP or HTTPS | Port Number of the DM Server (default: 9090) or TCP/52443 | Transfer Device Logs |
Communication with external systems

| | Occasion | Communication Direction | Protocol | Port | Notes |
|---|---|---|---|---|---|
| 1 | DNS resolution | Device Manager -> DNS Server | DNS | UDP/53 or TCP/53 | |
| 2 | Authentication | Device Manager -> LDAP Server | LDAP or LDAPS | TCP/Port Number of LDAP Server (default: 389) | |
| 3 | Activation/Deactivation | Device Manager -> Ricoh Software Server | HTTPS | TCP/433 | |
| 4 | Usage reports | Device Manager -> Ricoh Backend Server | HTTP | TCP/80 | |
| 5 | Notification | Device Manager -> Email Server | SMTP or POP | TCP/25 or 110 | |
| 6 | Dispatch files | Device Manager -> Network drive | SMB/CIFS | TCP/445 | Reports |
Common

| | Occasion | Communication Direction | Protocol | Port | Notes |
|---|---|---|---|---|---|
| 1 | Operate UI | Browser -> Device Manager | HTTP or HTTPS | TCP/Port Number of Device Manager (default: 8080) | |
| 2 | with IIS | Browser -> IIS | HTTP or HTTPS | TCP/Port Number of IIS (default: 80) | |
| | | IIS -> Device Manager (Redirect) | HTTP or HTTPS | TCP/Port Number of Device Manager (default: 8080) | |
| 3 | external Database | Device Manager -> Database (SQL Server, Oracle) | JDBC | TCP/Port No of the Database (default: SQL: 1433, Oracle: 1521) | |
Tools

| | Occasion | Communication Direction | Protocol | Port | Notes |
|---|---|---|---|---|---|
| 1 | Certificate Management Tool | Certificate Management Tool -> Device Manager | HTTP or HTTPS | TCP/Port Number of Device Manager (default: 8080) | |
| | | Certificate Management Tool -> Device | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | |
| | | Certificate Management Tool -> SCEP server | HTTP or HTTPS | TCP/80 or TCP/443 | |
Other Ricoh products

| | Occasion | Communication Direction | Protocol | Port | Notes |
|---|---|---|---|---|---|
| 1 | Printer Driver Packager NX | Printer Driver Packager NX -> Device Manager | HTTP or HTTPS | TCP/Port Number of Device Manager (default: 8080) | |
| 2 | @Remote Connector NX | @Remote Connector NX -> Device Manager | HTTP or HTTPS | TCP/Port Number of Device Manager (default: 8080) | Refer to the Security White Paper of @Remote Connector NX |
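The "Communication with Device" rows of this summary can be turned into a review of firewall or flow logs. The script below is an added example, not part of the white paper or product: the IP addresses, the record format and the sample flows are constructed, and only the ports come from the table. It labels each flow between the Device Manager server and the device subnet as documented, documented but cleartext where the table lists an encrypted option, or undocumented.

```python
import ipaddress

# Constructed addressing for this example (assumptions, not from the white paper).
DM_SERVER = ipaddress.ip_address("10.0.0.10")
DEVICE_NET = ipaddress.ip_network("10.0.20.0/24")

# (direction, transport, port) -> (purpose, encrypted option named in the table or None)
# Ports are those listed under "Communication with Device" in section 5.1.
# TCP/9090 is the stated default of a configurable port; adjust it if changed.
DOCUMENTED = {
    ("dm->device", "udp", 161): ("SNMP", None),
    ("dm->device", "tcp", 80): ("HTTP/SOAP", "HTTPS/SOAP on TCP/443"),
    ("dm->device", "tcp", 443): ("HTTPS/SOAP", None),
    ("dm->device", "tcp", 7443): ("HTTPS/SOAP device detail information", None),
    ("dm->device", "tcp", 51443): ("HTTPS SDK/J", None),
    ("dm->device", "tcp", 21): ("FTP", "SFTP on TCP/22"),
    ("dm->device", "tcp", 22): ("SFTP", None),
    ("dm->device", "tcp", 10021): ("used when the device's FTP port is closed", None),
    ("device->dm", "udp", 162): ("SNMP Trap", None),
    ("device->dm", "tcp", 9090): ("device log transfer (default DM Server port)", None),
    ("device->dm", "tcp", 52443): ("device log transfer", None),
}


def direction(src, dst):
    """Map a source/destination pair onto the table's direction column."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s == DM_SERVER and d in DEVICE_NET:
        return "dm->device"
    if s in DEVICE_NET and d == DM_SERVER:
        return "device->dm"
    return None


def classify(record):
    """Classify one 'src,dst,transport,port' record; returns (verdict, detail)."""
    src, dst, transport, port = [field.strip() for field in record.split(",")]
    flow_dir = direction(src, dst)
    if flow_dir is None:
        return ("out-of-scope", "not a Device Manager <-> device flow")
    entry = DOCUMENTED.get((flow_dir, transport.lower(), int(port)))
    if entry is None:
        return ("undocumented", f"{flow_dir} {transport}/{port} is not in the 5.1 device table")
    purpose, encrypted_option = entry
    if encrypted_option:
        return ("cleartext", f"{purpose}; the table also lists {encrypted_option}")
    return ("documented", purpose)


def review(records):
    """Classify every non-comment record; returns (record, verdict, detail) tuples."""
    results = []
    for record in records:
        record = record.strip()
        if not record or record.startswith("#"):
            continue
        verdict, detail = classify(record)
        results.append((record, verdict, detail))
    return results


# Constructed sample flow records: src,dst,transport,port
SAMPLE_FLOWS = """\
# Device Manager -> device
10.0.0.10,10.0.20.15,udp,161
10.0.0.10,10.0.20.15,tcp,80
10.0.0.10,10.0.20.15,tcp,7443
10.0.0.10,10.0.20.15,tcp,21
10.0.0.10,10.0.20.15,tcp,23
# device -> Device Manager
10.0.20.15,10.0.0.10,udp,162
10.0.20.15,10.0.0.10,tcp,52443
10.0.20.15,10.0.0.10,tcp,445
# device -> device
10.0.20.15,10.0.20.16,tcp,9100
""".splitlines()

if __name__ == "__main__":
    for record, verdict, detail in review(SAMPLE_FLOWS):
        print(f"{verdict:13} {record:32} {detail}")
```
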
5.2. Discovery
Network Device without FMAudit Engine

| | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | DNS resolution (Device Manager NX Pro -> DNS Server) | DNS | UDP/53 or TCP/53 | - | Used when selecting “Perform Reverse DNS Lookup” |
| 2 | Collecting device information. (Device Manager NX Pro -> Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name or SNMP V3 access account | Devices with one of the following MIBs can be registered: • sysObjectID • prtGeneralConfigChanges • Ricoh Search Function |
| 3 | Confirming the Device Administrator. (Device Manager NX Pro -> Device) | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | Device Administrator | |
| 4 | Collecting device’s information. Refer to Device Polling. | | | | |

Network Device with FMAudit Engine

| | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | DNS resolution (Device Manager NX Pro -> DNS Server) | DNS | UDP/53 or TCP/53 | - | Used when selecting “Perform Reverse DNS Lookup” |
| 2 | Collecting device information. (Device Manager NX Pro -> 3rd Party Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name | Devices with the following MIBs can be registered: • sysObjectID |
| 3 | Collecting device’s information. Refer to Device Polling. | | | | |
USB Device

| | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | DNS resolution (Device Manager -> DNS Server) | DNS | UDP/53 or TCP/53 | - | Used when selecting “Perform Reverse DNS Lookup” |
| 2 | Collecting device information. (Device Manager NX Pro -> PC) | SNMP | UDP/161 | SNMP V1/V2: The value of Read Community Name is fixed to "Public". | Devices with the following MIBs can be registered: • sysObjectID |
| 3 | Collecting device’s information. Refer to Device Polling. | | | | |
5.3. Device Polling
5.3.1. Device Polling (Status)
Network Device without FMAudit Engine

| | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | Collecting device status information. (Device Manager NX Pro -> Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name or SNMP V3 access account | |

Network Device with FMAudit Engine

| | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | Collecting device status information. (Device Manager NX Pro -> 3rd Party Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name | |

USB Device

| | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | Collecting device status information. (Device Manager NX Pro -> PC) | SNMP | UDP/161 | SNMP V1/V2: The value of Read Community Name is fixed to "Public". | |
5.3.2. Device Polling (Tray/Toner Ink)
Network Device without FMAudit Engine

| | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | Collecting device Tray/Toner Ink information. (Device Manager NX Pro -> Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name or SNMP V3 access account | |
| 2 | Collecting device Toner detail information. (Device Manager NX Pro -> Device) | HTTPS/SOAP | TCP/7443 | - | |

Network Device with FMAudit Engine

| | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | Collecting device Tray/Toner Ink information. (Device Manager NX Pro -> 3rd Party Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community | |

USB Device

| | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | Collecting device Tray/Toner Ink information. (Device Manager NX Pro -> PC) | SNMP | UDP/161 | SNMP V1/V2: The value of Read Community Name is fixed to "Public". | |
5.3.3. Device Polling (Counter)
Network Device without FMAudit Engine

| | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | Collecting device Counter information. (Device Manager NX Pro -> Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name or SNMP V3 access account | |

Network Device with FMAudit Engine

| | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | Collecting device Counter information. (Device Manager NX Pro -> 3rd Party Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name | |

USB Device

| | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | Collecting device Counter information. (Device Manager NX Pro -> PC) | SNMP | UDP/161 | SNMP V1/V2: The value of Read Community Name is fixed to "Public". | |
5.3.4. Device Polling (Other)
Network Device without FMAudit Engine

| | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | Collecting device Other information, such as MAC address, etc. (Device Manager NX Pro -> Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name or SNMP V3 access account | |
| 2 | Collecting DOSS / HDD Encryption information (Device Manager NX Pro -> Device) | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | Device Administrator | |
| 3 | Collecting SDK information and Firmware information (Device Manager NX Pro -> Device) | FTP or SFTP; HTTPS | TCP/20,21 or TCP/Port Number of the Device; TCP/51443 | Device Administrator & SDK access account | FTP/SFTP is used to check for the SDK Platform and Firmware. Disabling FTP on the device does not affect this process. |

Network Device with FMAudit Engine

| | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | Collecting device Other information, such as MAC address, etc. (Device Manager NX Pro -> 3rd Party Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name | |

USB Device

| | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | Collecting device Other information, such as MAC address, etc. (Device Manager NX Pro -> PC) | SNMP | UDP/161 | SNMP V1/V2: The value of Read Community Name is fixed to "Public". | |
5.3.5. Device Polling (User Counter)
Network Device without FMAudit Engine

| | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | Confirming the device’s response. (Device Manager NX Pro -> Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name or SNMP V3 access account | |
| 2 | Collecting User Counter information. (Device Manager NX Pro -> Device) | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | Device Administrator | |
5.3.6. Device Polling (Detail Counter)
Network Device without FMAudit Engine
| # | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | Confirming the device’s response. (Device Manager NX Pro -> Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name or SNMP V3 access account | |
| 2 | Collecting Detail Counter information. (Device Manager NX Pro -> Device) | HTTPS/SOAP | TCP/7443 | - | |
5.4. Device-specific Preferences
| # | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | Confirming the device’s response. (Device Manager NX Pro -> Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name or SNMP V3 access account | |
| 2 | Collecting preference information. (Device Manager NX Pro -> Device) | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | Device Administrator | |
| 3 | Configuring device preferences. (Device Manager NX Pro -> Device) | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | Device Administrator | |
5.5. Standard Device Preferences
| # | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | Confirming the device’s response. (Device Manager NX Pro -> Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name or SNMP V3 access account | |
| 2 | Collecting preference information. (Device Manager NX Pro -> Device) | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | Device Administrator | |
| | | SNMP | UDP/161 | SNMP V1/V2: Read Community Name or SNMP V3 access account | |
| 3 | Configuring device preferences. (Device Manager NX Pro -> Device) | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | Device Administrator | |
| | | SNMP | UDP/161 | SNMP V1/V2: Write Community Name or SNMP V3 access account | |
| 4 | Restarting the device. (Device Manager NX Pro -> Device) | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | Device Administrator | |
5.6. Address Book Preferences
| # | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | Confirming the device’s response. (Device Manager NX Pro -> Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name or SNMP V3 access account | |
| 2 | Collecting Address Book information. (Device Manager NX Pro -> Device) | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | Device Administrator | |
| 3 | Configuring the Address Book. (Device Manager NX Pro -> Device) | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | Device Administrator | |
5.7. Power Mode
| # | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | Confirming the device’s response. (Device Manager NX Pro -> Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name or SNMP V3 access account | |
| 2 | Configuring the power mode. (Device Manager NX Pro -> Device) | SNMP | UDP/161 | SNMP V1/V2: Write Community Name or SNMP V3 access account | |
5.8. SDK/J Platform Update
5.8.1. SDK/J Platform Update (Ricoh Software Server)
| # | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | Download SDK/J Platform. (Device Manager NX Pro -> Ricoh Software Server) | HTTPS | TCP/443 | Retained in Device Manager NX Pro | |
| 2 | Confirming the device’s response. (Device Manager NX Pro -> Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name or SNMP V3 access account | |
| 3 | Confirming the device’s SDK/J Platform (Device Manager NX Pro -> Device) | FTP or SFTP; HTTPS | TCP/20,21 or TCP/Port Number of the Device; TCP/51443 | Device Administrator and SDK access account | If the device’s FTP port is closed, this function still works. |
| 4 | Updating the device’s SDK/J Platform (Device Manager NX Pro -> Device) | HTTPS | TCP/51443 | Device Administrator and SDK access account | |
5.8.2. SDK/J Platform Update (Local File)
| # | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | Confirming the device’s response. (Device Manager NX Pro -> Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name or SNMP V3 access account | |
| 2 | Confirming the device’s SDK/J Platform (Device Manager NX Pro -> Device) | FTP or SFTP; HTTPS | TCP/20,21 or TCP/Port Number of the Device; TCP/51443 | Device Administrator and SDK access account | If the device’s FTP port is closed, this function still works. |
| 3 | Updating the device’s SDK/J Platform (Device Manager NX Pro -> Device) | HTTPS | TCP/51443 | Device Administrator and SDK access account | |
5.9. SDK Application
5.9.1. SDK Application (Ricoh Software Server)
| # | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | Download SDK Application. (Device Manager NX Pro -> Ricoh Software Server) | HTTPS | TCP/443 | Retained in Device Manager NX Pro | |
| 2 | Confirming the device’s response. (Device Manager NX Pro -> Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name or SNMP V3 access account | |
| 3 | Confirming the device’s SDK/J Platform (Device Manager NX Pro -> Device) | FTP or SFTP; HTTPS | TCP/20,21 or TCP/Port Number of the Device; TCP/51443 | Device Administrator and SDK access account | If the device’s FTP port is closed, this function still works. |
| 4 | Installing/Updating/Uninstalling/Activating the device’s SDK App (Device Manager NX Pro -> Device) | HTTPS | TCP/51443 | Device Administrator and SDK access account | |
| 5 | Restarting the device. (Device Manager NX Pro -> Device) | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | Device Administrator | |
5.9.2. SDK Application (Local File)
| # | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | Confirming the device’s response. (Device Manager NX Pro -> Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name or SNMP V3 access account | |
| 2 | Confirming the device’s SDK/J Platform (Device Manager NX Pro -> Device) | FTP or SFTP; HTTPS | TCP/20,21 or TCP/Port Number of the Device; TCP/51443 | Device Administrator and SDK access account | If the device’s FTP port is closed, this function still works. |
| 3 | Installing/Updating/Uninstalling/Activating the device’s SDK App (Device Manager NX Pro -> Device) | HTTPS | TCP/51443 | Device Administrator and SDK access account | |
| 4 | Restarting the device. (Device Manager NX Pro -> Device) | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | Device Administrator | |
5.10. Remote Firmware Update
5.10.1. Remote Firmware Update (Ricoh Software Server)
| # | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | Download Firmware. (Device Manager NX Pro -> Ricoh Software Server) | HTTPS | TCP/443 | Retained in Device Manager NX Pro | |
| 2 | Confirming the device’s response. (Device Manager NX Pro -> Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name or SNMP V3 access account | |
| 3 | Confirming the device’s Firmware Information (Device Manager NX Pro -> Device) | FTP or SFTP | TCP/20,21 or TCP/Port Number of the Device | Device Administrator | If the device’s FTP port is closed, this function still works by using TCP/10021. |
| 4 | Updating the device’s Firmware (Device Manager NX Pro -> Device) | FTP or SFTP | TCP/20,21 or TCP/Port Number of the Device | Device Administrator | If the device’s FTP port is closed, this function still works by using TCP/10021. |
5.10.2. Remote Firmware Update (Local File)
| # | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | Confirming the device’s response. (Device Manager NX Pro -> Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name or SNMP V3 access account | |
| 2 | Confirming the device’s Firmware Information (Device Manager NX Pro -> Device) | FTP or SFTP | TCP/20,21 or TCP/Port Number of the Device | Device Administrator | If the device’s FTP port is closed, this function still works by using TCP/10021. |
| 3 | Updating the device’s Firmware (Device Manager NX Pro -> Device) | FTP or SFTP | TCP/20,21 or TCP/Port Number of the Device | Device Administrator | If the device’s FTP port is closed, this function still works by using TCP/10021. |
5.11. Log Collection Setting
| # | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | Confirming the device’s response. (Device Manager NX Pro -> Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name or SNMP V3 access account | |
| 2 | Collecting log preference information. (Device Manager NX Pro -> Device) | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | Device Administrator | |
| 3 | Configuring device log preferences. (Device Manager NX Pro -> Device) | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | Device Administrator | |
5.12. SNMP Trap
| # | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | Notify SNMP Trap. (Device -> Device Manager NX Pro) | SNMP | UDP/162 | SNMP V1/V2: Trap Community Name or SNMP V3 access account | |
| 2 | Collecting device’s information. Refer to Device Polling (Status). | | | | |
5.13. Device log (Job log, Access log, Eco Log)
| # | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | Notify Device Log. (Device -> Device Manager NX Pro) | HTTP or HTTPS | Port Number of the DM Server (default: 9090) or TCP/52443 | - | HTTPS port is not changeable. |
5.14. Reports
"Save on Disk" is activated as "Delivery Methods".
| # | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | Run Report task | - | - | - | |
| 2 | Save on Disk | SMB/CIFS | TCP/445 | Account who starts up RICOH DMNX Central Manager Service | |
In case that the network folder is selected as the location where report files will be stored.
"Send by Email" is activated as "Delivery Methods".
| # | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | Run Report task | - | - | - | |
| 2 | Send by Email | SMTP or POP | TCP/25 or 110 | SMTP Authentication or Pop Authentication | |
5.15. Notifications
| # | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | Complete tasks. Refer to the following functions: Discovery, Device Polling, Device-specific Preferences, Standard Device Preferences, Address Book Preferences, Power Mode, SDK/J Platform Update, SDK Application, Remote Firmware Update, Log Collection Setting, Configuration Alerts | - | - | - | |
| 2 | Notification | SMTP or POP | TCP/25 or TCP/110 | SMTP Authentication Account or Pop Authentication Account | |
5.16. Activation/Deactivation
Activation/deactivation is internet-based, so this communication must pass through the proxy server, if one
is in use.
| # | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | Confirm the request for Activation/Deactivation. (Device Manager NX Pro -> Ricoh Software Server) | HTTPS | TCP/443 | Retained in Device Manager NX Pro | |
5.17. Usage Report
Usage Reports are internet-based, so this communication must pass through the proxy server, if one is in
use.
| # | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | Transmit usage reports (Device Manager NX Pro -> Ricoh Backend Server) | HTTP | TCP/80 | Retained in Device Manager NX Pro | Device Manager NX Pro does not support direct downloading of update data. |
5.18. Common
Operate UI (including Mobile Access) with Internal Authentication
| # | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | Login (Browser -> Device Manager NX Pro) | HTTP or HTTPS | TCP/Port number of Device Manager NX Pro | Internal User Account | |
| 2 | Operate UI (Browser -> Device Manager NX Pro) | HTTP or HTTPS | TCP/Port number of Device Manager NX Pro | Internal User Account | |
Operate UI (including Mobile Access) with external Authentication
| # | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | Login (Browser -> Device Manager NX Pro) | HTTP or HTTPS | TCP/Port number of Device Manager NX Pro | LDAP User Account | |
| 2 | Authentication (Device Manager NX Pro -> LDAP Server) | LDAP or LDAPS | TCP/Port number of LDAP Server | LDAP User Account | |
| 3 | Operate UI (Browser -> Device Manager NX Pro) | HTTP or HTTPS | TCP/Port number of Device Manager NX Pro | LDAP User Account | |
Operate UI (including Mobile Access) with IIS
| # | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | Login (Browser -> IIS) | HTTP or HTTPS | TCP/Port number of IIS | Internal User Account | |
| 2 | Redirect (IIS -> Device Manager NX Pro) | HTTP or HTTPS | TCP/Port number of Device Manager NX Pro | Internal User Account | |
| 3 | Operate UI (Browser -> IIS) | HTTP or HTTPS | TCP/Port number of IIS | Internal User Account | |
| 4 | Redirect (IIS -> Device Manager NX Pro) | HTTP or HTTPS | TCP/Port number of Device Manager NX Pro | Internal User Account | |
Get/Set Data
| # | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | Get/Set Data (Device Manager NX Pro -> Database (SQL Server)) | JDBC | TCP/Port number of the Database | SQL Server Authentication Account or Windows Authentication Account | |
| 2 | Get/Set Data (Device Manager NX Pro -> Internal database (Derby)) | JDBC | TCP/1527 | Internal User Account | This port is used internally. |
5.19. Certificate Management Tool
| # | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | Import Device List (Certificate Management Tool -> Device Manager NX Pro) | HTTP or HTTPS | TCP/Port number of Device Manager NX Pro | User Account | Certificate Management Tool provides the function to create the self-certificate on the devices. |
| # | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | Import Certificate (Certificate Management Tool -> Device) | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | Device Administrator | |
| 2 | Export Certificate (Certificate Management Tool -> Device) | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | Device Administrator | |
| 3 | Get Status of Certificate (Certificate Management Tool -> Device) | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | Device Administrator | |
| 4 | Delete Certificate (Certificate Management Tool -> Device) | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | Device Administrator | |
Generate and Install Certificate
| # | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | Generate and retrieve CSR from the device (Certificate Management Tool -> Device) | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | Device Administrator | |
| 2 | Enroll with SCEP to generate and download certificate on Certificate Authority server (Certificate Management Tool -> SCEP Server) | HTTP or HTTPS | TCP/80 or TCP/443 | | See the note below this table. |
| 3 | Import Certificate to device (Certificate Management Tool -> Device) | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | Device Administrator | |
| 4 | Get Status of Certificate from device (Certificate Management Tool -> Device) | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | Device Administrator | |
Note: Before using the SCEP linking function, the following two configurations are required on the NDES server.
- Disable password requirements by editing the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP\EnforcePassword\EnforcePassword = 0
- Relax restrictions on IIS when using IIS 7 or 7.5 by executing the following command: %systemroot%\system32\inetsrv\appcmd.exe set config /section:system.webServer/security/requestFiltering /requestLimits.maxQueryString:"3072" /commit:apphost
5.20. Printer Driver Packager NX
| # | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | Printer Driver Packager NX -> Device Manager NX Pro | HTTP or HTTPS | TCP/Port Number of Device Manager NX Pro | User Account | |
5.21. @Remote Connector NX
| # | Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|---|
| 1 | @Remote Connector NX -> Device Manager NX Pro | HTTP or HTTPS | TCP/Port Number of Device Manager NX Pro | User Account | Refer to the Security White Paper of @Remote Connector NX for details. |
6. General Security Considerations
6.1. Communication between Device Manager NX Pro and devices
As devices do not have secure communication enabled by default, communication between Device Manager NX Pro and devices is not encrypted by default. Please configure HTTPS and SNMPv3 settings if secure protocols are required. However, SNMPv3 is not available for collecting detailed information from 3rd party devices with the FMA Engine. For USB devices, please refer to Protocols and Ports.
When Device Manager NX Pro communicates with a device via SSL/TLS (this depends on device configuration), Device Manager NX Pro uses a certificate to encrypt the communication, but does not check the validity of the certificate. Also, importing a device certificate to the PC where Device Manager NX Pro is installed has no effect, as Device Manager NX Pro does not support custom certificates. If a device has both HTTP and HTTPS enabled, HTTPS is used.
Device Manager NX Pro supports the following ciphers/encryption protocols:
- Hash: SHA-2 (SHA-256)
- Public Key: RSA2048
- Common Key: AES256, AES128, or 3TDEA
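An added example (not from the white paper or from Ricoh's software) of what the unencrypted default means for the SNMP V1/V2 flows listed under Protocols and Ports: it decodes the BER header of payloads seen on UDP/161 and reports the SNMP version, whether a community name travels in cleartext, whether that name is a default such as "Public", and for SNMPv3 the security level carried in msgFlags. The sample payloads, the capture labels and the default-community set are constructed assumptions.

```python
# Assumption: treat these as default communities; the page names "Public" for USB devices.
DEFAULT_COMMUNITIES = {b"public", b"private"}
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
V3_LEVELS = {0: "noAuthNoPriv", 1: "authNoPriv", 3: "authPriv"}  # msgFlags bits 0-1

class BerError(ValueError):
    """Raised when a payload is not well-formed BER."""

def read_tlv(buf, pos):
    """Decode one BER element at pos and return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise BerError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length >= 0x80:                    # long form: low 7 bits give the byte count
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise BerError("bad length field")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise BerError("value runs past end of payload")
    return tag, buf[pos:pos + length], pos + length

def classify(payload):
    """Return version, community exposure and SNMPv3 security level for one payload."""
    tag, body, _ = read_tlv(payload, 0)
    if tag != 0x30:
        raise BerError("outer element is not a SEQUENCE")
    tag, raw_version, pos = read_tlv(body, 0)
    if tag != 0x02 or not raw_version:
        raise BerError("missing version INTEGER")
    version = VERSIONS.get(int.from_bytes(raw_version, "big", signed=True), "unknown")
    info = {"version": version, "cleartext_community": False,
            "default_community": False, "v3_level": None}
    if version in ("v1", "v2c"):
        tag, community, _ = read_tlv(body, pos)
        if tag != 0x04:
            raise BerError("missing community OCTET STRING")
        info["cleartext_community"] = True
        info["default_community"] = community.lower() in DEFAULT_COMMUNITIES
    elif version == "v3":
        tag, global_data, _ = read_tlv(body, pos)
        if tag != 0x30:
            raise BerError("missing msgGlobalData SEQUENCE")
        after_size = read_tlv(global_data, read_tlv(global_data, 0)[2])[2]  # skip msgID, msgMaxSize
        tag, flags, _ = read_tlv(global_data, after_size)
        if tag != 0x04 or len(flags) != 1:
            raise BerError("missing msgFlags")
        info["v3_level"] = V3_LEVELS.get(flags[0] & 0x03, "invalid")
    return info

def audit(captures):
    """Map each capture label to a one-line finding; malformed payloads are reported."""
    findings = {}
    for label, payload in captures.items():
        try:
            info = classify(payload)
        except BerError as exc:
            findings[label] = f"malformed: {exc}"
            continue
        if info["cleartext_community"]:
            kind = "default" if info["default_community"] else "custom"
            findings[label] = f"{info['version']} cleartext, {kind} community"
        else:
            findings[label] = f"{info['version']} {info['v3_level'] or ''}".strip()
    return findings

# Everything below builds constructed sample payloads (not captured traffic).
def tlv(tag, value):
    return bytes([tag, len(value)]) + value   # short-form BER element

def _v3(flags):
    header = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x02, b"\x05\xdc")
                 + tlv(0x04, bytes([flags])) + tlv(0x02, b"\x03"))
    return tlv(0x30, tlv(0x02, b"\x03") + header + tlv(0x04, b"") + tlv(0x04, b"\x00" * 8))

_PDU = tlv(0xA0, tlv(0x02, b"\x01") + tlv(0x02, b"\x00") + tlv(0x02, b"\x00") + tlv(
    0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2b06010201010100")) + tlv(0x05, b""))))
SAMPLES = {
    "usb-pc": tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, b"Public") + _PDU),
    "mfp-a": tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, b"dmnx-read-7f3") + _PDU),
    "mfp-b": _v3(0x03),          # authPriv
    "mfp-c": _v3(0x04),          # reportable flag only: noAuthNoPriv
    "cut-short": tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, b"Public"))[:-3],
}

if __name__ == "__main__":
    for label, finding in audit(SAMPLES).items():
        print(f"{label:10} {finding}")
```

A v3 result of noAuthNoPriv is normal for engine discovery messages, so only sustained polling at that level indicates a device configured without authentication and privacy.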
6.2. Communication between Device Manager NX Pro and Browser
As browsers do not have secure communication enabled by default, communication between Device Manager NX Pro and the browser is not encrypted by default. Please configure HTTPS settings in Server Settings if secure protocols are required.
Device Manager NX Pro supports the following certificates:
.cer/.crt, .pem/.der, .csr, .p7b/.p7c
6.3. Communication between Device Manager NX Pro and other systems
6.3.1. Ricoh Software Server
The Ricoh Software Server provides secure communication between Device Manager NX Pro and the Ricoh Software Server. Device Manager NX Pro connects to the following URLs as Ricoh Software Server:
- https://e2-as1.support-download.com
- https://e2-cs2.support-download.com
- https://e2-ds1.support-download.com
- https://support.ricoh.com
6.3.2. Ricoh Backend Server
Ricoh Backend Server does not have secure communication. Please set Usage Report to off if secure protocols are required. You can change this setting in [System > Server Settings > Activation/Usage Report]. Device Manager NX Pro connects to the following URLs as Ricoh Backend Server:
- http://log.app2me.com/
- http://update.app2me.com/
6.3.3. LDAP Server
Select whether or not to use secure communication when connecting to an LDAP Server. Please configure the SSL settings in [System > Server Settings > Networking] if secure protocols are required on the Device Manager NX Pro Server.
6.3.4. Mail Server
Device Manager NX Pro does not support POP3s/IMAP4s/SMTPs (over SSL).
6.3.5. External Database (SQL Server)
Device Manager NX Pro does not support JDBC over SSL. All security information is encrypted.
6.3.6. Proxy Server
Device Manager NX Pro supports the following proxy server authentication:
- Basic
- Digest
- NTLMv1
- NTLMv2
- Kerberos
Device Manager NX Pro behaves according to the Server Settings (port and other settings).
6.4. Certificate Management Tool
Whether the Certificate Management Tool communicates securely with Device Manager NX Pro follows the same setting as Communication between Device Manager NX Pro and Browser.
Whether the Certificate Management Tool communicates securely with the devices follows the same setting as Communication between Device Manager NX Pro and devices.
Communication between the Certificate Management Tool and the SCEP Server is secured by configuring the Certificate Authority server with SSL and configuring the SCEP URL in the Certificate Management Tool to use https.
6.5. Mobile Application
Whether the Mobile Application communicates securely with Device Manager NX Pro follows the same setting as Communication between Device Manager NX Pro and Browser.
The Mobile Application supports trusted CA certificates for SSL connections to Device Manager NX Pro.
6.6. Printer Driver Packager NX
Whether the Printer Driver Packager NX communicates securely with Device Manager NX Pro follows the same setting as Communication between Device Manager NX Pro and Browser.
6.7. @Remote Connector NX
Whether the @Remote Connector NX communicates securely with Device Manager NX Pro follows the same setting as Communication between Device Manager NX Pro and Browser.
6.8. Driver Distribution
When advanced driver browsing is enabled, authorization is required and only LDAP or Kerberos profiles are available. This function is not available for the internal authentication profile.
6. Stored Data
6.1. Stored Data
| Data | Item | Detail |
|---|---|---|
| Device Data | Encryption | Not encrypted. Device Data is stored in the Database (SQL Server). Device Manager NX Pro uses the specific account configured during the installation. |
| | Back-up | Performed by the Database (SQL Server) administrator. |
| | Access Control | DeviceBasicRead: View all information associated with a device; DeviceBasicWrite: Create, update, and delete discovery profiles, polling profiles, and associated tasks; create, update, and delete device groups |
| Device Access Account Data | Encryption | Not encrypted. (Password is encrypted) Access Account Data is stored in the same database as Device Data. |
| | Back-up | Performed by the Database (SQL Server) administrator. |
| | Access Control | DeviceBasicRead: View all information associated with a device; DeviceBasicWrite: Modify device access accounts and custom properties |
| Configuration Data (Template/Task) | Encryption | Not encrypted. (Password is encrypted) Configuration Data is stored in the same database as Device Data. In addition, Address Book Preferences, Device-specific Preferences, SDK Application, SDK/J Platform and Firmware are stored in the repository: <Install Folder>\data\repository\ |
| | Back-up | Performed by the Database (SQL Server) administrator for the Data stored in the SQL Server. Performed by administrator of Device Manager NX Pro for the Data stored in the repository (<Install Folder>\data\repository\). |
| | Access Control | AddressBookRead: View address book entries; AddressBookWrite: Create, update and delete address book entries; DeviceAdvancedRead: View all information associated with a device (including tasks, templates, notifications); DeviceAdvancedWrite: Create, update, and delete device preferences, firmware, SDK platform and embedded applications |
| | Log Entry | Task results are recorded in the Task Logs. |
| System Settings | Encryption | Not encrypted. (Password is encrypted) System Settings are stored in the same database as Device Data. |
| | Back-up | Performed by the Database (SQL Server) administrator. |
| | Access Control | DeviceBasicRead: View all information associated with a device; DeviceBasicWrite: Update email address lists; DMOperation: Device Administrator with access to DM Server Management options; SecurityRead: View security information including roles, users and login profiles; SecurityWrite: Create, update, and delete security information including roles, users and login profiles; SysConfigRead: View system configuration information; SysConfigWrite: Update software configuration (not related to security or devices) |
| | Log Entry | The configuration of system settings is not recorded in the System Logs. |
| Logs (Task, System, Audit and Notification) | Encryption | Not encrypted. The Logs are stored in the same database as Device Data. |
| | Back-up | Performed by the Database (SQL Server) administrator. |
| | Access Control | AuditRead: View the software configuration audit log; AuditWrite: Delete the software configuration audit log; LogDelete: Delete log records; SysConfigRead: View system configuration information |
| Debug Log | Encryption | Plain text. Not Masked. (Password is masked as “*******”.) |
| | Debug Log Collection | Debug Logs collected by RsInfo are: in %ProgramData%/Ricoh/Device Manager NX/logs or %ProgramData%/Ricoh/Rioh Device Manager Pro/logs: debug_core.log (Core Server Log), debug_dm.log (DM Server Log), smartClientServer.log (UI Log), equinox.log (OSGi Log); in %TEMP%/RICOH: installxxx.log (Install/Uninstall Log). * RsInfo is the tool that collects information about the Server/PC on which Ricoh products are installed (e.g. OS information, processes, ports, event logs, SQL server logs, logs of Ricoh products etc.). |
| | Back-up | Not Included in the Database (SQL Server). |
| | Access Control | SysConfigRead: View system configuration information |
| Report Data (Template, Task, File) | Encryption | None. The Report Data is stored in the same database as Device Data. In addition, the report file that is activated by "Save on Application" in the report task settings is stored in Reporting Server: <Install Folder>\data\repository\RS |
| | Back-up | Performed by the Database (SQL Server) administrator. |
| | Access Control | ReportRead: View reports; ReportWrite: Create, update, delete or schedule reports |
| | Log Entry | The result of task execution is recorded in the Report Logs. |
| Report Log | Encryption | Not encrypted. The Report Data is stored in the same database as Device Data. |
| | Back-up | Performed by the Database (SQL Server) administrator. |
| | Access Control | SysConfigRead: View system configuration information |
| Device Log (Job Log, Access Log, Eco Log) | Encryption | Not encrypted. The Eco Log Data is stored in the same database as Device Data. The Job Log and Access Log Data are stored in the internal DB (Derby) on Device Manager NX Pro. |
| | Back-up | Eco Log: Performed by the Database (SQL Server) administrator. Job Log, Access Log: Performed by Windows Administrator on the server. |
| | Access Control | SysConfigRead: View system configuration information |
| Driver Package Data | Encryption | Not encrypted. Driver Package Data is stored in the same database as Device Data. In addition, Driver Packages are stored in the repository: <Install Folder>\data\repository\ |
| | Back-up | Performed by the Database (SQL Server) administrator. |
| | Access Control | DeviceBasicRead: View driver packages information; DeviceAdvancedWrite: Create, update and delete driver packages. |
Passwords in Stored Data are encrypted with the following algorithm: Blowfish 128bit
Password is masked as “*******”.
7. Services
7.1. Services
The following services are registered.
| Name | Description | Startup type | Working on |
|---|---|---|---|
| RICOH DMNX Central Manager Service | This service provides the functions in the Web UI. This service communicates with RICOH DMNX Device Manager Service. This service also communicates via HTTP(s) with the Ricoh Data Center to retrieve and apply software, firmware and SDK application updates. | Automatic | Device Manager NX Pro installed PC |
| RICOH DMNX Device Manager Service | This service monitors the status of connected devices. This service communicates with the connected devices via HTTP(s) and SNMP. | Automatic | Device Manager NX Pro installed PC |
| USB Agent [3] | To communicate with USB-connected devices, the RICOH DMNX Device Manager Service communicates with this service via SNMP to retrieve information about the attached devices. | Automatic | FMA Agent installed PC |
[3] The USB Agent needs to be running on customer client desktops.
7.2. Processes
The following processes are created by Device Manager NX Pro.
| Name | Description | Created by |
|---|---|---|
| corewrapper.exe | This process is created by the RICOH DMNX Central Manager Service after the customer installs the components of Device Manager NX Pro. | RICOH DMNX Central Manager Service |
| java.exe | This process is created by corewrapper.exe. | RICOH DMNX Central Manager Service |
| dmwrapper.exe | This process is created by the RICOH DMNX Device Manager Service after the customer installs the components of Device Manager NX Pro. | RICOH DMNX Device Manager Service |
| java.exe | This process is created by the dmwrapper.exe. | RICOH DMNX Device Manager Service |
| fmaagent.exe | This process is created by the USB Agent Service after the customer installs the USB Agent. | USB Agent Service |