
Device Manager NX Pro v1.1.2 Security White Paper

Security White Paper for Device Manager NX Pro

Document version: 1.1.2

5/4/2015

Copyright 2015 RICOH Americas Corporation. All rights reserved.

Visit our Knowledgebase at: http://www.ricoh-usa.com/support/knowledge_base.aspx


NOTICE:

This document may not be reproduced or distributed in whole or in part, for any purpose or in any fashion without the prior written consent of Ricoh Company Limited. Ricoh Company Limited retains the sole discretion to grant or deny consent to any person or party.

Copyright © 2015 by Ricoh Company Ltd.

All product names or product illustrations, including desktop images, used in this document are trademarks, registered trademarks or the property of their respective companies. They are used throughout this book in an informational or editorial fashion only. Ricoh Company, Ltd. does not grant or intend to grant hereby any right to such trademarks or property to any third parties. The use of any trade name or web site is not intended to convey endorsement or any other affiliation with Ricoh products.

The content of this document, and the appearance, features and specifications of Ricoh products are subject to change from time to time without notice. While care has been taken to ensure the accuracy of this information, Ricoh makes no representation or warranties about the accuracy, completeness or adequacy of the information contained herein, and shall not be liable for any errors or omissions in these materials. The only warranties for Ricoh products and services are as set forth in the express warranty statements accompanying them. Nothing herein shall be construed as constituting an additional warranty.

Ricoh does not provide legal, accounting or auditing advice, or represent or warrant that our products or services will ensure that you are in compliance with any law. Customer is responsible for making the final selection of solution and technical architectures, and for ensuring its own compliance with various laws such as the Gramm-Leach-Bliley Act, the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act (HIPAA).

DOCUMENT VERSION HISTORY:

Version  Date of Issue    Revision
1.0      January, 2014    1st Release
1.1      September, 2014  2nd Release for Device Manager NX Pro v1.1
1.1.1    October, 2014    3rd Release for Device Manager NX Pro v1.1.1
1.1.2    March, 2015      4th Release for Device Manager NX Pro v1.1.2
                          Revised version of V1.1.1, suitable for DMNX Pro v1.1.x

Revised Items:

Chapter          Item                            Action
2.1.2            Intranet communication diagram  Added the Windows Phone as a supported mobile platform.
5.1, 5.12, 5.13  Summary, SNMP Trap, Device Log  Corrected the SNMP Trap port and HTTPS TCP port information.
5.18             Common                          Added information about connections to internal DM database.

TABLE OF CONTENTS:

1. Introduction
Target Readers:
2. System
2.1. Device Manager NX Pro
2.1.1. Internet communication diagram
2.1.2. Intranet communication diagram
3. Data Flow
3.1. Internet communication data flow
3.2. Intranet communication data flow
4. Access account
4.1. SNMP Access Account
4.2. Device Administrator
4.3. SDK Access Account
5. Protocols and Ports
5.1. Summary
5.2. Discovery
5.3. Device Polling
5.3.1. Device Polling (Status)
5.3.2. Device Polling (Tray/Toner Ink)
5.3.3. Device Polling (Counter)
5.3.4. Device Polling (Other)
5.3.5. Device Polling (User Counter)
5.3.6. Device Polling (Detail Counter)
5.4. Device-specific Preferences
5.5. Standard Device Preferences
5.6. Address Book Preferences
5.7. Power Mode
5.8. SDK/J Platform Update
5.8.1. SDK/J Platform Update (Ricoh Software Server)
5.8.2. SDK/J Platform Update (Local File)
5.9. SDK Application
5.9.1. SDK Application (Ricoh Software Server)
5.9.2. SDK Application (Local File)
5.10. Remote Firmware Update
5.10.1. Remote Firmware Update (Ricoh Software Server)
5.10.2. Remote Firmware Update (Local File)
5.11. Log Collection Setting
5.12. SNMP Trap
5.13. Device log (Job log, Access log, Eco Log)
5.14. Reports
5.15. Notifications
5.16. Activation/Deactivation
5.17. Usage Report
5.18. Common
5.19. Certificate Management Tool
5.20. Printer Driver Packager NX
5.21. @Remote Connector NX
6. General Security Considerations
6.1. Communication between Device Manager NX Pro and devices
6.2. Communication between Device Manager NX Pro and Browser
6.3. Communication between Device Manager NX Pro and other systems
6.3.1. Ricoh Software Server
6.3.2. Ricoh Backend Server
6.3.3. LDAP Server
6.3.4. Mail Server
6.3.5. External Database (SQL Server)
6.3.6. Proxy Server
6.4. Certificate Management Tool
6.5. Mobile Application
6.6. Printer Driver Packager NX
6.7. @Remote Connector NX
6.8. Driver Distribution
6. Stored Data
6.1. Stored Data
7. Services
7.1. Services
7.2. Processes

1. Introduction

Device Manager NX Pro is device management software which provides basic remote device management functions, such as device monitoring, device configuration and software update via a web browser. Device Manager NX Pro can be used to manage up to 5,000 devices.

This document is designed to describe the product’s functioning with regard to network and data security. As Ricoh products are designed for use inside an intranet where network clients are protected by firewalls, they rely heavily on the intranet’s security policies. This document focuses on providing the information necessary to protect against potential threats from external security risks and help customers to securely incorporate the Ricoh product into their system.

The details of @Remote Connector NX (Standalone/Option) which links with Device Manager NX Pro are not described in this document. Please refer to the @Remote Connector NX Security White Paper for details.

Target Readers:

1. End users, mainly IT administrators: The information contained in this document can be distributed to end users as long as you follow the restrictions outlined on page 2 of the document.
2. Regional support and marketing staff.
3. Support and marketing staff of Ricoh Sales companies, including Ricoh family group companies and their subsidiaries.
4. Technical support personnel (CEs) of dealers.

2. System

These diagrams show the general data flow.

2.1. Device Manager NX Pro

2.1.1. Internet communication diagram

[Figure: Internet communication diagram. Intranet side: Device Manager NX Pro (Web Server (Jetty), Platform, Database (SQL Server)), Web Browser (IE, Firefox, Safari) over HTTP/HTTPS, Proxy (if enabled). Internet side: RICOH Software Server, RICOH Backend Server. Link labels: HTTPS, HTTP. Functions shown: On-line Activation/Deactivation, SDK App Activation/Deactivation, SDK App Download, SDK/J Platform Download, Firmware Download, Send usage report.]

2.1.2. Intranet communication diagram

The icons shown here for each device category are identical to the icons used by UI.

[Figure: Intranet communication diagram. Device Manager NX Pro (Web Server (Jetty), Platform, Database (SQL Server), FMAudit Engine) and a Web Browser (IE, Firefox, Safari) over HTTP/HTTPS. Device categories: Ricoh devices (current generation), Ricoh devices (previous generation), Ricoh’s GelJet devices, Other Ricoh devices, Ricoh-branded OEM devices, 3rd Party Devices, USB Devices (via USB Agent). Link labels: SNMP (Standard & Private MIB), HTTP/HTTPS, FTP/SFTP; SNMP (Standard & Private MIB); SNMP (Standard MIB); SNMP.]

Device Manager NX Pro with IIS

[Figure: Device Manager NX Pro with IIS. Same components and device categories as the intranet communication diagram, with a Web Server (IIS) added; HTTP/HTTPS labels appear on the Web Browser and Web Server (IIS) links. Other link labels: SNMP (Standard & Private MIB), HTTP/HTTPS, FTP/SFTP; SNMP (Standard & Private MIB); SNMP (Standard MIB); SNMP.]

Device Manager NX Pro with external SQL Server

[Figure: Device Manager NX Pro with external SQL Server. Same components and device categories as the intranet communication diagram, with the Database (SQL Server) shown on a second Platform and a link labelled JDBC. Other link labels: HTTP/HTTPS (Web Browser); SNMP (Standard & Private MIB), HTTP/HTTPS, FTP/SFTP; SNMP (Standard & Private MIB); SNMP (Standard MIB); SNMP.]

Device Manager NX Pro with Mobile Application

[Figure: Device Manager NX Pro with Mobile Application. Same components and device categories as the intranet communication diagram, with a Mobile Application (iOS, Android, Windows Phone) added over HTTP/HTTPS. Other link labels: SNMP (Standard & Private MIB), HTTP/HTTPS, FTP/SFTP; SNMP (Standard & Private MIB); SNMP (Standard MIB); SNMP.]

Device Manager NX Pro with Certificate Management Tool

[Figure: Device Manager NX Pro with Certificate Management Tool. Components: Device Manager NX Pro (Web Server (Jetty), Platform, Database (SQL Server)), Web Browser (IE, Firefox, Safari), Certificate Management Tool, Ricoh devices (current generation), SCEP Server. Link labels: HTTP/HTTPS (Device list); HTTP/HTTPS (Certificate); HTTP/HTTPS (Certificate).]

Device Manager NX Pro with the other Ricoh products

[Figure: Device Manager NX Pro with the other Ricoh products. Components: Device Manager NX Pro (Web Server (Jetty), Platform, Database (SQL Server), @Remote Connector Option), Web Browser (IE, Firefox, Safari) over HTTP/HTTPS, Printer Driver Packager NX, @Remote Connector NX. Link labels: Printer Driver Packager NX, HTTP/HTTPS (Package Upload); @Remote Connector NX, HTTP/HTTPS (Device List).]

3. Data Flow

3.1. Internet communication data flow

Device Manager NX Pro -> Other system

Data Flow                       Functions                     Data
Device Manager NX Pro           Activation/Deactivation       Product Key, Lock Code, License File,
-> RICOH Software Server                                      Country Information
                                SDK App                       Product Key, Lock Code, Product ID,
                                Activation/Deactivation       Product Version, Serial Number, Model
                                                              Name, Country, License File
                                SDK App Download              SDK Application
                                SDK/J Platform Download       SDK/J Platform
                                Firmware Download             Firmware Package

Device Manager NX Pro           Usage Report                  Country
-> RICOH Backend Server                                       GUID (Product code + lock code)
                                                              OS
                                                              Report Date & Time
                                                              Installed Date
                                                              Product Name
                                                              Product Version
                                                              Product Option
                                                              Number of devices per vendor
                                                              Breakdown of Ricoh devices by generation,
                                                              model type, etc.
                                                              Serial numbers for up to 3 devices
                                                              (Ricoh devices only, same model*)

*The target model is selected by choosing the device with the largest number of devices. If multiple devices of that model exist, the models with the 1st, 2nd, and 3rd largest total counters are selected for inclusion in the Usage Report.

3.2. Intranet communication data flow

Device Manager NX Pro <--> Device

Data Flow                       Functions                     Data
Device Manager NX Pro           Collect device information.   Device’s status, supply, and counter information.
without FMAudit Engine
-> 3rd Party Devices

Device Manager NX Pro           Collect device information.   Device’s status, toner/supply, and counter information.
with FMAudit Engine
-> 3rd Party Devices

Device Manager NX Pro           Collect device information.   Device’s status, toner/supply, and counter information.
with FMAudit Engine and USB
Agent
-> USB Devices

Device Manager NX Pro           Collect device information.   Device’s status, supply, and counter information.
-> Ricoh-branded OEM devices

Device Manager NX Pro           Collect device information.   Device’s status, toner/supply, and counter information.
-> Ricoh GelJet devices

Device Manager NX Pro           Collect device information.   Device’s status, toner/supply, and counter information.
-> Other Ricoh devices

Device Manager NX Pro           Collect device information.   Device’s status, toner/supply, and counter information.
-> Ricoh previous generation[1]                               With user counter and detail counter.
devices                         Standard Device Preferences   Standard device configuration.
                                Address book preference       Address book configuration.
                                Power Mode preference         Power status changes.
                                SDK/J Platform Update         SDK/J Platform
                                SDK App Install/Update/       SDK Application, Product ID, Product Version,
                                Uninstall/Activate            License File
                                Firmware update               Firmware
                                Log Collection setting        Device log collection configuration.
                                                              (for Job log, Access log)

Device Manager NX Pro           Collect the device’s          Device’s status, toner/supply, and counter information.
-> Ricoh current generation[2]  information.                  With user counter and detail counter.
devices                         Standard Device Preferences   Standard device configuration.
                                Device-Specific Preferences   Device-Specific configuration.
                                Address book preference       Address book configuration.
                                Power Mode preference         Power status changes.
                                SDK/J Platform Update         SDK/J Platform
                                SDK App Install/Update/       SDK Application, Product ID, Product Version,
                                Uninstall/Activate            License File
                                Remote Firmware Update        Firmware
                                Log Collection setting        Device log collection configuration.
                                                              (for Job log, Access log, Eco log)

Ricoh previous generation[1]    SNMP Trap                     Trap signal
devices                         Device log receive            Device log data (Job log, Access log)
-> Device Manager NX Pro

Ricoh current generation[2]     SNMP Trap                     Trap signal
devices                         Device log receive            Device log data (Job log, Access log, Eco log)
-> Device Manager NX Pro

[1] Spring 2011 or earlier models
[2] Autumn 2011 or later models

Device Manager NX Pro -> Other system

Data Flow                       Functions                     Data
Browser -> Device Manager NX    Web UI                        UI Data
Pro                                                           Uploaded/Downloaded Files (Csv, Images, Firmware,
                                                              SDK/J platform, Embedded applications, Reports,
                                                              Driver packages)

Mobile Application -> Device    Mobile Access                 UI Data
Manager NX Pro                                                Uploaded Files (Images)

Device Manager NX Pro ->        Get/Set Data                  Data
Database (SQL Server)
(including an External SQL
Server)

Device Manager NX Pro -> Mail   Notification                  SMTP Authentication or POP Authentication
Server                                                        Message of customer definitions
                                                              Result of task completion

Device Manager NX Pro ->        Authentication for login      LDAP User Account
LDAP Server

Device Manager NX Pro -> DNS    Name resolution               IP Address
Server                                                        Host name

Device Manager NX Pro ->        Reports                       Report files
Network drive                                                 (In case that "Save on Disk" is activated as
                                                              "Delivery Methods" included in report task settings
                                                              and the network folder is selected as the location
                                                              where report files will be stored.)

Certificate Management Tool -> Device Manager NX Pro

Data Flow                       Functions                     Data
Certificate Management Tool     Import device list            Device information
-> Device Manager NX Pro

Certificate Management Tool -> Device

Data Flow                       Functions                     Data
Certificate Management Tool     Certificate Management        CSR, Certificate
-> Ricoh current generation
devices

Certificate Management Tool -> SCEP Server

Data Flow                       Functions                     Data
Certificate Management Tool     Certificate Management        CSR, Certificate
-> SCEP Server

Printer Driver Packager NX -> Device Manager NX Pro

Data Flow                       Functions                     Data
Printer Driver Packager NX      Driver distribution           Driver package
-> Device Manager NX Pro

@Remote Connector NX -> Device Manager NX Pro

Data Flow                       Functions                     Data
@Remote Connector NX            Import device list            Device information
-> Device Manager NX Pro

4. Access account

Device Manager NX Pro uses 3 types of access accounts to communicate with devices.

4.1. SNMP Access Account

The following access account is used for SNMP communication:

[Using SNMP V1/V2]
  Read community Name (default value is “public”.)
  Write community Name (default value is “admin”.)

[Using SNMP V3]
  Username (default value is “admin”)
  Password (default value is none)
  Authentication algorithm [MD5/SHA1] (default value is “MD5”)
  Encryption password (default value is none)
  Encryption algorithm [DES/AES128] (default value is “DES”)
  Context Name (default value is “GWNCS”)

Note: The account must have full device administrator privileges (User Administrator, Machine Administrator, Network Administrator, and File Administrator)

4.2. Device Administrator

This access account is used for web service (HTTP/HTTPS) communication:

  Username (the default value is “admin”)
  Password (the default value is blank)

Note: The account must have full device administrator privileges (User Administrator, Machine Administrator, Network Administrator, and File Administrator)

4.3. SDK Access Account

This access account is used for installing, updating, uninstalling SDK applications and collecting SDK application information from devices, as well as updating the SDK/J platform.

  Password (the default value is “ricoh” and this value is encrypted)
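
The defaults listed in 4.1 to 4.3 are the values most likely to survive unchanged in a deployment. The following is an added example, not part of the Ricoh white paper or product: a Python check that reports which settings in an access profile still match those documented defaults. The profile layout, field names and sample profiles are assumptions constructed for illustration, and an unset field is assumed to fall back to the documented default.

```python
"""Added example: report access-account settings that still match the defaults
documented in sections 4.1-4.3. The profile layout and field names are
assumptions for this sketch, not the product's configuration schema."""

# Default values exactly as listed in sections 4.1 (SNMP), 4.2 (Device
# Administrator) and 4.3 (SDK Access Account). "" stands for none/blank.
DOCUMENTED_DEFAULTS = {
    "snmp_v1v2": {"read_community": "public", "write_community": "admin"},
    "snmp_v3": {
        "username": "admin",
        "password": "",
        "auth_algorithm": "MD5",
        "encryption_password": "",
        "encryption_algorithm": "DES",
    },
    "device_admin": {"username": "admin", "password": ""},
    "sdk": {"password": "ricoh"},
}

# The other option section 4.1 lists for each algorithm setting.
DOCUMENTED_ALTERNATIVE = {"MD5": "SHA1", "DES": "AES128"}

SECRET_FIELDS = {"read_community", "write_community", "password",
                 "encryption_password"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def severity(field):
    """Default secrets rank highest, default algorithms next, usernames last."""
    if field in SECRET_FIELDS:
        return "high"
    if field.endswith("_algorithm"):
        return "medium"
    return "low"


def audit_profile(profile):
    """Return (severity, account, field) for every setting left at its default.

    Assumption: a field missing from a configured account falls back to the
    documented default, so it is reported as well.
    """
    findings = []
    for account, defaults in DOCUMENTED_DEFAULTS.items():
        settings = profile.get(account)
        if settings is None:
            continue  # this account type is not used by the profile
        for field, default in defaults.items():
            value = settings.get(field, default)
            if field.endswith("_algorithm"):
                value = value.upper()  # accept "sha1" as well as "SHA1"
            if value == default:
                findings.append((severity(field), account, field))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1], f[2]))


def describe(finding):
    """Render one finding as a report line."""
    level, account, field = finding
    default = DOCUMENTED_DEFAULTS[account][field]
    shown = repr(default) if default else "none/blank"
    hint = ""
    if default in DOCUMENTED_ALTERNATIVE:
        hint = f" (documented alternative: {DOCUMENTED_ALTERNATIVE[default]})"
    return f"[{level}] {account}.{field} is still the default {shown}{hint}"


# Constructed sample profiles; the non-default values are placeholders.
SAMPLE_PROFILES = {
    "factory": {"snmp_v1v2": {}, "device_admin": {}, "sdk": {}},
    "partial-v3": {
        "snmp_v3": {"username": "dmnx-poll", "password": "placeholder-1",
                    "auth_algorithm": "sha1"},
    },
    "hardened": {
        "snmp_v3": {"username": "dmnx-poll", "password": "placeholder-1",
                    "auth_algorithm": "SHA1",
                    "encryption_password": "placeholder-2",
                    "encryption_algorithm": "AES128"},
        "device_admin": {"username": "admin", "password": "placeholder-3"},
        "sdk": {"password": "placeholder-4"},
    },
}

if __name__ == "__main__":
    for name, profile in SAMPLE_PROFILES.items():
        print(name)
        for finding in audit_profile(profile):
            print("  " + describe(finding))
```
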

5. Protocols and Ports

Note: IPv6 is supported through the use of hostnames only.

Device Manager NX Pro does not support NAT environments.

5.1. Summary

Communication with Device

    Occasion                Communication Direction   Protocol       Port                      Notes
1   Collecting and          Device Manager -> Device  SNMP           UDP/161
    Configuring device                                HTTP/SOAP or   TCP/80 or TCP/443
    information                                       HTTPS/SOAP
                                                      HTTPS/SOAP     TCP/7443                  Device detail information
                                                      HTTPS          TCP/51443                 SDK/J
                                                      FTP or SFTP    TCP/21 or TCP/22          If the device’s FTP port is closed,
                                                                                               still works by using TCP/10021.
2   Notify device           Device -> Device Manager  SNMP           UDP/162                   SNMP Trap
    information                                       HTTP or HTTPS  Port Number of the DM     Transfer Device Logs
                                                                     Server (default: 9090)
                                                                     or TCP/52443

Communication with external systems

    Occasion                Communication Direction   Protocol       Port                      Notes
1   DNS resolution          Device Manager -> DNS     DNS            UDP/53 or TCP/53
                            Server
2   Authentication          Device Manager -> LDAP    LDAP or LDAPS  TCP/Port Number of LDAP
                            Server                                   Server (default: 389)
3   Activation/Deactivation Device Manager -> Ricoh   HTTPS          TCP/433
                            Software Server
4   Usage reports           Device Manager -> Ricoh   HTTP           TCP/80
                            Backend Server
5   Notification            Device Manager -> Email   SMTP or POP    TCP/25 or 110
                            Server
6   Dispatch files          Device Manager ->         SMB/CIFS       TCP/445                   Reports
                            Network drive

Common

    Occasion                Communication Direction   Protocol       Port                      Notes
1   Operate UI              Browser -> Device Manager HTTP or HTTPS  TCP/Port Number of Device
                                                                     Manager (default: 8080)
2   with IIS                Browser -> IIS            HTTP or HTTPS  TCP/Port Number of IIS
                                                                     (default: 80)
                            IIS -> Device Manager     HTTP or HTTPS  TCP/Port Number of Device
                            (Redirect)                               Manager (default: 8080)
3   external Database       Device Manager ->         JDBC           TCP/Port No of the
                            Database (SQL Server,                    Database (default:
                            Oracle)                                  SQL: 1433, Oracle: 1521)

Tools

    Occasion                Communication Direction   Protocol       Port                      Notes
1   Certificate             Certificate Management    HTTP or HTTPS  TCP/Port Number of Device
    Management Tool         Tool -> Device Manager                   Manager (default: 8080)
                            Certificate Management    HTTP/SOAP or   TCP/80 or TCP/443
                            Tool -> Device            HTTPS/SOAP
                            Certificate Management    HTTP or HTTPS  TCP/80 or TCP/443
                            Tool -> SCEP server

Other Ricoh products

    Occasion                Communication Direction   Protocol       Port                      Notes
1   Printer Driver          Printer Driver Packager   HTTP or HTTPS  TCP/Port Number of Device
    Packager NX             NX -> Device Manager                     Manager (default: 8080)
2   @Remote Connector NX    @Remote Connector NX      HTTP or HTTPS  TCP/Port Number of Device Refer to the Security White Paper
                            -> Device Manager                        Manager (default: 8080)   of @Remote Connector NX
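
The following is an added example, not part of the Ricoh white paper or product: a Python classifier that checks flow records between the Device Manager server and managed devices against the "Communication with Device" table in 5.1, and marks the documented cleartext options (HTTP/SOAP on TCP/80, FTP on TCP/21) separately. The server address, device subnet, record format and sample records are assumptions constructed for illustration; device log transfer uses the documented default port 9090.

```python
"""Added example: classify flow records against the "Communication with Device"
table in section 5.1. Addresses, record format and samples are assumptions."""
import ipaddress

DM_SERVER = ipaddress.ip_address("10.0.5.10")      # assumed Device Manager server
DEVICE_NET = ipaddress.ip_network("10.0.20.0/24")  # assumed managed-device subnet
DM_SERVER_PORT = 9090  # "Port Number of the DM Server (default: 9090)"

# (transport, destination port) -> (documented use, cleartext protocol?)
DM_TO_DEVICE = {
    ("udp", 161): ("SNMP", False),
    ("tcp", 80): ("HTTP/SOAP", True),
    ("tcp", 443): ("HTTPS/SOAP", False),
    ("tcp", 7443): ("HTTPS/SOAP, device detail information", False),
    ("tcp", 51443): ("HTTPS, SDK/J", False),
    ("tcp", 21): ("FTP", True),
    ("tcp", 22): ("SFTP", False),
    ("tcp", 10021): ("used when the device's FTP port is closed", False),
}
DEVICE_TO_DM = {
    ("udp", 162): ("SNMP Trap", False),
    ("tcp", DM_SERVER_PORT): ("transfer device logs", False),
    ("tcp", 52443): ("transfer device logs", False),
}


def parse_flow(line):
    """Parse 'src=.. dst=.. proto=.. dport=..' into typed fields."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    try:
        return {
            "src": ipaddress.ip_address(fields["src"]),
            "dst": ipaddress.ip_address(fields["dst"]),
            "proto": fields["proto"].lower(),
            "dport": int(fields["dport"]),
        }
    except (KeyError, ValueError) as exc:
        raise ValueError(f"unparsable flow record: {line!r}") from exc


def classify(flow):
    """Return (verdict, detail) for one parsed flow."""
    key = (flow["proto"], flow["dport"])
    if flow["src"] == DM_SERVER and flow["dst"] in DEVICE_NET:
        use, cleartext = DM_TO_DEVICE.get(key, (None, False))
    elif flow["src"] in DEVICE_NET and flow["dst"] == DM_SERVER:
        use, cleartext = DEVICE_TO_DM.get(key, (None, False))
    else:
        return ("out-of-scope", "not Device Manager <-> device traffic")
    if use is None:
        return ("undocumented", "port not listed for this direction")
    if cleartext:
        return ("documented-cleartext", use)
    return ("documented", use)


def classify_log(lines):
    """Classify every non-empty line; malformed lines are kept as 'unparsed'."""
    results = []
    for line in lines:
        if not line.strip():
            continue
        try:
            verdict, detail = classify(parse_flow(line))
        except ValueError as exc:
            verdict, detail = "unparsed", str(exc)
        results.append((line.strip(), verdict, detail))
    return results


# Constructed sample flow records (not captured traffic).
SAMPLE_FLOWS = """\
src=10.0.5.10 dst=10.0.20.31 proto=udp dport=161
src=10.0.5.10 dst=10.0.20.31 proto=tcp dport=80
src=10.0.5.10 dst=10.0.20.31 proto=tcp dport=7443
src=10.0.5.10 dst=10.0.20.31 proto=tcp dport=23
src=10.0.20.31 dst=10.0.5.10 proto=udp dport=162
src=10.0.20.31 dst=10.0.5.10 proto=tcp dport=52443
src=10.0.20.31 dst=10.0.5.10 proto=tcp dport=1433
src=10.0.20.31 dst=10.0.20.44 proto=tcp dport=9100
garbage line
"""

if __name__ == "__main__":
    for line, verdict, detail in classify_log(SAMPLE_FLOWS.splitlines()):
        print(f"{verdict:21} {line}  ({detail})")
```
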


5.2. Discovery

Network Device without FMAudit Engine

| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 DNS resolution (Device Manager NX Pro -> DNS Server) | DNS | UDP/53 or TCP/53 | - | Used when selecting “Perform Reverse DNS Lookup” |
| 2 Collecting device information. (Device Manager NX Pro -> Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name or SNMP V3 access account | Devices with one of the following MIBs can be registered: sysObjectID, prtGeneralConfigChanges, Ricoh Search Function |
| 3 Confirming the Device Administrator. (Device Manager NX Pro -> Device) | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | Device Administrator | |
| 4 Collecting device’s information. Refer to Device Polling. | | | | |

Network Device with FMAudit Engine

| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 DNS resolution (Device Manager NX Pro -> DNS Server) | DNS | UDP/53 or TCP/53 | - | Used when selecting “Perform Reverse DNS Lookup” |
| 2 Collecting device information. (Device Manager NX Pro -> 3rd Party Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name | Devices with the following MIBs can be registered: sysObjectID |
| 3 Collecting device’s information. Refer to Device Polling. | | | | |


USB Device

| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 DNS resolution (Device Manager -> DNS Server) | DNS | UDP/53 or TCP/53 | - | Used when selecting “Perform Reverse DNS Lookup” |
| 2 Collecting device information. (Device Manager NX Pro -> PC) | SNMP | UDP/161 | SNMP V1/V2: The value of Read Community Name is fixed to "Public". | Devices with the following MIBs can be registered: sysObjectID |
| 3 Collecting device’s information. Refer to Device Polling. | | | | |

5.3. Device Polling

5.3.1. Device Polling (Status)

Network Device without FMAudit Engine

| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 Collecting device status information. (Device Manager NX Pro -> Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name or SNMP V3 access account | |

Network Device with FMAudit Engine

| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 Collecting device status information. (Device Manager NX Pro -> 3rd Party Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name | |

USB Device

| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 Collecting device status information. (Device Manager NX Pro -> PC) | SNMP | UDP/161 | SNMP V1/V2: The value of Read Community Name is fixed to "Public". | |

5.3.2. Device Polling (Tray/Toner Ink)

Network Device without FMAudit Engine

| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 Collecting device Tray/Toner Ink information. (Device Manager NX Pro -> Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name or SNMP V3 access account | |
| 2 Collecting device Toner detail information. (Device Manager NX Pro -> Device) | HTTPS/SOAP | TCP/7443 | - | |

Network Device with FMAudit Engine

| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 Collecting device Tray/Toner Ink information. (Device Manager NX Pro -> 3rd Party Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community | |

USB Device

| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 Collecting device Tray/Toner Ink information. (Device Manager NX Pro -> PC) | SNMP | UDP/161 | SNMP V1/V2: The value of Read Community Name is fixed to "Public". | |

5.3.3. Device Polling (Counter)

Network Device without FMAudit Engine


| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 Collecting device Counter information. (Device Manager NX Pro -> Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name or SNMP V3 access account | |

Network Device with FMAudit Engine

| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 Collecting device Counter information. (Device Manager NX Pro -> 3rd Party Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name | |

USB Device

| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 Collecting device Counter information. (Device Manager NX Pro -> PC) | SNMP | UDP/161 | SNMP V1/V2: The value of Read Community Name is fixed to "Public". | |

5.3.4. Device Polling (Other)

Network Device without FMAudit Engine

| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 Collecting device Other information, such as MAC address, etc. (Device Manager NX Pro -> Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name or SNMP V3 access account | |
| 2 Collecting DOSS / HDD Encryption information (Device Manager NX Pro -> Device) | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | Device Administrator | |
| 3 Collecting SDK information and Firmware information (Device Manager NX Pro -> Device) | FTP or SFTP; HTTPS | TCP/20,21 or TCP/Port Number of the Device; TCP/51443 | Device Administrator & SDK access account | FTP/SFTP is used to check for the SDK Platform and Firmware. Disabling FTP on the device does not affect this process. |

Network Device with FMAudit Engine

| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 Collecting device Other information, such as MAC address, etc. (Device Manager NX Pro -> 3rd Party Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name | |

USB Device

| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 Collecting device Other information, such as MAC address, etc. (Device Manager NX Pro -> PC) | SNMP | UDP/161 | SNMP V1/V2: The value of Read Community Name is fixed to "Public". | |

5.3.5. Device Polling (User Counter)

Network Device without FMAudit Engine

| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 Confirming the device’s response. (Device Manager NX Pro -> Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name or SNMP V3 access account | |
| 2 Collecting User Counter information. (Device Manager NX Pro -> Device) | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | Device Administrator | |

5.3.6. Device Polling (Detail Counter)

Network Device without FMAudit Engine

| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 Confirming the device’s response. (Device Manager NX Pro -> Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name or SNMP V3 access account | |
| 2 Collecting Detail Counter information. (Device Manager NX Pro -> Device) | HTTPS/SOAP | TCP/7443 | - | |

5.4. Device-specific Preferences

| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 Confirming the device’s response. (Device Manager NX Pro -> Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name or SNMP V3 access account | |
| 2 Collecting preference information. (Device Manager NX Pro -> Device) | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | Device Administrator | |
| 3 Configuring device preferences. (Device Manager NX Pro -> Device) | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | Device Administrator | |

5.5. Standard Device Preferences

| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 Confirming the device’s response. (Device Manager NX Pro -> Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name or SNMP V3 access account | |
| 2 Collecting preference information. (Device Manager NX Pro -> Device) | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | Device Administrator | |
| | SNMP | UDP/161 | SNMP V1/V2: Read Community Name or SNMP V3 access account | |
| 3 Configuring device preferences. (Device Manager NX Pro -> Device) | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | Device Administrator | |
| | SNMP | UDP/161 | SNMP V1/V2: Write Community Name or SNMP V3 access account | |
| 4 Restarting the device. (Device Manager NX Pro -> Device) | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | Device Administrator | |


5.6. Address Book Preferences

| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 Confirming the device’s response. (Device Manager NX Pro -> Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name or SNMP V3 access account | |
| 2 Collecting Address Book information. (Device Manager NX Pro -> Device) | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | Device Administrator | |
| 3 Configuring the Address Book. (Device Manager NX Pro -> Device) | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | Device Administrator | |

5.7. Power Mode

| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 Confirming the device’s response. (Device Manager NX Pro -> Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name or SNMP V3 access account | |
| 2 Configuring the power mode. (Device Manager NX Pro -> Device) | SNMP | UDP/161 | SNMP V1/V2: Write Community Name or SNMP V3 access account | |


5.8. SDK/J Platform Update

5.8.1. SDK/J Platform Update (Ricoh Software Server)

| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 Download SDK/J Platform. (Device Manager NX Pro -> Ricoh Software Server) | HTTPS | TCP/443 | Retained in Device Manager NX Pro | |
| 2 Confirming the device’s response. (Device Manager NX Pro -> Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name or SNMP V3 access account | |
| 3 Confirming the device’s SDK/J Platform (Device Manager NX Pro -> Device) | FTP or SFTP; HTTPS | TCP/20,21 or TCP/Port Number of the Device; TCP/51443 | Device Administrator and SDK access account | If the device’s FTP port is closed, this function still works. |
| 4 Updating the device’s SDK/J Platform (Device Manager NX Pro -> Device) | HTTPS | TCP/51443 | Device Administrator and SDK access account | |

5.8.2. SDK/J Platform Update (Local File)

| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 Confirming the device’s response. (Device Manager NX Pro -> Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name or SNMP V3 access account | |
| 2 Confirming the device’s SDK/J Platform (Device Manager NX Pro -> Device) | FTP or SFTP; HTTPS | TCP/20,21 or TCP/Port Number of the Device; TCP/51443 | Device Administrator and SDK access account | If the device’s FTP port is closed, this function still works. |
| 3 Updating the device’s SDK/J Platform (Device Manager NX Pro -> Device) | HTTPS | TCP/51443 | Device Administrator and SDK access account | |

5.9. SDK Application

5.9.1. SDK Application (Ricoh Software Server)

| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 Download SDK Application. (Device Manager NX Pro -> Ricoh Software Server) | HTTPS | TCP/443 | Retained in Device Manager NX Pro | |
| 2 Confirming the device’s response. (Device Manager NX Pro -> Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name or SNMP V3 access account | |
| 3 Confirming the device’s SDK/J Platform (Device Manager NX Pro -> Device) | FTP or SFTP; HTTPS | TCP/20,21 or TCP/Port Number of the Device; TCP/51443 | Device Administrator and SDK access account | If the device’s FTP port is closed, this function still works. |
| 4 Installing/Updating/Uninstalling/Activating the device’s SDK App (Device Manager NX Pro -> Device) | HTTPS | TCP/51443 | Device Administrator and SDK access account | |
| 5 Restarting the device. (Device Manager NX Pro -> Device) | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | Device Administrator | |

5.9.2. SDK Application (Local File)

| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 Confirming the device’s response. (Device Manager NX Pro -> Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name or SNMP V3 access account | |
| 2 Confirming the device’s SDK/J Platform (Device Manager NX Pro -> Device) | FTP or SFTP; HTTPS | TCP/20,21 or TCP/Port Number of the Device; TCP/51443 | Device Administrator and SDK access account | If the device’s FTP port is closed, this function still works. |
| 3 Installing/Updating/Uninstalling/Activating the device’s SDK App (Device Manager NX Pro -> Device) | HTTPS | TCP/51443 | Device Administrator and SDK access account | |
| 4 Restarting the device. (Device Manager NX Pro -> Device) | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | Device Administrator | |


5.10. Remote Firmware Update

5.10.1. Remote Firmware Update (Ricoh Software Server)

| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 Download Firmware. (Device Manager NX Pro -> Ricoh Software Server) | HTTPS | TCP/443 | Retained in Device Manager NX Pro | |
| 2 Confirming the device’s response. (Device Manager NX Pro -> Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name or SNMP V3 access account | |
| 3 Confirming the device’s Firmware Information (Device Manager NX Pro -> Device) | FTP or SFTP | TCP/20,21 or TCP/Port Number of the Device | Device Administrator | If the device’s FTP port is closed, this function still works by using TCP/10021. |
| 4 Updating the device’s Firmware (Device Manager NX Pro -> Device) | FTP or SFTP | TCP/20,21 or TCP/Port Number of the Device | Device Administrator | If the device’s FTP port is closed, this function still works by using TCP/10021. |

5.10.2. Remote Firmware Update (Local File)

| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 Confirming the device’s response. (Device Manager NX Pro -> Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name or SNMP V3 access account | |
| 2 Confirming the device’s Firmware Information (Device Manager NX Pro -> Device) | FTP or SFTP | TCP/20,21 or TCP/Port Number of the Device | Device Administrator | If the device’s FTP port is closed, this function still works by using TCP/10021. |
| 3 Updating the device’s Firmware (Device Manager NX Pro -> Device) | FTP or SFTP | TCP/20,21 or TCP/Port Number of the Device | Device Administrator | If the device’s FTP port is closed, this function still works by using TCP/10021. |

5.11. Log Collection Setting

| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 Confirming the device’s response. (Device Manager NX Pro -> Device) | SNMP | UDP/161 | SNMP V1/V2: Read Community Name or SNMP V3 access account | |
| 2 Collecting log preference information. (Device Manager NX Pro -> Device) | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | Device Administrator | |
| 3 Configuring device log preferences. (Device Manager NX Pro -> Device) | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | Device Administrator | |


5.12. SNMP Trap

| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 Notify SNMP Trap. (Device -> Device Manager NX Pro) | SNMP | UDP/162 | SNMP V1/V2: Trap Community Name or SNMP V3 access account | |
| 2 Collecting device’s information. Refer to Device Polling (Status). | | | | |

5.13. Device log (Job log, Access log, Eco Log)

| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 Notify Device Log. (Device -> Device Manager NX Pro) | HTTP or HTTPS | Port Number of the DM Server (default: 9090) or TCP/52443 | - | HTTPS port is not changeable. |

5.14. Reports

"Save on Disk" is activated as "Delivery Methods".

| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 Run Report task | - | - | - | |
| 2 Save on Disk | SMB/CIFS | TCP/445 | Account who starts up RICOH DMNX Central Manager Service | In case that the network folder is selected as the location where report files will be stored. |

"Send by Email" is activated as "Delivery Methods".


| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 Run Report task | - | - | - | |
| 2 Send by Email | SMTP or POP | TCP/25 or 110 | SMTP Authentication or Pop Authentication | |

5.15. Notifications

| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 Complete tasks. Refer to the following functions: Discovery, Device Polling, Device-specific Preferences, Standard Device Preferences, Address Book Preferences, Power Mode, SDK/J Platform Update, SDK Application, Remote Firmware Update, Log Collection Setting, Configuration Alerts | - | - | - | |
| 2 Notification | SMTP or POP | TCP/25 or TCP/110 | SMTP Authentication Account or Pop Authentication Account | |


5.16. Activation/Deactivation

Activation/deactivation is internet-based, so this communication must pass through the proxy server, if one is in use.

| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 Confirm the request for Activation/Deactivation. (Device Manager NX Pro -> Ricoh Software Server) | HTTPS | TCP/443 | Retained in Device Manager NX Pro | |

5.17. Usage Report

Usage Reports are internet-based, so this communication must pass through the proxy server, if one is in use.

| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 Transmit usage reports (Device Manager NX Pro -> Ricoh Backend Server) | HTTP | TCP/80 | Retained in Device Manager NX Pro | Device Manager NX Pro does not support direct downloading of update data. |

5.18. Common

Operate UI (including Mobile Access) with Internal Authentication

| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 Login (Browser -> Device Manager NX Pro) | HTTP or HTTPS | TCP/Port number of Device Manager NX Pro | Internal User Account | |
| 2 Operate UI (Browser -> Device Manager NX Pro) | HTTP or HTTPS | TCP/Port number of Device Manager NX Pro | Internal User Account | |


Operate UI (including Mobile Access) with external Authentication

| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 Login (Browser -> Device Manager NX Pro) | HTTP or HTTPS | TCP/Port number of Device Manager NX Pro | LDAP User Account | |
| 2 Authentication (Device Manager NX Pro -> LDAP Server) | LDAP or LDAPS | TCP/Port number of LDAP Server | LDAP User Account | |
| 3 Operate UI (Browser -> Device Manager NX Pro) | HTTP or HTTPS | TCP/Port number of Device Manager NX Pro | LDAP User Account | |

Operate UI (including Mobile Access) with IIS

| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 Login (Browser -> IIS) | HTTP or HTTPS | TCP/Port number of IIS | Internal User Account | |
| 2 Redirect (IIS -> Device Manager NX Pro) | HTTP or HTTPS | TCP/Port number of Device Manager NX Pro | Internal User Account | |
| 3 Operate UI (Browser -> IIS) | HTTP or HTTPS | TCP/Port number of IIS | Internal User Account | |
| 4 Redirect (IIS -> Device Manager NX Pro) | HTTP or HTTPS | TCP/Port number of Device Manager NX Pro | Internal User Account | |


Get/Set Data

| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 Get/Set Data (Device Manager NX Pro -> Database (SQL Server)) | JDBC | TCP/Port number of the Database | SQL Server Authentication Account or Windows Authentication Account | |
| 2 Get/Set Data (Device Manager NX Pro -> Internal database (Derby)) | JDBC | TCP/1527 | Internal User Account | This port is used internally. |

5.19. Certificate Management Tool

| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 Import Device List (Certificate Management Tool -> Device Manager NX Pro) | HTTP or HTTPS | TCP/Port number of Device Manager NX Pro | User Account | Certificate Management Tool provides the function to create the self-certificate on the devices. |

| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 Import Certificate (Certificate Management Tool -> Device) | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | Device Administrator | |
| 2 Export Certificate (Certificate Management Tool -> Device) | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | Device Administrator | |
| 3 Get Status of Certificate (Certificate Management Tool -> Device) | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | Device Administrator | |
| 4 Delete Certificate (Certificate Management Tool -> Device) | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | Device Administrator | |

Generate and Install Certificate

| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 Generate and retrieve CSR from the device (Certificate Management Tool -> Device) | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | Device Administrator | |
| 2 Enroll with SCEP to generate and download certificate on Certificate Authority server (Certificate Management Tool -> SCEP Server) | HTTP or HTTPS | TCP/80 or TCP/443 | | See Note. |
| 3 Import Certificate to device (Certificate Management Tool -> Device) | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | Device Administrator | |
| 4 Get Status of Certificate from device (Certificate Management Tool -> Device) | HTTP/SOAP or HTTPS/SOAP | TCP/80 or TCP/443 | Device Administrator | |

Note: Before using the SCEP linking function, the following two configurations are required on the NDES server.

- Disable password requirements by editing the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP\EnforcePassword\EnforcePassword = 0
- Relax restrictions on IIS when using IIS 7 or 7.5 by executing the following command: %systemroot%\system32\inetsrv\appcmd.exe set config /section:system.webServer/security/requestFiltering /requestLimits.maxQueryString:"3072" /commit:apphost

5.20. Printer Driver Packager NX

| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 Printer Driver Packager NX -> Device Manager NX Pro | HTTP or HTTPS | TCP/Port Number of Device Manager NX Pro | User Account | |

5.21. @Remote Connector NX

| Operation | Protocol | Port | Access Account | Notes |
|---|---|---|---|---|
| 1 @Remote Connector NX -> Device Manager NX Pro | HTTP or HTTPS | TCP/Port Number of Device Manager NX Pro | User Account | Refer to the Security White Paper of @Remote Connector NX for details. |


6. General Security Considerations

6.1. Communication between Device Manager NX Pro and devices

As devices do not have secure communication enabled by default, communication between Device Manager NX Pro and devices is not encrypted by default. Please configure HTTPS and SNMPv3 settings if secure protocols are required. However, SNMPv3 is not available for collecting detailed information from 3rd party devices with the FMA Engine. For USB devices, please refer to Protocols and Ports.

When Device Manager NX Pro communicates with a device via SSL/TLS (this depends on device configuration), Device Manager NX Pro uses a certificate to encrypt the communication, but does not check the validity of the certificate. Also, importing a device certificate to the PC where Device Manager NX Pro is installed has no effect, as Device Manager NX Pro does not support custom certificates. If a device has both HTTP and HTTPS enabled, HTTPS is used.

Device Manager NX Pro supports the following ciphers/encryption protocols:

- Hash: SHA-2 (SHA-256)
- Public Key: RSA2048
- Common Key: AES256, AES128, or 3TDEA

6.2. Communication between Device Manager NX Pro and Browser

As browsers do not have secure communication enabled by default, communication between Device Manager NX Pro and the browser is not encrypted by default. Please configure HTTPS settings in Server Settings if secure protocols are required.

Device Manager NX Pro supports the following certificates:

.cer/.crt, .pem/.der, .csr, .p7b/.p7c

6.3. Communication between Device Manager NX Pro and other systems

6.3.1. Ricoh Software Server

The Ricoh Software Server provides secure communication between Device Manager NX Pro and the Ricoh Software Server. Device Manager NX Pro connects to the following URLs as Ricoh Software Server:

- https://e2-as1.support-download.com
- https://e2-cs2.support-download.com
- https://e2-ds1.support-download.com
- https://support.ricoh.com

6.3.2. Ricoh Backend Server

Ricoh Backend Server does not have secure communication. Please set Usage Report to off if secure protocols are required. You can change this setting in [System > Server Settings > Activation/Usage Report]. Device Manager NX Pro connects to the following URLs as Ricoh Backend Server:

- http://log.app2me.com/
- http://update.app2me.com/


6.3.3. LDAP Server

Select whether or not to use secure communication when connecting to an LDAP Server. Please configure the SSL settings in [System > Server Settings > Networking] if secure protocols are required on the Device Manager NX Pro Server.

6.3.4. Mail Server

Device Manager NX Pro does not support POP3s/IMAP4s/SMTPs (over SSL).

6.3.5. External Database (SQL Server)

Device Manager NX Pro does not support JDBC over SSL. All security information is encrypted.

6.3.6. Proxy Server

Device Manager NX Pro supports the following proxy server authentication:

- Basic

- Digest

- NTLMv1

- NTLMv2

- Kerberos

Device Manager NX Pro operates according to Server Settings (port and other settings).
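The fixed ports in section 5 and the statements in 6.1 to 6.3 about which channels are protected can be checked against what the Device Manager server actually sends. The following Python sketch is an added example, not part of the white paper or of Ricoh's software; the flow-log format, the role names and the addresses are constructed assumptions.

```python
"""Audit outbound flows from a Device Manager NX Pro server against the
fixed ports in the white paper. Flow-log format and addresses are constructed."""
import csv
import io

# (destination role, transport, port) -> (use, protection), transcribed from
# sections 5.x and 6.x. Protection values:
#   cleartext       no transport encryption
#   tls-unverified  TLS to a device; 6.1 says the certificate is not validated
#   tls             HTTPS to the Ricoh Software Server (6.3.1)
#   depends         SNMP: v1/v2 community names are cleartext, v3 is per device
#   unspecified     the white paper does not state the protection
# Site-configurable ports (LDAP, SQL Server, device SFTP) must be added per site.
DOCUMENTED = {
    ("dns", "udp", 53): ("reverse DNS lookup", "cleartext"),
    ("dns", "tcp", 53): ("reverse DNS lookup", "cleartext"),
    ("device", "udp", 161): ("SNMP discovery/polling", "depends"),
    ("device", "tcp", 80): ("HTTP/SOAP", "cleartext"),
    ("device", "tcp", 443): ("HTTPS/SOAP", "tls-unverified"),
    ("device", "tcp", 7443): ("HTTPS/SOAP toner and detail counter", "tls-unverified"),
    ("device", "tcp", 51443): ("HTTPS SDK platform/application", "tls-unverified"),
    ("device", "tcp", 20): ("FTP data", "cleartext"),
    ("device", "tcp", 21): ("FTP control", "cleartext"),
    ("device", "tcp", 10021): ("firmware transfer when FTP is closed", "unspecified"),
    ("fileshare", "tcp", 445): ("SMB/CIFS report delivery", "unspecified"),
    ("ricoh-software", "tcp", 443): ("download, activation", "tls"),
    ("ricoh-backend", "tcp", 80): ("usage report", "cleartext"),
    ("mail", "tcp", 25): ("SMTP notification", "cleartext"),
    ("mail", "tcp", 110): ("POP", "cleartext"),
}

# Review order: flows outside the port tables first, then weakest protection.
SEVERITY = {"undocumented": 0, "cleartext": 1, "tls-unverified": 2,
            "depends": 3, "unspecified": 3}


def audit(flow_log, roles):
    """Return one (dst, transport, port, verdict, use) tuple per distinct flow."""
    findings, seen = [], set()
    for row in csv.DictReader(io.StringIO(flow_log)):
        key = (row["dst"].strip(), row["transport"].strip().lower(), int(row["dport"]))
        if key in seen:  # repeated polls of the same endpoint are reported once
            continue
        seen.add(key)
        role = roles.get(key[0], "unknown")
        use, verdict = DOCUMENTED.get((role, key[1], key[2]), (None, "undocumented"))
        findings.append((*key, verdict, use))
    return findings


def review_queue(findings):
    """Findings that need attention, most urgent first; verified TLS is dropped."""
    flagged = [f for f in findings if f[3] in SEVERITY]
    return sorted(flagged, key=lambda f: SEVERITY[f[3]])


# Constructed inventory (RFC 5737 documentation addresses) and flow log.
ROLES = {
    "192.0.2.10": "device", "192.0.2.11": "device", "192.0.2.53": "dns",
    "192.0.2.25": "mail", "198.51.100.5": "ricoh-backend",
    "198.51.100.6": "ricoh-software",
}
SAMPLE_FLOWS = """dst,transport,dport
192.0.2.10,udp,161
192.0.2.10,tcp,443
192.0.2.10,tcp,23
192.0.2.11,tcp,80
192.0.2.11,tcp,80
198.51.100.5,tcp,80
198.51.100.6,tcp,443
192.0.2.53,udp,53
192.0.2.25,tcp,25
"""

if __name__ == "__main__":
    for dst, transport, port, verdict, use in review_queue(audit(SAMPLE_FLOWS, ROLES)):
        print(f"{verdict:15} {dst}:{port}/{transport} {use or 'not in the port tables'}")
```

A device flow on TCP/443 is reported as tls-unverified rather than dropped, because 6.1 states that the device certificate is not validated.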

6.4. Certificate Management Tool

Select whether or not to use secure communication between the Certificate Management Tool and Device Manager NX Pro, using the same setting as for Communication between Device Manager NX Pro and Browser.

Select whether or not to use secure communication between the Certificate Management Tool and the Devices, using the same setting as for Communication between Device Manager NX Pro and devices.

Communication between the Certificate Management Tool and the SCEP Server is secured by configuring the Certificate Authority server with SSL and configuring the SCEP URL in the Certificate Management Tool to use https.

6.5. Mobile Application

Select whether or not to use secure communication between the Mobile Application and Device Manager NX Pro, using the same setting as for Communication between Device Manager NX Pro and the Browser.

The Mobile Application supports trusted CA certificates for SSL connections to Device Manager NX Pro.


6.6. Printer Driver Packager NX

Select whether or not to use secure communication between the Printer Driver Packager NX and Device Manager NX Pro, using the same setting as for Communication between Device Manager NX Pro and the Browser.

6.7. @Remote Connector NX

Select whether or not to use secure communication between the @Remote Connector NX and Device Manager NX Pro, using the same setting as for Communication between Device Manager NX Pro and the Browser.

6.8. Driver Distribution

When advanced driver browsing is enabled, authorization is required and only LDAP or Kerberos profiles are available. This function is not available for the internal authentication profile.


6. Stored Data

6.1. Stored Data

Data Item Detail

Device Data Encryption Not encrypted.

Device Data is stored in the Database (SQL Server).

Device Manager NX Pro uses the specific account

configured during the installation.

Back-up Performed by the Database (SQL Server)

administrator.

Access Control DeviceBasicRead: View all information associated with a device DeviceBasicWrite: Create, update, and delete discovery profiles, polling profiles, and associated tasks Create, update, and delete device groups

Device Access Account Data
- Encryption: Not encrypted. (Password is encrypted) Access Account Data is stored in the same database as Device Data.
- Back-up: Performed by the Database (SQL Server) administrator.
- Access Control:
  - DeviceBasicRead: View all information associated with a device
  - DeviceBasicWrite: Modify device access accounts and custom properties

Configuration Data (Template/Task)
- Encryption: Not encrypted. (Password is encrypted) Configuration Data is stored in the same database as Device Data. In addition, Address Book Preferences, Device-specific Preferences, SDK Application, SDK/J Platform and Firmware are stored in the repository: <Install Folder>\data\repository\
- Back-up: Performed by the Database (SQL Server) administrator for the Data stored in the SQL Server. Performed by administrator of Device Manager NX Pro for the Data stored in the repository (<Install Folder>\data\repository\).
- Access Control:
  - AddressBookRead: View address book entries
  - AddressBookWrite: Create, update and delete address book entries
  - DeviceAdvancedRead: View all information associated with a device (including tasks, templates, notifications)
  - DeviceAdvancedWrite: Create, update, and delete device preferences, firmware, SDK platform and embedded applications
- Log Entry: Task results are recorded in the Task Logs.

System Settings
- Encryption: Not encrypted. (Password is encrypted) System Settings are stored in the same database as Device Data.
- Back-up: Performed by the Database (SQL Server) administrator.
- Access Control:
  - DeviceBasicRead: View all information associated with a device
  - DeviceBasicWrite: Update email address lists
  - DMOperation: Device Administrator with access to DM Server Management options
  - SecurityRead: View security information including roles, users and login profiles
  - SecurityWrite: Create, update, and delete security information including roles, users and login profiles
  - SysConfigRead: View system configuration information
  - SysConfigWrite: Update software configuration (not related to security or devices)
- Log Entry: The configuration of system settings is not recorded in the System Logs.

Logs (Task, System, Audit and Notification)
- Encryption: Not encrypted. The Logs are stored in the same database as Device Data.
- Back-up: Performed by the Database (SQL Server) administrator.
- Access Control:
  - AuditRead: View the software configuration audit log
  - AuditWrite: Delete the software configuration audit log
  - LogDelete: Delete log records
  - SysConfigRead: View system configuration information

Debug Log
- Encryption: Plain text. Not Masked. (Password is masked as “*******”.)
- Debug Log Collection: Debug Logs collected by RsInfo are:
  - %ProgramData%/Ricoh/Device Manager NX/logs or %ProgramData%/Ricoh/Rioh Device Manager Pro/logs
    - debug_core.log (Core Server Log)
    - debug_dm.log (DM Server Log)
    - smartClientServer.log (UI Log)
    - equinox.log (OSGi Log)
  - %TEMP%/RICOH
    - installxxx.log (Install/Uninstall Log)

  * RsInfo is the tool that collects information about the Server/PC on which Ricoh products are installed (e.g. OS information, processes, ports, event logs, SQL server logs, logs of Ricoh products, etc.).
- Back-up: Not included in the Database (SQL Server).
- Access Control:
  - SysConfigRead: View system configuration information

Report Data (Template, Task, File)
- Encryption: None. The Report Data is stored in the same database as Device Data. In addition, the report file that is activated by "Save on Application" in the report task settings is stored in Reporting Server: <Install Folder>\data\repository\RS
- Back-up: Performed by the Database (SQL Server) administrator.
- Access Control:
  - ReportRead: View reports
  - ReportWrite: Create, update, delete or schedule reports
- Log Entry: The result of task execution is recorded in the Report Logs.

Report Log
- Encryption: Not encrypted. The Report Data is stored in the same database as Device Data.
- Back-up: Performed by the Database (SQL Server) administrator.
- Access Control:
  - SysConfigRead: View system configuration information

Device Log (Job Log, Access Log, Eco Log)
- Encryption: Not encrypted. The Eco Log Data is stored in the same database as Device Data. The Job Log and Access Log Data are stored in the internal DB (Derby) on Device Manager NX Pro.
- Back-up:
  - Eco Log: Performed by the Database (SQL Server) administrator.
  - Job Log, Access Log: Performed by Windows Administrator on the server.
- Access Control:
  - SysConfigRead: View system configuration information

Driver Package Data
- Encryption: Not encrypted. Driver Package Data is stored in the same database as Device Data. In addition, Driver Packages are stored in the repository: <Install Folder>\data\repository\
- Back-up: Performed by the Database (SQL Server) administrator.
- Access Control:
  - DeviceBasicRead: View driver packages information
  - DeviceAdvancedWrite: Create, update and delete driver packages.

Passwords in Stored Data are encrypted with the following algorithm: Blowfish 128bit.

Passwords are masked as “*******”.

7. Services

7.1. Services

The following services are registered.

RICOH DMNX Central Manager Service
- Description: This service provides the functions in the Web UI. This service communicates with RICOH DMNX Device Manager Service. This service also communicates via HTTP(s) with the Ricoh Data Center to retrieve and apply software, firmware and SDK application updates.
- Startup type: Automatic
- Working on: Device Manager NX Pro installed PC

RICOH DMNX Device Manager Service
- Description: This service monitors the status of connected devices. This service communicates with the connected devices via HTTP(s) and SNMP.
- Startup type: Automatic
- Working on: Device Manager NX Pro installed PC

USB Agent³
- Description: To communicate with USB-connected devices, the RICOH DMNX Device Manager Service communicates with this service via SNMP to retrieve information about the attached devices.
- Startup type: Automatic
- Working on: FMA Agent installed PC

³ The USB Agent needs to be running on customer client desktops.

7.2. Processes

The following processes are created by Device Manager NX Pro.

corewrapper.exe
- Description: This process is created by the RICOH DMNX Central Manager Service after the customer installs the components of Device Manager NX Pro.
- Created by: RICOH DMNX Central Manager Service

java.exe
- Description: This process is created by corewrapper.exe.
- Created by: RICOH DMNX Central Manager Service

dmwrapper.exe
- Description: This process is created by the RICOH DMNX Device Manager Service after the customer installs the components of Device Manager NX Pro.
- Created by: RICOH DMNX Device Manager Service

java.exe
- Description: This process is created by the dmwrapper.exe.
- Created by: RICOH DMNX Device Manager Service

fmaagent.exe
- Description: This process is created by the USB Agent Service after the customer installs the USB Agent.
- Created by: USB Agent Service
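The process lineage listed above can be used as a baseline check on the server. The following is an added example, not code from the white paper or from Ricoh: it assumes a process snapshot of (pid, parent pid, name) rows exported from the server's process list, and the `Proc` type, the `check_lineage` function and the sample PIDs are hypothetical and constructed for illustration.

```python
from collections import namedtuple

# One row of a process snapshot; the field names are this example's assumption.
Proc = namedtuple("Proc", "pid ppid name")

# Section 7.2: wrapper process -> service the white paper says creates it.
WRAPPERS = {
    "corewrapper.exe": "RICOH DMNX Central Manager Service",
    "dmwrapper.exe": "RICOH DMNX Device Manager Service",
}
# Section 7.2: java.exe is created by one of the wrappers above.
# fmaagent.exe runs on USB Agent client PCs, so it is not checked on the server.
CHILD = "java.exe"


def check_lineage(procs):
    """Return findings for a snapshot; an empty list matches section 7.2."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for name, service in WRAPPERS.items():
        wrappers = [p for p in procs if p.name.lower() == name]
        if not wrappers:
            findings.append(f"missing {name} ({service} not running?)")
        for w in wrappers:
            kids = [p for p in procs if p.ppid == w.pid and p.name.lower() == CHILD]
            if not kids:
                findings.append(f"{name} pid {w.pid} has no {CHILD} child")
    for p in procs:
        if p.name.lower() != CHILD:
            continue
        parent = by_pid.get(p.ppid)
        pname = parent.name.lower() if parent else "<exited>"
        if pname not in WRAPPERS:
            findings.append(f"{CHILD} pid {p.pid} has undocumented parent {pname}")
    return findings


# Constructed sample snapshots (not captured from a real server).
BASELINE = [
    Proc(700, 4, "services.exe"), Proc(2100, 700, "corewrapper.exe"),
    Proc(2180, 2100, "java.exe"), Proc(2300, 700, "dmwrapper.exe"),
    Proc(2364, 2300, "java.exe"),
]
DRIFTED = BASELINE[:4] + [Proc(4888, 3000, "cmd.exe"), Proc(5012, 4888, "java.exe")]

if __name__ == "__main__":
    for label, snap in (("baseline", BASELINE), ("drifted", DRIFTED)):
        print(label, check_lineage(snap) or "matches section 7.2")
```

A java.exe reported with an undocumented parent may belong to other Java software on the same host, so a finding is a prompt to inspect that process, not a verdict on it.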