HP Customer Support

HP Jetdirect and Embedded Jetdirect Inside Print Servers - Making HP Jetdirect Print Servers Secure on a Network

Introduction
This document describes security steps that help make an HP Jetdirect print server or embedded Jetdirect Inside print server secure on the network. This document is not intended as a substitute for general network or operating system security. Refer to the appropriate HP and non-HP documentation when planning security. Many of these security steps may require that the HP Jetdirect have the most current firmware version available (see the firmware upgrade section for information).
To have a minimally secure HP Jetdirect device, follow Security Steps 1 through 4.
Steps 5 and 6 offer additional security, but may interfere with network management applications accessing the HP Jetdirect print server. Only knowledgeable administrators should use Security Steps 5 and 6.
The steps in this document primarily describe using Telnet, but also mention HP Web Jetadmin and the HP Jetdirect Embedded Web server. When using Telnet, be sure to save any settings or configurations made, as described in the Telnet section below (and in each security step). Individual configurations do not need to be saved as they are made; configure as many security steps as are needed, then exit and save (quit) the configuration.
For information about HP Web Jetadmin, including how to download it, see the HP Web Jetadmin pages on the HP website.
Secure printing
The steps in this document pertain to securing the HP Jetdirect print server against unauthorized access to the print server or unauthorized configuration. HP Jetdirect devices and HP port monitor software do not offer print data encryption at this time; however, secure printing is offered through additional solutions.
Another possible solution would be to use Virtual Private Networking (VPN), which can offer secure IP tunneling through the Internet; normal print data traverses the Internet through the VPN infrastructure. Contact the network operating system vendor with more questions regarding VPN.
Security Step 1 - Update HP Jetdirect firmware
Always keep firmware on HP Jetdirect print servers at the latest revision level. As firmware is revised, performance and security are improved. Jetdirect firmware can be upgraded using either Download Manager or HP Web Jetadmin software, though HP Web Jetadmin is a complete management software for large corporate networks. Both of these applications are automatically able to download the latest firmware images from the Internet.
Security Step 2 - Telnet passwords
Prerequisite information
A Telnet password can be set during a Telnet session to an HP Jetdirect print server to prevent unauthorized Telnet access to the Jetdirect. The password can be up to 16 characters long and is case sensitive. It is retained even after turning either the printer or Jetdirect off and back on. If the password is forgotten, the Jetdirect will have to be cold reset to factory defaults, which will lose all of the TCP/IP configuration, and then the print server will need to be reconfigured.
Once the password is set, there will be a prompt for the password before the next telnet session can be opened. With a Jetdirect firmware version x.20.xx or newer, there will also be a prompt for a username, along with the password. The four valid usernames are: root, admin, administrator, or supervisor.
Telnet requirements
  • TCP/IP enabled and an IP address set on the print server
  • Firmware x.03.16 or newer on the print server
  • Telnet utility and TCP/IP installed on the computer or workstation
  • IP address set on the computer or workstation
  • Good TCP/IP communication to the print server
Setting the password
For firmware x.20.xx or higher
  1. Once in Telnet, type the password command and the password on the same line. For example: passwd: mypassword
  2. When finished, type quit. Press Enter to exit.
  3. Type Y to save the password on the Jetdirect.
     note:
    If the password is forgotten, the HP Jetdirect device will have to be cold reset.
For firmware x.08.40 and below
  1. Once in Telnet, type the following command: passwd
  2. Press Enter then a prompt asking for a telnet password will appear.
  3. Type in the password.
  4. When finished, type: quit
  5. Press Enter to exit and save the password on the HP Jetdirect.
     note:
    If the password is forgotten, the HP Jetdirect device will need to be cold reset.
Telnetting after the password is enabled
For firmware versions X.20.XX
  1. Telnet to the HP Jetdirect print server.
  2. Type one of the four valid usernames: root, admin, administrator, or supervisor.
  3. Press Enter.
  4. Type the password at the prompt line.
  5. Press Enter twice to confirm the connection.
For firmware versions X.06.00 to x.08.04
  1. Telnet to the HP Jetdirect print server.
  2. Press Enter until prompted for the password.
  3. Type the password at the prompt line.
  4. Press Enter twice to confirm the connection.
For firmware versions X.05.34 and below
  1. Telnet to the HP Jetdirect print server.
  2. Press Enter until prompted for the password.
  3. Do not type in the password at the password prompt or it will appear that the password failed. Instead, press Enter to return to the next line with just the ">" prompt.
  4. Then enter the telnet password. The following reply may appear: logged in
  5. Press Enter twice to confirm the connection.
Background: Telnet is one of many utilities found in the TCP/IP protocol suite and is a systems user interface. It is a way to log onto one system from another system through a network. Telnet has been adapted to HP Jetdirect print servers as a method of user interface and provides access to the device's configurable parameters. Any operating system that provides a Telnet utility path through the TCP/IP protocol can use Telnet to configure an HP Jetdirect print server.
Security Step 3 - Disable unused protocols
Disabling unused protocols helps minimize network traffic and makes good security sense. Protocols can be disabled using Telnet, Web Jetadmin, or the HP Embedded Web server. Web Jetadmin software provides both single and batch methods for disabling HP Jetdirect protocols. See HP Web Jetadmin documentation for more information on device configuration.
Telnet can be used to disable all protocols except TCP/IP.
  • To disable protocols through Telnet, type the following commands in the Telnet session:
    To disable Novell or IPX/SPX protocol, type ipx/spx: 0
    To disable the data link (DLC) protocol, type dlc/llc: 0
    To disable the EtherTalk protocol, type ethertalk: 0
  • When finished, type quit and press Enter to save and exit the configuration.
Security Step 4 - Disable other unused protocols and management services
Services or connectivity ports on the HP Jetdirect print servers are used for both printing and configuration. It is highly recommended that unused services be disabled through this method. For instance, if the administrator is not using the HP Embedded Web server, it should be disabled.
  • Use any of the following commands in Telnet to disable protocols or services:
    • To disable the Internet Printing Protocol, type ipp-config: 0
    • To disable the File Transfer Protocol, type ftp-config: 0
    • To disable HP Jetdirect’s Embedded Web server, type ews-config: 0
    • To disable the Service Location Protocol, type tl-slp: -1
    • To disable SNMP, type snmp-config: 0
    • When finished, type quit and press Enter to exit and save the configuration.
 caution:
Disabling SNMP should only be used if the administrator is not using HP Web Jetadmin, Jetadmin, OpenView, or any other SNMP management utility.
 note:
The Jetdirect must have firmware x.08.32 or higher in order to disable SNMP. Also, only HP Jetdirect print servers with firmware of x.08.03 and higher (except for A.08.03 or higher firmware on J25xx Print Servers) have FTP capability and thus only these can have it disabled.
Security Step 5 - SNMP set and get community names
 note:
The get-cmnty-name command is only valid with Jetdirects that have x.2x.xx firmware or greater.
SNMP set community names and get community names can be configured or disabled using Telnet, the HP Embedded Web Server or HP Web Jetadmin software. In the case of HP Web Jetadmin software, a set community name can be configured on multiple HP Jetdirects at once. The set community name can be up to 32 characters long.
  1. To configure the SNMP set community name in Telnet, use the following example command: set-cmnty-name: my_setcommunitypasswd (use your own password).
    It is a good idea to make this password the same as the Telnet password (see Security Step 2). That way, the administrator only needs to remember one password.
  2. If concerned about monitoring and device discovery from SNMP management software, disable SNMP as described in Step 4 above.
     caution:
    Disabling SNMP should only be used if the administrator is not using Web Jetadmin, Jetadmin, OpenView, or any other SNMP management utility. In addition, print paths should not be using SNMP as well (for example, Standard TCP/IP Port Monitor should have SNMP disabled.)
  3. When finished, type quit and press Enter to save and exit the configuration.
    1. To configure the SNMP get community name in Telnet, type the following example command: get-cmnty-name: my_getcommunitypasswd. (Use your own password)
    2. To disable the default get community name (in firmware x.08.49 and newer) type the following Telnet command: default-get-cmnty: 0
Background: SNMP is a protocol that is used by network management applications for monitoring and controlling network devices. HP software, such as Jetadmin or Web Jetadmin, uses SNMP to acquire information about HP Jetdirect print servers and the printers to which they are connected. Get and Set are SNMP commands used to gather information and to configure parameters. A community name is nothing more than a password used by a network management application during Set and Get operations.
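As an added example (not HP code), the firmware notes in Steps 4 and 5 can be folded into a small planner that emits only the Telnet commands a given firmware revision accepts. It assumes the site uses none of IPX/SPX, DLC/LLC, EtherTalk, IPP, SLP or FTP; the function names, parameters and sample community names are hypothetical, and the Telnet password from Step 2 is left to be set by hand.

```python
import re

# Minimum firmware (major, minor) per command, from the notes in Steps 4 and 5.
# The J25xx exception for FTP mentioned in the Step 4 note is not modelled.
MIN_FW = {
    "ftp-config": (8, 3),       # FTP exists only on x.08.03 and higher
    "snmp-config": (8, 32),     # SNMP can be disabled from x.08.32
    "get-cmnty-name": (20, 0),  # "x.2x.xx firmware or greater"
}


def parse_firmware(version):
    """'G.08.49' -> (8, 49); the leading letter identifies the product family."""
    m = re.fullmatch(r"[A-Za-z]\.(\d{2})\.(\d{2})", version.strip())
    if m is None:
        raise ValueError(f"unrecognized firmware string: {version!r}")
    return int(m.group(1)), int(m.group(2))


def hardening_plan(firmware, set_community, get_community=None,
                   keep_snmp=True, keep_ews=True):
    """Return (commands, skipped) for one print server.

    commands: lines to type in the Telnet session, ending with 'quit'.
    skipped:  (command, reason) pairs the firmware cannot honour.
    """
    fw = parse_firmware(firmware)
    if not 1 <= len(set_community) <= 32:
        raise ValueError("set community name must be 1 to 32 characters")

    def ok(cmd):
        return fw >= MIN_FW.get(cmd, (0, 0))

    commands, skipped = [], []

    # Step 3: disable everything except TCP/IP.
    commands += ["ipx/spx: 0", "dlc/llc: 0", "ethertalk: 0"]

    # Step 4: unused services.
    commands += ["ipp-config: 0", "tl-slp: -1"]
    if ok("ftp-config"):
        commands.append("ftp-config: 0")
    else:
        skipped.append(("ftp-config", "no FTP service before x.08.03"))
    if not keep_ews:
        commands.append("ews-config: 0")

    # Steps 4 and 5: SNMP off, or protected by community names.
    if not keep_snmp and ok("snmp-config"):
        commands.append("snmp-config: 0")
    else:
        if not keep_snmp:
            skipped.append(("snmp-config", "needs x.08.32; set name instead"))
        commands.append(f"set-cmnty-name: {set_community}")
        if get_community and ok("get-cmnty-name"):
            # default-get-cmnty needs x.08.49, which x.20 already satisfies.
            commands += [f"get-cmnty-name: {get_community}",
                         "default-get-cmnty: 0"]
        elif get_community:
            skipped.append(("get-cmnty-name", "needs x.2x.xx firmware"))

    commands.append("quit")  # quit saves; exit would leave without saving
    return commands, skipped


if __name__ == "__main__":
    # Constructed sample: an older card where SNMP cannot be switched off.
    plan, notes = hardening_plan("G.08.20", "constructed-set-name",
                                 keep_snmp=False)
    print("\n".join(plan))
    for command, reason in notes:
        print(f"# skipped {command}: {reason}")
```

The skipped list is the part worth reviewing per device: it shows where older firmware forces a weaker fallback than the profile asked for.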
Security Step 6 - Allow list or access control list
HP Jetdirect print servers with firmware of x.08.03 or above support the ability to limit access to the printer by creating an allow list or access control list in a Telnet session.
The access control list specifies a range of IP addresses that are allowed TCP connections with the HP Jetdirect. The access control list affects printing as well as management. Therefore, be sure to include the administrator computer’s IP address and the print spooling computer’s IP addresses when configuring the list.
Web proxy servers may hide the IP address of the computer attempting to connect to the HP Jetdirect. Therefore, be sure to put the proxy server IP address in the access control list if Web access is desired. Also, computers that are specified explicitly in the access control list should have static IP addresses (not DHCP assigned).
Up to 10 ranges or single IP addresses can be configured in the allow list. To see what allow list has been configured on the HP Jetdirect, type the following in Telnet:
allow: list
Finally, if an SNMP set community name has been configured on the HP Jetdirect, the computer attempting an SNMP SET command must know the SNMP set community name of the HP Jetdirect as well as be on the access control list of the HP Jetdirect.
Example 1
Assume an HP Jetdirect has an IP address of 192.168.0.70 and a subnet mask of 255.255.255.0.
  1. To allow everyone on the local subnet access to TCP connections to the HP Jetdirect, type the following command in Telnet: allow: 192.168.0.70 255.255.255.0
  2. When finished, type quit and press Enter to exit and save the configuration.
Also assume that an SNMP set community name has been configured on the HP Jetdirect.
In this example, any computer that is not on the 192.168.0 subnet cannot establish a TCP connection to the HP Jetdirect and cannot make any configuration changes via SNMP. Only those computers that are on the 192.168.0 subnet and know the SNMP set community name can make configuration changes via SNMP.
Example 2
  1. To allow only one IP address access to TCP connections to an HP Jetdirect card (for example, 192.168.10.15), enter the following in Telnet: allow: 192.168.10.15 255.255.255.255
  2. When finished, type quit and press Enter to exit and save the configuration.
Also assume that an SNMP set community name has been configured on the HP Jetdirect.
In this example, any computer that does not have an IP address of 192.168.10.15 cannot establish a TCP connection to the HP Jetdirect and cannot make any configuration changes via SNMP.
Example 3
  1. To allow any IP address with the 192.168 prefix access to TCP connections with HP Jetdirect, enter the following: allow: 192.168.0.0 255.255.0.0
  2. When finished, type quit and press the Enter key to exit and save the configuration.
Also assume that an SNMP set community name has been configured on the HP Jetdirect.
In this example, any computer that does not have an IP address that begins with 192.168 cannot establish a TCP connection to the card and cannot make any configuration changes via SNMP.
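The allow-list behaviour in Examples 1 through 3, as an added sketch that is not HP code: it checks a proposed list before it is typed into Telnet, so the administrator and spooler addresses are confirmed reachable. It assumes an entry matches when the client address and the entry address agree under the mask, and that an empty list means no restriction; function names and sample hosts are constructed.

```python
import ipaddress

MAX_ENTRIES = 10  # the page: up to 10 ranges or single addresses


def parse_allow(line):
    """'allow: 192.168.0.70 255.255.255.0' -> (network, mask) as integers."""
    keyword, _, rest = line.partition(":")
    fields = rest.split()
    if keyword.strip() != "allow" or len(fields) != 2:
        raise ValueError(f"not an allow entry: {line!r}")
    addr = int(ipaddress.IPv4Address(fields[0]))
    mask = int(ipaddress.IPv4Address(fields[1]))
    host_bits = ~mask & 0xFFFFFFFF
    if host_bits & (host_bits + 1):
        # A mask such as 255.0.255.0 is almost always a typing error.
        raise ValueError(f"non-contiguous mask: {fields[1]}")
    # Host bits in the address are ignored, as in the page's Example 1,
    # where the print server's own address stands for its whole subnet.
    return addr & mask, mask


def is_allowed(client, entries):
    """True if client matches any entry (assumed: an empty list allows all)."""
    if not entries:
        return True
    ip = int(ipaddress.IPv4Address(client))
    return any((ip & mask) == net for net, mask in entries)


def audit(allow_lines, must_reach, must_block=None):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    if len(allow_lines) > MAX_ENTRIES:
        problems.append(
            f"{len(allow_lines)} entries exceed the limit of {MAX_ENTRIES}")
    entries = [parse_allow(line) for line in allow_lines]
    for name, ip in must_reach.items():
        if not is_allowed(ip, entries):
            problems.append(f"{name} ({ip}) would be locked out")
    for name, ip in (must_block or {}).items():
        if is_allowed(ip, entries):
            problems.append(f"{name} ({ip}) is still allowed")
    return problems


# Constructed sample: a single-host list like the page's Example 2,
# with a print spooler the administrator forgot to include.
SAMPLE_LIST = ["allow: 192.168.10.15 255.255.255.255"]
SAMPLE_REACH = {"admin": "192.168.10.15", "spooler": "192.168.10.20"}

if __name__ == "__main__":
    for problem in audit(SAMPLE_LIST, SAMPLE_REACH):
        print(problem)
```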
Additional information
SNMPv3 and SSL/TLS support
Recent HP Jetdirect print servers (610N with current firmware, 620n, 615N, 680N, and 380X) also include SNMPv3 and SSL/TLS support.
HP Jetdirect device password
HP Jetdirect device passwords are used in HP Web Jetadmin or HP Jetadmin software to secure the HP Jetdirect print server from unauthorized configuration by that software. This password is also known as a software password. This password does not secure the HP Jetdirect print server from unauthorized access from other SNMP management software. To prevent unauthorized access from other SNMP management software, use SNMP set community names described earlier in this document.
HP Jetdirect device passwords can be batch configured from within HP Web Jetadmin software.
Early HP Jetdirect Embedded Web server architecture
Early HP Jetdirect architecture includes an http server (the HP Embedded Web server) that allows the user to access HP Jetdirect print server settings and diagnostics. HP Jetdirect print server models that included the HP Embedded Web server are:
  • 600N (J3110A, J3111A, J3112A, J3113A)
  • 400N (J4100A, J4105A, J4106A)
  • 300X, 500X, and 170X (J3296A, J4101B, J3263A, J3264A, 3265A, J4102B, J3258B)
Passwords
This early HP Embedded Web server architecture matched the HP Jetdirect device password to the HP Embedded Web Server administrator password. The HP Embedded Web server administrator password and the HP Jetdirect device password can be said to be equal. The following shows the password matches for these print server architectures.
  • HP Jetdirect Device Password = HP Embedded Web server Administrator Password
  • Telnet Password = N/A
  • SNMP Set Community Name = N/A
Therefore, batch HP Embedded Web server and HP Jetdirect device password configuration can be done through HP Web Jetadmin software by configuring just the HP Jetdirect device password.
Recent HP Jetdirect and peripheral HP Embedded Web server architecture
Current HP Jetdirect Embedded Web server architecture adds a layer of complexity in that it now supports an HP Embedded Web server on the HP peripheral or printer. This peripheral's HP Embedded Web server can only be accessed if newer HP Jetdirect print server products are installed.
These newer HP Jetdirect products are:
  • 680N (J6058A) (Discontinued)
  • 615N (J6057A) (Discontinued)
  • 610N (J4169A, J4167A) (Discontinued)
  • 620N (J7934A, J7934G)
  • 625N (J7960A, J7960G)
  • 635N (J7961A, J7961G)
  • 380X (J6061A) (Discontinued)
  • 310X (J6038A) (Discontinued)
  • 200M (J6039C) (Discontinued)
  • 250M (J6042A) (Discontinued)
  • 280M (J6044A) (Discontinued)
  • 75X (J6035A) (Discontinued)
  • ew2400 (J7951A, J7951G)
  • en3700 (J7942A, J7942G)
HP peripherals or printers that have an HP Embedded Web Server (EWS) are:
  • Q7535A 802.3 Jetdirect Inside - HP Color LaserJet 3000dn printer
  • Q7534A 802.3 Jetdirect Inside - HP Color LaserJet 3000n printer
  • Q5988A 802.3 Jetdirect Inside - HP Color LaserJet 3600dn printer
  • Q5987A 802.3 Jetdirect Inside - HP Color LaserJet 3600n printer
  • Q5983A 802.3 Jetdirect Inside - HP Color LaserJet 3800dn printer
  • Q5984A 802.3 Jetdirect Inside - HP Color LaserJet 3800dtn printer
  • Q5982A 802.3 Jetdirect Inside - HP Color LaserJet 3800n printer
  • Q7493A 802.3 Jetdirect Inside - HP Color LaserJet 4700dn printer
  • Q7492A 802.3 Jetdirect Inside - HP Color LaserJet 4700n printer
  • Q7495A 802.3 Jetdirect Inside - HP Color LaserJet 4700ph+ printer
  • Q7494A 802.3 Jetdirect Inside - HP Color LaserJet 4700dtn printer
  • Q7517A 802.3 Jetdirect Inside - HP Color LaserJet 4730 MFP printer
  • Q7518A 802.3 Jetdirect Inside - HP Color LaserJet 4730x MFP printer
  • Q7520A 802.3 Jetdirect Inside - HP Color LaserJet 4730xm MFP printer
  • Q7519A 802.3 Jetdirect Inside - HP Color LaserJet 4730xs MFP printer
  • Q5916A HP 9200c Digital Sender printer
  • Q5959A 802.3 Jetdirect Inside - HP LaserJet 2420dn printer
  • Q5962A 802.3 Jetdirect Inside - HP LaserJet 2430dtn printer
  • Q5964A 802.3 Jetdirect Inside - HP LaserJet 2430n printer
  • Q5961A 802.3 Jetdirect Inside - HP LaserJet 2430tn printer
  • Q5403A 802.3 Jetdirect Inside - HP LaserJet 4250dtn printer
  • Q5404A 802.3 Jetdirect Inside - HP LaserJet 4250dtnsl printer
  • Q5401A 802.3 Jetdirect Inside - HP LaserJet 4250n printer
  • Q5402A 802.3 Jetdirect Inside - HP LaserJet 4250tn printer
  • Q3942A 802.3 Jetdirect Inside - HP LaserJet 4345 MFP Em printer
  • Q3943A 802.3 Jetdirect Inside - HP LaserJet 4345x MFP printer
  • Q3945A 802.3 Jetdirect Inside - HP LaserJet 4345xm MFP printer
  • Q3944A 802.3 Jetdirect Inside - HP LaserJet 4345xs MFP printer
  • Q5409A 802.3 Jetdirect Inside - HP LaserJet 4350dtn printer
  • Q5410A 802.3 Jetdirect Inside - HP LaserJet 4350dtnsl printer
  • Q5407A 802.3 Jetdirect Inside - HP LaserJet 4350n printer
  • Q5408A 802.3 Jetdirect Inside - HP LaserJet 4350tn printer
  • Q3726A 802.3 Jetdirect Inside - HP LaserJet 9050 MFP printer
  • Q3728A 802.3 Jetdirect Inside - HP LaserJet 9050 MFP printer
  • Q3722A 802.3 Jetdirect Inside - HP LaserJet 9050n MFP printer
  • Q3723A 802.3 Jetdirect Inside - HP LaserJet 9050dn printer
  • Q7544A 802.3 Jetdirect Inside – HP LaserJet 5200n printer
  • Q7545A 802.3 Jetdirect Inside – HP LaserJet 5200tn printer
  • Q7546A 802.3 Jetdirect Inside – HP LaserJet 5200dtn printer
  • Q7698A 802.3 Jetdirect Inside – HP LaserJet 9040n printer
  • Q7699A 802.3 Jetdirect Inside – HP LaserJet 9040dn printer
  • Q7812A 802.3 Jetdirect Inside – HP LaserJet P3005n printer
  • Q7814A 802.3 Jetdirect Inside – HP LaserJet P3005dn printer
  • Q7815A 802.3 Jetdirect Inside – HP LaserJet P3005x printer
  • CB425A 802.3 Jetdirect Inside – HP LaserJet M4345 MFP printer
  • CB426A 802.3 Jetdirect Inside – HP LaserJet M4345x MFP printer
  • CB427A 802.3 Jetdirect Inside – HP LaserJet M345xm MFP printer
  • CB428A 802.3 Jetdirect Inside – HP LaserJet M345xs MFP printer
  • Q3726A 802.3 Jetdirect Inside – HP LaserJet 9040 MFP printer
  • Q3728A 802.3 Jetdirect Inside – HP LaserJet 9050 MFP printer
  • CB416A 802.3 Jetdirect Inside – HP LaserJet M3027 MFP printer
  • CB417A 802.3 Jetdirect Inside – HP LaserJet M3027x MFP printer
  • CB414A 802.3 Jetdirect Inside – HP LaserJet M3035 MFP printer
  • QB415A 802.3 Jetdirect Inside – HP LaserJet M3035x MFP printer
  • CB425A 802.3 Jetdirect Inside – HP LaserJet M3035xs MFP printer
  • Q7840A 802.3 Jetdirect Inside – HP LaserJet M5025 MFP printer
  • Q7829A 802.3 Jetdirect Inside – HP LaserJet M5035 MFP printer
  • Q7830A 802.3 Jetdirect Inside – HP LaserJet M5035x MFP printer
  • Q7831A 802.3 Jetdirect Inside – HP LaserJet M5035xs MFP printer
Passwords
In current HP Embedded Web server architecture with firmware versions x.22.09 or newer, the HP Embedded Web server password is equal to the HP Jetdirect device password and to the HP Jetdirect telnet password. The following shows the password matches for these devices.
  • HP Embedded Web server password = Telnet password = HP Jetdirect device password
  • SNMP Set Community Name = N/A
The HP Jetdirect device password, EWS password, and the telnet password are all configurable from within HP Web Jetadmin simply by configuring the HP Jetdirect’s device password. This feature provides a method of batch configuration for all three of these passwords on many devices at the same time.
Some important points to remember:
  • New HP Jetdirect Embedded Web server architecture rules apply even if the printer does not have an HP Embedded Web server.
  • HP Web Jetadmin 6.5 must have Service Patch 2 installed before batch configuration of these passwords is possible.
  • SNMP set community name is a separate and standalone password and does not sync with the telnet, HP Jetdirect device or EWS password.
  • "Automatically synchronize Web Jetadmin/SNMP Set Community Name" is a feature that exists in the EWS interface. The feature configures the SNMP Set Community Name but the object can be changed and made different in other configuration utilities.
Background: HP Embedded Web server is an http connection option that is offered on all current HP Jetdirect print servers. Most of the configurable parameters on the HP Jetdirect print server can be accessed through HP Embedded Web server. The HP Embedded Web server can be accessed through a browser by using a URL similar to this: http://IPADDRESS/ where IPADDRESS is the IP address or IP hostname of the HP Jetdirect print server.
Using Telnet with HP Jetdirect print servers
To configure an HP Jetdirect using Telnet, first Telnet to the HP Jetdirect to establish a connection, then once in Telnet, type the various commands as described. You do not have to exit and save each individual configuration; configure as many Security steps as are needed, then exit and save the configuration.
When finished configuring the HP Jetdirect, type quit and press Enter to exit and save the configuration. Newer HP Jetdirect firmware has a menu style Telnet which has an Exit menu and a prompt to save the settings; however, some commands can be used without using the Telnet menu (the Telnet password command, for example.)
 note:
For more information on other HP Jetdirect Telnet interface and configuration parameters, see the support Web pages of specific HP Jetdirect models.
Route Add
To use Telnet commands with the HP Jetdirect print server, a route must be available from the computer to the print server. This means that there must be a match between the network identification of the computer and that of the Jetdirect print server. (Specifically, if the print server is at its default IP address of 192.0.0.192, a route may not exist.)
On Windows computers, use the following route command at a DOS prompt to add a route to the print server:
route add Jetdirect.IP.Address computer.IP.Address where Jetdirect.IP.Address is the IP address of the HP Jetdirect print server and computer.IP.Address is the IP address of the computer.
Example: route add 192.168.45.39 192.170.1.2
To configure an HP Jetdirect using Telnet
  1. Type the following at the system prompt: telnet ipaddress. For example, telnet 198.162.20.10
  2. When the HP Jetdirect responds, press Return twice to make sure that the Telnet connection is initialized.
  3. If using Windows Telnet, first select Terminal and Preferences at the top of the Telnet window.
  4. Check Local Echo and select OK. (Newer firmware on HP Jetdirects does not require Local Echo to be set.) If prompted for a password, enter the correct password, and press Enter.
    Telnet in Windows 2000
    1. Click Start, then Run.
    2. Type telnet, then press Enter.
    3. Type set local_echo. (Some devices, such as the HP Jetdirect 610N card, do not need local echo set. If local echo has been set and double sets of characters appear, type unset local_echo.)
    4. Type open ipaddress (for example, open 192.168.192.191).
  5. At the Telnet prompt, type the parameter to change (see examples below), then press Enter.
  6. Repeat Step 3 to set any additional configuration parameters.
  7. When finished entering the configuration parameters, type quit and press Enter to exit and save the configuration parameters. (To exit without saving, type exit and press Enter.)
  8. Any time during the Telnet session, type a question mark and press Enter to view available configuration parameters.
