
eKUIO NetGard Installation Guide

1
Contents
eKUIO NetGard Overview (page 4)
eKUIO NetGard MFP Setup Guide (page 5)
Configuring eKUIO NetGard with web browser (page 6)
Overview of device configuration (page 9)
NETWORK (page 10)
Network -> Configuration (page 10)
NETWORK -> Advanced Configuration (page 12)
NETWORK -> Routing (page 14)
NETWORK -> IPv4 – IPv6 Translation (page 15)
NETWORK -> IPv4 –> 802.1X (page 16)
SCAN/PRT SETUP -> Scan to Network (page 17)
Scan to Network -> Email (page 18)
Scan to Network -> FTP (page 18)
Scan to Network -> Firewall (page 19)
Scan to Network -> Integration with Third Party Document Management Application (page 19)
Integration with AutoStore – HTTP or SMB (page 20)
Integration with PaperCut (page 21)
Integration with PlanetPress (page 21)
Scan to Network -> Scan to Home (page 22)
SCAN/PRT SETUP -> Authentication (page 23)
SCAN/PRT SETUP -> Secure Print Release (page 24)
SCAN/PRT SETUP -> Certificates (page 26)
SCAN/PRT SETUP -> CAC Settings (page 29)
NetGard Lock MFP Configuration (page 41)
Set MFP IP Address (page 41)
NetGard Lock pkg Installation & Configuration (page 46)
Required MFP settings for Send-to-email & Send-to-Home functions (page 53)
Send-to-email (page 53)
Send-to-Home (page 57)
eKUIO NetGard MFP Connections (page 60)
Appendix A: Certificate Chain Builder Tool (page 62)
Appendix B: Kerberos Info Certificate Tool (page 67)

2
Appendix C: Card Certificate Tool (page 68)
Appendix D: NetGard Certificates Use Case (page 70)
Appendix E: CentraQ Integration (page 71)

3
eKUIO NetGard Overview

Kyocera eKUIO NetGard is a CAC/PIV (Common Access Card/Personal Identity Verification)
authentication solution. This embedded solution provides security in a network environment in
compliance with:

- Homeland Security Presidential Directive HSPD-12
- FIPS 140-2 Validated
- CAC/PIV authentication for NIPRNet & SIPRNet
- ISO Certified
- Networthiness Certified

4
eKUIO NetGard MFP Setup Guide

Connect to this port for device configuration

It is also used for connecting to the MFD LAN port


Use this port for device connection to network

DO NOT USE this USB port


USB ports for card-reader connection
Reserved for factory trouble-shooting only

For initial configuration, you need a computer (preferably a laptop) and a network cable.

1. Assign your host an IP 192.168.20.20
2. Connect your computer to DEV/MGMT port
3. Open web browser, enter https://192.168.20.1:8080

Configuration of the eKUIO NetGard device is performed through web browser.

Explanation for port usage:

- USB1 & USB2 are used for card-reader connection
- DEV/MGMT port is used for device configuration
- DEV/MGMT port is used to connect to MFD’s LAN port
- LAN port is used for connecting to network
- Reset button is used to reset device to factory default

5
Configuring eKUIO NetGard with web browser

Enter https://192.168.20.1:8080 on web browser

Default setting:

User Name: admin

Password: password

Note: The password for admin can be changed under ADMIN -> Users

6
Illustration of a typical embedded eKUIO NetGard deployment

[Figure: card reader, eKUIO NetGard, client PC, certificate server]

Note: The MFD does not communicate with the network directly. All external communication must go
through the eKUIO NetGard device.

The device secures the MFD on the network. It handles all authentication and communication with
the network.

7
After authentication, the first page displayed is the MONITORING -> Status page

Serial number

Assigned IP address for device to communicate with network.

Assigned IP address for device to communicate with MFD.

Assigned IP address for device management. (Label: DEV/MGMT)

Detected card reader connecting to device.

8
Overview of device configuration:
1. NETWORK
- Configuration
- Advanced Configuration
- Routing
- IPv4 – IPv6 Translation
- 802.1X
2. SCAN/PRT SETUP
- Scan to Network
- Authentication
- Secure Print Release
- Certificates
- CAC Settings
3. ADMIN
- Management
- Utilities
- Users
- Date and Time
- Licensed Features Management
4. MONITORING
- Status
- Statistics
- Diagnostics
- MFD
- Logs
5. SUPPORT
- Overview
- Documentation

9
NETWORK
Network -> Configuration

Default: Device’s S/N

Assign NetGard IP to communicate with MFD exclusively

Assign MFD IP to communicate with NetGard exclusively

MFD web protocol & port

Assign device IP to communicate with network (LAN port IP)

IP version selection

Assign device Management Port IP (Notice: same network as MFD and device internal IP)

Must APPLY for changes to take effect

10
System

When the device is shipped, the serial number is automatically used as the Host Name. This can
be changed per customer’s requirement.

Device IP Settings

This is a closed network. The default IP is 192.168.10.1. Its main purpose is for internal
communication between the device and MFD.

LAN IP Settings

Assign an IP address to the device to communicate with customer’s network. This assigned IP is
denoted by the port marked “LAN” as illustrated on page 3.

IP Version

Select the IP version used – IPv4 or IPv6

Management Port IP Settings

Default IP for device management. Notice that this is the IP for accessing this configuration
page. By entering https://192.168.20.1:8080 administrator can access device configuration.

IMPORTANT

Every time a change is made, you must click the Apply button to register the change.

11
NETWORK -> Advanced Configuration

Assign allowable ports for outbound traffic only

(E.g. SMTP 25, HTTP 80, SMB 445, 139)

12
Device DHCP Server

If enabled, a computer host can lease an IP address from this device. It is a closed network
meant for configuration purposes only. In this case, it is set to No. As a result, the computer
host connecting to the device must be assigned a static IP ahead of time, for example
192.168.20.20.

Device Advanced Settings

Default MTU Size and Speed. This applies to internal communication only.

LAN Advanced Settings

MTU Size and Speed. This applies to device communication with customer’s network.

Allow inbound traffic ports: Enter all or specific ports allowed to come into the device.

Allow outbound traffic ports: Enter all or specific ports allowed to go out of the device.

In the example shown, all inbound traffic is allowed, whereas only ports 25, 80, 445 and 139 are
allowed for outbound traffic.

13
NETWORK -> Routing

This section allows for creation of manual route table.

14
NETWORK -> IPv4 – IPv6 Translation

This page allows you to define rules for IPv4 – IPv6 protocol translation. This configuration is
valid only in IPv4 – IPv6 Translation Mode.

15
NETWORK -> IPv4 –> 802.1X

This page allows you to enable/disable 802.1X authentication on device. The device currently supports
EAP-TLS protocol for 802.1X authentication.

16
SCAN/PRT SETUP -> Scan to Network

17
Scan to Network -> Email
When enabled, enter the SMTP IP and port used. The device can be configured to obtain email
address either from CAC or LDAP.

It can be configured to force email only to self.

Security feature includes encryption, either 3DES or AES-256

IMPORTANT: See Scanning to email MFP Configuration section for additional settings on Page
40.

Assign SMTP server IP and ports for scanning to email

Select email address from either CAC or LDAP

Select Encryption Type: 3DES or AES-256

Scan to Network -> FTP


When enabled, enter FTP IP and port used.

By selecting Add User Identifier to file names, files will be identified with either Email Address or
EDI-PI.

EDI-PI is the Electronic Data Interchange Personal Identifier. This is obtained from the CAC card
of user.

Assign FTP server IP and ports for scanning to FTP

Select User Identifier: Email Address or EDI-PI

18
Scan to Network -> File Server
When enabled, enter File Server IP and port.

Scan to Network -> Firewall


Applicable to Outbound traffic after authentication only.

If Only the ports listed below is selected, you can assign specific ports or a range of ports.

Scan to Network -> Integration with Third Party Document Management Application
Supported 3rd party applications: AutoStore, PaperCut and PlanetPress

Supported 3rd party applications – select 1

Master account to access selected 3rd party application

19
Integration with AutoStore – HTTP or SMB
HTTP

- Enter server IP and port number

Enter server IP and port

SMB

- Enter server IP and username & password to access SMB share

Enter server IP

Enter username & password to access SMB share

20
Integration with PaperCut
- Enter the port number for communication with PaperCut

Enter port number for PaperCut

Integration with PlanetPress

Enter IP address for PlanetPress

Enter username & password to access PlanetPress

21
Scan to Network -> Scan to Home
This configuration requires a user account to be created in the MFD’s address book. (Details of
the MFD configuration are covered in a later section.)

Supported SMB versions are V1, V2 and V3.

IMPORTANT: See Scanning to Home Directory MFP Configuration section for additional settings
on Page 41.

*User account for scan to SMB on MFD (see MFD Command Center below)

Domain server IP for home directory scanning

Supported SMB: V1, V2 & V3

22
SCAN/PRT SETUP -> Authentication
Authentication options: X.509, OCSP, and LDAP.

(See Appendix for using LDAP Discovery Tool to obtain LDAP information)

Enter LDAP server info and master account with access right

23
SCAN/PRT SETUP -> Secure Print Release
In order to use the device for storing authenticated user’s print jobs, the device must be made a
member of the domain where user belongs.

Join Windows Domain: Enter domain administrator credential in order to join the domain.

Start/Stop SPR Service: To enable secure job release, change status to START and APPLY.

Ensure that device is a member of target domain

Change to Start and Apply

24
SCAN/PRT SETUP -> Secure Print Release

Join Windows Domain should show device as a member of domain in Current Status.

After starting SPR Service, Current Status should show the name of the queue created. In this
case, it is \\mfd201711052798\ngdprinter

Notice that the naming format is \\DeviceName\PrinterName

Choose printing protocol from: RAW, LPD or IPP

Secure print jobs are stored in the device memory. Administrator defines deletion parameters.

Enabling Direct Print will cause printers to output immediately after jobs are sent.

Status showing that device is now a member of target domain

Create a network shared printer with this specific queue name

\\mfd201711052798\ngdprinter

Printing protocol: RAW, LPD or IPP

Rules for device memory usage and secure print jobs retention

Direct Print selection

25
SCAN/PRT SETUP -> Certificates
All Trusted Certificates are loaded via this section.

(See Appendix on using Certificate Chain Builder to obtain required certificates)

Upload trusted certificates (e.g. domain certificates & card issuer’s certificates)

26
Trusted certificates from domain controller and card issuer must be loaded onto device in order
to authenticate.

On the issuing certificate server for Microsoft Windows domain, obtain the certificates from
issuing Certificate Authority.

Obtain a copy of this certificate to be uploaded to device

27
The customer should obtain a copy of the certificate from the card issuer.

If the certificate is not readily available, use the ActivClient utility to view and obtain the
card certificates.

Select PIV Authentication to view the certificates.

Obtain a copy of these certificates to be uploaded to device

28
SCAN/PRT SETUP -> CAC Settings
Configure login timeout.

Enable MFP Integration allows user to enter PIN on MFP’s large display panel or hard key.

Login timeout setting

Enable user interaction with MFP display panel or hard key

The Configuration Data Sent to MFP defines the function access for authenticated and public
users at the MFP.

          Print       Print Color  Send        Fax         Copy Color  Copy        Admin
Public    true/false  true/false   true/false  true/false  true/false  true/false  true/false
CAC User  true/false  true/false   true/false  true/false  true/false  true/false  true/false

For example, the administrator can allow public access to copy and print while denying copy in
color, scanning, fax and printing in color.

          Print  Print Color  Send   Fax    Copy Color  Copy   Admin
Public    true   false        false  false  false       true   false
CAC User  true   true         true   true   true        true   false

29
Sample default settings:

          Print  Print Color  Send   Fax    Copy Color  Copy   Admin
Public    false  false        false  false  false       false  false
CAC User  true   true         true   true   true        true   false
memberOf  true   true         true   true   true        true   false

{
  "Settings": {
    "sAMAccount": {
      "Value": "%U",
      "sourceType": "Formatted",
      "removeDomain": true
    }
  },
  "publicAccess": {
    "print": false,
    "printColor": false,
    "sending": false,
    "fax": false,
    "copyColor": false,
    "isMfpAdmin": false,
    "copy": false
  },
  "cacUser": {
    "print": true,
    "printColor": true,
    "sending": true,
    "fax": true,
    "copyColor": true,
    "isMfpAdmin": false,
    "copy": true
  },
  "memberOf": {
    "CN=Domain Users,CN=Users,DC=upn,DC=example,DC=com": {
      "print": true,
      "printColor": true,
      "sending": true,
      "fax": true,
      "copyColor": true,
      "isMfpAdmin": false,
      "copy": true
    }
  }
}
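
An added example, not part of the guide or of the NetGard software: a small Python linter for the Configuration Data Sent to MFP JSON shown above, to run on a policy before pasting it into the device. The key names come from the sample; the rules it applies (all seven keys present and boolean in every block, no isMfpAdmin for public users, public never more permissive than cacUser) are assumptions about a sensible policy, not documented device behaviour.

```python
import json

# Permission keys used in the guide's sample "Configuration Data Sent to MFP".
PERMISSION_KEYS = ("print", "printColor", "sending", "fax",
                   "copyColor", "copy", "isMfpAdmin")

DENY_ALL = dict.fromkeys(PERMISSION_KEYS, False)
CAC_DEFAULT = {**dict.fromkeys(PERMISSION_KEYS, True), "isMfpAdmin": False}

# The guide's sample default settings, rebuilt here as a Python dict.
GUIDE_DEFAULT = json.dumps({
    "Settings": {"sAMAccount": {"Value": "%U", "sourceType": "Formatted",
                                "removeDomain": True}},
    "publicAccess": DENY_ALL,
    "cacUser": CAC_DEFAULT,
    "memberOf": {"CN=Domain Users,CN=Users,DC=upn,DC=example,DC=com": CAC_DEFAULT},
})

# Constructed misconfiguration (not from the guide): public users get admin and
# fax, CAC users lose fax, and a group block is incomplete and uses a string.
CONSTRUCTED_BAD = json.dumps({
    "publicAccess": {**DENY_ALL, "isMfpAdmin": True, "fax": True},
    "cacUser": {**CAC_DEFAULT, "fax": False},
    "memberOf": {"CN=Ops,DC=example,DC=com": {"print": "true"}},
})


def check_block(name, block, findings):
    """Record schema problems found in one permission block."""
    if not isinstance(block, dict):
        findings.append(f"{name}: expected an object")
        return
    for key in PERMISSION_KEYS:
        if key not in block:
            findings.append(f"{name}: missing '{key}'")
        elif not isinstance(block[key], bool):
            findings.append(f"{name}: '{key}' must be true or false")
    for key in sorted(set(block) - set(PERMISSION_KEYS)):
        findings.append(f"{name}: unknown key '{key}'")


def lint_policy(text):
    """Return a list of findings; an empty list means no problem was found."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        # A DN wrapped across two lines inside its quotes ends up here.
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    if not isinstance(cfg, dict):
        return ["top level must be a JSON object"]
    findings = []
    for name in ("publicAccess", "cacUser"):
        if name in cfg:
            check_block(name, cfg[name], findings)
        else:
            findings.append(f"{name}: section missing")
    groups = cfg.get("memberOf", {})
    if isinstance(groups, dict):
        for dn, block in groups.items():
            check_block(f"memberOf[{dn}]", block, findings)
    else:
        findings.append("memberOf: expected an object keyed by group DN")
    # Assumed least-privilege rules: public must not exceed authenticated users.
    public = cfg.get("publicAccess")
    cac = cfg.get("cacUser")
    public = public if isinstance(public, dict) else {}
    cac = cac if isinstance(cac, dict) else {}
    if public.get("isMfpAdmin") is True:
        findings.append("publicAccess: unauthenticated users have isMfpAdmin")
    for key in PERMISSION_KEYS:
        if key != "isMfpAdmin" and public.get(key) is True and cac.get(key) is False:
            findings.append(f"publicAccess: '{key}' is allowed for public "
                            "users but denied for cacUser")
    return findings


if __name__ == "__main__":
    for label, doc in (("guide default", GUIDE_DEFAULT),
                       ("constructed", CONSTRUCTED_BAD)):
        print(label, lint_policy(doc) or "no findings")
```

A group DN that is line-wrapped inside its quotes, as can happen when the sample is copied from a PDF, is reported as invalid JSON rather than silently accepted.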

30
ADMIN -> Management

Assign the IP or IP range for remote administration

Assign port to be used for remote administration

Define allowable IP or IP ranges to manage this device via secure connection.

Enabling both LAN and Management Port allows for centralized management of NetGard
devices.

31
ADMIN -> Utilities

Backup device setting

Firmware update

The backup function allows the administrator to save each device’s NetGard configuration
settings. This file can be used for multiple device deployment. After restoring the settings, the
administrator has to change the NetGard Host Name and LAN IP (see Page 9).

32
ADMIN -> Users

NetGard allows up to four unique administrator-level users and four guest (view-only) level
users. There is one default admin and one default guest user that cannot be deleted; only their
default passwords can be changed.

The User List contains the unique User Name required to login to the management GUI, as well
as the First Name, Last Name, and user Type (admin or guest) associated with the username.
The Edit button in the action column links to the User Settings section where the user can
modify details such as password and inactivity timeout.
Select All: Select all the entries in the Users List.
Delete: Delete selected entries from the Users List. Note: The factory default admin and guest
users cannot be deleted.
Add: Add a new user to the User List.

33
ADMIN -> Date and Time

Set correct time zone

Set NTP servers

Accurate date and time settings are vital to the authentication function of NetGard.

Set the date, time and NTP servers. Network Time Protocol (NTP) is a protocol that is used to
synchronize computer clock times in a network of computers. Accurate time across a network is
important.

34
ADMIN -> Licensed Features Management

Licensed Features Management


This page is used to install a license key into the system. It also displays the list of features
that need a license for operation and the list of features that currently have an appropriate
license for operation.

35
MONITORING -> Status

Displays the current system information and network configuration

36
MONITORING -> Statistics

The Statistics page displays statistical information for CAC users and Printer Status.

37
MONITORING -> Diagnostics

The diagnostics page is used to perform various diagnostics such as ping connectivity tests, trace
route, DNS lookup, and others.

38
MONITORING -> MFD

Activities that occurred at this MFP are displayed.

39
MONITORING -> Logs

This page will allow you to configure a Syslog server that can receive detailed log messages from
NetGard MFD. There are a variety of events that can be captured and logged for review.

40
NetGard Lock MFP Configuration
Set MFP IP Address
Select System Menu (2 locations as illustrated below)

System Menu

41
Proceed to Page 2, select System/Network

System/Network

Enter username “Admin” and password “Admin” (default setting)

42
Select Network

Network

Select Wired Network

Wired Network

43
Select TCP/IP Setting

TCP/IP Setting

Enable TCP/IP and change IPv4 setting

TCP/IP
IPv4

Turn ON TCP/IP

44
Change IPv4:

IP Address 192.168.10.30

Subnet Mask 255.255.255.0

Default Gateway 192.168.10.1

Reboot device.

45
NetGard Lock pkg Installation & Configuration
Load MFP NetGard pkg

Select System Menu (2 locations as illustrated below)

System Menu

46
Proceed to Page 2 of System Menu

Scroll down to Page 2

Select Application

Scroll to Page 2

Select Application

47
Enter username “Admin” and password “Admin” (default setting)

A list of installed applications will be shown.

Select Add

At this point, make sure that the target pkg is stored on a USB thumb drive and that the drive
is inserted into the MFP USB port near the display panel.

Select Add to install new HyPAS app.

48
Locate the NetGard Lock pkg on the USB display list. Select and Install.

Select NetGard Lock

Select Install

Highlight NetGard Lock, select Activate

Select Activate

49
If a license is purchased, enter the License Key. Otherwise use the Trial.

Enter license key, if available. Otherwise activate the Trial.

After activation, the MFP panel will display the NetGard Lock icon. Select NetGard Lock.

NetGard Lock

50
Further configuration is required after initial NetGard Lock installation.

Select settings icon

Enter MFP username “Admin” and password “Admin”

Enter MFP Administrator username & password

51
Enter the default Address and Port for MFP to communicate with NetGard

Address: http://192.168.10.1
Port: 80

Apply and Reboot device.

52
Required MFP settings for Send-to-email & Send-to-Home functions.
Access the Command Center RX (CCRX) with a web browser. Enter the IP address assigned to
the NetGard LAN port.

Send-to-email
Select Network Settings -> Protocol

Function Settings

Protocol

Enable Send Protocols -> SMTP (E-mail TX) function:

53
Additional required steps for Send-to-email:

Select Function Settings -> E-mail

Function Settings

E-mail

Enable SMTP

IP: 192.168.10.1

Port: 25

IP 192.168.10.1

Port 25

54
Create Address Book user

Select Address Book -> Machine Address Book

Machine Address Book

On the MFP address book, create one account: NetGardUser

Configure

1. self@mail.mil (scan to email)

55
Create a user account on MFD’s Machine Address Book

Enter any email address in the correct format (self@mail.mil)

56
Send-to-Home
Select Network Settings -> Protocol

Function Settings

Protocol

Enable Send Protocols -> SMB function:

Enable SMB

Set port to 445

SMB = ON

Port = 445

57
Select Address Book -> Machine Address Book

Machine Address Book

On the MFP address book, create one account: NetGardUser

Note: If an account already exists, use the same account.

58
Configure SMB

1. Host Name: 192.168.10.1
2. Port Number: 445
3. Path: scanhome
4. Login User Name: netgard
5. Login Password: netgard

Create a user account on MFD’s Machine Address Book

IP address of NetGard internal network.

Port 445 is allowed for Outbound (page 12, LAN Advanced Settings)

User account for scan to SMB on MFD must match Scan to Home User Name & Password

The NetGard User Name and Password for Scan-to-Home must match the Login User
Name and Password on the MFP’s Machine Address Book user account. (See illustration
on Page 22)

Must match Login User Name & Login Password

SMB Host Name is the internal IP for NetGard device.

59
eKUIO NetGard MFP Connections

The eKUIO NetGard device is installed into the MFP’s KUIO slot.

Configuration:

Green cable shown is for connecting MFP’s Network Interface to NetGard (DEV/MGMT port)

Yellow cable shown is for connecting NetGard (LAN port) to LAN

Black cable shown is for connecting card-reader to NetGard (either USB1 or USB2)

Caution: Do not use uUSB1 for card-reader.

Connecting to LAN

Connecting these 2 ports

Connecting to USB card-reader

60
To LAN

To USB card-reader

MFP’s NIC NetGard DEV/MGMT port

61
Appendix A: Certificate Chain Builder Tool
Use this tool to extract domain certificates. Extracted certificates are required for NetGard.

IMPORTANT: Obtain permission or provide this tool to customer’s administrator to discover the domain
certificates.

Note: Under normal circumstances, the certificate administrator should be able to provide the
certificates.

Run CertificateChainBuilder 3.0.0.1 application

If the application is run on the LDAP server, click Build to proceed.

Build

62
A dialog box will prompt you to save the generated file.

The dialog box will also show the domain information discovered. Click Exit when finished.

63
Locate the file SmartCardLogonCertificates created by the steps above.

Double-click on the file:

Right-click on each certificate. Select All Tasks -> Export…

64
Proceed with Certificate Export Wizard

Next

Select DER encoded binary X.509 (.CER)

DER encoded binary X.509 (.CER)

65
Provide a File Name

Complete export

Repeat the procedure for all certificates shown.

Import all certificates generated into NetGard’s Trusted Certificates section.

Note: See Page 26 for detail

66
Appendix B: Kerberos Info Certificate Tool
Use this tool to discover domain names and LDAP detail to be used on NetGard configuration.

IMPORTANT: Obtain permission or provide this tool to customer’s administrator to discover the domain
name and LDAP detail.

Run KerberosInfoCert2 application next.

These two entries are needed for NetGard domain configuration:

1. dnsHostName
2. ldapServiceName

67
Appendix C: Card Certificate Tool
Use ACC70CWP (ActivIdentity ActivClient for Windows) to extract Smart Card (CAC/PIV) certificates.
Extracted certificates are required for NetGard.

IMPORTANT: Obtain permission or provide this tool to customer’s administrator to discover the Smart
Card issuer’s certificates.

Note: Under normal circumstances, the certificate administrator should be able to provide the
certificates.

Launch the ActivIdentity -> ActivClient -> User Console application

Insert Smart Card into reader.

When the card is read, dialog box will display Smart Card information.

Select My Certificates

My Certificates

68
Open My Certificates folder and export all required certificates.

Import all certificates generated into NetGard’s Trusted Certificates section.

Note: See Page 26 for detail

69
Appendix D: NetGard Certificates Use Case

1. Web pages: Each NetGard device has a default certificate for its web pages. If a customer
wants to replace that with his own certificate, he can do so by generating a self-certificate
request on the SCAN/PRT SETUP -> Certificates section.

The certificate generated can then be loaded as an Active Self Certificate.

2. Kerberos Authentication: NetGard requires CA certificates to perform Kerberos authentication.
These certificates should be loaded on NetGard as Trusted Certificates (CA Certificate).

3. 802.1X authentication: NetGard requires CA certificates for 802.1X authentication. These
certificates should be loaded on NetGard as 802.1X CA Certificates.

4. Smart Card web login service: The customer can log in to NetGard's web site using his smart
card. CA certificates must be loaded on NetGard as Web Authentication CA Certificates.

70
Appendix E: CentraQ Integration
This new feature allows for “follow-me” print job release at any MFP or printers under CentraQ*
management.

NetGard device comes with a secure print release function but it lacks the follow-me function where
users can release jobs at any of the managed devices.

Requirements:

1. CentraQ application
2. Print server
3. Kyocera KX driver

*CentraQ requires a license for each connecting device under management.

Refer to CentraQ User Guide for all setup and configuration procedures.

71
