SBS 2011 and Ricoh (or any network printer that sends scans or notifications by e-mail) (Actually Exchange 2010 Issue)

Posted: March 5, 2011 in Exchange 2010, SBS 2011
Tags: , , ,

As the migration from SBS 2003 top SBS 2011 was progressing, it was time to deal with some network devices, primarily printers.  In this particular office, there was a Ricoh C2050 multi-function device.  It had several issues I had to deal with.

  1. The IP address was set to be 192.168.20.15.  .15 is in the DHCP range that SBS 2011 will control, so it had to be moved to avoid IP conflicts.
  2. The printer was set to deliver .pdf copies of faxes to shares on the SBS 2003 server that were being moved to the SBS 2011 box.
  3. The printer was programmed to allow users to scan a document at the printer and have it delivered via email back to them.  I had to change the SMTP settings to point to the new server.

Steps 1 and 2 were straightforward, and I got them to work right away at the printer console; I could have used the built-in web interface to do the same thing.  Step 3 was just as easy.  I changed the SMTP server address to 192.168.20.2 to point to the new server, changed the log on credentials to the new administrator account, and was feeling pretty good about how easy it was.

Except that scanning didn’t work.  Well, more correctly, scanning worked but no email was delivered to the users.  I checked the settings about oh a dozen times, but no luck.  Finally, a Ricoh technician showed up and said the problem was that a firmware upgrade was out that would fix the problem.

Are you reading ahead?  It didn’t.  But a bit of luck and trial and error led me to the solution.

First, let me tell you about the problem.  Ricoh has not implemented TLS authentication in this printer.  I found this out in a subsequent telephone call with the printer tech.  That made the light-bulb go off in my head.

In Exchange 2010, the Default Receive Connector (found in Hub Transport under Server Configuration on the EMC) specifies the network as all local LAN addresses except the router.  So you would see a network range (on the network tab) of 192.168.20.0 – 192.168.20.0 and  192.168.20.2-192.168.20.255 in this example, since the router is at .1.  The authentication for this segment(on the authentication tab)  is TLS, Basic with TLS, Exchange and Integrated Windows authentication.  Now the problem is obvious.  The Ricoh can’t authenticate on any of these methods.

The solution is very straightforward.  I edited the network segment to exclude the new IP address of .250 as follows:

192.168.20.2 – 192.168.20.249 and 192.168.20.251-192.168.20.255

So far so good.  There are no other changes to make to the Defualt Receive connector.  All this has done is exclude the IP address for the Ricoh printer.

The next thing to do is create a new Receive Connector.  On the Action Pane of EMC, click on New Receive Connector and complete the wizard.  I used internal as the receive type.  I deleted the default IP address range and instead added 192.168.20.250-192.168.20.250.  This is the single IP address for the network printer.

Once the new connector is added, open it by double-clicking on it or clicking on properties in the action pane.  Then click on the authentication tab.  Clear all the authentications but basic and clear the TLS setting for basic as well.  Apply the changes and click OK.

You will now find that the printer device can authenticate correctly to Exchange and it will accept mail from the device.

No doubt there are other network devices – even software programs – that use SMTP but do not authenticate with TLS or as with windows authentication.  Use the same method to allow them to do basic authentication with a new Receive Connector.

Advertisements
Comments
  1. Joe Folkes says:

    Thankyou, been look at this issue for a while, same as yourself, upgrade from SBS 2003 to 2011.

    Like

  2. Joe, this has been coming up more and more often, illustrating how weakly some printer manufacturers implement email integration for notification, scanning and fax forwarding via email. I have played with user name (domain\user) and found it is not always a successful way to get around the need to tweak the receive connectors in Exchange.

    I have also dealt with printers in remote offices. Adding the specific IP address as a separate receive connector works, but there are challenges remaining when the IP address is dynamic.

    Like

  3. Rob says:

    This solution worked perfect!

    Like

  4. It also works for Sharp and other printers. The reason is that these printers don’t authenticate to Exchange, so you carve out a separate IP address and correspond it to a receive connector that allows anonymous authentication. Since this is an IP address inside your LAN, no worries about relaying unwanted email.

    Like

  5. Jim Thompson says:

    I also ran into this problem. After spending 45 minutes with a Ricoh support tech (who was unaware of any authentication issues to Exchange Server) I ended up here of my own volition.

    Your article is great, and got me going down the right path, but it didn’t work for my MP6001SP machine. So I tried modifying your instructions by disabling SMTP Auth. on the machine and unchecking basic authentication and allowing anonymous user access on the new connector, which (surprise, surprise) did work.

    That led me to a second call to Ricoh during which I was advised and sent an article instructing me to create an “open relay” configuration with no authentication. Their article threw open the ENTIRE subnet for open relay, which, while certainly solving the problem of the printers not authenticating, left me wondering how many IT support managers blindly follow any instructions given to them.

    Operating with an open relay (only from a couple of LAN IP’s and CERTAINLY not loving it) seems to be the only solution for me at this point.

    Like

  6. Jim-

    If it’s any consolation, the Ricoh “advanced support” team I spoke with not only was unaware but couldn’t wait to get their hands on my blog post.

    If the source network is a single IP address inside your LAN, for the printer itself, I wouldn’t worry much about annonymous authentication fopr the printer. Just how likely is that an unauthorized sender going to impersonate that internal address?

    Glad this was of some help to you.

    Larry

    Like

  7. Terry says:

    Thanks for the information,

    This solution works with ANY non-TLS authenticating device!!! I could not get my Dell 3115cn to scan to email on SBS 2011 (which includes Exchange 2010) Your fix works like a champ!!! Thanks!

    Terry

    Like

  8. Yes, and I have used it for not only a wide range of printers but for computers that run apps that send email out. I consider it safe to essentially allow relaying from internal LAN addresses.

    Like

  9. Just moved to SBS2011 and I was struggling to get our Rioch C2050 scanning to eMail until I read your post. Fantastic most appreciated it works like a dream, just had to tick the Exchange Users under Permission. Many Many thanks…….

    Like

  10. What amazed me when I wrote this post that seemingly no one at Ricoh (or most any of the other printer manufacturers I have encountered) knows anything at all about this, and it is a very common problem with Exchange servers being used to send scanned documents. Glad you found it helpful.

    Like

  11. Mik Pedersen says:

    I have also resently converted from SBS 2003 to 2011. We have a Sharp MX2300. My problem that I can’t scan to eigher external or internal e-mail. I have made a new Receiver Connector like you suggested and from the scanner point the SMTP server to Server.Domain.local nothing works. When I turn the scanner SMTP to an external SMTP I can use external e-mail but not internal Exchange e-mails. Are there any other settings in Exchange that I miss.

    Like

  12. Mik Pedersen says:

    Just after my comment, I found the error. I struggled with this error for more that one week. It was a AnitSpam problem. Found after looking the Exchange log SMTPReceive. Made the IP address of the Scanner on the Allowed list of the Anti Spam. Then it worked. Thanks Larry for the good advice and inspiration.

    Like

  13. Oh glad you stumbled on that. The rest was pretty easy for you I hope. Can’t tell you how many times I have had to use this, or heard from people who have also needed it.

    Like

  14. Tyler Luce says:

    Thank you for this. I was neglecting listing my subnet without the printer IP. All of my configurations included the entire subnet.

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s