Milestone Systems
XProtect® VMS 2020 R1
System architecture document
XProtect Corporate, XProtect Expert, XProtect Professional+, XProtect Express+, XProtect Essential+
Contents
Copyright, trademarks, and disclaimer
Introduction
Target audience and purpose
Overall system architecture
Server components
    Management server
    Recording server
    Media database
    Event server
    Log server
    SQL Server
    Mobile server
Client components
    XProtect Management Client
    XProtect Smart Client
    XProtect Web Client
    XProtect Mobile client
Encryption
    Introduction to certificates
Additional products and components
    MIP SDK
    Milestone Software Manager
    XProtect Smart Wall
    XProtect Access
    XProtect Transact
    XProtect LPR
    Milestone Interconnect
    XProtect DLNA Server
    Milestone ONVIF Bridge
System communication and data flow
    Server communication
    Login from XProtect Smart Client
    Live video and audio
    Live video multicasting
    Matrix
    Management server – view update
    XProtect Smart Wall
    Play back video and audio
    Login from XProtect Web Client and XProtect Mobile
    Live video for XProtect Web Client and XProtect Mobile
    Recording and playback video for XProtect Web Client and XProtect Mobile
    Video push
    Milestone Interconnect live
    Milestone Interconnect recording options
    Milestone Interconnect play back
    XProtect DLNA Server
    Milestone ONVIF Bridge
    Management Client configuration update
    Log server
    Event server
    XProtect Transact
    XProtect LPR
    View and manage alarms
    Data collector
    Recording server failover
    Evidence lock
    Move hardware
Ports used by the system
Copyright, trademarks, and disclaimer
Copyright © 2020 Milestone Systems A/S
Trademarks
XProtect is a registered trademark of Milestone Systems A/S.
Microsoft and Windows are registered trademarks of Microsoft Corporation. App Store is a service mark of Apple Inc. Android is a trademark of Google Inc.
All other trademarks mentioned in this document are trademarks of their respective owners.
Disclaimer
This text is intended for general information purposes only, and due care has been taken in its preparation.
Any risk arising from the use of this information rests with the recipient, and nothing herein should be construed as constituting any kind of warranty.
Milestone Systems A/S reserves the right to make adjustments without prior notification.
All names of people and organizations used in the examples in this text are fictitious. Any resemblance to any actual organization or person, living or dead, is purely coincidental and unintended.
This product may make use of third-party software for which specific terms and conditions may apply. When that is the case, you can find more information in the file 3rd_party_software_terms_and_conditions.txt located in your Milestone system installation folder.
Introduction
This document contains illustrations and descriptions of communication and dataflow between the most common system components in a distributed system.
The document shows a range of scenarios with a supporting illustration and a description of actions supplemented by information about port numbers, protocols and bandwidth usage.
The illustrations are simplified and primarily focus on the general dataflow between system components. This means that less important flows may have been omitted in order to reduce the level of complexity.
Target audience and purpose
This document's primary audience is system integrators and IT administrators with limited experience and knowledge about Milestone XProtect VMS solutions and who are in the process of selecting, deploying, administrating, maintaining and expanding a VMS.
The purpose of the document is to provide insight into the benefits and simplicity of using Milestone XProtect as a VMS, including an introduction of the system components and the system architecture.
This document should enable the reader to understand:
• The overall system architecture
• The primary system components and their functions
• Guidelines for basic system design
The reader of the document should have general experience with administrating an IT installation.
Overall system architecture
To enable scaling of thousands of cameras across multiple sites, the system consists of several components that handle specific tasks. You can install all components on a single server if the server can handle the load, or you can install the components on separate, dedicated servers to scale and distribute the load.
Depending on hardware and configuration, smaller systems with between 50 and 100 cameras can run on a single server.
For systems with more than 100 cameras, Milestone recommends that you use dedicated servers for all or some of the components.
You do not need all components in all installations. However, you can add them if the functionality they offer is needed at a later time, for example, failover recording servers or mobile servers for hosting and providing access to both XProtect Web Client and XProtect Mobile.
The diagram below shows an overview of the system components.
Server components
Management server
The management server is the central VMS component. It handles the system configuration, distributes the system configuration to other system components, such as the recording servers, and facilitates user authentication.
The system configuration is stored in an SQL database on a standard Microsoft SQL Server installed on either the management server itself or on a separate dedicated server.
Failover management server
You can get failover support on the management server by installing the management server in a Microsoft Windows cluster. The cluster ensures that another server takes over the management server function in case the first server fails.
Recording server
The recording server is responsible for all communication, recording, and event handling related to devices such as cameras, video and audio encoders, I/O modules, and metadata sources. Examples of actions the recording server handles:
• Retrieve video, audio, metadata and I/O event streams from the devices
• Record video, audio and metadata from devices
• Provide operators with access to live and recorded video, audio and metadata
• Provide operators with access to device status
• Trigger system and video events on device failures or events
• Perform motion detection and generate smart search metadata
The recording server is also responsible for communicating with other Milestone products when using the Milestone Interconnect™ technology. For more information, see the Milestone Interconnect section.
Failover recording server
The failover recording server is responsible for taking over the recording task in case a recording server fails.
The failover recording server operates in two modes:
1. Standard failover, for monitoring multiple recording servers
2. Hot standby, for monitoring a single recording server
Media database
The system stores the retrieved video, audio and metadata in the customized high performance Milestone media database which is optimized for recording and storing audio and video data.
The media database supports various unique features including multistage archiving, video grooming, encryption and adding a digital signature to the recordings.
Event server
The event server handles the tasks related to events, alarms, maps and third-party integrations via the Milestone Integration Platform.
Events:
• All system events are consolidated in the event server so there is a single place and interface for partners to make integrations that use system events
• The event server offers third-party access for sending events to the system via the Generic events or Analytics events interface
Alarms:
• The event server hosts the alarm feature, alarm logic, alarm state and handling of the alarm database. The alarm database is stored in the same SQL database as the management server uses
Maps:
• The event server also hosts maps. You configure and use maps in the XProtect Smart Client
Milestone Integration Platform:
• You can install third-party developed plug-ins on the event server and utilize access to system events
You can get failover support on the event server by installing the event server in a Microsoft Windows Cluster. The cluster ensures that another server takes over the event server function in case the first server fails.
Log server
The log server is responsible for storing all log messages for the entire system. The log server typically uses the same SQL Server as the management server but has its own SQL database. Log server is also typically installed on the same server as the management server. If you need to increase the performance of the management server or log server, you can install the log server on a separate server and use a separate SQL Server.
Through the log server, the system can write three types of log messages:
• System logs: the system administrator can choose to log errors, warnings, and information, or a combination of these. The default is to log errors only
• Audit logs: the system administrator can choose to log user activity in clients in addition to login and administration logs
• Rule-triggered logs: the system administrator can use the rule log to create logs on specific events
SQL Server
The management server, the event server and the log server use SQL databases on one or two SQL Server installations to store, for example, configuration, alarms, events and log messages.
The Milestone XProtect installer includes Microsoft SQL Server Express, which is a free edition of SQL Server.
For very large systems or systems with many transactions to and from the SQL databases, Milestone recommends that you use a Microsoft® SQL Server® Standard or Microsoft® SQL Server® Enterprise edition of the SQL Server on a dedicated computer on the network and on a dedicated hard disk drive that is not used for other purposes. Installing the SQL Server on its own drive improves the entire system performance.
Mobile server
XProtect Mobile server handles logins to the system from XProtect Mobile client or XProtect Web Client.
An XProtect Mobile server distributes video streams from recording servers to XProtect Mobile client or XProtect Web Client. This offers a secure setup where recording servers are never connected to the Internet. When an XProtect Mobile server receives video streams from recording servers, it also handles the complex conversion of codecs and formats allowing streaming of video on the mobile device.
Client components
XProtect Management Client
The Management Client is the administration interface for all parts of the system.
The VMS is designed for large-scale operation so the Management Client is designed to run remotely from, for example, the administrator’s computer.
When you select a function in the node tree, the settings for this node appear, typically in a second tree structure where you can manage sub items. Once you have selected the correct item, the actual settings appear in the properties dialog box in the upper right hand corner. The settings are grouped on various tabs if an item has many settings.
XProtect Smart Client
XProtect Smart Client is the main client for the VMS, offering a full set of advanced features and designed for day-to-day use by dedicated operators.
XProtect Smart Client is designed to run remotely from the operators’ computer and supports multiscreen usage in full screen mode as shown below or in floating windows mode where the user can resize the windows and move them around freely.
For more information, see (https://www.milestonesys.com/solutions/platform/clients/xprotect-smart-client/)
XProtect Web Client
XProtect Web Client is a client designed for the occasional or remote user that needs easy access to live monitoring, playback and export. XProtect Web Client also provides access to activating system events and outputs.
For more information, see (https://www.milestonesys.com/solutions/platform/clients/xprotect-web-client/)
Find compatible browsers under XProtect Web Client here: (https://www.milestonesys.com/systemrequirements/)
XProtect Mobile client
The XProtect Mobile client is a client designed for the user on the go. It offers easy access to live monitoring, playback and export of video, as well as access to activating system events and outputs.
You can use the XProtect Mobile client as a remote recording device by using the device's built-in camera and the Milestone Video Push feature. With Video Push activated, video from the device's camera is streamed back to the VMS and recorded as if it is a standard camera.
For more information, see (https://www.milestonesys.com/solutions/platform/clients/milestone-mobile/)
Find the operating systems compatible with XProtect Mobile here: (https://www.milestonesys.com/systemrequirements/)
Encryption
This section gives you an introduction to encryption and certificates.
XProtect systems support secure communication:
From | To
Recording server | Management server
Management server | Recording server
Clients, servers, and integrations that retrieve data streams from the recording server | Recording server
Mobile devices | Mobile server
When do I need to install certificates?
• If your XProtect VMS system is set up in a Windows Workgroup environment
• Before you install or upgrade to XProtect VMS 2019 R1 or newer, if you want to enable encryption during the installation
• Before you enable encryption, if you installed XProtect VMS 2019 R1 or newer without encryption
• When you renew or replace certificates due to expiry
Introduction to certificates
Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP) for secure communication over a computer network. In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS), or its predecessor, Secure Sockets Layer (SSL).
In XProtect VMS, the secure communication is obtained by using SSL/TLS with asymmetric encryption (RSA).
SSL/TLS uses a pair of keys—one private, one public—to authenticate, secure, and manage secure connections.
A certificate authority (CA) can issue certificates to web services on servers using a CA certificate. This certificate contains two keys, a private key and public key. The public key is installed on the clients of a web service (service clients) by installing a public certificate. The private key is used for signing server certificates that must be installed on the server. Whenever a service client calls the web service, the web service sends the server certificate including the public key to the client. The service client can validate the server certificate using the already installed public CA certificate. The client and the server can now use the public and private server certificate to exchange a secret key and thereby establish a secure SSL/TLS connection.
For more information about TLS: https://en.wikipedia.org/wiki/Transport_Layer_Security
In XProtect VMS, the following locations are where you can enable SSL/TLS encryption:
• In the communication between the management server and the recording servers
• On the recording server in the communication with clients, servers and integrations that retrieve data streams from the recording server
• In the communication from clients to the mobile server
For more details on the below references about certificate distribution, download the XProtect VMS Certificates guide from the Milestone website (https://www.milestonesys.com/support/help-yourself/manuals-and-guides/).
Certificate distribution
The graphic illustrates the basic concept of how certificates are signed, trusted, and distributed in XProtect VMS.
A CA certificate acts as a trusted third-party, trusted by both the Subject/owner (server) and by the party that verifies the certificate (clients) (see Create CA certificate).
The public CA certificate must be trusted on all client computers. In this way the clients can verify the validity of the certificates issued by the CA (see Install certificates on the clients).
The CA certificate is used to issue private server authentication certificates to the servers (see Create SSL certificate).
The created private SSL certificates must be imported to the Windows Certificate Store on all servers (see Import SSL certificate).
Requirements for the private SSL certificate:
• Issued to the server so that the server's host name is included in the certificate, either as subject (owner) or in the list of DNS names that the certificate is issued to
• Trusted on all computers running services or applications that communicate with the service on the servers, by trusting the CA certificate that was used to issue the SSL certificate
• The service account that runs the server must have access to the private key of the certificate on the server.
Certificates have an expiry date. XProtect VMS will not warn you when a certificate is about to expire. If a certificate expires, the clients will no longer trust the server with the expired certificate and thus cannot communicate with it. To renew the certificates, follow the steps in this guide as you did when you created certificates.
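Because XProtect VMS does not warn about expiry, the requirements above can be checked on a schedule. The following PowerShell is an added example, not Milestone code: the function name Get-CertFinding, the 30-day warning window, the LocalMachine\My store location and the sample certificates are assumptions made for illustration.

```powershell
# Added example, not Milestone code. Assumed: function/parameter names, the
# 30-day window, the LocalMachine\My store, and the constructed sample data.

function Get-CertFinding {
    param(
        [Parameter(Mandatory)] $Cert,              # X509Certificate2 from the Cert: drive, or a look-alike object
        [Parameter(Mandatory)] [string] $HostName, # name that clients use to reach this server
        [int] $WarnDays = 30,
        [datetime] $Now = (Get-Date)
    )
    $findings = @()

    # Requirement: the host name is the subject or one of the DNS names.
    # DnsNameList is populated by the PowerShell certificate provider.
    $nameOk = $false
    foreach ($n in @($Cert.DnsNameList | ForEach-Object { $_.Unicode })) {
        if (-not $n) { continue }
        if ($n -ieq $HostName) { $nameOk = $true; break }
        # A wildcard name covers exactly one left-most label.
        if ($n.StartsWith('*.') -and $HostName.Contains('.') -and
            ($HostName.Substring($HostName.IndexOf('.')) -ieq $n.Substring(1))) {
            $nameOk = $true; break
        }
    }
    if (-not $nameOk) { $findings += "host name '$HostName' not in certificate" }

    # Expiry: report expired certificates and those inside the warning window.
    $daysLeft = [int][math]::Floor(($Cert.NotAfter - $Now).TotalDays)
    if ($daysLeft -lt 0) {
        $findings += 'expired'
    } elseif ($daysLeft -le $WarnDays) {
        $findings += "expires in $daysLeft days"
    }

    # Requirement: the server holds the private key. Whether the service
    # account can read that key (its ACL) is not inspected here.
    if (-not $Cert.HasPrivateKey) { $findings += 'no private key in store' }

    # Requirement: the issuing CA is trusted. Only possible for real
    # certificates; validates the chain as seen from this computer.
    if ($Cert -is [System.Security.Cryptography.X509Certificates.X509Certificate2]) {
        $trusted = Test-Certificate -Cert $Cert -Policy SSL -DNSName $HostName `
            -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
        if (-not $trusted) { $findings += 'chain or name validation failed on this computer' }
    }

    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        DaysLeft   = $daysLeft
        Findings   = $findings -join '; '
    }
}

# Constructed sample objects so the logic can be run without touching a store.
$now = [datetime]::new(2020, 3, 1)
$samples = @(
    [pscustomobject]@{ Thumbprint = 'SAMPLE-VALID'; NotAfter = $now.AddDays(400); HasPrivateKey = $true
                       DnsNameList = @([pscustomobject]@{ Unicode = 'rec01.vms.example' }) },
    [pscustomobject]@{ Thumbprint = 'SAMPLE-EXPIRING'; NotAfter = $now.AddDays(12); HasPrivateKey = $true
                       DnsNameList = @([pscustomobject]@{ Unicode = '*.vms.example' }) },
    [pscustomobject]@{ Thumbprint = 'SAMPLE-WRONG-NAME'; NotAfter = $now.AddDays(-3); HasPrivateKey = $false
                       DnsNameList = @([pscustomobject]@{ Unicode = 'mgmt01.vms.example' }) }
)
$samples | ForEach-Object { Get-CertFinding -Cert $_ -HostName 'rec01.vms.example' -Now $now }

# On a server, run it over the real store instead of the samples:
# Get-ChildItem Cert:\LocalMachine\My |
#     ForEach-Object { Get-CertFinding -Cert $_ -HostName 'rec01.vms.example' }
```

The chain check reflects trust on the computer where the script runs, so repeating it on a client computer with the exported public certificate shows whether that client trusts the issuing CA.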
Additional products and components
Available functionality depends on the system you are using. See the Product comparison chart (https://www.milestonesys.com/solutions/platform/product-index/) for more information.
MIP SDK
The Milestone Integration Platform Software Development Kit (MIP SDK) is a comprehensive tool that makes it easy to create applications, plug-ins or integrations for Milestone’s XProtect products.
MIP
The open platform is integrated in the following Milestone XProtect system components and applications:
• XProtect Smart Client
• XProtect Management Client
• Management Application
• Management Server
• Event Server
MIP SDK
To have a truly open platform and a community around it Milestone provides the SDK that contains:
• The tools for developing integrations
• Documentation of a set of interfaces
• A set of wrapper .NET DLLs providing an easy interface to a variety of functionality
• A large collection of samples demonstrating different ways of using the MIP SDK
• Short descriptions and how-to guides
• A small application to display links to this information
• Libraries
The MIP SDK is also used internally by Milestone software development teams.
For more information, see (https://www.milestonesys.com/community/developer-tools/sdk/).
Milestone Software Manager
Milestone Software Manager is a tool that you, from a central point, can use to remotely install and upgrade recording servers, recording server device packs and XProtect Smart Clients on servers or PCs in the network.
For larger installations, the tool makes it easy and fast to remotely upgrade the components that are installed on servers and client PCs.
For more information, see (https://www.milestonesys.com/solutions/hardware-and-add-ons/milestone-addons/utilities/).
XProtect Smart Wall
XProtect Smart Wall is designed for control centers to display live video from selected cameras on one or more video wall displays.
There are several ways you can select the cameras:
• Manually using the XProtect Smart Client
• Via the VMS’ rule system on events and/or time schedule
• Via MIP SDK integrations
XProtect Smart Wall does not require a dedicated XProtect software component itself, nor does it use a dedicated XProtect client - all the required components are included in the standard XProtect Corporate management server and XProtect Smart Client. It just needs a PC running XProtect Smart Client to show the Smart Wall views.
XProtect Smart Wall is included in XProtect Corporate. You can purchase it as an add-on for XProtect Expert.
For more information, see (https://www.milestonesys.com/solutions/hardware-and-add-ons/milestone-addons/smart-wall/).
XProtect Access
The access control integration feature introduces new functionality that makes it simple to integrate customers’ access control systems with XProtect. You get:
• A common operator user interface for multiple access control systems in XProtect Smart Client
• Faster and more powerful integration of access control systems
• More functionality for the operator (see below)
In XProtect Smart Client, the operator gets:
• Live monitoring of events at access points
• Operator aided passage for access requests
• Map integration
• Alarm definitions for access control events
• Investigation of events at access points
• Centralized overview and control of door states
• Cardholder information and management
The use of XProtect Access requires that you have purchased a base license that allows you to access this feature within your XProtect system. You also need an access control door license for each door you want to control.
You can use XProtect Access with access control systems from vendors where a vendor-specific plug-in for XProtect Access exists. You must install this plug-in on the event server before you can start an integration.
For more information, see (https://www.milestonesys.com/solutions/hardware-and-add-ons/milestone-addons/access/).
XProtect Transact
XProtect Transact is an add-on to Milestone's IP video surveillance solutions XProtect VMS and XProtect Professional VMS.
XProtect Transact is a tool for observing ongoing transactions and investigating transactions in the past. The transactions are linked with the digital surveillance video monitoring the transactions, for example to help you prove fraud or provide evidence against a perpetrator. There is a 1-to-1 relationship between the transaction lines and video images.
The transaction data may originate from different types of transaction sources, typically point of sales (PoS) systems or automated teller machines (ATM).
For more information, see (https://www.milestonesys.com/solutions/hardware-and-add-ons/milestone-addons/transact/).
XProtect LPR
XProtect LPR offers video-based content analysis (VCA) and recognition of vehicle license plates that interacts with your surveillance system and your XProtect Smart Client.
To read the characters on a plate, XProtect LPR uses optical character recognition on images aided by specialized camera settings.
You can combine LPR (license plate recognition) with other surveillance features such as recording and event-based activation of outputs.
Examples of events in XProtect LPR:
• Trigger surveillance system recordings in a particular quality
• Activate alarms
• Match against positive/negative license plate match lists
• Open gates
• Switch on lights
• Push video of incidents to computer screens of particular security staff members
• Send mobile phone text messages
With an event, you can activate alarms in XProtect Smart Client.
For more information, see (https://www.milestonesys.com/solutions/hardware-and-add-ons/milestone-addons/lpr/)
Milestone Interconnect
Milestone Interconnect allows you to integrate several XProtect or Milestone Husky™ installations with one XProtect Corporate central site. You can also install these sites, called remote sites, on mobile units, for example, boats, buses or trains. This means that such sites do not need to be permanently connected to a network.
The central site considers the remote site as an advanced camera or multi-channel encoder with edge storage capabilities.
Each remote site runs independently and can perform surveillance tasks as configured. Depending on the network connections and appropriate user rights, Milestone Interconnect offers you direct live viewing of remote site cameras and play back of remote site recordings on the central site.
It also offers you the possibility to transfer remote site recordings to the central site based on either system-defined events, rules, schedules or by manual requests from XProtect Smart Client users.
The central site can only see and access devices that the user account specified on the remote site has access to. This allows local system administrators on the remote sites to control which devices should be made available to the central site and its users.
On the central site, you can view the status for the interconnected cameras, but not the entire status of the remote site. Instead, to monitor the remote site, you can use remote site events to trigger alarms or other notifications on the central site.
Only XProtect Corporate systems can work as central sites. All other products can act as remote sites including XProtect Corporate. How specifically the products interact in a Milestone Interconnect setup depends on the version of the XProtect or Milestone Husky installations, the number of cameras and how devices and events are configured on the remote site. For further details, go to the Milestone Interconnect website (https://www.milestonesys.com/solutions/hardware-and-add-ons/milestone-addons/interconnect/).
It is not possible to add systems with free XProtect installation as remote sites.
XProtect DLNA Server
DLNA (Digital Living Network Alliance) is a standard for connecting multimedia devices. Electronics manufacturers get their products DLNA certified to ensure interoperability between different vendors and devices and thereby enable them to distribute multimedia content such as audio, video, and photos.
Public displays and TVs are often DLNA certified and connected to a network. They are able to scan the network for media content, connect to the device, and request a media stream to their built-in media player. XProtect DLNA Server can be discovered by certain DLNA certified devices and deliver live video streams from selected cameras to DLNA certified devices with a media player.
The DLNA devices have a live video delay of 1-10 seconds. This is caused by different buffer sizes in the devices.
XProtect DLNA Server must be connected to the same network as the XProtect system and the DLNA device must be connected to the same network as XProtect DLNA Server.
Milestone ONVIF Bridge
The ONVIF standard facilitates full video interoperability in multivendor installations and ensures information exchange by defining a common protocol. The protocol contains ONVIF profiles, which are collections of specifications for interoperability between ONVIF compliant devices.
Milestone ONVIF Bridge is compliant with the parts of ONVIF Profile G and Profile S that provide access to live and recorded video, and the ability to control pan-tilt-zoom cameras:
• Profile G - Provides support for video recording, storage, search, and retrieval. For more information, see ONVIF Profile G Specification (https://www.onvif.org/profiles/profile-g/).
• Profile S - Provides support for streaming live video using the H.264 codec, audio streaming, and pan-tilt-zoom (PTZ) controls. For more information, see ONVIF Profile S Specification (https://www.onvif.org/profiles/profile-s/).
For more information about the ONVIF standard, see the ONVIF® website (https://www.onvif.org/).
ONVIF Profiles support “get” functions that retrieve data, and “set” functions that configure settings. Each function is either mandatory, conditional, or optional. For security reasons, Milestone ONVIF Bridge supports only the mandatory, conditional, and optional “get” functions that do the following:
• Request video
• Authenticate users
• Stream video
• Play recorded video
For more information, see (https://www.milestonesys.com/community/developer-tools/milestone-ecosystem/).
System communication and data flow
Server communication
# | Component | Port | Protocol | Bandwidth
1 | Management server - Recording server | 9993 | TCP | 1 kbit/call
2 | Recording server - Media database | - | - | -
3 | Management server - Internal | 8080 | UDP | 1 kbit/call
4 | SQL database communication | 1433 | TCP | 1 kbit/call
5 | Management server - Mobile server | 80 | HTTP | 1 kbit/call
Login from XProtect Smart Client
# | Process | Port | Protocol | Bandwidth
1 | XProtect Smart Client connects to the management server and attempts to log in | Configurable. Typically port 80 for an AD user and port 443 for a basic user | HTTP for an AD user and HTTPS for a basic user | Low, 1 kbit/call
2 | The management server contacts Active Directory to authenticate the user | OS- and AD-dependent | OS- and AD-dependent | Low, 5 kbit/call
3 | User-specific configuration is retrieved from the SQL database | 1433 | TCP | Depends on configuration
4 | Login is granted and the configuration is sent to XProtect Smart Client | Configurable. Typically port 80 for an AD user and port 443 for a basic user | HTTP for an AD user and HTTPS for a basic user | Depends on configuration, typically 1-10 MByte
Live video and audio
# | Process | Port | Protocol | Bandwidth
1 | Live streams from cameras retrieved by the recording server | Configurable. Typically port 80 | Configurable. Typically RTSP, UDP, TCP/IP | Device configurable. Typically 1-10 Mbit/s
2 | Streams are sent to XProtect Smart Client on request | Configurable. The default port is 7563 | Configurable, TCP/IP, UDP Multicast. The default is TCP/IP | Usage-dependent, sum of camera streams viewed
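The recording server's client-facing stream port in the table above (default 7563) is the one the mobile server setup is meant to keep off the Internet. The following PowerShell is an added example, not Milestone code, that flags peers connected to that port from outside the address ranges you expect; Test-InCidr, Find-UnexpectedPeer, the 10.20.0.0/16 range and the sample connections are assumptions constructed for illustration.

```powershell
# Added example, not Milestone code. Assumed: function names, the allowed
# range, and the constructed sample connections. Port 7563 is the documented
# default and is configurable, so pass the port your system actually uses.

function Test-InCidr {
    param([string] $Address, [string] $Cidr)
    $net, $bits = $Cidr -split '/'
    $a = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $n = [System.Net.IPAddress]::Parse($net).GetAddressBytes()
    # IPv4 only: anything else is treated as "not in range" and gets flagged.
    if ($a.Length -ne 4 -or $n.Length -ne 4) { return $false }
    for ($i = 0; $i -lt 4; $i++) {
        # Number of prefix bits that fall into this octet (0..8).
        $take = [math]::Min(8, [math]::Max(0, [int]$bits - 8 * $i))
        $mask = (0xFF -shl (8 - $take)) -band 0xFF
        if (($a[$i] -band $mask) -ne ($n[$i] -band $mask)) { return $false }
    }
    return $true
}

function Find-UnexpectedPeer {
    param(
        [object[]] $Connections,    # objects with LocalPort and RemoteAddress
        [int[]]    $Ports,          # VMS ports to watch on this server
        [string[]] $AllowedCidrs    # networks where clients and servers live
    )
    foreach ($c in $Connections) {
        if ($Ports -notcontains $c.LocalPort) { continue }   # not a watched port
        $ok = $false
        foreach ($cidr in $AllowedCidrs) {
            if (Test-InCidr -Address $c.RemoteAddress -Cidr $cidr) { $ok = $true; break }
        }
        if (-not $ok) {
            [pscustomobject]@{ LocalPort = $c.LocalPort; RemoteAddress = $c.RemoteAddress }
        }
    }
}

# Constructed sample: what Get-NetTCPConnection might return on a recording server.
$sample = @(
    [pscustomobject]@{ LocalPort = 7563; RemoteAddress = '10.20.1.15' },    # operator workstation
    [pscustomobject]@{ LocalPort = 7563; RemoteAddress = '10.20.9.4' },     # mobile server
    [pscustomobject]@{ LocalPort = 7563; RemoteAddress = '203.0.113.50' },  # outside the allowed range
    [pscustomobject]@{ LocalPort = 3389; RemoteAddress = '198.51.100.7' }   # other service, ignored here
)
Find-UnexpectedPeer -Connections $sample -Ports 7563 -AllowedCidrs '10.20.0.0/16'

# On a recording server, feed it live data instead of the sample:
# Find-UnexpectedPeer -Connections (Get-NetTCPConnection -State Established) `
#     -Ports 7563 -AllowedCidrs '10.20.0.0/16'
```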
Live video multicasting
# | Process | Port | Protocol | Bandwidth
1 | Live streams from cameras retrieved by the recording server | Configurable. Typically port 80 | Configurable. Typically RTSP, UDP, TCP/IP | Device configurable. Typically 1-10 Mbit/s
2 | Recording server sends multicast stream to the multicast enabled network. This requires that all switches handling the data traffic between the XProtect Smart Client and the recording server must be configured for multicast | Configurable. The default port range is 6000-7000 | UDP IGMP Multicast | Usage-dependent, sum of camera streams viewed
3 | The multicast stream is received by all XProtect Smart Clients on request | Configurable. The default port range is 6000-7000 | UDP IGMP Multicast | Usage-dependent, sum of camera streams viewed
Matrix
# | Process | Port | Protocol | Bandwidth
1 | XProtect Smart Client user selects to send a camera to a Matrix-recipient | N/A | N/A | N/A
2 | Information is sent to management server | Configurable. Typically port 80 for an AD user and port 443 for a basic user | HTTP for AD user and HTTPS for basic user | Low, 1 kbit/call
3 | Management server sends request to Matrix-recipient on specified IP address and port (XProtect Smart Client B) | Configurable. The default port is 12345 | TCP/IP | Low, 1 kbit/call
4 | Streams are sent to XProtect Smart Client from recording server on request | Configurable. The default port is 7563 | Configurable, TCP/IP, UDP Multicast. The default is TCP/IP | Usage-dependent, sum of camera streams viewed
Management server – view update
Process | Port | Protocol | Bandwidth
1. View updated on XProtect Smart Client | Configurable. Typically port 80 for an AD user and port 443 for a basic user | HTTP for an AD user and HTTPS for a basic user | Low, 1 kbit/call
2. The system configuration is stored in the SQL database | 1433 | TCP | Low, 1 kbit/call
3. The management server sends notification about view update to XProtect Smart Clients | Configurable. Typically port 80 for an AD user and port 443 for a basic user | HTTP for an AD user and HTTPS for a basic user | Low, 1 kbit/call + constant low use
4. XProtect Smart Clients retrieve and apply the new view | Configurable. Typically port 80 for an AD user and 443 for a basic user | HTTP for an AD user and HTTPS for a basic user | Low, 1 kbit/call
XProtect Smart Wall
Process | Port | Protocol | Bandwidth
1. An XProtect Smart Client user updates the XProtect Smart Wall view | Configurable. The default is 5432 (disabled by default) | TCP/IP | Low, 1 kbit/call
2. The XProtect Smart Wall view configuration is updated and stored in the SQL database | 1433 | TCP | Low, 1 kbit/call
3. The management server sends a notification to the XProtect Smart Client running the XProtect Smart Wall | Configurable. Typically 80 for an AD user and 443 for a basic user | HTTP for an AD user and HTTPS for a basic user | Low, 1 kbit/call
4. The XProtect Smart Client running the XProtect Smart Wall retrieves and applies new layout | Configurable. Typically 80 for an AD user and 443 for a basic user | HTTP for an AD user and HTTPS for a basic user | Low, 1 kbit/call
Play back video and audio
Process | Port | Protocol | Bandwidth
1. Recording stream from cameras retrieved by the recording server | Configurable. Typically port 80 | Configurable. Typically RTSP, UDP, TCP/IP | Device configurable. Typically 1-10 Mbit/s
2. The stream is recorded in the recording server database based on rules | N/A | N/A | Device configurable. Typically 1-10 Mbit/s
3. The recorded stream is retrieved by XProtect Smart Client on playback request | Configurable. The default port is 7563 | TCP/IP | Usage dependent, sum of camera streams viewed
Login from XProtect Web Client and XProtect Mobile
Process | Port | Protocol | Bandwidth
1. Login request from XProtect Web Client or XProtect Mobile received on the mobile server | Configurable. Typically 8081 for HTTP and 8082 for HTTPS | HTTP or HTTPS | Low, 1 kbit/call
2. The mobile server forwards request to the management server | Configurable. Typically 80 for an AD user and 443 for a basic user | HTTP for an AD user and HTTPS for a basic user | Low, 1 kbit/call
3. The management server contacts Active Directory to authenticate the user | OS- and AD-dependent | OS- and AD-dependent | Low, 1 kbit/call
4. User-specific configuration is retrieved from the SQL database | 1433 | TCP | Configuration dependent
5. Information returned to the mobile server | Configurable. Typically 80 for an AD user and 443 for a basic user | HTTP for an AD user and HTTPS for a basic user | Configuration dependent, typically 1-10 MByte
6. The login is granted and configuration is sent to XProtect Web Client or XProtect Mobile | Configurable. Typically 8081 for HTTP and 8082 for HTTPS | HTTP or HTTPS | Configuration dependent, typically < 100 kByte
Live video for XProtect Web Client and XProtect Mobile
Process | Port | Protocol | Bandwidth
1. Live stream(s) from cameras retrieved on the recording server | Configurable. Typically port 80 | Configurable. Typically RTSP, UDP, TCP/IP | Device configurable. Typically 1-10 Mbit/s
2. Streams are sent to the mobile server for transcoding or as direct streaming | Configurable. The default is 7563 | Configurable, TCP/IP, UDP Multicast. The default is TCP/IP | Usage dependent, sum of camera streams viewed
3. Video is streamed to the clients | Configurable. Typically 8081 for HTTP and 8082 for HTTPS | HTTP or HTTPS | Transcoding: typically 50–200 kbit/s. Native: device configurable. Typically 0.05-1 Mbit/s
Recording and playback video for XProtect Web Client and XProtect Mobile
Process | Port | Protocol | Bandwidth
1. Recording stream from cameras retrieved on the recording server | Configurable. Typically port 80 | Configurable. Typically RTSP, UDP, TCP/IP | Device configurable. Typically 1-10 Mbit/s
2. The stream is recorded in the recording server database based on rules | Configurable. The default is 7563 | Configurable. TCP/IP, UDP Multicast. The default is TCP/IP. | Usage dependent, sum of camera streams viewed
3. Recordings are sent to the mobile server for transcoding or as direct streaming | Configurable. Typically 8081 for HTTP and 8082 for HTTPS | HTTP or HTTPS | Transcoding: typically 50–200 kbit/s. Native: device configurable. Typically 1-10 Mbit/s
4. Video is streamed to clients | - | - | -
Video push
Process | Port | Protocol | Bandwidth
1. Video push stream from a device running XProtect Mobile is sent instantly to the mobile server | Configurable. Typically port 8081 for HTTP and port 8082 for HTTPS | HTTP or HTTPS | Usage dependent, resolution and frame-rate set up in the mobile device. Typically 0.05 – 1 Mbit/s
2. The video push stream is retrieved by recording server using the specific video push device driver | Configurable. Typically port 40001 (40002, 40003, if many devices are present) | TCP/IP | Usage dependent, resolution and frame-rate set up in the mobile device. Typically 0.05 – 1 Mbit/s
Milestone Interconnect live
Process | Port | Protocol | Bandwidth
This illustrates how XProtect Smart Client users, specified for the interconnected system, only need to log into the management server on the central site to view video
1. Live stream(s) from the remote site cameras retrieved by the remote site recording server | Configurable. Typically 80 | Configurable. Typically RTSP, UDP, TCP/IP | Device configurable. Typically 1-10 Mbit/s
2. Live streams from the remote site recording server retrieved by the central site recording server | Configurable. The default is 7563* | TCP/IP | Usage dependent, sum of camera streams viewed
* In XProtect Professional VMS the default port is 80, events 22331, central 1237 must be open. The recording server on the central site connects to the remote site in the same way as an XProtect Smart Client
3. Stream(s) are sent to XProtect Smart Client on request | Configurable. The default is 7563 | Configurable, TCP/IP, UDP Multicast. The default is TCP/IP | Usage dependent, sum of camera streams viewed
Milestone Interconnect recording options
Process | Port | Protocol | Bandwidth
This highlights some of the different options when configuring your system recording settings
No recording | - | - | -
Record at remote site only | - | - | -
Retrieve recordings from remote site on request | - | - | -
Retrieve recordings from remote site based on rule (time profile) | - | - | -
Record at central site only | - | - | -
Retrieve recordings from remote site after site link down | - | - | -
Record at both sites | - | - | -
Combinations of above and other options | - | - | -
These options could also be combined with cameras that have edge storage capabilities
Milestone Interconnect play back
Process | Port | Protocol | Bandwidth
This illustrates when recording is done on both sites. Recordings can be retrieved to the central site based on schedule, event or request. XProtect Smart Client users, specified for the interconnected system, only need to log into the management server on the central site to view video
1. Recording stream from the remote site cameras retrieved by the remote site recording server | Configurable. Typically 80 | Configurable. Typically RTSP, UDP, TCP/IP | Device configurable. Typically 1-10 Mbit/s
2. The stream is recorded in the remote site recording server database based on rules | N/A | N/A | -
3. Recording stream from the remote site recording server retrieved by the central site recording server | Configurable. The default is 7563* | TCP/IP | Sum of camera streams viewed
* In XProtect Professional VMS the default port is 80, events 22331, central 1237 must be open. The recording server on the central site connects to the remote site in the same way as an XProtect Smart Client
4. The stream is recorded in the central site recording server database based on rules. Recordings not available due to remote site link downtime can be retrieved automatically or based on schedule, event or request | N/A | Configurable by remote retrieval settings
5. The recorded stream(s) are retrieved by XProtect Smart Client on playback request | Configurable. The default is 7563 | TCP/IP | Sum of camera streams viewed
XProtect DLNA Server
Process | Port | Protocol | Bandwidth
1. The XProtect DLNA Server connects to the management server to authorize itself with the provided credentials | Configurable. Typically port 80 for an AD user and port 443 for a basic user | HTTP for an AD user and HTTPS for a basic user | Low, 1 kbit/call
2. A DLNA device scans the network and connects to the XProtect system via the XProtect DLNA Server and requests a live camera video stream | Configurable. The default port is 9100 | HTTP | Low, 1 kbit/call
3. XProtect DLNA Server retrieves the requested camera video stream from the recording server | Configurable. The default port is 7563 | TCP/IP | Usage dependent, sum of camera streams viewed
4. XProtect DLNA Server sends the live video stream from the requested camera to the DLNA device | Configurable. The default port is 9200 | HTTP | Usage dependent, sum of camera streams viewed
Only H.264 encoded camera streams are supported. If a camera supports multiple streams, only the default stream is sent. The system administrator manages the entire XProtect DLNA Server configuration from the Management Client. For example, selecting cameras available
Milestone ONVIF Bridge
Process | Port | Protocol | Bandwidth
1. Login, stream or PTZ request from ONVIF client received on the Milestone ONVIF Bridge server. The Milestone ONVIF Bridge is a gateway for non-Milestone clients to the Milestone VMS | Configurable. The default is 580 | HTTP for an AD user and HTTPS for a basic user | Low, 1 kbit/call
2. The Milestone ONVIF Bridge forwards the login request to the management server to authenticate the user. Access to the Milestone VMS is granted and sent to the Milestone ONVIF Bridge server | Configurable. Typically 80 for an AD user and 443 for a basic user | HTTP for an AD user and HTTPS for a basic user | Low, 1 kbit/call
3. Requested live or playback stream from the recording server is retrieved by the Milestone ONVIF Bridge server | Configurable. The default port is 7563 | TCP/IP | Usage dependent, sum of camera streams viewed
4. Video is streamed to the ONVIF client | Configurable. The default port is 554 | RTSP | Usage dependent, sum of camera streams viewed
Management Client configuration update
Process | Port | Protocol | Bandwidth
1. Configuration updated on the Management Client | - | - | -
2. Changes are stored on the management server | Configurable. Typically 80 for an AD user and 443 for a basic user | HTTP for an AD user and HTTPS for a basic user | Low, 10 kbit/call
3. Configuration update sent to relevant components. In this case, the recording server | 9993 | TCP/IP | Low, 1 kbit/call
4. If updates concern cameras, the recording server applies new settings | Configurable. Typically 80 for HTTP and 443 for HTTPS | HTTP or HTTPS | Low, 1 kbit/call
Log server
Process | Port | Protocol | Bandwidth
1. The Management server or recording server creates a log message | 9993 | TCP | Low, 1 kbit/call
2. The log message is forwarded to the log server | 22337 | HTTP | Low, 1 kbit/call
3. The log message is stored in the log server's SQL database | 1433 | TCP | Low, 1 kbit/call
Event server
Process | Port | Protocol | Bandwidth
Data about alarms, access control or map updates are received by the event server | - | - | -
Third-party integrations MIP message communication | 22333 | TCP/IP | Low, 1 kbit/call
Access control integrations | Depends on the integration | TCP/IP | Low, 1 kbit/call
XProtect Access. The event server Plug-in is a client to the access control system | Random or fixed. Paxton 8025 | TCP/IP | Low, 1 kbit/call
Analytics events | Configurable. The default port is 9090 | TCP/IP | Low, 1 kbit/call
Generic events | Configurable. The default ports are 1234 and 1235 | TCP/IP, UDP | Low, 1 kbit/call
Recording server | 7563 | TCP | Low, 1 kbit/call
The event server sends data to XProtect Smart Client to show in alarm list, XProtect Access or the map overview. The XProtect Smart Client user responds to the notification and returns data to event server | - | - | -
XProtect Transact
Process | Port | Protocol | Bandwidth
1. Transaction data generated by the transaction source is sent to the event server and stored | Configurable. Typically 80 | TCP/IP | Low, 10 kbit/call
2. The event server sends transaction data to XProtect Smart Client. View items containing transaction data and the associated video is updated | Configurable. The default is 22331, 22333 | TCP/IP | Low, 1 kbit/call
The system administrator manages the entire XProtect Transact configuration from the Management Client. For example, setting up transaction sources, associated cameras, definitions and events | - | - | -
XProtect LPR
Process | Port | Protocol | Bandwidth
1. Live streams from cameras configured for LPR (License Plate Recognition) retrieved by the recording server | Configurable. Typically 80 | Configurable. Typically RTSP, UDP, TCP/IP | Device configurable. Typically 1-10 Mbit/s
2. Streams from the recording server retrieved by the LPR server | Configurable. The default is 7563 | TCP/IP | Usage dependent, sum of camera streams viewed
3. The LPR server recognizes license plates by comparing them with the license plate characteristics of the installed country modules. Found license plates are compared with the license plate match list requests from the event server LPR plug-in | 22334 | TCP/IP | Low, 1 kbit/call
4. The event server sends events and alarms to XProtect Smart Client when there is a match | Configurable. The default is 22331, 22333 | TCP/IP | Low, 1 kbit/call
The system administrator manages the entire XProtect LPR configuration, for example, setting up events, alarms, and match lists from the Management Client. To be able to configure XProtect LPR from the Management Client you must install the LPR plug-in on the Management Client computer
View and manage alarms
Process | Port | Protocol | Bandwidth
1. XProtect Smart Client requests an alarm list from event server | Configurable. The default port is 22331 | TCP/IP | Low, 1 kbit/call
2. The alarm list is retrieved from the SQL database and returned to XProtect Smart Client | 1433 | TCP | Low, 100 kbit/call
3. The alarm is handled and its state/details is updated by the user | - | - | -
4. New state/details stored in the SQL database | 1433 | TCP | Low, 1 kbit/call
Data collector
Process | Port | Protocol | Bandwidth
1. System status received on management server delivered by: log server, event server, recording server, failover recording server and mobile server | 7609 | HTTP | Low, 10 kbit/call
2. The collected data is stored in an SQL database on a SQL Server | 1433 | TCP | Low, 1 kbit/call
3. XProtect Smart Client or the Management Client requests status via System Monitor | 80 | HTTP | Low, 1 kbit/call
4. Requested data is collected from an SQL database on a SQL Server | 1433 | TCP | Low, 100 kbit/call
5. Data returned to clients | 80 | HTTP | Low, 100 kbit/call
Recording server failover
Process | Port | Protocol | Bandwidth
1. Video streamed from the recording server | Configurable. The default port is 7563 | Configurable. TCP/IP, UDP Multicast. Default TCP/IP | Sum of camera streams viewed
2. Alive messages exchanged between recording and failover recording server | Configurable. Default is 11000 | Configurable, TCP/IP | Low, 1 kbit/call
3. Cold standby: failover message sent, configuration retrieved, start failover. Hot standby: failover message sent, start failover | 80 | HTTP | Configuration dependent
4. Configuration updated with active failover recording server | 1433 | TCP | Low, 1 kbit/call
5. Update configuration message sent to the management server | 80 | HTTP | Low, 1 kbit/call
6. Update message distributed to all clients | Configurable. Typically 80 for an AD user and 443 for a basic user | HTTP for an AD user and HTTPS for a basic user | Low, 1 kbit/call
7. Video streamed from failover recording server | Configurable. The default port is 7563 | Configurable. TCP/IP, UDP Multicast. Default TCP/IP | Sum of camera streams viewed
Media retrieved from failover recording server when recording server is available | 5210 | TCP | -
Evidence lock
Process | Port | Protocol | Bandwidth
1. The user creates an evidence lock in XProtect Smart Client. XProtect Smart Client sends the information to the management server | Configurable. Typically port 80 for an AD user and port 443 for a basic user | HTTP for AD User and HTTPS for a basic user | Low, 1 kbit/call
2. The management server informs the recording server to store and protect the locked recordings in the Media database | 9993 | TCP | Low, 1 kbit/call
3. The management server stores information about the evidence lock in the SQL database | 1433 | TCP | Low, 1 kbit/call
Move hardware
Process | Port | Protocol | Bandwidth
1. The user moves hardware from recording server 1 to recording server 2 in Management Client | - | - | -
2. The management server receives the update in the system configuration and stores it in the SQL database | 1433 | TCP | Low, 1 kbit/call
3. The management server sends update to recording server 1 | 9993 | TCP | Low, 1 kbit/call
4. The management server sends update to recording server 2 | 9993 | TCP | Low, 1 kbit/call
5. Recording server 2 connects to Hardware. All new recordings are stored in the recording server 2 database | - | - | -
Old recordings are still available on recording server 1. The system deletes them when the retention time expires. Recordings marked with evidence lock are not deleted until the evidence lock's retention time expires | 5210 | TCP | -
Clients connect to recording server 2 | - | - | -
Ports used by the system
All XProtect components and the ports needed by them are listed below. To ensure, for example, that the firewall blocks only unwanted traffic, you need to specify the ports that the system uses. You should only enable these ports. The lists also include the ports used for local processes.
They are arranged in two groups:
- Server components (services) offer their service on particular ports, which is why they need to listen for client requests on these ports. Therefore, these ports need to be opened in the Windows Firewall for inbound and outbound connections
- Client components (clients) initiate connections to particular ports on server components. Therefore, these ports need to be opened for outbound connections. Outbound connections are typically open by default in the Windows Firewall
If nothing else is mentioned, ports for server components must be opened for inbound connections, and ports for client components must be opened for outbound connections.
Do keep in mind that server components can act as clients to other server components as well.
The port numbers are the default numbers, but these can be changed. Contact Milestone support if you need to change ports that are not configurable through the Management Client.
Server components (inbound connections)
Each of the following sections lists the ports that need to be opened for a particular service. To figure out which ports need to be opened on a particular computer, you need to consider all services running on the computer.
Management Server service and related processes
Port number | Protocol | Process | Connections from... | Purpose
80 | HTTP | IIS | All XProtect components. The Management Server service and Recording Server services | Main communication, for example, authentication and configurations. Handles registration of recording servers and management servers via the Authorization Server service.
443 | HTTPS | IIS | XProtect Smart Client and the Management Client. The Management Server service and Recording Server services | Authentication of basic users. Handles registration of recording servers and management servers via the Authorization Server service.
6473 | TCP | Management Server service | Management Server Manager tray icon, local connection only. | Showing status and managing the service.
8080 | TCP | Management server | Local connection only. | Communication between internal processes on the server.
9000 | HTTP | Management server | Recording Server services | Web service for internal communication between servers.
9993 | TCP | Management Server service | Recording Server services | Authentication, configuration, token exchange.
12345 | TCP | Management Server service | XProtect Smart Client | Communication between the system and Matrix recipients. You can change the port number in the Management Client.
12974 | TCP | Management Server service | Windows SNMP Service | Communication with the SNMP extension agent. Do not use the port for other purposes even if your system does not apply SNMP. In XProtect 2014 systems or older, the port number was 6475. In XProtect 2019 R2 systems and older, the port number was 7475.
SQL Server service
Port number | Protocol | Process | Connections from... | Purpose
1433 | TCP | SQL Server | Management Server service | Storing and retrieving configurations.
1433 | TCP | SQL Server | Event Server service | Storing and retrieving events.
1433 | TCP | SQL Server | Log Server service | Storing and retrieving log entries.
Data Collector service
Port number | Protocol | Process | Connections from... | Purpose
7609 | HTTP | IIS | On the management server computer: Data Collector services on all other servers. On other computers: Data Collector service on the Management Server. | System Monitor.
Event Server service
Port number | Protocol | Process | Connections from... | Purpose
1234 | TCP/UDP | Event Server Service | Any server sending generic events to your XProtect system. | Listening for generic events from external systems or devices. Only if the relevant data source is enabled.
1235 | TCP | Event Server service | Any server sending generic events to your XProtect system. | Listening for generic events from external systems or devices. Only if the relevant data source is enabled.
9090 | TCP | Event Server service | Any system or device that sends analytics events to your XProtect system. | Listening for analytics events from external systems or devices. Only relevant if the Analytics Events feature is enabled.
22331 | TCP | Event Server service | XProtect Smart Client and the Management Client | Configuration, events, alarms, and map data.
22333 | TCP | Event Server service | MIP Plug-ins and applications. | MIP messaging.
Recording Server service
Port number | Protocol | Process | Connections from... | Purpose
25 | SMTP | Recording Server Service | Cameras, encoders, and I/O devices. | Listening for event messages from devices. The port is disabled by default.
5210 | TCP | Recording Server Service | Failover recording servers. | Merging of databases after a failover recording server had been running.
5432 | TCP | Recording Server Service | Cameras, encoders, and I/O devices. | Listening for event messages from devices. The port is disabled by default.
7563 | TCP | Recording Server Service | XProtect Smart Client, Management Client | Retrieving video and audio streams, PTZ commands.
8966 | TCP | Recording Server Service | Recording Server Manager tray icon, local connection only. | Showing status and managing the service.
9001 | HTTP | Recording Server Service | Management server | Web service for internal communication between servers. If multiple Recording Server instances are in use, every instance needs its own port. Additional ports will be 9002, 9003, etc.
11000 | TCP | Recording Server Service | Failover recording servers | Polling the state of recording servers.
12975 | TCP | Recording Server Service | Windows SNMP service | Communication with the SNMP extension agent. Do not use the port for other purposes even if your system does not apply SNMP. In XProtect 2014 systems or older, the port number was 6474. In XProtect 2019 R2 systems and older, the port number was 7474.
65101 | UDP | Recording Server service | Local connection only | Listening for event notifications from the drivers.
In addition to the inbound connections to the Recording Server service listed above, the Recording Server service establishes outbound connections to the cameras.
Failover Server service and Failover Recording Server service
Port number | Protocol | Process | Connections from... | Purpose
25 | SMTP | Recording Server Service | Cameras, encoders, and I/O devices. | Listening for event messages from devices. The port is disabled by default.
5210 | TCP | Recording Server Service | Failover recording servers | Merging of databases after a failover recording server had been running.
5432 | TCP | Recording Server Service | Cameras, encoders, and I/O devices. | Listening for event messages from devices. The port is disabled by default.
7474 | TCP | Recording Server Service | Windows SNMP service | Communication with the SNMP extension agent. Do not use the port for other purposes even if your system does not apply SNMP.
7563 | TCP | Recording Server Service | XProtect Smart Client | Retrieving video and audio streams, PTZ commands.
8844 | UDP | Failover recording servers | Local connection only. | Communication between the servers.
8966 | TCP | Failover Recording Server Service | Failover Recording Server Manager tray icon, local connection only. | Showing status and managing the service.
8967 | TCP | Failover Server Service | Failover Server Manager tray icon, local connection only. | Showing status and managing the service.
8990 | TCP | Failover Server Service | Management Server service | Monitoring the status of the Failover Server service.
9001 | HTTP | Failover Server Service | Management server | Web service for internal communication between servers.
Log Server service
Port number | Protocol | Process | Connections from... | Purpose
22337 | HTTP | Log Server service | All XProtect components except for Management Client and the recording server. | Write to, read from, and configure the log server.
In addition to the inbound connections to the Failover Recording Server service listed above, the Recording Server service establishes outbound connections to the cameras.
Mobile Server service
Port number | Protocol | Process | Connections from... | Purpose
8000 | TCP | Mobile Server service | Mobile Server Manager tray icon, local connection only. | SysTray application.
8081 | HTTP | Mobile Server service | Mobile clients, Web clients, and Management Client. | Sending data streams; video and audio.
8082 | HTTPS | Mobile Server service | Mobile clients and Web clients. | Sending data streams; video and audio.
LPR Server service
Port number | Protocol | Process | Connections from... | Purpose
22334 | TCP | LPR Server Service | Event server | Retrieving recognized license plates and server status. In order to connect, the Event server must have the LPR plug-in installed.
22334 | TCP | LPR Server Service | LPR Server Manager tray icon, local connection only. | SysTray application
Milestone ONVIF Bridge service
Port number | Protocol | Process | Connections from... | Purpose
580 | TCP | ONVIF Bridge Service | ONVIF clients | Authentication and requests for video stream configuration.
554 | RTSP | RTSP Service | ONVIF clients | Streaming of requested video to ONVIF clients.
XProtect DLNA Server service
Port number | Protocol | Process | Connections from... | Purpose
9100 | HTTP | DLNA Server Service | DLNA device | Device discovery and providing DLNA channels configuration. Requests for video streams.
9200 | HTTP | DLNA Server Service | DLNA device | Streaming of requested video to DLNA devices.
XProtect Screen Recorder service
Port number | Protocol | Process | Connections from... | Purpose
52111 | TCP | XProtect Screen Recorder | Recording Server Service | Provides video from a monitor. It appears and acts in the same way as a camera on the recording server. You can change the port number in the Management Client.
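Added example, not part of the Milestone document: the inbound tables above say that the ports to open on a computer follow from all services running on it, and that some ports are for local connections only or only used when a feature is enabled. The Python below builds that allow-list from the default ports in those tables, renders it as Windows Firewall rules, and audits a constructed list of listeners; the service keys, feature labels and sample listeners are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    number: int
    proto: str                # "tcp" or "udp"
    local_only: bool = False  # table says "local connection only"
    feature: str = ""         # table says the port is off unless a feature is enabled


# Default inbound ports transcribed from the tables on this page.
# Service keys and feature labels are names chosen for this example.
SERVICE_PORTS = {
    "management": [Port(80, "tcp"), Port(443, "tcp"), Port(6473, "tcp", True),
                   Port(8080, "tcp", True), Port(9000, "tcp"), Port(9993, "tcp"),
                   Port(12345, "tcp"), Port(12974, "tcp")],
    "sql": [Port(1433, "tcp")],
    "event": [Port(1234, "tcp", feature="generic_events"),
              Port(1234, "udp", feature="generic_events"),
              Port(1235, "tcp", feature="generic_events"),
              Port(9090, "tcp", feature="analytics_events"),
              Port(22331, "tcp"), Port(22333, "tcp")],
    "recording": [Port(25, "tcp", feature="smtp_events"), Port(5210, "tcp"),
                  Port(5432, "tcp", feature="device_events"), Port(7563, "tcp"),
                  Port(8966, "tcp", True), Port(9001, "tcp"), Port(11000, "tcp"),
                  Port(12975, "tcp"), Port(65101, "udp", True)],
    "mobile": [Port(8000, "tcp", True), Port(8081, "tcp"), Port(8082, "tcp")],
}


def _ports(services):
    """All table entries for the services installed on one computer."""
    return [p for s in services for p in SERVICE_PORTS[s]]


def allow_list(services, features=()):
    """(port, proto) pairs to open inbound on a host running `services`."""
    return {(p.number, p.proto) for p in _ports(services)
            if not p.local_only and (not p.feature or p.feature in features)}


def firewall_rules(services, features=()):
    """Render one Windows Firewall allow rule per protocol as PowerShell text."""
    rules = []
    for proto in ("tcp", "udp"):
        ports = sorted(n for n, pr in allow_list(services, features) if pr == proto)
        if ports:
            rules.append(
                'New-NetFirewallRule -DisplayName "XProtect inbound %s" '
                "-Direction Inbound -Protocol %s -LocalPort %s -Action Allow"
                % (proto.upper(), proto.upper(), ",".join(map(str, ports))))
    return rules


def audit(services, listeners, features=()):
    """Compare observed listeners (bind address, port, proto) with the tables."""
    known = {(p.number, p.proto): p for p in _ports(services)}
    findings = []
    for addr, port, proto in listeners:
        exposed = not ipaddress.ip_address(addr).is_loopback
        entry = known.get((port, proto))
        if entry is None:
            if exposed:
                findings.append(("unlisted", port, proto))
        elif entry.local_only and exposed:
            findings.append(("local-only port exposed", port, proto))
        elif entry.feature and entry.feature not in features:
            findings.append(("feature not enabled", port, proto))
    return findings


# Constructed sample: listeners on one computer running three services.
SAMPLE_SERVICES = ["management", "sql", "event"]
SAMPLE_LISTENERS = [
    ("0.0.0.0", 80, "tcp"), ("0.0.0.0", 443, "tcp"), ("0.0.0.0", 1433, "tcp"),
    ("127.0.0.1", 6473, "tcp"),  # tray icon port on loopback: as documented
    ("0.0.0.0", 8080, "tcp"),    # local-only port bound to all interfaces
    ("0.0.0.0", 1234, "udp"),    # generic events listening, feature not declared
    ("0.0.0.0", 3389, "tcp"),    # not in the tables for the services on this host
    ("0.0.0.0", 22331, "tcp"),
]

if __name__ == "__main__":
    for rule in firewall_rules(SAMPLE_SERVICES):
        print(rule)
    for finding in audit(SAMPLE_SERVICES, SAMPLE_LISTENERS):
        print(finding)
```

The port numbers are the defaults from the tables; where a port has been changed in the Management Client, edit SERVICE_PORTS to match before generating rules.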
Server components (outbound connections)
Management Server service
Port number | Protocol | Connections to... | Purpose
443 | HTTPS | Milestone Customer Dashboard via https://service.milestonesys.com/ | Send status, events and error messages from the XProtect system to Milestone Customer Dashboard.
443 | HTTPS | The License server that hosts the License Management service. Communication is via https://www.milestonesys.com/OnlineActivation/LicenseManagementService.asmx | Activating licenses.
Log Server service
Port number | Protocol | Connections to... | Purpose
443 | HTTP | Log server | Forwarding messages to the log server.
Cameras, encoders, and I/O devices (inbound connections)
Port number | Protocol | Connections from... | Purpose
80 | TCP | Recording servers and failover recording servers | Authentication, configuration, and data streams; video and audio.
443 | HTTPS | Recording servers and failover recording servers | Authentication, configuration, and data streams; video and audio.
554 | RTSP | Recording servers and failover recording servers | Data streams; video and audio.
Cameras, encoders, and I/O devices (outbound connections)
Port number | Protocol | Connections to... | Purpose
25 | SMTP | Recording servers and failover recording servers | Sending event notifications (deprecated).
5432 | TCP | Recording servers and failover recording servers | Sending event notifications. The port is disabled by default.
22337 | HTTP | Log server | Forwarding messages to the log server.
Only a few camera models are able to establish outbound connections.
Client components (outbound connections)
XProtect Smart Client, XProtect Management Client, XProtect Mobile server
Port number | Protocol | Connections to... | Purpose
80 | HTTP | Management Server service | Authentication
443 | HTTPS | Management Server service | Authentication of basic users.
7563 | TCP | Recording Server service | Retrieving video and audio streams, PTZ commands.
22331 | TCP | Event Server service | Alarms.
XProtect Web Client, XProtect Mobile client
Port number | Protocol | Connections to... | Purpose
8081 | HTTP | XProtect Mobile server | Retrieving video and audio streams.
8082 | HTTPS | XProtect Mobile server | Retrieving video and audio streams.
About Milestone
Milestone Systems is a leading provider of open platform video management software; technology that helps the world see how to ensure safety, protect assets and increase business efficiency. Milestone Systems enables an open platform community that drives collaboration and innovation in the development and use of network video technology, with reliable and scalable solutions that are proven in more than 150,000 sites worldwide. Founded in 1998, Milestone Systems is a stand-alone company in the Canon Group. For more information, visit https://www.milestonesys.com/.