system architecture document - xprotect® vms 2020 r1...rtsp,udp, tcp/ip deviceconfigurable....

Milestone Systems

XProtect® VMS 2020 R1

System architecture document

XProtect CorporateXProtect ExpertXProtect Professional+XProtect Express+XProtect Essential+

ContentsCopyright, trademarks, and disclaimer 4

Introduction 5

Target audience and purpose 6

Overall system architecture 7

Server components 8

Management server 8

Recording server 8

Media database 9

Event server 9

Log server 9

SQL Server 10

Mobile server 10

Client components 11

XProtect Management Client 11

XProtect Smart Client 11

XProtect Web Client 11

XProtect Mobile client 11

Encryption 13

Introduction to certificates 13

Additional products and components 16

MIP SDK 16

Milestone Software Manager 17

XProtect Smart Wall 17

XProtect Access 17

XProtect Transact 18

XProtect LPR 18

Milestone Interconnect 19

XProtect DLNA Server 20

System architecture document | XProtect® VMS 2020 R1

2 | Contents

Milestone ONVIF Bridge 20

System communication and data flow 22

Server communication 22

Login from XProtect Smart Client 23

Live video and audio 24

Live video multicasting 25

Matrix 26

Management server – view update 27

XProtect Smart Wall 28

Play back video and audio 29

Login from XProtect Web Client and XProtect Mobile 30

Live video for XProtect Web Client and XProtect Mobile 31

Recording and playback video for XProtect Web Client and XProtect Mobile 32

Video push 33

Milestone Interconnect live 34

Milestone Interconnect recording options 35

Milestone Interconnect play back 36

XProtect DLNA Server 37

Milestone ONVIF Bridge 38

Management Client configuration update 39

Log server 40

Event server 41

XProtect Transact 42

XProtect LPR 43

View and manage alarms 44

Data collector 45

Recording server failover 46

Evidence lock 47

Move hardware 48

Ports used by the system 49


3 | Contents

Copyright, trademarks, and disclaimerCopyright © 2020 Milestone Systems A/S

Trademarks

XProtect is a registered trademark of Milestone Systems A/S.

Microsoft and Windows are registered trademarks of Microsoft Corporation. App Store is a service mark of AppleInc. Android is a trademark of Google Inc.

All other trademarks mentioned in this document are trademarks of their respective owners.

Disclaimer

This text is intended for general information purposes only, and due care has been taken in its preparation.

Any risk arising from the use of this information rests with the recipient, and nothing herein should be construedas constituting any kind of warranty.

Milestone Systems A/S reserves the right to make adjustments without prior notification.

All names of people and organizations used in the examples in this text are fictitious. Any resemblance to anyactual organization or person, living or dead, is purely coincidental and unintended.

This product may make use of third-party software for which specific terms and conditions may apply. When thatis the case, you can find more information in the file 3rd_party_software_terms_and_conditions.txt located in yourMilestone system installation folder.


4 |Copyright, trademarks, and disclaimer

IntroductionThis document contains illustrations and descriptions of communication and dataflow between the most commonsystem components in a distributed system.

The document shows a range of scenarios with a supporting illustration and a description of actions supplementedby information about port numbers, protocols and bandwidth usage.

The illustrations are simplified and primarily focus on the general dataflow between system components. Thismeans that less important flows may have been omitted in order to reduce the level of complexity.


5 | Introduction

Target audience and purposeThis document's primary audience is system integrators and IT administrators with limited experience andknowledge about Milestone XProtect VMS solutions and who are in the process of selecting, deploying,administrating, maintaining and expanding a VMS.

The purpose of the document is to provide insight to the benefits and simplicity of using Milestone XProtect as aVMS, including an introduction of the system components and the system architecture.

This document should enable the reader to understand:

l The overall system architecture

l The primary system components and their functions

l Provide guidelines to basic system design

The reader of the document should have general experience with administrating an IT installation.


6 |Target audience and purpose

Overall system architectureTo enable scaling of thousands of cameras across multiple sites, the system consists of several components thathandle specific tasks. You can install all components on a single server if the server can handle the load, or you caninstall the components on separate, dedicated servers to scale and distribute the load.

Depending on hardware and configuration, smaller systems with between 50~100 cameras can run on a singleserver.

For systems with more than 100 cameras, Milestone recommends that you use dedicated servers for all or someof the components.

You do not need all components in all installations. However, you can add them if the functionality they offer isneeded at a later time, for example, failover recording servers or mobile servers for hosting and providing accessto both XProtect Web Client and XProtect Mobile.

The diagram below shows an overview of the system components.


7 |Overall system architecture

Server components

Management serverThe management server is the central VMS component. It handles the system configuration, distributes thesystem configuration to other system components, such as the recording servers, and facilitates userauthentication.

The system configuration is stored in an SQL database on a standard Microsoft SQL Server installed on either themanagement server itself or on a separate dedicated server.

Failover management server

You can get failover support on the management server by installing the management server in a Microsoftwindows cluster. The cluster ensures that another server takes over the management server function in case thefirst server fails.

Recording serverThe recording server is responsible for all communication, recording, and event handling related to devices suchas cameras, video and audio encoders, I/O modules, and metadata sources. Examples of actions the recordingserver handles:

l Retrieve video, audio, metadata and I/O event streams from the devices

l Record video, audio and metadata from devices

l Provide operators with access to live and recorded video, audio and metadata

l Provide operators with access to device status

l Trigger system and video events on device failures or events

l Perform motion detection and generate smart search metadata

The recording server is also responsible for communicating with other Milestone products when using theMilestone Interconnect™ technology. For more information, see Milestone Interconnect on page 19.

Failover recording server

The failover recording server is responsible for taking over the recording task in case a recording server fails.

The failover recording server operates in two modes:

1. Standard failover, for monitoring multiple recording servers

2. Hot standby, for monitoring a single recording server


8 |Server components

Media databaseThe system stores the retrieved video, audio and metadata in the customized high performance Milestone mediadatabase which is optimized for recording and storing audio and video data.

The media database supports various unique features including multistage archiving, video grooming, encryptionand adding a digital signature to the recordings.

Event serverThe event server handles the tasks related to events, alarms, maps and third-party integrations via the MilestoneIntegration Platform.

Events:

l All system events are consolidated in the event server so there is a single place and interface for partnersto make integrations that use system events

l The event server offers third-party access for sending events to the system via the Generic events orAnalytics events interface

Alarms:

l The event server hosts the alarm feature, alarm logic, alarm state and handling of the alarm database. Thealarm database is stored in the same SQL database as the management server uses

Maps:

l The event server also hosts maps. You configure and use maps in the XProtect Smart Client

Milestone Integration Platform:

l You can install third-party developed plug-ins on the event server and utilize access to system events

You can get failover support on the event server by installing the event server in a Microsoft Windows Cluster. Thecluster ensures that another server takes over the event server function in case the first server fails.

Log serverThe log server is responsible for storing all log messages for the entire system. The log server typically uses thesame SQL Server as the management server but has its own SQL database. Log server is also typically installed onthe same server as the management server. If you need to increase the performance of the management serveror log server, you can install the log server on a separate server and use a separate SQL Server.

The system can through the log server write three types of log messages:



l System logs: the system administrator can choose to log errors, warnings, and information, or acombination of these. The default is to log errors only

l Audit logs: the system administrator can choose to log user activity in clients in addition to login andadministration logs

l Rule-triggered logs: the system administrator can use the rule log to create logs on specific events

SQL ServerThe management server, the event server and the log server use SQL databases on one or two SQL Serverinstallations to store, for example, configuration, alarms, events and log messages.

The Milestone XProtect installer includes Microsoft SQL Server Express which is free edition of SQL Server.

For very large systems or systems with many transactions to and from the SQL databases, Milestone recommendsthat you use a Microsoft® SQL Server® Standard or Microsoft® SQL Server® Enterprise edition of the SQL Serveron a dedicated computer on the network and on a dedicated hard disk drive that is not used for other purposes.Installing the SQL Server on its own drive improves the entire system performance.

Mobile serverXProtect Mobile server handles logins to the system from XProtect Mobile client or XProtect Web Client.

A XProtect Mobile server distributes video streams from recording servers to XProtect Mobile client or XProtectWeb Client. This offers a secure setup where recording servers are never connected to the Internet. When aXProtect Mobile server receives video streams from recording servers, it also handles the complex conversion ofcodecs and formats allowing streaming of video on the mobile device.



Client components

XProtect Management ClientThe Management Client is the administration interface for all parts of the system.

The VMS is designed for large-scale operation so the Management Client is designed to run remotely from, forexample, the administrator’s computer.

When you select a function in the node tree, the settings for this node appear, typically in a second tree structurewhere you can manage sub items. Once you have selected the correct item, the actual settings appear in theproperties dialog box in the upper right hand corner. The settings are grouped on various tabs if an item has manysettings.

XProtect Smart ClientXProtect Smart Client is the main client for the VMS, offering a full set of advanced features and designed for a day-to-day use by dedicated operators.

XProtect Smart Client is designed to run remotely from the operators’ computer and supports multiscreen usagein full screen mode as shown below or in floating windows mode where the user can resize the windows andmove them around freely.

For more information, see (https://www.milestonesys.com/solutions/platform/clients/xprotect-smart-client/)

XProtectWebClientXProtect Web Clientis a client designed for the occasional or remote user that needs easy access to livemonitoring, playback and export. XProtect Web Client also provides access to activating system events andoutputs.

For more information, see (https://www.milestonesys.com/solutions/platform/clients/xprotect-web-client/)

Find compatible browsers under XProtect Web Client here: (https://www.milestonesys.com/systemrequirements/)

XProtect Mobile clientThe XProtect Mobile client is a client designed for the user on the go. It offers easy access to live monitoring,playback and export of video, as well as access to activating system events and outputs.

You can use the XProtect Mobile client as a remote recording device by using the device's built-in camera and theMilestone Video Push feature. With Video Push activated, video from the device's camera is streamed back to theVMS and recorded as if it is a standard camera.

For more information, see (https://www.milestonesys.com/solutions/platform/clients/milestone-mobile/)


11 |Client components

https://www.milestonesys.com/solutions/platform/clients/xprotect-smart-client/

https://www.milestonesys.com/solutions/platform/clients/xprotect-web-client/

https://www.milestonesys.com/systemrequirements/

https://www.milestonesys.com/solutions/platform/clients/milestone-mobile/

Find the operating systems compatible with XProtect Mobile here:(https://www.milestonesys.com/systemrequirements/)


12 |Client components

https://www.milestonesys.com/systemrequirements/

EncryptionThis section gives you an introduction to encryption and certificates.

XProtect systems support secure communication:

From To

Recording serverManagementserver

Management server Recording server

Clients, servers, andintegrations that retrievedata streams from therecording server

Recording server

Mobile devices Mobile server

When do I need to install certificates?

l If your XProtect VMS system is set up in a Windows Workgroup environment

l Before you install or upgrade to XProtect VMS 2019 R1 or newer, if you want to enable encryption duringthe installation

l Before you enable encryption, if you installed XProtect VMS 2019 R1 or newer without encryption

l When you renew or replace certificates due to expiry

Introduction to certificatesHypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP) for securecommunication over a computer network. In HTTPS, the communication protocol is encrypted using TransportLayer Security (TLS), or its predecessor, Secure Sockets Layer (SSL).

In XProtect VMS, the secure communication is obtained by using SSL/TLS with asymmetric encryption (RSA).

SSL/TLS uses a pair of keys—one private, one public—to authenticate, secure, and manage secure connections.

A certificate authority (CA) can issue certificates to web services on servers using a CA certificate. This certificatecontains two keys, a private key and public key. The public key is installed on the clients of a web service (serviceclients) by installing a public certificate. The private key is used for signing server certificates that must be installedon the server. Whenever a service client calls the web service, the web service sends the server certificateincluding the public key to the client. The service client can validate the server certificate using the alreadyinstalled public CA certificate. The client and the server can now use the public and private server certificate toexchange a secret key and thereby establish a secure SSL/TLS connection.

For more information about TLS: https://en.wikipedia.org/wiki/Transport_Layer_Security


13 |Encryption

https://en.wikipedia.org/wiki/Transport_Layer_Security

In XProtect VMS, the following locations are where you can enable SSL/TLS encryption:

l In the communication between the management server and the recording servers

l On the recording server in the communication with clients, servers and integrations that retrieve datastreams from the recording server

l In the communication from clients to the mobile server

For more details on the below references about certificate distribution, download the XProtect VMS Certificatesguide from the Milestone website. (https://www.milestonesys.com/support/help-yourself/manuals-and-guides/).

Certificate distribution

The graphic illustrates the basic concept of how certificates are signed, trusted, and distributed in XProtect VMS.

A CA certificate acts as a trusted third-party, trusted by both the Subject/owner (server) and by the party that

verifies the certificate (clients) ( see Create CA certificate).

The public CA certificate must be trusted on all client computers. In this way the clients can verify the validity of

the certificates issued by the CA (see Install certificates on the clients).

The CA certificate is used to issue private server authentication certificates to the servers (see Create SSL

certificate).

The created private SSL certificates must be imported to the Windows Certificate Store on all servers (see

Import SSL certificate).

Requirements for the private SSL certificate:


14 |Encryption

https://www.milestonesys.com/support/help-yourself/manuals-and-guides/

l Issued to the server so that the server's host name is included in the certificate, either as subject (owner)or in the list of DNS names that the certificate is issued to

l Trusted on all computers running services or applications that communicate with the service on theservers, by trusting the CA certificate that was used to issue the SSL certificate

l The service account that runs the server must have access to the private key of the certificate on theserver.

Certificates have an expiry date. XProtect VMS will not warn you when a certificate is aboutto expire. If a certificate expires, the clients will no longer trust the server with the expiredcertificate and thus cannot communicate with it.To renew the certificates, follow the steps in this guide as you did when you createdcertificates.


15 |Encryption

Additional products and components

Available functionality depends on the system you using. See the Product comparison chart(https://www.milestonesys.com/solutions/platform/product-index/) for more information.

MIP SDKThe Milestone Integration Platform Software Development Kit (MIP SDK) is a comprehensive tool that makes it easyto create applications, plug-ins or integrations for Milestone’s XProtect products.

MIP

The open platform is integrated in the following Milestone XProtect system components and applications:

l XProtect Smart Client

l XProtect Management Client

l Management Application

l Management Server

l Event Server

MIP SDK

To have a truly open platform and a community around it Milestone provides the SDK that contains:

l The tools for developing integrations

l Documentation of a set of interfaces

l A set of wrapper .NET DLLs providing an easy interface to a variety of functionality

l A large collection of samples demonstrating different ways of using the MIP SDK

l Short descriptions and how-to guides

l A small application to display links to this information

l Libraries

The MIP SDK is also used internally by Milestone software development teams.

For more information, see (https://www.milestonesys.com/community/developer-tools/sdk/).


16 |Additional products and components

https://www.milestonesys.com/solutions/platform/product-index/

https://www.milestonesys.com/community/developer-tools/sdk/

Milestone Software ManagerMilestone Software Manager is a tool that you, from a central point, can use to remotely install and upgraderecording servers, recording server device packs and XProtect Smart Clients on servers or PCs in the network.

For larger installations, the tool makes it easy and fast to remotely upgrade the components that are installed onservers and client PCs.

For more information, see (https://www.milestonesys.com/solutions/hardware-and-add-ons/milestone-addons/utilities/).

XProtect SmartWallXProtect Smart Wall is designed for control centers to display live video from selected cameras on one or morevideo wall displays.

There are several ways you can select the cameras:

l Manually using the XProtect Smart Client

l Via the VMS’ rule system on events and/or time schedule

l Via MIP SDK integrations

XProtect Smart Wall does not require a dedicated XProtect software component itself, nor does it use a dedicatedXProtect client - all the required components are included in the standard XProtect Corporate management serverand XProtect Smart Client. It just needs a PC running XProtect Smart Client to show the Smart Wall views.

XProtect Smart Wall is included in XProtect Corporate. You can be purchase it as an add-onfor XProtect Expert.

For more information, see (https://www.milestonesys.com/solutions/hardware-and-add-ons/milestone-addons/smart-wall/).

XProtect AccessThe access control integration feature introduces new functionality that makes it simple to integrate customers’access control systems with XProtect. You get:

l A common operator user interface for multiple access control systems in XProtect Smart Client

l Faster and more powerful integration of access control systems

l More functionality for the operator (see below)

In XProtect Smart Client, the operator gets:



https://www.milestonesys.com/solutions/hardware-and-add-ons/milestone-addons/utilities/

https://www.milestonesys.com/solutions/hardware-and-add-ons/milestone-addons/utilities/

https://www.milestonesys.com/solutions/hardware-and-add-ons/milestone-addons/smart-wall/

https://www.milestonesys.com/solutions/hardware-and-add-ons/milestone-addons/smart-wall/

l Live monitoring of events at access points

l Operator aided passage for access requests

l Map integration

l Alarm definitions for access control events

l Investigation of events at access points

l Centralized overview and control of door states

l Cardholder information and management

The use of XProtect Access requires that you have purchased a base license that allows youto access this feature within your XProtect system. You also need an access control doorlicense for each door you want to control.

You can use XProtect Access with access control systems from vendors where a vendor-specific plug-in for XProtect Access exists. You must install this plug-in on the event serverbefore you can start an integration.

For more information, see (https://www.milestonesys.com/solutions/hardware-and-add-ons/milestone-addons/access/).

XProtect TransactXProtect Transact is an add-on to Milestone's IP video surveillance solutions XProtect VMS and XProtectProfessional VMS.

XProtect Transact is a tool for observing ongoing transactions and investigating transactions in the past. Thetransactions are linked with the digital surveillance video monitoring the transactions, for example to help youprove fraud or provide evidence against a perpetrator. There is a 1-to-1 relationship between the transaction linesand video images.

The transaction data may originate from different types of transaction sources, typically point of sales (PoS)systems or automated teller machines (ATM).

For more information, see (https://www.milestonesys.com/solutions/hardware-and-add-ons/milestone-addons/transact/).

XProtect LPRXProtect LPR offers video-based content analysis (VCA) and recognition of vehicle license plates that interacts withyour surveillance system and your XProtect Smart Client.

To read the characters on a plate, XProtect LPR uses optical character recognition on images aided by specializedcamera settings.



https://www.milestonesys.com/solutions/hardware-and-add-ons/milestone-addons/access/

https://www.milestonesys.com/solutions/hardware-and-add-ons/milestone-addons/access/

https://www.milestonesys.com/solutions/hardware-and-add-ons/milestone-addons/transact/

https://www.milestonesys.com/solutions/hardware-and-add-ons/milestone-addons/transact/

You can combine LPR (license plate recognition) with other surveillance features such as recording and event-based activation of outputs.

Examples of events in XProtect LPR:

l Trigger surveillance system recordings in a particular quality

l Activate alarms

l Match against positive/negative license plate match lists

l Open gates

l Switch on lights

l Push video of incidents to computer screens of particular security staff members

l Send mobile phone text messages

With an event, you can activate alarms in XProtect Smart Client.

For more information, see (https://www.milestonesys.com/solutions/hardware-and-add-ons/milestone-addons/lpr/)

Milestone InterconnectMilestone Interconnect allows you to integrate several XProtect or Milestone Husky™ installations with oneXProtect Corporate central site. You can also install these sites, called remote sites, on mobile units, for example,boats, busses or trains. This means that such sites do not need to be permanently connected to a network.

The central site considers the remote site as an advanced camera or multi-channel encoder with edge storagecapabilities.

Each remote site runs independently and can perform surveillance tasks as configured. Depending on the networkconnections and appropriate user rights, Milestone Interconnect offers you direct live viewing of remote sitecameras and play back of remote site recordings on the central site.

It also offers you the possibility to transfer remote site recordings to the central site based on either system-defined events, rules, schedules or by manual requests from XProtect Smart Client users.

The central site can only see and access devices that the user account specified on the remote site has access to.This allows local system administrators on the remote sites to control which devices should be made available tothe central site and its users.

On the central site, you can view the status for the interconnected cameras, but not the entire status of theremote site. Instead, to monitor the remote site, you can use remote site events to trigger alarms or othernotifications on the central site.

Only XProtect Corporate systems can work as central sites. All other products can act as remote sites includingXProtect Corporate. How specific the products interact in a Milestone Interconnect setup depends on the version



https://www.milestonesys.com/solutions/hardware-and-add-ons/milestone-addons/lpr/

https://www.milestonesys.com/solutions/hardware-and-add-ons/milestone-addons/lpr/

of the XProtect or Milestone Husky installations, the number of cameras and how devices and events areconfigured on the remote site. For further details, go to the Milestone Interconnect website(https://www.milestonesys.com/solutions/hardware-and-add-ons/milestone-addons/interconnect/).

It is not possible to add systems with free XProtect installation as remote sites.

XProtect DLNA ServerDLNA (Digital Living Network Alliance) is a standard for connecting multimedia devices. Electronic manufactures gettheir products DLNA certified to ensure interoperability between different vendors and devices and therebyenable them to distribute multimedia content such as audio, video, and photos.

Public displays and TVs are often DLNA certified and connected to a network. They are able to scan the network formedia content, connect to the device, and request a media stream to their built-in media player. XProtect DLNAServer can be discovered by certain DLNA certified devices and deliver live video streams from selected camerasto DLNA certified devices with a media player.

The DLNA devices have a live video delay of 1-10 seconds. This is caused by different buffersizes in the devices.

XProtect DLNA Server must be connected to the same network as the XProtect system and the DLNA device mustbe connected to the same network as XProtect DLNA Server.

Milestone ONVIF BridgeThe ONVIF standard facilitates full video interoperability in multivendor installations and ensures informationexchange by defining a common protocol. The protocol contains ONVIF profiles, which are collections ofspecifications for interoperability between ONVIF compliant devices.

Milestone ONVIF Bridge is compliant with the parts of ONVIF Profile G and Profile S that provide access to live andrecorded video, and the ability to control pan-tilt-zoom cameras:

l Profile G - Provides support for video recording, storage, search, and retrieval. For more information, seeONVIF Profile G Specification (https://www.onvif.org/profiles/profile-g/).

l Profile S - Provides support for streaming live video using the H.264 codec, audio streaming, and pan-tilt-zoom (PTZ) controls. For more information, see ONVIF Profile S Specification(https://www.onvif.org/profiles/profile-s/).

For more information about the ONVIF standard, see the ONVIF® website (https://www.onvif.org/).

ONVIF Profiles support “get” functions that retrieve data, and “set” functions that configure settings. Each functionis either mandatory, conditional, or optional. For security reasons, Milestone ONVIF Bridge supports only themandatory, conditional, and optional “get” functions that do the following:



https://www.milestonesys.com/solutions/hardware-and-add-ons/milestone-addons/interconnect/

https://www.onvif.org/profiles/profile-g/

https://www.onvif.org/profiles/profile-s/

https://www.onvif.org/

l Request video

l Authenticate users

l Stream video

l Play recorded video

For more information, see (https://www.milestonesys.com/community/developer-tools/milestone-ecosystem/).



https://www.milestonesys.com/community/developer-tools/milestone-ecosystem/

System communication and data flow

Server communication

Component Port Protocol Bandwidth

1 Management server - Recording server 9993 TCP 1 kbit/call

2 Recording server - Media database - - -

3 Management server - Internal 8080 UDP 1 kbit/call

4 SQL database communication 1433 TCP 1 kbit/call

5 Management server - Mobile server 80 HTTP 1 kbit/call


22 |System communication and data flow

Login fromXProtect Smart Client

Process Port Protocol Bandwidth

1XProtect Smart Clientconnects to the managementserver and attempts to log in

Configurable.Typically port 80 foran AD user and port443 for a basic user

HTTP for an ADuser and HTTPSfor a basic user

Low1 kbit/call

2The management servercontacts Active Directory toauthenticate the user

OS- and AD-dependent


Low5 kbit/call

3User-specific configuration isretrieved from the SQLdatabase

1433 TCPDepends onconfiguration

4Login is granted and theconfiguration is sent toXProtect Smart Client



Depends onconfiguration,Typically 1-10MByte



Live video andaudio


1Live streams from camerasretrieved by the recordingserver

Configurable.Typically port80

Configurable.Typically RTSP,UDP, TCP/IP

Device configurable.Typically 1-10 Mbit/s

2Streams are sent to XProtectSmart Client on request

Configurable.The defaultport is 7563

Configurable,TCP/IP, UDPMulticast.The default isTCP/IP

Usage dependable, sumof camera streamsviewed



Live videomulticasting


1Live streams from cameras retrieved by therecording server


Configurable.TypicallyRTSP, UDP,TCP/IP

Deviceconfigurable.Typically 1-10 Mbit/s

2

Recording server sends multicast stream to themulticast enabled network. This requires that allswitches handling the data traffic between theXProtect Smart Client and the recording servermust be configured for multicast

Configurable.The defaultport range is6000-7000

UDP IGMPMulticast

Usagedependable,sum ofcamerastreamsviewed

3The multicast stream is received by all XProtectSmart Clients on request

Configurable.The defaultport range is6000-7000

UDP IGMPMulticast

Usagedependable,sum ofcamerastreamsviewed



Matrix


1XProtect Smart Client user selects tosend a camera to a Matrix-recipient

N/A N/A N/A

2Information is sent to managementserver

Configurable.Typically port 80for an AD user andport 443 a for basicuser

HTTP for ADuser andHTTPS forbasic user

Low1 kbit/call

3

Management server sends request toMatrix-recipient on specified IPaddress and port (XProtect SmartClient B)

Configurable.The default port is12345

TCP/IPLow1 kbit/call

4Streams are sent to XProtect SmartClient from recording server onrequest


Configurable,TCP/IP, UDPMulticast.The defaultis TCP/IP

Usagedependable,sum of camerastreams viewed



Management server – viewupdate


1View updated on XProtect SmartClient

Configurable.Typically port 80 for anAD user and port 443for a basic user


Low1 kbit/call

2The system configuration is storedin the SQL database

1433 TCPLow1 kbit/call

3The management server sendsnotification about view update toXProtect Smart Clients

Configurable.Typically port 80 for anAD user and port 443for a basic user


Low1 kbit/call +constantlow use

4XProtect Smart Clients retrievesand applies the new view

Configurable.Typically port 80 for anAD user and 443 for abasic user


Low1 kbit/call



XProtect SmartWall


1An XProtect Smart Client user updatesthe XProtect Smart Wall view

Configurable. Thedefault is 5432(disabled by default)


2The XProtect Smart Wall viewconfiguration is updated and stored inthe SQL database


3The management server sends anotification to the XProtect Smart Clientrunning the XProtect Smart Wall

Configurable.Typically 80 for anAD user and 443 fora basic user


Low1 kbit/call

4The XProtect Smart Client running theXProtect Smart Wall retrieves andapplies new layout



Low1 kbit/call



Play back video andaudio


1Recording stream from camerasretrieved by the recording server




2The stream is recorded in therecording server database based onrules

N/A N/ADevice configurable.Typically 1-10 Mbit/s

3The recorded stream is retrieved byXProtect Smart Client on playbackrequest


TCP/IPUsage dependable,sum of camerastreams viewed



Login fromXProtectWebClient andXProtect Mobile


1Login request from XProtect WebClient or XProtect Mobile receivedon the mobile server

Configurable.Typically 8081 forHTTP and 8082 forHTTPS

HTTP or HTTPSLow1kbit/call

2The mobile server forwardsrequest to the managementserver

Configurable.Typically 80 for anAD user and 443for a basic user


Low1kbit/call

3The management server contactsActive Directory to authenticatethe user



Low1kbit/call

4User-specific configuration isretrieved from the SQL database

1433 TCPConfigurationdependent

5Information returned to themobile server

Configurable.Typically 80 for anAD user and 443for a basic user

HTTP for an ADUser and HTTPSfor a basic user

Configurationdependent,typically 1-10MByte

6The login is granted andconfiguration is sent to XProtectWeb Client or XProtect Mobile

Configurable.Typically 8081 forHTTP and 8082 forHTTPS

HTTP or HTTPS

Configurationdependent,typically < 100kByte



Live video for XProtectWebClient andXProtect Mobile


1Live stream(s) from camerasretrieved on the recordingserver

Configurable.Typically port 80



2Streams are sent to the mobileserver for transcoding or asdirect streaming

Configurable.The default is7563


Usage dependable,sum of camerastreams viewed

3 Video is streamed to the clients

Configurable.Typically 8081 forHTTP and 8082for HTTPS

HTTP orHTTPS

Transcoding: typically50–200 kbit/sNative: deviceconfigurable.Typically 0.05-1Mbit/s



Recording andplayback video for XProtectWebClient andXProtectMobile


1Recording stream from camerasretrieved on the recording server

Configurable.Typically port 80

Configurable.

TypicallyRTSP, UDP,TCP/IP


2The stream is recorded in therecording server database basedon rules


Configurable.TCP/IP, UDPMulticast.The default isTCP/IP.


3Recordings are sent to the mobileserver for transcoding or asdirect streaming

Configurable.Typically 8081 forHTTP and 8082for HTTPS

HTTP orHTTPS

Transcoding:typically 50–200kbit/sNative: deviceconfigurableTypically 1-10 Mbit/s

4 Video is streamed to clients - - -



Video push


1Video push stream from a devicerunning XProtect Mobile is sentinstantly to the mobile server

Configurable.Typically port 8081for HTTP and port8082 for HTTPS

HTTP orHTTPS

Usage dependable,resolution and frame-rate set up in themobile device.Typically 0.05 – 1Mbit/s

2

The video push stream isretrieved by recording serverusing the specific video pushdevice driver

Configurable.Typically port 40001(40002, 40003, ifmany devices arepresent)

TCP/IP

Usage dependable, resolution and frame-rate set up in themobile device.Typically 0.05 – 1Mbit/s



Milestone Interconnect live


This illustrates how XProtect Smart Client users, specified for the interconnected system, only needto log into the management server on the central site to view video

1Live stream(s) from the remote sitecameras retrieved by the remote siterecording server

Configurable.Typically 80


Deviceconfigurable.Typically 1-10Mbit/s

2Live streams from the remote siterecording server retrieved by thecentral site recording server

Configurable.The default is7563*


* In XProtect Professional VMS the default port is 80, events 22331, central 1237 must be open.The recording server on the central site connects to the remote site in the same way as a XProtectSmart Client

3Stream(s) are sent to XProtect SmartClient on request






Milestone Interconnect recording options


This highlights some of the different options when configuring your system recording settings

No recording - - -

Record at remote site only - - -

Retrieve recordings from remote site onrequest

- - -

Retrieve recordings from remote site based onrule (time profile)

- - -

Record at central site only - - -

Retrieve recordings from remote site after sitelink down

- - -

Record at both sites - - -

Combinations of above and other options - - -

These options could also be combined with cameras that have edge storage capabilities



Milestone Interconnect play back


This illustrates when recording is done on both sites. Recordings can be retrieved to the central site based onschedule, event or request. XProtect Smart Client users, specified for the interconnected system, only needto log into the management server on the central site to view video

1Recording stream from the remotesite cameras retrieved by theremote site recording server


Configurable.Typically RTSP,UDP, TCP/IP


2The stream is recorded in theremote site recording serverdatabase based on rules

N/A N/A -

3Recording stream from the remotesite recording server retrieved bythe central site recording server

Configurable.The default is7563*

TCP/IPSum of camerastreams viewed

* In XProtect Professional VMS the default port is 80, events 22331, central 1237 must be open. Therecording server on the central site connects to the remote site in the same way as a XProtect Smart Client

4

The stream is recorded in the central site recordingserver database based on rules. Recordings notavailable due to remote site link downtime can beretrieved automatically or based on schedule, event orrequest

N/AConfigurable byremote retrievalsettings

5The recorded stream(s) areretrieved by XProtect Smart Clienton playback request


TCP/IPSum of camerastreams viewed



XProtect DLNA Server


1The XProtect DLNA Server connects tothe management server to authorizeitself with the provided credentials

Configurable.Typically port 80for an AD userand port 443 fora basic user


Low1 kbit/call

2

A DLNA device scans the network andconnects to the XProtect system viathe XProtect DLNA Server andrequests a live camera video stream

Configurable.The default portis 9100

HTTPLow1 kbit/call

3XProtect DLNA Server retrieves therequested camera video stream fromthe recording server


TCP/IP


4XProtect DLNA Server sends the livevideo stream from the requestedcamera to the DLNA device


HTTP


Only H.264 encoded camera streams are supported. If a camera supports multiple streams, only thedefault stream is sent. The system administrator manages the entire XProtect DLNA Serverconfiguration from the Management Client. For example, selecting cameras available



Milestone ONVIF Bridge


1

Login, stream or PTZ request from ONVIFclient received on the Milestone ONVIFBridge server. The Milestone ONVIF Bridge isa gateway for non-Milestone clients to theMilestone VMS

Configurable.The defaultis 580

HTTP foran AD userand HTTPSfor a basicuser

Low1 kbit/call

2

The Milestone ONVIF Bridge forwards thelogin request to the management server toauthenticate the user.Access to the Milestone VMS is granted andsent to the Milestone ONVIF Bridge server

Configurable.Typically 80for an ADuser and 443for a basicuser

HTTP foran AD userand HTTPSfor a basicuser

Low1 kbit/call

3Requested live or playback stream from therecording server is retrieved by theMilestone ONVIF Bridge server



4 Video is streamed to the ONVIF clientConfigurable.The defaultport is 554

RTSPUsage dependable,sum of camerastreams viewed



Management Client configuration update


1Configuration updated on theManagement Client

- - -

2Changes are stored on themanagement server

Configurable.Typically 80 for an ADuser and 443 for abasic user

HTTP for an ADuser and HTTPS fora basic user

Low10 kbit/call

3Configuration update sent torelevant components. In this case,the recording server

9993 TCP/IPLow1 kbit/call

4If updates concern cameras, therecording server applies newsettings

Configurable.Typically 80 for HTTPand 443 for HTTPS

HTTP or HTTPSLow1 kbit/call



Log server


1The Management server or recording server creates a logmessage


2 The log message is forwarded to the log server 22337 HTTPLow1 kbit/call

3 The log message is stored in the log server's SQL database 1433 TCPLow1 kbit/call



Event server


Data about alarms, access control or map updatesare received by the event server

- - -

Third-party integrations MIP messagecommunication


Access control integrationsDepends on theintegration


XProtect Access. The event server Plug-in is aclient to the access control system

Random or fixed.Paxton 8025


Analytics eventsConfigurable.The default portis 9090


Generic events

Configurable.The default portsare 1234 and1235

TCP/IP,UDP

Low1 kbit/call

Recording server 7563 TCPLow1 kbit/call

The event server sends data to XProtect SmartClient to show in alarm list, XProtect Access or themap overview.The XProtect Smart Client user responds to thenotification and returns data to event server

- - -



XProtect Transact


1Transaction data generated by the transaction sourceis sent to the event server and stored



2The event server sends transaction data to XProtectSmart Client. View items containing transaction dataand the associated video is updated



The system administrator manages the entireXProtect Transact configuration from theManagement Client. For example, setting uptransaction sources, associated cameras, definitionsand events

- - -



XProtect LPR


1Live streams from cameras configuredfor LPR (License Plate Recognition)retrieved by the recording server




2Streams from the recording serverretrieved by the LPR server



3

The LPR server recognizes license platesby comparing them with the license platecharacteristics of the installed countrymodules. Found license plates arecompared with the license plate matchlist requests from the event server LPRplug-in


4The event server sends events andalarms to XProtect Smart Client whenthere is a match



The system administrator manages the entire XProtect LPR configuration, for example, setting upevents, alarms, and match lists from the Management Client. To be able to configure XProtect LPR fromthe Management Client you must install the LPR plug-in on the Management Client computer



Viewandmanage alarms


1XProtect Smart Client requests an alarm list fromevent server



2The alarm list is retrieved from the SQL databaseand returned to XProtect Smart Client


3The alarm is handled and its state/details isupdated by the user

- - -

4 New state/details stored in the SQL database 1433 TCPLow1 kbit/call



Data collector


1System status received on management server deliveredby: log server, event server, recording server, failoverrecording server and mobile server

7609 HTTPLow10 kbit/call

2The collected data is stored in an SQL database on a SQLServer


3XProtect Smart Client or the Management Client requestsstatus via System Monitor


4Requested data is collected from an SQL database on aSQL Server


5 Data returned to clients 80 HTTPLow100 kbit/call



Recording server failover


1Video streamed from therecording server


Configurable.TCP/IP, UDPMulticast.Default TCP/IP

Sum ofcamerastreamsviewed

2Alive messages exchangedbetween recording and failoverrecording server

Configurable.Default is 11000

Configurable,TCP/IP

Low1 kbit/call

3

Cold standby: failover messagesent, configuration retrieved, startfailoverHot standby: failover messagesent, start failover

80 HTTPConfigurationdependent

4Configuration updated with activefailover recording server


5Update configuration messagesent to the management server


6Update message distributed to allclients



Low1 kbit/call




7Video streamed from failoverrecording server


Configurable.TCP/IP, UDPMulticast.Default TCP/IP

Sum ofcamerastreamsviewed

Media retrieved from failoverrecording server when recordingserver is available

5210 TCP -

Evidence lock


1

The user creates an evidence lock inXProtect Smart Client. XProtect SmartClient sends the information to themanagement server


HTTP for ADUser andHTTPS for abasic user

Low1kbit/call

2The management server informs therecording server to store and protect thelocked recordings in the Media database

9993 TCPLow1kbit/call

3The management server storesinformation about the evidence lock in theSQL database




Move hardware


1The user moves hardware from recording server 1 torecording server 2 in Management Client

- - -

2The management server receives the update in the systemconfiguration and stores it in the SQL database


3 The management server sends update to recording server 1 9993 TCPLow1kbit/call

4 The management server sends update to recording server 2 9993 TCPLow1kbit/call

5Recording server 2 connects to Hardware. All new recordingsare stored in the recording server 2 database

- - -

Old recordings are still available on recording server 1. Thesystem deletes them when the retention time expires.Recordings marked with evidence lock are not deleted untilthe evidence lock's retention time expires

5210 TCP -

Clients connect to recording server 2 - - -



Ports used by the systemAll XProtect components and the ports needed by them are listed below. To ensure, for example, that the firewallblocks only unwanted traffic, you need to specify the ports that the system uses. You should only enable theseports. The lists also include the ports used for local processes.

They are arranged in two groups:

l Server components (services) offer their service on particular ports which is why they need to listen forclient requests on these ports. Therefore, these ports need to be opened in the Windows Firewall forinbound and outbound connections

l Client components (clients) initiate connections to particular ports on server components. Therefore,these ports need to be opened for outbound connections. Outbound connections are typically open bydefault in the Windows Firewall

If nothing else is mentioned, ports for server components must be opened for inbound connections, and ports forclient components must be opened for outbound connections.

Do keep in mind that server components can act as clients to other server components as well.

The port numbers are the default numbers, but this can be changed. Contact Milestone support, if you need tochange ports that are not configurable through the Management Client.

Server components (inbound connections)

Each of the following sections list the ports that need to be opened for a particular service. To figure out whichports need to be opened on a particular computer, you need to consider all services running on the computer.

Management Server service and related processes

Port number Protocol ProcessConnectionsfrom...

Purpose

80 HTTP IIS

All XProtectcomponents

The ManagementServer service andRecording Serverservices

Main communication, forexample, authentication andconfigurations.

Handles registration ofrecording servers andmanagement servers via theAuthorization Serverservice.


49 |Ports used by the system


Purpose

443 HTTPS IIS

XProtect SmartClient and theManagement Client

The ManagementServer service andRecording Serverservices

Authentication of basicusers.

Handles registration ofrecording servers andmanagement servers via theAuthorization Serverservice.

6473 TCPManagementServerservice

ManagementServer Managertray icon, localconnection only.

Showing status andmanaging the service.

8080 TCPManagementserver

Local connectiononly.

Communication betweeninternal processes on theserver.

9000 HTTPManagementserver

Recording Serverservices

Web service for internalcommunication betweenservers.


Recording Serverservices

Authentication,configuration, tokenexchange.


XProtect SmartClient

Communication betweenthe system and Matrixrecipients.

You can change the portnumber in the ManagementClient.




Purpose


Windows SNMPService

Communication with theSNMP extension agent.

Do not use the port forother purposes even if yoursystem does not applySNMP.

In XProtect 2014 systems orolder, the port number was6475.

In XProtect 2019 R2 systemsand older, the port numberwas 7475.

SQL Server service


Purpose

1433 TCPSQLServer

Management Serverservice

Storing and retrievingconfigurations.

1433 TCPSQLServer

Event Server serviceStoring and retrievingevents.

1433 TCPSQLServer

Log Server serviceStoring and retrieving logentries.

Data Collector service

Port number Protocol Process Connections from... Purpose

7609 HTTP IIS

On the management server computer:Data Collector services on all otherservers.

On other computers: Data Collectorservice on the Management Server.

SystemMonitor.

Event Server service




1234 TCP/UDPEventServerService

Any server sendinggeneric events to yourXProtect system.

Listening for genericevents from externalsystems or devices.

Only if the relevant datasource is enabled.

1235 TCPEventServerservice

Any server sendinggeneric events to yourXProtect system.

Listening for genericevents from externalsystems or devices.

Only if the relevant datasource is enabled.


Any system or device thatsends analytics events toyour XProtect system.

Listening for analyticsevents from externalsystems or devices.

Only relevant if theAnalytics Eventsfeature is enabled.


XProtect Smart Client andthe Management Client

Configuration, events,alarms, and map data.


MIP Plug-ins andapplications.

MIP messaging.

Recording Server service


Purpose

25 SMTPRecordingServerService

Cameras,encoders,and I/Odevices.

Listening for event messages fromdevices.

The port is disabled by default.

5210 TCPRecordingServerService

Failoverrecordingservers.

Merging of databases after a failoverrecording server had been running.


Cameras,encoders,and I/Odevices.

Listening for event messages fromdevices.

The port is disabled by default.




Purpose


XProtectSmart Client,ManagementClient

Retrieving video and audio streams,PTZ commands.


RecordingServerManager trayicon, localconnectiononly.

Showing status and managing theservice.

9001 HTTPRecordingServerService

Managementserver

Web service for internalcommunication between servers.

If multiple Recording Serverinstances are in use, every instanceneeds its own port. Additional portswill be 9002, 9003, etc.


Failoverrecordingservers

Polling the state of recordingservers.


WindowsSNMP service

Communication with the SNMPextension agent.

Do not use the port for otherpurposes even if your system doesnot apply SNMP.

In XProtect 2014 systems or older,the port number was 6474.

In XProtect 2019 R2 systems andolder, the port number was 7474.

65101 UDPRecordingServerservice

Localconnectiononly

Listening for event notificationsfrom the drivers.

In addition to the inbound connections to the Recording Server service listed above, theRecording Server service establishes outbound connections to the cameras.

Failover Server service and Failover Recording Server service




Purpose

25 SMTPRecordingServerService

Cameras, encoders,and I/O devices.

Listening for eventmessages from devices.

The port is disabled bydefault.


Failover recordingservers

Merging of databasesafter a failover recordingserver had been running.


Cameras, encoders,and I/O devices.

Listening for eventmessages from devices.



Windows SNMPservice

Communication with theSNMP extension agent.

Do not use the port forother purposes even ifyour system does notapply SNMP.


XProtect Smart ClientRetrieving video and audiostreams, PTZ commands.

8844 UDPFailoverrecordingservers

Local connectiononly.

Communication betweenthe servers.

8966 TCP

FailoverRecordingServerService

Failover RecordingServer Manager trayicon, local connectiononly.


8967 TCPFailoverServerService

Failover ServerManager tray icon,local connection only.


8990 TCPFailoverServerService

Management Serverservice

Monitoring the status ofthe Failover Serverservice.

9001 HTTPFailoverServerService

Management serverWeb service for internalcommunication betweenservers.

Log Server service




22337 HTTPLogServerservice

All XProtect componentsexcept for Management Clientand the recording server.

Write to, readfrom, andconfigure the logserver.

In addition to the inbound connections to the Failover Recording Server service listedabove, the Recording Server service establishes outbound connections to the cameras.

Mobile Server service


8000 TCPMobileServerservice

Mobile Server Managertray icon, local connectiononly.

SysTray application.

8081 HTTPMobileServerservice

Mobile clients, Web clients,and Management Client.

Sending datastreams; video andaudio.

8082 HTTPSMobileServerservice

Mobile clients and Webclients.

Sending datastreams; video andaudio.

LPR Server service


22334 TCPLPRServerService

Event server

Retrieving recognizedlicense plates and serverstatus.

In order to connect, theEvent server must have theLPR plug-in installed.

22334 TCPLPRServerService

LPR Server Managertray icon, localconnection only.

SysTray application

Milestone ONVIF Bridge service




Purpose

580 TCPONVIFBridgeService

ONVIF clientsAuthentication and requests forvideo stream configuration.

554 RTSPRTSPService

ONVIF clientsStreaming of requested videoto ONVIF clients.

XProtect DLNA Server service


Purpose

9100 HTTPDLNA ServerService

DLNA deviceDevice discovery and providingDLNA channels configuration.Requests for video streams.

9200 HTTPDLNA ServerService

DLNA deviceStreaming of requested video toDLNA devices.

XProtect Screen Recorder service


Purpose

52111 TCPXProtectScreenRecorder

RecordingServerService

Provides video from a monitor. Itappears and acts in the same wayas a camera on the recordingserver.

You can change the port number inthe Management Client.

Server components (outbound connections)

Management Server service

Port number Protocol Connections to... Purpose

443 HTTPSMilestone Customer Dashboard via

https://service.milestonesys.com/

Send status, eventsand error messagesfrom the XProtectsystem to MilestoneCustomer Dashboard.



https://service.milestonesys.com/


443 HTTPS

The License server that hosts theLicense Management service.Communication is viahttps://www.milestonesys.com/OnlineActivation/LicenseManagementService.asmx

Activating licenses.

Log Server service

Port number ProtocolConnectionsto...

Purpose

443 HTTP Log serverForwarding messages to the logserver.

Cameras, encoders, and I/O devices (inbound connections)

Port number Protocol Connections from... Purpose

80 TCPRecording servers andfailover recording servers

Authentication, configuration, anddata streams; video and audio.

443 HTTPSRecording servers andfailover recording servers

Authentication, configuration, anddata streams; video and audio.

554 RTSPRecording servers andfailover recording servers

Data streams; video and audio.

Cameras, encoders, and I/O devices (outbound connections)


25 SMTPRecording servers and failoverrecording servers

Sending eventnotifications (deprecated).

5432 TCPRecording servers and failoverrecording servers

Sending eventnotifications.


22337 HTTP Log serverForwarding messages tothe log server.

Only a few camera models are able to establish outbound connections.



https://www.milestonesys.com/OnlineActivation/LicenseManagementService.asmx



Client components (outbound connections)

XProtect Smart Client, XProtect Management Client, XProtect Mobile server


80 HTTPManagement Serverservice

Authentication

443 HTTPSManagement Serverservice

Authentication of basic users.

7563 TCPRecording Serverservice

Retrieving video and audio streams,PTZ commands.

22331 TCP Event Server service Alarms.

XProtect Web Client, XProtect Mobile client


8081 HTTPXProtect Mobileserver

Retrieving video and audiostreams.

8082 HTTPSXProtect Mobileserver

Retrieving video and audiostreams.



About Milestone

Milestone Systems is a leading provider of open platform video management software; technology that helpsthe world see how to ensure safety, protect assets and increase business efficiency. Milestone Systemsenables an open platform community that drives collaboration and innovation in the development and use ofnetwork video technology, with reliable and scalable solutions that are proven in more than 150,000 sitesworldwide. Founded in 1998, Milestone Systems is a stand-alone company in the Canon Group. For moreinformation, visit https://www.milestonesys.com/.

[email protected]

system architecture document - xprotect® vms 2020 r1...rtsp,udp, tcp/ip deviceconfigurable....

Documents