MilestoneXProtectVMSproducts SystemArchitectureDocument en-US

Download as pdf or txt
Download as pdf or txt
You are on page 1of 74

Milestone Systems

XProtect® VMS 2023 R3

System architecture document

XProtect Corporate
XProtect Expert
XProtect Professional+
XProtect Express+
XProtect Essential+
System architecture document | XProtect® VMS 2023 R3

Contents
Copyright, trademarks, and disclaimer 5

Introduction 6

Target audience and purpose 7

Overall system architecture 8

Server components 9

Management server 9

Recording server 9

Media database 10

Event server 10

Log server 11

SQL Server 11

Mobile server 11

API Gateway 12

Client components 13

XProtect Management Client 13

XProtect Smart Client 13

XProtect Web Client 13

XProtect Mobile client 13

Encryption 15

Introduction to certificates 16

Identity Provider (explained) 18

Additional products and components 19

MIP SDK 19

Milestone Software Manager 20

XProtect Smart Wall 20

XProtect Incident Manager 20

XProtect Access 21

XProtect Transact 21

XProtect LPR 22

2 | Contents
System architecture document | XProtect® VMS 2023 R3

Milestone Interconnect 22

XProtect DLNA Server 23

Milestone Open Network Bridge 23

System communication and data flow 25

Server communication 25

Login from XProtect Smart Client as an AD user 26

Login from XProtect Smart Client as a basic user 27

Login from XProtect Smart Client with an external IDP 28

Live video and audio 29

Live video multicasting 30

Matrix 31

Management server – view update 32

XProtect Smart Wall 33

Play back video and audio 34

Login from XProtect Web Client and XProtect Mobile as an AD user 35

Login from XProtect Web Client and XProtect Mobile as a basic user 36

Login from XProtect Web Client and the XProtect Mobile client with an external IDP 37

Live video for XProtect Web Client and XProtect Mobile 38

Recording and playback video for XProtect Web Client and XProtect Mobile 39

Video push 40

Milestone Interconnect live 41

Milestone Interconnect recording options 42

Milestone Interconnect play back 43

XProtect DLNA Server 44

Milestone Open Network Bridge 45

Management Client configuration update 46

Log server 47

Event server 47

XProtect Transact 48

XProtect LPR 49

View and manage alarms 50

Data collector 51

3 | Contents
System architecture document | XProtect® VMS 2023 R3

Recording server failover 52

Evidence lock 53

XProtect Incident Manager 54

Move hardware 55

Ports used by the system 56

Application pools 72

Application pools in Milestone XProtect 72

Working with application pools 73

Open the Application Pools page 73

4 | Contents
System architecture document | XProtect® VMS 2023 R3

Copyright, trademarks, and disclaimer


Copyright © 2023 Milestone Systems A/S

Trademarks

XProtect is a registered trademark of Milestone Systems A/S.

Microsoft and Windows are registered trademarks of Microsoft Corporation. App Store is a service mark of
Apple Inc. Android is a trademark of Google Inc.

All other trademarks mentioned in this document are trademarks of their respective owners.

Disclaimer

This text is intended for general information purposes only, and due care has been taken in its preparation.

Any risk arising from the use of this information rests with the recipient, and nothing herein should be
construed as constituting any kind of warranty.

Milestone Systems A/S reserves the right to make adjustments without prior notification.

All names of people and organizations used in the examples in this text are fictitious. Any resemblance to any
actual organization or person, living or dead, is purely coincidental and unintended.

This product may make use of third-party software for which specific terms and conditions may apply. When
that is the case, you can find more information in the file 3rd_party_software_terms_and_conditions.txt
located in your Milestone system installation folder.

5 | Copyright, trademarks, and disclaimer


System architecture document | XProtect® VMS 2023 R3

Introduction
This document contains illustrations and descriptions of communication and dataflow between the most
common system components in a distributed system.

The document shows a range of scenarios with a supporting illustration and a description of actions
supplemented by information about port numbers, protocols and bandwidth usage.

The illustrations are simplified and primarily focus on the general dataflow between system components. This
means that less important flows may have been omitted in order to reduce the level of complexity.

6 | Introduction
System architecture document | XProtect® VMS 2023 R3

Target audience and purpose


This document is primarily aimed at system integrators and IT administrators. It gives insight on the benefits
and simplicity of using Milestone XProtect as a VMS and you can use it for assistance in the process of
selecting, deploying, administrating, maintaining, and expanding a Milestone XProtect VMS.

Read the document for guidance on the following subjects:

l Overall system architecture

l Primary system components and their functions

l Data flow and communication through the system

l Basic system design

To benefit from the information in this document, you should have a general experience with administrating
an IT installation.

7 | Target audience and purpose


System architecture document | XProtect® VMS 2023 R3

Overall system architecture


To enable scaling of thousands of cameras across multiple sites, the system consists of several components
that handle specific tasks. You can install all components on a single server if the server can handle the load, or
you can install the components on separate, dedicated servers to scale and distribute the load.

Depending on hardware and configuration, smaller systems with 50 to100 cameras can run on a single server.

For systems with more than 100 cameras, Milestone recommends that you use dedicated servers for all or
some of the components.

As a starting point, all components need not be available in all installations. Components such as failover
recording servers or mobile servers can be added if the functionality they offer is needed at a later time for
hosting and providing access to both XProtect Web Client and XProtect Mobile.

The components of the XProtect VMS

8 | Overall system architecture


System architecture document | XProtect® VMS 2023 R3

Server components

Management server
The management server is the central VMS component. It stores the configuration of the surveillance system
in a SQL Server database, either on SQL Server on the management server computer itself or on separate SQL
Server on the network. It also handles user authentication, user permissions, the rule system and more.

To improve system performance, you can run several management servers as a Milestone Federated
Architecture™. The management server runs as a service and is typically installed on a dedicated server.

Failover management server

You can get failover support on the management server by installing the management server in a Microsoft
Windows cluster. The cluster ensures that another server takes over the management server function in case
the first server fails.

Recording server
Recording servers are computers where you have installed the Recording Server software, and configured it to
communicate with the management server. A surveillance system typically consists of several recording
servers.

The recording server is responsible for all communication, recording, and event handling related to devices
such as cameras, video and audio encoders, I/O modules, and metadata sources. Examples of actions the
recording server handles:

l Retrieve video, audio, metadata and I/O event streams from the devices

l Record video, audio and metadata from devices

l Provide operators with access to live and recorded video, audio and metadata

l Provide operators with access to device status

l Trigger system and video events on device failures or events

l Perform motion detection and generate smart search metadata

The recording server is also responsible for communicating with other Milestone products when using the
Milestone Interconnect™ technology. For more information, see Milestone Interconnect on page 22.

The recording server supports encryption of data streams to the clients and services as well as encryption of
the connection with the management server.For more information, see the certificates guide about how to
secure your XProtect VMS installations.

9 | Server components
System architecture document | XProtect® VMS 2023 R3

Failover recording server

The failover recording server is responsible for taking over the recording task in case a recording server fails.

The failover recording server operates in two modes:

Cold standby, for monitoring multiple recording servers

In a cold standby failover recording server setup, you group multiple failover recording servers in a failover
group. The entire failover group is dedicated to take over from any of several preselected recording servers, if
one of these becomes unavailable. You can also specify a secondary failover server group that takes over from
the primary group if all the recording servers in the primary group are busy

Hot standby, for monitoring a single recording server

In a hot standby failover recording server setup, you dedicate a failover recording server to take over from one
recording server only. With this approach, the failover recording server is continuously synchronized with the
correct/current configuration of the recording server it is dedicated to and it can take over much faster than a
cold standby failover recording server.

Media database
The system stores the retrieved video, audio and metadata in the customized high performance Milestone
media database which is optimized for recording and storing audio and video data.

The media database supports various unique features including multistage archiving, video grooming,
encryption and adding a digital signature to the recordings.

Event server
The event server handles the tasks related to events, alarms, and maps and also third-party integrations via
the Milestone Integration Platform.

Events:

l All system events are consolidated in the event server so there is a single place and interface for
partners to make integrations that use system events

l The event server offers third-party access for sending events to the system via the Generic events or
Analytics events interface

Alarms:

l The event server hosts the alarm feature, alarm logic, alarm state and handling of the alarm database.
The alarm database is stored in the same SQL Server database as the management server uses

Maps:

l The event server also hosts maps. You configure and use maps in the XProtect Smart Client

10 | Server components
System architecture document | XProtect® VMS 2023 R3

Milestone Integration Platform:

l You can install third-party developed plug-ins on the event server and utilize access to system events

You can get failover support on the event server by installing the event server in a Microsoft Windows cluster.
The cluster ensures that another server takes over the event server function in case the first server fails.

Log server
The log server stores all log messages for the entire system. The log server typically uses the same SQL Server
as the management server but has its own SQL Server database. The log server is also typically installed on the
same server as the management server. If you need to increase the performance of the management server or
log server, you can install the log server on a separate server and use separate SQL Server.

The system can through the log server write three types of log messages:

l System logs: the system administrator can choose to log errors, warnings, and information, or a
combination of these. The default is to log errors only

l Audit logs: the system administrator can choose to log user activity in clients in addition to login and
administration logs

l Rule-triggered logs: the system administrator can use the rule log to create logs on specific events

SQL Server
The management server, the event server, and the log server use SQL Server databases on one or two SQL
Server installations to store, for example, configuration, alarms, events and log messages.

The Milestone XProtect installer includes Microsoft SQL Server Express which is free edition of SQL Server.

For very large systems or systems with many transactions to and from the SQL Server databases, Milestone
recommends that you use the Microsoft® SQL Server® Standard or Microsoft® SQL Server® Enterprise edition
of SQL Server on a dedicated computer on the network and on a dedicated hard disk drive that is not used for
other purposes. Installing SQL Server on its own drive improves the entire system performance.

Mobile server
XProtect Mobile server handles logins to the system from XProtect Mobile client or XProtect Web Client.

A XProtect Mobile server distributes video streams from recording servers to XProtect Mobile client or XProtect
Web Client. This offers a secure setup where recording servers are never connected to the Internet. When a
XProtect Mobile server receives video streams from recording servers, it also handles the complex conversion
of codecs and formats allowing streaming of video on the mobile device.

11 | Server components
System architecture document | XProtect® VMS 2023 R3

API Gateway
The MIP VMS API provides a unified RESTful API, based on industry standard protocols such as OpenAPI, for
accessing XProtect VMS functionality, simplifying integration projects and serving as a basis for cloud
connected communication.

The XProtect VMS API Gateway supports these integration options through the Milestone Integration Platform
VMS API (MIP VMS API).

The API Gateway is installed on-premise and is intended to serve as a front-end and common entry point for
RESTful API and WebSocket Messaging API services on all the current VMS server components (management
server, event server, recording servers, log server, etc). An API Gateway service can be installed on the same
host as the management server or separately, and more than one can be installed (each on their own host).

The RESTful API is implemented in part by each specific VMS server component, and the API Gateway can
simply pass-through these requests and responses, while for other requests, the API Gateway will convert
requests and responses as appropriate.

Currently, the configuration API, hosted by the management server, is available as a RESTful API. The RESTful
Events API, Websockets messaging API, and the RESTful Alarms API, hosted by the event server, are also
available.

For more information, see the API Gateway administrator manual and the Milestone Integration Platform VMS
API reference documentation.

12 | Server components
System architecture document | XProtect® VMS 2023 R3

Client components

XProtect Management Client


The Management Client is the administration interface for all parts of the system.

The VMS is designed for large-scale operation so the Management Client is designed to run remotely from, for
example, the administrator’s computer.

You can access the settings in the Management Client from a tree structure where you can open items and sub
items.

XProtect Smart Client


XProtect Smart Client is the main client for the VMS. It is designed to run remotely from the operators’
computer for day-to-day use in order to manage IP surveillance cameras. It provides instant control of
cameras and connected security devices and quick access to live and recorded video and metadata.

XProtect Smart Client has an adaptable user interface that can be optimized for individual operators’ tasks and
adjusted according to specific skills and authority levels.

For more information, see the user manual for XProtect Smart Client.

XProtect Web Client


XProtect Web Client is a client designed for the occasional or remote user that needs easy access to live
monitoring, playback and export. XProtect Web Client also provides access to activating system events and
outputs.

For more information, see the user manual for XProtect Web Client.

On the System Requirements web page, you can find information about compatible browsers under XProtect
Web Client.

XProtect Mobile client


The XProtect Mobile client is a mobile surveillance solution and it offers easy access to cameras, views and
other functionality that is set up in the management clients.

It runs on an Android tablet or smartphone or on an Apple® tablet, smartphone or portable music player.

You can use the XProtect Mobile client as a remote recording device by using the device's built-in camera and
the Milestone Video Push feature. With Video Push activated, video from the device's camera is streamed back
to the VMS and recorded as if it was from a standard camera.

For more information, see the user manual for XProtect Mobile.

13 | Client components
System architecture document | XProtect® VMS 2023 R3

On the System Requirements web page, you can find information about which operating systems are
compatible with XProtect Mobile.

14 | Client components
System architecture document | XProtect® VMS 2023 R3

Encryption
This section gives you an introduction to encryption and certificates.

XProtect systems support secure communication:

From To

Recording Server Management Server

Management Server Recording Server

Clients, servers, and integrations that retrieve data streams


Recording Server
from the recording server

Mobile devices Mobile Server

Data Collector servers affiliated with


Management Server
remote servers

Data Collector servers affiliated with remote servers Management Server

When do you need to install certificates?

First, decide whether your system actually needs encrypted communication.

Don't use certificates with recording server encryption if you are using one or more integrations that don't
support HTTPS communication. This is, for example, third-part MIP SDK integrations that don't support HTTPS.

Unless your installation is made in a physically isolated network, it's recommended that you secure the
communication by using certificates.

This document describes when to use certificates:

l If your XProtect VMS system is set up in a Windows Workgroup environment

l Before you install or upgrade to XProtect VMS 2019 R1 or newer, if you want to enable encryption
during the installation

l Before you enable encryption, if you installed XProtect VMS 2019 R1 or newer without encryption

l When you renew or replace certificates due to expiry

15 | Encryption
System architecture document | XProtect® VMS 2023 R3

Introduction to certificates
Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP) for
secure communication over a computer network. In HTTPS, the communication protocol is encrypted using
Transport Layer Security (TLS), or its predecessor, Secure Sockets Layer (SSL).

In XProtect VMS, secure communication is obtained by using TLS/SSL with asymmetric encryption (RSA).

TLS/SSL uses a pair of keys—one private, one public—to authenticate, secure, and manage secure connections.

A certificate authority (CA) is anyone who can issue root certificates. This can be an internet service that issues
root certificates, or anyone who manually generates and distributes a certificate. A CA can issue certificates to
web services, that is to any software using https communication. This certificate contains two keys, a private
key and a public key. The public key is installed on the clients of a web service (service clients) by installing a
public certificate. The private key is used for signing server certificates that must be installed on the server.
Whenever a service client calls the web service, the web service sends the server certificate, including the
public key, to the client. The service client can validate the server certificate using the already installed public
CA certificate. The client and the server can now use the public and private server certificates to exchange a
secret key and thereby establish a secure TLS/SSL connection.

For manually distributed certificates, certificates must be installed before the client can make such a
verification.

See Transport Layer Security for more information about TLS.

In XProtect VMS, the following locations are where you can enable TLS/SSL encryption:

l In the communication between the management server and the recording servers, event servers, and
mobile servers

l On the recording server in the communication with clients, servers, and integrations that retrieve data
streams from the recording server

l In the communication between clients and the mobile server

Certificate distribution

The graphic illustrates the basic concept of how certificates are signed, trusted, and distributed in XProtect VMS.

16 | Encryption
System architecture document | XProtect® VMS 2023 R3

A CA certificate acts as a trusted third-party, trusted by both the Subject/owner (server) and by the party
that verifies the certificate (clients).

The public CA certificate must be trusted on all client computers. In this way the clients can verify the
validity of the certificates issued by the CA.

The CA certificate is used to issue private server authentication certificates to the servers.

The created private SSL certificates must be imported to the Windows Certificate Store on all servers.

Requirements for the private SSL certificate:

l Issued to the server so that the server's host name is included in the certificate, either as subject
(owner) or in the list of DNS names that the certificate is issued to

l Trusted on all computers running services or applications that communicate with the service on the
servers, by trusting the CA certificate that was used to issue the SSL certificate

l The service account that runs the server must have access to the private key of the certificate on the
server.

Certificates have an expiry date. XProtect VMS will not warn you when a certificate is
about to expire. If a certificate expires, the clients will no longer trust the server with the
expired certificate and thus cannot communicate with it.
To renew the certificates, follow the steps in this guide as you did when you created
certificates.

For more information, see the certificates guide about how to secure your XProtect VMS installations.

17 | Encryption
System architecture document | XProtect® VMS 2023 R3

Identity Provider (explained)


Identity Provider app pool (IDP) is a system entity that creates, maintains, and manages identity information
for basic users.

Identity Provider also provides authentication and registration services to relying applications or services, in
this case: Recording Server, Management Server, Data Collector, and Report Server.

When you log in to XProtect clients and services as a basic user, your request goes to the Identity Provider.
When authenticated the user can call the management server.

Identity Provider runs in the IIS as a part of the management server using the same SQL Server with a separate
database and is responsible for creating and handling OAuth communication tokens that services use when
communicating (Surveillance_IDP).

Identity Provider logs can be found at: \\ProgramData\Milestone\IDP\Logs.

18 | Identity Provider (explained)


System architecture document | XProtect® VMS 2023 R3

Additional products and components


Available functionality depends on the system you are using. See the complete feature list, which is available
on the product overview page on the Milestone website
(https://www.milestonesys.com/products/software/product-index/).

MIP SDK
The Milestone Integration Platform Software Development Kit (MIP SDK) is a comprehensive tool that makes it
easy to create applications, plug-ins or integrations for Milestone’s XProtect products.

MIP

The open platform is integrated in the following Milestone XProtect system components and applications:

l XProtect Smart Client

l XProtect Management Client

l Management Application

l Management Server

l Event Server

MIP SDK

To have a truly open platform and a community around it Milestone provides the SDK that contains:

l The tools for developing integrations

l Documentation of a set of interfaces

l A set of wrapper .NET DLLs providing an easy interface to a variety of functionality

l A large collection of samples demonstrating different ways of using the MIP SDK

l Short descriptions and how-to guides

l A small application to display links to this information

l Libraries

The MIP SDK is also used internally by Milestone software development teams.

For more information, see the MIP SDK and Develop Forum webpages.

19 | Additional products and components


System architecture document | XProtect® VMS 2023 R3

Milestone Software Manager


Milestone Software Manager is a tool that you, from a central point, can use to remotely install and upgrade
recording servers, recording server device packs and XProtect Smart Clients on servers or PCs in the network.

For larger installations, the tool makes it easy and fast to remotely upgrade the components that are installed
on servers and client PCs.

For more information, see the XProtect Access webpage and administrator manual.

XProtect Smart Wall


XProtect Smart Wall is designed for control centers to display live video from selected cameras on one or more
video wall displays.

There are several ways you can select the cameras:

l Manually using the XProtect Smart Client

l Via the VMS’ rule system on events and/or time schedule

l Via MIP SDK integrations

XProtect Smart Wall does not require a dedicated XProtect software component itself, nor does it use a
dedicated XProtect client - all the required components are included in the standard XProtect Corporate
management server and XProtect Smart Client. It just needs a PC running XProtect Smart Client to show the
Smart Wall views.

XProtect Smart Wall is included in XProtect Corporate. You can purchase it as an


extension to XProtect Expert.

For more information, see the XProtect Smart Wall webpage and manual.

XProtect Incident Manager


XProtect Incident Manager is an extension that enables organizations to document incidents and combine
them with sequence evidence (video and, potentially, audio) from the XProtect VMS.

You can store the following information about the incidents in incident projects:

l Sequences with video and, potentially, audio from the XProtect VMS

l Incident properties like type, status, categories, and data elements

l Information like comments, descriptions, and information about calls.

All the required components for XProtect Incident Manager are included in the standard XProtect VMS
management server and XProtect Smart Client.

20 | Additional products and components


System architecture document | XProtect® VMS 2023 R3

XProtect Access
The access control integration feature introduces new functionality that makes it simple to integrate
customers’ access control systems with XProtect. You get:

l A common operator user interface for multiple access control systems in XProtect Smart Client

l Faster and more powerful integration of access control systems

l More functionality for the operator (see below)

In XProtect Smart Client, the operator gets:

l Live monitoring of events at access points

l Operator aided passage for access requests

l Map integration

l Alarm definitions for access control events

l Investigation of events at access points

l Centralized overview and control of door states

l Cardholder information and management

The use of XProtect Access requires that you have purchased a base license that allows
you to access this feature within your XProtect system. You also need an access control
door license for each door you want to control.

You can use XProtect Access with access control systems from vendors where a vendor-
specific plug-in for XProtect Access exists. You must install this plug-in on the event
server before you can start an integration.

For more information, see the XProtect Access webpage and administrator manual.

XProtect Transact
XProtect Transact is an extension to Milestone's IP video surveillance solutions XProtect VMS and XProtect
Professional VMS.

XProtect Transact is a tool for observing ongoing transactions and investigating transactions in the past. The
transactions are linked with the digital surveillance video monitoring the transactions, for example to help you
prove fraud or provide evidence against a perpetrator. There is a 1-to-1 relationship between the transaction
lines and video images.

The transaction data may originate from different types of transaction sources, typically point of sales (PoS)
systems or automated teller machines (ATM).

For more information, see the XProtect Transact webpage and administrator manual.

21 | Additional products and components


System architecture document | XProtect® VMS 2023 R3

XProtect LPR
XProtect LPR offers video-based content analysis (VCA) and recognition of vehicle license plates that interacts
with your surveillance system and your XProtect Smart Client.

To read the characters on a plate, XProtect LPR uses optical character recognition on images aided by
specialized camera settings.

You can combine LPR (license plate recognition) with other surveillance features such as recording and event-
based activation of outputs.

Examples of events in XProtect LPR:

l Trigger surveillance system recordings in a particular quality

l Activate alarms

l Match against positive/negative match lists

l Open gates

l Switch on lights

l Push video of incidents to computer screens of particular security staff members

l Send mobile phone text messages

With an event, you can activate alarms in XProtect Smart Client.

For more information, see the XProtect LPR webpage and administrator manual.

Milestone Interconnect
Milestone Interconnect allows you to integrate several XProtect or Milestone Husky™ installations with one
XProtect Corporate central site. You can also install these sites, called remote sites, on mobile units, for
example, boats, busses or trains. This means that such sites do not need to be permanently connected to a
network.

The central site considers the remote site as an advanced camera or multi-channel encoder with edge storage
capabilities.

Each remote site runs independently and can perform surveillance tasks as configured. Depending on the
network connections and appropriate user permissions, Milestone Interconnect offers you direct live viewing
of remote site cameras and play back of remote site recordings on the central site.

It also offers you the possibility to transfer remote site recordings to the central site based on either system-
defined events, rules, schedules or by manual requests from XProtect Smart Client users.

The central site can only see and access devices that the user account specified on the remote site has access
to. This allows local system administrators on the remote sites to control which devices should be made
available to the central site and its users.

22 | Additional products and components


System architecture document | XProtect® VMS 2023 R3

On the central site, you can view the status for the interconnected cameras, but not the entire status of the
remote site. Instead, to monitor the remote site, you can use remote site events to trigger alarms or other
notifications on the central site.

Only XProtect Corporate systems can work as central sites. All other products can act as remote sites including
XProtect Corporate. How specific the products interact in a Milestone Interconnect setup depends on the
version of the XProtect or Milestone Husky installations, the number of cameras and how devices and events
are configured on the remote site.

For more information, see the Milestone Interconnect webpage and documentation.

It is not possible to add systems with free XProtect installation as remote sites.

XProtect DLNA Server

As of 2023 R2, this product is no longer supported by Milestone.

DLNA (Digital Living Network Alliance) is a standard for connecting multimedia devices. Electronic
manufactures get their products DLNA certified to ensure interoperability between different vendors and
devices and thereby enable them to distribute multimedia content such as audio, video, and photos.

Public displays and TVs are often DLNA certified and connected to a network. They are able to scan the
network for media content, connect to the device, and request a media stream to their built-in media player.
XProtect DLNA Server can be discovered by certain DLNA certified devices and deliver live video streams from
selected cameras to DLNA certified devices with a media player.

The DLNA devices have a live video delay of 1-10 seconds. This is caused by different
buffer sizes in the devices.

XProtect DLNA Server must be connected to the same network as the XProtect system and the DLNA device
must be connected to the same network as XProtect DLNA Server.

Milestone Open Network Bridge


The ONVIF standard facilitates full video interoperability in multivendor installations and ensures information
exchange by defining a common protocol. The protocol contains ONVIF profiles, which are collections of
specifications for interoperability between ONVIF compliant devices.

Milestone Open Network Bridge is compliant with the parts of ONVIF Profile G and Profile S that provide access
to live and recorded video, and the ability to control pan-tilt-zoom cameras:

23 | Additional products and components


System architecture document | XProtect® VMS 2023 R3

l Profile G - Provides support for video recording, storage, search, and retrieval. For more information,
see ONVIF Profile G Specification (https://www.onvif.org/profiles/profile-g/).

l Profile S - Provides support for streaming live video using the H.264 codec, audio streaming, and pan-
tilt-zoom (PTZ) controls. For more information, see ONVIF Profile S Specification
(https://www.onvif.org/profiles/profile-s/).

For more information about the ONVIF standard, see the ONVIF® website (https://www.onvif.org/).

ONVIF Profiles support “get” functions that retrieve data, and “set” functions that configure settings. Each
function is either mandatory, conditional, or optional. For security reasons, Milestone Open Network Bridge
supports only the mandatory, conditional, and optional “get” functions that do the following:

l Request video

l Authenticate users

l Stream video

l Play recorded video

For more information, see the administrator manual for Milestone Open Network Bridge.

24 | Additional products and components


System architecture document | XProtect® VMS 2023 R3

System communication and data flow


The following illustrations provide an overview of the flow of data between XProtect components.

For a complete list of the ports that must be enabled for communication between
components, see Ports used by the system.

Server communication

1. Management server - Recording server

2. Recording server - Media database

3. Management server - Internal

4. SQL Server database communication

5. Management server - Mobile server

6. Authentication of basic users by the Identity Provider

7. API Gateway - Management server

25 | System communication and data flow


System architecture document | XProtect® VMS 2023 R3

Login from XProtect Smart Client as an AD user

1. XProtect Smart Client connects to the management server and attempts to log in

2. The management server contacts Active Directory to authenticate the user

3. User-specific configuration is retrieved from the SQL Server database

4. Login is granted and the configuration is sent to XProtect Smart Client

26 | System communication and data flow


System architecture document | XProtect® VMS 2023 R3

Login from XProtect Smart Client as a basic user

1. XProtect Smart Client attempts to connect to the management server as a basic user

2. The login request goes to the Identity Provider for authentication

3. User-specific configuration is retrieved from the SQL Server database

4. Login is granted and the configuration is sent to XProtect Smart Client

27 | System communication and data flow


System architecture document | XProtect® VMS 2023 R3

Login from XProtect Smart Client with an external IDP

1. Login from XProtect Smart Client launches a web browser on the client computer.

2. The login request goes from the web browser to the Identity Provider for authentication.

3. The web browser is redirected to the external IDP login page where the user enters credentials and the
browser receives an authorization code.

4. The Identity Provider requests information about the user from the external IDP and receives a list of
claims. If a new user logs in to the VMS, the user is created in the VMS.

5. The web browser is redirected to XProtect Smart Client with the authorization code from the Identity
Provider.

6. XProtect Smart Client gets an access token from the Identity Provider.

7. XProtect Smart Client login to the management server using the access token.

8. Verification of user permissions according to claims to role mapping.

9. The user logs in to XProtect Smart Client upon successful authorization.

28 | System communication and data flow


System architecture document | XProtect® VMS 2023 R3

Live video and audio

1. Live streams from cameras retrieved by the recording server

2. Streams are sent to XProtect Smart Client on request

29 | System communication and data flow


System architecture document | XProtect® VMS 2023 R3

Live video multicasting

1. Live streams from cameras retrieved by the recording server

2. Recording server sends multicast stream to the multicast enabled network. This requires that all
switches handling the data traffic between the XProtect Smart Client and the recording server must be
configured for multicast

3. The multicast stream is received by all XProtect Smart Clients on request

30 | System communication and data flow


System architecture document | XProtect® VMS 2023 R3

Matrix

1. XProtect Smart Client user selects to send a camera to a Matrix-recipient

2. Information is sent to management server

3. Management server sends request to Matrix-recipient on specified IP address and port (XProtect Smart
Client B)

4. Streams are sent to XProtect Smart Client from recording server on request

31 | System communication and data flow


System architecture document | XProtect® VMS 2023 R3

Management server – view update

1. View updated on XProtect Smart Client

2. The system configuration is stored in the SQL Server database

3. The management server sends notification about view update to XProtect Smart Clients

4. XProtect Smart Clients retrieves and applies the new view

32 | System communication and data flow


System architecture document | XProtect® VMS 2023 R3

XProtect Smart Wall

1. An XProtect Smart Client user updates the XProtect Smart Wall view

2. The XProtect Smart Wall view configuration is updated and stored in the SQL Server database

3. The management server sends a notification to the XProtect Smart Client running the XProtect Smart Wall

4. The XProtect Smart Client running the XProtect Smart Wall retrieves and applies new layout

33 | System communication and data flow


System architecture document | XProtect® VMS 2023 R3

Play back video and audio

1. Recording stream from cameras retrieved by the recording server

2. The stream is recorded in the recording server database based on rules

3. The recorded stream is retrieved by XProtect Smart Client on playback request

34 | System communication and data flow


System architecture document | XProtect® VMS 2023 R3

Login from XProtect Web Client and XProtect Mobile as an AD user

1. Login request from XProtect Web Client or XProtect Mobile received on the mobile server

2. The mobile server forwards request to the management server

3. The management server contacts Active Directory to authenticate the user

4. User-specific configuration is retrieved from the SQL Server database

5. Information returned to the mobile server

6. The login is granted and configuration is sent to XProtect Web Client or XProtect Mobile

35 | System communication and data flow


System architecture document | XProtect® VMS 2023 R3

Login from XProtect Web Client and XProtect Mobile as a basic user

1. Login request from XProtect Web Client or XProtect Mobile received on the mobile server

2. The mobile server forwards a request to the management server

3. The login request goes to the Identity Provider for authentication

4. User-specific configuration is retrieved from the SQL Server database

5. Information returned to the mobile server

6. The login is granted and configuration is sent to XProtect Web Client or XProtect Mobile

36 | System communication and data flow


System architecture document | XProtect® VMS 2023 R3

Login from XProtect Web Client and the XProtect Mobile client with an
external IDP

1. In XProtect Web Client or in the XProtect Mobile client, the user selects to log in via an external IDP. The
login request launches a web browser.

2. The web browser is redirected to the external IDP login page where the user enters credentials.

3. The Identity Provider receives an authorization code from the external IDP to be exchanged for an
access token. Then the Identity Provider requests information about the user from the external IDP and
gets a list of claims. If a new user logs in to the VMS, the user is created in the VMS.

4. The Identity Provider returns an authorization code to XProtect Web Client or the XProtect Mobile client.

5. XProtect Web Client or the XProtect Mobile client requests an access token from the Identity Provider.

6. XProtect Web Client or the XProtect Mobile client logs in to the mobile server using the access token.

37 | System communication and data flow


System architecture document | XProtect® VMS 2023 R3

Live video for XProtect Web Client and XProtect Mobile

1. Live stream(s) from cameras retrieved on the recording server

2. Streams are sent to the mobile server for transcoding or as direct streaming

3. Video is streamed to the clients

38 | System communication and data flow


System architecture document | XProtect® VMS 2023 R3

Recording and playback video for XProtect Web Client and XProtect
Mobile

1. Recording stream from cameras retrieved on the recording server

2. The stream is recorded in the recording server database based on rules

3. Recordings are sent to the mobile server for transcoding or as direct streaming

4. Video is streamed to clients

39 | System communication and data flow


System architecture document | XProtect® VMS 2023 R3

Video push

1. Video push stream from a device running XProtect Mobile is sent instantly to the mobile server

2. The video push stream is retrieved by recording server using the specific video push device driver

40 | System communication and data flow


System architecture document | XProtect® VMS 2023 R3

Milestone Interconnect live

Illustrates how XProtect Smart Client users, specified for the interconnected system, only need to log into the
management server on the central site to view video.

1. Live stream(s) from the remote site cameras retrieved by the remote site recording server

2. Live streams from the remote site recording server retrieved by the central site recording server

3. Stream(s) are sent to XProtect Smart Client on request

41 | System communication and data flow


System architecture document | XProtect® VMS 2023 R3

Milestone Interconnect recording options

Some of the different options when configuring your system recording settings:

l No recording

l Record at remote site only

l Retrieve recordings from remote site on request

l Retrieve recordings from remote site based on rule (time profile)

l Record at central site only

l Retrieve recordings from remote site after site link down

l Record at both sites

l Combinations of above and other options

42 | System communication and data flow


System architecture document | XProtect® VMS 2023 R3

Milestone Interconnect play back

Illustrates when recording is done on both sites. Recordings can be retrieved to the central site based on
schedule, event or request. XProtect Smart Client users, specified for the interconnected system, only need to
log into the management server on the central site to view video.

1. Recording stream from the remote site cameras retrieved by the remote site recording server

2. The stream is recorded in the remote site recording server database based on rules

3. Recording stream from the remote site recording server retrieved by the central site recording server

4. The stream is recorded in the central site recording server database based on rules. Recordings not
available due to remote site link downtime can be retrieved automatically or based on schedule, event
or request

5. The recorded stream(s) are retrieved by XProtect Smart Client on playback request

43 | System communication and data flow


System architecture document | XProtect® VMS 2023 R3

XProtect DLNA Server

1. The XProtect DLNA Server connects to the management server to authorize itself with the provided
credentials

2. A DLNA device scans the network and connects to the XProtect system via the XProtect DLNA Server
and requests a live camera video stream

3. XProtect DLNA Server retrieves the requested camera video stream from the recording server

4. XProtect DLNA Server sends the live video stream from the requested camera to the DLNA device

44 | System communication and data flow


System architecture document | XProtect® VMS 2023 R3

Milestone Open Network Bridge

1. Login, stream or PTZ request from ONVIF client received on the Milestone Open Network Bridge server.
The Milestone Open Network Bridge is a gateway for non-Milestone clients to the Milestone VMS

2. The Milestone Open Network Bridge forwards the login request to the management server to
authenticate the user.
Access to the Milestone VMS is granted and sent to the Milestone Open Network Bridge server

3. Requested live or playback stream from the recording server is retrieved by the Milestone Open
Network Bridge server

4. Video is streamed to the ONVIF client

45 | System communication and data flow


System architecture document | XProtect® VMS 2023 R3

Management Client configuration update

1. Configuration updated on the Management Client

2. Changes are stored on the management server

3. Configuration update sent to relevant components. In this case, the recording server

4. If updates concern cameras, the recording server applies new settings

46 | System communication and data flow


System architecture document | XProtect® VMS 2023 R3

Log server

1. The Management server or recording server creates a log message

2. The log message is forwarded to the log server

3. The log message is stored in the log server's SQL Server database

Event server

The event server sends data to XProtect Smart Client to show in alarm list, XProtect Access or the map
overview. The event server Plug-in is a client to the access control system.
The XProtect Smart Client user responds to the notification and returns data to event server.

47 | System communication and data flow


System architecture document | XProtect® VMS 2023 R3

XProtect Transact

1. Transaction data generated by the transaction source is sent to the event server and stored

2. The event server sends transaction data to XProtect Smart Client. View items containing transaction
data and the associated video is updated

48 | System communication and data flow


System architecture document | XProtect® VMS 2023 R3

XProtect LPR

1. Live streams from cameras configured for LPR (License Plate Recognition) retrieved by the recording
server

2. Streams from the recording server retrieved by the LPR server

3. The LPR server recognizes license plates by comparing them with the license plate styles of the installed
country modules. Found license plates are compared with the match list requests from the event server
LPR plug-in

4. The event server sends events and alarms to XProtect Smart Client when there is a match

49 | System communication and data flow


System architecture document | XProtect® VMS 2023 R3

View and manage alarms

1. XProtect Smart Client requests an alarm list from event server

2. The alarm list is retrieved from the SQL Server database and returned to XProtect Smart Client

3. The alarm is handled and its state/details is updated by the user

4. New state/details stored in the SQL Server database

50 | System communication and data flow


System architecture document | XProtect® VMS 2023 R3

Data collector

1. System status received on management server delivered by: log server, event server, recording server,
failover recording server and mobile server

2. The collected data is stored in a SQL Server database on SQL Server

3. XProtect Smart Client or the Management Client requests status via System Monitor

4. Requested data is collected from a SQL Server database on SQL Server

5. Data returned to clients

51 | System communication and data flow


System architecture document | XProtect® VMS 2023 R3

Recording server failover

1. Video streamed from the recording server

2. Alive messages exchanged between recording and failover recording server

3. Cold standby: failover message sent, configuration retrieved, start failover


Hot standby: failover message sent, start failover

4. Configuration updated with active failover recording server

5. Update configuration message sent to the management server

6. Update message distributed to all clients

7. Video streamed from failover recording server

52 | System communication and data flow


System architecture document | XProtect® VMS 2023 R3

Evidence lock

1. The user creates an evidence lock in XProtect Smart Client. XProtect Smart Client sends the information
to the management server

2. The management server informs the recording server to store and protect the locked recordings in the
Media database

3. The management server stores information about the evidence lock in the SQL Server database

53 | System communication and data flow


System architecture document | XProtect® VMS 2023 R3

XProtect Incident Manager

Flow Actions and components

An operator of XProtect Smart Client starts, saves, edits, or deletes an incident project.
Information about the incident project and its data is saved in the extension’s own SQL Server
1 database Surveillance_IM. The activities related to incident projects are - depending on the
activity - logged in the extension’s own SQL Server database Surveillance_IM, in the Log Server
service’s SQL Server database SurveillanceLogServerV2, or in both.

A Management Client administrator creates, edits, or deletes an incident property. The


incident property definition is saved in the extension’s own SQL Server database Surveillance_
2
IM. The user activity is logged in the Log Server service’s SQL Server database
SurveillanceLogServerV2.

54 | System communication and data flow


System architecture document | XProtect® VMS 2023 R3

Move hardware

1. The user moves hardware from recording server 1 to recording server 2 in Management Client

2. The management server receives the update in the system configuration and stores it in the SQL Server
database

3. The management server sends update to recording server 1

4. The management server sends update to recording server 2

5. Recording server 2 connects to Hardware. All new recordings are stored in the recording server 2
database

Old recordings are still available on recording server 1. The system deletes them when the retention time
expires. Recordings marked with evidence lock are not deleted until the evidence lock's retention time expires.

Clients connect to recording server 2

55 | System communication and data flow


System architecture document | XProtect® VMS 2023 R3

Ports used by the system


All XProtect components and the ports needed by them are listed below. To ensure, for example, that the
firewall blocks only unwanted traffic, you need to specify the ports that the system uses. You should only
enable these ports. The lists also include the ports used for local processes.

They are arranged in two groups:

l Server components (services) offer their service on particular ports which is why they need to listen for
client requests on these ports. Therefore, these ports need to be opened in the Windows Firewall for
inbound and outbound connections

l Client components (clients) initiate connections to particular ports on server components. Therefore,
these ports need to be opened for outbound connections. Outbound connections are typically open by
default in the Windows Firewall

If nothing else is mentioned, ports for server components must be opened for inbound connections, and ports
for client components must be opened for outbound connections.

Do keep in mind that server components can act as clients to other server components. These are not explicitly
listed in this doc.

The port numbers are the default numbers, but this can be changed. Contact Milestone support, if you need to
change ports that are not configurable through the Management Client.

Server components (inbound connections)

Each of the following sections list the ports that need to be opened for a particular service. To figure out which
ports need to be opened on a particular computer, you need to consider all services running on the computer.

Management Server service and related processes

56 | Ports used by the system


System architecture document | XProtect® VMS 2023 R3

Port Connections
Protocol Process Purpose
number from...

The purpose of port 80 and port


443 is the same. However, which
port the VMS uses depends on
whether you have used
certificates to secure the
communication.
80 HTTP IIS
l When you have not
secured the
communication with
certificates, the VMS uses
All servers and
port 80.
the XProtect
Smart Client and l When you have secured
the the communication with
Management certificates, the VMS uses
Client port 443 except for
communication from the
event server to the
management server. The

443 HTTPS IIS communication from the


event server to the
management server uses
Windows Secured
Framework (WCF) and
Windows authentication
on port 80.

Management
Management Server Manager Showing status and managing
6473 TCP
Server service tray icon, local the service.
connection only.

Management Local connection Communication between internal


8080 TCP
server only. processes on the server.

Management Recording Web service for internal


9000 HTTP
server Server services communication between servers.

57 | Ports used by the system


System architecture document | XProtect® VMS 2023 R3

Port Connections
Protocol Process Purpose
number from...

Communication between the


Management XProtect Smart system and Matrix recipients.
12345 TCP
Server service Client You can change the port number
in the Management Client.

Communication with the SNMP


extension agent.

Do not use the port for other


purposes even if your system
Management Windows SNMP does not apply SNMP.
12974 TCP
Server service Service
In XProtect 2014 systems or older,
the port number was 6475.

In XProtect 2019 R2 systems and


older, the port number was 7475.

SQL Server service

Port Connections
Protocol Process Purpose
number from...

Management Storing and retrieving configurations


1433 TCP SQL Server
Server service via the Identity Provider.

Event Server Storing and retrieving events via the


1433 TCP SQL Server
service Identity Provider.

Log Server Storing and retrieving log entries via


1433 TCP SQL Server
service the Identity Provider.

Data Collector service

58 | Ports used by the system


System architecture document | XProtect® VMS 2023 R3

Port
Protocol Process Connections from... Purpose
number

On the management server computer: Data


Collector services on all other servers. System
7609 HTTP IIS
On other computers: Data Collector service Monitor.
on the Management Server.

Event Server service

Port
Protocol Process Connections from... Purpose
number

Listening for generic events


Event Any server sending from external systems or
1234 TCP/UDP Server generic events to your devices.
Service XProtect system. Only if the relevant data
source is enabled.

Listening for generic events


Event Any server sending from external systems or
1235 TCP Server generic events to your devices.
service XProtect system. Only if the relevant data
source is enabled.

Listening for analytics


Any system or device events from external
Event
that sends analytics systems or devices.
9090 TCP Server
events to your
service Only relevant if the Analytics
XProtect system.
Events feature is enabled.

Event XProtect Smart Client


Configuration, events,
22331 TCP Server and the Management
alarms, and map data.
service Client

59 | Ports used by the system


System architecture document | XProtect® VMS 2023 R3

Port
Protocol Process Connections from... Purpose
number

Event/State Subscription,
WS/WSS Event
API Gateway and the Events REST API,
22332 Server
HTTP/HTTPS* Management Client Websockets Messaging API,
service
and Alarms REST API.

Event
MIP Plug-ins and
22333 TCP Server MIP messaging.
applications.
service

*A 403 error will be returned when accessing HTTP to access an HTTPS-only endpoint.

Recording Server service

Port Connections
Protocol Process Purpose
number from...

Listening for event messages from


devices.

Recording Cameras, The port is disabled by default.


25 SMTP Server encoders, and
(Deprecated) Enabling this will open
Service I/O devices.
a port for non-encrypted
connections and is not
recommended.

Recording Failover Merging of databases after a


5210 TCP Server recording failover recording server had been
Service servers. running.

Recording Cameras, Listening for event messages from


5432 TCP Server encoders, and devices.
Service I/O devices. The port is disabled by default.

7563 TCP Recording XProtect Smart Retrieving video and audio streams,

60 | Ports used by the system


System architecture document | XProtect® VMS 2023 R3

Port Connections
Protocol Process Purpose
number from...

Client,
Server
Management PTZ commands.
Service
Client

Recording
Recording
Server Manager Showing status and managing the
8966 TCP Server
tray icon, local service.
Service
connection only.

Web service for internal


communication between servers.
Recording
Management If multiple Recording Server
9001 HTTP Server
server instances are in use, every instance
Service
needs its own port. Additional ports
will be 9002, 9003, etc.

Recording Failover
Polling the state of recording
11000 TCP Server recording
servers.
Service servers

Communication with the SNMP


extension agent.

Do not use the port for other


Recording purposes even if your system does
Windows SNMP not apply SNMP.
12975 TCP Server
service
Service In XProtect 2014 systems or older,
the port number was 6474.

In XProtect 2019 R2 systems and


older, the port number was 7474.

Recording
Local connection Listening for event notifications
65101 UDP Server
only from the drivers.
service

61 | Ports used by the system


System architecture document | XProtect® VMS 2023 R3

In addition to the inbound connections to the Recording Server service listed above, the
Recording Server service establishes outbound connections to:
l Cameras

l NVRs

l Remote interconnected sites (Milestone Interconnect ICP)

Failover Server service and Failover Recording Server service

Port
Protocol Process Connections from... Purpose
number

Listening for event messages


from devices.
Failover
The port is disabled by default.
Recording Cameras, encoders,
25 SMTP
Server and I/O devices. (Deprecated) Enabling this will
Service open a port for non-encrypted
connections and is not
recommended.

Failover
Merging of databases after a
Recording Failover recording
5210 TCP failover recording server had
Server servers
been running.
Service

Failover Listening for event messages


Recording Cameras, encoders, from devices.
5432 TCP
Server and I/O devices.
Service The port is disabled by default.

Communication with the SNMP


Failover extension agent.
Recording Windows SNMP
7474 TCP Do not use the port for other
Server service
Service purposes even if your system
does not apply SNMP.

7563 TCP Failover XProtect Smart Client Retrieving video and audio

62 | Ports used by the system


System architecture document | XProtect® VMS 2023 R3

Port
Protocol Process Connections from... Purpose
number

Recording
Server streams, PTZ commands.
Service

Failover Communication
Recording between failover Communication between the
8844 UDP
Server recording server servers.
Service services.

Failover Failover Recording


Recording Server Manager tray Showing status and managing
8966 TCP
Server icon, local connection the service.
Service only.

Failover Failover Server


Showing status and managing
8967 TCP Server Manager tray icon,
the service.
Service local connection only.

Failover
Management Server Monitoring the status of the
8990 HTTP Server
service Failover Server service.
Service

Failover Web service for internal


9001 HTTP Server Management server communication between
Service servers.

In addition to the inbound connections to the Failover Server / Failover Recording Server
service listed above, the Failover Server / Failover Recording Server service establishes
outbound connections to the regular recorders, cameras, and for Video Push.

Log Server service

63 | Ports used by the system


System architecture document | XProtect® VMS 2023 R3

Port
Protocol Process Connections from... Purpose
number

All XProtect components except for Write to, read from,


Log Server
22337 HTTP Management Client and the and configure the
service
recording server. log server.

Mobile Server service

Port
Protocol Process Connections from... Purpose
number

Mobile
Mobile Server Manager tray
8000 TCP Server SysTray application.
icon, local connection only.
service

Mobile
Mobile clients, Web clients, and Sending data streams;
8081 HTTP Server
Management Client. video and audio.
service

Mobile
Sending data streams;
8082 HTTPS Server Mobile clients and Web clients.
video and audio.
service

Mobile Server Video


Mobile Push.
40001 -
HTTP Server Recording server service
40099 This port range is
service
disabled by default.

LPR Server service

64 | Ports used by the system


System architecture document | XProtect® VMS 2023 R3

Port
Protocol Process Connections from... Purpose
number

Retrieving recognized license


plates and server status.
LPR Server
22334 TCP Event server In order to connect, the Event
Service
server must have the LPR plug-
in installed.

LPR Server Manager


LPR Server
22334 TCP tray icon, local SysTray application
Service
connection only.

Milestone Open Network Bridge service

Port Connections
Protocol Process Purpose
number from...

Milestone Open Authentication and requests


580 TCP Network Bridge ONVIF clients for video stream
Service configuration.

Streaming of requested video


554 RTSP RTSP Service ONVIF clients
to ONVIF clients.

XProtect DLNA Server service

Port Connections
Protocol Process Purpose
number from...

DLNA Device discovery and providing DLNA


9100 HTTP Server DLNA device channels configuration. Requests for
Service video streams.

65 | Ports used by the system


System architecture document | XProtect® VMS 2023 R3

Port Connections
Protocol Process Purpose
number from...

DLNA
Streaming of requested video to DLNA
9200 HTTP Server DLNA device
devices.
Service

XProtect Screen Recorder service

Port Connections
Protocol Process Purpose
number from...

Provides video from a monitor. It


XProtect appears and acts in the same way as a
Recording camera on the recording server.
52111 TCP Screen
Server Service
Recorder You can change the port number in
the Management Client.

XProtect Incident Manager service

Port Connections
Protocol Process Purpose
number from...

The purpose of port 80 and port 443 is


the same. However, which port the
80 HTTP IIS VMS uses depends on whether you
have used certificates to secure the
XProtect Smart communication.
Client and the
l When you have not secured the
Management
communication with certificates,
Client
the VMS uses port 80.
443 HTTPS IIS l When you have secured the
communication with certificates,
the VMS uses port 443.

66 | Ports used by the system


System architecture document | XProtect® VMS 2023 R3

Server components (outbound connections)

Management Server service

Port
Protocol Connections to... Purpose
number

The License server that hosts the


License Management service.
Communication is via Activating
443 HTTPS
https://www.milestonesys.com/ licenses.
OnlineActivation/
LicenseManagementService.asmx

Recording Server service

Port
Protocol Connections to... Purpose
number

Cameras, NVRs, Authentication, configuration, data streams, video,


80 HTTP encoders and audio.

Interconnected sites Login

Cameras, NVRs, Authentication, configuration, data streams, video,


443 HTTPS
encoders and audio.

Cameras, NVRs,
554 RTSP Data streams, video, and audio.
encoders

7563 TCP Interconnected sites Data streams and events.

Failover recording
11000 TCP Polling the state of recording servers.
servers

40001 – Mobile Server Mobile Server Video Push.


HTTP
40099 service This port range is disabled by default.

Failover Server service and Failover Recording Server service

67 | Ports used by the system


System architecture document | XProtect® VMS 2023 R3

Port number Protocol Connections to... Purpose

11000 TCP Failover recording servers Polling the state of recording servers.

Event Server service

Port
Protocol Connections to... Purpose
number

API Gateway and the Management Access the Configuration API from
80 HTTP
Server the API Gateway

API Gateway and the Management Access the Configuration API from
443 HTTPS
Server the API Gateway

Send status, events and error


Milestone Customer Dashboard via messages from the XProtect
443 HTTPS
https://service.milestonesys.com/ system to Milestone Customer
Dashboard.

Log Server service

Port number Protocol Connections to... Purpose

443 HTTP Log server Forwarding messages to the log server.

API Gateway

68 | Ports used by the system


System architecture document | XProtect® VMS 2023 R3

Port
Protocol Connections to... Purpose
number

Management
443 HTTPS RESTful API
Server

Event/State Subscription, Events REST API,


WS/WSS Management
22332 Websockets Messaging API, and Alarms REST
HTTP/HTTPS* Client
API.

Cameras, encoders, and I/O devices (inbound connections)

Port
Protocol Connections from... Purpose
number

Recording servers and failover Authentication, configuration, and data


80 TCP
recording servers streams; video and audio.

Recording servers and failover Authentication, configuration, and data


443 HTTPS
recording servers streams; video and audio.

Recording servers and failover


554 RTSP Data streams; video and audio.
recording servers

Cameras, encoders, and I/O devices (outbound connections)

Port
Protocol Connections to... Purpose
number

Recording servers and failover Sending event


25 SMTP
recording servers notifications (deprecated).

Sending event
Recording servers and failover notifications.
5432 TCP
recording servers
The port is disabled by

69 | Ports used by the system


System architecture document | XProtect® VMS 2023 R3

Port
Protocol Connections to... Purpose
number

default.

Forwarding messages to
22337 HTTP Log server
the log server.

Only a few camera models are able to establish outbound connections.

Client components (outbound connections)

XProtect Smart Client, XProtect Management Client, XProtect Mobile server

Port
Protocol Connections to... Purpose
number

API Gateway and


Authentication and other APIs in the API
80 HTTP Management Server
Gateway.
service

API Gateway and Authentication of basic users when


443 HTTPS Management Server encryption is enabled and other APIs in the
service API Gateway.

Milestone Systems A/S Management Client and Smart Client


443 HTTPS (doc.milestonesys.com at occasionally check if the online help is
52.178.114.226) available by accessing the help URL.

Retrieving video and audio streams, PTZ


7563 TCP Recording Server service
commands.

22331 TCP Event Server service Alarms.

XProtect Web Client, XProtect Mobile client

70 | Ports used by the system


System architecture document | XProtect® VMS 2023 R3

Port number Protocol Connections to... Purpose

8081 HTTP XProtect Mobile server Retrieving video and audio streams.

8082 HTTPS XProtect Mobile server Retrieving video and audio streams.

API Gateway

Port number Protocol Connections to... Purpose

80 HTTP Management Server RESTful API

443 HTTPS Management Server RESTful API

71 | Ports used by the system


System architecture document | XProtect® VMS 2023 R3

Application pools
The VMS contains standard application pools such as.NET v4.5, .NET v4.5 Classic and the DefaultAppPool. The
application pools that are available on your system appear in the Internet Information Services (IIS) Manager.
In addition to the standard application pools mentioned above, a set of VideoOS application pools are
delivered with the Milestone XProtect VMS.

Application pools in Milestone XProtect


In the table below you can get an overview of the VideoOS application pools that are delivered with Milestone
XProtect.

Name Identity Purpose

.NET v4.5 ApplicationPoolId Standard IIS feature

.NET v4.5 Classic ApplicationPoolId Standard IIS feature

DefaultAppPool ApplicationPoolId Standard IIS feature

Hosts the XProtect API Gateway which


VideoOS ApiGateway NetworkService is the future public API and gateway
to the VMS.

Hosts legacy components such as the


VideoOS Classic NetworkService local help mainly to comply with
backwards compatibility.

Hosts the Identity Provider API. The


Identity Provider creates, maintains,
and manages identity information for
VideoOS IDP NetworkService basic users and provides
authentication and registration
services to relying applications or
services.

Hosts the XProtect Incident Manager


API. The XProtect Incident Manager
VideoOS IM NetworkService
documents incidents and combine
them with sequence evidence (video

72 | Application pools
System architecture document | XProtect® VMS 2023 R3

Name Identity Purpose

and, potentially, audio) from their


XProtect VMS.

Hosts the Configuration API, server


VideoOS Management component APIs and other
NetworkService
Server Management Server services, and
manages user authorization.

Hosts the web application that is


responsible for collecting and
VideoOS ReportServer NetworkService
creating reports for alarms and
events.

Hosts the service that facilitates


bookmarks and live video sharing
VideoOS ShareService NetworkService
between the users of XProtect Mobile
client.

Working with application pools


From the Application Pools page in the Internet Information Services (IIS) window you can add application
pools or set appplication pool defaults and you can view the applications hosted by each application pool.

Open the Application Pools page


1. From the Windows Start menu, open Internet Information Servces (IIS) Manager.

2. In the Connections pane, click the name of your environment, and then click Application Pools.

3. Under Actions, click Add Application Pool or Set Application Pool Defaults to perform any of these
tasks.

4. Select an application pool on the Application Pools page to display further options under Actions for
each application pool.

73 | Application pools
[email protected]

About Milestone

Milestone Systems is a leading provider of open platform video management software; technology that
helps the world see how to ensure safety, protect assets and increase business efficiency. Milestone
Systems enables an open platform community that drives collaboration and innovation in the development
and use of network video technology, with reliable and scalable solutions that are proven in more than
150,000 sites worldwide. Founded in 1998, Milestone Systems is a stand-alone company in the Canon
Group. For more information, visit https://www.milestonesys.com/.

You might also like