MilestoneXProtectVMSproducts SystemArchitectureDocument en-US
XProtect Corporate
XProtect Expert
XProtect Professional+
XProtect Express+
XProtect Essential+
System architecture document | XProtect® VMS 2023 R3
Contents
Copyright, trademarks, and disclaimer 5
Introduction 6
Server components 9
Management server 9
Recording server 9
Media database 10
Event server 10
Log server 11
SQL Server 11
Mobile server 11
API Gateway 12
Client components 13
Encryption 15
Introduction to certificates 16
MIP SDK 19
XProtect Access 21
XProtect Transact 21
XProtect LPR 22
Milestone Interconnect 22
Server communication 25
Matrix 31
Login from XProtect Web Client and XProtect Mobile as a basic user 36
Login from XProtect Web Client and the XProtect Mobile client with an external IDP 37
Recording and playback video for XProtect Web Client and XProtect Mobile 39
Video push 40
Log server 47
Event server 47
XProtect Transact 48
XProtect LPR 49
Data collector 51
Evidence lock 53
Move hardware 55
Application pools 72
Trademarks
Microsoft and Windows are registered trademarks of Microsoft Corporation. App Store is a service mark of
Apple Inc. Android is a trademark of Google Inc.
All other trademarks mentioned in this document are trademarks of their respective owners.
Disclaimer
This text is intended for general information purposes only, and due care has been taken in its preparation.
Any risk arising from the use of this information rests with the recipient, and nothing herein should be
construed as constituting any kind of warranty.
Milestone Systems A/S reserves the right to make adjustments without prior notification.
All names of people and organizations used in the examples in this text are fictitious. Any resemblance to any
actual organization or person, living or dead, is purely coincidental and unintended.
This product may make use of third-party software for which specific terms and conditions may apply. When
that is the case, you can find more information in the file 3rd_party_software_terms_and_conditions.txt
located in your Milestone system installation folder.
Introduction
This document contains illustrations and descriptions of communication and dataflow between the most
common system components in a distributed system.
The document shows a range of scenarios with a supporting illustration and a description of actions
supplemented by information about port numbers, protocols and bandwidth usage.
The illustrations are simplified and primarily focus on the general dataflow between system components. This
means that less important flows may have been omitted in order to reduce the level of complexity.
To benefit from the information in this document, you should have a general experience with administrating
an IT installation.
Depending on hardware and configuration, smaller systems with 50 to 100 cameras can run on a single server.
For systems with more than 100 cameras, Milestone recommends that you use dedicated servers for all or
some of the components.
Not all components need to be present in every installation. Components such as failover recording servers
or mobile servers can be added at a later time if the functionality they offer is needed, for example to host
and provide access to both XProtect Web Client and XProtect Mobile.
Server components
Management server
The management server is the central VMS component. It stores the configuration of the surveillance system
in a SQL Server database, either on a SQL Server instance on the management server computer itself or on a
separate SQL Server on the network. It also handles user authentication, user permissions, the rule system and more.
To improve system performance, you can run several management servers as a Milestone Federated
Architecture™. The management server runs as a service and is typically installed on a dedicated server.
You can get failover support on the management server by installing the management server in a Microsoft
Windows cluster. The cluster ensures that another server takes over the management server function in case
the first server fails.
Recording server
Recording servers are computers where you have installed the Recording Server software, and configured it to
communicate with the management server. A surveillance system typically consists of several recording
servers.
The recording server is responsible for all communication, recording, and event handling related to devices
such as cameras, video and audio encoders, I/O modules, and metadata sources. Examples of actions the
recording server handles:
• Retrieve video, audio, metadata and I/O event streams from the devices
• Provide operators with access to live and recorded video, audio and metadata
The recording server is also responsible for communicating with other Milestone products when using the
Milestone Interconnect™ technology. For more information, see Milestone Interconnect on page 22.
The recording server supports encryption of data streams to the clients and services as well as encryption of
the connection with the management server. For more information, see the certificates guide about how to
secure your XProtect VMS installations.
The failover recording server is responsible for taking over the recording task in case a recording server fails.
In a cold standby failover recording server setup, you group multiple failover recording servers in a failover
group. The entire failover group is dedicated to taking over from any of several preselected recording servers if
one of these becomes unavailable. You can also specify a secondary failover server group that takes over from
the primary group if all the recording servers in the primary group are busy.
In a hot standby failover recording server setup, you dedicate a failover recording server to take over from one
recording server only. With this approach, the failover recording server is continuously synchronized with the
correct/current configuration of the recording server it is dedicated to and it can take over much faster than a
cold standby failover recording server.
Media database
The system stores the retrieved video, audio and metadata in the customized high performance Milestone
media database which is optimized for recording and storing audio and video data.
The media database supports various unique features including multistage archiving, video grooming,
encryption and adding a digital signature to the recordings.
Event server
The event server handles the tasks related to events, alarms, and maps and also third-party integrations via
the Milestone Integration Platform.
Events:
• All system events are consolidated in the event server so there is a single place and interface for
partners to make integrations that use system events
• The event server offers third-party access for sending events to the system via the Generic events or
Analytics events interface
Alarms:
• The event server hosts the alarm feature, alarm logic, alarm state and handling of the alarm database.
The alarm database is stored in the same SQL Server database as the management server uses
Maps:
• The event server also hosts maps. You configure and use maps in the XProtect Smart Client
• You can install third-party developed plug-ins on the event server and utilize access to system events
You can get failover support on the event server by installing the event server in a Microsoft Windows cluster.
The cluster ensures that another server takes over the event server function in case the first server fails.
Log server
The log server stores all log messages for the entire system. The log server typically uses the same SQL Server
as the management server but has its own SQL Server database. The log server is also typically installed on the
same server as the management server. If you need to increase the performance of the management server or
log server, you can install the log server on a separate server and use separate SQL Server.
Through the log server, the system can write three types of log messages:
• System logs: the system administrator can choose to log errors, warnings, and information, or a
combination of these. The default is to log errors only
• Audit logs: the system administrator can choose to log user activity in clients in addition to login and
administration logs
• Rule-triggered logs: the system administrator can use the rule log to create logs on specific events
SQL Server
The management server, the event server, and the log server use SQL Server databases on one or two SQL
Server installations to store, for example, configuration, alarms, events and log messages.
The Milestone XProtect installer includes Microsoft SQL Server Express, which is a free edition of SQL Server.
For very large systems or systems with many transactions to and from the SQL Server databases, Milestone
recommends that you use the Microsoft® SQL Server® Standard or Microsoft® SQL Server® Enterprise edition
of SQL Server on a dedicated computer on the network and on a dedicated hard disk drive that is not used for
other purposes. Installing SQL Server on its own drive improves the entire system performance.
Mobile server
XProtect Mobile server handles logins to the system from XProtect Mobile client or XProtect Web Client.
An XProtect Mobile server distributes video streams from recording servers to XProtect Mobile client or XProtect
Web Client. This offers a secure setup where recording servers are never connected to the Internet. When an
XProtect Mobile server receives video streams from recording servers, it also handles the complex conversion
of codecs and formats that allows streaming of video on the mobile device.
API Gateway
The MIP VMS API provides a unified RESTful API, based on industry standard protocols such as OpenAPI, for
accessing XProtect VMS functionality, simplifying integration projects and serving as a basis for cloud
connected communication.
The XProtect VMS API Gateway supports these integration options through the Milestone Integration Platform
VMS API (MIP VMS API).
The API Gateway is installed on-premises and is intended to serve as a front-end and common entry point for
RESTful API and WebSocket Messaging API services on all the current VMS server components (management
server, event server, recording servers, log server, etc.). An API Gateway service can be installed on the same
host as the management server or separately, and more than one can be installed (each on its own host).
The RESTful API is implemented in part by each specific VMS server component, and the API Gateway can
simply pass these requests and responses through, while for other requests the API Gateway converts
requests and responses as appropriate.
Currently, the configuration API, hosted by the management server, is available as a RESTful API. The RESTful
Events API, Websockets messaging API, and the RESTful Alarms API, hosted by the event server, are also
available.
For more information, see the API Gateway administrator manual and the Milestone Integration Platform VMS
API reference documentation.
Client components
The VMS is designed for large-scale operation so the Management Client is designed to run remotely from, for
example, the administrator’s computer.
You can access the settings in the Management Client from a tree structure where you can open items and sub
items.
XProtect Smart Client has an adaptable user interface that can be optimized for individual operators’ tasks and
adjusted according to specific skills and authority levels.
For more information, see the user manual for XProtect Smart Client.
For more information, see the user manual for XProtect Web Client.
On the System Requirements web page, you can find information about compatible browsers under XProtect
Web Client.
The XProtect Mobile client runs on an Android tablet or smartphone or on an Apple® tablet, smartphone or portable music player.
You can use the XProtect Mobile client as a remote recording device by using the device's built-in camera and
the Milestone Video Push feature. With Video Push activated, video from the device's camera is streamed back
to the VMS and recorded as if it was from a standard camera.
For more information, see the user manual for XProtect Mobile.
On the System Requirements web page, you can find information about which operating systems are
compatible with XProtect Mobile.
Encryption
This section gives you an introduction to encryption and certificates.
Don't use certificates with recording server encryption if you are using one or more integrations that don't
support HTTPS communication. Examples are third-party MIP SDK integrations that don't support HTTPS.
Unless your installation is made in a physically isolated network, it's recommended that you secure the
communication by using certificates.
• Before you install or upgrade to XProtect VMS 2019 R1 or newer, if you want to enable encryption
during the installation
• Before you enable encryption, if you installed XProtect VMS 2019 R1 or newer without encryption
Introduction to certificates
Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP) for
secure communication over a computer network. In HTTPS, the communication protocol is encrypted using
Transport Layer Security (TLS), or its predecessor, Secure Sockets Layer (SSL).
In XProtect VMS, secure communication is obtained by using TLS/SSL with asymmetric encryption (RSA).
TLS/SSL uses a pair of keys—one private, one public—to authenticate, secure, and manage secure connections.
A certificate authority (CA) is anyone who can issue root certificates. This can be an internet service that issues
root certificates, or anyone who manually generates and distributes a certificate. A CA can issue certificates to
web services, that is to any software using https communication. This certificate contains two keys, a private
key and a public key. The public key is installed on the clients of a web service (service clients) by installing a
public certificate. The private key is used for signing server certificates that must be installed on the server.
Whenever a service client calls the web service, the web service sends the server certificate, including the
public key, to the client. The service client can validate the server certificate using the already installed public
CA certificate. The client and the server can now use the public and private server certificates to exchange a
secret key and thereby establish a secure TLS/SSL connection.
For manually distributed certificates, certificates must be installed before the client can make such a
verification.
In XProtect VMS, the following locations are where you can enable TLS/SSL encryption:
• In the communication between the management server and the recording servers, event servers, and
mobile servers
• On the recording server in the communication with clients, servers, and integrations that retrieve data
streams from the recording server
Certificate distribution
The graphic illustrates the basic concept of how certificates are signed, trusted, and distributed in XProtect VMS.
A CA certificate acts as a trusted third-party, trusted by both the Subject/owner (server) and by the party
that verifies the certificate (clients).
The public CA certificate must be trusted on all client computers. In this way the clients can verify the
validity of the certificates issued by the CA.
The CA certificate is used to issue private server authentication certificates to the servers.
The created private SSL certificates must be imported to the Windows Certificate Store on all servers.
• Issued to the server so that the server's host name is included in the certificate, either as subject
(owner) or in the list of DNS names that the certificate is issued to
• Trusted on all computers running services or applications that communicate with the service on the
servers, by trusting the CA certificate that was used to issue the SSL certificate
• The service account that runs the server must have access to the private key of the certificate on the
server
Certificates have an expiry date. XProtect VMS will not warn you when a certificate is
about to expire. If a certificate expires, the clients will no longer trust the server with the
expired certificate and thus cannot communicate with it.
To renew the certificates, follow the steps in this guide as you did when you created
certificates.
For more information, see the certificates guide about how to secure your XProtect VMS installations.
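The three requirements above (host name in the certificate, chain trusted via the CA certificate, and an expiry date that the VMS itself does not warn about) can be checked from a client computer with a script like the following. It is an added example, not part of Milestone's documentation or software; it uses only the Python standard library, and the server name, port, CA file path and the sample certificate dictionary are constructed placeholders.

```python
"""Check a server's TLS certificate against the requirements above:
the host name must be the subject CN or a DNS SAN entry, the chain must be
trusted via the public CA certificate, and expiry must be watched because the
VMS does not warn before a certificate expires. Standard library only."""
import socket
import ssl
import time
from typing import List, Optional


def hostname_in_cert(cert: dict, hostname: str) -> bool:
    """True if hostname is the subject commonName or one of the DNS SANs.
    `cert` has the shape returned by ssl.SSLSocket.getpeercert()."""
    wanted = hostname.lower()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value.lower() == wanted:
                return True
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and value.lower() == wanted:
            return True
    return False


def days_until_expiry(cert: dict, now: Optional[float] = None) -> float:
    """Days until notAfter; negative when the certificate has already expired."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return (expires - now) / 86400.0


def evaluate_cert(cert: dict, hostname: str, warn_days: int = 30,
                  now: Optional[float] = None) -> List[str]:
    """Return findings; an empty list means the certificate satisfies the
    host name requirement and is not within warn_days of expiry."""
    findings = []
    if not hostname_in_cert(cert, hostname):
        findings.append(f"hostname {hostname} not in subject CN or DNS SANs")
    remaining = days_until_expiry(cert, now)
    if remaining < 0:
        findings.append(f"certificate expired {-remaining:.0f} days ago")
    elif remaining < warn_days:
        findings.append(f"certificate expires in {remaining:.0f} days")
    return findings


def fetch_peer_cert(host: str, port: int, cafile: str,
                    timeout: float = 5.0) -> dict:
    """Connect over TLS, validate the chain against the CA file (the public
    CA certificate the clients are supposed to trust) and return the peer
    certificate. Raises ssl.SSLCertVerificationError when the chain is not
    trusted. Host name matching is left to evaluate_cert so that a mismatch
    is reported as a finding instead of aborting the diagnostic."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False          # verify_mode stays CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() shape; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "recserver01.example.local"),),),
    "issuer": ((("commonName", "Example Lab CA"),),),
    "subjectAltName": (("DNS", "recserver01.example.local"),
                       ("DNS", "recserver01")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}
SAMPLE_EXPIRY = ssl.cert_time_to_seconds(SAMPLE_CERT["notAfter"])


if __name__ == "__main__":
    # Offline run against the constructed sample, 10 days before it expires.
    print(evaluate_cert(SAMPLE_CERT, "recserver01.example.local",
                        now=SAMPLE_EXPIRY - 10 * 86400))
    # Live run against a real server (host, port and CA path are placeholders):
    # cert = fetch_peer_cert("recserver01.example.local", 443, "ca-public.crt")
    # print(evaluate_cert(cert, "recserver01.example.local") or ["ok"])
```

Run it periodically (for example from a scheduled task) with a warning window that matches your renewal lead time, since an expired certificate stops clients from communicating with the server.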
Identity Provider also provides authentication and registration services to relying applications or services, in
this case: Recording Server, Management Server, Data Collector, and Report Server.
When you log in to XProtect clients and services as a basic user, your request goes to the Identity Provider.
When authenticated the user can call the management server.
Identity Provider runs in IIS as part of the management server, uses the same SQL Server with a separate
database (Surveillance_IDP), and is responsible for creating and handling the OAuth tokens that services use
when communicating.
MIP SDK
The Milestone Integration Platform Software Development Kit (MIP SDK) is a comprehensive tool that makes it
easy to create applications, plug-ins or integrations for Milestone’s XProtect products.
MIP
The open platform is integrated in the following Milestone XProtect system components and applications:
• Management Application
• Management Server
• Event Server
MIP SDK
To have a truly open platform and a community around it, Milestone provides the SDK, which contains:
• A large collection of samples demonstrating different ways of using the MIP SDK
• Libraries
The MIP SDK is also used internally by Milestone software development teams.
For more information, see the MIP SDK and Develop Forum webpages.
For larger installations, the tool makes it easy and fast to remotely upgrade the components that are installed
on servers and client PCs.
For more information, see the XProtect Access webpage and administrator manual.
XProtect Smart Wall does not require a dedicated XProtect software component itself, nor does it use a
dedicated XProtect client - all the required components are included in the standard XProtect Corporate
management server and XProtect Smart Client. It just needs a PC running XProtect Smart Client to show the
Smart Wall views.
For more information, see the XProtect Smart Wall webpage and manual.
You can store the following information about the incidents in incident projects:
• Sequences with video and, potentially, audio from the XProtect VMS
All the required components for XProtect Incident Manager are included in the standard XProtect VMS
management server and XProtect Smart Client.
XProtect Access
The access control integration feature introduces new functionality that makes it simple to integrate
customers’ access control systems with XProtect. You get:
• A common operator user interface for multiple access control systems in XProtect Smart Client
• Map integration
The use of XProtect Access requires that you have purchased a base license that allows
you to access this feature within your XProtect system. You also need an access control
door license for each door you want to control.
You can use XProtect Access with access control systems from vendors where a vendor-
specific plug-in for XProtect Access exists. You must install this plug-in on the event
server before you can start an integration.
For more information, see the XProtect Access webpage and administrator manual.
XProtect Transact
XProtect Transact is an extension to Milestone's IP video surveillance solutions XProtect VMS and XProtect
Professional VMS.
XProtect Transact is a tool for observing ongoing transactions and investigating transactions in the past. The
transactions are linked with the digital surveillance video monitoring the transactions, for example to help you
prove fraud or provide evidence against a perpetrator. There is a 1-to-1 relationship between the transaction
lines and video images.
The transaction data may originate from different types of transaction sources, typically point of sales (PoS)
systems or automated teller machines (ATM).
For more information, see the XProtect Transact webpage and administrator manual.
XProtect LPR
XProtect LPR offers video-based content analysis (VCA) and recognition of vehicle license plates that interacts
with your surveillance system and your XProtect Smart Client.
To read the characters on a plate, XProtect LPR uses optical character recognition on images aided by
specialized camera settings.
You can combine LPR (license plate recognition) with other surveillance features such as recording and event-
based activation of outputs.
• Activate alarms
• Open gates
• Switch on lights
For more information, see the XProtect LPR webpage and administrator manual.
Milestone Interconnect
Milestone Interconnect allows you to integrate several XProtect or Milestone Husky™ installations with one
XProtect Corporate central site. You can also install these sites, called remote sites, on mobile units, for
example boats, buses or trains. This means that such sites do not need to be permanently connected to a
network.
The central site considers the remote site as an advanced camera or multi-channel encoder with edge storage
capabilities.
Each remote site runs independently and can perform surveillance tasks as configured. Depending on the
network connections and appropriate user permissions, Milestone Interconnect offers you direct live viewing
of remote site cameras and playback of remote site recordings on the central site.
It also offers you the possibility to transfer remote site recordings to the central site based on either system-
defined events, rules, schedules or by manual requests from XProtect Smart Client users.
The central site can only see and access devices that the user account specified on the remote site has access
to. This allows local system administrators on the remote sites to control which devices should be made
available to the central site and its users.
On the central site, you can view the status for the interconnected cameras, but not the entire status of the
remote site. Instead, to monitor the remote site, you can use remote site events to trigger alarms or other
notifications on the central site.
Only XProtect Corporate systems can work as central sites. All other products can act as remote sites, including
XProtect Corporate. How the products interact in a Milestone Interconnect setup depends on the
version of the XProtect or Milestone Husky installations, the number of cameras and how devices and events
are configured on the remote site.
For more information, see the Milestone Interconnect webpage and documentation.
It is not possible to add systems with a free XProtect installation as remote sites.
DLNA (Digital Living Network Alliance) is a standard for connecting multimedia devices. Electronics
manufacturers get their products DLNA certified to ensure interoperability between different vendors and
devices and thereby enable them to distribute multimedia content such as audio, video, and photos.
Public displays and TVs are often DLNA certified and connected to a network. They are able to scan the
network for media content, connect to the device, and request a media stream to their built-in media player.
XProtect DLNA Server can be discovered by certain DLNA certified devices and deliver live video streams from
selected cameras to DLNA certified devices with a media player.
The DLNA devices have a live video delay of 1-10 seconds. This is caused by different
buffer sizes in the devices.
XProtect DLNA Server must be connected to the same network as the XProtect system and the DLNA device
must be connected to the same network as XProtect DLNA Server.
Milestone Open Network Bridge is compliant with the parts of ONVIF Profile G and Profile S that provide access
to live and recorded video, and the ability to control pan-tilt-zoom cameras:
• Profile G - Provides support for video recording, storage, search, and retrieval. For more information,
see ONVIF Profile G Specification (https://www.onvif.org/profiles/profile-g/).
• Profile S - Provides support for streaming live video using the H.264 codec, audio streaming, and pan-
tilt-zoom (PTZ) controls. For more information, see ONVIF Profile S Specification
(https://www.onvif.org/profiles/profile-s/).
For more information about the ONVIF standard, see the ONVIF® website (https://www.onvif.org/).
ONVIF Profiles support “get” functions that retrieve data, and “set” functions that configure settings. Each
function is either mandatory, conditional, or optional. For security reasons, Milestone Open Network Bridge
supports only the mandatory, conditional, and optional “get” functions that do the following:
• Request video
• Authenticate users
• Stream video
For more information, see the administrator manual for Milestone Open Network Bridge.
For a complete list of the ports that must be enabled for communication between
components, see Ports used by the system.
Server communication
1. XProtect Smart Client connects to the management server and attempts to log in
1. XProtect Smart Client attempts to connect to the management server as a basic user
1. Login from XProtect Smart Client launches a web browser on the client computer.
2. The login request goes from the web browser to the Identity Provider for authentication.
3. The web browser is redirected to the external IDP login page where the user enters credentials and the
browser receives an authorization code.
4. The Identity Provider requests information about the user from the external IDP and receives a list of
claims. If a new user logs in to the VMS, the user is created in the VMS.
5. The web browser is redirected to XProtect Smart Client with the authorization code from the Identity
Provider.
6. XProtect Smart Client gets an access token from the Identity Provider.
7. XProtect Smart Client logs in to the management server using the access token.
2. Recording server sends multicast stream to the multicast enabled network. This requires that all
switches handling the data traffic between the XProtect Smart Client and the recording server must be
configured for multicast
Matrix
3. Management server sends request to Matrix-recipient on specified IP address and port (XProtect Smart
Client B)
4. Streams are sent to XProtect Smart Client from recording server on request
3. The management server sends notification about view update to XProtect Smart Clients
1. An XProtect Smart Client user updates the XProtect Smart Wall view
2. The XProtect Smart Wall view configuration is updated and stored in the SQL Server database
3. The management server sends a notification to the XProtect Smart Client running the XProtect Smart Wall
4. The XProtect Smart Client running the XProtect Smart Wall retrieves and applies new layout
1. Login request from XProtect Web Client or XProtect Mobile received on the mobile server
6. The login is granted and configuration is sent to XProtect Web Client or XProtect Mobile
Login from XProtect Web Client and XProtect Mobile as a basic user
1. Login request from XProtect Web Client or XProtect Mobile received on the mobile server
6. The login is granted and configuration is sent to XProtect Web Client or XProtect Mobile
Login from XProtect Web Client and the XProtect Mobile client with an
external IDP
1. In XProtect Web Client or in the XProtect Mobile client, the user selects to log in via an external IDP. The
login request launches a web browser.
2. The web browser is redirected to the external IDP login page where the user enters credentials.
3. The Identity Provider receives an authorization code from the external IDP to be exchanged for an
access token. Then the Identity Provider requests information about the user from the external IDP and
gets a list of claims. If a new user logs in to the VMS, the user is created in the VMS.
4. The Identity Provider returns an authorization code to XProtect Web Client or the XProtect Mobile client.
5. XProtect Web Client or the XProtect Mobile client requests an access token from the Identity Provider.
6. XProtect Web Client or the XProtect Mobile client logs in to the mobile server using the access token.
2. Streams are sent to the mobile server for transcoding or as direct streaming
Recording and playback video for XProtect Web Client and XProtect
Mobile
3. Recordings are sent to the mobile server for transcoding or as direct streaming
Video push
1. Video push stream from a device running XProtect Mobile is sent instantly to the mobile server
2. The video push stream is retrieved by recording server using the specific video push device driver
Illustrates how XProtect Smart Client users, specified for the interconnected system, only need to log into the
management server on the central site to view video.
1. Live stream(s) from the remote site cameras retrieved by the remote site recording server
2. Live streams from the remote site recording server retrieved by the central site recording server
Some of the different options when configuring your system recording settings:
• No recording
Illustrates when recording is done on both sites. Recordings can be retrieved to the central site based on
schedule, event or request. XProtect Smart Client users, specified for the interconnected system, only need to
log into the management server on the central site to view video.
1. Recording stream from the remote site cameras retrieved by the remote site recording server
2. The stream is recorded in the remote site recording server database based on rules
3. Recording stream from the remote site recording server retrieved by the central site recording server
4. The stream is recorded in the central site recording server database based on rules. Recordings not
available due to remote site link downtime can be retrieved automatically or based on schedule, event
or request
5. The recorded stream(s) are retrieved by XProtect Smart Client on playback request
1. The XProtect DLNA Server connects to the management server to authorize itself with the provided
credentials
2. A DLNA device scans the network and connects to the XProtect system via the XProtect DLNA Server
and requests a live camera video stream
3. XProtect DLNA Server retrieves the requested camera video stream from the recording server
4. XProtect DLNA Server sends the live video stream from the requested camera to the DLNA device
1. Login, stream or PTZ request from an ONVIF client is received on the Milestone Open Network Bridge server.
The Milestone Open Network Bridge is a gateway for non-Milestone clients to the Milestone VMS
2. The Milestone Open Network Bridge forwards the login request to the management server to
authenticate the user. Access to the Milestone VMS is granted and sent to the Milestone Open Network
Bridge server
3. The requested live or playback stream from the recording server is retrieved by the Milestone Open
Network Bridge server
3. Configuration update sent to relevant components. In this case, the recording server
Log server
3. The log message is stored in the log server's SQL Server database
Event server
The event server sends data to XProtect Smart Client to show in the alarm list, in XProtect Access or in the map
overview. The event server plug-in is a client to the access control system.
The XProtect Smart Client user responds to the notification and returns data to the event server.
XProtect Transact
1. Transaction data generated by the transaction source is sent to the event server and stored
2. The event server sends transaction data to XProtect Smart Client. View items containing transaction
data and the associated video are updated
XProtect LPR
1. Live streams from cameras configured for LPR (License Plate Recognition) retrieved by the recording
server
3. The LPR server recognizes license plates by comparing them with the license plate styles of the installed
country modules. Recognized license plates are compared with the match lists requested from the event
server's LPR plug-in
4. The event server sends events and alarms to XProtect Smart Client when there is a match
2. The alarm list is retrieved from the SQL Server database and returned to XProtect Smart Client
Data collector
1. System status received on management server delivered by: log server, event server, recording server,
failover recording server and mobile server
3. XProtect Smart Client or the Management Client requests status via System Monitor
Evidence lock
1. The user creates an evidence lock in XProtect Smart Client. XProtect Smart Client sends the information
to the management server
2. The management server informs the recording server to store and protect the locked recordings in the
Media database
3. The management server stores information about the evidence lock in the SQL Server database
An operator of XProtect Smart Client starts, saves, edits, or deletes an incident project.
Information about the incident project and its data is saved in the extension’s own SQL Server
database Surveillance_IM. The activities related to incident projects are - depending on the
activity - logged in the extension’s own SQL Server database Surveillance_IM, in the Log Server
service’s SQL Server database SurveillanceLogServerV2, or in both.
Move hardware
1. The user moves hardware from recording server 1 to recording server 2 in Management Client
2. The management server receives the update in the system configuration and stores it in the SQL Server
database
5. Recording server 2 connects to the hardware. All new recordings are stored in the recording server 2
database
Old recordings are still available on recording server 1. The system deletes them when the retention time
expires. Recordings marked with evidence lock are not deleted until the evidence lock's retention time expires.
- Server components (services) offer their service on particular ports, which is why they need to listen for
client requests on these ports. Therefore, these ports need to be opened in the Windows Firewall for
inbound connections
- Client components (clients) initiate connections to particular ports on server components. Therefore,
these ports need to be opened for outbound connections. Outbound connections are typically open by
default in the Windows Firewall
If nothing else is mentioned, ports for server components must be opened for inbound connections, and ports
for client components must be opened for outbound connections.
Do keep in mind that server components can act as clients to other server components. These are not explicitly
listed in this document.
The port numbers listed are the default numbers, but they can be changed. Contact Milestone support if you need to
change ports that are not configurable through the Management Client.
Each of the following sections lists the ports that need to be opened for a particular service. To figure out which
ports need to be opened on a particular computer, you need to consider all services running on the computer.
Port number | Protocol | Process | Connections from... | Purpose
6473 | TCP | Management Server service | Management Server Manager tray icon, local connection only | Showing status and managing the service

Port number | Protocol | Process | Connections from... | Purpose
22332 | WS/WSS, HTTP/HTTPS* | Event Server service | API Gateway and the Management Client | Event/State Subscription, the Events REST API, Websockets Messaging API, and Alarms REST API
22333 | TCP | Event Server service | MIP plug-ins and applications | MIP messaging

*A 403 error is returned when an HTTPS-only endpoint is accessed over HTTP.
Port number | Protocol | Process | Connections from... | Purpose
7563 | TCP | Recording Server service | XProtect Smart Client, Management Client | Retrieving video and audio streams, PTZ commands
8966 | TCP | Recording Server service | Recording Server Manager tray icon, local connection only | Showing status and managing the service
11000 | TCP | Recording Server service | Failover recording servers | Polling the state of recording servers
65101 | UDP | Recording Server service | Local connection only | Listening for event notifications from the drivers

In addition to the inbound connections to the Recording Server service listed above, the
Recording Server service establishes outbound connections to:
- Cameras
- NVRs
Port number | Protocol | Process | Connections from... | Purpose
5210 | TCP | Failover Recording Server service | Failover recording servers | Merging of databases after a failover recording server had been running
7563 | TCP | Failover Recording Server service | XProtect Smart Client | Retrieving video and audio streams, PTZ commands
8844 | UDP | Failover Recording Server service | Failover recording server services | Communication between the failover recording servers
8990 | HTTP | Failover Server service | Management Server service | Monitoring the status of the Failover Server service

In addition to the inbound connections to the Failover Server / Failover Recording Server
service listed above, the Failover Server / Failover Recording Server service establishes
outbound connections to the regular recorders, cameras, and for Video Push.
Port number | Protocol | Process | Connections from... | Purpose
8000 | TCP | Mobile Server service | Mobile Server Manager tray icon, local connection only | SysTray application
8081 | HTTP | Mobile Server service | Mobile clients, Web clients, and Management Client | Sending data streams; video and audio
8082 | HTTPS | Mobile Server service | Mobile clients and Web clients | Sending data streams; video and audio
Port number | Protocol | Process | Connections from... | Purpose
9200 | HTTP | DLNA Server service | DLNA device | Streaming of requested video to DLNA devices
Port number | Protocol | Connections to... | Purpose
554 | RTSP | Cameras, NVRs, encoders | Data streams, video, and audio
11000 | TCP | Failover recording servers | Polling the state of recording servers
Port number | Protocol | Connections to... | Purpose
80 | HTTP | API Gateway and the Management Server | Access the Configuration API from the API Gateway
443 | HTTPS | API Gateway and the Management Server | Access the Configuration API from the API Gateway

API Gateway

Port number | Protocol | Connections to... | Purpose
443 | HTTPS | Management Server | RESTful API

Port number | Protocol | Connections to... | Purpose
5432 | TCP | Recording servers and failover recording servers | Sending event notifications. The port is disabled by default
22337 | HTTP | Log server | Forwarding messages to the log server

Port number | Protocol | Connections to... | Purpose
8081 | HTTP | XProtect Mobile server | Retrieving video and audio streams
8082 | HTTPS | XProtect Mobile server | Retrieving video and audio streams
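The following is an added example, not Milestone's own tooling and not part of this document, that turns the default inbound ports from the tables above into Windows Firewall rules scoped to the hosts that actually need them, and then checks that the services are listening. The role names, the rule names and the $ClientSubnets, $FailoverServers and $ManagementServer addresses are assumptions for illustration; the port numbers are the defaults listed above. HTTP, HTTPS and WebSocket entries are created as plain TCP rules, which is all the firewall sees.

```powershell
# Added example (not Milestone's own tooling). Build scoped inbound firewall
# rules for the XProtect server roles on this host and verify the listeners.
# Assumptions: default ports are unchanged; the address parameters below are
# placeholders to be replaced with the real networks and servers.

# Default inbound ports per server role, taken from the tables above.
$XProtectInboundPorts = @{
    ManagementServer        = @(
        @{ Port = 6473;  Protocol = 'TCP'; Scope = 'Local';      Purpose = 'Management Server Manager tray icon' }
    )
    EventServer             = @(
        @{ Port = 22332; Protocol = 'TCP'; Scope = 'Clients';    Purpose = 'API Gateway / Management Client: events, alarms, messaging APIs' }
        @{ Port = 22333; Protocol = 'TCP'; Scope = 'Clients';    Purpose = 'MIP plug-ins and applications: MIP messaging' }
    )
    RecordingServer         = @(
        @{ Port = 7563;  Protocol = 'TCP'; Scope = 'Clients';    Purpose = 'Smart Client / Management Client: streams, PTZ' }
        @{ Port = 8966;  Protocol = 'TCP'; Scope = 'Local';      Purpose = 'Recording Server Manager tray icon' }
        @{ Port = 11000; Protocol = 'TCP'; Scope = 'Failover';   Purpose = 'Failover recording servers polling state' }
        @{ Port = 65101; Protocol = 'UDP'; Scope = 'Local';      Purpose = 'Event notifications from drivers' }
    )
    FailoverRecordingServer = @(
        @{ Port = 5210;  Protocol = 'TCP'; Scope = 'Failover';   Purpose = 'Database merge after failover' }
        @{ Port = 7563;  Protocol = 'TCP'; Scope = 'Clients';    Purpose = 'Smart Client: streams, PTZ' }
        @{ Port = 8844;  Protocol = 'UDP'; Scope = 'Failover';   Purpose = 'Failover server to server communication' }
        @{ Port = 8990;  Protocol = 'TCP'; Scope = 'Management'; Purpose = 'Management Server monitoring of the failover service' }
    )
    MobileServer            = @(
        @{ Port = 8000;  Protocol = 'TCP'; Scope = 'Local';      Purpose = 'Mobile Server Manager tray icon' }
        @{ Port = 8081;  Protocol = 'TCP'; Scope = 'Clients';    Purpose = 'Mobile/Web clients, Management Client (HTTP)' }
        @{ Port = 8082;  Protocol = 'TCP'; Scope = 'Clients';    Purpose = 'Mobile/Web clients (HTTPS)' }
    )
    DlnaServer              = @(
        @{ Port = 9200;  Protocol = 'TCP'; Scope = 'Clients';    Purpose = 'DLNA devices (HTTP)' }
    )
}

function New-XProtectFirewallRule {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$Roles,
        [string[]]$ClientSubnets    = @('10.0.0.0/8'),               # placeholder: operator/client networks
        [string[]]$FailoverServers  = @('10.10.1.21', '10.10.1.22'), # placeholder: failover recording servers
        [string[]]$ManagementServer = @('10.10.1.5')                 # placeholder: management server
    )
    $remoteFor = @{ Clients = $ClientSubnets; Failover = $FailoverServers; Management = $ManagementServer }
    foreach ($role in $Roles) {
        if (-not $XProtectInboundPorts.ContainsKey($role)) { throw "Unknown XProtect role '$role'" }
        foreach ($entry in $XProtectInboundPorts[$role]) {
            # "Local connection only" ports: Windows Firewall does not filter loopback
            # traffic by default, so the least-exposure choice is to add no rule at all.
            if ($entry.Scope -eq 'Local') { continue }
            $name = "XProtect $role $($entry.Protocol)/$($entry.Port)"
            if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
            if ($PSCmdlet.ShouldProcess($name, 'Create inbound rule')) {
                New-NetFirewallRule -DisplayName $name -Description $entry.Purpose `
                    -Direction Inbound -Action Allow -Profile Domain,Private `
                    -Protocol $entry.Protocol -LocalPort $entry.Port `
                    -RemoteAddress $remoteFor[$entry.Scope] | Out-Null
            }
        }
    }
}

function Test-XProtectListener {
    param([Parameter(Mandatory)][string[]]$Roles)
    foreach ($role in $Roles) {
        foreach ($entry in $XProtectInboundPorts[$role]) {
            $listening = if ($entry.Protocol -eq 'TCP') {
                [bool](Get-NetTCPConnection -LocalPort $entry.Port -State Listen -ErrorAction SilentlyContinue)
            } else {
                [bool](Get-NetUDPEndpoint -LocalPort $entry.Port -ErrorAction SilentlyContinue)
            }
            [pscustomobject]@{
                Role = $role; Port = $entry.Port; Protocol = $entry.Protocol
                Scope = $entry.Scope; Listening = $listening
            }
        }
    }
}

# Preview the rules for a combined recording + failover host, apply them, then verify.
New-XProtectFirewallRule -Roles RecordingServer, FailoverRecordingServer -WhatIf
New-XProtectFirewallRule -Roles RecordingServer, FailoverRecordingServer
Test-XProtectListener -Roles RecordingServer, FailoverRecordingServer | Format-Table -AutoSize
```

The local-only ports (6473, 8966, 8000, 65101) deliberately get no rule: an Allow rule for them would only expose them to the network. Rules are limited to the Domain and Private profiles and to the remote addresses that the tables say connect to each port, so a host on an unexpected network cannot reach 7563 or the mobile server ports even if it can route to the server. Run with -WhatIf first, then compare the Listening column with the roles you expect on the host; a role port that is not listening, or a listener on a port that belongs to a role you did not install, is worth investigating.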
Application pools
The VMS contains standard application pools such as .NET v4.5, .NET v4.5 Classic and the DefaultAppPool. The
application pools that are available on your system appear in the Internet Information Services (IIS) Manager.
In addition to the standard application pools mentioned above, a set of VideoOS application pools are
delivered with the Milestone XProtect VMS.
2. In the Connections pane, click the name of your environment, and then click Application Pools.
3. Under Actions, click Add Application Pool or Set Application Pool Defaults to perform any of these
tasks.
4. Select an application pool on the Application Pools page to display further options under Actions for
each application pool.
About Milestone
Milestone Systems is a leading provider of open platform video management software; technology that
helps the world see how to ensure safety, protect assets and increase business efficiency. Milestone
Systems enables an open platform community that drives collaboration and innovation in the development
and use of network video technology, with reliable and scalable solutions that are proven in more than
150,000 sites worldwide. Founded in 1998, Milestone Systems is a stand-alone company in the Canon
Group. For more information, visit https://www.milestonesys.com/.