Milestone Systems

XProtect® VMS 2023 R1

Administrator manual

XProtect Corporate
XProtect Expert
XProtect Professional+
XProtect Express+
Administrator manual | XProtect® VMS 2023 R1

Contents
Copyright, trademarks, and disclaimer 26

Overview 27

What's new? 27

In Management Client 2023 R1 27

Logging in (explained) 28

Login authorization (explained) 29

Log in using a non-secure connection 30

Change your basic user password 30

Product overview 31

System components 32

Management server (explained) 32

SQL Server installations and databases (explained) 32

Recording server (explained) 33

Mobile server (explained) 34

Event server (explained) 35

Log server (explained) 35

API Gateway (explained) 35

Failover 36

XProtect Management Server Failover 36

Failover management server (explained) 36

Failover recording server (explained) 37

Failover recording server functionality (explained) 38

Failover steps (explained) 40

Failover recording server services (explained) 41

Clients 42

Management Client (explained) 42

XProtect Smart Client (explained) 42

XProtect Mobile client (explained) 43

XProtect Web Client (explained) 44

Add-on products 45

XProtect Access (explained) 45

XProtect Incident Manager 46

XProtect LPR (explained) 46

XProtect Smart Wall (explained) 47

XProtect Transact (explained) 48

Milestone Open Network Bridge (explained) 49

XProtect DLNA Server (explained) 50

Devices 50

Hardware (explained) 50

Hardware pre-configuration (explained) 51

Devices (explained) 51

Cameras 52

Microphones 52

Speakers 52

Metadata 52

Inputs 53

Outputs 53

Device groups (explained) 53

Media storage 54

Storage and archiving (explained) 54

Archive structure (explained) 59

Pre-buffering and storage of recordings (explained) 60

Storage of the temporary pre-buffer recordings 61

Authentication 61

Active Directory (explained) 61

Users (explained) 61

Windows Users 62

Basic users 62

Identity Provider (explained) 63

External IDP (explained) 63

Claims (explained) 63

Enable users to log in to the XProtect VMS from an external IDP 63

Unique user names for external IDP users 63

Example of claims from an external IDP 64

Using sequence number of claim to create user names in XProtect 64

Defining specific claims to create user names in XProtect 65

Deleting external IDP users 65

Security 66

Roles and permissions of a role (explained) 66

Permissions of a role 66

Privacy masking (explained) 67

Privacy masking (explained) 67

Management Client profiles (explained) 69

Smart Client profiles (explained) 69

Evidence locks (explained) 70

Rules and events 72

Rules (explained) 72

Rule complexity 73

Rules and events (explained) 74

Time profiles (explained) 76

Day length time profiles (explained) 76

Notification profiles (explained) 77

Requirements for creating notification profiles 77

User-defined events (explained) 77

Analytics events (explained) 78

Generic events (explained) 79

Alarms 79

Alarms (explained) 79

Alarm configuration 81

Smart map 81

Smart map (explained) 81

Smart map integration with Google Maps (explained) 82

Add digital signature to Maps Static API key 82

Smart map integration with Bing Maps (explained) 83

Cached smart map files (explained) 83

Architecture 83

A distributed system setup 83

Milestone Interconnect (explained) 84

Selecting Milestone Interconnect or Milestone Federated Architecture (explained) 86

Milestone Interconnect and licensing 86

Milestone Interconnect setups (explained) 86

Configuring Milestone Federated Architecture 87

Ports used by the system 91

Application pools 106

Application pools in Milestone XProtect 106

Working with application pools 107

Open the Application Pools page 107

Product comparison 107

Licensing 108

Licenses (explained) 108

Free XProtect Essential+ 108

Licenses for XProtect VMS products (except XProtect Essential+) 108

License types 109

Base licenses 109

Device licenses 109

Camera licenses for Milestone Interconnect™ 110

Licenses for add-on products 110

License activation (explained) 110

Automatic license activation (explained) 110

Grace period for license activation (explained) 111

Device changes without activation (explained) 111

Calculation of available number of device changes without activation (explained) 112

Milestone Care™ (explained) 113

Licenses and hardware replacement (explained) 113

Get an overview of your licenses 114

Activate your licenses 115

Enable automatic license activation 115

Disable automatic license activation 115

Activate licenses online 116

Activate licenses offline 116

Activate licenses after grace period 117

Get additional licenses 117

Change the Software License Code 117

From the management server tray icon 118

From Management Client 118

License Information window 118

Requirements and considerations 122

Daylight saving time (explained) 122

Time servers (explained) 122

Limit size of database 123

IPv6 and IPv4 (explained) 123

Writing IPv6 addresses (explained) 125

Using IPv6 Addresses in URLs 125

Virtual servers 126

Multiple management servers (clustering) (explained) 126

Requirements for clustering 127

Protect recording databases from corruption 127

Hard disk failure: protect your drives 127

Windows Task Manager: be careful when you end processes 128

Power outages: use a UPS 128

SQL database transaction log (explained) 128

Minimum system requirements 129

Before you start installation 129

Prepare your servers and network 129

Prepare Active Directory 130

Installation method 130

Decide on a SQL Server edition 132

Select service account 133

Kerberos authentication (explained) 133

Virus scanning exclusions (explained) 135

How can XProtect VMS be configured to run in FIPS 140-2 compliant mode? 136

Before you install XProtect VMS on a FIPS enabled system 137

Register Software License Code 137

Device drivers (explained) 137

Requirements for offline installation 138

Secure communication (explained) 138

Installation 140

Install a new XProtect system 140

Install XProtect Essential+ 140

Install your system - Single computer option 145

Install your system - Custom option 151

Install new XProtect components 156

Installing through Download Manager (explained) 156

Install a Management Client through Download Manager 157

Install a recording server through Download Manager 158

Install a failover recording server through Download Manager 161

Installing XProtect VMS using non-default ports 163

Installing silently through a command line shell (explained) 163

Install a recording server silently 165

Install XProtect Smart Client silently 166

Install a log server silently 167

Installation for workgroups 168

Install in a cluster 169

Use a certificate for an external IDP in a cluster environment 172

Troubleshooting errors when an external IDP configuration is protected with a certificate 173

Download Manager/download web page 174

Download Manager's default configuration 176

Download Manager's standard installers (user) 178

Add/publish Download Manager installer components 178

Hide/remove Download Manager installer components 179

Device pack installer - must be downloaded 180

Installation log files and troubleshooting 181

Configuration 182

Initial configuration tasks list 182

Recording servers 183

Change or verify the basic configuration of a recording server 183

Register a recording server 185

View encryption status to clients 186

Specify behavior when recording storage is unavailable 187

Add a new storage 188

Create an archive within a storage 189

Attach a device or group of devices to a storage 189

Disabled devices 189

Edit settings for a selected storage or archive 190

Enable digital signing for export 190

Encrypt your recordings 191

Back up archived recordings 194

Delete an archive from a storage 195

Delete a storage 195

Move non-archived recordings from one storage to another 196

Assign failover recording servers 196

Enable multicasting for the recording server 197

Enable multicasting for individual cameras 198

Define public address and port 198

Assign local IP ranges 199

Filter the device tree 199

Filter the device tree 199

Filter criteria characteristics 199

Specifying multiple filter criteria 200

Resetting the filter 200

Disabled devices 200

Failover servers 200

Set up and enable failover recording servers 200

Group failover recording servers for cold standby 201

View encryption status on a failover recording server 201

View status messages 202

View version information 202

Hardware 203

Add hardware 203

Add Hardware (dialog) 203

Disable / enable hardware 205

Edit hardware 205

Edit Hardware (dialog) 205

Enable / disable individual devices 208

Set up a secure connection to the hardware 209

Enable PTZ on a video encoder 210

Change passwords on hardware devices 211

Update firmware on hardware devices 212

Add and configure an external IDP 214

Devices - Groups 214

Add a device group 214

Specify which devices to include in a device group 214

Disabled Devices 215

Specify common properties for all devices in a device group 215

Disabled devices 216

Enable/disable devices via device groups 216

Devices - Camera settings 216

View or edit camera settings 216

Preview 217

Performance 217

Enable and disable fisheye lens support 217

Specify fisheye lens settings 217

Devices - Recording 218

Enable/disable recording 218

Enable recording on related devices 218

Manage manual recording 218

Add to roles: 219

Use in rules: 219

Specify recording frame rate 219

Enable keyframe recording 219

Enable recording on related devices 220

Save and retrieve remote recording 220

Delete recordings 221

Devices - Streaming 221

Add a stream 221

Manage multi-streaming 221

To change which stream to use for recording 222

Limit data transmission 222

Examples 222

Devices - Storage 223

Manage pre-buffering 223

Enable and disable pre-buffering 223

Specify storage location and pre-buffer period 223

Use pre-buffer in rules 224

Monitor the status of databases for devices 224

Move devices from one storage to another 226

Devices - Motion detection 226

Motion detection (explained) 226

Image quality 227

Privacy masks 227

Enable and disable motion detection 227

Specify the default setting of motion detection for cameras 227

Enable or disable motion detection for a specific camera 227

Enable or disable hardware acceleration 227

To enable or disable hardware acceleration 227

Use of GPU resources 228

Load balancing and performance 228

Enable manual sensitivity to define motion 229

Specify threshold to define motion 229

Specify exclude regions for motion detection 230

Devices - Preset camera positions 231

The Home preset position 231

Add a preset position (type 1) 231

Use preset positions from the camera (type 2) 233

Assign a camera's preset position as default 233

Specify the default preset as the PTZ Home position 234

Enable setting the PTZ home position 234

Edit a preset position for a camera (type 1 only) 234

Rename a preset position for a camera (type 2 only) 236

Test a preset position (type 1 only) 236

Devices - Patrolling 237

Patrolling profiles and manual patrolling (explained) 237

Manual patrolling 237

Add a patrolling profile 237

Specify preset positions in a patrolling profile 238

Specify the time at each preset position 238

Customize transitions (PTZ) 239

Specify an end position when patrolling 240

Reserve and release PTZ sessions 240

Reserve a PTZ session 241

Release a PTZ session 241

Specify PTZ session timeouts 241

Devices - Events for rules 242

Add or delete an event for a device 242

Add an event 242

Delete an event 242

Specify event properties 243

Use several instances of an event 243

Devices - Privacy masks 243

Enable/disable privacy masking 243

Define privacy masks 244

Change the timeout for lifted privacy masks 245

Give users permission to lift privacy masks 246

Create a report of your privacy masking configuration 247

Clients 248

View groups (explained) 248

Add a view group 248

Smart Client profiles 249

Add and configure a Smart Client profile 249

Copy a Smart Client profile 249

Create and set up Smart Client profiles, roles and time profiles 249

Set number of cameras allowed during search 250

Change the default export settings 254

Management Client profiles 255

Add and configure a Management Client profile 255

Copy a Management Client profile 256

Manage the visibility of functionality for a Management Client profile 256

Associate a Management Client profile with a role 256

Manage the overall access to system functionality for a role 256

Limit visibility of functionality for a profile 257

Matrix 257

Matrix and Matrix recipients (explained) 257

Define rules sending video to Matrix-recipients 257

Add Matrix recipients 258

Send the same video to several XProtect Smart Client views 258

Rules and events 259

Add rules 259

Events 259

Actions and stop actions 259

Create a rule 259

Validate rules 260

Validate a rule 261

Validate all rules 261

Edit, copy and rename a rule 261

Deactivate and activate a rule 262

Specify a time profile 262

Add a single time 262

Add a recurring time 263

Recurring time 264

Edit a time profile 264

Create day length time profiles 265

Day length time profile properties 265

Add notification profiles 265

Trigger email notifications from rules 267

Add a user-defined event 267

Rename a user defined event 268

Add and edit an analytics event 268

Add an analytics event 268

Edit an analytics event 268

Edit analytics events settings 268

Test an analytics event 269

Add a generic event 269

To add a generic event: 270

Authentication 270

Register claims from an external IDP 270

Map claims from an external IDP to roles in XProtect 270

Log in via an external IDP 271

Security 271

Add and manage a role 271

Copy, rename or delete a role 272

Copy a role 272

Rename a role 272

Delete a role 272

View effective roles 272

Assign/remove users and groups to/from roles 273

Assign Windows users and groups to a role 273

Assign basic users to a role 273

Remove users and groups from a role 273

Create basic users 274

Configure login settings for basic users 274

To create a basic user on your system: 275

View encryption status to clients 276

System Dashboard 277

View currently ongoing tasks on recording servers 277

System monitor (explained) 278

System monitor dashboard (explained) 278

System monitor thresholds (explained) 278

View the current state of your hardware and troubleshoot if needed 279

View the historical state of your hardware and print a report 279

Collect historical data of hardware states 280

Add a new camera or server tile on the System monitor dashboard 280

Edit a camera or server tile on the System monitor dashboard 281

Delete a camera or server tile on the System monitor dashboard 281

Edit thresholds for when hardware states should change 281

View evidence locks in the system 282

Print a report with your system configuration 282

Metadata 283

Show or hide metadata search categories and search filters 283

Alarms 284

Add an alarm 284

Enable encryption 285

Enable encryption to and from the management server 285

Enable server encryption for recording servers or remote servers 286

Enable event server encryption 288

Enable encryption to clients and servers 289

Enable encryption on the mobile server 291

Milestone Federated Architecture 293

Set up your system to run federated sites 293

Add site to hierarchy 295

Accept inclusion in the hierarchy 296

Set site properties 296

Refresh site hierarchy 297

Log into other sites in the hierarchy 297

Update site information of child sites 298

Detach a site from the hierarchy 298

Milestone Interconnect 299

Add a remote site to your central Milestone Interconnect site 299

Assign user permissions 299

Update remote site hardware 300

Enable playback directly from remote site camera 300

Retrieve remote recordings from remote site camera 300

Configure your central site to respond to events from remote sites 301

Remote connect services 303

Remote connect services (explained) 303

Install secure tunnel server environment for One-Click camera connection 303

Add or edit secure tunnel servers 303

Register new Axis One-Click camera 304

Smart maps 304

Geographic backgrounds (explained) 304

Enable Bing Maps or Google Maps in Management Client 306

Enable Bing Maps or Google Maps in XProtect Smart Client 306

Enable Milestone Map Service 306

Specify OpenStreetMap tile server 307

Enable smart map editing 308

Enable editing devices on smart map 309

Define device position and camera direction, field of view, depth (smart map) 310

Configure smart map with Milestone Federated Architecture 312

Maintenance 313

Backing up and restoring system configuration 313

Backing up and restoring your system configuration (explained) 313

Select shared backup folder 314

Back up system configuration manually 314

Restore system configuration from a manual backup 314

System configuration password (explained) 315

System configuration password settings 316

Change the system configuration password settings 316

Enter the system configuration password settings (recovery) 317

Manually backing up your system configuration (explained) 318

Backing up and restoring the event server configuration (explained) 318

Scheduled backup and restore of system configuration (explained) 318

Back up system configuration with scheduled backup 319

Restore system configuration from a scheduled backup 319

Back up log server's SQL database 320

Backup and restore fail and problem scenarios (explained) 321

Moving the management server 321

Unavailable management servers (explained) 322

Move the system configuration 322

Replace a recording server 323

Move hardware 324

Move hardware (wizard) 325

Replace hardware 327

Update your hardware data 330

Managing the SQL Server and databases 331

Changing the SQL Server and database addresses (explained) 331

Change the log server's SQL Server and database 331

Change the management server and the event server's SQL Server and database 331

Change the XProtect Incident Manager server's SQL Server and database 332

Change the IDP server's SQL Server and database 332

Managing server services 333

Server manager tray icons (explained) 333

Start or stop the Management Server service 335

Start or stop the Recording Server service 336

View status messages for Management Server or Recording Server 337

Manage encryption with the Server Configurator 337

Start, stop, or restart the Event Server service 337

Stopping the Event Server service 338

View Event Server or MIP logs 338

Enter current system configuration password 340

Managing registered services 340

Add and edit registered services 341

Manage network configuration 341

Registered services properties 341

Removing device drivers (explained) 342

Remove a recording server 343

Delete all hardware on a recording server 343

Changing the host name of the management server computer 343

The validity of certificates 343

Loss of customer data properties for registered services 344

In Milestone Customer Dashboard, the host name will appear unchanged 344

A host name change can trigger the change of the SQL Server address 344

Host name changes in a Milestone Federated Architecture 345

The host of the site is the root node in the architecture 345

The host of the site is a child node in the architecture 345

Managing server logs 346

Identify user activity, events, actions and errors 346

Filter Logs 346

Export logs 348

Search logs 348

Change log language 349

Allow 2018 R2 and earlier components to write logs 349

Troubleshooting 350

Debug logs (explained) 350

Issue: Change of SQL Server and database addresses prevents database access 350

Issue: Recording server startup fails due to port conflict 351

Issue: Recording Server goes offline when switching Management Server cluster node 352

Issue: A parent node in a Milestone Federated Architecture setup cannot connect to a child node 353

To reestablish the connection between parent node and site 353

Upgrade 354

Upgrade (explained) 354

Upgrade requirements 355

Upgrade XProtect VMS to run in FIPS 140-2 compliant mode 356

Upgrade best practices 357

Upgrade in a cluster 359

User interface details 361

Main window and panes 361

Panes layout 363

System settings (Options dialog box) 365

General tab (options) 366

Server Logs tab (options) 369

Mail Server tab (options) 370

AVI Generation tab (options) 371

Network tab (options) 372

Bookmark tab (options) 372

User Settings tab (options) 372

External IDP tab (options) 372

Configure an external IDP 373

Register claims 374

Add redirect URIs for the web clients 375

Customer Dashboard tab (options) 376

Evidence Lock tab (options) 376

Audio messages tab (options) 377

Privacy settings tab 378

Access Control Settings tab (options) 378

Analytics Events tab (options) 378

Alarms and Events tab (options) 379

Generic Events tab (options) 381

Component menus 383

Management Client menus 383

File menu 383

Edit menu 383

View menu 383

Action menu 384

Tools menu 384

Help menu 385

Server Configurator (Utility) 385

Encryption tab properties 385

Registering servers 386

Language selection 387

Tray icon status 387

Starting and stopping services from tray icons 389

Management Server Manager (tray icon) 390

Basics node 391

License Information (Basics node) 391

Site Information (Basics node) 391

Remote Connect Services node 392

Axis One-click Camera Connection (Remote Connect Services node) 392

Servers node 393

Servers (node) 393

Recording Servers (Servers node) 393

Recording Server Settings window 394

Recording servers properties 395

Storage tab (recording server) 397

Failover tab (recording server) 401

Multicast tab (recording server) 403

Network tab (recording server) 406

Failover Servers (Servers node) 406

Info tab properties (failover server) 408

Multicast tab (failover server) 410

Info tab properties (failover group) 410

Sequence tab properties (failover group) 411

Remote server for Milestone Interconnect 411

Info tab (remote server) 411

Settings tab (remote server) 412

Events tab (remote server) 412

Remote Retrieval tab 412

Devices node 413

Devices (Devices node) 413

Status icons of devices 414

Cameras (Devices node) 416

Microphones (Devices node) 417

Speakers (Devices node) 417

Metadata (Devices node) 418

Input (Devices node) 418

Output (Devices node) 418

Devices tabs 419

Info tab (devices) 419

Info tab properties 420

Settings tab (devices) 421

Streams tab (devices) 422

Tasks on the Streams tab 423

Record tab (devices) 424

Tasks on the Record tab 426

Motion tab (devices) 426

Tasks on the Motion tab 427

Presets tab (devices) 429

Tasks on the Presets tab 431

PTZ session properties 432

Patrolling tab (devices) 433

Tasks on the Patrolling tab 435

Manual patrolling properties 435

Fisheye lens tab (devices) 436

Task on the Fisheye lens tab 436

Events tab (devices) 437

Tasks on the Events tab 437

Event tab (properties) 438

Client tab (devices) 438

Client tab properties 439

Privacy masking tab (devices) 441

Tasks on the Privacy masking tab 442

Tasks related to Privacy masking 442

Privacy masking tab (properties) 442

Hardware Properties window 444

Info tab (hardware) 444

Settings tab (hardware) 445

PTZ tab (video encoders) 446

Client node 446

Clients (node) 446

Smart Wall (Client node) 447

Smart Wall properties 447

Monitor properties 448

Smart Client Profiles (Client node) 450

Info tab (Smart Client profiles) 450

General tab (Smart Client profiles) 451

Advanced tab (Smart Client profiles) 451

Live tab (Smart Client profiles) 452

Playback tab (Smart Client profiles) 452

Setup tab (Smart Client profiles) 453

Export tab (Smart Client profiles) 453

Timeline tab (Smart Client profiles) 453

Access Control tab (Smart Client profiles) 454

Alarm Manager tab (Smart Client profiles) 454

Smart map tab (Smart Client profiles) 455

View Layout tab (Smart Client profiles) 456

Management Client Profiles (Client node) 456

Info tab (Management Client Profiles) 456

Profile tab (Management Client Profiles) 456

Navigation 457

Details 458

Tools Menu 458

Federated Sites 459

Rules and Events node 459

Rules (Rules and Events node) 459

Recreate default rules 460

Notification Profiles (Rules and Events node) 462

Events overview 463

Hardware: 463

Hardware - Configurable events: 463

Hardware - Predefined events: 464

Devices - Configurable events: 464

Devices - Predefined events: 464

External events - Predefined events: 467

External events - Generic events: 468

External events - User-defined events: 468

Recording servers: 468

System monitor events 470

System Monitor - Server: 470

System Monitor - Camera: 472

System Monitor - Disk: 473

System Monitor - Storage: 473

Other: 474

Events from add-on products and integrations: 474

Actions and stop actions 474

Manage Rule Wizard 474

Test Analytics Event (properties) 486

Generic Events and Data sources (properties) 488

Generic event (properties) 488

Generic event data source (properties) 490

Webhooks (Rules and Events node) 492

Security node 492

Roles (Security node) 492

Info tab (roles) 492

User and Groups tab (roles) 494

External IDP (roles) 494

Overall Security tab (roles) 495

Device tab (roles) 523

Camera-related permissions 524

Microphone-related permissions 525

Speaker-related permissions 527

Metadata-related permissions 529

Input-related permissions 530

Output-related permissions 530

PTZ tab (roles) 531

Speech tab (roles) 532

Remote Recordings tab (roles) 533

Smart Wall tab (roles) 533

External Event tab (roles) 533

View Group tab (roles) 534

Servers tab (roles) 534

Matrix tab (roles) 535

Alarms tab (roles) 535

Access Control tab (roles) 536

LPR tab (roles) 536

Incidents tab (roles) 537

MIP tab (roles) 537

Basic user (Security node) 537

System dashboard node 538

System Dashboard node 538

Current Tasks (System Dashboard node) 538

System Monitor (System Dashboard node) 538

System monitor dashboard window 539

Tiles 539

Hardware list with monitoring parameters 539

Customize dashboard window 539

Details window 539

System Monitor Thresholds (System Dashboard node) 541

Evidence Lock (System Dashboard node) 544

Configuration Reports (System Dashboard node) 544

Server Logs node 545

Server Logs node 545

System logs (tab) 545

Audit logs (tab) 546

Rule-triggered logs (tab) 546

Metadata Use node 547

Metadata and metadata search 547

What is metadata? 547

Metadata search 547

Metadata search requirements 548

Access Control node 548

Access control properties 548

General Settings tab (Access Control) 548

Doors and Associated Cameras tab (Access Control) 549

Access Control Events tab (Access Control) 550

Access Request Notification tab (Access Control) 551

Cardholders tab (Access Control) 552

Incidents node 553

Incident properties (Incidents node) 553

Transact node 554

Transaction Sources (Transact node) 554

Transaction sources (properties) 554

Transaction Definitions (Transact node) 556

Transaction definitions (properties) 556

Alarms node 558

Alarm Definitions (Alarms node) 558

Alarm definition settings: 559

Alarm trigger: 559

Operator action required: 560

Maps: 560

Other: 560

Alarm Data Settings (Alarms node) 561

Alarm Data Levels tab 561

States 562

Reasons for Closing tab 563

Sound Settings (Alarms node) 563

Federated Site Hierarchy 564

Federated site properties 564

General tab 564

Parent Site tab 564

Copyright, trademarks, and disclaimer


Copyright © 2023 Milestone Systems A/S

Trademarks

XProtect is a registered trademark of Milestone Systems A/S.

Microsoft and Windows are registered trademarks of Microsoft Corporation. App Store is a service mark of
Apple Inc. Android is a trademark of Google Inc.

All other trademarks mentioned in this document are trademarks of their respective owners.

Disclaimer

This text is intended for general information purposes only, and due care has been taken in its preparation.

Any risk arising from the use of this information rests with the recipient, and nothing herein should be
construed as constituting any kind of warranty.

Milestone Systems A/S reserves the right to make adjustments without prior notification.

All names of people and organizations used in the examples in this text are fictitious. Any resemblance to any
actual organization or person, living or dead, is purely coincidental and unintended.

This product may make use of third-party software for which specific terms and conditions may apply. When
that is the case, you can find more information in the file 3rd_party_software_terms_and_conditions.txt located
in your Milestone system installation folder.

Overview

What's new?

In Management Client 2023 R1


XProtect Incident Manager:

• To comply with GDPR or other applicable laws concerning personal data, administrators of XProtect
Management Client can now define a retention time for incident projects.

In Management Client 2022 R3

XProtect Incident Manager:

• The XProtect Incident Manager add-on is now also compatible with XProtect Expert, XProtect
Professional+, and XProtect Express+ version 2022 R3 or later.

• XProtect Incident Manager can now show more than 10,000 incident projects.

In Management Client 2022 R2

XProtect Incident Manager:

• The first release of this add-on

• The XProtect Incident Manager add-on is compatible with XProtect Corporate version 2022 R2 and later
and with XProtect Smart Client version 2022 R2 and later.

XProtect LPR:

• License plate styles, which are part of country modules, are now listed in one place.

• To make license plate styles easier to manage, you can group them into aliases according to your
license plate recognition needs.

• Match lists now support aliases.

In Management Client 2022 R1

Event server encryption:

• You can encrypt the two-way connection between the event server and the components that
communicate with the event server, including the LPR Server.

For more information, see Enable event server encryption on page 288.

Logging in via an external IDP:


• You are now able to log on to the Milestone XProtect VMS using an external IDP. Logging on via an
external IDP is an alternative to logging on as an Active Directory user or as a basic user. With the
external IDP logon method you can bypass the setup requirements of a basic user and still be
authorized to access the components and devices in XProtect.

For more information, see External IDP (explained).

Update hardware data

• You can now see the current firmware version for the hardware device that is detected by the system in
the Management Client.

For more information, see Update your hardware data on page 330.

XProtect Management Server Failover

• You can now achieve high availability of your system by configuring a failover management server
between two redundant computers. If the computer that runs the management server fails, the second
one takes over. The real-time data replication ensures that the databases of the management server,
log server, and event server are identical on both computers.

For more information, see XProtect Management Server Failover on page 36.

Logging in (explained)
When you launch the Management Client, you must first enter your login information to connect to a system.

With XProtect Corporate 2016 or XProtect Expert 2016 or newer installed, you can log into systems that run
older versions of the product after installing a patch. The supported versions are XProtect Corporate 2013 and
XProtect Expert 2013 or newer.


Login authorization (explained)


The system allows administrators to set up users so they can only log into a system if a second user with
sufficient permissions authorizes their login. In this case, XProtect Smart Client or the Management Client asks
for the second authorization during login.

A user associated with the built-in Administrators role always has permission to authorize and is not asked for
a second login, unless the user is associated with another role that requires a second login.

Users logging in via an external IDP cannot be set up with a requirement to be authorized by a second user.

To associate login authorization with a role:


• Set Login authorization required for the selected role on the Info tab (see Roles settings) under Roles,
so that the user is asked for additional authorization during login

• Set Authorize users for the selected role on the Overall Security tab (see Roles settings) under Roles,
so that the user can authorize other users' logins

You can choose both options for the same user. This means that the user is asked for additional authorization
during login, but can also authorize other users' logins, except for his/her own.
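
The rules above can be checked against a planned role layout before it is configured. The following is an added example, not code from Milestone or from this manual: it models the two role settings and reports, for every user who is asked for a second login, which other users can grant it. The role names, user names and function names are constructed for illustration, and the manual does not say whether a user who logs in via an external IDP can authorize others, so the model only follows the role settings there.

```python
from dataclasses import dataclass

ADMINISTRATORS = "Administrators"  # built-in role named in the manual


@dataclass(frozen=True)
class Role:
    name: str
    login_authorization_required: bool = False  # "Login authorization required" (Info tab)
    authorize_users: bool = False               # "Authorize users" (Overall Security tab)


@dataclass(frozen=True)
class User:
    name: str
    roles: tuple
    external_idp: bool = False  # logs in via an external IDP


def is_administrator(user):
    return any(r.name == ADMINISTRATORS for r in user.roles)


def needs_second_login(user):
    """True if the user is asked for a second authorization during login."""
    if user.external_idp:
        # External IDP users cannot be set up with this requirement.
        return False
    # Holds for administrators too: only *another* role can impose it.
    return any(r.login_authorization_required
               for r in user.roles if r.name != ADMINISTRATORS)


def can_authorize(authorizer, subject):
    """True if `authorizer` may approve the login of `subject`."""
    if authorizer.name == subject.name:
        return False  # a user cannot authorize his/her own login
    return is_administrator(authorizer) or any(
        r.authorize_users for r in authorizer.roles)


def eligible_authorizers(subject, users):
    return sorted(u.name for u in users if can_authorize(u, subject))


def audit(users):
    """Map each user who needs a second login to the users who can grant it.

    An empty list means nobody in `users` can authorize that user's login.
    """
    return {u.name: eligible_authorizers(u, users)
            for u in users if needs_second_login(u)}


# Constructed sample layout (hypothetical roles and users).
admins = Role(ADMINISTRATORS)
operators = Role("Operators", login_authorization_required=True)
supervisors = Role("Supervisors", login_authorization_required=True,
                   authorize_users=True)

USERS = [
    User("alice", (admins,)),
    User("bob", (operators,)),
    User("carol", (supervisors,)),            # both options on the same user
    User("dave", (admins, operators)),        # administrator with a second role
    User("erin", (operators,), external_idp=True),
]

if __name__ == "__main__":
    for name, approvers in audit(USERS).items():
        print(name, "->", approvers or "NO AUTHORIZER AVAILABLE")
```

A user who appears in the result with an empty list has no one who can approve the login, which is the case to catch when only one account holds both settings.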

Log in using a non-secure connection


When you log in to the Management Client, you might be asked if you want to log in using a non-secure
network protocol.

• Click Allow to log in disregarding the notification. To avoid getting this notification in the future, either
select Remember my choice. Do not show me this message again or click Tools > Options and then
select Allow non-secure connection to the server (restart of Management Client required).

For information about secure communication, see Secure communication (explained) on page 138.

Change your basic user password


If you log in as a Basic user, you can change your password. If you choose a different authentication method,
only your system administrator can change your password. Changing your password often increases the
security of your XProtect VMS system.

Requirements

The version of your XProtect VMS system must be 2021 R1 or later.

Steps:


1. Start Management Client. The login window opens.

2. Specify your login information. In the Authentication list, select Basic authentication. A link with the
text Change password appears.

3. Click the link. A browser window opens.

4. Follow the instructions and save your changes.

5. Now you can log into Management Client using your new password.

Product overview
The XProtect VMS products are video management software designed for installations of all shapes and sizes.
Whether you want to protect your store from vandalism or you want to manage a multi-site, high security
installation, XProtect makes it possible. The solutions offer centralized management of all devices, servers, and
users, and provide an extremely flexible rule system driven by schedules and events.

Your system consists of the following main components:

• The management server - the center of your installation, consists of multiple servers

• One or more recording servers

• One or more installations of XProtect Management Client

• XProtect Download Manager

• One or more installations of XProtect® Smart Client

• One or more uses of XProtect Web Client and/or installations of XProtect Mobile client if needed

Your system also includes fully integrated Matrix functionality for distributed viewing of video from any camera
on your surveillance system to any computer with XProtect Smart Client installed.

You can install your system on virtualized servers or on multiple physical servers in a distributed setup. See
also A distributed system setup on page 83.

The system also offers the possibility of including the standalone XProtect® Smart Client – Player when you
export video evidence from the XProtect Smart Client. XProtect Smart Client – Player allows recipients of video
evidence (such as police officers, internal or external investigators and more) to browse and play back the
exported recordings without having to install any software on their computers.

With the most feature-rich products installed (see Product comparison on page 107), your system can handle
an unrestricted number of cameras, servers, and users, across multiple sites if required. Your system can
handle IPv4 as well as IPv6.

System components

Management server (explained)


The management server is the central component of the VMS system. It stores the configuration of the
surveillance system in an SQL database, either on a SQL Server on the management server computer itself or
on a separate SQL Server on the network. It also handles user authentication, user permissions, the rule
system and more. To improve system performance, you can run several management servers as a Milestone
Federated Architecture™. The management server runs as a service and is typically installed on a dedicated
server.

Users connect to the management server for initial authentication, then transparently to the recording servers
for access to video recordings, etc.

SQL Server installations and databases (explained)


The management server, the event server and the log server store, for example, the system configuration,
alarms, events and log messages in SQL databases on one or more SQL Server installations. The management
server and the event server share the same SQL database while the log server, XProtect Incident Manager, and
the Identity Provider each have their own SQL database. For more information about the Identity Provider, see
Identity Provider (explained) on page 63. For more information about the XProtect Incident Manager SQL
database and logging, see the separate administrator manual for XProtect Incident Manager.

The system installer includes Microsoft SQL Server Express which is a free edition of SQL Server.

For very large systems or systems with many transactions to and from the SQL databases, Milestone
recommends that you use a Microsoft® SQL Server® Standard or Microsoft® SQL Server® Enterprise edition
of the SQL Server on a dedicated computer on the network and on a dedicated hard disk drive that is not used
for other purposes. Installing the SQL Server on its own drive improves the entire system performance.

Recording server (explained)


The recording server is responsible for communicating with the network cameras and video encoders,
recording the retrieved audio and video as well as providing client access to both live and recorded audio and
video. The recording server is also responsible for communicating with other Milestone products connected via
the Milestone Interconnect technology.

Device drivers

• Network cameras and video encoders communicate through a device driver developed specifically for
individual devices or a series of similar devices from the same manufacturer

• From the 2018 R1 release, the device drivers are split into two device packs: the regular device pack
with newer drivers and a legacy device pack with older drivers

• The regular device pack is installed automatically when you install the recording server. Later, you can
update the drivers by downloading and installing a newer version of the device pack

• The legacy device pack can only be installed if the system has a regular device pack installed. The
drivers from the legacy device pack are automatically installed if a previous version is already installed
on your system. It is available for manual download and installation on the software download page
(https://www.milestonesys.com/downloads/)

Media database
• The recording server stores the retrieved audio and video data in the tailor-made high-performance
media database optimized for recording and storing audio and video data

• The media database supports various unique features such as multistage archiving, video grooming,
encryption, and adding a digital signature to the recordings

The system uses recording servers for recording of video feeds, and for communicating with cameras and
other devices. A surveillance system typically consists of several recording servers.

Recording servers are computers where you have installed the Recording Server software, and configured it to
communicate with the management server. You can see your recording servers in the Overview pane when
you expand the Servers folder and then select Recording Servers.


Backward compatibility with recording server versions older than this version of the management server is
limited. You can still access recordings on recording servers with older versions, but if you want to change their
configuration, make sure they match this version of the management server. Milestone recommends that you
upgrade all recording servers in your system to the same version as your management server.

The recording server supports encryption of data streams to the clients and services:

• Enable encryption to clients and servers on page 289

• View encryption status to clients on page 276

The recording server also supports encryption of the connection with the management server:

• Enable encryption to and from the management server on page 285

You have several options related to management of your recording servers:

• Add hardware on page 203

• Move hardware on page 324

• Delete all hardware on a recording server on page 343

• Remove a recording server on page 343

When the Recording Server service is running, it is very important that Windows Explorer
or other programs do not access Media Database files or folders associated with your
system setup. If they do, it is likely that the recording server cannot rename or move
relevant media files. This might bring the recording server to a halt. To restart a stopped
recording server, stop the Recording Server service, close the program accessing the
relevant media file(s) or folder(s), and restart the Recording Server service.

Mobile server (explained)


The mobile server is responsible for giving XProtect Mobile client and XProtect Web Client users access to the
system.

In addition to acting as a system gateway for the two clients, the mobile server can transcode video, since the
original camera video stream in many cases is too large to fit the bandwidth available for the client users.

If you are performing a Distributed or Custom installation, Milestone recommends that you install the mobile
server on a dedicated server.


Event server (explained)


The event server handles various tasks related to events, alarms, and maps and perhaps also third-party
integrations via the MIP SDK.

Events
• All system events are consolidated in the event server so there is one place and interface for partners
to make integrations that utilize system events

• Furthermore, the event server offers third-party access to sending events to the system via the Generic
events or Analytics events interface

Alarms
• The event server hosts the alarm feature, alarm logic, alarm state as well as handling the alarm
database. The alarm database is stored in the same SQL database that the management server uses

Maps
• The event server also hosts the maps that are configured and used in XProtect Smart Client

MIP SDK
• Finally, third-party-developed plug-ins can be installed on the event server and utilize access to system
events

Log server (explained)


The log server stores all log messages for the entire system in an SQL database. This log messages SQL
database can exist on the same SQL Server as the management server's system configuration SQL database or
on a separate SQL Server. The log server is typically installed on the same server as the management server but
can be installed on a separate server for increased performance of the management and log servers.

API Gateway (explained)


The MIP VMS API provides a unified RESTful API, based on industry standard protocols such as OpenAPI, for
accessing XProtect VMS functionality, simplifying integration projects and serving as a basis for cloud
connected communication.

The XProtect VMS API Gateway supports these integration options through the Milestone Integration Platform
VMS API (MIP VMS API).

The API Gateway is installed on-premise and is intended to serve as a front-end and common entry point for
RESTful API services on all the current VMS server components (management server, event server, recording
servers, log server, etc). An API Gateway service can be installed on the same host as the management server
or separately, and more than one can be installed (each on their own host).

The RESTful API is implemented in part by each specific VMS server component, and the API Gateway can
simply pass through these requests and responses, while for other requests, the API Gateway will convert
requests and responses as appropriate.

Currently, the configuration API, hosted by the management server, is available as a RESTful API.


For more information, see the API Gateway administrator manual and the Milestone Integration Platform VMS
API reference documentation.

Failover

XProtect Management Server Failover


If a standalone computer running the Management Server service or the SQL Server has a hardware failure, it
does not affect recordings or the recording server. However, these hardware failures can result in downtime
for operators and administrators who have not logged in to the clients.

XProtect Management Server Failover provides high availability and disaster recovery for the management
server. If the management server becomes unavailable on one computer, the other computer takes over
running the system components. In cases of hardware failure, the secure real-time replication of the SQL
database contents ensures that there is no data loss.

XProtect Management Server Failover can help you mitigate system downtime. You can benefit from a failover
cluster when:

• A server fails – you can run the Management Server service and SQL Server from another computer
while you resolve the problems.

• You need to apply system updates and security patches – applying security patches on a standalone
management server can be time-consuming, resulting in extended periods of downtime. When you
have a failover cluster, you can apply system updates and security patches with minimal downtime.

• You need seamless connection – users get continuous access to live and playback video, and to the
system’s configuration at all times.

You configure XProtect Management Server Failover between two computers. To make the failover work, the
following system components must run on each computer:

• Management Server service

• Event Server service

• Log Server service

• SQL Server

Failover management server (explained)


Failover support on the management server is achieved by installing the management server in a Microsoft
Windows Cluster. The cluster will then ensure that another server takes over the management server function
should the first server fail.


Failover recording server (explained)

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

A failover recording server is an extra recording server which takes over from the standard recording server if
this becomes unavailable. You can configure a failover recording server in two modes, as a cold standby
server or as a hot standby server.

You install failover recording servers like standard recording servers (see Install a failover recording server
through Download Manager on page 161). Once you have installed failover recording servers, they are visible
in the Management Client. Milestone recommends that you install all failover recording servers on separate
computers. Make sure that you configure failover recording servers with the correct IP address/host name of
the management server. The user permissions for the user account under which the Failover Server service
runs are provided during the installation process. They are:

• Start/Stop permissions to start or stop the failover recording server

• Read and Write access permissions to read or write the RecorderConfig.xml file

If a certificate is selected for encryption, then the administrator must grant read access permission to the
failover user on the selected certificate private key.

If the failover recording server takes over from a recording server that uses encryption,
Milestone recommends that you also prepare the failover recording server for using
encryption. For more information, see Secure communication (explained) on page 138
and Install a failover recording server through Download Manager on page 161.

You can specify what type of failover support you want on device-level. For each device on a recording server,
select full, live only or no failover support. This helps you prioritize your failover resources and, for example,
only set up failover for video and not for audio, or only have failover on essential cameras, not on less
important ones.

While your system is in failover mode, you cannot replace or move hardware, update the
recording server, or change device configurations such as storage settings or video
stream settings.

Cold standby failover recording servers

In a cold standby failover recording server setup, you group multiple failover recording servers in a failover
group. The entire failover group is dedicated to take over from any of several preselected recording servers, if
one of these becomes unavailable. You can create as many groups as you want (see Group failover recording
servers for cold standby on page 201).

Grouping has a clear benefit: when you later specify which failover recording servers should take over from a
recording server, you select a group of failover recording servers. If the selected group contains more than
one failover recording server, this offers you the security of having more than one failover recording server
ready to take over if a recording server becomes unavailable. You can specify a secondary failover server group
that takes over from the primary group if all the recording servers in the primary group are busy. A failover
recording server can only be a member of one group at a time.

Failover recording servers in a failover group are ordered in a sequence. The sequence determines the order in
which the failover recording servers will take over from a recording server. By default, the sequence reflects
the order in which you have incorporated the failover recording servers in the failover group: first in is first in
the sequence. You can change this if you need to.

Hot standby failover recording servers

In a hot standby failover recording server setup, you dedicate a failover recording server to take over from one
recording server only. Because of this, the system can keep this failover recording server in a "standby" mode
which means that it is synchronized with the correct/current configuration of the recording server it is
dedicated to and can take over much faster than a cold standby failover recording server. As mentioned, you
assign hot standby servers to one recording server only and cannot group them. You cannot assign failover
servers that are already part of a failover group as hot standby recording servers.

Failover recording server validation

To validate a merge of video data from the failover server to the recording server, you
must make the recording server unavailable by either stopping the recording server
service or shutting down the recording server computer.

Any manual interruption of the network that you can cause by pulling out the network
cable or blocking the network using a test tool is not a valid method.

Failover recording server functionality (explained)


• A failover recording server checks the state of relevant recording servers every 0.5 seconds. If a
recording server does not reply within 2 seconds, the recording server is considered unavailable and
the failover recording server takes over


• A cold standby failover recording server takes over for the recording server that has become
unavailable after five seconds plus the time it takes for the failover recording server's Recording Server
service to start and the time it takes to connect to the cameras. In contrast, a hot standby failover
recording server takes over faster because the Recording Server service is already running with the
correct configuration and only has to start its cameras to deliver feeds. During the startup period, you
can neither store recordings nor view live video from affected cameras

• When a recording server becomes available again, it automatically takes over from the failover
recording server. Recordings stored by the failover recording server are automatically merged into the
standard recording server's databases. The time it takes to merge depends on the amount of
recordings, network capacity and more. During the merging process, you cannot browse recordings
from the period during which the failover recording server took over

• If a failover recording server must take over from another recording server during the merging process
in a cold standby failover recording server setup, it postpones the merging process with recording
server A, and takes over from recording server B. When recording server B becomes available again,
the failover recording server takes up the merging process and allows both recording server A and
recording server B to merge back recordings simultaneously.

• In a hot standby setup, a hot standby server cannot take over for an additional recording server
because it can only be hot standby for a single recording server. But if that recording server fails again,
the hot standby takes over again and keeps the recordings from the previous period. The recording
server keeps recordings until they are merged back to the primary recorder or until the failover
recording server runs out of disk space

• A failover solution does not provide complete redundancy. It can only serve as a reliable way of
minimizing the downtime. If a recording server becomes available again, the Failover Server service
makes sure that the recording server is ready to store recordings again. Only then is the responsibility
for storing recordings handed back to the standard recording server. So, a loss of recordings at this
stage of the process is very unlikely

• Client users hardly notice that a failover recording server is taking over. A short break occurs, usually
only for a few seconds, when the failover recording server takes over. During this break, users cannot
access video from the affected recording server. Client users can resume viewing live video as soon as
the failover recording server has taken over. Because recent recordings are stored on the failover
recording server, they can play back recordings from after the failover recording server took over.
Clients cannot play back older recordings stored only on the affected recording server until that
recording server is functioning again and has taken over from the failover recording server. You cannot
access archived recordings. When the recording server is functioning again, a merging process takes
place during which failover recordings are merged back into the recording server's database. During
this process, you cannot play back recordings from the period during which the failover recording
server took over


• In a cold standby setup, setting up a failover recording server as backup for another failover recording
server is not necessary. This is because you allocate failover groups and do not allocate particular
failover recording servers to take over from specific recording servers. A failover group must contain at
least one failover recording server, but you can add as many failover recording servers as needed. If a
failover group contains more than one failover recording server, more than one failover recording
server can take over.

• In a hot standby setup, you cannot set up failover recording servers or hot standby servers as failover
for a hot standby server
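
To see how many simultaneous recording server outages a cold standby layout covers, the group rules described above can be modelled in a few lines. The following is an added example, not Milestone code: it applies the one-group-per-server rule, the takeover sequence, the primary and secondary group fallback, and the postponed merge. All class, function and server names are hypothetical, and treating "busy" as "currently recording on behalf of another recording server" is an assumption.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class FailoverServer:
    name: str
    standing_in_for: Optional[str] = None            # recording server it covers now
    pending_merge: set = field(default_factory=set)  # servers still to merge back to
    merge_postponed: bool = False


@dataclass
class FailoverGroup:
    name: str
    members: list  # list order is the takeover sequence


def check_membership(groups):
    """A failover recording server can only be a member of one group at a time."""
    seen = {}
    for group in groups:
        for srv in group.members:
            if srv.name in seen:
                raise ValueError(
                    f"{srv.name} is in both {seen[srv.name]} and {group.name}")
            seen[srv.name] = group.name


def take_over(failed, primary, secondary=None):
    """Return the failover server that covers `failed`, or None if uncovered."""
    for group in (primary, secondary):
        if group is None:
            continue
        for srv in group.members:            # first in the sequence goes first
            if srv.standing_in_for is None:  # assumption: not busy
                srv.standing_in_for = failed
                # A merge in progress is postponed, it does not block takeover.
                srv.merge_postponed = bool(srv.pending_merge)
                return srv
    return None


def restored(recording_server, groups):
    """The recording server is available again: hand back and start merging."""
    for group in groups:
        for srv in group.members:
            if srv.standing_in_for == recording_server:
                srv.standing_in_for = None
                srv.pending_merge.add(recording_server)
                srv.merge_postponed = False  # postponed merges resume as well
                return srv
    return None


def run_scenario():
    """Constructed scenario: four recording servers fail, three failover servers."""
    fo1, fo2, fo3 = (FailoverServer(n) for n in ("FO-1", "FO-2", "FO-3"))
    primary = FailoverGroup("primary", [fo1, fo2])
    secondary = FailoverGroup("secondary", [fo3])
    groups = [primary, secondary]
    check_membership(groups)

    coverage = []
    for rs in ("RS-A", "RS-B", "RS-C", "RS-D"):
        srv = take_over(rs, primary, secondary)
        coverage.append((rs, srv.name if srv else None))

    restored("RS-A", groups)                       # FO-1 starts merging to RS-A
    srv = take_over("RS-D", primary, secondary)    # RS-D is still down
    coverage.append(("RS-D", srv.name if srv else None))
    postponed_during_takeover = fo1.merge_postponed
    restored("RS-D", groups)                       # both merges now run
    return coverage, postponed_during_takeover, fo1


if __name__ == "__main__":
    coverage, postponed, fo1 = run_scenario()
    for rs, name in coverage:
        print(rs, "->", name or "NOT COVERED")
    print("merge postponed while covering RS-D:", postponed)
    print("FO-1 merging back to:", sorted(fo1.pending_merge))
```

In the constructed scenario the fourth outage stays uncovered until one failover server is released, which is the gap to look for when sizing failover groups.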

Failover steps (explained)

Description

Involved servers (numbers in red):

1. Recording Server

2. Failover Recording Server

3. Management Server

Failover steps for Cold standby setups:


1. To check whether it is running or not, a failover recording server has a non-stop TCP
connection to a recording server.

2. This connection is interrupted.

3. The failover recording server requests the current configuration of the recording server
from the management server. The management server sends the requested
configuration, the failover recording server receives the configuration, starts up, and
starts recording on behalf of the recording server.

4. The failover recording server and the relevant camera(s) exchange video data.

5. The failover recording server continually tries to re-establish connection to the recording
server.

6. When the connection to the recording server is re-established, the failover recording
server shuts down and the recording server fetches video data (if any) recorded during
its downtime and the video data is merged back into the recording server database.

Failover steps for Hot standby setups:

1. To check whether it is running or not, a hot standby server has a non-stop TCP
connection to its assigned recording server.

2. This connection is interrupted.

3. From the management server, the hot standby server already knows the current
configuration of its assigned recording server and starts recording on its behalf.

4. The hot standby server and the relevant camera(s) exchange video data.

5. The hot standby server continually tries to re-establish connection to the recording
server.

6. When the connection to the recording server is re-established and the hot standby
server goes back to hot standby mode, the recording server fetches video data (if any)
recorded during its downtime and the video data is merged back into the recording
server database.

Failover recording server services (explained)


A failover recording server has two services installed:


• A Failover Server service, which handles the processes of taking over from the recording server. This
service is always running, and constantly checks the state of relevant recording servers

• A Failover Recording Server service, which enables the failover recording server to act as a recording
server.

In a cold standby setup, this service is only started when required, that is, when the cold standby failover
recording server takes over from the recording server. Starting this service typically takes a couple of
seconds, but may take longer depending on local security settings and more.
In a hot standby setup, this service is always running, allowing the hot standby server to take over
faster than the cold standby failover recording server.

Clients

Management Client (explained)


The Management Client is a feature-rich administration client for configuration and day-to-day management of
the system. Available in several languages.

Typically installed on the surveillance system administrator's workstation or similar.

XProtect Smart Client (explained)


XProtect Smart Client is a desktop application designed to help you manage your IP surveillance cameras. It
provides intuitive control over security installations by giving users access to live and recorded video, instant
control of cameras and connected security devices, and the ability to make advanced searches for recordings
and metadata.

Available in multiple local languages, XProtect Smart Client has an adaptable user interface that can be
optimized for individual operators’ tasks and adjusted according to specific skills and authority levels.


The interface allows you to tailor your viewing experience to specific working environments by selecting a light
or dark theme. It also features work-optimized tabs and an integrated video timeline for easy surveillance
operation.

Using the MIP SDK, users can integrate various types of security and business systems, and video analytics
applications, which you manage through XProtect Smart Client.

XProtect Smart Client must be installed on operators' computers. Surveillance system administrators manage
access to the surveillance system through the Management Client. Recordings viewed by clients are provided
by your XProtect system's Image Server service. The service runs in the background on the surveillance system
server. Separate hardware is not required.

XProtect Mobile client (explained)


XProtect Mobile client is a mobile surveillance solution closely integrated with the rest of your XProtect system.
It runs on your Android tablet or smartphone or your Apple® tablet, smartphone or portable music player and
gives you access to cameras, views and other functionality set up in the management clients.

Use the XProtect Mobile client to view and play back live and recorded video from one or multiple cameras,
control pan-tilt-zoom (PTZ) cameras, trigger output and events and use the Video push functionality to send
video from your device to your XProtect system.

If you want to use the XProtect Mobile client with your system, you must have an XProtect Mobile server to
establish the connection between the XProtect Mobile client and your system. Once the XProtect Mobile server
is set up, download the XProtect Mobile client for free from Google Play or App Store to start using XProtect
Mobile.

You need one device license per device that should be able to push video to your XProtect system.

XProtect Web Client (explained)


XProtect Web Client is a web-based client application for viewing, playing back and sharing video. It provides
instant access to the most commonly used surveillance functions, such as viewing live video, playing back
recorded video, and printing and exporting evidence. Access to features depends on individual user permissions,
which are set up in Management Client.

To enable access to the XProtect Web Client, you must have an XProtect Mobile server to establish the
connection between the XProtect Web Client and your system. The XProtect Web Client does not require
any installation and works with most Internet browsers. Once you have set up the XProtect Mobile server,
you can monitor your XProtect system anywhere from any computer or tablet with Internet access (provided
you know the correct external/Internet address, user name and password).

Add-on products

XProtect Access (explained)


Milestone has developed add-on products that fully integrate with XProtect to give you extra functionality.
Your XProtect license file controls the access to add-on products.

The use of XProtect Access requires that you have purchased a base license that allows
you to access this feature within your XProtect system. You also need an access control
door license for each door you want to control.

You can use XProtect Access with access control systems from vendors where a vendor-
specific plug-in for XProtect Access exists.

The access control integration feature introduces new functionality that makes it simple to integrate
customers’ access control systems with XProtect. You get:

• A common operator user interface for multiple access control systems in XProtect Smart Client
• Faster and more powerful integration of access control systems
• More functionality for the operator (see below)

In XProtect Smart Client, the operator gets:

• Live monitoring of events at access points
• Operator aided passage for access requests
• Map integration
• Alarm definitions for access control events
• Investigation of events at access points
• Centralized overview and control of door states
• Cardholder information and management

The Audit log logs the commands that each user performs in the access control system from XProtect Smart
Client.

Apart from an XProtect Access base license, you need a vendor-specific integration plug-in installed on the event
server before you can start an integration.

XProtect Incident Manager


Milestone has developed add-on products that fully integrate with XProtect to give you extra functionality.
Your XProtect license file controls the access to add-on products.

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

XProtect Incident Manager is a Milestone add-on that enables organizations to document incidents and
combine them with sequence evidence (video and, potentially, audio) from the XProtect VMS.

Users of XProtect Incident Manager can save all the incident information in incident projects. From the incident
projects, they can track the status and activities of each incident. In this way, the users can manage incidents
effectively and easily share strong incident evidence, both internally with colleagues and externally with
authorities.

XProtect Incident Manager helps organizations gain an overview and understanding of the incidents
happening in the areas they survey. This knowledge enables the organizations to implement steps to minimize
the chance that similar incidents happen in the future.

In XProtect Management Client, the administrators of an organization’s XProtect VMS can define the available
incident properties in XProtect Incident Manager to the organizations’ needs. The operators of XProtect Smart
Client start, save, and manage incident projects and add various information to the incident projects. This
includes free text, incident properties that the administrators have defined, and sequences from the XProtect
VMS. For full traceability, the XProtect VMS logs when administrators define and edit incident properties and
when operators create and update the incident projects.

XProtect LPR (explained)


Milestone has developed add-on products that fully integrate with XProtect to give you extra functionality.
Your XProtect license file controls the access to add-on products.

Available functionality depends on the system you are using. See the complete feature list, which is available
on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

XProtect LPR offers video-based content analysis (VCA) and recognition of vehicle license plates that interacts
with your surveillance system and your XProtect Smart Client.

To read the characters on a plate, XProtect LPR uses optical character recognition on images aided by
specialized camera settings.

You can combine LPR (license plate recognition) with other surveillance features such as recording and event-
based activation of outputs.

Examples of events in XProtect LPR:

• Trigger surveillance system recordings in a particular quality
• Activate alarms
• Match against positive and negative match lists
• Open gates
• Switch on lights
• Push video of incidents to computer screens of particular security staff members
• Send mobile phone text messages

With an event, you can activate alarms in XProtect Smart Client.

XProtect Smart Wall (explained)


See also the Smart Wall manual
(https://doc.milestonesys.com/2023r1/en-US/portal/htm/chapter-page-smart-wall.htm).

Milestone has developed add-on products that fully integrate with XProtect to give you extra functionality.
Your XProtect license file controls the access to add-on products.

XProtect Smart Wall is an advanced add-on tool that enables organizations to create video walls that meet their
specific security demands. XProtect Smart Wall provides an overview of all the video data in the XProtect VMS
(short for "Video Management Software") system and supports any amount or combination of monitors.

XProtect Smart Wall allows operators to view static video walls as defined by their system administrator with a
fixed set of cameras and monitor layout. However, the video wall is also operator-driven in the sense that
operators can control what is being displayed. This includes:

• Pushing cameras and other types of content to the video wall, for example images, text, alarms, and smart map
• Sending entire views to the monitors
• In the course of certain events, applying alternate presets (a preset is a predefined layout for one or more
  Smart Wall monitors in XProtect Smart Client; presets determine which cameras are displayed, and how
  content is structured on each monitor on the video wall)

Finally, display changes can be controlled by rules that automatically change the presets based on specific
events or time schedules.

XProtect Transact (explained)


Milestone has developed add-on products that fully integrate with XProtect to give you extra functionality.
Your XProtect license file controls the access to add-on products.

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

XProtect Transact is an add-on to Milestone's IP video surveillance solutions.

XProtect Transact is a tool for observing ongoing transactions and investigating transactions in the past. The
transactions are linked with the digital surveillance video monitoring the transactions, for example to help you
prove fraud or provide evidence against a perpetrator. There is a 1-to-1 relationship between the transaction
lines and video images.

The transaction data may originate from different types of transaction sources, typically point of sales (PoS)
systems or automated teller machines (ATM).

Milestone Open Network Bridge (explained)


Milestone has developed add-on products that fully integrate with XProtect to give you extra functionality.
Your XProtect license file controls the access to add-on products.

Milestone Open Network Bridge is an open ONVIF compliant interface for standardized video sharing from
XProtect VMS systems to other IP-based security systems. This enables law enforcement, surveillance centers,
or similar organizations (referred to as ONVIF clients) to access live and recorded video streams from the
XProtect VMS system to the central monitoring solutions. The video streams are sent as RTSP streams over the
Internet.

The key benefits are:

• Enables true interoperability and freedom of choice for large-scale, multi-vendor security deployments
  and seamless private-to-public video integration
• Provides external access to H.264 and H.265 video streams in the XProtect VMS system, both live video
  and playback
• Offers standardized interfaces that provide an easy and problem-free way of integrating XProtect VMS
  solutions with alarm centers and monitoring stations

This document provides the following:

• Information about the ONVIF standard and links to reference materials
• Instructions for installing and configuring the Milestone Open Network Bridge in your XProtect VMS
  product
• Examples of how to enable various types of ONVIF clients to stream live and recorded video from
  XProtect VMS products

XProtect DLNA Server (explained)


Milestone has developed add-on products that fully integrate with XProtect to give you extra functionality.
Your XProtect license file controls the access to add-on products.

DLNA (Digital Living Network Alliance) is a standard for connecting multimedia devices. Electronics
manufacturers get their products DLNA certified to ensure interoperability between different vendors and
devices and thereby enable them to distribute video content.

Public displays and TVs are often DLNA certified and connected to a network. They are able to scan the
network for media content, connect to the device, and request a media stream to their built-in media player.
XProtect DLNA Server can be discovered by certain DLNA certified devices and deliver live video streams from
selected cameras to DLNA certified devices with a media player.

The DLNA devices have a live video delay of 1-10 seconds. This is caused by different
buffer sizes in the devices.

XProtect DLNA Server must be connected to the same network as the XProtect system and the DLNA device
must be connected to the same network as XProtect DLNA Server.

Devices

Hardware (explained)

Hardware represents either:

• The physical unit that connects directly to the recording server of the surveillance system via IP, for
  example a camera, a video encoder, an I/O module
• A recording server on a remote site in a Milestone Interconnect setup

You have several options for adding hardware to each recording server in your system.

If your hardware is located behind a NAT-enabled router or a firewall, you may need to
specify a different port number and configure the router/firewall so it maps the port and
IP addresses that the hardware uses.

The Add Hardware wizard helps you detect hardware like cameras and video encoders on your network and
add them to the recording servers on your system. The wizard also helps you add remote recording servers for
Milestone Interconnect setups. Only add hardware to one recording server at a time.

Hardware pre-configuration (explained)

Certain manufacturers require that credentials be set on out-of-the-box hardware before adding the hardware
to a VMS system for the first time. This is referred to as hardware pre-configuration, and is done through the
Pre-configure hardware devices wizard that appears when such hardware is detected by the Add hardware
wizard (see Add hardware on page 203).

Some important information regarding the Pre-configure hardware devices wizard:

• Hardware that requires initial credentials before being added to a VMS system cannot be added using
  the typical default credentials, and must be configured through the wizard or by connecting to the
  hardware directly
• You can only apply credentials (user name or password) to fields that are marked as not set
• Once the hardware status is set to configured, you cannot change the credentials (user name or
  password)
• Pre-configuration applies to out-of-the-box hardware and needs to be done only once. Once pre-configured,
  hardware can be managed like any other hardware in Management Client
• After you close the Pre-configure hardware devices wizard, pre-configured hardware will appear in the
  Add hardware wizard (see Add hardware on page 203), and can now be added to your system

It is highly recommended that you add the pre-configured hardware to your system by
completing the Add hardware wizard (see Add hardware on page 203) after you close the
Pre-configure hardware devices wizard. Management Client will not retain the pre-configured
credentials if you do not add the hardware to your system.

Devices (explained)

Hardware has a number of devices that you can manage individually, for example:

• A physical camera has devices that represent the camera part (lenses) as well as microphones,
  speakers, metadata, input and output either attached or built-in
• A video encoder has multiple analog cameras connected that appear in one list of devices that
  represent the camera part (lenses) as well as microphones, speakers, metadata, input and output either
  attached or built-in
• An I/O module has devices that represent the input and output channels for, for example, lights
• A dedicated audio module has devices that represent microphones and speaker inputs and outputs
• In a Milestone Interconnect setup, the remote system appears as hardware with all devices from the
  remote system listed in one list

The system automatically adds the hardware’s devices when you add hardware.

For information about supported hardware, see the supported hardware page on the
Milestone website (https://www.milestonesys.com/support/tools-and-references/supported-devices/).

The following sections describe each of the device types that you can add.

Cameras

Camera devices deliver video streams to the system that the client users can use to view live video or that the
system can record for later playback by the client users. Roles determine the users' permission to view video.

Microphones

On many devices, you can attach external microphones. Some devices have built-in microphones.

Microphone devices deliver audio streams to the system that the client users can listen to live or the system
can record for later playback by the client users. You can set up the system to receive microphone-specific
events that trigger relevant actions.

Roles determine the users' permission to listen to microphones. You cannot listen to microphones from the
Management Client.

Speakers

On many devices you can attach external speakers. Some devices have built-in speakers.

The system sends an audio stream to the speakers when a user presses the talk button in XProtect Smart
Client. You can also use this feature from XProtect Web Client and XProtect® Mobile. Speaker audio is only
recorded when a user talks through the speaker. Roles determine users' permission to talk through speakers.
You cannot talk through speakers from the Management Client.

If two users want to speak at the same time, the roles determine users' permission to talk through speakers.
As part of the roles definition, you can specify a speaker priority from very high to very low. If two users want
to speak at the same time, the user whose role has the highest priority wins the ability to speak. If two users
with the same role want to speak at the same time, the first-come first-served principle applies.

Metadata

Metadata devices deliver data streams to the system that the client users can use to view data about data, for
example, data that describes the video image, the content or objects in the image, or the location of where the
image was recorded. Metadata can be attached to cameras, microphones, or speakers.

Metadata can be generated by:

• The device itself delivering the data, for example a camera that is delivering video
• A third-party system or integration via a generic metadata driver

The device-generated metadata is automatically linked to one or more devices on the same hardware.

Roles determine the users' permission to view metadata.

Inputs

On many devices, you can attach external units to input ports on the device. Input units are typically external
sensors. You can use such external sensors, for example, for detecting if doors, windows, or gates are opened.
Input from such external input units is treated as events by the system.

You can use such events in rules. For example, you could create a rule specifying that a camera should begin
recording when an input is activated, and stop recording 30 seconds after the input is deactivated.

Outputs

On many devices, you can attach external units to output ports on the device. This allows you to
activate/deactivate lights, sirens, etc. through the system.

You can use output when creating rules. You can create rules that automatically activate or deactivate outputs,
and rules that trigger actions when the state of an output is changed.

Device groups (explained)


Grouping of devices into device groups is part of the Add Hardware wizard, but you can always modify the
groups and add more groups if needed.

You can benefit from grouping different types of devices (cameras, microphones, speakers, metadata, inputs,
and outputs) on your system:

• Device groups help you maintain an intuitive overview of devices on your system
• Devices can exist in several groups
• You can create subgroups and subgroups in subgroups
• You can specify common properties for all devices within a device group in one go
• Device properties set via the group are not stored for the group but on the individual devices
• When dealing with roles, you can specify common security settings for all devices within a device group
  in one go
• When dealing with rules, you can apply a rule for all devices within a device group in one go

You can add as many device groups as required, but you cannot mix different types of devices (for example
cameras and speakers) in a device group.

Create device groups with fewer than 400 devices so you can view and edit all properties.

If you delete a device group, you only delete the device group itself. If you want to delete a device, for example
a camera, from your system, do it on the recording server level.

The following examples are based on grouping cameras into device groups, but the principles apply for all
devices:

Add a device group

Specify which devices to include in a device group

Specify common properties for all devices in a device group

Media storage

Storage and archiving (explained)


Available functionality depends on the system you are using. See the complete feature list, which is available
on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

On the Storage tab, you can set up, manage and view storages for a selected recording server.

For recording storages and archives, the horizontal bar shows the current amount of free space. You can
specify the behavior of the recording server in case recording storages become unavailable. This is mostly
relevant if your system includes failover servers.

If you are using Evidence lock, there will be a vertical red line showing the space used for evidence locked
footage.

When a camera records video or audio, all specified recordings are by default stored in the storage defined for
the device. Each storage consists of a recording storage that saves recordings in the recording database
Recording. A storage has no default archive(s), but you can create these.

To prevent the recording database from running full, you can create additional storages (see Add a new storage on
page 188). You can also create archives (see Create an archive within a storage on page 189) within each
storage and start an archiving process to store data.

Archiving is the automatic transfer of recordings from, for example, a camera's
recording database to another location. In this way, the amount of recordings that you
can store is not limited to the size of the recording database. With archiving you can also
back up your recordings to other media.

You configure storage and archiving on each recording server.

As long as you store archived recordings locally or on accessible network drives, you can use XProtect Smart
Client to view them.

If a disk drive breaks and the recording storage becomes unavailable, the horizontal bar turns red. It is still
possible to view live video in XProtect Smart Client, but recording and archiving stops until the disk drive is
restored. If your system is configured with failover recording servers, you can specify the recording server to
stop running, to let the failover servers take over (see Specify behavior when recording storage is unavailable
on page 187).

The following mostly mentions cameras and video, but it also applies to speakers, microphones, audio and sound.

Milestone recommends that you use a dedicated hard disk drive for recording storages
and archives to prevent low disk performance. When you format the hard disk, it is
important to change its Allocation unit size setting from 4 to 64 kilobytes. This is to
significantly improve recording performance of the hard disk. You can read more about
allocation unit sizes and find help on the Microsoft website
(https://support.microsoft.com/en-us/topic/default-cluster-size-for-ntfs-fat-and-exfat-9772e6f1-e31a-00d7-e18f-73169155af95).

The oldest data in a database is always auto-archived (or deleted if no next archive is
defined) when less than 5GB of space is free. If less than 1GB of space is free, data is
deleted. A database always requires 250MB of free space. If you reach this limit because
data is not deleted fast enough, attempts to write to the database might fail and in that
case no more data is written to the database until you free up enough space. The actual
maximum size of your database becomes the number of gigabytes that you specify,
minus 5GB.

For FIPS 140-2 compliant systems, with exports and archived media databases from
XProtect VMS versions prior to 2017 R1 that are encrypted with non-FIPS-compliant
ciphers, it is required to archive the data in a location where it can still be accessed after
enabling FIPS. For detailed information on how to configure your XProtect VMS to run in
FIPS 140-2 compliant mode, see the FIPS 140-2 compliance section in the hardening
guide.

Attaching devices to a storage

Once you have configured the storage and archiving settings for a recording server, you can enable storage
and archiving for individual cameras or a group of cameras. You do this from the individual devices or from the
device group. See Attach a device or group of devices to a storage on page 189.

Effective archiving

When you enable archiving for a camera or a group of cameras, the content of the recording storage is
automatically moved to the first archive at intervals that you define.

Depending on your requirements, you can configure one or more archives for each of your storages. Archives
can be located either on the recording server computer itself, or at another location which can be reached by
the system, for example on a network drive.

By setting up your archiving in an effective way, you can optimize storage needs. Often, you want to make
archived recordings take up as little space as possible, especially on a long-term basis, where it is perhaps even
possible to slacken image quality a bit. You handle effective archiving from the Storage tab of a recording
server by adjusting several interdependent settings:

• Recording storage retention
• Recording storage size
• Archive retention
• Archive size
• Archive schedule
• Encryption
• Frames Per Second (FPS).

The size fields define the size of the recording storage, exemplified by the cylinder, and its archive(s)
respectively:

By means of retention time and size setting for the recording storage, exemplified by the white area in the
cylinder, you define how old recordings must be before they are archived. In our illustrated example, you
archive the recordings when they are old enough to be archived.

The retention time and size setting for archives define how long the recordings remain in the archive.
Recordings remain in the archive for the time specified, or until the archive has reached the specified size limit.
When these settings are met, the system begins to overwrite old recordings in the archive.

The archiving schedule defines how often and at what times archiving takes place.

FPS determines the size of the data in the databases.

To archive your recordings, you must set all these parameters up in accordance with each other. This means
that the retention period of the next archive must always be longer than the retention period of a current
archive or recording database. This is because the number of retention days stated for an archive includes all
retention stated earlier in the process. Archiving must also always take place more frequently than the
retention period, otherwise you risk losing data. If you have a retention time of 24 hours, any data older than
24 hours is deleted. Therefore, to get your data safely moved to the next archive, it is important to run
archiving more often than every 24 hours.

Example: These storages (image to the left) have a retention time of 4 days and the following archive (image to
the right) a retention time of 10 days. Archiving is set to occur every day at 10:30, ensuring a much more
frequent archiving than retention time.

You can also control archiving by use of rules and events.
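
The retention and scheduling constraints described in this section, expressed as a configuration check. This is an added example, not part of the manual or of any Milestone tool: the `Stage` model, the finding codes and the sample sizes are assumptions, while the 4-day/10-day/daily figures and the 5 GB reserve come from the text above.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

RESERVED_GB = 5  # from the manual: usable size = specified size minus 5 GB


@dataclass
class Stage:
    """One step of a storage chain (hypothetical model, not a Milestone API)."""
    name: str
    retention_hours: float
    max_size_gb: float
    archive_every_hours: Optional[float] = None  # None on the last stage


def usable_gb(stage: Stage) -> float:
    """Space that can actually hold recordings once the reserve is subtracted."""
    return max(stage.max_size_gb - RESERVED_GB, 0.0)


def check_chain(stages: List[Stage]) -> List[Tuple[str, str]]:
    """Return (stage name, finding) pairs; an empty list means the chain is consistent.

    stages[0] is the recording storage, followed by its archives in order.
    """
    findings = []
    for current, following in zip(stages, stages[1:] + [None]):
        if usable_gb(current) == 0:
            findings.append((current.name, "size-not-above-reserve"))
        if following is None:
            continue  # last stage: data is overwritten or deleted, nothing to hand over
        # Archiving must run more often than the retention period, or data
        # ages out of this stage before it is moved on.
        if current.archive_every_hours is None:
            findings.append((current.name, "no-archive-schedule"))
        elif current.archive_every_hours >= current.retention_hours:
            findings.append((current.name, "archiving-not-more-frequent-than-retention"))
        # Retention stated for an archive includes all retention earlier in
        # the chain, so it has to be longer than the previous stage's.
        if following.retention_hours <= current.retention_hours:
            findings.append((following.name, "retention-not-longer-than-previous"))
    return findings


# The manual's example: 4 days in recording storage, archived daily, 10 days
# in the archive. The sizes are constructed for illustration.
MANUAL_EXAMPLE = [
    Stage("Recording", 4 * 24, 500, archive_every_hours=24),
    Stage("Archive 1", 10 * 24, 2000),
]

# Constructed misconfiguration: 24 h retention archived only every 24 h,
# an archive that keeps data no longer than the source, and a 5 GB storage.
RISKY = [
    Stage("Recording", 24, 5, archive_every_hours=24),
    Stage("Archive 1", 24, 2000),
]

if __name__ == "__main__":
    for label, chain in (("manual example", MANUAL_EXAMPLE), ("risky", RISKY)):
        print(label, check_chain(chain) or "OK")
```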

Archive structure (explained)


When you archive recordings, they are stored in a certain sub-directory structure within the archive.

During all regular use of your system, the sub-directory structure is completely
transparent to the system's users, as they browse all recordings with the XProtect Smart
Client regardless of whether the recordings are archived or not. Knowing the sub-
directory structure is primarily interesting if you want to back up your archived
recordings.

In each of the recording server's archive directories, the system automatically creates separate sub-directories.
These sub-directories are named after the name of the device and the archive database.

Because you can store recordings from different cameras in the same archive, and since archiving for each
camera is likely to be performed at regular intervals, further sub-directories are also automatically added.

These sub-directories each represent approximately an hour's worth of recordings. The one-hour split makes it
possible to remove only relatively small parts of an archive's data if you reach the maximum allowed size of the
archive.

The sub-directories are named after the device, followed by an indication of where the recordings came from
(edge storage or via SMTP), plus the date and time of the most recent database record contained in the sub-
directory.

Naming structure

...[Storage Path]\[Storage name]\[device-name] - plus date and time of most recent recording]\

If from edge storage:

...[Storage Path]\[Storage name]\[device-name] (Edge) - plus date and time of most recent recording]\

If from SMTP:

...[Storage Path]\[Storage name]\[device-name] (SMTP) - plus date and time of most recent recording]\

Real life example

...F:\OurArchive\Archive1\Camera 1 on Axis Q7404 Video Encoder(10.100.50.137) - 2011-10-05T11:23:47+02:00\

Sub-directories

Even further sub-directories are automatically added. The amount and nature of these sub-directories depend
on the nature of the actual recordings. For example, several different sub-directories are added if the
recordings are technically divided into sequences. This is often the case if you have used motion detection to
trigger recordings.

• Media: This folder contains the actual media that is either video or audio (not both)
• MotionLevel: This folder contains motion level grids generated from the video data using our motion
  detection algorithm. This data allows the Smart Search feature in XProtect Smart Client to do very fast
  searches
• Motion: In this folder, the system stores motion sequences. A motion sequence is a time slice for which
  motion has been detected in the video data. This information is, for example, used in the time line in
  XProtect Smart Client
• Recording: In this folder, the system stores recording sequences. A recording sequence is a time slice
  for which there are coherent recordings of media data. This information is, for example, used to draw
  the time line in XProtect Smart Client
• Signature: This folder holds the signatures generated for the media data (in the Media folder). With this
  information, you can verify that the media data has not been tampered with since it was recorded

If you want to back up your archives, you can target your backups if you know the basics of the sub-directory
structure.

Examples of backup

To back up the content of an entire archive, back up the required archive directory and all of its content. For
example, everything under:

...F:\OurArchive\

To back up the recordings from a particular camera from a particular period of time, back up the contents of
the relevant sub-directories only. For example, everything under:

...F:\OurArchive\Archive1\Camera 1 on Axis Q7404 Video Encoder(10.100.50.137) - 2011-10-05T11:23:47+02:00\
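
A parser for the sub-directory names shown under "Naming structure", used to pick the sub-directories that cover one camera and one time window for a targeted backup. This is an added example, not Milestone code: it assumes the names on disk follow the pattern exactly as printed in this manual (check against a real archive directory first), the sample names and window are constructed, and the one-hour span is the manual's "approximately an hour" figure.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional

# "[device-name] - <timestamp>", with an optional " (Edge)" or " (SMTP)" marker
# between the device name and the timestamp, as printed in the manual.
_NAME_RE = re.compile(
    r"^(?P<device>.+?)"
    r"(?: \((?P<source>Edge|SMTP)\))?"
    r" - (?P<stamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2})$"
)


@dataclass(frozen=True)
class ArchiveSlice:
    device: str
    source: str        # "recording", "Edge" or "SMTP"
    newest: datetime   # most recent database record in the sub-directory


def parse_slice(dirname: str) -> Optional[ArchiveSlice]:
    """Parse one sub-directory name; return None for anything else (Media, ...)."""
    m = _NAME_RE.match(dirname.rstrip("\\/"))
    if m is None:
        return None
    return ArchiveSlice(
        device=m["device"],
        source=m["source"] or "recording",
        newest=datetime.fromisoformat(m["stamp"]),
    )


def select_for_backup(
    dirnames: Iterable[str],
    device: str,
    start: datetime,
    end: datetime,
    span: timedelta = timedelta(hours=1),
) -> List[str]:
    """Names of the sub-directories that may hold `device` data in [start, end].

    The timestamp in a name is the newest record, and each sub-directory holds
    roughly `span` of recordings, so it covers about (newest - span, newest].
    """
    picked = []
    for name in dirnames:
        s = parse_slice(name)
        if s is None or s.device != device:
            continue
        if s.newest >= start and s.newest - span <= end:
            picked.append(name)
    return picked


# Constructed sample listing, modelled on the manual's real-life example.
CAM = "Camera 1 on Axis Q7404 Video Encoder(10.100.50.137)"
SAMPLE = [
    CAM + " - 2011-10-05T09:23:47+02:00",
    CAM + " - 2011-10-05T10:23:47+02:00",
    CAM + " - 2011-10-05T11:23:47+02:00",
    CAM + " (Edge) - 2011-10-05T11:40:02+02:00",
    "Camera 2 on Axis Q7404 Video Encoder(10.100.50.137) - 2011-10-05T11:23:47+02:00",
    "Media",
]
WINDOW_START = datetime.fromisoformat("2011-10-05T10:30:00+02:00")
WINDOW_END = datetime.fromisoformat("2011-10-05T11:00:00+02:00")

if __name__ == "__main__":
    for name in select_for_backup(SAMPLE, CAM, WINDOW_START, WINDOW_END):
        print(name)
```

Back up each selected sub-directory with all of its content, including the Signature folder, so that the media can still be verified after a restore.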

Pre-buffering and storage of recordings (explained)


Pre-buffering is the ability to record audio and video before the actual triggering event occurs. This is useful
when you want to record the audio or video that leads up to an event that triggers recording, for example,
opening a door.

Pre-buffering is possible because the system continuously receives audio and video streams from the
connected devices and temporarily stores them for the defined pre-buffer period.

• If a recording rule is triggered, the temporary recordings are made permanent for the rule’s configured
pre-recording time

• If no recording rule is triggered, the temporary recordings in the pre-buffer are automatically deleted
after the defined pre-buffer time

Storage of the temporary pre-buffer recordings

You can choose the storage location of the temporary pre-buffer recordings:

• In the memory; the pre-buffer period is limited to 15 seconds.

• On the disk (in the media database); you can choose all values.

Storage to the memory instead of to disk improves system performance but is only possible for shorter
pre-buffer periods.

When recordings are stored in the memory, and you make some of the temporary recordings permanent, the
remaining temporary recordings are deleted and cannot be restored. If you need to be able to keep the
remaining recordings, store the recordings on the disk.

Authentication

Active Directory (explained)


Active Directory is a distributed directory service implemented by Microsoft for Windows domain networks. It is
included in most Windows Server operating systems. It identifies resources on a network in order for users or
applications to access them.

With the Active Directory installed, you can add Windows users from Active Directory, but you also have the
option of adding basic users without Active Directory. There are certain system limitations related to basic
users.

Users (explained)

The term users primarily refers to users who connect to the surveillance system through the clients. You can
configure such users in two ways:

• As basic users, authenticated by a user name/password combination

• As Windows users, authenticated based on their Windows login


Windows Users

You add Windows Users through the use of Active Directory. Active Directory (AD) is a directory service
implemented by Microsoft for Windows domain networks. It is included in most Windows Server operating
systems. It identifies resources on a network in order for users or applications to access them. Active Directory
uses the concepts of users and groups.

Users are Active Directory objects representing individuals with a user account. Example:

Groups are Active Directory objects with several users. In this example, the Management Group has three
users:

Groups can contain any number of users. By adding a group to the system, you add all of its members in one
go. Once you have added the group to the system, any changes made to the group in Active Directory, such as
new members you add or old members you remove at a later stage, are immediately reflected in the system. A
user can be a member of more than one group at a time.

You can use Active Directory to add existing user and group information to the system with some benefits:

• Users and groups are specified centrally in Active Directory so you do not have to create user accounts
from scratch

• You do not have to configure any authentication of users on the system as Active Directory handles
authentication

Before you can add users and groups through the Active Directory service, you must have a server with Active
Directory installed on your network.

Basic users

If your system does not have access to Active Directory, create a basic user. For information about how to set
up basic users, see Create basic users on page 274.


Identity Provider (explained)


Identity Provider app pool (IDP) is a system entity that creates, maintains, and manages identity information
for basic users.

Identity Provider also provides authentication and registration services to relying applications or services, in
this case: Recording Server, Management Server, Data Collector, and Report Server.

When you log in to XProtect clients and services as a basic user, your request goes to the Identity Provider.
When authenticated, the user can call the management server.

Identity Provider runs in the IIS as a part of the management server, using the same SQL Server with a separate
database (Surveillance_IDP), and is responsible for creating and handling OAuth communication tokens that
services use when communicating.

Identity Provider logs can be found at: \\ProgramData\Milestone\IDP\Logs.

External IDP (explained)


IDP is an acronym for Identity Provider. An external IDP is an external application and service where you can
store and manage user identity information and provide user authentication services to other systems. You
can associate an external IDP with the XProtect VMS.

Claims (explained)

Claims form the link between the external IDP and the XProtect VMS.

A claim is a statement that an entity such as a user or an application makes about itself. In the XProtect VMS, a
claim can be associated with a role that determines the users' XProtect permissions.

The claim is a key-value pair consisting of a claim name and a claim value. For example, the claim name could be a
standard name that describes the content of the claim value, and the claim value could be the name of a
group. For more examples of claims from an external IDP, see Example of claims from an external IDP.

Enable users to log in to the XProtect VMS from an external IDP

• From the external IDP, create the users. You must also identify the XProtect VMS and the interaction
between XProtect and the external IDP. Finally, create the claims to identify users as external IDP users
in the XProtect VMS.

• From the XProtect VMS, create a configuration that enables the Identity Provider to contact the external
IDP. For more information about how to create a configuration for an external IDP, see Add and
configure an external IDP.

• From the XProtect VMS, establish authentication of users by mapping the user claims from the external
IDP to XProtect roles. For more information about how to map claims to roles, see Map claims from an
external IDP to roles in XProtect.

Unique user names for external IDP users

User names are created automatically for users that log into Milestone XProtect via an external IDP.


The external IDP provides a set of claims to automatically create a name for the user in XProtect, and in
XProtect an algorithm is used to pick a name from the external IDP that is unique in the VMS database.

Example of claims from an external IDP

The claims consist of a claim name and a claim value. For example:

Claim name            Claim value
name                  Raz Van
email                 [email protected]
amr                   pwd
idp                   00o2ghkgazGgi9BIE5d7
preferred_username    [email protected]
vmsRole               Operator
locale                en-US
given_name            Raz
family_name           Van
zoneinfo              America/Los_Angeles
email_verified        True

Using sequence number of claim to create user names in XProtect

When a user is created in the XProtect VMS, the search priority for the user name is controlled by the sequence
number of the claims in the table below. The first available claim name will be used in the XProtect VMS:


Claim name                                            Sequence number   Description
UserNameClaimType                                     1                 Configured mapping with one claim to define the user name. The claim is defined in the Claim to use to create user name field on the External IDP tab under Tools > Options.
preferred_username                                    2                 Claim that can come from the external IDP. A standard claim that is normally used for this in Oidc (OpenID Connect).
name                                                  3
given_name family_name                                4                 Given name and family name in a combination such as Bob Johnson.
email                                                 5
First available claim + # (first available number)    6                 For example, Bob#1

Defining specific claims to create user names in XProtect

The XProtect administrators can define a specific claim from the external IDP that should be used to create a
user name in the XProtect VMS. When an administrator defines a claim to use for the creation of the user name
in the XProtect VMS, the claim name must be written exactly as the claim name coming from the external IDP.

• The claim to use for the user name can be defined in the Claim to use to create user name field on the
External IDP tab under Tools > Options.
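
The selection order in the sequence-number table, together with the exact-name requirement for the configured claim, modelled as an added example (not Milestone code). It assumes that a candidate is skipped when its claim is absent or its value is already taken in the VMS, that names are compared as exact strings, and that the # fallback is built on the first present candidate; the function names and sample claims are constructed for illustration.

```python
"""Model of the documented user-name selection order for external IDP users.

Illustration only: the skip-if-taken behaviour, exact string comparison and the
base used for the '#' fallback are assumptions, not confirmed product behaviour.
"""
from typing import List, Mapping, Optional, Set, Tuple

# Constructed sample claims (not taken from a real identity provider).
SAMPLE_CLAIMS = {
    "preferred_username": "bjohnson",
    "name": "Bob Johnson",
    "given_name": "Bob",
    "family_name": "Johnson",
    "email": "bob.johnson@example.test",
    "vmsRole": "Operator",
}


def candidate_names(claims: Mapping[str, str],
                    configured_claim: Optional[str] = None) -> List[Tuple[str, str]]:
    """Return (source, value) pairs in sequence order 1-5, skipping absent claims."""
    candidates: List[Tuple[str, str]] = []

    def add(source: str, value: Optional[str]) -> None:
        if value and value.strip():
            candidates.append((source, value.strip()))

    # Sequence 1: the administrator-configured claim. The lookup is an exact,
    # case-sensitive match, mirroring "written exactly as the claim name".
    if configured_claim:
        add("UserNameClaimType", claims.get(configured_claim))
    # Sequence 2 and 3.
    add("preferred_username", claims.get("preferred_username"))
    add("name", claims.get("name"))
    # Sequence 4: only when both parts are present (assumption).
    given, family = claims.get("given_name"), claims.get("family_name")
    if given and family:
        add("given_name family_name", f"{given.strip()} {family.strip()}")
    # Sequence 5.
    add("email", claims.get("email"))
    return candidates


def pick_user_name(claims: Mapping[str, str],
                   existing_names: Set[str],
                   configured_claim: Optional[str] = None) -> Tuple[str, str]:
    """Pick a user name that is unique among existing_names.

    Returns (source, user_name) so an administrator can see which claim was used.
    """
    candidates = candidate_names(claims, configured_claim)
    if not candidates:
        raise ValueError("token carries no claim usable as a user name")

    # Sequence 1-5: first candidate whose value is not already in use.
    for source, value in candidates:
        if value not in existing_names:
            return source, value

    # Sequence 6: first present candidate + '#' + first available number.
    source, base = candidates[0]
    number = 1
    while f"{base}#{number}" in existing_names:
        number += 1
    return f"{source} + #", f"{base}#{number}"


if __name__ == "__main__":
    print(pick_user_name(SAMPLE_CLAIMS, set()))
    # A configured claim name with the wrong case does not match the token.
    print(pick_user_name(SAMPLE_CLAIMS, set(), configured_claim="Email"))
    print(pick_user_name(SAMPLE_CLAIMS, {"bjohnson"}))
```

Returning the source alongside the name makes it visible when a configured claim did not match the token and a lower-priority claim was used instead.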

Deleting external IDP users

Users created in XProtect by an external IDP login are deleted the same way as a basic user and the user can
be deleted at any time after the user is created.

If a user is deleted in XProtect and the user logs in again from the external IDP, a new user will be created in
XProtect. However, the data associated with the user in XProtect such as private views and roles are lost and
this information has to be created again for the user in XProtect.

If an external IDP is deleted in the Management Client, any users connected to the VMS via the external IDP
are also deleted.


Security

Roles and permissions of a role (explained)

Roles determine which devices users can access. Roles also determine permissions and handle security within
the video management system. First, you add roles, then you add users and groups and finally a Smart Client
and a Management Client profile as well as other default profiles that belong to each role. Roles you can create
in the system have their own view groups in XProtect Smart Client in which their views are created and stored.

For a role to have access to the Management Server, the Connect security permission must be
enabled for it. The permission is located in Role Settings > Management Server > Overall
Security tab (roles) on page 495.

You add users and groups to the Administrators role just as with any other role. See Assign/remove users and
groups to/from roles on page 273.

In addition to the Administrators role, you can add as many roles as required to suit your needs. You may, for
example, have different roles for users of XProtect Smart Client depending on which cameras you want them
to access or similar restrictions. To set up roles in your system, expand Security > Roles.

Permissions of a role

Available functionality depends on the system you are using. See the complete feature list, which is available
on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

When you create a role in your system, you can give the role a number of permissions to the system
components or features that the relevant role can access and use. You may, for example, want to create roles
that only have permissions to functionality in XProtect Smart Client or other Milestone viewing clients, with the
permissions to view only certain cameras. If you create such roles, these roles should not have permissions to
access and use the Management Client, but only have access to some or all functionality found in XProtect
Smart Client or other clients. To address this, you may want to set up a role that has some or most typical
administrator permissions, for example, the permissions to add and remove cameras, servers and similar
functionality.

You can create roles that have some or most permissions of a system administrator. This may, for example, be
relevant if your organization wants to separate between people who can administrate a subset of the system
and people who can administrate the entire system. The feature allows you to provide differentiated
administrator permissions to access, edit or change a large variety of system functions, for example, the
permission to edit the settings for servers or cameras in your system. You specify these permissions on the
Overall Security tab (see Overall Security tab (roles) on page 495). As a minimum, to enable the
differentiated system administrator to launch the Management Client, you must grant read permissions on
the management server for the role.


For a role to have access to the Management Server, the Connect security permission must be
enabled for it. The permission is located in Role Settings > Management Server > Overall
Security tab (roles) on page 495.

You can also reflect the same limitations in the user interface of the Management Client for each role by
associating the role with a Management Client profile that has removed the corresponding system
functions from the user interface. See Management Client profiles (explained) on page 69 for information.

To give a role such differentiated administrator permissions, the person with the default full administrator role
must set up the role under Security > Roles > Info tab > Add new. When you set up the new role, you can then
associate the role with your own profiles, much like when you set up any other role in the system, or use
the system's default profiles. For more information, see Add and manage a role on page 271.

Once you have specified what profiles you want to associate the role with, go to the Overall Security tab to
specify the permissions of the role.

The permissions you can set for a role differ between products. You can only
give all available permissions to a role in XProtect Corporate.

Privacy masking (explained)

With privacy masking, you can define which areas of the video from a camera you want to cover with privacy
masks when shown in the clients. For example, if a surveillance camera covers a street, you can cover certain
areas of a building (could be windows and doors) with privacy masks, to protect the privacy of residents. In
some countries, this is a legal requirement.

You can specify privacy masks as either solid or blurred. The masks cover live, recorded, and exported
video.

Privacy masks are applied and locked to an area of the camera image, so the covered area does not follow the
pan-tilt-zoom movements, but constantly covers the same area of the camera image. On some PTZ cameras,
you can enable position-based privacy masking on the camera itself.

There are two types of privacy masks:

• Permanent privacy mask: Areas with this type of mask are always covered in the clients. Can be used
to cover areas of the video that never require surveillance, like public areas, or areas where
surveillance is not allowed. Motion detection is excluded from areas with permanent privacy masks

• Liftable privacy mask: Areas with this type of mask can be temporarily uncovered in XProtect Smart
Client by users with permission to lift privacy masks. If the logged in XProtect Smart Client user does
not have the permission to lift privacy masks, the system asks for an authorized user to approve of the
lift.
Privacy masks are lifted until timeout or until the user reapplies them. Be aware that privacy masks are lifted
on video from all cameras that the user has access to

If you upgrade from a 2017 R3 system or older with privacy masks applied, the masks
will be converted to liftable masks.

When a user exports or plays back recorded video from a client, the video includes the privacy masks
configured at the time of recording, even if you have changed or removed the privacy masks later. If privacy
protection is lifted when exporting, the exported video does not include the liftable privacy masks.

If you change privacy masking settings very often, for example once a week, your
system can potentially be overloaded.

Example of the Privacy masking tab with privacy masks configured:

And this is how they appear in the clients:


You can inform the client users about the settings of permanent and liftable privacy
masks.

Management Client profiles (explained)


Management Client profiles allow system administrators to modify the Management Client user interface for
other users. Associate Management Client profiles with roles to limit the user interface to represent the
functionality available for each administrator role.

Management Client profiles only handle the visual representation of system functionality, not the actual access
to it. The overall access to system functionality is granted via the role that individual users are associated with.
For information about how to manage overall access to system functionality for a role, see Manage the
visibility of functionality for a Management Client profile.

You can change settings for the visibility of all Management Client elements. By default, the Management
Client profile can see all functionality in the Management Client.

Smart Client profiles (explained)

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).


Smart Client profiles allow system administrators to control how XProtect Smart Client should look and
behave and what features and panes XProtect Smart Client users have access to. You can set up user
permissions for: panes and options, minimize/maximize options, inactivity time-control, remember password
or not, view shown after log in, layout of print reports, export path, and more.

To manage Smart Client profiles in the system, expand Client and select Smart Client Profiles.

You can also learn about the relationship between Smart Client profiles, roles and time profiles and how to use
these together (see Create and set up Smart Client profiles, roles and time profiles on page 249).

Evidence locks (explained)

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

As of XProtect VMS version 2020 R2, when you upgrade the management server from an
earlier version, it will not be possible to create or modify evidence locks on recording
servers that are version 2020 R1 or earlier, until these recording servers have been
upgraded.
This also means that if the hardware has been moved from one recording server (from
2020 R1 or earlier) to another recording server, and it still has recordings on it, then
evidence locks cannot be created or modified.

With the evidence lock functionality, client operators can protect video sequences, including audio and other
data, from deletion if required, for example, while an investigation or trial is ongoing. For more information,
see the user manual for XProtect Smart Client.

When protected, the data cannot be deleted, neither automatically by the system after the system's default
retention time or in other situations nor manually by the client users. The system or a user cannot delete the
data until a user with sufficient user permissions unlocks the evidence.

Flow diagram for Evidence Lock:


1. An XProtect Smart Client user creates an evidence lock. Information is sent to the Management Server.

2. Management Server stores information about the evidence lock in the SQL database.

3. Management Server informs Recording Server to store and protect the protected recordings in the
database.

When the operator creates an evidence lock, the protected data remains in the recording storage that it was
recorded to, and is moved to archiving disks together with non-protected data, but the protected data:

• Follows the retention time configured for the evidence lock. Potentially infinitely

• Keeps the original quality of the recordings, even if grooming has been configured for non-protected data

When an operator creates locks, the minimum size of a sequence is the period that the database divides
recorded files into; by default, this is one-hour sequences. You can change this, but it requires that you
customize the RecorderConfig.xml file on the recording server. If a small sequence spans two one-hour
periods, the system locks the recordings in both periods.

In the audit log in the Management Client, you can see when a user creates, edits, or deletes evidence locks.

When a disk runs out of disk space, it does not impact the protected data. Instead, the oldest non-protected
data will be deleted. If there are no more non-protected data to delete, the system stops recording. You can
create rules and alarms triggered by disk full events, so you are automatically notified.

Except for more data being stored for a longer period and potentially affecting disk storage, the evidence lock
feature as such does not influence system performance.

If you move hardware (see Move hardware on page 324) to another recording server:

• Recordings protected by evidence locks remain on the old recording server with the retention time that
was defined when the evidence lock was created

• The XProtect Smart Client user can still protect data with evidence locks on the recordings that were
made on a camera before it was moved to another recording server, even if you move the camera
multiple times and the recordings are stored on multiple recording servers

By default, all operators have the default evidence lock profile assigned to them, but no user access
permissions to the feature. To specify the evidence lock access permissions of a role, see Device tab (roles) for
role settings. To specify the evidence lock profile of a role, see Info tab (roles) for role settings.

In the Management Client, you can edit the properties of the default evidence lock profile and create
additional evidence lock profiles and assign these to the roles instead.

Rules and events

Rules (explained)

Rules specify actions to carry out under particular conditions. Example: When motion is detected (condition), a
camera should begin recording (action).

The following are examples of what you can do with rules:

• Start and stop recording

• Set non-default live frame rate

• Set non-default recording frame rate

• Start and stop PTZ patrolling

• Pause and resume PTZ patrolling

• Move PTZ cameras to specific positions

• Set output to activated/deactivated state

• Send notifications via e-mail

• Generate log entries

• Generate events

• Apply new device settings, for example a different resolution on a camera

• Make video appear in Matrix recipients

• Start and stop plug-ins

• Start and stop feeds from devices


Stopping a device means that video is no longer transferred from the device to the system, in which case you
cannot view live video nor record video. In contrast, a device on which you have stopped the feed can still
communicate with the recording server, and you can start the feed from the device automatically through a
rule, as opposed to when the device is manually disabled in the Management Client.

Some rule content may require that certain features are enabled for the relevant
devices. For example, a rule specifying that a camera should record does not work as
intended if recording is not enabled for the relevant camera. Before creating a rule,
Milestone recommends that you verify that the devices involved can perform as
intended.

Rule complexity

Your exact number of options depends on the type of rule you want to create, and on the number of devices
available on your system. Rules provide a high degree of flexibility: you can combine event and time
conditions, specify several actions in a single rule, and very often create rules covering several or all the
devices on your system.

You can make your rules as simple or complex as required. For example, you can create very simple
time-based rules:

Example                                     Explanation
Very Simple Time-Based Rule                 On Mondays between 08.30 and 11.30 (time condition), Camera 1 and Camera 2 should start recording (action) when the time period begins and stop recording (stop action) when the time period ends.
Very Simple Event-Based Rule                When motion is detected (event condition) on Camera 1, Camera 1 should start recording (action) immediately, then stop recording (stop action) after 10 seconds. Even if an event-based rule is activated by an event on one device, you can specify that actions should take place on one or more other devices.
Rule Involving Several Devices              When motion is detected (event condition) on Camera 1, Camera 2 should start recording (action) immediately, and the siren connected to Output 3 should sound (action) immediately. Then, after 60 seconds, Camera 2 should stop recording (stop action), and the siren connected to Output 3 should stop sounding (stop action).
Rule Combining Time, Events, and Devices    When motion is detected (event condition) on Camera 1, and the day of the week is Saturday or Sunday (time condition), Camera 1 and Camera 2 should start recording (action) immediately, and a notification should be sent to the security manager (action). Then, 5 seconds after motion is no longer detected on Camera 1 or Camera 2, the 2 cameras should stop recording (stop action).

Depending on your organization's needs, it is often a good idea to create many simple rules rather than a few
complex rules. Even if it means you have more rules in your system, it provides an easy way to maintain an
overview of what your rules do. Keeping your rules simple also means that you have much more flexibility
when it comes to deactivating/activating individual rule elements. With simple rules, you can
deactivate/activate entire rules when required.

Rules and events (explained)


Rules are a central element in your system. Rules determine highly important settings, such as when cameras
should record, when PTZ cameras should patrol, when notifications should be sent, etc.

Example - a rule specifying that a particular camera should begin recording when it detects motion:

Events are central elements when using the Manage Rule wizard. In the wizard, events are primarily used for
triggering actions. For example, you can create a rule which specifies that in the event of detected motion, the
surveillance system should take the action of starting recording of video from a particular camera.

The following types of conditions can trigger rules:

Name                      Description
Events                    When events occur on the surveillance system, for example when motion is detected or the system receives input from external sensors.
Time interval             When you enter specific periods of time, for example: Thursday 16th August 2007 from 07.00 to 07.59, or every Saturday and Sunday
Failover time interval    Periods of time where failover is active or inactive.
Recurring time            When you set an action to be executed on a detailed, recurring schedule. For example:
                          • Every week on Tuesday every 1 hour(s) between 15:00 and 15:30
                          • On day 15 every 3 month(s) at 11:45
                          • Every day every 1 hour(s) between 15:00 and 19:00
                          The time is based on the local time settings of the server on which Management Client is installed.

You can work with the following under Rules and Events:

• Rules: Rules are a central element in the system. The behavior of your surveillance system is to a very
large extent determined by rules. When creating a rule, you can work with all types of events

• Time profiles: Time profiles are periods of time defined in the Management Client. You use them when
you create rules in the Management Client, for example to create a rule which specifies that a certain
action should take place within a certain time profile

• Notification profiles: You can use notification profiles to set up ready-made email notifications, which
can automatically be triggered by a rule, for example when a particular event occurs

• User-defined events: User-defined events are custom-made events that make it possible for users to
manually trigger events in the system or react to inputs from the system

• Analytics events: Analytics events are data received from external third-party video content analysis
(VCA) providers. You can use analytics events as basis for alarms

• Generic events: Generic events allow you to trigger actions in the XProtect event server by sending
simple strings via the IP network to your system


Time profiles (explained)

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

Time profiles are periods of time defined by the administrator. You can use time profiles when creating rules,
for example, a rule specifying that a certain action should take place within a certain time period.

Time profiles are also assigned to roles, along with Smart Client profiles. By default, all roles are assigned the
default time profile Always. This means that members of roles with this default time profile attached have no
time-based limits to their user permissions in the system. You can also assign an alternative time profile to a
role.

Time profiles are highly flexible: you can base them on one or more single periods of time, on one or more
recurring periods of time, or a combination of single and recurring times. Many users may be familiar with the
concepts of single and recurring time periods from calendar applications, such as the one in Microsoft®
Outlook.

Time profiles always apply in local time. This means that if your system has recording servers placed in
different time zones, any actions, for example recording on cameras, associated with time profiles are carried
out in each recording server's local time. Example: If you have a time profile covering the period from 08.30 to
09.30, any associated actions on a recording server placed in New York are carried out when the local time is
08.30 to 09.30 in New York, while the same actions on a recording server placed in Los Angeles are carried out
some hours later, when the local time is 08.30 to 09.30 in Los Angeles.

You create and manage time profiles by expanding Rules and Events > Time Profiles. A Time Profiles list
opens. Example only:

For an alternative to time profiles, see Day length time profiles (explained).

Day length time profiles (explained)


When you place cameras outside, you must often lower the camera resolution, enable black/white or change
other settings when it gets dark or when it gets light. The further north or south from the equator the cameras
are placed, the more the sunrise and sunset time varies during the year. This makes it impossible to use
normal fixed time profiles to adjust camera settings according to light conditions.

In such situations, you can create day length time profiles instead to define the sunrise and sunset in a
specified geographical area. Via geographic coordinates, the system calculates the sunrise and sunset time,
even incorporating daylight saving time on a daily basis. As a result, the time profile automatically follows the
yearly changes in sunrise/sunset in the selected area, ensuring that the profile is active only when needed. All
times and dates are based on the management server's time and date settings. You can also set a positive or
negative offset (in minutes) for the start (sunrise) and end time (sunset). The offset for the start and the end
time can be identical or different.

You can use day length profiles both when you create rules and roles.

Notification profiles (explained)


Notification profiles allow you to set up ready-made email notifications. Notifications can automatically be
triggered by a rule, for example when a particular event occurs.

When you create the notification profile, you specify the message text and decide if you want to include still
images and AVI video clips in the email notifications.

You may need to disable any email scanners that could prevent the application from
sending email notifications.

Requirements for creating notification profiles

Before you can create notification profiles, you must specify mail server settings for email notifications.

You can secure the communication to the mail server, if you install the necessary security certificates on the
mail server.

If you want the email notifications to be able to include AVI movie clips, you must first specify the compression
settings:

1. Go to Tools > Options. This opens the Options window.

2. Configure the mail server on the Mail Server tab (Mail Server tab (options) on page 370) and the
compression settings on the AVI Generation tab (AVI Generation tab (options) on page 371).

User-defined events (explained)


If the event you require is not on the Events Overview list, you can create your own user-defined events. Use
such user-defined events to integrate other systems with your surveillance system.

With user-defined events, you can use data received from a third-party access control system as events in the
system. The events can later trigger actions. This way, you can, for example, begin recording video from
relevant cameras when somebody enters a building.

You can also use user-defined events for manually triggering events while viewing live video in XProtect Smart
Client or automatically if you use them in rules. For example, when user-defined event 37 occurs, PTZ camera
224 should stop patrolling and go to preset position 18.


Through roles, you define which of your users are able to trigger the user-defined events. You can use user-
defined events in two ways and at the same time if required:

| Events | Description |
|---|---|
| For providing the ability to manually trigger events in XProtect Smart Client | In this case, user-defined events make it possible for end users to manually trigger events while viewing live video in XProtect Smart Client. When a user-defined event occurs because a user of XProtect Smart Client triggers it manually, a rule can trigger that one or more actions should take place on the system. |
| For providing the ability to trigger events through API | In this case, you can trigger user-defined events outside the surveillance system. Using user-defined events this way requires that a separate API (Application Program Interface. A set of building blocks for creating or customizing software applications) is used when triggering the user-defined event. Authentication through Active Directory is required for using user-defined events this way. This ensures that even if the user-defined events can be triggered from outside the surveillance system, only authorized users are to do it. Also, user-defined events can via API be associated with meta-data, defining certain devices or device groups. This is highly usable when using user-defined events to trigger rules: you avoid having a rule for each device, basically doing the same thing. Example: A company uses access control, having 35 entrances, each with an access control device. When an access control device is activated, a user-defined event is triggered in the system. This user-defined event is used in a rule to start recording on a camera associated with the activated access control device. It is defined in the meta-data which camera is associated with what rule. This way the company does not need to have 35 user-defined events and 35 rules triggered by the user-defined events. A single user-defined event and a single rule are enough. When you use user-defined events this way, you may not always want them to be available for manual triggering in XProtect Smart Client. You can use roles to define which user-defined events should be visible in XProtect Smart Client. |

Analytics events (explained)


Analytics events are typically data received from an external third-party video content analysis (VCA) provider.

Using analytics events as the basis for alarms is basically a three-step process:

- Part one, enabling the analytics events feature and setting up its security. Use a list of allowed
  addresses to control who can send event data to the system and which port the server listens on

- Part two, creating the analytics event, possibly with a description of the event, and testing it

- Part three, using the analytics event as the source of an alarm definition

You set up analytics events on the Rules and Events list in the Site Navigation pane.

To use VCA-based events, a third-party VCA tool is required for supplying data to the system. Which VCA tool to
use is entirely up to you, as long as the data supplied by the tool adheres to the format. This format is
explained in the MIP SDK Documentation on analytics events.

Contact your system provider for more details. Third-party VCA tools are developed by independent partners
delivering solutions based on a Milestone open platform. These solutions can impact performance on the
system.

Generic events (explained)


Generic events allow you to trigger actions in the XProtect event server by sending simple strings via the IP
network to your system.

You can use any hard- or software, which can send strings via TCP or UDP, to trigger generic events. Your
system can analyze received TCP or UDP data packages, and automatically trigger generic events when specific
criteria are met. This way, you may integrate your system with external sources, for example access control
systems and alarm systems. The aim is to allow as many external sources as possible to interact with the
system.

With the concept of data sources, you avoid having to adapt third-party tools to meet the standards of your
system. With data sources, you can communicate with a particular piece of hard- or software on a specific IP
port and fine-tune how bytes arriving on that port are interpreted. Each generic event type pairs up with a data
source and makes up a language used for communication with a specific piece of hard- or software.

Working with data sources requires general knowledge of IP networking and specific knowledge of the
individual hard- or software you want to interface from. There are many parameters you can use and no ready-
made solution on how to do this. Basically, your system provides the tools, but not the solution. Unlike user-
defined events, generic events have no authentication. This makes them easier to trigger but, to avoid
jeopardizing security, only events from local host are accepted. You can allow other client IP addresses from
the Generic Events tab of the Options menu.

Alarms

Alarms (explained)

This feature only works if you have XProtect Event Server installed.

This article describes how to set up alarms to appear in the system, triggered by events.


Based on functionality handled in the event server, the alarms feature provides central overview, control and
scalability of alarms in any number of installations (including any other XProtect systems) throughout your
organization. You can configure it to generate alarms based on either:

- Internal system related events

  For example, motion, server responding/not responding, archiving problems, lack of disk space and
  more.

- External integrated events

  This group consists of several types of external events:

  - Analytics events

    Typically data received from an external third-party video content analysis (VCA) provider.

  - MIP plug-in events

    Through the MIP SDK a third-party vendor can develop custom plug-ins (for example, integration
    to external access control systems or similar) to your system.

Legend:

1. Surveillance system

2. Management Client

3. XProtect Smart Client

4. Alarm configuration

5. Alarm data flow


You handle and delegate alarms in the alarm list in XProtect Smart Client. You can also integrate alarms with
the XProtect Smart Client's smart map and map functionality.

Alarm configuration

Alarm configuration includes:

- Dynamic role-based setup of alarm handling

- Central technical overview of all components: servers, cameras, and external units

- Setup of central logging of all incoming alarms and system information

- Handling of plug-ins, allowing customized integration of other systems, for example external access
  control or VCA-based systems

In general, alarms are controlled by the visibility of the object causing the alarm. This means that four possible
aspects can play a role with regard to alarms and who can control/manage them and to what degree:

| Name | Description |
|---|---|
| Source/device visibility | If the device causing the alarm is not set to be visible to the user's role, the user cannot see the alarm in the alarm list in XProtect Smart Client. |
| The right to trigger user-defined events | This permission determines if the user's role can trigger selected user-defined events in XProtect Smart Client. |
| External plug-ins | If any external plug-ins are set up in your system, these might control users' permissions to handle alarms. |
| General role rights | Determine whether the user is allowed to only view or also to manage alarms. What a user of Alarms can do with alarms depends on the user's role and on settings configured for that particular role. |

On the Alarms and Events tab in Options, you can specify settings for alarms, events and logs.

Smart map

Smart map (explained)


In XProtect® Smart Client, the smart map feature lets you view and access devices at multiple locations around
the world in a geographically correct way. Unlike maps, where you had a different map for each location, smart
map gives you the big picture in a single view.


The following configuration of the smart map feature is done in Management Client:

- Configure the geographic backgrounds that you can choose for your smart map. This includes
  integrating your smart map with one of the following services:

  - Bing Maps

  - Google Maps

  - Milestone Map Service

  - OpenStreetMap

- Enable Bing Maps or Google Maps in XProtect Management Client or in XProtect Smart Client

- Enable editing of smart maps, including devices, in XProtect Smart Client

- Position your devices geographically in XProtect Management Client

- Set up your smart map with Milestone Federated Architecture

Smart map integration with Google Maps (explained)


To embed Google Maps into your smart map, you need a Maps Static API key from Google. To get the API key,
first you must create a Google Cloud billing account. You are billed in accordance with the volume of map
loads per month.

Once you have the API key, you must enter it in XProtect Management Client. See also Enable Bing Maps or
Google Maps in Management Client on page 306.

For more information, see:

- Google Maps Platform - get started: https://cloud.google.com/maps-platform/

- Guide to Google Maps Platform billing: https://developers.google.com/maps/billing/gmp-billing

- Developer guide for Maps Static API: https://developers.google.com/maps/documentation/maps-static/dev-guide

Add digital signature to Maps Static API key

If you expect the XProtect Smart Client operators to make more than 25,000 maps requests per day, you need
a digital signature for your Maps Static API key. The digital signature allows the Google servers to verify that
any site generating requests using your API key is authorized to do so. However, regardless of the usage
requirements, Google recommends using a digital signature as an additional security layer. To get the digital
signature, you must retrieve a URL signing secret. For more information, see
https://developers.google.com/maps/documentation/maps-static/get-api-key#dig-sig-manual.


Smart map integration with Bing Maps (explained)


To embed Bing Maps into your smart map, you need a Basic Key or an Enterprise Key. The difference is that
basic keys are free, but allow a limited number of transactions before the transactions become billable or
access to the map service is denied. The enterprise key is not free, but allows an unrestricted number of
transactions.

For more information about Bing Maps, see https://www.microsoft.com/en-us/maps/licensing/.

Once you have the API key, you must enter it in XProtect Management Client. See Enable Bing Maps or Google
Maps in Management Client on page 306.

Cached smart map files (explained)

If you are using Google Maps as your geographic background, files are not cached.

The files that you use for your geographic background are retrieved from a tile server. The time that the files
are stored in the cache folder depends on the value selected in the Removed cached smart map files list in
the Settings dialog in XProtect Smart Client. The files are stored either:

- Indefinitely (Never)

- For 30 days if the file is not used (When not used for 30 days)

- When the operator exits XProtect Smart Client (On exit)

When you change the tile server address, a new cache folder is automatically created. The previous map files
are retained in the associated cache folder on your local computer.

Architecture

A distributed system setup

Example of a distributed system setup. The number of cameras, recording servers, and connected clients, can
be as high as you require.

All computers in a distributed setup must either be on a domain or in a workgroup.


Legend:

1. Management Client(s)

2. Event server

3. Microsoft cluster

4. Management server

5. Failover management server

6. Server with SQL Server

7. Failover recording server

8. Recording server(s)

9. XProtect Smart Client(s)

10. IP video cameras

11. Video encoder

12. Analog cameras

13. PTZ IP camera

14. Camera network

15. Server network

Milestone Interconnect (explained)

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

Milestone Interconnect™ allows you to integrate a number of smaller, physically fragmented, and remote
XProtect installations with one XProtect Corporate central site. You can install these smaller sites, called
remote sites, on mobile units, for example, boats, busses or trains. This means that such sites do not need to
be permanently connected to a network.

The following illustration shows how you could set up Milestone Interconnect on your system:


1. Milestone Interconnect central XProtect Corporate site

2. Milestone Interconnect drivers (handles the connection between the central sites' recording servers and
the remote site, must be selected in the list of drivers when adding remote systems via the Add
Hardware wizard)

3. Milestone Interconnect connection

4. Milestone Interconnect remote site (the complete remote site with system installation, users, cameras
and so on)

5. Milestone Interconnect remote system (the actual technical installation at the remote site)

You add remote sites to your central site with the Add Hardware wizard from the central site (see Add a
remote site to your central Milestone Interconnect site on page 299).

Each remote site runs independently and can perform any normal surveillance tasks. Depending on the
network connections and appropriate user permissions (see Assign user permissions on page 299), Milestone
Interconnect offers you direct live viewing of remote site cameras and play back of remote site recordings on
the central site.

The central site can only see and access devices that the specified user account (when adding the remote site)
has access to. This allows local system administrators to control which devices should be made available to the
central site and its users.


On the central site, you can view the system's own status for the interconnected cameras, but not directly the
state of the remote site. Instead, to monitor the remote site, you can use the remote site events to trigger
alarms or other notifications on the central site (see Configure your central site to respond to events from
remote sites on page 301).

It also offers you the possibility to transfer remote site recordings to the central site based on either events,
rules/schedules, or manual requests by XProtect Smart Client users.

Only XProtect Corporate systems can work as central sites. All other products can act as remote sites including
XProtect Corporate. It differs from setup to setup which versions, how many cameras, and how devices and
events originating from the remote site are handled - if at all - by the central site. For further details on how
specific XProtect products interact in a Milestone Interconnect setup, go to the Milestone Interconnect website
(https://www.milestonesys.com/solutions/hardware-and-add-ons/milestone-addons/interconnect/).

Selecting Milestone Interconnect or Milestone Federated Architecture (explained)

In a physically distributed system where users on the central site need to access the video on the remote site,
you can choose between Milestone Interconnect™ or Milestone Federated Architecture™.

Milestone recommends Milestone Federated Architecture when:

- The network connection between the central and federated sites is stable

- The network uses the same domain

- There are fewer larger sites

- The bandwidth is sufficient for the required use

Milestone recommends Milestone Interconnect when:

- The network connection between the central and remote sites is unstable

- You or your organization want to use another XProtect product on the remote sites

- The network uses different domains or workgroups

- There are many smaller sites

Milestone Interconnect and licensing

To run Milestone Interconnect, you need Milestone Interconnect camera licenses on your central site to view
video from hardware devices on remote sites. The number of required Milestone Interconnect camera licenses
depends on the number of hardware devices on the remote sites that you want to receive data from. Only
XProtect Corporate can act as a central site.

The status of your Milestone Interconnect camera licenses is listed on the License Information page of the
central site.

Milestone Interconnect setups (explained)

There are three ways to run Milestone Interconnect. How to run your setup depends on your network
connection, how to play back recordings, and whether you retrieve remote recordings and to what degree.


In the following, the three most likely setups are described:

Direct playback from remote sites (good network connections)

The most straightforward setup. The central site is continuously online with its remote sites and the central site
users play back remote recordings directly from the remote sites. This requires use of the Play back
recordings from remote system option (see Enable playback directly from remote site camera on page 300).

Rule- or XProtect Smart Client-based retrieval of selected remote recording sequences from remote
sites (periodically limited network connections)

Used when selected recording sequences (originating from remote sites) should be stored centrally to ensure
independence from remote sites. Independence is crucial in case of network failure or network restrictions.
You configure remote recordings retrieval settings on the Remote Retrieval tab (see Remote Retrieval tab on
page 412).

Remote recordings retrieval can be started from the XProtect Smart Client when needed or a rule can be set
up. In some scenarios, remote sites are online and in others, offline most of the time. This is often industry
specific. For some industries it is common for the central site to be permanently online with its remote sites
(for example a retail HQ (central site) and a number of shops (remote sites)). For other industries, like
transportation, the remote sites are mobile (for example, busses, trains, ships, and so on) and can only
establish network connection randomly. Should the network connection fail during a commenced remote
recording retrieval, the job continues at next given opportunity.

If the system detects an automatic retrieval, or request for retrieval from the XProtect Smart Client, outside the
time interval that you specified on the Remote Retrieval tab, it is accepted, but not started until the selected
time interval is reached. New remote recording retrieval jobs will queue and start when the allowed time
interval is reached. You can view pending remote recording retrieval jobs from System Dashboard -> Current
Tasks.

After connection failure, missing remote recordings are by default retrieved from remote sites

Uses remote sites like a recording server uses the edge storage on a camera. Typically, remote sites are online
with their central site, feeding it a live stream that the central site records. Should the network fail for some
reason, the central site misses out on recording sequences. However, once the network is reestablished, the
central site automatically retrieves remote recordings covering the down-period. This requires use of the
Automatically retrieve remote recordings when connection is restored option (see Retrieve remote
recordings from remote site camera on page 300) on the Record tab for the camera.

You can mix any of the above solutions to fit your organization's special needs.

Configuring Milestone Federated Architecture

XProtect Expert can only be federated as child sites.


Milestone Federated Architecture links multiple individual standard systems into a federated site hierarchy of
parent/child sites. Client users with sufficient permissions have seamless access to video, audio and other
resources across individual sites. Administrators can centrally manage all sites from version 2018 R1 and
newer within the federated hierarchy, based on administrator permissions for the individual sites.

Basic users are not supported in Milestone Federated Architecture systems, so you must add users as Windows
users through the Active Directory service.

Milestone Federated Architecture is set up with one central site (top site) and an unrestricted number of
federated sites (see Set up your system to run federated sites on page 293). When you are logged into a site,
you can access information about all of its child sites and the child sites' child sites. The link between two sites
is established, when you request the link from the parent site (see Add site to hierarchy on page 295). A child
site can only be linked to one parent site. If you are not the administrator of the child site when you add it to
the federated site hierarchy, the request must be accepted by the child site administrator.

The components of a Milestone Federated Architecture setup:


1. Server with SQL Server

2. Management server

3. Management Client

4. XProtect Smart Client

5. Cameras

6. Recording server

7. Failover recording server

8. to 12. Federated sites

Hierarchy synchronization

A parent site contains an updated list of all its currently attached child sites, child sites' child sites and so on.
The federated site hierarchy has a scheduled synchronization between sites, as well as a synchronization every
time a site is added or removed by the system administrator. When the system synchronizes the hierarchy, it
takes place level by level, each level forwarding and returning communication, until it reaches the server that
requests the information. The system sends less than 1MB each time. Depending on the number of levels,
changes to a hierarchy can take some time to become visible in the Management Client. You cannot schedule
your own synchronizations.

Data traffic

The system sends communication or configuration data when a user or administrator views live or recorded
video or configures a site. The amount of data depends on what and how much is being viewed or configured.

Milestone Federated Architecture with other products and system requirements


- Opening the Management Client in a Milestone Federated Architecture is supported for three major
  releases, including the current one being released. In a Milestone Federated Architecture setup beyond
  that scope, you need a separate Management Client that matches the server version.

- If the central site uses XProtect Smart Wall, you can also use the XProtect Smart Wall features in the
  federated site hierarchy.

  See also the manual for XProtect Smart Wall.

- If the central site uses XProtect Access and an XProtect Smart Client user logs into a site in a federated site
  hierarchy, access request notifications from the federated sites also appear in XProtect Smart Client

- You can add XProtect Expert 2013 systems or newer to the federated site hierarchy as child sites, not as
  parent sites

- Milestone Federated Architecture does not require additional licenses

- For more information about use cases and benefits, see the white paper about Milestone Federated
  Architecture.

Establishing a federated site hierarchy

Before you start building up the hierarchy in the Management Client, Milestone recommends that you map
how you want your sites to link together.

You install and configure each site in a federated hierarchy as a normal standalone system with standard
system components, settings, rules, schedules, administrators, users, and user permissions. If you already
have the sites installed and configured and only need to combine them in a federated site hierarchy, your
systems are ready to be set up.

Once the individual sites are installed, you must set them up to run as federated sites (see Set up your system
to run federated sites on page 293).

To start the hierarchy, you can log into the site that you want to work as the central site and add (see Add site
to hierarchy on page 295) the first federated site. When the link is established, the two sites automatically
create a federated site hierarchy in the Federated Site Hierarchy pane in the Management Client to which you
can add more sites to grow the federated hierarchy.

When you have created a federated site hierarchy, users and administrators can log into a site to access that
site and any federated sites it may have. Access to federated sites depends on the user permissions.

There is no limit to the number of sites you can add to the federated hierarchy. Also, you can have a site on an
older product version linked to a newer version and vice versa. The version numbers appear automatically and
cannot be deleted. The site that you are logged into is always at the top of the Federated Site Hierarchy pane
and is called the home site.

Below is an example of federated sites in the Management Client. To the left, the user has logged into the top
site. To the right, the user has logged into one of the child sites, the Paris Server, which is then the home site.

Status icons in Milestone Federated Architecture

The icons represent the possible states of a site:


Description Icon

The top site in the entire hierarchy is operational.

The top site in the entire hierarchy is still operational, but one or more issues need attention.
Shown on top of the top site icon.

The site is operational.

The site is awaiting to be accepted in the hierarchy.

The site is attaching but is not yet operational.

Ports used by the system


All XProtect components and the ports needed by them are listed below. To ensure, for example, that the
firewall blocks only unwanted traffic, you need to specify the ports that the system uses. You should only
enable these ports. The lists also include the ports used for local processes.

They are arranged in two groups:

- Server components (services) offer their service on particular ports which is why they need to listen for
  client requests on these ports. Therefore, these ports need to be opened in the Windows Firewall for
  inbound and outbound connections

- Client components (clients) initiate connections to particular ports on server components. Therefore,
  these ports need to be opened for outbound connections. Outbound connections are typically open by
  default in the Windows Firewall

If nothing else is mentioned, ports for server components must be opened for inbound connections, and ports
for client components must be opened for outbound connections.

Do keep in mind that server components can act as clients to other server components. These are not explicitly
listed in this doc.

The port numbers are the default numbers, but these can be changed. Contact Milestone support if you need to
change ports that are not configurable through the Management Client.

Server components (inbound connections)

Each of the following sections lists the ports that need to be opened for a particular service. To figure out which
ports need to be opened on a particular computer, you need to consider all services running on the computer.

Management Server service and related processes

| Port number | Protocol | Process | Connections from... | Purpose |
|---|---|---|---|---|
| 80 | HTTP | IIS | All servers and the XProtect Smart Client and the Management Client | The purpose of port 80 and port 443 is the same. However, which port the VMS uses depends on whether you have used certificates to secure the communication. When you have not secured the communication with certificates, the VMS uses port 80. When you have secured the communication with certificates, the VMS uses port 443 except for communication from the event server to the management server. The communication from the event server to the management server uses Windows Secured Framework (WCF) and Windows authentication on port 80. |
| 443 | HTTPS | IIS | Same as for port 80 | Same as for port 80 |
| 6473 | TCP | Management Server service | Management Server Manager tray icon, local connection only. | Showing status and managing the service. |
| 8080 | TCP | Management server | Local connection only. | Communication between internal processes on the server. |
| 9000 | HTTP | Management server | Recording Server services | Web service for internal communication between servers. |
| 12345 | TCP | Management Server service | XProtect Smart Client | Communication between the system and Matrix recipients. You can change the port number in the Management Client. |
| 12974 | TCP | Management Server service | Windows SNMP Service | Communication with the SNMP extension agent. Do not use the port for other purposes even if your system does not apply SNMP. In XProtect 2014 systems or older, the port number was 6475. In XProtect 2019 R2 systems and older, the port number was 7475. |

SQL Server service

| Port number | Protocol | Process | Connections from... | Purpose |
|---|---|---|---|---|
| 1433 | TCP | SQL Server | Management Server service | Storing and retrieving configurations via the Identity Provider. |
| 1433 | TCP | SQL Server | Event Server service | Storing and retrieving events via the Identity Provider. |
| 1433 | TCP | SQL Server | Log Server service | Storing and retrieving log entries via the Identity Provider. |

Data Collector service

| Port number | Protocol | Process | Connections from... | Purpose |
|---|---|---|---|---|
| 7609 | HTTP | IIS | On the management server computer: Data Collector services on all other servers. On other computers: Data Collector service on the Management Server. | System Monitor. |

Event Server service

| Port number | Protocol | Process | Connections from... | Purpose |
|---|---|---|---|---|
| 1234 | TCP/UDP | Event Server Service | Any server sending generic events to your XProtect system. | Listening for generic events from external systems or devices. Only if the relevant data source is enabled. |
| 1235 | TCP | Event Server service | Any server sending generic events to your XProtect system. | Listening for generic events from external systems or devices. Only if the relevant data source is enabled. |
| 9090 | TCP | Event Server service | Any system or device that sends analytics events to your XProtect system. | Listening for analytics events from external systems or devices. Only relevant if the Analytics Events feature is enabled. |
| 22331 | TCP | Event Server service | XProtect Smart Client and the Management Client | Configuration, events, alarms, and map data. |
| 22332 | WS/WSS | Event Server service | API Gateway | Reserved for future use. |
| 22333 | TCP | Event Server service | MIP Plug-ins and applications. | MIP messaging. |

Recording Server service

| Port number | Protocol | Process | Connections from... | Purpose |
|---|---|---|---|---|
| 25 | SMTP | Recording Server Service | Cameras, encoders, and I/O devices. | Listening for event messages from devices. The port is disabled by default. (Deprecated) Enabling this will open a port for non-encrypted connections and is not recommended. |
| 5210 | TCP | Recording Server Service | Failover recording servers. | Merging of databases after a failover recording server had been running. |
| 5432 | TCP | Recording Server Service | Cameras, encoders, and I/O devices. | Listening for event messages from devices. The port is disabled by default. |
| 7563 | TCP | Recording Server Service | XProtect Smart Client, Management Client | Retrieving video and audio streams, PTZ commands. |
| 8966 | TCP | Recording Server Service | Recording Server Manager tray icon, local connection only. | Showing status and managing the service. |
| 9001 | HTTP | Recording Server Service | Management server | Web service for internal communication between servers. If multiple Recording Server instances are in use, every instance needs its own port. Additional ports will be 9002, 9003, etc. |
| 11000 | TCP | Recording Server Service | Failover recording servers | Polling the state of recording servers. |
| 12975 | TCP | Recording Server Service | Windows SNMP service | Communication with the SNMP extension agent. Do not use the port for other purposes even if your system does not apply SNMP. In XProtect 2014 systems or older, the port number was 6474. In XProtect 2019 R2 systems and older, the port number was 7474. |
| 65101 | UDP | Recording Server service | Local connection only | Listening for event notifications from the drivers. |


In addition to the inbound connections to the Recording Server service listed above, the
Recording Server service establishes outbound connections to:

- Cameras
- NVRs
- Remote interconnected sites (Milestone Interconnect ICP)
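
The inbound port table for the Recording Server service can be used as an allow-list when reviewing what the service actually listens on. The following is an added example, not Milestone code: it checks `netstat -ano` output against that table, and the sample output, the process ID 4321, the finding labels and all function names are assumptions made for the illustration.

```python
from typing import NamedTuple


class Rule(NamedTuple):
    local_only: bool = False   # table says "local connection only"
    default_off: bool = False  # table says "The port is disabled by default"


# Inbound ports of the Recording Server service, taken from the table above.
# The SMTP and HTTP rows are TCP listeners.
RECORDING_SERVER_PORTS = {
    ("TCP", 25): Rule(default_off=True),    # device events, deprecated, non-encrypted
    ("TCP", 5210): Rule(),                  # database merge after failover
    ("TCP", 5432): Rule(default_off=True),  # device event messages
    ("TCP", 7563): Rule(),                  # video and audio streams, PTZ commands
    ("TCP", 8966): Rule(local_only=True),   # Recording Server Manager tray icon
    ("TCP", 9001): Rule(),                  # web service of the first instance
    ("TCP", 11000): Rule(),                 # failover polling
    ("TCP", 12975): Rule(),                 # SNMP extension agent
    ("UDP", 65101): Rule(local_only=True),  # event notifications from drivers
}


class Listener(NamedTuple):
    proto: str
    host: str
    port: int
    pid: int


def parse_netstat(text):
    """Return listening TCP sockets and bound UDP sockets from `netstat -ano` text."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] == "TCP" and fields[3] == "LISTENING":
            local, pid = fields[1], fields[4]
        elif len(fields) == 4 and fields[0] == "UDP":
            local, pid = fields[1], fields[3]  # UDP rows have no State column
        else:
            continue  # headers, established connections, blank lines
        host, _, port = local.rpartition(":")
        if port.isdigit() and pid.isdigit():
            listeners.append(Listener(fields[0], host, int(port), int(pid)))
    return listeners


def is_loopback(host):
    return host.startswith("127.") or host == "[::1]"


def audit(text, pid, instances=1):
    """Compare the sockets owned by `pid` with the documented inbound ports.

    `instances` is the number of Recording Server instances on the host; the
    manual says additional instances use ports 9002, 9003, and so on.
    """
    expected = dict(RECORDING_SERVER_PORTS)
    for extra in range(1, instances):
        expected[("TCP", 9001 + extra)] = Rule()
    findings = set()  # a set, because IPv4 and IPv6 listeners repeat the port
    for sock in parse_netstat(text):
        if sock.pid != pid:
            continue
        rule = expected.get((sock.proto, sock.port))
        if rule is None:
            findings.add((sock.proto, sock.port, "undocumented"))
        elif rule.default_off:
            findings.add((sock.proto, sock.port, "default-off-open"))
        elif rule.local_only and not is_loopback(sock.host):
            findings.add((sock.proto, sock.port, "local-only-exposed"))
    return sorted(findings)


# Constructed sample output; PID 4321 stands for the Recording Server process.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       4321
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       980
  TCP    0.0.0.0:7563           0.0.0.0:0              LISTENING       4321
  TCP    [::]:7563              [::]:0                 LISTENING       4321
  TCP    0.0.0.0:8966           0.0.0.0:0              LISTENING       4321
  TCP    0.0.0.0:9001           0.0.0.0:0              LISTENING       4321
  TCP    0.0.0.0:9002           0.0.0.0:0              LISTENING       4321
  TCP    192.0.2.10:7563        192.0.2.50:51544       ESTABLISHED     4321
  UDP    127.0.0.1:65101        *:*                                    4321
"""

if __name__ == "__main__":
    for proto, port, finding in audit(SAMPLE_NETSTAT, pid=4321):
        print(f"{proto}/{port}: {finding}")
```

A `local-only-exposed` finding means the socket is bound to a non-loopback address, so the host firewall is what has to keep remote peers away from that port; `default-off-open` on port 25 means the deprecated, non-encrypted listener has been enabled.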

Failover Server service and Failover Recording Server service

| Port number | Protocol | Process | Connections from... | Purpose |
|---|---|---|---|---|
| 25 | SMTP | Failover Recording Server Service | Cameras, encoders, and I/O devices. | Listening for event messages from devices. The port is disabled by default. (Deprecated) Enabling this will open a port for non-encrypted connections and is not recommended. |
| 5210 | TCP | Failover Recording Server Service | Failover recording servers | Merging of databases after a failover recording server had been running. |
| 5432 | TCP | Failover Recording Server Service | Cameras, encoders, and I/O devices. | Listening for event messages from devices. The port is disabled by default. |
| 7474 | TCP | Failover Recording Server Service | Windows SNMP service | Communication with the SNMP extension agent. Do not use the port for other purposes even if your system does not apply SNMP. |
| 7563 | TCP | Failover Recording Server Service | XProtect Smart Client | Retrieving video and audio streams, PTZ commands. |
| 8844 | UDP | Failover Recording Server Service | Communication between failover recording server services. | Communication between the servers. |
| 8966 | TCP | Failover Recording Server Service | Failover Recording Server Manager tray icon, local connection only. | Showing status and managing the service. |
| 8967 | TCP | Failover Server Service | Failover Server Manager tray icon, local connection only. | Showing status and managing the service. |
| 8990 | TCP | Failover Server Service | Management Server service | Monitoring the status of the Failover Server service. |
| 9001 | HTTP | Failover Server Service | Management server | Web service for internal communication between servers. |

In addition to the inbound connections to the Failover Server / Failover Recording Server
service listed above, the Failover Server / Failover Recording Server service establishes
outbound connections to the regular recorders, cameras, and for Video Push.

Log Server service

| Port number | Protocol | Process | Connections from... | Purpose |
|---|---|---|---|---|
| 22337 | HTTP | Log Server service | All XProtect components except for Management Client and the recording server. | Write to, read from, and configure the log server. |

Mobile Server service

| Port number | Protocol | Process | Connections from... | Purpose |
|---|---|---|---|---|
| 8000 | TCP | Mobile Server service | Mobile Server Manager tray icon, local connection only. | SysTray application. |
| 8081 | HTTP | Mobile Server service | Mobile clients, Web clients, and Management Client. | Sending data streams; video and audio. |
| 8082 | HTTPS | Mobile Server service | Mobile clients and Web clients. | Sending data streams; video and audio. |
| 40001 - 40099 | HTTP | Mobile Server service | Recording server service | Mobile Server Video Push. This port range is disabled by default. |

LPR Server service

| Port number | Protocol | Process | Connections from... | Purpose |
|---|---|---|---|---|
| 22334 | TCP | LPR Server Service | Event server | Retrieving recognized license plates and server status. In order to connect, the Event server must have the LPR plug-in installed. |
| 22334 | TCP | LPR Server Service | LPR Server Manager tray icon, local connection only. | SysTray application |

Milestone Open Network Bridge service

| Port number | Protocol | Process | Connections from... | Purpose |
|---|---|---|---|---|
| 580 | TCP | Milestone Open Network Bridge Service | ONVIF clients | Authentication and requests for video stream configuration. |
| 554 | RTSP | RTSP Service | ONVIF clients | Streaming of requested video to ONVIF clients. |

XProtect DLNA Server service

| Port number | Protocol | Process | Connections from... | Purpose |
|---|---|---|---|---|
| 9100 | HTTP | DLNA Server Service | DLNA device | Device discovery and providing DLNA channels configuration. Requests for video streams. |
| 9200 | HTTP | DLNA Server Service | DLNA device | Streaming of requested video to DLNA devices. |

XProtect Screen Recorder service

| Port number | Protocol | Process | Connections from... | Purpose |
|---|---|---|---|---|
| 52111 | TCP | XProtect Screen Recorder | Recording Server Service | Provides video from a monitor. It appears and acts in the same way as a camera on the recording server. You can change the port number in the Management Client. |

XProtect Incident Manager service

| Port number | Protocol | Process | Connections from... | Purpose |
|---|---|---|---|---|
| 80 | HTTP | IIS | XProtect Smart Client and the Management Client | The purpose of port 80 and port 443 is the same. However, which port the VMS uses depends on whether you have used certificates to secure the communication. When you have not secured the communication with certificates, the VMS uses port 80. When you have secured the communication with certificates, the VMS uses port 443. |
| 443 | HTTPS | IIS | XProtect Smart Client and the Management Client | Same as for port 80. |


Server components (outbound connections)

Management Server service

| Port number | Protocol | Connections to... | Purpose |
|---|---|---|---|
| 443 | HTTPS | The License server that hosts the License Management service. Communication is via https://www.milestonesys.com/OnlineActivation/LicenseManagementService.asmx | Activating licenses. |

Recording Server service

| Port number | Protocol | Connections to... | Purpose |
|---|---|---|---|
| 80 | HTTP | Cameras, NVRs, encoders | Authentication, configuration, data streams, video, and audio. |
| 80 | HTTP | Interconnected sites | Login |
| 443 | HTTPS | Cameras, NVRs, encoders | Authentication, configuration, data streams, video, and audio. |
| 554 | RTSP | Cameras, NVRs, encoders | Data streams, video, and audio. |
| 7563 | TCP | Interconnected sites | Data streams and events. |
| 11000 | TCP | Failover recording servers | Polling the state of recording servers. |
| 40001 – 40099 | HTTP | Mobile Server service | Mobile Server Video Push. This port range is disabled by default. |

Failover Server service and Failover Recording Server service

| Port number | Protocol | Connections to... | Purpose |
|---|---|---|---|
| 11000 | TCP | Failover recording servers | Polling the state of recording servers. |

Event Server service

| Port number | Protocol | Connections to... | Purpose |
|---|---|---|---|
| 443 | HTTPS | Milestone Customer Dashboard via https://service.milestonesys.com/ | Send status, events and error messages from the XProtect system to Milestone Customer Dashboard. |

Log Server service

| Port number | Protocol | Connections to... | Purpose |
|---|---|---|---|
| 443 | HTTP | Log server | Forwarding messages to the log server. |

API Gateway

| Port number | Protocol | Connections to... | Purpose |
|---|---|---|---|
| 443 | HTTPS | Management server | RESTful API |

Cameras, encoders, and I/O devices (inbound connections)

| Port number | Protocol | Connections from... | Purpose |
|---|---|---|---|
| 80 | TCP | Recording servers and failover recording servers | Authentication, configuration, and data streams; video and audio. |
| 443 | HTTPS | Recording servers and failover recording servers | Authentication, configuration, and data streams; video and audio. |
| 554 | RTSP | Recording servers and failover recording servers | Data streams; video and audio. |

Cameras, encoders, and I/O devices (outbound connections)

| Port number | Protocol | Connections to... | Purpose |
|---|---|---|---|
| 25 | SMTP | Recording servers and failover recording servers | Sending event notifications (deprecated). |
| 5432 | TCP | Recording servers and failover recording servers | Sending event notifications. The port is disabled by default. |
| 22337 | HTTP | Log server | Forwarding messages to the log server. |

Only a few camera models are able to establish outbound connections.

Client components (outbound connections)

XProtect Smart Client, XProtect Management Client, XProtect Mobile server

| Port number | Protocol | Connections to... | Purpose |
|---|---|---|---|
| 80 | HTTP | Management Server service | Authentication |
| 443 | HTTPS | Management Server service | Authentication of basic users when encryption is enabled. |
| 443 | HTTPS | Milestone Systems A/S (doc.milestonesys.com at 52.178.114.226) | Management Client and Smart Client occasionally check if the online help is available by accessing the help URL. |
| 7563 | TCP | Recording Server service | Retrieving video and audio streams, PTZ commands. |
| 22331 | TCP | Event Server service | Alarms. |

XProtect Web Client, XProtect Mobile client

| Port number | Protocol | Connections to... | Purpose |
|---|---|---|---|
| 8081 | HTTP | XProtect Mobile server | Retrieving video and audio streams. |
| 8082 | HTTPS | XProtect Mobile server | Retrieving video and audio streams. |

API Gateway

| Port number | Protocol | Connections to... | Purpose |
|---|---|---|---|
| 80 | HTTP | Management Server | RESTful API |
| 443 | HTTPS | Management Server | RESTful API |


Application pools
The VMS contains standard application pools such as .NET v4.5, .NET v4.5 Classic and the DefaultAppPool. The
application pools that are available on your system appear in the Internet Information Services (IIS) Manager.
In addition to the standard application pools mentioned above, a set of VideoOS application pools is
delivered with the Milestone XProtect VMS.

Application pools in Milestone XProtect


In the table below you can get an overview of the VideoOS application pools that are delivered with Milestone
XProtect.

| Name | Identity | Purpose |
|---|---|---|
| .NET v4.5 | ApplicationPoolId | Standard IIS feature |
| .NET v4.5 Classic | ApplicationPoolId | Standard IIS feature |
| DefaultAppPool | ApplicationPoolId | Standard IIS feature |
| VideoOS ApiGateway | NetworkService | Hosts the XProtect API Gateway which is the future public API and gateway to the VMS. |
| VideoOS Classic | NetworkService | Hosts legacy components such as the local help mainly to comply with backwards compatibility. |
| VideoOS IDP | NetworkService | Hosts the Identity Provider API. The Identity Provider creates, maintains, and manages identity information for basic users and provides authentication and registration services to relying applications or services. |
| VideoOS IM | NetworkService | Hosts the XProtect Incident Manager API. The XProtect Incident Manager documents incidents and combines them with sequence evidence (video and, potentially, audio) from their XProtect VMS. |


Working with application pools


From the Application Pools page in the Internet Information Services (IIS) window you can add application
pools or set application pool defaults and you can view the applications hosted by each application pool.

Open the Application Pools page

1. From the Windows Start menu, open Internet Information Services (IIS) Manager.

2. In the Connections pane, click the name of your environment, and then click Application Pools.

3. Under Actions, click Add Application Pool or Set Application Pool Defaults to perform any of these
tasks.

4. Select an application pool on the Application Pools page to display further options under Actions for
each application pool.

Product comparison
XProtect VMS includes the following products:

- XProtect Corporate
- XProtect Expert
- XProtect Professional+
- XProtect Express+
- XProtect Essential+

See the complete feature list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).


Licensing

Licenses (explained)

Free XProtect Essential+


If you have installed XProtect Essential+, you can run the system and eight device licenses for free. Automatic
license activation is enabled, and hardware will be activated as you add it to the system.

Only when you upgrade to a more advanced XProtect product and need to change your SLC (Software License
Code) (see Change the Software License Code on page 117), the rest of this topic and the other licensing-
related topics in this documentation could be relevant for you.

Licenses for XProtect VMS products (except XProtect Essential+)

Software license file and SLCs

When you purchase your software and licenses, you get:

- An order confirmation and a software license file named after your SLC (Software License Code) and
  with the .lic extension received per email
- A Milestone Care coverage

Your SLC is also printed on your order confirmation and consists of several numbers and letters grouped by
hyphens like:

- Product version 2014 or earlier: xxx-xxxx-xxxx
- Product version 2016 or later: xxx-xxx-xxx-xx-xxxxxx

The software license file contains all information about your purchased VMS products, add-on products, and
licenses. Milestone recommends that you store the information about your SLC and a copy of your software
license file in a safe place for later use. You can also see your SLC in the License Information window in
Management Client. You can open the License Information window in the Site Navigation pane -> Basics
node -> License Information. You may need the software license file or your SLC when you, for example,
create a My Milestone user account, contact your reseller for support, or if you need to make changes to your
system.

Overall process for installation and licensing

To get started, you download the software from our website (https://www.milestonesys.com/downloads/).
While you are installing (see Install a new XProtect system on page 140) the software, you are asked to provide
the software license file. You cannot complete the installation without a software license file.


Once the installation is complete and you have added some cameras, you must activate your licenses (see
License activation (explained) on page 110). You activate your licenses from the License Information window in
Management Client. Here you can also see an overview of your licenses for all installations on the same SLC.
You can open the License Information window in the Site Navigation pane -> Basics node -> License
Information.

License types
There are several license types in the XProtect licensing system.

Base licenses

As a minimum, you have a base license for one of the XProtect VMS products. You may also have one or more
base licenses for XProtect add-on products.

Device licenses

As a minimum, you have several device licenses. Generally, you need one device license per hardware device
with a camera that you want to add to your system. But this can differ from one hardware device to another
and depending on the hardware device being a Milestone supported hardware device or not. For more
information, see Supported hardware devices on page 109 and Unsupported hardware devices on page 109.

If you want to use the video push feature in XProtect Mobile, you also need one device license per mobile
device or tablet that should be able to push video to your system.

Device licenses are not required for speakers, microphones, or input and output devices attached to your
cameras.

Supported hardware devices

Generally, you need one device license per hardware device with a camera that you want to add to your
system. But a few supported hardware devices require more than one device license. You can see how many
device licenses your hardware devices require, in the list of supported hardware on the Milestone website
(https://www.milestonesys.com/support/tools-and-references/supported-devices/).

For video encoders with up to 16 channels, you need only one device license per video encoder IP address. A
video encoder can have one or more IP addresses.

However, if the video encoder has more than 16 channels, one device license per activated camera on the
video encoder is required - also for the first 16 activated cameras.

Unsupported hardware devices

An unsupported hardware device requires one device license per activated camera using a video channel.

Unsupported hardware devices do not appear in the list of supported hardware on the Milestone website
(https://www.milestonesys.com/support/tools-and-references/supported-devices/).


Camera licenses for Milestone Interconnect™

To run Milestone Interconnect, you need Milestone Interconnect camera licenses on your central site to view
video from hardware devices on remote sites. The number of required Milestone Interconnect camera licenses
depends on the number of hardware devices on the remote sites that you want to receive data from. Only
XProtect Corporate can act as a central site.

Licenses for add-on products

Most XProtect add-on products require additional license types. The software license file also includes
information about your licenses for add-on products. Some add-on products have their own separate software
license files.

License activation (explained)


Your SLC must be registered prior to the installation (see Register Software License Code on page 137). Your
different licenses connected with your SLCs must be activated for the installed XProtect VMS and add-on
products to work and the individual hardware devices to be able to send data to the system. For an overview of
all XProtect license types, see License types on page 109.

There are several ways of activating licenses. All of them are available from the License Information window.
The best way of activating depends on your organization's policies and whether your management server has
access to the internet or not. To learn how to activate licenses, see Activate your licenses on page 115.

After the initial license activation of your XProtect VMS, you do not have to activate device licenses every time
you add a hardware device with a camera because of built-in flexibilities to the XProtect licensing system. For
more information about these flexibilities, see Grace period for license activation (explained) on page 111 and
Device changes without activation (explained) on page 111.

Automatic license activation (explained)


For easy maintenance and flexibility - and when your organization's policies permit it - Milestone recommends
that you enable automatic license activation. Automatic license activation requires that the management
server is online. For how to enable automatic license activation, see Enable automatic license activation on
page 115.

Benefits of enabling automatic license activation

- The system activates your hardware devices a few minutes after you have added, removed, or replaced
  hardware devices or made other changes that affect the use of your licenses. Therefore, you only
  seldom must manually start a license activation. See the few exceptions in When manual license
  activation is still required on page 111.
- The used number of device changes without activation is always zero.
- No hardware devices are within a grace period and at risk of expiring.
- If one of your base licenses expires within a period of 14 days, your XProtect system will also - as an
  extra precaution - automatically try to activate your licenses every night.

When manual license activation is still required

If you make the following changes to your system, manual license activation is required.

- Purchase additional licenses (see Get additional licenses on page 117)
- Upgrade to a newer version or more advanced VMS system (see Upgrade requirements on page 355)
- Buy or renew a Milestone Care subscription
- Receive allowance for more device changes without activation (see Device changes without activation
  (explained) on page 111)

Grace period for license activation (explained)


When you have installed your VMS and added devices (hardware devices, Milestone Interconnect cameras, or
door licenses), the devices run in a 30-day grace period if you have decided not to enable automatic license
activation. Before the end of the 30-day grace period and if you do not have more device changes without
activation left, you must activate your licenses, or your devices will stop sending video to your surveillance
system.

Device changes without activation (explained)


The functionality device changes without activation gives built-in flexibility to the XProtect licensing system. So
even if you have decided to activate licenses manually, you do not necessarily have to activate licenses every
time you add or remove hardware devices.

The number of device changes without activation differs from installation to installation and is calculated
based on several variables. For a detailed description, see Calculation of available number of device changes
without activation (explained) on page 112.

One year after your last license activation, your used number of device changes without activation is
automatically reset to zero. Once the reset happens, you can continue to add and replace hardware devices
without activating the licenses.

If your surveillance system is offline for longer periods of time, for example in cases with a surveillance system
on a ship on a long cruise or a surveillance system in a very remote place without any Internet access, you can
contact your Milestone reseller and request a higher number of device changes without activation.

You must explain why you think you qualify for a higher number of device changes without activation.
Milestone decides each request on an individual basis. Should you be granted a higher number of device
changes without activation, you must activate your licenses to register the higher number on your XProtect
system.


Calculation of available number of device changes without activation (explained)

The available number of device changes without activation is calculated based on three variables. If you have
several installations of the Milestone software, the variables apply to each of them separately. The variables are:

- C% that is a fixed percentage of the total amount of activated licenses
- Cmin that is a fixed minimum value of the number of device changes without activation
- Cmax that is a fixed maximum value of the number of device changes without activation

The number of device changes without activation can never be lower than the Cmin value or higher than the
Cmax value. The calculated value based on the C% variable changes according to how many activated devices
you have on each installation in your system. Devices added with device changes without activation are not
counted as activated by the C% variable.

Milestone defines the values of all three variables and the values are subject to change without notification.
The values of the variables differ depending on the product.

Examples based on C% = 15%, Cmin = 10 and Cmax = 100

You buy 100 device licenses. You then add 100 cameras to the system. Unless you have enabled automatic
license activation, the number of device changes without activation is still zero. You activate your licenses and
have now 15 device changes without activation.

You buy 100 device licenses. You then add 100 cameras to the system and activate the licenses. Your number
of device changes without activation is now 15. You then decide to delete a hardware device from the system.
You now have 99 activated devices and the number of device changes without activation has dropped to 14.

You buy 1000 device licenses. You then add 1000 cameras and activate the licenses. Your number of device
changes without activation is now 100. According to the C% variable, you should now have had 150 device changes
without activation, but the Cmax variable only allows you to have 100 device changes without activation.

You buy 10 device licenses. You then add 10 cameras to the system and activate the licenses. Your number of
device changes without activation is now 10 because of the Cmin variable. If the number was only calculated
based on the C% variable, you would only have had 1 (15% of 10 = 1.5 rounded off to 1).

You buy 115 device licenses. You then add 100 cameras to the system and activate the licenses. Your number of
device changes without activation is now 15. You add another 15 cameras without activating them, using 15 out of 15
of your device changes without activation. You now remove 50 of the cameras from the system and the
number of device changes without activation goes down to 7. This means that 8 of the cameras previously
added within the 15 device changes without activation go into a grace period. You now add 50 new cameras.
Because you activated 100 cameras on the system last time you activated the licenses, the number of device
changes without activation goes back to 15 and the 8 cameras, that were moved into a grace period, move
back as device changes without activation. The 50 new cameras go into a grace period.


Milestone Care™ (explained)


Milestone Care is the name of the complete service and support program for XProtect products throughout
their lifetime.

Milestone Care gives you access to different types of self-help material like knowledge base articles, guides,
and tutorials on our Support website (https://www.milestonesys.com/support/).

For additional benefits, you can purchase more advanced Milestone Care subscriptions.

Milestone Care Plus

If you have a Milestone Care Plus subscription, you also have access to free updates to your current XProtect
VMS product and can upgrade to more advanced XProtect VMS products at an advantageous price. Milestone
Care Plus also offers additional functionality:

- The Customer Dashboard service
- The Smart Connect feature
- The full Push Notification functionality

Milestone Care Premium

If you have a Milestone Care Premium subscription, you can also contact the Milestone support team directly.
Please remember to include information about your Milestone Care ID when contacting Milestone support.

Expiration, renewal, and purchase of advanced Milestone Care subscriptions

The expiration date of the more advanced Milestone Care Plus and Milestone Care Premium subscription types is
visible in the License Information window in the Installed Products table. See Installed Products on page 119.

If you decide to buy or renew a Milestone Care subscription after you have installed your system, you must
manually activate your licenses before the correct Milestone Care information appears. See Activate licenses
online on page 116 or Activate licenses offline on page 116.

Licenses and hardware replacement (explained)


If a camera in the system becomes faulty, or you want to replace it with a new one for other reasons,
there are some best practices for how to do it.

If you remove a camera from a recording server, you free a device license, but you also lose full access to all
databases (cameras, microphones, inputs, outputs) and the settings of the old camera. To keep access to the
databases of the old camera and reuse its settings when replacing it with a new camera, use the relevant
option below.


Replace camera with a similar camera

If you replace a camera with a similar camera (manufacturer, brand, and model), and if you give the new
camera the same IP address as the old one, you maintain full access to all databases of the old camera. The
new camera continues to use the same databases and settings as the old camera. In this case, you move the
network cable from the old camera to the new one without changing any settings in Management Client.

Replace camera with a different camera

If you replace a camera with a different camera (manufacturer, brand, and model), you must use the Replace
Hardware wizard (see Replace hardware on page 327) to map all relevant databases of the old camera to the
new one and reuse the settings of the old camera.

License activation after hardware replacement

If you have enabled automatic license activation (see Enable automatic license activation on page 115), the new
camera is automatically activated.

If automatic license activation is disabled, and if all of the available device changes without activation have
been used (see Device changes without activation (explained) on page 111), you must manually activate your
licenses. For more information about manually activating licenses, see Activate licenses online on page 116 or
Activate licenses offline on page 116.

Get an overview of your licenses


There are many reasons why you would like to get an overview of your SLCs and your number of purchased
licenses and their statuses. Here are a few:

- You want to add one or more new hardware devices, but do you have unused device licenses, or do you
  have to purchase new ones?
- Is the grace period for some of your hardware devices ending soon? Then you must activate them
  before they stop sending data to the VMS.
- You know from previous contacts to support that they need information about your SLC and your
  Milestone Care ID to be able to help you. But which are they?
- You have many installations of XProtect and use the same SLC for all installations, but where are the
  licenses used and what are their statuses?

You can find all the information above and more in the License Information window.

You can open the License Information window in the Site Navigation pane -> Basics node -> License
Information.

To learn more about the various information and features available from the License Information window, see
License Information window on page 118.

Activate your licenses


There are several ways of activating licenses. All of them are available from the License Information window.
The best way of activating depends on your organization's policies and whether your management server has
access to the internet or not.

You can open the License Information window in the Site Navigation pane -> Basics node -> License
Information.

To learn more about the various information and features available from the License Information window, see
License Information window on page 118.

Enable automatic license activation


For easy maintenance and flexibility - and when your organization's policies permit it - Milestone recommends
that you enable automatic license activation. Automatic license activation requires that the management
server is online.

If you want to know all the benefits of enabling automatic license activation, see Automatic license activation
(explained) on page 110.

1. From the Site Navigation pane -> Basics node -> License Information, select Enable automatic license
activation.

2. Enter the user name and password that you want to use with automatic license activation:
   • If you are an existing user, enter your user name and password to log into the software
     registration system

   • If you are a new user, click the Create new user link to set up a new user account and then
     follow the registration procedure. If you have not yet registered your Software License Code
     (SLC), you must do so

The credentials are saved in a file on the management server.

3. Click OK.

If you later want to change your user name and/or the password for automatic activation, click the Edit
activation credentials link.

Disable automatic license activation


If your organization does not allow automatic license activation, or if you have simply changed your
mind, you can disable automatic license activation.

How you disable depends on whether you later plan to use automatic license activation again or not.

Disable but keep the password for later use:

1. From the Site Navigation pane -> Basics node -> License Information, clear Enable automatic license
activation. The user name and password are still saved on the management server.

Disable and delete password:

1. From the Site Navigation pane -> Basics node -> License Information, click Edit activation
credentials.

2. Click Delete password.

3. Confirm that you want to delete the user name and password from the management server.

Activate licenses online


If the management server has internet access but you prefer to manually start the activation process, this is
the easiest license activation option for you.

1. From the Site Navigation pane -> Basics node -> License Information, select Activate License
Manually and then Online.

2. The Activate Online dialog box opens:


   • If you are an existing user, enter your user name and password

   • If you are a new user, click the Create new user link to set up a new user account. If you have
     not yet registered your Software License Code (SLC), you must do so

3. Click OK.

If you receive an error message during online activation, follow the instructions on the screen to solve the
issue or contact Milestone support.

Activate licenses offline


If your organization does not allow the management server to have internet access, you must activate
licenses manually and offline.

1. From the Site Navigation pane -> Basics node -> License Information, select Activate License
Manually > Offline > Export License for Activation to export a license request file (.lrq) with
information about your added hardware devices and other elements that require a license.

2. The license request file (.lrq) is automatically given the same name as your SLC. If you have several sites,
remember to rename the files so you can easily identify which file belongs to which site.

3. Copy the license request file to a computer with internet access and log into our website
(https://online.milestonesys.com/) to obtain the activated software license file (.lic).

4. Copy the .lic file you receive to your computer with Management Client. The file has been given the
same name as your license request file.

5. From the Site Navigation pane -> Basics node -> License Information, select Activate License Offline
> Import Activated License, and then select the activated software license file to import it and thereby
activate your licenses.

6. Click Finish to end the activation process.

Activate licenses after grace period


If you have decided to use manual license activation and you have forgotten to activate a license within the
grace period (hardware device, Milestone Interconnect camera, door licenses, or others), the device using that
license becomes unavailable and cannot send data to the surveillance system.

Even if a license’s grace period has expired, the device configuration and settings you have made are saved
and used when the license is activated.

To enable the unavailable devices again, you activate the licenses manually in your preferred way. For more
information, see Activate licenses offline on page 116 or Activate licenses online on page 116.

Get additional licenses


If you want to add, or have already added, more hardware devices, Milestone Interconnect systems,
doors, or other elements than you currently have licenses for, you must buy additional licenses to enable them
to send data to your system:

• To get additional licenses for your system, contact your XProtect product reseller

If you have bought new licenses for your existing surveillance system version:

• Simply activate your licenses manually to get access to the new licenses. For more information, see
Activate licenses online on page 116 or Activate licenses offline on page 116.

If you have bought new licenses and an upgraded surveillance system version:

• You receive an updated software license file (.lic) (see Licenses (explained) on page 108) with the new
licenses and the new version. You must use the new software license file during the installation of the
new version. For more information, see Upgrade requirements on page 355.

Change the Software License Code


If you run an installation on a temporary Software License Code (SLC) or if you have upgraded to a more
advanced XProtect product, you can change your SLC to a permanent or more advanced SLC. When you have
received your new software license file, you can change your SLC without uninstalling or reinstalling anything.

You can do this locally on the management server or remotely from Management Client.

From the management server tray icon


1. On the management server, go to the notification area of the taskbar.

2. Right-click the Management Server icon and select Change License.

3. Click Import License.

4. Next, select the software license file saved for this purpose. When done, the selected software license
file location is added just below the Import License button.

5. Click OK and you are now ready to register SLC. See Register Software License Code on page 137.

From Management Client


1. Copy the .lic file you receive to your computer with Management Client.

2. From the Site Navigation pane -> Basics node -> License Information, select Activate License Offline
> Import Activated License, and then select the software license file to import.

3. When opened, accept that the software license file is different from the one currently in use.

4. You are now ready to register SLC. See Register Software License Code on page 137.

The software license file is only imported and changed but not activated. Remember to
activate your license. For more information, see Activate your licenses on page 115.

When running XProtect Essential+, you can only change the license from the
management server tray icon. It is not possible to change the license from Management
Client.

License Information window


In the License Information window, you can keep track of all licenses that share the same software license file,
both on this site and on all other sites, see your Milestone Care subscriptions, and decide how you want to
activate your licenses.

You can open the License Information window in the Site Navigation pane -> Basics node -> License
Information.

If you want to have an overall understanding of how the XProtect licensing system works, see Licenses
(explained) on page 108.

Licensed to

This area of the License Information window lists the contact details of the license owner that were entered
during the software registration.

If you cannot see the Licensed to area, click the Refresh button in the lower right corner of the window.

Click Edit details to edit the license owner information. Click End-user license agreement to see the end-user
license agreement that you accepted prior to the installation.

Milestone Care

Here you can see information about your current Milestone Care™ subscription. The expiry dates for your
subscriptions are shown in the Installed Products table below.

For more information about Milestone Care, use the links or see Milestone Care™ (explained) on page 113.

Installed Products

Lists the following information about all your installed base licenses for XProtect VMS and add-on products
that share the same software license file:

• Products and versions

• The products' software license code (SLC)

• The expiration date of your SLC. Typically, unrestricted

• The expiration date of your Milestone Care Plus subscription

• The expiration date of your Milestone Care Premium subscription

License Overview - All sites

Lists the number of activated device licenses and other licenses in your software license file and the total
number of available licenses on your system. Here you can easily see if you can still grow your system without
purchasing additional licenses.

For a detailed overview of the status of your licenses activated on other sites, click the License Details - All
sites link. See the License Details - Current site section below for the available information that is shown.

If you have licenses for add-on products, you can see additional details about these under the add-on product
specific nodes in the Site Navigation pane.

License Details - Current Site

The Activated column lists the number of activated device licenses or other licenses on this site.

You can also see the number of used device changes without activation (see Device changes without activation
(explained) on page 111) and how many you have available per year in the Changes without activation
column.

If you have licenses that you have not yet activated and that therefore run in a grace period, these are listed in
the In Grace Period column. The expiration date of the first license to expire appears in red below the
table.

If you forget to activate licenses before the grace period expires, they will stop sending video to the system.
These licenses are shown in the Grace Period Expired column. For more information, see Activate licenses
after grace period on page 117.

If you have used more licenses than you have available, these are listed in the Without License column and
cannot be used in your system. For more information, see Get additional licenses on page 117.

If you have licenses in a grace period, with an expired grace period or without license, a message will remind
you every time you log into your Management Client.

If you have hardware devices that use more than one license, a Click here to open full device license report
link appears underneath the License Details - Current Site table. When you click the link, you can see how
many device licenses each of these hardware devices requires.

Hardware devices without licenses are identified by an exclamation mark in the Management Client. The
exclamation mark is also used for other purposes. Place your mouse over the exclamation mark to see the
purpose.

Features for activating licenses

Below the three tables are:

• A check box for enabling automatic license activation and a link to edit the user credentials for
automatic activation. For more information, see Automatic license activation (explained) on page 110
and Enable automatic license activation on page 115.
If the automatic activation has failed, a failure message appears in red. For more information, click
the Details link.
Some licenses, such as XProtect Essential+, are installed with the automatic license activation enabled,
and disabling it is not possible.

• A drop-down list for manually activating licenses online or offline. For more information, see Activate
licenses online on page 116 and Activate licenses offline on page 116.

• In the lower right corner of the window, you can see when your licenses were activated last
(automatically or manually) and when the information in the window was refreshed. The time stamps
are from the server and not from the local computer.

Requirements and considerations

Daylight saving time (explained)


Daylight saving time (DST) is the practice of advancing clocks for evenings to have more daylight and mornings
to have less. The use of DST varies between countries/regions.

When you work with a surveillance system, which is inherently time-sensitive, it is important that you know
how the system handles DST.

Do not change the DST setting when you are in the DST period or if you have recordings
from a DST period.

Spring: Switch from Standard Time to DST

The change from standard time to DST is not much of an issue since you jump one hour forward.

Example:

The clock jumps forward from 02:00 standard time to 03:00 DST, and the day has 23 hours. In that case, there
is no data between 02:00 and 03:00 in the morning since that hour, for that day, did not exist.

Fall: Switch from DST to Standard Time

When you switch from DST to standard time in the fall, you jump one hour back.

Example:

The clock jumps backward from 02:00 DST to 01:00 standard time, repeating that hour, and the day has 25
hours. You reach 01:59:59, then immediately revert to 01:00:00. If the system did not react, it would essentially
re-record that hour, so the first instance of 01:30 would be overwritten by the second instance of 01:30.

To prevent this, your system archives the current video if the system time changes by more than five
minutes. You cannot view the first instance of the 01:00 hour directly in any clients, but the data is
recorded and safe. You can browse this video in XProtect Smart Client by opening the archived
database directly.
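The fall switch described above, as an added example that is not part of the manual: it shows why local wall-clock timestamps repeat during that hour and how a backward step of more than five minutes can be detected from successive clock readings. The UTC offsets, the switch date, and all function names are constructed for illustration, and the detection logic is an assumption, not Milestone's implementation.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed values: a zone that is UTC-4 during DST and UTC-5 in standard
# time, switching at 02:00 DST -> 01:00 standard as in the manual's example.
DST = timezone(timedelta(hours=-4), "DST")
STANDARD = timezone(timedelta(hours=-5), "STD")
SWITCH_UTC = datetime(2023, 11, 5, 6, 0, tzinfo=timezone.utc)
THRESHOLD = timedelta(minutes=5)  # "more than five minutes" from the manual


def wall_clock(utc_instant):
    """Local wall-clock time (no zone information) for a UTC instant."""
    zone = DST if utc_instant < SWITCH_UTC else STANDARD
    return utc_instant.astimezone(zone).replace(tzinfo=None)


def sample_readings(count=13, step=timedelta(minutes=10)):
    """Constructed clock readings from 05:00 UTC onward: (utc, wall) pairs."""
    start = datetime(2023, 11, 5, 5, 0, tzinfo=timezone.utc)
    return [(start + i * step, wall_clock(start + i * step)) for i in range(count)]


def find_time_jumps(readings, threshold=THRESHOLD):
    """Report where the wall clock moved differently from elapsed time.

    Returns (wall_before, wall_after, drift_in_minutes) for every pair of
    consecutive readings whose wall-clock difference deviates from the
    real elapsed time by more than the threshold.
    """
    jumps = []
    for (utc0, wall0), (utc1, wall1) in zip(readings, readings[1:]):
        drift = (wall1 - wall0) - (utc1 - utc0)
        if abs(drift) > threshold:
            minutes = int(drift.total_seconds()) // 60
            jumps.append((wall0.strftime("%H:%M"), wall1.strftime("%H:%M"), minutes))
    return jumps


def repeated_wall_times(readings):
    """Wall-clock times that occur more than once, and are therefore ambiguous."""
    counts = Counter(wall for _, wall in readings)
    return sorted(w.strftime("%H:%M") for w, n in counts.items() if n > 1)


def unique_utc_instants(readings):
    """Number of distinct UTC instants; UTC never repeats across the switch."""
    return len({utc for utc, _ in readings})


if __name__ == "__main__":
    data = sample_readings()
    print("jumps:", find_time_jumps(data))
    print("ambiguous local times:", repeated_wall_times(data))
    print("distinct UTC instants:", unique_utc_instants(data), "of", len(data))
```

When you correlate recordings or logs from the repeated hour, compare UTC instants rather than local times, because a local time such as 01:30 identifies two different moments on that day.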

Time servers (explained)


Once your system receives images, they are instantly time-stamped. Since cameras are separate units which
may have separate timing devices, camera time and your system time may not correspond fully. This may
occasionally lead to confusion. If your cameras support timestamps, Milestone recommends that you
auto-synchronize camera and system time through a time server for consistent synchronization.

For information about how to configure a time server, search the Microsoft website
(https://www.microsoft.com/) for 'time server', 'time service', or similar terms.

Limit size of database


To prevent the SQL database (see SQL Server installations and databases (explained) on page 32) growing to a
size that affects the performance of the system, you can specify for how many days the different types of
events and alarms are stored in the database.

1. Open the Tools menu.

2. Click Options > Alarms and Events tab.

3. Make the required settings. For more information, see Alarms and Events tab (options) on page 379.

IPv6 and IPv4 (explained)


Your system supports IPv6 as well as IPv4. So does XProtect Smart Client.

IPv6 is the latest version of the Internet Protocol (IP). The Internet Protocol determines the format and use of
IP addresses. IPv6 coexists with the still much more widely used IP version IPv4. IPv6 was developed in order
to solve the address exhaustion of IPv4. IPv6 addresses are 128 bits long, whereas IPv4 addresses are only
32 bits long.

It meant that the Internet's address book grew from 4.3 billion unique addresses to 340 undecillion (340 trillion
trillion trillion) addresses. A growth factor of 79 octillion (billion billion billion).

More and more organizations are implementing IPv6 on their networks. For example, all US federal agency
infrastructures are required to be IPv6 compliant. Examples and illustrations in this manual reflect use of IPv4
because this is still the most widely used IP version. IPv6 works equally well with the system.

Using the system with IPv6 (explained)

The following conditions apply when using the system with IPv6:

Servers

Servers can often use IPv4 as well as IPv6. However, if just one server in your system (for example, a
management server or recording server) requires a particular IP version, all other servers in your system must
communicate using the same IP version.

Example: All of the servers in your system except one can use IPv4 as well as IPv6. The exception is a server
which is only capable of using IPv6. This means that all servers must communicate with each other using IPv6.

Devices

You can use devices (cameras, inputs, outputs, microphones, speakers) with a different IP version than that
being used for server communication provided your network equipment and the recording servers also
support the devices' IP version. See also the illustration below.

Clients

If your system uses IPv6, users should connect with the XProtect Smart Client. The XProtect Smart Client
supports IPv6 as well as IPv4.

If one or more servers in your system can only use IPv6, XProtect Smart Client users must use IPv6 for their
communication with those servers. In this context, it is important to remember that XProtect Smart Client
installations technically connect to a management server for initial authentication, and then to the required
recording servers for access to recordings.

However, the XProtect Smart Client users do not have to be on an IPv6 network themselves, provided your
network equipment supports communication between different IP versions, and they have installed the IPv6
protocol on their computers. See also the illustration. To install IPv6 on a client computer, open a command
prompt, enter Ipv6 install, and press ENTER.

[Figure: Example illustration]

Example: Since one server in the system can only use IPv6, all communication with that server must use IPv6.
However, that server also determines the IP version for communication between all other servers in the
system.

Writing IPv6 addresses (explained)


An IPv6 address is usually written as eight blocks of four hexadecimal digits, with each block separated by a
colon.

Example: 2001:0B80:0000:0000:0000:0F80:3FA8:18AB

You may shorten addresses by eliminating leading zeros in a block. Also, note that some of the four-digit
blocks may consist of zeros only. If any number of such 0000 blocks are consecutive, you may shorten
addresses by replacing the 0000 blocks with two colons as long as there is only one such double colon in the
address.

Example:
2001:0B80:0000:0000:0000:0F80:3FA8:18AB can be shortened to

2001:B80:0000:0000:0000:F80:3FA8:18AB if removing the leading zeros, or to

2001:0B80::0F80:3FA8:18AB if removing the 0000 blocks, or even to

2001:B80::F80:3FA8:18AB if removing the leading zeros as well as the 0000 blocks.

Using IPv6 Addresses in URLs


IPv6 addresses contain colons. Colons, however, are also used in other types of network addressing syntax. For
example, IPv4 uses a colon to separate IP address and port number when both are used in a URL. IPv6 has
inherited this principle. Therefore, to avoid confusion, square brackets are put around IPv6 addresses when
they are used in URLs.

Example of a URL with an IPv6 address:

http://[2001:0B80:0000:0000:0000:0F80:3FA8:18AB], which may of course be shortened to, for example,
http://[2001:B80::F80:3FA8:18AB]

Example of a URL with an IPv6 address and a port number:

http://[2001:0B80:0000:0000:0000:0F80:3FA8:18AB]:1234, which may of course be shortened to, for example,
http://[2001:B80::F80:3FA8:18AB]:1234

For more information about IPv6, see, for example, the IANA website (https://www.iana.org/numbers/). IANA,
the Internet Assigned Numbers Authority, is the organization responsible for the global coordination of IP
addressing.
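The shortening rules and the bracket rule for URLs described above, as an added example that is not part of the manual: it reproduces the manual's shortened forms, builds a URL with an optional port, and shows what a URL parser returns when the brackets are left out. The function names are hypothetical; the address is the manual's example.

```python
import ipaddress
from urllib.parse import urlsplit

# The example address used in the manual.
MANUAL_ADDRESS = "2001:0B80:0000:0000:0000:0F80:3FA8:18AB"


def blocks(addr):
    """Eight 4-digit hexadecimal blocks; raises ValueError if addr is not IPv6."""
    return ipaddress.IPv6Address(addr).exploded.upper().split(":")


def longest_zero_run(parts):
    """(start, length) of the longest run of consecutive 0000 blocks."""
    best = (0, 0)
    i = 0
    while i < len(parts):
        j = i
        while j < len(parts) and parts[j] == "0000":
            j += 1
        if j - i > best[1]:
            best = (i, j - i)
        i = max(j, i + 1)
    return best


def shorten(addr, strip_zeros=True, collapse=True):
    """Apply the manual's two shortening rules, separately or together."""
    parts = blocks(addr)
    start, length = longest_zero_run(parts)
    if strip_zeros:
        # The manual leaves an all-zero block written as 0000 in this form.
        parts = [p if p == "0000" else p.lstrip("0") for p in parts]
    if collapse and length:
        # Only one "::" may appear, so only one run of zero blocks is replaced.
        return ":".join(parts[:start]) + "::" + ":".join(parts[start + length:])
    return ":".join(parts)


def url_for(addr, port=None, scheme="http"):
    """URL with the IPv6 address in square brackets and an optional port."""
    url = "{}://[{}]".format(scheme, shorten(addr))
    return url if port is None else "{}:{}".format(url, port)


def host_and_port(url):
    """Parse a bracketed URL back into (shortened address, port or None)."""
    parts = urlsplit(url)
    return shorten(parts.hostname), parts.port


def unbracketed_host(addr, port):
    """Failure mode: without brackets the parser cuts the host at the first colon."""
    return urlsplit("http://{}:{}".format(shorten(addr), port)).hostname


if __name__ == "__main__":
    print(shorten(MANUAL_ADDRESS, collapse=False))
    print(shorten(MANUAL_ADDRESS, strip_zeros=False))
    print(shorten(MANUAL_ADDRESS))
    print(url_for(MANUAL_ADDRESS, 1234), "->", host_and_port(url_for(MANUAL_ADDRESS, 1234)))
    print("without brackets the host is read as:", unbracketed_host(MANUAL_ADDRESS, 1234))
```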

Virtual servers
You can run all system components on virtualized Windows® servers, such as VMware® and Microsoft® Hyper-V®.

Virtualization is often preferred to better utilize hardware resources. Normally, virtual servers running on the
hardware host server do not load the virtual server to a great extent, and often not at the same time. However,
recording servers record all cameras and video streams. This puts high load on CPU, memory, network, and
storage system. So, when run on a virtual server, the normal gain of virtualization disappears to a large extent,
since - in many cases - it uses all available resources.

If run in a virtual environment, it is important that the hardware host has the same amount of physical
memory as allocated for the virtual servers and that the virtual server running the recording server is allocated
enough CPU and memory - which it is not by default. Typically, the recording server needs 2-4 GB depending
on configuration. Another bottleneck is network adapter allocation and hard disk performance. Consider
allocating a physical network adapter on the host server of the virtual server running the recording server. This
makes it easier to ensure that the network adapter is not overloaded with traffic to other virtual servers. If the
network adapter is used for several virtual servers, the network traffic might result in the recording server not
retrieving and recording the configured number of images.

Multiple management servers (clustering) (explained)


The management server can be installed on multiple servers within a cluster of servers. This ensures that the
system has very little downtime. If a server in the cluster fails, another server in the cluster automatically takes
over the failed server's job running the management server.

It is only possible to have one active management server per surveillance setup, but other management
servers may be set up to take over in case of failure.

By default, the Management Server service limits the number of times a failover occurs
to twice within a six-hour period. If this is exceeded, the Management Server services are
not automatically started by the clustering service. This limit can be changed to better fit
your needs.

Requirements for clustering


• Two machines with Microsoft Windows Server 2016 or newer. Make sure that:

   • All servers that you want to add as cluster nodes are running the same version of Windows
     Server

   • All servers that you want to add as cluster nodes are joined to the same domain

   • You have log-in access to the Windows account as the local administrator

  For information about clusters in Microsoft Windows Server, see Failover clusters
  (https://docs.microsoft.com/en-us/windows-server/failover-clustering/create-failover-cluster).

• A Microsoft SQL Server installation

  Either an external SQL Server and database installed outside the server cluster or an internal SQL
  Server service (clustered) within the server cluster (creating an internal SQL Server service requires the
  use of the Microsoft® SQL Server® Standard or Microsoft® SQL Server® Enterprise edition, which can
  work as a clustered SQL Server).

  When connecting the management server to the database, depending on your system configuration
  password settings, you may be asked to provide the current system configuration password. See
  System configuration password (explained) on page 315.

If you work in a failover cluster environment, it is recommended that you pause the
cluster before you start tasks in the Server Configurator. This is because the Server
Configurator may need to stop services while applying changes and the failover cluster
environment may interfere with this operation.

Protect recording databases from corruption


Camera databases can become corrupted. Several database repair options exist to resolve such a problem, but
Milestone recommends that you take steps to ensure that your camera databases do not become corrupted.

Hard disk failure: protect your drives


Hard disk drives are mechanical devices and are vulnerable to external factors. The following are examples of
external factors which may damage hard disk drives and lead to corrupt camera databases:

• Vibration (make sure the surveillance system server and its surroundings are stable)

• Strong heat (make sure the server has adequate ventilation)

• Strong magnetic fields (avoid)

• Power outages (make sure you use an Uninterruptible Power Supply (UPS))

• Static electricity (make sure you ground yourself if you are going to handle a hard disk drive)

• Fire, water, etc. (avoid)

Windows Task Manager: be careful when you end processes


When you work in Windows Task Manager, be careful not to end any processes which affect the surveillance
system. If you end an application or system service by clicking End Process in the Windows Task Manager, the
process is not given the chance to save its state or data before it is terminated. This may lead to corrupt
camera databases.

Windows Task Manager typically displays a warning if you attempt to end a process. Unless you are absolutely
sure that ending the process is not going to affect the surveillance system, click No when the warning message
asks you if you really want to terminate the process.

Power outages: use a UPS


The single most common reason for corrupt databases is the recording server being shut down abruptly,
without files being saved and without the operating system being closed down properly. This may happen due
to power outages, due to somebody accidentally pulling out the server's power cable, or similar.

The best way of protecting your recording servers from being shut down abruptly is to equip each of your
recording servers with a UPS (Uninterruptible Power Supply).

The UPS works as a battery-driven secondary power source, providing the necessary power for saving open
files and safely powering down your system in the event of power irregularities. UPSs vary in sophistication,
but many UPSs include software for automatically saving open files, for alerting system administrators, etc.

Selecting the correct type of UPS for your organization's environment is an individual process. When you
assess your needs, however, bear in mind the amount of runtime you require the UPS to be able to provide if
the power fails. Saving open files and shutting down an operating system properly may take several minutes.

SQL database transaction log (explained)


Each time a change is written to an SQL database, the SQL database logs this change in its transaction log.

With the transaction log, you can roll back and undo changes to the SQL database through Microsoft® SQL
Server Management Studio. By default, the SQL database stores its transaction log indefinitely which over time
means that the transaction log has more and more entries. The transaction log is by default located on the
system drive, and if the transaction log keeps growing, it may prevent Windows from running properly.

To avoid such a scenario, flushing the transaction log regularly is a good idea. Flushing it does not make the
transaction log file smaller, but cleans its content and thereby prevents it from growing out of control. Your
VMS system does not flush transaction logs. In SQL Server, there are ways of flushing the transaction log. Visit
the Microsoft support page
https://docs.microsoft.com/en-us/sql/relational-databases/logs/the-transaction-log-sql-server?view=sql-server-2017
and search for Transaction log truncation.

Minimum system requirements


For information about the system requirements for the various VMS applications and system components, go
to the Milestone website (https://www.milestonesys.com/systemrequirements/).

Before you start installation


Milestone recommends that you go through the requirements described in the next sections, before you start
the actual installation.

Prepare your servers and network

Operating system

Make sure that all servers have a clean installation of a Microsoft Windows operating system, and that it is
updated with all the latest Windows updates.

For information about the system requirements for the various VMS applications and system components, go
to the Milestone website (https://www.milestonesys.com/systemrequirements/).

Microsoft® .NET Framework

Check that all servers have Microsoft .NET Framework 4.8 or higher installed.

Network

Assign static IP addresses or make DHCP reservations for all system components and cameras. To make sure
that sufficient bandwidth is available on your network, you must understand how and when the system
consumes bandwidth. The main load on your network consists of three elements:

• Camera video streams

• Clients displaying video

• Archiving of recorded video

The recording server retrieves video streams from the cameras, which results in a constant load on the
network. Clients that display video consume network bandwidth. If there are no changes in the content of the
client views, the load is constant. Changes in view content, video search, or playback, make the load dynamic.

Archiving of recorded video is an optional feature that lets the system move recordings to a network storage if
there is not enough space in the internal storage system of the computer. This is a scheduled job that you have
to define. Typically, you archive to a network drive which makes it a scheduled dynamic load on the network.

Your network must have bandwidth headroom to cope with these peaks in the traffic. This enhances the
system responsiveness and general user experience.

Prepare Active Directory


If you want to add users to your system through the Active Directory service, you must have a server with
Active Directory installed and acting as domain controller available on your network.

For easy user and group management, Milestone recommends that you have Microsoft Active Directory®
installed and configured before you install your XProtect system. If you add the management server to the
Active Directory after installing your system, you must reinstall the management server, and replace users with
new Windows users defined in the Active Directory.

Basic users are not supported in Milestone Federated Architecture systems, so if you plan to use Milestone
Federated Architecture, you must add users as Windows users through the Active Directory service. If you do
not install Active Directory, follow the steps in Installation for workgroups on page 168 when you install.

Installation method
As part of the installation wizard, you must decide which installation method to use. You should base your
selection on your organization's needs, but it is very likely that you already decided on the method when you
purchased the system.

Options: Single Computer

Description: Installs all server and client components, as well as the SQL Server on the current
computer.

When the installation completes, you get the possibility to configure your system
through a wizard. If you agree to continue, the recording server scans your network for
hardware, and you can select which hardware devices to add to your system. The max
number of hardware devices that can be added in the configuration wizard depends on
your base license. Also, cameras are preconfigured in views, and a default Operator role
is created. After installation, XProtect Smart Client opens, and you are ready to use the
system.

Options: Custom

Description: The management server is always selected in the system component list and is always
installed, but you can select freely what to install on the current computer among the
other server and client components.

By default, the recording server is not selected in the component list, but you can change
this. You can install the not selected components on other computers afterwards.

Single Computer installation

Typical system components in a system:

1. Active Directory

2. Devices

3. Server with SQL Server

4. Event server

5. Log server

6. XProtect Smart Client

7. Management Client

8. Management server

9. Recording server

10. Failover recording server

11. XProtect Mobile server

12. XProtect Web Client

13. XProtect Mobile client

14. XProtect Smart Client with XProtect Smart Wall

Custom installation - example of distributed system components

Decide on a SQL Server edition


Microsoft® SQL Server® Express is a free edition of SQL Server and is easy to install and prepare for use
compared to the other SQL Server editions. During a Single computer installation, Microsoft SQL Server
Express is installed unless a SQL Server is already installed on the computer.

The XProtect VMS installation includes Microsoft SQL Server Express version 2019. Not all Windows operating
systems support this edition of SQL Server. Before you install XProtect VMS, verify that your operating system
supports SQL Server 2019. If your operating system does not support this edition of SQL Server, install a
supported edition of SQL Server before you start the XProtect VMS installation. For information about
supported SQL Server editions, see https://www.milestonesys.com/systemrequirements/.

For very large systems or systems with many transactions to and from the SQL databases, Milestone
recommends that you use a Microsoft® SQL Server® Standard or Microsoft® SQL Server® Enterprise edition
of the SQL Server on a dedicated computer on the network and on a dedicated hard disk drive that is not used
for other purposes. Installing the SQL Server on its own drive improves the entire system performance.

Select service account


As part of the installation, you are asked to specify an account to run the Milestone services on this computer.
The services always run on this account no matter which user is logged in. Make sure that the account has all
necessary user permissions, for example, the proper permissions to perform tasks, proper network and file
access, and access to network shared folders.

You can select either a predefined account, or a user account. Base your decision on the environment that you
want to install your system in:

Domain environment

In a domain environment:

• Milestone recommends that you use the built-in Network Service account

  It is easier to use even if you need to expand the system to multiple computers.

• You can also use domain user accounts, but they are potentially more difficult to configure

Workgroup environment

In a workgroup environment, Milestone recommends that you use a local user account that has all necessary
permissions. This is often the administrator account.

If you have installed your system components on multiple computers, the selected user
account must be configured on all computers in your installations with identical user
name, password, and access permissions.

Kerberos authentication (explained)


Kerberos is a ticket-based network authentication protocol. It is designed to provide strong authentication for
client/server or server/server applications.

Use Kerberos authentication as an alternative to the older Microsoft NT LAN Manager (NTLM) authentication protocol.

Kerberos authentication requires mutual authentication, where the client authenticates to the service and the
service authenticates to the client. This way you can authenticate more securely from XProtect clients to
XProtect servers without exposing your password.

To make mutual authentication possible in your XProtect VMS, you must register Service Principal Names (SPN)
in Active Directory. An SPN is an alias that uniquely identifies an entity such as an XProtect server service.
Every service that uses mutual authentication must have an SPN registered so that clients can identify the
service on the network. Without correctly registered SPNs, mutual authentication is not possible.

The table below lists the different Milestone services with corresponding port numbers you need to register:

Service                              Port number

Management Server - IIS              80 - Configurable
Management Server - Internal         8080
Recording Server - Data Collector    7609
Failover Server                      8990
Event Server                         22331
LPR Server                           22334

The number of services you need to register in Active Directory depends on your
current installation. Data Collector is installed automatically when installing the
Management Server, Recording Server, Event Server or Failover Server service.

You must register two SPNs for the user running the service: one with the host name and one with the fully
qualified domain name.

If you are running the service under a network user service account, you must register the two SPNs for each
computer running this service.

This is the Milestone SPN naming scheme:

VideoOS/[DNS Host Name]:[Port]


VideoOS/[Fully qualified domain name]:[Port]

The following is an example of SPNs for the Recording Server service running on a computer with the following
details:

Hostname: Record-Server1
Domain: Surveillance.com

SPNs to register:

VideoOS/Record-Server1:7609
VideoOS/Record-Server1.Surveillance.com:7609
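
The naming scheme and port table above can be turned into a reviewable list of registration commands. The following PowerShell is an added example, not part of the Milestone manual: it prints `setspn -Q` (query) and `setspn -S` (add after a duplicate check) lines for each SPN pair and registers nothing itself. The function names and the account name `SURVEILLANCE\svc-xprotect` are hypothetical.

```powershell
# Added example: prints the setspn commands for the VideoOS SPN pairs described
# above. It only builds text for review; nothing is registered in Active Directory.

# Service ports from the table above. The Management Server IIS port is
# configurable, so adjust 80 if your installation uses another port.
$XProtectServicePorts = [ordered]@{
    'Management Server - IIS'           = 80
    'Management Server - Internal'      = 8080
    'Recording Server - Data Collector' = 7609
    'Failover Server'                   = 8990
    'Event Server'                      = 22331
    'LPR Server'                        = 22334
}

function Get-XProtectSpn {
    # Returns the two SPNs (host name and FQDN) for each requested service.
    param(
        [Parameter(Mandatory)] [string]   $HostName,
        [Parameter(Mandatory)] [string]   $Domain,
        [Parameter(Mandatory)] [string[]] $Service
    )
    foreach ($name in $Service) {
        if (-not $XProtectServicePorts.Contains($name)) {
            throw "Unknown service '$name'. Use one of: $($XProtectServicePorts.Keys -join '; ')"
        }
        $port = $XProtectServicePorts[$name]
        foreach ($dnsName in $HostName, "$HostName.$Domain") {
            [pscustomobject]@{
                Service = $name
                Spn     = 'VideoOS/{0}:{1}' -f $dnsName, $port
            }
        }
    }
}

function Get-XProtectSpnCommand {
    # Emits one query line and one registration line per SPN.
    # $Account is the account that runs the service (hypothetical parameter name).
    param(
        [Parameter(Mandatory)] [string]   $HostName,
        [Parameter(Mandatory)] [string]   $Domain,
        [Parameter(Mandatory)] [string[]] $Service,
        [Parameter(Mandatory)] [string]   $Account
    )
    Get-XProtectSpn -HostName $HostName -Domain $Domain -Service $Service |
        ForEach-Object {
            "setspn -Q $($_.Spn)"            # is this SPN already registered anywhere?
            "setspn -S $($_.Spn) $Account"   # register it, refusing duplicates
        }
}

# The manual's example host, with a hypothetical service account name.
Get-XProtectSpnCommand -HostName 'Record-Server1' -Domain 'Surveillance.com' `
    -Service 'Recording Server - Data Collector' -Account 'SURVEILLANCE\svc-xprotect'
```

Run the query lines first: an SPN that is already registered to a different account breaks Kerberos for that service, and clients then cannot authenticate to it mutually.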

Virus scanning exclusions (explained)


As is the case with any other database software, if an antivirus program is installed on a computer running
XProtect software, it is important that you exclude specific file types and folders, as well as certain network
traffic. Without implementing these exceptions, virus scanning uses a considerable amount of system
resources. On top of that, the scanning process can temporarily lock files, which could result in a disruption in
the recording process or even corruption of databases.

When you need to perform virus scanning, do not scan Recording Server folders that contain recording
databases (by default C:\mediadatabase\, as well as all subfolders). Also, avoid performing virus scanning on
archive storage directories.

Create the following additional exclusions:

• File types: .blk, .idx, .pic

• Folders and subfolders:

  • C:\Program Files\Milestone or C:\Program Files (x86)\Milestone

  • C:\ProgramData\Milestone\IDP\Logs

  • C:\ProgramData\Milestone\KeyManagement\Logs

  • C:\ProgramData\Milestone\MIPSDK

  • C:\ProgramData\Milestone\XProtect Data Collector Server\Logs

  • C:\ProgramData\Milestone\XProtect Event Server\Logs

  • C:\ProgramData\Milestone\XProtect Log Server

  • C:\ProgramData\Milestone\XProtect Management Server\Logs

  • C:\ProgramData\Milestone\XProtect Mobile Server\Logs

  • C:\ProgramData\Milestone\XProtect Recording Server\Logs

  • C:\ProgramData\Milestone\XProtect Report Web Server\Logs

  • C:\ProgramData\Milestone\XProtect Recording Server\Secure\TablesDb

• Exclude network scanning on the following TCP ports:

  Product            TCP ports
  XProtect VMS       80, 8080, 7563, 25, 21, 9000
  XProtect Mobile    8081

or

• Exclude network scanning of the following processes:

  Product            Processes
  XProtect VMS       VideoOS.Recorder.Service.exe, VideoOS.Server.Service.exe, VideoOS.Administration.exe
  XProtect Mobile    VideoOS.MobileServer.Service.exe

Your organization may have strict guidelines regarding virus scanning, but it is important that you exclude the
above folders and files from virus scanning.
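
The file-type and folder exclusions above can be audited and applied with a script. The following PowerShell is an added example, not part of the Milestone manual, and it assumes the antivirus product is Microsoft Defender Antivirus (the manual does not name a product). It reports which exclusions are already present and adds the missing ones only when run with `-Apply`; the port and process exclusions for network scanning are product-specific and are not covered. The parameter names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: compares Microsoft Defender Antivirus exclusions with the file
# types and folders listed above, and adds the missing ones only with -Apply.
param(
    # Recording database folders; C:\mediadatabase is the default named in the
    # manual. Add your archive storage directories to this list.
    [string[]] $MediaPath = @('C:\mediadatabase'),
    [switch]   $Apply
)

$wantedExtensions = '.blk', '.idx', '.pic'
$wantedFolders = @(
    'C:\Program Files\Milestone'
    'C:\Program Files (x86)\Milestone'
    'C:\ProgramData\Milestone\IDP\Logs'
    'C:\ProgramData\Milestone\KeyManagement\Logs'
    'C:\ProgramData\Milestone\MIPSDK'
    'C:\ProgramData\Milestone\XProtect Data Collector Server\Logs'
    'C:\ProgramData\Milestone\XProtect Event Server\Logs'
    'C:\ProgramData\Milestone\XProtect Log Server'
    'C:\ProgramData\Milestone\XProtect Management Server\Logs'
    'C:\ProgramData\Milestone\XProtect Mobile Server\Logs'
    'C:\ProgramData\Milestone\XProtect Recording Server\Logs'
    'C:\ProgramData\Milestone\XProtect Report Web Server\Logs'
    'C:\ProgramData\Milestone\XProtect Recording Server\Secure\TablesDb'
) + $MediaPath

$current = Get-MpPreference

# Normalize so 'C:\x\' equals 'C:\x' and '.blk' equals 'blk' when comparing.
$haveFolders = @(@($current.ExclusionPath) | Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\') })
$haveExtensions = @(@($current.ExclusionExtension) | Where-Object { $_ } |
    ForEach-Object { $_.TrimStart('.') })

$report = @(
    foreach ($folder in $wantedFolders) {
        $path = $folder.TrimEnd('\')
        [pscustomobject]@{
            Type     = 'Folder'
            Value    = $path
            Exists   = Test-Path -LiteralPath $path
            Excluded = $haveFolders -contains $path
        }
    }
    foreach ($ext in $wantedExtensions) {
        [pscustomobject]@{
            Type     = 'Extension'
            Value    = $ext
            Exists   = $true   # not applicable to file types
            Excluded = $haveExtensions -contains $ext.TrimStart('.')
        }
    }
)

$report | Format-Table -AutoSize

if ($Apply) {
    # Folders that are not on this computer are skipped, so no exclusion is
    # left behind for a path that other software could occupy later.
    foreach ($item in $report | Where-Object { -not $_.Excluded -and $_.Exists }) {
        if ($item.Type -eq 'Folder') {
            Add-MpPreference -ExclusionPath $item.Value
        }
        else {
            Add-MpPreference -ExclusionExtension $item.Value
        }
    }
}
```

Because excluded folders are not scanned, keep write access to them limited to the Milestone service account and administrators.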

How can XProtect VMS be configured to run in FIPS 140-2 compliant mode?
In order to run XProtect VMS in a FIPS 140-2 mode of operation you must:

• Run the Windows operating system in FIPS 140-2 approved mode of operation. See the Microsoft site for
  information on enabling FIPS.

• Ensure standalone third-party integrations can run on a FIPS enabled Windows operating system

• Connect to devices in a way that ensures a FIPS 140-2 compliant mode of operation

• Ensure that data in the media database is encrypted with FIPS 140-2 compliant ciphers

  This is done by running the media database upgrade tool. For detailed information on how to configure
  your XProtect VMS to run in FIPS 140-2 compliant mode, see the FIPS 140-2 compliance section in the
  hardening guide.

Before you install XProtect VMS on a FIPS enabled system


While new XProtect VMS installations can be done on computers that are FIPS-enabled, you cannot upgrade
XProtect VMS when FIPS is enabled on the Windows operating system.

If you are upgrading, before you install, disable the Windows FIPS security policy on all of the computers that
are part of the VMS, including the computer that hosts the SQL server.

The XProtect VMS installer checks the FIPS security policy and will prevent the installation from starting if FIPS
is enabled.

However, if you are upgrading from XProtect VMS version 2020 R3 or later, you do not need to disable FIPS.

After you have installed the XProtect VMS components on all of the computers and prepared the system for
FIPS, you can enable the FIPS security policy on Windows on all of the computers in your VMS.

For detailed information on how to configure your XProtect VMS to run in FIPS 140-2 compliant mode, see the
FIPS 140-2 compliance section in the hardening guide.

Register Software License Code


Before you install, you must have the name and location of the software license file that you received from
Milestone.

You can install a free version of XProtect Essential+. This version provides you with limited capabilities of the
XProtect VMS for a limited number of cameras. You must have an internet connection to install XProtect
Essential+.

The Software License Code (SLC) is printed on your order confirmation and the software license file is named
after your SLC.

Milestone recommends that you register your SLC on our website (https://online.milestonesys.com/) before
installation. Your reseller may have done that for you.

Device drivers (explained)


Your system uses video device drivers to control and communicate with the camera devices connected to a
recording server. You must install device drivers on each recording server on your system.

From the 2018 R1 release, the device drivers are split into two device packs: the regular device pack with newer
drivers and a legacy device pack with older drivers.

The regular device pack is installed automatically when you install the recording server. Later, you can update
the drivers by downloading and installing a newer version of the device pack. Milestone releases new versions
of device drivers regularly and makes them available on the download page
(https://www.milestonesys.com/downloads/) on our website as device packs. When you update a device pack,
you can install the latest version on top of any version you may have installed.

The legacy device pack can only be installed if the system has a regular device pack installed. The drivers from
the legacy device pack are automatically installed if a previous version is already installed on your system. It is
available for manual download and installation on the software download page
(https://www.milestonesys.com/downloads/).

Stop the Recording Server service before you install, otherwise you need to restart the computer.

To ensure best performance, always use the latest version of device drivers.

Requirements for offline installation


If you install the system on a server that is offline, you need the following:

• The Milestone XProtect VMS Products 2023 R1 System Installer.exe file

• The software license file (SLC) for your XProtect system

• OS installation media including the required .NET version
  (https://www.milestonesys.com/systemrequirements/)

Secure communication (explained)


Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP) for
secure communication over a computer network. In HTTPS, the communication protocol is encrypted using
Transport Layer Security (TLS), or its predecessor, Secure Sockets Layer (SSL).

In XProtect VMS, secure communication is obtained by using TLS/SSL with asymmetric encryption (RSA).

TLS/SSL uses a pair of keys—one private, one public—to authenticate, secure, and manage secure connections.

A certificate authority (CA) is anyone who can issue root certificates. This can be an internet service that issues
root certificates, or anyone who manually generates and distributes a certificate. A CA can issue certificates to
web services, that is, to any software using HTTPS communication. This certificate contains two keys, a private
key and a public key. The public key is installed on the clients of a web service (service clients) by installing a
public certificate. The private key is used for signing server certificates that must be installed on the server.
Whenever a service client calls the web service, the web service sends the server certificate, including the
public key, to the client. The service client can validate the server certificate using the already installed public
CA certificate. The client and the server can now use the public and private server certificates to exchange a
secret key and thereby establish a secure TLS/SSL connection.

For manually distributed certificates, certificates must be installed before the client can make such a
verification.

See Transport Layer Security for more information about TLS.

Certificates have an expiry date. XProtect VMS will not warn you when a certificate is
about to expire. If a certificate expires:
• The clients will no longer trust the recording server with the expired certificate and
thus cannot communicate with it
• The recording servers will no longer trust the management server with the expired
certificate and thus cannot communicate with it
• The mobile devices will no longer trust the mobile server with the expired certificate
and thus cannot communicate with it

To renew the certificates, follow the steps in this guide as you did when you created
certificates.

For more information, see the certificates guide about how to secure your XProtect VMS installations.
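
Because XProtect VMS does not warn about expiring certificates, a scheduled check on each server closes that gap. The following PowerShell is an added example, not part of the Milestone manual: it lists server-authentication certificates that have expired or will expire within a threshold. It assumes the certificates are in the local computer's Personal store and uses a 60-day threshold; both are parameters.

```powershell
# Added example: lists certificates in a local certificate store that have
# expired or expire within $WarnDays, so they can be renewed in time.
param(
    [int]    $WarnDays  = 60,                       # assumed threshold
    [string] $StorePath = 'Cert:\LocalMachine\My'   # assumed store location
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication enhanced key usage
$now = Get-Date

$results = foreach ($cert in Get-ChildItem -Path $StorePath) {
    # Keep certificates usable for server authentication. A certificate without
    # an enhanced key usage extension is valid for any purpose, so it is kept.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($eku) {
        $usages = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($usages -notcontains $serverAuthOid) { continue }
    }

    $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
    if ($daysLeft -lt 0) {
        $status = 'Expired'
    }
    elseif ($daysLeft -le $WarnDays) {
        $status = 'Renew'
    }
    else {
        $status = 'OK'
    }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        DaysLeft      = $daysLeft
        HasPrivateKey = $cert.HasPrivateKey   # a server certificate needs its private key
        Status        = $status
    }
}

$results | Sort-Object DaysLeft | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or monitoring agent raise an alert.
if ($results | Where-Object { $_.Status -ne 'OK' }) { exit 1 }
```

Run it on every computer that hosts a management server, recording server or mobile server, since an expired certificate on any of them stops the components that trust it from communicating.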

Installation

Install a new XProtect system

Install XProtect Essential+


You can install a free version of XProtect Essential+. This version provides you with limited capabilities of the
XProtect VMS for a limited number of cameras. You must have an internet connection to install XProtect
Essential+.

This version is installed on a single computer, using the Single computer installation option. The Single
computer option installs all server and client components on the current computer.

Milestone recommends that you read the following section carefully before you install:
Before you start installation on page 129.

For FIPS installations, you cannot upgrade XProtect VMS when FIPS is enabled on the
Windows operating system. Before you install, disable the Windows FIPS security policy
on all of the computers that are part of the VMS, including the computer that hosts the
SQL server. However, if you are upgrading from XProtect VMS version 2020 R3 or later, you
do not need to disable FIPS. For detailed information on how to configure your XProtect
VMS to run in FIPS 140-2 compliant mode, see the FIPS 140-2 compliance section in the
hardening guide.

After initial installation, you can continue with the configuration wizard. Depending on your hardware and
configuration, the recording server scans your network for hardware. You can then select which hardware
devices to add to your system. Cameras are preconfigured in views, and you have the option to enable other
devices such as microphones and speakers. You also have the option of adding users to the system with either
an operator role or an administrator role. After installation, XProtect Smart Client opens, and you are ready to
use the system.

Otherwise, if you close the installation wizard, XProtect Management Client opens, where you can make
manual configurations such as adding hardware devices and users to the system.

If you upgrade from a previous version of the product, the system does not scan for
hardware or create new views and user profiles.


1. Download the software from the internet (https://www.milestonesys.com/downloads/) and run the
Milestone XProtect VMS Products 2023 R1 System Installer.exe file.

2. The installation files unpack. Depending on the security settings, one or more Windows® security
warnings appear. Accept these and the unpacking continues.

3. When done, the Milestone XProtect VMS installation wizard appears.

   1. Select the Language to use during the installation (this is not the language that your system
      uses once installed; this is selected later). Click Continue.

   2. Read the Milestone End-user License Agreement. Select the I accept the terms in the license
      agreement check box and click Continue.

   3. On the Privacy settings page, select whether you want to share usage data, and click Continue.

      You must not enable data collection if you want the system to have an EU
      GDPR-compliant installation. For more information about data protection
      and the usage data collection, see the GDPR privacy guide.

      You can always change your privacy setting later. See also System settings
      (Options dialog box).

   4. Click the XProtect Essential+ link to download a free license file.

      The free license file is downloaded and appears in the Enter or browse to the location of the
      license file field. Click Continue.

4. Select Single computer.

A list of components to install appears (you cannot edit this list). Click Continue.

5. On the Assign a system configuration password page, enter a password that protects your system
configuration. You will need this password in case of system recovery or when expanding your system,
for example when adding clusters.

It is important that you save this password and keep it safe. If you lose this
password, you may compromise your ability to recover your system
configuration.

If you do not want your system configuration to be password protected, select I choose not to use a
system configuration password and understand that the system configuration will not be
encrypted.

Click Continue.


6. On the Assign a mobile server data protection password page, enter a password to encrypt your
investigations. As a system administrator, you will need to enter this password to access the mobile
server data in case of system recovery or when expanding your system with additional mobile servers.

You must save this password and keep it safe. Failure to do so may compromise
your ability to recover mobile server data.

If you do not want your investigations to be password-protected, select I choose not to use a mobile
server data protection password, and I understand that investigations will not be encrypted.

Click Continue.

7. On the Specify recording server settings page, specify the different recording server settings:

   1. In the Recording server name field, enter the name of the recording server. The default is the
      name of the computer.

   2. The Management server address field shows the address and port number of the management
      server: localhost:80.

   3. In the Select your media database location field, select the location where you want to save
      your video recording. Milestone recommends that you save your video recordings in a separate
      location from where you install the software and not on the system drive. The default location is
      the drive with the most space available.

   4. In the Retention time for video recordings field, define for how long you want to save the
      recordings. You can enter between 1 and 365,000 days, where 7 days is the default
      retention time.

   5. Click Continue.


8. On the Select encryption page, you can secure the communication flows:

   • Between the recording servers, data collectors, and the management server

     To enable encryption for internal communication flows, in the Server certificate section, select a
     certificate.

     If you encrypt the connection from the recording server to the
     management server, the system requires that you also encrypt the
     connection from the management server to the recording server.

   • Between the recording servers and clients

     To enable encryption between recording servers and client components that retrieve data
     streams from the recording server, in the Streaming media certificate section, select a
     certificate.

   • Between the mobile server and clients

     To enable encryption between client components that retrieve data streams from the mobile
     server, in the Mobile streaming media certificate section, select a certificate.

   • Between the event server and components that communicate with the event server

     To enable encryption between the event server and components that communicate with the
     event server, including the LPR Server, in the Event server and add-ons section, select a
     certificate.

   You can use the same certificate file for all system components or use different certificate files
   depending on the system components.

   For more information about preparing your system for secure communication, see:

   • Secure communication (explained) on page 138

   • The Milestone guide about certificates

   You can also enable encryption after installation from the Server Configurator in the Management
   Server Manager tray icon in the notification area.


9. On the Select file location and product language page, do the following:

   1. In the File location field, select the location where you want to install the software.

      If any Milestone XProtect VMS product is already installed on the
      computer, this field is disabled. The field displays the location where the
      component will be installed.

   2. In Product language, select the language in which to install your XProtect product.

   3. Click Install.

The software now installs. If not already installed on the computer, Microsoft® SQL Server® Express
and Microsoft IIS are automatically installed during the installation.

10. You may be prompted to restart the computer. After restarting your computer, depending on the
security settings, one or more Windows security warnings may appear. Accept these and the
installation completes.

11. When the installation completes, a list shows the components that are installed on the computer.

Click Continue to add hardware and users to the system.

If you click Close now, you bypass the configuration wizard and XProtect
Management Client opens. You can configure the system, for example add
hardware and users to the system, in Management Client.

12. On the Enter user names and passwords for hardware page, enter the user names and passwords for
hardware that you have changed from the manufacturer defaults.

The installer scans the network for this hardware as well as hardware with manufacturer default
credentials.

Click Continue and wait while the system scans for hardware.

13. On the Select the hardware to add to the system page, select the hardware that you want to add to
the system. Click Continue and wait while the system adds the hardware.


14. On the Configure the devices page, you can give the hardware descriptive names by clicking the edit
icon next to the hardware name. This name is then prefixed to the hardware devices.

Expand the hardware node to enable or disable the hardware devices, such as cameras, speakers, and
microphones.

Cameras are enabled by default, and speakers and microphones are disabled by
default.

Click Continue and wait while the system configures the hardware.

15. On the Add users page, you can add users to the system as Windows users or basic users. The users
can have either the Administrators role or the Operators role.

Define the user and click Add.

When you are done adding users, click Continue.

16. When the installation and initial configuration are done, the Configuration is complete page appears,
where you see:
   • A list of hardware devices that are added to the system

   • A list of users who are added to the system

   • Addresses to the XProtect Web Client and XProtect Mobile client, which you can share with your
     users

When you click Close, XProtect Smart Client opens and is ready to use.

Install your system - Single computer option


The Single computer option installs all server and client components on the current computer.

Milestone recommends that you read the following section carefully before you install:
Before you start installation on page 129.

For FIPS installations, you cannot upgrade XProtect VMS when FIPS is enabled on the
Windows operating system. Before you install, disable the Windows FIPS security policy
on all of the computers that are part of the VMS, including the computer that hosts the
SQL server. However, if you are upgrading from XProtect VMS version 2020 R3 or later, you
do not need to disable FIPS. For detailed information on how to configure your XProtect
VMS to run in FIPS 140-2 compliant mode, see the FIPS 140-2 compliance section in the
hardening guide.


After initial installation, you can continue with the configuration wizard. Depending on your hardware and
configuration, the recording server scans your network for hardware. You can then select which hardware
devices to add to your system. Cameras are preconfigured in views, and you have the option to enable other
devices such as microphones and speakers. You also have the option of adding users to the system with either
an operator role or an administrator role. After installation, XProtect Smart Client opens, and you are ready to
use the system.

Otherwise, if you close the installation wizard, XProtect Management Client opens, where you can make
manual configurations such as adding hardware devices and users to the system.

If you upgrade from a previous version of the product, the system does not scan for
hardware or create new views and user profiles.

1. Download the software from the internet (https://www.milestonesys.com/downloads/) and run the
Milestone XProtect VMS Products 2023 R1 System Installer.exe file.

2. The installation files unpack. Depending on the security settings, one or more Windows® security
warnings appear. Accept these and the unpacking continues.

3. When done, the Milestone XProtect VMS installation wizard appears.

   1. Select the Language to use during the installation (this is not the language that your system
      uses once installed; this is selected later). Click Continue.

   2. Read the Milestone End-user License Agreement. Select the I accept the terms in the license
      agreement check box and click Continue.

   3. On the Privacy settings page, select whether you want to share usage data, and click Continue.

      You must not enable data collection if you want the system to have an EU
      GDPR-compliant installation. For more information about data protection
      and the usage data collection, see the GDPR privacy guide.

      You can always change your privacy setting later. See also System settings
      (Options dialog box).

   4. In the Enter or browse to the location of the license file field, enter your license file from your
      XProtect provider. Alternatively, browse to the file location or click the XProtect Essential+ link
      to download a free license file. For limitations to the free XProtect Essential+ product, see the
      Product comparison on page 107. The system verifies your license file before you can continue.
      Click Continue.


4. Select Single computer.

A list of components to install appears (you cannot edit this list). Click Continue.

5. On the Assign a system configuration password page, enter a password that protects your system
configuration. You will need this password in case of system recovery or when expanding your system,
for example when adding clusters.

It is important that you save this password and keep it safe. If you lose this
password, you may compromise your ability to recover your system
configuration.

If you do not want your system configuration to be password protected, select I choose not to use a
system configuration password and understand that the system configuration will not be
encrypted.

Click Continue.

6. On the Assign a mobile server data protection password page, enter a password to encrypt your
investigations. As a system administrator, you will need to enter this password to access the mobile
server data in case of system recovery or when expanding your system with additional mobile servers.

You must save this password and keep it safe. Failure to do so may compromise
your ability to recover mobile server data.

If you do not want your investigations to be password-protected, select I choose not to use a mobile
server data protection password, and I understand that investigations will not be encrypted.

Click Continue.

7. On the Specify recording server settings page, specify the different recording server settings:

1. In the Recording server name field, enter the name of the recording server. The default is the
name of the computer.

2. The Management server address field shows the address and port number of the management
server: localhost:80.

3. In the Select your media database location field, select the location where you want to save
your video recording. Milestone recommends that you save your video recordings in a separate
location from where you install the software and not on the system drive. The default location is
the drive with the most space available.

4. In the Retention time for video recordings field, define for how long you want to save the
recordings. You can enter between 1 and 365,000 days, where 7 days is the default
retention time.

5. Click Continue.

8. On the Select encryption page, you can secure the communication flows:

• Between the recording servers, data collectors, and the management server

To enable encryption for internal communication flows, in the Server certificate section, select a
certificate.

If you encrypt the connection from the recording server to the
management server, the system requires that you also encrypt the
connection from the management server to the recording server.

• Between the recording servers and clients

To enable encryption between recording servers and client components that retrieve data
streams from the recording server, in the Streaming media certificate section, select a
certificate.

• Between the mobile server and clients

To enable encryption between client components that retrieve data streams from the mobile
server, in the Mobile streaming media certificate section, select a certificate.

• Between the event server and components that communicate with the event server

To enable encryption between the event server and components that communicate with the
event server, including the LPR Server, in the Event server and add-ons section, select a
certificate.

You can use the same certificate file for all system components or use different certificate files
depending on the system components.

For more information about preparing your system for secure communication, see:

• Secure communication (explained) on page 138

• The Milestone guide about certificates

You can also enable encryption after installation from the Server Configurator in the Management
Server Manager tray icon in the notification area.

9. On the Select file location and product language page, do the following:

1. In the File location field, select the location where you want to install the software.

If any Milestone XProtect VMS product is already installed on the
computer, this field is disabled. The field displays the location where the
component will be installed.

2. In Product language, select the language in which to install your XProtect product.

3. Click Install.

The software now installs. If not already installed on the computer, Microsoft® SQL Server® Express
and Microsoft IIS are automatically installed during the installation.

10. You may be prompted to restart the computer. After restarting your computer, depending on the
security settings, one or more Windows security warnings may appear. Accept these and the
installation completes.

11. When the installation completes, a list shows the components that are installed on the computer.

Click Continue to add hardware and users to the system.

If you click Close now, you bypass the configuration wizard and XProtect
Management Client opens. You can configure the system, for example add
hardware and users to the system, in Management Client.

12. On the Enter user names and passwords for hardware page, enter the user names and passwords for
hardware that you have changed from the manufacturer defaults.

The installer scans the network for this hardware as well as hardware with manufacturer default
credentials.

Click Continue and wait while the system scans for hardware.

13. On the Select the hardware to add to the system page, select the hardware that you want to add to
the system. Click Continue and wait while the system adds the hardware.

14. On the Configure the devices page, you can give the hardware descriptive names by clicking the edit
icon next to the hardware name. This name is then prefixed to the hardware devices.

Expand the hardware node to enable or disable the hardware devices, such as cameras, speakers, and
microphones.

Cameras are enabled by default, and speakers and microphones are disabled by
default.

Click Continue and wait while the system configures the hardware.

15. On the Add users page, you can add users to the system as Windows users or basic users. The users
can have either the Administrators role or the Operators role.

Define the user and click Add.

When you are done adding users, click Continue.

16. When the installation and initial configuration are done, the Configuration is complete page appears,
where you see:
• A list of hardware devices that are added to the system

• A list of users who are added to the system

• Addresses to the XProtect Web Client and XProtect Mobile client, which you can share with your
users

When you click Close, XProtect Smart Client opens and is ready to use.

Install your system - Custom option


The Custom option installs the management server, but you can select which other server and client
components you want to install on the current computer. By default, the recording server is not selected in the
component list. Depending on your selections, you can install the system components that you did not select on other
computers afterwards. For more information about each system component and its role, see Product
overview on page 31. Installation on other computers is done through the management server's download
web page named Download Manager. For more information about installation through the Download
Manager, see Download Manager/download web page on page 174.

Milestone recommends that you read the following section carefully before you install:
Before you start installation on page 129.

For FIPS installations, you cannot upgrade XProtect VMS when FIPS is enabled on the
Windows operating system. Before you install, disable the Windows FIPS security policy
on all of the computers that are part of the VMS, including the computer that hosts the
SQL server. However, if you are upgrading from XProtect VMS version 2020 R3 or later, you
do not need to disable FIPS. For detailed information on how to configure your XProtect
VMS to run in FIPS 140-2 compliant mode, see the FIPS 140-2 compliance section in the
hardening guide.

1. Download the software from the internet (https://www.milestonesys.com/downloads/) and run the
Milestone XProtect VMS Products 2023 R1 System Installer.exe file.

2. The installation files unpack. Depending on the security settings, one or more Windows® security
warnings appear. Accept these and the unpacking continues.

3. When done, the Milestone XProtect VMS installation wizard appears.

1. Select the Language to use during the installation (this is not the language that your system
uses once installed; this is selected later). Click Continue.

2. Read the Milestone End-user License Agreement. Select the I accept the terms in the license
agreement check box and click Continue.

3. On the Privacy settings page, select whether you want to share usage data, and click Continue.

You must not enable data collection if you want the system to have an EU
GDPR-compliant installation. For more information about data protection
and the usage data collection, see the GDPR privacy guide.

You can always change your privacy setting later. See also System settings
(Options dialog box).

4. In the Enter or browse to the location of the license file field, enter your license file from your
XProtect provider. Alternatively, browse to the file location or click the XProtect Essential+ link
to download a free license file. For limitations to the free XProtect Essential+ product, see the
Product comparison on page 107. The system verifies your license file before you can continue.
Click Continue.

4. Select Custom. A list of components to be installed appears. Apart from the management server, all
components in the list are optional. The recording server and the mobile server are by default not
selected. Select the system components you want to install and click Continue.

In the steps below, all system components are installed. For a more distributed
system, install fewer system components on this computer and the remaining
system components on other computers. If you cannot recognize an installation
step, it is likely because you have not selected to install the system component
that this page belongs to. In that case, continue to the next step. See also
Installing through Download Manager (explained) on page 156, Install a
recording server through Download Manager on page 158, and Installing silently
through a command line shell (explained) on page 163.

5. The Select a website on the IIS to use with your XProtect system page is shown only if you have
more than one IIS website available on the computer. You must select which website you will use with
your XProtect system. Select a website with HTTPS binding. Click Continue.

If Microsoft® IIS is not installed on the computer, it is installed.

6. On the Select Microsoft SQL Server page, select the SQL Server that you want to use. See also SQL
Server options during custom installation on page 156. Click Continue.

If you do not have a SQL Server on your local computer, you can install Microsoft
SQL Server Express, but in a larger distributed system you would typically use a
dedicated SQL Server on your network.

7. On the Select database page (only shown if you have selected an existing SQL Server), select or create
an SQL database for storing your system configuration. If you choose an existing SQL database, decide
whether to Keep or Overwrite existing data. If you are upgrading, select to keep existing data so you
do not lose your system configuration. See also SQL Server options during custom installation on page
156. Click Continue.

8. On the Assign a system configuration password page, enter a password that protects your system
configuration. You will need this password in case of system recovery or when expanding your system,
for example when adding clusters.

It is important that you save this password and keep it safe. If you lose this
password, you may compromise your ability to recover your system
configuration.

If you do not want your system configuration to be password protected, select I choose not to use a
system configuration password and understand that the system configuration will not be
encrypted.

Click Continue.

9. On the Assign a mobile server data protection password page, enter a password to encrypt your
investigations. As a system administrator, you will need to enter this password to access the mobile
server data in case of system recovery or when expanding your system with additional mobile servers.

You must save this password and keep it safe. Failure to do so may compromise
your ability to recover mobile server data.

If you do not want your investigations to be password-protected, select I choose not to use a mobile
server data protection password, and I understand that investigations will not be encrypted.

Click Continue.

10. On the Select service account for recording server page, select either This predefined account or This
account to select the service account for the recording server.

If needed, enter a password.

The user name for the account must be a single word. It must not have a space.

Click Continue.

11. On the Specify recording server settings page, specify the different recording server settings:

1. In the Recording server name field, enter the name of the recording server. The default is the
name of the computer.

2. The Management server address field shows the address and port number of the management
server: localhost:80.

3. In the Select your media database location field, select the location where you want to save
your video recording. Milestone recommends that you save your video recordings in a separate
location from where you install the software and not on the system drive. The default location is
the drive with the most space available.

4. In the Retention time for video recordings field, define for how long you want to save the
recordings. You can enter between 1 and 365,000 days, where 7 days is the default
retention time.

5. Click Continue.

12. On the Select encryption page, you can secure the communication flows:

• Between the recording servers, data collectors, and the management server

To enable encryption for internal communication flows, in the Server certificate section, select a
certificate.

If you encrypt the connection from the recording server to the
management server, the system requires that you also encrypt the
connection from the management server to the recording server.

• Between the recording servers and clients

To enable encryption between recording servers and client components that retrieve data
streams from the recording server, in the Streaming media certificate section, select a
certificate.

• Between the mobile server and clients

To enable encryption between client components that retrieve data streams from the mobile
server, in the Mobile streaming media certificate section, select a certificate.

• Between the event server and components that communicate with the event server

To enable encryption between the event server and components that communicate with the
event server, including the LPR Server, in the Event server and add-ons section, select a
certificate.

You can use the same certificate file for all system components or use different certificate files
depending on the system components.

For more information about preparing your system for secure communication, see:

• Secure communication (explained) on page 138

• The Milestone guide about certificates

You can also enable encryption after installation from the Server Configurator in the Management
Server Manager tray icon in the notification area.

13. On the Select file location and product language page, select the File location for the program files.

If any Milestone XProtect VMS product is already installed on the computer, this
field is disabled. The field displays the location where the component will be
installed.

14. In the Product language field, select the language in which to install your XProtect product. Click
Install.

The software now installs. When the installation completes, you see a list of successfully installed
system components. Click Close.

15. You may be prompted to restart the computer. After restarting your computer, depending on the
security settings, one or more Windows security warnings may appear. Accept these and the
installation completes.

16. Configure your system in Management Client. See Initial configuration tasks list on page 182.

17. Depending on your selections, install the remaining system components on other computers through
the Download Manager. See Installing through Download Manager (explained) on page 156.

SQL Server options during custom installation

Decide which SQL Server and database to use with the options below.

SQL Server options:

• Install Microsoft® SQL Server® Express on this computer: This option is shown only if you do not
have a SQL Server installed on the computer

• Use the SQL Server on this computer: This option is shown only if a SQL Server is already installed on
the computer

• Select a SQL Server on your network through search: Enables you to search for all SQL Servers that
are discoverable on your network subnet

• Select a SQL Server on your network: Enables you to enter the address (host name or IP address) of a
SQL Server that you might not be able to find through search

SQL database options:

• Create new database: Mainly for new installations

• Use existing database: Mainly for upgrades of existing installations. Milestone recommends that you
reuse the existing SQL database and keep the existing data in it, so you do not lose your system
configuration. You can also choose to overwrite the data in the SQL database

Install new XProtect components

Installing through Download Manager (explained)


If you want to install system components on computers other than where the management server is installed,
you must install these system components through the Management Server's download website Download
Manager.

1. From the computer where Management Server is installed, go to the Management Server's download
web page. In Windows' Start menu, select Milestone > Administrative Installation Page and write
down or copy the internet address for later use when installing the system components on the other
computers. The address is typically http://[management server address]/installation/Admin/default-en-
US.htm.

2. Log in to each of the other computers to install one or more of the other system components:

• Recording Server (For more information, see Install a recording server through Download
Manager on page 158 or Install a recording server silently on page 165)

• Management Client (For more information, see Install a Management Client through Download
Manager on page 157)

• Smart Client

• Event Server

If you are installing the Event Server in a FIPS-compliant environment, you
must disable Windows FIPS 140-2 mode before installation.

• Log Server (For more information, see Install a log server silently on page 167)

• Mobile Server (For more information, see the manual for XProtect Mobile server)

• DLNA Server (For more information, see the manual for XProtect DLNA Server)

3. Open an internet browser, enter the address of the Management Server's download web page into the
address field, and download the relevant installer.

4. Run the installer.

See Install your system - Custom option on page 151 if in doubt about the selections and settings in the
different installation steps.

Install a Management Client through Download Manager


If there are several administrators of the XProtect system or you simply want to manage the XProtect system
from multiple computers, you can install the Management Client by following the instructions below.

The Management Client is always installed on the management server.

1. From the computer where Management Server is installed, go to the Management Server's download
web page. In Windows' Start menu, select Milestone > Administrative Installation Page and write
down or copy the internet address for later use when installing the system components on the other
computers. The address is typically http://[management server address]/installation/Admin/default-en-
US.htm.

2. Log into the computer where you want to install the system component.

1. Open an internet browser and enter the address of the Management Server's download web page into
the address field and press Enter.

3. Click All Languages for the Management Client installer. Run the downloaded file.

4. Click Yes to all warnings. Unpacking starts.

5. Select the language for the installer. Click Continue.

6. Read and accept the license agreement. Click Continue.

7. Select file location and product language. Click Install.

8. The installation is complete. A list of successfully installed components is displayed. Click Close.

9. Click the icon on the desktop to open the Management Client.

10. The Management Client login dialog appears.

11. Specify the host name or the IP address of your management server in the Computer field.

12. Select authentication, enter your user name and password. Click Connect. The Management Client
launches.

To read in detail about the features in the Management Client and what you can accomplish with your
system, click Help in the tools menu.

Install a recording server through Download Manager


If your system components are distributed on separate computers, you can install the recording servers by
following the instructions below.

The recording server is already installed if you made a Single Computer installation, but
you can use the same instructions to add more recording servers if you need more
capacity.

If you need to install a failover recording server, see Install a failover recording server
through Download Manager on page 161.

1. From the computer where Management Server is installed, go to the Management Server's download
web page. In Windows' Start menu, select Milestone > Administrative Installation Page and write
down or copy the internet address for later use when installing the system components on the other
computers. The address is typically http://[management server address]/installation/Admin/default-en-
US.htm.

2. Log into the computer where you want to install the system component.

3. Open an internet browser and enter the address of the Management Server's download web page into
the address field and press Enter.

4. Download the recording server installer by selecting All Languages below the Recording Server
Installer. Save the installer or run it directly from the web page.

5. Select the Language you want to use during the installation. Click Continue.

6. On the Select an installation type page, select:

Typical to install a recording server with default values, or

Custom to install a recording server with custom values.

7. On the Specify recording server settings page, specify the different recording server settings:

1. In the Recording server name field, enter the name of the recording server. The default is the
name of the computer.

2. The Management server address field shows the address and port number of the management
server: localhost:80.

3. In the Select your media database location field, select the location where you want to save
your video recording. Milestone recommends that you save your video recordings in a separate
location from where you install the software and not on the system drive. The default location is
the drive with the most space available.

4. In the Retention time for video recordings field, define for how long you want to save the
recordings. You can enter between 1 and 365,000 days, where 7 days is the default
retention time.

5. Click Continue.

8. The Recording servers IP addresses page is shown only if you selected Custom. Specify the number of
recording servers that you want to install on this computer. Click Continue.

9. On the Select service account for recording server page, select either This predefined account or This
account to select the service account for the recording server.

If needed, enter a password.

The user name for the account must be a single word. It must not have a space.

Click Continue.

10. On the Select encryption page, you can secure the communication flows:

• Between the recording servers, data collectors, and the management server

To enable encryption for internal communication flows, in the Server certificate section, select a
certificate.

If you encrypt the connection from the recording server to the
management server, the system requires that you also encrypt the
connection from the management server to the recording server.

• Between the recording servers and clients

To enable encryption between recording servers and client components that retrieve data
streams from the recording server, in the Streaming media certificate section, select a
certificate.

• Between the mobile server and clients

To enable encryption between client components that retrieve data streams from the mobile
server, in the Mobile streaming media certificate section, select a certificate.

• Between the event server and components that communicate with the event server

To enable encryption between the event server and components that communicate with the
event server, including the LPR Server, in the Event server and add-ons section, select a
certificate.

You can use the same certificate file for all system components or use different certificate files
depending on the system components.

For more information about preparing your system for secure communication, see:

• Secure communication (explained) on page 138

• The Milestone guide about certificates

You can also enable encryption after installation from the Server Configurator in the Management
Server Manager tray icon in the notification area.

11. On the Select file location and product language page, select the File location for the program files.

If any Milestone XProtect VMS product is already installed on the computer, this
field is disabled. The field displays the location where the component will be
installed.

12. In the Product language field, select the language in which to install your XProtect product. Click
Install.

The software now installs. When the installation completes, you see a list of successfully installed
system components. Click Close.

13. When you have installed the recording server, you can check its state from the Recording Server
Manager tray icon and configure it in Management Client. For more information, see Initial
configuration tasks list on page 182.

Install a failover recording server through Download Manager

If you run workgroups, you must use the alternative installation method for failover
recording servers (see Installation for workgroups on page 168).

1. From the computer where Management Server is installed, go to the Management Server's download
web page. In Windows' Start menu, select Milestone > Administrative Installation Page and write
down or copy the internet address for later use when installing the system components on the other
computers. The address is typically http://[management server address]/installation/Admin/default-en-
US.htm.

Log into the computer where you want to install the system component.

2. Open an internet browser and enter the address of the Management Server's download web page into
the address field and press Enter.

3. Download the recording server installer by selecting All Languages below the Recording Server
Installer. Save the installer or run it directly from the web page.

4. Select the Language you want to use during the installation. Click Continue.

5. On the Select an installation type page, select Failover to install a recording server as a failover
recording server.

6. On the Specify recording server settings page, specify the different recording server settings: the
name of the failover recording server, the address of the management server, and the path to the
media database. Click Continue.

7. On the Select service account for recording server page, when installing a failover recording
server, you must use the particular user account named This account. This creates the failover user
account. If needed, enter a password and confirm it. Click Continue.

8. On the Select encryption page, you can secure the communication flows:

• Between the recording servers, data collectors, and the management server

To enable encryption for internal communication flows, in the Server certificate section, select a
certificate.

If you encrypt the connection from the recording server to the
management server, the system requires that you also encrypt the
connection from the management server to the recording server.

• Between the recording servers and clients

To enable encryption between recording servers and client components that retrieve data
streams from the recording server, in the Streaming media certificate section, select a
certificate.

• Between the mobile server and clients

To enable encryption between client components that retrieve data streams from the mobile
server, in the Mobile streaming media certificate section, select a certificate.

• Between the event server and components that communicate with the event server

To enable encryption between the event server and components that communicate with the
event server, including the LPR Server, in the Event server and add-ons section, select a
certificate.

You can use the same certificate file for all system components or use different certificate files
depending on the system components.

For more information about preparing your system for secure communication, see:

• Secure communication (explained) on page 138

• The Milestone guide about certificates

You can also enable encryption after installation from the Server Configurator in the Management
Server Manager tray icon in the notification area.

9. On the Select file location and product language page, select the File location for the program files.

If any Milestone XProtect VMS product is already installed on the computer, this
field is disabled. The field displays the location where the component will be
installed.

10. In the Product language field, select the language in which to install your XProtect product. Click
Install.

The software now installs. When the installation completes, you see a list of successfully installed
system components. Click Close.

11. When you have installed the failover recording server, you can check its state from the Failover Server
service tray icon and configure it in Management Client. For more information, see Initial configuration
tasks list on page 182.

Installing XProtect VMS using non-default ports


An installation of XProtect VMS requires specific ports. In particular, the Management Server and API Gateway
run in the IIS, and certain ports must be available. This topic describes how to install XProtect VMS and use
non-default ports on the IIS. This also applies when installing only the API Gateway.

For an overview of all the ports that the VMS uses, see the XProtect VMS administrator manual
(https://doc.milestonesys.com/2023r1/en-US/portal/htm/chapter-page-mc-administrator-manual.htm).

If IIS is not yet installed on the system, the XProtect VMS installer installs IIS and uses the default website with
default ports.

To avoid using the XProtect VMS default, install the IIS first. Optionally, add a new website or proceed using the
default website.

Add a binding for HTTPS, if it does not already exist, and select a valid certificate on the computer (you will
need to select it during XProtect VMS installation). Edit the port numbers on both HTTP and HTTPS bindings to
available ports of your choosing.

Run the XProtect VMS installer and select a Custom installation.

During the installation, the Select a website on the IIS to use with your XProtect system page appears if
there is more than one website available. You must select which website you will use with your XProtect
system. The installer uses the changed port numbers.
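
The IIS preparation described above, scripted in PowerShell as an added example (this is not Milestone's own tooling). The site name, the ports 8080 and 8443, and the certificate filter are assumptions; any IIS role services that XProtect needs beyond the base web server are not listed here and are assumed to be added by the XProtect installer.

```powershell
#Requires -RunAsAdministrator
# Added example: prepare an IIS website with non-default HTTP/HTTPS ports
# before running the XProtect VMS installer with the Custom option.
# Assumed values (not from the manual): site name and both port numbers.
$SiteName  = 'Default Web Site'
$HttpPort  = 8080
$HttpsPort = 8443

# 1. Install IIS first, so that the XProtect installer does not set up
#    the default website with default ports on its own.
if (Get-Command Install-WindowsFeature -ErrorAction SilentlyContinue) {
    # Windows Server
    Install-WindowsFeature -Name Web-Server -IncludeManagementTools | Out-Null
} else {
    # Windows client editions
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-WebServerRole -All | Out-Null
}
Import-Module WebAdministration

# 2. Stop if something already listens on a chosen port. On a rerun this
#    also triggers for IIS itself; pick the ports once and keep them.
foreach ($port in $HttpPort, $HttpsPort) {
    $listener = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if ($listener) {
        throw "Port $port is already in use by process ID $($listener.OwningProcess)."
    }
}

# 3. Choose a certificate that can serve TLS: it has a private key, is within
#    its validity period, and carries the Server Authentication EKU
#    (1.3.6.1.5.5.7.3.1). Certificates without any EKU extension are skipped
#    by this filter; that is a deliberate, conservative assumption.
$now  = Get-Date
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) {
    throw 'No valid server-authentication certificate found in LocalMachine\My.'
}

# 4. Move the HTTP binding to the non-default port (create it if missing).
$http = Get-WebBinding -Name $SiteName -Protocol http | Select-Object -First 1
if ($http) {
    Set-WebBinding -Name $SiteName -BindingInformation $http.bindingInformation `
        -PropertyName Port -Value $HttpPort
} else {
    New-WebBinding -Name $SiteName -Protocol http -Port $HttpPort -IPAddress '*'
}

# 5. Add the HTTPS binding if it does not already exist, otherwise move it.
$https = Get-WebBinding -Name $SiteName -Protocol https | Select-Object -First 1
if ($https) {
    Set-WebBinding -Name $SiteName -BindingInformation $https.bindingInformation `
        -PropertyName Port -Value $HttpsPort
} else {
    New-WebBinding -Name $SiteName -Protocol https -Port $HttpsPort -IPAddress '*'
}

# 6. Attach the certificate to the HTTPS binding unless one is already bound.
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port $HttpsPort
if (-not $binding.certificateHash) {
    $binding.AddSslCertificate($cert.Thumbprint, 'My')
}

# 7. Show the result. Note the thumbprint: the same certificate has to be
#    selected during the XProtect VMS installation.
Get-WebBinding -Name $SiteName |
    Select-Object protocol, bindingInformation, certificateHash
"Certificate: $($cert.Subject)  Thumbprint: $($cert.Thumbprint)  Expires: $($cert.NotAfter)"
```

After the script completes, run the XProtect VMS installer with the Custom option and select this website when the Select a website on the IIS to use with your XProtect system page appears.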

Installing silently through a command line shell (explained)


With silent installation, system administrators can install and upgrade the XProtect VMS and Smart Client
software over a large network with no user interaction on their part and with as little disturbance to the end
users as possible.

The XProtect VMS and Smart Client installers (.exe files) have different command line arguments. They each
have their own set of command line parameters that can be invoked directly in a command line shell or
through an arguments file. In the command line shell, you can also use command line options with the
installers.

You can combine the XProtect installers, their command line parameters and command line options with tools
for silent distribution and installation of software, like Microsoft System Center Configuration Manager (SCCM,
also known as ConfigMgr). For more information about such tools, visit the manufacturer's website. You can
also use Milestone Software Manager for remote installing and updating of XProtect VMS, device packs, and
Smart Client. For more information, see the administrator manual for Milestone Software Manager.

Command line parameters and arguments files

During silent installation, you can specify settings that are closely linked to the different VMS system
components and their internal communication with command line parameters and arguments files. Command
line parameters and arguments files should only be used for new installations because you cannot change the
settings that the command line parameters represent during an upgrade.

To see the available command line parameters and to generate an arguments file for an installer, in the
command line shell, navigate to the directory where the installer is located and enter the following command:

[NameOfExeFile].exe --generateargsfile=[path]

Example:

MilestoneXProtectRecordingServerInstaller_x64.exe --generateargsfile=c:\temp

In the saved arguments file (Arguments.xml), each command line parameter has a description that explains its
purpose. You can modify and save the arguments file so that the command line parameter values suit your
installation needs.

When you want to use an arguments file with its installer, use the --arguments command line option by
entering the following command:

[NameOfExeFile].exe --quiet --arguments=[path]\[filename]

Example:

"Milestone XProtect VMS Products 2023 R1 System Installer.exe" --quiet --arguments=C:\temp\arguments.xml

Command line options

In the command line shell, you can also combine installers with command line options. The command line
options generally modify the behavior of a command.

To see the full list of command line options, in the command line shell, navigate to the directory where the
installer is located and enter [NameOfExeFile].exe --help. For the installation to be successful, you must
specify a value for command line options that require a value.


You can use both command line parameters and command line options in the same command. Use the
--parameters command line option and divide each command line parameter with a colon (:). In the example
below, --quiet, --showconsole, and --parameters are command line options, and ISFAILOVER and
RECORDERNAME are command line parameters:

MilestoneXProtectRecordingServerInstaller_x64.exe --quiet --showconsole --parameters=ISFAILOVER:true:RECORDERNAME:Failover1

Install a recording server silently


When you install silently, you are not notified when the installation is completed. To get notified, include the
--showconsole command line option in the command. The Milestone XProtect Recording Server tray icon
appears when the installation is completed.

In the command examples below, the text inside square brackets ([ ]) and the square brackets themselves
must be replaced with real values. Example: instead of "[path]" you could enter "d:\program files\",
d:\record\, or \\network-storage-02\surveillance. Use the --help command line option to read about the
legal formats of each command line option value.

1. Log in to the computer where you want to install the Recording Server component.

2. Open an internet browser and enter the address of the Management Server's download web page that
is targeted at the administrators into the address field and press Enter.

The address is typically http://[management server address]:[port]/installation/Admin/default-en-US.htm.

3. Download the recording server installer by selecting All Languages below Recording Server Installer.

4. Open your preferred command line shell. To open Windows Command Prompt, open the Windows Start
menu and enter cmd.

5. Navigate to the directory with the downloaded installer.

6. Continue the installation depending on one of the two scenarios below:

Scenario 1: Upgrade an existing installation, or install on server with the Management Server
component with default values
• Enter the following command and the installation starts.

MilestoneXProtectRecordingServerInstaller_x64.exe --quiet


Scenario 2: Install in a distributed system

1. Enter the following command to generate an arguments file with command line parameters.

MilestoneXProtectRecordingServerInstaller_x64.exe --generateargsfile=[path]

2. Open the arguments file (Arguments.xml) from the specified path and modify the command line
parameter values if needed.

Make sure that you give the command line parameters SERVERHOSTNAME
and SERVERPORT valid values. If not, the installation cannot complete.

4. Save the arguments file.

5. Return to the command line shell and enter the command below to install with the command
line parameter values specified in the arguments file.

MilestoneXProtectRecordingServerInstaller_x64.exe --quiet --arguments=[path]\[filename]

Install XProtect Smart Client silently


When you install silently, you are not notified when the installation is completed. To get notified, include the
--showconsole command line option in the command. A shortcut to XProtect Smart Client appears on the
desktop when the installation is completed.

In the command examples below, the text inside square brackets ([ ]) and the square brackets themselves
must be replaced with real values. Example: instead of "[path]" you could enter "d:\program files\",
d:\record\, or \\network-storage-02\surveillance. Use the --help command line option to read about the
legal formats of each command line option value.

1. Open an internet browser and enter the address of the Management Server's download web page that
is targeted at the end users into the address field and press Enter.

The address is typically http://[management server address]:[port]/installation/default-en-US.htm.

2. Download the XProtect Smart Client installer by selecting All Languages below XProtect Smart Client
Installer.

3. Open your preferred command line shell. To open Windows Command Prompt, open the Windows Start
menu and enter cmd.

4. Navigate to the directory with the downloaded installer.

5. Continue the installation depending on one of the two scenarios below:


Scenario 1: Upgrade an existing installation, or install with default command line parameter
values
• Enter the following command and the installation starts.

"XProtect Smart Client 2023 R1 Installer.exe" --quiet

Scenario 2: Install with customized command line parameter values using an xml arguments file
as input

1. Enter the following command to generate an arguments xml file with command line parameters.

"XProtect Smart Client 2023 R1 Installer.exe" --generateargsfile=[path]

2. Open the arguments file (Arguments.xml) from the specified path and modify the command line
parameter values if needed.

3. Save the arguments file.

4. Return to the command line shell and enter the command below to install with the command
line parameter values specified in the arguments file.

"XProtect Smart Client 2023 R1 Installer.exe" --quiet --arguments=[path]\[filename]

Install a log server silently


When you install silently, you are not notified when the installation is completed. To get notified, include the
--showconsole command line option in the command.

In the command examples below, the text inside square brackets ([ ]) and the square brackets themselves
must be replaced with real values. Example: instead of "[path]" you could enter "d:\program files\",
d:\record\, or \\network-storage-02\surveillance. Use the --help command line option to read about the
legal formats of each command line option value.

1. Log in to the computer where you want to install the Log Server component.

2. Open an internet browser and enter the address of the Management Server's download web page that
is targeted at the administrators into the address field and press Enter.

The address is typically http://[management server address]:[port]/installation/Admin/default-en-US.htm.

3. Download the log server installer by selecting All Languages below Log Server Installer.


4. Open your preferred command line shell. To open Windows Command Prompt, open the Windows Start
menu and enter cmd.

5. Navigate to the directory with the downloaded installer.

6. Continue the installation depending on one of the two scenarios below:

Scenario 1: Upgrade an existing installation, or install with default command line parameter
values
• Enter the following command and the installation starts.

"XProtect Log Server 2023 R1 Installer x64.exe" --quiet --showconsole

Scenario 2: Install with customized command line parameter values using an xml arguments file
as input

1. Enter the following command to generate an arguments xml file with command line parameters.

"XProtect Log Server 2023 R1 Installer x64.exe" --generateargsfile=[path]

2. Open the arguments file (Arguments.xml) from the specified path and modify the command line
parameter values if needed.

3. Save the arguments file.

4. Return to the command line shell and enter the command below to install with the command
line parameter values specified in the arguments file.

"XProtect Log Server 2023 R1 Installer x64.exe" --quiet --arguments=[path]\[filename] --showconsole

Installation for workgroups


If you do not use a domain setup with an Active Directory server, but a workgroup setup, do the following
when you install.

All computers in a distributed setup must either be on a domain or in a workgroup.


1. Log in to Windows using a common administrator account.

Make sure to use the same account on all computers in the system.

2. Depending on your needs, start the management or recording server installation and click Custom.

3. Depending on what you selected in step 2, select to install the Management Server or Recording Server
service using a common administrator account.

4. Finish the installation.

5. Repeat steps 1-4 to install any other systems you want to connect. They must all be installed using a
common administrator account.

Install in a cluster
Before you install in a cluster, see Multiple management servers (clustering) (explained) on page 126 and
Requirements for clustering on page 127.

Descriptions and illustrations might differ from what you see on your screen.

Install the management server:

1. Install the management server and all its sub-components on the first server in the cluster.

The management server must be installed with a specific user and not as a
network service. This requires that you use the Custom install option. Also, the
specific user must have access to the shared network drive and preferably a
non-expiry password.


Configure the Management Server service as a generic service in the failover cluster:

1. On the last server on which you have installed the management server, go to Start > Administrative
Tools, open Windows' Failover Cluster Management. In the Failover Cluster Management window,
expand your cluster, right-click Roles, and select Configure Role.

2. In the High Availability Wizard > Before You Begin page, click Next.

3. On the Select Role page, select Generic Service and click Next.

4. On the Select Service page, select the Milestone XProtect Management Server service and click Next.

5. On the Client Access Point page, specify the name (host name of the cluster) that clients will use when
accessing the service. The host name must be different from the name of the cluster. Click Next.

6. On the Select Storage page, click Next as no storage is required for the service.

7. On the Replicate Registry Settings page, click Next as no registry settings are to be replicated.

8. On the Confirmation page, click Next after you have verified that the cluster service is configured
according to your requirements.

9. On the Configure High Availability page, click Next.

10. On the Summary page, click Finish to complete configuration of the management server as a generic
service in the failover cluster.


11. Right-click the role you just created and click Add resource > Generic Script. Select Milestone XProtect
Event Server to add the Milestone XProtect Event Server service as a resource to the Milestone
XProtect Management Server Cluster service.

12. Repeat step 11 and add all required services in the cluster, for example the Log Server. The Milestone
XProtect Event Server and the Data Collector server should both be added as services to achieve an
optimal deployment. Additionally, the Milestone XProtect Event Server should be set as a dependent
service of the management server to ensure the event server also will stop when the management
server is stopped.

13. All added services are displayed in the bottom pane of the window.


Update the cluster URL:

When doing configuration changes, on the Microsoft Failover Cluster Manager, pause
the control and monitoring of the service so the Server Configurator can make the
changes and start and/or stop the Management Server service. If you change the
failover cluster service startup type to manual, it should not result in any conflicts with
the Server Configurator.

On the Management Server computers:

1. Start the Server Configurator on each of the computers that have a management server installed.

2. Go to the Registration page.

3. Click the pencil symbol to make the management server address editable.

4. Change the management server address to the URL of the cluster, for example http://MyCluster.

5. Click Register.

On computers that have components that use the Management Server (for example, Recording Server, Mobile
Server, Event Server, API Gateway):

1. Start the Server Configurator on each of the computers.

2. Go to the Registration page.

3. Change the management server address to the URL of the cluster, for example http://MyCluster.

4. Click Register.

Use a certificate for an external IDP in a cluster environment


When you install XProtect in a single-server environment, the external IDP configuration data is protected
using Data Protection API (DPAPI). If you set up the management server in a cluster, the external IDP
configuration data must be protected with a certificate to ensure fluent node failover.

For more information about how to generate a certificate, see The Milestone guide about certificates.

You must import the certificate to the personal certificate store and make the certificate trusted on the
computer.

To set up the data protection you must add the thumbprint of the certificate to the Identity Provider
configuration.


1. Import the certificate to the personal certificate store and ensure that:

• the certificate is valid

• the Identity Provider app pool (IDP) account has permissions to the certificate private key.

For more information about how to verify if the account has permissions to the certificate private key,
see The Milestone guide about certificates.

2. Locate the appsettings.json file in the installation path of the Identity Provider (“[Install
path]\Milestone\XProtect Management Server\IIS\Identity Provider”).

3. Set the certificate thumbprint in the section:

"DataProtectionSettings": {
  "ProtectKeysWithCertificate": {
    "Thumbprint": ""
  }
},

4. Repeat step 3 on all management server nodes.

5. Enforce a node failover to ensure that the certificate setup is correct.

6. Log in again using the management client and apply the external provider configuration. If the
configuration is already applied, you must re-enter the client secret from the external IDP in the
management client.
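
A check to run before you enforce the failover in step 5, as an added Python example that is not part of the Milestone manual: it reads the Thumbprint value from each node's appsettings.json, flags empty values and stray characters (a thumbprint copied from the Windows certificate dialog can carry an invisible U+200E), and reports nodes whose value differs from the first node. The node names and thumbprints are constructed, and treating anything other than 40 hex digits as a problem is an assumption.

```python
import json
import unicodedata

HEX_DIGITS = set("0123456789abcdefABCDEF")

# Constructed value, not the thumbprint of a real certificate.
GOOD = "0123456789ABCDEF0123456789ABCDEF01234567"


def _appsettings(thumbprint):
    """Build a constructed appsettings.json fragment holding the section from step 3."""
    return json.dumps(
        {"DataProtectionSettings": {"ProtectKeysWithCertificate": {"Thumbprint": thumbprint}}}
    )


# Constructed input: one file body per management server node (hypothetical node names).
SAMPLE_NODES = {
    "node1": _appsettings(GOOD),
    "node2": _appsettings("\u200e" + GOOD.lower()),  # pasted with a hidden mark
    "node3": _appsettings("89ABCDEF0123456789ABCDEF0123456789ABCDEF"),  # other certificate
    "node4": _appsettings(""),  # step 3 was skipped on this node
}


def read_thumbprint(appsettings_text):
    """Return the configured thumbprint; assumes the file is strict JSON without comments."""
    settings = json.loads(appsettings_text)
    section = settings.get("DataProtectionSettings", {}).get("ProtectKeysWithCertificate", {})
    return section.get("Thumbprint", "")


def normalize(value):
    """Keep only hex digits and upper-case them so values can be compared across nodes."""
    return "".join(ch for ch in value if ch in HEX_DIGITS).upper()


def check_thumbprint(value):
    """List the problems found in one configured thumbprint value."""
    if not value:
        return ["Thumbprint is empty"]
    problems = []
    for ch in sorted(set(value) - HEX_DIGITS):
        if unicodedata.category(ch) in ("Cf", "Cc"):
            problems.append("invisible character U+%04X" % ord(ch))
        else:
            problems.append("unexpected character %r" % ch)
    if len(normalize(value)) != 40:
        problems.append("expected 40 hex digits, found %d" % len(normalize(value)))
    return problems


def audit_nodes(files):
    """Check every node and compare each value with the first node's value."""
    values = {node: read_thumbprint(text) for node, text in files.items()}
    report = {node: check_thumbprint(value) for node, value in values.items()}
    reference_node = next(iter(values))
    reference = normalize(values[reference_node])
    for node, value in values.items():
        if value and normalize(value) != reference:
            report[node].append("differs from %s" % reference_node)
    return report


if __name__ == "__main__":
    for node, problems in audit_nodes(SAMPLE_NODES).items():
        print(node, "OK" if not problems else "; ".join(problems))
```
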

Troubleshooting errors when an external IDP configuration is protected with a certificate

Invalid certificate/expired certificate

If the configured certificate thumbprint represents a certificate that is not trusted or has expired, the Identity
Provider cannot start. The Identity Provider log (C:\ProgramData\Milestone\Identity Provider\Logs\Idp.log) will
clearly state if the certificate is invalid.

Solution:

Make sure that the certificate is valid and trusted on the computer.

Missing permissions to certificate private keys

The Identity Provider cannot protect data without permissions to the private keys. If the Identity Provider does
not have the permission, the following error message is written to the log file of the Identity Provider
(C:\ProgramData\Milestone\Identity Provider\Logs\Idp.log):

ERROR- An exception occurred while processing the key element '<key id="[installation specific]" version="1" />'.
Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Keyset does not exist

Solution:

Make sure the Identity Provider app pool (IDP) account has permissions to the certificate private keys.


Check permissions to a certificate private key:

1. Select Start on the Windows task bar and open the Manage computer certificates tool (certlm.msc).

2. Navigate to the personal certificate store and find the certificate that is used for the encryption.

3. Right-click on the certificate, and select All Tasks > Manage Private Keys.

4. Under Permissions for, ensure that the Identity Provider app pool (IDP) account has read permissions.

Download Manager/download web page


The management server has a built-in web page. This web page enables administrators and end users to
download and install required XProtect system components from any location, locally or remotely.


The web page can display two sets of content, both in a language version that by default matches the
language of the system installation:

• One web page is targeted at administrators, enabling them to download and install key system
components. Most often the web page is automatically loaded at the end of the management server
installation and the default content is displayed. On the management server, you can access the web
page from Windows' Start menu: select Programs > Milestone > Administrative Installation Page.
Otherwise you can enter the URL:

http://[management server address]:[port]/installation/admin/

[management server address] is the IP address or host name of the management server, and [port] is
the port number which you have configured IIS to use on the management server.


• One web page is targeted at end users, providing them access to client applications with default
configuration. On the management server, you can access the web page from Windows' Start menu:
select Programs > Milestone > Public Installation Page. Otherwise you can enter the URL:

http://[management server address]:[port]/installation/

[management server address] is the IP address or host name of the management server, and [port] is
the port number which you have configured IIS to use on the management server.

The two web pages have some default content so you can use them straight away after installation. As
administrator, however, by using the Download Manager, you can customize what should be displayed on the
web pages. You can also move components between the two versions of the web page. To move a component,
right-click it, and select the web page version you want to move the component to.

Even though you can control which components users can download and install in Download Manager, you
cannot use it as a users' permissions management tool. Such permissions are determined by roles defined in
the Management Client.

On the management server, you can access the XProtect Download Manager from Windows' Start menu:
select Programs > Milestone > XProtect Download Manager.

Download Manager's default configuration


The Download Manager has a default configuration. This ensures that your organization's users can access
standard components from the start.

The default configuration provides you a default setup with access to downloading extra or optional
components. Usually you access the web page from the management server computer, but you can also
access the web page from other computers.


• The first level: Refers to your XProtect product

• The second level: Refers to the two targeted versions of the web page. Default refers to the web page
version viewed by end users. Administration refers to the web page version viewed by system
administrators

• The third level: Refers to the languages in which the web page is available


• The fourth level: Refers to the components which are - or can be made - available to users

• The fifth level: Refers to particular versions of each component, which are - or can be made - available
to users

• The sixth level: Refers to the language versions of the components which are - or can be made -
available to users

The fact that only standard components are initially available - and only in the same language version as the
system itself - helps reduce installation time and save space on the server. There is no need to have a
component or language version available on the server if nobody uses it.

You can make more components or languages available as required and you can hide or remove unwanted
components or languages.

Download Manager's standard installers (user)


By default, the following components are available for separate installation from the management server's
download web page targeted at users (controlled by the Download Manager):

• Recording servers, including failover recording servers. Failover recording servers are initially
downloaded and installed as recording servers; during the installation process you specify that you
want a failover recording server.

• Management Client

• XProtect Smart Client

• Event server, used in connection with map functionality

• Log server, used for providing the necessary functionality for logging system information

• XProtect Mobile server

• More options may be available in your organization.

For installation of device packs, see Device pack installer - must be downloaded on page 180.

Add/publish Download Manager installer components


You must complete two procedures to make non-standard components and new versions available on the
management server's download page.

First you add new and/or non-standard components to the Download Manager. Then you use it to fine-tune
which components should be available in the various language versions of the web page.

If the Download Manager is open, close it before installing new components.


Adding new/non-standard files to the Download Manager:

1. On the computer where you downloaded the component(s), go to Windows' Start and open a Command
Prompt.

2. In the Command Prompt, enter the name of the file (.exe) followed by [space]--ss_registration

Example: MilestoneXProtectRecordingServerInstaller_x64.exe --ss_registration

The file is now added to the Download Manager, but not installed on the current computer.

To get an overview of installer commands, in the Command Prompt, enter [space]--help after the name of the
file. A window that lists the commands appears.

When you have installed new components, they are by default selected in the Download Manager and are
immediately available to users via the web page. You can always show or hide features on the web page by
selecting or clearing check boxes in the Download Manager's tree structure.

You can change the sequence in which components are displayed on the web page. In the Download
Manager's tree structure, drag component items and drop them at the required position.

Hide/remove Download Manager installer components


You have three options:

• Hide components from the web page by clearing check boxes in the Download Manager's tree
structure. The components are still installed on the management server, and by selecting check boxes
in the Download Manager's tree structure you can quickly make the components available again


• Remove the installation of components on the management server. The components disappear from
the Download Manager, but installation files for the components are kept at
C:\Program Files (x86)\Milestone\XProtect Download Manager, so you can re-install them later if required

1. In the Download Manager, click Remove features.

2. In the Remove Features window, select the feature(s) you want to remove.

3. Click OK and Yes.

• Remove installation files for non-required features from the management server. This can help save
disk space on the server if you know that your organization is not going to use certain features

Device pack installer - must be downloaded


The device pack (containing device drivers) included in your original installation is not included on the
Download Manager. So, if you need to reinstall the device pack or make the device pack installer available, you
must first add or publish the latest device pack installer to the Download Manager:

1. Get the latest regular device pack from the download page on the Milestone website
(https://www.milestonesys.com/downloads/).

2. On the same page, you can download the legacy device pack with older drivers. To check if your
cameras use drivers from the legacy device pack, go to this website
(https://www.milestonesys.com/community/business-partner-tools/device-packs/).

3. Add/publish it to the Download Manager by calling it with the --ss_registration command.


If you do not have a network connection, you can reinstall the entire recording server from the Download
Manager. The installation files for the recording server are placed locally on your computer and in this way, you
automatically get a reinstall of the device pack.

Installation log files and troubleshooting


During an installation, upgrade or uninstallation, log entries are written to various installation log files: to the
main installation log file installer.log and to the log files belonging to the different system components you are
installing. All log entries have a time stamp and the most recent log entries are at the end of the log files.

You can find all installation log files in the C:\ProgramData\Milestone\Installer\ folder. Log files that are named
*I.log or *I[integer].log are log files about new installations or upgrades while log files named *U.log or
*U[integer].log are about uninstallations. If you have bought a server with an already installed XProtect system
through a Milestone partner, there might not be any installation log files.

The log files contain information about the command-line parameters and command-line options and their
values used during an installation, upgrade or uninstallation. To find the used command-line parameters in the
log files, search for Command Line: or Parameter ' depending on the log file.

For troubleshooting, the main installation log file installer.log is the first place to look. If there were any
exceptions, errors, or warnings during the installation, these have been logged. Try to search for exception,
error, or warning. "Exit code: 0" means a successful installation and "Exit code: 1" the opposite. Your findings
in the log files may enable you to find a solution on Milestone Knowledge Base. If not, contact your Milestone
partner and share the relevant installation log files.
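
The searches described above, as an added Python example that is not Milestone code: it sorts log file names into install/upgrade and uninstall logs, collects the recorded command lines and parameters (worth reviewing before you share a log, since their values are included), and reports the findings and the last exit code. The sample lines and the component file names are constructed; the real line layout may differ.

```python
import re
from dataclasses import dataclass, field

# Constructed sample; only the search strings come from the manual.
SAMPLE_LOG = r"""2023-03-01 10:15:00 Command Line: MilestoneXProtectRecordingServerInstaller_x64.exe --quiet --arguments=C:\temp\arguments.xml
2023-03-01 10:15:01 Parameter 'SERVERHOSTNAME' has value 'mgmt01.example.test'
2023-03-01 10:15:01 Parameter 'SERVERPORT' has value '80'
2023-03-01 10:15:09 Warning: constructed sample warning
2023-03-01 10:15:12 Error: constructed sample error
2023-03-01 10:15:12 Exit code: 1
"""

FINDING = re.compile(r"\b(exception|error|warning)\b", re.IGNORECASE)
EXIT_CODE = re.compile(r"Exit code:\s*(-?\d+)")
LOG_NAME = re.compile(r"([IU])\d*\.log$")  # *I.log, *I[integer].log, *U.log, *U[integer].log


@dataclass
class Triage:
    command_lines: list = field(default_factory=list)    # (line number, text)
    parameter_lines: list = field(default_factory=list)  # (line number, text)
    findings: list = field(default_factory=list)         # (line number, keyword, text)
    exit_code: int = None                                 # last "Exit code:" seen

    @property
    def succeeded(self):
        """True for exit code 0, False for any other code, None if no code was logged."""
        return None if self.exit_code is None else self.exit_code == 0


def classify_log_name(name):
    """Map a file name in the Installer folder to the kind of run it records."""
    if name.lower() == "installer.log":
        return "main"
    match = LOG_NAME.search(name)
    if not match:
        return "other"
    return "install/upgrade" if match.group(1) == "I" else "uninstall"


def triage(text):
    """Scan one log file and collect what the troubleshooting section tells you to search for."""
    result = Triage()
    for number, line in enumerate(text.splitlines(), start=1):
        if "Command Line:" in line:
            result.command_lines.append((number, line))
        elif "Parameter '" in line:
            result.parameter_lines.append((number, line))
        hit = FINDING.search(line)
        if hit:
            result.findings.append((number, hit.group(1).lower(), line))
        code = EXIT_CODE.search(line)
        if code:
            # The most recent entries are at the end, so the last code wins.
            result.exit_code = int(code.group(1))
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("succeeded:", report.succeeded, "exit code:", report.exit_code)
    for number, keyword, line in report.findings:
        print("line %d [%s] %s" % (number, keyword, line))
    print("review before sharing:")
    for number, line in report.command_lines + report.parameter_lines:
        print("line %d %s" % (number, line))
```
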


Configuration

Initial configuration tasks list


The checklist below lists the initial tasks for configuring your system. You may already have completed some of
them during installation.

A completed checklist does not in itself guarantee that the system matches the exact requirements of your
organization. To make the system match the needs of your organization, Milestone recommends that you
monitor and adjust the system continuously.

For example, it is a good idea to test and adjust the motion detection sensitivity settings of individual cameras
under different physical conditions, including day/night and windy/calm weather, once the system is running.

The setup of rules, which determine most of the actions your system performs, including when to record video,
is another example of configuration that you can change according to your organization's needs.

Step Description

You have finished the initial installation of your system.

See Install a new XProtect system on page 140.

Change the trial SLC to a permanent SLC (if required).

See Change the Software License Code on page 117.

Log in to the Management Client.

See Logging in (explained) on page 28.

Verify that each recording server's storage settings meet your needs.

See Storage and archiving (explained) on page 54.

Verify that each recording server's archiving settings meet your needs.

See Storage and Recording Settings properties on page 398.

Detect the hardware, cameras or video encoders to add to each recording server.

See Add hardware on page 203.

Configure each recording server's individual cameras.

See Cameras (Devices node) on page 416.

Enable storage and archiving for individual cameras or for a group of cameras. This is done
from the individual cameras or from the device group.

See Attach a device or group of devices to a storage on page 189.

Enable and configure devices.

See Devices (Devices node) on page 413.

Rules determine the system's behavior to a large extent. You create rules to define when
cameras should record, when pan-tilt-zoom (PTZ) cameras should patrol, and when
notifications should be sent, for example.

Create rules.

See Rules and events (explained) on page 74.

Add roles to the system.

See Roles and permissions of a role (explained) on page 66.

Add users or groups of users to each of the roles.

See Assign/remove users and groups to/from roles on page 273.

Activate licenses.

See Activate licenses online on page 116 or Activate licenses offline on page 116.

For more information about how to configure the system in the Site Navigation pane, see Site Navigation
pane on page 364.

Recording servers

Change or verify the basic configuration of a recording server


If your Management Client does not list all the recording servers you have installed, the most likely reason is
that you have configured the setup parameters (for example, the IP address or host name of the management
server) incorrectly during installation.


You do not need to re-install recording servers to specify the parameters of the management servers. Instead, you
can change or verify the recording server's basic configuration:

1. On the computer that runs the recording server, right-click the Recording Server icon in the notification
area.

2. Select Stop Recording Server service.

3. Right-click the Recording Server icon again and select Change Settings.

The Recording Server Settings window appears.


4. Verify or change, for example, the following settings:


• Management server: Address: Specify the IP address or host name of the management server
to which the recording server should be connected.

• Management server: Port: Specify the port number to be used when communicating with the
management server. You can change this if required, but the port number must always match
the port number set up on the management server. See Ports used by the system on page 91.

• Recording server: Web server port: Specify the port number to be used when communicating
with the recording server's web server. See Ports used by the system on page 91.

• Recording server: Alert server port: Enable and specify the port number to be used when
communicating with the recording server's alert server, which listens for event messages from
devices. See Ports used by the system on page 91.

• SMTP server: Port: Enable and specify the port number to be used when communicating with
the recording server's Simple Mail Transfer Protocol (SMTP) service. See Ports used by the
system on page 91.

5. Click OK.

6. To start the Recording Server service again, right-click the Recording Server icon, and select Start
Recording Server service.

Stopping the Recording Server service means that you cannot record and view live video
while you verify/change the recording server's basic configuration.

Register a recording server


When you install a recording server, it is automatically registered in most cases. But you need to do the
registration manually if:

• You have replaced the recording server

• The recording server was installed offline and then added to the management server afterward

• Your management server does not use the default ports. The port numbers depend on the encryption
configuration. For more information, see Ports used by the system on page 91

• An automatic registration has failed, for example after changing the management server address,
changing the name of the computer with the recording server, or after enabling or disabling server
communication encryption settings. For more information about changes to the management server
address, see Changing the host name of the management server computer.

When you register a recording server, you configure it to connect to your management server. The part of the
management server that handles registration is the Authorization Server service.


1. Open the Server Configurator from either the Windows startup menu or from the recording server tray
icon.

2. In the Server Configurator, select Registering servers.

3. Verify the address of the management server and the scheme (http or https) that you want the servers
on the computer to connect to and click Register.

A confirmation appears, stating that registration on the management server has succeeded.

See also Replace a recording server on page 323.

View encryption status to clients


To verify whether your recording server encrypts connections:


1. Open the Management Client.

2. In the Site Navigation pane, select Servers > Recording Servers. This opens a list of recording servers.

3. In the Overview pane, select the relevant recording server and go to the Info tab.
If encryption is enabled to clients and servers that retrieve data streams from the recording server, a
padlock icon appears in front of the local web server address and the optional web server address.

Specify behavior when recording storage is unavailable


By default, the recording server keeps running if a recording storage becomes unavailable. If your system is
configured with failover recording servers, you can configure the recording server to stop running so that the
failover servers take over:


1. On the relevant recording server, go to the Storage tab.

2. Select the Stop the recording server if a recording storage is unavailable option.

Add a new storage


When you add a new storage, you always create one recording storage with a predefined recording database
named Recording. You cannot rename the database. Apart from the recording storage, a storage can contain
a number of archives.


1. To add an extra storage to a selected recording server, click the button located below the Storage
configuration list. This opens the Storage and Recording Settings dialog box.

2. Specify the relevant settings (see Storage and Recording Settings properties on page 398).

3. Click OK.

If needed, you are now ready to create archive(s) within your new storage.

Create an archive within a storage


A storage has no default archive, but you can create archives as needed.

1. Select the relevant storage in the Recording and archiving configuration list.

2. Click the button below the Recording and archiving configuration list.

3. In the Archive Settings dialog box, specify the required settings (see Archive Settings properties on
page 400).

4. Click OK.

Attach a device or group of devices to a storage


Once a storage is configured for a recording server, you can enable it for individual devices such as cameras,
microphones or speakers or a group of devices. You can also select which of a recording server's storage areas
you want to use for the individual device or the group.

1. Expand Devices and select either Cameras, Microphones or Speakers as required.

2. Select the device or a device group.

3. Select the Record tab.

4. In the Storage area, select Select.

5. In the dialog box that appears, select the database that should store the recordings of the device and
then click OK.

6. In the toolbar, click Save.

When you click the device usage number for the storage area on the Storage tab of the recording server, the
device is visible in the message report that appears.

Disabled devices

Disabled devices are by default not displayed in the Overview pane.

To display all disabled devices, in the top of the Overview pane, click Filter to open the Filter tab and select
Show disabled devices.

To hide disabled devices again, clear Show disabled devices.


Edit settings for a selected storage or archive


1. To edit a storage, select its recording database in the Recording and archiving configuration list. To
edit an archive, select the archive database.

2. Click the Edit Recording Storage button located below the Recording and archiving
configuration list.

3. Either edit a recording database or edit an archive.

If you change the maximum size of a database, the system auto-archives recordings that
exceed the new limit. It auto-archives the recordings to the next archive or deletes them
depending on archiving settings.

Enable digital signing for export

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

You can enable digital signing for recorded video, so that client users can verify that the recorded video has
not been tampered with since it was recorded. Verifying the authenticity of the video is something that the
user does in XProtect Smart Client – Player after the video has been exported.

Signing must also be activated in XProtect Smart Client > Exports tab > Export settings >
XProtect format > Include digital signature. Otherwise, the Verify Signatures button in
XProtect Smart Client – Player is not displayed.

1. In the Site Navigation pane, expand the Servers node.

2. Click Recording Servers.

3. In the overview pane, click the recording server you want to enable signing for.


4. At the bottom of the Properties pane, click the Storage tab.

5. In the Recording and archiving configuration section, double-click the horizontal bar that represents
the recording database. The Storage and Recording Settings window appears.

6. Select the Signing check box.

7. Click OK.

Encrypt your recordings

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

You can secure your recordings by enabling encryption on your recording servers' storage and archives. You
can choose between light and strong encryption. When you enable encryption, you must also specify a related
password.


Enabling or changing encryption settings or password can potentially be time
consuming, depending on the size of the database and performance of the drive. You
can follow the progress under Current Tasks.

Do not stop the recording server while this task is ongoing.


1. Click the Edit Recording Storage button below the Recording and archiving configuration list.


2. In the dialog box that appears, specify the encryption level.

3. You are automatically directed to the Set Password dialog box. Enter a password and click OK.

Back up archived recordings


Many organizations want to back up their recordings by using tape drives or similar. Exactly how you do this is
highly individual and depends on the backup media used in your organization. However, the following is worth
bearing in mind:

Back up archives rather than camera databases

Always create backups based on the content of archives, not based on individual camera databases. If you
create backups based on the content of individual camera databases, you may cause sharing violations or
other malfunctions.

When scheduling a backup, make sure the backup job does not overlap with your specified archiving times. To
view each recording server's archiving schedule in each of a recording server's storage areas, see the Storage tab.

Know your archive structure so that you can target backups

When you archive recordings, you store them in a certain sub-directory structure within the archive.

During all regular use of your system, the sub-directory structure is completely transparent to the system's
users when they browse recordings with XProtect Smart Client. This is true both with archived and
non-archived recordings. It is relevant to know the sub-directory structure (see Archive structure (explained) on
page 59) if you want to back up your archived recordings (see Backing up and restoring system configuration
on page 313).


Delete an archive from a storage


1. Select the archive from the Recording and archiving configuration list.

It is only possible to delete the last archive in the list. The archive does not have
to be empty.

2. Click the button located below the Recording and archiving configuration list.

3. Click Yes.

For unavailable archives, for example offline archives, it is not possible to verify if
the archive contains media with evidence locks but the archive can be deleted
after user confirmation.

Available archives (online archives) that contain media with evidence locks cannot
be deleted.

Delete a storage

You cannot delete the default storage or storages that devices use as the recording storage for live recordings.
This means that you may need to move devices (see Move hardware on page 324) and any not yet archived
recordings to another storage before you delete the storage.

1. To see the list of devices that use this storage, click the device usage number.

If the storage has data from devices that have been moved to another recording
server, a warning appears. Click the link to see the list of devices.

2. Follow the steps in Move non-archived recordings from one storage to another on page 196.

3. Continue until you have moved all devices.

4. Select the storage that you want to delete.

5. Click the button located below the Storage configuration list.

6. Click Yes.


Move non-archived recordings from one storage to another


You move recordings from one live recording database to another from the Record tab of the device.

1. Select the device type. In the Overview pane, select the device.

2. Click the Record tab. In the upper part of the Storage area, click Select.

3. In the Select Storage dialog box, select the database.

4. Click OK.

5. In the Recordings Action dialog box, select whether you want to move already existing, but non-archived,
recordings to the new storage or delete them.

6. Click OK.

Assign failover recording servers


On the Failover tab of a recording server, you can choose between three types of failover setups:

a. No failover setup

b. A primary/secondary failover setup (cold standby)

c. A hot standby setup

If you select b or c, you must select the specific server/groups. With b, you can also select a secondary
failover group. If the recording server becomes unavailable, a failover recording server from the primary
failover group takes over. If you have also selected a secondary failover group, a failover recording server from
the secondary group takes over in case all failover recording servers in the primary failover group are busy. In
this way, you only risk not having a failover solution in the rare case when all failover recording servers in the
primary, as well as in the secondary, failover group are busy.

1. In the Site Navigation pane, select Servers > Recording Servers. This opens a list of recording servers.

2. In the Overview pane, select the required recording server and go to the Failover tab.

3. To choose failover setup type, select between:


• None

• Primary failover server group/Secondary failover server group

• Hot standby server

You cannot select the same failover group as both primary and secondary failover group, nor can you select
regular failover servers that are already part of a failover group as hot standby servers.

4. Next, click Advanced failover settings. This opens the Advanced Failover Settings window, listing all
devices attached to the selected recording server. If you selected None, the advanced failover settings
are also available. The system keeps any selections for later failover setups.


5. To specify the level of failover support, select Full Support, Live Only or Disabled for each device in the
list. Click OK.

6. In the Failover service communication port (TCP) field, edit the port number if needed.

If you enable failover support and the recording server is configured to keep running if a
recording storage is unavailable, the failover recording server will not take over. To
make the failover support work, you must select the Stop the recording server if a
recording storage is unavailable option on the Storage tab.
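
An added example (not Milestone code) that models the failover choices above: which failover recording server takes over, and which combinations this section rules out. The FailoverTab class, the server names, and the use of a group's sequence order to pick the first free server are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class FailoverTab:
    """Constructed stand-in for a recording server's Failover/Storage tabs."""
    server: str
    primary_group: Optional[str] = None
    secondary_group: Optional[str] = None
    hot_standby: Optional[str] = None
    stop_if_storage_unavailable: bool = False


def validate(tab: FailoverTab, groups: Dict[str, List[str]]) -> List[str]:
    """Return the rule violations described in this section."""
    problems = []
    if tab.hot_standby and (tab.primary_group or tab.secondary_group):
        problems.append("choose either failover groups or a hot standby server")
    if tab.secondary_group and not tab.primary_group:
        problems.append("secondary group set without a primary group")
    if tab.primary_group and tab.primary_group == tab.secondary_group:
        problems.append("same group used as primary and secondary")
    for name in (tab.primary_group, tab.secondary_group):
        if name and name not in groups:
            problems.append(f"unknown failover group: {name}")
    if tab.hot_standby and any(tab.hot_standby in m for m in groups.values()):
        problems.append("hot standby server is already in a failover group")
    uses_failover = bool(tab.primary_group or tab.hot_standby)
    if uses_failover and not tab.stop_if_storage_unavailable:
        # The server keeps running on a storage outage, so nothing takes over.
        problems.append("storage outage will not trigger failover")
    return problems


def pick_failover(tab: FailoverTab, groups: Dict[str, List[str]],
                  busy: Set[str]) -> Optional[str]:
    """Server that takes over when tab.server becomes unavailable."""
    if tab.hot_standby:
        return tab.hot_standby
    for name in (tab.primary_group, tab.secondary_group):
        # Assumption: a group's list is in Sequence-tab order and the
        # first server that is not busy is the one that takes over.
        for candidate in groups.get(name, []):
            if candidate not in busy:
                return candidate
    return None  # every server in both groups is busy


# Constructed sample: two failover groups and one recording server.
GROUPS = {"Failover Group 1": ["FO-1", "FO-2"], "Failover Group 2": ["FO-3"]}
REC1 = FailoverTab("REC-1", "Failover Group 1", "Failover Group 2",
                   stop_if_storage_unavailable=True)

if __name__ == "__main__":
    print(validate(REC1, GROUPS))
    print(pick_failover(REC1, GROUPS, busy={"FO-1", "FO-2"}))
```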

Enable multicasting for the recording server


In regular network communication, each data packet is sent from a single sender to a single recipient - a
process known as unicasting. But with multicasting you can send a single data packet (from a server) to
multiple recipients (clients) within a group. Multicasting can help save bandwidth.

• When you use unicasting, the source must transmit one data stream for each recipient

• When you use multicasting, only a single data stream is required on each network segment

Multicasting as described here is not streaming of video from camera to servers, but from servers to clients.

With multicasting, you work with a defined group of recipients, based on options such as IP address ranges, the
ability to enable/disable multicast for individual cameras, the ability to define largest acceptable data packet size
(MTU), the maximum number of routers a data packet must be forwarded between (TTL), and so on.

Multicast streams are not encrypted, even if the recording server uses encryption.

Multicasting should not be confused with broadcasting, which sends data to everyone connected to the
network, even if the data is perhaps not relevant for everyone:

Name | Description
Unicasting | Sends data from a single source to a single recipient.
Multicasting | Sends data from a single source to multiple recipients within a clearly defined group.
Broadcasting | Sends data from a single source to everyone on a network. Broadcasting can therefore significantly slow down network communication.


To use multicasting, your network infrastructure must support the IP multicasting standard IGMP (Internet
Group Management Protocol).

• On the Multicast tab, select the Multicast check box

If the entire IP address range for multicast is already in use on one or more recording servers, you must first release
some multicast IP addresses before you can enable multicasting on additional recording servers.

Multicast streams are not encrypted, even if the recording server uses encryption.

Enable multicasting for individual cameras


Multicasting only works when you enable it for the relevant cameras:

1. Select the recording server and select the required camera in the Overview pane.

2. On the Client tab, select the Live multicast check box. Repeat for all relevant cameras.

Multicast streams are not encrypted, even if the recording server uses encryption.

Define public address and port

If you need to access the VMS with XProtect Smart Client over a public or untrusted
network, Milestone recommends that you use a secure connection through VPN. This
helps ensure that communication between XProtect Smart Client and the VMS server is
protected.

You define a recording server's public IP address on the Network tab.

Why use a public address?

Clients may connect from the local network as well as from the Internet, and in both cases the surveillance
system must provide suitable addresses so the clients can get access to live and recorded video from the
recording servers:

• When clients connect locally, the surveillance system should reply with local addresses and port
numbers

• When clients connect from the internet, the surveillance system should reply with the recording server's
public address. This is the address of the firewall or NAT (Network Address Translation) router, and
often also a different port number. The address and the port can then be forwarded to the server's local
address and port.


1. To enable public access, select the Enable public access check box.

2. Define the recording server's public address. Enter the address of the firewall or NAT router so clients
that access the surveillance system from the Internet can connect to the recording servers.

3. Specify a public port number. It is always a good idea to use port numbers on the firewall or NAT
router that are different from the ones used locally.

If you use public access, configure the firewall or NAT router so requests sent to the
public address and port are forwarded to the local address and port of relevant
recording servers.

Assign local IP ranges

You define a list of local IP ranges which the surveillance system should recognize as coming from a local
network:

• On the Network tab, click Configure
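
The address selection described in this section, modelled as an added example (not Milestone code). The NetworkTab class, its field names, and the sample addresses and ports are constructed for illustration, and the fallback to the local endpoint when public access is off is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NetworkTab:
    """Constructed stand-in for one recording server's Network tab."""
    local_address: str
    local_port: int
    public_access: bool = False
    public_address: Optional[str] = None
    public_port: Optional[int] = None
    # Inclusive (first, last) pairs the system treats as the local network.
    local_ranges: Tuple[Tuple[str, str], ...] = ()


def is_local(client_ip: str, ranges) -> bool:
    """True when client_ip lies inside any configured local IP range."""
    ip = ipaddress.ip_address(client_ip)
    for first, last in ranges:
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"malformed local range {first}-{last}")
        if ip.version == lo.version and lo <= ip <= hi:
            return True
    return False


def endpoint_for(client_ip: str, tab: NetworkTab) -> Tuple[str, int]:
    """Address and port the system hands to a client asking for video."""
    if is_local(client_ip, tab.local_ranges):
        return tab.local_address, tab.local_port
    if tab.public_access and tab.public_address and tab.public_port:
        # Firewall/NAT endpoint; the router forwards it to the local one.
        return tab.public_address, tab.public_port
    # Assumption: without public access only the local endpoint is known.
    return tab.local_address, tab.local_port


def review(tab: NetworkTab) -> List[str]:
    """Flag settings this section advises against."""
    findings = []
    if tab.public_access and not (tab.public_address and tab.public_port):
        findings.append("public access enabled without address and port")
    if tab.public_access and tab.public_port == tab.local_port:
        findings.append("public port is the same as the local port")
    return findings


# Constructed sample values (documentation address ranges, made-up ports).
SAMPLE = NetworkTab(
    local_address="10.20.30.40", local_port=7000,
    public_access=True, public_address="203.0.113.10", public_port=47000,
    local_ranges=(("10.20.0.0", "10.20.255.255"),),
)

if __name__ == "__main__":
    for client in ("10.20.31.5", "198.51.100.77"):
        print(client, "->", endpoint_for(client, SAMPLE))
    print(review(SAMPLE))
```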

Filter the device tree


The device tree in the Overview pane can become very large if you have many registered devices. You can
filter the device tree to more easily locate the devices you want to work with.

By providing filter terms that are unique to a few specific devices, you can effectively only display these specific
devices.

Filter the device tree

• In the top of the Overview pane, click Filter to open the Filter tab.

• In the Type here to filter devices field, enter one or more filter criteria and click Apply filter to filter the
device list.

Filter criteria characteristics

The filter criteria are applied to the device name, device short name, hardware address (IP), device ID, and
hardware ID field values.

Partial filter matches are not displayed when filtering hardware ID and device ID field values. As a result, you
must define the complete and exact identification number when filtering by hardware ID or device ID.

Partial filter matches are displayed for device name, device short name, and hardware address field values, so
the filter term “camer” will display all devices that contain the word “camera” in the device name.

Filter criteria are not case sensitive; using "camera" or "Camera" as filter criteria will yield
the same results.


Specifying multiple filter criteria

You can specify multiple filter criteria and thereby further narrow your filtering of the device tree. When the
filter is applied, all defined filter criteria are joined with an AND, meaning they are
cumulative.

For example, if you have entered two filter criteria, “Camera” and “Warehouse”, the list displays all devices
that contain both “Camera” and “Warehouse” in the device name. It does not display devices that contain
“Camera” and “Parking Lot” in the device name, nor devices that contain only “Camera”
in the device name.

If you have specified a filter that is too restrictive, remove individual filter criteria from the filter field to
broaden your filter. The filter is automatically applied to the device tree when you remove filter criteria.

Resetting the filter

If you remove all filter criteria from the filter field, the Overview pane is reset and will display all devices once
again.

You can also press F5 to reset the filter and clear the Show disabled devices check box.

Disabled devices

Disabled devices are by default not displayed in the Overview pane.

To display all disabled devices, in the top of the Overview pane, click Filter to open the Filter tab and select
Show disabled devices.

To hide disabled devices again, clear Show disabled devices.

Failover servers

Set up and enable failover recording servers

If you have disabled the failover recording server, you must enable it before it can take
over from the standard recording servers.

Do the following to enable a failover recording server and edit its basic properties:

1. In the Site Navigation pane, select Servers > Failover Servers. This opens a list of installed failover
recording servers and failover groups.

2. In the Overview pane, select the required failover recording server.

3. Right-click and select Enabled. The failover recording server is now enabled.

4. To edit failover recording server properties, go to the Info tab.


5. When done, go to the Network tab. Here you can define the failover recording server's public IP
address and more. This is relevant if you use NAT (Network Address Translation) and port forwarding.
See the standard recording server's Network tab for more information.

6. In the Site Navigation pane, select Servers > Recording Servers. Select the recording server that you
want failover support for and assign failover recording servers (see Failover tab (recording server) on
page 401).

To see the status of a failover recording server, hold your mouse over the Failover Recording Server Manager
tray icon in the notification area. A tooltip appears containing the text entered in the Description field of the
failover recording server. This may help you determine which recording server the failover recording server is
configured to take over from.

The failover recording server pings the management server on a regular basis to verify
that it is online and able to request and receive the configuration of the standard
recording servers when needed. If you block the pinging, the failover recording server is
not able to take over from the standard recording servers.

Group failover recording servers for cold standby


1. Select Servers > Failover Servers. This opens a list of installed failover recording servers and failover
groups.

2. In the Overview pane, right-click the top-node Failover Groups and select Add Group.

3. Specify a name (in this example, Failover Group 1) and, optionally, a description for your new group.
Click OK.

4. Right-click the group (Failover Group 1) you just created. Select Edit Group Members. This opens the
Select Group Members window.

5. Drag and drop or use the buttons to move the selected failover recording server(s) from the left side to
the right side. Click OK. The selected failover recording server(s) now belong to the group (Failover
Group 1) you just created.

6. Go to the Sequence tab. Click Up and Down to set the internal sequence of the regular failover
recording servers in the group.

View encryption status on a failover recording server


To verify if your failover recording server uses encryption, do the following:

1. In the Site Navigation pane, select Servers > Failover Servers. This opens a list of failover recording
servers.

2. In the Overview pane, select the relevant recording server and go to the Info tab.
If encryption is enabled to clients and servers that retrieve data streams from the recording server, a
padlock icon appears in front of the local web server address and the optional web server address.

View status messages


1. On the failover recording server, right-click the Milestone Failover Recording Server service icon.

2. Select Show Status Messages. The Failover Server Status Messages window appears, listing time-
stamped status messages.

View version information


Knowing the exact version of your Failover Recording Server service is an advantage if you need to contact
product support.


1. On the failover recording server, right-click the Milestone Failover Recording Server service icon.

2. Select About.

3. A small dialog box opens that shows the exact version of your Failover Recording Server service.

Hardware

Add hardware

You have several options for adding hardware to each recording server in your system.

If your hardware is located behind a NAT-enabled router or a firewall, you may need to
specify a different port number and configure the router/firewall so it maps the port and
IP addresses that the hardware uses.

The Add Hardware wizard helps you detect hardware like cameras and video encoders on your network and
add them to the recording servers on your system. The wizard also helps you add remote recording servers for
Milestone Interconnect setups. Only add hardware to one recording server at a time.

1. To access Add Hardware, right-click the required recording server and select Add Hardware.

2. Select one of the wizard options (see below) and follow the instructions on the screen.

3. After installation, you can see the hardware and its devices in the Overview pane.

Certain hardware must be pre-configured when adding the hardware for the first time.
An additional Pre-configure hardware devices wizard will appear when adding such
hardware. See Hardware pre-configuration (explained) on page 51 for more information.

Add Hardware (dialog)

Hardware represents either:

• The physical unit that connects directly to the recording server of the surveillance system via IP, for
example a camera, a video encoder, an I/O module

• A recording server on a remote site in a Milestone Interconnect setup

For more information about how to add hardware to your system, see Add hardware on page 203.


Name | Description
Express (Recommended) | The system scans automatically for new hardware on the recording server's local network. Select the Show hardware running on other recording servers check box to see if detected hardware is running on other recording servers. You can select this option every time you add new hardware to your network and want to use it in your system. You cannot use this option to add remote systems in Milestone Interconnect setups. To add both HTTP and HTTPS hardware, run Express detection with the HTTPS (Secure) radio button selected, and then with the HTTP (Unsecure) radio button selected.
Address range scanning | The system scans your network for relevant hardware and Milestone Interconnect remote systems based on your specifications of: hardware user names and passwords (not needed if your hardware uses the factory default user names and passwords); drivers; IP ranges (IPv4 only); port number (default = 80). You can select this option when you only want to scan a part of your network, for example, when you expand your system.
Manual | Specify details about each hardware and Milestone Interconnect remote systems separately. This can be a good choice if you want to add only a few pieces of hardware, and you know their IP addresses, relevant user names and passwords or if a camera does not support the automatic discovery function.
Remote connect hardware | The system scans for hardware connected via a remotely connected server. You can use this option if you have installed servers for, for example, the Axis One-click Camera Connection. You cannot use this option to add remote systems in Milestone Interconnect setups.


Disable / enable hardware


Added hardware is by default enabled.

You can see if hardware is enabled or disabled in this way:

Enabled
Disabled

To disable added hardware, for example, for licensing or performance purposes:

1. Expand the recording server, right-click the hardware you want to disable.

2. Select Enabled to clear or select it.

Edit hardware

Right-click on added hardware and select Edit Hardware to modify the network configuration and user
authentication settings of hardware in Management Client.

Edit Hardware (dialog)

For some hardware, the Edit Hardware dialog also lets you apply settings directly to the
hardware device.

If the Edit Management Client settings radio button is selected, the Edit Hardware dialog displays the
settings which Management Client uses to connect to the hardware. To ensure the hardware device is added
to the system properly, enter the same settings you use to connect to the manufacturer's hardware
configuration interface:

Name | Description
Name | Displays the name of the hardware alongside its detected IP address (in parenthesis).
Hardware URL | The web address of the manufacturer's hardware configuration interface, typically containing the IP address of the hardware. Specify a valid address in your network.
User name | The user name used to connect to the hardware. The user name that you enter here does not change the user name on the actual hardware device. Select the Edit Management Client and hardware settings radio button to modify settings on supported hardware devices.
Password | The password used to connect to the hardware. The password that you enter here does not change the password on the actual hardware device. Select the Edit Management Client and hardware settings radio button to modify settings on supported hardware devices. For information about how to change passwords on multiple hardware devices, see Change passwords on hardware devices on page 211.

As a system administrator, you need to give other users permission to view the password
in Management Client. For more information, see Role settings under Hardware.

If the Edit Management Client and hardware settings radio button is selected (for supported hardware), the
Edit Hardware dialog displays settings which are also applied directly to the hardware device:

Applying the settings with this radio button selected will overwrite the current settings
on the hardware device. The hardware will momentarily lose connection to the recording
server while the settings are applied.

Name: Displays the name of the hardware alongside its detected IP address (in parentheses).

Network Configuration: The network settings of the hardware. To adjust the network settings, select
Configure on page 207.

Configure: Specify the Internet Protocol (for supported hardware devices) using the IP version
dropdown list.

• For IPv4, the values must be in the format: (0-999).(0-999).(0-999).(0-999)

• For IPv6, the values must be in the format of eight groups of hexadecimal digits each separated
by a colon. The subnet mask must be a number between 0-128.

The Check button tests whether there is currently another hardware device in the system that is
using the entered IP address.

Check cannot detect conflicts with hardware devices that are turned off, outside of the XProtect VMS
system, or otherwise momentarily not responding.

User name: The user name and level used to connect to the hardware. Select another user from the
dropdown list and add a new password using the Password field described below.

Add or delete users using the underlined actions at the bottom of the Authentication section (see
Add a user on page 208 or Delete users on page 208).

Selecting a user that does not have the highest user level specified by the manufacturer could
result in some features not being available.

Password: The password used to connect to the hardware. View the currently entered text using the
Reveal icon.

When changing the password, consult the manufacturer's documentation for the password rules for
the specific hardware device, or use the Generate Password icon to automatically generate a
password that matches the requirements.

For information about how to change passwords on multiple hardware devices, see Change passwords
on hardware devices on page 211.

As a system administrator, you need to give other users permission to view the password in
Management Client. For more information, see Role settings under Hardware.

Add a user: Select the underlined Add link to open the Add a User dialog and add a user to the
hardware device.

Adding a user will automatically set it as the currently active user and overwrite the previously
entered credentials.

When creating the password, consult the manufacturer's documentation for the password rules for
the specific hardware device, or use the Generate Password icon to automatically generate a
password that matches the requirements.

The highest user level detected on the hardware device will automatically be preselected. It is
not recommended to modify the User level from its default value.

Selecting a User level that is not the highest specified by the manufacturer could result in some
features not being available.

Delete users: Select the underlined Delete link to open the Delete Users dialog and remove users
from the hardware device.

You cannot delete the currently active user. To set a new user, use the Add a User dialog
described above, then remove the old user using this interface.

Enable / disable individual devices


Cameras are by default enabled.


Microphones, speakers, metadata, inputs and outputs are by default disabled.

This means that microphones, speakers, metadata, inputs and outputs must be individually enabled before
you can use them in the system. The reason for this is that surveillance systems rely on cameras, whereas the
use of microphones and so on is highly individual depending on the needs of each organization.

You can see if devices are enabled or disabled (the examples show an output):

Disabled
Enabled

The same method for enabling/disabling is used for cameras, microphones, speakers, metadata, inputs, and
outputs.

1. Expand the recording server and the device. Right-click the device you want to enable.

2. Select Enabled to clear or select it.

Set up a secure connection to the hardware


You can set up a secure HTTPS connection using SSL (Secure Sockets Layer) between the hardware and the
recording server.

Consult your camera vendor to get a certificate for your hardware and upload it to the hardware, before you
continue with the steps below:

1. In the Overview pane, right-click the recording server and select the hardware.

2. On the Settings tab, enable HTTPS. This is not enabled by default.

3. Enter the port on the recording server to which the HTTPS connection is connected. The port number
must correspond with the port set up on the device’s homepage.

4. Make changes as needed and save.


Enable PTZ on a video encoder


To enable the use of PTZ cameras on a video encoder, do the following on the PTZ tab:

1. In the list of devices connected to the video encoder, select the Enable PTZ box for the relevant
cameras:

2. In the PTZ Device ID column, verify the ID of each camera.

3. In the COM Port column, select which video encoder's COM (serial communications) ports to use for
control of the PTZ functionality:

4. In the PTZ Protocol column, select which positioning scheme you want to use:

• Absolute: When operators use PTZ controls for the camera, the camera is adjusted relative to a
fixed position, often referred to as the camera's home position

• Relative: When operators use PTZ controls for the camera, the camera is adjusted relative to its
current position

The content of the PTZ protocol column varies a lot depending on the hardware. Some have 5 to 8
different protocols. See also the camera documentation.

5. In the toolbar, click Save.

6. You are ready to configure preset positions and patrolling for each PTZ camera:

• Add a preset position (type 1)

• Add a patrolling profile


Change passwords on hardware devices

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

You can change passwords on multiple hardware devices in one operation.

Initially, the supported devices are models from Canon, Axis, Bosch, Hanwha, Panasonic, Sony, Hikvision, and
ONVIF compatible hardware devices, but the user interface shows you directly if a model is supported or not.
You can also go to our website to find out if a model is supported:
https://www.milestonesys.com/community/business-partner-tools/supported-devices/

For devices that do not support device password management, you must change the
password of a hardware device from its web page and then manually enter the new
password in Management Client. For more information, see Edit hardware on page 205.

You can choose to:

• Let the system generate individual passwords for each hardware device. The system generates
passwords based on the requirements from the manufacturer of the hardware devices.

• Use a single user-defined password for all hardware devices.

When you apply the new passwords, the hardware devices lose connection to the recording server
momentarily. After you have applied new passwords, the result for each hardware device appears on
the screen. For unsuccessful changes, the reason for failure appears if the hardware device
supports such information. From within the wizard, you can create a report of successful and
failed password changes, but the results are also logged under Server logs.

For hardware devices with ONVIF drivers and multiple user accounts, only an
administrator of XProtect with administrative permissions of the hardware device
can change passwords from the VMS.

Requirements:
• The hardware device model supports device password management by Milestone.

Steps:

1. In the Site Navigation pane, select the Recording Servers node.

2. Right-click the relevant recording server or hardware in the overview pane.

3. Select Change Hardware Password. A wizard appears.


4. Type the password using lowercase and uppercase letters, numbers, and the following characters: ! ( ) * - . _

The maximum password length is 64 characters.

The maximum password length for the Bosch FLEXIDOME IP outdoor 5000 MP
NDN-50051 camera is 19 characters.

5. Follow the instructions on the screen to complete the changes.

The Password last changed field shows the time stamp of the latest password
change based on the local time settings of the computer that the password was
changed from.

6. The last page shows the result. If the system could not update a password, click Failed next to the
hardware device to see the reason.

7. You can also click the Print report button to see the full list of successful and unsuccessful updates.

8. In case you want to change the password on the hardware devices that failed, click Retry, and the
wizard starts over with the failed hardware devices.

If you select Retry, you can no longer access the report from the first time you
completed the wizard.

Due to security restrictions, some hardware devices might become unavailable for a certain period
if you fail to change the password several times in a row. Security restrictions vary for
different manufacturers.
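
The character set and length limits from step 4, shown as an added example (not Milestone code): a Python checker and generator for the single user-defined password option, which must fit every selected device at once. It assumes "letters" means ASCII letters; the function names, the model-to-limit dictionary and the rule of one character from each class are choices made for this example.

```python
import secrets
import string

# Symbols the wizard accepts, copied from step 4 of the procedure.
ALLOWED_SYMBOLS = "!()*-._"
# Assumption: "letters" in step 4 means ASCII letters only.
ALLOWED_CHARS = string.ascii_letters + string.digits + ALLOWED_SYMBOLS
MAX_LENGTH = 64  # general maximum stated in the manual

# Model-specific maximum stated in the manual. The dictionary itself is this
# example's construct; extend it from the manufacturers' documentation.
BOSCH_NDN_50051 = "Bosch FLEXIDOME IP outdoor 5000 MP NDN-50051"
MODEL_MAX_LENGTH = {BOSCH_NDN_50051: 19}

CHAR_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    ALLOWED_SYMBOLS,
)


def max_length_for(models=()):
    """Smallest length limit across all models that will share one password."""
    return min([MAX_LENGTH] + [MODEL_MAX_LENGTH.get(m, MAX_LENGTH) for m in models])


def check_password(password, models=()):
    """Return a list of problems; an empty list means the wizard's rules are met."""
    problems = []
    limit = max_length_for(models)
    if not password:
        problems.append("password is empty")
    if len(password) > limit:
        problems.append(f"longer than {limit} characters")
    bad = sorted({c for c in password if c not in ALLOWED_CHARS})
    if bad:
        problems.append("characters not accepted: " + " ".join(repr(c) for c in bad))
    return problems


def generate_password(models=(), length=None):
    """Random password from the accepted set that fits every model in `models`.

    Requiring one character from each class is this example's policy, not a
    rule from the manual. Rejection sampling keeps the result uniformly
    distributed over all passwords that satisfy it.
    """
    limit = max_length_for(models)
    if length is None:
        length = limit
    if not len(CHAR_CLASSES) <= length <= limit:
        raise ValueError(f"length must be between {len(CHAR_CLASSES)} and {limit}")
    while True:
        candidate = "".join(secrets.choice(ALLOWED_CHARS) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in CHAR_CLASSES):
            return candidate


if __name__ == "__main__":
    # Constructed device selection: one unrestricted model plus the Bosch model.
    fleet = ["Constructed model A", BOSCH_NDN_50051]
    print("shared length limit:", max_length_for(fleet))
    print("problems:", check_password("Spring 2023#", fleet))
    print("generated password passes:", check_password(generate_password(fleet), fleet) == [])
```

Checking a candidate before starting the wizard avoids repeated failed attempts, which on some devices trigger the temporary lockout described above.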

Update firmware on hardware devices

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

Management Client allows you to update the firmware of hardware that has been added to your VMS system.
You can update firmware for multiple hardware devices simultaneously if they are compatible with the same
firmware file.


The user interface shows you directly if a model supports firmware updates. You can also go to the Milestone
website to find out if a model is supported:
https://www.milestonesys.com/community/business-partner-tools/supported-devices/

For devices that do not support firmware updates, you must update the firmware of a
hardware device from its web page.

When you update firmware, the hardware devices lose connection to the recording server momentarily.

After you have updated the firmware, the result for each hardware device appears on the screen. For
unsuccessful changes, the reason for failure appears if the hardware device supports such information. The
results are also logged under Server logs.

For hardware devices with ONVIF drivers and multiple user accounts, only an
administrator of XProtect with administrative permissions of the hardware device can
update firmware from the VMS.

Requirements:
• The hardware device model supports firmware updates by Milestone.

Steps:

1. In the Site Navigation pane, select the Recording Servers node.

2. Right-click the relevant recording server or hardware in the overview pane.

3. Select Update hardware firmware. A wizard appears.

4. Follow the instructions on the screen to complete the changes.

You may only update multiple hardware devices that are compatible with the
same firmware file. Hardware that is added through the ONVIF driver is found
under other, rather than its manufacturer name.

6. The last page shows the result. If the system could not update the firmware, click Failed next to the
hardware device to see the reason.

Milestone does not take responsibility for hardware device malfunction if an incompatible
firmware file or hardware device is selected.


Add and configure an external IDP


1. In Management Client, select Tools > Options and open the External IDP tab.

2. In the External IDP section, select Add.

3. Enter the information for the external IDP. For more information about the information that is required,
see External IDP.

For information about how to register the claims from the external IDP that you want to use in the VMS, see
Register claims from an external IDP.

Devices - Groups

Add a device group


1. In the Overview pane, right-click the device type under which you want to create a device group.

2. Select Add Device Group.

3. In the Add Device Group dialog box, specify a name and description of the new device group:

The description appears when you pause the mouse pointer over the device group in the device group
list.

4. Click OK. A folder representing the new device group appears in the list.

5. Continue to specify which devices to include in a device group (see Specify which devices to include in a
device group on page 214).

Specify which devices to include in a device group


1. In the Overview pane, right-click the relevant device group folder.

2. Select Edit Device Group Members.

3. In the Select Group Members window, select one of the tabs to locate the device.

A device can be a member of more than one device group.


4. Select the devices you want to include, and click Add or double-click the device:

5. Click OK.

6. If you exceed the limit of 400 devices in one group, you can add device groups as subgroups under
other device groups:

Disabled Devices

Disabled devices are by default not displayed in the Overview pane.

To display all disabled devices, in the top of the Overview pane, click Filter to open the Filter tab and select
Show disabled devices.

To hide disabled devices again, clear Show disabled devices.

Specify common properties for all devices in a device group


With device groups, you can specify common properties for all devices within a given device group:

1. In the Overview pane, click the device group.

In the Properties pane, all properties which are available on all of the device group's devices are
listed and grouped on tabs.

2. Specify the relevant common properties.

On the Settings tab, you can switch between settings for all devices and settings for individual devices.

3. In the toolbar, click Save. The settings are saved on the individual devices, not in the device group.



Enable/disable devices via device groups


You can enable/disable devices only via the configured hardware. Unless manually enabled/disabled in the add
hardware wizard, camera devices are by default enabled and all other devices are by default disabled.

Disabled devices are by default not displayed in the Overview pane.

To display all disabled devices, in the top of the Overview pane, click Filter to open the Filter tab and select
Show disabled devices.

To hide disabled devices again, clear Show disabled devices.

To locate a device via the device groups to enable or disable:

1. In the Site Navigation pane, select the device.

2. In the Overview pane expand the relevant group and find the device.

3. Right-click the device, and select Go To Hardware.

4. Click the plus node to see all devices on the hardware.

5. Right-click the device you want to enable/disable, and select Enabled.

Devices - Camera settings

View or edit camera settings


1. In the Site Navigation pane, select Devices and then select Cameras.

2. Select the relevant camera in the Overview pane.

3. Open the Settings tab.

You can view or edit settings, such as:

• Default frame rate

• Resolution

• Compression

• The maximum number of frames between keyframes

• On-screen date/time/text display for a selected camera, or for all cameras within a device group


The drivers for the cameras determine the content of the Settings tab. The drivers vary depending on the type
of camera.

For cameras that support more than one type of stream, for example MJPEG and MPEG-4/H.264/H.265, you can
use multi-streaming. See Manage multi-streaming on page 221.

Preview

When you change a setting, you can quickly verify the effect of your change if you have the Preview pane
enabled.

• To enable Preview, click the View menu and then click Preview Window.

You cannot use the Preview pane to judge the effect of frame rate changes because the Preview pane's
thumbnail images use another frame rate defined in the Options dialog box.

Performance

If you change the settings for Max. frames between keyframes and Max. frames between keyframes mode,
it may lower the performance of some functionalities in XProtect Smart Client. For example, XProtect Smart
Client requires a keyframe to start showing video, so a longer period between keyframes prolongs the
XProtect Smart Client startup.

Enable and disable fisheye lens support


The fisheye lens support is disabled by default.

1. In the Site Navigation pane, select Devices and then select Cameras.

2. Select the relevant PTZ camera in the Overview pane.

3. On the Fisheye Lens tab, select or clear the Enable fisheye lens support check box.

Specify fisheye lens settings

1. On the Fisheye Lens tab, select the lens type.

2. Specify the physical position/orientation of the camera from the Camera position/orientation list.

3. Select a Registered Panomorph Lens (RPL) number from the ImmerVision Enables® panomorph RPL
number list.

This ensures the identification and correct configuration of the lens used with the camera. You usually
find the RPL number on the lens itself or on the box it came in. For details of ImmerVision, panomorph
lenses, and RPLs, see the Immervision website (https://www.immervisionenables.com/).

If you select the Generic dewarping lens profile, remember to configure the desired Field of view.


Devices - Recording

Enable/disable recording
Recording is by default enabled. To enable/disable recording:

1. In the Site Navigation pane, select Recording Servers.

2. Select the relevant device in the Overview pane.

3. On the Record tab, select or clear the Recording check box.

You must enable recording for the device before you can record data from the camera. A
rule that specifies the circumstances for a device to record does not work if you have
disabled recording for the device.

Enable recording on related devices


For camera devices, you can enable recording for related devices, for example, microphones that are
connected to the same recording server. It means that the related devices record when the camera records.

Recording on related devices is enabled by default for new camera devices, but you can disable and enable
it as you want. For existing camera devices in the system, the check box is cleared by default.

1. In the Site Navigation pane, select Recording Servers.

2. Select the relevant camera device in the Overview pane.

3. On the Record tab, select or clear the Record on related devices check box.

4. On the Client tab, specify the devices that relate to this camera.

If you want to enable recording on related devices that are connected to another recording server, you must
create a rule.

Manage manual recording


Stop manual recording after is enabled by default with a recording time of five minutes. This is to ensure that
the system automatically stops all recordings started by the XProtect Smart Client users.

1. In the Site Navigation pane, select Devices.

2. Select the relevant device in the Overview pane.

3. On the Record tab, select or clear the Stop manual recording after check box.


When you enable it, specify a recording time. The number of minutes you specify must be sufficiently large to
accommodate the requirements of the various manual recordings without overloading the system.

Add to roles:

You must grant the permission to start and stop manual recording to the client users on each camera in Roles
on the Device tab.

Use in rules:

The events you can use when you create rules related to manual recording are:

• Manual Recording Started

• Manual Recording Stopped

Specify recording frame rate


You can specify the recording frame rate for JPEG.

1. In the Site Navigation pane, select Devices.

2. Select the relevant device in the Overview pane.

3. On the Record tab, in the Recording frame rate: (JPEG) box, select or enter the recording frame rate (in
FPS, frames per second).

Enable keyframe recording


You can enable keyframe recording for MPEG-4/H.264/H.265 streams. It means that the system switches
between recording keyframes only and recording all frames depending on your rule settings.

You can, for example, let the system record keyframes when there is no motion in the view and switch to all
frames only in case of motion detection to save storage.

1. In the Site Navigation pane, select Devices.

2. Select the relevant device in the Overview pane.

3. On the Record tab, select the Record keyframes only check box.

4. Set up a rule that activates the function, see Actions and stop actions.



Save and retrieve remote recording


To ensure that all remote recordings are saved in case of network issues, you can enable automatic retrieval of
recordings once connection is re-established.

1. In the Site Navigation pane, select Devices.

2. Select the relevant device in the Overview pane.

3. Under Remote recordings, select Automatically retrieve remote recordings when connection is
restored. This enables automatic retrieval of recordings once connection is re-established.

The remote recording option is only available if the selected camera supports edge
storage or is a camera in a Milestone Interconnect setup.

The type of hardware selected determines where recordings are retrieved from:

• For a camera with local recording storage, recordings are retrieved from the camera's local recording
storage

• For a Milestone Interconnect remote system, recordings are retrieved from the remote systems'
recording servers

You can use the following functionality independently of the automatic retrieval:

• Manual recording

• The Retrieve and store remote recordings from <devices> rule

• The Retrieve and store remote recordings between <start and end time> from <devices> rule


Delete recordings
1. In the Site Navigation pane, select Devices.

2. Select the relevant device in the Overview pane and select the Recording tab.

3. Click the Delete All Recordings button to delete all recordings for the device or device group.

This method can only be used if you have added all devices in the group to the same server. Protected data is
not deleted.

Devices - Streaming

Add a stream

1. On the Streams tab, click Add. This adds a second stream to the list.

2. In the Name column, edit the name of the stream. The name appears in XProtect Smart Client.

3. In the Live Mode column, select when live streaming is needed:

• Always: the stream runs even if no XProtect Smart Client users request the stream

• Never: the stream is off. Only use this for recording streams, for example, if you want recordings
in high quality and need the bandwidth

• When needed: the stream starts when a user of XProtect Smart Client requests it

4. In the Default column, select which stream is default.

5. In the Record column, select the check box if you want to record this stream or leave it cleared if you
only want to use it for live video.

6. Click Save.

If you set a stream to Default or Record, the stream is always running independent of
the Live Mode setting. Selecting When needed and selecting Always have the same effect in the
system, and if you select Never, the stream is running but cannot be viewed live.

If you do not want the streams to run at all unless someone is viewing live video, you can
modify the Default Start Feed Rule to start on request with the predefined Live Client
Feed Requested event.

Manage multi-streaming

Viewing live video and playing back recorded video do not necessarily require the same video quality and
frame rate. You can have either one stream for live viewing and another stream for playback purposes or
multiple separate live streams with different resolution, encoding, and frame rate settings.


To change which stream to use for recording

For live streaming, you can set up and use as many live streams as the camera supports, but you can only
select one stream for recording at a time.

1. In the Site Navigation pane, select Devices.

2. Select the relevant camera in the Overview pane.

3. On the Streams tab, select the Record check box for the stream to be recorded.

Limit data transmission

You can set up a set of conditions to ensure that video streams only run when viewed by a client.

To manage streaming and limit unnecessary data transmission, streaming does not start when the following
conditions are met:

1. In the Site Navigation pane, select Devices.

2. Select the relevant camera in the Overview pane.

3. On the Streams tab, on the Live Mode list, select When needed.

4. On the Record tab, clear the Recording check box.

5. On the Motion tab, clear the Motion detection check box.

If these conditions are met, video streams will only run when viewed by a client.

Examples

Example 1, live and recorded video:

• For viewing live video, your organization may prefer H.264 at a high frame rate

• For playing back recorded video, your organization may prefer MJPEG at a lower frame rate to preserve
disk space

Example 2, local and remote live video:

• For viewing live video from a locally connected operating point, your organization may prefer H.264 at
a high frame rate to have the highest quality of video available

• For viewing live video from a remotely connected operating point, your organization may prefer
MJPEG at a lower frame rate and quality to preserve network bandwidth

Example 3, adaptive streaming:

• For viewing live video and decreasing the load on the CPU and GPU of the XProtect Smart Client
computer, your organization may prefer multiple high frame rate H.264/H.265 streams but with different
resolutions to match the resolution requested by XProtect Smart Client when using adaptive streaming.
For more information, see Smart Client Profiles (Client node) on page 450.


If you enable Live multicast on the camera's Client tab (see Client tab (devices)), it only
works on the default video stream.

Even when cameras support multi-streaming, individual multi-streaming capabilities may vary between
different cameras. See the camera's documentation for more information.

To see if a camera offers different types of streams, see Settings tab (devices).

Devices - Storage

Manage pre-buffering
Cameras, microphones and speakers support pre-buffering. For speakers, the streams are only sent when the
XProtect Smart Client user uses the Talk to speaker function. This means that depending on how your speaker
streams are triggered to be recorded there is little or no pre-buffering available.

In most cases, you set up speakers to record when the XProtect Smart Client user uses the Talk to speaker
function. In such cases, no speaker pre-buffer is available.

To use the pre-buffer function, the devices must be enabled and sending a stream to the
system.

Enable and disable pre-buffering

Pre-buffering is enabled by default with a pre-buffer size of three seconds and storage to the memory.

1. In the Site Navigation pane, select Devices.

2. Select the relevant device in the Overview pane.

3. On the Record tab, select or clear the Pre-buffer check box.

4. On the Client tab, specify the devices that relate to this camera.

Specify storage location and pre-buffer period

Temporary pre-buffer recordings are stored either in the memory or on the disk:

1. In the Site Navigation pane, select Devices.

2. Select the relevant device in the Overview pane and select the Record tab.

3. On the Location list, select Memory or Disk, and specify the number of seconds.

4. If you require a pre-buffer period of more than 15 seconds, select Disk.


The number of seconds you specify must be sufficiently large to accommodate your requirements in the
various recording rules you define.

If you change the location to Memory, the system reduces the period to 15 seconds automatically.

Use pre-buffer in rules

When you create rules that trigger recording, you can select that recordings should start some time before the
actual event (pre-buffer).

Example: The below rule specifies that recording should start on the camera 5 seconds before motion is
detected on the camera.

To use the pre-buffer recording function in the rule, you must enable pre-buffering on
the device being recorded and you must set the pre-buffer length to at least the same
length as specified in the rule.

Monitor the status of databases for devices


1. In the Site Navigation pane, select Devices.

2. Select the relevant device in the Overview pane and select the Recording tab.

Under Storage, you can monitor and manage the databases for a device or a group of devices added to the
same recording server.

Above the table, you can see the selected database and its status. In this example, the selected database is the
default Local Default and the status is Recordings also located on other recording servers. The other server
is the recording server in building A.


Possible statuses for selected database

Recordings also located on other recording servers: The database is active and running and has
recordings located in storages on other recording servers as well.

Archives also located in old storage: The database is active and running and has archives located in
other storages as well.

Active: The database is active and running.

Data for some of the devices chosen is currently moving to another location: The database is active
and running and the system is moving data for one or more selected devices in a group from one
location to another.

Data for the device is currently moving to another location: The database is active and running and
the system is moving data for the selected device from one location to another.

Information unavailable in failover mode: The system cannot collect status information about the
database when the database is in failover mode.

Further down in the window, you can see the status of each database (OK, Offline or Old Storage), the location
of each database and how much space each database uses.

If all servers are online, you can see the total space used for the entire storage in the Total used space field.

For information about configuration of storage, see Storage tab (recording server).

Move devices from one storage to another

When you select a new location to store recordings, the existing recordings will not be
moved. They will remain in the current location, with the conditions defined by the
configuration of the storage they belong to.

1. In the Site Navigation pane, select Devices.

2. Select the relevant device in the Overview pane and select the Recording tab.

3. Click Select under Storage to select a recording storage for your devices to record in.

The recordings will archive according to the configuration for the storage that you select.

Devices - Motion detection

Motion detection (explained)


Motion detection configuration is a key element in your system: Your motion detection configuration
determines when the system generates motion events and typically also when video is recorded.

Time spent on finding the best possible motion detection configuration for each camera helps you later avoid,
for example, unnecessary recordings. Depending on the physical location of the camera, it may be a good idea
to test motion detection settings under different physical conditions such as day/night and windy/calm
weather.

You can specify settings related to the amount of changes required in a camera's view in order for the change
to be regarded as motion. You can, for example, specify intervals between motion detection analysis and areas
of a view in which motion should be ignored. You can also adjust the accuracy of the motion detection and
thereby the load on system resources.


Image quality

Before you configure motion detection for a camera, Milestone recommends that you have configured the
camera's image quality settings, for example resolution, video codec and stream settings. You do this on the
Settings tab in the Properties window for the device. If you later change image quality settings, you should
always test any motion detection configuration afterwards.

Privacy masks

If you have defined areas with permanent privacy masks, there is no motion detection
within these areas.

Enable and disable motion detection

Specify the default setting of motion detection for cameras

1. On the Tools menu, click Options.

2. On the General tab, under When adding new camera devices automatically enable, select the Motion
detection check box.

Enable or disable motion detection for a specific camera

1. In the Site Navigation pane, select Devices and then select Cameras.

2. Select the relevant camera in the Overview pane.

3. On the Motion tab, select or clear the Motion detection check box.

When you disable motion detection for a camera, motion detection-related rules for the
camera do not work.

Enable or disable hardware acceleration


Automatic hardware accelerated video decoding for motion detection is the default setting when you add a
camera. The recording server uses GPU resources if they are available. This reduces the CPU load during
video motion analysis and improves the general performance of the recording server.

To enable or disable hardware acceleration

1. In the Site Navigation pane, select Devices.

2. Select the relevant camera in the Overview pane.

3. On the Motion tab, under Hardware acceleration select Automatic to enable hardware acceleration or
select Off to disable the setting.


Use of GPU resources

Hardware accelerated video decoding for motion detection uses GPU resources on:

• Intel CPUs that support Intel Quick Sync

• NVIDIA® display adapters connected to your recording server

Load balancing and performance

The load balancing between the different resources is done automatically. In the System Monitor node you
can verify if the current motion analysis load on the NVIDIA GPU resources is within the specified limits from
the System Monitor Thresholds node. The NVIDIA GPU load indicators are:

• NVIDIA decoding

• NVIDIA memory

• NVIDIA rendering

If the load is too high, you can add GPU resources to your recording server by installing
multiple NVIDIA display adapters. Milestone does not recommend the use of Scalable
Link Interface (SLI) configuration of your NVIDIA display adapters.

NVIDIA products have different compute capabilities.

Hardware accelerated video decoding for motion detection using NVIDIA GPUs requires
compute capability version 6.x (Pascal) or newer.

• To find the compute capability version of your NVIDIA product, visit the NVIDIA website
(https://developer.nvidia.com/cuda-gpus/).

• To see if video motion detection is hardware accelerated for a specific camera, enable logging in the
recording server log file. Set the level to Debug, and diagnostics are logged to DeviceHandling.log. The log
follows the pattern:
[time] [274] DEBUG – [guid] [name] Configured decoding: Automatic: Actual decoding: Intel/NVIDIA
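
One way to read those DeviceHandling.log entries in bulk and list the cameras that are not decoding on a GPU. This is an added example, not Milestone code: the sample lines are constructed, and the timestamp layout, GUIDs, camera names and the value "Software" are assumptions; only the "Configured decoding ... Actual decoding" tail, the Automatic/Off settings and the Intel/NVIDIA values come from the manual.

```python
import re

# Tail of the pattern quoted in the manual. The separator after DEBUG is
# accepted as an en dash or a hyphen; everything between it and
# "Configured decoding" is kept verbatim as the device identification.
LINE_RE = re.compile(
    r"DEBUG\s+[–-]\s+(?P<device>.*?)\s*"
    r"Configured decoding:\s*(?P<configured>[^:]+?):\s*"
    r"Actual decoding:\s*(?P<actual>\S.*?)\s*$"
)

# The manual names Intel and NVIDIA as the hardware decoders.
HW_DECODERS = {"intel", "nvidia"}

# Constructed sample lines (assumed timestamp layout, GUIDs, names and the
# non-GPU value "Software"); they are not taken from a real log file.
SAMPLE_LOG = """\
2023-03-01 10:15:02.114 [274] DEBUG – [11111111-1111-1111-1111-111111111111] [Lobby cam] Configured decoding: Automatic: Actual decoding: Intel
2023-03-01 10:15:02.377 [274] DEBUG – [22222222-2222-2222-2222-222222222222] [Dock cam] Configured decoding: Automatic: Actual decoding: NVIDIA
2023-03-01 10:15:03.001 [274] DEBUG – [33333333-3333-3333-3333-333333333333] [Gate cam] Configured decoding: Automatic: Actual decoding: Software
2023-03-01 10:15:03.500 [274] INFO – Constructed unrelated entry
2023-03-01 10:20:00.000 [274] DEBUG – [22222222-2222-2222-2222-222222222222] [Dock cam] Configured decoding: Off: Actual decoding: Software
"""


def parse_line(line):
    """Return a dict for a decoding line, or None for any other line."""
    match = LINE_RE.search(line)
    if match is None:
        return None
    actual = match.group("actual")
    return {
        "device": match.group("device"),
        "configured": match.group("configured"),
        "actual": actual,
        "accelerated": actual.lower() in HW_DECODERS,
    }


def latest_state(lines):
    """Map each device to its most recent decoding entry (later lines win)."""
    state = {}
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            state[entry["device"]] = entry
    return state


def not_accelerated(lines):
    """Devices whose latest entry reports anything other than Intel or NVIDIA."""
    return sorted(
        device
        for device, entry in latest_state(lines).items()
        if not entry["accelerated"]
    )


if __name__ == "__main__":
    sample = SAMPLE_LOG.splitlines()
    for device, entry in latest_state(sample).items():
        print(device, entry["configured"], "->", entry["actual"])
    print("Not hardware accelerated:", not_accelerated(sample))
```
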

The OS version of the recording server and CPU generation may impact performance of hardware accelerated
video motion detection. GPU memory allocation is often the bottleneck with older versions (typical limit is
between 0.5 GB and 1.7 GB).

Systems based on Windows 10 / Server 2016 and 6th generation CPU (Skylake) or newer can allocate 50% of
system memory to GPU and thereby remove or reduce this bottleneck.

6th generation Intel CPUs provide hardware accelerated decoding of H.265, so the performance is
comparable with H.264 for these versions of CPU.


Enable manual sensitivity to define motion


The sensitivity setting determines how much each pixel in the image must change before it is regarded as
motion.

1. In the Site Navigation pane, select Devices, and then select Cameras.

2. Select the relevant camera in the Overview pane.

3. Select the Motion tab's Manual Sensitivity check box.

4. Drag the slider to the left for a higher sensitivity level, and to the right for a lower sensitivity level.

The higher the sensitivity level, the less change is allowed in each pixel before it is regarded as motion.

The lower the sensitivity level, the more change in each pixel is allowed before it is regarded as motion.

Pixels in which motion is detected are highlighted in green in the preview image.

5. Select a slider position in which only detections you consider motion are highlighted.

You can compare and set the exact sensitivity setting between cameras by using the number on the right side of
the slider.

Specify threshold to define motion


The motion detection threshold determines how many pixels in the image must change before it is regarded
as motion.

1. Drag the slider to the left for a higher motion level, and to the right for a lower motion level.

2. Select a slider position in which only detections that you consider motion are detected.

The black vertical line in the motion indication bar shows the motion detection threshold: When detected
motion is above the selected detection threshold level, the bar changes color from green to red, indicating a
positive detection.


Motion indication bar: changes color from green to red when above the threshold, indicating a positive motion
detection.

Specify exclude regions for motion detection


You can configure all the settings for a group of cameras, but you would typically set the exclude regions per
camera.

Areas with permanent privacy masks are also excluded from motion detection. Select
the Show privacy masks check box to display them.

Excluding motion detection from specific areas helps you avoid detection of irrelevant motion, for example if
the camera covers an area where a tree is swaying in the wind or where cars regularly pass by in the
background.

When you use exclude regions with PTZ cameras and you pan-tilt-zoom the camera, the excluded area does
not move accordingly because the area is locked to the camera image, and not the object.

1. To use exclude regions, select the Use exclude regions check box.

A grid divides the preview image into selectable sections.

2. To define exclude regions, drag the mouse pointer over the required areas in the preview image while
you press the left mouse button. The right mouse button clears a grid section.

You can define as many exclude regions as needed. Excluded regions appear in blue:

The blue exclude areas only appear in the preview image on the Motion tab, not in any other preview images
in the Management Client or access clients.
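
The sensitivity, threshold and exclude region settings described above interact: sensitivity is a test on each pixel, the threshold is a count over the image, and exclude regions and permanent privacy masks remove grid cells from that count. The model below is an added example, not Milestone's algorithm; the 4x4 grid, the 0-255 pixel scale, the field names and the frames are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

GRID = 4  # assumed: the preview is divided into GRID x GRID selectable cells


@dataclass
class MotionConfig:
    # Sensitivity: smallest per-pixel change (0-255) that counts as changed.
    # A lower value corresponds to a higher sensitivity level.
    pixel_delta: int
    # Threshold: number of changed pixels needed for a positive detection.
    min_changed_pixels: int
    # Grid cells (row, col) marked as exclude regions.
    excluded_cells: set = field(default_factory=set)
    # Grid cells covered by permanent privacy masks (also excluded).
    permanent_mask_cells: set = field(default_factory=set)


def cell_of(x, y, width, height):
    """Grid cell (row, col) that pixel (x, y) falls into."""
    return (y * GRID // height, x * GRID // width)


def analyse(prev, curr, cfg):
    """Compare two grayscale frames and apply the three settings."""
    height, width = len(curr), len(curr[0])
    ignored = cfg.excluded_cells | cfg.permanent_mask_cells
    changed = suppressed = 0
    for y in range(height):
        for x in range(width):
            if abs(curr[y][x] - prev[y][x]) < cfg.pixel_delta:
                continue  # below the sensitivity setting: not a changed pixel
            if cell_of(x, y, width, height) in ignored:
                suppressed += 1  # changed, but inside an ignored cell
            else:
                changed += 1
    return {
        "changed": changed,
        "suppressed": suppressed,
        "motion": changed >= cfg.min_changed_pixels,
    }


def paint(frame, rows, cols, value):
    """Return a copy of frame with a rectangle set to value."""
    out = [row[:] for row in frame]
    for y in rows:
        for x in cols:
            out[y][x] = value
    return out


# Constructed 8x8 frames: a swaying tree in the lower right corner (small
# change per pixel) and a person near the centre (large change per pixel).
BACKGROUND = [[100] * 8 for _ in range(8)]
TREE_ONLY = paint(BACKGROUND, range(4, 8), range(6, 8), 130)
PERSON_AND_TREE = paint(TREE_ONLY, range(2, 4), range(2, 4), 160)
TREE_CELLS = {(2, 3), (3, 3)}

if __name__ == "__main__":
    print("no exclusion:", analyse(BACKGROUND, TREE_ONLY, MotionConfig(20, 3)))
    print("tree excluded:", analyse(BACKGROUND, TREE_ONLY, MotionConfig(20, 3, TREE_CELLS)))
    print("person + tree:", analyse(BACKGROUND, PERSON_AND_TREE, MotionConfig(20, 3, TREE_CELLS)))
    print("low sensitivity:", analyse(BACKGROUND, PERSON_AND_TREE, MotionConfig(50, 3)))
```

The suppressed count shows how much change an exclude region or permanent mask hides from detection, which is the figure to look at when reviewing regions on a camera whose view has changed.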


Devices - Preset camera positions

The Home preset position


You define a camera's Home preset position on the camera's homepage. The PTZ capabilities available on the
homepage depend on the camera.

Add a preset position (type 1)


To add a preset position for the camera:


1. In the Site Navigation pane, select Devices and then select Cameras.

2. Select the relevant PTZ camera in the Overview pane.

3. On the Presets tab, click New. The Add Preset window appears:


4. The Add Preset window displays a live preview image from the camera. Use the navigation buttons
and/or sliders to move the camera to the required position.

5. Specify a name for the preset position in the Name field.

6. Optionally, enter a description of the preset position in the Description field.

7. Select Locked if you want to lock the preset position. Only users with sufficient permissions can unlock
the position afterwards.

8. Click Add to specify presets. Keep adding until you have the presets you want.

9. Click OK. The Add Preset window closes, and adds the position to the Presets tab's list of available
preset positions for the camera.

Use preset positions from the camera (type 2)


As an alternative to specifying preset positions in the system, you can specify preset positions for some PTZ
cameras on the camera itself. You can typically do this by accessing a product-specific configuration web page.

1. In the Site Navigation pane, select Devices and then select Cameras.

2. Select the relevant PTZ camera in the Overview pane.

3. On the Presets tab, select Use presets from device to import the presets into the system.

Any presets you have previously defined for the camera are deleted. This affects any defined rules and
patrolling schedules and removes the presets available to XProtect Smart Client users.

4. Click Delete to delete presets that your users do not need.

5. Click Edit if you want to change the display name of the preset (see Rename a preset position (type 2
only)).

6. If you later want to edit such device-defined presets, edit on the camera and then re-import.

Assign a camera's preset position as default


If required, you can assign one of a PTZ camera's preset positions as the camera's default preset position.

It can be useful to have a default preset position because it allows you to define rules that specify that the PTZ
camera should go to the default preset position under particular circumstances, for example after you have
operated the PTZ camera manually.

1. In the Site Navigation pane, select Devices and then select Cameras.

2. Select the relevant PTZ camera in the Overview pane.

3. On the Presets tab, under Preset positions, select the preset in your list of defined preset positions.

4. Select the Default preset check box below the list.

You can only define one preset position as the default preset position.


If you have selected Use default preset as PTZ home position in Options > General, the default preset
position will be used instead of the PTZ camera's defined home position.

Specify the default preset as the PTZ Home position


Management Client and XProtect Smart Client users with the necessary user permissions can set up the
system to use the default preset position instead of the home position of PTZ cameras with the Home button
in a client.

A default preset position must be defined for the camera. If a default preset position is not defined, nothing
will happen when activating the Home button in a client.

Enable setting the PTZ home position

1. Select Tools > Options.

2. On the General tab, in the Recording Server group, select Use default preset as PTZ home position.

3. Assign a preset position as the default preset position for the camera.

To assign a default preset position, see Assign a camera's preset position as default.

See also System settings (Options dialog box).

Edit a preset position for a camera (type 1 only)


To edit an existing preset position defined in the system:

1. In the Site Navigation pane, select Devices, and then select Cameras.

2. Select the relevant camera in the Overview pane.

3. On the Presets tab, under Preset positions, select the preset position in the list of available preset
positions for the camera.


4. Click Edit. This opens the Edit Preset window:

5. The Edit Preset window displays live video from the preset position. Use the navigation buttons and/or
sliders to change the preset position as required.

6. Change the name/number and description of the preset position if needed.

7. Select Locked if you want to lock the preset position. Only users with sufficient permissions can unlock
the position afterwards.


8. Click OK.

Rename a preset position for a camera (type 2 only)


To edit the name of a preset position defined in the camera:

1. In the Site Navigation pane, select Devices and then select Cameras.

2. Select the relevant PTZ camera in the Overview pane.

3. Select the preset position in the Presets tab's list of available presets for the camera.

4. Click Edit. This opens the Edit Preset window:

5. Change the name and add a description of the preset position if needed.

6. Select Locked if you want to lock the preset name. You can lock a preset name if you want to prevent
users in XProtect Smart Client or users with limited security permissions from updating the preset name
or deleting the preset. Locked presets are indicated with an icon. Only users with sufficient
permissions can unlock the preset name afterwards.

7. Click OK.

Test a preset position (type 1 only)


1. In the Site Navigation pane, select Devices and then select Cameras.

2. Select the relevant PTZ camera in the Overview pane.

3. Select the preset position in the Presets tab's list of available preset positions for the camera.

4. Click Activate.


5. The camera moves to the selected preset position.

Devices - Patrolling

Patrolling profiles and manual patrolling (explained)


Patrolling profiles are the definitions of how patrolling should take place. This includes the order in which the
camera should move between preset positions and how long it should remain at each position. You can create
an unrestricted number of patrolling profiles and use them in your rules. For example, you may create a rule
specifying that one patrolling profile should be used during daytime opening hours and another during nights.

Manual patrolling

Before you apply a patrolling profile in a rule, for example, you can test the patrolling profile with manual
patrolling. You can also use manual patrolling to take over patrolling from another user or from a
rule-activated patrolling, provided that you have a higher PTZ priority.

If the camera is already patrolling or controlled by another user, you can only start manual patrolling if you
have a higher priority.

If you start a manual patrolling while the camera runs a rule-activated system patrolling, the system resumes
this patrolling when you stop your manual patrolling. If another user runs a manual patrolling, but you have a
higher priority and start your manual patrolling, the other user's manual patrolling is not resumed.

If you do not stop your manual patrolling yourself, it will continue until a rule-based patrolling or a user with a
higher priority takes over. When the rule-based system patrolling stops, the system resumes your manual
patrolling. If another user starts a manual patrolling, your manual patrolling stops, and will not be resumed.

When you stop your manual patrolling and you have defined an end position for your patrolling profile, the
camera returns to this position.

Add a patrolling profile

Before you can work with patrolling, you must specify at least two preset positions for
the camera in the Presets tab, see Add a preset position (type 1).

1. In the Site Navigation pane, select Devices and then select Cameras.

2. Select the relevant PTZ camera in the Overview pane.

3. On the Patrolling tab, click Add. The Add Profile dialog box appears.

4. In the Add Profile dialog box, specify a name for the patrolling profile.

5. Click OK. The button is disabled if the name is not unique.


The new patrolling profile is added to the Profile list. You can now specify the preset positions and other
settings for the patrolling profile.

Specify preset positions in a patrolling profile


1. In the Site Navigation pane, select Devices and then select Cameras.

2. Select the relevant PTZ camera in the Overview pane.

3. On the Patrolling tab, select the patrolling profile in the Profile list:

4. Click Add.

5. In the Select PTZ Preset dialog box, select the preset positions for your patrolling profile:

6. Click OK. The selected preset positions are added to the list of preset positions for the patrolling profile:

7. The camera uses the preset position at the top of the list as the first stop when it patrols according to
the patrolling profile. The preset position in the second position from the top is the second stop, and so
forth.

Specify the time at each preset position


When patrolling, the PTZ camera by default remains for 5 seconds at each preset position specified in the
patrolling profile.

To change the number of seconds:


1. In the Site Navigation pane, select Devices and then select Cameras.

2. Select the relevant PTZ camera in the Overview pane.

3. On the Patrolling tab, select the patrolling profile in the Profile list.

4. Select the preset position for which you want to change the time:

5. Specify the time in the Time on position (sec) field.

6. If required, repeat for other preset positions.

Customize transitions (PTZ)


By default, the time required for moving the camera from one preset position to another, known as transition,
is estimated to be three seconds. During this time, motion detection is by default disabled on the camera,
because irrelevant motion is otherwise likely to be detected while the camera moves between the preset
positions.

You can only customize speed for transitions if your camera supports PTZ scanning and is of the type where
preset positions are configured and stored on your system's server (type 1 PTZ camera). Otherwise the Speed
slider is grayed out.

You can customize the following:

• The estimated transition time

• The speed with which the camera moves during a transition

To customize transitions between the different preset positions:

1. In the Site Navigation pane, select Devices and then select Cameras.

2. Select the relevant PTZ camera in the Overview pane.

3. On the Patrolling tab, in the Profile list, select the patrolling profile.

4. Select the Customize transitions check box.

Transition indications are added to the list of preset positions.


5. In the list, select the transition.

6. Specify the estimated transition time (in number of seconds) in the Expected time (sec) field.

7. Use the Speed slider to specify the transition speed. When the slider is in its rightmost position, the
camera moves with its default speed. The more you move the slider to the left, the slower the camera
moves during the selected transition.

8. Repeat as required for other transitions.

Specify an end position when patrolling


You can specify that the camera should move to a specific preset position when patrolling according to the
selected patrolling profile ends.

1. In the Site Navigation pane, select Devices and then select Cameras.

2. Select the relevant PTZ camera in the Overview pane.

3. On the Patrolling tab, in the Profile list, select the relevant patrolling profile.

4. Select the Go to specific position on finish check box. This opens the Select preset dialog box.

5. Select the end position and click OK.

You can select any of the camera's preset positions as the end position; you are
not limited to the preset positions used in the patrolling profile.

6. The selected end position is added to the profile list.

When patrolling according to the selected patrolling profile ends, the camera moves to the specified end
position.

Reserve and release PTZ sessions


Depending on your surveillance system, you can reserve PTZ sessions.


Administrators with security permissions to run a reserved PTZ session can run the PTZ camera in this mode.
This prevents other users from taking control over the camera. In a reserved PTZ session, the standard PTZ
priority system is disregarded so that users with a higher PTZ priority cannot interrupt the session.

You can operate the camera in a reserved PTZ session both from XProtect Smart Client and the Management
Client.

Reserving a PTZ session can be useful if you need to make urgent updates or perform maintenance on a PTZ
camera or its presets without being interrupted by other users.

Reserve a PTZ session

1. In the Site Navigation pane, select Devices and then select Cameras.

2. Select the relevant PTZ camera in the Overview pane.

3. Select the PTZ session in the Presets tab, and click Reserved.

You cannot start a reserved PTZ session if a user with a higher priority than yours
controls the camera or if another user has already reserved the camera.

Release a PTZ session

The Release button allows you to release your current PTZ session so another user can control the camera.
When you click Release, the PTZ session ends immediately and will be available for the first user to operate the
camera.

Administrators assigned the security permission Release PTZ session have the permissions to release
other users' reserved PTZ sessions at any time. This can, for example, be useful on occasions where you need to
maintain the PTZ camera or its presets, or if other users have accidentally blocked the camera in urgent
situations.

Specify PTZ session timeouts


Management Client and XProtect Smart Client users with the necessary user permissions can manually
interrupt the patrolling of PTZ cameras.

You can specify how much time should pass before regular patrolling is resumed for all PTZ cameras on your
system:


1. Select Tools > Options.

2. On the Options window's General tab, select the amount of time in the:

• Timeout for manual PTZ sessions list (default is 15 seconds).

• Timeout for pause patrolling sessions list (default is 10 minutes).

• Timeout for reserved PTZ sessions list (default is 1 hour).

The settings apply for all PTZ cameras on your system.

You can change the timeouts individually for each camera.

1. In the Site Navigation pane, click Camera.

2. In the Overview pane, select the camera.

3. On the Presets tab, select the amount of time in the:

• Timeout for manual PTZ session list (default is 15 seconds).

• Timeout for pause patrolling session list (default is 10 minutes).

• Timeout for reserved PTZ session list (default is 1 hour).

The settings apply for this camera only.

Devices - Events for rules

Add or delete an event for a device

Add an event

1. In the Overview pane, select a device.

2. Select the Events tab and click Add. This opens the Select Driver Event window.

3. Select an event. You can only select one event at a time.

4. If you want to see an entire list of all events, allowing you to add events that have already been added,
select Show already added events.

5. Click OK.

6. In the toolbar, click Save.

Delete an event

When you delete an event, it affects all rules that use the event.


1. In the Overview pane, select a device.

2. Select the Events tab and click Delete.

Specify event properties

You can specify properties for each event you have added. The number of properties depends on the device
and the event. In order for the event to work as intended, you must specify some or all of the properties
identically on the device as well as on the Events tab.

Use several instances of an event

To be able to specify different properties for different instances of an event, you can add an event more than
once.

The following example is specific to cameras.

Example: You have configured the camera with two motion windows, called A1 and A2. You have added two
instances of the Motion Started (HW) event. In the properties of one instance, you have specified the use of
motion window A1. In the properties of the other instance, you have specified the use of motion window A2.

When you use the event in a rule, you can specify that the event should be based on motion detected in a
specific motion window for the rule to be triggered:

Devices - Privacy masks

Enable/disable privacy masking


The privacy masking feature is disabled by default.

To enable/disable the privacy masking feature for a camera:

1. In the Site Navigation pane, select Devices.

2. Select the relevant camera device in the Overview pane.

3. On the Privacy masking tab, select or clear the Privacy masking check box.


In a Milestone Interconnect setup, the central site disregards privacy masks defined in a
remote site. If you want to apply the same privacy masks, you must redefine them on the
central site.

Define privacy masks


When you enable the privacy masking feature on the Privacy masking tab, a grid is applied to the camera
preview.

1. In the Site Navigation pane, select Devices.

2. Select the relevant camera in the Overview pane.

3. On the Privacy masking tab, to cover an area with a privacy mask, first select Permanent mask or
Liftable mask to define if you want a permanent or liftable privacy mask.

4. Drag the mouse pointer over the preview. Left-click to select a grid cell. Right-click to clear a grid cell.


5. You can define as many privacy mask areas as needed. Areas with permanent privacy masks appear in
purple and areas with liftable privacy masks in green.

6. Define how the covering of the areas should appear in the video when shown in the clients. Use the
sliders to go from a light blurring to a full nontransparent mask.

Permanent privacy masks also appear on the Motion tab.

7. In XProtect Smart Client, check that the privacy masks appear as you defined.

Change the timeout for lifted privacy masks


By default, privacy masks are lifted for 30 minutes in XProtect Smart Client and afterwards applied
automatically, but you can change that.

When you change the timeout, remember to do it for the Smart Client profile associated
with the role that has the permission to lift privacy masks.

To change the timeout:


1. Under Smart Client Profiles, select the relevant Smart Client profile.

2. On the General tab, locate Lift privacy masks timeout.

3. Select between the values:


• 2 minutes

• 10 minutes

• 30 minutes

• 1 hour

• 2 hours

• Until logged out

4. Click Save.

Give users permission to lift privacy masks


By default, no users have permissions to lift privacy masks in XProtect Smart Client.

To enable/disable the permission:


1. In the Site Navigation pane, select Security and then select Roles.

2. Select the role that you want to give permission to lift privacy masks.

3. On the Overall Security tab, select Cameras.

4. Select the Allow check box for the Lift privacy masks permission.

Users that you assign to this role can lift privacy masks configured as liftable masks for themselves as well
as authorize the lift for other XProtect Smart Client users.

Create a report of your privacy masking configuration


The devices report includes information about your cameras' current privacy masking settings.

To configure a report:

1. In the Site Navigation pane, select System Dashboard.

2. Under Configuration Reports, select the Devices report.


3. If you want to modify the report, you can change the front page and the formatting.

4. Click Export, and the system creates the report as a PDF file.

For more information about reports, see Print a report with your system configuration.

Clients

View groups (explained)


The way in which the system presents video from one or more cameras in clients is called a view. A view group
is a container for one or more logical groups of such views. In clients, a view group is presented as an
expandable folder from which users can select the group and the view they want to see:

Example from XProtect Smart Client: Arrow indicates a view group, which contains a logical group (called
Amenities), which in turn contains 3 views.

By default, each role you define in the Management Client is also created as a view group. When you add a role
in the Management Client, the role by default appears as a view group for use in clients.

• You can assign a view group based on a role to users/groups assigned to the relevant role. You may
change these view group permissions by setting this up in the role afterwards.

• A view group based on a role carries the role's name.

Example: If you create a role with the name Building A Security Staff, it appears in XProtect Smart
Client as a view group called Building A Security Staff.

In addition to the view groups you get when adding roles, you may create as many other view groups
as you like. You can also delete view groups, including those automatically created when adding roles.

• Even if a view group is created each time you add a role, view groups do not have to correspond to
roles. You can add, rename or remove any of your view groups if required.

If you rename a view group, client users already connected must log out and log in
again before the name change is visible.

Add a view group


1. Right-click View Groups, and select Add View Group. This opens the Add View Group dialog box.

2. Enter the name and an optional description of the new view group and click OK.


No roles can use the newly added view group until you have specified such permissions.
If you have specified which roles can use the newly added view group, client users
who are already connected and have the relevant roles must log out and log in
again before they can see the view group.

Smart Client profiles

Add and configure a Smart Client profile


You must create a Smart Client profile before you can configure it.

1. Right-click Smart Client Profiles.

2. Select Add Smart Client Profile.

3. In the Add Smart Client Profile dialog box, enter a name and description of the new profile and click OK.

4. In the Overview pane, click the profile you created to configure it.

5. Adjust settings on one, more or all of the available tabs and click OK.

Copy a Smart Client profile


If you have a Smart Client profile with complicated settings or permissions and need a similar profile, it might
be easier to copy an already existing profile and make minor adjustments to the copy than to create a new
profile from scratch.

1. Click Smart Client Profiles, right-click the profile in the Overview pane, and select Copy Smart Client
Profile.

2. In the dialog box that appears, give the copied profile a new unique name and description. Click OK.

3. In the Overview pane, click the profile you just created to configure it. This is done by adjusting settings
on one, more, or all of the available tabs. Click OK.

Create and set up Smart Client profiles, roles and time profiles
When you work with Smart Client profiles, it is important to understand the interaction between Smart Client
profiles, roles and time profiles:

• Smart Client profiles deal with user permission settings in XProtect Smart Client

• Roles deal with security settings in clients, MIP SDK and more

• Time profiles deal with time aspects of the two profile types

Together these three features provide unique control and customizing possibilities with regard to XProtect
Smart Client user permissions.


Example: You need a user in your XProtect Smart Client setup who should only be allowed to view live video
(no playback) from selected cameras, and only during normal working hours (8.00 to 16.00). One way of setting
this up could be as follows:

1. Create a Smart Client profile, and name it, for example, Live only.

2. Specify the needed live/playback settings on Live only.

3. Create a time profile, and name it, for example, Daytime only.

4. Specify the needed time period on Daytime only.

5. Create a new role and name it, for example, Guard (Selected cameras).

6. Specify which cameras Guard (Selected cameras) can use.

7. Assign the Live only Smart Client profile and the Daytime only time profile to the Guard (Selected
cameras) role to connect the three elements.

You now have a mix of the three features creating the wanted result and allowing you room for easy
fine-tuning and adjustments. You can do the setup in a different order, for example, creating the role first and then
the Smart Client profile and the time profile, or any other order you prefer.

Set number of cameras allowed during search


You can configure how many cameras the operators can add to a search in XProtect Smart Client. The default
value is 100. If an operator exceeds the camera limit, the operator receives a warning.


1. In XProtect Management Client, expand Client > Smart Client Profiles.

2. Select the relevant profile.


3. Click the General tab.


4. In the Cameras allowed during search, select one of these values:


• 50

• 100

• 500

• Unrestricted

5. Save your changes.

Change the default export settings


When you install your XProtect VMS system, the default export settings that define the export options in
XProtect Smart Client are restricted to ensure the highest level of security. You can change these settings to
give operators more options.

Default settings

• Only the XProtect format is available

• Re-export is prevented

• Exports are password-protected

• 256-bit AES encryption

• Digital signatures are added

• Not possible to export to MKV format or AVI format

• Not possible to export still images

Steps:


1. In XProtect Management Client, expand Client > Smart Client Profiles.

2. Select Default Smart Client Profile.

3. In the Properties pane, select the Export tab.

4. To make a restricted format available in XProtect Smart Client, find the setting and select Available.

5. To enable operators to change a setting in XProtect Smart Client, clear the Locked check box next to the
relevant setting.

6. If relevant, change other settings.

7. (optional) Log in to XProtect Smart Client to verify that your settings have been applied.

Management Client profiles

Add and configure a Management Client profile


If you do not want to use the default profile, create a Management Client profile; you can then
configure it.


1. Right-click Management Client Profiles.

2. Select Add Management Client Profile.

3. In the Add Management Client Profile dialog box, enter a name and description of the new profile and
click OK.

4. In the Overview pane, click the profile you created to configure it.

5. On the Profile tab, select or clear functionality from the Management Client profile.

Copy a Management Client profile


If you have a Management Client profile with settings that you would like to reuse, you can copy an already
existing profile and make minor adjustments to the copy instead of creating a new profile from scratch.

1. Click Management Client Profile, right-click the profile in the Overview pane, and select Copy
Management Client Profile.

2. In the dialog box that appears, give the copied profile a new unique name and description. Click OK.

3. In the Overview pane, click the profile and go to the Info tab or Profile tab to configure the profile.

Manage the visibility of functionality for a Management Client profile


Associate Management Client profiles with roles to limit the user interface to represent the functionality
available for each administrator role.

Associate a Management Client profile with a role

1. Expand the Security node and click Roles.

2. On the Info tab in the Role Settings window, associate a profile with a role. For more information, see
Info tab (roles).

Manage the overall access to system functionality for a role

Management Client profiles only handle the visual representation of system functionality, not the actual access
to it.

To manage the overall access to system functionality for a role:

1. Expand the Security node and click Roles.

2. Click the Overall Security tab and select the appropriate check boxes. For more information, see
Overall Security tab (roles) on page 495.

On the Overall Security tab, make sure to enable the Connect security permission in
order to grant all roles access to the Management Server.


Apart from the built-in administrator role, only users associated with a role that has
been granted Manage security permissions for the management server on the Overall
Security tab can add, edit, and delete Management Client profiles.

Limit visibility of functionality for a profile

You can change settings for the visibility of all Management Client elements. By default,
the Management Client profile can see all functionality in the Management Client.

1. Expand the Client node and click Management Client Profiles.

2. Select a profile and click the Profile tab.

3. Clear the check boxes for the relevant functionality in order to remove the functionality visually from
the Management Client for any Management Client user with a role associated with this Management
Client profile.

Matrix

Matrix and Matrix recipients (explained)


Matrix is a feature for distributing video remotely.

A Matrix recipient is a computer with XProtect Smart Client that is defined as a Matrix recipient in
Management Client.

If you use Matrix, you can push video from any camera on your system's network to any running Matrix
recipient.

To see a list of Matrix recipients added in the Management Client, expand Client in the Site Navigation pane,
then select Matrix. A list of Matrix configurations is displayed in the Properties pane.

You must add each Matrix recipient in Management Client before it can receive
Matrix-triggered video.

Define rules sending video to Matrix-recipients


To send video to Matrix-recipients, you must include the Matrix recipient in a rule that triggers the video
transmission to the related Matrix-recipient. To do so:

1. In the Site Navigation pane, expand Rules and Events > Rules. Right-click Rules to open the Manage
Rule wizard. In the first step, select a rule type and in the second step, a condition.

2. In Manage Rule's step 3 (Step 3: Actions) select the Set Matrix to view <devices> action.


3. Click the Matrix link in the initial rule description.

4. In the Select Matrix Configuration dialog box, select the relevant Matrix-recipient, and click OK.

5. Click the devices link in the initial rule description and select from which cameras you would like to send
video to the Matrix-recipient, then click OK to confirm your selection.

6. Click Finish if the rule is complete or, if required, define additional actions and/or a stop action.

If you delete a Matrix-recipient, any rule that includes the Matrix-recipient stops
working.

Add Matrix recipients


To add an existing Matrix recipient in Management Client:

1. Expand Clients, then select Matrix.

2. Right-click Matrix Configurations and select Add Matrix.

3. Fill out the fields in the Add Matrix dialog box.

1. In the Address field enter the IP address or the host name of the required Matrix recipient.

2. In the Port field enter the port number used by the Matrix recipient installation.

4. Click OK.

You can now use the Matrix recipient in rules.

Your system does not verify that the specified port number or password is correct or
that the specified port number, password, or type corresponds with the actual Matrix
recipient. Make sure that you enter the correct information.

Send the same video to several XProtect Smart Client views


You can send the same video to Matrix positions in several of the XProtect Smart Client views, provided the
Matrix positions of the views share the same port number and password:

1. In XProtect Smart Client, create the relevant views and Matrix positions that share the same port
number and password.

2. In the Management Client, add the relevant XProtect Smart Client as a Matrix-recipient.

3. You may include the Matrix-recipient in a rule.


Rules and events

Add rules
When you add rules, you are guided by the wizard Manage Rule which only lists relevant options.

It ensures that required elements are not missing from a rule. Based on your rule's content, it automatically
suggests suitable stop actions, that is, what should take place when the rule no longer applies, ensuring that
you do not unintentionally create a never-ending rule.

Events

When you add an event-based rule, you can select different types of events.

• See Events overview to get an overview and a description of the event types that you can select.

Actions and stop actions

When you add rules, you can select different actions.

Some of the actions require a stop action. For example, if you select the action Start recording, recording
starts and potentially continues indefinitely. As a result, the action Start recording has a mandatory stop
action called Stop recording.

The Manage Rule wizard makes sure you specify stop actions when necessary:

Selecting stop actions. In the example, note the mandatory stop action (selected, dimmed), the non-relevant
stop actions (dimmed) and the optional stop actions (selectable).

• See Actions and stop actions for an overview of start and stop actions that you can select.

Create a rule

1. Right-click the Rules item > Add Rule. This opens the Manage Rule wizard. The wizard guides you
through specifying the content of your rule.

2. Specify a name and a description of the new rule in the Name and Description fields respectively.


3. Select the relevant type of condition for the rule: either a rule which performs one or more actions
when a particular event occurs, or a rule which performs one or more actions when you enter a specific
period of time.

4. Click Next to go to the wizard's second step. On the wizard's second step, define further conditions for
the rule.

5. Select one or more conditions, for example Day of week is <day>:

Depending on your selections, edit the rule description in the lower part of the wizard window:

Click the underlined items in bold italics to specify their exact content. For example, clicking the days
link in our example lets you select one or more days of the week on which the rule should apply.

6. Having specified your exact conditions, click Next to move to the next step of the wizard and select
which actions the rule should cover. Depending on the content and complexity of your rule, you may
need to define more steps, such as stop events and stop actions. For example, if a rule specifies that a
device should perform a particular action during a time interval (for example, Thursday between 08.00
and 10.30), the wizard may ask you to specify what should happen when that time interval ends.

7. Your rule is by default active once you have created it if the rule's conditions are met. If you do not want
the rule to be active straight away, clear the Active check box.

8. Click Finish.

Validate rules
You can validate the content of an individual rule or all rules in one go. When you create a rule, the Manage
Rule wizard ensures that all of the rule's elements are valid.

When a rule has existed for some time, one or more of the rule's elements may have been affected by other
configuration, and the rule may no longer work. For example, if a rule is triggered by a particular time profile,
the rule does not work if you have deleted that time profile or if you no longer have permissions to it. Such
unintended effects of configuration may be hard to keep an overview of.


Rule validation helps you keep track of which rules have been affected. Validation takes place on a per-rule
basis and each rule is validated by itself. You cannot validate rules against each other, for example in
order to see whether one rule conflicts with another rule, not even if you use the Validate All Rules feature.

Validate a rule

1. Click Rules and select the rule you want to validate.

2. Right-click the rule and click Validate Rule.

3. Click OK.

Validate all rules

1. Right-click the Rules item and then click Validate All Rules.

2. Click OK.

A dialog box informs you whether the rule(s) validated successfully or not. If you chose to validate more than
one rule and one or more rules did not succeed, the dialog box lists the names of the affected rules.

You cannot validate whether configuration of requirements outside the rule itself may
prevent the rule from working. For example, a rule specifying that recording should take
place when motion is detected by a particular camera is validated if the elements in the
rule itself are correct, even if motion detection, which is enabled on a camera level, not
through rules, has not been enabled for the relevant camera.

Edit, copy and rename a rule


1. In the Overview pane, right-click the relevant rule.

2. Select either:

Edit Rule or Copy Rule or Rename Rule. The wizard Manage Rule opens.


3. If you select Copy Rule, the wizard opens displaying a copy of the selected rule. Click Finish to create a
copy.

4. If you select Edit Rule, the wizard opens and you can enter changes. Click Finish to accept the changes.

5. If you select Rename Rule, you can rename the rule name text directly.

Deactivate and activate a rule


Your system applies a rule as soon as the rule's conditions apply, which means it is active. If you do not want a
rule to be active, you can deactivate the rule. When you deactivate the rule, the system does not apply the rule
even if the rule's conditions apply. You can easily activate a deactivated rule later.

Deactivating a rule

1. In the Overview pane, select the rule.

2. Clear the Active check box in the Properties pane.

3. Click Save in the toolbar.

4. An icon with a red x indicates that the rule is deactivated in the Rules list:

Activating a rule

When you want to activate the rule again, select the rule, select the Activate check box, and save the setting.

Specify a time profile


1. In the Time Profiles list, right-click Time Profiles > Add Time Profile. This opens the Time Profile
window.

2. In the Time Profile window, enter a name for the new time profile in the Name field. Optionally, enter a
description of the new time profile in the Description field.

3. In the Time Profile window's calendar, select either Day View, Week View or Month View, then right-
click inside the calendar and select either Add Single Time or Add Recurring Time.

4. When you have specified the time periods for your time profile, click OK in the Time Profile window.
Your system adds your new time profile to the Time Profiles list. If at a later stage you wish to edit or
delete the time profile, you do that from the Time Profiles list as well.

Add a single time

When you select Add Single Time, the Select Time window appears:


Time and date format may be different on your system.

1. In the Select Time window, specify Start time and End time. If the time is to cover whole days, select
the All day event box.

2. Click OK.

Add a recurring time

When you select Add Recurring Time, the Select Recurring Time window appears:

1. In the Select Time window, specify time range, recurrence pattern and range of recurrence.

2. Click OK.

A time profile can contain several periods of time. If you want your time profile to
contain further periods of time, add more single times or recurring times.


Recurring time

A recurring time lets you set an action to be executed on a detailed, recurring schedule.

For example:

• Every week on Tuesday every 1 hour(s) between 15:00 and 15:30

• On day 15 every 3 month(s) at 11:45

• Every day every 1 hour(s) between 15:00 and 19:00

The time is based on the local time settings of the server on which Management Client is
installed.

Edit a time profile


1. In the Overview pane's Time Profiles list, right-click the relevant time profile, and select Edit Time
Profile. This opens the Time Profile window.

2. Edit the time profile as needed. If you have made changes to the time profile, click OK in the Time
Profile window. You return to the Time Profiles list.

In the Time Profile Information window, you can edit the time profile as needed.
Remember that a time profile may contain more than one time period, and that time
periods may be recurring. The small month overview in the top right corner can help you
get a quick overview of the time periods covered by the time profile, as dates containing
specified times are highlighted in bold.

In this example, the bold dates indicate that you have specified time periods on several
days, and that you have specified a recurring time on Mondays.


Create day length time profiles


1. Expand the Rules and Events folder > Time Profiles.

2. In the Time Profiles list, right-click Time Profiles, and select Add Day Length Time Profile.

3. In the Day Length Time Profile window, refer to the properties table below to fill in the needed
information. To deal with transition periods between lightness and darkness, you can offset activation
and deactivation of the profile. The time and the names of months are shown in the language used by your
computer's language/regional settings.

4. To see the location of the entered geographic coordinates in a map, click Show Position in Browser.
This opens a browser where you can see the location.

5. Click OK.

Day length time profile properties

| Name | Description |
|---|---|
| Name | The name of the profile. |
| Description | A description of the profile (optional). |
| Geo coordinates | Geographic coordinates indicating the physical location of the camera(s) assigned to the profile. |
| Sunrise offset | Number of minutes (+/-) by which activation of the profile is offset by sunrise. |
| Sunset offset | Number of minutes (+/-) by which deactivation of the profile is offset by sunset. |
| Time zone | Time zone indicating the physical location of the camera(s). |

Add notification profiles

Before you can create notification profiles, you must specify mail server settings for
email notifications. For more information, see Requirements for creating notification
profiles.


1. Expand Rules and Events, right-click Notification Profiles > Add Notification Profile. This opens the
Add Notification Profile wizard.

2. Specify name and description. Click Next.

3. Specify recipient, subject, message text and time between emails:

4. To send a test email notification to the specified recipients, click Test E-mail.

5. To include pre-alarm still images, select Include images, and specify number of images, time between
images and whether to embed images in emails or not.

6. To include AVI video clips, select Include AVI, and specify the time before and after event and frame
rate.


Notifications containing H.265 encoded video require a computer that supports
hardware acceleration.

7. Click Finish.

Trigger email notifications from rules


1. Right-click the Rules item, and then click Add Rule or Edit Rule.

2. In the Manage Rule wizard, click Next to go to the Select actions to perform list and select Send
notification to <profile>.

3. Select the relevant notification profile and select the cameras whose recordings should be included in the
notification profile's email notifications.

You cannot include recordings in the notification profile's email notifications unless something is actually being
recorded. If you want still images or AVI video clips in the email notifications, verify that the rule specifies that
recording should take place. The following example is from a rule which includes both a Start recording action
and a Send notification to action:

Add a user-defined event

No matter how you want to use user-defined events, you must add each user-defined
event through the Management Client.

1. Expand Rules and Events > User-defined Events.

2. In the Overview pane, right-click Events > Add User-defined Event.

3. Enter a name for the new user-defined event, and click OK. The newly added user-defined event now
appears in the list in the Overview pane.


The user can now trigger the user-defined event manually in XProtect Smart Client if the user has permissions
to do so.

If you delete a user-defined event, this affects any rules in which the user-defined event
is in use. Also, a deleted user-defined event only disappears from XProtect Smart Client
when the XProtect Smart Client users log out.

Rename a user-defined event

If you rename a user-defined event, already connected XProtect Smart Client users must
log out and log in again before the name change is visible.

1. Expand Rules and Events > User-defined Events.

2. In the Overview pane, select the user-defined event.

3. In the Properties pane, overwrite the existing name.

4. In the toolbar, click Save.

Add and edit an analytics event

Add an analytics event

1. Expand Rules and Events, right-click Analytics Events and select Add New.

2. In the Properties window, enter a name for the event in the Name field.

3. Enter a description text in the Description field if needed.

4. In the toolbar, click Save. You can test the validity of the event by clicking Test Event. You can
continually correct errors indicated in the test and run the test as many times as you want and from
anywhere in the process.

Edit an analytics event

1. Click an existing analytics event to view the Properties window, where you can edit relevant fields.

2. You can test the validity of the event by clicking Test Event. You can continually correct errors indicated
in the test and run the test as many times as you want and from anywhere in the process.

Edit analytics events settings

In the toolbar, go to the Tools > Options > Analytics Events tab to edit relevant settings.


Test an analytics event


After you create an analytics event, you can test the requirements (see Test an analytics event on page 269), for
example that the analytics events feature has been enabled in Management Client.

1. Select an existing analytics event.

2. In the properties, click the Test Event button. A window appears that shows all the possible sources of events.

3. Select the source of your test event, for example a camera. The window is closed and a new window
appears that goes through four conditions that must be fulfilled for the analytics event to work.

As an additional test, in XProtect Smart Client you can verify that the analytics event was
sent to the event server. To do this, open XProtect Smart Client and view the event in the
Alarm Manager tab.

Add a generic event


You can define generic events to help the VMS recognize specific strings in TCP or UDP packets from an
external system. Based on a generic event, you can configure Management Client to trigger actions, for
example to start recording, or alarms.

Requirements
You have enabled generic events and specified the source destinations allowed. For more information, see
Generic Events tab (options) on page 381.


To add a generic event:

1. Expand Rules and Events.

2. Right-click Generic Events and select Add New.

3. Fill in the needed information and properties. For more information, see Generic Events and Data
sources (properties) on page 488.

4. (optional) To validate that the search expression is valid, enter a search string in the Check if
expression matches event string field that corresponds to the expected packets:

• Match - the string can be validated against the search expression

• No match - the search expression is invalid. Change it and try again

In XProtect Smart Client, you can verify whether your generic events have been received
by the event server. You do this in the Alarm List on the Alarm Manager tab by
selecting Events.

Authentication

Register claims from an external IDP


1. In Management Client, select Tools > Options and open the External IDP tab.

2. In the External IDP section, select Add.

3. In the Registered claims section, select Add.

4. Enter the information about the claim. For more information, see Register claims.

Map claims from an external IDP to roles in XProtect


On the external IDP site, the administrator must create claims consisting of a name and a value. Subsequently,
the claim is mapped to a role in the VMS, and the user's privileges will be determined by the role.

1. From the Site Navigation pane in Management Client, expand the Security node and select Roles.

2. Select a role, select the External IDP tab, and select Add.

3. Select an external IDP and a claim name and enter a claim value.

The claim name must be written exactly as the claim name coming from the
external IDP.

4. Select OK.


If an external IDP is deleted, all users connected to the VMS via the external IDP are also
deleted. All registered claims that are connected to the external IDP are removed and
any mappings to roles are removed as well.
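
The claim registration, role mapping and IDP deletion behaviour described above, modelled in Python as an added example; it is not Milestone code. The `VmsModel` class, the IDP name `ExampleIDP`, the claim names and the token are constructed, and the model assumes exact string comparison and that a multi-valued claim matches when any of its values equals the mapped value.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ClaimMapping:
    idp: str          # external IDP the mapping belongs to
    claim_name: str   # must equal the name sent by the IDP, character for character
    claim_value: str
    role: str         # VMS role granted when name and value match


@dataclass
class VmsModel:
    """Hypothetical in-memory stand-in for the VMS configuration."""
    registered: dict = field(default_factory=dict)  # idp -> set of registered claim names
    mappings: list = field(default_factory=list)    # ClaimMapping entries
    idp_users: dict = field(default_factory=dict)   # user name -> idp used to log in

    def register_claim(self, idp, claim_name):
        self.registered.setdefault(idp, set()).add(claim_name)

    def map_claim(self, idp, claim_name, claim_value, role):
        # Assumption of this model: only registered claims can be mapped to a role.
        if claim_name not in self.registered.get(idp, set()):
            raise ValueError(f"claim {claim_name!r} is not registered for {idp!r}")
        self.mappings.append(ClaimMapping(idp, claim_name, claim_value, role))

    def resolve_roles(self, idp, user, token_claims):
        """Roles granted by one login. An empty set means the user gets no role."""
        if idp not in self.registered:
            return set()  # unknown or deleted IDP: fail closed
        self.idp_users[user] = idp
        roles = set()
        for m in self.mappings:
            if m.idp != idp or m.claim_name not in token_claims:
                continue
            raw = token_claims[m.claim_name]
            values = raw if isinstance(raw, (list, tuple)) else [raw]
            if m.claim_value in {str(v) for v in values}:
                roles.add(m.role)
        return roles

    def near_misses(self, idp, token_claims):
        """Registered names that match a token claim only if case/whitespace is ignored.

        A non-empty result usually explains why a user logged in but received no role.
        """
        def norm(name):
            return name.strip().casefold()

        sent = {norm(name): name for name in token_claims}
        return sorted(
            (name, sent[norm(name)])
            for name in self.registered.get(idp, set())
            if name not in token_claims and norm(name) in sent
        )

    def delete_idp(self, idp):
        """Cascade from the manual: IDP users, registered claims and role mappings go."""
        removed_users = sorted(u for u, i in self.idp_users.items() if i == idp)
        for user in removed_users:
            del self.idp_users[user]
        self.registered.pop(idp, None)
        self.mappings = [m for m in self.mappings if m.idp != idp]
        return removed_users


def demo():
    vms = VmsModel()
    idp = "ExampleIDP"                      # constructed IDP name
    vms.register_claim(idp, "vms_role")
    vms.register_claim(idp, "Groups")       # wrong case: the IDP sends "groups"
    vms.map_claim(idp, "vms_role", "operator", "Guard (Selected cameras)")
    vms.map_claim(idp, "Groups", "night-shift", "Night Guards")

    # Constructed claims as they would appear in a decoded token.
    token = {"sub": "alice", "vms_role": "operator",
             "groups": ["guards", "night-shift"]}

    roles = vms.resolve_roles(idp, "alice", token)
    misses = vms.near_misses(idp, token)
    removed = vms.delete_idp(idp)
    roles_after = vms.resolve_roles(idp, "alice", token)
    return roles, misses, removed, roles_after


if __name__ == "__main__":
    print(demo())
```

The `Night Guards` role is never granted because the registered name `Groups` differs in case from the `groups` claim in the token, which is the failure the exact-name requirement guards against.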

Log in via an external IDP


You can log in to XProtect Smart Client, XProtect Management Client, XProtect Web Client, and XProtect Mobile
client using an external IDP.

1. Under Authentication in the login dialog box in XProtect Smart Client or XProtect Management Client,
select the external IDP and select Sign in. On your first login, you will be redirected to a web page
belonging to the external IDP.

2. Provide your user name and password and sign in. After you have signed in, you will return to the
XProtect client and you are logged in.

Under Tools > Options > External IDP, you can configure the name of the external IDP
that is shown on the Authentication list.

If the external IDP is disabled by, for example, a restore or a change of password, the
option to log in via an external IDP is not available on the Authentication list. Also, if the
external IDP is disabled, the client secret received from the external IDP disappears from
the Client secret field on the External IDP tab under Tools > Options.

Security

Add and manage a role

1. Expand Security and right-click Roles.

2. Select Add Role. This opens the Add Role dialog box.

3. Enter a name and description of the new role and click OK.

4. The new role is added to the Roles list. By default, a new role does not have any users/groups
associated with it, but it does have a number of default profiles associated.

5. To choose different Smart Client and Management Client profiles, evidence lock profiles or time
profiles, click the drop-down lists.

6. You can now assign users/groups to the role, and specify which of the system’s features they can
access.


For more information, see Assign/remove users and groups to/from roles on page 273 and Roles (Security
node) on page 492.

Copy, rename or delete a role

Copy a role

If you have a role with complicated settings and/or permissions and need a similar or almost similar role, it
might be easier to copy the already existing role and make minor adjustments to the copy than to create a
new role from scratch.

1. Expand Security, click Roles, right-click the relevant role and select Copy Role.

2. In the dialog box that opens, give the copied role a new unique name and description.

3. Click OK.

Rename a role

If you rename a role, this does not change the name of the view group based upon the role.

1. Expand Security, and right-click Roles.

2. Right-click the required role and select Rename Role.

3. In the dialog box that opens, change the name of the role.

4. Click OK.

Delete a role

1. Expand Security, and click Roles.

2. Right-click the unwanted role and select Delete Role.

3. Click Yes.

If you delete a role, this does not delete the view group based upon the role.

View effective roles

With the Effective Roles feature, you can view all roles of a selected user or group. This is practical if you are
using groups and it is the only way of viewing which roles a specific user is a member of.

1. Open the Effective Roles window by expanding Security, then right-clicking Roles and selecting Effective
Roles.

2. If you want information about a basic user, enter the name in the User name field. Click Refresh to
display the roles of the user.

3. If you use Windows users or groups in Active Directory, click the "..." browse button. Select object type,
enter the name, and click OK. The user's roles appear automatically.

Assign/remove users and groups to/from roles

To assign or remove Windows users or groups or basic users to/from a role:

1. Expand Security and select Roles. Then select the required role in the Overview pane.

2. In the Properties pane, select the Users and Groups tab at the bottom.

3. Click Add and select either Windows user or Basic user.

Assign Windows users and groups to a role

1. Select Windows user. This opens the Select Users, Computers and Groups dialog box.

2. Verify that the required object type is specified. If, for example, you need to add a computer, click
Object Types and mark Computer. Also verify that the required domain is specified in the From this
location field. If not, click Locations to browse for the required domain.

3. In the Enter the object names to select box, enter the relevant user names, initials, or other types of
identifier which Active Directory can recognize. Use the Check Names feature to verify that Active
Directory recognizes the names or initials that you have entered. Alternatively, use the "Advanced..."
function to search for users or groups.

4. Click OK. The selected users/groups are now added to the Users and Groups tab's list of users to whom you
have assigned the selected role. You can add more users and groups by entering multiple names
separated by a semicolon (;).

Assign basic users to a role

1. Select Basic User. This opens the Select Basic Users to add to Role dialog box.

2. Select the basic user(s) that you want to assign to this role.

3. Optional: Click New to create a new basic user.

4. Click OK. The selected basic user(s) are now added to the Users and Groups tab's list of basic users to whom
you have assigned the selected role.

Remove users and groups from a role

1. On the Users and Groups tab, select the user or group you want to remove and click Remove in the
lower part of the tab. You can select more than one user or group, or a combination of groups and
individual users, if you need to.

2. Confirm that you want to remove the selected user(s) and/or group(s). Click Yes.

A user may also have roles through group memberships. When that is the case, you
cannot remove the individual user from the role. Group members may also hold roles as
individuals. To find out which roles users, groups, or individual group members have,
use the View Effective Roles function.

Create basic users

When you add a basic user to your system, you create a dedicated surveillance system user account with basic
user name and password authentication for the individual user. This is in contrast to the Windows user, added
through Active Directory.

When working with basic users, it is important to understand the difference between basic user and Windows
user.

- Basic users are authenticated by a user name/password combination and are specific to a system.
Even if basic users have the same name and password, a basic user created at one federated site does
not have access to another federated site.

- Windows users are authenticated based on their Windows login and are specific to a machine.

Configure login settings for basic users

You can define the login settings for basic users. This is done in a JSON file, located here:
\\Program Files\Milestone\Management Server\IIS\IDP\appsettings.json.

In that file, you can set the following parameters:

LoginSettings

"ExpireTimeInMinutes": 5
    Define the length of time (in minutes) after which a login session expires if the user takes no action.

LockoutSettings

"LockoutTimeSpanInMinutes": 5
    Define the length of time (in minutes) a user will be locked out.

"MaxFailedAccessAttempts": 5
    Define the number of attempts a user will have to log in before being locked out.

PasswordSettings

"RequireDigit": true
    Define whether base digits (0 through 9) are required in the password.

"RequireLowercase": true
    Define whether lowercase characters are required in the password.

"RequireNonAlphanumeric": true
    Define whether special characters (~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/) are required in the password.

"RequireUppercase": true
    Define whether uppercase characters are required in the password.

"RequiredLength": 8
    Define the number of characters that are required in the password. There is a minimum password
    length of {0} characters and a maximum password length of 255 characters.

"RequiredUniqueChars": 1
    Define the minimum number of unique characters that are required in a password.

    For example, if you set required unique characters to 2, then passwords such as – aaaaaa, aa, a, b,
    bb, bbbbbbb – will be rejected. Whereas – abab, abc, aaab, and so forth – will be accepted because
    there are at least two unique characters in the password.

    Increasing the number of unique characters in a password increases password strength by avoiding
    repetitive sequences that are easily guessed.
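The password rules listed above, applied to candidate passwords and used as a drift check on the settings file, as an added example that is not Milestone code. The key names, the special-character list and the 255-character limit come from the text above; the JSON nesting, the function names and the use of the listed values as a baseline are assumptions.

```python
import json

# Special characters exactly as listed for RequireNonAlphanumeric above.
SPECIAL_CHARS = set("~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/")

# Constructed fragment: key names are from the manual, the nesting of the
# three sections as top-level JSON objects is an assumption.
SAMPLE_APPSETTINGS = """
{
  "LoginSettings": { "ExpireTimeInMinutes": 5 },
  "LockoutSettings": { "LockoutTimeSpanInMinutes": 5, "MaxFailedAccessAttempts": 5 },
  "PasswordSettings": {
    "RequireDigit": true,
    "RequireLowercase": true,
    "RequireNonAlphanumeric": true,
    "RequireUppercase": true,
    "RequiredLength": 8,
    "RequiredUniqueChars": 1
  }
}
"""

# Baseline = the values shown in the manual (an assumption, not a vendor
# recommendation). "max": higher is weaker, "min": lower is weaker,
# "true": the flag must stay enabled.
BASELINE = [
    ("LoginSettings", "ExpireTimeInMinutes", "max", 5),
    ("LockoutSettings", "LockoutTimeSpanInMinutes", "min", 5),
    ("LockoutSettings", "MaxFailedAccessAttempts", "max", 5),
    ("PasswordSettings", "RequireDigit", "true", None),
    ("PasswordSettings", "RequireLowercase", "true", None),
    ("PasswordSettings", "RequireNonAlphanumeric", "true", None),
    ("PasswordSettings", "RequireUppercase", "true", None),
    ("PasswordSettings", "RequiredLength", "min", 8),
    ("PasswordSettings", "RequiredUniqueChars", "min", 1),
]


def load_settings(text):
    """Parse the JSON text of a settings file."""
    return json.loads(text)


def password_violations(password, pw):
    """Return the names of the PasswordSettings rules that `password` breaks."""
    problems = []
    if len(password) < pw.get("RequiredLength", 0):
        problems.append("RequiredLength")
    if len(password) > 255:  # maximum length stated in the manual
        problems.append("MaxLength")
    # Distinct characters, so "aaaaaa" counts as 1 and "aaab" as 2.
    if len(set(password)) < pw.get("RequiredUniqueChars", 1):
        problems.append("RequiredUniqueChars")
    if pw.get("RequireDigit") and not any(c in "0123456789" for c in password):
        problems.append("RequireDigit")
    if pw.get("RequireLowercase") and not any(c.islower() for c in password):
        problems.append("RequireLowercase")
    if pw.get("RequireUppercase") and not any(c.isupper() for c in password):
        problems.append("RequireUppercase")
    if pw.get("RequireNonAlphanumeric") and not any(c in SPECIAL_CHARS for c in password):
        problems.append("RequireNonAlphanumeric")
    return problems


def audit_settings(settings):
    """Return 'Section.Key' for every setting that is missing or weaker than BASELINE."""
    findings = []
    for section, key, rule, bound in BASELINE:
        value = settings.get(section, {}).get(key)
        if rule == "true":
            ok = value is True
        elif isinstance(value, bool) or not isinstance(value, int):
            ok = False  # missing or wrong type
        elif rule == "min":
            ok = value >= bound
        else:
            ok = value <= bound
        if not ok:
            findings.append(f"{section}.{key}")
    return findings


if __name__ == "__main__":
    settings = load_settings(SAMPLE_APPSETTINGS)
    print("weakened settings:", audit_settings(settings))
    for candidate in ("Summer2023", "Tr1cky-Pass", "short1!"):
        print(candidate, password_violations(candidate, settings["PasswordSettings"]))
```

Running `audit_settings` on a copy of the file kept from a known-good state and on the live file shows whether the lockout or password rules have been loosened since.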

To create a basic user on your system:

1. Expand Security > Basic Users.

2. In the Basic Users pane, right-click and select Create Basic User.

3. Specify a user name and a password, and repeat the password to be sure you have specified it correctly.

The password must meet the complexity requirements defined in the appsettings.json file
(see Configure login settings for basic users on page 274).

4. Specify if the basic user should change password on next login.


This is recommended. You should clear the check box only when creating basic
users that cannot change their password. These are for example system users,
used for plug-ins and server services authentication.

5. Specify the status of the basic user to be Enabled or Locked out.

6. Click OK to create the basic user.

View encryption status to clients

To verify if your recording server encrypts connections:

1. Open the Management Client.

2. In the Site Navigation pane, select Servers > Recording Servers. This opens a list of recording servers.

3. In the Overview pane, select the relevant recording server and go to the Info tab.
If encryption is enabled to clients and servers that retrieve data streams from the recording server, a
padlock icon appears in front of the local web server address and the optional web server address.

System Dashboard

View currently ongoing tasks on recording servers


The Current Tasks window shows an overview of ongoing tasks under a selected recording server. If you have
initiated a task that takes a long time and runs in the background, you can open the Current Tasks window to
see how the task progresses. A few examples of lengthy user-initiated tasks are firmware updates and
movement of hardware. You can see information about the task's start-time, estimated end-time, and
progress.


If the task is not progressing as expected, you can probably find the cause in your hardware or network. A few
examples are server not running, server error, too little bandwidth, or connection loss.

1. In the Site Navigation pane, select the System Dashboard > Current Tasks.

2. Select a recording server to see its current tasks.

The information shown in the Current Tasks window is not dynamically updated but is a snapshot of the
current tasks from the moment you opened the window. If you have had the window open for some time,
refresh the information by selecting the Refresh button in the lower right corner of the window.

System monitor (explained)

The system monitor functionality requires that the Data Collector service is running and
only works on computers that use a Gregorian (Western) calendar.

System monitor dashboard (explained)

On the System monitor dashboard, you can easily get an overview of your VMS system's well-being. The state
of your hardware is visually represented by tiles and their colors: green (running), yellow (warning), and red
(critical). The tiles can also have error or warning icons when one or more hardware pieces are in a faulty state.

By default, the system displays tiles that represent all Recording servers, All servers, and All cameras. You
can customize the monitoring parameters of these default tiles and create new tiles. For example, you can set
up tiles to represent a single server, a single camera, a group of cameras, or a server group.

Monitoring parameters are, for example, CPU usage or memory available for a server. A tile monitors only the
monitoring parameters you have added to the tile. See Add a new camera or server tile on the System monitor
dashboard on page 280, Edit a camera or server tile on the System monitor dashboard on page 281, and
Delete a camera or server tile on the System monitor dashboard on page 281 for more information.

System monitor thresholds (explained)

System monitor thresholds allow you to define and adjust the thresholds when tiles on the System monitor
dashboard should visually indicate that your system hardware changes state. For example, when the CPU
usage of a server changes from a normal state (green) to a warning state (yellow) or from a warning state
(yellow) to a critical state (red).

The system has default threshold values for all hardware of the same type so that you can start monitoring the
state of your system hardware from the moment your system is installed and you have added hardware. You
can also set up threshold values for individual servers, cameras, disks, and storage. To change threshold
values, see Edit thresholds for when hardware states should change on page 281.

To ensure that you do not see a Critical or Warning state in cases where the usage of or the load on your
system hardware reaches a high threshold value only for a second or similar, use Calculation interval. With
the correct calculation interval setting, you will not receive false-positive alerts about exceeded thresholds but
only alerts about sustained issues with, for example, CPU usage or memory consumption.


You can also set up rules (see Rules (explained)) to perform specific actions or activate alarms when a
threshold changes from one state to another.

View the current state of your hardware and troubleshoot if needed


On the System monitor dashboard, you can easily get an overview of your VMS system's well-being. The state
of your hardware is visually represented by tiles and their colors: green (running), yellow (warning), and red
(critical). The tiles can also have error or warning icons when one or more hardware pieces are in a faulty state.

You can edit the thresholds for when your hardware is in one of the three states. For more information, see
Edit thresholds for when hardware states should change on page 281.

The System monitor dashboard answers questions like: Are all server services and cameras running? Are the
CPU usage and available memory on the different servers sufficient so everything is recorded and available for
viewing?

1. In the Site Navigation pane, select System Dashboard > System Monitor.

2. If all tiles are green and without warning or error icons, all monitoring parameters and all servers and
cameras represented by the tiles are fine and running.
If one or more tiles have a warning or error icon or are completely yellow or red, select one of these
tiles to troubleshoot.

3. In the hardware list with monitoring parameters (bottom of the window), find the hardware that is not
running. Place your mouse over the red cross sign next to the hardware to read what the problem is.

4. Optionally, select Details to the right side of the hardware to see how long the problem has been there.
Enable the collections of historical data to see the state of your hardware over time. For more
information, see Collect historical data of hardware states on page 280.

5. Find a way to fix the problem. For example, computer restart, server service restart, replacement of a
faulty hardware piece or other.

View the historical state of your hardware and print a report


With the System Monitor feature, you can easily get an overview of the well-being of your VMS system, also
over a longer period.

Are there periods where the CPU usage, bandwidth, or other hardware are challenged? Find the answer to this
with the System Monitor functionality and decide if you need to upgrade your hardware or buy new to avoid it
in the future.

Remember to enable the collection of historical data. See Collect historical data of hardware states on page 280.

1. In the Site Navigation pane, select System Dashboard > System Monitor.

2. In the System Monitor window, select a tile with the hardware you want to know the historical well-
being of, or from the lower part of the window, select a server or camera.


3. Select Details to the right side of the relevant server or camera.

4. For servers, select History to the right of the hardware that you want to investigate. For cameras, select
the link.

5. If you want to print a report, select the PDF icon.

You can only create historical reports with data from the recording server where the
device is currently located.

If you access the system monitor's details from a server operating system, you may
experience a message regarding Internet Explorer Enhanced Security Configuration.
Follow the instructions to add the System Monitor page to the Trusted sites zone
before proceeding.

Collect historical data of hardware states


You can enable the collection of historical data on the system's hardware to see graphs of the states of your
hardware over time and print a report. For more information, see View the historical state of your hardware
and print a report on page 279.

1. In the Site Navigation pane, select System Dashboard > System Monitor.

2. In the System Monitor window, select Customize.

3. In the Customize dashboard window that opens, select Collect historical data.

4. Select a sampling interval. The shorter the interval, the more load on the SQL Server database,
bandwidth, or other hardware. The sampling interval of historical data also determines how detailed
the graphs are.

Add a new camera or server tile on the System monitor dashboard


If you want to monitor your cameras or servers in smaller groups by their physical location, or if you want to
monitor some hardware with different monitoring parameters, you can add additional tiles to the System
Monitor window.

1. In the Site Navigation pane, select System Dashboard > System Monitor.

2. In the System Monitor window, select Customize.

3. In the Customize dashboard window that opens, select New under Server tiles or Camera tiles.

4. In the New server tile/New camera tile window, select the cameras or servers to monitor.


5. Under Monitoring parameters, select or clear check boxes for any parameters to add or remove from
the tile.

6. Select OK. The new server or camera tile is now added to the tiles displayed on your dashboard.

Edit a camera or server tile on the System monitor dashboard


If you want to monitor your cameras or servers with other monitoring parameters, you can adjust them.

1. In the Site Navigation pane, select System Dashboard > System Monitor.

2. In the System Monitor window, select Customize.

3. In the Customize dashboard window that opens, select the tile you want to change under Server tiles
or Camera tiles and select Edit.

4. In the Edit dashboard server/camera tile window, select all cameras or servers, a camera or server
group, or individual cameras or servers to change their monitoring parameters.

5. Under Monitoring parameters, select the monitoring parameters you want to monitor.

6. Select OK.

Delete a camera or server tile on the System monitor dashboard


If you no longer need to monitor the hardware represented by a tile, you can delete the tile.

1. In the Site Navigation pane, select System Dashboard > System Monitor.

2. In the System Monitor window, select Customize.

3. In the Customize dashboard window that opens, select the tile you want to change under Server tiles
or Camera tiles.

4. Select Delete.

Edit thresholds for when hardware states should change


You can edit the thresholds for when your hardware changes between the three states on the System monitor
dashboard. For more information, see System monitor thresholds (explained) on page 278.

You can change thresholds for different types of hardware. For more information, see System Monitor
Thresholds (System Dashboard node) on page 541.

As a default, the system is set up to show threshold values for all units of the same hardware type, for
example, all cameras or servers. You can change these default threshold values.

You can also set up threshold values for individual servers or cameras or a subset of these to allow, for
example, that some cameras use a higher Live FPS or Recording FPS than other cameras.


1. In the Site Navigation pane, select System Dashboard > System Monitor Thresholds.

2. Select the Enabled check box for the relevant hardware if you have not already enabled it. The figure
below shows an example.

3. Drag the threshold control slider up or down to increase or decrease the threshold value. There are two
sliders available for each hardware piece shown in the threshold control, separating the Normal,
Warning, and Critical states.

4. Enter a value for the calculation interval or keep the default value.

5. If you want to set values on individual pieces of hardware, select Advanced.

6. If you want to specify rules for certain events or within specific time intervals, select Create rule.

7. Once you have set the threshold levels and calculation intervals, select File > Save from the menu.

View evidence locks in the system


Evidence Lock under the System Dashboard node shows an overview of all protected data on the current
surveillance system.

Find an evidence lock by filtering by, for example, who created it or when.

1. In the Site Navigation pane, select System Dashboard > Evidence Lock.

2. Get an overview and find the relevant evidence locks. You can filter and sort by the different
metadata related to the evidence locks.

All information shown in the Evidence Lock window is snapshots. Press F5 to refresh.

Print a report with your system configuration


You make many choices when you install and configure your VMS system, and you may need to document
these. Over time it is also hard to remember all the settings you have changed since the installation and initial
configuration - or just during the last couple of months. That is why it is possible to print a report with all your
configuration choices.


When you create a configuration report (PDF format), you can add any possible elements of your system to the
report. You can, for example, include licenses, device configuration, alarm configuration, and much more. You
can select the Exclude sensitive data option to create a GDPR-compliant report (enabled by default). You can
also customize the font, the page setup, and the front page.

1. Expand System Dashboard and select Configuration Reports.

2. Select the elements that you want to include or exclude in your report.

3. Optional: If you have selected to include a front page, select Front Page to customize the information
on your front page. In the window that appears, fill in the needed info.

4. Select Formatting to customize your font, page size, and margins. In the window that appears, select
the wanted settings.

5. When you are ready to export, select Export and select a name and save location for your report.

Only users with administrator permissions in the VMS system can create configuration
reports.

Metadata

Show or hide metadata search categories and search filters


Users of XProtect Management Client with administrator permissions can show or hide the default Milestone
metadata search categories and search filters in XProtect Smart Client. By default, these search categories and
search filters are hidden. Showing them is useful if your video surveillance system meets the requirements (see
Metadata search requirements on page 548).

This setting affects all XProtect Smart Client users.

This setting does not affect the visibility of:

- Other, non-metadata Milestone search categories and search filters, for example
Motion, Bookmarks, Alarms, and Events

- Third-party search categories and search filters

1. In XProtect Management Client, in the Site Navigation pane, select Metadata Use > Metadata Search.

2. In the Metadata Search pane, select the search category that you want to change visibility settings for.

3. To enable the visibility of a search category or search filter, select the corresponding check box. To
disable the visibility of a search category or search filter, clear the check box.


Alarms

Add an alarm

To define an alarm, you need to create an alarm definition, where you specify, for example, what triggers the
alarm, instructions on what the operator needs to do, and what stops the alarm or when it stops. For detailed
information about the settings, see Alarm Definitions (Alarms node).

1. In the Site Navigation pane, expand Alarms, and right-click Alarm Definitions.

2. Select Add New.

3. Fill in these properties:


- Name: Enter a name for the alarm definition. The name of the alarm definition appears
whenever the alarm definition is listed.

- Instructions: You can write instructions for the operator who receives the alarm.

- Triggering event: Use the drop-down menus to select an event type and an event message to
be used when the alarm is triggered.

[Figure: A list of selectable triggering events. The one highlighted is created and customized using analytics
events.]

- Sources: Select the cameras or other devices that the event should originate from to trigger the
alarm. Your options depend on the type of event you have selected.

- Time profile: If you want the alarm to be activated during a specific time interval, select the
radio button and then a time profile in the drop-down menu.

- Event based: If you want the alarm definition to be activated by an event, select the radio button
and specify the event that will activate the alarm definition. You must also specify an event that
will deactivate the alarm definition.

4. In the Time limit drop-down menu, specify a time limit for when action is required by the operator.

5. In the Events triggered drop-down menu, specify which event to trigger when the time limit has
passed.

6. Specify additional settings, for example related cameras and initial alarm owner.


Enable encryption

Enable encryption to and from the management server


You can encrypt the two-way connection between the management server and the affiliated Data Collector
when you have a remote server of the following type:

- Recording Server

- Event Server

- Log Server

- LPR Server

- Mobile Server

If your system contains multiple recording servers or remote servers, you must enable encryption on all of
them.

When you configure encryption for a server group, it must either be enabled with a
certificate belonging to the same CA certificate or, if the encryption is disabled, then it
must be disabled on all computers in the server group.

Prerequisites:
- A server authentication certificate is trusted on the computer that hosts the management server

First, enable encryption on the management server.

Steps:

1. On a computer with a management server installed, open the Server Configurator from:

- The Windows Start menu

or

- The Management Server Manager by right-clicking the Management Server Manager icon on the
computer task bar

2. In the Server Configurator, under Server certificate, turn on Encryption.

3. Click Select certificate to open a list with unique subject names of certificates that have a private key
and that are installed on the local computer in the Windows Certificate Store.

4. Select a certificate to encrypt communication between the recording server, management server,
failover server, and Data Collector server.


Select Details to view Windows Certificate Store information about the selected certificate.

5. Click Apply.

To complete the enabling of encryption, the next step is to update the encryption settings on each recording
server and each server that has a Data Collector (Event Server, Log Server, LPR Server, and Mobile Server).

For more information, see Enable server encryption for recording servers or remote servers on page 286.

Enable server encryption for recording servers or remote servers


You can encrypt the two-way connection between the management server and the recording server or other
remote servers that use the Data Collector.

If your system contains multiple recording servers or remote servers, you must enable encryption on all of
them.

For more information, see the certificates guide about how to secure your XProtect VMS installations.

When you configure encryption for a server group, it must either be enabled with a
certificate belonging to the same CA certificate or, if the encryption is disabled, then it
must be disabled on all computers in the server group.

Prerequisites:
- You have enabled encryption on the management server, see Enable encryption to and from the
management server on page 285.

1. On a computer with a Management Server or Recording Server installed, open the Server Configurator
from:

- The Windows Start menu

or

- The server manager, by right-clicking the server manager icon on the computer task bar

2. In the Server Configurator, under Server certificate, turn on Encryption.

3. Click Select certificate to open a list with unique subject names of certificates that have a private key
and that are installed on the local computer in the Windows Certificate Store.

4. Select a certificate to encrypt communication between the recording server, management server,
failover server, and data collector server.

Select Details to view Windows Certificate Store information about the selected certificate.

The Recording Server service user has been given access to the private key. It is required that this
certificate is trusted on all clients.

5. Click Apply.

When you apply certificates, the recording server will be stopped and restarted.
Stopping the Recording Server service means that you cannot record and view live video
while you are verifying or changing the recording server's basic configuration.


Enable event server encryption


You can encrypt the two-way connection between the event server and the components that communicate
with the event server, including the LPR Server.

When you configure encryption for a server group, it must either be enabled with a
certificate belonging to the same CA certificate or, if the encryption is disabled, then it
must be disabled on all computers in the server group.

Prerequisites:
- A server authentication certificate is trusted on the computer that hosts the event server

First, enable encryption on the event server.

Steps:

1. On a computer with an event server installed, open the Server Configurator from:

- The Windows Start menu

or

- The Event Server by right-clicking the Event Server icon on the computer task bar

2. In the Server Configurator, under Event server and add-ons, turn on Encryption.

3. Click Select certificate to open a list with unique subject names of certificates that have a private key
and that are installed on the local computer in the Windows Certificate Store.

4. Select a certificate to encrypt communication between the event server and related add-ons.


Select Details to view Windows Certificate Store information about the selected certificate.

5. Click Apply.

To complete the enabling of encryption, the next step is to update the encryption settings on each related
add-on LPR Server.

Enable encryption to clients and servers


You can encrypt connections from the recording server to clients and servers that stream data from the
recording server.

When you configure encryption for a server group, it must either be enabled with a
certificate belonging to the same CA certificate or, if the encryption is disabled, then it
must be disabled on all computers in the server group.

Prerequisites:

- The server authentication certificate to be used is trusted on all computers running services that
retrieve data streams from the recording server

- XProtect Smart Client and all services that retrieve data streams from the recording server must be
version 2019 R1 or later

- Some third-party solutions created using MIP SDK versions earlier than 2019 R1 may need to be
updated

Steps:

1. On a computer with a recording server installed, open the Server Configurator from:

- The Windows Start menu

or

- The Recording Server Manager by right-clicking the Recording Server Manager icon on the
computer task bar

2. In the Server Configurator, under Streaming media certificate, turn on Encryption.

3. Click Select certificate to open a list with unique subject names of certificates that have a private key
and that are installed on the local computer in the Windows Certificate Store.

4. Select a certificate to encrypt communication between the clients and servers that retrieve data streams
from the recording server.

Select Details to view Windows Certificate Store information about the selected certificate.

The Recording Server service user has been given access to the private key. It is required that this
certificate is trusted on all clients.

5. Click Apply.

When you apply certificates, the recording server will be stopped and restarted.
Stopping the Recording Server service means that you cannot record and view live video
while you are verifying or changing the recording server's basic configuration.

To verify if the recording server uses encryption, see View encryption status to clients.

Enable encryption on the mobile server


To use an HTTPS protocol for establishing a secure connection between the mobile server and clients and
services, you must apply a valid certificate on the server. The certificate confirms that the certificate holder is
authorized to establish secure connections.

For more information, see the certificates guide about how to secure your XProtect VMS installations.

When you configure encryption for a server group, it must either be enabled with a
certificate belonging to the same CA certificate or, if the encryption is disabled, then it
must be disabled on all computers in the server group.


Certificates issued by a CA (Certificate Authority) have a chain of certificates, and at the
root of that chain is the CA root certificate. When a device or browser sees this
certificate, it compares its root certificate with the ones pre-installed on the OS (Android,
iOS, Windows, etc.). If the root certificate is listed in the pre-installed certificates list, then
the OS assures the user that the connection to the server is secure enough. These
certificates are issued for a domain name and are not free of charge.

Steps:

1. On a computer with a mobile server installed, open the Server Configurator from:

• The Windows Start menu

or

• The Mobile Server Manager by right-clicking the Mobile Server Manager icon on the computer
task bar

2. In the Server Configurator, under Mobile streaming media certificate, turn on Encryption.

3. Click Select certificate to open a list with unique subject names of certificates that have a private key
and that are installed on the local computer in the Windows Certificate Store.

4. Select a certificate to encrypt the communication of XProtect Mobile client and XProtect Web Client with
the mobile server.

Select Details to view Windows Certificate Store information about the selected certificate.

The Mobile Server service user has been given access to the private key. It is required that this
certificate be trusted on all clients.

5. Click Apply.

When you apply certificates, the Mobile Server service restarts.
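
The certificate selection steps for the recording server and the mobile server both assume that a suitable certificate is already in the local computer store. The following PowerShell is an added example, not part of the Milestone manual: it lists the certificates in the LocalMachine\My store that have a private key and reports expiry, Server Authentication usage, chain trust on this computer, and the accounts allowed to read the private key. The function names and the 30-day warning threshold are assumptions.

```powershell
# Added example (not Milestone code): audit the certificates that
# "Select certificate" in the Server Configurator draws from.
# Run in an elevated PowerShell session on the server itself.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # EKU: TLS Server Authentication
$WarnDays      = 30                     # assumption: warn this many days before expiry

function Get-PrivateKeyReader {
    # Returns the accounts that hold an Allow entry on the private key file.
    # Covers RSA keys held by software key providers; returns $null otherwise.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    } catch {
        return $null   # key not accessible from this session
    }
    if ($rsa -isnot [System.Security.Cryptography.RSACng]) { return $null }

    $keyDirs = @(
        (Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'),             # CNG key storage
        (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys')   # legacy CryptoAPI
    )
    $keyFile = $keyDirs |
        ForEach-Object { Join-Path $_ $rsa.Key.UniqueName } |
        Where-Object { Test-Path -LiteralPath $_ } |
        Select-Object -First 1
    if (-not $keyFile) { return $null }

    (Get-Acl -LiteralPath $keyFile).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.IdentityReference.Value }
}

function Get-StreamingCertificateCandidate {
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey } |
        ForEach-Object {
            $cert = $_

            # Build the chain in machine context, as a Windows service would.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
            $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust and validity only, works offline
            $trusted  = $chain.Build($cert)
            $problems = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            $rootSubject = $null
            if ($chain.ChainElements.Count -gt 0) {
                $rootSubject = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
            }

            # A certificate without an EKU extension is valid for all purposes.
            $ekuOids = @($cert.EnhancedKeyUsageList |
                Where-Object { $_ } |
                ForEach-Object { $_.ObjectId })
            $serverAuth = ($ekuOids.Count -eq 0) -or ($ekuOids -contains $ServerAuthOid)

            $daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

            [pscustomobject]@{
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                DnsNames      = ($cert.DnsNameList | Where-Object { $_ } | ForEach-Object { $_.Unicode }) -join ', '
                DaysLeft      = $daysLeft
                ExpiresSoon   = ($daysLeft -lt $WarnDays)
                ServerAuthEku = $serverAuth
                ChainTrusted  = $trusted
                ChainProblems = $problems
                Root          = $rootSubject
                KeyReaders    = (Get-PrivateKeyReader -Certificate $cert) -join '; '
            }
        }
}

Get-StreamingCertificateCandidate | Sort-Object DaysLeft | Format-List
```

Compare KeyReaders with the account that runs the Recording Server or Mobile Server service. ChainTrusted reflects this computer's trust stores only; each client evaluates the chain against its own.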

Milestone Federated Architecture

Set up your system to run federated sites


To prepare your system for Milestone Federated Architecture, you must make certain choices when you install
the management server. Depending on how your IT infrastructure is set up, choose between three different
alternatives.

Alternative 1: Connect sites from the same domain (with a common domain user)

Before you install the management server, you must create a common domain user and configure this user as
the administrator on all servers involved in the federated site hierarchy. How you connect the sites depends on
the created user account.


With a Windows user account

1. Start the installation of the product on the server to be used as the management server and select
Custom.

2. Select to install the Management Server service using a user account. The selected user account must
be the administrator account used on all management servers. You must use the same user account
when you install the other management servers in the federated site hierarchy.

3. Finish the installation. Repeat steps 1-3 to install any other systems you want to add to the federated
site hierarchy.

4. Add site to hierarchy (see Add site to hierarchy on page 295).

With a Windows built-in user account (network service)

1. Start the installation of the product on the first server to be used as the management server and select
Single Computer or Custom. This installs the management server using a network service account.
Repeat this step for all the sites in your federated site hierarchy.

2. Log into the site that you want as your central site in the federated site hierarchy.

3. In the Management Client, expand Security > Roles > Administrators.

4. On the Users and Groups tab, click Add and select Windows User.

5. In the dialog box, select Computers as object type, enter the server name of the federated site and click
OK to add the server to the Administrator role of the central site. Repeat this step until you have added
all the federated sites in this way and exit the application.

6. Log into each federated site, and add the following servers to the Administrator role, in the same way
as above:
• The parent site server.

• The child site servers that you want to connect directly to this federated site.

7. Add site to hierarchy (see Add site to hierarchy on page 295).

Alternative 2: Connecting sites from different domains

To connect to sites across domains, make sure that the domains trust each other. You set up domains to trust
each other in the Microsoft Windows Domain configuration. When you have established trust between the
different domains in which the sites in the federated site hierarchy are placed, follow the same procedure as
described in Alternative 1. For more information about how to set up trusted domains, see the Microsoft
website (https://docs.microsoft.com/previous-versions/windows/it-pro/windows-2000-server/cc961481(v=technet.10)/).

Milestone recommends Milestone Interconnect for creating connected multi-site
systems with multiple domains.

Alternative 3: Connect sites in workgroup(s)

When you connect sites inside workgroups, the same administrator account must be present on all servers you
want connected in the federated site hierarchy. You must define the administrator account before you install
the system.

1. Log into Windows using a common administrator account.

2. Start the installation of the product and click Custom.

3. Select to install the Management Server service using the common administrator account.

4. Finish the installation. Repeat steps 1-4 to install any other systems you want to connect. You must
install all of these systems using the common administrator account.

5. Add site to hierarchy (see Add site to hierarchy on page 295).

Milestone recommends Milestone Interconnect for creating connected multi-site
systems when the sites are not part of a domain.

You cannot mix domain(s) and workgroup(s). This means that you cannot connect sites
from a domain to sites from a workgroup and vice versa.

Add site to hierarchy


As you expand your system, you can add sites to your top site and to its child sites as long as the system is set
up correctly.

When adding a non-secure site to Milestone Federated Architecture, make sure that Allow non-secure
connections to the server is enabled under Tools > Options > General settings in Management Client.

1. Select the Federated Site Hierarchy pane.

2. Select the site to which you want to add a child site, right-click, and click Add Site to Hierarchy.

3. Enter the URL of the requested site in the Add Site to Hierarchy window and click OK.

4. The parent site sends a link request to the child site and after a while, a link between the two sites is
added to the Federated Site Hierarchy pane.


5. If you can establish the link to the child site without requesting acceptance from the child site
administrator, go to step 7.

If not, the child site has the awaiting acceptance icon until the administrator of the child site has
authorized the request.

6. Make sure that the administrator of the child site authorizes the link request from the parent site (see
Accept inclusion in the hierarchy on page 296).

7. The new parent/child link is established and the Federated Site Hierarchy pane is updated with the
icon for the new child site.

Accept inclusion in the hierarchy


When a child site has received a link request from a potential parent site where the administrator did not have
administrator permissions to the child site, it has the awaiting acceptance icon.

To accept a link request:

1. Log into the site.

2. In the Federated Site Hierarchy pane, right-click the site and click Accept Inclusion in Hierarchy.

If the site runs the XProtect Expert version, you right-click the site in the Site Navigation pane.

3. Click Yes.

4. The new parent/child link is established and the Federated Site Hierarchy pane is updated with the
normal site icon for the selected site.

Changes that you make to child sites located far from the parent site can take some time
to be reflected in the Federated Site Hierarchy pane.

Set site properties


You can view and, possibly, edit properties on your home site and its child sites.


1. In the Management Client, in the Federated Site Hierarchy pane, select the relevant site, right-click,
and select Properties.

2. If needed, change the following:

General tab (see General tab on page 564)

Parent Site tab (see Parent Site tab on page 564) (available on child sites only)

Due to synchronization issues, any changes made to remote children might take
some time to be reflected in the Site Navigation pane.

Refresh site hierarchy


The system automatically synchronizes the hierarchy at regular intervals through all levels of your parent/child
setup. You can refresh it manually if you want to see changes reflected instantly in the hierarchy and do not
want to wait for the next automatic synchronization.

You need to be logged into a site to perform a manual refresh. Only changes saved by this site since the last
synchronization are reflected by a refresh. This means that changes made further down in the hierarchy might
not be reflected by the manual update, if the changes have not reached the site yet.

1. Log into the relevant site.

2. Right-click the top site in the Federated Site Hierarchy pane and click Refresh Site Hierarchy.

This will take a few seconds.

Log into other sites in the hierarchy


You can log into other sites and administer them. The site you are logged into is your home site.


1. In the Federated Site Hierarchy pane, right-click the site that you want to log into.

2. Click Log into Site.

The Management Client for that site opens.

3. Enter login information and click OK.

4. After login is complete, you are ready to do your administrative tasks for that site.

Update site information of child sites

This section is only relevant if you use XProtect Corporate or XProtect Expert 2014 or
newer.

In a large Milestone Federated Architecture setup with a lot of child sites, it is easy to lose the overview and it
can be difficult to find the contact information for the administrators of each child site.

Therefore, you can add additional information to each child site and this information is then available for the
administrators on the central site.

You can read the information about the site, when you pause your mouse over the site name in the Federated
Site Hierarchy pane. To update information about the site:

1. Log into the site.

2. Click Site Navigation pane and select Site Information.

3. Click Edit and add the relevant information in each category.

Detach a site from the hierarchy


When you detach a site from its parent site, the link between the sites is broken. You can detach sites from
the central site, from the site itself or its parent site.

1. In the Federated Site Hierarchy pane, right-click the site, and click Detach Site from Hierarchy.

2. Click Yes to update the Federated Site Hierarchy pane.

If the detached site has child sites, it becomes the new top site for this branch of the hierarchy, and the
normal site icon changes to a top site icon.

3. Click OK.

The changes to the hierarchy are reflected after a manual refresh or an automatic synchronization.


Milestone Interconnect

Add a remote site to your central Milestone Interconnect site


You add remote sites to the central site with the Add Hardware wizard.
Requirements
• Enough Milestone Interconnect camera licenses (see Milestone Interconnect and licensing on page 86).

• Another configured and working XProtect system including a user account (basic users, local Windows
user or Windows Active Directory user) with permissions for the devices that the central XProtect
Corporate system should be able to access

• Network connection between the central XProtect Corporate site and the remote sites with access or
port forwarding to the ports used on the remote sites

To add a remote site:

1. On the central site, expand Servers and select Recording Servers.

2. In the Overview pane, expand the relevant recording server and right-click.

3. Select Add Hardware to start the wizard.

4. On the first page select Address range scanning or Manual and click Next.

5. Specify user names and passwords. The user account must be predefined on the remote system. You
can add user names and passwords as needed by clicking Add. When ready, click Next.

6. Select the drivers to use when you scan. In this case choose between the Milestone drivers. Click Next.

7. Specify the IP addresses and port numbers you want to scan. Default is port 80. Click Next.

Wait while your system detects the remote sites. A status indicator shows the detection process. In case
of a successful detection, a Success message appears in the Status column. If you fail to add, you can
click the Failed error message to see why.

8. Choose to enable or disable successfully detected systems. Click Next.

9. Wait while your system detects hardware and collects device specific information. Click Next.

10. Choose to enable or disable successfully detected hardware and devices. Click Next.

11. Select a default group. Click Finish.

12. After installation, you can see the system and its devices in the Overview pane.

Depending on the user permissions for the selected user on the remote site, the central site gets access
to all cameras and functions or a sub-set of them.

Assign user permissions


You configure user permissions for an interconnected camera as you do with other cameras, by creating a role
and assigning access to functions.


1. On the central site, in the Site Navigation pane, expand Security and select Roles.

2. In the Overview pane, right-click the built-in administrator role and select Add Role (see Add and
manage a role).

3. Name the role and configure the settings on the Device tab (see Device tab (roles)) and the Remote
Recordings tab (see Remote recordings tab (roles)).

Update remote site hardware


If the configuration has been changed on a remote site, for example, added or removed cameras and events,
you must update the configuration on the central site to reflect the new configuration on the remote site.

1. On the central site, expand Servers and select Recording Servers.

2. In the Overview pane, expand the required recording server, select the relevant remote system. Right-
click it.

3. Select Update Hardware. This opens the Update hardware dialog box.

4. The dialog box lists all changes (devices removed, updated and added) in the remote system since your
Milestone Interconnect setup was established or refreshed last. Click Confirm to update your central
site with these changes.

Enable playback directly from remote site camera


If your central site is continuously connected with its remote sites, you can configure your system so that the
users play back the recordings directly from the remote sites. For more information, see Milestone
Interconnect setups (explained) on page 86.

1. On the central site, expand Servers and select Recording Servers.

2. In the Overview pane, expand the required recording server, select the relevant remote system. Select
the relevant interconnected camera.

3. In the Properties pane, select the Record tab, and select the Play back recordings from remote
system option.

4. In the toolbar, click Save.

In a Milestone Interconnect setup, the central site disregards privacy masks defined in a remote site. If you
want to apply the same privacy masks, you must redefine them on the central site.

Retrieve remote recordings from remote site camera


If your central site is not continuously connected with its remote sites, you can configure your system to store
remote recordings centrally and you can configure retrieval of remote recordings when the network
connection is optimal. For more information, see Milestone Interconnect setups (explained) on page 86.

To allow users to actually retrieve recordings, you must enable this permission for the relevant role (see Roles
(Security)).


To configure your system:

1. On the central site, expand Servers and select Recording Servers.

2. In the Overview pane, expand the required recording server, select the relevant remote system. Select
the relevant remote server.

3. In the Properties pane, select the Remote Retrieval tab and update the settings (see Remote Retrieval
tab on page 412).

If the network fails for some reason, the central site misses out on recording sequences. You can configure
your system to let the central site automatically retrieve remote recordings to cover the down-period, once the
network is reestablished.

1. On the central site, expand Servers and select Recording Servers.

2. In the Overview pane, expand the required recording server, select the relevant remote system. Select
the relevant camera.

3. In the Properties pane, select the Record tab, and select the Automatically retrieve remote recordings
when connection is restored option (see Save and retrieve remote recording).

4. In the toolbar, click Save.

As an alternative, you can use rules or start remote recording retrievals from XProtect Smart Client when
needed.

In a Milestone Interconnect setup, the central site disregards privacy masks defined in a remote site. If you
want to apply the same privacy masks, you must redefine them on the central site.

Configure your central site to respond to events from remote sites

You can use events defined on the remote sites to trigger rules and alarms on your central site and thereby
respond immediately to events from the remote sites. This requires that the remote sites are connected and
online. The number and type of events depend on the events configured and predefined in the remote sites.

The list of supported events is available on the Milestone website (https://www.milestonesys.com/).

You cannot delete predefined events.

Requirements:

• If you want to use user-defined/manual events from the remote sites as triggering events, you must
first create these on the remote sites

• Make sure that you have an updated list of events from the remote sites (see Update remote site
hardware on page 300).


Add a user-defined/manual event from a remote site:

1. On the central site, expand Servers and select Recording Servers.

2. In the Overview pane, select the relevant remote server and the Events tab.

3. The list contains the predefined events. Click Add to include user-defined or manual events from the
remote site in the list.

Use an event on a remote site to trigger an alarm on the central site:

1. On the central site, expand Alarms and select Alarm Definitions.

2. In the Overview pane, right-click Alarm Definitions and click Add New.

3. Enter values as needed.

4. In the Triggering Event field, you can select between the supported predefined and user-defined
events.

5. In the Sources field, select the remote server representing the remote site that you want alarms from.

6. Save the configuration when done.

Use an event on a remote site to trigger a rule-based action on the central site:

1. On the central site, expand Rules and Events and select Rules.

2. In the Overview pane, right-click Rules and click Add Rule.

3. In the wizard that appears, select Perform an action on <event>.

4. In the Edit the rule description area, click event and select between the supported predefined and
user-defined events. Click OK.

5. Click devices/recording server/management server and select the remote server representing the
remote site that you want the central site to start an action for. Click OK.

6. Click Next to get to the next wizard page.

7. Select the conditions that you want to apply for this rule. If you do not select any conditions, the rule
always applies. Click Next.

8. Select an action and specify the details in the Edit the rule description area. Click Next.

9. Select a stop criterion if required. Click Next.

10. Select a stop action if required. Click Finish.


Remote connect services

Remote connect services (explained)

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

The remote connect services feature contains the Axis One-click Camera Connection technology developed by
Axis Communications. It enables the system to retrieve video (and audio) from external cameras where
firewalls and/or router network configuration normally prevents initiating connections to such cameras. The
actual communication takes place via secure tunnel servers (ST servers). ST servers use VPN. Only devices that
hold a valid key work within a VPN. This offers a secure tunnel where public networks can exchange data in a
safe way.

Remote connect services allows you to:

• Edit credentials within the Axis Dispatch Service

• Add, edit, and remove ST servers

• Register/unregister and edit Axis One-click cameras

• Go to the hardware related to the Axis One-Click camera

Install secure tunnel server environment for One-Click camera connection

Before you can use Axis One-click Camera Connection, you must first install a suitable ST server environment.
To work with secure tunnel server (ST server) environments and Axis One-click cameras, you must first contact
your system provider to obtain the needed user name and password for Axis Dispatch Services.

Requirements

• Contact your system provider to obtain the needed user name and password for Axis Dispatch Services

• Make sure your camera(s) support Axis Video Hosting System. Go to the Axis website to see supported
devices (https://www.axis.com/products/axis-guardian)

• If needed, update your Axis cameras with the newest firmware. Go to the Axis website to download
firmware (https://www.axis.com/support/firmware)

1. On each camera's homepage, go to Basic Setup, TCP/IP, and select Enable AVHS and Always.

2. From your management server, go to the Milestone download page
(https://www.milestonesys.com/downloads/) and download the AXIS One-Click software. Run the
program to set up a suitable Axis secure tunnel framework.

Add or edit secure tunnel servers

Communication for remote connect services takes place via secure tunnel servers (ST servers).


1. Do one of the following:


• To add an ST server, right-click the Axis Secure Tunnel Servers top node, select Add Axis Secure
Tunnel Server

• To edit an ST server, right-click it, select Edit Axis Secure Tunnel Server

2. In the window that opens, fill in the relevant information.

3. If you chose to use credentials when you installed the Axis One-Click Connection Component, select
the Use credentials check box and fill in the same user name and password as used for the Axis One-
Click Connection Component.

4. Click OK.

Register new Axis One-Click camera

1. To register a camera under an ST server, right-click it and select Register Axis One-Click Camera.

2. In the window that opens, fill in the relevant information.

3. Click OK.

4. The camera now appears under the relevant ST server.

The camera can have the following color coding:

Color    Description
Red      Initial state. Registered, but not connected to the ST server.
Yellow   Registered. Connected to the ST server, but not added as hardware.
Green    Added as hardware. May or may not be connected to the ST server.

When you add a new camera, its status is always green. The connection status is reflected by Devices on
Recording Servers in the Overview pane. In the Overview pane, you may group your cameras for an easier
overview. If you choose not to register your camera at the Axis dispatch service at this point, you can do so
later from the right-click menu (select Edit Axis One-Click Camera).

Smart maps

Geographic backgrounds (explained)


Before a user of XProtect Smart Client can select a geographic background, first you must configure the
geographic backgrounds in XProtect Management Client.


• Basic world map - use the standard geographic background provided in XProtect Smart Client. It
requires no configuration. This map is intended for use as a general reference, and it does not contain
features such as country boundaries, cities, or other details. However, like the other geographic
backgrounds, it does contain geo-reference data

• Bing Maps - connect to Bing Maps

• Google Maps - connect to Google Maps

• Milestone Map Service - connect to a free map provider. After you enable Milestone Map Service, no
further setup is needed.

See Enable Milestone Map Service

• OpenStreetMap - connect to:

  • A commercial tile server of your own choice

  • Your own, online or local tile server

See Specify OpenStreetMap tile server

The Bing Maps and Google Maps options require access to the internet, and you must
purchase a key from Microsoft or Google.

Milestone Map Service requires internet access.

Unless you are using your own, local tile server, OpenStreetMap requires internet
access.

If you want the system to have an EU GDPR compliant installation, the following services
may not be used:

• Bing Maps

• Google Maps

• Milestone Map Service


For more information about data protection and the usage data collection, see the
GDPR privacy guide.

By default, Bing Maps and Google Maps display satellite imagery (Satellite). You can change the imagery in
XProtect Smart Client, for example to aerial or terrain, to see different details.


Enable Bing Maps or Google Maps in Management Client


You can make a key available to multiple users by entering it for a Smart Client profile in Management Client.
All users who are assigned to the profile will use this key.

Steps:

1. In Management Client, on the Site Navigation pane, click Smart Client Profiles.

2. In the Smart Client Profiles pane, select the relevant Smart Client profile.

3. In the Properties pane, click the Smart map tab:


• For Bing Maps, enter your Basic Key or Enterprise Key in the Bing Maps key field

• For Google Maps, enter your Maps Static API key in the Private key for Google Maps field

4. To prevent XProtect Smart Client operators from using a different key, select the Locked check box.

Enable Bing Maps or Google Maps in XProtect Smart Client


To allow XProtect Smart Client operators to use a different key than the key from the Smart Client profile, you
must enter the key in the settings in XProtect Smart Client.

Steps:

1. In XProtect Smart Client, open the Settings window.

2. Click Smart map.

3. Depending on the map service you want to use, do one of the following:
• For Bing Maps, enter your key in the Bing Maps key field

• For Google Maps, enter your key in the Private key for Google Maps field

Enable Milestone Map Service


Milestone Map Service is an online service that lets you connect to Milestone Systems's tile server. This tile
server uses a free, commercially available map service.

After you enable Milestone Map Service on your smart map, the smart map will use Milestone Map Service as
its geographic background.

Steps:


1. In the Site Navigation pane, expand the Client node and click Smart Client Profiles.

2. In the overview pane, select the relevant Smart Client profile.

3. In the Properties pane, click the Smart map tab.

4. In the Milestone Map Service field, select Available.

5. To enforce this setting in XProtect Smart Client, select the Locked check box. Then the XProtect Smart
Client operators cannot enable or disable Milestone Map Service.

6. Save the changes.

You can also enable Milestone Map Service in the Settings window in XProtect Smart
Client.

Milestone Map Service requires internet access.

Specify OpenStreetMap tile server


If you use the OpenStreetMap option as the geographic background for your smart map, you must specify
where the tiled images are retrieved from. You do this by specifying the tile server address, either a
commercial tile server or a local tile server, for example if your organization has its own maps for areas such as
airports or harbors.

You can also specify the tile server address in the Settings window in XProtect Smart
Client.

Steps:


1. In the Site Navigation pane, expand the Client node and click Smart Client Profiles.

2. In the overview pane, select the relevant Smart Client profile.

3. In the Properties pane, click the Smart map tab.

4. In the OpenStreetMap server field, enter the address of the tile server.

5. To enforce this setting in XProtect Smart Client, select the Locked check box. Then the XProtect Smart
Client operators cannot change the address.

6. Save the changes.

Enable smart map editing


Operators can edit smart maps in XProtect Smart Client in setup mode only if editing is enabled in
Management Client. If not already enabled, you need to enable editing for each relevant Smart Client profile.

Steps:


1. In the Site Navigation pane, expand the Client node.

2. Click Smart Client Profiles.

3. In the overview pane, select the relevant Smart Client profile.

4. In the Properties pane, click the Setup tab.

5. In the Edit smart map list, select Available.

6. Repeat these steps for each relevant Smart Client profile.

7. Save your changes. Next time users assigned to the Smart Client profile you selected log into XProtect
Smart Client, they will be able to edit smart maps.

To disable editing, in Edit smart map list, select Unavailable.

Enable editing devices on smart map


You must enable the editing of devices per role to allow operators to, for example:

• Position an input device or a microphone on a smart map

• Adjust the field of view of a camera on a smart map

Operators can be allowed to edit the following device types on smart maps:

• Cameras

• Input devices

• Microphones


Requirements
Before you start, make sure that smart map editing has been enabled (see Enable smart map editing on page
308). You do this on the Smart Client profile that the role of the operator is associated with.

Steps:

1. Expand the Security node > Roles.

2. In the Roles pane, select the role that your operator is associated with.

3. To give the role editing permissions:


• Select the Overall Security tab, and in the Role Settings pane, select the device type (for
example, Cameras or Input)

• In the Allow column, select the Full control or Edit check box

4. Save the changes.

To enable the editing of individual devices, go to the Device tab and select the relevant
device.

Define device position and camera direction, field of view, depth (smart map)
To ensure that a device is positioned correctly on the smart map, you can set the geographic coordinates of
the device. For cameras, you can also set the direction, the field of view, and the viewing depth. Setting any of
the above will automatically add the device to the smart map the next time an operator loads the smart map in
XProtect Smart Client.

Steps:

1. In Management Client, expand the Devices node and select the device type (for example, Cameras or
Input).

2. In the Devices pane, select the relevant device.


3. On the Info tab, scroll down to Positioning information.

4. In the Geo coordinates field, specify the latitude and the longitude coordinates, in that order. Use a
period as a decimal separator, and use a comma to separate latitude and longitude.

• For cameras:

1. In the Direction field, enter a value in the range of 0 to 360 degrees.

2. In the Field of view field, enter a value in the range of 0 to 360 degrees.

3. In the Depth field, enter the viewing depth, either in meters or in feet.


5. Save the changes.

You can also set the properties on the recording servers.

Configure smart map with Milestone Federated Architecture


When you use smart map in a Milestone Federated Architecture, all the devices from the connected sites
appear on the smart map. Follow the steps below to set up smart map in a federated architecture.

For general information about Milestone Federated Architecture, see Configuring
Milestone Federated Architecture on page 87.

1. Before connecting the top site with child sites, make sure that geographic coordinates have been
specified on all devices on all sites. Geographic coordinates are added automatically when a device is
positioned on the smart map in XProtect Smart Client, but you can also add them manually in
Management Client in the device properties. For more information, see Define device position and
camera direction, field of view, depth (smart map) on page 310.

2. You must add the Smart Client operators as Windows users on the parent site and all the federated
sites. At least on the top site, the Windows users must have smart map editing permissions. This allows
the users to edit the smart map for the top site and for all child sites. Next, you need to determine
whether the Windows users on the child sites need smart map editing permissions. In Management
Client, first you create the Windows users under Roles, and then you enable smart map editing. For
more information, see Enable smart map editing on page 308.

3. On the top site, add the child sites as Windows users to a role with administrator permissions. When
you specify the object type, select the Computers check box.

4. On each child site, add the top site as a Windows user to the same administrator role that is used on the
top site. When you specify the object type, select the Computers check box.

5. On the top site, make sure that you can view the Federated Site Hierarchy window. In Management
Client, go to View and select Federated Site Hierarchy. Add each of the child sites to the top site. For
more information, see Add site to hierarchy on page 295.

6. Now you can test that Milestone Federated Architecture works in XProtect Smart Client. Log in to the
top site as an administrator or as an operator, and open a view that contains the smart map. If the
setup has been done correctly, all devices from the top site and the child sites appear on the smart
map. If you log in to one of the child sites, you will see only the devices from that site and its child sites.

To edit devices on a smart map, for example the camera position and angle, users need
device editing permissions. For more information, see Enable editing devices on smart
map on page 309.


Maintenance

Backing up and restoring system configuration


Milestone recommends that you make regular backups of your system configuration as a disaster recovery
measure.

While it is rare to lose your configuration, it can happen under unfortunate circumstances. It is important that
you protect your backups, either through technical or organizational measures.

Backing up and restoring your system configuration (explained)


The system offers a built-in feature that backs up all the system configuration you can define in the
Management Client. The log server database and the log files, including audit log files, are not included in this
backup.

If your system is large, Milestone recommends that you define scheduled backups. This is done with the third-
party tool: Microsoft® SQL Server Management Studio. This backup includes the same data as a manual
backup.

During a backup, your system stays online.

Backing up your system configuration can take some time. Backup duration depends on:

• Your system configuration

• Your hardware

• Whether you have installed the SQL Server, Event Server component and the Management Server
component on a single server or several servers

Each time you make a backup, whether manual or scheduled, the SQL database's transaction log file is flushed.
For additional information about how to flush the transaction log file, see SQL database transaction log
(explained) on page 128.

Make sure that you know your system configuration password settings when creating a
backup.

For FIPS 140-2 compliant systems, with exports and archived media databases from
XProtect VMS versions prior to 2017 R1 that are encrypted with non-FIPS-compliant
ciphers, it is required to archive the data in a location where it can still be accessed after
enabling FIPS. For detailed information on how to configure your XProtect VMS to run in
FIPS 140-2 compliant mode, see the FIPS 140-2 compliance section in the hardening
guide.


Select shared backup folder


Before backing up and restoring any system configuration, you must set a backup folder for this purpose.

1. Right-click the notification area's Management Server service icon and select Select shared backup
folder.

2. In the window that appears, browse to the wanted file location.

3. Click OK twice.

4. If asked if you want to delete files in the current backup folder, click Yes or No depending on your
needs.

Back up system configuration manually


1. From the menu bar, select File > Backup Configuration.

2. Read the note in the dialog box and click Backup.

3. Enter a file name for the .cnf file.

4. Enter a folder destination and click Save.

5. Wait until the backup is finished and click Close.

All relevant system configuration files are combined into one single .cnf file that is saved
at a specified location. During the backup, all backup files are first exported to a
temporary system backup folder on the management server. You can select another
temporary folder by right-clicking the notification area's Management Server service
icon and by selecting Select shared backup folder.

Restore system configuration from a manual backup


Important information
• Both the user who installs and the user who restores must be local administrator of the system
configuration SQL database on the management server and on the SQL Server

• Except for your recording servers, your system is completely shut down for the duration of the restore,
which can take some time

• A backup can only be restored on the system installation where it was created. Make sure that the setup
is as similar as possible to when the backup was made. Otherwise, the restore might fail

• If prompted for a system configuration password during a restore, you must provide the system
configuration password that was valid at the time when the backup was created. Without this password,
you cannot restore your configuration from the backup


• If you do a backup of the SQL database and restore it on a clean SQL Server, then the raise errors from
the SQL database will not work and you will only receive one generic error message from the SQL
Server. To avoid that, first reinstall your XProtect system using the clean SQL Server and then restore
the backup on top of that

• If restoring fails during the validation phase, you can start the old configuration again because you
have made no changes.
If restoring fails elsewhere in the process, you cannot roll back to the old configuration.
As long as the backup file is not corrupted, you can do another restore

• Restoring replaces the current configuration. This means that any changes to the configuration since
last backup are lost

• No logs, including audit logs, are restored

• Once restoring has started, you cannot cancel it


Restoring

1. Right-click the notification area's Management Server service icon and select Restore Configuration.

2. Read the important note and click Restore.

3. In the file open dialog box, browse to the location of the system configuration backup file, select it, and
click Open.

The backup file is located on the Management Client computer. If the
Management Client is installed on a different server, copy the backup file to this
server before you select the destination.

4. The Restore Configuration window opens. Wait for the restore to finish and click Close.

System configuration password (explained)


You can choose to protect the overall system configuration by assigning a system configuration password.
After you assign a system configuration password, backups are protected by this password. The password
settings are stored on the computer that is running the management server in a secure folder. You will need
this password to:

• Restore the configuration from a configuration backup that was created with password settings
different than the current password settings

• Move or install the management server on another computer due to a hardware failure (recovery)

• Configure an additional management server in a system with clustering


The system configuration password can be assigned during installation or after
installation. The password must meet the Windows complexity requirements, which are
defined by the Windows policy for passwords.

It is important that system administrators save this password and keep it safe. If you
have assigned a system configuration password and you are restoring a backup, you
may be asked to provide the system configuration password. Without this password, you
cannot restore your configuration from the backup.

System configuration password settings


The system configuration password settings can be changed. In system configuration password settings, you
have these options:

• Choose to password protect the system configuration by assigning a system configuration password

• Change a system configuration password

• Choose not to password protect the system configuration by removing any assigned system
configuration passwords

Change the system configuration password settings

When you change the password, it is important that system administrators save the
passwords that are associated with the different backups and keep the passwords safe.
If you are restoring a backup, you may be asked to provide the system configuration
password that was valid at the time the backup was created. Without this password, you
cannot restore your configuration from the backup.

After you change the password, and if your management server and event server are
installed on separate computers, you must enter the current system configuration
password on the event server, too. For more information, see Enter current system
configuration password (event server).

To apply the changes, you must restart the management server services.


1. Locate the management server tray icon and make sure that the service is running.

2. Right-click the notification area's Management Server service icon and select Change system
configuration password settings.

3. The change system configuration password settings window appears.

Assign a password

1. Type the new password in the New password field.

2. Retype the new password in the Confirm new password field and select enter.

3. Read the notification and click yes to accept the change.

4. Wait for the confirmation of change and select Close.

5. To apply the changes, you must restart the management server services.

6. After the restart, make sure that the management server is running.

Remove password protection

If you do not need password protection, you can select to opt out:

1. Select the check box: I choose not to use a system configuration password and understand that the
system configuration will not be encrypted and click enter.

2. Read the notification and click yes to accept the change.

3. Wait for the confirmation of change and select Close.

4. To apply the changes, you must restart the management server services.

5. After the restart, make sure that the management server is running.

Enter the system configuration password settings (recovery)


If the file that is holding the password settings is deleted due to a hardware failure or other reasons, you will
need to provide the system configuration password settings to access the database that is holding the system
configuration. During installation on your new computer, you will be asked to enter the system configuration
password settings.

But if the file that is holding the password settings is deleted or corrupted, and the computer that is running
the management server has no other problems, you have the option to enter the system configuration
password settings:

1. Locate the management server tray icon.

2. Right-click the notification area's Management Server service icon and select Enter the system
configuration password.

3. The enter the system configuration password settings window appears.


The system configuration is password-protected

1. Type the password in the password field and select Enter.

2. Wait for the password to be accepted. Select Close.

3. Make sure that the management server is running.

The system configuration is not password-protected

1. Select the check box: This system does not use a system configuration password and select enter.

2. Wait for the setting to be accepted. Select Close.

3. Make sure that the management server is running.

Manually backing up your system configuration (explained)


When you want to perform a manual backup of the management server's SQL database that contains your
system configuration, make sure that your system stays online. The default name of the management server's
SQL database is Surveillance.

Here are a few things to consider before you start the backup:

• You cannot use a backup of the SQL database to copy system configurations to other systems

• It can take some time to back up the SQL database. It depends on your system configuration, your
hardware, and on whether your SQL Server, management server and Management Client are installed
on the same computer

• Logs, including audit logs, are stored in the log server's SQL database and are therefore not part of a
backup of the management server's SQL database. The default name of the log server's SQL database is
SurveillanceLogServerV2. You back up both SQL databases the same way.

Backing up and restoring the event server configuration (explained)


The content of your event server configuration is included when you back up and restore system
configuration.

The first time you run the event server, all its configuration files are automatically moved to the SQL database.
You can apply the restored configuration to the event server without needing to restart the event server, and
the event server can start and stop all external communication while the restoration of the configuration is
being loaded.

Scheduled backup and restore of system configuration (explained)


The management server stores your system's configuration in an SQL database. Milestone recommends that
you regularly make scheduled backups of this SQL database as a disaster recovery measure. While it is rare to
lose your system configuration, it can happen under unfortunate circumstances. Luckily, it takes only a minute,
and backups also have the added benefit that they flush your SQL database's transaction log.


If you have a smaller setup and do not need scheduled backups, you can back up your system configuration
manually. For instructions, see Manually backing up your system configuration (explained) on page 318.

When you back up/restore your management server, make sure that the SQL database with the system
configuration is included in the backup/restore.

Requirements for using scheduled backup and restore

Microsoft® SQL Server Management Studio, a tool that you can download for free from the Microsoft website
(https://www.microsoft.com/downloads/).

Apart from managing SQL Servers and their databases, the tool includes some easy-to-use backup and
restoration features. Download and install the tool on your management server.

Back up system configuration with scheduled backup


1. From Windows' Start menu, launch Microsoft® SQL Server Management Studio.

2. When connecting, specify the name of the required SQL Server. Use the account under which you
created the SQL database.

1. Find the SQL database that contains your entire system configuration, including event server,
recording servers, cameras, inputs, outputs, users, rules, patrolling profiles, and more. The
default name of this SQL database is Surveillance.

2. Make a backup of the SQL database and make sure to:

• Verify that the selected SQL database is the correct one

• Verify that the backup type is full

• Set the schedule for the recurrent backup. You can read more about scheduled and
automated backups on the Microsoft website
(https://docs.microsoft.com/en-us/sql/relational-databases/logs/the-transaction-log-sql-server?view=sql-server-2017)

• Verify that the suggested path is satisfactory or select an alternative path

• Select to verify backup when finished and to perform checksum before writing to
media

3. Follow the instructions in the tool to the end.

Also consider backing up the log server's SQL database with your logs by using the same method. The default
name for the log server's SQL database is SurveillanceLogServerV2.
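The backup options listed above (full backup, checksum before writing to media, verify when finished) can also be expressed as T-SQL run from PowerShell. The following script is an added example, not part of the Milestone manual or tooling. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd) is installed, that it runs on the SQL Server host so the backup files are readable locally, and that the server instance and backup folder shown are placeholders for your own values.

```powershell
#Requires -Modules SqlServer
# Added example: full backup with CHECKSUM, verification, and a SHA-256 manifest.
param(
    [string]$ServerInstance = 'localhost',          # assumption: SQL Server runs on this host
    [string]$BackupDir      = 'D:\XProtectBackup',  # assumption: placeholder backup folder
    # Default database names as stated in the manual
    [string[]]$Databases    = @('Surveillance', 'SurveillanceLogServerV2')
)

$ErrorActionPreference = 'Stop'   # any SQL or file error stops the run

if (-not (Test-Path -LiteralPath $BackupDir -PathType Container)) {
    throw "Backup folder '$BackupDir' does not exist."
}

$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$manifest = Join-Path $BackupDir 'SHA256SUMS.txt'

foreach ($db in $Databases) {
    # The name is placed inside a T-SQL statement, so accept only simple identifiers
    if ($db -notmatch '^[A-Za-z0-9_]+$') {
        throw "Unexpected database name: $db"
    }

    $file    = Join-Path $BackupDir "${db}-${stamp}.bak"
    $sqlFile = $file.Replace("'", "''")   # escape quotes for the T-SQL string literal

    # Full backup; CHECKSUM makes SQL Server validate page checksums while writing
    $backupSql = "BACKUP DATABASE [$db] TO DISK = N'$sqlFile' " +
                 "WITH INIT, CHECKSUM, NAME = N'$db full backup';"
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $backupSql -QueryTimeout 65535

    # "Verify backup when finished": re-read the backup set and re-check the checksums
    $verifySql = "RESTORE VERIFYONLY FROM DISK = N'$sqlFile' WITH CHECKSUM;"
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $verifySql -QueryTimeout 65535

    # Record a hash so later tampering or corruption of the stored file can be detected
    $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
    Add-Content -LiteralPath $manifest -Value "$hash  $(Split-Path -Path $file -Leaf)"

    Write-Output "Backed up and verified $db -> $file"
}
```

Before a restore, recompute the hash with Get-FileHash and compare it with the manifest entry; keep the manifest and the .bak files under access control, since the configuration backup is only as trustworthy as the storage it sits on.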

Restore system configuration from a scheduled backup


Requirements
To prevent system configuration changes being made while you restore the system configuration SQL
database, stop the:


• Management Server service (see Managing server services on page 333)

• Event Server service (can be done from Windows Services (search for services.msc on your machine.
Within Services, locate Milestone XProtect Event Server))

• World Wide Web Publishing Service, also known as the Internet Information Service (IIS). Learn how to
stop the IIS (https://technet.microsoft.com/library/cc732317(WS.10).aspx/)

Open Microsoft® SQL Server Management Studio from Windows' Start menu.

In the tool do the following:

1. When connecting, specify the name of the required SQL Server. Use the user account under which the
SQL database was created.

2. Find the SQL database (the default name is Surveillance) that contains your entire system
configuration, including event server, recording servers, cameras, inputs, outputs, users, rules,
patrolling profiles, etc.

3. Make a restore of the SQL database and make sure to:

• Select to back up from device

• Select backup media type file

• Find and select your backup file (.bak)

• Select to overwrite the existing database

4. Follow the instructions in the tool to the end.

Use the same method to restore the log server's SQL database with your logs. The default name of the log
server's SQL database is SurveillanceLogServerV2.

The system does not work while the Management Server service is stopped. It is
important to remember to start all the services again once you have finished restoring
the database.

Back up log server's SQL database


Handle the log server's SQL database by using the method that you use when handling system configuration
as described earlier. The log server's SQL database contains all your system logs, including errors reported by
recording servers and cameras. The default name of the log server's SQL database is
SurveillanceLogServerV2.

The SQL database is located on the log server's SQL Server. Typically, the log server and the management
server have their SQL databases on the same SQL Server. Backing up the log server SQL database is not vital
since it does not contain any system configuration, but you may appreciate having access to system logs from
before the management server backup/restore.


Backup and restore fail and problem scenarios (explained)


• If, after your last system configuration backup, you have moved the event server or other registered
services such as the log server, you must select which registered service configuration you want for the
new system. You can decide to keep the new configuration after the system is restored to the old
version. You decide by looking at the host names of the services.

• If your restore of the system configuration fails because the event server is not located at the specified
destination (for example, if you have chosen the old registered service setup), do another restore.

• If you are restoring a configuration backup and entering a system configuration password that is
incorrect, you must provide the system configuration password that was valid at the time when the
backup was created.

Moving the management server


The management server stores your system configuration in an SQL database. If you are moving the
management server from one physical server to another, it is vital that you make sure that your new
management server also gets access to this SQL database. The system configuration SQL database can be
stored in two different ways:

• Network SQL Server: If you are storing your system configuration in an SQL database on a SQL Server
on your network, you can point to the SQL database's location on that SQL Server when installing the
management server software on your new management server. In that case, only the following
paragraph about management server host name and IP address applies and you should ignore the rest
of this topic:

Management server host name and IP address: When you move the management server from one
physical server to another physical server, it is by far the easiest to give the new server the same
hostname and IP address as the old one. This is because the recording server automatically connects to
the hostname and IP address of the old management server. If you give the new management server a
new hostname and/or IP address, the recording server cannot find the management server and you
must manually stop each Recording Server service in your system, change their management server
URL, register the recording server again and when done, start the Recording Server service.

• Local SQL Server: If you are storing your system configuration in an SQL database on a SQL Server on
the management server itself, it is important that you back up the existing management server's
system configuration SQL database before the move. By backing up the SQL database, and
subsequently restoring it on a SQL Server on the new management server, you avoid having to
reconfigure your cameras, rules, time profiles, etc. after the move

If you move the management server, you will need the current system configuration
password in order to restore the backup, see System configuration password (explained)
on page 315.


Requirements
• Your software installation file for installation on the new management server

• Your software license file (.lic), that you received when you purchased your system and initially
installed it. You should not use the activated software license file which you have received after a
manual offline license activation. An activated software license file contains information about the
specific server on which the system is installed. Therefore, an activated software license file cannot be
reused when moving to a new server

If you are also upgrading your system software in connection with the move, you have received a new
software license file. Simply use this.

• Local SQL Server users only: Microsoft® SQL Server Management Studio

• What happens while the management server is unavailable? (see Unavailable management servers
(explained) on page 322)

• Copy log server database (see Back up log server's SQL database on page 320)

Unavailable management servers (explained)


• Recording servers can still record: Any currently working recording servers received a copy of their
configuration from the management server, so they can work and store recordings on their own while
the management server is down. Scheduled and motion-triggered recording therefore works, and
event-triggered recording works unless based on events related to the management server or any
other recording server because these go through the management server

• Recording servers temporarily store log data locally: They automatically send log data to the
management server when it becomes available again.

• Clients cannot log in: Client access is authorized through the management server. Without the
management server, clients cannot log in

• Clients that are already logged in can remain logged in for up to four hours: When clients log
in, they are authorized by the management server and can communicate with recording servers
for up to four hours. If you can get the new management server up and running within four
hours, many of your users are not affected

• No ability to configure the system: Without the management server, you cannot change the
system configuration

Milestone recommends that you inform your users about the risk of losing contact with the surveillance
system while the management server is down.

Move the system configuration


Moving your system configuration is a three-step process:


1. Make a backup of your system configuration. This is identical to making a scheduled backup. See also
Back up system configuration with scheduled backup on page 319.

2. Install the new management server on the new server. See scheduled backup, step 2.

3. Restore your system configuration to the new system. See also Restore system configuration from a
scheduled backup on page 319.

Replace a recording server


If a recording server is malfunctioning and you want to replace it with a new server that inherits the settings of
the old recording server:

1. Retrieve the recording server ID from the old recording server:

1. Select Recording Servers, then in the Overview pane select the old recording server.

2. Select the Storage tab.

3. Press and hold down the CTRL key on your keyboard while selecting the Info tab.

4. Copy the recording server ID-number in the lower part of the Info tab. Do not copy the term ID,
only the number itself.

2. Replace the recording server ID on the new recording server:

1. Stop the Recording Server service on the old recording server, then in Windows' Services set the
service's Startup type to Disabled.

It is very important that you do not start two recording servers with
identical IDs at the same time.

2. On the new recording server, open an explorer and go to C:\ProgramData\Milestone\XProtect
Recording Server or the path where your recording server is located.

3. Open the file RecorderConfig.xml.

4. Delete the ID stated in between the tags <id> and </id>.

5. Paste the copied recording server ID in between the tags <id> and </id>. Save the
RecorderConfig.xml file.

6. Go to the registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\VideoOS\Recorder\Installation.

7. Open RecorderIDOnMachine and replace the old recording server ID with the new ID.

3. Register the new recording server on the management server. To do that, right-click the Recording
Server Manager tray icon and click Register. For more information, see Register a recording server on
page 185.

4. Restart the Recording Server service. When the new Recording Server service starts up, it has inherited
all settings from the old recording server.
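Because the ID is edited by hand in two places, a quick consistency check before registering and restarting the service catches a mismatch between RecorderConfig.xml and the registry. The script below is an added example, not Milestone tooling. It uses the default file path and registry key named in the steps above, and it assumes that RecorderConfig.xml contains exactly one <id> element and that the script runs in an elevated PowerShell session on the new recording server.

```powershell
# Added example: confirm the recording server ID was replaced consistently.
param(
    # ID copied from the Info tab of the old recording server (the number only, without "ID")
    [Parameter(Mandatory)]
    [string]$ExpectedId,

    # Default location from the manual; change it if your recording server lives elsewhere
    [string]$ConfigPath = 'C:\ProgramData\Milestone\XProtect Recording Server\RecorderConfig.xml',

    # Registry key from the manual
    [string]$RegistryPath = 'HKLM:\SOFTWARE\Wow6432Node\VideoOS\Recorder\Installation'
)

$ErrorActionPreference = 'Stop'
$expected = $ExpectedId.Trim()

# Read the <id> element, ignoring any XML namespace the file may declare
[xml]$config = Get-Content -LiteralPath $ConfigPath -Raw
$idNodes = @($config.SelectNodes("//*[local-name()='id']"))
if ($idNodes.Count -ne 1) {
    # Assumption violated: do not guess which element is the recorder ID
    throw "Expected exactly one <id> element in $ConfigPath, found $($idNodes.Count). Inspect the file manually."
}
$xmlId = $idNodes[0].InnerText.Trim()

# Read the registry value that step 7 edits
$regId = ([string](Get-ItemPropertyValue -LiteralPath $RegistryPath -Name 'RecorderIDOnMachine')).Trim()

$results = @(
    [pscustomobject]@{ Location = 'RecorderConfig.xml <id>';      Value = $xmlId; Matches = ($xmlId -ieq $expected) }
    [pscustomobject]@{ Location = 'Registry RecorderIDOnMachine'; Value = $regId; Matches = ($regId -ieq $expected) }
)
$results | Format-Table -AutoSize

if ($results.Matches -contains $false) {
    Write-Error 'Recording server ID mismatch. Fix it before you register and start the service.' -ErrorAction Continue
    exit 1
}
Write-Output 'Both locations hold the expected recording server ID.'
```

The check does not cover the old server: confirm separately that its Recording Server service is stopped and set to Disabled, so that two recording servers with the same ID never run at the same time.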

Move hardware
You can move hardware between recording servers that belong to the same site. After a move, the hardware
and its devices run on the new recording server and new recordings are stored on this server. The move is
transparent to the client users.

The recordings on the old recording server remain there until:

• The system deletes them when the retention time expires. Recordings that someone has protected with
Evidence Lock (see Evidence locks (explained) on page 70) are not deleted until the evidence lock's
retention time expires. You define the retention time for evidence locks when you create them.
Potentially the retention time never expires

• You delete them from each device's new recording server on the Record tab

If you try to remove a recording server that still contains recordings, you receive a warning.

If you move hardware to a recording server that currently has no hardware added to it,
the client users must log out and log in to receive data from the devices.

You can use the move hardware feature to:

• Load balance: If, for example, the disk on a recording server is overloaded, you can add a new
recording server and move some of your hardware

• Upgrade: If you, for example, have to replace the server that hosts the recording server with a newer
model, you can install a new recording server and move the hardware from the old server to the new
server

• Replace a defective recording server: If, for example, the server is offline and will never come online
again, you can move the hardware to other recording servers and thereby keep the system running. You
cannot access the old recordings. For more information, see Replace a recording server on page 323.


Remote recordings

When you move hardware to another recording server, the system cancels ongoing or scheduled retrievals
from interconnected sites or edge storages on cameras. The recordings are not deleted, but the data is not
retrieved and saved in the databases as expected. You receive a warning if this is the case. For the XProtect
Smart Client user, who has started a retrieval when you initiate moving the hardware, the retrieval fails. The
XProtect Smart Client user is notified and can try again later.

If someone has moved hardware on a remote site, you must manually synchronize the central site with the
Update hardware option to reflect the new configuration of the remote site. If you do not synchronize, the
moved cameras remain disconnected on the central site.

Move hardware (wizard)


To move hardware from one recording server to another, run the Move hardware wizard. The wizard takes
you through the necessary steps to complete a move for one or more hardware devices.

Requirements
Before you start the wizard:

• Make sure that the new recording server can access the physical camera via the network

• Install a recording server that you want to move hardware to (see Installing through Download
Manager (explained) on page 156 or Install a recording server silently on page 165)

• Install the same device pack versions on the new recording server that you run on the existing server
(see Device drivers (explained) on page 137)

To run the wizard:

1. In the Site Navigation pane, select Recording Servers.

2. In the Overview pane, right-click the recording server you want to move hardware from or right-click a
specific hardware device.

3. Select Move Hardware.

If the recording server that you move hardware from is disconnected, an error
message appears. You should only choose to move hardware from a
disconnected recording server if you are sure that it will never come online again.
If you move hardware anyway and the server comes back online, you risk
unexpected system behavior because the same hardware runs on two recording
servers for a period. Possible issues are, for example, license
errors or events that are not sent to the correct recording server.

4. If you started the wizard from the recording server level, the Select the hardware you want to move
page appears. Select the hardware devices you want to move.


5. On the Select the recording server you want to move the hardware to page, select from the list of
recording servers installed on this site.

6. On the Select the storage you want to use for future recordings page, the storage usage bar
indicates the free space in the recording database for live recordings only, not the archives. The total
retention time is the retention period for both the recording database and the archives.

7. The system processes your request.

8. If the move was successful, click Close. If you select the new recording server in the Management
Client, you can see the moved hardware, and recordings are now stored on this server.

If the move failed, you can troubleshoot the issue below.

In an interconnected system, you must manually synchronize the central site
after moving hardware on a remote site to reflect the changes you, or another
system administrator, made at the remote site.

Move hardware troubleshooting

If a move did not succeed, one of the following reasons can be the cause:

Error type: The recording server is not connected or in failover mode.
Troubleshooting: Make sure that the recording server is online. You may need to register it. If the server
is in failover mode, wait and try again.

Error type: The recording server is not the latest version.
Troubleshooting: Update the recording server so it runs the same version as the management server.

Error type: The recording server could not be found in the configuration.
Troubleshooting: Make sure that the recording server has not been removed.

Error type: Updating the configuration or communication with the configuration database failed.
Troubleshooting: Make sure that your SQL Server and database are connected and running.

Error type: Stopping the hardware on the current recording server failed.
Troubleshooting: Maybe another process has locked the recording server, or the recording server is in error
mode. Make sure that the recording server is running and try again.

Error type: The hardware does not exist.
Troubleshooting: Make sure that the hardware you try to move has not simultaneously been removed from the
system by another user. The scenario is quite unlikely.

Error type: The recording server that hardware was moved from is back online, but you chose to ignore it
when it was offline.
Troubleshooting: Most likely, you have accepted that the old recording server will never get online again
when you started the Move Hardware wizard, but during the move, the server came online. Start the wizard
again and select No when you are asked to confirm if the server comes online again.

Error type: The source recording storage is unavailable.
Troubleshooting: You are trying to move hardware with devices configured with a recording storage which is
currently offline. A recording storage is offline if the disk is offline or otherwise unavailable. Make sure
that the recording storage is online and try again.

Error type: All recording storages on the target recording server must be available.
Troubleshooting: You are trying to move hardware to a recording server where one or more recording storages
are currently offline. Make sure that all recording storages on the target recording server are online. A
recording storage is offline if the disk is offline or otherwise unavailable.

Replace hardware
When you replace a hardware device on your network with another hardware device, you must know the IP
address, port, user name and password of the new hardware device.

If you have not enabled automatic license activation (see Automatic license activation
(explained) on page 110) and have used all device changes without activation (see Device
changes without activation (explained) on page 111), you must manually activate your
licenses after replacing hardware devices. If the new number of hardware devices
exceeds your total number of device licenses, you have to purchase new device licenses.


1. Expand the required recording server and right-click the hardware you want to replace.

2. Select Replace Hardware.

3. The Replace Hardware wizard appears. Click Next.

4. In the wizard, in the Address field (marked by red arrow in the image), enter the IP address of the new
hardware. If known, select the relevant driver from the Hardware Driver dropdown list. Otherwise
select Auto Detect. If port, user name or password data is different for the new hardware, correct this
before starting the auto detect process (if needed).

The wizard is pre-filled with data from the existing hardware. If you replace it with a similar hardware
device, you can reuse some of this data - for example, port and driver information.


5. Do one of the following:


• If you selected the required hardware device driver directly from the list, click Next

• If you selected Auto Detect in the list, click Auto Detect, wait for this process to be successful
(marked by a to the far left), click Next

This step is designed to help you map devices and their databases, depending on the number of
individual cameras, microphones, inputs, outputs and so on attached to the old hardware device
and the new respectively.

It is important to consider how to map databases from the old hardware device to databases of
the new hardware device. You do the actual mapping of individual devices by selecting a
corresponding camera, microphone, input, output or None in the right-side column.

Make sure to map all cameras, microphones, inputs, outputs, etc. Contents mapped to None are lost.


Example of the old hardware device having more individual devices than the new one:

Click Next.

6. You are presented with a list of hardware to be added, replaced or removed. Click Confirm.

7. The final step is a summary of added, replaced and inherited devices and their settings. Click Copy to
Clipboard to copy contents to the Windows clipboard and/or Close to end the wizard.

Update your hardware data


To make sure that your hardware device and the system are using the same firmware version, you need to
manually update the hardware data for the hardware device in the Management Client. Milestone
recommends that you update the hardware data after every firmware update to your hardware device.

To get the latest hardware data:

1. In the Site Navigation pane, select Recording Servers.

2. Expand the required recording server, then select the hardware that you want to get the latest
information for.

3. In the Properties pane on the Info tab, click the Update button in the Hardware data last updated
field.

4. The wizard checks if the system is running the latest firmware for the hardware.

Select Confirm to update the information in the Management Client. When the update is complete, the
current firmware version for the hardware device that is detected by the system appears in the
Firmware version field on the Info tab.


Managing the SQL Server and databases

Changing the SQL Server and database addresses (explained)


When you install a system as a trial, or if you restructure a large installation, you may need to use a different
SQL Server and database.

You can change the address of the SQL Server and database used by the management server and by the event
server, and the address of the SQL Server and database used by the log server, the XProtect Incident Manager
server and the IDP server. The only limitation is that you cannot change the management server and the event
server's SQL addresses at the same time as the log server's SQL address. You can do it one after another.

You must change the SQL Server and database addresses locally on the computers where you have installed
the servers. If your management server and event server are installed on separate computers, you must
update the addresses on both computers.

You must copy the SQL databases before you proceed.

Change the log server's SQL Server and database


To change the SQL location for the Log Server, do the following:

Before making any changes to the registry, make a registry backup.

1. Ensure that the user running the Log Server application pool is the owner (DBO) of the log server
database.

2. Update the ConnectionString value in the Windows Registry to include the new location and name of
the log server. The value can be found and modified under:

HKEY_LOCAL_MACHINE\SOFTWARE\VideoOS\Server\ConnectionString:

3. Restart the Log Server via Windows Services.

The default database name is: SurveillanceLogServerV2.

Change the management server and the event server's SQL Server and database
To change the SQL location for the management server and the event server, do the following:

Before making any changes to the registry, make a registry backup.


1. Stop the services and ensure that the user running the management server and the event server is the
owner (DBO) of the database.

2. Update the ConnectionString values in the Windows Registry to include the new location and name of
the servers. The values can be found and modified under:

HKEY_LOCAL_MACHINE\SOFTWARE\VideoOS\Server\ConnectionString:

3. Restart the Management Server and the XProtect Event Server via Windows Services or from the tray
icons in the notification area.

The default database name is: Surveillance.

The connection strings are: ManagementServer and EventServer.

If the event server is running on a different computer, make the same change there. The event server and the
management server use the same database.

Change the XProtect Incident Manager server's SQL Server and database

Before making any changes to the registry, make a registry backup.

1. Stop the service and ensure that the user running the XProtect Incident Manager server is the owner
(DBO) of the database.

2. Update the ConnectionString value in the Windows Registry to include the new location and name of
the server. The values can be found and modified under:

HKEY_LOCAL_MACHINE\SOFTWARE\VideoOS\Server\ConnectionString:

3. Restart the Incident Manager from the IIS Manager.

The default database name is: Surveillance_IM.

Change the IDP server's SQL Server and database

Before making any changes to the registry, make a registry backup.

1. Stop the service and ensure that the user running the IDP server is the owner (DBO) of the database.

2. Update the ConnectionString value in the Windows Registry to include the new location and name of
the server. The values can be found and modified under:

HKEY_LOCAL_MACHINE\SOFTWARE\VideoOS\Server\ConnectionString:

3. Restart the IDP from the IIS Manager.

The default database name is: Surveillance_IDP.
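
The registry procedures above all follow the same pattern: back up the key, change the server address inside the connection string, restart the service. The following PowerShell script is an added example, not Milestone tooling, that does the backup and edit for the ManagementServer and EventServer values named above. It assumes the stored strings use standard SQL Server keywords (Data Source or Server, Initial Catalog or Database); the parameter names and backup folder are hypothetical, and the value names for the other servers must be read from the key and passed in -ValueNames.

```powershell
# Added example, not Milestone tooling. Run elevated on the computer hosting the
# service, after the DBO check and service stop described in the steps above.
param(
    # New SQL Server address, e.g. 'SQL02\VMS' (constructed). ';' and '=' are
    # rejected so the input cannot smuggle in extra keywords such as Encrypt=False.
    [Parameter(Mandatory)] [ValidatePattern('^[^;=]+$')] [string] $NewSqlServer,
    [ValidatePattern('^[^;=]*$')] [string] $NewDatabase,    # optional new database name
    # Value names stated on the page for the management and event servers.
    [string[]] $ValueNames = @('ManagementServer', 'EventServer'),
    # The .reg backup contains the connection strings, so it goes in the
    # administrator's own profile (assumed location), not a shared folder.
    [string] $BackupDir = (Join-Path $env:USERPROFILE 'XProtectRegBackup'),
    [switch] $Apply                                         # without it: dry run
)

$ErrorActionPreference = 'Stop'
$keyPs  = 'HKLM:\SOFTWARE\VideoOS\Server\ConnectionString'
$keyReg = 'HKLM\SOFTWARE\VideoOS\Server\ConnectionString'

# Replace the value of one "keyword=value" segment; everything else in the
# connection string (encryption, pooling, credentials) is left untouched.
function Set-Segment {
    param([string] $Text, [string] $Keywords, [string] $Value)
    $rx = [regex] "(?i)(^|;)(\s*(?:$Keywords)\s*=)[^;]*"
    if (-not $rx.IsMatch($Text)) { throw "No segment matching '$Keywords' found." }
    # A MatchEvaluator keeps '$' in $Value from being read as a group reference.
    $eval = [System.Text.RegularExpressions.MatchEvaluator] {
        param($m) $m.Groups[1].Value + $m.Groups[2].Value + $Value
    }
    $rx.Replace($Text, $eval, 1)
}

# Mask credentials before anything is written to the console or a transcript.
function Hide-Secret([string] $Text) {
    $Text -replace '(?i)((?:password|pwd)\s*=)[^;]*', '$1***'
}

$planned = @(foreach ($name in $ValueNames) {
    $old = (Get-ItemProperty -Path $keyPs -Name $name).$name
    $new = Set-Segment $old 'Data Source|Server|Address|Addr|Network Address' $NewSqlServer
    if ($NewDatabase) { $new = Set-Segment $new 'Initial Catalog|Database' $NewDatabase }
    [pscustomobject]@{ Name = $name; Old = $old; New = $new }
})

foreach ($p in $planned) {
    "{0}`n  old: {1}`n  new: {2}" -f $p.Name, (Hide-Secret $p.Old), (Hide-Secret $p.New)
}
if (-not $Apply) { 'Dry run only. Re-run with -Apply to write the values.'; return }

# Registry backup first; stop if it fails so no value is changed without one.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backup = Join-Path $BackupDir ('ConnectionString-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& reg.exe export $keyReg $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Registry backup failed; nothing was changed.' }

foreach ($p in $planned) {
    Set-ItemProperty -Path $keyPs -Name $p.Name -Value $p.New
}
"Updated $($planned.Count) value(s). Backup: $backup. Restart the services now."
```

Run it once without -Apply and compare the masked old and new strings before writing anything.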


Managing server services


On the computer that runs server services, you find server manager tray icons in the notification area. Through
these icons, you can get information about the services and perform certain tasks. This includes, for example,
checking the state of the services, viewing logs or status messages, and starting and stopping the services.

Server manager tray icons (explained)


The tray icons in the table show the different states of the services running on the management server,
recording server, failover recording server, and event server. They are visible on the computers with the
servers installed, in the notification area:

Table columns: Management Server Manager tray icon, Recording Server Manager tray icon, Failover Recording
Server Manager tray icon, Event Server Manager tray icon, Description.

Running
Appears when a server service is enabled and started. If the Failover Recording Server service is running,
it can take over if the standard recording server fails.

Stopped
Appears when a server service has stopped. If the Failover Recording Server service stops, it cannot take
over if the standard recording server fails.

Starting
Appears when a server service is in the process of starting. Under normal circumstances, the tray icon
changes after a short while to Running.

Stopping
Appears when a server service is in the process of stopping. Under normal circumstances, the tray icon
changes after a short while to Stopped.

In indeterminate state
Appears when the server service is initially loaded and until the first information is received, upon
which the tray icon, under normal circumstances, changes to Starting and afterwards to Running.

Running offline
Typically appears when the Recording Server or Failover recording service is running but the Management
Server service is not.

Start or stop the Management Server service


The Management Server Manager tray icon indicates the state of the Management Server service, for example
Running. Through this icon, you can start or stop the Management Server service. If you stop the
Management Server service, you cannot use the Management Client.

1. In the notification area, right-click the Management Server Manager tray icon. A context-menu appears.

2. If the service has stopped, click Start Management Server service to start it. The tray icon changes to
reflect the new state.

3. To stop the service, click Stop Management Server service.

For more information about the tray icons, see Server manager tray icons (explained) on
page 333.


Start or stop the Recording Server service


The Recording Server Manager tray icon indicates the state of the Recording Server service, for example
Running. Through this icon, you can start or stop the Recording Server service. If you stop the Recording
Server service, your system cannot interact with devices connected to the server. This means you cannot view
live video or record video.

1. In the notification area, right-click the Recording Server Manager tray icon. A context-menu appears.

2. If the service has stopped, click Start Recording Server service to start it. The tray icon changes to
reflect the new state.

3. To stop the service, click Stop Recording Server service.

For more information about the tray icons, see Server manager tray icons (explained) on
page 333.


View status messages for Management Server or Recording Server


1. In the notification area, right-click the relevant tray icon. A context-menu appears.

2. Select Show Status Messages. Depending on the server type, either the Management Server Status
Messages or Recording Server Status Messages window appears, listing time-stamped status
messages.

Manage encryption with the Server Configurator


Use the Server Configurator to select certificates on local servers for encrypted communication and register
server services to make them qualified to communicate with the servers.

Open the Server Configurator from either the Windows startup menu, from the management server tray icon
or from the recording server tray icon. See Server Configurator (Utility) on page 385.

For more information, see the certificates guide about how to secure your XProtect VMS installations.

Start, stop, or restart the Event Server service


The Event Server Manager tray icon indicates the state of the Event Server service, for example Running.
Through this icon, you can start, stop, or restart the Event Server service. If you stop the service, parts of the
system will not work, including events and alarms. However, you can still view and record video. For more
information, see Stopping the Event Server service on page 338.


1. In the notification area, right-click the Event Server Manager tray icon. A context-menu appears.

2. If the service has stopped, click Start Event Server service to start it. The tray icon changes to reflect
the new state.

3. To restart or stop the service, click Restart Event Server service or Stop Event Server service.

For more information about the tray icons, see Server manager tray icons (explained) on
page 333.

Stopping the Event Server service


When installing MIP plug-ins in the Event Server, first you must stop the Event Server service and then,
afterward, restart it. While the service is stopped, many areas of the VMS system will not function:

• No events or alarms are stored in the Event Server. However, system and device events still trigger
actions, for example start recording

• Add-on products do not work in XProtect Smart Client and cannot be configured from the Management
Client.

• Analytic events do not work

• Generic events do not work

• No alarms are triggered

• In XProtect Smart Client, map view items, alarm list view items, and the Alarm Manager workspace do
not work

• MIP plug-ins in the Event Server cannot run

• MIP plug-ins in Management Client and XProtect Smart Client do not work correctly

View Event Server or MIP logs


You can view time-stamped information about Event Server activities in the Event Server log. Information
about third party integrations is logged in the MIP log in a sub-folder in the Event Server folder.


1. In the notification area, right-click the Event Server Manager tray icon. A context-menu appears.

2. To view the 100 most recent lines in the Event Server log, click Show Event Server Logs. A log viewer
appears.

   1. To view the log file, click Open log file.

   2. To open the log folder, click Open log folder.

3. To view the 100 most recent lines in the MIP log, go back to the context-menu and click Show MIP logs.
A log viewer is displayed.


If someone removes the log file from the log directory, the menu items are grayed out.
To open the log viewer, first you need to copy the log file back into its folder:
C:\ProgramData\Milestone\XProtect Event Server\logs or
C:\ProgramData\Milestone\XProtect Event Server\logs\MIPLogs.

Enter current system configuration password


If the system configuration password has been changed in the management server, you must enter the
current system configuration password in the event server, too.

If you don't enter the current password in the event server, then system components,
such as access control, will stop working.

1. In the notification area, right-click the Event Server Manager tray icon. A context-menu appears.

2. To enter the current system configuration password, click Enter current system configuration
password. A window appears.

3. Enter the same system configuration password that has been entered in the management server.

Managing registered services


Occasionally, you have servers and/or services which should be able to communicate with the system even if
they are not directly part of the system. Some services, but not all, can register themselves automatically in the
system. Services that can automatically be registered are:

• Event Server service

• Log Server service

Automatically registered services are displayed in the list of registered services.


You can manually specify servers/services as registered services in the Management Client.

Add and edit registered services


1. In the Add/Remove Registered Services window, click Add or Edit, depending on your needs.

2. In the Add Registered Service or Edit Registered Service window (depending on your earlier selection),
specify or edit settings.

3. Click OK.

Manage network configuration


With the network configuration settings, you can specify the management server's server LAN and WAN
addresses so the management server and the trusted servers can communicate.

1. In the Add/Remove Registered Services window, click Network.

2. Specify the LAN and/or WAN IP address of the management server.

If all involved servers (both the management server and the trusted servers) are on your local network,
you can simply specify the LAN address. If one or more involved servers access the system through an
internet connection, you must also specify the WAN address.

3. Click OK.

Registered services properties


In the Add Registered Service or Edit Registered Service window, specify the following:

Component: Type
Requirement: Prefilled field.

Component: Name
Requirement: Name of the registered service. The name is only used for display purposes in the
Management Client.

Component: URLs
Requirement: Click Add to add the IP address or hostname of the registered service. If specifying a
hostname as part of a URL, the host must exist and be available on the network. URLs must begin with
http:// or https:// and must not contain any of the following characters: < > & ' " * ? | [ ] ".
Example of a typical URL format: http://ipaddress:port/directory (where port and directory are
optional). You can add more than one URL if required.

Component: Trusted
Requirement: Select if the registered service should be trusted immediately (this is often the case, but
the option gives you the flexibility to add the registered service and then mark it as trusted by editing
the registered service later). Changing the trusted state also changes the state of other registered
services sharing one or more of the URLs defined for the relevant registered service.

Component: Description
Requirement: Description of the registered service. The description is only used for display purposes
in the Management Client.

Component: Advanced
Requirement: When a service is advanced, it has specific URI schemes (for example, HTTP, HTTPS, TCP, or
UDP) that need to be set up for each host address you define. A host address therefore has multiple
endpoints, each with its own scheme, host address and IP port for that scheme.

Removing device drivers (explained)


If you no longer require device drivers on your computer, you can delete the device packs from your system.
To do so, follow the standard Windows procedure for removing programs.

If you have multiple device packs installed and have problems deleting the files, you can use the script in the
device pack installation folder to delete them completely.

If you remove device drivers, the recording server and the camera devices cannot communicate any longer. Do
not remove device packs when you upgrade because you can install a new version on top of an old one. Only if
you uninstall the entire system may you remove the device pack.


Remove a recording server

If you remove a recording server, all configuration specified in the Management Client is
removed for the recording server, including all of the recording server's associated
hardware (cameras, input devices, and so on).

1. Right-click the recording server you want to remove in the Overview pane.

2. Select Remove Recording Server.

3. If you are sure, click Yes.

4. The recording server and all of its associated hardware are removed.

Delete all hardware on a recording server

When you delete hardware, all recorded data related to the hardware is deleted
permanently.

1. Right-click the recording server on which you want to delete all hardware.

2. Select Delete All Hardware.

3. Confirm the deletion.

Changing the host name of the management server computer


If the management server is addressed by its fully qualified domain name (FQDN) or its host name, a change to
the host name of the computer will have implications within XProtect that must be considered and dealt with.

In general, a change of the host name of a management server should be planned for
carefully due to the amount of clean-up that might be required afterwards.

In the following sections you can get an overview of some of the implications of a change of a host name.

The validity of certificates


Certificates are used to encrypt communication between services, and the certificates are installed on all the
computers that run one or more of the XProtect services.

Depending on how certificates are created, they can be related to the computer they are installed on, and they
will only be valid as long as the computer name stays the same.

For more information about how to create certificates, see Introduction to certificates.


If a computer name is changed, the certificates that are used may become invalid, and the XProtect VMS
cannot be started. To get the system up and running again, complete these steps:

• Create new certificates and reinstall them on all of the computers in the environment.

• Apply the new certificates, using the Server Configurator, on each of the computers to enable
encryption with the new certificates.

This will trigger the registration of the new certificates and get the system up and running again.
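
To find out which installed certificates are tied to the old computer name, the following PowerShell check can be run on each computer before or after the rename. It is an added example, not part of the Milestone manual or tooling; it assumes the server certificates are in the local computer's Personal store (Cert:\LocalMachine\My), and the parameter names and sample host names are hypothetical.

```powershell
# Added example, not Milestone tooling. Lists the certificates with a private key
# on this computer and reports whether each covers the name(s) the host will have.
param(
    # Short name and FQDN after the rename, e.g. 'VMS02','vms02.example.local'
    # (constructed). Defaults to the computer's current names.
    [string[]] $ExpectedNames = @($env:COMPUTERNAME,
                                  [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName),
    [string] $Store = 'Cert:\LocalMachine\My'    # assumed store for server certificates
)

# Compare one DNS name from a certificate with one expected host name.
# A wildcard such as '*.example.local' covers exactly one extra label.
function Test-NameMatch {
    param([string] $CertName, [string] $HostName)
    if ($CertName.StartsWith('*.')) {
        $dot = $HostName.IndexOf('.')
        return ($dot -gt 0) -and ($HostName.Substring($dot) -ieq $CertName.Substring(1))
    }
    return $CertName -ieq $HostName
}

$now = Get-Date
$report = foreach ($cert in Get-ChildItem -Path $Store) {
    # Only certificates with a private key can be selected for a server role.
    if (-not $cert.HasPrivateKey) { continue }

    # DnsNameList holds the subject alternative names (or the subject CN).
    $names = @(foreach ($n in $cert.DnsNameList) { $n.Unicode })

    # Expected names that no name in this certificate covers.
    $missing = @(foreach ($e in $ExpectedNames) {
        $covered = $false
        foreach ($n in $names) { if (Test-NameMatch $n $e) { $covered = $true } }
        if (-not $covered) { $e }
    })

    [pscustomobject]@{
        Thumbprint   = $cert.Thumbprint
        Subject      = $cert.Subject
        DnsNames     = $names -join ', '
        MissingNames = $missing -join ', '
        CoversAll    = ($missing.Count -eq 0)
        Expired      = ($cert.NotAfter -lt $now)
        NotAfter     = $cert.NotAfter
    }
}

$report | Sort-Object CoversAll, NotAfter | Format-Table -AutoSize -Wrap
```

A certificate that lists the future name under MissingNames has to be reissued and re-applied with the Server Configurator as described above.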

Loss of customer data properties for registered services


If you complete a registration using the Server Configurator after, for example, a change to the management
server address, any edits to information for the registered services will be overwritten. So, if you have changed
information for the registered services, the changes must be applied again for all the services that are
registered to the management server on the computer with the changed name.

The information that can be edited for registered services is located under Tools > Registered Services > Edit:

• Trusted

• Advanced

• External flag

• Any manually added URL

In Milestone Customer Dashboard, the host name will appear unchanged


Milestone Customer Dashboard is a free online tool for Milestone partners and resellers to manage and
monitor Milestone software installations and licenses.

A change of the name of the management server on a system that is connected to Milestone Customer
Dashboard will not automatically be reflected in Milestone Customer Dashboard.

The old host name will appear in Milestone Customer Dashboard until a new license activation is completed.
The name change, however, will not break anything in Milestone Customer Dashboard and once a new
activation takes place, the record is updated in the database with the new host name. For more information
about Milestone Customer Dashboard, see Milestone Customer Dashboard (explained).

A host name change can trigger the change of the SQL Server address
If an SQL Server is located on the same computer as the management server, and the name of this computer is
changed, the address of the SQL Server will change as well. This means that the SQL Server address will have
to be updated for components located on different computers as well as for components on the local
computer that use the computer name rather than localhost to connect to the SQL Server. This specifically
applies to the Event Server which uses the same database as the Management Server. It might also apply to
the Log Server which uses a different database but very likely on the same SQL server.


For more information about how to update SQL addresses for the Event Server and the Management Server,
see Change the management server and event server's SQL addresses. The SQL server address for the Log
Server must be updated in the Windows Registry.

Host name changes in a Milestone Federated Architecture


Changes to the name of a computer that resides within a Milestone Federated Architecture setup will have the
following implications, and this applies both when sites are connected inside work groups and across domains.

The host of the site is the root node in the architecture

If you change the name of the computer that the central site within the architecture is running on, all child
nodes will be re-attached automatically to the new address. So in this case, a rename will not require any
actions.

The host of the site is a child node in the architecture

To avoid connection issues when changing the name of a computer that one or more federated sites are
running on, you must add an alternate address to the affected site before the computer is renamed. The
affected site is the node whose host computer will be renamed. For more information about connection
issues due to unprepared or unpredicted host name changes and how to resolve the problems, see Issue: A
parent node in a Milestone Federated Architecture setup cannot connect to a child node.

The alternate address must be added in the Properties pane in either the Site Navigation or the Federated
Site Hierarchy pane. The following prerequisites must be met:

• The alternate address must be added to be available before the host computer is renamed

• The alternate address must reflect the future name of the host computer (when renamed)

See Set site properties for information about how to access the Properties pane.

To ensure the smoothest update possible, stop the Management Client on the node that
serves as a parent node to the one whose host name will change. Otherwise, stop and
restart the client after the computer has been renamed. For more information, see Start
or stop the Management Server service.

Also, make sure the alternate address you provided is reflected in the Federated Site
Hierarchy pane at your central site and if not, stop and restart the Management Client.

Once the host has been renamed, and you have restarted the computer, the federated site will automatically
switch to the new address.


Managing server logs


The following are the types of server logs:

• System log

• Audit log

• Rule-triggered logs

These are used to log the usage of the system. These logs are available in the Management Client under
Server logs.

For information about logs used for troubleshooting and investigating software errors, see Debug logs
(explained) on page 350.

Identify user activity, events, actions and errors


Use logs to get a detailed record of user activity, events, actions, and errors in the system.

To see logs in the Management Client, go to the Site Navigation pane and select Server Logs.

Log type: System logs
What is logged? System-related information

Log type: Audit logs
What is logged? User activity

Log type: Rule-triggered logs
What is logged? Rules in which users have specified the Make new <log entry> action. For more
information about the <log entry> action, see Actions and stop actions.

To see logs in a different language, see General tab (options) on page 366 under Options.

To export logs as comma-separated values (.csv) files, see Export logs.

To change log settings, see Server Logs tab (options) on page 369.

Filter Logs
In each log window, you can apply filters to see log entries from, for example, a specific time span, a device, or
a user.


Filters are generated from the log entries that are currently visible in the user interface.

1. In the Site Navigation pane, select Server Logs. By default, the System logs tab appears.

To navigate between log types, select a different tab.

2. Under the tabs, select a filter group, for example, Category, Source type, or User.

A list of filters appears. A list of filters shows a maximum of 1000 filters.

3. Select a filter to apply it. Select the filter again to remove it.

Optional: In a list of filters, select Display applied filters only to see only the filters that you applied.

When you export logs, the contents of your export change depending on the filters that
you apply. For information about your export, see Export logs.


Export logs
Exporting logs helps you to, for example, save log entries beyond the log retention period. You can export logs
as comma-separated values (.csv) files.

To export a log:

1. Select Export in the upper-right corner. The Export window appears.

2. In the Export window, in the Name field, specify a name for the log file.

3. By default, exported log files are saved in your Log export folder. To specify a different location, select

to the right of the Destination field.

4. Select Export to export the log.

The contents of your export change depending on the filters that you apply. For
information about your export, see Filter logs.

Search logs
To search a log, use Search criteria in the top part of the log pane:

1. Specify your search criteria from the lists.

2. Click Refresh to make the log page reflect your search criteria. To clear your search criteria, and return
to viewing all of the log's content, click Clear.

You can double-click any row to have all details presented in a Log Details window. In this way you can also
read the log entries that contain more text than can be displayed in a single line.


Change log language


1. At the bottom part of the log pane, in the Show log in list, select the wanted language.

2. The log is displayed in the selected language. Next time you open the log, it is reset to the default
language.

Allow 2018 R2 and earlier components to write logs


The 2018 R3 version of the log server introduces authentication for added security. This prevents 2018 R2 and
earlier components from writing logs to the log server.

Affected components:

• XProtect Smart Client
• XProtect LPR Plug-in
• LPR Server
• Access Control Plug-in
• Event Server
• Alarm Plug-in

If you're using the 2018 R2 or earlier version of any of the components listed above, you must decide whether
or not to allow the component to write logs to the new log server:

1. Select Tools > Options.

2. In the Options dialog box, at the bottom of the Server Logs tab, find the Allow 2018 R2 and earlier
components to write logs check box.

   • Select the check box to allow 2018 R2 and earlier components to write logs
   • Clear the check box to not allow 2018 R2 and earlier components to write logs


Troubleshooting

Debug logs (explained)


Debug logs are used to identify defects and flaws in the system.

For information about logs used for system usage, see Managing server logs on page 346.

The following are the locations of the log files in the XProtect installation:

• C:\ProgramData\Milestone\IDP\Logs

  This is accessible only to the IIS user and administrators. If the IIS user is changed,
  these permissions must be updated.

• C:\ProgramData\Milestone\MIPSDK
• C:\ProgramData\Milestone\XProtect Data Collector Server\Logs
• C:\ProgramData\Milestone\XProtect Event Server\Logs
• C:\ProgramData\Milestone\XProtect Log Server
• C:\ProgramData\Milestone\XProtect Management Server\Logs
• C:\ProgramData\Milestone\XProtect Mobile Server\Logs
• C:\ProgramData\Milestone\XProtect Recording Server\Logs
• C:\ProgramData\Milestone\XProtect Report Web Server\Logs
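To check the permission note on the IDP log folder and to see which of the listed folders are actually being written to, the following PowerShell can be used. It is an added example, not part of the Milestone manual; the function names are hypothetical, the IIS identity is a placeholder you must supply, and treating NT AUTHORITY\SYSTEM as expected is an assumption.

```powershell
# Added example, not from the Milestone manual. Run from an elevated prompt.

# Debug log folders exactly as listed in the manual.
$DebugLogFolders = @(
    'C:\ProgramData\Milestone\IDP\Logs',
    'C:\ProgramData\Milestone\MIPSDK',
    'C:\ProgramData\Milestone\XProtect Data Collector Server\Logs',
    'C:\ProgramData\Milestone\XProtect Event Server\Logs',
    'C:\ProgramData\Milestone\XProtect Log Server',
    'C:\ProgramData\Milestone\XProtect Management Server\Logs',
    'C:\ProgramData\Milestone\XProtect Mobile Server\Logs',
    'C:\ProgramData\Milestone\XProtect Recording Server\Logs',
    'C:\ProgramData\Milestone\XProtect Report Web Server\Logs'
)

function Get-DebugLogFolderStatus {
    # Reports whether each folder exists and when a file in it was last written.
    [CmdletBinding()]
    param([string[]]$Path = $DebugLogFolders)

    foreach ($p in $Path) {
        $exists = Test-Path -LiteralPath $p -PathType Container
        $newest = $null
        if ($exists) {
            $newest = Get-ChildItem -LiteralPath $p -File -Recurse -ErrorAction SilentlyContinue |
                Sort-Object LastWriteTime -Descending |
                Select-Object -First 1
        }
        [pscustomobject]@{
            Path        = $p
            Exists      = $exists
            NewestWrite = if ($newest) { $newest.LastWriteTime } else { $null }
        }
    }
}

function Get-UnexpectedLogAccess {
    # Lists Allow rules on the IDP log folder for identities outside the allow-list.
    [CmdletBinding()]
    param(
        [string]$Path = 'C:\ProgramData\Milestone\IDP\Logs',

        # Assumption: the account IIS runs under on this server. Placeholder, replace it.
        [Parameter(Mandatory)]
        [string]$IisIdentity,

        # Assumption: SYSTEM is accepted in addition to administrators.
        [string[]]$AlsoAllowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        Write-Warning "Folder not found: $Path"
        return
    }

    $allowed = @($IisIdentity) + $AlsoAllowed
    $acl = Get-Acl -LiteralPath $Path

    foreach ($rule in $acl.Access) {
        $identity = $rule.IdentityReference.Value
        # -notcontains compares case-insensitively, which matches Windows account names.
        if ($rule.AccessControlType -eq 'Allow' -and $allowed -notcontains $identity) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $identity
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Usage (the identity below is a placeholder):
# Get-DebugLogFolderStatus | Format-Table -AutoSize
# Get-UnexpectedLogAccess -IisIdentity '<DOMAIN\iis-account>'
```

An empty result from Get-UnexpectedLogAccess means only the allow-listed identities have Allow rules on the folder.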

Issue: Change of SQL Server and database addresses prevents database access
If the addresses to the SQL Server and database are changed, for example by changing the host name of the
computer running the SQL Server, the recording server's access to the database is lost.

Solution: Select Update SQL address tool from the Management Server Manager tray icon, and complete the
steps in the wizard to change the address.

For more information about changing the SQL Server and database addresses, see Managing the SQL server
and databases.


Issue: Recording server startup fails due to port conflict


This issue can only appear if the Simple Mail Transfer Protocol (SMTP) service is running, as it uses port 25. If
port 25 is already in use, it may not be possible to start the Recording Server service. It is important that
port number 25 is available for the recording server's SMTP service.

SMTP Service: Verification and solutions

To verify whether SMTP Service is installed:

1. From Windows' Start menu, select Control Panel.

2. In the Control Panel, double-click Add or Remove Programs.

3. In the left side of the Add or Remove Programs window, click Add/Remove Windows Components.

4. In the Windows Components wizard, select Internet Information Services (IIS), and click Details.

5. In the Internet Information Services (IIS) window, verify whether the SMTP Service check box is
selected. If so, SMTP Service is installed.

If SMTP Service is installed, select one of the following solutions:

Solution 1: Disable SMTP Service, or set it to manual startup

This solution lets you start the recording server without having to stop the SMTP Service every time:

1. From Windows' Start menu, select Control Panel.

2. In the Control Panel, double-click Administrative Tools.

3. In the Administrative Tools window, double-click Services.

4. In the Services window, double-click Simple Mail Transfer Protocol (SMTP).

5. In the SMTP Properties window, click Stop, then set Startup type to either Manual or Disabled.

When set to Manual, the SMTP Service can be started manually from the Services window, or from a
command prompt using the command net start SMTPSVC.

6. Click OK.
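The verification and Solution 1 above can also be done from an elevated PowerShell prompt, which additionally shows which process currently holds port 25. This is an added example, not part of the Milestone manual; the function names are hypothetical, and only the service name SMTPSVC comes from the text above.

```powershell
# Added example, not from the Milestone manual. Run from an elevated prompt.

function Get-Port25Listener {
    # Shows which process, if any, is listening on the port the recording server needs.
    [CmdletBinding()]
    param([int]$Port = 25)

    Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                ProcessId    = $_.OwningProcess
                ProcessName  = if ($proc) { $proc.ProcessName } else { '<unknown>' }
            }
        }
}

function Get-SmtpServiceState {
    # Reports whether the SMTP Service is installed, its state and its startup type.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='SMTPSVC'"
    if (-not $svc) {
        return [pscustomobject]@{ Installed = $false; State = $null; StartMode = $null }
    }
    [pscustomobject]@{
        Installed = $true
        State     = $svc.State       # for example Running or Stopped
        StartMode = $svc.StartMode   # for example Auto, Manual or Disabled
    }
}

function Set-SmtpServiceStartup {
    # Solution 1: stop the SMTP Service and set its startup type to Manual or Disabled.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet('Manual', 'Disabled')]
        [string]$StartupType = 'Manual'
    )

    $state = Get-SmtpServiceState
    if (-not $state.Installed) {
        Write-Verbose 'SMTPSVC is not installed; nothing to change.'
        return
    }

    if ($PSCmdlet.ShouldProcess('SMTPSVC', "Stop and set startup type to $StartupType")) {
        Stop-Service -Name SMTPSVC -Force
        Set-Service -Name SMTPSVC -StartupType $StartupType
    }
    Get-SmtpServiceState
}

# Usage:
# Get-Port25Listener            # empty output means port 25 is free
# Get-SmtpServiceState
# Set-SmtpServiceStartup -StartupType Manual -WhatIf   # preview the change first
```

After the change, confirm that Get-Port25Listener returns nothing before you start the Recording Server service.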

Solution 2: Remove SMTP service

Removing the SMTP Service may affect other applications using the SMTP Service.

1. From Windows' Start menu, select Control Panel.

2. In the Control Panel window, double-click Add or Remove Programs.

3. In the left side of the Add or Remove Programs window, click Add/Remove Windows Components.


4. In the Windows Components wizard, select the Internet Information Services (IIS) item, and click
Details.

5. In the Internet Information Services (IIS) window, clear the SMTP Service check box.

6. Click OK, Next, and Finish.

Issue: Recording Server goes offline when switching Management Server cluster node
If you set up a Microsoft cluster for Management Server redundancy, the Recording Server or Recording
Servers may go offline when switching Management Server between the cluster nodes.

To correct this, do the following:

When doing configuration changes, on the Microsoft Failover Cluster Manager, pause
the control and monitoring of the service so the Server Configurator can make the
changes and start and/or stop the Management Server service. If you change the
failover cluster service startup type to manual, it should not result in any conflicts with
the Server Configurator.

On the Management Server computers:

1. Start the Server Configurator on each of the computers that have a management server installed.

2. Go to the Registration page.

3. Click the pencil symbol to make the management server address editable.

4. Change the management server address to the URL of the cluster, for example http://MyCluster.

5. Click Register.

On computers that have components that use the Management Server (for example, Recording Server, Mobile
Server, Event Server, API Gateway):

1. Start the Server Configurator on each of the computers.

2. Go to the Registration page.

3. Change the management server address to the URL of the cluster, for example http://MyCluster.

4. Click Register.


Issue: A parent node in a Milestone Federated Architecture setup cannot connect to a child node
If you have renamed the host computer of a site that acts as a child node in a Milestone Federated
Architecture, a parent node will not be able to connect to it.

To reestablish the connection between parent node and site


• Detach the affected site from its parent. For more information, see Detach a site from the hierarchy.

• Re-attach the site using the new name of its host. For more information, see Add site to hierarchy.

To make sure that the changes are in effect, you might want to stop and restart the
Management Client on the node that serves as a parent node to the one whose host
name has been changed. For more information, see Start or stop the Management
Server service.

For more information about the implications of a host name change in a Milestone Federated Architecture
setup, see Host name changes in a Milestone Federated Architecture.


Upgrade

Upgrade (explained)
When you upgrade, all components currently installed on the computer are upgraded. It is not possible to
remove installed components during an upgrade. If you want to remove installed components, use Windows’
Add and remove programs functionality before or after an upgrade. During the upgrade, all components,
except the management server database, are automatically removed and replaced. This includes the drivers of
your device pack.

The management server database contains the entire system configuration (recording server configurations,
camera configurations, rules, and so on). As long as you do not remove the management server database, no
reconfiguration of your system configuration is needed, even if you may want to configure some of the new
features in the new version.

Backward compatibility with recording servers from XProtect versions earlier than the
current version is limited. You can still access recordings on such older recording
servers, but to change their configuration, they must be of the same version as this
current one. Milestone recommends that you upgrade all recording servers in your
system.

When the upgrade includes your recording servers, you are asked if you want to update or keep your video
device drivers. If you choose to update, it might take a few minutes for your hardware devices to connect
to the new video device drivers after you restart your system. This is due to several internal checks on the newly
installed drivers.

If you upgrade from version 2017 R3 or earlier to version 2018 R1 or later, and if your
system has older cameras, you must manually download the device pack with legacy
drivers from the download page on our website
(https://www.milestonesys.com/downloads/). To see if you have cameras that use drivers
in the legacy device pack, visit this page on our website
(https://www.milestonesys.com/community/business-partner-tools/device-packs/).

If you upgrade from version 2018 R1 or earlier to version 2018 R2 or later, it is important
that you update all recording servers in your system with a security patch before you
upgrade. Upgrading without the security patch will cause the recording servers to fail.

The instructions for installing the security patch on your recording servers are available
on our website
https://supportcommunity.milestonesys.com/s/article/XProtect-VMS-NET-security-vulnerability-hotfixes-for-2016-R1-2018-R1/.

If you want to encrypt the connection between the management server and the
recording servers, all recording servers must be upgraded to 2019 R2 or newer.

Upgrade requirements
• Have your software license file (see Licenses (explained) on page 108) (.lic) ready:

  ◦ Service pack upgrade: During the installation of the management server, the wizard may ask
    you to specify the location of the software license file. You can use both the software license file
    you got after your purchase of your system (or latest upgrade) and the activated software
    license file you got after your last license activation

  ◦ Version upgrade: After you purchased the new version, you receive a new software license file.
    During the installation of the management server, the wizard asks you to specify the location of
    the new software license file

  The system verifies the software license file before you can continue. Already added hardware devices
  and other devices that require licenses will enter a grace period. If you have not enabled automatic
  license activation (see Enable automatic license activation on page 115), remember to activate your
  licenses manually before the grace period expires. If you do not have your software license file, contact
  your XProtect reseller.

• Have your new product version software ready. You can download it from the download page on the
  Milestone website.

• Make sure that you have backed up the system configuration (see Backing up and restoring your
  system configuration (explained) on page 313)

  The management server stores the system configuration in an SQL database. The SQL database can be
  located in a SQL Server on the management server machine itself or in a SQL Server on the network.

  If you use an SQL database in a SQL Server on your network, the management server must have
  administrator permissions on the SQL Server whenever you want to create, move or upgrade the SQL
  database. For regular use and maintenance of the SQL database, the management server only needs to
  be SQL database owner.

• If you plan to enable encryption during installation, you need to have the proper certificates installed
  and trusted on relevant computers. For more information, see Secure communication (explained) on
  page 138.

When you are ready to start the upgrade, follow the procedures in Upgrade best practices on page 357.


Upgrade XProtect VMS to run in FIPS 140-2 compliant mode


From version 2020 R3, XProtect VMS is configured to run so that it uses only the FIPS 140-2-certified algorithm
instances.

For detailed information on how to configure your XProtect VMS to run in FIPS 140-2 compliant mode, see the
FIPS 140-2 compliance section in the hardening guide.

For FIPS 140-2 compliant systems, with exports and archived media databases from
XProtect VMS versions prior to 2017 R1 that are encrypted with non FIPS-compliant
ciphers, it is required to archive the data in a location where it can still be accessed after
enabling FIPS.

The following process describes what is necessary to configure XProtect VMS to run in FIPS 140-2 compliant
mode:

1. Disable the Windows FIPS security policy on all of the computers that are part of the VMS, including the
computer that hosts the SQL server.

When you upgrade, you cannot install XProtect VMS when FIPS is enabled on the Windows operating
system.

2. Ensure standalone third-party integrations can run on a FIPS enabled Windows operating system.

If a standalone integration is not FIPS 140-2 compliant, it cannot be run after you set Windows
operating system to operate in FIPS mode.

To prevent this:

   • Make an inventory of all your standalone integrations to XProtect VMS
   • Contact the providers of these integrations and ask if the integrations are FIPS 140-2 compliant
   • Deploy the FIPS 140-2 compliant standalone integrations

3. Ensure that the drivers, and hence the communication to the devices, adhere to FIPS 140-2 compliance.

XProtect VMS can guarantee and enforce a FIPS 140-2 compliant mode of operation if the following
criteria are met:

   • Devices use only compliant drivers to connect to XProtect VMS

     See the FIPS 140-2 compliance section in the hardening guide for more information about
     drivers that can assure and enforce compliance.

   • Devices use device pack version 11.1 or higher

     Drivers from the legacy driver device packs cannot guarantee a FIPS 140-2 compliant connection.

   • Devices are connected over HTTPS and on either Secure Real-Time Transport Protocol (SRTP) or
     Real Time Streaming Protocol (RTSP) over HTTPS for the video stream

     Driver modules cannot guarantee FIPS 140-2 compliance of a connection over HTTP. The
     connection may be compliant, but there is no guarantee that it is in fact compliant.

   • The computer that is running the recording server runs Windows OS with FIPS mode enabled

4. Ensure that data in the media database is encrypted with FIPS 140-2 compliant ciphers.

This is done by running the media database upgrade tool. For detailed information on how to configure
your XProtect VMS to run in FIPS 140-2 compliant mode, see the FIPS 140-2 compliance section in the
hardening guide.

5. Before you enable FIPS on the Windows operating system, and after you have configured your XProtect
VMS system and ensured that all components and devices can run on a FIPS enabled environment,
update your existing hardware passwords in the XProtect Management Client.

To do this, in the Management Client, from the selected recording server in the Recording Servers
node, right-click and select Add Hardware. Progress through the Add hardware wizard. This will
update all the current credentials and encrypt them to be FIPS-compliant.

You can enable FIPS only after you have upgraded the entire VMS, including all clients.
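Step 1 requires the Windows FIPS security policy to be disabled on every VMS computer, including the SQL Server host, before the upgrade, and the policy is enabled again only at the end. The following added PowerShell example (not part of the Milestone manual) reports the policy state per computer so that both points can be verified. The function names are hypothetical, the host names in the usage comment are constructed, and remote checks assume PowerShell remoting is enabled; the registry value read here is the standard Windows location of this policy and is not named in the manual.

```powershell
# Added example, not from the Milestone manual.

function Get-FipsPolicyState {
    # Returns one object per computer: FipsEnabled is $true, $false,
    # or $null when the computer could not be queried.
    [CmdletBinding()]
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    $probe = {
        # Windows stores the "Use FIPS compliant algorithms" policy here.
        $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
        $value = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            FipsEnabled = ($value -eq 1)
        }
    }

    foreach ($name in $ComputerName) {
        try {
            if ($name -eq $env:COMPUTERNAME) {
                & $probe
            }
            else {
                Invoke-Command -ComputerName $name -ScriptBlock $probe -ErrorAction Stop |
                    Select-Object Computer, FipsEnabled
            }
        }
        catch {
            Write-Warning "Could not query ${name}: $($_.Exception.Message)"
            [pscustomobject]@{ Computer = $name; FipsEnabled = $null }
        }
    }
}

function Test-FipsDisabledEverywhere {
    # Pre-upgrade gate: $true only if every computer answered and reports FIPS disabled.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$ComputerName)

    $states = Get-FipsPolicyState -ComputerName $ComputerName
    -not ($states | Where-Object { $_.FipsEnabled -ne $false })
}

# Usage (constructed host names):
# $vmsHosts = 'MGMT01', 'REC01', 'REC02', 'SQL01'
# Get-FipsPolicyState -ComputerName $vmsHosts | Format-Table -AutoSize
# Test-FipsDisabledEverywhere -ComputerName $vmsHosts
```

A computer that cannot be reached is reported with FipsEnabled empty and makes the gate return false, so an unreachable host is never counted as ready.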

Upgrade best practices


Read about upgrade requirements (see Upgrade requirements on page 355) including SQL database backup
before you start the actual upgrade.


Device drivers are now split into two device packs: the regular device pack with newer
drivers and a legacy device pack with older drivers. The regular device pack is always
automatically installed with an update or upgrade. If you have older cameras that use
device drivers from the legacy device pack, and you do not have a legacy device pack
installed already, the system does not automatically install the legacy device pack.

If your system has older cameras, Milestone recommends that you check if the cameras
use drivers from the legacy device pack on this page
(https://www.milestonesys.com/community/business-partner-tools/device-packs/). To
check if you have the legacy pack installed already, look in the XProtect system folders. If
you need to download the legacy device pack, go to the download page
(https://www.milestonesys.com/downloads/).

If your system is a Single Computer system, you can install the new software on top of the existing installation.

In a Milestone Interconnect or Milestone Federated Architecture system, you must upgrade the central
site first and afterward the remote sites.

In a distributed system, perform the upgrade in this order:

1. Upgrade the management server with the Custom option in the installer (see Install your system -
Custom option on page 151).

1. On the wizard page where you choose components, all management server components are
preselected.

2. Specify the SQL Server and database. Decide whether to keep the SQL database that you are
already using and to keep the existing data in the database.

When you start the installation, you lose the failover recording server
functionality (see Failover recording server (explained) on page 37).

If you enable encryption on the management server, the recording
servers are offline until they are upgraded, and you have enabled
encryption to the management server (see Secure communication
(explained) on page 138).


2. Upgrade failover recording servers. From your management server's download web page (controlled by
the Download Manager), install Recording Server.

If you plan to enable encryption on the failover recording servers and you want to
retain the failover functionality, upgrade the failover recording server without
encryption and enable it after you have upgraded the recording servers.

At this point the failover server functionality works again.

3. If you plan to enable encryption from the recording servers or failover recording servers to the clients
and it is important that the clients can retrieve data during the upgrade, upgrade all clients and services
that retrieve data streams from the recording servers before you upgrade the recording servers. These
clients and services are:

   • XProtect Smart Client
   • Management Client
   • Management Server
   • XProtect Mobile server
   • XProtect Event Server
   • DLNA Server Manager
   • Milestone Open Network Bridge
   • Sites that retrieve data streams from the recording server through Milestone Interconnect
   • Some MIP SDK third-party integrations

4. Upgrade the recording servers. You can install recording servers using the installation wizard (see
Install a recording server through Download Manager on page 158) or silently (see Install a recording
server silently on page 165). The advantage of a silent install is that you can do it remotely.

If you enable encryption and the selected server authentication certificate is not
trusted on all relevant computers running, they lose connection. For more
information, see Secure communication (explained) on page 138.

Continue these steps for the other sites in your system.

Upgrade in a cluster
Make sure to have a backup of the database before updating the cluster.


1. Stop the Management Server service on all management servers in the cluster.

2. Uninstall the management server on all servers in the cluster.

3. Install the management servers by following the procedure for installing multiple management servers
in a cluster. See Install in a cluster on page 169.

When installing, make sure to reuse the existing SQL Server and the existing SQL
database that currently stores the system configuration. The system configuration is
automatically upgraded.


User interface details

Main window and panes


The Management Client window is divided into panes. The number of panes and layout depend on your:

• System configuration
• Task
• Available functions

Below are some examples of typical layouts:

• When you work with recording servers and devices:

• When you work with rules, time and notification profiles, users, roles:

• When you view logs:

Panes layout

The illustration outlines a typical window layout. You can customize the layout so it may
look different on your computer.


1. Site Navigation pane and Federated Site Hierarchy pane

2. Overview pane

3. Properties pane

4. Preview pane

Site Navigation pane

This is your main navigation element in the Management Client. It reflects the name, settings and
configurations of the site that you have logged into. The site name is visible at the top of the pane. The
features are grouped into categories that reflect the functionality of the software.

In the Site Navigation pane, you can configure and manage your system so it matches your needs. If your
system is not a single-site system, but includes federated sites, note that you manage these sites on the
Federated Site Hierarchy pane.

Available functionality depends on the system you are using. See the complete feature list, which is available
on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

Federated Site Hierarchy pane

This is your navigation element that displays all Milestone Federated Architecture sites in a parent/child site
hierarchy.

You can select any site and log in to it, and the Management Client for that site launches. The site that you are
logged in to is always at the top of the hierarchy.

Overview pane

Provides an overview of the element you have selected in the Site Navigation pane, for example as a detailed
list. When you select an element in the Overview pane, it typically displays the properties in the Properties
pane. When you right-click elements in the Overview pane you get access to the management features.

Properties pane

Displays the properties of the element selected in the Overview pane. The properties appear on several
dedicated tabs:


Preview pane

The Preview pane appears when you work with recording servers and devices. It shows preview images from
the selected cameras or displays information about the state of the device. The example shows a camera
preview image with information about the resolution and data rate of the camera's live stream:

By default, the information shown with the camera preview images concerns live streams. This is displayed in
green text above the preview. If you want recording stream information instead (red text), select View > Show
Recording Streams in the menu.

Performance can be affected if the Preview pane displays preview images from many cameras at a high frame
rate. To control the number of preview images, and their frame rate, select Options > General in the menu.

System settings (Options dialog box)


In the Options dialog box, you can specify a number of settings related to the general appearance and
functionality of the system.

Available functionality depends on the system you are using. See the complete feature list, which is available
on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

To access the dialog box, select Tools > Options.


General tab (options)


On the General tab, you can specify general settings for the Management Client and the recording server.

Management Client

| Name | Description |
|---|---|
| Max number of previews | Select the maximum number of thumbnail images displayed in the Preview pane. Default is 64 thumbnail images. Select Action > Refresh from the menu for the change to take effect. A large number of thumbnail images in combination with a high frame rate may slow the system down. |
| When adding new camera devices automatically enable: Motion detection | Select the check box to enable motion detection on new cameras, when you add them to the system with the Add Hardware wizard. This setting does not affect motion detection settings on existing cameras. You enable and disable motion detection for a camera on the Motion tab for the camera device. |
| When adding new camera devices automatically enable: Generate motion data for smart search | Generation of motion data for smart search requires that motion detection is enabled for the camera. Select the check box to enable generation of smart search motion data on new cameras, when you add them to the system with the Add Hardware wizard. This setting does not affect motion detection settings on existing cameras. You enable and disable the generation of smart search motion data for a camera on the Motion tab for the camera device. |
| When adding new camera devices automatically enable: Multicast | Select the check box to enable multicast on new cameras when you add them with the Add Hardware wizard. This setting does not affect multicast settings on existing cameras. You enable and disable live multicasting for a camera on the Client tab for the camera device. |
| Language | Select the language of the Management Client. Restart the Management Client to use the new language. |
| Allow non-secure connection to the server | Select the check box to allow non-secure server connection by HTTP protocol. (No users are prompted to allow non-secure server connection). Restart the Management Client to use this setting. |


Recording server

| Name | Description |
|---|---|
| Timeout for manual PTZ sessions | Client users with the necessary user permissions can manually interrupt the patrolling of PTZ cameras. Select how much time should pass before regular patrolling is resumed after a manual interruption. The setting applies for all PTZ cameras on your system. Default setting is 15 seconds. If you want individual timeouts on the cameras, you specify this on the Presets tab for the camera. |
| Timeout for pause patrolling sessions | Client users with a sufficient PTZ priority can pause patrolling on PTZ cameras. Select how much time should pass before regular patrolling is resumed after a pause. The setting applies for all PTZ cameras on your system. Default setting is 10 minutes. If you want individual timeouts on the cameras, you specify this on the Presets tab for the camera. |
| Timeout for reserved PTZ sessions | Set the default timeout period for reserved PTZ sessions. When a user runs a reserved PTZ session, the PTZ camera cannot be used by others before it is released either manually or when the period has timed out. Default setting is 1 hour. If you want individual timeouts on the cameras, you specify this on the Presets tab for the camera. |
| Use default preset as PTZ home position | Select this check box to use the default preset position instead of the home position of PTZ cameras when activating the Home button in a client. A default preset position must be defined for the camera. If a default preset position is not defined, nothing will happen when activating the Home button in a client. By default, this check box is cleared. To assign a default preset position, see Assign a camera's preset position as default on page 233 |
| Ignore device communication errors if communication reestablished before | The system logs all communication errors on hardware and devices, but here you select for how long a communication error must exist before the rule engine triggers the Communication Error event. |

Server Logs tab (options)


On the Server Logs tab, you can specify settings for the system’s management server logs.

For more information, see Identify user activity, events, actions and errors.

| Name | Description |
|---|---|
| Logs | Select the log type that you want to configure: System logs, Audit logs, or Rule-triggered logs. |
| Settings | Disable or enable the logs and specify the retention period. Allow 2018 R2 and earlier components to write logs. For more information, see Allow 2018 R2 and earlier components to write logs. For System logs, specify the level of messages that you want to log: All (includes undefined messages); Information, warnings, and errors; Warnings and errors; Errors (default setting). For Audit logs, enable user access logging if you want the system to log all user actions in XProtect Smart Client. These are, for example, exports, activating outputs, and viewing cameras live or in playback. Specify: (1) The length of a playback sequence. This means that as long as the user plays back within this period, the system only generates one log entry. When playing back outside the period, the system creates a new log entry. (2) The number of records (frames) a user has seen before the system creates a log entry. |

Mail Server tab (options)


On the Mail Server tab, you can specify the settings for your system's mail server.
For more information, see Notification profiles (explained).

Name Description

Sender e-mail address: Enter the email address that you want to appear as the sender of email notifications for all notification profiles. Example: [email protected].

Mail server address: Enter the address of the SMTP mail server that sends e-mail notifications. Example: mailserver.organization.org.

Mail server port: The TCP port used for connecting to the mail server. Default port is 25 for unencrypted connections. Encrypted connections typically use port 465 or 587.

Encrypt the connection to the server: If you want to secure the communication between the management server and the SMTP mail server, select this check box.

The connection is secured using the STARTTLS email protocol command. In this mode, the session begins on an unencrypted connection, then a STARTTLS command is issued by the SMTP mail server to the management server to switch to secure communication using SSL.

Server requires login: If enabled, you must specify a user name and password for the users to log in to the mail server.

AVI Generation tab (options)


On the AVI Generation tab, you can specify compression settings for the generation of AVI video clip files. The
settings are required if you want to include AVI files in e-mail notifications sent by rule-triggered notification
profiles.

See also Trigger email notifications from rules.

Name Description

Compressor: Select the codec (compression/decompression technology) that you want to apply. To have more codecs available in the list, install them on the management server.

Not all cameras support all codecs.

Compression quality: (Not available for all codecs). Use the slider to select the degree of compression (0-100) to be performed by the codec.

0 means no compression, generally resulting in high image quality and large file size. 100 means maximum compression, generally resulting in low image quality and small file size.

If the slider is not available, the compression quality is determined entirely by the selected codec.

Keyframe every: (Not available for all codecs). If you want to use keyframes, select the check box and specify the required number of frames between keyframes.

A keyframe is a single frame stored at specified intervals. The keyframe contains the entire view of the camera, whereas the following frames contain only the pixels that change. This helps greatly reduce the size of files.

If the check box is not available, or not selected, every frame contains the entire view of the camera.

Data rate: (Not available for all codecs). If you want to use a particular data rate, select the check box and specify the number of kilobytes per second.

The data rate specifies the size of the attached AVI file.

If the check box is not available, or not selected, the data rate is determined by the selected codec.

Network tab (options)


On the Network tab, you can specify the IP addresses of the local clients, if the clients are to connect to the
recording server via the Internet. The surveillance system then recognizes them as coming from the local
network.

You can also specify the IP version of the system: IPv4 or IPv6. Default value is IPv4.

Bookmark tab (options)

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

On the Bookmarks tab, you can specify settings for bookmarks, their IDs and function in XProtect Smart Client.

Name Description

Bookmark ID prefix: Specify a prefix for all the bookmarks that are made by the users of XProtect Smart Client.

Default bookmark time: Specify the default start and end time of a bookmark set in XProtect Smart Client.

This setting needs to be aligned with:

- The default bookmark rule, see Rules (Rules and Events node).
- The pre-buffer period for each camera, see Manage pre-buffering.

To specify the bookmark permissions of a role, see Device tab (roles) on page 523.

User Settings tab (options)


On the User Settings tab, you can specify user preference settings, for example, if a message should be shown
when remote recording is enabled.

External IDP tab (options)


On the External IDP tab in Management Client, you can add and configure an external IDP and register claims
from the external IDP.

Name Description

Enabled: The external IDP is by default enabled.

Name: The name for the external IDP. The name that you enter here appears in the Authentication field in the log in window of your client.

Authentication authority: The URL of the external IDP.

Add: Add and configure an external IDP. When you select Add, the External IDP dialog box opens and you can enter the information for the configuration, see Configure an external IDP below the table.

Edit: Edit the configuration of the external IDP.

Remove: Remove the external IDP configuration.

If you remove an external IDP configuration, the users that are authenticated via this external IDP will not be able to log in to the XProtect VMS. If you add the external IDP again, new users will be created on log in because the ID of the external IDP has changed.

Configure an external IDP

- To add an external IDP, select Add in the External IDP section and enter the information in the table below:

Name Description

Name: The name for the external IDP that you enter here appears in the Authentication field in the log in window of your client.

Client ID and Client secret: Must be obtained from the external IDP. The client ID and the client secret are needed to communicate securely with the external IDP.

Callback path: Part of a URL for the authentication redirect flow to sign in users.

Users are signed in from a sign-in page that is hosted by the external IDP. When the authentication process is completed, this path is invoked and the user is redirected to the XProtect VMS.

The default value is “/signin-oidc”.

The redirect format

The URI of the callback path is constructed by the management server FQID together with /idp/ and the callback path configured on the external provider.

Examples:

- Redirect URI format for the XProtect Smart Client and the XProtect Management Client: [schema]://[management server address]/idp/[callback path]
- Redirect URI format for the XProtect Web Client and XProtect Mobile client: [redirect Uri without “/index.html”]/idp/[callback path]

Note that the "idp" part of the callback path is case sensitive and it must be entered in lowercase letters.

Prompt for login: Specify to the external IDP if the user should stay logged in or if a verification of the user is required. Depending on the external IDP, the verification can include a password verification or a full log-in.

Claim to use to create user name: Optionally, specify which claim from the external IDP that should be used to generate a unique user name for the auto-provisioned user in the VMS. For more information about unique user names created by claims, see Unique user names for external IDP users.

Scopes: Optionally, use scopes to limit the number of claims that you get from an external IDP. If you know that the claims that are relevant for your VMS are in a specific scope, you can use the scope to limit the number of claims that you get from the external IDP.

Register claims

When you have registered claims from the external IDP, you can map the claims to roles in the VMS to
determine the user privileges in the VMS. For more information, see Map claims from an external IDP.

- To register claims from an external IDP, select Add in the Registered claims section and enter the information in the table below:

Name Description

External IDP: The name of the external IDP.

Claim name: Name of the claim in free text. The name will be available when selecting a role.

Display name: The display name of a claim.

Case sensitive: Indicates whether the value of a claim is case sensitive.

Examples of values that are typically case sensitive:

- Textual representations of IDs such as a guid: F951B1F0-2FED-48F7-88D3-49EB5999C923 or OadFgrDesdFesff=

Examples of values that are typically not case sensitive:

- E-mail addresses
- Role names
- Group names

Add, Edit, Remove: Register and maintain claims.

If you modify a claim at the external IDP web site, a new log in to the XProtect client is required by the users. Say that a user, Bob, needs to be, for example, an Operator. The claim is then added to Bob at the external IDP web site, but if Bob is already logged in to XProtect, he must complete a new login for the change to take effect.

Add redirect URIs for the web clients

The redirect URI is the location where the user is redirected after a successful log in. The redirect URIs must be
an exact match of the addresses of the web clients. For example, you will not be able to log in via an external
IDP if you open XProtect Web Client from https://localhost:8082/index.html and the redirect URI for the web
clients you added is https://127.0.0.1:8082/index.html.

Name Description

URI: The URI of XProtect Web Client in the format https://[mobile server]:[port]/index.html.

The redirect URIs are not case sensitive.

Add, Edit, Remove: Register and maintain redirect URIs.

When you remove URIs, you must keep at least one redirect URI for the system to work.
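
The callback path format and the exact-match rule for web client redirect URIs described above can be checked before rollout with a small script. This is an added example, not part of the manual or of Milestone's software; the host names are constructed, the function names are hypothetical, and it assumes the leading "/" of the callback path is not doubled after "/idp/".

```python
from urllib.parse import urlsplit

DEFAULT_CALLBACK_PATH = "/signin-oidc"  # default value given in the manual
WEB_CLIENT_SUFFIX = "/index.html"


def _with_idp(base, callback_path):
    # Assumption: exactly one "/" separates the base, "idp" and the callback path.
    return f"{base.rstrip('/')}/idp/{callback_path.strip('/')}"


def desktop_redirect_uri(scheme, management_server, callback_path=DEFAULT_CALLBACK_PATH):
    """Smart Client / Management Client:
    [schema]://[management server address]/idp/[callback path]"""
    return _with_idp(f"{scheme}://{management_server}", callback_path)


def web_redirect_uri(web_client_uri, callback_path=DEFAULT_CALLBACK_PATH):
    """Web Client / Mobile client:
    [redirect URI without "/index.html"]/idp/[callback path]"""
    if not web_client_uri.lower().endswith(WEB_CLIENT_SUFFIX):
        raise ValueError(f"expected a URI ending in {WEB_CLIENT_SUFFIX}: {web_client_uri!r}")
    return _with_idp(web_client_uri[: -len(WEB_CLIENT_SUFFIX)], callback_path)


def idp_segment_is_lowercase(redirect_uri):
    """The "idp" path segment is case sensitive and must be lowercase."""
    return "idp" in urlsplit(redirect_uri).path.split("/")


def explain_web_login(opened_url, registered_uris):
    """Return (ok, reason) for a web client opened at opened_url.

    The registered redirect URI must match the address the client was opened
    from exactly; per the manual the comparison is not case sensitive.
    """
    for uri in registered_uris:
        if uri.casefold() == opened_url.casefold():
            return True, f"matches registered URI {uri}"
    opened = urlsplit(opened_url)
    for uri in registered_uris:
        reg = urlsplit(uri)
        same_rest = (opened.scheme, opened.port, opened.path.lower()) == (
            reg.scheme, reg.port, reg.path.lower())
        if same_rest and opened.hostname != reg.hostname:
            # The localhost versus 127.0.0.1 case from the manual lands here.
            return False, f"host differs: opened {opened.hostname}, registered {reg.hostname}"
    return False, "no registered redirect URI matches"


if __name__ == "__main__":
    # Constructed values for illustration only.
    print(desktop_redirect_uri("https", "vms.example.test"))
    print(web_redirect_uri("https://localhost:8082/index.html"))
    print(idp_segment_is_lowercase("https://vms.example.test/IDP/signin-oidc"))
    print(explain_web_login("https://localhost:8082/index.html",
                            ["https://127.0.0.1:8082/index.html"]))
```
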

Customer Dashboard tab (options)


On the Customer Dashboard tab, you can enable or disable Milestone Customer Dashboard.

Customer Dashboard is an online monitoring service that provides a graphical overview of the current status
of your system, including possible technical issues such as camera failures, to system administrators or other
people that have been given access to information about your system installation.

You can select or clear the check box to change your Customer Dashboard settings at any time.

Evidence Lock tab (options)

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

On the Evidence Lock tab, you define and edit evidence lock profiles and the duration your client users can
select to keep the data protected.

Name Description

Evidence lock profiles: A list with defined evidence lock profiles.

You can add and remove existing evidence lock profiles. You cannot remove the default evidence lock profile, but you can change its time options and its name.

Lock time options: The duration the client users can select to lock evidence.

Available time options are hour(s), day(s), week(s), month(s), year(s), indefinite or user-defined.

To specify the evidence lock access permissions of a role, see the Device tab (roles) on page 523 for role
settings.

Audio messages tab (options)


On the Audio messages tab, you can upload files with audio messages that are used for broadcasting
messages, triggered by rules.

The maximum number of uploaded files is 50 and the maximum size allowed for each file is 1 MB.

Name Description

Name: Provides the name of a message. You enter the name when you add a message. To upload a message to the system, click Add.

Description: Provides a description of the message.

You enter the description when you add a message. You can use the description field to describe the purpose or the actual message.

Add: Lets you upload audio messages to the system.

Supported formats are standard Windows audio file formats:

- .wav
- .wma
- .flac

Edit: Lets you modify the name and description, or you can replace the actual file.

Remove: Delete the audio message from the list.

Play: Click this button to listen to the audio message from the computer that runs the Management Client.

To create a rule that triggers playback of audio messages, see Add a rule.

To learn more about actions in general that you can use in rules, see Actions and stop actions.


Privacy settings tab


On the Privacy settings tab, you can enable or disable usage data collection in XProtect Mobile Server,
XProtect Mobile client, XProtect Web Client and XProtect Smart Client. Then, click OK.

By enabling usage data collection, you consent to Milestone Systems's use of technology
by Google as a third-party provider, with which data processing in the USA cannot be
excluded. For more information about data protection and the usage data collection, see
the GDPR privacy guide.

Access Control Settings tab (options)

The use of XProtect Access requires that you have purchased a base license that allows
you to access this feature.

Name Description

Show development property panel: If selected, additional developer information appears for Access Control > General Settings.

This setting is only meant to be used by developers of access control system integrations.

Analytics Events tab (options)


On the Analytics Events tab, you can enable and specify the analytics events feature.

Name Description

Enable: Specify if you want to use analytics events. As default, the feature is disabled.

Port: Specify the port used by this feature. The default port is 9090.

Make sure that relevant VCA tool providers also use this port number. If you change the port number, remember to change the port number of the providers.

All network addresses or Specified network addresses: Specify if events from all IP addresses/hostnames are allowed, or only events from IP addresses/hostnames that are specified in the Address list (see below).

Address list: Specify a list of trusted IP addresses/hostnames. The list filters incoming data so that only events from certain IP addresses/hostnames are allowed. You can use both Domain Name System (DNS), IPv4 and IPv6 address formats.

You can add addresses to your list by manually entering each IP address or host name, or by importing an external list of addresses.

- Manual entering: Enter the IP address/hostname in the address list. Repeat for each required address
- Import: Click Import to browse for the external list of addresses. The external list must be a .txt file and each IP address or host name must be on a separate line
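
Because the imported address list decides which senders may submit analytics events, it is worth reviewing the .txt file before importing it. The following is an added example, not part of the manual or of Milestone's software: it checks that each line holds exactly one IPv4 address, IPv6 address or host name, and reports duplicates and entries that do not identify a single sender. The sample entries are constructed and the function names are hypothetical.

```python
import ipaddress
import re

# One DNS label: letters, digits and hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def classify(entry):
    """Return 'ipv4', 'ipv6', 'hostname', or None if the entry is none of these."""
    try:
        return f"ipv{ipaddress.ip_address(entry).version}"
    except ValueError:
        pass
    name = entry[:-1] if entry.endswith(".") else entry
    labels = name.split(".")
    # An all-numeric last label means a malformed IPv4 address, not a host name.
    if (0 < len(name) <= 253
            and all(_LABEL.fullmatch(label) for label in labels)
            and not labels[-1].isdigit()):
        return "hostname"
    return None


def review_address_list(text):
    """Return (accepted, problems) for the content of an address list file.

    accepted: list of (entry, kind); problems: list of (line number, entry, reason).
    """
    accepted, problems, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        kind = classify(entry)
        if kind is None:
            problems.append((lineno, entry, "not a single IP address or host name"))
            continue
        if kind == "hostname":
            key = entry.rstrip(".").lower()
        else:
            ip = ipaddress.ip_address(entry)
            if ip.is_unspecified:
                problems.append((lineno, entry, "unspecified address does not identify a sender"))
                continue
            key = str(ip)  # normalises IPv6 spelling so duplicates are caught
        if key in seen:
            problems.append((lineno, entry, "duplicate of an earlier entry"))
            continue
        seen.add(key)
        accepted.append((entry, kind))
    return accepted, problems


# Constructed sample file content (documentation address ranges only).
SAMPLE_LIST = """\
192.0.2.10
2001:db8::15
2001:0db8:0000:0000:0000:0000:0000:0015
vca-gateway.example.test
192.0.2.0/24
192.0.2.20, 192.0.2.21
0.0.0.0
"""

if __name__ == "__main__":
    ok, bad = review_address_list(SAMPLE_LIST)
    for entry, kind in ok:
        print(f"accept  {kind:8} {entry}")
    for lineno, entry, reason in bad:
        print(f"line {lineno}: {entry!r}: {reason}")
```
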

Alarms and Events tab (options)


On the Alarms and Events tab, you can specify settings for alarms, events and logs. Related to these settings,
see also Limit size of database on page 123.

Name Description

Keep closed alarms for: Specify the number of days for storing alarms with the state Closed in the database. If you set the value to 0, the alarm is deleted after it has been closed.

Alarms always have timestamps. If the alarm is triggered by a camera, the timestamp has an image from the time of the alarm. The alarm information itself is stored on the event server, while the video recordings corresponding to the attached image are stored on the relevant surveillance system server.

To be able to see the images of your alarms, keep video recordings for at least as long as you intend to keep alarms on the event server.

Keep all other alarms for: Specify the number of days for storing alarms with the state New, In progress, or On hold. If you set the value to 0, the alarm appears in the system, but will not be stored.

Alarms always have timestamps. If the alarm is triggered by a camera, the timestamp has an image from the time of the alarm. The alarm information itself is stored on the event server, while the video recordings corresponding to the attached image are stored on the relevant surveillance system server.

To be able to see the images of your alarms, keep video recordings for at least as long as you intend to keep alarms on the event server.

Keep logs for: Specify the number of days for keeping the event server logs. If you keep the logs for longer periods of time, ensure that the machine where the event server is installed has enough disk space.

Enable verbose logging: To keep a more detailed log for event server communication, select the check box. It will be stored for the number of days specified in the Keep logs for field.

Event types: Specify the number of days for storing events in the database. There are two ways of doing this:

- You can specify the retention time for an entire event group. Event types with the value Follow group will inherit the value of the event group
- Even if you set a value for an event group, you can specify the retention time for individual event types.

If the value is 0, the events will not be stored in the database.

The external events (user-defined events, generic events, and input events) are set to 0 by default, and you cannot change that value. The reason is that these types of events occur so frequently that storing them in the database may cause performance issues.

Generic Events tab (options)


On the Generic Events tab, you can specify generic events and data source related settings.

For more information about how to configure actual generic events, see Generic events (explained).

Name Description

Data source: You can choose between two default data sources and define a custom data source. What to choose depends on your third party program and/or the hard- or software you want to interface from:

- Compatible: Factory default settings are enabled, echoes all bytes, TCP and UDP, IPv4 only, port 1234, no separator, local host only, current code page encoding (ANSI).
- International: Factory default settings are enabled, echoes statistics only, TCP only, IPv4+6, port 1235, <CR><LF> as separator, local host only, UTF-8 encoding. (<CR><LF> = 13,10).
- [Data source A]
- [Data source B]
- and so on.

New: Click to define a new data source.

Name: Name of the data source.

Enabled: Data sources are by default enabled. Clear the check box to disable the data source.

Reset: Click to reset all settings for the selected data source. The entered name in the Name field remains.

Port: The port number of the data source.

Protocol type selector: Protocols which the system should listen for, and analyze, in order to detect generic events:

- Any: TCP as well as UDP.
- TCP: TCP only.
- UDP: UDP only.

TCP and UDP packages used for generic events may contain special characters, such as @, #, +, ~, and more.

IP type selector: Selectable IP address types: IPv4, IPv6 or both.

Separator bytes: Select the separator bytes used to separate individual generic event records. Default for data source type International (see Data sources earlier) is 13,10. (13,10 = <CR><LF>).

Echo type selector: Available echo return formats:

- Echo statistics: Echoes the following format: [X],[Y],[Z],[Name of generic event]
  [X] = request number.
  [Y] = number of characters.
  [Z] = number of matches with a generic event.
  [Name of generic event] = name entered in the Name field.
- Echo all bytes: Echoes all bytes
- No echo: Suppresses all echoing

Encoding type selector: By default, the list only shows the most relevant options. Select the Show all check box to display all available encodings.

Allowed external IPv4 addresses: Specify the IP addresses that the management server must be able to communicate with in order to manage external events. You can also use this to exclude IP addresses that you do not want data from.

Allowed external IPv6 addresses: Specify the IP addresses that the management server must be able to communicate with in order to manage external events. You can also use this to exclude IP addresses that you do not want data from.
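
The separator bytes and the echo statistics format described in the table can be exercised offline when checking what a data source would treat as one record. This is an added example, not part of the manual or of Milestone's software: it turns a separator setting such as 13,10 into bytes, splits incoming TCP chunks into records even when the separator is split across two reads, and parses an echo statistics line. The chunks, event names and function names are constructed, and the example assumes the echo line is sent without the square brackets.

```python
def separator_from_setting(setting):
    """Convert a separator setting such as '13,10' into bytes (b'\\r\\n')."""
    values = [int(v) for v in setting.split(",") if v.strip()]
    if not values or any(not 0 <= v <= 255 for v in values):
        raise ValueError(f"separator must be a list of byte values 0-255: {setting!r}")
    return bytes(values)


class RecordFramer:
    """Splits a byte stream into generic event records at the separator bytes."""

    def __init__(self, separator, encoding="utf-8"):
        if not separator:
            raise ValueError("this example only covers data sources with a separator")
        self.separator = separator
        self.encoding = encoding  # UTF-8 is the International data source default
        self.pending = b""        # bytes received after the last complete record

    def feed(self, chunk):
        """Add one received chunk and return the records it completed."""
        *complete, self.pending = (self.pending + chunk).split(self.separator)
        return [r.decode(self.encoding, errors="replace") for r in complete if r]


def parse_echo_statistics(line):
    """Parse 'X,Y,Z,Name': request number, characters, matches, event name.

    Assumption: the name is the last field, so it may itself contain commas,
    and it may be missing when nothing matched.
    """
    parts = line.strip().split(",", 3)
    if len(parts) < 3:
        raise ValueError(f"not an echo statistics line: {line!r}")
    request, characters, matches = (int(p) for p in parts[:3])
    return {
        "request": request,
        "characters": characters,
        "matches": matches,
        "event": parts[3] if len(parts) == 4 else "",
    }


# Constructed chunks: the <CR><LF> separator of the second record is split
# across two reads, and the last record is still incomplete.
SAMPLE_CHUNKS = [b"door forced;zone=3\r\nbadge ", b"denied\r", b"\nincompl"]


def replay(chunks, separator_setting="13,10"):
    """Feed chunks through a framer; return (records, bytes still pending)."""
    framer = RecordFramer(separator_from_setting(separator_setting))
    records = []
    for chunk in chunks:
        records.extend(framer.feed(chunk))
    return records, framer.pending


if __name__ == "__main__":
    print(replay(SAMPLE_CHUNKS))
    print(parse_echo_statistics("7,18,1,Door forced"))
```
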

Component menus

Management Client menus

File menu

You can save changes to the configuration and exit the application. You can also back up your configuration,
see Backing up and restoring your system configuration (explained) on page 313.

Edit menu

You can undo changes.

View menu

Name Description

Reset Application Layout: Reset the layout of the different panes in the Management Client to their default settings.

Preview Window: Toggle the Preview pane on and off when working with recording servers and devices.

Show Recording Streams: By default, the information shown with preview images in the Preview pane concerns live streams of the cameras. If you want information about recording streams instead, select Show Recording Streams.

Federated Site Hierarchy: By default, the Federated Site Hierarchy pane is enabled.

Site Navigation: By default, the Site Navigation pane is enabled.

Action menu

The content of the Action menu differs depending on the element you have selected in the Site Navigation
pane. The actions you can choose from are the same as when you right-click the element.

Name Description

Refresh: Is always available and reloads the requested information from the management server.

Tools menu

Name Description

Registered Services: Manage registered services.

See Managing registered services on page 340.

Effective Roles: View all roles of a selected user or group.

Options: Opens the Options dialog box, which lets you define and edit global system settings. For more information see System settings (Options dialog box) on page 365.

Help menu

You can access the help system and information about the version of the Management Client.

Server Configurator (Utility)

Encryption tab properties

This tab allows you to specify the following properties:

In a cluster environment, you must set up your cluster and ensure that it is running
before you create certificates for all the computers in the cluster environment. After that
you can install the certificates and do the registration using the Server Configurator for
all the nodes in the cluster. For more information, see the certificates guide about how
to secure your XProtect VMS installations.

Name Description Task

Server certificate: Select the certificate to be used to encrypt the two-way connection between the management server, data collectors, and recording servers.

Task: Enable encryption to and from the management server. Enable server encryption for recording servers or remote servers

Event server and add-ons: Select the certificate to be used to encrypt the two-way connection between the event server and the components that communicate with the event server, including the LPR Server.

Task: Enable event server encryption on page 288

Streaming media certificate: Select the certificate to be used to encrypt communication between the recording servers and all clients, servers, and integrations that retrieve data streams from the recording servers.

Task: Enable encryption to clients and servers

Mobile streaming media certificate: Select the certificate to be used to encrypt communication between the mobile server and the mobile and web clients that retrieve data streams from the mobile server.

Task: Enable encryption on the mobile server

Registering servers

Name Description Task

Management server address: The address of the management server typically includes the hostname or the fully qualified domain name (FQDN) of the computer.

By default, this address is only active from a computer in the XProtect VMS where the management server is not installed.

As a rule of thumb, the management server address should not be changed from a computer that has the management server installed.

However, if, for example, you use the Server Configurator in a failover setup, you might have to change the address from the management server computer. This could be within a cluster failover environment or in another failover setup scenario.

- To activate the Management server address field from a computer with the management server installed, click the pen symbol.

If you update the management server address, you need to access each of the computers that have components installed and update the management server address with the new address information.

Task: Click for more information about the implications of changing the management server address from a computer that has the management server installed: Changing the host name of the management server computer

Register: Register the servers that are running on the computer with the designated management server.

Task: Register a recording server

Language selection

Use this tab to select the language for the Server Configurator. The set of languages for the Server
Configurator corresponds to the set of languages for the Management Client.

Name Description

Choose language: Choose the language of the user interface.

If you work in a failover cluster environment, it is recommended that you pause the
cluster before you start tasks in the Server Configurator. This is because the Server
Configurator may need to stop services while applying changes and the failover cluster
environment may interfere with this operation.

Tray icon status


The tray icons in the table show the different states of the services running on the servers in the XProtect VMS.
The icons are available on computers with the servers installed:

Table columns: Management Server Manager tray icon, Recording Server Manager tray icon, Event Server Manager tray icon, Failover Recording Server Manager tray icon, Description

Running: Appears when a server service is enabled and started.

If the Failover Recording Server service is running, it can take over if the standard recording server fails.

Stopped: Appears when a server service has stopped.

If the Failover Recording Server service stops, it cannot take over if the standard recording server fails.

Starting: Appears when a server service is in the process of starting. Under normal circumstances, the tray icon changes after a short while to Running.

Stopping: Appears when a server service is in the process of stopping. Under normal circumstances, the tray icon changes after a short while to Stopped.

In indeterminate state: Appears when the server service is initially loaded and until the first information is received, upon which the tray icon, under normal circumstances, changes to Starting and afterwards to Running.

Running offline: Typically appears when the Recording Server or Failover recording service is running but the Management Server service is not.

Starting and stopping services from tray icons


Right-click the icons in the notification area to open the tray icons where you can start and stop services.

- Start or stop the Management Server service
- Start or stop the Recording Server service

Management Server Manager (tray icon)


Use the menu items on the Management Server Manager tray icon to perform tasks from the Management
Server Manager.

Name Description

Start Management Server and Stop Management Server: Click the appropriate menu item to start or to stop the Management Server service. If you stop the Management Server service, you cannot use the Management Client.

The state of the service is reflected by the tray icon. For more information about the states of the tray icons, see Server manager tray icons (explained).

Show status messages: View a list of time-stamped status messages.

Change system configuration password settings: Assign or change a system configuration password. You can also choose not to password protect the system configuration by removing any assigned system configuration passwords.

See Change the system configuration password settings.

Enter the system configuration password: Enter a password. This applies if, for example, the file that is holding the password settings is deleted or corrupted. For more information, see Enter the system configuration password settings.

Configure failover management server: Launch the configuration wizard for the failover management server or open the Manage your configuration page to manage your existing configuration. For more information about the failover cluster, see XProtect Management Server Failover on page 36.

Server Configurator: Open the Server Configurator to register servers and manage encryption. For more information about managing encryption, see Manage encryption with the Server Configurator.

Change license: On the management server computer, change the software license code. You would need to enter a new license code to, for example, upgrade your XProtect system. For more information, see Change the Software License Code.

Restore configuration: Open a dialog box from where you can restore the system configuration. Make sure you read the information in the dialog box before you click Restore. For more information, see Restore system configuration from a manual backup.

Select shared backup folder: Set a backup folder to store your backup in, before you back up any system configuration. For more information, see Select shared backup folder.

Update SQL address: Open a wizard to change the address of the SQL Server. In the rare event of a host name change, the SQL Server address might need to be aligned with the changes. For more information, see A host name change can trigger the change of the SQL server address.

Basics node

License Information (Basics node)


In the License Information window, you can keep track of all licenses that share the same software license file,
both on this site and on all other sites, and of your Milestone Care subscriptions, and decide how you want to
activate your licenses.

To learn more about the various information and features available from the License Information window, see
License Information window on page 118.

Site Information (Basics node)


In a large Milestone Federated Architecture setup with a lot of child sites, it is easy to lose the overview and it
can be difficult to find the contact information to the administrators of each child site.

Therefore, you can add additional information to each child site and this information is then available for the
administrators on the central site.

It is possible to add the following information:

• Site name

• Address/location

• Administrator(s)

• Additional information

Remote Connect Services node

Axis One-click Camera Connection (Remote Connect Services node)


These are the Axis One-Click Camera connection properties.

Name Description

Camera password Enter/edit. Provided with your camera at purchase. For further details, see your
camera's manual or go to the Axis website (https://www.axis.com/).

Camera user See details for Camera password.

Description Enter/edit a description for the camera.

External address Enter/edit the web address of the ST server to which the camera(s) connect.

Internal address Enter/edit the web address of the ST server to which the recording server connects.

Name If needed, edit the name of the item.

Owner authentication key See Camera password.

Passwords (for Dispatch Server) Enter password. Must be identical to the one received from your
system provider.

Passwords (for ST server) Enter password. Must be identical to the one entered when the Axis
One-Click Connection Component was installed.

Register/Unregister at the Axis Dispatch Service Indicate whether you wish to register your Axis
camera with the Axis dispatch service. Can be done at time of setup or later.

Serial number Hardware serial number as specified by the manufacturer. The serial number is often,
but not always, identical to the MAC address.

Use credentials Select the check box if you decided to use credentials during the installation of the
ST server.

User name (for Dispatch Server) Enter a user name. The user name must be identical to the one
received from your system provider.

User name (for ST server) Enter user name. Must be identical to the one entered when the Axis
One-Click Connection Component was installed.

Servers node

Servers (node)
This section describes how to install and configure recording servers and failover recording servers. You also
learn how to add new hardware to the system and interconnect other sites.

• Recording Servers (Servers node)

• Failover Servers (Servers node)

Recording Servers (Servers node)


The system uses recording servers for recording of video feeds, and for communicating with cameras and
other devices. A surveillance system typically consists of several recording servers.

Recording servers are computers where you have installed the Recording Server software, and configured it to
communicate with the management server. You can see your recording servers in the Overview pane when
you expand the Servers folder and then select Recording Servers.

Backward compatibility with recording server versions older than this version of the management server is
limited. You can still access recordings on recording servers with older versions, but if you want to change their
configuration, make sure they match this version of the management server. Milestone recommends that you
upgrade all recording servers in your system to the same version as your management server.

Recording Server Settings window

When you right-click the Recording Server Manager tray icon and select Change settings, you can specify the
following:

Name Description

Address IP address (example: 123.123.123.123) or host name (example: ourserver) of the management
server to which the recording server should be connected. This information is necessary so that the
recording server can communicate with the management server.

Port Port number to be used when communicating with the management server. Default is port 9000.
You can change this if you need to.

Web server port Port number to be used for handling web server requests, for example for handling
PTZ camera control commands and for browse and live requests from XProtect Smart Client. Default is
port 7563. You can change this if you need to.

Alert server port Port number to be used when the recording server listens for TCP information (some
devices use TCP for sending event messages). Default is port 5432 (disabled by default). You can
change this if you need to.

SMTP server port Port number to be used when the recording server listens for Simple Mail Transfer
Protocol (SMTP) information. SMTP is a standard for sending email messages between servers. Some
devices use SMTP for sending event messages or images to the surveillance system server via email.
Default is port 25, which you can enable and disable. You can change the port number if you need to.

Encrypt connections from the management server to the recording server Before you enable
encryption and select a server authentication certificate from the list, make sure that you enable
encryption on the management server first and that the management server certificate is trusted on
the recording server.

For more information, see Secure communication (explained) on page 138.

Encrypt connections to clients and services that stream data Before you enable encryption and select
a server authentication certificate from the list, make sure that the certificate is trusted on all
computers running services that retrieve data streams from the recording server.

XProtect Smart Client and all services that retrieve data streams from the recording server must be
upgraded to version 2019 R1 or later. Some third-party solutions created using MIP SDK versions older
than 2019 R1 may need to be updated.

For more information, see Secure communication (explained) on page 138.

To verify that your recording server uses encryption, see View encryption status to clients on
page 276.

Details View Windows Certificate Store information about the selected certificate.
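
To check that a recording server exposes only the listeners its settings call for, the following added example (not part of the Milestone manual or product) compares `netstat -ano` output with the default ports listed in the table above. The sample output, the function names, and the `service_pid` and `enabled` parameters are assumptions made for the illustration.

```python
import re

# Listener ports and roles named in the Recording Server Settings table.
# Port 9000 is the port used to reach the management server, so it is not
# audited as a local listener here.
DEFAULT_LISTENERS = {7563: "web server", 5432: "alert server", 25: "SMTP server"}

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       4120
  TCP    0.0.0.0:7563           0.0.0.0:0              LISTENING       4120
  TCP    10.0.0.15:49712        10.0.0.5:9000          ESTABLISHED     4120
  TCP    [::]:7563              [::]:0                 LISTENING       4120
  TCP    127.0.0.1:5432         0.0.0.0:0              LISTENING       2288
"""

# Matches TCP listener rows only; the greedy address group also handles "[::]".
LISTEN_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def listening_ports(netstat_text):
    """Return {port: {(local_address, pid), ...}} for every TCP listener."""
    found = {}
    for line in netstat_text.splitlines():
        match = LISTEN_LINE.match(line)
        if match:
            address, port, pid = match.group(1), int(match.group(2)), int(match.group(3))
            found.setdefault(port, set()).add((address, pid))
    return found


def audit(netstat_text, service_pid, enabled=frozenset({7563})):
    """Compare listeners with the intended settings.

    service_pid: PID of the recording server process (assumed to be known).
    enabled: ports the administrator has turned on in the settings window.
    Returns a sorted list of (port, finding) tuples; empty means no mismatch.
    """
    findings = []
    seen = listening_ports(netstat_text)
    for port, role in DEFAULT_LISTENERS.items():
        owners = seen.get(port, set())
        ours = {address for address, pid in owners if pid == service_pid}
        others = {pid for _, pid in owners if pid != service_pid}
        if port in enabled and not ours:
            findings.append((port, f"{role} port is enabled but not listening"))
        if port not in enabled and ours:
            findings.append((port, f"{role} port is listening but not enabled"))
        if others:
            # 5432 is also the PostgreSQL default, so a collision is plausible.
            findings.append((port, f"{role} port is held by other PID(s) {sorted(others)}"))
    return sorted(findings)


if __name__ == "__main__":
    for port, finding in audit(SAMPLE_NETSTAT, service_pid=4120):
        print(port, finding)
```
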

Recording servers properties

Info tab (recording server)

On the Info tab, you can verify or edit the name and description of the recording server.

You can view the host name and addresses. The padlock icon in front of the web server address indicates
encrypted communication with the clients and services that retrieve data streams from this recording server.

Name Description

Name You can choose to enter a name for the recording server. The name is used in the system and
clients when the recording server is listed. The name does not have to be unique.

When you rename a recording server, the name is changed globally in the Management Client.

Description You can choose to enter a description that appears in a number of listings within the
system. A description is not mandatory.

Host name Displays the recording server's host name.

Local web server address Displays the local address of the recording server's web server. You use
the local address, for example, for handling PTZ camera control commands, and for handling browsing
and live requests from XProtect Smart Client.

The address includes the port number that is used for web server communication (typically port 7563).

If you enable encryption to clients and servers that retrieve data streams from the recording server,
a padlock icon appears, and the address includes https instead of http.

Web server address Displays the public address of the recording server's web server over the
internet.

If your installation uses a firewall or NAT router, enter the address of the firewall or NAT router
so that clients that access the surveillance system on the internet can connect to the recording
server.

You specify the public address and port number on the Network tab.

If you enable encryption to clients and servers that retrieve data streams from the recording server,
a padlock icon appears, and the address includes https instead of http.

Time zone Displays the time zone that the recording server is located in.

Storage tab (recording server)

On the Storage tab, you can set up, manage and view storages for a selected recording server.

For recording storages and archives, the horizontal bar shows the current amount of free space. You can
specify the behavior of the recording server in case recording storages become unavailable. This is mostly
relevant if your system includes failover servers.

If you are using Evidence lock, there will be a vertical red line showing the space used for evidence locked
footage.

Storage and Recording Settings properties

Available functionality depends on the system you are using. See the complete feature list, which is available
on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

In the Storage and Recording Settings dialog box, specify the following:

Name Description

Name Rename the storage if needed. Names must be unique.

Path Specify the path to the directory to which you save recordings in this storage. The storage does
not necessarily have to be located on the recording server computer.

If the directory does not exist, you can create it. Network drives must be specified by using UNC
(Universal Naming Convention) format, example: \\server\volume\directory\.

Retention time Specify for how long recordings should stay in the archive before they are deleted or
moved to the next archive (depending on archive settings).

The retention time must always be longer than the retention time of the previous archive or the
default recording database. This is because the number of retention days specified for an archive
includes all the retention periods stated earlier in the process.

Maximum size Select the maximum number of gigabytes of recording data to save in the recording
database.

Recording data in excess of the specified number of gigabytes is auto-moved to the first archive in
the list - if any is specified - or deleted.

When less than 5GB of space is free, the system always auto-archives (or deletes if no next archive
is defined) the oldest data in a database. If less than 1GB space is free, data is deleted. A
database always requires 250MB of free space. If you reach this limit (if data is not deleted fast
enough), no more data is written to the database until you have freed enough space. The actual
maximum size of your database is the amount of gigabytes you specify, minus 5GB.

Signing Enables a digital signature to the recordings. This means, for example, that the system
confirms that exported video has not been modified or tampered with when played back.

The system uses the SHA-2 algorithm for digital signing.

Encryption Select the encryption level of the recordings:

• None

• Light (less CPU usage)

• Strong (more CPU usage)

The system uses the AES-256 algorithm for encryption.

If you select Light, a part of the recording is encrypted. If you select Strong, the whole recording
is encrypted.

If you choose to enable encryption, you must also specify a password below.

Password Enter a password for the users allowed to view encrypted data.

Milestone recommends that you use strong passwords. Strong passwords do not contain words that can
be found in a dictionary or are part of the user's name. They include eight or more alpha-numeric
characters, upper and lower cases, and special characters.

Archive Settings properties

In the Archive Settings dialog box, specify the following:

Name Description

Name Rename the storage if needed. Names must be unique.

Path Specify the path to the directory to which you save recordings in this storage. The storage does
not necessarily have to be located on the recording server computer.

If the directory does not exist, you can create it. Network drives must be specified by using UNC
(Universal Naming Convention) format, example: \\server\volume\directory\.

Retention time Specify for how long recordings should stay in the archive before they are deleted or
moved to the next archive (depending on archive settings).

The retention time must always be longer than the retention time of the previous archive or the
default recording database. This is because the number of retention days specified for an archive
includes all the retention periods stated earlier in the process.

Maximum size Select the maximum number of gigabytes of recording data to save in the recording
database.

Recording data in excess of the specified number of gigabytes is auto-moved to the first archive in
the list - if any is specified - or deleted.

When less than 5GB of space is free, the system always auto-archives (or deletes if no next archive
is defined) the oldest data in a database. If less than 1GB space is free, data is deleted. A
database always requires 250MB of free space. If you reach this limit (if data is not deleted fast
enough), no more data is written to the database until you have freed enough space. The actual
maximum size of your database is the amount of gigabytes you specify, minus 5GB.

Schedule Specify an archiving schedule that outlines the intervals with which the archiving process
should start. You can archive very frequently (in principle every hour all year round), or very
infrequently (for example, every first Monday of every 36 months).

Reduce frame rate To reduce FPS when archiving, select the Reduce frame rate check box and set a
frame rate in frames per second (FPS).

Reduction of frame rates by a selected number of FPS makes your recordings take up less space in the
archive, but it also reduces the quality of your archive.

MPEG-4/H.264/H.265 reduces automatically to key-frames as a minimum.

0.1 = 1 frame per 10 seconds.

Failover tab (recording server)

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

If your organization uses failover recording servers, use the Failover tab to assign failover servers to recording
servers, see Failover tab properties.

For details on failover recording servers, installation and settings, failover groups and their settings, see
Failover recording server (explained) on page 37.

Failover tab properties

Name Description

None Select a setup without failover recording servers.

Primary failover server group / Secondary failover server group Select a regular failover setup with
one primary and possibly one secondary failover server group.

Hot standby server Select a hot standby setup with one dedicated recording server as hot standby
server.

Advanced failover settings Opens the Advanced Failover Settings window:

• Full Support: Enables full failover support for the device

• Live Only: Enables only failover support for live streams on the device

• Disabled: Disables failover support for the device

Failover service communication port (TCP) By default, the port number is 11000. You use this port
for communication between recording servers and failover recording servers. If you change the port,
the recording server must be running and must be connected to the management server.

Multicast tab (recording server)

Your system supports multicasting of live streams from recording servers. If multiple XProtect Smart Client
users want to view live video from the same camera, multicasting helps save considerable system resources.
Multicasting is particularly useful if you use the Matrix functionality, where multiple clients require live video
from the same camera.

Multicasting is only possible for live streams, not for recorded video/audio.

If a recording server has more than one network interface card, it is only possible to use
multicast on one of them. Through the Management Client you can specify which one to use.

If you are using failover servers, remember to also specify the IP address of the network
interface card on the failover servers (see Multicast tab (failover server) on page 410).

The successful implementation of multicasting also requires that you have set up your
network equipment to relay multicast data packets to the required group of recipients
only. If not, multicasting may not be different from broadcasting, which can significantly
slow down network communication.

Assign IP address range

Specify the range you want to assign as addresses for multicast streams from the selected recording server.
The clients connect to these addresses when the users view multicast video from the recording server.

For each multicast camera feed, the IP address and port combination must be unique (IPv4 example:
232.0.1.0:6000). You can either use one IP address and many ports, or many IP addresses and fewer ports. By
default, the system suggests a single IP address and a range of 1000 ports, but you can change this as
required.

IP addresses for multicasting must be within the range defined for dynamic host allocation by IANA. IANA is
the authority overseeing global IP address allocation.

Name Description

IP address In the Start field, specify the first IP address in the required range. Then specify the
last IP address in the range in the End field.

Port In the Start field, specify the first port number in the required range. Then specify the last
port number in the range in the End field.

Source IP address for all multicast streams You can only multicast on one network interface card, so
this field is relevant if your recording server has more than one network interface card or if it has
a network interface card with more than one IP address.

To use the recording server's default interface, leave the value 0.0.0.0 (IPv4) or :: (IPv6) in the
field. If you want to use another network interface card, or a different IP address on the same
network interface card, specify the IP address of the required interface.

• IPv4: 224.0.0.0 to 239.255.255.255.

• IPv6, the range is described on the IANA website (https://www.iana.org/).

Specify datagram options

Specify the settings for data packets (datagrams) transmitted through multicasting.

Name Description

MTU Maximum Transmission Unit, the largest allowed physical data packet size (measured in bytes).
Messages larger than the specified MTU are split into smaller packets before they are sent. The
default value is 1500, which is also the default on most Windows computers and Ethernet networks.

TTL Time To Live, the largest allowed number of hops a data packet should be able to travel before it
is discarded or returned. A hop is a point between two network devices, typically a router. Default
value is 128.
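
The address, port and datagram settings above can be checked together before they are entered. The following added example is not part of the Milestone manual or product. It validates a multicast plan against the IPv4/IPv6 multicast range, counts the unique IP:port combinations available for camera feeds, and flags TTL and MTU values that exceed what the site intends. The function names, the `max_hops` and `link_mtu` parameters, and the assignment order are assumptions, and the check for 224.0.0.0/24 (the Local Network Control Block of RFC 5771) goes beyond what the page states.

```python
import ipaddress

# Local Network Control Block: link-local protocol traffic that routers do not
# forward (RFC 5771), so it is unsuitable for camera streams.
LOCAL_CONTROL = ipaddress.ip_network("224.0.0.0/24")


def check_multicast_plan(ip_start, ip_end, port_start, port_end, feeds,
                         ttl=128, mtu=1500, max_hops=128, link_mtu=1500):
    """Return (capacity, problems) for a multicast address/port plan.

    capacity is the number of unique IP:port combinations; problems is a list
    of findings (empty when the plan is consistent). max_hops and link_mtu
    describe the site's own network and are assumptions of this example.
    """
    first = ipaddress.ip_address(ip_start)
    last = ipaddress.ip_address(ip_end)
    if first.version != last.version or int(last) < int(first):
        return 0, ["address range is reversed or mixes IPv4 and IPv6"]
    if not 1 <= port_start <= port_end <= 65535:
        return 0, ["port range is empty or outside 1-65535"]

    problems = []
    # The multicast block is contiguous, so checking both ends covers the range.
    for addr in dict.fromkeys((first, last)):
        if not addr.is_multicast:
            problems.append(f"{addr} is not a multicast address")
    if (first.version == 4
            and int(first) <= int(LOCAL_CONTROL.broadcast_address)
            and int(last) >= int(LOCAL_CONTROL.network_address)):
        problems.append("range overlaps 224.0.0.0/24, which routers do not forward")

    capacity = (int(last) - int(first) + 1) * (port_end - port_start + 1)
    if capacity < feeds:
        problems.append(f"{capacity} IP:port combinations for {feeds} camera feeds")
    if not 1 <= ttl <= 255:
        problems.append("TTL must be between 1 and 255")
    elif ttl > max_hops:
        problems.append(f"TTL {ttl} is higher than the intended hop limit {max_hops}")
    if mtu > link_mtu:
        problems.append(f"MTU {mtu} exceeds the link MTU {link_mtu}")
    return capacity, problems


def assignments(ip_start, ip_end, port_start, port_end, feeds):
    """List one unique "ip:port" per feed, using up the ports of one address
    before moving to the next (illustrative order, not necessarily the VMS's)."""
    cls = type(ipaddress.ip_address(ip_start))
    first, last = int(cls(ip_start)), int(cls(ip_end))
    pairs = ((ip, port)
             for ip in range(first, last + 1)
             for port in range(port_start, port_end + 1))
    result = []
    for ip, port in pairs:
        if len(result) == feeds:
            break
        addr = cls(ip)
        result.append(f"[{addr}]:{port}" if addr.version == 6 else f"{addr}:{port}")
    return result


if __name__ == "__main__":
    # One address and 1000 ports, starting from the page's example 232.0.1.0:6000.
    print(check_multicast_plan("232.0.1.0", "232.0.1.0", 6000, 6999, feeds=250))
    # A plan with too few combinations, a non-forwarded block and a wide TTL.
    print(check_multicast_plan("224.0.0.5", "224.0.0.5", 6000, 6009, feeds=20, max_hops=4))
```
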

Network tab (recording server)

If you need to access the VMS with XProtect Smart Client over a public or untrusted
network, Milestone recommends that you use a secure connection through VPN. This
helps ensure that communication between XProtect Smart Client and the VMS server is
protected.

You define a recording server's public IP address on the Network tab.

Why use a public address?

Clients may connect from the local network as well as from the Internet, and in both cases the surveillance
system must provide suitable addresses so the clients can get access to live and recorded video from the
recording servers:

• When clients connect locally, the surveillance system should reply with local addresses and port
numbers

• When clients connect from the internet, the surveillance system should reply with the recording server's
public address. This is the address of the firewall or NAT (Network Address Translation) router, and
often also a different port number. The address and the port can then be forwarded to the server's local
address and port.

Failover Servers (Servers node)

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

A failover recording server is an extra recording server which takes over from the standard recording server if
this becomes unavailable. You can configure a failover recording server in two modes, as a cold standby
server or as a hot standby server.

You install failover recording servers like standard recording servers (see Install a failover recording server
through Download Manager on page 161). Once you have installed failover recording servers, they are visible
in the Management Client. Milestone recommends that you install all failover recording servers on separate
computers. Make sure that you configure failover recording servers with the correct IP address/host name of
the management server. The user permissions for the user account under which the Failover Server service
runs are provided during the installation process. They are:

• Start/Stop permissions to start or stop the failover recording server

• Read and Write access permissions to read or write the RecorderConfig.xml file

If a certificate is selected for encryption, then the administrator must grant read access permission to the
failover user on the selected certificate private key.

If the failover recording server takes over from a recording server that uses encryption,
Milestone recommends that you also prepare the failover recording server for using
encryption. For more information, see Secure communication (explained) on page 138
and Install a failover recording server through Download Manager on page 161.

You can specify what type of failover support you want on device-level. For each device on a recording server,
select full, live only or no failover support. This helps you prioritize your failover resources and, for example,
only set up failover for video and not for audio, or only have failover on essential cameras, not on less
important ones.

While your system is in failover mode, you cannot replace or move hardware, update the
recording server, or change device configurations such as storage settings or video
stream settings.

Cold standby failover recording servers

In a cold standby failover recording server setup, you group multiple failover recording servers in a failover
group. The entire failover group is dedicated to take over from any of several preselected recording servers, if
one of these becomes unavailable. You can create as many groups as you want (see Group failover recording
servers for cold standby on page 201).

Grouping has a clear benefit: when you later specify which failover recording servers should take over from a
recording server, you select a group of failover recording servers. If the selected group contains more than
one failover recording server, this offers you the security of having more than one failover recording server
ready to take over if a recording server becomes unavailable. You can specify a secondary failover server group
that takes over from the primary group if all the recording servers in the primary group are busy. A failover
recording server can only be a member of one group at a time.

Failover recording servers in a failover group are ordered in a sequence. The sequence determines the order in
which the failover recording servers will take over from a recording server. By default, the sequence reflects
the order in which you have incorporated the failover recording servers in the failover group: first in is first in
the sequence. You can change this if you need to.

Hot standby failover recording servers

In a hot standby failover recording server setup, you dedicate a failover recording server to take over from one
recording server only. Because of this, the system can keep this failover recording server in a "standby" mode,
which means that it is synchronized with the correct/current configuration of the recording server it is
dedicated to and can take over much faster than a cold standby failover recording server. As mentioned, you
assign hot standby servers to one recording server only and cannot group them. You cannot assign failover
servers that are already part of a failover group as hot standby recording servers.

Failover recording server validation

To validate a merge of video data from the failover server to the recording server, you
must make the recording server unavailable by either stopping the recording server
service or shutting down the recording server computer.

Any manual interruption of the network that you can cause by pulling out the network
cable or blocking the network using a test tool is not a valid method.

Info tab properties (failover server)

Specify the following failover recording server properties:

Name Description

Name The name of the failover recording server as it appears in the Management Client, logs and more.

Description An optional field that you can use to describe the failover recording server, for example
which recording server it takes over from.

Host name Displays the failover recording server's host name. You cannot change this.

Local web server address Displays the local address of the failover recording server's web server.
You use the local address, for example, for handling PTZ camera control commands, and for handling
browsing and live requests from XProtect Smart Client.

The address includes the port number that is used for web server communication (typically port 7563).

If the failover recording server takes over from a recording server that uses encryption, you also
need to prepare the failover recording server to use encryption.

If you enable encryption to clients and servers that retrieve data streams from the recording server,
a padlock icon appears, and the address includes https instead of http.

Web server address Displays the public address of the failover recording server's web server on the
internet.

If your installation uses a firewall or NAT router, enter the address of the firewall or NAT router
so that clients that access the surveillance system on the internet can connect to the failover
recording server.

You specify the public address and port number on the Network tab.

If you enable encryption to clients and servers that retrieve data streams from the recording server,
a padlock icon appears, and the address includes https instead of http.

UDP port The port number used for communication between failover recording servers. Default port is
8844.

Database location Specify the path to the database used by the failover recording server for storing
recordings.

You cannot change the database path while the failover recording server is taking over from a
recording server. The system applies the changes when the failover recording server is no longer
taking over from a recording server.

Enable this Clear to disable the failover recording server (selected by default). You must disable
failover server failover recording servers before they can take over from recording servers.

Multicast tab (failover server)

If you are using failover servers, and you have enabled multicasting of live streaming, you must specify the IP
address of the network interface card you are using, on both the recording servers and the failover servers.

For more information about multicasting, see Enable multicasting for the recording server on page 197.

Info tab properties (failover group)

Field Description

Name The name of the failover group as it appears in the Management Client, logs and more.

Description An optional description, for example the server's physical location.

Sequence tab properties (failover group)

Field Description

Specify the failover sequence Use Up and Down to set the wanted sequence of regular failover
recording servers within the group.

Remote server for Milestone Interconnect


Milestone Interconnect™ allows you to integrate a number of smaller, physically fragmented, and remote
XProtect installations with one XProtect Corporate central site. You can install these smaller sites, called
remote sites, on mobile units, for example, boats, busses or trains. This means that such sites do not need to
be permanently connected to a network.

Info tab (remote server)

Name Description

Name The system uses the name whenever the remote server is listed in the system and clients. The
name does not have to be unique.

When you rename a server, the name is changed globally in the Management Client.

Description Enter a description of the remote server (optional).

The description appears in a number of listings within the system. For example, when pausing the
mouse pointer over the hardware name in the Overview pane.

Model Displays the XProtect product installed at the remote site.

Version Displays the version of the remote system.

Software license code The software license code of the remote system.

Driver Identifies the driver that handles the connection to the remote server.

Address The host name or IP address of the hardware.

IE Opens the default home page of the hardware vendor. You can use this page for administration of
the hardware or system.

Remote system ID The unique system ID of the remote site used by XProtect to, for example, manage
licenses.

Settings tab (remote server)

On the Settings tab, you can view the name of the remote system.

Events tab (remote server)

You can add events from the remote system to your central site in order to create rules and thereby respond
immediately to events from the remote system. The number of events depends on the events configured in the
remote system. You cannot delete default events.

If the list appears to be incomplete:

1. Right-click the relevant remote server in the Overview pane and select Update Hardware.

2. The dialog box lists all changes (devices removed, updated and added) in the remote system since you
established or last refreshed the Milestone Interconnect setup. Click Confirm to update your central
site with these changes.

Remote Retrieval tab

On the Remote Retrieval tab, you can handle remote recording retrieval settings for the remote site in a
Milestone Interconnect setup:

Specify the following properties:

Name Description

Retrieve recordings at max Determines the maximum bandwidth in Kbits/s to be used for retrieving
recordings from a remote site. Select the check box to enable limiting retrievals.

Retrieve recordings between Determines that retrieval of recordings from a remote site is limited to
a specific time interval.

Unfinished jobs at the end time continue until completion, so if the end time is critical, you need
to set it earlier to allow for unfinished jobs to complete.

If the system receives an automatic retrieval or request for retrieval from the XProtect Smart Client
outside the time interval, it is accepted, but not started until the selected time interval is
reached.

You can view pending remote recording retrieval jobs initiated by the users from System Dashboard ->
Current Tasks.

Retrieve on devices in parallel Determines the maximum number of devices from which recordings are
retrieved simultaneously. Change the default value if you need more or less capacity depending on
your system's capabilities.

When you change the settings, it may take several minutes until the changes are reflected in the system.

None of the above applies to direct playback of remote recordings.

All cameras set to be played back directly are available for direct playback and use
bandwidth as needed.
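The interaction between the bandwidth limit and the retrieval time interval can be modelled before you choose an end time. The following is an added example, not part of the Milestone manual or product code; it assumes a single job that transfers at exactly the configured limit (1 Kbit = 1000 bits, 1 MB = 10^6 bytes), and all function names are hypothetical.

```python
from datetime import datetime, time, timedelta


def transfer_duration(size_mbytes, max_kbits_per_s):
    """Time needed to move size_mbytes (10^6 bytes) at the configured limit."""
    if max_kbits_per_s <= 0:
        raise ValueError("bandwidth limit must be positive")
    # 1 MB = 8000 Kbits, so seconds = MB * 8000 / (Kbits per second)
    return timedelta(seconds=size_mbytes * 8000 / max_kbits_per_s)


def in_window(moment, start, end):
    """True when a time of day lies inside the retrieval interval."""
    if start <= end:
        return start <= moment < end
    return moment >= start or moment < end      # interval crosses midnight


def window_end_after(started, start, end):
    """Datetime at which the interval containing `started` closes."""
    closes = datetime.combine(started.date(), end)
    if start > end and started.time() >= start:
        closes += timedelta(days=1)             # opened before midnight, closes next day
    return closes


def plan_retrieval(requested, size_mbytes, max_kbits_per_s, start, end):
    """Model one job: deferred start, finish time, and overrun past the end time."""
    if in_window(requested.time(), start, end):
        started = requested                     # inside the interval: starts at once
    else:
        # Accepted, but not started until the interval is reached.
        started = datetime.combine(requested.date(), start)
        if started <= requested:
            started += timedelta(days=1)        # next opening is tomorrow
    finished = started + transfer_duration(size_mbytes, max_kbits_per_s)
    # Unfinished jobs continue past the end time until completion.
    overrun = max(finished - window_end_after(started, start, end), timedelta(0))
    return {"started": started, "finished": finished, "overrun": overrun}


def end_time_for_deadline(deadline, largest_job_mbytes, max_kbits_per_s):
    """End time to configure so a job started just before it still meets the deadline."""
    return deadline - transfer_duration(largest_job_mbytes, max_kbits_per_s)


if __name__ == "__main__":
    # Constructed values: 450 MB job, 2000 Kbits/s limit, interval 01:00-05:00.
    plan = plan_retrieval(datetime(2023, 3, 2, 4, 45), 450, 2000, time(1, 0), time(5, 0))
    print("started ", plan["started"])
    print("finished", plan["finished"])
    print("overrun ", plan["overrun"])
    print("set end time to", end_time_for_deadline(datetime(2023, 3, 2, 5, 0), 450, 2000))
```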

Devices node

Devices (Devices node)


The devices appear in the Management Client when you add hardware with the Add Hardware wizard.

You can manage devices via the device groups if they have the same properties, see Device groups (explained)
on page 53.

You can also manage the devices individually.

Enabling/disabling and renaming of individual devices takes place on the recording server hardware. See
Enable/disable devices via device groups.

For all other configuration and management of cameras, expand Devices in the Site Navigation pane, then
select a device:

- Cameras
- Microphones
- Speakers
- Metadata
- Inputs
- Outputs

In the Overview pane, you group your cameras for an easy overview. Initial grouping is done
as part of the Add Hardware wizard.

For information about supported hardware, see the supported hardware page on the
Milestone website (https://www.milestonesys.com/support/tools-and-references/supported-devices/).

Status icons of devices

When you select a device, information about the current status appears in the Preview pane.
The following icons indicate the status of the devices:

Camera Microphone Speaker Metadata Input Output Description

Device enabled and retrieving data: The device is enabled and you retrieve a live stream.

Device recording: The device is recording data on the system.

Device temporarily stopped or has no feed: When stopped, no information is transferred to
the system. If it is a camera, you cannot view live video. A stopped device can still
communicate with the recording server for retrieving events, setting settings etc., as
opposed to when a device is disabled.

Devices disabled: Cannot be started automatically through a rule and cannot communicate
with the recording server. If a camera is disabled, you cannot view live or recorded video.

Device database being repaired.

Device requires attention: The device does not function correctly. Pause the mouse pointer
over the device icon to get a description of the problem in the tooltip.

Status unknown: Status of the device is unknown, for example, if the recording server is
offline.

Some icons can be combined, as in this example where Device enabled and retrieving data is
combined with Device recording.

Cameras (Devices node)


Camera devices are added automatically when you add hardware to the system and are by default enabled.

The system comes with a default start feed rule which ensures that video feeds from all connected cameras are
automatically fed to the system. The default rule can be deactivated and/or modified as required.

Follow this configuration order to complete the most typical tasks related to configuration of a camera device:

1. Configure camera settings, see Settings tab (devices).

2. Configure streams, see Streams tab (devices).

3. Configure motion, see Motion tab (devices).

4. Configure recording, see Record tab (devices) and Monitor the databases for devices.

5. Configure the remaining settings as needed.

Microphones (Devices node)


Microphone devices are added automatically when you add hardware to the system. They are by default
disabled, so you must enable them before use, either as part of the Add Hardware wizard or afterwards.
Microphones do not require separate licenses. You can use as many microphones as required on your system.

You can use microphones completely independently of cameras.

The system comes with a default start audio feed rule which ensures that audio feeds from all connected
microphones are automatically fed to the system. The default rule can be deactivated and/or modified as
required.

You can configure microphone devices on these tabs:

- Info tab, see Info tab (devices)
- Settings tab, see Settings tab (devices)
- Record tab, see Record tab (devices)
- Events tab, see Events tab (devices)

Speakers (Devices node)


Speaker devices are added automatically when you add hardware to the system. They are by default disabled,
so you must enable them before use, either as part of the Add Hardware wizard or afterwards. Speakers do
not require separate licenses. You can use as many speakers as required on your system.

You can use speakers completely independently of cameras.

The system comes with a default start audio feed rule that starts the device so the device is ready to send user
activated audio to the speakers. The default rule can be deactivated and/or modified as required.

You can configure speaker devices on these tabs:

- Info tab, see Info tab (devices)
- Settings tab, see Settings tab (devices)
- Record tab, see Record tab (devices)

Metadata (Devices node)


The system comes with a default start feed rule which ensures that metadata feeds from all connected
hardware that supports metadata are automatically fed to the system. The default rule can be deactivated
and/or modified as required.

You can configure metadata devices on these tabs:

- Info tab, see Info tab (devices)
- Settings tab, see Settings tab (devices)
- Record tab, see Record tab (devices)

Input (Devices node)


You can use input devices completely independently of cameras.

Before you specify use of external input units on a device, verify that the device itself
recognizes the sensor operation. Most devices can show this in their configuration
interfaces, or via Common Gateway Interface (CGI) script commands.

Input devices are added automatically when you add hardware to the system. They are by default disabled, so
you must enable them before use, either as part of the Add Hardware wizard or afterwards. Input devices do
not require separate licenses. You can use as many input devices as required on your system.

You can configure input devices on these tabs:

- Info tab, see Info tab (devices)
- Settings tab, see Settings tab (devices)
- Events tab, see Events tab (devices)

Output (Devices node)


Output can be triggered manually from the Management Client and XProtect Smart Client.

Before you specify use of external output units on a device, verify that the device itself
can control the device attached to the output. Most devices can show this in their
configuration interfaces, or via Common Gateway Interface (CGI) script commands.

Output devices are added automatically when you add hardware to the system. They are by default disabled,
so you must enable them before use, either as part of the Add Hardware wizard or afterwards. Output devices
do not require separate licenses. You can use as many output devices as required on your system.

You can configure output devices on these tabs:

- Info tab, see Info tab (devices)
- Settings tab, see Settings tab (devices)

Devices tabs

Info tab (devices)

On the Info tab, you can view and edit basic information about a device in a number of fields.
All devices have an Info tab.

Info tab properties

Name Description

Name The name is used whenever the device is listed in the system and clients.

When you rename a device, the name is changed globally in the Management Client.

Description Enter a description of the device (optional).

The description appears in a number of listings within the system. For example, when
you pause the mouse pointer over the name in the Overview pane.

Hardware name Displays the name of the hardware with which the device is connected. The field is
non-editable from here, but you can change it by clicking Go To next to it. This takes
you to hardware information where you can change the name.

Port number Displays the port on which the device is attached on the hardware.

For single-device hardware, the port number is typically 1. For multi-device hardware,
such as video servers with several channels, the port number typically indicates the
channel on which the device is attached, for example 3.

Short name To apply a short name for the camera, enter it here. The maximum length is 128
characters.

If you are using smart map, the short name is automatically displayed with the camera
on the smart map. Otherwise the full name is displayed.

Geo coordinates Enter the geographic location of the camera in the format latitude, longitude. The
value you enter determines the position of the camera icon on the smart map in
XProtect Smart Client.

The field is mainly for smart map and third party integrations.

Direction Enter the viewing direction of the camera measured against a due north point on a
vertical axis. The value you enter determines the direction of the camera icon on the
smart map in XProtect Smart Client.

The default value is 0.0.

The field is mainly for smart map and third party integrations.

Field of view Enter the field of view in degrees. The value you enter determines the field of view of
the camera icon on the smart map in XProtect Smart Client.

The default value is 0.0.

The field is mainly for smart map and third party integrations.

Depth Enter the depth of the camera in meters or feet. The value you enter determines the
depth of the camera icon on the smart map in XProtect Smart Client.

The default value is 0.0.

The field is mainly for smart map and third party integrations.

Preview position in browser To verify that you have entered the correct geographic coordinates,
click the button. Google Maps will open in your standard Internet browser on the position you specify.

The field is mainly for smart map and third party integrations.

Settings tab (devices)

On the Settings tab, you can view and edit settings for a device in a number of fields.
All devices have a Settings tab.

The values appear in a table as changeable or read-only. When you change a setting to a non-default value, the
value appears in bold.

The content of the table depends on the device driver.

Allowed ranges appear in the information box below the settings table:

For more information about camera settings, see View or edit camera settings.

Streams tab (devices)

The following devices have a Streams tab:

- Cameras

The Streams tab lists by default a single stream. It is the selected camera's default stream, used for live and
recorded video.

Tasks on the Streams tab

Name Description

Record Select this check box to change which stream to use for recording. For live streaming, you
can set up and use as many live streams as the camera supports, but you can only select one
stream for recording at a time.

Add Click to add a stream to the list.

Add a stream

Record tab (devices)

The following devices have a Record tab:

- Cameras
- Microphones
- Speakers
- Metadata

Recordings from a device are only saved in the database when you have enabled recording and the recording-
related rule criteria are met.

Parameters that cannot be configured for a device are grayed out.

Tasks on the Record tab

Name Description

Recording Enable/disable recording

Enable recording on related devices

Pre-buffer Pre-buffering and storage of pre-buffer recordings (explained)

Manage pre-buffering

Manage manual recording

Recording frame rate Specify recording frame rate

Enable keyframe recording

Storage Monitor the status of databases for devices

Select Move devices from one storage to another

Delete All Recordings Use this button if you have added all devices in the group to
the same server:

Delete recordings

Automatically retrieve remote recordings when connection is restored Save and retrieve remote recording

Motion tab (devices)

The following devices have a Motion tab:

- Cameras

On the Motion tab, you can enable and configure motion detection for the selected camera.

Tasks on the Motion tab

Name Description

Motion detection Enable and disable motion detection

Hardware acceleration Select Automatic to enable hardware acceleration or select Off to disable the
setting. For more information, see Enable or disable hardware acceleration.

Privacy masks If you have defined areas with permanent privacy masks, you can select the Privacy
masks check box to display the privacy masks on the Motion tab. You define areas
with privacy masks on the Privacy masking tab (devices) on page 441.

There is no motion detection within areas covered by permanent privacy masks.

Manual sensitivity Determine how much each pixel in the image must change before it is regarded as
motion:

Enable manual sensitivity to define motion

Threshold Determine how many pixels in the image must change before it is regarded as
motion:

Specify threshold to define motion

Keyframes only (MPEG-4/H.264/H.265) Select this check box to do motion detection on keyframes only
instead of on the entire video stream. Only applies to MPEG-4/H.264/H.265.

Motion detection on keyframes reduces the amount of processing power used to
carry out the analysis.

Process image every (msec) Select an image processing interval in this list to determine how often
the system performs the motion detection analysis.

For example, every 1000 milliseconds is once every second. Default value is every
500 milliseconds.

The interval is applied if the actual frame rate is higher than the interval you set
here.

Detection resolution Select a detection resolution in this list to optimize motion detection performance.

Only the selected percentage of the image is analyzed, for example 25%. By
analyzing 25%, only every fourth pixel in the image is analyzed instead of all pixels.

Using optimized detection reduces the amount of processing power used to carry
out the analysis, but also means a less accurate motion detection.

Generate motion data for smart search With this check box enabled, the system generates motion data
for the images used for motion detection. For example, if you select motion detection on keyframes only,
the motion data is also produced for keyframes only.

The extra motion data enables the client user, via the smart search function, to
quickly search for relevant recordings based on motion in the selected area of the
image. The system does not generate motion data within areas covered by
permanent privacy masks, but only for areas with liftable privacy masks (see Motion
detection (explained)).

Motion detection threshold and exclude regions do not influence the generated
motion data.

- Specify the default setting of generating smart search data for cameras
under Tools > Options > General.

Use exclude regions Exclude motion detection from specific areas of a camera view:

Specify exclude regions for motion detection
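How the Motion tab settings interact is easier to see in a small model. The following is an added example, not Milestone's detection algorithm or code from this manual: it assumes greyscale frames, treats Threshold as an absolute count of sampled pixels, samples every Nth pixel in raster order for Detection resolution, and reuses the privacy mask grid for exclude regions; all function and parameter names are hypothetical.

```python
from dataclasses import dataclass

GRID_SIZES = (8, 16, 32, 64)   # grid densities offered on the Privacy masking tab


@dataclass(frozen=True)
class MotionResult:
    motion: bool               # enough pixels changed to count as motion
    changed: int               # changed pixels counted against the threshold
    motion_cells: frozenset    # grid cells with change (data kept for smart search)


def frames_to_analyze(timestamps_ms, interval_ms):
    """Indices of the frames analyzed when analyses are at least interval_ms apart."""
    picked, last = [], None
    for index, stamp in enumerate(timestamps_ms):
        if last is None or stamp - last >= interval_ms:
            picked.append(index)
            last = stamp
    return picked


def detect_motion(prev, cur, *, sensitivity, threshold, resolution_percent=100,
                  grid=8, permanent_mask=frozenset(), exclude_regions=frozenset()):
    """Compare two greyscale frames (lists of rows, values 0-255)."""
    if grid not in GRID_SIZES:
        raise ValueError("grid must be one of %r" % (GRID_SIZES,))
    if not 0 < resolution_percent <= 100:
        raise ValueError("resolution_percent must be in (0, 100]")
    height, width = len(cur), len(cur[0])
    step = max(1, round(100 / resolution_percent))    # 25% -> every fourth pixel
    counted, cells = 0, set()
    for y in range(height):
        for x in range(width):
            if (y * width + x) % step:
                continue                              # not sampled at this resolution
            cell = (y * grid // height, x * grid // width)
            if cell in permanent_mask:
                continue                              # no detection and no motion data
            if abs(cur[y][x] - prev[y][x]) <= sensitivity:
                continue                              # change too small to count
            cells.add(cell)                           # motion data ignores exclude regions
            if cell not in exclude_regions:
                counted += 1
    return MotionResult(counted >= threshold, counted, frozenset(cells))


def constructed_frames():
    """Constructed 16x16 sample: a moving object, sensor noise, change under a mask."""
    prev = [[50] * 16 for _ in range(16)]
    cur = [row[:] for row in prev]
    cur[0][0] = 55                                    # noise: change of 5 grey levels
    for y in range(4, 8):
        for x in range(4, 8):
            cur[y][x] = 200                           # object: 16 changed pixels
    for y in range(12, 16):
        for x in range(12, 16):
            cur[y][x] = 200                           # activity inside the masked corner
    return prev, cur


OBJECT_CELLS = frozenset({(2, 2), (2, 3), (3, 2), (3, 3)})   # cells the object covers
MASKED_CELLS = frozenset({(6, 6), (6, 7), (7, 6), (7, 7)})   # permanent privacy mask

if __name__ == "__main__":
    before, after = constructed_frames()
    for percent in (100, 25):
        print(percent, detect_motion(before, after, sensitivity=20, threshold=10,
                                     resolution_percent=percent,
                                     permanent_mask=MASKED_CELLS))
```

At 25% resolution the same object no longer reaches the threshold, which is the accuracy cost the Detection resolution row describes.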

Presets tab (devices)

The following devices have a Presets tab:

- PTZ cameras that support preset positions

On the Presets tab, you can create or import preset positions, for example:

- In rules for making a PTZ (pan-tilt-zoom) camera move to a specific preset position when an event occurs
- In patrolling, for the automatic movement of a PTZ camera between a number of preset positions
- For manual activation by the XProtect Smart Client users

You assign PTZ permission to roles on the Overall Security tab (see Overall Security tab (roles) on page 495) or
the PTZ tab (see PTZ tab (roles) on page 531).

Tasks on the Presets tab

Name Description

New Add a preset position for a camera in the system:

Add a preset position (type 1)

Use presets from device Add a preset position for a PTZ camera on the camera itself:

Use preset positions from the camera (type 2)

Default preset Assign one of a PTZ camera's preset positions as the camera's default preset position:

Assign a camera's default preset position as default

Edit Edit an existing preset position defined in the system:

Edit a preset position for a camera (type 1 only)

Edit the name of a preset position defined in the camera:

Rename a preset position for a camera (type 2 only)

Locked Select this check box to lock a preset position. You can lock a preset position if you
want to prevent users in XProtect Smart Client or users with limited security permissions from
updating or deleting a preset. Locked presets are indicated with an icon.

You lock presets as part of adding (see Add a preset position (type 1)) and editing (see Edit a
preset position (type 1 only)).

Activate Click this button to test a camera's preset position:

Test a preset position (type 1 only).

Reserve and Release Prevent other users from taking control over the camera and release the
reservation.

Administrators with security permissions to run a reserved PTZ session can run the PTZ camera in
this mode. This prevents other users from taking control over the camera. With sufficient
permissions, you can release other users' reserved PTZ sessions:

Reserve and release PTZ sessions.

PTZ session Monitor if the system is currently patrolling or a user has taken control:

PTZ session properties on page 432.

View the status of PTZ cameras and manage timeouts for cameras:

Specify PTZ session timeouts.

PTZ session properties

The PTZ session table shows the current status of the PTZ camera.

Name Description

User Displays the user that has pressed the Reserved button and currently controls the PTZ
camera.

If a patrolling session is activated by the system, it displays Patrolling.

Priority Displays the user's PTZ priority. You can only take over PTZ sessions from users with a
lower priority than you.

Timeout Displays the remaining time of the current PTZ session.

Reserved Indicates if the current session is a reserved PTZ session or not:

- True: Reserved
- False: Not reserved

The check boxes in the PTZ session section enable you to change the following timeouts for each PTZ camera.

Name Description

Timeout for manual PTZ session Specify the timeout period for manual PTZ sessions on this
camera if you want the timeout to be different from the default period. You specify the default
period in the Tools menu under Options.

Timeout for pause patrolling PTZ session Specify the timeout period for pause patrolling PTZ
sessions on this camera if you want the timeout to be different from the default period. You
specify the default period in the Tools menu under Options.

Timeout for reserved PTZ session Specify the timeout period for reserved PTZ sessions on this
camera if you want the timeout to be different from the default period. You specify the default
period in the Tools menu under Options.

Patrolling tab (devices)

The following devices have a Patrolling tab:

- PTZ cameras

On the Patrolling tab, you can create patrolling profiles - the automatic movement of a PTZ (pan-tilt-zoom)
camera between a number of preset positions.
Before you can work with patrolling, you must specify at least two preset positions for the camera in the
Presets tab, see Add a preset position (type 1).

Patrolling tab, displaying a patrolling profile with customized transitions:

Tasks on the Patrolling tab

Name Description

Add Add a patrolling profile

Preset ID Specify preset positions in a patrolling profile

Wait time (sec) Specify the time at each preset position

Customize transitions Customize transitions (PTZ)

Go to specific position on finish Specify an end position when patrolling

Manual patrolling Monitor if the system is currently patrolling or a user has taken control.

Start and Stop Use the Start and Stop buttons to initiate and stop manual patrolling.

See Specify PTZ session timeouts for information about how to specify how much time
should pass before regular patrolling is resumed for all or for individual PTZ cameras.

Manual patrolling properties

The Manual patrolling table shows the current status of the PTZ camera.

Name Description

User Displays the user who has either reserved the PTZ session or started a manual patrolling
and currently controls the camera.

If a patrolling session is activated by the system, it displays Patrolling.

Priority Displays the user's PTZ priority. You can only take over PTZ sessions from users or
patrolling profiles with a lower priority than yours.

Timeout Displays the remaining time of the current reserved or manual PTZ sessions.

Reserved Indicates if the current session is a reserved PTZ session or not.

- True: Reserved
- False: Not reserved

Fisheye lens tab (devices)

The following devices have a Fisheye Lens tab:

- Fixed cameras with a fisheye lens

On the Fisheye Lens tab, you can enable and configure fisheye lens support for the selected camera.

Task on the Fisheye lens tab

Name Description

Enable fisheye lens support Enable and disable fisheye lens support

Events tab (devices)

The following devices have an Events tab:

- Cameras
- Microphones
- Inputs

In addition to the system's events, some devices can be configured to trigger events. You can use these events
when creating event-based rules in the system. Technically, they occur on the actual hardware/device rather
than on the surveillance system.

Tasks on the Events tab

Name Description

Add and Delete Add or delete an event for a device

Event tab (properties)

Name Description

Configured events Which events you may select and add in the Configured events list is determined
entirely by the device and its configuration. For some types of devices, the list is empty.

General The list of properties depends on the device and the event. In order for the event to
work as intended, you must specify some or all of the properties identically on the
device as well as on this tab.

Client tab (devices)

The following devices have a Client tab:

- Cameras

On the Client tab you can specify which other devices are viewed and heard when you use the camera in
XProtect Smart Client.

The related devices also record when the camera records, see Enable recording on related devices on page 220.

You can also enable Live multicast on the camera. It means that the camera multicasts live streams to the
clients via the recording server.

Multicast streams are not encrypted, even if the recording server uses encryption.

Client tab properties

Name Description

Related microphone Specify the microphone on the camera from which XProtect Smart Client users
by default listen to audio. The XProtect Smart Client user can manually select to listen to another
microphone if needed.

Specify the microphone that is related to the video push camera for streaming video with audio.

The related microphones record when the camera records.

Related speaker Specify through which speakers on the camera XProtect Smart Client users speak by
default. The XProtect Smart Client user can manually select another speaker if needed.

The related speakers record when the camera records.

Related metadata Specify one or more metadata devices on the camera that XProtect Smart Client
users receive data from.

The related metadata devices record when the camera records.

Shortcut To ease the selection of cameras for the XProtect Smart Client users, define keyboard
shortcuts to the camera.

- Create each shortcut so it uniquely identifies the camera
- A camera shortcut number cannot be longer than four digits

Live multicast The system supports multicast of live streams from the recording server to XProtect
Smart Client. To enable multicast of live streams from the camera, select the check box.

Live multicasting only works on the stream that you have specified as the camera's default
stream on the Streams tab.

You must also configure multicasting for the recording server. See Enable multicasting for the
recording server on page 197.

Multicast streams are not encrypted, even if the recording server uses encryption.

Privacy masking tab (devices)

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

XProtect Essential+ 2018 R1 and onwards does not support privacy masking, so if you upgrade from a system
with privacy masks applied, the masks will be removed.

The following devices have a Privacy masking tab:

- Cameras

On the Privacy masking tab, you can enable and configure privacy protection for the selected camera.

Tasks on the Privacy masking tab

Name Description

Privacy masking Enable/disable privacy masking

Privacy masking (explained)

Permanent mask and Liftable mask Define whether you want a permanent or liftable privacy mask:

Define privacy masks

Tasks related to Privacy masking

Task Description

Change the timeout for lifted privacy masks for the Smart Client profile associated with the role
that has the permission to lift privacy masks.
Change the timeout for lifted privacy masks

Enable or disable the permission to lift privacy masks for a role.
Give users permission to lift privacy masks

Create a devices report with information about your cameras' current privacy masking settings.
Create a report of your privacy masking configuration

Privacy masking tab (properties)

Name Description

Grid size The selected grid size determines the density of the grid, regardless of whether the
grid is visible in the preview or not.

Select between the values 8×8, 16×16, 32×32 or 64×64.

Clear Clears all privacy masks you have specified.

Show grid Select the Show grid check box to make the grid visible.

Show privacy masks When you select the Show privacy masks check box (default), permanent privacy
masks appear in purple in the preview and liftable privacy masks in green.

Milestone recommends that you keep the Show privacy masks box selected so that you
and your colleagues can see the current privacy protection configuration.

Pen size Use the Pen size slider to indicate the size of the selections you wish to make when you
click and drag the grid to select regions. Default is set to small, which is equivalent to
one square in the grid.

Permanent mask Appears in purple in the preview on this tab and on the Motion tab.

Permanent privacy masks are always visible in XProtect Smart Client and cannot be
lifted. Can be used to cover areas of the video that never require surveillance, like
public areas, where surveillance is not allowed. Motion detection is excluded from
permanent masks.

You specify the coverage of privacy masks as either solid or some level of blurred. The
coverage settings apply to both live and recorded video.

Liftable mask Appears in green in the preview on this tab.

Liftable privacy masks can be lifted in XProtect Smart Client by users with sufficient user
permissions. By default, the privacy masks are lifted for 30 minutes, or until the user
applies them again. Be aware that the privacy masks are lifted on video from all the
cameras that the user has access to.

If the XProtect Smart Client user does not have the permission to lift privacy masks, the
system asks for a user with permission to authorize the lift.

You specify the coverage of privacy masks as either solid or a level of blurred. The
coverage settings apply to both live and recorded video.

Blurring Use the slider to select the blurring level of the privacy masks in the clients or set the
coverage to solid.

By default, the coverage of areas with permanent privacy masks is solid
(nontransparent). By default, liftable privacy masks are medium blurred.

You can inform the client users about the appearance of permanent and liftable privacy
masks, so they are able to distinguish between them.

Hardware Properties window


You have several options for adding hardware to each recording server in your system.

If your hardware is located behind a NAT-enabled router or a firewall, you may need to
specify a different port number and configure the router/firewall so it maps the port and
IP addresses that the hardware uses.

The Add Hardware wizard helps you detect hardware like cameras and video encoders on your network and
add them to the recording servers on your system. The wizard also helps you add remote recording servers for
Milestone Interconnect setups. Only add hardware to one recording server at a time.

Info tab (hardware)

For information about the Info tab for remote servers, see Info tab (remote server) on page 411.

Name Description

Name Enter a name. The system uses the name whenever the hardware is listed in the system
and in the clients. The name does not have to be unique.

When you rename hardware, the name is changed globally in the Management Client.

Description Enter a description of the hardware (optional). The description appears in a number of
listings within the system. For example, when moving the mouse pointer over the
hardware name in the Overview pane.


Model Identifies the hardware model.

Serial number Hardware serial number as specified by the manufacturer. The serial number is often,
but not always, identical to the MAC address.

Driver Identifies the driver that handles the connection to the hardware.

IE Opens the default home page of the hardware vendor. You can use this page for
administration of the hardware.

Address The host name or IP address of the hardware.

MAC address Specifies the Media Access Control (MAC) address of the system hardware. A MAC
address is a 12-character hexadecimal number uniquely identifying each piece of
hardware on a network.

Firmware version: The firmware version of the hardware device. To ensure that the system displays the
current version, run the Update hardware data wizard after every firmware update.

Password last changed The Password last changed field shows the time stamp of the latest password change
based on the local time settings of the computer that the password was changed from.

Hardware data last updated: Time and date of the last update of the hardware data.

Settings tab (hardware)

On the Settings tab, you can verify or edit settings for the hardware.


The content of the Settings tab is determined by the selected hardware, and varies
depending on the type of hardware. For some types of hardware, the Settings tab
displays no content at all or read-only content.

For information about the Settings tab for remote servers, see Settings tab (remote server) on page 412.

PTZ tab (video encoders)

On the PTZ tab, you can enable PTZ (pan-tilt-zoom) for video encoders. The tab is available if the selected
device is a video encoder or if the driver supports both non-PTZ and PTZ cameras.

You must enable the use of PTZ separately for each of the video encoder's channels on the PTZ tab before you
can use the PTZ features of the PTZ cameras attached to the video encoder.

Not all video encoders support the use of PTZ cameras. Even video encoders that
support the use of PTZ cameras may require configuration before the PTZ cameras can
be used. This typically means installing additional drivers through a browser-based
configuration interface on the device's IP address.

PTZ tab, with PTZ enabled for two channels on a video encoder.

Client node

Clients (node)
This article describes how to customize the user interface for operators in XProtect Smart Client and for system
administrators in the Management Client.


Smart Wall (Client node)

Smart Wall properties

Info tab

On the Info tab for a Smart Wall definition, you can add and edit Smart Wall properties.

Name Description

Name The name of the Smart Wall definition. Displayed in XProtect Smart Client as the Smart
Wall view group name.

Description A description of the Smart Wall definition. The description is only used internally in
XProtect Management Client.

Status text Display camera and system status information in camera view items.

No title bar Hide the title bar on all view items on the video wall.

Title bar Show the title bar on all view items on the video wall.

Presets tab

On the Presets tab for a Smart Wall definition, you can add and edit Smart Wall presets¹.

Name Description

Add New Add a preset to your Smart Wall definition.

Enter a name and description for the preset.

Edit Edit the name or description of a preset.

¹ A predefined layout for one or more Smart Wall monitors in XProtect Smart Client. Presets determine which
cameras are displayed, and how content is structured on each monitor on the video wall.


Delete Delete a preset.

Activate Apply the preset on the Smart Wall monitors that are configured to use the preset. To
apply a preset automatically, you must create a rule that uses the preset.

Layout tab

On the Layout tab for a Smart Wall definition, you position the monitors, so their positions resemble the
mounting of the physical monitors on the video wall. The layout is also used in XProtect Smart Client.

Name Description

Edit Adjust the positioning of the monitors.

Movement To move a monitor to a new position, select the monitor and drag it to the desired
position, or click one of the arrow buttons to move the monitor in the selected direction.

Zoom buttons Zoom in or out of the Smart Wall layout preview to ensure you position the monitors
correctly.

Name The name of the monitor. The name is displayed in XProtect Smart Client.

Size The size of the physical monitor on the video wall.

Aspect ratio The height/width relationship of the physical monitor on the video wall.

Monitor properties

Info tab

On the Info tab for a monitor in a Smart Wall preset, you can add monitors and edit the monitor settings.


Name Description

Name The name of the monitor. The name is displayed in XProtect Smart Client.

Description A description of the monitor. The description is only used internally in the XProtect
Management Client.

Size The size of the physical monitor on the video wall.

Aspect ratio The height/width relationship of the physical monitor on the video wall.

Empty preset Defines what should be displayed on a monitor with an empty preset layout when a
new Smart Wall preset is triggered or selected in XProtect Smart Client:

• Select Preserve to keep the current content on the monitor.

• Select Clear to clear all content so nothing is displayed on the monitor.

Empty preset item Defines what should be displayed in an empty preset item when a new Smart Wall
preset is triggered or selected in XProtect Smart Client:

• Select Preserve to keep the current content in the layout item.

• Select Clear to clear the content so nothing is displayed in the layout item.

Element insertion Defines how cameras are inserted in the monitor layout when viewed in the XProtect
Smart Client:

• Independent - only the content of the affected layout item changes, the rest of
the content in the layout remains the same.

• Linked - the contents of the layout items are pushed from left to right. If, for
example, a camera is inserted in position 1, the previous camera of position 1 is
pushed to position 2, the previous camera of position 2 is pushed to position 3,
and so on. Illustrated in this example:


Presets tab

On the Presets tab for a monitor in a Smart Wall preset, you can edit the view layout and content of the
monitor in the selected Smart Wall preset.

Name Description

Preset A list of Smart Wall presets for the selected Smart Wall definition.

Edit Click Edit to edit the layout and the content of the selected monitor.

Double-click a camera to remove it.

Click Clear to define a new layout or to exclude the monitor in the Smart Wall preset so the
monitor is available for other content not controlled by the Smart Wall preset.

Click to select the layout you want to use with your monitor, and click OK.

Smart Client Profiles (Client node)

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

The following tabs allow you to specify the properties of each Smart Client profile. You can lock the settings in
the Management Client if required, so the users of XProtect Smart Client cannot change them.

To manage Smart Client profiles in the system, expand Client and select Smart Client Profiles.

Info tab (Smart Client profiles)

This tab allows you to specify the following properties:

Tab Description

Info Name and description, priority of existing profiles and an overview of which roles use the
profile.

If a user is a member of more than one role, each with their individual Smart Client profile, the
user gets the Smart Client profile with the highest priority.


General tab (Smart Client profiles)

This tab allows you to specify the following properties:

Tab Description

General Settings such as show/hide and mini- and maximize menu settings, login/-out, startup,
timeout, info and messaging options, and enabling or disabling of certain tabs in XProtect
Smart Client.

The Camera error messages, Server error messages, and Live video error message
settings let you control if these error messages are displayed as an overlay, as a black
image with overlay, or if they are hidden.

The Live video stopped message is displayed in XProtect Smart Client when the camera
live feed is stopped, for example if the camera has stopped sending images even though
it's connected.

If you Hide the camera error messages, there is a risk that the
operator overlooks that the connection to a camera has been lost.

The Cameras allowed during search setting lets you control how many cameras operators
can add to searches in XProtect Smart Client. Setting a camera limit can help you prevent
overloading the system.

The Online help setting lets you disable the help system in XProtect Smart Client.

The Video tutorials setting lets you disable the Video tutorials button in XProtect Smart
Client. The button redirects operators to the video tutorials page:
https://www.milestonesys.com/support/help-yourself/video-tutorials/

Advanced tab (Smart Client profiles)

This tab allows you to specify the following properties:

Tab Description

Advanced Advanced settings such as maximum decoding threads, deinterlacing and time zone
settings.

Maximum decoding threads controls how many decoding threads are used to decode
video streams. It can help improve performance on multi-core computers in live as well
as playback mode. The exact performance improvement depends on the video stream. It
is mainly relevant if using heavily coded high-resolution video streams like H.264/H.265,
for which the performance improvement potential can be significant, and less relevant if
using, for example, JPEG or MPEG-4.

With deinterlacing, you convert video into a non-interlaced format. Interlacing
determines how an image is refreshed on a screen. The image is refreshed by first
scanning the odd lines in the image, then scanning the even lines. This allows a faster
refresh rate because less information is processed during each scan. However,
interlacing may cause flickering, or the changes in half of the image's lines may be
noticeable.

Adaptive streaming enables XProtect Smart Client to automatically select the live video
streams with the best match in resolution to the streams requested by the view item. This
decreases the load on the CPU and the GPU and thereby improves the decoding
capability and performance of the computer. This requires multi-streaming of live video
streams with different resolutions to be configured, see Manage multi-streaming.

Live tab (Smart Client profiles)

This tab allows you to specify the following properties:

Tab Description

Live Availability of the live mode and other live features, camera playback, camera overlay buttons,
and bounding boxes, and also live-related MIP plug-ins.

Playback tab (Smart Client profiles)

This tab allows you to specify the following properties:


Tab Description

Playback Availability of the playback mode and other playback features, layout of print reports,
independent playback, bookmarks, and bounding boxes, and also playback-related MIP
plug-ins.

Setup tab (Smart Client profiles)

This tab allows you to specify the following properties:

Tab Description

Setup Availability of general setup/panes/buttons, setup-related MIP plug-in and permissions to edit
a map and to edit live video buffering.

Export tab (Smart Client profiles)

This tab allows you to specify the following properties:

Tab Description

Export Paths, privacy masks, video and still image formats and what to include when exporting
these, export formats for XProtect Smart Client – Player and much more.

Timeline tab (Smart Client profiles)

This tab allows you to specify the following properties:

Tab Description

Timeline Whether to include audio or not, visibility of indication of time and motion, and finally how
to handle playback gaps.

You can also select whether to show additional data or additional markers from other
sources.


Access Control tab (Smart Client profiles)

This tab allows you to specify the following properties:

Tab Description

Access Control Select if access request notifications should pop up on the XProtect Smart Client screen
when triggered by events.

Alarm Manager tab (Smart Client profiles)

This tab allows you to specify the following properties:

Tab Description

Alarm Manager Specify whether:

• Desktop notifications for alarms should be displayed on the computers where
XProtect Smart Client is installed. The notifications appear only if XProtect Smart
Client is running - even if minimized

Desktop notifications for alarms appear only when the
alarms have certain priorities, for example Medium or High.
To configure which alarm priorities trigger notifications,
go to Alarms > Alarm Data Settings > Alarm Data Levels.
For each required alarm priority, select the Enable desktop
notifications check box. See Alarms Data Settings (Alarms
node).

• Alarms should play sound notifications on the computers where XProtect Smart
Client is installed. The sound notifications play only if XProtect Smart Client is
running - even if minimized

Sound notifications for alarms play only when a sound is
associated with the alarm. To associate sounds with alarms,
go to Alarms > Alarm Data Settings > Alarm Data Levels.
For each required alarm priority, select the sound to be
associated with the alarm. See Alarms Data Settings (Alarms
node).

Smart map tab (Smart Client profiles)

This tab allows you to specify the following properties:

Tab Description

Smart map Specify settings for the smart map feature.

You can specify whether:

• Milestone Map Service is available for use as a geographic background

• OpenStreetMaps is available for use as a geographic background

• XProtect Smart Client will automatically create locations when a user adds a custom
overlay to the smart map.

You can also specify how often you want the system to delete data related to smart maps
from your computer. To help XProtect Smart Client display smart map faster, the client saves
map data in the cache on your computer. Over time this might slow down your computer.

Caching does not apply for Google Maps.

If you want to use Bing Maps or Google Maps as geographic backgrounds, enter a Bing Maps
API key, or a Maps Static API key from Google.


View Layout tab (Smart Client profiles)

This tab allows you to specify the following properties:

Management Client Profiles (Client node)

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

Info tab (Management Client Profiles)

On the Info tab, you can set the following for Management Client profiles:

Component Requirement

Name Enter a name for the Management Client profile.

Priority Use the up and down arrows to set a priority for the Management Client
profile.

Description Enter a description for the profile. This is optional.

Roles using the Management Client profile This field shows the roles that you have associated with the Management
Client profile. You cannot edit this.

Profile tab (Management Client Profiles)

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

On the Profile tab, you can enable or disable the visibility of the following elements from the Management
Client's user interface:


Navigation

In this section, decide if an administrator user associated with the Management Client profile is allowed to see
the various features and functionality located in the Navigation pane.

Navigation element Description

Basics Allows the administrator user associated with the Management Client profile to see
License Information and Site Information.

Remote Connect Services Allows the administrator user associated with the Management Client profile to see Axis
One-click Camera Connection.

Servers Allows the administrator user associated with the Management Client profile to see
Recording Servers and Failover Servers.

Devices Allows the administrator user associated with the Management Client profile to see
Cameras, Microphones, Speakers, Metadata, Input and Output.

Client Allows the administrator user associated with the Management Client profile to see
Smart Wall, View Groups, Smart Client Profiles, Management Client Profiles and
Matrix.

Rules and Events Allows the administrator user associated with the Management Client profile to see
Rules, Time Profiles, Notification Profiles, User-defined Events, Analytics Events and
Generic Events.

Security Allows the administrator user associated with the Management Client profile to see
Roles and Basic Users.

System Dashboard Allows the administrator user associated with the Management Client profile to see
System Monitor, System Monitor Thresholds, Evidence Lock, Current Tasks and
Configuration Reports.

Server Logs Allows the administrator user associated with the Management Client profile to see
system, audit, and rule-triggered logs.

Access Control Allows the administrator user associated with the Management Client profile to see
Access Control features, if you have added any access control system integrations or
plug-ins to your system.


Details

In this section, decide if an administrator user associated with the Management Client profile is allowed to see
the various tabs for a specific device channel, for example the Settings tab or Record tab for cameras.

Device channel Description

Cameras Allows the administrator user associated with the Management Client profile to see
some or all camera-related settings and tabs.

Microphones Allows the administrator user associated with the Management Client profile to see
some or all microphone-related settings and tabs.

Speakers Allows the administrator user associated with the Management Client profile to see
some or all speaker-related settings and tabs.

Metadata Allows the administrator user associated with the Management Client profile to see
some or all metadata-related settings and tabs.

Input Allows the administrator user associated with the Management Client profile to see
some or all input-related settings and tabs.

Output Allows the administrator user associated with the Management Client profile to see
some or all output-related settings and tabs.

Tools Menu

In this section, decide if an administrator user associated with the Management Client profile is allowed to see
the elements that are part of the Tools menu.

Tool Menu option Description

Registered Services Allows the administrator user associated with the Management Client profile to see
Registered Services.

Effective Roles Allows the administrator user associated with the Management Client profile to see
Effective Roles.

Options Allows the administrator user associated with the Management Client profile to see
Options.


Federated Sites

In this section, decide if an administrator user associated with the Management Client profile is allowed to see
the Federated Site Hierarchy pane.

Rules and Events node

Rules (Rules and Events node)


Your system includes a number of default rules that you can use for basic features without setting anything up.
You can deactivate or modify the default rules as you need. If you modify or deactivate the default rules, your
system may not work as desired, and there is no guarantee that video feeds or audio feeds are automatically
fed to the system.

Default rule Description

Go to Preset when PTZ is done Ensures that PTZ cameras go to their respective default preset positions after you have
operated them manually. This rule is not enabled by default.

Even when you have enabled the rule, you must have defined default preset positions
for the relevant PTZ cameras in order for the rule to work. You do this on the Presets
tab.

Play Audio on Request Ensures that video is recorded automatically when an external request occurs.

The request is always triggered by a system integrating externally with your system,
and the rule is primarily used by integrators of external systems or plug-ins.

Record on Bookmark Ensures that video is recorded automatically when an operator sets a bookmark in
XProtect Smart Client. This is provided you have enabled recording for the relevant
cameras. Recording is enabled by default.

The default recording time for this rule is three seconds before the bookmark is set and
30 seconds after the bookmark is set. You can edit the default recording times in the
rule. The pre-buffer which you set on the Record Tab must match or be longer than the
pre-recording time.

Record on Motion Ensures that as long as motion is detected in video from cameras, the video is
recorded, provided recording is enabled for the relevant cameras. Recording is by
default enabled.

While the default rule specifies recording based on detected motion, it does not
guarantee that the system records video, as you may have disabled recording
for one or more cameras. Even when you have enabled recording,
remember that the quality of recordings may be affected by the individual camera's
recording settings.

Record on Request Ensures that video is recorded automatically when an external request occurs,
provided recording is enabled for the relevant cameras. Recording is enabled by
default.

The request is always triggered by a system integrating externally with your system,
and the rule is primarily used by integrators of external systems or plug-ins.

Start Audio Feed Ensures that audio feeds from all connected microphones and speakers are
automatically fed to the system.

While the default rule enables access to connected microphones' and speakers' audio
feeds immediately upon installing the system, it does not guarantee that audio is
recorded, as you must specify recording settings separately.

Start Feed Ensures that video feeds from all connected cameras are automatically fed to the
system.

While the default rule enables access to connected cameras' video feeds immediately
upon installing the system, it does not guarantee that video is recorded, as cameras'
recording settings must be specified separately.

Start Metadata Feed Ensures that data feeds from all connected cameras are automatically fed to the
system.

While the default rule enables access to connected cameras' data feeds immediately
upon installing the system, it does not guarantee that data is recorded, as cameras'
recording settings must be specified separately.

Show Access Request Notification Ensures that all access control events categorized as 'Access Request', will cause an
access request notification to pop up in XProtect Smart Client, unless the notification
function is disabled in the Smart Client profile.

Recreate default rules

If you accidentally delete any of the default rules, you can recreate them by entering the following content:


Default rule Text to enter

Goto preset when PTZ is done
Perform an action on PTZ Manual Session Stopped from All Cameras
Move immediately to default preset on the device on which event occurred

Play Audio on Request
Perform an action on Request Play Audio Message from External
Play audio message from metadata on the devices from metadata with priority 1

Record on Bookmark
Perform an action on Bookmark Reference Requested from All Cameras, All
Microphones, All Speakers start recording three seconds before on the device on which
event occurred
Perform action 30 seconds after stop recording immediately

Record on Motion
Perform an action on Motion Started from All Cameras start recording three seconds
before on the device on which event occurred
Perform stop action on Motion Stopped from All Cameras stop recording three seconds
after

Record on Request
Perform an action on Request Start Recording from External start recording
immediately on the devices from metadata
Perform stop action on Request Stop Recording from External stop recording
immediately

Start Audio Feed
Perform an action in a time interval always start feed on All Microphones, All Speakers
Perform an action when time interval ends stop feed immediately

Start Feed
Perform an action in a time interval always start feed on All Cameras
Perform an action when time interval ends stop feed immediately

Start Metadata Feed
Perform an action in a time interval always start feed on All Metadata
Perform an action when time interval ends stop feed immediately

Show Access Request Notification
Perform an action on Access request (Access Control Categories) from Systems [+ units]
Show built-in access request notification


Notification Profiles (Rules and Events node)


Specify the following properties for notification profiles:

Component Requirement

Name Enter a descriptive name for the notification profile. The name appears later whenever
you select the notification profile during the process of creating a rule.

Description (optional) Enter a description of the notification profile. The description appears when you pause
your mouse pointer over the notification profile in the Overview pane's Notification
Profiles list.

Recipients Enter the e-mail addresses to which the notification profile's e-mail notifications should
be sent. To enter more than one e-mail address, separate addresses with a semicolon.
Example: [email protected];[email protected];[email protected]

Subject Enter the text you want to appear as the subject of the e-mail notification.

You can insert system variables, such as Device name, in the subject and message text
field. To insert variables, click the required variable links in the box below the field.

Message text Enter the text you want to appear in the body of the e-mail notifications. In addition to
the message text, the body of each e-mail notification automatically contains this
information:

• What triggered the e-mail notification

• The source of any attached still images or AVI video clips

Time between e-mails Specify the required minimum time (in seconds) to pass between the sending of each
e-mail notification. Examples:

• If specifying a value of 120, a minimum of 2 minutes pass between the sending
of each e-mail notification, even if the notification profile is triggered again by a
rule before the 2 minutes have passed

• If specifying a value of 0, e-mail notifications are sent each time the notification
profile is triggered by a rule. This can potentially result in a very large number of
e-mail notifications being sent. If using the value 0, you should therefore
carefully consider whether you want to use the notification profile in rules which
are likely to be triggered frequently


Number of images Specify the maximum number of still images you want to include in each of the
notification profile's e-mail notifications. Default is five images.

Time between images (ms) Specify the number of milliseconds you want between the recordings presented on the
included images. Example: With the default value of 500 milliseconds, the included
images show recordings with half a second between them.

Time before event (sec.) This setting is used to specify the start of the AVI file. By default, the AVI file contains
recordings from 2 seconds before the notification profile is triggered. You can change
this to the number of seconds you require.

Time after event (sec.) This setting is used to specify the end of the AVI file. By default, the AVI file ends 4
seconds after the notification profile is triggered. You can change this to the number of
seconds you require.

Frame rate Specify the number of frames per second you want the AVI file to contain. Default is five
frames per second. The higher the frame rate, the higher the image quality and AVI file
size.

Embed images in e-mail If selected (default), images are inserted in the body of e-mail notifications. If not,
images are included in e-mail notifications as attached files.
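
The Time between e-mails, Time before event, Time after event and Frame rate settings from the table above, modelled as an added example (not code from Milestone or from this manual). It assumes that a trigger arriving before the minimum interval has passed is dropped rather than queued, which the manual does not specify; the class, the function names and all timestamps are constructed for illustration.

```python
"""Added example (not Milestone code): e-mail volume for a notification profile.

Assumption: a trigger that arrives before the minimum interval has passed is
dropped, not queued. All timestamps below are constructed sample data.
"""
from bisect import bisect_right
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class NotificationProfile:
    time_between_emails_s: int = 0  # 0 = send on every trigger
    time_before_event_s: int = 2    # table default: AVI starts 2 s before trigger
    time_after_event_s: int = 4     # table default: AVI ends 4 s after trigger
    frame_rate_fps: int = 5         # table default

    def __post_init__(self):
        for field, value in vars(self).items():
            if value < 0:
                raise ValueError(f"{field} must not be negative")


def simulate(profile, triggers):
    """Split rule triggers into (sent, suppressed) e-mail notifications."""
    sent, suppressed = [], []
    gap = timedelta(seconds=profile.time_between_emails_s)
    for t in sorted(triggers):
        if not sent or t - sent[-1] >= gap:
            sent.append(t)
        else:
            suppressed.append(t)
    return sent, suppressed


def avi_clip(profile, trigger):
    """Return (start, end, frame_count) of the AVI clip for one trigger."""
    start = trigger - timedelta(seconds=profile.time_before_event_s)
    end = trigger + timedelta(seconds=profile.time_after_event_s)
    seconds = profile.time_before_event_s + profile.time_after_event_s
    return start, end, seconds * profile.frame_rate_fps


def worst_unmailed_delay(sent, suppressed):
    """Longest time between an e-mail and a later trigger that was not mailed."""
    worst = timedelta(0)
    for t in suppressed:
        last_mail = sent[bisect_right(sent, t) - 1]  # most recent mail at or before t
        worst = max(worst, t - last_mail)
    return worst


def compare_intervals(triggers, intervals_s):
    """Map each interval to (mails sent, triggers suppressed, worst delay in s)."""
    report = {}
    for seconds in intervals_s:
        profile = NotificationProfile(time_between_emails_s=seconds)
        sent, suppressed = simulate(profile, triggers)
        delay = int(worst_unmailed_delay(sent, suppressed).total_seconds())
        report[seconds] = (len(sent), len(suppressed), delay)
    return report


# Constructed sample: a rule that fires every 10 s for 5 minutes, then once
# more 20 minutes after the first trigger.
BASE = datetime(2023, 1, 1, 2, 0, 0)
SAMPLE_TRIGGERS = [BASE + timedelta(seconds=10 * i) for i in range(31)]
SAMPLE_TRIGGERS.append(BASE + timedelta(seconds=1200))

if __name__ == "__main__":
    for seconds, row in compare_intervals(SAMPLE_TRIGGERS, [0, 120, 600]).items():
        print(f"interval {seconds:>3} s: sent={row[0]} suppressed={row[1]} "
              f"worst unmailed delay={row[2]} s")
    print("AVI clip for first trigger:", avi_clip(NotificationProfile(), BASE))
```

With the value 0 every trigger produces a mail; a longer interval cuts the volume but leaves activity that no recipient was mailed about, so pair a long interval with recording rules that capture the suppressed triggers.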

Events overview
When you add an event-based rule in the Manage Rule wizard, you can select between a number of different
event types. In order for you to get a good overview, events you can select are listed in groups according to
whether they are:

Hardware:

Some hardware can create events itself, for example to detect motion. You can use these as events, but
you must configure them on the hardware before you can use them in the system. You may only be able to use
the listed events on some hardware, as not all types of cameras can detect tampering or temperature changes.

Hardware - Configurable events:

Configurable events from hardware are automatically imported from device drivers. This means that they vary
from hardware to hardware and are not documented here. Configurable events are not triggered until you
have added them to the system and configured them on the Event tab for hardware. Some of the configurable
events also require that you configure the camera (hardware) itself.


Hardware - Predefined events:

Event Description

Communication Error (Hardware) Occurs when a connection to the hardware is lost.

Communication Started (Hardware) Occurs when communication with the hardware is successfully
established.

Communication Stopped (Hardware) Occurs when communication with the hardware is successfully
stopped.

Devices - Configurable events:

Configurable events from devices are automatically imported from device drivers. This means that they vary
from device to device and are not documented here. Configurable events are not triggered until you have
added them to the system and configured them on the Event tab on a device.

Devices - Predefined events:

Event Description

Bookmark Reference Requested Occurs when a bookmark is made in live mode in the clients. Also, a requirement
for using the Default record on bookmark rule.

Communication Error (Device) Occurs when a connection to a device is lost, or when an attempt is made to
communicate with a device, and the attempt is unsuccessful.

Communication Started (Device) Occurs when communication with a device is successfully established.

Communication Stopped (Device) Occurs when communication with a device is successfully stopped.


Event: Evidence Lock Changed
Description: Occurs when an evidence lock is changed for devices by a client user or via the MIP SDK.

Event: Evidence Locked
Description: Occurs when an evidence lock is created for devices by a client user or via the MIP SDK.

Event: Evidence Unlocked
Description: Occurs when an evidence lock is removed for devices by a client user or via the MIP SDK.

Event: Feed Overflow Started
Description: Feed overflow (media overflow) occurs when a recording server cannot process received data as quickly as specified in the configuration and therefore is forced to discard some recordings.

If the server is healthy, feed overflow usually happens because of slow disk writes. You can resolve this either by reducing the amount of data written, or by improving the storage system's performance. Reduce the amount of written data by reducing frame rates, resolution or image quality on your cameras, but this may degrade recording quality. If you are not interested in that, instead improve your storage system's performance by installing extra drives to share the load or by installing faster disks or controllers.

You can use this event to trigger actions that help you avoid the problem, for example, to lower the recording frame rate.

Event: Feed Overflow Stopped
Description: Occurs when feed overflow (see Feed Overflow Started on page 465) ends.

Event: Live Client Feed Requested
Description: Occurs when client users request a live stream from a device.

The event occurs upon the request even if the client user's request later turns out to be unsuccessful, for example because the client user does not have the permissions required for viewing the requested live feed or because the feed is for some reason stopped.

Event: Live Client Feed Terminated
Description: Occurs when client users no longer request a live stream from a device.

Event: Manual Recording Started
Description: Occurs when a client user starts a recording session for a camera. The event is triggered even if the device is already recording via rule actions.


Event: Manual Recording Stopped
Description: Occurs when a client user stops a recording session for a camera.

If the rule system also has started a recording session it continues recording even after the manual recording is stopped.

Event: Marked Data Reference Requested
Description: Occurs when an evidence lock is made in playback mode in the clients or via the MIP SDK. An event is created that you can use in your rules.

Event: Motion Started
Description: Occurs when the system detects motion in video received from cameras.

This type of event requires that the system's motion detection is enabled for the cameras to which the event is linked.

In addition to the system's motion detection, some cameras can detect motion themselves and trigger the Motion Started (HW) event, but it depends on the configuration of the camera hardware and in the system. See also Hardware - Configurable events: on page 463.

Event: Motion Stopped
Description: Occurs when motion is no longer detected in received video. See also Motion Started on page 466.

This type of event requires that the system's motion detection is enabled for the cameras to which the event is linked.

In addition to the system's motion detection, some cameras can detect motion themselves and trigger the Motion Stopped (HW) event, but it depends on the configuration of the camera hardware and in the system. See also Hardware - Configurable events: on page 463.

Event: Output Activated
Description: Occurs when an external output port on a device is activated.

This type of event requires that at least one device on your system supports output ports.

Event: Output Changed
Description: Occurs when the state of an external output port on a device is changed.

This type of event requires that at least one device on your system supports output ports.

Event: Output Deactivated
Description: Occurs when an external output port on a device is deactivated.

This type of event requires that at least one device on your system supports output ports.

Event: PTZ Manual Session Started
Description: Occurs when a manually operated PTZ session (as opposed to a PTZ session based on scheduled patrolling or automatically triggered by an event) is started on a camera.

This type of event requires that the cameras to which the event is linked are PTZ cameras.

Event: PTZ Manual Session Stopped
Description: Occurs when a manually operated PTZ session (as opposed to a PTZ session based on scheduled patrolling or automatically triggered by an event) is stopped on a camera.

This type of event requires that the cameras to which the event is linked are PTZ cameras.

Event: Recording Started
Description: Occurs whenever recording is started. There is a separate event for manual recording started.

Event: Recording Stopped
Description: Occurs whenever recording is stopped. There is a separate event for manual recording stopped.

Event: Settings Changed
Description: Occurs when settings on a device are successfully changed.

Event: Settings Changed Error
Description: Occurs when an attempt is made to change settings on a device, and the attempt is unsuccessful.

External events - Predefined events:

Event: Request Play Audio Message
Description: Activated when play audio messages are requested via the MIP SDK.

Through the MIP SDK a third-party vendor can develop custom plug-ins (for example, integration to external access control systems or similar) for your system.

Event: Request Start Recording
Description: Activated when start recordings are requested via the MIP SDK.

Through the MIP SDK a third-party vendor can develop custom plug-ins (for example, integration to external access control systems or similar) for your system.

Event: Request Stop Recording
Description: Activated when stop recordings are requested via the MIP SDK.

Through the MIP SDK a third-party vendor can develop custom plug-ins (for example, integration to external access control systems or similar) for your system.

External events - Generic events:

Generic events allow you to trigger actions in the system by sending simple strings via the IP network to the
system. The purpose of generic events is to allow as many external sources as possible to interact with the
system.

External events - User-defined events:

A number of events custom made to suit your system may also be selectable. You can use such user-defined
events for:

- Making it possible for client users to manually trigger events while viewing live video in the clients

- Countless other purposes. For example, you may create user-defined events which occur if a particular
type of data is received from a device

See also User-defined events (explained) on page 77.

Recording servers:

Event: Archive Available
Description: Occurs when an archive for a recording server becomes available after having been unavailable. See also Archive Unavailable on page 468.

Event: Archive Unavailable
Description: Occurs when an archive for a recording server becomes unavailable, for example if the connection to an archive located on a network drive is lost. In such cases, you cannot archive recordings.

You can use the event to, for example, trigger an alarm or a notification profile so that an email notification is automatically sent to relevant people in your organization.

Event: Archive Not Finished
Description: Occurs when an archive for a recording server is not finished with the last archiving round when the next is scheduled to start.

Event: Database Deleting Recordings Before Set Retention Size
Description: Occurs when the retention time limit is reached before the database size limit.

Event: Database Deleting Recordings Before Set Retention Time
Description: Occurs when database size limit is reached before the retention time limit.

Event: Database Disk Full - Auto Archiving
Description: Occurs when a database disk is full. A database disk is full when less than 5GB of space is left on the disk. The oldest data in a database is always auto-archived (or deleted if no next archive is defined) when less than 5GB of space is free.

Event: Database Disk Full - Deleting
Description: Occurs when a database disk is full and less than 1GB space is free. Data is deleted even if a next archive is defined. A database always requires 250MB of free space. If this limit is reached (if data is not deleted fast enough), no more data is written to the database until enough space has been freed. The actual maximum size of your database is the number of gigabytes you specify, minus 5GB.

Event: Database Full - Auto Archiving
Description: Occurs when an archive for a recording server is full and needs to auto-archive to an archive in the storage.

Event: Database Repair
Description: Occurs if a database becomes corrupted, in which case the system automatically attempts two different database repair methods: a fast repair and a thorough repair.

Event: Database Storage Available
Description: Occurs when a storage for a recording server becomes available after having been unavailable. See also Database Storage Unavailable on page 470.

You can, for example, use the event to start recording if it has been stopped by a Database Storage Unavailable event.


Event: Database Storage Unavailable
Description: Occurs when a storage for a recording server becomes unavailable, for example if the connection to a storage located on a network drive is lost. In such cases, you cannot archive recordings.

You can use the event to, for example, stop recording, trigger an alarm or a notification profile so an e-mail notification is automatically sent to relevant people in your organization.

Event: Failover encrypted communication error
Description: Occurs when there is an SSL communication error between the failover server and monitored recording servers.

Event: Failover Started
Description: Occurs when a failover recording server takes over from a recording server. See also Failover servers (node).

Event: Failover Stopped
Description: Occurs when a recording server becomes available again and can take over from a failover recording server.

System monitor events

System monitor events are triggered when the threshold values configured in the System Monitor
Thresholds node are exceeded. See also View the current state of your hardware and troubleshoot if needed on page 279.

This functionality requires that the Data Collector service is running.

System Monitor - Server:

Event: CPU usage critical
Description: Occurs when the CPU usage exceeds the critical CPU threshold.

Event: CPU usage normal
Description: Occurs when the CPU usage falls back below the warning CPU threshold.

Event: CPU usage warning
Description: Occurs when the CPU usage exceeds the warning CPU threshold or falls back below the critical CPU threshold.


Event: Memory usage critical
Description: Occurs when the memory usage exceeds the critical memory threshold.

Event: Memory usage normal
Description: Occurs when the memory usage falls back below the warning memory threshold.

Event: Memory usage warning
Description: Occurs when the memory usage exceeds the warning memory threshold or falls back below the critical memory usage threshold.

Event: NVIDIA decoding critical
Description: Occurs when the NVIDIA decoding usage exceeds the critical NVIDIA decoding threshold.

Event: NVIDIA decoding normal
Description: Occurs when the NVIDIA decoding usage falls back below the warning NVIDIA decoding threshold.

Event: NVIDIA decoding warning
Description: Occurs when the NVIDIA decoding usage exceeds the warning NVIDIA decoding threshold or falls back below the critical NVIDIA decoding threshold.

Event: NVIDIA memory critical
Description: Occurs when the NVIDIA memory usage exceeds the critical NVIDIA memory threshold.

Event: NVIDIA memory normal
Description: Occurs when the NVIDIA memory usage falls back below the warning NVIDIA memory threshold.

Event: NVIDIA memory warning
Description: Occurs when the NVIDIA memory usage exceeds the warning NVIDIA memory threshold or falls back below the critical NVIDIA memory threshold.

Event: NVIDIA rendering critical
Description: Occurs when the NVIDIA rendering usage exceeds the critical NVIDIA rendering threshold.

Event: NVIDIA rendering normal
Description: Occurs when the NVIDIA rendering usage falls back below the warning NVIDIA rendering threshold.

Event: NVIDIA rendering warning
Description: Occurs when the NVIDIA rendering usage exceeds the warning NVIDIA rendering threshold or falls back below the critical NVIDIA rendering threshold.

Event: Service available critical
Description: Occurs when a server service stops running.

There are no threshold values for this event.


Event: Service available normal
Description: Occurs when a server service status changes to running.

There are no threshold values for this event.

System Monitor - Camera:

Event: Live FPS critical
Description: Occurs when the live FPS rate falls below the critical live FPS threshold.

Event: Live FPS normal
Description: Occurs when the live FPS rate exceeds the warning live FPS threshold.

Event: Live FPS warning
Description: Occurs when the live FPS rate falls below the warning live FPS threshold or exceeds the critical live FPS threshold.

Event: Recording FPS critical
Description: Occurs when the recording FPS rate falls below the critical recording FPS threshold.

Event: Recording FPS normal
Description: Occurs when the recording FPS rate exceeds the warning recording FPS threshold.

Event: Recording FPS warning
Description: Occurs when the recording FPS rate falls below the warning recording FPS threshold or exceeds the critical recording FPS threshold.

Event: Used space critical
Description: Occurs when the storage used for recordings by a specific camera exceeds the critical used space threshold.

Event: Used space normal
Description: Occurs when the storage used for recordings by a specific camera falls back below the warning used space threshold.

Event: Used space warning
Description: Occurs when the storage used for recordings by a specific camera exceeds the warning used space threshold or falls back below the critical used space threshold.
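
The Server and Camera threshold events listed above behave like a three-state machine per monitored value. The following Python model is an added example, not Milestone code: it replays readings and lists which event would fire and in which direction. The class name, the threshold numbers, the sample readings, and the treatment of a reading exactly equal to a threshold are assumptions.

```python
from dataclasses import dataclass

# Constructed sample thresholds and readings are used below; they are not product defaults.


@dataclass
class ThresholdMonitor:
    """Three-state model (normal / warning / critical) of one monitored value."""
    name: str                     # event name prefix, e.g. "CPU usage" or "Live FPS"
    warning: float
    critical: float
    higher_is_worse: bool = True  # False for FPS, where a falling rate is the problem
    state: str = "normal"

    def classify(self, value: float) -> str:
        # Assumption: a reading exactly equal to a threshold has not crossed it.
        if self.higher_is_worse:
            if value > self.critical:
                return "critical"
            return "warning" if value > self.warning else "normal"
        if value < self.critical:
            return "critical"
        return "warning" if value < self.warning else "normal"

    def feed(self, value: float):
        """Return (event_name, previous_state) on a state change, else None."""
        new_state = self.classify(value)
        if new_state == self.state:
            return None
        previous, self.state = self.state, new_state
        return (f"{self.name} {new_state}", previous)


def replay(monitor, readings):
    """Feed readings in order and return [(index, event_name, direction)]."""
    rank = {"normal": 0, "warning": 1, "critical": 2}
    fired = []
    for index, value in enumerate(readings):
        result = monitor.feed(value)
        if result is None:
            continue  # state unchanged, so no event is raised
        event, previous = result
        direction = "escalating" if rank[monitor.state] > rank[previous] else "recovering"
        fired.append((index, event, direction))
    return fired


def cpu_demo():
    # Usage-style metric: events fire when the value exceeds a threshold.
    monitor = ThresholdMonitor("CPU usage", warning=70, critical=90)
    return replay(monitor, [35, 72, 91, 95, 85, 60, 40])


def fps_demo():
    # FPS-style metric: events fire when the value falls below a threshold.
    monitor = ThresholdMonitor("Live FPS", warning=20, critical=10, higher_is_worse=False)
    return replay(monitor, [25, 18, 8, 12, 22])


if __name__ == "__main__":
    for row in cpu_demo() + fps_demo():
        print(row)
```

The same event name, for example CPU usage warning, fires once while escalating and once while recovering, so a rule keyed only on the warning event cannot tell the two cases apart.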


System Monitor - Disk:

Event: Free space critical
Description: Occurs when the disk space usage exceeds the critical free space threshold.

Event: Free space normal
Description: Occurs when the disk space usage falls below the warning free space threshold.

Event: Free space warning
Description: Occurs when the disk space usage exceeds the warning free space threshold or falls back below the critical free space threshold.

System Monitor - Storage:

Event: Retention time critical
Description: Occurs when the system predicts that the storage will be filled up faster than the critical retention time threshold value. For example, when data from video streams is filling up the storage faster than expected.

Event: Retention time normal
Description: Occurs when the system predicts that the storage will be filled up slower than the warning retention time threshold value. For example, when data from video streams is filling up the storage at the expected rate.

Event: Retention time warning
Description: Occurs when the system predicts that the storage will be filled up faster than the warning retention time threshold value or slower than the critical retention time threshold value. For example, when data from video streams is filling up the storage faster than expected due to more motion detected by the cameras configured to record on motion.


Other:

Event: Automatic license activation failed
Description: Occurs when online automatic license activation fails.

There are no threshold values for this event.

Event: Scheduled password change started
Description: Occurs when a scheduled password change starts.

Event: Scheduled password change completed
Description: Occurs when a scheduled password change completes successfully without errors.

Event: Scheduled password change completed with errors
Description: Occurs when a scheduled password change completes with errors.

Events from add-on products and integrations:

Events from add-on products and integrations can be used in the rule system, for example:

- Analytics events can also be used in the rule system

Actions and stop actions


A set of actions and stop actions is available for rule creation in the Manage Rule wizard. You may have more
actions available if your system installation uses add-on products or vendor-specific plug-ins. For each type of
action, stop action information is listed if relevant.

Manage Rule Wizard

Action: Start recording on <devices>
Description: Start recording and saving data in the database from the selected devices.

When you select this type of action, the Manage Rule wizard prompts you to specify:

When recording should start. This happens either immediately or a number of seconds before the triggering event/beginning of the triggering time interval and on which devices the action should take place.

This type of action requires that you have enabled recording on the devices to which the action is linked. You can only save data from before an event or time interval if you have enabled pre-buffering for the relevant devices. You enable recording and specify pre-buffering settings for a device on the Record tab.

Stop action required: This type of action requires one or more stop actions. In one of the following steps, the wizard automatically prompts you to specify the stop action: Stop recording.

Without this stop action, recording would potentially continue indefinitely. You also have the option of specifying further stop actions.

Action: Start feed on <devices>
Description: Begin data feed from devices to the system. When the feed from a device is started, data is transferred from the device to the system, in which case you may view and record, depending on the data type.

When you select this type of action, the Manage Rule wizard prompts you to specify on which devices to start the feeds. Your system includes a default rule which ensures that feeds are always started on all cameras.

Stop action required: This type of action requires one or more stop actions. In one of the following steps, the wizard automatically prompts you to specify the stop action: Stop feed.

You can also specify further stop actions.

Using the mandatory stop action Stop feed to stop the feed from a device means that data is no longer transferred from the device to the system, in which case live viewing and recording of video, for example, is no longer possible. However, a device on which you have stopped the feed can still communicate with the recording server, and you can start the feed again automatically through a rule, as opposed to when you manually have disabled the device.

While this type of action enables access to selected devices' data feeds, it does not guarantee that data is recorded, as you must specify recording settings separately.

Action: Set <Smart Wall> to <preset>
Description: Sets the XProtect Smart Wall to a selected preset. Specify the preset on the Smart Wall Presets tab.

No mandatory stop action: This type of action does not require a stop action. You can specify optional stop actions to be performed on either an event or after a period of time.

Action: Set <Smart Wall> <monitor> to show <cameras>
Description: Sets a specific XProtect Smart Wall monitor to display live video from the selected cameras on this site or any child site configured in Milestone Federated Architecture.

No mandatory stop action: This type of action does not require a stop action. You can specify optional stop actions to be performed on either an event or after a period of time.

Action: Set <Smart Wall> <monitor> to show text <messages>
Description: Sets a specific XProtect Smart Wall monitor to display a user-defined text message of up to 200 characters.

No mandatory stop action: This type of action does not require a stop action. You can specify optional stop actions to be performed on either an event or after a period of time.

Action: Remove <cameras> from <Smart Wall> monitor <monitor>
Description: Stop displaying video from a specific camera.

No mandatory stop action: This type of action does not require a stop action. You can specify optional stop actions to be performed on either an event or after a period of time.

Action: Set live frame rate on <devices>
Description: Sets a particular frame rate to use when the system displays live video from the selected cameras, instead of the cameras' default frame rate. Specify this on the Settings tab.

When you select this type of action, the Manage Rule wizard prompts you to specify which frame rate to set, and on which devices. Always verify that the frame rate you specify is available on the relevant cameras.

Stop action required: This type of action requires one or more stop actions. In one of the following steps, the wizard automatically prompts you to specify the stop action: Restore default live frame rate.

Without this stop action, the default frame rate would potentially never be restored. You also have the option of specifying further stop actions.

Action: Set recording frame rate on <devices>
Description: Sets a particular frame rate to use when the system saves recorded video from the selected cameras in the database, instead of the cameras' default recording frame rate.

When you select this type of action, the Manage Rule wizard prompts you to specify which recording frame rate to set, and on which cameras.

You can only specify a recording frame rate for JPEG, a video codec with which each frame is separately compressed into a JPEG image. This type of action also requires that you have enabled recording on the cameras to which the action is linked. You enable recording for a camera on the Record tab. The maximum frame rate you can specify depends on the relevant camera types, and on their selected image resolution.

Stop action required: This type of action requires one or more stop actions. In one of the following steps, the wizard automatically prompts you to specify the stop action: Restore default recording frame rate.

Without this stop action, the default recording frame rate would potentially never be restored. You also have the option of specifying further stop actions.

Action: Set recording frame rate to all frames for MPEG-4/H.264/H.265 on <devices>
Description: Sets the frame rate to record all frames when the system saves recorded video from the selected cameras in the database, instead of keyframes only. Enable the recording keyframes only function on the Record tab.

When you select this type of action, the Manage Rule wizard prompts you to select which devices the action should apply for.

You can only enable keyframe recording for MPEG-4/H.264/H.265. This type of action also requires that you have enabled recording on the cameras to which the action is linked. You enable recording for a camera on the Record tab.

Stop action required: This type of action requires one or more stop actions. In one of the following steps, the wizard automatically prompts you to specify the stop action: Restore default recording frame rate of keyframes for MPEG-4/H.264/H.265

Without this stop action, the default setting would potentially never be restored. You also have the option of specifying further stop actions.

Action: Start patrolling on <device> using <profile> with PTZ priority <priority>
Description: Begins PTZ patrolling according to a particular patrolling profile for a particular PTZ camera with a particular priority. This is an exact definition of how patrolling should be carried out, including the sequence of preset positions, timing settings, and more.

If you have upgraded your system from an older version of the system, the old values (Very Low, Low, Medium, High and Very High) have been translated as follows:

- Very Low = 1000

- Low = 2000

- Medium = 3000

- High = 4000

- Very High = 5000

When you select this type of action, the Manage Rule wizard prompts you to select a patrolling profile. You can only select one patrolling profile on one device and you cannot select several patrolling profiles.

This type of action requires that the devices to which the action is linked are PTZ devices.

You must define at least one patrolling profile for the device(s). You define patrolling profiles for a PTZ camera on the Patrolling tab.

Stop action required: This type of action requires one or more stop actions. In one of the following steps, the wizard automatically prompts you to specify the stop action: Stop patrolling

Without this stop action, patrolling would potentially never stop. You can also specify further stop actions.

Action: Pause patrolling on <devices>
Description: Pauses PTZ patrolling. When you select this type of action, the Manage Rule wizard prompts you to specify the devices on which to pause patrolling.

This type of action requires that the devices to which the action is linked are PTZ devices.

You must define at least one patrolling profile for the device(s). You define patrolling profiles for a PTZ camera on the Patrolling tab.

Stop action required: This type of action requires one or more stop actions. In one of the following steps, the wizard automatically prompts you to specify the stop action: Resume patrolling

Without this stop action, patrolling would potentially pause indefinitely. You also have the option of specifying further stop actions.

Action: Move <device> to <preset> position with PTZ priority <priority>
Description: Moves a particular camera to a particular preset position, however always according to priority. When selecting this type of action, the Manage Rule wizard prompts you to select a preset position. Only one preset position on one camera can be selected. It is not possible to select several preset positions.

This type of action requires that the devices to which the action is linked are PTZ devices.

This action requires that you have defined at least one preset position for those devices. You define preset positions for a PTZ camera on the Presets tab.

No mandatory stop action: This type of action does not require a stop action. You can specify optional stop actions to be performed on either an event or after a period of time.

Action: Move to default preset on <devices> with PTZ priority <priority>
Description: Moves one or more particular cameras to their respective default preset positions, however always according to priority. When you select this type of action, the Manage Rule wizard prompts you to select which devices the action should apply for.

This type of action requires that the devices to which the action is linked are PTZ devices.

This action requires that you have defined at least one preset position for those devices. You define preset positions for a PTZ camera on the Presets tab.

No mandatory stop action: This type of action does not require a stop action. You can specify optional stop actions to be performed on either an event or after a period of time.

Action: Set device output to <state>
Description: Sets an output on a device to a particular state (activated or deactivated). When you select this type of action, the Manage Rule wizard prompts you to specify which state to set, and on which devices.

This type of action requires that the devices to which the action is linked each have at least one external output unit connected to an output port.

No mandatory stop action: This type of action does not require a stop action. You can specify optional stop actions to be performed on either an event or after a period of time.

Action: Create bookmark on <device>
Description: Creates a bookmark on live streaming or recordings from a selected device. A bookmark makes it easy to retrace a certain event or period in time. Bookmark settings are controlled from the Options dialog box. When you select this type of action, the Manage Rule wizard prompts you to specify bookmark details and select devices.

No mandatory stop action: This type of action does not require a stop action. You can specify optional stop actions to be performed on either an event or after a period of time.

Action: Play audio <message> on <devices> with <priority>
Description: Plays back an audio message on selected devices triggered by an event. Devices are mostly speakers or cameras.

This type of action requires that you have uploaded the message to the system on Tools > Options > Audio messages tab.

You can create more rules for the same event and send different messages to each device, but always according to priority. The priorities that control the sequence are those set on the rule and on the device for a role on the Speech tab:

- If a message is played back and another message with the same priority is sent to the same speaker, the first message will complete and then the second one starts

- If a message is played back and another message with a higher priority is sent to the same speaker, the first message is interrupted and the second one starts immediately

Action: Send notification to <profile>
Description: Sends a notification, using a particular notification profile. When you select this type of action, the Manage Rule wizard prompts you to select a notification profile, and which devices to include pre-alarm images from. You can only select one notification profile and you cannot select several notification profiles. A single notification profile may contain several recipients.

You can also create more rules for the same event and send different notifications to each of the notification profiles. You can copy and re-use the content of rules by right-clicking a rule in the Rules list.

This type of action requires that you have defined at least one notification profile. Pre-alarm images are only included if you have enabled the Include images option for the relevant notification profile.

No mandatory stop action: This type of action does not require a stop action. You can specify optional stop actions to be performed on either an event or after a period of time.

Action: Make new <log entry>
Description: Generates an entry in the rule log. When selecting this type of action, the Manage Rule wizard prompts you to specify a text for the log entry. When you specify the log text, you can insert variables, such as $DeviceName$, $EventName$, into the log message.

No mandatory stop action: This type of action does not require a stop action. You can specify optional stop actions to be performed on either an event or after a period of time.

Action: Start plug-in on <devices>
Description: Starts one or more plug-ins. When you select this type of action, the Manage Rule wizard prompts you to select required plug-ins, and on which devices to start the plug-ins.

This type of action requires that you have one or more plug-ins installed on your system.

No mandatory stop action: This type of action does not require a stop action. You can specify optional stop actions to be performed on either an event or after a period of time.

Action: Stop plug-in on <devices>
Description: Stops one or more plug-ins. When you select this type of action, the Manage Rule wizard prompts you to select required plug-ins, and on which devices to stop the plug-ins.

This type of action requires that you have one or more plug-ins installed on your system.

No mandatory stop action: This type of action does not require a stop action. You can specify optional stop actions to be performed on either an event or after a period of time.

Action: Apply new settings on <devices>
Description: Changes device settings on one or more devices. When you select this type of action, the Manage Rule wizard prompts you to select relevant devices, and you can define the relevant settings on the devices you have specified.

If you define settings for more than one device, you can only change settings that are available for all of the specified devices.

Example: You specify that the action should be linked to Device 1 and Device 2. Device 1 has the settings A, B and C, and Device 2 has the settings B, C and D. In this case, you can only change the settings that are available for both devices, namely settings B and C.

No mandatory stop action: This type of action does not require a stop action. You can specify optional stop actions to be performed on either an event or after a period of time.

Makes video from the selected cameras appear on a computer capable of displaying
Matrix-triggered video such as a computer on which you have installed XProtect
Set Matrix to Smart Client.
view <devices> When you select this type of action, the Manage Rule wizard prompts you to select a
Matrix recipient, and one or more devices from which to display video on the
selected Matrix recipient.


This type of action allows you to select only a single Matrix recipient at a time. If you
want to make video from the selected devices appear on more than one Matrix
recipient, you should create a rule for each required Matrix recipient or use the
XProtect Smart Wall feature. By right-clicking a rule in the Rules list, you can copy
and re-use the content of rules. This way, you can avoid having to create
near-identical rules from scratch.

As part of the configuration on the Matrix recipients
themselves, users must specify the port number and
password required for the Matrix communication. Make sure
that the users have access to this information. The users must
typically also define the IP addresses of allowed hosts from
which commands regarding display of Matrix-triggered video
are accepted. In that case, the users must also know the IP
address of the management server, or any router or firewall
used.

Send SNMP trap

Generates a small message which logs events on selected devices. The text of SNMP
traps is auto-generated and cannot be customized. It can contain the source type
and name of the device on which the event occurred.

No mandatory stop action: This type of action does not require a stop action. You
can specify optional stop actions to be performed on either an event or after a
period of time.

Retrieve and store remote recordings from <devices>

Retrieves and stores remote recordings from selected devices (that support edge
recording) in a specified period before and after the triggering event.

This rule is independent of the Automatically retrieve remote recordings when
connection is restored setting.

No mandatory stop action: This type of action does not require a stop action. You
can specify optional stop actions to be performed on either an event or after a
period of time.

Retrieve and store remote recordings between <start and end time> from <devices>

Retrieves and stores remote recordings in a specified period from selected devices
(that support edge recording).

This rule is independent of the Automatically retrieve remote recordings when
connection is restored setting.

No mandatory stop action: This type of action does not require a stop action. You
can specify optional stop actions to be performed on either an event or after a
period of time.

Save attached image

Ensures that when an image is received from the Images Received event (sent via
SMTP email from a camera), it is saved for future usage. In the future, other events can
possibly also trigger this action.

No mandatory stop action: This type of action does not require a stop action. You
can specify optional stop actions to be performed on either an event or after a
period of time.

Activate archiving on <archives>

Starts archiving on one or more archives. When you select this type of action, the
Manage Rule wizard prompts you to select relevant archives.

No mandatory stop action: This type of action does not require a stop action. You
can specify optional stop actions to be performed on either an event or after a
period of time.

On <site> trigger <user-defined event>

Relevant mostly within Milestone Federated Architecture, but you can also use this in
a single site setup. Use the rule to trigger a user-defined event on a site, normally a
remote site within a federated hierarchy.

No mandatory stop action: This type of action does not require a stop action. You
can specify optional stop actions to be performed on either an event or after a
period of time.

Show <access request notification>

Lets access request notifications pop up on the XProtect Smart Client screen
when the criteria for the triggering events are met. Milestone recommends that you
use access control events as triggering events for this action, because access request
notifications typically are configured for operating on related access control
commands and cameras.

This type of action requires that you have at least one access control plug-in installed
on your system.

No mandatory stop action: This type of action does not require a stop action. You
can specify optional stop actions to be performed on either an event or after a
period of time.

Set <camera> to <rule-based DLNA channel>

Cameras are assigned to the rule-based DLNA channel based on events. This type of
action requires that you have a DLNA server installed on your system.

No mandatory stop action: This type of action does not require a stop action. You
can specify optional stop actions to be performed on either an event or after a
period of time.

Remove <camera> from <rule-based DLNA channel>

Cameras are removed from the rule-based DLNA channel based on events. This type
of action requires that you have a DLNA server installed on your system.

No mandatory stop action: This type of action does not require a stop action. You
can specify optional stop actions to be performed on either an event or after a
period of time.

Remove current camera from <rule-based DLNA channel>

The camera with the active stream is removed from the rule-based DLNA channel
based on events. This type of action requires that you have a DLNA server installed
on your system.

No mandatory stop action: This type of action does not require a stop action. You
can specify optional stop actions to be performed on either an event or after a
period of time.

Change the password on hardware devices

Changes the password of selected hardware devices to a randomly-generated
password based on the password requirements for that specific hardware device.
For a list of supported hardware devices, see Find hardware.

This action is only available when you set up a rule using the
Perform an action on a <recurring time> rule type.

The following events are available for the action:

• Scheduled password change started on page 474
• Scheduled password change completed successfully on page 474
• Scheduled password change completed with errors on page 474

This type of action does not have a stop action.

You can view the progress of this action in the Current Tasks node. For more
information, see View currently ongoing tasks on recording servers on page 277.

To view the action results, go to the Server Logs node, on the System logs tab. For
more information, see Server Logs tab (options) on page 369.

For more information, see System logs (tab).


Test Analytics Event (properties)


When you test the requirements of an analytics event, a window appears that checks four conditions and
provides possible error descriptions and solutions.

Condition Description Error messages and solutions

Condition: Changes saved
Description: If the event is new, is it saved? Or if there are changes to the
event name, are these changes saved?
Error messages and solutions: Save changes before testing analytics event.
Solution/Explanation: Save changes.

Condition: Analytics Events enabled
Description: Is the Analytics Event feature enabled?
Error messages and solutions: Analytics events have not been enabled.
Solution/Explanation: Enable the Analytics Events feature. To do this, click
Tools > Options > Analytics Events and select the Enabled check box.

Condition: Address allowed
Description: Is the IP address/host name of the machine sending the event(s)
allowed (listed on the analytics events address list)?
Error messages and solutions:
The local host name must be added as allowed address for the Analytics Event service.
Solution/Explanation: Add your machine to the analytics events address list of
allowed IP addresses or host names.
Error resolving the local host name.
Solution/Explanation: The IP address or host name of the machine cannot be found
or is invalid.

Condition: Send analytics event
Description: Did sending a test event to the Event Server succeed?
Error messages and solutions: See table below.

Each step is marked as either failed or successful.

Error messages and solutions for the condition Send analytics event:

Error message Solution

Event server not found

Unable to find the event server on the list of registered services.

Error connecting to event server

Unable to connect to the event server on the stated port. The error occurs most
likely because of network problems, or the Event Server service has stopped.

Error sending analytics event

The connection to the event server is established, but the event cannot be sent.
The error most likely occurs because of network problems, for example a time
out.

Error receiving response from event server

The event has been sent to the event server, but no reply received. The error
most likely occurs because of network problems or a port that is busy.

See the event server log, typically located at ProgramData\Milestone\XProtect
Event Server\Logs\.

Analytics event unknown by event server

The Event Server service does not know the event. The error most likely occurs
because the event or changes to the event have not been saved.

Invalid analytics event received by event server

The event format is incorrect.

Sender unauthorized by event server

Most likely your machine is not on the list of allowed IP addresses or host
names.

Internal error in event server

Event server error.

See the event server log, typically located at ProgramData\Milestone\XProtect
Event Server\Logs\.

Invalid response received from Event server

The response is invalid. Possibly the port is busy or there are network problems.
See the event server log, typically located at ProgramData\Milestone\XProtect
Event Server\Logs\.

Unknown response from event server

The response is valid, but not understood. The error occurs possibly because of
network problems, or the port is busy.
See the event server log, typically located at ProgramData\Milestone\XProtect
Event Server\Logs\.

Unexpected error

Please contact Milestone support for help.


Generic Events and Data sources (properties)

This feature only works if you have the XProtect event server installed.

Generic event (properties)

Component Requirement

Name

Unique name for the generic event. Name must be unique among all types of events,
such as user defined events, analytics events, and so on.

Enabled

Generic events are by default enabled. Clear the check box to disable the event.

Expression

Expression that the system should look out for when analyzing data packages. You can
use the following operators:

• ( ): Used to ensure that related terms are processed together as a logical unit.
They can be used to force a certain processing order in the analysis

Example: The search criteria "(User001 OR Door053) AND Sunday" first processes the
two terms inside the parenthesis, then combines the result with the last part of the
string. So, the system first looks for any packages containing either of the terms
User001 or Door053, then takes the results and runs through them in order to see
which packages also contain the term Sunday.

• AND: With an AND operator, you specify that the terms on both sides of the
AND operator must be present

Example: The search criteria "User001 AND Door053 AND Sunday" returns a result
only if the terms User001, Door053 and Sunday are all included in your expression. It is
not enough for only one or two of the terms to be present. The more terms you
combine with AND, the fewer results you retrieve.

• OR: With an OR operator, you specify that either one or another term must be
present

Example: The search criteria "User001 OR Door053 OR Sunday" returns any results
containing either User001, Door053 or Sunday. The more terms you combine with OR,
the more results you retrieve.

Expression type

Indicates how particular the system should be when analyzing received data packages.
The options are the following:


• Search: In order for the event to occur, the received data package must contain
the text specified in the Expression field, but may also have more content

Example: If you have specified that the received package should contain the
terms User001 and Door053, the event is triggered if the received package
contains the terms User001 and Door053 and Sunday since your two required
terms are contained in the received package

• Match: In order for the event to occur, the received data package must contain
exactly the text specified in the Expression field, and nothing else

• Regular expression: In order for the event to occur, the text specified in the
Expression field must identify specific patterns in the received data packages

If you switch from Search or Match to Regular expression, the text in the Expression
field is automatically translated to a regular expression.

Priority

The priority must be specified as a number between 0 (highest priority) and 999999
(lowest priority).

The same data package may be analyzed for different events. The ability to assign a
priority to each event lets you manage which event should be triggered if a received
package matches the criteria for several events.

When the system receives a TCP and/or UDP package, analysis of the packet starts with
analysis for the event with the highest priority. This way, when a package matches the
criteria for several events, only the event with the highest priority is triggered. If a
package matches the criteria for several events with an identical priority, for example
two events with a priority of 999, all events with this priority are triggered.

Check if expression matches event string

An event string to be tested against the expression entered in the Expression field.
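The matching rules in the table above (operators, expression types and priority), modelled as an added Python example; it is not Milestone code. It assumes single-word, case-sensitive terms, that AND binds tighter than OR when no parentheses are given, and Python regular-expression syntax; all class and function names are hypothetical.

```python
import re
from dataclasses import dataclass

TOKEN = re.compile(r"\(|\)|[^\s()]+")


def parse(expression):
    """Parse terms joined by AND / OR (with parentheses) into a nested tuple tree."""
    tokens = TOKEN.findall(expression)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        token = peek()
        pos += 1
        return token

    def parse_or():
        node = parse_and()
        while peek() == "OR":
            take()
            node = ("OR", node, parse_and())
        return node

    def parse_and():  # assumption: AND binds tighter than OR
        node = parse_atom()
        while peek() == "AND":
            take()
            node = ("AND", node, parse_atom())
        return node

    def parse_atom():
        token = take()
        if token == "(":
            node = parse_or()  # parentheses force the inner terms to be grouped
            if take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if token in (None, ")", "AND", "OR"):
            raise ValueError(f"expected a term, got {token!r}")
        return ("TERM", token)

    tree = parse_or()
    if peek() is not None:
        raise ValueError(f"unexpected token {peek()!r}")
    return tree


def holds(tree, package):
    """Evaluate a parsed expression against one received data package."""
    if tree[0] == "TERM":
        return tree[1] in package  # assumption: case-sensitive substring test
    left, right = holds(tree[1], package), holds(tree[2], package)
    return (left and right) if tree[0] == "AND" else (left or right)


@dataclass
class GenericEvent:  # hypothetical model of one generic event definition
    name: str
    expression: str
    expression_type: str  # "search", "match" or "regex"
    priority: int         # 0 = highest priority, 999999 = lowest

    def __post_init__(self):
        if not 0 <= self.priority <= 999999:
            raise ValueError("priority must be between 0 and 999999")

    def matches(self, package):
        if self.expression_type == "search":  # package may hold more content
            return holds(parse(self.expression), package)
        if self.expression_type == "match":   # exactly the text, nothing else
            return package == self.expression
        if self.expression_type == "regex":   # assumption: Python re syntax
            return re.search(self.expression, package) is not None
        raise ValueError(f"unknown expression type {self.expression_type!r}")


def triggered(events, package):
    """Names of the events that fire: only the best priority among the matches."""
    hits = [e for e in events if e.matches(package)]
    if not hits:
        return []
    best = min(e.priority for e in hits)  # lowest number = highest priority
    return [e.name for e in hits if e.priority == best]


# Constructed sample definitions, not taken from a real system.
EVENTS = [
    GenericEvent("Known user at door", "User001 AND Door053", "search", 10),
    GenericEvent("Any user badge", r"User\d{3}", "regex", 500),
    GenericEvent("Door 53 activity", "Door053", "search", 999),
    GenericEvent("Sunday activity", "Sunday", "search", 999),
    GenericEvent("Heartbeat", "HEARTBEAT", "match", 0),
]

if __name__ == "__main__":
    for package in ("User001 Door053 Sunday", "Door053 Sunday", "HEARTBEAT"):
        print(repr(package), "->", triggered(EVENTS, package))
```

Running a planned set of definitions through a model like this before saving them shows which lower-priority events would be masked by a higher-priority match on the same package.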


Generic event data source (properties)

Component Requirement

Data source

You can choose between two default data sources and define a custom data source.
What to choose depends on your third party program and/or the hardware or software
you want to interface from:

Compatible: Factory default settings are enabled, echoes all bytes, TCP and UDP,
IPv4 only, port 1234, no separator, local host only, current code page encoding
(ANSI).

International: Factory default settings are enabled, echoes statistics only, TCP only,
IPv4+6, port 1235, <CR><LF> as separator, local host only, UTF-8 encoding.
(<CR><LF> = 13,10).

[Data source A]

[Data source B]

and so on.

New

Click to create a new data source.

Name

Name of the data source.

Enabled

Data sources are by default enabled. Clear the check box to disable the data source.

Reset

Click to reset all settings for the selected data source. The entered name in the Name
field remains.

Port

The port number of the data source.

Protocol type selector

Protocols which the system should listen for, and analyze, in order to detect generic
events:

Any: TCP as well as UDP.

TCP: TCP only.

UDP: UDP only.

TCP and UDP packages used for generic events may contain special characters, such
as @, #, +, ~, and more.


IP type selector

Selectable IP address types: IPv4, IPv6 or both.

Separator bytes

Select the separator bytes used to separate individual generic event records. Default
for data source type International (see Data source on page 490) is 13,10. (13,10 =
<CR><LF>).

Echo type selector

Available echo return formats:

• Echo statistics: Echoes the following format: [X],[Y],[Z],[Name of generic
event]

[X] = request number.

[Y] = number of characters.

[Z] = number of matches with a generic event.

[Name of generic event] = name entered in the Name field

• Echo all bytes: Echoes all bytes

• No echo: Suppresses all echoing

Encoding type selector

By default, the list only shows the most relevant options. Select the Show all check
box to display all available encoding options.

Show all

See previous bullet.

Allowed external IPv4 addresses

Specify the IP addresses that the management server must be able to communicate
with in order to manage external events. You can also use this to exclude IP
addresses that you do not want data from.

Allowed external IPv6 addresses

Specify the IP addresses that the management server must be able to communicate
with in order to manage external events. You can also use this to exclude IP
addresses that you do not want data from.

Ranges can be specified in each of the four positions, like 100,105,110-120. As an
example, all addresses on the 10.10 network can be allowed by 10.10.[0-254].[0-254] or
by 10.10.255.255.
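An added Python example (not Milestone code) that expands the range syntax described above, so that you can check which senders an allowed-address entry admits and how broad it is before you save it. It assumes one pattern per entry, optional square brackets around a position, and that a bare 255 in a position admits any value, as the 10.10.255.255 example suggests; all function names are hypothetical.

```python
import ipaddress


def parse_position(text):
    """Return the set of octet values that one position of a pattern admits."""
    text = text.strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    elif text == "255":
        # Assumption drawn from the 10.10.255.255 example: bare 255 = any value.
        return set(range(256))
    values = set()
    for part in text.split(","):
        low, _, high = part.partition("-")
        low = int(low)
        high = int(high) if high else low
        if not 0 <= low <= high <= 255:
            raise ValueError(f"invalid range {part!r}")
        values.update(range(low, high + 1))
    return values


def parse_pattern(pattern):
    """Split a pattern such as 10.10.[0-254].[0-254] into four sets of octets."""
    positions = pattern.split(".")
    if len(positions) != 4:
        raise ValueError(f"expected four positions in {pattern!r}")
    return [parse_position(p) for p in positions]


def is_allowed(address, patterns):
    """True if the IPv4 address is admitted by at least one pattern."""
    octets = ipaddress.IPv4Address(address).packed  # four integer octets
    return any(
        all(octet in allowed for octet, allowed in zip(octets, parse_pattern(p)))
        for p in patterns
    )


def breadth(pattern):
    """Number of distinct addresses a pattern admits."""
    count = 1
    for allowed in parse_pattern(pattern):
        count *= len(allowed)
    return count


def overly_broad(patterns, max_hosts=256):
    """Return (pattern, host_count) for entries admitting more than max_hosts."""
    return [(p, breadth(p)) for p in patterns if breadth(p) > max_hosts]


# Constructed sample entries using the syntax shown in the table above.
SAMPLE_ENTRIES = [
    "10.10.[0-254].[0-254]",
    "10.10.255.255",
    "192.168.1.100,105,110-120",
]

if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        print(entry, "admits", breadth(entry), "addresses")
    print("review:", overly_broad(SAMPLE_ENTRIES))
```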


Webhooks (Rules and Events node)


In the Webhooks node, you can create, edit and delete webhook endpoints.

The following fields are available when creating and editing webhooks:

Field Description

Name

Enter a unique name of the webhook endpoint.

The webhook name cannot be empty.

Address

The URL of the web server or application you want to send event data to. If the URL of
the web server is updated, you must update the webhook URL in the webhook node.

Using HTTP through unsecured networks (like the open internet) exposes all the events in
plain text.

Token

Enter a token which is used to help secure communication with other applications by
validating the source of the HTTP POST.

Using a token to help secure communication is optional but recommended.

API version

The version of the webhook plugin and API utilized for the webhook functionality.

Security node

Roles (Security node)

Info tab (roles)

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

On the Info tab of a role, you can set the following:


Name Description

Name

Enter a name for the role.

Description

Enter a description for the role.

Management Client profile

Select a Management Client profile to associate with the role.

You cannot apply this to the default Administrators role.

Requires permissions to manage security on the
management server.

Smart Client profile

Select a Smart Client profile to associate with the role.

Requires permissions to manage security on the
management server.

Default time profile

Select a default time profile to associate with the role.

You cannot apply this to the default Administrators role.

Evidence lock profile

Select an evidence lock profile to associate with the role.

Smart Client login within time profile

Select a time profile for which the XProtect Smart Client user associated with
this role is allowed to log in.

If the XProtect Smart Client user is logged in when the period expires, he or she
is logged off automatically.

You cannot apply this to the default Administrators role.

Allow Smart Client login

Select the check box to allow users associated with this role to log in to XProtect
Smart Client.

Access to Smart Client is not allowed by default. Clear the check box to deny
access to XProtect Smart Client.

Allow XProtect Mobile client login

Select the check box to allow users associated with this role to log in to XProtect
Mobile client.


Access to XProtect Mobile client is not allowed by default. Clear the check box to
deny access to XProtect Mobile client.

Allow XProtect Web Client login

Select the check box to allow users associated with this role to log in to XProtect
Web Client.

Access to XProtect Web Client is not allowed by default. Clear the check box to
deny access to XProtect Web Client.

Login authorization required

Select the check box to associate login authorization with the role. It means that
XProtect Smart Client or the Management Client asks for a second
authorization, typically by a superuser or manager, when the user logs in.

To enable administrators to authorize users, configure the management
server's Authorize Users permission on the Overall Security tab.

You cannot apply this to the default Administrators role.

Make users anonymous during PTZ sessions

Select the check box to hide the names of users associated with this role when
they control PTZ sessions.

User and Groups tab (roles)

On the User and Groups tab, you assign users and groups to roles (see Assign/remove users and groups
to/from roles on page 273). You can assign Windows users and groups or basic users (see Users (explained) on
page 61).

External IDP (roles)

On the External IDP tab, you can view existing claims and add new claims to roles.

Name Description

External IDP

The name of the external IDP.

Claim name

A variable that is defined in the external IDP.

Claim value

The value of the claim, such as a group name, that can be used to assign the appropriate
role to the user.

Overall Security tab (roles)

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

On the Overall Security tab, you set up overall permissions for roles. For every component available in your
system, define access permissions for the roles by setting Allow or Deny. When a role is denied access to a
component, that component is not visible in the Overall Security tab to a user in that role.

The Overall Security tab is not available in the free XProtect Essential+.

You can define more access permissions for XProtect Corporate than for the other XProtect VMS products. This
is because you can only set up differentiated administrator permissions in XProtect Corporate, while you can
set up overall permissions for a role that uses XProtect Smart Client, XProtect Web Client, or XProtect Mobile
client in all products.

The overall security settings only apply to the current site.

If you associate a user with more than one role and select Deny on a security setting for one role and Allow for
another, the Deny permission overrules the Allow permission.

In the following, the descriptions show what happens on each individual permission for the different system
components if you select Allow for the relevant role. If you use XProtect Corporate, you can see which settings
are available only to your system under each system component.

For every system component or functionality, the full system administrator can use the Allow or Deny check
boxes to set up security permissions for the role. Any security permissions that you set up here are set up for
the whole system component or functionality. If, for example, you select the Deny check box on Cameras, all
cameras added to the system are unavailable for the role. In contrast, if you select the Allow check box, the
role can see all cameras added to the system. The result of selecting Allow or Deny on your cameras is that the
camera settings on the Device tab then inherit your selections on the Overall Security tab so that all
cameras are either available or unavailable to the particular role.

If you want to set security permissions for individual cameras or similar, you can only set these individual
permissions on the tab of the relevant system component or functionality if you have not set any overall
permissions for the system component or functionality on the Overall Security tab.

The descriptions below also apply to the permissions that you can configure through the MIP SDKs.

If you want to switch your base license from XProtect Corporate to one of the other
products, make sure that you remove all security permissions that are available to only
XProtect Corporate. If you do not remove those permissions, you cannot complete the
switch.

Management Server

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

Security permission Description

Full control

Enables the permission to manage all security entries on this part of the system.

Connect

Enables users to connect to the Management Server.

This permission is enabled by default.

You can temporarily deny connection permission on roles for maintenance
purposes, and then reapply access to the system.

This permission must be selected to allow access to the
system.


Read

This permission is a highly privileged administrative
permission that gives significant access rights to the XProtect
VMS, including access to sensitive data such as credentials
configured in the system.

Enables the permission to access a wide range of functionality, including:

• Logging in with the Management Client
• List of current tasks
• Server logs

It also enables access to:

• Remote Connect Services
• Smart Client Profiles
• Management Client Profiles
• Matrix
• Time Profiles
• Registered Servers and Service Registration API

This permission also reveals some sensitive information to the client:

• Credentials for any configured external IDP
• Credentials, IP-addresses, and other information for all cameras in the
XProtect VMS
• Credentials for configured mail server
• Credentials for any configured matrix
• Credentials configured for the Interconnect feature
• Credentials configured for license activation

This permission does not reveal credentials for users of the XProtect VMS. This
includes Basic Users, Windows users and users from external IDPs.

Edit

Enables the permission to modify data in a wide range of functionality, including:


• Options
• License Management

It also enables users to create, delete, and edit the following:

• Remote Connect Services
• Device groups
• Matrix
• Time Profiles
• Notification Profiles
• Registered Servers

Enables the permission to configure local IP ranges when
configuring the network on the recording server.

System Monitor

Enables the permission to view the data of the System Monitor.

Status API

Enables the permission to perform queries on the Status API located on the
recording server. This means that the role with this permission enabled has access
to read the status of the items located on the recording server.

Manage Federated site hierarchy

Enables the permission to add and detach the current site to other sites in a
federated site hierarchy.

If you set this permission to allowed on the child site only, the
user can still detach the site from the parent site.

Backup Configuration

Enables the permission to create backups of the system configuration using the
system's backup and restore functionality.

Authorize users

Enables the permission to authorize users when they are asked for a second login in
XProtect Smart Client or Management Client. You define if a role requires login
authorization on the Info tab.


Manage security

Enables the permission to manage permissions for the Management Server.

It also enables users to create, delete, and edit the following features:

• Roles
• Basic users
• Smart Client Profiles
• Management Client Profiles

Recording Servers

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

Security permission Description

Full control

Enables the permission to manage all security entries on this part of the system.

Edit

Enables the permission to edit properties on the recording servers, except for network
configuration settings that require edit permission on the management server.

Delete

Enables the permission to delete recording servers. To do this, you must also give the
user delete permissions on:

• Hardware security group if you have added hardware to the recording server

If any of the devices on the recording server contains evidence
locks, you can only delete the recording server if it is offline.

Manage hardware

Enables the permission to add hardware on recording servers.


Manage storage

Enables the permission to administrate storage containers on recording servers, that is,
to create, delete, move, and empty storage containers.

Manage security

Enables the permission to manage security permissions for recording servers.

Failover Servers

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

Security permission Description

Full control

Enables the permission to manage all security entries on this part of the system.

Read

Enables the permission to see and access failover servers in the Management
Client.

Edit

Enables the permission to create, update, delete, move, and enable or disable
failover servers in the Management Client.

Manage security

Enables the permission to manage security permissions for the failover servers.

Mobile Servers

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).


Security permission Description

Full control

Enables the permission to manage all security entries on this part of the system.

Read

Enables the permission to see and access mobile servers in the Management
Client.

Edit

Enables the permission to edit and delete mobile servers in the Management
Client.

Manage security

Enables the permission to manage security permissions for the mobile servers.

Create

Enables the permission to add mobile servers to the system.

Hardware

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

Security permission Description

Full control Enables the permission to manage all security entries on this part of the system.

Edit Enables the permission to edit properties on hardware.

Delete Enables the permission to delete hardware. If any of the hardware devices contains evidence locks, you can only delete the hardware if the recording server is offline.

Driver commands Enables the permission to send special commands to the drivers and thereby control features and configuration on the device itself. The Driver commands permission is for specially developed MIP plug-ins in the clients only. It does not control standard configuration tasks.

View passwords Enables the permission to view passwords on hardware devices in the Edit Hardware dialog box.

Manage security Enables the permission to manage security permissions for the hardware.

Cameras

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

Security permission Description

Full control Enables the permission to manage all security entries on this part of the system.

Read Enables the permission to view camera devices in the clients and the Management Client.

Edit Enables the permission to edit properties for cameras in the Management Client. It also enables users to enable or disable a camera.

View Live Enables the permission to view live video from cameras in the clients and the Management Client.

Playback Enables the permission to play back recorded video from cameras in the clients and the Management Client.


Retrieve remote recordings Enables the permission to retrieve recordings in the clients from cameras on remote sites or from edge storages on cameras.

Read sequences Enables the permission to read the sequence information related to, for example, playing back recorded video in the clients.

Smart search Enables the permission to use the Smart search function in the clients.

Export Enables the permission to export recordings from the clients.

Create bookmarks Enables the permission to create bookmarks in recorded and live video in the clients.

Read bookmarks Enables the permission to search for and read bookmark details in the clients.

Edit bookmarks Enables the permission to edit bookmarks in the clients.

Delete bookmarks Enables the permission to delete bookmarks in the clients.

Create and extend evidence locks Enables the permission to create and extend evidence locks in the clients.

Read evidence locks Enables the permission to search and read evidence locks in the clients.

Delete and reduce evidence locks Enables the permission to delete or reduce evidence locks in the clients.

Start manual recording Enables the permission to start manual recording of video in the clients.

Stop manual recording Enables the permission to stop manual recording of video in the clients.


AUX commands Enables the permission to use auxiliary (AUX) commands on the camera from the clients. AUX commands offer users the control of, for example, wipers on a camera connected via a video encoder. Camera-associated devices connected via auxiliary connections are controlled from the client.

Manual PTZ Enables the permission to use PTZ functions on PTZ cameras in the clients and the Management Client.

Activate PTZ presets or patrolling profiles Enables the permission to move PTZ cameras to preset positions, start and stop patrolling profiles, and pause patrolling in the clients and the Management Client. To allow this role to use other PTZ functions on the camera, enable the Manual PTZ permission.

Manage PTZ presets or patrolling profiles Enables the permission to add, edit, and delete PTZ presets and patrolling profiles on PTZ cameras in the clients and the Management Client. To allow this role to use other PTZ functions on the camera, enable the Manual PTZ permission.

Lock/unlock PTZ presets Enables the permission to lock and unlock PTZ presets in the Management Client. This prevents or allows other users from changing preset positions in the clients and in the Management Client.

Reserve PTZ sessions Enables the permission to set PTZ cameras in reserved PTZ session mode in the clients and the Management Client. In a reserved PTZ session, other users with higher PTZ priority are not able to take over the control. To allow this role to use other PTZ functions on the camera, enable the Manual PTZ permission.

Release PTZ sessions Enables the permission to release other users' PTZ sessions from the Management Client. You can always release your own PTZ sessions without this permission.

Delete recordings Enables the permission to delete stored video recordings from the system via the Management Client.

Lift privacy masks Enables the permission to temporarily lift privacy masks in XProtect Smart Client. It also enables the permission to authorize other XProtect Smart Client users to lift privacy masks. Lifting privacy masks only applies to privacy masks configured as liftable privacy masks in the Management Client.

Manage security Enables the permission to manage security permissions in the Management Client for the camera.

Microphones

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

Security permission Description

Full control Enables the permission to manage all security entries on this part of the system.

Read Enables the permission to view microphone devices in the clients and the Management Client.

Edit Enables the permission to edit microphone properties in the Management Client. It also allows users to enable or disable microphones.

Listen Live Enables the permission to listen to live audio from speakers in the clients and the Management Client.


Playback Enables the permission to play back recorded audio from microphones in the clients.

Retrieve remote recordings Enables the permission to retrieve recordings in the clients from microphones on remote sites or from edge storages on cameras.

Read sequences Enables the permission to read the sequence information related to, for example, the Playback mode in the clients.

Export Enables the permission to export recordings from the clients.

Create bookmarks Enables the permission to create bookmarks in the clients.

Read bookmarks Enables the permission to search for and read bookmark details in the clients.

Edit bookmarks Enables the permission to edit bookmarks in the clients.

Delete bookmarks Enables the permission to delete bookmarks in the clients.

Create and extend evidence locks Enables the permission to create or extend evidence locks in the clients.

Read evidence locks Enables the permission to search and read evidence lock details in the clients.

Delete and reduce evidence locks Enables the permission to delete or reduce evidence locks in the clients.

Start manual recording Enables the permission to start manual recording of audio in the clients.

Stop manual recording Enables the permission to stop manual recording of audio in the clients.


Delete recordings Enables the permission to delete stored recordings from the system.

Manage security Enables the permission to manage security permissions in the Management Client for microphones.

Speakers

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

Security permission Description

Full control Enables the permission to manage all security entries on this part of the system.

Read Enables the permission to view speaker devices in the clients and the Management Client.

Edit Enables the permission to edit properties for speakers in the Management Client. It also allows users to enable or disable speakers.

Listen live Enables the permission to listen to live audio from speakers in the clients and the Management Client.

Speak Enables the permission to speak through the speakers in the clients.

Playback Enables the permission to play back recorded audio from speakers in the clients.

Retrieve remote recordings Enables the permission to retrieve recordings in the clients from speakers on remote sites or from edge storages on cameras.

Read sequences Enables the permission to use the Sequences feature while browsing recorded audio from speakers in the clients.

Export Enables the permission to export recorded audio from speakers in the clients.

Create bookmarks Enables the permission to create bookmarks in the clients.

Read bookmarks Enables the permission to search for and read bookmark details in the clients.

Edit bookmarks Enables the permission to edit bookmarks in the clients.

Delete bookmarks Enables the permission to delete bookmarks in the clients.

Create and extend evidence locks Enables the permission to create or extend evidence locks to protect recorded audio in the clients.

Read evidence locks Enables the permission to view recorded audio protected by evidence locks in the clients.

Delete and reduce evidence locks Enables the permission to delete or reduce evidence locks on protected audio in the clients.

Start manual recording Enables the permission to start manual recording of audio in the clients.

Stop manual recording Enables the permission to stop manual recording of audio in the clients.

Delete recordings Enables the permission to delete stored recordings from the system.

Manage security Enables the permission to manage security permissions in the Management Client for speakers.

Metadata


Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

Security permission Description

Full control Enables the permission to manage all security entries on this part of the system.

Read Enables the permission to receive metadata in the clients.

Edit Enables the permission to edit metadata properties in the Management Client. It also allows users to enable or disable metadata devices.

Live Enables the permission to receive live metadata from metadata devices in the clients.

Playback Enables the permission to play back recorded data from metadata devices in the clients.

Retrieve remote recordings Enables the permission to retrieve recordings in the clients from metadata devices on remote sites or from edge storages on cameras.

Read sequences Enables the permission to read the sequence information related to, for example, the Playback mode in the clients.

Export Enables the permission to export recordings in the clients.

Create and extend evidence locks Enables the permission to create evidence locks in the clients.

Read evidence locks Enables the permission to view evidence locks in the clients.

Delete and reduce evidence locks Enables the permission to delete or reduce evidence locks in the clients.


Start manual recording Enables the permission to start manual recording of metadata in the clients.

Stop manual recording Enables the permission to stop manual recording of metadata in the clients.

Delete recordings Enables the permission to delete stored recordings from the system.

Manage security Enables the permission to manage security permissions in the Management Client for metadata.

Input

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

Security permission Description

Full control Enables the permission to manage all security entries on this part of the system.

Read Enables the permission to view input devices in the clients and the Management Client.

Edit Enables the permission to edit properties for input devices in the Management Client. It also enables users to enable or disable an input device.

Manage security Enables the permission to manage security permissions in the Management Client for input devices.

Output


Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

Security permission Description

Full control Enables the permission to manage all security entries on this part of the system.

Read Enables the permission to view output devices in the clients.

Edit Enables the permission to edit properties for output devices in the Management Client. It also enables users to enable or disable an output device.

Activate Enables the permission to activate outputs in the clients.

Manage security Enables the permission to manage security permissions in the Management Client for output devices.

Smart Wall

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

Security permission Description

Full control Enables the permission to manage all security permissions in XProtect Management Client.

Read Enables the permission to view a video wall in XProtect Smart Client.

Edit Enables the permission to edit properties for the Smart Wall definition in XProtect Management Client.

Delete Enables the permission to delete existing Smart Wall definitions in XProtect Management Client.

Operate Enables the permission to activate and modify Smart Wall definitions, for example to change and activate presets or apply cameras on views in XProtect Smart Client and in XProtect Management Client. You can associate Operate with time profiles that define when the user permission applies.

Create Smart Wall Enables the permission to create new Smart Wall definitions in XProtect Management Client.

Manage security Enables the permission to manage security permissions in XProtect Management Client for the Smart Wall definition.

Playback Enables the permission to play back recorded data from a video wall in XProtect Smart Client. You can associate Playback with time profiles that define when the user permission applies.

View Groups

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

Security permission Description

Full control Enables the permission to manage all security entries on this part of the system.

Read Enables the permission to view View Groups in the clients and in the Management Client. View groups are created in the Management Client.

Edit Enables the permission to edit properties on the View Groups in the Management Client.

Delete Enables the permission to delete View Groups in the Management Client.

Operate Enables the permission to use View Groups in XProtect Smart Client, that is, to create and delete subgroups and views.

Create view group Enables the permission to create View Groups in the Management Client.

Manage security Enables the permission to manage security permissions in the Management Client for View Groups.

User-defined Events

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

Security permission Description

Full control Enables the permission to manage all security entries on this part of the system.

Read Enables the permission to view user-defined events in the clients.

Edit Enables the permission to edit properties on user-defined events in the Management Client.

Delete Enables the permission to delete user-defined events in the Management Client.

Trigger Enables the permission to trigger user-defined events in the clients.

Manage security Enables the permission to manage security permissions in the Management Client for user-defined events.

Create user-defined event Enables the permission to create new user-defined events in the Management Client.

Analytics Events

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

Security permission Description

Full control Enables the permission to manage all security entries on this part of the system.

Read Enables the permission to view analytics events in the Management Client.

Edit Enables the permission to edit properties on analytics events in the Management Client.

Manage security Enables the permission to manage security permissions in the Management Client for analytics events.

Generic Events

Security permission Description

Full control Enables the permission to manage all security entries on this part of the system.

Read Enables the permission to view generic events in the clients and the Management Client.

Edit Enables the permission to edit properties on generic events in the Management Client.

Manage security Enables the permission to manage security permissions in the Management Client for generic events.

Matrix

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

Security permission Description

Full control Enables the permission to manage all security entries on this part of the system.

Read Enables the permission to select and send video to the Matrix recipient from the clients.

Edit Enables the permission to edit properties for a Matrix in the Management Client.

Delete Enables the permission to delete a Matrix in the Management Client.

Create Matrix Enables the permission to create a new Matrix in the Management Client.

Manage security Enables the permission to manage security permissions in the Management Client for all Matrix's.


Rules

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

Security permission Description

Full control Enables the permission to manage all security entries on this part of the system.

Read Enables the permission to view existing rules in the Management Client.

Edit Enables the permission to edit properties for rules and to define rule behavior in the Management Client. It also requires that the user has read permissions on all the devices that are impacted by the rule.

Delete Enables the permission to delete rules from the Management Client. It also requires that the user has read permissions on all devices that are impacted by the rule.

Create rule Enables the permission to create new rules in the Management Client. It also requires that the user has read permissions on all devices that are impacted by the rule.

Manage security Enables the permission to manage security permissions in the Management Client for all rules.

Sites

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

Security permission Description

Full control Enables the permission to manage all security entries on this part of the system.

Read Enables the permission to view other sites in the Management Client. Connected sites are connected via Milestone Federated Architecture. To edit properties, you need Edit permissions on the Management Server on each site.

Manage security Enables the permission to manage security permissions on all sites.

System Monitor

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

Security permission Description

Full control Enables the permission to manage all security entries on this part of the system.

Read Enables the permission to view system monitors in XProtect Smart Client.

Edit Enables the permission to edit properties for system monitors in the Management Client.

Manage security Enables the permission to manage security permissions in the Management Client for all system monitors.

Metadata search


Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

Security permission Description

Full control Enables the permission to manage all security entries on this part of the system.

Read Enables the permission to view the Metadata Use functionality in Management Client and its related settings, but does not enable the permission to change the settings.

Edit the metadata search configuration Enables the permission to enable or disable metadata search categories, for example metadata for people or vehicles, in the Management Client.

Manage security Enables the permission to manage security permissions for metadata searches.

Search

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

Security permission Description

Read public searches Enables the permission to view and open saved public searches in XProtect Smart Client.

Create public searches Enables the permission to save newly configured searches as public searches in XProtect Smart Client.

Edit public searches Enables the permission to edit the details or the configuration of saved public searches in XProtect Smart Client, for example the name, description, cameras, and search categories.

Delete public searches Enables the permission to delete saved public searches.

Manage security Enables the permission to manage security permissions in the Management Client for search.

Alarms

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

Security permission Description

Full control Enables the permission to manage all security entries on this part of the system.

Manage Enables the permission to manage alarms in the Management Client. For example, change priorities of alarms and re-delegate alarms to other users, acknowledge alarms and change the state, for example, from New to Assigned, of several alarms at the same time, and view alarm definitions, alarm sounds, and alarm data settings. Only when you set this to allowed does the Alarms and Events tab in the Options dialog appear.

Edit Enables the permission to view alarms and print alarm reports.

Disable alarms Enables the permission to disable alarms.

Receive notifications Enables the permission to receive notifications about alarms in XProtect Mobile clients and XProtect Web Client.

Manage security Enables the permission to manage security permissions for alarms.

Create Enables the permission to create new alarm definitions in the Management Client.

Server Logs

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

Security permission Description

Full control Enables the permission to manage all security entries on this part of the system.

Read system log entries Enables the permission to see system log entries.

Read audit log entries Enables the permission to see audit log entries.

Read rule-triggered log entries Enables the permission to see rule-triggered log entries.

Read log configuration Enables the permission to read log settings in Tools > Options > Server Logs.

Update log configuration Enables the permission to change log settings in Tools > Options > Server Logs.

Manage security Enables the permission to manage security permissions for alarms.


Access Control

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

Security permission Description

Full control Enables the permission to manage all security entries on this part of the system.

Edit Enables the permission to edit properties for the Access Control systems in the Management Client.

Use access control Allows the user to use any access control-related features in the clients.

View cardholders list Allows the user to view the cardholders list on the Access Control tab in the clients.

Receive notifications Allows the user to receive notifications about access requests in the clients.

Manage security Enables the permission to manage security permissions for all Access Control systems.

LPR

If your system runs with XProtect LPR, specify the following permissions for the user:

Security permission Description

Full control Enables the permission to manage all security entries on this part of the system.

Use LPR Enables the permission to use any LPR-related features in the clients.

Manage match lists Enables the permission to add, import, modify, export, and delete match lists in the Management Client.

Read match lists Enables the permission to view match lists.

Manage security Enables the permission to manage security permissions in the Management Client for all Transaction definitions.

Transaction sources

Security permission Description

Full control Enables the permission to manage all security entries on this part of the system.

Read Enables the permission to view properties for the Transaction sources in the Management Client.

Edit Enables the permission to edit properties for the Transaction sources in the Management Client.

Delete Enables the permission to delete Transaction sources in the Management Client.

Create Enables the permission to create new Transaction sources in the Management Client.

Manage security Enables the permission to manage security permissions in the Management Client for all Transaction sources.

Transaction definition

Security permission Description

Full control Enables the permission to manage all security entries on this part of the system.

Read Enables the permission to view properties for the Transaction definitions in the Management Client.

Edit Enables the permission to edit properties for the Transaction definitions in the Management Client.

Delete Enables the permission to delete Transaction definitions in the Management Client.

Create Enables the permission to create new Transaction definitions in the Management Client.

Manage security Enables the permission to manage security permissions in the Management Client for all Transaction definitions.

MIP plug-ins

Through the MIP SDK, a third-party vendor can develop custom plug-ins for your system, for example,
integration to external access control systems or similar functionality.

Device tab (roles)

Available functionality depends on the system you are using. See the complete feature
list, which is available on the product overview page on the Milestone website
(https://www.milestonesys.com/solutions/platform/product-index/).

The Device tab lets you specify which features users/groups with the selected role can use for each device (for
example, a camera) or device group in XProtect Smart Client.

Remember to repeat for each device. You can also select a device group, and specify role permissions for all
the devices in the group in one go.

You can still select or clear such square-filled check boxes, but note that your choice in that case applies for all
devices within the device group. Alternatively, select the individual devices in the device group to verify exactly
which devices the relevant permission applies for.


Camera-related permissions

Specify the following permissions for camera devices:

Name Description

Read The selected camera(s) will be visible in the clients.

View live Allows live viewing of video from the selected camera(s) in the clients. For XProtect Smart Client, it requires that the role has been granted the permission to view live video in the clients. This permission is granted as part of the application permissions. Specify the time profile or leave the default value.

Playback > Within time profile Allows playback of recorded video from the selected camera(s) in the clients. Specify the time profile or leave the default value.

Playback > Limit playback to Allows playback of recorded video from the selected camera(s) in the clients. Specify a playback limit or apply no restrictions.

Read sequences Allows reading the sequence information related to, for example, the Sequence explorer in the clients.

Smart search Allows the user to use the Smart search function in the clients.

Export Allows the user to export recordings from the clients.

Start manual recording Allows starting manual recording of video from the selected camera(s) in the clients.

Stop manual recording Allows stopping manual recording of video from the selected camera(s) in the clients.

Read bookmarks Allows searching for and reading bookmark details in the clients.

Edit bookmarks Allows editing bookmarks in the clients.

Create bookmarks Allows adding bookmarks in the clients.


Delete bookmarks Allows deleting bookmarks in the clients.

AUX commands Allows the use of auxiliary commands from the clients.

Create and extend evidence locks Allows the client user to:

• Add the camera to new or existing evidence locks
• Extend the expiry time for existing evidence locks
• Extend the protected interval for existing evidence locks

Requires user permissions to all devices included in the evidence lock.

Delete and reduce evidence locks Allows the client user to:

• Remove the camera from existing evidence locks
• Delete existing evidence locks
• Shorten the expiry time for existing evidence locks
• Shorten the protected interval for existing evidence locks

Requires user permissions to all devices included in the evidence lock.

Read evidence locks Allows the client user to search for and read evidence lock details.

Microphone-related permissions

Specify the following permissions for microphone devices:


Name Description

Read The selected microphone(s) will be visible in the clients.

Listen live Allows listening to live audio from the selected microphones in the clients. For XProtect Smart Client, it requires that the role has been granted the permission to view live video in the clients. This permission is granted as part of the application permissions. Specify the time profile or leave the default value.

Playback > Within time profile Allows playback of recorded audio from the selected microphone(s) in the clients. Specify the time profile or leave the default value.

Playback > Limit playback to Allows playback of recorded audio from the selected microphone(s) in the clients. Specify a playback limit or apply no restrictions.

Read sequences Allows reading the sequence information related to, for example, the Sequence explorer in the clients.

Export Allows the user to export recordings from the clients.

Start manual recording Allows starting manual recording of audio from the selected microphone(s) in the clients.

Stop manual recording Allows stopping manual recording of audio from the selected microphone(s) in the clients.

Read bookmarks Allows searching for and reading bookmark details in the clients.

Edit bookmarks Allows editing bookmarks in the clients.

Create bookmarks Allows adding bookmarks in the clients.

Delete bookmarks Allows deleting bookmarks in the clients.

Create and extend evidence locks Allows the client user to:

• Add the microphone to new or existing evidence locks
• Extend the expiry time for existing evidence locks
• Extend the protected interval for existing evidence locks

Requires user permissions to all devices included in the evidence lock.

Delete and reduce evidence locks Allows the client user to:

• Remove the microphone from existing evidence locks
• Delete existing evidence locks
• Shorten the expiry time for existing evidence locks
• Shorten the protected interval for existing evidence locks

Requires user permissions to all devices included in the evidence lock.

Read evidence locks Allows the client user to search for and read evidence lock details.

Speaker-related permissions

Specify the following permissions for speaker devices:

Name Description

Read The selected speaker(s) is visible in the clients.

Listen live Allows listening to live audio from the selected speaker(s) in the clients. For XProtect Smart Client, it requires that the role has been granted the permission to view live video in the clients. This permission is granted as part of the application permissions. Specify the time profile or leave the default value.


Playback > Within time profile Allows playback of recorded audio from the selected speaker(s) in the clients. Specify the time profile or leave the default value.

Playback > Limit playback to Allows playback of recorded audio from the selected speaker(s) in the clients. Specify a playback limit or apply no restrictions.

Read sequences Allows reading the sequence information related to, for example, the Sequence explorer in the clients.

Export Allows the user to export recordings from the clients.

Start manual recording Allows starting manual recording of audio from the selected speaker(s) in the clients.

Stop manual recording Allows stopping manual recording of audio from the selected speaker(s) in the clients.

Read bookmarks Allows searching for and reading bookmark details in the clients.

Edit bookmarks Allows editing bookmarks in the clients.

Create bookmarks Allows adding bookmarks in the clients.

Delete bookmarks Allows deleting bookmarks in the clients.

Create and extend evidence locks Allows the client user to:

• Add the speaker to new or existing evidence locks
• Extend the expiry time for existing evidence locks
• Extend the protected interval for existing evidence locks

Requires user permissions to all devices included in the evidence lock.


Delete and reduce evidence locks Allows the client user to:

• Remove the speaker from existing evidence locks
• Delete existing evidence locks
• Shorten the expiry time for existing evidence locks
• Shorten the protected interval for existing evidence locks

Requires user permissions to all devices included in the evidence lock.

Read evidence locks Allows the client user to search for and read evidence lock details.

Metadata-related permissions

Specify the following permissions for metadata devices:

Name Description

Read Enables the permission to see metadata devices and retrieve data from them in the clients.

Edit Enables the permission to edit metadata properties. It also allows users to enable or disable metadata devices in the Management Client and via the MIP SDK.

View Live Enables the permission to view live metadata from cameras in the clients. For XProtect Smart Client, it requires that the role has been granted the permission to view live video in the clients. This permission is granted as part of the application permissions.

Playback Enables the permission to play back recorded data from metadata devices in the clients.


Read sequences Enables the permission to use the Sequences feature while browsing recorded data from metadata devices in the clients.

Export Enables the permission to export recorded audio from metadata devices in the clients.

Create and extend evidence locks Enables the permission to create and extend the evidence locks on metadata in the clients.

Read evidence locks Enables the permission to view evidence locks on metadata in the clients.

Delete and reduce evidence locks Enables the permission to delete or reduce evidence locks on metadata in the clients.

Start manual recording Enables the permission to start manual recording of metadata in the clients.

Stop manual recording Enables the permission to stop manual recording of metadata in the clients.

Input-related permissions

Specify the following permissions for input devices:

Name Description

Read The selected input(s) will be visible in the clients.

Output-related permissions

Specify the following permissions for output devices:


Name Description

Read The selected output(s) will be visible in the clients. If visible, the output will be selectable on a list in the clients.

Activate The selected output(s) can be activated from the Management Client and the clients. Specify the time profile or leave the default value.

PTZ tab (roles)

You set up permissions for pan-tilt-zoom (PTZ) cameras on the PTZ tab. You can specify the features
users/groups can use in the clients. You can select individual PTZ cameras or device groups containing PTZ
cameras.

Specify the following permissions for PTZ:

Name Description

Manual PTZ Determines if the selected role can use PTZ functions and pause patrolling on the selected camera. Specify a time profile, select Always, or leave the default value that follows the default time profile defined on the Info tab for that role.

Activate PTZ presets or patrolling profiles Determines if the selected role can move the selected camera to preset positions, start and stop patrolling profiles, and pause patrolling. Specify a time profile, select Always, or leave the default value that follows the default time profile defined on the Info tab for that role. To allow this role to use other PTZ functions on the camera, enable the Manual PTZ permission.

PTZ Priority Determines the priority of PTZ cameras. When several users on a surveillance system want to control the same PTZ camera at the same time, conflicts may occur. You can avoid such a situation by specifying a priority for use of the selected PTZ camera(s) by users/groups with the selected role. Specify a priority from 1 to 32,000, where 1 is the lowest priority. The default priority is 3,000. The role with the highest priority number is the one who can control the PTZ camera(s).


Manage PTZ presets or patrolling profiles Determines the permission to add, edit and delete PTZ presets and patrolling profiles on the selected camera in both the Management Client and XProtect Smart Client. To allow this role to use other PTZ functions on the camera, enable the Manual PTZ permission.

Lock/unlock PTZ presets Determines if the role can lock and unlock preset positions for the selected camera.

Reserve PTZ sessions Determines the permission to set the selected camera in reserved PTZ session mode. In a reserved PTZ session, other users or patrolling sessions with higher PTZ priority are not able to take over the control. To allow this role to use other PTZ functions on the camera, enable the Manual PTZ permission.

Release PTZ sessions Determines if the selected role can release other users' PTZ sessions from the Management Client. You can always release your own PTZ sessions without this permission.

Speech tab (roles)

Relevant only if you use speakers on your system. Specify the following permissions for speakers:

Name Description

Speak Determine if users should be allowed to talk through the selected speaker(s). Specify the time profile or leave the default value.

Speak priority When several client users want to talk through the same speaker at the same time, conflicts may occur. Solve the problem by specifying a priority for use of the selected speaker(s) by users/groups with the selected role. Specify a priority from Very low to Very high. The role with the highest priority is allowed to use the speaker before other roles. Should two users with the same role want to speak at the same time, the first-come, first-served principle applies.


Remote Recordings tab (roles)

Specify the following permissions for remote recordings:

Name Description

Retrieve remote recordings Enables the permission to retrieve recordings in the clients from cameras, microphones, speakers, and metadata devices on remote sites or from edge storages on cameras.

Smart Wall tab (roles)

Through roles, you can grant your client users Smart Wall-related user permissions:

Name Description

Read Allows users to view the selected Smart Wall in XProtect Smart Client.

Edit Allows users to edit the selected Smart Wall in the Management Client.

Delete Allows users to delete the selected Smart Wall in the Management Client.

Operate Allows users to apply layouts on the selected Smart Wall in XProtect Smart Client and to activate presets.

Playback Allows users to play back recorded data from the selected Smart Wall in XProtect Smart Client.

External Event tab (roles)

Specify the following external event permissions:

Name Description

Read Allows users to search for and view the selected external system event in the clients and the Management Client.

Edit Allows users to edit the selected external system event in the Management Client.

Delete Allows users to delete the selected external system event in the Management Client.

Trigger Allows users to trigger the selected external system event in the clients.

View Group tab (roles)

On the View Group tab, you specify which view groups the users and user groups with the selected role can
use in the clients.

Specify the following permissions for view groups:

Name Description

Read Enables the permission to view the View Groups in the clients and in the Management Client. View groups are created in the Management Client.

Edit Enables the permission to edit properties on View Groups in the Management Client.

Delete Enables the permission to delete View Groups in the Management Client.

Operate Enables the permission to use View Groups in XProtect Smart Client, that is to create and delete subgroups and views.

Servers tab (roles)

Specifying role permissions on the Servers tab is only relevant if your system works in a Milestone Federated
Architecture setup.


Name Description

Sites Enables the permission to view the selected site in the Management Client. Connected sites are connected via Milestone Federated Architecture. To edit properties, you need Edit permissions on the Management Server on each site.

See Configuring Milestone Federated Architecture on page 87 for more information.

Matrix tab (roles)

If you have configured Matrix recipients on your system, you may configure Matrix role permissions. From a
client, you can send video to selected Matrix recipients. Select the users who can receive this on the Matrix tab.

The following permissions are available:

Name Description

Read Determine if users and groups with the selected role can select and send video to the Matrix recipient from the clients.

Alarms tab (roles)

If you use alarms in your system setup to provide central overview and control of your installation (including
any other XProtect servers), you can use the Alarms tab to specify the alarm permissions that users and groups
with the selected role should have, for example, how to handle alarms in the clients.

Specify the following permissions for alarms:

Name Description

Manage Enables the permission to manage alarms, for example, changing the priorities of alarms, re-delegating alarms to other users, acknowledging alarms, and changing the state (for example, from New to Assigned) of several alarms at the same time.

View Enables the permission to view alarms and print alarm reports.


Disable alarms Enables the permission to disable alarms.

Receive notifications Enables the permission to receive notifications about alarms in XProtect Mobile clients and XProtect Web Client.

Access Control tab (roles)

When you add or edit basic users, Windows users or groups, specify access control settings:

Name Description

Use access control Allows the user to use any access control-related features in the clients.

View cardholders list Allows the user to view the cardholders list on the Access Control tab in the clients.

Receive notifications Allows the user to receive notifications about access requests in the clients.

LPR tab (roles)

If your system runs with XProtect LPR, specify the following permissions for the users:

Name Description

Use LPR Enables the permission to use any LPR-related features in the clients.

Manage match lists Enables the permission to add, import, modify, export, and delete match lists in the Management Client.

Read match lists Enables the permission to view match lists.


Incidents tab (roles)

If you have XProtect Incident Manager, you can specify the following permissions for your roles.

To give a Management Client administrator role the permissions to manage or view incident properties, select
the Incident properties node.

To give an operator of XProtect Smart Client permission to view your defined incident properties, select
Incident properties and give View permission. To give general permissions to manage or view incident
projects, select the Incident project node. Expand the Incident project node and select one or more
sub-nodes to give permissions for these additional specific features or capabilities.

Name Description

Manage Permission to manage (view, create, edit, and delete) settings and properties related to a feature or view a user interface element represented by the selected node in either Management Client or XProtect Smart Client.

View Permission to view (but not create, edit, and delete) the settings and properties related to a feature, view defined incident properties, or view a user interface element represented by the selected node in either Management Client or XProtect Smart Client.

MIP tab (roles)

Through the MIP SDK, a third-party vendor can develop custom plug-ins for your system, for example,
integration to external access control systems or similar functionality.

The settings you change depend on the actual plug-in. Find the custom settings for the plug-ins on the MIP tab.

Basic user (Security node)


When you add a basic user to your system, you create a dedicated surveillance system user account with basic
user name and password authentication for the individual user. This is in contrast to the Windows user, added
through Active Directory.

When working with basic users, it is important to understand the difference between basic user and Windows
user.

• Basic users are authenticated by a user name/password combination and are specific to a system.
Even if basic users have the same name and password, a basic user created at one federated site does
not have access to another federated site

• Windows users are authenticated based on their Windows login and are specific to a machine


System Dashboard node


Under the System Dashboard node, you find different functionality to monitor your system and its various
system components.

Name Description

Current Task Get an overview of ongoing tasks on a selected recording server.

System Monitor Monitor the status of your servers and cameras by parameters you define.

System Monitor Thresholds Set threshold values for monitored parameters on server and monitor tiles used in System Monitor.

Evidence Lock Get an overview of all protected data in the system.

Configuration Reports Print a report with your system configuration. You can decide what to include in the report.

Current Tasks (System Dashboard node)


The Current Tasks window shows an overview of ongoing tasks under a selected recording server. If you have
initiated a task that takes a long time and runs in the background, you can open the Current Tasks window to
see how the task progresses. A few examples of lengthy user-initiated tasks are firmware updates and
movement of hardware. You can see information about the task's start-time, estimated end-time, and
progress.

The information shown in the Current Tasks window is not dynamically updated but is a snapshot of the
current tasks from the moment you opened the window. If you have had the window open for some time,
refresh the information by selecting the Refresh button in the lower right corner of the window.

System Monitor (System Dashboard node)


The System Monitor functionality provides you with a quick, visual overview of the current well-being of your
system's servers and cameras.


System monitor dashboard window

Tiles

The upper part of the System monitor dashboard window shows colored tiles that represent the state of your
system's server hardware and camera hardware.

The tiles change their state, and thereby their color, based on threshold values set under the System Monitor
Thresholds node. For more information, see System Monitor Thresholds (System Dashboard node) on page
541. Define the thresholds so that tile colors mean the following:

Tile color Description

Green Normal state. Everything is running normally.

Yellow Warning state. One or more monitoring parameters is above the threshold value for the Normal state.

Red Critical state. One or more monitoring parameters is above the threshold value for the Normal and Warning state.

Hardware list with monitoring parameters

If you click a tile, you can see the state of each selected monitoring parameter for each hardware represented
by the tile in the bottom part of the System monitor dashboard window.

Example: A camera's LIVE FPS monitoring parameters have reached the Warning state.

Customize dashboard window

Select Customize in the upper right corner of the window to open the Customize dashboard window.

In the Customize dashboard window, you can select which tile to create, edit or delete. When creating or
editing tiles, you can select which hardware and which monitoring parameters you want to monitor on the tile.

Details window

If you select a tile and then, from the hardware list with monitoring parameters, select the Details button to the
right of a camera or server, you can, depending on the selected hardware, view system information and
create reports regarding:


Hardware Information

Management server Shows data about:

• CPU Usage
• Memory available

Select History to see the historical states of your hardware and create a report on the above data.

Recording server(s) Shows data about:

• CPU usage
• Memory available
• Disks
• Storage
• Network
• Cameras

Select History to see the historical states of your hardware and create a report on the above data.

Failover recording servers Shows data about:

• CPU usage
• Memory available
• Monitored recording servers

Select History to see the historical states of your hardware and create a report on the above data.

Log servers, event servers, and more Shows data about:

• CPU usage
• Memory available

Select History to see the historical states of your hardware and create a report on the above data.


Cameras Shows data about:

• Storage
• Used Space
• Live FPS (Default)
• Recording FPS
• Live Video Format
• Recording Video Format
• Media Data Received (Kbit/s)
• Memory available

Select the camera name to see its historical states and create a report on:

• Data received from camera
• Camera disk usage

If you access the system monitor's details from a server operating system, you may
see a message regarding Internet Explorer Enhanced Security Configuration.
Follow the instructions to add the System Monitor page to the Trusted sites zone
before proceeding.

System Monitor Thresholds (System Dashboard node)


System monitor thresholds allow you to define and adjust the thresholds at which tiles on the System monitor
dashboard visually indicate that your system hardware changes state. For example, when the CPU
usage of a server changes from a normal state (green) to a warning state (yellow) or from a warning state
(yellow) to a critical state (red).


Example of thresholds between the three states

You can change thresholds for servers, cameras, disks, and storage, and all thresholds have some common
buttons and settings.

Common user interface elements

Buttons & settings Description Unit

Calculation interval Often there are short outages in the connection to your different hardware. If you specify a calculation interval of 0 seconds, all these short outages will trigger alerts about changes in hardware state. Therefore, define a calculation interval of some length. If you define a one (1) minute calculation interval, it means that you only get alerts if the average value for the whole minute exceeds the threshold. With the correct calculation interval setting, you will not receive false-positive alerts but only alerts about sustained issues with, for example, CPU usage or memory consumption. To change the values of calculation intervals, see Edit thresholds for when hardware states should change on page 281. sec

Advanced If you select the Advanced button, you can define thresholds and calculation intervals for individual servers, cameras, disks, and storage. For more information, see below. -

Create rule You can combine events from System Monitor and rules to trigger actions, for example, when a server's CPU usage is critical, or a disk is running out of free space. For more information, see Rules and events (explained) on page 74 and Add rules on page 259. -
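
The effect of the calculation interval can be modelled in a few lines. The following Python sketch is an added illustration, not Milestone code: the sample values, the two limits, and the function names are constructed, and it assumes a parameter where a higher value is worse (such as CPU usage).

```python
from statistics import mean

NORMAL, WARNING, CRITICAL = "Normal", "Warning", "Critical"  # green, yellow, red tiles


def classify(value, normal_limit, warning_limit):
    """Map a value to a tile state; higher is worse (for example CPU usage in %)."""
    if value > warning_limit:
        return CRITICAL
    if value > normal_limit:
        return WARNING
    return NORMAL


def state_changes(samples, interval_s, normal_limit, warning_limit):
    """Return [(time_s, old_state, new_state)] for (time_s, value) samples sorted by time.

    interval_s == 0 evaluates every sample on its own; otherwise the samples are
    averaged per interval and the average is compared with the thresholds.
    """
    if interval_s == 0:
        windows = [(t, [v]) for t, v in samples]
    else:
        grouped = {}
        for t, v in samples:
            grouped.setdefault(t // interval_s, []).append(v)
        # A window is evaluated when it closes, at the end of the interval.
        windows = [((k + 1) * interval_s, vs) for k, vs in sorted(grouped.items())]

    changes, state = [], NORMAL
    for t, values in windows:
        new_state = classify(mean(values), normal_limit, warning_limit)
        if new_state != state:
            changes.append((t, state, new_state))
            state = new_state
    return changes


# Constructed CPU usage samples (%), one every 10 seconds:
# minute 1 has a single short spike, minute 2 is a sustained load, minute 3 is idle.
CPU_SAMPLES = (
    list(zip(range(0, 60, 10), [30, 30, 95, 30, 30, 30]))
    + [(t, 70) for t in range(60, 120, 10)]
    + [(t, 30) for t in range(120, 180, 10)]
)

# Constructed limits: above 60 % leaves Normal, above 80 % leaves Warning.
NORMAL_LIMIT, WARNING_LIMIT = 60, 80

if __name__ == "__main__":
    for interval in (0, 60):
        print(f"calculation interval {interval} s:")
        for change in state_changes(CPU_SAMPLES, interval, NORMAL_LIMIT, WARNING_LIMIT):
            print("  t=%3d s  %s -> %s" % change)
```

With an interval of 0 the single 95 % sample flips the tile to Critical and back; with a 60-second interval only the sustained load in minute 2 changes the state.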


Server thresholds

Threshold Description Unit

CPU usage Thresholds for the CPU usage on the servers you monitor. %

Memory available Thresholds for RAM in use on the servers you monitor. MB

NVIDIA decoding Thresholds for the NVIDIA decoding usage on the servers you monitor. %

NVIDIA memory Thresholds for NVIDIA RAM in use on the servers you monitor. %

NVIDIA rendering Thresholds for the NVIDIA rendering usage on the servers you monitor. %

Camera thresholds

Threshold Description Unit

Live FPS Thresholds for cameras' FPS in use when live video is shown on cameras you monitor. %

Recording FPS Thresholds for cameras' FPS in use when the system is recording video on cameras you monitor. %

Used space Thresholds for the space used by cameras you monitor. GB

Disk thresholds

Threshold Description Unit

Free space Thresholds for available space on disks you monitor. GB


Storage thresholds

Threshold Description Unit

Retention time Threshold showing a prediction for when you run out of space on your storage. The state shown is based on your system setup and is updated twice a day. Days

Evidence Lock (System Dashboard node)


Evidence Lock under the System Dashboard node shows an overview of all protected data on the current
surveillance system.

The following metadata is available for all evidence locks:

• Start and end date for the protected data

• The user who locked the evidence

• When the evidence is no longer locked

• Where the data is stored

• The size of each evidence lock

All information shown in the Evidence Lock window is snapshots. Press F5 to refresh.

Configuration Reports (System Dashboard node)


You make many choices when you install and configure your VMS system, and you may need to document
these. Over time it is also hard to remember all the settings you have changed since the installation and initial
configuration - or just during the last couple of months. That is why it is possible to print a report with all your
configuration choices.

The following settings are available when creating and printing configuration reports:

Name Description

Reports A list of elements that can be included in a configuration report.

Select All Adds all elements in the Reports list to the configuration report.


Clear All Removes all elements in the Reports list from the configuration report.

Front Page Customize the front page of the report.

Formatting Format the report.

Exclude sensitive data Removes personal data like user names, e-mail addresses, and other types of sensitive data from the configuration report and makes it GDPR compliant. Information about the license owner is always excluded from the report.

Export Select a save location for the report and create it as a PDF.

Server Logs node

System logs (tab)

Each row in a log represents a log entry. A log entry contains a number of information fields:

Name Description

Log level Info, warning, or error.

Local time Timestamped in the local time of your system's server.

Message text The identification number for the logged incident.

Category The type of logged incident.

Source type The type of equipment on which the logged incident occurred, for example, server or device.

Source name The name of the equipment on which the logged incident occurred.

Event type The type of event represented by the logged incident.


Audit logs (tab)

Each row in a log represents a log entry. A log entry contains a number of information fields:

Name Description

Local time Timestamped in the local time of your system's server.

Message text Shows a description of the logged incident.

Permission The information about whether the remote user action was allowed (granted) or not.

Category The type of logged incident.

Source type The type of equipment on which the logged incident occurred, for example, server or device.

Source name The name of the equipment on which the logged incident occurred.

User The user name of the remote user causing the logged incident.

User location The IP address or host name of the computer from which the remote user caused the logged incident.
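
The Permission, User, and User location fields are the ones a reviewer usually pivots on. The following Python sketch is an added example, not part of the product: it assumes the audit log rows are available as CSV with the column names from the table above, that the Permission field reads "Granted" for allowed actions, and all sample rows are constructed.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample rows; the column names follow the audit log fields listed above.
SAMPLE_EXPORT = """\
Local time,Message text,Permission,Category,Source type,Source name,User,User location
2023-03-01 08:00:12,Live view requested,Granted,Sample,Device,Camera 1,operator1,10.0.0.21
2023-03-01 08:02:40,Export requested,Denied,Sample,Device,Camera 1,operator2,10.0.0.35
2023-03-01 08:02:55,Export requested,Denied,Sample,Device,Camera 2,operator2,10.0.0.35
2023-03-01 08:03:10,Export requested,Denied,Sample,Device,Camera 3,operator2,10.0.0.35
2023-03-01 08:10:00,Playback requested,Denied,Sample,Device,Camera 1,operator3,10.0.0.40
2023-03-01 09:15:30,Live view requested,Granted,Sample,Device,Camera 2,operator1,10.0.0.99
2023-03-01 09:20:00,Playback requested,Granted,Sample,Device,Camera 1,operator3,10.0.0.40
"""


def triage(csv_text, min_denied=3):
    """Summarize audit log rows for review.

    Returns a dict with:
      repeated_denials   - users with at least min_denied refused actions
      multiple_locations - users whose actions came from more than one location
    """
    denied = Counter()
    locations = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["User"].strip()
        locations[user].add(row["User location"].strip())
        # Anything that is not explicitly granted counts as a refused action.
        if row["Permission"].strip().lower() != "granted":
            denied[user] += 1
    return {
        "repeated_denials": {u: n for u, n in denied.items() if n >= min_denied},
        "multiple_locations": {
            u: sorted(locs) for u, locs in locations.items() if len(locs) > 1
        },
    }


if __name__ == "__main__":
    report = triage(SAMPLE_EXPORT)
    for user, count in report["repeated_denials"].items():
        print(f"{user}: {count} refused actions, check the role's device permissions")
    for user, locs in report["multiple_locations"].items():
        print(f"{user}: seen from {', '.join(locs)}")
```

Repeated refusals usually point at a role that lacks a device permission the user expects to have, or at an account probing beyond its role; both are worth a look.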

Rule-triggered logs (tab)

Each row in a log represents a log entry. A log entry contains a number of information fields:

Name Description

Local time Timestamped in the local time of your system's server.

Message text Shows a description of the logged incident.

Category The type of logged incident.

Source type The type of equipment on which the logged incident occurred, for example, server or device.

Source name The name of the equipment on which the logged incident occurred.

Event type The type of event represented by the logged incident.

Rule name The name of the rule triggering the log entry.

Service name The name of the service on which the logged incident occurred.

Metadata Use node

Metadata and metadata search

To manage and configure metadata devices, see Show or hide metadata search
categories and search filters on page 283.

What is metadata?

Metadata is data about data, for example, data that describes the video image, the content or objects in the
image, or the location of where the image was recorded.

Metadata can be generated by:

• The device itself delivering the data, for example a camera that is delivering video
• A third-party system or integration via a generic metadata driver

Metadata search

Metadata search is any search for video recordings in XProtect Smart Client that uses search categories and
search filters related to metadata.

The default Milestone metadata search categories are:

• Location
• People
• Vehicles


Metadata search requirements

To get search results, you need one of the following:

• At least one device in your video surveillance system that can perform video analytics and is configured correctly
• A video processing service in your video surveillance system that generates metadata

In either case, metadata must be in the required metadata format.

For more information, see the documentation for integration of Metadata Search.

Access Control node

Access control properties

General Settings tab (Access Control)

Name Description

Enable Systems are by default enabled, meaning that they are visible in XProtect Smart Client for users with sufficient permissions and that the XProtect system receives access control events.

You can disable a system, for example during maintenance, to avoid creating unnecessary alarms.

Name The name of the access control integration as it appears in the management application and in the clients. You can overwrite the existing name with a new one.

Description Provide a description of the access control integration. This is optional.

Integration plug-in Shows the type of access control system selected during the initial integration.

Last configuration refresh Shows the date and time of the last time the configuration was imported from the access control system.

Refresh configuration Click the button when you need to reflect configuration changes made in the access control system in XProtect, for example if you have added or deleted a door.

A summary of the configuration changes from the access control system appears. Review the list to ensure that your access control system is reflected correctly before you apply the new configuration.

Operator login required Enable an additional login for the client users, if the access control system supports differentiated user permissions. If you enable this option, the access control system will not be available in XProtect Mobile client.

This option is only visible if the integration plug-in supports differentiated user permissions.

The naming and content of the following fields are imported from the integration plug-in. Below are examples
of some typical fields:

Name Description

Address Enter the address of the server that hosts the integrated access control system.

Port Specify the port number on the server to which the access control system is connected.

User name Enter the name of the user, as defined in the access control system, who should be administrator of the integrated system in XProtect.

Password Specify the password for the user.

Doors and Associated Cameras tab (Access Control)

This tab provides mappings between door access points and cameras, microphones or speakers. You associate
cameras as part of the integration wizard, but you can change the setup at any time. Mappings to
microphones and speakers are implicit through the related microphone or speaker on the camera.


Name Description

Doors Lists the available door access points defined in the access control system, grouped by door.

For easier navigation to the relevant doors, you can filter the doors in your access control system with the drop-down list box at the top.

Enabled: Licensed doors are by default enabled. You can disable a door to free a license.

License: Shows if a door is licensed or if the license has expired. The field is blank when the door is disabled.

Remove: Click Remove to remove a camera from an access point. If you remove all cameras, the check box for associated cameras is automatically cleared.

Cameras Lists the cameras configured in the XProtect system.

Select a camera from the list and drag and drop it at the relevant access point to associate the access point with the camera.

Access Control Events tab (Access Control)

Event categories allow you to group events. The configuration of event categories affects the behavior of
access control in the XProtect system and allows you to, for example, define a single alarm that is triggered
by multiple event types.

Name Description

Access Control Event Lists the access control events imported from the access control system. The integration plug-in controls default enabling and disabling of events. You can disable or enable events any time after the integration.

When an event is enabled, it is stored in the XProtect event database and is, for example, available for filtering in the XProtect Smart Client.

Source Type Shows the access control unit that can trigger the access control event.

Event Category Assign none, one or more event categories to the access control events. The system automatically maps relevant event categories to the events during integration. This enables a default setup in the XProtect system. You can change the mapping at any time.

Built-in event categories are:
• Access denied
• Access granted
• Access request
• Alarm
• Error
• Warning

Events and event categories defined by the integration plug-in also appear, but you can also define your own event categories, see User-defined Categories.

If you change the event categories in XProtect Corporate, ensure that the existing access control rules still work.

User-defined Categories Allows you to create, modify or delete user-defined event categories.

You can create event categories when the built-in categories do not meet your requirements, for example, in connection with defining triggering events for access control actions.

The categories are global for all integration systems added to the XProtect system. They allow setting up cross-system handling, for example on alarm definitions.

If you delete a user-defined event category, you receive a warning if it is used by any integration. If you delete it anyway, all configurations made with this category, for example access control actions, do not work anymore.

Access Request Notification tab (Access Control)

You can specify access request notifications that appear on the XProtect Smart Client screen when a given
event occurs.


Name Description

Name Enter a name for the access request notification.

Add Access Request Notification Click to add and define access request notifications.

To delete a notification, click X on the right-hand side.

If a user of XProtect Smart Client logs into a parent site in a Milestone Federated Architecture hierarchy, access request notifications from the child sites also appear in XProtect Smart Client.

Access request notification details Specify which cameras, microphones or speakers appear in the access request notifications when a given event occurs. Also specify the sound to alert the user when the notification pops up.

Add command Select which commands should be available as buttons in the access request notification dialogs in the XProtect Smart Client.

Related access request commands:
• Enables all commands related to access request operations available on the source unit. For example Open door

All related commands:
• Enables all commands on the source unit

Access control command:
• Enables a selected access control command

System command:
• Enables a command predefined in the XProtect system

To delete a command, click X on the right-hand side.

Cardholders tab (Access Control)

Use the Cardholders tab to review information about cardholders in the access control system.


Name Description

Search cardholder Enter the characters of a cardholder name and it appears in the list, if it exists.

Name Lists the names of the cardholders retrieved from the access control system.

Type Lists the type of cardholder, for example:
• Employee
• Guard
• Guest

If your access control system supports adding/deleting pictures in the XProtect system, you can add pictures to
the cardholders. This is useful if your access control system does not include pictures of the cardholders.

Name Description

Select picture Specify the path to a file with a picture of the cardholder. This button is not visible if the access control system manages the pictures.

Allowed file formats are .bmp, .png, and .jpg.

Pictures are resized to maximize the view.

Milestone recommends that you use a square picture.

Delete picture Click to delete the picture. If the access control system had a picture, then this picture is shown after deletion.

Incidents node

Incident properties (Incidents node)


The following information describes settings that are related to XProtect Incident Manager.

You define all incident properties for your XProtect Smart Client operators on these tabs:


• Types
• Statuses
• Categories
• Category 1-5

All the incident properties have the following settings:

Name Description

Name Incident property names do not have to be unique, but it is an advantage to use unique and descriptive incident property names in many situations.

Description An additional explanation of the defined incident property. For example, if you have created a category named Location, its description could be Where did the incident happen?

Transact node

Transaction Sources (Transact node)


The following table describes the properties for transaction sources.

For more information about adding a source, see Add transaction source (wizard).

Transaction sources (properties)

Name Description

Enable If you want to disable the transaction source, clear this check box. The stream of transaction data stops, but the data already imported remains on the event server. You can still view transactions from a disabled transaction source in XProtect Smart Client during its retention period.

Even a disabled transaction source requires a transaction source license.

Name If you want to change the name, enter a new name here.

Connector You cannot change the connector you selected when you created the transaction source. To select a different connector, you need to create a new transaction source, and during the wizard, select the connector you want.

Transaction definition You can select a different transaction definition that defines how to transform the transaction data received into transactions and transaction lines. This includes defining:
• When a transaction begins and ends
• How transactions are displayed in XProtect Smart Client

Retention period Specify, in days, for how long transaction data is maintained on the event server. The default retention period is 30 days. When the retention period expires, the data is deleted automatically. This prevents the storage capacity of the database from being exceeded.

The minimum value is 1 day, whereas the maximum value is 1000 days.

TCP client connector If you selected TCP client connector, specify these settings:
• Host name: enter the host name of the TCP server associated with the transaction source
• Port: enter the port name on the TCP server associated with the transaction source

Serial port connector If you selected Serial port connector, specify these settings and make sure that they match the settings on the transaction source:
• Serial port: select the COM port
• Baud rate: specify the number of bits transmitted per second
• Parity: specify the method for detecting errors in the transmissions. By default, None is selected
• Data bits: specify the number of bits used to represent one character of data
• Stop bits: specify the number of bits to indicate when a byte has been transmitted. Most devices need 1 bit
• Handshake: specify the handshaking method determining the communication protocol between the transaction source and event server


Transaction Definitions (Transact node)


The following table describes the properties for definitions to be used for the transaction sources.

For more information about creating and adding transaction definitions, see Create and add transaction
definitions.

Transaction definitions (properties)

Name Description

Name Enter a name.

Encoding Select the character set used by the transaction source, for example the cash register. This helps XProtect Transact convert the transaction data to understandable text that you can work with when configuring the definition.

If you select the wrong encoding, the data may appear as nonsense text.

Start collecting data Collect transaction data from the connected transaction source. You can use the data to configure a transaction definition.

Wait for at least one, but preferably more, transactions to complete.

Stop collecting data When you have collected sufficient data to configure the definition, click this button.

Load from file If you want to import data from an already existing file, click this button. Typically this is a file that you have created previously in the file format .capture. It can be other file formats. What is important here is that the encoding of the import file matches the encoding selected for the current definition.

Save to file If you want to save the collected raw data to a file, click this button. You can reuse it later.

Match type Select the match type to use to search for the start pattern and the stop pattern in the collected raw data:

• Use exact match: The search identifies strings that contain exactly what you have entered in the Start pattern and Stop pattern fields

• Use wildcards: The search identifies strings that contain what you have entered in the Start pattern and Stop pattern fields in combination with a wild card symbol (*, #, ?)
  * matches any number of characters. For example, if you have entered "Start tra*tion", the search identifies strings that contain "Start transaction".
  # matches exactly 1 digit. For example, if you have entered "# watermelon", the search identifies strings that contain, for example, "1 watermelon".
  ? matches exactly 1 character. For example, you may use the search expression "Start trans?ction" to identify strings that contain "Start transaction"

• Use regular expression: Use this match type to identify strings that contain specific notation methods or conventions, for example a date format or credit card number. For more information, see the Microsoft website (https://docs.microsoft.com/dotnet/standard/base-types/regular-expression-language-quick-reference/)

Raw data Transaction data strings from the connected transaction source are displayed in this section.

Start pattern Specify a start pattern to indicate where a transaction begins. Horizontal lines are inserted in the Preview field to visualize where the transaction starts and ends, and will help to keep individual transactions separated.

Stop pattern Specify a stop pattern to indicate where a transaction ends. A stop pattern is not mandatory, but is useful if the received data contains irrelevant information, such as information about opening hours or special offers, between actual transactions.

If you do not specify a stop pattern, the end of the receipt is defined in terms of where the next receipt starts. The start is determined by what is entered in the Start pattern field.

Add filter Use the Add filters button to point out the characters that you want to be omitted in XProtect Smart Client or replaced by other characters or a line break.

Replacing characters is useful when the transaction source string contains control characters for non-printing purposes. Adding line breaks is necessary to make receipts in XProtect Smart Client resemble the original receipts.

Filter text Displays the characters currently selected in the Raw data section. If you are aware of characters that you want to be omitted or replaced, but they do not occur in the collected raw data string, you can enter the characters manually in the Character field.

If the character is a control character, you need to enter its hexadecimal byte value. Use this format for the byte value: {XX}, or {XX, XX,...} if a character consists of more than one byte.

Action For each filter you add, you should specify how the characters you have selected are handled:
• Omit: the characters you select are filtered out
• Substitute: the characters you select are replaced with the characters you specify
• Add line break: the characters you select are replaced by a line break

Substitution Enter the text to replace the characters selected. Only relevant if you have selected the action Substitute.

Remove control characters that are not defined as filter text Remove non-printing characters that were not already removed after adding filters.

In the Raw data pane and the Preview section, see how the transaction data strings change when you enable or disable this setting.

Preview Use the Preview section to verify that you have identified and filtered out unwanted characters. The output you see here resembles what the real-life receipt looks like in XProtect Smart Client.
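
The wildcard, start/stop pattern and filter rules from the table above, modelled in Python as an added example that is not Milestone's code. The function names, the constructed receipt data, the order of operations (filters first, then splitting), keeping `*` within one line, and falling back to the next start when a stop pattern is not found are assumptions.

```python
import re

# Wildcard symbols as listed in the Match type row:
#   *  any number of characters,  #  exactly 1 digit,  ?  exactly 1 character
WILDCARDS = {"*": ".*?", "#": r"\d", "?": "."}


def wildcard_to_regex(pattern):
    """Compile a wildcard pattern; every other character is matched literally."""
    return re.compile("".join(WILDCARDS.get(ch, re.escape(ch)) for ch in pattern))


def parse_filter_text(text, encoding="latin-1"):
    """Resolve filter text: '{XX}' or '{XX, XX,...}' are hexadecimal byte values,
    decoded with the definition's encoding; anything else is taken literally."""
    m = re.fullmatch(r"\{\s*([0-9A-Fa-f]{2}(?:\s*,\s*[0-9A-Fa-f]{2})*)\s*\}", text)
    if m is None:
        return text
    return bytes(int(b, 16) for b in re.split(r"\s*,\s*", m.group(1))).decode(encoding)


def apply_filters(raw, filters, remove_control=False):
    """Apply (filter_text, action, substitution) tuples in order.
    Actions mirror the Action row: 'omit', 'substitute', 'line_break'."""
    for text, action, substitution in filters:
        replacement = {"omit": "", "substitute": substitution, "line_break": "\n"}[action]
        raw = raw.replace(parse_filter_text(text), replacement)
    if remove_control:
        # Drop non-printing characters no filter covered; keep inserted line breaks.
        raw = "".join(c for c in raw if c == "\n" or c.isprintable())
    return raw


def split_transactions(data, start_pattern, stop_pattern=None):
    """Cut data into transactions. Each one begins at a start-pattern match and
    ends at the stop-pattern match, or where the next transaction starts."""
    start_re = wildcard_to_regex(start_pattern)
    stop_re = wildcard_to_regex(stop_pattern) if stop_pattern else None
    starts = [m.start() for m in start_re.finditer(data)]
    transactions = []
    for i, begin in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(data)
        if stop_re is not None:
            stop = stop_re.search(data, begin, end)
            if stop:  # assumption: without a stop match, run to the next start
                end = stop.end()
        transactions.append(data[begin:end])
    return transactions


# Constructed sample: two receipts with control bytes (1B 40), carriage returns
# (0D) as line ends, an opening-hours line between them and a stray bell (07).
RAW = (
    b"\x1b@Start transaction 1001\r1 watermelon  2.50\r2 bread  3.00\rTOTAL 5.50\r"
    b"Open daily 8-22\r"
    b"\x1b@Start transaction 1002\r3 milk  4.20\rTOTAL 4.20\r\x07"
).decode("latin-1")

FILTERS = [("{1B, 40}", "omit", ""), ("{0D}", "line_break", "")]


def demo():
    """Filter the raw data, then split it with a start and a stop pattern."""
    cleaned = apply_filters(RAW, FILTERS, remove_control=True)
    return split_transactions(cleaned, "Start tra*tion", "TOTAL #.##")


if __name__ == "__main__":
    for receipt in demo():
        print(receipt)
        print("-" * 24)
```

Calling `split_transactions` without the stop pattern leaves the opening-hours line inside the first receipt, which is the case the Stop pattern row describes.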

Alarms node

Alarm Definitions (Alarms node)


When your system registers an event, you can configure the system to generate an alarm in
XProtect Smart Client. You must define alarms before you can use them, and alarms are defined based on
events registered in your system servers. You can also use user-defined events for triggering alarms and use
the same event to trigger several different alarms.


Alarm definition settings:

Name Description

Enable By default, the alarm definition is enabled. To disable it, clear the check box.

Name Alarm names do not have to be unique, but using unique and descriptive alarm names is advantageous in many situations.

Instructions Enter a descriptive text about the alarm and how to resolve the issue that caused the alarm.

The text appears in XProtect Smart Client when the user handles the alarm.

Triggering event Select the event message to use when the alarm is triggered. Choose from two drop-down menus:
• The first drop-down: Select the type of event, for example analytics event and system events
• The second drop-down: Select the specific event message to use. The messages available are determined by the event type you selected in the first drop-down menu

Sources Specify the sources that the events originate from. Aside from cameras or other devices, sources may also be plug-in defined sources, for example VCA and MIP. The options depend on the type of event you have selected.

Alarm trigger:

Name Description

Time profile Select the Time profile radio button to specify the time interval during which the alarm definition is active. Only the time profiles you have defined under the Rules and Events node are displayed in the list. If none are defined, only the Always option is available.

Event based If you want the alarm to be based on an event, select this radio button. Once selected, specify the start and stop event. You can select hardware events defined on cameras, video servers and input. See also Events overview. Also, global/manual event definitions can be used. See also User-defined events (explained).


Operator action required:

Name Description

Time limit Select a time limit for when operator action is required. The default value is 1 minute. The time limit is not active before you have attached an event in the Events triggered drop-down menu.

Events triggered Select which event to trigger when the time limit has passed.

Maps:

Name Description

Alarm Manager view Assign either a smart map or a map to the alarm when the alarm is listed in XProtect Smart Client > Alarm Manager.

Smart map displays alarms if they are triggered by a device and if the device is added to the smart map.

Other:

Name Description

Related cameras Select up to 15 cameras to include in the alarm definition, even if these cameras themselves do not trigger the alarm. This can be relevant, for example, if you have selected an external event message (such as a door being opened) as the source of your alarm. By defining one or more cameras near the door, you can attach the cameras' recordings of the incident to the alarm.

Initial alarm owner Select a default user responsible for the alarm.

Initial alarm priority Select a priority for the alarm. Use these priorities in XProtect Smart Client to determine the importance of an alarm.

Alarm category Select an alarm category for the alarm, for example False alarm or Need investigation.

Events triggered by alarm Define an event that the alarm can trigger in XProtect Smart Client.

Auto-close alarm If you want a particular event to automatically stop the alarm, select this check box. Not all events can trigger alarms. Clear the check box to disable the new alarm from the beginning.

Alarm assignable to Administrators Select the check box to include users with an administrator role in the Assigned to list.

The Assigned to list is in the alarm details on the Alarm Manager tab in XProtect Smart Client.

Clear the check box to filter out users with an administrator role from the Assigned to list to shorten the list.

Alarm Data Settings (Alarms node)


When you configure alarm data settings, specify the following:

Alarm Data Levels tab

Priorities

Name Description

Level Add new priorities with level numbers of your choosing or use/edit the default priority levels (numbers 1, 2 or 3). These priority levels are used to configure the Initial alarm priority setting.

Name Enter a name for the entity. You can create as many as you like.

Sound Select the sound to be associated with the alarm. Use one of the default sounds or add more in Sound Settings.

Repeat sound Decide whether the sound should play only once or repeatedly until the operator clicks the alarm in the alarm list in XProtect Smart Client.

Enable desktop notifications For each alarm priority, you can enable or disable desktop notifications. If you are using an XProtect VMS that supports Smart Client profiles, you must also enable notifications on the required Smart Client profiles. See Alarm Manager tab (Smart Client profiles) on page 454.

States

Name Description

Level In addition to the default state levels (numbers 1, 4, 9 and 11, which cannot be edited or reused), add new states with level numbers of your choosing. These state levels are only visible in the XProtect Smart Client's Alarm List.

Categories

Name Description

Level Add new categories with level numbers of your choosing. These category levels are used to configure the Initial alarm category setting.

Name Enter a name for the entity. You can create as many as you like.


Alarm List Configuration tab

Name Description

Available columns Use > to select which columns should be available in the XProtect Smart Client's Alarm List. Use < to clear selection. When done, Selected columns should contain the items to be included.

Reasons for Closing tab

Name Description

Enable Select to require that all alarms are assigned a reason for closing before they can be closed.

Reason Add reasons for closing that the user can choose between when closing alarms. Examples could be Solved-Trespasser or False Alarm. You can create as many as you like.

Sound Settings (Alarms node)


When you configure sound settings, specify the following:

Name Description

Sounds Select the sound to be associated with the alarm. The list of sounds contains a number of default Windows sounds. You can also add new sounds (.wav or .mp3).

Add Add sounds. Browse the sound file and upload one or several .wav or .mp3 files.

Remove Remove a selected sound from the list of manually added sounds. Default sounds cannot be removed.

Test Test the sound. In the list, select the sound. The sound plays once.


Federated Site Hierarchy

Federated site properties


This section describes the General tab and the Parent Site tab.

General tab

You can change some of the information related to the site that you are currently logged in to.

Name Description

Name Enter the name of the site.

Description Enter a site description.

URLs Use the list to add and remove URL(s) for this site and indicate if they are external or not. External addresses can be reached from outside the local network.

Version The version number of the site's management server.

Service account The service account under which the management server is running.

Time for last synchronization Time and date of the last synchronization of the hierarchy.

Status for last synchronization The status of the last synchronization of the hierarchy. It can be either Successful or Failed.

Parent Site tab

This tab shows information about the parent site of the site that you are currently logged in to. The tab is not
visible if your site has no parent site.

Name Description

Name Shows the name of the parent site.


Description Shows a description of the parent site (optional).

URLs Lists URL(s) for the parent site and indicates if they are external or not. External addresses can be reached from outside the local network.

Version The version number of the site's management server.

Service account The service account under which the management server is running.

Time for last synchronization Time and date of the last synchronization of the hierarchy.

Status for last synchronization The status of the last synchronization of the hierarchy. It can be either Successful or Failed.


About Milestone

Milestone Systems is a leading provider of open platform video management software; technology that
helps the world see how to ensure safety, protect assets and increase business efficiency. Milestone
Systems enables an open platform community that drives collaboration and innovation in the development
and use of network video technology, with reliable and scalable solutions that are proven in more than
150,000 sites worldwide. Founded in 1998, Milestone Systems is a stand-alone company in the Canon
Group. For more information, visit https://www.milestonesys.com/.
