Milestone XProtect VMS System Architecture Document


Milestone Systems

XProtect® VMS 2020 R3

System architecture document

XProtect Corporate
XProtect Expert
XProtect Professional+
XProtect Express+
XProtect Essential+
System architecture document | XProtect® VMS 2020 R3

Contents

Copyright, trademarks, and disclaimer
Introduction
Target audience and purpose
Overall system architecture
Server components
  Management server
  Recording server
  Media database
  Event server
  Log server
  SQL Server
  Mobile server
Client components
  XProtect Management Client
  XProtect Smart Client
  XProtect Web Client
  XProtect Mobile client
Encryption
  Introduction to certificates
Additional products and components
  MIP SDK
  Milestone Software Manager
  XProtect Smart Wall
  XProtect Access
  XProtect Transact
  XProtect LPR
  Milestone Interconnect
  XProtect DLNA Server
  Milestone Open Network Bridge
System communication and data flow
  Server communication
  Login from XProtect Smart Client
  Live video and audio
  Live video multicasting
  Matrix
  Management server – view update
  XProtect Smart Wall
  Play back video and audio
  Login from XProtect Web Client and XProtect Mobile
  Live video for XProtect Web Client and XProtect Mobile
  Recording and playback video for XProtect Web Client and XProtect Mobile
  Video push
  Milestone Interconnect live
  Milestone Interconnect recording options
  Milestone Interconnect play back
  XProtect DLNA Server
  Milestone Open Network Bridge
  Management Client configuration update
  Log server
  Event server
  XProtect Transact
  XProtect LPR
  View and manage alarms
  Data collector
  Recording server failover
  Evidence lock
  Move hardware
Ports used by the system

Copyright, trademarks, and disclaimer


Copyright © 2020 Milestone Systems A/S

Trademarks

XProtect is a registered trademark of Milestone Systems A/S.

Microsoft and Windows are registered trademarks of Microsoft Corporation. App Store is a service mark of Apple
Inc. Android is a trademark of Google Inc.

All other trademarks mentioned in this document are trademarks of their respective owners.

Disclaimer

This text is intended for general information purposes only, and due care has been taken in its preparation.

Any risk arising from the use of this information rests with the recipient, and nothing herein should be construed
as constituting any kind of warranty.

Milestone Systems A/S reserves the right to make adjustments without prior notification.

All names of people and organizations used in the examples in this text are fictitious. Any resemblance to any
actual organization or person, living or dead, is purely coincidental and unintended.

This product may make use of third-party software for which specific terms and conditions may apply. When that
is the case, you can find more information in the file 3rd_party_software_terms_and_conditions.txt located in your
Milestone system installation folder.


Introduction
This document was last updated for release 2020 R2.

This document contains illustrations and descriptions of communication and dataflow between the most common
system components in a distributed system.

The document shows a range of scenarios with a supporting illustration and a description of actions supplemented
by information about port numbers, protocols and bandwidth usage.

The illustrations are simplified and primarily focus on the general dataflow between system components. This
means that less important flows may have been omitted in order to reduce the level of complexity.


Target audience and purpose


This document's primary audience is system integrators and IT administrators with limited experience and
knowledge about Milestone XProtect VMS solutions and who are in the process of selecting, deploying,
administrating, maintaining and expanding a VMS.

The purpose of the document is to provide insight into the benefits and simplicity of using Milestone XProtect as a
VMS, including an introduction of the system components and the system architecture.

This document should enable the reader to understand:

• The overall system architecture
• The primary system components and their functions
• Guidelines for basic system design

The reader of the document should have general experience with administrating an IT installation.


Overall system architecture


To enable scaling of thousands of cameras across multiple sites, the system consists of several components that
handle specific tasks. You can install all components on a single server if the server can handle the load, or you can
install the components on separate, dedicated servers to scale and distribute the load.

Depending on hardware and configuration, smaller systems with between 50 and 100 cameras can run on a single
server.

For systems with more than 100 cameras, Milestone recommends that you use dedicated servers for all or some
of the components.

You do not need all components in all installations. However, you can add them if the functionality they offer is
needed at a later time, for example, failover recording servers or mobile servers for hosting and providing access
to both XProtect Web Client and XProtect Mobile.

The diagram below shows an overview of the system components.


Server components

Management server
The management server is the central VMS component. It handles the system configuration, distributes the
system configuration to other system components, such as the recording servers, and facilitates user
authentication.

The system configuration is stored in an SQL database on a standard Microsoft SQL Server installed on either the
management server itself or on a separate dedicated server.

Failover management server

You can get failover support on the management server by installing the management server in a Microsoft
Windows cluster. The cluster ensures that another server takes over the management server function in case the
first server fails.

Recording server
The recording server is responsible for all communication, recording, and event handling related to devices such
as cameras, video and audio encoders, I/O modules, and metadata sources. Examples of actions the recording
server handles:

• Retrieve video, audio, metadata and I/O event streams from the devices
• Record video, audio and metadata from devices
• Provide operators with access to live and recorded video, audio and metadata
• Provide operators with access to device status
• Trigger system and video events on device failures or events
• Perform motion detection and generate smart search metadata

The recording server is also responsible for communicating with other Milestone products when using the
Milestone Interconnect™ technology. For more information, see Milestone Interconnect on page 19.

Failover recording server

The failover recording server is responsible for taking over the recording task in case a recording server fails.

The failover recording server operates in two modes:

1. Standard failover, for monitoring multiple recording servers

2. Hot standby, for monitoring a single recording server


Media database
The system stores the retrieved video, audio and metadata in the customized high performance Milestone media
database which is optimized for recording and storing audio and video data.

The media database supports various unique features including multistage archiving, video grooming, encryption
and adding a digital signature to the recordings.

Event server
The event server handles the tasks related to events, alarms, maps and third-party integrations via the Milestone
Integration Platform.

Events:

• All system events are consolidated in the event server so there is a single place and interface for partners to make integrations that use system events
• The event server offers third-party access for sending events to the system via the Generic events or Analytics events interface

Alarms:

• The event server hosts the alarm feature, alarm logic, alarm state and handling of the alarm database. The alarm database is stored in the same SQL database as the management server uses

Maps:

• The event server also hosts maps. You configure and use maps in the XProtect Smart Client

Milestone Integration Platform:

• You can install third-party developed plug-ins on the event server and utilize access to system events

You can get failover support on the event server by installing the event server in a Microsoft Windows Cluster. The
cluster ensures that another server takes over the event server function in case the first server fails.

Log server
The log server is responsible for storing all log messages for the entire system. The log server typically uses the
same SQL Server as the management server but has its own SQL database. Log server is also typically installed on
the same server as the management server. If you need to increase the performance of the management server
or log server, you can install the log server on a separate server and use a separate SQL Server.

Through the log server, the system can write three types of log messages:


• System logs: the system administrator can choose to log errors, warnings, and information, or a combination of these. The default is to log errors only
• Audit logs: the system administrator can choose to log user activity in clients in addition to login and administration logs
• Rule-triggered logs: the system administrator can use the rule log to create logs on specific events

SQL Server
The management server, the event server and the log server use SQL databases on one or two SQL Server
installations to store, for example, configuration, alarms, events and log messages.

The Milestone XProtect installer includes Microsoft SQL Server Express, which is a free edition of SQL Server.

For very large systems or systems with many transactions to and from the SQL databases, Milestone recommends
that you use a Microsoft® SQL Server® Standard or Microsoft® SQL Server® Enterprise edition of the SQL Server
on a dedicated computer on the network and on a dedicated hard disk drive that is not used for other purposes.
Installing the SQL Server on its own drive improves the entire system performance.

Mobile server
XProtect Mobile server handles logins to the system from XProtect Mobile client or XProtect Web Client.

An XProtect Mobile server distributes video streams from recording servers to XProtect Mobile client or XProtect
Web Client. This offers a secure setup where recording servers are never connected to the Internet. When an
XProtect Mobile server receives video streams from recording servers, it also handles the complex conversion of
codecs and formats allowing streaming of video on the mobile device.


Client components

XProtect Management Client


The Management Client is the administration interface for all parts of the system.

The VMS is designed for large-scale operation so the Management Client is designed to run remotely from, for
example, the administrator’s computer.

When you select a function in the node tree, the settings for this node appear, typically in a second tree structure
where you can manage sub items. Once you have selected the correct item, the actual settings appear in the
properties dialog box in the upper right hand corner. The settings are grouped on various tabs if an item has many
settings.

For more information, see the administrator manual for XProtect VMS.

XProtect Smart Client


XProtect Smart Client is the main client for the VMS, offering a full set of advanced features and designed for
day-to-day use by dedicated operators.

XProtect Smart Client is designed to run remotely from the operators’ computer and supports multiscreen usage
in full screen mode as shown below or in floating windows mode where the user can resize the windows and
move them around freely.

For more information, see the user manual for XProtect Smart Client.

XProtect Web Client


XProtect Web Client is a client designed for the occasional or remote user that needs easy access to live
monitoring, playback and export. XProtect Web Client also provides access to activating system events and
outputs.

For more information, see the user manual for XProtect Web Client.

On the System Requirements web page, you can find information about compatible browsers under XProtect Web
Client.

XProtect Mobile client


The XProtect Mobile client is a client designed for the user on the go. It offers easy access to live monitoring,
playback and export of video, as well as access to activating system events and outputs.

You can use the XProtect Mobile client as a remote recording device by using the device's built-in camera and the
Milestone Video Push feature. With Video Push activated, video from the device's camera is streamed back to the
VMS and recorded as if it is a standard camera.


For more information, see the XProtect Mobile webpage and user manual.

On the System Requirements web page, you can find information about which operating systems are compatible
with XProtect Mobile.


Encryption
This section gives you an introduction to encryption and certificates.

XProtect systems support secure communication:

| From | To |
|---|---|
| Recording server | Management server |
| Management server | Recording server |
| Clients, servers, and integrations that retrieve data streams from the recording server | Recording server |
| Mobile devices | Mobile server |

When do I need to install certificates?

• If your XProtect VMS system is set up in a Windows Workgroup environment
• Before you install or upgrade to XProtect VMS 2019 R1 or newer, if you want to enable encryption during the installation
• Before you enable encryption, if you installed XProtect VMS 2019 R1 or newer without encryption
• When you renew or replace certificates due to expiry

Introduction to certificates
Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP) for secure
communication over a computer network. In HTTPS, the communication protocol is encrypted using Transport
Layer Security (TLS), or its predecessor, Secure Sockets Layer (SSL).

In XProtect VMS, the secure communication is obtained by using SSL/TLS with asymmetric encryption (RSA).

SSL/TLS uses a pair of keys—one private, one public—to authenticate, secure, and manage secure connections.

A certificate authority (CA) can issue certificates to web services on servers using a CA certificate. This certificate
contains two keys, a private key and public key. The public key is installed on the clients of a web service (service
clients) by installing a public certificate. The private key is used for signing server certificates that must be installed
on the server. Whenever a service client calls the web service, the web service sends the server certificate
including the public key to the client. The service client can validate the server certificate using the already
installed public CA certificate. The client and the server can now use the public and private server certificate to
exchange a secret key and thereby establish a secure SSL/TLS connection.


For more information about TLS: https://en.wikipedia.org/wiki/Transport_Layer_Security

In XProtect VMS, the following locations are where you can enable SSL/TLS encryption:

• In the communication between the management server and the recording servers
• On the recording server in the communication with clients, servers and integrations that retrieve data streams from the recording server
• In the communication from clients to the mobile server

Certificate distribution

The graphic illustrates the basic concept of how certificates are signed, trusted, and distributed in XProtect VMS.

A CA certificate acts as a trusted third-party, trusted by both the Subject/owner (server) and by the party that
verifies the certificate (clients) (see Create CA certificate).

The public CA certificate must be trusted on all client computers. In this way the clients can verify the validity of
the certificates issued by the CA (see Install certificates on the clients).

The CA certificate is used to issue private server authentication certificates to the servers (see Create SSL
certificate).

The created private SSL certificates must be imported to the Windows Certificate Store on all servers (see
Import SSL certificate).

Requirements for the private SSL certificate:


• Issued to the server so that the server's host name is included in the certificate, either as subject (owner) or in the list of DNS names that the certificate is issued to
• Trusted on all computers running services or applications that communicate with the service on the servers, by trusting the CA certificate that was used to issue the SSL certificate
• The service account that runs the server must have access to the private key of the certificate on the server.

Certificates have an expiry date. XProtect VMS will not warn you when a certificate is about
to expire. If a certificate expires, the clients will no longer trust the server with the expired
certificate and thus cannot communicate with it.
To renew the certificates, follow the steps in this guide as you did when you created
certificates.

For more information, see the certificates guide about how to secure your XProtect VMS installations.
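
Because the VMS gives no expiry warning, the expiry date and the host name requirement above are worth checking on a schedule. The following is an added example, not part of the Milestone documentation or product: it audits the certificate a server presents for days left before expiry and for the server's host name in the subject or DNS names. The host names, the 30-day threshold, the CA file path argument and the sample certificate are constructed assumptions.

```python
"""Added example: audit a server certificate for expiry and host name coverage."""
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # assumption: how far ahead of expiry renewal should start


def days_until_expiry(cert, now):
    """Whole days before the certificate's notAfter date (negative once expired)."""
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (not_after - now).days


def names_in_cert(cert):
    """Host names the certificate is issued to: subject commonName plus DNS names."""
    names = {value.lower() for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    return names


def host_is_covered(cert, host):
    """True if host matches a name exactly or a one-label wildcard such as *.vms.example."""
    host = host.lower()
    parent = host.split(".", 1)[1] if "." in host else None
    return any(name == host or (name.startswith("*.") and name[2:] == parent)
               for name in names_in_cert(cert))


def audit(cert, host, now, warn_days=WARN_DAYS):
    """Return a list of findings; an empty list means nothing needs attention yet."""
    findings = []
    left = days_until_expiry(cert, now)
    if left < 0:
        findings.append(f"EXPIRED {-left} day(s) ago")
    elif left <= warn_days:
        findings.append(f"expires in {left} day(s)")
    if not host_is_covered(cert, host):
        findings.append(f"host name {host} is not in the certificate's subject or DNS names")
    return findings


def fetch_cert(host, port, ca_file, timeout=5.0):
    """Live use: TLS handshake that trusts only ca_file, the CA that issued the server certificates.

    An expired or untrusted certificate makes the handshake itself fail with
    ssl.SSLCertVerificationError, the same failure the clients would see.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in the dictionary format returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "rec01.vms.example"),),),
    "subjectAltName": (("DNS", "rec01.vms.example"), ("DNS", "rec01")),
    "notAfter": "Jun 15 12:00:00 2025 GMT",
}

if __name__ == "__main__":
    sample_now = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed so the output is repeatable
    for server in ("rec01.vms.example", "rec02.vms.example"):
        print(server, audit(SAMPLE_CERT, server, sample_now) or "ok")
```

For a live check, pass the result of `fetch_cert()` and `datetime.now(timezone.utc)` to `audit()` for each server that has encryption enabled.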


Additional products and components


Available functionality depends on the system you are using. For more information, see the
product comparison webpage.

MIP SDK
The Milestone Integration Platform Software Development Kit (MIP SDK) is a comprehensive tool that makes it easy
to create applications, plug-ins or integrations for Milestone’s XProtect products.

MIP

The open platform is integrated in the following Milestone XProtect system components and applications:

• XProtect Smart Client
• XProtect Management Client
• Management Application
• Management Server
• Event Server

MIP SDK

To have a truly open platform and a community around it, Milestone provides the SDK that contains:

• The tools for developing integrations
• Documentation of a set of interfaces
• A set of wrapper .NET DLLs providing an easy interface to a variety of functionality
• A large collection of samples demonstrating different ways of using the MIP SDK
• Short descriptions and how-to guides
• A small application to display links to this information
• Libraries

The MIP SDK is also used internally by Milestone software development teams.

For more information, see the MIP SDK and Develop Forum webpages.


Milestone Software Manager


Milestone Software Manager is a tool that you, from a central point, can use to remotely install and upgrade
recording servers, recording server device packs and XProtect Smart Clients on servers or PCs in the network.

For larger installations, the tool makes it easy and fast to remotely upgrade the components that are installed on
servers and client PCs.

For more information, see the XProtect Utilities webpage and administrator manual for Milestone Software
Manager.

XProtect Smart Wall


XProtect Smart Wall is designed for control centers to display live video from selected cameras on one or more
video wall displays.

There are several ways you can select the cameras:

• Manually using the XProtect Smart Client
• Via the VMS’ rule system on events and/or time schedule
• Via MIP SDK integrations

XProtect Smart Wall does not require a dedicated XProtect software component itself, nor does it use a dedicated
XProtect client - all the required components are included in the standard XProtect Corporate management server
and XProtect Smart Client. It just needs a PC running XProtect Smart Client to show the Smart Wall views.

XProtect Smart Wall is included in XProtect Corporate. You can purchase it as an add-on
for XProtect Expert.

For more information, see the XProtect Smart Wall webpage and administrator manual.

XProtect Access
The access control integration feature introduces new functionality that makes it simple to integrate customers’
access control systems with XProtect. You get:

• A common operator user interface for multiple access control systems in XProtect Smart Client
• Faster and more powerful integration of access control systems
• More functionality for the operator (see below)

In XProtect Smart Client, the operator gets:


• Live monitoring of events at access points
• Operator aided passage for access requests
• Map integration
• Alarm definitions for access control events
• Investigation of events at access points
• Centralized overview and control of door states
• Cardholder information and management

The use of XProtect Access requires that you have purchased a base license that allows you
to access this feature within your XProtect system. You also need an access control door
license for each door you want to control.

You can use XProtect Access with access control systems from vendors where a vendor-
specific plug-in for XProtect Access exists. You must install this plug-in on the event server
before you can start an integration.

For more information, see the XProtect Access webpage and administrator manual.

XProtect Transact
XProtect Transact is an add-on to Milestone's IP video surveillance solutions XProtect VMS and XProtect
Professional VMS.

XProtect Transact is a tool for observing ongoing transactions and investigating transactions in the past. The
transactions are linked with the digital surveillance video monitoring the transactions, for example to help you
prove fraud or provide evidence against a perpetrator. There is a 1-to-1 relationship between the transaction lines
and video images.

The transaction data may originate from different types of transaction sources, typically point of sales (PoS)
systems or automated teller machines (ATM).

For more information, see the XProtect Transact webpage and administrator manual.

XProtect LPR
XProtect LPR offers video-based content analysis (VCA) and recognition of vehicle license plates that interacts with
your surveillance system and your XProtect Smart Client.

To read the characters on a plate, XProtect LPR uses optical character recognition on images aided by specialized
camera settings.

You can combine LPR (license plate recognition) with other surveillance features such as recording and event-
based activation of outputs.


Examples of events in XProtect LPR:

• Trigger surveillance system recordings in a particular quality
• Activate alarms
• Match against positive/negative license plate match lists
• Open gates
• Switch on lights
• Push video of incidents to computer screens of particular security staff members
• Send mobile phone text messages

With an event, you can activate alarms in XProtect Smart Client.

For more information, see the XProtect LPR webpage and administrator manual.

Milestone Interconnect
Milestone Interconnect allows you to integrate several XProtect or Milestone Husky™ installations with one
XProtect Corporate central site. You can also install these sites, called remote sites, on mobile units, for example,
boats, busses or trains. This means that such sites do not need to be permanently connected to a network.

The central site considers the remote site as an advanced camera or multi-channel encoder with edge storage
capabilities.

Each remote site runs independently and can perform surveillance tasks as configured. Depending on the network
connections and appropriate user rights, Milestone Interconnect offers you direct live viewing of remote site
cameras and play back of remote site recordings on the central site.

It also offers you the possibility to transfer remote site recordings to the central site based on either system-
defined events, rules, schedules or by manual requests from XProtect Smart Client users.

The central site can only see and access devices that the user account specified on the remote site has access to.
This allows local system administrators on the remote sites to control which devices should be made available to
the central site and its users.

On the central site, you can view the status for the interconnected cameras, but not the entire status of the
remote site. Instead, to monitor the remote site, you can use remote site events to trigger alarms or other
notifications on the central site.

Only XProtect Corporate systems can work as central sites. All other products can act as remote sites including
XProtect Corporate. How the specific products interact in a Milestone Interconnect setup depends on the version
of the XProtect or Milestone Husky installations, the number of cameras and how devices and events are
configured on the remote site.

For more information, see the Milestone Interconnect webpage and documentation.


It is not possible to add systems with free XProtect installation as remote sites.

XProtect DLNA Server


DLNA (Digital Living Network Alliance) is a standard for connecting multimedia devices. Electronics manufacturers get
their products DLNA certified to ensure interoperability between different vendors and devices and thereby
enable them to distribute multimedia content such as audio, video, and photos.

Public displays and TVs are often DLNA certified and connected to a network. They are able to scan the network for
media content, connect to the device, and request a media stream to their built-in media player. XProtect DLNA
Server can be discovered by certain DLNA certified devices and deliver live video streams from selected cameras
to DLNA certified devices with a media player.

The DLNA devices have a live video delay of 1-10 seconds. This is caused by different buffer
sizes in the devices.

XProtect DLNA Server must be connected to the same network as the XProtect system and the DLNA device must
be connected to the same network as XProtect DLNA Server.

For more information, see the XProtect DLNA Server feature brief and administrator manual.

Milestone Open Network Bridge


The ONVIF standard facilitates full video interoperability in multivendor installations and ensures information
exchange by defining a common protocol. The protocol contains ONVIF profiles, which are collections of
specifications for interoperability between ONVIF compliant devices.

Milestone Open Network Bridge is compliant with the parts of ONVIF Profile G and Profile S that provide access to
live and recorded video, and the ability to control pan-tilt-zoom cameras:

• Profile G - Provides support for video recording, storage, search, and retrieval. For more information, see ONVIF Profile G Specification (https://www.onvif.org/profiles/profile-g/).
• Profile S - Provides support for streaming live video using the H.264 codec, audio streaming, and pan-tilt-zoom (PTZ) controls. For more information, see ONVIF Profile S Specification (https://www.onvif.org/profiles/profile-s/).

For more information about the ONVIF standard, see the ONVIF® website (https://www.onvif.org/).

ONVIF Profiles support “get” functions that retrieve data, and “set” functions that configure settings. Each function
is either mandatory, conditional, or optional. For security reasons, Milestone Open Network Bridge supports only
the mandatory, conditional, and optional “get” functions that do the following:


• Request video
• Authenticate users
• Stream video
• Play recorded video

For more information, see the Ecosystem webpage and administrator manual for Milestone Open Network Bridge.


System communication and data flow

Server communication

| No. | Component | Port | Protocol | Bandwidth |
|---|---|---|---|---|
| 1 | Management server - Recording server | 9993 | TCP | 1 kbit/call |
| 2 | Recording server - Media database | - | - | - |
| 3 | Management server - Internal | 8080 | UDP | 1 kbit/call |
| 4 | SQL database communication | 1433 | TCP | 1 kbit/call |
| 5 | Management server - Mobile server | 80 | HTTP | 1 kbit/call |


Login from XProtect Smart Client

| No. | Process | Port | Protocol | Bandwidth |
|---|---|---|---|---|
| 1 | XProtect Smart Client connects to the management server and attempts to log in | Configurable. Typically port 80 for an AD user and port 443 for a basic user | HTTP for an AD user and HTTPS for a basic user | Low, 1 kbit/call |
| 2 | The management server contacts Active Directory to authenticate the user | OS- and AD-dependent | OS- and AD-dependent | Low, 5 kbit/call |
| 3 | User-specific configuration is retrieved from the SQL database | 1433 | TCP | Depends on configuration |
| 4 | Login is granted and the configuration is sent to XProtect Smart Client | Configurable. Typically port 80 for an AD user and port 443 for a basic user | HTTP for an AD user and HTTPS for a basic user | Depends on configuration. Typically 1-10 MByte |


Live video and audio

| No. | Process | Port | Protocol | Bandwidth |
|---|---|---|---|---|
| 1 | Live streams from cameras retrieved by the recording server | Configurable. Typically port 80 | Configurable. Typically RTSP, UDP, TCP/IP | Device configurable. Typically 1-10 Mbit/s |
| 2 | Streams are sent to XProtect Smart Client on request | Configurable. The default port is 7563 | Configurable, TCP/IP, UDP Multicast. The default is TCP/IP | Usage-dependent, sum of camera streams viewed |


Live video multicasting

| No. | Process | Port | Protocol | Bandwidth |
|---|---|---|---|---|
| 1 | Live streams from cameras retrieved by the recording server | Configurable. Typically port 80 | Configurable. Typically RTSP, UDP, TCP/IP | Device configurable. Typically 1-10 Mbit/s |
| 2 | Recording server sends multicast stream to the multicast enabled network. This requires that all switches handling the data traffic between the XProtect Smart Client and the recording server must be configured for multicast | Configurable. The default port range is 6000-7000 | UDP IGMP Multicast | Usage-dependent, sum of camera streams viewed |
| 3 | The multicast stream is received by all XProtect Smart Clients on request | Configurable. The default port range is 6000-7000 | UDP IGMP Multicast | Usage-dependent, sum of camera streams viewed |


Matrix

| # | Process | Port | Protocol | Bandwidth |
|---|---|---|---|---|
| 1 | XProtect Smart Client user selects to send a camera to a Matrix-recipient | N/A | N/A | N/A |
| 2 | Information is sent to management server | Configurable. Typically port 80 for an AD user and port 443 for a basic user | HTTP for AD user and HTTPS for basic user | Low, 1 kbit/call |
| 3 | Management server sends request to Matrix-recipient on specified IP address and port (XProtect Smart Client B) | Configurable. The default port is 12345 | TCP/IP | Low, 1 kbit/call |
| 4 | Streams are sent to XProtect Smart Client from recording server on request | Configurable. The default port is 7563 | Configurable, TCP/IP, UDP Multicast. The default is TCP/IP | Usage dependable, sum of camera streams viewed |


Management server – view update

| # | Process | Port | Protocol | Bandwidth |
|---|---|---|---|---|
| 1 | View updated on XProtect Smart Client | Configurable. Typically port 80 for an AD user and port 443 for a basic user | HTTP for an AD user and HTTPS for a basic user | Low, 1 kbit/call |
| 2 | The system configuration is stored in the SQL database | 1433 | TCP | Low, 1 kbit/call |
| 3 | The management server sends notification about view update to XProtect Smart Clients | Configurable. Typically port 80 for an AD user and port 443 for a basic user | HTTP for an AD user and HTTPS for a basic user | Low, 1 kbit/call + constant low use |
| 4 | XProtect Smart Clients retrieves and applies the new view | Configurable. Typically port 80 for an AD user and 443 for a basic user | HTTP for an AD user and HTTPS for a basic user | Low, 1 kbit/call |


XProtect Smart Wall

| # | Process | Port | Protocol | Bandwidth |
|---|---|---|---|---|
| 1 | An XProtect Smart Client user updates the XProtect Smart Wall view | Configurable. The default is 5432 (disabled by default) | TCP/IP | Low, 1 kbit/call |
| 2 | The XProtect Smart Wall view configuration is updated and stored in the SQL database | 1433 | TCP | Low, 1 kbit/call |
| 3 | The management server sends a notification to the XProtect Smart Client running the XProtect Smart Wall | Configurable. Typically 80 for an AD user and 443 for a basic user | HTTP for an AD user and HTTPS for a basic user | Low, 1 kbit/call |
| 4 | The XProtect Smart Client running the XProtect Smart Wall retrieves and applies new layout | Configurable. Typically 80 for an AD user and 443 for a basic user | HTTP for an AD user and HTTPS for a basic user | Low, 1 kbit/call |


Play back video and audio

| # | Process | Port | Protocol | Bandwidth |
|---|---|---|---|---|
| 1 | Recording stream from cameras retrieved by the recording server | Configurable. Typically port 80 | Configurable. Typically RTSP, UDP, TCP/IP | Device configurable. Typically 1-10 Mbit/s |
| 2 | The stream is recorded in the recording server database based on rules | N/A | N/A | Device configurable. Typically 1-10 Mbit/s |
| 3 | The recorded stream is retrieved by XProtect Smart Client on playback request | Configurable. The default port is 7563 | TCP/IP | Usage dependable, sum of camera streams viewed |


Login from XProtect Web Client and XProtect Mobile

| # | Process | Port | Protocol | Bandwidth |
|---|---|---|---|---|
| 1 | Login request from XProtect Web Client or XProtect Mobile received on the mobile server | Configurable. Typically 8081 for HTTP and 8082 for HTTPS | HTTP or HTTPS | Low, 1 kbit/call |
| 2 | The mobile server forwards request to the management server | Configurable. Typically 80 for an AD user and 443 for a basic user | HTTP for an AD user and HTTPS for a basic user | Low, 1 kbit/call |
| 3 | The management server contacts Active Directory to authenticate the user | OS- and AD-dependent | OS- and AD-dependent | Low, 1 kbit/call |
| 4 | User-specific configuration is retrieved from the SQL database | 1433 | TCP | Configuration dependent |
| 5 | Information returned to the mobile server | Configurable. Typically 80 for an AD user and 443 for a basic user | HTTP for an AD user and HTTPS for a basic user | Configuration dependent, typically 1-10 MByte |
| 6 | The login is granted and configuration is sent to XProtect Web Client or XProtect Mobile | Configurable. Typically 8081 for HTTP and 8082 for HTTPS | HTTP or HTTPS | Configuration dependent, typically < 100 kByte |

Live video for XProtect Web Client and XProtect Mobile

| # | Process | Port | Protocol | Bandwidth |
|---|---|---|---|---|
| 1 | Live stream(s) from cameras retrieved on the recording server | Configurable. Typically port 80 | Configurable. Typically RTSP, UDP, TCP/IP | Device configurable. Typically 1-10 Mbit/s |
| 2 | Streams are sent to the mobile server for transcoding or as direct streaming | Configurable. The default is 7563 | Configurable, TCP/IP, UDP Multicast. The default is TCP/IP | Usage dependable, sum of camera streams viewed |
| 3 | Video is streamed to the clients | Configurable. Typically 8081 for HTTP and 8082 for HTTPS | HTTP or HTTPS | Transcoding: typically 50–200 kbit/s. Native: device configurable. Typically 0.05-1 Mbit/s |

Recording and playback video for XProtect Web Client and XProtect Mobile

| # | Process | Port | Protocol | Bandwidth |
|---|---|---|---|---|
| 1 | Recording stream from cameras retrieved on the recording server | Configurable. Typically port 80 | Configurable. Typically RTSP, UDP, TCP/IP | Device configurable. Typically 1-10 Mbit/s |
| 2 | The stream is recorded in the recording server database based on rules | Configurable. The default is 7563 | Configurable. TCP/IP, UDP Multicast. The default is TCP/IP. | Usage dependable, sum of camera streams viewed |
| 3 | Recordings are sent to the mobile server for transcoding or as direct streaming | Configurable. Typically 8081 for HTTP and 8082 for HTTPS | HTTP or HTTPS | Transcoding: typically 50–200 kbit/s. Native: device configurable. Typically 1-10 Mbit/s |
| 4 | Video is streamed to clients | - | - | - |

Video push


| # | Process | Port | Protocol | Bandwidth |
|---|---|---|---|---|
| 1 | Video push stream from a device running XProtect Mobile is sent instantly to the mobile server | Configurable. Typically port 8081 for HTTP and port 8082 for HTTPS | HTTP or HTTPS | Usage dependable, resolution and frame-rate set up in the mobile device. Typically 0.05 – 1 Mbit/s |
| 2 | The video push stream is retrieved by recording server using the specific video push device driver | Configurable. Typically port 40001 (40002, 40003, if many devices are present) | TCP/IP | Usage dependable, resolution and frame-rate set up in the mobile device. Typically 0.05 – 1 Mbit/s |

Milestone Interconnect live


This illustrates how XProtect Smart Client users, specified for the interconnected system, only need to log into the management server on the central site to view video

| # | Process | Port | Protocol | Bandwidth |
|---|---|---|---|---|
| 1 | Live stream(s) from the remote site cameras retrieved by the remote site recording server | Configurable. Typically 80 | Configurable. Typically RTSP, UDP, TCP/IP | Device configurable. Typically 1-10 Mbit/s |
| 2 | Live streams from the remote site recording server retrieved by the central site recording server | Configurable. The default is 7563* | TCP/IP | Usage dependable, sum of camera streams viewed |
| 3 | Stream(s) are sent to XProtect Smart Client on request | Configurable. The default is 7563 | Configurable, TCP/IP, UDP Multicast. The default is TCP/IP | Usage dependable, sum of camera streams viewed |

* In XProtect Professional VMS the default port is 80, events 22331, central 1237 must be open. The recording server on the central site connects to the remote site in the same way as a XProtect Smart Client


Milestone Interconnect recording options

This highlights some of the different options when configuring your system recording settings

| Process | Port | Protocol | Bandwidth |
|---|---|---|---|
| No recording | - | - | - |
| Record at remote site only | - | - | - |
| Retrieve recordings from remote site on request | - | - | - |
| Retrieve recordings from remote site based on rule (time profile) | - | - | - |
| Record at central site only | - | - | - |
| Retrieve recordings from remote site after site link down | - | - | - |
| Record at both sites | - | - | - |
| Combinations of above and other options | - | - | - |

These options could also be combined with cameras that have edge storage capabilities

Milestone Interconnect play back

This illustrates when recording is done on both sites. Recordings can be retrieved to the central site based on schedule, event or request. XProtect Smart Client users, specified for the interconnected system, only need to log into the management server on the central site to view video

| # | Process | Port | Protocol | Bandwidth |
|---|---|---|---|---|
| 1 | Recording stream from the remote site cameras retrieved by the remote site recording server | Configurable. Typically 80 | Configurable. Typically RTSP, UDP, TCP/IP | Device configurable. Typically 1-10 Mbit/s |
| 2 | The stream is recorded in the remote site recording server database based on rules | N/A | N/A | - |
| 3 | Recording stream from the remote site recording server retrieved by the central site recording server | Configurable. The default is 7563* | TCP/IP | Sum of camera streams viewed |
| 4 | The stream is recorded in the central site recording server database based on rules. Recordings not available due to remote site link downtime can be retrieved automatically or based on schedule, event or request | | N/A | Configurable by remote retrieval settings |
| 5 | The recorded stream(s) are retrieved by XProtect Smart Client on playback request | Configurable. The default is 7563 | TCP/IP | Sum of camera streams viewed |

* In XProtect Professional VMS the default port is 80, events 22331, central 1237 must be open. The recording server on the central site connects to the remote site in the same way as a XProtect Smart Client

XProtect DLNA Server


| # | Process | Port | Protocol | Bandwidth |
|---|---|---|---|---|
| 1 | The XProtect DLNA Server connects to the management server to authorize itself with the provided credentials | Configurable. Typically port 80 for an AD user and port 443 for a basic user | HTTP for an AD user and HTTPS for a basic user | Low, 1 kbit/call |
| 2 | A DLNA device scans the network and connects to the XProtect system via the XProtect DLNA Server and requests a live camera video stream | Configurable. The default port is 9100 | HTTP | Low, 1 kbit/call |
| 3 | XProtect DLNA Server retrieves the requested camera video stream from the recording server | Configurable. The default port is 7563 | TCP/IP | Usage dependable, sum of camera streams viewed |
| 4 | XProtect DLNA Server sends the live video stream from the requested camera to the DLNA device | Configurable. The default port is 9200 | HTTP | Usage dependable, sum of camera streams viewed |

Only H.264 encoded camera streams are supported. If a camera supports multiple streams, only the
default stream is sent. The system administrator manages the entire XProtect DLNA Server
configuration from the Management Client. For example, selecting cameras available


Milestone Open Network Bridge

| # | Process | Port | Protocol | Bandwidth |
|---|---|---|---|---|
| 1 | Login, stream or PTZ request from ONVIF client received on the Milestone Open Network Bridge server. The Milestone Open Network Bridge is a gateway for non-Milestone clients to the Milestone VMS | Configurable. The default is 580 | HTTP for an AD user and HTTPS for a basic user | Low, 1 kbit/call |
| 2 | The Milestone Open Network Bridge forwards the login request to the management server to authenticate the user. Access to the Milestone VMS is granted and sent to the Milestone Open Network Bridge server | Configurable. Typically 80 for an AD user and 443 for a basic user | HTTP for an AD user and HTTPS for a basic user | Low, 1 kbit/call |
| 3 | Requested live or playback stream from the recording server is retrieved by the Milestone Open Network Bridge server | Configurable. The default port is 7563 | TCP/IP | Usage dependable, sum of camera streams viewed |
| 4 | Video is streamed to the ONVIF client | Configurable. The default port is 554 | RTSP | Usage dependable, sum of camera streams viewed |


Management Client configuration update

| # | Process | Port | Protocol | Bandwidth |
|---|---|---|---|---|
| 1 | Configuration updated on the Management Client | - | - | - |
| 2 | Changes are stored on the management server | Configurable. Typically 80 for an AD user and 443 for a basic user | HTTP for an AD user and HTTPS for a basic user | Low, 10 kbit/call |
| 3 | Configuration update sent to relevant components. In this case, the recording server | 9993 | TCP/IP | Low, 1 kbit/call |
| 4 | If updates concern cameras, the recording server applies new settings | Configurable. Typically 80 for HTTP and 443 for HTTPS | HTTP or HTTPS | Low, 1 kbit/call |


Log server

| # | Process | Port | Protocol | Bandwidth |
|---|---|---|---|---|
| 1 | The Management server or recording server creates a log message | 9993 | TCP | Low, 1 kbit/call |
| 2 | The log message is forwarded to the log server | 22337 | HTTP | Low, 1 kbit/call |
| 3 | The log message is stored in the log server's SQL database | 1433 | TCP | Low, 1 kbit/call |


Event server

| Process | Port | Protocol | Bandwidth |
|---|---|---|---|
| Data about alarms, access control or map updates are received by the event server | - | - | - |
| Third-party integrations MIP message communication | 22333 | TCP/IP | Low, 1 kbit/call |
| Access control integrations | Depends on the integration | TCP/IP | Low, 1 kbit/call |
| XProtect Access. The event server Plug-in is a client to the access control system | Random or fixed. Paxton 8025 | TCP/IP | Low, 1 kbit/call |
| Analytics events | Configurable. The default port is 9090 | TCP/IP | Low, 1 kbit/call |
| Generic events | Configurable. The default ports are 1234 and 1235 | TCP/IP, UDP | Low, 1 kbit/call |
| Recording server | 7563 | TCP | Low, 1 kbit/call |
| The event server sends data to XProtect Smart Client to show in alarm list, XProtect Access or the map overview. The XProtect Smart Client user responds to the notification and returns data to event server | - | - | - |

XProtect Transact

| # | Process | Port | Protocol | Bandwidth |
|---|---|---|---|---|
| 1 | Transaction data generated by the transaction source is sent to the event server and stored | Configurable. Typically 80 | TCP/IP | Low, 10 kbit/call |
| 2 | The event server sends transaction data to XProtect Smart Client. View items containing transaction data and the associated video is updated | Configurable. The default is 22331, 22333 | TCP/IP | Low, 1 kbit/call |
| | The system administrator manages the entire XProtect Transact configuration from the Management Client. For example, setting up transaction sources, associated cameras, definitions and events | - | - | - |

XProtect LPR

| # | Process | Port | Protocol | Bandwidth |
|---|---|---|---|---|
| 1 | Live streams from cameras configured for LPR (License Plate Recognition) retrieved by the recording server | Configurable. Typically 80 | Configurable. Typically RTSP, UDP, TCP/IP | Device configurable. Typically 1-10 Mbit/s |
| 2 | Streams from the recording server retrieved by the LPR server | Configurable. The default is 7563 | TCP/IP | Usage dependable, sum of camera streams viewed |
| 3 | The LPR server recognizes license plates by comparing them with the license plate characteristics of the installed country modules. Found license plates are compared with the license plate match list requests from the event server LPR plug-in | 22334 | TCP/IP | Low, 1 kbit/call |
| 4 | The event server sends events and alarms to XProtect Smart Client when there is a match | Configurable. The default is 22331, 22333 | TCP/IP | Low, 1 kbit/call |

The system administrator manages the entire XProtect LPR configuration, for example, setting up
events, alarms, and match lists from the Management Client. To be able to configure XProtect LPR
from the Management Client you must install the LPR plug-in on the Management Client computer


View and manage alarms

| # | Process | Port | Protocol | Bandwidth |
|---|---|---|---|---|
| 1 | XProtect Smart Client requests an alarm list from event server | Configurable. The default port is 22331 | TCP/IP | Low, 1 kbit/call |
| 2 | The alarm list is retrieved from the SQL database and returned to XProtect Smart Client | 1433 | TCP | Low, 100 kbit/call |
| 3 | The alarm is handled and its state/details is updated by the user | - | - | - |
| 4 | New state/details stored in the SQL database | 1433 | TCP | Low, 1 kbit/call |


Data collector

| # | Process | Port | Protocol | Bandwidth |
|---|---|---|---|---|
| 1 | System status received on management server delivered by: log server, event server, recording server, failover recording server and mobile server | 7609 | HTTP | Low, 10 kbit/call |
| 2 | The collected data is stored in an SQL database on a SQL Server | 1433 | TCP | Low, 1 kbit/call |
| 3 | XProtect Smart Client or the Management Client requests status via System Monitor | 80 | HTTP | Low, 1 kbit/call |
| 4 | Requested data is collected from an SQL database on a SQL Server | 1433 | TCP | Low, 100 kbit/call |
| 5 | Data returned to clients | 80 | HTTP | Low, 100 kbit/call |


Recording server failover

| # | Process | Port | Protocol | Bandwidth |
|---|---|---|---|---|
| 1 | Video streamed from the recording server | Configurable. The default port is 7563 | Configurable. TCP/IP, UDP Multicast. Default TCP/IP | Sum of camera streams viewed |
| 2 | Alive messages exchanged between recording and failover recording server | Configurable. Default is 11000 | Configurable, TCP/IP | Low, 1 kbit/call |
| 3 | Cold standby: failover message sent, configuration retrieved, start failover. Hot standby: failover message sent, start failover | 80 | HTTP | Configuration dependent |
| 4 | Configuration updated with active failover recording server | 1433 | TCP | Low, 1 kbit/call |
| 5 | Update configuration message sent to the management server | 80 | HTTP | Low, 1 kbit/call |
| 6 | Update message distributed to all clients | Configurable. Typically 80 for an AD user and 443 for a basic user | HTTP for an AD user and HTTPS for a basic user | Low, 1 kbit/call |
| 7 | Video streamed from failover recording server | Configurable. The default port is 7563 | Configurable. TCP/IP, UDP Multicast. Default TCP/IP | Sum of camera streams viewed |
| | Media retrieved from failover recording server when recording server is available | 5210 | TCP | - |

Evidence lock


| # | Process | Port | Protocol | Bandwidth |
|---|---|---|---|---|
| 1 | The user creates an evidence lock in XProtect Smart Client. XProtect Smart Client sends the information to the management server | Configurable. Typically port 80 for an AD user and port 443 for a basic user | HTTP for AD User and HTTPS for a basic user | Low, 1 kbit/call |
| 2 | The management server informs the recording server to store and protect the locked recordings in the Media database | 9993 | TCP | Low, 1 kbit/call |
| 3 | The management server stores information about the evidence lock in the SQL database | 1433 | TCP | Low, 1 kbit/call |

Move hardware


| # | Process | Port | Protocol | Bandwidth |
|---|---|---|---|---|
| 1 | The user moves hardware from recording server 1 to recording server 2 in Management Client | - | - | - |
| 2 | The management server receives the update in the system configuration and stores it in the SQL database | 1433 | TCP | Low, 1 kbit/call |
| 3 | The management server sends update to recording server 1 | 9993 | TCP | Low, 1 kbit/call |
| 4 | The management server sends update to recording server 2 | 9993 | TCP | Low, 1 kbit/call |
| 5 | Recording server 2 connects to Hardware. All new recordings are stored in the recording server 2 database | - | - | - |
| | Old recordings are still available on recording server 1. The system deletes them when the retention time expires. Recordings marked with evidence lock are not deleted until the evidence lock's retention time expires | 5210 | TCP | - |
| | Clients connect to recording server 2 | - | - | - |


Ports used by the system


All XProtect components and the ports needed by them are listed below. To ensure, for example, that the firewall
blocks only unwanted traffic, you need to specify the ports that the system uses. You should only enable these
ports. The lists also include the ports used for local processes.

They are arranged in two groups:

- Server components (services) offer their service on particular ports which is why they need to listen for
client requests on these ports. Therefore, these ports need to be opened in the Windows Firewall for
inbound and outbound connections

- Client components (clients) initiate connections to particular ports on server components. Therefore,
these ports need to be opened for outbound connections. Outbound connections are typically open by
default in the Windows Firewall

If nothing else is mentioned, ports for server components must be opened for inbound connections, and ports for
client components must be opened for outbound connections.

Do keep in mind that server components can act as clients to other server components. These are not explicitly
listed in this doc.

The port numbers are the default numbers, but this can be changed. Contact Milestone support, if you need to
change ports that are not configurable through the Management Client.

Server components (inbound connections)

Each of the following sections list the ports that need to be opened for a particular service. To figure out which
ports need to be opened on a particular computer, you need to consider all services running on the computer.
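
The rule above (take every service on the computer into account, expose only what the tables list) can be checked mechanically. The following is an added example, not Milestone code: the role names and the sample rule list are assumptions made here, and the port data is a subset of the default inbound ports listed in this section.

```python
"""Inbound firewall allow-list for one XProtect computer, built from its roles.

Added example. Port numbers are the documented defaults; role names are
hypothetical labels chosen for this sketch.
"""
from typing import NamedTuple


class Port(NamedTuple):
    number: int
    transport: str = "TCP"     # HTTP, HTTPS and SMTP rows are filtered as TCP
    local_only: bool = False   # the table says "local connection only"
    optional: bool = False     # disabled by default, or only used when a
                               # feature or data source is enabled


# Subset of the "Server components (inbound connections)" tables.
INBOUND = {
    "management": [Port(80), Port(443), Port(6473, local_only=True),
                   Port(8080, local_only=True), Port(9000), Port(12345),
                   Port(12974)],
    "sql": [Port(1433)],
    "event": [Port(1234, optional=True), Port(1234, "UDP", optional=True),
              Port(1235, optional=True), Port(9090, optional=True),
              Port(22331), Port(22333)],
    "recording": [Port(25, optional=True), Port(5210),
                  Port(5432, optional=True), Port(7563),
                  Port(8966, local_only=True), Port(9001), Port(11000),
                  Port(12975), Port(65101, "UDP", local_only=True)],
    "log": [Port(22337)],
}


def _check_roles(roles):
    unknown = set(roles) - INBOUND.keys()
    if unknown:
        raise ValueError(f"unknown role(s): {sorted(unknown)}")


def required_inbound(roles, enabled_optional=frozenset()):
    """Ports that must accept remote connections for the given roles."""
    _check_roles(roles)
    needed = set()
    for role in roles:
        for port in INBOUND[role]:
            if port.local_only:
                continue                      # never needs a firewall opening
            if port.optional and port.number not in enabled_optional:
                continue                      # feature not switched on
            needed.add((port.number, port.transport))
    return needed


def audit(roles, allowed, enabled_optional=frozenset()):
    """Compare a host's inbound allow rules with what its roles require."""
    needed = required_inbound(roles, enabled_optional)
    local = {(p.number, p.transport)
             for role in roles for p in INBOUND[role] if p.local_only} - needed
    allowed = set(allowed)
    return {
        "missing": sorted(needed - allowed),             # service unreachable
        "local_only_exposed": sorted(allowed & local),   # should stay on loopback
        "unexpected": sorted(allowed - needed - local),  # not an XProtect default
    }


# Constructed sample: inbound allow rules on a host that runs the Management
# Server service and SQL Server. 3389 is not in any XProtect table.
SAMPLE_RULES = [(80, "TCP"), (443, "TCP"), (1433, "TCP"), (8080, "TCP"),
                (9000, "TCP"), (3389, "TCP")]

if __name__ == "__main__":
    for finding, ports in audit({"management", "sql"}, SAMPLE_RULES).items():
        print(f"{finding}: {ports}")
```

If ports were changed in the Management Client, update `INBOUND` to match before auditing.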

Management Server service and related processes

| Port number | Protocol | Process | Connections from... | Purpose |
|---|---|---|---|---|
| 80 | HTTP | IIS | All XProtect components | Main communication, for example, authentication and configurations. |
| 80 | HTTP | IIS | The Management Server service and Recording Server services | Registration of recording servers and management servers by the Identity Server app pool (IDP). |
| 443 | HTTPS | IIS | XProtect Smart Client and the Management Client | Authentication of basic users. |
| 6473 | TCP | Management Server service | Management Server Manager tray icon, local connection only. | Showing status and managing the service. |
| 8080 | TCP | Management server | Local connection only. | Communication between internal processes on the server. |
| 9000 | HTTP | Management server | Recording Server services | Web service for internal communication between servers. |
| 12345 | TCP | Management Server service | XProtect Smart Client | Communication between the system and Matrix recipients. You can change the port number in the Management Client. |
| 12974 | TCP | Management Server service | Windows SNMP Service | Communication with the SNMP extension agent. Do not use the port for other purposes even if your system does not apply SNMP. In XProtect 2014 systems or older, the port number was 6475. In XProtect 2019 R2 systems and older, the port number was 7475. |

SQL Server service


| Port number | Protocol | Process | Connections from... | Purpose |
|---|---|---|---|---|
| 1433 | TCP | SQL Server | Management Server service | Storing and retrieving configurations. |
| 1433 | TCP | SQL Server | Event Server service | Storing and retrieving events. |
| 1433 | TCP | SQL Server | Log Server service | Storing and retrieving log entries. |

Data Collector service

| Port number | Protocol | Process | Connections from... | Purpose |
|---|---|---|---|---|
| 7609 | HTTP | IIS | On the management server computer: Data Collector services on all other servers. On other computers: Data Collector service on the Management Server. | System Monitor. |

Event Server service

| Port number | Protocol | Process | Connections from... | Purpose |
|---|---|---|---|---|
| 1234 | TCP/UDP | Event Server Service | Any server sending generic events to your XProtect system. | Listening for generic events from external systems or devices. Only if the relevant data source is enabled. |
| 1235 | TCP | Event Server service | Any server sending generic events to your XProtect system. | Listening for generic events from external systems or devices. Only if the relevant data source is enabled. |
| 9090 | TCP | Event Server service | Any system or device that sends analytics events to your XProtect system. | Listening for analytics events from external systems or devices. Only relevant if the Analytics Events feature is enabled. |
| 22331 | TCP | Event Server service | XProtect Smart Client and the Management Client | Configuration, events, alarms, and map data. |
| 22333 | TCP | Event Server service | MIP Plug-ins and applications. | MIP messaging. |

Recording Server service

| Port number | Protocol | Process | Connections from... | Purpose |
|---|---|---|---|---|
| 25 | SMTP | Recording Server Service | Cameras, encoders, and I/O devices. | Listening for event messages from devices. The port is disabled by default. (Deprecated) Enabling this will open a port for non-encrypted connections and is not recommended. |
| 5210 | TCP | Recording Server Service | Failover recording servers. | Merging of databases after a failover recording server had been running. |
| 5432 | TCP | Recording Server Service | Cameras, encoders, and I/O devices. | Listening for event messages from devices. The port is disabled by default. |
| 7563 | TCP | Recording Server Service | XProtect Smart Client, Management Client | Retrieving video and audio streams, PTZ commands. |
| 8966 | TCP | Recording Server Service | Recording Server Manager tray icon, local connection only. | Showing status and managing the service. |
| 9001 | HTTP | Recording Server Service | Management server | Web service for internal communication between servers. If multiple Recording Server instances are in use, every instance needs its own port. Additional ports will be 9002, 9003, etc. |
| 11000 | TCP | Recording Server Service | Failover recording servers | Polling the state of recording servers. |
| 12975 | TCP | Recording Server Service | Windows SNMP service | Communication with the SNMP extension agent. Do not use the port for other purposes even if your system does not apply SNMP. In XProtect 2014 systems or older, the port number was 6474. In XProtect 2019 R2 systems and older, the port number was 7474. |
| 65101 | UDP | Recording Server service | Local connection only | Listening for event notifications from the drivers. |

In addition to the inbound connections to the Recording Server service listed above, the
Recording Server service establishes outbound connections to cameras, NVRs and remote
interconnected sites (Milestone Interconnect ICP).

Failover Server service and Failover Recording Server service

| Port number | Protocol | Process | Connections from... | Purpose |
|---|---|---|---|---|
| 25 | SMTP | Failover Recording Server Service | Cameras, encoders, and I/O devices. | Listening for event messages from devices. The port is disabled by default. (Deprecated) Enabling this will open a port for non-encrypted connections and is not recommended. |
| 5210 | TCP | Failover Recording Server Service | Failover recording servers | Merging of databases after a failover recording server had been running. |
| 5432 | TCP | Failover Recording Server Service | Cameras, encoders, and I/O devices. | Listening for event messages from devices. The port is disabled by default. |
| 7474 | TCP | Failover Recording Server Service | Windows SNMP service | Communication with the SNMP extension agent. Do not use the port for other purposes even if your system does not apply SNMP. |
| 7563 | TCP | Failover Recording Server Service | XProtect Smart Client | Retrieving video and audio streams, PTZ commands. |
| 8844 | UDP | Failover Recording Server Service | Local connection only. | Communication between the servers. |
| 8966 | TCP | Failover Recording Server Service | Failover Recording Server Manager tray icon, local connection only. | Showing status and managing the service. |
| 8967 | TCP | Failover Server Service | Failover Server Manager tray icon, local connection only. | Showing status and managing the service. |
| 8990 | TCP | Failover Server Service | Management Server service | Monitoring the status of the Failover Server service. |
| 9001 | HTTP | Failover Server Service | Management server | Web service for internal communication between servers. |


In addition to the inbound connections to the Failover Server / Failover Recording Server
service listed above, the Failover Server / Failover Recording Server service establishes
outbound connections to the regular recorders, cameras, and for Video Push.

Log Server service

| Port number | Protocol | Process | Connections from... | Purpose |
|---|---|---|---|---|
| 22337 | HTTP | Log Server service | All XProtect components except for Management Client and the recording server. | Write to, read from, and configure the log server. |

Mobile Server service

| Port number | Protocol | Process | Connections from... | Purpose |
|---|---|---|---|---|
| 8000 | TCP | Mobile Server service | Mobile Server Manager tray icon, local connection only. | SysTray application. |
| 8081 | HTTP | Mobile Server service | Mobile clients, Web clients, and Management Client. | Sending data streams; video and audio. |
| 8082 | HTTPS | Mobile Server service | Mobile clients and Web clients. | Sending data streams; video and audio. |
| 40001 - 40099 | HTTP | Mobile Server service | Recording server service | Mobile Server Video Push. This port range is disabled by default. |

LPR Server service


| Port number | Protocol | Process | Connections from... | Purpose |
|---|---|---|---|---|
| 22334 | TCP | LPR Server Service | Event server | Retrieving recognized license plates and server status. In order to connect, the Event server must have the LPR plug-in installed. |
| 22334 | TCP | LPR Server Service | LPR Server Manager tray icon, local connection only. | SysTray application |

Milestone Open Network Bridge service

| Port number | Protocol | Process | Connections from... | Purpose |
|---|---|---|---|---|
| 580 | TCP | Milestone Open Network Bridge Service | ONVIF clients | Authentication and requests for video stream configuration. |
| 554 | RTSP | RTSP Service | ONVIF clients | Streaming of requested video to ONVIF clients. |

XProtect DLNA Server service

| Port number | Protocol | Process | Connections from... | Purpose |
|---|---|---|---|---|
| 9100 | HTTP | DLNA Server Service | DLNA device | Device discovery and providing DLNA channels configuration. Requests for video streams. |
| 9200 | HTTP | DLNA Server Service | DLNA device | Streaming of requested video to DLNA devices. |


XProtect Screen Recorder service

| Port number | Protocol | Process | Connections from... | Purpose |
|---|---|---|---|---|
| 52111 | TCP | XProtect Screen Recorder | Recording Server Service | Provides video from a monitor. It appears and acts in the same way as a camera on the recording server. You can change the port number in the Management Client. |
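
As a defensive check against the inbound Mobile Server ports listed above, the following added example (not part of Milestone's document) parses `netstat -ano -p tcp` output and flags listeners that disagree with the table. The sample output is constructed, and the function names and finding messages are assumptions.

```python
import ipaddress

# Port facts taken from the inbound Mobile Server service table above.
LOCAL_ONLY = {8000: "Mobile Server Manager tray icon"}
DISABLED_BY_DEFAULT = range(40001, 40100)   # Mobile Server Video Push
PLAINTEXT_WITH_TLS_TWIN = {8081: 8082}      # HTTP port -> HTTPS port

# Constructed sample of `netstat -ano -p tcp` output, not from a real host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8000           0.0.0.0:0              LISTENING       4312
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING       4312
  TCP    0.0.0.0:8082           0.0.0.0:0              LISTENING       4312
  TCP    127.0.0.1:22334        0.0.0.0:0              LISTENING       5120
  TCP    0.0.0.0:40001          0.0.0.0:0              LISTENING       4312
  TCP    10.0.0.5:49822         10.0.0.9:7563          ESTABLISHED     6001
  TCP    [::]:8082              [::]:0                 LISTENING       4312
"""

def parse_listeners(netstat_text):
    """Return (address, port) pairs for TCP sockets in LISTENING state."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        addr, _, port = fields[1].rpartition(":")
        listeners.append((addr.strip("[]"), int(port)))
    return listeners

def audit(listeners):
    """Compare listeners with the documented port table; return findings."""
    findings = []
    for addr, port in listeners:
        loopback = ipaddress.ip_address(addr).is_loopback
        if port in LOCAL_ONLY and not loopback:
            findings.append((port, "local-only port bound to " + addr))
        if port in DISABLED_BY_DEFAULT:
            findings.append((port, "Video Push range is enabled"))
        if port in PLAINTEXT_WITH_TLS_TWIN and not loopback:
            findings.append((port, "plaintext HTTP listener; HTTPS is on %d"
                             % PLAINTEXT_WITH_TLS_TWIN[port]))
    return findings
```

A wildcard bind only shows that the service accepts non-local connections; whether the port is reachable from other hosts still depends on the host and network firewall rules.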

Server components (outbound connections)

Management Server service

| Port number | Protocol | Connections to... | Purpose |
|---|---|---|---|
| 443 | HTTPS | The License server that hosts the License Management service. Communication is via https://www.milestonesys.com/OnlineActivation/LicenseManagementService.asmx | Activating licenses. |

Server service

| Port number | Protocol | Connections to... | Purpose |
|---|---|---|---|
| 80 | HTTP | Recording servers and failover recording servers | Authentication, configuration, and data streams; video and audio. |
| 443 | HTTPS | Recording servers and failover recording servers | Authentication, configuration, and data streams; video and audio. |
| 554 | RTSP | Recording servers and failover recording servers | Data streams; video and audio. |
| 11000 | TCP | Failover recording servers | Polling the state of recording servers. |
| 40001 – 40099 | HTTP | Mobile Server service | Mobile Server Video Push. This port range is disabled by default. |

Failover Server service and Failover Recording Server service

| Port number | Protocol | Connections to... | Purpose |
|---|---|---|---|
| 11000 | TCP | Failover recording servers | Polling the state of recording servers. |

Event Server service

| Port number | Protocol | Connections to... | Purpose |
|---|---|---|---|
| 443 | HTTPS | Milestone Customer Dashboard via https://service.milestonesys.com/ | Send status, events and error messages from the XProtect system to Milestone Customer Dashboard. |

Log Server service

| Port number | Protocol | Connections to... | Purpose |
|---|---|---|---|
| 443 | HTTP | Log server | Forwarding messages to the log server. |


Cameras, encoders, and I/O devices (inbound connections)

| Port number | Protocol | Connections from... | Purpose |
|---|---|---|---|
| 80 | TCP | Recording servers and failover recording servers | Authentication, configuration, and data streams; video and audio. |
| 443 | HTTPS | Recording servers and failover recording servers | Authentication, configuration, and data streams; video and audio. |
| 554 | RTSP | Recording servers and failover recording servers | Data streams; video and audio. |

Cameras, encoders, and I/O devices (outbound connections)

| Port number | Protocol | Connections to... | Purpose |
|---|---|---|---|
| 25 | SMTP | Recording servers and failover recording servers | Sending event notifications (deprecated). |
| 5432 | TCP | Recording servers and failover recording servers | Sending event notifications. The port is disabled by default. |
| 22337 | HTTP | Log server | Forwarding messages to the log server. |

Only a few camera models are able to establish outbound connections.

Client components (outbound connections)

XProtect Smart Client, XProtect Management Client, XProtect Mobile server


| Port number | Protocol | Connections to... | Purpose |
|---|---|---|---|
| 80 | HTTP | Management Server service | Authentication |
| 443 | HTTPS | Management Server service | Authentication of basic users. |
| 7563 | TCP | Recording Server service | Retrieving video and audio streams, PTZ commands. |
| 22331 | TCP | Event Server service | Alarms. |

XProtect Web Client, XProtect Mobile client

| Port number | Protocol | Connections to... | Purpose |
|---|---|---|---|
| 8081 | HTTP | XProtect Mobile server | Retrieving video and audio streams. |
| 8082 | HTTPS | XProtect Mobile server | Retrieving video and audio streams. |


About Milestone

Milestone Systems is a leading provider of open platform video management software; technology that helps
the world see how to ensure safety, protect assets and increase business efficiency. Milestone Systems
enables an open platform community that drives collaboration and innovation in the development and use of
network video technology, with reliable and scalable solutions that are proven in more than 150,000 sites
worldwide. Founded in 1998, Milestone Systems is a stand-alone company in the Canon Group. For more
information, visit https://www.milestonesys.com/.
