
Milestone Systems

XProtect® VMS 2023 R2

System architecture document

XProtect Corporate
XProtect Expert
XProtect Professional+
XProtect Express+
XProtect Essential+
System architecture document | XProtect® VMS 2023 R2

Contents
Copyright, trademarks, and disclaimer 5

Introduction 6

Target audience and purpose 7

Overall system architecture 8

Server components 9

Management server 9

Recording server 9

Media database 10

Event server 10

Log server 11

SQL Server 11

Mobile server 11

API Gateway 12

Client components 13

XProtect Management Client 13

XProtect Smart Client 13

XProtect Web Client 13

XProtect Mobile client 13

Encryption 15

Introduction to certificates 16

Identity Provider (explained) 18

Additional products and components 19

MIP SDK 19

Milestone Software Manager 20

XProtect Smart Wall 20

XProtect Incident Manager 20

XProtect Access 21

XProtect Transact 21

2 | Contents

XProtect LPR 22

Milestone Interconnect 22

XProtect DLNA Server 23

Milestone Open Network Bridge 23

System communication and data flow 25

Server communication 25

Login from XProtect Smart Client as an AD user 26

Login from XProtect Smart Client as a basic user 27

Login from XProtect Smart Client with an external IDP 28

Live video and audio 29

Live video multicasting 30

Matrix 31

Management server – view update 32

XProtect Smart Wall 33

Play back video and audio 34

Login from XProtect Web Client and XProtect Mobile as an AD user 35

Login from XProtect Web Client and XProtect Mobile as a basic user 36

Login from XProtect Web Client and the XProtect Mobile client with an external IDP 37

Live video for XProtect Web Client and XProtect Mobile 38

Recording and playback video for XProtect Web Client and XProtect Mobile 39

Video push 40

Milestone Interconnect live 41

Milestone Interconnect recording options 42

Milestone Interconnect play back 43

XProtect DLNA Server 44

Milestone Open Network Bridge 45

Management Client configuration update 46

Log server 47

Event server 47

XProtect Transact 48


XProtect LPR 49

View and manage alarms 50

Data collector 51

Recording server failover 52

Evidence lock 53

XProtect Incident Manager 54

Move hardware 55

Ports used by the system 56

Application pools 71

Application pools in Milestone XProtect 71

Working with application pools 72

Open the Application Pools page 72


Copyright, trademarks, and disclaimer


Copyright © 2023 Milestone Systems A/S

Trademarks

XProtect is a registered trademark of Milestone Systems A/S.

Microsoft and Windows are registered trademarks of Microsoft Corporation. App Store is a service mark of
Apple Inc. Android is a trademark of Google Inc.

All other trademarks mentioned in this document are trademarks of their respective owners.

Disclaimer

This text is intended for general information purposes only, and due care has been taken in its preparation.

Any risk arising from the use of this information rests with the recipient, and nothing herein should be construed
as constituting any kind of warranty.

Milestone Systems A/S reserves the right to make adjustments without prior notification.

All names of people and organizations used in the examples in this text are fictitious. Any resemblance to any
actual organization or person, living or dead, is purely coincidental and unintended.

This product may make use of third-party software for which specific terms and conditions may apply. When that
is the case, you can find more information in the file 3rd_party_software_terms_and_conditions.txt
located in your Milestone system installation folder.


Introduction
This document contains illustrations and descriptions of communication and dataflow between the most
common system components in a distributed system.

The document shows a range of scenarios with a supporting illustration and a description of actions
supplemented by information about port numbers, protocols and bandwidth usage.

The illustrations are simplified and primarily focus on the general dataflow between system components. This
means that less important flows may have been omitted in order to reduce the level of complexity.


Target audience and purpose


This document is primarily aimed at system integrators and IT administrators. It gives insight into the benefits
and simplicity of using Milestone XProtect as a VMS, and you can use it for assistance when selecting,
deploying, administrating, maintaining, and expanding a Milestone XProtect VMS.

Read the document for guidance on the following subjects:

• Overall system architecture

• Primary system components and their functions

• Data flow and communication through the system

• Basic system design

To benefit from the information in this document, you should have general experience with administering an
IT installation.


Overall system architecture


To enable scaling of thousands of cameras across multiple sites, the system consists of several components that
handle specific tasks. You can install all components on a single server if the server can handle the load, or you
can install the components on separate, dedicated servers to scale and distribute the load.

Depending on hardware and configuration, smaller systems with 50 to 100 cameras can run on a single server.

For systems with more than 100 cameras, Milestone recommends that you use dedicated servers for all or
some of the components.

Not all components need to be present in every installation. Components such as failover recording servers, or
mobile servers for hosting and providing access to both XProtect Web Client and XProtect Mobile, can be added
later if the functionality they offer is needed.

The components of the XProtect VMS


Server components

Management server
The management server is the central VMS component. It stores the configuration of the surveillance system in
a SQL database, either on a SQL Server on the management server computer itself or on a separate SQL Server
on the network. It also handles user authentication, user permissions, the rule system and more.

To improve system performance, you can run several management servers as a Milestone Federated
Architecture™. The management server runs as a service and is typically installed on a dedicated server.

Failover management server

You can get failover support on the management server by installing the management server in a Microsoft
Windows cluster. The cluster ensures that another server takes over the management server function in case
the first server fails.

Recording server
Recording servers are computers where you have installed the Recording Server software, and configured it to
communicate with the management server. A surveillance system typically consists of several recording
servers.

The recording server is responsible for all communication, recording, and event handling related to devices such
as cameras, video and audio encoders, I/O modules, and metadata sources. Examples of actions the recording
server handles:

• Retrieve video, audio, metadata and I/O event streams from the devices

• Record video, audio and metadata from devices

• Provide operators with access to live and recorded video, audio and metadata

• Provide operators with access to device status

• Trigger system and video events on device failures or events

• Perform motion detection and generate smart search metadata

The recording server is also responsible for communicating with other Milestone products when using the
Milestone Interconnect™ technology. For more information, see Milestone Interconnect on page 22.

The recording server supports encryption of data streams to the clients and services as well as encryption of the
connection with the management server. For more information, see the certificates guide about how to secure
your XProtect VMS installations.


Failover recording server

The failover recording server is responsible for taking over the recording task in case a recording server fails.

The failover recording server operates in two modes:

Cold standby, for monitoring multiple recording servers

In a cold standby failover recording server setup, you group multiple failover recording servers in a failover
group. The entire failover group is dedicated to take over from any of several preselected recording servers, if
one of these becomes unavailable. You can also specify a secondary failover server group that takes over from
the primary group if all the recording servers in the primary group are busy.

Hot standby, for monitoring a single recording server

In a hot standby failover recording server setup, you dedicate a failover recording server to take over from one
recording server only. With this approach, the failover recording server is continuously synchronized with the
correct/current configuration of the recording server it is dedicated to and it can take over much faster than a
cold standby failover recording server.

Media database
The system stores the retrieved video, audio and metadata in the customized, high-performance Milestone
media database, which is optimized for recording and storing audio and video data.

The media database supports various unique features including multistage archiving, video grooming,
encryption and adding a digital signature to the recordings.

Event server
The event server handles the tasks related to events, alarms, and maps and also third-party integrations via the
Milestone Integration Platform.

Events:

• All system events are consolidated in the event server so there is a single place and interface for
partners to make integrations that use system events

• The event server offers third-party access for sending events to the system via the Generic events or
Analytics events interface

Alarms:

• The event server hosts the alarm feature, alarm logic, alarm state and handling of the alarm database.
The alarm database is stored in the same SQL database as the management server uses

Maps:

• The event server also hosts maps. You configure and use maps in the XProtect Smart Client


Milestone Integration Platform:

• You can install third-party developed plug-ins on the event server and utilize access to system events

You can get failover support on the event server by installing the event server in a Microsoft Windows cluster.
The cluster ensures that another server takes over the event server function in case the first server fails.

Log server
The log server stores all log messages for the entire system. The log server typically uses the same SQL Server
as the management server but has its own SQL database. The log server is also typically installed on the same
server as the management server. If you need to increase the performance of the management server or log
server, you can install the log server on a separate server and use a separate SQL Server.

Through the log server, the system can write three types of log messages:

• System logs: the system administrator can choose to log errors, warnings, and information, or a
combination of these. The default is to log errors only

• Audit logs: the system administrator can choose to log user activity in clients in addition to login and
administration logs

• Rule-triggered logs: the system administrator can use the rule log to create logs on specific events

SQL Server
The management server, the event server and the log server use SQL databases on one or two SQL Server
installations to store, for example, configuration, alarms, events and log messages.

The Milestone XProtect installer includes Microsoft SQL Server Express, which is a free edition of SQL Server.

For very large systems or systems with many transactions to and from the SQL databases, Milestone
recommends that you use a Microsoft® SQL Server® Standard or Microsoft® SQL Server® Enterprise edition of
the SQL Server on a dedicated computer on the network and on a dedicated hard disk drive that is not used for
other purposes. Installing the SQL Server on its own drive improves the entire system performance.

Mobile server
XProtect Mobile server handles logins to the system from XProtect Mobile client or XProtect Web Client.

An XProtect Mobile server distributes video streams from recording servers to XProtect Mobile client or XProtect
Web Client. This offers a secure setup where recording servers are never connected to the Internet. When an
XProtect Mobile server receives video streams from recording servers, it also handles the complex conversion
of codecs and formats, allowing streaming of video on the mobile device.


API Gateway
The MIP VMS API provides a unified RESTful API, based on industry standard protocols such as OpenAPI, for
accessing XProtect VMS functionality, simplifying integration projects and serving as a basis for cloud connected
communication.

The XProtect VMS API Gateway supports these integration options through the Milestone Integration Platform
VMS API (MIP VMS API).

The API Gateway is installed on-premise and is intended to serve as a front-end and common entry point for
RESTful API services on all the current VMS server components (management server, event server, recording
servers, log server, etc). An API Gateway service can be installed on the same host as the management server
or separately, and more than one can be installed (each on their own host).

The RESTful API is implemented in part by each specific VMS server component. For those requests, the API
Gateway can simply pass the requests and responses through, while for other requests the API Gateway
converts requests and responses as appropriate.

Currently, the configuration API, hosted by the management server, is available as a RESTful API.

For more information, see the API Gateway administrator manual and the Milestone Integration Platform VMS
API reference documentation.


Client components

XProtect Management Client


The Management Client is the administration interface for all parts of the system.

The VMS is designed for large-scale operation so the Management Client is designed to run remotely from, for
example, the administrator’s computer.

You can access the settings in the Management Client from a tree structure where you can open items and sub
items.

For more information, see the administrator manual for XProtect VMS.

XProtect Smart Client


XProtect Smart Client is the main client for the VMS. It is designed to run remotely from the operators’ computer
for day-to-day use in order to manage IP surveillance cameras. It provides instant control of cameras and
connected security devices and quick access to live and recorded video and metadata.

XProtect Smart Client has an adaptable user interface that can be optimized for individual operators’ tasks and
adjusted according to specific skills and authority levels.

For more information, see the user manual for XProtect Smart Client.

XProtect Web Client


XProtect Web Client is a client designed for the occasional or remote user that needs easy access to live
monitoring, playback and export. XProtect Web Client also provides access to activating system events and
outputs.

For more information, see the user manual for XProtect Web Client.

On the System Requirements web page, you can find information about compatible browsers under XProtect
Web Client.

XProtect Mobile client


The XProtect Mobile client is a mobile surveillance solution and it offers easy access to cameras, views and other
functionality that is set up in the management clients.

It runs on an Android tablet or smartphone or on an Apple® tablet, smartphone or portable music player.

You can use the XProtect Mobile client as a remote recording device by using the device's built-in camera and
the Milestone Video Push feature. With Video Push activated, video from the device's camera is streamed back
to the VMS and recorded as if it was from a standard camera.

For more information, see the user manual for XProtect Mobile.


On the System Requirements web page, you can find information about which operating systems are compatible
with XProtect Mobile.


Encryption
This section gives you an introduction to encryption and certificates.

XProtect systems support secure communication:

From                                                    To
Recording Server                                        Management Server
Management Server                                       Recording Server
Recording Server                                        Clients, servers, and integrations that retrieve data streams from the recording server
Mobile devices                                          Mobile Server
Management Server                                       Data Collector servers affiliated with remote servers
Data Collector servers affiliated with remote servers   Management Server

When do you need to install certificates?

First, decide whether your system actually needs encrypted communication.

Don't use certificates with recording server encryption if you are using one or more integrations that don't
support HTTPS communication. This is, for example, third-party MIP SDK integrations that don't support HTTPS.

Unless your installation is made in a physically isolated network, it's recommended that you secure the
communication by using certificates.

This document describes when to use certificates:

• If your XProtect VMS system is set up in a Windows Workgroup environment

• Before you install or upgrade to XProtect VMS 2019 R1 or newer, if you want to enable encryption during
the installation

• Before you enable encryption, if you installed XProtect VMS 2019 R1 or newer without encryption

• When you renew or replace certificates due to expiry


Introduction to certificates
Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP) for secure
communication over a computer network. In HTTPS, the communication protocol is encrypted using Transport
Layer Security (TLS), or its predecessor, Secure Sockets Layer (SSL).

In XProtect VMS, secure communication is obtained by using TLS/SSL with asymmetric encryption (RSA).

TLS/SSL uses a pair of keys—one private, one public—to authenticate, secure, and manage secure connections.

A certificate authority (CA) is anyone who can issue root certificates. This can be an internet service that issues
root certificates, or anyone who manually generates and distributes a certificate. A CA can issue certificates to
web services, that is, to any software using HTTPS communication. The CA certificate has two keys, a private key
and a public key. The public key is installed on the clients of a web service (service clients) by installing the public
CA certificate. The private key is used for signing the server certificates that must be installed on the server.
Whenever a service client calls the web service, the web service sends the server certificate, including its public
key, to the client. The service client can validate the server certificate using the already installed public CA
certificate. The client and the server can then use the server's public and private keys to exchange a secret key
and thereby establish a secure TLS/SSL connection.

For manually distributed certificates, certificates must be installed before the client can make such a verification.

See Transport Layer Security for more information about TLS.

In XProtect VMS, the following locations are where you can enable TLS/SSL encryption:

• In the communication between the management server and the recording servers, event servers, and
mobile servers

• On the recording server in the communication with clients, servers, and integrations that retrieve data
streams from the recording server

• In the communication between clients and the mobile server

Certificate distribution

The graphic illustrates the basic concept of how certificates are signed, trusted, and distributed in XProtect VMS.


A CA certificate acts as a trusted third party, trusted by both the subject/owner (server) and by the party that
verifies the certificate (clients).

The public CA certificate must be trusted on all client computers. In this way the clients can verify the validity
of the certificates issued by the CA.

The CA certificate is used to issue private server authentication certificates to the servers.

The created private SSL certificates must be imported to the Windows Certificate Store on all servers.

Requirements for the private SSL certificate:

• Issued to the server so that the server's host name is included in the certificate, either as subject (owner)
or in the list of DNS names that the certificate is issued to

• Trusted on all computers running services or applications that communicate with the service on the
servers, by trusting the CA certificate that was used to issue the SSL certificate

• The service account that runs the server must have access to the private key of the certificate on the
server

Certificates have an expiry date. XProtect VMS will not warn you when a certificate is
about to expire. If a certificate expires, the clients will no longer trust the server with the
expired certificate and thus cannot communicate with it.
To renew the certificates, follow the steps in this guide as you did when you created
certificates.
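The following PowerShell script is an added example, not part of the Milestone documentation or product: it audits every certificate in the Local Machine personal store against the requirements above (host name in subject or DNS name list, chain to a trusted CA, private key present) and flags certificates that are expired or close to expiry, since the VMS itself does not warn. The expected host name and the 30-day warning window are assumptions; set the host name to the name clients actually use to reach the server.

```powershell
# Added example (not Milestone code): audit Local Machine\My certificates against the
# XProtect server certificate requirements. Run in an elevated PowerShell on the server.
# Assumptions: $ExpectedHostName is the name clients use to reach this server (set it to
# the FQDN if that is what the certificate and the clients use), $WarnDays is 30.
param(
    [string]$ExpectedHostName = $env:COMPUTERNAME,
    [int]$WarnDays = 30
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Enhanced Key Usage: Server Authentication
$now = Get-Date

function Test-XProtectServerCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $findings = @()

    # 1. Issued to this host: subject CN or a DNS entry in the Subject Alternative Name.
    #    DnsNameList (added by the Cert: provider) falls back to the subject CN when no SAN exists.
    $names = @($Cert.DnsNameList | ForEach-Object { $_.Unicode })
    if (-not ($names | Where-Object { $_ -ieq $ExpectedHostName })) {
        $findings += "host name '$ExpectedHostName' not in subject/SAN (found: $($names -join ', '))"
    }

    # 2. Usable for server authentication: either no EKU restriction or the Server Auth EKU.
    $ekus = @($Cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    if ($ekus.Count -gt 0 -and $ekus -notcontains $serverAuthOid) {
        $findings += 'no Server Authentication EKU'
    }

    # 3. Trusted: the chain must build up to a CA certificate trusted on this machine.
    #    Revocation checking is disabled so the audit works offline; enable it if CRL/OCSP is reachable.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $findings += "chain does not build: $status"
    }

    # 4. Private key present, so the service account can be granted access to it.
    if (-not $Cert.HasPrivateKey) {
        $findings += 'no private key in this store'
    }

    # 5. Expiry: XProtect does not warn, so report expired and soon-to-expire certificates.
    $daysLeft = [math]::Floor(($Cert.NotAfter - $now).TotalDays)
    if ($daysLeft -lt 0) {
        $findings += "expired $(-$daysLeft) days ago"
    } elseif ($daysLeft -le $WarnDays) {
        $findings += "expires in $daysLeft days"
    }

    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        NotAfter   = $Cert.NotAfter
        Findings   = if ($findings) { $findings -join '; ' } else { 'OK' }
    }
}

# Audit every certificate in the personal store and print one row per certificate.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-XProtectServerCertificate -Cert $_ } |
    Format-Table -AutoSize -Wrap
```

Any row whose Findings column is not OK needs attention before you enable encryption or at renewal time; a certificate that passes here still has to be trusted on every client computer via the CA certificate.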

For more information, see the certificates guide about how to secure your XProtect VMS installations.


Identity Provider (explained)


Identity Provider app pool (IDP) is a system entity that creates, maintains, and manages identity information for
basic users.

Identity Provider also provides authentication and registration services to relying applications or services, in this
case: Recording Server, Management Server, Data Collector, and Report Server.

When you log in to XProtect clients and services as a basic user, your request goes to the Identity Provider. Once
authenticated, the user can call the management server.

Identity Provider runs in IIS as a part of the management server, using the same SQL Server with a separate
database (Surveillance_IDP), and is responsible for creating and handling the OAuth communication tokens that
services use when communicating.

Identity Provider logs can be found at: \\ProgramData\Milestone\IDP\Logs.


Additional products and components


Available functionality depends on the system you are using. See the complete feature list, which is available on
the product overview page on the Milestone website (https://www.milestonesys.com/solutions/platform/product-index/).

MIP SDK
The Milestone Integration Platform Software Development Kit (MIP SDK) is a comprehensive tool that makes it
easy to create applications, plug-ins or integrations for Milestone’s XProtect products.

MIP

The open platform is integrated in the following Milestone XProtect system components and applications:

• XProtect Smart Client

• XProtect Management Client

• Management Application

• Management Server

• Event Server

MIP SDK

To have a truly open platform and a community around it, Milestone provides the SDK that contains:

• The tools for developing integrations

• Documentation of a set of interfaces

• A set of wrapper .NET DLLs providing an easy interface to a variety of functionality

• A large collection of samples demonstrating different ways of using the MIP SDK

• Short descriptions and how-to guides

• A small application to display links to this information

• Libraries

The MIP SDK is also used internally by Milestone software development teams.

For more information, see the MIP SDK and Develop Forum webpages.


Milestone Software Manager


Milestone Software Manager is a tool that you can use, from a central point, to remotely install and upgrade
recording servers, recording server device packs and XProtect Smart Clients on servers or PCs in the network.

For larger installations, the tool makes it easy and fast to remotely upgrade the components that are installed on
servers and client PCs.

For more information, see the XProtect Smart Wall webpage and manual.

XProtect Smart Wall


XProtect Smart Wall is designed for control centers to display live video from selected cameras on one or more
video wall displays.

There are several ways you can select the cameras:

• Manually using the XProtect Smart Client

• Via the VMS' rule system on events and/or time schedule

• Via MIP SDK integrations

XProtect Smart Wall does not require a dedicated XProtect software component itself, nor does it use a
dedicated XProtect client - all the required components are included in the standard XProtect Corporate
management server and XProtect Smart Client. It just needs a PC running XProtect Smart Client to show the
Smart Wall views.

XProtect Smart Wall is included in XProtect Corporate. You can purchase it as an add-on
for XProtect Expert.

For more information, see the XProtect Smart Wall webpage and manual.

XProtect Incident Manager


XProtect Incident Manager is a Milestone add-on that enables organizations to document incidents and combine
them with sequence evidence (video and, potentially, audio) from the XProtect VMS.

You can store the following information about the incidents in incident projects:

• Sequences with video and, potentially, audio from the XProtect VMS

• Incident properties like type, status, categories, and data elements

• Information like comments, descriptions, and information about calls

All the required components for XProtect Incident Manager are included in the standard XProtect VMS
management server and XProtect Smart Client.


XProtect Access
The access control integration feature introduces new functionality that makes it simple to integrate customers’
access control systems with XProtect. You get:

• A common operator user interface for multiple access control systems in XProtect Smart Client

• Faster and more powerful integration of access control systems

• More functionality for the operator (see below)

In XProtect Smart Client, the operator gets:

• Live monitoring of events at access points

• Operator aided passage for access requests

• Map integration

• Alarm definitions for access control events

• Investigation of events at access points

• Centralized overview and control of door states

• Cardholder information and management

The use of XProtect Access requires that you have purchased a base license that allows
you to access this feature within your XProtect system. You also need an access control
door license for each door you want to control.

You can use XProtect Access with access control systems from vendors where a vendor-
specific plug-in for XProtect Access exists. You must install this plug-in on the event server
before you can start an integration.

For more information, see the XProtect Access webpage and administrator manual.

XProtect Transact
XProtect Transact is an add-on to Milestone's IP video surveillance solutions XProtect VMS and XProtect
Professional VMS.

XProtect Transact is a tool for observing ongoing transactions and investigating transactions in the past. The
transactions are linked with the digital surveillance video monitoring the transactions, for example to help you
prove fraud or provide evidence against a perpetrator. There is a 1-to-1 relationship between the transaction
lines and video images.

The transaction data may originate from different types of transaction sources, typically point of sales (PoS)
systems or automated teller machines (ATM).

For more information, see the XProtect Transact webpage and administrator manual.


XProtect LPR
XProtect LPR offers video-based content analysis (VCA) and recognition of vehicle license plates that interact
with your surveillance system and your XProtect Smart Client.

To read the characters on a plate, XProtect LPR uses optical character recognition on images aided by
specialized camera settings.

You can combine LPR (license plate recognition) with other surveillance features such as recording and event-
based activation of outputs.

Examples of events in XProtect LPR:

• Trigger surveillance system recordings in a particular quality

• Activate alarms

• Match against positive/negative match lists

• Open gates

• Switch on lights

• Push video of incidents to computer screens of particular security staff members

• Send mobile phone text messages

With an event, you can activate alarms in XProtect Smart Client.

For more information, see the XProtect LPR webpage and administrator manual.

Milestone Interconnect
Milestone Interconnect allows you to integrate several XProtect or Milestone Husky™ installations with one
XProtect Corporate central site. You can also install these sites, called remote sites, on mobile units, for
example, boats, buses or trains. This means that such sites do not need to be permanently connected to a
network.

The central site considers the remote site as an advanced camera or multi-channel encoder with edge storage
capabilities.

Each remote site runs independently and can perform surveillance tasks as configured. Depending on the
network connections and appropriate user permissions, Milestone Interconnect offers you direct live viewing of
remote site cameras and playback of remote site recordings on the central site.

It also offers you the possibility to transfer remote site recordings to the central site based on system-defined
events, rules, schedules, or manual requests from XProtect Smart Client users.

The central site can only see and access devices that the user account specified on the remote site has access
to. This allows local system administrators on the remote sites to control which devices should be made
available to the central site and its users.


On the central site, you can view the status for the interconnected cameras, but not the entire status of the
remote site. Instead, to monitor the remote site, you can use remote site events to trigger alarms or other
notifications on the central site.

Only XProtect Corporate systems can work as central sites. All other products can act as remote sites, including
XProtect Corporate. How specifically the products interact in a Milestone Interconnect setup depends on the
version of the XProtect or Milestone Husky installations, the number of cameras and how devices and events
are configured on the remote site.

For more information, see the Milestone Interconnect webpage and documentation.

It is not possible to add systems with free XProtect installation as remote sites.

XProtect DLNA Server

As of 2023 R2, this product is no longer supported by Milestone.

DLNA (Digital Living Network Alliance) is a standard for connecting multimedia devices. Electronics manufacturers
get their products DLNA certified to ensure interoperability between different vendors and devices and thereby
enable them to distribute multimedia content such as audio, video, and photos.

Public displays and TVs are often DLNA certified and connected to a network. They are able to scan the network
for media content, connect to the device, and request a media stream to their built-in media player. XProtect
DLNA Server can be discovered by certain DLNA certified devices and deliver live video streams from selected
cameras to DLNA certified devices with a media player.

The DLNA devices have a live video delay of 1-10 seconds. This is caused by different buffer sizes in the devices.

XProtect DLNA Server must be connected to the same network as the XProtect system and the DLNA device
must be connected to the same network as XProtect DLNA Server.

Milestone Open Network Bridge


The ONVIF standard facilitates full video interoperability in multivendor installations and ensures information
exchange by defining a common protocol. The protocol contains ONVIF profiles, which are collections of
specifications for interoperability between ONVIF compliant devices.

Milestone Open Network Bridge is compliant with the parts of ONVIF Profile G and Profile S that provide access
to live and recorded video, and the ability to control pan-tilt-zoom cameras:

- Profile G - Provides support for video recording, storage, search, and retrieval. For more information, see
  ONVIF Profile G Specification (https://www.onvif.org/profiles/profile-g/).

- Profile S - Provides support for streaming live video using the H.264 codec, audio streaming, and
  pan-tilt-zoom (PTZ) controls. For more information, see ONVIF Profile S Specification
  (https://www.onvif.org/profiles/profile-s/).

For more information about the ONVIF standard, see the ONVIF® website (https://www.onvif.org/).

ONVIF Profiles support “get” functions that retrieve data, and “set” functions that configure settings. Each
function is either mandatory, conditional, or optional. For security reasons, Milestone Open Network Bridge
supports only the mandatory, conditional, and optional “get” functions that do the following:

- Request video

- Authenticate users

- Stream video

- Play recorded video

For more information, see the administrator manual for Milestone Open Network Bridge.
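The ONVIF Core Specification has SOAP clients authenticate each request with a WS-Security UsernameToken: a password digest computed over a random nonce, a creation timestamp and the password, so the password itself never crosses the wire and a captured request cannot be replayed once its nonce and timestamp are known. The following is an added example (not Milestone code, and this page does not describe how the bridge validates tokens internally): the client side builds the token, the server side checks the digest, a freshness window on Created (five minutes is an assumed value) and nonce reuse. The user name, password and window are constructed for the demo.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"   # the xs:dateTime form carried in wsu:Created


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """WS-Security UsernameToken digest: Base64(SHA-1(nonce || created || password))."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def make_username_token(username, password, now=None):
    """Client side: the four values a SOAP request carries in its wsse:UsernameToken."""
    now = now or datetime.now(timezone.utc)
    nonce = secrets.token_bytes(16)
    created = now.strftime(TIME_FMT)
    return {"Username": username, "Nonce": base64.b64encode(nonce).decode(),
            "Created": created, "PasswordDigest": password_digest(nonce, created, password)}


class UsernameTokenVerifier:
    """Server side: digest check, freshness window on Created, and nonce replay rejection."""

    def __init__(self, users, window_seconds=300):
        self.users = users                       # username -> password (constructed data)
        self.window = timedelta(seconds=window_seconds)
        self._seen = {}                          # nonce -> Created, pruned as entries age out

    def verify(self, token, now=None):
        now = now or datetime.now(timezone.utc)
        try:
            created = datetime.strptime(token["Created"], TIME_FMT).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(token["Nonce"], validate=True)
            password = self.users[token["Username"]]
        except (KeyError, ValueError):
            return False
        # Drop nonces that have aged out; anything older is rejected by the time window anyway.
        self._seen = {n: c for n, c in self._seen.items() if now - c <= self.window}
        if abs(now - created) > self.window or token["Nonce"] in self._seen:
            return False
        expected = password_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected, token.get("PasswordDigest", "")):
            return False
        self._seen[token["Nonce"]] = created
        return True


def demo():
    """Constructed exchange: a fresh token is accepted, its replay is refused, a wrong
    password is refused, and a token whose Created is ten minutes old is refused."""
    verifier = UsernameTokenVerifier({"onvif-viewer": "correct horse battery"})
    good = make_username_token("onvif-viewer", "correct horse battery")
    bad = make_username_token("onvif-viewer", "wrong password")
    stale = make_username_token("onvif-viewer", "correct horse battery",
                                now=datetime.now(timezone.utc) - timedelta(minutes=10))
    return (verifier.verify(good), verifier.verify(good),
            verifier.verify(bad), verifier.verify(stale))
```

The digest only protects the password; it does not protect the request body or the video stream, which is why the bridge's port 580 and the RTSP port should additionally be reachable only from the networks where ONVIF clients are expected to live.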

System communication and data flow


The following illustrations provide an overview of the flow of data between XProtect components.

For a complete list of the ports that must be enabled for communication between
components, see Ports used by the system.

Server communication

1. Management server - Recording server

2. Recording server - Media database

3. Management server - Internal

4. SQL database communication

5. Management server - Mobile server

6. Authentication of basic users by the Identity Provider

7. API Gateway - Management server

Login from XProtect Smart Client as an AD user

1. XProtect Smart Client connects to the management server and attempts to log in

2. The management server contacts Active Directory to authenticate the user

3. User-specific configuration is retrieved from the SQL database

4. Login is granted and the configuration is sent to XProtect Smart Client

Login from XProtect Smart Client as a basic user

1. XProtect Smart Client attempts to connect to the management server as a basic user

2. The login request goes to the Identity Provider for authentication

3. User-specific configuration is retrieved from the SQL database

4. Login is granted and the configuration is sent to XProtect Smart Client

Login from XProtect Smart Client with an external IDP

1. Login from XProtect Smart Client launches a web browser on the client computer.

2. The login request goes from the web browser to the Identity Provider for authentication.

3. The web browser is redirected to the external IDP login page where the user enters credentials and the
browser receives an authorization code.

4. The Identity Provider requests information about the user from the external IDP and receives a list of
claims. If a new user logs in to the VMS, the user is created in the VMS.

5. The web browser is redirected to XProtect Smart Client with the authorization code from the Identity
Provider.

6. XProtect Smart Client gets an access token from the Identity Provider.

7. XProtect Smart Client logs in to the management server using the access token.

8. User permissions are verified according to the claims-to-role mapping.

9. The user logs in to XProtect Smart Client upon successful authorization.

Live video and audio

1. Live streams from cameras retrieved by the recording server

2. Streams are sent to XProtect Smart Client on request

Live video multicasting

1. Live streams from cameras retrieved by the recording server

2. The recording server sends a multicast stream to the multicast-enabled network. All switches handling the
   data traffic between XProtect Smart Client and the recording server must be configured for multicast

3. The multicast stream is received by all XProtect Smart Clients on request

Matrix

1. XProtect Smart Client user selects to send a camera to a Matrix-recipient

2. Information is sent to management server

3. Management server sends request to Matrix-recipient on specified IP address and port (XProtect Smart
Client B)

4. Streams are sent to XProtect Smart Client from recording server on request

Management server – view update

1. View updated on XProtect Smart Client

2. The system configuration is stored in the SQL database

3. The management server sends notification about view update to XProtect Smart Clients

4. XProtect Smart Clients retrieve and apply the new view

XProtect Smart Wall

1. An XProtect Smart Client user updates the XProtect Smart Wall view

2. The XProtect Smart Wall view configuration is updated and stored in the SQL database

3. The management server sends a notification to the XProtect Smart Client running the XProtect Smart Wall

4. The XProtect Smart Client running the XProtect Smart Wall retrieves and applies new layout

Play back video and audio

1. Recording stream from cameras retrieved by the recording server

2. The stream is recorded in the recording server database based on rules

3. The recorded stream is retrieved by XProtect Smart Client on playback request

Login from XProtect Web Client and XProtect Mobile as an AD user

1. Login request from XProtect Web Client or XProtect Mobile received on the mobile server

2. The mobile server forwards request to the management server

3. The management server contacts Active Directory to authenticate the user

4. User-specific configuration is retrieved from the SQL database

5. Information returned to the mobile server

6. The login is granted and configuration is sent to XProtect Web Client or XProtect Mobile

Login from XProtect Web Client and XProtect Mobile as a basic user

1. Login request from XProtect Web Client or XProtect Mobile received on the mobile server

2. The mobile server forwards a request to the management server

3. The login request goes to the Identity Provider for authentication

4. User-specific configuration is retrieved from the SQL database

5. Information returned to the mobile server

6. The login is granted and configuration is sent to XProtect Web Client or XProtect Mobile

Login from XProtect Web Client and the XProtect Mobile client with
an external IDP

1. In XProtect Web Client or in the XProtect Mobile client, the user selects to log in via an external IDP. The
login request launches a web browser.

2. The web browser is redirected to the external IDP login page where the user enters credentials.

3. The Identity Provider receives an authorization code from the external IDP to be exchanged for an access
token. Then the Identity Provider requests information about the user from the external IDP and gets a
list of claims. If a new user logs in to the VMS, the user is created in the VMS.

4. The Identity Provider returns an authorization code to XProtect Web Client or the XProtect Mobile client.

5. XProtect Web Client or the XProtect Mobile client requests an access token from the Identity Provider.

6. XProtect Web Client or the XProtect Mobile client logs in to the mobile server using the access token.
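The two external IDP flows above (XProtect Smart Client against the management server, and XProtect Web Client or the XProtect Mobile client against the mobile server) are the same brokered authorization code exchange: the VMS Identity Provider swaps the external IDP's code for claims, creates the VMS user on first login, issues its own single-use code, and the client trades that for an access token which the relying server verifies before mapping claims to roles. The following is an added model of that exchange in Python; it is not Milestone's implementation. The claims-to-role map, the user directory, the HMAC signing key (a real deployment would use the Identity Provider's signing certificate) and the token lifetime are all constructed assumptions, but the security properties it checks are the ones the flow depends on: both codes are single use, the token is integrity-protected and expires, and a valid token with no mapped role opens no session.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed claims-to-role mapping, the kind of rule an administrator defines in the VMS;
# a group value not listed here maps to no role at all.
CLAIM_ROLE_MAP = {("groups", "vms-operators"): "Operator",
                  ("groups", "vms-admins"): "Administrator"}
TOKEN_LIFETIME = 300  # seconds; assumed value


class ExternalIdp:
    """Stand-in for the external OIDC provider, with a constructed user directory."""
    def __init__(self):
        self.users = {"alice": {"sub": "alice", "groups": ["vms-operators"]},
                      "mallory": {"sub": "mallory", "groups": ["guests"]}}
        self._codes = {}

    def authorize(self, username):
        """The user authenticates in the browser and the browser receives this code."""
        code = secrets.token_urlsafe(16)
        self._codes[code] = username
        return code

    def exchange(self, code):
        """Single-use code -> claims; a replayed code yields None."""
        user = self._codes.pop(code, None)
        return None if user is None else dict(self.users[user])


class IdentityProvider:
    """The VMS Identity Provider: brokers the external login and issues VMS access tokens."""
    def __init__(self, external, signing_key):
        self.external, self.key = external, signing_key
        self.vms_users = {}   # VMS users, created on first external login
        self._pending = {}    # our own single-use authorization codes -> claims

    def login_callback(self, external_code):
        """Exchange the external code for claims, create the VMS user, issue our own code."""
        claims = self.external.exchange(external_code)
        if claims is None:
            return None
        self.vms_users.setdefault(claims["sub"], {"created": time.time()})
        code = secrets.token_urlsafe(16)
        self._pending[code] = claims
        return code

    def access_token(self, code):
        """Our code -> token 'base64url(payload).hex(HMAC-SHA256)'; None if the code is reused."""
        claims = self._pending.pop(code, None)
        if claims is None:
            return None
        payload = json.dumps({"sub": claims["sub"], "groups": claims["groups"],
                              "exp": int(time.time()) + TOKEN_LIFETIME}, sort_keys=True).encode()
        sig = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        return base64.urlsafe_b64encode(payload).decode() + "." + sig

    def verify(self, token, now=None):
        """Signature and expiry check; returns the claims or None."""
        try:
            payload_b64, sig = token.split(".")
            payload = base64.urlsafe_b64decode(payload_b64)
        except ValueError:
            return None
        if not hmac.compare_digest(sig, hmac.new(self.key, payload, hashlib.sha256).hexdigest()):
            return None
        claims = json.loads(payload)
        return None if claims["exp"] < (time.time() if now is None else now) else claims


def relying_server_login(idp, token):
    """Management server (Smart Client) or mobile server (Web/Mobile client): verify the
    token, map claims to roles, and open a session only if some role applies."""
    claims = idp.verify(token)
    if claims is None:
        return None
    roles = sorted({role for (claim, value), role in CLAIM_ROLE_MAP.items()
                    if value in claims.get(claim, [])})
    return {"user": claims["sub"], "roles": roles} if roles else None


def run_login(username):
    """Drive the whole exchange for one user; returns the session dict or None."""
    external = ExternalIdp()
    idp = IdentityProvider(external, secrets.token_bytes(32))
    vms_code = idp.login_callback(external.authorize(username))
    return relying_server_login(idp, idp.access_token(vms_code))


def abuse_checks():
    """Replayed codes, a forged payload and an expired token must all be refused."""
    external = ExternalIdp()
    idp = IdentityProvider(external, secrets.token_bytes(32))
    ext_code = external.authorize("alice")
    vms_code = idp.login_callback(ext_code)
    token = idp.access_token(vms_code)
    forged = base64.urlsafe_b64encode(json.dumps(
        {"sub": "alice", "groups": ["vms-admins"], "exp": 4102444800}).encode()).decode()
    return (idp.login_callback(ext_code) is None,                          # external code replay
            idp.access_token(vms_code) is None,                            # VMS code replay
            idp.verify(forged + "." + token.split(".")[1]) is None,        # tampered payload
            idp.verify(token, now=time.time() + TOKEN_LIFETIME + 1) is None,  # expired
            idp.verify(token) is not None)                                 # genuine token still works
```

`run_login("alice")` returns a session with the Operator role; `run_login("mallory")` authenticates at the external IDP but gets no session, because her groups map to no VMS role. That distinction between authentication (the external IDP's job) and authorization (the claims-to-role mapping on the VMS side) is the point of step 8 in the Smart Client flow.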

Live video for XProtect Web Client and XProtect Mobile

1. Live stream(s) from cameras retrieved on the recording server

2. Streams are sent to the mobile server for transcoding or as direct streaming

3. Video is streamed to the clients

Recording and playback video for XProtect Web Client and XProtect
Mobile

1. Recording stream from cameras retrieved on the recording server

2. The stream is recorded in the recording server database based on rules

3. Recordings are sent to the mobile server for transcoding or as direct streaming

4. Video is streamed to clients

Video push

1. Video push stream from a device running XProtect Mobile is sent instantly to the mobile server

2. The video push stream is retrieved by recording server using the specific video push device driver

Milestone Interconnect live

Illustrates how XProtect Smart Client users, specified for the interconnected system, only need to log in to the
management server on the central site to view video.

1. Live stream(s) from the remote site cameras retrieved by the remote site recording server

2. Live streams from the remote site recording server retrieved by the central site recording server

3. Stream(s) are sent to XProtect Smart Client on request

Milestone Interconnect recording options

Some of the different options when configuring your system recording settings:

l No recording

l Record at remote site only

l Retrieve recordings from remote site on request

l Retrieve recordings from remote site based on rule (time profile)

l Record at central site only

l Retrieve recordings from remote site after site link down

l Record at both sites

l Combinations of above and other options

Milestone Interconnect playback

Illustrates when recording is done on both sites. Recordings can be retrieved to the central site based on
schedule, event or request. XProtect Smart Client users, specified for the interconnected system, only need to
log in to the management server on the central site to view video.

1. Recording stream from the remote site cameras retrieved by the remote site recording server

2. The stream is recorded in the remote site recording server database based on rules

3. Recording stream from the remote site recording server retrieved by the central site recording server

4. The stream is recorded in the central site recording server database based on rules. Recordings not
available due to remote site link downtime can be retrieved automatically or based on schedule, event or
request

5. The recorded stream(s) are retrieved by XProtect Smart Client on playback request

XProtect DLNA Server

1. The XProtect DLNA Server connects to the management server to authorize itself with the provided
credentials

2. A DLNA device scans the network and connects to the XProtect system via the XProtect DLNA Server and
requests a live camera video stream

3. XProtect DLNA Server retrieves the requested camera video stream from the recording server

4. XProtect DLNA Server sends the live video stream from the requested camera to the DLNA device

Milestone Open Network Bridge

1. Login, stream or PTZ request from ONVIF client received on the Milestone Open Network Bridge server.
The Milestone Open Network Bridge is a gateway for non-Milestone clients to the Milestone VMS

2. The Milestone Open Network Bridge forwards the login request to the management server to
authenticate the user.
Access to the Milestone VMS is granted and sent to the Milestone Open Network Bridge server

3. Requested live or playback stream from the recording server is retrieved by the Milestone Open Network
Bridge server

4. Video is streamed to the ONVIF client

Management Client configuration update

1. Configuration updated on the Management Client

2. Changes are stored on the management server

3. Configuration update sent to relevant components. In this case, the recording server

4. If updates concern cameras, the recording server applies new settings

Log server

1. The Management server or recording server creates a log message

2. The log message is forwarded to the log server

3. The log message is stored in the log server's SQL database

Event server

The event server sends data to XProtect Smart Client to show in the alarm list, XProtect Access or the map overview.
The event server plug-in is a client to the access control system.
The XProtect Smart Client user responds to the notification and returns data to the event server.

XProtect Transact

1. Transaction data generated by the transaction source is sent to the event server and stored

2. The event server sends transaction data to XProtect Smart Client. View items containing transaction data
and the associated video is updated

XProtect LPR

1. Live streams from cameras configured for LPR (License Plate Recognition) retrieved by the recording
server

2. Streams from the recording server retrieved by the LPR server

3. The LPR server recognizes license plates by comparing them with the license plate styles of the installed
country modules. Found license plates are compared with the match list requests from the event server
LPR plug-in

4. The event server sends events and alarms to XProtect Smart Client when there is a match

View and manage alarms

1. XProtect Smart Client requests an alarm list from event server

2. The alarm list is retrieved from the SQL database and returned to XProtect Smart Client

3. The alarm is handled and its state/details are updated by the user

4. New state/details stored in the SQL database

Data collector

1. System status received on management server delivered by: log server, event server, recording server,
failover recording server and mobile server

2. The collected data is stored in an SQL database on a SQL Server

3. XProtect Smart Client or the Management Client requests status via System Monitor

4. Requested data is collected from an SQL database on a SQL Server

5. Data returned to clients

Recording server failover

1. Video streamed from the recording server

2. Alive messages exchanged between recording and failover recording server

3. Cold standby: failover message sent, configuration retrieved, start failover.
   Hot standby: failover message sent, start failover

4. Configuration updated with active failover recording server

5. Update configuration message sent to the management server

6. Update message distributed to all clients

7. Video streamed from failover recording server

Evidence lock

1. The user creates an evidence lock in XProtect Smart Client. XProtect Smart Client sends the information
to the management server

2. The management server informs the recording server to store and protect the locked recordings in the
Media database

3. The management server stores information about the evidence lock in the SQL database

XProtect Incident Manager

1. An operator of XProtect Smart Client starts, saves, edits, or deletes an incident project. Information about
   the incident project and its data is saved in the add-on's own SQL database Surveillance_IM. The activities
   related to incident projects are, depending on the activity, logged in the add-on's own SQL database
   Surveillance_IM, in the Log Server service's SQL database SurveillanceLogServerV2, or in both.

2. A Management Client administrator creates, edits, or deletes an incident property. The incident property
   definition is saved in the add-on's own SQL database Surveillance_IM. The user activity is logged in the Log
   Server service's SQL database SurveillanceLogServerV2.

Move hardware

1. The user moves hardware from recording server 1 to recording server 2 in Management Client

2. The management server receives the update in the system configuration and stores it in the SQL
database

3. The management server sends update to recording server 1

4. The management server sends update to recording server 2

5. Recording server 2 connects to the hardware. All new recordings are stored in the recording server 2
   database

Old recordings are still available on recording server 1. The system deletes them when the retention time
expires. Recordings marked with evidence lock are not deleted until the evidence lock's retention time expires.

Clients connect to recording server 2

Ports used by the system


All XProtect components and the ports needed by them are listed below. To ensure, for example, that the firewall
blocks only unwanted traffic, you need to specify the ports that the system uses. You should only enable these
ports. The lists also include the ports used for local processes.

They are arranged in two groups:

- Server components (services) offer their service on particular ports, which is why they need to listen for
  client requests on these ports. Therefore, these ports need to be opened in the Windows Firewall for
  inbound and outbound connections

- Client components (clients) initiate connections to particular ports on server components. Therefore,
  these ports need to be opened for outbound connections. Outbound connections are typically open by
  default in the Windows Firewall

If nothing else is mentioned, ports for server components must be opened for inbound connections, and ports
for client components must be opened for outbound connections.

Keep in mind that server components can also act as clients to other server components. These connections are
not explicitly listed in this document.

The port numbers are the default numbers, but this can be changed. Contact Milestone support, if you need to
change ports that are not configurable through the Management Client.

Server components (inbound connections)

Each of the following sections list the ports that need to be opened for a particular service. To figure out which
ports need to be opened on a particular computer, you need to consider all services running on the computer.

Management Server service and related processes

Port number | Protocol | Process | Connections from... | Purpose
80 | HTTP | IIS | All servers, XProtect Smart Client and the Management Client | Same purpose as port 443. Which of the two ports the VMS uses depends on whether you have secured the communication with certificates: when you have not, the VMS uses port 80.
443 | HTTPS | IIS | All servers, XProtect Smart Client and the Management Client | Same purpose as port 80. When you have secured the communication with certificates, the VMS uses port 443, except for communication from the event server to the management server, which uses Windows Communication Foundation (WCF) with Windows authentication on port 80.
6473 | TCP | Management Server service | Management Server Manager tray icon, local connection only | Showing status and managing the service.
8080 | TCP | Management server | Local connection only | Communication between internal processes on the server.
9000 | HTTP | Management server | Recording Server services | Web service for internal communication between servers.
12345 | TCP | Management Server service | XProtect Smart Client | Communication between the system and Matrix recipients. You can change the port number in the Management Client.
12974 | TCP | Management Server service | Windows SNMP Service | Communication with the SNMP extension agent. Do not use the port for other purposes even if your system does not apply SNMP. In XProtect 2014 systems or older, the port number was 6475; in XProtect 2019 R2 systems and older, it was 7475.

SQL Server service

Port number | Protocol | Process | Connections from... | Purpose
1433 | TCP | SQL Server | Management Server service | Storing and retrieving configurations via the Identity Provider.
1433 | TCP | SQL Server | Event Server service | Storing and retrieving events via the Identity Provider.
1433 | TCP | SQL Server | Log Server service | Storing and retrieving log entries via the Identity Provider.

Data Collector service

Port number | Protocol | Process | Connections from... | Purpose
7609 | HTTP | IIS | On the management server computer: Data Collector services on all other servers. On other computers: Data Collector service on the management server. | System Monitor.

Event Server service

Port number | Protocol | Process | Connections from... | Purpose
1234 | TCP/UDP | Event Server service | Any server sending generic events to your XProtect system | Listening for generic events from external systems or devices. Only if the relevant data source is enabled.
1235 | TCP | Event Server service | Any server sending generic events to your XProtect system | Listening for generic events from external systems or devices. Only if the relevant data source is enabled.
9090 | TCP | Event Server service | Any system or device that sends analytics events to your XProtect system | Listening for analytics events from external systems or devices. Only relevant if the Analytics Events feature is enabled.
22331 | TCP | Event Server service | XProtect Smart Client and the Management Client | Configuration, events, alarms, and map data.
22332 | WS/WSS, HTTP/HTTPS* | Event Server service | API Gateway and the Management Client | Event/State Subscription, Events REST API and Alarms REST API.
22333 | TCP | Event Server service | MIP plug-ins and applications | MIP messaging.

*A 403 error is returned when HTTP is used to access an HTTPS-only endpoint.

Recording Server service

Port number | Protocol | Process | Connections from... | Purpose
25 | SMTP | Recording Server service | Cameras, encoders, and I/O devices | Listening for event messages from devices. The port is disabled by default. (Deprecated) Enabling it opens a port for non-encrypted connections and is not recommended.
5210 | TCP | Recording Server service | Failover recording servers | Merging of databases after a failover recording server has been running.
5432 | TCP | Recording Server service | Cameras, encoders, and I/O devices | Listening for event messages from devices. The port is disabled by default.
7563 | TCP | Recording Server service | XProtect Smart Client, Management Client | Retrieving video and audio streams, PTZ commands.
8966 | TCP | Recording Server service | Recording Server Manager tray icon, local connection only | Showing status and managing the service.
9001 | HTTP | Recording Server service | Management server | Web service for internal communication between servers. If multiple Recording Server instances are in use, every instance needs its own port. Additional ports will be 9002, 9003, etc.
11000 | TCP | Recording Server service | Failover recording servers | Polling the state of recording servers.
12975 | TCP | Recording Server service | Windows SNMP service | Communication with the SNMP extension agent. Do not use the port for other purposes even if your system does not apply SNMP. In XProtect 2014 systems or older, the port number was 6474; in XProtect 2019 R2 systems and older, it was 7474.
65101 | UDP | Recording Server service | Local connection only | Listening for event notifications from the drivers.

In addition to the inbound connections to the Recording Server service listed above, the
Recording Server service establishes outbound connections to:

- Cameras

- NVRs

- Remote interconnected sites (Milestone Interconnect ICP)

Failover Server service and Failover Recording Server service

Port number | Protocol | Process | Connections from... | Purpose
25 | SMTP | Failover Recording Server service | Cameras, encoders, and I/O devices | Listening for event messages from devices. The port is disabled by default. (Deprecated) Enabling it opens a port for non-encrypted connections and is not recommended.
5210 | TCP | Failover Recording Server service | Failover recording servers | Merging of databases after a failover recording server has been running.
5432 | TCP | Failover Recording Server service | Cameras, encoders, and I/O devices | Listening for event messages from devices. The port is disabled by default.
7474 | TCP | Failover Recording Server service | Windows SNMP service | Communication with the SNMP extension agent. Do not use the port for other purposes even if your system does not apply SNMP.
7563 | TCP | Failover Recording Server service | XProtect Smart Client | Retrieving video and audio streams, PTZ commands.
8844 | UDP | Failover Recording Server service | Failover recording server services | Communication between the servers.
8966 | TCP | Failover Recording Server service | Failover Recording Server Manager tray icon, local connection only | Showing status and managing the service.
8967 | TCP | Failover Server service | Failover Server Manager tray icon, local connection only | Showing status and managing the service.
8990 | TCP | Failover Server service | Management Server service | Monitoring the status of the Failover Server service.
9001 | HTTP | Failover Server service | Management server | Web service for internal communication between servers.

In addition to the inbound connections to the Failover Server / Failover Recording Server
service listed above, the Failover Server / Failover Recording Server service establishes
outbound connections to the regular recorders, cameras, and for Video Push.

Log Server service

Port number | Protocol | Process | Connections from... | Purpose
22337 | HTTP | Log Server service | All XProtect components except for the Management Client and the recording server | Write to, read from, and configure the log server.

Mobile Server service

Port number | Protocol | Process | Connections from... | Purpose
8000 | TCP | Mobile Server service | Mobile Server Manager tray icon, local connection only | SysTray application.
8081 | HTTP | Mobile Server service | Mobile clients, Web clients, and Management Client | Sending data streams; video and audio.
8082 | HTTPS | Mobile Server service | Mobile clients and Web clients | Sending data streams; video and audio.
40001-40099 | HTTP | Mobile Server service | Recording Server service | Video Push. This port range is disabled by default.

LPR Server service

Port number | Protocol | Process | Connections from... | Purpose
22334 | TCP | LPR Server service | Event server | Retrieving recognized license plates and server status. In order to connect, the event server must have the LPR plug-in installed.
22334 | TCP | LPR Server service | LPR Server Manager tray icon, local connection only | SysTray application.

Milestone Open Network Bridge service

Port number | Protocol | Process | Connections from... | Purpose
580 | TCP | Milestone Open Network Bridge service | ONVIF clients | Authentication and requests for video stream configuration.
554 | RTSP | RTSP service | ONVIF clients | Streaming of requested video to ONVIF clients.

XProtect DLNA Server service

Port number | Protocol | Process | Connections from... | Purpose
9100 | HTTP | DLNA Server service | DLNA device | Device discovery and providing DLNA channel configuration. Requests for video streams.
9200 | HTTP | DLNA Server service | DLNA device | Streaming of requested video to DLNA devices.

XProtect Screen Recorder service

Port number | Protocol | Process | Connections from... | Purpose
52111 | TCP | XProtect Screen Recorder | Recording Server service | Provides video from a monitor. It appears and acts in the same way as a camera on the recording server. You can change the port number in the Management Client.

XProtect Incident Manager service

Port number | Protocol | Process | Connections from... | Purpose
80 | HTTP | IIS | XProtect Smart Client and the Management Client | Same purpose as port 443. When you have not secured the communication with certificates, the VMS uses port 80.
443 | HTTPS | IIS | XProtect Smart Client and the Management Client | Same purpose as port 80. When you have secured the communication with certificates, the VMS uses port 443.

Server components (outbound connections)

Management Server service

Port number | Protocol | Connections to... | Purpose
443 | HTTPS | The License server that hosts the License Management service. Communication is via https://www.milestonesys.com/OnlineActivation/LicenseManagementService.asmx | Activating licenses.
Recording Server service

Port number | Protocol | Connections to... | Purpose
80 | HTTP | Cameras, NVRs, encoders | Authentication, configuration, data streams, video, and audio.
80 | HTTP | Interconnected sites | Login
443 | HTTPS | Cameras, NVRs, encoders | Authentication, configuration, data streams, video, and audio.
554 | RTSP | Cameras, NVRs, encoders | Data streams, video, and audio.
7563 | TCP | Interconnected sites | Data streams and events.
11000 | TCP | Failover recording servers | Polling the state of recording servers.
40001 - 40099 | HTTP | Mobile Server service | Mobile Server Video Push. This port range is disabled by default.
Failover Server service and Failover Recording Server service

Port number | Protocol | Connections to... | Purpose
11000 | TCP | Failover recording servers | Polling the state of recording servers.

Event Server service

Port number | Protocol | Connections to... | Purpose
443 | HTTPS | Milestone Customer Dashboard via https://service.milestonesys.com/ | Send status, events and error messages from the XProtect system to Milestone Customer Dashboard.
Log Server service

Port number | Protocol | Connections to... | Purpose
443 | HTTP | Log server | Forwarding messages to the log server.

API Gateway

Port number | Protocol | Connections to... | Purpose
443 | HTTPS | Management server | RESTful API

Cameras, encoders, and I/O devices (inbound connections)

Port number | Protocol | Connections from... | Purpose
80 | TCP | Recording servers and failover recording servers | Authentication, configuration, and data streams; video and audio.
443 | HTTPS | Recording servers and failover recording servers | Authentication, configuration, and data streams; video and audio.
554 | RTSP | Recording servers and failover recording servers | Data streams; video and audio.

Cameras, encoders, and I/O devices (outbound connections)

Port number | Protocol | Connections to... | Purpose
25 | SMTP | Recording servers and failover recording servers | Sending event notifications (deprecated).
5432 | TCP | Recording servers and failover recording servers | Sending event notifications. The port is disabled by default.
22337 | HTTP | Log server | Forwarding messages to the log server.

Only a few camera models are able to establish outbound connections.

Client components (outbound connections)

XProtect Smart Client, XProtect Management Client, XProtect Mobile server

Port number | Protocol | Connections to... | Purpose
80 | HTTP | Management Server service | Authentication
443 | HTTPS | Management Server service | Authentication of basic users when encryption is enabled.
443 | HTTPS | Milestone Systems A/S (doc.milestonesys.com at 52.178.114.226) | Management Client and Smart Client occasionally check if the online help is available by accessing the help URL.
7563 | TCP | Recording Server service | Retrieving video and audio streams, PTZ commands.
22331 | TCP | Event Server service | Alarms.
XProtect Web Client, XProtect Mobile client

Port number | Protocol | Connections to... | Purpose
8081 | HTTP | XProtect Mobile server | Retrieving video and audio streams.
8082 | HTTPS | XProtect Mobile server | Retrieving video and audio streams.

API Gateway

Port number | Protocol | Connections to... | Purpose
80 | HTTP | Management Server | RESTful API
443 | HTTPS | Management Server | RESTful API
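
As an added example (not part of this document and not Milestone code), the following Python script checks a host's observed listening sockets against the inbound ports documented in the tables above for the add-on server components: it flags listeners the tables do not document, unencrypted protocols, the Video Push range that is disabled by default, and the local-only tray port when it is bound to a non-loopback address. The observed listener list is a constructed sample, and the service and note strings are abbreviated from the tables.

```python
# Added example (not Milestone code): compare a host's listening sockets with
# the inbound port baseline documented in the tables above for the add-on
# server components. BASELINE is transcribed from those tables; OBSERVED is a
# constructed netstat-style sample for a host running the XProtect Mobile server.
from collections import namedtuple

Rule = namedtuple("Rule", "protocol service note")

BASELINE = {
    8000: Rule("TCP", "Mobile Server service", "tray icon, local connection only"),
    8081: Rule("HTTP", "Mobile Server service", "video/audio to clients"),
    8082: Rule("HTTPS", "Mobile Server service", "video/audio to clients"),
    22334: Rule("TCP", "LPR Server Service", "event server and tray icon"),
    580: Rule("TCP", "Milestone Open Network Bridge Service", "ONVIF auth/config"),
    554: Rule("RTSP", "RTSP Service", "streaming to ONVIF clients"),
    9100: Rule("HTTP", "DLNA Server Service", "discovery and configuration"),
    9200: Rule("HTTP", "DLNA Server Service", "streaming to DLNA devices"),
    52111: Rule("TCP", "XProtect Screen Recorder Service", "monitor feed"),
}
# The Video Push range 40001-40099 is documented as disabled by default.
for port in range(40001, 40100):
    BASELINE[port] = Rule("HTTP", "Mobile Server service", "Video Push; disabled by default")

PLAINTEXT = {"HTTP", "RTSP"}        # unencrypted media/control protocols
LOCAL_ONLY = {8000}                 # documented as local connection only
LOOPBACK = {"127.0.0.1", "::1"}

def audit(observed):
    """observed: list of (port, bind_address). Returns findings by category."""
    f = {"undocumented": [], "plaintext": [], "default_disabled": [], "exposed_local": []}
    for port, addr in observed:
        rule = BASELINE.get(port)
        if rule is None:
            f["undocumented"].append(port)      # not in the page's tables
            continue
        if "disabled by default" in rule.note:
            f["default_disabled"].append(port)  # range is open, so it was enabled
        if rule.protocol in PLAINTEXT:
            f["plaintext"].append(port)         # unencrypted; restrict or prefer HTTPS
        if port in LOCAL_ONLY and addr not in LOOPBACK:
            f["exposed_local"].append(port)     # local-only port bound externally
    return f

# Constructed sample: 3389 (RDP) is outside the baseline, 40010 is in the
# Video Push range, and the tray port 8000 is bound to all interfaces.
OBSERVED = [(8000, "0.0.0.0"), (8081, "0.0.0.0"), (8082, "0.0.0.0"),
            (40010, "0.0.0.0"), (3389, "0.0.0.0")]

if __name__ == "__main__":
    for category, ports in audit(OBSERVED).items():
        print(f"{category}: {sorted(ports)}")
```

On a real host, replace OBSERVED with the listener list from netstat or Get-NetTCPConnection and extend BASELINE with the core server tables earlier in this section.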


Application pools
The VMS contains standard application pools such as .NET v4.5, .NET v4.5 Classic and the DefaultAppPool. The
application pools that are available on your system appear in the Internet Information Services (IIS) Manager. In
addition to the standard application pools mentioned above, a set of VideoOS application pools is delivered
with the Milestone XProtect VMS.

Application pools in Milestone XProtect

In the table below you can get an overview of the VideoOS application pools that are delivered with Milestone
XProtect.

Name | Identity | Purpose
.NET v4.5 | ApplicationPoolId | Standard IIS feature
.NET v4.5 Classic | ApplicationPoolId | Standard IIS feature
DefaultAppPool | ApplicationPoolId | Standard IIS feature
VideoOS ApiGateway | NetworkService | Hosts the XProtect API Gateway, which is the future public API and gateway to the VMS.
VideoOS Classic | NetworkService | Hosts legacy components such as the local help, mainly to comply with backwards compatibility.
VideoOS IDP | NetworkService | Hosts the Identity Provider API. The Identity Provider creates, maintains, and manages identity information for basic users and provides authentication and registration services to relying applications or services.
VideoOS IM | NetworkService | Hosts the XProtect Incident Manager API. The XProtect Incident Manager documents incidents and combines them with sequence evidence (video and, potentially, audio) from the XProtect VMS.


Working with application pools


From the Application Pools page in the Internet Information Services (IIS) window you can add application
pools or set application pool defaults, and you can view the applications hosted by each application pool.

Open the Application Pools page


1. From the Windows Start menu, open Internet Information Services (IIS) Manager.

2. In the Connections pane, click the name of your environment, and then click Application Pools.

3. Under Actions, click Add Application Pool or Set Application Pool Defaults to perform any of these
tasks.

4. Select an application pool on the Application Pools page to display further options under Actions for
each application pool.


About Milestone

Milestone Systems is a leading provider of open platform video management software; technology that helps
the world see how to ensure safety, protect assets and increase business efficiency. Milestone Systems
enables an open platform community that drives collaboration and innovation in the development and use of
network video technology, with reliable and scalable solutions that are proven in more than 150,000 sites
worldwide. Founded in 1998, Milestone Systems is a stand-alone company in the Canon Group. For more
information, visit https://www.milestonesys.com/.
