Use firewalls to limit IP access to servers and computers

Milestone recommends that you use secure connections, and the following additional steps:

  • Use secure device authentication
  • Use TLS
  • Use device whitelisting to authenticate devices
  • Use firewalls to limit network communication between servers and client computers and programs.

All XProtect components and the ports they need are listed in the individual sections below. To ensure that the firewall blocks only unwanted traffic, you need to specify the ports that the XProtect VMS uses and enable only those ports. The lists also include the ports used for local processes.

They are arranged in two groups:

  • Server components (services)—Offer their service on particular ports, which is why they need to listen for client requests on these ports. Therefore, these ports need to be opened in the Windows Firewall for inbound connections.
  • Client components (clients)—Initiate connections to particular ports on server components. Therefore, these ports need to be opened for outbound connections. Outbound connections are typically open by default in the Windows Firewall.

If nothing else is mentioned, ports for server components must be opened for inbound connections, and ports for client components must be opened for outbound connections.

Do keep in mind that server components can act as clients to other server components as well.

The port numbers listed are the defaults, but they can be changed. Contact Milestone Support if you need to change ports that are not configurable through the Management Client.

Server components (inbound connections)

Each of the following sections lists the ports that need to be opened for a particular service. To determine which ports need to be opened on a particular computer, consider all services running on that computer.

Restrict remote access to the Management Server by adding firewall rules that only allow Recording Servers to connect to TCP port 9000.
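The following is an added example, not part of the Milestone documentation, showing how the restriction above and the Management Server port list can be expressed as Windows Firewall rules with the built-in NetSecurity cmdlets. The recording server addresses and the VMS subnet are constructed placeholders.

```powershell
# Added example (not Milestone's own configuration): inbound rules for a Management Server host,
# following the port table on this page. Addresses below are constructed placeholders.
$RecordingServers = @('192.0.2.10', '192.0.2.11')   # constructed sample recording server addresses
$VmsSubnet        = '192.0.2.0/24'                  # constructed sample subnet holding clients and servers

# Default-deny inbound on every profile so that only the ports listed on this page are reachable.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# Port 9000 (Management Server service, HTTP and TCP): accept only the recording servers.
New-NetFirewallRule -DisplayName 'XProtect MgmtServer 9000 from recording servers' `
    -Direction Inbound -Protocol TCP -LocalPort 9000 `
    -RemoteAddress $RecordingServers -Action Allow

# Ports 80/443 (IIS) are used by all XProtect components and both clients, so they cannot be
# limited to a short host list; limit them to the VMS subnet rather than leaving them open to any address.
New-NetFirewallRule -DisplayName 'XProtect MgmtServer IIS 80/443' `
    -Direction Inbound -Protocol TCP -LocalPort 80,443 `
    -RemoteAddress $VmsSubnet -Action Allow

# Port 12345 (Matrix recipients) only if Matrix is in use; Smart Clients live in the VMS subnet.
New-NetFirewallRule -DisplayName 'XProtect MgmtServer 12345 Matrix' `
    -Direction Inbound -Protocol TCP -LocalPort 12345 `
    -RemoteAddress $VmsSubnet -Action Allow

# Ports marked "local connection only" in the table (6473, 8080) get no rule at all:
# with default-deny inbound they stay unreachable from the network.

# Verify the result: every enabled XProtect allow rule with its ports and accepted remote addresses.
function Get-XProtectInboundRules {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object DisplayName -like 'XProtect*' |
        ForEach-Object {
            $ports = ($_ | Get-NetFirewallPortFilter).LocalPort -join ','
            $addrs = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
            '{0}: port {1} from {2}' -f $_.DisplayName, $ports, $addrs
        }
}
Get-XProtectInboundRules
```

Run the verification function after any change so the accepted remote addresses for port 9000 never drift back to "Any".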

Management Server service and related processes

Port number | Protocol | Process | Connections from... | Purpose
--- | --- | --- | --- | ---
80 | HTTP | IIS | All XProtect components | Main communication, for example, authentication and configurations.
80 | HTTP | IIS | The Management Server service and Recording Server services | Handles registration of recording servers and management servers via the Authorization Server service.
443 | HTTPS | IIS | XProtect Smart Client and the Management Client | Authentication of basic users.
443 | HTTPS | IIS | The Management Server service and Recording Server services | Handles registration of recording servers and management servers via the Authorization Server service.
6473 | TCP | Management Server service | Management Server Manager tray icon, local connection only. | Showing status and managing the service.
8080 | TCP | Management server | Local connection only. | Communication between internal processes on the server.
9000 | HTTP | Management server | Recording Server services | Web service for internal communication between servers.
9000 | TCP | Management Server service | Recording Server services | Authentication, configuration, token exchange.
12345 | TCP | Management Server service | XProtect Smart Client | Communication between the system and Matrix recipients. You can change the port number in the Management Client.
12974 | TCP | Management Server service | Windows SNMP Service | Communication with the SNMP extension agent. Do not use the port for other purposes even if your system does not apply SNMP. In XProtect 2014 systems or older, the port number was 6475. In XProtect 2019 R2 systems and older, the port number was 7475.

SQL Server service

Port number | Protocol | Process | Connections from... | Purpose
--- | --- | --- | --- | ---
1433 | TCP | SQL Server | Management Server service | Storing and retrieving configurations.
1433 | TCP | SQL Server | Event Server service | Storing and retrieving events.
1433 | TCP | SQL Server | Log Server service | Storing and retrieving log entries.

Data Collector service

Port number | Protocol | Process | Connections from... | Purpose
--- | --- | --- | --- | ---
7609 | HTTP | IIS | On the management server computer: Data Collector services on all other servers. On other computers: Data Collector service on the Management Server. | System Monitor.

Event Server service

Port number | Protocol | Process | Connections from... | Purpose
--- | --- | --- | --- | ---
1234 | TCP/UDP | Event Server Service | Any server sending generic events to your XProtect system. | Listening for generic events from external systems or devices. Only if the relevant data source is enabled.
1235 | TCP | Event Server service | Any server sending generic events to your XProtect system. | Listening for generic events from external systems or devices. Only if the relevant data source is enabled.
9090 | TCP | Event Server service | Any system or device that sends analytics events to your XProtect system. | Listening for analytics events from external systems or devices. Only relevant if the Analytics Events feature is enabled.
22331 | TCP | Event Server service | XProtect Smart Client and the Management Client | Configuration, events, alarms, and map data.
22333 | TCP | Event Server service | MIP Plug-ins and applications. | MIP messaging.

Recording Server service

Port number | Protocol | Process | Connections from... | Purpose
--- | --- | --- | --- | ---
25 | SMTP | Recording Server Service | Cameras, encoders, and I/O devices. | Listening for event messages from devices. The port is disabled by default.
5210 | TCP | Recording Server Service | Failover recording servers. | Merging of databases after a failover recording server has been running.
5432 | TCP | Recording Server Service | Cameras, encoders, and I/O devices. | Listening for event messages from devices. The port is disabled by default.
7563 | TCP | Recording Server Service | XProtect Smart Client, Management Client | Retrieving video and audio streams, PTZ commands.
8966 | TCP | Recording Server Service | Recording Server Manager tray icon, local connection only. | Showing status and managing the service.
9001 | HTTP | Recording Server Service | Management server | Web service for internal communication between servers. If multiple Recording Server instances are in use, every instance needs its own port. Additional ports will be 9002, 9003, etc.
11000 | TCP | Recording Server Service | Failover recording servers | Polling the state of recording servers.
12975 | TCP | Recording Server Service | Windows SNMP service | Communication with the SNMP extension agent. Do not use the port for other purposes even if your system does not apply SNMP. In XProtect 2014 systems or older, the port number was 6474. In XProtect 2019 R2 systems and older, the port number was 7474.
65101 | UDP | Recording Server service | Local connection only | Listening for event notifications from the drivers.

In addition to the inbound connections to the Recording Server service listed above, the Recording Server service establishes outbound connections to the cameras.

Failover Server service and Failover Recording Server service

Port number | Protocol | Process | Connections from... | Purpose
--- | --- | --- | --- | ---
25 | SMTP | Recording Server Service | Cameras, encoders, and I/O devices. | Listening for event messages from devices. The port is disabled by default.
5210 | TCP | Recording Server Service | Failover recording servers | Merging of databases after a failover recording server has been running.
5432 | TCP | Recording Server Service | Cameras, encoders, and I/O devices. | Listening for event messages from devices. The port is disabled by default.
7474 | TCP | Recording Server Service | Windows SNMP service | Communication with the SNMP extension agent. Do not use the port for other purposes even if your system does not apply SNMP.
7563 | TCP | Recording Server Service | XProtect Smart Client | Retrieving video and audio streams, PTZ commands.
8844 | UDP | Failover recording servers | Local connection only. | Communication between the servers.
8966 | TCP | Failover Recording Server Service | Failover Recording Server Manager tray icon, local connection only. | Showing status and managing the service.
8967 | TCP | Failover Server Service | Failover Server Manager tray icon, local connection only. | Showing status and managing the service.
8990 | TCP | Failover Server Service | Management Server service | Monitoring the status of the Failover Server service.
9001 | HTTP | Failover Server Service | Management server | Web service for internal communication between servers.

In addition to the inbound connections to the Failover Recording Server service listed above, the Recording Server service establishes outbound connections to the cameras.

Log Server service

Port number | Protocol | Process | Connections from... | Purpose
--- | --- | --- | --- | ---
22337 | HTTP | Log Server service | All XProtect components except for Management Client and the recording server. | Write to, read from, and configure the log server.

Mobile Server service

Port number | Protocol | Process | Connections from... | Purpose
--- | --- | --- | --- | ---
8000 | TCP | Mobile Server service | Mobile Server Manager tray icon, local connection only. | SysTray application.
8081 | HTTP | Mobile Server service | Mobile clients, Web clients, and Management Client. | Sending data streams; video and audio.
8082 | HTTPS | Mobile Server service | Mobile clients and Web clients. | Sending data streams; video and audio.

LPR Server service

Port number | Protocol | Process | Connections from... | Purpose
--- | --- | --- | --- | ---
22334 | TCP | LPR Server Service | Event server | Retrieving recognized license plates and server status. In order to connect, the Event server must have the LPR plug-in installed.
22334 | TCP | LPR Server Service | LPR Server Manager tray icon, local connection only. | SysTray application.

Milestone ONVIF Bridge service

Port number | Protocol | Process | Connections from... | Purpose
--- | --- | --- | --- | ---
580 | TCP | ONVIF Bridge Service | ONVIF clients | Authentication and requests for video stream configuration.
554 | RTSP | RTSP Service | ONVIF clients | Streaming of requested video to ONVIF clients.

XProtect DLNA Server service

Port number | Protocol | Process | Connections from... | Purpose
--- | --- | --- | --- | ---
9100 | HTTP | DLNA Server Service | DLNA device | Device discovery and providing DLNA channels configuration. Requests for video streams.
9200 | HTTP | DLNA Server Service | DLNA device | Streaming of requested video to DLNA devices.

XProtect Screen Recorder service

Port number | Protocol | Process | Connections from... | Purpose
--- | --- | --- | --- | ---
52111 | TCP | XProtect Screen Recorder | Recording Server Service | Provides video from a monitor. It appears and acts in the same way as a camera on the recording server. You can change the port number in the Management Client.
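Because a host's required ports depend on which of the services above are installed on it, a periodic check that compares what is actually listening against the documented list catches forgotten services and ports that the table marks as local only but that are bound on all interfaces. The following is an added example, not Milestone's own tooling; the expected-port table is filled in for a Management Server host from the tables above and must be adjusted for other roles.

```powershell
# Added example (not Milestone's own tooling): compare listening TCP ports on a Management Server
# host with the ports documented for that role on this page. Adjust $Expected to the services
# actually installed on the host being checked.
$Expected = @{
    80    = 'IIS (HTTP)'
    443   = 'IIS (HTTPS)'
    1433  = 'SQL Server'                                   # only if SQL Server runs on this host
    6473  = 'Management Server Manager tray icon (local only)'
    7609  = 'Data Collector (IIS)'
    8080  = 'Internal processes (local only)'
    9000  = 'Management Server service'
    12345 = 'Matrix recipients'
    12974 = 'SNMP extension agent'
}
# Ports the table documents as local connection only; they should not be reachable from the network.
$LocalOnly = @(6473, 8080)
$LoopbackAddresses = @('127.0.0.1', '::1')

function Test-XProtectListeners {
    # One finding per listening socket; ephemeral and Windows system ports will show up as
    # UNEXPECTED and must be reviewed against the host's role rather than silently allowed.
    Get-NetTCPConnection -State Listen | Sort-Object LocalPort, LocalAddress | ForEach-Object {
        $port = [int]$_.LocalPort
        $proc = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        if (-not $Expected.ContainsKey($port)) {
            '[UNEXPECTED] port {0} owned by {1} listening on {2}' -f $port, $proc, $_.LocalAddress
        }
        elseif ($LocalOnly -contains $port -and $LoopbackAddresses -notcontains $_.LocalAddress) {
            # Bound beyond loopback: the firewall must block it, since the service itself does not.
            '[CHECK] port {0} ({1}) is local only but binds {2}; confirm the firewall blocks it' -f $port, $Expected[$port], $_.LocalAddress
        }
        else {
            '[OK] port {0}: {1}' -f $port, $Expected[$port]
        }
    }
}
Test-XProtectListeners
```

Run it as an administrator so that the owning process of each socket can be resolved, and treat every UNEXPECTED line as a port to either document or close.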

Learn more

The following control(s) provide additional guidance:

  • NIST SP 800-53 CA-3 System Interconnections
  • NIST SP 800-53 CM-6 Configuration Settings
  • NIST SP 800-53 SC-7 Boundary Protection