Configuring Milestone Federated Architecture

XProtect Expert can only be federated as child sites.

Milestone Federated Architecture links multiple individual standard systems into a federated site hierarchy of parent/child sites. Client users with sufficient rights have seamless access to video, audio and other resources across individual sites. Administrators can centrally manage all sites from version 2018 R1 and newer within the federated hierarchy, based on administrator rights for the individual sites.

Basic users are not supported in Milestone Federated Architecture systems, so you must add users as Windows users through the Active Directory service.

Milestone Federated Architecture is set up with one central site (top site) and an unlimited number of federated sites (see Set up your system to run federated sites). When you are logged into a site, you can access information about all of its child sites and the child sites' child sites. The link between two sites is established when you request the link from the parent site (see Add site to hierarchy). A child site can only be linked to one parent site. If you are not the administrator of the child site when you add it to the federated site hierarchy, the request must be accepted by the child site administrator.

The components of a Milestone Federated Architecture setup:

  1. Server with SQL Server
  2. Management server
  3. Management Client
  4. XProtect Smart Client
  5. Cameras
  6. Recording server
  7. Failover recording server
  8. to 12. Federated sites

Hierarchy synchronization

A parent site contains an updated list of all its currently attached child sites, child sites' child sites and so on. The federated site hierarchy has a scheduled synchronization between sites, as well as a synchronization every time a site is added or removed by the system administrator. When the system synchronizes the hierarchy, it takes place level by level, each level forwarding and returning communication, until it reaches the server that requests the information. The system sends less than 1MB each time. Depending on the number of levels, changes to a hierarchy can take some time to become visible in the Management Client. You cannot schedule your own synchronizations.

Data traffic

The system sends communication or configuration data when a user or administrator views live or recorded video or configures a site. The amount of data depends on what and how much is being viewed or configured.

Milestone Federated Architecture with other products

  • If the central site uses XProtect Smart Wall, you can also use the XProtect Smart Wall features in the federated site hierarchy. See Configure Smart Walls on how to set up XProtect Smart Wall
  • If the central site uses XProtect Access and an XProtect Smart Client user logs into a site in a federated site hierarchy, access request notifications from the federated sites also appear in XProtect Smart Client
  • You can add XProtect Expert 2013 systems or newer to the federated site hierarchy as child sites, not as parent sites
  • Milestone Federated Architecture does not require additional licenses
  • For more information about use cases and benefits, see the white paper about Milestone Federated Architecture.

Establishing a federated site hierarchy

Before you start building up the hierarchy in the Management Client, Milestone recommends that you map how you want your sites to link together.
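
The mapping step can be checked mechanically before any site is linked. The following is an added example, not Milestone code: it tests a planned hierarchy against the rules stated on this page (one parent per child site, XProtect Expert only as a child site, no mixing of domain and workgroup sites, one top site). The site names, the `expert` and `membership` fields and the function name are assumptions made for the illustration.

```python
from collections import defaultdict

def validate_plan(sites, links):
    """Return rule violations for a planned hierarchy (empty list = plan is OK)."""
    findings = []
    parents, children = defaultdict(list), defaultdict(list)
    for parent, child in links:
        if parent not in sites or child not in sites:
            findings.append(f"unknown site in link {parent} -> {child}")
            continue
        parents[child].append(parent)
        children[parent].append(child)
        if sites[parent]["expert"]:
            findings.append(f"{parent}: XProtect Expert cannot be a parent site")
        if sites[parent]["membership"] != sites[child]["membership"]:
            findings.append(f"{parent} -> {child}: domain and workgroup mixed")
    for child, linked in sorted(parents.items()):
        if len(linked) > 1:
            findings.append(f"{child}: more than one parent {sorted(linked)}")
    tops = sorted(s for s in sites if not parents.get(s))
    if len(tops) != 1:
        findings.append(f"expected exactly one top site, found {tops}")
    # Walk down from the top site(s); a site that is never reached sits in a loop.
    seen, stack = set(), list(tops)
    while stack:
        site = stack.pop()
        if site not in seen:
            seen.add(site)
            stack.extend(children[site])
    for site in sorted(set(sites) - seen):
        findings.append(f"{site}: not reachable from a top site (circular link)")
    return findings

# Constructed sample plan (hypothetical sites, not taken from a real system).
SITES = {
    "HQ":    {"expert": False, "membership": "domain"},
    "Paris": {"expert": False, "membership": "domain"},
    "Lyon":  {"expert": True,  "membership": "domain"},
    "Depot": {"expert": False, "membership": "workgroup"},
}
BAD_LINKS = [("HQ", "Paris"), ("HQ", "Lyon"), ("Paris", "Lyon"), ("Lyon", "Depot")]

if __name__ == "__main__":
    for finding in validate_plan(SITES, BAD_LINKS):
        print(finding)
```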

You install and configure each site in a federated hierarchy as a normal standalone system with standard system components, settings, rules, schedules, administrators, users, and user rights. If you already have the sites installed and configured and only need to combine them in a federated site hierarchy, your systems are ready to be set up.

Once the individual sites are installed, you must set them up to run as federated sites (see Set up your system to run federated sites).

To start the hierarchy, you can log into the site that you want to work as the central site and add (see Add site to hierarchy) the first federated site. When the link is established, the two sites automatically create a federated site hierarchy in the Federated Site Hierarchy pane in the Management Client to which you can add more sites to grow the federated hierarchy.

When you have created a federated site hierarchy, users and administrators can log into a site to access that site and any federated sites it may have. Access to federated sites depends on the user rights.

There is no limit to the number of sites you can add to the federated hierarchy. Also, you can have a site on an older product version linked to a newer version and vice versa. The version numbers appear automatically and cannot be deleted. The site that you are logged into is always at the top of the Federated Site Hierarchy pane and is called home site.

Below is an example of federated sites in the Management Client. To the left, the user has logged into the top site. To the right, the user has logged into one of the child sites, the Paris Server, which is then the home site.

Status icons in Milestone Federated Architecture

The icons represent the possible states of a site:

  • The top site in the entire hierarchy is operational.
  • The top site in the entire hierarchy is still operational, but one or more issues need attention. Shown on top of the top site icon.
  • The site is operational.
  • The site is waiting to be accepted in the hierarchy.
  • The site is attaching, but is not yet operational.

Set up your system to run federated sites

To prepare your system for Milestone Federated Architecture, you must make certain choices when you install the management server. Depending on how your IT infrastructure is set up, choose between three different alternatives.

Alternative 1: Connect sites from the same domain (with a common domain user)

Before you install the management server, you must create a common domain user and configure this user as the administrator on all servers involved in the federated site hierarchy. How you connect the sites depends on the created user account.

With a Windows user account

  1. Start the installation of the product on the server to be used as the management server and select Custom.
  2. Select to install the Management Server service using a user account. The selected user account must be the administrator account used on all management servers. You must use the same user account when you install the other management servers in the federated site hierarchy.
  3. Finish the installation. Repeat steps 1-3 to install any other systems you want to add to the federated site hierarchy.
  4. Add site to hierarchy (see Add site to hierarchy).

With a Windows built-in user account (network service)

  1. Start the installation of the product on the first server to be used as the management server and select Single Computer or Custom. This installs the management server using a network service account. Repeat this step for all the sites in your federated site hierarchy.
  2. Log into the site that you want as your central site in the federated site hierarchy.
  3. In the Management Client, expand Security > Roles > Administrators.
  4. On the Users and Groups tab, click Add and select Windows User.
  5. In the dialog box, select Computers as object type, enter the server name of the federated site and click OK to add the server to the Administrator role of the central site. Repeat this step until you have added all the federated sites in this way and exit the application.
  6. Log into each federated site, and add the following servers to the Administrator role, in the same way as above:
    • The parent site server.
    • The child site servers that you want to connect directly to this federated site.
  7. Add site to hierarchy (see Add site to hierarchy).
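
For the network service alternative, the computer accounts that steps 5 and 6 place in each site's Administrators role follow directly from the planned links, which makes the role membership easy to review afterwards. The following is an added example, not Milestone code; the server names, function names and the reviewed member lists are constructed, and each member list is assumed to hold only the computer accounts found in that site's Administrators role.

```python
def expected_role_members(top, links):
    """Computer accounts each site's Administrators role needs per steps 5 and 6."""
    expected = {top: set()}
    for parent, child in links:
        expected.setdefault(parent, set())
        expected.setdefault(child, set())
        expected[top].add(child)      # step 5: central site lists every federated site
        expected[parent].add(child)   # step 6: child site server connected directly
        expected[child].add(parent)   # step 6: the parent site server
    return expected

def audit_role(site, actual_members, expected):
    """Compare a site's computer accounts with what the procedure requires."""
    want = {name.upper() for name in expected[site]}
    have = {name.upper() for name in actual_members}
    return {"missing": sorted(want - have), "not_required": sorted(have - want)}

# Constructed plan: HQ-MS is the central site, LYON-MS is a child of PARIS-MS.
TOP = "HQ-MS"
LINKS = [("HQ-MS", "PARIS-MS"), ("PARIS-MS", "LYON-MS")]

# Constructed member lists, as they might be noted down during a review.
ACTUAL = {
    "HQ-MS": ["PARIS-MS", "LYON-MS"],
    "PARIS-MS": ["HQ-MS"],              # the direct child server is missing
    "LYON-MS": ["paris-ms", "HQ-MS"],   # HQ-MS is not this site's parent
}

def audit_all():
    expected = expected_role_members(TOP, LINKS)
    return {site: audit_role(site, ACTUAL[site], expected) for site in expected}

if __name__ == "__main__":
    for site, result in audit_all().items():
        print(site, result)
```

Every entry in this role gives a server's account administrator rights on the site, so an account listed under `not_required` is worth removing unless there is a documented reason for it.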

Alternative 2: Connecting sites from different domains

To connect to sites across domains, make sure that the domains trust each other. You set up domains to trust each other in the Microsoft Windows Domain configuration. When you have established trust between the domains in which the sites in the federated site hierarchy are placed, follow the procedure described in Alternative 1. For more information about how to set up trusted domains, see the Microsoft website (https://docs.microsoft.com/previous-versions/windows/it-pro/windows-2000-server/cc961481(v=technet.10)/).

Milestone recommends Milestone Interconnect for creating connected multi-site systems with multiple domains.

Alternative 3: Connect sites in workgroup(s)

When you connect sites inside workgroups, the same administrator account must be present on all servers you want connected in the federated site hierarchy. You must define the administrator account before you install the system.

  1. Log into Windows using a common administrator account.
  2. Start the installation of the product and click Custom.
  3. Select to install the Management Server service using the common administrator account.
  4. Finish the installation. Repeat steps 1-4 to install any other systems you want to connect. You must install all of these systems using the common administrator account.
  5. Add site to hierarchy (see Add site to hierarchy).

Milestone recommends Milestone Interconnect for creating connected multi-site systems when the sites are not part of a domain.

You cannot mix domain(s) and workgroup(s). This means that you cannot connect sites from a domain to sites from a workgroup and vice versa.

Add site to hierarchy

As you expand your system, you can add sites to your top site and to its child sites as long as the system is set up correctly.

  1. Select the Federated Site Hierarchy pane.
  2. Select the site to which you want to add a child site, right-click, and click Add Site to Hierarchy.
  3. Enter the URL of the requested site in the Add Site to Hierarchy window and click OK.
  4. The parent site sends a link request to the child site and after a while, a link between the two sites is added to the Federated Site Hierarchy pane.
  5. If you can establish the link to the child site without requesting acceptance from the child site administrator, go to step 7.

    If not, the child site has the awaiting acceptance icon until the administrator of the child site has authorized the request.

  6. Make sure that the administrator of the child site authorizes the link request from the parent site (see Accept inclusion in the hierarchy).
  7. The new parent/child link is established and the Federated Site Hierarchy pane is updated with the icon for the new child site.

Accept inclusion in the hierarchy

When a child site has received a link request from a potential parent site where the administrator did not have administrator rights to the child site, it has the awaiting acceptance icon.

To accept a link request:

  1. Log into the site.
  2. In the Federated Site Hierarchy pane, right-click the site and click Accept Inclusion in Hierarchy.

    If the site runs the XProtect Expert version, you right-click the site in the Site Navigation pane.

  3. Click Yes.
  4. The new parent/child link is established and the Federated Site Hierarchy pane is updated with the normal site icon for the selected site.

Changes that you make to child sites located far from the parent site can take some time to be reflected in the Federated Site Hierarchy pane.

Set site properties

You can view and, possibly, edit properties on your home site and its child sites.

  1. In the Management Client, in the Federated Site Hierarchy pane, select the relevant site, right-click, and select Properties.

  2. If needed, change the following:

    General tab (see General tab)

    Parent Site tab (see Parent Site tab) (available on child sites only)

    Due to synchronization issues, any changes made to remote children might take some time to be reflected in the Site Navigation pane.

Refresh site hierarchy

The system regularly and automatically synchronizes the hierarchy through all levels of your parent/child setup. You can refresh it manually if you want to see changes reflected instantly in the hierarchy and do not want to wait for the next automatic synchronization.

You need to be logged into a site to perform a manual refresh. Only changes saved by this site since the last synchronization are reflected by a refresh. This means that changes made further down in the hierarchy might not be reflected by the manual update, if the changes have not reached the site yet.

  1. Log into the relevant site.
  2. Right-click the top site in the Federated Site Hierarchy pane and click Refresh Site Hierarchy.

    This will take a few seconds.

Log into other sites in the hierarchy

You can log into other sites and administer them. The site you are logged into is your home site.

  1. In the Federated Site Hierarchy pane, right-click the site that you want to log into.
  2. Click Log into Site.

    The Management Client for that site opens.

  3. Enter login information and click OK.
  4. After login is complete, you are ready to do your administrative tasks for that site.

Detach a site from the hierarchy

When you detach a site from its parent site, the link between the sites is broken. You can detach sites from the central site, from the site itself or its parent site.

  1. In the Federated Site Hierarchy pane, right-click the site, and click Detach Site from Hierarchy.
  2. Click Yes to update the Federated Site Hierarchy pane.

    If the detached site has child sites, it becomes the new top site for this branch of the hierarchy, and the normal site icon changes to a top site icon.

  3. Click OK.

The changes to the hierarchy are reflected after a manual refresh or an automatic synchronization.

Federated site properties

This section describes the General tab and the Parent Site tab.

General tab

You can change some of the information related to the site that you are currently logged in to.

  • Name: Enter the name of the site.
  • Description: Enter a site description.
  • URLs: Use the list to add and remove URL(s) for this site and indicate if they are external or not. External addresses can be reached from outside the local network.
  • Version: The version number of the site's management server.
  • Service account: The service account under which the management server is running.
  • Time for last synchronization: Time and date of the last synchronization of the hierarchy.
  • Status for last synchronization: The status of the last synchronization of the hierarchy. It can be either Successful or Failed.

Parent Site tab

This tab shows information about the parent site of the site that you are currently logged in to. The tab is not visible if your site has no parent site.

  • Name: Shows the name of the parent site.
  • Description: Shows a description of the parent site (optional).
  • URLs: Lists URL(s) for the parent site and indicates if they are external or not. External addresses can be reached from outside the local network.
  • Version: The version number of the site's management server.
  • Service account: The service account under which the management server is running.
  • Time for last synchronization: Time and date of the last synchronization of the hierarchy.
  • Status for last synchronization: The status of the last synchronization of the hierarchy. It can be either Successful or Failed.