Before you start deployment

Before you deploy the XProtect BYOL CloudFormation, you must meet the following AWS deployment prerequisites and XProtect VMS prerequisites.

It is highly recommended that you consult the Milestone Cloud Solutions training track for interactive courses that cover Milestone cloud fundamentals, as well as XProtect on AWS design and deployment.

AWS deployment prerequisites

Have an AWS account and a CloudFormation service role

You must create a new AWS account or use an existing AWS account that the administrator in your organization has created and a CloudFormation service role with the necessary permissions.

If an administrator in your organization has created an AWS account and a CloudFormation service role for you, you can skip the rest of this section. Continue to XProtect VMS prerequisites or Configuration and deployment.

If you are an AWS Identity and Access Management (IAM) Administrator, you have more permissions than necessary to run XProtect. For improved security of your XProtect production environment, you should create a CloudFormation service role with only the necessary permissions for XProtect. All users should use this service role when deploying the XProtect stack.

It is not recommended to use root user credentials to manage or deploy your AWS infrastructure.

  1. If your organization does not have an AWS account or if you want to run XProtect on a separate AWS account, create an AWS account. Otherwise, log into your existing AWS account.

    You can find information about how to create an AWS account in AWS Knowledge Center.

  2. The first step in creating a service role is to create a policy with the necessary permissions:
    1. In the AWS Management Console, open the Identity and Access Managemnt (IAM) page .
    2. Select the Policies node and select the Create Policy button.

      3. Create a AWS policy with the necessary permissions for XProtect.

    3. Select the JSON tab and follow this link to open a .txt file with a script that includes the necessary permissions. Copy and paste the content of the .txt file into the JSON tab. You can also copy and paste from the JSON script appendix.

      If wanted, you can download the .txt file and change the file extension to .json (XProtectCloudFormationServicePolicy.json).

    4. Select the Next: Tags button.
    5. Enter a name and a description for the policy and select the Create policy button.
  3. The next step in creating a service role is to create a role that you combine with the policy that you just created:
    1. Return to the Identity and Access Management (IAM) page and select the Roles node and then the Create role button.

      2. Create an AWS CloudFormation service role and combine it with your new AWS policy for XProtect.

    2. Select AWS service, CloudFormation , and the Next: Permissions button .

      3. Create an AWS CloudFormation service role and combine it with your new AWS policy for XProtect.

    3. In the Filter policies field, enter the first letters of the name of the policy that you created earlier.
    4. Select the policy and select the Next: Review button.
    5. Enter a name and description for the role and select the Create role button.

Have a key pair

To connect to the EC2 instance, you must create or use an existing key pair.

For information about how to create a key pair in the EC2 console or to import your own public key, see Create a key pair using Amazon EC2.

XProtect VMS prerequisites

Secure sensitive data

When installing your XProtect VMS, make sure you secure your installation and the collected surveillance data. For more information about data protection and the usage data collection, see the GDPR privacy guide.

Obtain a software license (.lic) file and register your XProtect Software License Code (SLC)

XProtect BYOL requires a software license (.lic) file and associated Software License Code (SLC), which must be registered in Milestone Customer Dashboard.

If you have not yet purchased a license, get a license for your desired XProtect version from a Milestone distributor or reseller using the Milestone partner network.

Register your SLC in Milestone Customer Dashboard:

  1. Log in to Milestone Customer Dashboard.

  2. Register software license codes (SLCs) in Milestone Customer Dashboard.

For more information about how to get your software license (.lic) if you have previously registered your SLC, see Get a software license (.lic) file in Milestone Customer Dashboard.

Prepare an EC2 instance hostname

To connect your XProtect BYOL deployment to your on-premises infrastructure, prepare a name for your EC2 instance that will also act as a Windows Active Directory (AD) hostname and domain name in your network topology. The name of the EC2 instance is entered into the Instance Hostname field when you deploy the XProtect BYOL CloudFormation.

If you do not plan to include your deployment to an existing network topology, it is still important to consider a valid EC2 Instance Hostname as XProtect VMS does not support changing the hostname after deployment.

For more information about AD naming conventions and character limits, see Naming conventions in Active Directory.

Prepare cameras and devices

Make sure camera models and firmware are supported by the XProtect system.

On the Milestone website, you can find a detailed list of supported devices and firmware versions (https://www.milestonesys.com/supported-devices/). Milestone develops unique drivers for devices or device families, and generic drivers for devices based on standards like ONVIF, or devices that use the RTSP/RTP protocols.

Some devices that use a generic driver and that are not specifically listed as supported may work, but Milestone does not provide support for such devices.

For security reasons, Milestone recommends that you change camera credentials from their manufacturer defaults. For more information, see Change passwords on hardware devices.

Assign static IP addresses or make DHCP reservations to all cameras and devices.

See the camera’s documentation for information about network configuration. If your system is configured with default port settings, you must connect the camera to HTTP port 80. You can also choose to change the default port settings.

Network bandwidth consumption

To make sure that sufficient bandwidth is available on your network, you must understand how and when the system consumes bandwidth. The main load on your network consists of three elements:

  • Camera video streams
  • Clients displaying video
  • Archiving of recorded video

The recording server retrieves video streams from the cameras, which results in a constant load on the network. Clients that display video consume network bandwidth. If there are no changes in the content of the client views, the load is constant. Changes in view content, video search, or playback, make the load dynamic.

Archiving of recorded video is an optional feature that lets the system move recordings to a network storage if there is not enough space in the internal storage system of the computer. This is a scheduled job that you have to define. Typically, you archive to a network drive which makes it a scheduled dynamic load on the network.

Your network must have bandwidth headroom to cope with these peaks in the traffic. This enhances the system responsiveness and general user experience.

Virus scanning (explained)

The XProtect software contains a database and as with any other database you need to exclude certain files and folders from virus scanning. Without implementing these exceptions, virus scanning uses a considerable amount of system resources. On top of that, the scanning process can temporarily lock files, which could result in a disruption in the recording process or even corruption of databases.

When you need to perform virus scanning, do not scan recording server folders that contain recording databases (by default C:\mediadatabase\, as well as all subfolders). Also, avoid performing virus scanning on archive storage directories.

Create the following additional exclusions:

  • File types: .blk, .idx, .pic
  • Folders and subfolders:
    • C:\Program Files\Milestone
    • C:\Program Files (x86)\Milestone
    • C:\ProgramData\Milestone

Your organization may have strict guidelines regarding virus scanning, but it is important that you exclude the above folders and files from virus scanning.