Installation and deployment steps

  1. Check prerequisites

  2. Run the installation script

  3. Activate the BriefCam license

  4. Set up the deployment

  5. Define and activate the cameras

  6. Disable face recognition and license plate recognition (optional)

  7. Update the SSO address

  8. Install BriefCam Embedded Client for Milestone XProtect plug-in

  9. Using an HTTPS host (optional)

STEP 1 - Check prerequisites

XProtect Rapid REVIEW will not work if the minimum requirements are not met. For additional information, see the APPENDIX: XProtect Rapid REVIEW hardware recommendations.

Make sure an adequate site survey was performed and the following requirements are met:

Server At least one dedicated server for XProtect Rapid REVIEW (it cannot be installed on the same server with the VMS)
Memory At least 32GB of RAM
Storage

  • At least 250GB of free space for the application

  • At least 250GB for the database (on SSD drives)

  • At least 0.5T drive for data storage (video and metadata)

Refer to the APPENDIX: XProtect Rapid REVIEW hardware recommendations for recommended storage size.

GPUs At least one supported GPU
CPU For each GPU, at least 4 cores at 2.5GHz and above
Drivers

For the server with the GPU, make sure to download a supported version of the NVIDIA driver (461.72 or higher).

For the Tesla family of cards, the supported versions are 461.33 or higher.

Make sure to restart the computer after installing the NVIDIA driver.
Network connectivity between BriefCam and the VMS Ensure a minimum of 1 Gbps of throughput is available. This is relevant for deployments with less than 300 cameras on site. For larger deployments, consult with your BriefCam Account Manager.
Operating System Windows 10 Pro version 1803 or higher, Windows Server 2016 or Windows Server 2019 (You can check the Windows versions by running winver.exe.) For the Windows 10 'N' edition, you need to install 'Media Feature Pack' and 'Windows Media Player' via the Windows optional features menu. For more information, click here.
Windows Updates Make sure that the latest Windows updates are installed.
.NET Framework

If the computer is running Windows 10 or Windows Server 2016, download and install .NET Framework 4.7.2 Runtime or higher.

Make sure to restart the computer after installing .NET Framework.
Permissions Current logged in user has full local admin rights and full Registry Read/Write permissions.
Browsers

Mozilla Firefox v. 69.* and above

Google Chrome v. 77.* and above

Microsoft Edge v. 80 and above

 
Ports See the Firewall Consideration and Ports Availability section below.

Firewall Consideration and Ports Availability

Internal (Local) Ports

On each server, the following ports should be opened for internal communication:

  • On each server, all outbound ports should be opened, to allow communicating with other servers as needed.

  • On each server, the following inbound ports should be opened according to the installed services. The BriefCam application listens for incoming traffic from these ports. The installer will create the relevant Windows firewall rules for these ports.

Component Port #
BI Face Recognition Service TCP 2556, TCP 13004
Face Recognition Matching Service TCP 2553, TCP 13002
Filtering Service TCP 2555, TCP 13001 TCP 2557
License Service TCP 1947
Lighthouse Service TCP 2557
LPR Matching Service TCP 2554, TCP 13003
Milestone TCP 554, TCP 8080
MilestoneSSOProvider TCP 8030
Notification Service TCP 7080
PostgreSQL Redis TCP 5432
Redis TCP 6379
Storage TCP 139, TCP 445
Video Streaming Gateway Service TCP 5010
VSServer Service TCP 1112, TCP 1113
Web Services (BOA, ProWebApi, AdminWebApi) HTTP (80)

External Ports

The following ports should be opened to traffic coming from the end users’ browsers.

Component Port # Comment
Web Services HTTP (80)  
Video Streaming Gateway Service TCP 5010 Not needed when using a load balancer
Notification Service TCP 7080

Additionally recommend prerequisites

  • Set the default system language to English during the installation. If the language is a language other than English, the installation may end with an error. The system language can be set to any preferred language after the installation.

  • Disable antivirus scans from all BriefCam folders. For more information, see the Antivirus guidelines from BriefCam.

STEP 2 – Run the installation script

  1. Extract the XProtect Rapid REVIEW package (RapidREVIEW_v6.x.xxxxx.zip)

    The extracted folder includes a main folder called deploy with the installation script and multiple installer files:

      • BriefCam Milestone plug-in

      • BriefCam Embedded Client for Milestone XProtect plugin

      • BriefCam PostgreSQL

      • BriefCam Server

      • BriefCam Web Services

    Note: You do not need to run any of the installers (except for the embedded client installer). The installation script automatically installs XProtect Rapid REVIEW for you.

    If you are using the latest Windows Update and a Windows Defender alert appears, click the More info link and click Run anyway.

  1. If you want to change the target directory for a server application or its associated data from C:// to a different location, open the config.json file (located in the deploy folder) and change all of the paths that are highlighted in the illustration below to the new location.

  1. Open Windows PowerShell 64 bit as an Administrator.

  2. Run the following PowerShell command to enable running remote signed scripts:

Set-ExecutionPolicy RemoteSigned

  1. When asked if you want to change the execution policy, type in a and press Enter.

  2. Open the deploy installation folder:

    cd [your extracted folder]\deploy

  1. Set seven variables by running each of the below commands separately. Replace the text in quotation marks (" ") with your values. Note that all of the strings should only have whole numbers and/or English letters:

    Command Description
    $env:BC_USR="USER_NAME"

    The user that runs BriefCam services.

    $env:BC_PWD="USER_PASSWORD" The user’s password.
    $env:PG_BC_USR="PG_BC_USR" The BriefCam application user for the PostgreSQL database. This cannot be the same as the PG_BC_ADMIN_USR mentioned below.
    $env:PG_BC_PWD="PG_BC_PWD" The password of the user above (PostgreSQL user).
    $env:PG_BC_ADMIN_USR="PG_BC_ADMIN_USR" The root admin user for the PostgreSQL datbase. This cannot be the same as the PG_BC_USR mentioned above.
    $env:PG_BC_ADMIN_PWD="PG_BC_ADMIN_PWD" The password of the user above (PostgreSQL root admin user).
    $env:BC_PASS_PHRASE = "Welcome1" This pass phrase will be used to generate an encryption key to secure connection strings and other sensitive data.

    For the most reliable performance, the user that runs BriefCam services, the BC_USR, should be part of the Administrators role in XProtect Management Client and additionally, this user should have local administrator rights on the server where the deployment is performed.

    If a user that runs BriefCam services logs on using the Windows authentication (current user) option and this user is not part of the Administrators role in XProtect Management Client, authentication in BriefCam via the BriefCamMilestone SSO provider might fail. The failure to authenticate will have the effect that the BriefCam tab in XProtect® Smart Client will load without content.

  2. If a domain user is required, set the domain name itself in the config file (config.json):

    "bc_domain: "user-domain-name"

  1. Run the following command to start the installation:

    .\deploy.ps1 -local

For example:


The installation may take 10-25 minutes.

Troubleshooting

If an error occurs, the error appears in the screen above and in the deploy.log and deploy-trace.log files, which are located in the deploy directory.

If you receive the following error, you ran the wrong version of PowerShell:

ERROR: The term 'get-localuser' is not recognized as the name of a cmdlet. function. script file or operable program. Check the spelling of the name, or if a path was include, verify that the path is correct and try again.

If the installation failed:

  1. Investigate the log files (deploy.log and deploy-trace.log) and fix the issue.
  2. Reinstall BriefCam:
    1. Run the following command in PowerShell to remove all installation components:

    3. .\deploy.ps1 -uninstall -local -purge

    For example:


    1. Rerun the installation script.

STEP 3 – Activate the BriefCam license

  1. On the XProtect Rapid REVIEW computer, launch the BriefCam License Activation application from the Start menu.

  2. Enter the product key that you received from BriefCam, and click Activate.

  1. Upon successful activation, the following dialog box will appear.

  2. Click OK to close the dialog box, and then click Close in the main application window to close the License Activation application.

STEP 4 – Set up the deployment

  1. In a browser, enter the URL of the computer where XProtect Rapid REVIEW was installed followed by slash (/) and the word admin, that is: http://[computer name]/admin. The BriefCam Administrator Console will open.

  2. Log into the console. The user is Administrator and the password is changeit.

  3. Change the password.

You’ll now set up the deployment from the Deployment section.

  1. From the Deployment section, click Hosts.

  2. Next to the host name, click on the settings icon .

  3. From the Templates menu, select All In One, and click Apply.

  1. Clear the Alert Processing Server, BI Face Recognition Service, and BI Rule Engine Service check boxes (these options will not be needed).

  2. From the Deployment section, click GPUs.

  3. Click on the edit icon ().

  4. In the Mode column, select On Demand.

  5. If face recognition will be used, select the Face Recognition check box.

  1. Verify that the number of workers under Workers is set to 4.

  2. From the Deployment section, click Services.

  3. Select the check box at the top left of the table.

  4. Click the start button (as shown in the image below).

STEP 5– Define and activate the cameras

  1. Open the Settings section and click Camera Management (as shown in the image below).

  1. Click Add directory. The Add Directory dialog box opens.

  1. From the Video Integration field, select Milestone Integration.

  1. In the Directory Name field, enter a display name for the user directory.

  2. In the Address field, enter the address of the Milestone VMS server.

  3. In the User name and Password fields, enter an administrator user name and password of the VMS server. With an admin user you can make sure that all cameras can be accessed.

  4. Click Add to add the directory.

  5. Click the zoom () icon to the right of the new directory and select the Add / Edit Cameras option.

  6. For all of the cameras, select the check box in the camera’s Activated column and click the Activate button (located in the bottom right corner), as shown in the image below.

STEP 6 – Disable face recognition and license plate recognition (optional)

If you want to disable face recognition and/or license plate recognition:

  1. Set the clientEnableFaceRecognition environment setting to false. This removes the Face Recognition functionality from the UI.

  2. Set the MetaData.EnableFaceRecognition environment setting to false. This disables the Face Recognition engine.

  3. Set the EnableLPR environment setting to false. This removers the License Plate Recognition functionality from the UI.

STEP 7 – Update the SSO address

  1. On the XProtect Rapid REVIEW computer, go to C:\Program Files\BriefCam\BriefCam Server and open the MilestoneSSOProvider.exe.config file.

  1. Edit the MilestoneAddress setting with the IP address of the Milestone VMS server.

Note: If STEP 7 is performed later, you will need to restart the IIS services.

STEP 8 – Install BriefCam Embedded Client for Milestone XProtect plug-in

On each XProtect Rapid REVIEW client computer, install BriefCam’s embedded client for Milestone XProtect plugin.

  1. Click the BriefCam Embedded Client for Milestone XProtect plug-in file to download it and then run it.

  2. The installation checks for prerequisites, such as Microsoft .NET Framework 4.7.2 Full and Microsoft Visual C++ 2015 2017 2019 Redistributable Package (x64).

  3. If anything is missing, you will be prompted to install the missing prerequisites and click Install.

  4. In the Welcome screen, click Get Started.

  5. Read the license, accept the License Agreement terms and click Next.

  1. Select the installation destination path and click Next.
    Note that the installation path must be the same directory where Milestone XProtect Smart Client is installed. (This may vary slightly between client computers and between Milestone versions.)

  1. Enter the BriefCam Web Application URL (which is the address of the BriefCam computer followed by /synopsis and verify that the provided URL is correct by clicking the Verify URL button (as shown below).

  1. In the BriefCam Open API (BOA) Server Address field, enter the address of the BriefCam computer followed by /BOA.

  1. Click Next.

  1. Click Install and then click Finish.

  1. In the BriefCam Administrator Console, restart the services by selecting all of the services, clicking the stop button () and then the start button (), as shown in the image below.

  1. Restart IIS by opening the Windows services and right-click the World Wide Web Publishing Service. Then click Restart.

Note: An admin user is automatically created by the SSO when logging into the Milestone client using the Basic authentication or Windows authentication method.

If you want to log into the Milestone client using the Windows authentication (current user) option, add the BriefCam user (by default this is BCUser) to the Administrators group in MilestoneXProtect Management Client.

When you have completed the steps, a BriefCam tab will appear in the MilestoneXProtect Smart Client.

In BriefCam, for security reasons, users are automatically logged out if no activity is detected for 20 minutes. Therefore, a user may be automatically logged off the BriefCam functionality while the Milestone VMS is still running.

STEP 9 – Using an HTTPS host (optional)

To work with SSL and BriefCam, using a load balancer is required.

This section describes the steps to take to use the NGINX load balancer as an https host for BriefCam services.

Recommendations

BriefCam recommends using NGINX.

It is recommended to install the load balancer on a separate computer.

If you are working in a virtualized environment, the load balancer must be on a separate computer.

If you are working in a non-virtualized (physical servers) environment, you can have the load balancer on the same computer as the Web Services (although it is not recommended). However, if you install the load balancer on the same computer as the Web Services, IIS must be on a different port than port 80, since port 80 is for NGINX.

Prerequisites

  • Make sure that port 80 is not in use by another application.

  • If IIS is installed, make sure to stop it or change its default port.

Steps

  1. Download NGINX 1.19.x load balancer or later from this link: http://nginx.org/en/download.html.

  2. Extract the NGINX zip files to drive C:. It is important to have the NGINX extracted so that the path is: C:\NGINX.

  3. Create or use an already created self-signed certificate separated into two files: .crt and .key:

    For information about how to create a certificate, see one of these links:

    To use an already created certificate from the current folder, place both the certificate’s .crt and .key files in the following path: C:\NGINX\certificates\.

  1. Download the nginx.conf file from: https://bcftpuser:BCreleases01!@bcftp.briefcam.com/nginx/nginx.conf and save it to c:\nginx\conf (replacing the existing file).

  2. In the nginx.conf file’s http section, modify the server name where the components are running (web services, notification services, and Video Streaming Gateway Services).

  3. If you have multiple nodes of a service, add a semicolon (;) after the first node and add a second row with the name of the second node. In the example below, there are two Web Services nodes.

  4. In the nginx.conf file’s BriefCam System using SSL certificate section you set up HTTPS as follows:

    1. In the server_name node, replace www.example.com with the address of the load balancer.

    2. Comment the alias node by adding an ampersand (#) at the beginning of the row.

    3. In the ssl_certificate row, enter the full path to the .crt file including the file name.

    4. In the ssl_certificate_key row, enter the full path to the .key file including the file name.

  5. Download the latest release of the NSSM zip files from this link: https://nssm.cc/download and place them on the load balancer computer.

  6. Extract the NSSM zip file to a folder, for example: C:\NSSM\.

  7. Open CMD as administrator, navigate to the new NSSM\win32 folder and run the following commands:

    • nssm install NGINX “C:\nginx\nginx.exe”

    • nssm set NGINX AppDirectory C:\nginx

    • nssm set NGINX DisplayName “NGINX Web Server”

    • nssm set NGINX Description “NGINX Web Server”

    • nssm set NGINX Start SERVICE_AUTO_START

In the examples below, replace the string www.example.com with the address of the load balancer.
For example: Load balancer = LB01.briefcam.com.

  1. On any host that is running the application (browser), make sure the domains (or host name) can be resolved by the DNS. If no DNS is available, you can edit the hosts file and add the IP address of the load balancer using the following syntax:

    • 10.x.x.x www.example.com

    For example: 10.0.0.143 www.example.com

  2. Restart the load balancer computer, open services.msc and try to start the newly created NGINX Web Server service.

    • If the service does not start, there may be an issue with its path. To try and solve this issue, run NSSM install on the same folder as described under step 8 and define the service via the NSSM GUI (making sure to specify the parameters properly).

  3. Edit both web config .js files on the BriefCam server (located at C:\Program Files\BriefCam\WebServices\ProWebClient\webConfig.js and C:\Program Files\BriefCam\WebServices\ProWebAdminClient\web.config.js) using the syntax below. This syntax refers to the load balancer address. The endpoints in both files must point to the load balancer.

    • //www.example.com/ProWebApi/

    • //www.example.com/AdminApi/

  4. In the BriefCam Administrator Console, set the environment settings with the following values:

    • DB.LocalStorageAddress : “//www.example.com/ProWebApiStorage"

    • BaseVideoUrl: “https://www.example.com/vsg”

    • ClientNotificationEndPoint: “//www.example.com/signalr" (without port 7080)

    5. VideoProcessingGatewayUrl in https is not supported.

    VideoProcessingGateWayUrl will use http and not https because it is communicating between two internal processes (real-time engine and Video Processing gateway web service). This is on purpose to save resources.

  5. You now need to update certain parameters, so that the embedded client will reach BriefCam using an HTTPS protocol. In order to do this:

    a. Open the BriefCam.MilestoneEmbeddedViewer.dll.config file, which is located at: C:\Program Files\Milestone\XProtect Smart Client\MIPPlugins\BriefCam.

    b. Change the URLs (highlighted below) to include HTTPS:

    <appSettings>
    <!--Client site address-->
    <add key="serverAddress" value="https://SMB29/Synopsis/" />
    <!--Boa site address-->
    <add key="boaServerAddress" value="https://SMB29/BOA" />
    <!--add key="boaVersion" value="1.0" /-->
    <!--add key="keepAliveIntervalMS" value="60000" /-->
    <!--add key="httpTimeout" value="5000" /-->
    <!--add key="pageLoadTimeoutMS" value="1000" /-->
    <!--add key="BrowserLogLocation" value="c:\DotNetBrowserLog.txt" /-->
    </appSettings>

  6. Browse to the application and make sure that it works with https requests.

    For example:

Generic configurations

For any other type of load balancer, you need to configure the following redirect rules based on the URL:

  1. Notification Service

    Search for: /signalr

    Redirect to: notification-server:7080

  2. Video Streaming Gateway

    Search for: /vsg

    Use rewrite rule to remove /vsg from the url

    Redirect to: videostreaming-server:5010

  3. Web Services>

    Search for: /

    Redirect to: briefcam-webserver

Logging

To handle the log rotation:

  1. Download the log rotation text from here: Log rotation script and create a bat file:

    1. Copy the text from the link to a .txt file and name it LogRotation.

    2. Change the file extension from .txt to .bat.

  2. Save the script (.bat file) to C:\NGINX.

  3. Create an OS user (such as bcuser), a user on the OS level, or create a Windows user account. The user does not need admin rights.

  4. Edit the C:\NGINX folder’s security options and assign full control to the user that you created in step 3.

  5. Click Start (Windows key) and type secpol.msc to open the Local Security Policy utility.

  6. Go to Security settings > Local Policies > User Rights Assignment.

  7. Right-click Log on as a batch job and add the user.

  8. Add a daily scheduled task to run the C:\NGINX\LogRotation.bat file. Make sure to select Run whether user is logged on or not. By default, the last 10 days will be retained (retention period in days). If you want a different number of days, when running the batch file, enter the required number of days as a command line argument. For example, for 20 days, use: C:\NGINX\LogRotation.bat 20.

APPENDIX: XProtect Rapid REVIEW hardware recommendations

This section aims to assist in selecting hardware for a system that will run XProtect Rapid REVIEW.

At the core of these systems are the graphical processing units (GPUs) that are responsible for processing the original video and extracting metadata. The number/type of GPUs, the resolution of the original video, frame rate, and activity determine the number of hours of original video that can be processed per day (or per hour).

The more GPUs (and processing servers) a system has, the more original video it can process in an hour.

In addition to the GPUs, the system also relies on the CPU to support this video processing and the investigations that follow the processing – when the user filters through the various objects, measures proximity, and plays a VIDEO SYNOPSIS®.

The all-in-one, single server systems, cover a range of CPUs and a number of GPUs (from 1 to 4).

For systems that require more GPUs, BriefCam offers distributed architecture where the GPUs are located on dedicated Processing Servers alongside additional servers that run the BriefCam services (such as perform filtering and play a VIDEO SYNOPSIS®).

These hardware specs can be defined by their processing throughput (the number of hours of original video that can be processed within an hour of processing or per day). These are measured under certain input video characteristics, such as resolution and activity level.

When we refer to an activity level, we refer to the number of objects that pass through the scene in an hour, under certain movement patterns.

We benchmarked the throughputs in this document under medium activity – which refers to roughly 1,000 objects (people and vehicles detected by the analytics engine) per hour.

The throughputs listed below each hardware spec relate to the throughput of the machine (based on the throughput of the GPUs) – the VMS and network architecture and infrastructure need to support this throughput as well.

Several users can use the system concurrently, but this will increase the load on the system. Our recommendations and design assumptions are for a maximum of 2 concurrent users.

Face Recognition and License Plate Recognition Watchlist searches require resources. Our recommendations assume watchlists of less than 10,000 identities in total (across all of the used watchlists combined).

All-in-One Configurations