Before you start installation

Milestone recommends that you go through the requirements described in the next sections, before you start the actual installation.

Prepare your servers and network

Operating system

Make sure that all servers have a clean installation of a Microsoft Windows operating system, and that it is updated with all the latest Windows updates.

For information about the system requirements for the various VMS applications and system components, go to the Milestone website (https://www.milestonesys.com/systemrequirements/).

Microsoft^® .NET Framework

Check that all servers have Microsoft .NET Framework 4.8 or higher installed.

Network

Assign static IP addresses or make DHCP reservations to all system components and cameras. To make sure that sufficient bandwidth is available on your network, you must understand how and when the system consumes bandwidth. The main load on your network consists of three elements:

Camera video streams
Clients displaying video
Archiving of recorded video

The recording server retrieves video streams from the cameras, which results in a constant load on the network. Clients that display video consume network bandwidth. If there are no changes in the content of the client views, the load is constant. Changes in view content, video search, or playback, make the load dynamic.

Archiving of recorded video is an optional feature that lets the system move recordings to a network storage if there is not enough space in the internal storage system of the computer. This is a scheduled job that you have to define. Typically, you archive to a network drive which makes it a scheduled dynamic load on the network.

Your network must have bandwidth headroom to cope with these peaks in the traffic. This enhances the system responsiveness and general user experience.

Prepare Active Directory

If you want to add users to your system through the Active Directory service, you must have a server with Active Directory installed and acting as domain controller available on your network.

For easy user and group management, Milestone recommends that you have Microsoft Active Directory^® installed and configured before you install your XProtect system. If you add the management server to the Active Directory after installing your system, you must reinstall the management server, and replace users with new Windows users defined in the Active Directory.

Basic users are not supported in Milestone Federated Architecture systems, so if you plan to use Milestone Federated Architecture, you must add users as Windows users through the Active Directory service. If you do not install Active Directory, follow the steps in Installation for workgroups when you install.

Installation method

As part of the installation wizard, you must decide which installation method to use. You should base your selection on your organization's needs, but it is very likely that you already decided on the method when you purchased the system.

Options	Description
Single Computer	Installs all server and client components, as well as SQL Server on the current computer. When the installation completes, you get the possibility to configure your system through a wizard. If you agree to continue, the recording server scans your network for hardware, and you can select which hardware devices to add to your system. The max number of hardware devices that can be added in the configuration wizard depends on your base license. Also, cameras are preconfigured in views, and a default Operator role is created. After installation, XProtect Smart Client opens, and you are ready to use the system.
Custom	The management server is always selected in the system component list and is always installed, but you can select freely what to install on the current computer among the other server and client components. By default, the recording server is not selected in the component list, but you can change this. You can install the not selected components on other computers afterwards.

Options

Description

Single Computer

Installs all server and client components, as well as SQL Server on the current computer.

When the installation completes, you get the possibility to configure your system through a wizard. If you agree to continue, the recording server scans your network for hardware, and you can select which hardware devices to add to your system. The max number of hardware devices that can be added in the configuration wizard depends on your base license. Also, cameras are preconfigured in views, and a default Operator role is created. After installation, XProtect Smart Client opens, and you are ready to use the system.

Custom

The management server is always selected in the system component list and is always installed, but you can select freely what to install on the current computer among the other server and client components.

By default, the recording server is not selected in the component list, but you can change this. You can install the not selected components on other computers afterwards.

Single Computer installation

Example of a Single Computer installation.

Typical system components in a system:

Active Directory
Devices
Server with SQL Server
Event server
Log server
XProtect Smart Client
Management Client
Management server
Recording server
Failover recording server
XProtect Mobile server
XProtect Web Client
XProtect Mobile client
XProtect Smart Client with XProtect Smart Wall

Custom installation - example of distributed system components

Example of a Customer installation with distributed system components.

Decide on a SQL Server edition

Microsoft® SQL Server® Express is a free edition of SQL Server and is easy to install and prepare for use compared to the other SQL Server editions.

The installation wizard installs Microsoft SQL Server Express 2022 unless SQL Server is already installed on the computer. When you install XProtect VMS as an upgrade, the wizard keeps the previous SQL Server installation.

To check if your system meets the requirements for SQL Server editions, see https://www.milestonesys.com/systemrequirements/.

For very large systems or systems with many transactions to and from the SQL Server databases, Milestone recommends that you use the Microsoft® SQL Server® Standard or Microsoft® SQL Server® Enterprise edition of SQL Server on a dedicated computer on the network and on a dedicated hard disk drive that is not used for other purposes. Installing SQL Server on its own drive improves the entire system performance.

Select service account

As part of the installation, you are asked to specify an account to run the Milestone services on this computer. The services always run on this account no matter which user is logged in. Make sure that the account has all necessary user permissions, for example, the proper permissions to perform tasks, proper network and file access, and access to network shared folders.

You can select either a predefined account, or a user account. Base your decision on the environment that you want to install your system in:

Domain environment

In a domain environment:

Milestone recommends that you use the built-in Network Service account
It is easier to use even if you need to expand the system to multiple computers.
You can also use domain user accounts, but they are potentially more difficult to configure

Workgroup environment

In a workgroup environment, Milestone recommends that you use a local user account that has all necessary permissions. This is often the administrator account.

If you have installed your system components on multiple computers, the selected user account must be configured on all computers in your installations with identical user name, password, and access permissions.

Kerberos authentication (explained)

Kerberos is a ticket-based network authentication protocol. It is designed to provide strong authentication for client/server or server/server applications.

Use Kerberos authentication as an alternative to the older Microsoft NT LAN (NTLM) authentication protocol.

Kerberos authentication requires mutual authentication, where the client authenticates to the service and the service authenticates to the client. This way you can authenticate more securely from XProtect clients to XProtect servers without exposing your password.

To make mutual authentication possible in your XProtect VMS you must register Service Principal Names (SPN) in the active directory. An SPN is an alias that uniquely identifies an entity such as a XProtect server service. Every service that uses mutual authentication must have an SPN registered so that clients can identify the service on the network. Without correctly registered SPNs, mutual authentication is not possible.

The table below lists the different Milestone services with corresponding port numbers you need to register:

Service	Port number
Management Server - IIS	80 - Configurable
Management Server - Internal	8080
Recording Server - Data Collector	7609
Failover Server	8990
Event Server	22331
LPR Server	22334

The number of services you need to register in the active directory depends on your current installation. Data Collector is installed automatically when installing the Management Server, Recording Server, Event Server or Failover Server service.

You must register two SPNs for the user running the service: one with the host name and one with the fully qualified domain name.

If you are running the service under a network user service account, you must register the two SPNs for each computer running this service.

This is the Milestone SPN naming scheme:

VideoOS/[DNS Host Name]:[Port]
VideoOS/[Fully qualified domain name]:[Port]

The following is an example of SPNs for the Recording Server service running on a computer with the following details:

Hostname: Record-Server1
Domain: Surveillance.com

SPNs to register:

VideoOS/Record-Server1:7609
VideoOS/Record-Server1.Surveillance.com:7609

Virus scanning exclusions (explained)

As is the case with any other database software, if an antivirus program is installed on a computer running XProtect software, it is important that you exclude specific file types and folders, as well as certain network traffic. Without implementing these exceptions, virus scanning uses a considerable amount of system resources. On top of that, the scanning process can temporarily lock files, which could result in a disruption in the recording process or even corruption of databases.

When you need to perform virus scanning, do not scan Recording Server folders that contain recording databases (by default C:\mediadatabase\, as well as all subfolders). Also, avoid performing virus scanning on archive storage directories.

Create the following additional exclusions:

File types: .blk, .idx, .pic
Folders and subfolders:
- C:\Program Files\Milestone or C:\Program Files (x86)\Milestone
- C:\ProgramData\Milestone\IDP\Logs
- C:\ProgramData\Milestone\KeyManagement\Logs
- C:\ProgramData\Milestone\MIPSDK
- C:\ProgramData\Milestone\XProtect Data Collector Server\Logs
- C:\ProgramData\Milestone\XProtect Event Server\Logs
- C:\ProgramData\Milestone\XProtect Log Server
- C:\ProgramData\Milestone\XProtect Management Server\Logs
- C:\ProgramData\Milestone\XProtect Mobile Server\Logs
- C:\ProgramData\Milestone\XProtect Recording Server\Logs
- C:\ProgramData\Milestone\XProtect Report Web Server\Logs
- C:\ProgramData\Milestone\XProtect Recording Server\Secure\TablesDb
Exclude network scanning on the following TCP ports:
Product
TCP ports
XProtect VMS
80, 8080, 7563, 25, 21, 9000
XProtect Mobile
8081
or
Exclude network scanning of the following processes:
Product
Processes
XProtect VMS
VideoOS.Recorder.Service.exe, VideoOS.Server.Service.exe, VideoOS. Administration.exe
XProtect Mobile
VideoOS.MobileServer.Service.exe

Product	TCP ports
XProtect VMS	80, 8080, 7563, 25, 21, 9000
XProtect Mobile	8081

Product	Processes
XProtect VMS	VideoOS.Recorder.Service.exe, VideoOS.Server.Service.exe, VideoOS. Administration.exe
XProtect Mobile	VideoOS.MobileServer.Service.exe

Your organization may have strict guidelines regarding virus scanning, but it is important that you exclude the above folders and files from virus scanning.

How can XProtect VMS be configured to run in FIPS 140-2 compliant mode?

In order to run XProtect VMS in a FIPS 140-2 mode of operation you must:

Run Windows operating system in FIPS 140-2 approved mode of operation. See the Microsoft site for information on enabling FIPS.
Ensure standalone third-party integrations can run on a FIPS enabled Windows operating system
Connect to devices in a way that ensures a FIPS 140-2 compliant mode of operation
Ensure that data in the media database is encrypted with FIPS 140-2 compliant ciphers
This is done by running the media database upgrade tool. For detailed information on how to configure your XProtect VMS to run in FIPS 140-2 compliant mode, see the FIPS 140-2 compliance section in the hardening guide.

Before you install XProtect VMS on a FIPS enabled system

While new XProtect VMS installations can be done on computers that are FIPS-enabled, you cannot upgrade XProtect VMS when FIPS is enabled on the Windows operating system.

If you are upgrading, before you install, disable the Windows FIPS security policy on all of the computers that are part of the VMS, including the computer that hosts SQL Server.

The XProtect VMS installer checks the FIPS security policy and will prevent the installation from starting if FIPS is enabled.

But, if you are upgrading from XProtect VMS version 2020 R3 and after, you do not need to disable FIPS.

After you have installed the XProtect VMS components on all of the computers and prepared the system for FIPS, you can enable the FIPS security policy on Windows on all of the computers in your VMS.

For detailed information on how to configure your XProtect VMS to run in FIPS 140-2 compliant mode, see the FIPS 140-2 compliance section in the hardening guide.

Register Software License Code

Before you install, you must have the name and location of the software license file that you received from Milestone.

You can install a free version of XProtect Essential+. This version provides you with limited capabilities of the XProtect VMS for a limited number of cameras. You must have internet connection to install XProtect Essential+.

The Software License Code (SLC) is printed on your order confirmation and the software license file is named after your SLC.

Milestone recommends that you register your SLC on our website (https://online.milestonesys.com/) before installation. Your reseller may have done that for you.

Device drivers (explained)

Your system uses video device drivers to control and communicate with the camera devices connected to a recording server. You must install device drivers on each recording server on your system.

From the 2018 R1 release, the device drivers are split into two device packs: the regular device pack with newer drivers and a legacy device pack with older drivers.

The regular device pack is installed automatically when you install the recording server. Later, you can update the drivers by downloading and installing a newer version of the device pack. Milestone releases new versions of device drivers regularly and makes them available on the download page (https://www.milestonesys.com/downloads/) on our website as device packs. When you update a device pack, you can install the latest version on top of any version you may have installed.

The legacy device pack can only be installed if the system has a regular device pack installed. The drivers from the legacy device pack are automatically installed if a previous version is already installed on your system. It is available for manual download and installation on the software download page (https://www.milestonesys.com/downloads/).

Stop the Recording Server service before you install, otherwise you need to restart the computer.

To ensure best performance, always use the latest version of device drivers.

Requirements for offline installation

If you install the system on a server that is offline, you need the following:

The Milestone XProtect VMS Products 2023 R3 System Installer.exe file
The software license file (SLC) for your XProtect system
OS installation media including the required .NET version (https://www.milestonesys.com/systemrequirements/)