Upgrade requirements
- Have your software license file (see Licenses (explained)) (.lic) ready:
- Service pack upgrade: During the installation of the management server, the wizard may ask you to specify the location of the software license file. You can use both the software license file you got after your purchase of your system (or latest upgrade) and the activated software license file you got after your last license activation
- Version upgrade: After you purchased the new version, you receive a new software license file. During the installation of the management server, the wizard asks you to specify the location of the new software license file
- Have your new product version software ready. You can download it from the download page on the Milestone website.
- Make sure that you have backed up the system configuration (see Backing up and restoring your system configuration (explained))
The management server stores the system configuration in a SQL Server database. The SQL Server database can be located in a SQL Server instance on the management server machine itself or in a SQL Server instance on the network.
If you use a SQL Server database in a SQL Server instance on your network, the management server must have administrator permissions on the SQL Server instance whenever you want to create, move or upgrade the SQL Server database. For regular use and maintenance of the SQL Server database, the management server only needs to be a database owner.
- If you plan to enable encryption during installation, you need to have the proper certificates installed and trusted on relevant computers. For more information, see Secure communication (explained).
The system verifies the software license file before you can continue. Already added hardware devices and other devices that require licenses will enter a grace period. If you have not enabled automatic license activation (see Enable automatic license activation), remember to activate your licenses manually before the grace period expires. If you do not have your software license file, contact your XProtect reseller.
When you are ready to start the upgrade, follow the procedures in Upgrade best practices.
Upgrade XProtect VMS to run in FIPS 140-2 compliant mode
From version 2020 R3, XProtect VMS is configured to run so that it uses only the FIPS 140-2-certified algorithm instances.
For detailed information on how to configure your XProtect VMS to run in FIPS 140-2 compliant mode, see the FIPS 140-2 compliance section in the hardening guide.
For FIPS 140-2 compliant systems, with exports and archived media databases from XProtect VMS versions prior to 2017 R1 that are encrypted with non FIPS-compliant cyphers, it is required to archive the data in a location where it can still be accessed after enabling FIPS.
The following process describes what is necessary to configure XProtect VMS to run in FIPS 140-2 compliant mode:
- Disable the Windows FIPS security policy on all of the computers that are part of the VMS, including the computer that hosts SQL Server.
When you upgrade, you cannot install XProtect VMS when FIPS is enabled on the Windows operating system.
- Ensure standalone third-party integrations can run on a FIPS enabled Windows operating system.
If a standalone integration is not FIPS 140-2 compliant, it cannot be run after you set Windows operating system to operate in FIPS mode.
To prevent this:
- Make an inventory of all your standalone integrations to XProtect VMS
- Contact the providers of these integrations and ask if the integrations are FIPS 140-2 compliant
- Deploy the FIPS 140-2 compliant standalone integrations
- Ensure that the drivers, and hence the communication to the devices, adhere to FIPS 140-2 compliance.
XProtect VMS is guaranteed and can enforce FIPS 140-2 compliant mode of operation if the following criteria are met:
- Devices use only compliant drivers to connect to XProtect VMS
See the FIPS 140-2 compliance section in the hardening guide for more information about drivers that can assure and enforce compliance.
- Devices use device pack version 11.1 or higher
Drivers from the legacy driver device packs cannot guarantee a FIPS 140-2 compliant connection.
- Devices are connected over HTTPS and on either Secure Real-Time Transport Protocol (SRTP) or Real Time Streaming Protocol (RTSP) over HTTPS for the video stream
Driver modules cannot guarantee FIPS 140-2 compliance of a connection over HTTP. The connection may be compliant, but there is no guarantee that it is in fact compliant.
- The computer that is running the recording server runs Windows OS with FIPS mode enabled
- Devices use only compliant drivers to connect to XProtect VMS
- Ensure that data in the media database is encrypted with FIPS 140-2 compliant ciphers.
This is done by running the media database upgrade tool. For detailed information on how to configure your XProtect VMS to run in FIPS 140-2 compliant mode, see the FIPS 140-2 compliance section in the hardening guide.
- Before you enable FIPS on the Windows operating system, and after you have configured your XProtect VMS system and ensured that all components and devices can run on a FIPS enabled environment, update your existing hardware passwords in the XProtect Management Client.
To do this, in the Management Client, from the selected recording server in the Recording Servers node, right-click and select Add Hardware. Progress through the Add hardware wizard. This will update all the current credentials and encrypt them to be FIPS-compliant.
You can enable FIPS only after you have upgraded the entire VMS, including all clients.