System communication and data flow

The following illustrations provide an overview of the flow of data between XProtect components.

For a complete list of the ports that must be enabled for communication between components, see Ports used by the system.

Server communication

  1. Management server - Recording server

  2. Recording server - Media database

  3. Management server - Internal

  4. SQL Server database communication

  5. Management server - Mobile server

  6. Authentication of basic users by the Identity Provider

  7. API Gateway - Management server

Login from XProtect Smart Client as an AD user

  1. XProtect Smart Client connects to the management server and attempts to log in

  2. The management server contacts Active Directory to authenticate the user

  3. User-specific configuration is retrieved from the SQL Server database

  4. Login is granted and the configuration is sent to XProtect Smart Client

Login from XProtect Smart Client as a basic user

  1. XProtect Smart Client attempts to connect to the management server as a basic user

  2. The login request goes to the Identity Provider for authentication

  3. User-specific configuration is retrieved from the SQL Server database

  4. Login is granted and the configuration is sent to XProtect Smart Client

Login from XProtect Smart Client with an external IDP

  1. Login from XProtect Smart Client launches a web browser on the client computer.

  2. The login request goes from the web browser to the Identity Provider for authentication.

  3. The web browser is redirected to the external IDP login page where the user enters credentials and the browser receives an authorization code.

  4. The Identity Provider requests information about the user from the external IDP and receives a list of claims. If a new user logs in to the VMS, the user is created in the VMS.

  5. The web browser is redirected to XProtect Smart Client with the authorization code from the Identity Provider.

  6. XProtect Smart Client gets an access token from the Identity Provider.

  7. XProtect Smart Client logs in to the management server using the access token.

  8. User permissions are verified according to the claims-to-role mapping.

  9. The user logs in to XProtect Smart Client upon successful authorization.

Live video and audio

  1. Live streams from cameras retrieved by the recording server

  2. Streams are sent to XProtect Smart Client on request

Live video multicasting

  1. Live streams from cameras retrieved by the recording server

  2. The recording server sends a multicast stream to the multicast-enabled network. This requires that all switches handling the data traffic between XProtect Smart Client and the recording server are configured for multicast

  3. The multicast stream is received by all XProtect Smart Clients on request

Matrix

  1. XProtect Smart Client user selects to send a camera to a Matrix-recipient

  2. Information is sent to management server

  3. Management server sends request to Matrix-recipient on specified IP address and port (XProtect Smart Client B)

  4. Streams are sent to XProtect Smart Client from recording server on request

Management server – view update

  1. View updated on XProtect Smart Client

  2. The system configuration is stored in the SQL Server database

  3. The management server sends notification about view update to XProtect Smart Clients

  4. XProtect Smart Clients retrieve and apply the new view

XProtect Smart Wall

  1. An XProtect Smart Client user updates the XProtect Smart Wall view

  2. The XProtect Smart Wall view configuration is updated and stored in the SQL Server database

  3. The management server sends a notification to the XProtect Smart Client running the XProtect Smart Wall

  4. The XProtect Smart Client running the XProtect Smart Wall retrieves and applies new layout

Play back video and audio

  1. Recording stream from cameras retrieved by the recording server

  2. The stream is recorded in the recording server database based on rules

  3. The recorded stream is retrieved by XProtect Smart Client on playback request

Login from XProtect Web Client and XProtect Mobile as an AD user

  1. Login request from XProtect Web Client or XProtect Mobile received on the mobile server

  2. The mobile server forwards request to the management server

  3. The management server contacts Active Directory to authenticate the user

  4. User-specific configuration is retrieved from the SQL Server database

  5. Information returned to the mobile server

  6. The login is granted and configuration is sent to XProtect Web Client or XProtect Mobile

Login from XProtect Web Client and XProtect Mobile as a basic user

  1. Login request from XProtect Web Client or XProtect Mobile received on the mobile server

  2. The mobile server forwards a request to the management server

  3. The login request goes to the Identity Provider for authentication

  4. User-specific configuration is retrieved from the SQL Server database

  5. Information returned to the mobile server

  6. The login is granted and configuration is sent to XProtect Web Client or XProtect Mobile

Login from XProtect Web Client and the XProtect Mobile client with an external IDP

  1. In XProtect Web Client or in the XProtect Mobile client, the user selects to log in via an external IDP. The login request launches a web browser.

  2. The web browser is redirected to the external IDP login page where the user enters credentials.

  3. The Identity Provider receives an authorization code from the external IDP to be exchanged for an access token. Then the Identity Provider requests information about the user from the external IDP and gets a list of claims. If a new user logs in to the VMS, the user is created in the VMS.

  4. The Identity Provider returns an authorization code to XProtect Web Client or the XProtect Mobile client.

  5. XProtect Web Client or the XProtect Mobile client requests an access token from the Identity Provider.

  6. XProtect Web Client or the XProtect Mobile client logs in to the mobile server using the access token.
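The authorization code exchange in the steps above, and in the XProtect Smart Client external IDP login earlier on this page, modelled as an added Python example; it is not Milestone code. The class and function names, the HMAC-signed token format, the `groups` claim and the role mapping are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

class IdentityProvider:
    """Hypothetical stand-in for the VMS Identity Provider (not XProtect code)."""
    def __init__(self, key):
        self._key = key      # assumption: HMAC key shared with the server that checks tokens
        self._codes = {}     # code -> (client_id, claims, expiry)

    def issue_code(self, client_id, claims, ttl=60):
        # Claims were already fetched from the external IDP; the client only gets a code.
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, claims, time.time() + ttl)
        return code

    def redeem(self, client_id, code):
        # pop() makes the code single-use: a replayed code, or one presented by
        # another client, is rejected (and consumed, so it cannot be retried).
        entry = self._codes.pop(code, None)
        if entry is None or entry[0] != client_id or entry[2] < time.time():
            raise PermissionError("invalid, replayed or expired authorization code")
        payload = {"claims": entry[1], "exp": time.time() + 300}
        body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
        return body + "." + hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

def roles_for_token(token, key, role_map):
    """Server side: verify the token, then apply the claims-to-role mapping."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        raise PermissionError("bad token signature")
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload["exp"] < time.time():
        raise PermissionError("token expired")
    roles = set()
    for (name, wanted), role in role_map.items():
        values = payload["claims"].get(name, [])
        if wanted in (values if isinstance(values, list) else [values]):
            roles.add(role)
    return sorted(roles)   # empty list: authenticated, but mapped to no role

def demo():
    key = secrets.token_bytes(32)
    idp = IdentityProvider(key)
    claims = {"sub": "alice@example.test", "groups": ["vms-operators"]}  # constructed
    role_map = {("groups", "vms-operators"): "Operators"}                # constructed
    code = idp.issue_code("smart-client", claims)
    token = idp.redeem("smart-client", code)
    return idp, key, role_map, code, token
```

A user whose claims match no entry in the mapping authenticates successfully but receives an empty role list, which is the case to check when a new external IDP user is created in the VMS on first login.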

Live video for XProtect Web Client and XProtect Mobile

  1. Live stream(s) from cameras retrieved on the recording server

  2. Streams are sent to the mobile server for transcoding or as direct streaming

  3. Video is streamed to the clients

Recording and playback video for XProtect Web Client and XProtect Mobile

  1. Recording stream from cameras retrieved on the recording server

  2. The stream is recorded in the recording server database based on rules

  3. Recordings are sent to the mobile server for transcoding or as direct streaming

  4. Video is streamed to clients

Video push

  1. Video push stream from a device running XProtect Mobile is sent instantly to the mobile server

  2. The video push stream is retrieved by recording server using the specific video push device driver

Milestone Interconnect live

Illustrates how XProtect Smart Client users, specified for the interconnected system, only need to log in to the management server on the central site to view video.

  1. Live stream(s) from the remote site cameras retrieved by the remote site recording server

  2. Live streams from the remote site recording server retrieved by the central site recording server

  3. Stream(s) are sent to XProtect Smart Client on request

Milestone Interconnect recording options

Some of the different options when configuring your system recording settings:

  • No recording

  • Record at remote site only

  • Retrieve recordings from remote site on request

  • Retrieve recordings from remote site based on rule (time profile)

  • Record at central site only

  • Retrieve recordings from remote site after site link down

  • Record at both sites

  • Combinations of above and other options

Milestone Interconnect play back

Illustrates when recording is done on both sites. Recordings can be retrieved to the central site based on schedule, event or request. XProtect Smart Client users, specified for the interconnected system, only need to log in to the management server on the central site to view video.

  1. Recording stream from the remote site cameras retrieved by the remote site recording server

  2. The stream is recorded in the remote site recording server database based on rules

  3. Recording stream from the remote site recording server retrieved by the central site recording server

  4. The stream is recorded in the central site recording server database based on rules. Recordings not available due to remote site link downtime can be retrieved automatically or based on schedule, event or request

  5. The recorded stream(s) are retrieved by XProtect Smart Client on playback request

XProtect DLNA Server

As of 2023 R2, XProtect DLNA Server is no longer supported by Milestone.

  1. The XProtect DLNA Server connects to the management server to authorize itself with the provided credentials

  2. A DLNA device scans the network and connects to the XProtect system via the XProtect DLNA Server and requests a live camera video stream

  3. XProtect DLNA Server retrieves the requested camera video stream from the recording server

  4. XProtect DLNA Server sends the live video stream from the requested camera to the DLNA device

Milestone Open Network Bridge

  1. Login, stream or PTZ request from ONVIF client received on the Milestone Open Network Bridge server. The Milestone Open Network Bridge is a gateway for non-Milestone clients to the Milestone VMS

  2. The Milestone Open Network Bridge forwards the login request to the management server to authenticate the user.
    Access to the Milestone VMS is granted and sent to the Milestone Open Network Bridge server

  3. Requested live or playback stream from the recording server is retrieved by the Milestone Open Network Bridge server

  4. Video is streamed to the ONVIF client

Management Client configuration update

  1. Configuration updated on the Management Client

  2. Changes are stored on the management server

  3. Configuration update sent to relevant components. In this case, the recording server

  4. If updates concern cameras, the recording server applies new settings

Log server

  1. The management server or recording server creates a log message

  2. The log message is forwarded to the log server

  3. The log message is stored in the log server's SQL Server database

Event server

The event server sends data to XProtect Smart Client to show in the alarm list, XProtect Access or the map overview. The event server plug-in is a client to the access control system.
The XProtect Smart Client user responds to the notification and returns data to the event server.

XProtect Transact

  1. Transaction data generated by the transaction source is sent to the event server and stored

  2. The event server sends transaction data to XProtect Smart Client. View items containing transaction data and the associated video are updated

XProtect LPR

  1. Live streams from cameras configured for LPR (License Plate Recognition) retrieved by the recording server

  2. Streams from the recording server retrieved by the LPR server

  3. The LPR server recognizes license plates by comparing them with the license plate styles of the installed country modules. Found license plates are compared with the match list requests from the event server LPR plug-in

  4. The event server sends events and alarms to XProtect Smart Client when there is a match

View and manage alarms

  1. XProtect Smart Client requests an alarm list from event server

  2. The alarm list is retrieved from the SQL Server database and returned to XProtect Smart Client

  3. The alarm is handled and its state/details are updated by the user

  4. New state/details stored in the SQL Server database

Data collector

  1. System status received on management server delivered by: log server, event server, recording server, failover recording server and mobile server

  2. The collected data is stored in a SQL Server database on SQL Server

  3. XProtect Smart Client or the Management Client requests status via System Monitor

  4. Requested data is collected from a SQL Server database on SQL Server

  5. Data returned to clients

Recording server failover

  1. Video streamed from the recording server

  2. Alive messages exchanged between recording and failover recording server

  3. Cold standby: failover message sent, configuration retrieved, start failover
    Hot standby: failover message sent, start failover

  4. Configuration updated with active failover recording server

  5. Update configuration message sent to the management server

  6. Update message distributed to all clients

  7. Video streamed from failover recording server

Evidence lock

  1. The user creates an evidence lock in XProtect Smart Client. XProtect Smart Client sends the information to the management server

  2. The management server informs the recording server to store and protect the locked recordings in the Media database

  3. The management server stores information about the evidence lock in the SQL Server database

XProtect Incident Manager

Illustration showing the system architecture and processes related to XProtect Incident Manager.

Flow: actions and components

  1. An operator of XProtect Smart Client starts, saves, edits, or deletes an incident project. Information about the incident project and its data is saved in the extension’s own SQL Server database Surveillance_IM. The activities related to incident projects are - depending on the activity - logged in the extension’s own SQL Server database Surveillance_IM, in the Log Server service’s SQL Server database SurveillanceLogServerV2, or in both.

  2. A Management Client administrator creates, edits, or deletes an incident property. The incident property definition is saved in the extension’s own SQL Server database Surveillance_IM. The user activity is logged in the Log Server service’s SQL Server database SurveillanceLogServerV2.

Move hardware

  1. The user moves hardware from recording server 1 to recording server 2 in Management Client

  2. The management server receives the update in the system configuration and stores it in the SQL Server database

  3. The management server sends update to recording server 1

  4. The management server sends update to recording server 2

  5. Recording server 2 connects to the hardware. All new recordings are stored in the recording server 2 database

Old recordings are still available on recording server 1. The system deletes them when the retention time expires. Recordings marked with evidence lock are not deleted until the evidence lock's retention time expires.

Clients connect to recording server 2