Basic steps – Network
Use secure and trusted network connections
Network communications must be secure, whether or not you are on a closed network. By default, use secure communications when accessing the VMS. For example:
- VPN tunnels or HTTPS by default
- The latest version of Transport Layer Security (https://datatracker.ietf.org/wg/tls/charter/) (TLS, currently 1.2) with valid certificates that meet industry best practices, such as those issued from a Public-Key Infrastructure (X.509) (https://datatracker.ietf.org/wg/ipsec/documents/) and following the CA/Browser Forum (https://cabforum.org/) guidelines.
Otherwise, credentials may be compromised, and intruders might use them to access the VMS.
Configure the network to allow client computers to establish secure HTTPS sessions or VPN tunnels between the client devices and the VMS servers.
Learn more
The following control(s) provide additional guidance:
- NIST SP 800-53 SI-2 Flaw remediation
- NIST SP 800-53 CM-6 Configuration Settings
- NIST SP 800-53 SC-23 Session Authenticity
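As an added example (not from the Milestone guide), the following PowerShell probe checks what the TLS bullet above asks for: it connects to a VMS HTTPS endpoint, reports the negotiated TLS version, and validates the server certificate chain. The host name is an assumption; `SslProtocols::None` (let the OS negotiate its default, strongest version) requires .NET Framework 4.7 or later, or PowerShell 7.

```powershell
# Added example, not part of the Milestone guide: connect to a VMS HTTPS endpoint,
# report the negotiated TLS version and validate the server certificate chain.
# The host name and port are assumptions; substitute your Management Server.
function Test-VmsTlsEndpoint {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443
    )
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # The callback accepts the handshake so the certificate can be inspected
        # below; the chain is validated explicitly rather than silently trusted.
        $ssl = [System.Net.Security.SslStream]::new(
            $tcp.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        # SslProtocols::None lets the OS negotiate its default (strongest) version
        # (.NET Framework 4.7+ / PowerShell 7 assumed).
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::None, $false)

        $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        # Build() checks trust, validity period and revocation; it does not check
        # that the name in the certificate matches $HostName, so Subject is shown.
        $chainOk = $chain.Build($cert)

        [pscustomobject]@{
            Host        = $HostName
            Protocol    = $ssl.SslProtocol   # expect Tls12 or Tls13
            ProtocolOk  = $ssl.SslProtocol -ge [System.Security.Authentication.SslProtocols]::Tls12
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            NotAfter    = $cert.NotAfter
            ChainValid  = $chainOk
            ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

# Assumed host name; replace with the Management Server's FQDN.
Test-VmsTlsEndpoint -HostName 'vms-management.example.internal'
```

A result with ProtocolOk false or ChainValid false means the endpoint does not meet the requirement above and the certificate or server TLS settings need attention before clients are pointed at it.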
Use firewalls to limit IP access to servers and computers
Milestone recommends that you use secure connections and take the following additional steps:
- Use secure device authentication
- Use TLS
- Use device whitelisting to authenticate devices
- Use firewalls to limit network communication between servers and client computers and programs
All XProtect components and the ports they need are listed in the individual sections below. To make sure that the firewall blocks only unwanted traffic, you must specify the ports that the XProtect VMS uses, and you should open only these ports. The lists also include the ports used by local processes.
They are arranged in two groups:
- Server components (services)—Offer their service on particular ports which is why they need to listen for client requests on these ports. Therefore, these ports need to be opened in the Windows Firewall for inbound connections.
- Client components (clients)—Initiate connections to particular ports on server components. Therefore, these ports need to be opened for outbound connections. Outbound connections are typically open by default in the Windows Firewall.
If nothing else is mentioned, ports for server components must be opened for inbound connections, and ports for client components must be opened for outbound connections.
Do keep in mind that server components can act as clients to other server components as well.
The port numbers listed are the defaults, but they can be changed. Contact Milestone Support if you need to change ports that are not configurable through the Management Client.
Server components (inbound connections)
Each of the following sections lists the ports that need to be opened for a particular service. To work out which ports need to be opened on a particular computer, consider all services running on that computer.
Restrict remote access to the Management Server by adding firewall rules to only allow Recording Servers to connect to TCP port 9000.
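The following PowerShell is an added example (not part of the Milestone guide) of the rule just described: on the Management Server it keeps the profile default of blocking inbound traffic, removes any allow rule that opens TCP 9000 to every remote address, and creates one allow rule scoped to the Recording Server addresses. The recording server addresses are constructed sample values; run it in an elevated session.

```powershell
# Added example, not part of the Milestone guide: restrict inbound TCP 9000 on the
# Management Server so that only the Recording Servers can reach it.
# The recording server addresses are constructed samples; replace with your own.
# Run in an elevated PowerShell session on the Management Server.
$RecordingServers = @('10.20.30.11', '10.20.30.12')   # constructed sample addresses
$Port = 9000

# Windows Firewall evaluates Block rules before Allow rules, so do not add a
# broad Block rule for the port; rely on the profile's default inbound Block
# and create a single Allow rule that is scoped to the recording servers.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# Remove any existing inbound allow rule that opens this port to every remote address.
Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq "$Port" } |
    Get-NetFirewallRule | Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        if ($remote -contains 'Any') {
            Write-Host "Removing unscoped rule '$($_.DisplayName)'"
            $_ | Remove-NetFirewallRule
        }
    }

# One allow rule, limited to the recording servers' addresses.
New-NetFirewallRule -DisplayName "XProtect Management Server $Port (recording servers only)" `
    -Direction Inbound -Protocol TCP -LocalPort $Port `
    -RemoteAddress $RecordingServers -Action Allow -Profile Domain,Private

# Verify: list the remote address scope of every inbound rule on the port.
Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq "$Port" } |
    Get-NetFirewallRule | Where-Object { $_.Direction -eq 'Inbound' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule   = $_.DisplayName
            Action = $_.Action
            Remote = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', ')
        }
    }
```

The same pattern (default inbound block plus a narrowly scoped allow rule) applies to the other server ports in the tables below; only the port and the "Connections from..." addresses change.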
Management Server service and related processes
| Port number | Protocol | Process | Connections from... | Purpose |
|---|---|---|---|---|
| 80 | HTTP | IIS | All servers and the XProtect Smart Client and the Management Client | The purpose of port 80 and port 443 is the same. However, which port the VMS uses depends on whether you have used certificates to secure the communication. |
| 443 | HTTPS | IIS | All servers and the XProtect Smart Client and the Management Client | Same as port 80. |
| 445 | TCP | Management Server service | Management Server Manager. | Enable Windows Active Directory users to be added to roles. |
| 6473 | TCP | Management Server service | Management Server Manager tray icon, local connection only. | Showing status and managing the service. |
| 8080 | TCP | Management server | Local connection only. | Communication between internal processes on the server. |
| 9000 | HTTP | Management server | Recording Server services | Web service for internal communication between servers. |
| 12345 | TCP | Management Server service | XProtect Smart Client | Communication between the system and Matrix recipients. You can change the port number in the Management Client. |
| 12974 | TCP | Management Server service | Windows SNMP Service | Communication with the SNMP extension agent. Do not use the port for other purposes even if your system does not apply SNMP. In XProtect 2014 systems or older, the port number was 6475. In XProtect 2019 R2 systems and older, the port number was 7475. |
SQL Server service
| Port number | Protocol | Process | Connections from... | Purpose |
|---|---|---|---|---|
| 1433 | TCP | SQL Server | Management Server service | Storing and retrieving configurations via the Identity Provider. |
| 1433 | TCP | SQL Server | Event Server service | Storing and retrieving events via the Identity Provider. |
| 1433 | TCP | SQL Server | Log Server service | Storing and retrieving log entries via the Identity Provider. |
Data Collector service
| Port number | Protocol | Process | Connections from... | Purpose |
|---|---|---|---|---|
| 7609 | HTTP | IIS | On the management server computer: Data Collector services on all other servers. On other computers: Data Collector service on the Management Server. | System Monitor. |
Event Server service
| Port number | Protocol | Process | Connections from... | Purpose |
|---|---|---|---|---|
| 1234 | TCP/UDP | Event Server service | Any server sending generic events to your XProtect system. | Listening for generic events from external systems or devices. Only if the relevant data source is enabled. |
| 1235 | TCP | Event Server service | Any server sending generic events to your XProtect system. | Listening for generic events from external systems or devices. Only if the relevant data source is enabled. |
| 9090 | TCP | Event Server service | Any system or device that sends analytics events to your XProtect system. | Listening for analytics events from external systems or devices. Only relevant if the Analytics Events feature is enabled. |
| 22331 | TCP | Event Server service | XProtect Smart Client and the Management Client | Configuration, events, alarms, and map data. |
| 22332 | WS/WSS HTTP/HTTPS* | Event Server service | API Gateway and the Management Client | Event/State Subscription, Events REST API, Websockets Messaging API, and Alarms REST API. |
| 22333 | TCP | Event Server service | MIP Plug-ins and applications. | MIP messaging. |
*A 403 error is returned when an HTTPS-only endpoint is accessed over HTTP.
Recording Server service
| Port number | Protocol | Process | Connections from... | Purpose |
|---|---|---|---|---|
| 25 | SMTP | Recording Server Service | Cameras, encoders, and I/O devices. | Listening for event messages from devices. The port is disabled by default. (Deprecated) Enabling this will open a port for non-encrypted connections and is not recommended. |
| 5210 | TCP | Recording Server Service | Failover recording servers. | Merging of databases after a failover recording server had been running. |
| 5432 | TCP | Recording Server Service | Cameras, encoders, and I/O devices. | Listening for event messages from devices. The port is disabled by default. |
| 7563 | TCP | Recording Server Service | XProtect Smart Client, Management Client | Retrieving video and audio streams, PTZ commands. |
| 8966 | TCP | Recording Server Service | Recording Server Manager tray icon, local connection only. | Showing status and managing the service. |
| 9001 | HTTP | Recording Server Service | Management server | Web service for internal communication between servers. If multiple Recording Server instances are in use, every instance needs its own port. Additional ports will be 9002, 9003, etc. |
| 11000 | TCP | Recording Server Service | Failover recording servers | Polling the state of recording servers. |
| 12975 | TCP | Recording Server Service | Windows SNMP service | Communication with the SNMP extension agent. Do not use the port for other purposes even if your system does not apply SNMP. In XProtect 2014 systems or older, the port number was 6474. In XProtect 2019 R2 systems and older, the port number was 7474. |
| 65101 | UDP | Recording Server service | Local connection only | Listening for event notifications from the drivers. |
In addition to the inbound connections to the Recording Server service listed above, the Recording Server service establishes outbound connections to:
- Cameras
- NVRs
- Remote interconnected sites (Milestone Interconnect ICP)
Failover Server service and Failover Recording Server service
| Port number | Protocol | Process | Connections from... | Purpose |
|---|---|---|---|---|
| 25 | SMTP | Failover Recording Server Service | Cameras, encoders, and I/O devices. | Listening for event messages from devices. The port is disabled by default. (Deprecated) Enabling this will open a port for non-encrypted connections and is not recommended. |
| 5210 | TCP | Failover Recording Server Service | Failover recording servers | Merging of databases after a failover recording server had been running. |
| 5432 | TCP | Failover Recording Server Service | Cameras, encoders, and I/O devices. | Listening for event messages from devices. The port is disabled by default. |
| 7474 | TCP | Failover Recording Server Service | Windows SNMP service | Communication with the SNMP extension agent. Do not use the port for other purposes even if your system does not apply SNMP. |
| 7563 | TCP | Failover Recording Server Service | XProtect Smart Client | Retrieving video and audio streams, PTZ commands. |
| 8844 | UDP | Failover Recording Server Service | Communication between failover recording server services. | Communication between the servers. |
| 8966 | TCP | Failover Recording Server Service | Failover Recording Server Manager tray icon, local connection only. | Showing status and managing the service. |
| 8967 | TCP | Failover Server Service | Failover Server Manager tray icon, local connection only. | Showing status and managing the service. |
| 8990 | HTTP | Failover Server Service | Management Server service | Monitoring the status of the Failover Server service. |
| 9001 | HTTP | Failover Server Service | Management server | Web service for internal communication between servers. |
In addition to the inbound connections to the Failover Server / Failover Recording Server service listed above, the Failover Server / Failover Recording Server service establishes outbound connections to the regular recording servers, to cameras, and for Video Push.
Log Server service
| Port number | Protocol | Process | Connections from... | Purpose |
|---|---|---|---|---|
| 22337 | HTTP | Log Server service | All XProtect components except for the recording server. | Write to, read from, and configure the log server. |
This port uses HTTP, but the communication is encrypted with message security which uses the WS-Security specification to secure messages. For more information, see Message Security in WCF.
Mobile Server service
| Port number | Protocol | Process | Connections from... | Purpose |
|---|---|---|---|---|
| 8000 | TCP | Mobile Server service | Mobile Server Manager tray icon, local connection only. | SysTray application. |
| 8081 | HTTP | Mobile Server service | Mobile clients, Web clients, and Management Client. | Sending data streams; video and audio. |
| 8082 | HTTPS | Mobile Server service | Mobile clients and Web clients. | Sending data streams; video and audio. |
| 40001 - 40099 | HTTP | Mobile Server service | Recording server service | Mobile Server Video Push. This port range is disabled by default. |
LPR Server service
| Port number | Protocol | Process | Connections from... | Purpose |
|---|---|---|---|---|
| 22334 | TCP | LPR Server Service | Event server | Retrieving recognized license plates and server status. In order to connect, the Event server must have the LPR plug-in installed. |
| 22334 | TCP | LPR Server Service | LPR Server Manager tray icon, local connection only. | SysTray application |
Milestone Open Network Bridge service
| Port number | Protocol | Process | Connections from... | Purpose |
|---|---|---|---|---|
| 580 | TCP | Milestone Open Network Bridge Service | ONVIF clients | Authentication and requests for video stream configuration. |
| 554 | RTSP | RTSP Service | ONVIF clients | Streaming of requested video to ONVIF clients. |
XProtect DLNA Server service
| Port number | Protocol | Process | Connections from... | Purpose |
|---|---|---|---|---|
| 9100 | HTTP | DLNA Server Service | DLNA device | Device discovery and providing DLNA channels configuration. Requests for video streams. |
| 9200 | HTTP | DLNA Server Service | DLNA device | Streaming of requested video to DLNA devices. |
XProtect Screen Recorder service
| Port number | Protocol | Process | Connections from... | Purpose |
|---|---|---|---|---|
| 52111 | TCP | XProtect Screen Recorder | Recording Server Service | Provides video from a monitor. It appears and acts in the same way as a camera on the recording server. You can change the port number in the Management Client. |
XProtect Incident Manager service
| Port number | Protocol | Process | Connections from... | Purpose |
|---|---|---|---|---|
| 80 | HTTP | IIS | XProtect Smart Client and the Management Client | The purpose of port 80 and port 443 is the same. However, which port the VMS uses depends on whether you have used certificates to secure the communication. |
| 443 | HTTPS | IIS | XProtect Smart Client and the Management Client | Same as port 80. |
Client components (outbound connections)
Management Server service
| Port number | Protocol | Connections to... | Purpose |
|---|---|---|---|
| 443 | HTTPS | The License server that hosts the License Management service. Communication is via https://www.milestonesys.com/OnlineActivation/LicenseManagementService.asmx | Activating licenses. |
Recording Server service
| Port number | Protocol | Connections to... | Purpose |
|---|---|---|---|
| 80 | HTTP | Cameras, NVRs, encoders | Authentication, configuration, data streams, video, and audio. |
| 80 | HTTP | Interconnected sites | Login. |
| 443 | HTTPS | Cameras, NVRs, encoders | Authentication, configuration, data streams, video, and audio. |
| 554 | RTSP | Cameras, NVRs, encoders | Data streams, video, and audio. |
| 7563 | TCP | Interconnected sites | Data streams and events. |
| 11000 | TCP | Failover recording servers | Polling the state of recording servers. |
| 40001 – 40099 | HTTP | Mobile Server service | Mobile Server Video Push. This port range is disabled by default. |
Failover Server service and Failover Recording Server service
| Port number | Protocol | Connections to... | Purpose |
|---|---|---|---|
| 11000 | TCP | Failover recording servers | Polling the state of recording servers. |
Event Server service
| Port number | Protocol | Connections to... | Purpose |
|---|---|---|---|
| 80 | HTTP | API Gateway and the Management Server | Access the Configuration API from the API Gateway |
| 443 | HTTPS | API Gateway and the Management Server | Access the Configuration API from the API Gateway |
| 443 | HTTPS | Milestone Customer Dashboard via | Send status, events and error messages from the XProtect system to Milestone Customer Dashboard. |
Log Server service
| Port number | Protocol | Connections to... | Purpose |
|---|---|---|---|
| 443 | HTTP | Log server | Forwarding messages to the log server. |
API Gateway
| Port number | Protocol | Connections to... | Purpose |
|---|---|---|---|
| 443 | HTTPS | Management Server | RESTful API |
| 22332 | WS/WSS HTTP/HTTPS* | Management Client | Event/State Subscription, Events REST API, Websockets Messaging API, and Alarms REST API. |
Cameras, encoders, and I/O devices (inbound connections)
| Port number | Protocol | Connections from... | Purpose |
|---|---|---|---|
| 80 | TCP | Recording servers and failover recording servers | Authentication, configuration, and data streams; video and audio. |
| 443 | HTTPS | Recording servers and failover recording servers | Authentication, configuration, and data streams; video and audio. |
| 554 | RTSP | Recording servers and failover recording servers | Data streams; video and audio. |
Cameras, encoders, and I/O devices (outbound connections)
| Port number | Protocol | Connections to... | Purpose |
|---|---|---|---|
| 25 | SMTP | Recording servers and failover recording servers | Sending event notifications (deprecated). |
| 5432 | TCP | Recording servers and failover recording servers | Sending event notifications. The port is disabled by default. |
| 22337 | HTTP | Log server | Forwarding messages to the log server. |
Only a few camera models are able to establish outbound connections.
XProtect Smart Client, XProtect Management Client, XProtect Mobile server
| Port number | Protocol | Connections to... | Purpose |
|---|---|---|---|
| 80 | HTTP | API Gateway and Management Server service | Authentication and other APIs in the API Gateway. |
| 443 | HTTPS | API Gateway and Management Server service | Authentication of basic users when encryption is enabled and other APIs in the API Gateway. |
| 443 | HTTPS | Milestone Systems A/S (doc.milestonesys.com at 52.178.114.226) | Management Client and Smart Client occasionally check if the online help is available by accessing the help URL. |
| 7563 | TCP | Recording Server service | Retrieving video and audio streams, PTZ commands. |
| 22331 | TCP | Event Server service | Alarms. |
XProtect Web Client, XProtect Mobile client
| Port number | Protocol | Connections to... | Purpose |
|---|---|---|---|
| 8081 | HTTP | XProtect Mobile server | Retrieving video and audio streams. |
| 8082 | HTTPS | XProtect Mobile server | Retrieving video and audio streams. |
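The guidance above is that only the documented ports should be open. As an added example (not part of the Milestone guide), this PowerShell audit compares the TCP ports actually listening on a server against the inbound port tables for the roles installed on it and flags anything undocumented. The role-to-port map is copied from the server component tables in this section (TCP ports only; the UDP-only entries are left out); the list of roles on the host is an assumption to edit per computer.

```powershell
# Added example, not part of the Milestone guide: compare the TCP ports that are
# actually listening on this host against the inbound ports documented above for
# the roles installed here, and flag anything undocumented. The role-to-port map
# is taken from the tables in this section (TCP only); the role list is assumed.
$DocumentedInbound = @{
    'ManagementServer' = @(80, 443, 445, 6473, 8080, 9000, 12345, 12974)
    'SqlServer'        = @(1433)
    'DataCollector'    = @(7609)
    'EventServer'      = @(1234, 1235, 9090, 22331, 22332, 22333)
    'RecordingServer'  = @(25, 5210, 5432, 7563, 8966, 9001, 11000, 12975)
    'LogServer'        = @(22337)
    'MobileServer'     = @(8000, 8081, 8082)
}
# Roles assumed installed on this host (edit to match the computer being audited).
$RolesOnThisHost = @('ManagementServer', 'SqlServer', 'DataCollector', 'EventServer', 'LogServer')

function Get-ListenerReport {
    param([string[]] $Roles, [hashtable] $Map)
    $expected = @($Roles | ForEach-Object { $Map[$_] }) | Sort-Object -Unique
    # Loopback-only listeners are not reachable over the network, so skip them.
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port       = [int] $_.LocalPort
                Address    = $_.LocalAddress
                Process    = $proc.ProcessName
                Documented = ([int] $_.LocalPort) -in $expected
            }
        } | Sort-Object Port -Unique   # collapse IPv4/IPv6 duplicates of one port
}

$report = Get-ListenerReport -Roles $RolesOnThisHost -Map $DocumentedInbound
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Documented } | ForEach-Object {
    Write-Warning "Port $($_.Port) ($($_.Process)) is listening but is not in the documented XProtect port list for this host's roles"
}
```

A listener that is documented for a role not installed on the host, or not documented at all, is either a leftover component or a third-party service, and the firewall should not expose it.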
Learn more
The following control(s) provide additional guidance:
- NIST SP 800-53 CA-3 System Interconnections
- NIST SP 800-53 CM-6 Configuration Settings
- NIST SP 800-53 SC-7 Boundary Protection
Use a firewall between the VMS and the Internet
The VMS should not connect directly to the Internet. If you expose parts of the VMS to the Internet, Milestone recommends that you use an appropriately configured firewall between the VMS and the Internet.
If possible, expose only the XProtect Mobile server component to the Internet, and locate it in a demilitarized zone (DMZ) with firewalls on both sides. This is illustrated in the following figure.
Learn more
The following control(s) provide additional guidance:
- NIST SP 800-53 CA-3 System Interconnections
Connect the camera subnet to the recording server subnet only
Milestone recommends that you connect the camera subnet only to the recording server subnet. The cameras and other devices need to communicate only with the recording servers. For more information, see Recording Server.
Learn more
The following control(s) provide additional guidance:
- NIST SP 800-53 SC-7 Boundary Protection