User Access

Deploying XProtect on AWS cloud infrastructure opens up a wide set of options for providing flexible access to the XProtect VMS system for on-premises users, remote users and roaming users alike. This section discusses these access options and suitable architectures for provisioning user access. No single client access architecture is the right solution for everyone, as the choice depends heavily on the individual user's access and usage patterns.

On-premises deployed XProtect clients

The most straightforward way of providing user access to the cloud-deployed XProtect VMS system is to install the Windows-based XProtect Smart Client application for security operators and the Windows-based XProtect management client for system administrators. Both clients are available from a download service that is installed together with the XProtect VMS software in the XProtect VPC.

The XProtect clients use the network topology connecting the customer's on-premises environment(s) to the AWS cloud to reach the VMS system in the XProtect VPC. This setup is largely similar to a traditional on-premises deployment, with the difference that the XProtect VMS servers reside in the AWS cloud rather than on physical servers on-premises. However, as AWS charges for data transferred out of a VPC, the data egress consumed by this setup should be considered carefully.

Adaptive Streaming

To optimize Smart Client performance and reduce AWS data egress costs, Milestone recommends using the Adaptive Streaming feature, available in XProtect Corporate and XProtect Expert. Adaptive Streaming enables the Smart Client to automatically select the video stream with the most appropriate resolution for a given camera view. By selecting the most suitable stream, the amount of data transferred to and handled by the Smart Client is reduced, which increases Smart Client performance.


Figure 9. Adaptive streaming is used to start the camera stream that is most suitable for the displayed view

Figure 10 illustrates the reduction in data egress from the XProtect VPC when adaptive streaming is used to select the most suitable stream for the Smart Client, rather than transmitting the full 1080p stream. The graph depicts the reduction in data throughput of adapted streams compared with the throughput of full 1080p streams, for different numbers of video streams displayed on a Smart Client workstation with an HD 1080p monitor and a UHD 2160p monitor, respectively. The graph assumes that the default camera resolution for all cameras in the XProtect VMS system is 1080p, and that each camera also has a set of lower-resolution streams (720p, 480p, 360p and 240p) defined, which can be used when the camera is included in a camera view containing several other cameras.

Figure 10. Reduction in transferred data when using adaptive streaming

An example of the potential savings achievable with Adaptive Streaming is a Smart Client user viewing 16 cameras (in a four-by-four view) on a display with HD (1080p) resolution. Without Adaptive Streaming, 16 1080p streams would need to be transmitted. However, as a four-by-four camera split on an HD monitor with 1920 x 1080 pixels leaves each camera tile with less than 480 x 270 pixels, the Adaptive Streaming function can select the 480 x 360 video streams from the cameras instead. Measured in pixels per frame, 16 streams of 480 x 360 (172,800 pixels each) amount to roughly 8% of 16 streams of 1920 x 1080 (2,073,600 pixels each). This corresponds to a 92% reduction in data egress from the AWS cloud, which translates to an equally large saving in data egress costs (the exact saving in encoded bit rate depends on how each camera's streams are encoded).

In addition to providing substantial savings on data egress costs, Adaptive Streaming reduces the video processing load on the workstation hosting the Smart Client, which opens up additional savings on hardware, as less powerful workstations are needed.

Please note that Adaptive Streaming requires multiple stream resolutions to be defined for each camera device, so that the Smart Client can select between them dynamically. For playback of recorded video, the video can only be viewed in the resolution it was recorded in.
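The stream selection and the egress figures above can be reproduced with a small model. The following is an added example, not Milestone code: it assumes the client picks the smallest configured stream whose frame covers the camera tile, and that egress scales with pixel count (real bit rates also depend on codec, scene content and frame rate, so the result is a relative estimate). The 360p profile is 480 x 360 as in the worked example in the text; the widths of the other profiles are assumptions.

```python
"""Stream selection and egress estimate for adaptive streaming (added example).

Assumptions, not from the page: selection picks the smallest stream that
covers the tile, and egress is proportional to pixels per frame.
"""

# Stream profiles as (width, height). 360p is 480 x 360 as in the text;
# the remaining widths are assumptions for this example.
STREAMS = {
    "1080p": (1920, 1080),
    "720p": (1280, 720),
    "480p": (640, 480),
    "360p": (480, 360),
    "240p": (320, 240),
}
DEFAULT_STREAM = "1080p"   # the camera's default (recorded) stream


def tile_size(monitor, grid):
    """Pixel size of one camera tile when a cols x rows split fills the monitor."""
    (mon_w, mon_h), (cols, rows) = monitor, grid
    return mon_w // cols, mon_h // rows


def select_stream(tile, streams=STREAMS):
    """Return the name of the smallest stream that still covers the tile.

    If no configured stream is large enough, fall back to the largest one.
    """
    tile_w, tile_h = tile
    by_size = sorted(streams.items(), key=lambda kv: kv[1][0] * kv[1][1])
    for name, (w, h) in by_size:
        if w >= tile_w and h >= tile_h:
            return name
    return by_size[-1][0]


def egress_reduction(monitor, grid, streams=STREAMS, default=DEFAULT_STREAM):
    """Return (selected stream, fraction of pixel throughput saved) for a view.

    The saving is relative to sending the `default` stream for every tile.
    """
    cols, rows = grid
    cameras = cols * rows
    full_w, full_h = streams[default]
    full_pixels = cameras * full_w * full_h
    name = select_stream(tile_size(monitor, grid), streams)
    w, h = streams[name]
    adapted_pixels = cameras * w * h
    return name, 1 - adapted_pixels / full_pixels


if __name__ == "__main__":
    # Reproduce the shape of Figure 10 for square views on HD and UHD monitors.
    for monitor, label in (((1920, 1080), "HD 1080p"), ((3840, 2160), "UHD 2160p")):
        for n in range(1, 7):
            name, saved = egress_reduction(monitor, (n, n))
            print(f"{label}: {n}x{n} view -> {name} per tile, egress -{saved:.0%}")
```

For the four-by-four view on an HD monitor the model picks the 360p stream and reports a 92% reduction, matching the text; on a UHD monitor the same view gets 720p tiles, so the saving is smaller. The numbers change with the stream profiles actually configured on the cameras, which is why each camera needs its lower-resolution streams defined before the feature can help.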

Amazon AppStream 2.0

As an alternative to running the XProtect clients on on-premises workstations, AWS offers the possibility of running client applications as hosted user sessions in the AWS cloud using the Amazon AppStream 2.0 service. This makes it possible to use the full Smart Client on virtually any device, including Chromebooks, Macs, PCs, thin clients and tablets.

Users can access AppStream 2.0 hosted applications either via a browser or via an AppStream 2.0 client application. AppStream 2.0 is compatible with all major browsers and is hence an ideal solution for remote access by both the end customer's own personnel and trusted third parties such as monitoring stations and law enforcement. The AppStream 2.0 client exposes workstation peripherals, such as USB-connected joysticks and keyboards, to the Smart Client application hosted in the cloud.

One of the primary reasons AppStream 2.0 is an interesting architecture for user access is that the AppStream 2.0 service pricing includes the AWS cloud egress costs. Transferring multiple raw high-resolution video streams from the cloud to on-premises can be relatively costly, and this cost is eliminated with AppStream 2.0.

In addition to the savings on data transfer out, AppStream 2.0 offers several further advantages for efficient and secure user access to the XProtect VMS system, including:

  • Reduced workstation hardware costs
  As video decoding and rendering are performed in the AppStream 2.0 service, significant savings can be made on the workstation infrastructure. Less powerful workstations, or even thin client PCs, can be used, reducing the initial capital expenditure.

  • Centrally managed applications
  Eliminating the need for local installation of the XProtect clients and related plugins and third-party applications, the application layer can be managed and updated centrally.

  • Optimized workstation fleet management
  Workstation deployment and operating system updates can be managed from a single point.

  • Secure applications and data
  Neither XProtect clients nor data are stored on users' devices. The client experience is streamed as encrypted pixels, and access to data remains within the customer's network. AppStream 2.0 runs on AWS and leverages the data center and network infrastructure built for the most security-sensitive organizations. Note that whether a streamed session may use the clipboard, transfer files or print to the local device is controlled by the Stack's user settings; if video export from a hosted Smart Client is to stay inside the cloud environment, those settings should be restricted accordingly.

Figure 11. Principle architecture for Amazon AppStream 2.0 deployment

As illustrated in Figure 11, AppStream 2.0 is offered as an AWS managed service, deployed in a separate VPC outside the customer's AWS account and connected to the XProtect VPC. User instances of the XProtect Smart Client and management client run on a so-called Fleet of AppStream 2.0 EC2 instances, and the streamed client experience is delivered to the user through a Streaming Gateway. The use of AppStream 2.0 is governed by a Stack definition, which includes the available AppStream 2.0 images, user access policies, storage configuration and an associated AppStream 2.0 Fleet. Because the Fleet instances reach the VMS over the connection into the XProtect VPC, the security groups of the XProtect subnets should only admit the Fleet's traffic on the ports the clients actually need.

Appendix E – AppStream 2.0 dimensioning includes performance test results for Smart Client execution on AppStream 2.0, as well as recommendations for suitable EC2 AppStream 2.0 Fleet instance types.

Milestone does not provide client images for AppStream 2.0. Instead, system integrators and end customers are advised to use the AppStream 2.0 image builder, a tool for creating AppStream 2.0 images that is available as part of the AppStream 2.0 console. Please refer to the AWS service information for more details about AppStream 2.0: https://aws.amazon.com/appstream2/

Web and Mobile access

The XProtect VMS software includes native support for remote users accessing the system via web browsers (XProtect Web Client) and for roaming users using tablets or smartphones (XProtect Mobile). While XProtect Web Client is an ideal way to access the system for occasional users and for IT environments with zero-install-footprint policies, XProtect Mobile is an application optimized for a wide set of roaming users, including guards and first responders.

The XProtect mobile server facilitates secure, encrypted HTTPS communication with the web and mobile clients. Depending on the specific customer use case and IT policies, the mobile server can be co-hosted in the XProtect VMS on AWS or placed on the customer's premises. A cloud-deployed mobile server provides the greatest flexibility and scalability in most customer deployments.

Milestone recommends deploying the XProtect mobile server component on one or more dedicated EC2 instances. It is also recommended to place the EC2 instance(s) for the mobile server in a separate public subnet attached to an internet gateway. The mobile server subnet must be secured with proper Security Group settings on both the incoming side and on the attachment towards the subnet used for the core XProtect VMS services: from the internet, only the HTTPS port the mobile server is published on should be reachable, and the core VMS subnet should accept traffic from the mobile server's security group alone rather than from any internet-facing address range.
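The two security-group rules above are easy to get wrong when a deployment starts from an open "allow all" group and is tightened later. The script below is an added example, not part of this guide or of Milestone's tooling: it audits security-group descriptions in the JSON shape returned by `aws ec2 describe-security-groups` and flags rules that violate the two recommendations. The VPC range 10.0.0.0/16, the published port 443, the group IDs and the port the mobile server uses towards the core services are all assumptions for the example; the sample rule sets are constructed inline.

```python
"""Audit mobile-server and core-VMS security groups (added example).

Assumptions, not from the page: the XProtect VPC is 10.0.0.0/16, the mobile
server is published on TCP 443, and the only groups allowed to reach the core
subnet are the mobile server group and an admin group. Input dicts follow the
`aws ec2 describe-security-groups` JSON shape.
"""
import ipaddress

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")   # assumption
MOBILE_HTTPS_PORT = 443                          # assumption
MOBILE_SG, ADMIN_SG = "sg-mobile", "sg-admin"    # assumed group IDs
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _port_range(perm):
    """Return (from, to); IpProtocol -1 means every port of every protocol."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm["FromPort"], perm["ToPort"]


def _cidrs(perm):
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def _inside_vpc(cidr):
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == VPC_CIDR.version and net.subnet_of(VPC_CIDR)


def audit_mobile_sg(sg, https_port=MOBILE_HTTPS_PORT):
    """Internet-facing group: only TCP on the published HTTPS port may be open to the world."""
    findings = []
    for perm in sg["IpPermissions"]:
        lo, hi = _port_range(perm)
        ok = perm["IpProtocol"] == "tcp" and lo == hi == https_port
        for cidr in _cidrs(perm):
            if cidr in ANYWHERE and not ok:
                findings.append(f"{sg['GroupId']}: {perm['IpProtocol']} {lo}-{hi} open to {cidr}")
    return findings


def audit_core_sg(sg, allowed_sources=(MOBILE_SG, ADMIN_SG)):
    """Core VMS group: no CIDR ingress from outside the VPC, group ingress only from the allow-list."""
    findings = []
    for perm in sg["IpPermissions"]:
        lo, hi = _port_range(perm)
        for cidr in _cidrs(perm):
            if not _inside_vpc(cidr):
                findings.append(f"{sg['GroupId']}: {perm['IpProtocol']} {lo}-{hi} reachable from {cidr}")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] not in allowed_sources:
                findings.append(f"{sg['GroupId']}: {perm['IpProtocol']} {lo}-{hi} reachable from {pair['GroupId']}")
    return findings


# Constructed sample groups: a weak starting point beside the corrected rules.
WEAK_MOBILE = {"GroupId": "sg-mobile", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}
WEAK_CORE = {"GroupId": "sg-core", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "UserIdGroupPairs": [{"GroupId": "sg-appstream-old"}]},
]}
GOOD_MOBILE = {"GroupId": "sg-mobile", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]}
GOOD_CORE = {"GroupId": "sg-core", "IpPermissions": [
    # assumed port from the mobile server towards the core services
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "UserIdGroupPairs": [{"GroupId": MOBILE_SG}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "UserIdGroupPairs": [{"GroupId": ADMIN_SG}]},
]}

if __name__ == "__main__":
    for label, sg, fn in (("weak mobile", WEAK_MOBILE, audit_mobile_sg), ("weak core", WEAK_CORE, audit_core_sg),
                          ("good mobile", GOOD_MOBILE, audit_mobile_sg), ("good core", GOOD_CORE, audit_core_sg)):
        print(label, "->", fn(sg) or "no findings")
```

Run against real output from `aws ec2 describe-security-groups --group-ids ...`, the same functions give a quick pre-flight check before the mobile server is exposed; substitute the port the mobile server is actually published on and the ports it needs towards the management and recording servers.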

In situations where the users of the Mobile and Web Clients primarily reside within the customer's on-premises LAN environment, the mobile server used to facilitate their access can instead be deployed on the customer's premises.

The mobile server offers two principal methods for optimizing the communication and data throughput for the web and mobile clients:

  • Adaptive transcoding
  The mobile server transcodes video streams to a less bandwidth-intensive format that adapts to the pace at which the clients can consume the video. This gives robust communication and fluent rendering across low-bandwidth connections. In this mode, thresholds for maximum frame rate and throughput can be defined, which provides an effective means of controlling VPC data egress costs.

  • Adaptive streaming
  In adaptive streaming mode, the mobile server applies the same stream handling methodology as the Smart Client (discussed in the section Adaptive Streaming) when sending streams to the XProtect Web Client.

Both methods provide excellent opportunities for optimizing the data throughput used by remote users, and hence are a good way to control data egress costs.

When utilizing adaptive transcoding, Milestone recommends using GPU-enabled EC2 instances, of which the g4dn family is a good option.