During the introduction of BVMS 10.0 the BVMS Plus unmanaged site expansion licenses were not introduced, even though this functionality was announced to be available.
The LIF file attached to this article (in the zip archive) can be imported in BVMS Plus 10.0 installations using the license manager (the license manager can be found in the "Tools" menu of the BVMS Configuration Client). Once imported, the purchased licenses (MBV-XSITEPLU-100) can be activated.
BVMS Installer - Windows Pending Restart Message
The pop-up dialog window message: "Setup has detected a pending restart. Please reboot the system and rerun the installation" appears when attempting to run the valid BVMS windows installer package.
BVMS Installer Pending Restart Message
This is a known Windows specific problem when another (non-BVMS) installer does not properly manage its creation and deletion of the “PendingFileRenameOperations” registry key. The most common user created way for this key value to be left resident in the system is when an installation prompts for a restart, yet the system is not expeditiously restarted.
A. Restart the affected workstation
B. If the issue still persists, delete the orphaned "PendingFileRenameOperations" registry key value
Open a registry editor, such as Regedit.exe or Regedt32.exe.
Navigate to "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\"
In the right navigation pane, right-click the "PendingFileRenameOperations" key value and select delete
Close Registry Editor.
Run the software Installer again as Administrator
Note: This message is not a Bosch product failure message. This is a problem within windows and it's registry clean-up handling. This is a Windows work around.
BVMS Mobile Video Service - Creating a Self-Signed Certificate to establish a trusted connection
Some sites may request or require that the connection to the Mobile Video Service is a trusted connection. The following procedure will allow you to create a self signed certificate to allow a trusted connection between a web browser and MVS.
-Navigate to the Microsoft Management Console
Run command mmc.exe
Go to File ---> Add/Remove Snap-in…
Highlight Certificates and Add for Computer Account
You should see certificates listed for Local Computer
Save a copy of this console to the Desktop
-Run Windows PowerShell ‘as administrator’ on the MVS Server
Run the following commands in Windows Power Shell to create the self-signed certificate including the IP address of the MVS and the DNS name so both will work when accessing from a web browser.
$todaydt = Get-Date
$20years = $todaydt.AddYears(20)
New-SelfSignedCertificate -DnsName "mvsIPaddress",”DNSname” -notafter $20years
If creation was successful, you will see a thumbprint with a hash as well as the subject CN=ipaddress
-Navigate back to your saved MMC console
Find the newly created certificate under the Personal ---> Certificates directory
Copy the Certificate to Trusted Root Certification Authorities ---> Certificates directory
-Navigate to the IIS Manager
Highlight the server machine name on the top-left and then double-click Server Certificates
Double-click the created certificate and verify that a private key corresponds to the certificate and that the certificate is OK under the Certification Path
Expand the server machine name on the left to reveal the Sites
Select Bindings… on the far right-hand side
Edit the Binding for 443
Select the newly created certificate under the SSL certificate dropdown
Click Yes that you want to change the binding
Add… new binding
Choose BoschVms in the SSL certificate dropdown
-Navigate to the BVMS Config Client to edit the MVS URL
Change the MVS URL to reflect port 444
Red X should go away
Save/Activate (BVMS will be bound on the new port and still be able to communicate with the MVS server
-Open Internet Explorer (as administrator) and navigate to the MVS URL using the IP address or the DNS Name
Continue to the site with the certificate error
Click on the certificate error in the navigation bar
Click View Certificates and then Install Certificate
Install for the Local Machine
Place certificate in the Trusted Root Certification Authorities store
Click Finish and close out the browser
Open IE again and navigate back to the MVS. There should be no more error.
*The reason behind changing the port to 444 is to make browser access for basic users easier. This way basic users only have to enter the IP address or DNS name and do not have to enter a special port in the URL.
This article provides you with information related to the Windows Firewall, how to access, configure and adjust it.
A firewall is a program installed on your machine or a piece of hardware in your network, that uses a rule-set to block or allow access to a computer, server or network. It seperatres dedicated network segments, likly your LAN from the Internet. Firewalls can permit traffic to be routed through a specific port to a program or destination, while blocking all other traffic.
The Windows Firewall interface can be accessed multiple ways. The way we will look during this TB is via the Windows search function.
Click the Windows icon and type in “firewall“. Then, click on the “Windows Firewall with Advanced Security” icon.
The GUI provides you a general overview, about the basic function of the software. Displaying the current status of the firewall also which profiles are currently set up. By default the firewall should be enabled.
We strongly recommend that the Windows Firewall is enabled on all your Bosch devices featuring a Windows Operating System.
There are 3 different profiles within your Windows Firewall, which are simply groups of different firewall rule-sets, depending where your machine is currently connected.
Public Profile: This profile is used when the computer is connected directly to a public network like a restaurant, library or airport. This profile should be the most restrictive because security is usually not well controlled in public places.
Private Profile: This profile is used if your are only connected to a private network, not directly to the Internet. In these cases, your device is located behind a router or hardware firewall. Which allows to set this profil less restrictive.
Domain Profile: This profile is used when the machine is connected to a domain controller, which in turn is controlling a windows domain. This profile should be the least restrictive of the other profiles because security is usually very well controlled within a domain.
by default the Windows Firewall behavior is the following:
Windows Firewall never blocks outgoing traffic. Any requests sent out from the server will not be hindered in any way.
Windows Firewall blocks all incoming traffic, except for traffic that is in responses to a request. This means that if you make a request to Google, Google’s inbound reply to your outbound request will not be blocked.
Windows Firewall blocks all other traffic. This means that any traffic that is not explicitly allowed is blocked in the firewall.
In the Windows Firewall we can filter connection in two different kinds: port exceptions (rule assigned to a dedicated port number) and program exception (rule assigned to a dedicated program)
In general we need to distinguish between the inbound (frome somewhere to your machine) and outbound (from your machine to somewhere) rule-set.
Open a port in the firewall (inbound rule)
In the Windows Firewall with Advanced Security window, right-click "Inbound Rules", and then click "New Rule..." in the action pane.
"Rule Type" dialog box, select "Port" depending on your need and then click "Next".
In the "Protocol and Ports" dialog box, select "TCP". Then select "Specific local Ports", and then type the port number and then click "Next".
In the "Action" dialog box, select "Allow the connection" and then click "Next".
In the "Profile" dialog box, select any profiles that apply and then click "Next". (We have allowed all three for demonstration purposes, your selection may vary.)
In the "Name" dialog box, type a name and description for this rule, and then click "Finish".
At this point, you will now see a new rule in the main firewall rules in the center section, as well as a new listing in the right window panel.
Open a program in the firewall (inbound rule)
Click on the "Inbound Rules" option on the top left of the firewall interface. Then, click on the "New rule…"
Under "Rule Type" dialog box, select the option "Program" and then click "Next".
Select the option "This Program path" browse to the path/location of the program and click "Next".
Next, we select the option “Allow the connection” and then click “Next”.
Select the "Profile" the rule will be applied to and click "Next". (We have allowed all three for demonstration purposes, your selection may vary.)
Select a "Name" and "Description" for this rule and then Click “Finish”.
At this point, you will be dropped back to the main firewall screen. You will now see a new rule in the main firewall rules in the center section, as well as a new listing in the right window pane
Edit a port / program in the firewall
Right-click on the rule which will open a context menu. Then click "Properties" and adjust the rule according your needs .
Close a port / program in the firewall
Right-click on the rule which will open a context menu. Then click " Delete".
Adjust program rule after BVMS upgrade
In case you upgraded your current BVMS up to BVMS10, refering to the article TSG-Upgrading-VRM-from-32bit-to-64bit you need to adjust the inbound + outbound rule "Bosch VRM Server" and "USB Transcoder".
Therefore right-click on the rule which will open a context menu. Then click "Properties" and adjust the programs path to:
Bosch VRM Server: "C:\Program Files\Bosch\Video Recording Manager\VRM Server\bin\rms.exe"
USB Transcoder: "C:\Program Files (x86)\Bosch\Video Recording Manager\VRM Server\bin\usbsvc.exe" Keep in mind, that you need to perform this action on all four rules (inbound and outbound)
Alternatively download the attachment set_fw_rules.zip (1 KB) locally to your device, extract the archive and run the PowerShell script "set_fw_rule_trancoder.ps1" as administrator. The script will adjust all necessary rules.
The attached document aims to provide concerned parties, such as customers, users, operators or consultants, with an overview of data privacy and protection related features of BVMS Person Identification. Moreover, this document describes how data, as processed during the Person Identification steps, can be classified. Finally, this document lists technical measures for data protection in the context of BVMS Person Identification.
As video surveillance use grows in commercial, government and private use cases, the need for low-cost storage at scale is growing rapidly. BVMS, Bosch cameras, HPE hardware and SUSE Enterprise Storage provide a platform that is an ideal target for recording these streams.
There are numerous difficulties around storing unstructured video surveillance data at massive scale. Video surveillance data tends to be written only once or become stagnant over time. This stale data takes up valuable space on expensive block and file storage, and yet needs to be available in seconds. With this massive scale, the difficulty of keeping all the data safe and available is also growing. Many existing storage solutions are a challenge to manage and control at such scale. Management silos and user interface limitations make it harder to deploy new storage into business infrastructure.
The solution is software-defined storage (SDS). This is a storage system that delivers a full suite of persistent storage services via an autonomous software stack that can run on an industry standard, commodity hardware platform. Bosch, Hewlett Packard Enterprise (HPE) and SUSE have partnered to deliver the benefits of SDS to the video surveillance industry. Using SUSE Enterprise Storage™ on HPE ProLiant DL and Apollo servers in a Bosch video surveillance environment simplifies the management of today’s volume of data, and provides the flexibility to scale for all enterprise storage needs.
The full description can be found in the attached whitepaper.
Trying out the BVMS Lite is easy! Download BVMS Lite from the downloadstore and use the quick installation guide to set-up the system. BVMS Lite contains 8 video channels, 2 workstations, 1 DVR, 2 keyboards, and 1 intrusion panel and can be used without a time limit. BVMS Lite can be expanded to 42 channels using license extensions.
A step-by-step instruction on how to install the BVMS Lite license can also be found as an attachment to this page.
have you ever wondered how to best transition from the Project Assistant to (B)VMS?
This article aims at providing you a recommendation and the answer is quite simple: Use the Project Assistant to its full extent and once the cameras are connected to the target network, perform a network scan using the BVMS Configuration Client, to add the respective cameras to the system. The remaining fine-grained settings can then be tackled within BVMS.
For details, please check out the attached presentation.
Let us know, if you have further questions and share your comments below.
Your Bosch Security App Team
Can I move the BVMS Logbook database to a separate Microsoft SQL Server to ease maintenance or increase the size of the Logbook?
The BVMS Logbook database can be moved to another SQL Server. The attched guide describes the steps that are necessary to migrate the database and describes how to confirm if the migration was successful.
The attached manual provides information for Mobile Video Service (MVS) within Bosch Video Management System. You can find:
- how to configure the router and Internet Information Service (IIS)
- how to add MVS to BVMS
- user guide
- some troubleshooting tips
How can I migrate the full configuration (including server configuration and user settings) of a BVMS system from one server to another?
(please note that, currently, the export mechanisms provided in the BVMS Configuration Client do not export the userdata. This is a known problem and being worked on. Until then this work-around should be applied).
Stop the BVMS Central Server service on the existing server from the Windows task manager or Services overview.
Stop the BVMS Central Server service on the new server from the Windows task manager or Services overview.
Copy the contents of the directory C:\programdata\Bosch\VMS\UserData on the existing server to the same directory on the new server (via the network or other media).
Copy the "elements.bvms" file located in the directory C:\programdata\Bosch\VMS\ on the existing server to the same location on the new server (via the network or other media).
Start the BVMS Central Server service on the new server from the Windows task manager or Services overview.
How can I find the source (details of the workstation) and credentials that are used to attempt to login into BVMS (when the attempt has failed)?
The username that is used to login is saved into the BVMS logbook and can be found by searching the logbook from the Operator Client (username of login is "blabla").
The details of the workstation (mainly the IP address) is logged into the BVMS client log files. These can be found on the workstations in the directory: C:\ProgramData\Bosch\VMS\Log
(Hint: for log file analysis a lot of free / open source tools are available. Snaketail is one of these tools, and can be found here.)
Open the BVMSClientLog.txt (there could be multiple files which are all related to a different timeframe) and search for the phrase "InvalidCredentialException". If an user has tried to login to the system the following log lines should be present in the log file:
2019-03-17 18:31:53,668 75516 [GUI Thread] INFO Bosch.Vms.Frontend.OpClient.Wcf.DataAccessServiceClient ConnectAndAuthenticate - Call failed with InvalidCredentialException
2019-03-17 18:31:53,670 75518 [GUI Thread] INFO Bosch.Vms.Frontend.OpClient.ServerManagement.CentralServerManager AuthenticateAtMainServer - Main-Server 192.168.20.190: WCF online authentication result is WrongUserOrPassword
This needs to be checked for every workstation which runs the BVMS Operator Client.
The entire BVMS installation package, available on the downloadstore, contains the client as well as the server components. When a BVMS client needs to be deployed, all of this data (over 2.5GB) needs to be copied to the target workstation, which can be quite a challenge in some environments.
Once the BVMS Management Server is set-up, it creates a client installation package (mainly used for the auto-upgrade functionality). This client installation package is a lot smaller compared to the full installation package and is located on the BVMS Management Server (assuming the default installation directory is used):
In order to use the client installation package: copy all the files in this directory from the management server to the new workstation and start BVMS.msi (please note Setup.exe will trigger the auto update mechanism, which will not work as there are no existing components to be updated). The MSI will start the installation process and will allow you to select Operator Client, Configuration client and/or SDK. Please note:
The correct version of the .NET framework will need to be installed manually before this procedure is used. This can be found in the zip file available in the product catalogue: “zip file extraction location”\ISSetupPrerequisites\Microsoft .NET Framework x.x.
Bosch software is distributed via the Bosch website, but can also be re-distributed by Bosch partners. It is important for the system-installer to check if the installation file he or she has received, matches exactly with the output of the engineering process. There are several risks that, in the distribution path, changes are made to the installation file. Keyloggers or other spyware could be added to the installation, or in theory video surveillance footage could be routed to external resources.
The attached document describes how the integrity of software can be checked.
The attached document describes the different components that Bosch Video Management System offers to to establish a connection between Bosch Video Management System and a 3rd party management system. This description helps you in writing your own commands for controlling Bosch VMS from inside your management system.
The BVMS Operator Cliet can be automatically logged in by using parameterized startup. For this, a new shortcut to the OperatorClient.exe needs to be created, and the target of the shortcut needs to be adjusted. The text between ** needs to be adjusted to the specific situation.
"*BVMS installation directory*\bin\OperatorClient.exe" /user="*username*" /password="*password*" /connection="*ip address*"
"C:\Program Files\BOSCH\VMS\bin\OperatorClient.exe" /user="Admin" /password="password123" /connection="192.168.20.120"
The connection parameter works with BVMS 9.0 and newer. The username and password parameters are working from BVMS 5.0 onwards.
The username and password are stored as cleartext in the target of the shortcut, which could be considered a security risk.