The attached document describes the different components that Bosch Video Management System offers to to establish a connection between Bosch Video Management System and a 3rd party management system. This description helps you in writing your own commands for controlling Bosch VMS from inside your management system.
This article provides you with information related to the Windows Firewall, how to access, configure and adjust it.
A firewall is a program installed on your machine or a piece of hardware in your network, that uses a rule-set to block or allow access to a computer, server or network. It seperatres dedicated network segments, likly your LAN from the Internet. Firewalls can permit traffic to be routed through a specific port to a program or destination, while blocking all other traffic.
The Windows Firewall interface can be accessed multiple ways. The way we will look during this TB is via the Windows search function.
Click the Windows icon and type in “firewall“. Then, click on the “Windows Firewall with Advanced Security” icon.
The GUI provides you a general overview, about the basic function of the software. Displaying the current status of the firewall also which profiles are currently set up. By default the firewall should be enabled.
We strongly recommend that the Windows Firewall is enabled on all your Bosch devices featuring a Windows Operating System.
There are 3 different profiles within your Windows Firewall, which are simply groups of different firewall rule-sets, depending where your machine is currently connected.
Public Profile: This profile is used when the computer is connected directly to a public network like a restaurant, library or airport. This profile should be the most restrictive because security is usually not well controlled in public places.
Private Profile: This profile is used if your are only connected to a private network, not directly to the Internet. In these cases, your device is located behind a router or hardware firewall. Which allows to set this profil less restrictive.
Domain Profile: This profile is used when the machine is connected to a domain controller, which in turn is controlling a windows domain. This profile should be the least restrictive of the other profiles because security is usually very well controlled within a domain.
by default the Windows Firewall behavior is the following:
Windows Firewall never blocks outgoing traffic. Any requests sent out from the server will not be hindered in any way.
Windows Firewall blocks all incoming traffic, except for traffic that is in responses to a request. This means that if you make a request to Google, Google’s inbound reply to your outbound request will not be blocked.
Windows Firewall blocks all other traffic. This means that any traffic that is not explicitly allowed is blocked in the firewall.
In the Windows Firewall we can filter connection in two different kinds: port exceptions (rule assigned to a dedicated port number) and program exception (rule assigned to a dedicated program)
In general we need to distinguish between the inbound (frome somewhere to your machine) and outbound (from your machine to somewhere) rule-set.
Open a port in the firewall (inbound rule)
In the Windows Firewall with Advanced Security window, right-click "Inbound Rules", and then click "New Rule..." in the action pane.
"Rule Type" dialog box, select "Port" depending on your need and then click "Next".
In the "Protocol and Ports" dialog box, select "TCP". Then select "Specific local Ports", and then type the port number and then click "Next".
In the "Action" dialog box, select "Allow the connection" and then click "Next".
In the "Profile" dialog box, select any profiles that apply and then click "Next". (We have allowed all three for demonstration purposes, your selection may vary.)
In the "Name" dialog box, type a name and description for this rule, and then click "Finish".
At this point, you will now see a new rule in the main firewall rules in the center section, as well as a new listing in the right window panel.
Open a program in the firewall (inbound rule)
Click on the "Inbound Rules" option on the top left of the firewall interface. Then, click on the "New rule…"
Under "Rule Type" dialog box, select the option "Program" and then click "Next".
Select the option "This Program path" browse to the path/location of the program and click "Next".
Next, we select the option “Allow the connection” and then click “Next”.
Select the "Profile" the rule will be applied to and click "Next". (We have allowed all three for demonstration purposes, your selection may vary.)
Select a "Name" and "Description" for this rule and then Click “Finish”.
At this point, you will be dropped back to the main firewall screen. You will now see a new rule in the main firewall rules in the center section, as well as a new listing in the right window pane
Edit a port / program in the firewall
Right-click on the rule which will open a context menu. Then click "Properties" and adjust the rule according your needs .
Close a port / program in the firewall
Right-click on the rule which will open a context menu. Then click " Delete".
Adjust program rule after BVMS upgrade
In case you upgraded your current BVMS up to BVMS10, refering to the article TSG-Upgrading-VRM-from-32bit-to-64bit you need to adjust the inbound + outbound rule "Bosch VRM Server" and "USB Transcoder".
Therefore right-click on the rule which will open a context menu. Then click "Properties" and adjust the programs path to:
Bosch VRM Server: "C:\Program Files\Bosch\Video Recording Manager\VRM Server\bin\rms.exe"
USB Transcoder: "C:\Program Files (x86)\Bosch\Video Recording Manager\VRM Server\bin\usbsvc.exe" Keep in mind, that you need to perform this action on all four rules (inbound and outbound)
Alternatively download the attachment set_fw_rules.zip (1 KB) locally to your device, extract the archive and run the PowerShell script "set_fw_rule_trancoder.ps1" as administrator. The script will adjust all necessary rules.
Time is everything: meetings, public transportation, religion, transactions: the whole world is working because the concept of “time” exists. Within a security (or any other) system this is not different: recording schedules, logging, authorizations, encryption keys, timelines, all of these concepts can exist because of time.
As a result, time can either make or break a system: problems can appear only due to a time difference of a couple of seconds between two system components.
This article describes how time services can be configured in a BVMS environment.
Time: what is the challenge?
Each device has its own internal clock, which is based on a hardware mechanism. This mechanism acts like a watch: try to put two watches together and synchronize them on the millisecond. A security system consists out of more than two devices, it can consist of thousands of devices.
Synchronizing the time of all these devices by hand is a very time consuming task. Additionally, due to small differences in electronic components, devices can have deviations from one another.
These deviations cannot be detected by the human eye, but can result in considerable time differences when a device is running for months.
The Network Time Protocol (NTP) was created to solve these challenges. The Network Time Protocol is a network-based protocol for clock synchronization between system components. The protocol utilizes a standard IP network to communicate and can maintain a time difference (considering a local area network) of less than one millisecond between components. The Network Time Protocol is a standard protocol and documented in RFC 5905.
The operation and configuration of the Network Time Protocol are complex: a hierarchical architecture needs to be set-up including several layers of systems which are able to run the Network Time Protocol. To reduce complexity the Simple Network Time Protocol (SNTP) was created. The Simple Network Time Protocol is mainly used when less accuracy (deviations of 1-2 seconds are acceptable).
Windows Time Service
The Bosch Video Management System is running on Microsoft Windows Server operating systems. Windows includes an internal time service, which is explained on Microsoft Technet:
“The Windows Time service, also known as W32Time, synchronizes the date and time for all computers running in an AD DS domain. Time synchronization is critical for the proper operation of many Windows services and line-of-business applications. The Windows Time service uses the Network Time Protocol (NTP) to synchronize computer clocks on the network so that an accurate clock value, or time stamp, can be assigned to network validation and resource access requests. The service integrates NTP and time providers, making it a reliable and scalable time service for enterprise administrators.
The W32Time service is not a full-featured NTP solution that meets time-sensitive application needs and is not supported by Microsoft as such. For more information, see Microsoft Knowledge Base article 939322,Support boundary to configure the Windows Time service for high-accuracy environments (http://go.microsoft.com/fwlink/?LinkID=179459).”
Source: Windows Time Service Technical Reference - Microsoft Technet
The Windows Time service is based on the Simple Network Time Protocol.
The Network Time Protocol requires a very complex infrastructure, which impacts the total installation and configuration effort of the system. The Simple Network Time Protocol (also used for the Windows Time Service) reduces the complexity, but at the same time also reduces the accuracy.
For most security applications the Simple Network Time Protocol provides sufficient accuracy. Bosch recommends to use the Windows Time service, based on the Simple Network Time Protocol, as basis for time synchronization in a security network. This article provides best-practices on how to configure the Bosch Video Management System and related components in a time synchronization environment based the Windows Time service.
Alternatively, the Network Time Protocol can be used whenever it is already existing inside an infrastructure or when event accuracy with a deviation less than one second is required. Due to the complexity of the infrastructure Bosch does not make any recommendations related to the Network Time Protocol.
Management server configuration
A. Operating system configuration
This section also applies for the Video Recording Manager and Mobile Video Service when these are not running on the management server.
Microsoft has prepared a lot of documentation related to time configuration Go to the Microsoft Support: How to configure an authoritative time server in Windows Server page and scroll down to the section “Configuring the Windows Time service to use an external time source”. Click the download button under the “Here’s an easy fix” section.
Figure: Download the Microsoft Windows Time service configuration utility
The utility will configure external time servers. To select these, browse to http://pool.ntp.org and select two servers which are related to the geographical location of the system, for example “de.pool.ntp.org” and “nl.pool.ntp.org”, referring to Germany and the Netherlands. Another (local or external) (S)NTP server can also be chosen.
Start the Microsoft configuration utility and configure it as indicated and shown in the figure below.
Administrative access is required to run the utility.
Figure: Pool.ntp.org locations
Figure: Windows Time service configuration
Alternatively the configuration can be done from the command-line, using the command shown below.
net stop w32time w32tm /config /syncfromflags :manual /manualpeerlist : "nl.pool.ntp.org, de.pool.ntp.org" net start w32time
The configuration can be verified by starting the Windows Command prompt and issuing the command “w32tm /query / status”, as shown in the figure below. Notice the time source, this should point towards the configured servers.
Figure: verifying configuration
It can take up to one minute before the correct time source is displayed.
When there is a problem, the configured (S)NTP server can be tested by issuing the “w32tm /stripchart /computer:de.pool.ntp.org”, which should result in the output displayed in the figure below.
Figure: test the (S)NTP service
When an unexpected result is returned, it is recommended to check access to the specific (S)NTP server. A firewall might prevent the communication between the (S)NTP server and the management server.
B. BVMS Management Server configuration
BVMS automatically points devices to its own time-server. This can be changed by editing the BvmsCenterlServer.exe.config file, located in C:\Program Files\Bosch\VMS\bin\. Find the key "TimeServerIPAddress" and adjust the value, as shown in the example below (192.168.0.1).
<!-- Ip address of the time server for VRM/NVR encoders(defaults to the Central-Server IP if not set) . --> < add key = "TimeServerIPAddress" value = "192.168.0.1" />
C. Workstation configuration
The Bosch Video Management System Operator client runs on a Windows workstation. When the workstation and server are part of the same Microsoft Active Directory service domain, no manual time synchronization needs to be configured.
Figure: workstation configuration, "192.168.0.200" needs to be replaced by the IP address or Fully Qualified Domain Name of the management server.
When the Bosch Video Management System workstation and management Server are not joined in a domain, or into the same domain, the workstation(s) need to be manually configured to use the management server as a time server. To achieve this, the description above can be used. Instead of using the pool.ntp.org as a server, the management server is now entered.
D. Camera configuration
If a camera is connected to a BVMS system the time server will be automatically configured.
BVMS Installer - Windows Pending Restart Message
The pop-up dialog window message: "Setup has detected a pending restart. Please reboot the system and rerun the installation" appears when attempting to run the valid BVMS windows installer package.
BVMS Installer Pending Restart Message
This is a known Windows specific problem when another (non-BVMS) installer does not properly manage its creation and deletion of the “PendingFileRenameOperations” registry key. The most common user created way for this key value to be left resident in the system is when an installation prompts for a restart, yet the system is not expeditiously restarted.
A. Restart the affected workstation
B. If the issue still persists, delete the orphaned "PendingFileRenameOperations" registry key value
Open a registry editor, such as Regedit.exe or Regedt32.exe.
Navigate to "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\"
In the right navigation pane, right-click the "PendingFileRenameOperations" key value and select delete
Close Registry Editor.
Run the software Installer again as Administrator
Note: This message is not a Bosch product failure message. This is a problem within windows and it's registry clean-up handling. This is a Windows work around.
The attached document describes how a Tattile camera can be connected to BVMS and describes the provided functionality in the BVMS operator client. We recommend keeping the Tattile camera documentation and BVMS configuration manual at hand to fine tune the system configuration to the specific needs of your project.
Logs are definitely important. We would even say they are the most important thing for a system to function properly.
At some point, the Central Support Team may ask you to provide them with the BVMS Configuration Collection.
This article explains you how and where you can get the BVMS Configuration Collection of your system.
Related Products: BVMS SDK, BVMS
BVMS Scriptlets can be debugged via logging to a logger file or messaging to the Operator workstation.
This article describes how to enable BVMS Scriplet logging.
You can log to the Server Script log or the Client Script log. Logs are default send to C:\ProgramData\Bosch\VMS\Log
1.Creating Log files
ClientScriptLogger – automatically created
Creates file “ClientScriptLog.txt”
ServerScriptLogger - automatically created
Creates file “ServerScriptLog.txt”
2.Log information to the log files
There are 3 methods to log information:
public void DemoLogger()
Logger.Info("Hello World script started");
Logger.Error("Hello World script started");
Logger.Debug("Hello World script started"); // Not writing to ClientScriptLog.txt !
3.Logging Location - C:\ProgramData\Bosch\VMS\Log. The logs are automatically collected by the BVMS Configuration Collection Tool.
4.Changing the location of the BVMS Scriplet Logging.
Server Scripts :
Logging Directory can be found in the file:
C:\Program Files (x86)\Bosch\VMS\AppData\Server\CentralServer\BvmsLogCfg.xml
and is defined by the ServerScriptLogAppender path:
<appender name="ServerScriptLogAppender" type="Bosch.Vms.Shared.Logging.Imp.RollingFileAppender, Bosch.Vms.Shared.Logging.Imp">
Client Scripts :
Logging Directory can be found in the file:
C:\Program Files (x86)\Bosch\VMS\AppData\Client\OpClient\ApplicationWiring\Nvr\LogCfg.xml
and is defined by the ClientScriptLogAppender path:
<appender name=“ClientScriptLogAppender" type="Bosch.Vms.Shared.Logging.Imp.RollingFileAppender, Bosch.Vms.Shared.Logging.Imp">
How can I use "virtual" cameras to demonstrate BVMS?
Demonstrating a video surveillance system typically requires a couple of cameras. However, when you only have a couple of cameras, the screen can look boring and empty. Did you know you can use the video streaming gateway to pull in any online JPEG picture as a camera into BVMS? This makes your demonstration more interesting! Additionally, you can set-up your own webserver and host customer JPEG images yourself. You can find a warehouse example below, fully based on JPEG based static images.
The attached document describes how to configure JPEG cameras.
My customers asks me to store the field of view of the cameras connected to BVMS. Is there an easy way to achieve this without opening every camera manually?
The embedded BVMS script engine makes this easy to achieve. The attached document explains how to achieve this and included an example script.
This article describes how to create a Certification Authority (CA) signed certificates for multiple cameras and distribute the CA certificate to multiple workstations. The attached step-by-step description was created for setting up BVMS recording authenticity feature in large systems.
Standard Service Documents The calculation of the storage capacity is done in different way in Configuration Client and VRM Monitor: - In BVMS Configuration Client Capacity (GB) stands for the available physical capacity of the storage, as calculated and provided by the storage vendor (for example NetApp). -In VRM Monitor – under Target Overview – Total is listed the number of all available blocks multiplied by the size of the blocks that is by default 1GB. This calculation concerns the logical storage and depends on the way the storage is used (for example how many Luns are imported in the system).
Depending on the license type you have installed in the Bosch Video Management System (BVMS), you can add a certain number and different types of cameras/ encoders. BVMS s upports 3 rd party cameras as well, but they need to be compliant to ONVIF Profile S.
This article explains how to add new ONVIF cameras to a system that runs in full Bosch Video Management System (BVMS) via the Configuration Client. We recommend using Bosch Workstations and Servers. They are fully tested and optimized for Bosch Video Management System.
PC/ Server/ Workstation
When you open BVMS Viewer Configuration Client for the first time, the following message is displayed:
"The system is running in an unregistered mode. Please activate your license package"
For a proper use of BVMS Viewer you need to activate the MBV-BVWR-100 License Viewer base, which is FREE! This can be found on the Bosch Security Systems Software License Manager (SLMS) platform.
Follow the steps below and find out how you can license BVMS Viewer for free.