Time is everything: meetings, public transportation, religion, transactions: the whole world is working because the concept of “time” exists. Within a security (or any other) system this is not different: recording schedules, logging, authorizations, encryption keys, timelines, all of these concepts can exist because of time. As a result, time can either make or break a system: problems can appear only due to a time difference of a couple of seconds between two system components.
The attached document describes how time services can be configured in a BVMS environment.
This article provides you with information related to the Windows Firewall, how to access, configure and adjust it.
A firewall is a program installed on your machine, or a piece of hardware in your network, that uses a rule-set to block or allow access to a computer, server or network. It separates dedicated network segments, typically your LAN from the Internet. Firewalls can permit traffic to be routed through a specific port to a program or destination, while blocking all other traffic.
The Windows Firewall interface can be accessed in multiple ways. The way we will use in this TB is via the Windows search function.
Click the Windows icon and type in “firewall”. Then, click on the “Windows Firewall with Advanced Security” icon.
The GUI provides a general overview of the basic functions of the software. It displays the current status of the firewall and which profiles are currently set up. By default the firewall should be enabled.
We strongly recommend that the Windows Firewall is enabled on all your Bosch devices featuring a Windows Operating System.
There are 3 different profiles within your Windows Firewall, which are simply groups of different firewall rule-sets, applied depending on where your machine is currently connected.
Public Profile: This profile is used when the computer is connected directly to a public network like a restaurant, library or airport. This profile should be the most restrictive because security is usually not well controlled in public places.
Private Profile: This profile is used if you are only connected to a private network, not directly to the Internet. In these cases, your device is located behind a router or hardware firewall, which allows this profile to be set less restrictively.
Domain Profile: This profile is used when the machine is connected to a domain controller, which in turn is controlling a Windows domain. This profile should be the least restrictive of the three profiles because security is usually very well controlled within a domain.
By default the Windows Firewall behavior is the following:
Windows Firewall never blocks outgoing traffic. Any requests sent out from the server will not be hindered in any way.
Windows Firewall blocks all incoming traffic, except for traffic that is in response to a request. This means that if you make a request to Google, Google’s inbound reply to your outbound request will not be blocked.
Windows Firewall blocks all other traffic. This means that any traffic that is not explicitly allowed is blocked in the firewall.
In the Windows Firewall we can filter connections in two different ways: port exceptions (a rule assigned to a dedicated port number) and program exceptions (a rule assigned to a dedicated program).
In general we need to distinguish between the inbound (from somewhere to your machine) and outbound (from your machine to somewhere) rule-sets.
Open a port in the firewall (inbound rule)
In the Windows Firewall with Advanced Security window, right-click "Inbound Rules", and then click "New Rule..." in the action pane.
In the "Rule Type" dialog box, select "Port" depending on your need and then click "Next".
In the "Protocol and Ports" dialog box, select "TCP". Then select "Specific local Ports", and then type the port number and then click "Next".
In the "Action" dialog box, select "Allow the connection" and then click "Next".
In the "Profile" dialog box, select any profiles that apply and then click "Next". (We have allowed all three for demonstration purposes, your selection may vary.)
In the "Name" dialog box, type a name and description for this rule, and then click "Finish".
At this point, you will now see a new rule in the main firewall rules in the center section, as well as a new listing in the right window panel.
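The same inbound port rule can be created from an elevated PowerShell session with the built-in NetSecurity cmdlets. This is an added example, not part of the original article; the port number and rule name are placeholders, and the rule is limited to the Domain and Private profiles instead of all three.

```powershell
# Added example, not Bosch code. Run in an elevated PowerShell session.
$Port     = 12345                        # placeholder: use the port your application needs
$RuleName = 'Example inbound TCP 12345'  # hypothetical rule name

# 1. Show the effective state of each profile (ActiveStore includes Group Policy).
#    The defaults described above are: Enabled, inbound Block, outbound Allow.
$profiles = Get-NetFirewallProfile -PolicyStore ActiveStore
$profiles | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

# Stop if any profile has the firewall switched off.
$disabled = @($profiles | Where-Object { $_.Enabled -ne 'True' })
if ($disabled.Count -gt 0) {
    Write-Warning "Firewall disabled for profile(s): $($disabled.Name -join ', ')"
}

# 2. Create the rule only if it does not exist yet, so re-running is harmless.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Description 'Allow inbound TCP to the example service' `
        -Direction Inbound -Protocol TCP -LocalPort $Port `
        -Action Allow -Profile Domain, Private | Out-Null
}

# 3. Read the rule back: direction, action, profiles and the port it opens.
Get-NetFirewallRule -DisplayName $RuleName |
    Select-Object DisplayName, Direction, Action, Profile, Enabled
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort
```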
Open a program in the firewall (inbound rule)
Click on the "Inbound Rules" option on the top left of the firewall interface. Then, click on the "New rule…"
Under "Rule Type" dialog box, select the option "Program" and then click "Next".
Select the option "This Program path" browse to the path/location of the program and click "Next".
Next, we select the option “Allow the connection” and then click “Next”.
Select the "Profile" the rule will be applied to and click "Next". (We have allowed all three for demonstration purposes, your selection may vary.)
Select a "Name" and "Description" for this rule and then Click “Finish”.
At this point, you will be dropped back to the main firewall screen. You will now see a new rule in the main firewall rules in the center section, as well as a new listing in the right window pane.
Edit a port / program in the firewall
Right-click on the rule, which will open a context menu. Then click "Properties" and adjust the rule according to your needs.
Close a port / program in the firewall
Right-click on the rule, which will open a context menu. Then click "Delete".
Adjust program rule after BVMS upgrade
If you upgraded your current BVMS to BVMS10, referring to the article TSG-Upgrading-VRM-from-32bit-to-64bit, you need to adjust the inbound and outbound rules "Bosch VRM Server" and "USB Transcoder".
To do so, right-click on the rule, which will open a context menu. Then click "Properties" and adjust the program's path to:
Bosch VRM Server: "C:\Program Files\Bosch\Video Recording Manager\VRM Server\bin\rms.exe"
USB Transcoder: "C:\Program Files (x86)\Bosch\Video Recording Manager\VRM Server\bin\usbsvc.exe"
Keep in mind that you need to perform this action on all four rules (inbound and outbound).
Alternatively download the attachment set_fw_rules.zip (1 KB) locally to your device, extract the archive and run the PowerShell script "set_fw_rule_trancoder.ps1" as administrator. The script will adjust all necessary rules.
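For reference, the manual path change can also be made and verified with the built-in NetSecurity cmdlets. This is an added example and not the Bosch-provided script; it assumes the rule display names are exactly "Bosch VRM Server" and "USB Transcoder" as written above.

```powershell
# Added example, not the script from set_fw_rules.zip. Run elevated.
# Rule names and program paths are the ones given in the article.
$targets = @{
    'Bosch VRM Server' = 'C:\Program Files\Bosch\Video Recording Manager\VRM Server\bin\rms.exe'
    'USB Transcoder'   = 'C:\Program Files (x86)\Bosch\Video Recording Manager\VRM Server\bin\usbsvc.exe'
}

foreach ($name in $targets.Keys) {
    $path  = $targets[$name]
    $rules = @(Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)

    # Never point an allow rule at a binary that is not there.
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        Write-Warning "${name}: $path not found, rules left unchanged"
        continue
    }
    if ($rules.Count -eq 0) {
        Write-Warning "${name}: no firewall rule with this display name"
        continue
    }
    if ($rules.Count -ne 2) {
        Write-Warning "${name}: expected one inbound and one outbound rule, found $($rules.Count)"
    }

    # Update the program filter of every rule carrying this display name.
    foreach ($rule in $rules) {
        $rule | Get-NetFirewallApplicationFilter |
            Set-NetFirewallApplicationFilter -Program $path
    }

    # Read the result back so all four rules can be checked at a glance.
    Get-NetFirewallRule -DisplayName $name | ForEach-Object {
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Direction = $_.Direction
            Program   = ($_ | Get-NetFirewallApplicationFilter).Program
        }
    }
}
```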
The BVMS Project Checklist is an Excel-based tool which makes it easier to design a BVMS system. The attachments include a document describing how to use the project checklist and the project checklist itself.
When working with previous versions of BVMS, remote connectivity was cumbersome due to the amount of port mapping that needed to be configured. BVMS 7.5 provides a new method of remote connectivity utilizing Secure Shell (SSH) Tunnelling.
The attached document (attachments can be found on the bottom of the page) describes the set-up and configuration of the SSH functionality in BVMS.
Related Products: BVMS Operator Client, BRS
BVMS CS gets from BRS the camera states and the events. BVMS OC connects to BRS for camera live view and playback.
The BVMS OC to BRS connection is DCOM based (BVMS CS to BRS connection - either web services or DCOM).
Troubleshooting and information providing steps:
1. Connectivity issues between BVMS OC and BRS. We speak of a BVMS OC to BRS connectivity issue when:
BVMS CC scans the BRS and BVMS CS gets the camera states and events (a red dot on the camera icon when the camera is recording, for example)
but BVMS OC gets no live view or playback from the BRS cameras.
Step 1. Check if the cameras are correctly configured in BRS and that BRS itself gets live view and recording from the cameras
Step 2. DCOM "ConnectionServer" is not registered correctly.
navigate to "Component Services - Computers - My Computer - DCOM Config"
check if entry "ConnectionServer" is listed.
if there is no such entry, register the ConnectionServer from the installation directory. Open a console and navigate to the BVMS installation DCOM directory, e.g. C:\Program Files (x86)\Bosch\VMS\DCOM
type "ConnectionServer.exe /regserver" - press enter
refresh DCOMconfig window and check if entry "ConnectionServer" is listed.
Restart OC and BRS cameras should work.
Step 3. Check and correct the DCOM settings on OC.
go to Computer and then to MyComputer
right click on MyComputer and open properties
switch to DCOM-Security
Open both "Edit Limits" dialogs one after the other and, for the accounts "Everyone" and "Anonymous", tick all the checkboxes under the option "Allow"
restart the PC
2. BVMS OC doesn’t get BRS cameras Live View, but playback from the same cameras works.
Reproduce the issue, note the date and time.
Is there another BVMS OC machine where the live view works as expected?
Is the live view working in BRS itself?
provide the answer to the above questions and the BVMS OC Configuration Collector Logs to technical support
3. BVMS OC doesn’t get playback from BRS cameras, but gets live view from the same cameras
Does the BVMS OC find the time line of the recording?
Is it possible to get the playback of the camera on the BRS Appliance itself?
Is there another BVMS OC machine where the playback works as expected?
Is the playback working in BRS itself?
Reproduce the issue
provide the answer to the above questions and the BVMS OC Configuration Collector Logs to technical support
BVMS Installer - Windows Pending Restart Message
The pop-up dialog window message: "Setup has detected a pending restart. Please reboot the system and rerun the installation" appears when attempting to run the valid BVMS windows installer package.
BVMS Installer Pending Restart Message
This is a known Windows-specific problem that occurs when another (non-BVMS) installer does not properly manage its creation and deletion of the “PendingFileRenameOperations” registry key. The most common user-created way for this key value to be left resident in the system is when an installation prompts for a restart, yet the system is not restarted promptly.
A. Restart the affected workstation
B. If the issue still persists, delete the orphaned "PendingFileRenameOperations" registry key value
Open a registry editor, such as Regedit.exe or Regedt32.exe.
Navigate to "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\"
In the right navigation pane, right-click the "PendingFileRenameOperations" key value and select delete
Close Registry Editor.
Run the software Installer again as Administrator
Note: This message is not a Bosch product failure message. This is a problem within Windows and its registry clean-up handling. This is a Windows workaround.
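Before deleting the value in step B, it helps to see what is queued and to keep a backup, because removing it also discards any rename or delete operations that another installer legitimately scheduled for the next boot. The following is an added example, not part of the original article; the backup file location is a placeholder.

```powershell
# Added example, not Bosch code. Run in an elevated PowerShell session.
$key    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$value  = 'PendingFileRenameOperations'
$backup = Join-Path $env:TEMP 'SessionManager-backup.reg'   # placeholder location

$item = Get-ItemProperty -Path $key -Name $value -ErrorAction SilentlyContinue

if (-not $item) {
    Write-Output "$value is not present; nothing to clean up."
}
else {
    # The value is a multi-string list of source/destination paths.
    # Strip the NT path prefix so the owning product is easier to recognise.
    $entries = @($item.$value) | Where-Object { $_ } |
        ForEach-Object { $_ -replace '^!?\\\?\?\\', '' } | Sort-Object -Unique
    Write-Output "Paths queued for rename/delete at next boot:"
    $entries

    # Keep a copy of the whole key so the value can be restored if needed.
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager' $backup /y
    Write-Output "Backup written to $backup"

    # Remove only this value; -Confirm asks before the change is made.
    Remove-ItemProperty -Path $key -Name $value -Confirm
}
```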
This article guides you through the process of installing the BVMS Logbook Health Checker. The Bosch VMS Logbook Health Checker is a tool that is capable of fixing the overflow of the Bosch VMS Logbook database before it occurs.
The calculation of the storage capacity is done differently in Configuration Client and VRM Monitor:
- In BVMS Configuration Client, Capacity (GB) stands for the available physical capacity of the storage, as calculated and provided by the storage vendor (for example NetApp).
- In VRM Monitor, under Target Overview, Total lists the number of all available blocks multiplied by the size of the blocks, which is 1 GB by default. This calculation concerns the logical storage and depends on the way the storage is used (for example how many LUNs are imported in the system).
Related Products: BVMS SDK, BVMS
BVMS Scriptlets can be debugged via logging to a logger file or messaging to the Operator workstation.
This article describes how to enable BVMS Scriptlet logging.
You can log to the Server Script log or the Client Script log. By default, logs are sent to C:\ProgramData\Bosch\VMS\Log
1. Creating Log files
ClientScriptLogger – automatically created
Creates file “ClientScriptLog.txt”
ServerScriptLogger - automatically created
Creates file “ServerScriptLog.txt”
2. Log information to the log files
There are 3 methods to log information:
public void DemoLogger()
{
    Logger.Info("Hello World script started");
    Logger.Error("Hello World script started");
    Logger.Debug("Hello World script started"); // Not written to ClientScriptLog.txt!
}
3. Logging Location - C:\ProgramData\Bosch\VMS\Log. The logs are automatically collected by the BVMS Configuration Collection Tool.
4. Changing the location of the BVMS Scriptlet Logging.
Server Scripts :
Logging Directory can be found in the file:
C:\Program Files (x86)\Bosch\VMS\AppData\Server\CentralServer\BvmsLogCfg.xml
and is defined by the ServerScriptLogAppender path:
<appender name="ServerScriptLogAppender" type="Bosch.Vms.Shared.Logging.Imp.RollingFileAppender, Bosch.Vms.Shared.Logging.Imp">
Client Scripts :
Logging Directory can be found in the file:
C:\Program Files (x86)\Bosch\VMS\AppData\Client\OpClient\ApplicationWiring\Nvr\LogCfg.xml
and is defined by the ClientScriptLogAppender path:
<appender name="ClientScriptLogAppender" type="Bosch.Vms.Shared.Logging.Imp.RollingFileAppender, Bosch.Vms.Shared.Logging.Imp">
How can I find the source (details of the workstation) and credentials that are used to attempt to login into BVMS (when the attempt has failed)?
The username that is used to login is saved into the BVMS logbook and can be found by searching the logbook from the Operator Client (username of login is "blabla").
The details of the workstation (mainly the IP address) are logged into the BVMS client log files. These can be found on the workstations in the directory: C:\ProgramData\Bosch\VMS\Log
(Hint: for log file analysis a lot of free / open source tools are available. Snaketail is one of these tools, and can be found here.)
Open the BVMSClientLog.txt (there could be multiple files, each related to a different timeframe) and search for the phrase "InvalidCredentialException". If a user has tried to log in to the system, the following log lines should be present in the log file:
2019-03-17 18:31:53,668 75516 [GUI Thread] INFO Bosch.Vms.Frontend.OpClient.Wcf.DataAccessServiceClient ConnectAndAuthenticate - Call failed with InvalidCredentialException
2019-03-17 18:31:53,670 75518 [GUI Thread] INFO Bosch.Vms.Frontend.OpClient.ServerManagement.CentralServerManager AuthenticateAtMainServer - Main-Server 192.168.20.190: WCF online authentication result is WrongUserOrPassword
This needs to be checked for every workstation which runs the BVMS Operator Client.
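The search can be scripted so that repeated failures stand out. This is an added example, not part of the original article: the first two sample lines are the ones quoted above, the other three are constructed, and the threshold of 3 failures per hour and the wildcard file name used for real logs are assumptions.

```powershell
# Added example, not Bosch code. Sample log file: 2 lines from the article, 3 constructed.
$sample = Join-Path $env:TEMP 'BVMSClientLog-sample.txt'
@'
2019-03-17 18:31:53,668 75516 [GUI Thread] INFO Bosch.Vms.Frontend.OpClient.Wcf.DataAccessServiceClient ConnectAndAuthenticate - Call failed with InvalidCredentialException
2019-03-17 18:31:53,670 75518 [GUI Thread] INFO Bosch.Vms.Frontend.OpClient.ServerManagement.CentralServerManager AuthenticateAtMainServer - Main-Server 192.168.20.190: WCF online authentication result is WrongUserOrPassword
2019-03-17 18:32:10,101 91949 [GUI Thread] INFO Bosch.Vms.Frontend.OpClient.ServerManagement.CentralServerManager AuthenticateAtMainServer - Main-Server 192.168.20.190: WCF online authentication result is WrongUserOrPassword
2019-03-17 18:33:02,417 144265 [GUI Thread] INFO Bosch.Vms.Frontend.OpClient.ServerManagement.CentralServerManager AuthenticateAtMainServer - Main-Server 192.168.20.190: WCF online authentication result is WrongUserOrPassword
2019-03-17 21:05:44,009 9306857 [GUI Thread] INFO Bosch.Vms.Frontend.OpClient.ServerManagement.CentralServerManager AuthenticateAtMainServer - Main-Server 192.168.20.190: WCF online authentication result is WrongUserOrPassword
'@ | Set-Content -LiteralPath $sample -Encoding UTF8

function Get-FailedBvmsLogin {
    # Returns one object per "WrongUserOrPassword" line found in the given files.
    param([Parameter(Mandatory)][string[]]$Path)

    $pattern = '^(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ .*' +
               'Main-Server (?<server>\S+): WCF online authentication result is WrongUserOrPassword'

    Select-String -Path $Path -Pattern $pattern | ForEach-Object {
        $g = $_.Matches[0].Groups
        [pscustomobject]@{
            Time   = [datetime]::ParseExact($g['ts'].Value, 'yyyy-MM-dd HH:mm:ss',
                         [cultureinfo]::InvariantCulture)
            Server = $g['server'].Value
            File   = $_.Filename
        }
    }
}

# On a workstation, pass the real logs instead (wildcard name is an assumption):
#   Get-FailedBvmsLogin -Path 'C:\ProgramData\Bosch\VMS\Log\BVMSClientLog*.txt'
$failures = @(Get-FailedBvmsLogin -Path $sample)
Write-Output "$($failures.Count) failed login(s) found"

# Flag every hour in which a server saw 3 or more failed logins.
$failures |
    Group-Object -Property { $_.Time.ToString('yyyy-MM-dd HH:00') }, Server |
    Where-Object Count -ge 3 |
    Select-Object Count, Name
```

With the sample file, four failures are found and the 18:00 hour on 2019-03-17 is flagged with a count of 3.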
Related Products: Bosch Video Management System
Issue
When opening a new Image pane in Live Mode, the camera image is discolored, i.e. there is a green cast or the image is displayed in black and white. When viewing the same camera image with the web browser, the live image is properly colored.
Solution
Update the graphics card driver. Refer to BVMS release notes: they list the recommended graphics card driver versions to be used.
The VRM eXport wizard is a tool that allows you to export video directly from the VRM. You can find the VRM eXport wizard setup file in the bonus directory of the BVMS zip file. Exports made with the VRM eXport Wizard 1.20.0010 can be opened in BVMS (Viewer) 9.0 or newer. The attached document describes how to use the VRM eXport Wizard. BVMS 10 comes with the VRM eXport Wizard 1.20.0016.
Related Products: BVMS OPC Server
Question
List with restricted symbols when using BVMS OPC Server.
Answer
BVMS OPC server restricts the use of some symbols in the camera names. We can divide them into 3 groups:
- XML restricted symbols. For the OPC server the device configuration is exported in an XML file, so no reserved XML characters should be used, as they will be replaced by blanks when exporting the OPC file. XML restricted characters: : & < > " '
- OPC Specification restricted symbols. OPC Specification restricts the use of: " ´ ` ' #
- OPC namespace delimiters: . , /