This article explains how to access, configure and adjust the Windows Firewall.
A firewall is a program installed on your machine, or a piece of hardware in your network, that uses a rule-set to block or allow access to a computer, server or network. It separates dedicated network segments, most likely your LAN from the Internet. Firewalls can permit traffic to be routed through a specific port to a program or destination, while blocking all other traffic.
The Windows Firewall interface can be accessed in multiple ways. The way we will look at in this TB is via the Windows search function.
Click the Windows icon and type in "firewall". Then, click on the "Windows Firewall with Advanced Security" icon.
The GUI provides a general overview of the basic functions of the software. It displays the current status of the firewall and which profiles are currently set up. By default the firewall should be enabled.
We strongly recommend that the Windows Firewall is enabled on all your Bosch devices featuring a Windows Operating System.
There are 3 different profiles within your Windows Firewall, which are simply groups of different firewall rule-sets, applied depending on where your machine is currently connected.
Public Profile: This profile is used when the computer is connected directly to a public network like a restaurant, library or airport. This profile should be the most restrictive because security is usually not well controlled in public places.
Private Profile: This profile is used if you are only connected to a private network, not directly to the Internet. In these cases, your device is located behind a router or hardware firewall, which allows this profile to be set less restrictive.
Domain Profile: This profile is used when the machine is connected to a domain controller, which in turn is controlling a Windows domain. This profile should be the least restrictive of the profiles because security is usually very well controlled within a domain.
By default the Windows Firewall behavior is the following:
Windows Firewall never blocks outgoing traffic. Any requests sent out from the server will not be hindered in any way.
Windows Firewall blocks all incoming traffic, except for traffic that is in response to a request. This means that if you make a request to Google, Google’s inbound reply to your outbound request will not be blocked.
Windows Firewall blocks all other traffic. This means that any traffic that is not explicitly allowed is blocked in the firewall.
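To verify on a device that the firewall is enabled and still follows the default behavior described above, the profiles can be queried from PowerShell. This is an added example, not part of the original article; the function name Test-FirewallProfileBaseline is hypothetical, the cmdlets are the standard NetSecurity and NetConnection ones.

```powershell
# Added example: report the effective firewall state per profile.
function Test-FirewallProfileBaseline {
    [CmdletBinding()]
    param()

    # Which profile is in force on each connected network right now.
    $active = Get-NetConnectionProfile | ForEach-Object {
        # NetworkCategory reports 'DomainAuthenticated' for the Domain profile.
        if ("$($_.NetworkCategory)" -eq 'DomainAuthenticated') { 'Domain' }
        else { "$($_.NetworkCategory)" }
    }

    # ActiveStore is the effective policy: local settings merged with Group Policy.
    foreach ($p in Get-NetFirewallProfile -PolicyStore ActiveStore) {
        # NotConfigured falls back to the Windows default (block inbound, allow outbound).
        $inbound  = "$($p.DefaultInboundAction)"  -replace '^NotConfigured$', 'Block'
        $outbound = "$($p.DefaultOutboundAction)" -replace '^NotConfigured$', 'Allow'

        $deviations = @()
        if ("$($p.Enabled)" -ne 'True') { $deviations += 'firewall is disabled' }
        if ($inbound -ne 'Block')       { $deviations += "inbound default is $inbound" }
        if ($outbound -ne 'Allow')      { $deviations += "outbound default is $outbound" }

        [pscustomobject]@{
            Profile    = $p.Name
            InUse      = $active -contains $p.Name
            Enabled    = "$($p.Enabled)"
            Inbound    = $inbound
            Outbound   = $outbound
            Deviations = $deviations -join '; '
        }
    }
}

Test-FirewallProfileBaseline | Format-Table -AutoSize
```

An empty Deviations column for all three profiles means the device matches the defaults listed above.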
In the Windows Firewall, connections can be filtered by two kinds of exceptions: port exceptions (a rule assigned to a dedicated port number) and program exceptions (a rule assigned to a dedicated program).
In general we need to distinguish between the inbound (from somewhere to your machine) and outbound (from your machine to somewhere) rule-set.
Open a port in the firewall (inbound rule)
In the Windows Firewall with Advanced Security window, right-click "Inbound Rules", and then click "New Rule..." in the action pane.
In the "Rule Type" dialog box, select "Port" and then click "Next".
In the "Protocol and Ports" dialog box, select "TCP". Then select "Specific local Ports", and then type the port number and then click "Next".
In the "Action" dialog box, select "Allow the connection" and then click "Next".
In the "Profile" dialog box, select any profiles that apply and then click "Next". (We have allowed all three for demonstration purposes, your selection may vary.)
In the "Name" dialog box, type a name and description for this rule, and then click "Finish".
At this point, you will now see a new rule in the main firewall rules in the center section, as well as a new listing in the right window panel.
Open a program in the firewall (inbound rule)
Click on the "Inbound Rules" option on the top left of the firewall interface. Then click "New Rule...".
Under "Rule Type" dialog box, select the option "Program" and then click "Next".
Select the option "This Program path", browse to the path/location of the program and click "Next".
Next, we select the option “Allow the connection” and then click “Next”.
Select the "Profile" the rule will be applied to and click "Next". (We have allowed all three for demonstration purposes, your selection may vary.)
Select a "Name" and "Description" for this rule and then Click “Finish”.
At this point, you will be dropped back to the main firewall screen. You will now see a new rule in the main firewall rules in the center section, as well as a new listing in the right window pane.
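Both inbound rule procedures above (port and program) can also be scripted. The following is an added example, not part of the original article; the function name New-InboundAllowRule and the sample rule name and port are hypothetical. Unlike the GUI walkthrough, it defaults to the Domain and Private profiles only and refuses to create a second rule with the same display name, which New-NetFirewallRule would otherwise allow.

```powershell
# Added example: create an inbound allow rule for a TCP port or for a program.
function New-InboundAllowRule {
    [CmdletBinding(SupportsShouldProcess, DefaultParameterSetName = 'Port')]
    param(
        [Parameter(Mandatory)] [string] $DisplayName,

        [Parameter(Mandatory, ParameterSetName = 'Port')]
        [ValidateRange(1, 65535)] [int] $TcpPort,

        [Parameter(Mandatory, ParameterSetName = 'Program')]
        [string] $ProgramPath,

        # Public is left out by default; add it only if the service must be
        # reachable on untrusted networks.
        [ValidateSet('Domain', 'Private', 'Public')]
        [string[]] $FirewallProfile = @('Domain', 'Private'),

        [string] $Description
    )

    # Display names are not unique in Windows Firewall, so check first.
    if (Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue) {
        Write-Warning "A rule named '$DisplayName' already exists; nothing created."
        return
    }

    $rule = @{
        DisplayName = $DisplayName
        Direction   = 'Inbound'
        Action      = 'Allow'
        Profile     = $FirewallProfile
        Enabled     = 'True'
    }
    if ($Description) { $rule.Description = $Description }

    if ($PSCmdlet.ParameterSetName -eq 'Port') {
        $rule.Protocol  = 'TCP'
        $rule.LocalPort = $TcpPort
    }
    else {
        # A program rule that points to a missing file silently matches nothing.
        if (-not (Test-Path -LiteralPath $ProgramPath -PathType Leaf)) {
            throw "Program not found: $ProgramPath"
        }
        $rule.Program = $ProgramPath
    }

    if ($PSCmdlet.ShouldProcess($DisplayName, 'Create inbound allow rule')) {
        New-NetFirewallRule @rule
    }
}

# Constructed sample values; -WhatIf shows what would be created without changing anything.
New-InboundAllowRule -DisplayName 'Example service (TCP 8443)' -TcpPort 8443 -WhatIf
```

Run it from an elevated PowerShell session and drop -WhatIf to actually create the rule.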
Edit a port / program in the firewall
Right-click on the rule, which will open a context menu. Then click "Properties" and adjust the rule according to your needs.
Close a port / program in the firewall
Right-click on the rule, which will open a context menu. Then click "Delete".
Adjust program rule after BVMS upgrade
In case you upgraded your current BVMS to BVMS 10, referring to the article TSG-Upgrading-VRM-from-32bit-to-64bit, you need to adjust the inbound and outbound rules "Bosch VRM Server" and "USB Transcoder".
To do so, right-click on the rule, which will open a context menu. Then click "Properties" and adjust the program path to:
Bosch VRM Server: "C:\Program Files\Bosch\Video Recording Manager\VRM Server\bin\rms.exe"
USB Transcoder: "C:\Program Files (x86)\Bosch\Video Recording Manager\VRM Server\bin\usbsvc.exe"
Keep in mind that you need to perform this action on all four rules (inbound and outbound).
Alternatively download the attachment set_fw_rules.zip (1 KB) locally to your device, extract the archive and run the PowerShell script "set_fw_rule_trancoder.ps1" as administrator. The script will adjust all necessary rules.
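For reference, the adjustment of the four rules can be expressed with the standard NetSecurity cmdlets as follows. This is an added example and not the content of the attached script; the function name Update-VrmRuleProgramPath is hypothetical, and it assumes the rules' display names are exactly "Bosch VRM Server" and "USB Transcoder" as written above.

```powershell
# Added example: point the inbound and outbound rules at the new binaries.
function Update-VrmRuleProgramPath {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Rule names and program paths as given in the article.
        [hashtable] $RulePrograms = @{
            'Bosch VRM Server' = 'C:\Program Files\Bosch\Video Recording Manager\VRM Server\bin\rms.exe'
            'USB Transcoder'   = 'C:\Program Files (x86)\Bosch\Video Recording Manager\VRM Server\bin\usbsvc.exe'
        }
    )

    foreach ($name in $RulePrograms.Keys) {
        $wanted = $RulePrograms[$name]
        if (-not (Test-Path -LiteralPath $wanted -PathType Leaf)) {
            Write-Warning "Target binary does not exist on this machine: $wanted"
        }

        $rules = @(Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)
        foreach ($direction in 'Inbound', 'Outbound') {
            if (-not ($rules | Where-Object Direction -eq $direction)) {
                Write-Warning "No $direction rule named '$name' found."
            }
        }

        foreach ($rule in $rules) {
            # The program path lives in the rule's application filter.
            $filter = $rule | Get-NetFirewallApplicationFilter
            $status = 'unchanged'
            if ($filter.Program -ne $wanted) {
                if ($PSCmdlet.ShouldProcess("$name ($($rule.Direction))", "Set program to $wanted")) {
                    Set-NetFirewallApplicationFilter -InputObject $filter -Program $wanted
                    $status = 'updated'
                }
                else { $status = 'would update' }
            }
            [pscustomobject]@{
                Rule      = $name
                Direction = "$($rule.Direction)"
                OldPath   = $filter.Program
                Status    = $status
            }
        }
    }
}

# Dry run first; remove -WhatIf in an elevated session to apply.
Update-VrmRuleProgramPath -WhatIf | Format-Table -AutoSize
```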
Bosch has been providing 2 types of VRM packages: a 32bit and a 64bit version. Since VRM 3.82 we are only offering the 64bit version.
All of our released DIVAR IP units started off with the 32bit VRM, which includes a Transcoder service.
If you do not use the Start.exe included in the VRM Master Installer, you will not be offered the opportunity to also upgrade the Transcoder. Just running the Setup_VRM_Service_<version>.exe found in the <Install\Bosch> folder will cause the Transcoder service to stop functioning!
This also applies if the upgrade is done via the BVMS installer.
Since BVMS 10.0, VRM 3.82 "64bit" was implemented.
Due to the fact that BVMS does not manage the transcoder, it was not installed.
Also see Firewall settings: HowTo Configure Windows Firewall Rules, includes PS script to adjust the VRM 64bit and Transcoder rules.
Download the appropriate VRM version from our Downloadstore
Run the Start.exe
Deselect all components and choose only the Transcoder Service
Click on "Install"
To confirm that the Transcoder is fully functional, open your browser and navigate to the VRM Monitor:
Log in with your credentials.
The storage capacity is calculated in different ways in Configuration Client and VRM Monitor:
- In BVMS Configuration Client, Capacity (GB) stands for the available physical capacity of the storage, as calculated and provided by the storage vendor (for example NetApp).
- In VRM Monitor, under Target Overview, Total is the number of all available blocks multiplied by the size of the blocks, which is 1 GB by default. This calculation concerns the logical storage and depends on the way the storage is used (for example how many LUNs are imported in the system).
When using Configuration Manager, each device has a status icon.
The method below shows you how to generate an updated certificate for Bosch IP cameras and VRM servers.
Here we are talking about certificates: the icon is colored yellow with an exclamation mark.
Using the mouse over Tooltip, the device is saying exactly what is wrong with the certificate connection.
VRM on a DIVAR IP 5000:
Right click on the device to Show Certificates, if you wish to view them.
We can see that there are multiple things wrong.
The Cert is not Trusted
Cert Name mismatch.
First is inconsistent date:
All IP devices and PCs must be synchronized on the Date time page (group General).
Second is invalid certificate
First, take a quick look at the certificate requirement level: navigate to Preferences -> Configuration Manager -> Access -> Security.
The certificate must just be valid: a self-signed certificate matching the host name/IP address will be sufficient.
We need to generate a new certificate on Certificate page.
Clicking the "Generate certificate" button should open a certificate creation dialog. The most important options are a matching common name and a matching validity time.
After the certificate is created, the correct usage must be set as shown below:
IP Camera Certificate
To apply changes VRM must be restarted.
If certificate requirement is higher, then a validatable chain of certification must be used (This would be setup by a System Integrator or IT Administrator):
Trusted - the signing entity CA (e.g. VeriSign) must be trusted on target PC
Issued by this CA - There is a Micro CA setup on this PC.
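The three problems named above (not trusted, name mismatch, inconsistent date) can also be checked from the PC without Configuration Manager by reading the certificate the device presents. This is an added example, not part of the original article; the function name Test-DeviceCertificate is hypothetical and 192.0.2.10 is a constructed placeholder address.

```powershell
# Added example: inspect the certificate a device presents on its HTTPS port.
function Test-DeviceCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $HostName,   # name or IP exactly as the client uses it
        [int] $Port = 443
    )

    $state = @{ Errors = [System.Net.Security.SslPolicyErrors]::None }
    # Accept the certificate in any case so that a faulty one can still be
    # inspected, but record what the platform's validation complained about.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] ({
        param($s, $certificate, $chain, $sslPolicyErrors)
        $state.Errors = $sslPolicyErrors
        $true
    }.GetNewClosure())

    $ssl = $null
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)

        $now   = Get-Date   # local PC clock: this is why date/time must be synchronized
        $flags = [System.Net.Security.SslPolicyErrors]
        [pscustomobject]@{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            SelfSigned   = $cert.Subject -eq $cert.Issuer
            NotBefore    = $cert.NotBefore
            NotAfter     = $cert.NotAfter
            DateValid    = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
            NameMatches  = -not [bool]($state.Errors -band $flags::RemoteCertificateNameMismatch)
            ChainTrusted = -not [bool]($state.Errors -band $flags::RemoteCertificateChainErrors)
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

# Constructed placeholder address; replace with the camera or VRM server to check.
# Test-DeviceCertificate -HostName '192.0.2.10'
```

For the lowest requirement level described above, DateValid and NameMatches must be True; ChainTrusted only becomes relevant when a validatable chain is required.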
Related Products: VRM, Genetec Security Center
It is possible to use VRM free of charge (no extra VRM license is required) within Genetec Security Center. Genetec sends an encrypted secret to the VRM server with the number of licensed channels. When VRM receives and validates this, it can be used for that number of channels for 24 h. A periodic license update is sent by Genetec, so the VRM licensing is guaranteed as long as it is used with Genetec Security Center.
Default settings, if no extra configuration is needed or done:
- License for 1000 cameras
- License update is done every hour
How to license more than 1000 cameras or change the license update period for VRM within Genetec Security Center:
Open the Config Tool and Launch a Video Task
Select the Archiver
Go to the Resource Tab and click on Extensions
From the Tab Installed extensions select Bosch.
In the Tab VRM add a new VRM and/or select already configured VRM.
Click on Advanced settings and add the following parameters
If you need to license the system with more than the default 1000 licenses, create the parameter with Name VrmLicenseRequestCount and enter the required number of licenses as its value. The parameter name is case sensitive.
If you need to change the duration of the period between each license request (there is always one license request when the archiver starts), create the parameter with Name VrmLicenseRequestPeriod. The duration of the period is in milliseconds. The default value is one hour. If the value is set to 0, the license requests are disabled. The parameter name is case sensitive.
Press Enter to confirm the entry and then Close
Press Apply and then OK.
At the webpage of the VRM one can check if the number of licenses is changed.
This article describes how to set LUNs on a target to Read Only via Configuration Manager.
If you want to move a storage from one VRM to another, this procedure is needed in order to retain your video footage until the desired retention time is over. All you need is the Configuration Manager on a PC in the same network as the VRM. If you don’t have the Configuration Manager, you can download it here.
Please be aware that setting the LUNs to Read Only will decrease the capacity of the VRM, which might lead to a lower Minimum Retention Time than desired. Calculate upfront whether the available storage is enough!
Start the Configuration Manager and add the local VRM to the System.
Change to the Tab My devices and select the Target on the Storage Device you want to move.
Set all LUNs to the Type Read Only. It should look like this then.
Now press the button Set and acknowledge it in the next window.
After, the window looks like this and the LUNs are now in Read Only Mode.
Now you need to wait until your desired retention time has passed (e.g. 30 days). Afterwards you can remove the storage from the VRM and add it to another VRM (in this process the storage needs to be factory defaulted to work).
The Bosch VRM Monitor page does not open correctly, but instead displays an Error.
Any Replay client requesting video from the Bosch Video Recording Manager service only receives the timeline, but the video is always black.
Bosch VRM by default uses Ports 80 & 443.
In most cases the problem is caused by another web server (e.g. IIS) that is installed on the same machine and is also making use of the default web ports 80 & 443.
Bosch Video Recording Manager (VRM)
Bosch Video Management System (BVMS)
Bosch Video Client (BVC)
Bosch Video Security Client (VSC)
Any Replay Client / Management System which accesses recorded video data via HTTP/HTTPS
Disable any of the other web services or change the default Ports they are using.
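To find out which process is occupying the default web ports before disabling or reconfiguring anything, the listeners can be listed from PowerShell. This is an added example, not part of the original article; the function name Get-WebPortListener is hypothetical, and it assumes that the VRM's own listener belongs to the rms.exe service process named elsewhere on this page.

```powershell
# Added example: show which process listens on the VRM default web ports.
function Get-WebPortListener {
    [CmdletBinding()]
    param(
        [int[]]  $Port = @(80, 443),
        [string] $VrmProcessName = 'rms'   # assumption: VRM service process (rms.exe)
    )

    # One entry per port and process (IPv4 and IPv6 listeners are collapsed).
    $listeners = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue |
        Sort-Object -Property LocalPort, OwningProcess -Unique

    foreach ($l in $listeners) {
        $procId   = $l.OwningProcess
        $proc     = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $services = @(Get-CimInstance -ClassName Win32_Service -Filter "ProcessId = $procId").Name -join ', '

        $note = if ($procId -eq 4) {
            # PID 4 is the kernel: the port is held through HTTP.sys (used by IIS
            # and other HTTP API applications). 'netsh http show servicestate'
            # lists the registered URLs and the processes behind them.
            'HTTP.sys listener, check with: netsh http show servicestate'
        }
        elseif ($proc.ProcessName -eq $VrmProcessName) { 'VRM' }
        else { 'other web server, conflicts with VRM defaults' }

        [pscustomobject]@{
            Port     = $l.LocalPort
            Address  = $l.LocalAddress
            ProcId   = $procId
            Process  = $proc.ProcessName
            Services = $services
            Note     = $note
        }
    }
}

Get-WebPortListener | Format-Table -AutoSize
```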
Possible communication issue between BVMS 8.0 Central Server and Video Recording Manager (VRM) 3.7x with BVMS 8.0 installed on different servers.
Communication can get interrupted and configuration might fail if the actions described below are not performed. Whether your system is affected is described as follows:
There can be authentication issues between the BVMS Central Server and the Video Recording Manager in case they are installed on different Servers.
It is possible to see reports in the BVMS 8.x system alarms that VRM reports a wrong version.
Please check in the VRM debug logging whether the following logline indications can be found:
CONFIG;DEBUG;SENDING XPATH /SYSTEM/DEVICES/DEVICE as well as HAS NO CONFIGURED NODE, SET TO CONFIGURED
CONFIG;INTERNAL;/SYSTEM/DEVICES CHANGED IN CONFIG. DEVICEID= [DEVICE IP]\0;SYSINFO;INTERNAL;LINE 1 HAS NO CONFIGURED NODE, SET TO CONFIGURED
In general, please keep in mind that it is strongly recommended to use VRM 3.71.00xx with BVMS 8.0. Do not use any older VRM version like 03.71.0022. Version 03.71.0029 and its release letter are available at the BOSCH DownloadStore (status update 2018-10-26): https://downloadstore.boschsecurity.com/FILES/Setup_VRM_03.71.0029_win32.zip Release Letter: https://downloadstore.boschsecurity.com/FILES/Bosch_Releaseletter_VRM_3.71.0029.pdf
At the VRM system / server, please check and ensure that the following Microsoft software packages are pre-installed:
.NET framework 4.6.2 or higher
Redistributables for Visual Studio 2015
In case one component is missing, please perform the following steps:
Download the missing Microsoft components. Note: When using BVMS 8.0 the VRM is typically a 32-Bit VRM software. Therefore the 32-Bit Microsoft packages are needed. The components that were seen as missing are:
- "Visual C++ Redistributable for Visual Studio 2015": https://www.microsoft.com/en-US/download/details.aspx?id=4814 Please choose the 32-Bit version when using it with the 32-Bit VRM.
- .NET framework 4.6.2 or higher (NDP462-KB3151800-x86-x64-AllOS-ENU.exe): https://www.microsoft.com/en-US/download/details.aspx?id=53344
Stop the VRM (rms.exe) service in Windows services
Install those components with Administrator rights on the VRM server
Reboot the server after installation of the Microsoft components
Check if the VRM service is running and if needed Re-Start the VRM (rms.exe) service
Check that the combination of messages is no longer seen in the VRM debug logging
The VRM package has been enhanced and users should no longer run into this issue with VRM 3.81 and newer versions. Please be aware that BVMS releases are tested with certain VRM versions. It is still possible to install a newer VRM than the one originally rolled out in the BVMS overall installer. For all VRM versions 3.7x and below 3.81 these packages need to be added.
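The .NET prerequisite and the logline check from the procedure above can be scripted as follows. This is an added example, not part of the original article; the function names are hypothetical, the sample log lines are constructed from the two patterns quoted above, and the location of the VRM debug log is not given on this page, so it is left as a placeholder.

```powershell
# Added example: check the .NET prerequisite and scan log lines for the
# combination of messages described in the article.
function Test-DotNet462OrHigher {
    # Release values of 394802 and above correspond to .NET Framework 4.6.2 or later.
    $key     = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue).Release
    [pscustomobject]@{ Release = $release; Ok = ($release -ge 394802) }
}

function Test-VrmConfigNodeIndicator {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string[]] $LogLine)

    # Select-String is case-insensitive by default; -SimpleMatch avoids regex surprises.
    $sending = @($LogLine | Select-String -SimpleMatch 'SENDING XPATH /SYSTEM/DEVICES/DEVICE')
    $noNode  = @($LogLine | Select-String -SimpleMatch 'HAS NO CONFIGURED NODE, SET TO CONFIGURED')

    [pscustomobject]@{
        SendingXPathCount     = $sending.Count
        NoConfiguredNodeCount = $noNode.Count
        # The article names the combination of both messages as the indicator.
        Affected              = ($sending.Count -gt 0) -and ($noNode.Count -gt 0)
    }
}

# Constructed sample lines, modelled on the loglines quoted in the article.
$sample = @(
    'CONFIG;DEBUG;SENDING XPATH /SYSTEM/DEVICES/DEVICE'
    'CONFIG;INTERNAL;/SYSTEM/DEVICES CHANGED IN CONFIG. DEVICEID= [DEVICE IP]\0;SYSINFO;INTERNAL;LINE 1 HAS NO CONFIGURED NODE, SET TO CONFIGURED'
    'CONFIG;DEBUG;UNRELATED LINE'
)

Test-DotNet462OrHigher
Test-VrmConfigNodeIndicator -LogLine $sample        # Affected = True for the sample

# Against a real log (placeholder path, not taken from the article):
# Test-VrmConfigNodeIndicator -LogLine (Get-Content -Path '<path to VRM debug log>')
```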
With the VRM eXport Wizard 2.0 encrypted and unencrypted VRM recordings can be exported (VRM block export) from any video surveillance system based on Bosch Video Recording Manager (VRM) and exported recordings can be converted to mp4-files. Therefore, the VRM eXport Wizard 2.0 offers the following two options, compare also Figure 1:
Export VRM recordings of cameras
Convert already exported data to mp4-file
Export VRM recordings
To export recordings, no matter if encrypted or un-encrypted recordings, from a video surveillance system based on VRM, the user first needs to select and connect to the Bosch VRM system that contains the source video data the user wants to export. To optimize the data traffic, the user can further select the number of maximum sources exported in parallel and set the maximum bit rate used per source, see Figure 2.
Note: To avoid any performance loss of the VRM system it is not recommended to run the VRM eXport Wizard on the same hardware as the VRM itself or any other system critical server (e. g. VRM server, BVMS MS, etc.).
In the next step (Figure 3) the user selects the cameras and the time period that shall be included in the export. Additionally, the user can change the name of the export file and add a comment.
Once the user is done with the camera selection, the export destination has to be selected in the "Select Type and Destination" window, see Figure 4. Here the user can choose between CIFS export, iSCSI export and export to a file system.
Note: The tape export some users might know from older versions is no longer supported.
Once the destination is selected, the export process can be started. The VRM eXport Wizard informs about the current status of the export process and tells the user when the export is completed, compare Figure 5. The exported blocks can now be found on the previously chosen destination platform.
Please note for mass exports, if the overall export time is longer than the respective retention time for a camera not all video data might be exported before being overwritten / deleted.
As already mentioned above, this export procedure works for unencrypted as well as encrypted VRM recordings (encrypted and unencrypted VRM blocks).
Unfortunately, for playback of the exported material we have to differentiate between encrypted and unencrypted exported recordings. For playback of unencrypted video data exported by the VRM eXport Wizard BVMS is the best choice, as the user can then also take advantage of the meta data like IVA information. For now, this is not possible for encrypted recordings, because the re-import of encrypted VRM block exports is not yet supported. Instead, the user has to take advantage of the new mp4 conversion functionality of the VRM eXport Wizard. Of course, the conversion also works for unencrypted recordings. Both cases are explained in the following.
Convert already exported data to mp4
To convert VRM block exports to mp4 format the user has to choose the option "Convert already exported data to mp4-file", see Figure 6.
Max file size per MP4 file is 500 MiB
How to convert unencrypted recordings to mp4?
In the "Select exported data for conversion" screen the user can choose the source, in this case unencrypted recording blocks, and the output directory, where the mp4 files shall be saved to, Figure 7. To choose the exported VRM blocks, which shall be converted to mp4 format, the user has to navigate to the corresponding camera folder and has to select the related BIN.file. This is illustrated in Figure 8. For unencrypted VRM blocks no further information is needed and conversion can be started by pressing the next button in the "Select exported data for conversion" screen.
Similar to the export procedure the VRM eXport Wizard also shows the status of the conversion process. Once it is successfully finished, the screen will look like in Figure 9.
How to convert encrypted recordings to mp4?
The conversion of encrypted VRM blocks starts in the same way as the "unencrypted recordings" case above. However, in the "Select exported data for conversion" screen the user needs to add a valid redundancy key for encryption. Therefore, the checkbox "Source is encrypted" needs to be checked and the redundancy key (a .pfx file) needs to be selected and the password needs to be entered, as demonstrated in Figure 10 and Figure 11.
The VRM eXport Wizard is a tool that allows you to export video directly from the VRM. You can find the VRM eXport Wizard setup file in the bonus directory of the BVMS zip file. Exports made with the VRM eXport Wizard 1.20.0010 can be opened in BVMS (Viewer) 9.0 or newer. The attached document describes how to use the VRM eXport Wizard. BVMS 10 comes with the VRM eXport Wizard 1.20.0016.