Server homepage
The default Administrator account is provided with full Server Administrator permissions. Users who have Server-wide access will be taken to the server homepage when they first log in.
The homepage is split into three sections:
Summary information – including the server version number, total number of accounts created (and in use) and a link to the TVI encryption details
Domains in this server – either use the domain search function to find a domain, quick access to the first four domains, or use the Show all domains function to list all domains on the server
Manage this server – manage the domains, server-wide users, user roles and firmware uploaded to the server, as well as performing system management functions including licence management, and server settings
Managing server-wide administrators
Select the Server-wide administrators icon on the server homepage to display a list of all users who have system-wide access.
Users within this section can have different levels of permission, which will depend on the role they have been assigned. The role they have been given will provide server-wide access to potentially all domains, encoders, and users on the server – care should be taken to only create users in this section who require access to the entire server.
Users within this section can be recipients of alarm notifications. However, domain users are unable to view them as normal domain users do not have visibility of system-wide users.
For more information on creating a server-wide user or changing an existing user’s role refer to EdgeVis Server Setup Guide Chapter III: Server Organisation Concepts and Controls -> Assigning a server-wide role to a user.
Monitoring active viewers
The summary bar on the server homepage displays the number of users viewing video streams, and the number of streams they are viewing. Click on the link to open the Viewers page which lists every viewer on the system - displaying the encoder being viewed, how long they have been viewing, and signifying if they are using any services (including PTZ and full-resolution retrieval).
If a user has accidentally left a video stream open in a viewing client it is possible to kick the user’s stream by clicking on their user name and using the Kick selected viewer menu option.
Additionally, many services (e.g. PTZ) can only be used by one user. If a viewer has any of these services in use then additional menus options will be presented to allow those services to be freed.
Messaging configuration
EdgeVis Server can communicate with users using various mechanisms:
iOS and Android push notifications (for users of EdgeVis Client) - for alarm notifications
SMS - for alarm notifications
Email - for alarm notifications and account management e-mails
Each of these services relies on third-party software/services and must be enabled with the appropriate settings.
For further details on enabling each service refer to the later chapter Messaging Configuration.
Automated account creation emails
EdgeVis Server supports two different modes of account creation:
E-mail new user(s) their account automatically
Administrator enters each user’s account name, e-mail address, and role
EdgeVis Server sends an e-mail to each user automatically
User receives a link that allows them to create their own password
Offline
Admins create a user’s account and password, and then manually distribute the login details
In most circumstances it is more convenient to have users receive their login details via e-mail and improve security by ensuring passwords are only known by their respective users. Additionally, users can reset their own passwords using an automated e-mail system directly from the server login page. E-mails sent can be customised using individual templates.
However, it is recognised that not all installations have access to an e-mail server and so it is possible to create accounts in an offline manner. This is the default mode and requires no further configuration.
Enabling the e-mail account system
A pre-requisite is to ensure that e-mail is configured and working on your EdgeVis Server. The chapter Messaging Configuration outlines how to enable e-mail and provides examples for various common e-mail systems.
To enable e-mail accounts, go to the server’s User Settings page (under Server home page -> Advanced settings). From the available options select Automated account management e-mails. This will display the current setting.
To enable e-mail accounts use the Edit settings menu button on the right.
After ticking the enable button, it is also possible to customise the e-mails sent by EdgeVis. There are three e-mails the server can send:
New user – sent when a new account is created
Password reset – sent when the user asks to reset their password
E-mail changed – sent to the old e-mail address when the user changes their e-mail address.
Security Improvement - New in Version 8.5
As of EdgeVis Server version 8.5 and above, servers with the e-mail account system enabled have an extra security feature that warns users (via e-mail) if their password has been changed as shown below.
EdgeVis does not include an HTML editor and it is recommended to copy and paste the current template into your HTML editor of choice for editing, before pasting back into the server.
There are a number of live substitutions that the server can make when sending the e-mail – click the Available e-mail template placeholder tags help link that outlines the tags that can be used in each type of e-mail.
Testing the e-mail system
Once enabled, and you have modified the templates as necessary, a new option appears on the Available e-mail template placeholder tags page to help test the system without sending out real e-mails to users.
Select the Send test e-mail menu button to send test e-mails to a specific e-mail address.
After entering the e-mail address select the desired template to send.
If you have edited the built-in templates it is highly recommended to send test e-mails to various e-mail systems (e.g. Gmail, Outlook, iOS Mail) as:
HTML rendering in e-mail clients is not as consistent as in web browsers
EdgeVis Server will auto-create a plain-text version of the HTML template for users who are using older templates or have disabled HTML rendering for security/privacy reasons.
Security of links within e-mails
New user and Change password e-mails contain links that allow the user to set new passwords on the server. In order to better protect user accounts there are a number of protections the server employs with these e-mail links:
Each link can only be used once
The link is only valid for 24 hours for a new user, or 3 hours for a password reset
Should a user try to use the link a second time they will be directed to complete a password reset request. This would ensure only the original recipient received subsequent links. For expired links the system will automatically send the user another e-mail with a fresh link.
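The link rules above (single use, 24 hours for a new user, 3 hours for a reset, second use redirected to a reset request, expired link replaced by a fresh e-mail) as an added worked model; this is not EdgeVis code, and the token format, the store layout and the outcome strings are assumptions.

```python
import secrets
from datetime import datetime, timedelta

# Lifetimes stated above: 24 hours for a new-user link, 3 hours for a password reset
LIFETIME = {"new_user": timedelta(hours=24), "password_reset": timedelta(hours=3)}


class LinkStore:
    """Constructed model of the server's one-time account links (not EdgeVis code)."""

    def __init__(self):
        self._links = {}   # token -> {"kind", "user", "expires", "used"}
        self.sent = []     # (kind, user, token) for every e-mail that would be sent

    def issue(self, kind: str, user: str, now: datetime) -> str:
        # An unguessable token is the only thing that identifies the link
        token = secrets.token_urlsafe(32)
        self._links[token] = {"kind": kind, "user": user,
                              "expires": now + LIFETIME[kind], "used": False}
        self.sent.append((kind, user, token))
        return token

    def redeem(self, token: str, now: datetime) -> str:
        """Outcome of clicking a link: 'set_password', 'redirect_to_reset_request',
        'expired_new_link_sent' or 'invalid'."""
        link = self._links.get(token)
        if link is None:
            return "invalid"
        if link["used"]:
            # Second use: the visitor is sent to the password-reset request page, so
            # any further link goes only to the address on the account
            return "redirect_to_reset_request"
        if now > link["expires"]:
            # Expired: the server automatically e-mails the same user a fresh link
            self.issue(link["kind"], link["user"], now)
            return "expired_new_link_sent"
        link["used"] = True   # each link can only be used once
        return "set_password"
```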
Disabling automated e-mail accounts
It is possible to disable the e-mail account feature at any point – however it is not recommended to subsequently toggle this setting on a production server as all existing automated e-mails will cease to work when the e-mail accounts are disabled.
Login and password policies
It is possible to configure encoder and user accounts to follow organisational policies regarding account usage and password rules and complexity. These settings can be set at both server and domain level. By default, the server settings:
Propagate down to all domains
Can be locked so that no domain administrator can change them
If not locked, can be overridden by a domain administrator
Password settings
By default, EdgeVis Server will allow any password to be set that is 5 characters or more and will not expire it or prevent its reuse. It is possible to set stricter rules to enforce a stronger password policy.
These settings can be configured independently for users and encoders and are available from the Password settings section of User settings and Encoder settings respectively. Options include:
Reuse period – stop users from reusing previously used passwords
Expiry period for domain users – force password changes on domain-level users after a defined number of days. System-wide user account passwords never expire
Minimum length – force users to set longer passwords.
Check for common words – ensure users don’t use dictionary words (or variations such as ‘P@sswOrd’)
It is also possible to force users to use numbers, uppercase characters and symbols.
Note: Any new settings will only take effect on subsequent password changes. Existing passwords will remain unchanged.
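The server/domain inheritance rules (propagate, lock, override) and the password options above, as an added worked model; this is not EdgeVis code, and the field names, the leetspeak table and the sample common-word list are assumptions. Previous passwords are compared in clear here for brevity; a real store would compare hashes.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class PasswordPolicy:
    """Constructed model of the Password settings section (not EdgeVis code)."""
    min_length: int = 5             # default: any password of 5 or more characters
    reuse_period: int = 0           # how many previous passwords may not be reused (0 = off)
    expiry_days: int = 0            # force a change after this many days (0 = never)
    check_common_words: bool = False
    require_digit: bool = False
    require_upper: bool = False
    require_symbol: bool = False
    locked: bool = False            # server-level lock: domain administrators cannot override


def effective_policy(server: PasswordPolicy, domain: Optional[PasswordPolicy]) -> PasswordPolicy:
    """Server settings propagate to every domain; a domain override applies
    only when the domain has set one and the server policy is not locked."""
    if domain is None or server.locked:
        return server
    return domain


# Leetspeak substitutions are collapsed so that 'P@sswOrd' is treated as 'password'
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin"}   # constructed sample list


def normalise(pw: str) -> str:
    return pw.lower().translate(LEET)


def check_password(pw: str, policy: PasswordPolicy, previous: List[str]) -> List[str]:
    """Return the rule violations for a proposed password (an empty list means it is accepted)."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.reuse_period and pw in previous[-policy.reuse_period:]:
        problems.append("reused a recent password")
    if policy.check_common_words and any(w in normalise(pw) for w in COMMON_WORDS):
        problems.append("contains a common word")
    if policy.require_digit and not re.search(r"\d", pw):
        problems.append("no number")
    if policy.require_upper and not re.search(r"[A-Z]", pw):
        problems.append("no uppercase character")
    if policy.require_symbol and not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no symbol")
    return problems


def password_expired(set_on: date, today: date, policy: PasswordPolicy, server_wide_user: bool) -> bool:
    """Expiry applies to domain users only; server-wide account passwords never expire."""
    if server_wide_user or policy.expiry_days == 0:
        return False
    return today - set_on >= timedelta(days=policy.expiry_days)
```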
Viewing client settings
It is possible to set additional options that control the client’s behaviour:
Viewer timeout – viewing clients can auto-disconnect from a video stream after the specified period
Account lock out – auto-lock user accounts if too many failed login attempts are made
Enable single sign-on mode – by default a username can be used by multiple viewing clients simultaneously. Enable this option to only allow each username to be used by one viewing client (who may view multiple streams).
Allow users to save password within client – this will determine whether the viewing client will allow the user to save their login credentials.
Global settings
There are a number of settings that are applied globally on the server within the User settings section that can’t be set on a per-domain basis. These are contained within the Account Settings section:
Account inactivity limit – expire old accounts after a period of inactivity
Minimum length of names – by default any username must be a minimum of 2 characters long
Two factor authentication (2FA)
EdgeVis can protect user accounts using two factor authentication (2FA). This uses the industry standard 6-digit code scheme used by many other systems, and is recommended for maximum security. 2FA is not applicable to encoder accounts.
Recommended 2FA apps
As part of enrolling for 2FA, users will need to scan a QR code into a suitable 2FA app that can then generate the 6-digit login tokens.
There is no EdgeVis 2FA app supplied by Digital Barriers, and it is recommended to use one of the many third-party 2FA apps available. Two common free applications are Google Authenticator and Authy – both can be found on iOS and Android app stores.
Note: Google Chrome has an Authenticator extension in its app store. This app is not a Google app and is not connected to Google Authenticator, and does not synchronise its registered 2FA services with Google Authenticator.
Enabling 2FA for users
The following settings are available from the Two-factor authentication settings section of User settings at both server and domain level.
The first setting (Two factor authentication mode) has three options:
Off
Optional (default)
Mandatory
By default, EdgeVis allows users to enrol in 2FA if they desire. However, many corporate policies mandate the compulsory use of 2FA – set the 2FA mode to mandatory to force all users to enrol.
The second setting allows admins to decide how many 2FA backup codes the user is presented with during the enrolment process (or even disable them altogether). These codes are one-time emergency codes the user can use should they lose their 2FA device/app.
Finally, admins can decide whether to allow users to create app-specific passwords. These can be used with third party applications (e.g. Milestone VMS) that support EdgeVis, but do not support 2FA.
User enrolment in 2FA
When 2FA mode is set to mandatory:
EdgeVis Client users will be automatically directed to the EdgeVis Server web interface where enrolment must be completed.
EdgeVis Server users will be prompted to complete enrolment after entering their username and password.
The user is presented with a QR code – they scan this into their Authenticator app.
The app then presents a 6-digit code – this must be entered below the QR code in EdgeVis Server to complete setup.
When 2FA is optional:
A user must log into EdgeVis Server to enable 2FA
After logging in users can enrol in 2FA from the My Settings page.
The Enrol button will present the user with a QR code – they scan this into their Authenticator app.
The app then presents a 6-digit code – this must be entered below the QR code in EdgeVis Server to complete setup.
Once enabled the user will be requested to enter a 2FA code every time they log in to EdgeVis Server. EdgeVis Client users will see one of two behaviours:
If the user is allowed to save their password (and chooses to do so), EdgeVis Client will only request the 2FA code when adding the server to their list of available servers.
If the user is not allowed to save their password, or chooses not to, then they must enter their password and 2FA code every time they attempt to connect to the server.
Resetting a user’s 2FA registered app/device
There are occasions when a user may no longer have access to the app or device that generates the 6-digit codes. In this circumstance it is advisable to reset a user’s 2FA registered device, so that they can re-enrol.
If the user has access to a backup code (that they recorded/downloaded during the original enrolment) then they can log into EdgeVis Server and reset their 2FA settings themselves. The My Settings page will have a Reset option in the Two-factor authentication section.
If the user does not have any backup codes available then they must contact an administrator who has the necessary permissions to edit their account. Again, the Administrator should use the Reset option in the Two-factor authentication section.
TVI Encryption
EdgeVis Server can apply AES-256 encryption to the TVI links between the server and all encoders/viewers, protecting all transmissions from interception. Encryption keys are generated on the fly and are regularly rotated for maximum security.
The first detail on the TVI Encryption page will display the encryption strength (if enabled).
To ensure encoders/viewers are connecting to the intended server (and not a hostile man-in-the-middle) the server, during installation, creates a unique public/private key pair to verify the identity of the server. The private key is stored on the server and never distributed to users.
The public key can be distributed to users as:
a server fingerprint that contains a shorter (40 character) human readable version of the public key. Users setting up an encoder using the web setup interface, or connecting to a server using a viewing client, will be asked to visually confirm the fingerprint of the server during the initial connection to the server. Use the Copy to clipboard function to copy the server’s fingerprint to the clipboard for distribution to users.
an encryption pack, which is a file that contains the server’s public key. Older encoders (without interactive web configuration interfaces) must use the encryption pack during USB configuration.
Use the Download encryption pack menu option to download the encryption pack.
Note: It is safe to distribute this information to users as it is not used during the encryption process – it is only used to verify the identity of the server. If this information is lost/stolen, there is no security risk or requirement to reset the server’s encryption fingerprint/pack.
SSL configuration
The EdgeVis Server web management portal uses a self-signed SSL certificate by default. This allows the server to encrypt the web traffic but will fail browser security checks which require web sites to have a publicly verifiable SSL certificate installed on the server.
While this does not prevent the web portal’s traffic being encrypted, it can be disconcerting to end-users and can open the server to man-in-the-middle attacks.
EdgeVis Server supports:
Manual creation and upload of a valid SSL certificate (verified by a third-party certificate authority)
Auto-generation of an SSL certificate using the free Let’s Encrypt service
Using either of these schemes will remove the security warning and provide users with the standard ‘green padlock’ they expect to see on a secure website.
For further details on using a custom SSL certificate refer to the later chapter Using an SSL certificate with the web management portal.
Sending automated maintenance alerts
It is possible to configure EdgeVis Server to send alerts when a server or encoder detects an unusual event (e.g. an encoder’s camera has gone offline). These alerts can be sent using the same mechanisms as the alarm management system:
As an e-mail to an external e-mail address
As an SMS message to a phone number
To an EdgeVis user (and respecting their message settings - push notification/e-mail/SMS)
There are two classes of maintenance alerts:
Server alerts
Multi-server health monitoring
Database backup progress
Firmware uploads
Licensing issues
Encoder alerts
Encoder disconnects
Recording disk issues
Environmental issues (temperature/voltage)
It is possible to create a rule to send alerts at both the server level and the domain level (if the user has the appropriate permission).
Editing maintenance alerts
At the server level, and at each individual domain level, there is a list of current active rules for sending alerts (at the locations specified in the previous table).
The icon for each rule will signify if it’s an e-mail, SMS, or EdgeVis recipient. To edit an existing rule, select it from the list. Select the Add new maintenance alert rule menu item to create a new rule.
Select the desired recipient type – either e-mail, SMS or EdgeVis user.
Selecting an EdgeVis user will allow selection from any user within the server-wide administrators group (and domain-users if creating the rule in a domain).
EdgeVis users will be sent alerts based on their notification preferences (e-mail, SMS or push notification) and control the delivery mechanism themselves.
There are a number of choices for the types of alerts to send:
All maintenance alerts (both server and encoder)
Custom selection
All server alerts
All encoder alerts
Selecting Custom selection allows the user to see a list of all notifications available, in both the Server and Encoder groupings.
Once a server grows beyond a small number of encoders/users it is not recommended to utilise the All XXX alerts options as this can generate a significant number of alerts.
Note: If using a third-party SMS/e-mail provider please monitor alert generation to ensure that the costs of using this service are understood. On a larger server it is possible for hundreds of alerts to be generated per day.
Firmware management
EdgeVis Server allows the firmware on encoders to be remotely upgraded. It is possible for server-wide administrators to upload encoder firmware to EdgeVis Server, where users with the appropriate permissions may then select from any of the uploaded firmware to upgrade (or downgrade) their encoder to a newer (or older) version.
From the server home page select the Encoder firmware button – this will then list all firmware that have been uploaded to the server, along with a breakdown of the firmware version of encoders on the server (both online and offline).
As an EdgeVis deployment could consist of different encoder families (each with their own dedicated firmware) it is possible to narrow down the list of firmware to a particular product. Select the desired product from the Show summary for list box to narrow down the list of firmware, and installation statistics, to a particular model.
Note that a firmware may be listed under multiple products, e.g. the same firmware can be used to upgrade an HD-IP150 and an HD-IP250. Click on a firmware to list the products a firmware may be used with.
To add a new firmware to the list, select the Upload firmware menu option on the right, and select a firmware on the local PC to upload to the server.
To delete an existing firmware, click on the firmware from the list and select the Delete firmware menu option.
Upgrading an encoder’s firmware
Any user whose role includes the ‘Upload a firmware to the encoder’ permission has the ability to upgrade (or downgrade) an encoder’s firmware. To view an encoder’s current firmware, and/or upgrade the firmware:
Select the encoder by clicking the encoder’s account icon within the appropriate domain.
The Status and diagnostics section will list the encoder’s current firmware – select this item to view further information.
Use the Upgrade firmware menu item on the right to view available firmware – selecting one will begin the transfer of the firmware to the encoder.
The firmware is sent to the encoder using the same secure channel as the video and is trickle-fed to ensure that the video stream continues uninterrupted during the transfer.
Once the transfer is complete the encoder will reboot and apply the new firmware – this should only take around 1-2 minutes.
Warning: downgrading encoder firmware
EdgeVis generally has no restrictions on downgrading an encoder’s firmware. However, downgrading is generally not recommended for deployed encoders as there may be unintended consequences - feature changes in later firmware may temporarily break (or remove) certain encoder functionality if downgraded.
Examples include newer changes in recording formats that earlier firmware do not understand or upgraded transmission encryptions that are required to connect to a server.
Should issues be encountered after a downgrade it is possible to reset the encoder to a ‘factory fresh’ condition by:
Factory-resetting the encoder
Reformatting the encoder’s recording disk (if appropriate)
This should wipe any incompatible settings/recordings, allowing the encoder to operate correctly again.
Digital Barriers does not test encoder firmware downgrading and accepts no responsibility should the user encounter any issues or require the encoder to be returned for repair.
Note: It is never recommended to downgrade a firmware below the version supplied with the encoder – modem drivers may be required that are not present on earlier firmware.
Bulk firmware update
For users with many encoders to upgrade it is possible to batch upgrade encoders with older firmware. From the Firmware management page select the Bulk update encoders menu option. This will present a selection tool that allows the user to:
Select which encoder model to upgrade.
Either select all encoders or narrow down the list to a specific domain.
Select encoders with either a specific firmware, or firmware older/newer than a specific version.
The info message at the bottom of the page will show how many encoders meet these criteria (the next page allows a fine-grained choice of including/excluding an encoder).
Finally select which firmware to upgrade all selected encoders with.
Once the user has confirmed which encoders to upgrade, EdgeVis Server will begin firmware upgrades on each encoder. This uses the same process as manually upgrading the encoder described above.
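The bulk-update selection steps above (model, optional domain, firmware equal to/older than/newer than a version, per-encoder exclusion, target firmware), with the downgrade warning from the previous section applied to the resulting plan, as an added worked model; this is not EdgeVis code, and the encoder fields, the sample fleet, the model names and the version strings are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Encoder:
    name: str
    model: str
    domain: str
    firmware: str           # currently installed version
    shipped_firmware: str   # version supplied with the encoder


# Constructed sample fleet (not real devices)
FLEET = [
    Encoder("cam-01", "HD-IP150", "north", "8.4.0", "8.2.0"),
    Encoder("cam-02", "HD-IP150", "north", "8.5.1", "8.5.1"),
    Encoder("cam-03", "HD-IP150", "south", "8.10.0", "8.2.0"),
    Encoder("cam-04", "HD-IP250", "south", "8.4.0", "8.4.0"),
]


def version_key(v: str) -> tuple:
    # "8.10.0" -> (8, 10, 0): numeric comparison, so 8.10 sorts after 8.9
    return tuple(int(p) for p in v.split("."))


def select_encoders(encoders: List[Encoder], model: str, domain: Optional[str] = None,
                    firmware: Optional[str] = None, older_than: Optional[str] = None,
                    newer_than: Optional[str] = None) -> List[Encoder]:
    """Apply the selection tool's criteria: model, optional domain, and one firmware filter."""
    chosen = []
    for e in encoders:
        if e.model != model:
            continue
        if domain is not None and e.domain != domain:
            continue
        if firmware is not None and e.firmware != firmware:
            continue
        if older_than is not None and not version_key(e.firmware) < version_key(older_than):
            continue
        if newer_than is not None and not version_key(e.firmware) > version_key(newer_than):
            continue
        chosen.append(e)
    return chosen


def plan_upgrade(selected: List[Encoder], target: str, exclude=()) -> Tuple[list, List[str]]:
    """One job per included encoder, plus a warning for every downgrade.
    Downgrades are not blocked (the page says there is no restriction) but are flagged,
    and dropping below the shipped firmware is flagged as the more serious case."""
    jobs, warnings = [], []
    for e in selected:
        if e.name in exclude:   # fine-grained include/exclude on the confirmation page
            continue
        if version_key(target) < version_key(e.shipped_firmware):
            warnings.append(f"{e.name}: {target} is older than the shipped firmware {e.shipped_firmware}")
        elif version_key(target) < version_key(e.firmware):
            warnings.append(f"{e.name}: downgrade from {e.firmware} to {target}")
        jobs.append((e.name, target))
    return jobs, warnings
```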
Backing up and restoring EdgeVis Server
It is possible to save the EdgeVis Server databases (which include all domains/roles/accounts/alarm rules) to a single file on the server PC. This can be used to keep a backup copy of the server or to easily transfer the EdgeVis Server to a different server machine.
To start the process, select the Server backup/restore icon on the server homepage, and then use the Create database backup menu option. A prompt dialog will request a file name to be entered. The database will now be backed up and stored in a folder called ‘backup’ in the EdgeVis Server application directory (typically c:\Program Files (x86)\EdgeVis Server\). This file can be stored securely or copied to the same folder on the new EdgeVis Server machine.
To restore a database, select the Server backup/restore icon on the server homepage – this will list all backups stored on the server. Select the desired backup and use the Restore database backup menu option to begin the restore. Once the restore has begun, the interface will log the user out. There is no indication when the restore is complete – please allow approximately 60 seconds before attempting to log back in.
Note: Restoring the database will delete all existing domains/roles/accounts/alarm rules, before restoring from the backup. This may also delete the account being used by the person restoring the database.
It is recommended to perform a database backup before performing a restore.