Pelco VideoXpert-enterprise-3.16-System-Design-Guide design-guides

VideoXpert® Enterprise v 3.16

System DesignGuide

Document number:C5673M-L

Publication date:03/22

VideoXpert® Enterprise v 3.16 System DesignGuide

Table of Contents

Understanding the VideoXpert® Enterprise System 4

Scoping System Licenses 5

Planning for Device Discovery 6

Planning for FISMA/NISTCompliance 7

Selecting Servers 8

Choosing to Use One or More VideoXpert Core(s) 8

Choosing to Use One or More VideoXpert Media Gateway(s) 8

Planning to Use VideoXpert Aggregation 9

Growing theVideoXpertSystem 9

Using Active-Active Failover (Single CMG vs Multi-CMG Environments) 10

Clustering Core Servers 10

Working with Clusters 11

Aggregating Systems 11

Using LDAP Authentication 11

Planning for Multi-System Access 12

Understanding Operator Workspace Topology 13

Selecting Recorders 14

Using VideoXpert Storage (VxStorage) for Recording 14

Using VSM, NSM5200, and NSM5300 Servers as VideoXpert Recorders 14

Planning for Recording 15

Correlating Recording Storage Platforms and Their Requirements 15

Understanding Camera Support 16

Planning for Camera SDCard Data Retrieval 16

Planning for Auto-Backfill 16

Planning for Recording Schedule Capabilities 17

Using Volumes and Volume Groups 17

Using External NAS Storage (Archive Volume Groups) 17

Using VSM and NSM5300 Models as VideoXpert Recorders 18

Planning for Redundant Recording 18

Configuring VideoXpert Storage Failover Recording 18

Planning a BackupStrategy for Recorder Database Entries 20

Understanding VideoXpert Storage Failover and Redundant Recording 20

Selecting Independent Backup Storage 20

Evaluating Additional System Components 21

Selecting a Load Balancer 21

Using VideoXpert Internal Load Balancing 21

C5673M-L | 03/22 2

VideoXpert® Enterprise v 3.16 System DesignGuide

Using an External Load Balancer 21

Using a Network Time Protocol (NTP) Server 21

Selecting a DHCP Server 22

Supporting DNS 22

Designing Export Archive Storage 22

Understanding Network Operation Modes 23

Using Rendezvous Points (RP) 23

Using PIM Modes for Multicast Routing 23

Using PIM Dense Mode (PIM-DM) 23
Using PIM Sparse Mode (PIM-SM) 24
Using Sparse-Dense Mode (PIM-SDM) 25

Using DVMRP for Multicast Routing 25

Planning Network Traffic Flow 26

Addressing Traffic and System Limitations 26

Addressing Client-Side Display Limitations 27
Understanding Secondary and Tertiary Stream and Camera Settings 27
Understanding VxOpsCenter 6 x 6 and 8 x 8 Layout Requirements 27

Determining Streaming Delivery 28

Making VxOpsCenter Streams Adjustments 29
Planning for MJPEG Video Streaming 29
Planning for 4KSupport for Videos, Cameras, and Monitors 29
Planning for H.264 and H.265 Streaming 29

Planning to Use Additional Features 30

Planning for SNMP Monitoring 30

Planning to Use Maps 30

Planning to Use Integrations and Plugins 30

Planning for Event Reporting, Logs, and Notifications 32

Understanding Event Types 32

Using Reports 32

Locating Logs 33

Planning for Notifications 33

Appendix A:Video Streaming Diagrams 34

Multicast Recording, Multicast Viewingof a PelcoCamera 34

Unicast Recording, Multicast Viewing (With a VXSProxy)of a PelcoCamera 35

Unicast Recording, Multicast Viewingof a PelcoCamera 36

Unicast Recording, Multicast Viewing of an ONVIFCamera 37

Unicast Recording, Unicast Viewingof a PelcoCamera 38

Appendix B:NetworkProtocols and Ports Reference 39

Appendix C:Live Video Streaming Performance 43

C5673M-L | 03/22 3

VideoXpert® Enterprise v 3.16 System DesignGuide

Understanding the VideoXpert® Enterprise System

VideoXpert is a video management solution designed to fit surveillance operations of any size. Whether
your operation has 100 cameras or 10,000, VideoXpert presents a solution to display, record, and
manage your video resources. But VideoXpert Enterprise is more than a VMS. It is an enterprise-level
video and data management solution designed to combine input from multiple systems, for a cohesive,
real-time understanding of events taking place in your environment.

Action:Prior to obtaining a quote for or purchasing a system, contact a Pelco Technical Sales
Engineer to validate your system configuration.

C5673M-L | 03/22 4

VideoXpert® Enterprise v 3.16 System DesignGuide

Scoping System Licenses

VideoXpert is licensed for the system, for upgrades, and by channel—the video streams you view and
record. It comes with one (1) license to start. The demo license provides unlimited channels that are
active for a period of 60 days. These are active only the first time you install the software, or if the
software was pre-installed, the first time you start up the system. In order for the system to function
beyond the evaluation period, add the appropriate quantity of licenses to the system.

Action:Ensure that you have enough licenses. See the current version of the VideoXpert
Enterprise Product Specification for available SKUs. Contact a Pelco Sales Representative for
more information.

C5673M-L | 03/22 5

VideoXpert® Enterprise v 3.16 System DesignGuide

Planning for Device Discovery

When adding devices to VideoXpert, the system issues a discovery message and then listens for devices
for up to five minutes. Using the discovery process, VideoXpert adds your VideoXpert devices, including
Pelco cameras and many third-party cameras. You must then manually commission the devices.

Action:Ensure that there are enough licenses for all of the devices on the system, and ensure that
there will be enough bandwidth available to perform Device Discovery without interfering with
system operation.

C5673M-L | 03/22 6

VideoXpert® Enterprise v 3.16 System DesignGuide

Planning for FISMA/NISTCompliance

VideoXpert is compatible with current FISMA/NIST requirements. If your organization must comply with
these requirements, establish a Risk Management Framework which includes:

l

Categorizing the system

l

Selecting security controls

l

Implementing security controls

l

Assessing the system

l

Authorizing the system

l

Performing continuous monitoring

The current version of the VideoXpert Configuration Guide for FISMA/NIST Environments includes
configuration guidance and information needed to build a system documentation package for security
control assessments. Specifically, the guide will help organizations documenting the system through the
RMF process with information about how to categorize the system, which NIST-based security controls
are applicable, and how VideoXpert Enterprise implements NIST-based security controls. Testing of
these controls has also been performed by Pelco with VideoXpert Enterprise installed on a FISMA
representative system to ensure functionality under a secure configuration with DISA STIG rules applied.

Note:NIST security control baseline has many allowances for organization-defined settings.
While the VideoXpert Configuration Guide for FISMA/NIST Environments describes an RMF­friendly implementation for Pelco VideoXpert including NIST security controls and DISA STIG
rules, it might not precisely match your organizationally-defined settings.

Action:To configure your system for FISMA/NISTcompliance, contact Pelco Professional
Services to obtain the VideoXpert Configuration Guide for FISMA/NIST Environments.

C5673M-L | 03/22 7

VideoXpert® Enterprise v 3.16 System DesignGuide

Selecting Servers

VideoXpert requires both Core and Media Gateway servers. Although you can leverage separate Core
and Media Gateway servers for systems of sufficient scale, most systems can easily support servers
running both the Core and Media Gateway (CMG) services. A single CMG server provides the complete
range of VideoXpert functionality that you would expect for systems with fewer than 2000 cameras and
100 simultaneous users.

However, for environments that are especially large, require exceptional redundancy, or incorporate a
high number of low bandwidth and aggregated users, you might install individual Core and Media
Gateway servers.

Action:Determine whether to use a CMG or separate VideoXpert Core server(s) and Media
Gateway server(s) based on the number of cameras and users on your system. See the following
sections for details.

Notice: Mainstream support through Microsoft for the Windows Server 2012 operating system
ended October 2018. Beginning October 2022, Pelco will no longer provide support for future
major software updates on this operating system. To prevent support disruption and continue to
take advantage of future updates, Pelco recommends that you purchase new servers with, or
upgrade the operating system of existing servers, to Windows Server 2016 or newer. For
information on upgrade options please contact Microsoft Corporation.

Choosing to Use One or More VideoXpert Core(s)

VideoXpert Core is the heart of the VideoXpert System, it maintains the database of cameras, recording
devices, users, and permissions. Core works with VxToolbox, from which you can configure and manage
the system. Through VxToolbox, you can administer user accounts and permissions, determining the
system functions and devices users can access. You can create and assign “tags” to quickly organize
cameras and devices within the system. You can also configure and respond to events within the system.

Choosing to Use One or More VideoXpert Media Gateway(s)

The VideoXpert Media Gateway routes video traffic to appropriate users as requested. The Media
Gateway:

l

Routes the video to the workstation in a multicast environment

l

Accesses the video in a unicast environment

l

Transcodes the video for low-bandwidth connected VxOpsCenter clients

You can set the communication method, unicast or multicast, from the Video Source to the Media
Gateway, and from the Media Gateway to the client. The media gateway is capable of transcasting
multicast from the source to unicast for the client, and from unicast to multicast.

Like Core servers, Media Gateways can be added to VideoXpert modularly. You can add Media
Gateways to the system as the media delivery needs increase.

C5673M-L | 03/22 8

VideoXpert® Enterprise v 3.16 System DesignGuide

Planning to Use VideoXpert Aggregation

VideoXpert Enterprise with Aggregation allows for expansion at any level of your security environment.
Your system begins with a single server running Core and Media Gateway software. Your system can
use dedicated VxOpsCenter Clients to view live and recorded video, or it can use VxPortal, which fully
utilizes HTML5 browser technology to deliver a similarly rich experience with no client software required.
As your surveillance needs grow, you can add servers to expand modularly within a single environment,
or you can aggregate multiple VideoXpert Enterprise systems to provide a single point of access for
distributed video management networks.

Caution:Although VideoXpert Professional and VideoXpert Enterprise systems can be
aggregated into the same Enterprise system, it is not recommended that you have cross­aggregation between multiple systems simultaneously.

Growing theVideoXpertSystem

If your system grows to support additional users, cameras, or sites, or you just want to provide
redundancy within your VideoXpert system, you can separate your VideoXpert Core and Media Gateway
servers, and increase system capacity by clustering servers. If you are using aggregation, you can also
aggregate other VideoXpert systems.

Consider using separate Core and Media Gateway servers when:

l

There is a high number of simultaneous users.

l

The system must scale to a high number of cameras and users.

l

You have high expectations for availability and redundancy.

C5673M-L | 03/22 9

VideoXpert® Enterprise v 3.16 System DesignGuide

The table below lists typical deployment scenarios, with the maximum number of cameras and
concurrent system users for each deployment; these numbers represent the limits at which the system
becomes unusable (high latency in control requests).

Deployment Cameras Users Availability Additional Requirements

Single CMG 2500 100 Not fault tolerant N/A

Dual CMG 2500 100 Active-Active single

failover

Dual CMG (NSVR) 7500 400 Hot-standby failover N/A

Triple CMG 10000 500 Active-Active single

failover

Single Core/ Gateway 3000 200 Not Fault Tolerant N/A

Multi-Core / Gateway >10000 >500 High Availability Independent load balancer

The table presents absolute maximums for VideoXpert deployment scenarios. Your experience might
differ based on your network configuration, network equipment, average video bitrates, and other criteria.

Action:Build the system with at least 10% additional capacity (in terms of cameras, users, or
preferably both), to ensure that the system is responsive and has additional capacity to take on
new users or cameras. When planning a VideoXpert deployment, contact Pelco to ensure that the
system has the capacity to support your environment and needs.

N/A

N/A

Using Active-Active Failover (Single CMG vs Multi-CMG Environments)

A single CMG can host nearly 2500 cameras and 100 concurrent users, but the system is not fault
tolerant; anything that could bring down the server will interrupt access to VideoXpert.

Action: Pelco recommends that if video is mission critical to the business, build a system with at
least two CMG servers.

Clustering Core Servers

In your VideoXpert environment, Core or CMG servers host the database. Clustering your Core or CMG
servers provides redundancy and enables VideoXpert to scale.

In a clustered environment, each Core or CMG server in the cluster hosts a complete copy of the
VideoXpert database.

In addition, you can install a copy of just the database on a server.

Note: VideoXpert itself performs all of the cluster configuration automatically during the setup
process. If configuring a system containing more than three servers, contact a Pelco Sales
Representatives or a Pelco Technical Sales Engineer.

Within each Core/CMG cluster, one server acts as the primary and the other servers operate as
secondaries. The primary server processes all write operations and pushes data to the secondaries.
Secondary servers replicate the primary server’s database asynchronously.

C5673M-L | 03/22 10

VideoXpert® Enterprise v 3.16 System DesignGuide

l

If you have two servers and one is unavailable, there is no loss of functionality.

l

If you have three servers and one is unavailable, there is no loss of functionality.

l

If you have three servers and two are unavailable, the available server is put into a read-only
state.

In a read-only state, users can still call up video, but would be unable to apply bookmarks, export
investigations, apply tags, and perform other similar operations within the system.

Working with Clusters

A clustered environment requires at least two VideoXpert Core, Media Gateway, or CMGservers.

l

Cores and Media Gateways must be on the same VLAN. They must also have static
IPaddresses, and these IP addresses must be different from each other.

l

Traffic will be managed by a single Core; if that Core fails, another Core will perform the
management tasks. Other tasks, such as export processing, are shared among all Cores.

l

A single Media Gateway will receive streaming requests, but will redirect streaming to other Media
Gateways to balance the load.

l

The Media Gateway trans-casts to suit the network topology and needs. While the system is
configured to get multicast streams from sources and to issue multicast streams to clients, you
can select the appropriate communication method both from sources to the Media Gateway and
from theMedia Gateway to clients. The network topology and need for users to access sources
simultaneously will inform your choice.

Use VxToolbox to configure clusters. See the current version of the VideoXpert® Toolbox Operations
Manual section titled Adding Systems.

Aggregating Systems

VideoXpert Enterprise with aggregation includes an aggregation server, through which you can provide
centralized access to a series of VideoXpert member—VideoXpert Professional and/or VideoXpert
Enterprise—systems. Through the VideoXpert Enterprise server acting as the aggregation system, you
can access and control settings and video for distributed VideoXpert systems.

When adding a member to the aggregation server, you will select your connection speed to the
aggregation server. Your connection speed determines both the performance of video within the
VideoXpert environment hosting the aggregation server and the number of video streams you can
reasonably expect to get simultaneously from the aggregated site.

At present, you cannot change settings for aggregated systems from the VideoXpert instance hosting the
aggregation server. You must change settings for member systems from the member itself.

The aggregation server does not inherit permissions, roles, or users from aggregated members. If
aggregating a VideoXpert Enterprise environment containing roles with restricted permissions, you must
re-create these roles and permissions with resource restrictions with the VideoXpert System acting as
the aggregation server.

Using LDAP Authentication

You can configure VideoXpert to validate user credentials from an LDAP server. While the system can
validate credentials over LDAP, you must create corresponding user IDs and roles within the VideoXpert
database against which to validate the credentials. These IDs and roles must match the IDs and Groups
in the LDAP directory exactly (including capitalization) in order for the authentication to pass through.
Using the LDAP interface DOES NOT alter the schema of the LDAP directory, so all permissions to the
VideoXpert system(s) must be defined in the VideoXpert system

C5673M-L | 03/22 11

VideoXpert® Enterprise v 3.16 System DesignGuide

You can select the authentication method and parameters used.

l

VideoXpert Authentication
When using VideoXpert Authentication, you can set passwords to expire at specific intervals, or to
never expire.

l

LDAP authentication using simple bind authentication
When using LDAP authentication with simple bind, you can set passwords to expire at specific
intervals, or to never expire.

l

LDAP authentication using two-stage binding
When using LDAPauthentication with two-stage binding, you can set passwords to expire at
specific intervals, or to never expire.

l

(Optional) If you select LDAP authentication, you can also retrieve users and roles from LDAP

l

LDAPauthentication using single sign-on (SSO)

–

SSO allows users to log in to multiple systems using a single set of login credentials.

–

SSOcan be used with either Single-Stage or Two-Stage binding, and can be used with the
Synchronize Users and Roles From LDAP option.

–

SSOrequires valid certificates; each user must have a valid certificate that the system can
access.

–

When using LDAPauthentication with SSO, you cannot set passwords to expire. Password
expiration is controlled by the LDAP database policies.

Note:If VxOpsCenter is running on the same server as the VxPro or Core system, SSOwill not be
available. This is due to MSWindows limitations.

Planning for Multi-System Access

You can design the VideoXpert system to run using Single Server Access mode or Multi-Server Access
(MSA) mode. MSA mode enables access to multiple stand-alone VideoXpert systems simultaneously.

When the system is in MSA mode, and Multi-System Access opens without initial credentials is selected
in VxToolbox, users can sign-in to VxOpsCenter without signing-in to a specific system. Credentials will
be required when you select a VXSystem.

Action:Not all integration plugins function correctly when using MSA mode. If you are connecting
to a number of systems that all have Access Control or the VideoXpert Plates ALPR plugin, the
plugins for each of the systems can only connect to one of the third-party systems at a time. The
plugin must be manually reconfigured to connect to the other integration site.

Action:When defining the system connections in the VxOpsCenter client software, you can fine­tune the maximum network bandwidth to allow from the system. This will ensure that the video
streams to the workstation have the best resolution and image rate possible without over­saturating the network link(s) between the system and the user workstation.

Action:When planning to use MSAmode, ensure that the same user ID and passwords exist and
exactly match on all of the different systems. When using MSA mode, Pelco recommends that you
use LDAPto synchronize users and roles to each VXsystem. This will ensure that the username
and passwords match.

C5673M-L | 03/22 12

VideoXpert® Enterprise v 3.16 System DesignGuide

Understanding Operator Workspace Topology

The VxOpsCenter, running on an 8-monitor rackmount Workstation, supports up to eight monitors: two
connected directly to the Workstation, and the other six driven independently by Enhanced Decoders.
The Enhanced Decoders enable each monitor connected through a workstation to display up to 25 video
streams while maintaining a seamless user experience.

Enhanced Decoder-driven monitors operate just like native monitors; users can move windows across
monitors seamlessly. But, when the user requests a video stream or plugin, the Enhanced Decoder
communicates directly with VideoXpert servers to get and decode video. This enables operators to
maximize the display-capabilities of the VxOpsCenter without complicating the user experience.

Because the Enhanced Decoders do not run the VxOpsCenter application themselves, you might
experience better performance in quantity and responsiveness of HD streams on decoder-driven
monitors, instead of directly-connected monitors.

VxOpsCenter also supports Shared Display mode which provides monitor-wall functionality for a VX
Workstation or a Shared Display Decoder. Monitor walls are specific groups of monitors that are
frequently viewed or used together. A monitor wall does not require an 8-monitor workstation, and it can
be scaled as large as needed using configured monitor numbers. (Monitor numbers are configured in
VxOpsCenter.) Users can send tabs and video to the shared display and control the shared display
remotely. In order to connect to the VXSystem from VxOpsCenter, the user must have permissions that
allows the user to add monitors to the system.

If you require additional monitors on a monitor wall, Shared Display Decoders can be used in
combination with Enhanced Decoders to create a complete monitor wall experience.

C5673M-L | 03/22 13

VideoXpert® Enterprise v 3.16 System DesignGuide

Selecting Recorders

VideoXpert supports multiple recording platforms. In general, traffic and video delivery operates much
the same using any of the available recording platforms. If building a new system, you would typically use
VxStorage E-Series, VxStorage T-Series, and VXS5300 recorders; if migrating from an existing Endura
system, you can use NSM5200 and NSM5300 servers as recorders.

Action:Determine the recorders you will need for your system.

Using VideoXpert Storage (VxStorage) for Recording

VxStorage is a RAID 6, dual power supply, high-availability recording software platform that captures
recorded video for your VideoXpert system. The VxStorage E-Series, VxStorage T-Series, and VXS5300
have the following features:

l

Through the user of camera drivers, the VxStorage can support most camera models from most
camera vendors.

l

VxStorage supports hot-standby failover configurations so that it can be configured for high­availability.

l

VxStorage has a flexible scheduling engine which allows you to extend the retention of data on
the system without sacrificing video quality.

l

On the VxStorageE-Series and VxStorage T-Series, the operating system is contained on an dual
SSD RAID 1 array; hard drives belonging to the RAID array are hot-swappable.

l

The VxStorage E-Series, VxStorage T-Series, and VXS5300 servers come with redundant power
supplies.

l

Server management uses the embedded iDRAC port which provides out-of-band diagnostics and
remote access to the server OS in the event of a failure.

l

VxStorage natively supports IP cameras via ONVIF S, G, Q, and T, and via native driver
packages.

You can configure storage through VxToolbox, making it easy to set recording schedules and assign
cameras to your storage servers. Storage supports motion, alarm, and bump-on-alarm style recording,
so you can always capture events relevant to your environment at high quality. You can set different
retention times per camera or camera group. Storage also supports redundant recording by assigning
cameras to multiple recorders, ensuring that VideoXpert continues recording video even if a single
storage server falls offline.

Using VSM, NSM5200, and NSM5300 Servers as VideoXpert Recorders

VideoXpert supports VSM, NSM5200, and NSM5300 servers as VideoXpert Recorders. NSM5200 and
NSM5300 servers provide migration paths to VideoXpert; both can operate as recorders within
VideoXpert while continuing to support their respective Endura environments.

The VSM, NSM5200, and NSM5300 recorders can be configured as a pool, where one unit acts as the
pool manager and the other units will take the camera assignments from the pool manager. This also
allows for automatic camera redistribution across the remaining pool members, in the event that one of
the pool members fails. The manager role is handled as an election process within the pool and will be
reassigned to another pool member if the pool manager fails.

C5673M-L | 03/22 14

VideoXpert® Enterprise v 3.16 System DesignGuide

Planning for Recording

Recorder types and the settings for recordings can vary widely as VideoXpert systems expand and
change. Devices assigned to recorders will record based on the schedule and recording triggers you
configure through VxToolbox.

Factors to consider when planning for recording include:

l

The number and type of data sources (video, audio, PTZ vs. fixed, etc.) that will be added to a
recorder

l

The recording behaviors (triggers)

l

The data source recording schedules

l

The global maximum retention period of recordings (The retention period for individual devices
must be shorter than the global retention period.)

l

The transmission method (multicast or unicast)

l

The stream(s) to record (primary, secondary, and/or tertiary)

l

Whether the system uses motion recording

l

Whether the system uses bump-on-alarm recording

l

Whether and how many data sources are using auto-backfill of recording gaps

l

The maximum bitrate of recordings

l

How many bookmarks are expected to be stored, the standard retention limit of unlocked
bookmarks, and the expected retention of locked bookmarks

Action:Ensure that you have enough recorders (standard and failover), recording space (per
recorder and system-wide), and appropriate network capacity to support the likely storage
requirements and network traffic.

Correlating Recording Storage Platforms and Their Requirements

VideoXpert supports the recording platforms identified in Table 1: Recording platforms.

Table 1: Recording platforms

NSM5300

(2.4.3 or

later)

VxPortal /
Pelco
Utilities

250 Mbps
in; 32
streams
out (per
pool)

Parameter

Maximum

VxStorage

T-Series

144TB 288 TB 48 TB 48 TB 48 TB

VxStorage

E-Series

VXS5300 VSM

capacity

RAIDlevel RAID6 RAID6 RAID 6 RAID6 RAID 6

Configure using VxPortal VxPortal VxPortal VxPortal / Pelco

Utilities

Bandwidth

1 Gb: 700 Mbps
in; 175 Mbps out

10 Gb: 1000
Mbps; 175 Mbps
out

1 Gb: 700 Mbps
in; 175 Mbps out

10 Gb: 2500
Mbps; 175 Mbps
out

450 Mbps in;
175 Mbps out

250 Mbps in; 32
streams out (per
pool)

C5673M-L | 03/22 15