Professional Documents
Culture Documents
Administrator's Guide
Control Center Web
Legal Considerations
LAWS THAT CAN VARY FROM COUNTRY TO COUNTRY MAY PROHIBIT CAMERA SURVEILLANCE . P LEASE ENSURE THAT THE RELEVANT LAWS
ARE FULLY UNDERSTOOD FOR THE PARTICULAR COUNTRY OR REGION IN WHICH YOU WILL BE OPERATING THIS EQUIPMENT . INDIGO VISION
LTD. ACCEPTS NO LIABILITY FOR IMPROPER OR ILLEGAL USE OF THIS PRODUCT.
Copyright
COPYRIGHT © INDIGOVISION LIMITED. ALL RIGHTS RESERVED.
THIS MANUAL IS PROTECTED BY NATIONAL AND INTERNATIONAL COPYRIGHT AND OTHER LAWS. UNAUTHORIZED STORAGE, REPRODUCTION,
TRANSMISSION AND/OR DISTRIBUTION OF THIS MANUAL, OR ANY PART OF IT, MAY RESULT IN CIVIL AND/OR CRIMINAL PROCEEDINGS.
I NDIGO V ISION IS A TRADEMARK OF I NDIGO V ISION L IMITED AND IS REGISTERED IN CERTAIN COUNTRIES . I NDIGO U LTRA , I NDIGO P RO ,
I NDIGO L ITE , I NTEGRA AND C YBER V IGILANT ARE REGISTERED TRADEMARKS OF I NDIGO V ISION L IMITED . C AMERA G ATEWAY IS AN
UNREGISTERED TRADEMARK OF INDIGOVISION LIMITED. ALL OTHER PRODUCT NAMES REFERRED TO IN THIS MANUAL ARE TRADEMARKS OF
THEIR RESPECTIVE OWNERS.
S AVE AS OTHERWISE AGREED WITH I NDIGO V ISION L IMITED AND / OR I NDIGO V ISION , I NC ., THIS MANUAL IS PROVIDED WITHOUT EXPRESS
REPRESENTATION AND / OR WARRANTY OF ANY KIND . T O THE FULLEST EXTENT PERMITTED BY APPLICABLE LAWS , I NDIGO V ISION L IMITED
AND I NDIGO V ISION , I NC . DISCLAIM ALL IMPLIED REPRESENTATIONS , WARRANTIES , CONDITIONS AND / OR OBLIGATIONS OF EVERY KIND IN
RESPECT OF THIS MANUAL . A CCORDINGLY , SAVE AS OTHERWISE AGREED WITH I NDIGO V ISION L IMITED AND / OR I NDIGO V ISION , I NC ., THIS
MANUAL IS PROVIDED ON AN “AS IS”, “WITH ALL FAULTS” AND “AS AVAILABLE” BASIS. PLEASE CONTACT INDIGOVISION LIMITED (EITHER BY
POST OR BY E-MAIL AT TECHNICAL.SUPPORT@INDIGOVISION.COM) WITH ANY SUGGESTED CORRECTIONS AND/OR IMPROVEMENTS TO THIS
MANUAL.
S AVE AS OTHERWISE AGREED WITH I NDIGO V ISION L IMITED AND / OR I NDIGO V ISION , I NC ., THE LIABILITY OF I NDIGO V ISION L IMITED AND
I NDIGO V ISION , I NC . FOR ANY LOSS ( OTHER THAN DEATH OR PERSONAL INJURY ) ARISING AS A RESULT OF ANY NEGLIGENT ACT OR
OMISSION BY INDIGOVISION LIMITED AND/OR INDIGOVISION, INC. IN CONNECTION WITH THIS MANUAL AND/OR AS A RESULT OF ANY USE OF
OR RELIANCE ON THIS MANUAL IS EXCLUDED TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAWS.
Contact address
IndigoVision
Caledonian Exchange,
1st Floor, 19a Canning Street,
Edinburgh,
EH3 8EG
Legal Considerations 2
Copyright 2
Contact address 2
3 Installation 8
System requirements 8
Browser compatibility 8
Certificates 8
Install the media server 9
Enable Hyper-V 9
Configure Hyper-V networking 10
Create the virtual machine for the media server 10
Install the media server on the virtual machine 11
Site Database Server configuration 12
Install the application server 13
Time synchronisation 15
6 Operations 23
Transfer files between the media server and Control Center Web application server 23
Configure permissions for Control Center Web to read the Site Database Files directory 24
Change the media server password 24
Change the media server network settings 24
Configure NTP on the media server 26
Change keyboard mapping for media server 27
Change the media server address in the application server 27
Change the site database location 27
Manually install an existing certificate 28
Request a certificate from a Certificate Authority 28
Export certificate from Windows for use in the media server 29
Create the certificate request file 30
Import the certificate in Windows 30
Export the certificate and private key from Windows 30
Transfer the certificate files to the media server 31
Convert the certificate and private key file 31
9 Troubleshooting 35
I am configured to use Windows authentication, but cannot login 35
When I log in, I receive an error saying that the service is unavailable 35
When I select a camera in live mode, I cannot view video 37
When I view live video, the web browser displays error messages 37
When I select recorded footage on an alarm, I cannot view video 38
When I select recorded footage on an alarm, I cannot hear audio 39
I cannot see available presets for my PTZ camera 39
I cannot log in using the Control Center Mobile Android app 39
I cannot log in using the Control Center Mobile iOS app 40
Control Center Mobile is not working on Android 40
This guide is written for users of IndigoVision Control Center Web. It provides installation
and configuration information for the system, as well as details of operation.
Please ensure you read the instructions provided in the guide before using the system.
Safety notices
This guide uses the following formats for safety notices:
Indicates a hazardous situation which, if not avoided, could result in death or serious injury.
Indicates a hazardous situation which, if not avoided, could result in moderate injury,
damage the product, or lead to loss of data.
Indicates a hazardous situation which, if not avoided, may seriously impair operations.
IndigoVision Control Center Web allows you to access an existing IndigoVision Control
Center system through a web browser.
Operators can access live video without having to install the Control Center software on a
PC. This makes using Control Center much easier for occasional users or operators on the
move.
Control Center Web provides the following:
• Access to low latency live video from any supported ONVIF camera
• Active alarm management
• Recorded video and audio from the time of an alarm
• Access to a Control Center site securely over the Internet
• Ability to control access through the Control Center site database
Control Center Web does not require plugins or other software to be installed in the web
browser.
Components
Control Center Web consists of the following components:
• Control Center Web application server
A web service that runs in IIS to provide the business logic for Control Center Web. It
also serves the client application to users.
You must configure the Control Center Web application server with a Site Database
Server, a Site Database Files directory, and media server in order to operate.
• Control Center Web media server
A physical or virtual machine, which provides services to adapt video streams from
cameras within the IndigoVision system, to allow the streams to be viewed using a
standard web browser or mobile application.
You can install it on the same PC as the application server, using virtualization
technology such as Microsoft Hyper-V.
• Control Center Mobile
A native mobile app that runs on Apple iOS or Android, and can access Control
Center Web without requiring a separate web browser.
Web Browser
Media Server
Application Server
The Site Database Server and Site Database Files must be installed and configured before
Control Center Web. You can use the same site database for Control Center Web and
Control Center. This allows you to use the same user accounts and camera viewing
permissions for both Control Center Web and Control Center.
To perform administrative tasks in the site database, for example user management and
camera configuration, you must use Control Center.
System requirements
You can install Control Center Web on one of the following Windows operating systems:
• Windows Server 2019
• Windows Server 2016
• Windows Server 2012 R2 (recommended)
• Windows 10 64-bit
IndigoVision recommends that you install Control Center Web on a server-style system,
with a server network adaptor, and the following minimum requirements:
• Server class PC
• 8 GB of RAM
The IndigoVision Enterprise NVR- AS 4000 1U and 2U and IndigoVision Hybrid NVR
Workstation are all compatible with Control Center Web . These platforms can be used to
run both the NVR-AS software and Control Center Web simultaneously.
Control Center Web is compatible with common virtualization software, including VMWare
ESXi and Microsoft Hyper-V.
Browser compatibility
The Control Center Web client application is compatible with the following web browsers:
• Mozilla Firefox 54.0 or later
• Google Chrome™ 60.0 or later
• Microsoft Edge 79 or later
IndigoVision recommends that all browsers are kept up to date with the latest security
updates.
Certificates
Control Center Web requires a certificate to secure the service. You must use one of the
following options:
• Use a certificate signed by a trusted public Certificate Authority (CA)
Using a public CA to secure the service is the best option in several ways.
It has the major advantage of not requiring certificates to be installed on the client
devices. This is particularly useful when you wish to deploy Control Center Web on
the Internet to give access to individuals outside of your organization.
However, it will usually involve paying a fee to the CA vendor.
• No need to install certificates on client devices
• No need to setup a private CA server
Control Center Web can generate and install a self-signed certificate automatically.
This allows the system to be set up quickly, and has no cost implications. However,
self-signed certificates do not provide the same level of security as CA signed
certificates.
• No need to setup a private CA server
• No fee for CA vendor
• Easy to set up
• Insecure
When installing Control Center Web, it is important that you are aware of these options,
and understand which option best fits your deployment. This choice is not permanent and
you can change the certificate after installation.
1
To securely deploy Control Center Web for use over the Internet, separate SSL/TLS
certificates will be required for the Control Center Web application server and the media
server.
Alternatively, a wildcard SSL/TLS certificate can be used for both servers (e.g.
*.yourdomain.com).
Enable Hyper-V
To use Hyper-V on Windows Server 2012 R2, you must enable it as a server role.
1. In the Server Manager application, select Add Roles and Features.
2. In the Installation Type screen, select Role-based or feature based installation.
The media server can now be used with the application server as part of Control Center
Web .
If you have already generated a service authentication token, there is no need to generate
another. The same token can be used by multiple applications.
If the Site Database Server is using a self-signed certificate, the Site Database Server
certificate must be installed on the PC that hosts the Control Center Web application
server.
1
This is only required if you are using a self-signed certificate on the Site Database Server.
To export the self- signed Site Database Server certificate and install it on the Control
Center Web host, follow these steps::
1. On the Site Database Server, navigate to Start > Control Panel.
2. Search for the Manage computer certificates application within the Control Panel
and open it.
3. Select Personal > Certificates.
4. Search for the certificate with the following in the friendly name column: Self Signed
Site Database Server Certificate.
5. Right click on the certificate and select All tasks > Export…
6. Follow the wizard to export the certificate.
• Do not export the private key
• Accept the other default options
7. Copy the resulting .cer file to the Control Center Web application server host PC.
8. Open the certificate on the Control Center Web application server host PC and click
Install…
9. Follow the wizard and do the following:
• Install the certificate to the Local Machine
• Select the Trusted Root Certificate Authorities store
10.The Control Center Web application server host PC will now trust connections with
the Site Database Server.
1
If access to the directory hosting the Site Database Files is restricted, the user account
installing the application must have access to this location for installation to complete.
6. Click Next.
The Site Database Server Configuration dialog opens.
7. Enter the hostname or IP address and port of the Site Database Server and the
service authentication token noted earlier.
If using Windows Server 2012 R2 to host the application server, the address of the Site
Database Server entered here must exactly match the Common Name or Subject field in
the Site Database Server certificate.
8. Click Next.
The Site Database Files Configuration dialog opens.
9. Update the following fields:
• Select the Control Center Site Database Files location:
Enter the location of the Site Database Files directory. The location can be on a
local drive or a network location, using a local address or UNC path (for example:
\\exampleserver\IndigoSiteDB).
• Specify a different Windows user to access the directory:
If the location specified above is a network location that requires credentials to
access, enter them here.
10.A valid SSL/TLS certificate must be installed in order for Control Center Web to
operate.
► For more information, see "Configure permissions for Control Center Web to read
the Site Database Files directory" on page 24
Time synchronisation
All devices in the IndigoVision system, including Control Center Web application server,
media server, Control Center, NVR-AS and camera equipment, must be time synchronised
using the same NTP hierarchy. If they are not, warnings are issued, and certain
functionalities may not behave correctly, including aspects of video playback.
► For more information on installing a Windows NTP Server, refer to the "IndigoVision
Control Center Installation Guide" appendix E: "How to install a Windows NTP Server".
Additionally, details for configuring NTP on the media server can be found in the
Configure NTP on the media server section of the Operations chapter.
The installation is complete.
You can login to Control Center Web using a compatible browser.
► For more information, see "Browser compatibility" on page 8
You must login using the login details of a valid user in the configured Control Center site
database.
IndigoVision recommends that you use the Control Center Mobile app when using Control
Center Web from mobile devices.
You can use Control Center Mobile on Android™ and iOS devices.
Compatibility
You can install Control Center Mobile on one of the following operating systems:
1If the Google Chrome browser is installed on an Android device, the Control Center Mobile Android app will make use of it to
provide increased performance and feature compatibility. IndigoVision recommend that Google Chrome is installed and up to date
on Android devices.
6. Select OK.
You can deploy IndigoVision Control Center Web safely over the Internet. Control Center
Web sends user and video data over encrypted channels to keep your IndigoVision system
secure.
Figure 2 shows a typical deployment of Control Center Web using IPV4 networks.
The client device is on a separate private network connected to Control Center Web
through the Internet. The client can access the application and all of its features from
outside of the network where Control Center Web is installed.
To allow this, you must do the following:
• Configure Control Center Web with a TURN server
A TURN server is a network service that allows the video traffic to traverse network
address translation (NAT) devices.
• Configure port forwarding and DNS
You must configure the deployment NAT and firewalls on the network hosting
Control Center Web to allow application server and media server traffic through.
To protect your installation, you should secure access to the TURN server with a valid
TLS/SSL certificate. This can be requested from a Windows PC and exported to the media
server:
1. Generate a certificate request in Windows and submit to a suitable Certificate
Authority (CA).
2. Import the returned certificate file into Windows.
3. Export the certificate file and private key.
4. Transfer the file to the media server.
5. Convert the file into a usable format.
6. Configure the TURN server to use the certificate.
► For full guidance on this, see "Export certificate from Windows for use in the media
server" on page 29.
IndigoVision recommend that you only use secure communications channels with the
TURN service.
The self- signed certificate generated by Control Center Web cannot be used with the
TURN server. If you plan to make such a server accessible from the Internet, leave this
setting empty. This allows the TURN server to operate using insecure communication
channels.
In this mode the media and data channels for your system are still encrypted, but the TURN
service itself is not secured.
• pkey: The path to the private key file for the certificate file.
Ensure that the key file is stored within the /etc directory or one of its
subdirectories.
1
Password-protected private key files cannot be used with the TURN server.
Client devices must be able to access the MediaServerUrl from the application server on
the local network.
Unless you are using split-horizon DNS, you should use the IP address for the media
server in the MediaServerUrl field.
► For more information on DNS configuration, see "Configuring port forwarding and DNS"
on page 20.
Table 2 shows an example port forwarding configuration. The destination port numbers
may be different for your configuration.
You must configure the media server and application server with different fully qualified
domain names which resolve correctly to the public address of your network.
If you use the DNS configuration in Table 3, clients operating within your private network
will route all HTTPS traffic through your network's public IP address.
For larger sites, IndigoVision recommend that you set up split-horizon DNS, using a private
DNS server. This allows clients on your private network to resolve the application server
FQDN directly to the application server IP address.
It is essential that the certificates which you use to secure the application server and the
TURN server match the fully qualified domain name.
IPv6 Networks
IndigoVision Control Center Web supports IPv6 network deployments.
The Control Center Web application server, media server and client devices can all be
used with IPv6 networks.
If your deployment network and client devices are all using IPv6 networking, then you do
not need to configure TURN. The TURN service is only required for NAT traversal.
► For more information about the Control Center Web firewall configuration, refer to the
Control Center Installation Guide
If you are using IPv6, you must still configure IPv4 addresses for the cameras in your site
database.
Application server
1. Open the Windows Update tool.
2. Click Turn on automatic updates.
Windows Update proceeds to check for updates. Continue with the steps whilst this
process is underway.
3. Navigate to Change Settings > Important updates, and select Install updates
automatically (recommended).
4. Click OK to confirm.
5. After Windows has identified all pending updates, click the following to install all
important updates immediately:
a. "<number> important updates are available"
b. Install
Media server
1. Edit the 20auto-upgrades file:
sudo nano /etc/apt/apt.conf.d/20auto-upgrades
2. Uncomment the following lines by removing the two leading forward slash
characters:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
where 1 is once a day and 7 is every seven days
• This configures the server to daily perform a package list update, download
available updates, and install them.
• The downloaded packages are cleaned once a week.
3. Save the file and exit the editor.
This chapter describes common tasks required for the operation of the Control Center Web
device.
If user credentials were specified for the site database location during installation and these
need to be changed, Control Center Web must be uninstalled and then reinstalled using
the updated credentials.
4. When prompted, login to the media server with the following details:
• Username: msuser
• Default password: 1234
IndigoVision recommends that you change the default password after installation.
► For more information, see "Change the media server password" on page 24
Do not change the indentation of the text. Changing the indentation may impact how the file
is processed.
The adapter name, for example enp0s3 , may be different depending on your hardware
configuration.
• To switch to, or modify the static IP configuration, modify the previous example
as follows:
addresses: [ <STATIC_IP>/<NETMASK> ]
gateway4: <GATEWAY>
nameservers:
addresses:
- "<DNS_SERVER>"
- "<DNS_SERVER>"
9. To save your changes to the file, press Ctrl + X and follow any prompts.
10.Reboot the virtual machine, using the following command:
sudo reboot
The media server IP configuration is updated.
You must update the application server to use the new media server address.
► For more information, see "Change the media server address in the application server"
on page 27
If an upgrade or repair is performed, any changes made in this way will be lost.
1. In the IIS Manager tool, open the Control Center Web site.
2. Within the main Features View, open the Application Settings tool.
3. Update MediaServerUrl, using the format wss://MEDIA_SERVER_
ADDRESS:8888, where MEDIA_SERVER_ADDRESS is one of the following:
• If DNS is correctly configured:
a correctly qualified hostname, for example myserver.mydomain.com
• If DNS is not correctly configured:
the IP address of the media server, for example 192.168.1.2
When you make changes to the configuration using this dialog, the Control Center Web
application server restarts. Any logged-in users must log in again.
If an upgrade or repair is performed, any changes made in this way will be lost.
1. In the IIS Manager tool, open the Control Center Web site.
2. Within the main Features View, open the Application Settings tool.
3. Update ControlCenterSiteDbFiles with the location of the Site Database Files
that you want to use.
You can use a network share or a locally stored directory.
4. Update the SiteDatabaseServerAddress field to change the Site Database
Server IP address or hostname.
When you make changes to the configuration using this dialog, the Control Center Web
application server restarts. Any logged-in users must log in again.
Many public CA services will use an online web portal to request the certificate.
Some browsers require a Subject Alternate Name field in SSL/TLS certificates before they
are considered secure. IIS Manager does not populate this field. You can populate this field
using the Certificate Enrollment Wizard.
► For more information refer to "How to Request a Certificate with a Custom Subject
Alternative Name" at https://technet.microsoft.com/en-us/library/ff625722
(v=ws.10).aspx
The Certificate Authority may provide different formats of signed certificate, for example
.pfx, .pem, .crt, .cer, .ca-bundle etc. When installing the certificate through IIS, it should be
provided in .cer format. Alternatively, a .pfx format certificate can be installed during
Control Center Web installation.
If you have created a wildcard certificate that covers the Control Center Web and media
server, you do not need to generate a separate certificate.
1
Media Server 1.0 has known compatibility issues with modern web browsers. Existing
systems should be upgraded as soon as possible.
The format for configuring network settings changed between version 1.0 and 1.1, see
"Change the media server network settings" on page 24.
1
If you specified a user during installation of Control Center Web, make sure you have the
credentials to hand. Installation cannot complete without re-entering the credentials for that
user, or a user with similar access privileges.
Make sure that the Media Server URL begins with wss:// if upgrading from Control Center
Web 17.2 and Media Server 1.1 or earlier.
4. Provide the details for the Site Database Server and Site Database Files directory.
5. If you supplied a user during installation to access the location of the Site Database
Files, confirm the username and re-enter the associated password.
6. When ready, click Install to continue with the upgrade.
7. If the TURN settings were copied in step 1:
a. Return to the IIS Manager tool and open the Control Center Web site.
b. Open Application Settings.
c. Open the Web.config file stored earlier and locate the TurnServerUrl,
TurnServerUsername and TurnServerPassword.
d. Use these settings to update the settings in Application Settings.
Control Center Web is upgraded.
If you are using an HTTPS address and you cannot access the login page, check that IIS is
configured correctly.
There is an HTTPS binding configured with a valid security certificate.
If you did not use the default port of 443 for the HTTPS binding, the port number must be
specified in the browser.
• Ensure that Control Center Web can access the configured Site Database Files
directory.
On the PC where Control Center Web is installed, navigate to %PROGRAMDATA%
> IndigoVision > ControlCenterWeb > Logs in Windows explorer.
Open the latest log file CcWeb.log
If you find messages with the following format, then the configured Site Database
Files could not be found:
Check that you have configured the correct media server URL in the application
server.
► For more information, see "Change the media server address in the application
server" on page 27
Check if the media server is running.
Check if there is a valid network route between the application server and media
server. For instance use the “ping” command.
• Problems with the browser communicating with the media server
Check that the device running the web browser has a valid route to the media server,
for example by using the ping command in the Command Line Interface.
Check that the security certificate used by Control Center Web is considered
"secure" by a recent version of Google Chrome. You can achieve this by opening
the browser and navigating to your Control Center Web installation. For example,
in the current release of Google Chrome, secure installations display a green
padlock icon at the top of the browser window next to the URL.
If the installation is not secure, an error message occurs. In this case, you can
check the browser for more detail on the problem and resolve it by recreating the
certificate to satisfy the browser's requirements.
► For more information, See "Certificates" on page 8 and See "Request a
certificate from a Certificate Authority" on page 28.
If you are using a private Certificate Authority, ensure that the root certificate is installed on
the device.
► For more information, see "Install the Control Center Mobile certificate on an Android
device" on page 16
If you have configured Control Center Web with a self-signed certificate, make sure you
have ticked the Allow untrusted certificates check box on the login page.
If you are using a private Certificate Authority, ensure that the root certificate is installed on
the device.
► For more information, see "Install the Control Center Mobile certificate on an iOS
device" on page 17
If you have configured Control Center Web with a self-signed certificate, make sure you
have ticked the Allow untrusted certificates check box on the login page.
IndigoVision Control Center Web is designed to provide access to live video streams that
are optimized for mobile devices. To achieve this, the media server transcodes video from
the cameras before sending them on to the client devices.
Control Center Web uses the live profile from the site database to choose a media profile. A
configuration with higher resolution and frame rate will require more resources on the
media server and may increase the frequency of buffering on low-bandwidth networks.
In some deployments, you may want to optimize the system configuration to allow a greater
number of concurrent video streams through Control Center Web, for example if you have
a large number of users trying to stream video at the same time. To optimize the system
configuration for Control Center Web, you should choose suitable media profiles for the
cameras in the site database.
When you change the live profile for a camera in the site database. this affects the profile
used by both Control Center and Control Center Web.
To use a high resolution, high frame rate profile for Control Center but a lower frame rate or
lower resolution for Control Center Web, you can do one of the following:
• Configure a low resolution profile
Within Control Center, you can modify a camera's Live Video settings to switch video
profiles, specifying both the ONVIF Profile Token (High Res) and the ONVIF Profile
Token (Low Res). In this case, Control Center Web will use the low resolution media
profile for live streaming, therefore enhancing performance.
• Use a separate site database
This allows you to configure cameras with different profiles for Control Center and
Control Center Web. You can therefore retain high fidelity video in Control Center,
while increasing the number of streams available in Control Center Web.
• Use cloned cameras
You can clone cameras in the site database by adding them to the site while holding
down the CTRL key.
► For more information, refer to Control Center Help
You can configure one clone with the high fidelity profile for Control Center, and
another clone with a profile suitable for Control Center Web.
• Use a separate operator for Control Center Web
You can create an operator account which is only used for Control Center Web. You
can then configure the cameras to use a profile suitable for Control Center Web
when they are used with the new operator account.
► For more information, refer to Control Center Help
You can therefore retain high fidelity video in Control Center, while increasing the
number of streams available in Control Center Web.