Category: User Guides

How to Open Client Instances Automatically on Login

Post author By Bhargav Atturu
Post date July 24, 2018

If you’ve got a single monitor viewing station you may choose to run the client upon login during the install process of the exacqVision client. If you want to change that behavior to enable or disable it after you’ve already installed the client, just download the client installer from our website and run it again so you can change the option.

In cases where you may have multiple monitors and want to open several client instances, usually one for each monitor, we provide the following Knowledge Base articles on creating the shortcuts needed. Those shortcuts allow a user to run them to open the client to a specific saved view or event monitoring profile.

Opening exacqVision Client on Separate Monitors Using Short Cuts with Client 9.4 and Higher
Opening exacqVision Client on Separate Monitors Using Short Cuts with Client 9.2 and Earlier

To run the client shortcuts automatically upon login you will first need to have followed one of the articles above and then proceed with the following steps.

Windows

On windows systems you will place either the XDV file created for client 9.4 and higher, or the shortcut created for client 9.2 and earlier, into the Windows Startup folder. There are two different locations for this.

All users: %SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

Single user: %SystemDrive%\Users\%Username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

If placed in the first path listed above, the clients will open automatically for any user that logs into the system. If placed in the second path listed above, they will only open for the user account you replace %Username% with.

Now logging back into the machine with this user account should open the client instances based on the settings in your XDV files.

Linux

Open a Terminal prompt.

Move the XDV files for client 9.4 and higher, or the XML created for client 9.2 and earlier, to the place you’d like to store them on the system. Training in the use of Ubuntu/Linux or the Terminal is outside the scope of exacqVision support if you experience problems with these steps.

To move a file, type:

sudo mv ˂FilePath˃/˂FileName˃

Then you will need to change the permissions of the XDV files, type:

sudo chmod 766 ˂FilePath˃/˂FileName˃ (Ex. sudo chmod 766 /home/admin/Desktop/Monitor1.xdv )

In the following steps you will need to specify the name of the user account. In each example, replace ‘$USER’ with the name of the user account you are configuring. For example, if you created a user account named ‘securityguard’, you would replace ‘$USER’ in each command with ‘securityguard’.

Change your directory to the home directory of the user account. If you are targeting a Kiosk user account you will either need to elevate to root user or change the permissions on the directories as you go.

sudo chmod 777 /home/$USER cd /home/$USER sudo chmod 777 .config cd .config sudo chmod 777 autostart cd autostart ls

Typing ‘ls’ above will list the files in the directory you’ve entered. Look for the file named ‘evc.desktop’. This file will only exist if you chose to start the client when logging in during your install. If it does not exist, create a new one by typing:

sudo touch evc.desktop sudo chmod 766 evc.desktop

Now edit the ‘evc.desktop’ file by typing:

sudo gedit evc.desktop

When opened the file will resemble the following:

If your file is empty, it is either because you just created it, or you made a typo. In Linux if you try to open a file that does not already exist it will attempt create it.

Change the ‘Exec’ line to the following:

Exec=bash -c "sleep 5 && padsp /user/local/exacq/client/edvrclient -F˂FilePath˃/˂FileName˃"

In the following example, the XDV file was placed inside the client install directory. There should be no space between the -F option and the file path.

Ex. Exec=bash -c "sleep 5 && padsp /user/local/exacq/client/edvrclient -F/usr/local/exacq/client/Monitor1.xdv"

From this point you need to create a new evc#.desktop file using the steps above for each XDV file you have. For simplicity, number them in order… evc1.desktop, evc2.desktop, etc.

Now logging back into the machine with this user account should open the client instances based on the settings in your XDV files.

Tags Guest, Client Login, Open Client Automatically, Client Opens On Login, KB-00096-96-210203, 743

User Guides exacqVision Client Categories

Changing the Kiosk User Language On Ubuntu/Linux

Post author By Bhargav Atturu
Post date July 19, 2018

Systems built by Exacq with Ubuntu 16.04 and higher will have an ‘Exacq Kiosk User’ icon on the administrator’s Desktop. More details on Kiosk users can be found at KB:22542.

Click to run this program.

There should be no users listed here when you begin. If there are already Kiosk user accounts created, the following configuration steps will only apply to new accounts created. If you wish to use an account name you have already added, you will need to remove it and add it back in later steps.

To remove an existing Kiosk user account, enter the name again and you will be asked if you wish to Delete the account. Click on ‘Delete this User’.

Once you have removed the Kiosk user account(s), you will be returned to the Kiosk user setup program, click the ‘Quit’ button.

You should also check the ‘User and Group’ settings to see if other user accounts exist. This can be found under the Applications > System Tools > Administration menu on the Desktop.

In the top-right corner of the Desktop, click on the monitor icon and select ‘System Settings…’.

Open the ‘Language Support’ option

In the ‘Language Support’ dialog you will see some languages may already be installed. Click on ‘Install / Remove Languages’ if you do not see your desired language listed.

Scroll through the list of languages and check mark and languages you wish to install. You may select more than one if needed. Click ‘Apply’. You will be prompted to enter administrator credentials.

When you have returned to the ‘Language Support’ dialog you will need to find the language you installed in the list. Click and drag the language name to the top of the list, as seen in the example below where ‘Deutsch’ has been placed above ‘English’ in the list. Despite being grayed out you can still drag these to the top.

When the language chosen has been moved to the top of the list, click the button labeled ‘Apply System-Wide’. The change will not take effect until the user logs in again. Click the ‘Close’ button.

From the Desktop, log out of the system as administrator and log back in with the same administrative account. You should now see that the exacqVision Client appears in the language chosen.

Now you will create your Kiosk user. Click on the ‘Exacq Kiosk User’ icon on the Desktop again.

When the dialog appears, enter the name of the user account you wish to create and click ‘OK’.

A new dialog will appear. Enter the password you wish to assign to the Kiosk user. Change the drop-down menu to the language locale you want to assign to the user and click ‘OK’.

When you have returned to the ‘Exacq Kiosk User’ dialog, click on the ‘Quit’ button to return to the Desktop.

Open the Terminal program.

From the Terminal prompt you will create an SSH session to the Kiosk user’s account. At the prompt, type:

ssh user@localhost

In this example the Kiosk user was named ‘user’, replace ‘user’ with the name you gave the account in the previous steps.

When you press ‘Enter’ you will be prompted to enter the password you assigned to the Kiosk user in the previous steps. Type this password and press ‘Enter’. NOTE: The Linux Terminal does not display text when entering passwords, but you are entering keystrokes.

When the prompt returns, type:

cd /home/$USER

Press ‘Enter’. At the next prompt, type:

nano .pam_environment

Press ‘Enter’.

You should now see the following:

This is the nano text editor in Terminal. You may use the arrow keys on the keyboard to move the cursor. Delete all but the second line, reading ‘LC_TIME=XX_XX.UTF-8’, where XX_XX specifics the language. The final file should appear like the example below:

Press ‘CTRL+X’ on the keyboard to exit the nano editor.

When prompted below, press ‘Y’ and then ‘Enter’.

Another prompt appears, press ‘Enter’.

You may now close the Terminal and log out from the Desktop. When you log back into the operating system as your new Kiosk user the exacqVision Client will now display in your chosen language.

Changing-the-Kiosk-User-Language-On-Ubuntu-Linux.pdf

Tags Guest, Linux, Ubuntu, Language Change, Change Kiosk Language, Terminal Use, KB-00099-99-210203, 756

User Guides Documentation Categories Products

exacqVision v9.2 Hardening Guide

Post author By Ryan Ramage
Post date May 24, 2018

exacqVision-92-Security-Hardening-Guide.pdf

Tags Cyber Security, Cybersecurity, exacqVision Cybersecurity Overview, Cybersecurity Overview, 19834, exacq Vision v9.2 Hardening Guide

User Guides exacqVision Client Categories Products

M-Series Translations

Post author By Bhargav Atturu
Post date February 8, 2018

1. Start LXTerminal.

2. Change to admin user.

su admin

3. Change to the admin home directory.

cd

4. Download and execute the m-series script from translations server.

curl -fsSL https://translate.exacq.com/m-series.sh | sh

5. Progress messages will scroll as the script executes. The last will be about installing the m-series lang.

Enable Translations

The process is the same for any language, but this example shows application of Japanese.

1. Open System Settings dialog. Enter the admin password when prompted.

2. On the Language and Keyboard tab, press Configure Locale.

3. Check ja_JP.UTF-8 from the list and press Forward.

4. Select ja_JP.UTF-8 from the drop-down and press Forward.

5. Reboot the system. It should boot back up in Japanese.

M-Series-Translations.pdf

Tags Guest, Linux, M-Series, Translation, Language Change, KB-00093-93-210203, 707

User Guides Documentation exacqVision Server Categories Products

Downgrading Software on Ubuntu/Linux OS

Post author By Bhargav Atturu
Post date December 27, 2017

Ubuntu/Linux uses the ‘gdebi’ package installer to run .DEB packages. This will automatically check if you are attempting to install an older package than is already installed and warn you if a newer version is already installed. If you choose to downgrade the version of your ExacqVision Server, Client, or Web Service software you will need to perform this from the Terminal.

If you don’t already have the installer for the previous version you want to change to, you may locate these on our Legacy Downloads page.

Copy the installer of your desired software version to the Desktop.
Open Terminal by pressing CTRL+ALT+T.
Type the following:
sudo dpkg -i /pathtofile/filename

In the place of pathtofile, enter the file path and in the place of filename enter the name of your installer file.
- An example line would look like:
 sudo dpkg -i /home/admin/Desktop/exacqVisionServer-8.4.2.111542.deb
Press Enter and ‘dpkg’ will perform the install of the previous version, replacing the later version.

Tags KB-00116-116-210205, Downgrading, 947, Guest, Linux, Client, Downgrade, Webservice, Server, Software

User Guides Documentation exacqVision Server Categories Products

Uninstalling Software on Linux (Ubuntu)

Post author By Bhargav Atturu
Post date December 27, 2017

In certain circumstances, such as a broken or mis-configured software package, it may be necessary to uninstall the ExacqVision Server, Client or Web Service software.

On Linux (Ubuntu) this can be accomplished via the Synaptic Package Manager. But if that is not installed or you are unsure how to find or use this, an uninstall can be completed through the Terminal.

Open Terminal by pressing CTRL+ALT+T.
Type in the command below for the program you want to uninstall:
- Server: sudo apt remove edvrserver
- Client: sudo apt remove edvrclient
- Web Service: sudo apt remove webservice

NOTE: The apt command is a higher level package manager. If you wish to use a lower-level package manager with more options, or are using Ubuntu 14.04 or earlier, use apt-get instead of apt.

NOTE: If using apt-get adding the purge parameter forces removal of program configuration files. An example use with removal of the server application is:
sudo apt-get remove --purge edvrserver

Tags Webservice, Server, KB-00117-117-210205, Uninstall, Linux Software, 951, Guest, Linux, Client

exacqVision Webservice Windows x64 exacqVision Webservice Linux x64 exacqVision Webservice Linux exacqVision Webservice Windows User Guides Documentation Categories exacqVision Webservice Products

Configuring Nginx or Apache as a Web Service Gateway

Post author By Bhargav Atturu
Post date December 15, 2017

Description

The 9.0 release of the web service has replaced Apache with an in-house developed web frontend (WFE) for handling API requests. Certain users may wish to configure a gateway web server to enforce custom policies.

The following provides users with a reference for configuring either Nginx or Apache as a gateway. Additionally, it describes various undocumented settings in the new frontend configuration should the user need to modify them.

Gateway Configuration

The following sections explain how to set up Nginx or Apache to proxy requests to the web service. For the purposes of this guide, it is assumed the gateway server will be installed on the same machine as the web service and the service is listening on port 8080. The gateway must use a different listening port number than the ExacqVision Web Service.

Note: You may wish to backup the existing host files if they exist.

Nginx

Edit the virtual hosts file, located in:

Windows:
C:\nginx\conf\sites-available\default

Linux:
/etc/nginx/sites-available/default

with the following configuration:

server {
    listen 80 default_server;
    server_name localhost;

    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}

Apache

NOTE: The installation directory for Apache on Windows will vary based on how it was installed.

Run the OS-specific command to enable the necessary modules for Apache.

Windows:
Ensure the following lines in <apache install directory>\conf\httpd.conf are UNcommented; they do NOT begin with a ‘#‘.

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so

Linux:
Open Terminal, by pressing CTRL+ALT+T and run the following commands:

sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod proxy_balancer
sudo a2enmod lbmethod_byrequests

Edit the virtual hosts file with the following configuration:

<VirtualHost *:80>
 ProxyPreserveHost On

 ProxyPass / http://127.0.0.1:8080/
 ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

NOTE: You MUST have the ‘/’ at the end of each address, unlike Nginx.

Apache and Nginx will require restart before they can accommodate proxy requests.

Modifying the Web Frontend (WFE) configuration

The configuration for WFE contains several options that are omitted by default. These options can be used to place additional constraints on the web service if necessary.

The configuration file, which is stored as JSON, is located at:

Windows:
C:\ProgramData\Webservice\conf\wfe.json

Linux:
/etc/webservice/wfe.json

If you wish to restrict the service to listen for HTTP requests on a particular NIC, you can do so by specifying the NIC’s address using the webserver.address key:

{
    "webserver": {
        "listen": 8080,
        "address": 192.168.1.115,
        [...]
    }
}

NOTE: If the target is an IPv6 address, you MUST enclose the address in square brackets [ ].

The same can be done for HTTPS requests with the webserver.tls.address key:

{
    "webserver": {
        "listen": 8080,
        "tls": {
            "listen": 443,
            "address": [fe80::...],
            [...]
        }
    }
}

The way the web service handles HTTP requests when HTTPS is configured can be controlled with the webserver.tls.httpPolicy key:

{
    "webserver": {
        "listen": 8080,
        "tls": {
            "listen": 443,
            "httpPolicy": (redirect|disable),
            [...]
        }
    }
}

The key can be one of the following values:

“redirect” will cause HTTP traffic to be redirected to HTTPS
“disable” will reject any requests not sent over HTTPS

NOTE: This key will only take effect if SSL is configured.

Tags Guest, Web Server, Web Gateway, Apache, KB-00119-119-210205, Nginx, WFE, 963, Redirect

User Guides Documentation exacqVision Server Categories Products

Security Whitepaper

Post author By Bhargav Atturu
Post date July 11, 2017

Login Delay

exacqVision Server implements a login delay, in order to address the risk of various flavors of brute force attacks. More information on the nature of these attacks can be easily found elsewhere; hence, they will not be further described here.

The login delay mechanism introduces a progressive delay before completing authentication. The objective here is to increase the time required in order to carry out various flavors of intrusion attempt. The delay increases 1 second with each subsequent authentication failure, to a maximum of 26 seconds. Do note the following version-specific behaviors:

Beginning with server version 6.6.0, when login delay was first introduced, a subsequent successful login with good credentials would immediately reset the delay mechanism and emit successful login response.
Server 8.6.0 then began to apply the same delay to the first subsequent successful login as well, in keeping with security best practices (see https://cwe.mitre.org/data/definitions/307.html ). However, a few ensuing problems were then observed:
1. If the delay value had increased to a large value, it would cause a Client with good credentials to arbitrarily wait for the entire delay, and give an impression of defective behavior like server or connection having stalled or otherwise become unresponsive.
2. The web service has always abandoned a connection after 10 seconds. Therefore, once the delay value had reached 10 seconds, no web service could then connect to that server unless a client were used to “unlock” the account in question, even if the web service were using correct credentials.
3. In a network arrangement where all remote clients come in via gateway and hence appear with identical IP address, one “bad” client could effectively cause a denial of service for all other remote clients.

Server 8.6.x then reduced the delay on good login to a brief duration, in order that web service would not become seemingly “locked out”, and therefore would not have to be “unlocked” via another client or web service.

In a nominal scenario, users consistently log in to the server with correct username and password, and therefore would never encounter the login delay. This is made likely by virtue of the fact that ESM, Client, and the web service all persist server lists (per-user for Client, per-system for ESM and web service). Here, complications arise once a user’s password has been changed, which may never occur on legacy systems with no password change enforcement. But at the same time, every new server list entry presents an opportunity for bad credential usage, and therefore at least some encounter with the login delay mechanism.

Security-Whitepaper.pdf

Tags KB-00138-138-210208, Whitepaper, Login Delay, Security Whitepaper, 1124, Guest, Server, Security

User Guides exacqVision Server Categories Products

Installing Windows Security Essentials on Win7 based evServers

Post author By Bhargav Atturu
Post date May 17, 2017

Stop exacqvision Server Service (Control Panel -> Administrative Tools ->Services -> exacqVision Server : Stop)
Download Windows Security Essentials Package (mseinstall.exe, x64) from Microsoft website, and execute the installer on the target machine.
Select all default options, except for the ones listed below.
1. Do not join the program (Optional)
2. Unselect both options below:
3. Do not immediately scan
4. The system will update automatically (if connected to the internet) and come to the following page:
5. If Internet was not accessible, connect to the internet, and update definitions. Make sure the system shows the latest definitions are installed.
6. On the settings page, schedule a daily scan to a time of your convenience.
7. Click on ‘Exclude Files and Locations’, and hit Browse.
8. Select all the Data Drives (on which Video is stored) and choose the exacq install location (C:\Program Files\exacqVision), and hit OK.
9. All Data drives and the exacq install directory should be shown, separated with a semi-colon.
10. Hit ‘Add’, and all the data drives and the exacq install directory should be on the excluded list.
11. Come back to Home page and run a full scan.

Installing-Windows-Security-Essentials-on-Win7-based-evServers.pdf

Tags Server, Installing, Security, KB-00143-143-210208, Win7, 1172, Guest, Windows

User Guides Documentation exacqVision Enterprise Categories Products

How to Add AD/LDAP Security Group to ESM

Post author By Bhargav Atturu
Post date February 1, 2017

Step 1:

Log into ESM and navigate to the Domain settings page. If you haven’t yet configured this, you will need to add your domain settings. You must have the proper Base DN, Binding DN and credentials for the account you will use to connect to Active Directory/LDAP. If you do not know these, contact your Active Directory/Network Admin. You will also need to know the IP address/Hostname and port number of that server.

Step 2:

After connecting to AD/LDAP, you need to add a group to ESM. A group named Root will exist by default. Any new groups will be nested under the Root group. In ESM groups contain both servers and users.

Once the group is added you will see it on the Group List page. Click the group name to go to the group settings page.

Step 3:

In the section titled Domain Associations, click on the pencil-shaped Edit button.

The Domain group drop-down menu will be populated with a list of AD/LDAP security groups. This will only show groups nested under your Base DN. If you do not see your group listed here, make sure you are using the correct Base DN.

You may choose to provide users in this group with the ability to log in to ESM, the exacqVision server, or both. If you provide them with server log in privileges this will be pushed out to all the servers inside that ESM group.

Once you’ve chosen which privileges to provide click the Associate button to finalize.

How-to-Add-AD-LDAP-Security-Group-to-ESM.pdf

Tags Guest, ESM, KB-00166-166-210204, AD/LDAP, Security Group, Add AD/LDAP, 924