Green Lock and Gear Icons in the exacqVision Client

Description 

A green icon indicates that a secure (HTTPS) connection is being used for the configuration connection to the device, the video stream, or both.

Product 

exacqVision Client

Solution

The green lock and gear icons are visual indicators of the connection protocol being used by the camera. They can be found on the Cameras configuration page, the Add IP Cameras page, and the Camera Recordings page.

  • No Icon indicates standard connections are being used.
  • Green gear indicates that the device is secure, but the video stream is standard.
  • Green lock indicates that both the device and video stream are secure.

SMB server signing and encryption for Archiving

exacqVision’s default method for archiving recorded data uses the SMB protocol. Using an exacqVision S-Series storage system makes configuring archiving simple. Users may also archive to SMB shares configured on their own third-party systems, but installing and configuring Samba or SMB Shares on non-Exacq built systems is outside the scope of Exacq Support.

There have been several iterations of SMB since the protocol was first introduced. Devices wishing to communicate via SMB must first perform a negotiation to determine which version they will use. The version and dialect of SMB chosen will determine what features are used.

Versions

Discussing versions quickly becomes a tangled web, which we will try to unravel here.

When capturing the network traffic between two devices with an application such as Wireshark, the protocol will be listed as SMB2. SMB2 supports many dialects, including 2.1, 3.0, and 3.1, which can cause some confusion because many people refer to dialects as versions. We will use the term dialect for these here.

Introduced in 2015, dialect 3.1.1 is the latest release of SMB at the moment. While SMB is the protocol used, it is implemented on Linux systems by an application named Samba. Samba provides support for SMB as well as other protocols, so it has its own version numbering separate from SMB. Samba has supported SMB dialect 3.1.1 since Samba 4.3.

How to check the version of Samba installed on your S-series or other Linux system:

  1. Open a Terminal window by pressing CTRL+ALT+T.
  2. Type samba --version and press Enter.

Server Signing

Server signing is a security method used by SMB. When signing is enabled, every SMB message includes a signature key, and a hash of the entire message is included in the message header.

How does signing help protect data? In addition to verifying the identities of the sending and receiving devices, the nature of hashing means that if an attacker changes the message between the NVR and the archive share, the hash will no longer match.

Encryption

SMB version 2.0 provided encryption, but used HMAC-SHA256 encryption. SMB 3.0 updated the encryption used to AES-CMAC and AES-CCM. SMB 3.1.1 then updated to support AES-128-GCM and AES-128-CCM as well as other security enhancements.

| SMB Dialect | Encryption Method |
| --- | --- |
| 2.0 | HMAC-SHA256 |
| 3.0 | AES-CMAC and AES-CCM |
| 3.1.1 | AES-128-GCM and AES-128-CCM |

Manual Enforcement

As mentioned above, when two devices attempt to communicate using SMB they first negotiate the connection to determine the version and dialect they will use.

The client first advertises to the server which versions and dialects it supports. The server replies with the highest version and dialect it supports so they can agree. In the case of exacqVision’s Archiving, the client is the recording NVR system and the server is the S-Series system.

IMPORTANT: Because the protocol automatically selects the highest version both devices support, and because SMB signing and encryption are mature technologies, there is usually no need to manually configure settings. Manual configuration is recommended only in situations where specific network requirements must be enforced to function properly.

To manually configure SMB:

  1. On the S-Series server, open a Terminal window by pressing CTRL+ALT+T
  2. Use sudo permissions to edit /etc/samba/smb.conf
  3. Locate the [global] settings section.
  4. Beneath the [global] tag, add the following lines:
    server signing = mandatory
    server min protocol = SMB3_11
    server max protocol = SMB3_11
  5. Save your changes, then exit the file.
  6. Restart Samba by entering:
    sudo /etc/init.d/samba restart

The entries given for Step 4 above enforce server signing as well as SMB dialect 3.1.1. Attempts to connect with anything else would fail. A list of possible options for these three entries is given below.

server signing = [default, auto, mandatory, disabled]

server min protocol = [SMB2, SMB2_02, SMB2_10, SMB3, SMB3_00, SMB3_02, SMB3_11]

server max protocol = [SMB2, SMB2_02, SMB2_10, SMB3, SMB3_00, SMB3_02, SMB3_11]

Note: ‘server min protocol’ should be the same as or lower than ‘server max protocol’. If these are different values, the client and server must both support a dialect between these values. If these are the same value, they must support that specific dialect.

IMPORTANT: If the configuration is not edited at all, the default behavior when these fields are absent from the smb.conf file is the same as entering the following:
server signing = auto
server min protocol = SMB2_02
server max protocol = SMB3
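
The check below is an added example, not Exacq's or Samba's own tooling: it reads the [global] section of an smb.conf, applies the defaults listed above when a key is absent, and reports whether signing and dialect 3.1.1 are actually enforced. The function names and the ranking of the SMB2 and SMB3 aliases are assumptions made for this example.

```sh
#!/bin/sh
# Added example: audit the three [global] settings from this article.

# Print KEY's value from the [global] section of FILE (empty when absent).
global_value() {
    awk -v key="$2" '
        /^[ \t]*\[/    { in_global = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        /^[ \t]*[#;]/  { next }                      # skip comment lines
        in_global && index($0, "=") {
            k = tolower(substr($0, 1, index($0, "=") - 1))
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v                    # last occurrence wins
        }
        END { print val }' "$1"
}

# Order the dialects so min and max can be compared. Assumption: the SMB2 and
# SMB3 aliases rank as SMB2_10 and SMB3_11; confirm against your smb.conf(5).
dialect_rank() {
    case "$1" in
        SMB2_02)      echo 1 ;;
        SMB2_10|SMB2) echo 2 ;;
        SMB3_00)      echo 3 ;;
        SMB3_02)      echo 4 ;;
        SMB3_11|SMB3) echo 5 ;;
        *)            echo 0 ;;
    esac
}

# Report whether FILE enforces signing plus dialect 3.1.1. Returns 0 only then.
audit_smb_conf() {
    signing=$(global_value "$1" "server signing" | tr 'A-Z' 'a-z')
    min=$(global_value "$1" "server min protocol" | tr 'a-z' 'A-Z')
    max=$(global_value "$1" "server max protocol" | tr 'a-z' 'A-Z')
    # Missing keys fall back to the defaults this article lists.
    : "${signing:=auto}" "${min:=SMB2_02}" "${max:=SMB3}"
    lo=$(dialect_rank "$min"); hi=$(dialect_rank "$max")
    if [ "$lo" -eq 0 ] || [ "$hi" -eq 0 ]; then
        echo "INVALID unknown dialect min=$min max=$max"; return 1
    elif [ "$lo" -gt "$hi" ]; then
        echo "INVALID min=$min is above max=$max"; return 1
    elif [ "$signing" = mandatory ] && [ "$lo" -eq 5 ]; then
        echo "ENFORCED signing=$signing min=$min max=$max"; return 0
    fi
    echo "NEGOTIABLE signing=$signing min=$min max=$max"; return 1
}

# Constructed sample input: the Step 4 settings from the article.
sample=$(mktemp)
printf '[global]\n server signing = mandatory\n server min protocol = SMB3_11\n server max protocol = SMB3_11\n' > "$sample"
audit_smb_conf "$sample"
rm -f "$sample"
```

Against a real system, pass /etc/samba/smb.conf as the argument; a NEGOTIABLE result means a client may still agree on an older dialect or an unsigned session.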

What analog PTZ protocols does Exacq support?

Exacq supports the following RS-422 and RS-485 PTZ protocols. With each protocol, you can specify the baud rate, data bits, stop bits, parity, flow control, and maximum line length.

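| Protocol | Supported PTZ Presets |
| --- | --- |
| AD-M3200 | 96 |
| AD-M3200 Multi | 96 |
| AD-MP48 | 96 |
| AD-MP48 Multi | 96 |
| AD-RS422 | 96 |
| Bosch (OSRD) | 99 |
| GE-ASCII | 64 |
| GE-Impac | 32 |
| HSD-Pelco-D | 128 |
| Panasonic | 64 |
| Pelco-D | 32 |
| Pelco-P | 32 |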

NOTE: Devices that require the use of other protocols, not listed above, may still be used with supported encoders. Supported encoders may be found on our IP Camera Integration database.
