
Introduction

About This Guide

This guide is intended to be used as a standard guide for the Freedom Access Control System. General Linux knowledge and Freedom Certification Training Knowledge are expected.

Additional Documentation

To find documentation available for all products, go to https://www.identiv.com/viscount.

To find related vendor documentation on Cisco Switches, go to www.cisco.com.

To find related vendor documentation on Veridt Readers, go to www.veridt.com.

Initial Software Configuration

Administration Management

Starting the Freedom Administration System

Launch a web browser (Internet Explorer, Firefox, or other browser that allows pop-ups).

In the Address field, type http://<freedom ip address>/ and press Enter.  For convenience, this page should be bookmarked.

In most cases the default IP address of a server or a panel is 192.168.123.101; however, it might be different depending on the configuration specified. Please check the sticker located on the unit if the default IP address is not working.

Login and Log Out

To login to Freedom:

  1. Enter the Default Username and the Password.

  2. Click on the LOGIN button.

With certain older browsers pressing the Enter key causes an error message. Make sure to use the mouse to click on the Login button.

To log off, click on the Log Out button.

As a security feature, after a certain period of inactivity Freedom will automatically log you off. At that point, the login page will appear, and the user will have to log back in.

Navigating the Freedom Software

Below is a screenshot of the Freedom Administration software. It shows the optional Alert Level bar. Below the Alert Level bar are the Navigation Tabs, which allow you to access the main areas of the Freedom software – the current tab is underlined (i.e. the System tab below). To the right of the Navigation Tabs is the Site dropdown box, where you can select the site to view or configure. The Log Out button is located beside the Site dropdown box. The Actions Bar near the bottom of the screen contains buttons to add, delete, edit and save. The Quick Links at the bottom of the page reveal company, service, contact and version information. The manual can also be downloaded from the Quick Links bar.

Each Navigation Tab contains Navigation Links on the left-hand side. If a navigation link contains a blue arrow at the end of the line, it can be opened to reveal its own sub links. The current link is highlighted, and its selected sub link is indicated by a black arrow.

You can close an open link by clicking its orange down arrow.

Adding a New Administrator and Deleting the Default Account

The first Administrator account created should be given full permissions to manage all aspects of a Freedom installation.  Additional accounts can be given less control over the installation depending on the role that each user plays in managing or supporting the installation. Users with an Administrator Account for the installation cannot create, modify or delete other accounts that have more privileges than their own. The extent to which one can create, modify, or delete accounts is limited to users with fewer privileges than the account under which one is currently logged in.

The first task after logging in should be to create an Administrator Account with full access to all pages so that the default “freedom” user can be deleted. This eliminates any security problems that might occur if the default user name is kept. Before deleting the default user, test the new one.

To create an Administrator Account with full access and delete the default user:

  1. Log in to Freedom using the instructions in Login and Log Out above.

  2. Click on the System navigation tab at the top of the screen.

  3. On the left, click the Administration link.

  4. Click the Admin Users sub link.

  5. In the Actions bar, click on Add Admin User. The following screen is displayed:

  6. Enter the User ID, Last Name, and First Name.

  7. Enter a Password that is different than the one provided.

  8. Verify the Password.

  9. Beside Business, select All.

  10. Beside Sites, select ALL.

  11. Select Full Access for all of the parameters from Suites to Active Directory.

  12. For Mustering, select the required level.

  13. Select the Language that this full administrator would like to use.

  14. Select the View Suite/User Page Size 10, 25, or 50 to set the default number of suites/users per page this admin user sees when viewing the listing.

  15. Click Save to save the full access admin user.

  16. Click the [Log Out] button to log off and test the new user ID.

  17. Log in with the user ID and password that was created in the previous steps.

  18. Verify that you can log in successfully and that your new user has full privileges.

  19. Log out once more and log in using the default user account name.

  20. Click on the System tab, Administration, Admin Users and select the default “freedom” user account.

  21. Change one of its privileges and click Save.

  22. Log out and log in again as your newly created user.

  23. Go to Admin Users again and select the default “freedom” user account.

  24. Click on Delete and OK.

Once the admin user is saved, the user ID field cannot be edited.  This field specifies a unique admin user profile. You can change the other fields after an admin user profile has been saved.

Site Administrator Management

In addition to the full access administrator, there can be limited administrative users that have the capacity to add/modify/delete card holder access. The privileges of these admin users can be fine-tuned to restrict or grant access to certain functions of the software. These restrictions include the modification of Controlled Areas, Access Groups, Devices, and Users. Admin users can also be assigned to certain sites within Freedom, further restricting and partitioning data, thereby limiting their Admin access.


To add an Admin User:

Follow Steps 1 to 15 above to add new Admin Users. Each of the software’s tabs or links is listed with the following options:

  • No Access: the tab or action will not appear in the toolbar or action menu for this admin user

  • Read Only: only read permissions are given to selected tabs or actions

  • Full Access: the user can modify every aspect of the section

You will be able to assign Admin Users to the sites that they are allowed to administer (e.g. the user hoffjenn01 is limited to the control of the sites Distribution Centre, Huston Office and Sales Office - Vancouver). Once the admin user logs in to the system, the sites that they have access to will appear in a dropdown list in the top-right corner of the screen. By selecting a Site from the dropdown list, the Admin User will only see data corresponding to that Site. Also, any data added (e.g. a controlled area) will be added to the Site that is currently selected.

Non-admin Users (cardholders) are considered global, and are not assigned to any particular Site. This is because a User may travel and have access to multiple sites. However, when assigning Access Groups to a User, the available access groups are filtered by the Sites that the Admin User has access to.

System Management

Set Date, Time, Time Zone Settings

Date and time settings for Freedom servers can be set either manually or by using a network time protocol (NTP) server. An NTP server is the recommended method for keeping the date and time in sync with other systems.

Setup Network Time Protocol (NTP) Settings

An NTP server is the recommended method for keeping the date and time in sync with other systems. However, it does require either a local NTP server or an internet connection. The NTP server can be either an internal, company-facing server or an external, public-facing one.

To set the system time and date using NTP Settings:

  1. Click on the System navigation tab.

  2. On the left, click the Utilities link.

  3. Click the System Date/Time sub link. The following screen is displayed.

  4. Select a Time Zone from the dropdown box.

  5. Check the Enable NTP box.

  6. Enter an IP address or a hostname for the NTP Server. pool.ntp.org is a commonly used public NTP server; if no local NTP server is available, this hostname can be used.

  7. Click Save.

When the time or the date of a Freedom/Enterphone System is changed, schedules and events are not synchronized until the following day at midnight. For proper scheduling, please restart the Freedom server using the reboot link from the Utilities section.

Change Date and Time Manually

If you are not using an NTP server, you can set the date and time manually.

  1. Click on the System navigation tab.

  2. On the left, click the Utilities link.

  3. Click the System Date/Time sub link.

  4. Select a Time Zone from the dropdown box.

  5. Select the date from Set Date.

  6. Select the time from Set Time.

  7. Click Save to save the date and time.

  8. Once the date is set, click the Reboot link at the bottom of the Utilities list.

  9. Click the Reboot button.

The Reboot button will be hidden if the Freedom portal is accessed from a laptop, due to the browser resolution size. In that case, use the zoom out option in the web browser to reduce the zoom level from 100% to 80%.

System Card Format Support

The Freedom Server has a built-in set of Card Format Definitions that determine how Wiegand data is translated (e.g. Wiegand 75 bit, FIPS-201 200 bit). Upon card swipe, Freedom performs a sequential lookup of this list to find the best fitting definition.

To adjust this lookup behavior:

  1. Click on the System navigation tab.

  2. On the left, click the Manage Card Format link.

  3. To speed up card format search, put the most relevant definition at the top of the list. If the installation is using Indala 36 bit cards for example – put the Indala 36 bit definition above all other 36 bit formats to ensure correct Wiegand data translation. Use the up/down arrows beside each definition to adjust the order of format preferences.

In case no suitable definition is available, use the Default Card Format drop down list to select a default format. Please note that card format definition in Freedom is highly customizable. Please feel free to contact Viscount Technical Support (vsicountsupport@identiv.com) should you require a custom format.
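Why the order of same-length definitions matters, as an added example that is not Freedom's code. It assumes the lookup takes the first definition whose bit length matches the frame, and both 36 bit layouts are constructed for illustration (they are not the Indala layout or any vendor's real format).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CardFormat:
    name: str
    bits: int                  # total Wiegand frame length
    facility: Tuple[int, int]  # (start bit, length) of the facility code
    card: Tuple[int, int]      # (start bit, length) of the card number


# Two constructed 36 bit layouts (hypothetical): one leading and one trailing
# parity bit, with the 34 data bits split differently between the two fields.
LAYOUT_A = CardFormat("36 bit layout A (constructed)", 36, (1, 10), (11, 24))
LAYOUT_B = CardFormat("36 bit layout B (constructed)", 36, (1, 14), (15, 20))


def encode(fmt: CardFormat, facility: int, card: int) -> str:
    """Build a sample frame as a bit string; parity bits are left at 0."""
    frame = ["0"] * fmt.bits
    for value, (start, length) in ((facility, fmt.facility), (card, fmt.card)):
        if value >= 1 << length:
            raise ValueError(f"{value} does not fit in {length} bits")
        frame[start:start + length] = format(value, f"0{length}b")
    return "".join(frame)


def field(frame: str, span: Tuple[int, int]) -> int:
    """Read one field of the frame as an unsigned integer."""
    start, length = span
    return int(frame[start:start + length], 2)


def translate(frame: str, formats: List[CardFormat]) -> Optional[Tuple[str, int, int]]:
    """Sequential lookup (assumed rule): the first definition whose bit
    length matches the frame is used to translate it."""
    for fmt in formats:
        if fmt.bits == len(frame):
            return fmt.name, field(frame, fmt.facility), field(frame, fmt.card)
    return None  # no definition fits; this is the case the default format covers


def shadowed(formats: List[CardFormat]) -> Dict[int, List[str]]:
    """Bit lengths that have several definitions, with names in lookup order.
    Under the assumed rule the first name wins and the rest are never used."""
    by_bits: Dict[int, List[str]] = {}
    for fmt in formats:
        by_bits.setdefault(fmt.bits, []).append(fmt.name)
    return {bits: names for bits, names in by_bits.items() if len(names) > 1}


if __name__ == "__main__":
    # A card issued in layout A: facility 77, card number 123456.
    frame = encode(LAYOUT_A, facility=77, card=123456)
    print(translate(frame, [LAYOUT_A, LAYOUT_B]))  # correct order
    print(translate(frame, [LAYOUT_B, LAYOUT_A]))  # wrong order, wrong facility code
    print(shadowed([LAYOUT_B, LAYOUT_A]))
```

With the wrong definition first, the same swipe is stored under a different facility code, so the credential either fails to match its enrolled record or matches a record it should not.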

Customize Dealer and Installer Pages

The links for Dealer and Installer from the Freedom Administration software can be configured to match the company who sold and installed the MESH system.

  1. Click on the System navigation tab.

  2. On the left, click the Administration link.

  3. Click the System Parameters sub link.

  4. Edit the dealer.ini and installer.ini files using the in-browser editor or save and edit them locally and restore them. 

For more information, please refer to the instructions in the MESH Parameter Files section.

Freedom Encryption Bridges

Viscount’s Freedom Encryption Bridges allow door hardware to be connected to Freedom servers. Bridges for card readers communicate with Freedom software. Data is received from card readers, encrypted and sent via IP to a Freedom server for processing. Relays on the Freedom Bridge are activated by commands from a Freedom server to lock or unlock doors.

Discovering Freedom Bridges on a Network

Freedom Bridges can be discovered using one of two methods: either the Bridge Discovery Tool located in the Freedom Administration Software, or the standalone Windows tool called Bridge Configuration Utility (BridgeUtil). For most systems, the built-in web-based discovery tool will be sufficient. If a Freedom bridge is not located on the same LAN as the Freedom server, or is behind a switch/router where UDP multicast traffic is being blocked, the bridge utility application should be used on a PC located on the network where UDP traffic is not being blocked.

Finding a Freedom Bridge on the Network

Once a Freedom Bridge is connected to the network, you can scan the network for the added device and add it to the Freedom Administration Software using the Freedom Bridge Utility.

You can also find the Freedom Bridge Utility at the bottom of the Devices - Main page, by clicking on the Freedom Bridge Discovery Tool check box.

Using the Web Based Freedom Bridge Utility

  1. Click on the System navigation tab.

  2. On the left, click the Utilities link.

  3. Click the Bridge Utility sub link.

  4. Click the [Scan Devices] button. This process might take a minute or two.

  5. Click on the MAC address of the device you wish to provision.

  6. Assign the appropriate IP information to the device or choose DHCP. You may need to contact your system admin for this information. If the DHCP checkbox is checked, the IP, Netmask and Gateway fields are automatically populated once the bridge receives the DHCP information.

  7. To update Bridge Configuration only, click on Save. Note that it might take up to two minutes to save.

  8. To update and add the Bridge to Freedom, check Save & Add Device To Freedom checkbox and click Save.

  9. Enter the name by which you’d like to refer to the device and click the Save button.

Make sure that the device is not already configured and locked. This is indicated by the Status column on the scan device list. If the device is already configured and locked, it will need to be reset by holding down the reset button of the device for 40 seconds. Once it is reset, it can then be scanned and added to the software.

Lock Bridge Configuration

This is an option in the Freedom Bridge configuration to lock the system configuration of the bridge. Once you choose to lock the configuration, no changes to the configuration can be made remotely.

Removing the lock requires a manual reset of the bridge, which resets the IP address and requires the IP settings to be configured again.

Windows Based Bridge Discovery Utility

The Freedom Bridge settings can be changed by using Viscount’s Bridge Utility. This program (BridgeUtil.exe) is self-contained, does not require a special install program and should run on Windows XP, 7, 8.1 and 10.

This utility is needed where the web-based scanning utility cannot be used: if the bridge is not on the same network, or is routed where UDP traffic may not pass, the broadcast request may not reach the bridge. In order to use this utility, you must be able to send and receive UDP traffic on the same network.

Download BridgeUtil.exe from Freedom Application

  1. Click on the System navigation tab.

  2. On the left, click on the Utilities link.

  3. Click the Download sub link.

  4. Click on the BridgeUtil link and save the executable on the PC.

  5. Locate the BridgeUtil.exe from where it was downloaded. Right click on the executable and select “Run as administrator”.

An unknown publisher warning might pop up. This can be safely ignored by pressing the [Yes] button.

BridgeUtil is a program that requires access to certain ports on the PC. These ports are used to discover bridges. If the following Windows Security Alert comes up, select the network that the PC is currently on. If unsure of which network, it is safe to select all the available networks. Then hit [Allow access]. 

If the PC has more than one IP address (e.g. WiFi and Ethernet), select the IP address of the network that the bridges are connected to, then hit OK.

Once the utility starts, click on the [Scan Devices] button and all the bridges on the local network will be displayed by MAC and IP addresses.

The last bridge displayed has an asterisk next to the IP address. This indicates that there are multiple bridges configured with the same IP address.

  6. Double click on the MAC address of the bridge that needs to be configured.

The settings may be changed and updated as needed. When done, hit the Save button.

Device Properties

Each Freedom Bridge model displays a different properties section. For example, a single port Freedom Bridge will only have one reader, input and output properties section; two ports will have two and so on.

The following tables describe the properties for Freedom bridges.

Reader Properties

Options and their descriptions:

  • Description: Reader description identifies the reader.

  • Default Card Format: This field specifies the card that is being used with this bridge device. Auto card format will try to match the best fitting card format. The auto card format behavior can be managed by going to System, Devices and then Manage Card Format. For more information see the section on Managing Card Formats.

Input Properties

Options and their descriptions:

  • Description: This field identifies what input signal is being monitored.

  • Activate Relay Output: This option configures the Freedom Bridge to activate the specified relay when the input is shorted. Note: This feature is executed at the Freedom Bridge hardware level and does not require a connection to a Freedom server. Thus, it is generally used as a “Request to Exit” function (e.g. via a push button).

  • Activate Relay Output: Relay: This drop-down list specifies which relay is to be activated when an input event occurs. This drop-down menu is only active if the above Activate Relay Output checkbox is checked.

  • Default Activation Time: This drop-down list specifies the number of seconds that the relay activates when an input event occurs.

  • Supervised Input Ready: This checkbox is for Freedom Bridge Devices that are equipped with supervised inputs. This field should be left unchecked unless the optional Supervised Input Board is connected. For specific instructions on how to connect the supervised input board, please see the appropriate instructions.

LED Properties

Description: Identifies the LED when adding to Port Trigger Actions or viewing in Activity Logs.

Buzzer Properties

Description: Identifies the Buzzer output when adding to Port Trigger Actions or viewing in Activity Logs.

Relay Properties

Options and their descriptions:

  • Description: Description of the relay output. Identifies the relay in the Controlled Areas and Port Triggered Actions.

  • Default Relay Position: Default power up position of the relay.

Schedules

Schedule Management

A Schedule is a given period of time that is applied to different aspects of the software. If a Schedule is added to a Controlled Area, then that schedule activates the devices and outputs in that Controlled Area. If a schedule is linked to a Controlled Area, under User or Guest Access Groups, then the schedule enables or disables access to that controlled area only to the users that are contained in that User Access Group.

A single schedule can contain more than one Period. For example, a schedule named Business Hours can contain a period Monday through Friday, 9 AM ON TIME and 6 PM OFF TIME. If needed, multiple periods can be added to a single schedule.

In addition, Special Days can be added to enable or disable access for certain days only. For example, if a special day is set to January first then that schedule can be turned off on every January first or it can be set to be active only on January first.

The current state (on or off) of all the schedules can be seen on the Schedule tab.

Adding a Schedule

  1. Click on the Schedules navigation tab.

  2. In the Actions bar, click on Add Schedule. The following screen is displayed:

  3. Enter a Name and Description.

  4. Select Weekdays OR Special Days.

    1. If you select Weekdays, check the box for each Week Day this schedule applies to and check the box for each Type of Special Day you would like to exclude from this schedule. To add a Special Day, see instructions in the previous section.

    2. If you select Special Days, this schedule applies ONLY to the Type of special day that you select in the dropdown box.

  5. Enter an ON Time for this schedule.

  6. Enter an OFF Time for this schedule.

  7. Under Effective Dates, check the Always On box if this schedule is to remain in effect at all times or, if not, enter a Start Date and an Expire Date for this schedule.

  8. Click Save.

Special Days (Holidays)

Special days are an optional addition to a schedule. They can be used for holidays or any other day where a schedule needs an explicit or relative period. Special days are added to schedules as a period so they may need to be configured before adding a schedule.

Adding a Special Day

  1. Click on the Schedules navigation tab.

  2. On the left, click the Special Days link.

  3. In the Actions bar, click Add Special Day. The following screen is displayed.

  4. Enter the Name of the Special Day.

  5. Choose a number between 1 and 12 for this Type of special day. Special day types allow grouping of different special days. For example, a Type 1 special day labeled First of Every Month could contain the first day of every month. In this case, 12 special days will need to be added, all of them belonging to the Type 1 group.

  6. Select Explicit or Relative. An Explicit day is a particular day of the year, while a Relative day is a day that will occur every month, i.e. the first Monday of every month.

  7. Enter the Month and Day of the special day if Explicit was selected; select the Day of the Week if Relative was selected.

  8. Click Save.

Assigning a Special day to a Schedule

Once a special day is added, it can be programmed to be a part of a schedule.
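How the Weekdays and Special Days options described in the two sections above decide whether a schedule is ON at a given moment, as an added example that is not Freedom's code. It covers Explicit special days only, and it assumes that the OFF time is exclusive and that the Start and Expire dates are inclusive; the schedule and special day names are sample values.

```python
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import FrozenSet, Iterable, Optional, Set


@dataclass(frozen=True)
class SpecialDay:
    name: str
    type: int   # group number, 1 to 12
    month: int  # Explicit special day: a particular month and day
    day: int


@dataclass(frozen=True)
class Schedule:
    name: str
    on: time
    off: time
    weekdays: FrozenSet[int] = frozenset()        # Weekdays mode: 0=Monday .. 6=Sunday
    excluded_types: FrozenSet[int] = frozenset()  # special day Types excluded from it
    only_type: Optional[int] = None               # Special Days mode: the one Type it applies to
    start: Optional[date] = None                  # both None means Always On
    expire: Optional[date] = None


def types_on(day: date, special_days: Iterable[SpecialDay]) -> Set[int]:
    """Special day Types that fall on the given calendar day."""
    return {s.type for s in special_days if (s.month, s.day) == (day.month, day.day)}


def is_on(s: Schedule, when: datetime, special_days: Iterable[SpecialDay]) -> bool:
    day = when.date()
    if (s.start and day < s.start) or (s.expire and day > s.expire):
        return False                      # outside the Effective Dates
    types = types_on(day, special_days)
    if s.only_type is not None:
        if s.only_type not in types:      # Special Days mode: only on that Type
            return False
    elif day.weekday() not in s.weekdays or types & s.excluded_types:
        return False                      # Weekdays mode: wrong day or excluded Type
    return s.on <= when.time() < s.off    # assumption: OFF time is exclusive


# Sample configuration (constructed): the Business Hours schedule from the text,
# once without and once with the Type 1 special day excluded.
NEW_YEAR = SpecialDay("New Year's Day", type=1, month=1, day=1)
MON_TO_FRI = frozenset(range(5))
BUSINESS = Schedule("Business Hours", time(9), time(18), weekdays=MON_TO_FRI)
BUSINESS_NO_HOLIDAYS = Schedule("Business Hours", time(9), time(18),
                                weekdays=MON_TO_FRI, excluded_types=frozenset({1}))
HOLIDAY_ONLY = Schedule("Holiday Staff", time(10), time(14), only_type=1)

if __name__ == "__main__":
    holiday_morning = datetime(2025, 1, 1, 10, 0)   # a Wednesday
    for sched in (BUSINESS, BUSINESS_NO_HOLIDAYS, HOLIDAY_ONLY):
        print(sched.name, sched.excluded_types or sched.only_type,
              is_on(sched, holiday_morning, [NEW_YEAR]))
```

If such a schedule is used as an unlock schedule, leaving the special day Type unexcluded keeps the schedule ON during business hours on the holiday.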

Controlled Areas

In general, Freedom has two different types of Controlled Areas - Door and Floor Areas.

Door Areas are areas that have readers; in this case the Door Area represents the in-cab reader. Floor Areas contain relay outputs that activate elevator access (e.g. a button in the cab).

The administrator needs to first "link" a Door Area to its associated Floor Area(s). That means all floors that are accessible by the elevator need to be linked to the Door; in this particular case the Door is simply the in-cab reader.

A Floor Controlled Area is an Access Control Object that represents a floor. It contains the Freedom Bridge output ports that are typically connected to elevator control modules in the building. Floor areas can be linked to door areas in such a way that when the Freedom server grants access to a door, its associated floor area outputs can be activated. The card holder’s floor access rights then determine which floor area should be activated.

How to set up

First, the administrator needs to create Door Areas to hold the elevator readers. Then for each controlled area, “link” the corresponding Floor Areas to it. In the above example, a Door Area called Elevator A is created that hosts “Cab A Reader”. This door needs to have linked Floor Areas “Cab A - FL 1”, “Cab A – FL 2” and “Cab A - FL3” that contain relays to elevator A’s control:

Elevator B would follow the same idea except that it is using Elevator B reader, Floor Area Cab B – FL 1 through to FL 3.

Freedom offers two ways to handle Floor Access

Use separate Floor Access Groups

This is the original method implemented in 9.2 up to 10.1. The user will need to be assigned to a User Access Group that allows access to the various elevators. Floor Access Groups are then assigned to the user to give access to his floor.

This is what the User Access Group would look like for the above example:

This is what the Floor Access Group looks like for the 1st Floor:

For a card holder that has access to the 1st Floor, this is what his User and Floor Access Groups look like:

No separate Floor Access Group

This is a new option implemented in later versions of 10.1 and 9.2c. It reduces database migration effort from older systems such as 9.1, 8.7 and below.

To switch to this mode, in siteEngine.ini, set property “UseFloorAccessGroups” to “no”. Restart the server after update (please note that once this mode is chosen, returning to the old method may require some database clean up).

Once this mode is set, the “Floor Access Group” menu item will disappear from the Access tab:

In the above example, instead of having one Resident User Access Group and 3 Floor Access Groups, we need 3 Resident user groups, each of which covers elevator door access and one floor.

Each Residents group would have access to Elevator A and Elevator B controlled area:

Floor Access is merged into the User Access Group, in the second tab labeled “Floor Access and Schedules”. In the “Resident FL 1” User Access Group, it includes access to the first floor for both elevators:

When assigning Access Group, the administrator will select a group that will give the card holder access to both elevators and his corresponding floor. Note that in this mode, the Floor Access Group select box is not present.

Controlled Area Configuration

Configure a Door Controlled Area

Controlled Areas are areas in a facility that are controlled by one or more devices such as Card Readers. Any area within a facility that requires controlled entry or exit must be set as a Controlled Area. An area can also be set to change from Secure to Unsecure based upon schedules or manual control. 

Adding a Door Controlled Area

  1. Click on the Controlled Areas navigation tab.

  2. In the Actions bar, click Add Controlled Area. The following screen is displayed:

  3. Enter a Name that describes the controlled area.

  4. Enter an optional Description.

  5. Select Door Area as the Area Type.

  6. Select a Reader for the controlled area.

  7. By default, Freedom assigns the input 1 as Door Contact and input 2 as Request to Exit. To choose a custom setting, check Custom and select the desired input mapping.

  8. Click Save.

If no reader is assigned to this controlled area now, it can be assigned later using the Assign Device button. See the Assign a Device to a Controlled Area section for more information. For information on Floor Areas, refer to Elevator Configuration.

Once the controlled area is saved, different aspects of it can be modified.

Config Tab

The Config tab allows the configuration of the reader that is assigned to the controlled area.

For a Door area:

  1. Select a Card Format for the Reader; set it to Auto to default to the system settings.

  2. For the Door Contact, check the Suprv Ready box to indicate that the bridge input has supervised resistors set.

  3. Set the Door Contact Switch to Normally Open or Normally Closed.

  4. For Request to Exit, check the Suprv Ready box to indicate that the bridge input has supervised resistors set.

  5. Set the Request to Exit Switch to Normally Open or Normally Closed.

  6. Check the Activate Relay to set the lock to trigger when the REX is fired and select a Relay and enter the number of seconds for it to remain active.

  7. For each of the Outputs, enter a Delay time (the number of minutes/seconds the relay will fire) and an Activation Time (the number of minutes/seconds the relay stays open).

  8. Select an Output for this door.

  9. Enter an optional Description.

  10. For each output, enter a Delay time (the number of minutes/seconds until the relay will fire) and an Activation Time (the number of minutes/seconds the relay stays open). Click the Show Accessibility box to enter an Accessibility Delay time and an Accessibility Activation time: this is a separate set of delays and activation times for users with special needs (e.g. wheelchair, crutches) that are used if the Accessibility check box is selected in that user’s setup page. See Chapter Users for more information on setting up a User.

  11. Check the Latch Allowed box to allow the corresponding output to remain open (latched) when it is set to Open state either by the Administrator or through Unlock Schedule.

  12. To add another Output line, click the button beside the first output line.

  13. Click Save when all outputs are configured.

Unlock Schedule Tab

A Schedule is a given period of time that is applied to Controlled Areas and Access Groups and is used to schedule device activation and alarms. If a schedule is added to a Controlled Area, then that schedule activates the devices and outputs in that Controlled Area. If a schedule is linked to a Controlled Area, under User or Guest Access Groups, then the schedule enables or disables access to that Controlled Area only to the users that are contained in that User Access Group.

For more information about schedules, please refer to Schedules.

In the Unlock Schedule tab on the View/Edit Controlled Area screen:

  1. Select a Schedule for this controlled area.

  2. Select an ON action.

  3. Select an OFF action.

  4. Select the box below each Alert Level that corresponds to the users in this controlled area: Low, Guarded, Elevated, High or Severe.

  5. To add another Schedule line, click the button beside the first schedule line.

  6. Click Save.

For more information regarding alerts, please refer to Alert Levels.

Door Monitor Tab

There are two Door Monitor Alarms for a controlled Door area: a Door Held Open Alarm that indicates a door being held open for a given period of time and a Door Forced Open Alarm that indicates that a door is being forced open without the use of a reader or an entry/exit device.

Freedom tracks the status of a monitoring device and tracks the state of an entry and an exit device.  Once an event is triggered, two output actions can be activated for generating a buzzer or an alarm.

In the Door Monitor tab on the View/Edit Controlled Area screen:

Door Held Open Alarm

  1. Under Door Held Open Alarm, check the Enable box.

  2. Enter the number of seconds in the Held Open Time box before the alarm will sound.

  3. Select an output in the Output 1 dropdown box; in the Action box, select Activate or Deactivate; in the Duration box, select the number of seconds the alarm will sound.

  4. Repeat Step 3 for Output 2 if necessary.

  5. Select the Schedule from the dropdown box that you would like applied to the action, or select Always On if you need the action to be enabled 24/7; check the Effective Except for this Schedule box to have the alarm sound during all schedules except this one.

  6. Check the General Alarm box if you need this action to generate an alarm in the Events tab.

  7. Check the Ack. Required box to require an acknowledgement from the AMS Server.

  8. Select a Severity level from the dropdown box: Warning, Error, Alert, Critical, or Emergency.

  9. If needed, a customized message can be added in the Instruction field that will be displayed in the log when the Alarm is triggered. The Instruction dropdown menu passes the selected instructions to the AMS Server. To create a new alarm instruction, click the Alarm Instructions link and click Add Alarm Instruction in the Actions bar.

  10. Once done, click Save at the bottom of the window.

Door Forced Open Alarm

  1. Under Door Forced Open Alarm, check the Enable box.

  2. Select an output in the Output 1 dropdown box; in the Action box, select Activate or Deactivate; in the Duration box, select the number of seconds the alarm will sound.

  3. Repeat Step 2 for Output 2 if necessary.

  4. In the Racing box, enter the number of seconds when the door contact state change is reported before the push button bar signal reaches the system.  If Racing is set to 1, then the DFO will not fire if a REX is detected within one second of the door contact change state.

  5. In the Shunt Window box, enter the number of seconds. This option shunts the alarm when the REX opens the door (no card scan releases the door).

  6. Select the Schedule from the dropdown box that you would like applied to the action or select Always On if you need the action to be enabled 24/7; check the Effective Except for this Schedule box to have the alarm sound during all schedules except this one.

  7. Check the Generate Alarm box if you need this action to generate an alarm in the Events tab.

  8. Check the Ack. Required box to require an acknowledgement from the AMS Server.

  9. Select a Severity level from the dropdown box: Warning, Error, Alert, Critical, or Emergency.

  10. If needed, a customized message can be added in the Instruction field that will be displayed in the log when the Alarm is triggered. The Instruction dropdown menu passes the selected instructions to the AMS Server. To create a new alarm instruction, click the Alarm Instructions link and click Add Alarm Instruction in the Actions bar.

  11. Click Save.

Advanced Tab

The Advanced tab on the Controlled Areas screen contains additional configuration flags:

Options | Description
Toggle | Sets the Controlled Area to Secure or Unsecure based upon an event other than a schedule. For example, an Authorized Card can change the state. Check the box for this function. Also provides the ability to disable the Door Monitor Event. Alarms are now enabled by default. This will not generate the alarm unless the Generate Alarm box is checked.
Multi-Factor | Sets the number of Authorized Card Reads necessary to allow entry to the Area. Allows the ability to implement 2-Factor or 3-Factor identification.
Auth Mode | Relates to Multi-Factor. Sets the number of Users required for entry to the Area. The options for the factors used to activate an access granted are: Single User, Multi-User, Guard Group.
Guard Access Group | Defines the access group required for two-factor authentication.
Auth Timeout | Relates to Multi-Factor. Sets the number of seconds allowed between card reads. Note: a device that has Multi-Factor set can only reside in one Controlled Area.
Exit Reader | Defines the exit reader. Required for counting for zone groups for Anti-passback and/or Muster reporting.

Multi Card Swipe Tab

The multiple swipe action is intended to place multiple actions that change the state of a single Controlled Area, or an entire zone group, on a pre-set number of card scans within a defined window of seconds.

It is a recommended best practice to assign the least secure action to the lower number and the more secure action to the higher number.

Assigning a Multi Swipe Action by Group

In the Multiple Swipe tab on the View/Edit Controlled Area screen:

  1. Select the Card Swipe Interval: the number of seconds that you count the multiple swipes for this controlled area.

  2. Select a specific User Group if only the identified user group will have access to take action on this reader; select ANY to allow all user groups to have access.

  3. Select a Controlled Area or a Zone Group to activate.

  4. Select Open, Close or LOCKDOWN in the Action dropdown box.

  5. Select a Schedule or select Always On.

  6. Click Save.

Floors Tab

The Floors tab allows you to link one Controlled area to floors. Typically the controlled area is an elevator reader area and the linked Floor Controlled Areas are the floors that the reader would provide access to.

In the Floors tab on the View/Edit Controlled Area screen:

  1. Select a Floor Controlled Area from the Linked Floor Area dropdown box to link to this controlled area.
    NOTE: More details on Floor Controlled Areas can be found in Chapter Elevator Configuration.

  2. Enter a Delay time (a pause before the relay fires, default is 0 seconds) and an Activation Time (the duration that the relay activates, default is 5 seconds).

  3. Click the Show Accessibility box to enter an Accessibility Delay time and an Accessibility Activation time. This is a separate set of delays and activation times for users with special needs (e.g. wheelchair, crutches) that are used if the Accessibility check box is selected in that user’s setup page. See Chapter Users for more information on setting up a User.

  4. To link another floor to this controlled area, click the add button (+).

  5. Click Save.

Assign a Device to a Controlled Area

The following steps allow the user to associate a device to a Door Controlled Area that has not been assigned a device previously.

  1. Click on the Controlled Areas navigation tab and select the Controlled Area that was just created.

  2. In the Actions bar, click Assign Device.

  3. In the Assign/Replace Door Reader screen, select a Reader for this controlled area.

  4. Select Default or Custom:
    Default: assigns Input 1 to Door Contact and Input 2 to REX.
    Custom: allows you to determine which input is the door contact and which is the request-to-exit.

  5. Click Save. The screen expands with more options. The administrator will be able to adjust Controlled Area parameters as described in the above sections.

Alarm Instructions

A customized message can be configured that will be passed to the AMS Server and displayed in the log when an Alarm is triggered.  Alarm instructions can be used by Controlled Area’s Door Monitors or Port Triggered Actions in the next chapter.

To create an alarm instruction:

  1. In the Controlled Areas navigation tab, click the Alarm Instructions link.

  2. In the Actions bar, click Add Alarm Instruction. The following screen is displayed:

  3. Enter a Description of the alarm instruction.

  4. Enter any Details that pertain to this instruction.

  5. Click Save.

Alarm Resolutions

Alarm resolutions are for the clear step of the alarm response process.

To create an alarm resolution:

  1. In the Controlled Areas tab, click the Alarm Resolutions link.

  2. In the Actions bar, click Add Alarm Resolution. The following screen is displayed:

  3. Enter a Description of the alarm instruction.

  4. Enter any Details that pertain to the instruction.

  5. Click Save.

Port Triggered Actions

Port triggered actions are output actions, such as alarms, triggered by a conditional input or output event from a device. Port triggered actions are useful for alarm monitoring and requests to exit.

If a port is triggered and either of two conditions is true, the Output Action is triggered. This output action can have a delay and an activation duration.

For example, if Input 1 from a Freedom Bridge is closed and the Front Door Reader’s Output is Not-Active, then the Front Door Reader’s Output should be Activated.

Adding a Port Triggered Action

  1. Click on the Controlled Areas navigation tab.

  2. On the left, click the Port Triggered Actions link.

  3. In the Actions bar, click Add Port Trigger. The following screen is displayed:

  4. Enter a Name for this action.

  5. Select a Port Event from the dropdown list and select the state of the event:
    For inputs, choose Reset, Set, Error Break, or Error Short.
    For outputs, choose Activate or Non Active.

  6. Choose up to two Condition States for an output port and the condition of that device’s output port.

  7. Combine two conditions with AND or OR from the dropdown list. For example, if Front Reader’s Output Port is Not-Active AND Front Door Trip Input 1 is Active then the Output Action is triggered.

  8. Select an Output Action and select Deactivate, Activate, Buzzer On, Buzzer Off, Latch Active, Unlatch Active or No Action.

  9. Enter the Delay before activation for the output action.

  10. Enter the Activation Time for the output action.

  11. Select a Controlled Area and its associated action: Open, Close, Enable panel, Disable panel, LOCKDOWN or Toggle.

  12. Select a Schedule that defines the time that the Port Triggered Action is going to be used or leave it as Always On.

  13. The Generate an Alarm option enables or disables logging of this Port Triggered Action in the alarm logs, desktop alarm client and AMS servers.

  14. Choose the Severity of the alarm level: Info, Warning, Error, Critical, Alert, or Emergency. When set to Alarm, this will log the action to the Alarm Log.

  15. If needed, a customized message can be added in the Instruction field that will be displayed in the log when the Alarm is triggered. The Instruction dropdown menu passes the selected instructions to the AMS Server.

  16. Select an Alarm Area.

  17. To tag an NVR camera clip to the port triggered event, select the camera from the NetCam drop-down list. Before Event and After Event specify the time window (in seconds) of the clip relative to the event.

  18. Click Save.

Zone Groups

Zone Group Management and Anti-Passback

Zone Groups allow users to group various Controlled Areas to form a Perimeter Security Zone where Anti-passback rules can be applied.

Adding Zone Groups

  1. Click on the Controlled Areas navigation tab.

  2. On the left, click the Zone Groups link.

  3. In the Actions bar, click on Add Zone Group.

  4. Enter a Name for the zone group.

  5. Enter an optional Description of the group.

  6. Check the Anti Passback Enabled box to enforce anti-passback for this zone group.

  7. In the Anti Passback Forgiveness dropdown box select from the following options:

Options | Description
Never | User cannot re-enter the perimeter until they pass through an exit reader or enter an area that is outside of the zone group. Otherwise Freedom administrators have to manually reset the user’s anti-passback lock.
Midnight | Anti-passback lock will be forgiven at midnight.
Every 12 hours | This forgives anti-passback locks twice a day: at noon and midnight.
Every 6 hours | This forgives anti-passback locks every 6 hours (e.g. midnight, 6am, noon, 6pm).
Every 2 hours | This forgives anti-passback locks every 2 hours (e.g. midnight, 2am, 4am, etc.)
Every hour | This forgives anti-passback at the top of every hour.
Every 30 minutes | This forgives anti-passback at the top and 30 minutes of the hour.

  8. Check the APB Enforced on Exit Readers box to enable this feature; anti-passback is imposed on exit readers also. You must set EnforceExitAccessRight to Yes in siteEngine.ini – go to the System tab, Administration, System Parameters page to edit this file.

  9. Select a group of users in the Exempt Access Groups if you want them to be exempt from anti-passback rules.

  10. Click Save.

Assigning Controlled Areas to Zone Groups

Once Zone Groups are created, controlled areas can be assigned to the zone groups. A Zone Group is a security perimeter that contains multiple controlled areas. Each zone group can exercise anti-passback rules onto its controlled areas. For example, a building with two entrances can be seen as a zone group with two controlled areas (doors). If the anti-passback rule is enforced in this building, a person cannot enter through one door and re-enter through either door without first exiting the building.

To assign a Controlled Area to a Zone Group:

  1. Click on the Controlled Areas navigation tab.

  2. On the left, click on the Zone Groups link.

  3. Click on the Zone Group to edit.

  4. In the Controlled Areas drop down box, select all the Areas that are to be included.

  5. Click Save.
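The anti-passback behaviour and forgiveness options described above, modelled as an added Python example (not Freedom's own code). The ZoneGroup class, reader names, users and dates are hypothetical, and the exit-reader rule is an assumed reading of APB Enforced on Exit Readers.

```python
from datetime import datetime, timedelta

# Forgiveness options from the table above, as minutes between forgiveness
# points counted from midnight. None means the lock is never forgiven.
FORGIVENESS_MINUTES = {
    "Never": None,
    "Midnight": 24 * 60,
    "Every 12 hours": 12 * 60,
    "Every 6 hours": 6 * 60,
    "Every 2 hours": 2 * 60,
    "Every hour": 60,
    "Every 30 minutes": 30,
}
DENIED = "Denied - Anti Passback"  # wording of event 10204 in this guide
GRANTED = "Granted"


def last_forgiveness(now, option):
    """Most recent forgiveness point at or before `now` (None for Never)."""
    step = FORGIVENESS_MINUTES[option]
    if step is None:
        return None
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    elapsed = int((now - midnight).total_seconds() // 60)
    return midnight + timedelta(minutes=(elapsed // step) * step)


class ZoneGroup:
    """Hypothetical model of one zone group; not Freedom's data model."""

    def __init__(self, entry_readers, exit_readers, forgiveness="Never",
                 enforce_on_exit=False, exempt_groups=()):
        self.entry_readers = set(entry_readers)
        self.exit_readers = set(exit_readers)
        self.forgiveness = forgiveness
        self.enforce_on_exit = enforce_on_exit
        self.exempt_groups = set(exempt_groups)
        self.state = {}  # user -> ("in" or "out", time of that swipe)

    def _side(self, user, now):
        """Tracked side of the perimeter, after applying any forgiveness."""
        record = self.state.get(user)
        if record is None:
            return None
        side, since = record
        point = last_forgiveness(now, self.forgiveness)
        if point is not None and since < point:
            del self.state[user]  # a forgiveness point passed: lock cleared
            return None
        return side

    def swipe(self, user, groups, reader, now):
        exempt = bool(self.exempt_groups & set(groups))
        side = self._side(user, now)
        if reader in self.entry_readers:
            if side == "in" and not exempt:
                return DENIED  # already tracked as inside the perimeter
            self.state[user] = ("in", now)
            return GRANTED
        if reader in self.exit_readers:
            # Assumed meaning of "APB Enforced on Exit Readers": a user
            # tracked as outside cannot exit again.
            if self.enforce_on_exit and side == "out" and not exempt:
                return DENIED
            self.state[user] = ("out", now)
            return GRANTED
        raise ValueError(f"{reader!r} is not a reader of this zone group")

    def forgive_all(self):
        """Models the [Forgive All] button on the zone group record."""
        self.state.clear()

    def reset_user(self, user):
        """Models a manual reset of one user's anti-passback lock."""
        self.state.pop(user, None)


def demo():
    """Two-entrance building from the text, forgiveness every 6 hours."""
    zone = ZoneGroup({"Door A in", "Door B in"}, {"Door A out"},
                     forgiveness="Every 6 hours", exempt_groups={"Guards"})
    day = datetime(2024, 1, 8)  # constructed date
    at = lambda h, m: day + timedelta(hours=h, minutes=m)
    return [
        zone.swipe("lee", ["Employees"], "Door A in", at(9, 0)),
        zone.swipe("lee", ["Employees"], "Door B in", at(9, 5)),    # no exit yet
        zone.swipe("hudson", ["Guards"], "Door A in", at(9, 0)),
        zone.swipe("hudson", ["Guards"], "Door B in", at(9, 1)),    # exempt group
        zone.swipe("lee", ["Employees"], "Door A out", at(9, 10)),
        zone.swipe("lee", ["Employees"], "Door B in", at(9, 11)),   # exited first
        zone.swipe("lee", ["Employees"], "Door A in", at(11, 59)),  # still locked
        zone.swipe("lee", ["Employees"], "Door A in", at(12, 0)),   # forgiven at noon
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

With Never selected, the lock in this model persists across days until reset_user or forgive_all is called, which is why that option relies on exit readers or administrator action.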

 Resetting Anti-Passback Manually

Freedom Administrators can manually reset Anti-passback locks by editing the zone group record:

  1. Click on the Controlled Areas navigation tab.

  2. On the left, click on the Zone Groups link.

  3. Click on the Zone Group to edit.

  4. In the Edit Zone Group page, click the [Forgive All] button.

  5. Click Save.

 

Manually Reset a User’s Anti-Passback Lock

Freedom Administrators can manually reset a user’s anti-passback lock via the Users page:

  1. Click on the Muster navigation tab.

  2. Check the box in the Reset column next to the user and click the [Reset] button above it.

 

Mustering

The Muster tab has two sub links: Muster/Anti Passback and Emer. Mustering. This functionality must be turned on in licensing.

Muster/Anti-Passback

This page shows a live view of the number of users who have entered or exited a Controlled Area. You can also use it to identify who is in which area for anti-passback.

Emergency Mustering Report

The Emergency Mustering Report tab allows you to create custom area reports by Access Group and Controlled Area to support operations. This report is useful when security staff want to find out who is in the designated safety area (e.g. a zone group) during an emergency.

To create a custom Mustering Report:

  1. Click on the Muster navigation tab.

  2. On the left, click on the Emer. Mustering link. The following screen appears:

  3. Select the Zone Group which represents the designated safety zone.

  4. Select Access Groups to report on.

  5. Select User Categories to report on.

  6. Enter an Alarm Message Token to identify when a tagged event is enabled; it will grab the last event date and time as an anchor point to help highlight users who have entered the safety zone before the alarm took place. If there is no alarm required, leave this input blank.

  7. Select the Zone Groups to be excluded in the Report and select In, Out, or Both from the State dropdown box for each Controlled Area selected. This feature helps to filter out areas that are not relevant to the alarm event.

  8. Click the Add button to add this report to your list of Mustering Reports. These reports will be listed at the top of the screen and as sub links on the left once they are created.

Access Groups

Access Group Management

An Access Group is an organizational unit in which users can be placed.  This lets the administrator apply access rights to groups instead of people, for ease of administration.  This also lets the administrator make changes to a group of people as opposed to having to change the rights individually.  An access group can have 1 or thousands of people (user accounts) assigned to it. There are also Floor Access Groups that allow access to specific floors and Guest Access Groups that work in conjunction with MESH panels. The instructions for adding each type of group are the same.

Adding a User, Floor or Guest Access Group          

  1. Click on the Access navigation tab.

  2. Click on the User Access Groups, Floor Access Groups or Guest Access Groups link.

  3. In the Actions bar, click on Add Access Group. The following screen is displayed:

  4. Enter a Name and a Description.

  5. Select the Risk Levels during which this group will have access: Low, Guarded, Elevated, High or Severe (the current risk level is always displayed at the top of the Freedom screen).
    For more information on Risk Levels see the Alert Level Management section.

  6. Select a Controlled Area for this group.

  7. Select a Schedule for the Controlled Area. If that controlled area is not going to be accessed by that User Access Group, leave the schedule as Always Off.

  8. If you need an additional line for extra Controlled Areas and/or Schedules, click the + button beside the current line. To delete a line, click the button.

  9. Click Save.

Global User Access Groups

In Freedom version 11, User Access Groups can be global to all sites. This makes Access administration more efficient for large enterprise systems. For example, all employees within an enterprise are assigned a general Access Group “Employees”. This group can be associated with any controlled area/schedule pairs in any site.

To create a Global User Access Group:

  1. Click on the Access navigation tab.

  2. Click on the User Access Groups link.

  3. Enter a Name and a Description.

  4. Check the Global Group check box.

  5. Click Save to create the Access Group.

Once a Global Group is added, it will be visible to all sites. Administrators can associate it with any controlled area-schedule pairs that are local to the selected site.
Notice the Icon that highlights the Global Access Group “Employees”.

Users

Configuring a User’s Access

A User’s right to access through a door or to a floor is set up by entering a person into an Access Group. This Access Group is set to have rights to gain access to certain areas (controlled areas) of a facility at certain times (schedules).  The following chart is a guide to setting up a person’s access rights.

Typically, schedules are configured first and then controlled areas are configured. Once done, these are attached to an Access Group. The final step is to assign a User to an Access Group.

Adding a User Account

In order to assign cards or key fobs to people, User Accounts must be set-up.  During this process a User is assigned to an Access Group (or multiple Access Groups) which in turn defines their Access Rights.  To set up a User Account do the following:

  1. Click on the Users navigation tab.

  2. In the Actions bar, click on Add User.  The following screen is displayed. 

  3. Enter the user’s Last Name.

  4. Enter the user’s First Name.

  5. Select Yes or No to Display this user’s name in the Directory if there is an intercom on the panel.

  6. Select this user’s Suite. This is also for Intercom functionality.

  7. Enter the MESH Card Number.

  8. Enter the Wiegand Card Number that is assigned to the user or click on the [Read Card] button and present the card to the reader - the Wiegand number will automatically fill in the field. If the number is unknown, a card reader can be set up as an enrolment reader. To set up an enrolment reader, click on Select Enrolment Reader from the left menu and select the appropriate card reader.

  9. Enter a PIN number for the card. This is for Intercom functionality.

  10. Enter the user’s Email address.

  11. Enter the user’s Telephone number.

  12. Select the User Access Groups in the Available box that should be assigned to this user and click the right arrow button to move the group to the Selected box.

  13. Select the Floor Access Groups for this user.

  14. Enter the Date that the user’s access rights will Start.

  15. Select Never, or enter the Date that the access rights of this user will Expire.

  16. Click the Accessibility box if this is a user with special needs (e.g. wheelchair or crutches) that requires the longer Accessibility Delay and Activation times configured in Controlled Areas.

  17. Select Yes to Enable Admin Functions if this user is an administrator – the View/Edit Admin User options will become available.

  18. Click Save.

User Categories

You now have the ability to filter a global database of users by user category. Admin Users can be configured to see specific user categories.

  1. Click on the Users navigation tab.

  2. On the left, click on the User Categories link.

  3. To add a new user category enter a Category ID number and a Category Name and click the add  button.

  4. To remove a User Category click the delete  button.

Once you have created all of your User Categories you can assign them to your Admin Users in order to filter the users they have access to. Please refer to the Admin Users section to assign the categories.

Elevator Configuration

Elevator Management

In Freedom, each reader can be assigned to only one Door Area. In order for Freedom to activate floor relays upon a card swipe, it now has a new Floor Controlled Area type that can link to a Door Area where the elevator reader resides. Each Floor Area contains outputs that activate its corresponding elevator controls. To obtain access to floors, users need both User Access Groups (for card access) and Floor Access Groups (for elevator/floor access).

Installing Hardware

  • Install a Wiegand reader in the cab and connect its Wiegand wires to an FB9 adaptor.

  • On the FB9 adaptor board, change the address to 1 using the dip switch.

  • Run an RS485 cable long enough to connect the FB9 adaptor to the FB5 board which is located in the elevator/engine room of the building. This cable will likely run along the elevator shaft. Relays on the FB5 would be used to interface with the Elevator Control System in the elevator/engine Room.

Device Setup

In the Freedom Software, make sure that the FB5 (Digital IO) device has been added in the System – Devices tab. See Freedom Bridge Configuration for more information.

Create a Controlled Area - Type Floor

  1. Click on the Controlled Areas navigation tab.

  2. In the Actions bar, click Add Controlled Area.

  3. Enter a Name and Description for the Controlled Area.

  4. Select Floor Area in the Area Type dropdown box.

  5. Click Save.

Add All Outputs that Belong to that Floor

This is intended to trigger all of the outputs that a user has access to.  If a user has access to multiple floors, you would select all of the outputs that complete the circuit.

  1. Once the Controlled Area is saved, the Outputs and Unlock Schedule tabs appear.

  2. Select a device Output for this Floor controlled area. You may select and add multiple Floor Areas. Click the plus sign button to add the selected Output(s).

  3. To create an unlock schedule, click on the Unlock Schedule tab. Please see the Unlock Schedules section of the Controlled Areas chapter earlier in this document for more information.

  4. Click Save.

Link Floor Areas to the Elevator Reader’s Door Area

Create a Door Area and assign it with the elevator reader. Link all the Floor Areas that the reader can provide access to.

  1. Create a new Controlled Area with the elevator reader.

  2. In the new Controlled Area’s Floor tab, select all the associated Floor Areas; specify the desired activation time and click +.

Create a Floor Access Group

Create a floor access group to link the controlled area to a floor.  You can have multiple floor access groups added to a single controlled access group.

  1. Click on the Access navigation tab.

  2. On the left, click on the Floor Access Group sub link.

  3. In the Actions bar, click Add Floor Access Group.

  4. Enter a Name and a Description and click Save.

  5. Check the box(es) beside the Risk Level allowed for this floor.

  6. Select the Controlled Area to link to this floor access group. If you need an additional controlled area, click the button to add another line.

  7. Click Save.

Assign Groups to the User

Add permissions to a floor access group in the User account.  This grants access to the floor access group relays defined under the floor group created.

  1. Click on the Users navigation tab.

  2. Click on a User.

  3. Scroll down to the Floor Access Group boxes and click on the Available Floor Access Group to move it to Selected. Select all floor access groups for this user.

  4. Click Save.

Example Scenario

The building has 3 floors with one elevator cab. A reader is installed inside the elevator cab. As the tenant enters the elevator, he/she needs to present a card to access the floor(s) that he/she has rights to.

Controlled Area Configuration

  1. Click on the Controlled Areas navigation tab.

  2. In the Actions bar, click Add Controlled Area.

  3. First we want to create a Door Controlled Area for the Elevator Reader. In this example select the FB5’s Reader 1 and this will be the cab reader.

  4. Since there are 3 floors, you will create 3 Floor Controlled Areas. Name the first one Floor 1 Elevator Control and enter an extra Description line if necessary.

  5. Select Floor Area in the Area Type dropdown box.

  6. Select the FB5’s Reader 1 as its (Entrance) Reader. This Reader 1 will be the cab reader. 

  7. Click Save.

  8. The Outputs and Unlock Schedule grid will appear. In the Outputs tab, select the FB5 Relay that activates Elevator Control Access to Floor 1 (e.g. relay 1).

  9. Click on the Unlock Schedule tab to assign a schedule for this elevator if desired. For more information, please refer to the Unlock Schedule section of Chapter Controlled Areas.

  10. Click Save.

  11. Repeat Steps 2 to 9 to create a Floor 2 Elevator Controlled Area and add the same FB5 Reader in it as its entrance reader. In the Outputs tab, add the FB5 Relay that activates Elevator Control Access to Floor 2 (e.g. relay 2).

  12. Repeat Steps 2 to 9 to create Floor 3 Elevator Controlled Area and add the same entrance reader and Floor 3 relay (e.g. relay 3).

  13. Return to the Door Controlled Area created in Step 3, go to the Floors tab and add the three Floor Controlled Areas to it.

Create a Floor Access Group

Create a floor access group to link the controlled area to a floor.  You can have multiple floor access groups added to a single controlled access group.

  1. Click on the Access navigation tab.

  2. On the left, click on the Floor Access Group sub link.

  3. In the Actions bar, click Add Floor Access Group.

  4. Enter a Name and a Description and click Save.

  5. Check the box(es) beside the Risk Level allowed for this floor.

  6. Select the Controlled Area to link to this floor access group. If you need an additional controlled area, click the button to add another line.

  7. Click Save.

Assign Groups to Users

You can assign a User Access Group to give general access to your users or a Floor Access Group to give them access to specific floors.

  1. Click on the Users navigation tab.

  2. Select a Floor 1 user from the list of users.

  3. Scroll down to User Access Group or Floor Access Group. Click on the “Floor 1” Access Group in the Available box to move it to the Selected box.

  4. Repeat Step 3 for all Floor 1 users.

  5. Repeat Step 3 to add the “Floor 2” Access Group to all Floor 2 users and “Floor 3” Access Group to all Floor 3 users.

  6. Click Save.

Operation

As a Floor 1 User presents the access card to the cab reader, the reader LED should light up (access granted) and allow elevator access to Floor 1 (e.g. Floor 1 button lights up).

Similarly, a Floor 2 User’s card would allow the user to access Floor 2 inside the cab.

Events

Event Management

Freedom systems keep logs of certain activities and problems with devices under the Events tab.

The Events tab displays information such as the access attempts to the building and if they are granted or not.  Calls placed, answered and wrong numbers dialed from the panels are logged.  If a MESH Panel has the optional camera installed, a snapshot of the user is taken once access is granted by a suite. Scheduled opening or closing of a controlled area and any communication loss or device problems are also displayed. Alarm logs will also be displayed under the optional AMS Server. Preventative and pro-active measures should include the scheduled review of these event logs.

Viewing Events

The Events page refreshes automatically depending on login settings and is divided into a grid. The grid sections contain information about the event that took place. Multiple devices whose states are changed as a result of one event are grouped together to help with readability. Expanding an event will show all the resultant device changes.

 

  1. Click on the Events navigation tab. The following screen is displayed:

  2. Check the boxes above the grid to display the following options:
    Live Update: check this box to update the table when there is live data or pause it for discussion and/or troubleshooting.
    Local Time: the local monitoring time of the system.
    Category: the final category of what is occurring.
    Event Code: the events that are supposed to occur.
    Current Site Only: the current site; leave unchecked to show data for all sites.
    Access Events Only: only show access related events.  To see all I/O and logic leave this box unchecked.

  3. From the Display dropdown box, select Today, Last 3 days, This week or This month.

  4. Select the number of entries to Show on one page.

  5. You can filter the view by entering Search criteria and/or selecting the Type of event you’d like to view from the dropdown box. Type in the search text and hit Enter.

As the user enters search content, Freedom provides type-ahead hints. If the user prefers a wildcard search, type ‘*’ to suspend type-ahead and continue entering the search text.

Freedom version 11 allows search criteria to contain multiple search categories. An implicit OR gate is applied to search criteria of the same category and an implicit AND gate is applied to search criteria of different categories. In the following example, the criteria read: “Last Name is ‘Lee’ or Last Name is ‘Hudson’ AND controlled area is ‘Front Internal Door’”.

To search for a specific event of a particular time window, please refer to Searching Events in the next section.
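The OR-within-category, AND-across-category rule above, as an added Python example that is not Freedom's implementation. The event fields, sample events and the glob treatment of ‘*’ are assumptions; it also shows the result that a left-to-right misreading of the quoted criteria would give.

```python
from collections import defaultdict
from datetime import datetime
from fnmatch import fnmatchcase

# Constructed sample events; the field names are assumptions, not Freedom's schema.
EVENTS = [
    {"time": datetime(2024, 1, 8, 9, 0), "last_name": "Lee",
     "controlled_area": "Front Internal Door"},
    {"time": datetime(2024, 1, 8, 9, 5), "last_name": "Lee",
     "controlled_area": "Server Room"},
    {"time": datetime(2024, 1, 8, 9, 7), "last_name": "Hudson",
     "controlled_area": "Front Internal Door"},
    {"time": datetime(2024, 1, 8, 9, 9), "last_name": "Hudson",
     "controlled_area": "Loading Dock"},
    {"time": datetime(2024, 1, 9, 8, 0), "last_name": "Nguyen",
     "controlled_area": "Front Internal Door"},
]

# The criteria quoted in the text, as (category, value) pairs.
CRITERIA = [("last_name", "Lee"), ("last_name", "Hudson"),
            ("controlled_area", "Front Internal Door")]


def value_matches(actual, wanted):
    """Case-insensitive comparison; '*' is treated as a glob wildcard (assumed)."""
    return fnmatchcase(actual.lower(), wanted.lower())


def group_by_category(criteria):
    """[(category, value), ...] -> {category: [values]}."""
    grouped = defaultdict(list)
    for category, value in criteria:
        grouped[category].append(value)
    return dict(grouped)


def search(events, criteria, start=None, end=None):
    """OR within a category, AND across categories, optional From/To window."""
    grouped = group_by_category(criteria)
    hits = []
    for event in events:
        if start is not None and event["time"] < start:
            continue
        if end is not None and event["time"] > end:
            continue
        if all(any(value_matches(event.get(category, ""), v) for v in values)
               for category, values in grouped.items()):
            hits.append(event)
    return hits


def misread_search(events):
    """The wrong reading of the quoted criteria: Lee OR (Hudson AND door)."""
    return [e for e in events
            if e["last_name"] == "Lee"
            or (e["last_name"] == "Hudson"
                and e["controlled_area"] == "Front Internal Door")]


def summarize(events):
    """Reduce events to (last name, controlled area) pairs for comparison."""
    return [(e["last_name"], e["controlled_area"]) for e in events]


if __name__ == "__main__":
    print("documented rule:", summarize(search(EVENTS, CRITERIA)))
    print("misreading     :", summarize(misread_search(EVENTS)))
    print("wildcard       :", summarize(search(EVENTS, [("controlled_area", "front*")])))
```

The misreading returns Lee's Server Room event as well, so a reviewer who reads the criteria left to right would expect rows that the documented rule filters out.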

Event Groups & Categories

All events fall into one of the following groups and categories. In addition, every event in the system has an event id associated for searching.

Event Groups | Category | Description
Access Control Activity | User | Cardholder activity on the system.
 | Port | Identifies the device on which the activity occurred.
 | Door | The controlled area where the activity occurred.
System | System | The system on which the activity occurred.
 | Device | The bridge or device on which the activity occurred.
 | Port | The port on which the system data occurred.
 | Database | The database in which the system data occurred.
 | Credential | The credential data or error information.
 | LDAP | Active Directory sync data and errors.
 | Network | Data errors and other critical network data.
Admin | Login/Logoff | Administrator authentication log.
 | Operator Action | Action done by the operator using AMS-Lite.
External System | Video | Video activity events and errors.

Searching Events

You can search events to track access or errors over several days. When searching events, it is possible to filter results by particular devices or events and it is also possible to generate a PDF or a CSV document from your search results.

  1. Click on the Events navigation tab.

  2. On the left, click on the Search Events link. The following screen is displayed: 

  3. Enter a From and To Date and Times for the data you wish to search.

  4. Enter Search Criteria in the Filters input box.

  5. Click the [Search] button to retrieve result set records.

  6. The result set is shown in the area below the search criteria. The user may choose to download a copy of the result set in either CSV or PDF format by clicking the corresponding buttons.

Set Audit Data Search Criteria

  1. Click on the System navigation tab.

  2. On the left, click on the Utilities link.

  3. Click on the Audit Data sub link.  The following screen is displayed:

  4. Enter a From and To Date and Times for the data you wish to search.

  5. Enter a User ID.

  6. In the Change box, enter a specified string from the audit logs to search through the data that has changed.

  7. Select an Action.

  8. In the Original Data box, enter a specified string from the audit logs to search through the original data. For example, you could search for a card number in the original field to find out who previously had this card.

  9. Select a Function.

  10. Click the [Search] button.

Export to a CSV File

You can export Event and User search data to a CSV file by clicking the CSV button.

Export to a PDF File

Data on the Device tab can be exported to a PDF file by using the PDF button.

For more information about reports, please refer to the Chapter Reports.

Enhanced Access Denied Diagnostics

Freedom now has the ability to display why a user was denied in the system with all of the possible complex options.  This data will also display in the activity details.

Event ID | Description
10202 | Denied - CA Locked Down
10203 | Denied - Invalid License
10204 | Denied - Anti Passback
10205 | Denied - Card Disabled
10206 | Denied - User Deactivated
10207 | Denied - User Expired
10208 | Denied - Access Expired
10209 | Denied - Risk Level
10210 | Denied - Start Date Error
10211 | Denied - Certificate Revoked
10212 | Denied - Certificate Chain Invalid
10213 | Denied - Certificate Signature Invalid
10214 | Denied - Certificate Timestamp Invalid
10215 | Denied - SSL Validation Error
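One way to triage exported events by the denial codes above, as an added Python example that is not part of Freedom. The CSV column names, the sample rows and the three-denials-in-ten-minutes threshold are assumptions.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Event IDs and descriptions copied from the table above.
DENIED = {
    10202: "Denied - CA Locked Down",
    10203: "Denied - Invalid License",
    10204: "Denied - Anti Passback",
    10205: "Denied - Card Disabled",
    10206: "Denied - User Deactivated",
    10207: "Denied - User Expired",
    10208: "Denied - Access Expired",
    10209: "Denied - Risk Level",
    10210: "Denied - Start Date Error",
    10211: "Denied - Certificate Revoked",
    10212: "Denied - Certificate Chain Invalid",
    10213: "Denied - Certificate Signature Invalid",
    10214: "Denied - Certificate Timestamp Invalid",
    10215: "Denied - SSL Validation Error",
}
CERT_EVENTS = range(10211, 10216)  # certificate and SSL validation failures

# Constructed sample export. Column names and layout are assumptions; event_id 0
# is a placeholder for any non-denial event, not a real Freedom event ID.
SAMPLE_CSV = """\
time,event_id,user,controlled_area
2024-01-08 09:00:05,10204,Lee,Front Internal Door
2024-01-08 09:02:10,10204,Lee,Front Internal Door
2024-01-08 09:04:40,10204,Lee,Front Internal Door
2024-01-08 09:30:00,0,Hudson,Front Internal Door
2024-01-08 10:15:00,10207,Hudson,Server Room
2024-01-08 10:16:00,10213,Hudson,Server Room
2024-01-08 13:00:00,10204,Lee,Front Internal Door
2024-01-08 23:50:00,10205,Hudson,Server Room
"""


def load_denials(text):
    """Parse the export and keep only rows whose event ID is a denial code."""
    rows = []
    for row in csv.DictReader(io.StringIO(text.strip())):
        event_id = int(row["event_id"])
        if event_id in DENIED:
            rows.append({
                "time": datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S"),
                "event_id": event_id,
                "user": row["user"],
                "area": row["controlled_area"],
            })
    return sorted(rows, key=lambda r: r["time"])


def reason_counts(denials):
    """How often each denial reason occurred."""
    return Counter(DENIED[d["event_id"]] for d in denials)


def repeated_denials(denials, threshold=3, window=timedelta(minutes=10)):
    """{(user, area): n} where n >= threshold denials fall inside one window."""
    times_by_key = defaultdict(list)
    for d in denials:  # denials are already sorted by time
        times_by_key[(d["user"], d["area"])].append(d["time"])
    flagged = {}
    for key, times in times_by_key.items():
        start = best = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1  # slide the window forward
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged


def certificate_failures(denials):
    """Denials caused by credential certificate or SSL validation problems."""
    return [d for d in denials if d["event_id"] in CERT_EVENTS]


if __name__ == "__main__":
    denials = load_denials(SAMPLE_CSV)
    for reason, count in reason_counts(denials).most_common():
        print(f"{count:3d}  {reason}")
    print("repeated:", repeated_denials(denials))
    print("certificate:", [DENIED[d["event_id"]] for d in certificate_failures(denials)])
```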

Reports

Reporting Management

In most sections of the Administration Software it is possible to generate a report (or several types of reports) for that section. Reports are generally used for auditing purposes and to view the data for a section in one place making at-a-glance viewing and printing easier. Generated report files are in the PDF file format. Adobe’s Acrobat Reader might be required to view these files.

Because generating reports requires accessing data that may be privileged, the user account you are logged in with must have adequate permissions to access the report generating functionality of Freedom.

Creating PDF Report Files

PDF files can be generated from most pages by clicking on the [PDF] button beside the Search box. This will generate a PDF file, and either the user will be asked to save the PDF file to a local folder or the file will be saved to a default location, depending on browser settings.

PDF reports can be generated for the following pages: System, Suites and Businesses, Users, User and Guest Access Groups, Controlled Areas and Port Triggered Actions, Schedules and Special Days.

Creating CSV Report Files

A CSV file can also be generated on the Users, Suites and Businesses, and Events pages. To download, click on the [CSV] button next to the Search box.

Reports Available By Page

Page | Report Name | Description
Users | Users Report | Creates a list of all of the users in the database for review.
Access | User Access | Creates a list of all of the user access groups in the list.
Access | Guest Access | Creates a list of all of the guest access groups in the list.
Controlled Area | Controlled Areas | Creates a list of all of the controlled areas.
Controlled Area | Port Triggers | Creates a list of all port triggered actions currently in the system.
Schedules | Schedule | Creates a list of all schedules and their respective periods.
Schedules | Special Days | Creates a list of all of the special days currently in the system.
Events | Attendance | Works in accordance with anti-pass back for in-out readers to determine if someone was in the building.
Events | Alarm Monitor | Reports all alarms that occurred on the system between the requested date and time.
Events | Alarm Activity | Reports all alarms that occurred on the system between the activity and the real system.
Suites | Suites | Provides a list of all the suites in the system.
Suites | Businesses | Provides a list of all of the Business units in the system.

Time and Attendance Reports

The Freedom System is capable of generating reports of who has entered a particular Controlled Area in a given time frame, and who is currently in a particular area. This controlled area needs to have an Entrance and an Exit reader programmed. A report can also be generated in PDF format or CSV to be imported into a spreadsheet or database application.

  1. Click on the Events navigation tab.

  2. On the left, click on the Reports link.

  3. Click on the Attendance sub link.

  4. Enter a From/To date and time.

  5. Select the Zone Group(s) of interest.

  6. Optionally select User Category of interest.

  7. Optionally provide a Suite number, Card number, First or a Last name.

  8. Select either CSV or PDF report type. The two additional types, CSV Summary and PDF Summary, show daily card holder attendance summaries; all access transaction details are omitted.

  9. Click the Search button.


Backup & Restore

Manual Backup and Restore Configuration (Data)

It is recommended that regular backups of the database are made. Backup files should be stored on digital media such as flash drives or CDs and preferably kept in a secure place.  Because the backup files can contain sensitive information they should be protected from unauthorized access.

Manually Backup Data

  1. Click on the System navigation tab.

  2. On the left, click on the Administration link.

  3. Click on the Backup Data sub link.

  4. Find the location to store the file on the local computer.

  5. Click Save

Manually Restore Data

  1. Click on the System navigation tab.

  2. On the left, click on the Administration link.

  3. Click on the Restore Data sub link.

  4. Click the Choose File button. This will display the contents of the local computer.

  5. Find and open the backup file.

  6. Select the type of Restore:

    • Select Data Only if using a backup file from another unit.

    OR

    • Select All Settings only if using a backup file from the same unit.

    Restoring All Settings using a backup file from another Mesh Unit might have adverse effects.

  7. Click the RESTORE button.

  8. Reboot the system using the reboot link in the Utilities section.

Local Automatic Backup and Recovery Management

Mesh systems perform an automatic backup every day. These backup files can be used to bring the system back to a previous state, from before a file corruption may have occurred. The backups are made locally and are part of the standard internal operation of all Mesh systems.

Restore Database from Local Automatic Backup

  1. Click on the System navigation tab.

  2. On the left, click on the Administration link.

  3. Click on the Backup Data sub link.

  4. Click the plus (+) sign beside Restore from a system backup. This will display a list of previously saved back up files. These files are sorted by date.

  5. Click the Restore button beside the correct backup file.

  6. Reboot the system using the Reboot link from the Utilities section.

 Manual Backup of History (Event Logs)

All activities a system performs, such as dialing a suite from the panel, allowing PIN access, and allowing (or denying) access control activities, are recorded in the logs. Anyone whose user profile grants them access to the log can view and search the logs, and if the optional camera is installed, view photographs of people who use a system to access a building. Once a date is specified for backup, a compressed ZIP file is created.

This file can be uncompressed using the standard compression utilities built in to Windows. After uncompressing the logs, a program like Open Office or Microsoft Excel is needed to view the uncompressed comma separated value (CSV) file. The log backup file cannot be restored. It is only for auditing purposes.

Backup Local Business Admin Users

Because business admin users can’t access the System tab, the backup log instructions are different. Please refer to the Backup of Logs for Business Users section for more information.

Open Log Files  

  1. Decompress the Log file that was saved in the previous sections.

  2. Use either Microsoft Excel or a CSV compatible application to view the CSV file.

 Setting Up Remote Automatic Backups

  1. Click on the System navigation tab.

  2. On the left, click on the Utilities link.

  3. Click on the Remote Backup sub link.

  4. Select the Backup Method:

  • CIFS/SMB  (Linux System Backup)

  • FTP   

  • SFTP

  5. In the Server field, enter the IP address with the corresponding protocol.

  6. Enter the Remote file system Path.

  7. Enter the User name and Password that have permissions to write to the server and path.

  8. Select the Frequency of backups to be sent to the file:

  • Now – Sends when you select save. Recommended for testing the initial backup.

  • Hourly

  • Daily

  • Weekly

  • Monthly

  9. Click Save.

Importing Data

To import data to the database, import a template from the Import Data screen under the System -> Administration -> Utilities tab. Imported data is added to the existing data; existing data is not replaced by this function. Suite, Suite Code, and Business Name have to be unique across the imported data and the existing data. The User field does not need to be unique, but importing identical names will create duplicates.

Obtain a Data Template

  1. Click on the System navigation tab.

  2. On the left, click on the Utilities link.

  3. Click on the Import Data sub link.

  4. At the bottom of the page under To obtain a Data File Template, right click on the template and select “Save Target As...”, “Save Link As...”, or the equivalent option from the pop-up menu that appears.

  5. Select a directory to save the Mesh data backup file in the “Save as” dialog box.

  6. Name the template with the .xls extension. For example, user-template.xls.

  7. If the “Download complete” dialog box persists after the copy completes, click Close. Follow these steps carefully to append data to the database.

 Setting up a database file to import:

  1. Open the template file using MS Excel, or compatible spreadsheet application. Fill in the data.

  2. Do not delete or change the header cells in the template or the import will fail.

  3. Save the file to the comma separated values (*.csv) format.

  4. Always import the Business file first, followed by the Suites file, then the Users file.

  5. The result page displays the imported lines that generated errors. To correct the errors, create a new data file with the corrected data of those lines only and import the new data file.

  6. In the Users template, leave the User Id column blank.  This field is reserved for the Mesh system.

Importing Data

  1. Select the type of data that is being imported from the Target Data table dropdown menu.

  2. Click Browse.

  3. Find the data file that is being imported; make sure it is in CSV format.

  4. Click the Import button to add the data to the database. If no errors are displayed, the import is complete.

Commercial Database Replication

Database Replication Setup 

Database replication is used for Freedom systems that are deployed as redundant systems: all information is communicated to a hot standby that all bridges and users can communicate with in the event of failure. These are also the steps to deploy remote Freedom cube appliances for the sections that are needed.

The instructions below set up database replication between 2 or more Freedom servers. Before starting, verify that the full version numbers of the master and the slave nodes are identical.

Configuring the Master Server

  1. Configure the firewall to allow incoming connections on port 31415.

  2. Login to the Freedom administration software using the system user.  Call Viscount Support if you need the system password.  

  3. Click on the System navigation tab.

  4. On the left, click on the Administration link.

  5. Click on the System Parameters sub link.

  6. Click on the siteEngine.ini file to edit it.

  7. Edit the line that reads DBMode=single and change it to DBMode=master

  8. Click Save.

  9. Select and edit a different System Parameters file called start.ini

  10. Edit the line that reads #sds.service=no and change it to sds.service=yes

  11. Click Save and Reboot the server.

  12. Once the system is rebooted, log back in with the system user and go to the System tab.

  13. In the scope pane on the left, click on Utilities.

  14. Click DB Replication.

  15. Fill in the text boxes on the screen. 

    1. Host Name: This is the IP address of the master server.

    2. Sync Name: Name for the configuration. Enter something that will identify the master server. This field must be alpha numeric.

    3. Sync Protocol: Select http or https. In order to use https, additional configuration is required to install an SSL certificate on the master and slave servers.

    4. Sync Port Number: Select the TCP port number that slave servers will be connecting to. The TCP port number selected must be configured in the firewall to allow incoming connections. The Freedom server is preconfigured to support port 31415; additional configuration on the server is required if another port number is used.

  16. Click the Save button.  The master node configuration will be displayed in the Master Node section. The Delete button of the master node allows users to remove the master configuration from the server. It will be disabled if there are slave nodes attached to the master. The Stop Replication button allows users to stop the database replication process. The Restart Replication button allows users to restart the database replication process. The Refresh Server Cache button allows users to refresh the Freedom server cache to the slave nodes.

Configuring Slave Server

  1. Login to the Freedom administration software using the system user. Call Viscount Support if you need the system password.

  2. Click on the System navigation tab.

  3. On the left, click on the Administration link.

  4. Click on the System Parameters sub link.

  5. Click on the siteEngine.ini file to edit it.

  6. Edit the line that reads DBMode=single and change it to DBMode=slave

  7. Click Save.

  8. Select and edit a different System Parameters file called start.ini

  9. Edit the line that reads #sds.service=no and change it to sds.service=yes

  10. Click Save and Reboot the server.

  11. Once the system is rebooted, log back in with the system user and go to the System tab.

  12. In the scope pane on the left, click on Utilities.

  13. Click DB Replication.

  14. Fill in the text boxes on the screen.

    1. Master Node Registration URL: The URL that the slave server will be connecting to for data replication. The URL should be set to the Sync URL configured on the master server.

    2. Sync Name: Name for the configuration. Enter something that will identify the slave server. This field must be alpha numeric.

  15. Click the Attach button. The slave node configuration will be displayed in the Node section. The Detach button allows users to remove the node from the data replication. Detaching a slave node is a two-step process; refer to the Detaching Slave Server section below for details. The Stop Replication button allows users to stop the database replication process. The Restart Replication button allows users to restart the database replication process.


  16. To verify the slave server is configured properly, login to the master server and go to the System tab. Click on Utilities on the left and select DB Replication.  The client node should be listed.

  17. To verify that the configuration is good, add a controlled area on the master node and verify that it appears on the slave.
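Added example (not Identiv tooling): a preflight check of the two file edits from the master and slave procedures, run against copies of siteEngine.ini and start.ini before the reboot, plus a look at the Sync URL. The sample file contents, the line-based parsing, the address 192.0.2.10 and the URL path are constructed assumptions; the keys, their values and port 31415 come from the steps above.

```python
from urllib.parse import urlsplit

DEFAULT_SYNC_PORT = 31415  # port the guide says the Freedom server is preconfigured for
VALID_ROLES = ("master", "slave")

# Constructed samples: a slave node where neither file has been edited yet.
SAMPLE_SITE_ENGINE_INI = "DBMode=single\n"
SAMPLE_START_INI = "#sds.service=no\n"
SAMPLE_SYNC_URL = "http://192.0.2.10:31415/sync-path-placeholder"


def active_settings(text):
    """Parse key=value lines, ignoring blank lines and '#' comments.

    Assumption: the files are flat key=value text, as the edits in the
    procedure suggest. A commented-out key is treated as not set.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def check_node(role, site_engine_ini, start_ini, sync_url=None):
    """Return a list of findings; an empty list means the node looks ready."""
    if role not in VALID_ROLES:
        raise ValueError(f"role must be one of {VALID_ROLES}")
    findings = []

    mode = active_settings(site_engine_ini).get("DBMode")
    if mode != role:
        findings.append(f"siteEngine.ini: DBMode is {mode!r}, expected {role!r}")

    service = active_settings(start_ini).get("sds.service")
    if service is None:
        findings.append("start.ini: sds.service is missing or still commented out")
    elif service != "yes":
        findings.append(f"start.ini: sds.service is {service!r}, expected 'yes'")

    if sync_url:
        url = urlsplit(sync_url)
        if url.scheme == "http":
            findings.append("sync URL uses http: replicated data is sent unencrypted")
        elif url.scheme != "https":
            findings.append(f"sync URL has unexpected scheme {url.scheme!r}")
        try:
            port = url.port or (443 if url.scheme == "https" else 80)
        except ValueError:
            port = None
        if port != DEFAULT_SYNC_PORT:
            findings.append(
                f"sync port is {port}, not {DEFAULT_SYNC_PORT}: the firewall and "
                "server need the additional configuration the guide mentions")
    return findings


if __name__ == "__main__":
    for finding in check_node("slave", SAMPLE_SITE_ENGINE_INI,
                              SAMPLE_START_INI, SAMPLE_SYNC_URL):
        print("FINDING:", finding)
```
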

Detaching Slave Server

Detaching a slave server from the master server is a two-step process.

  1. Logon to the slave server with the system user and go to the System tab.

  2. In the scope pane on the left, click on Utilities.

  3. Click DB Replication.

  4. Click the Detach button to detach the node from the master.

  5. Logon to the master server with the system user and go to the System tab.

  6. In the scope pane on the left, click on Utilities.

  7. Click DB Replication.

  8. Find the client node and click the Delete button to detach the slave server.

 Microsoft Active Directory (AD) Integration

Active Directory Overview

Active Directory integration is a way to integrate the Physical Access Control System with the existing logical infrastructure.  In order to configure Active Directory you must login with the system account.

This section covers how to converge the logical provisioning that exists in Microsoft Active Directory with the logical access control of Freedom. It is intended to go over the basic configuration of Active Directory with Freedom to get your system up and running.

Single Server Deployment Example

Freedom Commercial or Freedom Enterprise links the Freedom application to each server; there are three methods of deployment.

Understanding Graceful Access

The Freedom access control system uses graceful access to link multiple different systems together.

Design Consideration

When deploying Freedom it is possible to deploy each server in a global environment to be an extension to be managed by a different administrator.  There is a pricing difference from the Freedom Commercial to Freedom Enterprise versions of the active directory licensing. 

For training on active directory implementation, please reach out to trainingsupport@identiv.com

Active Directory Configuration

To configure Active Directory in Freedom:

  1. Login to Freedom with the system account.

  2. Click on the System navigation tab.

  3. On the left, click on the Active Directory link.


Options | Description
Connection Timeout | The connection timeout in seconds to the active directory.
Audit Data Enabled | When this is enabled, all changes made through the active directory integrations will be logged in the Audit logs. Enabling this option will dramatically increase the number of logs. The minimum hard disk space recommended is 500 GB when this feature is enabled.
Web Login Enabled | Groups of administrators can be assigned to an administrator account. That account will link the admin profile to that permission for administration. It is recommended that for these types of accounts you name them differently than your standard user base to support the integration. To allow the login from this group, you must have the Web Login Enabled box checked.
User Sync Start Time | The start time of the synchronization of users, organizational units, and groups from LDAP connections. Multiple synchronizations can be scheduled to run at different times of the day.
User Sync Read Timeout | The timeout in seconds before the query issued by user sync is aborted.
Force Update Enabled | This will force user updates from the active directory structure.
Live Update Enabled | This feature enables an OU, Group, and Access Group attribute check against active directory on every card scan. If disabled, it will rely on the data from the scheduled synchronization.
Live Update Read Timeout | The timeout in seconds before the query issued by live update is aborted.
Live Update On Imported LDAP Connection | This setting is only applicable when multiple LDAP connections are configured. When enabled, if the PIN/carddata is already imported to Freedom, Live Update will first be performed on the LDAP connection where the PIN/carddata was imported from in order to speed up the Live Update process.

  4. Click the Save button to save the configuration.

LDAP Connections

To add a new LDAP connection:

  1. On the Active Directory Configuration page, click the Add LDAP Connection button.


  2. On the LDAP Connection page, enter the connection information of the LDAP Server. 

Options | Description
Name | The name of the LDAP connection.
Server URL | The URL of the LDAP server.
Search Base | Using the query structure, this is the search base for all queries.
Domain | The DNS name of the domain that you would like to connect to.
Username (User ID) | This is a user that has permissions to query the active directory domain defined.
Password | Password of the active directory user.

  3. Click the Test Connection button to confirm Freedom can connect to the LDAP server.

  4. Click the Save button to add the LDAP connection.

  5. After the LDAP connection is saved, click the Cancel button to return to the Active Directory Configuration page.

  6. On the Active Directory Configuration page, click the One Time Sync button to import the OUs and LDAP groups from the LDAP server.

  7. Go to the Events tab and check the LDAP synchronization status. After the LDAP synchronization is finished, go back to the Active Directory Configuration page and click the LDAP Connection that you just added. From the LDAP Connection page, you can specify the criteria for importing users and admin users from the LDAP Server.

Active Directory User Import

Filter Import by Organizational Unit and Group

From the search index provided in setup, the import screen populates with the Groups and Organizational Units (OUs). When these are selected, the import is filtered and only the selected users are pulled into the Freedom System to manage.

Users, when moved in or out of these defined areas, will be added to or deleted from the Freedom system.

To Import Users:

  1. On the LDAP Connection page, click the Import Users button.

  2. Click the AD Users Import/Sync tab.

  3. On the Import Users page: To import all users, check the Import All Users box. To import users from Groups and OUs, click the entry in the Available box to move it to the Selected box. To search users in nested Active Directory groups, select the Nested Group Search checkbox.

Options | Description
Import All Users From Groups | Imports all users who are part of the selected AD groups.
Import All Users From OUs | Imports all users found in the OU, and all sub OUs.

  4. Click the Save button to save the import user configuration.

User Attribute Mapping

There are two types of fields to map in the User Attributes Mapping tab: fields that are automatically mapped and user selected fields.

  1. On the Import Users page, click the User Attributes Mapping tab.

Automatically Mapped Fields

These fields are defined and statically mapped to AD attributes.

Freedom User Attribute | Active Directory Name
Username (User ID) | objectSID
First Name | givenName
Last Name | sn
Display Name | displayName
Email | mail
Telephone | telephoneNumber

Freedom Selected Mapped Fields

Freedom User Attribute | Mapping Behaviour and Features
Start Date | The date must be a properly formatted date. If specified, it will be the start date of the user access.
Expiry Date | The date must be a properly formatted date, and will disable the user credentials after the defined expiry date.
Card Data | Map to multiple AD attributes. When a card is deleted from active directory, it will be deleted in Freedom. Likewise, when a new card number is added to a user in active directory, it will be added to Freedom.
Pin | Select mapping to a single AD attribute. This attribute will be mapped to the User PIN in Freedom. The value in this AD attribute must be unique.
Access Linked AD Attributes | Map to multiple AD attributes. It will show up in a list of all possible assigned values across all users to assign to an access group, so the values assigned to users can be mapped to access groups. If the user has this attribute, they will be granted access.
User Category | Select mapping to multiple AD attributes. The first value found in the mapped AD attributes will be used as the user’s category.
Custom Fields | Select mapping to a single AD attribute. If an attribute is a multiple value string, the attribute is chosen in active directory. Supports a Custom Mapping Name.

 Users Import Exclusion Filters

To further refine the criteria for importing users, you can create exclusion filters based on the value of the user’s AD attributes.

  1. On the Import Users page, click the AD Users Import Filters tab. 

  2. There are two ways to specify the user import filter. By selecting the Attribute Exclusion Filter option, you can define filters to exclude certain users from importing to Freedom. Alternatively, you can select the Advanced LDAP Filter option to specify the actual import filter query for importing users to Freedom.

  3. Define Attribute Exclusion Filter

  4. Define LDAP filter query

  5. Click the Save button to save the configuration.
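Added example, not from the Freedom documentation: how a list of attribute exclusions translates into a single LDAP filter string of the kind the Advanced LDAP Filter option takes, with values escaped so that characters such as `*` and `(` are matched literally. It assumes the field accepts standard RFC 4515 filter syntax; the rules are constructed, and the disabled-account clause uses Active Directory's bitwise-AND matching rule on `userAccountControl`.

```python
import re

# RFC 4515: inside a value these characters must be written as \XX hex
# escapes, otherwise they are read as filter syntax rather than data.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
_ATTRIBUTE = re.compile(r"[A-Za-z][A-Za-z0-9-]*")

# Active Directory bitwise-AND matching rule and the "account disabled" flag.
AD_MATCH_BIT_AND = "1.2.840.113556.1.4.803"
UAC_ACCOUNTDISABLE = 0x2

# Constructed exclusion rules: (attribute, value, match type).
EXAMPLE_RULES = [
    ("department", "Contractors (Temp)", "equals"),
    ("sAMAccountName", "svc_", "startswith"),
    ("description", "*no badge*", "contains"),
]


def escape_value(value):
    """Escape a literal value for use inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def exclusion_clause(attribute, value, match="equals"):
    """Build one (!(attr=value)) clause; wildcards come only from `match`."""
    if not _ATTRIBUTE.fullmatch(attribute):
        raise ValueError(f"not a valid attribute name: {attribute!r}")
    if value == "":
        # An empty prefix would become attr=* and exclude every user that
        # has the attribute at all, which is rarely what was meant.
        raise ValueError("exclusion value must not be empty")
    escaped = escape_value(value)
    patterns = {
        "equals": escaped,
        "startswith": escaped + "*",
        "contains": "*" + escaped + "*",
    }
    if match not in patterns:
        raise ValueError(f"unknown match type: {match!r}")
    return f"(!({attribute}={patterns[match]}))"


def build_import_filter(exclusions, skip_disabled=True):
    """AND together: is a user, is not disabled, matches no exclusion."""
    clauses = ["(objectCategory=person)", "(objectClass=user)"]
    if skip_disabled:
        clauses.append(
            f"(!(userAccountControl:{AD_MATCH_BIT_AND}:={UAC_ACCOUNTDISABLE}))")
    clauses.extend(exclusion_clause(*rule) for rule in exclusions)
    return "(&" + "".join(clauses) + ")"


if __name__ == "__main__":
    print(build_import_filter(EXAMPLE_RULES))
```
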

Understanding Attribute Based Access Control

Leveraging the Access Group link to physical security allows the administration team to cut down on time associated with the users.

Active Directory Administrator Import

Groups of administrators can be assigned to an administrator account. That account will link the admin profile to that permission for administration.  It is recommended that for these types of accounts you name them differently than your standard user base to support the integration.

For this section to allow the login from this group, you must have the Web Login Enabled box checked on the configuration page.

Mapping Access Group Field to Physical Access Group

The Freedom system will pull into the attribute list a list of all possible attributes that are currently loaded within active directory.  On every card scan, Freedom will ask active directory if the user has the variable that is selected.

User Access Groups

The user access group can be linked to AD OUs, Groups or Access Linked AD attributes.

Attribute Based Access Control Use Cases

Besides associating a user access group to AD OU(s) and Group(s), you can select an AD attribute and use it as an Access Linked AD attribute.

This allows for several use cases around applying logical attributes to the physical space:

  • Umbrella Company Management: By Company name for contractors, employees, you can grant access to areas between time frames.

  • Business Specific Attributes: Every business has attributes that can drive access to physical areas:

    1. Title

    2. Department

    3. Training Level

  • Geographic Association: Allowing anyone from the state to have general access to your front door and lobby area.

  • Clearance Levels: Clearance in AD allows for internal controls on physical area the same way you would allow AD.

Personal Identity Verification

When equipped with FICAM capable readers, Freedom can perform real-time PKI verifications during PIV card access.

Cardholder Registration Tool – VeriCert

VeriCert is a desktop application that registers PIV credentials into Freedom PACS and Validation System. With VeriCert’s intuitive design, a PIV cardholder’s credential can be fully authenticated, validated, registered and provisioned within seconds, allowing the cardholder access to a specified set of doors.


Using VeriCert

Before enrolling cardholders, it is important to configure a few settings:

  1. Application Settings.

  2. Connection Settings.

Application Settings

The Application settings for VeriCert allow administrators to select a USB smartcard reader. Preferences, such as name parsing patterns, may also be found in VeriCert’s application settings.

  1. On the menu bar, click on Settings, and select Application Settings…

  2. From the Enrollment Reader dropdown list, select the USB smartcard reader detected by the software. To detect a newly installed reader, click the Refresh button to update the dropdown list.

  3. If the smartcard reader has a built-in keypad:

    1. Check Use Reader’s Keypad to Enter PIN to use the smartcard reader’s keypad to enter PIN.

    2. Uncheck Use Reader’s Keypad to Enter PIN to use the Workstation’s keyboard to enter PIN.

  4. From the Printed Name Pattern dropdown list, select the name pattern that will be used to parse the printed name on a PIV credential. The user is able to test the selected pattern by clicking the Test button to test if the pattern can produce the expected result.

  5. Click Save to update Application settings.

Other Application Settings

  • Proxy server – the URL of the proxy server through which the OCSP server can be accessed.

  • FICAM Compliance – this setting allows VeriCert to omit PKI validation during registration. This setting should always be checked during normal operation.

  • Match Cardholder Fingerprint – this setting tells VeriCert to find a fingerprint match during registration. If this setting is enabled but no matching fingerprint is obtained, VeriCert will fail registration.

  • Additional Validation Details – this setting lets VeriCert record additional certificate details during validation and is useful for troubleshooting.

  • Site ID’s – this setting allows VeriCert to restrict the set of Access Groups that cardholders can be assigned to. By default this field is empty, meaning cardholders can be assigned to Access Groups from all sites.

Connection Settings

The connection settings denote the Freedom API Server that VeriCert will connect to. VeriCert uses the Freedom API to enroll PIV cardholders and retrieve Access Groups to/from Freedom Access Control System.

  1. On the menu bar, click on Settings, and select Connection Settings…

  2. In the Protocol field, select the Freedom API protocol. Default is HTTP.

  3. In the Server Address field, enter the IP Address of the Freedom API Server. Default is 192.168.123.101.

  4. In the Port field, enter the port of the Freedom API Server. Default is 9000.

  5. In the Username field, enter a Freedom Admin User’s Username. Default is freedom.

  6. In the Password field, enter a Freedom Admin User’s Password. Default is viscount.

  7. Click on the Test Connection button to ensure that VeriCert can contact the Freedom API using the given settings. A Connection Successful notification will be shown if settings are correct.

  8. Click Save to update settings.

Enrolling Cardholders

  1. Insert the PIV card into the USB smartcard reader. VeriCert will take a moment to download and verify all required credentials.

  2. Enter PIN when prompted.

  3. Once the PIV credential is fully processed, verify the information and click the Next button.

  4. Assign Access Group to the cardholder.

  5. Click Save Change to send cardholder data to Freedom.

Freedom PIV

Freedom can perform certificate validation on PIV credentials during access. There are a number of settings that can adjust the validation process, such as status proxy update frequency, CRL download frequency, root and intermediate certificate store management, certificate policies, extended key usage extensions and PKI fault options.

PIV Configuration

In the System tab, under PIV, the first menu item is OCSP/CRL Configuration, which covers the back-end settings for PKI validation.

Enabled – this enables/disables real-time PKI/OCSP validation during card swipes. Note that when this feature is disabled, Freedom will at a minimum revert to downloaded CRL information to determine the validity of a credential.

Path Discovery Timeout – this specifies the timeout limit (in seconds) for Freedom to discover certificate chains.

Status Proxy Update Frequency – this specifies the frequency in hours that Freedom should update the status of cardholders’ certificates. The cached status will be used when real-time OCSP validation is failing due to network errors.

Deny Access upon OCSP timeout/network error – when enabled, this prevents Freedom from granting access when a network error occurs during an OCSP query.

Falls back to cache upon network error – when enabled, Freedom will look up cached status for a cardholder’s validity when there is an OCSP related network error. Note that even when this feature is disabled, Freedom will always revert to CRL information when no real-time OCSP information is available.

Additional Validation Result Details – when enabled, Freedom will record additional validation details such as certificate serial numbers and URL information during PKI validation process.

Certificate Manager

Certificate Manager allows administrators to configure Freedom’s certificate store. This certificate store holds both root and intermediate certificates.

To add a certificate to the store:

  1. Go to System -> PIV -> Certificate Manager.

  2. To add a certificate, click the Browse/Choose File button and select the certificate from the file system.

  3. Click the button to add the certificate.

 

To remove a certificate:

Click the button beside the listed certificate.

Note that when a redundant certificate is being added, Freedom will ignore the new entry. A redundant entry means that the Issuer name and serial number of the certificate already exists in the store.

Certificate Policies

Freedom can impose certificate policy constraints on the three major certificates – PIV, Card Auth and CHUID Signature. These constraints are assigned in the form of OID strings.

To add a certificate policy constraint to a certificate:

  1. Go to System -> PIV -> Certificate Policies.

  2. Click the tab that represents the certificate type of interest.

  3. Enter the OID string (e.g. 2.16.840.1.101.3.2.1.48.11), enter the description text (optional) and click the button.

 To remove a Certificate Policy OID:

Click the X button next to the OID.

Extended Key Usage Extensions

Similar to Certificate Policies, Freedom allows administrators to specify required extended key usage extensions.

To add an extended key usage extension constraint to a certificate type:

  1. Go to System -> PIV -> Ext. Key Usage.

  2. Click the tab that represents the certificate type of interest.

  3. Enter the OID string (e.g. 2.16.840.1.101.3.2.1.48.13), enter the description (optional) and click the +  button.

To remove an extended key usage extension constraint:

Click the button next to the OID.

PKI Fault Options

During card access, Freedom performs a long list of validations that adhere to FICAM requirements. For institutions that may not issue PIV cards that fulfil all FICAM requirements, administrators can optionally disable certain fault validations. The following are the options that can be disabled:

  1. Invalid CA Signature

  2. Invalid CA notBefore Date

  3. Invalid CA notAfter Date

  4. Invalid Name Chaining

  5. Missing Basic Constraints

  6. Invalid CA False Critical

  7. Invalid CA False not Critical

  8. Invalid Path Length Constraint

  9. keyUsage keyCertSign False

  10. keyUsage Not Critical

  11. keyUsage Critical CRLSign False

  12. Invalid inhibitPolicyMapping

  13. Invalid DN nameConstraints

  14. Invalid SAN nameConstraints

  15. Invalid Missing CRL

  16. Invalid Revoked CA

  17. ICAM Invalid CRL Signature

  18. Invalid CRL Issuer Name

  19. Invalid Old CRL nextUpdate

  20. Invalid CRL notBefore

  21. Invalid CRL Distribution Point

  22. Valid requiredExplicitPolicy

  23. Invalid requiredExplicitPolicy

  24. Valid GeneralizedTime

  25. Invalid GeneralizedTime

  26. Invalid SKID

  27. Invalid AKID

  28. Invalid CRL format

  29. Invalid CRL Signer

  30. Golden PIV-I path

  31. OCSP - Unable to get Issuer Cert Locally

To enable or disable PKI Fault Options:

  1. Go to System -> PIV -> PKI Fault Options.

  2. Check or Uncheck fault options.

  3. Click Save to update.

CRL Summary

Freedom downloads CRL information for all cardholders in the database periodically. It provides a summary of the number of revoked certificates under each relevant issuer. See System -> PIV -> CRL Summary:

If CRL information cannot be obtained for more than 16 hours, this summary page will provide an alert that indicates ‘Download Overdue’.

PIV Card Single-Sign‐On Configuration

This section covers the steps to sign on to Freedom Admin using PIV cards.

  1. Enroll a PIV cardholder into Freedom by VeriCert.

  2. Go to Users, edit the user profile.

  3. Enable Admin function to the user.

  4. Enter the logon User ID, password and appropriate privileges.

  5. Click Save.

  6. Add the PIV card's Root Certificate in System -> PIV -> Certificate Manager.

  7. Restart Freedom server (System -> Utilities -> Reboot).

  8. In Windows, make sure “Certificate Propagation Service” is enabled and started.

  9. Insert PIV card into reader.

  10. In Chrome browser, go to https://<FreedomServerIP>:8443/

  11. Select the PIV Authentication Certificate for the card.

  12. Enter PIN.

  13. Once the PIN is validated, the browser will log in to Freedom Admin.

Mobile Access

Freedom now provides location based access with mobile devices such as iPhone or Android. Traditionally each controlled area has to be associated with a reader. With this new “Geo Location” based feature, a controlled area can simply be assigned with a GPS co-ordinate or a proximity device such as a Bluetooth Beacon. Freedom first determines the user’s proximity to a door/controlled-area by comparing the location reported by the mobile. Once determined, Freedom then performs the corresponding access control operation. This feature conveniently bypasses the need for readers and access cards; instead a mobile device is used as credential identification.

Configuring Geo Location

To configure Geographic information:

  1. Select the Controlled Area

  2. Click the Geo Location tab.

  3. For GPS based access, select GPS radio button.

  4. Enter Latitude, Longitude, radius and the unit (e.g. Feet or Meter) which best cover the entrance area.

  5. Click Enabled to activate Geo Location access for this area.

  6. For Beacon based access, repeat steps 1 – 2 and click Beacon radio button instead.

  7. Select the Unique ID from the Beacon dropdown list. For details on allocating Beacons in Freedom, see next section Configuring Beacon Access.

  8. Click Enabled to activate Beacon access for the area.
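The GPS settings above (latitude, longitude, radius and unit) imply a point-in-circle test against the position the mobile reports. The following is an added illustration in Python, not Freedom's own code: the `GeoArea` class, the function names and the handling of the device's reported accuracy are assumptions, and the sample coordinates are constructed. It shows how the chosen radius interacts with GPS error, which matters when sizing the radius for an entrance.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6371008.8                        # mean Earth radius in metres
UNIT_TO_METRES = {"meter": 1.0, "feet": 0.3048}   # the two units named in step 4


@dataclass(frozen=True)
class GeoArea:
    """Hypothetical mirror of one controlled area's Geo Location (GPS) fields."""
    name: str
    latitude: float
    longitude: float
    radius: float
    unit: str
    enabled: bool = True

    def radius_m(self) -> float:
        factor = UNIT_TO_METRES.get(self.unit.strip().lower())
        if factor is None:
            raise ValueError(f"{self.name}: unknown unit {self.unit!r}")
        if not (math.isfinite(self.radius) and self.radius > 0):
            raise ValueError(f"{self.name}: radius must be a positive number")
        return self.radius * factor


def check_coordinate(lat: float, lon: float) -> None:
    """Reject values that cannot be a WGS-84 position (NaN, infinity, out of range)."""
    if not (math.isfinite(lat) and math.isfinite(lon)):
        raise ValueError("coordinate is not a finite number")
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        raise ValueError(f"coordinate out of range: {lat}, {lon}")


def distance_m(lat1, lon1, lat2, lon2) -> float:
    """Great-circle (haversine) distance in metres between two points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(min(1.0, a)))


def evaluate_fix(area: GeoArea, lat: float, lon: float, accuracy_m: float = 0.0) -> str:
    """Classify a reported position against one area.

    Returns "disabled", "inside", "outside" or "uncertain". "uncertain" means the
    device's own error circle (accuracy_m) straddles the boundary, so the fix
    neither proves nor rules out presence at the entrance.
    """
    if not area.enabled:
        return "disabled"
    check_coordinate(area.latitude, area.longitude)
    check_coordinate(lat, lon)
    if not (math.isfinite(accuracy_m) and accuracy_m >= 0):
        raise ValueError("accuracy must be zero or a positive number of metres")
    radius = area.radius_m()
    d = distance_m(area.latitude, area.longitude, lat, lon)
    if d + accuracy_m <= radius:
        return "inside"
    if d - accuracy_m > radius:
        return "outside"
    return "uncertain"


if __name__ == "__main__":
    # Constructed sample areas and fixes; the coordinates are not from any real site.
    lobby = GeoArea("Front Lobby", 49.0, -123.0, 30, "Meter")
    yard = GeoArea("Loading Yard", 49.0, -123.0, 400, "Feet")
    for area, fix in [(lobby, (49.0, -123.0, 5.0)),
                      (lobby, (49.001, -123.0, 5.0)),
                      (yard, (49.001, -123.0, 5.0)),
                      (yard, (49.001, -123.0, 20.0))]:
        print(area.name, fix, "->", evaluate_fix(area, *fix))
```

A radius that is small compared with the typical accuracy of a phone's fix produces mostly "uncertain" results, while a radius that is much larger than the entrance admits positions well away from the door.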

Configuring Beacon Access

To configure Beacons in Freedom:

  1. Go to System.

  2. Click Mobile to expand its sub-menus.

  3. Click Beacon Config.

  4. Enter the following information:

Option – Description

Server – URL for the Beacon Server Portal.

API Key – Key to access the portal’s API.

API Version – Version of the portal’s API.

UUID – UUID for the Beacon count.

  5. Click the Sync checkbox to enable periodic updates of the Beacon status information. The default behavior is an update every two hours.

Mobile Device Registration

To register a Mobile user in Freedom, these are the general steps:

  1. Create the user and set the Mobile flag to true.

  2. Assign a mobile password for the user.

  3. Freedom server will automatically send the password to the mobile user via email.

  4. Once the password is obtained, the user may log on to the Freedom Mobile App and start enjoying the service.

Configuring email server on Freedom

  1. Go to System -> Mobile.

  2. Click Email Config.

  3. Enter the email server’s address and the sender address of the registration email.

Configuring registration Email Template

  1. Go to System -> Mobile.

  2. Click menu item Mobile Onboard Email Template.

  3. Enter Mail Subject Text, e.g. Mobile App Registration.

  4. Enter Mail Content that shall contain links to download Mobile App, user password and any information that is valuable to the registration process.

  5. A reserved token USER_PASSWORD can be embedded in the mail content which will then be replaced by the user password assigned during the registration process.

Managing Enterphone MESH Panels

MESH panels provide visitors with a way to communicate with tenants from the front common entrance. Tenants then can grant or deny access to the building. MESH panels display a list of users that can be dialed. For hardware installation please view the MESH Hardware Installation Guide.

By default MESH panels are added to a single controlled area. This allows the panel to grant access if the tenant presses the relay activation digit when dialed.

Enterphone MESH Panel Settings

MESH panel settings such as talk time, relay access digit and activation time can be configured. To access these settings:

  1. Click on the System navigation tab.

  2. On the left, click on the Enterphone MESH link.

  3. In the Actions bar, click Add Panel. The following screen is displayed:

  4. Enter the Panel ID. This ID number can be found in the sitepanel.ini file for this panel. See Mesh Parameter Files for more information.

When panels are working as Global panels, each panel in the Main-Peer network must have a unique Panel ID. The recommended IDs start from the default 10000 and count upwards (e.g. 10000 Front Lobby Panel, 10001 Back Door Panel).

  5. Enter a Name: this identifies the panel when adding it to Controlled Areas. This field should be changed if there is more than one panel.

  6. Enter the Relay 1 or 2 Access digit: the digit on the telephone that the tenant must press to activate the appropriate relay.

  7. Enter the Relay 1 or 2 Activation Time (Seconds): this specifies for how many seconds the relay is activated once a tenant grants access.

  8. Enter the Talk Time: this is the maximum duration of a call (in seconds) before the panel automatically hangs up.

  9. Click Save.

Enterphone MESH (Controlled Area Tab)

The Enterphone MESH tab allows you to attach MESH panels to Controlled Areas. NOTE: MESH panels must have already been created in the System -> Enterphone MESH screen.

Please refer to the Mesh Panel Settings section for more details regarding MESH panels.

In the Enterphone MESH tab on the View/Edit Controlled Area screen:

  1. Select an Enterphone MESH panel from the dropdown box.

  2. To add a second panel to this controlled area, click the add + button.

  3. Click Save.

Changing Screen Saver Image File

When MESH Panels are idle for longer than the default screensaver timeout, the default screensaver graphic is displayed. This graphic can be changed from the media files. Use the instructions in the Media Files section to access and change the screensaver_1024x768.gif file.

This is the default screensaver picture. Edit this file using any graphic editing software that supports the GIF format. Keep in mind that the edited file’s name, resolution, and color settings must match this file. Once the editing is complete use the Update Media Files from the System tab to upload the edited screensaver_1024x768.gif file. Restart the Panel using the Reboot link at the bottom of the Utilities page.

Changing Screen Saver Timeout

By default, the screensaver activates after 60 seconds of inactivity. This number can be changed from the file sitePanel.ini.

  1. Click on the System navigation tab.

  2. On the left, click on the Administration link.

  3. Click on the System Parameters sub link.

  4. Click on the sitePanel.ini file.

  5. Edit the line screensaverTimeOut=60; change 60 to any other value. Do not edit any other value.

  6. Check the Reboot after save box. This will do a full restart of the panel after you save the file.

  7. Click Save.

Calibrate MESH Screen

MESH parameter files are used to configure the software on both the server and the panel.

MESH Parameters Files

MESH parameter files are used to configure the software on both the server and the panel. These files are located in the System Parameters link under the System -> Administration tab. They can be edited in the in-browser text field that opens when you click on a file, or backed up by clicking Download, edited locally with a text editor and then uploaded back to MESH. Once the files are uploaded back to MESH, the server must be restarted using the Reboot link at the bottom of the Utilities page or by checking the Reboot after save option on the Edit page.

Parameter files should only be changed if instructed by Viscount Technicians.

The following parameter files are user-modifiable:

dealer.ini

installer.ini

siteEngine.ini

sitePanel.ini

To Edit a Parameter file

  1. Click on the Administration link from the System navigation tab.

  2. Click on the System Parameters sub link.

  3. Click on the file you would like to edit.

  4. Make any changes necessary to the text presented in the text area.

  5. If you would like a backup of the existing file, choose Write Backup.

  6. Check the Reboot after save box if a reboot is required. Keep in mind that for the changes to take effect a full system reboot is required.

  7. Click Save.

To Backup Parameter Files

  1. Click on the Administration link from the System navigation tab.

  2. Click on the System Parameters link.

  3. Select the file you would like to back up.

  4. To back up, click the Download link next to the file.

  5. Select a location to back up the file.

  6. Name the file with the extension *.ini.

  7. Click Save.

Main and Peer Configuration (Sync MESH Units)

This form of replication only copies the Suite and User data to a remote panel to be loaded on the display.  This does not allow for a remote system to be working as a backup unit for bridge communication.

Main peer integration with a panel is intended for one site only, where the unit is on the same network. Deploying multiple MESH panels across multiple sites is not supported in Freedom 9.1. Please see Mesh and Freedom Application Note (AN9019) for more details.

Main and peer configuration creates a link between two MESH units. This can be multiple MESH Panels to a single Freedom server or multiple Freedom servers to one Freedom server. The Main servers automatically start sharing data once a peer establishes communication. More information about main and peer configuration can be obtained from the Main

To Setup a Main and a Peer

Follow the instructions below on any unit that needs to be configured as a peer. No configuration is necessary on the main units.

  1. Open the siteEngine.ini using the instructions from System Parameters.

  2. Locate the line MainPeers=

  3. Add the IP address of the main server. For example, MainPeers=192.168.123.101

  4. Locate the line SystemName=

  5. Add an appropriate name for the peer. For example, SystemName=FrontPanel

  6. Save the siteEngine.ini

  7. Restart the MESH peer system

Once the configuration is done, connect to the Main server and log in. At this point there should be a button labeled with the names of Peer devices along the top of the Administration System’s interface. If there are any changes that need to be made to non-common data, these buttons can be used to connect to the Peer devices. If the button is absent from the Main Server or Panel, check over the configuration that was made up to this point then log out and log back in.

The buttons that allow access to peer units might not be visible immediately after the configuration.

Copy Common Data

Once the connection is established between a peer and a main, there may be some data inconsistencies. To clear all the data on the peer and copy everything from the main, a Copy Common Data needs to be done.

  1. Click on the System navigation tab.

  2. On the left, click on the Administration link.

  3. Click on the Copy Common Data sub link.

  4. From the list of Available Servers, select the main server.

  5. Click Copy

This step could take a long time if the database is large.

MESH Panel File Configuration

On MESH Panels an additional configuration file exists that controls the configuration of Panel-specific options.

Use the steps described in Editing a Parameter file to edit the siteEngine.ini. The Panel will need to be restarted for any changes to this file to take effect.

Parameters in the sitePanel.ini file are:

Option – Description

serverName – localhost or the IP address of the panel.

panelId – The panel ID. This field should not be changed.

screensaverTimeOut – The number of seconds before the screensaver becomes active (0 deactivates the screensaver).

codeprefix – Filters suites codes based on this digit so that only suites with codes beginning with this number (or range of numbers) are displayed on this panel.

switchDigit – Calling suites with codes beginning with this digit or range of digits (e.g. “1-5” or “1,3,6”) will trigger the Call Redirector Board to use a second line.

ringAltCount – The number of rings the dialer will wait before calling a suite’s alternate number.

hbCode – If set, a button will be displayed at the top of the directory and when it is pressed, the suite whose code is entered will be dialed.

activateOnDialPanelId – The Panel ID of a panel that is in a Controlled Area whose devices should activate whenever a panel is in use. This requires that a second panel be added to the local panel and that second ID used in the aforementioned Controlled Area.

directoryRows – The number of rows of suites displayed in the directory listing.

directoryColumns – The number of columns of suites displayed in the directory listing.

SSButtonHeight – Vertical placement of language buttons expressed in pixels from the top.

listBusTextCenter – Yes or No option to centre business names.

directoryFont – Resize the directory font. 0 is the default, +1 will increase the size, -1 will decrease.

businessFont – Resize the business listing font. 0 is the default, +1 will increase the size, -1 will decrease.

displaySuiteCode – Yes or No option to display each suite’s code in the directory.

rightAlignSuiteCode – Yes or No option to place suite codes on the left or right side of the display.

Display Call Button – Yes or No option that allows for removal of the call button beside a tenant’s name.

Search Only – Yes or No option that allows a user to use the panel only for searching for a tenant, no calling.

listTextColor – An RGB triplet that sets the colour of the suites listed in the directory.

listBusTextColor – An RGB triplet that sets the colour of the businesses listed in the directory.

listBGColor – An RGB triplet that sets the background colour of listings in the directory.

alternateBGColor – An RGB triplet that sets the alternating colour of listings in the directory.

cancelButtonColor – An RGB triplet of the color applied to the cancel button.

cancelButtonTextColor – An RGB triplet of the color applied to the text of the cancel button.

logoColor – An RGB triplet that sets the colour of the logo area.

buttonSelect – An RGB triplet of the colour applied to a button when it’s selected.

sbTrackColor – An RGB triplet of the colour applied to the back of the scroll bar.

keyColor – An RGB triplet that sets the colour of the touch keypad.

sbThumbColor – An RGB triplet that sets the color of the directory scroll button.

sbTrackColor – An RGB triplet that sets the colour of the directory scroll bar.
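The parameter-file procedures above ask for narrow edits: change only screensaverTimeOut in sitePanel.ini, leave panelId alone, and set MainPeers and SystemName in siteEngine.ini on a peer. The following added Python example (not part of Freedom or MESH) compares the backup obtained with Download against the edited copy before it is uploaded and reports any key that changed outside the intended set. The function names, the assumed `key=value` layout with optional comment and section lines, and the sample file contents are assumptions constructed for illustration.

```python
import ipaddress


def parse_params(text: str) -> dict:
    """Read key=value lines. Blank lines, lines starting with ';' or '#', and
    [section] headers are skipped (an assumption about the file layout)."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    return values


def changed_keys(before: dict, after: dict) -> dict:
    """Map each added, removed or modified key to (old, new); None means absent."""
    return {k: (before.get(k), after.get(k))
            for k in sorted(set(before) | set(after))
            if before.get(k) != after.get(k)}


def _timeout_problem(value):
    if not (value.isascii() and value.isdigit()):
        return "must be a whole number of seconds (0 deactivates the screensaver)"
    return None


def _peer_problem(value):
    try:
        ipaddress.ip_address(value)   # treated as one address, as in the page's example
    except ValueError:
        return f"{value!r} is not an IP address"
    return None


def _name_problem(value):
    return None if value else "must not be empty"


# Value checks for the keys this page shows being edited.
VALIDATORS = {
    "screensaverTimeOut": _timeout_problem,
    "MainPeers": _peer_problem,
    "SystemName": _name_problem,
}


def review_change(backup_text: str, edited_text: str, allowed: set) -> list:
    """Compare the downloaded backup with the edited copy.

    `allowed` is the set of keys the change is supposed to touch. Returns a list
    of findings; an empty list means only allowed keys changed and their new
    values passed the checks above.
    """
    findings = []
    diff = changed_keys(parse_params(backup_text), parse_params(edited_text))
    for key, (old, new) in diff.items():
        if key not in allowed:
            findings.append(f"{key}: unexpected change {old!r} -> {new!r}")
        elif new is None:
            findings.append(f"{key}: line was removed")
        else:
            problem = VALIDATORS.get(key, lambda _v: None)(new)
            if problem:
                findings.append(f"{key}: {problem}")
    return findings


# Constructed sample files (values are illustrative, not from a real panel).
PANEL_BACKUP = "serverName=localhost\npanelId=10000\nscreensaverTimeOut=60\n"
PANEL_GOOD = "serverName=localhost\npanelId=10000\nscreensaverTimeOut=120\n"
PANEL_BAD = "serverName=localhost\npanelId=10001\nscreensaverTimeOut=-5\n"
ENGINE_BACKUP = "MainPeers=\nSystemName=\n"
ENGINE_EDITED = "MainPeers=192.168.123.101\nSystemName=FrontPanel\n"

if __name__ == "__main__":
    for label, before, after, allowed in [
        ("sitePanel.ini (good)", PANEL_BACKUP, PANEL_GOOD, {"screensaverTimeOut"}),
        ("sitePanel.ini (bad)", PANEL_BACKUP, PANEL_BAD, {"screensaverTimeOut"}),
        ("siteEngine.ini", ENGINE_BACKUP, ENGINE_EDITED, {"MainPeers", "SystemName"}),
    ]:
        print(label, "->", review_change(before, after, allowed) or "OK")
```

Running the review against the Write Backup or Download copy before saving gives a record of exactly which lines were changed ahead of the reboot.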

Business Administrator Management

MESH Panels can be programmed to divide buildings into multiple businesses. Each business can control its own controlled area without affecting other businesses or areas. In order to divide buildings into businesses, controlled areas that will control a business’ physical access need to be created. When adding a new business to the Administration Software, areas that are controlled by that business can be selected. Then admin users can be added to be part of that business.

Business admin users are restricted on what they can add or view. Also, business admin users do not have access to the System tab and are therefore unable to manage the system or view any system related information.  In addition, business admin users cannot add or delete suites, controlled areas or schedules.  They can add user access groups and link them only to the controlled areas that are associated with that business. Any of the activity logs that are related to other businesses are not viewable by that business admin user.  A single business can have more than one controlled area. Also, a single business admin user can belong to more than one business.

Create Business Users

  1. Add a Business using the instructions in the Businesses section of Chapter Suites.

  2. Add a new admin user using the instructions in the section: Site Administrator Management.

  3. From the Add Admin User screen, select the business name from the Business list.

To select more than one business for that business admin user, hold down CTRL on the PC (⌘ key on a Macintosh) and select additional businesses.

Backup of Logs for Business Users

Because business admin users can’t access the System tab, the backup log instructions are different.

  1. Click on the Events navigation tab.

  2. Select a range of dates in the From and To Dates. Note that the maximum number of days is 31.

  3. Click Search

  4. Download the search result in CSV Format.

Alarm Management System (AMS) Lite

Overview

It is important to note that if AMS is configured under the System tab, all monitoring features on a server are disabled.

In the System > AMS tab you have the ability to choose if you are able to view the Monitor tab.  This is also where you would go to disable video prior to the setup of video.  AMS Server will not be covered in this section; for information on setup of the AMS application please see.

Navigation Overview: Monitor Systems without Mapping Setup

AMS-Lite supports the ability to monitor the system without maps. This mode gives end users who choose not to use the mapping of devices a clear way to list and report on the status of all of the devices.

This is how the system looks if there are no maps loaded into the system. Should you require maps for your site, please refer to Chapter Controlled Areas - Maps.

Navigation Overview: Controlled Area Display

This version of Freedom includes many enhancements to the ability to quickly search controlled areas and apply actions to them, including the ability to acknowledge and clear the alarms listed.

Number Of Pending Alarms

A Live Alarm List Count displays on the alarm icon on all screens and will indicate if there is an alarm on the sites that you have access to see.

Number of Pending Alarms by Site

List Alarms by site by clicking on the Site link. These links will take you to the site map at any time.

Acknowledge and Clear

In the center panel of the alarm monitor tab you will see the alarm data come into the system.  This is for the primary system.

Alarms can be acknowledged and cleared, and custom instructions can be enabled for both the acknowledge and the clear actions.

Once acknowledged the system will show the next step as clearing the alarm.

Clearing alarms allows for the setup of custom messages.

Once the alarm is cleared, the details of the alarm may be researched on the Events tab.

When a system is acknowledged and cleared, the documentation and notes of the operator show on the alarm monitor report. The following is shown on the report:

Navigation: Monitor With Maps And Video

This section does not cover how to set up and configure video services. Instead, it covers only an overview of how to navigate using the video services.

Navigation Overview: Controlled Area Icon Supported Actions

Once the maps are installed, the center alarm monitoring screen shifts downwards, and allows for the mapping to show in the center, providing the following features:

  • While in Alarm the controlled area icon will flash red

  • While Acknowledged, the controlled area will have a solid red ring around the system:

  • Clicking on the alarm in the bottom alarm tray will snap to the alarm, and pull the alarm video associated with the alarm into the right-hand video alarm panel:

  • Right-clicking the controlled area will give you the option to change the state of the controlled area, and to acknowledge and clear the alarms.

  • Selecting a controlled area will also show the activity history of that controlled area in the bottom left corner under the Controlled Area Activities.

  • Mapped live video streams may be scrolled over to display the live video feed.

  • While the bridge is connected the reader shows a dark black. If the reader is offline it shows grey.

  • If the camera is online it shows black. If the camera is disconnected it will show grey with a line through it.

Live Video For Mapped Cameras

Scrolling over event video shows the video screen as shown below.

View All Cameras

The top of the live camera view has multiple options.

Select All Cameras (#) and this will bring up all cameras in the video panel to scroll through.

Navigation Overview: Login to NVR From Monitor Tab

Select the NVR Icon.  This icon links to the NVR of the selected video feed.  If you need to Export video from the NVR, or perform a more detailed review of the video, this is how you get there. Depending on the NVR, you may need a username and password.

Navigation Overview: Export View

Select the [Export View] icon at the top right of the screen. This is known as the Export Video button, which is covered later in this chapter. It does not export video; instead, it sends the video to a separate window to be monitored there.

This is to allow the operation of Freedom System, and Video monitoring on the same system, or two different monitors.

Navigation Overview: Select Video and Send to Export View

You can also select video to be exported, and move it to the next screen in a two screen scenario:

  1. Select the video that you would like to export. This video feed will then be outlined in red (see photo above as an example).

  2. Select an area in the Freedom Exported Video 4x4 where you would like the video to be displayed.

  3. The video now appears in that area.

Once a configuration is setup, it may be saved to be recalled.  All video saves are available across all systems.

Navigation Overview: Save Video Export View

  1. Export Video

  2. Create a name and enter it into the system:

  3. Select Save

Navigation Overview: Event Video

When an alarm comes in with an associated event clip, the video is automatically displayed in the alarm video panel. The event video shows at the top, the alarm video shows at the bottom, and additional associated cameras show below that.

The top video is event playback – in the above example it is showing the start of the video clip before the light is turned on.

Once an alarm occurs on the bridge it will show the event clip, live video, and up to 4 cameras if they are associated with the controlled area for a quick view.  You can click on the cameras to pull them up to view to track a person in the frames.

Navigation Overview: Event Clip Controls

In the bottom left corner there are replay and pause controls for the event clips. To save a snapshot of the image, press the camera icon in the bottom right-hand corner of the event clip screen, as seen here:

Configure AMS Lite

It is important to note that if AMS is configured under the System tab, all monitoring features on a server are disabled.

Add a Map to AMS Lite

Many web image file formats are supported. Before uploading a map file, edit it as needed so that it is in one of the supported web image formats:

  • JPG

  • JPEG 2000

  • JPEG / JFIF

  • GIF

  • PNG

  • TIFF

To add a map of a floor plan or other system (any web file format supported):

  1. In the Controlled Areas navigation tab, click on the Maps link. The following screen is displayed:

  2. Current maps are listed on the left and the controlled areas are listed on the right. Click on a map to view it; click on the edit button to change the file associated with this map.

  3. To add a new map, click on the +Add Map button. The following screen is displayed:

  4. Enter Name and a Description for the map.

  5. Click the [Choose file] button beside Map Image to import the map file image.

  6. Click the [SAVE] button.

Place Controlled Area Icon On Map

Maps have been placed in the Controlled area tabs.  You can simply drag and drop all controlled areas from the right to the map.  Only one controlled area is supported per system.  The controlled area may only exist in one location at a time.

To configure controlled area maps:

  1. Click on the Controlled Areas navigation tab.

  2. On the left, click on the Maps link. The following screen appears:

  3. Drag and drop controlled areas onto the point.

Place Video Icon On Map

To set up the video portion of the system, you must log in with the system administrator account and ensure that video is enabled. If video is still not enabled after turning this setting on, you may need to check your server activation and ensure you have NVR Video licensing enabled.

This will allow the mapping of a camera as an individual device. To attach a video feed to a controlled area, navigate to Controlled Area, select the controlled area, and select the Cameras tab. The video icon attached to the controlled area is then shown:

Mapping Icons

Scrolling over an icon will show the name, and a trash can icon. Click on the trash can icon to remove the controlled area or camera from the map:

Remove Icon From Map

Scrolling over an icon will show the name, and a trash can icon. Click on the trash can icon to remove the controlled area or camera from the map:

 


Configure Custom Map Icons

Icons can be added to a map to indicate whether a controlled area is Closed, Open or in Lockdown. Freedom comes with three standard icons. Images of these icons can be changed in the Icons page.

To change a controlled area map icon:

  1. In the Controlled Areas navigation tab, click on the Icons link. The following screen is displayed:

  2. Click the [Choose file] button beside the icon to change and navigate to the new icon image and click Open.

  3. The selected file name is displayed. Click the [Update] button to replace the icon image with this new image.

Video Integration

Installation and Configure Video Services

Video Services have 3 main components for configuration:

  • Freedom Software: Requests video streaming from the video service with no drivers required for the UI.

  • Video Service: Connects to the DVRs using the information provided by the Freedom system and gathers the list of cameras from the DVR system.

  • Selected DVR: The DVR is where the video clips are stored for retention purposes.

The video service may be installed on the Freedom server or on a dedicated machine. If there are more than 16 cameras, a dedicated server for streaming the video cameras is recommended.

Install Freedom Video Service

  1. Download the most recent file from the partner portal.

  2. Using WinSCP or another tool, install the video service.

  3. Run the installation of the .rpm file by:

freedom-server# rpm -ivh fvid-service.rpm

  4. Start the Freedom video service:

freedom-server# service fvid start

Configure Video Service

Once the video service is installed the next step is to configure Freedom to connect to the freedom video service.

  1. Click on the System navigation tab.

  2. On the left, click on the Video, and then Video Service link.

  3. Enter the required IP, port, and video data.

  4. In the Actions bar, click on Save.

  5. To test the service connection, click Test Connection in the Actions bar. If the test is successful, the connection is set up. If not, check your settings and attempt to connect again.

Adding an NVR Server

  1. Click on the System navigation tab.

  2. On the left, click on the Video, and then NVR Servers link.

  3. In the Actions bar, click on Add NVR Server.

  4. Enter a Name and a Description for the NVR server. This is simply an identifier.

  5. Enter the IP Address of the server. The server needs to be on the same network as the Mesh Server.

  6. Enter the Port number for the NVR server. The default port is 80; however this can be verified from the NVR server configuration.

  7. Enter a Username and Password. This can also be accessed from the NVR server’s settings or the NVR server’s manual.

  8. Select the type of NVR Server from the Type dropdown menu.

  9. Click the Save button once all the fields are completed.

Once the NVR Server is added all fields except the Type field can be changed. To change the type of the NVR Server, the added server must be deleted and re-added.

Assign Camera to Controlled Area

In order to show a camera associated with a controlled area, you must assign it in the controlled area.

  1. Click on the Controlled Area navigation tab.

  2. On the left, click on the Controlled Area link that you wish to add camera to.

  3. In the Controlled Area, click on Cameras tab.

  4. Enter a Camera Name and click the add button.

  5. Set the first time in seconds. This marks the number of seconds of video that will be displayed in the event window.

  6. Set the second number, which sets the post-event video length in seconds.

  7. When more than one camera is added, select Primary on the camera whose event video you want displayed when the controlled area generates an alarm.

  8. Select the + button to save the camera to the controlled area.

Video Display Configuration Options

You must set a system configuration flag in order to use AMS Lite.

To configure AMS Lite:

  1. Log in to Freedom as a system administrator.

  2. Click on the System navigation tab.

  3. On the left, click on the AMS link. The following screen appears:

  4. Select AMS Lite.

  5. When Enabled is checked on the Database Master server, the server will listen to and collect Access Events from remote node servers in real time. The fields that follow: Host Name, Port, and Protocol - specify the address that remote nodes are reporting to. Generally this is the same IP address of the main server, or the server’s external IP that is visible to remote nodes. This feature allows the Database Master Server to work as a centralized Log Events repository.

  6. Check the View Monitor box to have the Monitor navigation tab appear at the top of the screen.

  7. Check the Display Video box to enable the video display panel on the right hand side of the monitor tab.

  8. Click Save.

Video Performance Optimization Considerations

Should there be performance issues due to the number of live streams, the default course of action will be to install the video services on a remote dedicated machine to manage the DVRs. 

The Freedom application will be able to stream to 16 IP cameras. If performance on the desktop is an issue, the first course of action is to look at adjusting the frame rate for streaming live video. Often this can be decreased, and will use less memory on the CPU.

Badge Printer Setup

Facility Friend is an easy-to-use, web-based, Enterprise class, visitor and parcel management system. A receptionist, concierge, or security officer can register and sign in visitors to track who is visiting and where within a facility.

Facility Friend now ships as a Freedom module; Facility Friend logins sync with Freedom. Hosts are integrated from Freedom into Facility Friend, syncing the cardholder database as your list of hosts, with Site Support. You can sync Visitors within Facility Friend to a Default Access Group within Freedom.

Currently Supported Printers:

  • HID Fargo DTC4500

  • HID Fargo DTC4500e

  • Evolis Tattoo

  • Evolis Pebble

Badge Printer Service Setup

Freedom Setup with Facility Friend

The Freedom system must have some basic configuration completed before you can use the Facility Friend module. Please refer to Appendix A – Basic Freedom Setup with Facility Friend to ensure you have set up the Freedom system for using Facility Friend.

Printer Setup

Some printer and driver configuration must be done before you can proceed with printing Facility Friend Badge Cards. However, no special licensing is required.

To download the Facility Friend Print Utility installer:

  1. Log into Freedom.

  2. Click on the System navigation tab.

  3. On the left, click the Utilities link.

  4. Click the Download sub link.

  5. You will find the Print Utility installer (PrintUtilSetup92b.exe) under Downloads. If it is not there, please contact technical support. Save it to a Windows folder such as c:\tmp.

Note that the following instructions use Windows 10; the instructions should be very similar if you are currently running Windows 8.1 or slightly different in Windows 7. Windows XP and Windows Vista are no longer supported.

6. Download the printer driver from the Internet for the printer you’ll be using to print your badges (e.g. for the HID Fargo DTC 4500 or 4500e, go to http://www.hidglobal.com/drivers) and install the driver.

After installing the driver, install the printer:

  1. Click on the Search button at the bottom left of your computer and look for “Printers & Scanners”.

  2. Click on Add Printers & Scanners.

  3. Choose Add a local printer or network printer with manual settings.

  4. Select Create a new port and select DTC… in the Type of port dropdown box. Click Next.

  5. Enter the TCP/IP Printer Port address of the printer you will be using to print the badge cards and click Next.

  6. Click Next again.

  7. Click Finish.

  8. If you installed the printer driver successfully it will be listed under Manufacturer.
    Note: If installing a DTC4500 choose Fargo (not HID) and the desired printer model. In this case DTC4500e. Click Next.

  9. Select Use the driver that is currently installed (recommended) and click Next.

  10. Enter a name for the printer or keep the default. Make a note of the printer name – you will need to add this name to the Facility Friend Printer Utility later. Click Next.

  11. Select Share this printer so that others on your network can find and use it and enter its Share name. Click Next.

  12. Go back to the folder where you downloaded the Facility Friend Print Utility installer (ffPrintUtilSetup.exe), e.g. c:\tmp, and double click on it.

  13. Click on Next when you see the Welcome screen.

  14. Choose an installation folder or stay with the program files default and click Next.

  15. Click Install.

  16. Once you see the final screen click Finish.

  17. Click on the Show Hidden Icon that is located in the bottom right hand corner of your screen. It looks something like this:

  18. Right click on the taskbar, click Taskbar settings, and then click on Select Which Icons appear on the taskbar.

  19. Locate the (Viscount) ffPrintUtil.exe print utility and toggle the radio button to ON.

  20. Its icon will now appear on the bottom right where the other notification icons are displayed.

  21. Right click on it and choose Open.

  22. In the Select Printer dropdown box, select the name of the printer you entered in Step 10 of these instructions.

  23. Click on the Configuration tab and note the port number (1024 is the default).

  24. Click the white x to close the Facility Friend Print Utility.

Freedom Badging

Freedom Badging Configuration

Please make sure that you have completed the basic Freedom configuration as outlined in Appendix A so that you have a Freedom device, a controlled area, a schedule, two user access groups and two user categories called 0050C2CC37F2, ControlArea1, 24x7, HostUAG and VisitorUAG, and Visitors and Hosts respectively.

Badging Template

The Freedom Badging tool is similar to other vector drawing tools such as Illustrator and CorelDraw.

To create a Badging Template:

  1. Log into Freedom.

  2. Click on the Users tab.

  3. On the left, click on the Badging link.

  4. In the Actions bar, click Add Badging Template.

  5. Enter the Name MainBadgeTemplate and the Description as Double sided template.

  6. Click on Save.

  7. A default template is created with the site name (Main is the default), first name, last name and card expiry date, all of which are defined when creating a user. Click on Edit Badge. The following screen is displayed:

It is recommended that you use a full screen in your browser while editing a badging template.

8. Just like other vector drawing tools, in order to edit the template you must first click on one of the icons on the left and then execute the desired action. For example, to enter text, click on the A icon on the left of the screen, click anywhere on the template you are editing and add the text:

9. In the same manner you can add a standard Freedom user data field. To enter a data field click on the A icon again, click anywhere on the template you are editing and select a data field from its drop down near the top of the screen:

The following data fields are supported:

  • First Name

  • Last Name

  • Freedom Site (the default site is Main)

  • Photograph

  • User Category

  • Telephone

  • Start Date

  • Expiry Date

E.g. you can add a user’s telephone number:

…as well as the category and an image (Import Image):

10. Click on the save icon at the top:

11. Click the Save button:

The following screen is displayed. Note how the preview changed with the enhancements made while editing the badge.

 12. Click on the Badging link and then the Add Badging Template button to create another template for the back of the double sided card i.e. BackTemplate. Click Save.

13. Click on Edit Badge and enter the information for the back of the badge card. E.g.:

 14. Click on the save icon at the top: 

 15. Click the Save button. The following screen is displayed. Note again how the preview changes with the enhancements made to this second template.

16. Click on the Badging link to display the two templates that you have created.

17. Click on the MainBadgeTemplate and select the second template, BackTemplate, from the Back Side dropdown box to create a double sided badge template.

18. Click Save.

Adding and Printing Badges for Users

We will now create a Host user with some of the data fields used to create the badges we defined.

  1. Click on the Users link from within the Users tab.

  2. In the Actions bar, click Add User.

  3. Enter the Name of the user, as well as a Wiegand Card Number and a Telephone number.

  4. Click the HostUAG User Access Group to move it to selected.
    Note how Badge lists the templates (MainBadgeTemplate and BackTemplate) we created before.

5. Click Save.

6. Stay on the same screen and note how its title has changed to View/Edit. Confirm that the Badge is set to MainBadgeTemplate and the Category is set to (the previously created) Hosts (see Appendix A for more details on Categories.)

7. Click on Upload Photo to upload a photograph of the user.

8. Enter an Expire Date.

9. Click Save.

10. The options at the bottom of the screen change when the badge is saved. Click on Print Badge.

A preview is shown of the front (MainBadgeTemplate) and back (BackTemplate) of the card with the actual user data fields completed.

 11. Click on the Config button. The following screen is displayed:

12. Enter the IP Address of your Windows workstation (not the one for the printer unless they are the same) where you installed the Facility Friend Print Utility.

 13. Enter the Port number used by the printer whose name you noted during configuration of the Facility Friend Print Utility (Step 23 in Printer Setup).

14. Click on the Test button.


If you don’t get a Connection Test Successful! message, double check the IP address and the port number and make sure that you can access the Windows workstation from the Freedom Linux server or from another computer. If you believe that the IP address and the port number are correct and the Test button fails, double-check the Firewall on your Windows workstation.

 15. If the Test above is successful click on Save.

16. Click on Back.

17. Click on Print Badge.

18. Go back to your Windows workstation and you will notice a blinking print utility icon and two consecutive message bubbles: 

19. If you click on the blinking (yellow) print utility icon you will see a preview of the information sent to the printer.

Even though the default ribbon type on your printer driver is Full Color/Resin Black/Overlay it might print green on one side and black on the other as opposed to green on both sides as expected above.

 

We will now create a Visitor User:

  1. Click on the Users link.

  2. In the Actions bar, click on Add User.

  3. Enter a Name for the user as well as Wiegand Card Number and a Telephone number.

  4. Select MainBadgeTemplate in the Badge dropdown box.

  5. Select VisitorUAG as its User Access Group.

  6. Click Save.

  7. Edit the User and select Visitor from the Category dropdown box.

  8. Set the Expire date to 2018.

  9. Click Save.

  10. Click on the Users link. Note how we’ve created two users, each with different card #s and different access groups.

Facility Friend with Freedom - Configuration

Overview of Integration

Facility Friend is now integrated to pass Visitor information into Freedom so that it may be used for a single site as a visitor management system. The Freedom server will connect to the Facility Friend system and sync, allowing the following:

  • Freedom will be able to push the existing card holders into Facility Friend as “Hosts”.

  • Facility Friend will be able to push the visitors into the Freedom system to belong to a default Visitor Access Group, and will allow them access to that controlled area for the length of their visit to a facility.

Setup of Freedom For Facility Friend Integration

The Freedom system must have some basic configuration completed before you can use the Facility Friend module. Configure your Freedom system from right to left starting with the System tab as follows:

  1. Log in to Freedom.

  2. Click on the System tab and then on the Devices link on the left and make sure you have at least one device configured.

  3. Click on the Schedules tab and make sure you have at least one schedule configured.

  4. Click on the Controlled Areas tab and make sure you have at least one controlled area representing a door configured:

  5. Click on the controlled area displayed in Step 4 (ControlArea1) and make sure it uses the device you configured at the beginning of this appendix.

  6. Click on the Access tab and create two User Access Groups: HostUAG and VisitorUAG.

  7. Select each Access Group and make sure that they are both using an existing controlled area and schedule.



8. Click on the Users tab and select the User Categories link. Add a Visitors category and click the + add button to add another category for Hosts:

So that your two categories are displayed as follows:

Your Freedom setup for Facility Friend is complete.

Setup Of Facility Friend For Sync To Freedom

You can use the Facility Friend Import tool to import users from Freedom into Facility Friend.

  1. Log in to Facility Friend. The main screen is displayed.

  2. Make sure the Freedom server you are trying to connect to in order to import its users is accessible. In this example both the Freedom and the Facility Friend servers are running on a server with IP 10.0.2.225, so they are accessed by typing 10.0.2.225:9000 or http://10.0.2.225:9000 into the browser. The following screen is displayed:

    If this screen does not appear, make sure your Linux Freedom server is configured to have the API module running and its firewall allows access to port 9000 from the outside.

  3. Go back to Facility Friend and click on Account Settings (top right) and Freedom Servers.

  4. Click on Add a Freedom Server (top right).

  5. Enter a Name for the Freedom server you are connecting to and add the required fields and click on Save.

  6. Wait a few minutes and click on Account Settings (top right) and Freedom Servers again.

If the connection is successful you will see Online displayed in the Host line.

7. Click on the IP address (e.g. 10.0.2.225) and you will see its User Access Groups displayed (HostUAG and VisitorUAG were configured in Appendix A). Choose VisitorUAG as a Visitor Access Group and HostUAG as a Host Access group and click on Save at the bottom.

The default site (Main) from the Freedom server we are configuring will be displayed.

8. Click on the Visitor tab. The user ‘Willy Visitor’ was imported from Freedom because it belongs to the VisitorUAG access group.

9. Click on Add a new visitor in the top right.

10. Enter a First Name and a Last Name. This will create a local user that exists only in Facility Friend.

 11. Click on Continue. You can see two types of visitor users: the one imported from Freedom and the one created locally.

Normally it’s considered best practice to import users from Freedom so that they don’t have to be created twice and they can be kept synchronized.

 12. Click on the Hosts tab.

13. Click on Add a new host (as in person, not as in computer server) in the top right and enter a First and Last name. This will create a local user that exists only in Facility Friend.

14. Click on Continue. You can see two types of host users: the one imported from Freedom and the one created locally.

Normally it’s considered best practice to import users from Freedom so that they don’t have to be created twice and they can be kept synchronized.
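The two connection checks described above (the Test button for the Facility Friend Print Utility, default port 1024, and the Freedom API module on port 9000) can be reproduced from a command line on the machine that initiates the connection. The following Python script is an added example, not part of the Freedom or Facility Friend software; its function names and advice strings are assumptions made for illustration.

```python
import errno
import socket
import sys

# What each outcome means for the checks described in this guide.
ADVICE = {
    "open": "Listener reachable: the IP address and port are correct.",
    "refused": "Host answered, but nothing accepts connections on this port: "
               "check the port number and that the service is running.",
    "filtered": "No answer before the timeout: check the IP address and the "
                "firewall on the target host.",
    "unreachable": "No route to the host: check the IP address and routing.",
    "error": "Name resolution or local socket error: check the address.",
}


def probe(host, port, timeout=3.0):
    """Attempt one TCP connection and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"        # RST received: closed port or rejecting firewall
    except socket.timeout:
        return "filtered"       # packets silently dropped, or host is down
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "error"


def diagnose(host, port, timeout=3.0):
    """Return (state, advice) for one host and port."""
    state = probe(host, port, timeout)
    return state, ADVICE[state]


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # e.g. the workstation IP with port 1024, or the Freedom server with 9000
        print(diagnose(sys.argv[1], int(sys.argv[2])))
    else:
        # Constructed loopback demo so the example also runs offline.
        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        port = listener.getsockname()[1]
        print("listener up:    ", diagnose("127.0.0.1", port))
        listener.close()
        print("listener closed:", diagnose("127.0.0.1", port))
```

A result of "filtered" from the Freedom Linux server to the Windows workstation matches the firewall case described in the badge printing steps, while "refused" points to the port number or to the print utility not running.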

Alert Levels

Alert Level Management

Alert Levels allow the Freedom server to adjust its access control behaviour globally. Controlled Area Schedules and Access Groups can be restricted by alert levels. As a security level escalates, the Freedom server can restrict access accordingly. For example, a front entrance of a building is open during office hours. However, when the alert level is escalated to HIGH, the system can automatically lockdown the front entrance by overriding the open schedule.

Alert Levels

When alert levels are enabled in the license file, Freedom Admin always shows the current alert level at the top of the page.

In this example, the Access Group Standard Employees has no access when the alert level is “High” or “Severe”.

Controlled Area Configuration of Alert Levels

In this example, the Controlled Area is set to open during office hours only when the alert level is Low or Guarded. To configure alert levels for controlled areas, go to the Unlock Schedule tab in the View/Edit Controlled Area page.

Please refer to the Controlled Areas chapter for more information.
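A simplified model of how alert levels gate the two examples above, added here for illustration; it is not Freedom's implementation. The office hours (09:00 to 17:00), the Security Staff group and all function names are assumptions; only the four level names come from this guide.

```python
from dataclasses import dataclass
from datetime import time

# Only the four levels this guide names, lowest to highest.
LEVELS = ("Low", "Guarded", "High", "Severe")


@dataclass(frozen=True)
class UnlockSchedule:
    """Hours during which a controlled area is held open, per alert level."""
    start: time
    end: time
    levels: frozenset  # alert levels at which the schedule applies

    def unlocked(self, now, level):
        return level in self.levels and self.start <= now < self.end


@dataclass(frozen=True)
class AccessGroup:
    name: str
    levels: frozenset  # alert levels at which members keep card access


def decide(schedule, group, now, level):
    """Return 'open', 'card' or 'denied' for one person at one door."""
    if level not in LEVELS:
        return "denied"  # fail closed on an unknown or misspelled level
    if schedule.unlocked(now, level):
        return "open"    # door held open by its unlock schedule
    if group is not None and level in group.levels:
        return "card"    # door locked, valid card still admitted
    return "denied"


# Constructed configuration mirroring the two examples in this section.
FRONT_ENTRANCE = UnlockSchedule(time(9), time(17), frozenset({"Low", "Guarded"}))
STANDARD_EMPLOYEES = AccessGroup("Standard Employees", frozenset({"Low", "Guarded"}))
# Hypothetical second group, not from the guide, that keeps access at every level.
SECURITY_STAFF = AccessGroup("Security Staff", frozenset(LEVELS))


def walk_through(now=time(10, 30)):
    """Decision per level for each group at the front entrance."""
    return {
        level: {g.name: decide(FRONT_ENTRANCE, g, now, level)
                for g in (STANDARD_EMPLOYEES, SECURITY_STAFF)}
        for level in LEVELS
    }


if __name__ == "__main__":
    for level, row in walk_through().items():
        print(f"{level:8} {row}")
```

Raising the level from Guarded to High changes the front entrance from held open to locked and removes Standard Employees' card access in the same step, which is the lockdown behaviour described at the start of this chapter.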

Change of Alert Level

Freedom Administrators can set the current Alert Level by going to the System tab under Administration and clicking Risk Level.
