How to enable HTTPS between Milestone XProtect & Axis Cameras in Bulk
With cyber-security on everyone's mind and corporate security policies becoming more stringent, one thing that you should be considering is enabling HTTPS between your cameras and the Milestone XProtect recording server.
By default, Milestone XProtect uses HTTP to connect to the camera and to the video stream. When using HTTP, however, the credentials are passed between the camera and the recording server in plain text. This means that a bad guy sniffing the network could quite easily identify the camera's credentials and use them for nefarious means. HTTPS is a method of securing those credentials from prying eyes. In this case, enabling HTTPS uses SSL to encrypt the credentials sent by the recording server to the camera instead of sending them in plain text for all to see.
The majority of enterprise video surveillance deployments do not take securing the credentials into consideration at the time of deployment, which is why learning how to do this quickly and in bulk after the fact is very important.
If you are using Axis cameras, deploying HTTPS with Axis Device Manager, Milestone XProtect and The Boring Toolbox is rather quick. Below are the steps to take.
Axis Device Manager (ADM)
Axis Device Manager is a tool provided free of charge by Axis which will allow you to fully manage the settings of your entire fleet of Axis cameras in bulk. The first step is to enable the certificate authority in Axis Device Manager.
To have Axis Device Manager start managing certificates, you will need to configure the Certificate Authority in ADM. You can do this by navigating to Configuration > Security > Certificates and, under the "Certificate authority" header, clicking "Generate...". Be sure to record the password you chose. You will need it when you renew the certificates.
With the CA enabled on ADM it is time to deploy HTTPS to the cameras. Click back over to the "Device Manager" tab and select the camera or group of cameras you want to configure HTTPS on. Once selected, right click, Security > HTTPS > Enable/Update. This will install a new certificate generated by the ADM CA and will ignore any other private certificates on the cameras.
The last step in ADM is to enable both HTTP and HTTPS on the cameras. HTTP is used by Milestone to initialize the communication to the camera. The camera then redirects the recording server to use HTTPS.
To enable both HTTP & HTTPS right click on the cameras you just enabled HTTPS on, select Configure devices > Configure. In the configure pop up search for System.BoaGroupPolicy. Scroll to the bottom and enable HTTP & HTTPS on all three of the below:
Configuration in Milestone
With certificates deployed to the cameras, you can now enable HTTPS in Milestone. You can do this one by one in Milestone XProtect Management Client, but for multiple cameras this can be very time consuming and tedious. So, here you can use The Boring Toolbox to enable HTTPS in bulk.
Open up The Boring Toolbox, go to Hardware, then search for and select the cameras for which you would like to enable HTTPS in Milestone. In the right menu you can click "Enable HTTPS".
This will update the setting in XProtect and in theory you are done here, but I prefer to add one more step. I like to disable then re-enable the hardware to make sure that Milestone is forced to re-authenticate using HTTPS and to make sure Milestone is still able to pull video. To assist with this, The Boring Toolbox will keep the cameras you just enabled with HTTPS in Milestone checked so that you can quickly click disable hardware in the right context menu and then afterward enable hardware. This allows you to update HTTPS settings on hundreds of cameras in three to five clicks instead of thousands.
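To confirm the rollout independently of the three tools, the following added example (not code from Axis, Milestone or The Boring Toolbox) connects to each camera's HTTPS port and checks that the certificate chains to the ADM CA and is not close to expiry. It assumes the ADM CA certificate has been saved as a PEM file; the file name, the camera addresses and the 30-day warning threshold are placeholders.

```python
import socket
import ssl
import sys
import time

def adm_context(ca_file):
    """TLS context that trusts only the CA certificate in ca_file (PEM)."""
    return ssl.create_default_context(cafile=ca_file)

def expiry_status(not_after, warn_days=30, now=None):
    """Map a certificate notAfter string to ("ok" | "expiring", days_left)."""
    now = time.time() if now is None else now
    days = int((ssl.cert_time_to_seconds(not_after) - now) // 86400)
    return ("expiring" if days < warn_days else "ok", days)

def check_camera(host, ctx, port=443, timeout=5.0, warn_days=30):
    """Return (status, detail) for one camera's HTTPS listener."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Wrong issuer, expired, or the name/IP used is not in the certificate.
        return ("untrusted", exc.verify_message)
    except ssl.SSLError as exc:
        # Port is open but the TLS handshake itself failed.
        return ("tls_error", str(exc))
    except OSError as exc:
        # Refused, timed out, or no route: HTTPS is not listening here.
        return ("unreachable", str(exc))
    status, days = expiry_status(cert["notAfter"], warn_days)
    return (status, f"{days} days until expiry")

def audit(hosts, ctx):
    """Check every host and return {host: (status, detail)}."""
    return {host: check_camera(host, ctx) for host in hosts}

if __name__ == "__main__":
    # Usage (file name and addresses are placeholders):
    #   python check_camera_tls.py adm-ca.pem 192.0.2.10 192.0.2.11
    if len(sys.argv) < 3:
        sys.exit("usage: check_camera_tls.py ADM_CA_PEM CAMERA [CAMERA ...]")
    results = audit(sys.argv[2:], adm_context(sys.argv[1]))
    for host, (status, detail) in results.items():
        print(f"{host:<20} {status:<12} {detail}")
    sys.exit(0 if all(s == "ok" for s, _ in results.values()) else 1)
```

The script exits non-zero if any camera is not `ok`, so it can run as a scheduled check ahead of certificate renewal. A camera reported as `untrusted` includes the verification reason, which also covers a name or IP address that does not appear in the certificate.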