OnGuard® Enterprise Setup & Configuration User Guide
LenelS2 OnGuard® 8.2 Enterprise Setup & Configuration User Guide
Item number DOC-500, revision 13.010, May 2023.
©2023 Carrier. All Rights Reserved. All trademarks are the property of their respective owners.
LenelS2 is a part of Carrier.
Information in this document is subject to change without notice. No part of this document may be reproduced
or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the prior
express written permission of Carrier Fire & Security Americas Corporation (“LenelS2”), which such
permission may have been granted in a separate agreement (i.e., end user license agreement or software
license agreement for the particular application).
Non-English versions of LenelS2 documents are offered as a service to our global audiences. We have
attempted to provide an accurate translation of the text, but the official text is the English text, and any
differences in the translation are not binding and have no legal effect.
The software described in this document is furnished under a separate license agreement and may only be used
in accordance with the terms of that agreement.
SAP® Crystal Reports® is the registered trademark of SAP SE or its affiliates in Germany and in several
other countries.
Integral and FlashPoint are trademarks of Integral Technologies, Inc.
Portions of this product were created using LEADTOOLS ©1991-2011, LEAD Technologies, Inc. ALL
RIGHTS RESERVED.
Active Directory, Microsoft, SQL Server, Windows, and Windows Server are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries.
Oracle is a registered trademark of Oracle International Corporation.
Amazon Web Services and the "Powered by AWS" logo are trademarks of Amazon.com, Inc. or its affiliates
in the United States and/or other countries.
Other product names mentioned in this document may be trademarks or registered trademarks of their
respective owners and are hereby acknowledged.
Product Disclaimers and Warnings
THESE PRODUCTS ARE INTENDED FOR SALE TO, AND INSTALLATION BY, AN EXPERIENCED
SECURITY PROFESSIONAL. LENELS2 CANNOT PROVIDE ANY ASSURANCE THAT ANY PERSON
OR ENTITY BUYING ITS PRODUCTS, INCLUDING ANY "AUTHORIZED DEALER", IS PROPERLY
TRAINED OR EXPERIENCED TO CORRECTLY INSTALL SECURITY RELATED PRODUCTS.
LENELS2 DOES NOT REPRESENT THAT SOFTWARE, HARDWARE OR RELATED SERVICES MAY
NOT BE HACKED, COMPROMISED AND/OR CIRCUMVENTED. LENELS2 DOES NOT WARRANT
THAT SOFTWARE, HARDWARE OR RELATED SERVICES WILL WORK PROPERLY IN ALL
ENVIRONMENTS AND APPLICATIONS AND DOES NOT WARRANT ANY SOFTWARE,
HARDWARE OR RELATED SERVICES AGAINST HARMFUL ELECTROMAGNETIC
INTERFERENCE INDUCTION OR RADIATION (EMI, RFI, ETC.) EMITTED FROM EXTERNAL
SOURCES. THE ABILITY OF SOFTWARE, HARDWARE AND RELATED SERVICES TO WORK
PROPERLY DEPENDS ON A NUMBER OF PRODUCTS AND SERVICES MADE AVAILABLE BY
THIRD PARTIES OVER WHICH LENELS2 HAS NO CONTROL INCLUDING, BUT NOT LIMITED TO,
INTERNET, CELLULAR AND LANDLINE CONNECTIVITY; MOBILE DEVICE AND RELATED
OPERATING SYSTEM COMPATIBILITY; OR PROPER INSTALLATION, CONFIGURATION AND
MAINTENANCE OF AUTHORIZED HARDWARE AND OTHER SOFTWARE.
LENELS2 MAY MAKE CERTAIN BIOMETRIC CAPABILITIES (E.G., FINGERPRINT, VOICE PRINT,
FACIAL RECOGNITION, ETC.), DATA RECORDING CAPABILITIES (E.G., VOICE RECORDING),
AND/OR DATA/INFORMATION RECOGNITION AND TRANSLATION CAPABILITIES AVAILABLE
IN PRODUCTS LENELS2 MANUFACTURES AND/OR RESELLS. LENELS2 DOES NOT CONTROL
THE CONDITIONS AND METHODS OF USE OF PRODUCTS IT MANUFACTURES AND/OR
RESELLS. THE END-USER AND/OR INSTALLER AND/OR RESELLER/DISTRIBUTOR ACT AS
CONTROLLER OF THE DATA RESULTING FROM USE OF THESE PRODUCTS, INCLUDING ANY
RESULTING PERSONALLY IDENTIFIABLE INFORMATION OR PRIVATE DATA, AND ARE SOLELY
RESPONSIBLE TO ENSURE THAT ANY PARTICULAR INSTALLATION AND USE OF PRODUCTS
COMPLY WITH ALL APPLICABLE PRIVACY AND OTHER LAWS, INCLUDING ANY
REQUIREMENT TO OBTAIN CONSENT. THE CAPABILITY OR USE OF ANY PRODUCTS
MANUFACTURED OR SOLD BY LENELS2 TO RECORD CONSENT SHALL NOT BE SUBSTITUTED
FOR THE CONTROLLER'S OBLIGATION TO INDEPENDENTLY DETERMINE WHETHER CONSENT
IS REQUIRED, NOR SHALL SUCH CAPABILITY OR USE SHIFT ANY OBLIGATION TO OBTAIN
ANY REQUIRED CONSENT TO LENELS2.
For more information on warranty disclaimers and product safety information, please check
https://firesecurityproducts.com/en/policy/product-warning or scan the following code:
Table of Contents

Introduction

CHAPTER 1 Overview
  Enterprise Application Example
  Enterprise System Benefits
  Terms to Know
  Enterprise Replication Strategy
  About this User Guide
  Other Referenced User Guides

CHAPTER 2 Before Installing an Enterprise Global or Regional Server
  Standards and Conventions
    Considerations/Recommendations
  Database Planning
    Global Database Planning
    Regional Server Database Planning
  Overview of ODBC DSN Connections

CHAPTER 3 Server Configuration Overview
  Enterprise System Setup Overview
    Enterprise Global Server System Setup
    Regional Server System Setup
  Distributed ID Management System Setup Overview
    Distributed ID Global Server Setup
    Distributed ID/Mobile Station Setup

Database Management Systems

CHAPTER 4 Microsoft SQL Server
  Prerequisites
  SQL Server Express Edition
    Installing or Upgrading SQL Server 2019 Express Edition
    Installing or Upgrading SQL Server 2017 Express Edition
    Installing SQL Server Management Tools
  SQL Server Standard Edition
    Installation Steps
    Upgrade Steps
    SQL Server
    Installing or Upgrading SQL Server 2019
    Installing or Upgrading SQL Server 2017
    Configuring SQL Server
  Using Azure SQL Databases with OnGuard
    Overview
    Considerations for using Azure SQL with OnGuard
    References
    Prerequisites
    Create the Azure SQL Server and Databases
    Create OnGuard Reports and Dashboards Database
    Create Archiving Database
    Adding Clients
    Migrating an Existing OnGuard Database to SQL Azure

OnGuard Installation and Configuration

CHAPTER 5 Installing OnGuard 8.2 Enterprise
  OnGuard 8.2 Enterprise Installation Prerequisites
  Installation Procedures
    Attach the Hardware Key (License Server Only)
    Install the OnGuard 8.2 Enterprise Software
    Setup Assistant
  Manually Running Security Utility
  Install Your OnGuard License
    Log into License Administration
    Changing Administrator Properties for License Administration
    Install a New License
    Activate a Software License
    Returning an OnGuard Software License
    License Troubleshooting
  Run Database Setup
    Encrypting and Re-encrypting Databases
  Configure the OnGuard Logs Folder
  Remotely Hosted Databases

CHAPTER 6 Database Authentication for Web Applications
  Windows Authentication with SQL Server
    Configure Windows Authentication with SQL Server
  Windows Authentication with Oracle
    Create a new Windows user
    Add the Windows user to Oracle
    Verify the Integrated Security Setting
  Provide Credentials in the Protected File
    Securing Files with the Access Control List
    Store the lenel User Account Credentials

CHAPTER 7 Applying Service Releases in Enterprise
  How to Properly Apply a Service Release to an Enterprise System
    Step 1: Log out of all LenelS2 Applications
    Step 2: Run Replication
    Step 3: Stop All OnGuard Services
    Step 4: Back Up All Databases (if Requested)
    Step 5: Apply Service Release to Global Server
    Step 6: Apply Service Release to Regional Servers

CHAPTER 8 Distributed ID Management Systems
  Distributed ID Global Server Description
  Distributed ID/Mobile Station Description
  Distributed ID Global Server Setup Overview
  Distributed ID/Mobile Station Setup Overview
  Configure a Distributed ID Management System
    Configure a Distributed ID Global Server
    Configure a Distributed ID/Mobile Station

CHAPTER 9 Enterprise Configuration
  Global Server Configuration Overview
    Global Server Login
  Configure the Global Server Database
  Regional Server Configuration Overview
  Configure the Regional Server Database
  Configure the Regional Server
    Perform a Full Download to the Regional Server
    Schedule Replicator to Run Automatically
    Replicator Settings in the ACS.INI File
    Enterprise Ongoing Administration

CHAPTER 10 Accounts and Passwords
  Accounts
  Passwords
    Password Policies
    Password Standards
    Change the Database Password
    Change the System Administrator Password for the Database
    Managing the Login Driver Encryption Key
    Setting Login Driver RabbitMQ Credentials

Upgrading an Enterprise System

CHAPTER 11 Upgrading to OnGuard 8.2 Enterprise
  Upgrading to OnGuard 8.2 Enterprise
    Verify No Pending Transactions Exist
    Archive Visits if using Visitor Management
    Stop All OnGuard Services on All Global and Regional Servers
    Back Up All Databases
    Upgrade the Operating System
    Upgrade All Databases
    Upgrade the OnGuard Software and Databases
    Proper Sequence for Upgrading an Enterprise System
    Manually Update SQL Server Data Sources to use ODBC Driver for SQL Server
    Start Replication on All Regional Servers
    Confirm that Replication is Working
    Perform a Full Download
    Run the Universal Time Conversion Utility

Enterprise System Administration

CHAPTER 12 Enterprise System Administration
  Scheduling Issues for an Enterprise System
  Important Administrative Tasks for an Enterprise System
    Administrative Tasks for All Servers
    Additional Administrative Tasks for Regional Servers

CHAPTER 13 Enterprise Maintenance Procedures
  Global Server Maintenance
    Daily
    Monthly
  Regional Server Maintenance
    Daily

Appendices

APPENDIX A Configuration Editor
  When Configuration Editor Identifies an Issue
  Launching the Configuration Editor Stand-alone Application
  Standard Fields and Buttons
    Database section
    License Server section
  Advanced Settings Fields and Buttons
    Advanced Database section
    Advanced Verbose Logging section
  Fixing Synchronization Issues

APPENDIX B Custom Installation of OnGuard
  Performing a Custom Installation
    First Time and Existing OnGuard Installation
    Application Server
    Device Discovery Console

APPENDIX C Configuring the Communication Server

APPENDIX D The License Server
  ACS.INI Settings Related to the License Server
  License Server Procedures
    Running the License Server from the Command Line
    Running the License Server in Windows
    Determining if the License Server is Running

APPENDIX E Multi-Region Alarm Monitoring

APPENDIX F Universal Time Conversion Utility
  Universal Time Conversion Utility Enterprise Considerations
  Run the Universal Time Conversion Utility

Index

Introduction
CHAPTER 1 Overview

OnGuard® Enterprise combines independent multiple-site access control, alarm monitoring and ID
badging into a single, distributed, enterprise-wide, security management solution. OnGuard
Enterprise allows security managers to monitor multiple corporate sites worldwide simultaneously
from a single, centralized location. This feature is especially critical for large multi-national
corporations that need to be able to access any facility – whether it’s across the world or across town
– at any given time, using a single ID card. Growing corporations require scalable security systems as
they add new facilities worldwide, and OnGuard Enterprise allows them to monitor new sites from a
central location.
The OnGuard Enterprise advanced system design allows mid- to large-sized multinational
organizations to maintain both a central Enterprise Database Server and multiple autonomous
Regional Database Servers that operate independently of the Central server. Each Regional Server
site has its own access control system. The Central Server is used for analysis and reporting, and has
the ability to view all sites. The cardholder database is global; cardholder records can be shared
among all sites. Cardholders and their badges can be updated anywhere in the system, and the
changes will be distributed to all sites. Information stored on each Regional Server’s database is
synchronized with the Enterprise Server on a predetermined basis, offering consistently updated
personnel information and access control field data for optimum security and access control.
FormsDesigner changes made on an Enterprise system can be distributed to all Regional Servers and
Mobile Stations by using the User-defined form download feature in Replicator. FormsDesigner
changes are contained only on the Global Server.
The Replication Administration application provides centralized management and configuration of
Enterprise systems and mobile stations. It is available in both the Enterprise and standard versions of
OnGuard, and the software license determines whether the database can be configured as an
Enterprise system or a mobile station. On an Enterprise system, it is used to manage the Global
Server, Regional Servers, and mobile stations from one location. On a standard system, it is used to
manage all mobile stations.
An example of an Enterprise application is illustrated on the following page.

Enterprise Application Example

[Figure: Enterprise Application Example. Labels shown: Corporate Global Server; Human Resources Database; WAN links; Enterprise Region #1 through Enterprise Region #N (Node #1 through Node #N) with Enterprise Regional Servers #1 and #2; Region #N-1 and Region #N-2 with Regional Servers N-1 and N-2. Each region shows field hardware (Intelligent System Controller, Alarm Panel & Alarms, Readers) and workstations for System Administration, Alarm Monitoring, Badging, and Mobile Badging.]

Enterprise System Benefits


The OnGuard Enterprise Solution offers numerous benefits to large organizations with multiple
secured facilities, including:

Central Database for Monitoring, Reporting and Investigation. Synchronization of data between
Central and Regional Servers allows for crucial monitoring, reporting, investigative inquiries, and
up-to-date information.

Unlimited Expansion and Scalability. Each Regional Server can configure an unlimited number of
client workstations and card readers. Additionally, the Central Server is capable of connecting an
unlimited number of Regional Servers. These Regional Servers are also capable of connecting an
unlimited number of multi-level Regional Servers.

Central Command with Local Autonomous Control. Regional Servers operate independently, yet
synchronize with the Central Server regularly to maintain a constantly up-to-date database of
worldwide information.

Interface to Third Party Human Resource Systems. Using the DataExchange features in the
FormsDesigner application, cardholder data can be imported into the Central Server, modified, and
distributed to all Regional Servers.

List Builder Entries. Entries in List Builder are capable of being modified on a specific Regional
Server. Using buildings and departments as an example, two Regional Servers representing California
and New York sites would be capable of setting up their own respective buildings and departments at
those particular Regional Servers.

Real-Time Viewing and Alarm Monitoring. OnGuard now provides Multi-Region or Enterprise-
Wide Alarm Monitoring capabilities. Each client workstation can connect and log into any Regional
Server, and with proper permission, can view cardholder information, execute reports, and monitor
alarms in real-time. Within a single instance of Alarm Monitoring, full hardware control and event
monitoring is available.

Terms to Know
Replication Administration. An application that provides centralized management and
configuration of Enterprise systems and mobile stations. It is available in both the Enterprise and
standard versions of OnGuard, and the software license determines whether the database can be
configured as an Enterprise system or a mobile station. On an Enterprise system, it is used to manage
the Global Server, Regional Servers, and mobile stations from one location. On a standard system, it
is used to manage all mobile stations.

Enterprise Global Server. A central repository for cardholder, visitor, asset, and hardware
information. Updates to cardholder, visitor, asset, and hardware made at a Regional Server(s) are
replicated to the Global Server using the Replicator application and the LS Site Publication Server
service. The Global Server may be perceived as the “parent” to all of the Enterprise Servers, and is
now capable of having hardware attached to it. The Global Server must have an SQL Server or Oracle
database.

Enterprise Regional Server. An “independent” OnGuard access control server that is configured
with an Enterprise Global or Regional Server for the purpose of replicating data to the Enterprise
Server above it (or the Global) and sharing cardholder updates. There is no limit to the number or
levels of servers that may be configured above or beneath one another. A Regional Server may
be perceived as either a “parent” or “child” of any other Enterprise Server, including the Global. The
Enterprise Server must have an SQL Server or Oracle database.

Distributed ID Global Server. A server that allows Distributed ID/Mobile Badging clients to attach
and exchange cardholder updates. This type of server is NOT used in an Enterprise configuration; it is
described here for completeness.

Distributed ID Station or Mobile Badging Station. An OnGuard system with its own database
whose only purpose is to capture and update cardholder information. It is configured with a
Distributed ID Global Server which coordinates all Distributed ID activity. “Mobile Badging Station”
typically refers to a laptop computer configured with OnGuard and SQL Server Express database
software, and used with a digital camera to remotely capture cardholder photos and information and
upload them to the Global Server. It can use a SQL Server Express or SQL Server database. It doesn’t
even have to be a server; it can be a Windows workstation.

Enterprise Replication Strategy


Note: Event routing groups must be created on the Regional Server where they are expected to
be used. Event routing groups do not replicate.
In an Enterprise system, configuration data is made up of four different record types, each of which
follows a different set of replication rules:
• Hardware Records consist of configuration data that is set at the Region or child, and replicates
up to the Global or parent. Hardware records are replicated using the Replicator application,
service, and scheduler.
• Enterprise Records consist of configuration data that can be set at the Global, Region, or child,
and replicates both up and down. Enterprise records are replicated using the LS Site Publication
Server.
• System Records consist of configuration data that is set at the Global, and replicates down to the
regions. System records are replicated using the Replicator application, service, and scheduler.
• Log Records consist of transactional- and event-based data, used for reporting, that occurs at the
Region or child. This data replicates up to the Global or parent. Log records are replicated using
the LS Site Publication Server.
The following table lists all types of configuration data, and identifies which record type contains
them:

Enterprise Configuration Data and Record Types

Configuration Data    Hardware Records    Enterprise Records    System Records    Log Records

Access Levels/Elevator Control Levels X
Access Panels X
Action Groups X
Alarm Acknowledgments X
Alarm Definition (Custom Alarms) X
Alarm Mask Group X
Alarm Panels - Inputs/Outputs X
Alarm Priority X
Alarm Text and Audio X
Areas (Local and Global) X
Asset and Asset Assignments X
Asset Type, Sub Type, Classes, and Groups X
Badge Area Location X
Badge Types¹ X
Badge Layouts (BadgeDesigner) X
Card Format X
Cardholder Options X
Cardholders X
Device Groups X
Directories X
Event Routing X
Events X
Global I/O X
Global Output Server (GOS) - Recipients X
Global Output Server (GOS) - SMTP/Pager X
Holidays/Timezones X
Last Location Information²
List Builder - Non-system Lists X
List Builder - System Lists³ X
Local I/O X
Maps (MapDesigner) X
Matrix Switcher Type X
Matrix Switchers X
Monitor Stations X
Monitor Zones⁴ X
Password Policy Setting⁵ X
Readers X
Reports (Custom) X
Segments - Advanced Options X
Segments and Segment Groups⁴ X
System Options X
Time Zone/Reader Modes X
User-designed Forms (FormsDesigner)⁷ X
User Permission Groups⁶ X
User Transactions X
Users⁴ X
Video Archive Servers X
Video Events X
Video Recorders and Cameras X
Workstations X

¹ Badge Types are editable at the Global only, and then replicate down. For mobile
credentials, it is possible to modify the configuration at the Region to override the
association of a badge type to a Cumulus bundle. This configuration change is
specific to a region and is not replicated.
² Last Location data is replicated using the LS Site Publication Server, as is done with
log records. This data is not a Hardware, Enterprise, or System record.
³ System Lists include objects like Badge Status, which must be edited at the Global.
⁴ These are special objects that replicate both up and down. Exception: SA Delegate
users do not replicate.
⁵ In an Enterprise system, if user replication is enabled, all nodes (Regions and
Global) use the same password policy setting. A user can edit the password policy
setting in the Global node, but a user cannot edit the password policy setting in the
Region node.
In an Enterprise system, if user replication is not enabled, each node has its own
password policy setting. A user can edit the password policy setting in Regions or in
the Global.
⁶ Default Users and User Permission Groups do not replicate. Only customer-created
Users and User Permission Groups replicate. Exception: SA Delegate users do not
replicate.
⁷ User-defined Forms replicate via the UDF Form Download option, rather than via
system records download.

About this User Guide


This user guide includes information on how to set up an Enterprise system, including logging in for
the first time and creating the Enterprise databases for the Global, Regional Servers, and Mobiles. For
information on the Replication Administration application, refer to the Replication Administration
User Guide.
We strongly advise you to read through the entire user guide before proceeding, in order to
understand how the system components and processes interact with one another.

WARNING! DO NOT RESTORE any Global Server, Regional Server, or Distributed ID
database! This will likely corrupt the entire multiple-server Enterprise due to
the interaction between each database. DO NOT RESTORE any database
without first contacting LenelS2 OnGuard Technical Support.

Other Referenced User Guides


This user guide covers installing, configuring, and maintaining your Enterprise system. In addition to
this user guide, you should also consult the following user guides:

Replication Administration User Guide. The Replication Administration User Guide covers all
aspects of the Replication Administration application, which is used to monitor and administrate
Enterprise systems.

Replicator User Guide. The Replicator User Guide describes the Replicator application, which is
used to upload and download information between the various servers in your system.

CHAPTER 2 Before Installing an Enterprise Global or
Regional Server

Before continuing with your Enterprise installation, you should have already:
• Checked the OnGuard compatibility charts, located at
https://partner.lenel.com/downloads/onguard/software for the Windows, Microsoft SQL Server, and Oracle versions.
• Installed Windows on your server and performed all required networking and configuration. The
server should be configured on the network with the computer name, Network Domain or
Workgroup, and user account(s) you will need to run the server in its operating environment.
• Installed Microsoft SQL Server or Oracle.

Standards and Conventions


With multi-level Enterprise implementation, the system can grow rapidly to include multiple
geographically-located sites. The ability to determine object locations based on well-planned
standards and naming conventions is an important consideration in regard to customer satisfaction
and ease of use. As such, a Standards & Conventions Team should be appointed to manage the
creation and enforcement of a Naming Convention as well as hardware and software installation
standards.
Establishing standards and conventions will allow the Enterprise System to function smoothly and
logically, and make future growth painless. When working with multiple integrators and across
international boundaries, it is vital that Standards and Conventions are well-documented and
rigorously enforced.

Considerations/Recommendations
Minimum recommendations should include at least a 2-3 character Global/Regional Server prefix,
followed by a 2-3 character segment prefix, and then followed by a descriptive name for the object.
Other options can include detailed object names for each individual OnGuard object, i.e. ISC, readers,
alarm input, alarm output, access level, etc. This topic is covered in depth in the Professional
Engineering Service’s “Enterprise Planning Session” and you should follow the full implementation
of established guidelines.

Database Planning
It is important to be able to determine the storage space for both the Global and Regional Server
databases so that the correct server hardware can be purchased.

Global Database Planning


The Global database starts out as a standard database on the Global Server, which is then converted to
an Enterprise database. It stores the transactions that are replicated from the Regional Servers. The
Global Server must be large enough to store the transactions for all Regional Servers. Therefore, the
size of the Global Server depends on the number of Regional Servers and the amount of transactions
that will occur on each server.

Regional Server Database Planning


Just as a Global database does, a Regional Server database also starts out as a standard database,
which is then converted to an Enterprise database. A Regional Server database stores transactions that
will be replicated (copied) to the Global database. Like the Global Database, the size of the Regional
Server Database depends on the number of children servers and the amount of transactions that will
occur on each of its children servers. Transactions include hardware-generated events and user
transactions. Each transaction is approximately 300 bytes.
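
A worked sizing estimate using the approximately 300 bytes per transaction stated above, as an added T-SQL example that is not part of the LenelS2 documentation. The server names, daily transaction counts, and retention period are constructed assumptions, and the result covers raw transaction rows only (no indexes, cardholder data, or log file).

```sql
-- Added example: roll transaction storage up a multi-level Enterprise hierarchy.
-- Every value in the sample data below is constructed for illustration.
DECLARE @BytesPerTransaction int = 300;  -- approximate size stated in this guide
DECLARE @RetentionDays       int = 365;  -- assumption: days of transactions kept online

DECLARE @Servers TABLE (
    ServerName     sysname PRIMARY KEY,
    ParentName     sysname NULL,         -- NULL marks the Global Server
    LocalDailyTxns bigint  NOT NULL      -- hardware events + user transactions generated locally
);

-- Constructed hierarchy: one Global, two Regional Servers, two child servers.
INSERT INTO @Servers (ServerName, ParentName, LocalDailyTxns) VALUES
    (N'GLOBAL',    NULL,              0),
    (N'REGION-CA', N'GLOBAL',    400000),
    (N'REGION-NY', N'GLOBAL',    250000),
    (N'SITE-LA',   N'REGION-CA', 120000),
    (N'SITE-SF',   N'REGION-CA',  80000);

-- Pair every server with itself and with each of its descendants, because
-- transactions replicate upward to every parent, ending at the Global.
WITH Subtree AS (
    SELECT ServerName AS Ancestor, ServerName AS Member
    FROM @Servers
    UNION ALL
    SELECT st.Ancestor, s.ServerName
    FROM Subtree AS st
    JOIN @Servers AS s ON s.ParentName = st.Member
)
SELECT
    st.Ancestor               AS ServerName,
    SUM(m.LocalDailyTxns)     AS StoredDailyTxns,
    CAST(SUM(m.LocalDailyTxns) * @BytesPerTransaction * @RetentionDays
         / 1073741824.0 AS decimal(12, 2)) AS EstimatedGiB
FROM Subtree AS st
JOIN @Servers AS m ON m.ServerName = st.Member
GROUP BY st.Ancestor
ORDER BY StoredDailyTxns DESC;
```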

Overview of ODBC DSN Connections


Before you install a Global or Regional Server, it is good to be familiar with how ODBC DSN
connections function on an Enterprise system. An ODBC DSN will need to exist to access the
database on the Global Server and on all the Regional Servers. An ODBC DSN is created during the
OnGuard software installation. The ODBC is used by Replication Administration to configure the
database as an Enterprise database.
An ODBC DSN will need to be created from each Regional Server to the Global Server. These
ODBC DSNs are created when a database is configured as a Regional Server. Use the “Create New
ODBC Data Source” option when configuring the Regional Server or Distributed ID Mobile Station.
If using Windows or Windows Server with UAC turned on, when you create ODBC data sources you
will be prompted to allow or deny the command. If you are running the application with a Windows
account that does not have administrator permissions you will be prompted for administrator
credentials.
The following is a diagram of how ODBC DSNs work on OnGuard Enterprise systems:

[Figure: ODBC DSN Connections on an Enterprise System. Tiers shown: Enterprise Global (Global); Enterprise Region (Regional Server 1, Regional Server 2, Regional Server 3); Distributed ID Global; Distributed ID Mobile (Mobile 1, Mobile 2).]

ODBC DSNs will automatically be created from every workstation running Replication
Administration to each server viewed in Replication Administration. The following diagram
illustrates this:

[Figure: Replication Administration and ODBC DSN Connections on an Enterprise System. Replication Administration is shown alongside the tiers: Enterprise Global (Global); Enterprise Region (Regional Server 1, Regional Server 2, Regional Server 3); Distributed ID Global; Distributed ID Mobile (Mobile 1, Mobile 2).]

Typically Replication Administration is connected to the Enterprise Global Server, and all Regional
Servers are also shown. You can also connect directly to Regional Servers, where Distributed ID
Mobile Stations will be shown. Why would you do this? There are a number of reasons, including:
• To change a schedule that is specific to a Regional Server
• To log into a mobile unit because you have to actually see the transactions
• To do something simple and specific to a Regional Server, such as view transactions or modify a
transaction
• If you don’t have access to the Global Server

CHAPTER 3 Server Configuration Overview

This chapter outlines the process for setting up Enterprise systems and Distributed ID Management
systems.

Enterprise System Setup Overview


An Enterprise system consists of a Global Server and one or more Regional Servers.

Enterprise Global Server System Setup


On the Enterprise Global Server computer:
1. Install Windows. Refer to the release notes for the versions of Windows that are supported. The
release notes are located on the root directory of the OnGuard 8.2 Enterprise installation media.
2. Install and Configure the Database Software.
3. If your installation will use a hardware key for licensing, install the key’s drivers before installing
the OnGuard software.
4. Install the OnGuard 8.2 Enterprise software.
a. Install the OnGuard software on the workstation designated as the server prior to installing
OnGuard on each of the other (client) workstations on the OnGuard network.
For detailed installation instructions, refer to Chapter 5: Installing OnGuard 8.2 Enterprise
on page 47. After OnGuard 8.2 Enterprise has been installed, the Enterprise Global Server
features can be enabled.
b. Attach the hardware key on the OnGuard License Server computer. For more information,
refer to Attach the Hardware Key (License Server Only) on page 48.
c. After OnGuard installs, Setup Assistant runs automatically. Setup Assistant includes the
following:
• Security Utility
• Configuration Editor (if Setup Assistant detects that the database or License Server
configuration is not consistent between the application.config and ACS.INI files, or
Setup Assistant cannot connect to the database or the License Server)
• System License (License Administration)
• Service Log On
• Database Installation (for new server installations with SQL Express)
• Database Backup (if upgrading an existing installation)
• Database Setup (for server installations)
• Service Startup
For more information, refer to the Setup Assistant section in the Installation Guide.
5. Configure the server to be an Enterprise Global for the OnGuard software. For more information,
refer to Configure the Global Server Database on page 84.

Regional Server System Setup


On each Regional Server computer:
1. Install Windows. Refer to the release notes for the versions of Windows that are supported. The
release notes are located on the root directory of the OnGuard 8.2 Enterprise installation media.
2. Install and Configure the Database Software. For more information, refer to Chapter 4: Microsoft
SQL Server on page 31.
3. If your installation will use a hardware key for licensing, install the key’s drivers before installing
the OnGuard software.
4. Install the OnGuard 8.2 Enterprise software.
a. Install the OnGuard software on the workstation designated as the server prior to installing
OnGuard on each of the other (client) workstations on the OnGuard network.
For detailed installation instructions, refer to Chapter 5: Installing OnGuard 8.2 Enterprise
on page 47. After OnGuard 8.2 Enterprise has been installed, the Regional Server features
can be enabled.
b. Make sure that the hardware key is attached to the OnGuard License Server computer, and
that the License Server is running. For more information, refer to Attach the Hardware Key
(License Server Only) on page 48.
c. After OnGuard installs, Setup Assistant runs automatically. Setup Assistant includes the
following:
• Security Utility
• Configuration Editor (if Setup Assistant detects that the database or License Server
configuration is not consistent between the application.config and ACS.INI files, or
Setup Assistant cannot connect to the database or the License Server)
• System License (License Administration)
• Service Log On
• Database Installation (for new server installations with SQL Express)
• Database Backup (if upgrading an existing installation)
• Database Setup (for server installations)
• Service Startup
For more information, refer to the Setup Assistant section in the Installation Guide.
5. Configure the server to be a Regional Server for the OnGuard software. For more information,
refer to Configure the Regional Server Database on page 87.
6. Download all cardholders to the new Regional Server. For more information, refer to Perform a
Full Download to the Regional Server on page 91.
7. Configure the LS Site Publication Server and LS Replication services to run automatically.
8. Schedule Replicator actions.

Distributed ID Management System Setup Overview


A Distributed ID Management system consists of a Distributed ID Global Server, and one or more
Distributed ID/Mobile Stations.

Distributed ID Global Server Setup


On the Distributed ID Global Server:
1. Install Windows. Refer to the release notes for the versions of Windows that are supported. The
release notes are located on the root directory of the OnGuard 8.2 Enterprise installation media.
2. Configure the computer for TCP/IP.
3. Install and Configure the Database Software. For more information, refer to Chapter 4: Microsoft
SQL Server on page 31.
4. If your installation will use a hardware key for licensing, install the key’s drivers before installing
the OnGuard software.
5. Install the OnGuard 8.2 Enterprise software.
a. Install the OnGuard software on the workstation designated as the server prior to installing
OnGuard on each of the other (client) workstations on the OnGuard network.
For detailed installation instructions, refer to Chapter 5: Installing OnGuard 8.2 Enterprise
on page 47. After OnGuard 8.2 Enterprise has been installed, the Distributed ID Global
Server features can be enabled.
b. Make sure that the hardware key is attached to the OnGuard License Server computer, and
that the License Server is running. For more information, refer to Attach the Hardware Key
(License Server Only) on page 48.
c. After OnGuard installs, Setup Assistant runs automatically. Setup Assistant includes the
following:
• Security Utility
• Configuration Editor (if Setup Assistant detects that the database or License Server
configuration is not consistent between the application.config and ACS.INI files, or
Setup Assistant cannot connect to the database or the License Server)
• System License (License Administration)
• Service Log On
• Database Installation (for new server installations with SQL Express)
• Database Backup (if upgrading an existing installation)
• Database Setup (for server installations)
• Service Startup
For more information, refer to the Setup Assistant section in the Installation Guide.
6. Configure the server to be a Distributed ID Global Server. For more information, refer to
Configure a Distributed ID Global Server on page 78.
7. Using the System Administration software, define your access control system hardware and
monitoring environment. (For more information, refer to the System Administration and Alarm
Monitoring User Guides.)

Distributed ID/Mobile Station Setup


On each Distributed ID/Mobile Station:
1. Install Windows. Refer to the release notes for the versions of Windows that are supported. The
release notes are located on the root directory of the OnGuard 8.2 Enterprise installation media.
2. Configure the computer for TCP/IP.
3. Install and Configure the Database Software. For more information, refer to Chapter 4: Microsoft
SQL Server on page 31.
4. If your installation will use a hardware key for licensing, install the key’s drivers before installing
the OnGuard software.
5. Install the OnGuard 8.2 Enterprise software.
a. Install the OnGuard software on the workstation designated as the server prior to installing
OnGuard on each of the other (client) workstations on the OnGuard network.
For detailed installation instructions, refer to Chapter 5: Installing OnGuard 8.2 Enterprise
on page 47. After OnGuard 8.2 Enterprise has been installed, the Distributed ID Mobile
client features can be enabled.
b. Make sure that the hardware key is attached to the OnGuard License Server computer, and
that the License Server is running. For more information, refer to Attach the Hardware Key
(License Server Only) on page 48.
c. After OnGuard installs, Setup Assistant runs automatically. Setup Assistant includes the
following:
• Security Utility
• Configuration Editor (if Setup Assistant detects that the database or License Server
configuration is not consistent between the application.config and ACS.INI files, or
Setup Assistant cannot connect to the database or the License Server)
• System License (License Administration)
• Service Log On
• Database Installation (for new server installations with SQL Express)
• Database Backup (if upgrading an existing installation)
• Database Setup (for server installations)
• Service Startup
For more information, refer to the Setup Assistant section in the Installation Guide.
6. Configure the server to be a Distributed ID Mobile client.
7. Using the System Administration software, define your access control system hardware and
monitoring environment. (For more information, refer to the System Administration and Alarm
Monitoring User Guides.)

Database Management Systems
CHAPTER 4 Microsoft SQL Server

Refer to the Compatibility Charts to determine which versions of SQL Server are compatible with
OnGuard 8.2. Compatibility charts list currently supported OnGuard versions and components and
are available on the LenelS2 Web site: https://partner.lenel.com/downloads/onguard/.
To access OnGuard Compatibility Charts from the Web site:
1. Click the Choose product or service drop-down and select OnGuard.
2. Click the Choose version drop-down and select OnGuard 8.2.
3. Click the Choose type of download drop-down and select Compatibility Charts.
There are several editions of SQL Server; refer to the release notes for specific support information.

IMPORTANT: If you have SQL Server Express installed on your system, the database
software will not be automatically upgraded during the OnGuard upgrade. If
you want to upgrade your database software, instructions for upgrading to a
supported version of SQL Server Express are provided in this chapter.
The following sections will show you how to install and upgrade SQL Server.
• SQL Server Express Edition on page 32.
– Installing SQL Server Management Tools on page 32.
• SQL Server Standard Edition on page 32.

Prerequisites
The following prerequisites are required prior to installing SQL Server:
• Microsoft .NET Framework 4.6.1
• Microsoft Windows Installer 4.0 or later
• Microsoft Windows PowerShell

Note: Enable Windows PowerShell on supported operating systems.

SQL Server Express Edition


Notes: Some of the procedures in this chapter require the use of SQL Server Management
Studio. Beginning with Supplemental Materials media revision 16, the SQL Server
Management Tools are no longer included. SQL Server Management Tools for
Microsoft SQL Server Express are included with Microsoft SQL Server Management
Studio Express, and are available at www.microsoft.com. If using a full version of SQL
Server, SQL Server Management Studio is included in the full version.
SQL Server Express installers are available on the Supplemental Materials media.

Installing or Upgrading SQL Server 2019 Express Edition


For information on installing SQL Server 2019 Express Edition, refer to
https://docs.microsoft.com/en-us/sql/database-engine/install-windows/install-sql-server?view=sql-server-ver15.
For information on upgrading to SQL Server 2019 Express Edition, refer to
https://docs.microsoft.com/en-us/sql/database-engine/install-windows/upgrade-sql-server?view=sql-server-ver15.

Installing or Upgrading SQL Server 2017 Express Edition


For information on installing SQL Server 2017 Express Edition, refer to
https://docs.microsoft.com/en-us/sql/database-engine/install-windows/installation-for-sql-server?view=sql-server-2017.
For information on upgrading to SQL Server 2017 Express Edition, refer to
https://docs.microsoft.com/en-us/sql/database-engine/install-windows/upgrade-sql-server?view=sql-server-2017.

Installing SQL Server Management Tools


SQL Server Management Studio is required if the server will use Database Authentication or
Windows single sign-on. SQL Server Management Studio is available at www.microsoft.com.

Note: If using a full version of SQL Server, SQL Server Management Studio is already
installed and should be used instead.

SQL Server Standard Edition


The instructions that follow are for the Standard edition. The installation and upgrade steps for SQL
Server are very similar. Special considerations for upgrades are noted in the appropriate steps. When
performing an upgrade, nothing should be connected; that is, no clients should be logged on. There can be
no software connections to the database when the upgrade is performed, so all OnGuard LS and LPS
services, including the LS Communication Server, must be stopped.

Note: Before upgrading SQL Server, be sure to back up your database.

Installation Steps
To perform the installation, complete the following steps:
1. Installing or Upgrading SQL Server 2019 on page 33.
2. Configuring SQL Server on page 35.
a. Create the Database on page 35.
b. Create a Login on page 36.
c. Set Memory Usage on page 37.
d. Truncate the Log File on page 37.
e. Determine the Database Archive Plan on page 38.

Upgrade Steps
• SQL Server on page 33.
• Set Memory Usage on page 37.

SQL Server

Installing or Upgrading SQL Server 2019


For information on installing SQL Server 2019, refer to
https://docs.microsoft.com/en-us/sql/database-engine/install-windows/install-sql-server?view=sql-server-ver15.
For information on upgrading to SQL Server 2019, refer to
https://docs.microsoft.com/en-us/sql/database-engine/install-windows/upgrade-sql-server?view=sql-server-ver15.

Installing or Upgrading SQL Server 2017


For information on installing SQL Server 2017, refer to
https://docs.microsoft.com/en-us/sql/database-engine/install-windows/installation-for-sql-server?view=sql-server-2017.
For information on upgrading to SQL Server 2017, refer to
https://docs.microsoft.com/en-us/sql/database-engine/install-windows/upgrade-sql-server?view=sql-server-2017.

Installing or Upgrading SQL Server 2016

Note: Before installing or upgrading SQL Server 2016, refer to Prerequisites on page 31. If
you do not have these prerequisites prior to installing or upgrading SQL Server, the
setup will prompt you before installing them.
1. Insert the SQL Server disc.
If the SQL Server Installation Center does not automatically appear, open the Windows Run
dialog and browse for setup.exe on the disc drive. Alternatively, you can run setup.exe from
Windows Explorer.
2. The SQL Server Installation Center is shown. Click Installation from the left pane, then:
• For new installations, click New SQL Server stand-alone installation or add features to
an existing installation.
• For upgrades, click Upgrade from SQL Server.
3. The Product Key window is shown. Enter your product key and click [Next].
4. In the License Terms window:
a. If you agree with the license terms, select I accept the license terms.
b. Click [Next].

5. The Microsoft Update window is shown. Select Use Microsoft Update to check for updates
(recommended), and then click [Next].
6. The Install Setup Files window is displayed. If an error is shown, click [Next]. If no error is
shown, the installation will proceed to the next step automatically.
7. After the setup files have been installed in the Install Setup Files window, the Install Rules/
Upgrade Rules runs again to identify potential issues. You must resolve any failures before setup
can continue. Once the check completes successfully, click [Next].
8. New installations only: The Setup Role step installs the SQL Server Feature configuration. Select
SQL Server Feature Installation, and then click [Next].
9. Upgrade only: In the Select Instance window, select the Instance to upgrade from the drop-
down and click [Next].
10. In the Select Features window, under Instance Features, select Database Engine Services and
Full-Text and Semantic Extractions for Search. Then click [Next].

Notes: For upgrades, these features may already be selected and it might not be possible to
change the selections.
In earlier SQL Server versions, you could install SQL Server Management Studio as
part of this installation process. The SQL Server 2016 installation does not include SQL
Server Management Studio. Download and install SQL Server Management Studio
separately from this installation procedure.

11. New installations only: In the Feature Rules window, click [Next] if an error is shown. If no error
is shown, the installation will proceed to the next step automatically.
12. In the Instance Configuration window:
• For new installations, select Default instance, and then click [Next].
• For upgrades, the Named instance should already be selected. Click [Next].
13. The Server Configuration window is displayed.
• For new installations:
1) On the SQL Server Agent, click the drop-down menu under Account Name for the SQL
Server Agent service.
2) Select Browse.
3) Click [Advanced].
4) Click [Find Now].
5) Select SYSTEM from the search results.
6) Click [OK].
7) On the SQL Server Agent, SYSTEM appears in the Object Name field. Click [OK]. You
will see “NT AUTHORITY\SYSTEM” under Account Name.
8) Repeat these steps for the SQL Server Database Engine service.
9) Click [Next].
• For upgrades, click [Next].
14. New installation only: In the Database Engine Configuration window:
a. Select the Mixed Mode radio button.
b. Enter and confirm a password for the SQL Server system administrator account.
c. Click [Add].
d. In the Select Users or Groups window, click [Advanced].

e. Change the From this location field to the local machine by clicking [Locations] and
selecting the local machine from the list.
f. Click [Find Now], then select Administrators from the Search results listing window.
g. Click [OK], then click [OK] again to close the Select Users or Groups window.
h. The BUILTIN\Administrators group should now appear in the Specify SQL Server
administrators listing window. Click [Next].
15. Upgrade only: In the Full-text Upgrade window, select Import, and then click [Next].
16. In the Feature Configuration Rules/Feature Rules window, if any rules do not show a status of
Passed, correct the issue and then click [Re-run]. Once all rules pass, click [Next].
17. In the Ready to Install or Ready to Upgrade window, click [Install] or [Upgrade] to begin the
installation.
18. In the Complete window, click [Close].
19. Close the SQL Server Installation Center.
20. Reboot the computer, even if you are not prompted to do so. This completes the installation of
SQL Server. You can now configure SQL Server. For more information, refer to Configuring
SQL Server on page 35.

Configuring SQL Server

Create the Database

Note: Unless otherwise indicated, the selections made during database creation are minimal
options necessary for the operation of the OnGuard database. Your IT department might
require that these selections are increased, but it is recommended they not be reduced.
In particular, the SQL Server selection for Recovery Model should be selected based on
the expectation of data recovery in the event of database failure:
Recovery Model Simple - The database can be restored to the point of the last backup.
This provides simple but effective protection.
Recovery Model Full - The database can be restored to the last transaction prior to the
failure. This requires more management, but also provides better protection than the
Simple Recovery Model.
1. In Windows, open the SQL Server Management Studio.
2. Select your method of authentication, provide credentials if required, and click [Connect].

Note: If using SQL authentication, use SA.


3. In the Object Explorer pane, expand the Databases folder. Right-click the Databases folder and
select New Database.
4. The New Database window is displayed. On the General page:
a. In the Database name field, type ACCESSCONTROL (this is case-insensitive).
b. Set the Initial Size (MB) of the Data file to 50.
c. Set the Initial Size (MB) of the Log file to 10.
d. Scroll to the right in the Database files listing window and click the browse button in the
Autogrowth/Maxsize column of the log file row.
e. Under Maximum File Size, select the Unlimited radio button.
f. Click [OK].
5. Select the Options page from the Select a page pane.

a. In the Recovery model drop-down, select “Simple”.


b. Verify that the Compatibility level drop-down is set to the proper compatibility level for
your SQL Server version.
c. In the Other options list view, set the Auto Create Statistics, Auto Shrink, Auto Update
Statistics, and Recursive Triggers Enabled drop-downs to “True”.
d. Click [OK].

Create a Login
1. In the Object Explorer pane of the SQL Server Management Studio, expand the Security folder.
2. Right-click the Logins folder and select New Login.
3. In the General page of the Login window:
a. In the Login name field, type LENEL.

Note: By default, the login name for the OnGuard database is “Lenel.” This can now be
customized as needed. If this name is changed, make sure to update or set up a
corresponding user account in your database.
b. Select the SQL Server authentication radio button.
• For Password, type Secur1ty# (default password).
• Retype the password in the text field to confirm it.

Note: The SQL Server password is case-sensitive.


c. Deselect the Enforce password policy, Enforce password expiration, and User must
change password at next login check boxes.

Note: If you choose to select the Enforce password expiration check box, you will be
required by SQL Server to select a new login password at regular intervals. When the
login password is changed by SQL Server, it must also be updated with the Login
Driver. Failure to update the Login driver will cause OnGuard not to function properly.
4. In the Server Roles page of the Login window:
• Most users should select the dbcreator, public, serveradmin, and sysadmin check boxes.
• Advanced users should only select the public check box.
5. In the User Mapping page of the Login window:
a. Select the master and tempdb check boxes.
b. Click [OK].
6. Recommended settings for lenel account user:

Note: For advanced users who do not want the database owned by lenel, proceed to step 7.
a. In the Object Explorer pane of SQL Server Management Studio, right-click on the OnGuard
database and select New Query. A query tab is shown.
b. In the text window, type sp_changedbowner lenel.
c. Press <F5> to execute the command.
d. The message Command(s) completed successfully is shown in the Messages tab.
e. Click the close (“X”) button to close the query tab, then click [No] when prompted if you
want to save the changes.
f. Proceed to Set Memory Usage on page 37.
7. For advanced users, the minimum required lenel user account settings are:

a. In the Object Explorer pane of SQL Server Management Studio, right-click on the OnGuard
database you just created and select New Query. A query tab is shown.
b. In the text window, type:
• CREATE ROLE db_executor
• GRANT EXECUTE TO db_executor
c. Press <F5> to execute the command.
d. The message Command(s) completed successfully is displayed in the Messages tab.
e. Click the close (“X”) button to close the query tab, then click [No] when prompted if you
want to save the changes.
f. Select the Login - New dialog, which should already be open but might be hidden by
another window.
g. Select User Mapping from the Select a page pane, and then select the ACCESSCONTROL
database.
h. Select (check) the following roles:
• public
• db_datareader
• db_datawriter
• db_ddladmin
• db_executor
i. Click [OK].
j. The new login appears in the Logins folder.

Note: At this point the lenel user account provides OnGuard functionality only. Any database
level administration, such as backups and restores, must be performed by a different
user with the appropriate permissions.
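
The step 7 settings can also be applied and checked from a query window. The following T-SQL is an added example, not a LenelS2 script. It assumes the LENEL login already exists (steps 1 through 5), that the database is named ACCESSCONTROL, and that step 6 (database ownership) was not used.

```sql
-- Added example (not from the OnGuard guide): apply the step 7 role
-- assignments in T-SQL, then verify what the login can actually do.
-- Assumptions: login LENEL already exists, database ACCESSCONTROL,
-- and the login does not own the database (step 6 was skipped).

USE ACCESSCONTROL;
GO

-- Step 7b: a role that carries EXECUTE permission on the database.
IF DATABASE_PRINCIPAL_ID(N'db_executor') IS NULL
    CREATE ROLE db_executor;
GRANT EXECUTE TO db_executor;
GO

-- Steps 7g-7h: map the login into the database and add the roles.
-- Membership in public is implicit and needs no statement.
IF DATABASE_PRINCIPAL_ID(N'LENEL') IS NULL
    CREATE USER LENEL FOR LOGIN LENEL;
ALTER ROLE db_datareader ADD MEMBER LENEL;
ALTER ROLE db_datawriter ADD MEMBER LENEL;
ALTER ROLE db_ddladmin   ADD MEMBER LENEL;
ALTER ROLE db_executor   ADD MEMBER LENEL;
GO

-- Check 1: fixed server roles held by the login.
-- For the "advanced users" choice in step 4 this returns no rows.
-- For the "most users" choice it lists dbcreator, serveradmin, and sysadmin.
SELECT r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS l ON l.principal_id = m.member_principal_id
WHERE l.name = N'LENEL';

-- Check 2: database roles held in ACCESSCONTROL.
-- Expected after step 7: db_datareader, db_datawriter, db_ddladmin, db_executor.
SELECT r.name AS database_role
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = N'LENEL'
ORDER BY r.name;

-- Check 3: password settings from step 3, and whether the login still
-- uses the documented default password (1 = still the default).
-- Reading password_hash requires a server administrator connection.
SELECT name,
       is_policy_checked,
       is_expiration_checked,
       PWDCOMPARE(N'Secur1ty#', password_hash) AS still_default_password
FROM sys.sql_logins
WHERE name = N'LENEL';
```

If Check 3 reports that the default password is still in use and you change it, update the Login Driver as well, as described in the note under step 3.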

Set Memory Usage


1. In the Object Explorer pane of the SQL Server Management Studio, right-click on the database
engine <ServerName> and select Properties.
2. Select the Memory option on the Select a page pane.
3. Set the Maximum server memory (in MB) option to be roughly one half of your system’s
actual memory. This will make sure that the database does not use your entire system’s memory,
which would needlessly slow down your system.
4. Click [OK].

Truncate the Log File


1. In the Object Explorer pane of the SQL Server Management Studio, right-click the OnGuard
database, then select Tasks > Shrink > Files.
2. The Shrink File window is displayed.
a. In the File type drop-down, select “Log”.
b. Select the Release unused space radio button.
c. Click [OK].

Determine the Database Archive Plan


In addition to creating the required Live database, OnGuard provides two options for archiving
Events, Events Video Location, Alarm acknowledgments, User Transactions, Visits Records, and
specific event types from the Live database tables, as a way of keeping the database from growing so
large over time that system performance is affected.
• Archive to text files
• Archive to an Archival database
If you plan to archive the Live database to an Archival database, then create the Archival database by
performing the following steps.

Note: By default, OnGuard replicates all data that can be archived to the Global Server. For
this reason, you might wish to Archive to database on the Global Server only.
1. Perform all of the previous steps to create the Live database.
2. Repeat the Create the Database on page 35 steps again to create the Archival database, changing
the Database name to ACCESSCONTROL_ARCHIVAL.
3. Repeat step 1 from the Create a Login on page 36 procedure again.
4. Double-click on the existing lenel user account.
5. Select the User Mapping page.
6. Repeat steps 6a through 6e, or steps 7a through 7i, from the Create a Login on page 36 procedure
again, depending on how you configured the Live database. The Archival database is now ready
for use.
For detailed information about the Live and Archival databases, refer to the Archives Folder chapter
in the System Administration User Guide.

Create ReportsConfig Database for OnGuard Reporting


Setup Assistant creates the ReportsConfig database automatically. For more information, refer to
OnGuard Reports & Dashboards Database on page 54.

Notes: You must run Setup Assistant whenever you use Configuration Editor or ODBC Data
Source Administrator (32-bit) to change database parameters, or whenever you
change database parameters in the application.config or ACS.ini files. Setup Assistant
will then modify the JReport configuration files (for example, C:\Program
Files\JReport\Server\bin\dbconfig.xml and C:\ProgramData\Lnl\reports.cat.xml)
on the reports host workstation to reflect your database parameter changes.
The naming convention for the ReportsConfig database is <Live OnGuard database
name>_ReportsConfig. Since the default name of the Live OnGuard database is
AccessControl, the default name of the ReportsConfig database is
AccessControl_ReportsConfig. But if you manually changed the name of your Live
OnGuard database to AccCtrl, for example, then your ReportsConfig database must be
named AccCtrl_ReportsConfig.

If you want to configure the reports function in OnGuard manually, you must first create a separate
database to support that function:
1. Create a new SQL database named AccessControl_ReportsConfig. Follow the process
described in Create the Database on page 35 to create this database.
2. Assign a Windows authenticated user as described in Add the Windows user to SQL Server on
page 67.

Note: Configure the User Mapping section as described in step 6, applying those selections to
the new AccessControl_ReportsConfig database.

Configure SQL Server for OnGuard Reporting


To configure SQL Server to support OnGuard Reporting:
1. Open the SQL Server Configuration Manager.
2. Select SQL Server Network Configuration > Protocols for MSSQLSERVER.
3. Change the status of the TCP/IP protocol to Enabled.

Using Azure SQL Databases with OnGuard

Overview
Describe the concept of how OnGuard is used with Azure SQL, and highlight the considerations.

Considerations for using Azure SQL with OnGuard

Cost and sizing


For more information about the costs and sizing of using an Azure SQL database when configuring
an OnGuard installation, refer to the OnGuard Deployment Guide, which can be downloaded from
the LenelS2 Partner Center web site: https://partner.lenel.com/.

Local and regional redundancy


Local and regional redundancy are important considerations when using Azure SQL to ensure high
data availability and protection.
• Local redundancy: Local redundancy can be achieved by using Azure SQL’s automatic backups
and point-in-time restore features. These features ensure that you can restore data to a previous
state if there is accidental data deletion or corruption. You can use options that do not change the
operation of the database from OnGuard’s point of view. You should consider performance
changes that might be caused by the selected options, and follow the Azure SQL guidance on
how these affect database usage.
• Regional redundancy: Regional redundancy can be achieved by using Azure SQL’s geo-
replication feature. This feature creates a secondary copy of the database in a different region,
providing redundancy in the event of a regional outage.
• High availability: High database availability can be achieved by using Azure SQL’s failover
groups feature. This feature allows for automatic fail-over to a secondary database in the event of
a primary database outage. You should evaluate cost and performance on a system-by-system
basis, as these are a specific function of Azure SQL and the selected options.

Networking with Azure SQL


You should consider the network environment when using Azure SQL with OnGuard. The network
environment should be decided by the end-user’s IT department along with the system integrator. As
with any OnGuard environment, connectivity of the systems, services, and clients must be available
and maintained. Virtual Private Cloud, site-to-site VPN, and virtual networks might be required.
LenelS2 does not provide IT services in support of this configuration.

References
Additional information from Microsoft:
• Provision an Azure SQL database to store application data
• Quickstart: Create a single database - Azure SQL Database

Prerequisites
• Using an Azure SQL database assumes that you know how to get to Azure SQL, and have the
ability to set up and configure a database in that platform
• You have an Azure SQL account
• Content from KB: Installing OnGuard on SQL Azure

Create the Azure SQL Server and Databases


Perform the following steps to create an Azure SQL server and the databases required to support
OnGuard.

Create SQL Database - Basics


Perform the following steps to configure the basics for your Azure SQL server and databases:

Notes: The databases must be in the same region as OnGuard for expected performance.
You will use the same resource group for both the Azure SQL database and for the
OnGuard server.

1. Log into your Microsoft Azure account.


2. Under Azure services, click SQL databases > Create. The Create SQL Database - Basics
page opens.
3. In the Subscription drop-down, select your existing subscription.
4. Beneath the Resource group drop-down, click Create new.
5. Give the new resource group a Name, then click [OK].
6. In the Database name field, type AccessControl.
7. Beneath the Server drop-down, click Create new.
8. On the Create SQL Database Server page, type a name in the Server name field.
9. In the Location drop-down, select the same geographic location you will choose for your
OnGuard server.
10. For Authentication method, select Use both SQL and Azure AD authentication.
11. Beneath Set Azure AD admin, click Set admin.
12. In the Azure Active Directory side panel, select your Azure Active Directory admin, then click
[Select].
13. In the Server admin login field, type SA.
14. In the Password and Confirm password fields, type the administrator’s password.
15. Click [OK].
16. For the Want to use SQL elastic pool? radio buttons, select either Yes or No.

Note: An elastic pool can help you better manage your workload so that the Azure SQL
database can adapt automatically to peak and non-peak usage within your OnGuard
system.
17. For the Workload environment radio buttons, select Production for a live OnGuard system. If
you’re creating an OnGuard system for testing purposes, select Development.

Note: You can select Development when you’re initially configuring and testing your
OnGuard system, then change it to Production when you’re ready to use the system for
actual business.
18. If you selected Yes for using an elastic pool, click Create new beneath Elastic pool, type the
name of your elastic pool in the field, then click [OK].
19. If you selected Yes for using an elastic pool, beneath Compute + storage, click Configure
elastic pool.
20. On the Configure page, in the Service tier drop-down, select General Purpose (Scalable
compute and storage options).
21. Beneath Hardware Configuration, click Change configuration, then select the configuration
required to support your system usage. LenelS2 recommends Standard-series (Gen5). Click
[OK].
22. For the Save money radio buttons, select Yes if you want to use the Azure hybrid model.
Otherwise, select No.

Note: Your choice of Azure SQL Licensing does not affect your OnGuard installation.
Licensing is the responsibility of the end-user.
23. Use the slider to select the number of vCores (virtual cores) your system requires.
24. Use the slider to select the Data max size (GB) your system requires.
25. Under Zone Redundancy, select Yes if you want your OnGuard data to be replicated across
multiple zones within the same region, and then make the appropriate configuration choices.
Otherwise, select No.
26. Click [Apply].
27. Choose one of the Backup storage redundancy options.
• Select Locally-redundant backup storage if you want your OnGuard data to be backed up
on the same server as your active database’s region.
• Select Zone-redundant backup storage if you want your OnGuard data to be backed up in
the same region as your active database’s region.
• Select Geo-redundant backup storage if you want your OnGuard data to be backed up in a
different region than your active database’s region.
28. Click [Next: Networking]. The Create SQL Database - Networking page opens.

Create SQL Database - Networking


Make choices in this section to establish network connectivity to your Azure SQL database according
to your own requirements, and to ensure connectivity with your OnGuard environment.

Create SQL Database - Security


Make choices in this section to secure your Azure SQL database according to your own requirements.
OnGuard does not require any of these security settings to perform normally. Either accept all of the
defaults, or make your own configuration:
1. Under Microsoft Defender for SQL, select Not now.

2. Under Ledger, leave the configuration set to Not configured.


3. Under Identity, leave the configuration set to Not configured.
4. Under Transparent data encryption, leave the configuration set to Service-managed key
selected.

Note: For more information about service-managed keys and customer-managed keys, refer to
“Transparent Data Encryption” in the Advanced Installation Guide, or refer to the
Microsoft article http://msdn.microsoft.com/en-us/library/bb934049.aspx.
5. Click [Next: Additional settings]. The Create SQL Database - Additional settings page opens.

Create SQL Database - Additional settings


Perform these steps to customize additional configuration parameters for your Azure SQL server:
1. Under Data source, select None.
2. Under Database collation, leave the default SQL_Latin1_General_CP1_CI_AS.
3. Under Maintenance window, leave the default System default (5pm to 8am).
4. Click [Next: Tags]. The Create SQL Database - Tags page opens.

Create SQL Database - Tags


Perform these steps to configure how you categorize and view billing information for your Azure
SQL server:

Note: OnGuard has no specific requirements for tagging, but the option is available to help
you organize your installation.
1. Under Name, type a name into the field (for example, Owner).
2. Under Value, type a value into the field (for example, the name of the person in your Billing
department responsible for the cost of your Azure SQL server).
3. Under Resource, use the drop-down to select the appropriate resources (for example, select the
SQL Azure resources for which the named Owner will pay).
4. If you want more categories for billing and reporting purposes, create additional name/value pairs.
5. Click [Next: Review + create]. The Create SQL Database - Review + create page opens.

Create SQL Database - Review + create


Perform these steps to review and create your Azure SQL server:
1. Review the summary of your Azure SQL server and database.
2. If you want to modify a configuration, click [Previous] and make the necessary changes. Then
return to this page.
3. Click [Create].

Note: Deploying the new server and database will take several minutes.

Create OnGuard Reports and Dashboards Database


Repeat the steps above to create the OnGuard Reports and Dashboards database.

Create Archiving Database


Repeat the steps above to create the archiving database.

Adding Clients
• Based on the network by the VAR - see above networking
• In this section, the VAR/IT must be able to provide for access to the Azure SQL database server
for their OnGuard clients
• Potential list of 'clients' for OnGuard
– OnGuard server
– All service
– All installed clients
– OpenAccess
– ODBC connectivity

Migrating an Existing OnGuard Database to SQL Azure


Microsoft provides several options to migrate an existing SQL database into an Azure SQL database.
It is not possible to use your existing MDF files when migrating an existing OnGuard SQL database
into Azure SQL.
Options for migrating an existing database into Azure SQL include:
• Export the database to SQL scripts, and then run the scripts in Azure SQL
• Export the database using Microsoft SQL Management Studio’s built-in Deploy Database to
Windows Azure SQL Database option.
• Export the database using Microsoft Data Migration Assistant.
For more information, refer to:
https://learn.microsoft.com/en-us/azure/azure-sql/migration-guides/database/sql-server-to-sql-database-guide?view=azuresql


OnGuard Installation and
Configuration
CHAPTER 5 Installing OnGuard 8.2 Enterprise

This chapter describes the prerequisites and procedure for installing OnGuard 8.2 Enterprise.

OnGuard 8.2 Enterprise Installation Prerequisites


Before you install OnGuard you must first install the third-party requirements from the OnGuard
Supplemental Materials media. Windows Service Packs are also required but are not provided on the
Supplemental Materials media. See the OnGuard release notes on the Installation media to see which
service packs are required for your operating system.
1. Insert the OnGuard Supplemental Materials media into a computer running the Windows
operating system.
2. Install Adobe Reader, which is required to read the OnGuard help documentation.

Note: Microsoft .NET Framework 3.5 is installed automatically during the OnGuard
installation.
3. Install your database system.
4. Restart your computer.

Notes: Any workstation that will be configured as a LenelS2 NVR 7.5 video client must have
specific Windows features enabled for 360-degree camera support, depending on the
workstation’s operating system. If running Windows Server, enable Media
Foundation.
Components of the OnGuard system require that Secure Socket Layer (SSL) is enabled,
which is done by default using self-signed certificates that are created during
installation. For more information on how to manage these certificates or to replace
them, refer to Appendix D: OnGuard and the Use of Certificates on page 101.

Installation Procedures

Attach the Hardware Key (License Server Only)

Note: If you are using a software license you do not need to configure a hardware key. For
more information, refer to Install Your OnGuard License in the Installation Guide.
OnGuard software is protected by a hardware security key. USB hardware keys are available for use
with the OnGuard software. Remember to physically attach the hardware key (“dongle” adapter)
directly to the USB port on the computer that has License Server installed in order for the software to
run properly.
A hardware key is only needed on the server running License Server. Each client computer running
OnGuard 8.2 Enterprise uses a software license instead of a hardware key.

Note: Parallel dongles are no longer supported. If you are using a parallel dongle, contact
LenelS2 OnGuard Technical Support for a replacement USB dongle before installing
the OnGuard software.

Configure a USB Hardware Key


If you are using a hardware key that attaches to the USB port, then you must install a driver in order
for Windows to recognize the device.

IMPORTANT: You must install the driver for the hardware key BEFORE attaching the USB
hardware key to the computer.
To configure a USB hardware key:
1. Install the SafeNet USB hardware key driver by doing the following:
a. Navigate to the SafeNet directory on the Supplemental Materials media and then double-
click the .exe file. This can be found by navigating through the following folders on the
Supplemental Materials media: /License Key Drivers/SafeNet.
b. The InstallShield Wizard starts. Click [Next].
c. The wizard continues, and the License Agreement window opens. Select the I accept the
terms in the license agreement radio button, and then click [Next].
d. The wizard continues, and the Setup Type window opens. Select the Custom radio button,
and then click [Next].
e. The Custom Setup window opens. Make sure only the Parallel Driver and the USB System
Driver get installed. You do not need to install any of the Sentinel Servers or Sentinel
Security Runtime. Click on Sentinel Protection Server, Sentinel Keys Server, and Sentinel
Security Runtime and select, “This feature will not be available.” Click [Next].
f. Click [Install].
g. The wizard completes. Click [Finish] to exit.
2. Install the USB hardware key by doing the following:
a. Attach the USB hardware key to any available USB port.
b. The Found New Hardware wizard starts. Click [Next].
c. The hardware is detected, and the Found New Hardware wizard completes. Click [Finish].
The hardware key is now configured and ready to be used.

3. Depending on your configuration, you may need to restart your computer so that License
Administration recognizes the hardware key. Otherwise, you may receive an error in License
Administration saying that the necessary hardware device was not found.
You are now ready to install the OnGuard software and license.

Install the OnGuard 8.2 Enterprise Software

Note: When planning your OnGuard Enterprise installation, make sure all OnGuard
components installed in your environment are compatible with each other. Check the
compatibility charts to confirm what component versions are necessary to support the
installed version of the OnGuard software. Not using compatible components might
cause unexpected system behavior. Compatibility charts are available on the LenelS2
Web site: https://partner.lenel.com/downloads/onguard/.

Note: When performing a Custom Install of a client, and selecting the "DataConduIT"
option, the installation may be successful but the DataConduIT service will not start,
giving a WMI error. This occurs because the DataConduIT service is dependent on the
same WMI Wrapper that is used by Open Access. (Not selecting the "Open Access"
option causes the WMI error.) To resolve: Select both options "Open Access" and
"DataConduIT" when performing a custom install of DataConduIT.
1. Insert the OnGuard 8.2 installation media into a USB port on a computer running the Windows
operating system.
2. If the computer allows the OnGuard installer to run automatically, then the installer runs.
Otherwise, double-click the setup.exe file.
3. The Microsoft .NET Framework 4.6.1 installation wizard begins. Click [Install] to begin
installation. Microsoft .NET Framework 4.6.1 must be installed for some OnGuard features to
work correctly.
4. When prompted, read the license agreement. If you agree to its terms:
a. Select the I accept the terms in the license agreement radio button.
b. Click [Next].
5. Select the Preferred OnGuard System type you want to install:
• Enterprise
• Standard
Select Enterprise, and then click [Next].
6. Next, you will be prompted to choose the system configuration you want to install:
• Server System
• Client System
• Monitoring Client
• Badging and Credential Client
7. Depending on your System Configuration choice, you will have different system options to
select:
• If you selected Server System, configure the following options:
– Select either Platform Server or Custom Server.
Platform Server: Use the Platform Server option if this will be a complete server that
will install all server features, not including the Application Server. Installations
requiring Application Server support must use the Custom Install option to select that
feature.

Custom Install: Use the Custom Install option if this server will only host certain
server features. If you choose the Custom Install option, you must select the individual
features that you want installed on this server. Installations requiring Application Server
support must use the Custom Install option to select that feature.
– Select the appropriate database option for your installation.
• If you selected Client System, configure the following options:
– Select either Typical System which includes the standard features of the system, or a
Custom System where you can specify server locations and choose the features to
install.
– Select the appropriate database option for your installation.
• If you selected Monitoring Client, configure the database type information options.
• If you selected Badging and Credential Client, configure the database type information
options.
8. Click [Next].
9. The System Location Information window is shown.
• Either accept the default installation directory or click [Change] and specify a different
destination folder.
• Accept the default location of the License Server or click [Browse] and specify a different
location.
• In the Port field, enter the number of the port to be used for access control system
communication. It is recommended that you accept the default value of 8189.
• In the Provide the database login user field, enter the name of the database
login user.

Notes: If you want to use a different port than the default port 8189, use the Configuration
Editor to make this change. For more information, refer to Appendix A: Configuration
Editor on page 119.
By default, the login name for the OnGuard database is “Lenel.” This can now be
customized as needed. If this name is changed, make sure to update or set up a
corresponding user account in your database.

• In the Provide the location of your database field, accept the default location or click
[Browse] and specify a different location.
• Click [Next].
10. If you selected Custom Install in step 7, the Custom Setup window is shown. Select the access
control system features you wish to have installed.

Notes: Click the name of a feature on the left to display its description on the right.
Below the Feature Description, the disk space requirements of the selected feature are
displayed.

a. Click the icon to the left of a feature to display a popup menu of installation choices for that
feature.
b. Click [Next].
11. Click [Install] to begin the installation.
12. After Windows configures OnGuard, the status and progress bar are updated.
13. Once the installation is complete, click [Finish].


14. Depending on the components that you chose to install, you might need to reboot the computer. If
you are prompted to do so, reboot the computer.
15. Setup Assistant launches automatically.

Setup Assistant
To simplify OnGuard installations and upgrades, Setup Assistant helps users with the configuration
steps required before successfully logging into the OnGuard software. Setup Assistant launches
automatically after the OnGuard installer finishes the installation or upgrade process.

Notes: After the OnGuard installation or upgrade is complete, launch Setup Assistant.
Users must be logged into the workstation with Administrator rights to run Setup
Assistant. Users not logged in with Administrator rights are shown a dialog asking them
to enter an Administrator password.

The Setup Assistant dialog consists of three primary sections:


• The status pane on the left side of the window lists the tasks performed by the Setup Assistant.
– A green check indicates that the task was performed successfully.
– A yellow check indicates that the user either chose to skip the task, or there was a warning
that prevented the task from completing. Some Setup Assistant tasks can be skipped by the
user, and then run manually at a later time.
– A red “X” indicates that the task failed, and that errors must be corrected before using the
system.
– A blue arrow indicates that the task is running.
– No icon indicates that the task has not run yet.
• The main pane provides additional data, status, fields, buttons, and so on related to the active
task.
• The description pane provides a brief description of each task’s purpose.

Security Utility
Security Utility functionality is now embedded into Setup Assistant. You should run Security Utility
again whenever a Windows Update or Service Pack is installed on the workstation. For more
information, refer to Manually Running Security Utility on page 55.

IMPORTANT: OnGuard software requires certain security adjustments to the operating
system to function more securely. These security adjustments are listed when
Setup Assistant runs. Click [Release Notes] to review a description of the
changes made by the Security Utility. Upon agreeing to this disclaimer, the
user assumes responsibility for any security issues that might occur due to
these adjustments. The Security Utility then makes the changes automatically.

Configuration Editor
Configuration Editor functionality is now embedded into Setup Assistant. The Configuration Editor
screen shows the current configuration of the:
• Database
• License Server


If there is a configuration issue with any of these items, the Configuration Editor highlights the issue,
making it easy to correct the issue. There are three situations in which the Configuration Editor will
identify an issue that must be resolved:
• The database and license configuration is not consistent between the application.config and
ACS.INI files
• Setup Assistant cannot locate the database
• Setup Assistant cannot locate the License Server

System License
System License (License Administration) is used to install a valid license, or to verify that a valid
license is already installed. This functionality is now embedded into Setup Assistant.

Note: You must have a valid license before Setup Assistant will continue with the OnGuard
configuration process. If License Administration finds a valid license, Setup Assistant
passes the System License step automatically. If License Administration does not find a
valid license, it prompts you to locate a valid license file.
Run License Administration manually whenever you purchase additional licensable OnGuard
features and receive a new license from the factory.
• For information on how to run License Administration manually, refer to Log into License
Administration on page 56.
• For information on how to install a new license, refer to Install a New License on page 58.

Service Log On
Enter the Windows user name and password of the account that will run the OnGuard software. This
Windows user must have database access, and also have read/write access to the OnGuard directory
for writing to the log files.
For more information, refer to Chapter G: Configuring the Application Server on page 111.

Database Installation
For new OnGuard server installations using SQL Express, Setup Assistant provides an easy method
for installing a new ACCESSCONTROL database for the OnGuard software.
1. If you do not want to use the default source database (.MDF) file, click the first [Browse] button
and navigate to the alternate source file.
2. If you do not want the database stored at the default path, click the second [Browse] button and
navigate to the alternate database location.
3. Click [Install database].

Database Installation (Archival)


If the system is configured to archive to a SQL or SQL Express database, then Setup Assistant gives
you the option of backing up the new ACCESSCONTROL database in addition to the Live database.
For more information on the fields and buttons shown on this Setup Assistant form, refer to Database
Backup on page 53.


Database Backup
If updating an existing OnGuard installation, Setup Assistant provides an easy method for backing up
a SQL Server or SQL Server Express database before it is upgraded during Database Setup. It is
strongly recommended that you make a database backup, although you can skip this step if desired.

IMPORTANT: It is possible that encrypting or re-encrypting your database will corrupt the
database. Having a current database backup is the only way of recovering your
data.
To create a database backup
1. Either use the default Backup set name, Backup set description, and Server backup file path,
or modify those defaults.
2. Select the check box to confirm that you have read the warning at the top of the dialog.
3. Click [Backup].
4. If the backup fails for any reason, Setup Assistant shows a backup error. If possible, correct the
error and then click [Backup] again.

Notes: The backup set path is the path on the database server workstation. If running Setup
Assistant on a workstation other than the database server and the default Server backup
file path is C:\Program Files\Microsoft SQL Server\..., this refers to the database
server’s C:\ drive, not the workstation’s C:\ drive.
The backup path cannot be a network drive. It must be a local drive.
The Browse button is available only if Setup Assistant is running on the database server.
Click [Browse] to locate a backup path other than the default path.
If Setup Assistant is running on a workstation other than the database server, the
Browse button is replaced with the Reset Path button. If your manually modified
backup path does not function correctly, click [Reset Path] to return to the default
backup path.
If the system is configured to archive to a SQL or SQL Express database, then Setup
Assistant gives you the option of backing up the Archival database in addition to the
Live database.

This database backup function only allows you to create the database backup. It does not allow you to
restore from the backup. Use the standard SQL tools if you need to restore the database. For more
information, refer to Restoring Databases on page 32.

Database Backup (Archival)


If the system is configured to archive to a SQL or SQL Express database, then Setup Assistant gives
you the option of backing up the Archival database in addition to the Live database. For more
information on the fields and buttons shown on this Setup Assistant form, refer to Database Backup
on page 53.

Database Setup and Encryption


For server installations, Setup Assistant runs Database Setup automatically. The Database Setup
program sets up the database as needed by the current OnGuard version, installs reports as needed,
sets encryption key management and recovery options, updates database field encryption as needed,
and runs Form Translator.


Note: Form Translator runs automatically at the end of Database Setup, allowing you to use
the OnGuard Web Applications, if desired. For more information, refer to Running
Form Translator on page 112.
For more information, refer to Run Database Setup on page 61.

Database Setup (Archival)


For server installations that are also configured to archive into an Archival database, Setup Assistant
runs Database Setup on the Archival database in addition to the Live database. For more information
about Database Setup, refer to Run Database Setup on page 61.

LS Message Broker Service


Setup Assistant helps resolve issues with the LS Message Broker service configuration. If there is a
configuration error, Setup Assistant suggests what to change for a successful configuration.

OnGuard Reports & Dashboards Database


Setup Assistant creates and populates the reports and dashboards database on the OnGuard database
server (specified in the application.config file). If an alternate host was provided, then this step is not
shown. For more information on using an alternate host, refer to Running OnGuard Reporting and
Dashboards from an Alternate Server on page 111.

IMPORTANT: If the Reporting and Dashboards feature is installed on the server, the
Configuration Editor uses the information contained in the ACS.INI and
application.config files to configure the contents of the C:\Program
Files\JReport\Server\bin\dbconfig.xml file. Editing the ACS.INI or
application.config files manually is not advised. If you manually edit these
files instead of using the Configuration Editor, the dbconfig.xml file might not
be configured correctly, resulting in unexpected system behavior.

OnGuard Reports & Dashboards


Setup Assistant first sets the AccessControl_ReportsConfig database users and tables. Setup
Assistant then populates the required data into those tables, if necessary. If an alternate host was
provided, then this step is not shown.

Note: The naming convention for the ReportsConfig database is <Live OnGuard database
name>_ReportsConfig. Since the default name of the Live OnGuard database is
AccessControl, the default name of the ReportsConfig database is
AccessControl_ReportsConfig. But if you manually changed the name of your Live
OnGuard database to AccCtrl, for example, then your ReportsConfig database would be
named AccCtrl_ReportsConfig.

Service Startup
Setup Assistant then starts all product services configured to start automatically. Setup Assistant lists
all services that will be started, each service’s status, and provides a progress bar.

Login Driver Verification


Setup Assistant then tests that all encryption-related settings are configured correctly. If the test
doesn’t pass, Setup Assistant provides a description of the failure.


Finished
Setup Assistant notifies users when it is finished. When appropriate, the Finished page lists:
• Tasks that were skipped.
• Warnings encountered during a task.
• Errors that were found.
If no tasks were skipped, no warnings were encountered, and no errors were found, then the Finished page
shows only that Setup Assistant is complete, and the software is ready for normal operations.
Setup Assistant notifies users upgrading a server with versions of OnGuard earlier than 6.3 that they
should run the Universal Time Conversion Utility. To run the utility, click [Launch Universal Time
Conversion Utility].
This utility converts local times stored in the database to Coordinated Universal Time for multi-time
zone compatibility, and ensures accurate historical data reporting. The utility does not interfere with
normal system operation, although the conversion can take a significant amount of time for large
databases.
For more information, refer to the Universal Time Conversion Utility appendix in the Upgrade Guide
or the Enterprise Setup & Configuration User Guide.

Manually Running Security Utility


You should run Security Utility again whenever a Windows Update or Service Pack is installed on the
workstation.
To run the Security Utility manually:
1. Launch the OnGuard Security Utility.
2. Click [More Info] to review the Security Utility release notes.
3. Click [Agree] if you agree with the disclaimer notice.
4. Follow the on-screen instructions and click [Apply] when ready.

Install Your OnGuard License


You must have a license to run the OnGuard software. The license comes to you from the factory, and
has the extension *.xml, *.lic, or *.lic.xml. Licenses only need to be installed one per system and are
usually installed on the server. To use License Administration, you may need to update your Internet
browser security settings to allow pop-ups and add the License Server to the list of trusted sites.
Information regarding your dongle or software license ID, referred to as your System ID, can be
found in the Help > About section of the OnGuard applications.
Below are listed several license elements that should be noted.
Software Licenses: OnGuard now utilizes a software license, which works without the need for a
hardware dongle. When using a software license you are able to use License Administration to
activate, return, or repair your license.

IMPORTANT: Software licenses can only be used on a physical computer or in a VMware
ESX virtual environment. In a VMware ESX virtual environment, only the
License Server is supported. The License Server must be used with a
software-based license and not with a dongle-based license. For more information, refer
to the OnGuard compatibility charts, located at
https://partner.lenel.com/downloads/onguard/software. Once there, select
Compatibility Charts from the Choose type of download menu.

Note: When accessing the Downloads section at https://partner.lenel.com, make sure to select
the version of OnGuard that is currently installed.
It is important that access to licensing.lenel.com is allowed through your proxy if you wish to be able
to activate and deactivate licenses. If it is not, you will have to activate by phone.

IMPORTANT: TCP Port 8888 is required for online activation and deactivation. While it does
not need to be added as a firewall exception, it should not be restricted or
filtered.
Licenses for Hardware: Hardware licenses are based on the number of controllers for a given panel
class. For example, instead of having different licenses for different types of panels in the same class
(such as fire) a single license covers all the different panels that are in the same class.

Note: If you are installing non-LenelS2 HID access panels you must purchase a separate
license. LenelS2-branded HID access panels, however, come with a built-in license.
You can add any combination of HID access panels and other types of access panels up
to the maximum capacity of your OnGuard system.
Expired Licenses: An alarm is generated when the system license is set to expire. This alarm is
dependent on Linkage Server being configured and running on a host workstation. Although not
required, it is advised that this alarm be configured to be emailed to the system administrator to
ensure proper notification. For more information, see the Acknowledge Alarms chapter in the Alarm
Monitoring User Guide.

IMPORTANT: In order for the alarm to be reported to monitoring stations there must be at
least one panel configured and marked online. The panel does not need to exist
or actually be online in Alarm Monitoring, it simply needs to exist in the
System Status view.

Log into License Administration


1. Make sure that the License Server is running. The License Server must run on the server
specified in the Configuration Editor.
2. Launch License Administration. If your browser has JavaScript support enabled, a new window
will open with the License Administration application in it. Otherwise, follow the directions in
the browser’s window and click the hyperlink to continue. The License Administration
application will then open in the same browser window. You must have cookie support enabled
for this to work.

Notes: The URL for License Administration is: https://LICENSESERVERHOST:9999/.
Replace LICENSESERVERHOST with the name of the machine the License Server is
running on. For example, if the machine running the License Server is named alpha, the
License Administration URL will be: https://alpha:9999/.
The License Server host name should match the Fully Qualified Domain Name (FQDN)
of the machine. The certificates used by the License Server are the same as the
certificates used by other OnGuard services (for example, the OpenAccess service). If
the License Server host name and the certificate common name do not match, then
License Administration and Setup Assistant might not function correctly.
If the License Server does not start, OnGuard may have been installed directly on a non-
default drive (X). If this is the case, the following setting needs to be added to the
ACS.ini file so the License Server can locate the JRE:
[LicenseServer]
JAVA_HOME=<X>:\OnGuard\JRE

For example, if installing on E drive:


[LicenseServer]
JAVA_HOME=E:\OnGuard\JRE

3. In the Username field, type a valid username. Usernames must contain at least eight characters.

Note: License Administration requires creation of an Administrator account to operate. Before
creating an Administrator account (with associated username and password), License
Administration will be in Maintenance Mode. While in Maintenance Mode, users can
only access License Administration from the Local Machine, and all license requests are
ignored. Once the Administrator account is created (typically during Setup Assistant),
License Administration will operate as expected.
4. In the Password field, type a valid password that corresponds to the username entered.
Passwords:
• Are at least eight characters long
• Are case sensitive
• Contain at least two of the following three attributes: upper-case characters, lower-case
characters, special characters
• Do not expire
5. Click [Save]. The License Administration options will be displayed.

Changing Administrator Properties for License Administration


To change the user name and password, do the following:
1. Log into License Administration.
2. Click [Administrator Properties]. The administrator properties are shown in the right half of the
window.
3. You can change the user name, password, or both.
4. To change the user name, enter a new value in the Username field.
5. To change the password, enter a new value in the Password field.
6. If you are changing the password, you must reenter the password in the Confirm Password
field.
7. Click [Update]. A message will be displayed that indicates whether the administrator properties
were successfully updated.


Install a New License

Note: All customers upgrading to OnGuard 7.5 and later from earlier versions must return
their Software License prior to installing the upgrade. The Software License can then be
re-activated after installation.
1. Obtain a new license file from the factory. Be sure that you know where the license file is saved,
as you will need to know the location to successfully install the license.
2. Make sure that the License Server is running.
3. Log into License Administration.
4. Click [Install New License].
5. Under Main License File and/or Subscription License File, click [Choose File] to locate the
license file, and then double-click to select the file.
6. Click [Next].
7. View the license to verify that the software license is active, and confirm that it is the correct
license.
8. Scroll down to the bottom of the window and click [Next], or if it is incorrect, click [Back] and
select another license file.
9. Read the terms of the license agreement and select the Yes radio button if you agree with the
terms of the license. If you disagree, then you will not be able to install the license.
10. If the license file is already activated, click [Finish].
If the license file is not active yet, you must activate it. For more information, refer to Activate a
Software License on page 58.
The license installs and an entry is displayed in the Installed Licenses drop-down list box indicating
the name of the product that the license controls.

Activate a Software License


You must activate the software license to have a functioning system.

Note: All customers upgrading to OnGuard 7.5 and later from earlier versions must return
their Software License prior to installing the upgrade. The Software License can then be
re-activated after installation. The OnGuard subscription software license does not
require activation, but is associated to the OnGuard license activation through the
System ID.
There are three ways to activate a license:
• Online (which requires an Internet connection)
• Text message (SMS)
• Phone
To activate, you will need the System ID and the Activation Code. The System ID is the 5- or 6-digit
ID associated to the license being activated, and the Activation Code is a 24-digit alphanumeric code.

Online Activation
Your Internet browser must allow the URL https://www.lenels2.com to activate and return licenses. In
addition, port 8888 is required for online activation and revocation.
1. In License Administration, view the license you have installed.
2. Click Activate.


3. Choose the Online activation.


4. Click [Activate].
5. Click [Close] once the license has activated.

Text Message (SMS) Activation


1. In License Administration, view the license you have installed.
2. Click Activate.
3. Choose Phone activation.
4. Click [Activate].
5. Send a text message to 585-673-7750. EMEA customers should text +44 7937 947945. Use the
following format in your text message: [System ID][required space][Activation Code].

Note: Activation Codes are case-sensitive. For additional assistance, text the word HOWTO.
6. You will receive a confirmation code in seconds. Enter the confirmation code in License
Administration. The license will activate.
7. Click [Close] once the license has activated.

Phone Activation
1. In License Administration, view the license you have installed.
2. Click Activate.
3. Choose Phone activation.
4. Before calling, have your System ID and Activation Code ready.
5. Call 1-866-788-5095 option (5), or email [email protected] with the System ID and Activation
Code. EMEA customers should call +48 5832 62240, or email [email protected].
6. Click [Close] once the license has activated.

Returning an OnGuard Software License


There are three ways to return an activated license before moving it to another server:
• Online (which requires an Internet connection)
• Text message (SMS)
• Phone
To return, you will need the System ID and the Return Code. The System ID is the 5- or 6-digit ID
associated to the license being returned, and the Return Code is a 24-digit alphanumeric code.

Online Returning
Your Internet browser must allow the URL https://www.lenels2.com to activate and return licenses. In
addition, port 8888 is required for online activation and revocation.
1. In License Administration, view the license you have installed.
2. Click Return.
3. Choose the Online revocation.
4. Click [Return].
5. Click [Close] once the license is returned.


Text Message (SMS) Returning


1. In License Administration, view the license you have installed.
2. Click Return.
3. Choose the Phone method.
4. Click [Return].
5. Send a text message to 585-673-7750. EMEA customers should text +44 7937 947945. Use the
following format in your text message: [System ID][required space][Return Code].

Note: Return Codes are case-sensitive. For additional assistance, text the word HOWTO.
6. You will receive a confirmation code in seconds. Enter the confirmation code in License
Administration.
7. Click [Close] once the license is returned.

Phone Returning
1. In License Administration, view the license you have installed.
2. Click Return.
3. Choose the Phone method.
4. Before calling, have your System ID and Return Code ready.
5. Call 1-866-788-5095 option (5), or email [email protected] with the System ID and Return Code.
EMEA customers should call +48 5832 62240, or email [email protected].
6. Click [Close] once the license is returned.

License Troubleshooting

Symptom: Activation Code is blank.


Resolution:
1) Stop LS License Server and FLEXnet Licensing Service.
2) Browse to the following location: C:\ProgramData\FLEXnet.
3) Delete all of the existing files in that location.
4) Start the FLEXnet Licensing Service and LS License Service. You should now see an
Activation Code.
If the above process does not work, do the following:
1) Open the command prompt on the License Server workstation.
2) Change directories until you are at the root of the OnGuard directory (typically
C:\Program Files\OnGuard for 32-bit systems and C:\Program Files (x86)\OnGuard
for 64-bit systems).
3) Type the following and then press [Enter]:
appactutil.exe -shortcode OnGuard.asr -return SCASR_FID_1_OnGuard
4) A code is provided. Give that code to Tech Support or SIG. Tech Support or SIG will
then provide you with a Return Code that will allow your software license to be
returned.
5) Once the license is returned, you can activate it on a new machine online or over the
phone.


Run Database Setup


The Database Setup program sets up the database and installs the reports needed. This only needs to
be run on a server. This is also part of the Setup Assistant. For more information, refer to Setup
Assistant on page 51.
When using Crystal Reports, the database name can begin only with a letter. The rest of the name can
contain only numbers, letters, and underscores.

IMPORTANT: The installation and upgrade process assumes your OnGuard database is called
“AccessControl.” If this is not the case, use the Configuration Editor to modify
the application.config file to correct this. For more information, refer to
Database section on page 120.
1. Launch Database Setup.
2. If upgrading the database, the Choose Task window opens. Select the action you would like to
perform. Click [Continue]. The choices include:
• Live or Archival - If upgrading a database, these allow you to choose if you want to upgrade
the Live database or the Archival database (if database archiving is enabled; for more
information, refer to the Archives Folder chapter in the System Administration User Guide).

Note: The ACS.INI and application.config files must always point to the Live database, not
the Archival database.
• Add/remove missing system data for current build - If you feel that you are missing
system data, selecting this will add information back into the build.
• Compare database schema [no data] - Checks to see if the schema has changed. This does
not compare data. This would be useful to run before upgrading to see if any schema
changes have occurred, though it is not necessary.
• Upgrade database - Select to upgrade your database.
• Re-encrypt database with a new key - Select to re-encrypt, with a new encryption key, a
database that was already encrypted. For more information, refer to Encrypting and
Re-encrypting Databases on page 62.
3. For new installations, the Database Setup Progress window opens telling you that you are about
to create a new database. Click [Execute].
If upgrading a database, a warning message appears reminding you to back up your database. For
more information, refer to Chapter 4: Database Backup and Restoration on page 29. If your
database is backed up, click [Yes].
4. The database installs. If upgrading the database, the system will be checked for anomalies.
Anomalies are database features that are unknown to OnGuard and can include custom tables,
triggers, stored procedures, and so on. Not all users will encounter anomalies. When prompted to
take action on anomalies, the items listed should be familiar to the person performing the
upgrade. Select all items that you know should exist and click [Continue]. Failure to select
known anomalies may result in the failure of custom functionality.

Note: Form Translator runs automatically, allowing you to use the OnGuard Web
Applications, if desired. This occurs only after Database Setup runs on the Live
database. Form Translator does not run on the Archival database.
5. The database is encrypted using the encryption key stored in the Login Driver.

Note: It is important that you do not interrupt the database encryption process before it
completes. If this occurs, unexpected system behavior will result. For information on
troubleshooting database encryption errors, refer to Database Encryption Errors on
page 86.

Encrypting and Re-encrypting Databases


When running Database Setup for the first time after a fresh installation of OnGuard, or when
upgrading from OnGuard 8.0 or earlier, or when upgrading an existing database that was already
encrypted and selecting the Re-encrypt database with a new key option in the Choose Task
window, the Encryption key entry dialog opens. Perform the following procedure:

Note: Since encrypting or re-encrypting the database involves generating the encryption key,
you must perform this procedure on the workstation with the LS Login Driver installed.
After running Setup Assistant, the LS Login Driver service on this workstation will be
active, and will respond to clients and other services.
1. Choose how you want Database Setup to obtain the encryption key:
• Generate a key from a passphrase - You provide a passphrase that is used to generate the
encryption key.
• Generate a random key - Database Setup will generate a random encryption key
automatically.
• Import a key from a file - You import a *.og key file that was exported during an earlier
OnGuard installation.
2. If you selected Generate a key from a passphrase, type your passphrase into the fields. The
length of your passphrase must be from 10 to 36 characters. If you want to see the passphrase you
typed, select Show passphrase.
3. LenelS2 recommends that you export your encryption key to a file to support restoration of the
key, if necessary. Select Export key to a file, and then click [Browse] to identify the directory
into which the file will be written. You must export your encryption key to a file if you selected
Generate a random key above.

IMPORTANT: The exported key file is required to allow access to encrypted data if
the system must be reinstalled due to disaster recovery or other loss. Consider
this file a tightly-controlled cryptographic resource that you would provide to
the end-user for secure storage and key management.
4. Click [OK].

Blocking All Connections to the Database


With OnGuard 8.1 and above, re-encryption of the database is performed automatically when
performing a new installation of OnGuard, or when upgrading to these OnGuard versions for the first
time. Once the customer specifies a system-specific encryption key, the re-encryption process does
not need to be done again, unless the encryption key used has been lost or compromised.

IMPORTANT: It is very important to block other connections to the OnGuard database before
re-encrypting the database.


When using the Microsoft SQL database engine, OnGuard blocks all connections automatically. This
does not happen automatically if using an Oracle database. Because the Oracle database engine does
not have a “Single user mode” administrative mode, you must block other database connections
manually:
1. Disconnect the Oracle database server from the local network, or
Limit access to the Oracle database server to only allow client applications from the Oracle
server workstation:
1) Edit the SQLNET.ORA file. This file can be found in the $ORACLE_HOME/network/admin
directory. Add this line to the file:
tcp.validnode_checking = yes
2) Supply a list of nodes to allow, including localhost:
tcp.invited_nodes = (localhost,<yourOracleServerHostName>)
For example:
tcp.invited_nodes = (localhost, OracleHost)
3) Restart the Oracle server workstation to close existing database connections from other
client workstations.
2. Stop every OnGuard service or application except LS License Server, LS Message Broker, and
LS Login Driver.
3. Start the re-encryption procedure either with Setup Assistant while upgrading to OnGuard 8.1 or
later, or with Database Setup when re-enrolling the database encryption key.
4. When the re-encryption procedure finishes, re-enable the connections to the Oracle OnGuard
database. Depending on the method used to block the database connections, either:
• Re-connect the Oracle server to the local network, or
• Edit the sqlnet.ora file and remove the lines added above. Then restart the Oracle server to
apply this change.
For more information about Oracle databases, refer to the Advanced Installation Guide.

Encryption Key Troubleshooting

The encryption key was not generated using Setup Assistant because the
OnGuard installer was first run on a workstation that didn't have the Login Driver
installed, or this was not the Message Broker host. Setup Assistant never forced
the user to configure the encryption options.
Perform the following procedure to correct this issue:
1) Confirm this situation applies to your system by viewing the
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Lenel\OnGuard\LD
registry entry on the workstation that runs the Login Driver and is also the
Message Broker host.
2) If that registry entry is empty, run Database Setup on that same workstation.
3) When prompted, provide the encryption key configuration details in the Encryption
key entry dialog.

When starting any OnGuard thick-client application, the following error is shown:
Login Driver is not connected to the message broker. Confirm that the Login Driver service is
started and available for DSN <workstation name>.
This error message can have several causes. Perform the following procedure to
troubleshoot this error message:

1) If the Login Driver service is running, stop it and then run the Login Driver as an
application. You might have to wait until the process stops running, or close it manually
using Task Manager.
2) Check to see if the Login Driver application shows any errors.
Refer to Encryption key set up for this Login Driver does not match the database in use
on page 64 if you see that Login Driver error message.
Refer to Encryption key loading failed...The data is invalid on page 64 if you see that
Login Driver error message.
Refer to Encryption key loading failed...Login failed for user on page 64 if you see that
Login Driver error message.
Refer to Login Driver is not connected to the Message Broker because you must set the
RabbitMQ LD credentials on page 65 if you see that Login Driver error message.

Encryption key set up for this Login Driver does not match the database in use
When running the Login Driver as an application, the following error is shown:
Encryption key set up for this Login Driver is not in match with the database in use. Login
Driver will not function properly until proper encryption key is provided.
Perform the following procedure to troubleshoot this error message:
1) If you see this error, open the Login Driver using the encryption key that corresponds
with your database. To do so, open the Login Driver as an application, then select Edit >
Set Encryption Key. An ODBC dialog might open. If it does, enter the database
credentials to establish the database connection. Then enter the encryption key
passphrase, or set the encryption key using a *.og file.
2) If the encryption key provided is correct, the system will show a success message.

Encryption key loading failed...The data is invalid


When running the Login Driver as an application, the following error is shown:
Encryption key loading failed. Login driver will not function properly. Error: The data is
invalid.
Perform the following procedure to troubleshoot this error message:
1) Configure the Login Driver with the same encryption key used with your database.
Open the Login Driver as an application, then select Edit > Set Encryption Key.
2) An ODBC dialog might open. If it does, enter the database credentials to establish the
database connection.
3) Enter the encryption key passphrase, or set the encryption key using a *.og file.
4) If the encryption key provided is correct, the system will show a success message.

Encryption key loading failed...Login failed for user


When running the Login Driver as an application, the following error is shown:
Encryption key loading failed. Login driver will not function properly. Error: Login failed for
user ‘<user name>’
Perform the following procedure to troubleshoot this error message:
1) Select Edit > Change Database Password and update the password to match your
LENEL password.
2) The Login Driver dialog opens, indicating that the database and Login Driver passwords
are not synchronized. Click [Yes] to open the Change Password dialog.
3) Provide the correct database password in the dialog, then click [OK].


Login Driver is not connected to the Message Broker because you must set the
RabbitMQ LD credentials
When running the Login Driver as an application, the following error is shown:
Login Driver is not connected to the message broker. Confirm that the Login Driver service is
started and available for DSN <workstation name>.
Perform the following procedure to troubleshoot this error message:
1) Since there is no connection to the Message Broker, the Login Driver cannot confirm
that the encryption key is correct. To fix this issue, you must provide the encryption key
and connect to the database using the ODBC dialog.
2) When this is done, the Login Driver automatically tries to connect to the Message
Broker, and will force you to provide the correct username and password in the Set
RabbitMQ LD credentials dialog.

Configure the OnGuard Logs Folder


Some OnGuard applications use the files located in the logs folder. If a user does not have the
appropriate Windows permissions to access these files, they may encounter errors.
1. Navigate to the OnGuard logs folder. Its default location is C:\ProgramData\Lnl\logs.
2. Right-click the folder and select Properties.
3. Select the Security tab.
4. In the Groups or user names listing window, select the group or user name that will be using the
OnGuard software.
5. Select the Allow check boxes for the permissions: Read, Write, and List Folder Contents.
6. Click [OK].

Remotely Hosted Databases


If you are using Windows Authentication in your application.config file and your Live database is
hosted remotely from your server, the LS Site Publication Server (if Enterprise or Distributed ID)
might need to be configured to log on as a specific user with NT authentication access to the database.
You will know that this configuration is required if this service refuses to start, and the error log
shows "unable to connect to database" errors.
To configure a service to log on as a specific user:
1. Click [Start], and then select Control Panel > Administrative Tools.
2. Double-click on Services.
3. Double-click on the service you wish to configure.
4. Select the Log On tab, and then select This account.
5. Enter the username and password. The best method for this is to click [Browse], type the
username and then confirm it by clicking [Check Names]. Then enter the user’s password.
6. Click [OK] to close the Select User dialog.
7. Click [OK] to close the service’s Properties dialog.
8. Restart the service.
9. Close the Services window.

This will start the service so that it is logged on as the user you specified. The service will then have
the same network permissions as that user.


CHAPTER 6 Database Authentication for Web Applications

The following situations require the configuration of a method of authentication:


• Systems with Oracle databases. For Oracle installation instructions, refer to the Advanced
Installation Topics guide.
• Systems using browser-based OnGuard applications.
There are two methods of authentication available:
1. Authenticate Windows with the database.
• Refer to Configure Windows Authentication with SQL Server on page 67, or
• Windows Authentication with Oracle on page 68.
2. Provide Credentials in the Protected File on page 70

Note: When used in this chapter, Windows authentication refers to the use of a single log on to
gain access to both Windows and the database.

Windows Authentication with SQL Server


SQL requires authentication configuration for browser-based applications to run successfully.

Configure Windows Authentication with SQL Server


The following procedure takes you through configuring Windows authentication.

Create a new Windows user


Create a new Windows user to run the LS Application Server according to your IT policy (if the
optional Application Server was installed). You may also choose to utilize an existing Windows user
for authentication.

Add the Windows user to SQL Server


1. Launch the SQL Server Management Studio.

2. In the Object Explorer pane of the SQL Server Management Studio, expand the Security folder.
3. Right-click the Logins folder and select New Login.
4. In the General page of the Login window:
a. In the Login name field, type <server-name>\<username>, where <server-name> is the
name of the server and <username> is the name of the Windows user.
b. Select the Windows authentication radio button.
5. Click [Search] to launch the Select User or Group dialog. This dialog is used to verify that the
Login name is correct.
a. In the Enter the object name to select text box, enter the user name.
b. Click [Check Names]. If the user is found it will appear underlined.
c. Click [OK].
6. Select User Mapping from the Select a page pane.
a. Select (check) the <Server Name>lenel database from the Users mapped to this login
list.
b. In the Database role membership for <Server Name>lenel, the recommended settings
are (check):
• db_owner
• public
For advanced users who do not want the db_owner role assigned to the user, the minimum
required settings are:
• public
• db_datareader
• db_datawriter
• db_ddladmin
• db_executor

Note: If the db_executor role does not already exist, refer to step 7a through step 7e in the
procedure, Create a Login on page 36.
c. Click [OK].
The new login will appear in the Logins folder.

Verify the Integrated Security Setting


Use the Configuration Editor to verify that the application.config file is configured for Windows
authentication. For more information, refer to Advanced Database section on page 121.

Windows Authentication with Oracle


Oracle requires authentication configuration for Database Setup and the browser-based applications
to run successfully.

Create a new Windows user


Create a new Windows user to run the LS Application Server according to your IT policy (if the
optional Application Server was installed). You may also choose to utilize an existing Windows user
for authentication.

Add the Windows user to Oracle


To configure Windows authentication with Oracle, a new Oracle user must be created with Windows
authentication credentials.
1. Launch SQLPlus.
2. Log in using the system account. Enter SYSTEM@<SID> for the username and password.

IMPORTANT: You must be logged in as SYSTEM to run the script.


3. Verify Oracle connects properly. You should see "Connected to" in the console.

IMPORTANT: We do not recommend granting the DBA role to a Windows Authenticated
user. To restrict the user's roles and system privileges, refer to step 4. If
restricting the Windows Authenticated user, then the user provides OnGuard
functionality only. Any database level administration, such as backups and
restores, must be performed by a different user with higher database roles and
system privileges.
4. To create the Windows Authenticated user with the desired level of roles and system privileges,
at the SQL prompt, run the following command(s):

IMPORTANT: If you are not using the LENEL_DATA and LENEL_TEMP data spaces, you
must change the LENEL_DATA and LENEL_TEMP references in the
CREATE USER line to the desired table spaces you want to use. Contact your
database administrator for details. Update both references to
OPS$DOMAIN\DOMAINUSER with the actual domain and user name of the
Windows User you are creating.
a. @@<Path to OnGuard Installation Directory>\program
files\OnGuard\DBSetup\New\WindowsUser_Authentication.ora or
b. If the LENEL_RESTRICTEDUSER_ROLE has not been created, then enter commands
described in “Create a Restricted User Role” in the Advanced Installation Topics guide.
Then run the following commands, replacing both occurrences of
"<OPS$DOMAIN>\<DOMAINUSER>" with the actual domain name and user.
CREATE USER "<OPS$DOMAIN>\<DOMAINUSER>" PROFILE "DEFAULT"
IDENTIFIED EXTERNALLY DEFAULT TABLESPACE "LENEL_DATA"
TEMPORARY TABLESPACE "LENEL_TEMP" ACCOUNT UNLOCK;
GRANT CONNECT, RESOURCE, LENEL_RESTRICTEDUSER_ROLE TO
"<OPS$DOMAIN>\<DOMAINUSER>";
COMMIT;
5. Verify there were no errors. You should see output similar to:
“User created.”
“Grant succeeded.”
“Commit complete.”
6. Exit SQL Plus.
7. Navigate to the sqlnet.ora file located at $ORACLE_HOME\Network\Admin and edit it to
verify authentication is set to “NTS” on the following line:
SQLNET.AUTHENTICATION_SERVICES=(NTS)

Verify the Integrated Security Setting


Use the Configuration Editor to verify that the application.config file is configured for Windows
authentication. For more information, refer to Advanced Database section on page 121.

Provide Credentials in the Protected File


Windows authentication with the non-embedded Application Server is the recommended method of
configuration (if the optional Application Server was installed). Another method is to store the
authentication information in the application.config file. When this method is used, additional steps
are necessary to secure the file with an Access Control List (ACL). When the file is protected by an
ACL, the information within it is very secure.
This authentication method requires advanced knowledge of Windows security and is not
recommended.

IMPORTANT: When providing credentials in a protected file, the ODBC authentication
method must not be set to Windows authentication.

Securing Files with the Access Control List


The Access Control List (ACL) is a highly secure method of protecting information stored within a
file. OnGuard can be configured to store user credentials within a file which must be secured to
protect the information. This configuration can be performed on the Security tab of the file properties
dialog. Right-click on the file and select Properties.
The account that administers the system should have read and write access to any file containing
user credentials so that it can maintain the file information. In addition, certain other accounts
must have access to the files.
• The application.config file is used by the services and applications to determine where the
database is and how to authenticate (by indicating integrated authentication or providing
credentials):
– LS Application Service
– LS Site Publication Server
– Database Setup
– Form Translator
– Setup Assistant
– Universal Time Conversion Utility
– Configuration Editor
– and more

Application.config
The application.config file can be used to store the lenel user account credentials for access to the
database when Windows authentication is not used. This is not the recommended configuration;
however, with an ACL the login credentials can be secured. The user account that runs the LS
Application Server service must have read permission for the file (if the optional Application Server
was installed).
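One way to check the result of the ACL steps above, as an added example that is not part of the LenelS2 guide: it parses the text printed by the Windows icacls command for application.config and compares it with a site policy. The file path, the EXAMPLE\ account names and the policy are constructed placeholders, and flagging write access for a read-only account is this example's own least-privilege choice.

```python
import re

# Constructed sample of `icacls <file>` output. The path and the EXAMPLE\ account
# names are placeholders; the guide does not give them.
SAMPLE_PATH = r"C:\OnGuardConfig\application.config"
SAMPLE_ICACLS = r"""C:\OnGuardConfig\application.config BUILTIN\Administrators:(F)
                                    EXAMPLE\og_admin:(M)
                                    EXAMPLE\svc_appserver:(R)
                                    BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# Site-specific assumption: who needs the file. The guide asks for read and write
# for the administering account and read for the LS Application Server account.
SAMPLE_POLICY = {
    r"BUILTIN\Administrators": "rw",
    r"EXAMPLE\og_admin": "rw",
    r"EXAMPLE\svc_appserver": "r",
}

FLAGS = {"I", "OI", "CI", "IO", "NP"}      # inheritance markers, not rights
READ = {"F", "M", "RX", "R", "GR", "GA"}   # rights that allow reading the file
WRITE = {"F", "M", "W", "GW", "GA"}        # rights that allow changing it
ACE = re.compile(r"^(?P<who>.+?):(?P<perms>(?:\([^()]*\))+)$")


def parse_icacls(output, path):
    """Return [(principal, can_read, can_write, is_deny)] for one file's listing."""
    entries = []
    for line in output.splitlines():
        # The first entry is printed on the same line as the file path.
        if line.lower().startswith(path.lower()):
            line = line[len(path):]
        match = ACE.match(line.strip())
        if not match:
            continue  # blank line or the "Successfully processed" summary
        tokens = set()
        for group in re.findall(r"\(([^()]*)\)", match.group("perms")):
            tokens.update(t.strip().upper() for t in group.split(","))
        deny = "DENY" in tokens
        rights = tokens - FLAGS - {"DENY"}
        entries.append((match.group("who"), bool(rights & READ),
                        bool(rights & WRITE), deny))
    return entries


def audit(entries, policy):
    """policy maps principal -> 'rw' or 'r'; any other principal with access is reported."""
    wanted = {name.lower(): need for name, need in policy.items()}
    findings, granted = [], set()
    for who, can_read, can_write, deny in entries:
        if deny or not (can_read or can_write):
            continue  # entry grants nothing readable or writable
        need = wanted.get(who.lower())
        granted.add(who.lower())
        if need is None:
            findings.append("unexpected access: " + who)
        elif need == "rw" and not (can_read and can_write):
            findings.append("needs read and write: " + who)
        elif need == "r" and not can_read:
            findings.append("needs read: " + who)
        elif need == "r" and can_write:
            # Least-privilege choice made by this example, not a rule from the guide.
            findings.append("more than read: " + who)
    for name in policy:
        if name.lower() not in granted:
            findings.append("no allow entry for: " + name)
    return findings


if __name__ == "__main__":
    for finding in audit(parse_icacls(SAMPLE_ICACLS, SAMPLE_PATH), SAMPLE_POLICY):
        print(finding)
```

In the constructed sample the inherited BUILTIN\Users entry is the only finding, which is the usual result when the file still inherits permissions from its parent folder.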

Store the lenel User Account Credentials


You can use the Configuration Editor to store the lenel user account credentials in the
application.config file for authentication with the database. For more information, refer to Advanced
Database section on page 121.

Note: For information on storing lenel user account credentials for Crystal Reports, see
Browser-based Reports on page 116.

Oracle Users
Oracle users must also edit the sqlnet.ora file to specify the authentication method.
1. Navigate to \oracle\product\10.1.0\Db_1\NETWORK\ADMIN and edit the sqlnet.ora file.
2. Verify that authentication is set to “None” in the following line:
SQLNET.AUTHENTICATION_SERVICES=(None)
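The sqlnet.ora settings this guide relies on can be checked before and after each procedure. The following added example (not LenelS2 code) parses sqlnet.ora text and tests it against the node restriction used while re-encrypting an Oracle database and against the two SQLNET.AUTHENTICATION_SERVICES values in this chapter. The sample file contents and host names are constructed.

```python
"""Check sqlnet.ora against the settings this guide calls for (added example)."""

# Constructed sample: sqlnet.ora while connections are blocked for re-encryption.
SAMPLE_LOCKDOWN = """\
# sqlnet.ora (constructed sample, host names are placeholders)
SQLNET.AUTHENTICATION_SERVICES = (NTS)
tcp.validnode_checking = yes
tcp.invited_nodes = (localhost,
    OracleHost)
"""

# Constructed sample: a client workstation was left in the invited list.
SAMPLE_LEAKY = """\
SQLNET.AUTHENTICATION_SERVICES=(None)
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (localhost, OracleHost, BadgeClient07)
"""


def parse_sqlnet(text):
    """Return {lower-cased parameter name: [values]} for sqlnet.ora text."""
    logical = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        # An indented line continues the parameter that precedes it.
        if line[0] in " \t" and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    params = {}
    for entry in logical:
        name, sep, value = entry.partition("=")
        if not sep:
            continue
        value = value.strip()
        if value.startswith("(") and value.endswith(")"):
            value = value[1:-1]
        params[name.strip().lower()] = [v.strip() for v in value.split(",") if v.strip()]
    return params


def check_lockdown(params, oracle_host):
    """Findings for the node restriction used while the database is re-encrypted."""
    findings = []
    if [v.lower() for v in params.get("tcp.validnode_checking", [])] != ["yes"]:
        findings.append("tcp.validnode_checking is not yes")
    invited = {v.lower() for v in params.get("tcp.invited_nodes", [])}
    allowed = {"localhost", oracle_host.lower()}
    for host in sorted(allowed - invited):
        findings.append("tcp.invited_nodes is missing " + host)
    for host in sorted(invited - allowed):
        findings.append("tcp.invited_nodes still admits " + host)
    return findings


def check_auth(params, expected):
    """expected: 'NTS' for Windows authentication, 'None' for stored credentials."""
    actual = params.get("sqlnet.authentication_services", [])
    if [v.lower() for v in actual] != [expected.lower()]:
        shown = ",".join(actual) if actual else "unset"
        return ["SQLNET.AUTHENTICATION_SERVICES is (%s), expected (%s)" % (shown, expected)]
    return []


def check_restored(params):
    """After re-encryption the lockdown lines should have been removed again."""
    return ["still present: " + key
            for key in ("tcp.validnode_checking", "tcp.invited_nodes") if key in params]


if __name__ == "__main__":
    for label, text in (("lockdown", SAMPLE_LOCKDOWN), ("leaky", SAMPLE_LEAKY)):
        params = parse_sqlnet(text)
        print(label, check_lockdown(params, "OracleHost") or "node restriction OK")
        print(label, check_auth(params, "NTS") or "authentication OK")
```

Running check_restored after re-encryption catches the case where the invited-node lines were never removed and OnGuard clients stay locked out of the Oracle server.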


CHAPTER 7 Applying Service Releases in Enterprise

How to Properly Apply a Service Release to an Enterprise System

A Service Release refers in general to updates made to OnGuard in the form of service packs or hot
fixes.
– A service pack is a cumulative package with guided installation that resolves customer
issues. A service pack may also include support for a technology refresh and new features.
– A hot fix is a cumulative package with guided installation that resolves critical customer
issues. A hot fix may contain more than one fix.

Step 1: Log out of all LenelS2 Applications


Ensure that all users are logged out of all LenelS2 applications before proceeding.

Step 2: Run Replication


1. Run the Replicator application. Refer to Configure and Run a Replicator Session in the
Replicator User Guide.
2. Use the System Diagnostic Tool in Replication Administration to confirm that there are no
pending transactions. Refer to System Diagnostic Tool Form Procedures in the Replication
Administration User Guide.

Step 3: Stop All OnGuard Services


Stop all OnGuard services on the Global and Regional Servers.

Step 4: Back Up All Databases (if Requested)


1. If the release note instructions or installation procedure for the service release prompts you to
back up your database, proceed to do so to both prevent data loss and verify the integrity of the
backup. Refer to “Database Backup and Restoration” in the Installation Guide for more
information.

2. Be sure that everyone is off the system. It is especially important that no cardholder operations
are taking place.

Step 5: Apply Service Release to Global Server


1. Run the Service Release Installer on the Global Server.
2. Verify that the LS License Server and LS Login Driver services are started.
3. Run Database Setup on the Global Server to update the database (unless not required, per the
specifications of the Service Release notes).
4. Start up the OnGuard services on the Global Server.

Step 6: Apply Service Release to Regional Servers


1. Run the Service Release Installer on the Regional Servers.
2. Verify that the LS License Server and LS Login Driver services are started.
3. Run Database Setup on the Regional Servers to update the databases (unless not required, per the
specifications of the Service Release notes).
4. Start up the OnGuard services on the Regional Servers.


CHAPTER 8 Distributed ID Management Systems

Distributed ID Management allows secondary databases to be used for credential data, which are then
uploaded to a global database. Uploads and downloads can be run automatically using the LS Site
Publication Server service. For more information, refer to Run Replication as a Windows Service in
the Replicator User Guide.
Downloads may be full (everything) or incremental (only the changes since the last download). The
new LS Site Publication Server service must be running on both the global and target servers when
performing a Full Download or UDF download.

Note: The Site Publication Server service requires that Secure Socket Layer (SSL) is enabled.

A Distributed ID Management system consists of a Distributed ID Global Server, as well as one or
more Distributed ID/Mobile Stations. In this configuration, if access control is being used, it is
contained in the Distributed ID Global database. Distributed ID/Mobile Stations are used only for
adding, modifying, and deleting cardholder information (cardholders, badges, access level
assignments, and multimedia capture). They can optionally print badges as well.
The following diagram illustrates a typical Distributed ID Management configuration:

[Figure: Distributed ID Management System. Labels: Distributed ID Global Server; Global Server
Database; Mobile Station 1 and Mobile Station 2, each shown with a Database. Key:
Upload/Download, Wired or Wireless Network Connections.]

Distributed ID Global Server Description


The Distributed ID Global Server acts as the Global Server for the Mobile and Distributed ID Servers.
Its characteristics include:
• Maintains any controls needed for allocating IDs for distributing ID activities
• Receives uploads and provides downloads required for all Mobile/Distributed ID Stations
associated with the Distributed ID Global Server.
• Allows editing of all types of records.
• Can only have Distributed ID/Mobile Stations attached to it — it CANNOT manage Enterprise
Regional Servers.

Distributed ID/Mobile Station Description


A Distributed ID/Mobile Station allows remote ID management only. It can be a “Mobile
Station” or a “Distributed ID Station”. A “Mobile Station” is considered a portable laptop computer,
whereas a “Distributed ID Station” is considered a large-scale server that has a semi-permanent
network connection available. Both of these servers act the same in a Distributed ID Management
system. That is, they both upload and download the same information. Distributed ID/Mobile Station
characteristics include:
• Must use ID controls to prevent duplicate IDs with the Distributed ID Global Server and all other
Distributed ID/Mobile Stations.
• Performs uploads and receives downloads for all Distributed ID/Mobile Stations associated with
this Distributed ID/Mobile Station.
• Only allows editing of cardholder-related records for ID management.

Distributed ID Global Server Setup Overview


1. Install Windows. Refer to the release notes for the versions of Windows that are supported. The
release notes are located on the root of the OnGuard Enterprise installation media.
2. Install and Configure the Database Software. For more information, refer to Chapter 4: Microsoft
SQL Server on page 31.
3. If your installation will use a hardware key for licensing, install the key’s drivers before installing
the OnGuard software.
4. Install the OnGuard Enterprise software.
a. Install the OnGuard software on the workstation designated as the server prior to installing
OnGuard on each of the other (client) workstations on the OnGuard network. OnGuard
Enterprise is installed with the “Standard” settings. For detailed installation instructions,
refer to Chapter 5: Installing OnGuard 8.2 Enterprise on page 47. After OnGuard Enterprise
has been installed, the Distributed ID Global Server features can be enabled.
b. Make sure that the hardware key is attached to the OnGuard License Server computer, and
that the License Server is running. For more information, refer to Attach the Hardware Key
(License Server Only) on page 48.
c. After OnGuard installs, Setup Assistant runs automatically. Setup Assistant includes the
following:
• Security Utility

• Configuration Editor (if Setup Assistant detects that the database or License Server
configuration is not consistent between the application.config and ACS.INI files, or
Setup Assistant cannot connect to the database or the License Server)
• System License (License Administration)
• Service Log On
• Database Installation (for new server installations with SQL Express)
• Database Backup (if upgrading an existing installation)
• Database Setup (for server installations)
• Service Startup
For more information, refer to the Setup Assistant section in the Installation Guide.
5. Configure the server to be a Distributed ID Global Server. For more information, refer to
Configure a Distributed ID Global Server on page 78.
6. Using the System Administration software, define your access control system hardware and
monitoring environment. (For more information, refer to the System Administration and Alarm
Monitoring User Guides.)

Distributed ID/Mobile Station Setup Overview


1. Install Windows. Refer to the release notes for the versions of Windows that are supported. The
release notes are located on the root of the OnGuard Enterprise installation media.
2. Install and configure the database software. For more information, refer to Chapter 4: Microsoft
SQL Server on page 31.
3. If your installation will use a hardware key for licensing, install the key’s drivers before installing
the OnGuard software.
4. Install the OnGuard Enterprise software.
a. Install the OnGuard software on the workstation designated as the server prior to installing
OnGuard on each of the other (client) workstations on the OnGuard network.
OnGuard Enterprise is installed with the “Standard” settings. For detailed installation
instructions, refer to Chapter 5: Installing OnGuard 8.2 Enterprise on page 47. After
OnGuard Enterprise has been installed, the Distributed ID Mobile client features can be
enabled.
b. Make sure that the hardware key is attached to the OnGuard License Server computer, and
that the License Server is running. For more information, refer to Attach the Hardware Key
(License Server Only) on page 48.
c. After OnGuard installs, Setup Assistant runs automatically. Setup Assistant includes the
following:
• Security Utility
• Configuration Editor (if Setup Assistant detects that the database or License Server
configuration is not consistent between the application.config and ACS.INI files, or
Setup Assistant cannot connect to the database or the License Server)
• System License (License Administration)
• Service Log On
• Database Installation (for new server installations with SQL Express)
• Database Backup (if upgrading an existing installation)
• Database Setup (for server installations)

• Service Startup
For more information, refer to the Setup Assistant section in the Installation Guide.
5. Configure the Distributed ID/Mobile Station database and perform the initial configuration and
synchronization. This includes designating the server as a Distributed ID/Mobile Station using
Replication Administration, and pre-allocating a set number of Cardholder IDs and Badge IDs (if
using automatic badge ID generation) for the Distributed ID/Mobile Station to use. The
Distributed ID Global Server keeps track of which range(s) were allocated to each Distributed
ID/Mobile Station, so that they can be validated before uploads occur. For more information,
refer to Configure a Distributed ID/Mobile Station on page 79.
6. Using the System Administration software, define your access control system hardware and
monitoring environment. (For more information, refer to the System Administration and Alarm
Monitoring User Guides.)

Configure a Distributed ID Management System


To configure a Distributed ID Management system you must:
1. Set up the Distributed ID Mobile Global Server by completing all steps in Distributed ID Global
Server Setup Overview on page 76.
2. Set up Distributed ID/Mobile Stations by completing all steps in Distributed ID/Mobile Station
Setup Overview on page 77 on each Distributed ID/Mobile Station.

Configure a Distributed ID Global Server


1. Start and log into Replication Administration on the Distributed ID Global Server.
2. When you log into Replication Administration for the first time, it will detect that you have a
standard database. A message will prompt you to decide whether you want to make the system a
Distributed ID Global Server. Click [Yes].
3. The Distributed ID Settings form is displayed. In the This System’s Distributed ID Setting
drop-down list, select “Distributed ID Global Server.”
4. Type the server’s display name into the Enterprise server display name field.
5. Specify the Workstation name where ID Allocation service is running.
6. Specify the Workstation name where replication services are running.
7. Click [OK].
8. The following message is displayed. Click [Yes].
Replication Administration
You are changing a setting that DRASTICALLY changes the fundamental operation of the system. ONCE
YOU CONFIRM THIS SEETING, IT IS PERMANENT! THERE IS NOT GOING BACK! Are you absolutely
certain you understand all the ramifications of setting this computer system as a [Distributed ID Global Server]
system?
9. The recommended naming scheme for new databases is “<Server name>Lenel.” If the name of
the database you are configuring follows this naming scheme, no warning message is displayed
and you can skip ahead to step 10. If the database you are configuring is not named according to
this naming scheme and you wish to proceed using the current database name, click [Yes].
Otherwise, click [No] and create a new database that follows the recommended naming scheme.

10. If your database does not contain any data, skip ahead to step 11. If the following message is
displayed, then your database already has data in it. Click [Yes] to remove all existing data.

11. The following message is displayed. Click [OK].

The next step is to configure the Distributed ID/Mobile Station.

Configure a Distributed ID/Mobile Station


1. Run the OnGuard setup on the Distributed ID/Mobile Station. Choose a “Server installation”.
When selecting components, check only the following options:
• ID CredentialCenter
• License System Server
• Login Driver
• Replicator
• Replication Administration
• Universal Time Conversion Utility
• Application Server
• Documentation
2. After the installation is complete and the computer has been rebooted, open the ID
CredentialCenter program. Configuring a Distributed ID/Mobile Station requires that no
cardholder data exists, so you must delete the default record in the database. To do this:
a. Select the Cardholders option from the Administration menu.
b. Click [Search], then [OK]. There should be only one sample record. If this is not true,
something is wrong with your installation.
c. Click [Delete], then [OK].
3. Start and log into Replication Administration on the Distributed ID/Mobile Station.
4. When you log into Replication Administration for the first time, it will detect that you have a
standard database. A message will prompt you to decide whether you want to make the system a
Distributed ID Global Server. Click [Yes].


5. The System Settings form is shown.

a. Create a new ODBC DSN that points to the Distributed ID Global Server:
1) Click [Create New ODBC Data Source].
2) If using Windows with UAC turned on, the Create ODBC Data Source dialog will be
displayed. Click the [Create ODBC Data Source] button. You will be prompted to allow
or deny the command. If you are running the application with a Windows account that
does not have Administrator permissions you will be prompted for administrator
credentials.
3) For ODBC Data Source Name, type a name for the DSN.

Note: It is recommended to include the name of the Global or Regional OnGuard Server as
part of the DSN within an OnGuard Enterprise System.
4) Select the correct Database Type for the Global Database Server. If it’s SQL Server,
type the computer name of the server, or click [Browse] to select a server.
5) Click [OK].
b. In the This System’s Distributed ID Setting drop-down, select “Distributed ID/Mobile
Station.”
c. Specify the Enterprise server display name.
d. Select the ODBC Data Source to parent server.
e. Specify the Workstation name where the Login Driver is running.
f. Specify the Workstation name where replication services are running.
g. In the Virtual server name configuration section, select whether the station uses a virtual
server name (also known as the failover name). This setting only pertains to systems using a
fault tolerance/disaster recovery solution such as NEC ExpressCluster or Microsoft
Clustering.
• By default the This server uses a virtual server name checkbox is deselected, which
indicates that the station name specified is the actual machine name of the station.
• If you specified a failover name for the station in the fault tolerance/disaster recovery
solution, then you will need to select the This server uses a virtual server name
checkbox and enter the failover name used to identify the station in the fault tolerance/
disaster recovery system rather than the actual machine name.

Note: You can modify this value after the station has been created on the Enterprise Server
Configuration form. The Enterprise Server Configuration form is displayed by clicking
it beneath the station in the System Tree.
h. It is also recommended you set the Database selection for this workstation’s login to
“Allow User to Select.”
i. Click [OK].
6. Authentication to the Global Server is required when creating a new Distributed ID/Mobile
Station. Log on to the Global Server using the SA user account or an SA delegate user account,
or the single sign-on account linked to the SA account. Click [OK].
7. The following message is displayed. Click [Yes].

8. The recommended naming scheme for new databases is “<Server name>Lenel.” If the name of
the database you are configuring follows this naming scheme, no warning message is displayed
and you can skip ahead to step 9. If the database you are configuring is not named according to
this naming scheme and you wish to proceed using the current database name, click [Yes].
Otherwise, click [No] and create a new database that follows the recommended naming scheme.

9. If your database does not contain any data, skip ahead to step 10. If the following message is
displayed, then your database already has data in it. Click [Yes] to remove all existing data.

10. The Pre-Allocated ID Ranges form is displayed. This allows you to adjust the number of
pre-allocated IDs for each record type that you wish to “grab” for the region initially. You can also
adjust the “Low Water Mark”, which is the number of remaining IDs below which new IDs will
automatically be “grabbed” again. There is normally no need to change these default settings;
however, you may wish to adjust the number of Cardholder and Badge IDs you allocate
depending on how many new Cardholders/Badges you expect to be added at the
Distributed ID/Mobile Station over time. New pre-allocated IDs may be obtained at ANY time
after the Distributed ID/Mobile Station is configured.


11. Click [Allocate New IDs Now] when you are ready to continue.
12. The following message is displayed. Click [OK].

Your computer is now configured to perform mobile badging. However, if you want to download all
existing cardholder information from the Distributed ID Global Server, you must do so by using the
Replicator application and performing a Full Download of the cardholder records. Once you run a
Full Download of cardholder records for the first time, you can use the LS Site Publication Server
service to keep the cardholder records synchronized on the servers. For more information, refer to
Run Replication as a Windows Service in the Replicator User Guide.

Note: The new LS Site Publication Server service must be running on both the Global and
target servers when performing a Full Download or UDF download.
Use the Replicator application for synchronizing hardware data.



CHAPTER 9 Enterprise Configuration

Global Server Configuration Overview


When OnGuard Enterprise installs, it installs a standard database. To configure a standard database to
become an Enterprise Global Server database, you must use the Replication Administration
application. The database cannot contain any cardholders, hardware, or card formats; if it does, they
will be deleted when the standard database is converted to an Enterprise database.
The Enterprise Global Server database is automatically segmented. The default segment is
named after the server's network name. The Global Server has its own segments along with two
dynamic segments.
Dynamic recursive segments allow the system to be constantly updated when additional segments are
added. There are two dynamic segment types: recursive and non-recursive. The dynamic recursive
segment includes all segments on the owning server and all child servers' segments, inclusively. The
dynamic non-recursive segment includes all segments on the owning server.

Enterprise Segmentation Example
[Figure: a server hierarchy with the Global Server at the top, Regional Server 1 and Regional
Server 2 beneath it, and Regional Servers 1-1, 1-2, 2-1, and 2-2 at the lowest level; the diagram
labels Segment 1 through Segment 5.]


Global Server Login


You may log into the Global Server in any of the following ways:
• <All Segments - [global display name] - Recursive>: If you log in as All Segments Recursive,
you will have access to all the Global Server segments as well as all the Regional Server
segments.
• <All Segments - [global display name]>: If you log in as All Segments, you will have access to
all segments in the Global Server only.
• Single Segment: If you log into a single segment, whether it is on the Global Server or a Regional
Server, you will see only the information for that particular segment.
• Segment Group: If you log into a segment group, you will see only the information for the
segments that make up that particular segment group.
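The four login scopes above, together with the recursive and non-recursive dynamic segments, can be modelled as a walk over the server tree. The following Python sketch is an added example, not OnGuard code; the hierarchy, the segment-to-server assignments, the segment group and every function name are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Server:
    name: str
    segments: list[str]
    children: list[Server] = field(default_factory=list)


# Constructed hierarchy: one initial segment per server (assumption).
ENTERPRISE = Server("Global Server", ["Segment 1"], [
    Server("Regional Server 1", ["Segment 2"], [
        Server("Regional Server 1-1", ["Segment 4"]),
        Server("Regional Server 1-2", ["Segment 5"]),
    ]),
    Server("Regional Server 2", ["Segment 3"], [
        Server("Regional Server 2-1", ["Segment 6"]),
        Server("Regional Server 2-2", ["Segment 7"]),
    ]),
])

# Constructed segment group spanning two regional branches.
SEGMENT_GROUPS = {"East Campus": {"Segment 4", "Segment 6"}}


def walk(server):
    """Yield the server and every descendant server, depth first."""
    yield server
    for child in server.children:
        yield from walk(child)


def find_server(root, name):
    for server in walk(root):
        if server.name == name:
            return server
    raise KeyError(f"unknown server: {name}")


def visible_segments(root, kind, target, groups=None):
    """Resolve a login scope to the set of segments it can see.

    kind is one of:
      "recursive" - <All Segments - [name] - Recursive>, target = server name
      "all"       - <All Segments - [name]>, target = server name
      "segment"   - single segment, target = segment name
      "group"     - segment group, target = group name
    """
    known = {seg for s in walk(root) for seg in s.segments}
    if kind == "recursive":
        # Owning server plus all child servers, at every depth.
        return {seg for s in walk(find_server(root, target)) for seg in s.segments}
    if kind == "all":
        # Owning server only; child servers are excluded.
        return set(find_server(root, target).segments)
    if kind == "segment":
        if target not in known:
            raise KeyError(f"unknown segment: {target}")
        return {target}
    if kind == "group":
        members = set((groups or {})[target])
        if members - known:
            raise KeyError(f"group references unknown segments: {members - known}")
        return members
    raise ValueError(f"unknown login kind: {kind}")


def servers_exposed(root, segments):
    """Names of the servers that own at least one of the given segments."""
    wanted = set(segments)
    return sorted(s.name for s in walk(root) if wanted & set(s.segments))


if __name__ == "__main__":
    for kind, target in [("recursive", "Global Server"), ("all", "Global Server"),
                         ("recursive", "Regional Server 1"), ("group", "East Campus")]:
        segs = visible_segments(ENTERPRISE, kind, target, SEGMENT_GROUPS)
        print(f"{kind:9} {target:18} -> {sorted(segs)}")
```

Reviewing which servers a scope reaches (servers_exposed) is a quick way to confirm that an operator account has the narrowest login scope that still covers its duties.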

Configure the Global Server Database


Before you can configure the Global Server database, you must do the following on the Global Server
computer:
1. Install Windows. Refer to the release notes for the versions of Windows that are supported. The
release notes are located on the root directory of the OnGuard 8.2 Enterprise installation media.
2. Install and Configure the Database Software. For more information, refer to Chapter 4: Microsoft
SQL Server on page 31.
3. If your installation will use a hardware key for licensing, install the key’s drivers before installing
the OnGuard software.
4. Install the OnGuard 8.2 Enterprise software.
a. Install the OnGuard software on the workstation designated as the server prior to installing
OnGuard on each of the other (client) workstations on the OnGuard network.
OnGuard 8.2 Enterprise is installed with the “Standard” settings. For detailed installation
instructions, refer to Chapter 5: Installing OnGuard 8.2 Enterprise on page 47. After
OnGuard 8.2 Enterprise has been installed, the Enterprise Global Server features can be
enabled.
b. Attach the hardware key on the OnGuard License Server computer. For more information,
refer to Attach the Hardware Key (License Server Only) on page 48.
c. After OnGuard installs, Setup Assistant runs automatically. Setup Assistant includes the
following:
• Security Utility
• Configuration Editor (if Setup Assistant detects that the database or License Server
configuration is not consistent between the application.config and ACS.INI files, or
Setup Assistant cannot connect to the database or the License Server)
• System License (License Administration)
• Service Log On
• Database Installation (for new server installations with SQL Express)
• Database Backup (if upgrading an existing installation)
• Database Setup (for server installations)
• Service Startup
For more information, refer to the Setup Assistant section in the Installation Guide.
You are now ready to configure the Global Server database. To do this:


1. Start and log into Replication Administration on the Global Server.


2. When you log into Replication Administration for the first time, it detects that you have a
standard database. The following message is displayed. Click [Yes].

3. The System Settings form is displayed. On the System Settings form:

a. In the This System’s Enterprise Setting drop-down list, select “Enterprise Global Server.”
b. In the Enterprise server display name field, you may specify a user-friendly name for the
server.
c. In the Workstation name where ID Allocation Service is running field, specify the
workstation that this server will connect to in order to retrieve its IDs.

Note: Each Enterprise system must have one instance of the ID Allocation Service running. It
is highly recommended to run the ID Allocation Service on a Global Server, Distributed
ID Global Server, or Global Server-level client. The ID Allocation Service will only
function if the ACS.INI file on the computer running the service is pointed to the
Global Server.
d. In the Workstation name where replication services are running field, specify the
workstation that is running the LS Site Publication Server service.
e. In the Virtual server name configuration section, select whether the Global Server uses a
virtual server name (also known as the failover name). This setting only pertains to systems
using a fault tolerance/disaster recovery solution such as NEC ExpressCluster or Microsoft
Clustering.
• By default the This server uses a virtual server name checkbox is deselected, which
indicates that the server name specified is the actual machine name of the Global Server.
• If you specified a failover name for the Global Server in the fault tolerance/disaster
recovery solution, then you will need to select the This server uses a virtual server
name checkbox and enter the failover name used to identify the Global Server in the
fault tolerance/disaster recovery system rather than the actual machine name.

Note: You can modify this value after the Global has been created by clicking “Enterprise
Server Configuration” in Available Views after selecting the Global Server in the
System Tree.
f. Click [OK].
4. The following message is displayed. Click [Yes].
Replication Administration
You are changing a setting that DRASTICALLY changes the fundamental operation of the system. ONCE
YOU CONFIRM THIS SEETING, IT IS PERMANENT! THERE IS NOT GOING BACK! Are you absolutely
certain you understand all the ramifications of setting this computer system as a [Distributed ID Global Server]
system?
5. The recommended naming scheme for new databases is “<Server name>Lenel.” If the name of
the database you are configuring follows this naming scheme, no warning message is displayed
and you can skip ahead to step 6. If the database you are configuring is not named according to
this naming scheme and you wish to proceed using the current database name, click [Yes].
Otherwise, click [No] and create a new database that follows the recommended naming scheme.

6. If your database does not contain any data, skip ahead to step 7. If the following message is
displayed, then your database already has data in it. Click [Yes] to remove all existing data.

7. The following message is displayed. Click [OK].

Congratulations, you created an Enterprise database on the Global Server. You may now log into
Replication Administration and see the Global Server, or proceed to setting up your Regional
Servers.

Regional Server Configuration Overview


When OnGuard Enterprise installs, it installs a standard database. To configure a standard database to
become a Regional Server database, you must use the Replication Administration application. The
database cannot contain any cardholders, hardware, or card formats; if it does, they will be deleted
when the standard database is converted to an Enterprise database.
The Regional Server database that is created will be segmented. The default segment is named
after the server's network name. Each Regional Server will have its own initial segment and can be
further segmented.
Hardware can be added not only on a Regional Server database, but may also be added to a Global
Server database. To save time when configuring numerous access panels or readers, use the wizards
in System Administration.
• If you want to configure (add) several access panels, use the Configure Access Panels Wizard
which is available by selecting Wizards from the Application menu in System Administration.
The wizard provides detailed instructions to guide you through the configuration process.
• If you want to configure (add) several readers, use the Configure Readers Wizard which is
available by selecting Wizards from the Application menu in System Administration. The wizard
provides detailed instructions to guide you through the configuration process. The wizard cannot
be used to add biometric or wireless readers.
Each Enterprise system must have one instance of the ID Allocation Service running. It is highly
recommended to run the ID Allocation Service on a Global Server, Distributed ID Global Server, or
Global Server-level client. The ID Allocation Service will only function if the ACS.INI file on the
computer running the service is pointed to the Global Server.

Configure the Regional Server Database


Before you can configure the Regional Server database(s), you must do the following on each
Regional Server:
1. Install Windows. Refer to the release notes for the versions of Windows that are supported. The
release notes are located on the root directory of the OnGuard 8.2 Enterprise installation media.
2. Install and Configure the Database Software. For more information, refer to Chapter 4: Microsoft
SQL Server on page 31.
3. If your installation will use a hardware key for licensing, install the key’s drivers before installing
the OnGuard software.
4. Install the OnGuard 8.2 Enterprise software.
a. Install the OnGuard software on the workstation designated as the server prior to installing
OnGuard on each of the other (client) workstations on the OnGuard network.
OnGuard 8.2 Enterprise is installed with the “Standard” settings. For detailed installation
instructions, refer to Chapter 5: Installing OnGuard 8.2 Enterprise on page 47. After
OnGuard 8.2 Enterprise has been installed, the Regional Server features can be enabled.
b. Make sure that the hardware key is attached to the OnGuard License Server computer, and
that the License Server is running. For more information, refer to Attach the Hardware Key
(License Server Only) on page 48.
c. After OnGuard installs, Setup Assistant runs automatically. Setup Assistant includes the
following:
• Security Utility
• Configuration Editor (if Setup Assistant detects that the database or License Server
configuration is not consistent between the application.config and ACS.INI files, or
Setup Assistant cannot connect to the database or the License Server)
• System License (License Administration)


• Service Log On
• Database Installation (for new server installations with SQL Express)
• Database Backup (if upgrading an existing installation)
• Database Setup (for server installations)
• Service Startup
For more information, refer to the Setup Assistant section in the Installation Guide.
You are now ready to configure the Regional Server database. To do this:
1. Start and log into Replication Administration on a Regional Server.
2. When you log into Replication Administration for the first time, it detects that you have a
standard database. The following message is displayed. Click [Yes].

3. The Enterprise Settings form is displayed.

a. In the This System’s Enterprise Setting drop-down list, select “Regional Server.”
b. In the Enterprise Server Display Name field, you may specify a user-friendly name for the
server.
c. In the Workstation name where replication services are running field, specify the name
of the workstation that will be running the replication and LS Site Publication Server
services.

Notes: This setting allows the Replication Administration application to communicate with
each Regional Server. There should be one instance of the replication and LS Site
Publication Server services running per Global and Regional Server.
If this field is blank when upgrading an Enterprise Global Server, the workstation
identified in the Workstation name where ID Allocation Service is running field is
populated into the Workstation name where replication services are running field by
default. This workstation name can be changed at any time.

d. In the Virtual server name configuration section, select whether the Regional Server uses a
virtual server name (also known as a failover name). This setting only pertains to systems
using a fault tolerance/disaster recovery solution such as NEC ExpressCluster or Microsoft
Clustering.
• By default the This server uses a virtual server name checkbox is deselected, which
indicates that the server name specified is the actual machine name of the Regional
Server.
• If you specified a failover name for the Regional Server in the fault tolerance/disaster
recovery system, then you will need to select the This server uses a virtual server
name checkbox and enter the failover name used to identify the Regional Server in the
fault tolerance/disaster recovery system rather than the actual machine name.

Note: You can modify this value after the Regional Server has been created by clicking
“Enterprise Server Configuration” in Available Views after selecting the Regional
Server in the System Tree.
e. In the Parent database server name field, specify the name of the Regional Server to
which this server is a child.

Note: When the parent server is running an Oracle database, the Parent database server
name field must be set to the Oracle Service Name (SID Service Name).
f. In the ODBC Data Source to parent server field, specify the ODBC Data Source. This will
be used by the Replicator application to move data between servers.
g. In the Workstation name where the Login Driver is running field, specify the name of the
server that contains the Login Driver.
h. Click [OK].
4. The following message is displayed. Click [Yes].

5. Authentication to the Global Server is required when creating a new Regional Server. Log on to
the Global Server using the SA account or the single sign-on account linked to the SA account.
Click [OK].
6. The recommended naming scheme for new databases is “<Server name>Lenel.” If the name of
the database you are configuring follows this naming scheme, no warning message is displayed
and you can skip ahead to step 6. If the database you are configuring is not named according to
this naming scheme and you wish to proceed using the current database name, click [Yes].
Otherwise, click [No] and create a new database that follows the recommended naming scheme.


7. If your database does not contain any data, skip ahead to step 8. If the following message is
displayed, then your database already has data in it. Click [Yes] to remove all existing data.

8. The Pre-Allocated ID Ranges form is displayed. This allows you to adjust the number of
pre-allocated IDs for each record type that you wish to “grab” for the Regional Server initially. You
can also adjust the “Low Water Mark”, which is the number of remaining IDs below which new
IDs will automatically be “grabbed” again. There is normally no need to change these default
settings; however, you may wish to adjust the number of Cardholder and Badge IDs you
allocate depending on how many new Cardholders/Badges you expect to be added at the
Regional Server over time. New pre-allocated IDs may be obtained at ANY time after the
Regional Server is configured.

9. Click [Allocate New IDs Now] when you are ready to continue.
10. The following message is displayed. Click [OK].

Configure the Regional Server


After the Regional Server database has been created, you must:


1. Perform a Full Download to the Regional Server. For more information, refer to Perform a Full
Download to the Regional Server on page 91.
2. Perform a Transfer Hardware Records upload from the Regional Server. For more information,
refer to Configure and Run a Replicator Session in the Replicator User Guide.
3. Schedule Replication to run automatically. For more information, refer to Schedule Replicator to
Run Automatically on page 92.
4. Synchronize the Login Driver connection after the installation is complete:
a. On each Regional Server, the administrator must log into Replication Administration.
b. Right-click on the region in the System Tree, then select Synchronize Login Driver
Connection.
c. Provide credentials to the highlighted ODBC connection. The connection information will
synchronize.
d. You might also be asked to provide credentials for additional enterprise nodes. Proceed until
all regions are synchronized.
5. Make sure to perform all necessary maintenance on a regular basis. For more information, refer
to Chapter 12: Enterprise System Administration on page 111.

Perform a Full Download to the Regional Server


Your next step for configuring the Regional Server involves doing your initial Cardholder download
using the Replicator application.
From the main window of Replicator, use the Full download check box to configure a download of
cardholder and asset records from the Enterprise Global Server to the new Regional Server.
In many installations it is desirable to automatically assign default access levels to all new badges
which are added to a Regional Server, including the initial download. The recommended strategy for
this makes use of the “Default Access Group” assignment for Badge Types. This allows you to assign
default access levels on a per Badge Type basis for badges that are manually entered at the Regional
Server as well as for badges which are added elsewhere in the Enterprise system and downloaded
using the Replicator application.
If you wish to automatically assign access levels when downloading new badges (see the appropriate
manuals or help files for more information on how to perform these tasks):
1. On the Regional Server, log into the System Administration application. Add all Access Levels
you will need on the Access Levels tab. You do NOT need the reader or timezone assignments
for these levels at this time. You only need to enter the names that you will use for these Access
Levels. As you modify these levels later by adding reader and timezone assignments, badges
with those levels assigned will automatically receive that access.
2. On the Access Groups page, add groups which group the levels you need to assign to each Badge
Type. It is recommended that you use segment-wide (“<All Segments - [global display name] -
Recursive>”) groups for this purpose, which will serve you better should you decide to further
segment the system at a Regional Server.
3. On the Badge Type page, modify each Badge Type and select the Default Access Group that you
want to automatically assign to the Badge Type.
When you are ready to download all cardholders to your Regional Server:
1. Exit any LenelS2 applications that you currently have running.
2. Start the Replicator application.
For more information, refer to “Using OnGuard on Supported Operating Systems” in the
Installation Guide. See the Replicator User Guide or online help for more information on this
application.
3. Log into the Regional Server database.
4. Check the Full download check box.
5. If you have default access groups for badge types and wish to automatically assign them at this
time, make sure the Add default access group when a badge is added check box is checked.
6. Click [Execute]. Answer all prompts accordingly to begin your download, and verify that the
process completes successfully.

Schedule Replicator to Run Automatically


It is extremely desirable to have Replicator run unattended and automatically at scheduled intervals.
Clearly, it is vital to have someone check the log on a regular basis and deal with errors, but the actual
execution of Replicator should be automated. Replicator can be run either in its interactive
application mode (by starting it from the menu), or as a Windows service. By running it as a service,
you can automate Replicator’s execution.
Replicator can also be scheduled to run using the Scheduler in System Administration. For more
information, refer to “Schedule Replication” in the Replicator Schedule Form chapter of the
Replication Administration User Guide.

Replicator Settings in the ACS.INI File

IMPORTANT: Administrator permission may be required to make changes to the ACS.INI file
and save it in the Windows directory.
The ACS.INI file is a control file that sits on each computer that runs ANY OnGuard software. This
can be a client or a server. The ACS.INI file is located within the Windows directory on a computer.
In Microsoft Windows, this directory is often [Drive]:\WINDOWS. Substitute the letter of the hard
drive that Windows is installed on for [Drive].
There are many sections within the ACS.INI file. Each section is denoted within the file by the
following syntax:
[Section]
The settings that relate to the Replicator are found within the Distributed Exchange section in the
ACS.INI file. They are:

Component (key) name    Default value               Description
CheckInterval           180                         How often the Replicator Service checks the schedule to see if a task needs to be executed
LastChecked             <Date Set by Replicator>    Last time this INI file was checked

Enterprise Ongoing Administration


For information pertaining to ongoing administration tasks for an Enterprise system, refer to Chapter
12: Enterprise System Administration on page 111.



CHAPTER 10 Accounts and Passwords

Accounts
The System Administrator should create a unique account for each user of the applications. The
System Administrator can also, for each user, create a list of permissions, which specifies precisely
what the user can access.
An SA Delegate user account can be created by the default system account (SA) user and assigned all
permissions. Then the SA Delegate user can disable the default system account (SA) to increase the
security of the system by having no default user accounts.
During initial installation of the application, default accounts are created. These include:

User name    Password    Type
SA           SA          system account
admin                    sample
user                     sample
badge                    sample

These are provided as samples. You may change the passwords and use the accounts, or remove them.
The exception to this is the system account, SA. By definition this account has permission to do
anything in the system. A user with system access has unlimited access to the application.
The first time you log into OnGuard to configure the application, use SA as the user name and the
password. Change the password according to the policies and standards described in Passwords on
page 94.
Security recommendation: After logging into OnGuard, create an SA Delegate user with all
permissions and as the SA Delegate user, disable the default system account user.


The following table summarizes the OnGuard default accounts and passwords:

OnGuard Default Accounts and Passwords

Description: Default system administrator account. This is the account that is used initially
to log into the main OnGuard applications, such as System Administration.
Note: Upon initial login, OnGuard requires that the default password be changed.
Security recommendation: After logging into OnGuard, create an SA Delegate user with all
permissions and as the SA Delegate user, disable the default system account user.
User name: SA
Password: SA
How to change the password: For more information, refer to Change the System
Administrator Password for the Database on page 97.

Description: OnGuard database. This is the actual OnGuard SQL Server Desktop Engine,
SQL Server, or Oracle database. By default, the login name for the OnGuard database is
“Lenel.” This can now be customized as needed. If the name is changed, make sure to update
or create a corresponding user account in your database.
User name: LENEL
Password: Secur1ty#
How to change the password: For more information, refer to Change the Database
Password on page 96.

Description: License Administration account. This is the account that is used initially to log
into the License Administration application.
User name: No default user name
Password: No default password
How to change the password: For more information, refer to Install Your OnGuard
License on page 55.

Passwords
OnGuard checks the user’s password against password standards. This functionality is designed to
enhance password security if single sign-on is not used. If single sign-on is used (automatic or
manual), OnGuard does not enforce password standards. For more information on single sign-on,
refer to Single Sign-On on page 71.

Password Policies
OnGuard Enterprise supports the configuration of password policies:
• A minimum password length
• Complex passwords (for example, a mix of uppercase alphabetic, lowercase alphabetic, numeric,
and non-alphanumeric characters)


• Case-sensitivity of passwords
• Password expiration
– Expiration after specified number of days
– Warning to the user to change the password after a specified number of days
– Force a change of password on next login
• Rejection of passwords that match entries on the list of prohibited keywords
• Rejection of re-using prior passwords based on a specified number of prior passwords
• Inactivity timeout after a specified amount of elapsed idle time
• Invalid login lockout after a specified number of failed attempts

Notes: When an OnGuard system is upgraded, current user passwords are supported until the
configurations listed above require the passwords to be changed.
OnGuard also checks the OnGuard database user’s password to ensure that it is not
blank, it is not the same as the username, and it is not the same as an entry on the list of
prohibited keywords. Database passwords conform to the rules of the specific database
being used. For example, passwords in SQL Server and Oracle 12c are case-sensitive.
Database user passwords apply to SQL Server Desktop Engine, SQL Server, and
Oracle. For information on changing your database password refer to Change the
Database Password on page 96.

Password Standards
When creating a strong password keep the following guidelines in mind:
• Passwords cannot be blank
• Passwords cannot be the same as the user name (for example, SA, SA)
• Passwords cannot be on the list of prohibited keywords.
• Depending on the configured password policies, it may be required that your password contain
numbers, letters, and symbols. Spaces are also acceptable (for example, August 18, 1967).
• OnGuard user passwords are case-sensitive.
• The maximum length for a strong password is 127 characters. The minimum length is 1. The
default is 8.

Notes: Password policies can be configured to accept passwords that have a minimum value of
1 character and a maximum value of 127 characters. By default, the password length is
set to 8 characters. To change system-wide password requirements, use the OnGuard
Users browser-based client application. For more information, refer to the
Administration Guide for OnGuard Browser-based Client Applications (DOC-6015-EN-US).
Database passwords conform to the rules of the specific database being used; passwords
in SQL Server and Oracle 12c are case-sensitive.
For Oracle databases the following account username and passwords are not allowed to
be used together:
System and Manager
Internal and Oracle
Sys and Change_On_Install


Database Passwords on an Enterprise System


All regions start out with the same database password (Secur1ty#). It is highly
recommended that you change the database password. If the database password is
changed on one region (Region 1) in an Enterprise system, it is still possible to log into
another region (Region 2) from Region 1. This is because a login driver location is
stored for each Enterprise Server (each DSN). Multiple registry entries are stored in
“HKEY_CURRENT_USER\Software\Lenel”. All entries begin with the prefix
“LoginDrvLoc_” and are followed by their DSN.
The OnGuard software checks the license server workstation and then the database server for the
Login Driver. Once the Login Driver is found and the password is retrieved, if you can’t be logged
into the database you will be prompted to enter the Login Driver location for the DSN that is currently
specified in the Configuration Editor. If the Login Driver Location window is displayed:
1. Enter the Login driver location.
2. Click [OK]. The registry will then be updated with the specified Login Driver location, and the
software will attempt to open the database again using the password from this new login driver. If
this is successful, you will be allowed to log in. Otherwise, an error message will be displayed.
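
The per-DSN Login Driver locations described above can be inventoried before and after a database password change. The following PowerShell is an added example, not LenelS2 code; it assumes the “LoginDrvLoc_” entries are registry values (not subkeys) under Software\Lenel, and it reads every user hive loaded on the workstation, which requires administrative rights for hives other than your own.

```powershell
# Added example (not LenelS2 code).
# Assumption: each "LoginDrvLoc_<DSN>" entry is a registry VALUE under Software\Lenel.
function Get-LoginDriverLocation {
    [CmdletBinding()]
    param()

    $prefix = 'LoginDrvLoc_'

    # HKEY_USERS holds one subkey per loaded profile; HKEY_CURRENT_USER is
    # simply the caller's own entry in that list.
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' }

    foreach ($hive in $hives) {
        $keyPath = "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Lenel"
        if (-not (Test-Path -Path $keyPath -ErrorAction SilentlyContinue)) { continue }

        $key = Get-Item -Path $keyPath -ErrorAction SilentlyContinue
        if ($null -eq $key) { continue }

        foreach ($valueName in $key.GetValueNames()) {
            if ($valueName -notlike "$prefix*") { continue }

            # One row per user and DSN: which Login Driver that DSN resolves to.
            [pscustomobject]@{
                UserSid  = $hive.PSChildName
                Dsn      = $valueName.Substring($prefix.Length)
                Location = $key.GetValue($valueName)
            }
        }
    }
}

# List the stored locations, grouped by DSN.
Get-LoginDriverLocation | Sort-Object Dsn, UserSid | Format-Table -AutoSize
```

Each row names a Login Driver that this workstation can still use to reach a region, so the list shows which regions remain reachable after the database password is changed on only one of them.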

Change the Database Password


In addition to user accounts and passwords, your OnGuard system has a database password. During
installation, this password is set to Secur1ty#. When you log on, the application checks your
database server (SQL Server, Oracle, or SQL Server Desktop Engine) for this password before
allowing you to use the database.
It is highly recommended to change this password. Although all the machines in an Enterprise or
Distributed ID system start out using the same database password (Secur1ty#), the database
password does not need to be the same on all machines. The procedure for changing the database
password varies depending on whether the Login Driver is running on the same computer that the
database is located on, and which options you choose to use. The SQL Server, Oracle, or SQL Server
Desktop Engine password and the password in the Login Driver must be the same or you will not be
able to log into any OnGuard applications.
• If the Login Driver and the database are on different computers, you have two options:
– Change the database password, and change the password in the Login Driver manually later
– Change both the database password and the Login Driver password at once. If you choose
this option, the password will be sent over the network as plain text.

Change the Lenel Account Password


1. To change the Lenel account password using the Login Driver:
a. Stop the LS Login Driver service, and then run it as an application.

b. The icon appears in the system tray. Right-click the icon, then select Open.
c. The Login Driver window opens. From the Edit menu, select Change Password.
2. If the password is considered weak, the database server Account Passwords window is displayed.
Refer to Password Standards on page 95 to determine a secure password.
3. Click [Continue]. If you wish to change the password for a database server account now, that is,
“LENEL”, select the account from the list, then click [Change Password].
a. The Change Password window is displayed. In the Old password field, type your current
password. For security reasons, your password is not displayed as you type it.
b. In the New password field, type the new password.


c. In the Confirm password field, type the new password again. Because the password can’t
be seen while you type, this gives you an extra assurance that you typed it correctly.
d. When the password is changed, it must be changed in the Login Driver and on the database
server. If the Login Driver and the database server are running on the same machine, proceed
to step e.
If the Login Driver and the database server are not running on the same machine, the “When
I change this password on the Login Driver, do not change the password on the
database server. I will change the password manually on the database server.” check box
appears in the Change Password window. (If they are on the same machine, this check box
does not appear.)
• If the check box is not selected (default), the password will be changed in both places.
However, the password is sent as plain text over the network. This is the only case
where the password is passed across the network in plain text when changing the
password.

Note: A connection to the Login Driver is required to connect successfully to the database.
The Login Driver can be run on either the database server or the license server.
• If the check box is selected, the password in the Login Driver will be changed, but you
will need to change the password manually on the database server. For more
information, refer to Change the Lenel Account Password on page 96.
e. Click [OK] to save the new password.
4. Exit the LS Login Driver application and restart the service.

Change the System Administrator Password for the Database


It is very important that you have a secure password for your database administrator account. For
SQL Server Desktop Engine and SQL Server databases, this account is “SA.” Oracle has several
default administrator accounts, including INTERNAL, SYS, and SYSTEM. These passwords must
be changed to a secure password if strong password enforcement is enabled. Two steps are required to
change the system administration password:

Change the SYSTEM Account Password Using Database Setup


To change the SYSTEM account password using Login Driver, follow the same instructions listed in
Change the Lenel Account Password on page 96, with the following exception: in step 3 of Change
the Lenel Account Password on page 96, select the system account from the list (“SA” by default),
then click [Change Password].

Key Points for System Account Password Change


• The system account (SA) and password should be carefully safeguarded and stored in a secure
location.
• In the event that further assistance is needed, contact LenelS2 OnGuard Technical Support.
• The system account is intended to be used during system commissioning and is not intended for
daily system operations.
• Integrator and End-User should have a defined process for awareness of any password changes
and access to the password when necessary.
• Creation of SA Delegate user accounts assigned to specific users is recommended after
commissioning.


Managing the Login Driver Encryption Key


The Login Driver holds the encryption key for the entire OnGuard system. This key is then used to
encrypt the OnGuard database, and is distributed to all OnGuard clients in the system. A client cannot
function if it does not have the encryption key that matches the key on the OnGuard server.

Note: In a clustered environment with the Login Driver residing on a clustered server, you
must also update the encryption key (using the same passphrase, or import the same .og
file) on the other node.
1. To set the OnGuard system encryption key using the Login Driver:
a. Stop the LS Login Driver service, and then run it as an application.

b. The icon appears in the system tray. Right-click the icon, then select Open.
c. The Login Driver window opens. From the Edit menu, select Manage Encryption Key. The
Manage encryption key dialog opens.
d. In the Key entry options drop-down, you can select either:
• Set with the passphrase - Type the passphrase in the field. If you want to see the
passphrase, select Show Passphrase.
• Set with the file - Click [Browse] to navigate to the file containing the encryption key.
e. Click [Apply].
2. To change your encryption key recovery preferences:
a. From the Login Driver window, select Edit > Manage Encryption Key. The Manage
encryption key dialog opens.
b. Select the Emergency Key Recovery option so that the OnGuard System software provider
can help you recover the encryption key if there is a system failure. This process will create
and securely store a Key Recovery String for the system that can be provided to support the
recovery process. The Key Recovery String will be updated each time the Encryption Key is
changed for the system.
c. Click [Apply].

Setting Login Driver RabbitMQ Credentials


The Login Driver holds the RabbitMQ credentials.

Note: Before changing the RabbitMQ credentials for the Login Driver, you must also update
the password using the RabbitMQ console tool as described in Restore Microsoft SQL
Server Database Onto a Different Server on page 33.
1. To configure the RabbitMQ credentials using the Login Driver:
a. Stop the LS Login Driver service, and then run it as an application.

b. The icon appears in the system tray. Right-click the icon, then select Open.
c. The Login Driver window opens. From the Edit menu, select Set RabbitMQ LD credentials.
The Set RabbitMQ LD credentials dialog opens.
2. Type the RabbitMQ Username and Password into the text fields. If you want to see the
password, select Show Password.
3. To test the workstation’s connection to the RabbitMQ server, click [Test Connection].
4. Select Allow users to re-establish connection for offline clients if you want users to reconnect
to the RabbitMQ server on their own.


5. If you only want workstations to re-connect to the RabbitMQ server without user interaction for
a limited time, select Prevent silent client reconnection after, and then fill in the date and time
you want that permission to expire.
6. Click [Apply].

Note: In a clustered environment with the Login Driver residing on a clustered server, you
must also update the RabbitMQ credentials for the Login Driver on the other node.
7. Re-synchronize the Login Driver connection after the upgrade is complete:
a. Log into Replication Administration.
b. Right-click on the current server in the System Tree and select Synchronize Login Driver
Connection.
c. Provide credentials to the highlighted ODBC connection. The connection information will
re-synchronize.
d. You might also be asked to provide credentials for additional enterprise nodes. Proceed until
all regions are synchronized.



Upgrading an Enterprise System
CHAPTER 11 Upgrading to OnGuard 8.2 Enterprise

This section describes how to upgrade your Enterprise system. The general approach that must be
followed to upgrade an Enterprise system to OnGuard 8.2 Enterprise is:

IMPORTANT: For information on hardware and data that must be decommissioned from the
system prior to upgrading OnGuard, refer to “End of Life Hardware and Data
Considerations” in the Upgrade Guide. We also recommend backing up the
database before the decommissioning but after pending transactions are
resolved, and then backing up again after decommissioning and pending
transactions are resolved.
1. Make sure that all pending transactions have been processed.
2. If you are not using Visitor Management, please proceed to step 3. As an upgrade requirement for
Enterprise customers using Visitor Management, all signed-out visits at each Regional Server
and the Global Server must be archived prior to performing the upgrade. Failure to do so will
cause all historic visits to lose their date/time information upon a full replication/download.
3. Stop all OnGuard services on the Global and Regional Servers.
4. Back up all databases.
5. Make sure that the Global and Regional Servers have the latest approved Windows service pack
and Windows updates (see the release notes for specifics). Upgrade any machines that do not.
Refer to the release notes for the versions of Windows that are supported. The release notes are
located on the root directory of the OnGuard 8.2 Enterprise installation media.
6. Make sure that the Global and Regional Servers have an approved database edition, service pack
and/or patch set for the version of OnGuard you are upgrading to. For more information, refer to
the OnGuard release notes and the compatibility charts on the LenelS2 web site at:
https://partner.lenel.com/downloads/onguard/software. Once there, select Compatibility Charts
from the Choose type of download menu.

Note: When accessing the Downloads section at https://partner.lenel.com, make sure to select
the version of OnGuard that is currently installed.
7. Upgrade the OnGuard software and databases in the following manner:
a. On the Enterprise Global Server, upgrade to OnGuard 8.2 Enterprise.
b. On the Enterprise Global Server, upgrade the OnGuard database.
c. On all Regional Servers, upgrade to OnGuard 8.2 Enterprise.


d. On all Regional Servers, upgrade the OnGuard database.


e. On all Mobile Stations, upgrade the OnGuard database.

Notes: The host computer that will run the LS Message Broker is identified automatically when
upgrading from earlier versions of the OnGuard software.
The workstation that will run the LS Site Publication Server service is also identified
automatically during the upgrade. If you wish to change the workstation that will run the
LS Site Publication Server service, refer to Configure the Global Server Database on
page 84. The Site Publication Server service requires that Secure Socket Layer (SSL) is
enabled.

8. When the Global Server and all Regional Servers have the same database version, set the LS
Replicator and LS Site Publication Server services to start automatically on all Regional Servers.
Also set the LS Site Publication Server service to start automatically on the Global Server.
9. Confirm that Replication is working using Replication Administration. For more information,
refer to the Replication Administration User Guide.
10. Perform a full download if upgrading a region from an OnGuard release before version 6.0 to
version 6.0 or later. Otherwise a full download is not required.
11. Run the Universal Time Conversion Utility. For more information, refer to Appendix F:
Universal Time Conversion Utility on page 131.

Upgrading to OnGuard 8.2 Enterprise


IMPORTANT: For information on hardware and data that must be decommissioned from the
system prior to upgrading OnGuard, refer to “End of Life Hardware and Data
Considerations” in the Upgrade Guide. We also recommend backing up the
database before the decommissioning but after pending transactions are
resolved, and then backing up again after decommissioning and pending
transactions are resolved.
Once you upgrade OnGuard you are prompted to update your SQL Server data sources to use ODBC
Driver for SQL Server. If you choose not to update your data sources automatically you will have to
do so manually before your system will function.

Notes: Starting with OnGuard 7.2, the Last Location replication process is performed by the
Site Publication Server and the Message Bus to enhance overall performance. By
default, Last Location transactions replicate through the system. However, you can
configure a scheduled window for when replication occurs. On upgrade, if no action or
schedule was configured for Last Location replication, then the default will be that the
replication is disabled.
Mobile workstations cannot add, modify, or delete reports. Reports that were added to a
Mobile workstation before the upgrade will be pushed onto the parent workstation and
will become the parent’s report.
If replication of user permissions is enabled after the upgrade, OnGuard will show a
warning if there are duplicate group names. Once these duplicates are resolved,
OnGuard will replicate the permission groups.

To upgrade to OnGuard 8.2 Enterprise, perform these steps in the order listed.


Verify No Pending Transactions Exist


Verify that all pending transactions have been processed before proceeding.

Archive Visits if using Visitor Management


All signed-out visits at each Regional Server and the Global Server must be archived prior to
performing the upgrade. Failure to do so will cause all historic visits to lose their date/time
information upon a full replication/download when using Visitor Management.

Stop All OnGuard Services on All Global and Regional Servers


1. Use the System Diagnostic Tool in Replication Administration to confirm that there are no
pending transactions. Refer to System Diagnostic Tool Form Procedures in the Replication
Administration User Guide.
2. Stop all OnGuard services on the Global and Regional Servers.

IMPORTANT: OnGuard services should be shut down on all computers. These services must
not be restarted until the upgrade is complete. For those services that are
configured for automatic start up, temporarily change them to manual start up,
except for the LS License Server and the LS ID Allocation service on the
Global, and the LS License Server and the LS Replicator service on the
region(s). These services must remain set to automatic. All services with the
prefix LS and LPS should be shut down. Be sure all OnGuard applications are
closed on all workstations. Users should not run any OnGuard applications
during the installation process.
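
The service changes described in the IMPORTANT note above, as an added PowerShell example that is not part of the LenelS2 documentation. It assumes the LS and LPS prefixes refer to service display names and that the exempt services are installed under display names starting with the names used in this guide; the function name and the state file path are hypothetical.

```powershell
# Added example (not LenelS2 code).
# Assumptions: "LS"/"LPS" prefix = service display name; exempt services are
# matched by the display names this guide uses for them.
function Set-OnGuardServicesForUpgrade {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Global keeps LS License Server and LS ID Allocation automatic;
        # Regional keeps LS License Server and LS Replicator automatic.
        [Parameter(Mandatory = $true)]
        [ValidateSet('Global', 'Regional')]
        [string]$Role,

        # Hypothetical location for the record of the original start types.
        [string]$StatePath = "$env:ProgramData\onguard-upgrade-services.csv"
    )

    $keepAutomatic = @('LS License Server*')
    if ($Role -eq 'Global') { $keepAutomatic += 'LS ID Allocation*' } else { $keepAutomatic += 'LS Replicator*' }

    $services = @(Get-Service |
        Where-Object { $_.DisplayName -like 'LS *' -or $_.DisplayName -like 'LPS *' })
    if ($services.Count -eq 0) {
        Write-Warning 'No services with an LS or LPS display-name prefix were found.'
        return
    }

    # Record the current state first so start types can be restored after the upgrade.
    $services |
        Select-Object Name, DisplayName, Status, StartType |
        Export-Csv -Path $StatePath -NoTypeInformation

    foreach ($svc in $services) {
        $exempt = $false
        foreach ($pattern in $keepAutomatic) {
            if ($svc.DisplayName -like $pattern) { $exempt = $true }
        }

        # Automatic services become Manual, except the ones that must stay automatic.
        if (-not $exempt -and $svc.StartType -eq 'Automatic') {
            if ($PSCmdlet.ShouldProcess($svc.DisplayName, 'Set startup type to Manual')) {
                Set-Service -Name $svc.Name -StartupType Manual
            }
        }

        # Every LS/LPS service is shut down, including the exempt ones.
        if ($svc.Status -ne 'Stopped') {
            if ($PSCmdlet.ShouldProcess($svc.DisplayName, 'Stop service')) {
                Stop-Service -Name $svc.Name -Force
            }
        }
    }

    # Final state, for review: anything not Stopped needs attention.
    Get-Service -Name $services.Name | Select-Object DisplayName, Status, StartType
}

# Review the planned changes without applying them:
#   Set-OnGuardServicesForUpgrade -Role Regional -WhatIf
```

Keep the CSV written to the state path; it is the record of which services were automatic before the upgrade and must be set back afterwards.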

Back Up All Databases


1. Back up every database before proceeding, and verify the integrity of the backup. Refer to
“Database Backup and Restoration” in the Installation Guide for more information.
Be sure that everyone is off the system. It is especially important that no cardholder operations are
taking place.

Upgrade the Operating System


Upgrade the operating system on the Global and Regional Servers. To run OnGuard 8.2 Enterprise,
the latest approved Windows service pack and Windows updates (see release notes) are required!
Refer to the release notes for the versions of Windows that are supported. The release notes are
located on the root directory of the OnGuard 8.2 Enterprise installation media.

Upgrade All Databases


On the Global and Regional Servers, upgrade all databases to a supported version of SQL Server with
the latest supported service pack as indicated in the release notes.

Upgrade the OnGuard Software and Databases

IMPORTANT: When upgrading to OnGuard 7.6 and later, after Setup Assistant runs
on the Global Server and on the Regional Server, you must perform hardware
replication on each Regional Server. Setup Assistant modifies the LS Message
Broker settings, which must be replicated throughout the enterprise. If you do
not complete this replication successfully and in the proper sequence, critical
OnGuard functions will fail. For more information, refer to Proper Sequence
for Upgrading an Enterprise System on page 106.

Notes: In order to run OnGuard 8.2 Enterprise, the latest approved Windows service pack and
Windows updates (see release notes) are required.
Your upgrade procedure might vary slightly depending on what build of OnGuard you
have installed.
The cardholder, visitor and asset forms have been expanded and improved to
accommodate simplified localization, improved readability and expanded contents on
each tab. If you have a custom form, you may need to make some cosmetic adjustments
to your forms using FormsDesigner after upgrading to take advantage of the new
expansion. Note that the horizontal divider bar can now be slightly lowered in
FormsDesigner to make more room for controls that are viewable on all pages.
If you are using any custom .dll files you must back these up prior to upgrading the
OnGuard software. Back up the custom .dll files now.

Perform the following procedures first on the Global Server, then on all Regional Servers, and finally
on all Mobile Stations:
1. Install (upgrade) to the latest OnGuard build.
2. Install the software license.
3. Run Database Setup.
Refer to the detailed instructions that follow.

Proper Sequence for Upgrading an Enterprise System


The best way to explain the proper sequence for upgrading an Enterprise system is with an example.
Consider a system configured like this:

Global

Region 1 Region 2

Region 3 Region 4

The proper sequence for upgrading this system is shown below:


1. Upgrade the Global.
2. Upgrade Region 1.


3. Open Replicator on Region 1, run Hardware Transfer, then restart the appropriate OnGuard
services on the region you’re working on and all upstream nodes. Refer to the notes below for
more information on restarting OnGuard services.
4. Upgrade Region 3.
5. Open Replicator on Region 3 and run Hardware Transfer, open Replicator and run Hardware
Transfer on Region 1, then restart the appropriate OnGuard services on the region you’re
working on and all upstream nodes. Refer to the notes below for more information on restarting
OnGuard services.
6. Upgrade Region 4.
7. Open Replicator on Region 4 and run Hardware Transfer, open Replicator and run Hardware
Transfer on Region 1, then restart the appropriate OnGuard services on the region you’re
working on and all upstream nodes. Refer to the notes below for more information on restarting
OnGuard services.
8. Upgrade Region 2.
9. Open Replicator on Region 2 and run Hardware Transfer, then restart the appropriate OnGuard
services on the region you’re working on and all upstream nodes. Refer to the notes below for
more information on restarting OnGuard services.

Notes: Regions in different branches will automatically synchronize using the normal
replication schedule.
You must restart the required OnGuard services on the Global and all regions after
replication completes:
• In all instances, you must restart the LS Site Publication Server on the region and
all upstream nodes.
• If your Enterprise system uses Multi-Region Alarm Monitoring: You must also
restart the following services on the region and all upstream nodes: LS
Communication Server, LS DataConduIT Service, LS Linkage Server, and LS
OpenAccess. You must also restart all Alarm Monitoring applications on the region
and all upstream nodes.
10. If upgrading from OnGuard 8.0 or earlier to OnGuard 8.1 or later, you must also synchronize the
Login Driver connection after the upgrade is complete:
a. On each Region server, the administrator must log into Replication Administration.
b. Right-click on the region in the System Tree, then select Synchronize Login Driver
Connection.
c. Provide credentials to the highlighted ODBC connection. The connection information will
re-synchronize.
d. You might also be asked to provide credentials for additional enterprise nodes. Proceed until
all regions are synchronized.

Manually Update SQL Server Data Sources to use ODBC Driver for SQL
Server
This is an optional step that only needs to be performed if you did not automatically update the data
sources at the end of the OnGuard upgrade. To manually update the SQL Server data sources you
need to delete the data sources and re-add them using the ODBC Driver for SQL Server. To do this:
1. In the Administrative Tools section of Control Panel, open Data Sources (ODBC).
2. On the User DSN, System DSN, or File DSN tab select any SQL Server data source used by
OnGuard and click [Configure].


3. Make note of the name, description, and server configurations of the data source. Click [Cancel].
4. Delete the data source by selecting it and clicking [Remove].
5. Click [Add]. The Create New Data Source window opens.
6. Select the ODBC Driver for SQL Server and click [Finish].
7. Enter the name, description, and server as it was entered in the data source you deleted and that
you made note of in step 3. The name must be entered exactly as it was or the data source will not
work properly. Click [Next].
8. Finish entering the configurations for the data source. When complete, click [Finish].
9. A summary of the data source will appear. Click [OK] to complete the creation of the data
source.
10. Repeat steps 1-9 for each SQL Server data source used by OnGuard on the User DSN, System
DSN, and File DSN tabs.

Start Replication on All Regional Servers


1. Verify that the Global Server and all Regional Servers have the same database version.
2. Verify that the LS Site Publication Server service is running on the Global Server.
3. Configure the LS Replicator and LS Site Publication Server services to start automatically on all
Regional Servers. For more information, refer to Run Replication as a Windows Service in the
Replicator User Guide.
4. Start Replicator on all Regional Servers.
For more information, refer to “Using OnGuard on Supported Operating Systems” in the
Installation Guide.

Confirm that Replication is Working


Test the functionality and confirm that replication is working in Replication Administration. You can
confirm that replication is in place by simply adding a dummy access panel at each Regional Server
(mark it offline) and then wait for replication to move the bogus panel up to the Global. Once you
have confirmed that the bogus panel appears on the Global Server, you may delete it from the
Regional Server (which will automatically remove it from the Global during replication).
Test a cardholder as well. Do this by adding a dummy cardholder at each Regional Server and then
wait for replication to move the bogus cardholder up to the Global. Once you have confirmed that the
bogus cardholder appears on the Global Server, you may delete it from the Regional Server (which
will automatically remove it from the Global during replication).

Perform a Full Download


Perform a full download if upgrading a region from an OnGuard release before version 6.0 to
version 6.0 or later. Otherwise a full download is not required. For more information on performing a
full download see the Replicator User Guide.

Run the Universal Time Conversion Utility


For more information, refer to Appendix F: Universal Time Conversion Utility on page 131.



Enterprise System Administration
CHAPTER 12 Enterprise System Administration

Scheduling Issues for an Enterprise System


OnGuard Enterprise is a powerful system that allows for distributed access control management in
many different Regional Servers, including Regional Servers located around the world. There are
several automated tasks involving the Regional Servers and the Enterprise Global Server that must be
scheduled with care in order to provide the desired functionality with appropriate load balancing. The
main scheduled tasks of concern are:
1. The Replicator application upload and download tasks.
The Replicator application provides the distribution of Enterprise information (such as hardware
events) throughout all Regional Servers and the Global. These tasks are run on the Regional
Server.
2. Backup of the servers.
It is imperative that the SQL Server database on all servers be backed up on a regular basis to be
used for disaster recovery. Backup must be run on both the Global and all Regional Servers.

WARNING! Do not restore any Global, Regional Server, or Distributed ID database.
This will likely corrupt the entire multiple server Enterprise due to the
interaction between each database. Do not restore any database without first
contacting LenelS2 OnGuard Technical Support.
The administrator of the system must decide how often and at which time(s) each of these tasks are
performed. Some general points to keep in mind when making these decisions are:

Backups should be done on a server when there is minimal activity on the database. Running a
backup on a database can significantly decrease the performance of applications attached to the
database. Therefore, backups on a server should not be scheduled to run at the same time as another
task is running or during normal or peak activity. A backup on a Regional Server should not be
scheduled to conflict with the replication task nor during normal business hours. Ideally, the backup
of the Global database should not conflict with any of the Regional Servers’ replication tasks.
Implementing an Enterprise system of OnGuard requires careful planning of how these tasks will be
scheduled on all Regional Servers throughout the system. The administrators of the system should be
aware of these issues and the overall scheduling strategy of your organization. A planned schedule
must be drawn up based on estimates of how long each task will take, bearing in mind that network
bandwidth may vary from Server to Server so that task duration will vary in kind. These estimates
must then be verified on a regular basis against the live system to ensure reasonable accuracy.
A well-balanced schedule does not have multiple scheduled tasks that involve the Global database
occur simultaneously. This results in the best performance for the task. Most importantly, there are no
tasks scheduled that occur while the Global database is being backed up.

Note: The main impediment to performance on Regional Servers or the Global Server is the
database backup. This is the only task that ideally should be run when no or very little
activity is happening on the database.

Important Administrative Tasks for an Enterprise System


Compared to the rich features provided by an Enterprise system of OnGuard, the administrative tasks
are relatively simple. However, it is imperative that these tasks be done on a regular basis as
documented here to ensure the ongoing robustness and smooth operation of the system.

Administrative Tasks for All Servers


1. Configure alert thresholds for the Global Server and Regional Servers, and configure the email or
page recipients for the alerts. For more information, refer to System Alert Configuration Form in
the Replication Administration User Guide.
2. Check the results of backups. The results of your backup process should be verified on a daily
basis to ensure there is a current backup to use for disaster recovery.
3. Check the Integrity of SQL Server database(s). On at least a weekly basis, basic maintenance of
the SQL Server database(s) should be performed:
• Using the SQL Server Enterprise Manager, expand the Regional Server’s database by
clicking the “+” next to its name in the Server Manager tree.
• Expand the databases.
• Right-click on the <ServerName>Lenel database, and then select New Query.
• In the query editor type the following command:
dbcc checkdb
• Press <F5> to execute the query.
• You will see various outputs in the Messages display; search for any reported errors. For
more information on the dbcc command, see SQL Server Books Online.
4. Check the size of the SQL Server database(s). On at least a weekly basis, the size of the database
should be monitored:
• Using the SQL Server Enterprise Manager, expand the Regional Server’s server by clicking
the “+” next to its name in the Server Manager tree.
• Expand the databases and select the <ServerName>Lenel database. Information about the
database is displayed at the right of the tree list.
• Click on the Space Allocated hotlink menu item at the top of the right window containing
database information.
• Verify that both the database and the transaction logs are not growing to unusual sizes. If
these values are growing larger than you expect, this might indicate that replication is
failing, or some other serious problem might be occurring.


Note: The size of the log files can also be viewed on the Enterprise System Diagnostic Tool
form in Replication Administration, which is displayed by selecting the Enterprise
System Diagnostic Tool option from the Administration menu.
• If the <ServerName>Lenel database is getting full, this is probably just an indication that
you are storing a large number of events. This should be verified. If the Transaction Log
Space is getting full, the “Truncate Log on Checkpoint” option might not be turned on, or the
LogReader agent might be failing (Regional Servers only).
On a Regional Server, repeat the above steps for the “distribution” database. If the
“distribution” database is getting full, the database might not be big enough for your system
OR the replication Push Agent might be failing.
5. Maintenance of failed replication transactions. On a Regional Server, all cardholder, asset, and
visitor changes generate a transaction that is later uploaded to the Global database. On the Global
database, cardholder, asset, and visitor transactions are stored for every Regional Server for
download. After these transactions are processed by a Regional Server’s replication services,
they are marked as either Successful or Failed. System administrators must determine why any
Failed transactions have failed and periodically purge “Successful” transactions to clear space in the table.
For more information, refer to Additional Administrative Tasks for Regional Servers on
page 113. To view and manage a cardholder:
a. Run the Replication Administration program and log into the desired database.
b. Beneath Global in the Enterprise Tree, click Enterprise Transactions.
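
The weekly checks in steps 3 and 4 above can also be scripted. The following PowerShell is an added example, not part of the OnGuard documentation or product. It assumes the SqlServer module (Invoke-Sqlcmd) is installed; the parameter names, the 80 percent log threshold and the CSV history file are assumptions of this example.

```powershell
#Requires -Modules SqlServer
param(
    [Parameter(Mandatory)] [string] $ServerInstance,  # SQL Server instance hosting the database
    [Parameter(Mandatory)] [string] $Database,         # the <ServerName>Lenel database from steps 3 and 4
    [switch] $RegionalServer,                          # also size-check the "distribution" database
    [double] $LogUsedWarnPercent = 80,                 # assumed threshold, tune per site
    [string] $HistoryCsv = '.\onguard-db-size.csv'     # assumed trend file, one row per file per run
)

function Test-DatabaseIntegrity {
    param([string] $Name)
    # Same command as step 3, run in the context of the target database.
    # TABLERESULTS returns findings as rows and NO_INFOMSGS drops informational
    # rows, so any row with Level above 10 is an error to investigate.
    $rows = @(Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Name `
        -Query 'DBCC CHECKDB WITH NO_INFOMSGS, TABLERESULTS;' -ErrorAction Stop)
    $rows | Where-Object { $_.Level -gt 10 } | Select-Object Error, Level, State, MessageText
}

function Get-DatabaseFileSize {
    param([string] $Name)
    # sys.database_files reports size in 8 KB pages; convert to MB.
    $query = 'SELECT name AS LogicalName, type_desc AS FileType, ' +
             'CAST(size AS bigint) * 8 / 1024 AS SizeMB FROM sys.database_files;'
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Name -Query $query -ErrorAction Stop |
        Select-Object @{ n = 'Database'; e = { $Name } }, LogicalName, FileType, SizeMB
}

function Get-LogSpaceUsage {
    param([string[]] $Names)
    # DBCC SQLPERF(LOGSPACE) lists every database with its log size and percent used.
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master `
        -Query 'DBCC SQLPERF(LOGSPACE);' -ErrorAction Stop |
        Where-Object { $Names -contains $_.'Database Name' } |
        Select-Object @{ n = 'Database';       e = { $_.'Database Name' } },
                      @{ n = 'LogSizeMB';      e = { [math]::Round($_.'Log Size (MB)', 1) } },
                      @{ n = 'LogUsedPercent'; e = { [math]::Round($_.'Log Space Used (%)', 1) } }
}

$targets = @($Database)
if ($RegionalServer) { $targets += 'distribution' }
$problems = 0

# Step 3: integrity check of the OnGuard database.
$integrityErrors = @(Test-DatabaseIntegrity -Name $Database)
if ($integrityErrors.Count -gt 0) {
    $problems++
    Write-Warning "DBCC CHECKDB reported $($integrityErrors.Count) error(s) in $Database"
    $integrityErrors | Format-List
}

# Step 4: record file sizes so week-to-week growth can be compared.
$stamp = Get-Date -Format 's'
$sizes = foreach ($db in $targets) { Get-DatabaseFileSize -Name $db }
$sizes | Select-Object @{ n = 'Timestamp'; e = { $stamp } }, * |
    Export-Csv -Path $HistoryCsv -Append -NoTypeInformation
$sizes | Format-Table -AutoSize

# Step 4: a transaction log that keeps filling can point to failing replication.
foreach ($log in Get-LogSpaceUsage -Names $targets) {
    if ($log.LogUsedPercent -ge $LogUsedWarnPercent) {
        $problems++
        Write-Warning "$($log.Database): log is $($log.LogUsedPercent)% full ($($log.LogSizeMB) MB)"
    }
}

if ($problems -gt 0) { exit 1 }
Write-Output 'Integrity and log space checks passed.'
```

Run it from a scheduled task outside the backup and replication windows; a non-zero exit code means the integrity check or the log threshold needs attention.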

Additional Administrative Tasks for Regional Servers


1. On a daily basis, check the results of replication execution on the Regional Servers.
a. Run the Replication Administration program.
b. Select the desired Regional Server in the Enterprise Tree, and then click Enterprise
Transactions under Available Views.
c. The Enterprise Transactions form opens. This screen provides various tools to view, filter,
and sort transactions. Be sure to look for failed transactions and determine the cause of the
failure.
d. Once you have addressed the failure, retry the transaction so that it becomes a “To do”
transaction and gets processed the next time replication runs.

• WARNING! • It is imperative that this task be done on a daily basis. If this task is neglected
for even a week, failed transactions could build up and cause the Enterprise
system’s performance to deteriorate.

Note: If you notice old transactions in <To do - Awaiting Processing> status while there are
later transactions that processed successfully, retry the <To do - Awaiting Processing>
transactions. Refer to the “Retry Transactions” section in the Replication
Administration User Guide for more information.
2. Check the results of replication execution on the Global Server. On a daily basis, the results of
any replication runs should be verified. Perform the steps described in step 1 on the Global
Server as well, checking for failed Cardholder and Asset transactions.
Details about transactions downloaded to Regional Servers can be viewed by logging into the
Global database and following the procedure described in step 1.
3. On Regional Servers you should also check to make sure Hardware as well as log-related data
(for example, events) are being processed.


a. Run the Replication Administration program and log into the Regional Server’s database.
b. Select the Regional Server in the Enterprise Tree, and then click Hardware Transactions in
Available Views.
• Make sure the timestamp of the next transaction for the Log Record Transaction is not
unusually old.
• Make sure the timestamp of the next transaction for the Hardware is not much older
than the last time the Replicator application executed the “Upload Events, User” task.
(This date is usually about the same as or after the date the Replicator application last
executed. You can check the last time the Replicator application executed the task by
selecting the Replicator Schedule tab.)
c. Select the Regional Server in the Enterprise Tree, and then click Log Transactions in
Available Views.
• Check the Failed log transactions listing window for failed transactions, determine why
the transactions failed, and then click [Retry Failed] so that the LS Site Publication
Server can try those transactions again.
4. If you need information or details about what has occurred during Enterprise operations, you can
view the information in the following four text file logs:

Note: These log files are used by the Replicator application and LS Replicator service. The LS
Site Publication Server service does not use these log files.

Log name                Description

Replicator.log          General operations for the entire process
ReplicatorSys.log       System download
ReplicatorUpDown.log    Incremental upload and download of Cardholder and Asset transactions

5. When everything is running correctly, the above log files will continue to grow without limit.
Purge these files periodically to prevent them from occupying too much space on your
hard drive. After the files have been purged, they will automatically be recreated.



CHAPTER 13 Enterprise Maintenance Procedures

Global Server Maintenance

Daily
• Perform routine backups of databases
• Monitor disk and database utilization
• Monitor CPU and bandwidth utilization
• Repair and maintain all failed transactions in a timely manner

Monthly
• Perform routine event archive and backup of events
• Perform routine database maintenance (for example, SQL Database Maintenance Plan)
• Check all text file log sizes under the installation directory logs folder and purge as necessary

Regional Server Maintenance

Daily
• Perform routine backups of databases
• Monitor disk and database utilization
• Monitor CPU and bandwidth utilization
• Monitor replication
– Use Replication Administration’s System Diagnostic Tool as a way of spotting count and
timing abnormalities
– Under Replication Schedule, check the start, end, and next start times to make sure that
Replicator is running normally


– Under Hardware, check to make sure that the hardware, user, and event data are being updated
every time Replicator runs
– Under Enterprise, check all failed transactions and make sure that the To-Do’s are being
replicated
– Repair and maintain all failed transactions in a timely manner

Monthly
• Perform routine event archive and backup of events
• Perform routine database maintenance (for example, SQL Database Maintenance Plan)
• Purge completed transactions
• Check all text file log sizes under the installation directory logs folder and purge as necessary



Appendices
APPENDIX A Configuration Editor

OnGuard database connection and License Server configuration information is stored in two files:
• ACS.INI
• application.config
The Configuration Editor provides a user interface that makes configuration and maintenance of these
files fast and easy.

IMPORTANT: If the Reporting and Dashboards feature is installed on the server, the
Configuration Editor uses the information contained in the ACS.INI and
application.config files to configure the contents of the
C:\Program Files\JReport\Server\bin\dbconfig.xml file. Editing the ACS.INI or
application.config files manually is not advised. If you manually edit these
files instead of using the Configuration Editor, the dbconfig.xml file might not
be configured correctly, resulting in unexpected system behavior.
The stand-alone Configuration Editor application also provides advanced functions, such as Windows
authentication, verbose logging, and browser-based client reporting configuration.
The Setup Assistant contains a Configuration Editor module that provides database and License
Server connection information, but does not allow the advanced configuration options found in the
stand-alone application.

When Configuration Editor Identifies an Issue


There are three situations in which the Configuration Editor will identify an issue that must be
resolved:
• The database and license configuration is not consistent between the application.config and
ACS.INI files (stand-alone version of Configuration Editor and Setup Assistant module)
• Setup Assistant cannot locate the database (Setup Assistant module only)
• Setup Assistant cannot locate the License Server (Setup Assistant module only)


The ACS.INI and application.config files must always point to the Live database, not the Archival
database. For more information, refer to the Archives Folder chapter in the System Administration
User Guide.

Launching the Configuration Editor Stand-alone Application


Launch the OnGuard Configuration Editor.

Notes: To use the Configuration Editor, you must have write access to the registry, ACS.INI
file, application.config file, and the Lnl.OG.WebService directory. If you installed the
optional Application Server and do not have this level of access, the Configuration
Editor identifies which files or directory require this access change.
The ACS.INI file is located in the C:\Windows\ directory.
The application.config file is located in the
C:\Users\<user name>OnGuard\CommonAppData\Lnl\ directory.
For Windows 11 and later, the application.config file is located in the
C:\Program Data\Lnl directory. By default, the Program Data directory is hidden in Windows.
The Lnl.OG.WebService directory is located in the C:\Inetpub\wwwroot\ directory.
The Configuration Editor application opens, and then checks the configuration of the ACS.INI and
application.config files. If there is a configuration issue, the Configuration Editor highlights the
discrepancy.

Standard Fields and Buttons


The following sections describe the standard Configuration Editor fields and buttons.

Save Changes
Click [Save Changes] to save and synchronize your changes across the affected OnGuard
configuration files.

Note: [Save Changes] only becomes active after the user completes all of the Database and
License information, and provides a valid DSN name.

Revert
Click [Revert] to return your changes to their previous values.

Show advanced settings


Select Show advanced settings to show the advanced sections of the Configuration Editor
user interface. For more information, refer to Advanced Settings Fields and Buttons on
page 121.

Database section

Database type
Identifies if the database type is SQL Server or Oracle. This information is view only.


DSN name
The Lenel Data Source Name, as defined in the ODBC configuration.

Server name
The name of the server hosting the database.

Database name
The name of the database (default for a SQL Server database is AccessControl).

License Server section

Server name
The name of the server hosting the License Server.

Server port
The port the server is using to host the License Server.

Advanced Settings Fields and Buttons


The following sections describe the advanced Configuration Editor fields and buttons.

Advanced Database section

Windows authentication
When selected, the application.config uses the user’s Windows user name and password when
connecting to the database. This check box is selected by default.
When deselected, the Configuration Editor provides the User name and Password fields into
which you can enter the credential information required when connecting to the database.
Select Show password if you want the password to be readable within the Configuration
Editor user interface.

Notes: When the Windows authentication check box is deselected, the credential information
is saved as plain text in the application.config file. Make sure the application.config file
is secured. For more information, refer to Provide Credentials in the Protected File on
page 70.
The ACS.INI file requires the LS Login Driver, and requires this credential
information.
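
One way to check that the configuration files are secured, as the note above asks, is to list any broad group that can read or write them. The following PowerShell is an added example, not part of the OnGuard documentation or product; the `-Path` parameter, the list of groups treated as broad and the function name are assumptions of this example.

```powershell
param(
    # Full paths of application.config and ACS.INI on this machine. Their locations are
    # listed in the Configuration Editor notes; pass the ones that apply to this system.
    [Parameter(Mandatory)] [string[]] $Path
)

# Well-known SIDs of groups that cover most or all users (assumed definition of "broad").
$BroadPrincipals = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-7'      = 'Anonymous Logon'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-32-546' = 'BUILTIN\Guests'
}

$fsr = [System.Security.AccessControl.FileSystemRights]
$GenericRead  = [int]::MinValue   # bit pattern 0x80000000 (GENERIC_READ)
$GenericWrite = 0x40000000        # GENERIC_WRITE
$GenericAll   = 0x10000000        # GENERIC_ALL
# Reading the file exposes a plain-text password; writing it changes where clients connect.
$ReadBits  = [int]$fsr::ReadData -bor $GenericRead -bor $GenericAll
$WriteBits = [int]($fsr::WriteData -bor $fsr::AppendData -bor $fsr::Delete -bor
                   $fsr::ChangePermissions -bor $fsr::TakeOwnership) -bor
             $GenericWrite -bor $GenericAll

function Get-BroadFileAccess {
    param([string] $FilePath)
    $acl = Get-Acl -LiteralPath $FilePath -ErrorAction Stop
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Explicit and inherited entries, identities resolved to SIDs so the check
    # does not depend on the display language of the operating system.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        # Only Allow entries are reported; Deny entries are not evaluated here.
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $sid = $rule.IdentityReference.Value
        $who = $BroadPrincipals[$sid]
        if (-not $who -and $sid -match '^S-1-5-21-.+-513$') { $who = 'Domain Users' }
        if (-not $who) { continue }
        $mask     = [int]$rule.FileSystemRights
        $canRead  = ($mask -band $ReadBits)  -ne 0
        $canWrite = ($mask -band $WriteBits) -ne 0
        if ($canRead -or $canWrite) {
            [pscustomobject]@{
                File      = $FilePath
                Principal = $who
                Sid       = $sid
                Read      = $canRead
                Write     = $canWrite
                Inherited = $rule.IsInherited
            }
        }
    }
}

$findings = foreach ($p in $Path) {
    if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
        Write-Warning "Not found: $p"
        continue
    }
    Get-BroadFileAccess -FilePath $p
}

if ($findings) {
    $findings | Format-Table -AutoSize
    exit 1
}
Write-Output 'No broad read or write access found on the supplied files.'
```

An entry with Inherited set to True has to be corrected on the parent directory, or by disabling inheritance on the file, rather than on the file's own entries.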

Advanced Verbose Logging section


Use the following check boxes to enable enhanced logging when troubleshooting OnGuard issues.

Setup Assistant
Enables verbose logging for Setup Assistant. Selecting this check box automatically selects
the Form Translator and Database Setup check boxes because they are also Setup Assistant
modules.


Form Translator
Enables verbose logging for Form Translator.

Database Setup
Enables verbose logging for Database Setup. This check box is only available if Database
Setup is installed.

LS DataConduIT Service
Enables verbose logging for DataConduIT. You must restart the LS DataConduIT service after
selecting this check box. This check box is only available if DataConduIT is installed.

LS Site Publication Server


Enables verbose logging for the Site Publication Server. You must restart the LS Site
Publication Server service after selecting this check box. This check box is only available if
the Site Publication Server is installed.

LS OpenAccess
Enables verbose logging for OpenAccess.

Fixing Synchronization Issues


If the Configuration Editor detects a synchronization issue between the application.config and
ACS.INI files, it highlights the issue.
1. Use the Correct file drop-down menu to select which file is correct.
2. If necessary, click [Select] to select the correct DSN name.
3. Click [Save Changes] to synchronize the application.config and ACS.INI files.



APPENDIX B Custom Installation of OnGuard

Performing a custom installation allows you to install as few or as many OnGuard features and
applications as you wish.

Performing a Custom Installation

First Time and Existing OnGuard Installation


1. Begin installing the OnGuard software.
2. During the installation you are prompted to choose the system type. Select Custom Install.
3. You will be prompted with the custom setup screen. Choose which features to install.
4. Continue with the installation by following the installation steps.

Application Server
Installations requiring Application Server support must use the Custom Install option to select that
feature.
Additional steps are required for the configuration of the Application Server. For more information,
refer to Appendix G: Configuring the Application Server on page 111.

Device Discovery Console


This feature enables the discovery and maintenance of devices on a network or system.



APPENDIX C Configuring the Communication Server

The OnGuard Communication Server program, which was installed if you chose the Communication
Server installation component, is the software driver for the access panels. The Communication
Server controls all access panels on a workstation.
The Communication Server can be run as either a program or as a service, but not as both (see
Warning #2 that follows). Running it as a program means that you will manually start the driver
whenever you need it. Running it as a service means that the driver will be started whenever you start
Windows.
There are two ways that the Communication Server can be run on a server running Windows:
To run the Communication Server as a regular application in Windows:
1. Launch the Communication Server.
For more information, refer to “Using OnGuard on Supported Operating Systems” in the
Installation Guide.
2. The Communication Server will start. There is no visual indication that the Communication
Server is running, but the Lnlcomsrvr.exe process will be listed in the Task Manager on the
Processes tab.
To run the Communication Server as a service:
1. In Windows, open the Control Panel.
For more information, refer to “Using OnGuard on Supported Operating Systems” in the
Installation Guide.
2. In the Control Panel window, double-click on Administrative Tools.
3. In the Administrative Tools window, double-click on Component Services.
4. In the Services listing window, select the LS Communication Server entry.
5. Right-click on the LS Communication Server entry and select the Properties option from the
right-click menu.
6. On the General tab in the Startup type drop-down list, select Automatic.
7. Click [Start].
8. Click [OK].

• WARNING! • Running the Communication Server as a Windows service has some
advantages in that the service is started automatically upon computer boot-up.
For the Communication Server, there MUST be a SYSTEM DSN named
LENEL that points to the access control database. This should occur
automatically during OnGuard installation. If for some reason it doesn’t, an
error message will be displayed. WITHOUT A LENEL SYSTEM DSN, THE
SERVICE WILL NOT BE ABLE TO USE THE DATABASE. THIS MEANS
THAT THE ACCESS CONTROL SERVER WILL NOT BE ABLE TO
PERFORM A FULL DATABASE DOWNLOAD TO THE ACCESS PANELS
IN THE EVENT OF A POWER OR ACCESS PANEL FAILURE.
The Communication Server can be run only as a service OR a program, but not as both
simultaneously. If you are running the Communication Server as a Windows service, DO NOT also
run it as a program. If you are running the Communication Server as a Windows service, you can run
it as a program temporarily by first stopping the service: highlight the “LS Communication Server”
entry in the Services window and click [Stop].
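
Both warnings above can be verified from a PowerShell prompt on the Communication Server host. The following is an added example, not part of the OnGuard documentation or product; it uses the service display name, process name and DSN name given in this appendix, and the function name and the wording of the findings are assumptions of this example.

```powershell
$ServiceDisplayName = 'LS Communication Server'  # entry shown in the Services window
$ProcessName        = 'Lnlcomsrvr'               # Lnlcomsrvr.exe without the extension
$DsnName            = 'LENEL'                    # required SYSTEM DSN

function Test-CommunicationServer {
    $findings = @()

    # Warning 1: a SYSTEM DSN named LENEL must exist, otherwise the service cannot use
    # the database and cannot perform a full download to the access panels.
    $dsn = @(Get-OdbcDsn -Name $DsnName -DsnType System -Platform All -ErrorAction SilentlyContinue)
    if ($dsn.Count -eq 0) {
        $findings += "No SYSTEM DSN named $DsnName was found."
    }

    # Warning 2: the Communication Server must not run as a service and a program at once.
    $svc   = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='$ServiceDisplayName'"
    $procs = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)

    $servicePid = 0
    if ($svc -and $svc.State -eq 'Running') { $servicePid = [int]$svc.ProcessId }

    # Any Lnlcomsrvr process that is not the service's own process was started as a program.
    $programInstances = @($procs | Where-Object { $_.Id -ne $servicePid })

    if ($servicePid -ne 0 -and $programInstances.Count -gt 0) {
        $ids = ($programInstances | ForEach-Object { $_.Id }) -join ', '
        $findings += "Service is running (PID $servicePid) and $ProcessName also runs as a program (PID $ids)."
    }
    elseif ($programInstances.Count -gt 1) {
        $findings += "More than one $ProcessName process is running as a program."
    }

    if (-not $svc) {
        $findings += "Service '$ServiceDisplayName' is not registered on this machine."
    }
    elseif ($svc.State -eq 'Running' -and $svc.StartMode -ne 'Auto') {
        $findings += "Service is running but its startup type is $($svc.StartMode), not Automatic."
    }

    [pscustomobject]@{
        DsnFound         = $dsn.Count -gt 0
        DsnPlatform      = ($dsn | ForEach-Object { $_.Platform }) -join ', '
        ServiceState     = if ($svc) { $svc.State } else { 'NotInstalled' }
        ServiceStartMode = if ($svc) { $svc.StartMode } else { $null }
        ProcessCount     = $procs.Count
        Findings         = $findings
    }
}

$report = Test-CommunicationServer
$report | Format-List
if ($report.Findings.Count -gt 0) { exit 1 }
```

The check only confirms that the DSN exists; whether it points to the access control database still has to be confirmed in the ODBC configuration.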



APPENDIX D The License Server

The License Server has two main functions: it eliminates the hardware dongle on all client computers
and it allows for concurrent licensing of the OnGuard software. The License Server is installed only
on the server, not on client machines.
A hardware dongle is only needed on the server. Each client computer running OnGuard uses a
software license instead of a hardware dongle.
Concurrent licensing allows you more flexibility of where OnGuard applications are run. Each
OnGuard application has a separate concurrent license count. The software license is based on the
number of computers you wish to run each separate OnGuard application at the same time. For
example, a ten-user concurrent license for Alarm Monitoring will allow Alarm Monitoring to run on
ten computers at the same time, although Alarm Monitoring may be installed on more than ten
computers.

IMPORTANT: The License Server must be run under an administrator account. It must be
running whenever any OnGuard applications are running, as well as when you
wish to use the License Administration web application. If the License Server
is not running, OnGuard applications and the License Administration
application will not run.
There are two ways that the License Server can run on a Windows server: as a regular application, or
as a Windows service.
• The License Server is installed as a service by default when the OnGuard applications are
installed on a server running Windows. The License Server automatically starts when the server
is running.
• The License Server can also run as a regular application. This means that the License Server
must be started on the server manually, as you would any other application.

ACS.INI Settings Related to the License Server


Entries for the Host and Port are automatically entered into the ACS.INI file when OnGuard is
installed. You should not open the ACS.INI file to adjust these settings. However, if you change the
computer that the License Server is running on, you might need to change the Host and/or Port
settings. For more information, refer to Appendix A: Configuration Editor on page 119.

License Server Procedures

Running the License Server from the Command Line


1. In Windows, open a Command Prompt.
For more information, refer to “Using OnGuard on Supported Operating Systems” in the
Installation Guide.
2. Change to the directory that contains the License Server executable. This is the directory where
you installed OnGuard, which is C:\Program Files\OnGuard by default.
3. Run the command LicenseServer -interactive. This will start the License Server.
4. To stop the License Server, press <CTRL>+<C>.

Running the License Server in Windows


1. Start the License Server.
For more information, refer to “Using OnGuard on Supported Operating Systems” in the
Installation Guide.
2. The License Server starts. There is no visual indication that the License Server is running, but the
LicenseServer.exe process will be listed in the Task Manager on the Processes tab.

Determining if the License Server is Running


1. In Windows, hold down <Ctrl>+<Alt>+<Delete> so that they are all pressed at the same time.
2. The Windows Security window will open. Click [Task Manager…].
3. The Windows Task Manager window will open.
4. Click the Processes tab.
5. If the LicenseServer.exe process is listed in the window, then the License Server is running. If
LicenseServer.exe is not listed, then it is not running.



APPENDIX E Multi-Region Alarm Monitoring

Multi-Region Alarm monitoring in OnGuard 8.2 Enterprise allows for full hardware control and
event monitoring under a single instance of alarm monitoring. See the diagram and accompanying
text below for further explanation.

              Region A (Parent)
             /                 \
  Region B (Child)         Region C (Child)

To monitor hardware and events from both Region B and Region C, you would log into the parent
Region for both (Region A). This process is the same for any number of levels; the login is to the
mutual parent of all of the Regions that you wish to monitor.
Since the Global Server can now host hardware, logging into the Global Server will now allow you to
monitor all Regions within a single Alarm Monitoring instance. The old “Multi-Region Alarm
Monitoring” option allowed multiple instances of Alarm Monitoring to be run on a single computer.
This feature will still exist for those who want to use this method of monitoring multiple connections
but the name has been updated to better reflect functionality.
Additional useful notes:


• ODBC connections between all points are not required.


• Name resolution to all communication servers utilized in the Regional Server(s) you wish to
monitor is required. This should exist by default, provided the system is within a single domain.
– If branches of hardware are appearing offline, name resolution to that hardware’s
communication(s) server would be the first troubleshooting step.
– If you lose connectivity to the communication server once an alarm is received, you will not
be able to acknowledge it until the communication is restored.
• Alarm Replication
– Default alarms do not replicate.
– User defined (“custom”) default alarms (no specific hardware defined) are not replicated
throughout the Enterprise. For example, “Door Forced Open” customized with a priority of
60 will not replicate.
– Device specific custom alarms (associated with hardware) are replicated throughout the
Enterprise. For example, “Door Forced Open AT THE FRONT DOOR” with a priority of
255 will replicate.
• Alarm Acknowledgment Actions configured for a Region will trigger at that Region, regardless
of where the alarm is acknowledged.
– For example, configure “Door Forced Open at the front door” to activate a siren at the door.
Even if this alarm is acknowledged at a different Region, the siren at the correct door will
activate.
– The icon indicating associated Alarm Acknowledgment Actions has been removed due to
system performance considerations.
– During the acknowledgment process, the user will still receive a pop up notification of what
actions will occur prior to acknowledgment.
• Monitor Zones will replicate bi-directionally throughout the entire Enterprise
– Monitor Zones can only be edited on the ‘owning’ Region and its parent. The logged in user
must also have the necessary segment permissions to edit the monitoring zone.
– To create a Monitor Zone that includes devices from multiple Regions, log into the mutual
parent server to create the zone.
– If you log into a Monitor Zone at a lower level than where it was created, you will only see
hardware in the Monitor Zone contained at that level and down.
For example:
  • A Monitor Zone is created at Region A which includes hardware from Regions A, B, and C.
  • The Monitor Zone replicates to all Regions.
  • If you log into the Monitor Zone at Region C, you will only see hardware in the Zone for
    Region C. If Region C has children whose devices were also included in the Monitor Zone,
    you would also see those.
In conclusion, when you log into a Monitor Zone, you only see hardware that your Regional
Server is aware of. Since hardware does not replicate “down”, you would never see hardware
from a level above yours or from a Regional Server which would need to replicate to you through
a top-level server.
• Video associations and viewing do not change; they are based on hardware permission rights.



APPENDIX F Universal Time Conversion Utility

Note: The purpose of the Universal Time Conversion (UTC) Utility is to collect non-UTC
dates and times that are contained in reports and convert them to use the new standard
UTC time. If necessary, Setup Assistant notifies users to run the Universal Time
Conversion Utility when upgrading their server.
Before running the Universal Time Conversion Utility you should create a backup of your database.
For more information, refer to Chapter 4: Database Backup and Restoration in the Upgrade Guide.

IMPORTANT: Due to limitations regarding data collected during Daylight Saving Time, the
Universal Time Conversion Utility cannot be guaranteed to be 100% accurate
for those dates that fall within Daylight Saving Time. Any inaccuracies,
however, should not cause any problems for your system.
Converting reports to use UTC Time allows users in multiple time zones to see the same data but in
their local time.
The conversion process should be the last step in the upgrade process. If you do not run the utility
then data collected in prior versions of OnGuard will not display the correct time until the conversion
is completed.
The setup process for the UTC Utility occurs after your system and database have been completely
upgraded and after any replication has been completed.
If you restore any archive prior to when the UTC Utility was first run, you will have to run the utility
again.

Universal Time Conversion Utility Enterprise Considerations


Before running the Universal Time Conversion Utility on an Enterprise system you must:
• Complete all replication.
• Make sure that all of your Regional Server information has been uploaded to the Global Server.
Once replication is complete you must run the UTC utility on the Global Server and then perform a
system download to the Regional Servers.


On the Regional Servers you can configure the Linkage Server and default system time zone after the
system download is complete. If user replication is enabled, all user time zone data must be collected
at the Global Server and downloaded to the Regional Servers. If user replication is not enabled, you
can configure the user time zones on the Regional Servers as well.

Run the Universal Time Conversion Utility


1. Start the OnGuard Universal Time Conversion Utility.
For more information, refer to “Using OnGuard on Supported Operating Systems” in the
Installation Guide.
2. Enter your System Administrator login credentials used to access the OnGuard software.
3. On the Welcome screen, read the warning regarding database backups and select a radio button
for your response. If you have created a backup, click [Next] to begin the conversion process.
4. On the System screen, use the drop-down to select the World Time Zone that will be used as the
default time zone in the system. Click [Next].
5. If you have a Linkage Server host configured, then, on the Linkage Server screen, select the
World Time Zone that will be used by the items associated with the Linkage Server and click
[Next]. You will only see the Linkage Server screen if your system has the Linkage Server host
configured.
6. If you have a segmented system, then, on the Segments screen, choose the World Time Zone that
will be used for the segments.
7. On the Workstations screen, select the World Time Zone that will be used for each of the
system’s workstations. The options are:
• Use the system world time zone for all workstations - sets the World Time Zone on all
workstations to match the one set as the default System World Time Zone.
• Use the associated segment world time zone for all workstations - sets the World Time Zone
on all workstations to match the one set on the segment.
Click [Next].
8. On the Controllers screen, select the World Time Zone that you intend to associate with each of
the system’s controllers. You may be asked to restart the Communication Server before the
changes take effect. Click [Next].
9. If you have a segmented system then proceed to step 10. If you do not have a segmented system
then proceed to step 12.
10. On the Multi-segmented Users screen, select the World Time Zone to associate with multi-
segmented system users. Optionally you can use the Find User field to search for a specific
system user to change. You can also use the check box to assign the system world time zone to all
users. Click [Next].
11. On the Single Segment Users screen, select the World Time Zone that you intend to associate
with each of the single-segmented system users. These include the administrator, badge operator,
system account, and user. You can also use the check boxes to assign the system or segment
world time zone to all users.
Optionally you can use the Find User field to search for a specific system user to change. You
can also use the segment drop-down to associate users with the time zone associated with a
specific segment. Click [Next].
12. (For non-segmented systems only) On the Users screen, select the World Time Zone that you
intend to associate with each of the system’s users. These include the administrator, badge
operator, system account, and user. You can also use the check box to assign the system World
Time Zone to all users.
Optionally you can use the Find User field to search for a specific system user to change. Click
[Next].
13. On the Save screen, the collected data is saved to the database. Select whether you would like to
run the conversion process now or at a later time. If you choose to run the conversion process
immediately, click [Next]. Otherwise, click [Close].
Optionally, you can generate a report of the collected World Time Zone data by clicking
[Generate Report]. This report is exported as a Comma Separated Value (CSV) file, which is best
opened in Microsoft Excel.
14. On the Conversion screen, click [Close] once the conversion process has completed.





1212 Pittsford-Victor Road
Pittsford, New York 14534 USA
Tel 866.788.5095 Fax 585.248.9185
www.LenelS2.com
