SX-SRVR Security Expert - Networking Administrator Guide - Reference Guide


Schneider Electric

Security Expert System Networking


Administrator Guide
SX-SRVR
March 2022
Legal Information
The Schneider Electric brand and any registered trademarks of Schneider Electric Industries
SAS referred to in this manual are the sole property of Schneider Electric SA and its
subsidiaries. They may not be used for any purpose without the owner's permission, given in
writing. This manual and its content are protected, within the meaning of the French intellectual
property code (Code de la propriété intellectuelle français, referred to hereafter as "the Code"),
under the laws of copyright covering texts, drawings and models, as well as by trademark law.
You agree not to reproduce, other than for your own personal, noncommercial use as defined
in the Code, all or part of this manual on any medium whatsoever without Schneider Electric's
permission, given in writing. You also agree not to establish any hypertext links to this manual
or its content. Schneider Electric does not grant any right or license for the personal and
noncommercial use of the manual or its content, except for a non-exclusive license to consult it
on an "as is" basis, at your own risk. All other rights are reserved.
Electrical equipment should be installed, operated, serviced and maintained only by qualified
personnel. No responsibility is assumed by Schneider Electric for any consequences arising
out of the use of this material.
As standards, specifications and designs change from time to time, please ask for confirmation
of the information given in this publication.
Trademarks and registered trademarks are the property of their respective owners.

Contents
The Security Expert System
    Introduction
    Document Information
    Software Version
    Third Party Software Applications
Installing Security Expert on Secure Networks
    Typical Installation of Security Expert
    General Security Best Practices
Security Expert Server Operation
    Security Expert Data Service
    Security Expert Event Service
    Security Expert Download Service
System Architecture
IP Networking Ports
Remote Controller Download Communications
    Cellular Network Connection


The Security Expert System


Introduction
The Security Expert system is a powerful integrated alarm and access control management
system designed to provide integration with building automation, apartment complex control
and HVAC in one flexible package.
Communication is over a proprietary high speed protocol across an encrypted local area
network and AES encrypted proprietary RS-485 module network. Using modular-based
hardware design, system installers have the flexibility to accommodate any installation, small
or large, residential or commercial.

Document Information
This document outlines the operation of the various networking and communication protocols
used by the Security Expert system.
It is recommended that at a minimum the ports specified in this document are opened for
devices to allow upgrade and effective management of the access control system.

Software Version
This document is independent of the software version that is operating and is based on the
default configuration of the system.

Third Party Software Applications


The Wireshark utility is an excellent diagnostic tool when identifying connectivity issues.
• Wireshark download link: http://www.wireshark.org/download.html


Installing Security Expert on Secure Networks


Typical Installation of Security Expert

General Security Best Practices


We strongly recommend the following industry cybersecurity best practices.
• Locate control and safety system networks and remote devices behind firewalls and
  isolate them from the business network.
• Put physical controls in place so no unauthorized person can access the ICS and safety
  controllers, peripheral equipment, or the ICS and safety networks.
• Place all controllers inside locked cabinets, secure from unauthorized access.
• Never connect programming software to any network other than the network for the
  devices it is intended for.
• Scan all methods of mobile data exchange with the isolated network such as CDs, USB
  drives, etc. before use in the terminals or any node connected to these networks.
• Never allow laptops that have connected to any network other than the intended network
  to connect to the safety or control networks without proper sanitation.
• Minimize network exposure for all control system devices and systems, and ensure that
  they are not accessible from the internet.
• When remote access is required, use secure methods, such as Virtual Private Networks
  (VPNs).
  Be aware that VPNs may have vulnerabilities and should be updated to the most current
  version available. Also, recognize that VPNs are only as secure as the connected
  devices.
• Connection to the controller web pages uses a self-signed HTTPS certificate by default.
  While this is acceptable for system setup and commissioning, this should be replaced with
  a certificate signed by a third-party certificate authority once the site is commissioned and
  operational.


Security Expert Server Operation


The Security Expert system is composed of three services when in the standard configuration.
Each service is designed to perform a number of related tasks as detailed below.

Security Expert Data Service


The Security Expert Data Service receives requests from the client user interface. The service
maintains a connection to SQL Server for programming and editing records and alerts the user
interface when new events or alarms are available.
The service also manages control requests or manual operator commands that result in an
outbound connection to the controllers from the attached client interfaces.

Security Expert Event Service


The Security Expert Event Service uses inbound connections to receive events sent by
controllers. These events are saved to the database. Status updates and messages are also
sent to the event service.

Security Expert Download Service


The Security Expert Download Service transfers programming changes to controllers. It
sequentially checks each controller to determine whether programming changes are required,
and if so downloads the updated configuration to the controller.


System Architecture
The following diagram is indicative of the general structure of a Security Expert system when
connected to an IP network. This is a basic overview of the setup and is not intended to include
all connections. You should use this as a reference when opening ports and configuring
routers to allow communications to operate correctly.

[Diagram: Security Expert system architecture. Components shown: Server (Data Service, Event Service, Download Service, Single Record Download Service, SOAP Service), Controller 1, Controller 2, Client computer, Web Client (may be installed remotely), Third Party Web Client (SOAP) (may be installed remotely), Web Browser computer and Mobile App. Connection labels: 21000 TCP Controller Programming; 21001 TCP Manual Control; 22000 TCP Events; 8000 TCP System Programming; 8010 TCP System Events; 443 TCP Controller Programming; 9470 TCP Cross Controller Operation; 8000 TCP API Control; 8010 TCP API Events; HTTP 8030 or HTTPS 8040 API; HTTP 8050 or HTTPS 8060.]


IP Networking Ports
The following ports may need to be forwarded or approved in your firewall.

| From | Outbound Port | To | Inbound Port | Protocol | Description |
|---|---|---|---|---|---|
| Download Service | Any | Controller | 21000 | TCP | Controller programming. |
| Download Service | Any | Controller | 21001 | TCP | Manual control commands. |
| Controller | Any | Event Service | 22000 | TCP | Store system events and status updates in SQL database. |
| Client | Any | Data Service | 8000 | TCP | Store system programming in SQL database. |
| Client | Any | Data Service | 8010 | TCP | Display system events. |
| SOAP Service | Any | Data Service | 8000 | TCP | Store system programming in SQL database. |
| SOAP Service | Any | Data Service | 8010 | TCP | Display system events. |
| Single Record Download Service | Any | Controller | 443 | TCP | Controller programming. |
| Modules | 9450 | Controller | 9450 | UDP | Module communication. Programming, control and status. |
| Modules | 9460 | Controller | 9460 | UDP | Touchscreen communication. |
| Controller | 9450 | Modules | 9450 | UDP | Module communication. Programming, control and status. |
| Controller | 9460 | Modules | 9460 | UDP | Touchscreen communication. |
| Entry Station | Any | Controller | 9450 | TCP | Programming, control and status. |
| Controller | 9470 | Controller | 9470 | TCP | Cross controller operation. |
| Controller | Custom | Central Monitoring Station | Custom | TCP | Offsite IP Monitoring (equivalent to ContactID alarm monitoring). Ports should be agreed between the installation company and monitoring company. |
| Web Client | Any | SOAP Service | 8030 | HTTP TCP | API for controlling and programming Security Expert systems. |
| Third Party Web Client (SOAP) | Any | SOAP Service | 8030 | HTTP SOAP | API for controlling and programming Security Expert systems. |
| Web Client | Any | SOAP Service | 8040 | HTTPS TCP | API for controlling and programming Security Expert systems. |
| Third Party Web Client (SOAP) | Any | SOAP Service | 8040 | HTTPS SOAP | API for controlling and programming Security Expert systems. |
| Web Browser | Any | Web Client | 8050 | HTTP TCP | Web based interface for controlling Security Expert systems. |
| Mobile App | Any | Web Client | 8050 | HTTP TCP | Web based interface for controlling Security Expert systems. |
| Web Browser | Any | Web Client | 8060 | HTTPS TCP | Web based interface for controlling Security Expert systems. |
| Mobile App | Any | Web Client | 8060 | HTTPS TCP | Web based interface for controlling Security Expert systems. |
| Data Service | Any | SQL Server | 1433* | TCP | Store programming in SQL database. Transfer programming to controllers. |
| Event Service | Any | SQL Server | 1433* | TCP | Store system events and status update in SQL database. |
| Download Service | Any | SQL Server | 1433* | TCP | Store programming in SQL database. Transfer programming to controllers. |
| Single Record Download Service | Any | SQL Server | 1433* | TCP | Store programming in SQL database. Transfer programming to controllers. |

*The SQL Server connection port is configurable. 1433 is the default. The following .NET
Framework Data Provider for SQL Server connection string can be used for connections to
SQL Server 2019, 2017, 2016, 2014, 2012 and 2008. See the Connection Strings website for
more information.
Server=myServerName,myPortNumber;Database=myDataBase;
Some of the above ports can be changed if required. Contact Schneider Electric for further
information on port customization.
Additional ports may be required for integration to third party systems, such as HLI integrations
with elevator systems, and DVR integrations. Refer to the relevant documentation for specific
integration requirements.
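
The default port table above can be encoded as an allowlist and used to audit flow records for connections the guide does not list. This is an added example, not part of the Schneider Electric guide: the role names, IP addresses and flow records are constructed, the "cleartext" verdict for the HTTP rows (8030, 8050) is this example's choice, and the site-specific custom monitoring ports are omitted.

```python
from itertools import product

SQL_PORT = 1433  # page default; configurable per site
# (initiator role, listener role, inbound port, protocol) from the default port
# table above. Role names are labels chosen for this example.
ALLOWED = {
    ("download", "controller", 21000, "tcp"), ("download", "controller", 21001, "tcp"),
    ("single_record", "controller", 443, "tcp"), ("entry_station", "controller", 9450, "tcp"),
    ("controller", "event", 22000, "tcp"), ("controller", "controller", 9470, "tcp"),
    ("client", "data", 8000, "tcp"), ("client", "data", 8010, "tcp"),
    ("soap", "data", 8000, "tcp"), ("soap", "data", 8010, "tcp"),
}
for a, b in (("module", "controller"), ("controller", "module")):
    ALLOWED |= {(a, b, p, "udp") for p in (9450, 9460)}
ALLOWED |= {(s, "soap", p, "tcp") for s in ("web_client", "third_party") for p in (8030, 8040)}
ALLOWED |= {(s, "web_client", p, "tcp") for s in ("browser", "mobile_app") for p in (8050, 8060)}
ALLOWED |= {(s, "sql", SQL_PORT, "tcp") for s in ("data", "event", "download", "single_record")}
CLEARTEXT_PORTS = {8030, 8050}  # the HTTP (not HTTPS) rows of the table

def classify(flow, inventory):
    """Classify one 'src_ip dst_ip dst_port proto' record against ALLOWED."""
    src_ip, dst_ip, port, proto = flow.split()
    port, proto = int(port), proto.lower()
    # A host can hold several roles (the server runs several services).
    for src, dst in product(inventory.get(src_ip, ()), inventory.get(dst_ip, ())):
        if (src, dst, port, proto) in ALLOWED:
            return "cleartext" if port in CLEARTEXT_PORTS else "allowed"
    return "unexpected"  # unknown host, or a path the table does not list

def audit(flows, inventory):
    """Return only the flows that need attention, keyed by flow record."""
    verdicts = ((f, classify(f, inventory)) for f in flows)
    return {f: v for f, v in verdicts if v != "allowed"}

# Constructed inventory and flow records (not from the page).
INVENTORY = {
    "10.10.0.10": {"data", "event", "download", "single_record", "soap", "web_client"},
    "10.10.0.20": {"sql"}, "10.10.1.50": {"client", "browser"},
    "10.20.0.5": {"controller"}, "10.20.0.6": {"controller"},
}
FLOWS = [
    "10.10.0.10 10.20.0.5 21000 tcp", "10.20.0.5 10.10.0.10 22000 tcp",
    "10.20.0.5 10.20.0.6 9470 tcp", "10.10.1.50 10.10.0.10 8050 tcp",
    "10.10.1.50 10.20.0.5 21000 tcp", "10.10.1.50 10.10.0.20 1433 tcp",
    "192.0.2.77 10.20.0.5 443 tcp",
]
if __name__ == "__main__":
    for flow, verdict in audit(FLOWS, INVENTORY).items():
        print(f"{verdict:10} {flow}")
```

In the constructed data, the operator workstation reaching a controller on 21000 and SQL Server on 1433 directly is reported as unexpected, because the table only lists those paths from the server-side services.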


Remote Controller Download Communications


[Diagram: Security Expert Remote Controller Download Communications. Components shown: Remote IP Network (Client, Controller, Router), Internet, Router, Local IP Network (Networked NVR/DVR, Client, Controller, Server).]

During a download, a communication connection is initiated at the server and sent to the
controller.
When the controller is on a remote IP network, the key to getting the controller online and
communicating is to set up the correct port translation at points X and Y (see image above).
The download service requires port forwarding configuration at point X. The event service
requires port forwarding to be configured at point Y.


Cellular Network Connection

[Diagram: Local IP Network (Client, Controller, Server), Router, Cellular Network, Cellular Modem and Remote Controller.]

Security Expert controllers can also use the Security Expert Security Purpose DIN Rail Cellular
Modem to communicate with the server via the 4G cellular network. This allows you to connect
controllers to the Security Expert system even when they are located outside of wired
networks.
The SIM card network provider for the cellular modem must allow both inbound and outbound
connections, and you must enable dynamic IP address updates for this controller if the cellular
modem does not have a fixed IP address. For more information and configuration instructions,
see the Security Expert Security Purpose DIN Rail Cellular Modem Configuration Guide.

Schneider Electric
www.schneider-electric.com
© 2022 Schneider Electric. All rights reserved.
March 2022
