AXIS Device Manager Extend

About

AXIS Device Manager Extend solution provides system administrators with an interface for discovering, configuring, and operating Axis devices on their organization’s networks.

The AXIS Device Manager Extend desktop app

The desktop app is a software utility program that can be used as an on-demand, or always available user interface for managing the system. It can be run on a dedicated machine together with a locally installed edge host, or separately from the edge host on a remotely connected laptop. The client presents the user with the overall status of the system and readily available management actions.

The edge host

The edge host component in AXIS Device Manager Extend is an always available, on-premise management service that is responsible for maintaining local devices, such as cameras. The AXIS Device Manager Extend edge host also acts as a link to the Axis remote management service, where the same API functionality supports remote administration of sites via the Axis service platform.

Solution overview

AXIS Device Manager Extend with local and remote access
  1. Axis
  2. IAM (My Axis)
  3. Organization data
  4. Local client
  5. Edge host
  6. Devices
  7. VMS
  8. TURN
  9. Signaling
  10. Remote client
  11. Remote Access WebRTC Servers
  12. Site 1
ConnectionURL and IPPortProtocolComment
Aprod.adm.connect.axis.com (52.224.128.152 or 40.127.155.231)443HTTPSRequired
BHTTP Discovery (from client to edge hosts)
Data transfer (between client and edge hosts)
Multicast Discovery (from client to edge hosts)
Multicast Discovery (from edge hosts to client)
37080
37443
6801
6801
HTTP
HTTPS
UDP
UDP
Needed to provision the site. Optional after provision.
CData transfer (between edge host and devices)
Unicast discovery
Multicast discovery
HTTP discovery
80 / custom port, 443
1900
1900, 5353
80,443
HTTP, HTTPS

SSDP, Bonjour
Required
Dsignaling.prod.webrtc.connect.axis.com
*.turn.prod.webrtc.connect.axis.com
443
443, 5349
HTTPS
HTTPS, DTLS (UDP and TCP)
Based on WebRTC standard
Optional and set to off by default
EPeer to Peer (P2P)49152–65535DTLS (UDP and TCP)
AXIS Device Manager Extend with a multi-site setup using local and remote access
  1. Axis
  2. IAM (My Axis)
  3. Organization data
  4. Local client
  5. Edge host
  6. Devices
  7. VMS
  8. TURN
  9. Signaling
  10. Remote client
  11. Remote Access WebRTC Servers
  12. Site 1
  13. Site 2
  14. Site 3
ConnectionURL and IPPortProtocolComment
Aprod.adm.connect.axis.com (52.224.128.152 or 40.127.155.231)443HTTPSRequired
BHTTP Discovery (from client to edge hosts)
Data transfer (between client and edge hosts)
Multicast Discovery (from client to edge hosts)
Multicast Discovery (from edge hosts to client)
37080
37443
6801
6801
HTTP
HTTPS
UDP
UDP
Needed to provision the site. Optional after provision.
CData transfer (between edge host and devices)
Unicast discovery
Multicast discovery
HTTP discovery
80 / custom port, 443
1900
1900, 5353
80,443
HTTP, HTTPS

SSDP, Bonjour
Required
Dsignaling.prod.webrtc.connect.axis.com
*.turn.prod.webrtc.connect.axis.com
443
443, 5349
HTTPS
HTTPS, DTLS (UDP and TCP)
Based on WebRTC standard
Optional and set to off by default
EPeer to Peer (P2P)49152–65535DTLS (UDP and TCP)
AXIS Device Manager Extend with local access and remote access using a VPN connection
  1. Axis
  2. IAM (My Axis)
  3. Organization data
  4. Local client
  5. Edge host
  6. Devices
  7. VMS
  8. TURN
  9. Signaling
  10. Remote client
  11. Remote Access WebRTC Servers
  12. Site 1
  13. Site 2
  14. Site 3
ConnectionURL and IPPortProtocolComment
Aprod.adm.connect.axis.com (52.224.128.152 or 40.127.155.231)443HTTPSRequired
BHTTP Discovery (from client to edge hosts)
Data transfer (between client and edge hosts)
Multicast Discovery (from client to edge hosts)
Multicast Discovery (from edge hosts to client)
37080
37443
6801
6801
HTTP
HTTPS
UDP
UDP
Needed to provision the site. Optional after provision.
CData transfer (between edge host and devices)
Unicast discovery
Multicast discovery
HTTP discovery
80 / custom port, 443
1900
1900, 5353
80,443
HTTP, HTTPS

SSDP, Bonjour
Required
Dsignaling.prod.webrtc.connect.axis.com
*.turn.prod.webrtc.connect.axis.com
443
443, 5349
HTTPS
HTTPS, DTLS (UDP and TCP)
Based on WebRTC standard
Optional and set to off by default
EPeer to Peer (P2P)49152–65535DTLS (UDP and TCP)
  • An additional requirement is a Public DNS such as Google DNS: 8.8.8.8 / 8.8.4.4 or Cloudflare DNS: 1.1.1.1

  • Both A and C connections are needed to support full functionality of the AXIS Device Manager Extend system.

  • We are in ongoing development of the application, and we therefore advise you to allow firewall access to outgoing network connections for the AXIS Device Manager Extend desktop app and any edge host.

Prerequisites

Compatible operating systems:

  • Windows 10 Pro, Enterprise, Server 2016 and 2019 (x64-based system).

  • System Administrator privilege required for installation and configuration changes.

Minimum system recommendation:

  • CPU: Intel Core i5

  • RAM: 4 GB

  • Network: 100 Mbps

Internet connectivity

Note

The AXIS Device Manager Extend application requires internet connectivity to be provisioned with certificates identifying it as belonging to the organization created and associated with the My Axis account used in the installation. However, to benefit from certain features such as warranty information and multisite support you need an internet connection. In addition, the client and/or site controller only automatically updates in the online mode.

Synchronized time and date

Note

Ensure all the system components are synchronized, otherwise certificate authentication between the edge host and the client or back end could fail. It is recommended that all host machines are synchronized to a common Network Time Server to avoid any potential issues.

Open network ports:

For secure connections from the AXIS Device Manager Extend desktop app to the edge host, edge host discovery and Axis Remote Service.

  1. Axis Service Platform
  2. AXIS Device Manager Extend desktop app
  3. Edge host
  4. Devices
  5. HTTPS (port 443)
  6. HTTPS (port 443)
  7. HTTPS (port 37443), UDP Multicast discovery (port 6801), HTTP discovery (port 37080)
  8. UDP Multicast discovery (port 6801)
  9. HTTPS and HTTP (port 443 and 80), Multicast discovery —SSDP (port 1900) — Bonjour (port 5353), Unicast discovery (port 1900), HTTP discovery (port 80 and 443)

Outgoing network access

We are in ongoing development of the application, and we therefore advise you to allow firewall access to outgoing network connections for the AXIS Device Manager Extend desktop app and any edge host.

Get started

Register a My Axis account

Register a My Axis account at axis.com/my-axis/login.

You can make your My Axis account more secure by activating multi-factor authentication (MFA). MFA is a security system that adds another layer of verification to ensure the user’s identity.

  1. Activate MFA:
  2. Log in with your My Axis credentials.

  3. Go to and select Account settings.

  4. Click Security settings

  5. Turn on 2–Step verification.

  6. You are redirected to a login page.
  7. Log in with your My Axis credentials.

  8. MFA is now active.
  1. Log in when MFA is active:
  2. Log in to your My Axis account.

  3. An email is sent to you.
  4. Open the email and click Authenticate.

  5. If you didn’t receive an email, check if it’s in your spam folder. If it’s not there, contact IT support.

Install the client and activate your account

Go to the product page on axis.com and download the AXIS Device Manager Extend desktop app installer

  1. Locate where you downloaded the application and click to install.

  2. Select client and click Install.

  3. Sign in to your My Axis account.

  4. Confirm your e-mail address to complete the activation.

  5. Create or join an existing organization.

Install the edge host

The edge host and the desktop client are included in the AXIS Device Manager Extend installer. We recommend you install the site controller on a server as close to your devices as possible.

  1. Choose a server where you want to install the edge host.

  2. Run the installer on the server and only select to install the edge host.

Claim the edge host

To create a secure connection to your devices from the AXIS Device Manager Extend desktop app, you must first claim an edge host to your organization.

  1. Click an edge host with the status Unclaimed

    1. Click Add new edge host if there is no edge host in the list

    2. Type the IP address of where the edge host is located

  2. Type the name of your edge host

  3. Add an optional description (recommended)

  4. Click Claim edge host

Manage devices

Add discovered devices to your edge host

  1. Go to Edge hosts.

  2. Select a claimed edge host in the list you want to add devices to.

  3. Go to Devices > Discovered.

  4. Select the devices you would like to add, or select all of the devices by checking the box at the top of the selection column.

  5. Click Add devices to edge host .

The devices are now listed in the Managed tab, and their status can be reviewed in Edge host overview.

Add devices from IP addresses

Add devices that are not automatically discovered from subnets, individual IP addresses or an IP range.

Add devices from IP range

  1. Go to an edge host claimed by your organization.

  2. Go to Settings > Device discovery.

  3. Click Add by IP

  4. Select Manual entry

  5. Type the IP range

  6. Click Add IP addresses

  7. Go to Devices > Discovered

  8. Select the devices you would like to add, or select all of the devices by checking the box at the top of the selection column.

  9. Click Add devices.

Add devices from a file

  1. Go to a edge host claimed by your organization.

  2. Go to Settings > Device discovery.

  3. ClickAdd by IP

  4. Select Import from file.

  5. Select the comma separated (.CSV) file with the IP addresses

  6. Click Import

  7. Go to Devices > Discovered devices

  8. Select the devices you would like to add, or select all of the devices by checking the box at the top of the selection column.

  9. Click Add devices .

Note

The file should have:
A header for the column of IP addresses.
A single column.
A maximum of 25,600 IP addresses.

Remove devices

Remove devices from an edge host
  1. Click Edge host

  2. Select an edge host.

  3. Go to Devices

  4. Select the devices you would like to remove, or select all of the devices by checking the box at the top of the selection column.

  5. Click the Remove devices from edge host icon in the action menu.

  6. Click Remove.

The removed devices can be found in Devices >Discovered.

Log in to your devices

  1. Click Edge hosts

  2. Select an edge host.

  3. Go to Devices > Managed

  4. Select the devices you want to access, or select all of the devices by checking the box at the top of the selection column.

  5. Click Log in to automatically log in to multiple devices.

  6. Type the username and password.

  7. Click Log in

Note

If the username and password are correct, the Status will show Reachable

Configuration

Activating remote access

If your firewall settings block outbound connections, you may have to enter a proxy connection to access the site remotely.

  1. Select the edge host you want to activate remote access to.

  2. Go to Settings >Edge hosts connections.

  3. Activate Allow remote access to edge host.

  4. If you need to enter a proxy address to access the internet, type an address under Proxy address.

You will be notified once the connection is active.

Note

To support the connection to edge hosts on other networks, you may have to add the following configuration to your corporate network firewall's "allow list": Endpoint Port Protocol signaling.prod.webrtc.connect.axis.com 443 HTTPS *.turn.prod.webrtc.connect.axis.com 443 HTTPS webRTC (Turn and P2P) 5349, 49152 - 65535 DTLS (UDP and TCP)

Remove a site

Before you remove an edge host from your organization, you need to Remove devices belonging to the edge host. The devices can then be found in Devices > Discovered.

  1. Click Edge hosts.

  2. Select the edge host with the arrow keys or hover over it with the mouse pointer.

  3. Click ... and select Remove edge host from the drop-down menu.

  4. Check I’m aware of the risks.

  5. Click Remove.

Add users to your organization

  1. Select the organization where you would like configure user settings.

  2. Go to Users.

  3. Click Invite to organization.

  4. Type the email address of the user you’d like to invite to your organization.

  5. Click Send invite.

Note

The user will receive an invitation email that they can use to sign in to AXIS Device Manager Extend. The default user role is Viewer. If they don’t have a My Axis account, they must use that email to sign up in order to access the organization. Invites can be revoked while pending acceptance.

Elevate user role

  1. Select the organization where you would like configure user settings.

  2. Go to Users.

  3. Go to Role of the user you’d like to elevate

  4. Click the drop down menu to select the new role

Note

The role changes immediately once selected. For security reasons, invites are limited to the viewer role.

Remove users

  1. Select the organization where you would like configure user settings.

  2. Go to Users.

  3. Hover the mouse pointer over the user you would like to remove to show a new options menu: ...

  4. Click ... and select Remove user in the drop down menu.

Firmware management

With AXIS Device Manager Extend you can manage firmware of multiple devices in each organization.

For a list of firmware updates that are available for every device in your organization grouped by model, go to Home > Firmware inventory. For a list of firmware updates that are available on a specific edge host, select the edge host and go to Firmware inventory.

Manage firmware based on device model

To manage firmware by device model across you organization:

  1. Go to Home > Firmware inventory

  2. Check the model you’d like to manage.

  3. Click on the Upgrade to drop-down menu to see what is available. The latest firmware will be preselected.

  4. Click on Upgrade.

Manage device firmware on an edge host.

To manage the firmware of some or all of the devices on an edge host:

  1. Go to Edge hosts

  2. Click on the edge host you want to access.

  3. Go to Devices

  4. Select all or just the devices you’d like to manage.

  5. Click the Firmware icon in the action menu

  6. Check all or some of the models in the list.

  7. If you’d like to change the selected firmware, click on the suggested firmware to see what is available for each device. The latest firmware will be preselected.

  8. Click Upgrade.

View ongoing and completed firmware upgrades

  1. To view a list of completed and ongoing firmware upgrades in your organization. While in Home:
  2. Click Tasks.

To view ongoing firmware upgrades of devices connected to a specific edge host:

  1. Click Edge hosts

  2. Click on the edge host you want to access.

  3. Go to Tasks

  4. To see ongoing firmware upgrades:
  5. Go to Tasks > Ongoing tasks

Policies

Policies manage your devices automatically. Create policies to maintain cyber security across your site. You can also set a policy to automatically install and update apps on your devices.

Create and apply a security policy

In this example use case, we create and apply a basic security policy to a select number of devices connected to an edge host.

Create a basic security policy:

  1. Go to Edge hosts

  2. Click on the edge host you want to access.

  3. Go to Devices

  4. Click on + icon next to Policies

  5. Select Basic security and click Continue

  6. Name your policy

  7. Select the settings that fits your security needs. For the recommended security level, keep the default settings.

    • To change the root password for selected devices, click Device root password and type the new root password.

  8. Click Create .

Apply the policy:

  1. Select the devices you would like the policy to be applied to.

  2. Click the Policy options icon in the action menu.

  3. Select the security policy and click Save.

Create and apply an app policy

In this example use case, we create and apply an app policy to a select number of devices connected to an edge host.

  1. Go to Edge hosts

  2. Click on the edge host you want to access.

  3. Go to Devices

  4. Click on + icon next to Policies

  5. Select Apps and click Continue

  6. Name your policy

  7. Select the apps you want to be installed and updated on your devices.

  8. Select the update window in the drop-down menu.

  9. Click Create .

Apply the policy:

  1. Select the devices you would like the policy to be applied to.

  2. Click the Policy options icon in the action menu.

  3. Select the app policy you want to apply.

  4. Click Save.

Note

The selected apps will be automatically reinstalled if removed.

Edit a policy

  1. To edit an existing policy:
  2. Go to Edge hosts

  3. Click on the edge host you want to access.

  4. Go to Devices

  5. Click ... next to the policy you want to edit and select Edit policy from the drop-down menu.

  6. Edit the policy settings to suit your needs.

  7. Click Save

Delete a policy

  • To delete an existing policy:
  • Go to Edge hosts

  • Click on the edge host you want to access.

  • Go to Devices

  • Click ... next to the policy you want to edit and select Delete policy from the drop-down menu.

  • Click Delete

Note

Any devices with that policy applied to them will keep the policy settings, but the settings will no longer be persistent.

Troubleshooting

How to configure firewall settings

In order for AXIS Device Manager Extend client and edge host to communicate with the Axis service the following IP addresses and/or domain names should be added to the allowlist of the organization’s firewall:

The URL prod.adm.connect.axis.com  is a simple A DNS entry which resolves to IP address 52.224.128.152 or 40.127.155.231. These IP addresses host a single application gateway that forwards the requests to the appropriate (depending on the incoming request path) back-end host.

AXIS Device Manager Extend client and the edge host use the domain name for all requests.

For this to work, the network will need to use a public DNS (or for example cache the domain name in a local DNS). Therefore, in addition to the application gateway IP address, some public DNS server IP should also be added to the allowlist.

For example: Google’s public DNS which is available at IPs: 8.8.8.8 and 8.8.4.4.