
Best Practices Security Center Access Control

Innovative Solutions
Version 2.1

Table of Contents
HID units
Recommendations
Unit firmware compatibility
General versus dedicated inputs
VertX Hardware specifications
Cable Specifications
Mounting Instructions
Wiring Instructions
RS-485 Connections
About access control software and hardware
About offline, mixed, and online modes of operation
Card and PIN
Door with reader configuration
Door with two door sensors
HID VertX antipassback
Elevator Control
Offline IO Linking (VertX only)
Server configuration
Synchronization (Offline Data Synchronization)
Known issues
Software
HID unit known issues

genetec.com | Security Center | Best Practices

HID units

Recommendations
The V1000 physical RS-485 ports 1 and 2 reside on logical bus 1 (P3), while ports 3 and 4 reside on RS-485 logical bus 2 (P4).
The termination jumper should be in the "out" position for all V100 series panels except for the last V100 series panel on the RS-485 run. The last V100 series panel must have the termination jumper in the "in" position.
The dial on the interface indicates the address of the VertX unit. Do not duplicate addresses on the same bus.
Although up to 32 interfaces (in any combination) are theoretically supported, for best performance it is recommended to limit the number of interfaces to 20, distributed evenly on the two logical buses (e.g. 10 units per logical bus).
It is recommended to set a static IP address on the network controller. The discovery process is different for units that have a DHCP-assigned IP address. Discovery of DHCP addresses across multiple VLANs is not supported. If the host is in a different VLAN than the controller, the unit cannot be set to DHCP.
It is recommended to isolate the controller on the network from broadcast traffic or unhandled multicast.
The unit name should be at most 15 characters and should avoid spaces and special characters.
Set the Here I Am Interval in the VertX controller to 90 seconds.
A VertX V300 dedicated to elevator control should only be used for elevator control and should not be used to trigger non-elevator related outputs.
The door sensor is by default set to NC, not supervised; all other input points default to NO switches and are unsupervised (no EOL resistors). Any input can be configured as NO or NC, as well as unsupervised or supervised. They can be configured for supervisory resistors of 1K to 6K Ohm. The setup of supervised inputs should be done during configuration of the VertX devices via the host. The default supervised input configuration uses two 2K EOL resistors.
By default the door relocks on door open. For a double door, it is recommended to set a minimum action time on the relay so that it stays active during the whole grant access time.

Unit firmware compatibility


Security Center is compatible with the unit firmware versions 2.2.7.18 and 2.2.7.39. The more recent firmware versions 2.2.7.49 and 2.2.7.70 (release expected August 17, 2011) are not compatible with Security Center. With 2.2.7.49, an HID patch needs to be applied (2.2.7.49.1). Please refer to the release notes for the latest hardware compatibility list.
HID units should have the following Program and EEPROM firmware:
V100, V2000 (has a V100 interface board built-in), EdgePlus/EdgeReader: 113/110
V200: 106/100
V300: 107/104


General versus dedicated inputs


When a unit is used to control a door, some inputs must be used only for their intended purpose (dedicated inputs). For example, if a door has a REX sensor or a door sensor, the unit's inputs intended for these sensors must be used.
Unit: HID units (V100, V2000, and Edge devices)
Input: REX
When used as: A REX input signal
Required configuration: When any unit REX input is used for a REX, you must also set:
o Automatically grant request to exit in the Door, Properties tab, which generates Request to exit events when the input is triggered. Events are logged, and can be used for event-to-actions.
o The input configuration in the Door, Unit tab to program the unit to react to a REX input by releasing the lock.
When used as: Another purpose (a general purpose input)
Required configuration: Deselect Automatically grant request to exit in the Door, Properties tab. Configure the input for a zone, interlock, etc.

Unit: HID units (V100, V2000, and Edge devices)
Input: Door Monitor
When used as: A door position sensor input (door open or door closed)
Required configuration: Set this in the input configuration in the Door, Unit tab. NOTE This input cannot be used as a general purpose

VertX Hardware specifications


Power supply: 12-16VDC. It is recommended to use a supervised linear power supply with battery backup, input surge protection, and AC Fail and battery low contact outputs.
Maximum current at 12VDC per unit: 1 Amp.
For Edge products, power can be supplied using Power over Ethernet technology available with PoE (802.3af) enabled network devices. The PoE source should be of class 3 to provide sufficient power.
Average operating current at 12VDC:
o V1000 - 210mA
o V2000 - 625mA (with two R40 iCLASS Readers)
o V100 - 450mA (with two R40 iCLASS Readers)
o V200 - 60mA
o V300 - 75mA
Unpowered, relay contacts are rated for 2A@30VDC.
E400 is capable of supplying a total of 700mA to field devices. ER40 is capable of supplying a total of 600mA to field devices.
Operating temperature range: 32-122°F (0-50°C).
Humidity: 5% to 95% non-condensing.
The E400 and ER40 are intended for use in indoor environments.

Cable Specifications
Cable type: RS-485. Length: 4000 feet (1220 m) to host. Specification: Belden 3105A, 22AWG twisted pair, shielded 100 Ω cable, or equivalent.


Cable type: Wiegand. Length: 500 feet (150 m) to reader. Specification: ALPHA 1299C, 22AWG, 9-conductor, stranded, overall shield. Fewer conductors are needed if all control lines are not used.
Cable type: Ethernet. Length: 328 feet (100 m). Specification: Cat5, Cat5E, and Cat6.
Relays are dry contact rated for 2Amps @ 30VDC.

Mounting Instructions
The controllers and interface panels should always be mounted in a secure area. Mount using the four mounting screws (provided) or other appropriate fasteners. Place the fasteners in the corner holes of the base. The VertX devices can be stacked with or without the cover. Do not remove the plastic base. Make sure you position the VertX devices in such a way as to provide room for wiring, air-flow and cable runs.

Wiring Instructions
CAUTION: VertX controllers and panels are sensitive to Electrostatic Discharges (ESD). Observe precautions while handling the circuit board assembly by using proper grounding straps and handling precautions at all times.
Power and Alarm input connections (all VertX units): Connect power by providing 12VDC to the P7 connector. +12VDC goes to Pin 1 and ground to Pin 2. Connect the Bat Fail and AC Fail inputs to the battery low/failure and AC failure contacts provided on the power supply. Connect the Tamper input to a tamper switch on the enclosure.
Note: Connect the data return line to the same ground as the reader power if the reader is not powered by the VertX unit's 12VDC.
The VertX controller should have a separate power supply from the maglock and other devices such as the PIR.
The relay output should be protected with a diode or suppressor circuit. On an Edge powered over Ethernet, a non-protected relay could cause the unit to restart; on a VertX V100 or V300, the relay could stop responding in the long term.
If in-rush current with a maglock exceeds the specification, a snubber circuit should be added on the relay output (see HID technote).
Configure the tamper input to its proper state (NO/NC) even if it is going to be disabled.
For setups with a REX mechanism built into the door handle, it is recommended to increase the debounce time for the door sensor to avoid false door forced open events.

RS-485 Connections
The V1000 has two RS-485 connectors and uses the 10-pin connector on P3 and P4. Each RS-485 bus can support a maximum of 16 V100-Series panels using one or two ports. Having two ports on each bus provides the option of splitting each RS-485 bus into two physical connections, allowing a total of four physical connections for the two busses. RS-485 busses must be connected in a daisy chain topology and not a star topology. The V1000 termination jumper should be in the Out position if there are no panels attached to the port. If there are downstream panels attached, then the termination jumper should be in the In position.
CAUTION: The V1000 RS-485 Ports 1 & 2 (P1) are a common bus and therefore cannot have panels with duplicate Interface Addresses assigned. The same is true of the V1000 RS-485 Ports 3 & 4 (P4). For example, two panels, both with Interface Address 0 (factory default), cannot be connected to Ports 1 and/or 2 (P1).


It is recommended to wire the RS-485 to the position of the P9 terminal block of the V100-Series panel. This is especially important when the RS-485 communication is in a daisy chain configuration. If the RS-485 is wired In and Out, and power is lost, or the P9 terminal block is unplugged on a V100-Series panel, RS-485 communications will be lost to downstream V100-Series panels.
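
The addressing and termination rules from the Recommendations and RS-485 Connections sections can be checked against a wiring plan before installation. The following Python check is an added example, not Genetec or HID code; the panel records, their field names and the treatment of each physical port as one daisy-chained run are assumptions.

```python
from collections import defaultdict

# Physical V1000 port -> logical RS-485 bus, as stated in the Recommendations.
PORT_TO_BUS = {1: 1, 2: 1, 3: 2, 4: 2}
MAX_PANELS_PER_BUS = 16   # V100-series panels per logical bus
RECOMMENDED_TOTAL = 20    # best-performance guidance per V1000


def check_bus_plan(panels):
    """Return a list of findings for a planned V1000 RS-485 layout.

    Each panel is a dict with hypothetical keys: name, port (1-4),
    address (interface dial value), position (1 = nearest the V1000 on
    that port) and terminated (True when the termination jumper is "in").
    """
    findings = []
    by_bus, by_port = defaultdict(list), defaultdict(list)
    for panel in panels:
        by_bus[PORT_TO_BUS[panel["port"]]].append(panel)
        by_port[panel["port"]].append(panel)

    for bus, members in sorted(by_bus.items()):
        if len(members) > MAX_PANELS_PER_BUS:
            findings.append(f"bus {bus}: {len(members)} panels, limit is {MAX_PANELS_PER_BUS}")
        owner = {}  # address -> first panel seen with it on this logical bus
        for panel in members:
            first = owner.setdefault(panel["address"], panel)
            if first is not panel:
                findings.append(
                    f"bus {bus}: address {panel['address']} duplicated on "
                    f"{first['name']} (port {first['port']}) and "
                    f"{panel['name']} (port {panel['port']})")

    # Assumption: each physical port carries one daisy-chained run.
    for port, run in sorted(by_port.items()):
        run = sorted(run, key=lambda p: p["position"])
        for panel in run[:-1]:
            if panel["terminated"]:
                findings.append(f"port {port}: {panel['name']} is terminated mid-run")
        if not run[-1]["terminated"]:
            findings.append(f"port {port}: last panel {run[-1]['name']} is not terminated")

    if len(panels) > RECOMMENDED_TOTAL:
        findings.append(f"{len(panels)} panels planned, {RECOMMENDED_TOTAL} recommended")
    return findings


# Constructed sample plan: address 0 appears on ports 1 and 2 (same logical
# bus) and again on port 3 (the other bus, so no conflict there).
SAMPLE_PLAN = [
    {"name": "LobbyV100", "port": 1, "address": 0, "position": 1, "terminated": False},
    {"name": "DockV100", "port": 1, "address": 1, "position": 2, "terminated": True},
    {"name": "LabV100", "port": 2, "address": 0, "position": 1, "terminated": True},
    {"name": "RoofV300", "port": 3, "address": 0, "position": 1, "terminated": False},
]

if __name__ == "__main__":
    for finding in check_bus_plan(SAMPLE_PLAN):
        print(finding)
```

The duplicate is reported even though the two panels hang off different physical ports, because ports 1 and 2 share one logical bus.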

About access control software and hardware


Certain access control features may not be available depending on a unit's mode of operation, the type of unit, the features enabled on the unit, and the keypad reader options selected.

About offline, mixed, and online modes of operation


Mixed mode: The unit makes access control decisions locally based on information downloaded from Security Center/Synergis during unit synchronization. Access events are reported to Security Center/Synergis in real time.

Offline: Communication with Security Center/Synergis has been lost. The unit makes access control decisions locally, based on information downloaded from Security Center/Synergis during unit synchronization. Access granted and access denied events are logged in the unit and are uploaded to Security Center/Synergis when the network connection is re-established.


Feature Card and PIN1 Card or PIN1 Elevator control2 Elevator floor tracking People counting for an area2 Antipassback : Hard antipassback (violation event generated and access is denied) Timed antipassback Soft antipassback (violation event generated and access is granted) Interlock5 Lockdown and Interlock Override Readerless door6 (use an IO module for a REX, door state, and door lock only) Extended Grant Times IO linking (Zone) Action: Silence buzzer or Sound buzzer (event-to-action)8 Event-to-action with Trigger output action
4

HID offline mode Varies according to a reader's hardware options. Supported Supported Not supported3 Not supported Varies according to antipassback settings enabled with the ConfigTool. Supported Not supported Not supported Supported Supported

Supported7

Supported

Supported Not supported

1 To ensure mixed mode and offline mode operation, the wiring for a door should be made to one unit (or HID VertX V100 interface module).
2 All units used for this feature must be assigned to the same AccessManager.
3 Event reporting is unavailable. Events are not regenerated when the unit returns to mixed mode or online mode.
4 Not supported with an area set to interlock.
5 If a perimeter door of an interlock is open, when an authorized cardholder accesses a second perimeter door of the same interlock, Synergis may generate an ACCESS GRANTED event for the second door even though the second door does not unlock.
6 A readerless door does not generate a DOOR FORCED OPEN event. A readerless door does not support the buzzer feature.
7 There are no door activity reports while the unit is in this mode.
8 Not available with a readerless door.


Card and PIN


Card and PIN operation depends on the type of unit and the keypad reader installed. For both HID iCLASS and Prox readers, the Keypad configuration setting option is selected at the time of purchase. Supported options include the following:
Option 00: Keypad configuration setting option of 00 = Buffer one key, no parity, 4-bit message.
Option 14: Keypad configuration setting option of 14 = Buffer one to five keys (Standard 26-bit output). This reader option is also known as Galaxy Mode.

Unit type HID: V1000 with V100 V2000 EdgePlus E400 HID keypad reader option Keypad configuration setting option of 14 Keypad configuration setting option of 00 Mixed mode Card or PIN. Offline mode Card or PIN. Observation The keypad readers can be used to enroll PINs.

Card or PIN. Card and PIN on schedule. When off-schedule, operation reverts to card only

An unknown PIN will not generate the Access denied: Unknown credential event in Security Center. The reader cannot be used to enroll PINs for credential creation

PINs cannot have more than 5 digits when used with a VertX controller.
One limitation of Card and PIN (VertX) is that when Card and PIN mode is on a schedule, the reader reverts to card OR PIN outside the schedule. This may be a security limitation, because outside the schedule cardholders can enter a door using only their PIN instead of their card. The recommendation is to set Card and PIN mode on a 24/7 schedule (always).
When Card and PIN is enabled, card only or PIN only operations are not supported.

Door with reader configuration


A door with a reader assigned to a V2000, V100, or an Edge device, must have all inputs (for example door contact, REX) and outputs (for example door lock) associated to that same device. Inputs and outputs must not be distributed across several devices.

Door with two door sensors


It is not recommended to configure a door with two door sensors (or door contacts) without physically wiring the sensors together. Simply stated, two sensors wired together would be seen as a single sensor. In the Security Center, only a single door sensor should be configured per door.

HID VertX antipassback


The antipassback feature works best once the access control system has been configured and the system is operational and relatively static. It is recommended to enable antipassback once the following entities have been properly configured and are not expected to change on a daily basis:

Unit time zones
Doors and associated readers
Areas (groups of doors)
Elevators and associated floors (including unlocking schedules)
Cardholder groups
Schedules (including card and PIN schedules)
Access rules


The following section provides guidelines for configuring, enabling, and managing the antipassback with HID VertX controllers (units):

You must use either the V1000 or V2000 for antipassback.


o V2000: Antipassback is only supported for an area with a single door having both entry and exit readers.
o V1000: Antipassback is supported for multiple areas, with each area supporting multiple doors with entry and exit readers. Limitation in the number of doors is based on the number of V100 modules installed.

Antipassback is not recommended with the Edge product line for the following reasons:
o Only a single reader can be specified for either entry or exit (not both) while antipassback typically requires both entry and exit readers.
o Peer-to-peer communication between Edge devices is not supported by Security Center.

An area with antipassback must be configured for readers wired to, and doors managed by, the same unit (V1000 or V2000) because:
o Antipassback functions are handled by the unit (V1000 or V2000).
o The Security Center does not support peer-to-peer communication between either VertX V1000 or V2000 devices.

Interlock and Antipassback are mutually exclusive. Both cannot be enabled at the same time in a given area.
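
The antipassback constraints above, together with the 24/7 Card and PIN recommendation and the single-device rule from "Door with reader configuration", can be applied as an audit over a configuration inventory. The following Python check is an added example, not Genetec code; the inventory schema, the sample names and the use of a schedule called "Always" to mean 24/7 are assumptions.

```python
ANTIPASSBACK_UNITS = {"V1000", "V2000"}  # unit types the page allows for antipassback


def audit_access_config(units, doors, areas):
    """Check a configuration inventory against the rules on this page.

    The schema is hypothetical: units {unit name: type}, doors {door name:
    {"unit", "io_units", "card_and_pin_schedule"}}, areas {area name:
    {"doors", "antipassback", "interlock"}}.
    """
    findings = []
    for name, door in sorted(doors.items()):
        # Inputs and outputs must be on the same device as the door's reader.
        stray = sorted(set(door["io_units"]) - {door["unit"]})
        if stray:
            findings.append(f"door {name}: reader on {door['unit']}, I/O also on {', '.join(stray)}")
        # Outside its schedule, Card and PIN reverts to card OR PIN.
        schedule = door["card_and_pin_schedule"]
        if schedule not in (None, "Always"):
            findings.append(f"door {name}: Card and PIN limited to '{schedule}', set it to Always")

    for name, area in sorted(areas.items()):
        if not area["antipassback"]:
            continue
        if area["interlock"]:
            findings.append(f"area {name}: interlock and antipassback are both enabled")
        # Antipassback is handled by the unit and units have no peer-to-peer link.
        area_units = sorted({doors[d]["unit"] for d in area["doors"]})
        if len(area_units) > 1:
            findings.append(f"area {name}: antipassback doors span {', '.join(area_units)}")
        for unit in area_units:
            kind = units[unit]
            if kind not in ANTIPASSBACK_UNITS:
                findings.append(f"area {name}: {unit} is type {kind}, antipassback requires a V1000 or V2000")
            elif kind == "V2000" and len(area["doors"]) > 1:
                findings.append(f"area {name}: V2000 {unit} supports a single antipassback door")
    return findings


# Constructed sample inventory (all names are made up).
UNITS = {"HQV1000": "V1000", "AnnexV2000": "V2000", "DockEdge": "EdgePlus"}
DOORS = {
    "Lobby": {"unit": "HQV1000", "io_units": ["HQV1000"], "card_and_pin_schedule": None},
    "ServerRoom": {"unit": "HQV1000", "io_units": ["HQV1000"], "card_and_pin_schedule": "Office hours"},
    "AnnexMain": {"unit": "AnnexV2000", "io_units": ["AnnexV2000", "HQV1000"], "card_and_pin_schedule": None},
    "Dock": {"unit": "DockEdge", "io_units": ["DockEdge"], "card_and_pin_schedule": "Always"},
}
AREAS = {
    "Secure": {"doors": ["Lobby", "ServerRoom"], "antipassback": True, "interlock": False},
    "Annex": {"doors": ["AnnexMain"], "antipassback": True, "interlock": True},
    "Yard": {"doors": ["Dock", "Lobby"], "antipassback": True, "interlock": False},
}

if __name__ == "__main__":
    for finding in audit_access_config(UNITS, DOORS, AREAS):
        print(finding)
```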

Elevator Control
Since the Edge devices have 2 outputs, you can use a dedicated Edge device to control access to a maximum of 2 floors.
The Edge devices can support floor tracking for up to 2 floors.
Since the V2000 has 4 outputs, you can use a dedicated V2000 to control access to a maximum of 4 floors.
For control of more than 4 floors, you need to go to a V1000.
A V1000 only supports a single elevator cab and requires a dedicated V100, one or more dedicated V200s and V300s.
V2000 can support floor tracking for up to 4 floors.
A V2000 used for elevator control becomes dedicated to elevator control. Unused inputs and outputs cannot be used anywhere else in Synergis, zone monitoring or IO linking.

Offline IO Linking (VertX only)


Offline IO linking is only possible with Zone entities. When using IO linking with the VertX in offline mode, timing may be inaccurate unless the output behavior (pulse pattern) is properly configured. It is strongly recommended to leave at least 5 seconds between two state changes, e.g. the state changes from 0 to 1, wait a minimum of 5 seconds, then the state changes from 1 to 0.


Server configuration

56000 inputs/outputs per AccessManager.
Refer to the table below for the number of cardholders supported by network controller and the number of readers per AccessManager.

Unit | # of readers per AccessManager | Max. cardholders, base memory | Max. cardholders, memory add-on | Offline event storage
EdgeReader | 210 | 22,000 | N/A | 5,000
EdgePlus | 210 | 22,000 | N/A | 5,000
VertX V2000 | 425 | 22,000 | 125,000 | 5,000
VertX V1000/V100 | 425 | 22,000 | 125,000 | 5,000

Synchronization (Offline Data Synchronization)


Max. 150 seconds to compute programming data for VertX (64 readers and 10,000 cardholders). Fewer cardholders and/or readers reduce the computation time.
Less than 10 seconds to download data to a VertX (V1000, V2000, EdgeReader).
Can load between 25 and 50 VertX units (V1000, V2000, EdgeReader) in parallel.
During the initial setup of a site or during an add-on, it is recommended to segment the access rules so that existing doors don't get affected by synchronization.
Adding a single cardholder does not require a unit synchronization; however, a change to a schedule results in some tasks restarting in the network controller, which might temporarily affect the other doors on the same controller.

Known issues

Please refer to the release notes for the latest list of known issues.

Software
An excessive number (in the thousands) of active alarms may considerably slow down the Security Desk running the Alarm monitoring task.
When installing a system with multiple Integration Services (IS), only the first IS is started after the installation completes. Workaround: The remaining IS must be started from Microsoft Management Console Services.
Reports in the Security Desk are limited to 2000 results for events and 65536 results for configuration.


HID unit known issues


Unit discovery does not show the new name you give to a unit (in the unit Identities tab) until the unit is rebooted or its power is cycled.
An HID VertX unit sometimes may not report an access decision during unit synchronization.
When a Door unlock schedule override is removed, there can be a delay of 40 seconds before the door's unit is fully re-programmed.
Setting a value for the REX unlock time in the Configuration GUI does not affect the actual time a REX unlocks a door. The actual unlock time is the Grant Access Time value or the Minimum Time value (for an output relay), whichever value is greater.
V200/V300: Periodic output behavior does not always toggle properly. Recommendation: Set output transitions for a minimum duration of 5 seconds or more.
Elevator/IO: Unused outputs are all activated when an access rule is applied to an elevator.
Elevator control: Configuring an exception to unlock schedule (controlled access) on a floor without a corresponding unlock schedule (free access) may cause the VertX controller to temporarily stop sending events to the Access Manager.
AC fail inputs: If the VertX V1000 AC Fail input is used to monitor AC, then the AC Fail inputs on all interface modules (V100, V200, V300) controlled by the V1000 can only be used for monitoring AC. Similarly, if the V1000 AC Fail is used as a general purpose input, the AC Fail inputs on the interface modules can also only be used as general purpose inputs.
Battery fail inputs: If the VertX V1000 Battery Fail input is used to monitor battery failure, then the Battery Fail inputs on all interface modules (V100, V200, V300) controlled by the V1000 can only be used for monitoring battery failure. Similarly, if the V1000 Battery Fail is used as a general purpose input, the Battery Fail inputs on the interface modules can also only be used as general purpose inputs.
VertX V1000 inputs and outputs cannot be used for the following purposes:
o A door REX, door sensor, door lock
o Elevator control or floor tracking
o Interlock, including the override or lockdown functions
o Readerless door
o IO linking (Zone)
o Door buzzer
The HID Edge device (EdgeReader or EdgePlus) can only be used to control a single door. You cannot use two HID Edge devices to configure a door with two readers. The supported configuration for an Edge device is a card-in/REX-out door.
The timer for Door Held can be set to a maximum of 27 minutes.
The clock on the controller could drift; a patch was issued by HID for firmware version 2.2.7.39. Firmware version 2.2.7.49.1 has the fix embedded.
