Access Control Server Guide

Access Control Server Guide 

Wish you a very Happy New Year 2024.

Electronic access control systems need to be managed. The 'server' though can range across:-

• Panel based / 'serverless' systems
• Combo workstation / server systems
• Dedicated servers
• Virtual servers

We explain, compare and contrast each one, including with a review of manufacturer minimum server specifications.

Server Specs Determined by System Size, Version

Typically the biggest factor when choosing an access platform version is sizing based on the overall number of doors, cardholders, schedules, or system integrations required. The smaller and less complex an access system is, the fewer servers resources required, with options ranging from 'serverless' small systems to multisite, multiple server 'enterprise' systems controlling thousands of doors.

For example, take a look at how specification varies for the platforms below:

• Lenel goEntry (now Honeywell) vs. OnGuard: goEntry / truPortal is serverless and panel based, while OnGuard uses dedicated servers.
• Software House SiteServer vs. Enterprise: The SiteServer appliance manages a fraction of the doors and users possible with Enterprise.
• RS2: Offerings ranging from workstation based 
• DSX: While dedicated server dependent for even small systems, DSX supports virtualization (other access platforms do too) proving options on how many and how strong system servers should be.
• S2: A differentiation of S2's offerings are that they are completely 'serverless' designs, instead hosting all software inside controller panels.

In the sections below, we examine the four basic system architectures and which type of servers are required for each option.

Panel Based Systems

Some access systems are 'serverless' because the system controllers or panels themselves contain the hardware for administering the system. No external or additional server is needed for production use.

This architecture is most common in small or highly dispersed access systems, where installing and maintaining multiple servers would be very costly.

Examples of panel based architecture include:

• Axis Entry Manager
• HID Edge SOLO
• Vanderbilt BrightBlue
• Honeywell NetAXS-123
• Interlogic truPortal (formerly Lenel goEntry now Honeywell portal)
• S2

While being panel based defrays the cost of additional servers, performance can be quite sluggish and storage limited compared to server based alternatives. Integration with panel based systems is also very limited, with almost no examples of externally reference shared databases or video surveillance integration in the market.

Enterprise class serverless platforms are available, with offerings like S2's Netbox or Linear's Emerge being familiar examples.

Combo Workstation/Server Systems

The next tier are 'combination' servers, where the parent management application is light enough it can be installed as a concurrent service running on multi-tasked workstations. The size of systems using this server option are still small, although multiple servers can typically be combined in a central management platform. Outside integrations with other systems are possible

Often, these types of software are bundled in non-enterprise versions running on appliances:

• Genetec's SV16
• Milestone Husky
• SoftwareHouse C*CURE 9000 Site Server

While 'software-only' versions feature installations where server and clients placed on the same workstation:

• RS2 AccessIt Lite
• Infinias  Intelli-M
• Keyscan System VII

In general, workstations for these types are modest dual core, 8GB RAM, Windows OS personal computers that can be used in general office duty while serving as access server.

Dedicated Server Systems

At the enterprise level, system management and databases can grow to be so large and expansive, dedicated server hardware is required. In many cases, cardholder database and access permission rules can be tens of thousands of records, and drawing from general corporate SQL databases is mandatory to control management costs.

Also at this level, integration with other systems like payroll, visitor management, and even accounting systems are commonly required. Features like fail-over, data mirroring, LDAP/Active Directory support, and cross-domain networking of access devices are routinely needed. For these complex implementations, dedicated servers (and even multiple servers) are typically required.

Incumbent brands like Lenel, Software House and other enterprise platforms use dedicated servers. The below details a C*CURE 9000 Enterprise system:

Usually dedicated servers in this class are specified as multiple cores, Server OS, rack mount units designed for enterprise management and use.

Virtual Machines

Unlike Video Management Platforms where virtualization is often discouraged, using virtual servers to host physical access software is common and even officially supported by many vendors. The specific requirements, limitations, and virtualization platform support vary according to access control system. The below details DSX's requirements:

Minimum Server Specifications

Choosing the exact computer needed for an access install is spelling out in minimum requirement specifications like the ones below:

• Lenel OnGuard ES (min Xeon E5-1607 v2, Quad Core, 3.0GHz, 16GB RAM) 
• SoftwareHouse (min Intel 3.4 GHz with 64-bit CPU, 8GB RAM)
• RS2  (min Pentium Dual Core or AMD Athlon II 2.00GHz, 8GB RAM for 64bit OS)
• Keyscan (min Pentium Dual Core 2.20GHz, 8GB RAM)
• Paxton (min Pentium Dual-Core 2.00GHz, 8 GB RAM)

However, additional roles can impact the minimum build needed. Other factors include:

Additional Functions Impacting Server Size

On occasion, certain functions are run on the access control management server, such as:

• Main Operator Interface: If the access server also hosts the main interface client, especially if video surveillance is integrated, the overall build of the server (especially video card performance) may need to increase.
• Visitor Managment Kiosk: Another common add to access platform servers are Visitor Management Systems.
• Enrollment Station / Badge Printing:  Access platforms typically onboard new cardholders and generate credentials through separate applications. In many cases, these can be combined with base access management software, but may impact hardware requirements.

Database Integration

The most common connection between an access management system and a network environment is the database. In the interest of maintaining the minimum number of datasets and creating records once, the access system often ties into a master roster kept in enterprise grade databases.

Integrating to these platforms often requires a hardware overhead of its own, and licensing an access server to access these records can drive additional resources.

Access Control Standards Revolution Now In Progress

Access Control Standards Revolution Now In Progress 

Access control provides the ability to control, monitor and restrict the movement of people, assets or vehicles, in, out and round a building.

Access control is essential for all businesses to protect people and assets and has the added benefit of being expanded from controlling, for example, a single entrance door, to a large integrated security network. There are also huge potentials in terms of integrating other systems, such as Time and Attendance, Visitor Management, ANPR, Fire, Intruder and CCTV.

Few specifications are seen more commonly in access control than UL 294. However, aside from seeing it in print, very few understand what it means. In this note, we break apart and define this spec, describing why it is a vital part of many Access RFPs.

A Standard Defined

The scope of UL 294 covers three aspects of Access Control systems: 

• Construction (Installation)
• Performance
• Operation

Essentially, the heart of UL 294 is a safety standard, where testing proves that system components can be assembled and operate reliably without hazard. In the case of access control, this is a step beyond just validating devices will not catch fire or spark - it attests that the system will not harm the safety or impede egress of those using the system.

In practical terms, this means doors will not accidentally stay locked and keep people in harm's way even during a malfunction. The UL standard subjects each labeled device to a range of testing designed to show the equipment meet relevant code expectations from:

• NEC (NFPA 99): Requirements that each component will not create a hazard either during (recommended) install or use (Sparking, Grounding)
• NFPA 72: Fire Code compliance, assures that controllers include interfaces with fire alarm/suppression systems 
• NFPA 101: System devices 

A UL 294 mark is a 'extra step' the vendor has taken to 'prove' their equipment is safe, and it stands as a 'mark of assurance' when included in buying specifications that dubious equipment will not be purchased.

The Mark

While Underwriter's Laboratories offer a range of 'UL Symbols' that can be interpreted to signify different standards. In the case of UL 294, the mark looks like this:

The UL 'Security Mark' applies only to products such as intrusion detectors, burglar alarms, access control, safes, and vaults.

Performance Tests

UL 294 includes several tests that evaluate how well devices withstand damaging environments. Devices are subjected to atypical electrical, environmental, and brute force situations, including:

• Variable Voltage
• Variable Ambients (Environment)
• Humidity
• Endurance (Ruggedness)
• Transients
• Corrosion
• Standby Power (Battery backup)
• Physical Attack Toughness

Tests are performed individually and are not 'layered' or 'stacked' simultaneously as might occur in the field. The exact methodology for each test depends on the device being tested, but the resulting grade is given in four levels of security performance with Level I (lowest level security equipment) to Level IV (highest level security equipment). 

Exclusions

However, not all parts and features of an Access platform fall under the scope of UL 294. Two areas excluded from the scope include:

• Headend Server/Database: The scope reads "The accuracy of logged data is not evaluated by this standard", and also "This standard does not apply to supplementary computer equipment that is not necessary for operation of the access control system..."
• Intrusion Detection: Again, the scope details "Where an access control equipment and/or system incorporates the features and functions of a burglar alarm control unit, the requirements of the Standard for Proprietary Burglar Alarm Units and Systems, UL 1076, shall also apply"

This is important to note when careless specs are written that "All Access Equipment shall be UL 294 Certified", because this is inherently not possible. There will be major functional aspects outside the scope of the standard.

Large System Adoption

Especially for larger systems, UL 294 is common, including devices from: Mercury Security, C*Cure, S2, Maxxess, Sargent, etc.

However, certification is done on a component basis, and there may be gaps in a brand's portfolio. If UL 294 compliance is required in a system, every hardware component must be checked for conformity, as there is no 'system' certification.

Systems and platform intended for smaller deployments (<100 doors) typically forego the certification, because it simply is not a purchasing driver for many non-enterprise customers.

Prime Use

Regardless of the 'safety' overtures, like UL certification for surveillance equipment, 294 is primarily used to exclude non-compliant systems from specifications. UL 294 evaluation is not mandatory for Access Equipment, and many vendors forego the cost of certification especially when their offerings are not well suited for larger government, institutional, and hospital verticals where 294 is commonly cited. 

Likewise, while the mark's testing 'proves' that devices are safe, the onus remains on the field technician to install them in the correct fashion to indeed live up to the certification.

Remember once UL certification has void OEM is not responsible for any health & safety incident of your premises. UL certification void due to repairing through unauthorized service provider....etc.

NFPA 101

While NFPA 101 is comprehensive, the most relevant passages for access control include:

• NFPA 101: 'Electrically Controlled Egress Doors' (2012: 7.2.1.5.6; 2009: 7.2.1.5.5)
• NFPA 101: 'Releasing Devices' ( 2012: 7.2.1.5.10-12; 2009, 2006, 2003: 7.2.1.5.9 -7.2.1.5.11)
• NFPA 101: 'Access Controlled Egress Doors' (7.2.1.6.2)

Specifically, requirements like Access Control Request to Exit (RTE), Exit Devices, and Delayed Egress foundationally conform to NFPA 101.

NFPA 72

In general, this code is the foundation of requirements that doors must release when fire alarms or smoke detectors go into alarm.

NFPA 80

Specifically, this code examines Fire Doors and how they are properly used for protection in a building. In many cases, these door types are also slated to become access-controlled openings, and the 'Locks or Latches (6.4.4)' section describes which modifications are permitted for access use without voiding their fire door ratings.

IBC: International Building Code

The IBC, published by the International Code Council, is essentially a guidebook for designing and engineering safe buildings.

If not observed directly as the authority, then whatever resulting codes that do have authority take guidance from the source.

• ·     IBC: 'Door Operations' (2012, 2009: 1008.1.9; 2006, 2003: 1008.1.8)
• ·       IBC: 'Sensor Release of Electrically Locked Egress Doors' (2012: 1008.1.9.8; 2009: 1008.1.4.4; 2006, 2003: 1008.1.3.4)
• ·       IBC: 'Electromagnetically Locked Egress Doors' (2012: 1008.1.9.9; 2009: 1008.1.9.8)