axon fleet network information and configuration guide

Axon Fleet Network Information and Configuration Guide

Document Rev: C Release Date: February 2020


Axon Enterprise, Inc. of 13

Microsoft and Windows are trademarks of Microsoft Corporation registered in the US and other countries.

Wi-Fi is a trademark of the Wi-Fi Alliance.

, AXON, Axon, Axon Evidence (Evidence.com), Axon Fleet, Axon Signal Vehicle, and Axon View XL are trademarks of Axon Enterprise, Inc., some of which are registered in the US and other countries. For more

information, visit www.axon.com/legal. All rights reserved. ©2020 Axon Enterprise, Inc.



Table of Contents

Introduction................................................................................................................................................. 4

Evidence.com Configuration Requirements ........................................................................................... 4

Software and Firmware Updates ............................................................................................................. 4

Axon Fleet Network Information .............................................................................................................. 4

Mobile Data Terminal (MDT)/Mobile Digital Computer (MDC) information ...................................... 4

Fleet Cameras (Front and Back) ............................................................................................................... 5

Wireless Configuration .............................................................................................................................. 6

Vehicle Network Configuration ................................................................................................................. 7

Network Configuration – Wi-Fi Offload Using Wireless Offload Server .............................................. 8

VPN Configuration ...................................................................................................................................... 9

Method 1: Local Network Exemption (Split Tunnel) .............................................................................. 9

Method 2: Application Exemption ......................................................................................................... 10

Wireless Offload Server With VPN ......................................................................................................... 10

APN Considerations .................................................................................................................................. 10

Wireless Offload Server With APN ......................................................................................................... 11

Proxy Considerations ............................................................................................................................... 11

Revision History ........................................................................................................................................ 13



Introduction

This guide provides information about network requirements for Axon Fleet. It outlines the minimum required configurations, and addresses common implementations, such as VPN, APN, and proxy.

Evidence.com Configuration Requirements

Evidence.com offers a graphical configuration UI for fast setup of Fleet vehicle information. New vehicles can be configured with a few clicks and existing configurations can be modified as needed.

When Axon View XL is in contact with Evidence.com, the correct configuration is automatically downloaded. Please review the Axon Fleet Evidence.com Set-Up Guide for more information.

Software and Firmware Updates

Axon View XL automatically downloads the latest software version. If a user is signed in to View XL, they can initiate the update. If no users are signed in to View XL, the application updates automatically.

Axon View XL downloads camera firmware updates as needed. These updates are downloaded automatically and the update is initiated by the user through Axon View XL.

Axon Fleet Network Information

This section includes information about system ports, traffic flows, and configurations. it also discusses how the system deals with updates for Axon Fleet software and firmware.

Mobile Data Terminal (MDT)/Mobile Digital Computer (MDC) information

Inbound traffic ports:

The Axon View XL installation program creates the following Windows Firewall rules during installation.

https://axonenterprise.sharepoint.com/:b:/g/joinforces/Ea0emWLdiv5CnaLlomkfzlkByz2WZdq3vVuhETypS-rTPA?e=CNOwWI



• Inbound Rule: "Fleet GPS"

Program Allowed: %installdir%\axon-agent.exe

Protocol and Port: UDP 10110

Scope: Local subnet

Currently the GPS port configuration can only be overridden using conf.toml file.

• Inbound Rule: "Fleet RTP"

Program Allowed: %installdir%\axon-agent.exe

Protocol and Port: UDP 5004-6004

Scope: Local subnet

Currently RTP (Live View) only uses UDP. The port range can be overridden via conf.toml

• Note that the HUD uses service ports 7777 and 7878 for communication, but these should only be bound to the localhost.

Outbound traffic - all outbound traffic is from non-privileged ports above port 1024:

• To camera ports outlined in the Fleet Cameras section below.

• To Evidence.com, port 443

o Encryption: HTTP/TLS

• To Evidence.com, port 80

o For time synchronization. This is done on an hourly interval using the HTTPDate protocol. Expected volume is 2KB per hour.

o Encryption: none

o Authentication: none

Fleet Cameras (Front and Back)

Open ports:

• TCP 80 (HTTP)



o Provides a webservice API for use by the Axon View XL application.

o The webservice does not respond to plaintext requests and does not provide index pages to reduce discoverability.

o Encryption: Yes for command handling, using Diffie-Hellman with SHA-256 for key exchange and the cipher is AES-256. Note that bulk data endpoints for pulling media, logs, or pinging the camera are not encrypted.

o Authentication: None. Assumes that cameras are Axon Fleet cameras with specific serial numbers.

• TCP 554 (RTSP)

o Provides a streaming server for preview of videos by the Axon View XL application. This endpoint can stream video but cannot issue any commands to the camera.

o Encryption: None.

o Authentication: None.

Outbound traffic:

• The cameras have outbound traffic for offloading video evidence and for live view over the local area network.

Wireless Configuration

Each Fleet vehicle needs to host an 802.11 wireless network using 5 GHz band. The wireless network is required because Fleet cameras are not wired to an Ethernet network.

Requirements:

• 802.11n @ 5GHz with a 20MHz channel width.

• Non-DFS channels are required.

• WPA2-PSK security is required.

• Unique SSID per vehicle, using only 5GHz. SSID may be hidden.

• DHCP service on the wireless network.



Vehicle Network Configuration

Within the vehicle, the MDT needs connectivity to the cameras on the local network, and Evidence.com.

Requirements:

• DHCP service for the cameras. The cameras query for an IP address at startup. The MDT/MDC running Axon View XL can hold a static IP.

o Axon Fleet is designed to integrate with Axon body cameras, so the DHCP pool should contain a minimum of 3 camera IP addresses (two Fleet and one body camera).

• Layer 3 reachability between the Axon View XL app and the cameras. The devices don't rely on broadcasts in layer 2, so they can be placed in different VLANs, provided that the subnets can route between each other.

• GPS Setup: Axon View XL listens for GPS on port 10110 UDP (NMEA or TAIP).

o Recommended GPS reporting interval is 1 second.



• For full tunnel VPNs, exceptions should be made for local traffic to the cameras.

Network Configuration – Wi-Fi Offload Using Wireless Offload Server

For qualified customers, Axon offers an optional offload method with an on-premises server. When a vehicle’s router connects to a pre-configured wireless offload infrastructure, Axon View XL establishes a connection to the offload server. Video is copied to the offload server from the in-car environment. Videos on the offload server are then uploaded to Axon Evidence (Evidence.com).

IMPORTANT: Before completing this section, please complete the previous Vehicle Network Configuration section.



Requirements:

In addition to the network requirements outlined in the previous Network Configuration section, Wi-Fi offload using a Wireless Offload Server requires additional changes to be made.

• An active Wireless Offload Server and qualified wireless infrastructure are required – please contact your Axon Sales Engineer for more information.

• Wi-Fi as WAN connection from the in-car router to wireless offload infrastructure.

o A dedicated radio for video offload is recommended.

• Complete network path from View XL to the Wireless Offload Server.

• Avoid network IP conflicts between the onsite wireless infrastructure and the in-car network.

• If using VPN or APN, traffic bound for the Wireless Offload Server must be exempt from the tunnel.

o Warning: failure to exempt this traffic from the tunnel may result in offload to the Wireless Offload Server over the LTE connection.

VPN Configuration

Dependent on the specific agency configurations, a VPN may force all IP-based traffic to travel through its tunnel to a remote network. To allow software residing on the Mobile Data Computer (MDC or MDT) to communicate locally to the cameras installed in the car, the traffic must be exempt from the tunnel.

It is required that a VPN administrator be available during the Axon Fleet installation period.

Method 1: Local Network Exemption (Split Tunnel)

One method for enabling local network communication between the MDT and cameras is using a split tunnel to exempt local network traffic. Refer to your VPN provider documentation for instructions on configuring this exemption.

• Example: If the local in-car network is 192.168.0.0/24, a rule would be implemented to exempt traffic bound for this network, which would allow View XL to communicate with the cameras.



Method 2: Application Exemption

Video data may be quite large. To prevent offload traffic from being steered through a remote network, an exemption should be added for the Fleet application, Axon View XL. Adding this exemption would prevent View XL traffic from traversing the tunnel, mitigating potential bandwidth congestion.

Exemptions should be added for the following:

• %installdir%\axon-agent.exe

o Responsible for communication with cameras, general communication with Evidence.com, and evidence offload.

• %installdir%\Axon Fleet.exe

o Note: the space in “Axon Fleet” is intentional

o Handles user authentication against Evidence.com, including optional Single Sign On.

Wireless Offload Server With VPN

When implementing a Wireless Offload Server, the network architecture should be designed to prevent reachability from outside the local network. Traffic destined for the Wireless Offload Server should not traverse a VPN tunnel. A rule must be added to exempt traffic to the Wireless Offload Server. Failure to exempt this traffic from the tunnel may result in upload to the Wireless Offload Server over the LTE connection.

APN Considerations

Some agencies may use a private network through their cellular carrier. Similar to a VPN, some traffic may need to be exempt or split from the APN traffic rules.

• If traversing an APN, Evidence.com must be accessible from the MDT. Refer to Axon’s Support article for a list of Evidence.com IP addresses in your region:

https://help.axon.com/hc/en-us/articles/360012107134-Managing-Network-Whitelisting-with-Axon-Cloud-Services





Wireless Offload Server With APN

When implementing a Wireless Offload Server, the network architecture should be designed to prevent reachability from outside the local network. Traffic destined for the Wireless Offload Server should not traverse an APN. A rule must be added to prevent traffic to the Wireless Offload Server through the APN. Failure to exempt this traffic from the APN may result in upload to the Wireless Offload Server over the LTE connection.

Proxy Considerations

Agencies that require use of an internet proxy will need to implement configurations in Windows Environment Variables to facilitate Axon View XL’s communication with Evidence.com.

1. Open the Start menu, search for Edit system environment variables, and click the link.

2. Click Environment Variables.



• Under System Variables, click New.

• Add the Variable name (HTTPS_Proxy) and Variable value (proxy address) to allow Axon View XL to use proxy. Click OK.

• If using a Wireless Offload Server, add another new System Variable for the server.



Revision History

This section summarizes the changes to this guide, per each version of the guide. The revision table lists the versions in reverse order, so that you can more easily see the most recent changes to the guide.

Release Name and Document Revision

Revision description

Rev C February 2020

Updated for configuration changes.

Rev B December 2017

Corrected some steps in the Cradlepoint GPS Configuration procedure.

Rev A June 2017

Initial Version

axon fleet network information and configuration guide

Documents