iProtect™ - SimonsVoss VCN

Installation Manual | IM-20230628-AVW-02

iProtect Access / Security | Functionalities | iProtect™ - SimonsVoss VCN

 

1. iProtect Aurora and SimonsVoss VCN

 iProtect Aurora can control SimonsVoss data on card (VCN), by means of using a data on card solution. The VCN system is a data on card system in which the access profiles are distributed via the access cards instead of online card readers. We also refer to this system as “native” or “offline” because the access rights are defined in the iProtect database itself and are distributed to the access card using a iProtect controlled enroll or update reader.

 

1.1 System architecture

 

                                                                                                                                                            

iProtect:                      The security management system from TKH security.

Pluto/Orion:                The network and door controller from TKH security.

RS485 reader:             The online update reader to manage the cards from TKH security.

Card:                           The access control card of the end user.

Smartintego VCN:       The Simons Voss integration tool for programming the locks.

Offline cylinder:          The offline access control lock/cylinder.

1.2 System requirements

At least the specified firmware versions are needed to let the system work properly.

Hardware

Description

Extra information

Versions

iProtect

SMS

-

From: 9.03.02

Recommended from: 10.01.xx

Pluto

Reader manager

-

From 5.00.41

Recommended from: 5.03.23

Hardware control applet

only needed when using iProtect version 9.10.xx and lower

From: 3.00

Orion

Door controller

Bootloader

From: 2.3.0.15

Recommended from: 2.4.2.17

Firmware

From: 1.4.40

Recommended from: 1.5.18.86

Sirius

I Serie

-

From firmware: 1.5.32

Sirius

IX serie

 

From firmware: 2.0.5.a.1

SimonsVoss

SmartIntego VCN

 

Use with iProtect version 09.03.02 and higher

2.1.6411.25403

Use with Smartintego VCN version: 2.1.6411.25403

Access DB Engine Runtime 2007

SmartIntego VCN

 

Use with iProtect version 10.01.xx and higher

From 3.0.7600.18050

SimonsVoss lock firmware

SV SI2 Cylinder

5.4.16

SV SI2 handle

5.6.09

SV AX handle and Cylinder

1.1.519

Card

Mifare DESFire

-

ev1 and ev2

 

2 Installing the SimonsVoss software

Be sure before starting to integrate the solution, that the following software is installed as described in the SimonsVoss manual.

  • SimonsVoss Smartintego VCN

  • SimonsVoss SMART.CD

A new project file should be created in the SimonsVoss Smartintego VCN software, it is also possible to start a new project by opening a template file (see 2.2). The SimonsVoss Smartintego VCN software is necessary to configure all the locks.

 

Please contact your consultant or the TKH service and support department for the “TKH_security_defaultSVVCN_cardconfig_DES.ikt” template file or the KEY information.

2.1 Password handling

Project password: The smartintego tool stores the locking system configuration in a project .ikp file. The project password protects the file access. This password is changeable in the tool itself.

 

Lockingsystem password: The configuration of the locks will be secured with the locking system password. The password will be written into every lock and is not changeable afterwards. With this password it is possible for example to do emergency opening or resets the locks. Keep this password protected!

2.2 Mifare DESFire ev1/ev2 card configuration

From Smartintego VCN version 3.0 the project must be started by opening the “TKH_security_defaultSVVCN_cardconfig_DES.ikt” template file. This template file has the card coding settings so there is no need to create a card configuration in Smartintego VCN. The password is 12345678.

When using Smartintego VCN version 2.1.6411.25403 the standard TKH reader settings which must be set into the SimonsVoss Smartintego VCN software is as described below.

Column name:

TKH setting:

ID

set as default

Name

set as default

AppId:

16064888 (TKH security default)

FileNo1:

0

FileNo2:

1

FileNo3

2

FileSize1

0016

FileSize2

1024

FileSize3

256

FileType1

standard

FileType2

standard

FileType3

backup

Please contact your consultant or the TKH service and support department for the “TKH_security_defaultSVVCN_cardconfig_DES.ikt” template file or the KEY information.

3 Configuring iProtect for update/enrolment

iProtect needs to be configured before a card reader can be used as enrolment or update reader.

  • An enrolment reader is used to create the SimonsVoss application on the card.

  • An update reader is used for updating the access rights and collect transactions.

The difference is made in the interpretation. In total there are three different interpretation needed in a system:

  • DESFire default interpretation (for regular readers)

  • Enrolment interpretation (for enrolment readers)

  • Update interpretation (for update readers, and VCN locks)

 From iProtect 10.04, the Update card data interpretation must be used instead of the Enrollment interpretation at the Enrollment readers.

3.1 Configuring the card presentation

           

Click in iProtect™ Aurora on the menu item Access | settings | card coding | card number presentation

Right-click in the browse window and press on “Wizard card number presentation”

  • Enter the following data:

    • Name: Specify a logical name

    • Default card data interpretation: “SV VCN TKH Desfire compatible”

Press on “ok”

Click on the created interpretation and go to “system code”.

  • Enter the following data:

    • Start: 5

    • Length: 6

    • Code: the DESFire system code

Click on the created interpretation and go to “facility”.

  • Enter the following data:

    • Start: 21

    • Length: 4

    • Code: The from TKH security received code

Click on the created interpretation and go to “interpretation selection”.

  • Enter the following data:

    • Start: 25

    • Length: 2

    • Code: 2

Click on the created interpretation and go to “offline validity”.

  • Enter the following data:

    • Validity period: enter the desired validity, advised is 24:00 (max 8766:00)

    • Update period before expiring: enter the desired time before expiry when a new update can be done.

Save the data

 

From iProtect version 10.00.xx also a provisioner group must be chosen:

  • When using iProtect 10.00.xx and lower select: Pluto Simon Voss update (system default)

  • When using iProtect 10.01.xx with Smartintego VCN version 2.1 or version 3.0 with the SmartIntego II card configuration select: Pluto SV VCN SI2 update (system default)

  • When using iProtect 10.01.xx with Smartintego VCN version 3.0 and the SmartIntego AX card configuration select: Pluto SV VCN AX update (system default)

The default added interpretation will be used for update readers

When the validity period time is higher than 480:00, offline transactions uploaded by access card will have a wrong timestamp  

3.1.1 Card interpretation for enrolment

Click in iProtect™ Aurora on the menu item Access | settings | card coding | card data interpretation

Right-click in the browse window on the presentation made in 3.1 and press on “Add card data interpretation”

select as “default card data interpretation” “TKH Desfire”

  • Enter the following data:

    • Name: Specify a logical name

    • Format Data length: 14

Click on the created interpretation and go to “interpretation selection”.

  • Enter the following data:

    • Reader start: 13

    • Reader length: 2

    • Reader code: 2

Click on the created interpretation and go to “offline validity”.

  • Enter the following data:

    • Validity period: enter the desired validity (max 8766 hours)

    • Update period before expiring: enter the desired time before expiry when a new update can be done.

Save the data

 

From iProtect version 10.00.xx also a provisioner group must be chosen:

  • When using iProtect 10.00.xx and lower select: Pluto Simon Voss enroll (system default)

  • When using iProtect 10.01.xx with Smartintego VCN version 2.1 or version 3.0 with the SmartIntego II card configuration select: Pluto SV VCN SI2 enroll (system default)

  • When using iProtect 10.01.xx with Smartintego VCN version 3.0 and the SmartIntego AX card configuration select: Pluto SV VCN AX enroll (system default)

3.1.2 Card interpretation for TKH DESFire

Click in iProtect™ Aurora on the menu item Access | settings | card coding | card data interpretation

Right-click in the browse window on the presentation made in 3.1 and press on “Add card data interpretation”

Select as “default card data interpretation” “TKH Desfire”

  •  Enter the following data:

    • Name: Specify a logical name

    • Format Data length: 12

Click on the created interpretation and go to “system code”.

  • Enter the following data:

    • Start: 1

    • Code: “the DESFire system code”

Save the data

From iProtect version 10.00.xx also a provisioner group must be chosen, select: Pluto Sirius MifareSec 8 digits and Desfire 12 Digits (system default)

3.2 Configuring the Pluto

  

  • Make sure all connections are in accordance with the technical drawing and connect the Pluto to the network.

  • Open the Explorer and browse to the following address: https://192.168.1.195. The login screen appears.

  • Enter “controller” as username. The default password is “Pluto”.

  • On the maintenance page select “Network settings” and enter the desired information like IP address and IP address gateway.

  • Select “Hardware” and activate “Diagnostics”. Diagnostics enables automatic detection of devices connected to the Pluto and testing of it. Deactivate diagnostics after successful test.

  • Select “Tools” and verify the connection with iProtect™ by entering the IP address of the iProtect™ server together with port number 20100 at Netcat and press the “Test” button.

3.3 Configuring the line

  • Click in iProtect™ Aurora on the menu item Installation | Hardware | Line.

  • Right-click in the browse window and select “Add line‟. The detail window opens.

  • Enter the following data:

    • Name: “specify a logical name”

    • Type: “network device”

    • Provisioner group: “Pluto”

    • Active: (check)

    • Active with node: (check)

    • Function of the line “Keyprocessor”

    • IP address: “enter the IP address of the Pluto”

  •        Click on the “Save” button.

  •        Press the button “Send new Keystore”.

When having the connection between iProtect™ and the Pluto in place, automatically the latest software update will be installed on the Pluto. This may take a few minutes. When finished, the “Current status” will be “Idle”.

  •  Click on the “read in” button. The Pluto will automatically detect and configure connected nodes.

  •   Activate connected reader by presenting twice an access card. The reader LED should be blinking.

3.3.1 Configuring the enrollment reader

  • Click in iProtect™ Aurora on the menu item Installation | Hardware | Reader.

  • Click on the “Search” button and select the Reader that is planned for card enrolment.

  • Enter the following data:

    • Name: Specify a logical name

    • Card data interpretation: Enter the enrolment card data interpretation which is made in chapter 3.1.1

Save the data.

Before a card can be enrolled, an offline access profile bust be created. For more information of the availability see chapter 6.2.3.

 3.3.2 Configuring the update reader

  • Click in iProtect™ Aurora on the menu item Installation | Hardware | Reader.

  • Click on the “Search” button and select the Reader that is planned for card update.

  • Enter the following data:

    • Name: Specify a logical name

    • Card data interpretation: Enter the Update card data interpretation which is made in chapter 3.1

Save the data.

4 Configuring iProtect for SimonsVoss

4.1 Configuration SimonsVoss line

  • Open menu Installation | Hardware | Line

  • Right-click to “add a new line”

  • Enter the following data:

    • Name: specify a logical name

    • Type: “Server”

    • Active: (check)

    • active with nodes: (check)

    • Modus: “Virtual line”

Save the data.

4.1.1 Configuring SimonsVoss node

  • Click in iProtect Aurora on the Virtual line which is created in 4.1

  • Right-click in the browse window and select “Add node‟. The detail window opens.

  • Enter the following data:

    • Name: Specify a logical name

    • Active: (check)

    • Node type: “SimonsVoss VCN”

Save the data.

4.1.2 Configuring offline reader

  • Click in iProtect Aurora on the menu item Installation | Hardware | Reader.

  • Right-click in the browse window and select “Add Reader‟. The detail window opens.

  • Enter the following data:

    • Name: Specify a logical name

    • Card data interpretation: the card data interpretation made at chapter 3.1

    • (Time Anti): The area where the reader belongs to

    • Modus: standard

    • Buzzer enabled: (check)

Save the data.

4.1.3 Configuring offline reader groups

  • Click in iProtect Aurora on the menu item Access | Settings | Reader group.

  • Right-click in the browse window and select “Add Reader group‟. The detail window opens.

  • Enter the following data:

    • Name: Specify a logical name

    • Group type: Offline reader

    • Node: “The name of the SimonsVoss VCN node created at chapter 4.1.1

Save the data.

Add the desired VCN locks to the reader list. If needed more reader groups can be created in the same way. Use a “admittance” to create a complete access profile.

5 Exchanging the configurations

To configure the locks with the in iProtect configured settings, an export is needed once.

5.1 iProtect to VCN

  • Click in iProtect Aurora on the menu item Installation | Hardware | Node.

  • Select at “Export” all if the whole configuration needs to be exported, or Non synchronized if only the changed readers need to be exported.

  • Click on “Export” and save the .XML file.

  • Go to the SimonsVoss VCN tool and open the project made at chapter 2.

  • Go to File | import | VCN configuration and select the saved .XML file.

  • Execute the tasks and save the project.

5.2 VCN to iProtect

If all desired tasks are executed, the configuration can be exported.

  • Click on VCN configuration at the SimonsVoss VCN tool at file | export

  • Save the .XML file

  • Click in iProtect Aurora on the menu item Installation | Hardware | Node

  • Click on “upload” and select the saved .XML file

  • Click on “Import”

All readers are now synchronized with the latest available information.

6 Supported features

This chapter will describe the supported functionalities and features.

6.1 Offline door features

The following features and settings can be used on the offline doors.

6.1.1 Name

Logical name of the card reader.

Type: Text

  • Default: empty

  • The name is mandatory.

  • Max value: 32 characters

6.1.2 Transaction storage enabled

Setting if the offline events must be stored in the reader or not.

Type: Checkbox

  • If selected.

    • Offline transactions will be stored in the lock as long as possible based on first in first out.

  • If not selected

    • Offline transactions will be not stored in the lock.

6.1.3 Status

Fields with information gained from the offline lock:

Type: information.

 Offline synchronization status:

  • Reader is not synchronized

  • Reader is programmed (ok)

  • Reader is in error

  • Reader is deactivated

  • Retrieving access list from reader

  • Emergency open

Version:

  • Lock: firmware in the lock, presented as X.X.XX

  • Reader: firmware in the reader, presented as X.XX.XX

6.1.4      Unlock time

Default door open time used when a valid card is presented.

Type: Time setting

  • Step size: 1 second.

  • Max value: 25

  • Default value: 3

6.1.5 Alternate door unlock time

Depending on card settings an alternate door <unlock time> can be used.

Commonly used for logistic employees, persons with disabilities or other persons who needs more time to pass a door.

Type: Time setting

  • Step size: 1 second.

  • Max value: 25

  • Default value: 5

6.1.6 Offline reader modus

Setting which determine if a lock can be set in office mode or not.

Type: Selection box

  • Standard:

    • Reader cannot be set in office mode.

  • Office:

    • Reader can be set in office mode.

6.1.7 Buzzer enabled

Setting if the buzzer is enabled or not.

Type: checkbox

  • If selected

    • Reader buzzer is enabled

  • If not selected

    • Reader buzzer is disabled

6.1.8 Create lock tasks

It is possible to create lock specific tasks by pressing on the task buttons.

  • Replace:

    • This function will copy/past all the settings into a new lock. This can be used for replacing a new lock for a (broken) lock.

  • Read access list:

    • This function makes it possible to collect the access transactions from the specific lock. The lock transactions uploaded to iProtect by the XML file will be stored as “offline reader information” transactions.

  • Emergency open:

    • This function makes it possible to open the door from iProtect with the Smart.CD.

 Tasks can be executed from the SimonsVoss VCN software by importing the XML file, use the steps described in chapters 5.1 and 5.2.

6.2 Card features

This chapter describes the features which concerns the offline locks.

6.2.1 Transaction and event storage

The following transactions and events will be stored on the card:

Amount

Type

Description

10

Access transaction

Regular access transaction

2

Access denied transaction

Regular access denied transaction with reason why the access is denied.

10

Prio events

Event for lock information and battery statuses.

10

Status events

Event with status information for e.g. hotlist and other operations

6.2.2 Expiration date

Shows the offline expiration date.

Type: information

 6.2.3 Status

Shows the status of the offline access profile.

  • Normal:                      

    • card does not need an update

  • Update available:       

    • offline access profile is available and the card can be update

6.2.4 Alternate door unlatch time

This function determines if the normal, or alternate door unlock time will be used.

Type: checkbox

  • If selected

    • Alternate unlock time will be used

  • If not selected

    • Normal unlock time will be used

6.2.5 Activate office mode

This function determines if the card may use the office mode functionality or not

Type: checkbox

  • If selected

    • Office mode can be used

  • If not selected

    • Office mode cannot be used

6.2.6 blocklist

This function will block the affected card and this information will be spread to all locks with the cards which are in use for the offline locks.

Type: checkbox

  • If selected.

    • Card is block-listed.

  • If not selected

    • Card is not block-listed or removed from blocklist.

 

Things to know about blocklist:

  • This function is specifically designed for stolen and lost cards.

  • A block listed card is deactivated for use on offline locks when presented at the first offline lock that “knows” the card is block listed.

  • When a block listed card is removed from the blocklist it needs an update before it can work again

  • If a card is removed from the blocklist it cannot remove itself from the blocklist of a lock (that will only deactivate the card again for use on offline locks) only another card can remove a block listed card.

  • A maximum of 10 block listed cards can be programmed on an access card.

  • A maximum of 500 block listed cards can be programmed on an offline lock.

  • To prevent that the maximum amount is reached on a card or on a lock a block listed card will have an end of blocklist time. That is the Expiration date of the card plus a week.

6.2.7 Technical monitoring

To monitor the technical status of a lock, an analogue input is automatically created for the lock battery status. The battery status is updated to the iProtect system by the access cards using the update reader(s)

Battery status:

Input name

Available levels

 

 

Battery status

OK

Replace battery (30 days left)

Alarm (20 days left)

No status available

 6.3 Online reader features

This chapter describes the features of the online enrollment and update reader.

6.3.1 Enrolment reader

The enrolment reader is able to create the SimonsVoss VCN application at the Mifare DESFire card. After creating the application, the application will be updated with the offline access rights.

The enrolment process contains the following steps:

  1. Present card

  2. Reader LED changes from RED to BLUE

  3. Create SV VCN application at the card

  4. Update SV VCN application at the card

  5. Enrollment finished. LED changes from BLUE to GREEN

 

Error feedback from the reader:

 

Feedback

Meaning

LED blinks GREEN/RED

Card has no valid access profile on the enrollment reader

Beeps twice

Error beep. Card update fails

 Please notice that during an error, a transaction is created in iProtect. This transaction contains more detailed information.

 6.3.2 Update reader

The update reader is able to update the access rights, validity or retrieving transactions.

  1. Present card

  2. Reader LED changes from RED to BLUE

  3. Update SV VCN application at the card and retrieve transactions

  4. Update finished. LED changes from BLUE to GREEN

Error feedback from the reader:

Feedback

Meaning

LED blinks GREEN/RED

Card has no valid access profile on the update  reader

Beeps twice

Error beep. Card update fails

Please notice that during an error, a transaction is created in iProtect. This transaction contains more detailed information.

7 Update iProtect and Smartintego

7.1 Update iProtect

In basis a iProtect update can be performed using the iProtect update manual, In most cases no extra preparation and steps are needed. However when updating from a iProtect version prior to 10.01.xx to iProtect version 10.01.xx or higher extra care is needed.

Because of an improved time handling system, it is necessary to reprogram the locks. When this action is not performed there will be time difference in access to a lock and transactions of a lock.

It is understandable that more time is needed to reprogram all the locks, and no problem with access is desired In that case it is possible to grant cards 24/7 access to the lock(s). Access will than work, offline transactions will than not have the correct time stamp. Before this action is performed we advise to discuss this with the person responsible for security.

7.2 Update Smartintego VCN version, 2.6 to 3.0

From iProtect version 10.01.xx Smartintego version 3.0 can be used. Smartintego 3.0 uses however another key set to communicate with the card, AX locks will only work with this key set. For this reason, a migration is needed when Smartintego is updated from version 2.6. to 3.0. This chapter describes the migration steps.

7.2.1 Migrate the existing cards to the new AX config.

To achieve this a “update migration” reader script is needed to migrate the existing (Smartintego II) config to the new (Smartintego AX) config. This script is by default added as a reader provisioner group in iProtect version from 10.01.xx and can be selected at an individual card reader or at the card data interpretation. The new AX card configuration is compatible with the old configuration, so migrated cards will still work on locks that are not migrated.

  1. Select at the update reader (for individual) or at the update reader card data interpretation (for all) the “Pluto SV VCN AX migration update (system default)” provisioner group. This will activate the migration for cards on the update reader(s)

  2. Select at the enroll reader (for individual) or at the enroll reader card data interpretation (for all) the "Pluto SV VCN AX enroll (system default)" provisioner group. This will activate the AX enroll reader script to enroll new cards with the new AX config.

7.2.2 Migrate Smartintego VCN and the locks

When all accesscards are migrated (chapter 7.1) the VCN software can be updated.

  1. Update or new install Smartintego VCN version 3.0 and open the existing project (.ikp) file.

  2. The software will detect that it is a “old” project and will automatically open it with the “old” Smartintego II card configuration. The system can still be used with the Smartintego II card configuration, AX locks will however not work.

  3. Make a backup of the project to ensure a roll-back possibility.

  4. In the Smartintego VCN software at card configuration press the “Migration to AX” button and read/ confirm the questions that follow.

  5. Setup the Smartintego AX card setup, change the next settings:

    1. Application ID: 16064888 (TKH security default)

    2. Lock Gateway Key: The read /write key, please contact your consultant or the TKH service and support department for the key information.

    3. Lock Gateway Key No: 3

  6. Save the project

 From this moment the Smartintego II card configuration cannot be used anymore, every lock that is (re)programmed will receive the new AX key set. Because the accesskey is compatible with Smartintego II and Smartintego AX the system will still work normally. It is however advised to migrate all locks to AX, this can be done by reprogramming the locks.