
Security Expert - Security Purpose Controller - Configuration Guide

Uploaded by

Hend Aly
Security Expert

Security Purpose Controller


Configuration Guide
July 2022
Legal Information
The Schneider Electric brand and any registered trademarks of Schneider Electric Industries
SAS referred to in this manual are the sole property of Schneider Electric SA and its
subsidiaries. They may not be used for any purpose without the owner's permission, given in
writing. This manual and its content are protected, within the meaning of the French intellectual
property code (Code de la propriété intellectuelle français, referred to hereafter as "the Code"),
under the laws of copyright covering texts, drawings and models, as well as by trademark law.
You agree not to reproduce, other than for your own personal, noncommercial use as defined
in the Code, all or part of this manual on any medium whatsoever without Schneider Electric's
permission, given in writing. You also agree not to establish any hypertext links to this manual
or its content. Schneider Electric does not grant any right or license for the personal and
noncommercial use of the manual or its content, except for a non-exclusive license to consult it
on an "as is" basis, at your own risk. All other rights are reserved.
Electrical equipment should be installed, operated, serviced and maintained only by qualified
personnel. No responsibility is assumed by Schneider Electric for any consequences arising
out of the use of this material.
As standards, specifications and designs change from time to time, please ask for confirmation
of the information given in this publication.
Trademarks and registered trademarks are the property of their respective owners.
Security Expert Security Purpose Controller

Contents
Introduction
Controller Editions
About This Module

Configuring a Controller via the Web Interface
Logging In for the First Time
Creating a Secure Password
Configuring the IP Address
Setting Up Integrated DDNS
Setting Up an HTTPS Connection
Connectivity Requirements for HTTPS
Third-Party Certificate
Self-Signed Certificate
Signing In
Home Page
System Settings
System Settings | General
System Settings | Adaptor - Onboard Ethernet
System Settings | Adaptor - USB Ethernet
Operators
Password Policy
Application Software

Configuring a Controller via the Security Expert Software
Adding a Controller with Default Records
Adding a Controller Based on an Existing Controller
Configuring a Controller
Controllers | General
Controllers | Configuration
Controllers | Options
Controllers | Time update
Controllers | Custom reader format
Manual Controller Commands
Additional Controller Programming
Programming the Onboard Reader
Programming Controller Inputs
Configuring the Cellular Modem Connection
Additional ACX Controller Programming
Reader Programming
Universal Input Connections
Programming Analog Inputs
Outputs
Reader Outputs
Programming Analog Outputs

Hardware Configuration
Setting the IP Address from a Keypad
Temporarily Defaulting the IP Address
Temporarily Defaulting an ACX Controller IP Address
Defaulting a Controller
Defaulting an ACX Controller

Troubleshooting Controller Connectivity
Communication Requirements
Check that the Services are Running
Confirm Controller IP Address
Unknown Controller IP Address
Confirm Controller Serial Number
Duplicate IP Address or Serial Number
Confirm the Event Server is Functioning
Confirm Event Server IP Address
Confirm Ports
Check Computer Name
Repair Database Compatibility
Windows Firewall
Multiple Firewalls
Encryption
Disabling Encryption
Telnet


Introduction
This configuration guide provides programming instructions and system communication and
troubleshooting information for Security Expert controllers. For installation instructions and
technical specifications, see the appropriate controller installation manual.

Controller Editions
This configuration guide includes programming instructions for the following Security Expert
controller models:

Product Code    Controller Module
SP-C-IP         Security Expert Security Purpose Controller (IP only)
SP-C            Security Expert Security Purpose Controller
SP-AC1-IP       Security Expert Security Purpose LON Controller (IP only)
SP-AC1          Security Expert Security Purpose LON Controller
SP-ACX          Security Expert Security Purpose ACX Controller
SP-ACX-V2       Security Expert Security Purpose ACX-V2 Controller

About This Module


The Security Expert controller is the central processing unit responsible for the control of
security, access control and building automation in the Security Expert system. It
communicates with all system modules, stores all configuration and transaction information,
processes all system communication, and reports alarms and system activity to a monitoring
station or remote computer.
Security Expert is an enterprise level integrated access control, intrusion detection and
building automation solution with a feature set that is easy to operate, simple to integrate and
effortless to extend.
Flexible module network architecture allows large numbers of modules to be connected to the
RS-485 module network, over a distance of up to 900 m (3000 ft). Further span can be achieved
with the use of a network repeater module.


Current Features
The current features of the Security Expert controllers include:

Features                                              SP-C-IP  SP-C  SP-AC1-IP  SP-AC1  SP-ACX-V2  SP-ACX
Internal industry standard 10/100 ethernet
32 Bit RISC processor with 2Gb total memory
Encrypted module network using RS-485 communication
NIST Certified AES 128, 192 and 256 Bit encryption
Factory loaded HTTPS certificate
OSDP configurable RS-485
Reader ports                                          2        2     2          2       8          8
High security monitored inputs                        8        8     8          8       16         16
Open collector outputs                                4        4     4          4       2          2
Form C Relay outputs                                  2        2     2          2       4          4
Bell output
USB Port
Built-in offsite communications dialer (Contact ID or SIA)
Built-in LON interface
Industry standard DIN rail mounting


Configuring a Controller via the Web Interface


The controller's built-in web interface allows you to configure specific settings in order to get
the controller online with a Security Expert server. These settings include:
• IP addressing, including IP address, subnet mask, gateway and DNS settings
• Event server connections
• Event, control and download port settings
In addition, you can load security certificates, update the controller firmware and/or the
firmware of connected expander modules from this interface, and control operator access to
the controller.
When the controller is connected to the computer's network, the web interface can be
accessed by entering its current IP address into the address bar of a browser, then logging in
with valid credentials for that controller.

Security Expert controllers come equipped with a factory loaded HTTPS certificate,
ensuring a secure encrypted web connection. This means HTTPS must be used when
accessing the web interface (e.g. https://192.168.1.2). The factory loaded HTTPS certificate
is a self-signed certificate, so when connecting to the controller's web interface a certificate
warning may be displayed, but your connection is still secure.
For older controllers not equipped with a default certificate, HTTP must be used to connect
to the interface.

Logging In for the First Time


When using Safari, ensure that private browsing mode is disabled. This applies to all
versions of Safari: Mac, iPad and iPhone. If private browsing mode is enabled an error
message prompts you to disable it.

To log in to the controller for the first time, open a web browser and enter the default IP
address of 192.168.1.2 with the prefix https:// (e.g. https://192.168.1.2).

If you cannot access the controller with this URL, remove the https:// prefix and try again (e.g.
192.168.1.2).

If you are presented with a security warning when accessing the HTTPS web page, use the
advanced options to proceed to the controller web page.
Once you connect to the controller's web interface you will be prompted to create the admin
operator, which is the default login for accessing the web interface.

Creating the Admin Operator


The controller's factory default settings do not contain a default operator. When a controller is
first connected or has been factory defaulted you will be prompted to Create Admin
Operator. The admin operator must be added before the controller can be accessed and
configured through the web interface.

Earlier versions of the controller firmware have a preconfigured admin operator. If you are
not prompted to create a new operator you can log in using the default username admin with
the password admin.

1. Add a Username for the admin operator. This does not need to be 'admin'.
2. Choose a Password for the admin operator.
The password cannot be blank or 'admin' and must comply with password policy
requirements.
3. Verify Password.
A very secure password is recommended for the admin operator (see Creating a Secure
Password).

Creating a Secure Password


When creating or changing the admin operator password it is highly recommended that you
create a very secure password.
As a guideline, a secure password should include these features:
• Minimum 8 characters in length
• Combination of upper and lower case letters
• Combination of numbers and letters
• Inclusion of special characters
Passwords must comply with password policy requirements.

Configuring the IP Address


The controller must be programmed with a valid IP address to allow communication. By default
this is set to 192.168.1.2 but can be adapted to suit your network requirements and addressing
scheme.
1. Log in to the controller web interface and navigate to the System Settings page.
2. In the Adaptor - Onboard Ethernet tab, enter the required connection settings:
   • Enable DHCP: When the option is enabled, the controller will use DHCP to
     dynamically allocate an IP address instead of using a static IP address.
     To use this feature, there must be a DHCP server on the network you are attempting
     to connect to.
   • IP Address: This is the IP address that the controller is currently using. By default this
     is set to 192.168.1.2.
   • Subnet Mask: Used in conjunction with the IP address, a netmask must be configured
     to allow access to the appropriate node on the subnet. By default this is set to
     255.255.255.0.
   • Default Gateway: Used in conjunction with the IP address, the gateway can be
     configured to allow access to a router for external communications beyond the subnet
     to which the controller is connected. By default this is set to 192.168.1.254.
     Set this field to 0.0.0.0 to prevent any external communication.
3. Click Save.
4. Click Restart to restart the controller and implement the changes.
Programming the IP address, subnet mask, and default gateway requires knowledge of the
network and subnet that the system is connected to. You should always consult the network
or system administrator before programming these values.


Setting Up Integrated DDNS


DDNS (Dynamic Domain Name Server) is a method which allows you to create a static
hostname even when the external IP address of the controller is not fixed. The controller
contains an integrated DDNS client which automatically updates the DDNS provider whenever
the IP address changes.
Controllers currently support two DDNS providers: Duck DNS (free provider) and No-IP (free
accounts available, paid plans for further services).

In order to set up DDNS, the controller must be port forwarded so that it is externally
accessible.

Setting Up Duck DNS


Duck DNS can be used for HTTPS certification via third-party certificates.

1. Browse to Duck DNS and create a free account by signing in with Google or another
existing account.
Take note of the Token that is generated when you create your account.
2. Create a new subdomain. The full hostname will have the form [subdomain].duckdns.org.
3. The Current IP field should automatically populate with the external IP address of your
network. Ensure that this is the controller's externally accessible IP address.
4. Access the controller's web interface by typing its IP address into the address bar of a
web browser, then log in with your username and password.
5. Navigate to the System Settings.
6. In the Adaptor - Onboard Ethernet tab, select the Enable DDNS checkbox.
7. Enter the Hostname [subdomain].duckdns.org and DDNS Server duckdns.org.
8. Leave the DDNS Username blank. For the DDNS Password, enter the Token generated
by your Duck DNS account.
9. Save your settings.
10. Confirm that the controller is externally accessible by browsing to the hostname on
another PC.
If the controller's external port is not the default port, you will need to append the port
number to the URL (e.g. controller.duckdns.org:1000).

Setting Up No-IP
The free No-IP Dynamic DNS service does not support third-party certification. This is only
supported with the additional Plus Managed DNS service.

1. Browse to No-IP and create a Dynamic DNS account (free or paid as required).
Free Dynamic DNS hostnames provided by No-IP require confirmation every 30 days,
whereas paid accounts do not.
2. Create a new Hostname and select a Domain.
3. Ensure that the IP Address matches the controller's externally accessible IP address.
4. Access the controller's web interface by typing its IP address into the address bar of a
web browser, then log in with your username and password.
5. Navigate to the System Settings.
6. In the Adaptor - Onboard Ethernet tab, select the Enable DDNS checkbox.
7. Enter the Hostname and DDNS Server.
8. Enter the Username and Password that you used to sign up to No-IP.
9. Save your settings.


10. Confirm that the controller is externally accessible by browsing to the hostname on
another PC.
If the controller's external port is not the default port, you will need to append the port
number to the URL (e.g. controller.ddns.org:1000).

Setting Up an HTTPS Connection


Security Expert controllers have HTTPS connection enabled by default with a pre-loaded
certificate. However, an alternative certificate can be installed if preferred. Installing a third-
party certificate on the controller will remove the security warning which you may see in your
browser when accessing a controller with a factory certificate.
For older controllers not equipped with a default certificate, Schneider Electric strongly
recommends that all live Security Expert sites establish an HTTPS connection between the
controller web interface and the web browser. This is especially important if the controller can
be accessed on-site via a router, or externally via the internet.

If the controller is factory defaulted, any user-created HTTPS certificates are removed and
the default certificate is reloaded. Custom certificates will need to be reinstalled.

Two different connection methods are available, each of which can be configured directly
within the web interface:
• Validating and installing a third-party certificate obtained from a certificate authority.
• Installing a self-signed certificate (recommended for testing only).
For configuration and version requirements refer to AN-314: HTTPS Connection to the
Security Expert Controller.

Connectivity Requirements for HTTPS


To acquire a third-party certificate for HTTPS connection to the controller's web interface, the
controller must be accessible over the internet. This section discusses some of these
requirements so that the system can be properly prepared for HTTPS implementation.

Operating on an active network requires knowledge of the configuration and structure of the
network. Always consult the network or system administrator before you begin.

For detailed networking information, see the Security Expert Network Administrator Guide.

Port Forwarding Requirements


In order for the controller to be accessible externally, port forwarding must be configured at the
router. Port forwarding is a method of mapping an IP address and port on a local subnet to an
external port, so that the networked device is accessible over the internet.
In particular, validating a third-party certificate generally requires the controller to be
accessible via external port 80. This is the default port for HTTP requests. This external port
must be set up to forward traffic to an internal port on the controller that accepts HTTP
requests. By default this is internal port 80; however, if required this can be changed in the
System Settings.

[Figure: an HTTP request from the internet reaches the router (external IP 203.97.123.169) on
port 80 and is forwarded to the controller (IP 192.168.1.2) on port 80.]


Once this port has been forwarded, the controller will be accessible via the external IP address
of the network. In this example, typing 203.97.123.169 into an external web browser will open
the controller's web interface.
External access via HTTP is only required in order to validate and install your certificate. Once
the certificate has been installed, HTTP access will be disabled because the more secure
HTTPS connection is available. Therefore it will no longer be necessary to forward external
port 80 to the controller.
Port forwarding is configured from the router's utility interface, which can be accessed by
browsing to the router's IP address. Different routers have different interfaces, so it is
recommended that you consult the documentation for your router.

Optional Port Forwarding

After you have installed a certificate and established an HTTPS connection to the controller,
you may wish to continue accessing the controller over the internet. To achieve this, the
controller must be accessible via its HTTPS port. The default HTTPS port is internal port 443,
but this can be changed if necessary in the System Settings (available once Use HTTPS is
enabled).
The easiest method is to configure the router to forward all traffic from external port 443 (the
default HTTPS port) to the controller's internal HTTPS port, as in the image below.

[Figure: an HTTPS request from the internet reaches the router (external IP 203.97.123.169) on
port 443 and is forwarded to the controller (IP 192.168.1.2) on port 443.]

In this case, all traffic directed to the external HTTPS IP address will be forwarded to the
controller. The controller's web interface could be accessed by typing https://203.97.123.169
into an external web browser.
However, it is possible to grant external access by forwarding any external port to the
controller's HTTPS port. This is especially useful if external port 443 is not available on your
network.

[Figure: an HTTPS request from the internet reaches the router (external IP 203.97.123.169) on
external port 1000 and is forwarded to the controller (IP 192.168.1.2) on port 443.]

In this case, any traffic directed to external port 1000 will be forwarded to the controller's
HTTPS port. The controller's web interface can be accessed simply by appending the external
port number onto the end of the URL: e.g. https://203.97.123.169:1000.

Note: If the controller does not have a factory loaded certificate, it will not be accessible via
HTTPS until an HTTPS certificate has been installed, regardless of whether port forwarding
has been configured.

Controller Default Gateway


In order for the controller to send and receive external communications via the router, its
default gateway needs to be set to the router's internal IP address.


1. Log in to the controller's web interface.


2. Navigate to the System Settings | Adaptor - Onboard Ethernet tab.
3. In the Default Gateway field, enter the IP address of the router.
4. Save the configuration and Restart the controller.
Note: The default gateway must be set to the router's internal IP address that identifies it on
the local internal network, not the external IP address used to connect over the internet.

Mapping an IP Address to a Domain


In order to achieve third-party HTTPS certification, it is necessary to map the controller's
externally accessible IP address to a domain. The domain name becomes the hostname for
the controller: a fixed, human readable point of access to the device.
Domain names can be purchased from Domain Name Registrars and assigned to a static IP
address, usually for an annual fee. For example, the IP address 203.97.123.169 could be
assigned the domain name controller.com, and would then be accessible by typing that
domain name into a browser address bar.
However, typically routers are assigned a dynamic IP address. This IP address is not static:
internet service providers may reassign the address whenever the router is reset or even more
frequently. A fixed domain name would have to be constantly monitored and updated, as the
IP address it is mapped to will change unpredictably. If necessary, a static IP address may be
purchased from your internet service provider.
Alternatively, you may use a Dynamic Domain Name Server (DDNS), which allows a
dynamic IP address to be mapped to a static domain name. Generally a DDNS service will
provide a client application which runs on the web server PC and automatically updates the
domain's IP address mapping whenever the external IP address changes. Controllers also
have an integrated DDNS client which supports several free DDNS providers.

Third-Party Certificate
This method uses a certificate generated by a recognized third-party certificate authority (CA)
to encrypt the HTTPS connection. Unlike the self-signed certificate method, third-party
certificates generally require an annual fee; however, they are trusted by web browsers.
The process has five main stages:
1. The installer generates a private/public encryption key pair and certificate signing request
for their domain.
2. The installer submits the certificate signing request to the certificate authority.
3. The certificate authority provides a validation file which is loaded onto the controller.
4. The certificate authority validates the domain and provides the certificate.
5. Finally, the installer converts the certificate format (if necessary) and installs the certificate
onto the controller.

Requirements for Third-Party Certificates


• The controller must be exposed to the internet via external port 80.
• The controller must be externally accessible via a hostname.
  Either static IP or DDNS (see Setting Up Integrated DDNS) can be used to assign this hostname.
• The operator must renew the certificate whenever it expires.
• Different certificate authorities may have different requirements. For example, some CAs
  do not require manual validation of domain names, allowing you to skip the certificate
  authentication stage. It is recommended that you carefully note all requirements for your
  chosen CA before beginning.
If you need help when obtaining and loading a third-party certificate, consult your IT support.
Schneider Electric Technical Support cannot assist with this process.


Creating a Private Key and Certificate Signing Request


To begin, it is necessary to generate the private/public encryption key pair which will be the
basis for the HTTPS encryption. The public key will be integrated into a certificate signing
request which will be submitted to the CA.
The following instructions will use the free OpenSSL utility. The latest version of OpenSSL for
Windows can be downloaded from this page.
1. Download and install the OpenSSL utility.
2. Navigate to the installation directory, open the bin folder, locate the openssl executable
and run it as an administrator. This will open the OpenSSL command prompt.
3. To generate the key pair, enter the following command, replacing [name] with your
desired filenames:
req -newkey rsa:2048 -keyout [name].key -out [name].csr
This generates a new 2048-bit private key (.key file) and certificate signing request (.csr
file). The files should appear in the current OpenSSL directory.
4. Enter a passphrase for the private key. This is a phrase used to encrypt the private key to
protect it against anyone with access to your local system. It will be required whenever the
private key is used.
Note that passphrase characters will not be displayed in the console. Only alphanumeric
characters are supported for the passphrase.
5. Enter your location and identity information as requested. These details will be
incorporated into your certificate and publicly viewable from the web browser.
Ensure that the Common Name is the same as the Domain Name which is being used
for the controller.
Some details are optional. Confirm with your CA which fields are required.
6. Save both files in a safe, known location, as both are required for the following steps. It is
especially important that the private key is not publicly accessible.

Purchasing a Certificate
Below are very basic instructions for purchasing a third-party certificate from a CA. Every CA
will have different processes and requirements - this is only intended to be a rough guide to
what is required for implementation on a controller.
1. Begin the process of generating a certificate from a recognized CA such as:
   • GoDaddy: https://nz.godaddy.com/web-security/ssl-certificate
   • Network Solutions: https://www.networksolutions.com/
   • RapidSSL: https://www.rapidsslonline.com/
It is important that you select File-Based or HTTP-based Validation (or equivalent)
when asked to choose an authentication/validation method. You will require a .txt file to
upload to the controller.
2. When prompted, upload the text of your Certificate Signing Request (.csr).
3. Follow the CA's instructions to complete the request. You should be prompted to
download a .txt validation file.
DO NOT change the name or contents of this file.

Authenticating the Certificate


The .txt file that you received in the previous steps must be uploaded to a known directory on
your domain (in this case, the controller) so that it can be viewed by the CA. This verifies that
you are the owner of the domain in question.
1. Access the controller's web interface by typing its IP address into the address bar of a
web browser, then log in with your username and password.


2. Navigate to the System Settings.


3. In the General tab, select the Use HTTPS checkbox (if not already enabled).
4. Enter an appropriate HTTPS Port. The default is port 443, which is commonly used for
this purpose. You should retain the default port unless you are required to use another port
by your system administrator.
5. Click Load Validation File and browse to the .txt validation file to load it onto the
controller.
6. Open the Adaptor - Onboard Ethernet tab. Enter the controller's domain name in the
Controller Hostname field.
7. Confirm that the file is publicly accessible by using another machine to navigate to
[domainname]/.wellknown/pki-validation/[filename].txt. You should be able to view the
content of your validation file.
Once the CA has verified that your domain is accessible, you will be sent the signed certificate.
Wait times can vary between providers, but will typically take from one hour to several hours.

Converting the Certificate Format


The controller requires a file with the .pfx extension. Your CA may have provided a different file
type, potentially several files such as a certificate (e.g. .cer, .crt or .pem) and an intermediate
certificate. These must be combined with the private key generated with your certificate
request to create a .pfx file. The following instructions will use the OpenSSL utility installed
above.
1. Navigate to the installation directory, open the bin folder, locate the openssl executable
and run it as an administrator. This will open the OpenSSL command prompt.
2. Export your certificate as a .pfx file using the following command, replacing [name] with
your filenames:
    pkcs12 -export -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -nomac -out [name].pfx -inkey [name].key -in [name].[cer/crt/pem]

Replace [cer/crt/pem] with the extension on your certificate file as required.


Note: If you have been provided with an intermediate certificate you must include
intermediate certificates by appending to the end of the command: -certfile
[intermediatename].[cer/crt/pem] as shown below.
    pkcs12 -export -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -nomac -out [name].pfx -inkey [name].key -in [name].[cer/crt/pem] -certfile [intermediatename].[cer/crt/pem]

Android devices will fail to connect if intermediate certificates are not included in the
certificate loaded onto the device.
3. Enter the passphrase for the private key (set above) to continue.
Note that passphrase characters will not be displayed in the console.
4. Enter an export password when requested. This will be required when installing the
certificate on the controller.
5. This process will generate a [name].pfx file in the current OpenSSL directory. This is your
third-party certificate. Store this file in a safe, known location.
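
Before the export step above, it is worth confirming that the certificate really belongs to the private key created with the signing request, that it names the controller's hostname, and that it is within its validity period. The script below is an added example and not part of the Schneider Electric guide; the function names, the script name and the hostname controller.example.test are assumptions, and the sample pair it generates is a throwaway self-signed certificate constructed only for the demonstration. The same checks apply to a self-signed pair.

```shell
#!/bin/sh
# Added example (not from the vendor guide): pre-flight checks on a
# certificate and private key before they are bundled into a .pfx file.
# Usage: sh check_pair.sh KEY CERT HOSTNAME   (script name is hypothetical)
# Run with no arguments to exercise the checks on a throwaway sample pair.

# check_pair KEY CERT HOSTNAME
# Returns 0 only if the certificate's public key matches the private key,
# the certificate is valid for HOSTNAME, and it has not expired.
# The key must be readable without a prompt here; for a passphrase-protected
# key, add a -passin option to the "openssl pkey" call.
check_pair() {
    cp_key=$1 cp_cert=$2 cp_host=$3 cp_status=0

    # 1. Same key pair? Compare the PEM-encoded public keys from both files.
    cp_cert_pub=$(openssl x509 -in "$cp_cert" -noout -pubkey 2>/dev/null) || cp_cert_pub=
    cp_key_pub=$(openssl pkey -in "$cp_key" -pubout 2>/dev/null) || cp_key_pub=
    if [ -z "$cp_cert_pub" ] || [ "$cp_cert_pub" != "$cp_key_pub" ]; then
        echo "FAIL: certificate does not match the private key (or a file is unreadable)"
        cp_status=1
    fi

    # 2. Does the certificate name the hostname used to reach the controller?
    if ! openssl x509 -in "$cp_cert" -noout -checkhost "$cp_host" 2>/dev/null \
            | grep -q 'does match'; then
        echo "FAIL: certificate is not valid for hostname $cp_host"
        cp_status=1
    fi

    # 3. Validity period: fail if expired, warn if renewal is due in 30 days.
    if ! openssl x509 -in "$cp_cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: certificate has expired (or is unreadable)"
        cp_status=1
    elif ! openssl x509 -in "$cp_cert" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "WARN: certificate expires within 30 days"
    fi

    if [ "$cp_status" -eq 0 ]; then
        echo "OK: key, hostname and validity checks passed"
    fi
    return "$cp_status"
}

# make_sample_pair PREFIX HOSTNAME
# Constructed test data: writes PREFIX.key and PREFIX.crt, an unencrypted
# 2048-bit RSA key and a self-signed certificate whose CN is HOSTNAME.
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# Demonstration on constructed data: one good pair and two failure cases.
demo() {
    demo_dir=$(mktemp -d) || return 1
    make_sample_pair "$demo_dir/a" controller.example.test
    make_sample_pair "$demo_dir/b" controller.example.test
    echo "matching pair:"
    check_pair "$demo_dir/a.key" "$demo_dir/a.crt" controller.example.test || true
    echo "certificate paired with the wrong key:"
    check_pair "$demo_dir/b.key" "$demo_dir/a.crt" controller.example.test || true
    echo "certificate checked against the wrong hostname:"
    check_pair "$demo_dir/a.key" "$demo_dir/a.crt" other.example.test || true
    rm -rf "$demo_dir"
}

if [ "$#" -eq 3 ]; then
    check_pair "$@"
else
    demo
fi
```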

Installing the Certificate on the Controller


1. Log in to the controller's web interface and navigate to the System Settings.
2. Scroll to the Certificate File section. Click Install Certificate and browse to the .pfx
certificate file to install it on the controller.
3. Enter the export password that you created when generating the certificate file.


4. Click Save, then restart the controller using the button on the top right to implement the
new settings.
The controller will restart, but the web page will not automatically refresh once the
restart is complete.
5. Browse to the controller web page by adding the prefix https:// to the beginning of the IP
address or URL.
A lock or similar icon in the browser toolbar should indicate that the connection is secure. Click
on this icon to see details about the certificate, including the information you entered in the
certificate signing request.

Self-Signed Certificate
Self-signed certificates do not require the certificate to be validated by an authority, or for the
controller to be accessible over the internet. They can also be created for free. However, self-
signed certificates are not considered secure by web browsers, which will generate warnings
whenever the web interface is accessed. This method is fine for testing and development but is
not recommended for live sites.

Requirements for Self-Signed Certificates


• There is no requirement for the controller to be externally accessible.
• The operator must manually renew the certificate whenever it expires.

Generating a Self-Signed Certificate with OpenSSL


The following instructions will use the free OpenSSL utility. The latest version of OpenSSL for
Windows can be downloaded from this page.
1. Download and install the OpenSSL utility.
2. Navigate to the installation directory, open the bin folder, locate the openssl executable
and run it as an administrator. This will open the OpenSSL command prompt.
3. To generate your certificate, enter the following command:
   req -new -newkey rsa:2048 -x509 -sha256 -subj "/C=[Country code]/CN=[Common name]" -days 365 -out [name].crt -keyout [name].key
   • Replace [name] with your desired filenames.
   • The country code is optional, but recommended best practice. You can find your
     country code here.
   • The common name is typically in the form [hostname].[domain name]. For a
     self-signed certificate this does not need to be an externally accessible hostname. For
     example, you could use secure.controller.com.
   This generates a new 2048-bit RSA key pair (.crt certificate and .key private key). The
   certificate will expire after 365 days. The files should appear in the current OpenSSL
   directory.
4. Enter a passphrase for the private key. This is a phrase used to encrypt the private key to
protect it against anyone with access to your local system. It will be required whenever the
private key is used.
Note that passphrase characters will not be displayed in the console. Only alphanumeric
characters are supported for the passphrase.
5. Enter your location and identity information as requested. These details will be
incorporated into your certificate and publicly viewable from the web browser.
Ensure that the Common Name is the same as the Domain Name which is being used
for the controller, if any.

6. To export your certificate, enter the following command, replacing [name] with your
desired filename:
   pkcs12 -export -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -nomac -out [name].pfx -inkey [name].key -in [name].crt
7. Enter the passphrase assigned above when prompted.
8. Create an export password when prompted. This will be required when installing the
certificate on the controller.
This process will generate a [name].pfx file in the current OpenSSL directory. This is your
self-signed certificate. Store this file in a safe, known location.

Installing the Self-Signed Certificate to the Controller


1. Access the controller's web interface by typing its IP address into the address bar of a
web browser, then log in with your username and password.
2. Navigate to the System Settings.
3. In the General tab, select the Use HTTPS checkbox (if not already enabled).
4. Enter an appropriate HTTPS Port. The default is port 443, which is commonly used for
this purpose. You should retain the default port unless you are required to use another port
by your system administrator.
5. Click Install Certificate and browse to the .pfx certificate file to install it on the controller.
No .txt validation file is required for this method, as the connection is not validated by a
third party.
6. Enter the export password that you created when generating the certificate file.
7. Click Save, then restart the controller using the button on the top right to implement the
new settings.
The controller will restart, but the web page will not automatically refresh once the restart
process is complete.
8. Browse to the controller web page by adding the prefix https:// to the beginning of the IP
address or URL.
When using a self-signed certificate, you will likely be presented with a security warning if
you attempt to access the HTTPS web page. The connection is still encrypted, but the
browser has flagged the certificate as untrustworthy as it lacks third-party validation.

Signing In
To access the system after the initial setup you need to sign in with a valid operator username
and password.
1. Open a web browser and enter the controller's IP address, with the prefix https:// (e.g.
https://192.168.1.2).
If you cannot access the controller with this URL, remove the https:// prefix (e.g.
192.168.1.2).
2. If you are presented with a security warning when accessing the HTTPS web page, use
the advanced options to proceed to the controller web page.
3. The Sign In window is displayed.
4. Enter your operator Username and Password.
5. Click Sign In.
Repeatedly entering incorrect passwords at the sign in window forces a login stand down.
Three consecutive incorrect attempts will result in the sign in process being locked for 5
seconds. If another three attempts fail, the sign in process is locked for 60 seconds between all
subsequent attempts until a valid login is made. It is not possible to configure the length of time
for the login stand down.
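
The stand-down schedule described above, modeled as an added Python example (not code from the controller or from Schneider Electric). It assumes one reading of the text: the 3rd consecutive failure locks sign-in for 5 seconds, the 6th and every later failure locks it for 60 seconds, attempts made during a lock are refused without being counted, and a valid login resets the count.

```python
from dataclasses import dataclass

SHORT_LOCK_S = 5    # from the guide: after three consecutive incorrect attempts
LONG_LOCK_S = 60    # from the guide: after another three failed attempts


def stand_down_seconds(consecutive_failures: int) -> int:
    """Lock time imposed by the Nth consecutive failed sign-in (assumed reading)."""
    if consecutive_failures == 3:
        return SHORT_LOCK_S
    if consecutive_failures >= 6:
        return LONG_LOCK_S      # the 6th failure and every failure after it
    return 0


@dataclass
class SignInThrottle:
    """State the sign-in window would need to keep to enforce the schedule."""
    failures: int = 0
    locked_until: float = 0.0

    def attempt(self, password_ok: bool, now: float) -> str:
        if now < self.locked_until:
            return "locked"     # assumption: refused and not counted
        if password_ok:
            self.failures = 0   # a valid login ends the stand down
            self.locked_until = 0.0
            return "signed-in"
        self.failures += 1
        self.locked_until = now + stand_down_seconds(self.failures)
        return "rejected"


def max_failed_attempts(window_s: float) -> int:
    """Most failed sign-ins the schedule lets through in window_s seconds.

    Each attempt is treated as instantaneous, so this is an upper bound that
    can be compared with the number of failures seen in the same period.
    """
    throttle, now, count = SignInThrottle(), 0.0, 0
    while now <= window_s:
        throttle.attempt(False, now)
        count += 1
        now = throttle.locked_until     # earliest time the next attempt is accepted
    return count


if __name__ == "__main__":
    print("failed attempts possible in one hour:", max_failed_attempts(3600))
    print("failed attempts possible in one day: ", max_failed_attempts(86400))
```
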

Home Page
Controller Status
• Health: Displays the health status of the controller.
• Voltage: Shows the voltage passing through the controller.
• Memory Usage: Shows the current memory usage of the controller, along with a
  breakdown of what that memory is being used for.
• Status: Displays the current serial number of the controller.

Operator Details
• Logged on as: Shows the username of the current operator.
• Logged on at: Shows the time and date this operator logged in.

Options
• Display Theme: Switch between the dark (dark background, white text) and light (white
  background, dark text) display themes for the web interface.
• Display Color: Select the display color used for the web interface. This selection will
  persist whenever this operator logs in to the controller with the same web browser.
• Logout: Log out and return to the login screen.
• Change Password: Change the password used by this operator.

System Settings
This page can be saved or refreshed using the toolbar buttons in the top right. The Restart
button can be used to reboot the controller, which is required to apply any changes to the fields
marked with an asterisk *.

System Settings | General


General
• Name: The controller name is programmed to identify the panel to the operator or system
  user. Ideally the name should describe the premises or the building where the controller is
  installed. The name is also used within the IP and SMTP mail services to identify the
  controller to the email recipient.
• Serial Number: The serial number of the controller.
• HTTP Port*: The TCP/IP port that will be used for HTTP connection to the controller. The
  default port is 80. This can be changed to any network port that is not occupied.
  IMPORTANT: If this field is set to no value (which is converted to an invalid 0 value), the
  controller will no longer be accessible via the web interface and will require defaulting the
  IP address in order to connect.

Communications: Event Servers


The event server manages communication from the controller to the Security Expert server.
The event server is configured in Security Expert and the controller settings determine
communication with the event server.
• Event Server 1*: The primary event server connection settings.
  • The IP address or DNS name for connection to the event server.
  • Primary Adaptor: The controller's adaptor connection to the event server, via either
    the Onboard ethernet connection or USB Ethernet port.
  • Secondary Adaptor: The controller's backup adaptor connection to the event server
    (optional).
• Event Server 2/3*: Alternative paths to the event server (optional).

Communications: Ports
• Event Port*: The default port is 22000. This must match the port defined in Global |
  Event server in the Security Expert software.
• Download Port*: The default port is 21000. This must match the port defined in Sites |
  Controllers | General in the Security Expert software.
• Control Port*: The default port is 21001. This must match the port defined in Sites |
  Controllers | General in the Security Expert software.

HTTPS
Security Expert controllers have HTTPS connection enabled by default with a pre-loaded
certificate. However, an alternative certificate can be installed if preferred.
For older controllers not equipped with a default certificate, Schneider Electric strongly
recommends that all live Security Expert sites establish an HTTPS connection between the
controller web interface and the web browser. This is especially important if the controller can
be accessed onsite via a router, or externally via the internet.

If the controller is factory defaulted, any user-created HTTPS certificates are removed and
the default certificate is reloaded. Custom certificates will need to be reinstalled.

• Use HTTPS: Schneider Electric controllers come preconfigured with a pre-loaded
  certificate and HTTPS enabled by default, however an alternate certificate can be installed
  if preferred.
• HTTPS Port*: The TCP/IP port that will be used for HTTPS connection to the controller.
  The default port is 443. This can be changed to any network port that is not occupied.
• Use HTTPS Certificate: This option will be illuminated when Use HTTPS is selected, to
  signify that HTTPS is enabled. The HTTPS certificate can be the default factory certificate,
  a third-party certificate obtained from a Certificate Authority, or a self-signed certificate.
  • Load Validation File: Click to browse and upload a validation file (.txt format)
    provided by the Certificate Authority. This will be used by the CA to validate your
    domain name. Validating the domain this way requires your controller to be externally
    accessible via a hostname on external port 80.
    This step is not required when installing a self-signed certificate.
  • Install Certificate: Click to browse and upload an HTTPS certificate in .pfx format. If
    the file is secured with an export password you will be prompted to enter it. Restart
    the controller to implement or update HTTPS.

System Settings | Adaptor - Onboard Ethernet


Onboard Ethernet
• Enable Onboard Ethernet*: This option configures the controller to communicate via its
  onboard ethernet communication link.
  This option is enabled by default.

Onboard Ethernet Configuration


• Enable DHCP: When enabled, the controller will use DHCP to dynamically allocate an IP
  address instead of using a static IP address.
  To use this there must be a DHCP server on the network you are attempting to connect to.
  The Dynamic IP address update option must also be enabled for this controller in
  Security Expert (Sites | Controllers | General).
  When DHCP is enabled, the IP information below will not be updated and will therefore
  continue to display the last static IP configuration.
• IP Address*: The controller has a built-in TCP/IP ethernet device and it must be
  programmed with a valid TCP/IP address to allow communication. By default the IP
  address is set to 192.168.1.2.
• Subnet Mask*: Used in conjunction with the IP address, a netmask must be configured to
  allow access to the appropriate node on the subnet. By default this is set to a value of
  255.255.255.0.
• Default Gateway*: Used in conjunction with the IP address, the gateway can be
  configured to allow access to a router for external communications beyond the subnet to
  which the controller is connected. By default this is set to a value of 192.168.1.254. Set
  this to 0.0.0.0 to prevent any external communication.
• DNS Server*: The IP address of the DNS server being used by the controller. This is
  required if a DNS name is being used for the connection.
Programming the IP address, subnet mask, and default gateway requires knowledge of the
network and subnet that the system is connected to. You should always consult the network
or system administrator before programming these values.

Hostname
• Controller Hostname: If the controller is accessible via an external hostname it can be
  entered here.

This is only required if the DDNS or HTTPS options are being used.

Dynamic DNS
• Enable DDNS*: The controller has an in-built DDNS (Dynamic Domain Name Server)
  application, which allows it to dynamically connect to an external hostname even if its
  external IP address is not static. Enable this option and enter the required details to
  activate DDNS.
• DDNS Server: Enter the name of the DDNS server which is being used.
  Currently Duck DNS (www.duckdns.org) and No-IP (www.noip.com) are supported
  DDNS providers.
• DDNS Username/Password: Enter the required credentials for your DDNS provider.
  • Duck DNS: The username should be left blank. The password is the Token
    generated by your Duck DNS account.
  • No-IP: The username and password are the credentials used to log in to your No-IP
    account.

System Settings | Adaptor - USB Ethernet


USB Ethernet
• Enable USB Ethernet*: This option configures the controller to communicate via an
  ethernet adaptor connected to its USB port. This is used for connection to the Security
  Expert Security Purpose DIN Rail Cellular Modem.

Connection
• Cellular Modem: This option configures the controller to communicate with the Security
  Expert Security Purpose DIN Rail Cellular Modem connected to its USB port. This is
  currently the only USB Ethernet connection option.
  When this option is enabled the details of the cellular connection will be displayed.

For cellular modem information and programming instructions, see the Security Expert
Security Purpose DIN Rail Cellular Modem Installation Manual and Security Expert Security
Purpose DIN Rail Cellular Modem Configuration Guide.

Cellular Network Connection


• Cellular APN*: The APN (Access Point Name) defines the network path for cellular data
  connectivity. The APN is specified by the mobile network operator (MNO) and is unique to
  that network, so it is important to use the correct APN for the cellular service required.
• Cellular Username*: The username for the cellular network account.
• Cellular Password*: The password for the cellular network account.

Cellular Options
• Enable Debug*: When enabled, debug events are logged to the event log to help
  diagnose setup issues with the cellular modem. This would generally be enabled only
  during initial configuration or troubleshooting and should be disabled during standard
  operation.
• Enable Watchdog*: When enabled, this option will prompt an automatic restart of the
  controller in the event that a critical fault is detected with the cellular modem that cannot be
  resolved. This option would typically only be enabled during fault finding.

Cellular Information
The cellular information section displays the cellular network connection status and details.
• External Modem Detected: Indicates whether the controller is able to communicate with
  the cellular modem connected to its USB port.

• SIM Detected: Indicates whether the controller is able to detect the cellular modem's SIM.
• SIM Provider: Displays the provider of the SIM, if detected.
• Signal Strength: The current strength of the wireless connection.
  The signal strength can only be displayed once a connection to a cell tower is
  established. When the cellular modem is performing initial configuration, has been
  automatically reset, or is initially searching for a network, Signal Not Measured will be
  displayed. This does not indicate a problem with the signal.
• Network Registration Status:
  • Registered (home): Displayed when the cellular modem is successfully connected to a
    network inside the SIM home region.
  • Registered (roaming): Displayed when the cellular modem is successfully connected
    to a network outside the SIM home region.
  • Not registered: Displayed when the cellular modem is detected but no connection has
    been established.
  • Not registered, seeking: Displayed when the cellular modem is actively seeking a
    network to connect to.
  • Denied: The network actively refused the connection attempt by the cellular modem.
  • Unknown: The cellular modem cannot currently determine network connection status.
• Current Network Provider: The mobile network operator that the cellular modem is
  currently connected to.
• Current Technology: The cellular technology that the cellular modem is connected with.
• Internet Connection Status: Identifies whether the cellular modem's internet connection
  is valid.
• IP Address: The IP address assigned to the cellular modem by the network provider.
If there is an error with the cellular connection the controller may automatically reset the
modem to attempt to resolve the connection. When this occurs the controller interface will
momentarily display the External Modem Detected disconnected icon. This is expected and
only indicates a problem if it remains disconnected.

Operators
Operators can be created, deleted and saved using the toolbar buttons at the top right. Note
that these are operators for the controller's web interface and do not correspond to operators
in the Security Expert software.
• Name: A name for the operator record in the web interface.
  Do not enter more than 40 characters for the operator name. This is the maximum
  supported length.

Configuration
• Username/Password: The operator's login credentials for the controller's web interface.
• Change Password: Click this button to change the password of the operator.
  It is recommended that you give each operator a secure password. Passwords must
  comply with password policy requirements.
• Default Language: Select a default language for the operator. This language will be
  displayed when the operator uses the web interface.

Operator Timeout
• Enable Operator Timeout: When this option is enabled, the operator will be
  automatically logged out of the web interface after a defined period of inactivity.
• Operator Timeout: Set the length of time in minutes before the operator will be
  automatically logged out.

Password Policy
A password policy represents a set of guidelines designed to enforce a higher level of security.
Security Expert systems enable you to define your own password policy that other users of the
system are required to follow.

Configuration
• Minimum Password Length: Defines the character length required for a password.
  In the future this will be configurable, but is currently fixed at 8 characters.
• Minimum Number Of Uppercase Characters: This option is reserved for future
  development.
• Minimum Number Of Digits: This option is reserved for future development.
• Minimum Number of Special Characters: This option is reserved for future
  development.
• Compare Against Username: This option is reserved for future development.

Application Software
Controller Software
• Current Version: Displays the current firmware version of this controller. Click on this field
  to display further version information.

Update Application Software

• BIN File: This section is used to update the firmware of the controller. Click Upload to
  browse to the firmware file (.bin format) supplied by Schneider Electric, and open the file to
  install the new firmware on the controller.
  This process will take approximately 10 minutes and the controller will not be able to
  perform its normal functions during this period. It is recommended that firmware updates
  are performed when the site is closed for maintenance or at times of low activity.

Update Module Firmware

• Module: This section is used to update the firmware of any module connected to the
  controller. Select the connected module that requires a firmware update from the
  dropdown.
• BIN File: Click Upload Firmware to browse to the firmware file (.bin format) supplied by
  Schneider Electric, and open the file to install the new firmware on the selected module.

Warning: Updating module firmware will put the entire network into maintenance mode,
preventing normal activity for the duration of the update process. Module firmware must
not be updated remotely.

Force Update
In situations where a module becomes stuck in the bootloader mode and the application is not
running, it may become necessary to perform a force update.
This hidden feature in the Update Module Firmware section of the web interface provides the
ability to update module firmware on an inoperable module where it is not possible through the
regular update process.
Clicking Module will expand the hidden section, making the Force Update panel available.
1. Select the Force Update - Module, carefully selecting the module type and model.
2. Select the Force Update - Address, which is the configured Physical Address of the
module.
3. The Skip Verification option will bypass the firmware check and allow firmware that does
not match the module type of the module to be loaded.
This option should only be selected at the direction of Schneider Electric Technical
Support.
4. Click Upload Firmware to browse to the firmware file (.bin format) supplied by Schneider
Electric, and open the file to install the firmware on the selected module.
Note: The maximum address that can be selected for force update is 32. If the module has
an address greater than 32 it cannot be upgraded via this method. You will need to contact
Schneider Electric Technical Support for assistance.

Configuring a Controller via the Security Expert Software
To add a controller to the Security Expert system, navigate to Sites | Controllers and click
Add. Several options are available, allowing you to define which records will be created
alongside your controller.
• Use the controller wizard: The controller wizard allows you to specify the inputs,
  outputs, doors and expander modules that are required by your site. Some additional
  options can also be configured. The selected default records are automatically added to
  the database with the controller.
• Just add a controller: Only the controller record itself is added to the database. All other
  records must be programmed separately.
• Add new controller based on an existing controller: The controller record and all
  connected programming are duplicated from an existing controller. This includes devices
  such as expander modules, inputs, outputs and doors.
  It may be convenient to create a 'template' controller record as a base for adding new
  controllers.

Once the controller record has been created, bring it online by entering the Serial number, IP
address, Download port, Download server and Control and status request port in the
General tab. If the controller does not come online, you will need to troubleshoot the
connection (see page 59).

Adding a Controller with Default Records


When you select Use the controller wizard, the Add controller configuration window is
displayed. This allows you to automatically add default records (inputs, outputs, expander
modules, doors) alongside the controller. The records have default names and settings, and
can be renamed, edited or deleted as required.

General
• Name: The name of the controller in the Security Expert software.
• Count: The number of controllers that will be added with the same default records. If more
  than one controller is added the subsequent controllers will be assigned default names
  that can be edited later.
• Prepend controller name to added records: When this option is enabled, all new
  records generated by the wizard will include the controller name at the start of the record
  name. For example, if the controller is named Office, the first output on the controller will
  have the name Office CP1 Bell 1.

Controller
• Type: The model code of the controller that is being added to the system. This is displayed
  on the upper right of the controller face.
• Inputs: The number of onboard inputs that will be created for the controller. This is set
  automatically based on the Type of controller selected.
  Not all controller inputs may be required if the onboard reader expander is being used,
  as the inputs can be assigned to the reader expander record.
• Outputs: The number of onboard outputs that will be created for the controller. This is set
  automatically based on the Type of controller selected.

  This number includes only the bell and relay outputs (outputs 1, 3 and 4). Reader outputs
  are assigned to the onboard reader expander record (even if not used for connected
  readers).
  Controller output 2 only exists on legacy hardware. This address is skipped when the
  wizard automatically adds the default records.
• Add trouble inputs: Enable this option to automatically add the trouble inputs associated
  with the controller.

Keypads, Input expanders, Reader expanders, Output expanders and Analog expanders
Enter the Type and number of each expander module that should be added to this controller.
The number of inputs and outputs required should be set automatically. Enable Add trouble
inputs to include the trouble inputs for each module.

If the controller's onboard reader expander is being used it should be included in the number
of reader expanders so that the relevant programming can be created.

Options
• Create "Installer" menu group: Creates a menu group with every menu enabled for use
  by site installers.
• Create floor plan: Creates a floor plan including all inputs and outputs on the controller.
  This is useful for small sites with only a few inputs and outputs. For larger sites it is
  generally better to create the floor plans manually.
• CID report map: The Contact ID report map that will be used for assigning the Reporting
  ID to each input. The options are:
  • Standard: Suitable for small burglary and access control installations.
  • Large: Suitable for intrusion detection installations with a large number of input
    expanders.
  • SIMS II: A variant of the Contact ID format which can send a much larger number of
    inputs. For this mapping to function correctly the service must also be configured for
    SIMS II by setting the Cid mapping option for a Contact ID service, or the CID map
    settings option for a Report IP service.
  For more information, see Application Note 316: Contact ID Reporting in Security Expert
  and SP-C-WEB.

Doors
• Doors: Automatically creates the defined number of door records. Typically this should be
  2 doors per reader expander.
• Assign to reader expanders: Automatically assigns the doors to reader expander ports,
  in order of creation.
• Add door trouble inputs: Creates the relevant trouble inputs for each door record.
• Assign reader lock output to door configuration: Automatically sets the Lock output
  for each door to the relay output on the associated reader expander.
• Assign reader beeper to door alarm configuration: Automatically sets the Pre alarm
  output, Left open alarm output and Door forced output for each door to the beeper
  output on the associated reader expander.

Adding a Controller Based on an Existing Controller


When you select Copy an existing controller, the Copy controller configuration window is
displayed. This allows you to select the controller to copy, and configure some options.
The copied records include inputs, outputs, doors, areas and groups associated with that
controller.

The new controller record will have a blank Serial number, IP address and Download
server.

• Site (copy from): Defines the site that the programming will be copied from.
• Controller (copy from): Defines the controller that the programming will be copied from.
• New controller name: The name of the new controller in the Security Expert software.
• Name (second language): The name of the new controller in the second language.
• Prepend controller name to all record names: When this option is enabled, all new
  records generated by the copy process will include the new controller's name at the start of
  the record name. This means all new records will have the same name as those on the
  original controller, with the new controller's name added.
  If the original records included the controller's name, this name will still be included in the
  new records (i.e. will not be replaced by the new name).
• Copy access levels: When this option is enabled the access levels of the original
  controller are copied for the new controller. The new access levels are assigned the
  equivalent doors, areas and other records from the new controller, but are not assigned to
  any users.
• Copy global records: When this option is enabled, site-wide records such as schedules
  and function codes will be copied for use with the new controller.

Configuring a Controller
Once added, the controller needs to be configured to define settings including the serial
number and communication parameters.

Controllers | General
General
• Name: The name of the record in English. This name is used everywhere the record
  appears in the English version of the software.
• Name (second language): The name of the record in the second language (as installed
  with the software). This name is used everywhere the record appears in the second
  language version of the software. Alternatively, additional information about the record
  may be included in this field.
• Record group: The record group this item belongs to. This allows records to be organized
  by categories such as building, branch or company. Using roles and security levels, you
  can restrict operator access so that operators can only see or control the records in
  specific record groups.
  Some record types, such as outputs, inputs, trouble inputs and expander modules,
  inherit the record group assigned to the controller.

Communications
• Serial number: The serial number of the controller. This can be obtained from the
  configuration page of the built-in web interface, or the label on the side of the controller.
• IP address: The IP address of the controller. The default IP address is 192.168.1.2, which
  can be changed via the built-in web interface.
  In general the IP address should be the same here and in the controller web interface.
  Alternatively, if the controller is external to the server network you may need to enter the
  external IP address of the router which is forwarding traffic to the controller.
  Programming the IP address, subnet mask, and default gateway requires knowledge of
  the network and subnet that the system is connected to. You should always consult the
  network or system administrator before programming these values.
• Dynamic IP address update: When this option is enabled the software automatically
  detects the IP address of the controller from incoming messages and updates the IP
  address field automatically. Use this for situations where the controller's IP address may
  change unexpectedly, or when the controller is configured to use DHCP.
• Username / Password: If the single record download service is in use, you must enter a
  username and password for the controller so that the service can make a connection.
  These must match an operator in the controller's web interface.
  Ensure that the Username is entered in all lowercase letters, otherwise the connection
  will fail.
  These fields are not required when the single record download service is not in use.
• Download port: The TCP/IP port that is used by the download service to send
  programming downloads to the controller. By default, this is port 21000.
• Single record download port: The TCP/IP port that will be used by the single record
  download service (if in use) to send programming downloads to the controller. This should
  match the HTTPS Port of the controller. By default, this is port 443.
• Download server: Defines the download server which will send downloads to the
  controller. If this field is <not set> the controller will not receive any downloads.


l Control and status request port: This field specifies the port that will be used to send
manual commands and status requests to the controller over TCP/IP. By default, this is
port 21001.
l Last known IP address: Shows the last IP address that the controller used to
communicate with the server (read only).
l Last downloaded: Shows the date and time of the last download to the controller (read
only).

Display
l Panel name: The name used to identify the controller to IP reporting services.

Diagnostic windows
l Open download server diagnostic window: Opens a window listing transactions
between the controller and the download server. This can be useful for checking whether
recent programming changes have been downloaded successfully.
l Open event server diagnostic window: Opens a window showing the current status of
the event server. This can be useful for diagnosing controller connection issues.

Commands
l This field is used to send programming commands to the device. It should only be used
when specifically advised by Schneider Electric documentation or technical support.

Download binary blob


l Set the download binary blob from a file: This feature allows you to select a binary blob
file and download it to the controller. This is required for some specific transitions and
integrations.
Do not use this feature unless specifically advised by Schneider Electric.
l Database data length (bytes): The size of the file that has been selected for download.

Record history
Each record displays its programming history, including the time and date it was created, the
time and date it was last modified and the operator who last modified it.

Controllers | Configuration
Configuration
l Test report time (HH:MM): The controller periodically tests the reporting service by
opening the predefined Service Report Test trouble input. This field sets the time of day
the trouble input will be opened.
When the Test report time is periodic option is enabled in the Options tab, the time
programmed will be used as a period between reports in hours and minutes. Otherwise it
is treated as a time of day.
l Automatic offline time: This is a legacy option that has no effect.
l AC restore delay time: This is a legacy option that has no effect.
l AC fail time: This is a legacy option that has no effect.
l Module UDP port: Some modules, such as the Security Expert Security Purpose
COMMS Expander, can communicate with the controller over an ethernet connection
using the UDP protocol. This field defines the UDP port that will be used for these
communications. The default port is 9450. If this port is changed at the controller it must
also be updated at all relevant modules.


From controller firmware version 2.08.886 module UDP/TCP communications are
disabled by default. You can re-enable communications by entering the following
commands in the Commands field (General tab): EnableModuleUDP = true and
EnableModuleTCP = true.
l Modem country: This option affects the number of dial attempts made by phone line
reporting services, and may override the Dial attempts setting in the reporting service. It
is recommended to test the number of dial attempts to ensure that you comply with
regional requirements.
This setting is only supported by controller models with onboard modem dialers.
l Modem backup phone number: If ethernet communication fails, the controller's onboard
modem will dial this number to report events. The Module backup if IP fails option must
be enabled (Options tab).
This setting is only supported by controller models with onboard modem dialers.
l Default language: The default language displayed on the keypad for users who have no
language selected and for any events generated by a serial printer service (see
Programming | Services | Serial printer).
l Download retry delay: This field allows you to set a minimum delay period (in seconds)
between downloads to this controller. After the download server has completed a
download it will not attempt to download to this controller again until the delay has elapsed,
except in the following circumstances where the download server will send the download
as soon as possible without waiting for the delay period:
l When a Force download command is sent
l When changes are made to hardware devices that are hosted by the controller (e.g.
expanders, inputs, outputs)
l When the single record download service triggers a full download
The minimum retry delay is 10 seconds.
l Register as reader expander: The module address assigned to the controller's onboard
reader expander. You can program the onboard reader expander by creating a record with
the same address in Expanders | Reader expanders.
This address must not be the same as that of any physical reader expander.
l Onboard reader lock outputs: This option determines which outputs on the controller
are mapped to the onboard reader expander's lock outputs. This should generally be set to
Controller relay 3/4 outputs, which maps controller outputs 3 and 4 to reader expander
outputs 1 and 2. If the controller is not being used for door control this option may be set to
None.
l Touch screen UDP port: This is a legacy option that has no effect.
l Maximum packet size: The maximum packet size that can be downloaded to the
controller.
l Controller offline grace time: If a controller drops offline there is a fixed grace period of 1
minute before Security Expert begins indicating that the controller is offline. This option
allows you to extend this grace period by a number of minutes. This should be used in
situations where the controller periodically drops offline and comes online again, allowing
you to avoid unnecessary alerts.

Encryption
l Initialize controller encryption: Enables encryption of the messages sent between the
controller and the Security Expert server. Selecting this option initiates a one-off process
that randomly generates a 256 bit AES encryption key. Using an RSA algorithm, this key is
exchanged and stored in both the controller and the Security Expert database.


l Disable controller encryption: Instructs the software to stop using encryption. To
prevent encryption from being disabled accidentally or maliciously, this option will not
change the encryption setting in the controller itself. You must hardware default the
controller to fully disable encryption and allow communications.
l Encryption enabled: Read only field that indicates whether encryption is enabled.

HTTPS public key


l HTTPS public key: If the single record download service is in use this field displays the
public key of the controller's HTTPS certificate. This is automatically populated when the
single record download service connects to the controller for the first time. If the certificate
is changed or the controller is defaulted you must delete the information in this field to
allow the single record download service to reconnect.

Version 3 settings
This is a legacy section that does not require configuration.

Controllers | Options
Options
l Test report time is periodic: When this option is enabled the Test report time set in the
Configuration tab will be treated as a frequency rather than a time of day. For example, a
Test Report Time of 12:00 AM will cause the Service Report Test trouble input to be
opened every 12 hours if this option is enabled, or every day at 12AM if this option is
disabled.
l Weekly test report: When this option is enabled the test report is sent once a week based
on the day of the week selected. The Service Report Test trouble input will be opened at
the time specified in the Test report time field in the Configuration tab. When this option
is disabled the trouble input will be opened once a day.
l Day of the week: Defines the day of the week that the weekly test report is sent.
l Troubles require acknowledge: System troubles are displayed in the trouble view menu
of the keypad ([Menu] [5] [2]). Normally if the trouble condition ends (i.e. the trouble input
closes) the trouble is no longer included in this list; however, with this option enabled the
trouble condition remains in the list until it is acknowledged by an authorized user.
Users must have Acknowledge system troubles enabled in Users | Users | Options
and access to the View (5) menu from their menu group.
l Generate input restore on test report input: When this option is enabled the controller
will generate a restore event for the Service Report Test trouble input closing after the
regular test report. This occurs one minute after the Service Report Test trouble input has
been activated.
l Report short duration module communication failure: When this option is enabled the
controller will always generate trouble events for any module communications failure,
without allowing any grace period for the module to come back online.
l Advance UL operation: When this option is enabled the Security Expert system runs in
UL compliance mode.
This setting has the following effects:
l Adds a 10 second grace period following a failed poll before a module is reported as
offline.
Each module sends a poll message to the controller every 250 seconds. The module
will be reported as offline if no poll has been received for the duration of this poll time
plus the 10 second grace period.
l Suppresses reporting of all alarms and/or reportable events to a monitoring station
within the first two minutes of the controller powering up. The system will continue to
send poll messages as usual.


l Reports 'Input Tamper' events as 'Input Open' events when the area that the input is
assigned to is armed. If the area is disarmed an 'Input Tamper' message will be sent.
l Limits the Dial attempts for reporting services to a maximum of 8.
This setting must be used in conjunction with the other configuration requirements in the
controller installation manual.
l Duplex inputs: With this option enabled the controller can support twice the number of
inputs, wired in duplex configuration. For more information, see the relevant controller
installation manual.

Misc options
l Enable automatic offline download: This is a legacy option that has no effect.
l Modem backup if IP fails: When this option is enabled the controller will dial out through
the onboard modem if it cannot connect to the software via ethernet to report events. The
Modem backup phone number must be set in the Configuration tab.
This setting is only supported by controller models with onboard modem dialers.
l Backup only alarm events: With this option enabled, when the controller has lost
ethernet connection it will only report alarms and other reportable events over the phone
line. All stored events will be reported when the ethernet link is restored.
This setting is only supported by controller models with onboard modem dialers.
l Invert controller tamper input: This is a legacy option that has no effect.
l Log all access level events: This is a legacy option that has no effect.
l Do not wait for dial tone when modem dials out: When this option is enabled, modem
dialing occurs even when no dial tone is detected.
This setting is only supported by controller models with onboard modem dialers.

Controllers | Time update


When using a time server the time provided is always in UTC (Coordinated Universal Time),
which has no time zone and is not subject to any daylight saving time rules. This means that
you must correctly configure the time server, the time zone that the controller is operating in,
and the daylight savings settings for the time to be synchronized correctly. Failure to
configure any of these will result in the time being inaccurate.
Daylight savings settings can be configured in Programming | Daylight savings.

l Automatically synchronize with an internet time server: Select this option to
automatically synchronize the controller's internal clock with an internet time server.
l Primary SNTP time server: The IP address of the primary SNTP time server that the
controller will use to update its time.
l Secondary SNTP time server: The IP address of the secondary (backup) SNTP time
server that the controller will use to update its time. This time server will be used if the
controller cannot connect to the primary server.
l Time zone: The current time zone that the controller is stationed in. Each time zone is
described via its offset from GMT and relevant regions.

Controllers | Custom reader format


This tab allows you to define a custom reader format (Wiegand or Magnetic) which is available
for use by reader expanders connected to the controller. To use this format, set the Reader
format (Expanders | Reader expanders | Reader 1/2) to Custom format.

See Sites | Credential types for alternative options for configuring custom credentials.


Custom reader configuration


l Custom reader type: Defines the reader type. The data can be output as Wiegand (D0
and D1) or Magnetic (Clock and Data).
l Bit length: The total number of bits that are sent by the card reader for each credential.
l Site code start: The index where the site/facility code data starts in the transmitted
credential data. The count starts at zero.
l Site code end: The index where the site/facility code data ends in the transmitted
credential data. The count starts at zero.
l Card number start: The index where the card number data starts in the transmitted
credential data. The count starts at zero.
l Card number end: The index where the card number data ends in the transmitted
credential data. The count starts at zero.
l Data format: This field describes how to handle the site/facility code and card number
received from the reader. If the size of the site/facility code is smaller than 16 bits and the
size of the card number is smaller than 16 bits, set the data format to 16 Bit Data.
Otherwise use 32 Bit Data.

Parity 1-4 options


There can be up to 4 blocks of parity calculated over the received data.

All parity options that are not in use must be set to 255.

l Parity type 1-4: The method of calculating the parity for the block. This is either even or
odd parity.
l Parity location 1-4: The position of the parity bit in the received data. The count starts at
zero.
l Parity start 1-4: The index where the parity block starts in the received data. The count
starts at zero.
l Parity end 1-4: The index where the parity block ends in the received data. The count
starts at zero.

Bit options
All bit options that are not in use must be set to 255.

l Set bit 1-4: The index of a set bit (a logical '1') in the received data. The count starts at
zero.
l Clear bit 1-4: The index of a clear bit (a logical '0') in the received data. The count starts at
zero.
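
The fields on this tab, applied to a received bit string, as an added example (not Schneider Electric code): a Python decoder that checks the parity blocks and fixed bits before extracting the site code and card number. It assumes start/end indexes are inclusive and that each parity bit lies outside the block it covers; the class and function names are hypothetical, and the 26-bit layout and sample frame are constructed for illustration.

```python
"""Decode a credential using the fields of the Custom reader format tab."""
from dataclasses import dataclass, field

UNUSED = 255  # value the guide requires for parity and bit options not in use


@dataclass
class Parity:
    kind: str      # Parity type: "even" or "odd"
    location: int  # Parity location: index of the parity bit
    start: int     # Parity start: first index of the covered block
    end: int       # Parity end: last index of the block (assumed inclusive)


@dataclass
class CustomFormat:
    bit_length: int
    site_start: int
    site_end: int
    card_start: int
    card_end: int
    parity: list = field(default_factory=list)
    set_bits: list = field(default_factory=list)
    clear_bits: list = field(default_factory=list)


def check_format(fmt):
    """Return a list of problems in the format definition itself."""
    problems = []
    last = fmt.bit_length - 1
    for name, lo, hi in (("site code", fmt.site_start, fmt.site_end),
                         ("card number", fmt.card_start, fmt.card_end)):
        if not 0 <= lo <= hi <= last:
            problems.append(f"{name} range {lo}-{hi} outside 0-{last}")
    if max(len(fmt.parity), len(fmt.set_bits), len(fmt.clear_bits)) > 4:
        problems.append("more than 4 parity, set-bit or clear-bit options")
    for n, p in enumerate(fmt.parity, 1):
        if p.location == UNUSED:
            continue  # unused parity option
        if p.kind not in ("even", "odd"):
            problems.append(f"parity {n} type must be even or odd")
        if not (0 <= p.start <= p.end <= last and 0 <= p.location <= last):
            problems.append(f"parity {n} indexes outside 0-{last}")
        elif p.start <= p.location <= p.end:
            problems.append(f"parity {n} bit lies inside its own block")
    for i in fmt.set_bits + fmt.clear_bits:
        if i != UNUSED and not 0 <= i <= last:
            problems.append(f"fixed bit index {i} outside 0-{last}")
    return problems


def decode(fmt, bits):
    """Return (site_code, card_number); raise ValueError naming the failed check."""
    problems = check_format(fmt)
    if problems:
        raise ValueError("bad format: " + "; ".join(problems))
    if len(bits) != fmt.bit_length or set(bits) - {"0", "1"}:
        raise ValueError("bit length mismatch")
    for n, p in enumerate(fmt.parity, 1):
        if p.location == UNUSED:
            continue
        # Count the 1s in the covered block plus the parity bit itself.
        ones = bits[p.start:p.end + 1].count("1") + int(bits[p.location])
        if ones % 2 != (0 if p.kind == "even" else 1):
            raise ValueError(f"parity {n} failed")
    for i in fmt.set_bits:
        if i != UNUSED and bits[i] != "1":
            raise ValueError(f"set bit {i} is clear")
    for i in fmt.clear_bits:
        if i != UNUSED and bits[i] != "0":
            raise ValueError(f"clear bit {i} is set")
    site = int(bits[fmt.site_start:fmt.site_end + 1], 2)
    card = int(bits[fmt.card_start:fmt.card_end + 1], 2)
    return site, card


# The common 26-bit Wiegand layout expressed with the tab's fields:
# even parity at bit 0 over bits 1-12, odd parity at bit 25 over bits 13-24.
WIEGAND_26 = CustomFormat(
    bit_length=26, site_start=1, site_end=8, card_start=9, card_end=24,
    parity=[Parity("even", 0, 1, 12), Parity("odd", 25, 13, 24),
            Parity("even", UNUSED, UNUSED, UNUSED),
            Parity("even", UNUSED, UNUSED, UNUSED)],
    set_bits=[UNUSED] * 4, clear_bits=[UNUSED] * 4)

# Constructed sample frame: site code 42, card number 12345.
SAMPLE = "10010101000110000001110011"

if __name__ == "__main__":
    print(decode(WIEGAND_26, SAMPLE))
```

A frame with a single flipped bit is rejected by the parity check instead of being decoded as a different card number, which is the reason to define the parity blocks rather than leave them all at 255.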

Card data options


l Card data AES encryption key: Salto SALLIS and Aperio cards can be encoded with
site/card information via the Schneider Electric Encoder Client. This field defines the
decryption key so that Security Expert can decrypt data from these cards.
For more information, see Application Note 147: Security Expert Aperio Integration or
Application Note 148: Security Expert Salto SALLIS Integration.

This field sets the card data AES encryption key for all reader ports associated with this
controller.


Manual Controller Commands


Right clicking on a controller record (Sites | Controllers) displays a menu with manual
commands for that controller.

Set controller date time


If you are not using a time update server to synchronize the controller time (see Sites |
Controllers | Time update) you can update the time and date manually using this command.
To manually update the time on a controller:
1. Right click on the controller record in Sites | Controllers.
2. The Time field displays the current date and time at the server. If you need to change
these, enter new values in the field or click on the clock icon to use the time and date
picker.
3. Click Set controller date time to send the entered time to the controller.

Update modules
Programming changes that alter the way hardware will operate require a module update to
download the hardware-specific settings. A module update command causes the module to
restart.
Use this option to perform a module update on the controller and all connected modules.

Warning: Sending this command will cause the controller and every connected module to
temporarily go offline as they restart. This option should not be used in an active system.

To update only a specific module (such as a keypad or reader expander), right click on the
specific record in the Expanders programming and click Update module.

Force download
In normal operation the download service checks each controller for changes in order by
Database ID. If any changes are detected the service downloads the changes to that
controller, then continues on to the next controller.
An operator can use the Force download command to increase the priority of a specific
controller, so that it will be next in line after the previous controller has been completed. The
Download retry delay period will be ignored so that the download is sent as soon as possible.
In addition, the download service will download to the controller even if no changes are
detected.

Get health status


The Get health status function sends a command to the controller to retrieve its current
health status. The health status window will open, displaying any notices or issues relating to
the controller or its module network.
The Clear button can be used to clear some notices which do not require action (e.g. 'The
Controller has been restarted').

The health status window is static. Resolving or clearing notices will not cause the status to
update until the Get health status command is sent again.

Module addressing
The Module addressing command is used to view the hardware that is connected to the
system network, and to set the addresses of modules. Selecting this option opens a window
showing the details of all modules that are currently connected, as well as those that have
registered previously but are currently offline.


By default, Security Expert modules are shipped from the factory with an address of 254. This
is outside the range that the controller will accept, so the address must be set by the installer.
For some modules, such as keypads, the network address can be set in the module itself (see
the relevant installation manual). For most Security Expert modules the address is set in the
Module addressing window.

The address of the controller's onboard reader expander is set by the Register as reader
expander setting in Sites | Controllers | Configuration.

Setting Module Network Addresses


1. Ensure the controller is correctly powered and is communicating with the Security Expert
software.
2. Connect the module(s) that require addressing to the module network. Make sure the
power light on each module is on and that the status indicator begins flashing rapidly.
3. Allow some time for the module(s) to attempt to register with the controller.
l If the module has the default address of 254 or has the same address as another
module the fault indicator will begin flashing an error code.
l If the module has been previously addressed and is not a duplicate then it will succeed
in registering and the status indicator will begin flashing at 1 second intervals.
4. Once all modules have completed the registration process (successful or not), open the
Security Expert software and navigate to Sites | Controllers.
5. Right click on the controller record and select Module addressing to open the module
addressing window. This window displays all of the modules that are connected to the
controller with the following information:
l The module type (e.g. controller, keypad, etc.)
l The serial number
l Current firmware version and build number
l The current module address
l Whether the module address can be changed (for example, the controller's address
cannot be changed)
l Whether the module has successfully registered with the controller
l Whether the module is currently online
The controller's onboard reader expander will appear on this list as a reader expander
with the same serial number as the controller. The address of this reader expander must
be set in the Register as reader expander field (Configuration tab).
6. Before assigning addresses to modules you may need to identify specific physical
modules:
l For DIN rail modules, click the Find button to activate identification mode for the
specified length of time. In identification mode the status and fault indicators flash in
an alternating pattern, allowing you to identify the specific module.
l For all modules, compare the Serial column with the serial number of each module
(found on the module label).
7. For each module set the network address in the Address column. The new addresses will
be displayed in bold, indicating that they have not yet been updated in the modules.
8. Push the addresses to the modules either by clicking Update for each individual module or
by clicking Update all. Allow approximately 5 seconds for the module to re-register with
the controller at the new address.
9. Click Refresh. The new addresses should change from bold to normal font and the newly
addressed modules should be online.
l If the address has not changed, check that the module has finished attempting to
register with the controller.


l If the address has changed but the module is not registered or online, check the
address is in the valid address range and that it is not a duplicate of another module
address.
Once all modules are online and registered with the desired addresses the addressing process
is complete.

Legacy Security Expert PCB modules cannot be addressed by this process. They must be
addressed using DIP switches as described in the relevant installation manual.

Maximum Module Addresses

The Security Expert controller has a set limit on the number of modules of each type that it can
support. This applies to both physical and virtual modules. The maximum addresses available
for each type of module are outlined in the table below:

Module Type        Maximum Address

Keypad             200
Input Expander     248
Reader Expander    64
Output Expander    32
Analog Expander    32
Smart Reader       248

Any module with an address higher than these limits will not come online to the controller. A
message will be generated in the controller's health status.
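
A pre-commissioning check of a planned address list against the rules above, as an added example (not Schneider Electric code): it flags modules left at the factory default of 254, addresses above the per-type maximum, and duplicates, including a clash between a physical reader expander and the Register as reader expander address. The function name, the lower bound of 1 and per-type uniqueness are assumptions; the serial numbers are constructed.

```python
"""Validate a planned module address list before pushing it to the modules."""
from collections import defaultdict

FACTORY_DEFAULT = 254  # address modules ship with; the controller rejects it
MIN_ADDRESS = 1        # assumption: the guide does not state the lower bound

# Maximum address per module type, from the table in this section.
MAX_ADDRESS = {
    "keypad": 200,
    "input expander": 248,
    "reader expander": 64,
    "output expander": 32,
    "analog expander": 32,
    "smart reader": 248,
}


def check_plan(modules, onboard_reader_address=None):
    """modules: iterable of (serial, module_type, address).

    Returns a list of (serial, problem) tuples; an empty list means the plan
    satisfies every rule checked here.
    """
    entries = list(modules)
    if onboard_reader_address is not None:
        # The onboard reader expander registers like any other reader expander.
        entries.append(("onboard", "reader expander", onboard_reader_address))

    findings = []
    seen = defaultdict(list)  # (module_type, address) -> serials using it
    for serial, mtype, addr in entries:
        limit = MAX_ADDRESS.get(mtype)
        if limit is None:
            findings.append((serial, f"unknown module type {mtype!r}"))
        elif addr == FACTORY_DEFAULT:
            findings.append((serial, "still at factory default address 254"))
        elif not MIN_ADDRESS <= addr <= limit:
            findings.append(
                (serial, f"address {addr} outside {MIN_ADDRESS}-{limit} for {mtype}"))
        else:
            seen[(mtype, addr)].append(serial)

    # Assumption: addresses must be unique within a module type.
    for (mtype, addr), serials in seen.items():
        if len(serials) > 1:
            for serial in serials:
                findings.append((serial, f"duplicate {mtype} address {addr}"))
    return findings


# Constructed plan for illustration.
PLAN = [
    ("SN1001", "keypad", 1),
    ("SN1002", "reader expander", 1),   # clashes with the onboard reader below
    ("SN1003", "reader expander", 65),  # above the reader expander maximum
    ("SN1004", "input expander", 254),  # never addressed
    ("SN1005", "output expander", 2),
    ("SN1006", "output expander", 2),   # duplicate of SN1005
]

if __name__ == "__main__":
    for serial, problem in check_plan(PLAN, onboard_reader_address=1):
        print(f"{serial}: {problem}")
```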

xP Module Connection

ACX controllers can support two xP modules.

Note: These modules must only be connected or disconnected while the power is removed.

Connected modules are auto detected by the ACX controller, so no addressing is required.

[Figure: ACX controller terminal layout, with labels for AC power, DC power, digital outputs, service port, CPU, Ethernet port, RS-485, tamper, universal inputs, card readers and expansion port power.]


Update firmware
Use the Update firmware option to update the firmware of one or more controllers.

Controllers do not support defaulting and firmware upgrade at the same time. Before you
upgrade the controller firmware, ensure that the wire link used to default the controller is not
connected.

1. Click on the ellipsis [...] button and browse to the .bin firmware file. Click Open.
2. Check the boxes of the controller(s) that you wish to update.
3. Click Update.
This process will take approximately 10 minutes per controller and it is recommended that
firmware updates are performed when the site is closed for maintenance or at times of low
activity. The controller will not be able to perform its normal function while firmware is being
updated.

A popup message may appear in the user interface with the message 'Update Interrupted'.
This is expected behavior for some firmware versions and does not indicate that the update
has failed.


Additional Controller Programming


This section outlines additional controller programming requirements and options.

Programming the Onboard Reader


The onboard reader is programmed in exactly the same way as any other reader module. It
can be thought of as if it were a normal reader expander module on a separate circuit board.
By default the onboard reader is disabled. To enable it, configure the address at which you
want it to register using the Security Expert user interface. Note that any physical reader
expander module that is connected with the same address will be treated as a duplicate and
will fail to register, so care should be taken to ensure the address is unique.

Enabling the Onboard Reader Expander


To enable the controller's onboard reader expander, complete the following steps:
1. Navigate to Sites | Controllers and select the controller.
2. In the Configuration tab, set the Register as reader expander field to any address that
is not currently being used by a reader expander.
3. Click Save.
4. Navigate to Expanders | Reader expanders. Select the relevant Controller in the
toolbar.
5. Add a new reader expander and set the Physical address to the address selected
above.
6. Click Save.
7. In the Module configuration window, review the settings to create the inputs, outputs,
trouble inputs and doors associated with the onboard reader expander.
8. Click Add now.
The onboard reader can use inputs 1-4 and 5-8 as its door contact, REX, bond sense and REN
inputs respectively.
The default settings are shown in the following table:

Input      Access Control Function    Default Setting

Input 1    Door Contact, Port 1       Door Contact, Port 1
Input 2    REX Input, Port 1          REX Input, Port 1
Input 3    Bond Sense, Port 1         General Purpose Input
Input 4    REN Input, Port 1          General Purpose Input
Input 5    Door Contact, Port 2       Door Contact, Port 2
Input 6    REX Input, Port 2          REX Input, Port 2
Input 7    Bond Sense, Port 2         General Purpose Input
Input 8    REN Input, Port 2          General Purpose Input

Any inputs that are not configured for use with the onboard reader may be used as general
purpose inputs. If you wish to use an access control input as a general input, you will need to
disable the associated function input in the door programming section of the Security Expert
user interface.


Programming Controller Inputs


DIN rail controllers have 8 onboard inputs for monitoring the state of devices such as magnetic
contacts and motion detectors.

Any inputs that are not configured for use with the onboard reader may be used as general
purpose inputs. If you wish to use an access control input as a general input, you will need to
disable the associated function input in the door programming section of the Security Expert
user interface.

Input Duplexing
Input duplexing allows the controller to support twice the number of inputs, wired in duplex
configuration using 1K and 2K4 resistors. For more information about the wiring requirements,
see the relevant installation manual.
1. To enable this feature, check the Duplex inputs option in Sites | Controllers | Options.
2. In addition, you will need to manually add the additional input records in Programming |
Inputs with the correct addresses as outlined below.
Enabling duplex inputs will not change the programming of any existing inputs. These must
be reprogrammed to match the new addressing scheme.

The following table indicates the position and resistor configuration corresponding to each
input address:

Input Address    Position    Resistor

1                Z1          1K
2                Z1          2K4
3                Z2          1K
4                Z2          2K4
5                Z3          1K
6                Z3          2K4
7                Z4          1K
8                Z4          2K4
9                Z5          1K
10               Z5          2K4
11               Z6          1K
12               Z6          2K4
13               Z7          1K
14               Z7          2K4
15               Z8          1K
16               Z8          2K4


Trouble Inputs
Trouble inputs are used to monitor the status of the controller and in most cases are not
physically connected to an external input. These can then be used to report a message to a
monitoring station, remote computer, keypad or siren.
The following table details the trouble inputs that are configured in the controller and the
trouble type and group that they activate.

Input Number    Description                              Type                 Group

CP001:01        Reserved                                 -                    -
CP001:02        12V Supply Failure                       Power Fault          General
CP001:03        Reserved                                 -                    -
CP001:04        Real Time Clock Not Set                  RTC/Clock Loss       General
CP001:05        Service Report Test                      -                    -
CP001:06        Service Report Failure to Communicate    Reporting Failure    General
CP001:07        Phone Line Fault (modem model only)      Phone Line Lost      General
CP001:08        Auxiliary Failure                        Power Fault          General
CP001:09        Bell Cut/Tamper                          Bell/Output Fault    General
CP001:10        Reserved                                 -                    -
CP001:11        Bell Current Overload                    Bell/Output Fault    General
CP001:12        Reserved                                 -                    -
CP001:13        Module Communication                     Module Loss          System
CP001:14        Module Network Security                  Module Security      System
CP001:15        Reserved                                 -                    -
CP001:16        Reserved                                 -                    -
CP001:17        Reserved                                 -                    -
CP001:18        Reserved                                 -                    -
CP001:19        Reserved                                 -                    -
CP001:20        Ethernet Link Lost                       Hardware Fault       System
CP001:21        Reserved                                 -                    -
CP001:22        ModBUS Communication Fault               Hardware Fault       System
CP001:23        Security Expert System Remote Access     Hardware Fault       System
CP001:24        Installer Logged In                      Hardware Fault       System
CP001:25        Reserved                                 -                    -
CP001:26        Reserved                                 -                    -
CP001:27        Reserved                                 -                    -
CP001:28        Reserved                                 -                    -
CP001:29        System restarted                         Hardware Fault       System
CP001:30        Reserved                                 -                    -
CP001:31        Reserved                                 -                    -
CP001:32        Reserved                                 -                    -
CP001:33        Controller Group Link Lost               Hardware Fault       System
...             ...                                      ...                  ...
CP001:64        Reserved                                 -                    -

Configuring the Cellular Modem Connection


Cellular modem connection requires the controller to be operating firmware version
2.08.1271 or higher.

1. Log in to the controller web interface and navigate to the System Settings page.
2. In the Adaptor - USB Ethernet tab, check Enable USB Ethernet to configure the
controller to look for an ethernet adaptor connected to its USB port.
3. If not automatically enabled, set the Connection to Cellular Modem to configure the
controller to communicate with the cellular modem connected to its USB port.
When this option is enabled the details of the cellular connection will be displayed.
4. Configure the Cellular Network Connection:
   - Cellular APN: The APN is specified by the mobile network operator (MNO) and is
     unique to that network. It is important to use the correct APN for the cellular service
     required.
   - Cellular Username: The username for the cellular network account.
   - Cellular Password: The password for the cellular network account.
5. Click Save.
6. Restart the controller.

Establishing the Connection


After the controller restarts it will automatically detect the modem and connect to the cellular
network. The connection status and details will be updated in the Cellular Information section.
It can take a minute or two for the modem to connect to the cellular network and obtain an IP
address, and the page may display 'Not registered' while the modem is initially starting up.

For cellular modem information and programming instructions, see the Security Expert
Security Purpose DIN Rail Cellular Modem Installation Manual and Security Expert Security
Purpose DIN Rail Cellular Modem Configuration Guide.


Additional ACX Controller Programming


This section outlines the additional programming requirements and options specific to
ACX controllers.

Reader Programming
Some programming is required within the Security Expert software to use the controller's
onboard reader ports.
- For SP-ACX controllers the reader ports must be configured for Wiegand reader
  connection (see Programming Wiegand Readers). SP-ACX controllers do not support RS-485 connections.
- For SP-ACX-V2 controllers both Wiegand (see Programming Wiegand Readers) and RS-485
  (see Programming RS-485 Readers) reader connections can be configured, with different
  programming requirements for each.

Reader Port Configuration


The controller's reader ports must be configured in the Security Expert software by linking
them to reader expander records. These reader expanders do not exist as physical expander
modules, but rather the records represent the onboard reader ports of the controller, and are
required to link the readers to the door programming.

Reader Expander Records for Wiegand Readers


- In order to use the controller's reader ports for Wiegand readers, a reader expander record
  with address 1 is required to represent the controller's 'onboard reader expander'.
  The 8 Wiegand readers must be programmed as smart reader records linked to Port 1 of
  the onboard reader expander.

Reader Expander Records for RS-485 Readers


- In order to use the controller's reader ports for RS-485 readers, four reader expander
  records addressed from 2-5 must be programmed, and the RS-485 readers must be linked
  to the ports of those reader expander records.

After completing RS-485 reader expander programming, you must perform a module
update on each individual reader expander by right clicking on each expander record
and selecting Update module. Performing a full module update on the system from the
controller record does not send the initial reader format configuration to the expander,
and connected readers will return a 'Read Control Error'.

For SP-ACX-V2 controllers, a combination of Wiegand and RS-485 readers may be
configured on the controller, using the required reader expander programming outlined above.

It is recommended that, even if not using all of the SP-ACX-V2 reader ports for RS-485
readers, you create the relevant reader expander records and name them as 'Reserved' for
the controller. This prevents the controller from receiving programming intended for another
module. Any unused reader ports should have their Port 1/2 network type set to Wiegand
mode (in Expanders | Reader expanders | General tab).


Programming Wiegand Readers


Each required Wiegand reader must be programmed as a smart reader connected to Port 1 of
the controller's onboard reader expander.
To configure Wiegand readers connected to the controller, the following must be programmed:
- The controller must have its onboard reader expander configured. The address of the
  onboard reader expander must be set to 1. This can be configured under Sites |
  Controllers | Configuration tab with the Register as reader expander option.
- Under Expanders | Reader expanders, there must be a reader expander record with
  Physical address 1, corresponding to the controller programming.
  In the General tab, the Port 1 network type must be set to Schneider Electric RS485.
  Even though Wiegand readers are connected, the Reader 1 port must be set to RS-485
  mode so that smart readers can be programmed in that port.
- One smart reader record must be added in Expanders | Smart readers for each
  Wiegand reader connected to the controller.
- The Expander address must be set to the address of the controller's onboard reader
  expander (1).
- The Expander port must be set to Port 1.
- The Configured address must correspond to the physical port to which the Wiegand
  reader is connected, as indicated in the table below.
- Further options may be configured in the Reader tab, including selecting the Location
  (entry or exit) of the reader.
The mapping for Wiegand readers is shown in the table below:

| ACX Reader Port | Onboard Reader Expander Address | Onboard Reader Expander Port | Smart Reader Address | Reader Direction |
|---|---|---|---|---|
| 1 | 1 | 1 | 1 | Entry or Exit |
| 2 | 1 | 1 | 2 | Entry or Exit |
| 3 | 1 | 1 | 3 | Entry or Exit |
| 4 | 1 | 1 | 4 | Entry or Exit |
| 5 | 1 | 1 | 5 | Entry or Exit |
| 6 | 1 | 1 | 6 | Entry or Exit |
| 7 | 1 | 1 | 7 | Entry or Exit |
| 8 | 1 | 1 | 8 | Entry or Exit |


Programming RS-485 Readers


RS-485 readers connected to the controller's reader ports can be programmed much like
normal readers associated with the reader expander records 2-5. These readers will function
identically to physically separate reader expanders connected via the module network.
To configure RS-485 readers connected to the controller, the following must be programmed:
- Reader expander records with addresses of 2-5 (as shown below) must exist in
  Expanders | Reader expanders. These correspond to the ACX reader ports being used
  for RS-485 readers, as indicated in the table below.
- Each reader expander port being used for RS-485 readers must have the Port 1/2
  network type set to Schneider Electric RS485. This will switch the hardware into RS-485
  mode.
- After completing RS-485 reader expander programming a module update must be
  performed on each reader expander record, in Expanders | Reader expanders, to send
  the reader format configuration to the expander.
The mapping for RS-485 readers is shown in the table below:

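| ACX Reader Port | Reader Expander Address | Reader Expander Port | Direction |
|---|---|---|---|
| 1 | 2 | 1 | Entry / Exit |
| 2 | 2 | 2 | Entry / Exit |
| 3 | 3 | 1 | Entry / Exit |
| 4 | 3 | 2 | Entry / Exit |
| 5 | 4 | 1 | Entry / Exit |
| 6 | 4 | 2 | Entry / Exit |
| 7 | 5 | 1 | Entry / Exit |
| 8 | 5 | 2 | Entry / Exit |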
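
The Wiegand and RS-485 rules above can be checked against a planned set of records before they are entered in the software. The following is an added example, not Schneider Electric code: the record classes, the `lint` function and the sample plan are hypothetical, and only the addresses, ports and network type names come from this guide.

```python
from dataclasses import dataclass

RS485 = "Schneider Electric RS485"  # network type name used in the guide
WIEGAND = "Wiegand"


@dataclass(frozen=True)
class ReaderExpander:  # hypothetical record shape, not a Security Expert export format
    address: int
    port_types: tuple  # (Port 1 network type, Port 2 network type)
    name: str = ""


@dataclass(frozen=True)
class SmartReader:  # hypothetical record shape
    expander_address: int
    expander_port: int
    configured_address: int


def rs485_slot(acx_port):
    """Map ACX reader port 1-8 to (reader expander address 2-5, expander port 1-2)."""
    if not 1 <= acx_port <= 8:
        raise ValueError(f"ACX reader port out of range: {acx_port}")
    return 2 + (acx_port - 1) // 2, 1 + (acx_port - 1) % 2


def lint(model, port_modes, expanders, smart_readers):
    """Return findings for a planned reader configuration.

    port_modes maps ACX reader port -> "wiegand" or "rs485"; ports left out are unused.
    """
    findings = []
    by_addr = {e.address: e for e in expanders}
    wiegand = sorted(p for p, m in port_modes.items() if m == "wiegand")
    rs485 = sorted(p for p, m in port_modes.items() if m == "rs485")
    rs485_slots = {rs485_slot(p) for p in rs485}

    if rs485 and model == "SP-ACX":
        findings.append(f"SP-ACX does not support RS-485 readers (ports {rs485})")

    if wiegand:
        onboard = by_addr.get(1)
        if onboard is None:
            findings.append("expander 1: onboard reader expander record is missing")
        elif onboard.port_types[0] != RS485:
            findings.append(f"expander 1 port 1: network type must be '{RS485}'")
        programmed = {r.configured_address for r in smart_readers
                      if r.expander_address == 1 and r.expander_port == 1}
        for p in wiegand:
            if p not in programmed:
                findings.append(f"reader port {p}: no smart reader on expander 1, "
                                f"port 1 with configured address {p}")

    for p in rs485:
        addr, port = rs485_slot(p)
        exp = by_addr.get(addr)
        if exp is None:
            findings.append(f"reader port {p}: expander {addr} record is missing")
        elif exp.port_types[port - 1] != RS485:
            findings.append(f"reader port {p}: expander {addr} port {port} "
                            f"network type must be '{RS485}'")

    if model == "SP-ACX-V2":
        in_use = {addr for addr, _ in rs485_slots}
        for addr in range(2, 6):
            exp = by_addr.get(addr)
            if exp is None:
                if addr not in in_use:
                    findings.append(f"expander {addr}: create a 'Reserved' record")
                continue
            for port in (1, 2):
                # The guide asks for Wiegand mode on unused ports; treating
                # Wiegand-wired ports the same way is this example's assumption.
                if (addr, port) not in rs485_slots and exp.port_types[port - 1] != WIEGAND:
                    findings.append(f"expander {addr} port {port}: not used for "
                                    f"RS-485, set network type to Wiegand")
    return findings


# Constructed plan: ports 1-2 Wiegand, ports 5-6 RS-485, the rest unused.
SAMPLE_MODES = {1: "wiegand", 2: "wiegand", 5: "rs485", 6: "rs485"}
SAMPLE_EXPANDERS = [
    ReaderExpander(1, (RS485, WIEGAND), "Onboard"),
    ReaderExpander(2, (WIEGAND, WIEGAND), "Reserved"),
    ReaderExpander(4, (RS485, WIEGAND), "ACX ports 5-6"),
    ReaderExpander(5, (RS485, WIEGAND), "Reserved"),
]
SAMPLE_READERS = [SmartReader(1, 1, 1), SmartReader(1, 1, 3)]

if __name__ == "__main__":
    for finding in lint("SP-ACX-V2", SAMPLE_MODES, SAMPLE_EXPANDERS, SAMPLE_READERS):
        print(finding)
```

On the constructed plan this reports the Wiegand reader on port 2 that has no smart reader record, the RS-485 port left in Wiegand mode, the missing 'Reserved' expander and the unused port left in RS-485 mode.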


Universal Input Connections


The ACX controller has 12 onboard inputs which can be operated as either a supervised
(digital) or general purpose analog input.
Additional inputs are supported through the use of two xP expansion modules and are mapped
as if they are on the controller itself. Inputs CP001:13 to CP001:20 represent the first module
and CP001:21 to CP001:28 represent the second module.
- xP modules with analog inputs (xPUI4, xPBA4, xPBD4) can be configured to treat the
  inputs as digital or supervised inputs.
- xP modules with digital inputs (xPDI8) can only be configured to treat the inputs as digital
  (no EOL) inputs.
For more information on xP module input configuration and supported modules, see
Application Note N-310: xP Module Configuration in Security Expert.

Module Inputs
The following table defines the Module input value required for mapping each Security Expert
input record to its corresponding physical input.

| Module Input | Physical Input Location |
|---|---|
| 1 | Input 1 on the controller |
| 2 | Input 2 on the controller |
| ... | ... |
| 12 | Input 12 on the controller |
| 13 | Input 1 on the first xP module |
| 14 | Input 2 on the first xP module |
| ... | ... |
| 20 | Input 8 on the first xP module |
| 21 | Input 1 on the second xP module |
| 22 | Input 2 on the second xP module |
| ... | ... |
| 28 | Input 8 on the second xP module |

Advanced Resistor Value Options


Some advanced custom resistor value configuration is possible for inputs connected to
ACX controllers, which requires specific programming in Security Expert.
In order to use 10K series, parallel or series-parallel resistor configurations they must be
configured in the software using commands. These commands will override the normal input
programming for Input end of line (EOL) and Contact type.


If you are using one of these EOL configurations, in the Security Expert software navigate to
Programming | Inputs | General and enter the following in the Commands field:

| Command | Description |
|---|---|
| EOL = NO-S | 10K normally open series |
| EOL = NO-P | 10K normally open parallel |
| EOL = NO-SP | 10K normally open series-parallel |
| EOL = NC-S | 10K normally closed series |
| EOL = NC-P | 10K normally closed parallel |
| EOL = NC-SP | 10K normally closed series-parallel |

These commands apply to inputs on the ACX controllers but are not supported on all
Security Expert field modules.

Trouble Inputs
Each controller can monitor up to 64 local trouble inputs. Trouble inputs are used to monitor
the status of the controller and in most cases are not physically connected to an external input.
These can then be used to report a message to a monitoring station, remote computer, keypad
or siren.
The following table details the trouble inputs that are configured in the controller. The trouble
type and group define the trouble that is generated by the trouble input when it is activated.

| Input Number | Description | Type | Group |
|---|---|---|---|
| CP001:01 | Tamper | Hardware Fault | System |
| CP001:02 | 12V supply failure | Power Fault | General |
| CP001:03 | Reserved | - | - |
| CP001:04 | Real Time Clock Not Set | RTC/Clock Loss | General |
| CP001:05 | Service Report Test | - | - |
| CP001:06 | Reserved | - | - |
| CP001:07 | Reserved | - | - |
| CP001:08 | Reserved | - | - |
| CP001:09 | Reserved | - | - |
| CP001:10 | Reserved | - | - |
| CP001:11 | Reserved | - | - |
| CP001:12 | Reserved | - | - |
| CP001:13 | Module Communication | Module Loss | System |
| CP001:14 | Module Network Security | Module Security | System |
| CP001:15 | Reserved | - | - |
| CP001:16 | Reserved | - | - |
| CP001:17 | Reserved | - | - |
| CP001:18 | Reserved | - | - |
| CP001:19 | Reserved | - | - |
| CP001:20 | Ethernet Link Lost | Hardware Fault | System |
| CP001:21 | Reserved | - | - |
| CP001:22 | ModBUS Communication Fault | Hardware Fault | System |
| CP001:23 | Security Expert System Remote Access | Hardware Fault | System |
| CP001:24 | Installer Logged In | Hardware Fault | System |
| CP001:25 | Reserved | - | - |
| CP001:26 | Reserved | - | - |
| CP001:27 | Reserved | - | - |
| CP001:28 | Reserved | - | - |
| CP001:29 | System restarted | Hardware Fault | System |
| CP001:30 | Reserved | - | - |
| CP001:31 | Reserved | - | - |
| CP001:32 | Reserved | - | - |
| CP001:33 | Controller Group Link Lost | Hardware Fault | System |
| ... | ... | ... | ... |
| CP001:64 | Reserved | - | - |


Programming Analog Inputs


Additional analog inputs can be provided by xP modules connected to ACX controllers. Each
analog input is mapped to a data value in Security Expert, which can be displayed on a floor
plan or status page, or used in programmable functions.

Programming the Virtual Analog Expander


First it is necessary to create a virtual analog expander record, which will allow the controller to
support up to four analog inputs.
1. Navigate to Expanders | Analog expanders and select the Controller you are
configuring.
2. Add a new analog expander.
   - Enable the Virtual module option.
   - Set the Physical address to an unused address (e.g. 32).
     The maximum physical address available for analog expander modules is 32.
   - Click Save.
3. In the Configure module window, set the following:
   - Type: SP-PSU-4A
   - Inputs: 0
   - Outputs: 0
   - Add trouble inputs: Disabled
   - Prepend controller name to added records: Disabled
   Click Add now.
4. In the Channel 1 tab, check Enable channel.
5. Locate Channel 1 data value and click the ellipsis [...] on the right to open the data value
programming.
6. Add a new data value with a Name that describes the function of this analog input and
click Save.
Record the Database ID of the data value record, then close the breakout window.
You may need to change the Controller selection to <All> for the new data value to
appear in the list.
7. Set the Channel 1 data value to the new data value.
8. Repeat the above steps in the Channel 2-4 tabs.
9. Click Save. Wait for the programming to be downloaded to the controller, then right click
on the analog expander and click Update module.
10. If more than four analog inputs are required, create additional virtual analog expanders
and configure them as above.

Configuring the Controller


A specific command must be entered in the controller programming to map the inputs to the
data values created above.
1. Navigate to Sites | Controllers.
2. Expand the Commands section and enter the following command:
AINxx = DVy
Where xx is the two digit mapping index of a controller or xP module input and y is the
database ID of the configured data value that will record the input data.
For example: AIN02 = DV123 would map the second analog input on the controller to
the data value with database ID 123.


For information on analog input mapping indexes, see Analog Input Mapping (see
below).
3. Add a command (on a new line) for each input to be configured as an analog input.
4. Click Save.

Input Data Values


The input voltage is read in 5mV increments, meaning that the voltage range 0-5V maps to
values 0 - 1000 in a data value. 5mV maps to a value of 1, 100mV maps to 20, etc.

Analog Input Mapping


The table below defines the analog input mapping index corresponding to each physical input.

| Input Mapping | Physical Input Location |
|---|---|
| AIN01 | Analog input 1 on the controller main board |
| AIN02 | Analog input 2 on the controller main board |
| ... | ... |
| AIN12 | Analog input 12 on the controller main board |
| AIN13 | Analog input 1 on the first xP module |
| AIN14 | Analog input 2 on the first xP module |
| AIN15 | Analog input 3 on the first xP module |
| AIN16 | Analog input 4 on the first xP module |
| AIN17 | Analog input 1 on the second xP module |
| AIN18 | Analog input 2 on the second xP module |
| AIN19 | Analog input 3 on the second xP module |
| AIN20 | Analog input 4 on the second xP module |


Outputs
The controller has 20 onboard outputs. There are four relays for door lock control and 16 LED
outputs for the 8 readers.
Outputs can be programmed using the Security Expert software. Outputs CP001:01 to
CP001:04 represent the controller's onboard outputs. The 16 reader LEDs are mapped as
outputs. If readers are not attached to the reader ports then the Reader 1 - 8 L1 and L2 outputs
can be used as general purpose outputs. Outputs CP001:20 to CP001:35 represent the 16
reader LED outputs.
Additional outputs are supported through the use of two xP expansion modules and are
mapped as if they are on the controller itself. Outputs CP001:05 to CP001:08 represent the
first module and CP001:09 to CP001:12 represent the second module.
- For modules that support digital outputs (xPDO2, xPDO4, xPBD4) the outputs can be
  configured as general purpose outputs.
- The voltage at the outputs of xP modules that support analog output (xPAO2, xPAO4,
  xPBA4) can be mapped to data values in the Security Expert system, monitored and
  controlled from a floor plan, and used in programmable functions.
For more information on xP module output configuration and supported modules, see
Application Note-310: xP Module Configuration in Security Expert.

Module Outputs
The following table defines the Module output value required for mapping each Security
Expert output record to its corresponding physical output.

| Module Output | Physical Output Location |
|---|---|
| 1 | Output 1 on the controller |
| 2 | Output 2 on the controller |
| 3 | Output 3 on the controller |
| 4 | Output 4 on the controller |
| 5 | Output 1 on the first xP module |
| 6 | Output 2 on the first xP module |
| 7 | Output 3 on the first xP module |
| 8 | Output 4 on the first xP module |
| 9 | Output 1 on the second xP module |
| 10 | Output 2 on the second xP module |
| 11 | Output 3 on the second xP module |
| 12 | Output 4 on the second xP module |


Reader Outputs
The 16 reader LEDs are mapped as outputs. If readers are not attached to the reader ports
then the Reader 1 - 8 L1 and L2 outputs can be used as general purpose outputs. These can
be controlled by assigning the respective controller output (CP001:20 to CP001:35) to a
programmable function, etc.

Reader LED Module Outputs


The following table defines the Module output value required for mapping each Security
Expert output record to its corresponding LED output.

| Module Output | Physical Output Location |
|---|---|
| 20 | LED 1 on Reader 1 |
| 21 | LED 2 on Reader 1 |
| 22 | LED 1 on Reader 2 |
| 23 | LED 2 on Reader 2 |
| 24 | LED 1 on Reader 3 |
| 25 | LED 2 on Reader 3 |
| 26 | LED 1 on Reader 4 |
| 27 | LED 2 on Reader 4 |
| 28 | LED 1 on Reader 5 |
| 29 | LED 2 on Reader 5 |
| 30 | LED 1 on Reader 6 |
| 31 | LED 2 on Reader 6 |
| 32 | LED 1 on Reader 7 |
| 33 | LED 2 on Reader 7 |
| 34 | LED 1 on Reader 8 |
| 35 | LED 2 on Reader 8 |


Programming Analog Outputs


If an xP module with analog outputs is connected to an ACX controller it is possible to
configure some available outputs as analog outputs. Each analog output is mapped to a data
value in Security Expert, which can be displayed and changed manually on a floor plan or
controlled automatically by a programmable function.

Programming the Virtual Analog Expander


First it is necessary to create a virtual analog expander record, which will allow the controller to
support up to four analog outputs.
1. Navigate to Expanders | Analog expanders and select the Controller you are
configuring.
2. Add a new analog expander.
   - Enable the Virtual module option.
   - Set the Physical address to an unused address (e.g. 32).
     The maximum physical address available for analog expander modules is 32.
   - Click Save.
3. In the Configure module window, set the following:
   - Type: SP-PSU-4A
   - Inputs: 0
   - Outputs: 0
   - Add trouble inputs: Disabled
   - Prepend controller name to added records: Disabled
   Click Add now.
4. In the Channel 1 tab, check Enable channel.
5. Locate Channel 1 data value and click the ellipsis [...] on the right to open the data value
programming.
6. Add a new data value with a Name that describes the function of this analog output and
click Save.
Record the Database ID of the data value record, then close the breakout window.
You may need to change the Controller selection to <All> for the new data value to
appear in the list.
7. Set the Channel 1 data value to the new data value.
8. Repeat the above steps in the Channel 2-4 tabs.
9. Click Save. Wait for the programming to be downloaded to the controller, then right click
on the analog expander and click Update module.
10. If more than four analog outputs are required, create additional virtual analog expanders
and configure them as above.

Configuring the Controller


A specific command must be entered in the controller programming to map the outputs to the
data values created above.
1. Navigate to Sites | Controllers.
2. Expand the Commands window and enter the following command:
AOPxx = DVy
Where xx is the two digit mapping index of an xP module output (as defined in the table
below), and y is the database ID of a configured data value record.
For example: AOP06 = DV123 would map the data value with database ID 123 to the
second analog output on the first xP module.


For information on analog output mapping indexes, see Analog Output Mapping (see
below).
3. Add a command (on a new line) for each output to be configured as an analog output.
4. Click Save.
To view and manually control the value set for each output, you can assign the respective data
values to variables then display the variables on a floor plan. Data values can also be
controlled from programmable functions, allowing for further automation.

Data Values
The output voltage is written in 100mV increments, meaning that the voltage range 0-20V
maps to values 0 - 200 in a data value. 100mV maps to a value of 1, 2V maps to 20, etc.

Analog Output Mapping


The table below defines the analog output mapping index corresponding to each physical
output.

| Output Mapping | Physical Output Location |
|---|---|
| AOP05 | Analog output 1 on the first xP module |
| AOP06 | Analog output 2 on the first xP module |
| AOP07 | Analog output 3 on the first xP module |
| AOP08 | Analog output 4 on the first xP module |
| AOP09 | Analog output 1 on the second xP module |
| AOP10 | Analog output 2 on the second xP module |
| AOP11 | Analog output 3 on the second xP module |
| AOP12 | Analog output 4 on the second xP module |
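
The `AINxx = DVy` and `AOPxx = DVy` commands from Programming Analog Inputs and Programming Analog Outputs can be linted before they are pasted into the controller's Commands field, and the data value scaling converted to volts. This is an added example, not part of the guide or the product: the function names and the sample command text are constructed, and flagging a data value ID used twice is this example's own policy.

```python
import re

AIN_RANGE = range(1, 21)    # AIN01-AIN12 main board, AIN13-AIN20 xP modules
AOP_RANGE = range(5, 13)    # AOP05-AOP12, xP module outputs only
INPUT_MV_PER_COUNT = 5      # inputs: 0-5 V maps to 0-1000
OUTPUT_MV_PER_COUNT = 100   # outputs: 0-20 V maps to 0-200

# Form shown in the guide; the controller's own parser may be stricter or looser.
_CMD = re.compile(r"^(AIN|AOP)(\d{2})\s*=\s*DV(\d+)$")


def location(kind, index):
    """Return the physical location for a mapping index, per the guide's tables."""
    valid = AIN_RANGE if kind == "AIN" else AOP_RANGE
    if index not in valid:
        raise ValueError(f"{kind}{index:02d} is outside "
                         f"{kind}{valid[0]:02d}-{kind}{valid[-1]:02d}")
    if kind == "AIN" and index <= 12:
        return f"analog input {index} on the controller main board"
    noun = "input" if kind == "AIN" else "output"
    n = index - (13 if kind == "AIN" else 5)  # 0-7 across the two xP modules
    return f"analog {noun} {n % 4 + 1} on the {('first', 'second')[n // 4]} xP module"


def parse_commands(text):
    """Return (mappings, findings) for the AIN/AOP lines of a Commands field."""
    mappings, findings = [], []
    seen_index, seen_dv = {}, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line.upper().startswith(("AIN", "AOP")):
            continue  # blank line or another command type, out of scope here
        m = _CMD.match(line)
        if m is None:
            findings.append(f"line {lineno}: malformed, expected AINxx = DVy or AOPxx = DVy")
            continue
        kind, index, dv = m.group(1), int(m.group(2)), int(m.group(3))
        try:
            where = location(kind, index)
        except ValueError as exc:
            findings.append(f"line {lineno}: {exc}")
            continue
        if (kind, index) in seen_index:
            findings.append(f"line {lineno}: {kind}{index:02d} already mapped "
                            f"on line {seen_index[(kind, index)]}")
            continue
        seen_index[(kind, index)] = lineno
        if dv in seen_dv:  # example policy: one data value per physical point
            findings.append(f"line {lineno}: DV{dv} is also used on line {seen_dv[dv]}")
        seen_dv.setdefault(dv, lineno)
        mappings.append((kind, index, dv, where))
    return mappings, findings


def input_volts(value):
    """Convert an analog input data value (0-1000) to volts."""
    if not 0 <= value <= 1000:
        raise ValueError(f"input data value out of range: {value}")
    return value * INPUT_MV_PER_COUNT / 1000


def output_value(volts):
    """Convert a target output voltage (0-20 V) to a data value, rounding down to a step."""
    millivolts = round(volts * 1000)
    if not 0 <= millivolts <= 20000:
        raise ValueError(f"output voltage out of range: {volts}")
    return millivolts // OUTPUT_MV_PER_COUNT


# Constructed Commands field content with four deliberate mistakes.
SAMPLE_COMMANDS = """\
AIN02 = DV123
AIN13 = DV124
AOP06 = DV125
AOP04 = DV126
AIN02 = DV127
AIN2 = DV128
AOP07 = DV123
"""

if __name__ == "__main__":
    mappings, findings = parse_commands(SAMPLE_COMMANDS)
    for kind, index, dv, where in mappings:
        print(f"{kind}{index:02d} -> DV{dv}: {where}")
    for finding in findings:
        print("FINDING", finding)
```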


Hardware Configuration
Setting the IP Address from a Keypad
If the current IP address of the controller is not known it can be viewed and changed using a
Security Expert keypad.
1. Connect the keypad to the module network.
2. Log in to the keypad using any valid installer code. The default installer code is 000000.
If the default code has been overridden and you do not know the new codes you will need
to default the controller (see Defaulting the Controller in this document) to reset the code.
Note that this will erase all existing programming as well as setting up the default
installer code.
3. Once logged in select Menu 4 (Install Menu) then Menu 2 (IP Menu) and view or edit the
IP address, network mask, and gateway as required.
Once the settings have been changed you must save the settings by pressing the [Arm] key.
You will be prompted to confirm the changes by pressing [Enter]. You must then restart the
controller, either through the menu [4], [2], [2] or by cycling the power, for the settings to
take effect.


Temporarily Defaulting the IP Address


If the currently configured IP address is unknown it can be temporarily set to 192.168.111.222
so that you can connect to the web interface to view and/or change it.

This defaults the IP address for as long as power is applied, but does not save the change
permanently. Once the link is removed and power is cycled to the unit the configured IP
address is used.

1. Remove power to the controller by disconnecting the 12V DC input.


2. Wait until the power indicator is off.
3. Connect a wire link between Reader 1 D0 input and Reader 1 L1 output.

[Figure: READER 1 terminal block with terminals BZ, L1, D1/NB and D0/NA]

4. Power up the controller. Wait for the status indicator to begin flashing steadily.

Accessing the Controller


5. When the controller starts up it will use the following temporary settings:
   - IP address: 192.168.111.222
   - Subnet Mask: 255.255.255.0
   - Gateway: 192.168.111.254
   - DHCP: disabled
6. Connect to the controller by entering https://192.168.111.222 into the address bar of your
web browser, and view or change the IP address as required.
Remember to change the subnet of your PC or laptop to match the subnet of the
controller.
7. Remove the wire link(s) and power cycle the controller again.
You can now connect to the controller using the configured IP address.


Temporarily Defaulting an ACX Controller IP Address


If the currently configured IP address is unknown it can be temporarily set to 192.168.111.222
so that you can connect to the web interface to view and/or change it.

This defaults the IP address for as long as power is applied, but does not save the change
permanently. Once the link is removed and power is cycled to the unit the configured IP
address is used.

1. Remove power from the controller by disconnecting the 12V DC input.
2. Connect a wire link between Reader 1 0-CLK input and Reader 1
LED1 output.
3. Power up the controller.

Accessing the Controller


1. When the controller starts up it will use the following temporary settings:
   - IP address: 192.168.111.222
   - Subnet Mask: 255.255.255.0
   - Gateway: 192.168.111.254
   - DHCP: disabled
2. Connect to the controller by entering https://192.168.111.222 into the address bar of your
web browser, and view or change the IP address as required.
Remember to change the subnet of your PC or laptop to match the subnet of the
controller.
3. Remove the wire link(s) and power cycle the controller again.
You can now connect to the controller using the configured IP address.


Defaulting a Controller
The controller can be factory defaulted, which resets all internal data and event information.
This allows you to remove all programming and start afresh.

Defaulting the controller resets the IP address to the factory default IP of 192.168.1.2.

1. Remove power to the controller by disconnecting the 12V DC input.


2. Wait until the power indicator is off.
3. Connect a wire link between the Reader 2 D0 input and the Reader 2 L1 output.

[Figure: READER 2 terminal block with terminals BZ, L1, D1/NB and D0/NA]

4. Power up the controller. Wait for the status indicator to begin flashing steadily.
5. Remove the wire link before making any changes to the controller's configuration.
The system will now be defaulted with all programming and System Settings returned to
factory configuration, including resetting the IP address and all network configuration, and
removing all operator records.
- Defaulting the controller resets the IP address to the factory default IP of 192.168.1.2.
  Earlier versions of the controller firmware do not reset the IP address. If the controller is
  not available on 192.168.1.2 you will be able to connect to it via its previous IP address.
- Any configured system settings (e.g. Default Gateway, Event Server) are reset to their
  default values.
- Any custom HTTPS certificates are removed and the default certificate is reinstalled.
  Earlier versions of the controller do not have a default HTTPS certificate installed. If the
  controller is not available via HTTPS, connect to it via HTTP.
- All operator records are removed and the admin operator must be recreated.
- All other programming is removed.

After Defaulting a Controller

Before making any changes to the controller's configuration or upgrading the firmware,
remove the wire link used to default the controller.

After defaulting a controller a number of essential steps will need to be performed to resume
normal operation. Not all of the following steps will necessarily be required, depending on your
site configuration:
1. Connect to the controller's web interface using HTTPS. If it is an older controller with
no default certificate loaded, connect using HTTP instead.
2. Recreate the admin operator and log in to the controller's web interface.
If you are not prompted to create the admin operator, the default username is admin with
the password admin.
3. Reset the controller's IP address to its previous value.
4. Reconfigure any additional network settings.

5. Reinstall previously installed custom HTTPS certificates.


6. Restore any other system settings as required by your site configuration.


Defaulting an ACX Controller


The controller can be factory defaulted, which resets all internal data and event information.
This allows you to remove all programming and start afresh.

Defaulting the controller resets the IP address to the factory default IP of 192.168.1.2.

1. Remove power from the controller.


2. Press and hold the reset button.
3. Reapply power to the controller.
4. Continue to hold the button down until the CPU LED is green and flashing.
The system will now be defaulted with all programming and System Settings returned to
factory configuration, including resetting the IP address and all network configuration, and
removing all operator records.
- Defaulting the controller resets the IP address to the factory default IP of 192.168.1.2.
  Earlier versions of the controller firmware do not reset the IP address. If the controller is
  not available on 192.168.1.2 you will be able to connect to it via its previous IP address.
- Any configured system settings (e.g. Default Gateway, Event Server) are reset to their
  default values.
- Any custom HTTPS certificates are removed and the default certificate is reinstalled.
  Earlier versions of the controller do not have a default HTTPS certificate installed. If the
  controller is not available via HTTPS, connect to it via HTTP.
- All operator records are removed and the admin operator must be recreated.
- All other programming is removed.

After Defaulting a Controller

Before making any changes to the controller's configuration or upgrading the firmware,
remove the wire link used to default the controller.

After defaulting a controller a number of essential steps will need to be performed to resume
normal operation. Not all of the following steps will necessarily be required, depending on your
site configuration:
1. Connect to the controller's web interface using HTTPS. If it is an older controller with
no default certificate loaded, connect using HTTP instead.
2. Recreate the admin operator and log in to the controller's web interface.
If you are not prompted to create the admin operator, the default username is admin with
the password admin.
3. Reset the controller's IP address to its previous value.
4. Reconfigure any additional network settings.
5. Reinstall previously installed custom HTTPS certificates.
6. Restore any other system settings as required by your site configuration.


Troubleshooting Controller Connectivity


The following section provides useful troubleshooting steps for situations where the controller
and server are not communicating.

Communication Requirements
For the server and controller to communicate, the following are required:
1. The controller must be physically networked to the server, or connected over the web.
2. The Security Expert services must be running.
3. The server must have the correct IP address for the controller.
4. The server must have the correct controller serial number to properly identify incoming
messages from it.
5. The controller must have the event server IP address and port set correctly (port 22000 by
default).
6. The controller must be contactable on the download and control ports (ports 21000 and
21001 by default).
7. Security Expert must have the correct computer name configured for the download and
event servers.
8. The Security Expert software and databases must have the same database version.
9. Encryption must either be disabled at both ends or enabled at both ends with the correct
encryption key.

Check that the Services are Running


The simplest and first thing to check is that the Security Expert services are running.
1. Open the Services snap-in by:
   • Pressing the Windows + R keys
   • Typing services.msc into the search bar and pressing Enter
2. Scroll down to the Security Expert services. Ensure that the following services are running:
   • Security Expert Data Service
   • Security Expert Download Service
   • Security Expert Event Service
   • Security Expert Update Service
3. If any service is not running, right click on it and click Start.
If any services will not start there may be another issue with your installation. For example,
the database version may be incompatible (see page 62).


Confirm Controller IP Address


For the server to be able to contact the controller it must have the correct IP address
programmed and be able to reach that IP address.
1. In Security Expert, navigate to Sites | Controllers.
2. In the General tab, highlight and copy (CTRL + C) the IP address.
3. Paste (CTRL + V) the IP address into the address bar of a web browser on the server, with
the prefix https:// (e.g. https://192.168.1.2).
You may be presented with a certificate security warning on connection.
4. If you cannot connect, remove the https:// prefix and try again (e.g. 192.168.1.2) as your
controller may not be configured for HTTPS.
5. If the controller is reachable using this IP address you should be presented with a simple
login screen.
6. Log in to the controller using admin credentials.
If you are unable to web browse to the controller you may not have the correct IP address. If
the IP address is unknown you will need to view/change it from a keypad or default the
controller's IP address (see below).
If you do have the correct IP address then it is likely that you have a network problem. Ensure
that the server and controller are on the same subnet, or have correct port forwarding
configured at the router.

From firmware version 2.08.911 controller ping is disabled by default. If the controller is
receiving downloads you can allow ping by adding the command EnablePing = true in
the controller commands.

Unknown Controller IP Address


If the currently configured IP address is unknown:
• It can be viewed and/or changed using a Security Expert keypad. For more information,
  see Setting the IP Address from a Keypad (page 53).
• It can be temporarily set to 192.168.111.222 so that you can connect to the web interface
  to view and/or change it. For more information, see Temporarily Defaulting the IP Address
  (page 54).

Confirm Controller Serial Number


Incoming messages from the controller to the server are identified by the controller's serial
number.
1. In the controller web interface, navigate to the Settings page.
2. Highlight and copy the Serial number.
3. In Security Expert, navigate to Sites | Controllers | General.
4. Paste into the Serial number field.

Duplicate IP Address or Serial Number


Although the software warns you, it is possible to save two controllers with the same IP or
serial number. In this case, the controller created first takes priority.
• Confirm you haven't created a controller with a duplicate IP address or serial number.
  Check all of your sites.
• If you have created a site for templates, these should be left with zero IP addresses and
  serial numbers.


If you have two controllers with the same IP address or serial number anywhere on your
server, there will be communication problems with at least one of them.

Confirm the Event Server is Functioning


To confirm the event server is functioning and listening on the correct port for incoming events,
open the event server diagnostic window.
1. In Security Expert, navigate to Sites | Controllers | General and expand the Diagnostic
windows section.
2. Select Open event server diagnostic window. You should see a message that reads
'Listening on Port : 22000'.
The default event server port is 22000, but this can be changed in Global | Event
servers.
3. If the event server diagnostic window shows messages about an unknown serial number,
events are being received from a controller with the serial number listed in the message.
This also means the event server is accepting incoming events.
4. In the controller web interface, ensure that the Event Port matches the port set in Security
Expert.
5. If you change the event port you must save and restart the controller using the icons in
the upper right before your changes will take effect.
If the event server diagnostic window contains no text there is a problem with the configuration
of the event server. This means the event server is not accepting incoming events. This can
sometimes be resolved by restarting the Security Expert Event Service:
1. Open the Services snap-in by:
   • Pressing the Windows + R keys
   • Typing services.msc into the search bar and pressing Enter
2. Locate the Security Expert Event Service. Right click on the service and select Restart.

Confirm Event Server IP Address


For messages to get from the controller to the server, the controller must have the correct IP
address for the event server.
1. On the server computer, open a command prompt. Enter the command ipconfig and
press [Enter].
2. You will be presented with the status and details of the server on various sub networks.
Locate and copy the IPv4 Address for the sub network that the controller is connected to.
For more complex networks it may be preferable to open a command prompt on a
machine the controller is directly connected to and use the ping command to ascertain
the external IP address of the server.
3. In the controller web interface, on the System Settings page, check that Event Server 1
has the correct IP address. Paste in the address located above if it does not match.
There are three spaces for entering the event server IP. This is for situations where
controllers have multiple paths to the server. In most cases the second and third event
server IP addresses should be left as all zeros or all 255s.

Confirm Ports
Next, ensure that the download and control ports set on the server match those set in the
controller interface.


1. In Security Expert, navigate to Sites | Controllers | General and check these values:
   • Download port (default 21000)
   • Control and status request port (default 21001)
2. In the controller web interface, on the System Settings page, ensure that the Download
Port and Control Port match those defined in the software.
3. If you have changed any settings on the controller, save your changes and restart the
controller for the changes to take effect.

Check Computer Name


The download and event servers must have a correct computer name that matches the server
machine. This usually only changes when you have restored a database from a different PC.

IMPORTANT: The computer name must be no longer than 15 characters, or downloads
will fail.

1. On the server computer, open Control Panel > All Control Panel Items > System to
view computer information.
2. Copy the Computer Name.
3. In Security Expert, navigate to Global | Download server and check that the Computer
name matches the name of the server machine. If not, paste in the name copied earlier.
4. Navigate to Global | Event server and again check and correct the Computer name.
5. If you have changed the computer name for either server, you must restart the
corresponding service.
1. Open the Services snap-in by:
   • Pressing the Windows + R keys
   • Typing services.msc into the search bar and pressing Enter
6. Locate the Security Expert services. Right click on the download service and/or event
service and click Restart.

Repair Database Compatibility


If you have restored a database from an older version of Security Expert, there may be a
mismatch between the software and database versions. In this case the Security Expert Data
Service will fail to start, the download and event server diagnostic windows will both remain
blank, and no downloads will be passed to the controller.
To resolve this issue you must uninstall and reinstall Security Expert. This will prompt a
database upgrade.

A backup taken from a newer version of Security Expert cannot be restored to an older
version.

Windows Firewall
When the controller and server are on the same local network the only place a firewall can be
blocking messages is on the server machine itself. This is called the Windows Firewall.


[Figure: the Server (Download Server and Event Server), Firewall, Switch and Controller, with events on port 22000.]

1. Open the Windows Firewall settings at Control Panel > All Control Panel Items >
Windows Firewall. If the firewall is on, it is shown in green.
2. To eliminate the Windows Firewall as a cause of communication problems, turn it off
temporarily by clicking Turn Windows Defender on or off at the left of the screen.
Disable the firewall for each network location.
Check whether this resolves the issue. If so, you can turn the Firewall back on and allow
the Security Expert services through the Firewall.
3. Click the Allow an app or feature through Windows Defender Firewall link on the left
of the screen.
Third-party antivirus or firewall software may prevent modification of Windows Firewall
rules. If this is the case, refer to the third-party manufacturer for details on allowing
programs through the firewall.
4. Select Allow another app... to add a program as an exception.
5. Click Browse..., then navigate to the Security Expert installation directory.
The default installation directory is C:\Program Files (x86)\Schneider Electric\Security
Expert.
6. Select (double click or select and Open) the executable that you want to allow, then click
Add.
Add the following Security Expert executables, one by one:
   • SecurityExpertSV.exe
   • SecurityExpertSV2.exe
   • SecurityExpertSV3.exe
   • SecurityExpert.exe
   • SecurityExpertEvtSvr.exe
   • SecurityExpertDVR1.exe
   • SecurityExpertDVR2.exe
This allows the necessary Security Expert services access through the Windows firewall.
The above process will only allow access through your primary network connection.
If you have multiple networks connected you will need to manually allow access (tick
the checkbox in the network column) for each additional network that the Security
Expert executable requires access through.
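
Steps 4 to 6 can also be scripted, which makes it easier to add program-scoped allow rules and keep the firewall switched on. The following is an added example, not part of the vendor guide: the installation path is the default quoted above, while the rule names and the choice of the Domain and Private profiles are assumptions to adjust for your site.

```powershell
# Added example (not from the vendor guide). Run in an elevated PowerShell session on the server.
# Assumption: Security Expert is installed in the default directory quoted in the guide.
$installDir = 'C:\Program Files (x86)\Schneider Electric\Security Expert'

# Executables the guide says to allow, one rule each.
$executables = 'SecurityExpertSV.exe', 'SecurityExpertSV2.exe', 'SecurityExpertSV3.exe',
               'SecurityExpert.exe', 'SecurityExpertEvtSvr.exe',
               'SecurityExpertDVR1.exe', 'SecurityExpertDVR2.exe'

# Record which firewall profiles are enabled before changing anything.
Get-NetFirewallProfile | Select-Object Name, Enabled

foreach ($exe in $executables) {
    $path = Join-Path $installDir $exe
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Skipping $exe (not found in $installDir)"
        continue
    }

    # Hypothetical naming scheme so the rules are easy to find and audit later.
    $ruleName = "Security Expert - $exe"
    if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
        continue   # rule already present, do not create a duplicate
    }

    # -Profile corresponds to the network columns in the GUI. Domain and Private are
    # an assumption here; add Public only if the controller network is classified that way.
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Program $path `
        -Action Allow -Profile Domain, Private | Out-Null
}

# Review the result.
Get-NetFirewallRule -DisplayName 'Security Expert - *' |
    Select-Object DisplayName, Enabled, Profile, Direction, Action
```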

Multiple Firewalls
On corporate networks there can be multiple firewalls.


[Figure: the Server (Download Server and Event Server) and the Controller separated by two Firewalls; status, control and downloads on ports 21000 and 21001, events on port 22000.]

To ensure these are configured correctly, provide the Security Expert Network Administrators
Guide to the appropriate IT staff member.

Encryption
Both Server and Controller Encryption Enabled
Encryption relies on a shared key that both the sender and receiver of a message know. The
message is encrypted using the key, then decrypted by the receiver using the same key. If the
message is intercepted, it will make no sense to anyone without the encryption key.

Server Enabled, Controller Disabled


If for some reason the receiver loses the key, it is unable to decrypt incoming messages. In this
case, the message is rejected.

Server Disabled, Controller Enabled


If the sender loses the key, the message is sent in plain text. The receiver, expecting to receive
encrypted events, will also reject the message as it may be of a malicious nature.

Server and Controller with Different Encryption Keys


If the sender and receiver have different keys, the message still cannot be decrypted by the
receiver. This also results in the receiver rejecting incoming messages.
Each time encryption is enabled at the server, a new encryption key is generated. Each
controller has a unique key, independent from all other controllers. If encryption for a controller
is disabled then enabled again, the key is changed. If encryption for a controller is disabled at
the server, the controller must be defaulted. It is not possible to re-enable encryption without
first defaulting the controller.

Both Server and Controller Encryption Disabled


If encryption is disabled at both the sender and receiver, received messages are accepted.
The downside with this scenario is that anyone 'listening' between the sender and receiver can
also receive the messages.

Disabling Encryption
Defaulting the controller is the only way to remove the encryption key. This is by design and
intended as a security feature. It means that physical access to the controller must be gained
before encryption can be disabled.
If you are unsure of the state of encryption of either the server or controller, disable encryption
at the server, then default the controller. This ensures that neither is encrypted and rules this
out as a cause of communications problems. Encryption should then be re-enabled once
communications are established.


1. Disable encryption at the server.
Navigate to Sites | Controllers | Configuration tab and click Disable controller
encryption.
The software warns you prior to disabling encryption.
2. Default the controller (see Defaulting a Controller).

Telnet
To confirm a network path exists from the server to the controller and the correct ports are
open, you can telnet to the controller on the download port (by default port 21000).
1. If the Telnet feature is not turned on, open the Control Panel > All Control Panel Items
> Programs and Features.
2. Click Turn Windows features on or off. Locate the Telnet Client, check the box next to
it and click OK.
3. Open a command prompt and attempt to telnet to the controller.
For example, enter the command telnet 192.168.1.2 21000
   • If the controller can accept the connection, a clear screen appears with a cursor
     blinking in the top left corner.
   • If there is no connection, a message will advise there is still a problem between the
     server and controller. If you can web browse to the controller, it is likely a firewall is
     blocking the connection somewhere.
Finally, to confirm the event server is able to accept connections, configure a laptop with the
same IP settings as the controller.
1. Remove the ethernet plug from the controller and plug into your laptop.
2. Try to telnet to the server IP address on the event server port (22000 by default):
telnet 192.168.1.100 22000
   • If the server is able to accept connections, the clear screen and blinking cursor
     appear.
   • If the server is not reachable, a message will advise there is still a problem, indicating
     a firewall is blocking port 22000 to the server.
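
The server-side checks from this chapter (services, computer name length, event port listener, and TCP reachability of the controller) can be run in one pass from PowerShell, without enabling the Telnet Client feature. This is an added example, not part of the vendor guide; it assumes the controller is at the guide's example address 192.168.1.2, that the default ports are in use, and that the services carry the display names listed earlier.

```powershell
# Added example (not from the vendor guide). Run on the Security Expert server.
# Assumed values: controller IP is the guide's example address; ports are the defaults.
$ControllerIp = '192.168.1.2'
$DownloadPort = 21000
$ControlPort  = 21001
$EventPort    = 22000

$results = [System.Collections.Generic.List[object]]::new()
function Add-Result($Check, $Ok, $Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Ok = [bool]$Ok; Detail = "$Detail" })
}

# 1. The four services the guide lists must be running.
$expected = 'Data', 'Download', 'Event', 'Update' |
    ForEach-Object { "Security Expert $_ Service" }
foreach ($name in $expected) {
    $svc   = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    $state = if ($svc) { $svc.Status } else { 'not found' }
    Add-Result "Service: $name" ($state -eq 'Running') $state
}

# 2. Computer name limit (15 characters). $env:COMPUTERNAME is the NetBIOS name and is
#    already truncated to 15 characters, so measure the full host name instead.
$hostName = [System.Net.Dns]::GetHostName()
Add-Result 'Computer name <= 15 chars' ($hostName.Length -le 15) "$hostName ($($hostName.Length))"

# 3. A process on this server must be listening on the event port.
$listener = Get-NetTCPConnection -LocalPort $EventPort -State Listen -ErrorAction SilentlyContinue
$owner = if ($listener) {
    (Get-Process -Id @($listener)[0].OwningProcess).ProcessName
} else { 'no listener' }
Add-Result "Listening on TCP $EventPort" ([bool]$listener) $owner

# 4. TCP reachability of the controller's download and control ports.
#    Test-NetConnection falls back to ping when the TCP connect fails; ping is disabled
#    by default from firmware 2.08.911, so that warning is suppressed and only the
#    TCP result is recorded.
foreach ($port in $DownloadPort, $ControlPort) {
    $t = Test-NetConnection -ComputerName $ControllerIp -Port $port -WarningAction SilentlyContinue
    Add-Result "Controller TCP $port" $t.TcpTestSucceeded "${ControllerIp}:$port"
}

$results | Format-Table -AutoSize
```

For the reverse direction, run `Test-NetConnection -ComputerName <server IP> -Port 22000` from the laptop that has taken the controller's place on the network.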

Schneider Electric
www.schneider-electric.com
© 2022 Schneider Electric. All rights reserved.