Milestone Recorder Failover

Ensures basic continuity

Executive Summary

Milestone Recorder Failover, available in XProtect Expert and Corporate editions, provides an active-passive mechanism where a standby recorder takes over in the event of primary failure. Once the primary comes back up, content recorded on the failover recorder is transferred back to the primary to restore consistency.

While this ensures basic service continuity, failover activation can take tens of seconds to minutes, creating unavoidable gaps in both live monitoring and recorded content. The standby node does not hold prior media, leaving pre-failover footage inaccessible in the failed-over state. Automatic backups cannot protect against ransomware since encrypted data is replicated. Efficiency is limited to a one-to-one model, requiring a dedicated standby for each protected recorder. As a result, Milestone Recorder Failover offers coverage for hardware outages but leaves gaps in consistency and cyber resilience.

Milestone XProtect Recording Server Failover

Failover

If the active stack fails, the passive stack activates. Activation time varies from tens of seconds to minutes. The solution does not provide stream-level failover, where only failed primary streams are started on the standby.

Failover State

Consistency

Although the solution allows for stack-level failover with media backfill to the primary after failback, it lacks consistency in two key areas.

Non-Zero Failover Time Creates Content Gaps
  1. The non-zero failover time inevitably creates gaps in media availability. During this window, live monitoring is interrupted, and recorded streams are incomplete, resulting in blind spots in both real-time situational awareness and post-event investigations. These forensic gaps undermine the reliability of video evidence and can weaken compliance and liability defense when edge recording and restoration are unavailable.

  2. The standby node lacks media database content from the primary stack. Therefore, when the standby is active, content recorded before the standby was activated is not accessible.

Primary stack's media database is unavailable during failover

Cybersecurity

If an attack encrypts the primary server's media database, causing the recorder to stop functioning, the standby server takes over. However, the standby device never gains access to content recorded before it was turned on. Therefore, content recorded before the standby's activation is lost, possibly forever. Additionally, if an automatic media backup solution is used for the primary, it becomes ineffective because the backup is also encrypted.

Cyberattack encrypting the primary's media

Efficiency

Efficiency is 1:1, meaning one standby node can support one primary node failure. Two standbys are required to support two simultaneous primary node failures, and so on.
