Dynacord PROMATRIX 9000 How to use
PROMATRIX 9000
Public Address and Voice Alarm System
en Release notes
PROMATRIX 9000 Table of contents | en 3
Dynacord Release notes 2022-12 | V1.70 |
Table of contents
1Introduction 5
1.1 Document history 5
1.2 Release history 5
1.3 Scope 5
1.4 Installation and configuration 6
2Supported products 6
2.1 Release 1.70 6
2.2 Release 1.61 6
2.3 Release 1.60 6
2.4 Release 1.50 7
2.5 Release 1.42 7
2.6 Release 1.41 8
2.7 Release 1.40 8
2.8 Release 1.30 9
2.9 Release 1.20 9
3Compliance to voice alarm standards 10
3.1 Release 1.20 10
3.2 Release 1.40 11
3.3 Release 1.41 11
3.4 Release 1.42 11
3.5 Release 1.50 11
3.6 Release 1.61 11
3.7 Release 1.70 11
4Notices 11
4.1 Documentation and software download 11
4.2 Software update 11
4.3 Fault event - Temperature too high 12
4.4 Load measurement 12
4.5 Audio equalizer 12
4.6 Minimum message length 12
4.7 System controller redundancy configuration 12
4.8 Network snapshot 12
4.9 Multi-VLAN 12
4.10 Multiple redundant system controllers 12
4.11 Static IP in fail safe mode 13
4.12 ARNI V8.41 13
5Missing functions 13
5.1 System controller 13
5.2 License for Multi-controller functionality 13
6Known limitations 13
6.1 Firmware upload to call station fails 13
6.2 Dante multicast 13
6.3 Scheduled calls 13
6.4 Load measurement 14
6.5 Firmware upgrade 14
6.6 Enable Network Time Protocol (NTP) 14
6.7 Audio missing on systems with multiple subnets 14
6.8 Dante audio outputs 14
PROMATRIX 9000 Introduction | en 5
Dynacord Release notes 2022-12 | V1.70 |
1 Introduction
1.1 Document history
Release date Documentation version Reason
2020-12 V1.20 1st edition
2021-06 V1.40 Chapters updated for release
1.40
2021-10 V1.41 Chapter updated: 1.1, 1.2,
2.2.
Chapter added: 2.1, 3.3.
2021-12 V1.42 Chapter updated: 1.1, 1.2.
New chapter: 2.1, 3.6.
2022-05 V1.50 Chapters updated: 1.1, 1.2,
2.4, 7.
New chapters: 2.1, 3.5, 4.9,
5.2, 6.10, 6.11.
2022-09 V1.61 Chapter updated: 1.1, 1.2, 4,
4.2, 4.8, 6.8.
New chapters: 2.1, 2.2, 3.8,
4.10, 4.11, 4.12, 6.9, 6.13.
2022-12 V1.70 Chapters updated: 1.1, 1.2, 7.
New chapters: 2.1, 3.7.
1.2 Release history
Release date Released version Reason
2020-12 1.20 Official release.
2021-06 1.40 Official release.
2021-10 1.41 Official release.
2021-12 1.42 Official release.
2022-05 1.50 Official release.
2022-08 1.60 Internal release.
2022-11 1.61 Official release.
2022-12 1.70 Official release.
1.3 Scope
The release notes give an overview of new functionality compared to the previous release. It
reports known limitations and possible workarounds.
6en | Supported products PROMATRIX 9000
2022-12 | V1.70 | Release notes Dynacord
1.4 Installation and configuration
Detailed installation and configuration instructions are provided in the installation manual and
configuration manual of PROMATRIX 9000. Both manuals can be downloaded from
www.dynacord.com in the PROMATRIX 9000 product section.
When a PROMATRIX 9000 system is installed for voice alarm purposes, take notice of the
installation and configuration directions in the checklist for compliance to the EN54‑16 and
EN54‑4 standards. The checklist can be found at the end of the installation manual.
2 Supported products
2.1 Release 1.70
Same list of supported products as
Release 1.20, page 9
,
Release 1.40, page 8
and
Release 1.50, page 7
.
Added functionality:
– Implementation of a SIP/VoIP interface for telephone paging with live speech. A SIP
extension number can be linked to a PROMATRIX 9000 call macro. It is possible to
configure call priority, start and end chimes, and the destination of the call. Besides
telephone paging, the SIP/VoIP function can be used as another interface for audio and
control to PROMATRIX 9000 from 3rd party systems such as intercom, nurse call, and
passenger information systems.
– Implementation of a lock function to protect a call station placed in public against
unauthorized access. To gain access to the call station, the operator must enter a User
number and a Pin code in the LCD. The call station will automatically lock out after the
lock timer expires or when the user presses the logout button.
2.2 Release 1.61
Same list of supported products as
Release 1.20, page 9
,
Release 1.40, page 8
and
Release 1.50, page 7
.
Added functionality:
– Support of static IP address allocation is now available in addition to DHCP and Link
Local address allocation. The Network configurator facilitates the assignment of IP
addresses to either DHCP or static IP mode. It is a separate PC-based software tool and
is available for download from www.dynacord.com.
– It is possible to assign up to 10 standby controllers to one duty controller. All system
controllers must be in the same subnet. This feature is especially convenient for a large
setup with multiple system controllers. If a connection between system controllers fails,
they continue to operate as separate self-sufficient systems, within their locally
connected audio zones and call stations.
– The bug where a keypad extension mismatch of a Call station was not always reported
correctly was fixed.
2.3 Release 1.60
Not published, release for internal purposes only.
PROMATRIX 9000 Supported products | en 7
Dynacord Release notes 2022-12 | V1.70 |
2.4 Release 1.50
Same list of supported products as
Release 1.20, page 9
and
Release 1.40, page 8
. Now,
the OMN-ARNIE and the OMN-ARNIS can also be installed and configured. The Cisco
IE-5000-12S12P-10G switch can be installed as a backbone switch in an EN54-16 compliant
PROMATRIX 9000 network.
Added functionality:
– Support of the multi-controller functionality to allow the installation of a PROMATRIX
9000 system with multiple subsystems, each with its own system controller. Every
additional system controller expands the system scalability. All subsystems are self-
contained as they can operate independent of the other subsystems. The subsystems can
also operate as a single large system under the control of a master or a superordinate
system. In a multi-controller system, it is possible to make calls from the master system
to the subsystems. For emergency purposes, the multi-controller system operates as a
single large system: The emergency state and the fault state are propagated from
subsystem to master and from master to subsystem. This feature complies with
emergency standards, but it is not compliant with DNV-GL Type Approval.
– Support of the licensing mechanism to enable multi-controller systems, as well as other
future functionalities.
– OMNEO platform upgrade to enable multi-VLAN support for PROMATRIX 9000.
PROMATRIX 9000 can now be installed in networks that are divided by a router in
multiple sub networks.
– Support of OMN-ARNIE and OMN-ARNIS supervision. In case of redundant deployment,
both the primary and the secondary devices are supervised. Multi-VLAN installations
require the use of OMN-ARNIE devices to enable device discovery and audio clock
synchronization.
– Switch supervision based on secure SNMP V3: The Cisco IE-5000-12S12P-10G router/
switch and the PRA-ES8P2S (software version 1.01.06 or higher) are part of the network
supervision to be able to detect defective or redundant network connections The
switches are supervised for presence and power supply.
– Support of the single press push-to-talk button (PTT) for a business call station: A call
station in sleep mode is activated with the first press of the PTT button. The call starts
immediately. This feature is especially convenient when no extension keypad is connected
and a handheld microphone is in use.
– The bug fix that a battery leakage fault could not be reset after disconnecting the battery
was resolved.
– High audio level on amplifiers no longer leads to audio interruptions due to false positives
in the 100V line supervision.
Refer to
– Release 1.20, page 9
2.5 Release 1.42
Same (list) of supported products as
Release 1.20, page 9
.
Added functionality:
– A potential weak point in the audio path supervision has been fixed. In rare cases, it could
happen that an Amplifier channel fault (caused by a broken H‑bridge MOSFET) was not
detected.
8en | Supported products PROMATRIX 9000
2022-12 | V1.70 | Release notes Dynacord
– In accordance with the North American standard for Mass Notification Systems, the
software language set of English (UL2572) has been revised and expanded in UL2572
terminology.
– The Call station indicator test has been extended to the LCD display, in cadence with the
microphone LED ring, the display will show the identical colors.
– A bug fix has been implemented to resolve the issue that in some cases a System
controller watchdog reset occurred while making a call on a Zone where volume was
controlled by an Ambient Noise Sensor.
2.6 Release 1.41
Same list of supported products as
Release 1.20, page 9
but now the PRA-CSBK is part of
the set that can be installed and configured.
Added functionality:
– A bug fix has been implemented to resolve the issue that under certain conditions an
“Amplifier channel fault” with “Severity: High” got the status “resolved” when on the
same amplifier channel a fault occurred with “Severity: low” priority.
– For compliance to the Chinese GB16806 standard the translation of “EOL fault” into
Simplified Chinese language was changed to a translation in standard-compliant
terminology.
– A bug fix has been implemented to solve an issue that appeared when Background music
was muted. When automatic volume control was configured in combination with BGM
there was a possibility that when BGM was muted, amplifiers started to disconnect/
connect to the system.
– A bug was fixed that in rare cases a high priority call stopped all running calls that were
playing a message in the start chime phase.
2.7 Release 1.40
Same list of supported products as
Release 1.20, page 9
, but now the PRA-ANS is part of
the set that can be installed and configured.
Added functionality:
– Support for the new PRA-ANS Ambient noise sensor. The unit monitors changing ambient
noise levels for automatic adjustment of announcement or background music levels (AVC
- Automatic Volume Control). This insures the public address audio is set at a
configurable level above the ambient noise in order to guarantee intelligibility of
announcements, yet at a comfortable level. Upon failure or disconnection of the device,
the announcement volume of the subscribing amplifier channels is automatically set to its
maximum within the applicable control range.
– Support for the PRA-CSBK Call station kit, basic, which will be available by November
2021. The Call station kit, basic is an open frame call station to create dedicated, fully
customized control panels with a CAN bus interface.
– Make announcement with zone selection is now available as an additional function for
extension buttons. This function can be assigned to buttons and is similar to the Make
announcement function, but without the pre-configured zone / zone groups selection.
Using the Make announcement with zone selection function, a pre-recorded message,
based on a call definition, can be started aborted/stopped in one or more manual
selected zones / zone groups.
PROMATRIX 9000 Supported products | en 9
Dynacord Release notes 2022-12 | V1.70 |
– Zones and zone groups can now be configured to the call station’s Push‑To‑Talk button to
make live announcements without connecting to a call station extension. It simplifies the
handling of basic calls that are always going to the same zone or zone group. Zone
selection from a Call station extension can be done in parallel.
– Traditional Chinese is available and added to the language selection for the Graphic user
interface of the PM9-CSLx.
– Functionality is added in preparation for certification to the North American standard for
mass notification systems:
– English (UL2572) is available for language selection. This language selection is used
for mass notification systems and will set Configuration software and Graphic user
interface of the PM9-CSLx to a specific English, that complies to UL terminology.
– For each device a check box is added to General setting, which is set to Emergency
relevant on default. Troubles (faults) that occur on devices that have assigned
Emergency relevant will reported as Mass notification system faults.
– Class Mass notification is a new option in General settings of PM9-CSLx. Class Mass
notification let the Call station act as a First responder panel for Mass Notification
Systems (MNS). Emergency group is a new set of functionality, that allows multiple
first responders (fire fighters) to control the evacuation of a building from multiple
locations in which each has, one or more, First responder panel(s) (FRP’s) in use.
– Transfer of control is a new function, that is only available when Class: Mass
notification and Emergency group are set. In order to avoid confusion among the first
responders (fire fighters), actions are only possible on one First responder panel at
the time. That First responder panel is then 'in control'. It is possible to force the 'in
control' state and to grant or deny a request.
Refer to
– Release 1.20, page 9
2.8 Release 1.30
Not published, release for internal purposes only.
2.9 Release 1.20
The following PROMATRIX 9000 products can be installed and configured:
PM9-SCL System controller, large
PM9-AD604 Amplifier, 600W 4‑channel
PM9-AD608 Amplifier, 600W 8‑channel
PM9-EOL End‑of‑line device
PM9-MPS3 Multifunction power supply, large
PM9-CSLD Desktop LCD call station
PM9-CSLW Wallmount LCD call station
PM9-CSE Call station extension
PRA-ES8P2S Ethernet switch, 8xPoE, 2xSFP
PRA-SFPSX Fiber transceiver, multimode
PRA-SFPLX Fiber transceiver, single mode
10 en | Compliance to voice alarm standards PROMATRIX 9000
2022-12 | V1.70 | Release notes Dynacord
The following products can be used without need for configuration:
PRA-PSM24 Power supply module 24V
PRA-PSM48 Power supply module 48V
The following products are already described in the installation manual and/or the
configuration manual, but are not yet available:
PM9-SCM System controller, medium
PM9-SCS System controller, small
Added functionality:
– UL amplifier mode is added to system settings. When the amplifiers run in this mode,
they comply to the requirements of UL with regards to temperature limitations.
– In a system with System controller redundancy, the Dante audio routing for inputs and/
or outputs is synchronized with the redundant System controller. The Dante audio routing
is configured for the duty System controller. As soon as the backup System controller
takes over the Dante audio routing is automatically recreated.
– Fixes have been applied to the following security vulnerabilities of the configuration web
interface. These changes only affect the web interface which is only used during
configuration of the system:
– In the web configuration of the System controller a Cross‑Site Request Forgery
(CSRF) vulnerability has been found. This has been solved by adding verification data
to the web pages.
– In the web configuration of the System controller a Cross‑site Scripting (XSS)
vulnerability has been found. This has been solved by sanitizing the data that is
received from the web pages better to avoid that script data is fed back to the
browser.
– Additional HTTP headers are added to the web pages giving instructions to the
browser in helping to avoid cross‑site attacks.
3 Compliance to voice alarm standards
3.1 Release 1.20
This software release in combination with the following products is certified for compliance to
EN54‑16 and EN54‑4. See 0560-CPR-202190028 and Declaration of Performance
GO002947v0.
PM9-SCL System controller, large
PM9-AD604 Amplifier, 600W 4‑channel
PM9-AD608 Amplifier, 600W 8‑channel
PM9-EOL End‑of‑line device
PM9-MPS3 Multifunction power supply, large
PM9-CSLD Desktop LCD call station
PM9-CSLW Wallmount LCD call station
PROMATRIX 9000 Notices | en 11
Dynacord Release notes 2022-12 | V1.70 |
PM9-CSE Call station extension
PRA-ES8P2S Ethernet switch, 8xPoE, 2xSFP
PRA-SFPSX Fiber transceiver, multimode
PRA-SFPLX Fiber transceiver, single mode
3.2 Release 1.40
Same compliances as
Release 1.20, page 10
.
Now also added to EN54‑16 and to ISO7240‑169:
PRA-ANS Ambient noise sensor.
3.3 Release 1.41
Same compliances as
Release 1.20, page 10
No new changes and/or additions.
Refer to
– Release 1.20, page 10
3.4 Release 1.42
Same compliances as
Release 1.20, page 10
.
No new changes and/or additions.
3.5 Release 1.50
Same compliances as
Release 1.20, page 10
.
For release 1.50, the PROMATRIX 9000 system has also been certified for EN54‑16 and
ISO7240‑169.
i
Notice!
In combination with the PROMATRIX 9000 system, the OMN-ARNIE, the OMN-ARNIS and the
Cisco IE-5000-12S12P-10G switch are not certified with DNV-GL Type Approval.
3.6 Release 1.61
Same compliances as
Release 1.20, page 10
and
Release 1.50, page 11
.
3.7 Release 1.70
Same compliances as
Release 1.20, page 10
and
Release 1.50, page 11
.
4 Notices
System characteristics that are normal and intended, but possibly not expected.
4.1 Documentation and software download
PROMATRIX 9000 product documentation and software is available from www.dynacord.com
> PROMATRIX 9000 product section.
4.2 Software update
If an updated configuration was created with a newer software version, it should not be used
on an older software version.
Always store and keep backups of the current configuration before upgrading.
12 en | Notices PROMATRIX 9000
2022-12 | V1.70 | Release notes Dynacord
4.3 Fault event - Temperature too high
If the amplifier detects temperature higher than +90 °C, the output level is attenuated by -3 dB
in order to counteract this. The -3 dB attenuation is removed after the fault is acknowledged
and reset. Before the fault can be cleared the temperature needs to drop below +80 °C.
4.4 Load measurement
The amplifier loudspeaker load measurement is part of the configuration (Diagnose > Amplifier
loads). It is an essential step in the system configuration to do a load measurement to check
whether the amplifier channels and the amplifier are not overloaded. Without this check, the
amplifier channel volume is automatically set to -12dB to protect the amplifier from
unexpected overload conditions in case of an alarm situation.
4.5 Audio equalizer
The DSP audio equalizers have an internal headroom of 18dB. Do not use audio equalizer
settings with an accumulated gain of more than 18dB at any frequency, as this will cause
audio clipping for full scale input signals. It is good practice to do most of the frequency
response corrections by attenuation of prominent frequency bands.
4.6 Minimum message length
The minimum message length for repeating messages is 500ms.
4.7 System controller redundancy configuration
When a second System controller is added to a system for redundancy, the second System
controller must be reset to factory default.
4.8 Network snapshot
A new network snapshot is required after a device is added, removed or replaced.
A system with redundant cabling and network supervision enabled requires a new network
snapshot after a device is added, removed or replaced.
As long as a new network snapshot is not taken, a fault in the new device will not be reported.
4.9 Multi-VLAN
In systems with VLANs in combination with the OMN-ARNIE and the OMN-ARNIS, the lifeline
between an amplifier and an PM9-MPS3 only works if both devices are part of the same
subsystem.
4.10 Multiple redundant system controllers
Each standby system controller can take up to five minutes to synchronize with the duty
controller. The synchronization is sequential, one standby system controller after the other.
When the recorded message storage of the duty system is at full capacity, the maximum time
per standby system controller is five minutes.
Do not disturb the network during the period of synchronization. Make sure the duty
controller remains operational until all standby controllers have finished synchronizing. If local
conditions allow, check the Link LEDs of all standby controllers:
– Yellow: the standby controller is not yet synchronized.
– Blue: the synchronization is over and the controller is ready.
PROMATRIX 9000 Missing functions | en 13
Dynacord Release notes 2022-12 | V1.70 |
4.11 Static IP in fail safe mode
When a system controller or a power amplifier switches to fail-safe mode, its static IP-address
is set to a DHCP or a link-local address.
If necessary, use the PRAESENSA Network Configurator to check the network mode and return
it to a static IP.
4.12 ARNI V8.41
In a life safety system, version 1.61 of PROMATRIX 9000 cannot be used in combination with
an 8.41 or early versions of the OMN-ARNIE/OMN-ARNIS devices.
5 Missing functions
System functions that are mentioned in the documentation, but have been postponed.
5.1 System controller
The PM9-SCS System controller small and PM9-SCM System controller medium are postponed
to a later release. The PM9-SCL System controller large performs effectively equal or better
than the smaller versions.
5.2 License for Multi-controller functionality
One PRA-LSPRA License for PRAESENSA subsystems is required per subsystem. Contact
Bosch to request the license.
6 Known limitations
System functions that are implemented but with limitations. In some cases workarounds are
given.
6.1 Firmware upload to call station fails
The MTU (Maximum Transmission Unit) of the call stations is 1468. When the MTU of the PC
network adapter that is used is set to a lower value than 1472 (1468 + 4), the data packets are
split across different frames; the FWUT (Firmware Upload Tool) cannot handle this and will
disconnect.
Check the actual MTU value of the network adapter by opening a cmd‑window (with
administrator rights) and enter:
netsh interface ipv4 show subinterface
If the MTU value is too low, it can be increased temporarily to a higher value by entering:
netsh interface ipv4 set subinterface
"<name of interface>"
mtu=1500
store=persistent
Then try again.
6.2 Dante multicast
Only use Dante unicast streams between a Dante device and the system controller to prevent
multicast addressing conflicts, that can result in audio distortion or not being able to setup a
call.
6.3 Scheduled calls
If a scheduled call is activated by a button of a call station extension, the scheduled time
intervals are ignored and the call starts immediately. Scheduled calls can only be started from
a control input.
14 en | Known limitations PROMATRIX 9000
2022-12 | V1.70 | Release notes Dynacord
6.4 Load measurement
When a load measurement on an amplifier channel is done with a shorted loudspeaker line,
the web page will indicate: “Not measured”. Remove the short circuit and redo the load
measurement.
6.5 Firmware upgrade
Before using the firmware upgrade tool, make sure the released PROMATRIX 9000 firmware
files have been installed also.
In some rare cases the upgrade of a device will not be successful in the first attempt. If this
occurs please retry for the device for which it failed.
6.6 Enable Network Time Protocol (NTP)
NTP is configured on the “Time settings” page. Enable “Set time automatically (NTP)” and
press submit. Wait for the reboot system page; this will take a few seconds. Press “System
reboot” to activate NTP. If you navigate away to another configuration page too early and don’t
wait for the reboot system page, a non-responsive web page will show "Loading" and NTP will
remain disabled.
6.7 Audio missing on systems with multiple subnets
In systems with multiple subnets, live paging from a Call station is possible without chimes,
recorded messages and Dante audio channels from the system controller.
To solve the problem of missing audio signals, update the system to software version 1.50 and
perform a factory reset of the system controller, in that order.
Before doing a factory reset of the system controller hardware, make sure you do a backup so
that your configuration can be restored afterwards.
Note that recorded messages are not part of the backup configuration .tar.gz file. Make sure to
save them so that they can be uploaded again after restoring the configuration file.
6.8 Dante audio outputs
A system with System controller redundancy does not support secure Dante 4‑digit PIN
(Personal Identification Number) on the Dante audio outputs.
You might want to use Dante audio outputs to interface with 3rd party devices like amplifiers or
devices for recording purposes. When control is switched from duty system controller to
redundant System controller, the transmit of the Dante output channels of the duty system
controller is moved to the redundant System controller in order to make the Dante audio
outputs redundant.
The persistent Dante audio channels cannot be authenticated and not encrypted, so they form
a security risk, as no precautions are taken against malicious or accidental attacks via their
network interfaces. For highest security, these Dante output channels in combination with
System controller redundancy must not be used as part of the PROMATRIX 9000 system.
6.9 Multiple redundant System controllers
Release 1.20 is tested with one duty and one redundant System controller. There is no built‑in
limit, and it is possible to add multiple redundant System controllers. A system setup with
more than one redundant System controller was not tested and proper operation cannot be
confirmed.
PROMATRIX 9000 Security precautions | en 15
Dynacord Release notes 2022-12 | V1.70 |
6.10 DHCP server
When the DHCP server is not available when the system starts it can happen that some
devices do not receive an DHCP IP‑address and will remain in link‑local. The consequence is
that these devices do not connect to the System Controller. If the System Controller does not
receive a DHCP IP‑address it cannot connect to the system devices. It is strongly
recommended to have the DHCP server available when the system starts.
6.11 Sticky faults
Sticky faults might occur in a system with a Cisco IE-5000-12S12P-10G switch. Take a new
network snapshot to solve it.
This might happen after a restart of an ARNI device or of the Cisco switch itself.
6.12 Multi-subnet
Before using a PROMATRIX 9000 system on multiple VLAN, contact Bosch support.
6.13 Firmware upload of CST and PRA-ANS with static IP-addresses
A firmware upload of the PM9-CSLx Call stations and PRA-ANS Ambient noise sensors
produced with firmware prior to V1.60 will fail if the devices are set to static IP.
For every firmware upload of these devices, you must:
1. Change the static IP-addresses of the devices to a DHCP- or link-local address.
2. Update the devices to the new software version.
– You can now change the DHCP-addresses to static IP-addresses.
7 Security precautions
PROMATRIX 9000 is an IP‑connected, networked Public Address and Voice Alarm system. In
order to ensure that the intended functions of the system are not compromised, special
attention and measures are required during installation and operation to avoid tampering of
the system. Many of such measures are provided in the PROMATRIX 9000 configuration
manual and installation manual, related to the products and the activities described. This
section provides an overview of precautions to be taken, related to network security and
access to the system.
– Follow the installation instructions with respect to the location of equipment and the
permitted access levels. Refer to Location of racks and enclosures. Make sure that
critical* call stations and operator panels that are configured for alarm functions only
have restricted access using a special procedure, such as being mounted in an enclosure
with lockable door or by configuration of user authentication on the device**.
* Call stations, that address very large areas, are considered as critical.
** Availability of the user authentication function is to be announced.
– It is highly recommended to operate PROMATRIX 9000 on its own dedicated network, not
mixed with other equipment for other purposes. Other equipment may be accessible by
unauthorized people, causing a security risk. This is especially true if the network is
connected to the Internet.
– It is highly recommended that unused ports of network switches are locked or disabled to
avoid the possibility that equipment is connected that may compromise the system. This
is also the case for PROMATRIX 9000 call stations that are connected via a single network
cable. Make sure that the connector cover of the device is in place and properly fixed, to
16 en | Security precautions PROMATRIX 9000
2022-12 | V1.70 | Release notes Dynacord
avoid that the second network socket is accessible. Other PROMATRIX 9000 equipment
should be installed in an area that is only accessible by authorized people to avoid
tampering.
– Use an Intrusion Protection System (IPS) with port security where possible to monitor
the network for malicious activity or policy violations.
– PROMATRIX 9000 uses secure OMNEO for its network connections. All control and audio
data exchange use encryption and authentication, but the system controller allows the
configuration of unsecure Dante or AES67 audio connections as an extension of the
system, both as inputs and as outputs. These Dante/AES67 connections are not
authenticated and not encrypted. They form a security risk, as no precautions are taken
against malicious or accidental attacks through their network interfaces. For highest
security, these Dante/AES67 devices should not be used as part of the PROMATRIX 9000
system. If such inputs or outputs are needed, use unicast connections.
– For security reasons, by default the PRA-ES8P2S Ethernet switch is not accessible from
the Internet. When the default (special link‑local) IP‑address is changed to an address
outside the link‑local range (169.254.x.x/16), then also the default (published) password
must be changed. But even for applications on a closed local network, for highest security
the password may still be changed. Refer to Installation.
– To enable SNMP, for example to use the Dynacord Network analysis tool OMN‑DOCENT,
use SNMPv3. SNMPv3 provides much better security with authentication and privacy.
Select the authentication level SHA and encryption via AES. To configure the switch
accordingly, refer to Installation.
– From PROMATRIX 9000 software version 1.50 onwards, the PRA-ES8P2S switches and
the CISCOIE-5000 series switches report their power fault and network connection
status directly to the PROMATRIX 9000 system controller through SNMP. The switches
can be daisy-chained without an OMNEO device between them for connection
supervision. The PRA-ES8P2S is preconfigured for this purpose from custom firmware
version 1.01.05 onwards.
– The system controller webserver uses secure HTTPS with SSL. The web server in the
system controller uses a self‑signed security certificate. When you access the server via
https, you will see a Secure Connection Failed error or warning dialog indicating that the
certificate was signed by an unknown authority. This is expected and to avoid this
message in the future you have to create an exception in the browser.
– Make sure that new user accounts for system configuration access use sufficiently long
and complex passwords. The user name must have between 5 and 64 characters. The
password must have between 4 and 64 characters.
– The PROMATRIX 9000 system controller provides an Open Interface for external control.
Access via this interface requires the same user accounts as for system configuration
access. In addition, the system controller generates a certificate to setup the TLS
(secure) connection between the system controller and the Open Interface client.
Download the certificate and open/install/save the crt‑file. Activate the certificate on the
client PC. Refer to System security in the PROMATRIX 9000 configuration manual.
– System access to the devices of this system is secured via the OMNEO security user name
and passphrase of the system. The system uses a self-generated user name and long
passphrase. This can be changed in the configuration. The user name must have between
5 and 32 characters and the passphrase must have 8 to 64 characters. To update the
firmware of the devices, the firmware upload tool requires this security user name and
passphrase to get access.
PROMATRIX 9000 Security precautions | en 17
Dynacord Release notes 2022-12 | V1.70 |
– In case a PC for event logs is used (PROMATRIX 9000 logging server and viewer), make
sure that the PC is not accessible by unauthorized persons.
– Do not leave unprotected call stations that can address a wide area on public accessible
places. Use a locked cabinet or configure the call station with user authentication. Use
secure VoIP protocols (SIPS) whenever possible, including verification through VoIP
server certificate. Only use non-secure protocols when the SIP server (PBX) does not
support secure VoIP. Only use VoIP audio in the protected sections of the network,
because the VoIP audio is not encrypted.
– Anyone with the ability to dial one of the extensions of the system controller can make an
announcement in the PRAESENSA system. Do not allow external numbers to dial the
system controller extensions.
18 | Security precautions PROMATRIX 9000
2022-12 | V1.70 | Release notes Dynacord
Bosch Sicherheitssysteme GmbH
Robert-Bosch-Ring 5
85630 Grasbrunn
Germany
www.dynacord.com
© Bosch Sicherheitssysteme GmbH, 2022
202212191647
Table of contents
