NAE Commissioning Guide

MS-NAE35xx-x, MS-NAE45xx-x, MS-NAE55xx-x, MS-NIE55xx-x, Code No. LIT-1201519

MS-NCE25xx-x, MS-NIE8500-x, MS-NAE8500-x Software Release 9.0
Issued August 2017
Refer to the QuickLIT website for the most up-to-date version of this document.

Document Introduction.............................................................................................................5
Summary of Changes................................................................................................................5
NAE Commissioning Overview................................................................................................6
Network Automation Engines (NAEs)...............................................................................................6
NAE35 Models......................................................................................................................................7
NAE45 Models......................................................................................................................................7
NAE55 Models......................................................................................................................................7
NAE-S Model........................................................................................................................................7
NIE55 Models........................................................................................................................................8
NCE25 Models......................................................................................................................................8
NxE85 Model.........................................................................................................................................8
MS/TP Communications Bus.............................................................................................................8
Metasys Network Sites.......................................................................................................................9
NAE Commissioning.........................................................................................................................11
NAE Configuration............................................................................................................................12
Site Management Portal User Interface..........................................................................................14
Metasys UI.........................................................................................................................................15
Metasys Help Files............................................................................................................................15
Browser Recommendations for Downloading the Launcher.......................................................16
System Configuration Tool..............................................................................................................16
CCT.....................................................................................................................................................17
Archive Databases............................................................................................................................17
NAE Disk Image Updates and Archive Database Upgrades.........................................................17
Site Director.......................................................................................................................................17
NAE Computer Name........................................................................................................................18
NAE Object Name.............................................................................................................................18
Basic Access Operating Mode........................................................................................................19
Login User Names and Passwords.................................................................................................19
NAE Connectivity..............................................................................................................................19
Modems and Dial-Out Features.......................................................................................................20
Time Zone, Date, and Time Management........................................................................................21
Alarms and Events............................................................................................................................22
Serial Printer DDA (Alarm Printer)...................................................................................................23
Recommended Serial Printer..............................................................................................................23
Serial Printer Installation Considerations............................................................................................26
Email Notification..............................................................................................................................26
Pager Notification.............................................................................................................................27
Syslog DDA........................................................................................................................................28
Simple Network Management Protocol (SNMP) Notification........................................................30
RADIUS Overview.............................................................................................................................31
Initial Default NAE Configuration....................................................................................................32
Allow HTTP........................................................................................................................................33
System and User Preferences.........................................................................................................35
Reset Device Command...................................................................................................................35
Detailed Procedures................................................................................................................36

NAE Commissioning Guide 1

 Installing Launcher to Access the NAE..........................................................................................36
Full Launcher Installer.........................................................................................................................37
Single Site Connection........................................................................................................................39
Establishing a Direct Connection to an NAE.................................................................................40
Preparing an NAE for a Network That Supports DHCP and DNS.................................................40
Preparing an NAE for a Network without DHCP and without DNS Support When the NAE Uses
APIPA.................................................................................................................................................42
Preparing an NAE for a Network without DHCP and without DNS Support When the NAE Uses
a Static IP Address...........................................................................................................................43
Preparing an NAE for a Network That Supports DHCP but Not DNS...........................................44
Preparing an NAE for a Network That Supports DNS but Not DHCP...........................................45
Enabling the Serial Printer DDA......................................................................................................45
Preparing NxE85 for Serial Printing....................................................................................................48
Creating Audit Entries for Discarded Events.................................................................................48
Accessing the Site Management Portal UI on an NAE..................................................................48
Establishing Basic NAE Parameters in the Focus Screen............................................................49
Establishing the NAE Network Parameters....................................................................................50
Establishing the NAE Direct-Connect and Modem Parameters...................................................51
Creating Email Alarm and Event Notifications and Destinations.................................................53
Configuring Encrypted Email..........................................................................................................57
Configuring Encrypted Email with No Authentication Required..........................................................57
Configuring Encrypted Email with SMTP Authentication....................................................................57
Configuring Encrypted Email with POP-Before-SMTP Authentication................................................58
Creating Pager Alarm and Event Notifications and Destinations................................................59
Creating NAE SNMP Alarm Notifications and Destinations.........................................................62
Enabling Syslog Reporting..............................................................................................................64
Configuring a RADIUS Server..........................................................................................................66
Adding RADIUS Users......................................................................................................................69
Setting the Time, Date, Time Zone, and Time Synchronization....................................................70
Setting up the NAE Alarm Parameters............................................................................................70
Editing the Existing Alarm Parameters...............................................................................................71
Creating a New Alarm.........................................................................................................................72
Changing Site Director Status of an NAE.......................................................................................73
Changing the Site Director with the SCT............................................................................................75
Removing User Accounts from a Demoted Site Director.............................................................75
Moving Security Database and Clearing It from Demoted Site Director Prior to Release 6.0............75
Moving Security Database and Clearing It from Demoted Site Director Release 6.0 or Later...........75
Establishing a Dial-up Connection to an NAE...............................................................................76
Configuring an NAE to Dial Out to an ADS/ADX/ODS...................................................................76
Printing Information from the NAE Site Management Portal UI...................................................78
Disabling the Windows Firewall on an NAE...................................................................................78
Enabling and Disabling the Warning Banner.................................................................................82
Replacing an NAE.............................................................................................................................82
Troubleshooting.......................................................................................................................83
Common NAE Problems..................................................................................................................83
Corrupted NAE Memory......................................................................................................................83
Login Problems...................................................................................................................................84
RADIUS Errors....................................................................................................................................85
Situations When Metasys System Login Screen Appears for RADIUS Users...................................85
Network Connection Related Problems..............................................................................................87
NAE Reset Related Problems.............................................................................................................87

Commissioning Guide 2
 Troubleshooting Guide........................................................................................................................88
NAE Diagnostic Tools.......................................................................................................................91
NAE LED Status Indicators.................................................................................................................91
NAE35/NAE45 LED Startup Sequence..............................................................................................95
NAE55/NIE55 LED Startup Sequence................................................................................................95
NCE25 LED Startup Sequence...........................................................................................................95
Diagnostic Tab.....................................................................................................................................95
Summary Tab......................................................................................................................................97
Troubleshooting Procedures...........................................................................................................99
Verifying Ethernet Network Communications (Ping)...........................................................................99
Pre-Boot Execution Environment (PXE).............................................................................................99
Determining the NAE IP Address and Device Name for a Network Connection................................99
Determining the NAE IP Address By Using the NCT..........................................................................99
Determining the NAE IP Address and Device Name By Using a Serial Port Monitor.........................99
Setting a Computer to be Compatible with APIPA.......................................................................100
Related Documentation.........................................................................................................101
Technical Specifications.......................................................................................................102
Appendix: Time Zone, Date, and Time Management..........................................................108
Time Zone, Date, and Time Management Introduction................................................................108
Overview of Time Synchronization...............................................................................................108
ADS/ADX/ODS Site Director with Network Engines.........................................................................108
NIE and Child Devices......................................................................................................................109
Time Synchronization Methods.....................................................................................................109
Windows Time Synchronization........................................................................................................109
Multicast Time Synchronization........................................................................................................110
BACnet Time Synchronization..........................................................................................................110
Example Network............................................................................................................................110
Multiple Time Zones........................................................................................................................111
Site Time Server..............................................................................................................................112
Time in Device Object and User Interface Status Bar.................................................................112
Steps for Successful Time Management......................................................................................113
Verifying the Site Director Defined for an Engine/Server..................................................................113
Setting the Time Synchronization Method........................................................................................114
Network Engine as Site Director.......................................................................................................115
ADS/ADX/ODS as Site Director........................................................................................................118
Configuring Additional Multicast Time Synchronization Settings......................................................121
Appendix: Configuring and Maintaining Preferences........................................................123
Configuring and Maintaining Preferences Introduction..............................................................123
Preferences Concepts....................................................................................................................123
System and User Preferences..........................................................................................................123
Managing Preferences......................................................................................................................125
Detailed Procedures.......................................................................................................................126
Configuring Preferences...................................................................................................................126
Restoring Default System Preferences.............................................................................................126
Copying Preferences between Devices............................................................................................126
Restoring Default User Preferences.................................................................................................126
Removing User Preference Files......................................................................................................127
Copying User Preferences to Another User......................................................................................127
Preserving Preferences for a Network Engine Update.....................................................................127
Appendix: Certificate Management......................................................................................128
Certificate Management Introduction...........................................................................................128
Commissioning Guide 3
 Certificate Signing Request (CSR)................................................................................................130
Import Certificate............................................................................................................................130
Export Certificate............................................................................................................................131
Certificate List View........................................................................................................................131
Certificate Tree View.......................................................................................................................132
Download Certificate......................................................................................................................133
Detailed Procedures.......................................................................................................................133
Requesting a Certificate....................................................................................................................133
Importing a Certificate.......................................................................................................................136
Exporting a Certificate.......................................................................................................................138
Downloading a Certificate.................................................................................................................139
Uploading a Certificate......................................................................................................................140
Deleting a Certificate.........................................................................................................................142
Deleting a Certificate Request..........................................................................................................142
Replacing a Self-Signed Certificate..................................................................................................142
Backing Up a Certificate...................................................................................................................143

Commissioning Guide 4
Document Introduction
This document describes how to:
• commission a Network Automation Engine (NAE), Network Integration Engine (NIE), or Network Control Engine
(NCE) for network connectivity in several network scenarios
• access the Metasys® system Site Management Portal UI on an NAE
• configure the basic NAE parameters for initial operation on the network
• troubleshoot an NAE
• configure the NAE Destination Delivery Agents (DDAs) for sending alarm and event messages through email,
pager, and Simple Network Management Protocol (SNMP)
• configure a Syslog DDA for sending events and audits to an external Syslog server
• disable the Microsoft® Windows® firewall on an NCE25, NAE35, or NAE45 for the purpose of improving the
overall performance of these network engine models
This document does not describe how to mount, wire, or power on an NAE. Also, this document does not describe
how to build or download an archive database for a Metasys system site or how to configure an NAE to monitor and
control a building automation system (BAS).
Note: In this document, NAE refers to all NCE25, NAE35, NAE45, NAE45-Lite, NAE55, NIE55, and NxE85 models,
unless noted otherwise.
Also, in addition to this document, refer to the following literature for information specific to your model of NAE:
• Secure NAE-S: refer to the NAE-S Commissioning Guide (LIT-12012269), a confidential Johnson Controls
document
• NxE85 Series: refer to the NxE85 Commissioning Guide (LIT-12011044)
• NCE25 Series: refer to the NCE Technical Bulletin (LIT-12011267)
• NIEx9 Series: refer to the NIEx9 Commissioning Guide (LIT-12011922)

Summary of Changes
The following information is new or revised:
• Updated screens throughout to indicate the new release number.
• Added Windows Server® 2016 as a supported operating system.
• Updated Launcher screen examples throughout the document.
• Updated Figure 71 to include the Time Zone attribute.
• Removed Ready Access Portal option from all network diagrams.
• Added information about enabling encrypted and trusted communication between the Metasys Server and
network engines to Appendix: Certificate Management.
• Modified the steps for preparing an NAE for communication over the building network. The affected sections
include: Preparing an NAE for a Network That Supports DHCP and DNS, Preparing an NAE for a Network without
DHCP and without DNS Support When the NAE Uses APIPA, Preparing an NAE for a Network without DHCP
and without DNS Support When the NAE Uses a Static IP Address, Preparing an NAE for a Network That
Supports DHCP but Not DNS, and Preparing an NAE for a Network That Supports DNS but Not DHCP.
• Added new section called Allow HTTP.

NAE Commissioning Guide 5

NAE Commissioning Overview
Network Automation Engines (NAEs)
NAEs are web-enabled, Ethernet-based, supervisory controllers that connect BAS networks to IP networks and the
web, and allow you to monitor and control BAS field devices from a computer using the Launcher application. You
use the Launcher application to log in to the NAE. If the Launcher is not already installed on your machine, you are
prompted to install it when you attempt to log in using a web browser. To install the Launcher, use either a supported
version of Windows Internet Explorer, Google Chrome, or Apple® Safari® . (Other web browsers may work, but are
not tested or supported.) Refer to the Launcher Installation Instructions (LIT-12011783).
The NAE Series of supervisory controllers is a scalable line of appliance computers with varying network, trunk, and
field device capacities to meet the requirements of different applications.
All NAEs provide scheduling, alarm and event management, trending, energy management, data exchange, dial-out
capability, and password protection. NAEs are factory-loaded with a supported Microsoft® Windows® operating
system and the current release of the Metasys system software.
An NAE set as a Site Director can have its Warning Banner enabled, which forces a special U.S. Department of
Defense (DoD) statement to appear when operators log in to the Site Management Portal of the engine. This banner
is primarily intended for United States military facilities. The banner satisfies the requirements for a mandated DoD
Information Assurance Certification and Accreditation Process (DIACAP). The banner cannot be customized or its
text be changed. For steps on how to enable or disable this banner, see Enabling and Disabling the Warning Banner.
Figure 1: United States DoD Warning Banner

NAE Commissioning Guide 6

NAE35 Models
The NAE35 models:
• support one RS485 field bus or one LONWORKS® network trunk into a Metasys system network. The NAE351x
models integrate one N2 Bus or one BACnet® MS/TP trunk with up to 50 field controllers. The NAE352x models
integrate a single LONWORKS trunk with up to 64 LONWORKS devices.
• monitor and control up to 50 BACnet IP devices over Ethernet at the supervisory level
• serve as a Site Director supervising a maximum of two additional network engines, which can be NAE35 or
NCE25 model engines only
Several NAE35 models provide the Basic Access operating mode as the primary UI. See Basic Access Operating
Mode for more information.

NAE45 Models
The NAE45 models:
• support either one RS485 field bus or one LONWORKS network trunk into a Metasys system network. The NAE451x
models integrate one N2 Bus or one BACnet MS/TP trunk with up to 100 field controllers. The NAE452x models
integrate a single LONWORKS trunk with up to 127 LONWORKS devices.
• monitor and control up to 50 BACnet IP field devices over Ethernet at the supervisory level
• serve as a Site Director supervising a maximum of two additional network engines, which can be NAE35, NAE45,
or NCE25 model engines only
Notes:
• The NAE45-Lite supports the MS/TP bus and BACnet IP communication to third-party devices. The NAE45-Lite
does not support the N2 Bus, N1 integration, VND integration, Xl5K integration, LONWORKS network, or
wireless supervisor (N2).
• The NAE45-Lite must have an ADS-Lite-A as its Site Director, or be stand-alone. The NAE45-Lite cannot
be a Site Director to other engines.

NAE55 Models
The NAE55 models:
• support up to two RS485 field buses into a Metasys system network. The NAE551x models integrate two N2
Buses, two BACnet MS/TP trunks, or one N2 Bus and one BACnet MS/TP trunk. Each bus or trunk may contain
up to 100 field controllers. The NAE552x models can also integrate a LONWORKS network trunk with up to 255
LONWORKS devices. NAE55 models can also monitor and supervise a number of BACnet IP devices; the total
number of BACnet IP devices depends on the number of objects each device supports.
• supervise BACnet/IP field controllers from Johnson Controls, such as the FAC4911 Advanced Application Field
Equipment Controller and the VMA1930 Variable Air Volume Modular Assembly.
• serve as a Site Director supervising a maximum of four other network engines, which can be NAE35, NAE45,
NCE25, NAE55, or NIE55 model engines

NAE-S Model
The NAE-S model:
• supports up to two RS485 field buses into a Metasys system network. The NAE551S model integrates two N2
Buses, two BACnet MS/TP trunks, or one N2 Bus and one BACnet MS/TP trunk. Each bus or trunk may contain
up to 100 field controllers. A LONWORKS network NAE-S model is not offered. The NAE-S can also monitor and

NAE Commissioning Guide 7

 supervise a number of BACnet IP devices; the total number of BACnet IP devices depends on the number of
objects each device supports.
• supervise BACnet/IP field controllers from Johnson Controls, such as the FAC4911 Advanced Application Field
Equipment Controller and the VMA1930 Variable Air Volume Modular Assembly.
• communicates on an encrypted network with other encrypted NAE-S engines or unencrypted network engines.
The NAE-S is a hardened version of the NAE55-series network engine. This network engine has embedded
encryption technology under a securely fastened enclosure to protect and secure the building automation system
at the endpoint.
• serves as a Site Director supervising a maximum of four other NAE-S engines over the encrypted network

NIE55 Models
The NIE55 models:
• migrate N1 networks into a Metasys system network. NIEs do not integrate BACnet networks, N2 trunks, or
LONWORKS networks
• serve as a Site Director supervising a maximum of four other supervisory devices, which can be NAE35, NAE45,
NCE25, NAE55, or NIE55 model engines

NCE25 Models
The NCE25 models:
• support either one field bus or one LONWORKS® network trunk into a Metasys system network, specifically:
- NCE256x-x: one BACnet® MS/TP trunk with up to 32 MS/TP controllers
- NCE251x-x: one N2 Bus with up to 32 N2 controllers
- NCE252x-x: one LONWORKS trunk with up to 32 LONWORKS devices
• monitor and control up to 50 IP BACnet field devices over Ethernet at the supervisory level
• provide an integral MS/TP Field Equipment Controller with 33 Input/Output (I/O) points
• cannot serve as Site Director except in stand-alone applications

NxE85 Model
The NAE85 model:
• migrates large N1 networks into a Metasys system network
• supervise BACnet/IP field controllers from Johnson Controls, such as the FAC4911 Advanced Application Field
Equipment Controller and the VMA1930 Variable Air Volume Modular Assembly.
• serves as a Site Director supervising a maximum of four other supervisory devices, which can be NAE35, NAE45,
NCE25, NAE55, NIE55, or NxE85 model engines
Refer to the NxE85 Commissioning Guide (LIT-12011044) for additional information specific to the NxE85 Series
network engines.

MS/TP Communications Bus

The Master-Slave/Token-Passing (MS/TP) bus is a local or remote network that connects supervisory controllers
and field controllers to point interfaces using BACnet MS/TP protocol. The remote network, called the Remote Field
Bus, requires the addition of a BACnet/IP to BACnet MS/TP Router. The MS/TP bus consists of two types of buses:
the Field Controller (FC) Bus or the Sensor/Actuator (SA) Bus. Each bus has its own set of device addresses. For
details on how to apply the local and remote MS/TP bus, refer to the MS/TP Communications Bus Technical Bulletin
(LIT-12011034).

NAE Commissioning Guide 8

Metasys Network Sites
A remote services connection allows you to connect your Metasys site to cloud-based applications. Figure 2 and
Figure 3 show how a cloud-based application is incorporated into the Metasys network. For more information on
how to connect to cloud-based applications, refer to Remote Services Connection in the Metasys® SMP Help
(LIT-1201793) or the Metasys® SCT Help (LIT-12011964).
A small Metasys network site comprises a single NAE or multiple NAEs with one of the NAEs designated as the Site
Director (Figure 2). See Site Director for additional information on Site Director hierarchy and the number of network
engines a Site Director can supervise.
Figure 2: Metasys Network with NAE55 as Site Director for Multiple NAEs

Larger Metasys network sites can comprise multiple NAEs and one or more Application and Data Servers (ADSs)
or Extended Application and Data Servers (ADXs) with access to multiple remote sites. On any site with one or more
ADSs/ADXs, an ADS/ADX is designated as the Site Director. Figure 3 shows an example of a simple Metasys
network with multiple NAEs and an ADS as the Site Director.

NAE Commissioning Guide 9

 Figure 3: Metasys Network with ADS as Site Director for Multiple NAEs

For customers that require a highly secure system, one or more NAE-S network engines can be part of the Metasys
network. Figure 4 shows a network that features a secure NAE-S network engine with other unencrypted NAE
engines reporting to an ADS/ADX Site Director. For more details, refer to the NAE-S Commissioning Guide
(LIT-12012269).

NAE Commissioning Guide 10

 Figure 4: Example Network with Encrypted and Unencrypted NAEs

NAE Commissioning
NAE commissioning includes preparing the NAE for connectivity, connecting to the NAE, adding the NAE to the
profile list in Launcher, and accessing and logging in to the Site Management Portal UI. To commission the NAE-S,
refer to the NAE-S Commissioning Guide (LIT-12012269) for specific instructions that apply only to this secure NAE
model (confidential Johnson Controls document).
Each Metasys network installation, commissioning, and configuration scenario is unique. In some scenarios, the
NAEs (on a Metasys network) may be commissioned and configured before they are installed and connected to the
network; in other scenarios, the NAEs are mounted and wired to the network before they are commissioned and
configured.
Note: NAE installation includes locating, mounting, wiring, and powering on an NAE. See Related Documentation
for references to NAE installation instructions for the various NAE models.
The commissioning tasks, the task order, and the required attribute values (at commissioning) for an NAE are
determined by the specific Metasys network installation, commissioning, and configuration scenario for the site. The
NAE commissioning procedures presented in this document are the procedures required for most scenarios regardless
of when commissioning occurs.

NAE Commissioning Guide 11

The first task in commissioning an NAE is to establish a connection with the NAE through the Launcher. If the
Launcher is not already installed on your machine, you are prompted to install it when you attempt to log in using
the web browser. The Launcher is a software application installed on each client computer that lets you access any
Metasys server or supervisory engine on the building network, regardless of its software version. For details, refer
to the Launcher Tool Help (LIT-12011742) and the Launcher Installation Instructions (LIT-12011783).
After a connection is established, you can then access the Site Management Portal on the NAE from the Launcher.
See NAE Connectivity for six typical network connection scenarios. See Site Management Portal User Interface and
Accessing the Site Management Portal UI on an NAE for more information on accessing and navigating the Site
Management Portal UI.
After you have accessed the Site Management Portal UI on an NAE, you can configure the NAE:
• object name and basic device parameters
• host name (Computer Name), domain name, and network parameters
• trusted certificates (optional)
• direct-connect and modem parameters
• time and date management parameters
• alarm and event parameters
• SNMP messages and the network management destination
• modem dial-out and dial-up parameters
• Site Director status
• firewall setting (optional to NCEs, NAE35s, and NAE45s only)
After commissioning an NAE, you must configure the NAE at the job site. Figure 5 is a flowchart that provides an
overview of the sequence of steps needed to install, commission, and configure a new NAE.

NAE Configuration
NAE configuration is preparing an NAE in the Site Management Portal UI and the System Configuration Tool (SCT)
to operate on a specific Metasys network site, and communicate with, monitor, and control specific BAS field devices
on that site. Configuration also includes preparing the NAE to compile, generate, and communicate information
about site status, alarms, events, and trends.
You can typically accomplish NAE configuration by downloading a pre-built archive database (from the SCT) that
contains the device objects, object references, attribute values, logic, graphics, user information, and other references
and data required for the NAE to perform its specific tasks on the network.
You can create and edit an archive database online in the Site Management Portal UI, but in almost all cases, you
should create and edit the NAE archive database offline in the SCT. When you download the database, the values
in the archive database overwrite the existing values on the commissioned NAE. Refer to the Metasys® SCT Help
(LIT-12011964) for information on creating and downloading archive databases.
After you configure an NAE with an archive database containing user information, you can set up the email, pager,
Syslog, and SNMP DDAs and create specific alarm and event notifications for delivery to specific email, pager,
Syslog server, and network management destinations.

NAE Commissioning Guide 12

 Figure 5: NAE Commissioning and Configuration Flowchart

NAE Commissioning Guide 13

Site Management Portal User Interface
You can view and edit NAE parameters and the parameters for associated devices in the engine's Site Management
Portal UI. Access the NAE Site Management Portal UI by using the Launcher. See Accessing the Site Management
Portal UI on an NAE. Figure 6 shows an example of the Site Management Portal UI.
In the Display panel on the right side of the window is a series of tabbed screens. Table 2 and Table 1 describe the
information that you can view and edit in each tabbed screen. The navigation panel on the left displays the navigation
tree for the BAS network integrations, field devices, field points, and their associated objects that the NAE is monitoring
and supervising.
Figure 6: NAE Focus Tab in Edit Mode - Advanced

Table 1: NAE Focus Tab Descriptions

Callout Description
1 Previous and next arrows for navigating to viewed screens
2 NAE object: Double-click or drag into display panel to view and edit NAE parameters.
3 Display panel (in Edit view)
4 Editable values: type in or select the appropriate value.
5 Viewable but non-editable values in the displayed screen.
6 Navigation panel
7 Alarm and event indicator

When you view the online NAE Site Management Portal UI, the border around the panels is blue (Figure 6). When
you view the offline SCT UI, the border is black (Figure 7).

NAE Commissioning Guide 14

Table 2: Metasys Site Management Portal UI Tabbed Screens
Screen Tab Purpose Access
Designation Online/Offline
Focus OR Configuration Provides the description and name (label) of the device object, the local time Both
and date, the firmware version, message buffer and alarm, and audit
repository sizes. The Focus tab also identifies the local Site Director and
includes general site information about the ADS/ADX to which the NAE
reports (if applicable).
Communications Establishes communication parameters, including Serial port and internal or Both
external USB modem configuration.
Network Establishes Computer Name (host name) for network identity, LAN, and Both
ADS/ADX dial-up parameters (if applicable).
Email Establishes the NAE email alarm-notifications features common to all email Both
messages and create unique email message destinations.
Pager Establishes the NAE pager alarm-notifications features common to all pager Both
messages and create unique pager message destinations.
SNMP Establishes the NAE Simple Network Management Protocol (SNMP) features Both
common to all SNMP notifications and create unique SNMP message
destinations.
Syslog Provides the NAE Syslog server reporting destination information. Both
Alarm Provides the NAE alarm setup and destination information. Both
Summary Provides network and field device status information and attribute values for Online
supervisory and field devices on the NAE field trunks.
Diagnostic Provides various status reports to aid in troubleshooting the NAE. Online
Trend Monitors and records the changes in the behavior of an NAE over time, Online
assisting with diagnosing various system-wide behavioral characteristics.

Menus, tab screens, attribute lists, values, and units of measure in the Site Management Portal UI are dynamic and
change in the displayed screen according to the item you select from the navigation tree. Refer to the Object and
Feature Tabs section in the Metasys® SMP Help (LIT-1201793) for descriptions of menu items.

Metasys UI
In addition to the Site Management Portal UI, the Metasys UI is installed with Metasys server software. The Metasys
UI is a mobile-optimized software component that consolidates existing Metasys user interface products into a single,
simplified, and easy-to-learn interface. The Metasys UI provides a simple location-based navigation approach to
finding information about the Metasys site, including the ability to search for any location or equipment by name and
to bookmark a location or equipment in a web browser. All data displayed in the Metasys UI is organized in a
dashboard format that gives you the overview of what is happening within a space, equipment, or central plant. You
can also and create and manage graphics and their associations to equipment and spaces. Access the Metasys UI
from any type of client device with any screen size. For more details, refer to the Metasys® UI Technical Bulletin
(LIT-12012115).

Metasys Help Files

The Metasys Help files provide shared system information and individualized mode-dependent information for the
Metasys Site Management Portal (SMP) or the System Configuration Tool (SCT). The Metasys® SMP Help
(LIT-1201793) provides information about alarming, commanding, auditing live data values, and other online features.
The Metasys® SCT Help (LIT-12011964) provides information about offline operations such as managing archives,
creating spaces, simulating systems, and establishing equipment and serving relationships.
In either SMP or SCT mode, the Metasys Help menu provides Help files in PDF format. Refer to the QuickLIT website
for the most up-to-date version of the Metasys Help files.

NAE Commissioning Guide 15

Browser Recommendations for Downloading the Launcher
The Metasys system currently supports Windows Internet Explorer version 11 and Apple Safari versions 8.0 or 9.0
for downloading the Launcher application. Other web browsers may work, but are not tested or supported. After you
install the Launcher, you use the Launcher, not the web browser, to open the Site Management Portal UI.

System Configuration Tool

The SCT is an offline software tool used to create, edit, save, and restore the various archive and security databases
that are used to configure Metasys system networks, ODSs, ADSs/ADXs, NAEs, and supported field devices. The
SCT UI opens in its own window and has a similar look and function to the online Site Management Portal UI (Figure
7). The SCT also manages trusted certificates for network engines. For details, see Appendix: Certificate Management.
The SCT allows commissioning of N2 devices by allowing HVAC PRO software, GX-Tool software, and XTM
Configurator software to access the devices on the N2 Bus of an NAE, and allows commissioning of FECs, VMA16s,
and Input/Output Modules (IOMs) by using the Controller Configuration Tool (CCT) software to access the devices
on the field bus of an NAE.
The SCT provides a Simulation feature that allows you to simulate an online supervisory device and test a database’s
control logic prior to downloading it to an NAE. Using the SCT, you can view and configure multiple sites in one
archive.
Figure 7: SCT UI Screen in Edit Mode

NAE Commissioning Guide 16

CCT
Use the CCT in conjunction with the Metasys system user interface to configure, simulate, and commission Field
Equipment Controllers (FECs), IOMs, and VAV Modular Assembly (VMA) 16s, on an N2 network or MS/TP bus.
You must install CCT on the same computer as SCT software to use the Ethernet Passthru option in SCT. For more
information on CCT, refer to the Controller Tool Help (LIT-12011147).

Archive Databases
A Metasys archive database contains the configuration information for ADSs/ADXs, NAEs, BAS network integrations,
field devices, and field points that make up a single site or multiple sites on a Metasys system network. Multiple
archive databases, representing multiple sites, can reside on a single ADS/ADX running the SCT. The SCT navigation
panel in Figure 7 provides graphical representation of some of the items that may be in a Metasys archive database.
An NAE archive database, which resides in the NAE internal memory, contains only the specific configuration
information that makes up the network integrations, field devices, and field points that the NAE is supervising. Each
NAE retains only its own archive database. You can also save the NAE database in a Metasys archive database
on an ADS/ADX or another computer using the SCT. A graphical representation of some of the items contained in
an NAE archive database is shown in Figure 6 in the Site Management Portal UI navigation panel.
You can upload an NAE archive database to the SCT where it can be saved to a hard disk or other long-term storage
media. You can also edit an NAE archive database offline in the SCT and download the edited archive database to
the NAE.

NAE Disk Image Updates and Archive Database Upgrades

The NAE operating system, Metasys system software, NAE archive database, and recent NAE operation data reside
on the NAE disk image.
Use the SCT to update the NAE disk image to the latest release version of the Metasys system software. Refer to
the Metasys® SCT Help (LIT-12011964). Alternatively, you can use the NAE/NIE Update Tool to update the NAE
disk image. Refer to the NAE/NIE Update Tool Help (LIT-12011524).
When you update an NAE to a new version of the Metasys system software, you must also upgrade the NAE archive
database to a new release database. For an overview of the upgrade process, refer to the SCT Installation and
Upgrade Instructions (LIT-12012067) or the ODS Installation and Upgrade Instructions Wizard (LIT-12011945).

Site Director
For each Metasys system network site, a single network engine or a Metasys server is designated as the Site
Director. The Site Director UI provides a single point of access to the site and all of the web-enabled devices on the
site; and supports functions such as user login, user administration, user views, time synchronization, and data traffic
management.
On larger Metasys system networks with one or more ADSs, ADXs, or ODSs, an ADS, ADX, or ODS is designated
as the Site Director. On small network sites without an ADS, ADX, or ODS, you must designate one of the NAEs as
the Site Director.
All NAEs are shipped factory-designated as Site Directors. You must demote any NAE that is not the designated
Site Director on a site. See Changing Site Director Status of an NAE for more information.
Note: You can establish or change the login user name and password for the NAE only when the NAE is designated
as a Site Director. Establish these values before demoting an NAE from the Site Director.
If an ADS/ADX is on a site, an NAE cannot be the Site Director. You must demote the NAE to be a child of an
ADS/ADX or ODS. See Changing Site Director Status of an NAE for more information.
Note: The NAE45-Lite cannot be a Site Director to other engines. The NAE45-Lite can only be a child device of an
ADS-Lite-A. You must demote the NAE to be a child of an ADS/ADX or ODS. See Changing Site Director
Status of an NAE for more information.

NAE Commissioning Guide 17

If an NAE85 is the Site Director, it can supervise up to four additional engines on the site: NAE35s, NAE45s, NCE25s,
NAE55s, NIE55s, or NxE85s.
If an NAE55 is the Site Director, it can supervise up to four additional engines on the site: NAE35s, NAE45s, NCE25s,
NAE55s or NIE55s.
If an NAE45 is the Site Director, it can supervise up to two additional engines on the site: NAE35s, NAE45s, or
NCE25s.
If an NAE35 is the Site Director, it can supervise up to two additional NAE35s or NCE25s on the site.
An NCE25 cannot be designated as the Site Director, except in stand-alone applications.
Note: If you attempt to add an NAE to a site and the new NAE exceeds the supervisory device limit for the Site
Director, the Site Director does not accept the additional device. The Site Director records an error message
in the Site Director Audit Trail each time you attempt to add a new device that exceeds the device limit. If
you attempt to add the same device more than once, each attempt fails but no error message is recorded
after the first attempt.

NAE Computer Name

The NAE Computer Name is an editable Network Identification attribute on the NAE Network tab. Devices on the
building network and the Metasys system network use the NAE Computer Name to identify and communicate with
the NAE across the network. Computer Name is synonymous with host name on a network.
Each NAE ships with a unique initial Computer Name value NAExxxxxxxxxxxx, where xxxxxxxxxxxx is the Ethernet
MAC address of the device without the hyphens. For example, if the NAE's MAC address is 00-80-66-05-0F-FC,
the initial computer name is NAE008066050FFC. Changing the Computer Name value initiates a device reset on
the NAE.
The initial computer name is often useful during commissioning for locating and connecting to an NAE before it is
configured with an archive database download from the SCT. In most cases, the archive database download from
the SCT overwrites the initial Computer Name value and determines the NAE Computer Name on the Metasys site.
Changing the NAE Computer Name breaks any existing references between the NAE object and other objects on
the site and may break the existing network connection to other devices on the network.

Important: The NAE/NIE Update Tool places restrictions on the Host Name (Computer Name) values you can
use for NAE35, NAE45, or NCE25 models. Name values must start with a letter, end with either a letter
or a number, and may contain dashes only in the interior of the name. The Host Name must contain a
letter other than or in addition to the letter A and digits. For example, A522446 is not valid, but either
A522446B or AB52446 are valid. B522446 or C522446 are valid Host Names. This restriction is caused
by a known problem with Microsoft Windows® CE. Failure to follow the Host Name restrictions results
in the Computer Name value changing when an NAE35, NAE45, or NCE25 is updated. Refer to the
NAE/NIE Update Tool Help (LIT-12011524) for more information on Host Name restrictions.
Note: Before building the archive database in SCT, you should consult the network administrator or Information
Technology (IT) department to determine if there is an existing protocol for host names (computer names)
on the network.

NAE Object Name

The NAE Object Name is an editable attribute on the NAE Focus tab that the Metasys software uses to identify the
NAE in the Site Management Portal UI and in the SCT. The Object Name is a label only and is not (necessarily) the
same as the Computer Name. Changing the Object Name merely changes the name that you see in the navigation
tree, alarm messages, trend reports, and other screens in the Site Management Portal UI and SCT that refer to the
NAE. Changing the Object Name does not impact the object references or network communication with other
devices on the site. You can change the Object Name at any time. We recommend an intuitive name that clearly
identifies the NAE in the Site Management Portal UI and Metasys site.

NAE Commissioning Guide 18

Basic Access Operating Mode
Basic Access is a mode of operation allowing users with Basic Access user accounts access to a subset of the
standard user interface capabilities based on their assigned permissions. Basic Access user accounts are created
by Metasys system administrators using the Security Administrator system. Basic Access meets the user interface
requirements for most building operators. Basic Access is provided on all of the Metasys system engines and servers
but is the primary user interface in the NAE3514, NAE3515, NAE3524, and NAE3525 controllers.
You cannot commission or configure an NAE35 in Basic Access mode. You must log in to the full Site Management
Portal UI on the NAE35 to commission and configure the device. See Login User Names and Passwords for
information on logging in to NAE35 Basic Access.

Login User Names and Passwords

All NAEs are shipped with the same initial login user name and default password. The initial login user name is
MetasysSysAgent, and it is not case sensitive. For the MetasysSysAgent default password, contact your local
Johnson Controls® representative.
Use the initial user name and password to log in to any NAE the first time you commission the NAE. The Change
Password dialog box then appears and prompts you to change the initial default password before continuing. You
must change the MetasysSysAgent default password when you first log in to a new NAE, or an NAE that was recently
updated with the SCT or the NAE/NIE Update Tool. The process for updating the password may take up to 60
seconds to complete.
Complex passwords are required to access the NAE, or an NAE securely on the site. Complex passwords meet the
following requirements:
• The password must include a minimum of 8 characters and a maximum of 50 characters.
• The password cannot include spaces or include a word or phrase that is in the Blocked Words list.
• The password and the username cannot share the same three consecutive characters.
• The password must meet the four following conditions:
- Include at least one number (0–9)
- Include at least one special character (-, ., @, #, !, ?, $, %)
Note: Only the special characters listed above can be used; all other special characters are invalid.
- Include at least one uppercase character
- Include at least one lowercase character
Note: The NAE login user name and password values can only be changed when an NAE is a Site Director. If you
want to change the NAE login user name or password, you must do so before demoting the NAE from Site
Director status.
The NAE35 models with Basic Access operation mode require an additional login user name and password to enable
and use the Basic Access mode. The initial login user name is BasicSysAgent, and it is not case sensitive. You
are prompted to create your own account password.
Note: When you change (or add) an NAE login user name or password, make sure to record the new user name
and password and store them in a safe location. You cannot access the NAE Site Management Portal UI
without a valid user name and password. Refer to the Security Administrator System Technical Bulletin
(LIT-1201528) for details.

NAE Connectivity
You can establish a connection between a computer and an NAE using one of the following procedures:
• Establishing a Direct Connection to an NAE
• Preparing an NAE for a Network That Supports DHCP and DNS
• Preparing an NAE for a Network without DHCP and without DNS Support When the NAE Uses APIPA

NAE Commissioning Guide 19

• Preparing an NAE for a Network without DHCP and without DNS Support When the NAE Uses a Static IP Address
• Preparing an NAE for a Network That Supports DNS but Not DHCP

Modems and Dial-Out Features

You can set up an NAE with a modem to dial out to an ADS/ADX from a remote location or to be accessible from a
computer remotely. Some NAE models include an optional, factory-installed, internal modem. You can also install
a user-supplied external modem on the NAE. See Table 3 for a list of supported modem combinations for the NxE
models. For example, an NAE55 with an internal modem can have an external USB modem, but not an external
serial modem.
Table 3: Supported Modem Combinations
NxE Model Internal Modem Present? External USB Modem External Serial Modem
Supported? Supported?
NAE55/NIE55 Yes Yes No
No Yes No
NAE35/NAE45/NCE25 Yes Yes No
No Yes Yes - RS232C Port B Only

1 Only one external modem is supported per NAE: USB or Serial.

2 The RS232C A serial port does not support an external modem.
Note: The optional factory-installed, internal modem cannot be added to an NAE in the field.
Each NAE is pre-loaded with the modem drivers for the following (optional and user-supplied) supported external
USB modems:
• Zoom Telephonics, 2985-00-00L modem, V.90 external USB modem
• Multi-Tech Systems, MT5634ZBA - USB 56K, V.90 external USB modem
• U.S. Robotics® USR5637 modem, 56K, external USB modem (requires 4.1.5 image or later)
• Radicom Research V92HU-E2 external USB modem
The Multi-Tech® modem in Metasys system networks requires the 8.27L version or higher of the Multi-Tech Systems
modem firmware installed on the modem.
The Zoom® and Multi-Tech models specified here are discontinued and are no longer available from Johnson Controls,
but may be obtained from other vendors.
The USRobotics® USR5637 modem requires firmware version 1.1.0. Dial-out problems occur if you update the
firmware with a newer version. To obtain firmware version 1.1.0 for this modem, search for Article 33356 on the
Field Support Center Solutions Database (http://support.controls.johnsoncontrols.com/kb), or contact your local
Johnson Controls field representative.
By default, the NAE is not set up to accept incoming dial-up connections through a modem. To enable modem
connections, access the NAE Site Management Portal UI, go to the Communication tab, and set the Allow Incoming
Connections attribute value in the Internal Modem Config or External Modem Config sections to True.
Modems used for Metasys system DDAs must be dedicated for the DDA. For example, a conflict exists if the Launcher
application attempts to use the same modem that is configured for a Pager DDA. To help you understand supported
uses of internal and external modems, see Table 4. For example, an internal modem can be shared for ADS/ADX
dial-out (alarm, event, and audit forwarding) and incoming connection (Launcher) functions, whereas the external
modem is dedicated to the paging function. Also, if you use the same modem for the ADS/ADX dial-out and Launcher
functions, you may need to increase the number of redial attempts and time between redial attempts for that modem.

NAE Commissioning Guide 20

Table 4: Supported Modem Communication Uses
Dial Out Dial In Paging
Type of Modem Internal Internal External
External External Internal

With the presence of two modems, the NAE is capable of communicating over an incoming modem connection and
an outgoing modem connection simultaneously. The supported modem configuration scenarios are summarized in
Table 5. As an example, the NAE’s internal modem can handle communications to an ADS/ADX and accept incoming
connections, while its external modem can send out pages. An example of an unsupported combination is for the
same modem (internal or external) to handle all three communication types: dial-out, dial-in, and paging. Table 6
lists the unsupported modem scenarios.
Table 5: Supported Modem Configuration Scenarios for NAE
Dial Out Dial In Paging
Modem enabled Modem enabled Modem enabled
Use internal modem Use internal modem Use external modem
Modem enabled Modem enabled Modem enabled
Use external modem Use external modem Use internal modem
Modem enabled or disabled Modem enabled or disabled Modem disabled
Use internal or external modem Use internal or external modem No modem in use
Modem disabled Modem disabled Modem enabled
No modem in use No modem in use Use internal or external modem

Table 6: Unsupported Modem Configuration Scenarios for NAE

Dial Out Dial In Paging
Modem enabled Modem enabled Modem enabled
Internal modem Internal modem Internal modem
Modem enabled Modem enabled Modem enabled
External modem External modem External modem
Modem disabled Modem enabled Modem enabled
No modem in use Internal modem Internal modem
Modem disabled Modem enabled Modem enabled
No modem in use External modem External modem
Modem enabled Modem disabled Modem enabled
Internal modem No modem in use Internal modem
Modem enabled Modem disabled Modem enabled
External modem No modem in use External modem

Time Zone, Date, and Time Management

The procedure you use to set the time zone, date, and time on an NAE depends on how the NAE fits into the Metasys
site hierarchy. See Appendix: Time Zone, Date, and Time Management for information and detailed procedures for
setting time zone, date, and time on an NAE and on a Metasys network.

NAE Commissioning Guide 21

Alarms and Events
Each NAE stores alarm and event messages generated by the NAE and the connected field trunk devices. You can
configure an NAE to send alarm and event notifications through the NAE DDAs to email destinations, paging devices,
and SNMP devices.
DDAs are agents that route and deliver alarm and event messages to destinations such as pagers, printers, email
addresses, Syslog servers, and SNMP management systems.
If the site has an ADS/ADX or ODS, each NAE can forward alarm and event information to the ADS/ADX or ODS
for centralized notification and long-term storage.

Important: If the site depends on alarm paging, printing, or emailing alarms, the Metasys system manages the
NAE repositories according to the following criteria to avoid a loss of notification if the repository becomes
full:
• Events forwarded to an ADS or ODS Event Repository are always removed before events that are
not forwarded.
• The lowest priority event with the oldest time stamp and Acknowledge Required flag set to false is
replaced first.
• If the event about to be created is of a higher priority than at least one event in the repository, the
event with the oldest time stamp and the lowest priority is replaced.
• If all events are of the same priority, the event with the oldest time stamp is replaced.
• If the event about to be created is of a lower priority than all other events in the Event Repository,
no event is replaced and the new event is discarded.

A loss of alarm paging, printing, or emailing can result if the NAE is not commissioned with strict
adherence to these criteria. To avoid managing events in this way, move ADS/ADX and the notification
DDAs to the server.
You can designate multiple alarm and event sources in an NAE and in the connected field devices, and then configure
the conditions that trigger those alarms or events. You can also define multiple notification types and multiple
notification destinations for each alarm or event.
The NAE also has several pre-configured internal diagnostic features that are factory set to generate alarms. NAE
device diagnostic features with factory-set default alarm values include those listed in the following table.
Table 7: Default Network Engine Alarm Values
Audit Rate Events Lost
BACnet Broadcast Receive Rate Event Rate
Battery Condition Flash Usage
Board Temperature Memory Usage
COV Rcv Rate Samples Lost
CPU Temperature Sample Rate
CPU Usage Transfer Buffer Full

You can check the status of these diagnostic features on the Diagnostic tab.
Refer to the Introduction to Alarm and Event Management in the Metasys SMP system Help for more information.
Note: After an alarm is generated, anyone who acknowledges the alarm clears that alarm notification for all other
users. If an ADS/ADX or ODS is the Site Director, you can set the ADS/ADX or ODS to deliver alarm and
event notifications to a network printer.

NAE Commissioning Guide 22

Serial Printer DDA (Alarm Printer)
Alarms from supervisory devices can be sent automatically to an alarm printer if one is configured and online. Alarms
can be sent to an NAE55/NIE55 and NxE85. The Serial DDA must be enabled on the Site Director NAE/NIE that is
connected to the serial printer and all NAEs/NIEs from which you want alarms printed. You can print alarms from
all NAEs/NIEs using the serial printer connected to the Site Director (Figure 8). You can also print alarms to a local
printer connected to a single NAE/NIE.

Important: Alarms are sent directly to the printer and are not queued or stored by the supervisory device. Alarms
sent to an alarm printer that is offline, turned off, or out of paper are not printed and cannot be recovered.
Figure 8 and Figure 10 show the possible printer connections to a Site Director NAE/NIE.

Recommended Serial Printer

Table 8 describes the recommended serial printer and accessories.
Table 8: Recommended Serial Printer and Accessories
Item Description ITAS Number
Serial Printer Epson® FX890 9-pin, 680 cps printer C11C524001
Serial Card Serial Card for Epson Dot Matrix printer C12C824431
Serial Printer Cable Serial Null Modem Printer Cable F2J044-06

Table 9 shows the recommended settings for the serial card.

Table 9: Serial Card Setup
Switch Position Description
Switch 1 Setup
SW1-1 On Enable Card
SW1-2 On 8-bit word
SW1-3 Off parity - none
SW1-4 Off parity - none
SW1-5 On 9600 Baud
SW1-6 Off 9600 Baud
Switch 2 Setup
SW2-1 On 9600 Baud
SW2-2 On 9600 Baud
SW2-3 Off Xon/Xoff
SW2-4 On Xon/Xoff
SW2-5 Off RS232
SW2-6 Off RS232
Switch 3 Setup
SW3-1 Off Buffer size
SW3-2 Off Buffer full recovery
SW3-3 Off Buffer full recovery
SW3-4 Off DTR + or -
SW3-5 Off DSR/DCD
SW3-6 Off DTR flag set
SW3-7 Off Self test enable
SW3-8 Off Self test selection

NAE Commissioning Guide 23

Table 9: Serial Card Setup
Switch Position Description
Jumper Setup
J1A On
J1B Off
J2A On
J2B Off
J3 Off
J4 Off
J5 Factory set - Do not change.
J6 Factory set - Do not change.
J7 Factory set - Do not change.
J8 Off

Figure 8 shows a Metasys system with the alarm printer connected to the Site Director NAE/NIE, and alarms for
NAEs/NIEs (2 and 3) are routed to the Site Director NAE/NIE (1) for printing. All alarms from the NAEs/NIEs (1, 2,
and 3) print on the serial printer. The serial printer DDA must be enabled on all NAEs/NIEs (1, 2, and 3).
Figure 8: Metasys System with One Alarm Printer

Figure 9 shows a Metasys system with a local alarm printer (A) connected to an NAE/NIE (3) for printing. Only alarms
from this NAE (3) print on this printer. The alarms from all NAEs/NIEs (1, 2, and 3) are routed to the Site Director
NAE/NIE (1), and all alarms are printed to serial printer B. The serial printer DDA must be enabled on all NAEs (1,
2, and 3).

NAE Commissioning Guide 24

 Figure 9: Metasys System with Local Alarm Printer

Figure 10 shows a Metasys system with one local Alarm Printer. The alarms from only one NAE/NIE (3) print on a
serial printer (A). Only that NAE/NIE(3) has the serial printer DDA enabled. The Site Director NAE/NIE (1) and
NAE/NIE (2) do not have the serial printer DDA enabled.
Figure 10: Metasys System with One Local Alarm Printer

NAE Commissioning Guide 25

Serial Printer Installation Considerations
Follow these guidelines when installing a serial printer:
• You cannot install the serial printer option on an ADS/ADX or ODS computer.
• You can install the serial printer option on an NIE that has an application that is already using the COM ports if
the NIE is not designated as the Site Director. For example, you can install the serial printer option on an XL5000
NIE.
• You must connect the physical connection of the serial printer to COM2.
• You can install the serial printer option on an NxE85. The NxE85 uses COM1 for the physical connection of the
serial printer.
• If your site contains multiple supervisory devices from which alarms are forwarded, you must connect the physical
connection of the serial printer to COM2 of the Site Director and perform the installation sequence on all supervisory
devices from which alarms are forwarded.
• You must install the serial printer option when an NAE/NIE is reloaded or upgraded with the NAE/NIE Update
Tool.
• You cannot filter alarms. All alarms forwarded from the device on which you install the serial printer DDA are
printed.
• You cannot enable the Serial Printer DDA on an NAE35, NAE45, or NCE25.
• The NAE55/NIE55 battery must be in good condition prior to enabling the DDA (the procedure requires you to
remove power from the engine).
• Before enabling the Serial Printer DDA, you must have a computer with the NxE Information and Configuration
Tool (NCT) installed that has network access to each NAE/NIE on which the DDA is to be installed. If you have
access to an NxE85 with a monitor and keyboard, you do not need to use NCT and may perform the procedures
in this document directly on the NxE85 computer.

Important: Use care and follow instructions carefully when using NCT to access an engine or computer. Failure
to follow the steps as written can render your engine or computer inoperable.

Email Notification
You can configure an NAE to generate alarm and event messages by sending email to one or more email destinations
using the email DDA. The steps require you to configure custom email messages and specify email message
destinations in the Email tab of the Site Management Portal UI. The following figure provides an example of an email
message destination that is active Monday through Friday from 7:00 A.M. to 4:00 P.M.

NAE Commissioning Guide 26

 Figure 11: Example of Defining an Email Notification

Pager Notification
You can configure an NAE to generate alarm and event messages using Telelocator Alphanumeric Protocol (TAP)
to one or more pager destinations using the pager DDA. The steps require you to configure custom pager messages
and specify the pager message destinations in the Pager tab of the Site Management Portal UI. (TAP is an
ASCII-based protocol that allows the submission of a numeric or alphanumeric message).
The following figure provides an example of how to define a set of pager destinations that can route a fire alarm to
the same pager over the weekend (4:00 P.M. Friday to 7:00 A.M. Monday). Note that this application requires the
definition of three separate pager destinations.

NAE Commissioning Guide 27

 Figure 12: Examples of Defining a Pager Notification

Syslog DDA
An NAE configured as a Site Director has the optional capability of sending its configured audit log entries and alarm
notifications to the central repository of an external, industry-standard, Syslog server, conforming to Internet published
RFC 3164. After you save the Syslog DDA configuration, all messages are sent immediately to the configured Syslog
server. You can then open a user interface at the Syslog server and use the provided filters to interrogate or apply
forensic analysis on these messages. To assist in reading the log, a vertical bar symbol (|) separates individual fields
of each Metasys message and a single character dash (-) replaces any blank field.
By default, the Syslog option is disabled. Changing the Syslog Reporting Enabled attribute to True on the Syslog
window enables the Syslog function. The prerequisities to the Syslog DDA are as follows:
• The Syslog server must be installed and running on a computer server or virtual machine that is reachable by
the NAE.
• The NAE must be running Release 8.0 software or later.
• No more than three Syslog destinations can be specified.
• The firewall port must be open.
The definition of the Syslog DDA requires:
• label to identify the Syslog server
• IP address of the Syslog server
• port numbers for the UDP send port and UDP receive port (for example, 514 for both)
• event and audit filters to apply against all events and audit messages. Only those events and audit messages
that match the filters are passed to the Syslog server.
The Syslog DDA attribute called Syslog Reporting Enabled appears on the Shared Configuration section of the
Syslog tab of an NAE device object (Figure 13). This attribute has two selections: True or False.

NAE Commissioning Guide 28

When the Syslog Reporting Enabled attribute is set to True, the feature is active and your Metasys messages (events
and audits) are forwarded to your destination Syslog server according to the filtering you specified. When the Syslog
Reporting Enabled attribute is set to False, the feature is inactive and no Metasys messages are forwarded to the
Syslog server. The configuration example in Figure 13 is set to route to the Syslog server all High Warning alarms
that require acknowledgment.
The Syslog DDA implementation is UDP, not TCP. Therefore, any audits/events generated while the Syslog server
is offline are not recorded at the Syslog server, even though the Metasys system, unable to determine the current
status of the Syslog server, continues to send out messages. A gap in time is present between events when the
Syslog server comes back online.
Figure 13: Syslog Tab in Engine's Device Object

Figure 14 shows an example of Metasys system messages as they appear on the Kiwi Syslog® Server Console
user interface. Use the console to filter the messages. If you do not have a tool, open a web browser and type the
following URL:
http://<IP of the server>>:<Port>/Events.aspx
For example:
http://SysLogserver1:8088/Events.aspx
When you browse to this site, type a valid username and password when prompted to gain access to the Syslog
server. A user interface appears with the captured messages.

NAE Commissioning Guide 29

 Figure 14: Syslog User Interface

If you run into any trouble while implementing the Syslog DDA functionality, consult this following table.
Table 10: Syslog Server Troubleshooting
Scenario Behavior
The engine is starting up but the SysLog DDA has not yet All generated audits and events are cached and sent to Syslog
started. DDA once it is started. The maximum size of the cache is 1,000
audits and 1,000 events per hour.
The Syslog server crashes. All generated audits and events that the engine sends to the
Syslog server are lost; nothing is cached.
The Syslog server goes offline or is unreachable. All generated audits and events that the engine sends to the
Syslog server are lost; nothing is cached. No data is sent to the
Syslog server until it comes back online or becomes reachable.
The IP address, name, or port numbers of the Syslog server All generated audits and events that the engine sends to the
as defined in the engine's object are invalid. Syslog server are lost; nothing is cached. No data is sent to the
Syslog server until you correct the invalid parameters in the
Syslog DDA.
The Syslog Reporting Enabled parameter is set to True, but All generated audits and events that the engine sends to the
no Syslog parameters are defined. Syslog server are lost; nothing is cached. No data is sent to the
Syslog server until you specify the parameters that the Syslog
DDA requires.
The UDP Send Port or UDP Receive Port is blocked by a All generated audits and events that the engine sends to the
firewall. Syslog server are lost; nothing is cached. No data is sent to the
Syslog server until the ports on the Syslog server are opened.
A parameter of the Syslog server changes, but the All generated audits and events that the engine sends to the
corresponding parameter in the Syslog DDA of the engine Syslog server are lost; nothing is cached. No data is received
is not likewise changed. at the Syslog server until you correct the invalid parameters in
the Syslog DDA.

Simple Network Management Protocol (SNMP) Notification

SNMP is a protocol governing network management and the monitoring of network devices and their functions. It
is not necessarily limited to TCP/IP networks. SNMP monitoring is typically used for large BAS networks with many
network devices. Alarm and event notifications are sent to and stored on an SNMP management computer that
monitors all devices on the network.
The NAE uses SNMP protocol to deliver network device status and conditions to a designated SNMP management
computer. You must set up SNMP monitoring at the network level, and you must assign an SNMP management
device on the network. (For details, see Creating NAE SNMP Alarm Notifications and Destinations.) If you are
applying a Metasys system to an existing network, consult with the network administrator or IT department that
administers the network to determine if SNMP monitoring is available on the network.

NAE Commissioning Guide 30

Configure custom SNMP messages and specify the SNMP message destinations in the SNMP tab of the Site
Management Portal UI. Perform this configuration to each NAE individually; SNMP configuration cannot be done
on an ADS/ADX.
Enhanced SNMP functionality is available on Metasys systems, including a Metasys system Management Information
Base (MIB) file for configuring third-party SNMP translation applications to request, receive, and translate specified
SNMP trap messages generated by the Metasys SNMP DDA.

RADIUS Overview
You can optionally configure the NAE to authenticate non-local user access through a Remote Authentication Dial-In
User Service (RADIUS) server. RADIUS is used by the NAE to authenticate the identity of authorized non-local
users of the system.
All RADIUS users must have a Metasys system user defined for which Metasys authorization is created and
maintained. The NAE RADIUS implementation adheres to the following Internet RFC documents:
• RFC 2865 - Remote Authentication Dial In User Service
• RFC 2548 - Microsoft Vendor-specific RADIUS Attributes
• RFC 2759 - Microsoft Point-to-Point Protocol (PPP) Challenge Handshake Authentication Protocol (CHAP)
Extensions, Version 2
The Metasys system implementation of RADIUS is as follows:
• Before you add a RADIUS user account to the security system of a network engine, first add the network engine
as a client of the RADIUS server. If you first configure the RADIUS server settings in the network engine before
you perform this prerequisite step, you may get the message Unable to login - Unexpected Error when you
try to log in. If this error appears, reset the network engine from the SMP UI. Then try to log in again. The RADIUS
server authenticates the user and login is successful.
• The Metasys system does not import authorization; all Metasys system users, both local (Metasys) and non-local
(RADIUS), are authorized through user configuration done online in the SMP, then stored in the Metasys Security
Database.
• The user ID must match what is expected to be authenticated by the RADIUS server, with or without the @domain
as defined by the local RADIUS implementation.
• Since the Metasys system performs no local authentication of non-local users, all password functions are
unavailable or ignored when creating and maintaining non-local Metasys user accounts. RADIUS passwords
are never stored in the Metasys Security Database.
• Authorization for a RADIUS user may be configured as Administrator, User, Operator, Maintenance, or any
custom roles created in the Metasys system.
• When a non-local user receives a number of consecutive RADIUS failures to authenticate and the account has
been set up to lock after receiving that many failed login attempts, the Metasys system authorization locks,
prohibiting the user from accessing the Metasys system device until a Metasys system administrator unlocks
the account.
• When a non-local user is authenticated by RADIUS, and the Metasys system schedule prohibits access during
the login time, the user's login attempt fails.
When a user provides a non-local username to the Metasys system for login, after confirming the supplied password
conforms to Metasys complexity rules, the controller passes the credentials, including the username and password,
to the configured RADIUS server for authentication. After the RADIUS server confirms authenticated access,
authorization is permitted as specified in the Metasys Security Database.
Messages reporting errors in RADIUS authentication are intentionally obscure to hinder possible intrusion from
unauthorized users. See RADIUS Errors for some situations that may result in error messages. Descriptive Metasys
system login failure messages are presented to the user only when RADIUS is disabled. When RADIUS is enabled,
local and non-local authentication failure messages are identical and obfuscated.

NAE Commissioning Guide 31

Initial Default NAE Configuration
NAEs are shipped with standard initial values for many of the editable attributes. The following table lists some
important initial default configuration values for the NAE35, NAE45, and NCE25 models. Table 12 and Table 13
define some important initial default configuration values for the NAE55/NIE55 and NxE85 models.
Table 11: NAE35, NAE45, and NCE25 Initial Configuration Values
Attribute/Field Name NAE35, NAE45, and NCE25 Initial Value
Computer Name NAExxxxxxxxxxxx or NCExxxxxxxxxxxx, where xxxxxxxxxxxx is the Ethernet MAC
address of the device without hyphens. For example, if the Ethernet MAC address is
00-80-66-05-0F-FC, the initial Computer Name is NAE08066050FFC.
DHCP Client Enabled
Windows Firewall Enabled. It can be optionally disabled to increase system performance. See Disabling
the Windows Firewall on an NAE.
Serial Port RS232C A 115,200 baud, 8 bits, no parity, 1 stop bit (115200,8,n,1), Direct Connect IP over
Point-to-Point (PTP).
Serial Port RS232C B 115,200 baud, 8 bits, no parity, 1 stop bit (115200,8,n,1)
Site Director A new NAE35/NAE45 is a Site Director by default. If an NAE is not going to be the
Site Director, it must be demoted and the Computer Name or IP address of the
designated Site Director must be entered here.
Note: An NCE25 should not be designated as a Site Director except in stand-alone
applications.
Initial Login Username MetasysSysAgent (not case sensitive)
Initial Login Password Contact your local Johnson Controls representative.

1 This information does not apply to the NAE45-Lite.

Table 12: NAE55/NIE55 Initial Configuration Values
Attribute/Field Name NAE55/NIE55 Initial Value
Computer Name NAExxxxxxxxxxxx, where xxxxxxxxxxxx is the Ethernet MAC address of the device
without the hyphens. For example, if the Ethernet MAC address is
00-80-66-05-0F-FC, the initial Computer Name is NAE008066050FFC for NAE55s,
NIE55s, or NIE59s.
DHCP Client Enabled
Windows Firewall Enabled. It should not be disabled.
Serial Port A 115,200 baud, 8 bits, no parity, 1 stop bit (115200,8,n,1), Direct Connect IP over
Point-to-Point (PTP).
Serial Port B 9600 baud, 8 bits, no parity, 1 stop bit (9600,8,n,1)
Site Director A new NAE55/NIE55 is a Site Director by default. If an NAE is not a Site Director,
it must be demoted and the Computer Name or IP address of the designated Site
Director is entered here.
Initial Login Username MetasysSysAgent (not case-sensitive)
Initial Login Password Contact your local Johnson Controls representative.
Initial Windows Login ID MetasysSysAgent (not case-sensitive)
Initial Windows Password Contact your local Johnson Controls representative.

1 The Windows operating system login ID and password are used with dial-up and direct connections.

NAE Commissioning Guide 32

Table 13: NxE85 Initial Configuration Values
Attribute/Field Name NxE85 Initial Value
Computer Name NAExxxxxxxxxxxx, where xxxxxxxxxxxx is the Ethernet MAC address of the enabled
Ethernet card without the hyphens. For example, if the Ethernet MAC address is
00-1E-EC-6E-5D-32, the initial Computer Name is NAE001EEC6E5D32.
DHCP Client Enabled
When you commission an NxE85 for an Ethernet LAN that supports Dynamic Host
Configuration Protocol (DHCP) and Domain Name Server (DNS), we recommend that
you configure a DHCP reservation for the NxE85 to ensure it always receives the same
IP address when its lease expires. This practice prevents address bindings between the
NxE85 and other devices from breaking.
Site Director A new NxE85 is shipped as a Site Director. If you do not want the NxE85 to be the Site
Director, you must demote it by entering the ComputerName or IP address of the
designated Site Director in the Site Director attribute field on the Advanced Focus tab of
the NxE85.
Initial Login Username MetasysSysAgent (not case-sensitive)
Initial Login Password Contact your local Johnson Controls representative.
Initial Windows Login ID MetasysSysAgent (not case-sensitive)
Initial Windows Password Contact your local Johnson Controls representative.

1 The Windows operating system (OS) has two administrator level user accounts. For security reasons, we strongly recommend
changing the Windows OS login password for both accounts when you commission the engine. You can disable the
administrator account, but do not disable the MetasysSysAgent account.

Allow HTTP
A network engine at Metasys system Release 8.1 or later has an attribute called Allow Http located under the
Network tab of the engine in the SMP UI. This attribute controls whether the Windows Firewall in the network engine
blocks incoming network traffic over the HTTP port (port 80). By default, the Allow Http attribute is set to True for all
network engines upgraded to Release 8.1 or later. Changing this attribute to False blocks all incoming network traffic
over port 80 at the network engine. Doing so does not interfere with NAE/NIE Update Tool operations.
Figure 15: Allow Http Attribute for Network Engine

NAE Commissioning Guide 33

The Allow Http attribute is set independently on each network engine. A schedule or other control action can modify
the value of this attribute. You can configure a tailored summary to view the value of the Allow Http attribute on all
network engines at the site. You can also use the mass editing capability in SCT to modify the Allow Http attribute
across multiple devices.
To provide the highest level of security, set Allow Http to False for every network engine upgraded to Release 8.1
or later. However, if the network engine is a Site Director and has one or more child engines reporting to it that have
not been upgraded to Release 8.1 or later, set Allow Http to True. For reference, the following table lists which
Metasys tools, utilities, and features depend on Port 80. If the network engine uses one or more of these items that
require Port 80, set Allow http to True.
Table 14: Port 80 Requirements for Tools, Utilities, and Features
Item Requires Port 80? Notes
Advanced Graphics Application (AGA) Yes Uses an older version of Metasys data access services
that requires http.
Advanced Reporting and Energy Yes Uses http for communication with engines.
Essentials
Controller Configuration Tool (CCT) Yes Uses an older version of Metasys data access services
that requires http. However, CCT only requires Port 80 for
upload and download operations.
Dialup NAE No Uses the POP protocol, not http.
Graphic Generation Tool (GGT) Yes Uses older version of Metasys data access services that
requires http.
Launcher No Uses https for communication with engines upgraded to
Release 8.1 or later, but must be set for http to
communicate with engines prior to Release 8.1.
Metasys Export Utility Yes Uses older version of Metasys data access services that
requires http.
Metasys for Validated Environments No Uses https for communication with engines upgraded to
(MVE) Release 8.1 or later.
Metasys UI No Uses https for communication with engines upgraded to
Release 8.1 or later.
NAE Configuration and Information Yes Requires port 80 for sending a file to an engine from the
Tool (NCT) commissioning laptop.
NAE/NIE Update Tool Yes Requires port 80 to successfully perform a code download
to the engine using the HTTP update method. If Allow http
is set to False, the NAE/NIE Update Tool temporarily opens
port 80 for its operations, then closes the port after the
download completes.
P2000 Yes Requires port 80 (inbound) to be open on the Windows
Firewall of the Metasys server.
Ready Access Portal Yes Uses https between the Ready Access Portal server and
the client, but http between the Ready Access Portal server
and the engines.
Site Management Portal (SMP) No Uses https for communication with engines upgraded to
Release 8.1 or later.
System Configuration Tool (SCT) No Uses https for communication with field controllers and
engines upgraded to Release 8.1 or later.

NAE Commissioning Guide 34

System and User Preferences
The Metasys system provides customized preferences for the Site Management Portal UI. The preferences allow
you to configure how the UI behaves, including the sounds and colors, the startup view, and the ability to add links
to external applications that can be accessed from within the UI of the NAE device. See Appendix: Configuring and
Maintaining Preferences for information and detailed procedures on how to customize system and user preferences.

Reset Device Command

The NAE Reset Device command in the Site Management Portal UI initiates an orderly reset that saves recent
changes to the NAE archive database and restarts the NAE operating system. When the NAE requires a reset, the
title bar of the object in the Display panel displays Reset Needed. A reset is required for new settings to take effect
after making changes to the following attributes:
• APDU Retries
• APDU Segment Time-Out
• APDU Time-Out
• BACnet IP Port
• Computer Name
• Contact Person
• Domain Name
• External Modem Config
• Internal Modem Config
• Max APDU Length
• Network Address
• Port Number
• Read/Write Community
• SNMP DDA
• SNMP Management Device
• Serial Port 1 Cable Config
• Time Sync Period (NAE55/NIE55 models only)
• XMS Dial-up Config (NAE55/NIE55 models only)
Note: Changing the NAE Computer Name value forces a device reset.

Important: To avoid losing data, do not push the RE-BOOT SYSTEM switch on the NAE to initiate a device reset.
Pushing the RE-BOOT SYSTEM switch initiates a CPU reset and restart of the NAE, which causes all
unsaved data to be lost, including recent attribute value changes.

NAE Commissioning Guide 35

Detailed Procedures
You need the following items to perform the detailed commissioning procedures for an NAE:
• an NAE with Release 9.0 software
• a laptop or desktop computer with Windows Internet Explorer version 11 or Apple Safari version 10.0 or later
(for downloading the Launcher application)
Note: In some scenarios, the computer must be a DHCP client or must be configured to use a static IP address
appropriate for the network.
• the NAE Ethernet MAC address
You may also need:
• a null modem Serial cable
• an Ethernet crossover cable
• a new, unique IP address for each NAE on the Metasys network if DHCP cannot be used
• a copy of the NAE archive database that configures the NAE for your specific site (The NAE archive database
can be created and stored offline in the SCT.)
• SCT Release 12.0 loaded on the commissioning computer

Installing Launcher to Access the NAE

You use the Launcher application to access an NAE. If the Launcher application is already installed on your computer,
skip to Launcher Screen of Full Launcher Installer. If the Launcher application is not installed, follow these steps:
1. Start the Internet Explorer or Safari web browser.
2. Enter this URL in the address field: http://NAE-computer-name/metasys. The Windows Launcher Download
dialog box appears.
Figure 16: Windows Launcher Download

3. Choose one of the following Launcher options:

NAE Commissioning Guide 36

 Go to Full Launcher Installer if at least one of the following is true:
• you need to access the SMP (NAE) or SCT
• you need to access Metasys servers or engines of different release versions
• you have rights to install new applications on your computer
Go to Single Site Connection if at least one of the following is true:
• you only need to access the SMP (NAE), not SCT
• you only need to access Metasys servers or engines of a specific release version
• you do not have rights to install new applications on your computer

Full Launcher Installer

1. Click Full Launcher Installer. Follow the instructions on the screen to install the Launcher. Refer to the Launcher
Installation Instructions (LIT-12011783) if needed. When the Launcher is installed on your computer, proceed
to Launcher window.
2. Start the Launcher application. The Launcher window appears.
Figure 17: Launcher Window

3. Click Add. The Add New window appears.

NAE Commissioning Guide 37

 Figure 18: Add New

4. Enter the host name (or IP address) of the NAE including the domain name if required, and then click Discover.
The Launcher searches for the device on the building network. When the device is found, the Add New window
refreshes to indicate the found device.
Figure 19: Add New: Found Device

5. Make sure the Add box next to SMP is selected. You can enter a descriptive name for the NAE in the Description
field to make the NAE easier to find in the profile list, or you can keep the default IP address. Click Save. The
NAE is added to the profile list on the SMP tab.
Note: If the device has SCT installed, you can also add its SCT profile (as shown).
6. Select the NAE from the SMP profile list and click Launch. If the device you are adding has not yet been
downloaded and installed on your computer, a Downloading window appears, followed by an Installing window.
The windows close when the download and installation steps are complete.

NAE Commissioning Guide 38

 Figure 20: Downloading and Installing Metasys Version

The system login window appears.

7. Enter the initial Username and Password values for the NAE and click Login. See Login User Names and
Passwords.
8. If necessary, set the time, time zone, and date. See Appendix: Time Zone, Date, and Time Management.

Single Site Connection

1. Click Single Site Connection. Refer to the Launcher Installation Instructions (LIT-12011783) for instructions on
how to download and install the Launcher files.
2. Double-click the Metasys Launcher.exe shortcut on your computer desktop. The Metasys Launcher window
appears.
Figure 21: Metasys Launcher - Single Site Connection

3. Enter the host name (or IP address) of the NAE, including the domain name if required.
4. Click Launch. The system login window appears.
5. Enter the initial Username and Password values for the NAE and click Login. See Login User Names and
Passwords.
6. If necessary, set the time, time zone, and date. See Appendix: Time Zone, Date, and Time Management.

NAE Commissioning Guide 39

Establishing a Direct Connection to an NAE
This scenario is typical for a single NAE that is not attached to a network and can be used to set up an NAE before
it is installed and connected to a site network. The following procedure can also be used when an Ethernet crossover
cable is not available.
Your computer must be set up for dial-up access as described in Metasys® System Extended Architecture Direct
Connection and Dial-Up Connection Application Note (LIT-1201639).
1. Connect the computer Communication (COM) port to the NAE Serial Port A using a null modem cable.
2. Establish the connection to the NAE by double-clicking the Direct Connect icon that was created when the
computer was set up for dial-up access.
If you are using Windows 8.1, Windows Server® 2016, Windows Server 2012, or Windows Server 2012 R2
operating systems, open the charms bar and click Settings, then click the network icon at the bottom of the
Settings pane. Select the network and click Connect.
If you are using Windows 10 or Windows 7 operating systems, the Direct Connect selection is located under the
Network and Sharing Center (select Control Panel > Network and Internet > Network and Sharing Center
> Connect to a Network).
The direct-connect setup is complete. You can access the Metasys system login screen using the Launcher.
See Accessing the Site Management Portal UI on an NAE for information on accessing the NAE UI.

Preparing an NAE for a Network That Supports DHCP and DNS

The following scenario is typical when you install an NAE on an existing building network. Your computer must be
connected to the network. The computer must be a Dynamic Host Configuration Protocol (DHCP) client or configured
to use a static IP address appropriate for the network.
Note: We recommend that you configure a DHCP reservation for the NAE to ensure it always receives the same
IP address when its lease expires. This practice prevents address bindings between the NxE85 and other
devices from breaking.
1. Verify that your network administrator has updated the DNS server and the DHCP server with the NAE Ethernet
MAC address and the NAE host name.
2. With your computer or commissioning laptop connected to the building network, start NCT. This tool listens for
and shows the IP address information of the NAE as it comes online.
3. Connect the NAE to the network with an Ethernet patch cable.
4. Connect 24 VAC supply power to the NAE. Then wait for the NAE to complete the startup and initialization
sequence. The NCT indicates the current IP address of the network engine.
Note: Startup and initialization is complete when the NAE green RUN LED is on steady and the PEER COM
LED is either off or flickering to show activity. The startup and initialization sequence may take up to 10
minutes to complete. If the DHCP server is not online when the NAE is powered on (or if the NAE Ethernet
cable is disconnected and reconnected with no DHCP server online), the NAE assumes a unique IP
address between 169.254.0.1 and 169.254.255.254 and a subnet mask of 255.255.0.0. This is a feature
of Automatic Private Internet Protocol Addressing (APIPA) that applies when DHCP is enabled in the
NAE (factory default).
5. Go to Installing Launcher to Access the NAE, follow all instructions, then return to the next step in this section.
6. After you have completed the steps in Installing Launcher to Access the NAE, including the step for logging in
to the NAE, select the NAE device object in the Navigation panel, and drag it to the Display panel of the Site
Management Portal UI. The Focus tab for the selected NAE appears in the Display panel.

NAE Commissioning Guide 40

 Figure 22: NAE Focus Tab - Basic

7. Go to the Network tab and verify the Computer Name and Domain Name values. Change these values to the
assigned values for your network site. Also verify the Allow http attribute. If trusted certificates are not deployed
to the engine, communication between the engine and its clients occurs over port 80. If you need to close the
network engine's incoming http communication port (port 80), select False for Allow http. Doing so does not
interfere with NAE/NIE Update Tool operations. Otherwise, keep this attribute at its default value (True).
Figure 23: NAE Network Tab - Edit Mode

NAE Commissioning Guide 41

 Important: The NAE/NIE Update Tool places restrictions on the host name (Computer Name) values you can
use for NAE35, NAE45, or NCE25 models. Names must start with a letter, must end with either a
letter or a number, and may contain hyphens only in the interior of the name. Failure to follow the
name restrictions results in the Computer Name changing when an NAE35, NAE45, or NCE25 is
updated. Refer to the NAE/NIE Update Tool Help (LIT-12011524) for more information on host
name restrictions.
Note: Changing the Computer Name forces a device reset on the NAE. (See NAE Computer Name and Reset
Device Command.)
8. Go to the Focus tab and check the NAE Object Name. Change the Object Name to the descriptive label used
to identify the NAE in the Site Management Portal UI and SCT.
Figure 24: NAE Focus Tab - Advanced Edit Mode

Depending on the DNS server configuration, the NAE should be reachable from the subnet on which the NAE resides
or from other subnets.

Preparing an NAE for a Network without DHCP and without DNS Support
When the NAE Uses APIPA
This scenario is typical when you install an NAE on a stand-alone network designated as a building control network
only. Perform these steps from a computer attached to the network. The NAE uses APIPA to automatically assign
an IP address. For this procedure, do not attach an Ethernet crossover cable directly to the NAE. In this scenario,
a direct connection to the NAE may affect the assignment of an IP address.
1. Attach the NAE to the network using an Ethernet patch cable.

NAE Commissioning Guide 42

2. With your computer or commissioning laptop connected to the building network, start NCT. This tool listens for
and shows the IP address information of the NAE as it comes online.
3. Connect supply power to the NAE and wait for the NAE to complete initialization.
Note: Startup and initialization is complete when the NAE green RUN LED is on steady and the PEER COM
LED is either off or flickering to show activity. The startup and initialization sequence may take up to 10
minutes to complete.
4. Verify that the computer is configured to use APIPA or a static IP address and subnet mask that are compatible
with APIPA. If necessary, change the computer’s IP address and subnet mask to be compatible with APIPA.
5. Go to Installing Launcher to Access the NAE, follow all instructions, and then return to the next step in this section.
6. After you have completed the steps in Installing Launcher to Access the NAE, including the step for logging in
to the NAE, demote the NAE from Site Director if the NAE is not going to be the Site Director. See Changing
Site Director Status of an NAE.
7. (This step is optional.) Select the Network tab of the NAE device object. Change the Computer Name value
from the factory default, if desired. See NAE Computer Name and Reset Device Command.
Initial setup is complete. You can now log in to the NAE by starting the Launcher and entering the initial computer
name of the NAE or the computer name you assigned in Step 7.

Preparing an NAE for a Network without DHCP and without DNS Support
When the NAE Uses a Static IP Address
This scenario is typical when you install the NAE on a stand-alone network dedicated to building control only. Do
not use this scenario when the NAE uses APIPA. The steps can be performed from a computer that is attached to
the network or a computer that is connected directly to the NAE with an Ethernet crossover cable. If the computer
is attached to the network, the computer must be connected to the same subnet as the NAE. To connect to the NAE
with this procedure, you may need to know the IP address of the NAE.
1. Check the network IP address and the subnet mask of the computer. If needed, change the IP address and the
subnet mask of the computer so that the computer and the NAE are on the same subnet. The IP address assigned
to the computer must be unique for the subnet.
2. With your computer or commissioning laptop connected to the building network, start NCT. This tool listens for
and shows the IP address information of the NAE as it comes online.
3. Connect supply power to the NAE and wait for the NAE to complete startup and initialization. Startup and
initialization is complete when the NAE green RUN LED is on steady and the PEER COM LED is either off or
flickering to show activity. The startup and initialization sequence may take up to 10 minutes to complete. The
NCT indicates the current IP address of the network engine.
4. Go to Installing Launcher to Access the NAE, follow all instructions, then return to the next step in this section.
5. After you have completed the steps in Installing Launcher to Access the NAE, including the step for logging in
to the NAE, demote the NAE from Site Director if the NAE is not going to be the Site Director.
6. Select the NAE device object from the Navigation panel of the Site Management Portal UI and drag it to the
Display panel. The NAE device object UI opens in the Display panel.
7. Select the Network tab of the NAE device object and click Edit.
8. Change the Computer Name value, if desired. Change DHCP Enabled attribute value to False. This disables
DHCP and APIPA. Specify the IP Address, IP Mask, IP Router Address, and the DNS Server IP Addresses. The
network administrator typically assigns these values. Record the assigned IP address for the NAE for future
reference. Click Save. The NAE automatically logs you out and resets.

NAE Commissioning Guide 43

 Figure 25: Network Tab - Edit Mode

9. Wait for the NAE to complete the startup and initialization sequence.
Note: Startup and initialization is complete when the NAE green RUN LED is on steady and the PEER COM
LED is either off or flickering to show activity. The startup and initialization sequence may take up to 10
minutes to complete.
Initial setup is complete.
Note: If you connected your computer directly to the NAE with an Ethernet crossover cable, disconnect the
crossover cable and connect the NAE to the network with an Ethernet patch cable.
You can log in to the NAE by entering its IP address in Launcher on any subnet of the network.

Preparing an NAE for a Network That Supports DHCP but Not DNS
This scenario is common to many building networks. The NAE should only use DHCP without DNS if you have
configured DHCP to always assign the same IP address after device resets and lease renewals. If this is not the
case, use static IP addresses as described in Preparing an NAE for a Network without DHCP and without DNS
Support When the NAE Uses a Static IP Address.
1. Attach the NAE to the network using an Ethernet patch cable.
2. With your computer or commissioning laptop connected to the building network, start NCT. This tool listens for
and shows the IP address information of the NAE as it comes online.
3. Connect supply power to the NAE and wait for the NAE to complete initialization. The NCT indicates the current
IP address of the network engine.

NAE Commissioning Guide 44

 Startup and initialization is complete when the NAE green RUN LED is on steady and the PEER COM LED is
either off or flickering to show activity. The startup and initialization sequence may take up to 10 minutes to
complete.
4. Go to Installing Launcher to Access the NAE, follow all instructions, then return to the next step in this section.
5. After you have completed the steps in Installing Launcher to Access the NAE, including the step for logging in
to the NAE, update the NAE computer name value on the Network tab. After the computer name is updated, the
Site Management Portal UI automatically logs out, and the NAE automatically resets. Wait for the NAE to complete
the startup and initialization sequence. (Startup and initialization is complete when the NAE green RUN LED is
on steady. This sequence may take up to 10 minutes. See Pre-Boot Execution Environment (PXE) for more
information.)

Preparing an NAE for a Network That Supports DNS but Not DHCP
This scenario is not typical of modern networks. The steps are identical to the steps in the Preparing an NAE for a
Network without DHCP and without DNS Support When the NAE Uses APIPA and Preparing an NAE for a Network
without DHCP and without DNS Support When the NAE Uses a Static IP Address.
Using the NAE Ethernet MAC address (from the NAE label), the network administrator can update the DNS server
and the assigned computer name. If this is done, you can enter dns-name in Launcher on any computer on the
building network.

Enabling the Serial Printer DDA

Important: Follow instructions carefully when using Remote Desktop with the NxE Information and Configuration
Tool (NCT) to access an engine or computer. Failure to follow the steps as written can render your
engine or computer inoperable.
1. To prevent data loss, issue an Archive command to the device from the Site Management Portal UI.
2. If you are enabling the DDA on an NxE85, complete the steps in Preparing NxE85 for Serial Printing.
3. Access the NAE remotely using the NCT.
4. Click Remote Desktop in the NCT. If a Remote Desktop identity message appears, click Yes. The tool logs in
to the NAE, and the Remote Desktop screen with the Command Prompt window appears.
Note: If the Command Prompt window does not appear, press Ctrl+Alt+End to open the Windows Security
screen. Click Task Manager. The Windows Task Manager appears. Click the Applications tab, then
New Task. The Create New Task window appears. In the Open field, type CMD and press Enter. When
the Command Prompt window opens, close the Task Manager.

NAE Commissioning Guide 45

 Figure 26: Command Prompt

5. At the command prompt, type net pause miiidm to pause the Device Manager.
6. At the command prompt, type notepad and press Enter. Microsoft Notepad opens in a new window.

NAE Commissioning Guide 46

 Figure 27: Notepad in Remote Desktop

7. In Notepad, on the File menu, select Open.

8. From the Files of Type drop-down menu, select All Files.
9. Browse to JCI_NAE (C:)\Inetpub\wwwroot\MetasysIII\WS and select Web.config.
10. Click Open. The Web.config file opens in Notepad.
11. In the <EventRouter> section, locate the serial printer DDA line:

12. Delete <!-- at the beginning and --> at the end of the serial printer DDA line (see circled text):

13. On the Notepad File menu, click Save.

Note: If the file is not saved with the original name, including the .txt extension, the DDA is not enabled.
14. If you are enabling printing on an NAE55/NIE55:
a. At the command prompt, enter shutdown -r -t 0, or remove power from the NAE55/NIE55.
b. When the NAE55/NIE55 LEDs are off, reapply power to the NAE55/NIE55.
15. If you are enabling serial printing on an NxE85, restart the computer.

NAE Commissioning Guide 47

The Serial Printer DDA installation is now complete. The Remote Desktop connection closes and the NAE/NIE
restarts.

Preparing NxE85 for Serial Printing

1. Disable COM port 2 in the Windows Device Manager.
2. Configure COM port 1 for 9600-8-N-1-N.
3. Connect the serial printer to COM port 1.
Note: The printer has only one physical port.
4. Install the Epson FX-880 printer driver.
Note: The FX-890 printer driver is not available.
5. Return to Enabling the Serial Printer DDA. If you have access to an NxE85 with a monitor and keyboard, start
with Step 7; otherwise, start with Step 3.

Creating Audit Entries for Discarded Events

By default, discarded events that originate at the NAE are not recorded. You can change this behavior so that an
audit entry is recorded and shown in the Audit Viewer each time an event is discarded.
1. Access the NAE remotely using the NCT.
2. For an NxE55, click Remote Desktop in the NCT, and then start Notepad. For an NxE85 click Remote Desktop
on the NxE85 computer, and then start Notepad. For an NAE35/45 or NCE25, click Start FTP in the NCT.
Note: You can access an NxE85 remotely without using the NCT.
3. Open the following file for editing:
NxE55 or NxE85: C:\Inetpub\wwwroot\MetasysIII\WS\web.config
NAE35/45 or NCE25: ftp://<IP address>/Storage/Metasys/wwwroot/metasysIII/WS/Web.ce.config
4. Find the line for WriteAuditAckDiscard:
<add key="EventRepository.WriteAuditAckDiscard" value="false"/>
5. Change the value from false to true.
6. Save the file.
7. Terminate your remote connection to the NAE.
8. Exit the NCT.

Accessing the Site Management Portal UI on an NAE

After an NAE is set up for connectivity, the Site Management Portal UI can be accessed through the Launcher.
See Site Management Portal User Interface and the Metasys® SMP Help (LIT-1201793) for additional information
about navigating the Site Management Portal UI.
You need to know the Computer Name (or IP address) of the NAE you wish to access. If you do not know the IP
address of the NAE, see Determining the NAE IP Address and Device Name for a Network Connection and
Determining the NAE IP Address and Device Name By Using a Serial Port Monitor.
If the NAE has been added to a building’s DNS server, you can access it by its Computer Name.
To access the Site Management Portal UI on an NAE through the Launcher:
1. Start Launcher.
2. Select the Computer Name (or IP address) of the NAE on the SMP tab of the Launcher, and click Launch. The
Metasys system login window appears.
3. Type the NAE Username and Password, and then click Login or press Enter.

NAE Commissioning Guide 48

4. To view an NAE, select the NAE object from the Navigation panel and drag it to the Display panel. The NAE
object opens with the Focus tab active (Figure 28).

Establishing Basic NAE Parameters in the Focus Screen

1. In the Site Management Portal UI, display the NAE device object and click the Focus tab.
2. Click Edit. Edit the NAE Object Name and Description values as required.
Figure 28: NAE Focus Tab (Basic)

3. Click Save.
4. Select the Advanced option and click Edit.

NAE Commissioning Guide 49

 Figure 29: NAE Focus Tab - Advanced Edit Mode

5. Edit the advanced attribute values as needed. (Refer to the NAE Device Object Help and Audit Trails Help in
the Metasys® SMP Help (LIT-1201793) for guidance.) If the NAE is on a site with an ADS/ADX, enter the
ADS/ADX’s IP address in Local Site Director field in the Site section of this screen so the NAE can find the
ADS/ADX.

Establishing the NAE Network Parameters

The NAE Computer Name and Domain Name on the Network tab identify the NAE on the network so it can be found
by other computers. In many commissioning scenarios, you can use the initial Computer Name to commission the
NAE. See NAE Computer Name for more information.
In most site configuration scenarios, you configure many of the Metasys network values in the NAE UI by downloading
a pre-built archive database from the SCT to the commissioned NAE. The download from SCT overwrites the initial
Computer Name with the new value for the Metasys network.
Note: If you are building the NAE database online, you must establish the production network NAE Computer Name
value before you establish references to objects on the NAE. After creating object references, changing the
Computer Name value breaks all object references to local objects on the site.

NAE Commissioning Guide 50

Important: The NAE/NIE Update Tool places restrictions on the host name (Computer Name) values you can use
for NAE35, NAE45, or NCE25 models. Names must start with a letter, must end with either a letter or
a number, and may contain hyphens only in the interior of the name. Failure to follow the name
restrictions results in the Computer Name changing when an NAE35, NAE45, or NCE25 is updated.
Refer to the NAE/NIE Update Tool Help (LIT-12011524) for more information on host name restrictions.
1. In the Site Management Portal UI, display the NAE device object, click the Network tab, and then click Edit.
Figure 30: NAE Network Tab - Edit Mode

2. In the Network Identification section, type the Computer Name value.

3. Enter the Network Identification and LAN attribute values as needed and click Save.
Note: If you are setting up an NAE to dial out to an ADS/ADX, see Configuring an NAE to Dial Out to an
ADS/ADX/ODS.

Establishing the NAE Direct-Connect and Modem Parameters

On the NAE Communications tab, you can set the NAE to communicate through a direct connection to Serial Port
A (NAE55/NIE55 models), an optional internal modem, or a user-supplied external modem (Figure 31).
Note: On NAE35/NAE45 models, Serial Port A is labeled RS232C A.
Use Serial Port A for direct connections. Set up Serial Port A in the Serial Port Cable Config section of the
Communications tab.

NAE Commissioning Guide 51

Configure an optional internal modem on the NAE for dial-up connection in the Internal Modem Config section of
the Communications tab.
Note: You can order specified NAE models with the optional internal modem. An internal modem cannot be added
to an NAE in the field.
Configure a user-supplied external modem on a USB port in the External Modem Config section of the
Communications tab.
See Modems and Dial-Out Features for the external modems and drivers supported on Metasys system networks.
Note: To enable modem connections, set the value for the Allow Incoming Connections attribute (in the Internal
Modem Config or External Modem Config sections) on the Communications tab to True.
NCE25/NAE55/NIE55 serial ports do not support external serial modems. Use only external USB modems
with the NCE25/NAE55/NIE55 models.
Each NAE supports the concurrent use of one internal modem and one external modem. For example, you
can configure the internal modem for dial-out communication and configure the external modem for dial-up
communication (or vice versa). But you should not configure the internal modem and the external modem
for the same purpose; for example, both modems should not be configured for paging use.
1. In the Site Management Portal UI, display the NAE device object, click the Communications tab, and then click
Edit.
Figure 31: NAE Communications Configuration Tab - Edit Mode

2. To establish a serial port connection to the RS232C A Serial port on NAE35/NAE45 models or Serial Port A on
NAE55/NIE55 models, edit the attribute values in the Serial Port Cable Config section.

NAE Commissioning Guide 52

 Note: Direct connections cannot be made to Serial Port B on NAE55/NIE55 models or to the RS232C B Serial
port on NAE35/NAE45 models.
You can connect a user-supplied, external serial modem (such as Zoom models 2949 or 3049) to the
RS232C B Serial port only on NAE35/NAE45 models that do not have an internal modem. To establish
a connection to the external serial modem, you must edit the Internal Modem Config section on the
Communications tab.
To establish an internal modem connection, edit the attribute values in the Internal Modem Config section.
To establish an external modem connection through a USB port, edit the attribute values in the External Modem
Config section. (See the Modems and Dial-Out Features section in this document for more information on external
modems.)
Note: On NAE55 and NIE55 models, the Enabled attribute value is False (in the External Modem Config
section) and an external modem cannot be configured in the NAE UI until the external modem is connected
to the NAE and the Communication tab is refreshed in the UI. The refresh may take up to 30 seconds,
after which the Enabled attribute value is True and the external modem can be configured in the UI.
3. Click Save.

Creating Email Alarm and Event Notifications and Destinations

An NAE can be set up to generate custom alarm and event email messages and send the messages to one or more
specified email destinations.
Note: In most scenarios, we recommend that you set up the Email DDA and configure the email notifications and
the notification destinations after the NAE is configured with an archive database that includes the user
database.
1. In the Site Management Portal UI, display the NAE device object, click the Email tab, and then click Edit. (See
the top half of the Display panel in Figure 32.)
2. Enter the Shared Configuration values according to Table 15. These fields establish values for attributes that
are common to all email alarm notifications generated from this NAE. Refer to Alarm and Event Management
in Metasys® SMP Help (LIT-1201793) for additional information on setting the attribute values for alarm and
event notifications.
3. Scroll down to the Destinations section of the Email tab.
4. Click New. The Email Destinations Configuration edit section appears.

NAE Commissioning Guide 53

 Figure 32: NAE Email Configuration - Edit Mode

5. Enter the Destination values according to Table 15. (Refer to the Alarm and Events Management section in the
Metasys® SMP Help (LIT-1201793) for additional information on setting the attribute values for alarm and event
notifications.)
Table 15: Shared Attributes for All Email Destinations
Attribute Description (Value Requirement/Range) Initial Value
SMTP Server Host Specifies the server name that handles outgoing email. (Required Value) Fully qualified host
name
SMTP Port Specifies the TCP port that the server uses to deliver email message. 25
(Required Value/1 to 25)
Authentication Type Specifies the Authentication Type the NAE uses to log in to the outgoing None
email server. Select SMTP, Post Office Protocol (POP) before SMTP, or
None.
SMTP User Name Specifies the user name the NAE uses to log in to the SMTP server that –
handles outgoing email messages. (Required only if SMTP is selected
for Authentication Type.)
SMTP Password Specifies the password the NAE uses to log in to the SMTP server that –
handles outgoing email messages. (Required only if SMTP is selected
for Authentication Type.)
POP Server Hostname Specifies the POP server name for incoming email messages. (Required –
only if the email server requires POP before SMTP, before it accepts
email messages from client. If this field is left blank, POP before SMTP
is disabled.)
POP User name Specifies the POP user name. (Required only if POP Authentication is Maximum 20
required and there is a value specified for POP server host.) characters

NAE Commissioning Guide 54

 Table 15: Shared Attributes for All Email Destinations
Attribute Description (Value Requirement/Range) Initial Value
POP Password Specifies the POP Password. (Required only if POP Authentication is Maximum 20
required and there is a value specified for POP server host.) characters
From Email Address Specifies a valid email address that is recognized and exists on the SMTP Email address
Server. (Required Value)
SSL Email Enabled When True, emails are sent over an SSL-encrypted connection if the False
server supports encryption with StartTLS. When this parameter is set to
True, emails are not sent if they cannot be encrypted, regardless of the
SSL Email Ignoring Errors attribute setting.
SSL Email Ignoring When True, the email is sent even if the email server certificate appears False
Errors to be invalid. When False, the email is sent only if the operating system
can verify that the server sent a valid SSL certificate. This feature is only
enabled if SSL Email Enabled is True.
Email Diagnostics Displays diagnostic information regarding the communication between –
the Email DDA (SMTP Client) and the SMTP Server. This attribute displays
both successful and unsuccessful email message deliveries.

Table 16: Attributes for Specific Email Destinations and Notifications

Attribute Description (Value Requirement/Range) Initial Value
Label Specifies a name for the email destination (for example, John Doe). –
Email Address Specifies the destination email addresses (for example, john.doe@jci.com). –
(Required Value)
Priority Specifies the email message priority (High, low, or normal). Normal
Subject Contains the body text of the email message. (Maximum of 256 characters.) –
Retries Specifies the number of attempts at sending the email message. (0–10 3
Retries)
Enabled Enables or disables Email Destination. (True, False) True
Filters Enables you to specify the rules that filter alarm and event notifications. –
Each filter has an Item, Operator, and Value.
Format Enables some predefined format characteristics of the notifications that –
are sent to a destination. Predefined format characteristics include:
• Notification Priority
• Notification Message (content)
• Value
• Site Name
• Item Description
• Item Fully Qualified Reference
• Item Category
• Acknowledge Required
• Previous Status
(Enable a format by selecting the check box next to the format.)

6. Click New to the right of Destination Email Addresses. The Email Import dialog box appears. Import user names
and the associated email addresses from the list of user names for the site. (Refer to the Metasys® SMP Help
(LIT-1201793) for more information.)

NAE Commissioning Guide 55

 Figure 33: Import Email Addresses Dialog Box

7. To filter the email messages that are sent to a destination, click New next to the Filters section of the Email
Destination Configuration tab. The Add Filter dialog box appears.
Figure 34: Add Filter Dialog Box

8. Select the Item, Operator, and Value (from the drop-down lists) for the condition that you want to trigger the
email notification. (Refer to Event Message Routing, Filtering, and Destinations in the Metasys® SMP Help
(LIT-1201793) for additional information on filters.)
9. Click OK.
10. Enable the Format characteristics for email notifications sent to the specified destinations by selecting the check
boxes next to the Format characteristic.
11. Add additional email destinations with filters and formats as required.
12. Click Save.

NAE Commissioning Guide 56

Configuring Encrypted Email
By default, Metasys software encrypts your user name and password as they are entered into the SMP UI, but the
software does not automatically encrypt email messages. This feature allows embedded and server machines to
send email to email servers over a secure channel (secure socket layer [SSL]). The entire email payload is encrypted,
and allows our software to communicate to email servers that require SSL connections.
Consider these points when using email encryption:
• The SMTP port is different when using secure socket layer connections. This port is typically 465.
• Server-class machines and embedded devices do not have the same list of trusted Certificate Authorities. An
embedded device may not trust a certificate that is trusted on a server-class machine. To increase the chances
of an embedded device trusting a certificate used by a server-class machine, have the certificate signed by a
major authority.
• To maximize efficiency when using this feature, set up mailing groups instead of individual users in the destination
field to minimize the number of users to which the machine has to send email. This setup allows you to create
different email groups and customize the type of messages that each user receives.
• To increase the chance of an embedded device or an ADS/ADX trusting the certificate the mail server uses,
ensure the signed certificate is obtained by a major certificate authority.
• If you are using an embedded device as your site director, no option is available to update the Trusted Certificate
Authority list at this time.
• To ensure you have the latest list of Trusted Certificate Authorities installed on your ADS/ADX, install any available
certificate updates from Microsoft Windows Update.
You can configure encrypted email in three ways:
• Configuring Encrypted Email with No Authentication Required
• Configuring Encrypted Email with SMTP Authentication
• Configuring Encrypted Email with POP-Before-SMTP Authentication

Configuring Encrypted Email with No Authentication Required

Note: Encrypted Email with No Authentication Required functions only when Anonymous Authentication is enabled
on the mail server.
1. View an Engine or device.
2. Click the Email tab.
3. Click Edit.
4. Edit the Attributes in the Shared Configuration as shown in Table 17.
Table 17: Attributes for No Authentication Required
Attribute Selection
SMTP Server Host mail.yourdomain.com or yourdomain.com
SMTP Port 465
Authentication Type None
SSL Email Enabled True
SSL Email Ignoring Errors False

5. Verify that the email was sent correctly.

Configuring Encrypted Email with SMTP Authentication

1. View an Engine or device.
2. Click the Email tab.
3. Click Edit.
4. Edit the Attributes in the Shared Configuration as shown in Table 18.

NAE Commissioning Guide 57

 Table 18: Attributes for SMTP Authentication
Attribute Selection
SMTP Server Host mail.yourdomain.com or yourdomain.com
SMTP Port 465
Authentication Type SMTP
SSL Email Enabled True
SSL Email Ignoring Errors False

5. Verify that the email was sent correctly.

Configuring Encrypted Email with POP-Before-SMTP Authentication

Note: When SSL Email is enabled and you use POP-before-SMTP Authentication, the Metasys system uses port
995 to communicate to the mail server. Ensure that the mail server you are connecting to uses port 995 for
secure socket layer connections for POP3 access.
When SSL Email is not enabled and you use POP-before-SMTP Authentication, the Metasys system uses
port 110 to communicate to the mail server. Ensure that the mail server you are connecting to uses port 110
for non-encrypted POP3 access.
1. View an Engine or device.
2. Click the Email tab.
3. Click Edit.
4. Edit the Attributes in the Shared Configuration as shown in Table 19.
Table 19: Attributes for POP-Before-SMTP Authentication
Attribute Selection
SMTP Server Host mail.yourdomain.com or yourdomain.com
SMTP Port 465
Authentication Type POP-before-SMTP
POP Server Hostname yourdomain.com or pop.yourdomain.com
SSL Email Enabled True
SSL Email Ignoring Errors False

5. Verify that the email was sent successfully.

NAE Commissioning Guide 58

Creating Pager Alarm and Event Notifications and Destinations
You can set up an NAE to generate custom alarm and event pager messages and send the messages to one or
more specified pager destinations.
Note: In most scenarios, we recommend that you set up the Pager DDA and configure the pager notifications and
destinations after an NAE is configured with an archive database that includes the user database.
1. In the Site Management Portal UI, display the NAE device object and click the Pager tab.
2. Click Edit. The Shared Configuration section of Pager Edit tab appears.
Figure 35: NAE Pager Configuration Edit Mode

3. Enter the Shared Configuration values using Table 20 and Table 21 as references. (These fields establish
values for attributes that are common to all pager alarm notifications generated from this NAE. Refer to Alarm
and Event Management in the Metasys® SMP Help (LIT-1201793) for additional information on setting the
attribute values for alarm and event notifications.)
Table 20: Shared Attributes for All Pager Destinations
Attribute Description (Value Requirement/Range)
Connect Using Specifies the connection type: Internal Modem, External Modem.
Access Number Specifies the service or modem phone number that the NAE uses to access phone
service. (This is not a pager destination phone number.)
Redial Attempts Specifies the number of attempts the NAE makes to connect with the destination
pager before stopping.
Time Between Redial Attempts Specifies the time-delay interval between subsequent attempts to connect with a
destination pager.
Idle Time Before Hanging Up Specifies the amount of idle time allowed on the connection before disconnecting.
Redial If Line Is Dropped Specifies whether to redial if connection with destination pager is broken.

NAE Commissioning Guide 59

 Table 20: Shared Attributes for All Pager Destinations
Attribute Description (Value Requirement/Range)
Password Specifies a 6-digit alphanumeric code used as a password. This attribute appears
when you select External Modem. Enter a password only if required by the pager
company. An empty/blank password is the default value.
Pager Diagnostics Displays the diagnostic information regarding communication between the Pager
DDA, modem, and customer's paging Service. It displays both successful and
unsuccessful attempts to send a page.

Table 21: Attributes for Specific Pager Destinations and Notifications

Attribute Description (Value Requirement/Range)
Label Specifies a functional name for the destination pager (for example, John Doe). (Maximum
20 characters)
Pager Phone Number Specifies the complete telephone number of the destination pager. (Maximum 20
characters)
Max Characters Specifies the maximum number of characters allowed (by the service provider) in the text
string that is sent to the pager. (This field cannot have a value of zero.)
Retries Specifies the number of redial attempts that can be made.
Enabled Enables or disables the Pager Destination.
Filters Enables you to specify the rules that filter alarm and event notifications. Each filter has
an Item, Operator, and Value.
Format Enables some predefined format characteristics of the notifications that are sent to a
destination. Predefined format characteristics include:
• Notification Priority
• Notification Message (content)
• Value
• Site Name
• Item Description
• Item Fully Qualified Reference
• Item Category
• Acknowledge Required
• Previous Status
(Enable a format by selecting the check box next to the format.)

4. In the Destination section (Figure 35), click New. The Destinations Configuration edit fields appear (Figure 36).

NAE Commissioning Guide 60

 Figure 36: NAE Pager Destination Tab - Edit Mode

Note: The Max Characters field defines the length of the text string that is sent to the pager. This field cannot
have a value of zero (Figure 36).
5. Enter the appropriate values for the specified pager message destination.
Note: These fields establish values for attributes that are specific to the pager destination and message for
specified alarm notifications generated from this NAE. Refer to Alarm and Event Management in the
Metasys SMP Help for additional information on setting the attribute values for alarm and event
notifications.
6. To filter the conditions that trigger a pager notification, click New next to the filters section of the Pager Destination
Configuration tab (Figure 36). The Add Filter dialog box appears (Figure 37).
Figure 37: Add Filter Dialog Box

7. Select the item, operator, and value of the condition that you want to trigger a pager notification. (Refer to Event
Message Routing, Filtering, and Destinations in the Metasys SMP Help for additional information on adding
filters.)
8. Add additional pager destinations and filters as desired.
9. Click OK.
10. Click Save (Figure 36).

NAE Commissioning Guide 61

Creating NAE SNMP Alarm Notifications and Destinations
You can set up an NAE to generate and deliver alarm and event messages on a network using SNMP network
monitoring.
You can typically use SNMP monitoring for large BAS networks with many network devices. Alarm notifications are
sent to and stored on an SNMP management computer that monitors all devices on the network.
You must set up SNMP monitoring at the network level and an SNMP management device must be assigned on
the network. If you are applying a Metasys system to any existing network, consult with the network administrator
or IT department that administers the building network to determine if SNMP monitoring is available on the network.
Note: In most scenarios, we recommend that you set up the SNMP DDA and configure the SNMP notifications and
the notification destinations after an NAE is configured with an archive database that includes the user
database.
1. In the Site Management Portal UI, display the NAE device object and click the SNMP tab.
2. Click Edit. The SNMP Configuration Edit screen appears (Figure 38).
Figure 38: NAE SNMP Configuration Tab - Edit Mode

3. In the Shared Configuration section, set SNMP Enabled value to True if your network application uses SNMP
monitoring.
4. Type the IP address or host name values of the SNMP Management device (computer).
5. In the Read Only Community and Read/Write Community fields, enter the community string used by the
Enterprise/Network Management Systems (E/NMS) to retrieve data from objects maintained by managed devices
(Table 22).
Table 22: Share Attributes for SNMP Destination
Attribute Description (Value Requirement/Range) Initial Value
SNMP Enabled Enables or disables SNMP DDA on the NAE. (True, False) False
SNMP Trap Version Specifies the version of SNMP used on the network on which the NAE SNMP Version 1
resides. (Not required if SNMP Enabled is set to False)

NAE Commissioning Guide 62

 Table 22: Share Attributes for SNMP Destination
Attribute Description (Value Requirement/Range) Initial Value
SNMP Management Device Specifies the IP address or host name of the SNMP Management device –
on the network on which the NAE resides. The direction of
communication is from the SNMP Management device to the NAE.
Currently, this function is not supported on the NAE85. (Not required if
SNMP Enabled is set to False)
SNMP Request Port Specifies the port on the SNMP server where SNMP notifications are 161
sent. (Not required if SNMP Enabled is set to False)
Contact Person Specifies the contact person for the SNMP notifications. (Not required –
if SNMP Enabled is set to False)
Public Community Name Specifies the community name used by the NMS to modify data in objects public
maintained by managed devices. (Not required if SNMP Enabled is set
to False)
SNMP Trap Message Specifies the format used to generate SNMP notifications. Change to String Based
Format MIB Based when SNMP management application uses the Metasys
MIB file to translate SNMP notifications. (Not required if SNMP Enabled
is set to False)

6. Click New in the Destinations section. The Destination Configuration edit screen appears (Figure 39).
Figure 39: SNMP Destination Configuration Tab - Edit Mode

7. Enter the Destination information for the SNMP trap (Table 23).

NAE Commissioning Guide 63

 Table 23: Attributes for Specific SNMP Notifications
Attribute Description (Value Requirement/Range) Initial Value
Label Specifies a functional name for the destination SNMP server. (Maximum Destination #
20 characters)
Trap Community Name Specifies the SNMP Community Name used by the Network Management Public
System (NMS) group to listen to the traps. (Maximum 20 characters)
IP Address Specifies the IP Address of the NMS system that receives the trap 0.0.0.0
messages.
Destination Port Specifies the port on the SNMP Management device that receives messages 162
Number from the NAE (typically Port Number 162). The direction of communication
is from the NAE to the SNMP Management device.
Enabled Enables or disables the SNMP destination. True
Filters Enables you to specify the rules that filter alarm and event notifications. –
Each filter has an item, operator, and value.
Format Allows you to enable some predefined format characteristics of the –
notifications that are sent to a destination. Predefined format characteristics
include:
• Notification Priority
• Notification Message (content)
• Value
• Site Name
• Item Description
• Item Fully Qualified Reference
• Item Category
• Acknowledge Required
• Previous Status
(Enable a format by selecting the check box next to the format.)

8. Click Save when finished.

Enabling Syslog Reporting

An NAE can be set up to generate custom alarm and event email messages and send the messages to one or more
specified email destinations.
1. In the Site Management Portal UI, display the NAE device object and click the Syslog tab.
2. Click Edit. The Shared Configuration section of the Syslog tab appears.

NAE Commissioning Guide 64

 Figure 40: NAE Syslog Configuration - Edit Mode

3. Click the down arrow for the Syslog Reporting Enabled attribute and select True.
4. In the Destinations section, click New. The Destination Configuration edit fields appear.
5. Enter the Destination Configuration values according to the following table.
Table 24: Attributes for Specific Syslog Destinations
Attribute Description (Value Requirement/Range)
Label Specifies a name for the Syslog server (for example,
Syslog1).
Syslog Server Specifies the IP address or resolvable host name of the
Syslog server that is configured to receive events and audits
from the NAE.
UDP Send Port Specifies the Syslog port that is used to send messages to
an NAE.
UDP Receive Port Specifies the Syslog port that is used to receive messages
from an NAE.
Event Filters Specifies the rules for filtering the alarms and events that are
sent to the Syslog server. Each filter has an Item, Operator,
and Value.
Audit Filters Specifies the rules for filtering the audit messages that are
sent to the Syslog server. Each filter has an Item, Operator,
and Value.

6. In the Event Filters section, click New. The Add Filter dialog box appears.

NAE Commissioning Guide 65

 Figure 41: Add Filter Dialog Box: Events

7. Select the item, operator, and value of the condition that you want to trigger a message to the Syslog server.
8. Add any additional event filters as desired.
9. In the Event Filters section, click New. The Add Filter dialog box appears.
Figure 42: Add Filter Dialog Box: Audits

10. Select the item, operator, and value of the condition that you want to trigger a message to the Syslog server.
11. Add any additional audit filters as desired.
12. Add additional Syslog destinations and filters as desired.
13. Click OK.
14. Click Save.

Configuring a RADIUS Server

To configure a RADIUS account, use the Security Administrator system.
1. Using Metasys Launcher, start and log in to the SMP with any Metasys system administrator account.
2. On the SMP UI screen, select Tools > Administrator. The Security Administrator window appears.
3. In the Security Administration menu, click RADIUS. The Configure RADIUS screen appears.

NAE Commissioning Guide 66

 Figure 43: RADIUS Configure Option

NAE Commissioning Guide 67

 Figure 44: RADIUS Configuration Screen

4. Select the Enable RADIUS Authentication check box to enable the fields on the Configure RADIUS screen.
5. Fill in the fields of the Configure RADIUS screen using the information in the following table.
Table 25: RADIUS Configuration Fields
Field Value Description
Enable RADIUS Authentication Checked or unchecked Check box to configure and enable
RADIUS server authentication. The
check box defaults to unchecked. If it is
not checked, all fields in the RADIUS
Configuration screen are not editable.
RADIUS Server IPv4 address or a DNS name IPv4 address of the RADIUS server.
RADIUS Server Port 0 - 65535 Port on the RADIUS server to which
Metasys directs messages.
RADIUS Client Port 0 - 65535 Port on the network engine that is used
to send requests to and receive
responses from the RADIUS server.
Note: The default port for RADIUS is
1812.
Shared Secret Text string A secret that is used to verify the validity
of messages sent by the RADIUS server
to the client. Knowing the Shared Secret
does not grant access to a RADIUS
server.

NAE Commissioning Guide 68

 Table 25: RADIUS Configuration Fields
Field Value Description
NAS Identifier Text string A RADIUS attribute that the client uses
to identify itself to a RADIUS server.
Authentication Mechanism MS-CHAPv2 Mechanism used for server
authentication.

6. Click Save.
Note: At any time, RADIUS may be disabled by clearing the Enable Radius Authentication check box and
applying or saving the configuration. While RADIUS is disabled, only local users can authenticate. Login
errors display when a user attempts to log in with a RADIUS account.

Adding RADIUS Users

To provide access to the Metasys system for users that are authenticated by a RADIUS server:
1. Using Metasys Launcher, start and log in to the SMP with any Metasys system administrator account.
2. On the SMP UI screen, select Tools > Administrator. The Security Administration window appears.
Figure 45: Security Administration Window

3. Add a new RADIUS user in one of two ways:

NAE Commissioning Guide 69

 a. In the Insert Menu, click Insert RADIUS User.
Figure 46: Adding a New User through the Menu Bar

b. Right-click the RADIUS Users folder. Select Insert.

4. The User Properties dialog box appears. Enter the User Name.
Notes:
• Spell out the User Name the same as defined and expected by the RADIUS server.
• Many fields appear dimmed when you add a RADIUS user account because they are controlled by a RADIUS
server. These fields include: Password, Verify Password, View Blocked Words List, View Password Policy,
Min Password Length, Max Password Length, User Must Change Password at Next Logon, and User Cannot
Change Password.
5. Review the selections in the remaining tabs to ensure that the appropriate Metasys authorization is assigned to
the user. Then click OK. Once you add a new RADIUS user, the new user account is opened to the Access
Permissions page.
Note: The Maximum Password Age and Password Uniqueness fields on the Account Policy tab do not apply
to RADIUS users because those features are handled by the RADIUS server.

Setting the Time, Date, Time Zone, and Time Synchronization

How you set the time zone, date, and time on an NAE depends on how the NAE fits into the Metasys site hierarchy.
See Appendix: Time Zone, Date, and Time Management for information and detailed procedures on setting time
zone, date, and time on an NAE and on a Metasys network.

Setting up the NAE Alarm Parameters

NAEs ship from the factory with several pre-configured default diagnostic alarms that monitor the NAE hardware.
You can edit these default alarm settings or create new alarms for the NAE hardware.
You can also create new alarms and edit existing alarms for supported field devices on the NAE field trunks.

NAE Commissioning Guide 70

Editing the Existing Alarm Parameters
1. In the Site Management Portal UI, select and drag the desired NAE object or field device object from the Navigation
panel and drop it in the Display panel. The NAE or field device Focus screen opens.
2. Click the Alarm tab. The Alarm Configuration screen opens (Figure 47).
Figure 47: NAE Alarm Configuration Tab

3. Select items in the Select Item(s) list to edit existing alarms. (To create new alarms, see Creating a New Alarm.)
4. Click Edit. The NAE Alarm edit screen appears (Figure 48).

NAE Commissioning Guide 71

 Figure 48: NAE Alarms Tab Edit Mode

5. Edit the desired Attributes for the NAE or field device, and click Save to save the edited alarm settings.

Creating a New Alarm

You can create new alarms for the NAE or any of the supported field devices on the field trunks attached to the NAE.
1. Select and drag the desired NAE or field device object from the Navigation panel into the Display panel. The
NAE or field device object Focus screen opens.
2. Select the Alarm tab and the device’s Alarm screen opens. Click New and the Insert Alarm Wizard opens (Figure
49).

NAE Commissioning Guide 72

 Figure 49: Insert Alarm Wizard

3. Select the device Attribute for which you want to create an alarm.
4. Follow the Wizard instructions and create or edit the values for the Attribute for which you want to create an
alarm.
5. Click Save when you have finished creating the desired alarm parameters for the device Attribute.

Changing Site Director Status of an NAE

All NAEs ship from the factory with a Site object and therefore are Site Directors by default. To designate the Site
Director on a new site, you must demote all the NAEs on the site that are not designated as the Site Director. You
must reset an NAE when it is demoted.
In many Metasys network site commissioning and configuration scenarios, the Site Director status of the NAEs on
the site is built into the archive database for the site. The status of these devices is established on the NAEs when
the archive database is downloaded from the SCT to the site devices. The SCT database download overwrites the
existing values in the NAEs.
Note: If an ADS/ADX/ODS is on a site, an NAE cannot be the Site Director. If an NAE55 is the Site Director, it can
supervise up to four additional supervisory devices on the site (NAE35s, NAE45s, NCE25s, or NAE55s only).
If an NAE45 is the Site Director, it can supervise up to two additional supervisory devices on the site (NAE35s,
NAE45s, or NCE25s only). If an NAE35 is the Site Director, it can supervise up to two additional NAE35s or
NCE25s on the site. NCE25s cannot supervise other network engines and should only be designated as the
Site Director in stand-alone applications.
Designating an NAE as Site Director is typically done offline in the SCT but can be done online in the NAE UI. The
procedure in this section describes how to designate an NAE as the Site Director online in the NAE UI. To do so
with the SCT, go to the Changing the Site Director with the SCT section.

NAE Commissioning Guide 73

Note: If you do the site promotion or demotion online, you may lose any navigation trees built for the site. If User
Views (navigation trees) have already been built, upload them to the SCT, establish the Site Director, and
then download the navigation trees back to the source devices. The Site Director and NAE Computer Name
values in the NAE UI must match the values in the SCT archive database.
To designate an NAE as a Site Director:
1. On the Navigation panel, select the NAE that you wish to demote from Site Director.
2. Drag the NAE into the Display panel to open the Focus tab.
3. Select the Advanced option.
4. Click Edit. The NAE Focus edit screen appears (Figure 50).
5. Scroll down to the Site attributes and select the Local Site Director field.
Figure 50: Designating the Site Director

6. Type the host name or IP address of the NAE or ADS/ADX that you want to designate as the local Site Director.
7. Click Save. A confirmation message box appears (Figure 51).
Figure 51: Confirmation for Demoting Site Director

NAE Commissioning Guide 74

8. If you wish to proceed, click OK to this confirmation message; otherwise, click Cancel. If you click OK, the NAE
logs you out and resets.
Note: To see the Site Director changes just made, wait several minutes for the NAE to reset, then log in again.
The navigation tree shows the NAE is no longer the Site Director.

Changing the Site Director with the SCT

Note: If you have already changed the Site Director and downloaded the site, go to Moving Security Database and
Clearing It from Demoted Site Director Prior to Release 6.0 or Moving Security Database and Clearing It
from Demoted Site Director Release 6.0 or Later.
1. Start the SCT, open the archive database for the site, and choose the new Site Director in the Site object.
2. Download the database so that every device recognizes the new Site Director.

Removing User Accounts from a Demoted Site Director

If you demote a supervisory controller or ADS/ADX from a Site Director to a child device on the site, all user accounts
that you added to the device while it was a Site Director remain in the security database. If you determine that user
accounts on the demoted site should be removed after the demotion has occurred, you must move the security
database and clear it from the demoted Site Director. If your demoted Site Director is at a Metasys release prior to
6.0, follow the instructions in Moving Security Database and Clearing It from Demoted Site Director Prior to Release
6.0. If your demoted Site Director is at Release 6.0 or later, follow the instructions in Moving Security Database and
Clearing It from Demoted Site Director Release 6.0 or Later.

Moving Security Database and Clearing It from Demoted Site Director Prior to Release 6.0
1. Create a backup of the Security database of the demoted device, but only if you are using the same set of users
on the new or existing Site Director.
2. Create a backup of the Security database from one of the devices (NAE/NIE/ADS/ADX) on the site that has
never been a Site Director and has never had a Site Director’s Security database restored to it (in other words,
has a clean Security database with only the default user accounts).
3. Restore the clean copy of the Security database that you created in Step 2 to the device that was demoted from
the Site Director.
4. If you are using the Security database of the demoted device on the new Site Director, restore the Security
database that you backed up in Step 1 to the new or existing Site Director.
5. Create a backup of the Security database from the device that was demoted and restored with a clean database
in Step 3.
This step ensures that the device Security database in the SCT matches the clean Security you restored to the
device in Step 3.

Moving Security Database and Clearing It from Demoted Site Director Release 6.0 or Later
Note: Starting at Release 6.0, the security database backup is performed as part of the SCT upload, regardless of
whether or not the supervisory controller or ADS/ADX is a Site Director.
1. In the SCT, go to Tools > Security Copy to verify that a security database exists for the demoted supervisory
controller. This database is the security backup that was originally used by the Site Director.
Note: If the security database does not exist, it means the controller has never been accessed from the Site
Management Portal and uploaded to the SCT.
If the security database does not exist, go to Step 2. If the security database does exist, go to Step 5.
2. Log in to the demoted controller from the Site Management Portal.
3. Change your password when prompted at the login.
Note: Changing your password creates the security database automatically the next time the SCT database is
uploaded.

NAE Commissioning Guide 75

4. Perform an SCT upload. Once the upload is complete, click Tools > Security Copy in the SCT.
5. In the Security Copy Wizard, do one or both of the following:
•If the Security database of the demoted Supervisory device is required on the new Site Director, perform a
security copy to the Site Director by selecting the Supervisory device that contains the correct security
database.
• If you do not want to use the Site Director Security database on the demoted Supervisory device, perform a
security copy by selecting a Supervisory device that has never had users added to the Security database
and copy to the demoted Supervisory device.
6. Perform an SCT upload for all Supervisory devices that have had their Security databases changed. This upload
ensures that the security database backup is synchronized with the Supervisory device.

Establishing a Dial-up Connection to an NAE

A dial-up connection configuration is typical for a single NAE at a remote location that does not have an Ethernet
connection to a LAN.
The NAE you are dialing out to and the NAE modem must be configured properly for dial-up connections. See the
Modems and Dial-Out Features section for additional information on setting up an NAE and modem for dial-up.
Note: Do not use a dial-up connection for the initial setup of an NAE. Use a direct connection or stable network
connection to commission a new NAE.
The initial default baud rate for dial-up connections is 115,200 baud.
You can use the Launcher application for dial-up connections. Launcher removes the dependency on the public
Java Runtime Engine (JRE) for the Site Management Portal (SMP) user interface by placing a private edition of the
JRE on the client computer. Refer to the Launcher Installation Instructions (LIT-12011783) and the Launcher Tool
Help (LIT-12011742) for information on installing and using the Launcher tool.
To connect to an NAE through a dial-up connection:
1. Start the computer and initiate a dial-up connection to the NAE.
2. Start Launcher.
3. Select the NAE from the SMP profile list of the Launcher, and click Launch.

Configuring an NAE to Dial Out to an ADS/ADX/ODS

An NAE can be configured to dial out through a modem to an ADS/ADX or ODS (on a different site) to deliver trend
data, alarms, and other information to the ADS/ADX or ODS for storage and analysis.
You can use a direct connection from a computer to an NAE to configure the NAE and modem for dial-out. You can
also connect the computer to the NAE with an Ethernet crossover cable to configure the NAE and modem.
Note: The dial-out capability is intended for small networks with a single NAE or only a few NAEs. Each NAE
requires its own modem and phone line connection to dial out to an ADS/ADX or ODS. NAEs without a
modem cannot dial out to an ADS/ADX or ODS through the Site Director’s modem.
1. In the Site Management Portal UI, display the NAE device object.
2. On the View menu, click Selected Item; the NAE Focus window appears in the Display panel. Select the
Advanced option and then click Edit. The NAE Focus edit screen appears. Scroll down to the Site attributes.

NAE Commissioning Guide 76

 Figure 52: Configuring NAE to Dial Out to an ADS/ADX or ODS - Focus Tab

3. Make sure that the ADS/ADX or ODS Connection Type value is Dial (Figure 52).
4. Verify that the ADS/ADX or ODS Repository attribute is the first IP address in the range specified when configuring
the ADS/ADX to accept incoming connections. (Refer to the ADS/ADX Commissioning Guide (LIT-1201645)
or the ODS Commissioning Guide (LIT-12011944) for more information.)
5. Edit the other ADS/ADX or ODS attributes as needed.
6. Click Save.
7. Select the Network tab and click Edit. The Network edit screen appears. Scroll down to the ADS Dial-up section
(Figure 53).

NAE Commissioning Guide 77

 Figure 53: Configuring ADS/ADX or ODS Dial-up on the NAE - Network Tab

8. In the Connect Using drop-down box, select Internal modem or External modem.
9. Type in the Access Number value, which is the complete telephone number of the ADS/ADX, the ODS, or the
Internet service provider (ISP) to which the NAE is dialing.
10. Verify that the ADS/ADX or ODS Dial-up ISP Username and ISP Password values match either the account
(user name and password) selected for incoming messages to the ADS/ADX or ODS or the user name and
password assigned by the ISP.
Note: The user name and password values need not match the Metasys system account values because these
values are used for establishing dial-up connections only.
11. In the Enable DCHP drop-down box, select True or False. If you select False, specify the static IP Address of
the ADS/ADX or ODS computer.
12. Click Save.

Printing Information from the NAE Site Management Portal UI

You can print the NAE information in the panels of the Site Management Portal UI. You must select the information
before you can print it.
1. Select an NAE object in the Navigation panel and drag it to the Display panel of the Site Management Portal UI.
The Focus tab for the selected NAE appears in the Display panel.
Note: You can preview the print output by selecting Print Preview.
2. Select the Item > Print menu option.
3. Select from the available printers and click OK.

Disabling the Windows Firewall on an NAE

This procedure only applies to an NCE25, NAE35, or NAE45 for the purpose of improving the overall performance
of these network engine models. However, for a higher level of security, we recommend that you keep the firewall
enabled at all times. For all other network engines (for example, NAE55s and NAE85s), the firewall setting does not
affect engine performance, so always keep the firewall enabled.

NAE Commissioning Guide 78

Note: This procedure does not in any way affect the image or the database running in the network engine. Also,
the SMP does not indicate whether the firewall is enabled or disabled.
1. Start the NCT in Advanced Mode and connect to the NCE25, NAE35, or NAE45.
2. Click Remote Display to open the Windows desktop.
Figure 54: Windows Desktop for Network Engine

3. Double-click My Device. The folder contents of My Device appears.

NAE Commissioning Guide 79

 Figure 55: Windows Folder

4. Double-click Windows. The folder contents of Windows appears.

5. Locate the application file called SetFirewall.exe.
Figure 56: SetFirewall Tool Icon

6. Double-click SetFirewall.exe. The Set Firewall tool runs.

7. Type Y to the prompt for disabling the Windows firewall (case sensitive) and press Enter. A Success response
appears to indicate that the appropriate change to the Windows registry was made.

NAE Commissioning Guide 80

 Figure 57: Disabling Windows Firewall with Set Firewall Tool

8. Press Enter to exit and close the NCT. Disconnect the network engine from the NCT.
9. Log in to the Metasys SMP of the NCE25, NAE35, or NAE45. To apply this change, you need to restart the
network engine from the SMP. Issue a Reset Device command. After a few minutes, the network engine comes
back online with the Windows firewall disabled.
Figure 58: Issuing Reset Device Command

10. To re-enable the firewall, perform Step 1 to Step 9, and answer Y to the prompt:
Firewall is disabled. Do you want to enable it? Y/N

NAE Commissioning Guide 81

Enabling and Disabling the Warning Banner
Note: To enable the warning banner to appear, the NAE must be a Site Director.
1. In the Site Management Portal UI, display the NAE Site object, click the Site View tab, and then click Edit.
2. Scroll to the bottom of the window to locate the Warning Banner attribute.
Figure 59: Enabling the Warning Banner

3. Select True for the U.S. Department of Defense (DoD) Banner attribute.
4. Click Save. The setting takes from 3 to 5 minutes to become effective at the network engine.
If you want to disable the Warning Banner in the future, select False and click Save.

Replacing an NAE
To replace an NAE on a network site, update the site registration to ensure that devices on the site communicate
with the new (replacement) NAE; otherwise, devices may attempt to communicate with the NAE that was removed
from the site.
If you do not remove an NAE from a site correctly, the Site Director may attempt to send messages to the old NAE,
creating unnecessary network traffic.
If the NAE’s trend data is stored in an ADS repository, forward the data prior to beginning the upgrade by following
these steps for each engine:
1. Select a supervisory engine in the Navigation tree.
2. Select Action > Commands. A list of available commands appears.
3. Select Archive, then click Send. The archived trend data is sent to the ADS/ADX.
To replace an NAE:
1. Using the SCT, upload the current copy of the NAE database.
2. Physically replace the old NAE with the new NAE, connect the new NAE to the network, and power on the new
NAE.
3. Do one of the following:

NAE Commissioning Guide 82

 • Configure the NAE with the same host name and IP address of the old NAE from the Site Management
Portal.
Note: This configuration lets you download the database with SCT without using the Device Change option.
• Verify that the SCT can communicate with the NAE, then select the Device Change option when downloading
the database with SCT to identify the Site Director and host name of the new NAE.
4. Download the existing NAE archive database to the new NAE.

Troubleshooting
This section describes the most common problems you may encounter when you set up and operate NAEs. Use
the general solution guidelines and procedure references in this section to avoid or resolve these problems. Table
26 provides a list of common NAE problems and their solutions. To troubleshoot the NAE-S, also refer to the NAE-S
Commissioning Guide (LIT-12012269) for specific information that applies only to this secure NAE model.
This section is not a troubleshooting guide for Metasys system networks, customer networks, BAS networks, or the
field devices connected to the NAE.
Field device troubleshooting is covered in the field device documentation. Refer to the appropriate field device
documentation for additional information.
Note: To effectively troubleshoot an NAE, it may be necessary to isolate the NAE from the Ethernet network and
the associated field trunks and field devices, and then direct-connect to the NAE with a computer to browse
the Site Management Portal UI.

Common NAE Problems

See the following sections and Table 26 when you encounter a problem with an NAE.

Corrupted NAE Memory

Corruption of nonvolatile NAE flash memory may render an NAE inoperable. Flash memory may become corrupted
for a variety of reasons and is one of the most common NAE problems encountered when commissioning, configuring,
updating, and operating the NAE.
A typical method to recover from corrupted NAE flash memory includes reloading the NAE disk image and downloading
the NAE archive database with a compatible version of the SCT. Refer to the NAE/NIE Update Tool Help
(LIT-12011524) for information on installing the NAE disk image. Refer to the Metasys® SCT Help (LIT-12011964)
for information on upgrading NAE archive databases.

NAE Disk Image Update and Archive Download Related Problems

NAE flash memory commonly becomes corrupted when an NAE disk image update or archive download is interrupted.
To avoid memory corruption and data loss, follow the procedure for disk image updates and archive downloads
carefully, and allow the NAE to complete the update and download without interruption.

Update and upgrade related problems may also occur when the SCT software, NAE software, and the NAE archive
databases are of incompatible versions. When you update the NAE disk image, you must update the NAE archive
database to match the new software version. The SCT application used to configure a Metasys or NAE must also
be of the same software version as the NAE software.
Refer to the NAE/NIE Update Tool Help (LIT-12011524) and see the Related Documentation section of this document
for additional information on disk image updates and archive upgrades and downloads.

Data Protection Battery Related Problems

Improper shipping, handling, installing, charging, or disconnecting of the NAE data protection battery may also result
in flash memory corruption and data loss.

NAE Commissioning Guide 83

To avoid problems related to the data protection battery, refer to the Setup and Adjustment sections in the
NAE35/NAE45 Installation Instructions (Part No. 24-10050-6), the NCE25 Installation Instructions (Part No.
24-10143-63), and the NAE55/NIE55 Installation Instructions (Part No. 24-10051-43) for proper procedures for
connecting, charging, and disconnecting the data protection battery before you connect supply power to the NAE.

Data Protection Battery Testing Procedure

Use this procedure to test the integrity of the battery in the NxE55 network engine. The life expectancy of the 12
VDC battery installed in the NxE55 is 3 to 5 years. The battery monitoring circuit of the NxE55 does not load test
the battery. If the battery fails to maintain a proper voltage level during a power loss, the NxE55 may not be able to
complete a normal shutdown and unarchived data could be lost. Therefore, periodically field test each battery or
replace a battery that is well beyond its life expectancy, even if a battery fault condition does not exist. As a best
practice, establish a regular maintenance schedule to check the batteries of all NxE55s currently in service.
Follow these steps to test the sealed 12 VDC battery used on NxE55s. (This procedure does not apply to the
N40-class network engines, including the NAE35, NAE45, and NCE25.) To perform the test, you need to remove
the battery from the network engine and assemble the parts listed here. Test leads are required to connect the 7.5
ohm resistor to the battery.
Parts required:
• 7.5 ohm, 25 watt resistor (Ohmite® part number D25K7R5) or equivalent
• Jumper wire test leads (22 or 24 gauge)
• DC voltmeter
• Stopwatch or other time source
Follow these steps:
1. Verify the battery you want to test is fully charged.
2. Connect the 7.5 ohm load across the battery.
3. Wait 60 seconds, then record the voltage across the battery terminals (not across the load resistor).
4. Wait another 60 seconds and again record the voltage across the battery terminals.
5. Remove the load from the battery.
6. Subtract the voltage reading taken in Step 4 from the voltage reading taken in Step 3. This is your difference
reading.
• If the difference reading is less than or equal to 0.25 VDC, the battery is good. Reinstall the battery.
• If the difference reading is greater than 0.25 volts, the battery is no longer effective. Replace the battery.

Login Problems
Login problems may occur when the user name or password is incorrectly entered at login. If the default user name
and password fail, the initial values may have been changed by an administrator-level user. You need the designated
user name and password to log in to an NAE.
Whenever you change the Security System database for an N40-class network engine with Release 8.0 or later
(NxE35, NxE45, or NxE25), you must issue the Reset Device command to ensure that the security database is
archived to non-volatile memory. This step is not required for N50-class engines (NxE55s). If you do not perform
this step for a network engine that has a poor or dead battery, and that engine loses power, the latest changes to
the Security System database are lost.
As a last resort, you can also reload the NAE with the NAE/NIE Update Tool, but that process deletes the archive
database. For details, refer to the NAE/NIE Update Tool Help (LIT-12011524).

NAE Commissioning Guide 84

RADIUS Errors
This section describes some situations that may result in error messages after enabling RADIUS to authenticate
user login credentials. When the NAEs are not configured for RADIUS authentication, the standard Metasys login
error messages appear. When the NAEs are configured for RADIUS authentication, RADIUS errors are intentionally
obscured to hinder possible intrusion from unauthorized users. If you encounter these errors and cannot resolve
them, contact your local network administrator. The two figures in this section are examples of the general RADIUS
error messages.
The RADIUS error message in Figure 60 appears in any of the following scenarios:
• The RADIUS server is not online or available when the non-local (RADIUS) user tries to log in to the Metasys
system.
• The server or network engine is configured to communicate with a RADIUS server, but the RADIUS server is
unavailable and therefore does not respond to a login request from the non-local user.
• The non-local user's account is disabled, either in the Metasys system or in the RADIUS server.
• The non-local user's account password has expired.
• The non-local user's account password does not meet the Metasys system password complexity requirements.
• The RADIUS server is enabled, but the Metasys local user account the operator is using is disabled, locked
out, or cannot log in because the user's timesheet does not permit login at this time.
• The RADIUS server is enabled, but the Metasys local user account the operator is using is entered incorrectly.
Figure 60: Login RADIUS Failure Message

The RADIUS error message in Figure 61 appears if you try to log in to an NAE with a non-complex password and
RADIUS is not enabled.
Figure 61: Non-Complex Password Error - RADIUS Disabled

Situations When Metasys System Login Screen Appears for RADIUS Users
The following situations produce the Metasys system login screen for RADIUS users.

NAE Commissioning Guide 85

• when you log out of the Metasys Site Management Portal UI (either manually or when a user session ends)
• if RADIUS user authentication fails for any reason
• when you are logged in to the Windows operating system (OS) with a RADIUS user account that is not privileged
within the Metasys system
• if the RADIUS server is unavailable
• when you are logged in to the Windows OS using a local Windows account and not a RADIUS user account
• when access to RADIUS server is restricted at login time through a RADIUS user time sheet (known as Logon
Hours) or access is restricted to the Metasys system through the Metasys time sheet. RADIUS server Logon
Hours takes precedence, so if you are restricted from operating system access, but not restricted by a Metasys
time sheet, access to the Metasys system as a RADIUS user is not granted.
• if your RADIUS user account is enabled, but overridden to disabled with the Metasys Access Suspended property
within Metasys Security Administration User Properties
• if you log in to a Metasys device such as an ADS, ADX, ODS, SCT, NAE, or NCE
• if Metasys authorization fails for any reason, such as when a user without System Configuration Tool permissions
attempts to log in to SCT
When the Metasys Site Management Portal UI login window appears, and the site has RADIUS authentication
enabled, RADIUS appears in the Login to field.
Figure 62: Metasys Login Screen with RADIUS Server Domain List

NAE Commissioning Guide 86

From this screen, you have the following options:
• Enter a RADIUS username and password, and click RADIUS in the drop-down list.
• Enter a RADIUS username in the form of domain\username and a RADIUS password. (The Login to drop-down
list becomes disabled.)
Note: Usernames are obscured at login for RADIUS accounts. After login, usernames are partially obscured (for
example, JSmith appears as JSm***).
The user credentials are strongly encrypted before being transmitted over the network for authentication. These
credentials are active for the entire Metasys Site Management Portal UI session until you log out (or the user session
terminates).
If the Metasys Device Manager has not fully started, and you try to log in to the network engine, a runtime status
error occurs and the Metasys login screen appears. In this case, the Metasys login screen does not display the
RADIUS server domain drop-down list and you are not able to log in as a RADIUS user.
To log in as a RADIUS user, you must close the login screen, wait a few moments for the Metasys Device Manager
to fully start, then navigate again to the network engine. If you remain at the login screen following the startup error
and do not close it, then log in with a Metasys local user account. All RADIUS menu options and functions are
unavailable. To restore RADIUS options and functions, you must close the browser and navigate to the network
engine again, then specify your RADIUS user credentials.

Network Connection Related Problems

Many network connection and communication problems result from incorrect device names, incorrect IP addresses,
or other attribute value errors entered into the Site Management Portal UI or into the UI of the associated network
devices. If the NAE attribute values do not match the values entered in the devices connected to the NAE, the NAE
and associated devices may not establish network connections or communications.
Check the device names, IP addresses, gateway, subnet masks, ports, baud rates, and other network parameters
in the Site Management Portal UI. Also check the servers, computers, and field devices connected to the NAE, and
ensure that the attribute values are correct for each computer or device.
For example, communication between a Site Director and an NAE could be lost after downloading the network
engine with SCT. This may occur on a network where device name resolution is not implemented. To resolve this
communication issue, log in to the NAE after the download and change the Local Site Director field back to the IP
address of the Site Director. Within minutes after you save this change, the engine comes back online to the Site
Director.
See Determining the NAE IP Address and Device Name for a Network Connection, Determining the NAE IP Address
and Device Name By Using a Serial Port Monitor, and Verifying Ethernet Network Communications (Ping).

NAE Reset Related Problems

Certain setting changes initiated in the Site Management Portal UI do not take effect until the NAE is reset. Reset
the NAE whenever you are prompted, and allow the NAE to complete the reset sequence. See Reset Device
Command.

NAE Commissioning Guide 87

Troubleshooting Guide
Table 26 provides information for troubleshooting an NAE.
Table 26: Troubleshooting the NAE
Problem Solution
The NAE does not operate when powered Corrupted flash memory or data loss are the most common causes of this problem.
on (and the POWER LED is on). To resolve this problem:
1. Ensure that the data protection battery is connected and charged. (Refer to
the unit's Installation Instructions for more information on handling, installing,
and charging the data protection battery.)
2. Ensure that the database does not exceed the NAE flash memory capacity.
3. Reload the disk image and download the archive database to the NAE while
the NAE is disconnected from the network.
NAE does not operate after updating the Corrupted flash memory and data loss are the most common causes of this
disk image, downloading an archive problem. To resolve this problem:
database, or installing a patch. 1. Ensure that the database does not exceed the NAE flash memory capacity.
2. Reload the disk image and download the archive database to the NAE while
the NAE is disconnected from the network.
NAE does not communicate with any other Check to make sure that 24 VAC power is connected correctly and that the 24
device. VAC and POWER LEDs are on.
Check to make sure that communication terminal blocks and other communication
connectors are firmly in place.
Check that the wiring is the correct size (18 AWG minimum for power, 18 AWG
for N2 Bus, 26 AWG for Ethernet communication).
Check that you have set the correct baud rate on each connected device.
Check the integrity of the wires and cables.
Check that N2 end-of-line (EOL) switches are correct. Refer to the Setting
Terminations section of the N2 Communications Bus Technical Bulletin
(LIT-636018) for details on N2 EOL terminations.
No N2 communication (on devices that Check that the N2 wires are connected properly and are not loose in the termination
support the N2 Bus protocol) block.
Check that the N2 LEDs indicate communication.
Check that the N2 EOL switches are correctly set. Refer to the Setting Terminations
section of the N2 Communications Bus Technical Bulletin (LIT-636018) for details
on N2 terminations.
Check the entire N2 Bus. Refer to the N2 Communications Bus Technical Bulletin
(LIT-636018).

NAE Commissioning Guide 88

Table 26: Troubleshooting the NAE
Problem Solution
No LONWORKS communication (on devices Check that the LONWORKS network wires are connected properly and are not loose
that support the LONWORKS protocol) in the termination block.
Connect the Metasys system Connectivity to LONWORKS network Tool, the
COM.PRO Tool, or a third-party LONWORKS network configuration tool to the
LONWORKS network. Verify that it is possible to communicate with the devices on
the network including the NAE. If communication is good, verify that the NAE
database has been generated correctly and that the LONWORKS enabled device
data corresponds to the devices installed. If the NAE does not respond, verify that
the NAE has been correctly installed in the LONWORKS network database and that
the network configuration image has been sent to the NAE. If the NAE cannot be
installed, replace the NAE. Refer to the LONWORKS® Network Integration with NAE
and LCS Technical Bulletin (LIT-1201668) for NAE database generation
information.
Check the entire LONWORKS network. Refer to the LONMARK Guidelines - Physical
Layer for details (http://www.lonmark.org).
No Ethernet communication Verify that you are using a patch cable for a hub or switch and a crossover cable
for a single computer connection.
Check the port and cable integrity. Make sure that either the 10/Link, 100/Link, or
100/1000 Link LED is green or yellow (indicating an established Ethernet
connection; 1000 Mbps Ethernet connection is yellow). Check that the hub or
switch into which the LAN connector is plugged works and is connected correctly.
No modem communication Check the port connector and cable for integrity and make sure you have the right
driver installed and configured if you are using an external modem. Three modem
drivers are pre-installed on the NAE:
• USRobotics USR5637 modem, 56K, external USB modem (firmware version
1.1.0 only)
• Zoom® Telephonics 2985 modem driver
• Multi-Tech Systems MT5634ZBA-USB modem driver
Refer to the N1 Migration with the NIE Technical Bulletin (LIT-1201535).
The USR 5637 modem connects, but To correct this issue, manually set the serial port settings. Check with your paging
garbled characters appear and eventually service provider to verify the correct number of bits and parity. In this example,
communication drops. the Nortel® service uses 7 data bits and even parity. To enter the serial port
settings:
1. On the NAE Communications tab, click Edit.
2. In the External Modem Config section, set the Extra Initialization Commands
to S13=7S19=2, where S13= the number of data bits (S13=7)S19= the required
parity: 0=no parity, 1=odd parity, 2=even parity (S19=2)
3. Reset the NAE.

NAE Commissioning Guide 89

Table 26: Troubleshooting the NAE
Problem Solution
The NAE does not dial in or dial out. Check that you have the right modem configuration string and dialing parameters.
Refer to the N1 Migration with the NIE Technical Bulletin (LIT-1201535), or the
Metasys System Extended Architecture Direct Connection and Dial-Up Connection
Application Note (LIT-1201639).
Check that the modem is set to the correct baud rate. Refer to the N1 Migration
with the NIE Technical Bulletin (LIT-1201535).
Check that the phone line is plugged into the modem port and is active. To check
the phone line, disconnect the NAE modem and use an analog phone to check
that the line is active.
Check that the modem is set up properly for the application in use. For example,
a pager DDA must use a dedicated modem and the Allow Incoming Connections
attribute for this modem must be set to False. Additionally, the MRA feature and
ADS/ADX audit forwarding should not be configured to use the same modem as
the pager. For more details, see Modems and Dial-Out Features.
The NAE loses data. Check to make sure the battery is installed and that the BATT FAULT LED is not
lit. Replace, if necessary, with appropriate replacement battery.
Periodically load-test the battery. The battery protection circuit in the network
engine does not load test the battery, so data loss can occur even if the battery
fault LED is not illuminated.
Do not unnecessarily press the system RE-BOOT switch.
The NAE runs slowly. The amount of data you are trying to process is too much for the NAE to handle.
A value of 50% or less for the CPU Usage attribute of the NAE is considered
acceptable, although other performance indicators should also be assessed. Refer
to the Metasys® SCT Help (LIT-12011964) or Metasys® SMP Help (LIT-1201793)
system for more information. Reduce the size of the database.
The NAE is generating high CPU alarms. Programming objects (LCT, Signal Select, Global Data) referencing analog objects
with small COV values (0.5%) are the most common cause of this problem. To
determine the source of the high CPU usage, follow these steps:
1. Add a Trend extension to the Last Idle Sample of the NAE. This attribute is
the inverted instantaneous CPU Usage. For example, if this number is low
(5%), then the CPU usage is high (95%). The CPU usage is an average over
a 15–30 minute period.
2. Locate programming objects (Control System objects [LCT] or Signal Select)
that reference objects with small COV increments and disable them one at a
time. Monitor the Last Idle Sample value after disabling the object. Within 30
seconds, the Last Idle Sample should significantly increase if that object was
a contributing factor to the high CPU usage.
3. When the problem object is determined, then either manually or with Mass
Edit Live, update the COV increment to a larger value before re-enabling the
programming object.
All communication is disrupted. Check for possible external interference. To reduce RF interference, do not use
cell phones or handheld transceivers within 3 meters (10 feet) of the NAE.
Check that the power transformer secondary is not shared with another load.

NAE Commissioning Guide 90

Table 26: Troubleshooting the NAE
Problem Solution
The NAE overheats. When the internal temperature reaches the high limit, the NAE issues an alarm
and lights the GENL FAULT or FAULT LED, allowing you a chance to intervene
before heat-related damage results.
Check that the unit has been installed according to the installation instructions
and that the mounting orientation is correct.
Make sure cables are not blocking the ventilation of the unit.
Clean out the dust in the unit with canned air (pressurized air used to clean
computers and other sensitive devices).
The internal modem no longer functions. Use the USB port and connect an external modem or replace unit. (Refer to the
modem literature for more information on using external modems with the NAE.)
The unit has been damaged or all external Replace the NAE.
causes of failure have been checked.

NAE Diagnostic Tools

The NAE hardware and UI provide tools for diagnosing and troubleshooting hardware and software problems with
the NAE.
The primary NAE diagnostic tools include:
• the NAE LED Status Indicators
• the Diagnostic Tab
• the Summary Tab
• a serial point monitor (see Determining the NAE IP Address and Device Name By Using a Serial Port Monitor.)
Other tools are also available, such as the SNMP Trap Browser and the ping command for determining the NAE IP
address and the ability to communicate on the TCP/IP network. See Determining the NAE IP Address and Device
Name for a Network Connection and Troubleshooting Procedures for information on using the Trap Browser and
the ping command.

NAE LED Status Indicators

Figure 63, Figure 64, and Figure 65 show the location and designation of the NAE35, NAE45, NAE55, and NIE55
LEDs that indicate the status of the engines. Some models do not have all the LEDs shown in these figures. Table
27 describes their Normal Status and Function. See Figure 66 and refer to the NCE25 Installation Instructions (Part
No. 24-10143-63) for information on the NCE25 LED status indicators.

NAE Commissioning Guide 91

 Figure 63: NAE35/NAE45 LED Status Indicators

Figure 64: NAE55 LED Status Indicators

Figure 65: NIE55 LED Status Indicators

NAE Commissioning Guide 92

 Figure 66: NCE25 LED Status Indicators

Table 27: NAE LED Status Indicators

LED Label NAE Series Normal Descriptions/Other Conditions
(Color) Status
POWER (Green) NAE35/45 NAE55 On Steady On Steady = Unit is getting power from either the battery or 24 VAC
NIE55 NCE25 power. Also see the 24 VAC LED. Off Steady = Unit is shut down.
ETHERNET NAE35/45 NAE55 Flicker Flicker = Data is transferring on the Ethernet connection. Ethernet
(Green) NIE55 NCE25 traffic is general traffic (may not be for the NAE).
Off Steady = No Ethernet traffic, probably indicates a dead Ethernet
network or bad Ethernet connection.
10/LINK (Green) NAE35/45 NAE55 On Steady On Steady = Ethernet connection is established at 10 Mb/s.
NIE55 NCE25
100/LINK (Green) NAE35/45 NCE25 On Steady On Steady = Ethernet connection is established at 100 Mb/s
100/1000 Link NAE55 NIE55 On Steady On Steady (Green) = Ethernet connection is established at 100
(Green/Yellow) Mb/s.
On Steady (Yellow) = Ethernet connection is established at 1,000
Mb/s.
FCA (Green) NAE55 Flicker On Steady = Controllers are defined to FC A (Trunk 1) in the NAE55,
but none are communicating. (NAE55 transmitting only)
Flicker = Normal communications; FC A port is transmitting and
receiving data. Flickers are generally in sync with data transmission
but should not be used to indicate specific transmission times.
Off Steady = No controllers are defined to FC A (FC Bus 1 or N2
Trunk 1) in the NAE55.
FCB (Green) NAE55 Flicker On Steady = Controllers are defined to FC B (Trunk 2) in the NAE55,
but none are communicating. (NAE55 transmitting only)
Flicker = Normal communications; FC B port is transmitting and
receiving data. Flickers are generally in sync with data transmission
but should not be used to indicate specific transmission times.
Off Steady = No controllers are defined to FC B (FC Bus 2 or N2
Trunk 2) in the NAE55.

NAE Commissioning Guide 93

Table 27: NAE LED Status Indicators
LED Label NAE Series Normal Descriptions/Other Conditions
(Color) Status
1 NAE35/45 NCE25 Flicker = N2 controllers are defined to FC BUS in the NAE35/45,
FC BUS or LON
but none are communicating. (NAE35/45 transmitting only)
Fast Flicker (may appear Steady on) = Normal communications; FC
BUS port is transmitting and receiving data. Flickers are generally
in sync with data transmission but do not indicate specific
transmission times.
Off Steady = No field controllers are defined to FC BUS in the
NAE35/45.
SA BUS (Green) NCE25 Blinking Blinking - 5 Hz = Data Transmission (normal communication) Off
Steady = No Data Transmission On Steady = Communication lost,
waiting to join communication ring
PEER COMM NAE35/45 NAE55 Varies (see Flicker = Data traffic between NAE devices. For an NAE that is not
(Green) NIE55 NCE25 next column) a Site Director, this LED indicates regular heartbeat communications
with the Site Director. For a Site Director NAE, flashes are more
frequent and indicate heartbeat communications from all other NAE
devices on the site. For a single NAE on a network without an
ADS/ADX, there is no flicker.
RUN (Green) NAE35/45 NAE55 On Steady On Steady = NAE software is running.
NIE55 NCE25
On 1 second, Off 1 second = NAE software is in startup mode.
On 0.5 seconds, Off 0.5 seconds = NAE software is shutting down.
Off Steady = Operating system is shutting down or software is not
running.
24 VAC (Green) NAE55 NIE55 On Steady On Steady = 24 VAC power present
Off Steady = Loss of 24 VAC power. In the Off Steady condition,
the NAE may be running on battery power. Also see the POWER
LED.
2 NAE35/45 NCE25 Flicker Flicker indicates modem is connected and receiving data.
MODEM RX
2 NAE35/45 NCE25 Flicker Flicker indicates modem is connected and transmitting data.
MODEM TX
BATT FAULT (Red) NAE35/45 NAE55 Off Steady On Steady = Battery fault. Replace the battery. Battery not connected
NIE55 NCE25 or cannot be charged. The BATT FAULT LED may remain On for
up to 24 hours after initially powering on the NAE. If the BATT
FAULT LED remains on longer than 48 hours after initially powering
on the NAE, check the battery connection or replace the battery.
GENL FAULT or NAE35/45 NAE55 Off Steady On Steady = General Fault. Fault conditions are user configured in
FAULT (Red) NIE55 NCE25 software. Pre-configured fault conditions include excessive use,
flash or memory use, excessive CPU or printed wire board (PWB)
temperature, or battery fault. In normal operation, the GENL FAULT
LED stays on steady for the first half of the startup sequence.
Note: On NAE35/45 and NCE25 models, the GENL FAULT LED
label designation is FAULT.

1 LED labeled FC BUS on models that support MS/TP Bus or N2 Bus and labeled LON on models that support LONWORKS
network.
2 Modem LEDs are only on NCE25 models with internal modems.

NAE Commissioning Guide 94

NAE35/NAE45 LED Startup Sequence
During startup, the NAE35/NAE45 automatically initiates an LED test to verify the operational status of the LEDs.
Immediately after connecting supply power, the following LED lighting sequence occurs:
1. The POWER, FAULT, RUN, and PEER COM LEDs turn on, indicating that the OS is starting up. (After 2 seconds,
the LEDs may change states depending on site-specific network activity.)
2. The PEER COM and FAULT LEDs shut off. The RUN LED flashes to indicate that the NAE35/NAE45 software
is loading.
3. The LEDs display the operational status of the NAE35/NAE45. When the RUN LED goes on steady, startup is
complete and the NAE35/NAE45 is operational.
The total time to start up the NAE35/NAE45 depends on the size of the database and may take several minutes.

NAE55/NIE55 LED Startup Sequence

During startup, the NAE55/NIE55 automatically initiates an LED test to verify the operational status of the LEDs.
Immediately after connecting supply power, the following LED lighting sequence occurs:
1. The POWER, PEER COM, RUN, and GENL FAULT LEDs turn on, indicating that the OS is starting up. For the
NAE55, the N2A and N2B LEDs also turn on.
2. The FCA, FCB, PEER COM, and GENL FAULT LEDs shut off. The RUN LED flashes to indicate that the
NAE55/NIE55 software is loading.
3. The LEDs display the operational status of the NAE55/NIE55. When the RUN LED goes on steady, the application
is running and the NAE55/NIE55 is ready.
The total time to start up the NAE55/NIE55 depends on the size of the database and may take up to 15 minutes.
Note: The NIE55 does not have FCA and FCB LEDs.

NCE25 LED Startup Sequence

During startup, the NCE25 automatically initiates an LED test to verify the operational status of the LEDs. Immediately
after connecting supply power, the following LED lighting sequence occurs:
1. The POWER, BATT FAULT, 10 LINK, FAULT, RUN, and PEER COM LEDs turn on, indicating that the OS is
starting up. (After 2 seconds, the LEDs may change states depending on site-specific network activity.)
2. The BATT FAULT, PEER COM, and FAULT LEDs shut off. The RUN LED flashes to indicate that the NCE
software is loading.
3. The LEDs display the operational status of the NCE. When the RUN LED goes on steady, startup is complete
and the NCE is operational.
The total time to start up the NCE25 depends on the size of the database and can take several minutes.

Diagnostic Tab
The Diagnostic tab displays NAE hardware status information that may aid troubleshooting.
With the NAE object selected, click the Diagnostic tab to view current information about the NAE hardware status.
Figure 67 shows an example.

NAE Commissioning Guide 95

 Figure 67: NAE Diagnostic Tab

You can also select and drag Network Protocol objects into the Display panel and click the Diagnostic tab to view
information for the selected Network protocol (Figure 68).

NAE Commissioning Guide 96

 Figure 68: BACnet Protocol Diagnostic Tab

Summary Tab
The Summary tab (Figure 69) in the Site Management Portal UI provides a quick view of the status of the objects
and items currently in your site.
Select, drag, and drop an object from the Navigation panel in the Display panel, and click the Summary tab. When
you first click the Summary tab, the NAE requests the status of the items in the Display panel (Figure 69). This
request may take a few minutes.
For additional information and explanations of the attributes found in the Summary and Diagnostic tabs, refer to the
Object Help in the Metasys® SCT Help (LIT-12011964) or the Metasys® SMP Help (LIT-1201793).

NAE Commissioning Guide 97

 Figure 69: NAE Summary Tab

NAE Commissioning Guide 98

Troubleshooting Procedures

Verifying Ethernet Network Communications (Ping)

You can use the ping command to verify that computers on the Ethernet network can communicate with other
computers on the network.
To use the ping command, you must have a computer configured to use the TCP/IP protocol and at least one other
computer connected to the network.
To verify the computers can communicate on the network using the ping command:
1. Go to Start > Run. Type cmd, then click OK to display the Command Prompt window. (If you are using Windows
8.1, Windows 8, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012, type Command
Prompt from the Start screen, then select Command Prompt from the Apps results.)
2. Type the ping command. Use the format ping <address>, where <address> is the IP address or domain name
of the computer you want to ping. (For example: 198.81.196.2, www.jci.com, or NAE008066050FFC.)
3. Press Enter.
If you receive a reply, the computers are communicating on the network.
If you do not receive a reply, try pinging your own computer address.
• If you can ping your own address but not any other addresses, the problem is with the network. Check the Link
light on the network card.
• If you cannot get a reply from your own address, the problem is probably with the network card in your computer
or with the TCP/IP properties. Check the network card in your computer, and verify the TCP/IP properties.

Pre-Boot Execution Environment (PXE)

The NAE implements a PXE client. If your network uses a PXE server, exclude the NAE MAC address from the PXE
server. If you do not exclude the NAE MAC address, the NAE may not start properly.
Note: Consult with the system administrator or IT department to determine if the network has a PXE server.

Determining the NAE IP Address and Device Name for a Network Connection
The IP address determined by this procedure is the IP address used on a building network connection, not serial or
dial connections.

Determining the NAE IP Address By Using the NCT

You can use the Network Engine (NxE) Information and Configuration Tool (NCT) to discover the NAE. To determine
the IP address of an NxE by using the NCT to discover the device, start the NCT, click Discover, and look for the
NxE in the Discovered Devices list. The NxEs must be connected to the same subnet as the NCT computer for the
NCT to detect them. For more information, refer to the NxE Information and Configuration Tool Technical Bulletin
(LIT-1201990).

Determining the NAE IP Address and Device Name By Using a Serial Port Monitor
When an NAE35, NAE45, NAE55, NIE55, or NCE25 is powered on, it sends a text string to its serial port that contains
helpful information, such as its current IP address and device name. For the NAE35 or NAE45, this data stream is
sent to the RS232C A Serial Port. For the NAE55 or NIE55, this data stream is sent to Serial Port B; for the NCE25,
the data is sent to the RS232C port. Table 28 and Table 29 provide examples of the data that is sent.
Table 28: Example NAE35, NAE45, NCE25 Startup Data Stream
Device Information Example Output
Host Name NAE-1
DHCP Enabled Yes

NAE Commissioning Guide 99

Table 28: Example NAE35, NAE45, NCE25 Startup Data Stream
Device Information Example Output
IP Address 159.222.8.206
Subnet Mask 255.255.252.0
Default Gateway 159.222.8.2
DHCP Server 159.222.8.9
MAC Address 00-80-66-05-0F-FC
Neuron® ID 00-00-00-00-00-00
Model Number MS-NAE4511-1
RAM Memory 108 Mb
NAND Memory 101 Mb
OS Type Windows CE
COM1 115200, 8, –1
Internal Modem 115200, 8, –1
USB Modem 115200, 8, –1
Battery Status Good

Table 29: Example NAE55 or NIE55 Startup Data Stream

Device Information Example Output
Host Name NAE-1
DHCP Enabled Yes
IP Address 159.222.8.206
Subnet Mask 255.255.252.0
Default Gateway 159.222.8.2
DHCP Server 159.222.8.9
MAC Address 00-80-66-05-0F-FC
Neuron ID 00-06-10-25-03-00
Model Name
MS-NAE5501

Note: The IP address and device name are internal to the NAE and change if the NAE is attached to a network
using DHCP, unless the DHCP server is configured to assign a static IP address. Also, if the NAE has an IP
address and is then disconnected from the network, a VT100 terminal emulator sees zeros as the IP address
until the NAE is restarted.
To determine the NAE IP address and device name, attach an RS232 DB9 cable between the serial ports of the
computer and the NAE, then connect a computer monitor. Install a VT100 terminal emulator program on the computer
that connects to the device. Check with your IT department (or technical support team) for a recommended VT100
terminal emulator program to use with your Windows operating system. (In the terminal emulator program, use these
settings: baud rate=115200 bps; data length=8 bit; no parity; one stop bit.)

Setting a Computer to be Compatible with APIPA

If you are configuring an NAE for use on an Ethernet network without DHCP or DNS support, the computer’s IP
address must be compatible with automatic private IP addressing (APIPA).
1. View the local area connection properties of the active network connection as follows:

NAE Commissioning Guide 100

 a. In Control Panel, select Network and Internet > Network and Sharing Center > Change adapter settings.
The Network Connections window appears.
b. Right-click Local Area Connection and select Properties. The Local Area Connection Properties window
appears.
2. Click Internet Protocol Version 4 (TCP/IPv4) and then click Properties.
3. Make sure the option Obtain an IP address automatically is selected.

Related Documentation
Table 30: NAE Related Documentation
For Information On See Document
Overview of the Metasys System Network Features and Functions Metasys® System Configuration Guide (LIT-12011832)
Definition of Terms, Concepts, and Acronyms Commonly Used to Metasys System Extended Architecture Glossary
Describe the Metasys System Technical Bulletin (LIT-1201612)
General Network and Information Technology Definitions and Network and IT Guidance Technical Bulletin
Concepts, and Creating a Printer DDA for an NAE (LIT-12011279)
Daily Operation of the Metasys System Network, Navigating the SMP Metasys® SMP Help (LIT-1201793)
UI or SCT UI, Monitoring and Controlling BAS Networks, and
Metasys® SCT Help (LIT-12011964)
Connecting to Cloud-Based Applications
Installation Considerations and Guidelines, Mounting, Wiring, and NAE35/NAE45 Installation Instructions (Part No.
Starting up an NAE35 or NAE45 24-10050-6)
Installation Considerations and Guidelines, Mounting, Wiring, and NAE55/NIE55 Installation Instructions (Part No.
Starting up an NAE55 or NIE55 24-10051-43)
Installation Considerations and Guidelines, Mounting, Wiring, and NAE55-S Installation Instructions (Part No.
Starting up an NAE-S 24-10051-108)
Installation Considerations and Guidelines, Mounting, Wiring, and NCE25 Installation Instructions (Part No. 24-10143-63)
Starting up an NCE25
Additional Guidelines for Commissioning and Configuring and NCE Technical Bulletin (LIT-12011267)
NCE25 Network Engines
Additional Guidelines for Commissioning NxE85 Network Engines NxE85 Commissioning Guide (LIT-12011044)
Additional Guidelines for Commissioning NxE89 Network Engines NIE89 Commissioning Guide (LIT-12011920)
Commissioning NIEx9 Network Engines NIEx9 Commissioning Guide (LIT-12011922)
Updating the NAE/NIE Disk Image to New Software Release Versions NAE/NIE Update Tool Help (LIT-12011524)
Installing the ADS and ADX Software Metasys Server Installation and Upgrade Instructions
Wizard (LIT-12012162)
Installing the ADS-Lite Software Metasys Server Lite Installation and Upgrade
Instructions Wizard (LIT-12012258)
Installing the ODS Software ODS Installation and Upgrade Instructions Wizard
(LIT-12011945)
Installing the SCT Software SCT Installation and Upgrade Instructions Wizard
(LIT-12012067)
Creating, Editing, and Loading Archive Databases with the SCT Metasys® SCT Help (LIT-12011964)
Managing Trusted Certificates Created for Network Engines Metasys® SCT Help (LIT-12011964)
Integrating N2 Devices into the Metasys System Network N2 Integration with the NAE Technical Bulletin
(LIT-1201683)
How to Install the CCT Software CCT Installation Instructions (LIT-12011529)
Using the Controller Configuration Tool Controller Tool Help (LIT-12011147)

NAE Commissioning Guide 101

Table 30: NAE Related Documentation
For Information On See Document
NAE/NCE BACnet® Protocol Conformance NAE/NCE Protocol Implementation Conformance
Statement (LIT-1201532)
How to Set Up a Local or Remote MS/TP Communications Bus MS/TP Communications Bus Technical Bulletin
(LIT-12011034)
Enabling NAEs to Communicate with MS/TP Controllers over ZFR1800 Series Wireless Field Bus System Technical
Wireless Mesh Networks Bulletin (LIT-12011295)
Integrating LonWorks Devices into the Metasys System Network LONWORKS® Network Integration with NAE and LCS
Technical Bulletin (LIT-1201668)
Migrating N1 Networks to the Metasys System Network N1 Migration with the NIE Technical Bulletin
(LIT-1201535)
Integrating Local and Remote BACnet® MS/TP and BACnet IP BACnet® Controller Integration with NAE/NCE/ODS
Devices into the Metasys System Network Technical Bulletin (LIT-1201531)
Security Issues, Including Adding Users and Roles to the System Security Administrator System Technical Bulletin
and Configuring Standard and Basic Access Modes (LIT-1201528)
Installing the Launcher Application Launcher Installation Instructions (LIT-12011783)
Using the Launcher, Accessing a Metasys System Network through Launcher Tool Help (LIT-12011742)
Dial-up Connections
Dialing into a Metasys System Network from a Computer Metasys System Direct Connection and Dial-Up
Connection Application Note (LIT-1201639)

1 This LIT number represents a printer-friendly version of the Help.

2 Use the wizard to generate instructions specific to your system.

Technical Specifications
Table 31: NCE25
Power Requirement Dedicated nominal 24 VAC, Class 2 power supply (North America), safety extra-low voltage
(SELV) power supply (Europe), at 50/60 Hz (20 VAC minimum to 30 VAC maximum)
Power Consumption 25 VA maximum for NCE25 only
Note: The 25 VA rating does not include any power supplied by the NCE to devices connected
at the NCE binary outputs (BOs). BO devices connected to and powered by an NCE
can require an additional 125 VA (maximum).
Ambient Operating Conditions 0 to 50°C (32 to 122°F), 10 to 90% RH, 30°C (86°F) maximum dew point
Ambient Storage Conditions -40 to 70°C (-40 to 158°F), 5 to 95% RH, 30°C (86°F) maximum dew point
Data Protection Battery Supports data protection on power failure. Rechargeable NiMH battery: 3.6 VDC 500 mAh,
with a typical life of 5 to 7 years at 21°C (70°F); Product Code Number: MS-BAT1020-0
Processors Supervisory Controller: 192 MHz Renesas® SH4 7760 RISC processor
Field Controller: 20 MHz Renesas H8S2398 processor
Memory Supervisory Controller: 128 MB flash nonvolatile memory for operating system, configuration
data, and operations data storage and backup and 128 MB synchronous dynamic random
access memory (SDRAM) for operations data dynamic memory
Field Controller: 1 MB flash memory and 1 MB RAM
Operating System Microsoft Windows CE embedded 6.0

NAE Commissioning Guide 102

Table 31: NCE25
Network and Serial Interfaces One Ethernet port; 10/100 Mbps; 8-pin RJ-45 connector
(Depending on NCE model.) One optically isolated RS-485 SA Bus port; with a pluggable and keyed 4-position terminal
block (on all NCE25 models)
One optically isolated RS-485 port; with a pluggable and keyed 4-position terminal block (only
on NCE25 models that support an N2 Bus or MS/TP bus trunk)
One LONWORKS port; FTT10 78 Kbps; pluggable, keyed 3-position terminal block (only on
NCE25 models that support a LONWORKS Network trunk)
One RS-232-C serial port with standard 9-pin sub-D connector that supports standard baud
rates
One USB serial port with standard USB connector
Option: One 6-pin modular jack for connecting to internal modem; up to 56 Kbps
Analog Input/Analog Output Analog Input Points: 16-bit resolution
Point Resolution
Analog Output Points: 16-bit resolution and ±200 mV accuracy on 0-10 VDC applications
Input/Output Capabilities 10-Universal Inputs: Defined as 0–10 VDC, 4–20mA, 0–600k ohm, or Binary Dry Contact
8-Binary Inputs: Defined as Dry Contact Maintained or Pulse/Accumulator Mode
4-Analog Outputs: Defined as 0–10 VDC or 4–20mA
7-Binary Outputs: Defined as 24 VAC Triac (selectable internal or external source power)
4-Configurable Outputs: Defined as 0–10 VDC or 24 VAC Triac BO
Dimensions 155 x 270 x 64 mm (6.1 x 10.6 x 2.5 in.), minimum mounting space required: 250 x 370 x 110
mm (9.8 x 14.6 x 4.3 in.)
(Height x Width x Depth)
Housing Plastic housing
Plastic material: ABS and polycarbonate
Protection: IP20 (IEC60529)
Mounting On flat surface with screws, on three mounting clips, or a single 35 mm DIN rail
Shipping Weight 1.2 kg (2.7 lb)
Compliance United States: UL Listed, File E107041, CCN PAZX, UL 916, Energy Management Equipment
FCC Compliant to CFR47, Part 15, Subpart B, Class A
Canada: UL Listed, File E107041, CCN PAZX7, CAN/CSA C22.2 No. 205, Signal Equipment
Industry Canada Compliant, ICES-003
Europe: CE Mark - Johnson Controls declares that this product is in compliance with the
essential requirements and other relevant provisions of the EMC Directive.
Australia and New Zealand: RCM Mark, Australia/NZ Emissions Compliant

BACnet International: BACnet Testing Laboratories™ (BTL) 135-2010 Listed BACnet Building
Controller (B-BC)

Table 32: NAE35 and NAE45

Power Requirement Dedicated nominal 24 VAC, Class 2 power supply (North America), SELV power supply (Europe), at
50/60 Hz (20 VAC minimum to 30 VAC maximum)
Power Consumption 25 VA maximum
Ambient Operating 0 to 50°C (32 to 122°F); 10 to 90% RH, 30°C (86°F) maximum dew point
Conditions
Ambient Storage -40 to 70°C (-40 to 158°F); 5 to 95% RH, 30°C (86°F) maximum dew point
Conditions

NAE Commissioning Guide 103

Table 32: NAE35 and NAE45
Data Protection Battery Supports data protection on power failure. Rechargeable NiMH battery: 3.6 VDC 500 mAh, with a
typical life of 5 to 7 years at 21°C (70°F); Product Code Number: MS-BAT1020-0
Processor 192 MHz Renesas SH4 7760 RISC processor
Memory 128 MB flash nonvolatile memory for operating system, configuration data, and operations data storage
and backup
128 MB SDRAM for operations data dynamic memory
Operating System Microsoft Windows Embedded CE 6.0
Network and Serial One Ethernet port; connects at 10 or 100 Mbps; 8-pin RJ-45 connector
Interfaces
One optically isolated RS-485 port; 9.6k, 19.2k, 38.4k, or 76.8k baud (depending on protocol); with a
pluggable and keyed 4-position terminal block (FC Bus available on NAE351x and NAE451x models
only)
One LONWORKS port; FTT10 78 Kbps; pluggable, keyed 3-position terminal block (LONWORKS port
available on NAE352x-x and NAE452x models only)
One RS-232-C serial port with standard 9-pin sub-D connector that supports standard baud rates.
A second serial port, on models without an internal modem, that supports an optional, user-supplied
external modem.
One USB serial port with standard USB connector that supports an optional, user-supplied external
modem.
Option: One telephone port for internal modem; up to 56 Kbps; 6-pin modular connector (NAE models
with an optional internal modem have one RS-232-C serial port only.)
Housing Plastic housing material: ABS polycarbonate
UL94-5VB Protection: IP20 (IEC 60529)
Mounting On flat surface with screws on three mounting clips or a single 35 mm DIN rail
Dimensions (Height x 131 x 270 x 62 mm (5-3/16 x 10-5/8 x 2-1/2 in.)
Width x Depth) Minimum space for mounting NAE35 and NAE45: 210 x 350 x 110 mm (8-3/16 x 13-13/16 x 4.-5/16
in.)
Shipping Weight 1.2 kg (2.7 lb)
Compliance United States: UL Listed, File E107041, CCN PAZX, UL 916, Energy Management Equipment, UL
Listed, FIle S4977, UUKL 864 - 9th Edition, Smoke Control Equipment(MS-NAE35x0-2U and
MS-NAE45x0-2U models only) FCC Compliant to CFR47, Part 15, Subpart B, Class A
Canada: UL Listed, File E107041, CCN PAZX7, CAN/CSA C22.2 No. 205, Signal Equipment; Industry
Canada Compliant, ICES-003
Australia and New Zealand: RCM Mark, Australia/NZ Emissions Compliant
Europe: CE Mark – Johnson Controls declares that this product is in compliance with the essential
requirements and other relevant provisions of the EMC Directive.
BACnet International: BACnet Testing Laboratories™ (BTL) 135-2010 Listed BACnet Building
Controller (B-BC)

Table 33: NAE55xx-3 and NIE55xx-3

Power Requirement Dedicated nominal 24 VAC, Class 2 power supply (North America), SELV power supply (Europe), at
50/60 Hz (20 VAC minimum to 30 VAC maximum)
Power Consumption 50 VA maximum
Ambient Operating 0 to 50°C (32 to 122°F); 10 to 90% RH, 30°C (86°F) maximum dew point
Conditions
Ambient Storage -40 to 70°C (-40 to 158°F); 5 to 95% RH, 30°C (86°F) maximum dew point
Conditions

NAE Commissioning Guide 104

Table 33: NAE55xx-3 and NIE55xx-3
Data Protection Battery Supports data protection on power failure. Rechargeable gel cell battery: 12 V, 1.2 Ah, with a typical
life of 3 to 5 years at 21°C (70°F); Product Code Number: MS-BAT1010-0
Clock Battery Maintains real-time clock through a power failure. Onboard cell; typical life 10 years at 21°C (70°F)
Processor 1.46 GHz Intel® Atom® Bay Trail E3815 processor for MS-NAE55xx-3 models
Memory 16 GB flash nonvolatile memory for operating system, configuration data, and operations data storage
and backup for MS-NAE55xx-3 models.
2 GB DDR3 SDRAM for operations data dynamic memory for all models
Operating System Johnson Controls OEM Version of Microsoft Windows Embedded Standard 7 with SP1 (WES7)
Network and Serial One Ethernet port; 10/100/1,000 Mbps; 8-pin RJ-45 connector
Interfaces
Two optically isolated RS-485 ports; 9,600, 19.2k, 38.4k, or 76.8k baud; pluggable and keyed 4 position
terminal blocks (RS-485 terminal blocks available on NAE55 models only)
Two RS-232-C serial ports, with standard 9-pin sub-D connectors, that support all standard baud rates
Two USB 2.0 serial ports; standard USB connectors support an optional, user-supplied external modem
Options: One telephone port for internal modem; up to 56 kbps; 6-pin RJ-12 connector
One LONWORKS port; FTT10 78 Kbps; pluggable, keyed 3-position terminal block (LONWORKS port
available on NAE552x-x models only)
Housing Plastic housing with internal metal shield
Plastic material: ABS + polycarbonate; Protection: IP20 (IEC 60529)
Mounting On flat surface with screws on four mounting feet or on dual 35 mm DIN rail
Dimensions (Height x 226 x 332 x 96.5 mm (8.9 x 13.1 x 3.8 in.) including mounting feet
Width x Depth)
Minimum space for mounting: 303 x 408 x 148 mm (12.0 x 16.1 x 5.8 in.)
Shipping Weight 2.9 kg (6.4 lb)
Compliance United States: UL Listed, File E107041, CCN PAZX, UL 916, Energy Management Equipment, FCC
Compliant to CFR47, Part 15, Subpart B, Class A
Canada: UL Listed, File E107041, CCN PAZX7, CAN/CSA C22.2 No. 205, Signal Equipment, Industry
Canada Compliant, ICES-003
Europe: CE Mark - Johnson Controls declares that this product is in compliance with the essential
requirements and other relevant provisions of the EMC Directive.
Australia and New Zealand: RCM Mark, Australia/NZ Emissions Compliant
BACnet International: BACnet Testing Laboratories™ (BTL) 135-2010 Listed BACnet Building
Controller (B-BC)

Table 34: NAE-S Technical Specifications (North America and Canada Only)
Power Requirements NAE551S-2 Engine:
Dedicated nominal 24 VAC, Class 2 power supply (North America), at 50/60 Hz (20 VAC minimum to
30 VAC maximum)
Internal Module with Embedded Encryption Technology:
Input: Dedicated nominal 100–240 VAC, Class 1 power supply (North America), at 50/60 Hz (85 VAC
minimum to 264 VAC maximum)
Output: 24 VDC (22 VDC minimum to 26 VDC maximum)
Power Consumption 50 VA maximum
Power Specifications Dedicated nominal 24 VDC, input voltage range 85–264 VAC (120–375 VDC), output current 2.0A
for Encryption Board
Ambient Operating 32 to 122°F (0 to 50°C); 10 to 90% RH, 86°F (30°C) maximum dew point
Conditions

NAE Commissioning Guide 105

Table 34: NAE-S Technical Specifications (North America and Canada Only)
Ambient Storage -40 to 158°F (-40 to 70°C); 5 to 95% RH, 86°F (30°C) maximum dew point
Conditions
Data Protection Battery Supports data protection on power failure. Rechargeable gel cell battery: 12 V, 1.2 Ah, with a typical
life of 3 to 5 years at 70°F (21°C); Product Code Number: MS-BAT1010-0
Clock Battery Maintains real-time clock through a power failure. Onboard cell; typical life 10 years at 70°F (21°C)
Processor 1.6 GHz Intel® Atom® processor
Memory 4 GB flash nonvolatile memory for operating system, configuration data, and operations data storage
and backu
1 GB SDRAM for operations data dynamic memory for all models
Network and Serial One Ethernet port; 10/100/1000 Mbps; 8-pin RJ-45 connector
Interfaces
Two optically isolated RS-485 ports; 9600, 19.2k, 38.4k, or 76.8k baud; pluggable and keyed 4 position
terminal blocks (RS-485 terminal blocks available)
Housing Plastic housing with internal metal shield
Plastic material: ABS + polycarbonate; Protection: IP20 (IEC 60529)
Mounting Must be mounted in a locked, secure panel using four mounting feet or dual 35 mm DIN rails.
Dimensions (Height x 8.9 x 13.1 x 3.8 in. (226 x 332 x 96.5 mm) including mounting feet
Width x Depth)
Minimum space for mounting: 12.0 x 16.1 x 5.8 in. (303 x 408 x 148 mm)
Shipping Weight 10.4 lb (3.88 kg )
Shipping Restriction The Bureau of Industry and Security of the U.S. Department of Commerce has regulated this shipment
under 740.17(b)(2) of the EAR and restricted the shipment of this product to the following countries:
Cuba, Iran, North Korea, Sudan, and Syria.
Compliance United States: UL 508A and CCN NITW Industrial Control Panel Listed, FCC Compliant to CFR47,
Part 15, Subpart B, Class A
Canada: cUL CSA-C22.2 No. 14, CCN NITW7, Industrial Control Equipment; IC Compliant to ICES-003
Class A
BACnet International: BACnet Testing Laboratories™ (BTL) 135-2010 Listed BACnet Building
Controller (B-BC)

Table 35: NxE85 Model

Computer Type Dell® PowerEdge® R420 or latest equivalent
Power Requirement 120–240 VAC 50/60 Hz
Power Supply 480 W
Ambient Operating Conditions 10 to 35°C (50 to 95°F); 20 to 80% RH (noncondensing twmax = 29°C)
Ambient Storage Conditions -40 to 65°C (-40 to 149°F); 5 to 95% RH (noncondensing twmax = 38°C)
Data Protection Recommended Uninterruptible Power Supply (UPS): American Power Conversion
(APC®) Smart-UPS SC 450VA, 280 W, 120 VAC input/output, NEMA 5-15R output
connections, OEM Part No. SC450RM1U
Processor Intel® Xeon® E5506, 2+ GHz, 4 MB Cache2 or comparable (subject to availability)
Memory 2 GB or more, 1066 MHz or higher, 2 x 1 GB, single ranked UDIMMs for 1 processor
Hard Disk 2 total (providing ample storage space, size subject to availability) 7.2K RPM Serial
Advanced Technology Attachment (SATA), 8.9 cm (3.5 in.) cabled
3 Gbps, RAID 1 configuration with add-in SAS6/iR (SATA/SAS Controller) or higher
Internal Optical Drive DVD ROM, SATA
Operating System Windows Server® 2012 R2 Standard
Antivirus Software Symantec® Endpoint Protection, Small Business Edition (latest version)

NAE Commissioning Guide 106

Table 35: NxE85 Model
Network and Serial Interfaces 2 RJ45 1 Gbps Ethernet Ports, Port 2 is disabled.
2 video ports (1 front, 1 back)
1 9-pin Serial port
4 USB ports (2 front, 2 back)
Dimensions (Height x Width x Depth) 4.3 x 43.4 x 62.7 cm (1.7 x 17.1 x 24.7 in.)
Mounting Mount in an EIA-310D compatible server cabinet
Shipping Weight 15.9 kg (35 lb)
Compliance Europe: CE Mark (Record Holder: http://www.dell.com/regulatory_compliance)

The performance specifications are nominal and conform to acceptable industry standard. For application at conditions
beyond these specifications, consult the local Johnson Controls office. Johnson Controls shall not be liable for
damages resulting from misapplication or misuse of its products.

NAE Commissioning Guide 107

Appendix: Time Zone, Date, and Time Management
Time Zone, Date, and Time Management Introduction
The time zone, date, and time used by all devices connected to a Metasys site are synchronized automatically,
preventing errors from manual time entry and clocks that become inaccurate over time. Network-wide time
management ensures that scheduling, trending, audit trailing, data collecting, time-stamping of alarms, and other
functions that require accurate time management use the same time zone, date, and time consistently for all system
operations.
Time synchronization occurs on the Metasys network when an engine or server sends an IAmLive message to the
Site Director. If the IAmLive message fails, the engine or server sends another message to retrieve the time from
the Site Director. When the time is synchronized between the devices, a second IAmLive message is successful.
For network-wide time synchronization, the network engine designated as Site Director is the device time server
because it provides the time zone, date, and time for all other engines/servers on the site. All other devices are
considered time clients because they receive the time zone, date, and time from the Site Director. Beginning at
Release 8.0, multiple time zone support was made available for upgraded network engines. The network engine
designated as Site Director remains the device time server, but for network engines at Release 8.0 or later, the time
synchronization occurs in UTC time, not in the time zone of the Site Director. For more details, see Multiple Time
Zones.
To set the date and time in the Site Director (and therefore the entire site), you can set the time manually or select
a time server for the Site Director. The time server for the Site Director is referred to as the site time server and
should be a reliable source that is not on the Metasys network. Regardless of how you set the date and time, you
must set the time zone in the Site Director.
Note: Beginning at Release 8.0, the Metasys System supports Release 8.0 (or later) network engines set in different
time zones.

Important: Edit the Device Time Servers attribute or Time Sync Period attribute in the Site object only.
Note: To ensure that the correct time appears on the Site Management Portal user interface accessed from a client
computer, apply the most recent Daylight Saving Time (DST) patch for the operating system on all clients
that access the Site Director. The latest DST patch is available from Microsoft Corporation.

Overview of Time Synchronization

This section contains a summary of how time synchronizes on a site with various system components. Table 36
summarizes the time sources for various system items. All time is Universal Time Coordinated (UTC) and all system
devices handle DST.
Table 36: Time Sources
Item Time Source
NAE/NIE Trend Data NAE/NIE
NAE/NIE Events NAE/NIE
NAE/NIE Commands NAE/NIE
Annotations ADS/ADX/ODS
Event Acknowledgements ADS/ADX/ODS

ADS/ADX/ODS Site Director with Network Engines

On a site with an ADS/ADX/ODS Site Director and network engines, the following time synchronization steps occur:
1. ADS/ADX/ODS Site Director comes online.
2. Network engines come online and check in with the Site Director.
3. Every 15 seconds, the network engines check for ADS/ADX/ODS online/offline conditions. If the ADS/ADX/ODS
is offline, the network engines send an IAmLive message to the ADS/ADX/ODS every 20 seconds.

NAE Commissioning Guide: Appendix: Time Zone, Date, and Time Management 108
4. When the ADS/ADX/ODS receives the IAmLive message, it attempts to validate the security credentials of the
network engines. If the time in the network engines is different than the time in the ADS/ADX/ODS by 5 or more
minutes (also taking into account the time zone of each network engine), the engine security credentials are
invalidated.
5. Network engines come online and check in with the Site Director.
6. Every 15 seconds, the network engines check for ADS/ADX/ODS online/offline conditions. If the ADS/ADX/ODS
is offline, the network engines send an IAmLive message to the ADS/ADX/ODS every 20 seconds.
7. When the network engine receives back an invalidated credential, the network engines request the current time
from the ADS/ADX/ODS and update the engine time to match (also taking into account the time zone of each
network engine).
Note: Time between an ADS/ADX/ODS and network engines synchronizes only if the time differs between the
ADS/ADX/ODS and network engines by 5 or more minutes. In the worst case scenario, one network
engine could be 4 minutes and 59 seconds ahead of the ADS/ADX/ODS, and another network engine
could be 4 minutes and 59 seconds behind the ADS/ADX/ODS.
8. After time is synchronized and the ADS/ADX/ODS is online, the network engines send IAmLive messages to
the ADS/ADX/ODS every 5 minutes (instead of every 20 seconds).
Note: Time synchronization is affected if you change the network engine's Site Director from an ADS/ADX/ODS
in one time zone to an ADS/ADX/ODS in a different time zone. If you make this change online, as an
interim step, promote the network engine to be its own Site Director, wait several minutes, then assign
to the network engine the ADS/ADX/ODS Site Director in the new time zone. This interim step ensures
proper time sychronization.

NIE and Child Devices

Important: We recommend that time be synchronized carefully between the NIE and the N1 network, preferably
using a common external time server. All N1 network data collected by the NIE is time stamped at the
NIE (no N1 network time stamps persist in the data collected by the NIE).
While the NIE can push time to the NCM, the preferred method of synchronization for the NIE and N1
network is to have both synchronize with an external time server.
On a site with an NIE and child devices (NCMs, for example), the following time synchronization steps occur:
1. The NIE comes online and is mapped to NCMs.
2. When the time changes in the NIE (as a result of synchronization with an ADS/ADX/ODS, for example), the NIE
pushes the time change down to the NCM. This time push requires that the Synchronize Time attribute of the
NIE N1 Integration object is enabled.

Time Synchronization Methods

Three methods for network time synchronization are available in the Metasys system, including Windows Simple
Network Time Protocol (SNTP) time synchronization, Multicast, and BACnet® time synchronization.
You can use the Microsoft Windows and Multicast methods when an SNTP master time server is available. If the
Site Director has no access to SNTP time servers, you can use the BACnet synchronization method.
To enable a time synchronization method, modify the Time Sync Method attribute for the Site. See the Steps for
Successful Time Management and Setting the Time Synchronization Method sections.

Windows Time Synchronization

The Windows time synchronization is Microsoft Corporation’s implementation of the standard Windows SNTP
w32time. This method is also referred to as unicast synchronization. With this form of time synchronization, all routers
can route User Datagram Protocol (UDP) traffic. Windows time synchronization may have a larger time interval in
which devices are out of sync with the SNTP master time server due to skewing and convergence.

NAE Commissioning Guide: Appendix: Time Zone, Date, and Time Management 109
If you use Windows time synchronization, you must define a device time server in the Site Director using the Device
Time Servers attribute.
Note: If you implement an intentional time change for your site, in less than 5 minutes, all other devices on the site
update with the new time with Windows time synchronization.

Multicast Time Synchronization

The Multicast time synchronization is the Johnson Controls implementation of SNTP w32time with Multicast capabilities
and RFC-2030 compliance. This method delivers the same features as the Windows method, but also provides
Multicast functionality. The Multicast method provides improved Metasys time synchronization between the Site
Director and supervisory devices. A time server provides the master time to the Site Director, and the Site Director
in turn multicasts the time to all supervisory devices on the Metasys network.
When a supervisory device first signs up with the Site Director, it polls the Site Director for the current time and
matches its time with the Site Director time. By default, every 5 minutes the Site Director broadcasts the current time
to all supervisory devices. If a particular device time differs 1.5 seconds or more from the Site Director time, the
device adjusts its time to match. Additionally, if the Site Director time changes by more than 1 to 1.5 seconds, it
sends out a Multicast time message to all devices within 2 seconds of the change.
This form of time synchronization requires that all routers on the site support Multicast routing (Internet Group
Multicast Protocol [IGMP]) because the Multicast time message crosses routers. The Johnson Controls SNTP time
synchronization reduces the time interval in which devices are out of sync with the SNTP master time server.

BACnet Time Synchronization

BACnet time synchronization uses BACnet protocol to synchronize with BACnet devices such as the network engine.
Use this method when the Site Director has access to a BACnet time server. This method is not available on the
ADS/ADX/ODS.

Example Network
Figure 70 shows an example system with a common time zone, date, and time management setup. This example
is representative of the Multicast and Windows time synchronization methods.
The ADS/ADX/ODS Site Director is configured to receive the date and time from an intranet time server. The date
and time originates at an Internet time server (such as the Naval atomic clock). Using Simple Network Time Protocol
(SNTP), the intranet time server requests the time from the Internet time server. The Site Director requests the time
from the intranet time server. Then, using the Metasys system automatic time synchronization, and the manually
configured time zone, the Site Director automatically provides the time zone, date, and time to the other engines/server
on the Metasys network.

NAE Commissioning Guide: Appendix: Time Zone, Date, and Time Management 110
 Figure 70: Time Management Sample System

Multiple Time Zones

The time zone of the Site Director defaults to (GMT-06:00) Central Time (US & Canada). If your site is not in the
Central time zone, set the time zone for your location. When you set the time zone in the Site Director, it propagates
the current time to all the engines/servers on the site. You must set the time zone in the Site Director even if you
select a site time server. In addition, you must set the time zone in all non-Site Director ADS/ADX/ODS devices after
ADS/ADX/ODS software installation.
Starting at Release 8.0, multiple time zones across a site are supported. This new capability is accomplished with
a new attribute on the network engine's Site object called Default Time Zone. This attribute has a drop-down list of
all available world time zones to identify the local time zone where the engine is located. Selecting a time zone
means that the operator is no longer required to apply time zone math when working with Schedule objects defined
at the engine. The time zone you select is also applied to Schedule objects you define at the engine.
By default, each updated network engine continues to time-sync with the Site Director, but the time sync occurs in
UTC time. For example, a Site Director in the central time zone (UTC-06:00) that syncs with an engine in the mountain
time zone (UTC-07:00) does not change the engine to the central time zone. The local time and date attributes of
the Site Director show its local time and date as does the network engine. Also, consider the following:
• Scheduling: schedules at each network engine execute relative to the local time zone of the engine, allowing
you to schedule based on the local time zone, rather than the Site Director's time zone. Prior to Release 8.0,
you had to take into account the local time zone of the engine, then mentally convert the time based on the time
zone of the Site Director. These time zone calculations are no longer required.
• Historical data: alarms, audits, and trended values from engines that are viewed on the Site Director report in
local UTC time. However, alarms, audits, and trended values from engines that are viewed on the engine itself
report in local time.
• Other features: items such as Archive Date and ADS Delivery Time report in the local time of the engine.
The ADS/ADX/ODS Site Director and the network engines must be at Release 8.0 or later to take advantage of the
multi-time zone features. If a site has a mixture of engines at different Metasys releases, the older engines do not
exhibit this new feature. For example, as Table 37 indicates, the local time of an NAE at Release 7.0 uses the Site
Director's time, whereas an NAE at Release 8.0 or later uses a time specified by its Default Time Zone attribute.
Table 37: Time Zone Examples
Device Release Time Zone Time Zone Used
ADS/ODS 8.0 or later Central Central Standard Time
NAE 6.5 Mountain Site Director's time zone (Central)

NAE Commissioning Guide: Appendix: Time Zone, Date, and Time Management 111
Table 37: Time Zone Examples
Device Release Time Zone Time Zone Used
NAE 7.0 Central Site Director's time zone (Central)
NAE 8.0 or later Pacific Pacific Standard Time
NAE 8.0 or later Eastern Eastern Standard Time

Note: If your system consists of a network engine Site Director with multiple child network engines, make sure you
use the Default Time Zone attribute of the Site object, not the Time Zone attribute in the engine, or undesirable
behavior may occur.

Site Time Server

As an alternative to setting date and time manually for a device, you can select a site time server. A site time server
sets the date and time in the Site Director. Site time servers can be on your intranet, such as a Domain
Controller/Server; or on the Internet, such as the U.S. Naval Observatory Master Clock.
For a list of Navy master clocks, go to http://tycho.usno.navy.mil/.
See the Selecting a Site Time Server for the Site Director Network Engine or Selecting a Site Time Server for the
Site Director ADS/ADX/ODS (Windows Method Only) sections.

Time in Device Object and User Interface Status Bar

The date, time, and time zone in the Status Bar of the SMP user interface indicates the local date, time, and time
zone for that device. The date, time, and time zone in the device object to which you are browsing are the same
time; however, there may sometimes seem to be a discrepancy or delay between the two. This is normal operation.
See Figure 71.
Figure 71: Local Time and Date Shown in User Interface

For a network engine at Release 8.0 or later, the local time and date shown on the device object's focus window is
based on the default time zone set for the device. If the engine is located in a different time zone than the Site
Director, the current time and date shown for each differs.

NAE Commissioning Guide: Appendix: Time Zone, Date, and Time Management 112
In the ADS/ADX/ODS Site Director, the time zone, date, and time in the device object of the device are set by you
or by the designated site time server. In a non-Site Director network engine, the time zone, date, and time in the
device object come from the Site Director. The device object then passes the time zone, date, and time along to the
Status Bar for display. If the device is busy, it may take a few minutes for the time zone, date, and time to update
correctly in the Status Bar.

Steps for Successful Time Management

For successful time management, do the following:
1. Verify that each non-supervisory engine/server on the Metasys network has the correct Site Director defined.
See the Verifying the Site Director Defined for an Engine/Server section.
2. Set the time synchronization method for the site.
See the Setting the Time Synchronization Method section.
3. Set the default time zone of the Site object for each network engine that has Metasys software at Release 8.0
or later.
4. Set the time zone and then set the date and time or select a site time server for the site.
See the Network Engine as Site Director or ADS/ADX/ODS as Site Director section.
If you have a network engine as the Site Director, the time zone, date, and time are set in the engine's Site object.
See the Network Engine as Site Director section. If you have non-Site Director ADSs/ADXs on the site, you must
set the time zone for these servers.
If you have an ADS/ADX/ODS as the Site Director, the time zone, date, and time are set in the Windows operating
system of the computer where the ADS/ADX/ODS resides. See the ADS/ADX/ODS as Site Director section. If
you have non-Site Director ADS/ADX/ODS devices on the site, you must set the time zone for these servers.
5. For Multicast time synchronization only, configure the SNTP Multicast attributes for the site.
See the Configuring Additional Multicast Time Synchronization Settings section.
6. If a P2000 Security Management System (SMS) is integrated to the ADS/ADX/ODS server, both the P2000 and
ADS/ADX/ODS servers should reference the same network time server. If the two systems use different time
servers, the P2000 and ADS/ADX/ODS servers are not clock synchronized, which results in intermittent or no
communication between the two systems.

Verifying the Site Director Defined for an Engine/Server

For time synchronization to work properly, all engines/servers on a site must have the correct name for the Site
Director in the Local Site Director attribute. If an engine/server has the wrong device defined as Site Director, time
synchronization may not work properly on your Metasys site.
1. Log in to the engine/server.
2. Drag and drop the engine/server object to the Display frame.
3. Select Advanced.
4. Scroll to the Site section and verify that the Local Site Director attribute contains the correct device (Figure 72).
In this example, the Site Director is a network engine (NxE-THREE).

NAE Commissioning Guide: Appendix: Time Zone, Date, and Time Management 113
 Notes:
• The Local Site Director may be entered as an IP address or host name. If entered as a host name, the name
is case-sensitive (for example, NxE-THREE is not the same as nxe-three).
Figure 72: Site Director Field

• If the Site Director field contains the wrong device or is empty, click Edit. Edit the Site Director entry and click
Save.
5. Go to Setting the Time Synchronization Method.

Setting the Time Synchronization Method

See the Time Synchronization Methods section for descriptions of the methods.
1. Log in to the Site Director engine/server.
2. Drag the Site object to the Display frame.
3. Click Edit.
4. Select Advanced.
5. In the Time section, in the Time Sync Method drop-down box, select the desired time synchronization method
(Windows or Multicast).
Figure 73: Time Sync Method Field

6. If you select Windows time, enter a device time server in the Device Time Servers attribute. A device time server
is required for Windows time synchronization.
7. Click Save.

NAE Commissioning Guide: Appendix: Time Zone, Date, and Time Management 114
 Important: When the Time Sync Method is set to Multicast and the ADS/ADX/ODS computer is synchronized
with a time source other than itself, the Site Time Server must be an SNTP Time Server to allow
the ADS/ADX/ODS to perform time synchronization. Time synchronization occurs when a change
is detected in the ADS/ADX/ODS computer local clock, or at the Site configured Time Sync Period.
Enabling Multicast time synchronization terminates the Windows win32time service, but changing
the Time Sync Method back to Windows does not re-enable the service. If you change the Time
Sync Method back to Windows, you must manually start the win32time service, or restart the Site
Director.
Note: When the Time Sync Method is set to Windows, also set the Internet Time Server in the Windows operating
system of the Site Director to match the IP Address specified for the Site Time Server. In Control Panel
of the Site Director, search for Date and Time. On the Date and Time dialog box, click the Internet Time
tab. Click Change Settings and enter in the Server field the same IP address that you defined in the Site
Time Server attribute. Click OK to apply the change.
8. Go to Network Engine as Site Director or ADS/ADX/ODS as Site Director.

Network Engine as Site Director

If a network engine is the Site Director, you must set the time zone first, then either set the date and time or select
a time server for the Site Director network engine.
Note: See the Verifying the Site Director Defined for an Engine/Server and Setting the Time Synchronization Method
sections before following the steps in this section.

Setting the Default Time Zone in the Site Director Network Engine
1. Log in to the Site Director network engine.
2. Drag the Site object to the Display frame.
3. Click Edit.
4. In the Time section, in the Default Time Zone drop-down box, select the correct time zone for the device (Figure
74).
Figure 74: Default Time Zone in the Site Object

5. Click Save.
Note: The Site object's focus window is updated immediately to indicate the current time and selected time
zone, but the blue status bar in the lower right corner does not update until you log off, then log in to the
network engine again.
If you are also manually setting the date and time in the Site Director network engine, go to Setting the Date and
Time in the Site Director Network Engine.
If you are selecting a time server for the Site Director network engine, go to Selecting a Site Time Server for the
Site Director Network Engine.

NAE Commissioning Guide: Appendix: Time Zone, Date, and Time Management 115
Setting the Date and Time in the Site Director Network Engine
Before you manually set the date and time in the Site Director network engine, follow the steps in Setting the Default
Time Zone in the Site Director Network Engine.
1. In the navigation tree, right-click the Site object and select Command. The Command dialog box appears.
2. Click Set Time and enter a value in the text box (Figure 75).
Figure 75: Time in a Site Director Network Engine

3. Click Send.
Note: If you have a site time server selected, do not attempt to set the time manually. If you have one or more
site time servers defined, sending this command generates an error.
4. In the navigation tree, right-click the Site object and select Command. The Command dialog box appears.
5. Click Set Date and select a date from the calendar (Figure 76).

NAE Commissioning Guide: Appendix: Time Zone, Date, and Time Management 116
 Figure 76: Date in a Site Director Network Engine

6. Click Send.
Note: If you have one or more site time servers defined, sending this command produces an error. If you have
a site time server defined, do not attempt to set the time manually.
The Site Director time zone, date, and time are now set and propagate to all other engines on the site.

Selecting a Site Time Server for the Site Director Network Engine
Before you select a site time server for the Site Director network engine, follow the steps in Setting the Default Time
Zone in the Site Director Network Engine.
1. Reset the network engine for the time zone change to take effect.
2. Log in to the network engine.
3. Drag the Site object to the Display frame.
4. Click Edit.
5. In the Time section, in the Site Time Servers field, click the browse button.
Note: The Device Time Servers field should be blank unless you are using Windows time synchronization. Do
not change the value for the Time Sync Period attribute.

NAE Commissioning Guide: Appendix: Time Zone, Date, and Time Management 117
 Figure 77: Site Time Servers in the Site Object

6. In the screen that appears, click Add (Figure 77).

7. Enter the IP address of the SNTP server from which the Site Director receives its time (Figure 78).
Note: Specify a host name only if a DNS server is available to the Site Director.
If you add more than one address, the Site Director network engine tries to contact the first address. If
that fails, the network engine contacts the second one, and so on. The network engine use only the first
address in the list.
Figure 78: Add Site Time Server

8. Click OK.
9. Click Save. The Site Director now requests the date and time from the selected time server and propagates it
to all other engines on the site.
10. Go to Configuring Additional Multicast Time Synchronization Settings, if needed.

ADS/ADX/ODS as Site Director

Set the time zone first, then either set the date and time or select a time server for the Site Director ADS/ADX/ODS.
Notes:
• See the Verifying the Site Director Defined for an Engine/Server and Setting the Time Synchronization Method
sections before following the steps in this section.
• If you select a site time server for your Site Director ADS/ADX/ODS, and you also set the time manually in the
ADS/ADX/ODS, the manual time is overridden at the end of the time specified in the Time Sync Period attribute
(default is 1 hour).

NAE Commissioning Guide: Appendix: Time Zone, Date, and Time Management 118
Setting the Time Zone in the Site Director ADS/ADX/ODS
1. In the lower-right corner of the ADS/ADX/ODS computer screen, click the time. The Date and Time Properties
box appears (Figure 79). The appearance of this screen varies depending on the operating system.
Figure 79: Time and Date on a Site Director ADS/ADX/ODS

2. Click Change date and time settings, then click Change time zone. The Time Zone Settings box appears
(Figure 80).
Figure 80: Time Zone on a Site Director ADS/ADX/ODS

3. Select a time zone from the drop-down list box.

4. Select Automatically adjust clock for Daylight Saving Time, if present.
5. If you have non-Site Director ADS/ADX devices on your site, set the time zone in those servers following the
instructions in this section.
If you are also manually setting the date and time in the Site Director ADS/ADX, go to the Setting the Date and
Time in the Site Director ADS/ADX/ODS section.
If you are selecting a time server for the Site Director ADS/ADX, click OK and go to the Selecting a Site Time
Server for the Site Director ADS/ADX/ODS (Windows Method Only) or Selecting a Site Time Server for the Site
Director ADS/ADX/ODS (Multicast Method Only) section.
NAE Commissioning Guide: Appendix: Time Zone, Date, and Time Management 119
Setting the Date and Time in the Site Director ADS/ADX/ODS
Before manually setting the date and time in the Site Director ADS/ADX/ODS, follow the steps in the Setting the
Time Zone in the Site Director ADS/ADX/ODS section.
1. Click the time in the lower-right corner of the screen. Click Change date and time settings.
2. Set the time and date.
3. Click OK.
The Site Director time zone, date, and time are now set and propagate to all other engines/servers on the site.

Selecting a Site Time Server for the Site Director ADS/ADX/ODS (Windows Method Only)
If you set up a site time server for your Site Director, you can set the date and time manually in the ADS/ADX/ODS,
but the manual settings are overridden at the end of the Time Sync Period.
Before selecting a site time server for the Site Director ADS/ADX/ODS, follow the steps in the Setting the Time Zone
in the Site Director ADS/ADX/ODS section.
1. On the ADS/ADX/ODS computer, press the Windows key + R. The Run dialog box appears (Figure 81).
Figure 81: Run Dialog Box

2. Type Net time /setsntp:"10.10.16.1 10.10.16.2 ...", where 10.10.16.1 and 10.10.16.2 are example IP addresses
of time servers.
Note: The IT department should provide the address of a suitable time server.
Be sure that the quotation marks are included (especially when listing multiple time servers).
3. Click OK.
The Site Director now requests the date and time from the selected time server and propagates it to all other
engines/servers on the site.

Selecting a Site Time Server for the Site Director ADS/ADX/ODS (Multicast Method Only)
Before selecting a site time server for the Site Director ADS/ADX/ODS, follow the steps in the Setting the Time Zone
in the Site Director ADS/ADX/ODS section.
1. Log in to ADS/ADX/ODS.
2. Drag and drop the Site object to the Display frame.
3. Click Edit.
4. In the Time section, in the Site Time Servers field, click the browse button (Figure 82).

NAE Commissioning Guide: Appendix: Time Zone, Date, and Time Management 120
 Note: Leave the Device Time Servers field blank. Do not change the value for the Time Sync Period attribute.
Figure 82: Site Time Servers in the Site Object

5. In the screen that appears (Figure 83), click Add.

Figure 83: Add Site Time Server

6. Enter the IP address of the SNTP server from which the Site Director receives its time.
Note: Specify a host name only if a DNS server is available to the Site Director. Leave the Device Time Servers
field blank.
For Multicast time synchronization, if you add more than one address, the Site Director ADS/ADX/ODS
tries to contact only the first address.
7. Click OK.
8. Click Save. The Site Director now requests the date and time from the selected time server and propagates it
to all other engines/servers on the site.
9. Go to Configuring Additional Multicast Time Synchronization Settings.

Configuring Additional Multicast Time Synchronization Settings

In addition to selecting the Multicast time synchronization method (Setting the Time Synchronization Method), you
must define other Multicast attributes.
To configure additional Multicast time synchronization settings:
1. Log in to the Site Director engine/server.
2. Drag the Site object to the Display frame.

NAE Commissioning Guide: Appendix: Time Zone, Date, and Time Management 121
3. Click Edit.
4. Select Advanced.
5. In the Time section, modify the attributes listed in Table 38 (Figure 84).
Figure 84: Multicast Time Synchronization Fields

Table 38: Multicast Time Synchronization Fields

Attribute Description
Multicast Group Address Specifies the IP address used to multicast the SNTP message. This address identifies the
group of devices to receive the SNTP message. The RFC-2030 defined standard address
is 224.0.1.1. The address is configurable to allow site-specific use.
Multicast UDP Port Specifies the UDP port on which Multicast time synchronization polls and listens for
messages. The RFC-2030 defined standard port is 123.The UDP port defined here must
match the Time Server’s UDP port for successful polling to occur.
Multicast TTL Specifies the Time-to-Live (TTL) for a Multicast message. The value indicates the number
of router hops allowed (number of routers to pass through) before the message is not sent.
Routers must be configured to pass Multicast messages to allow the time sync message to
pass.
Note: A default value of 1 typically stops the Multicast message from leaving the IP subnet
of the Site Director. Most routers decrease the existing TTL upon arrival of a packet,
and drop the packet instead of rerouting it when the TTL reaches 0.
Multicast Heartbeat Interval Specifies the number of minutes between forcing a Multicast time synchronization message
from the Site Director to participating devices.

6. Click Save.

NAE Commissioning Guide: Appendix: Time Zone, Date, and Time Management 122
Appendix: Configuring and Maintaining Preferences
Configuring and Maintaining Preferences Introduction
The Metasys system provides customized preferences for the user interface. The preferences allow authorized users
to configure how the user interface behaves, including the sounds and colors, the startup view, and the ability to
add links to external applications that can be accessed from within the user interface of the ADS/ADX/ODS/SCT/NAE
device.
Some steps in the following sections involve certain file operations, such as copying files and navigating to specific
folders. The tool used for these operations is Windows File Explorer (ADS/ADX/ODS, SCT, NAE55, NIE55, or
NxE85), Windows Internet Explorer®, or the Apple® Safari® web browser (NAE35, NAE45, or NCE25). For an
NAE55/NIE55, log in to the device remotely using the NxE Information and Configuration Tool (NCT), then use the
Remote Desktop function in the NCT. Type explorer at the command prompt. For an NAE35/NAE45/NCE25, use
the Start FTP function in the NCT. Access the NAE contents with Internet Explorer or Safari and type ftp://<NAE IP
Address> in the Address line. For information on the NCT, refer to the NxE Information and Configuration Tool
Technical Bulletin (LIT-1201990).

Preferences Concepts

System and User Preferences

Preferences are divided into two categories: System Preferences and User Preferences.

System Preferences
System preferences apply to all users who log in to the site or device. System preferences affect the performance
and operation of the system. Only the MetasysSysAgent user and the BasicSysAgent user have authorization to
configure system preferences. An audible alarm notification change is an example of a system preference. The SCT
supports a subset of system preferences. If the SCT is installed on an ADS/ADX/ODS, the preferences are shared
by the SMP user interface and the SCT.
Before you make system preference changes, the preferences are read from the DefaultSystemPreferences.xml
file. Once you make system preference changes, a new file called SystemPreferences.xml is created (Figure 85).
Both of these files are located in the directory on the Metasys system device as indicated in Table 39.
Table 39: Location of Preferences Files
Metasys System File Locations
Device
NAE55/NIE55 C:\Documents and Settings\All Users\Application Data\Johnson Controls\MetasysIII\Preferences
C:\Program Files (x86)\Johnson Controls\MetasysIII\UI\audio
NAE85/NIE85 C:\ProgramData\Johnson Controls\MetasysIII\Preferences
C:\Program Files (x86)\Johnson Controls\MetasysIII\UI\audio
NAE35/NAE45/NCE25 \Storage\Metasys\Preferences
\Storage\Metasys\wwwroot\metasysIII\UI\audio

The procedure to synchronize system preferences within a site or to reuse the system preferences on another site
is a manual copy and paste process. Use the process to copy system preferences to other devices on the site or to
other sites. See Copying Preferences between Devices.

NAE Commissioning Guide: Configuring and Maintaining Preferences 123

 Figure 85: System Preference Files

As highlighted in Figure 85:

• DefaultSystemPreferences.xml: This is the default system preferences file. It is installed as part of the standard
installation for all Metasys system devices.
• SystemPreferences.xml: This file stores the configured system preferences. If you have not yet configured
system preferences, this file does not appear in the directory.

User Preferences
User preferences apply to a specific Metasys system user. User preferences define how the information is displayed
in the user interface and do not affect the operation of the system. The colors and marker styles of a trend display
are examples of user preferences. Each user is authorized to view and edit their own user preferences.
The system automatically assigns a numbered user preference file name for each user called
UserPreferences-userID.xml, where userID is the identification number of the user. Using an identification number,
rather than using the actual user name, serves two purposes. First, it avoids any conflicts that might arise if the user
name contains special characters. Second, it allows the user to be renamed without breaking the connection to the
user preferences file.
To view user identification numbers, open the Security Administrator screen and select User Preference File Names
under the View menu (this option is available only to the MetasysSysAgent user). The user preference file names
appear in the Roles and Users pane (Figure 86) and correspond to files on the Metasys device in the directory as
indicated in Table 39. As shown by two callouts in Figure 86:
• 1: User preference file name as seen in the Security Administration in the user interface.
• 2: User preference file as seen when accessing a network engine using Remote Desktop in the NCT.
The procedure to synchronize user preferences within a site or to reuse the user preferences on another site is a
manual copy and paste process. Use the manual process to copy user preferences to other devices on the site or
to other sites. See Copying Preferences between Devices.

NAE Commissioning Guide: Configuring and Maintaining Preferences 124

 Figure 86: User Preference File

Managing Preferences
System and user preferences stored in a network engine are not saved in the archive database by SCT, and they
are not part of the archive upload/download process. Additionally, preferences are not saved during a security backup
when you upgrade. You must manage preferences manually.
For information on managing preferences for each preference type, see the following sections:
• System Preferences
• User Preferences

NAE Commissioning Guide: Configuring and Maintaining Preferences 125

Detailed Procedures

Configuring Preferences
Note: To configure the preferences of a specific user, you must log in as that user or as a user with Administrator
rights.
1. On the Tools menu of the user interface, click Configure Preferences. The Metasys Preferences dialog box
appears.
2. Set the preferences according to the Preferences section of the Metasys® SMP Help (LIT-1201793).
If you specified Level 1-4 Sound Files on the Alarm Settings tab, place the alarm sound files into the audio folder
on the Metasys system device. The audio folder is located in the following directory:
For NAE55/NIE55/NAE85/NIE85:
C:\Program Files (x86)\Johnson Controls\MetasysIII\UI\audio
For NAE35/NAE45/NCE25:
\Storage\Metasys\wwwroot\metasysIII\UI\audio
Note: If a sound file is missing from the folder, the Metasys system uses the default system beep for that alarm
priority.

Restoring Default System Preferences

1. Access the Metasys system device on which you want to restore the default system preferences. (For example,
if this is an NAE55, use the Remote Desktop option available in the NCT.)
2. Navigate to the Preferences directory for the device as shown in Table 39.
3. Delete the SystemPreferences.xml file.

Copying Preferences between Devices

1. Access the source Metasys system device; that is, the one that contains the preferences you want to copy. (For
example, if this is an NAE55, use the Remote Desktop option available in the NCT. The local hard drive of your
computer is automatically mapped to the NAE through the remote desktop function.)
2. Navigate to the Preferences directory for the device as shown in Table 39.
3. Copy SystemPreferences.xml (system preference) or UserPreferences-userID.xml (user preference), where
userID is the identification number that appears in the Security Administration tool.
4. Paste the file onto the desktop of your computer.
5. If you are accessing the Metasys system device remotely, log out.
6. Access the destination Metasys system device (where you want to copy the preferences) as the MetasysSysAgent
user and navigate to the Preferences directory for the device as shown in Table 39.
7. Paste the SystemPreferences.xml file or UserPreferences-userID.xml file that you copied to your computer
desktop with Step 4.

Restoring Default User Preferences

1. Log in to the SMP user interface as the MetasysSysAgent user.
2. On the Tools menu of the user interface, select Administrator. The Security Administration tool appears.
3. On the View menu, select User Preference File Names. The user preference file names appear in the Roles
and Users pane of the Security Administration tool.
4. Record the file name of the user whose preferences you want to restore.
Note: If the user has been removed from the system, there is no record of the user preference file name in the
Security Administration tool. In this case, remove user preference files from the Metasys device that do
not have a corresponding user preference file name in the Security Administration tool.

NAE Commissioning Guide: Configuring and Maintaining Preferences 126

5. Close the Security Administration tool and continue with Removing User Preference Files.

Removing User Preference Files

1. Access the Metasys device from which you want to remove the user preference files and navigate to the
Preferences directory for the device as shown in Table 39.
2. Delete files named UserPreferences-userID.xml, where userID is the identification number that appears in the
Security Administration tool.
Note: Do not delete DefaultUserPreferences.xml.

Copying User Preferences to Another User

1. Log in to the SMP user interface as the MetasysSysAgent user.
2. On the Tools menu of the user interface, select Administrator. The Security Administration tool appears.
3. On the View menu, select User Preference File Names. The user preference file names appear in the Roles
and Users pane of the Security Administration tool.
4. Record the file name of the user whose preferences you want to copy (Source User) and the file name of the
user whom you want to share those preferences (Destination User).
5. Close the Security Administration tool.
6. Access the Metasys device and navigate to the Preferences directory for the device as shown in Table 39.
7. Delete the preference file (if it exists) of the Destination User that you recorded in Step 4.
8. Copy and paste the user preference file of the Source User you recorded in Step 4. If using Windows File Explorer,
the file appears in the folder with Copy of appended to the front of the file name.
9. Rename the copied file to the original name of the Destination User preference file name.

Preserving Preferences for a Network Engine Update

Preferences do not persist after an engine update unless you take manual steps to save the settings before you
begin a system upgrade.
1. Before you begin the engine update process, access the Metasys engine that contains the preferences and
custom files you want to copy. (For example, for a network engine, use the Remote Desktop option available
with NCT. The local hard drive of your computer is automatically mapped to the network engine through remote
desktop.)
2. Navigate to the Preferences directory for the device as shown in Table 39.
3. Copy SystemPreferences.xml (system preference) or UserPreferences-userID.xml (user preference), where
userID is the identification number for each specific user with customized preferences. If you are saving preferences
for multiple users, be sure to copy all files. Also, copy any special files, such as customized sound .wav files,
from the location shown in Table 39.
4. Paste these files in a safe location on your computer or network drive, or store them on other media.
5. Update the network engine according to the Metasys® Server Installation and Upgrade Instructions Wizard
(LIT-12012162).
6. Copy the files that you copied in Step 3 back to the appropriate location as listed in Table 39.

NAE Commissioning Guide: Configuring and Maintaining Preferences 127

Appendix: Certificate Management
Certificate Management Introduction
Certificate Management is an option in SCT that you use to manage trusted certificates that are stored in network
engines. Enhancements at Metasys Release 8.1 provided for improved security by enabling encrypted communication
between Metasys servers and network engines. These enhancements included the option to configure encrypted
and trusted communication for network engines. New at Release 9.0, encrypted and trusted communication is
available between the Metasys server and network engines. The Site Security Level attribute in the Site object
controls this capability. For details, refer to the ADS/ADX Commissioning Guide (LIT-1201645).
When you install or upgrade a Metasys site to Release 8.1 or later, self-signed certificates are installed for the
ADS/ADX/ODS and network engines by default. Self-signed certificates for network engines have three-year durations.
Once devices are installed or upgraded, Metasys system communication is encrypted. If a customer is satisfied with
encrypted communications, no Certificate Management steps are required. System components come online and
communicate as they would at any Metasys software release.
Optionally, if trusted communications is desired, the customer's IT department can generate trusted certificates or
obtain trusted certificates from a Certificate Authority (CA) for the Metasys server and network engines. You use the
Certificate Management option in SCT to manage trusted certificates for network engines.
Note: If you are implementing certificate management on an existing Metasys system, keep in mind that adding
a trusted certificate may require you to add a domain name to the original host name of a server or engine.
This action requires you to rename all data in the Metasys historical databases. You can perform the renaming
operation within SCT, but be aware that this procedure requires intensive database operations that significantly
prolong a system upgrade. Therefore, be sure to allocate extra time if you are renaming historical data as
part of an upgrade to Metasys Release 9.0. For details about renaming a network engine, refer to the Download
section in Metasys® SCT Help (LIT-12011964).
The connection status currently active on the computer is indicated by a security shield icon that appears on the
Metasys SMP and SCT login windows, and SMP and SCT UI main screens. If the engine is using trusted certificates,
a green shield icon with a checkmark ( ) appears. If the engine is using self-signed certificates, an orange shield
icon with an exclamation mark ( ) appears. And finally, if the certificate chain to the engine is broken, the certificate
is misnamed, or the certificate has expired, a red shield icon with an X ( ) appears. The Metasys UI login screen
does not indicate the active connection status.
To help you remember when server certificates installed on network engines expire, the Site object has an attribute
called Certificate Renewal Reminder. This attribute regulates when certificate expiration reminders begin. It specifies
the number of days prior to security certificate expiration before operators are notified daily that an engine certificate
is about to expire. For example, if you use the default period of 60 days, and a server certificate on a network engine
expires on January 1, beginning on November 1, an event requiring acknowledgement is sent to operators once a
day or until the self-signed certificate is renewed or a new trusted certificate is installed.
The sections that follow describe how to manage security certificates for network engines with SCT 12.0, including
how to request, upload, and download certificates. You also use Certificate Management to add each Metasys server
certificate so that SCT can push the server's root certificate to network engines. Without the root certificate, network
engine communication to the Metasys server works, but it is untrusted. For setting up root, intermediate, and server
certificates on an Metasys server (ADS, ADX, ODS, or NxE85), refer to the appropriate document: Metasys® Server
Installation and Upgrade Instructions Wizard (LIT-12012162), ODS Installation and Upgrade Instructions Wizard
(LIT-12011945), or NxE85 Installation and Upgrade Instructions (LIT-12011530).
Figure 87 shows an example of the Certificate Management window in SCT. Open it by clicking Tools > Certificate
Management. The window has a Certificates tab that includes details about each certificate in the archive. From
this window, you can request, export, or delete a certificate. You can also replace an existing certificate with a
self-signed certificate.

NAE Commissioning Guide: Appendix: Certificate Management 128

 Figure 87: Certificate Management Main Screen

The following table explains each column in the Certificates window. Click inside a column header to sort the column.
Table 40: Description of Certificates Table
Column Name Description
Status A security shield icon that indicates the connection status afforded by the certificate.

: encrypted and trusted

: encrypted and self-signed

: encrypted, but either the certificate chain to the site or engine is broken, the certificate has a
name mismatch, or the certificate has expired.
Checkbox Icon A check box to select the device that you want to work with.
Issued To The name of the device to which the certificate is issued.
Type The type of certificate: root, intermediate, or server.
Device The device to which the certificate is bound (single or multiple for intermediate and root certificates).
Expiration The date on which the certificate expires. The certificate management tool highlights all certificates
that will expire within the number of days specified by the Certificate Renewal Period attribute of
the Site object (or have already expired). Also, the Certificate Renewal Period attribute in the Site
object controls when certificate expiration reminders begin. It specifies the number of days prior to
security certificate expiration before the operator is notified daily that a certificate is about to expire.
This attribute is synchronized to all child devices. Certificate Renewal Period applies only to devices
at Release 8.1 or later.
Details A clickable arrow that opens an expanded panel with more detailed information about the certificate.

NAE Commissioning Guide: Appendix: Certificate Management 129

Certificate Signing Request (CSR)
SCT can generate a certificate signing request (CSR) on behalf of a network engine. However, SCT cannot act as
a certificate authority (CA) for signing certificates. Requesting a certificate is a multi-step process that involves
specifying the following information:
• common name
• email address
• name of organization
• name of organizational unit
• city
• state or province
• name of country
Summary of Steps for Network Engine:
1. Verify that the device name in the SCT archive and the subject common name for the device match.
2. Use SCT to create a CSR and an associated private key for each network engine. See Requesting a Certificate.
3. Send the CSR for each engine to the internal IT department or CA for signing. The internal IT department or CA
returns the signed certificate files.
4. Import the signed certificate files for each network engine into the SCT archive. See Importing a Certificate.
Note: You need to import the root certificate, the server certificate, and an intermediate certificate file (if provided).
The combination of one root certificate, one or more intermediate certificates, and one server certificate
is known as a certificate chain. The certificate chain must be complete for both the server and each
network engine to successfully configure a site.
The CSR is complete and SCT removes the certificate request from the Requests table. The private key that
SCT previously created is paired with the imported certificate.
5. Export all certificate files and store them in a safe and secure location in case you need to re-import them. See
Exporting a Certificate.
Note: You cannot request a CSR for a device if an existing CSR is still pending. You must delete the existing CSR
first.

Important: The private key that is generated when the CSR is created can be associated with the new certificate
only if the device name in the SCT archive and the subject common name for the device match.
Therefore, before requesting a device CSR, verify that the device name is correct. If not, the newly
purchased certificate could be worthless because of the device name mismatch. A common mistake
is to forget to include the company domain name with the CSR. No workaround is available that can
recover the use of the new certificate.

Import Certificate
Use SCT to import certificates and private keys from the local file system. Three file formats are supported: *.pem,
*.cer, and *.crt. Typically, each device has two or three certificate files to import: one root, one intermediate, and
one server certificate. Some devices may have more than one intermediate certificate. Whatever the case, always
import every certificate file that the customer's IT department or CA provides from the CSR you sent them.
SCT supports the import of only one certificate at a time. For example, if the root and intermediate certificate
information comes in a single file, you need to split it into two different files, one for the root and the other for the
intermediate certificate.
When you import a server certificate, SCT pairs the imported server certificate with the private key from the associated
CSR. If a server certificate is imported that contains an identical Issued To Common Name (CN) as an existing
certificate, the imported certificate replaces the existing certificate, but the private key is retained; it is not replaced.

NAE Commissioning Guide: Appendix: Certificate Management 130

Export Certificate
Use SCT to export certificates and private keys to the local file system. Exporting certificates is an optional
precautionary measure that allows you to export and store certificates to a computer or removable media for
safekeeping. Keep in mind that certificates with private keys are sensitive information that you should treat as highly
confidential files.
Three file formats are supported: *.pem, *.cer, and *.crt. Typically, each device has two or three certificate files to
export: one root, one intermediate, and one server certificate. Some devices may have more than one intermediate
certificate. Whatever the case, always export every certificate file that the customer's IT department or CA provides
from the CSR you sent them.

Certificate List View

Use the certificate list view to determine if all certificates required by each device reside in the archive. The certificate
list view provides these features:
• Indication of an expired certificate.
• Indication of whether a certificate is required in one or more certificate chains used by a device in the archive.
The list view also makes clear which certificates are not needed and may be deleted.
• Information about the certificate, including: Issued To, Type, Device Name (server certificates), Expiration Date,
Details (for example, SHA1 Thumbprint).
• Clickable column headers that sort the rows by the data in that column.
• Options for importing, exporting, and deleting root, intermediate, or server certificates.
Figure 88: Viewing Certificate Details

NAE Commissioning Guide: Appendix: Certificate Management 131

Certificate Tree View
Use the certificate tree view to verify the certificate chain, which is the combination of root, intermediate, and server
certificates required by the device. This information is important because the certificate chain must be complete to
successfully configure a site. The certificate tree view displays the following:
• Root certificate: the highest level certificate; only one for each device.
• Intermediate certificate: one level for each intermediate; there may be none, one, or multiple.
• Server certificate: the lowest level certificate; only one for each device.
The certificate tree view indicates if the certificate chain is missing or incomplete for any device. For each certificate,
the following data is shown:
• Issued To: the common name (CN) field. For server certificates, the common name must exactly match the
device’s computer name (hostname).
• Expiration: date when the certificate is set to expire.
• Details: drop-down box that contains the SHA1 Thumbprint to distinguish certificates with the same common
name.
Figure 89: Certificate Chain View

The following example shows the certificate chain view when a certificate is missing.

NAE Commissioning Guide: Appendix: Certificate Management 132

 Figure 90: Missing Certificate Example

Download Certificate
Use the Download Certificate option to download server certificates independently from other actions. This method
is much faster than if you were to download the full database with the Download To Device option under Manage
Archive.
When you download certificates to a site device, SCT determines the correct set of certificates required by that
device for successful site configuration. If any certificates are missing, SCT includes the set of certificates that it
recognizes during the download, but the missing certificates need to be imported before trusted connections can be
established. Also, no certificates are downloaded if the server certificate and private key for that device are not
present in the SCT archive.

Detailed Procedures
Follow these procedures to manage certificates in a network engine.

Requesting a Certificate
To request a certificate for a network engine in an archive database:
1. Open the archive database.
2. Verify that the network device name in the archive matches the subject common name of the online network
engine. If not, change the network device name in the archive to match the online network engine name.
3. On the Tools menu, select Certificate Management. The Certificate Management screen appears.
4. Click the Devices tab. The Devices screen appears.

NAE Commissioning Guide: Appendix: Certificate Management 133

 Figure 91: Request Certificate - Devices Tab

5. Click the network engine for which you want to request a certificate. Click Request Certificate(s). The Request
Certificate(s) form appears.

NAE Commissioning Guide: Appendix: Certificate Management 134

 Figure 92: Request Certificate(s) Form

6. Complete all the fields on the form. Click Save CSR Details. An Export CSR(s) confirmation window appears.
Figure 93: Export CSR(s) Confirmation

7. Click Yes to continue. The Export CSR(s) - Select Folder window appears.

NAE Commissioning Guide: Appendix: Certificate Management 135

 Figure 94: Export CSR(s) - Select Folder

8. Browse to a folder where you want to save the CSR file and click Export. The certificate request file with a .PEM
extension is exported to the selected folder. For example, the certificate request file for a network engine called
NAE-1 on a computer called ADX-1 would be ADX-1_NAE-1_CSR.PEM for a network engine with a fully qualified
name of ADX-1:NAE-1.
9. Send the certificate request file to the IT department to obtain your trusted certificate. When you receive the file,
go to Importing a Certificate to import the certificate into SCT for the network engine.

Importing a Certificate
To import a certificate for a network engine in an archive database:
1. Open the archive database.
2. On the Tools menu, select Certificate Management. The Certificate Management screen appears.
3. Click Import Certificates. The Import Certificates dialog box appears.

NAE Commissioning Guide: Appendix: Certificate Management 136

 Figure 95: Request Certificate Screen

4. Select the certificate file. The file has a .crt, .cer, or .pem extension. Click Import. The certificate for the network
engine is imported.
Figure 96: Import Certificates Screen

5. Click the Certificates tab to view the newly imported certificate.

NAE Commissioning Guide: Appendix: Certificate Management 137

 Figure 97: Newly Imported Certificate

Exporting a Certificate
To export a certificate for a network engine in an archive database:
1. Open the archive database.
2. On the Tools menu, select Certificate Management. The Certificate Management screen appears.
3. Click the Devices tab. A table of devices with certificates appears. Select the device whose certificate you want
to export.
Figure 98: Exporting a Certificate

4. Click Export Certificate(s). The Export Certificates dialog box appears.

NAE Commissioning Guide: Appendix: Certificate Management 138

 Figure 99: Export Certificate(s) - Select Folder Screen

5. Click Export Certificate(s). The certificate file is exported to the selected folder location. For example, if the
name of the NAE is NAE-1, the certificate file would be called NAE-1.pem.

Downloading a Certificate
To download a certificate to a network engine from an archive database:
1. Open the archive database.
2. On the Tools menu, select Certificate Management. The Certificate Management screen appears.
Figure 100: Downloading a Certificate

3. Select the device that has the certificate you want to download. (If you need to download the certificates of
multiple engines, you can select more than one from the devices table.) Click Download. The Certificate Download
Wizard appears.

NAE Commissioning Guide: Appendix: Certificate Management 139

 Figure 101: Certificate Download Wizard

4. Specify the username and password of the network engine (or click Communicate via Site Director to use the
Site Director's credentials). Click Test Login. When the login is confirmed, click Next to complete the remaining
steps in the Certificate Download Wizard. The ActionQ window appears to indicate the progress of the download.
A completion status of OK indicates that the certificate download process was successful.
5. Close the ActionQ window.

Uploading a Certificate
To upload a certificate from a network engine to an archive database:
1. Open the archive database.
2. On the Tools menu, select Certificate Management. The Certificate Management screen appears.
3. Click the Devices tab. A table of devices with certificates appears. Select the device that has a certificate you
want to upload. (If you need to upload the certificates of multiple engines, you can select more than one from
the devices table.)

NAE Commissioning Guide: Appendix: Certificate Management 140

 Figure 102: Uploading a Certificate

4. Click Upload. The Certificate Upload Wizard appears.

Figure 103: Certificate Upload Wizard

NAE Commissioning Guide: Appendix: Certificate Management 141

5. Specify the username and password of the network engine (or click Communicate via Site Director to use the
Site Director's credentials). Click Test Login. When the login is confirmed, click Next to complete the remaining
steps in the Certificate Upload Wizard. The ActionQ window appears to indicate the progress of the upload. A
completion status of OK indicates that the certificate upload process was successful.
6. Close the ActionQ window.

Deleting a Certificate
To delete a network engine certificate from an archive database:
1. Open the archive database.
2. On the Tools menu, select Certificate Management. The Certificate Management screen appears.
3. Select the device whose certificate you want to delete. Click Delete. A confirmation message appears.
4. Click OK to delete the certificate. The certificates list refreshes indicating that the certificate is removed.

Deleting a Certificate Request

Follow these steps to delete a network engine certificate request from an archive database.
1. Open the archive database.
2. On the Tools menu, select Certificate Management. The Certificate Management screen appears.
3. Select the device whose certificate request you want to delete. Click Delete. A confirmation message appears.
Figure 104: Delete CSR Confirmation Message

4. Click OK to delete the certificate request. The certificate requests list refreshes indicating that the certificate
request has been removed.

Replacing a Self-Signed Certificate

Follow these steps to replace an existing certificate with a new self-signed certificate for a network engine in the
archive database. This procedure is useful if you need to replace an expired or compromised trusted certificate with
a self-signed certificate.
1. Open the archive database.
2. On the Tools menu, select Certificate Management. The Certificate Management screen appears.
3. Click the Devices tab. A table of all devices with certificates appears.

NAE Commissioning Guide: Appendix: Certificate Management 142

 Figure 105: Devices Tab in Certificate Management

4. Select the device and click Replace Self-sign.

Backing Up a Certificate
To back up a certificate for a network engine, create a backup of the archive database using the traditional method
in SCT (Tools > Database > Create Backup). In addition to backing up the archive database, this process also
backs up the network engine certificates. You can also back up and store certificates for safekeeping by exporting
each certificate file to a computer or removable media. Lastly, certificates are also backed up and stored when you
export the archive database. For details on these operations, refer to Metasys® SCT Help (LIT-12011964).

Important: As an important restriction for creating and restoring database archive backups that contain network
engine certificates, you must use the same SCT computer for both operations. Do not restore the
archive using a different SCT computer, or the certificate data is deleted. This is a security precaution
that protects against certificate theft.

Building Technologies & Solutions

507 E. Michigan Street, Milwaukee, WI 53202
Metasys® and Johnson Controls® are registered trademarks of Johnson Controls.
All other marks herein are the marks of their respective owners.© 2017 Johnson Controls

Published in U.S.A. www.johnsoncontrols.com

NAE Commissioning Guide: Appendix: Certificate Management 143