Visitor Management can integrate with OnGuard to provision temporary access badges directly from within the VM web application. This knowledge article will walk through the setup process for a VM admin. To see the provisioning process for an end user, click HERE.
Additionally, this knowledge article will walk through various troubleshooting steps that may come up with the integration.
The administrator of this integration will be able to determine:
Which users will have access to use this integration
What Access Levels the user can provision a badge with
What badges are to be made available to be used with this integration
These badges will only be active for the duration that the visitor is onsite and will be deactivated either manually by a user or automatically when the visitor leaves for the day. Every time the visitor signs in, they will need to have a badge provisioned for them.
Any guests that are to have one badge remain active for multiple visits should have that badge provisioned directly within OnGuard.
Integration Setup and Configuration
OnGuard License
This integration requires your OnGuard license to include the OnGuard Subscription Software Modules, listed on your OnGuard license under OpenAccess Application Support, and the Partner Integration (IPC-052-TNGST01), listed under Partner Integrations.
OnGuard Permissions
Within OnGuard, ensure the following permissions are set for the user whose credentials will be used within Visitor Management:
System Permission Groups
Access Level, View/Access
Cardholder Permission Groups
Cardholder: View/Access, Add, Modify
Visitor: View/Access, Add, Modify
Badge: View/Access, Add, Modify
Access Level Assignments
Modify Access Level Assignments
Badge Types: View/Access
Badge Types
Badge types used with Visitor Management should have badge IDs allocated via Manual Entry.
Access Levels
The OnGuard User whose credentials will be used within Visitor Management will need to have access levels assigned.
Field/Page Permissions
It is recommended to allow the user to view/edit all fields related to Cardholders and Visitors, including email. Full view/edit permission for Badges is also recommended.
Connecting OnGuard server to a Visitor Management location
Navigate to the Locations page within your VM account and choose the relevant location.
Select the “Physical Access” Tab.
Click on “Add Provider” and select OnGuard
Select Provider
Enter a server friendly name & a public facing URL. Click Next.
Note: If you are unable to provide your own URL, you can use https://localhost:8080. If you do so, there is an additional step (see section below).
Setup Tunnel
If you provided a public facing URL, click Test Connection to verify that we can connect to your server. Then, click Next.
If you did not provide a public facing URL
If you used the https://localhost:8080 URL rather than your own, download the agent for the reverse SSH tunnel near the bottom of the window.
Extract the downloaded zip folder and run the “install.bat” file as an Administrator on the machine where the OnGuard client is running.
Once the Install batch file has run, return to the “Edit Physical Access Provider” window in Visitor Management and click "Next".
This will use the newly installed secure tunnel to fetch the “directories” from your OnGuard server.
Authenticate User
Fill in the provider settings with username and password of an OnGuard admin and select the directory.
Select Segment
If you have segments enabled, select your segment from the dropdown menu. Ensure you enabled segments for Badges, Cardholders, and Visitors.
Refresh Provider
Any updates to Access Rules need to be manually synced to Visitor Management. To do so, click the arrow to the right of your Physical Access setup within the Locations Page. Then, click Refresh Provider to pull the newest rules from OnGuard.
Security Badges
You will need to add the badges you intend to use with this integration in the Security Badges window.
Click the arrow to the right of your Physical Access setup, then click Security Badges.
Add all the badges with a user friendly name, the unique ID of the badge, and the type of badge.
The Badge Friendly name can be whatever you want it to be. This is so your users, such as front desk staff, can identify the badges without needing to scan them.
Note: The Badge Unique ID only supports numbers. Any letters or symbols will result in a validation error.
Now the configuration between OnGuard and Visitor Management is complete. Next we will assign user groups access to use the integration.
Assigning user access to provision badges
After you've integrated with OnGuard and created your badges, you must now create user groups to determine which users get access to each badge type:
Click on the Gear icon at the top right corner of your account.
Select Users.
Click the Create User Group button to create a new group. Alternately, if you'd like to use an existing group instead, hover your mouse over the group name and click the edit icon.
4. Select the Access Levels you want these users to be able to provision badges with.
Note: the Access levels will show the Location name first followed by the access level that is fetched from the integrated OnGuard server at that location.
5. Once you click Save, the users within that group will now be able to provision badges.
Troubleshooting Instructions
When troubleshooting the OnGuard integration, it will be helpful to use a modern web browser (Chrome, Firefox, etc.) with a “Developer Tools” option, where network requests and responses can be viewed. This information can provide further information on the results of network requests that are being made to our servers. Responses to these requests will contain useful information about issues you may be troubleshooting and can be passed along to OnGuard support so that we can assist you.
The first troubleshooting step for any OnGuard integration issue should be to test the connection between your account and the OnGuard server.
To do this:
1. Navigate to the location page. Select the location with your OnGuard integration.
2. Select the Physical Access tab.
3. Click the actions button to the right of your OnGuard setup. Click Edit.
4. Go to the Setup Tunnel Step (Step 2) and click on Test Connection.
5. Look behind the setup window after clicking on this button to see the response.
If that test fails, please consult the next section Cannot continue beyond the “Setup Tunnel” step.
Cannot continue beyond the “Setup Tunnel” step/Cannot fetch OnGuard directories
Before users are allowed to continue beyond the “Setup Tunnel” step in our setup wizard, we verify that the connection is set up properly by attempting to fetch the directories from the OnGuard server.
If this connection is not successful, ensure that the OnGuard server is accessible from the client by visiting the “Server URL” entered in step 1 of the Physical Access Provider from the client machine.
If you are using the reverse SSH tunnel
If you can confirm that the OnGuard server is available from the machine with the guest_connector service running, perform these troubleshooting steps:
Ensure that the guest_connector service is running by going to the Windows start menu, typing “services” and hitting enter. In the list of services, there should be a service called “ngrok” which is running. If so, click on “restart service” and attempt to confirm the connection within Visitor Management once again.
If this does not work, open the config.yaml file that was included with the guest_connector service and ensure that the “addr” field matches that which is entered in Step 1 of the setup wizard. Update this field in the yaml file to match that in the wizard.
If the tunnel appears to be configured properly but you are still unable to confirm the connection, contact Visitor Management customer success for additional assistance.
Cannot successfully fetch Physical Access Rules & Security Badge Types
If you see the error “Could not fetch Access Providers & Security Badge Types”, there is likely a communication error between Visitor Management and OnGuard. Follow the steps for the Cannot continue beyond the “Setup Tunnel” step/Cannot fetch OnGuard directories issue, and if that is not successful, contact Visitor Management Customer Success for further support.
Cannot see Security Badge Types
If you are unable to see a dropdown list of Security Badge Types when creating Security Badges, they will need to be refreshed manually by clicking on the “refresh” icon associated with the OnGuard instance.
If refreshing Physical Access Rules & Security Badge Types is successful but the expected Security Badge Types are not visible still, ensure that Security Badge Types have been created within OnGuard and that the OnGuard user that was entered during the initial setup of the Physical Access Provider has visibility of the necessary Security Badge Types within OnGuard.
If refreshing the Physical Access Rules & Security Badge Types is not successful, refer to the troubleshooting section Cannot continue beyond the “Setup Tunnel” step/Cannot fetch OnGuard directories for further assistance with this issue.
Cannot assign Physical Access Rules (Access Levels) to a User Group
If no dropdown field for Physical Access Rules is visible inside of the Visitor Management User Group dialog or the expected Physical Access Rules are not visible, they will need to be refreshed manually by clicking on the “refresh” icon associated with the OnGuard instance.
If refreshing Physical Access Rules & Security Badge Types is successful, ensure that Physical Access Rules (Access Levels) have been created within OnGuard and that the OnGuard user that was entered during the initial setup of the Physical Access Provider has visibility of the necessary Security Badge Types within OnGuard.
If refreshing the Physical Access Rules & Security Badge Types is not successful, refer to the troubleshooting section Cannot continue beyond the “Setup Tunnel” step/Cannot fetch OnGuard directories for further assistance with this issue.
Cannot see “Provision Badge” button on the Guestbook page
The visibility for this button is gated behind the following expectations:
The logged in user is a part of a User Group that has been given permission to assign at least 1 Physical Access Rule. To do so, refer to the Assigning user access to provision badges section of the setup documentation.
There are Physical Access Rules that are associated with the location of the signin. Refer to the Initial Setup and Configuration section of this document for assistance in setting up a Physical Access Provider for the signin’s location.
The user has the “Provision Badge” permission for signins in an assigned Permission Bundle within Visitor Management. This can be set in the Permission Bundles page within VM and a Permission Bundle can be assigned to an individual VM user under the Users tab within the Preferences page.
If these conditions have been met, but the Provision Badge button is still not visible for a signin, please contact Customer Support for further assistance.
Cannot provision/de-provision a badge
If you are unable to provision/deprovision a badge, there is likely a discrepancy between OnGuard and Visitor Management records for Security Badges. The following checks can be made to ensure that the data between VM and OnGuard is up to date:
Ensure VM has the latest Physical Access Rules and Security Badge Types from OnGuard by visiting the Location page associated with the Signin you are trying to provision a badge for and clicking the “refresh” button for the Physical Access Provider created for OnGuard
Once refreshing Physical Access Rules & Security Badge Types, check (and if necessary, update) the relevant Security Badges to ensure they are associated with current Security Badge Types.
Search for the Badge ID within OnGuard to ensure it is not currently assigned to a cardholder. If it is, remove it and try assigning the badge within VM again
Search for the Visitor within OnGuard to ensure they are not currently already assigned a badge. If they are, remove it and try assigning the badge within VM again
Check the Badge Type within OnGuard to ensure that the Badge ID being assigned to the signin falls within the acceptable range of badge IDs for the specified Security Badge Type
If all of these checks have been confirmed, and any of the above issues persist, please contact Customer Support.
Failure to provision badges
Check the badge type in OnGuard is not set automatically assign ID. It must be set to “Manual Entry” and then there must be a range of allowed Badge IDs.