My church is completing the remodel of its new building. Being a retired moocher having nothing better to do, I got sucked into the design sub-committees working on Audio, Lighting, and Networking (including phones). In our current building, we issued keys to trusted congregants that allowed them to open the building to support scheduled activities like choir rehearsal, meetings, and the Sunday program. We kept a key under a rock (well, a figurative rock) having a button lock. Over the years members had come and gone but the key combination remained unchanged. In our new home, we wanted to avoid physical keys and their management so we opted for an access control system. This article describes what we found and did.
- Revised to add firmware upgrade notes
- Revised to add management notes
An Industry ripe for Disruption
Access control systems are complex mystical things sold by local system integrators for prices approaching those of a fifth of unicorn tears. The systems proposed are needlessly complex, usually come with a monitoring contract and a big price tag, These systems were islands of proprietary equipment that separated visitor screening, visitor communications, and door control. Could we save some money by taking an integrated approach? It turned out that we could by combining door access control, the door intercom, and the door camera system. And having former system integrators in the congregation, we could do it ourselves with professional help from our locksmiths, low voltage electrician, and our networking contractor.
What we elected to do
The church design committee recognized that we could save several thousand dollars by being our own system integrators for the network plant, phone system, and access control control system. The design committee sought quotes and received proposals that we judged to offer poor value. By choosing disruptive products from clever manufacturers, we could greatly reduce cost and complexity of the finished system.
The phone system
We elected to use a PBX as a service offering from OnSip. They offered the best value for our use case which required phones for our paid employees and a number of house phones. The OnSip pay as you go plan allowed us to configure the 4 employee phones, the house phone, and the ATA serving the elevator, fire system supervisor, and sprinkler system supervisor with measured service and a base capability charge that covered the PBX virtual environment, E911 monitoring, and our phone numbers (you rent them for $2/month). Internal calling is free. Calling to POTS (home or cell) was less than $0.02 per minute.
The system allowed us to configure an auto attendant to answer the phone and play announcements for services times, etc. We could configure a ring group that bypassed the auto attendant for visitors to request entry to the building. The phone system sends DTMF tone signals to the phone telling it to unlock the door.
The Door Phone
We elected to use Grandstream GDS 3710 door phones. These inexpensive devices looked good, could call the church staff to announce visitors, could control the door strike release, and could respond to RFID keys. These devices for about $220 through our PBX service replaced the following components
- $150 door camera
- $300 door intercom
- $500 door controller
- $100 HID RFID reader
The only downside to the device is that the door strike release logic is located outside the protected area. But we’re trying to keep the local bored teens out. Determined thieves will smash a door or window. We’re not a nuclear power plant or a Navy SCIF, just a not very big house of worship having little that is theft-worthy that is easily taken.
How it works
The visitor pushes the call button. The phone calls a ring-group of 4 video phones (one for each paid employee). An employee or congregant answers the phone. The camera image appears on its display. The employee identifies the visitor and can unlock the door by sending a DTMF code to the door controller. This closes the relay releasing the strike. The door phone stores an image of the caller and makes a log entry.
Members having RFID keys present them to the door controller allowing them to bypass the check-in process. We can also issue RFID keys to wedding caterers and such that would function for the hall rental period. The GDS3710 accepts RS485 serial readers and Wiegand readers in addition to the internal reader.
When the building is unoccupied, we expect to lock the door using a normal dead bolt. This gives a level of back up to the rim strike and panic device.
Installing the phone
The GDS3710 being an access and surveillance product takes some pains with the administrator password. Normal Grandstream phones use admin admin as the initial administrative password. The security products have unique initial passwords on stickers affixed to the device in a location that is not visible when the device is completely installed. In the case of the GDS3710, the sticker is on the back of the case mounted toward the building. Once you have found this knowledge and managed to read the sticker, access to the device administrative pages is by web server. Grandstream gives these key facts only in the Quick Installation Guide.
Electrical Connection Summary
The phone receives power over Ethernet and will negotiate the proper power from compatible switches. The Ethernet cable connects to a cable terminal block that plugs into the back of the phone. This terminal block receives the following cables.
- Optional 12 volt power for the phone
- Strike relay power control by form C contact
- Form A alarm output contact
- Egress unlock request contact input (dry circuit)
In our application our doors have rim strikes and emergency exit push bars so we were not required to connect an exit request button. (Unless the fire inspector has a different opinion).
One of our doors has handicapped assist actuators for our wheel chair congregants. The door phone signals the door as if an internal exit demand had happened. This release the power operated dead bolt and strike before triggering the door opener. When the building is locked, a switch on the door operator disables power opening to protect the opener from running against the locked dead bolt.
The recent versions of GDS firmware no longer support self-sufficient upgrading over the public Internet or from a local upgrade server running HTTP or TFTP. Firmware from 22.214.171.124 on requires use of GDS Firmware Updater, a MS Windows application, to update firmware. The reference gives the operating procedures. Most sites have a Windows machine that can be used for this purpose but many small businesses, especially creative businesses may be MacOS only. As far as I know, the upgrade tool will run in a Parallels virtual machine. At any event, the upgrade host needs to be within the lifelines rather than in a VM at Digital Ocean.
Managing Fobs, Viewing Logs, Etc
Early versions of the GDS 3710 firmware supported management of FOBS, log viewing, etc by web browser. Reviewing the current web interface it appears Grandstream is moving this functionality into a Windows application. A USB RFID reader is available so RFID tokens can be added at deskside rather than at the door using the built in reader.