Netbox by Lenel•S2

Learn about the Netbox application.


Lenel•S2 develops an array of physical security solutions for large corporations, including access control, video surveillance, event monitoring, digital signage, live Internet-sourced, real-time data and information feeds, mobile applications, and cloud-based services.

How does this application work?

The Envoy + Netbox app streamlines the process of logging and assigning access cards to visitors. When a visitor signs in, Envoy automatically creates an entry for the visitor in your Netbox activity log. Netbox then assigns the visitor an access card with the appropriate expiration date and access level.

If you use Envoy’s block list feature, you can use the Envoy + Netbox app to kick off security measures when an unwanted visitor tries to sign in. When visitors match keywords on your block list, you can choose to trigger an event in Netbox. You can then configure specific actions, like turning on security cameras or alerting your security team.

Enabling the Envoy + Netbox application


  1. You’ll need to be an administrator on your Netbox account to complete this installation. Either become an administrator or ask your admin for help before completing these steps.

  2. In order for the app to work and connect to your Netbox instance, please allowlist the following IP addresses for inbound and outbound communication



  3. The on-premise Netbox instance must be routed to a public IP. Please see this article for possible network configurations.

    1. Ensure that port 443 and any custom port you have chosen to route traffic through are open to inbound traffic from the IPs listed above.


  1. The API must be enabled on your Netbox. "System Setup" credentials are needed to authenticate the API requests and are required when using the Netbox endpoints.

    1. Configuration -> Site Settings -> Network Controller -> Data Integration

  2. "Limit session to single IP address" should be set to No.

    1. Configuration -> Site Settings -> Network Controller -> Web Site

  3. (Envoy Visitors Only) In order for events to show up in the activity log, there needs to be at least one action created for an event (e.g. Envoy visitor)

    1. Configuration -> Alarms -> Events -> Actions

  4. (Envoy Visitors Only) Also for the activity log, there should be at least one Network Node. The node does not need to be real

    1. Configuration -> Site Settings -> Network Nodes -> Type: MicroNode

Installing Netbox in Envoy

  1. Under Access Control, find S2.

  2. Click “Install.”

Step 1: API

  1. In the API step, paste or type your on-premise, public-facing Netbox URL into the Hosted URL field.

    1. On-premise NetBox must have an accessible public IP for Envoy to connect. Please see this article for possible network configurations.

      1. Note the PORT is appended to the end of the URL and the URL includes "https://"

  2. Enter your administrator credentials

  3. If your Netbox is configured across multiple partitions, enable "Multi-partition Mode".

  4. Select your timezone

  5. Select your API Version

Step 2: Configuration Options

Select the partition you would like to use.

Envoy Workplace + Netbox

Step 3: Workplace

Envoy offers two different functions for Netbox and Workplace.

1. Registration & check-in for access

With this method, once the employee signs into Envoy, their access is enabled in Netbox.


The email address and last name must match accordingly across Netbox and Envoy, as those are the fields that the app will use to activate and deactivate employee profiles.

Employee profiles in Netbox must be set as expired before using Envoy Workplace.

Envoy will not toggle the status of these employee profiles if they do not start in an expired state.

  1. Select exempt employees (OPTIONAL)

    1. Select the employees whose access should not be toggled when they sign in to Envoy.

  2. Employee Access Duration

    1. Select how long employees should have access

  3. Toggle Employee Access Level

    1. Select the access level that should be toggled when an employee signs in to Envoy.
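A pre-flight check for the matching rules above (email and last name must match, and the Netbox profile must start expired), run before enabling this method. This is an added example, not Envoy or Netbox code; the CSV column names, the sample rows and the case-insensitive comparison are assumptions.

```python
import csv
import io

# Constructed sample exports. The column names are assumptions for this
# example, not a documented Netbox or Envoy export format.
NETBOX_PEOPLE_CSV = """email,last_name,expired
ana.diaz@example.com,Diaz,yes
bo.chen@example.com,Chen,no
cy.okoro@example.com,Okoro,yes
"""
ENVOY_EMPLOYEES_CSV = """email,last_name
Ana.Diaz@example.com,diaz
bo.chen@example.com,Chen
cy.okoro@example.com,Okoro-Smith
dee.lund@example.com,Lund
"""


def _norm(value):
    # Assumption: compare ignoring case and surrounding whitespace.
    return value.strip().casefold()


def preflight(netbox_csv, envoy_csv):
    """Return {envoy_email: reason} for employees whose profile cannot be toggled."""
    netbox = {}
    for row in csv.DictReader(io.StringIO(netbox_csv)):
        netbox[_norm(row["email"])] = row

    problems = {}
    for emp in csv.DictReader(io.StringIO(envoy_csv)):
        email = _norm(emp["email"])
        person = netbox.get(email)
        if person is None:
            problems[email] = "no Netbox profile with this email"
        elif _norm(person["last_name"]) != _norm(emp["last_name"]):
            problems[email] = "last name differs between Netbox and Envoy"
        elif _norm(person["expired"]) != "yes":
            problems[email] = "Netbox profile is not expired"
    return problems


if __name__ == "__main__":
    for email, reason in preflight(NETBOX_PEOPLE_CSV, ENVOY_EMPLOYEES_CSV).items():
        print(f"{email}: {reason}")
```
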

2. Auto check-in with badge swipe.

This method is used for tracking employees who sign in and does not affect employee access. The badge is always active. When an employee swipes their badge, the employee is automatically signed into Envoy.


Health check/Registration questions must be disabled. To disable questions, go here, click Employee reservations & auto check-in, then click advanced settings under the Employee reservation flow, and disable the questionnaire.

Auto sign-out must be enabled in Location Settings. Go to Manage > Location Settings, and scroll down to find auto sign-out settings. Set any time before midnight to sign out any signed-in employee.

If auto sign-out is disabled, then employees will remain signed in to the workplace and will not be signed in the next day with their badge swipes.

  1. Select exempt employees (OPTIONAL)

    1. Select employees that will not be signed in when their badge is swiped.

  2. Enabled Readers (REQUIRED)

    1. Select which readers you would like to track badge sign-ins at

Auto Check-in and Desk Reservation

A badge swipe signs a user into Envoy whether or not they are scheduled for the day so long as their badge is active.

If there is an existing desk reservation, the employee is checked into their desk. If there are multiple desk reservations, the employee will be checked into the first desk reservation of the day.

If the account is set to automatically assign desks with employee registration [Desks > Settings], Envoy will automatically create a desk reservation and check the employee into that desk. If this setting is turned off, Envoy will sign the employee into the workspace, but they will have no desk.

Envoy Visitors + Netbox

Grant your visitors credentials when they sign in or are invited with Envoy.

Step 4: Visitors

  1. Default access level for synced visitors

    1. Choose which level is the default for any Envoy Visitor type.

  2. Visitor types to Access Levels (OPTIONAL)

    1. Select a visitor type to match to a specific Access Level

    2. Setting an Envoy visitor type to "none — disallow" will prevent the visitor type from being recorded as a person record in Netbox.

  3. Visitor Access Duration

    1. Set the amount of time the Visitor has active credentials

  4. Advance Access

    1. Enabling this allows for invited visitors to have access 24 hours in advance of their visit.

  5. Card Configuration

    1. Choose whether to disable card generation, enable it for invited visitors only, or enable it for both walk-ins and invited visitors

    2. Add optional text to the QR code email

    3. Add min and max card number range, plus format

  6. Options

    1. Envoy requires a field to store our Visitor identifier. You can change the default of UDF1.

    2. Choose which entries to sync to the S2 log

    3. Choose preferred block list detection

      1. Any time a block list keyword is detected

      2. Only when the block list denies a visitor access

      3. None

  7. Customization

    1. Choose a field to store the Host's name

    2. Option to add the prefix "envoy-" to any Envoy generated person ID within S2

    3. Option to remove the user record upon sign out.

How Envoy Visitors entries look in Netbox

In the example below, the company Second Street Labs created a Netbox event called Envoy Block list Visitor Registered. They configured the application to sync all visitor entries. Additionally, they want to trigger the new event they created when a block list visitor is denied access.

  • Visitor Sophia Fitzroy signed in at 17:28. Her entry appears in the activity log as a record, but there are no additional triggered events.

  • Visitor Grey Ryer signed in at 18:12. His entry also appears in the activity log as a record, but, additionally, the Envoy Block list Visitor Registered event triggered since he was denied access.

How to view people created in Netbox through the sign-in event

In the example below, the visitor Sarah Smith has signed in with Envoy and is now accessible as a Person record.

  • Locate the visitor through Administration > People Search

How access cards are assigned to Envoy Visitors in Netbox

Assigning access cards to visitors currently requires a few easy steps. Once visitors are signed out, their card will be unassigned in Netbox. Please follow the instructions below to assign a card to your visitors:

  1. Log in to your NetBox admin panel.

  2. Select “People Search” under the “Administration” menu in the NetBox admin panel.

  3. Search the “Find People” page using the first or last name fields based on the visitor’s information and click “Search”.

  4. The new visitor can be selected by clicking the corresponding name in the “Name” column in the “People Search” results.

    1. We recommend finding the visitor by both “Name” and “Modified” columns to ensure the most recent entry for this visitor is selected.

  5. The “People Information” page for this visitor allows a card to be assigned. Click the “Read” button under “Read Credential”.

    1. If the card profile has already been configured, then the identifier on the back of the card can simply be entered, instead of scanning the card.

    2. After clicking “Read”, scan the visitor’s unassigned card on a reader. This will assign the physical card to the Envoy visitor’s entry in Netbox.

    3. Please refer to Netbox documentation if Card Formats have not yet been assigned.

    4. Please refer to Netbox documentation if Access Levels have not yet been defined.
