Netbox by Lenel•S2

Learn about the Netbox application.

Updated over a week ago

Lenel•S2 develops an array of physical security solutions for large corporations, including access control, video surveillance, event monitoring, digital signage, live Internet-sourced, real-time data and information feeds, mobile applications, and cloud-based services.


  1. You’ll need to be an administrator on your Netbox account to complete this installation. Either become an administrator or ask your admin for help before completing these steps.

  2. The API must be enabled on your Netbox. "System Setup" credentials are needed to authenticate the API requests and are required when using the Netbox endpoints.

    1. Configuration -> Site Settings -> Network Controller -> Data Integration

  3. In order for the app to work and connect to your Netbox instance, please whitelist the following IP addresses for inbound and outbound communication



  4. Ports:

    1. HTTPS - 443

  5. Validate the port for your Netbox instance and confirm the port is whitelisted alongside the IPs above.

How does this application work?

The Envoy + Netbox app streamlines the process of logging and assigning access cards to visitors. When a visitor signs in, Envoy automatically creates an entry for the visitor in your Netbox activity log. Netbox then assigns the visitor an access card with the appropriate expiration date and access level.

If you use Envoy’s block list feature, you can use the Envoy + Netbox app to kick off security measures when an unwanted visitor tries to sign in. When visitors match keywords on your block list, you can choose to trigger an event in Netbox. You can then configure specific actions, like turning on security cameras or alerting your security team.

Enabling the Envoy + Netbox application

Step 1: API

  1. Under Access Control, find S2.

  2. Click “Install.”

In the API step, paste or type your Netbox URL in the Enter your URL field, and click “Next step.”

  1. On-premise NetBox must have an accessible public IP for Envoy to connect.

  2. Note if non-standard ports (http:80 & https:443) are used, this must be accounted for in the setup. 

  3. If your Netbox is configured across multiple partitions, enable "Multi-partition Mode".

Step 2: Access Levels

On the Access Levels step, you'll choose which Envoy visitors sync to Netbox and their permission levels.

  1. The default access level and custom access levels per Envoy visitor type can be defined here.

  2. Setting an Envoy visitor type to "none — disallow" will prevent the visitor type from being recorded as a person record in Netbox.

Step 3: Credentials

On the Credentials step, you'll choose which type of visitors will receive a QR code encoded using Wiegand 26-bit card numbers to be used for entry at an unguarded turnstile

  1. The default setting for Facility code 0 and optional

  2. The minimum and maximum card number can also be set to prevent the QR code from overlapping with an employees' predefined card number

Step 4: Options

On the Options step, you’ll choose where Envoy identifiers are stored and how Envoy visitors that match Block List entries are treated in Netbox, including the ability to trigger an event.

  1. Choose if you’d like to sync 1) all visitor entries or 2) based on Envoy’s block list.

  2. Locate the Choose preferred block list detection dropdown.

  3. Choose if you’d like

    1. to sync Envoy data every time a blocklist keyword is matched OR

    2. only when the block list contact denies a visitor access.

  4. To set up an event trigger when a blocklist entry syncs to Netbox, choose your event trigger from the Trigger an event when blocklist entries sync dropdown. 

  5. If you do not want to set up an event trigger, select "none" and you’re all done.

  1. The "Customize" step allows you to define how Envoy fields are mapped in Netbox, how Signed-out Envoy guests are treated, and more:

    1. Map the "Host's Name" as an optional UDF (User Defined Field).

    2. Map Envoy's QR code as an optional UDF.

    3. Use an Envoy-Generated ID (which addresses a known "wildcard" short coming in Netbox's default numeric person identifier).

    4. Remove the person record in Netbox record upon visitor sign-out from Envoy.

Envoy Workplace + Netbox

Choose your employee access method:

Before using the Envoy Workplace + Netbox application

  • If you haven't yet set up the app, follow the steps from Enabling the Envoy + Netbox application first.

  • You'll also have to ensure that email address and last name match accordingly across Netbox and Envoy, as those are the fields that the app will use to activate and deactivate employee profiles.

  • You'll have to set all employee profiles in Netbox as expired before using Envoy Workplace. Envoy will not be responsible for expiring all employee profiles on your behalf for this app.

Registration & check-in for access

  1. The badge is disabled by default (the badges must start in a disabled state in Netbox).

    1. It is activated once an employee registers and checks in to the workplace via the Envoy dashboard or Envoy mobile app.

Auto check-in with badge swipe.


Health check/Registration questions must be disabled. To disable questions, go here, click advanced settings under the Employee reservation flow, and disable the questionnaire.

Auto-sign out must be enabled in Location Settings. If auto-sign out is disabled, then employees will remain signed in to the workplace and will not be signed in the next day with their badge swipes.

The badge is always active. Swiping the badge signs the employee into the workplace.

Auto Check-in and Desk Reservation

A badge swipe signs a user into Envoy whether or not they are scheduled for the day so long as their badge is active.

If there is an existing desk reservation, the employee is checked into their desk. If there are multiple desks reservations, the employee will be checked into the first desk reservation of the day.

If the account is set to automatically assign desks with employee registration [Desks > Settings], Envoy will automatically create a desk reservation and check the employee into that desk. If this setting is turned off, Envoy will sign the employee into the workspace, but they will have no desk.

Configuration for Employee check-in:

If your company has Envoy Workplace enabled, they can edit their existing application, click on Step 2 Access Levels and click the checkbox to enable the "Envoy Workplace" option. After they do that, they go ahead and re-save the application.

  1. Find the Access Levels step, and you will find a section to enable Workplace

  2. [Required] Enable Workplace by checking the box in the screenshot

  3. [Optional] Choose an employee access level to dynamically add and remove from the person record as an employee signs in and out through Workplace

  4. [Optional] Choose the length of time the employee access duration should remain for their person record to expire

Envoy now seamlessly integrates with Employee badge activity. We offer options for badge activity tracking and automatic check-in to the workplace when swiping the badge.

After enabling Badge Event Data, please select your access method:

  1. Registration & check-in for access

    1. The badge is disabled by default. It is activated once an employee registers and checks in to the workplace via the Envoy dashboard or Envoy mobile app.

  2. Auto check-in with badge swipe

    1. The badge is always active. Swiping the badge signs the employee into the workplace.

Netbox required configuration

If you are using an on-premise NetBox, the following configurations must be followed.

  • Ensure the Netbox API feature is enabled on your Lenel•S2 Netbox. The “Enabled” checkbox should be checked in the “API” section, which you can find in your Netbox under the following menus, Configuration -> Site Settings -> Network Controller -> Data Integration.

  • In order for events to show up in the activity log, they need to have at least one action (Configuration -> Alarms -> Events -> Actions) created for an Event (E.g. Envoy visitor) 

  • In order for the activity log to function, there should be at least one Network Node. The node does not need to be real (Configuration -> Site Settings -> Network Nodes -> Type: MicroNode)

  • If entries are not manually signed out, they expire in 24 to 48 hours depending on the timezone. The entries use local machine time, not GMT time and they are not reported via the API.

  • Note: Since there are two static IP addresses that would potentially connect to the NetBox, "No" should be selected for "Limit Session to single IP address" to ensure that Netbox doesn't block one of the two static IP addresses.

  • In the "Data Integration" tab, the "Enabled" box should be checked.

How Envoy Visitors entries look in Netbox

In the example below, the company Second Street Labs created an Netbox event called Envoy Block list Visitor Registered. They configured the application to sync all visitor entries. Additionally, they want to trigger the new event they created when a block list visitor is denied access.

  • Visitor Sophia Fitzroy signed in at 17:28. Her entry appears in the activity log as a record, but there are no additional triggered events.

  • Visitor Grey Ryer signed in at 18:12. His entry also appears in the activity log as a record, but, additionally, the Envoy Block list Visitor Registered event triggered since he was denied access.

How to view people created in Netbox through the sign in event

In the example below, the visitor Sarah Smith has signed in with Envoy and is now accessible as a Person record.

  • Locate the visitor through Administration -> People Search

Note: If you want to automatically set access levels for visitors through Envoy, you will need to assign “Events” in Access Levels (Configuration -> Access Control -> Access Levels)

How access cards are assigned to Envoy Visitors in Netbox

Assigning access cards to visitors currently requires a few easy steps. Once visitors are signed out, their card will be unassigned in Netbox. Please follow the instructions below to assign a card to your visitors:

  1. Log in to your NetBox admin panel.

    1. Visit the URL defined in step 4 of “Enabling the Envoy + Netbox application”.

    2. Login using the credentials defined in step 5 of “Enabling the Envoy + Netbox application”.

  2. Select “People Search” under the “Administration” menu in the NetBox admin panel.

  3. Search the “Find People” page using the first or last name fields based on the visitor’s information and click “Search”.

  4. The new visitor can be selected by clicking the corresponding name in the “Name” column in the “People Search” results.

    1. It is recommended to find the visitor by both “Name” and “Modified” columns to ensure the most recent entry for this visitor is selected.

  5. The “People Information” page for this visitor allows a card to be assigned. Click the “Read” button under “Read Credential”.

    1. If the card profile has already been configured, then the identifier on the back of the card can simply be entered, instead of reading.

    2. After clicking “read”, scan the visitors unassigned card on a reader. This will assign the physical un-assigned card to the Envoy visitor’s entry in Netbox.

    3. Please refer to Netbox documentation if Card Formats have not yet been assigned.

    4. Please refer to Netbox documentation if Access Levels have not yet been defined.

Ready to sign up?

Get started in minutes. No credit card required. See plans and pricing →

Did this answer your question?