Deployment Architecture · 03
Multi-tenant commercial retrofit architecture.
A phased migration blueprint for an occupied 4-floor / 6–12 tenant commercial building running 15+ years of overlapping access, surveillance, and intrusion infrastructure. Mixed-generation hardware, legacy cable audit, credential continuity, tenant coordination, and the rollback documentation that decides whether the migration finishes on time or stalls between phases.
01 / Existing-state assessment
What we're inheriting.
A 4-floor commercial building, ~15,000 sq ft, 8 active tenants ranging from professional services to light medical. Occupied continuously for 12+ hours of a typical business day. Security infrastructure accreted over 15+ years of overlapping tenant build-outs — no single vendor, no consolidated documentation.
Existing access control:
5× doors with 125 kHz prox (3 different reader makes)
3× doors no access control (mechanical key only)
Legacy panel: discontinued model · last firmware 2014
Credentials: ~180 prox cards issued · unknown active count
Existing surveillance:
4× analog NTSC cameras (lobby, 2 corridors, rear entrance)
8-channel coax DVR (only 4 channels in use, others dead)
No recorded retention spec — DVR has unknown disk health
Existing intrusion:
Residential-grade DSC panel · POTS-only monitoring
6 hardwired zones (3 known faulted, panel ignoring them)
Central station: long-time monitoring contract · POTS-line bills
Existing cabling:
Mixed Cat3 / Cat5 / Cat5e
~40% of runs poorly terminated or daisy-chained
Conduit overcrowded in two pathway segments
Some runs not labeled at either end
This is the dominant retrofit pattern in Ottawa commercial real estate — the building works “well enough” until a tenant complains about a missing audit trail, an insurance carrier flags the POTS-only monitoring, or a credential is cloned during a contractor handoff. Then the property manager calls.
02 / Migration objectives
Preservation goals + upgrade goals.
Retrofit objectives split two ways — what we must preserve through the migration (continuity), and what we're upgrading to (capability).
Preservation (continuity)
- 24/7 building access through every phase. No phase causes a door to fail-secure during business hours.
- Existing 180 prox cards remain operational until tenant-by-tenant credential reissue completes. Multi-tech readers preserve both legacy and new credentials in parallel.
- Central station monitoring path uninterrupted. New dual-path communicator commissioned in parallel; legacy POTS line decommissioned only after new path supervised stable.
- Reuse 50–70% of legacy cable where it passes commercial testing. Saves ~$8-12K vs full re-cabling; failed runs are flagged and re-pulled, not relied on.
Upgrade (capability)
- 10 doors of networked access (5 existing + 3 previously uncontrolled + 2 new vestibule) on Kantech EntraPass Corporate.
- 16-camera IP surveillance — replace 4 analog + add 12 new. NDAA-aware. 30-day retention.
- DESFire EV3 as primary credential, phasing out cloneable 125 kHz prox. Mobile credential support via HID Origo as optional secondary.
- Commercial intrusion panel (DSC PowerSeries Neo HS2128) with dual-path LTE+IP communicator — ULC-S304 supervised monitoring spec.
- Centralized audit trail — every access event timestamped and retained ≥90 days.
03 / Phased migration plan
8 phases · 12 weeks.
Each phase has explicit entry criteria, work scope, exit criteria, and rollback trigger. No phase advances until the prior phase's exit criteria pass.
─────────────────────────────────────────────────────────────────────
00-01 Phase 0: Survey + documentation
• Cable test every run (Fluke / Klein tester)
• Reader / panel / camera firmware audit
• Tenant headcount + active-prox-card audit
• Failure-mode mapping for legacy DSC panel
• Cable label + as-built drawing produced
02-03 Phase 1: Head-end rack build
• New 24U rack installed in MDF closet
• Cisco CBS350-24FP PoE+ switch
• Hanwha XRN-1620SB NVR (RAID-6)
• LifeSafety FPO150 access power
• DSC HS2128 + TL880LE communicator (offline)
• APC SRT 3000VA online UPS · battery testing
03-04 Phase 2: Cable audit + new pulls
• Failed Cat3/Cat5 runs identified · re-pull schedule
• Conduit clearance verified for new pulls
• PoE+ load test on each surviving run
• Surge protection added at outdoor cable entries
04-06 Phase 3: Camera commissioning (floor-by-floor)
• Replace 4 analog cameras with IP equivalents
• Add 12 new IP cameras (assigned per floor)
• NVR commissioned per-floor, 7-day soak each
• Analog DVR remains live during transition (parallel)
05-07 Phase 4: Access control multi-tech rollout
• Install HID R40 multi-tech readers (prox + DESFire)
• Re-use existing wiring where rated for the load
• New 5 doors brought live · 3 new doors physically installed
• Old panel + new controller run in parallel
06-07 Phase 5: Alarm panel parallel run
• DSC HS2128 commissioned · TL880LE active to central
• Old DSC residential panel maintains POTS path
• 7-day parallel monitoring window
• Central station confirms supervised polling on new path
07-09 Phase 6: Credential reissue (per tenant)
• Tenant-by-tenant DESFire issuance · 2-week parallel use
• Old prox decommissioned at the controller level per tenant
• Spare credentials issued · audit trail begins
09-10 Phase 7: Legacy decommissioning
• Old DVR exported · drives wiped per data-policy
• Old panel powered down · POTS line cancelled
• Legacy reader heads removed · openings remediated
10-12 Phase 8: Soak + sign-off
• 30-day stability soak
• Insurance + tenant acceptance signatures
• As-built documentation handed to property manager
• Warranty registration · service contract activation
04 / Cable reuse & infrastructure realities
Test every run. Trust no labels.
Existing cable is the single biggest variable in retrofit cost. Getting this wrong adds $10-20K of re-pull work mid-project. Discipline:
Test patterns we use
- Continuity + wiremap per run (every pair). Identifies miswired or split pairs.
- Length verification (TDR). Runs longer than 90m fail Gigabit PoE+ outright.
- NEXT / Return loss at Cat6 spec. Cat5e runs that pass continuity often fail this — and fail under sustained PoE+ heat 6 months later.
- PoE+ thermal load test — run rated power for 30 minutes, then re-test. Marginal cables degrade under heat; bench-bare cable lies.
Reject patterns
- Daisy-chained runs (legacy data) — re-pull.
- Cat3 (legacy phone) — not suitable for PoE; re-pull.
- Untested terminations > 5 years old — re-terminate at minimum.
- Runs through unrated plenum — fire-code reject.
Practical hit rate on this scenario: ~55-65% of legacy runs reusable for IP cameras at PoE+ load. The rest get re-pulled during Phase 2. See PoE Switch Sizing Guide for the per-camera power calculations driving the reject thresholds.
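The test and reject patterns above expressed as a triage function, as an added example (not part of the original page or any vendor tool). The `RunTest` fields, the severity ordering and the survey rows are assumptions constructed for illustration; any failed test is treated as a re-pull, in line with the preservation goal that failed runs are re-pulled rather than reused.

```python
from dataclasses import dataclass

@dataclass
class RunTest:
    label: str
    category: str              # "Cat3", "Cat5", "Cat5e"
    length_m: float            # TDR length
    wiremap_ok: bool           # continuity + wiremap, every pair
    next_rl_ok: bool           # NEXT / return loss
    thermal_retest_ok: bool    # re-test after 30 min at rated PoE+ power
    daisy_chained: bool = False
    rated_pathway: bool = True  # False = runs through unrated plenum
    termination_untested_years: float = 0.0

# Worst outcome wins when several findings apply to one run (assumed ordering).
SEVERITY = {"reuse": 0, "re-terminate": 1, "re-pull": 2, "reject": 3}

def triage(run):
    """Return (decision, reasons) for one surveyed run."""
    checks = [
        (not run.rated_pathway, "reject", "unrated plenum pathway"),
        (run.daisy_chained, "re-pull", "daisy-chained"),
        (run.category == "Cat3", "re-pull", "Cat3 not suitable for PoE"),
        (run.length_m > 90, "re-pull", "longer than 90 m"),
        (not run.wiremap_ok, "re-pull", "wiremap fault"),
        (not run.next_rl_ok, "re-pull", "NEXT / return loss fail"),
        (not run.thermal_retest_ok, "re-pull", "degraded after PoE+ thermal load"),
        (run.termination_untested_years > 5, "re-terminate",
         "termination untested > 5 years"),
    ]
    findings = [(d, why) for hit, d, why in checks if hit]
    decision = max((d for d, _ in findings), key=SEVERITY.get, default="reuse")
    return decision, [why for _, why in findings]

def reuse_rate(runs):
    """Fraction of runs needing no new pull (assumption: re-terminate counts)."""
    keep = sum(triage(r)[0] in ("reuse", "re-terminate") for r in runs)
    return keep / len(runs)

# Constructed survey rows, not data from a real building.
SURVEY = [
    RunTest("L1-CAM1", "Cat5e", 42, True, True, True),
    RunTest("L1-CAM2", "Cat5e", 61, True, True, False),
    RunTest("L2-DR3", "Cat5", 38, True, True, True, termination_untested_years=9),
    RunTest("L2-PH7", "Cat3", 30, True, False, False),
    RunTest("L3-CAM4", "Cat5e", 97, True, True, True, rated_pathway=False),
]
```

A re-terminated run still has to pass the full test sequence again before it counts toward the reusable total.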
05 / Credential continuity strategy
Multi-tech readers + parallel issue window.
The single most common retrofit failure: telling tenants “your card stops working on Monday” and watching the IT helpdesk light up at 7am Monday morning. The migration design eliminates the flag-day cutover entirely.
Multi-tech readers accept both
HID iCLASS SE R40 multi-tech readers accept legacy 125 kHz prox AND new 13.56 MHz DESFire EV3 credentials simultaneously. From the user's perspective, the door "just works" with whichever card they have. The new controller logs which credential type granted entry — giving the property manager visibility into who's still on legacy prox.
Per-tenant issue window
─────────────────────────────────────────────
Day -7 Tenant notified · headcount confirmed
Day -3 New DESFire cards delivered to tenant admin
Day 0 Tenant distributes new cards · old prox still active
Day +7 Mid-window check · tenant reports any access issues
Day +14 Old prox decommissioned at controller for this tenant only
Other tenants continue on their own schedules — no global cutover.
“Dual issue” carry-over allowed for known-needed users (after-hours staff,
contractors with sporadic visits). Documented per case.
Reader-level decommissioning
Old prox cards aren't banned at the reader hardware — they're removed from the tenant's credential set on the controller. This means the operator can re-enable a specific user's old prox in < 30 seconds during the transition if their new DESFire fails or is lost. After all tenants complete, prox card formats are removed at the reader-firmware level. See Credential Selection Guide.
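An added example, not from the original page or from Kantech: a per-tenant check run over a controller event export before the Day +14 prox removal, listing users who would be disrupted and why. The CSV layout, tenant and user names, and the 7-day lookback are assumptions; a real EntraPass export will have a different format.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed controller export: time, tenant, user, credential type, result.
SAMPLE_EVENTS = """\
2024-03-04T08:01:00,Suite 200,alice,prox,granted
2024-03-05T08:03:00,Suite 200,alice,desfire,granted
2024-03-11T08:02:00,Suite 200,alice,desfire,granted
2024-03-04T07:55:00,Suite 200,bob,prox,granted
2024-03-12T07:58:00,Suite 200,bob,prox,granted
2024-03-06T09:10:00,Suite 200,carol,desfire,denied
2024-03-06T09:11:00,Suite 200,carol,prox,granted
2024-03-05T08:20:00,Suite 200,erin,desfire,granted
2024-03-14T08:22:00,Suite 200,erin,prox,granted
2024-03-13T18:30:00,Suite 310,dave,prox,granted
"""

def prox_holdouts(events_csv, tenant, day0, as_of, lookback_days=7):
    """Map user -> reason the tenant's prox set cannot be removed yet."""
    recent = as_of - timedelta(days=lookback_days)
    state = defaultdict(lambda: {"desfire_ok": False, "desfire_denied": False,
                                 "recent_prox": False})
    for ts, who, user, cred, result in csv.reader(io.StringIO(events_csv)):
        when = datetime.fromisoformat(ts)
        if who != tenant or not (day0 <= when <= as_of):
            continue  # other tenant, or outside this tenant's issue window
        s = state[user]
        if cred == "desfire" and result == "granted":
            s["desfire_ok"] = True
        elif cred == "desfire" and result == "denied":
            s["desfire_denied"] = True  # likely a permission assignment error
        elif cred == "prox" and result == "granted" and when >= recent:
            s["recent_prox"] = True
    holdouts = {}
    for user, s in sorted(state.items()):
        if not s["desfire_ok"]:
            holdouts[user] = ("DESFire denied: check permissions"
                              if s["desfire_denied"] else "no DESFire use yet")
        elif s["recent_prox"]:
            holdouts[user] = "still badging with prox"
    return holdouts
```

Users with no events since Day 0 never appear in the output, so compare the result against the headcount confirmed at Day -7.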
06 / Tenant coordination
The non-technical work that makes phases land.
Retrofit failures aren't usually technical — they're communication failures. Standard tenant-coordination protocol:
- 30-day notice before any work that touches a tenant's door, ceiling, or wall. Building manager + tenant principal both copied. Email + posted notice at the door.
- After-hours scheduling for cable work in occupied tenant space. Most pulls finish during 6pm-10pm weekday windows; door re-strikes and reader swaps need next-morning verification.
- Per-tenant primary contact identified up front. One name, one phone, one email. Migration team escalates via this contact, not the building manager (who isn't available at 8pm on a Tuesday).
- Signage protocol — every door touched receives same-day signage showing what work was done, when, and who to call if something doesn't work. Eliminates the "is this door broken or just being upgraded?" helpdesk call.
- On-call after every phase — 24-hour window where any access failure escalates direct to the lead technician via cell, not voicemail. Eliminates Tuesday-morning helpdesk fires.
- Per-phase exit-criteria sign-off from the building manager. Phases don't advance without it. Eliminates the "we thought you were done" conversation 3 months later.
07 / Risk & rollback considerations
What can fail · what we do about it.
Documented rollback paths for the five risks that have historically slipped retrofit timelines. Each has a pre-committed mitigation that doesn't require an architectural redesign mid-project.
// Risk · Cable failure under load
Tested cable passes bench but fails under sustained PoE+
Cable passes Fluke verification but degrades under PoE+ thermal load 30-60 days after install. Camera intermittently power-cycles; PoE switch logs sporadic port-faults.
Rollback: 30-minute PoE+ thermal-load test mandatory in Phase 2 before commissioning. Marginal runs flagged for re-pull. Hold 10% Phase 2 budget in reserve for late re-pulls during soak.
// Risk · Tenant credential rollout delay
Tenant doesn't distribute new cards on time
Tenant principal travels; new DESFire cards sit in their office unopened. Day 14 arrives; we're scheduled to decommission their prox; they call asking why their staff is locked out.
Rollback: Multi-tech readers already accept both formats. We extend the parallel-issue window for that specific tenant — no global schedule slip. Per-tenant decommissioning is a controller-side operation, not a hardware change.
// Risk · Legacy panel won't cleanly disarm
Old DSC residential panel needs physical access to decommission
Phase 7 plan was a remote disarm + power-down. Reality: tenant key for the old panel enclosure is lost; central station can't accept remote disarm because the panel hasn't reported in 6 months.
Rollback: Site visit budgeted in Phase 7. Locksmith on call for enclosure access if key is missing. POTS-line cancellation contingent on physical disconnect verified, not central-station confirmation.
// Risk · Reader firmware mismatch
DESFire reader firmware update changes credential acceptance
Manufacturer pushes a security update during Phase 4. Reader stops accepting a specific DESFire card format that was working the prior day; tenants report intermittent "denied" events.
Rollback: Lock all reader firmware to known-good revision at Phase 4 entry. Defer non-security firmware updates until Phase 8 soak completes. Document tested revision in as-built file.
// Risk · Tenant locks out own staff
Tenant principal mishandles credential reissue
Tenant admin assigns the wrong floor permissions on the new credentials. Day-0 of their reissue, their staff can't enter their own office floor.
Rollback: On-call technician with EntraPass remote-admin access during 6am-9am of every tenant reissue day. Manual override + permission fix in < 5 minutes. Documented per case.
08 / Recommended product stack
Bill of materials.
Same field-verified pairings used across our published architectures — selected here for multi-tech credential compatibility, cable-tolerant PoE behavior, and ULC-S304 commercial-intrusion path.
Access Control · 10 doors
- 3× Kantech KT-400 4-door controller
- 10× HID R40 multi-tech reader (prox + DESFire)
- 1× DESFire EV3 200-card initial issue
- 6× Securitron M62 maglock
- 4× HES 1006 strike
- 10× Bosch DS150i REX motion
Cameras · 16 channels
- 4× XNV-9082R 4K AI turret
- 4× XNV-6081Z outdoor vandal dome
- 4× XND-6080R indoor IR dome
- 4× XNO-6080R outdoor IR bullet
- 1× XRN-1620SB 16-channel NVR
Networking + Power
- 1× Cisco CBS350-24FP 24-port PoE+
- 1× Tripp Lite SR42UB 42U rack
- 1× LSP FPO150 modular access power
- 1× APC SRT 3000VA online rack UPS
- 4× APC PNET1GB surge protection
Intrusion · DSC commercial migration
- 1× DSC HS2128 commercial panel
- 1× DSC TL880LE dual-path LTE/IP
- 1× DSC HS2LCDPRO commercial keypad
- 2× Bosch TriTech motion
- 2× Bosch DS1108i glassbreak