Verkada Required Network Settings

Required Network Settings

This is an overview of the network settings you'll need to enable to activate Verkada devices.

Verkada devices are designed to maintain your network’s security while still offering remote access and easy management of your devices. In most cases, little to no updates to your network settings are required. Depending on your particular case, however, some configuration may be required to get your devices online.

If your network is configured properly as per the instructions below, and you still cannot get your device online, please reach out to Verkada Support and try to use this guide to provide a packet capture to the team so we can best solve your issue.

 

IP Address/DHCP

Verkada devices must be assigned a routable IP address via DHCP. For network security reasons, static IP addresses are not currently supported. A DHCP reservation is a hassle-free way to ensure the device receives a specific IP address. You need the camera's MAC address to create a reservation. The MAC address of an AC41 can be found on the sticker below the cable management compartment.

 

 

DNS

Verkada devices require a DNS server to be able to resolve specific domains in order to communicate with Verkada Command. DNS servers can only be set with DHCP. Verkada devices will always query DNS servers via the standard destination port 53 using UDP. DNS over HTTPS (DoH) is not currently supported.

 

 

Firewall Settings

Verkada devices need to communicate with specific domains owned by Verkada to provide you with a full-featured experience. All communication between a Verkada device and the Verkada servers uses HTTPS (TCP/443). Additionally, all devices synchronize their time using NTP (UDP/123)

 

Note: When Verkada devices communicate with Verkada servers, connections are made outbound from your LAN to our servers over the internet. As per standard IP communication practices, the source port will fall into the ephemeral port range (49152-65535).

 

All Devices

All Verkada devices require the following access:

api.control.verkada.com - TCP/443
relay.control.verkada.com - TCP/443
index.control.verkada.com - TCP/443
firmware.control.verkada.com - TCP/443
update.control.verkada.com - TCP/443
time.control.verkada.com - UDP/123
34.216.15.26 - UDP/123

The above can also be shortened as:

*.control.verkada.com - TCP/443
time.control.verkada.com - UDP/123

Note: Most devices will also require additional access, outlined in the below sections

 

Cameras

The Verkada next-generation video streaming capability requires the following access:

*.kinesisvideo.us-west-2.amazonaws.com - TCP/443
*.kinesisvideo.us-west-2.amazonaws.com - UDP/443

If you are using cloud backup on your cameras, the following is also required:

s3.us-west-2.amazonaws.com - TCP/443
s3.us-west-004.backblazeb2.com - TCP/443
s3.eu-central-003.backblazeb2.com - TCP/443

 

Access Control

Access control devices require the following additional access:

vcerberus.command.verkada.com - TCP/443
access.control.verkada.com - TCP/443

 

Alarms

Alarms devices require the following additional access:

api.control.verkada.com - TCP/443
valarm.command.verkada.com - TCP/443
vconductor.command.verkada.com - TCP/443
vmdm.command.verkada.com - TCP/443
global.turn.twilio.com - TCP/443
*.appcenter.ms - TCP/443

 

Alarm Consoles (BC51) require the following additional access:

global.stun.twilio.com - UDP/3478
global.turn.twilio.com - UDP/3478

Note: Alarm consoles also require access to Apple servers, please refer to the Apple section

 

Sensors

Sensor devices require the following additional access:

vsensor.command.verkada.com - TCP/443
vconductor.command.verkada.com - TCP/443

 

Viewing Stations

Viewing stations require the following additional access:

vecho.command.verkada.com - TCP/443
vmdm.command.verkada.com - TCP/443
vprovision.command.verkada.com - TCP/443
vvx.command.verkada.com - TCP/443
vlocaldns.command.verkada.com - TCP/443
vstream.command.verkada.com - TCP/443
vsensor.command.verkada.com - TCP/443
vsubmit.command.verkada.com - TCP/443

Note: Viewing stations also require access to Apple servers, please refer to the Apple section

 

Apple Hardware

The alarm console (BC51) and viewing stations (VX51 and VX52) all run on Apple hardware, and therefore require the following access:

*.apple.com - TCP/80
*.apple.com - TCP/443
*.apple.com - TCP/2197
*.apple.com - TCP/5223
*.apple.com - UDP/123
*.mzstatic.com - TCP/80
*.mzstatic.com - TCP/448
crl.entrust.net - TCP/80
crl3.digicert.com - TCP/80
crl4.digicert.com - TCP/80
ocsp.digicert.com - TCP/80
ocsp.entrust.net - TCP/80

 

Email Server

In order to ensure reliable delivery of Verkada emails (including event notifications, password reset emails, and magic links) the following email domains should be whitelisted on your mail server.

@verkada.com
@command.verkada.com

 

SSL/TLS Inspection & Proxy Servers

Verkada devices are incompatible with LANs that require the use of proxy servers or that require SSL/TLS inspection. If either are in use, a bypass for all Verkada devices must be put in place in order for Verkada devices to communicate with Verkada Command.