Required Network Settings
Overview of the network settings you'll need to enable to activate Verkada devices
Updated over a week ago

Verkada devices are designed to maintain your network’s security while still offering remote access and easy management of your devices. In most cases, little to no updates to your network settings are required. Depending on your particular case, however, some configuration may be required to get your devices online.

If your network is configured properly as per the instructions below, and you still cannot get your device online, please reach out to Verkada Support and try to use this guide to provide a packet capture to the team so we can best solve your issue.

IP Address/DHCP

Verkada devices must be assigned a routable IP address via DHCP. For network security reasons, static IP addresses are not currently supported. A DHCP reservation is a hassle-free way to ensure the device receives a specific IP address. You need the camera's MAC address to create a reservation. The MAC address of an AC41 can be found on the sticker below the cable management compartment.


DNS

Verkada devices require a DNS server to be able to resolve specific domains in order to communicate with Verkada Command. DNS servers can only be set with DHCP. Verkada devices will always query DNS servers via the standard destination port 53 using UDP. DNS over HTTPS (DoH) is not currently supported.


Firewall Settings

Verkada devices need to communicate with specific domains owned by Verkada to provide you with a full-featured experience. All communication between a Verkada device and the Verkada servers uses HTTPS (TCP/443). Additionally, all devices synchronize their time using NTP (Bi-directional UDP/123).

When Verkada devices communicate with Verkada servers, connections are made outbound from your LAN to our servers over the internet. As per standard IP communication practices, the source port will fall into the ephemeral port range (49152-65535).

Note: If bandwidth is a concern we recommend utilizing both upload and download traffic shapers on the network.

You can use the following links to jump to the relevant sections:

All Devices

All Verkada devices require the following access:

api.control.verkada.com - TCP+UDP/443
relay.control.verkada.com - TCP+UDP/443
index.control.verkada.com - TCP+UDP/443
firmware.control.verkada.com - TCP+UDP/443
update.control.verkada.com - TCP+UDP/443
time.control.verkada.com - UDP/123
user.pyramid.verkada.com - TCP+UDP/443
device.pyramid.verkada.com - TCP+UDP/443
nlb.verkada.com - TCP+UDP/443
device-nlb.verkada.com - TCP+UDP/443
34.216.15.26 - UDP/123

The above can also be shortened as:

*.control.verkada.com - TCP+UDP/443
*.pyramid.verkada.com - TCP+UDP/443
*.verkada.com - TCP+UDP/443
time.control.verkada.com - UDP/123

Note: Most devices will also require additional access, outlined in the below sections

Cameras

The Verkada next-generation video streaming capability requires the following access:

*.kinesisvideo.us-west-2.amazonaws.com - TCP/443
*.kinesisvideo.us-west-2.amazonaws.com - UDP/443
*:4100 - TCP/UDP on LAN (only required for local streaming)

If you are using cloud backup on your cameras, the following is also required:

s3.us-west-2.amazonaws.com - TCP/443
s3.eu-west-1.amazonaws.com - TCP/443
s3.ca-central-1.amazonaws.com - TCP/443
s3.ap-southeast-2.amazonaws.com - TCP/443
s3.us-west-004.backblazeb2.com - TCP/443
s3.eu-central-003.backblazeb2.com - TCP/443

To allow NTS time synchronization:

time.cloudflare.com  - TCP/4460
time.cloudflare.com - UDP/123

Note: NTS will use SSL for secure time synchronization, unlike NTP. It is recommended to exempt these connections from SSL decryption policies.

Access Control

Access control devices require the following additional access:

vcerberus.command.verkada.com - TCP+UDP/443
access.control.verkada.com - TCP+UDP/443

Intercom

In addition to those required for cameras and access control, intercom devices (including TD52 and Desk Station) require the following additional access:

m-555f26aa.kinesisvideo.us-west-2.amazonaws.com - TCP+UDP 443
verkada-erik-sip.sip.twilio.com - TCP+UDP 5060, 5061
verkada-erik-sip.sip.us1.twilio.com - TCP+UDP 5060, 5061
verkada.sip.us1.twilio.com - TCP+UDP 5060, 5061
54.172.60.0/23 - UDP 10000 to 20000
54.244.51.0/24 - UDP 1024 to 65535
34.203.250.0/23 - UDP 10000 to 20000


The Desk Station and Pass app require these additional endpoints if they are set as an Intercom Receiver:

chunderm.gll.twilio.com - TCP/443 
eventgw.twilio.com - TCP/443
ers.twilio.com - TCP/443

This table explains how the above ports are used for your reference:

UDP 123 (time)
TCP 443 (https traffic)
TCP+UDP 4100 (local streaming)
TCP+UDP 5060 (unencrypted SIP)
TCP+UDP 5061 (encrypted SIP)
UDP 1024 - 65535 (voice RTP)

Alarms

Alarms devices require the following additional access:

api.control.verkada.com - TCP+UDP/443
valarm.command.verkada.com - TCP+UDP/443
vconductor.command.verkada.com - TCP+UDP/443
vmdm.command.verkada.com - TCP+UDP/443
global.turn.twilio.com - TCP/443
*.appcenter.ms - TCP/443

Alarm Consoles (BC51) require the following additional access:

global.stun.twilio.com - UDP/3478
global.turn.twilio.com - UDP/3478

Note: Alarm consoles also require access to Apple servers, please refer to the Apple section


Air Quality Sensors

Sensor devices require the following additional access:

vsensor.command.verkada.com - TCP+UDP/443
vconductor.command.verkada.com - TCP+UDP/443

Viewing Stations

Viewing stations require the following additional access:

vecho.command.verkada.com - TCP+UDP/443
vmdm.command.verkada.com - TCP+UDP/443
vprovision.command.verkada.com - TCP+UDP/443
vvx.command.verkada.com - TCP+UDP/443
vlocaldns.command.verkada.com - TCP+UDP/443
vstream.command.verkada.com - TCP+UDP/443
vsensor.command.verkada.com - TCP+UDP/443
vsubmit.command.verkada.com - TCP+UDP/443

Note: Viewing stations also require access to Apple servers, please refer to the Apple section

Guest

Guest apps/iPads might require the following additional access:

Your Intranet

Allowed destinations

Secure Media (ICE/STUN/SRTP) Edge Locations

Protocol

Source

IP

Source Port †

Destination

IP Ranges

Destination Port Range

sydney (au1)

UDP

ANY

ANY

54.252.254.64 - 54.252.254.127

and

3.104.90.0 - 3.104.90.255

10,000 - 20,000

sao-paulo (br1)

UDP

ANY

ANY

177.71.206.192 - 177.71.206.255

and

18.228.249.0 - 18.228.249.255

10,000 - 20,000

dublin (ie1)

UDP

ANY

ANY

54.171.127.192 - 54.171.127.255

and

52.215.127.0 - 52.215.127.255

10,000 - 20,000

frankfurt (de1)

UDP

ANY

ANY

35.156.191.128 - 35.156.191.255

and

3.122.181.0 - 3.122.181.255

10,000 - 20,000

tokyo (jp1)

UDP

ANY

ANY

54.65.63.192 - 54.65.63.255

and

3.112.80.0 - 3.112.80.255

10,000 - 20,000

singapore (sg1)

UDP

ANY

ANY

54.169.127.128 - 54.169.127.191

and

3.1.77.0 - 3.1.77.255

10,000 - 20,000

ashburn (us1)

UDP

ANY

ANY

54.172.60.0 - 54.172.61.255

and

34.203.250.0 - 34.203.251.255

10,000 - 20,000

umatilla (us2)

UDP

ANY

ANY

54.244.51.0 - 54.244.51.255

(54.244.51.0/24)

1,024 - 65,535

roaming (gll)

UDP

ANY

ANY

All IP addresses listed above

1,024 - 65,535

Apple Hardware

The alarm console (BC51) and viewing stations (VX51 and VX52) all run on Apple hardware, and therefore require the following access:

*.apple.com - TCP/80
*.apple.com - TCP/443
*.apple.com - TCP/2197
*.apple.com - TCP/5223
*.apple.com - UDP/123
*.mzstatic.com - TCP/80
*.mzstatic.com - TCP/443
crl.entrust.net - TCP/80
crl3.digicert.com - TCP/80
crl4.digicert.com - TCP/80
ocsp.digicert.com - TCP/80
ocsp.entrust.net - TCP/80

Email Server

In order to ensure reliable delivery of Verkada emails (including event notifications, password reset emails, and magic links) the following email domains should be whitelisted on your mail server.

@verkada.com
@command.verkada.com

SSL/TLS Inspection & Proxy Servers

Verkada devices are incompatible with LANs that require the use of proxy servers or that require SSL/TLS inspection. If either are in use, a bypass for all Verkada devices must be put in place in order for Verkada devices to communicate with Verkada Command.


Visit Training Center for bite-sized video tutorials on how to accomplish role-based tasks in Command.

Did this answer your question?