Verkada devices are designed to maintain your network’s security while still offering remote access and easy management of your devices. In most cases, little to no updates to your network settings are required. Depending on your particular case, however, some configuration may be required to get your devices online.
If your network is configured properly as per the instructions below, and you still cannot get your device online, please reach out to Verkada Support and try to use this guide to provide a packet capture to the team so we can best solve your issue.
IP Address/DHCP
Verkada devices must be assigned a routable IP address via DHCP. For network security reasons, static IP addresses are not currently supported. A DHCP reservation is a hassle-free way to ensure the device receives a specific IP address. You need the camera's MAC address to create a reservation. The MAC address of an AC41 can be found on the sticker below the cable management compartment.
DNS
Verkada devices require a DNS server to be able to resolve specific domains in order to communicate with Verkada Command. DNS servers can only be set with DHCP. Verkada devices will always query DNS servers via the standard destination port 53 using UDP. DNS over HTTPS (DoH) is not currently supported.
Firewall Settings
Verkada devices need to communicate with specific domains owned by Verkada to provide you with a full-featured experience. All communication between a Verkada device and the Verkada servers uses HTTPS (TCP/443). Additionally, all devices synchronize their time using NTP (Bi-directional UDP/123).
When Verkada devices communicate with Verkada servers, connections are made outbound from your LAN to our servers over the internet. As per standard IP communication practices, the source port will fall into the ephemeral port range (49152-65535).
Note: If bandwidth is a concern, we recommend utilizing both upload and download traffic shapers on the network.
All Devices
All Verkada devices require the following access:
api.control.verkada.com - TCP+UDP/443
relay.control.verkada.com - TCP+UDP/443
index.control.verkada.com - TCP+UDP/443
firmware.control.verkada.com - TCP+UDP/443
update.control.verkada.com - TCP+UDP/443
time.control.verkada.com - UDP/123
user.pyramid.verkada.com - TCP+UDP/443
device.pyramid.verkada.com - TCP+UDP/443
nlb.verkada.com - TCP+UDP/443
device-nlb.verkada.com - TCP+UDP/443
34.216.15.26 - UDP/123
The above can also be shortened as:
*.control.verkada.com - TCP+UDP/443
*.pyramid.verkada.com - TCP+UDP/443
*.verkada.com - TCP+UDP/443
time.control.verkada.com - UDP/123
Note: Most devices will also require additional access, outlined in the sections below.
Cameras
The Verkada next-generation video streaming capability requires the following access:
*.kinesisvideo.us-west-2.amazonaws.com - TCP/443
*.kinesisvideo.us-west-2.amazonaws.com - UDP/443
*:4100 - TCP/UDP on LAN (only required for local streaming)
If you are using cloud backup on your cameras, the following is also required:
s3.us-west-2.amazonaws.com - TCP/443
s3.eu-west-1.amazonaws.com - TCP/443
s3.ca-central-1.amazonaws.com - TCP/443
s3.ap-southeast-2.amazonaws.com - TCP/443
s3.us-west-004.backblazeb2.com - TCP/443
s3.eu-central-003.backblazeb2.com - TCP/443
To allow NTS time synchronization:
time.cloudflare.com - TCP/4460
time.cloudflare.com - UDP/123
Note: NTS will use SSL for secure time synchronization, unlike NTP. It is recommended to exempt these connections from SSL decryption policies.
Access Control
Access control devices require the following additional access:
vcerberus.command.verkada.com - TCP+UDP/443
access.control.verkada.com - TCP+UDP/443
Intercom
In addition to those required for cameras and access control, intercom devices (including TD52 and Desk Station) require the following additional access:
m-555f26aa.kinesisvideo.us-west-2.amazonaws.com - TCP+UDP 443
verkada-erik-sip.sip.twilio.com - TCP+UDP 5060, 5061
verkada-erik-sip.sip.us1.twilio.com - TCP+UDP 5060, 5061
verkada.sip.us1.twilio.com - TCP+UDP 5060, 5061
54.172.60.0/23 - UDP 10000 to 20000
54.244.51.0/24 - UDP 1024 to 65535
34.203.250.0/23 - UDP 10000 to 20000
The Desk Station and Pass app require these additional endpoints if they are set as an Intercom Receiver:
chunderm.gll.twilio.com - TCP/443
eventgw.twilio.com - TCP/443
ers.twilio.com - TCP/443
This table explains how the above ports are used for your reference:
UDP 123 (time)
TCP 443 (https traffic)
TCP+UDP 4100 (local streaming)
TCP+UDP 5060 (unencrypted SIP)
TCP+UDP 5061 (encrypted SIP)
UDP 1024 - 65535 (voice RTP)
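Added example (not part of Verkada's documentation): a Python check that scans firewall log lines for denied flows that the lists above say devices need. The log format, the sample lines and the function names are constructed for illustration, only a subset of the page's rules is included, and the wildcard is assumed to match more than one DNS label.

```python
import ipaddress
from fnmatch import fnmatchcase

# Subset of the page's "All Devices" and "Intercom" rules:
# (destination, protocols, (lowest port, highest port)).
RULES = [
    ("*.control.verkada.com", {"tcp", "udp"}, (443, 443)),
    ("*.verkada.com", {"tcp", "udp"}, (443, 443)),
    ("time.control.verkada.com", {"udp"}, (123, 123)),
    ("verkada.sip.us1.twilio.com", {"tcp", "udp"}, (5060, 5061)),
    ("54.172.60.0/23", {"udp"}, (10000, 20000)),
    ("54.244.51.0/24", {"udp"}, (1024, 65535)),
]
# Constructed sample, hypothetical format: ACTION PROTO SRC:PORT -> DST:PORT
SAMPLE_LOG = [
    "DENY tcp 10.0.5.21:50112 -> api.control.verkada.com:443",
    "DENY udp 10.0.5.21:49977 -> 54.172.61.200:15000",
    "DENY udp 10.0.5.21:49978 -> 54.172.62.1:15000",
    "DENY tcp 10.0.5.21:50113 -> time.control.verkada.com:123",
    "ALLOW udp 10.0.5.21:50114 -> time.control.verkada.com:123",
]

def dest_matches(pattern, dest):
    try:
        network = ipaddress.ip_network(pattern)
    except ValueError:
        # Hostname rule. Assumption: "*" may span several DNS labels.
        return fnmatchcase(dest.lower().rstrip("."), pattern)
    try:
        return ipaddress.ip_address(dest) in network
    except ValueError:
        return False  # hostname in the log, IP rule on the page

def required_rule(proto, dest, port):
    """Return the first rule covering this flow, or None."""
    for pattern, protos, (low, high) in RULES:
        if proto in protos and low <= port <= high and dest_matches(pattern, dest):
            return pattern
    return None

def blocked_required_flows(log_lines):
    """List denied flows that match a required rule."""
    hits = []
    for line in log_lines:
        action, proto, _src, _arrow, dst = line.split()
        dest, port = dst.rsplit(":", 1)
        rule = required_rule(proto.lower(), dest, int(port))
        if action == "DENY" and rule:
            hits.append((dest, proto.lower(), int(port), rule))
    return hits
```

Calling blocked_required_flows(SAMPLE_LOG) reports the denied HTTPS and RTP flows; the TCP attempt on port 123 is ignored because the page lists time synchronization as UDP only.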
Alarms
Alarms devices require the following additional access:
api.control.verkada.com - TCP+UDP/443
valarm.command.verkada.com - TCP+UDP/443
vconductor.command.verkada.com - TCP+UDP/443
vmdm.command.verkada.com - TCP+UDP/443
global.turn.twilio.com - TCP/443
*.appcenter.ms - TCP/443
Alarm Consoles (BC51) require the following additional access:
global.stun.twilio.com - UDP/3478
global.turn.twilio.com - UDP/3478
Note: Alarm consoles also require access to Apple servers; please refer to the Apple section.
Air Quality Sensors
Sensor devices require the following additional access:
vsensor.command.verkada.com - TCP+UDP/443
vconductor.command.verkada.com - TCP+UDP/443
Viewing Stations
Viewing stations require the following additional access:
vecho.command.verkada.com - TCP+UDP/443
vmdm.command.verkada.com - TCP+UDP/443
vprovision.command.verkada.com - TCP+UDP/443
vvx.command.verkada.com - TCP+UDP/443
vlocaldns.command.verkada.com - TCP+UDP/443
vstream.command.verkada.com - TCP+UDP/443
vsensor.command.verkada.com - TCP+UDP/443
vsubmit.command.verkada.com - TCP+UDP/443
Note: Viewing stations also require access to Apple servers; please refer to the Apple section.
Guest
Guest apps/iPads might require the following additional access:
| Your Intranet | Allowed destinations |
| Secure Media (ICE/STUN/SRTP) Edge Locations | Protocol | Source IP | Source Port † | Destination IP Ranges | Destination Port Range |
| | UDP | ANY | ANY | and | 10,000 - 20,000 |
| | UDP | ANY | ANY | and | 10,000 - 20,000 |
| | UDP | ANY | ANY | and | 10,000 - 20,000 |
| | UDP | ANY | ANY | and | 10,000 - 20,000 |
| | UDP | ANY | ANY | and | 10,000 - 20,000 |
| | UDP | ANY | ANY | and | 10,000 - 20,000 |
| | UDP | ANY | ANY | and | 10,000 - 20,000 |
| | UDP | ANY | ANY | | 1,024 - 65,535 |
| | UDP | ANY | ANY | All IP addresses listed above | 1,024 - 65,535 |
Apple Hardware
The alarm console (BC51) and viewing stations (VX51 and VX52) all run on Apple hardware, and therefore require the following access:
*.apple.com - TCP/80
*.apple.com - TCP/443
*.apple.com - TCP/2197
*.apple.com - TCP/5223
*.apple.com - UDP/123
*.mzstatic.com - TCP/80
*.mzstatic.com - TCP/443
crl.entrust.net - TCP/80
crl3.digicert.com - TCP/80
crl4.digicert.com - TCP/80
ocsp.digicert.com - TCP/80
ocsp.entrust.net - TCP/80
Email Server
In order to ensure reliable delivery of Verkada emails (including event notifications, password reset emails, and magic links) the following email domains should be whitelisted on your mail server.
@verkada.com
@command.verkada.com
SSL/TLS Inspection & Proxy Servers
Verkada devices are incompatible with LANs that require the use of proxy servers or that require SSL/TLS inspection. If either is in use, a bypass for all Verkada devices must be put in place in order for Verkada devices to communicate with Verkada Command.