Verkada devices are designed to maintain your network’s security while still offering remote access and easy management of your devices. In most cases, little to no updates to your network settings are required. Depending on your particular case, however, some configuration may be required to get your devices online.

If your network is configured properly as per the instructions below, and you still cannot get your device online, please reach out to Verkada Support and try to use this guide to provide a packet capture to the team so we can best solve your issue.

IP Address

Verkada devices must be assigned a routable IP address via DHCP. For network security reasons, static IP addresses are not currently supported. A DHCP reservation is a hassle-free way to ensure the device receives a specific IP address. You need the camera's MAC address to create a reservation. The MAC address of an AC41 can be found on the sticker below the cable management compartment.

DNS

Verkada devices require a DNS server to be able to resolve specific domains in order to communicate with Verkada Command. DNS servers can only be set with DHCP. Verkada devices will always query DNS servers via the standard destination port 53 using UDP. DNS over HTTPS (DoH) is not currently supported.

Firewall

Verkada devices need to communicate with specific domains owned by Verkada to provide you with a full-featured experience. All communication between a Verkada device and Verkada Command is over HTTPS using port TCP 443. Devices also use NTP to synchronize time over UDP port 123.

Note: When Verkada devices communicate with Verkada Command, connections are made outbound from your LAN to our servers on the Internet. The source port that the Verkada device uses to communicate with Command varies per standard IP communication practices, within the standard range of ephemeral ports (49152-65535).

Depending on your firewall rules, you may need to whitelist the Verkada server subdomain, control.verkada.com, over TCP port 443:

*.control.verkada.com

If you prefer to whitelist specific domains, use these FQDNs over TCP port 443:

api.control.verkada.com
relay.control.verkada.com
index.control.verkada.com
firmware.control.verkada.com
update.control.verkada.com

The Verkada next-generation video streaming capability uses the following FQDN over TCP 443 and UDP 443:

*.kinesisvideo.us-west-2.amazonaws.com

For the devices to perform NTP time synchronization, whitelist communication over UDP port 123 to the below FQDN and IP address:

time.control.verkada.com
34.216.15.26

Note: 34.216.15.26 will be used as the fallback if time.control.verkada.com cannot be resolved.
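
As an added example (not Verkada's code), the Python script below audits an egress allowlist against the base device endpoints listed above and returns every host, protocol and port combination that no rule covers. The `allow <proto> <port> <host>` rule format, the sample rules and the wildcard semantics are assumptions made for the illustration; confirm how your own firewall interprets a leading `*.`.

```python
# Required (host, proto, port) tuples, taken from the Firewall section above.
REQUIRED = [
    ("api.control.verkada.com", "tcp", 443),
    ("relay.control.verkada.com", "tcp", 443),
    ("index.control.verkada.com", "tcp", 443),
    ("firmware.control.verkada.com", "tcp", 443),
    ("update.control.verkada.com", "tcp", 443),
    ("*.kinesisvideo.us-west-2.amazonaws.com", "tcp", 443),
    ("*.kinesisvideo.us-west-2.amazonaws.com", "udp", 443),
    ("time.control.verkada.com", "udp", 123),
    ("34.216.15.26", "udp", 123),  # NTP fallback when the FQDN does not resolve
]

def host_covered(rule_host, needed_host):
    """True if an allowlist host entry covers the needed host.
    Assumption: '*.example.com' matches any name ending in '.example.com'
    (one or more extra labels) but never 'example.com' itself."""
    rule_host = rule_host.lower().rstrip(".")
    needed_host = needed_host.lower().rstrip(".")
    # rule_host[1:] keeps the leading dot, so look-alike names do not match.
    return rule_host == needed_host or (
        rule_host.startswith("*.") and needed_host.endswith(rule_host[1:]))

def parse_allowlist(text):
    """Parse constructed 'allow <proto> <port> <host>' lines; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 4 and fields[0] == "allow":
            rules.append((fields[3], fields[1].lower(), int(fields[2])))
    return rules

def missing_endpoints(rules, required=REQUIRED):
    """Return the required (host, proto, port) tuples that no rule covers."""
    return [
        (host, proto, port) for host, proto, port in required
        if not any(p == proto and n == port and host_covered(h, host)
                   for h, p, n in rules)
    ]

SAMPLE_ALLOWLIST = """\
# constructed sample: TCP-only streaming rule, no NTP fallback address
allow tcp 443 *.control.verkada.com
allow tcp 443 *.kinesisvideo.us-west-2.amazonaws.com
allow udp 123 time.control.verkada.com
"""

if __name__ == "__main__":
    for host, proto, port in missing_endpoints(parse_allowlist(SAMPLE_ALLOWLIST)):
        print(f"missing: {proto}/{port} -> {host}")
```

Against the constructed sample it flags the UDP 443 streaming rule and the NTP fallback address, the two entries most easily overlooked when only TCP 443 and the NTP hostname are allowed.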

Access control devices require additional domains whitelisted over TCP port 443:

vcerberus.command.verkada.com
access.control.verkada.com

Alarms devices require these additional domains whitelisted over TCP port 443:

api.control.verkada.com
valarm.command.verkada.com
vconductor.command.verkada.com
vmdm.command.verkada.com
global.turn.twilio.com
*.appcenter.ms

Alarm Consoles also require these domains whitelisted over UDP port 3478:

global.stun.twilio.com
global.turn.twilio.com

Sensor devices require these additional domains whitelisted over TCP port 443:

vsensor.command.verkada.com
vconductor.command.verkada.com

Viewing Stations require whitelisting the subdomain command.verkada.com over TCP port 443:

*.command.verkada.com

If you prefer to whitelist specific domains, use these FQDNs over TCP port 443:

vecho.command.verkada.com
vmdm.command.verkada.com
vprovision.command.verkada.com
vvx.command.verkada.com
vlocaldns.command.verkada.com
vstream.command.verkada.com
vsensor.command.verkada.com
vsubmit.command.verkada.com

BC51, VX51, and VX52s require the following endpoints in addition to those required for their platform:

TCP 80

appldnld.apple.com
updates-http.cdn-apple.com
crl.apple.com
crl.entrust.net
crl3.digicert.com
crl4.digicert.com
ocsp.apple.com
ocsp.digicert.com
ocsp.entrust.net

TCP 443

ns.itunes.apple.com
updates.cdn-apple.com
xp.apple.com
ppq.apple.com
ocsp2.apple.com
valid.apple.com
albert.apple.com

TCP 80 & TCP 443

gg.apple.com
gs.apple.com
mesu.apple.com
*.itunes.apple.com
*.apps.apple.com
*.mzstatic.com
itunes.apple.com
certs.apple.com

UDP 123

time-ios.apple.com
time.apple.com

Email Server

To ensure reliable delivery of Verkada emails (including event notifications, password reset emails, and magic links), the following email domains should be whitelisted on your mail server.

@verkada.com
@command.verkada.com

SSL/TLS Inspection & Proxy Servers

Verkada devices are incompatible with LANs that require the use of proxy servers or that require SSL/TLS inspection. If either is in use, a bypass for all Verkada devices must be put in place so that Verkada devices can communicate with Verkada Command.
