Setting up Verkada with Zscaler

Verkada has a secure-by-default architecture. As a part of this, all connectivity from the cameras is outbound-only and leverages TLS 1.2 for connectivity back to our Verkada servers.

Proxies intercept traffic originating from a client and forward this onto the intended destination. They are leveraged for a number of reasons: traffic filtering, auditing, security, and more. Some locations will configure their network to redirect all Internet-bound traffic through a proxy to take advantage of these benefits.

To ensure a man-in-the-middle attack is not occurring, Verkada cameras and Command leverage managed certificates. Depending on the operation of a deployed proxy, if adjustments are made to these certificates (such as with SSL/TLS decryption) the camera will not come up or function properly. Further information can be found in the following article:

https://help.verkada.com/en/articles/4048220-verkada-cameras-with-ssl-decryption.

Proxy users will often utilize bypass rules for technologies that cannot support SSL inspection because of their secure-by-default nature. This specifies certain addresses, FQDNs, or other identifying characteristics to be used to allow traffic to bypass the proxy. This will need to be set up for the Verkada cameras to operate successfully.

Zscaler Example

Zscaler is a cloud-based proxy and firewall solution. Traffic is routed from on-premises to the service where various policies can be applied.

Topology Example

The above topology outlines the desired end goal. All traffic is forwarded to Zscaler based on the original setup. In order to avoid Verkada being subject to any of the Zscaler policies that will cause issues for the cameras establishing a secure connection, exclusion policies will need to be set up to exclude traffic from Verkada cameras from such policies.

Setting up Exemptions

When leveraging SSL inspection with Zscaler, we need to configure an exemption policy. Further information on how to do this can be found at the following URL:

https://help.zscaler.com/zia/skipping-inspection-traffic-specific-urls-or-cloud-apps

Bypassing Zscaler for Camera Traffic Locally

Depending on the setup of the Zscaler service, it may also be possible to not forward Verkada camera traffic to Zscaler at all. For example, if leveraging PBR to only forward client VLAN traffic to Zscaler instead of using a default route to pass the traffic along the GRE/IPSec tunnel to the Zscaler DC, then there is scope to adjust the routing.

Therefore, if the Verkada cameras are on a dedicated VLAN, the network can be configured to forward traffic from this VLAN out to the Internet through normal means, while still having client based VLANs forwarded onto to Zscaler as shown in the below topology:

Topology Example

Additional Zscaler Feature to Consider

Zscaler has a number of additional features that can be leveraged. The following lists those to consider which may impact the operation of the Verkada cameras:

If your Verkada cameras are still not coming online, please read over the steps in this guide.

Did this answer your question?