As a part of Verkada's secure-by-default architecture, all connectivity from the cameras is outbound-only and leverages TLS 1.2 for connectivity back to our Verkada servers.
Proxies intercept traffic that originates from a client and forward it to the intended destination. They are leveraged for a number of reasons: traffic filtering, auditing, security, and more. Some locations configure their network to redirect all internet-bound traffic through a proxy to take advantage of these benefits.
Manage certificates via Command
To prevent man-in-the-middle attacks, Verkada cameras and Verkada Command leverage managed certificates. Depending on the operation of a deployed proxy, if adjustments are made to these certificates (such as with SSL/TLS decryption), the camera does not come up or function properly. Learn more about Verkada Cameras with SSL Decryption.
Set up SSL inspection
Proxy users often utilize bypass rules for technologies that cannot support SSL inspection. These rules specify certain addresses, FQDNs, or other identifying characteristics, and traffic that matches them is allowed to bypass the proxy.
We recommend setting this up so that Verkada cameras operate successfully.
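The following Python check is an added example, not code from Verkada or any proxy vendor. It audits a bypass list against observed flows and reports camera traffic that no rule exempts from inspection. The rule format, the `example.net` hostnames, and the 10.20.30.0/24 camera VLAN are constructed assumptions; substitute the values from your own proxy configuration.

```python
import ipaddress

# Constructed bypass list (assumption): destination FQDN patterns and source subnets.
BYPASS_FQDNS = ["*.camera.example.net", "time.example.net"]
BYPASS_SOURCES = ["10.20.30.0/24"]  # assumed dedicated camera VLAN

# Constructed flow records, as might be exported from proxy logs: source IP and TLS SNI.
FLOWS = [
    {"src": "10.20.30.11", "sni": "api.camera.example.net"},
    {"src": "10.20.30.12", "sni": "video.othercdn.example.org"},
    {"src": "10.20.30.13", "sni": "xcamera.example.net"},
    {"src": "10.20.30.14", "sni": "time.example.net"},
    {"src": "10.50.0.5", "sni": "www.example.org"},  # client VLAN, not a camera
]

def fqdn_matches(pattern, host):
    """Match a host against an exact name or a leading-wildcard pattern."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        # Compare against ".suffix" so the match falls on a label boundary:
        # "*.camera.example.net" must not match "xcamera.example.net".
        # The bare apex ("camera.example.net") is not matched here.
        return host.endswith(pattern[1:])
    return host == pattern

def is_bypassed(src_ip, sni, fqdns, sources):
    """Return a description of the rule exempting this flow, or None."""
    addr = ipaddress.ip_address(src_ip)
    for net in sources:
        if addr in ipaddress.ip_network(net):
            return f"source {net}"
    for pat in fqdns:
        if sni and fqdn_matches(pat, sni):
            return f"fqdn {pat}"
    return None

def inspected_camera_flows(flows, camera_net, fqdns, sources):
    """List flows from the camera subnet that no bypass rule covers."""
    cam = ipaddress.ip_network(camera_net)
    return [f for f in flows
            if ipaddress.ip_address(f["src"]) in cam
            and is_bypassed(f["src"], f["sni"], fqdns, sources) is None]

if __name__ == "__main__":
    # FQDN-only rules leave gaps; adding the camera subnet as a source rule closes them.
    for label, sources in (("fqdn-only", []), ("fqdn+source", BYPASS_SOURCES)):
        gaps = inspected_camera_flows(FLOWS, "10.20.30.0/24", BYPASS_FQDNS, sources)
        print(label, [f"{f['src']} -> {f['sni']}" for f in gaps])
```

Any flow this reports would still be subject to SSL/TLS decryption, which is the condition under which the camera does not come up or function properly.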
Examples
Zscaler example
Zscaler is a cloud-based proxy and firewall solution. Traffic is routed from on-premises to the service where various policies can be applied.
Topology example
This topology outlines the desired end goal. All traffic is forwarded to Zscaler based on the original setup.
To keep Verkada camera traffic from being subject to Zscaler policies that can prevent the cameras from establishing a secure connection, set up exclusion policies that exempt traffic from Verkada cameras from those policies.
Set up exemptions
When leveraging SSL inspection with Zscaler, you need to configure an exemption policy. Learn more on how to do this.
Bypass Zscaler for camera traffic locally
Depending on the setup of the Zscaler service, it may also be possible to not forward Verkada camera traffic to Zscaler at all. For example, if you leverage PBR to only forward client VLAN traffic to Zscaler, instead of using a default route to pass the traffic along the GRE/IPSec tunnel to the Zscaler DC, then there is scope to adjust the routing.
This means that if the Verkada cameras are on a dedicated VLAN, you can configure the network to forward traffic from this VLAN out to the internet through normal means while still having client-based VLANs forwarded on to Zscaler, as shown below.
Topology example
Zscaler features to consider
Zscaler has a number of additional features that you can leverage. Read about bandwidth control to understand what can affect the operation of the Verkada camera.
If your Verkada cameras are still not coming online, read New Camera Won't Come Online.
Need more help? Contact Verkada Support.