This article outlines the required settings that your Verkada viewing stations need to communicate with Verkada Command and to operate properly.
Requirement: Verkada devices are incompatible with LANs that require the use of proxy servers or that require Secure Socket Layer (SSL)/Transport Layer Security (TLS) inspection. If either are in use, a bypass for all Verkada devices must be implemented for Verkada devices to communicate with Command.
IP address
Viewing stations need an IPv4 address to communicate to Command through the internet. Viewing stations use Dynamic Host Configuration Protocol (DHCP), User Datagram Protocol (UDP) ports 67 and 68, to obtain their IP addresses and network configurations—on a wired or wireless internet connection.
If you want to have a specific IP address on your viewing station, set a DHCP reservation using the device’s Media Access Control (MAC) address (found on the device's label).
Domain Name System
Viewing stations use the Domain Name System (DNS) server to resolve Verkada’s fully qualified domain names (FQDN) to IP addresses to communicate with them. Your DHCP server tells the viewing station where the DNS server is on the network and the viewing station communicates using UDP port 53.
Note: DNS over HTTPS (DoH) is currently not supported.
Firewall settings
Verkada devices require access to many endpoints to have the full-featured experience. Many customers may want to restrict devices to only communicate with the specific required endpoints.
These are the general domains to allow, applicable for all organization-regions:
*.verkada.com - UDP/123 + TCP+UDP/443
34.216.15.26 - UDP/123
*.apple.com - TCP/80
*.apple.com - TCP/443
*.apple.com - TCP/2197
*.apple.com - TCP/5223
*.apple.com - UDP/123
*.mzstatic.com - TCP/80
*.mzstatic.com - TCP/443
crl.entrust.net - TCP/80
crl3.digicert.com - TCP/80
crl4.digicert.com - TCP/80
ocsp.digicert.com - TCP/80
ocsp.entrust.net - TCP/80
firebaselogging-pa.googleapis.com - TCP+UDP/443
browser-intake-datadoghq.com - TCP+UDP/443
If your firewall does not allow wildcard masking, or you prefer to have the entire FQDN of the endpoint in your firewall rules, these are the domains to allowlist, by region:
Region: United States
Note: Your region is selected when you create an organization in Command.
api.global-prod.control.verkada.com - TCP+UDP/443
relay.global-prod.control.verkada.com - TCP+UDP/443
vconductor.global-prod.command.verkada.com - TCP+UDP/443
api.control.verkada.com - TCP+UDP/443
relay.control.verkada.com - TCP+UDP/443
index.control.verkada.com - TCP+UDP/443
firmware.control.verkada.com - TCP+UDP/443
update.control.verkada.com - TCP+UDP/443
time.control.verkada.com - UDP/123
user.pyramid.verkada.com - TCP+UDP/443
device.pyramid.verkada.com - TCP+UDP/443
nlb.verkada.com - TCP+UDP/443
device-nlb.verkada.com - TCP+UDP/443
34.216.15.26 - UDP/123
vecho.command.verkada.com - TCP+UDP/443
vmdm.command.verkada.com - TCP+UDP/443
vprovision.command.verkada.com - TCP+UDP/443
vvx.command.verkada.com - TCP+UDP/443
vlocaldns.command.verkada.com - TCP+UDP/443
vstream.command.verkada.com - TCP+UDP/443
vsensor.command.verkada.com - TCP+UDP/443
vsubmit.command.verkada.com - TCP+UDP/443
*.apple.com - TCP/80
*.apple.com - TCP/443
*.apple.com - TCP/2197
*.apple.com - TCP/5223
*.apple.com - UDP/123
*.mzstatic.com - TCP/80
*.mzstatic.com - TCP/443
crl.entrust.net - TCP/80
crl3.digicert.com - TCP/80
crl4.digicert.com - TCP/80
ocsp.digicert.com - TCP/80
ocsp.entrust.net - TCP/80
firebaselogging-pa.googleapis.com - TCP+UDP/443
browser-intake-datadoghq.com - TCP+UDP/443
Region: Europe
Note: Your region is selected when you create an organization in Command.
api.global-prod.control.verkada.com - TCP+UDP/443
relay.global-prod.control.verkada.com - TCP+UDP/443
vconductor.global-prod.command.verkada.com - TCP+UDP/443
api.prod2.control.verkada.com - TCP+UDP/443
relay.prod2.control.verkada.com - TCP+UDP/443
index.prod2.control.verkada.com - TCP+UDP/443
update.control.verkada.com - TCP+UDP/443
vconductor.prod2.command.verkada.com - TCP+UDP/443
time.control.verkada.com - UDP/123
vconductor.global-prod.command.verkada.com - TCP+UDP/443
vecho.prod2.verkada.com - TCP+UDP/443
vmdm.prod2.verkada.com - TCP+UDP/443
vprovision.prod2.verkada.com - TCP+UDP/443
vvx.prod2.verkada.com - TCP+UDP/443
vlocaldns.prod2.verkada.com - TCP+UDP/443
vstream.prod2.verkada.com - TCP+UDP/443
vsensor.prod2.verkada.com - TCP+UDP/443
vsubmit.prod2.verkada.com - TCP+UDP/443
vfilter.prod2.verkada.com - TCP+UDP/443
*.apple.com - TCP/80
*.apple.com - TCP/443
*.apple.com - TCP/2197
*.apple.com - TCP/5223
*.apple.com - UDP/123
*.mzstatic.com - TCP/80
*.mzstatic.com - TCP/443
crl.entrust.net - TCP/80
crl3.digicert.com - TCP/80
crl4.digicert.com - TCP/80
ocsp.digicert.com - TCP/80
ocsp.entrust.net - TCP/80
firebaselogging-pa.googleapis.com - TCP+UDP/443
browser-intake-datadoghq.com - TCP+UDP/443
Related resources
Video Security Network Settings (Cameras)
Workplace Network Settings (Guest, Mailroom)
Visit the Verkada Training Center for bite-sized video tutorials on how to accomplish role-based tasks in Command.
Need more help? Contact Verkada Support