Nebula Assigned Domain Name

Zyxel_Claudia (Zyxel Employee)
edited November 14 in Other Topics

To streamline secure remote access, USG FLEX H Series Firewall now supports Nebula-assigned domain names. This feature provides each Nebula-managed firewall with a unique, auto-generated FQDN, making it easier to set up and manage Remote Access VPN connections.

In this article, we’ll explore what the Nebula-assigned domain name is, how it works, and how you can configure binding addresses for different deployment scenarios.

1. What Is a Nebula-Assigned Domain Name?

Each Nebula-managed firewall is automatically assigned a unique domain name (e.g., abc123.zyxelcloud.net) by the Nebula Control Center (NCC). This domain is:

  • Bound to your firewall’s IP address
  • Used for Remote Access VPN services such as IPSec VPN and SSL VPN

2. Where to Configure It

This setting is only available in Nebula and cannot be modified through the local firewall GUI.

To find the setting:

  • Navigate to Site-wide > Configure > Firewall > Remote access VPN

You’ll also see an option to choose or change the binding address - this determines which interface or IP the domain name points to.

3. Binding Address Options

The Binding Address defines which IP address the Nebula-assigned domain name will resolve to. You have several options:

Auto (Default)

  • The domain name resolves to the IP address used to connect to Nebula
  • Ideal for most setups with a single internet-facing interface

Specific Interface (e.g., Ge1, Ge2)

  • You can bind the domain to a specific WAN interface IP
  • Useful when managing multiple WAN connections

Custom IP Address

  • Manually define a public IP address
  • Perfect for setups with static public IPs or multi-WAN scenarios

Example Binding Scenarios:

When clients perform a DNS lookup for the assigned domain (e.g., using nslookup), the returned IP address depends on the binding address configuration:

  • Auto: IP used for Nebula connectivity (usually public)
  • Interface (e.g., Ge1): IP of the selected interface (may be private if NAT is involved)
  • Custom: The manually specified public IP

This gives you control over which address is published to DNS for VPN access.
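The check below is an added example, not part of the original article or Zyxel's tooling: it takes the addresses returned for the assigned domain and flags the cases described above, namely a private or carrier-grade NAT address being published, or a record that differs from the binding address you intended. The function names and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import socket

# Ranges that are not reachable from the internet without NAT or port forwarding.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "100.64.0.0/10",                                   # carrier-grade NAT
    "169.254.0.0/16", "127.0.0.0/8",                   # link-local, loopback
)]

def resolve(fqdn):
    """Live lookup: the IPv4 addresses the domain currently resolves to."""
    infos = socket.getaddrinfo(fqdn, None, family=socket.AF_INET)
    return sorted({info[4][0] for info in infos})

def check_binding(addresses, expected=None):
    """Return findings for the addresses published for the domain.

    expected is the IP you intended to publish (the Custom IP or the chosen
    interface's IP); leave it as None for Auto.
    """
    if not addresses:
        return ["domain does not resolve"]
    findings = []
    for text in addresses:
        ip = ipaddress.ip_address(text)
        if any(ip in net for net in NON_PUBLIC):
            findings.append(f"{ip} is not publicly routable; "
                            "remote VPN clients cannot reach it directly")
        if expected is not None and ip != ipaddress.ip_address(expected):
            findings.append(f"{ip} differs from the intended binding address {expected}")
    return findings

if __name__ == "__main__":
    # Constructed sample answers (documentation and private ranges), not real lookups.
    samples = {
        "auto, public WAN": (["203.0.113.10"], None),
        "interface behind NAT": (["192.168.1.2"], None),
        "custom, stale record": (["203.0.113.10"], "198.51.100.7"),
    }
    for name, (addrs, expected) in samples.items():
        print(name, "->", check_binding(addrs, expected) or "ok")
```

To run it against a live site, pass `resolve("<your Nebula-assigned domain>")` as the first argument.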

4. Certificate Binding for VPN

Importing Nebula Assigned Domain Name Certificate:

  • NebulaRemoteAccessDefaultCert is uploaded to the firewall after it has successfully onboarded with NCC
  • This certificate is used by Auto certificate validation when the VPN Server Address is set to the Nebula Assigned Domain Name

You may also manually configure the certificate if needed.