Nebula [Information] - How Devices Communicate with NCC & Ports used for NETCONF

This article explains how Nebula devices communicate with the Nebula Control Center (NCC) and which ports are used. It covers the Nebula cloud management TCP ports, the Call Home process, the Nebula servers used for NETCONF, NCC, NTP, Zero Touch Provisioning, and the USG FLEX configure and monitor services, as well as the access point (AP) onboarding enhancement in firmware 6.50 and how APs come online in Nebula.

Introduction

Many of the customer inquiries we receive concern connectivity issues between Nebula devices and the Nebula Control Center. To shed some light on this topic, we created this knowledge base article to explain how these devices communicate with the cloud.

Ports needed for devices to come online in NCC

The following ports are currently used for communication between NCC and the Nebula devices.

  • Ports 443 and 6667 are used over TCP for Nebula Cloud Management.
  • Since firmware version 5.50 on the access points, port 4335 is also used (NETCONF_CALL_HOME). It will eventually be implemented on other units as well.
  • Port 123 is used over UDP for Network Time Protocol (NTP).

Port information can also be found in NCC under Help > Firewall Information.

| Service | FQDN | IP Address | Port | Protocol |
|---|---|---|---|---|
| Nebula Cloud Management (NETCONF) | d.nebula.zyxel.com | 3.250.41.21, 34.243.116.158, 34.245.88.134, 34.246.20.161, 52.210.12.1, 52.210.229.217, 52.210.60.147, 52.48.115.44, 54.154.22.135, 54.216.81.7, 54.73.103.137, 54.76.217.223, 63.32.141.172, 63.35.107.114 | 4335 / 6667 | TCP |
| Nebula Cloud Management | *.nebula.zyxel.com | Dynamic | 443 | TCP |
| Network Time Protocol | *.pool.ntp.org | Dynamic | 123 | UDP |
| Nebula Cloud Management (Zero Touch Provisioning) | d-a.nebula.zyxel.com | Dynamic | 443 | TCP |
| Nebula Cloud Management (Configure related service for USG FLEX series) | d-cp.nebula.zyxel.com | 18.202.218.135, 34.242.51.157, 34.242.68.126, 34.243.111.168, 34.245.202.205 | 4335 | TCP |
| Nebula Cloud Management (monitor-related service for USG FLEX series) | d-mp.nebula.zyxel.com | 52.18.204.70, 54.220.154.85, 63.34.155.16 | 443 | TCP |
| Nebula Cloud Management (NETCONF for USG FLEX H series) | d2.nebula.zyxel.com | 54.217.198.223 | 4335 | TCP |
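To verify that an egress firewall actually permits the TCP flows in the table above, the following added example (not Zyxel's code) probes each named FQDN and port and classifies the failure mode. It assumes it is run from a host on the same VLAN and egress policy as the Nebula device; the function names are hypothetical.

```python
#!/usr/bin/env python3
"""Probe the outbound TCP flows a Nebula device needs (added example)."""
import socket

# FQDN/port pairs copied from the firewall table in this article (TCP only).
# Wildcard entries (*.nebula.zyxel.com, *.pool.ntp.org) and NTP on UDP 123
# are not probed: they have no single hostname a TCP connect can test.
NEBULA_TCP_FLOWS = [
    ("d.nebula.zyxel.com", 4335),
    ("d.nebula.zyxel.com", 6667),
    ("d-a.nebula.zyxel.com", 443),
    ("d-cp.nebula.zyxel.com", 4335),
    ("d-mp.nebula.zyxel.com", 443),
    ("d2.nebula.zyxel.com", 4335),
]


def probe(host, port, timeout=3.0, connect=socket.create_connection):
    """Return 'open', 'dns-failure', 'refused' or 'filtered' for one flow.

    `connect` is injectable so the classification can be tested offline.
    """
    try:
        conn = connect((host, port), timeout)
    except socket.gaierror:
        return "dns-failure"   # resolver blocked or name did not resolve
    except ConnectionRefusedError:
        return "refused"       # a reset came back: path exists, port rejected
    except OSError:
        return "filtered"      # timeout or unreachable: typical of a silent drop
    conn.close()
    return "open"


def failing_flows(flows=NEBULA_TCP_FLOWS, **kwargs):
    """Probe every flow; return those that did not complete a TCP handshake."""
    results = [(host, port, probe(host, port, **kwargs)) for host, port in flows]
    return [r for r in results if r[2] != "open"]


if __name__ == "__main__":
    bad = failing_flows()
    for host, port, status in bad:
        print(f"{host}:{port}/tcp -> {status}")
    print("all required TCP flows reachable" if not bad
          else f"{len(bad)} flow(s) failing")
```

A "filtered" result on 4335 or 6667 with "open" on 443 usually points to a policy that only allows web ports outbound, which lets the device reach the portal but not complete Call Home.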

Communication Process (Call Home)

Communication between Nebula devices and NCC is called Call Home and comprises the 4 steps below:

Get IP address/ DNS Server from local DHCP Server
By default, Nebula devices are DHCP clients. When they are powered on, they try to get an IP address and DNS server information from the local DHCP server.

NETCONF over TLS
Next, the devices perform a TCP handshake with the Nebula Control Center, and the Nebula Control Center then initiates a TLS (Transport Layer Security) handshake with the devices. This phase is called NETCONF over TLS.

Synchronization Time
The Nebula Control Center then provisions the devices with an NTP setting so they can synchronize their time.

Configure and Monitor
In the last phase, the Nebula Control Center sends get and edit-config requests to the Nebula devices, which lets users configure settings and monitor the status of the devices from the Nebula Control Center web GUI. The above two steps are the Cloud Connection between Nebula devices and Nebula Control Center.

AP Onboarding Enhancement (from 6.50)

In the old communication process, the access point (AP) needed to apply the cloud mode default settings to successfully go online in Nebula. An additional process was then required to reset the device information, which took about 90 seconds.

From firmware 6.50 onward, the AP can skip this process and show the "up to date" status in Nebula much faster. This applies only when the device has:

  • Default (factory) setting
  • Changed Management IP (Interface); or
  • Admin password

In our internal testing, the process now takes around 6-8 minutes before the device goes online and shows "up-to-date".
