Specifying a Custom Domain
Introduction
Your Ivanti Neurons for Zero Trust Access (nZTA) tenant subscription is deployed, by default, as a unique Fully Qualified Domain Name (FQDN) provided by Ivanti - typically at pulsezta.net. Enrollment and sign-in endpoints are configured at this FQDN through user authentication policies and provided to end-users in a welcome email. To learn more about user authentication, see Defining User Authentication.
A FQDN is reserved for a specific tenant and remains deployed for the duration of the subscription.
Should you require it, you can provision a custom domain to be used in place of the Ivanti-provided domain. In this scenario, you set up the custom domain within your own DNS infrastructure, pointing to the IP address of your standard Ivanti tenant domain. Through this mechanism, you can advertise the FQDN of your nZTA service as appearing to originate within your own organizational network. For example, where your company domain might be www.example.com, you can configure nZTA at zta.example.com.
With an active custom domain:
- All end-users see your nZTA service as originating at the new domain (such as zta.example.com), and enroll or sign in their devices at endpoints based on that URL.
- When you add Gateways, their hostnames also reside in this domain. The Controller automatically manages DNS and certificates for all Gateways configured in your nZTA service.
- Tenant admins use the Admin Portal based at the custom domain. However, as an emergency backup, access to the standard domain at pulsezta.net remains available.
- Custom domain support is a change to the server-side hostnames and certificates used by the Controller and your Gateways. Your end-user client certificates are unaffected.
IMPORTANT: It is essential to determine whether a custom domain is required at the outset of your subscription, and particularly before you have deployed any Gateways or enrolled any users.
Custom domain usage is contingent on the following restrictions:
- Once configured, a custom domain cannot be removed from a tenant subscription. Consider carefully if you want to enable this feature.
- If you want to add a custom domain to a subscription that uses (or plans to use) an enterprise-provided Public Key Infrastructure (PKI) (see Using an Existing Enterprise PKI), you must configure all enterprise-provided certificates before you configure the custom domain. Failure to follow this order of configuration can result in the Controller becoming unresponsive.
- In this scenario, tenant subscriptions configured with an enterprise PKI cannot be reconfigured to become non-PKI subscriptions.
- Custom domains require at least one server certificate. If you later need to delete the certificate, make sure you have a replacement ready to upload.
You configure a custom domain during the Onboarding Wizard, or at a later time through the Tenant Admin portal.
For more details concerning the Onboarding Wizard, see Working with the Onboarding Wizard.
Configuring a Custom Domain
A custom domain is configured through any of the following routes:
- From a link in the Onboarding Wizard.
- Through the Create Custom Domain workflow, accessed through the Workflows menu icon in the title bar.
- Through the Administration > Enterprise Integrations > Custom Domains page.
Typically, a custom domain is configured at the point a new nZTA subscription starts, through the Onboarding Wizard. The link provided in the wizard triggers the Create Custom Domain workflow, which is described here. The Create Custom Domain workflow enables you to define the custom domain for your nZTA service, together with uploading the necessary server certificates for that domain.
Before you begin, make sure you have the full public TLS server certificate chain and private key files, in PEM or PKCS#12 format, for your proposed domain.
To configure a custom domain, perform the following steps:
- Select the Workflows icon, then select Create Custom Domain. This starts step 1 of the Create Custom Domain workflow.
- Enter the domain name you want to use in the field provided. After you enter your domain, nZTA populates the mTLS domain field automatically. This domain is predetermined based on your entered domain name and is read-only. For example, if you enter "zta.example.com" as your custom domain, the mTLS domain automatically becomes "e.zta.example.com". To continue, select Next.
- In this step, you import the TLS server certificate chain applicable to your domain (or certificate chains, where the TLS and mTLS domains use separate certificates). For Certificate Type, choose one of the following options:
  - Custom Domain with embedded private key: Use this option to upload a certificate file that includes an embedded private key.
  - Custom Domain with separate private key: Use this option to upload a separate certificate file and private key file.
  For encrypted certificates, enter your Password in the field provided. Then, add your Certificate File (and, where applicable, Private Key File), in PEM or PKCS#12 format, to the fields provided. To upload your files, select Import Certificate. Uploaded certificate files are presented in the table for verification. Repeat this step for every certificate you want to upload. Then, select Next to continue.
- Verify the details you have provided. To continue, select Next.
- Activate the domain.
Using the Create Custom Domain workflow - step 4
Select Finish to complete the configuration and activate your custom domain. Through this action, your new domain becomes active, and the original Ivanti-provisioned domain is marked inactive.
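Before running the workflow, it is worth confirming that the files you are about to upload actually fit both hostnames the Controller will serve. The following script is an added example, not part of the Ivanti documentation or product; it assumes openssl is installed, a PEM certificate with a separate PEM private key, the page's zta.example.com as the custom domain, and a trust-anchor file passed explicitly so the chain check runs offline (the demo uses a constructed self-signed certificate in place of a real chain).

```shell
#!/bin/sh
# Added example (not Ivanti code): pre-upload checks for an nZTA custom domain certificate.
# Assumes a PEM certificate and a separate PEM private key; zta.example.com is the page's
# example domain. The trust anchor is an explicit input so the chain check works offline.
set -eu

# nZTA derives the read-only mTLS domain by prefixing "e." to the custom domain.
mtls_domain() { printf 'e.%s\n' "$1"; }

# Returns 0 only when the key matches the leaf, the chain verifies against the given
# anchor, and the SAN covers both the TLS and the mTLS hostname nZTA will serve.
# Usage: check_custom_domain_cert DOMAIN CERT.pem KEY.pem ANCHOR.pem
check_custom_domain_cert() {
  domain=$1 cert=$2 key=$3 anchor=$4
  mtls=$(mtls_domain "$domain")
  # 1. The private key must belong to the leaf certificate: compare the public keys.
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
    || { echo "private key does not match certificate"; return 1; }
  # 2. The chain must build to the anchor (in practice, the real CA chain, not the leaf).
  openssl verify -CAfile "$anchor" "$cert" >/dev/null 2>&1 \
    || { echo "certificate chain does not verify"; return 1; }
  # 3. Both hostnames must be covered, or enrollment on the mTLS domain will fail TLS.
  for host in "$domain" "$mtls"; do
    openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match' \
      || { echo "SAN does not cover $host"; return 1; }
  done
  # 4. Warn when under 30 days remain: have a replacement ready before deleting the old one.
  openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null \
    || echo "warning: certificate expires within 30 days"
  return 0
}

# Constructed test material: a throwaway self-signed certificate with the given SAN list.
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=zta.example.com' \
    -addext "subjectAltName=$2" -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Stand-alone demo: "sh check.sh demo" generates the throwaway cert and checks it.
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp -d)
  make_demo_cert "$tmp" 'DNS:zta.example.com,DNS:e.zta.example.com'
  check_custom_domain_cert zta.example.com "$tmp/cert.pem" "$tmp/key.pem" "$tmp/cert.pem" \
    && echo "ready to upload"
fi
```

Where the TLS and mTLS domains use separate certificates, run the check once per certificate with the hostname loop narrowed to the name that certificate is meant to cover.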
Checking the Configured Domain
To view the currently configured domain details for your subscription, use the Administration > Enterprise Integrations > Custom Domain menu. This presents the Custom Domain page:
Viewing the Domains for your Subscription
Through this page, you can:
- View the currently active and inactive domains.
- Add a custom domain, where one is not currently defined. To learn more about the process of adding a custom domain, see Configuring a Custom Domain.
- Select the arrow icon adjacent to a domain to view the TLS and mTLS domains defined for that entry, including the server certificate expiry details if applicable.
- Select the name of a custom domain to view or modify the applied server certificates.
When you select a domain, a detail page is presented showing the current status and certificate usage for the domain:
Viewing the Settings for a Domain
For currently applied certificates, select a Certificate Subject CN entry to view a dialog containing the certificate parameters.
To add a server certificate, use the Certificate Type field. Choose one of the following options:
- Custom Domain with embedded private key: Use this option to upload a certificate file that includes an embedded private key.
- Custom Domain with separate private key: Use this option to upload a separate certificate file and private key file.
Make sure you are adding the full public TLS server certificate chain and private key applicable to your custom domain.
Then, add your Certificate File (and, where applicable, Private Key File), in PEM or PKCS#12 format, to the fields provided. To upload your files, select Import Certificate.
For encrypted certificates, enter your Password in the field provided.
To remove a certificate, select a checkbox adjacent to an uploaded certificate in the table, then select Delete Certificate.
To save your changes, select Update.