i do it that way:
1x small Linux VM or Raspberry PI
1x DynDNS Record
1x or more CNAMEs for my domain
The Linux VM is exposte to the Internet via Portforwarding 80 and 443, software on the linux host is: Docker with traefik. That dit the following it is configured to recvie the requests for your dyndns record and or your cnames with are also has the dyndns records as the desternations. that traefik will get a letsencrypt certifacte for it. and depending on the configuration and the hostnames it will redirect the traffic to the ncs or any other service inside of your network and all this with auto renewd vailid ssl certificates:
so for the understandig the traffic flows this way:
Public Internet -> PublicIP (dyndns or host) -> the linux VM Port 80 and Port 443 -> the ncs port 8100 (no cert needet) for internal access you can split your dns like your.dyndns.org -> your internal traefik IP
For me that works greate. i published the ncs to the internet with default ports. witch are not blocket wherever i am.