Install Banyan Access Tier

This section installs and configures the Banyan Access Tier in your environment.

Overview

The Banyan Access Tier is an identity-aware proxy that mediates access between entities on the internet and your internal services. Each Banyan Access Tier has a public IP address that is reachable from the internet and accepts inbound connections, typically on ports 443 (web services), 8443 (infrastructure services) and 50482 (service tunnels).

The core of Banyan’s Access Tier component is the netagent binary, a lightweight, identity-aware, cloud-managed reverse proxy written in Go that runs on Linux servers. Netagent is designed to deploy much like open-source reverse proxies such as Nginx, but is focused on Zero Trust security functionality.

Network Configuration

The Access Tier requires some minimal network configuration.

  1. The Access Tier server(s) should be located in your Internet-facing DMZ and have a Public IP Address so it can be reached from anywhere on the Internet.

  2. Configure a Public Wildcard DNS Record that follows your corporate domain name convention and maps to the Access Tier’s Public IP Address.
    • A common pattern is to use *.corp.example.com
    • Then, corporate services can be exposed to your users as website1.corp.example.com, sshserver2.corp.example.com, etc.

    If you’re deploying Access Tiers across multiple sites, you can further scope the subdomains into *.east.corp.example.com, *.west.corp.example.com, etc.

  3. Expose the following ports to the Internet for use for inbound connections to the Access Tier:
    • Port 443 (HTTPS)
    • Port 8443 (for non-HTTPS TCP traffic such as SSH or RDP)
  4. Ensure that the Access Tier can make an outbound TCP connection to its Shield (Cluster Coordinator) to register with the Command Center, receive Policies, and send Event data. You can find the Shield Address for your Access Tier in the Cluster Settings page.

Shield Address - Infrastructure > Cluster

  5. Ensure that the Access Tier can make an outbound HTTPS connection via port 443 to the Command Center. If you use automated bootstrapping to configure the Access Tier, the install script will make an API call to https://{ccname}.console.banyanops.com/api/v1/… to obtain a one-time key required for installation.

  6. Ensure that the Access Tier can make an outbound HTTPS connection via port 443 to the Command Center TrustProvider component. To authenticate the OIDC JWT tokens used for web access, the Access Tier needs to obtain the JSON Web Key Set (JWKS) containing the TrustProvider’s public keys from https://{orgname}.trust.banyanops.com/v2/.well-known/jwks.json.

  7. Ensure your networking policies allow traffic to flow from the Access Tier server to the backend machines running the applications and services whose access you need to secure.

The netagent binary supports Egress Proxy settings, so the outbound connections from Access Tier can traverse your Egress Proxy as required.
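The following preflight script is an added example, not Banyan’s own tooling, for checking the network prerequisites above from the host that will run netagent before installation: that a sample name under the wildcard DNS record resolves to the Access Tier’s public IP, that outbound TCP to the Shield and outbound TLS to the Command Center work, and that the TrustProvider JWKS endpoint returns a well-formed key set. The org name, Command Center name, public IP, sample service name and Shield host:port are placeholders to replace with your own values; the URL and hostname forms are those given in the steps above. Because urllib honours the HTTPS_PROXY environment variable, the JWKS fetch goes through an egress proxy when one is configured.

```python
"""Preflight connectivity checks for a Banyan Access Tier host (added example).

Run on the prospective Access Tier server. All values below marked "placeholder"
are assumptions; take the real ones from your Command Center.
"""
import json
import socket
import ssl
import urllib.request

ORG_NAME = "example-org"                            # placeholder: your org name
CC_NAME = "example-cc"                              # placeholder: your Command Center name
ACCESS_TIER_PUBLIC_IP = "203.0.113.10"              # placeholder: the Access Tier's public IP
SAMPLE_SERVICE_HOST = "website1.corp.example.com"   # any name under the wildcard record
SHIELD_HOST, SHIELD_PORT = "shield.example.invalid", 443  # placeholder: host:port from Infrastructure > Cluster
TIMEOUT = 5


def jwks_url(orgname):
    """JWKS endpoint the Access Tier reads to validate OIDC JWTs (URL form from the docs)."""
    return f"https://{orgname}.trust.banyanops.com/v2/.well-known/jwks.json"


def command_center_host(ccname):
    """Command Center hostname the install script calls (hostname form from the docs)."""
    return f"{ccname}.console.banyanops.com"


def check_wildcard_dns(sample_host, expected_ip, resolver=socket.gethostbyname):
    """True if a name under the wildcard record resolves to the Access Tier's public IP."""
    try:
        return resolver(sample_host) == expected_ip
    except OSError:          # NXDOMAIN, timeout, no resolver
        return False


def check_tcp(host, port, timeout=TIMEOUT, connect=socket.create_connection):
    """True if an outbound TCP connection to host:port can be opened (e.g. to the Shield)."""
    try:
        sock = connect((host, port), timeout=timeout)
    except OSError:          # refused, filtered, unreachable
        return False
    sock.close()
    return True


def check_tls(host, port=443, timeout=TIMEOUT):
    """True if a TLS handshake with certificate and hostname validation succeeds."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except OSError:          # ssl.SSLError is an OSError subclass
        return False


def parse_jwks(body):
    """Return the key ids of a JWKS document; raise ValueError if it is malformed.

    Every JWK must carry 'kty' (RFC 7517); 'kid' is optional, so a missing id is None.
    """
    doc = json.loads(body)
    keys = doc.get("keys") if isinstance(doc, dict) else None
    if not isinstance(keys, list) or not keys:
        raise ValueError("JWKS has no non-empty 'keys' array")
    for key in keys:
        if not isinstance(key, dict) or "kty" not in key:
            raise ValueError("JWK entry is missing 'kty'")
    return [key.get("kid") for key in keys]


def fetch_jwks_kids(url, timeout=TIMEOUT, opener=urllib.request.urlopen):
    """Fetch the JWKS over HTTPS; urllib honours HTTPS_PROXY, so an egress proxy is used if set."""
    with opener(url, timeout=timeout) as resp:
        return parse_jwks(resp.read())


def run_preflight():
    """Run every check and return a name -> bool map."""
    results = {
        "wildcard_dns": check_wildcard_dns(SAMPLE_SERVICE_HOST, ACCESS_TIER_PUBLIC_IP),
        "shield_tcp": check_tcp(SHIELD_HOST, SHIELD_PORT),
        "command_center_tls": check_tls(command_center_host(CC_NAME)),
    }
    try:
        results["trustprovider_jwks"] = bool(fetch_jwks_kids(jwks_url(ORG_NAME)))
    except (OSError, ValueError):   # URLError is an OSError subclass
        results["trustprovider_jwks"] = False
    return results


if __name__ == "__main__":
    for name, ok in run_preflight().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

A failed wildcard_dns result usually means the record points at an old IP or has not propagated; a failed shield_tcp or command_center_tls result points at an egress firewall rule or proxy setting, which is where the netagent Egress Proxy settings come in.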

Last modified: Jul 22, 2021