This article describes features that are only available in the Banyan Enterprise edition.
1.39.0 (Sep-30-2021)
  • Download v1.39.0
  • Netagent now returns a connection test response when it receives a request from shield with “*” in the site name.
  • The REST API server now reports for all access-tiers in a cluster.
1.38.0 (Sep-02-2021)
  • Download v1.38.0
  • Restored “Netagent Details” for hosted websites and infrastructure
  • Removed enforcement of “Site Domain Names” configuration parameter
1.37.0 (Jul-07-2021)
  • Download v1.37.0
  • Metrics collection using statsd to send metrics to Datadog via Dogstatsd
  • Use Let’s Encrypt certificates for hosted websites
  • Frontend domain with upper case letters
1.36.1 (May-12-2021)
1.36.0 (Apr-28-2021)
  • Download v1.36.0
  • Various improvements to Access events.
    • User and Device info for TCP service connection-level events.
    • Added reported_by field to display the specific Netagent sending the event.
    • For Access events, the correlation_id identifies the TCP connection.
  • Added Headers field under HTTP Settings in the Service Spec.
1.35.0 (Mar-31-2021)
  • Download v1.35.0
  • Optimized standard config parameters down to only four values and updated defaults for many parameters to simplify common Netagent configurations. The following defaults have changed:
    • Shield Connectivity - secure_bootstrap = true
    • Access Tier - access_tier = true, site_domain_names = "*"
    • OIDC Services - code_flow = true, groups_by_userinfo = true, redirect_to_https = true
  • Miscellaneous Access event improvements.
    • Service Name shows Service ID.
    • HTTP_CONNECT mode now indicates backend address.
    • Increased the time interval for periodic events to 1 hour from 10 minutes.
  • (Bug fix) If a request had two Trust cookies – one that is valid and a second one which is not valid – then depending on the order in which they are getting processed by Netagent, the valid one could end up getting deleted, which would make the user have to re-authenticate. Now, in that scenario the valid cookie will not be deleted.
1.34.1 (Mar-12-2021)
  • Download v1.34.1
  • (Bug fix) Netagent v1.34.0 did not properly handle expired cookies, which caused end users’ browsers to get stuck in an endless redirect loop when attempting to access a web service.
1.34.0 (Mar-03-2021)
1.33.0 (Jan-27-2021)
  • Download v1.33.0
  • (Bug Fix) Valid short-lived certificates that were older than 24 hours were rejected. Now, short-lived certificates can be up to 72-hours old.
1.32.0 (Jan-06-2021)
1.31.0 (Oct-02-2020)
1.30.0 (Oct-28-2020)
  • Download v1.30.0
  • OIDC Services - Added ability to exempt specific Source IPs from Policies
1.29.1 (Oct-01-2020)
  • Download v1.29.1
  • OIDC Services - Add ability for Netagent to query TrustProvider’s userinfo endpoint to obtain a user’s group membership. This is especially useful for organizations where the end users belong to a large number of groups, which increases group information included in the TrustCookie and triggers browser limitations on cookie size.
  • (Bug Fix) OIDC Services - the bnn_return cookie logic used to return the end user to the original path they were attempting to access (for example, /foo) now also supports query parameters (such as, foo?bar=123).
1.28.0 (Aug-26-2020)
  • Download v1.28.0
  • Enriched information collected about a Netagent when generating a one-click support bundle. The bundle now collects additional Netagent configuration files and CIDR ranges as well as common commands support staff needs to better understand the Netagent environment.
  • Ability to create allow list of backends and ports (including CIDR ranges) when configuring services.
  • (Bug Fix) OIDC Services - Previously, when configuring CORS, the target parameter only supported a wildcard (*). Now, the target parameter supports actual domains.
1.27.1 (Jul-30-2020)
  • Download v1.27.1
  • Updated a shared-library dependency involving default values for the allow_user_override metadata tag, which (in some scenarios) reset admin-configurations and led to erroneous blocking of end user access.
1.27.0 (Jul-29-2020)
  • Download v1.27.0
  • Added HTTP_CONNECT mode for Backend routing; when set, Netagent will rely on an HTTP Connect request to derive the backend target address (i.e., ipaddress:port or fqdn:port).
  • (Bug Fix) Successful WebSocket closure statuses were returning incorrectly.
  • (Bug Fix) Netagent Service configurations were not properly updating.
1.25.1 (Jun-19-2020)
  • Download v1.25.1
  • (Bug Fix) Netagent v.1.25.0 introduced a regression for Cognito that passed an OAuth “scope” called “groups”, which Cognito does not support.
1.25.0 (Jun-17-2020)
1.23.0 (May-20-2020)
1.22.0 (May-06-2020)
  • Download v1.22.0
  • Fixed cookie logic for WebSockets and Multi-domain Services so that Banyan TrustCookies are removed from HTTP requests that are forwarded to upstream servers.

The Banyan TrustCookie still can be forwarded by setting the forward_trust_cookie parameter to true. Banyan TrustCookie removal is performed both with and without the domain parameter to avoid a browser redirect loop scenario.

1.21.1 (Apr-22-2020)
  • Download v1.21.1
  • Added a configuration option redirect_to_https to redirect traffic from Port 80 (HTTP) to Port 443 (HTTPS).
  • Added a configuration option https_proxy to use an HTTP Connect Proxy to make outbound connections to Shield and TrustProvider
  • Added a configuration option forward_trust_cookie to not strip out the bnn_trust cookie before sending an HTTP request to the backend application
  • (Bug Fix) OIDC Services - Strip out the bnn_ cookies, that are used in OIDC authentication flows, before sending an HTTP request to the backend application. This enables Netagent to proxy traffic to applications that cannot tolerate additional cookies due to their max-http-header-size parameter.
1.20.0 (Apr-08-2020)
  • Download v1.20.0
  • Service configuration details are now reported from Netagent and displayed in the Banyan Command Center.
  • The service spec has a new exempted_paths field which allows specifying a list of HTTP paths that will be accessible without OpenID Connect authentication.
  • In the Service Spec, the oidc_settings.service_domain_name URL value can include a wildcard (*) in the first component of the domain name. Including the wildcard enables one Banyan service to permit a dynamic, non-fixed set of OpenID Connect redirect URLs. Please note: The OpenID Connect standard does not support wildcard redirect URLs, and so this feature should be used with care.
  • Added a configuration option code_flow for opt-in support for OpenID Connect Authorization Code flow. The default mechanism for OIDC authentication remains OpenID Connect Implicit Code flow.
  • Changed wildcard support in site_domain_names parameter in the config.yaml settings file, used when Netagent is run in Access Tier mode. Now, the wildcard (*) will match any prefix, not just the first component, of the SNI name. Previously, "*.example.com" in the service_domain_names parameter would match SNI “www.example.com” but not “alpha.beta.example.com”; now, it will match both.
1.19.0 (Mar-25-2020)
  • Download v1.19.0
  • (Bug Fix) OIDC Services - Fixed a race condition at the token validation stage that was causing sporadic hanging of connections to applications.
  • (Bug Fix) Fixed issue where Netagent stopped working if the underlying host was upgraded.
1.18.0 (Mar-12-2020)
  • Download v1.18.0
  • Performance and stability improvements.
  • Disconnect existing TCP connections (SSH, RDP, etc.) automatically if the device’s TrustScore drops below the level specified in the Policy condition.
1.17.0 (Feb-26-2020)
  • Download v1.17.0
  • Added name_delimiter field to backend target in Service spec
  • Performance and stability improvements
1.16.0 (Feb-12-2020)
  • Download v1.16.0
  • Configuration guardrails - Require site name, site address, or site domain name
  • (Bug Fix) Proxy WebSocket - Passing all headers for WebSocket request
1.15.0 (Jan-29-2020)
1.13.0 (Dec-18-2019)
  • Download v1.13.0
  • (Bug Fix) Workload identification - Improved handling when process or parent process has exited
  • (Bug Fix) Workload identification - Client cert issued to Unidentified container even if it has no roles
  • (Bug Fix) OIDC Services - robust deep-linking
1.11.1 (Nov-25-2019)
  • Download v1.11.1
  • Support for Services with mixed (user and workload) client types
  • OIDC Services - Trust cookie is a session cookie (auto-removed on browser shutdown)
  • (Bug Fix) OIDC Services - Obey Source IP Exceptions as long as Service is non-SNI
  • (Bug Fix) Workload Roles - Affix Roles even if workload is “Unidentified”
1.9.0 (Oct-23-2019)
  • Download v1.9.0
  • Inactivity & max session timeouts
  • “BadActor” module for DoS prevention
  • Connection IDs in events & log files for easier troubleshooting
  • OIDC Services - deep-linking, HTTP Strict Transport Security (HSTS)
1.7.0 (Sep-25-2019)
  • Download v1.7.0
  • Support for proxying Websocket
  • Send complete cert chain on TLS handshake
  • Uninstall script
1.5.0 (Jul-19-2019)
0.7.1 (Feb-04-2019)
  • Download v0.7.1
  • Service definition via Web Console
  • CIDRs automatically installed from Service definition
  • OIDC workflows
  • HTTP authorization policies
0.6.13 (Sep-10-2018)


Last modified: Sep 30, 2021