Publish a Service Tunnel to Users

This guide details how to publish a Service Tunnel via the Banyan Access Tier so an end user can conveniently yet securely set up encrypted network connectivity to network segments

This article describes features - Service Tunnel - that are currently in early preview. Contact your account team to enable these features for your organization and for further assistance.
This article describes features that require Banyan Netagent v1.39.0+.
This article describes features that require Banyan Desktop App v2.3.0+


For this quick start guide we have a setup as in the diagram below:

  1. A Banyan Access Tier is installed in the same network segment as the private network to which we need connectivity. This guide uses an Access Tier named product-team.

  2. The Banyan User Directory should be configured to integrate with your Identity Provider.

  3. The latest Banyan Desktop or Mobile App is installed and registered on devices from which users will access the internal resources in the private network.


We will now set up a service tunnel to the private network segment in three steps.

Step 1. Create a Policy

1.1 Log in to the Banyan Command Center and navigate to Secure Access > Policies > Create New Policy.

1.2 Create a new Policy using the template TCP Policy.

1.3 Enter a Policy Name (such as, hosted-service) and a Description.

1.4 Configure the Policy Attributes:

  • Only allow access from the following role: ANY (or a role according to your organization’s requirements)
  • Only allow users and devices with the following Trust Levels: No Trust Level - ignore TrustScore (or a Trust Level according to your organization’s security requirements)

Step 2. Register a Service Tunnel

2.1 Navigate to Manage Services > Service Tunnels and then click + Register Tunnel.

2.2 Select the template Standard Tunnel.

2.3 Enter the Service Name (such as, AWS Prod VPC) and Description (such as Access to AWS Production VPC).

2.4 Select the cluster where the applicable Access Tier is located.

2.5 Attach the policy we had previously created in Step 1.4, and then set enforcement mode to Enforcing.

2.6 Click Register Tunnel.

Step 3. As an End User, launch the Banyan Desktop App and enable the Tunnel

3.1 Launch the Banyan Desktop App, locate the service tunnel (for example, AWS Prod VPC) from the list of Service Tunnels, and then click Connect.

Behind the scenes, Banyan evaluates your device posture, enforces your security policies, and grants access accordingly.

3.2 Now you can connect to your internal resources.


And, that’s it! You have created a Zero Trust policy for a service tunnel and accessed your internal resources securely.

Last modified: Aug 19, 2021