Install Banyan Access Tier

This section installs and configures the Banyan Access Tier in your environment.

  • Updated on Apr 04, 2022

This article describes features that are only available in the Banyan Enterprise edition.


The Banyan Access Tier is an identity-aware proxy that mediates access between entities on the internet and your internal services. Each Banyan Access Tier has a public IP address that is reachable from the internet and accepts inbound connections on the following ports: TCP 80 and TCP 443 (web services), TCP 8443 (infrastructure services), and UDP 51820 (service tunnels).

The core of Banyan’s Access Tier component is the netagent binary - a light-weight identity-aware cloud-managed reverse proxy, written in Golang, that runs on Linux servers. Netagent is designed to be similar in deployment to open-source reverse proxies such as Nginx, but is focused on Zero Trust security functionality.

Network Configuration

The Access Tier requires some minimal network configuration.

  1. The Access Tier server(s) should be located in your internet-facing DMZ and have a Public IP Address so it can be reached from anywhere on the internet.

  2. Configure a Public Wildcard DNS Record that follows your corporate domain name convention to map to the Access Tier’s Public IP Address
    • A common pattern is to use * Then, corporate services can be exposed to your users as,, etc.
    • If you’re deploying multiple Access Tiers across multiple locations, you can further scope the subdomains into *, *, etc.
  3. Expose the following ports to the internet so the Access Tier can accept inbound connections from the internet:
Ingress Port Protocol Traffic Used by Banyan Service Type
80 tcp HTTP n/a (will be redirected to HTTPS)
443 tcp HTTPS Hosted Websites
8443 tcp MTLS Infrastructure (SSH, RDP, etc)
51820 udp WireGuard Service Tunnel
  1. Ensure the Access Tier can make outbound connections to following addresses:

The netagent binary supports HTTP Proxy settings. If an Egress Proxy is configured on the host via the HTTP_PROXY environment variable, outbound connections from the Access Tier will automatically use it.

Egress Address Protocol Purpose
tcp://{shield-address}:{shield-port} tcp connect to its Shield (Cluster Coordinator) to receive Policies and send Event data (you can find the Shield Address for your Access Tier in the Cluster Settings page)… https connect to the Command Center for installation and configuration
https://{orgname} https connect Command Center TrustProvider component to authenticate OIDC JWT tokens used for web access

Shield Address - Infrastructure > Cluster

  1. Ensure your networking policies allow traffic to flow from the Access Tier server to backend machines running the applications and services you need to secure access to.