Install Banyan Access Tier

This section installs and configures the Banyan Access Tier in your environment.

  • Updated on Apr 04, 2022

This article describes features that are only available in the Banyan Enterprise edition.


The Banyan Access Tier is an identity-aware proxy that mediates access between entities on the internet and your internal services. Each Banyan Access Tier has a public IP address that is reachable from the internet and accepts inbound connections on the following ports: TCP 80 and TCP 443 (web services), TCP 8443 (infrastructure services), and UDP 51820 (service tunnels).

The core of Banyan’s Access Tier component is the netagent binary: a lightweight, identity-aware, cloud-managed reverse proxy, written in Golang, that runs on Linux servers. Netagent is designed to be similar in deployment to open-source reverse proxies such as Nginx, but is focused on Zero Trust security functionality.

Network Configuration

The Access Tier requires some minimal network configuration.

  1. The Access Tier server(s) should be located in your internet-facing DMZ and have a Public IP Address so they can be reached from anywhere on the internet.

  2. Configure a Public Wildcard DNS Record that follows your corporate domain name convention to map to the Access Tier’s Public IP Address
    • A common pattern is to use *
    • Then, corporate services can be exposed to your users as,, etc.

    If you’re deploying Access Tiers across multiple sites, you can further scope the subdomains into *, *, etc.

  3. Expose the following ports to the internet for use in inbound connections to the Access Tier:
    • Port 80 (HTTP)
    • Port 443 (HTTPS)
    • Port 8443 (for non-HTTPS TCP traffic such as SSH or RDP)
    • Port 51820 (for WireGuard service tunnel traffic over UDP)

  4. Ensure that the Access Tier can make an outbound TCP connection to its Shield (Cluster Coordinator) to register with the Command Center, receive Policies, and send Event data. You can find the Shield Address for your Access Tier in the Cluster Settings page.

Shield Address - Infrastructure > Cluster

  5. Ensure that the Access Tier can make an outbound HTTPS connection via Port 443 to the Command Center. If you use automated bootstrapping to configure the Access Tier, the install script will make an API call to https://{ccname}… to obtain a one-time-key required for installation.

  6. Ensure that the Access Tier can make an outbound HTTPS connection via Port 443 to the Command Center TrustProvider component. In order to authenticate OIDC JWT tokens used for web access, the Access Tier will need to obtain the JSON Web Key Set (JWKS) containing public keys from https://{orgname}

  7. Ensure your networking policies allow traffic to flow from the Access Tier server to backend machines running the applications and services you need to secure access to.

The netagent binary supports Egress Proxy settings, so the outbound connections from Access Tier can traverse your Egress Proxy as required.
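
To check step 3 from the host side, the following added example (not Banyan's own tooling) compares `ss -H -tuln` output with the four inbound ports listed above and flags any other non-loopback listener on the DMZ host. The function name and the sample listener table are constructed for illustration; the check inspects local sockets only, so firewall and security-group rules still need separate review.

```shell
#!/bin/sh
# Added example: host-side audit of listeners against the inbound ports in step 3.
# Usage on the Access Tier host:  ss -H -tuln | audit_access_tier_ports

REQUIRED_PORTS="tcp/80 tcp/443 tcp/8443 udp/51820"   # ports listed in step 3

# Constructed sample of `ss -H -tuln` output (not captured from a real host).
CONSTRUCTED_SS_SAMPLE='tcp LISTEN 0 4096 0.0.0.0:80 0.0.0.0:*
tcp LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*
tcp LISTEN 0 4096 [::]:443 [::]:*
udp UNCONN 0 0 0.0.0.0:51820 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*'

# Reads `ss -H -tuln` output on stdin. Prints one "MISSING proto/port" line per
# required port with no listener and one "EXTRA proto/port" line per unexpected
# non-loopback listener. Exit status is 1 if anything was reported, else 0.
audit_access_tier_ports() {
  awk -v required="$REQUIRED_PORTS" '
    BEGIN { n = split(required, r, " "); for (i = 1; i <= n; i++) want[r[i]] = 1 }
    NF < 5 { next }                               # skip blank or short lines
    {
      proto = $1; local = $5                      # Netid and Local Address:Port
      port = local; sub(/.*:/, "", port)          # text after the last colon
      addr = substr(local, 1, length(local) - length(port) - 1)
      sub(/%.*/, "", addr)                        # drop scope, e.g. 127.0.0.53%lo
      if (addr ~ /^127\./ || addr == "[::1]") next   # loopback: not reachable externally
      key = proto "/" port
      if (!(key in seen)) { seen[key] = 1; order[++m] = key }
    }
    END {
      status = 0
      for (i = 1; i <= n; i++)
        if (!(r[i] in seen)) { print "MISSING " r[i]; status = 1 }
      for (i = 1; i <= m; i++)
        if (!(order[i] in want)) { print "EXTRA " order[i]; status = 1 }
      exit status
    }'
}

# Demonstration on the constructed sample; a finding is expected, so ignore the status.
printf '%s\n' "$CONSTRUCTED_SS_SAMPLE" | audit_access_tier_ports || true
```
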