Install an Access Tier using DEB/RPM Packages

Install the Access Tier on virtual or physical 64-bit Linux servers, on-prem or cloud

  • Updated on Dec 15, 2022
  • 9 minutes to read
  • Contributors

Note: Netagent v2 has been released, simplifying the process of installing and configuring an Access Tier:
1. Use an API key with the access_tier scope for registration
2. All agent configuration is done via the Command Center API and UI

If you need to install Netagent v1, use the legacy v1 guides.


Install the Access Tier via the following four steps.

Step 1. Register your Access Tier

1.1 Log into the Command Center, and navigate from Networks > Access Tiers.

1.2 Select + Create Access Tier, and configure the required parameters when going through the installation wizard. An existing API key is required; these should appear in the dropdown menu of the API Key field on the Configure tab. If you don’t have an existing API key, navigate from Settings > API Keys and select + Add API Key, then select the access_tier scope.

1.3 If you will be using this Access Tier to secure an existing Service Tunnel, enter the required information to set up Service Tunnels.

1.4 Optional: If you want to enable Private Resource Discovery (to view a summary of commonly accessed private resources accessed by end users via Service Tunnels), then, under Advanced Settings, toggle on Enable Private Resource Discovery.

1.5 Select Continue to proceed to the Install tab.

1.6 Take note of the installation parameters for use in subsequent sections.

Network Reachability
  1. The Access Tier server(s) should be located in your internet-facing DMZ and have a public IP address, so that it can be reached from anywhere on the internet.

  2. Configure a public wildcard DNS record that follows your corporate domain name convention to map to the Access Tier’s public IP address
    • A common pattern is to use * Then, corporate services can be exposed to your users as,, etc.
    • If you’re deploying multiple Access Tiers across multiple locations, you can further scope the subdomains into *, *, etc.
  3. Expose the following ports to the internet so the Access Tier can accept inbound connections from the internet:
Ingress Port Protocol Traffic Used by Cloud Secure Edge Service Type
80 TCP HTTP N/A (will be redirected to HTTPS)
443 TCP HTTPS Hosted Websites
8443 TCP MTLS Infrastructure (SSH, RDP, etc)
51820 UDP WireGuard Service Tunnel
  1. Ensure the Access Tier can make outbound connections to following addresses:

The netagent binary supports HTTPS proxy settings. If an Egress proxy is configured on the host via the HTTPS_PROXY environment variable, outbound connections from the Access Tier will automatically use it.

Egress Address Protocol Purpose
tcp://{shield-location}{shield-port} TCP Connect to its Shield (Cluster Coordinator) to receive Policies and send Event data HTTPS Connect to the Command Center for installation and configuration
https://{orgname} HTTPS Connect Command Center TrustProvider component to authenticate OIDC JWT tokens used for web access
  1. Ensure your networking policies allow traffic to flow from the Access Tier server to backend machines running the applications and services you need to secure access to.
Supported Operating Systems

The netagent binary, which is the core component of a Access Tier, can be installed on virtual or physical 64-bit Linux servers on most Linux distributions.

Officially Supported: the following distros are officially supported:

  • Amazon-Linux-2
  • CentOS 7.x and RHEL 8.x
  • Ubuntu 20.04, 22.04

Support Deprecated: the following Linux distros are no longer supported:

  • CentOS 6.x, RHEL 7.x
  • Ubuntu 12.04, 14.04, 16.04, 18.04

If you’re running a non-standard distro or a custom kernel, contact us for tailored installation instructions.

Note that Amazon-Linux-2 does not include the WireGuard package in its supported package repositories so netagent will fall back to its user-space implementation of WireGuard. To install the WireGuard package on Amazon-Linux-2 you can run:

amazon-linux-extras install -y epel
curl -Lo /etc/yum.repos.d/wireguard.repo
yum install -y wireguard-dkms wireguard-tools

Ensure you have assumed root privileges:

user@host$ sudo su -

Create a folder for DEB/RPM:

mkdir -p /opt/banyan-packages
cd /opt/banyan-packages

On CentOS/RHEL hosts, grab the RPM package:

# add the Banyan RPM repo
yum-config-manager --add-repo
rpm --import

# install it
yum install banyan-netagent2-2.8.8

On Debian/Ubuntu hosts, grab the DEB package:

# add the Banyan DEB repo
curl | apt-key add -
apt-add-repository "deb [arch=amd64] xenial main"

# install it
apt install banyan-netagent2=2.8.8

Then, cd into /opt/banyan-packages directory, extract the Tarball installer that has been placed there, and cd into the directory:

cd /opt/banyan-packages

tar zxf netagent-2.8.8.tar.gz
cd netagent-2.8.8

Before you start the netagent binary you need to enter its registration parameters - obtained in Step 1 - in the config.yaml file.

# edit the `config.yaml` file to specify Access Tier registration parameters
#  command_center_url          # Command Center URL, such as
#  api_key_secret              # API key generated via the Command Center ("access_tier" or "Admin" scope)
#  access_tier_name            # Name of an existing Access Tier in the Command Center
#  access_tier_public_address  # (optional) public address for this Access Tier, such as ""
#  https_proxy                 # (optional) specify to configure HTTPS_PROXY environment variable

vi config.yaml
# double check the configuration params
cat config.yaml

# run the setup script so netagent can be managed using systemctl

# manage using systemctl  
sudo systemctl [start|stop|status] netagent

Once the Access Tier is installed, you can check its logs on the host at /var/log/banyan/netagent.log to ensure it is functioning as expected.

Under Networks > Access Tiers > [Your Access Tier] section of the Command Center, select the Test Connection button to verify that your Access Tier is correctly installed.

Access Tier - Test Connection

Additional Notes

Upgrading Netagent follows a very similar process to installing it.

Step 1: Use upgrade to download the latest Tarball.

For DEB packages, use apt-get upgrade banyan-netagent2. For RPM packages, use yum upgrade banyan-netagent2.

Step 2: Extract the package

For both packages, running upgrade will download the latest tarball file into /opt/banyan-packages. cd into /opt/banyan-packages directory. Extract the Tarball installer that has been placed there, and cd into the directory:

cd /opt/banyan-packages

tar zxf netagent-2.8.8.tar.gz
cd netagent-2.8.8

Step 3: Run the setup script


The setup script will ask the user whether they wish to overwrite /opt/banyan/config.yaml with the installer’s config.yaml. Enter no to proceed.

Can’t find what you’re looking for?

We’re happy to help. Contact our team.