Install Banyan Access Tier with Netagent v1 using Docker

Install the Access Tier on a server running Docker

Updated on Sep 04, 2024

Network Reachability Checklist
Pre-install Checklist
Configure
Install
Verify Installation

Network Reachability Checklist

The Access Tier server(s) should be located in your internet-facing DMZ and have a Public IP Address so it can be reached from anywhere on the internet.
Configure a Public Wildcard DNS Record that follows your corporate domain name convention to map to the Access Tier’s Public IP Address
- A common pattern is to use *.corp.example.com. Then, corporate services can be exposed to your users as website1.corp.example.com, sshserver2.corp.example.com, etc.
- If you’re deploying multiple Access Tiers across multiple locations, you can further scope the subdomains into *.east.corp.example.com, *.west.corp.example.com, etc.
Expose the following ports to the internet so the Access Tier can accept inbound connections from the internet:

Ingress Port	Protocol	Traffic	Used by Banyan Service Type
`80`	tcp	HTTP	n/a (will be redirected to HTTPS)
`443`	tcp	HTTPS	Hosted Websites
`8443`	tcp	MTLS	Infrastructure (SSH, RDP, etc)
`51820`	udp	WireGuard	Service Tunnel

Ensure the Access Tier can make outbound connections to following addresses:

The netagent binary supports HTTP Proxy settings. If an Egress Proxy is configured on the host via the HTTP_PROXY environment variable, outbound connections from the Access Tier will automatically use it.

Egress Address	Protocol	Purpose
`tcp://{shield-address}:{shield-port}`	tcp	connect to its Shield (Cluster Coordinator) to receive Policies and send Event data (you can find the Shield Address for your Access Tier in the Cluster Settings page)
`https://net.banyanops.com/api/v1/…`	https	connect to the Command Center for installation and configuration
`https://{orgname}.trust.banyanops.com/v2/...`	https	connect Command Center TrustProvider component to authenticate OIDC JWT tokens used for web access

Shield Address - Infrastructure > Cluster

Ensure your networking policies allow traffic to flow from the Access Tier server to backend machines running the applications and services you need to secure access to.

Pre-install Checklist

Ensure you have an Organization set up in Banyan and that you have admin access via the Command Center.
In the Banyan Command Center, navigate to Networks > Clusters and ensure you have a Cluster with a running Shield that the Netagent or Access Tier can connect to. The Clusters section of the Web Console lists all cluster parameters such as Cluster Name, Shield Address, etc.
In the Command Center, navigate to the My Profile tab by selecting your user name (in the bottom left corner of the Command Center). Ensure that you have generated a Refresh Token. You will need your Refresh Token if/when you use the automated bootstrap scripts to install Netagent or Access Tier.

Refresh Token - My Profile

Configure

Before you start the Netagent docker container you need to specify its configurations. Set the environment variables on the Linux server on which you’ll be installing the container.

Note: Instead of using a Refresh Token, you can now create an API key using an Access Tier scope. For more detailed instructions on how to authenticate with an API key, refer to our API documentation.

# set env vars to connect to your Command Center account
export BANYAN_API=        # API path to Command Center, such as https://net.banyanops.com/api/v1
export REFRESH_TOKEN=     # provided under Settings in your Command Center; Note: API keys can be used instead
export CLUSTER_NAME=      # specify the Cluster to register with
# set env vars to specify Access Tier parameters
export SITE_NAME=         # display name of Site secured by Access Tier
export SITE_ADDRESS=      # canonical domain name of the Site,
                          # ex: "corp-dns-cname.example.com"

Install

docker run --privileged --cap-add=NET_ADMIN \
     -v /dev:/dev -v /lib/modules:/lib/modules \
     -e REFRESH_TOKEN -e CLUSTER_NAME -e BANYAN_API -e SITE_NAME -e SITE_ADDRESS \
     -p 80:80/tcp -p 443:443/tcp -p 8443:8443/tcp -p 51820:51820/udp \
     -d gcr.io/banyan-pub/netagent:1.49.2

If your server needs root privilege to run docker via the sudo command, remember to add -E so your environment variables get passed through. Your command will then look like sudo -E docker run ...

Banyan’s Netagent binary leverages Linux kernel networking, including IPTables, and WireGuard. The Docker container needs to be run in privileged mode with the NET_ADMIN capability to configure networking correctly.

Verify Installation

Once the Access Tier is installed, you can check its logs using docker logs to ensure it is functioning as expected.

You can check the Networks > Access Tiers section of the Banyan Command Center to see the list of all the registered Access Tiers.

Infrastructure - Sites

Can’t find what you’re looking for?

We’re happy to help. Contact our team.