Configure and Publish Service Tunnels to Users

How to configure a Service Tunnel and then publish it to end users so that they have connectivity to private network segments

  • Updated on Jun 28, 2022

This article describes features that require Banyan Netagent v1.39.0+, Banyan Connector v1.4.0+, and Banyan Desktop App v2.4.0+.

Overview

This guide instructs admins on how to configure one or multiple Service Tunnels. It also lays out how to publish one or multiple Service Tunnels so that end users in an org can securely access required resources from a private network.

Prerequisites

• End users have been added to your org’s Banyan directory.
• End users in your org have the latest version of the Banyan desktop app or mobile app installed on their devices; they will use these devices to access the private network segment via Service Tunnel.

Setup

The diagram below shows your basic setup, which depends on your org’s deployment model. With an Access Tier deployment:

  1. A Banyan Access Tier is installed in a network segment which can communicate with the internal subnet you need to connect to. This guide uses an Access Tier named Datacenter-USEast as an example.

  2. Internal resources your end users need to connect to have the IP addresses 10.10.12.12, 10.10.13.13 and 10.10.14.14.

With a Connector deployment:

  1. A Banyan Connector is installed in the internal subnet which you need to connect to. This guide uses a Connector named datacenter1 as an example.

  2. Internal resources your end users need to connect to have the IP addresses 10.10.12.12, 10.10.13.13 and 10.10.14.14.

Steps

Set up a Service Tunnel to your private network segment in the following four steps.

Step 1. Set your Private Network settings

Access Tier deployment: update your Access Tier configuration so that Service Tunnel for End Users is enabled and matches your private network.

1.1 Navigate to Infrastructure > Access Tiers and open the Access Tier.

1.2 In Edit Access Tiers, enable Service Tunnel for End Users.

1.3 Set UDP Port Number.

  • Ensure inbound UDP traffic can reach the Access Tier on this port; open it on any firewall or cloud security group in front of the Access Tier. We generally recommend using port 51820.

1.4 Enter the Backend CIDR Ranges that correspond to the IP addresses in your private network(s).

  • As an example in this guide, it is set to 10.10.0.0/16, which contains all three resource addresses from the Setup section.

1.5 Set the Private Domains to any internal domains that can only be resolved on your internal network’s private DNS.

Connector deployment: ensure your Connector configuration matches your private network.

1.1 Enter the Backend CIDR Ranges that correspond to the IP addresses in your private network(s).

  • As an example in this guide, it is set to 10.10.0.0/16, which contains all three resource addresses from the Setup section.

1.2 Set the Private Domains to any internal domains that can only be resolved on your internal network’s private DNS.

Step 2. Create a Tunnel Policy

2.1 Navigate from Secure Access > Policies > + Create Policy.

2.2 Select the Tunnel Policy template to create a new policy.

2.3 Name your policy.

2.4 Under Policy Definition, enter the policy attributes that determine the security controls, including the following inputs:

  • Set the allowed Role(s)
  • Set the allowed TrustLevel
  • Set the allowed Protocols
  • Set the allowed CIDRs
  • Set the allowed Ports

Scope the CIDRs, Ports and Protocols to what the selected Roles actually need rather than to the whole Backend CIDR Range from Step 1: the Backend CIDR Ranges define what the tunnel can reach, while the Tunnel Policy defines what each user is allowed to reach.

Step 3. Register a Service Tunnel

3.1 Navigate from Manage Services > Service Tunnels, and then select + Register Service.

3.2 Enter the Service Name (e.g., DatacenterTunnel) and Description (e.g., Access to Datacenter).

3.3 Set the service attributes based on your org’s deployment model.

Access Tier deployment:

  • Select the relevant Access Tier.

  • Attach the policy that you created in Step 2, and then set the enforcement mode to Enforcing.

If selecting multiple Access Tiers, ensure that there are no overlapping CIDR ranges amongst them. If your Access Tiers’ CIDR ranges overlap, you’ll need to configure separate Service Tunnels so that the ranges within any one tunnel are disjoint.

Connector deployment:

  • Select the relevant Connector.

  • Attach the policy that you created in Step 2, and then set the enforcement mode to Enforcing.

If selecting multiple Connectors, ensure that there are no overlapping CIDR ranges amongst them. If your Connectors’ CIDR ranges overlap, you’ll need to configure separate Service Tunnels so that the ranges within any one tunnel are disjoint.
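Before registering a tunnel that spans more than one Access Tier (or Connector), it is worth checking the Backend CIDR Ranges from Step 1 against the resource addresses from the Setup section and against the no-overlap rule above. The Python script below is an added example written for this guide, not part of Banyan’s product or documentation. The Access Tier Datacenter-USEast, its range 10.10.0.0/16 and the three resource IPs are taken from the guide; the second Access Tier (Datacenter-USWest) and its ranges are constructed so that the overlap check has something to find.

```python
"""Pre-flight checks for a multi-Access-Tier Service Tunnel.

Added example, not Banyan code. Two checks an admin would otherwise do by hand:
  1. every internal resource falls inside some Backend CIDR Range, otherwise the
     client never routes that address into the tunnel;
  2. no two Access Tiers (or Connectors) attached to the same Service Tunnel
     have overlapping Backend CIDR Ranges.
"""
from ipaddress import ip_address, ip_network
from itertools import combinations

# Constructed sample configuration: one entry per Access Tier you intend to
# attach to a single Service Tunnel. Datacenter-USEast/10.10.0.0/16 is from the
# guide; Datacenter-USWest is hypothetical and deliberately overlaps.
BACKEND_CIDRS = {
    "Datacenter-USEast": ["10.10.0.0/16"],
    "Datacenter-USWest": ["10.20.0.0/16", "10.10.64.0/18"],
}

# Resources end users must reach, per the guide's Setup section.
RESOURCES = ["10.10.12.12", "10.10.13.13", "10.10.14.14"]


def parse_cidrs(cidrs):
    """Parse CIDR strings strictly: a range with host bits set (e.g. 10.10.12.0/16)
    is almost always a typo and raises ValueError rather than being silently masked."""
    return [ip_network(c, strict=True) for c in cidrs]


def uncovered_resources(resources, backend_cidrs):
    """Return the resource IPs that no Access Tier's Backend CIDR Ranges cover."""
    nets = [n for cidrs in backend_cidrs.values() for n in parse_cidrs(cidrs)]
    return [ip for ip in resources if not any(ip_address(ip) in n for n in nets)]


def overlapping_ranges(backend_cidrs):
    """Return (tier_a, cidr_a, tier_b, cidr_b) for every pair of ranges that overlap
    across two *different* tiers. Overlaps inside one tier are harmless; overlaps
    between tiers on one tunnel are not, because the client cannot pick a tier."""
    flat = [(tier, n) for tier, cidrs in backend_cidrs.items() for n in parse_cidrs(cidrs)]
    return [
        (ta, str(na), tb, str(nb))
        for (ta, na), (tb, nb) in combinations(flat, 2)
        if ta != tb and na.overlaps(nb)
    ]


def preflight(resources, backend_cidrs):
    """Collect problems as strings; an empty list means it is safe to register the tunnel."""
    problems = [f"resource {ip} is not inside any Backend CIDR Range"
                for ip in uncovered_resources(resources, backend_cidrs)]
    problems += [f"{ta} {ca} overlaps {tb} {cb}; put them on separate Service Tunnels"
                 for ta, ca, tb, cb in overlapping_ranges(backend_cidrs)]
    return problems


if __name__ == "__main__":
    for line in preflight(RESOURCES, BACKEND_CIDRS) or ["no problems found"]:
        print(line)
```

Run it with your real Access Tier names and ranges in BACKEND_CIDRS; any line it prints corresponds to a configuration that should be fixed in Step 1 or split across tunnels in Step 3 before end users are published to it.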

Step 4. Connect to the Service Tunnel

4.1 Launch the Banyan Desktop App, locate the Service Tunnel from the list of Service Tunnels, and select Connect.

  • Banyan will continuously evaluate your device posture, enforce your security policies, and grant access.

4.2 Access your internal resources.

$ ping 10.10.12.12
PING 10.10.12.12 (10.10.12.12): 56 data bytes
64 bytes from 10.10.12.12: icmp_seq=0 ttl=63 time=53.347 ms
64 bytes from 10.10.12.12: icmp_seq=1 ttl=63 time=43.211 ms
64 bytes from 10.10.12.12: icmp_seq=2 ttl=63 time=38.238 ms
^C
--- 10.10.12.12 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 38.238/44.932/53.347/6.287 ms

Common Errors

1. The app throws an error such as ‘Error: Could not set service tunnel config.’

Check the Banyan App logs for detailed information. It is likely that local port 8119 is already in use by another process on the device, or that your device’s TrustScore does not meet the TrustLevel required by the Tunnel Policy.

Also ensure traffic is getting to the Access Tier via the UDP port selected for the tunnel in Step 1.3. On the Access Tier host, run a tcpdump on that port (the example uses the recommended port 51820; substitute your own interface and port):

tcpdump -ni eth0 udp port 51820
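The two checks above can be scripted. The Python below is an added example written for this guide, not part of the Banyan app or its documentation: it tests whether local port 8119 is already held on the end-user device, and parses `ss -lun` output from the Access Tier to confirm a UDP socket is bound on the tunnel port. The `ss` output embedded here is constructed for the example; on a real Access Tier run `ss -lun` and feed its output to `diagnose()`.

```python
"""Diagnostics for 'Could not set service tunnel config'.

Added example, not Banyan code. Client side: is TCP port 8119 free? Server side:
is the Access Tier listening on the UDP port configured in Step 1.3?
"""
import errno
import socket

TUNNEL_CONFIG_PORT = 8119   # local port the app needs, per the Common Errors section
TUNNEL_UDP_PORT = 51820     # Access Tier UDP Port Number from Step 1.3 (example value)


def port_in_use(port, host=""):
    """Return True if another process already holds TCP `port` on this host.

    A bind attempt is used rather than a connect so that a listener bound only
    to 0.0.0.0 or only to 127.0.0.1 is detected either way.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return True
            raise
    return False


def udp_listeners(ss_output):
    """Parse `ss -lun` output into the set of local UDP ports with a bound socket."""
    ports = set()
    for line in ss_output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "UNCONN":
            continue
        local = fields[3]                           # e.g. 0.0.0.0:51820 or [::]:51820
        try:
            ports.add(int(local.rsplit(":", 1)[1]))
        except ValueError:                          # wildcard or malformed port field
            continue
    return ports


def diagnose(ss_output, udp_port=TUNNEL_UDP_PORT, config_port=TUNNEL_CONFIG_PORT):
    """Return human-readable findings; an empty list means both checks passed."""
    findings = []
    if port_in_use(config_port):
        findings.append(f"local TCP port {config_port} is in use; "
                        "stop the process holding it and reconnect the tunnel")
    if udp_port not in udp_listeners(ss_output):
        findings.append(f"Access Tier has no UDP socket on port {udp_port}; "
                        "check the UDP Port Number in Step 1.3 and that netagent is running")
    return findings


def self_check():
    """Sanity-check port_in_use() against a listener we open ourselves.

    Returns (in_use_while_open, in_use_after_close); expected (True, False).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))                 # OS picks a free ephemeral port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = port_in_use(port)
    listener.close()
    return while_open, port_in_use(port)


# Constructed sample of `ss -lun` from a healthy Access Tier (not real output).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0            0.0.0.0:51820     0.0.0.0:*
UNCONN 0      0      127.0.0.53%lo:53        0.0.0.0:*
UNCONN 0      0               [::]:51820        [::]:*
"""

if __name__ == "__main__":
    for line in diagnose(SAMPLE_SS_OUTPUT) or ["no problems found"]:
        print(line)
```

A bound UDP socket on the Access Tier only shows that netagent is listening; it does not prove packets arrive, so if `diagnose()` reports nothing and the tunnel still fails, the tcpdump above remains the definitive test of whether the firewall in front of the Access Tier is passing the UDP port.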

Troubleshooting

If there is still an issue connecting to, or accessing a resource via, a Service Tunnel, follow our detailed troubleshooting guide.