How Banyan Works

  • Updated on Jul 18, 2023

A generalized diagram that depicts all the Banyan components is shown below. The Banyan components work in concert to deliver a zero-trust platform across which access control policies can be centrally managed.

Figure: Banyan Architecture

Banyan Edge

The Banyan Edge mediates access from your users to their corporate resources. Banyan supports a flexible edge deployment model in which you can use Banyan’s edge infrastructure, your own, or both. For access to private resources, you need to deploy one of Banyan’s Server Components (Access Tier or Connector) in the Demilitarized Zone (DMZ) of your data centers and cloud environments.

Access Tier

The Banyan Access Tier is an identity-aware proxy and gateway that mediates access between entities on the internet and your internal services. Each Banyan Access Tier has a public IP address that is reachable from the internet and accepts inbound connections, typically on ports 443 (web services), 8443 (infrastructure services) and 50482 (Service Tunnels).

The Access Tier is responsible for:

  • Mediating access between users and internal resources.
  • Enforcing the user’s and the device’s security posture, called a Trust Level, when accessing protected resources.

Global Edge Network & Connector

The Banyan Connector is a dial-out component that establishes a secure tunnel with the Banyan Global Edge Network, which comprises Access Tiers hosted and managed by Banyan for your organization. We use Google Cloud Platform (GCP) as our edge infrastructure provider, enabling us to use one of GCP’s 25+ global regions to provide fast and reliable connections to users around the world. The Connector can be deployed in any location that has connectivity to your internal services, and it connects outbound only. Traffic flows from entities on the internet to a Banyan Access Tier in the Global Edge Network, and then through the Banyan Connector to the internal service.

The Connector is responsible for:

  • Maintaining an outbound connection to Banyan’s Global Edge Network
  • Mediating access to internal resources

Banyan App

The Banyan app is a cross-platform endpoint client, installed on desktop and mobile devices.

The Banyan app is responsible for:

  • Device Registration for device authentication
  • Device Trust Scoring for device posture checks
  • Providing a services catalog of internal websites, infrastructure, and service tunnels to connect to
  • Enabling Internet Threat Protection policies

Clientless

Banyan also supports clientless access to resources for scenarios where the desktop or mobile app cannot be installed. This is beneficial for third-party vendors and contractors as well as temporary access use cases.

Banyan supports three flavors of clientless access:

  • User authentication with Layer 7 policies
  • Device registration and compliance checks via validating a device certificate deployed by an endpoint manager
  • Device posture checks and continuous evaluation to websites with a lightweight browser extension

Banyan Cloud Command Center

The Banyan Cloud Command Center is a central management console for IT Administrators and Security teams to manage the Banyan solution. You can interact with the Command Center via the web portal or the RESTful API to develop and enforce policies based on user and device, configure alerts for security events, and visualize real-time connectivity.

The Command Center includes two subcomponents that we sometimes call out explicitly:

  • Banyan Shield is a coordinator, deployed to create logical groups of Access Tiers. Shield manages a Private PKI (Public Key Infrastructure) to distribute cryptographic identities (X.509 Certificates) to clients and services in your organization.
  • Banyan TrustProvider is a federated authentication manager that uses OpenID Connect / OAuth-based workflows to authenticate end users and devices. TrustProvider integrates with your enterprise identity provider to deliver short-lived cryptographic credentials to authenticated end users on approved devices.

The Cloud Command Center is delivered as a Software-As-A-Service (SaaS) offering.


What’s next

Read more about the different client-based and clientless options that Banyan provides.