Register a Service Tunnel

How to configure a Service Tunnel and then publish it to end users so that they have connectivity to private network segments

  • Updated on Jan 08, 2024

Overview

Service Tunnel can be distinguished from standard VPNs in two important ways:

  1. It can connect remote users to specified segments of a private network (rather than connecting remote users to a whole private network)
  2. It enforces device trust.

This guide instructs admins on how to register one or multiple Service Tunnels, so that end users can securely access resources from a private network.

Prerequisites

• End users have been added to your org’s Banyan directory
• End users in your org have the latest version of the Banyan desktop app or mobile app installed on their devices; they will use these devices to access the private network segment via Service Tunnel.

Setup

The diagram below shows your basic setup, which depends on your org’s deployment model:

Access Tier deployment model:

  1. A Banyan Access Tier is installed in a network segment which can communicate with the internal subnet you need to connect to. This guide uses an Access Tier named Datacenter-USEast as an example.

  2. Internal resources your end users need to connect to have the IP addresses 10.10.12.12, 10.10.13.13 and 10.10.14.14.

Connector deployment model:

  1. A Banyan Connector is installed in the internal subnet which you need to connect to. This guide uses a Connector named datacenter1 as an example.

     The Connector can be installed directly on any Ubuntu or Red Hat server, or via Docker on any machine. The machine on which you install the Connector must have access to your internal network, and it must be able to make outbound HTTPS (port 443) connections and outbound UDP connections (ports in the range 30000 - 32767) to reach Banyan’s Global Edge Network.

  2. Internal resources your end users need to connect to have the IP addresses 10.10.12.12, 10.10.13.13 and 10.10.14.14.

Steps

Set up a Service Tunnel to your private network segment in the following four steps.

Step 1. Set your Private Network settings

Update your Access Tier configuration so that Service Tunnel for End Users is enabled and matches your private network.

1.1 Under Networks, navigate to the Access Tiers tab.

1.2 In Edit Access Tiers, enable Service Tunnel for End Users.

1.3 Set UDP Port Number.

  • Ensure inbound UDP traffic can reach the Access Tier on this port. We generally recommend using port 51820.

1.4 Enter the Backend CIDR Ranges that correspond to the IP addresses in your private network(s).

  • As an example in this guide, it is set to 10.10.0.0/16.

1.5 Set the Private Domains to any internal domains that can only be resolved on your internal network’s private DNS.

Ensure your Connector configuration matches your private network.

1.1 Enter the Backend CIDR Ranges that correspond to the IP addresses in your private network(s).

  • As an example in this guide, it is set to 10.10.0.0/16.

  • The Connector is the component that enables remote access to your internal network. The CIDR Range determines which parts of your internal network are exposed to remote users. The default setting, RFC-1918 Addresses, covers the entire private address space. To limit this range, set a Custom CIDR; the custom range must be a subset of the RFC-1918 addresses.

Say that we have a private network from 10.0.0.0 to 10.255.255.255, but we only want to expose 10.0.0.0 to 10.0.0.255. We would set our CIDR range to 10.0.0.0/24.

1.2 Set the Private Domains to any internal domains that can only be resolved on your internal network’s private DNS.

If you have private DNS, enter the domains that will resolve so that end users can continue to access resources via a domain name while accessing this network remotely.

Say that on the above network we reach devices at device1.mycompany.local, device2.mycompany.local, and so on; we would enter mycompany.local here.

Step 2. Create a Tunnel Policy

Policies can be applied to your Service Tunnel. When applied, these policies enforce authorization rules that specify which clients and what corresponding Trust Level can access protected corporate resources.

By default, your org comes with two policies: AllUsersAndDevices-Tunnel and HighAndMediumTrustedDevices-Tunnel.

  • If you select HighAndMediumTrustedDevices-Tunnel, Banyan will evaluate the device’s Trust Level before allowing any end user access to your Service Tunnel. If the user’s device Trust Level is not Medium or High, the user will be prevented from accessing your internal network.

  • Alternatively, select AllUsersAndDevices-Tunnel if you don’t need to evaluate the device’s security posture before granting access to your network.

2.1 Navigate from Private Access > Access Policies > + Create Policy.

2.2 Select the Tunnel Policy template to create a new policy.

2.3 Name your policy.

2.4 Under Policy Definition, enter policy attributes to determine security controls, including the following inputs:

  • Set the allowed Role(s)
  • Set the allowed TrustLevel
  • Set the allowed Protocols
  • Set the allowed CIDRs
  • Set the allowed Ports
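To make the effect of the Policy Definition inputs above concrete, the following added example (written for this guide, not Banyan’s own policy engine) models a Tunnel Policy with the five inputs and evaluates a connection attempt against it. The trust-level ordering Low < Medium < High and the "Engineering" role are constructed assumptions; the CIDR and IPs are the guide’s.

```python
import ipaddress
from dataclasses import dataclass

# Constructed ordering of device Trust Levels, lowest to highest.
# HighAndMediumTrustedDevices-Tunnel requires Medium or High; AllUsersAndDevices-Tunnel
# does not check posture at all (modelled here as min_trust_level=None).
TRUST_ORDER = {"Low": 0, "Medium": 1, "High": 2}


@dataclass
class TunnelPolicy:
    """Constructed model of the Policy Definition inputs from Step 2.4."""
    roles: set            # allowed Role(s)
    min_trust_level: str  # allowed TrustLevel, or None to skip the posture check
    protocols: set        # allowed Protocols, e.g. {"TCP", "UDP", "ICMP"}
    cidrs: list           # allowed destination CIDRs
    ports: set            # allowed TCP/UDP destination ports; empty means any


def evaluate(policy, user_roles, device_trust, protocol, dst_ip, dst_port=None):
    """Return (allowed, reason) for one connection attempt through the tunnel.

    Checks run in the order an admin reasons about them: who the user is,
    how trusted the device is, then what is being reached.
    """
    if not policy.roles & set(user_roles):
        return False, "user holds none of the policy's allowed roles"
    if policy.min_trust_level is not None:
        if TRUST_ORDER.get(device_trust, -1) < TRUST_ORDER[policy.min_trust_level]:
            return False, f"device Trust Level {device_trust} is below {policy.min_trust_level}"
    if protocol not in policy.protocols:
        return False, f"protocol {protocol} is not allowed"
    addr = ipaddress.ip_address(dst_ip)
    if not any(addr in ipaddress.ip_network(c) for c in policy.cidrs):
        return False, f"{dst_ip} is outside the policy's allowed CIDRs"
    # Ports only apply to TCP/UDP; ICMP (ping) has none.
    if protocol in ("TCP", "UDP") and policy.ports and dst_port not in policy.ports:
        return False, f"port {dst_port} is not allowed"
    return True, "allowed"


# Constructed policy modelled on HighAndMediumTrustedDevices-Tunnel, scoped to the
# guide's 10.10.0.0/16 backend range and to SSH/HTTPS plus ping.
DATACENTER_POLICY = TunnelPolicy(
    roles={"Engineering"},
    min_trust_level="Medium",
    protocols={"TCP", "ICMP"},
    cidrs=["10.10.0.0/16"],
    ports={22, 443},
)

if __name__ == "__main__":
    for trust in ("Low", "Medium", "High"):
        print(trust, evaluate(DATACENTER_POLICY, ["Engineering"], trust, "TCP", "10.10.12.12", 22))
```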

Step 3. Register a Service Tunnel

3.1 Navigate from Private Access > Service Tunnels, and then select + Add Service Tunnel.

3.2 Under the Configuration tab, enter the Service Name (e.g., DatacenterTunnel) and Description (e.g., Access to Datacenter).

3.3 Optional: Toggle on Autorun if you want this Service Tunnel to automatically start when users in your org log into the Banyan app.

Note: Autorun settings are only evaluated during device registration. End users can manually adjust Autorun settings from their desktop app after registration, and these changes will not be reflected in the Command Center UI.

Note: Only one Service Tunnel can have Autorun enabled at a time. If more than one Service Tunnel has Autorun enabled, then Autorun will not be turned on for any Service Tunnel.

3.4 Select + Add Network and choose an Access Tier to use for this Service Tunnel.

Note: If selecting multiple Access Tiers, ensure that there are no overlapping CIDR ranges amongst them. If your Access Tiers’ CIDR ranges overlap, you’ll need to configure two separate Service Tunnels to accommodate your purposes.
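Two of the range rules in this guide, the Custom CIDR must be a subset of the RFC-1918 addresses (Step 1) and the Access Tiers on one Service Tunnel must not have overlapping CIDR ranges (3.4 above), are easy to get wrong by hand. The added example below (written for this guide, not part of Banyan’s tooling) checks both before you commit a configuration; the tier names and the second tier’s ranges are constructed.

```python
import ipaddress

# The Connector's default Backend CIDR setting, "RFC-1918 Addresses", covers these three blocks.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private_subset(cidr):
    """True if a Custom CIDR is an IPv4 range lying entirely inside one RFC 1918 block."""
    net = ipaddress.ip_network(cidr, strict=True)  # strict: reject host bits set, e.g. 10.0.0.1/24
    return net.version == 4 and any(net.subnet_of(block) for block in RFC1918)


def find_overlaps(access_tier_cidrs):
    """Return sorted (tier_a, tier_b) pairs whose Backend CIDR Ranges overlap.

    access_tier_cidrs maps an Access Tier name to its list of CIDR strings.
    Only cross-tier overlaps are reported; ranges within one tier are not compared.
    """
    nets = [(tier, ipaddress.ip_network(c, strict=True))
            for tier, cidrs in access_tier_cidrs.items() for c in cidrs]
    overlaps = set()
    for i, (tier_a, net_a) in enumerate(nets):
        for tier_b, net_b in nets[i + 1:]:
            if tier_a != tier_b and net_a.overlaps(net_b):
                overlaps.add(tuple(sorted((tier_a, tier_b))))
    return sorted(overlaps)


def check_tunnel_networks(access_tier_cidrs):
    """Validate the Access Tiers proposed for one Service Tunnel; returns problem strings."""
    problems = []
    for tier, cidrs in access_tier_cidrs.items():
        for c in cidrs:
            if not is_private_subset(c):
                problems.append(f"{tier}: {c} is not inside the RFC 1918 private ranges")
    for tier_a, tier_b in find_overlaps(access_tier_cidrs):
        problems.append(f"{tier_a} and {tier_b} have overlapping CIDR ranges; "
                        "put them on separate Service Tunnels")
    return problems


if __name__ == "__main__":
    # Constructed input: the guide's Datacenter-USEast tier plus a second tier that
    # both overlaps it and includes a public range.
    proposed = {
        "Datacenter-USEast": ["10.10.0.0/16"],
        "Datacenter-USWest": ["10.10.12.0/24", "8.8.8.0/24"],
    }
    for problem in check_tunnel_networks(proposed):
        print("PROBLEM:", problem)
```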

3.5 Select Next.

3.6 Optional: Under the Public Applications tab, enter which public apps you want routed through this Service Tunnel, and enter which public apps you want excluded from this Service Tunnel.

3.7 Optional: Under the Public Domains tab, enter which public domains you want your Service Tunnel to route to, and enter which domains you want to exclude from Service Tunnel’s reach. For more detailed instructions on how to register a Service Tunnel that routes to public domains, see our Register a Service Tunnel for Public Domains doc.

3.8 Optional: Under the Public IP Ranges tab, enter which IP ranges you want your Service Tunnel to route to, and enter which IP ranges you want to be excluded from routing through the Service Tunnel.

3.9 Determine who will have access to this Service Tunnel by selecting a Tunnel Policy from the Attach a Policy menu. Instructions on how to create a Tunnel Policy are detailed in Step 2.

Step 4. Connect to the Service Tunnel

4.1 Launch the Banyan desktop app, locate the Service Tunnel from the list of Service Tunnels, and select Connect.

  • Banyan will continuously evaluate your device posture, enforce your security policies, and grant access.

4.2 Access your internal resources.

$ ping 10.10.12.12
PING 10.10.12.12 (10.10.12.12): 56 data bytes
64 bytes from 10.10.12.12: icmp_seq=0 ttl=63 time=53.347 ms
64 bytes from 10.10.12.12: icmp_seq=1 ttl=63 time=43.211 ms
64 bytes from 10.10.12.12: icmp_seq=2 ttl=63 time=38.238 ms
^C
--- 10.10.12.12 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 38.238/44.932/53.347/6.287 ms

Common Errors

1. App throws an error such as: ‘Error: Could not set service tunnel config.’

Check the Banyan app logs for detailed information. It is likely that port 8119 is in use or that your Trust Level does not meet the policy requirements.

Ensure traffic is reaching the Access Tier on the UDP port selected for the tunnel. You can confirm this by running tcpdump on the Access Tier host against that UDP port:

$ tcpdump -i eth0 port 51820

Troubleshooting

If there is still an issue connecting to, or accessing a resource via, a Service Tunnel, follow our detailed troubleshooting guide.
