Register a Hosted Website to Users

How to create a Hosted Web Service so end users can access a web app located in your private network

  • Updated on Jan 08, 2024

This article describes features that are only available in the Banyan Enterprise edition and Banyan Unlimited edition.

Overview

Banyan authenticates your end users so that they can securely access select websites via their web browsers. Registering a hosted web service allows you to enforce a zero-trust policy when users try to access your internal website or web application.

The assumption is that your end users have been added to your Banyan directory and that they have the latest Banyan desktop app or mobile app installed on their devices (from which they will access the web application).

Private edge deployment (self-hosted Access Tier):

  1. The end user requests access to the internal web app. The user’s request is routed to Banyan.
  2. Banyan runs a device trust check via the user’s org’s device manager, which is integrated with the Banyan app.
  3. Once verified, the device is then authenticated via the org’s identity provider.
  4. Once authenticated, the user’s device is issued a Trust Cert. Banyanproxy adds the Trust Cert to the user’s request.
  5. The user’s request is passed to the self-hosted Access Tier inside the org’s private network, and then sent to the internal web app.

Global edge deployment (Global Edge Network and Connector):

  1. The end user requests access to the internal web app. The user’s request is routed to Banyan.
  2. Banyan runs a device trust check via the user’s org’s device manager, which is integrated with the Banyan app.
  3. Once verified, the device is then authenticated via the org’s identity provider.
  4. Once authenticated, the user’s device is issued a Trust Cert. Banyanproxy adds the Trust Cert to the user’s request.
  5. The user’s request is passed to the Global Edge Network, relayed to the Connector inside the org’s private network, and then sent to the internal web app.

Steps

Securely expose your web application by completing the following three steps:

Step 1: Create an Access Policy

1.1 Navigate from Private Access > Access Policies > + Create Policy, and select the Web Policy template.

1.2 Name the Policy.

Step 2: Register the Hosted Website

2.1 Navigate from Private Access > Hosted Websites, and then select + Add Hosted Website.

Configuration

2.2 Enter a Service Name and optionally a description (this is the description displayed in the Banyan app for end users).

2.3 Configure your backend access details. Select the private network that will protect your web service. If you’re on a private edge deployment model, you’ll select an Access Tier; if you’re on the global edge deployment model, you’ll select a Connector.

2.4 Enter (i) the private hostname or IP and (ii) the port of the backend server (i.e., the web service) you’re protecting access to.

2.5 Select a front-end domain to use. Banyan recommends using a registered domain, since these are validated by Banyan.

2.6 If you select a registered domain, choose whether you want to use a Let’s Encrypt certificate. Banyan can secure your website with either Let’s Encrypt certificates or by using Banyan PKI.

2.7 Configure a public URL for your service. This is the URL end users will type in the browser to access the web service.

2.8 Review your Summary to ensure that you have the correct public URL, private hostname, and private network configured. Select Next.

Access Permissions

2.9 Attach your Policy (that you created in Step 1), and set the enforcement mode (i.e., Enforcing or Permissive).

2.10 Optional: If programmatic access is required, Enable Service Account Access. If enabled, you’ll need to specify how Service Account credentials are sent by selecting an option from the dropdown menu. See the Service Accounts doc for more detailed information on how Service Accounts work.

2.11 Optional: Configure exemptions to access permissions to your web service. Exemptions can include source CIDRs, target domains, paths, request methods, and request headers. See the Exemptions doc for more detailed information on how Exemptions work in Banyan.

2.12 Select Next.

Advanced

2.13 Optional: Under Banyan App Settings, configure how the web service will appear on end users’ desktop apps.

2.14 Optional: Under Additional Configurations, enter custom HTTP headers (enter a key in the first field and enter a value in the adjacent field).

2.15 Optional: Determine whether you want to suppress Device Trust Verification by toggling this option on or off. Note that if you suppress Device Trust Verification, devices without certificates installed will have no alternative way to be verified for device trust. Mobile devices, for example, will not be able to access your hosted web service.

2.16 Optional: If your Hosted Website is published on a domain that resolves over Service Tunnel, and you wish to disable Private DNS so that it resolves instead through the Access Tier, enable the Disable Private DNS toggle (this will turn off the default setting for this specific domain name).

Note: The Disable Private DNS toggle allows admins to resolve a specific domain name via the Access Tier. Admins can then manually set up DNS entries to ensure that such domain names resolve properly. This functionality may be useful in cases where an admin is using a wildcard domain name in their service spec, and they want only some domain names within this subset to resolve over Service Tunnel while others resolve to private addresses over the Access Tier.

2.17 Select Save & Validate.

Step 3: Test Access

3.1 From your registered device, use a browser to navigate to the website you just created: https://jenkins.corp.example.com

3.2 You will be prompted to confirm your Device Certificate and then to log in via your Identity Provider. Once device and user trust have been established, you will be allowed to access the Jenkins application.

If you cannot access the published service, use the Test Connection function to diagnose connection issues.

In the Command Center, navigate from Private Access > Hosted Websites, then select a Service Name. In your service, select Test Connection (the check icon in the upper right corner of the page). This shows the status of your connection, detailing whether your domain name and hostname are resolvable and whether the Access Tier and backend port are reachable.
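The same questions the Test Connection diagnostic answers (does the public hostname resolve, does the private backend hostname resolve, is the backend port reachable) can be checked from a shell on the Access Tier or Connector host. The script below is an added example, not Banyan tooling; the public URL is the page's sample, while the backend hostname `jenkins.internal` and port 8080 are constructed placeholders for the values entered in step 2.4.

```python
"""Local reproduction of the Test Connection checks (added example, not
Banyan tooling). Run it from the Access Tier or Connector host so that the
backend reachability result reflects that host's network position."""
import socket
from urllib.parse import urlparse


def resolvable(hostname: str) -> bool:
    """True if the hostname resolves to at least one address."""
    try:
        return len(socket.getaddrinfo(hostname, None)) > 0
    except socket.gaierror:
        return False


def port_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable or unresolvable
        return False


def diagnose(public_url: str, backend_host: str, backend_port: int) -> dict:
    """Run the three checks and return {check_name: passed}."""
    public_host = urlparse(public_url).hostname or public_url
    return {
        "public_hostname_resolvable": resolvable(public_host),
        "backend_hostname_resolvable": resolvable(backend_host),
        "backend_port_reachable": port_reachable(backend_host, backend_port),
    }


if __name__ == "__main__":
    # Public URL from step 3.1 of this page; the backend hostname and port
    # are constructed placeholders (Jenkins listens on 8080 by default).
    results = diagnose("https://jenkins.corp.example.com", "jenkins.internal", 8080)
    for check, ok in results.items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

A public hostname that resolves while the backend port fails points at the private network path (a firewall or the wrong port from step 2.4); a public hostname that does not resolve points at the DNS record for the front-end domain chosen in step 2.5.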
