Desktop App Capabilities and Components

Updated On: Feb 18, 2026

Overview

The desktop app allows end users to register their devices with SonicWall Cloud Secure Edge (CSE) and access CSE-secured services.

Desktop app capabilities

Admin Service

In order for the Admin Service to collect your org's user directory, the Registry Key Trust Factor requires the desktop app to launch at least once. Subsequently, the Admin Service does not require the app to be open and running in order to work (i.e., your end users do not need to open their desktop app in order for the Admin Service to function).

The Admin Service (sonicwall-cse-admin; previously banyanapp-admin) handles any desktop app functionality that requires administrative privileges; it also collects Trust Factors and enables Internet Threat Protection (ITP) policies. It is installed with the app (by the installer) and runs as a service on the machine. It functions independently but includes select command-line utilities for use in an emergency.

WireGuard Service

In order for end users to connect to Service Tunnels, the app must install the WireGuard Service, which creates and maintains the WireGuard tunnel interface. This one-time installation requires admin privileges and is triggered when an end user connects to their first Service Tunnel. The service runs on port 8119.

When an ITP policy is applied to a device, SonicWall takes over the device’s DNS service. All DNS queries will then be routed to the WireGuard Service on the device, listening on 127.0.0.5 port 53. The WireGuard Service will then route these queries to name servers monitored by SonicWall.

Currently, Linux users must install the WireGuard tools manually via https://www.wireguard.com/install/. We are looking to automate this via the app in an upcoming release.

SonicWall CSE Proxy (Banyan Proxy) Service

In order for end users to access Infrastructure Services, they need to use the banyanproxy (in desktop app versions 4.0.0 or later, the sonicwall-cse-proxy) component of the desktop app. When an admin runs the installer, the desktop app places the banyanproxy or sonicwall-cse-proxy executable in a specific directory. Then, when the desktop app is running, and the user connects, it launches the banyanproxy or sonicwall-cse-proxy executable to set up the connection.

The executable location depends on the Operating System in use:

| Operating System | Executable Location (desktop app versions 3.28.1 or older) | Symbolic Link Location |
|---|---|---|
| macOS | /Applications/Banyan.app/Contents/Resources/bin/banyanproxy | /usr/local/bin/banyanproxy/ |
| Windows | %PROGRAMFILES%\Banyan\resources\bin\banyanproxy.exe | %USERPROFILE%\AppData\Local\Microsoft\WindowsApps\banyanproxy |
| Linux | /opt/Banyan/resources/bin/banyanproxy | N/A |

| Operating System | Executable Location (desktop app versions 4.0.0 or later) | Symbolic Link Location |
|---|---|---|
| macOS | /Applications/SonicWall Cloud Secure Edge.app/Contents/Resources/bin/sonicwall-cse-proxy | /usr/local/bin/sonicwall-cse-proxy/ |
| Windows | %PROGRAMFILES%\SonicWallCSE\resources\bin\sonicwall-cse-proxy.exe | %USERPROFILE%\AppData\Local\Microsoft\WindowsApps\sonicwall-cse-proxy |
| Linux | /opt/SonicWallCSE/resources/bin/sonicwall-cse-proxy | N/A |

The sonicwall-cse-proxy functions as a forward proxy to establish the secure connection, using the TrustCert, between the end user's device and the TCP service, via Netagent.

The sonicwall-cse-proxy has the following capabilities, in order to support any type of TCP client and service:

| Mode | Command for desktop app versions 3.28.1 or older | Description |
|---|---|---|
| SSH | banyanproxy dest_host dest_port | In this mode, banyanproxy connects to a destination host and destination port, and sends and receives data using stdin/stdout instead of using a network connection. Used for OpenSSH client. |
| TCP | banyanproxy -l listen_port dest_host dest_port | Operates similarly to SSH Mode, except that banyanproxy listens for a client network connection rather than using stdin/stdout. Designed for TCP client/server communication. |
| HTTP_CONNECT_DAISY_CHAIN | banyanproxy -d -l listen_port proxy_host proxy_port | In this mode, banyanproxy forwards the client's HTTP CONNECT request to the given proxy host and port. |

| Mode | Command for desktop app versions 4.0.0 or later | Description |
|---|---|---|
| SSH | sonicwall-cse-proxy dest_host dest_port | In this mode, sonicwall-cse-proxy connects to a destination host and destination port, and sends and receives data using stdin/stdout instead of using a network connection. Used for OpenSSH client. |
| TCP | sonicwall-cse-proxy -l listen_port dest_host dest_port | Operates similarly to SSH Mode, except that sonicwall-cse-proxy listens for a client network connection rather than using stdin/stdout. Designed for TCP client/server communication. |
| HTTP_CONNECT_DAISY_CHAIN | sonicwall-cse-proxy -d -l listen_port proxy_host proxy_port | In this mode, sonicwall-cse-proxy forwards the client's HTTP CONNECT request to the given proxy host and port. |

One-click SSH access

Admins can define an SSH service for end users. Now, when end users select Connect in the desktop app to connect to the SSH service, the desktop app will automatically update the device's SSH Config file with the sonicwall-cse-proxy settings needed.

The desktop app uses an SSH config location depending on the Operating System of the device:

| Operating System | SSH Config Location |
|---|---|
| macOS | $HOME/.ssh/ |
| Windows | %USERPROFILE%\.ssh\ |
| Linux | $HOME/.ssh/ |

When an end user connects to an SSH service, the app places CSE's SSH configurations in a file called bnn.config in the SSH config location. The app also adds the SSH Include command to the .config file to incorporate Cloud Secure Edge's SSH configurations.

Prior to Desktop app v3.0.0, the app would place CSE's SSH configurations in a file called banyan.config. In desktop app versions 3.0.0 and later, the app places CSE’s SSH configurations in a file called bnn.config.

If the SSH Config directory or file doesn't exist, the desktop app will automatically create it. However, if the SSH Config file or directory is not writable, end users will see an error message when they try to connect to an SSH service.
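Because the app writes an Include'd file into the user's SSH configuration, a periodic audit of that file is a reasonable control. The following is an added example, not SonicWall's code: it checks that the SSH config includes bnn.config and that any ProxyCommand in bnn.config runs one of the macOS/Linux proxy locations documented above. It assumes bnn.config uses the OpenSSH ProxyCommand directive (the page does not show the file's contents), and the sample texts and host name are constructed.

```python
import posixpath
import re
import shlex

# POSIX proxy locations from the tables on this page (executable and symlink,
# both app generations); the symlink rows are listed without the trailing slash.
DOCUMENTED = {
    "/Applications/Banyan.app/Contents/Resources/bin/banyanproxy",
    "/usr/local/bin/banyanproxy",
    "/opt/Banyan/resources/bin/banyanproxy",
    "/Applications/SonicWall Cloud Secure Edge.app/Contents/Resources/bin/sonicwall-cse-proxy",
    "/usr/local/bin/sonicwall-cse-proxy",
    "/opt/SonicWallCSE/resources/bin/sonicwall-cse-proxy",
}

def directives(text):
    """Yield (lower-cased keyword, argument) for each ssh_config directive line."""
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)(?:\s*=\s*|\s+)(.*)", line)
        if m:  # comment lines ("#...") and blank lines do not match
            yield m.group(1).lower(), m.group(2).strip()

def audit(ssh_config, bnn_config):
    """Return findings for the user's SSH config text and the bnn.config text."""
    findings = []
    included = [p for k, a in directives(ssh_config) if k == "include"
                for p in shlex.split(a)]
    if not any(posixpath.basename(p) == "bnn.config" for p in included):
        findings.append("SSH config has no Include for bnn.config")
    for key, arg in directives(bnn_config):
        if key != "proxycommand":
            continue
        argv = shlex.split(arg)  # handles quoted paths that contain spaces
        exe = argv[0] if argv else ""
        if exe not in DOCUMENTED:
            findings.append(f"ProxyCommand runs an undocumented executable: {exe!r}")
    return findings

# Constructed samples; the real contents of bnn.config are not shown on this page.
SSH_CONFIG = "Include bnn.config\n\nHost *\n    ServerAliveInterval 60\n"
BNN_EXPECTED = "Host ssh.corp.example\n    ProxyCommand /usr/local/bin/sonicwall-cse-proxy %h %p\n"
BNN_ALTERED = "Host ssh.corp.example\n    ProxyCommand /tmp/sonicwall-cse-proxy %h %p\n"

if __name__ == "__main__":
    for name, bnn in (("expected", BNN_EXPECTED), ("altered", BNN_ALTERED)):
        print(name, audit(SSH_CONFIG, bnn))
```

If the app writes a bare executable name that is resolved through PATH, the audit will report it; extend DOCUMENTED only after confirming what your app version actually writes.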

One-click Kubernetes access

Admins can define a Kubernetes service for end users. Once the service is defined and end users connect to the Kubernetes API service, the desktop app will automatically create the Kube Config file with the sonicwall-cse-proxy and token settings needed.

The Kubernetes config location depends on the Operating System of the device:

| Operating System | Kube Config Location |
|---|---|
| macOS | $HOME/.kube/ |
| Windows | %USERPROFILE%\.kube\ |
| Linux | $HOME/.kube/ |

When an end user connects to a Kubernetes service, the app creates a Kube config file, banyan, in the Kube Config location. To make the Kubernetes Service the default method to access their cluster, end users can set the KUBECONFIG env variable and then use the config use-context commands as detailed in the kubectl docs.

This feature uses the proxy-url capability available in kubectl v1.19+. If end users are using an older version of kubectl, they will need to add the https_proxy env var in front of their kubectl commands.

Desktop app components

Browser-based authentication flow

Cloud Secure Edge's desktop app listens on a local port at localhost:8118 to facilitate user authentication via a browser-based standards-compliant OpenID Connect flow. However, if the device has another application running on port 8118, the desktop app will raise an error. In this scenario, the end user must stop the application that is using port 8118 before the desktop app authentication flow can proceed.

Short-lived certificates

When an end user logs in via the desktop app, a cryptographic key-pair is generated and two short-lived certificates are obtained for use in authenticating the user and device. The X.509 format TrustCert is used for Mutually-authenticated TLS. The SSH format SSHCert is used for SSH certificate authentication.

In addition to short-lived certificates, Cloud Secure Edge (CSE) requires a valid device certificate in order to access protected services. Upon registering a device, CSE issues a trusted device certificate to the device and places it in the device’s keychain or certificate manager.

| Cert Nickname | Format | Subject CN / KeyID | Cert Filename | Private Key Filename |
|---|---|---|---|---|
| TrustCert | X.509 | Banyan Client ... | login-cert.pem | login-key.pem |
| SSHCert | SSH | ssh-rsa-cert ... user | login-key.pem-cert.pub | login-key.pem |

Both the short-lived X.509 certificate login-cert.pem and the short-lived SSH certificate login-key.pem-cert.pub use the same private key login-key.pem.

The desktop app places the certs and key files in a specific directory depending on your Operating System. Since these certificates are short-lived, they can be stored safely in the file system (instead of your device certificate manager).

| Operating System | Short-lived Certificate Location for desktop app v 3.28.1 or older |
|---|---|
| macOS | $HOME/Library/Application Support/banyanapp/ |
| Windows | %USERPROFILE%\AppData\Roaming\banyanapp |
| Linux | $HOME/.config/banyanapp |

| Operating System | Short-lived Certificate Location for desktop app v 4.0.0 or later |
|---|---|
| macOS | $HOME/Library/Application Support/sonicwallcse/ |
| Windows | %USERPROFILE%\AppData\Roaming\sonicwallcse |
| Linux | $HOME/.config/sonicwallcse |

Admins can use standard openssl and ssh-keygen commands to examine the short-lived certificates.

$> openssl x509 -in login-cert.pem -noout -text

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            17:dd:b3:7c:3a:aa:71:42:90:1d:a7:ab:43:db:2d:df:69:fc:52:3d
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: O = novpntest, OU = Certificate Authority, CN = testorg Banyan Private Root CA
        Validity
            Not Before: Jul  2 04:57:00 2020 GMT
            Not After : Jul  3 03:57:00 2020 GMT
        Subject: OU = "Banyan Client carly@banyanops.com", CN = Banyan Client carly@banyanops.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c7:10:a7:8d:9f:18:06:f3:4e:1f:4b:20:f6:27:

...

$> ssh-keygen -L -f login-key.pem-cert.pub

login-key.pem-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT SHA256:yv/nypkONDQF+rS8pJd5pJvItB7Y7wol1KjJfIxhMdE
        Signing CA: RSA SHA256:LGvtbCthk48jqxuggCJKAw6stao7VDIvd2OuRipczcs
        Key ID: "carly@banyanops.com ABCD8BL00KH"
        Serial: 0
        Valid: from 2020-07-01T22:02:21 to 2020-07-02T21:02:21
        Principals:
                ANY
                new-role
        Critical Options: (none)
        Extensions:
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc
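
To confirm that the certificates on a device really are short-lived, the validity lines in the two outputs above can be checked mechanically. The following is an added example, not SonicWall's code: it parses the validity window from `openssl x509 -text` and `ssh-keygen -L` output and flags windows that are expired, not yet valid, unbounded, or longer than a policy limit. The 24-hour limit and the "current time" are assumptions; the sample lines are the ones shown on this page.

```python
import re
from datetime import datetime, timedelta

# Validity lines copied from the openssl and ssh-keygen output shown on this page.
OPENSSL_TEXT = """\
            Not Before: Jul  2 04:57:00 2020 GMT
            Not After : Jul  3 03:57:00 2020 GMT
"""
SSH_KEYGEN_TEXT = "        Valid: from 2020-07-01T22:02:21 to 2020-07-02T21:02:21\n"

def x509_window(text):
    """(not_before, not_after) from `openssl x509 -text` output, as naive UTC."""
    def grab(label):
        raw = re.search(label + r"\s*:\s*(.+?) GMT", text).group(1)
        return datetime.strptime(" ".join(raw.split()), "%b %d %H:%M:%S %Y")
    return grab("Not Before"), grab("Not After")

def ssh_window(text):
    """(start, end) from `ssh-keygen -L` output in local time, or None when the
    certificate is not bounded on both sides (for example "Valid: forever")."""
    m = re.search(r"Valid: from (\S+) to (\S+)", text)
    if not m:
        return None
    return tuple(datetime.strptime(t, "%Y-%m-%dT%H:%M:%S") for t in m.groups())

def review(window, now, max_lifetime=timedelta(hours=24)):
    """List problems with a validity window; max_lifetime is an assumed policy.
    Pass `now` in UTC for an X.509 window and in local time for an SSH window."""
    if window is None:
        return ["no bounded validity window"]
    start, end = window
    problems = []
    if now < start:
        problems.append("not yet valid")
    if now >= end:
        problems.append("expired")
    if end - start > max_lifetime:
        problems.append(f"lifetime {end - start} exceeds {max_lifetime}")
    return problems

if __name__ == "__main__":
    now = datetime(2020, 7, 2, 12, 0, 0)  # constructed time inside both sample windows
    for name, w in (("TrustCert", x509_window(OPENSSL_TEXT)),
                    ("SSHCert", ssh_window(SSH_KEYGEN_TEXT))):
        print(name, "lifetime", w[1] - w[0], "problems", review(w, now))
```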