API Gateway requirements

Review the requirements before you install and use API Gateway.

Tanium dependencies

Component Requirement
Tanium™ Core Platform: 7.5.2 or later [1]
Tanium™ Console UI: 3.0 or later [1]
Tanium content: API Gateway uses sensors that are included in the Core Content and Core AD Query content packs.
Tanium solutions: If you selected Tanium Recommended Installation when you installed API Gateway, the Tanium Server automatically installed all your licensed solutions at the same time. Otherwise, you must manually install the solutions that API Gateway requires to function, as described under Tanium Console User Guide: Import, re-import, or update specific solutions.

Tanium solutions at the following minimum versions are required:

  • Tanium Interact 2.9.83
  • Tanium System User 1.0.40

The following solutions are optional, but API Gateway requires the specified minimum versions to work with them:

  • Tanium Blob 1.0.6
  • Tanium Direct Connect 1.10.39
  • Tanium Deploy 2.9.123
  • Tanium Performance 1.10.57
License: The license entitlement for the Tanium Core Platform includes the API Gateway.

[1] The API Gateway workbench requires Tanium Console 3.0 or later, which also requires Tanium Core Platform 7.5 or later. Users with older versions of the Tanium Console on Tanium Core Platform 7.4.4 or later can still install and use API Gateway for API-only interactions.

Tanium™ Module Server

API Gateway is installed and runs as a service on the Module Server host computer. The impact on the Module Server is minimal and depends on usage.

For information about Module Server sizing in a Windows deployment, see Tanium Core Platform Deployment Guide for Windows: Host system sizing guidelines.

Endpoints

API Gateway does not directly deploy packages to endpoints. However, you can use API Gateway to deploy packages through Tanium Deploy. For Tanium Deploy endpoint requirements, see Tanium Deploy User Guide: Endpoints.

For Tanium Client operating system support, see Tanium Client Management User Guide: Client version and host system requirements.

Host and network security requirements

Specific ports and processes are needed to run API Gateway.

Ports

The following ports are required for API Gateway communication.

Source Destination Port Protocol Purpose
Module Server Tanium as a Service Module Server (loopback) 17600 TCP Internal purposes, not externally accessible

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

For Tanium as a Service ports, see Tanium as a Service Deployment Guide: Host and network security requirements.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

API Gateway security exclusions
| Target Device | Notes | Exclusion Type | Exclusion |
| --- | --- | --- | --- |
| Module Server | | Process | <Module Server>\services\gateway-service\TaniumGatewayService.exe |
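
One way to confirm, on a Windows Module Server, that the TCP 17600 listener from the ports table is bound to loopback only and belongs to the executable named in the exclusions table. This is an added example, not Tanium-provided code: the function name Test-GatewayListener is hypothetical, and it assumes that the Gateway service executable is the process that owns the 17600 listener.

```powershell
# Added example: audit the API Gateway listener on a Windows Module Server.
# Port 17600 and the executable path suffix are taken from the tables on this page.
# Assumption: TaniumGatewayService.exe is the process that owns the listener.
# Run from an elevated session so that service process paths can be resolved.
$Port           = 17600
$ExpectedSuffix = '\services\gateway-service\TaniumGatewayService.exe'
$Loopback       = @('127.0.0.1', '::1')

function Test-GatewayListener {
    param(
        [int]$Port,
        [string]$ExpectedSuffix,
        [string[]]$Loopback
    )
    $listeners = @(Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
    if ($listeners.Count -eq 0) {
        Write-Warning "Nothing is listening on TCP $Port."
        return
    }
    foreach ($l in $listeners) {
        # Resolve the owning process; Path is empty if access is denied.
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        $path = if ($proc) { $proc.Path } else { $null }
        [pscustomobject]@{
            LocalAddress   = $l.LocalAddress
            LoopbackOnly   = $Loopback -contains $l.LocalAddress
            ProcessId      = $l.OwningProcess
            ProcessPath    = $path
            ExpectedBinary = [bool]($path -and
                $path.EndsWith($ExpectedSuffix, [StringComparison]::OrdinalIgnoreCase))
        }
    }
}

$results = @(Test-GatewayListener -Port $Port -ExpectedSuffix $ExpectedSuffix -Loopback $Loopback)
$results | Format-Table -AutoSize

# Flag listeners bound to a non-loopback address (0.0.0.0, ::, or a NIC address)
# or owned by a binary other than the one listed in the exclusions table.
$bad = @($results | Where-Object { -not $_.LoopbackOnly -or -not $_.ExpectedBinary })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) listener(s) on TCP $Port need review."
}
```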

User role requirements

The following tables list the role permissions required to use API Gateway. For more information about role permissions and associated content sets, see Tanium Console User Guide: Managing RBAC.

API Gateway user role permissions
| Permission | API Gateway User [1] |
| --- | --- |
| Gateway Api: Access API Gateway | EXECUTE |

[1] This role provides module permissions for Tanium Interact. You can view which Interact permissions are granted to this role in the Tanium Console. For more information, see Tanium Interact User Guide: User role requirements.

API Gateway user role permissions
| Permission | API Gateway User [1] | Gateway Service Account | Gateway Service Account - All Content Sets |
| --- | --- | --- | --- |
| Gateway Api: Access API Gateway | EXECUTE | | |
| Gateway Service Account: Provides access for the API Gateway service. | | EXECUTE | |

[1] This role provides module permissions for Tanium Interact. You can view which Interact permissions are granted to this role in the Tanium Console. For more information, see Tanium Interact User Guide: User role requirements.


Provided API Gateway administration and platform content permissions
| Permission | Permission Type | API Gateway User |
| --- | --- | --- |
| Token - Use | Administration | SPECIAL |
| Plugin | Platform Content | EXECUTE [1], READ [1] |

[1] Grants access to content in the Interact content set.

Provided API Gateway administration and platform content permissions
| Permission | Permission Type | API Gateway User | Gateway Service Account | Gateway Service Account - All Content Sets |
| --- | --- | --- | --- | --- |
| Action Group | Administration | | READ, WRITE | |
| Computer Group | Administration | | READ | |
| Global Settings | Administration | | READ | |
| Sensor | Platform Content | | | READ [1] |
| Token - Use | Administration | SPECIAL | | |
| Plugin | Platform Content | EXECUTE [2], READ [2] | | |

[1] This permission applies to all content sets.

[2] This permission applies to the Interact content set.