Reference: Installing a Tanium Cloud Access Point
A Tanium Cloud Access Point is an optional component that facilitates communication with Tanium™ Cloud from networks that have restricted access to Tanium Cloud, when it is not possible to use a customer-supplied proxy server. A Tanium Appliance that is configured with the Tanium Cloud Access Point role resides within the restricted network, and Tanium Clients can use it as a proxy to reach the Tanium Cloud. A Tanium Cloud Access Point is not required for unrestricted networks.
Connect endpoints directly to Tanium Cloud when possible, and for restricted networks, use a customer-supplied proxy server when possible. Use a Tanium Cloud Access Point only when security restrictions prevent direct communication from endpoints to Tanium Cloud client edge URLs and a customer-provided connectivity solution is unavailable. For more information about using your own proxy server, see Tanium Client Management User Guide: Connect through an HTTPS forward proxy server.
- Though the Tanium Cloud Access Point is supplied by Tanium, management of the Tanium Cloud Access Point is a customer responsibility, as part of the customer responsibility to provide Tanium Client access to Tanium Cloud. For more information about customer responsibilities in Tanium Cloud, see Tanium Cloud Deployment Guide: Responsibilities.
- Do not connect more than 10,000 endpoints to a Cloud Access Point.

For more information about Tanium Cloud, see the Tanium Cloud Deployment Guide.
Before you begin
Make sure:
- Basic network, host, and user settings are configured.
  - For physical Tanium Appliances, see Completing the initial setup (physical Tanium Appliance).
  - For virtual Tanium Appliances, see Completing the initial setup (virtual Tanium Appliance).
- Network firewall rules allow Tanium processes to communicate as follows:

| Source | Destination | Port | Protocol | Purpose |
| --- | --- | --- | --- | --- |
| Tanium Clients | Tanium Cloud Access Point | User-configured in Cloud Access Point | TCP | Client communication with the Tanium Cloud Access Point |
| Tanium Cloud Access Point | Tanium Cloud | 17472, 17486 | TCP | Tanium Cloud Access Point communication to Tanium Cloud |

Additional requirements depend on your environment and how you provide administrative access to the appliance that you use for the Cloud Access Point. For more information, see In addition, the installation and management of the appliance requires communication over common network service ports. The following table shows the default ports for these services.
Install the Tanium Cloud Access Point role
- Sign in to the appliance as a user with the tanadmin role.
- Enter 1 to go to the Tanium Installation menu.
- Enter 5 to initiate a Cloud Access Point installation.
- When prompted, specify each host name from the Tanium Cloud client edge URLs and the port that you want Tanium Clients to use to communicate with the Cloud Access Point.
You must include the port in the ProxyServers setting of Tanium Client on each endpoint.
What to do next
- Configure any existing Tanium Clients on the restricted network to connect to the Tanium Cloud Access Point. Use the Tanium Client command line interface (CLI) to configure the ProxyServers setting on each endpoint to the FQDN or IP address and port of the Tanium Cloud Access Point.
- When you deploy any new Tanium Clients, configure the ProxyServers setting to the FQDN or IP address and port of the Tanium Cloud Access Point during deployment.
For more information, see Tanium Client Management User Guide: Configure proxy connections without a PAC file.
Manage the Cloud Access Point service
You can start, stop, restart, enable, and view status details for the Cloud Access Point (squid) service.
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter 2 to go to the Tanium Operations menu.
- Enter P to go to the Manage Cloud Access Point menu.
- Enter S to go to the Service Control menu.
- Use the menu to select an action to start, stop, restart, enable, or view status details for the service.
- Follow the prompts to perform the action.
Reconfigure a Tanium Cloud Access Point
You can change the Tanium Cloud server names and Tanium Client listening port for an existing Tanium Cloud Access Point.
- Sign in to the appliance as a user with the tanadmin role.
- Enter 2 to go to the Tanium Operations menu.
- Enter P to go to the Manage Cloud Access Point menu.
- Enter C to configure the Cloud Access Point.
- When prompted, specify each host name from the Tanium Cloud client edge URLs and the port that you want Tanium Clients to use to communicate with the Cloud Access Point.
You must include the port in the ProxyServers setting of Tanium Client on each endpoint.
Review the Cloud Access Point log
The Cloud Access Point log records access information for Tanium Clients that connect to Tanium Cloud through the Cloud Access Point.
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter 3 to go to the Tanium Support menu.
- Enter 1 to go to the Logs menu.
- Enter 6 to go to the Cloud Access Point menu.
- Select an item to view the log, follow its growth, delete it, or export it to the /outgoing directory.
When you view a log, you can use commands similar to ex editor commands to search for patterns (keywords).
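Because the Cloud Access Point service is squid, a log exported to the /outgoing directory can also be triaged offline. The following is an added example, not part of the Tanium documentation: it assumes the exported log uses Squid's default native access.log layout and that clients tunnel to the client edge hosts on ports 17472 and 17486; the host names and log lines are constructed placeholders.

```python
from collections import Counter

# Assumptions (not from the Tanium page): placeholder client edge host names,
# and Squid's default "native" access.log field order.
ALLOWED_HOSTS = {"edge-a.example.invalid", "edge-b.example.invalid"}
ALLOWED_PORTS = {17472, 17486}  # Cloud Access Point to Tanium Cloud ports
# Constructed sample lines, not real log output.
SAMPLE_LOG = """\
1685460000.101    812 10.20.0.11 TCP_TUNNEL/200 5120 CONNECT edge-a.example.invalid:17472 - HIER_DIRECT/203.0.113.10 -
1685460003.440    640 10.20.0.12 TCP_TUNNEL/200 4096 CONNECT edge-b.example.invalid:17486 - HIER_DIRECT/203.0.113.11 -
1685460007.902      0 10.20.0.13 TCP_DENIED/403 3900 CONNECT other.example.invalid:443 - HIER_NONE/- text/html
1685460009.015      1 10.20.0.13 TCP_DENIED/403 3850 GET http://other.example.invalid/ - HIER_NONE/- text/html
truncated line
"""

def parse_line(line):
    """Return a dict for one native-format line, or None if it is malformed."""
    parts = line.split()
    if len(parts) < 10 or "/" not in parts[3]:
        return None
    action, _, status = parts[3].partition("/")
    return {"client": parts[2], "action": action, "status": status,
            "method": parts[5], "target": parts[6]}

def classify(entry):
    """Return why an entry is unexpected for a Cloud Access Point, else None."""
    if entry["action"].endswith("DENIED"):
        return "denied"
    if entry["method"] != "CONNECT":
        return "non-connect"
    host, _, port = entry["target"].rpartition(":")
    if host.lower() not in ALLOWED_HOSTS:
        return "unexpected-host"
    if not port.isdigit() or int(port) not in ALLOWED_PORTS:
        return "unexpected-port"
    return None

def review(log_text):
    """Count findings per (client, reason); malformed lines are counted too."""
    findings, malformed = Counter(), 0
    for line in filter(None, map(str.strip, log_text.splitlines())):
        entry = parse_line(line)
        if entry is None:
            malformed += 1
        elif (reason := classify(entry)):
            findings[(entry["client"], reason)] += 1
    return findings, malformed

if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```

Replace ALLOWED_HOSTS with the host names you entered during the Cloud Access Point configuration before running it against an exported log.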
Last updated: 5/30/2023 3:35 PM