Prerequisites

This topic summarizes the prerequisites for installing the Tanium Appliance.

License

A license is bound to the hostname(s) that you assign to the Tanium Server(s). For HA deployments, both hostnames are used in the license data. Let your technical account manager (TAM) know if the hostnames provisioned for the Tanium Server(s) are changed.

SSL certificates

The connections to the Tanium Console or to the SOAP and REST APIs, the connections between the Tanium Server and the Tanium Module Server, and the connections to the Module Server are secured with SSL/TLS certificate and key exchanges. The installation process uses self-signed certificates. We recommend that you verify the installation with the self-signed certificates before you replace them with your commercial or enterprise CA certificates. Doing this facilitates troubleshooting by separating potential installation issues from SSL issues.

For more information on SSL certificate requirements, see the Tanium Core Platform Installation Guide.

Network connectivity and firewall

Tanium components use TCP/IP to communicate over IPv4 networks. IPv6 is not supported. You must work with your network administrator to ensure that the Tanium components are provisioned IP addresses and that DNS can be used to resolve hostnames.

The following table summarizes the Tanium processes and default values for ports used in Tanium core platform communication. Network firewalls might need to be configured to allow the specified processes to send/receive TCP via the ports listed. For a detailed explanation, see the Tanium Core Platform Installation Guide.

Table 1:   Network communication ports used by Tanium components

Components | Processes | Inbound Port | Destination Port
-----------|-----------|--------------|-----------------
Tanium Server | taniumserver | 443, 8443, 17472 | 80, 443, 17477
Tanium Module Server | taniummoduleserver | 17477 | 80, 443, 8443
Tanium Zone Server | taniumzoneserver | 17472 |
Tanium Zone Server Hub | taniumzoneserver | | 17472
Tanium Client | TaniumClient.exe, TaniumClient, taniumclient | 17472 | 17472
Tanium Client Deployment Tool (CDT) | TaniumClientDeploy.exe | | 22, 135, 445
Unmanaged endpoint | CDT platform-specific methods (during deployment only) | 22, 135, 445 |

In addition, the installation and management of the appliance require communication over common network service ports. The following table shows the default ports for these services.

Table 2:   Appliance network service ports

Services | Inbound port | Destination port
---------|--------------|-----------------
DNS | | 53/tcp, 53/udp
ESP (HA cluster) | 50/ip | 50/ip
IKE (HA cluster) | 500/udp, 4500/udp | 500/udp, 4500/udp
LDAP (optional) | | 389/tcp, 636/tcp
NTP | | 123/udp
SSH, SCP, SFTP | 22/tcp | 22/tcp
SNMP (optional) | 161/tcp |
syslog (optional) | | 514/udp

Internet access (direct or by proxy)

During both installation and ongoing operations, the Tanium Server must be able to connect to https://content.tanium.com to import updates to Tanium core components and modules. The Tanium Server may need to connect to additional locations, based on the components you import. The following table lists URLs that are accessed by Tanium Server.

Import type | Components | URLs
------------|------------|-----
Any | Any | https://content.tanium.com; http://*.digicert.com (module import fails if the Certificate Revocation List is blocked or inaccessible)
Content | Initial Content | http://linux-usb.org
Content | Managed Applications | http://ardownload.adobe.com/; http://airdownload.adobe.com/; http://download.macromedia.com/; http://dl.google.com/; https://download.mozilla.org/; https://secure-appldnld.apple.com/
Content | Windows Security Patch Management | http://download.windowsupdate.com
Content | IR Gatherer | https://download.sysinternals.com
Modules | IR | https://download.sysinternals.com
Modules | Patch | http://download.windowsupdate.com
Modules | IOC Detect | https://download.sysinternals.com
Labs Content | EMET | https://download.microsoft.com
Labs Content | MSERT | https://definitionupdates.microsoft.com
Labs Content | Stinger | http://downloadcenter.mcafee.com
Labs Content | Symantec | https://support.symantec.com

Notes:

  • If a Tanium content pack or solution module is not listed, it requires no additional URLs.
  • Previous Tanium Server versions required access to http://curl.haxx.se. Tanium Server 7.0 and later do not require access to this site.

If your enterprise security policy does not allow Tanium Server to access these locations directly, you can use proxy servers. See the Tanium Core Platform User Guide.

If your enterprise network uses SSL intercept technologies, such as man-in-the-middle (MITM) proxies, you must configure them so that they do not prevent the Tanium Server and Tanium Module Server from downloading files from these locations.
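Whether the Tanium Server can reach the URLs in the table, through a proxy or directly, and whether an SSL-intercepting proxy sits in the path, can both be checked from the appliance before the first module import. The script below is an added example for this page, not Tanium code: probe_url fetches each URL with TLS verification left on (so an intercepting proxy whose CA is not trusted surfaces as a TLS error rather than a silent rewrite), and tls_issuer reports who issued the certificate the server presents, which is the quickest way to tell a direct connection from an intercepted one. The proxy address, the placeholder CRL hostname for the http://*.digicert.com wildcard entry and the component subset in REQUIRED_URLS are assumptions to be replaced with your own values.

```python
"""Check that the Tanium Server can reach its download URLs, directly or via a proxy.

Added example for this page; it is not Tanium code. The proxy address and the
hostname standing in for the *.digicert.com wildcard are placeholders.
"""
import socket
import ssl
import urllib.error
import urllib.request

# A subset of the URL table above, keyed by component. "http://*.digicert.com"
# is a wildcard and cannot be probed as written; put the concrete CRL host(s)
# you see in your own logs under "digicert" (placeholder below).
REQUIRED_URLS = {
    "Any": ["https://content.tanium.com"],
    "Patch": ["http://download.windowsupdate.com"],
    "IR": ["https://download.sysinternals.com"],
    "digicert": ["http://crl.example.invalid"],  # placeholder, not a real digicert host
}


def make_opener(proxy=None):
    """Build an opener that verifies TLS against the system CA store.

    proxy=None inherits http_proxy/https_proxy from the environment,
    proxy="" forces a direct connection, anything else is used as a proxy URL.
    """
    if proxy is None:
        proxies = urllib.request.ProxyHandler()        # environment settings
    elif proxy == "":
        proxies = urllib.request.ProxyHandler({})      # explicitly no proxy
    else:
        proxies = urllib.request.ProxyHandler({"http": proxy, "https": proxy})
    tls = urllib.request.HTTPSHandler(context=ssl.create_default_context())
    return urllib.request.build_opener(proxies, tls)


def probe_url(url, proxy=None, timeout=10.0):
    """Return (url, outcome, detail).

    outcome is "ok" (2xx), "http" (the server answered with an error status,
    which still proves the path is open) or "error" (no usable answer: DNS,
    connect, proxy or TLS failure; detail says which).
    """
    opener = make_opener(proxy)
    request = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(request, timeout=timeout) as response:
            return (url, "ok", response.status)
    except urllib.error.HTTPError as exc:
        return (url, "http", exc.code)
    except urllib.error.URLError as exc:
        return (url, "error", str(exc.reason))
    except OSError as exc:  # includes ssl.SSLError raised outside urllib's wrapping
        return (url, "error", str(exc))


def tls_issuer(host, port=443, timeout=10.0):
    """Return the organization that issued the certificate presented by host.

    With a verifying context, an SSL-intercepting proxy either fails
    verification (its CA is not trusted here) or shows up as an issuer that is
    not the public CA you expect; either result tells you interception is in
    the path and must be configured to pass these downloads through.
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    # getpeercert() returns the issuer as a tuple of RDNs, each a tuple of (key, value).
    issuer = {key: value for rdn in cert["issuer"] for key, value in rdn}
    return issuer.get("organizationName", "")


def probe_all(components, proxy=None, timeout=10.0):
    """Probe every URL listed for the given component names; returns the results."""
    results = []
    for name in components:
        for url in REQUIRED_URLS.get(name, []):
            results.append(probe_url(url, proxy, timeout))
    return results


if __name__ == "__main__":
    # Placeholder proxy; pass "" to test direct access instead.
    for url, outcome, detail in probe_all(["Any", "Patch"],
                                          proxy="http://proxy.example.internal:3128"):
        print(f"{outcome:5} {url} {detail}")
    print("content.tanium.com issuer:", tls_issuer("content.tanium.com"))
```

An "http" outcome (for example a 403 on a HEAD request) is acceptable for this purpose: the request reached the origin, so the firewall and proxy path is open. An "error" whose detail mentions certificate verification is the signature of an intercepting proxy that has not been exempted for these destinations.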

If you plan to deploy Tanium into an air-gapped environment, consult with your TAM.

Last updated: 8/13/2018 10:22 AM