Requirements
Review the requirements before you set up and use a Tanium Appliance.
Any modification to the Licensed Software by Customer or any third-party or failure by Customer to implement any Enhancements to the Licensed Software may void Tanium’s obligation to provide Support Services and Tanium’s warranties.
Contact Tanium Support for the official security attestation for Tanium™ Appliance. To contact Tanium Support, sign in to https://support.tanium.com.
Tanium Appliance specifications
Review the Tanium Appliance specifications to ensure support for your environment and to determine appropriate sizing. See Reference: Tanium Appliance specifications.
Tanium Appliance software versions
The TanOS version is the version of the appliance operating system and menus. The appliance operating system software is updated periodically to support new features and to support new Tanium Core Platform features.
The Tanium version is the version of the Tanium Core Platform™ server component installed on an appliance. All components must run the same Tanium version, including the same build version. The TanOS distribution includes installers for supported Tanium Core Platform versions. In Tanium Appliance deployments, support for a Tanium Core Platform release might require a TanOS upgrade. For more information, see the TanOS Release Notes for your release.
Required Tanium version
TanOS 1.8.1 requires Tanium™ Core Platform 7.5.6 or later.
If you are upgrading appliances from a previous version of TanOS, make sure Tanium™ Core Platform servers are on at least this version before you upgrade.
SSL certificates
The connections to the Tanium Console or SOAP and REST APIs, the connections between the Tanium Server and the Tanium Module Server, and connections to the Module Server are secured with SSL/TLS certificate and key exchanges. The installation process uses self-signed certificates. For best results, verify the installation with the self-signed certificates before you replace them with your commercial or enterprise certificates signed by a Certificate Authority. Doing this facilitates troubleshooting by separating potential installation issues and SSL issues.
For more information on SSL certificate requirements, see the Tanium Core Platform Deployment Reference Guide: SSL certificates.
Tanium Appliance Array
An Appliance Array manages the connections and establishes trust between the Tanium Appliances that contain the components of a Tanium deployment. The Appliance Array makes it easy to set up and manage the appliances.
A typical Appliance Array contains the following appliances:
- A primary Tanium Server appliance with an active database
- A secondary Tanium Server appliance with a passive database
- A Tanium Module Server appliance
- An optional standby Tanium Module Server appliance
- One or more Tanium Zone Server appliances
An Appliance Array is required to manage Tanium Servers and Tanium Module Servers in a Tanium Appliance deployment. For instructions on how to install an Appliance Array, see Installing and managing an Appliance Array.
Use the Appliance Array to manage Tanium Zone Servers as well. Install and configure a Zone Server separately from the Appliance Array only if the network in which the Zone Server is installed does not allow SSH communication.
Network connectivity and firewall
Tanium components use TCP/IP to communicate. You must work with your network administrator to ensure that the Tanium components are provisioned IP addresses and that DNS can be used to resolve host names.
The Tanium Server must be able to connect to the Tanium database server and Module Server. In a redundant cluster, the Tanium Servers must be able to connect to each other over a reliable Ethernet connection. These connections require a minimum throughput of 1 Gbps and a maximum round-trip latency of 30 ms.
The following table summarizes the Tanium processes and default values for ports used in Tanium core platform communication. You might need to configure network firewalls to allow the specified processes to send/receive TCP packets through the ports listed. For a detailed explanation, see Tanium Core Platform Deployment Reference Guide: Network ports.
| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| All Tanium Appliances | content.tanium.com download.tanium.com *.digicert.com |
443 | TCP | Tanium Server (TaniumReceiver.exe) or Module Server (TaniumModuleServer.exe) communication with content.tanium.com to import updates to Tanium Core Platform components and modules; communication from all Tanium Appliances to download TanOS upgrades |
| All Tanium Appliances | NTP servers | 123 | UDP | NTP time synchronization |
| All Tanium Appliances | Syslog servers | 514 | TCP, UDP | (Optional) Syslog monitoring |
| Console/API users | content.tanium.com update.microsoft.com *.digicert.com |
443 | TCP | Download and install solutions to the Tanium Core Platform |
| Console/API users | Tanium Servers | 443 |
TCP | Tanium Console/API user workstation (browser) communication with Tanium Servers |
| Module Servers | Module Servers | 500, 4500 | UDP | IPsec IKE for setting up a secure channel during Module Server synchronization |
| Module Servers | Module Servers | Not applicable | IPsec ESP2 |
Protocol for data confidentiality and authentication during Module Server synchronization |
| Module Servers | Tanium Servers | 443 |
TCP | Module Server communication with Tanium Servers |
| Module Servers | Zone Servers1 | 17487 | TCP | Used by Zone Servers for Module Server connections using Direct Connect. The default port number is 17487. If needed, you can specify a different port number when you configure the zone proxy. |
| SNMP servers | All Tanium Appliances | 161 | UDP | (Optional) SNMP monitoring |
| Tanium Clients | Tanium Clients Tanium Servers Zone Servers |
17472 | TCP | Communication between Tanium Clients (TaniumClient.exe), communication between the clients and the Tanium Servers or Zone Servers |
| Tanium Clients (external) | Zone Servers1 | 17486 | TCP | Used by Zone Servers for endpoint connections to external clients using Direct Connect. The default port number is 17486. If needed, you can specify a different port number when you configure the zone proxy. |
| Tanium Clients (internal) | Module Servers | 17475 | TCP | Used by the Module Server for endpoint connections to internal clients using Direct Connect. |
| Tanium Servers | All Tanium Appliances | 22 | TCP | SSH, SCP, SFTP communication for Appliance Array management |
| Tanium Servers | LDAP servers | 389, 636 | TCP | (Optional) External LDAP communications for Tanium authentication |
| Tanium Servers | Module Servers | 17477 | TCP | Tanium Server communication with Module Servers |
| Tanium Servers | Tanium database | 1433, 5432 | TCP | Tanium Server communication with the Tanium database: SQL server (Sqlservr.exe) or PostgreSQL server (postgres.exe) |
| Tanium Servers | Tanium Servers | 443, 17472 | TCP | Communication between active-active Tanium Servers |
|
Tanium Servers |
Tanium Servers | 500, 4500 | UDP | IPsec IKE for setting up a secure channel in Tanium Server cluster communications |
|
Tanium Servers |
Tanium Servers | Not applicable | IPsec ESP2 | Protocol for data confidentiality and authentication in Tanium Server cluster communications |
|
Tanium Servers |
DNS servers | 53 | UDP, TCP | DNS resolution for Tanium Servers and Module Servers |
| TanOS administrator workstations | All Tanium Appliances | 22 | TCP | SSH, SCP, SFTP communication for appliance management |
| TanOS administrator workstations | All Tanium Appliances | 443, 5900 | TCP | (Physical appliances only) iDRAC communications3 |
| Zone Server Hub | Zone Servers1 | 17472 | TCP | Zone Server Hub (TaniumZoneServer.exe) communication with Zone Servers (TaniumZoneServer.exe) |
|
1 These ports are required only when you use a Zone Server. 2 IPSec ESP is not a port. For Appliance Array traffic to properly work, you must add custom exceptions to your firewall rules. 3 These ports need to be open only for the IP address of the dedicated iDRAC port (if applicable). The iDRAC port has an IP address that is different from the TanOS network interfaces. See |
||||
Do not allow a Tanium Server, a Module Server, or a Zone Server Hub to accept inbound connections from the internet. On a Zone Server, allow only the Tanium Client port to accept inbound connections from the internet.
The following figure illustrates how the Tanium Core Platform uses ports in an active-active deployment with Appliance infrastructure.
Tanium™ Direct Connect uses additional ports for communication between Tanium Clients and the Module Server. See Tanium Direct Connect User Guide: Host and network security requirements.
For more information about the port requirements of other Tanium modules and shared services, see
Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.
Internet access (direct or by proxy)
During both installation and ongoing operations, the Tanium Server must be able to access specific Internet URLs to import updates to Tanium core components and modules. For a list of URLs, see Tanium Core Platform Deployment Reference Guide: Internet URLs required.
Proxies
If your enterprise network environment requires outbound Internet connections to traverse a proxy server, you can configure settings used to traverse the proxy server. For guidelines on proxy settings, see Tanium Core Platform Deployment Reference Guide: Proxy server settings.
Air gap
If you plan to deploy Tanium into an air-gapped environment, see Working with appliances in an air-gapped environment.
Last updated: 9/18/2023 5:19 PM | Feedback