This topic summarizes requirements for a Tanium Appliance installation.
Obtain a valid license from your Tanium technical account manager (TAM). The same license file is used to activate all of the Tanium appliances in your deployment. Your TAM must know the fully qualified domain name (FQDN) of each appliance in order to generate your license file.
The connections to the Tanium Console or SOAP and REST APIs, the connections between Tanium Server and Tanium Module Server, and connections to the Module Server are secured with SSL/TLS certificate and key exchanges. The installation process uses self-signed certificates. We recommend that you verify the installation with the self-signed certificates before you replace them with your commercial or enterprise CA certificates. Doing this facilitates troubleshooting by separating potential installation issues from SSL issues.
For more information on SSL certificate requirements, see the Tanium Core Platform Installation Guide: SSL certificates.
Tanium components use TCP/IP to communicate over IPv4 networks. IPv6 is not supported. You must work with your network administrator to ensure that the Tanium components are provisioned with IPv4 addresses and that DNS can be used to resolve their hostnames.
The following table summarizes the Tanium processes and default values for ports used in Tanium core platform communication. Network firewalls might need to be configured to allow the specified processes to send and receive TCP traffic on the listed ports. For a detailed explanation, see the Tanium Core Platform Installation Guide: Network ports. For a summary that includes solution module ports, see the Tanium Support Knowledge Base article (login required).
In addition, the installation and management of the appliance requires communication over common network service ports. The following table shows the default ports for these services.
| Services | Inbound port | Destination port |
| --- | --- | --- |
| ESP (HA cluster) | 50/ip | 50/ip |
| IKE (HA cluster) | 500/udp, 4500/udp | 500/udp, 4500/udp |
| LDAP (optional) | 389/tcp, 636/tcp | |
| SSH, SCP, SFTP | 22/tcp | 22/tcp |
| iDRAC (recommended) | 443/tcp*, 5900/tcp* | |

* These ports need to be open only for the IP address of the dedicated iDRAC port (if applicable). The iDRAC port has an IP address that is different from the TanOS network interfaces. See Configure the iDRAC interface.
During both installation and ongoing operations, the Tanium Server must be able to connect to https://content.tanium.com to import updates to Tanium core components and modules. The Tanium Server may need to connect to additional locations, based on the components you import. The following table lists URLs that are accessed by Tanium Server.
Note: Both the Tanium Server and the browser used to access the Tanium Console must connect to these URLs.
Note: Module import fails if the Certificate Revocation List (CRL) is blocked or inaccessible.

| Component | URL |
| --- | --- |
| Windows Security Patch Management | http://download.windowsupdate.com |
If your enterprise security policy does not allow Tanium Server to access these locations directly, you can use proxy servers. See the Tanium Core Platform User Guide.
If your enterprise network uses SSL intercept technologies, such as man-in-the-middle (MITM) proxies, you must configure them so that they do not prevent the Tanium Server and Tanium Module Server from downloading files from these locations.
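The following preflight script is an added example, not Tanium's own tooling, that turns the requirements above into checks an administrator can run before installation: DNS resolution of each appliance FQDN (IPv4 only, as Tanium requires), TCP reachability of the tcp entries from the service port table, and a TLS handshake with the download locations that validates the server certificate against the system CA store. A validation failure against a public site such as content.tanium.com is the usual symptom of an SSL-intercepting proxy substituting its own certificate; when the handshake succeeds, the issuer is reported so an unexpected enterprise CA is visible. All hostnames below are placeholders that must be replaced with the deployment's real names; the port specifications are copied from the table on this page.

```python
"""Preflight connectivity checks for a Tanium Appliance deployment (added example)."""
import socket
import ssl
from urllib.parse import urlparse

# Placeholder hostnames for this example; replace with the deployment's FQDNs.
APPLIANCE_HOSTS = ["tanium-server.example.com", "tanium-module.example.com"]

# TCP services from the page's table, keyed by the host they are reached on.
# LDAP is reached on the directory server and iDRAC on its dedicated address,
# not on the appliance's own interface.
TCP_TARGETS = {
    "SSH, SCP, SFTP (appliance)": ("tanium-server.example.com", "22/tcp"),
    "LDAP (directory server)": ("ldap.example.com", "389/tcp, 636/tcp"),
    "iDRAC (dedicated iDRAC address)": ("idrac-tanium01.example.com", "443/tcp, 5900/tcp"),
}

# Download locations named on the page.
CONTENT_URLS = ["https://content.tanium.com", "http://download.windowsupdate.com"]


def parse_port_spec(spec):
    """Turn a table cell such as '500/udp, 4500/udp' into [(500, 'udp'), (4500, 'udp')].

    An entry like '50/ip' (ESP) is an IP protocol number, not a port; it is
    returned with proto 'ip' so callers can skip it for TCP probes.
    """
    entries = []
    for item in spec.split(","):
        number, proto = item.strip().split("/")
        entries.append((int(number), proto.lower()))
    return entries


def resolve(host):
    """Return the IPv4 address DNS gives for host, or None if it does not resolve."""
    try:
        return socket.getaddrinfo(host, None, socket.AF_INET)[0][4][0]
    except OSError:
        return None


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tls_check(url, timeout=5.0):
    """Handshake with an https URL, validating the chain against the system CA store.

    Returns {'ok': bool, 'issuer': str or None, 'error': str or None}.
    Plain http URLs have nothing to verify and pass immediately.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return {"ok": True, "issuer": None, "error": None}
    host, port = parsed.hostname, parsed.port or 443
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
        # getpeercert() gives the issuer as a tuple of RDNs; pull the organization.
        issuer = dict(rdn[0] for rdn in cert["issuer"]).get("organizationName")
        return {"ok": True, "issuer": issuer, "error": None}
    except OSError as exc:  # ssl.SSLCertVerificationError is a subclass of OSError
        return {"ok": False, "issuer": None, "error": str(exc)}


def run_preflight(hosts=APPLIANCE_HOSTS, targets=TCP_TARGETS, urls=CONTENT_URLS):
    """Run every check and return (check, target, passed, detail) tuples."""
    results = []
    for host in hosts:
        ip = resolve(host)
        results.append(("dns", host, ip is not None, ip))
    for label, (host, spec) in targets.items():
        for port, proto in parse_port_spec(spec):
            if proto != "tcp":
                continue  # udp/ip entries (IKE, ESP) are not probed by a TCP connect
            results.append((label, f"{host}:{port}", tcp_reachable(host, port), proto))
    for url in urls:
        outcome = tls_check(url)
        detail = outcome["error"] or f"issuer={outcome['issuer']}"
        results.append(("tls", url, outcome["ok"], detail))
    return results


if __name__ == "__main__":
    for check, target, passed, detail in run_preflight():
        print(f"{'PASS' if passed else 'FAIL'}  {check:<32} {target:<40} {detail}")
```

Run it from a host on the same network segment as the planned appliance placement; a FAIL on an https URL whose detail mentions certificate verification points at an intercepting proxy or a missing CA, while a FAIL on a tcp target points at a firewall rule or DNS entry that still needs to be provisioned.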
If you plan to deploy Tanium into an air-gapped environment, consult with your TAM.
Last updated: 2/5/2019 11:52 AM