Requirements

Review the requirements before you set up and use a Tanium Appliance.

Any modification to the Licensed Software by Customer or any third-party or failure by Customer to implement any Enhancements to the Licensed Software may void Tanium’s obligation to provide Support Services and Tanium’s warranties.

Tanium Appliance specifications

Review the Tanium Appliance specifications to ensure support with your environment. For more information, see Reference: Tanium Appliance specifications.

Tanium Appliance software versions

The TanOS version is the version of the appliance operating system and menus. The appliance operating system is updated periodically to support new features and to support new Tanium Core Platform features.

The Tanium Core Platform version is the version of the platform server component. All components must run the same build version. The TanOS distribution includes installers for supported Tanium Core Platform versions. In Tanium Appliance deployments, support for a Tanium Core Platform release might require a TanOS upgrade.

Tanium Core Platform TanOS version required
7.4 1.5.5 or later
7.3 1.3.4 or later
Tanium Core Platform TanOS version required
7.3 or later 1.6.1 or later

SSL certificates

The connections to the Tanium Console or SOAP and REST APIs, the connections between the Tanium Server and the Tanium Module Server, and connections to the Module Server are secured with SSL/TLS certificate and key exchanges. The installation process uses self-signed certificates. For best results, verify the installation with the self-signed certificates before you replace them with your commercial or enterprise certificates signed by a Certificate Authority. Doing this facilitates troubleshooting by separating potential installation issues and SSL issues.

For more information on SSL certificate requirements, see the Tanium Core Platform Deployment Reference Guide: SSL certificates.

Network connectivity and firewall

Tanium components use TCP/IP to communicate. You must work with your network administrator to ensure that the Tanium components are provisioned IP addresses and that DNS can be used to resolve host names.

The Tanium Server must be able to connect to the Tanium database server and Module Server. In a redundant cluster, the Tanium Servers must be able to connect to each other over a reliable Ethernet connection. All of these connections require a minimum throughput of 1 Gbps and a maximum round-trip latency of 30 ms.

The following table summarizes the Tanium processes and default values for ports used in Tanium core platform communication. You might need to configure network firewalls to allow the specified processes to send/receive TCP packets through the ports listed. For a detailed explanation, see Tanium Core Platform Deployment Reference Guide: Network ports.

Network communication ports used by Tanium components
Source Destination Port Protocol Purpose
Tanium Clients Tanium Server 17472 TCP Client communication with the Tanium Server
Tanium Server Tanium Server 17472 TCP Tanium Server cluster communication
Console users Tanium Server 443, 8443 TCP Tanium Console communication with the Tanium Server
Tanium Server Tanium Module Server 17477 TCP Tanium Module Server communication from Tanium Server
Tanium Zone Server Hub Tanium Zone Server 17472 TCP Tanium Zone Server Hub communication with the Tanium Zone Servers
Tanium Server,
Module Server
External servers 443, 80 TCP Tanium Server or Module Server communication with external servers such as content.tanium.com

In addition, the installation and management of the appliance requires communication over common network service ports. The following table shows the default ports for these services.

Appliance network service ports
Source Destination Port Protocol Purpose

Tanium Servers

Tanium Module Servers

DNS servers 53 UDP, TCP DNS resolution for Tanium Servers and Tanium Module Servers

Tanium Servers

Tanium Servers 50 IP IPSEC ESP for Tanium Server cluster communications
Tanium Module Servers Tanium Module Servers 50 IP

IPSEC ESP for Tanium Module Server synchronization

Tanium Servers

Tanium Servers 500, 4500 UDP IPSEC IKE for Tanium Server cluster communications
Tanium Module Servers Tanium Module Servers 500, 4500 UDP IPSEC IKE for Tanium Module Server synchronization
Tanium Servers LDAP servers 389, 636 TCP (Optional) External LDAP communications for Tanium authentication
All Tanium Appliances NTP servers 123 UDP NTP time synchronization
Tanium Servers All Tanium Appliances 22 TCP SSH, SCP, SFTP communication for appliance array management
Tanium administrator workstations All Tanium Appliances 22 TCP SSH, SCP, SFTP communication for appliance management
SNMP servers Tanium Appliances 161 UDP (Optional) SNMP monitoring
Tanium Appliances Syslog servers 514 TCP, UDP (Optional) Syslog monitoring
Tanium administrator workstations Tanium Appliances 443, 5900 TCP (Physical appliances only) iDRAC communications1
Tanium Console user workstations/browsers content.tanium.com
update.microsoft.com
*.digicert.com
80, 443 TCP Download and install solutions to the Tanium Core Platform
1 These ports need to be open only for the IP address of the dedicated iDRAC port (if applicable). The iDRAC port has an IP address that is different from the TanOS network interfaces. See Configure the iDRAC interface.

The following figure illustrates how the Tanium Core Platform uses ports in an active-active deployment with Appliance infrastructure.

Figure  1:  Network communication ports

For more information about the port requirements of specific Tanium modules and shared services, see the Tanium Core Platform Deployment Reference Guide: Solution-specific port requirements.

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

Internet access (direct or by proxy)

During both installation and ongoing operations, the Tanium Server must be able to access specific Internet URLs to import updates to Tanium core components and modules. For a list of URLs, see Tanium Core Platform Deployment Reference Guide: Internet URLs required.

Proxies

If your enterprise network environment requires outbound Internet connections to traverse a proxy server, you can configure settings to use to traverse the proxy server. For guidelines on proxy settings, see Tanium Core Platform Deployment Reference Guide: Proxy server settings.

Air gap

If you plan to deploy Tanium into an air-gapped environment, see Reference: Air gap support.