Requirements

Review the requirements before you set up and use a Tanium Appliance.

SSL certificates

The connections to the Tanium Console or SOAP and REST APIs, the connections between the Tanium Server and the Tanium Module Server, and connections to the Module Server are secured with SSL/TLS certificate and key exchanges. The installation process uses self-signed certificates. For best results, verify the installation with the self-signed certificates before you replace them with your commercial or enterprise certificates signed by a Certificate Authority. Doing this makes troubleshooting easier because it separates potential installation issues from SSL issues.

For more information on SSL certificate requirements, see the Tanium Core Platform Deployment Reference Guide: SSL certificates.

Network connectivity and firewall

Tanium components use TCP/IP to communicate. You must work with your network administrator to ensure that the Tanium components are provisioned IP addresses and that DNS can be used to resolve host names.

The Tanium Server must be able to connect to the Tanium database server and Module Server. In a redundant cluster, the Tanium Servers must be able to connect to each other over a reliable Ethernet connection. All of these connections require a minimum throughput of 1 Gbps and a maximum round-trip latency of 30 ms.

The following table summarizes the Tanium processes and default values for ports used in Tanium core platform communication. You might need to configure network firewalls to allow the specified processes to send/receive TCP packets through the ports listed. For a detailed explanation, see Tanium Core Platform Deployment Reference Guide: Network ports.

Table 1: Network communication ports used by Tanium components

| Components | Processes | Inbound Port | Destination Port |
|---|---|---|---|
| Tanium Server | taniumserver | 443, 8443, 17472 | 80, 443, 17477 |
| Tanium Module Server | taniummoduleserver | 17477 | 80, 443, 8443 |
| Tanium Zone Server | taniumzoneserver | 17472 | |
| Tanium Zone Server Hub | taniumzoneserver | | 17472 |
| Tanium Client | TaniumClient.exe, TaniumClient, taniumclient | 17472 | 17472 |
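
A pre-deployment check for the inbound ports in Table 1 and the 30 ms round-trip limit stated above. This is an added example, not Tanium code. The function names and the OK/SLOW/FAIL grading are assumptions made here, and the latency threshold only matters for the Tanium Server links to the database server, Module Server and cluster peers.

```python
import socket
import time

# Default inbound TCP ports per component, copied from Table 1 on this page.
# The Zone Server Hub is omitted because the table lists no inbound port for it.
INBOUND_PORTS = {
    "Tanium Server": (443, 8443, 17472),
    "Tanium Module Server": (17477,),
    "Tanium Zone Server": (17472,),
    "Tanium Client": (17472,),
}
MAX_RTT_MS = 30.0  # the page's maximum round-trip latency for server links


def probe(host, port, timeout=3.0):
    """Resolve host, attempt one TCP connect, and time the handshake."""
    result = {"host": host, "port": port, "resolved": False,
              "open": False, "connect_ms": None, "error": None}
    try:
        info = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        result["error"] = f"DNS resolution failed: {exc}"
        return result
    result["resolved"] = True
    family, socktype, proto, _, sockaddr = info[0]
    start = time.perf_counter()
    try:
        with socket.socket(family, socktype, proto) as sock:
            sock.settimeout(timeout)
            sock.connect(sockaddr)
            # A TCP handshake costs one round trip, so this approximates RTT.
            result["connect_ms"] = (time.perf_counter() - start) * 1000.0
        result["open"] = True
    except OSError as exc:
        result["error"] = f"connect failed: {exc}"
    return result


def check_inbound(component, host, ports=None, max_rtt_ms=MAX_RTT_MS):
    """Probe each inbound port of a component and grade the result."""
    findings = []
    for port in ports or INBOUND_PORTS[component]:
        r = probe(host, port)
        if not r["open"]:
            r["status"] = "FAIL"  # unresolved name, filtered or closed port
        else:
            r["status"] = "SLOW" if r["connect_ms"] > max_rtt_ms else "OK"
        findings.append(r)
    return findings
```

Run `check_inbound("Tanium Server", host)` from the network segment that has to reach that component, because the result reflects the firewalls on that path only.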

In addition, the installation and management of the appliance requires communication over common network service ports. The following table shows the default ports for these services.

Table 2: Appliance network service ports

| Services | Inbound port | Destination port |
|---|---|---|
| DNS | | 53/tcp, 53/udp |
| ESP (IPSec for cluster) | 50/ip | 50/ip |
| IKE (IPSec for cluster) | 500/udp, 4500/udp | 500/udp, 4500/udp |
| LDAP (optional) | | 389/tcp, 636/tcp |
| NTP | | 123/udp |
| SSH, SCP, SFTP | 22/tcp [1] | 22/tcp [1] |
| SNMP (optional) | 161/udp | |
| syslog (optional) | | 514/udp |
| iDRAC (recommended) | 443/tcp [2], 5900/tcp [2] | |

[1] In addition to remote access to the appliances, port 22 is used for a secure communications channel between the appliances.

[2] These ports need to be open only for the IP address of the dedicated iDRAC port (if applicable). The iDRAC port has an IP address that is different from the TanOS network interfaces. See Configure the iDRAC interface.

For a network port summary that includes solution module ports, see the Tanium Support Knowledge Base article (login required).

Internet access (direct or by proxy)

During both installation and ongoing operations, the Tanium Server must be able to access specific Internet URLs to import updates to Tanium core components and modules. For a list of URLs, see Tanium Core Platform Deployment Reference Guide: Internet URLs required.

Proxies

If your enterprise network environment requires outbound Internet connections to traverse a proxy server, you can configure the settings used to traverse the proxy server. For guidelines on proxy settings, see Tanium Core Platform Deployment Reference Guide: Proxy server settings.

Air gap

If you plan to deploy Tanium into an air-gapped environment, see Reference: Air gap support.