Configuring connections to the Tanium Core Platform
After you install the Tanium Client on an endpoint, the client initiates a connection to the
Settings for connections to Tanium Cloud or Tanium Core Platform servers
The following settings, which govern connections from Tanium Clients to
For the settings that connect Tanium Clients through HTTPS proxy servers, see Connect through an HTTPS forward proxy server.
The Tanium Client connects to only one
The
When ServerNameList has multiple entries, the Tanium Client must select one each time the client process restarts or the client resets. The client randomly selects
The Tanium Client overwrites the value of the ServerName setting with the
You can optionally set the port that the Tanium Client uses to communicate with servers by appending :<port_number> to the server IP addresses or FQDNs (for example, ts1.local.com:443,ts2.local.com:443,zs1.example.com:443). The ServerNameList port values override the ServerPort setting in the Tanium Client configuration (default is 17472).
ServerName specifies the FQDN or IP address of the
The
You can set the port that the Tanium Client uses to communicate with servers by appending :<port_number> to ServerName (for example, ts1.local.com:443). The ServerName port overrides the ServerPort setting in the Tanium Client configuration (default is 17472).
LastGoodServerName stores the name of the last
ServerPort specifies the port that the Tanium Client uses for client-
You can also randomize the port for client-client communication: see Randomize listening ports.
Content for configuring connections to Tanium Cloud or Tanium Core Platform servers
The Tanium Default Content pack includes sensors and packages to manage the ServerNameList, ServerName, and ServerPort values on the endpoints that host the Tanium Client.
Content | Object Name | Usage |
---|---|---|
Sensors | Tanium Server Name | Returns the current value of ServerName from the Tanium Client. For clients on which ServerNameList is configured, you can use the sensor to identify the Get Computer Name and Tanium Server Name from all machines |
Sensors | Tanium Server Name List | Returns the current value of ServerNameList from the Tanium Client. For example: Get Computer Name and Tanium Server Name List from all machines |
Sensors | Tanium Client Explicit Setting | Returns the current value of any Tanium Client setting that you specify. For example: Get Computer Name and Tanium Client Explicit Setting[ServerPort] from all machines. For the complete list of client settings that you can specify with this sensor, see Tanium Client settings. |
Packages | Set Tanium Server Name | Sets the ServerName value on Windows endpoints and restarts the Tanium Client service. The ServerName setting is in the Windows registry. |
Packages | Set Tanium Server Name [Non-Windows] | Sets the ServerName value on non-Windows endpoints and restarts the Tanium Client system service. The ServerName setting is in an SQLite database and is set through a CLI command. |
Packages | Set Tanium Server Name List | Sets the ServerNameList value on Windows endpoints and restarts the Tanium Client service. The ServerNameList setting is in the Windows registry. |
Packages | Set Tanium Server Name List [Non-Windows] | Sets the ServerNameList value on non-Windows endpoints and restarts the Tanium Client system service. The ServerNameList setting is in an SQLite database and is set through a CLI command. |
Configure clients to connect with multiple Tanium Servers
The following procedure provides an example of how to use the objects listed in Table 1 to set the ServerNameList on managed endpoints in a scenario where a second Tanium Server is added to the deployment after the Tanium Client is deployed. In a deployment with both Windows and non-Windows endpoints, repeat the steps for both types of endpoints.
For an example of how to set the ServerNameList on Tanium Clients that register with a Zone Server, see Tanium Core Platform Deployment Guide for Windows: Configure Tanium Clients to register with the Zone Server.
- Delete any existing scheduled actions that configure ServerNameList or ServerName to prevent conflicts with the new actions that you create for those settings.
- Use Tanium Interact to ask a question that identifies the Tanium Clients that require an updated ServerNameList.
  The following example identifies Tanium Clients that do not include both Tanium Servers (ts1.tam.local and ts2.tam.local, in this example):
  Get Tanium Server Name List and Is Windows from all machines with all Tanium Server Name List not equals "ts1.tam.local,ts2.tam.local"
- In the Question Results grid, select a group of either Windows or non-Windows endpoints that need an updated Tanium Server Name List value and click Deploy Action.
  Windows endpoints and non-Windows endpoints require different packages. If you are updating both Windows and non-Windows endpoints, complete this procedure separately for each group.
- Specify one of the following as the Deployment Package:
  - Set Tanium Server Name List for Windows endpoints
  - Set Tanium Server Name List [Non-Windows] for non-Windows endpoints
- Enter the FQDNs or IP addresses of both Tanium Servers in the Server Name List field.
- Set a schedule for the action.
  Set a reissue interval if some target endpoints might be offline when you initially deploy the action.
- In the Targeting Criteria section, ensure the settings target Windows endpoints or non-Windows endpoints based on the package that you selected.
- Click Show preview to continue and verify that the targeting is correct.
- Click Deploy Action and review the action status to verify that the action completes without errors. For more information about the action status, see Tanium Console User Guide: View action status.
- Use Tanium Interact to ask a question that returns the ServerNameList values from Tanium Clients.
  Get Tanium Server Name List and Is Windows from all machines
- Review the Question Results grid to verify that the Tanium Server Name List value includes both Tanium Servers.
  You might have to wait a few minutes for the results to show the new values. Ensure that live updates are enabled for the results grid.
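The port rule for ServerNameList entries and the final verification step can also be checked offline against exported question results. The following Python is an added example, not Tanium code; the function names, the sample rows, and the restriction to FQDN or IPv4 entries are assumptions.

```python
import re

DEFAULT_SERVER_PORT = 17472  # ServerPort default stated on this page
# Assumption: entries are FQDNs or IPv4 addresses; IPv6 literals are not handled.
HOST_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")

def parse_server_name_list(value, server_port=DEFAULT_SERVER_PORT):
    """Return [(host, effective_port)] for a ServerNameList string.

    An entry's ':<port>' suffix overrides ServerPort for that entry only.
    """
    endpoints = []
    for entry in value.split(","):
        host, sep, port_text = entry.strip().partition(":")
        if not HOST_RE.match(host):
            raise ValueError(f"bad host in entry {entry!r}")
        port = server_port
        if sep:
            if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
                raise ValueError(f"bad port in entry {entry!r}")
            port = int(port_text)
        endpoints.append((host.lower(), port))
    return endpoints

def missing_servers(value, required):
    """Hosts in `required` that a client's ServerNameList does not contain."""
    if not value.strip():          # setting not configured on this client
        return list(required)
    present = {host for host, _ in parse_server_name_list(value)}
    return [h for h in required if h.lower() not in present]

def audit(rows, required):
    """Map computer name -> missing servers, only for clients that need the action."""
    report = {}
    for name, value in rows:
        gaps = missing_servers(value, required)
        if gaps:
            report[name] = gaps
    return report

# Constructed sample rows (computer name, Tanium Server Name List value).
SAMPLE_RESULTS = [
    ("host-a", "ts1.tam.local,ts2.tam.local"),
    ("host-b", "ts2.tam.local:443,ts1.tam.local:443"),  # other order, explicit ports
    ("host-c", "ts1.tam.local"),
]

if __name__ == "__main__":
    print(audit(SAMPLE_RESULTS, ["ts1.tam.local", "ts2.tam.local"]))
```

The host-b value differs from "ts1.tam.local,ts2.tam.local" as a string but still contains both servers, so the set comparison reports only host-c.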
Connect through an HTTPS forward proxy server
If the network policies of your organization prohibit endpoints from connecting through the Internet directly to
To use a proxy server with Tanium Clients, your environment must meet the following requirements:
- Tanium Client 7.4.2.2033 or later must be installed on endpoints that connect through the proxy server.
- The proxy server uses the HTTP CONNECT method for TLS tunneling.
- The proxy server must not require authentication.
- The proxy server does not perform SSL/TLS inspection. You cannot use network devices such as firewalls to decrypt and inspect Tanium Protocol traffic between Tanium Clients and the Tanium Server or between peer Tanium Clients.
The steps to connect to a proxy depend on whether the endpoints can access a proxy auto configuration (PAC) file, which is available only for Windows endpoints. A PAC file defines how web browsers connect to specific URLs (such as the
If no proxy servers are available, the Tanium Client falls back to connecting directly with
Tanium Clients can traverse a proxy only when connecting to


Before you begin
Work with your network administration team to perform the following tasks before connecting Tanium Clients to a proxy server:
- Configure the proxy server to allow the port that the client uses for Tanium traffic (default 17472) regardless of any security restrictions that are configured on the server. See Network connectivity, ports, and firewalls.
- (Windows endpoints only) If Tanium Clients must establish proxy connections through a PAC file, create the file and copy it to a web server that the clients can access.
Tanium Clients that require a proxy connection do not connect directly to Tanium Core Platform servers. Because the Tanium Client Management service requires a direct connection from the Tanium Module Server to clients, you cannot use Client Management to deploy clients that require a proxy connection.
Configure proxy connections with a PAC file
For Tanium Clients on Windows endpoints, you can configure proxy connections using a PAC file if one is available. The endpoint downloads the file from the URL that you specify and runs a script that the file contains to select the correct proxy for connecting to a particular
Configure proxy connections during client deployment
Configure Tanium Clients to use a PAC file by setting ProxyAutoConfigAddress during client installation. See
Installation method | Method to set ProxyAutoConfigAddress |
---|---|
Client Management | Include the ProxyAutoConfigAddress setting and the URL of the PAC file as a key and value in client settings. For more information, see Create a client configuration. |
Command-line interface (CLI) | Specify the setting as one of the parameters of a silent installation: SetupClient.exe /ProxyAutoConfigAddress=http[s]://<PAC file host URL>/<PAC file name> /S You might also have to specify the /ServerAddress= |
Installation wizard | Run the following CLI command to configure ProxyAutoConfigAddress after completing the wizard: TaniumClient config set-string ProxyAutoConfigAddress ^ |
Configure proxy connections after client deployment
You can configure Tanium Clients to use a PAC file after the initial client deployment, or change the file on clients that already use a PAC file.
- Go to the Tanium Home page and ask the following question to identify the proxy servers with which Tanium Clients currently connect, if any:
  Get Tanium Client Explicit Setting[ProxyAutoConfigAddress] and Tanium Client Explicit Setting[ProxyServers] from all machines
- Select the results for clients that do not already use the PAC file that you want and click Deploy Action.
- Configure the package settings:
  - Deployment Package: Select Modify Tanium Client Setting.
  - RegType: Select REG_SZ.
  - ValueName: Enter ProxyAutoConfigAddress.
  - ValueData: Enter the new PAC file URL and file name in the format http[s]://<PAC file URL>/<PAC file name>.pac.
- (Optional) In the Schedule Deployment section, set a schedule for the action.
  Set a reissue interval if some target endpoints might be offline when you initially deploy the action.
- In the Targeting Criteria section, ensure that the settings target only the endpoints that require the updated proxy setting.
- Click Show preview to continue and verify that the targeting is correct.
- Click Deploy Action and review the action status to verify that the action completes without errors.
- Ask the following question to verify that clients have the updated ProxyAutoConfigAddress setting:
  Get Tanium Client Explicit Setting[ProxyAutoConfigAddress] from all machines
  Clients do not apply the updated setting until you manually restart them or wait for the automatic client reset, which by default occurs at a random interval in the range of two to six hours.
- (Optional) Restart the Tanium Client service on each endpoint to apply the updated proxy setting immediately. For the steps, see Manage the Tanium Client service on Windows.
Configure proxy connections without a PAC file
On non-Windows endpoints, or on Windows endpoints that cannot access a PAC file, configure the Tanium Client to connect to a proxy server by specifying the proxy IP address or FQDN and the proxy port in the ProxyServers setting. If you specify multiple proxies, the client tries to connect to the proxies in the order that ProxyServers lists them. After any single connection succeeds, the client stops trying to connect with more proxies.
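Before deploying a ProxyServers value, you can check each listed proxy against the requirements stated earlier (HTTP CONNECT tunneling, no authentication, Tanium port allowed) in the same order the client tries them. The following Python is an added example, not Tanium code; the function names and result labels are assumptions, and the check does not detect SSL/TLS inspection.

```python
import socket

TANIUM_PORT = 17472  # default client port stated on this page

def parse_proxy_servers(value):
    """Split a ProxyServers string into [(host, port)], keeping the listed order."""
    proxies = []
    for entry in value.split(","):
        host, sep, port = entry.strip().rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError(f"expected <host>:<port>, got {entry!r}")
        proxies.append((host, int(port)))
    return proxies

def classify_connect_reply(raw):
    """Judge a proxy's reply to CONNECT against the requirements on this page."""
    status_line = raw.split(b"\r\n", 1)[0].decode("iso-8859-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return "not-http-proxy"
    status = int(parts[1])
    if 200 <= status < 300:
        return "tunnel-ok"
    if status == 407:
        return "auth-required"   # unsupported: the proxy must not require authentication
    return f"refused-{status}"   # for example, CONNECT to the Tanium port is not allowed

def probe(proxy, target_host, target_port=TANIUM_PORT, timeout=5.0):
    """Send one CONNECT through `proxy` and classify the reply (needs network access)."""
    request = (f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
               f"Host: {target_host}:{target_port}\r\n\r\n").encode("ascii")
    try:
        with socket.create_connection(proxy, timeout=timeout) as sock:
            sock.sendall(request)
            return classify_connect_reply(sock.recv(4096))
    except OSError:
        return "unreachable"

def first_usable(proxy_servers, target_host, probe_fn=probe):
    """Try proxies in ProxyServers order and stop at the first working tunnel."""
    tried = []
    for proxy in parse_proxy_servers(proxy_servers):
        result = probe_fn(proxy, target_host)
        tried.append((proxy, result))
        if result == "tunnel-ok":
            return proxy, tried
    return None, tried
```

A return value of `None` means that no listed proxy accepted the tunnel; `tried` records why each one was rejected.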
Configure proxy connections during client deployment
Configure Tanium Clients to connect through proxy servers by setting ProxyServers during installation. For installation procedures, see Deploying the Tanium Client using an installer or package file.
Installation method | OS | Method to set ProxyServers |
---|---|---|
Client Management | Any | Include the ProxyServers setting and the addresses of proxy servers as a key and value in client settings. For more information, see Create a client configuration. |
Command-line interface (CLI) | Windows | Specify the setting as one of the parameters of a silent installation: SetupClient.exe ^ |
Command-line interface (CLI) | Non-Windows | Run the following CLI command to configure ProxyServers during the step to configure Tanium Client settings: ./TaniumClient config set-string ProxyServers \ |
Installation wizard | Windows | Run the following CLI command to configure ProxyServers after completing the wizard: TaniumClient config set-string ProxyServers ^ |
Installation wizard | macOS | Run the following CLI command to configure ProxyServers after completing the wizard: ./TaniumClient config set-string ProxyServers \ |
Configure proxy connections after client deployment
You can configure Tanium Clients to establish proxy connections after the initial client deployment, or change the proxy setting on clients that already connect to a proxy. In a deployment with both Windows and non-Windows endpoints, repeat the steps for both types of endpoints.
- Go to the Tanium Home page and ask the following question to identify the proxy servers with which Tanium Clients currently connect, if any:
  Get Tanium Client Explicit Setting[ProxyServers] and Is Windows from all machines
- Select the results for either Windows or non-Windows endpoints that require new or updated proxy connections and click Deploy Action.
  Windows endpoints and non-Windows endpoints require different packages. If you are updating both Windows and non-Windows endpoints, complete this procedure separately for each group.
- Configure the package settings:
  - Deployment Package: Select Modify Tanium Client Setting for Windows endpoints or Modify Tanium Client Setting [Non-Windows] for other endpoints.
  - RegType (Windows only): Select REG_SZ.
  - Type (non-Windows only): Select STRING.
  - ValueName: Enter ProxyServers.
  - ValueData: Enter a comma-separated list of proxy IP addresses or FQDNs and proxy ports in the format <proxy1 FQDN|IP address>:<port>,...,<proxyN FQDN|IP address>:<port>.
- (Optional) In the Schedule Deployment section, set a schedule for the action.
  Set a reissue interval if some target endpoints might be offline when you initially deploy the action.
- In the Targeting Criteria section, ensure that the settings target only the endpoints that:
  - Require the updated proxy setting
  - Run the operating system that matches the selected package (Windows or non-Windows)
- Click Show preview to continue and verify that the targeting is correct.
- Click Deploy Action and review the action status to verify that the action completes without errors.
- Ask the following question to verify that clients have the correct ProxyServers setting.
  Get Tanium Client Explicit Setting[ProxyServers] and Is Windows from all machines
  Clients do not apply the updated setting until you manually restart them or wait for the automatic client reset, which by default occurs at a random interval in the range of two to six hours.
- (Optional) Restart the Tanium Client service on each endpoint to apply the updated proxy setting immediately:
Last updated: 5/12/2022 11:54 AM