Tanium Client and Client Management requirements

Review the requirements before deploying the Tanium Client to endpoints. Additionally, review the specific requirements for the Tanium Client Management shared service before installing it and using it to deploy and monitor the health of clients.

Client version and host system requirements

Table 1 summarizes the basic Tanium Core Platform requirements for endpoint host systems where you install the Tanium Client. Hardware resource requirements vary based on the actions that you deploy to the endpoints; contact Tanium Support at [email protected] for guidance.

Tanium modules and shared services might have additional requirements for the Tanium Client and endpoint hosts. Table 2 provides links to the user guide sections that list these requirements.

Windows endpoints must have the following root certificate authority (CA) certificates because they are required to verify the integrity of the Tanium Client binaries:
  • DigiCert Assured ID Root CA (thumbprint 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43)
  • DigiCert High Assurance EV Root CA (thumbprint 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25)
  • DigiCert SHA2 Assured ID CA (thumbprint E12D2E8D47B64F469F518802DFBD99C0D86D3C6A)
  • DigiCert SHA2 Assured ID Code Signing CA (thumbprint 92C1588E85AF2201CE7915E8538B492F605B80C6)


 Table 1: Supported OS versions for Tanium Client hosts
Columns: Operating system | OS version | Tanium Client version | Supported by Client Management | Notes

Microsoft Windows Server
  OS versions:
  • Currently supported Semi-Annual Channel releases of Windows Server
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012, 2012 R2
  • Windows Server 2008 R2
  Tanium Client versions: 7.4.5.1204, 7.4.4.1362, 7.4.4.1250, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476
  Notes: Standard, Enterprise, and Datacenter editions are supported, with or without the Server Core option enabled. The Nano Server option is not supported.

Microsoft Windows Server
  OS version: Windows Server 2008
  Tanium Client versions: 7.2.314.3584, 7.2.314.3476
Microsoft Windows Workstation
  OS versions:
  • Windows 10
  • Windows 8
  • Windows 7
  Tanium Client versions: 7.4.5.1204, 7.4.4.1362, 7.4.4.1250, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476

Microsoft Windows Workstation
  OS version: Windows Vista
  Tanium Client versions: 7.2.314.3584, 7.2.314.3476
macOS
  OS versions:
  • macOS 11.0 Big Sur
  • macOS 10.15 Catalina
  • macOS 10.14 Mojave
  • macOS 10.13 High Sierra
  • macOS 10.12 Sierra
  • OS X 10.11.1+ El Capitan
  Tanium Client versions: 7.4.5.1204, 7.4.4.1362, 7.4.4.1250, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3608, 7.2.314.3476, 7.2.314.3236
  Notes:
  • The Tanium Client for macOS is compiled as x86 for Intel processors only.
  • (macOS 11) The Tanium Client has been found to work correctly on macOS endpoints that use the M1 ARM processors with Rosetta 2. Tanium intends to release a universal binary for native code execution on both Intel and Apple ARM processors.
  • (macOS 10.15 or later) Apple introduced the app notarization requirement as a security process in macOS 10.15. If you enable the requirement, you must install Tanium Client 7.2.314.3608 or later on endpoints that run macOS 10.15 or later.
  • (macOS 10.14 or later) The Tanium Core Platform requires a certain content pack to manage endpoints that run macOS 10.14 Mojave or later:
    • Tanium Core Platform 7.0 or later: Tanium™ Default Content 7.1.7 or later
    • Tanium Core Platform 6.5: Tanium™ Initial Content 6.5.17 or later

macOS
  OS version: OS X 10.10 Yosemite
  Tanium Client versions: 7.2.314.3476, 7.2.314.3236
Linux
  Amazon Linux 2 LTS (2017.12)
    Tanium Client versions: 7.4.5.1204, 7.4.4.1362, 7.4.4.1250, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476
  Amazon Linux 1 AMI (2016.09, 2017.12, 2018.03)
    Tanium Client versions: 7.4.5.1204, 7.4.4.1362, 7.4.4.1250, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476
  Debian 10.x
    Tanium Client versions: 7.4.5.1204, 7.4.4.1362, 7.4.4.1250, 7.4.2.2073, 7.4.2.2063
  Debian 9.x, 8.x
    Tanium Client versions: 7.4.5.1204, 7.4.4.1362, 7.4.4.1250, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476
  Debian 7.x, 6.x
    Tanium Client versions: 7.2.314.3632, 7.2.314.3584, 7.2.314.3476
  Oracle Linux 8.x
    Tanium Client versions: 7.4.5.1204, 7.4.4.1362, 7.4.4.1250, 7.4.2.2073, 7.4.2.2063, 7.2.314.3632
  Oracle Linux 7.x, 6.x
    Tanium Client versions: 7.4.5.1204, 7.4.4.1362, 7.4.4.1250, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632
  Oracle Linux 5.x
    Tanium Client versions: 7.4.5.1204, 7.4.4.1362, 7.4.4.1250, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476, 7.2.314.3236
  Red Hat Enterprise Linux (RHEL) 8.x; CentOS 8.x
    Tanium Client versions: 7.4.5.1204, 7.4.4.1362, 7.4.4.1250, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584
  Red Hat Enterprise Linux (RHEL) 7.x, 6.x; CentOS 7.x, 6.x
    Tanium Client versions: 7.4.5.1204, 7.4.4.1362, 7.4.4.1250, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476
  Red Hat Enterprise Linux (RHEL) 5.x; CentOS 5.x
    Tanium Client versions: 7.4.5.1204, 7.4.4.1362, 7.4.4.1250, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476, 7.2.314.3236
    Notes: (CentOS 5.x) CentOS 5.x endpoints are included in summary client health information in Client Management, but you cannot use Tanium™ Direct Connect to access detailed client health information.
  SUSE Linux Enterprise Server (SLES) 15; openSUSE 15.x
    Tanium Client versions: 7.4.5.1204, 7.4.4.1362, 7.4.4.1250, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632
  SUSE Linux Enterprise Server (SLES) 12; openSUSE 12.x
    Tanium Client versions: 7.4.5.1204, 7.4.4.1362, 7.4.4.1250, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584
  SUSE Linux Enterprise Server (SLES) 11.3, 11.4; openSUSE 11.3, 11.4
    Tanium Client versions: 7.2.314.3632, 7.2.314.3584
  Ubuntu 20.04 LTS
    Tanium Client versions: 7.4.5.1204, 7.4.4.1362, 7.4.4.1250, 7.4.2.2073, 7.4.2.2063
  Ubuntu 18.04 LTS
    Tanium Client versions: 7.4.5.1204, 7.4.4.1362, 7.4.4.1250, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476
  Ubuntu 16.04 LTS
    Tanium Client versions: 7.4.5.1204, 7.4.4.1362, 7.4.4.1250, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476
  Ubuntu 14.04 LTS
    Tanium Client versions: 7.4.5.1204, 7.4.4.1362, 7.4.4.1250, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476

AIX
  OS versions:
  • IBM AIX 7.2
  • IBM AIX 7.1 TL1SP10 and higher
  Tanium Client versions: 7.4.5.1204, 7.4.4.1362, 7.4.4.1250, 7.2.314.3632, 7.2.314.3584
  Notes:
  • The Tanium Client for AIX requires a 64-bit operating system and the IBM XL C++ runtime environment file set (xlC.rte), and, in most cases, the IBM LLVM runtime libraries file set (libc++.rte). For specific requirements for each file set and installation steps, see Prepare for deployment to Linux, macOS, or UNIX endpoints (for deployment using Client Management) or Deploy the Tanium Client to AIX endpoints using a package file.
  • Summary client health information in Client Management includes AIX endpoints, but you cannot use Direct Connect to access detailed client health information.
  • You cannot download the AIX installer from Client Management. To obtain the installer for AIX, contact Tanium Support.

Solaris
  OS versions:
  • Oracle Solaris 11 SPARC
  • Oracle Solaris 11 x86
  • Oracle Solaris 10 U8 SPARC or higher
  • Oracle Solaris 10 U8 x86 or higher
  Tanium Client versions: 7.4.5.1204, 7.4.4.1362, 7.4.4.1250, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584
  Notes:
  • The Tanium Client for Solaris requires SUNWgccruntime.
  • Summary client health information in Client Management includes Solaris endpoints, but you cannot use Direct Connect to access detailed client health information.
  • You cannot download the Solaris installer from Client Management. To obtain the installer for Solaris, contact Tanium Support.

Module and service requirements

Click the links in the following table to see the minimum Tanium Client version (Tanium dependencies) and client endpoint requirements for each Tanium module and shared service.

 Table 2: Module- and service-specific requirements for the Tanium Client and endpoints
Product | Tanium dependencies | Endpoint requirements
Asset (2) | Tanium dependencies | Endpoints
Client Management | Tanium Client Management dependencies (following this section) | The sections of this page that follow Tanium Client Management dependencies
Comply (2) | Tanium dependencies | Endpoints
Connect | Tanium dependencies | Endpoints
Deploy (2) | Tanium dependencies | Endpoints
Direct Connect (2) | Tanium dependencies | Endpoints
Discover (2) | Tanium dependencies | Endpoints
Endpoint Configuration (1) | Tanium dependencies | Endpoints
End-User Notifications | Tanium dependencies | Endpoints
Enforce | Tanium dependencies | Endpoints
Health Check | Tanium dependencies | Endpoints
Impact (2) | Tanium dependencies | Endpoints
Incident Response | Tanium dependencies | Endpoints
Integrity Monitor (2) | Tanium dependencies | Endpoints
Interact | Tanium dependencies | Endpoints
Map (2) | Tanium dependencies | Endpoints
Network Quarantine | Tanium dependencies | Endpoints
Patch (2) | Tanium dependencies | Endpoints
Performance (2) | Tanium dependencies | Endpoints
Protect | Tanium dependencies | Endpoints
Reputation | Tanium dependencies | Endpoints
Reveal (2) | Tanium dependencies | Endpoints
Threat Response (2) | Tanium dependencies | Endpoints
Trends | Tanium dependencies | Endpoints

(1) Tanium™ Endpoint Configuration is automatically installed when you install Client Management 1.5 or later.

(2) This solution requires Endpoint Configuration to deploy tools and configuration changes to endpoints. You must upgrade Client Management to version 1.5 or later to support the latest version of this solution. For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.

Tanium Client Management dependencies

Downloading client installers from Client Management does not require a pre-existing installation of Tanium Client.

Using client health features, including using Tanium™ Direct Connect to access detailed client health information, requires a supported Tanium Client (see Supported OS versions for Tanium Client hosts).

To use the Client Management service, make sure that your environment meets the following requirements.

 Table 3: Client Management requirements
Component Requirement
Tanium™ Core Platform 7.3 or later
Tanium™ Module Server

Client Management is installed and runs as a service on the Module Server host computer. The impact on the Module Server is minimal and depends on usage. For more information, see Tanium Core Platform Installation Guide: Host system sizing guidelines.

Tanium™ Client

Client Management does not require a pre-existing installation of Tanium Client.

Using client health features, including using Direct Connect to access detailed client health information, requires a supported Tanium Client (see Supported OS versions for Tanium Client hosts).

Tanium products

If you clicked Install with Recommended Configurations when you installed Client Management, the Tanium Server automatically installed all your licensed modules at the same time. Otherwise, you must manually install any other modules you are using, as described under Tanium Console User Guide: Import, re-import, or update specific solutions.

Client Management requires the given minimum versions to work with the following modules:

  • Tanium™ Interact 2.4.50 or later
  • Tanium™ Discover 3.1 or later (target endpoints based on Discover tags)
  • Tanium™ Trends 3.6 or later (view charts on the Client Management Home page)
  • Tanium Direct Connect 1.4.3 or later (connect to endpoints to access detailed client health information)

Compatibility between Tanium Core Platform servers and Tanium Clients

Tanium Clients can connect only to Tanium Core Platform servers (Tanium Server, Tanium Module Server, and Tanium Zone Server) that run the same Tanium™ Protocol version as the clients or a later version than the clients. Servers and clients at version 7.3 or earlier run Tanium Protocol 314. Servers and clients at version 7.4 or later run Tanium Protocol 315. Effectively, this means that servers are backward-compatible with earlier clients; for example, servers at version 7.4 support Tanium Client 7.2, but Tanium Client 7.4 cannot connect to servers at version 7.2.

For details about the Tanium Protocol, see Tanium Core Platform Deployment Reference Guide: Overview of TLS in the Tanium Core Platform.

The release numbers for Tanium Core Platform servers and Tanium Clients have the format <major release>.<minor release>.<point release>, such as 7.4.5. Clients can connect to the servers when their major and minor release numbers match regardless of whether the point release numbers match. For example, Tanium Client 7.4.5 can connect to Tanium Server 7.4.2.

  • To ensure that all the features and fixes in a release are available to Tanium Core Platform servers and Tanium Clients, upgrade both to the same major, minor, and point release.

  • Do not install the Tanium Client on the same host as a Tanium Core Platform server. If you choose to install the client on Tanium Core Platform server machines, you must take precautions to prevent these servers from being targeted in endpoint actions that might be disruptive to the Tanium environment, and to prevent unauthorized users from accessing the servers as endpoints. You cannot install the client on a Tanium Appliance, and you cannot use Tanium Client Management to install the client on the Tanium Module Server.
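The compatibility rules above (Tanium Protocol 314 for releases up to 7.3 and 315 for 7.4 and later; a client connects only to a server whose protocol is the same or newer; point releases may differ within a major.minor release) are simple enough to turn into a pre-upgrade check. The following Python is an added example, not Tanium code: it encodes only the rules stated on this page, and the fleet inventory it checks is constructed, with hypothetical host names.

```python
"""Pre-upgrade compatibility check between Tanium Core Platform servers and
Tanium Clients. Added example, not Tanium code: it encodes only the rules
stated on this page, and SAMPLE_FLEET below is a constructed inventory."""
from __future__ import annotations

import re

# <major>.<minor>[.<point>][.<build>], e.g. 7.4.5.1204 or 7.2.314.3632
_RELEASE_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_release(release: str) -> tuple[int, int, int]:
    """Return (major, minor, point); the trailing build number is ignored
    because it plays no part in the compatibility rules."""
    m = _RELEASE_RE.fullmatch(release.strip())
    if m is None:
        raise ValueError(f"unrecognised release string: {release!r}")
    major, minor, point, _build = m.groups()
    return int(major), int(minor), int(point or 0)


def protocol_version(release: str) -> int:
    """Tanium Protocol version spoken at this release: 314 for 7.3 and
    earlier, 315 for 7.4 and later."""
    major, minor, _point = parse_release(release)
    return 314 if (major, minor) <= (7, 3) else 315


def can_connect(server_release: str, client_release: str) -> bool:
    """A client may connect only to a server running the same or a later
    protocol, so servers accept older clients but a newer client cannot
    reach an older server."""
    return protocol_version(server_release) >= protocol_version(client_release)


def classify(server_release: str, client_release: str) -> str:
    """'match' when major, minor and point release are identical (all
    features and fixes available), 'compatible' when the client can still
    connect, otherwise 'incompatible'."""
    if not can_connect(server_release, client_release):
        return "incompatible"
    if parse_release(server_release) == parse_release(client_release):
        return "match"
    return "compatible"


def check_fleet(server_release: str, clients: dict[str, str]) -> dict[str, str]:
    """Classify every endpoint's client release against the server release."""
    return {host: classify(server_release, rel) for host, rel in clients.items()}


# Constructed inventory: hypothetical host names and the client release each runs.
SAMPLE_FLEET = {
    "web-01": "7.4.5.1204",
    "db-02": "7.4.2.2063",
    "build-03": "7.2.314.3632",
}

if __name__ == "__main__":
    for server in ("7.4.5.1204", "7.2.314.3632"):
        print(f"server {server}:")
        for host, status in check_fleet(server, SAMPLE_FLEET).items():
            print(f"  {host:10} {SAMPLE_FLEET[host]:14} {status}")
```

Run the check against the server release you intend to deploy before upgrading either side: any endpoint reported as incompatible would lose its connection if the client were upgraded ahead of the server, and endpoints reported as compatible are worth scheduling for the same point release so that all fixes apply.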

Endpoint accounts

Tanium Client service account

On Windows, the Tanium Client is installed as a service that runs in the context of the Local System account.

On AIX, Linux, macOS, and Solaris, the Tanium Client is installed as a system service, which must run with a User ID (UID) of 0.

Account permissions for Client Management

During client installation using Client Management, you must have an account configured with the appropriate permissions on each endpoint. You add credentials for these accounts during the deployment process (see Configure client credentials). These accounts and permissions are necessary only during deployment, and they can be removed or changed after you successfully deploy clients.

To protect credentials that are used for client deployment, use one of the following methods: 
  • Use a temporary account that is removed after deployment.
  • Disable or change the password for the account after client deployment is complete.

Windows endpoints

On each Windows endpoint, you must have an account with Local Administrator rights, or a local or domain account configured that has the following abilities:

  • Remotely connect to the endpoint and authenticate with SMB
  • Create folders within the installation directory for 32-bit applications, or the custom location where the Tanium Client will be installed (by default, C:\Program Files (x86)\ for 64-bit versions of Windows, or C:\Program Files\ for 32-bit versions of Windows)
  • Write and execute files in the Tanium installation directory (by default, C:\Program Files (x86)\Tanium\ for 64-bit versions of Windows, or C:\Program Files\Tanium\ for 32-bit versions of Windows)

Non-Windows endpoints

On each non-Windows endpoint, you must have an account configured that can remotely connect to the endpoint and authenticate with SSH. You must use one of the following options to configure a user with elevated privileges to perform installation:

  • The root user
  • A user that is listed in the sudoers file on each endpoint, to allow the account you are using for installation to use sudo

    If you restrict user commands in the sudoers file, you must allow the commands used by Client Management during deployment.

Specific distributions or your specific environment might have specific authentication requirements.

Amazon Linux: Amazon Linux requires key-based authentication. On the endpoint, be sure to enable SSH key-based authentication and enable NOPASSWD in the sudoers file for the admin user account. Add this user name and password to the credentials list. This configuration ensures that the key, and not a password, is used to elevate the admin permissions of the user so that the user can install the Tanium Client and start the service.

Network connectivity, ports, and firewalls

TCP/IP requirements for Tanium Client

Tanium Core Platform components use TCP/IP to communicate over IPv4 networks and IPv6 networks. Tanium Core Platform 7.2 or earlier supports only IPv4. Contact Tanium Support if you need IPv6 support in version 7.3 or later. Work with your network administrator to ensure that Tanium components have IP addresses and can use Domain Name System (DNS) to resolve host names.

Port requirements for Tanium Client

The following ports are the defaults that are required for Tanium Client communication.

 Table 4: Port requirements for Tanium Client
Component | Port | Protocol | Direction | Purpose
Tanium Server | 17472 | TCP | Inbound/outbound | Used for communication between the Tanium Server and the Tanium Client
Zone Server | 17472 | TCP | Inbound/outbound | Used for communication between the Zone Server and the Tanium Client
Tanium Client | 17472 | TCP | Inbound/outbound | Used for communication between the Tanium Client and the Tanium Server or Zone Server (or TaaS), and between the Tanium Client and peer clients
Tanium Client | 17473 | TCP | Loopback | Used for the Tanium Client API (usually does not require a firewall rule)

Work with your network security administrator to ensure that firewalls and security applications do not block port 17472, which is the default port that the Tanium Client uses for communication with the Tanium Server or Zone Server (or with TaaS) and with peer clients. You can change the port that clients use to communicate with the server by configuring the ServerPort setting. You can also change the port that clients use for peer communication by configuring the ListenPort setting. If you do not configure ListenPort, clients default to using ServerPort for peer communication. The default client peering settings ensure that clients form linear chains only within the boundaries of local area networks (LANs). Therefore, firewalls must allow bi-directional TCP communication on the listening port between clients that are in the same LAN, but not necessarily between all clients across your enterprise wide area network (WAN). For more information about network port requirements in Tanium, see Tanium Core Platform Deployment Reference Guide: Tanium network ports (for TaaS, see Tanium as a Service Deployment Guide: Host and network security requirements). For details on client peering settings, see Configuring Tanium Client peering.

macOS:

The Tanium Client service is signed to automatically allow communication through the default macOS firewall. However, the client installation process does not modify any host-based firewall that might be in use. For more information about managing macOS firewalls, see macOS firewall rules.

On endpoints that run macOS 10.14 (Mojave) or later, you might have to configure a firewall rule to prevent end users from seeing a pop-up for allowing connections during a Tanium Client upgrade. See Manage pop-ups for Tanium Client upgrades.

Linux: For more information about managing Linux firewalls, see Linux firewall rules.

The following figure illustrates a deployment with external and internal Tanium Clients. In this example, the external clients are in virtual private networks (VPNs) and therefore do not peer with each other (see Configure isolated subnets). Each external client has a leader connection to the Tanium Zone Server. The internal clients peer with each other in linear chains, and each chain connects to the Tanium Server through a backward and forward leader.

Figure 1: Tanium Client connectivity

The following figure illustrates a deployment where Tanium Clients have direct endpoint connections to TaaS over port 17486 for Tanium modules that use the Tanium™ Direct Connect shared service. Therefore, the firewalls must allow traffic on port 17486 as well as port 17472. The clients in virtual private networks (VPNs) do not peer with each other and each of these clients has a leader connection to TaaS (see Configure isolated subnets). The clients that peer with each other connect to TaaS through backward and forward leaders at opposite ends of their linear chains.

Figure 2: Tanium Client connectivity

The Tanium Server and Zone Server also use port 17472. Therefore, if you install the client on the same host as the server in a Windows deployment, the listening port for client-to-client communication automatically increments to 17473 on that host to prevent port conflicts. This installation is not a best practice (see Compatibility between Tanium Core Platform servers and Tanium Clients).

If you configure the Tanium Client to randomly select a new listening port at intervals, you must configure endpoint firewalls to allow incoming connections on any port that the Tanium Client process requests. See Randomize listening ports.

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

Some Tanium modules and shared services have additional port requirements for the Tanium Client: see Tanium Core Platform Deployment Reference Guide: Module- and service-specific port requirements.

The port number for the client API is one higher than the client-client listening port, which means that, by default, the API port is 17473. However, if the listening port changes, the API port also changes. For example, if you set ListenPort to 17473, the client API port becomes 17474. Because the API is on the loopback interface (localhost), the API port usually does not require a firewall rule for allowing traffic.
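A practical verification of the layout described above, on a Linux or macOS endpoint, is to compare the socket listing against the expected ports: the peer listening port must be reachable from the LAN, and the API port one above it must be bound to the loopback interface only, because an API port exposed on a routable address is exactly what a firewall rule would otherwise have to cover. The following Python is an added example, not Tanium code; it parses `ss -ltn` style output (the sample rows are constructed), derives the expected ports from the ServerPort and ListenPort values as this page defines them, and reports deviations.

```python
"""Audit an endpoint's listening sockets against the Tanium Client port rules
described on this page. Added example, not Tanium code; the `ss -ltn` style
output below is constructed for illustration."""
from __future__ import annotations

import ipaddress


def expected_ports(server_port: int = 17472, listen_port: int | None = None) -> tuple[int, int]:
    """Return (peer_listen_port, api_port). Peers use ListenPort when it is set
    and ServerPort otherwise; the client API always sits one port above that."""
    peer = listen_port if listen_port is not None else server_port
    return peer, peer + 1


def parse_ss_listeners(text: str) -> list[tuple[str, int]]:
    """Extract (local_host, port) pairs from the LISTEN rows of `ss -ltn` output.
    The local address is the fourth whitespace-separated column."""
    listeners: list[tuple[str, int]] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        listeners.append((host, int(port)))
    return listeners


def is_loopback(host: str) -> bool:
    """True for 127.0.0.1, ::1 and the like; '*' and 0.0.0.0 mean all interfaces."""
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False


def audit(listeners: list[tuple[str, int]], server_port: int = 17472,
          listen_port: int | None = None) -> list[str]:
    """Return a list of findings; an empty list means the port layout matches
    what this page describes."""
    peer_port, api_port = expected_ports(server_port, listen_port)
    findings: list[str] = []
    peer_hosts = [h for h, p in listeners if p == peer_port]
    api_hosts = [h for h, p in listeners if p == api_port]
    if not peer_hosts:
        findings.append(f"peer port {peer_port} is not listening")
    elif all(is_loopback(h) for h in peer_hosts):
        findings.append(f"peer port {peer_port} is bound to loopback only; LAN peers cannot reach it")
    for h in api_hosts:
        if not is_loopback(h):
            findings.append(f"client API port {api_port} is exposed on {h}; it should be loopback only")
    return findings


# Constructed samples in `ss -ltn` layout: a correct endpoint, and one that
# exposes the client API port on every interface.
SAMPLE_OK = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    *:17472             *:*
LISTEN 0      128    127.0.0.1:17473     0.0.0.0:*
"""
SAMPLE_EXPOSED = SAMPLE_OK.replace("127.0.0.1:17473", "0.0.0.0:17473")

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("exposed", SAMPLE_EXPOSED)):
        print(name, audit(parse_ss_listeners(sample)) or ["no findings"])
```

Pass the same ServerPort and ListenPort values you configured on the client; if you set ListenPort to a non-default value, the API port the audit expects moves with it, as described above.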

Port requirements for Client Management

The following ports are required for Client Management communication.

 Table 5: Port requirements for Client Management
Source | Destination | Port | Protocol | Purpose
Module Server | Endpoints (non-Windows) | 22 | TCP | Used for SSH communication from the Module Server to the target endpoint during client installation.
Module Server | Endpoints (Windows) | 135 | TCP | Used for WMI communication from the Module Server to the target endpoint during client installation.
Module Server | Endpoints (Windows) | 445 | TCP | Used for SMB communication from the Module Server to the target endpoint during client installation.
Tanium Client (internal) | Module Server | 17475 | TCP | Used for direct connection to endpoints for detailed client health information.
Tanium Client (external) | Zone Server (1) | 17486 | TCP | Used for direct connection to endpoints for detailed client health information. The default port number is 17486. If needed, you can specify a different port number when you configure the Zone Proxy.
Module Server | Zone Server (1) | 17487 | TCP | Used by the Zone Server for Module Server connections. The default port number is 17487. If needed, you can specify a different port number when you configure the Zone Proxy.
Module Server | Zone Server (1) | 17488 | TCP | Allows communication between the Zone Server and the Module Server. On TanOS, the Direct Connect Zone Proxy installer automatically opens port 17488 on the Zone Server. This port must be manually opened on Windows.

(1) These ports are required only when you use a Zone Server.

 Table 5 (TaaS): Port requirements for Client Management
Source | Destination | Port | Protocol | Purpose
Tanium Client | TaaS | 17486 | TCP | Used for direct connection to endpoints for detailed client health information.

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

For additional information about preparing endpoints for remote installation, see Prepare for deployment to Linux, macOS, or UNIX endpoints and Prepare for deployment to Windows endpoints.

Host system security exclusions

Some environments use security software to monitor and block unknown host system processes. Work with your network and security team to define exclusions that allow Tanium Core Platform components and processes to operate smoothly and at optimal performance.

Security exclusions for Tanium Client

For Tanium Client, you typically must configure security software to exempt Tanium Client installation directories from real-time inspection and configure a policy to ignore input and output from Tanium binaries.

The following tools and files have specific requirements for the Tanium Client:

  • Microsoft Group Policy Objects (GPO) or other central management tools for managing host firewalls: You might need to create rules to allow inbound and outbound TCP traffic across the port that the client uses for Tanium traffic (default 17472) on any managed endpoints. See Network connectivity, ports, and firewalls.

  • McAfee Host Intrusion Prevention System (HIPS): Mark the Tanium Client as both Trusted for Firewall and Trusted for IPS, in accordance with McAfee KB71704.

  • Windows Update offline scan file (Wsusscn2.cab): The Tanium Client uses Wsusscn2.cab to assess endpoints for installed or missing operating system and application security patches. If your endpoint security solutions scan archive files, see the Microsoft KB for information on configuring those tools to interact appropriately with the Wsusscn2.cab file.

Some Tanium modules and shared services have their own security exclusions for the Tanium Client. For details, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Table 6 lists Tanium Client directories that anti-virus software or other host-based security applications must exclude from on-access or real-time scans. Include subdirectories of these locations when you create the exception rules. The listed directory paths are the defaults. If you changed the directory locations to non-default paths, create rules that are based on the actual locations.

 Table 6: Security exclusions for Tanium Client directories
Endpoint OS Installation Directory
Windows (64-bit OS versions) \Program Files (x86)\Tanium\Tanium Client
Windows (32-bit OS versions) \Program Files\Tanium\Tanium Client
macOS /Library/Tanium/TaniumClient
Linux, Solaris, AIX /opt/Tanium/TaniumClient

Security applications must allow (not block, quarantine, or otherwise process) the following system processes. The <Tanium Client> variable indicates the Tanium Client installation directory, which is configurable during client installation.

 Table 7: Security exclusions for system processes on Tanium Client endpoints
Endpoint OS | Process
Windows, macOS, Linux | The <Tanium Client>/Tools/StdUtils directory or all the files that it contains, including:
  • 7za.exe (Windows) or 7za (macOS, Linux)
  • runasuser.exe (Windows only)
  • runasuser64.exe (Windows only)
  • TaniumExecWrapper.exe (Windows) or TaniumExecWrapper (macOS, Linux)
  • TaniumFileInfo.exe (Windows only)
  • TPowerShell.exe (Windows only)
macOS, Linux, Solaris, AIX | TaniumClient, taniumclient
macOS, Linux | distribute-tools.sh, TaniumCX, python
Windows | TaniumClient.exe, TaniumCX.exe, TPython.exe, <Tanium Client>\Python27\*.dll, <Tanium Client>\Python38\*.dll

Security exclusions for Client Management

If you are using the Tanium Client Management service, your security administrator must create the following additional exclusions to allow the Client Management processes to run without interference.

The <Tanium Client> variable refers to the Tanium Client installation directory, which is configurable during client deployment.

The <Module Server> variable refers to the Tanium Module server installation directory.

 Table 8: Client Management security exclusions

Module Server
  <Module Server>\services\client-management-service\node.exe
  <Module Server>\services\twsm-v1\twsm.exe

Windows x86 endpoints
  During client installation:
    \Program Files\Tanium\TaniumClientBootstrap.exe
    \Program Files\Tanium\SetupClient.exe
    <Tanium Client>\SetupClient.exe
  At all times:
    <Tanium Client>\TaniumClientExtensions.dll
    <Tanium Client>\TaniumClientExtensions.dll.sig
    <Tanium Client>\extensions\TaniumDEC.dll
    <Tanium Client>\extensions\TaniumDEC.dll.sig
    <Tanium Client>\TaniumCX.exe

Windows x64 endpoints
  During client installation:
    \Program Files (x86)\Tanium\TaniumClientBootstrap.exe
    \Program Files (x86)\Tanium\SetupClient.exe
    <Tanium Client>\SetupClient.exe
  At all times:
    <Tanium Client>\TaniumClientExtensions.dll
    <Tanium Client>\TaniumClientExtensions.dll.sig
    <Tanium Client>\extensions\TaniumDEC.dll
    <Tanium Client>\extensions\TaniumDEC.dll.sig
    <Tanium Client>\TaniumCX.exe

macOS endpoints
  During client installation:
    /Library/Tanium/TaniumClientBootstrap
    /Library/Tanium/SetupClient
    <Tanium Client>/SetupClient
  At all times:
    <Tanium Client>/libTaniumClientExtensions.dylib
    <Tanium Client>/libTaniumClientExtensions.dylib.sig
    <Tanium Client>/extensions/libTaniumDEC.dylib
    <Tanium Client>/extensions/libTaniumDEC.dylib.sig
    <Tanium Client>/TaniumCX

Linux endpoints
  During client installation:
    /opt/Tanium/TaniumClientBootstrap
    /opt/Tanium/SetupClient
    <Tanium Client>/SetupClient
  At all times:
    <Tanium Client>/libTaniumClientExtensions.so
    <Tanium Client>/libTaniumClientExtensions.so.sig
    <Tanium Client>/extensions/libTaniumDEC.so
    <Tanium Client>/extensions/libTaniumDEC.so.sig
    <Tanium Client>/TaniumCX

Solaris and AIX endpoints
  During client installation:
    /opt/Tanium/TaniumClientBootstrap
    /opt/Tanium/SetupClient
    <Tanium Client>/SetupClient

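As an added example, not code from the Tanium documentation or from Tanium, the following PowerShell function registers the Windows endpoint entries of Table 8 as file-level Microsoft Defender Antivirus exclusions and verifies that they took effect. It assumes Defender is the scanning product on the endpoint (other products need their own equivalent of Add-MpPreference) and that, when no directory is supplied, the Tanium Client is installed in the default location of \Program Files (x86)\Tanium\Tanium Client on x64 hosts or \Program Files\Tanium\Tanium Client on x86 hosts; the function and parameter names are illustrative.

```powershell
# Added example (not Tanium's code): register the Table 8 Windows endpoint
# exclusions with Microsoft Defender Antivirus as exact file paths.
# Assumptions: Defender is the AV in use; the default Tanium Client directory
# below is the usual install location and may differ in your deployment.
#Requires -RunAsAdministrator

function Get-TaniumClientExclusions {
    param(
        [Parameter(Mandatory)] [string] $TaniumClientDir,
        [bool] $Is64Bit = [Environment]::Is64BitOperatingSystem
    )
    # Table 8: installer files live under Program Files (x86) on x64 hosts
    # and under Program Files on x86 hosts.
    $installRoot = if ($Is64Bit) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }

    $duringInstall = @(
        (Join-Path $installRoot 'Tanium\TaniumClientBootstrap.exe'),
        (Join-Path $installRoot 'Tanium\SetupClient.exe'),
        (Join-Path $TaniumClientDir 'SetupClient.exe')
    )
    # Table 8: files excluded at all times, relative to <Tanium Client>.
    $atAllTimes = @(
        'TaniumClientExtensions.dll',
        'TaniumClientExtensions.dll.sig',
        'extensions\TaniumDEC.dll',
        'extensions\TaniumDEC.dll.sig',
        'TaniumCX.exe'
    ) | ForEach-Object { Join-Path $TaniumClientDir $_ }

    return @($duringInstall + $atAllTimes)
}

function Add-TaniumClientDefenderExclusions {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Assumed default install directory; override if the client was
        # deployed elsewhere (the path is configurable at deployment time).
        [string] $TaniumClientDir = $(
            if ([Environment]::Is64BitOperatingSystem) {
                Join-Path ${env:ProgramFiles(x86)} 'Tanium\Tanium Client'
            } else {
                Join-Path $env:ProgramFiles 'Tanium\Tanium Client'
            })
    )
    $paths    = Get-TaniumClientExclusions -TaniumClientDir $TaniumClientDir
    $existing = @((Get-MpPreference).ExclusionPath)

    foreach ($p in $paths) {
        if ($existing -contains $p) {
            Write-Verbose "Already excluded: $p"
            continue
        }
        if ($PSCmdlet.ShouldProcess($p, 'Add Defender path exclusion')) {
            # Exact file path, never the directory: the rest of the folder
            # stays subject to scanning.
            Add-MpPreference -ExclusionPath $p
        }
    }

    # Confirm the configuration actually changed (skipped under -WhatIf).
    if (-not $WhatIfPreference) {
        $after   = @((Get-MpPreference).ExclusionPath)
        $missing = @($paths | Where-Object { $after -notcontains $_ })
        if ($missing.Count -gt 0) {
            Write-Warning ("Exclusions not registered: " + ($missing -join ', '))
        } else {
            Write-Host "All $($paths.Count) Table 8 exclusions are registered."
        }
    }
}

# Preview first, then apply:
#   Add-TaniumClientDefenderExclusions -WhatIf
#   Add-TaniumClientDefenderExclusions -Verbose
```

Run it with -WhatIf to review the exact list before changing anything. The Module Server entries in Table 8 (node.exe and twsm.exe) are process exclusions on the server rather than endpoint file exclusions; with Defender they would be added with Add-MpPreference -ExclusionProcess instead of -ExclusionPath.
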
Internet URLs

If security software is deployed in the environment to monitor and block unknown URLs, your security administrator might need to add the following URL to the approved list.

  • https://content.tanium.com

User role requirements for Client Management

The following tables list the role permissions required to use Client Management. For more information about role permissions and associated content sets, see Tanium Core Platform User Guide: Managing RBAC.

To install Client Management, you must have the Import Signed Content Micro Admin permission (Tanium Core Platform 7.4 or later) or the reserved role of Administrator.

 Table 9: Client Management user role permissions

Roles: Client Management Administrator¹, Client Management User¹, Client Management API User, Client Management Auditor, Client Management Operator, Client Management Read-Only User¹

Permission: Description
Show Client Management: View the Client Management workbench
Client-management Configurations Read: Read client and deployment configurations
Client-management Configurations Write: Create and modify client and deployment configurations
Client-management Credentials Read: Read the credentials list, but not view the associated passwords or key data
Client-management Credentials Write: Create and modify credentials lists
Client-management Deployments Read: View data about client deployments
Client-management Deployments Write: Create deployments of the Tanium Client to unmanaged endpoints
Client-management Direct Connect: Connect to an endpoint using Direct Connect and read data from that endpoint
Client-management Operate: Download installation packages for the Tanium Client
Client-management Settings Write: Write access to global settings in the Client Management module
Client-management Read Audit Log: Read the audit log with the API
Client-management Use API: Use the Client Management API
Direct Connect Session Read: View endpoint connections
Direct Connect Session Write: Create and manage endpoint connections

¹ This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.

 

 Table 10: Provided Client Management Micro Admin and Advanced user role permissions

Roles: Client Management Administrator, Client Management User, Client Management API User, Client Management Auditor, Client Management Operator, Client Management Read-Only User

Permission, Role Type: Content Sets for Permission
Read System Status, Micro Admin (Administration): (none)
Read Sensor, Advanced (Platform content): Tanium Client Management; Reserved; Base; Client Extensions; Direct Connect
Read Action, Advanced (Platform content): Reserved; Direct Connect
Write Action, Advanced (Platform content): Reserved; Direct Connect
Execute Plugin, Advanced (Platform content): Tanium Client Management; Reserved
Read Package, Advanced (Platform content): Reserved; Direct Connect
Write Package, Advanced (Platform content): Reserved; Direct Connect
Read Saved Question, Advanced (Platform content): Tanium Client Management; Reserved; Direct Connect
Read Filter Group, Advanced (Platform content): Tanium Client Management; Reserved; Default Filter Groups

 

 Table 11: Optional roles for Client Management

Role: Enables
Discover Read Only User: For the service account, deploy to endpoints based on Discover labels

For more information and descriptions of content sets and permissions, see Tanium Core Platform User Guide: Managing roles.