Configuring connections to Tanium Core Platform servers

When you install the Tanium Client on an endpoint, it initiates a connection to the Tanium Server or Tanium Zone Server that is assigned to it in the initial configuration. After installation, you can change the connection settings through sensors and packages that Tanium provides. You can configure a direct connection to the server or establish a Transport Layer Security (TLS) tunnel through a Hypertext Transfer Protocol Secure (HTTPS) proxy server.

Settings for client connections to Tanium Core Platform servers

The following settings, which govern connections from Tanium Clients to the Tanium Server or Zone Server, are stored on the client endpoints.

The Tanium Server and Zone Server names that you configure in Tanium Client settings (ServerName or ServerNameList) must be fully qualified domain names (FQDNs) or IP addresses that clients can use from their network location to access the servers. The server names might vary among sets of clients in different locations and the names might differ from those that you configure locally on the servers. Consult your network administration team for the server names that you must configure on clients.

For the settings that connect Tanium Clients through HTTPS proxy servers, see Connect through an HTTPS proxy server.

ServerNameList

At any given moment, the Tanium Client connects to only one Tanium Server or Zone Server. However, to avoid a single point of failure, you can configure the ServerNameList setting with a list of servers to which the client can attempt a connection. You specify the servers as a comma-separated list of FQDNs or IP addresses.

When ServerNameList has multiple entries, the Tanium Client must select one each time the client process restarts or the client resets. The client randomly selects a server from ServerNameList without applying a weight to any entry and without regard to the order in which the servers are listed. However, the client maintains a count of failed connection attempts, and gives preference to the server with the least failed connections.

The Tanium Client overwrites the value of the ServerName setting with the server that it selects from ServerNameList. The client then uses that value when requesting a connection to the Tanium Server or Zone Server.

In Tanium Core Platform 7.2.314.3263 or later, you can optionally set the port that the Tanium Client uses to communicate with servers by appending :<port_number> to the server IP addresses or FQDNs (for example, ts1.local.com:443,ts2.local.com:443,zs1.example.com:443). The ServerNameList port values override the ServerPort setting in the Tanium Client configuration (default is 17472).
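The following added example (illustration written for this page, not Tanium Client code) models the ServerNameList behavior just described: per-entry ":<port>" overriding ServerPort, uniform random selection among the servers with the fewest recorded failures, and the LastGoodServerName fallback when every listed server fails. The `try_connect` callback and the sample server names are assumptions standing in for real connection attempts.

```python
import random

DEFAULT_SERVER_PORT = 17472  # Tanium Client ServerPort default


def parse_server_list(server_name_list, server_port=DEFAULT_SERVER_PORT):
    """Split a ServerNameList value into (host, port) pairs.

    An entry may end in ":<port>", which overrides ServerPort for that entry
    only; entries without a port use ServerPort. Entries are FQDNs or IPv4
    addresses (bracketed IPv6 literals are not handled here).
    """
    servers = []
    for entry in server_name_list.split(","):
        entry = entry.strip()
        if not entry:
            continue
        host, sep, port = entry.rpartition(":")
        if sep and host and port.isdigit():
            servers.append((host, int(port)))
        else:
            servers.append((entry, server_port))
    return servers


def choose_server(servers, failures, rng=random):
    """Select one server: uniformly at random among those with the fewest
    recorded failed connection attempts (no weighting, no list-order bias)."""
    if not servers:
        raise ValueError("no servers to choose from")
    fewest = min(failures.get(s, 0) for s in servers)
    candidates = [s for s in servers if failures.get(s, 0) == fewest]
    return rng.choice(candidates)


def connect(servers, failures, last_good, try_connect, rng=random):
    """Model one client start: keep selecting from ServerNameList until a
    connection succeeds, counting each failure; if every listed server fails,
    fall back to LastGoodServerName. Returns the (host, port) that becomes
    ServerName, or None when nothing is reachable."""
    remaining = list(servers)
    while remaining:
        server = choose_server(remaining, failures, rng)
        if try_connect(server):
            return server
        failures[server] = failures.get(server, 0) + 1
        remaining.remove(server)
    if last_good is not None and try_connect(last_good):
        return last_good
    return None


if __name__ == "__main__":
    # Constructed sample value in the page's own format; only zs1 is "reachable".
    servers = parse_server_list("ts1.local.com:443,ts2.local.com,zs1.example.com:443")
    failures = {}
    print(connect(servers, failures, None, {("zs1.example.com", 443)}.__contains__))
    print(failures)
```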

ServerName

The ServerName setting specifies the FQDN or IP address of the Tanium Server or Zone Server with which the Tanium Client attempts to connect. Configure ServerName only if you do not configure the ServerNameList setting. If ServerNameList is configured, the Tanium Client overwrites the ServerName value with the server that it selects from ServerNameList.

In Tanium Core Platform 7.2.314.3263 or later, you can optionally set the port that the Tanium Client uses to communicate with servers by appending :<port_number> to ServerName (for example, ts1.local.com:443). The ServerName port overrides the ServerPort setting in the Tanium Client configuration (default is 17472).

LastGoodServerName

The LastGoodServerName setting stores the name of the last Tanium Server or Zone Server to which the Tanium Client successfully connected. If the client cannot reach the server in ServerName or any server in ServerNameList, the client attempts to connect to the server that LastGoodServerName specifies. You do not set LastGoodServerName; the client defines it automatically.

ServerPort

The ServerPort setting specifies the port that the Tanium Client uses for client-server and client-client communication. The default is 17472 but you can configure a custom port. The client automatically uses ServerPort for connections to the Tanium Servers and Zone Servers that are specified in the ServerNameList and ServerName settings. Specifying the port within those settings is not required. However, if ServerName or ServerNameList do specify a port, it overrides ServerPort.

You can randomize the listening port that the Tanium Client uses for communication from peer clients: see Randomize listening ports.

Content for configuring connections to Tanium Core Platform servers

The Tanium Default Content pack includes sensors and packages that you use to manage the ServerNameList, ServerName, and ServerPort values on the endpoints that host the Tanium Client.

Table 1: Default content related to ServerNameList, ServerName, and ServerPort

Sensors

  Tanium Server Name
    Returns the current value of ServerName from the Tanium Client. For clients on which ServerNameList is configured, you can use the sensor to identify the Tanium Server or Zone Server with which the clients currently connect. For example:

      Get Computer Name and Tanium Server Name from all machines

  Tanium Server Name List
    Returns the current value of ServerNameList from the Tanium Client. For example:

      Get Computer Name and Tanium Server Name List from all machines

  Tanium Client Explicit Setting
    Returns the current value of any Tanium Client setting that you specify. For example, the following question returns the ServerPort from each Tanium Client:

      Get Computer Name and Tanium Client Explicit Setting[ServerPort] from all machines

Packages

  Set Tanium Server Name
    Sets the ServerName value on Windows endpoints and restarts the Tanium Client service. The ServerName setting is in the Windows registry.

  Set Tanium Server Name [Non-Windows]
    Sets the ServerName value on non-Windows endpoints and restarts the Tanium Client system service. The ServerName setting is in an SQLite database and is set through a CLI command.

  Set Tanium Server Name List
    Sets the ServerNameList value on Windows endpoints and restarts the Tanium Client service. The ServerNameList setting is in the Windows registry.

  Set Tanium Server Name List [Non-Windows]
    Sets the ServerNameList value on non-Windows endpoints and restarts the Tanium Client system service. The ServerNameList setting is in an SQLite database and is set through a CLI command.

Configure clients to connect with multiple Tanium Servers

The following procedure is an example of how to use the objects listed in Table 1 to set the ServerNameList on managed endpoints in a common scenario: a second Tanium Server is added to the deployment after the Tanium Client is deployed. In a deployment with both Windows and non-Windows endpoints, repeat the steps for both types of endpoints.

For an example of how to set the ServerNameList on Tanium Clients that register with a Zone Server, see Tanium Core Platform Deployment Guide for Windows: Configure Tanium Clients to register with the Zone Server.

  1. Delete any existing scheduled actions that configure ServerNameList or ServerName to prevent conflicts with the new actions that you create for those settings.
  2. Use Tanium Interact to issue a question that identifies which Tanium Clients require an updated ServerNameList.

    The following example identifies Tanium Clients whose ServerNameList does not include both Tanium Servers (ts1.tam.local,ts2.tam.local).

    Get Tanium Server Name List and Is Windows from all machines with all Tanium Server Name List not equals "ts1.tam.local,ts2.tam.local"


  3. In the Question Results grid, select the Windows or non-Windows endpoints (not both) that need an updated Tanium Server Name List value and click Deploy Action.
  4. Specify one of the following as the Deployment Package:
    • Set Tanium Server Name List for Windows endpoints
    • Set Tanium Server Name List [Non-Windows] for non-Windows endpoints
  5. Enter the FQDNs or IP addresses of both Tanium Servers in the Server Name List field.

  6. Set a schedule for the action.

    Set a reissue interval if some target endpoints might be offline when you initially deploy the action.

  7. In the Targeting Criteria section, ensure the settings target Windows endpoints or non-Windows endpoints based on the package that you selected.
  8. Click Show preview to continue and verify that the targeting is correct.
  9. Click Deploy Action and review the action status to verify that the action completes without errors.

  10. Use Tanium Interact to issue a question that returns the ServerNameList values from Tanium Clients.

    Get Tanium Server Name List and Is Windows from all machines

  11. Review the Question Results grid to verify that the Tanium Server Name List value includes both Tanium Servers.

    You might have to wait a few minutes for the results to show the new values. Ensure that Live Updates are enabled for the results grid.

Connect through an HTTPS proxy server

If the network policies of your organization prohibit endpoints from connecting through the Internet directly to a Tanium Server or Zone Server, you can configure Tanium Client 7.4 or later to establish a TLS tunnel through an HTTPS proxy server. A proxy might be required for Tanium Clients in remote branch office networks. A proxy might also be required if the Tanium Server functions as a managed security service provider (MSSP) in an isolated network where routing changes are not possible. To prevent a single proxy failure from interrupting client connections, you can configure clients to send connection requests to multiple proxies.

The steps to connect to a proxy depend on whether the endpoints can access a proxy auto configuration (PAC) file, which is available only for Windows endpoints. A PAC file defines how web browsers connect to specific URLs, directly or through a proxy server, and defines how the browsers select the correct proxy for each URL. Configure the ProxyAutoConfigAddress setting on endpoints that can access a PAC file and the ProxyServers setting on all other endpoints. Configure only one of the settings on any single endpoint: if you configure both, the Tanium Client uses only ProxyAutoConfigAddress and ignores ProxyServers.

If no proxy servers are available, the Tanium Client falls back to connecting directly with the Tanium Server or Zone Server.

Tanium Clients can traverse a proxy only when connecting to a server. Connections between clients must be direct.

Figure 1: Connecting through an HTTPS proxy server

Before you begin

Work with your network administration team to perform the following tasks before connecting Tanium Clients to a proxy server:

  1. Configure the proxy server to allow the following ports for Tanium traffic regardless of any security restrictions that are configured on the server:

    • Port 17472 for Tanium Client connections
    • Port 17486 for Zone Server and Tanium™ Direct Connect connections
  2. (Windows endpoints only) If Tanium Clients must establish proxy connections through a PAC file, create the file and copy it to a web server that the clients can access.

Tanium Clients that require a proxy connection do not connect directly to Tanium Core Platform servers. Because the Tanium Client Management service requires a direct connection from the Tanium Module Server to clients, you cannot use that service to deploy clients that require a proxy connection.

Configure proxy connections with a PAC file

For Tanium Clients on Windows endpoints, you can configure proxy connections using a PAC file if one is available. The endpoint downloads the file from the URL that you specify and runs a script that the file contains to select the correct proxy for connecting to a particular Tanium Server or Zone Server.

Configure proxy connections during client deployment

Configure Tanium Clients to use a PAC file by setting ProxyAutoConfigAddress during client installation.

If you use the command-line interface (CLI) to install the client, specify the setting as one of the parameters of a silent installation:

SetupClient.exe /ProxyAutoConfigAddress=http[s]://<PAC file host URL>/<PAC file name> /S

You might also have to specify the /ServerAddress=<Tanium Server FQDN/IP> parameter depending on the client version and tanium-init.dat file: see Command-line interface (CLI).

If you use the Installation wizard to install the client, run the following CLI command to configure ProxyAutoConfigAddress after completing the wizard:

TaniumClient config set-string ProxyAutoConfigAddress "http[s]://<PAC file host URL>/<PAC file name>.pac"

Configure proxy connections after client deployment

The following steps describe how to configure Tanium Clients to use a PAC file after the initial client deployment, or how to change the file on clients that already use one:

  1. Go to the Tanium Home page and issue the following question to identify the proxy servers with which Tanium Clients currently connect, if any:

    Get Tanium Client Explicit Setting[ProxyAutoConfigAddress] and Tanium Client Explicit Setting[ProxyServers] from all machines

  2. Select the results for clients that do not already use the PAC file that you want and click Deploy Action.
  3. Configure the package settings:
    • Deployment Package: Select Modify Tanium Client Setting.
    • RegType: Select REG_DWORD.
    • ValueName: Enter ProxyAutoConfigAddress.
    • ValueData: Enter the new PAC file URL and file name in the format http[s]://<PAC file URL>/<PAC file name>.pac.
  4. (Optional) In the Schedule Deployment section, set a schedule for the action.

    Set a reissue interval if some target endpoints might be offline when you initially deploy the action.

  5. In the Targeting Criteria section, ensure that the settings target only the endpoints that require the updated proxy setting.
  6. Click Show preview to continue and verify that the targeting is correct.
  7. Click Deploy Action and review the action status to verify that the action completes without errors.
  8. Issue the following question to verify that clients have the updated ProxyAutoConfigAddress setting:

    Get Tanium Client Explicit Setting[ProxyAutoConfigAddress] from all machines

    Clients do not apply the updated setting until you manually restart them or wait for the automatic client reset, which by default occurs at a random interval in the range of two to six hours.

  9. (Optional) Restart the Tanium Client service on each endpoint to apply the updated proxy setting immediately. For the steps, see Manage the Tanium Client service on Windows.

Configure proxy connections without a PAC file

On non-Windows endpoints, or on Windows endpoints that cannot access a PAC file, configure the Tanium Client to connect to a proxy server by specifying the proxy IP address or FQDN and proxy port in the ProxyServers setting. If you specify multiple proxies, the client tries to connect to the proxies in the order that ProxyServers lists them. After any single connection succeeds, the client stops trying to connect with more proxies.
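The following added example (written for this page, not Tanium Client code) models the proxy selection rules described in this section and in Connect through an HTTPS proxy server: ProxyAutoConfigAddress takes precedence and ProxyServers is then ignored, proxies in ProxyServers are tried in listed order until one succeeds, and the client falls back to a direct connection when no proxy is usable. The `settings` dict, the `proxy_reachable` callback and the sample proxy names are assumptions.

```python
def parse_proxy_servers(proxy_servers):
    """Parse a ProxyServers value "<host>:<port>,...,<host>:<port>" into an
    ordered list of (host, port). Unlike ServerNameList, every entry needs a
    port. List order matters: the client tries proxies in this order."""
    proxies = []
    for entry in proxy_servers.split(","):
        entry = entry.strip()
        if not entry:
            continue
        host, sep, port = entry.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError(f"ProxyServers entry must be <host>:<port>: {entry!r}")
        proxies.append((host, int(port)))
    return proxies


def select_route(settings, proxy_reachable):
    """Return how the client reaches the Tanium Server or Zone Server, following
    the precedence the page describes:
      1. ProxyAutoConfigAddress set -> use the PAC file; ProxyServers is ignored.
      2. Otherwise try ProxyServers entries in order; stop at the first success.
      3. No usable proxy -> connect directly.
    settings maps Tanium Client setting names to values (constructed here);
    proxy_reachable((host, port)) stands in for the real connection attempt."""
    pac = settings.get("ProxyAutoConfigAddress")
    if pac:
        return ("pac", pac)
    for proxy in parse_proxy_servers(settings.get("ProxyServers", "")):
        if proxy_reachable(proxy):
            return ("proxy", proxy)
    return ("direct", None)


if __name__ == "__main__":
    # Constructed sample settings; proxy hosts are placeholders.
    settings = {"ProxyServers": "proxy1.branch.example:3128,proxy2.branch.example:3128"}
    print(select_route(settings, lambda p: p[0] == "proxy2.branch.example"))
```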

Configure proxy connections during client deployment

Configure Tanium Clients to connect through proxy servers by setting ProxyServers during the step to configure additional client settings in the deployment procedures.

You can configure ProxyServers by using the following CLI command on all endpoints or in the TaniumClient.ini file (if it exists) on macOS endpoints:

TaniumClient config set-string ProxyServers "<proxy1 FQDN|IP address>:<port>,...,<proxyN FQDN|IP address>:<port>"

Configure proxy connections after client deployment

The following steps describe how to configure Tanium Clients to establish proxy connections after the initial client deployment, or how to change the proxy setting on clients that already connect to a proxy. Because Windows and non-Windows endpoints require separate packages to update settings, repeat the steps for both of those sets of endpoints.

  1. Go to the Tanium Home page and issue the following question to identify the proxy servers with which Tanium Clients currently connect, if any:

    Get Tanium Client Explicit Setting[ProxyServers] from all machines

  2. Select the results for clients that require new or updated proxy connections and click Deploy Action.
  3. Configure the package settings:
    • Deployment Package: Select Modify Tanium Client Setting for Windows endpoints or Modify Tanium Client Setting [Non-Windows] for other endpoints.
    • RegType: Select REG_DWORD.
    • ValueName: Enter ProxyServers.
    • ValueData: Enter a comma-separated list of proxy IP addresses or FQDNs and proxy ports in the format <proxy1 FQDN|IP address>:<port>,...,<proxyN FQDN|IP address>:<port>.
  4. (Optional) In the Schedule Deployment section, set a schedule for the action.

    Set a reissue interval if some target endpoints might be offline when you initially deploy the action.

  5. In the Targeting Criteria section, ensure that the settings target only the endpoints that:
    • Require the updated proxy setting
    • Correspond to the selected package (Windows or non-Windows)
  6. Click Show preview to continue and verify that the targeting is correct.
  7. Click Deploy Action and review the action status to verify that the action completes without errors.
  8. Issue the following question to verify that clients have the correct ProxyServers setting:

    Get Tanium Client Explicit Setting[ProxyServers] from all machines

    Clients do not apply the updated setting until you manually restart them or wait for the automatic client reset, which by default occurs at a random interval in the range of two to six hours.

  9. (Optional) Restart the Tanium Client service on each endpoint to apply the updated proxy setting immediately: