Configuring connections to the Tanium Core Platform

After you install the Tanium Client on an endpoint, the client initiates a connection to the Tanium Cloud using one of the FQDNs that are configured in the initial settings. After installation, you can change the connection settings as necessary through sensors and packages that Tanium provides. You can configure a direct connection to Tanium Cloud or establish a Transport Layer Security (TLS) tunnel through a Hypertext Transfer Protocol Secure (HTTPS) proxy server.

Settings for connections to Tanium Cloud

The following settings, which govern connections from Tanium Clients to Tanium Cloud, are stored on the client endpoints.

For the settings that connect Tanium Clients through HTTPS proxy servers, see Connect through an HTTPS forward proxy server.

ServerNameList

The Tanium Client connects to only one Tanium Cloud server address at a time. However, to avoid a single point of failure, the ServerNameList setting is configured with a list of FQDNs from Client Edge URLs to which the client can attempt a connection. The FQDNs are specified as a comma-separated list. The Client Edge URLs are available in the Tanium Cloud Management Portal (CMP). For more information, see Tanium Cloud Deployment Guide: Getting started with Tanium Cloud.

Do not modify this setting, except during initial configuration of the Tanium Client when a tanium-init.dat file that includes the appropriate FQDNs is unavailable, or as directed by Tanium Support.

The Tanium Client must select an entry from ServerNameList each time the client process restarts or the client resets. The client randomly selects an FQDN from ServerNameList without regard to the order in which the FQDNs are listed. However, the client maintains a count of failed connection attempts, and gives preference to the FQDN with the least failed connections.

The Tanium Client overwrites the value of the ServerName setting with the FQDN that it selects from ServerNameList. The client then uses that value when requesting a connection to Tanium Cloud.

ServerName

ServerName indicates the Tanium Cloud FQDN with which the Tanium Client attempts to connect. Do not set ServerName. The ServerNameList setting includes FQDNs for all available Client Edge URLs, and the Tanium Client overwrites the ServerName value with the FQDN that it selects from ServerNameList.

LastGoodServerName

LastGoodServerName stores the FQDN of the Tanium Cloud Client Edge URL to which the Tanium Client last successfully connected. If the client cannot reach any FQDN in ServerNameList, the client attempts to connect to the FQDN that LastGoodServerName specifies. Do not set LastGoodServerName; the client defines it automatically.
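The following is an added illustration of how the ServerNameList, ServerName, and LastGoodServerName settings interact across client restarts and resets; it is not Tanium Client code. It assumes two details that the text does not state: that ties between FQDNs with the same number of failed attempts are broken uniformly at random, and that the per-FQDN failure counter persists across resets. The FQDNs in the sample list are placeholders, and the random source is injectable so that a run is reproducible.

```javascript
// Added illustration, not Tanium Client code. Models the documented selection:
// pick from ServerNameList on every restart or reset, ignore list order, prefer
// the FQDN(s) with the fewest failed attempts, overwrite ServerName with the
// choice, and record LastGoodServerName on a successful connection.
// Assumptions: ties are broken uniformly at random; failure counts persist.

function parseServerNameList(value) {
  // ServerNameList is a comma-separated list of FQDNs; tolerate stray whitespace.
  return value.split(",").map((s) => s.trim()).filter(Boolean);
}

function selectServerName(candidates, failures, rng) {
  // Preference goes to the smallest failure count, not to list position.
  const count = (fqdn) => failures.get(fqdn) || 0;
  const fewest = Math.min(...candidates.map(count));
  const preferred = candidates.filter((fqdn) => count(fqdn) === fewest);
  // Random choice among the FQDNs that tie on the fewest failures (assumption).
  return preferred[Math.floor(rng() * preferred.length)];
}

function simulateResets(serverNameList, reachable, resets, rng = Math.random) {
  const candidates = parseServerNameList(serverNameList);
  if (candidates.length === 0) throw new Error("ServerNameList is empty");
  const state = {
    ServerName: null,          // overwritten on every restart or reset
    LastGoodServerName: null,  // set by the client after a successful connection
    failures: new Map(),       // failed attempts per FQDN
    history: [],               // ServerName value chosen at each reset
  };

  for (let i = 0; i < resets; i++) {
    state.ServerName = selectServerName(candidates, state.failures, rng);
    state.history.push(state.ServerName);
    if (reachable.has(state.ServerName)) {
      state.LastGoodServerName = state.ServerName;
    } else {
      state.failures.set(state.ServerName, (state.failures.get(state.ServerName) || 0) + 1);
    }
  }
  return state;
}

// Constructed sample: three placeholder Client Edge FQDNs, only the third reachable.
const SAMPLE_LIST =
  "edge-a.cloud.example.com, edge-b.cloud.example.com, edge-c.cloud.example.com";
const SAMPLE_REACHABLE = new Set(["edge-c.cloud.example.com"]);

// A deterministic rng that always picks the first tied entry shows the client
// burning one attempt on each unreachable FQDN before settling on the good one.
console.log(simulateResets(SAMPLE_LIST, SAMPLE_REACHABLE, 4, () => 0).history);
```

With the deterministic source above, the client tries edge-a, then edge-b (each now carries one failure), then settles on edge-c, and stays on it for subsequent resets because it is the only FQDN with zero failures. With a source that picks the last tied entry, edge-c is chosen immediately, which is the point of the order-independent selection. The fallback to LastGoodServerName after every entry in ServerNameList fails is not modeled here.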

ServerPort

ServerPort specifies the port that the Tanium Client uses for communication with Tanium Cloud and with peer clients. Do not change the default of 17472, which is required for communication with Tanium Cloud.

If you configure the ListenPort setting, it overrides ServerPort for communication with peer clients. You can also randomize the port for client-client communication. For more information, see Customize listening ports.

Content for configuring connections to Tanium Cloud

The Tanium Default Content pack includes sensors and packages to manage the ServerNameList and ServerName settings on the endpoints that host the Tanium Client.

Use the packages that are listed in this table only at the direction of Tanium Support.

Table 1: Default content related to ServerNameList, ServerName, and ServerPort

Sensors

  • Tanium Server Name: Returns the current value of ServerName from the Tanium Client, which identifies the Tanium Cloud FQDN with which the client currently connects. For example:

    Get Computer Name and Tanium Server Name from all machines

  • Tanium Server Name List: Returns the current value of ServerNameList from the Tanium Client. For example:

    Get Computer Name and Tanium Server Name List from all machines

  • Tanium Client Explicit Setting: Returns the current value of any Tanium Client setting that you specify. For example:

    Get Computer Name and Tanium Client Explicit Setting[ServerPort] from all machines

    For the complete list of client settings that you can specify with this sensor, see Tanium Client settings reference.

Packages

  • Set Tanium Server Name: Sets the ServerName value on Windows endpoints and restarts the Tanium Client service. The ServerName setting is stored in the Windows registry.
  • Set Tanium Server Name [Non-Windows]: Sets the ServerName value on non-Windows endpoints and restarts the Tanium Client system service. The ServerName setting is stored in an SQLite database and is set through a CLI command.
  • Set Tanium Server Name List: Sets the ServerNameList value on Windows endpoints and restarts the Tanium Client service. The ServerNameList setting is stored in the Windows registry.
  • Set Tanium Server Name List [Non-Windows]: Sets the ServerNameList value on non-Windows endpoints and restarts the Tanium Client system service. The ServerNameList setting is stored in an SQLite database and is set through a CLI command.

Connect through an HTTPS forward proxy server

If the network policies of your organization prohibit endpoints from connecting through the Internet directly to Tanium Cloud, you can configure the Tanium Client 7.4.2.2033 or later to establish a TLS tunnel through an HTTPS forward proxy server. An organization might require a proxy for Tanium Clients in remote branch office networks. You might also require a proxy if Tanium Cloud functions as a managed security service provider (MSSP) in an isolated network where routing changes are not possible. To prevent a single proxy failure from interrupting client connections, you can configure clients to send connection requests to multiple proxies.

To use a proxy server with Tanium Clients, your environment must meet the following requirements:

  • Tanium Client 7.4.2.2033 or later must be installed on endpoints that connect through the proxy server.
  • The proxy server must support the HTTP CONNECT method for TLS tunneling.
  • The proxy server must not require authentication.
  • The proxy server must not perform SSL/TLS inspection. You cannot use network devices such as firewalls to decrypt and inspect Tanium Protocol traffic between Tanium Clients and Tanium Cloud or between peer Tanium Clients.

As an alternative to connecting through a proxy server, you can use a Tanium Cloud Access Point to facilitate communication from networks that have restricted access to Tanium Cloud. For more information, see Tanium Appliance Deployment Guide: Installing a Tanium Cloud Access Point.

The steps to connect to a proxy depend on whether the endpoints can access a proxy auto configuration (PAC) file, which is available only for Windows endpoints. A PAC file defines how web browsers connect to specific hosts (such as a Tanium Cloud FQDN), directly or through a proxy server, and defines how the browsers select the correct proxy for each URL. Configure the ProxyAutoConfigAddress setting on endpoints that can access a PAC file and the ProxyServers setting on endpoints that cannot. Configure only one of the settings on any single endpoint: if you configure both, the Tanium Client uses only ProxyAutoConfigAddress and ignores ProxyServers.

If no proxy servers are available, the Tanium Client falls back to connecting directly with Tanium Cloud.

Tanium Clients can traverse a proxy only when connecting to Tanium Cloud. Connections between clients must be direct.

Figure 1: Connecting through an HTTPS proxy server to Tanium Cloud

Before you begin

Work with your network administration team to perform the following tasks before connecting Tanium Clients to a proxy server:

  1. Configure the proxy server to allow port 17472, regardless of any security restrictions that are configured on the server. See Network connectivity, ports, and firewalls.

  2. (Windows endpoints only) If Tanium Clients must establish proxy connections through a PAC file, create the file and copy it to a web server that the clients can access.

Configure proxy server settings during client deployment whenever possible. The procedures for configuring the settings after deployment deliver them through a Tanium action, which requires that the client can already reach Tanium Cloud.

Configure proxy connections with a PAC file

For Tanium Clients on Windows endpoints, you can configure proxy connections using a PAC file if one is available. The endpoint downloads the file from the URL that you specify and runs a script that the file contains to select the correct proxy for connecting to a particular Tanium Cloud FQDN.
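The following is an added example of a PAC file for Tanium Clients; it is not a file that Tanium supplies, and the Client Edge FQDNs and proxy hosts in it are placeholders. It routes only the Tanium Cloud FQDNs through the proxy and returns DIRECT for everything else, and it lists two proxies so that a single proxy outage does not strand the clients. It is written in ES5 syntax and uses no PAC runtime helpers, so it also runs unmodified under Node.js for testing.

```javascript
// Added example PAC file for Tanium Clients (not supplied by Tanium).
// Placeholders: the Client Edge FQDNs and the two corporate proxies.
// ES5 only: PAC engines do not run modern JavaScript.

// Tanium Cloud Client Edge FQDNs, the same values as in ServerNameList.
var TANIUM_CLOUD_FQDNS = [
  "edge-a.cloud.example.com",
  "edge-b.cloud.example.com"
];

// Two proxies, tried left to right. Each must accept CONNECT to port 17472,
// require no authentication, and not inspect TLS, per the requirements above.
var TANIUM_PROXY_CHAIN =
  "PROXY proxy-1.corp.example:3128; PROXY proxy-2.corp.example:3128";

function FindProxyForURL(url, host) {
  // Hostnames are case-insensitive; normalize before comparing.
  var h = host.toLowerCase();
  for (var i = 0; i < TANIUM_CLOUD_FQDNS.length; i++) {
    if (h === TANIUM_CLOUD_FQDNS[i]) {
      return TANIUM_PROXY_CHAIN;
    }
  }
  // Anything that is not Tanium Cloud is outside this file's concern.
  return "DIRECT";
}
```

Host the file on a web server that the endpoints can reach and set ProxyAutoConfigAddress to its URL. The chain deliberately ends without a DIRECT entry: the Tanium Client already falls back to a direct connection when no proxy is available, and if your policy forbids direct connections, that has to be enforced at the firewall rather than in the PAC file.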

Configure proxy connections during client deployment

Configure Tanium Clients to use a PAC file by setting ProxyAutoConfigAddress during client installation. See Deploy the Tanium Client to Windows endpoints using the installer for the steps to install the client.

Table 2: Methods to set a PAC file URL during deployment

  • Command-line interface (CLI): Specify the setting as one of the parameters of a silent installation:

    SetupClient.exe /ProxyAutoConfigAddress=http[s]://<PAC file host URL>/<PAC file name> /S

    You might also have to specify the /ServerAddress=<Tanium Cloud FQDNs> parameter depending on whether a tanium-init.dat file with the appropriate server list is available. See Command-line interface (CLI).

  • Installation wizard: Run the following CLI command to configure ProxyAutoConfigAddress after completing the wizard:

    TaniumClient config set-string ProxyAutoConfigAddress ^
    "http[s]://<PAC file host URL>/<PAC file name>.pac"

Configure proxy connections after client deployment

You can configure Tanium Clients to use a PAC file after the initial client deployment, or change the file on clients that already use a PAC file.

  1. Go to the Tanium Home page and ask the following question to identify the proxy servers with which Tanium Clients currently connect, if any:

    Get Tanium Client Explicit Setting[ProxyAutoConfigAddress] and Tanium Client Explicit Setting[ProxyServers] from all machines

  2. Select the results for clients that do not already use the PAC file that you want and click Deploy Action.
  3. Configure the package settings:

    • Deployment Package: Select Modify Tanium Client Setting.
    • RegType: Select REG_SZ.
    • ValueName: Enter ProxyAutoConfigAddress.
    • ValueData: Enter the new PAC file URL and file name in the format http[s]://<PAC file URL>/<PAC file name>.pac.
  4. (Optional) In the Schedule Deployment section, set a schedule for the action.

    Set a reissue interval if some target endpoints might be offline when you initially deploy the action.

  5. In the Targeting Criteria section, ensure that the settings target only the endpoints that require the updated proxy setting.
  6. Click Show preview to continue and verify that the targeting is correct.
  7. Click Deploy Action and review the action status to verify that the action completes without errors.
  8. Ask the following question to verify that clients have the updated ProxyAutoConfigAddress setting:

    Get Tanium Client Explicit Setting[ProxyAutoConfigAddress] from all machines

    Clients do not apply the updated setting until you manually restart them or wait for the automatic client reset, which by default occurs at a random interval in the range of two to six hours.

  9. (Optional) Restart the Tanium Client service on each endpoint to apply the updated proxy setting immediately. For the steps, see Manage the Tanium Client service on Windows.

Configure proxy connections without a PAC file

On non-Windows endpoints, or on Windows endpoints that cannot access a PAC file, configure the Tanium Client to connect to a proxy server by specifying the proxy IP address or FQDN and the proxy port in the ProxyServers setting. If you specify multiple proxies, the client tries to connect to the proxies in the order that ProxyServers lists them. After any single connection succeeds, the client stops trying to connect with more proxies.
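The following is an added example, not Tanium code, that does two things a practitioner wants before pushing a ProxyServers value with the Modify Tanium Client Setting package: it validates the comma-separated host:port format (rejecting a scheme prefix such as http://, a missing port, or an out-of-range port), and it models the documented attempt order, trying the proxies in the listed order, stopping at the first success, and falling back to a direct connection when every proxy fails. The tryConnect probe is a caller-supplied function and an assumption of this example; the sample proxies are placeholders, and IPv6 literals are not handled.

```javascript
// Added example, not Tanium code. Validates a ProxyServers value and models
// the documented connection order. `tryConnect(proxy)` is a caller-supplied
// probe returning true on success (assumption); sample values are placeholders.

function parseProxyServers(value) {
  const entries = value.split(",").map((s) => s.trim()).filter(Boolean);
  if (entries.length === 0) throw new Error("ProxyServers is empty");
  return entries.map((entry) => {
    // Only host:port is valid; a scheme prefix is a common configuration mistake.
    if (/^[a-z]+:\/\//i.test(entry)) throw new Error(`scheme not allowed in "${entry}"`);
    const sep = entry.lastIndexOf(":");
    if (sep <= 0 || sep === entry.length - 1) throw new Error(`missing port in "${entry}"`);
    const host = entry.slice(0, sep);
    const port = Number(entry.slice(sep + 1));
    // FQDN or IPv4 address only (IPv6 literals would need bracket handling).
    if (!/^[A-Za-z0-9.-]+$/.test(host)) throw new Error(`invalid host in "${entry}"`);
    if (!Number.isInteger(port) || port < 1 || port > 65535) throw new Error(`invalid port in "${entry}"`);
    return { host, port };
  });
}

function chooseConnection(proxyServersValue, tryConnect) {
  const attempts = [];
  // Proxies are tried in the order listed; the first success ends the search.
  for (const proxy of parseProxyServers(proxyServersValue)) {
    const ok = tryConnect(proxy);
    attempts.push({ host: proxy.host, port: proxy.port, ok });
    if (ok) return { via: "proxy", host: proxy.host, port: proxy.port, attempts };
  }
  // Documented fallback: no proxy available, connect directly to Tanium Cloud.
  return { via: "direct", attempts };
}

// Constructed sample: the first proxy is down, the second answers.
const SAMPLE_PROXY_SERVERS = "proxy-1.corp.example:3128, 10.0.0.5:8080";
const SAMPLE_PROBE = (proxy) => proxy.host === "10.0.0.5";

console.log(chooseConnection(SAMPLE_PROXY_SERVERS, SAMPLE_PROBE));
```

Run parseProxyServers over the exact string you intend to enter in ValueData; a value that throws here would be written to the client unchanged and only surface as a failed connection after the next client reset.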

Configure proxy connections during client deployment

Configure Tanium Clients to connect through proxy servers by setting ProxyServers during installation. For installation procedures, see Deploying the Tanium Client using an installer or package file.

Table 3: Methods to set proxy server addresses during deployment

  • Command-line interface (CLI), Windows: Specify the setting as one of the parameters of a silent installation:

    SetupClient.exe ^
    /ProxyServers=<FQDN|IPaddress:PortNumber> /S

  • Command-line interface (CLI), non-Windows: Run the following CLI command to configure ProxyServers during the step to configure Tanium Client settings:

    ./TaniumClient config set-string ProxyServers \
    "<proxy1 FQDN|IP address>:<port>,...,<proxyN FQDN|IP address>:<port>"

  • Installation wizard, Windows: Run the following CLI command to configure ProxyServers after completing the wizard:

    TaniumClient config set-string ProxyServers ^
    "<proxy1 FQDN|IP address>:<port>,...,<proxyN FQDN|IP address>:<port>"

  • Installation wizard, macOS: Run the following CLI command to configure ProxyServers after completing the wizard:

    ./TaniumClient config set-string ProxyServers \
    "<proxy1 FQDN|IP address>:<port>,...,<proxyN FQDN|IP address>:<port>"

Configure proxy connections after client deployment

You can configure Tanium Clients to establish proxy connections after the initial client deployment, or change the proxy setting on clients that already connect to a proxy. In a deployment with both Windows and non-Windows endpoints, repeat the steps for both types of endpoints.

  1. Go to the Tanium Home page and ask the following question to identify the proxy servers with which Tanium Clients currently connect, if any:

    Get Tanium Client Explicit Setting[ProxyServers] and Is Windows from all machines

  2. Select the results for either Windows or non-Windows endpoints that require new or updated proxy connections and click Deploy Action.

    Windows endpoints and non-Windows endpoints require different packages. If you are updating both Windows and non-Windows endpoints, complete this procedure separately for each group.

  3. Configure the package settings:

    • Deployment Package: Select Modify Tanium Client Setting for Windows endpoints or Modify Tanium Client Setting [Non-Windows] for other endpoints.
    • RegType (Windows only): Select REG_SZ.
    • Type (non-Windows only): Select STRING.
    • ValueName: Enter ProxyServers.
    • ValueData: Enter a comma-separated list of proxy IP addresses or FQDNs and proxy ports in the format <proxy1 FQDN|IP address>:<port>,...,<proxyN FQDN|IP address>:<port>.
  4. (Optional) In the Schedule Deployment section, set a schedule for the action.

    Set a reissue interval if some target endpoints might be offline when you initially deploy the action.

  5. In the Targeting Criteria section, ensure that the settings target only the endpoints that:

    • Require the updated proxy setting
    • Run the operating system that matches the selected package (Windows or non-Windows)
  6. Click Show preview to continue and verify that the targeting is correct.
  7. Click Deploy Action and review the action status to verify that the action completes without errors.
  8. Ask the following question to verify that clients have the correct ProxyServers setting.

    Get Tanium Client Explicit Setting[ProxyServers] and Is Windows from all machines

    Clients do not apply the updated setting until you manually restart them or wait for the automatic client reset, which by default occurs at a random interval in the range of two to six hours.

  9. (Optional) Restart the Tanium Client service on each endpoint to apply the updated proxy setting immediately: