Tanium Cloud requirements
Review the requirements before you use Tanium Cloud.
Contact Tanium Support for the official security attestation for Tanium™ Cloud. To contact Tanium Support, sign in to https://support.tanium.com.
Tanium dependencies
| Component | Requirement |
|---|---|
| Tanium™ Client | 7.4 or later |
Because Tanium Cloud requires Tanium Client 7.4 or later, some legacy operating systems might not be supported. For more information, see Tanium Client Management User Guide: Client version and host system requirements.
Endpoints
Supported operating systems
The following endpoint operating systems are supported with Tanium Cloud.
- Windows
- macOS
- Linux
- Solaris
- AIX
For Tanium Client operating system support, see Tanium Client Management User Guide: Client version and host system requirements.
Third-party software
To use Tanium Cloud in production, each customer must bring a Security Assertion Markup Language (SAML 2.0) compliant identity provider with two-factor authentication (2FA) enabled. Configuration of multiple identity providers for a single Tanium Cloud instance is supported. Examples of these providers include:
- Okta
- OneLogin
- Auth0
- Microsoft Active Directory Federation Services (ADFS)
- Azure Active Directory (AD)
Host and network security requirements
Specific ports and processes are needed to run Tanium Cloud
Ports
The following ports are required for Tanium Cloud communication.
| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| Tanium Client | Tanium Client | 17472 | TCP | Bi-directional communication between Tanium Client peers1 |
| Tanium Client | Tanium Cloud2 | 17472 | TCP | Outbound communication from the Tanium Client and inbound communication to Tanium Cloud3 |
| Tanium Client | Tanium Cloud2 | 17486 | TCP | Outbound communication from the Tanium Client and inbound communication to Tanium Cloud for direct endpoint connections using Direct Connect3 |
|
1 You can change the port that clients use for peer communication. See Tanium Client Management User Guide: Customize listening ports. 2 Tanium Clients connect to the Client Edge URLs shown in Tanium Cloud Management Portal (CMP). For more information, see View administration information and Tanium Client Management User Guide: Configuring connections to the Tanium Core Platform. (For Tanium Cloud for U.S. Government, the Client Edge URLs are provided during initial provisioning.) 3 Tanium Cloud can use custom ports for communication between the Tanium Client and Tanium Cloud (including both general communication and direct connections). However, this change requires assistance from Tanium Support, and it should be done before you deploy Tanium Clients to avoid disrupting connections to existing clients. Contact Tanium Support to request changing from the default port. |
||||
Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.
Internet URLs or IP addresses
If security software is deployed in your environment to monitor and block unknown URLs or IP addresses, your security administrator must configure it to allow HTTPS communication with the following URLs to ensure continued connectivity with Tanium Clients and to allow authorized users to access Tanium Console and Tanium Cloud Management Portal (CMP).
The <customerURL> variable shown in the following URLs is the subdomain that you specify for your service vanity URL when your Tanium Cloud instance is first provisioned. See Make initial elections.
| Service | Tanium Cloud | Tanium Cloud for U.S. Government |
|---|---|---|
| Tanium Console | <customerURL>.cloud.tanium.com | <customerURL>.cloud.taniumfed.com |
| Tanium API1 | <customerURL>-api.cloud.tanium.com | <customerURL>-api.cloud.taniumfed.com |
| Tanium Cloud Management Portal | portal.<customerURL>.cloud.tanium.com | N/A |
| Tanium Cloud Package Management Service (CPMS) | distribute.cloud.tanium.com2 | N/A |
|
1 See API access. 2 For more information about CPMS and alternative methods to allow connections, see Allow connectivity to the Tanium Cloud Package Management service. |
||
Allow connectivity to the Tanium Cloud Package Management service
The Tanium CPMS provides optimized file part distribution for Tanium Clients and requires outbound HTTPS communication from the Tanium Client and inbound HTTPS communication to Tanium Cloud. Connectivity is always provided through distribute.cloud.tanium.com, but the IP address ranges that are used change over time. An up-to-date list of these IP address ranges is available in the file https://distribute-info.cloud.tanium.com/ip-ranges/ip-ranges.json.
Use one of the following methods to allow communication, depending on your security policies and the capabilities of your security software:
- Create an access control list (ACL) or firewall rule that references the file https://distribute-info.cloud.tanium.com/ip-ranges/ip-ranges.json to allow the IP address ranges included in the file.
- Allow the URL distribute.cloud.tanium.com.
- Create an ACL or firewall rule that explicitly allows the IP address ranges listed in the file https://distribute-info.cloud.tanium.com/ip-ranges/ip-ranges.json, and regularly update the ACL or rule.
Because Tanium Cloud for U.S. Government does not support CPMS at this time, access to distribute.cloud.tanium.com or associated IP addresses is not currently required in Tanium Cloud for U.S. Government.
API access
To access the Tanium Cloud APIs, you must first create an API Token. For more information, see Tanium Console User Guide: Create API tokens.
The maximum payload size for API requests and responses is 10 MB.
Use one of the following URLs for Tanium Cloud API access:
Tanium Cloud API access
<customerURL>-api.cloud.tanium.com
Tanium Cloud for U.S. Government API acess
<customerURL>-api.cloud.taniumfed.com
The <customerURL> variable is the subdomain that you specify for your service vanity URL when your Tanium Cloud instance is first provisioned. See Make initial elections.
Solution-specific port requirements
To see additional port requirements that are specific to Tanium™ modules and shared services, click the following links to access the associated user guides:
-
-
-
- Certificate Manager: No additional port requirements
- Client Management
- Comply
- Connect
- Criticality
-
- Direct Connect
- Directory Query
- Discover
-
-
- Enforce
- Engage
-
- Health Check
- Impact
-
-
- Investigate
- Mac Device Enrollment
- Map
-
- Performance
- Provision
-
-
- Reveal
- Threat Response
-
- Zero Trust
Security exclusions
If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.
Firewall
Tanium Cloud works with clients in networks with firewalls (direct route), as long as the clients can reach two internet IP addresses on two TCP ports.
Proxy
Tanium Cloud works with clients in networks with proxies (indirect route), as long as the clients can reach two internet IP addresses on two TCP ports.
For more information about proxies, see Tanium Client Management User Guide: Connect through an HTTPS forward proxy server.
User role requirements
Tanium Cloud Management Portal user roles
The following table lists the role permissions for Tanium Cloud Management Portal (CMP) users. For the steps to configure CMP users in your identity provider, see Configuring identity providers and user provisioning in CMP. For evaluation or demonstration purposes, you can also configure local users. See Manage local users for evaluation or demonstration.
| Permission | Root Administrator1 | Administrator2 | Audit History Read-Only User3 | Read-Only User | |
|---|---|---|---|---|---|
| View Tanium instance and entitlement details |
|
|
|
|
|
| View module installation activity |
|
|
|
|
|
| View Tanium Cloud artifacts |
|
|
|
|
|
| Manage IDP configuration |
|
|
|
|
|
| Manage local users |
|
|
|
|
|
| View network egress rules |
|
|
|
|
|
| Manage network egress rules |
|
|
|
|
|
| Manage maintenance window |
|
|
|
|
|
| View own event history |
|
|
|
|
|
| View all users' event history |
|
|
|
|
|
| Manage own notifications |
|
|
|
|
|
|
1 This role applies only to the built-in primary administrator account, which you cannot edit or delete. To change your designated primary administrator email address, contact Tanium Support. 2 To configure administrative CMP users in an identity provider, see (Optional) Step 3: Configure administrative users for CMP. 3 This role is available only for local users. See Manage local users for evaluation or demonstration. |
|||||
Tanium Core Platform user roles
For more information about role permissions and associated content sets in Tanium Core Platform, see Tanium Core Platform User Guide: Managing RBAC.
Last updated: 9/20/2023 1:41 PM | Feedback