Tanium Cloud requirements

Review the requirements before you use Tanium Cloud.

Contact Tanium Support for the official security attestation for Tanium™ Cloud. To contact Tanium Support, sign in to https://support.tanium.com.

Tanium dependencies

| Component | Requirement |
|---|---|
| Tanium™ Client | 7.4 or later |

Because Tanium Cloud requires Tanium Client 7.4 or later, some legacy operating systems might not be supported. For more information, see Tanium Client Management User Guide: Client version and host system requirements.

Endpoints

Supported operating systems

The following endpoint operating systems are supported with Tanium Cloud.

  • Windows
  • macOS
  • Linux
  • Solaris
  • AIX

For Tanium Client operating system support, see Tanium Client Management User Guide: Client version and host system requirements.

Third-party software

To use Tanium Cloud in production, each customer must bring a Security Assertion Markup Language (SAML 2.0) compliant identity provider with two-factor authentication (2FA) enabled. Configuration of multiple identity providers for a single Tanium Cloud instance is supported. Examples of these providers include: 

  • Okta
  • OneLogin
  • Auth0
  • Microsoft Active Directory Federation Services (ADFS)
  • Azure Active Directory (AD)

Host and network security requirements

Specific ports and processes are needed to run Tanium Cloud.

Ports

The following ports are required for Tanium Cloud communication.

| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| Tanium Client | Tanium Client | 17472 | TCP | Bi-directional communication between Tanium Client installations |
| Tanium Client | Tanium Cloud | 17472 | TCP | Outbound communication from the Tanium Client and inbound communication to Tanium Cloud |
| Tanium Client | Tanium Cloud | 17486 | TCP | Outbound communication from the Tanium Client and inbound communication to Tanium Cloud for direct endpoint connections |
| Tanium Client | distribute.cloud.tanium.com | 443 | TCP (HTTPS) | Outbound communication from the Tanium Client and inbound communication to Tanium Cloud for optimized file part distribution |

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

API access

To access the Tanium Cloud APIs, you must first create an API Token. For more information, see Tanium Console User Guide: Create API tokens.

Use the following URL for Tanium Cloud API access:

| URL | Notes |
|---|---|
| <customerURL>-api.cloud.tanium.com | The maximum payload size for API requests and responses is 10 MB. |

For information about setting up the URL for API access, see Customer requirements.

Solution-specific port requirements

For additional port requirements that are specific to Tanium™ modules and shared services, see the associated user guide for each of the following solutions:

  • API Gateway: No additional port requirements
  • Asset: No additional port requirements
  • Benchmark: No additional port requirements
  • Certificate Manager: No additional port requirements
  • Client Management
  • Comply
  • Connect
  • Criticality
  • Deploy: No additional port requirements
  • Direct Connect
  • Directory Query
  • Discover
  • Endpoint Configuration: No additional port requirements
  • End-User Notifications: No additional port requirements
  • Enforce
  • Feed: No additional port requirements
  • Health Check
  • Impact
  • Integrity Monitor: No additional port requirements
  • Interact: No additional port requirements
  • Map
  • Patch: No additional port requirements
  • Performance
  • Provision
  • Reporting: No additional port requirements
  • Reputation: No additional port requirements
  • Reveal
  • Threat Response
  • Trends: No additional port requirements

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on the antivirus (AV) software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Firewall

Tanium Cloud works with clients in networks with firewalls (direct route), as long as the clients can reach two internet IP addresses on two TCP ports.

Tanium Cloud deployment with clients behind a firewall

Proxy

Tanium Cloud works with clients in networks with proxies (indirect route), as long as the clients can reach two internet IP addresses on two TCP ports.

Tanium Cloud deployment with clients behind a proxy

For more information about proxies, see Tanium Client Management User Guide: Connect through an HTTPS forward proxy server.

User role requirements

For more information about role permissions and associated content sets, see Tanium Core Platform User Guide: Managing RBAC.

Customer requirements

Unless otherwise stated in your agreement with Tanium, Tanium Cloud entitles customers to a single service instance by default. It is a best practice to use a single service instance in most cases. This simplifies usage and reporting for your endpoint environment; however, additional instances can be purchased. Contact your sales representative if you require more than a single service instance.

To use Tanium Cloud, customers must provide the following information to Tanium:

  • Service Vanity URL for the Tanium Console and clients: This <customerURL>.cloud.tanium.com URL is used to access the Tanium Console, and for clients to connect to the service. Choose a string for <customerURL> that meets the requirements (allowed: a-z, 0-9, and hyphen; maximum length: 40 characters).

    This URL is a publicly searchable URL.

  • Primary Tanium Administrator email address: Provide the email address for whoever is the primary Tanium administrator, who can manage identity provider configurations, create other users, and build RBAC as needed.

    The email address must be able to authenticate with the identity provider the customer wants to use with Tanium Cloud.

    To change your designated primary administrator email address, contact Tanium Support.

  • Data Hosting Region Selection: The region choice has no performance dependencies, and is only for regional data hosting consideration.
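
The following pre-deployment check is an added example, not Tanium code. It validates a candidate <customerURL> string against the rules above and tests a direct TCP route to the outbound destinations in the ports table. The function names and the `example-corp` value are hypothetical, and it assumes the "Tanium Cloud" destination is reached through the <customerURL>.cloud.tanium.com name.

```python
import re
import socket

# Rules stated on this page: a-z, 0-9 and hyphen; at most 40 characters.
CUSTOMER_URL_RE = re.compile(r"[a-z0-9-]{1,40}")

def valid_customer_url(label):
    """True if label meets the vanity URL character and length rules."""
    return CUSTOMER_URL_RE.fullmatch(label) is not None

def required_endpoints(label):
    """Outbound (host, port, purpose) entries a client network must allow.

    Assumption: the "Tanium Cloud" destination in the ports table is reached
    through <customerURL>.cloud.tanium.com; confirm this for your instance.
    Client-to-client traffic on 17472 stays inside the network and is not
    listed here.
    """
    if not valid_customer_url(label):
        raise ValueError(f"invalid customerURL string: {label!r}")
    cloud = f"{label}.cloud.tanium.com"
    return [
        (cloud, 17472, "Tanium Client to Tanium Cloud"),
        (cloud, 17486, "direct endpoint connections"),
        ("distribute.cloud.tanium.com", 443, "file part distribution (HTTPS)"),
    ]

def tcp_reachable(host, port, timeout=3.0):
    """Plain TCP connect; False on refusal, timeout or DNS failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def preflight(label, probe=tcp_reachable):
    """Map each required (host, port) to whether the probe reached it."""
    return {(h, p): probe(h, p) for h, p, _ in required_endpoints(label)}

if __name__ == "__main__":
    # "example-corp" is a constructed placeholder, not a real instance name.
    for (host, port), ok in preflight("example-corp").items():
        print(f"{host}:{port} {'reachable' if ok else 'BLOCKED or unresolved'}")
```

A direct connect test does not exercise a proxied route, so for clients behind an HTTPS forward proxy run it from a segment that has a direct route.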