Tanium Cloud requirements
Review the requirements before you use Tanium Cloud.
Contact Tanium Support for the official security attestation for Tanium™ Cloud. To contact Tanium Support, sign in to https://support.tanium.com.
Tanium dependencies
| Component | Requirement |
|---|---|
| Tanium™ Client | 7.4 or later |
Because Tanium Cloud requires Tanium Client 7.4 or later, some legacy operating systems might not be supported. For more information, see Tanium Client Management User Guide: Client version and host system requirements.
Endpoints
Supported operating systems
The following endpoint operating systems are supported with Tanium Cloud.
- Windows
- macOS
- Linux
- Solaris
- AIX
For Tanium Client operating system support, see Tanium Client Management User Guide: Client version and host system requirements.
Third-party software
To use Tanium Cloud in production, each customer must bring a Security Assertion Markup Language (SAML 2.0) compliant identity provider with two-factor authentication (2FA) enabled. Configuration of multiple identity providers for a single Tanium Cloud instance is supported. Examples of these providers include:
- Okta
- OneLogin
- Auth0
- Microsoft Active Directory Federation Services (ADFS)
- Azure Active Directory (AD)
Host and network security requirements
Specific ports and processes are needed to run Tanium Cloud
Ports
The following ports are required for Tanium Cloud communication.
| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| Tanium Client | Tanium Client | 17472 | TCP | Bi-directional communication between Tanium Client installations |
| Tanium Client | Tanium Cloud | 17472 | TCP | Outbound communication from the Tanium Client and inbound communication to Tanium Cloud |
| Tanium Client | Tanium Cloud | 17486 | TCP | Outbound communication from the Tanium Client and inbound communication to Tanium Cloud for direct endpoint connections |
| Tanium Client | distribute.cloud.tanium.com | 443 | TCP (HTTPS) | Outbound communication from the Tanium Client and inbound communication to Tanium Cloud for optimized file part distribution |
Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.
API access
To access the Tanium Cloud APIs, you must first create an API Token. For more information, see Tanium Console User Guide: Create API tokens.
Use the following URL for Tanium Cloud API access:
| URL | Notes |
|---|---|
| <customerURL>-api.cloud.tanium.com | The maximum payload size for API requests and responses is 10 MB. |
For information about setting up the URL for API access, see Customer requirements.
Solution-specific port requirements
To see additional port requirements that are specific to Tanium™ modules and shared services, click the following links to access the associated user guides:
-
-
-
- Certificate Manager: No additional port requirements
- Client Management
- Comply
- Connect
- Criticality
-
- Direct Connect
- Directory Query
- Discover
-
-
- Enforce
-
- Health Check
- Impact
-
-
- Map
-
- Performance
- Provision
-
-
- Reveal
- Threat Response
-
Security exclusions
If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.
Firewall
Tanium Cloud works with clients in networks with firewalls (direct route), as long as the clients can reach two internet IP addresses on two TCP ports.
Proxy
Tanium Cloud works with clients in networks with proxies (indirect route), as long as the clients can reach two internet IP addresses on two TCP ports.
For more information about proxies, see Tanium Client Management User Guide: Connect through an HTTPS forward proxy server.
User role requirements
For more information about role permissions and associated content sets, see Tanium Core Platform User Guide: Managing RBAC.
Customer requirements
Unless otherwise stated in your agreement with Tanium, Tanium Cloud entitles customers to a single service instance by default. It is a best practice to use a single service instance in most cases. This simplifies usage and reporting for your endpoint environment; however, additional instances can be purchased. Contact your sales representative if you require more than a single service instance.
To use Tanium Cloud, customers must provide the following information to Tanium:
- Service Vanity URL for the Tanium Console and clients: This <customerURL>.cloud.tanium.com URL is used to access the Tanium Console, and for clients to connect to the service. Choose a string for <customerURL> that meets the requirements (allowed: a-z, 0-9, and hyphen; maximum length: 40 characters).
This URL is a publicly searchable URL.
- Primary Tanium Administrator email address: Provide the email address for whomever is the primary Tanium administrator, which can manage identity provider configurations, create other users, and build RBAC as needed.
The email address must be able to authenticate with the identity provider the customer wants to use with Tanium Cloud.
To change your designated primary administrator email address, contact Tanium Support.
- Data Hosting Region Selection: The region choice has no performance dependencies, and is only for regional data hosting consideration.
Last updated: 3/28/2023 8:22 AM | Feedback