Configuring Direct Connect

If you did not install Direct Connect with the Apply All Tanium recommended configurations, you must enable and configure certain features. Additionally, if you want to enable connections to endpoints through a Tanium™ Zone Server, you must configure a zone proxy.

(Tanium Core Platform 7.4.5 or later only) You can set the Direct Connect action group to target the No Computers filter group by enabling restricted targeting before importing Direct Connect. This option enables you to control tools deployment through scheduled actions that are created during the import and that target the Tanium Direct Connect action group. For example, you might want to test tools on a subset of endpoints before deploying the tools to all endpoints. In this case, you can manually deploy the tools to an action group that you configured to target only the subset. To configure an action group, see Tanium Console User Guide: Managing action groups. To enable or disable restricted targeting, see Tanium Console User Guide: Dependencies, default settings, and tools deployment.

When you import Direct Connect with automatic configuration, the following default settings are configured:

Setting: Action group
Default value:
  • Restricted targeting disabled (default): All Computers computer group
  • Restricted targeting enabled: No Computers computer group

Setting: Fully Qualified Domain Name for the module server
Default value: The Fully Qualified Domain Name setting in the Endpoint Connection settings is set to the first-detected IPv4 address that is closest to the Tanium Server IP address. (This is often the IP address of the Module Server.)

The IP address or FQDN that is specified for this setting must resolve to the Module Server from all endpoints in all direct endpoint connections. After the initial installation and configuration completes, you can verify this value on the Endpoint Connection tab in the Direct Connect settings and update it if needed.

Configure Tanium Endpoint Configuration

Manage solution configurations with Tanium Endpoint Configuration

Tanium Endpoint Configuration delivers configuration information and required tools for Tanium Solutions to endpoints. Endpoint Configuration consolidates the configuration actions that traditionally accompany additional Tanium functionality and eliminates the potential for timing errors that occur between when a solution configuration is made and the time that configuration reaches an endpoint. Managing configuration in this way greatly reduces the time to install, configure, and use Tanium functionality, and improves the flexibility to target specific configurations to groups of endpoints.

Endpoint Configuration is installed as a part of Tanium Client Management. For more information, see the Tanium Client Management User Guide: Installing Client Management.

Optionally, you can use Endpoint Configuration to require approval of configuration changes. When configuration approvals are enabled, Endpoint Configuration does not deploy a configuration change to endpoints until a user with approval permission approves the change. For information about the roles and permissions that are required to approve configuration changes for Direct Connect, see User role requirements. For more information about enabling and using configuration approvals in Endpoint Configuration, see Tanium Endpoint Configuration User Guide: Managing approvals.

Solutions cannot perform configuration changes or tool deployment through Endpoint Configuration on endpoints with action locks turned on. For solutions to perform configuration changes or tool deployment on those endpoints, you must enable the Manifest Package Ignore Action Lock and Deploy Client Configuration and Support Package Ignore Action Lock settings. To access these settings, from the Endpoint Configuration Overview page, click Settings and select Global. As a best practice, do not turn on action locks. For more information about action locks, see Tanium Console User Guide: Managing action locks.

For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.

If you enabled configuration approvals, you must approve the deployment of Direct Connect tools in Endpoint Configuration before they deploy to endpoints.

Configure Direct Connect

(Optional) Configure the Direct Connect action group

Importing the Direct Connect module automatically creates an action group to target specific endpoints. If you did not use automatic configuration, or if you enabled restricted targeting when you imported Direct Connect, the action group targets No Computers.

If you used automatic configuration and restricted targeting was disabled when you imported Direct Connect, configuring the Direct Connect action group is optional.

Select the computer groups to include in the Direct Connect action group.

Set the action group to All Computers, unless you want to block direct connections to some endpoints.

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. Click Tanium Direct Connect.
  3. Select the computer groups that you want to include in the action group and click Save.
    If you select multiple computer groups, choose an operator (AND or OR) to combine the groups.

Configure Endpoint Connection settings

Specify Endpoint Connection settings to define the domain name to use to connect to the Module Server, certificates to authenticate connections to the Module Server and endpoints, and the port to use for connections.

  1. From the Direct Connect Overview page, click Settings and open the Endpoint Connection tab.
  2. In the Fully Qualified Domain Name section, provide an IP address or FQDN to use to connect to the Module Server. If the Module Server has multiple IP addresses or FQDNs used by different endpoints (such as groups of endpoints that connect to different interfaces or that use different DNS servers), enter all IP addresses or FQDNs separated by commas. One of the IP addresses or FQDNs that you provide must resolve to the Module Server from all endpoints in all direct endpoint connections.
  3. The Port is set to 17475 by default. If needed, you can modify this port. Make sure that incoming connections to this port are allowed by applicable firewall configurations.
  4. Select Bypass Action Lock to allow Direct Connect to make connections to endpoints with action lock turned on.

    For more information about action locks, see Tanium Console User Guide: Managing action locks.

  5. Click Save.

If the Fully Qualified Domain Name validates successfully, success messages are shown:
The endpoint connection settings saved successfully.
Content build is in progress. Connection settings will deploy to endpoints once complete.

If an error occurs, correct the fully qualified domain name and save again. If the information validates and saves successfully, packages for each supported operating system are created with the configuration information that is needed to use Direct Connect. These packages are distributed using a scheduled action to the Tanium Direct Connect action group.

Configure certificates

Configure certificates to authenticate connections to the Tanium Module Server and endpoints.

  1. From the Direct Connect Overview page, click Settings and open the Certificates tab.
  2. In the Server Certificate section, the Install a new certificate option is selected by default and cannot be modified during the initial configuration. A certificate is generated and installed to authenticate the server when an endpoint starts a connection.

    After a certificate is installed on the server, the expiration date for the certificate is shown. If a certificate is installed, you can select Renew to renew the certificate.

  3. In the Client Certificate section, the Install a new certificate option is selected by default and cannot be modified during the initial configuration. A certificate is generated, installed, and deployed to endpoints to authenticate that the endpoint is a Tanium client with permission to connect to the server.

    After a certificate is installed, the expiration date for the certificate is shown. If a certificate is installed, you can select Renew to renew the certificate.

  4. Click Save.
  5. Enter your password and click OK.

Set up Direct Connect users

You can use the following set of predefined user roles to set up Direct Connect users.

To review specific permissions for each role, see User role requirements.

On installation, Direct Connect creates a Direct Connect user to automatically manage the Direct Connect service account. Do not edit or delete the Direct Connect user.

For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.

Direct Connect Administrator

Assign the Direct Connect Administrator role to users who manage the configuration and deployment of Direct Connect functionality to endpoints.

This role can perform the following tasks:

  • Configure Direct Connect settings

  • Test direct endpoint connections

  • View own active endpoint sessions

Direct Connect User

Assign the Direct Connect User role to users who test direct endpoint connections and who can review their own active endpoint sessions.

Direct Connect Read Only User

Assign the Direct Connect Read Only User role to users who can only review their own active endpoint sessions.

Direct Connect Satellite Operator

Assign the Direct Connect Satellite Operator role to users who create and manage satellites.

Direct Connect Endpoint Configuration Approver

Assign the Direct Connect Endpoint Configuration Approver role to a user who approves or rejects Direct Connect configuration items in Tanium Endpoint Configuration.

Do not assign the Direct Connect Service Account and Direct Connect Service Account - All Content Sets roles to users. These roles are for internal purposes only.

Configure zone proxies

You can optionally configure a zone proxy to enable connections to endpoints through a Zone Server. This configuration is required to use Direct Connect with endpoints that connect to the Module Server through a Zone Server.

Zone Proxy Server Overview

For best results, do not use a load balancer in front of your Zone Server. If you must use a load balancer, it must be configured for persistent TCP connections and the port that you configure in the Direct Connect Zone Proxy for the Endpoint Inbound Port must be open on the load balancer. By default, this port is 17486.

Before you begin

Contact Tanium Support to obtain the Direct Connect Zone Proxy Installer file for your Zone Server operating system. For more information, see Contact Tanium Support.

Confirm that all required ports are available. For more information, see Host and network security requirements.

Install or upgrade the Direct Connect Zone Proxy

  1. Copy the Direct Connect Zone Proxy Installer to the Zone Server.
  2. Run the Direct Connect Zone Proxy Installer on the Zone Server to install or upgrade the Direct Connect Zone Proxy.
  3. If you are performing initial installation of the Direct Connect Zone Proxy, copy the provision secret and certificate (known as the provision payload) for use in the configuration in Direct Connect.

    The provision payload is stored in PROVISION.txt, which is located in the following directories:

    • TanOS: <Tanium Installation Directory>/TaniumDirectConnectZoneProxy/settings/PROVISION.txt

      During the installation process on TanOS, the Provision Secret and Certificate also appear in the console where you run the installation. You can copy the Provision Secret and Certificate from the console or from the PROVISION.txt file.

    • Windows: <Tanium Install Directory>\Tanium Direct Connect Zone Proxy\settings\PROVISION.txt

      At the end of the installation on Windows, click Open Provision Token to open PROVISION.txt. You can copy the Provision Secret and Certificate from this file.


    Either copy these values during the install or retrieve them from PROVISION.txt for use during the subsequent configuration steps. For example:

    [Figure: example Provision Secret and Certificate values as displayed during installation; the values in the figure are truncated]

    The preceding figure is provided as an example of the Provision Secret and Certificate values to copy during the installation. The content is intentionally truncated and cannot be used as-is. You must use the values from your installation for the certificate pinning to work. If you use this example Provision Secret and Certificate in your environment, your configuration will fail.

To complete the configuration for an initial installation, return to Direct Connect. No further configuration is necessary during an upgrade.

Configure the Direct Connect Zone Proxy

After you complete the initial installation of a Direct Connect Zone Proxy, you must configure it in Direct Connect. This configuration is not necessary during an upgrade.

  1. From the Direct Connect menu, click Zone Proxies.
  2. Click Add Zone Proxy.
  3. Specify the zone proxy Name.
  4. Paste the Provision Secret and Certificate that you saved during the installation into the Provision Payload field.
  5. Configure the Module Server Connection:

    1. Specify the Zone Proxy Host.

      This value is the internal IP address of the Zone Server that is accessible from the Module Server, or a host name or fully qualified domain name (FQDN) that the Module Server can resolve to an accessible address (for example, DMZZoneServer.internal.local).

    2. Specify the Bind IP Address.

      This value specifies the IPv4 network interface binding that the Zone Server uses to listen for Module Server connections. To listen on all interfaces, specify 0.0.0.0.

    3. Specify the Port that the Zone Server uses to listen for Module Server connections. The default value is 17487.
  6. Configure the Endpoint Connection:

    1. Specify the Zone Proxy Host.

      This value is the public IP address of the Zone Server that is accessible from endpoints, or an FQDN that endpoints can resolve to the public address (for example, MyZoneServer.company.com). If the Zone Server has multiple IP addresses or FQDNs used by different endpoints (such as groups of endpoints that connect to different interfaces or that use different DNS servers), enter all IP addresses or FQDNs separated by commas.

    2. Specify the Bind IP Address.

      This value specifies the IPv4 network interface binding that the Zone Server uses to listen for endpoint connections. To listen on all interfaces, specify 0.0.0.0.

    3. Specify the Port that the Zone Server uses to listen for endpoint connections. The default value is 17486.
  7. Click Save.
  8. Enter your password and click OK.

The status of the zone proxy is shown in the Status column. When the configuration is complete, the status is Connected.

Due to the provisioning process, you cannot modify existing zone proxy configurations. If needed, you can delete the configuration and recreate it with different values. To delete a configuration, hover over the configuration and click Delete.

You can also see the status and activity for existing Zone Proxies from this page.
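Both the Fully Qualified Domain Name entries in the Endpoint Connection settings (port 17475 by default) and the zone proxy Endpoint Connection host list (Endpoint Inbound Port 17486 by default) are comma-separated lists in which at least one entry must resolve and accept TCP connections from every endpoint. The following Python script is an added example, not Tanium's code: it parses such a list the way the settings describe it (IPv4 addresses or FQDNs), rejects entries that can never be a connect target, and probes each accepted entry; the function names and the loopback self-check are this example's own assumptions.

```python
import ipaddress
import socket

MODULE_SERVER_PORT = 17475        # default Endpoint Connection port
ZONE_PROXY_ENDPOINT_PORT = 17486  # default zone proxy Endpoint Inbound Port

def parse_host_list(value):
    """Split a comma-separated host setting into (entries, errors)."""
    entries, errors = [], []
    for raw in value.split(","):
        host = raw.strip()
        if not host:
            errors.append("empty entry")
            continue
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            entries.append((host, "fqdn"))  # not an IP literal: treat as FQDN
            continue
        if addr.version != 4 or addr.is_unspecified:  # IPv4 only; 0.0.0.0 is bind-only
            errors.append(f"not a usable IPv4 connect target: {host}")
        else:
            entries.append((host, "ipv4"))
    return entries, errors

def check_host(host, port, timeout=3.0):
    """Resolve host, then try a TCP connect to port; never raises."""
    result = {"host": host, "port": port, "resolved": None, "reachable": False, "error": None}
    try:
        result["resolved"] = socket.gethostbyname(host)
        with socket.create_connection((result["resolved"], port), timeout=timeout):
            result["reachable"] = True
    except OSError as exc:
        result["error"] = str(exc)
    return result

def check_host_list(value, port=MODULE_SERVER_PORT):
    """Check every accepted entry; run this from a representative endpoint."""
    entries, errors = parse_host_list(value)
    return [check_host(h, port) for h, _ in entries], errors

def demo_loopback():
    """Offline self-check: a loopback listener stands in for the Module Server."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    up = check_host("127.0.0.1", port)
    srv.close()
    return up, check_host("127.0.0.1", port)  # second probe after close: refused
```

Run check_host_list with the exact string saved in the setting from an endpoint in each network segment; an entry that resolves but is not reachable usually points at a firewall that does not allow the configured port.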

Uninstall the Direct Connect Zone Proxy (Windows)

A user with Local Administrator rights on the endpoint can remove the Tanium Client through either the Windows Control Panel Add/Remove Programs or Programs and Features applet.

For information about managing the Direct Connect Zone Proxy on TanOS, see Appliance Deployment Guide: Install the Direct Connect Zone Proxy.