Configuring Direct Connect

If you did not install Direct Connect with the Apply All Tanium recommended configurations, you must enable and configure certain features. Additionally, if you want to enable connections to endpoints through a Tanium™ Zone Server, you must configure a zone proxy.

(Tanium Core Platform 7.4.5 or later only) You can set the Direct Connect action group to target the No Computers filter group by enabling restricted targeting before importing Direct Connect. This option enables you to control tools deployment through scheduled actions that are created during the import and that target the Tanium Direct Connect action group. For example, you might want to test tools on a subset of endpoints before deploying the tools to all endpoints. In this case, you can manually deploy the tools to an action group that you configured to target only the subset. To configure an action group, see Tanium Console User Guide: Managing action groups. To enable or disable restricted targeting, see Tanium Console User Guide: Dependencies, default settings, and tools deployment.

When you import Direct Connect with automatic configuration, the following default settings are configured:

Setting: Action group
Default value:
  • Restricted targeting disabled (default): All Computers computer group
  • Restricted targeting enabled: No Computers computer group

Setting: Service account
Default value: The service account is set to the account that you used to import the module.

Configuring a unique service account for each Tanium solution is an extra security measure to consider in consultation with the security team of your organization. See Configure service account.

Setting: Fully Qualified Domain Name for the Module Server
Default value: The Fully Qualified Domain Name setting in the Endpoint Connection settings is set to the first-detected IPv4 address that is closest to the Tanium Server IP address. (This is often the IP address of the Module Server.)

The IP address or FQDN that is specified for this setting must resolve to the Module Server from all endpoints in all direct endpoint connections. After the initial installation and configuration completes, you can verify this value on the Endpoint Connection tab in the Direct Connect settings and update it if needed.

Configure Tanium Endpoint Configuration

Manage solution configurations with Tanium Endpoint Configuration

Tanium Endpoint Configuration delivers configuration information and required tools for Tanium Solutions to endpoints. Endpoint Configuration consolidates the configuration actions that traditionally accompany additional Tanium functionality and eliminates the potential for timing errors that occur between when a solution configuration is made and the time that configuration reaches an endpoint. Managing configuration in this way greatly reduces the time to install, configure, and use Tanium functionality, and improves the flexibility to target specific configurations to groups of endpoints.

Endpoint Configuration is installed as a part of Tanium Client Management. For more information, see the Tanium Client Management User Guide: Installing Client Management.

Additionally, you can use Endpoint Configuration to manage configuration approval. When approvals are enabled, configuration changes are not deployed to endpoints until a user with approval permission approves the configuration changes in Endpoint Configuration. For more information about the roles and permissions that are required to approve configuration changes for Direct Connect, see User role requirements.

To use Endpoint Configuration to manage approvals, you must enable configuration approvals.

  1. From the Main menu, go to Administration > Shared Services > Endpoint Configuration to open the Endpoint Configuration Overview page.
  2. Click Settings and click the Global tab.
  3. Select Enable configuration approvals, and click Save.

For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.

If you enabled configuration approvals, you must approve the deployment of Direct Connect tools in Endpoint Configuration before they deploy to endpoints.

Configure Direct Connect

Configure service account

The Direct Connect service account runs background processes for the Direct Connect service. This user requires the Direct Connect Service Account role. If you installed Tanium Client Management, Endpoint Configuration is installed, and by default, configuration changes initiated by the module service account (such as tool deployment) require approval. You can bypass approval for module-generated configuration changes by applying the Endpoint Configuration Bypass Approval permission to this role and adding the relevant content sets. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

For more information about Direct Connect permissions, see User role requirements.

If you imported Direct Connect with default settings, the service account is set to the account that you used to perform the import. Configuring a unique service account for each Tanium solution is an extra security measure to consider in consultation with the security team of your organization.

  1. On the Direct Connect Overview page, click Settings and then click Service Account if needed.
  2. Provide a user name and password, and then click Save.

Configure the Direct Connect action group

Importing the Direct Connect module automatically creates an action group to target specific endpoints. Select the computer groups to include in the Direct Connect action group.

Set the action group to All Computers, unless you want to block direct connections to some endpoints.

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. Click Tanium Direct Connect.
  3. Select the computer groups to include in the action group, and click Save.

    If you select multiple computer groups, choose an operator (AND or OR) to combine the groups.

Configure Endpoint Connection settings

Specify Endpoint Connection settings to define the domain name to use to connect to the Module Server, certificates to authenticate connections to the Module Server and endpoints, and the port to use for connections.

  1. From the Direct Connect Home page, click Settings and open the Endpoint Connection tab.
  2. In the Fully Qualified Domain Name section, provide an IP address or FQDN to use to connect to the Module Server. The IP address or FQDN that you provide must resolve to the Module Server from all endpoints in all direct endpoint connections.
  3. The Port is set to 17475 by default. If needed, you can modify this port. Make sure that incoming connections to this port are allowed by applicable firewall configurations.
  4. In the Action Lock section, specify the behavior that you want for Direct Connect when action lock is enabled on endpoints:
    • Block All Direct Connection Actions
    • Allow New Connections
    • Allow New Connections and Configuration Changes

    For more information about action locks, see Tanium Console User Guide: Managing action locks.

  5. Click Save.

If the Fully Qualified Domain Name validates successfully, success messages are shown:
The endpoint connection settings saved successfully.
Content build is in progress. Connection settings will deploy to endpoints once complete.

If an error occurs, correct the fully qualified domain name and save again. If the information validates and saves successfully, packages for each supported operating system are created with the configuration information that is needed to use Direct Connect. These packages are distributed using a scheduled action to the Tanium Direct Connect action group.
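The FQDN and port you enter here are only useful if every endpoint can resolve the name to the Module Server and reach the port. The following pre-check, added here as an example and not part of the Tanium documentation or product, runs on an endpoint and verifies both conditions; the host name and IP address in it are placeholders you replace with your own values.

```python
import socket

# Assumed placeholder values (not from the Tanium documentation): replace with the
# FQDN you entered on the Endpoint Connection tab and the Module Server's real IP(s).
MODULE_SERVER_FQDN = "tanium-module.example.internal"
MODULE_SERVER_IPS = ["10.0.0.5"]
DIRECT_CONNECT_PORT = 17475  # default Endpoint Connection port


def resolves_to_module_server(fqdn, expected_ips, resolver=socket.gethostbyname_ex):
    """Check that fqdn resolves, from this endpoint, to one of the Module Server's IPs.

    A name that resolves to some other host means the endpoint would try to reach
    the wrong machine. Returns (ok, message)."""
    try:
        _, _, addrs = resolver(fqdn)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return False, f"{fqdn} does not resolve: {exc}"
    matched = sorted(set(addrs) & set(expected_ips))
    if not matched:
        return False, f"{fqdn} resolves to {sorted(addrs)}, not to the Module Server {sorted(expected_ips)}"
    return True, f"{fqdn} resolves to Module Server address(es) {matched}"


def port_reachable(host, port, connector=socket.create_connection, timeout=5.0):
    """Open and immediately close a TCP connection to the Direct Connect port.

    Failure usually means a firewall between the endpoint and the Module Server
    does not allow the port. Returns (ok, message)."""
    try:
        conn = connector((host, port), timeout=timeout)
    except OSError as exc:
        return False, f"TCP {host}:{port} not reachable: {exc}"
    conn.close()
    return True, f"TCP {host}:{port} accepted a connection"


def precheck(fqdn, expected_ips, port=DIRECT_CONNECT_PORT,
             resolver=socket.gethostbyname_ex, connector=socket.create_connection):
    """Run both checks in order; skip the port test when the name does not resolve correctly."""
    results = [resolves_to_module_server(fqdn, expected_ips, resolver)]
    if results[0][0]:
        results.append(port_reachable(fqdn, port, connector))
    return results


if __name__ == "__main__":
    for ok, message in precheck(MODULE_SERVER_FQDN, MODULE_SERVER_IPS):
        print("PASS" if ok else "FAIL", message)
```

Run it on a few endpoints in each network segment before saving the settings; a FAIL on the resolution check points at DNS, a FAIL on the port check points at a firewall rule.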

Configure certificates

Configure certificates to authenticate connections to the Tanium Module server and endpoints.

  1. From the Direct Connect Home page, click Settings and open the Certificates tab.
  2. In the Server Certificate section, the Install a new certificate option is selected by default and cannot be modified during the initial configuration. A certificate is generated and installed to authenticate the server when an endpoint starts a connection.

    After a certificate is installed on the server, the expiration date for the certificate is shown. If a certificate is installed, you can select Renew to renew the certificate.

  3. In the Client Certificate section, the Install a new certificate option is selected by default and cannot be modified during the initial configuration. A certificate is generated, installed, and deployed to endpoints to authenticate that the endpoint is a Tanium client with permission to connect to the server.

    After a certificate is installed, the expiration date for the certificate is shown. If a certificate is installed, you can select Renew to renew the certificate.

  4. Click Save.
  5. Enter your password and click OK.

Set up Direct Connect users

You can use the following set of predefined user roles to set up Direct Connect users.

To review specific permissions for each role, see User role requirements.

For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.

Direct Connect Administrator

Assign the Direct Connect Administrator role to users who manage the configuration and deployment of Direct Connect functionality to endpoints.

This role can perform the following tasks:

  • Configure Direct Connect settings

  • Test direct endpoint connections

  • View own active endpoint sessions

Direct Connect User

Assign the Direct Connect User role to users who test direct endpoint connections and who can review their own active endpoint sessions.

Direct Connect Read Only User

Assign the Direct Connect Read Only User role to users who can only review their own active endpoint sessions.

Direct Connect Service Account

Assign the Direct Connect Service Account role to the account that performs background processes for Direct Connect. For more information, see Configure service account.

Direct Connect Endpoint Configuration Approver

Assign the Direct Connect Endpoint Configuration Approver role to a user who approves or rejects Direct Connect configuration items in Tanium Endpoint Configuration.

Configure zone proxies

You can optionally configure a zone proxy to enable connections to endpoints through a Zone Server. This configuration is required to use Direct Connect with endpoints that connect to the Module Server through a Zone Server.

Zone Proxy Server Overview

For best results, do not use a load balancer in front of your Zone Server. If you must use a load balancer, it must be configured for persistent TCP connections and the port that you configure in the Direct Connect Zone Proxy for the Endpoint Inbound Port must be open on the load balancer. By default, this port is 17486.

Before you begin

Contact Tanium Support to obtain the Direct Connect Zone Proxy Installer file for your Zone Server operating system. For more information, see Contact Tanium Support.

Confirm that all required ports are available. For more information, see Host and network security requirements.

Install or upgrade the Direct Connect Zone Proxy

  1. Copy the Direct Connect Zone Proxy Installer to the Zone Server.
  2. Run the Direct Connect Zone Proxy Installer on the Zone Server to install or upgrade the Direct Connect Zone Proxy.
  3. If you are performing initial installation of the Direct Connect Zone Proxy, copy the provision secret and certificate (known as the provision payload) for use in the configuration in Direct Connect.

    The provision payload is stored in PROVISION.txt, which is located in the following directories:

    • TanOS: <Tanium Installation Directory>/TaniumDirectConnectZoneProxy/settings/PROVISION.txt

      During the installation process on TanOS, the Provision Secret and Certificate also appear in the console where you run the installation. You can copy the Provision Secret and Certificate from the console or from the PROVISION.txt file.

    • Windows: <Tanium Install Directory>\Tanium Direct Connect Zone Proxy\settings\PROVISION.txt

      At the end of the installation on Windows, click Open Provision Token to open PROVISION.txt. You can copy the Provision Secret and Certificate from this file.

    Either copy these values during the installation or retrieve them from PROVISION.txt for use during the subsequent configuration steps. For example:

    [Figure: example Provision Secret and Certificate values, intentionally truncated]

    The preceding figure is provided as an example of the Provision Secret and Certificate values to copy during the installation. The content is intentionally truncated and cannot be used as-is. You must use the values from your installation for the certificate pinning to work. If you use this example Provision Secret and Certificate in your environment, your configuration will fail.

To complete the configuration for an initial installation, return to Direct Connect. No further configuration is necessary during an upgrade.

Configure the Direct Connect Zone Proxy

After you complete the initial installation of a Direct Connect Zone Proxy, you must configure it in Direct Connect. This configuration is not necessary during an upgrade.

  1. From the Direct Connect menu, click Zone Proxies.
  2. Click Add Zone Proxy.
  3. Specify the zone proxy Name.
  4. Paste the Provision Secret and Certificate that you saved during the installation into the Provision Payload field.
  5. Configure the Module Server Connection:

    1. Specify the Zone Proxy Host.

      This value is the host name or IP address that is used by the Module Server to connect to the Zone Server. It is the Zone Server's internal IP address, host name, or fully qualified domain name that can be resolved by the Module Server. For example, DMZZoneServer.internal.local.

    2. Specify the Bind IP Address.

      This value is the binding IP address that is used by the Zone Server for Module Server connections. It is the Zone Server's internal IP address that can be reached by the Module Server.

      Use this value to specify the IPv4 interface on the Zone Server to bind to for module server connections on multihomed servers. To listen on all interfaces, specify 0.0.0.0.

      In most environments, this value is not the same as the IP address of the Module Server.

    3. Specify the Port.

      This value is the binding port that is used by the Zone Server for module server connections. The default value is 17487.

  6. Configure the Endpoint Connection:

    1. Specify the Zone Proxy Host.

      This value is the host name or IP address that is used by endpoints to connect to the Zone Server. It is the Zone Server's external IP address or fully qualified domain name that can be resolved by endpoints. This value is a public, internet-routable IP address or host name. For example, MyZoneServer.company.com.

    2. Specify the Bind IP Address.

      This value is the binding IP address that is used by the Zone Server for endpoint connections. It is the Zone Server's external IP address that can be reached by endpoints. This value is a public, internet-routable IP address.

      Use this value to specify the IPv4 interface on the Zone Server to bind to for endpoint connections on multihomed servers. To listen on all interfaces, specify 0.0.0.0.

    3. Specify the Port.

      This value is the binding port that is used by the Zone Server for endpoint connections. The default value is 17486.

  7. Click Save.
  8. Enter your password and click OK.

The status of the zone proxy shows in the Status column. When the configuration is complete, the status is Connected.
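Because a zone proxy configuration cannot be edited after provisioning, it pays to sanity-check the values before you click Save. The following validator, added here as an example and not part of the Tanium documentation or product, encodes the rules from the steps above: bind addresses are IPv4 or 0.0.0.0, the Module Server bind address is internal and normally differs from the Module Server's own IP, the endpoint bind address is internet-routable, and the two listeners use different ports (17487 and 17486 by default). The data class and all sample values are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

DEFAULT_MODULE_SERVER_PORT = 17487  # Zone Server listener for Module Server connections
DEFAULT_ENDPOINT_PORT = 17486       # Zone Server listener for endpoint connections
WILDCARD = ipaddress.ip_address("0.0.0.0")  # listen on all interfaces


@dataclass
class ZoneProxyConfig:  # hypothetical structure mirroring the Add Zone Proxy fields
    name: str
    module_server_host: str     # resolvable by the Module Server, e.g. DMZZoneServer.internal.local
    module_server_bind_ip: str  # internal interface on the Zone Server, or 0.0.0.0
    endpoint_host: str          # resolvable by endpoints, e.g. MyZoneServer.company.com
    endpoint_bind_ip: str       # public, internet-routable interface, or 0.0.0.0
    module_server_port: int = DEFAULT_MODULE_SERVER_PORT
    endpoint_port: int = DEFAULT_ENDPOINT_PORT


def _ipv4(value, field):
    """Parse a bind address; the settings take an IPv4 interface. Returns (addr, finding)."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return None, f"{field}: '{value}' is not an IP address"
    if addr.version != 4:
        return None, f"{field}: '{value}' is not IPv4"
    return addr, None


def validate(cfg, module_server_ip=None):
    """Return a list of findings; an empty list means the values fit the rules above."""
    findings = []
    ms_bind, err = _ipv4(cfg.module_server_bind_ip, "module_server_bind_ip")
    if err:
        findings.append(err)
    ep_bind, err = _ipv4(cfg.endpoint_bind_ip, "endpoint_bind_ip")
    if err:
        findings.append(err)
    if ms_bind is not None and ms_bind != WILDCARD and ms_bind.is_global:
        findings.append("module_server_bind_ip: expected the Zone Server's internal address")
    if ms_bind is not None and module_server_ip and ms_bind == ipaddress.ip_address(module_server_ip):
        findings.append("module_server_bind_ip: equals the Module Server's own IP, which is rarely correct")
    if ep_bind is not None and ep_bind != WILDCARD and not ep_bind.is_global:
        findings.append("endpoint_bind_ip: must be a public, internet-routable address or 0.0.0.0")
    for field, port in (("module_server_port", cfg.module_server_port), ("endpoint_port", cfg.endpoint_port)):
        if not 1 <= port <= 65535:
            findings.append(f"{field}: {port} is not a valid TCP port")
    if cfg.module_server_port == cfg.endpoint_port:
        findings.append("ports: the Module Server and endpoint listeners must differ")
    return findings
```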

Due to the provisioning process, you cannot modify existing zone proxy configurations. If needed, you can delete the configuration and recreate it with different values. To delete a configuration, hover over the configuration and click Delete.

You can also see the status and activity for existing Zone Proxies from this page.