Installing Direct Connect

If you are using Tanium as a Service, module installation and upgrades are handled by the service.

Use the Tanium Solutions page to install Direct Connect and choose either automatic or manual configuration:

  • Automatic configuration with default settings (Tanium Core Platform 7.4.2 or later only): Direct Connect is installed with any required dependencies and other selected products. After installation, the Tanium Server automatically configures the recommended default settings. This option is the best practice for most deployments. For details about the automatic configuration for Direct Connect, see Import and configure Direct Connect with default settings.
  • Manual configuration with custom settings: After installing Direct Connect, you must manually configure required settings. Select this option only if Direct Connect requires settings that differ from the recommended default settings. For more information, see Import and configure Direct Connect with custom settings.

For most deployments, use the Automatic configuration with default settings option.

Before you begin

Import and configure Direct Connect with default settings

When you import Direct Connect with automatic configuration, the following default settings are configured:

  • The Direct Connect service account is set to the account that you used to import the module.
  • The Direct Connect action group is set to the computer group All Computers.
  • The Fully Qualified Domain Name setting in the Endpoint Connection settings is set to the first detected external IPv4 address that is closest to the Tanium Server IP address.

    This name or address must resolve to the Module Server from all endpoints in all direct endpoint connections. After the initial installation and configuration completes, you can verify this value on the Endpoint Connection tab in the Direct Connect settings and update it, if needed.

(Tanium Core Platform 7.4.5 or later only) The procedure to import Direct Connect with automatic configuration includes an optional step for setting the Direct Connect action group to target the No Computers filter group. This option prevents Direct Connect from automatically deploying tools to endpoints. For example, you might want to test tools on a subset of endpoints before deploying them to all endpoints. In this case, you can manually deploy tools to an action group that targets only the subset.

To import Direct Connect and configure default settings, see Tanium Console User Guide: Import all modules and services. After the import, verify that the correct version is installed: see Verify Direct Connect version.

Import and configure Direct Connect with custom settings

To import Direct Connect without automatically configuring default settings, follow the steps in Tanium Console User Guide: Manage shared services and content. After the import, verify that the correct version is installed: see Verify Direct Connect version.

Configure the service account

The Direct Connect service account runs background processes for the Direct Connect service. This user requires the following roles:

  • Direct Connect Service Account
  • Data Collection Operator

If you installed Tanium Client Management, Endpoint Configuration is installed, and by default, configuration changes initiated by the module service account (such as tool deployment) require approval. You can bypass approval for module-generated configuration changes by applying the Endpoint Configuration Bypass Approval permission to the role assigned to the service account and adding the relevant content sets. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

  1. From the Main menu, go to Administration > Shared Services > Direct Connect to open the Direct Connect Overview page. From the Direct Connect Overview page, click Settings and open the Service Account tab.
  2. Update the service account settings and click Save.

Configure the Direct Connect action group

Unless you imported Direct Connect with automatic configuration, which sets the action group to All Computers, the Direct Connect action group is set to the No Computers computer group. You can set the action group to All Computers or to any computer groups that you have defined.

  1. From the Main menu, click Administration > Actions > Scheduled Actions.
  2. From the list of action groups, click Direct Connect.
  3. Click Edit, select computer groups to include in the action group, and click Save.

Configure Endpoint Connection settings

Specify Endpoint Connection settings to define the domain name to use to connect to the Module Server, certificates to authenticate connections to the Module Server and endpoints, and the port to use for connections.

  1. From the Direct Connect Overview page, click Settings and open the Endpoint Connection tab.
  2. In the Fully Qualified Domain Name section, provide a domain name to use to connect to the Module Server. The domain name that you provide must resolve to the Module Server from all endpoints in all direct endpoint connections. Direct Connect validates only the format of the name that you provide, not that it resolves, so verify its accuracy yourself.
  3. The Port is set to 17475 by default. If needed, you can modify this port. Make sure that incoming connections to this port on the Module Server are allowed by applicable firewall configurations.
  4. In the Action Lock section, specify the behavior that you want for Direct Connect when action lock is enabled on endpoints:
    • Block All Direct Connection Actions
    • Allow New Connections
    • Allow New Connections and Configuration Changes

    For more information about action locks, see Tanium Console User Guide: Managing action locks.

  5. Click Save.
  6. Enter your password and click OK.

If the Fully Qualified Domain Name validates successfully, success messages are shown:
The endpoint connection settings saved successfully.
Content build is in progress. Connection settings will deploy to endpoints once complete.

If an error occurs, correct the fully qualified domain name and save again. If the information validates and saves successfully, packages for each supported operating system are created with the configuration information that is needed to use Direct Connect. These packages are distributed using a scheduled action to the Tanium Direct Connect action group.
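Because the console validates only the format of the Fully Qualified Domain Name, the check that actually matters is the one from an endpoint: does the name resolve to the Module Server, and does the configured port answer? The following script is an added example, not Tanium's code; the function names, the `module_server_ips` argument and the injectable `resolver`/`connector` callables are assumptions made for this illustration. It accepts an IPv4 literal as well as a host name, because automatic configuration stores an address in this field.

```python
"""Endpoint-side pre-flight check for the Direct Connect Endpoint Connection
settings. Added example, not Tanium's code: it assumes only that endpoints
reach the Module Server on the configured port (17475 by default) over TCP.
Direct Connect validates the *format* of the Fully Qualified Domain Name
only; this script checks that the name resolves to the Module Server and
that the port answers, which is what has to hold on every endpoint.
"""
import ipaddress
import re
import socket
import sys
from typing import Callable, Iterable, List

DEFAULT_PORT = 17475  # Direct Connect default Endpoint Connection port

# RFC 1123 host label: 1-63 characters, letters, digits and hyphens,
# no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def host_format_ok(name: str) -> bool:
    """Structural check of the configured value. Accepts an IPv4 literal
    (automatic configuration stores one) or a multi-label host name."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    try:
        ipaddress.IPv4Address(name)
        return True
    except ValueError:
        pass
    labels = name.split(".")
    if len(labels) < 2 or all(label.isdigit() for label in labels):
        return False  # bare host name, or a malformed dotted-quad
    return all(_LABEL.match(label) for label in labels)


def resolve_ipv4(name: str) -> List[str]:
    """IPv4 addresses this endpoint obtains for `name` (raises OSError on failure)."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def tcp_reachable(host: str, port: int, timeout: float = 5.0) -> bool:
    """True if a TCP connection to host:port completes within `timeout`."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_endpoint_connection(
    fqdn: str,
    module_server_ips: Iterable[str],
    port: int = DEFAULT_PORT,
    *,
    resolver: Callable[[str], List[str]] = resolve_ipv4,
    connector: Callable[[str, int], bool] = tcp_reachable,
) -> List[str]:
    """Return a list of findings; an empty list means the settings work from
    this endpoint. `resolver` and `connector` are injectable (assumed names)
    so the logic can be exercised without network access."""
    if not host_format_ok(fqdn):
        return [f"'{fqdn}' is not a valid fully qualified domain name"]
    if not 1 <= port <= 65535:
        return [f"port {port} is out of range"]
    try:
        addrs = resolver(fqdn)
    except OSError as exc:
        return [f"{fqdn} does not resolve from this endpoint: {exc}"]
    expected = set(module_server_ips)
    findings = []
    unexpected = [a for a in addrs if a not in expected]
    if unexpected:
        findings.append(f"{fqdn} resolves to {unexpected}, not to the Module Server {sorted(expected)}")
    if not connector(fqdn, port):
        findings.append(f"TCP {fqdn}:{port} is not reachable from this endpoint (check firewall rules)")
    return findings


if __name__ == "__main__":
    # usage: python dc_check.py <fqdn> <module-server-ip> [<module-server-ip> ...]
    if len(sys.argv) < 3:
        sys.exit(__doc__)
    problems = check_endpoint_connection(sys.argv[1], sys.argv[2:])
    print("\n".join(problems) if problems else "OK: endpoint can reach Direct Connect")
    sys.exit(1 if problems else 0)
```

Run it on a representative endpoint in each network segment (including endpoints behind a Zone Server, where the resolution result is expected to differ), and treat any finding as a reason to revisit the Fully Qualified Domain Name before the scheduled action distributes the configuration packages.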

Configure certificates

Configure certificates to authenticate connections to the Tanium Module server and endpoints.

  1. From the Direct Connect Overview page, click Settings and open the Certificates tab.
  2. In the Server Certificate section, the Install a new certificate option is selected by default and cannot be modified during the initial configuration. A certificate is generated and installed to authenticate the server when an endpoint starts a connection.

    After a certificate is installed on the server, the expiration date for the certificate is shown. If a certificate is installed, you can select Renew to renew the certificate.

  3. In the Client Certificate section, the Install a new certificate option is selected by default and cannot be modified during the initial configuration. A certificate is generated, installed, and deployed to endpoints to authenticate that the endpoint is a Tanium client with permission to connect to the server.

    After a certificate is installed, the expiration date for the certificate is shown. If a certificate is installed, you can select Renew to renew the certificate.

  4. Click Save.
  5. Enter your password and click OK.

Manage solution configurations with Tanium Endpoint Configuration

Tanium Endpoint Configuration delivers configuration information and required tools for Tanium Solutions to endpoints. Endpoint Configuration consolidates the configuration actions that traditionally accompany additional Tanium functionality and eliminates the potential for timing errors that occur between when a solution configuration is made and the time that configuration reaches an endpoint. Managing configuration in this way greatly reduces the time to install, configure, and use Tanium functionality, and improves the flexibility to target specific configurations to groups of endpoints.

Endpoint Configuration is installed as a part of Tanium Client Management. For more information, see the Tanium Client Management User Guide: Installing Client Management.

Additionally, you can use Endpoint Configuration to manage configuration approval. For example, configuration changes are not deployed to endpoints until a user with approval permission approves the configuration changes in Endpoint Configuration. For more information about the roles and permissions that are required to approve configuration changes for Direct Connect, see User role requirements.

To use Endpoint Configuration to manage approvals, you must enable configuration approvals.

  1. From the Main menu, go to Administration > Shared Services > Endpoint Configuration to open the Endpoint Configuration Overview page.
  2. Click Settings and click the Global tab.
  3. Select Enable configuration approvals, and click Save.

For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.

Configure zone proxies

You can optionally configure a zone proxy to enable connections to endpoints through a Tanium™ Zone Server. This configuration is required to use Direct Connect with endpoints that connect to the Module Server through a Zone Server.

Zone Proxy Server Overview

For best results, do not use a load balancer in front of your Zone Server. If you must use a load balancer, it must be configured for persistent TCP connections and the port that you configure in the Direct Connect Zone Proxy for the Endpoint Inbound Port must be open on the load balancer. By default, this port is 17486.

Before you begin

Contact Tanium Support to obtain the Direct Connect Zone Proxy Installer file for your Zone Server operating system. For more information, see Contact Tanium Support.

Confirm that all required ports are available. For more information, see Host and network security requirements.

Install and configure the Direct Connect Zone Proxy

  1. Copy the Direct Connect Zone Proxy Installer to the Zone Server.
  2. Run the Direct Connect Zone Proxy Installer on the Zone Server to install the Direct Connect Zone Proxy.

    The installation process generates the Provision Secret and Certificate (together referred to as the Provision Payload).

    The provision payload is stored in PROVISION.txt, which is located in the following directories:

    • TanOS: <Tanium Installation Directory>/TaniumDirectConnectZoneProxy/settings/PROVISION.txt

      During the installation process on TanOS, the Provision Secret and Certificate also appear in the console where you run the installation. You can copy the Provision Secret and Certificate from the console or from the PROVISION.txt file.

    • Windows: <Tanium Install Directory>\Tanium Direct Connect Zone Proxy\settings\PROVISION.txt

      At the end of the installation on Windows, click Open Provision Token to open PROVISION.txt. You can copy the Provision Secret and Certificate from this file.



    Either copy these during the install or retrieve them from PROVISION.txt for use during the subsequent configuration steps. For example:

    [Figure: example Provision Secret and Certificate values as shown by the installer; the content is intentionally truncated.]

    The figure only shows what the values look like. The truncated content cannot be used as-is, and the certificate pinning works only with the values from your own installation. If you use this example Provision Secret and Certificate in your environment, your configuration will fail.

    If needed, you can rerun the installer to generate a new provision payload.

    After the installation completes and you save the provision payload (provision secret and certificate), return to Direct Connect.

  3. From the Direct Connect menu, click Zone Proxies.
  4. Click Add Zone Proxy.
  5. Specify the zone proxy Name.
  6. Paste the Provision Secret and Certificate that you saved during the installation into the Provision Payload field.
  7. Configure the Module Server Connection:

    1. Specify the Zone Proxy Host.

      This value is the host name or IP address that is used by the Module Server to connect to the Zone Server. It is the Zone Server's internal IP address, host name, or fully qualified domain name that can be resolved by the Module Server. For example, DMZZoneServer.internal.local.

    2. Specify the Bind IP Address.

      This value is the binding IP address that is used by the Zone Server for Module Server connections. It is the Zone Server's internal IP address that can be reached by the Module Server.

      Use this value to specify the IPv4 interface on the Zone Server to bind to for Module Server connections on multihomed servers. To listen on all interfaces, specify 0.0.0.0.

      In most environments, this value is not the same as the IP address of the Module Server.

    3. Specify the Port.

      This value is the binding port that is used by the Zone Server for Module Server connections. The default value is 17487.

  8. Configure the Endpoint Connection:

    1. Specify the Zone Proxy Host.

      This value is the host name or IP address that is used by endpoints to connect to the Zone Server. It is the Zone Server's external IP address or fully qualified domain name that can be resolved by endpoints. This value is a public, internet-routable IP address or host name. For example, MyZoneServer.company.com.

    2. Specify the Bind IP Address.

      This value is the binding IP address that is used by the Zone Server for endpoint connections. It is the Zone Server's external IP address that can be reached by endpoints. This value is a public, internet-routable IP address.

      Use this value to specify the IPv4 interface on the Zone Server to bind to for endpoint connections on multihomed servers. To listen on all interfaces, specify 0.0.0.0.

    3. Specify the Port.

      This value is the binding port that is used by the Zone Server for endpoint connections. The default value is 17486.

  9. Click Save.
  10. Enter your password and click OK.

The status of the zone proxy shows in the Status column. When the configuration is complete, the status is Connected.

Due to the provisioning process, you cannot modify existing zone proxy configurations. If needed, you can delete the configuration and recreate it with different values. To delete a configuration, hover over the configuration and click Delete.

You can also see the status and activity for existing Zone Proxies from this page.
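Because an existing zone proxy cannot be edited and must be deleted and recreated, it pays to check the form values before clicking Save. The following validator is an added example, not Tanium's code; the `ZoneProxyConfig` dataclass, the `validate_zone_proxy` function and its optional `module_server_ip` argument are assumptions for this illustration. It encodes only the constraints stated in the procedure above: IPv4 bind addresses with 0.0.0.0 meaning all interfaces, an internal address on the Module Server side, a public, internet-routable one on the endpoint side, the Module Server bind IP not being the Module Server's own address, and the two listeners not colliding on the same port and interface.

```python
"""Validation of the values entered on the Direct Connect Add Zone Proxy form.
Added example, not Tanium's code. Findings are (severity, message) pairs:
ERROR means the configuration cannot work, WARN means it deviates from the
documented intent (internal Module Server side, public endpoint side).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

MODULE_SERVER_PORT = 17487  # default Module Server Connection port
ENDPOINT_PORT = 17486       # default Endpoint Connection (inbound) port
ANY_IPV4 = ipaddress.IPv4Address("0.0.0.0")

Finding = Tuple[str, str]


@dataclass
class ZoneProxyConfig:  # assumed name; mirrors the fields on the Add Zone Proxy form
    name: str
    module_host: str          # resolvable by the Module Server
    module_bind_ip: str       # Zone Server interface for Module Server connections
    endpoint_host: str        # resolvable by endpoints
    endpoint_bind_ip: str     # Zone Server interface for endpoint connections
    module_port: int = MODULE_SERVER_PORT
    endpoint_port: int = ENDPOINT_PORT


def _parse_bind_ip(label: str, value: str, findings: List[Finding]) -> Optional[ipaddress.IPv4Address]:
    """Bind IP must be an IPv4 literal; IPv6 and host names are rejected."""
    try:
        return ipaddress.IPv4Address(value)
    except ValueError:
        findings.append(("ERROR", f"{label} bind IP '{value}' is not an IPv4 address"))
        return None


def _as_ip(value: str) -> Optional[ipaddress.IPv4Address]:
    """IPv4 object if `value` is a literal address, else None (a host name)."""
    try:
        return ipaddress.IPv4Address(value)
    except ValueError:
        return None


def validate_zone_proxy(cfg: ZoneProxyConfig, module_server_ip: Optional[str] = None) -> List[Finding]:
    findings: List[Finding] = []
    if not cfg.name.strip():
        findings.append(("ERROR", "zone proxy name is empty"))
    for label, port in (("Module Server", cfg.module_port), ("Endpoint", cfg.endpoint_port)):
        if not 1 <= port <= 65535:
            findings.append(("ERROR", f"{label} port {port} is out of range"))

    mod_bind = _parse_bind_ip("Module Server", cfg.module_bind_ip, findings)
    ep_bind = _parse_bind_ip("Endpoint", cfg.endpoint_bind_ip, findings)

    # Module Server side: an internal address, and not the Module Server's own IP.
    mod_ip = _as_ip(cfg.module_host)
    if mod_ip is not None and mod_ip.is_global:
        findings.append(("WARN", f"Module Server-side host {cfg.module_host} is a public address; an internal one is expected"))
    if module_server_ip and mod_bind is not None and str(mod_bind) == module_server_ip:
        findings.append(("WARN", "Module Server bind IP equals the Module Server IP; it should be the Zone Server's own interface"))

    # Endpoint side: public, internet-routable. ipaddress classifies RFC 1918,
    # CGNAT and documentation ranges (e.g. 203.0.113.0/24) as non-global.
    ep_ip = _as_ip(cfg.endpoint_host)
    if ep_ip is not None and not ep_ip.is_global:
        findings.append(("WARN", f"endpoint-side host {cfg.endpoint_host} is not internet-routable"))
    if ep_bind is not None and ep_bind != ANY_IPV4 and not ep_bind.is_global:
        findings.append(("WARN", f"endpoint bind IP {ep_bind} is not internet-routable"))

    # Two listeners on the same port collide when either binds all interfaces
    # or both bind the same address.
    if mod_bind is not None and ep_bind is not None and cfg.module_port == cfg.endpoint_port:
        if ANY_IPV4 in (mod_bind, ep_bind) or mod_bind == ep_bind:
            findings.append(("ERROR", f"both listeners bind port {cfg.module_port} on overlapping interfaces"))
    return findings


def has_errors(findings: List[Finding]) -> bool:
    return any(sev == "ERROR" for sev, _ in findings)
```

The WARN findings are deliberately not errors: a lab that exposes the endpoint side on a private range, or a Module Server bind IP that happens to equal the Module Server address, can work, but both contradict the intent of the form and are the first things to revisit when the Status column does not reach Connected.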

Manage dependencies for Tanium solutions

When you start the Direct Connect workbench for the first time, the Tanium Console ensures that all of the required dependencies for Direct Connect are installed at the required version. You must install all required Tanium dependencies before the Direct Connect workbench can load. A banner appears if one or more Tanium dependencies are not installed in the environment. The Tanium Console lists the required Tanium dependencies and the required versions.

  1. From the Main menu, go to Administration > Configuration > Solutions.
  2. Select the required solutions, click Import Selected, and then click Begin Import. When the import is complete, you are returned to the Tanium Solutions page. For more information, see Tanium Console User Guide: Import, re-import, or update specific solutions.
  3. After you import all of the required Tanium dependencies, go to Administration > Shared Services > Direct Connect from the Main menu to open the Direct Connect Overview page.

Upgrade Direct Connect

For the steps to upgrade Direct Connect, see Tanium Console User Guide: Import, re-import, or update specific solutions. After the upgrade, verify that the correct version is installed: see Verify Direct Connect version.

Verify Direct Connect version

After you import or upgrade Direct Connect, verify that the correct version is installed:

  1. Refresh your browser.
  2. From the Main menu, go to Administration > Shared Services > Direct Connect to open the Direct Connect Overview page.
  3. To display version information, click Info.

What to do next

See Getting started for more information about using Direct Connect.