Installing Direct Connect

If you are using Tanium as a Service, module installation and upgrades are handled by the service.

Use the Tanium Solutions page to install Direct Connect and choose either automatic or manual configuration:

  • Automatic configuration with default settings (Tanium Core Platform 7.4.2 or later only): Direct Connect is installed with any required dependencies and other selected products. After installation, the Tanium Server automatically configures the recommended default settings. This option is the best practice for most deployments. For details about the automatic configuration for Direct Connect, see Import and configure Direct Connect with default settings.
  • Manual configuration with custom settings: After installing Direct Connect, you must manually configure required settings. Select this option only if Direct Connect requires settings that differ from the recommended default settings. For more information, see Import and configure Direct Connect with custom settings.

Before you begin

Import and configure Direct Connect with default settings

When you import Direct Connect with automatic configuration, the following default settings are configured:

  • The Direct Connect service account is set to the account that you used to import the module.
  • The Direct Connect action group is set to the computer group All Computers.
  • The Fully Qualified Domain Name setting in the Endpoint Connection settings is set to the first detected external IPv4 address that is closest to the Tanium Server IP address.

    This domain name must resolve to the Module Server from all endpoints in all direct endpoint connections. After the initial installation and configuration completes, you can verify this value on the Endpoint Connection tab in the Direct Connect settings and update it, if needed.

To import Direct Connect and configure default settings, be sure to select the Apply Tanium recommended configurations check box while performing the steps in Tanium Console User Guide: Manage Tanium modules. After the import, verify that the correct version is installed: see Verify Direct Connect version.

Import and configure Direct Connect with custom settings

To import Direct Connect without automatically configuring default settings, be sure to clear the Apply Tanium recommended configurations check box while performing the steps in Tanium Console User Guide: Manage Tanium modules. After the import, verify that the correct version is installed: see Verify Direct Connect version.

Configure the Direct Connect action group

The action group defines the set of endpoints to which you are deploying the Direct Connect packages. By default, the Computer Group Targets setting for the Direct Connect action group is set to No Computers. You can set the action group to All Computers or any computer groups that you have defined.

  1. From the Direct Connect Home page, in the Configuration section, click the Configure Action Group step and click Configure Action Group.
  2. Select the computer group for the group of endpoints that you want to use for Direct Connect. Click Save.

Configure the service account

The Direct Connect service account runs background processes for the Direct Connect service. The Direct Connect service account must have the Direct Connect Service Account role.

  1. From the Direct Connect Home page, in the Configuration section, click the Configure Service Account step and click Configure Service Account.
  2. Enter the Tanium credentials and click Save.
  3. You can also set or update the service account from the Direct Connect settings. Click Settings, and update the service account settings on the Service Account tab. Click Save.

Configure Endpoint Connection settings

Specify Endpoint Connection settings to define the domain name to use to connect to the Module Server, certificates to authenticate connections to the Module Server and endpoints, and the port to use for connections.

  1. From the Direct Connect Home page, in the Configuration section, click the Configure Endpoint Connection step and click Configure Endpoint Connection.
  2. In the Fully Qualified Domain Name section, provide a domain name to use to connect to the Module Server. The domain name that you provide must resolve to the Module Server from all endpoints in all direct endpoint connections. Direct Connect validates the format of the name that you provide. Verify that the domain name you provide is accurate.
  3. The Port is set to 17475 by default. If needed, you can modify this port. Make sure that incoming connections to this port are allowed by applicable firewall configurations.
  4. In the Action Lock section, specify the behavior that you want for Direct Connect when action lock is enabled on endpoints:
    • Block All Direct Connection Actions
    • Allow New Connections
    • Allow New Connections and Configuration Changes

    For more information about action locks, see Tanium Console User Guide: Managing action locks.

  5. Click Save.
  6. Enter your password and click OK.

If the Fully Qualified Domain Name validates successfully, success messages display:
The endpoint connection settings saved successfully.
Content build is in progress. Connection settings will deploy to endpoints once complete.

If an error occurs, correct the fully qualified domain name and save again. If the information validates and saves successfully, packages for each supported operating system are created with the configuration information that is needed to use Direct Connect. These packages are distributed using a scheduled action to the Tanium Direct Connect action group.
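The settings above only get validated for format; whether the Fully Qualified Domain Name actually resolves to the Module Server and whether port 17475 is reachable through intervening firewalls is something to check from the endpoint side before the packages deploy. The following pre-flight script is an added example and is not Tanium code: it applies common DNS label rules (at least two labels, 63 characters per label, 253 total, which is an assumption about what a usable FQDN looks like, not Tanium's own validator), accepts an IPv4 literal as the page's default setting does, resolves the name, and attempts a TCP connection on the configured port. The placeholder host name `moduleserver.example.com` is constructed.

```python
"""Pre-flight check for Direct Connect Endpoint Connection settings.

Added example, not Tanium code. Run from a representative endpoint in each
network segment: it confirms the configured Fully Qualified Domain Name (or
IPv4 address) is well formed, resolves in DNS, and accepts TCP connections on
the Direct Connect port (17475 by default).
"""
import ipaddress
import re
import socket
import sys

DEFAULT_PORT = 17475  # Direct Connect endpoint connection port (page default)

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_ipv4(value: str) -> bool:
    """True if value is a syntactically valid IPv4 address."""
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def is_valid_fqdn(name: str) -> bool:
    """Syntactic FQDN check (assumed rules: >= 2 labels, <= 253 chars, non-numeric TLD)."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    if len(labels) < 2 or labels[-1].isdigit():  # rejects malformed IPs such as 10.1.2.300
        return False
    return all(_LABEL.match(label) for label in labels)


def is_valid_host(value: str) -> bool:
    """Accept either an IPv4 address or an FQDN; the page allows both."""
    return is_valid_ipv4(value) or is_valid_fqdn(value)


def is_valid_port(port: int) -> bool:
    return 1 <= port <= 65535


def resolve(name: str) -> list:
    """IPv4 addresses the local resolver returns for name; empty if it does not resolve."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(host: str, port: int = DEFAULT_PORT) -> dict:
    """Run the format, DNS and TCP checks in order; later checks are skipped once one fails."""
    result = {"host": host, "port": port, "addresses": [], "reachable": False,
              "format_ok": is_valid_host(host) and is_valid_port(port)}
    if not result["format_ok"]:
        return result
    result["addresses"] = [host] if is_valid_ipv4(host) else resolve(host)
    if result["addresses"]:
        result["reachable"] = tcp_reachable(host, port)
    return result


if __name__ == "__main__":
    # Constructed placeholder; pass your real Module Server name and port on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "moduleserver.example.com"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_PORT
    outcome = preflight(target, port)
    print(outcome)
    sys.exit(0 if outcome["reachable"] else 1)
```

A non-zero exit code from an endpoint in a given segment means that segment needs either a DNS fix or a firewall rule before Direct Connect will work there; the `addresses` field shows which Module Server address that segment's resolver actually hands out, which is the first thing to compare against the value on the Endpoint Connection tab.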

Configure certificates

Configure certificates to authenticate connections to the Tanium Module server and endpoints.

  1. From the Direct Connect Home page, click Settings. Click the Certificates tab.
  2. In the Server Certificate section, the Install a new certificate option is selected by default and cannot be modified during the initial configuration. A certificate is generated and installed to authenticate the server when an endpoint starts a connection.

    After a certificate is installed on the server, the expiration date for the certificate displays. If a certificate is installed, you can select Renew to renew the certificate.

  3. In the Client Certificate section, the Install a new certificate option is selected by default and cannot be modified during the initial configuration. A certificate is generated, installed, and deployed to endpoints to authenticate that the endpoint is a Tanium client with permission to connect to the server.

    After a certificate is installed, the expiration date for the certificate displays. If a certificate is installed, you can select Renew to renew the certificate.

  4. Click Save.
  5. Enter your password and click OK.

Configure Zone Proxies

You can optionally configure a zone proxy to enable connections to endpoints through a Tanium™ Zone Server. This configuration is required to use Direct Connect with endpoints that connect to the Module Server through a Zone Server.

Figure 1: Zone Proxy Server Overview

For best results, do not use a load balancer in front of your Zone Server. If you must use a load balancer, it must be configured for persistent TCP connections and the port that you configure in the Direct Connect Zone Proxy for the Endpoint Inbound Port must be open on the load balancer. By default, this port is 17486.

Before you begin

Work with your TAM to obtain the Direct Connect Zone Proxy Installer file for your Zone Server operating system.

Confirm that all required ports are available. For more information, see Host and network security requirements.

Install and configure the Direct Connect Zone Proxy

  1. Copy the Direct Connect Zone Proxy Installer to the Zone Server.
  2. Run the Direct Connect Zone Proxy Installer on the Zone Server to install the Direct Connect Zone Proxy.

    The installation process generates the Provision Secret and Certificate (referred to as the Provision Payload).

    The provision payload is stored in provision.txt, which is located in the following directories:

    • TanOS: <Tanium Install Directory>/TaniumDirectConnectZoneProxy/settings/PROVISION.txt

      During the installation process on TanOS, the Provision Secret and Certificate also display in the console where you run the installation. You can copy the Provision Secret and Certificate from the console or from the PROVISION.txt file.

    • Windows: <Tanium Install Directory>\Tanium Direct Connect Zone Proxy\settings\PROVISION.txt

      At the end of the installation on Windows, click Open Provision Token to open PROVISION.txt. You can copy the Provision Secret and Certificate from this file.

    Either copy these during the install or retrieve them from provision.txt for use during the subsequent configuration steps. For example:

    Figure: Example Provision Secret and Certificate values (truncated)

    The preceding figure is provided as an example of the Provision Secret and Certificate values to copy during the installation. The content is intentionally truncated and cannot be used as-is. You must use the values from your installation for the certificate pinning to work. If you use this example Provision Secret and Certificate in your environment, your configuration will fail.

    If needed, you can rerun the installer to generate a new provision payload.

    After the installation completes and you save the provision payload (provision secret and certificate), return to Direct Connect.

  3. From the Direct Connect menu, click Zone Proxies.
  4. Click Add Zone Proxy.
  5. Specify the Zone Proxy Name.
  6. Paste the Provision Secret and Certificate that you saved during the installation into the Provision Payload field.
  7. Configure the Module Server Connection:

    1. Specify the Zone Proxy Host.

      This value is the host name or IP address that is used by the Module Server to connect to the Zone Server. It is the Zone Server's internal IP address, host name, or fully qualified domain name that can be resolved by the Module Server. For example, DMZZoneServer.internal.local.

    2. Specify the Bind IP Address.

      This value is the binding IP address that is used by the Zone Server for Module Server connections. It is the Zone Server's internal IP address that can be reached by the Module Server.

      Use this value to specify the IPv4 interface on the Zone Server to bind to for Module Server connections on multihomed servers. To listen on all interfaces, specify 0.0.0.0.

      In most environments, this value is not the same as the IP address of the Module Server.

    3. Specify the Port.

      This value is the binding port that is used by the Zone Server for Module Server connections. The default value is 17487.

  8. Configure the Endpoint Connection:

    1. Specify the Zone Proxy Host.

      This value is the host name or IP address that is used by endpoints to connect to the Zone Server. It is the Zone Server's external IP address or fully qualified domain name that can be resolved by endpoints. This value is a public, internet-routable IP address or host name. For example, MyZoneServer.company.com.

    2. Specify the Bind IP Address.

      This value is the binding IP address that is used by the Zone Server for endpoint connections. It is the Zone Server's external IP address that can be reached by endpoints. This value is a public, internet-routable IP address.

      Use this value to specify the IPv4 interface on the Zone Server to bind to for endpoint connections on multihomed servers. To listen on all interfaces, specify 0.0.0.0.

    3. Specify the Port.

      This value is the binding port that is used by the Zone Server for endpoint connections. The default value is 17486.

  9. Click Save.
  10. Enter your password and click OK.

The status of the Zone Proxy displays in the Status column. When the configuration is complete, the status is Connected.

Due to the provisioning process, you cannot modify existing Zone Proxy configurations. If needed, you can delete the configuration and recreate it with different values. To delete a configuration, hover over the configuration and click Delete.

You can also see the status and activity for existing Zone Proxies from this page.
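Because an existing Zone Proxy configuration cannot be edited and must be deleted and recreated, it pays to check the values before clicking Save. The following lint is an added example and not Tanium code; the field names (`host`, `bind_ip`, `port`, `module_server`, `endpoint`) are this example's own labels for the Zone Proxy Host, Bind IP Address and Port values of the two listeners described in steps 7 and 8, and the sample configurations are constructed using the page's example host names. It flags the mistakes that leave a Zone Proxy stuck short of Connected (malformed values, both listeners bound to the same address and port) and the one that widens exposure on a multihomed Zone Server: binding the Module Server side to 0.0.0.0 makes the internal listener reachable on the endpoint-facing interface as well.

```python
"""Lint for a proposed Direct Connect Zone Proxy configuration.

Added example, not Tanium code. Two listeners on the Zone Server are modelled:
the Module Server side (internal, default port 17487) and the endpoint side
(external, default port 17486). Findings are (severity, code, message) tuples.
"""
import ipaddress
import re
from dataclasses import dataclass

MODULE_SERVER_PORT = 17487  # page default for Module Server connections
ENDPOINT_PORT = 17486       # page default for endpoint connections

# Host name or IPv4 literal; a lint-grade check, not a full DNS validator.
_HOST = re.compile(r"^(?!-)[A-Za-z0-9.-]{1,253}(?<![-.])$")


@dataclass
class Listener:
    host: str      # "Zone Proxy Host": name/IP the peer uses to reach the Zone Server
    bind_ip: str   # "Bind IP Address": interface on the Zone Server to listen on
    port: int      # "Port"


@dataclass
class ZoneProxyConfig:
    name: str
    module_server: Listener
    endpoint: Listener


def _ip(value: str):
    """IPv4Address for value, or None if it is not a valid IPv4 literal."""
    try:
        return ipaddress.IPv4Address(value)
    except ValueError:
        return None


def lint(cfg: ZoneProxyConfig) -> list:
    """Return findings as (severity, code, message); an empty list means nothing was flagged."""
    findings = []
    for side, lst in (("module_server", cfg.module_server), ("endpoint", cfg.endpoint)):
        if not _HOST.match(lst.host):
            findings.append(("error", f"{side}.host.format",
                             f"{side}: host '{lst.host}' is not a valid host name or IPv4 address"))
        if _ip(lst.bind_ip) is None:
            findings.append(("error", f"{side}.bind_ip.format",
                             f"{side}: bind IP '{lst.bind_ip}' is not an IPv4 address"))
        if not 1 <= lst.port <= 65535:
            findings.append(("error", f"{side}.port.range", f"{side}: port {lst.port} is out of range"))

    ms_ip, ep_ip = _ip(cfg.module_server.bind_ip), _ip(cfg.endpoint.bind_ip)
    # Same port on the same interface, or on a wildcard that covers it, is a bind conflict.
    if ms_ip and ep_ip and cfg.module_server.port == cfg.endpoint.port and (
            ms_ip == ep_ip or ms_ip.is_unspecified or ep_ip.is_unspecified):
        findings.append(("error", "port.conflict",
                         "both listeners would bind the same address and port"))
    # Wildcard on the Module Server side exposes the internal listener on every interface.
    if ms_ip and ms_ip.is_unspecified:
        findings.append(("warn", "module_server.bind_ip.wildcard",
                         "module_server: 0.0.0.0 listens on all interfaces, including the "
                         "endpoint-facing one; bind the internal address on a multihomed Zone Server"))
    # The endpoint side is documented as internet-routable; a non-global bind IP is
    # usually wrong unless NAT sits in front of the Zone Server.
    if ep_ip and not ep_ip.is_unspecified and not ep_ip.is_global:
        findings.append(("warn", "endpoint.bind_ip.not_public",
                         f"endpoint: bind IP {ep_ip} is not internet-routable; endpoints may not "
                         "reach it unless NAT is in front of the Zone Server"))
    # The Module Server side is documented as the internal interface.
    if ms_ip and ms_ip.is_global:
        findings.append(("warn", "module_server.bind_ip.public",
                         f"module_server: bind IP {ms_ip} is a public address; the internal interface is expected"))
    return findings


def errors(cfg: ZoneProxyConfig) -> list:
    """Only the findings that would stop the Zone Proxy from working."""
    return [f for f in lint(cfg) if f[0] == "error"]


if __name__ == "__main__":
    # Constructed sample using the page's example host names.
    sample = ZoneProxyConfig(
        "dmz-zone-1",
        Listener("DMZZoneServer.internal.local", "10.20.30.40", MODULE_SERVER_PORT),
        Listener("MyZoneServer.company.com", "203.0.113.10", ENDPOINT_PORT))
    for severity, code, message in lint(sample):
        print(f"[{severity}] {code}: {message}")
```

The `not_public` and `public` checks use Python's `ipaddress` view of IANA special-purpose ranges, so documentation addresses such as 203.0.113.x are reported as non-routable; treat those two as warnings to review, while the `format` and `conflict` codes are hard failures that will not produce a Connected status.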

Upgrade Direct Connect

For the steps to upgrade Direct Connect, see Tanium Console User Guide: Manage Tanium modules. After the upgrade, verify that the correct version is installed: see Verify Direct Connect version.

Verify Direct Connect version

After you import or upgrade Direct Connect, verify that the correct version is installed:

  1. Refresh your browser.
  2. From the Main menu, click Direct Connect to open the Direct Connect Home page.
  3. To display version information, click Info.

What to do next

See Getting started for more information about using Direct Connect.