Managing satellites

Satellites are specific Tanium Clients that you designate to run certain targeted, secure workloads on behalf of the Module Server or Tanium Cloud, such as non-line-of-sight scans in Discover or remote authenticated scans in Comply.

Figure 1: Tanium Client designated as a satellite

For example, suppose you have a lab network with unmanaged endpoints on a subnet separated from your main network, and you want to use Comply to perform scans on the lab endpoints. Also suppose you are using a managed endpoint with multiple network interface controllers (NICs) to bridge the lab subnet to the main network. You can designate that endpoint as a satellite and then configure Comply to use it to perform scans on the unmanaged endpoints.

Because the Module Server or Tanium Cloud might need to send sensitive, encrypted data (such as credentials) to a satellite when running a workload, you must verify each endpoint that you designate as a satellite to prevent spoofing attacks. Any such sensitive data is never sent using the linear chain, nor is it stored on disk on the satellite.

Create satellites

For the best results, do not configure endpoints as satellites if the endpoints are internet-facing devices or might become internet-facing devices.

You can designate only Windows, macOS, or Linux endpoints as satellites.

Designate satellites

  1. In the Satellites section of the Direct Connect Overview page, click Create Satellite.

  2. In the Designate Endpoints section, search for and designate endpoints.

    • To use the simple search, enter part of the IP address or computer name for an endpoint you want to designate.

    • To search using other criteria, click Filter Builder. Build a query that uses advanced filters to narrow the question results to endpoints matching your conditions.

      Click + and use the controls to add filter conditions:

      • Add Row: Add one or more conditions.
      • Add Group: Select this option to nest a Boolean operator and then use Add Row to build the nested expression.

    In the results, click Create Satellite beside each endpoint you want to designate as a satellite, and then click Close to clear the search. Each new satellite is added to the Satellites Pending Verification list. If necessary, perform a new search with different criteria to designate additional endpoints.

  3. After you finish designating endpoints, click Continue.

Name and verify satellites

  1. On the Verify Satellites page, enter a meaningful Satellite Name for each designated endpoint. This name is separate from the computer name, and it appears in the selection list when you configure an activity that uses a satellite.
  2. Sign in to each endpoint and run <Tanium Client>\Tools\DirectConnect\scripts\get_endpoint_fingerprint.cmd (Windows) or <Tanium Client>/Tools/DirectConnect/scripts/get_endpoint_fingerprint.sh (non-Windows).

    Take note of the fingerprint that is returned by the command on each endpoint and return to the Verify Satellites page in the Tanium Console.

  3. For each Unique Identifier, enter the fingerprint that you recorded for each endpoint, and click Save.

To use visual verification, which lets you avoid manually entering the Unique Identifier for each designated endpoint, select Visually verify satellites instead. This option automatically populates the Unique Identifier for each designated endpoint. However, it is critical that you sign in to each endpoint, run <Tanium Client>\Tools\DirectConnect\scripts\get_endpoint_fingerprint.cmd (Windows) or <Tanium Client>/Tools/DirectConnect/scripts/get_endpoint_fingerprint.sh (non-Windows), and verify that the returned Unique Identifier matches the one that is automatically populated on the Verify Satellites page. If you proceed without actual verification, sensitive data such as credentials could be sent to an unintended endpoint.

For a higher level of security, clear the selection for Visually verify satellites instead, and manually enter the Unique Identifier for each designated endpoint.
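A helper for the verification step above, added here as an example; it is not part of Tanium's documentation or tooling. It assumes that the value returned by get_endpoint_fingerprint and the Unique Identifier shown in the console are hex strings that may differ only in letter case or colon separators (an assumption, since the page does not state the fingerprint format), and reports any satellite whose two values do not agree.

```shell
#!/bin/sh
# Added example, not Tanium's own code. Assumed fingerprint format: hex digits,
# optionally colon-separated, in either case.

# normalize_fp: strip colons, whitespace and case so that purely cosmetic
# formatting differences do not show up as mismatches.
normalize_fp() {
  printf '%s' "$1" | tr -d ': \t\r\n' | tr 'A-F' 'a-f'
}

# check_fingerprint CONSOLE_VALUE ENDPOINT_VALUE
# Prints MATCH or MISMATCH; returns 0 only on a match. An empty value on
# either side is treated as a failure, never as a match.
check_fingerprint() {
  expected=$(normalize_fp "$1")
  actual=$(normalize_fp "$2")
  if [ -z "$expected" ] || [ -z "$actual" ]; then
    echo "MISMATCH (empty fingerprint)"
    return 1
  fi
  if [ "$expected" = "$actual" ]; then
    echo "MATCH"
    return 0
  fi
  echo "MISMATCH"
  return 1
}

# verify_list FILE
# FILE holds one tab-separated row per satellite:
#   <satellite name> <Unique Identifier from console> <value read on the endpoint>
# Returns non-zero if any row mismatches, so it can gate the Save step.
verify_list() {
  tab=$(printf '\t')
  rc=0
  while IFS="$tab" read -r name console_fp endpoint_fp; do
    [ -z "$name" ] && continue
    result=$(check_fingerprint "$console_fp" "$endpoint_fp") || rc=1
    printf '%-20s %s\n' "$name" "$result"
  done < "$1"
  return $rc
}

# Constructed sample: one satellite whose values agree, one whose values do not.
sample=$(mktemp)
printf 'lab-bridge\tAB:CD:12:34\tabcd1234\nlab-scanner\t00:11:22:33\t00:11:22:34\n' > "$sample"
verify_list "$sample" || echo "Do not click Save: at least one satellite failed verification"
rm -f "$sample"
```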