Direct Connect requirements
Review the requirements before you
Tanium dependencies
Make sure that your environment meets the following requirements.
Component | Requirement |
---|---|
Tanium™ Core Platform | |
Tanium™ Appliance | (Optional) If you are using a Tanium Appliance for your Zone Server, you must use Tanium operating system (TanOS) 1.5.2 or later. |
Tanium™ Client | Any supported version of Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client User Guide: Client version and host system requirements. If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions. |
Tanium™ products | If you are using any of the following Tanium™ modules that use the Tanium™ Client Recorder Extension, you must use the specified versions: |
Tanium Module Server
Direct Connect is installed and runs as a service on the Module Server. The impact on the Module Server is minimal and depends on usage.
Endpoints
Supported operating systems
The following endpoint operating systems are supported with Direct Connect.
Operating System | Version | Notes |
---|---|---|
Windows | | Windows 7 Service Pack 1 requires Microsoft KB2758857. |
macOS | Same as Tanium Client support. See Tanium Client User Guide: Host system requirements. | |
Linux | Same as Tanium Client support. See Tanium Client User Guide: Host system requirements. | |
Host and network security requirements
Specific ports and processes are needed to run Direct Connect.
Ports
The following ports, which communicate over HTTPS using TLS 1.2 (RSA 2048-bit), are required for Direct Connect.
Source | Destination | Port | Protocol | Purpose |
---|---|---|---|---|
Tanium Client (internal) | Module Server | 17475 | TCP | Used by the Module Server for endpoint connections to internal clients. |
Tanium Client | | 17486 | TCP | Used |
Module Server | Zone Server¹ | 17487 | TCP | Used by the Zone Server for Module Server connections. The default port number is 17487. If needed, you can specify a different port number when you configure the zone proxy. |
| | 17488 | TCP | Allows communication between the Zone Server and the Module Server. On TanOS, the Direct Connect Zone Proxy installer automatically opens port 17488 on the Zone Server. This port must be manually opened on Windows. |
Tanium Server | Module Server | 17477 | TCP | Tanium Server initiates connections to |
¹ These ports are required only when you use a Zone Server.
Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.
Direct Connect supports the following cipher suites for encrypting information in TLS communication:
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-RSA-AES256-SHA384
- ECDHE-ECDSA-AES128-SHA256
- ECDHE-RSA-AES128-SHA256
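A pre-flight check that ties the port table and the cipher-suite list together. This is an added example, not Tanium's code: it opens a TLS client connection to a host and port from the port table and reports whether the peer negotiated TLS 1.2 with one of the eight suites listed above, which is what you want to confirm after a firewall or load-balancer change and before blaming the product. The host names in the `__main__` block are placeholders; certificate validation is left on, so an untrusted certificate is reported as a finding rather than silently skipped.

```python
"""Pre-flight TLS check for Direct Connect ports (added example, not Tanium's code)."""
import socket
import ssl

# The cipher suites Direct Connect supports, exactly as listed in the requirements.
ALLOWED_CIPHERS = (
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-RSA-AES128-SHA256",
)

# Listening ports from the Direct Connect port table, keyed by the role that
# listens. Probe only the ports the host you run this on is meant to reach.
LISTENING_PORTS = {
    "Module Server": (17475, 17477),
    "Zone Server": (17486, 17487, 17488),
}


def is_allowed_cipher(name):
    """True if `name` (OpenSSL cipher name) is one of the supported suites."""
    return name in ALLOWED_CIPHERS


def build_context(cafile=None):
    """Client context that will only negotiate TLS 1.2 with the allowed suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # check_hostname and CERT_REQUIRED on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(ALLOWED_CIPHERS))
    if cafile:
        ctx.load_verify_locations(cafile=cafile)  # private CA used by the Tanium servers
    else:
        ctx.load_default_certs()
    return ctx


def enabled_tls12_ciphers(ctx):
    """Names of the TLS 1.2 suites this context will actually offer."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def check_endpoint(host, port, timeout=5.0, cafile=None):
    """Connect to host:port and record what the TLS handshake negotiated.

    `allowed` is True only when the peer answered with TLS 1.2 and one of the
    supported suites; any other outcome is described in `error`.
    """
    result = {"host": host, "port": port, "reachable": False,
              "tls_version": None, "cipher": None, "allowed": False, "error": None}
    ctx = build_context(cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            result["reachable"] = True  # TCP port is open through the firewall path
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name, _protocol, _bits = tls.cipher()
                result["tls_version"] = tls.version()
                result["cipher"] = name
                result["allowed"] = tls.version() == "TLSv1.2" and is_allowed_cipher(name)
    except ssl.SSLCertVerificationError as exc:
        result["error"] = "certificate not trusted: %s" % exc.verify_message
    except ssl.SSLError as exc:
        # No overlap with TLS 1.2 plus the allowed suites, or a non-TLS listener.
        result["error"] = "handshake failed: %s" % exc
    except OSError as exc:
        # Refused, filtered, timed out or unreachable: the port is not usable.
        result["error"] = "connection failed: %s" % exc
    return result


def all_ok(results):
    """True when every probed port answered with an acceptable TLS configuration."""
    return all(r["reachable"] and r["error"] is None and r["allowed"] for r in results)


if __name__ == "__main__":
    # Placeholder host names: replace with your own Module Server and Zone Server.
    targets = [("module-server.example.invalid", p) for p in LISTENING_PORTS["Module Server"]]
    targets += [("zone-server.example.invalid", p) for p in LISTENING_PORTS["Zone Server"]]
    results = [check_endpoint(h, p) for h, p in targets]
    for r in results:
        print(r)
    raise SystemExit(0 if all_ok(results) else 1)
```

Run it from the host whose traffic you are troubleshooting (an endpoint for 17475 or 17486, the Module Server for 17487 and 17488) so the path it tests is the one the table describes. A `handshake failed` result on an open port usually means something in front of the server (a load balancer or inspecting proxy) is terminating TLS with suites outside the list above.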
Security exclusions
If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.
Target Device | Notes | Process |
---|---|---|
Module Server | | <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe |
Windows endpoints | | <Tanium Client>\TaniumClientExtensions.dll |
| | <Tanium Client>\TaniumClientExtensions.dll.sig |
| | <Tanium Client>\extensions\TaniumDEC.dll |
| | <Tanium Client>\extensions\TaniumDEC.dll.sig |
| 7.2.x clients¹ | <Tanium Client>\Python27\TPython.exe |
| 7.4.x clients¹ | <Tanium Client>\Python38\TPython.exe |
| 7.4.x clients | <Tanium Client>\Python38\*.dll |
| | <Tanium Client>\TaniumCX.exe |
macOS endpoints | | <Tanium Client>/libTaniumClientExtensions.dylib |
| | <Tanium Client>/libTaniumClientExtensions.dylib.sig |
| | <Tanium Client>/extensions/libTaniumDEC.dylib |
| | <Tanium Client>/extensions/libTaniumDEC.dylib.sig |
| 7.2.x clients | <Tanium Client>/python27/bin/pybin |
| 7.4.x clients | <Tanium Client>/python38/bin/pybin |
| | <Tanium Client>/TaniumCX |
Linux endpoints | | <Tanium Client>/libTaniumClientExtensions.so |
| | <Tanium Client>/libTaniumClientExtensions.so.sig |
| | <Tanium Client>/extensions/libTaniumDEC.so |
| | <Tanium Client>/extensions/libTaniumDEC.so.sig |
| 7.2.x clients | <Tanium Client>/python27/bin/pybin |
| 7.4.x clients | <Tanium Client>/python38/bin/pybin |
| | <Tanium Client>/TaniumCX |
¹ TPython requires SHA2 support to allow installation.
Target Device | Notes | Process |
---|---|---|
Windows endpoints | | <Tanium Client>\TaniumClientExtensions.dll |
| | <Tanium Client>\TaniumClientExtensions.dll.sig |
| | <Tanium Client>\extensions\TaniumDEC.dll |
| | <Tanium Client>\extensions\TaniumDEC.dll.sig |
| ¹ | <Tanium Client>\Python38\TPython.exe |
| | <Tanium Client>\Python38\*.dll |
| | <Tanium Client>\TaniumCX.exe |
macOS endpoints | | <Tanium Client>/libTaniumClientExtensions.dylib |
| | <Tanium Client>/libTaniumClientExtensions.dylib.sig |
| | <Tanium Client>/extensions/libTaniumDEC.dylib |
| | <Tanium Client>/extensions/libTaniumDEC.dylib.sig |
| | <Tanium Client>/python38/bin/pybin |
| | <Tanium Client>/TaniumCX |
Linux endpoints | | <Tanium Client>/libTaniumClientExtensions.so |
| | <Tanium Client>/libTaniumClientExtensions.so.sig |
| | <Tanium Client>/extensions/libTaniumDEC.so |
| | <Tanium Client>/extensions/libTaniumDEC.so.sig |
| | <Tanium Client>/python38/bin/pybin |
| | <Tanium Client>/TaniumCX |
¹ TPython requires SHA2 support to allow installation.
Zone proxy server requirements
If you want to use Direct Connect to connect to endpoints that route to the module server through a Zone Server, you must install and configure the Direct Connect Zone Proxy on that Zone Server. For more information, see Configure zone proxies.
For best results, do not use a load balancer in front of your Zone Server. If you must use a load balancer, it must be configured for persistent TCP connections and the port that you configure in the Direct Connect Zone Proxy for the Endpoint Inbound Port must be open on the load balancer. By default, this port is 17486.
User role requirements
The following tables list the role permissions required to use Direct Connect. For more information about role-based access control (RBAC), role permissions, and associated content sets, see Tanium Core Platform User Guide: Managing RBAC.
Roles covered by this table: Direct Connect Administrator, Direct Connect User, Direct Connect Read Only User, Direct Connect Service Account³, Direct Connect Endpoint Configuration Approver².

Permission | Description |
---|---|
Show Direct Connect¹ | Allows users to access the Direct Connect workbench |
Direct Connect Session Read | Allows users to view endpoint connections |
Direct Connect Session Write | Allows users to create and manage endpoint connections |
Direct Connect Settings Read | Allows users to view Direct Connect settings |
Direct Connect Settings Write | Allows users to modify Direct Connect settings |
Direct Connect Logs Read | Allows users to view the Direct Connect logs |
Direct Connect Cron Exec | Allows performing service account work |
Direct Connect Endpoint Configuration Approve | Allows approval of Endpoint Configuration items for Direct Connect |
¹ To install Direct Connect, you must have the Import Signed Content micro admin permission (Tanium Core Platform 7.4 or later) or the reserved role of Administrator.
² This role provides module permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration permissions are granted to this role in the Tanium Console. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.
³
Roles covered by this table: Direct Connect Administrator, Direct Connect Read Only User, Direct Connect Service Account, Direct Connect User, Direct Connect Endpoint Configuration Approver.

Permission | Content Set for Permission |
---|---|
Read Sensor | Reserved |
Read Sensor | Base |
Read Sensor | Direct Connect |
Read Action | Direct Connect |
Read Own Action | Direct Connect |
Write Action | Direct Connect |
Show Preview | Direct Connect |
Read Plugin | Direct Connect |
Execute Plugin | Direct Connect |
Execute Plugin | Endpoint Configuration |
Read Package | Direct Connect |
Write Package | Direct Connect |
Read Saved Question | Reserved |
Read Saved Question | Default |
Read Saved Question | Direct Connect |
¹ Denotes a provided permission.
For more information and descriptions of content sets and permissions, see the Tanium Core Platform User Guide: Users and user groups.
Last updated: 2/26/2021 12:28 PM