Direct Connect requirements

Review the requirements before you install and use Direct Connect.

Core platform dependencies

Make sure that your environment meets the following requirements:

  • Tanium™ Core Platform servers:

    • 7.4.3.1204 or later to use Direct Connect
    • 7.5.5 or later to use Tanium™ Screen Sharing
  • Tanium™ Appliance:

    (Optional) If you are using a Tanium Appliance for your Zone Server, you must install the Direct Connect Zone Proxy through the Tanium Operations menu on the Zone Server appliance. For more information, see Appliance Deployment Guide: Install the Direct Connect Zone Proxy. To install the Direct Connect Zone Proxy on a Tanium Appliance with the All-in-One role, use the TanOS shell.

  • Tanium™ Client:

    Any supported version of Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client Management User Guide: Client version and host system requirements.

    If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.

Solution dependencies

Other Tanium solutions are required for Direct Connect to function. The installation method that you select determines if the Tanium Server automatically imports dependencies or if you must manually import them.

Some Direct Connect dependencies have their own dependencies, which you can see by clicking the links in the lists of Required dependencies. Note that the links open the user guides for the latest version of each solution, not necessarily the minimum version that Direct Connect requires.

Tanium recommended installation

If you select only Direct Connect to import and are using Tanium Core Platform 7.5.2.3531 or later with Tanium Console 3.0.72 or later, the Tanium Server automatically imports the latest available versions of any required dependencies that are missing. If some required dependencies are already imported but their versions are earlier than the minimum required for Direct Connect, the server automatically updates those dependencies to the latest available versions.

If you select only Direct Connect to import and you are using Tanium Core Platform 7.5.2.3503 or earlier with Tanium Console 3.0.64 or earlier, you must manually import or update required dependencies. See Tanium Console User Guide: Import, re-import, or update specific solutions.

Import specific solutions

If you select only Direct Connect to import, you must manually import dependencies. See Tanium Console User Guide: Import, re-import, or update specific solutions.

Required dependencies

Direct Connect has the following required dependencies at the specified minimum version:

  • Tanium™ Interact 2.8.102 or later to use screen sharing functionality

    Interact 3.0 or later requires Tanium Core Platform 7.6.1 or later

  • Tanium™ Endpoint Configuration 1.7 or later
  • Tanium RDB Service 1.2.66 or later
  • Tanium™ System User Service 1.0.77 or later

Feature-specific dependencies

If you select only Direct Connect to import, you must manually import or update its feature-specific dependencies regardless of the Tanium Console or Tanium Core Platform versions. Direct Connect has the following feature-specific dependencies at the specified minimum versions:

  • Tanium™ Console 3.4.46 or later to use screen sharing functionality
  • Tanium Direct Connect 2.7.43 or later to configure and use screen sharing functionality
    • Tanium Direct Connect 2.7.54 or later for best results with screen sharing functionality
  • Tanium™ Reporting 1.27.11 or later to use screen sharing functionality
  • Tanium™ Reporting Content 1.0.21 or later to use screen sharing functionality
  • Tanium RDB Service 1.2.105 or later to use screen sharing functionality
  • Tanium Screen Sharing 1.3.155 or later to use screen sharing functionality
  • Tanium™ Secrets Service 1.0.118 or later to use screen sharing functionality
  • Tanium System User Service 1.0.169 or later to use screen sharing functionality

Client extensions

Tanium Endpoint Configuration installs client extensions for Direct Connect on endpoints. Client Extensions perform tasks that are common to certain Tanium solutions. The Tanium Client uses code signatures to verify the integrity of each client extension prior to loading the extension on the endpoint. Each client extension has recommended security exclusions to allow the Tanium processes to run without interference. See Security exclusions for more information. The following client extensions perform Direct Connect functions:

  • Config CX - Provides installation and configuration of extensions on endpoints. Tanium Client Management installs this client extension.
  • Core CX - Provides a management framework API for all other client extensions and exposes operating system metrics. Tanium Client Management installs this client extension.
  • DEC CX - Provides a direct connection between the endpoint and the Module Server (or Tanium Cloud). Tanium Direct Connect installs this client extension.

Tanium Module Server

Direct Connect is installed and runs as a service on the Module Server. The impact on the Module Server is minimal and depends on usage.

For information about Module Server sizing in a Windows deployment, see Tanium Core Platform Deployment Guide for Windows: Host system sizing guidelines.

Endpoints

Supported internet protocols

Direct Connect supports only endpoints that have IPv4 addresses.

Supported operating systems

The following endpoint operating systems are supported with Direct Connect.

Operating System: Windows
  Version:
    • Windows 7 Service Pack 1 or later
    • Windows Server 2008 R2 Service Pack 1 or later

Operating System: macOS
  Version: Same as Tanium Client support. See Tanium Client Management User Guide: Client version and host system requirements.
  Notes: Only Direct Connect 2.2.103 or later supports Tanium Clients using the universal binary.

Operating System: Linux
  Version: Same as Tanium Client support. See Tanium Client Management User Guide: Client version and host system requirements.

Screen sharing operating systems

The following endpoint operating systems are supported for screen sharing through Tanium. For a list of operating systems supported by ScreenMeet, see ScreenMeet Docs: Requirements.

The first time a Tanium console operator establishes a screen sharing session with a macOS endpoint, the endpoint user must select ScreenMeetSupport in the Screen Recording and Accessibility permissions in System Preferences, then click Later when prompted. For more information, see ScreenMeet Docs: Connecting to Mac devices.

Operating System: Windows
  Version:
    • Windows 11
    • Windows 10S
    • Windows 10
    • Windows 8
  Notes: Windows operating systems also require .NET Framework 4.6.2 or later. Windows operating systems support attended and unattended screen sharing sessions.

Operating System: Windows Server
  Version:
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • Windows Server 2008
    • Windows Server 2003 R2

Operating System: macOS
  Version: 10.13 or later
  Notes: macOS operating systems support only attended screen sharing sessions.

Host and network security requirements

Specific ports and processes are needed to run Direct Connect.

Ports

The following ports, which communicate over HTTPS using TLS 1.2 (RSA 2048-bit), are required for Direct Connect.

These ports are not required for screen sharing.

Source: Tanium Client (internal)
Destination: Module Server
Port: 17475
Protocol: TCP
Purpose: Used by the Module Server for endpoint connections to internal clients.

Source: Tanium Client (external)
Destination: Zone Server (1) or Tanium Cloud
Port: 17486
Protocol: TCP
Purpose: Used by the Zone Server for endpoint connections to external clients. This port begins listening after the Zone Proxy provisioning process is complete on port 17488. The default port number is 17486. If needed, you can specify a different port number when you configure the zone proxy.

Source: Module Server
Destination: Zone Server (1)
Port: 17487
Protocol: TCP
Purpose: Used by the Zone Server for Module Server connections. This port begins listening after the Zone Proxy provisioning process is complete on port 17488. The default port number is 17487. If needed, you can specify a different port number when you configure the zone proxy.

Source: Module Server
Destination: Zone Server (1)
Port: 17488
Protocol: TCP
Purpose: Used by the Module Server to provision the Zone Proxy on the Zone Server. After the Zone Proxy is provisioned, used for connection status and diagnostics. On TanOS, the Direct Connect Zone Proxy installer automatically configures the firewall on the Zone Server to open port 17488. You must manually configure the firewall to open this port on Windows. This port number is not configurable.

Source: Tanium Server
Destination: Module Server (or Tanium Cloud)
Port: 17477
Protocol: TCP
Purpose: Tanium Server initiates connections to the Module Server (or Tanium Cloud) on port 17477.

(1) These ports are required only when you use a Zone Server.

Direct Connect supports the following cipher suites for encrypting information in TLS communication:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
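The port table and the cipher-suite list above are the two things an administrator usually has to verify before Direct Connect sessions work across a firewall. The following script is an added example, not Tanium's code: it builds the list of source/destination/port checks from the table (including the Zone Server rows only when a Zone Server is in use, and honouring a non-default Endpoint Inbound or Module Server Inbound port), then opens a TLS 1.2 connection that offers only the four documented ECDHE suites and reports what the service negotiated. The OpenSSL-style suite names it derives are the standard equivalents of the IANA names on this page; the host names in the `__main__` block are placeholders to replace with your own servers; and a protocol other than TLS 1.2 is treated as a failure because that is what the page states, not because the service is known to reject it.

```python
"""Connectivity and TLS-parameter probe for the Direct Connect ports listed above.

Added example, not Tanium's code. Assumptions: the TLS 1.2 requirement and the
four cipher suites come from this page; the OpenSSL names are the standard
equivalents of those IANA names; host names below are placeholders.
"""
import socket
import ssl

# Cipher suites from the page, in IANA notation.
ALLOWED_IANA_SUITES = (
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
)


def iana_to_openssl(name: str) -> str:
    """Convert an IANA suite name to the OpenSSL name that Python's ssl module reports."""
    body = name[4:] if name.startswith("TLS_") else name
    kx, _, rest = body.partition("_WITH_")
    rest = rest.replace("AES_256", "AES256").replace("AES_128", "AES128")
    return kx.replace("_", "-") + "-" + rest.replace("_", "-")


ALLOWED_OPENSSL_SUITES = tuple(iana_to_openssl(s) for s in ALLOWED_IANA_SUITES)


def required_ports(zone_server: bool, endpoint_inbound: int = 17486, module_inbound: int = 17487):
    """Return (source, destination, port) tuples from the page's port table.

    17486 and 17487 are the page's defaults and can be changed in the zone proxy
    configuration; 17488 is fixed. Zone Server rows apply only when one is used.
    """
    rows = [
        ("Tanium Client (internal)", "Module Server", 17475),
        ("Tanium Server", "Module Server", 17477),
    ]
    if zone_server:
        rows += [
            ("Tanium Client (external)", "Zone Server", endpoint_inbound),
            ("Module Server", "Zone Server", module_inbound),
            ("Module Server", "Zone Server", 17488),
        ]
    return rows


def evaluate_handshake(cipher):
    """Judge the (name, protocol, bits) triple that SSLSocket.cipher() returns.

    Passes only when TLS 1.2 was negotiated with one of the documented suites.
    """
    if not cipher:
        return False, "no TLS session"
    name, protocol, _bits = cipher
    if protocol != "TLSv1.2":
        return False, "unexpected protocol " + protocol
    if name not in ALLOWED_OPENSSL_SUITES:
        return False, "cipher " + name + " is not in the documented suite list"
    return True, protocol + " with " + name


def probe(host: str, port: int, timeout: float = 5.0, cafile=None) -> dict:
    """Connect with TLS 1.2 and only the documented suites; report what was negotiated.

    With cafile=None the probe skips certificate validation because it inspects
    only the negotiated parameters; pass the CA that issued the service
    certificate to validate trust as well.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(ALLOWED_OPENSSL_SUITES))
    if cafile:
        ctx.load_verify_locations(cafile)
    else:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    result = {"host": host, "port": port, "reachable": False, "ok": False, "detail": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            result["reachable"] = True
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["ok"], result["detail"] = evaluate_handshake(tls.cipher())
    except (OSError, ssl.SSLError) as exc:
        result["detail"] = type(exc).__name__ + ": " + str(exc)
    return result


if __name__ == "__main__":
    # Placeholder host names; replace with your own Module Server and Zone Server.
    targets = {
        "Module Server": "module-server.example.invalid",
        "Zone Server": "zone-server.example.invalid",
    }
    for src, dst, port in required_ports(zone_server=True):
        r = probe(targets[dst], port)
        print(f"{src:>26} -> {dst}:{port}  reachable={r['reachable']} ok={r['ok']}  {r['detail']}")
```

Run it from the host that is the source of each row (for example, from the Module Server for the 17487 and 17488 checks), since a firewall rule that is TCP-based per the Zone Proxy guidance below will only be exercised from that direction. A `reachable=False` result points at routing or firewall policy; `reachable=True` with `ok=False` means the TCP path is open but the service did not negotiate TLS 1.2 with one of the listed suites, which is the case to raise with whoever manages TLS policy on that server.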

Screen Sharing has the same network connectivity and port requirements as the Tanium Client. For more information on Tanium Client port and network requirements, see Tanium Client Management User Guide: Network connectivity, ports, and firewalls.

If you have a license for screen sharing, see ScreenMeet Docs: Security requirements.

Security exclusions

With the exception of the security exclusions listed at Tanium Core Platform Deployment Reference Guide: Host system security exclusions, Direct Connect security exclusions are not required to use Screen Sharing, and Screen Sharing security exclusions are not required to use Direct Connect.

If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Direct Connect security exclusions for Tanium Core Platform servers (Windows deployments only)

Module Server
  • Process: <Module Server>\services\direct-connect-service\TaniumDirectConnectService.exe
  • Process: <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe

Zone Server
  • Process: <Tanium Installation Directory>\Tanium Direct Connect Zone Proxy\node.exe
  • Process: <Tanium Installation Directory>\Tanium Direct Connect Zone Proxy\twsm.exe

Direct Connect security exclusions for endpoints

Windows
  • File: <Tanium Client>\TaniumClientExtensions.dll
  • File: <Tanium Client>\TaniumClientExtensions.dll.sig
  • File: <Tanium Client>\extensions\TaniumDEC.dll
  • File: <Tanium Client>\extensions\TaniumDEC.dll.sig
  • Process: <Tanium Client>\TaniumCX.exe

macOS
  • File: <Tanium Client>/libTaniumClientExtensions.dylib
  • File: <Tanium Client>/libTaniumClientExtensions.dylib.sig
  • File: <Tanium Client>/extensions/libTaniumDEC.dylib
  • File: <Tanium Client>/extensions/libTaniumDEC.dylib.sig
  • Process: <Tanium Client>/TaniumCX

Linux
  • File: <Tanium Client>/libTaniumClientExtensions.so
  • File: <Tanium Client>/libTaniumClientExtensions.so.sig
  • File: <Tanium Client>/extensions/libTaniumDEC.so
  • File: <Tanium Client>/extensions/libTaniumDEC.so.sig
  • Process: <Tanium Client>/TaniumCX

When configuring security exclusions for Screen Sharing, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Screen Sharing security exclusions for Tanium Core Platform servers (Windows deployments only)

Module Server
  • Process: <Module Server>\services\screen-sharing-service\TaniumScreenSharingService.exe

Screen Sharing security exclusions for endpoints

Windows
  • Process: C:\ProgramData\Projector Inc\ScreenMeet Support\ScreenMeet.Support.exe
  • Process: <Tanium Client>\Tools\ScreenSharing\ScreenMeet.Support.exe
  • File (32-bit operating system versions only): C:\ProgramData\Projector Inc\ScreenMeet Support\<hash-value>\webrtcnative-x86.dll
  • File (64-bit operating system versions only): C:\ProgramData\Projector Inc\ScreenMeet Support\<hash-value>\webrtcnative-x64.dll

macOS
  • File: /Applications/ScreenMeetSupport.app

Internet URLs

If security software is deployed in the environment to monitor and block unknown URLs, your security administrator might need to allow the hosts and IP addresses listed at ScreenMeet Docs: Firewall configuration and ScreenMeet Docs: Egress IP Addresses, and the following URLs from endpoints in your environment and the Tanium Module Server, to establish screen sharing sessions.

Allowing these URLs is not required for Direct Connect.


  • *.screenmeet.com: from endpoints, establish screen sharing connections
  • *.scrn.mt: from endpoints, establish screen sharing connections
  • https://onpremapi.ssc.cloud.tanium.com/redeemOTP: from the Tanium Module Server, validate a one-time passcode (OTP) over port 443/TCP for provisioning an on-premises installation

If you deployed proxy servers to your network, for the best results, allow traffic from these URLs to bypass the proxy servers. Screen sharing traffic passed through proxy servers negatively impacts performance. For more information, see ScreenMeet Docs: ScreenMeet Enterprise Deployment Guide.

Zone Proxy server requirements

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

If you want to use Direct Connect to connect to endpoints that route to the module server through a Zone Server, you must install and configure the Direct Connect Zone Proxy on that Zone Server. For more information, see Configure zone proxies.

For best results, do not use a load balancer in front of your Zone Server. If you must use a load balancer, it must be configured for persistent TCP connections and the port that you configure in the Direct Connect Zone Proxy for the Endpoint Inbound Port must be open on the load balancer. By default, this port is 17486.

User role requirements

The following tables list the role permissions required to use Direct Connect. To review a summary of the predefined roles, see Set up Direct Connect users.

Do not assign the Direct Connect Service Account and Direct Connect Service Account - All Content Sets roles to users. These roles are for internal purposes only.

For more information about role-based access control (RBAC), role permissions, and associated content sets, see Tanium Core Platform User Guide: Managing RBAC.

Direct Connect user role permissions

Roles: Direct Connect Administrator (1, 2); Direct Connect User (1); Direct Connect Read Only User (1); Direct Connect Satellite Operator (1); Direct Connect Endpoint Configuration Approver (1, 2); Direct Connect File Modifier (1)

  • Direct Connect Audit: View Direct Connect audit events
    Permission levels: READ
  • Direct Connect Core Query: Issue queries on an endpoint
    Permission levels: READ; READ
  • Direct Connect Cron: Allows performing service account work
    Permission levels: none listed
  • Direct Connect Endpoint Configuration: Approve Endpoint Configuration items for Direct Connect
    Permission levels: APPROVE
  • Direct Connect File: Access endpoint file systems through Direct Connect
    Permission levels: READ, WRITE; READ; READ, WRITE
  • Direct Connect Must Gather: Access must gather runs and steps on an endpoint
    Permission levels: EXEC, READ; EXEC, READ; EXEC, READ
  • Direct Connect Satellite: Manage satellites
    Permission levels: READ, WRITE; READ, WRITE
  • Direct Connect Service Account: For internal purposes only
    Permission levels: none listed
  • Direct Connect Session: View, create, and manage endpoint connections
    Permission levels: READ, WRITE; READ, WRITE; READ; READ, WRITE; READ, WRITE
  • Direct Connect Settings: View and modify Direct Connect settings
    Permission levels: READ, WRITE; READ
  • Directconnect: View the Direct Connect workbench
    Permission levels: SHOW; SHOW; SHOW; SHOW; SHOW; SHOW

1 This role provides module permissions for Tanium Interact. You can view which Interact permissions are granted to this role in the Tanium Console. For more information, see Tanium Interact User Guide: Tanium Data Service permissions.

2 This role provides module permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration permissions are granted to this role in the Tanium Console. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.


Do not assign the Screen Sharing Service Account role to users. This role is for internal purposes only.

Screen Sharing user role permissions

Roles: Screen Sharing Administrator (1); Screen Sharing Agent

  • Screen Sharing API: Connect to Screen Sharing API
    Permission levels: EXECUTE; EXECUTE
  • Screen Sharing Audit Event Log: View event log for auditing purposes
    Permission levels: READ
  • Screen Sharing Config: For internal purposes only
    Permission levels: READ, WRITE; READ
  • Screen Sharing Console: Get magic URL for accessing ScreenMeet console
    Permission levels: EXECUTE
  • Screen Sharing Console Admin: Get magic URL for accessing ScreenMeet console and organizational settings
    Permission levels: EXECUTE
  • Screen Sharing Feed Integration User: Interact with notifications from Tanium Feed
    Permission levels: ACCOUNT
  • Screen Sharing Platform Integration User: Interact with the platform
    Permission levels: ACCOUNT; ACCOUNT
  • Screen Sharing Provisioning Otp: Set provisioning information through Otp
    Permission levels: READ, WRITE
  • Screen Sharing Product Options: Retrieve ScreenMeet product options values: Show recording option (provided by Screen Sharing Support Session Write)
    Permission levels: READ; READ
  • Screen Sharing Settings: Configure screen sharing settings
    Permission levels: READ, WRITE; READ
  • Screen Sharing Support Session: Start a screen sharing session on a remote endpoint, requiring endpoint user permission
    Permission levels: READ, WRITE, EXECUTE, DELETE; READ, WRITE, EXECUTE, DELETE
  • Screen Sharing Support Session All: Join any screen sharing session, even if started by another user
    Permission levels: READ, EXECUTE, DELETE
  • Screen Sharing Support Session Disable Autolock: Disable automatic endpoint locking after ending an unattended session that the user established
    Permission levels: none listed
  • Screen Sharing Support Session Options: Set options for screen sharing
    Permission levels: READ, WRITE; READ
  • Screen Sharing Support Session Unattended: Establish unattended sessions with Windows endpoints that do not require endpoint user permission
    Permission levels: none listed
  • Screen Sharing TDS Integration User: Interact with data provided by Tanium Data Service
    Permission levels: ACCOUNT; ACCOUNT

1 This role provides module permissions for Tanium Feed. You can view which Feed permissions are granted to this role in the Tanium Console. For more information, see Tanium Feed User Guide: User role requirements.


Provided Direct Connect platform content permissions

Roles: Direct Connect Administrator; Direct Connect User; Direct Connect Read Only User; Direct Connect Satellite Operator; Direct Connect Endpoint Configuration Approver; Direct Connect File Modifier

  • Action
    Permission levels: READ, WRITE; READ, WRITE; READ, WRITE; READ; READ, WRITE
  • Bypass Action Approval
    Permission levels: none listed
  • Own Action
    Permission levels: READ; READ; READ; READ; READ
  • Package
    Permission levels: READ; READ; READ; READ; READ
  • Plugin
    Permission levels: READ, EXECUTE; READ, EXECUTE; READ; READ, EXECUTE; READ; READ, EXECUTE
  • Saved Question
    Permission levels: READ; READ; READ; READ, WRITE; READ; READ
  • Sensor
    Permission levels: READ; READ; READ, WRITE; READ; READ

To view which content set permissions are granted to a role, see Tanium Console User Guide: View effective role permissions.


Provided Screen Sharing platform content permissions

Roles: Screen Sharing Administrator; Screen Sharing Agent

  • Action
    Permission levels: READ, WRITE; READ, WRITE
  • Own Action
    Permission levels: READ; READ
  • Package
    Permission levels: READ; READ
  • Plugin
    Permission levels: READ, EXECUTE; READ, EXECUTE
  • Sensor
    Permission levels: READ; READ

To view which content set permissions are granted to a role, see Tanium Console User Guide: View effective role permissions.

For more information and descriptions of content sets and permissions, see the Tanium Core Platform User Guide: Users and user groups.