Direct Connect requirements

Review the requirements before you install and use Direct Connect.

Core platform dependencies

Make sure that your environment meets the following requirements:

  • Tanium™ Core Platform servers:

    • 7.4.3.1204 or later to use Direct Connect

    • 7.5.5 or later to use Tanium™ Screen Sharing
  • Tanium™ Appliance:

    (Optional) If you are using a Tanium Appliance for your Zone Server, you must install the Direct Connect Zone Proxy through the Tanium Operations menu on the Zone Server appliance. For more information, see Appliance Deployment Guide: Install the Direct Connect Zone Proxy. To install the Direct Connect Zone Proxy on a Tanium Appliance with the All-in-One role, use the TanOS shell.

  • Tanium™ Client: any supported version of Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client Management User Guide: Client version and host system requirements.

    If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.

Solution dependencies

Other Tanium solutions are required for Direct Connect to function. The installation method that you select determines if the Tanium Server automatically imports dependencies or if you must manually import them.

Some Direct Connect dependencies have their own dependencies, which you can see by clicking the links in the lists of Required dependencies. Note that the links open the user guides for the latest version of each solution, not necessarily the minimum version that Direct Connect requires.

Tanium recommended installation

If you select only Direct Connect to import and are using Tanium Core Platform 7.5.2.3531 or later with Tanium Console 3.0.72 or later, the Tanium Server automatically imports the latest available versions of any required dependencies that are missing. If some required dependencies are already imported but their versions are earlier than the minimum required for Direct Connect, the server automatically updates those dependencies to the latest available versions.

If you select only Direct Connect to import and you are using Tanium Core Platform 7.5.2.3503 or earlier with Tanium Console 3.0.64 or earlier, you must manually import or update required dependencies. See Tanium Console User Guide: Import, re-import, or update specific solutions.

Import specific solutions

If you select only Direct Connect to import, you must manually import dependencies. See Tanium Console User Guide: Import, re-import, or update specific solutions.

Required dependencies

Direct Connect has the following required dependencies at the specified minimum version:

Feature-specific dependencies

If you select only Direct Connect to import, you must manually import or update its feature-specific dependencies regardless of the Tanium Console or Tanium Core Platform versions. Direct Connect has the following feature-specific dependencies at the specified minimum versions:

  • Tanium™ Console 3.4.46 or later to use screen sharing functionality
  • Tanium Direct Connect 2.7.43 or later to configure and use screen sharing functionality
  • Tanium™ Interact 2.1.14 or later to use screen sharing functionality
  • Tanium™ Reporting 1.12.143 or later to use screen sharing functionality
  • Tanium™ Reporting Content 1.0.21 or later to use screen sharing functionality
  • Tanium RDB Service 1.2.105 or later to use screen sharing functionality
  • Tanium Screen Sharing 1.2.30 or later to use screen sharing functionality on-premises
  • Tanium™ Secrets Service 1.0.118 or later to use screen sharing functionality
  • Tanium System User Service 1.0.169 or later to use screen sharing functionality

Client extensions

Tanium Endpoint Configuration installs client extensions for Direct Connect on endpoints. Client extensions perform tasks that are common to certain Tanium solutions. The Tanium Client uses code signatures to verify the integrity of each client extension prior to loading the extension on the endpoint. Each client extension has recommended security exclusions to allow the Tanium processes to run without interference. See Security exclusions for more information. The following client extensions perform Direct Connect functions:

  • Config CX - Provides installation and configuration of extensions on endpoints. Tanium Client Management installs this client extension.
  • Core CX - Provides a management framework API for all other client extensions and exposes operating system metrics. Tanium Client Management installs this client extension.
  • DEC CX - Provides a direct connection between the endpoint and the Module Server or Tanium Cloud. Tanium Direct Connect installs this client extension.

Tanium Module Server

Direct Connect is installed and runs as a service on the Module Server. The impact on the Module Server is minimal and depends on usage.

For information about Module Server sizing in a Windows deployment, see Tanium Core Platform Deployment Guide for Windows: Host system sizing guidelines.

Endpoints

Supported internet protocols

Direct Connect supports only endpoints that have IPv4 addresses.

Supported operating systems

The following endpoint operating systems are supported with Direct Connect.

Operating System | Version
Windows | Windows 7 Service Pack 1 or later; Windows Server 2008 R2 Service Pack 1 or later
macOS | Same as Tanium Client support. See Tanium Client Management User Guide: Client version and host system requirements.
Linux | Same as Tanium Client support. See Tanium Client Management User Guide: Client version and host system requirements.

Screen sharing operating systems

The following endpoint operating systems are supported for screen sharing through Tanium. For a list of operating systems supported by ScreenMeet, see ScreenMeet Docs: Requirements.

The first time a Tanium user establishes a screen sharing session with a macOS endpoint, the endpoint user must select ScreenMeetSupport in the Screen Recording and Accessibility permissions in System Preferences, then click Later when prompted. For more information, see ScreenMeet Docs: Connecting to Mac devices.

Operating System | Version | Notes
Windows | Windows 8; Windows 10; Windows 10S; Windows 11 | Windows operating systems also require .NET Framework 4.6.2 or later. Windows operating systems support attended and unattended screen sharing sessions.
macOS | 10.13 or later | macOS operating systems support only attended screen sharing sessions.

Host and network security requirements

Specific ports and processes are needed to run Direct Connect.

Ports

The following ports, which communicate over HTTPS using TLS 1.2 (RSA 2048-bit), are required for Direct Connect.

These ports are not required for screen sharing.

Source | Destination | Port | Protocol | Purpose
Tanium Client (internal) | Module Server | 17475 | TCP | Used by the Module Server for endpoint connections to internal clients.
Tanium Client (external) | Zone Server (1) or Tanium Cloud | 17486 | TCP | Used by the Zone Server for endpoint connections to external clients. This port begins listening after the Zone Proxy provisioning process is complete on port 17488. The default port number is 17486. If needed, you can specify a different port number when you configure the zone proxy.
Module Server | Zone Server (1) | 17487 | TCP | Used by the Zone Server for Module Server connections. This port begins listening after the Zone Proxy provisioning process is complete on port 17488. The default port number is 17487. If needed, you can specify a different port number when you configure the zone proxy.
Module Server | Zone Server (1) | 17488 | TCP | Used by the Module Server to provision the Zone Proxy on the Zone Server. After the Zone Proxy is provisioned, used for connection status and diagnostics. On TanOS, the Direct Connect Zone Proxy installer automatically configures the firewall on the Zone Server to open port 17488. You must manually configure the firewall to open this port on Windows. This port number is not configurable.
Tanium Server | Module Server | 17477 | TCP | The Tanium Server initiates connections to the Module Server or Tanium Cloud on port 17477.

(1) These ports are required only when you use a Zone Server.

Direct Connect supports the following cipher suites for encrypting information in TLS communication:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
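An added example, not Tanium code or documentation: a small Python helper that derives the TCP allow rules a deployment needs from the port table above (with or without a Zone Server) and probes one listed port with a TLS 1.2 handshake that offers only the four cipher suites, reporting any departure from the documented policy. The script name dc_check.py and the host you pass on the command line are assumptions; run it from a machine that the firewall already allows through to the Module Server.

```python
"""Added helper (not Tanium code): plan Direct Connect firewall rules and probe TLS policy."""
import socket
import ssl
import sys

# Cipher suites from the requirements page (IANA names) mapped to the OpenSSL
# names that SSLContext.set_ciphers() accepts and SSLSocket.cipher() reports.
ALLOWED_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
}

# Direct Connect ports from the page: (source, destination, TCP port, Zone Server only?)
PORT_RULES = [
    ("Tanium Client (internal)", "Module Server", 17475, False),
    ("Tanium Client (external)", "Zone Server", 17486, True),
    ("Module Server", "Zone Server", 17487, True),
    ("Module Server", "Zone Server", 17488, True),
    ("Tanium Server", "Module Server", 17477, False),
]

def required_rules(uses_zone_server):
    """TCP allow rules (source, destination, port) that this deployment needs."""
    return [(src, dst, port) for src, dst, port, zs_only in PORT_RULES
            if uses_zone_server or not zs_only]

def policy_violations(cipher, version):
    """Ways a negotiated cipher/version pair departs from the documented policy."""
    problems = []
    if version != "TLSv1.2":
        problems.append(f"negotiated {version}; the page documents TLS 1.2")
    if cipher not in ALLOWED_SUITES.values():
        problems.append(f"cipher {cipher} is not one of the four listed suites")
    return problems

def probe(host, port, timeout=5.0):
    """Live check: TLS 1.2 handshake offering only the listed suites; returns
    (cipher, version, violations). Certificate trust is not evaluated here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(ALLOWED_SUITES.values()))
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cipher, version, _bits = tls.cipher()
            return cipher, version, policy_violations(cipher, version)

if __name__ == "__main__":  # usage: python dc_check.py <module-server-host>
    for src, dst, port in required_rules(uses_zone_server=True):
        print(f"allow {src} -> {dst} tcp/{port}")
    print(probe(sys.argv[1], 17475))
```

Ports 17486, 17487 and 17488 only listen once the Zone Proxy is provisioned, so a failed probe against a fresh Zone Server is expected until provisioning completes.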

If you have a license for screen sharing, see ScreenMeet Docs: Security requirements.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Direct Connect security exclusions

Target Device | Exclusion Type | Exclusion
Module Server | Process | <Module Server>\services\direct-connect-service\TaniumDirectConnectService.exe
Module Server | Process | <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe
Zone Server | Process | <Tanium Installation Directory>\Tanium Direct Connect Zone Proxy\node.exe
Zone Server | Process | <Tanium Installation Directory>\Tanium Direct Connect Zone Proxy\twsm.exe
Windows endpoints | File | <Tanium Client>\TaniumClientExtensions.dll
Windows endpoints | File | <Tanium Client>\TaniumClientExtensions.dll.sig
Windows endpoints | File | <Tanium Client>\extensions\TaniumDEC.dll
Windows endpoints | File | <Tanium Client>\extensions\TaniumDEC.dll.sig
Windows endpoints | Process | <Tanium Client>\TaniumCX.exe
macOS endpoints | File | <Tanium Client>/libTaniumClientExtensions.dylib
macOS endpoints | File | <Tanium Client>/libTaniumClientExtensions.dylib.sig
macOS endpoints | File | <Tanium Client>/extensions/libTaniumDEC.dylib
macOS endpoints | File | <Tanium Client>/extensions/libTaniumDEC.dylib.sig
macOS endpoints | Process | <Tanium Client>/TaniumCX
Linux endpoints | File | <Tanium Client>/libTaniumClientExtensions.so
Linux endpoints | File | <Tanium Client>/libTaniumClientExtensions.so.sig
Linux endpoints | File | <Tanium Client>/extensions/libTaniumDEC.so
Linux endpoints | File | <Tanium Client>/extensions/libTaniumDEC.so.sig
Linux endpoints | Process | <Tanium Client>/TaniumCX

Internet URLs

If security software is deployed in the environment to monitor and block unknown URLs, your security administrator might need to allow the following URLs for screen sharing.

Allowing these URLs is not required for Direct Connect.

URL | Description
*.screenmeet.com | Establish screen sharing connections
*.scrn.mt | Establish screen sharing connections
https://onpremapi.ssc.cloud.tanium.com/redeemOTP | From the Tanium Module Server, obtain a one-time passcode (OTP) over port 443/TCP for provisioning an on-premises installation

For a list of hosts and IP addresses to allow for ScreenMeet, see: ScreenMeet Docs: Firewall configuration.

If you deployed proxy servers to your network, for the best results, allow traffic from these URLs to bypass the proxy servers. Screen sharing traffic passed through proxy servers negatively impacts performance. For more information, see ScreenMeet Docs: ScreenMeet Enterprise Deployment Guide.

Zone Proxy server requirements

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

If you want to use Direct Connect to connect to endpoints that route to the Module Server through a Zone Server, you must install and configure the Direct Connect Zone Proxy on that Zone Server. For more information, see Configure zone proxies.

For best results, do not use a load balancer in front of your Zone Server. If you must use a load balancer, it must be configured for persistent TCP connections and the port that you configure in the Direct Connect Zone Proxy for the Endpoint Inbound Port must be open on the load balancer. By default, this port is 17486.

User role requirements

The following tables list the role permissions required to use Direct Connect. To review a summary of the predefined roles, see Set up Direct Connect users.

Do not assign the Direct Connect Service Account and Direct Connect Service Account - All Content Sets roles to users. These roles are for internal purposes only.

For more information about role-based access control (RBAC), role permissions, and associated content sets, see Tanium Core Platform User Guide: Managing RBAC.

Direct Connect user role permissions

Roles (table columns): Direct Connect Administrator (1, 2), Direct Connect User (1), Direct Connect Read Only User (1), Direct Connect Satellite Operator (1), Direct Connect Endpoint Configuration Approver (1, 2).

  • Direct Connect Cron (Allows performing service account work)
  • Direct Connect Endpoint Configuration (Approve Endpoint Configuration items for Direct Connect): APPROVE
  • Direct Connect Logs (Access Direct Connect logs): READ
  • Direct Connect Satellite (Manage satellites): READ, WRITE; READ, WRITE
  • Direct Connect Session (Access endpoint connections): READ, WRITE; READ, WRITE; READ; WRITE
  • Direct Connect Settings (Access Direct Connect settings): READ, WRITE; READ
  • Directconnect (View the Direct Connect workbench): SHOW; SHOW; SHOW; SHOW; SHOW

(1) This role provides module permissions for Tanium Interact. You can view which Interact permissions are granted to this role in the Tanium Console. For more information, see Tanium Interact User Guide: Tanium Data Service permissions.

(2) This role provides module permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration permissions are granted to this role in the Tanium Console. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.


Screen Sharing user role permissions

Roles (table columns): Screen Sharing Administrator, Screen Sharing Agent.

  • Screen Sharing API (Connect to Screen Sharing API): EXECUTE; EXECUTE
  • Screen Sharing Audit Event Log (View event log for auditing purposes): READ
  • Screen Sharing Config (Configure ScreenMeet initial account configuration settings that Tanium provides for new account provisioning or resetting existing account configuration): READ, WRITE; READ
  • Screen Sharing Console (Get magic URL for connecting to ScreenMeet): EXECUTE
  • Screen Sharing Licensing (View ScreenMeet license information): READ; READ
  • Screen Sharing Platform Integration User (Interact with the platform): ACCOUNT; ACCOUNT
  • Screen Sharing Provisioning (Get provisioning information): READ
  • Screen Sharing Settings (Configure screen sharing settings): READ, WRITE
  • Screen Sharing Support Session (Start a screen sharing session on a remote endpoint, requiring endpoint user permission): READ, WRITE, EXECUTE, DELETE; READ, WRITE, EXECUTE, DELETE
  • Screen Sharing Support Session All (Join any screen sharing session, even if started by another user): READ, EXECUTE, DELETE
  • Screen Sharing Support Session Options (Set options for screen sharing): READ, WRITE; READ
  • Screen Sharing Support Session Unattended (Start a screen sharing session on a remote endpoint without needing endpoint user permission)
  • Screen Sharing TDS Integration User (Query Tanium Data Service): ACCOUNT; ACCOUNT

Provided Direct Connect platform content permissions

Roles (table columns): Direct Connect Administrator, Direct Connect User, Direct Connect Read Only User, Direct Connect Satellite Operator, Direct Connect Service Account, Direct Connect Endpoint Configuration Approver.

  • Action: READ, WRITE; READ, WRITE; READ
  • Own Action: READ; READ; READ
  • Package: READ; READ, WRITE; READ
  • Plugin: READ; READ; READ; READ; READ, EXECUTE; READ
  • Saved Question: READ; READ; READ; READ; READ; READ
  • Sensor: READ; READ; READ

To view which content set permissions are granted to a role, see Tanium Console User Guide: View effective role permissions.


Provided Screen Sharing platform content permissions

Roles (table columns): Screen Sharing Administrator, Screen Sharing Agent.

  • Action: WRITE; WRITE
  • Own Action: READ; READ
  • Package: READ; READ
  • Plugin: READ, EXECUTE; READ, EXECUTE
  • Sensor: READ; READ

To view which content set permissions are granted to a role, see Tanium Console User Guide: View effective role permissions.

For more information and descriptions of content sets and permissions, see the Tanium Core Platform User Guide: Users and user groups.