Direct Connect requirements

Review the requirements before you install and use Direct Connect.

Tanium dependencies

Component Requirement
Tanium™ Core Platform
  • 7.3.314.4250 or later
  • 7.4.1.1939 or later
Tanium™ Appliance (Optional) If you are using a Tanium Appliance for your Zone Server, you must use Tanium operating system (TanOS) 1.5.2 or later.
  • For TanOS 1.5.2 - 1.5.4, you must use the TanOS shell to install the Direct Connect Zone Proxy.
  • For TanOS 1.5.5 and later, you can install the Direct Connect Zone Proxy through the Tanium Operations menu on the Zone Server appliance. For more information, see Appliance Deployment Guide: Install the Direct Connect Zone Proxy. To install the Direct Connect Zone Proxy on a Tanium Appliance with the All-in-One role, use the TanOS shell.
Tanium™ Client Any supported version of Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client Management User Guide: Client version and host system requirements.

If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.
Tanium™ solutions

If you clicked Tanium Recommended Installation when you installed Direct Connect, the Tanium Server automatically installed all your licensed solutions at the same time. Otherwise, you must manually install any other solutions you are using, as described under Tanium Console User Guide: Import, re-import, or update specific solutions.

The following solution is required for features of Direct Connect to function. The given version is the minimum required:

  • Tanium™ Endpoint Configuration 1.2 or later (installed as part of Tanium™ Client Management 1.5 or later)

The following solutions are optional:

  • Tanium™ Enforce
  • Tanium™ Performance

The following solutions are optional, but Direct Connect requires the specified minimum versions to work with them:

  • Tanium™ Connect 4.12 or later
  • Tanium™ Integrity Monitor 1.7.0.0035 or later
  • Tanium™ Map 1.1.1.0006 or later
  • Tanium™ Threat Response 1.2.0.0037 or later

Tanium Module Server

Direct Connect is installed and runs as a service on the Module Server. The impact on the Module Server is minimal and depends on usage.

Endpoints

Supported internet protocols

Direct Connect supports only endpoints that have IPv4 addresses.

Supported operating systems

The following endpoint operating systems are supported with Direct Connect.

Operating System Version Notes
Windows
  • Windows 7 Service Pack 1 or later
  • Windows Server 2008 R2 Service Pack 1 or later
 Windows 7 Service Pack 1 requires Microsoft KB2758857.
macOS

Same as Tanium Client support. See Tanium Client Management User Guide: Client version and host system requirements.

  
Linux

Same as Tanium Client support. See Tanium Client Management User Guide: Client version and host system requirements.

  

Host and network security requirements

Specific ports and processes are needed to run Direct Connect.

Ports

The following ports, which communicate over HTTPS using TLS 1.2 (RSA 2048-bit), are required for Direct Connect.

The following port, which communicates over HTTPS using TLS 1.2 (RSA 2048-bit), is required for Direct Connect.

Source Destination Port Protocol Purpose
Tanium Client (internal) Module Server 17475 TCP Used by the Module Server for endpoint connections to internal clients.
Tanium Client (external) Zone Server1 Tanium as a Service 17486 TCP Used by the Zone Server for endpoint connections to external clients. This port begins listening after the Zone Proxy provisioning process is complete on port 17488.
The default port number is 17486. If needed, you can specify a different port number when you configure the zone proxy.
Module Server Zone Server1 17487 TCP Used by the Zone Server for Module Server connections. This port begins listening after the Zone Proxy provisioning process is complete on port 17488.
The default port number is 17487. If needed, you can specify a different port number when you configure the zone proxy.
17488 TCP Used by the Module Server to provision the Zone Proxy on the Zone Server. After the Zone Proxy is provisioned, used for connection status and diagnostics. On TanOS, the Direct Connect Zone Proxy installer automatically configures the firewall on the Zone Server to open port 17488. You must manually configure the firewall to open this port on Windows. This port number is not configurable.
Tanium Server Module Server 17477 TCP Tanium Server initiates connections to the Module Server Tanium as a Service on port 17477.
1 These ports are required only when you use a Zone Server.

Direct Connect supports the following cipher suites for encrypting information in TLS communication:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA256

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Direct Connect security exclusions
Target Device Notes Exclusion Type Exclusion
Module Server   Process <Module Server>\services\direct-connect-service\node.exe
  Process <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe
Zone Server   Process <Tanium Installation Directory>\Tanium Direct Connect Zone Proxy\node.exe
Windows endpoints   Process <Tanium Client>\TaniumClientExtensions.dll
  Process <Tanium Client>\TaniumClientExtensions.dll.sig
  Process <Tanium Client>\extensions\TaniumDEC.dll
  Process <Tanium Client>\extensions\TaniumDEC.dll.sig
7.2.x clients; requires SHA2 support to allow installation Process <Tanium Client>\Python27\TPython.exe
7.4.x clients; requires SHA2 support to allow installation Process <Tanium Client>\Python38\TPython.exe
  Process <Tanium Client>\TaniumCX.exe
7.4.x clients Folder <Tanium Client>\Python38
macOS endpoints   Process <Tanium Client>/libTaniumClientExtensions.dylib
  Process <Tanium Client>/libTaniumClientExtensions.dylib.sig
  Process <Tanium Client>/extensions/libTaniumDEC.dylib
  Process <Tanium Client>/extensions/libTaniumDEC.dylib.sig
7.2.x clients Process <Tanium Client>/python27/bin/pybin
7.4.x clients Process <Tanium Client>/python38/bin/pybin
  Process <Tanium Client>/TaniumCX
Linux endpoints   Process <Tanium Client>/libTaniumClientExtensions.so
  Process <Tanium Client>/libTaniumClientExtensions.so.sig
  Process <Tanium Client>/extensions/libTaniumDEC.so
  Process <Tanium Client>/extensions/libTaniumDEC.so.sig
7.2.x clients Process <Tanium Client>/python27/bin/pybin
7.4.x clients Process <Tanium Client>/python38/bin/pybin
  Process <Tanium Client>/TaniumCX
Direct Connect security exclusions
Target Device Notes Exclusion Type Exclusion
Windows endpoints   Process <Tanium Client>\TaniumClientExtensions.dll
  Process <Tanium Client>\TaniumClientExtensions.dll.sig
  Process <Tanium Client>\extensions\TaniumDEC.dll
  Process <Tanium Client>\extensions\TaniumDEC.dll.sig

Requires SHA2 support to allow installation

 Process <Tanium Client>\Python38\TPython.exe
  Process <Tanium Client>\TaniumCX.exe
  Folder <Tanium Client>\Python38
macOS endpoints   Process <Tanium Client>/libTaniumClientExtensions.dylib
  Process <Tanium Client>/libTaniumClientExtensions.dylib.sig
  Process <Tanium Client>/extensions/libTaniumDEC.dylib
  Process <Tanium Client>/extensions/libTaniumDEC.dylib.sig
  Process <Tanium Client>/python38/bin/pybin
  Process <Tanium Client>/TaniumCX
Linux endpoints   Process <Tanium Client>/libTaniumClientExtensions.so
  Process <Tanium Client>/libTaniumClientExtensions.so.sig
  Process <Tanium Client>/extensions/libTaniumDEC.so
  Process <Tanium Client>/extensions/libTaniumDEC.so.sig
  Process <Tanium Client>/python38/bin/pybin
  Process <Tanium Client>/TaniumCX

Zone Proxy server requirements

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

If you want to use Direct Connect to connect to endpoints that route to the module server through a Zone Server, you must install and configure the Direct Connect Zone Proxy on that Zone Server. For more information, see Configure zone proxies.

For best results, do not use a load balancer in front of your Zone Server. If you must use a load balancer, it must be configured for persistent TCP connections and the port that you configure in the Direct Connect Zone Proxy for the Endpoint Inbound Port must be open on the load balancer. By default, this port is 17486.

User role requirements

The following tables list the role permissions required to use Direct Connect. To review a summary of the predefined roles, see Set up Direct Connect users.

For more information about role-based access control (RBAC), role permissions, and associated content sets, see Tanium Core Platform User Guide: Managing RBAC.

Direct Connect user role permissions
Permission Direct Connect Administrator1,2 Direct Connect User1 Direct Connect Read Only User1 Direct Connect Service Account2,3 Direct Connect Endpoint Configuration Approver1,2
Direct Connect Cron

Allows performing service account work
EXEC
Direct Connect Endpoint Configuration

Approve Endpoint Configuration items for Direct Connect
APPROVE
Direct Connect Logs

Access Direct Connect logs
READ
Direct Connect Satellite

Manage satellites
READ
WRITE
Direct Connect Session

Access endpoint connections
READ
WRITE
READ
WRITE
READ
Direct Connect Settings

Access Direct Connect settings
READ
WRITE
READ
Directconnect

View the Direct Connect workbench
SHOW
SHOW
SHOW
SHOW

1 This role provides module permissions for Tanium Interact. You can view which Interact permissions are granted to this role in the Tanium Console. For more information, see Tanium Interact User Guide: Tanium Data Service permissions.

2 This role provides module permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration permissions are granted to this role in the Tanium Console. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

3 If you installed Tanium Client Management, Endpoint Configuration is installed, and by default, configuration changes initiated by the module service account (such as tool deployment) require approval. You can bypass approval for module-generated configuration changes by applying the Endpoint Configuration Bypass Approval permission to this role and adding the relevant content sets. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.



Provided Direct Connect platform content permissions
Permission Direct Connect Administrator Direct Connect User Direct Connect Read Only User Direct Connect Service Account Direct Connect Endpoint Configuration Approver
Action
READ
WRITE
READ
WRITE
READ
Own Action
READ

 
READ
READ
Package
READ
READ
WRITE
READ
Plugin
READ
READ
READ
READ
EXECUTE
READ
Saved Question
READ
READ
READ
READ
READ
Sensor
READ
READ
READ
You can view which content sets are granted to any role in the Tanium Console.

For more information and descriptions of content sets and permissions, see the Tanium Core Platform User Guide: Users and user groups.