Direct Connect requirements

Review the requirements before you install and use Direct Connect.

Tanium dependencies

Make sure that your environment meets the following requirements.

Component Requirement
Tanium™ Core Platform
  • 7.3.314.4250 or later
  • 7.4.1.1939 or later
Tanium™ Appliance (Optional) If you are using a Tanium Appliance for your Zone Server, you must use Tanium operating system (TanOS) 1.5.2 or later.
  • For TanOS 1.5.2 - 1.5.4, you must use the TanOS shell to install the Direct Connect Zone Proxy.
  • For TanOS 1.5.5 and later, you can install the Direct Connect Zone Proxy through the Tanium Operations menu on the Zone Server appliance. For more information, see Appliance Deployment Guide: Install the Direct Connect Zone Proxy. To install the Direct Connect Zone Proxy on a Tanium Appliance with the All-in-One role, use the TanOS shell.
Tanium™ Client 7.2.314.3211 or later 7.4 or later
Tanium™ products
  • Tanium™ Endpoint Configuration 1.0 or later (installed as part of Tanium Client Management 1.5.3 or later) is required for tools deployment and optionally approving configuration changes.
  • Tanium Protect is optional, but if you install Direct Connect 1.3.x or later for use with Protect, you must use Protect 2.1.1 or later.

If you are using any of the following Tanium™ modules that use the Tanium™ Client Recorder Extension, you must use the specified versions:

  • Tanium™ Integrity Monitor 1.7.0.0035 or later
  • Tanium™ Map 1.1.1.0006 or later
  • Tanium™ Threat Response 1.2.0.0037 or later
  • Tanium™ Trace 2.9.0.0035 or later

Tanium Module Server

Direct Connect is installed and runs as a service on the Module Server. The impact on the Module Server is minimal and depends on usage.

Endpoints

Supported operating systems

The following endpoint operating systems are supported with Direct Connect.

Operating System Version
Windows
  • Windows 7 or later
  • Windows Server 2008 R2 or later
  • Windows XP and Windows Server 2003 are not supported
macOS

Same as Tanium Client support. See Tanium Client User Guide: Host system requirements.
Linux

Same as Tanium Client support. See Tanium Client User Guide: Host system requirements.

Host and network security requirements

Specific ports and processes are needed to run Direct Connect.

Ports

The following ports, which communicate over HTTPS using TLS 1.2 (RSA 2048-bit), are required for Direct Connect.

The following port, which communicates over HTTPS using TLS 1.2 (RSA 2048-bit), is required for Direct Connect.

Source Destination Port Protocol Purpose
Tanium Client (internal) Module Server 17475 TCP Used by the Module Server for endpoint connections to internal clients.
Tanium Client (external) Zone Server1 Tanium as a Service 17486 TCP Used by the Zone Server for endpoint connections to external clients.
The default port number is 17486. If needed, you can specify a different port number when you configure the Zone Proxy.
Module Server Zone Server1 17487 TCP Used by the Zone Server for Module Server connections.
The default port number is 17487. If needed, you can specify a different port number when you configure the Zone Proxy.
17488 TCP Allows communication between the Zone Server and the Module Server. On TanOS, the Direct Connect Zone Proxy installer automatically opens port 17488 on the Zone Server. This port must be manually opened on Windows.
Tanium Server Module Server 17477 TCP Tanium Server initiates connections to the Module Server Tanium as a Service on port 17477.
1 These ports are required only when you use a Zone Server.

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

Direct Connect supports the following cipher suites for encrypting information in TLS communication:

  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA256

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Table 1:   Direct Connect security exclusions
Target Device Notes Process
Module Server   <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe
Windows endpoints   <Tanium Client>\TaniumClientExtensions.dll
  <Tanium Client>\TaniumClientExtensions.dll.sig
  <Tanium Client>\extensions\TaniumDEC.dll
  <Tanium Client>\extensions\TaniumDEC.dll.sig
  <Tanium Client>\TaniumCX.exe
macOS endpoints   <Tanium Client>/libTaniumClientExtensions.dylib
  <Tanium Client>/libTaniumClientExtensions.dylib.sig
  <Tanium Client>/extensions/libTaniumDEC.dylib
  <Tanium Client>/extensions/libTaniumDEC.dylib.sig
  <Tanium Client>/TaniumCX
Linux endpoints   <Tanium Client>/libTaniumClientExtensions.so
  <Tanium Client>/libTaniumClientExtensions.so.sig
  <Tanium Client>/extensions/libTaniumDEC.so
  <Tanium Client>/extensions/libTaniumDEC.so.sig
  <Tanium Client>/TaniumCX
Table 2:   Direct Connect security exclusions
Target Device Notes Process
Windows endpoints   <Tanium Client>\TaniumClientExtensions.dll
  <Tanium Client>\TaniumClientExtensions.dll.sig
  <Tanium Client>\extensions\TaniumDEC.dll
  <Tanium Client>\extensions\TaniumDEC.dll.sig
  <Tanium Client>\TaniumCX.exe
macOS endpoints   <Tanium Client>/libTaniumClientExtensions.dylib
  <Tanium Client>/libTaniumClientExtensions.dylib.sig
  <Tanium Client>/extensions/libTaniumDEC.dylib
  <Tanium Client>/extensions/libTaniumDEC.dylib.sig
  <Tanium Client>/TaniumCX
Linux endpoints   <Tanium Client>/libTaniumClientExtensions.so
  <Tanium Client>/libTaniumClientExtensions.so.sig
  <Tanium Client>/extensions/libTaniumDEC.so
  <Tanium Client>/extensions/libTaniumDEC.so.sig
  <Tanium Client>/TaniumCX

Zone proxy server requirements

If you want to use Direct Connect to connect to endpoints that route to the module server through a Zone Server, you must install and configure the Direct Connect Zone Proxy on that Zone Server. For more information, see Configure Zone Proxies.

For best results, do not use a load balancer in front of your Zone Server. If you must use a load balancer, it must be configured for persistent TCP connections and the port that you configure in the Direct Connect Zone Proxy for the Endpoint Inbound Port must be open on the load balancer. By default, this port is 17486.

User role requirements

The following tables list the role permissions required to use Direct Connect. For more information about role-based access control (RBAC), role permissions, and associated content sets, see Tanium Core Platform User Guide: Managing RBAC.

Table 3:   Tanium Direct Connect User Role Privileges
Permission Direct Connect Administrator Direct Connect User Direct Connect Read Only User Direct Connect Service Account3 Direct Connect Endpoint Configuration Approver21
Show Direct Connect1

Allows users to access the Direct Connect workbench
Direct Connect Session Read

Allows users to view endpoint connections
Direct Connect Session Write

Allows users to create and manage endpoint connections
Direct Connect Settings Read

Allows users to view Direct Connect settings
Direct Connect Settings Write

Allows users to modify Direct Connect settings
Direct Connect Logs Read

Allows users to view the Direct Connect logs
Direct Connect Cron Exec

Allows performing service account work
Direct Connect Endpoint Configuration Approve

Allows approval of Endpoint Configuration items for Direct Connect

1 To install Direct Connect, you must have the reserved role of Administrator.

21 This role provides module permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration permissions are granted to this role in the Tanium Console. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

3 If you installed Tanium Client Management, this This user requires the Endpoint Configuration Service Account role. Endpoint Configuration is installed as a part of Tanium Client Management.



Table 4:   Provided Advanced user role permissions
Permission Content Set for Permission Direct Connect Administrator Direct Connect Read Only User Direct Connect Service Account Direct Connect User Direct Connect Endpoint Configuration Approver
Read Sensor Reserved
Read Sensor Base
Read Sensor Direct Connect
Read Action Direct Connect
Read Own Action Direct Connect 1

 

 1 1 1
Write Action Direct Connect
Show Preview Direct Connect 1 1 1
Read Plugin Direct Connect 1 1 1
Execute Plugin Direct Connect
Execute Plugin Endpoint Configuration
Read Package Direct Connect 1 1 1
Write Package Direct Connect
Read Saved Question Reserved
Read Saved Question Default
Read Saved Question Direct Connect

1 Denotes a provided permission.

For more information and descriptions of content sets and permissions, see the Tanium Core Platform User Guide: Users and user groups.