Direct Connect requirements

Review the requirements before you install and use Direct Connect.

Tanium dependencies

Make sure that your environment meets the following requirements.

Component Requirement
Tanium™ Core Platform
  • 7.2.314.2831 or later
  • 7.3.314.3668 or later
  • 7.4.1.1939 or later
Tanium™ Appliance (Optional) If you are using a Tanium Appliance for your Zone Server, you must use Tanium operating system (TanOS) 1.5.2 or later.
Tanium™ Client
  • 7.2.314.3211 or later
  • 7.4.1.1955 or later
Tanium™ products

The following modules are optional, but Performance requires the specified minimum versions to work with them:

  • Tanium Protect: If you install Direct Connect 1.3.x or later for use with Protect, you must use Protect 2.1.1 or later.

If you are using any of the following Tanium™ modules that use the Tanium™ Client Recorder Extension, you must use the specified versions:

  • Tanium™ Integrity Monitor 1.7.0.0035 or later
  • Tanium™ Map 1.1.1.0006 or later
  • Tanium™ Threat Response 1.2.0.0037 or later
  • Tanium™ Trace 2.9.0.0035 or later

Tanium Module Server

Direct Connect is installed and runs as a service on the Module Server. The impact on the Module Server is minimal and depends on usage.

Endpoints

Supported operating systems

The following endpoint operating systems are supported with Direct Connect.

  • Windows
  • Linux
  • macOS

For a list of specific operating system versions, see Tanium Client User Guide: Host system requirements.

Host and network security requirements

Specific ports are needed to run Direct Connect.

Ports

The following ports are required for Direct Connect communication.

Component Port Direction Purpose
Module Server 17475 Inbound Connecting to the Module Server for direct connections to endpoints.
Zone Server1 17486 Inbound The binding port that is used by the Zone Server for endpoint connections.
The default port number is 17486. If needed, you can specify a different port number when you configure the Zone Proxy.
17487 Inbound (Module Server to Zone Server) The binding port that is used by the Zone Server for module server connections.
The default port number is 17487. If needed, you can specify a different port number when you configure the Zone Proxy.
17488 Inbound (Module Server to Zone Server) The Direct Connect Zone Proxy installer automatically opens port 17488 on the Zone Server to allow communication between the Zone Server and the Module Server.

1 These ports are required only when you use a Zone Server.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference.

Table 1:   Direct Connect security exclusions
Target Device Process
Windows endpoints <Tanium Client>\TaniumClientExtensions.dll
<Tanium Client>\TaniumClientExtensions.dll.sig
<Tanium Client>\extensions\TaniumDEC.dll
<Tanium Client>\extensions\TaniumDEC.dll.sig
macOS endpoints <Tanium Client>/libTaniumClientExtensions.dylib
<Tanium Client>/libTaniumClientExtensions.dylib.sig
<Tanium Client>/extensions/libTaniumDEC.dylib
<Tanium Client>/extensions/libTaniumDEC.dylib.sig
Linux endpoints <Tanium Client>/libTaniumClientExtensions.so
<Tanium Client>/libTaniumClientExtensions.so.sig
<Tanium Client>/extensions/libTaniumDEC.so
<Tanium Client>/extensions/libTaniumDEC.so.sig

Zone proxy server requirements

If you want to use Direct Connect to connect to endpoints that route to the module server through a Zone Server, you must install and configure the Direct Connect Zone Proxy on that Zone Server. For more information, see Configure Zone Proxies.

For best results, do not use a load balancer in front of your Zone Server. If you must use a load balancer, it must be configured for persistent TCP connections and the port that you configure in the Direct Connect Zone Proxy for the Endpoint Inbound Port must be open on the load balancer. By default, this port is 17486.

User role requirements

Table 2:   Tanium Direct Connect User Role Privileges
Permission Direct Connect Administrator Direct Connect Read Only User Direct Connect Service Account Direct Connect User
Show Direct Connect

Allows users to access the Direct Connect workbench

Direct Connect Session Read

Allows users to view endpoint connections

Direct Connect Session Write

Allows users to create and manage endpoint connections

Direct Connect Settings Read

Allows users to view Direct Connect settings

Direct Connect Settings Write

Allows users to modify Direct Connect settings

Direct Connect Logs Read

Allows users to view the Direct Connect logs

Direct Connect Cron Exec

Allows performing service account work




Table 3:   Provided Advanced user role permissions for Tanium 7.1.314.3071 or later
Permission Content Set for Permission Direct Connect Administrator Direct Connect Read Only User Direct Connect Service Account Direct Connect User
Read Sensor Reserved
Read Sensor Base
Read Sensor Direct Connect
Read Action Direct Connect
Read Own Action Direct Connect 1 1 1 1
Write Action Direct Connect
Show Preview Direct Connect 1 1 1
Read Plugin Direct Connect 1 1 1 1
Execute Plugin Direct Connect
Read Package Direct Connect 1 1 1
Write Package Direct Connect
Read Saved Question Reserved
Read Saved Question Direct Connect

1 Denotes a provided permission.

For more information and descriptions of content sets and permissions, see the Tanium Core Platform User Guide: Users and user groups.