Direct Connect requirements
Review the requirements before you
Core platform dependencies
Make sure that your environment meets the following requirements:
-
Tanium™ Core Platform servers:
-
7.4.3.1204 or later
-
7.5.2.3503 or later
-
-
Tanium™ Appliance:
(Optional) If you are using a Tanium Appliance for your Zone Server, you must use Tanium operating system (TanOS) 1.5.2 or later.
- For TanOS 1.5.2 - 1.5.4, you must use the TanOS shell to install the Direct Connect Zone Proxy.
- For TanOS 1.5.5 and later, you can install the Direct Connect Zone Proxy through the Tanium Operations menu on the Zone Server appliance. For more information, see Appliance Deployment Guide: Install the Direct Connect Zone Proxy. To install the Direct Connect Zone Proxy on a Tanium Appliance with the All-in-One role, use the TanOS shell.
- Tanium™ Client: Any supported version of Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client Management User Guide: Client version and host system requirements.
If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.
Solution dependencies
Other Tanium solutions are required for Direct Connect to function. The installation method that you select determines if the Tanium Server automatically imports dependencies or if you must manually import them.
Some Direct Connect dependencies have their own dependencies, which you can see by clicking the links in the lists of Required dependencies. Note that the links open the user guides for the latest version of each solution, not necessarily the minimum version that Direct Connect requires.
Tanium recommended installation
If you select only Direct Connect to import and are using Tanium Core Platform 7.5.2.3531 or later with Tanium Console 3.0.72 or later, the Tanium Server automatically imports the latest available versions of any required dependencies that are missing. If some required dependencies are already imported but their versions are earlier than the minimum required for Direct Connect , the server automatically updates those dependencies to the latest available versions.
If you select only Direct Connect to import and you are using Tanium Core Platform 7.5.2.3503 or earlier with Tanium Console 3.0.64 or earlier, you must manually import or update required dependencies. See Tanium Console User Guide: Import, re-import, or update specific solutions.
Import specific solutions
If you select only Direct Connect to import, you must manually import dependencies. See Tanium Console User Guide: Import, re-import, or update specific solutions.
Required dependencies
Direct Connect has the following required dependency at the specified minimum version:
- Tanium™ Endpoint Configuration 1.2 or later (installed as part of Tanium Client Management 1.5 or later)
- Tanium™ System User Service 1.0.77 or later
Client extensions
Tanium Endpoint Configuration installs client extensions for Direct Connect on endpoints. Client Extensions perform tasks that are common to certain Tanium solutions. The Tanium Client uses code signatures to verify the integrity of each client extension prior to loading the extension on the endpoint. Each client extension has recommended security exclusions to allow the Tanium processes to run without interference. See Security exclusions for more information. The following client extensions perform Direct Connect functions:
- Config CX - Provides installation and configuration of extensions on endpoints. Tanium Client Management installs this client extension.
- Core CX - Provides a management framework API for all other client extensions and exposes operating system metrics. Tanium Client Management installs this client extension.
- DEC CX - Provides a direct connection between endpoint and
Tanium Module Server
Direct Connect is installed and runs as a service on the Module Server. The impact on the Module Server is minimal and depends on usage.
For information about Module Server sizing in a Windows deployment, see Tanium Core Platform Deployment Guide for Windows: Host system sizing guidelines.
Endpoints
Supported internet protocols
Direct Connect supports only endpoints that have IPv4 addresses.
Supported operating systems
The following endpoint operating systems are supported with Direct Connect.
| Operating System | Version | Notes |
|---|---|---|
| Windows |
| |
| macOS | Same as Tanium Client support. See Tanium Client Management User Guide: Client version and host system requirements. | |
| Linux | Same as Tanium Client support. See Tanium Client Management User Guide: Client version and host system requirements. |
Host and network security requirements
Specific ports and processes are needed to run Direct Connect.
Ports
The following ports, which communicate over HTTPS using TLS 1.2 (RSA 2048-bit), are required for Direct Connect.
The following port, which communicates over HTTPS using TLS 1.2 (RSA 2048-bit), is required for Direct Connect.
| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| Tanium Client (internal) | Module Server | 17475 | TCP | Used by the Module Server for endpoint connections to internal clients. |
| Tanium Client | 17486 | TCP | Used | |
| Module Server | Zone Server1 | 17487 | TCP | Used by the Zone Server for Module Server connections. This port begins listening after the Zone Proxy provisioning process is complete on port 17488. The default port number is 17487. If needed, you can specify a different port number when you configure the zone proxy. |
| 17488 | TCP | Used by the Module Server to provision the Zone Proxy on the Zone Server. After the Zone Proxy is provisioned, used for connection status and diagnostics. On TanOS, the Direct Connect Zone Proxy installer automatically configures the firewall on the Zone Server to open port 17488. You must manually configure the firewall to open this port on Windows. This port number is not configurable. | ||
| Tanium Server | Module Server | 17477 | TCP | Tanium Server initiates connections to |
| 1 These ports are required only when you use a Zone Server. | ||||
Direct Connect supports the following cipher suites for encrypting information in TLS communication:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Security exclusions
If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.
| Target Device | Notes | Exclusion Type | Exclusion |
|---|---|---|---|
| Module Server | Process | <Module Server>\services\direct-connect-service\TaniumDirectConnectService.exe | |
| Process | <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe | ||
| Zone Server | Process | <Tanium Installation Directory>\Tanium Direct Connect Zone Proxy\node.exe | |
| Process | <Tanium Installation Directory>\Tanium Direct Connect Zone Proxy\twsm.exe | ||
| Windows endpoints | File | <Tanium Client>\TaniumClientExtensions.dll | |
| File | <Tanium Client>\TaniumClientExtensions.dll.sig | ||
| File | <Tanium Client>\extensions\TaniumDEC.dll | ||
| File | <Tanium Client>\extensions\TaniumDEC.dll.sig | ||
| Process | <Tanium Client>\TaniumCX.exe | ||
| macOS endpoints | File | <Tanium Client>/libTaniumClientExtensions.dylib | |
| File | <Tanium Client>/libTaniumClientExtensions.dylib.sig | ||
| File | <Tanium Client>/extensions/libTaniumDEC.dylib | ||
| File | <Tanium Client>/extensions/libTaniumDEC.dylib.sig | ||
| Process | <Tanium Client>/TaniumCX | ||
| Linux endpoints | File | <Tanium Client>/libTaniumClientExtensions.so | |
| File | <Tanium Client>/libTaniumClientExtensions.so.sig | ||
| File | <Tanium Client>/extensions/libTaniumDEC.so | ||
| File | <Tanium Client>/extensions/libTaniumDEC.so.sig | ||
| Process | <Tanium Client>/TaniumCX |
| Target Device | Notes | Exclusion Type | Exclusion |
|---|---|---|---|
| Windows endpoints | File | <Tanium Client>\TaniumClientExtensions.dll | |
| File | <Tanium Client>\TaniumClientExtensions.dll.sig | ||
| File | <Tanium Client>\extensions\TaniumDEC.dll | ||
| File | <Tanium Client>\extensions\TaniumDEC.dll.sig | ||
| Process | <Tanium Client>\TaniumCX.exe | ||
| macOS endpoints | File | <Tanium Client>/libTaniumClientExtensions.dylib | |
| File | <Tanium Client>/libTaniumClientExtensions.dylib.sig | ||
| File | <Tanium Client>/extensions/libTaniumDEC.dylib | ||
| File | <Tanium Client>/extensions/libTaniumDEC.dylib.sig | ||
| Process | <Tanium Client>/TaniumCX | ||
| Linux endpoints | File | <Tanium Client>/libTaniumClientExtensions.so | |
| File | <Tanium Client>/libTaniumClientExtensions.so.sig | ||
| File | <Tanium Client>/extensions/libTaniumDEC.so | ||
| File | <Tanium Client>/extensions/libTaniumDEC.so.sig | ||
| Process | <Tanium Client>/TaniumCX |
Zone Proxy server requirements
Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.
If you want to use Direct Connect to connect to endpoints that route to the module server through a Zone Server, you must install and configure the Direct Connect Zone Proxy on that Zone Server. For more information, see Configure zone proxies.
For best results, do not use a load balancer in front of your Zone Server. If you must use a load balancer, it must be configured for persistent TCP connections and the port that you configure in the Direct Connect Zone Proxy for the Endpoint Inbound Port must be open on the load balancer. By default, this port is 17486.
User role requirements
The following tables list the role permissions required to use Direct Connect. To review a summary of the predefined roles, see Set up Direct Connect users.
Do not assign the Direct Connect Service Account and Direct Connect Service Account - All Content Sets roles to users. These roles are for internal purposes only.
For more information about role-based access control (RBAC), role permissions, and associated content sets, see Tanium Core Platform User Guide: Managing RBAC.
| Permission | Direct Connect Administrator1,2 | Direct Connect User1 | Direct Connect Read Only User1 | Direct Connect Satellite Operator1 | Direct Connect Endpoint Configuration Approver1,2 |
|---|---|---|---|---|---|
| Direct Connect Cron Allows performing service account work |  | | | | |
| Direct Connect Endpoint Configuration Approve Endpoint Configuration items for Direct Connect | | | | |  APPROVE |
| Direct Connect Logs Access Direct Connect logs | READ | | | | |
| Direct Connect Satellite Manage satellites | READ WRITE | | | READ WRITE | |
| Direct Connect Session Access endpoint connections | READ WRITE | READ WRITE | READ | WRITE | |
| Direct Connect Settings Access Direct Connect settings | READ WRITE | | | | READ |
| Directconnect View the Direct Connect workbench | SHOW | SHOW | SHOW | SHOW | SHOW |
1 This role provides module permissions for Tanium Interact. You can view which Interact permissions are granted to this role in the Tanium Console. For more information, see Tanium Interact User Guide: Tanium Data Service permissions. 2 This role provides module permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration permissions are granted to this role in the Tanium Console. For more information, see Tanium Endpoint Configuration User Guide: User role requirements. | |||||
| Permission | Direct Connect Administrator | Direct Connect User | Direct Connect Read Only User | Direct Connect Satellite Operator | Direct Connect Service Account | Direct Connect Endpoint Configuration Approver |
|---|---|---|---|---|---|---|
| Action | READ WRITE | | | | READ WRITE | READ |
| Own Action | READ | |
|
| READ | READ |
| Package | READ | | | | READ WRITE | READ |
| Plugin | READ | READ | READ | READ | READ EXECUTE | READ |
| Saved Question | READ | READ | READ | READ | READ | READ |
| Sensor | READ | | | | READ | READ |
| You can view which content sets are granted to any role in the Tanium Console. | ||||||
For more information and descriptions of content sets and permissions, see the Tanium Core Platform User Guide: Users and user groups.
Last updated: 9/2/2022 12:46 PM | Feedback