Direct Connect requirements

Review the requirements before you install and use Direct Connect.

Core platform dependencies

Make sure that your environment meets the following requirements:

Tanium™ Core Platform servers:
- 7.4.3.1204 or later to use Direct Connect
- 7.5.5 or later to use Tanium™ Screen Sharing
Tanium™ Appliance:

(Optional) If you are using a Tanium Appliance for your Zone Server, you must install the Direct Connect Zone Proxy through the Tanium Operations menu on the Zone Server appliance. For more information, see Appliance Deployment Guide: Install the Direct Connect Zone Proxy. To install the Direct Connect Zone Proxy on a Tanium Appliance with the All-in-One role, use the TanOS shell..
Tanium™ Client:

Tanium Client Management User Guide: Client version and host system requirements

If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.

Solution dependencies

Other Tanium solutions are required for Direct Connect to function. The installation method that you select determines if the Tanium Server automatically imports dependencies or if you must manually import them.

Some Direct Connect dependencies have their own dependencies, which you can see by clicking the links in the lists of Required dependencies. Note that the links open the user guides for the latest version of each solution, not necessarily the minimum version that Direct Connect requires.

Tanium recommended installation

If you select only Direct Connect to import and are using Tanium Core Platform 7.5.2.3531 or later with Tanium Console 3.0.72 or later, the Tanium Server automatically imports the latest available versions of any required dependencies that are missing. If some required dependencies are already imported but their versions are earlier than the minimum required for Direct Connect , the server automatically updates those dependencies to the latest available versions.

If you select only Direct Connect to import and you are using Tanium Core Platform 7.5.2.3503 or earlier with Tanium Console 3.0.64 or earlier, you must manually import or update required dependencies. See Tanium Console User Guide: Import, re-import, or update specific solutions.

Import specific solutions

If you select only Direct Connect to import, you must manually import dependencies. See Tanium Console User Guide: Import, re-import, or update specific solutions.

Required dependencies

Direct Connect has the following required dependencies at the specified minimum version:

Tanium™ Endpoint Configuration 1.2 or later (installed as part of Tanium Client Management 1.5 or later)
Tanium RDB Service 1.2.11 or later
Tanium™ System User Service 1.0.77 or later

Feature-specific dependencies

If you select only Direct Connect to import, you must manually import or update its feature-specific dependencies regardless of the Tanium Console or Tanium Core Platform versions. Direct Connect has the following feature-specific dependencies at the specified minimum versions:

Tanium™ Console 3.4.46 or later to use screen sharing functionality
Tanium Direct Connect 2.7.43 or later to configure and use screen sharing functionality
Tanium™ Interact 2.1.14 or later to use screen sharing functionality
Tanium™ Reporting 1.12.143 or later to use screen sharing functionality
Tanium™ Reporting Content 1.0.21 or later to use screen sharing functionality
Tanium RDB Service 1.2.105 or later to use screen sharing functionality
Tanium Screen Sharing 1.2.30 or later to use screen sharing functionality on-premises
Tanium™ Secrets Service 1.0.118 or later to use screen sharing functionality
Tanium System User Service 1.0.169 or later to use screen sharing functionality

Client extensions

Tanium Endpoint Configuration installs client extensions for Direct Connect on endpoints. Client Extensions perform tasks that are common to certain Tanium solutions. The Tanium Client uses code signatures to verify the integrity of each client extension prior to loading the extension on the endpoint. Each client extension has recommended security exclusions to allow the Tanium processes to run without interference. See Security exclusions for more information. The following client extensions perform Direct Connect functions:

Config CX - Provides installation and configuration of extensions on endpoints. Tanium Client Management installs this client extension.
Core CX - Provides a management framework API for all other client extensions and exposes operating system metrics. Tanium Client Management installs this client extension.
DEC CX - Provides a direct connection between endpoint and Module ServerTanium Cloud. Tanium Direct Connect installs this client extension.

Tanium Module Server

Direct Connect is installed and runs as a service on the Module Server. The impact on the Module Server is minimal and depends on usage.

For information about Module Server sizing in a Windows deployment, see Tanium Core Platform Deployment Guide for Windows: Host system sizing guidelines.

Endpoints

Supported internet protocols

Direct Connect supports only endpoints that have IPv4 addresses.

Supported operating systems

The following endpoint operating systems are supported with Direct Connect.

Operating System	Version	Notes
Windows	Windows 7 Service Pack 1 or later Windows Server 2008 R2 Service Pack 1 or later
macOS	Same as Tanium Client support. See Tanium Client Management User Guide: Client version and host system requirements.
Linux	Same as Tanium Client support. See Tanium Client Management User Guide: Client version and host system requirements.

Screen sharing operating systems

The following endpoint operating systems are supported for screen sharing through Tanium. For a list of operating systems supported by ScreenMeet, see ScreenMeet Docs: Requirements.

The first time a Tanium user establishes a screen sharing session with a macOS endpoint, the endpoint user must select ScreenMeetSupport in the Screen Recording and Accessibility permissions in System Preferences, then click Later when prompted. For more information, see ScreenMeet Docs: Connecting to Mac devices.

Operating System	Version	Notes
Windows	Windows 8 Windows 10 Windows 10S Windows 11	Windows operating systems also require .NET Framework 4.6.2 or later. Windows operating systems support attended and unattended screen sharing sessions.
macOS	10.13 or later	macOS operating systems support only attended screen sharing sessions.

Operating System

Version

Notes

Windows

Windows 8
Windows 10
Windows 10S
Windows 11

Windows operating systems also require .NET Framework 4.6.2 or later.

Windows operating systems support attended and unattended screen sharing sessions.

macOS

10.13 or later

macOS operating systems support only attended screen sharing sessions.

Host and network security requirements

Specific ports and processes are needed to run Direct Connect.

Ports

The following ports, which communicate over HTTPS using TLS 1.2 (RSA 2048-bit), are required for Direct Connect.

These ports are not required for screen sharing.

The following port, which communicates over HTTPS using TLS 1.2 (RSA 2048-bit), is required for Direct Connect.

This port is not required for screen sharing.

Source	Destination	Port	Protocol	Purpose
Tanium Client (internal)	Module Server	17475	TCP	Used by the Module Server for endpoint connections to internal clients.
Tanium Client (external)	Zone Server¹Tanium Cloud	17486	TCP	Used by the Zone Server for endpoint connections to external clients. This port begins listening after the Zone Proxy provisioning process is complete on port 17488. The default port number is 17486. If needed, you can specify a different port number when you configure the zone proxy.
Module Server	Zone Server¹	17487	TCP	Used by the Zone Server for Module Server connections. This port begins listening after the Zone Proxy provisioning process is complete on port 17488. The default port number is 17487. If needed, you can specify a different port number when you configure the zone proxy.
Module Server	Zone Server¹	17488	TCP	Used by the Module Server to provision the Zone Proxy on the Zone Server. After the Zone Proxy is provisioned, used for connection status and diagnostics. On TanOS, the Direct Connect Zone Proxy installer automatically configures the firewall on the Zone Server to open port 17488. You must manually configure the firewall to open this port on Windows. This port number is not configurable.
Tanium Server	Module Server	17477	TCP	Tanium Server initiates connections to the Module ServerTanium Cloud on port 17477.
¹ These ports are required only when you use a Zone Server.

Direct Connect supports the following cipher suites for encrypting information in TLS communication:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

If you have a license for screen sharing, see ScreenMeet Docs: Security requirements.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Direct Connect security exclusions
Target Device	Exclusion Type	Exclusion
Module Server	Process	<Module Server>\services\direct-connect-service\TaniumDirectConnectService.exe
Module Server	Process	<Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe
Zone Server	Process	<Tanium Installation Directory>\Tanium Direct Connect Zone Proxy\node.exe
Zone Server	Process	<Tanium Installation Directory>\Tanium Direct Connect Zone Proxy\twsm.exe
Windows endpoints	File	<Tanium Client>\TaniumClientExtensions.dll
	File	<Tanium Client>\TaniumClientExtensions.dll.sig
	File	<Tanium Client>\extensions\TaniumDEC.dll
	File	<Tanium Client>\extensions\TaniumDEC.dll.sig
	Process	<Tanium Client>\TaniumCX.exe
macOS endpoints	File	<Tanium Client>/libTaniumClientExtensions.dylib
	File	<Tanium Client>/libTaniumClientExtensions.dylib.sig
	File	<Tanium Client>/extensions/libTaniumDEC.dylib
	File	<Tanium Client>/extensions/libTaniumDEC.dylib.sig
	Process	<Tanium Client>/TaniumCX
Linux endpoints	File	<Tanium Client>/libTaniumClientExtensions.so
	File	<Tanium Client>/libTaniumClientExtensions.so.sig
	File	<Tanium Client>/extensions/libTaniumDEC.so
	File	<Tanium Client>/extensions/libTaniumDEC.so.sig
	Process	<Tanium Client>/TaniumCX

Direct Connect security exclusions
Target Device	Exclusion Type	Exclusion
Windows endpoints	File	<Tanium Client>\TaniumClientExtensions.dll
	File	<Tanium Client>\TaniumClientExtensions.dll.sig
	File	<Tanium Client>\extensions\TaniumDEC.dll
	File	<Tanium Client>\extensions\TaniumDEC.dll.sig
	Process	<Tanium Client>\TaniumCX.exe
macOS endpoints	File	<Tanium Client>/libTaniumClientExtensions.dylib
	File	<Tanium Client>/libTaniumClientExtensions.dylib.sig
	File	<Tanium Client>/extensions/libTaniumDEC.dylib
	File	<Tanium Client>/extensions/libTaniumDEC.dylib.sig
	Process	<Tanium Client>/TaniumCX
Linux endpoints	File	<Tanium Client>/libTaniumClientExtensions.so
	File	<Tanium Client>/libTaniumClientExtensions.so.sig
	File	<Tanium Client>/extensions/libTaniumDEC.so
	File	<Tanium Client>/extensions/libTaniumDEC.so.sig
	Process	<Tanium Client>/TaniumCX

Internet URLs

If security software is deployed in the environment to monitor and block unknown URLs, your security administrator might need to allow the following URLs for screen sharing.

Allowing these URLs is not required for Direct Connect.

URL	Description
`*.screenmeet.com`	establish screen sharing connections
`*.scrn.mt`	establish screen sharing connections
`https://onpremapi.ssc.cloud.tanium.com/redeemOTP`	from the Tanium Module Server, obtain a one-time passcode (OTP) over port 443/TCP for provisioning an on-premises installation

For a list of hosts and IP addresses to allow for ScreenMeet, see: ScreenMeet Docs: Firewall configuration.

If you deployed proxy servers to your network, for the best results, allow traffic from these URLs to bypass the proxy servers. Screen sharing traffic passed through proxy servers negatively impacts performance. For more information, see ScreenMeet Docs: ScreenMeet Enterprise Deployment Guide.

Zone Proxy server requirements

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

If you want to use Direct Connect to connect to endpoints that route to the module server through a Zone Server, you must install and configure the Direct Connect Zone Proxy on that Zone Server. For more information, see Configure zone proxies.

For best results, do not use a load balancer in front of your Zone Server. If you must use a load balancer, it must be configured for persistent TCP connections and the port that you configure in the Direct Connect Zone Proxy for the Endpoint Inbound Port must be open on the load balancer. By default, this port is 17486.

User role requirements

The following tables list the role permissions required to use Direct Connect. To review a summary of the predefined roles, see Set up Direct Connect users.

Do not assign the Direct Connect Service Account and Direct Connect Service Account - All Content Sets roles to users. These roles are for internal purposes only.

For more information about role-based access control (RBAC), role permissions, and associated content sets, see Tanium Core Platform User Guide: Managing RBAC.

Direct Connect user role permissions
Permission	Direct Connect Administrator^1,2	Direct Connect User¹	Direct Connect Read Only User¹	Direct Connect Satellite Operator¹	Direct Connect Endpoint Configuration Approver^1,2
Direct Connect Cron Allows performing service account work
Direct Connect Endpoint Configuration Approve Endpoint Configuration items for Direct Connect					APPROVE
Direct Connect Logs Access Direct Connect logs	READ
Direct Connect Satellite Manage satellites	READ WRITE			READ WRITE
Direct Connect Session Access endpoint connections	READ WRITE	READ WRITE	READ	WRITE
Direct Connect Settings Access Direct Connect settings	READ WRITE				READ
Directconnect View the Direct Connect workbench	SHOW	SHOW	SHOW	SHOW	SHOW
¹ This role provides module permissions for Tanium Interact. You can view which Interact permissions are granted to this role in the Tanium Console. For more information, see Tanium Interact User Guide: Tanium Data Service permissions. ² This role provides module permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration permissions are granted to this role in the Tanium Console. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

Screen Sharing user role permissions
Permission	Screen Sharing Administrator	Screen Sharing Agent
Screen Sharing API Connect to Screen Sharing API	EXECUTE	EXECUTE
Screen Sharing Audit Event Log View event log for auditing purposes	READ
Screen Sharing Config Configure ScreenMeet initial account configuration settings that Tanium provides for new account provisioning or resetting existing account configuration	READ WRITE	READ
Screen Sharing Console Get magic URL for connecting to ScreenMeet	EXECUTE
Screen Sharing Licensing View ScreenMeet license information	READ	READ
Screen Sharing Platform Integration User Interact with the platform	ACCOUNT	ACCOUNT
Screen Sharing Provisioning Get provisioning information	READ
Screen Sharing Settings Configure screen sharing settings	READ WRITE
Screen Sharing Support Session Start a screen sharing session on a remote endpoint, requiring endpoint user permission	READ WRITE EXECUTE DELETE	READ WRITE EXECUTE DELETE
Screen Sharing Support Session All Join any screen sharing session, even if started by another user	READ EXECUTE DELETE
Screen Sharing Support Session Options Set options for screen sharing	READ WRITE	READ
Screen Sharing Support Session Unattended Start a screen sharing session on a remote endpoint without needing endpoint user permission
Screen Sharing TDS Integration User Query Tanium Data Service	ACCOUNT	ACCOUNT

Provided Direct Connect platform content permissions
Permission	Direct Connect Administrator	Direct Connect User	Direct Connect Read Only User	Direct Connect Satellite Operator	Direct Connect Service Account	Direct Connect Endpoint Configuration Approver
Action	READ WRITE				READ WRITE	READ
Own Action	READ				READ	READ
Package	READ				READ WRITE	READ
Plugin	READ	READ	READ	READ	READ EXECUTE	READ
Saved Question	READ	READ	READ	READ	READ	READ
Sensor	READ				READ	READ
To view which content set permissions are granted to a role, see Tanium Console User Guide: View effective role permissions.

Provided Screen Sharing platform content permissions
Permission	Screen Sharing Administrator	Screen Sharing Agent
Action	WRITE	WRITE
Own Action	READ	READ
Package	READ	READ
Plugin	READ EXECUTE	READ EXECUTE
Sensor	READ	READ
To view which content set permissions are granted to a role, see Tanium Console User Guide: View effective role permissions.

For more information and descriptions of content sets and permissions, see the Tanium Core Platform User Guide: Users and user groups.