Health Check requirements

Review the requirements before you install and use Health Check.

Tanium dependencies

Make sure that your environment meets the following requirements.

| Component | Requirement |
| --- | --- |
| Tanium™ Core Platform | 7.2 or later. |
| License | For information about licensing, contact Tanium Support. |

Tanium™ Module Server

Health Check is installed and runs as a service on the Module Server. The resource impact on the Module Server is minimal and depends on usage.

Endpoints

Health Check does not deploy packages to endpoints. For Tanium Client operating system support, see Tanium Client Management User Guide: Client version and host system requirements.

Host and network security requirements

Specific ports and processes are needed to run Health Check.

Ports

The following ports are required for Health Check communication.

| Source | Destination | Port | Protocol | Purpose |
| --- | --- | --- | --- | --- |
| Module Server | Module Server (loopback) | 17242 | TCP | Internal purposes; not externally accessible |
| Module Server | Tanium Server | 445 | TCP | Collect host information for Tanium Server |
| Module Server | Zone Server | 445 | TCP | Collect host information for Zone Server |

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Health Check security exclusions
| Target Device | Notes | Exclusion Type | Exclusion |
| --- | --- | --- | --- |
| Module Server | | Process | <Module Server>\services\health-service\node.exe |
| Module Server | | Process | <Module Server>\services\health-service\twsm.exe |

Internet URLs

For data sharing through a proxy from the Tanium Server to the Internet, your security administrator must allow the following URLs.

  • receiver.reporting.tanium.com
  • prd-pending-be96af380693f912.s3.eu-central-1.amazonaws.com

User role requirements

The Administrator reserved role is required for all Health Check tasks.

If you are running Tanium Servers on Windows, ensure that you change the account that is used to run the Tanium Health Check service from LOCAL SYSTEM to an account that has access to the Tanium Servers and Zone Servers. Otherwise, the generated reports do not contain server information about the Tanium Servers and Zone Servers.
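The following read-only preflight is an added example, not part of the Tanium documentation. Run on a Windows Module Server, it checks the port requirements listed under Ports and the service account requirement above. The host names and the service display-name pattern are placeholder assumptions that you must replace with values from your environment.

```powershell
# Added example: read-only preflight for the Health Check requirements.
# Host names and the service display-name pattern are placeholders (assumptions).
param(
    [string[]]$TargetServers = @('tanium-server.example.com', 'zone-server.example.com'),
    [string]$ServicePattern = '*Tanium*Health*'   # assumed display name; confirm in services.msc
)

$results = @()

# 1. Module Server -> Tanium Server / Zone Server on TCP 445
foreach ($server in $TargetServers) {
    $probe = Test-NetConnection -ComputerName $server -Port 445 -WarningAction SilentlyContinue
    $results += [pscustomobject]@{
        Check  = "TCP 445 to $server"
        Pass   = [bool]$probe.TcpTestSucceeded
        Detail = "$($probe.RemoteAddress)"
    }
}

# 2. TCP 17242 is for internal use: flag any listener bound to a non-loopback address
$listeners = @(Get-NetTCPConnection -LocalPort 17242 -State Listen -ErrorAction SilentlyContinue)
$exposed   = @($listeners | Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') })
$results += [pscustomobject]@{
    Check  = 'TCP 17242 listening on loopback only'
    Pass   = ($listeners.Count -gt 0 -and $exposed.Count -eq 0)
    Detail = ($listeners.LocalAddress -join ', ')
}

# 3. The service must not run as LOCAL SYSTEM
$services = @(Get-CimInstance Win32_Service | Where-Object { $_.DisplayName -like $ServicePattern })
if ($services.Count -eq 0) {
    $results += [pscustomobject]@{
        Check = 'Health Check service found'; Pass = $false; Detail = "No match for $ServicePattern"
    }
}
foreach ($svc in $services) {
    $results += [pscustomobject]@{
        Check  = "Service account for $($svc.Name)"
        Pass   = ($svc.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\SYSTEM)$')
        Detail = $svc.StartName
    }
}

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { exit 1 }
```

A failed row for TCP 445 usually points to a host or network firewall rule between the Module Server and the target; a failed service account row means the generated reports will lack Tanium Server and Zone Server information, as described above.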