Tanium network ports

For the ports required in a Tanium Cloud deployment, see Tanium Cloud Deployment Guide: Host and network security requirements.

Network port requirements for Tanium Core Platform servers depend on whether you have a Tanium Appliance or Windows deployment. The Tanium Client has its own port requirements. For details about the requirements for each port, see Tanium Core Platform port use details.

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

Tanium Appliance

The following table summarizes the Tanium processes and default values for ports used in Tanium Core Platform communication.

Network communication ports used by Tanium components
Source Destination Port Protocol Purpose
Tanium Clients Tanium Server 17472 TCP Client communication with the Tanium Server
Tanium Client (internal) Tanium Module Server 17475 TCP Used by the Module Server for endpoint connections to internal clients using Direct Connect.
Tanium Client (external) Tanium Zone Server1 17486 TCP Used by the Zone Server for endpoint connections to external clients using Direct Connect.
The default port number is 17486. If needed, you can specify a different port number when you configure the zone proxy.
Tanium Module Server Tanium Zone Server1 17487 TCP Used by the Zone Server for Module Server connections using Direct Connect.
The default port number is 17487. If needed, you can specify a different port number when you configure the zone proxy.
Tanium Module Server Tanium Server 443, 8443 TCP Tanium Module Server communication to the Tanium Server
Console users Tanium Server 443, 8443 TCP Tanium Console communication with the Tanium Server
Tanium Server Tanium Module Server 17477 TCP Tanium Module Server communication from Tanium Server
Tanium Zone Server Hub Tanium Zone Server1 17472 TCP Tanium Zone Server Hub communication with the Tanium Zone Servers
Tanium Server,
Module Server
External servers 443, 80 TCP Tanium Server or Module Server communication with external servers such as content.tanium.com
1 These ports are required only when you use a Zone Server.

In addition, the installation and management of the appliance requires communication over common network service ports. The following table shows the default ports for these services.

Appliance network service ports
Source Destination Port Protocol Purpose

Tanium Servers

Tanium Module Servers

DNS servers 53 UDP, TCP DNS resolution for Tanium Servers and Tanium Module Servers

Tanium Servers

Tanium Servers Not applicable IPsec ESP1 Protocol for data confidentiality and authentication in Tanium Server cluster communications
Tanium Module Servers Tanium Module Servers Not applicable IPsec ESP1

Protocol for data confidentiality and authentication during Tanium Module Server synchronization

Tanium Servers

Tanium Servers 500, 4500 UDP IPsec IKE for setting up a secure channel in Tanium Server cluster communications
Tanium Module Servers Tanium Module Servers 500, 4500 UDP IPsec IKE for setting up a secure channel during Tanium Module Server synchronization
Tanium Servers LDAP servers 389, 636 TCP (Optional) External LDAP communications for Tanium authentication
All Tanium Appliances NTP servers 123 UDP NTP time synchronization
Tanium Servers All Tanium Appliances 22 TCP SSH, SCP, SFTP communication for appliance array management
Tanium administrator workstations All Tanium Appliances 22 TCP SSH, SCP, SFTP communication for appliance management
SNMP servers Tanium Appliances 161 UDP (Optional) SNMP monitoring
Tanium Appliances Syslog servers 514 TCP, UDP (Optional) Syslog monitoring
Tanium administrator workstations Tanium Appliances 443, 5900 TCP (Physical appliances only) iDRAC communications2
Tanium Console user workstations/browsers content.tanium.com
update.microsoft.com
*.digicert.com
80, 443 TCP Download and install solutions to the Tanium Core Platform
Tanium Appliances download.tanium.com 443 TCP (Optional) Download and install Tanium Server upgrades.

1 IPSec ESP is not a port. For Appliance Array traffic to properly work, you must add custom exceptions to your firewall rules.

2 These ports need to be open only for the IP address of the dedicated iDRAC port (if applicable). The iDRAC port has an IP address that is different from the TanOS network interfaces. See the Tanium Appliance Deployment Guide: Configure the iDRAC interface.

Do not allow a Tanium Server, a Module Server, or a Zone Server Hub to accept inbound connections from the internet. On a Zone Server, allow only the Tanium Client port to accept inbound connections from the internet.

The following figure illustrates how the Tanium Core Platform uses ports in an active-active deployment with Appliance infrastructure.

Figure  1:  Network communication ports
For the topology of deployments that use a proxy server between Tanium Core Platform servers and external servers, see Tanium Console User Guide: Overview of proxy servers.

Tanium™ Direct Connect uses additional ports for communication between Tanium Clients and the Module Server. See Tanium Direct Connect User Guide: Host and network security requirements.

For more information about the port requirements of other Tanium modules and shared services, see Solution-specific port requirements.

Windows

The following table summarizes the Tanium processes and default values for ports used in Tanium Core Platform communication:

Network communication ports used by Tanium components
Source Destination Port Protocol Purpose
Tanium Server,
Module Server
External servers 443, 80 TCP Tanium Server (TaniumReceiver.exe) or Module Server (TaniumModuleServer.exe) communication with external servers such as content.tanium.com
Tanium Server Tanium Server 443, 17472 TCP Communication between active-active Tanium Servers
Tanium Server Module Server 17477 TCP Tanium Server communication with the Module Server
Module Server Tanium Server 443 TCP Tanium Module Server communication with the Tanium Server
Tanium Server Tanium database 1433, 5432 TCP Tanium Server communication with the Tanium database: SQL server (Sqlservr.exe) or PostgreSQL server (postgres.exe)
Zone Server Hub Tanium Zone Server1 17472 TCP Zone Server Hub (TaniumZoneServer.exe) communication with the Zone Server (TaniumZoneServer.exe)
Tanium Clients Tanium Clients,
Tanium Server,
Tanium Zone Server
17472 TCP Communication between Tanium Clients (TaniumClient.exe),
Communication between the clients and the Tanium Server or Zone Server
Tanium Client (internal) Tanium Module Server 17475 TCP Used by the Module Server for endpoint connections to internal clients using Direct Connect.
Tanium Client (external) Tanium Zone Server1 17486 TCP Used by the Zone Server for endpoint connections to external clients using Direct Connect.
The default port number is 17486. If needed, you can specify a different port number when you configure the zone proxy.
Tanium Module Server Tanium Zone Server1 17487 TCP Used by the Zone Server for Module Server connections using Direct Connect.
The default port number is 17487. If needed, you can specify a different port number when you configure the zone proxy.
Console/API users Tanium Server 443 TCP Tanium Console/API user workstation (browser) communication with the Tanium Server
Console/API users External servers 443, 80 TCP Tanium Console/API user workstation (browser) communication with external servers such as content.tanium.com
1 These ports are required only when you use a Zone Server.

To improve the security of the Zone Server, configure separate ports for traffic from Zone Server Hubs and Tanium Clients. For the steps, see Tanium Core Platform Deployment Guide for Windows: Configure ports for traffic from Zone Server Hubs and Tanium Clients.

Do not allow a Tanium Server, a Module Server, or a Zone Server Hub to accept inbound connections from the internet. On a Zone Server, allow only the Tanium Client port to accept inbound connections from the internet.

The following figure illustrates how the Tanium Core Platform uses ports in an active-active deployment with Windows infrastructure:

Figure  2:  Network communication ports
For the topology of deployments that use a proxy server between Tanium Core Platform servers and external servers, see Tanium Console User Guide: Overview of proxy servers.

Tanium™ Direct Connect uses additional ports for communication between Tanium Clients and the Module Server. See Tanium Direct Connect User Guide: Host and network security requirements.

For more information about the port requirements of other Tanium modules and shared services, see Solution-specific port requirements.

Tanium Client

For the ports that Client Management requires for communication, see Tanium Client Management User Guide: Network connectivity, ports, and firewalls.

Tanium Core Platform port use details

The following sections list details about ports that Tanium Core Platform components use, and indicate the default ports.

To change the default ports for platform servers, see Tanium Core Platform settings. To change the default ports for Tanium Clients, see Tanium Client Management User Guide: Network connectivity, ports, and firewalls.

Tanium Server

The Tanium Server acts as the central hub of communication in the Tanium environment. The server receives traffic that Tanium Clients and the Tanium Console initiate. The server initiates connections to the Tanium database server as well as any Zone Servers.

Inbound (Tanium Client to Tanium Server)

Rule summary

Allow traffic to TCP port 17472 on the Tanium Server from any endpoint to be managed on the internal network.

Details

The communication flow between Tanium Clients and the Tanium Server is counter-intuitive. For example, when you ask a question through the Tanium Console, instead of the server initiating connections to clients, it is leader clients in each linear chain that initiate connections to the Tanium Server. See Tanium Client Management User Guide: Client peering.

All Tanium Clients initiate connections to the Tanium Server when they register. During registration, each Client reports information about itself to the server and receives configuration updates, such as changes to peer lists, from the server.

Inbound (Tanium Console)

Rule summary

Allow traffic from trusted hosts to TCP port 443 on the Tanium Server. An example of a trusted host is a system on a management subnet address that is used for Tanium Console access.

Details

For security, TCP and SOAP communication to the Tanium Server is TLS-encrypted, so the Tanium Server installer configures the server to listen for TCP and SOAP requests on port 443. If another installed application is listening on port 443, you can designate a different port.

Outbound (Tanium Server to Database Server)

Rule summary

Allow traffic from the Tanium Server on TCP port 1433 or 5432 to the Tanium database server.

Details

The Tanium Server initiates connections to the Tanium database server on port 1433 (SQL Server) or 5432 (PostgreSQL).

Outbound (Tanium Server to Module Server)

Rule summary

Allow traffic from the Tanium Server to TCP port 17477 on the Module Server.

Details

The Tanium Server initiates connections to the Module Server on port 17477.

Outbound (Tanium Server to Internet)

Rule summary

Allow traffic from the Tanium Server to TCP destination ports 80 and 443 on the Internet.

Using port 443 is a security best practice because traffic on that port is encrypted through Hypertext Transfer Protocol Secure (HTTPS) protocol.

Details

The Tanium Server initiates connections to https://content.tanium.com and http://*.digicert.com when importing updates to Tanium Core Platform components and solutions. The server might also initiate connections to other Internet sites such as https://update.microsoft.com for other operations. For details, see Internet URLs required.

Inbound/Outbound (active-active deployment)

Rule summary

Allow traffic between Tanium Servers in an active-active cluster on TCP port 17472.

Details

Any active-active cluster member might initiate a connection to the other member. Package files that are uploaded to one member are synchronized to the other. In addition, each member passes Tanium messages, such as question answers, to the other cluster member.

Tanium Module Server

Inbound (Tanium Server to Module Server)

Rule summary

Allow traffic from the Tanium Server to TCP port 17477 on  the Module Server.

Details

Check the documentation for the particular Tanium solutions that you plan to use to see whether they require additional inbound ports. See Solution-specific port requirements.

Outbound (Module Server to Internet)

Rule summary

Allow traffic from the Module Server to destination TCP ports 80 and 443 on the Internet.

Using port 443 is a security best practice because traffic on that port is encrypted through the HTTPS protocol.

Details

The Module Server does not initiate connections. However, when a solution is imported, the Module Server might need to connect to Tanium and other Internet locations to download required content, and the installed solution services might initiate connections. Check the documentation for the particular solutions that you plan to use to see if they require additional outbound ports. See Solution-specific port requirements.

Outbound (solutions services to Tanium Server)

Rule summary

Allow traffic from the Module Server to the following destination TCP ports on the Tanium Server:

  • 443: Windows and Appliance deployments

  • 8443: Appliance deployments only
Details

The Module Server does not initiate connections. However, a solution on the Module Server might initiate a connection to the Tanium Server.

Tanium Zone Server Hub

Outbound (Tanium Zone Server Hub to Zone Server)

Rule summary

Allow traffic from the Zone Server Hub to the destination TCP port 17472 on DMZ machines that host the Zone Servers. In an Appliance deployment, the hub is always installed on the Tanium Server appliance. In a Windows deployment, the hub is usually installed on the Tanium Server host but can also be installed on a dedicated host.

Details

If you are using the Zone Server to proxy traffic from managed endpoints on less trusted network segments to the Tanium Server on the core network, then the Zone Server Hub must be able to connect to the Zone Servers in the DMZ. The hub-to-Zone Server mappings determine the destination Zone Servers. For more information, see Tanium Console User Guide: Managing Zone Servers and hubs.

Tanium Zone Server

Inbound (Tanium Client to Zone Server)

Rule summary

Allow traffic from any computer on the Internet to TCP port 17472 on the Zone Servers in the DMZ.

Details

Tanium Clients initiate connections to a Zone Server as if it were a Tanium Server.

Inbound (Tanium Zone Server Hub to Zone Server)

Rule summary

Allow traffic from the Zone Server Hub to TCP port 17472 on the Zone Servers in the DMZ. In an Appliance deployment, the hub is always installed on the Tanium Server appliance. In a Windows deployment, the hub is usually installed on the Tanium Server host but can also be installed on a dedicated host.

Details

If you are using the Tanium Zone Server to proxy traffic from managed endpoints on less trusted network segments to the Tanium Server on the core network, then the Tanium Zone Server Hub must be able to connect to the Zone Servers in the DMZ.

Tanium Client

Inbound/Outbound (Tanium Client to Client)

Rule summary

Allow traffic between Tanium Client peers on the TCP listening port 17472.

Details

In addition to the client-to-server TCP communication that occurs on port 17472, Tanium Clients also communicate with their peers on port 17472. The default client peering settings ensure that clients form linear chains only within the boundaries of local area networks (LANs). Therefore, you must allow bi-directional TCP communication on the listening port between clients that are in the same LAN, but not necessarily between all clients across your enterprise wide area network (WAN). For details on client peering settings, see Tanium Client Management User Guide: Configuring Tanium Client peering.

Outbound (Tanium Client to Zone Server)

Rule summary

Allow traffic from any endpoint on the Internet to TCP port 17472 on the Zone Servers in the DMZ.

Details

In deployments with a Zone Server, a Tanium Client might connect to a Zone Server instead of a Tanium Server. The communication requirements for these clients are identical to the Tanium Server-to-Tanium Client requirements.

Solution-specific port requirements

To see additional port requirements that are specific to Tanium™ modules and shared services, click the following links to access the associated user guides: