Tanium network ports
For the ports required in a Tanium as a Service deployment, see Tanium as a Service User Guide: Host and network security requirements.
Network port requirements for Tanium Core Platform servers depend on whether you have a Tanium Appliance or Windows deployment. The Tanium Client has its own port requirements. For details about the requirements for each port, see Tanium Core Platform port use details.
Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.
Module- and service-specific port requirements
To see additional port requirements that are specific to Tanium™ modules and shared services, click the following links to access the associated user guides:
- Asset
- Client Management
- Comply: No additional port requirements
- Connect
- Deploy
- Direct Connect
- Discover
- Endpoint Configuration
- End-User Notifications
- Enforce
- Health Check
- Impact
- Incident Response
- Integrity Monitor: No additional port requirements
- Interact: No additional port requirements
- Map: No additional port requirements
- Network Quarantine
- Patch: No additional port requirements
- Performance
- Protect: No additional port requirements
- Reputation
- Reveal
- Threat Response
- Trends
Tanium Appliance
The following table summarizes the Tanium processes and default values for ports used in Tanium Core Platform communication.
The following figure illustrates how the Tanium Core Platform uses ports in a load-balanced deployment with Tanium Appliances.
In addition, the installation and management of the appliance requires communication over common network service ports. The following table shows the default ports for these services.
| Services | Inbound port | Destination port |
|---|---|---|
| DNS | 53/tcp, 53/udp | |
| ESP (IPSec for load-balancing cluster) | 50/ip | 50/ip |
| IKE (IPSec for load-balancing cluster) | 500/udp, 4500/udp | 500/udp, 4500/udp |
| LDAP (optional) | 389/tcp, 636/tcp | |
| NTP | 123/udp | |
| SSH, SCP, SFTP | 22/tcp | 22/tcp |
| SNMP (optional) | 161/tcp | |
| syslog (optional) | 514/udp | |
| iDRAC (recommended) | 443/tcp*, 5900/tcp* | |
| * These ports need to be open only for the IP address of the dedicated iDRAC port (if applicable). The iDRAC port has an IP address that is different from the TanOS network interfaces. | ||
Windows
The following table summarizes the Tanium processes and default values for ports used in Tanium Core Platform communication.
| Component | Process | Inbound Port | Destination Port |
|---|---|---|---|
| Tanium Server | TaniumReceiver.exe | 443, 17472 | 80, 443 (HA), 1433 or 5432, 17472 (HA), 17477 |
| SQL Server or PostgreSQL Server | Sqlservr.exe or postgres.exe | 1433 or 5432 | |
| Tanium Module Server | TaniumModuleServer.exe | 17477 | 80, 443 |
| Tanium Zone Server | TaniumZoneServer.exe | *17472 | |
| Tanium Zone Server Hub | TaniumZoneServer.exe | *17472 | |
| Tanium Client | TaniumClient.exe | 17472 | *17472 |
| *As a best practice to improve the security of the Zone Server, configure separate ports for traffic from Zone Server Hubs and Tanium Clients. For the steps, see Tanium Core Platform Deployment Guide for Windows: Configure ports for traffic from Zone Server Hubs and Tanium Clients. | |||
The following figure illustrates how the Tanium Core Platform uses ports in a high availability (HA) deployment with Windows infrastructure.
Tanium Client
You can use the Tanium™ Client Management module to deploy any version of the Tanium Client. For the ports that Client Management requires for communication, see Tanium Client Management User Guide: Host and network security requirements.
Tanium Core Platform port use details
Network administrators might ask for detailed explanations of port requirements for the Tanium Core Platform.
Tanium Server
The Tanium Server acts as the central hub of communication in the Tanium environment. The server receives traffic initiated by Tanium Clients and the Tanium Console and initiates connections to the database server as well as any Zone Servers.
Inbound (Tanium Client to Tanium Server)
Rule summary
Allow traffic to Tanium Server port 17472 (TCP) from any computer to be managed on the internal network.
Details
The communication flow between the Tanium Clients and the Tanium Server is counter-intuitive. For instance, if you ask a question through the Tanium Console, intuition might suggest that it is the server that initiates connections to query the clients. However, in the Tanium platform, special clients known as leaders are the only ones that initiate connections to the Tanium Server.
In addition, all Tanium Clients initiate connections when they register. During registration, the Tanium Client reports information about itself and gathers configuration updates, including changes to peer lists.
Inbound (Tanium Console)
Rule summary
Allow traffic to the Tanium Server port 443 (TCP) from trusted hosts (such as a management subnet address).
Details
For security, the TCP and SOAP communication to the Tanium Server is TLS-encrypted, so the Tanium Server installer configures the server to listen for TCP and SOAP requests on port 443. If another installed application is listening on port 443, you can designate a different port.
Outbound (Tanium Server to Database Server)
Rule summary
Allow traffic from the Tanium Server on port 1433 or 5432 (TCP) to the database server.
Details
The Tanium Server initiates connections to the database server on port 1433 (SQL Server) or 5432 (PostgreSQL).
Outbound (Tanium Server to Module Server)
Rule summary
Allow traffic from the Tanium Server to the Module Server port 17477 (TCP).
Details
Tanium Server initiates connections to the Module Server on port 17477.
Outbound (Tanium Server to Internet)
Rule summary
Allow traffic from the Tanium Server to destination ports 80 and 443 (TCP) on the Internet. Using port 443 is a security best practice because traffic on that port is encrypted through the Hypertext Transfer Protocol Secure (HTTPS) protocol.
Details
The Tanium Server initiates connections to https://content.tanium.com and http://*.digicert.com when importing updates to Tanium Core Platform components and modules. The server might also initiate connections to other Internet sites such as https://update.microsoft.com for other operations.
Inbound/Outbound (HA or load-balanced deployment)
Rule summary
Allow traffic to and from Tanium Server cluster members on port 17472 (TCP).
Details
Any cluster member may initiate a connection to the other. Package files that are uploaded to one member are synchronized to the other cluster members. In addition, each server passes Tanium messages (for example, answers to questions) to the other cluster members.
Tanium Module Server
Inbound (Tanium Server to Module Server)
Rule summary
Allow traffic to the Module Server port 17477 (TCP) from the Tanium Server.
Details
Check the documentation for the particular solution modules you plan to use to see if they require additional inbound ports.
Outbound (Module Server to Internet)
Rule summary
Allow traffic from the Module Server to destination ports 80 and 443 (TCP) on the Internet. Using port 443 is a security best practice because traffic on that port is encrypted through the HTTPS protocol.
Details
The Module Server itself does not initiate connections. However, when a solution module is imported, the Module Server might need to connect to Tanium and other Internet locations to download required content, and the installed solution module services might initiate connections. Check the documentation for the particular solution modules you plan to use to see if they require additional outbound ports.
Outbound (Module Services to Tanium Server)
Rule summary
Allow traffic from the Module Server to destination port 443 (TCP) on the Tanium Server.
Details
The Tanium Module Server itself does not initiate connections. However, a solution module (such as Trace) might initiate a connection to the Tanium Server.
Tanium Zone Server Hub
Outbound (Tanium Zone Server Hub to Zone Server)
Rule summary
Allow traffic from the Zone Server Hub (usually installed on the Tanium Server host computer) to the destination port 17472 (TCP) on DMZ devices hosting the Zone Servers.
Details
If you are using the Zone Server to proxy traffic from managed endpoints on less trusted network segments to the Tanium Server on the core network, then the Zone Server Hub must be able to connect to the Zone Servers in the DMZ. In Tanium Core Platform 7.3 or earlier, the ZoneServerList.txt configuration file in the Zone Server Hub installation folder identifies the addresses of the destination Zone Servers. In later releases, the Zone Server Hub-to-Zone Server mappings determine the destination Zone Servers.
Tanium Zone Server
Inbound (Tanium Client to Zone Server)
Rule summary
Allow traffic from any computer on the Internet to port 17472 (TCP) on the Zone Servers in the DMZ.
Details
Tanium Clients initiate connections to a Zone Server just as if it were a Tanium Server.
Inbound (Tanium Zone Server Hub to Zone Server)
Rule summary
Allow traffic from the Zone Server Hub (usually installed on the Tanium Server host computer) to port 17472 (TCP) on the Zone Servers in the DMZ.
Details
If you are using the Tanium Zone Server to proxy traffic from Tanium-managed computers on less trusted network segments to the Tanium Server on the core network, then the Tanium Zone Server Hub must be able to connect to the Zone Servers in the DMZ.
Tanium Client
Inbound/Outbound (Tanium Client to Client)
Rule summary
Allow traffic to and from client peers on port 17472 (TCP).
Details
In addition to the client-to-server TCP communication that takes place on port 17472, Tanium Clients also communicate to peers on port 17472. Clients dynamically communicate with peers based on proximity and latency. Peer chains form to match an enterprise topology automatically. For example, endpoints in California form one chain, while endpoints in Germany form a separate chain. With this dynamic configuration in mind, you must allow bi-directional TCP communication on port 17472 between clients on the same local area network, but not necessarily all clients on the internal network.
Outbound (Tanium Client to Zone Server)
Rule summary
Allow traffic from any computer on the Internet to port 17472 (TCP) on the Zone Servers in the DMZ.
Details
In environments using the Zone Server, a Tanium Client might be configured to point to a Zone Server instead of a Tanium Server. The communication requirements for these clients are identical to the Tanium Server-to-Tanium Client requirements.
Last updated: 11/20/2020 3:46 PM | Feedback