Tanium network ports

For the ports required in a Tanium as a Service deployment, see Tanium as a Service User Guide: Host and network security requirements.

Network port requirements for Tanium Core Platform servers depend on whether you have a Tanium Appliance or Windows deployment. The Tanium Client has its own port requirements. For details about the requirements for each port, see Tanium Core Platform port use details.

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

Module- and service-specific port requirements

Additional port requirements that are specific to Tanium™ modules and shared services are documented in the user guide for each module or service; consult those guides for the modules and services that you deploy.

Tanium Appliance

The following table summarizes the Tanium processes and default values for ports used in Tanium Core Platform communication:

Table 1: Network communication ports in a Tanium Appliance deployment

Components | Processes | Inbound port | Destination port
Tanium Server | taniumserver | 443, 8443, 17472 | 80, 443, 17477
Tanium Module Server | taniummoduleserver | 17477 | 80, 443, 8443
Tanium Zone Server | taniumzoneserver | 17472 |
Tanium Zone Server Hub | taniumzoneserver | | 17472
Tanium Client | TaniumClient.exe, TaniumClient, taniumclient | 17472 | 17472

Installing and managing the Tanium Appliance requires communication over common network service ports. The following table lists the default ports for these services:

Table 2: Appliance network service ports

Services | Inbound port | Destination port
DNS | | 53/tcp, 53/udp
ESP (IPSec for cluster) | 50/ip | 50/ip
IKE (IPSec for cluster) | 500/udp, 4500/udp | 500/udp, 4500/udp
LDAP (optional) | | 389/tcp, 636/tcp
NTP | | 123/udp
SSH, SCP, SFTP | 22/tcp (1) | 22/tcp (1)
SNMP (optional) | 161/udp |
syslog (optional) | | 514/udp, 514/tcp
iDRAC (recommended) | 443/tcp (2), 5900/tcp (2) |

(1) In addition to remote access to the appliances, port 22 is used for a secure communications channel between the appliances.

(2) These ports need to be open only for the IP address of the dedicated iDRAC port (if applicable). The iDRAC port has an IP address that is different from the TanOS network interfaces. See Tanium Appliance Deployment Guide: Configure the iDRAC interface.

The following figure illustrates how the Tanium Core Platform uses ports in an active-active deployment with Appliance infrastructure.

Figure 1: Network communication ports

Windows

The following table summarizes the Tanium processes and default values for ports used in Tanium Core Platform communication.

Table 3: Network communication ports in a Windows deployment

Component | Process | Inbound port | Destination port
Tanium Server | TaniumReceiver.exe | 443, 17472 | 80, 443 (active-active), 1433 or 5432, 17472 (active-active), 17477
SQL Server or PostgreSQL Server | Sqlservr.exe or postgres.exe | 1433 or 5432 |
Tanium Module Server | TaniumModuleServer.exe | 17477 | 80, 443
Tanium Zone Server | TaniumZoneServer.exe | 17472 (*) |
Tanium Zone Server Hub | TaniumZoneServer.exe | | 17472 (*)
Tanium Client | TaniumClient.exe | 17472 | 17472 (*)

(*) As a best practice to improve the security of the Zone Server, configure separate ports for traffic from Zone Server Hubs and Tanium Clients. For the steps, see Tanium Core Platform Deployment Guide for Windows: Configure ports for traffic from Zone Server Hubs and Tanium Clients.

The following figure illustrates how the Tanium Core Platform uses ports in an active-active deployment with Windows infrastructure:

Figure 2: Network communication ports

Tanium Client

You can use the Tanium™ Client Management module to deploy any version of the Tanium Client. For the ports that Client Management requires for communication, see Tanium Client Management User Guide: Network connectivity, ports, and firewalls.

Tanium Core Platform port use details

The following sections list details about ports that Tanium Core Platform components use, and indicate the default ports.

To change the default ports for platform servers, see Tanium Core Platform server settings. To change the default ports for Tanium Clients, see Tanium Client Management User Guide: Network connectivity, ports, and firewalls.

Tanium Server

The Tanium Server acts as the central hub of communication in the Tanium environment. The server receives traffic that Tanium Clients and the Tanium Console initiate. The server initiates connections to the Tanium database server as well as any Zone Servers.

Inbound (Tanium Client to Tanium Server)

Rule summary

Allow traffic to TCP port 17472 on the Tanium Server from any endpoint to be managed on the internal network.

Details

The communication flow between the Tanium Clients and the Tanium Server is counter-intuitive. For instance, if you ask a question through the Tanium Console, intuition might suggest that it is the server that initiates connections to query the clients. However, in the Tanium platform, special clients known as leaders are the only ones that initiate connections to the Tanium Server.

In addition, all Tanium Clients initiate connections when they register. During registration, the Tanium Client reports information about itself and gathers configuration updates, including changes to peer lists.

Inbound (Tanium Console)

Rule summary

Allow traffic from trusted hosts (such as a management subnet address) to TCP port 443 on the Tanium Server.

Details

For security, the TCP and SOAP communication to the Tanium Server is TLS-encrypted, so the Tanium Server installer configures the server to listen for TCP and SOAP requests on port 443. If another installed application is listening on port 443, you can designate a different port.

Outbound (Tanium Server to Database Server)

Rule summary

Allow traffic from the Tanium Server on port 1433 or 5432 (TCP) to the database server.

Details

The Tanium Server initiates connections to the database server on port 1433 (SQL Server) or 5432 (PostgreSQL).

Outbound (Tanium Server to Module Server)

Rule summary

Allow traffic from the Tanium Server to TCP port 17477 on the Module Server.

Details

The Tanium Server initiates connections to the Module Server on port 17477.

Outbound (Tanium Server to Internet)

Rule summary

Allow traffic from the Tanium Server to destination ports 80 and 443 (TCP) on the Internet.

Using port 443 is a security best practice because traffic on that port is encrypted through Hypertext Transfer Protocol Secure (HTTPS).

Details

The Tanium Server initiates connections to https://content.tanium.com and http://*.digicert.com when importing updates to Tanium Core Platform components and modules. The server might also initiate connections to other Internet sites such as https://update.microsoft.com for other operations.

Inbound/Outbound (active-active deployment)

Rule summary

Allow traffic to and from Tanium Servers in an active-active cluster on TCP port 17472.

Details

Any cluster member might initiate a connection to the other member. Package files that are uploaded to one member are synchronized to the other cluster member. In addition, each member passes Tanium messages (such as answers to questions) to the other cluster member.

Tanium Module Server

Inbound (Tanium Server to Module Server)

Rule summary

Allow traffic from the Tanium Server to TCP port 17477 on the Module Server.

Details

Check the documentation for the particular Tanium modules that you plan to use to see whether they require additional inbound ports: see Module- and service-specific port requirements.

Outbound (Module Server to Internet)

Rule summary

Allow traffic from the Module Server to destination ports 80 and 443 (TCP) on the Internet.

Using port 443 is a security best practice because traffic on that port is encrypted through HTTPS.

Details

By itself, the Module Server does not initiate connections. However, when you import a module, the Module Server might need to connect to Tanium and other Internet locations to download required content, and the installed module services might initiate connections. Check the documentation for the particular modules that you plan to use to see whether they require additional outbound ports: see Module- and service-specific port requirements.

Outbound (Module Services to Tanium Server)

Rule summary

Allow traffic from the Module Server to destination port 443 (TCP) on the Tanium Server.

Details

By itself, the Module Server does not initiate connections. However, a module service running on it might initiate a connection to the Tanium Server.

Tanium Zone Server Hub

Outbound (Tanium Zone Server Hub to Zone Server)

Rule summary

Allow traffic from the Zone Server Hub to the destination TCP port 17472 on DMZ machines that host the Zone Servers. In an Appliance deployment the hub is always installed on the Tanium Server appliance. In a Windows deployment, the hub is usually installed on the Tanium Server host but can also be installed on a dedicated host.

Details

If you are using the Zone Server to proxy traffic from managed endpoints on less trusted network segments to the Tanium Server on the core network, then the Zone Server Hub must be able to connect to the Zone Servers in the DMZ. In Tanium Core Platform 7.3 or earlier, the ZoneServerList.txt configuration file in the hub installation folder identifies the addresses of the destination Zone Servers. In later releases, the hub-to-Zone Server mappings determine the destination Zone Servers: see Tanium Console User Guide: Managing Zone Servers and hubs.

Tanium Zone Server

Inbound (Tanium Client to Zone Server)

Rule summary

Allow traffic from any computer on the Internet to TCP port 17472 on the Zone Servers in the DMZ.

Details

Tanium Clients initiate connections to a Zone Server as if it were a Tanium Server.

Inbound (Tanium Zone Server Hub to Zone Server)

Rule summary

Allow traffic from the Zone Server Hub to TCP port 17472 on the Zone Servers in the DMZ. In an Appliance deployment the hub is always installed on the Tanium Server appliance. In a Windows deployment, the hub is usually installed on the Tanium Server host but can also be installed on a dedicated host.

Details

If you are using the Tanium Zone Server to proxy traffic from managed endpoints on less trusted network segments to the Tanium Server on the core network, then the Tanium Zone Server Hub must be able to connect to the Zone Servers in the DMZ.

Tanium Client

Inbound/Outbound (Tanium Client to Client)

Rule summary

Allow traffic to and from Tanium Client peers on the TCP listening port 17472.

Details

In addition to the client-to-server TCP communication that occurs on port 17472, Tanium Clients also communicate to peers on port 17472. The default client peering settings ensure that clients form linear chains only within the boundaries of local area networks (LANs). Therefore, you must allow bi-directional TCP communication on the listening port between clients that are in the same LAN, but not necessarily between all clients across your enterprise wide area network (WAN). For details on client peering settings, see Tanium Client Management User Guide: Configuring Tanium Client peering.

Outbound (Tanium Client to Zone Server)

Rule summary

Allow traffic from any endpoint on the Internet to TCP port 17472 on the Zone Servers in the DMZ.

Details

In deployments with a Zone Server, a Tanium Client might connect to a Zone Server instead of a Tanium Server. The communication requirements for these clients are identical to the Tanium Server-to-Tanium Client requirements.
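As an added example that is not part of this guide or of any Tanium software, the following Python script encodes the default TCP flows documented in the port use details above for a Windows deployment, including the rule that client peering stays within a LAN, and flags flow records that fall outside that matrix. The addresses, the key=value log format and the assumption that a LAN is a /24 are constructed for illustration.

```python
import ipaddress

# Constructed, hypothetical role map (addresses are not from the guide).
ROLE_BY_IP = {"10.0.0.10": "tanium_server", "10.0.0.11": "module_server",  # hub assumed on Tanium Server host
              "10.0.0.12": "database", "192.0.2.5": "zone_server"}          # Zone Server in the DMZ
MANAGED_NET = ipaddress.ip_network("10.0.0.0/8")  # other hosts here are Tanium Clients
LAN_PREFIX = 24  # assumption: for client peering, a LAN is a /24
# Default TCP flows from the guide: (source role, destination role, destination port).
ALLOWED_FLOWS = {
    ("client", "tanium_server", 17472), ("client", "zone_server", 17472),
    ("client", "client", 17472), ("untrusted", "zone_server", 17472),
    ("tanium_server", "module_server", 17477), ("module_server", "tanium_server", 443),
    ("tanium_server", "database", 1433), ("tanium_server", "database", 5432),
    ("tanium_server", "zone_server", 17472),    # Zone Server Hub to Zone Server
    ("tanium_server", "tanium_server", 17472),  # active-active cluster
}

def role_of(ip):
    """Map an address to its Tanium role; unknown managed hosts are clients."""
    if ip in ROLE_BY_IP:
        return ROLE_BY_IP[ip]
    return "client" if ipaddress.ip_address(ip) in MANAGED_NET else "untrusted"
def parse_flow(line):
    """Parse a constructed 'key=value' flow record into a dict."""
    f = dict(tok.split("=", 1) for tok in line.split())
    return {"src": f["src"], "dst": f["dst"], "proto": f["proto"], "dport": int(f["dport"])}
def classify(flow):
    """Return 'expected' or a short reason the flow is outside the documented matrix."""
    if flow["proto"] != "tcp":
        return "non-TCP traffic"
    src, dst = role_of(flow["src"]), role_of(flow["dst"])
    if (src, dst, flow["dport"]) not in ALLOWED_FLOWS:
        return f"undocumented flow {src} -> {dst}:{flow['dport']}"
    lan = ipaddress.ip_network(f"{flow['src']}/{LAN_PREFIX}", strict=False)
    if src == dst == "client" and ipaddress.ip_address(flow["dst"]) not in lan:
        return "client peering across LAN boundary"
    return "expected"

def audit(lines):
    return [(line, classify(parse_flow(line))) for line in lines]

SAMPLE_LOG = [  # constructed sample records, not real telemetry
    "src=10.1.2.3 dst=10.0.0.10 proto=tcp dport=17472",      # client to Tanium Server
    "src=10.1.2.3 dst=10.1.2.7 proto=tcp dport=17472",       # peer in the same /24
    "src=10.1.2.3 dst=10.1.5.9 proto=tcp dport=17472",       # peer in another LAN
    "src=10.1.2.3 dst=10.0.0.11 proto=tcp dport=17477",      # client to Module Server
    "src=198.51.100.7 dst=192.0.2.5 proto=tcp dport=17472",  # Internet client to Zone Server
    "src=198.51.100.7 dst=10.0.0.10 proto=tcp dport=17472",  # Internet host to Tanium Server
]
```

Run `audit(SAMPLE_LOG)` to get one verdict per record; the third, fourth and sixth records are flagged.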