Configuring proxy server settings

Tanium Cloud deployments include a customer-specific proxy server that allows the destinations that are required for Tanium modules to work. Contact Tanium Support to request additional allowed entries.

Overview of proxy server connections

Some organizations use proxy servers for traffic between internal servers and the Internet. If your organization uses proxies and its security policy does not allow Tanium Core Platform servers to access Internet locations directly, configure access through the proxies. The Tanium Server and Tanium Module Server connect to the Internet to download content and module software updates from Tanium, and to download necessary files from other remote sources. Individual Tanium modules might also have requirements to access the Internet.

The Tanium Server and Module Server use the Tanium Downloader (TDownloader) utility to securely download files. To configure access through proxies, configure TDownloader settings on both servers.

To configure Tanium Client 7.4 or later to connect through a Hypertext Transfer Protocol Secure (HTTPS) proxy server to Tanium Cloud, the Tanium Server, or the Tanium Zone Server, see Tanium Client Management User Guide: Connect through an HTTPS proxy server.

For a list of sites that Tanium Core Platform servers access, see Internet URLs required.

A remote source might have its own requirements, such as certificate authentication or user authentication. See Tanium Console User Guide: Managing downloads authentication.

To troubleshoot proxy server issues, see Tanium Downloader log.

Figure 1: Tanium deployment with proxy server

Types of proxy servers

The Tanium Core Platform supports two types of proxies:

  • Basic: A strictly IP address-based proxy server allows a specified list of servers to traverse the proxy and access the network or Internet. Add the IP addresses or fully qualified domain names of Tanium Cloud, or of the Tanium Server and Module Server, to the access list of the proxy server. If the proxy server requires authentication, configure the account ID and password.
  • NTLM: If the proxy server is set up to use Microsoft NT LAN Manager (NTLM), and you configure the Tanium Server service to run in the context of a service account that has sufficient permissions to traverse the proxy server, you do not have to configure an account ID and password.

TDownloader user context

For Tanium™ Appliance deployments, TDownloader runs in the context of the tanium service account user.

For Tanium deployments on customer-provided Windows Infrastructure, TDownloader runs in the context of the Tanium Server service account user that was specified during installation.

Tanium Console: Configure proxy settings

In most cases, use the Tanium Console to configure proxy settings unless you must configure the settings before you can access the Console. See the Tanium Console User Guide: Configuring proxy server settings.

Tanium Appliance: Configure proxy settings

In most cases, use the Tanium Console to configure proxy settings. In some circumstances, you might need to configure proxy settings before you have access to the Tanium Console. If necessary, you can configure proxy settings on the Tanium Server or Module Server host.

The proxy server configuration is stored in configuration files on the Tanium Server. Active-active Tanium Servers do not automatically synchronize the configuration files. If you change these settings in active-active deployments, be sure to perform the procedure on both Tanium Servers in the cluster.

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 2 to go to the Configuration Settings menu.
  4. Enter 2 to go to the Tanium Server TDL Settings menu or enter 5 to go to the Module Server TDL Settings menu.
  5. Use the menu to edit proxy server settings.
Table 1: Tanium Server TDownloader (TDL) settings

BypassCRLCheckHostList
    Use this setting to list servers that the Tanium Server can trust without checking a certificate revocation list (CRL). The Tanium Server performs a CRL check on all servers that are not in this list, and does not download files from a server that fails the check. Specify the servers by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).

BypassProxyHostList
    Enter a comma-separated list of FQDNs or IP addresses for the hosts that do not go through the proxy server. You do not have to enter 127.0.0.1, localhost, or the Tanium Module Server, but enter active-active Tanium Servers if necessary. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]). Specify literal values. All supported Tanium Core Platform versions allow wildcards.

LogVerbosityLevel
    Specify the logging level of the Tanium Downloader log as a decimal value. For details and best practices, see Logging levels.

ProxyServer
    IP address of the proxy server.
    By default, TDownloader resolves the proxy server address as an IPv4 address. If the proxy server has an IPv6 address, you must enter it within brackets (for example, [2001:db8::1]) and configure the TDownloader setting ForceIPV6 to 1.

ProxyPort
    Proxy server listening port.

ProxyType
    The options are Basic, NTLM, or None.

ProxyUserid
    For a proxy server that requires authentication, enter the user ID to establish the connection with the proxy server.

ProxyPassword
    For a proxy server that requires authentication, enter the password of the ProxyUserid user to establish the connection with the proxy server.

TrustedCertPath
    Path to the Transport Layer Security (TLS) certificate authority (CA) bundle of trusted certificates.

TrustedHostList
    By default, the Tanium Server validates the SSL/TLS certificate of remote servers when establishing connections to them (such as for downloading files). To bypass certificate validation for specific servers, enter their FQDN or IP address. You do not have to enter 127.0.0.1, localhost, the Tanium Module Server, or Tanium Servers (standalone or active-active). All supported Tanium Core Platform versions allow wildcards. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
    Contact Tanium Support before modifying this setting.

ForceIPV6
    Add this setting manually if you need it, but only with guidance from Tanium Support. In deployments where traffic between Tanium Core Platform servers and the Internet traverses a proxy server, TDownloader resolves the proxy address as an IPv4 address by default. If the proxy server has an IPv6 address, add the ForceIPV6 setting with a value of 1.

Windows: Configure proxy settings

In most cases, use the Tanium Console to configure proxy settings. In some circumstances, you might need to configure proxy settings before you have access to the Tanium Console. If necessary, you can configure proxy settings on the Tanium Server or Module Server host.

The proxy server configuration is stored in configuration files on the Tanium Server. Tanium Servers do not automatically synchronize the configuration files among active-active peers. If you change these settings in active-active deployments, be sure to perform the procedure on both Tanium Servers.

The Windows Registry entry for proxy server settings is found in the following location on the Tanium Server host and the Tanium Module Server host:

HKEY_LOCAL_MACHINE\Software\Wow6432Node\Tanium\Tanium Server

Table 2: TDownloader settings

BypassCRLCheckHostList (REG_SZ)
    Use this setting to list servers that the Tanium Server can trust without checking a certificate revocation list (CRL). The Tanium Server performs a CRL check on all servers that are not in this list, and does not download files from a server that fails the check. Specify the servers by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).

BypassProxyHostList (REG_SZ)
    A comma-separated list of FQDNs or IP addresses for the hosts that do not go through the proxy server. You do not have to enter 127.0.0.1, localhost, or the Tanium Module Server, but enter the active-active Tanium Servers if necessary. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]). Specify literal values. All supported Tanium Core Platform versions allow wildcards.

ProxyServer (REG_SZ)
    IP address of the proxy server.
    Note: By default, TDownloader resolves the proxy server address as an IPv4 address. If the proxy server has an IPv6 address, you must enter it within brackets (for example, [2001:db8::1]) and configure the TDownloader setting ForceIPV6 to 1.

ProxyPort (REG_SZ)
    Proxy server listening port.

ProxyType (REG_SZ)
    The options are Basic, NTLM, or None.

ProxyUserid (REG_SZ)
    For a proxy server that requires authentication, enter the user ID to establish the connection with the proxy server.

ProxyPassword (REG_SZ)
    The corresponding password.

TrustedHostList (REG_SZ)
    By default, the Tanium Server validates the SSL/TLS certificate of remote servers when establishing connections to them (such as for downloading files). To bypass certificate validation for specific servers, enter their FQDN or IP address. You do not have to enter 127.0.0.1, localhost, the Tanium Module Server, or Tanium Servers (standalone or active-active). Wildcards are supported. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
    Contact Tanium Support before modifying this setting.

By default, TDownloader resolves a proxy server hostname as an IPv4 address. If necessary, you can override the default by adding a setting to the TDownloader registry in the following location:

HKEY_LOCAL_MACHINE\Software\Wow6432Node\Tanium\Downloader

Table 3: TDownloader Registry Key settings

LogVerbosityLevel (REG_DWORD)
    Controls the logging level for TDownloader. For details and best practices, see Logging levels.

ForceIPV6 (REG_DWORD)
    Contact Tanium Support for guidance before you manually add this registry key. By default, TDownloader resolves the proxy server address as an IPv4 address. If the proxy server has an IPv6 address, add the ForceIPV6 key and set its value to 1.
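The registry values described in Tables 2 and 3 can be written and reviewed from an elevated PowerShell session on the Tanium Server or Module Server host. The script below is an added example and is not a Tanium tool or part of this documentation. The key paths and value names (ProxyServer, ProxyPort, ProxyType, BypassProxyHostList, BypassCRLCheckHostList, TrustedHostList, ForceIPV6) are those listed above; the proxy hostname, port and host-list entries are placeholders. It goes a little beyond the tables by auditing the settings that affect transport security: host-list entries that are IPv6 addresses without the required square brackets, an IPv6 proxy literal without ForceIPV6 set to 1, an unexpected ProxyType, and a non-empty TrustedHostList or BypassCRLCheckHostList, which disable certificate or CRL validation for the listed hosts.

```powershell
# Added example, not Tanium's own tooling. Key paths and value names are taken
# from the TDownloader documentation; all host names, ports and list entries
# below are placeholders.
$ServerKey     = 'HKLM:\Software\Wow6432Node\Tanium\Tanium Server'
$DownloaderKey = 'HKLM:\Software\Wow6432Node\Tanium\Downloader'

function Test-HostListEntry {
    param([string]$Entry)
    # The docs require IPv6 addresses in square brackets, e.g. [2001:db8::1].
    # FQDNs and IPv4 addresses never contain ':', so a colon outside brackets
    # indicates a bare IPv6 address that TDownloader will not accept.
    if ($Entry -match ':' -and $Entry -notmatch '^\[.+\]$') { return $false }
    return $true
}

function Set-TDownloaderProxy {
    param(
        [Parameter(Mandatory)][string]$ProxyServer,
        [Parameter(Mandatory)][string]$ProxyPort,
        [ValidateSet('Basic', 'NTLM', 'None')][string]$ProxyType = 'Basic',
        [string]$BypassProxyHostList = '',
        [switch]$ForceIPV6   # only for an IPv6 proxy, and only with Tanium Support guidance
    )
    foreach ($key in @($ServerKey, $DownloaderKey)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    $values = @{
        ProxyServer         = $ProxyServer
        ProxyPort           = $ProxyPort
        ProxyType           = $ProxyType
        BypassProxyHostList = $BypassProxyHostList
    }
    foreach ($name in $values.Keys) {
        # All four proxy values are REG_SZ under the Tanium Server key.
        New-ItemProperty -Path $ServerKey -Name $name -Value $values[$name] `
            -PropertyType String -Force | Out-Null
    }
    if ($ForceIPV6) {
        # ForceIPV6 is a REG_DWORD under the Downloader key, value 1.
        New-ItemProperty -Path $DownloaderKey -Name 'ForceIPV6' -Value 1 `
            -PropertyType DWord -Force | Out-Null
    }
}

function Get-TDownloaderProxyAudit {
    # Returns a list of findings; an empty result means nothing was flagged.
    $findings = @()
    $srv = Get-ItemProperty -Path $ServerKey -ErrorAction SilentlyContinue
    $dl  = Get-ItemProperty -Path $DownloaderKey -ErrorAction SilentlyContinue
    if (-not $srv) { return @("Key not found: $ServerKey") }

    if ($srv.ProxyType -and $srv.ProxyType -notin @('Basic', 'NTLM', 'None')) {
        $findings += "ProxyType '$($srv.ProxyType)' is not Basic, NTLM or None"
    }
    if ($srv.ProxyServer -match '^\[.+\]$' -and ($dl.ForceIPV6 -ne 1)) {
        $findings += 'ProxyServer is a bracketed IPv6 literal but Downloader\ForceIPV6 is not 1'
    }
    foreach ($list in 'BypassProxyHostList', 'BypassCRLCheckHostList', 'TrustedHostList') {
        $raw = $srv.$list
        if ([string]::IsNullOrWhiteSpace($raw)) { continue }
        foreach ($entry in ($raw -split ',' | ForEach-Object { $_.Trim() })) {
            if (-not (Test-HostListEntry $entry)) {
                $findings += "$list entry '$entry' is an IPv6 address without square brackets"
            }
        }
    }
    # These two lists weaken certificate checking for the hosts they name; the docs
    # say to involve Tanium Support before changing them, so surface them explicitly.
    if (-not [string]::IsNullOrWhiteSpace($srv.TrustedHostList)) {
        $findings += "TrustedHostList is set to '$($srv.TrustedHostList)': TLS certificate validation is skipped for these hosts"
    }
    if (-not [string]::IsNullOrWhiteSpace($srv.BypassCRLCheckHostList)) {
        $findings += "BypassCRLCheckHostList is set to '$($srv.BypassCRLCheckHostList)': CRL checks are skipped for these hosts"
    }
    return $findings
}

# Usage with placeholder values (replace with your own proxy details):
# Set-TDownloaderProxy -ProxyServer 'proxy.example.internal' -ProxyPort '3128' `
#     -ProxyType 'Basic' -BypassProxyHostList 'ts2.example.internal,[2001:db8::2]'
# Get-TDownloaderProxyAudit
```

Because the Tanium Servers do not synchronize these values between active-active peers, run the same script on each peer and on the Module Server host, and compare the audit output across hosts so that a TrustedHostList or BypassCRLCheckHostList entry added on one server does not go unnoticed on the others.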