Proxy server settings

Tanium as a Service deployments include a customer-specific proxy server that allows the destinations that are required for Tanium modules to work. To request additional allowed entries, consult your Technical Account Manager (TAM).

Some organizations use proxy servers for traffic between internal servers and the Internet. If your organization uses proxies and its security policy does not allow Tanium Core Platform servers to access Internet locations directly, you can configure access through the proxies. The Tanium Server connects to the Internet to download content updates from Tanium and to download necessary files from other trusted suppliers. The Tanium Module Server connects to the Internet to download module software updates from Tanium. Individual Tanium modules might also have requirements to access the Internet.

The Tanium Server and Module Server use a utility called Tanium Downloader (TDownloader) to securely download files. To configure access through proxies, you configure the TDownloader settings on both servers.

For a list of sites that Tanium Core Platform servers access, see Internet URLs required.

A destination server might have its own requirements, such as certificate authentication or user authentication. For information about configuring advanced options for these requirements, see Tanium Support KB: TDownloader.

Figure  1:  Tanium deployment with proxy server

The Tanium Core Platform supports two types of proxies:

  • Basic: A strictly IP address-based proxy server allows a specified list of servers to traverse the proxy and access the network or Internet. Add the IP addresses or host names of the Tanium Server and Module Server to the access list of the proxy server. If the proxy server requires authentication, configure the account ID and password.
  • NTLM: If the proxy server is set up to use Microsoft NT LAN Manager (NTLM), and you configure the Tanium Server service to run in the context of a service account that has sufficient permissions to traverse the proxy server, you do not have to configure an account ID and password.

For Tanium™ Appliance deployments, TDownloader runs in the context of the tanium service account user.

For Tanium deployments on customer-provided Windows Infrastructure, TDownloader runs in the context of the Tanium Server service account user that was specified during installation.

In most cases, use the Tanium Console to configure proxy settings unless you must configure the settings before you can access the console. See the Tanium Console User Guide: Configuring proxy server settings.

In most cases, use the Tanium Console to configure proxy settings. In some circumstances, you might need to configure proxy settings before you have access to the Tanium Console. If necessary, you can configure proxy settings on the Tanium Server or Module Server host.

The proxy server configuration is stored in configuration files on the Tanium Server. Load-balanced Tanium Servers do not automatically synchronize the configuration files. If you change these settings in load-balanced deployments, be sure to perform the procedure on both Tanium Servers in the cluster.

  1. Log into the TanOS console as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 2 to go to the Tanium Configuration Settings menu.
  4. Enter 2 to go to the Tanium Server TDL Settings menu or enter 5 to go to the Module Server TDL Settings menu.
  5. Use the menu to edit proxy server settings.
Table 1:   Tanium Server TDownloader (TDL) settings
Settings Guidelines
BypassCRLCheckHostListUse this setting to list servers that the Tanium Server can trust without checking a certificate revocation list (CRL). The Tanium Server performs a CRL check on all servers that are not in this list, and does not download files from a server that fails the check. Specify the servers by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
BypassProxyHostList Must be set with a comma-separated list of FQDN or IP addresses that specify all Tanium Servers and the Module Server, 127.0.0.1, and localhost. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]). Specify literal values. Tanium Core Platform 7.0.314.6242 and later supports wildcards.

Note: Enhancements have been made in recent releases to automatically bypass the proxy server for these host addresses:

7.0.314.6573+ — Automatically bypass 127.0.0.1 and localhost.

7.1.314.3204+ — Automatically bypass 127.0.0.1 and localhost.

7.2.314.3181+ — Automatically bypass Tanium Server, 127.0.0.1, and localhost.

7.3.314.2866+ — Automatically bypass Tanium Server, 127.0.0.1, and localhost.

LogVerbosityLevelSpecify one of the following decimal values for the log verbosity level:
  • 0: Logging disabled.
  • 1: Normal log level.
  • 41: Recommended during troubleshooting.
  • >= 91: Most detailed log level. Enable for short periods of time only.
ProxyServer IP address of the proxy server.

Note: By default, TDownloader resolves the proxy server address as an IPv4 address. If the proxy server has an IPv6 address, you must enter it within brackets (for example, [2001:db8::1]) and configure the TDownloader setting ForceIPV6 to 1.

ProxyPortProxy server listening port.
ProxyTypeThe options are Basic, NTLM, or None.
ProxyUserid For a proxy server that requires authentication, enter the user ID to establish the connection with the proxy server.
ProxyPassword For a proxy server that requires authentication, enter the password of the ProxyUserid user to establish the connection with the proxy server.
TrustedCertPathPath to the Transport Layer Security (TLS) certificate authority (CA) bundle of trusted certificates.
TrustedHostList Enter a comma-separated list of FQDNs or IP addresses that specify all Tanium Servers and the Module Server. Traffic from 127.0.0.1 and localhost is trusted automatically. Tanium Core Platform 7.0.314.6242 or later supports wildcards. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
ForceIPV6Add this setting manually if you need it, but only with guidance from your TAM. In deployments where traffic between Tanium Core Platform servers and the Internet traverses a proxy server, TDownloader resolves the proxy address as an IPv4 address by default. If the proxy server has an IPv6 address, add the ForceIPV6 setting with a value of 1.

In most cases, use the Tanium Console to configure proxy settings. In some circumstances, you might need to configure proxy settings before you have access to the Tanium Console. If necessary, you can configure proxy settings on the Tanium Server or Module Server host.

The proxy server configuration is stored in configuration files on the Tanium Server. Tanium Servers do not automatically synchronize the configuration files among high availability (HA) peers. If you change these settings in HA deployments, be sure to perform the procedure on both Tanium Servers in the HA cluster.

The Windows Registry entry for proxy server settings is found in the following location for on the Tanium Server host and Tanium Module Server host:

HKEY_LOCAL_MACHINE\Software\Wow6432Node\Tanium\Tanium Server

Table 2:   TDownloader settings
NameTypeData
BypassCRLCheckHostListREG_SZUse this setting to list servers that the Tanium Server can trust without checking a certificate revocation list (CRL). The Tanium Server performs a CRL check on all servers that are not in this list, and does not download files from a server that fails the check. Specify the servers by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
BypassProxyHostListREG_SZMust be set with a comma-separated list of FQDN or IP addresses that specify all Tanium Servers and the Module Server, 127.0.0.1, and localhost. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]). Specify literal values. Tanium Core Platform 7.0.314.6242 and later supports wildcards.

Note: Enhancements have been made in recent releases to automatically bypass the proxy server for these host addresses:

7.0.314.6573+ — Automatically bypass 127.0.0.1 and localhost.

7.1.314.3204+ — Automatically bypass 127.0.0.1 and localhost.

7.2.314.3181+ — Automatically bypass Tanium Server, 127.0.0.1, and localhost.

7.3.314.2866+ — Automatically bypass Tanium Server, 127.0.0.1, and localhost.

ProxyServerREG_SZIP address of the proxy server.

Note: By default, TDownloader resolves the proxy server address as an IPv4 address. If the proxy server has an IPv6 address, you must enter it within brackets (for example, [2001:db8::1]) and configure the TDownloader setting ForceIPV6 to 1.

ProxyPortREG_SZProxy server listening port.
ProxyTypeREG_SZThe options are Basic, NTLM, or None.
ProxyUseridREG_SZ For a proxy server that requires authentication, enter the user ID to establish the connection with the proxy server.
ProxyPasswordREG_SZ

The corresponding password.

TrustedHostListREG_SZ Enter a comma-separated list of FQDNs or IP addresses that specify all Tanium Servers and the Module Server. Traffic from 127.0.0.1 and localhost is trusted automatically. Tanium Core Platform 7.0.314.6242 and later supports wildcards. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).

By default, TDownloader resolves a proxy server hostname as an IPv4 address. Tanium Core Platform 7.3 and later support IPv6. If necessary, you can override the default by adding a setting to the TDownloader registry in the following location:

HKEY_LOCAL_MACHINE\Software\Wow6432Node\Tanium\Downloader

Table 3:   TDownloader Registry Key setting
NameTypeData
LogVerbosityLevelREG_DWORDSpecify one of the following decimal values for the log verbosity level:
  • 0: Logging disabled.
  • 1: Log level during normal operation.
  • 41: Best practice log level during troubleshooting.
  • 91 or higher: Enable the most detailed log levels for short periods of time only.
ForceIPV6REG_DWORD Add this registry key manually if you need it, but only with guidance from your TAM. By default, TDownloader resolves the proxy server address as an IPv4 address. If the proxy server has an IPv6 address, add the ForceIPV6 key and set its value to 1.