Proxy server settings

Basic

Basic proxies might require authentication; you can configure the user ID and password. A strictly IP-address-based proxy server allows a specified list of servers to traverse the proxy and access the network or Internet. If this is the case, be sure to add the IP address or hostname of the Tanium Server to the access list of the proxy server.

NTLM

If the proxy server is set up to use NTLM, and you configured the Tanium Server service on Windows to run in the context of a service account that has sufficient permissions to traverse the proxy server, you do not have to configure the account ID and password. Otherwise, you must specify a user ID and password.

TDownloader user context

For Tanium deployments on Tanium™ Appliance or Tanium™ Infrastructure as a Service (IaaS), TDownloader runs in the context of the tanium service account user.

For Tanium deployments on customer-provided Windows Infrastructure, TDownloader runs in the context of the Tanium Server service account user that was specified during installation.

Configure proxy settings with the Tanium Console

In most cases, use the Tanium Console to configure proxy settings. See the Tanium Console User Guide: Configuring proxy server settings.

Tanium Appliance: Configure proxy settings

In most cases, use the Tanium Console to configure proxy settings. In some circumstances, you might need to configure proxy settings before you have access to the Tanium Console. If necessary, you can configure proxy settings on the Tanium Server or Module Server host.

Log into the TanOS console as the user tanadmin.
Enter 2 to go to the Tanium Operations menu.
Enter 2 to go to the Tanium Configuration Settings menu.
Enter 2 to go to the Tanium Server TDL Settings menu or enter 5 to go to the Module Server TDL Settings menu.
Use the menu to edit proxy server settings.

Table 1: Tanium Server TDownloader (TDL) settings
Settings	Guidelines
BypassCRLCheckHostList	Use this setting to list servers that the Tanium Server can trust without checking a certificate revocation list (CRL). The Tanium Server performs a CRL check on all servers that are not in this list, and does not download files from a server that fails the check. Specify the servers by FQDN or IP address.
BypassProxyHostList	Must be set with a comma-separated list of FQDN or IP addresses that specify all Tanium Servers and the Module Server, 127.0.0.1, and localhost. Specify literal values. Tanium Core Platform 7.0.314.6242 and later supports wildcards. Note: Enhancements have been made in recent releases to automatically bypass the proxy server for these host addresses: 7.0.314.6573+ — Automatically bypass 127.0.0.1 and localhost. 7.1.314.3204+ — Automatically bypass 127.0.0.1 and localhost. 7.2.314.3181+ — Automatically bypass Tanium Server, 127.0.0.1, and localhost. 7.3.314.2866+ — Automatically bypass Tanium Server, 127.0.0.1, and localhost.
LogVerbosityLevel	Log verbosity level: 0: Logging disabled. 1: Normal log level. 41: Recommended during troubleshooting. >= 91: Most detailed log level. Enable for short periods of time only.
ProxyServer	IP address of the proxy server. Note: By default, TDownloader resolves the proxy server address as an IPv4 address.
ProxyPort	Proxy server listening port.
ProxyType	The options are Basic, NTLM, or None.
ProxyUserid	For a proxy server that requires authentication, enter the user ID to establish the connection with the proxy server.
ProxyPassword	The corresponding password.
TrustedCertPath	Path to the TLS CA bundle of trusted certificates.
TrustedHostList	Must be set with a comma-separated list of FQDN or IP addresses that specify all Tanium Servers and the Module Server. Traffic from 127.0.0.1 and localhost is trusted automatically. Tanium core platform 7.0.314.6242 and later supports wildcards. Specify the servers by FQDN or IP address.

Windows: Configure proxy settings

In most cases, use the Tanium Console to configure proxy settings. In some circumstances, you might need to configure proxy settings before you have access to the Tanium Console. If necessary, you can configure proxy settings on the Tanium Server or Module Server host.

The Windows Registry entry for proxy server settings is found in the following location for on the Tanium Server host and Tanium Module Server host:

HKEY_LOCAL_MACHINE\Software\Wow6432Node\Tanium\Tanium Server

Table 2: TDownloader settings
Name	Type	Data
BypassCRLCheckHostList	REG_SZ	Use this setting to list servers that the Tanium Server can trust without checking a certificate revocation list (CRL). The Tanium Server performs a CRL check on all servers that are not in this list, and does not download files from a server that fails the check. Specify the servers by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
BypassProxyHostList	REG_SZ	Must be set with a comma-separated list of FQDN or IP addresses that specify all Tanium Servers and the Module Server, 127.0.0.1, and localhost. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]). Specify literal values. Tanium Core Platform 7.0.314.6242 and later supports wildcards. Note: Enhancements have been made in recent releases to automatically bypass the proxy server for these host addresses: 7.0.314.6573+ — Automatically bypass 127.0.0.1 and localhost. 7.1.314.3204+ — Automatically bypass 127.0.0.1 and localhost. 7.2.314.3181+ — Automatically bypass Tanium Server, 127.0.0.1, and localhost. 7.3.314.2866+ — Automatically bypass Tanium Server, 127.0.0.1, and localhost.
ProxyServer	REG_SZ	IP address of the proxy server. Note: By default, TDownloader resolves the proxy server address as an IPv4 address. If the proxy server has an IPv6 address, you must enter it within brackets (for example, [2001:db8::1]) and configure the TDownloader setting ForceIPV6 to 1.
ProxyPort	REG_SZ	Proxy server listening port.
ProxyType	REG_SZ	The options are Basic, NTLM, or None.
ProxyUserid	REG_SZ	For a proxy server that requires authentication, enter the user ID to establish the connection with the proxy server.
ProxyPassword	REG_SZ	The corresponding password.
TrustedHostList	REG_SZ	Must be set with a comma-separated list of FQDN or IP addresses that specify all Tanium Servers and the Module Server. Traffic from 127.0.0.1 and localhost is trusted automatically. Tanium core platform 7.0.314.6242 and later supports wildcards. Specify the servers by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).

By default, TDownloader resolves a proxy server hostname as an IPv4 address. Tanium Core Platform 7.3 and later support IPv6. If necessary, you can override the default by adding a setting to the TDownloader registry in the following location:

HKEY_LOCAL_MACHINE\Software\Wow6432Node\Tanium\Downloader

Table 3: TDownloader Registry Key setting
Name	Type	Data
LogVerbosityLevel	REG_DWORD	Specify one of the following decimal values for the log verbosity level: 0: Logging disabled. 1: Log level during normal operation. 41: Best practice log level during troubleshooting. 91 or higher: Enable the most detailed log levels for short periods of time only.
ForceIPV6	REG_DWORD	Add this registry key manually if you need it, but only with guidance from your TAM. By default, TDownloader resolves the proxy server address as an IPv4 address. If the proxy server has an IPv6 address, add the key and set its value to 1.