Tanium Core Platform settings

To configure platform settings for your Tanium as a Service deployment, see Tanium Console User Guide: Managing platform settings.

You configure the host system settings of most Tanium Core Platform servers during installation. When troubleshooting an issue, Tanium Support might ask you to review or confirm these settings, but rarely asks you to change them. If Support does ask you to change settings, you can change many of them through the Tanium Console in Tanium Core Platform 7.4 or later (see Tanium Console User Guide: Managing platform settings). The following sections describe how to configure the settings through means other than the console.

You can contact Tanium Support at [email protected].

Tanium Appliance

The following table lists the configuration database locations for settings that you configure when installing Tanium Core Platform servers. You can use TanOS menus to add, delete, or modify settings with guidance from Tanium Support ([email protected]).

Table 1: Configuration database locations for Tanium Core Platform server settings
Component	DB location
Tanium Server	/opt/Tanium/TaniumServer/server.db
Module Server	/opt/Tanium/TaniumModuleServer/server.db
Zone Server	/opt/Tanium/TaniumZoneServer/zoneserver.db
TDownloader	/opt/Tanium/TaniumServer/tdownloader.db
TDownloader	/opt/Tanium/TaniumModuleServer/tdownloader.db

Edit server settings

Enter 2 to go to the Tanium Operations menu.

View screen

------------------------------------------------------

             >>> Tanium Operations Menu <<< 

         1: Tanium Service Control
         2: Tanium Configuration Settings
         4: Install Custom SOAP Cert
         5: Manage Custom Signing Keys
         6: Download Public Key
         7: Download SOAP Certificate
         9: Import CAC Certificate

         A: Configure Remote Module Server
         B: Configure Tanium Cluster
         C: Manage Content
         M: Module Operations

         I: Import public key to Tanium Zone Server

         X: Advanced Operations

         H: Help
         R: Return to previous menu

------------------------------------------------------

Enter 2 to go to the Configuration Settings menu.

View screen

------------------------------------------------------

 >>> Tanium Operations -> Configuration Settings <<< 

Note: Some settings may require a service restart to take effect.

          1: Edit Tanium Server Settings
          2: Edit Tanium Server TDL Settings
          3: Add Tanium Server TDL Auth User
          4: Add Tanium Server TDL Auth Cert

          5: Edit Tanium Module Server Settings
          6: Edit Tanium Module Server TDL Settings
          7: Add Tanium Module Server TDL Auth User
          8: Add Tanium Module Server TDL Auth Cert

          9: Edit Tanium Zone Server Settings
          11: Edit isolated subnets list
          12: Edit separated subnets list

          13: Control Root CA Certs

          H: Help
          R: Return to previous menu

------------------------------------------------------

Use the menu to view and edit settings for Tanium Core Platform servers.

Tanium Server

Table 2: Tanium Server settings
Settings	Guidelines
AddressMask	Hexadecimal value of a subnet CIDR that delineates the clients that belong to a chain. Do not change this setting unless your Tanium Support instructs you to do so.
AllowedHubs	The Zone Server Hub that is allowed to connect to this Tanium Server. The Zone Server Hub is collocated on the Tanium Server appliance and this setting has the value 127.0.0.1.
AuthPluginTimeoutSeconds	The default is 60.
AuthenticationPlugin	String that specifies the Pluggable Authentication Module (PAM).
ConsoleSettingsJSON	Path to the Tanium Console settings file.
LogPath	The location for Tanium Server logs. The default is /opt/Tanium/TaniumServer/Logs.
LogVerbosityLevel	Specify one of the following decimal values for the log verbosity level: 0: Logging disabled. 1: Normal log level. 41: Recommended during troubleshooting. >= 91: Most detailed log level. Enable for short periods of time only.
ModuleServer	Module Server IP address.
ModuleServerPort	Module Server port. The default is 17477.
PKIDatabasePassword	You must manually add this setting to prevent unauthorized access to the pki.db file, which contains the Tanium Server root keys, message-signing keys, and TLS keys. Set the Value Type to protected and specify a password to encrypt the pki.db file. The file is in the Tanium Server installation folder and a copy resides in the /backups subfolder. For details about these keys, see Tanium Console User Guide: Managing Tanium keys.
ReportingTLSCertPath	Setting for inbound connections. Path to the TLS certificate that was created upon installation. This certificate is used in TLS connections initiated by the Tanium Client, the Tanium Zone Server Hub, or the Tanium Zone Server.
ReportingTLSKeyPath	Setting for inbound connections. Path to the private key file used in TLS connections. This setting must be present to enable TLS.
ReportingTLSMode	Configures TLS for outgoing connections that the Tanium Server initiates. The possible values are: 0 (TLS not used) 1 (TLS required) 2 (TLS optional) Tanium Server appliances use an IPSec tunnel instead of TLS to secure Tanium database and appliance LDAP synchronization traffic. The servers use TLS to secure all other communication between them.
RequireIncomingEncryption	Setting for inbound connections. Implicitly set to 0 by default. To set a different value, you must add the setting. 0 (TLS not required) 1 (TLS required) Important: When RequireIncomingEncryption is set to 1, only TLS connection requests are processed, so only Tanium Clients that have TLS enabled are able to register and be managed. Do not set this to 1 until you are sure all Tanium Clients that have been deployed are configured to use TLS (ReportingTLSMode=1 or ReportingTLSMode=2), and you are ready to deploy Tanium Client to new endpoints with TLS configured prior to initial registration.
ServerPort	Tanium Server port. The server listens for Tanium Clients on this port. The default is 17472. Do not change the ServerPort setting in the TaniumServer.ini configuration file; instead, use the Tanium Operations > Change Tanium Port menu.
ServerSOAPPort	Tanium Console and SOAP API port. The default is 8443. Port 443 redirects to this 8443.
SQLConnectionString	Database server connection information. The following are examples: MSSQL: SQL1\[email protected] PostgreSQL: postgres:[email protected]=postgres port=5432 TanOS: postgres:<TanOS_IP_Address>@user=postgres dbname=tanium For PostgreSQL, see the PostgreSQL documentation for the supported keywords, such as dbname, port, and user. If you change this setting, you must restart the Tanium Server.
SSLCipherSuite	ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
SSLHonorCipherOrder	The default is 1.
TrustedCertPath	Path to the certificate file used for secure connections to the Tanium Console port.
Version	Tanium Server version number.

Tanium Server TDownloader

Table 3: Tanium Server TDownloader (TDL) settings
Settings	Guidelines
BypassCRLCheckHostList	Use this setting to list servers that the Tanium Server can trust without checking a certificate revocation list (CRL). The Tanium Server performs a CRL check on all servers that are not in this list, and does not download files from a server that fails the check. Specify the servers by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
BypassProxyHostList	Must be set with a comma-separated list of FQDN or IP addresses that specify all Tanium Servers and the Module Server, 127.0.0.1, and localhost. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]). Specify literal values. Tanium Core Platform 7.0.314.6242 and later supports wildcards. Enhancements have been made in recent releases to automatically bypass the proxy server for these host addresses: 7.0.314.6573+ — Automatically bypass 127.0.0.1 and localhost. 7.1.314.3204+ — Automatically bypass 127.0.0.1 and localhost. 7.2.314.3181+ — Automatically bypass Tanium Server, 127.0.0.1, and localhost. 7.3.314.2866+ — Automatically bypass Tanium Server, 127.0.0.1, and localhost.
LogVerbosityLevel	Specify one of the following decimal values for the log verbosity level: 0: Logging disabled. 1: Normal log level. 41: Recommended during troubleshooting. >= 91: Most detailed log level. Enable for short periods of time only.
ProxyServer	IP address of the proxy server. By default, TDownloader resolves the proxy server address as an IPv4 address. If the proxy server has an IPv6 address, you must enter it within brackets (for example, [2001:db8::1]) and configure the TDownloader setting ForceIPV6 to 1.
ProxyPort	Proxy server listening port.
ProxyType	The options are Basic, NTLM, or None.
ProxyUserid	For a proxy server that requires authentication, enter the user ID to establish the connection with the proxy server.
ProxyPassword	For a proxy server that requires authentication, enter the password of the ProxyUserid user to establish the connection with the proxy server.
TrustedCertPath	Path to the Transport Layer Security (TLS) certificate authority (CA) bundle of trusted certificates.
TrustedHostList	By default, the Tanium Server validates the SSL/TLS certificate of remote servers when establishing connections to them (such as for downloading files). To bypass certificate validation for specific servers, enter their FQDN or IP address. Tanium Core Platform 7.0.314.6242 and later support wildcards. You must enter IPv6 addresses within square brackets (for example, `[2001:db8::1]`). In an active-active deployment, you do not need to add the Tanium Servers to the list. The servers automatically trust each other, as well as traffic from 127.0.0.1 or localhost. Contact Tanium Support before modifying this setting.
ForceIPV6	Add this setting manually if you need it, but only with guidance from Tanium Support ([email protected]). In deployments where traffic between Tanium Core Platform servers and the Internet traverses a proxy server, TDownloader resolves the proxy address as an IPv4 address by default. If the proxy server has an IPv6 address, add the ForceIPV6 setting with a value of 1.

Tanium Module Server

Table 4: Module Server settings
Settings	Guidelines
LogVerbosityLevel	Specify one of the following decimal values for the log verbosity level: 0: Logging disabled. 1: Normal log level. 41: Recommended during troubleshooting. >= 91: Most detailed log level. Enable for short periods of time only.
ServerPort	Module Server port. The default is 17477.
Version	Tanium Module Server version number.

Module Server TDownloader

Table 5: Module Server TDownloader settings
Settings	Guidelines
BypassCRLCheckHostList	Use this setting to list servers that the Tanium Server can trust without checking a certificate revocation list (CRL). The Tanium Server performs a CRL check on all servers that are not in this list, and does not download files from a server that fails the check. Specify the servers by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
BypassProxyHostList	Must be set with a comma-separated list of FQDN or IP addresses that specify all Tanium Servers and the Module Server, 127.0.0.1, and localhost. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]). Specify literal values. Tanium Core Platform 7.0.314.6242 and later supports wildcards. Enhancements have been made in recent releases to automatically bypass the proxy server for these host addresses: 7.0.314.6573+ — Automatically bypass 127.0.0.1 and localhost. 7.1.314.3204+ — Automatically bypass 127.0.0.1 and localhost. 7.2.314.3181+ — Automatically bypass Tanium Server, 127.0.0.1, and localhost. 7.3.314.2866+ — Automatically bypass Tanium Server, 127.0.0.1, and localhost.
LogVerbosityLevel	Specify one of the following decimal values for the log verbosity level: 0: Logging disabled. 1: Normal log level. 41: Recommended during troubleshooting. >= 91: Most detailed log level. Enable for short periods of time only.
ProxyServer	IP address of the proxy server. By default, TDownloader resolves the proxy server address as an IPv4 address. If the proxy server has an IPv6 address, you must enter it within brackets (for example, [2001:db8::1]) and configure the TDownloader setting ForceIPV6 to 1.
ProxyPort	Proxy server listening port.
ProxyType	The options are Basic, NTLM, or None.
ProxyUserid	For a proxy server that requires authentication, enter the user ID to establish the connection with the proxy server.
ProxyPassword	For a proxy server that requires authentication, enter the password of the ProxyUserid user to establish the connection with the proxy server.
TrustedCertPath	Path to the Transport Layer Security (TLS) certificate authority (CA) bundle of trusted certificates.
TrustedHostList	By default, the Module Server validates the SSL/TLS certificate of remote servers when establishing connections to them (such as for downloading module software updates). To bypass certificate validation for specific servers, enter their FQDN or IP address. Tanium Core Platform 7.0.314.6242 and later support wildcards. You must enter IPv6 addresses within square brackets (for example, `[2001:db8::1]`). Contact Tanium Support before modifying this setting.
ForceIPV6	Add this setting manually if you need it, but only with guidance from your Tanium Support ([email protected]). In deployments where traffic between Tanium Core Platform servers and the Internet traverses a proxy server, TDownloader resolves the proxy address as an IPv4 address by default. If the proxy server has an IPv6 address, add the ForceIPV6 setting with a value of 1.

Tanium Zone Server

Table 6: Zone Server settings
Settings	Guidelines
AllowedHubs	Enter a comma-separated list of IP addresses of Zone Server Hubs that are authorized to communicate with this Zone Server.
EnforceAllowedHubs	Set the value to 1.
HubPriorityList	This setting applies only to Tanium Core Platform 7.4 or later. The setting specifies the FQDN or IP address of the preferred Zone Server Hub for sending Tanium Client content (such as sensor definitions, configuration information, and action package files) to the Zone Server. As long as that hub is available, the Zone Server does not receive content from any other hub. If the preferred hub goes down, the Zone Server fails over to receiving content from any other available hub.
LogVerbosityLevel	Specify one of the following decimal values for the log verbosity level: 0: Logging disabled. 1: Normal log level. 41: Recommended during troubleshooting. >= 91: Most detailed log level. Enable for short periods of time only.
ReportingTLSCertPath	Setting for inbound connections. Path to the TLS certificate. This certificate is used in TLS connections that the Tanium Client initiated.
ReportingTLSKeyPath	Setting for inbound connections. Path to the private key file used in TLS connections. This setting must be present to enable TLS.
ReportingTLSMode	Configures TLS for outgoing connections that the server initiates. On a Zone Server Hub, you configure this option to enable TLS for the Zone Server Hub to Zone Server segment. Automatically set to 2 when you complete the Zone Server TLS setup. 0 (TLS not used) 1 (TLS required) 2 (TLS optional)
RequireIncomingEncryption	Setting for inbound connections. Automatically set to 0 when you complete the Zone Server TLS setup. 0 (TLS not required) 1 (TLS required) Important: When RequireIncomingEncryption is set to 1, only TLS connection requests are processed, so only Tanium Clients that have TLS enabled are able to register and be managed. Do not set this to 1 until you are sure all Tanium Clients that have been deployed are configured to use TLS (ReportingTLSMode=1 or ReportingTLSMode=2), and you are ready to deploy Tanium Client to new endpoints with TLS configured prior to initial registration.
ServerName	This setting is deprecated. Do not specify a value.
ServerPort	Tanium Server Port. The default is 17472.
Version	Tanium Zone Server version number.
ZoneHubFlag	0 if not the hub; 1 if the hub.

Windows

The following table lists the Windows Registry locations for settings that you configure when installing Tanium Core Platform servers. To view or edit the settings, use the Command-line interface.

Table 7: Windows registry locations
Component	Windows Registry location
Tanium Server	HKLM\Software\Wow6432Node\Tanium\Tanium Server
Module Server	HKLM\Software\Wow6432Node\Tanium\Tanium Module Server
Zone Server Zone Server Hub	HKLM\Software\Wow6432Node\Tanium\Tanium ZoneServer
TDownloader	HKLM\Software\Wow6432Node\Tanium\Downloader

Tanium Server

Table 8: Tanium Server settings
Name	Windows Registry Type	Data
AddressMask	REG_DWORD	Hexadecimal value of a subnet CIDR that delineates the IPv4 clients that belong to a linear chain. Do not change this registry value unless your Tanium Support instructs you to do so.
AddressPrefixIPv6	REG_DWORD	IPv6 prefix represented as a decimal number between 0 and 128 inclusive that delineates the clients belonging to a linear chain. The default 0 specifies no peering. Contact Tanium Support at [email protected] to determine the optimum value for peering in IPv6 networks. Tanium Core Platform 7.3 and later.
AllowedHubs	REG_SZ	Enter a comma-separated list of Zone Server Hubs that are authorized to communicate with this Tanium Server. Specify the hubs by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]). Note that you can configure the AllowLocalHubs key as an exception to the AllowedHubs list.
AllowLocalHubs	REG_DWORD	By default, this key is not present in the registry but has a value of 1, which enables any local Zone Server Hub to communicate with the Tanium Server regardless of the AllowedHubs setting. Add this registry key manually if you need it, but only with guidance from your Tanium Support. Setting the value to 0 allows local Zone Server Hubs to communicate with the Tanium Server only if they are listed in AllowedHubs.
BypassCRLCheckHostList	REG_SZ	Servers that the Tanium Server trusts without checking a certificate revocation list (CRL). The Tanium Server performs a CRL check on all servers that are not in this list, and does not download files from a server that fails the check. Specify the servers by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
BypassProxyHostList	REG_SZ	Hosts that bypass the proxy server. For example, do not use a proxy server for traffic between Tanium Servers in an active-active cluster. A proxy server can cause problems with other traffic to a destination Tanium Server. For example, a package configuration can specify file URIs that are local to the Tanium Server to download content. It is important to bypass the proxy server for these URIs, or else the download will fail. Enter the exceptions as FQDNs or IP addresses. You must enter IPv6 addresses within square brackets (such as [2001:db8::1]. In most cases, the exceptions you need to specify are localhost, 127.0.0.1 (IPv4), [::1] (IPv6), and all Tanium Server FQDNs and IP addresses. For example: ts1.example.com, ts2.example.com,localhost,127.0.0.1, [::1],10.10.10.11,10.10.10.15 Specify literal values. Tanium Core Platform 7.0.314.6242 and later supports wildcards.
ConsoleSettingsJSON	REG_SZ	Path to the console settings file.
DBUserDomain	REG_SZ	The domain for the service account that connects to the database server. Specified when you completed the installation wizard.
DBUserName	REG_SZ	User name for the service account that connects to the database server. Specified when you completed the installation wizard.
EnforceAllowedHubs	REG_DWORD	The default value 1 specifies that the Tanium Server enforces the AllowedHubs setting: only Zone Server Hubs listed in AllowedHubs can communicate with the Tanium Server. The value 0 enables any Zone Server Hub to communicate with the Tanium Server regardless of the AllowedHubs setting.
LogPath	REG_SZ	Path to Tanium Server logs.
LogVerbosityLevel	REG_DWORD	Specify one of the following decimal values for the logging level: 0: Logging disabled. 1: Log level during normal operation. 41: Best practice log level during troubleshooting. 91 or higher: Enable the most detailed log levels for short periods of time only.
ModuleServer	REG_SZ	FQDN of the Module Server.
ModuleServerPort	REG_DWORD	Module Server Port. The default is 17477.
Path	REG_SZ	Installation path.
PGDLLPath	REG_SZ	Path to the PostgreSQL Server libraries.
PGRoot	REG_SZ	Path to the Postgres installation directory.
PKIDatabasePassword	REG_SZ	You must manually add this setting to prevent unauthorized access to the pki.db file, which contains the Tanium Server root keys, message-signing keys, and TLS keys. Set the Value Type to protected and specify a password to encrypt the pki.db file. The file is in the Tanium Server installation folder and a copy resides in the /backups subfolder. For details about these keys, see Tanium Console User Guide: Managing Tanium keys.
ProxyPassword	REG_SZ	For a basic proxy server that requires authentication, this setting is the account password used when establishing a connection with the proxy server. The password is stored in clear text within the registry. This setting does not apply NTLM proxies, which use the credentials of the user context that runs the Tanium Server service.
ProxyPort	REG_SZ	Proxy server listening port.
ProxyType	REG_SZ	Basic or NTLM.
ProxyServer	REG_SZ	IP address of the proxy server. By default, the Tanium Downloader (TDownloader) service that manages downloads for the Tanium Server and Tanium Module Server resolves the ProxyServer address as an IPv4 address. If the proxy server has an IPv6 address, you must enter it within brackets (for example, [2001:db8::1]) and, on Windows systems, configure the Tanium Downloader registry with a ForceIPV6 key set to 1.
ProxyUserid	REG_SZ	For a basic proxy server that requires authentication, this setting is the account username used when establishing a connection with the proxy server. The password is stored in clear text within the registry. This setting does not apply NTLM proxies, which use the credentials of the user context that runs the Tanium Server service.
PythonPath	REG_SZ	Deprecated setting that is no longer used.
ServerName	REG_SZ	The network adapter binding that the Tanium Server uses to listen for IPv4 client registrations. The default value 0.0.0.0 indicates binding to all network adapters. Do not change this registry value unless Tanium Support instructs you to do so.
ServerNameIPv6	REG_SZ	Add this registry key manually if you need it, but only with guidance from Tanium Support. By default, the key is hidden and has a value of [::], which indicates that the Tanium Server binds to all network adapters to listen for IPv6 client registrations. To bind to a specific network adapter, add the key and enter the IPv6 address of the adapter within square brackets (for example, [2001:db8::1]).
ServerPort	REG_DWORD	Tanium Server Port. The server listens for Tanium Clients on this port. Specified when you completed the installation wizard. The default is 17472.
ServerSOAPPort	REG_DWORD	Tanium Console and SOAP API port. Specified when you complete the installation wizard. The default is 443.
SQLConnectionString	REG_SZ	Database server connection information. The following are examples: MSSQL: SQL1\[email protected] PostgreSQL: postgres:[email protected]=postgres port=5432 TanOS: postgres:<TanOS_IP_Address>@user=postgres dbname=tanium For PostgreSQL, see the PostgreSQL documentation for the supported keywords, such as dbname, port, and user. If you change this setting, you must restart the Tanium Server: see Tanium Console User Guide: Manage the Tanium Server service.
TrustedCertPath	REG_SZ	Path to the certificate file used for secure connections to the Tanium Console port. The certificate is selected when you completed the installation wizard.
TrustedHostList	REG_SZ	By default, the Tanium Server validates the SSL/TLS certificate of remote servers when establishing connections to them (such as for downloading files). To bypass certificate validation for specific servers, enter their FQDN or IP address. Tanium Core Platform 7.0.314.6242 and later support wildcards. You must enter IPv6 addresses within square brackets (for example, `[2001:db8::1]`). In an active-active deployment, you do not need to add the Tanium Servers to the list. The servers automatically trust each other, as well as traffic from 127.0.0.1 or localhost. Contact Tanium Support before modifying this setting.
Version	REG_SZ	Tanium Server version number.

Tanium Module Server

Table 9: Module Server settings
Name	Type	Data
LogVerbosityLevel	REG_DWORD	Specify one of the following decimal values for the log verbosity level: 0: Logging disabled. 1: Log level during normal operation. 41: Best practice log level during troubleshooting. 91 or higher: Enable the most detailed log levels for short periods of time only.
Path	REG_SZ	Installation path.
PythonPath	REG_SZ	Deprecated setting that is no longer used.
ServerName	REG_SZ	The network adapter binding that the Tanium Module Server uses to listen for IPv4 connections. The default value 0.0.0.0 indicates binding to all network adapters.
ServerNameIPv6	REG_SZ	Tanium Core Platform 7.3 and later. You must add this registry key manually if you need it, but only with guidance from Tanium Support. By default, the key is hidden and has a value of [::], which indicates that the Tanium Module Server binds to all network adapters to listen for IPv6 connections. To bind to a specific network adapter, add the key and enter the IPv6 address of the adapter within square brackets (for example, [2001:db8::1]).
ServerPort	REG_DWORD	Tanium Module Server port. The default is 17477.
Version	REG_SZ	Tanium Module Server version number.

The Module Server host computer has a registry entry for the Tanium Server:

HKEY_LOCAL_MACHINE\Software\Wow6432Node\Tanium\Tanium Server

The settings in this registry entry are for the proxy server configuration.

Table 10: Proxy server settings on the Module Server
Name	Type	Data
BypassCRLCheckHostList	REG_SZ	Servers that the Tanium Server trusts without checking a certificate revocation list (CRL). The Tanium Server performs a CRL check on all servers that are not in this list, and does not download files from a server that fails the check. Specify the servers by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
BypassProxyHostList	REG_SZ	Hosts that bypass the proxy server. For example, do not use a proxy server for traffic between Tanium Servers in an active-active cluster. A proxy server can cause problems with other traffic to a destination Tanium Server. For example, a package configuration can specify file URIs that are local to the Tanium Server to download content. It is important to bypass the proxy server for these URIs, or else the download will fail. Enter the exceptions as FQDNs or IP addresses. You must enter IPv6 addresses within square brackets (such as [2001:db8::1]. In most cases, the exceptions you need to specify are localhost, 127.0.0.1 (IPv4), [::1] (IPv6), and all Tanium Server FQDNs and IP addresses. For example: ts1.example.com, ts2.example.com,localhost,127.0.0.1, [::1],10.10.10.11,10.10.10.15 Specify literal values. Tanium Core Platform 7.0.314.6242 and later supports wildcards.
ProxyPassword	REG_SZ	For a basic proxy server that requires authentication, this setting is the account password used when establishing a connection with the proxy server. The password is stored in clear text within the registry. This setting does not apply NTLM proxies, which use the credentials of the user context that runs the Tanium Server service.
ProxyPort	REG_SZ	Proxy server listening port.
ProxyType	REG_SZ	Basic or NTLM.
ProxyServer	REG_SZ	IP address of the proxy server. By default, the Tanium Downloader (TDownloader) service that manages downloads for the Tanium Server and Tanium Module Server resolves the ProxyServer address as an IPv4 address. If the proxy server has an IPv6 address, you must enter it within brackets (for example, [2001:db8::1]) and, on Windows systems, configure the Tanium Downloader registry with a ForceIPV6 key set to 1.
ProxyUserid	REG_SZ	For a basic proxy server that requires authentication, this setting is the account username used when establishing a connection with the proxy server. The password is stored in clear text within the registry. This setting does not apply NTLM proxies, which use the credentials of the user context that runs the Tanium Server service.
TrustedHostList	REG_SZ	By default, the Module Server validates the SSL/TLS certificate of remote servers when establishing connections to them (such as for downloading module software updates). To bypass certificate validation for specific servers, enter their FQDN or IP address. Tanium Core Platform 7.0.314.6242 and later support wildcards. You must enter IPv6 addresses within square brackets (for example, `[2001:db8::1]`). Contact Tanium Support before modifying this setting.

TDownloader

The Tanium Downloader (TDownloader) entry is used for log verbosity level and IPv6 support.

Table 11: TDownloader settings
Name	Type	Data
LogVerbosityLevel	REG_DWORD	Specify one of the following decimal values for the log verbosity level: 0: Logging disabled. 1: Log level during normal operation. 41: Best practice log level during troubleshooting. 91 or higher: Enable the most detailed log levels for short periods of time only.
ForceIPV6	REG_DWORD	Tanium Core Platform 7.3 and later. Add this registry key manually if you need it, but only with guidance from Tanium Support. In deployments where traffic between Tanium Core Platform servers and the Internet traverses a proxy server, TDownloader resolves the proxy address as an IPv4 address by default. If the proxy server has an IPv6 address, add the ForceIPV6 key and set its value to 1.

Zone Server

Table 12: Zone Server settings
Name	Type	Data
AllowedHubs	REG_SZ	Enter a comma-separated list of Zone Server Hubs that are authorized to communicate with this Zone Server. Specify the hubs by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
EnableFileCache	REG_SZ	This setting applies only to Tanium Core Platform 7.4 or later. If you installed the Zone Server Hub on a dedicated host instead of on the Tanium Server, set the value to 1 to enable the hub to cache package files for actions and files requested through the Tanium Client API. The hub provides these resources to the Zone Server without having to re-request them from the Tanium Server. To limit the cache size, set the hub_hot_cache_limit_in_MB. In Tanium Core Platform 7.4 or later, the hub cache is disabled by default (value is 0) because the hub is typically installed on the Tanium Server, which has its own cache.
EnforceAllowedHubs	REG_DWORD	The default value 1 specifies that the Zone Server enforces the AllowedHubs setting: only Zone Server Hubs listed in AllowedHubs can communicate with the Zone Server. The value 0 enables any Zone Server Hub to communicate with the Zone Server regardless of the AllowedHubs setting.
hub_hot_cache_limit_in_MB		This setting applies only if the Zone Server Hub is installed on a dedicated host instead of on the Tanium Server. The hub uses its cache to forward Tanium Client content to the Zone Server without having to re-request the content from the Tanium Server. The content includes package files for actions and files requested through the Tanium Client API. Use the hub_hot_cache_limit_in_MB setting to limit the cache size. As a best practice, set the limit to whichever is the lesser value between 200GB and 60% of available disk space on the drive where the hub is installed. In Tanium Core Platform 7.4 or later, the hub cache is disabled by default and therefore uses no disk space. If you enable the cache by setting the EnableFileCache value to 1, the default hub_hot_cache_limit_in_MB value is 0 (20% disk space). Do not enable the hub cache if the hub is installed on the Tanium Server, which uses its own cache.
HubPriorityList	REG_SZ	This setting applies only to Tanium Core Platform 7.4 or later. The setting specifies the FQDN or IP address of the preferred Zone Server Hub for sending Tanium Client content (such as sensor definitions, configuration information, and action package files) to the Zone Server. As long as that hub is available, the Zone Server does not receive content from any other hub. If the preferred hub goes down, the Zone Server fails over to receiving content from any other available hub. Typically you use this setting for active-active deployments that have pairs of Zone Servers and hubs, where each hub connects to each Zone Server. In active-active deployments, adding the HubPriorityList is a best practice to ensure that each Zone Server receive content from its closest hub. Configuring this setting also optimizes hub usage by ensuring that each hub serves one Zone Server instead of one hub servicing both servers.
LogPath	REG_SZ	Path to Tanium Zone Server logs.
LogVerbosityLevel	REG_DWORD	Specify one of the following decimal values for the log verbosity level: 0: Logging disabled. 1: Log level during normal operation. 41: Best practice log level during troubleshooting. 91 or higher: Enable the most detailed log levels for short periods of time only.
Path	REG_SZ	Installation path.
ServerName	REG_SZ	This setting is deprecated. Do not specify a value.
ServerPort	REG_DWORD	Tanium Server Port. Specified when you completed the installation wizard. The default is 17472.
ServiceUserDomain	REG_SZ	The Zone Server Windows service runs in the context of a service account. This entry contains the domain specified during installation.
ServiceUserName	REG_SZ	The Zone Server Windows service runs in the context of a service account. This entry contains the user name specified during installation.
Version	REG_SZ	Tanium Zone Server version number.
ZoneHubFlag	REG_DWORD	The value indicates whether this Zone Server instance is (1) or is not (0) a Zone Server Hub.
zs_hot_cache_limit_in_MB		The Zone Server caches content that it provides to Tanium Clients without having to re-request the content from the Tanium Server. The content includes package files for actions and files requested through the Tanium Client API. Use the zs_hot_cache_limit_in_MB setting to limit the cache size. As a best practice, set the limit to whichever is the lesser value between 200GB and 60% of available disk space on the drive where the hub is installed.