Securing Tanium Server, Zone Server, and Tanium Client access
Tanium Cloud uses Transport Layer Security (TLS) to secure the connections among Tanium Core Platform components. You cannot change the digital certificates and keys that Tanium Cloud uses for TLS communication.
Tanium Cloud uses the Tanium™ Protocol for communication among managed endpoints and for communication between the endpoints and Tanium Cloud. It is an application protocol that is proprietary to Tanium and that uses TLS 1.2 to encrypt communication. You cannot use network devices such as firewalls to decrypt and inspect Tanium Protocol traffic.
Overview of TLS in the Tanium Core Platform
All supported versions of the Tanium Core Platform use the following protocols for communication among platform components:
Tanium™ Protocol: This application protocol is proprietary to Tanium and uses TLS 1.2 to encrypt communication.
You cannot use network devices such as firewalls to decrypt and inspect Tanium Protocol traffic.
- Hypertext Transfer Protocol Secure (HTTPS): The Tanium Core Platform uses TLS 1.2 to encrypt HTTPS communication among platform components. The components negotiate the TLS version for HTTPS connections with external servers but enforce TLS 1.2 as the minimum version.
The following table lists the connections among Tanium Core Platform components and the protocol that each connection uses. The numbers correspond to the connections in Figure 1.
|Tanium Console or API user systems to Tanium Servers||HTTPS|
|Tanium Console or API user systems to external servers, such as content.tanium.com||HTTPS|
|(Windows only) Tanium Servers to Tanium database in deployments where the database is not on the Tanium Server host||By default, communication is over TCP/IP without encryption, but configuring encryption is a best practice. Consult your database administrator.|
|Tanium Servers to Tanium Module Server||HTTPS|
|Module Server to external servers||HTTPS|
|Tanium Server to Tanium Server in an active-active deployment||Tanium Protocol *
* Tanium Appliances use IPsec to secure Tanium database traffic and Lightweight Directory Access Protocol (LDAP) synchronization traffic.
|Tanium Servers to external servers||HTTPS|
|Tanium Servers to Zone Server Hub
Figure 1 shows the Zone Server Hub installed on a host that is separate from the Tanium Server hosts to illustrate that the connection is encrypted. However, in most deployments, you install the hubs on the same hosts as the Tanium Servers.
|Zone Server Hub to Zone Server||Tanium Protocol|
|Tanium Clients (external) to Zone Server||Tanium Protocol|
|Tanium Clients (internal) to Tanium Servers||Tanium Protocol|
|Tanium Client to Tanium Client (external and internal)||Tanium Protocol *
* Applies only to Tanium Client 7.4 or later.
To manage the certificates and credentials for securing connections between Tanium Core Platform servers and remote sources of content (such as packages), see Tanium Console User Guide: Managing downloads authentication.
For additional details and procedures related to the digital keys for Tanium Protocol traffic, see Tanium Console User Guide: Managing Tanium keys.
The Tanium Core Platform supports TLS for additional connections that various Tanium modules and shared services require. For details, see the user guides for your Tanium products at docs.tanium.com.
To troubleshoot TLS communication issues, see PKI TLS log.
TLS communication process
TLS communication starts when a TLS client initiates a TLS handshake to establish a secure connection with a server. The following are examples in the context of the Tanium Core Platform:
- The Zone Server acts as a client when registering with the Tanium Server.
- The Tanium Client acts as a client when registering with the Zone Server or Tanium Server.
- A Tanium Server acts as a client when performing active-active synchronization with another Tanium Server.
During the TLS handshake, the client and server generate a shared, unique session key, which they use to secure communication for the duration of their session. You can configure TLS as optional for Tanium Clients. If the handshake fails and TLS is optional, the client and server attempt a non-TLS (unencrypted) connection instead. If the handshake fails and TLS is configured as required, the client and server cannot connect.
Supported cipher suites
The Tanium Core Platform supports the following cipher suites for creating keys and encrypting information in TLS communication:
TLS options, and defaults
After a fresh installation or upgrade, TLS is required for the Tanium Server (including between Tanium Servers in an active-active deployment), Zone Server, and Zone Server Hub, and you cannot disable it. The Tanium Server installer generates the TLS public and private keys that are used to set up TLS for connections with the Tanium Server.
After a fresh installation or upgrade, TLS is required by default for endpoints with Tanium Client 7.4 or later and is not required by default for endpoints with Tanium Client 7.2. You can optionally configure this requirement.
This applies both in a Windows deployment and when you install the Tanium Server role on a Tanium Appliance (see Tanium Appliance Deployment Guide: Assign roles).
Contact Tanium Support and consult your network security team before modifying the TLS configuration. Whether TLS is available and required depends on the Tanium Core Platform version, components, and infrastructure:
If your organization uses a hardware security module (HSM) to store and manage keys, you can configure the Tanium Server to integrate with the HSM. See Securing keys with an HSM.
(Optional) Configure the TLS requirement for Tanium Client connections
The Tanium Core Platform also requires TLS for incoming connections from endpoints with Tanium Client 7.4 or later by default. You can configure the TLS requirement for Tanium Client 7.2 and Tanium Client 7.4 and later.
From the Tanium Console Main menu, go to Administration > Configuration > Settings > Advanced Settings, and configure the following settings for connections from Tanium Clients to the Tanium Server.
These settings also apply to connections from Tanium Clients to the Zone Server if you deploy one.
- require_client_tls_315_flag: Specify one of the following values:
- 1 (default): The Tanium Server allows connections from endpoints with Tanium Client 7.4 or later only if TLS is used. Tanium strongly recommends that you leave the value at 1.
- 0: The Tanium Server allows both TLS and non-TLS connections from endpoints with Tanium Client 7.4 or later. Contact Tanium Support before setting the value to 0.
- require_client_tls_314_flag: Specify one of the following values:
- 0 (default): The Tanium Server allows both TLS and non-TLS connections from endpoints with Tanium Client 7.2.
- 1: The Tanium Server allows connections from endpoints with Tanium Client 7.2 only if TLS is used. Do not set the value to 1 until you are sure that all Tanium Clients that have been deployed are configured to use TLS and you are ready to deploy the Tanium Client to new endpoints with TLS configured before initial registration.
Configure TLS on Tanium Clients
Whether TLS is enabled or disabled by default, depends on the Tanium Client version:
- Version 7.4 or later: After a fresh installation or upgrade, TLS is enabled and required by default. Tanium strongly recommends that you use these default settings.
- Version 7.2: TLS communication is disabled by default and enabling it is optional.
Perform the following steps to enable or disable TLS on Tanium Clients:
- From the Main menu, go to Administration > Configuration > Client Status.
- In the Filter by Registration section, select Registered using TLS and Registered unencrypted if they are not already enabled.
The Using TLS column indicates which Tanium Clients have TLS enabled or disabled.
- From the Main menu, go to Administration > Configuration > Settings > Advanced Settings and configure TLS settings for the Tanium Clients as described in Table 2.
On the Tanium Client endpoint, the setting names have the prefix Server_ (for example, Server_ReportingTLSMode). This prefix indicates that the Tanium Client received the settings from platform settings on the Tanium Server during registration, and future registration updates might change the settings. In some cases, you might want a Tanium Client to use settings that differ from the Tanium Server platform settings. For example, you might release a feature such as TLS to your Tanium Clients in stages. To override the Tanium Server platform settings, add the settings without the Server_ prefix to the Windows registry entries or Tanium Client settings database on the client endpoints. For example, if you add the ReportingTLSMode setting to a Tanium Client, it overrides the Server_ReportingTLSMode setting.
It takes two to six hours (the randomized client-reset interval) for clients to register and receive the updated settings.
Verify the TLS connections
Verify whether Tanium Clients used TLS to connect with the Tanium Server or Zone Server when the clients last registered: from the Main menu, go to Administration > Configuration > Client Status and check the Using TLS column.
Update the TLS configuration when you make changes to key pair
When you add or revoke Tanium root keys, the Tanium Server automatically propagates the changes to all subordinate keys on the platform servers and Tanium Clients (see Tanium Console User Guide: Managing Tanium keys).
Last updated: 5/31/2023 4:44 PM | Feedback