Securing Tanium Server, Zone Server, and Tanium Client access

Tanium Cloud uses Transport Layer Security (TLS) to secure the connections among Tanium Core Platform components. You cannot change the digital certificates and keys that Tanium Cloud uses for TLS communication.

Tanium Cloud uses the Tanium™ Protocol for communication among managed endpoints and for communication between the endpoints and Tanium Cloud. It is an application protocol that is proprietary to Tanium and that uses TLS 1.2 to encrypt communication. You cannot use network devices such as firewalls to decrypt and inspect Tanium Protocol traffic.

Overview of TLS in the Tanium Core Platform

Communication protocols

All supported versions of the Tanium Core Platform use the following protocols for communication among platform components:

  • Tanium™ Protocol: This application protocol is proprietary to Tanium and uses TLS 1.2 to encrypt communication.

    You cannot use network devices such as firewalls to decrypt and inspect Tanium Protocol traffic.

  • Hypertext Transfer Protocol Secure (HTTPS): The Tanium Core Platform uses TLS 1.2 to encrypt HTTPS communication among platform components. The components negotiate the TLS version for HTTPS connections with external servers but enforce TLS 1.2 as the minimum version.

The following table lists the connections among Tanium Core Platform components and the protocol that each connection uses. The numbers correspond to the connections in Figure 1.

 Table 1: TLS communication in the Tanium Core Platform

  Connection 1: Tanium Console or API user systems to Tanium Servers
    Protocol: HTTPS
  Connection 2: Tanium Console or API user systems to external servers, such as content.tanium.com
    Protocol: HTTPS
  Connection 3: (Windows only) Tanium Servers to Tanium database in deployments where the database is not on the Tanium Server host
    Protocol: By default, communication is over TCP/IP without encryption, but configuring encryption is a best practice. Consult your database administrator.
  Connection 4: Tanium Servers to Tanium Module Server
    Protocol: HTTPS
  Connection 5: Module Server to external servers
    Protocol: HTTPS
  Connection 6: Tanium Server to Tanium Server in an active-active deployment
    Protocol: Tanium Protocol *
  Connection 7: Tanium Servers to external servers
    Protocol: HTTPS
  Connection 8: Tanium Servers to Zone Server Hub
    Protocol: Tanium Protocol
    Figure 1 shows the Zone Server Hub installed on a host that is separate from the Tanium Server hosts to illustrate that the connection is encrypted. However, in most deployments, you install the hubs on the same hosts as the Tanium Servers.
  Connection 9: Zone Server Hub to Zone Server
    Protocol: Tanium Protocol
  Connection 10: Tanium Clients (external) to Zone Server
    Protocol: Tanium Protocol
  Connection 11: Tanium Clients (internal) to Tanium Servers
    Protocol: Tanium Protocol
  Connection 12: Tanium Client to Tanium Client (external and internal)
    Protocol: Tanium Protocol **

  * Tanium Appliances use IPsec to secure Tanium database traffic and Lightweight Directory Access Protocol (LDAP) synchronization traffic.
  ** Applies only to Tanium Client 7.4 or later.

 Figure 1: TLS communication in the Tanium Core Platform

To manage the certificates and keys that the Tanium Core Platform uses for HTTPS traffic, see Securing Tanium Console, API, and Module Server access.

To manage the certificates and credentials for securing connections between Tanium Core Platform servers and remote sources of content (such as packages), see Tanium Console User Guide: Managing downloads authentication.

For additional details and procedures related to the digital keys for Tanium Protocol traffic, see Tanium Console User Guide: Managing Tanium keys.

The Tanium Core Platform supports TLS for additional connections that various Tanium modules and shared services require. For details, see the user guides for your Tanium products at docs.tanium.com.

To troubleshoot TLS communication issues, see PKI TLS log.

TLS communication process

TLS communication starts when a TLS client initiates a TLS handshake to establish a secure connection with a server. The following are examples in the context of the Tanium Core Platform:

  • The Zone Server acts as a client when registering with the Tanium Server.
  • The Tanium Client acts as a client when registering with the Zone Server or Tanium Server.
  • A Tanium Server acts as a client when performing active-active synchronization with another Tanium Server.

During the TLS handshake, the client and server generate a shared, unique session key, which they use to secure communication for the duration of their session. You can configure TLS as optional for Tanium Clients. If the handshake fails and TLS is optional, the client and server attempt a non-TLS (unencrypted) connection instead. If the handshake fails and TLS is configured as required, the client and server cannot connect.

Supported cipher suites

The Tanium Core Platform supports the following cipher suites for creating keys and encrypting information in TLS communication:

  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-CHACHA20-POLY1305
  • ECDHE-RSA-CHACHA20-POLY1305
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
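The following added example (not Tanium code) builds a Python client SSLContext whose policy mirrors what this page documents for HTTPS, TLS 1.2 as the minimum version and only the six suites listed above, and reports which of those suites the local OpenSSL build can actually offer; the function names are assumptions.

```python
import ssl

# The six TLS 1.2 suites listed on this page, in OpenSSL cipher-string names.
TANIUM_TLS12_SUITES = [
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
]

def build_context():
    """Client context that verifies server certificates (default), refuses
    anything below TLS 1.2, and offers only the listed TLS 1.2 suites.
    TLS 1.3 suites are governed separately by OpenSSL and stay enabled."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # set_ciphers raises ssl.SSLError if none of the names is usable locally.
    ctx.set_ciphers(":".join(TANIUM_TLS12_SUITES))
    return ctx

def minimum_version_name(ctx):
    return ctx.minimum_version.name        # "TLSv1_2" for the context above

def offered_tls12_suites(ctx):
    """Names of the TLS 1.2 suites this context will offer in a ClientHello."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]

def missing_suites(ctx):
    """Suites from the page's list that the local OpenSSL build cannot offer."""
    offered = set(offered_tls12_suites(ctx))
    return [s for s in TANIUM_TLS12_SUITES if s not in offered]

if __name__ == "__main__":
    ctx = build_context()
    print("minimum version:", minimum_version_name(ctx))
    print("offered TLS 1.2 suites:", offered_tls12_suites(ctx))
    print("not available locally:", missing_suites(ctx))
```

A context built this way is a reasonable starting point for an API client or test harness that must interoperate with the platform's HTTPS policy without offering weaker suites.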

TLS options and defaults

After a fresh installation or upgrade, TLS is required for the Tanium Server (including between Tanium Servers in an active-active deployment), Zone Server, and Zone Server Hub, and you cannot disable it. The Tanium Server installer generates the TLS public and private keys that are used to set up TLS for connections with the Tanium Server.

After a fresh installation or upgrade, TLS is required by default for endpoints with Tanium Client 7.4 or later and is not required by default for endpoints with Tanium Client 7.2. You can optionally configure this requirement.

This applies both in a Windows deployment and when you install the Tanium Server role on a Tanium Appliance (see Tanium Appliance Deployment Guide: Assign roles).

Contact Tanium Support and consult your network security team before modifying the TLS configuration. Whether TLS is available and required depends on the Tanium Core Platform version, components, and infrastructure:

HSM integration

If your organization uses a hardware security module (HSM) to store and manage keys, you can configure the Tanium Server to integrate with the HSM. See Securing keys with an HSM.

(Optional) Configure the TLS requirement for Tanium Client connections

The Tanium Core Platform also requires TLS for incoming connections from endpoints with Tanium Client 7.4 or later by default. You can configure the TLS requirement for Tanium Client 7.2 and Tanium Client 7.4 and later.

From the Tanium Console Main menu, go to Administration > Configuration > Settings > Advanced Settings, and configure the following settings for connections from Tanium Clients to the Tanium Server.

These settings also apply to connections from Tanium Clients to the Zone Server if you deploy one.

  • require_client_tls_315_flag: Specify one of the following values:
    • 1 (default): The Tanium Server allows connections from endpoints with Tanium Client 7.4 or later only if TLS is used. Tanium strongly recommends that you leave the value at 1.
    • 0: The Tanium Server allows both TLS and non-TLS connections from endpoints with Tanium Client 7.4 or later. Contact Tanium Support before setting the value to 0.
  • require_client_tls_314_flag: Specify one of the following values:
    • 0 (default): The Tanium Server allows both TLS and non-TLS connections from endpoints with Tanium Client 7.2.
    • 1: The Tanium Server allows connections from endpoints with Tanium Client 7.2 only if TLS is used. Do not set the value to 1 until you are sure that all Tanium Clients that have been deployed are configured to use TLS and you are ready to deploy the Tanium Client to new endpoints with TLS configured before initial registration.

Configure TLS on Tanium Clients

Whether TLS is enabled or disabled by default depends on the Tanium Client version:

  • Version 7.4 or later: After a fresh installation or upgrade, TLS is enabled and required by default. Tanium strongly recommends that you use these default settings.
  • Version 7.2: TLS communication is disabled by default and enabling it is optional.

Perform the following steps to enable or disable TLS on Tanium Clients:

  1. From the Main menu, go to Administration > Configuration > Client Status.
  2. In the Filter by Registration section, select Registered using TLS and Registered unencrypted if they are not already enabled.

    The Using TLS column indicates which Tanium Clients have TLS enabled or disabled.

  3. From the Main menu, go to Administration > Configuration > Settings > Advanced Settings and configure TLS settings for the Tanium Clients as described in Table 2.

    On the Tanium Client endpoint, the setting names have the prefix Server_ (for example, Server_ReportingTLSMode). This prefix indicates that the Tanium Client received the settings from platform settings on the Tanium Server during registration, and future registration updates might change the settings. In some cases, you might want a Tanium Client to use settings that differ from the Tanium Server platform settings. For example, you might release a feature such as TLS to your Tanium Clients in stages. To override the Tanium Server platform settings, add the settings without the Server_ prefix to the Windows registry entries or Tanium Client settings database on the client endpoints. For example, if you add the ReportingTLSMode setting to a Tanium Client, it overrides the Server_ReportingTLSMode setting.

It takes two to six hours (the randomized client-reset interval) for clients to register and receive the updated settings.

 Table 2: Tanium Client TLS settings configured in platform settings

  TLSMode
    This setting applies to Tanium Client 7.4 or later and specifies whether TLS is required for connections between Tanium Clients and for connections from Tanium Clients to the Tanium Server or Zone Server.
    • 0 (TLS not used): TLS is disabled.
    • 1 (TLS required): If a TLS handshake fails, the Tanium Client cannot communicate with other clients or the servers. This is the default value.

  ReportingTLSMode
    This setting applies to Tanium Client 7.2. Set the mode for TLS connections from the Tanium Client to the Tanium Server or Zone Server.
    • 0 (TLS not used): TLS is disabled. This is the default value.
    • 1 (TLS required): If a TLS handshake fails, the Tanium Client cannot register or communicate with the Tanium Server or Zone Server.
    • 2 (TLS optional): The Tanium Client tries to connect over TLS. If the TLS connection fails, the Tanium Client tries a non-TLS connection.

    If you will use TLS, initially setting the value to 2 is a best practice. After you confirm that Tanium Clients establish TLS connections reliably, setting the value to 1 enforces the best security.

  OptionalTLSMinAttemptCount
    This setting applies to Tanium Client 7.2 and only when ReportingTLSMode is set to 2 (optional). It specifies the number of times to attempt TLS before falling back to non-TLS. The range is 1 to 100 and the default is 3.

  OptionalTLSBackoffIntervalSeconds
    This setting applies to Tanium Client 7.2 and only when ReportingTLSMode is set to 2 (optional). It specifies the number of seconds to wait before retrying TLS after failing OptionalTLSMinAttemptCount times. This interval doubles after each series of failed attempts. The range is 1 to 86400 and the default is 1.

  OptionalTLSMaxBackoffSeconds
    This setting applies to Tanium Client 7.2 and only when ReportingTLSMode is set to 2 (optional). It specifies the maximum backoff interval. The range is 1 to 86400 and the default is 3600.
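The following added example (not Tanium code) models the settings described in this section from their documented semantics: the Server_ prefix override rule, the client-side TLSMode and ReportingTLSMode behavior from Table 2, the server-side require_client_tls_315_flag and require_client_tls_314_flag checks, and the mode 2 backoff schedule. It lets you reason about a staged rollout before changing anything; the function names and the dict-based settings store are assumptions, and all sample values are constructed.

```python
# Model of the documented TLS settings (added example, not Tanium's implementation).

def is_74_plus(version):
    return tuple(int(p) for p in version.split(".")) >= (7, 4)

def resolve_setting(name, client_settings):
    """A setting added locally (no Server_ prefix) overrides the Server_ copy
    that the Tanium Client received from platform settings at registration."""
    for key in (name, "Server_" + name):
        if key in client_settings:
            return int(client_settings[key])
    return None

def client_connection(version, client_settings, handshake_ok):
    """How one registration ends: 'tls', 'plain', or None (cannot connect)."""
    if is_74_plus(version):
        mode = resolve_setting("TLSMode", client_settings)
        mode = 1 if mode is None else mode           # 7.4+: TLS required by default
        if mode == 0:
            return "plain"
        return "tls" if handshake_ok else None        # 1: required, no fallback
    mode = resolve_setting("ReportingTLSMode", client_settings)
    mode = 0 if mode is None else mode               # 7.2: TLS disabled by default
    if mode == 0:
        return "plain"
    if handshake_ok:
        return "tls"
    return "plain" if mode == 2 else None             # 2: optional, fall back

def server_accepts(version, connection, server_flags):
    """Apply require_client_tls_315_flag (7.4+) or require_client_tls_314_flag (7.2)."""
    if connection is None:
        return False
    flag = "require_client_tls_315_flag" if is_74_plus(version) else "require_client_tls_314_flag"
    return connection == "tls" or server_flags[flag] == 0

def backoff_schedule(series, interval=1, max_backoff=3600):
    """Seconds a 7.2 client in mode 2 waits before each new series of
    OptionalTLSMinAttemptCount TLS attempts: the interval doubles after every
    failed series and is capped at OptionalTLSMaxBackoffSeconds."""
    if not (1 <= interval <= 86400 and 1 <= max_backoff <= 86400):
        raise ValueError("backoff settings must be in the range 1 to 86400")
    return [min(interval * 2 ** k, max_backoff) for k in range(series)]

if __name__ == "__main__":
    flags = {"require_client_tls_315_flag": 1, "require_client_tls_314_flag": 0}  # constructed
    # A 7.4 client with a local TLSMode 0 override is rejected by a server that requires TLS.
    print(server_accepts("7.4", client_connection("7.4", {"TLSMode": 0}, True), flags))
    print(backoff_schedule(13))   # doubling waits, capped at 3600 s by the default maximum
```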

Verify the TLS connections

Verify whether Tanium Clients used TLS to connect with the Tanium Server or Zone Server when the clients last registered: from the Main menu, go to Administration > Configuration > Client Status and check the Using TLS column.

Update the TLS configuration when you make changes to key pairs

When you add or revoke Tanium root keys, the Tanium Server automatically propagates the changes to all subordinate keys on the platform servers and Tanium Clients (see Tanium Console User Guide: Managing Tanium keys).