Prerequisites

This topic summarizes the prerequisites for installing Tanium™ software.

Installation package and license files

Your technical account manager (TAM) provides the following Tanium™ installation package files and license file required to complete the installation:

  • SetupServer.exe
  • SetupModuleServer.exe
  • SetupZoneServer.exe
  • tanium.license

The installation package for each of these three servers must have the same build number (for example, all must have build number 7.3.314.3409). To complete the procedures in this guide, be sure you can copy these files to, and between, the host computers.

The license is bound to the hostname you assign to the Tanium™ Server. In high availability (HA) deployments, the license must specify the hostnames of both Tanium Servers. Inform your TAM if the server hostnames change.

Server host system requirements

The following table summarizes basic requirements for server hosts. For detailed version specifications and sizing guidelines, see Reference: Host system sizing guidelines.

Table 1:   Hardware and software requirements

| Server | Hardware | Operating System | Software |
| --- | --- | --- | --- |
| Tanium Server | CPU cores: 4 to 80; Memory: 16 to 512 GB; Disk: 100 GB to 3.5 TB | Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Microsoft Windows 2008 R2 (64-bit) | A web browser is required to use Tanium Console. |
| Database Server | CPU cores: 4 to 32; Memory: 4 to 48 GB; Disk: 125 GB to 750 GB | Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Microsoft Windows 2008 R2 (64-bit) | Microsoft SQL Server 2017 (Tanium 7.2 and later); Microsoft SQL Server 2016; Microsoft SQL Server 2014; Microsoft SQL Server 2012; Microsoft SQL Server 2008 SP3 (64-bit); PostgreSQL Server 9.5 and later (Contact your TAM for guidance on host computer specifications and PostgreSQL Server version specifications.) |
| Tanium Module Server | CPU cores: 4 to 16; Memory: 8 to 48 GB; Disk: 150 GB to 300 GB | Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Microsoft Windows 2008 R2 (64-bit) | |
| Tanium Zone Server | CPU cores: 4 to 80; Memory: 8 to 256 GB; Disk: 100 GB to 3.5 TB | Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Microsoft Windows 2008 R2 (64-bit) | |

Client host system requirements

The following table summarizes basic requirements for endpoint host systems. Hardware resource requirements vary according to the actions that may be taken on the endpoint. For hardware resource guidance, consult with your technical account manager (TAM).

Table 2:   Supported OS versions

| Operating system | OS Version | Tanium Client Version |
| --- | --- | --- |
| Microsoft Windows Server | Windows Server 2016 *; Windows Server 2012, 2012 R2; Windows Server 2008, 2008 R2 (* Nano Server not supported.) | 7.2.314.3211, 7.2.314.2962, 6.0.314.1540, 6.0.314.1450 |
| | Windows Server 2003, 2003R2 | 6.0.314.1540, 6.0.314.1450 |
| Microsoft Windows Workstation | Windows 10; Windows 8; Windows 7; Windows Vista | 7.2.314.3211, 7.2.314.2962, 6.0.314.1540, 6.0.314.1450 |
| | Windows XP (including Embedded) | 6.0.314.1540, 6.0.314.1450 |
| macOS (Intel processor only) | macOS 10.13 High Sierra; macOS 10.12 Sierra; OS X 10.11 El Capitan; OS X 10.10 Yosemite; OS X 10.9 Mavericks; OS X 10.8 Mountain Lion | 7.2.314.3236, 7.2.314.2962, 6.0.314.1579, 6.0.314.1442 |
| Linux | Amazon Linux 2 LTS (2017.12); Amazon Linux AMI 2018.03 (Use the Tanium Client installer that is provided for Amazon Linux AMI 2017.09); Amazon Linux AMI 2017.09 | 7.2.314.3211 |
| | Amazon Linux AMI 2016.09 | 7.2.314.3211, 7.2.314.2962, 6.0.314.1579 |
| | Debian 9.x, 8.x | 7.2.314.3211 |
| | Debian 7.x, 6.x | 7.2.314.3211, 7.2.314.2962, 6.0.314.1579, 6.0.314.1442 |
| | Oracle Enterprise Linux 7.x, 6.x | 7.2.314.3211, 7.2.314.2962, 6.0.314.1579 |
| | Oracle Enterprise Linux 5.x | 7.2.314.3236, 7.2.314.2962 |
| | Red Hat Enterprise Linux (RHEL) 7.x, 6.x; CentOS 7.x, 6.x | 7.2.314.3211, 7.2.314.2962, 6.0.314.1579, 6.0.314.1442 |
| | Red Hat Enterprise Linux (RHEL) 5.x; CentOS 5.x | 7.2.314.3236, 7.2.314.2962, 6.0.314.1579, 6.0.314.1321 |
| | SUSE Linux Enterprise Server (SLES) 12; openSUSE 12.x | 7.2.314.3211, 7.2.314.2962, 6.0.314.1579 |
| | SUSE Linux Enterprise Server (SLES) 11; openSUSE 11.x | 7.2.314.3211, 7.2.314.2962, 6.0.314.1579, 6.0.314.1442 |
| | Ubuntu 18.04 LTS | 7.2.314.3211 |
| | Ubuntu 16.04 LTS | 7.2.314.3211, 7.2.314.2962, 6.0.314.1579 |
| | Ubuntu 14.04 LTS | 7.2.314.3211, 7.2.314.2962, 6.0.314.1579, 6.0.314.1442 |
| | Ubuntu 10.04 LTS | 6.0.314.1579, 6.0.314.1442 |
| AIX | IBM AIX 7.2; IBM AIX 7.1 TL1SP10 and higher *; IBM AIX 6.1 TL7SP10 and higher * (* 64-bit only, requires xlC.rte 12.1.0.1 or greater.) | 6.0.314.1437 |
| Solaris | Oracle Solaris 11 SPARC *; Oracle Solaris 11 x86 *; Oracle Solaris 10 U8 SPARC or higher *; Oracle Solaris 10 U8 x86 or higher * (* Requires SUNWgccruntime.) | 6.0.314.1321 |

Tanium in cloud service environments

The Tanium Server and Tanium Client generally support the same operating systems listed above when virtualized in cloud service environments. Tanium customers have used our software in:

  • Amazon Web Services (AWS)
  • Google Cloud Platform (GCP)
  • Microsoft Azure
  • Oracle Cloud Infrastructure (OCI)

Use of Tanium in cloud environments entails important architectural considerations that can be unique from one deployment to another. Work with your TAM when planning to deploy or expand into such environments.

Network connectivity and firewall

Tanium components use TCP/IP to communicate over IPv4 and IPv6 networks (IPv6 support requires 7.3 versions of the Tanium Core Platform servers and Tanium Client). You must work with your network administrator to ensure that the Tanium components are provisioned with IP addresses and can use DNS to resolve hostnames.

The table below summarizes the Tanium processes and default values for ports used in Tanium Core Platform communication. Host and network firewalls might need to be configured to allow the specified processes to send/receive TCP via the ports listed. The Tanium installer opens required ports in the Windows host firewall. You must work with your network security administrator to ensure the platform components can communicate through any security barriers (such as firewalls) in their communication path. For a detailed explanation, see Reference: Network ports.

Your security administrator might also need to create rules to exempt or exclude Tanium processes that run on the host computers from blocking by antivirus or processing by encryption or other security and management stack software. For details, see Reference: Host system security exceptions.

Table 3:   Network communication ports used by Tanium components

| Component | Process | Inbound Port | Destination Port |
| --- | --- | --- | --- |
| Tanium Server | TaniumReceiver.exe | 443, 17472 | 80, 443, 1433 or 5432, 17472 (HA), 17477 |
| SQL Server or PostgreSQL Server | Sqlservr.exe or postgres.exe | 1433 or 5432 | |
| Tanium Module Server | TaniumModuleServer.exe | 17477 | 80, 443 |
| Tanium Zone Server | TaniumZoneServer.exe | 17472 | |
| Tanium Zone Server Hub | TaniumZoneServer.exe | | 17472 |
| Tanium Client | TaniumClient.exe | 17472 | 17472 |
| Tanium Client Deployment Tool (CDT) | TaniumClientDeploy.exe | | 22, 135, 445 |
| Unmanaged endpoint | CDT platform-specific methods (during deployment only) | 22, 135, 445 | |
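
The destination ports that Table 3 lists for the Tanium Server can be checked from the server host before installation. The following PowerShell script is an added example, not part of the Tanium documentation; the Test-TcpPort function and the example.com host names are hypothetical and stand in for your own database, HA peer and Module Server hosts.

```powershell
# Added example: outbound TCP checks from the Tanium Server host (Table 3 defaults).
# All *.example.com host names are hypothetical placeholders; replace with your own.
param([int]$TimeoutMs = 3000)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # A filtered port usually hangs rather than refuses, so bound the wait.
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)   # throws if the peer refused the connection
        return $true
    } catch {
        return $false                  # DNS failure, refusal, or unreachable network
    } finally {
        $client.Close()
    }
}

# Destination ports listed for TaniumReceiver.exe: 80, 443, 1433 or 5432, 17472 (HA), 17477.
$targets = @(
    @{ Target = 'download.microsoft.com'; Port = 80;    Why = 'SQL Native Client download' },
    @{ Target = 'content.tanium.com';     Port = 443;   Why = 'Content and module import' },
    @{ Target = 'db01.example.com';       Port = 1433;  Why = 'SQL Server (use 5432 for PostgreSQL)' },
    @{ Target = 'ts02.example.com';       Port = 17472; Why = 'HA peer Tanium Server' },
    @{ Target = 'tms01.example.com';      Port = 17477; Why = 'Tanium Module Server' }
)

$results = foreach ($t in $targets) {
    New-Object PSObject -Property @{
        Purpose   = $t.Why
        Endpoint  = ('{0}:{1}' -f $t.Target, $t.Port)
        Reachable = (Test-TcpPort -ComputerName $t.Target -Port $t.Port -TimeoutMs $TimeoutMs)
    }
}

$results | Select-Object Purpose, Endpoint, Reachable | Format-Table -AutoSize

# Non-zero exit lets a pre-install checklist or scheduled task flag the failure.
if (@($results | Where-Object { -not $_.Reachable }).Count -gt 0) { exit 1 }
```

If the server reaches the internet only through a proxy, the two internet rows fail here even when the proxy path works; test those through the proxy instead.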

Internet access (direct or by proxy)

During installation, the Tanium Server installer (SetupServer.exe) prompts you to download SQL Server Native Client and SQL Server CLI Utilities if you have not already done so. To enable the download, the host computer must be able to connect to http://download.microsoft.com.

During both installation and ongoing operations, the Tanium Server must be able to connect to https://content.tanium.com to import updates to Tanium core components and modules. The Tanium Server may need to connect to additional locations, based on the components you import.

The following table lists URLs that are accessed by Tanium Server.

| Import type | Components | URLs |
| --- | --- | --- |
| Any | Any | https://content.tanium.com; http://*.digicert.com (Module import fails if the Certificate Revocation List is blocked or inaccessible.) |
| Content | Initial Content | http://linux-usb.org |
| | Managed Applications (login required) | http://ardownload.adobe.com/; http://airdownload.adobe.com/; http://download.macromedia.com/; http://dl.google.com/; https://download.mozilla.org/; https://secure-appldnld.apple.com/ |
| | Windows Security Patch Management | http://download.windowsupdate.com |
| | IR Gatherer | https://download.sysinternals.com |
| Modules | Patch | http://download.windowsupdate.com |
| | IOC Detect | https://download.sysinternals.com |
| Labs Content | EMET | https://download.microsoft.com |
| | MSERT | https://definitionupdates.microsoft.com |
| | Stinger | http://downloadcenter.mcafee.com |
| | Symantec | https://support.symantec.com |

Notes:

  • If a Tanium content pack or solution module is not listed, it means no additional URLs are required for it.
  • Previous Tanium Server versions required access to http://curl.haxx.se. Tanium Server 7.0 and later do not require access to this site.

If your enterprise security policy does not allow Tanium Server to access these locations directly, you can use proxy servers. See Reference: Proxy server settings.

If your enterprise network uses SSL intercept technologies, such as man-in-the-middle (MITM) proxies, you must configure them so that they do not prevent the Tanium Server and Tanium Module Server from downloading files from these locations.

If you plan to deploy Tanium into an air-gapped environment, consult with your TAM.

SSL certificates

The connections to the Tanium™ Console or SOAP and REST APIs, the connections between Tanium Server and Tanium Module Server, and connections to the Module Server are secured with SSL/TLS certificate and key exchanges.

When you run the installation wizards, you are prompted to generate a self-signed certificate or specify the location of an existing certificate and key that was issued by a commercial Certificate Authority (CA) or your own enterprise CA. We recommend that you use the self-signed certificate option when you complete the initial installation steps provided in this guide. Doing this facilitates troubleshooting by separating potential installation issues and SSL issues. After you have verified the deployment, you can copy the certificates issued by the commercial or enterprise CA in place of the self-signed certificate, as described in Reference: SSL certificates.

Administrator account privileges

Work with your Microsoft Active Directory (AD) administrator to provision the accounts needed for installation. You can use the same AD service account for the Tanium Server and SQL or PostgreSQL server, as long as the account has all the required group memberships and privileges for those servers.

Table 4:   Administrator account privileges required for installation

| Host System | Account Type | Required Group or Privileges | Account Purpose |
| --- | --- | --- | --- |
| Tanium Server host | AD service account* | Administrator**, Interactive Logon*** | This service account installs the software and starts the Tanium Server service. The service runs in the context of the Local System or the AD account, depending on the option you select when running the installer. |
| SQL Server host | AD service account | Sysadmin on the SQL Server | When running the installer from the Tanium Server, this service user connects remotely to the SQL Server and creates the tanium and tanium_archive databases. |
| | | DBO on Tanium databases | After this service user creates the Tanium databases, you can downgrade the account role from sysadmin. The account must have db_owner role membership for the Tanium databases. Assigning the View server state privilege is a best practice. This dynamic management view enables the Tanium Server to access data faster than the DBO role alone. |
| PostgreSQL Server host | AD service account | Administrator** | When running the installer from the Tanium Server, this service user connects remotely to the PostgreSQL Server and creates the tanium and tanium_archive databases. |
| Tanium Module Server host | AD service account* | Administrator | This service account installs the software and starts the Tanium Module Server service. The service runs in the context of the Local System account. |
| Tanium Zone Server host | AD service account* | Administrator**, Interactive Logon*** | This service account installs the software and starts the Tanium Zone Server service. The service runs in the context of the Local System or the AD account, depending on the option you select when running the installer. |
| Tanium Client Deployment Tool host | Local System or AD | Administrator | This account connects to the endpoints and installs Tanium Client software. |
| Tanium Client host | Local System | Administrator | On Windows, the Tanium Client service runs in the context of the Local System account. |

*It is possible to use the Local System account in a POC deployment, but not in a production deployment.

**For installation and upgrades, the service account for the Tanium Server and Zone Server must have Administrator privileges. After installation or upgrade, you can reduce the privileges to user level.

***The Interactive Logon privilege is required only when installing the Tanium Server and Zone Server. After installation, you can revoke the privilege.

Last updated: 10/22/2018 1:50 PM