
Reference: Network ports

This reference gives details on network port requirements for core platform components. Tanium™ solution modules may have additional requirements. For a detailed summary that includes solution module ports, see the Tanium Support Knowledge Base article (login required).

Summary

Component | Process | Inbound Port | Destination Port
--- | --- | --- | ---
Tanium Server | TaniumReceiver.exe | 443, 17472 | 80, 443, 1433 or 5432, 17472 (HA), 17477
SQL Server or PostgreSQL Server | Sqlservr.exe or postgres.exe | 1433 or 5432 | -
Tanium Module Server | TaniumModuleServer.exe | 17477 | 80, 443
Tanium Zone Server | TaniumZoneServer.exe | 17472 | -
Tanium Zone Server Hub | TaniumZoneServer.exe | - | 17472
Tanium Client | TaniumClient.exe | 17472 | 17472
Tanium Client Deployment Tool (CDT) | TaniumClientDeploy.exe | - | 22, 135, 445
Unmanaged Asset | CDT platform-specific methods (during deployment only) | 22, 135, 445 | -

Tanium Server

The Tanium Server acts as the central hub of communication in the Tanium environment. The server receives traffic initiated by Tanium Clients and the Tanium Console and initiates connections to the database server as well as any Zone Servers.

Inbound (Tanium Client to Tanium Server)

Rule summary

Allow traffic to Tanium Server port 17472 (TCP) from any computer to be managed on the internal network.

Details

The communication flow between the Tanium Clients and the Tanium Server is counter-intuitive. For instance, if you ask a question through the Tanium Console, intuition might suggest that it is the server that initiates connections to query the clients. However, in the Tanium platform, special clients known as leaders are the only ones that initiate connections to the Tanium Server.

In addition, all Tanium Clients initiate connections when they register. During registration, the Tanium Client reports information about itself and gathers configuration updates, including changes to peer lists.

Inbound (Tanium Console)

Rule summary

Allow traffic to the Tanium Server port 443 (TCP) from trusted hosts (such as a management subnet address).

Details

For security, the TCP and SOAP communication to the Tanium Server is TLS-encrypted, so the Tanium Server installer configures the server to listen for TCP and SOAP requests on port 443. If another installed application is listening on port 443, you can designate a different port.

Outbound (Tanium Server to Database Server)

Rule summary

Allow traffic from the Tanium Server on port 1433 or 5432 (TCP) to the database server.

Details

The Tanium Server initiates connections to the database server on port 1433 (SQL Server) or 5432 (PostgreSQL).

Outbound (Tanium Server to Module Server)

Rule summary

Allow traffic from the Tanium Server to the Module Server port 17477 (TCP).

Details

Tanium Server initiates connections to the Module Server on port 17477.

Inbound/Outbound (HA)

Rule summary

Allow traffic to and from Tanium Server cluster members on port 17472 (TCP).

Details

Any cluster member may initiate a connection to the other. Package files that are uploaded to one member are synchronized to the other cluster members. In addition, each server passes Tanium messages (for example, answers to questions) to the other cluster members.

Tanium Module Server

Inbound (Tanium Server to Module Server)

Rule summary

Allow traffic to the Module Server port 17477 (TCP) from the Tanium Server.

Details

Check the documentation for the particular solution modules you plan to use to see if they require additional inbound ports.

Outbound (Module Server to Internet)

Rule summary

Allow traffic from the Module Server to destination ports 80 and 443 (TCP) on the Internet.

Details

The Module Server itself does not initiate connections. However, when a solution module is imported, the Module Server might need to connect to Tanium and other Internet locations to download required content, and the installed solution module services might initiate connections. Check the documentation for the particular solution modules you plan to use to see if they require additional outbound ports.

Outbound (Module Services to Tanium Server)

Rule summary

Allow traffic from the Module Server to destination port 443 (TCP) on the Tanium Server.

Details

The Tanium Module Server itself does not initiate connections. However, a solution module (such as Trace) might initiate a connection to the Tanium Server.

Tanium Zone Server Hub

Outbound (Tanium Zone Server Hub to Zone Server)

Rule summary

Allow traffic from the Zone Server Hub (usually the Tanium Server host computer) to the destination port 17472 (TCP) on DMZ device(s) hosting the Zone Server(s).

Details

If you are using the Tanium Zone Server to proxy traffic from Tanium-managed computers on less trusted network segments to the Tanium Server on the core network, then the Tanium Zone Server Hub, typically installed to the Tanium Server device, must be able to connect to the Zone Server(s) in the DMZ. The ZoneServerList.txt configuration file located in the Tanium Zone Server Hub's installation folder identifies the addresses of the destination Zone Servers.

Tanium Zone Server

Inbound (Tanium Client to Zone Server)

Rule summary

Allow traffic from any computer on the Internet to port 17472 (TCP) on the Zone Server(s) in the DMZ.

Details

Tanium Clients initiate connections to a Zone Server just as if it were a Tanium Server.

Inbound (Tanium Zone Server Hub to Zone Server)

Rule summary

Allow traffic from the Zone Server Hub (usually the Tanium Server host computer) to port 17472 (TCP) on the Zone Server(s) in the DMZ.

Details

If you are using the Tanium Zone Server to proxy traffic from Tanium-managed computers on less trusted network segments to the Tanium Server on the core network, then the Tanium Zone Server Hub, typically installed to the Tanium Server device, must be able to connect to the Zone Server(s) in the DMZ.

Tanium Client

Inbound/Outbound (Tanium Client to Client)

Rule summary

Allow traffic to and from client peers on port 17472 (TCP).

Details

In addition to the client-to-server TCP communication that takes place on port 17472, Tanium Clients also communicate to peers on port 17472. Clients dynamically communicate with peers based on proximity and latency. Peer chains form to match an enterprise topology automatically. For example, endpoints in California form one chain, while endpoints in Germany form a separate chain. With this dynamic configuration in mind, you must allow bi-directional TCP communication on port 17472 between clients on the same local area network, but not necessarily all clients on the internal network.

Outbound (Tanium Client to Zone Server)

Rule summary

Allow traffic from any computer on the Internet to port 17472 (TCP) on the Zone Server(s) in the DMZ.

Details

In environments using the Tanium Zone Server, a Tanium Client may be configured to point to a Zone Server instead of a Tanium Server. The communication requirements for these Clients are identical to the Server-to-Client requirements.
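Encoding the rule summaries above as data makes it possible to check a proposed firewall policy for both gaps (a required flow that nothing permits) and over-broad exposure (an Internet-facing rule on a role that the page says should only be reached from the internal network or trusted hosts). The following is an added example, not part of the Tanium documentation; the zone names, the Rule class and the candidate policy are constructed for illustration and model a simplified zone-based policy rather than any particular firewall product.

```python
from dataclasses import dataclass
# Required TCP flows, taken from the Summary table and rule summaries on this page:
# (source zone or role, destination role, destination port).
REQUIRED_FLOWS = [
    ("internal", "tanium_server", 17472),       # Tanium Clients (leaders) -> Tanium Server
    ("mgmt", "tanium_server", 443),             # Tanium Console from trusted hosts
    ("tanium_server", "database", 1433),        # SQL Server (5432 for PostgreSQL)
    ("tanium_server", "module_server", 17477),  # Tanium Server -> Module Server
    ("tanium_server", "zone_server", 17472),    # Zone Server Hub -> Zone Server in DMZ
    ("internet", "zone_server", 17472),         # Internet clients -> Zone Server in DMZ
]
# Exposures the page never calls for: the Zone Server is the only Internet-facing role.
FORBIDDEN_FLOWS = [
    ("internet", "tanium_server", 17472),
    ("internet", "tanium_server", 443),
    ("internet", "module_server", 17477),
    ("internet", "database", 1433),
]

@dataclass(frozen=True)
class Rule:
    """One entry of a hypothetical zone-based firewall policy (rule order is not modelled)."""
    src: str            # zone or role name, or "any"
    dst: str            # role name, or "any"
    port: int           # TCP destination port; 0 means any port
    action: str = "allow"

def permits(rule: Rule, src: str, dst: str, port: int) -> bool:
    return (rule.action == "allow" and rule.src in (src, "any")
            and rule.dst in (dst, "any") and rule.port in (port, 0))

def audit(rules):
    """Return (required flows no rule permits, forbidden flows some rule permits)."""
    missing = [f for f in REQUIRED_FLOWS if not any(permits(r, *f) for r in rules)]
    overbroad = [f for f in FORBIDDEN_FLOWS if any(permits(r, *f) for r in rules)]
    return missing, overbroad

# Constructed candidate policy with two common mistakes: the client rule is scoped to
# "any" source instead of the internal network, and the Module Server flow is absent.
CANDIDATE_POLICY = [
    Rule("any", "tanium_server", 17472),
    Rule("mgmt", "tanium_server", 443),
    Rule("tanium_server", "database", 1433),
    Rule("tanium_server", "zone_server", 17472),
    Rule("internet", "zone_server", 17472),
]

if __name__ == "__main__":
    print(audit(CANDIDATE_POLICY))
```

Running the block reports the missing 17477 flow to the Module Server and flags the 17472 rule as exposing the Tanium Server to the Internet.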

Tanium Client Deployment Tool

Outbound (Client Deployment Tool to endpoints)

Rule summary

Allow traffic from the Tanium Client Deployment Tool host computer to destination ports 135 and 445 (TCP) on the endpoints on which you want to deploy the Tanium Client. The endpoints must allow inbound traffic on these ports during deployment only.

Details

The Tanium Client Deployment Tool (CDT) allows you to target the Tanium Client for installation to designated endpoints. The CDT can be installed and run from any Windows workstation or server in the target domain. This deployment mechanism is not required, since there are other ways of deploying the Tanium Client (for example, existing software distribution mechanisms such as ePO EEDK and GPO), but it does require a couple of items to be configured for it to succeed.

The CDT attempts to copy the necessary installation files to the root drive via the \\{machine_name}\c$ UNC path. In addition to the Admin user having sufficient privileges to access the machine's admin share, file sharing must be enabled.

In most Active Directory environments, admin shares are already available. However, for standalone machines that have not joined the domain, you might need to enable admin shares so that c$ can be reached by a user with sufficient privileges. Admin shares are not available in Home editions of Windows operating systems, but are available in all other editions. On Windows XP machines, admin shares are enabled by default. On Windows 7 and 8 machines, the admin shares of a standalone machine can be enabled by adding the following registry key and rebooting:

Hive: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\Windows\CurrentVersion\Policies\System
Name: LocalAccountTokenFilterPolicy
Data Type: REG_DWORD
Value: 1

Next, the tool uses either Microsoft PsExec or WMIC to remotely execute the installer on the endpoint. For either, the admin user must have sufficient privileges to remotely execute commands. If PsExec is used, check with your AV/endpoint protection suites, as PsExec is often disallowed. If WMIC is used, ensure the following services are enabled on the endpoint:

  • Windows Firewall Remote Management (RPC-EPMAP)
  • Windows Management Instrumentation (WMI-In)

Last updated: 10/22/2018 1:50 PM