Reference: Proxy server settings

Some organizations use proxy servers for traffic between internal servers and the Internet. If your organization uses proxies and its security policy does not allow Tanium core platform servers to access Internet locations directly, you can configure access through the proxies. The Tanium Server connects to the Internet to download content updates from Tanium and necessary files from other trusted suppliers (for a list of sites the Tanium Server accesses, see Internet access (direct or by proxy)). The Tanium Module Server connects to the Internet to download solution module software updates from Tanium. Solution modules also might have requirements to access the Internet.

Types of proxy servers

Tanium supports two types of proxies:

  • Basic

    Basic proxies might require authentication; you can configure the account ID and password. A strictly IP-address-based proxy server allows a specified list of servers to traverse the proxy and access the network or Internet. If this is the case, be sure to add the IP address or hostname of the Tanium Server to the access list of the proxy server.

  • NTLM

    If the proxy server is set up to use NTLM, and you configured the Tanium Server service on Windows to run in the context of a service account that has sufficient privileges to traverse the proxy server, you do not have to configure the account ID and password.

The proxy server configuration is stored in configuration files on the Tanium Server host computer. Tanium Servers do not automatically sync the configuration files between high availability peers. If you change these settings in active-active deployments, be sure to perform the procedure on both Tanium Servers.

Configure and test proxy server settings

  1. Go to Configuration > Common > Proxy Settings.
  2. Use the Tanium Server Proxy Settings box to specify proxy settings for the Tanium Server connections.
  3. Proxy Server: IP address of the proxy server. By default, the Tanium Downloader (TDownloader) service that manages downloads for the Tanium Server and Tanium Module Server resolves the Proxy Server address as an IPv4 address. If the proxy server has an IPv6 address, you must enter it within brackets (for example, [2001:db8::1]) and, on Windows systems, configure the Tanium Downloader registry with a ForceIPV6 key set to 1 (see TDownloader).

    Proxy User ID: For a basic proxy that requires authentication, enter an account username to establish the connection with the proxy server.

    This setting does not apply to NTLM proxies, which use the credentials of the user context that runs the Tanium Server service.

    Proxy Type:
    • BASIC
    • NTLM

    Port Number: Port number of the proxy server.

    Proxy Password: For a basic proxy that requires authentication, enter an account password to establish the connection with the proxy server. The password is stored in clear text within the registry.

    This setting does not apply to NTLM proxies, which use the credentials of the user context that runs the Tanium Server service.

    Bypass Proxy Host List: You might need to configure exceptions so that connections to specific hosts bypass the proxy server. For example, do not use a proxy server for traffic between Tanium Servers in an active-active cluster.

    A proxy server can cause problems with other traffic to a destination Tanium Server. For example, a package configuration can specify file URIs that are local to the Tanium Server to download content. It is important to bypass the proxy server for these URIs, or else the download will fail.

    Enter the exceptions as FQDNs or IP addresses. You must enter IPv6 addresses within square brackets (such as [2001:db8::1]). In most cases, the exceptions you need to specify are localhost, 127.0.0.1 (IPv4), [::1] (IPv6), and all Tanium Server FQDNs and IP addresses. For example:

    ts1.example.com, ts2.example.com,localhost,127.0.0.1,[::1], 10.10.10.11,10.10.10.15

    Specify literal values. Tanium core platform 7.0.314.6242 and later supports wildcards.

    Bypass CRL Check Host List: Use this setting to list servers that the Tanium Server can trust without checking a certificate revocation list (CRL). The Tanium Server performs a CRL check on all servers that are not in this list, and does not download files from a server that fails the check. Specify the servers by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).

    Trusted Host List: Use this setting to list the trusted servers that the Tanium Server can download files from even if those servers do not have valid SSL certificates. In an active-active cluster, specify both Tanium Servers. Tanium core platform 7.0.314.6242 and later supports wildcards. Specify the servers by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
  4. Optional. To propagate the Tanium Server Proxy Settings to the Module Server Proxy Settings, select Mirror Changes to Module Server.
  5. Save your changes.
  6. Use the Module Server Proxy Settings box to specify proxy settings for the Module Server connections if they differ from the proxy settings for the Tanium Server.
  7. Save your changes.
  8. Use the Validate Proxy Settings box to test your settings.
  9. Component: Tanium Server or Module Server.

    File Source:
    • From Tanium—Use predefined settings for a connection to content.tanium.com.
    • From Random Site—Use predefined settings for a connection to www.msftncsi.com.
    • Specify URL/Hash—Configure your own test settings.

    URL: If you set the File Source to Specify URL/Hash, specify the URL.

    Hash: If you set the File Source to Specify URL/Hash, specify the hash.

    Download Time: If you set the File Source to Specify URL/Hash, specify a maximum download time before returning a failure message.
  10. Click Start Download.

    The Tanium Console returns a success or failure message. If the test fails, check that the proxy server is up and is configured as expected. Also, check that the Tanium settings you specified match the settings that the proxy server expects. The TDownloader logs have detailed event messages.

Only users assigned the Administrator reserved role can see and use the Configuration pages. In Windows installations, the proxy settings are written to the Windows Registry. You can change settings in the registry directly (see Windows Registry). Be sure to edit only the Tanium Server entry, not the Tanium Module Server entry, in the registries of both the Tanium Server host and the Tanium Module Server host.
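The host-list rules described above (comma-separated FQDNs or IP addresses, IPv6 in square brackets, loopback entries in the bypass list) can be checked before a value is saved. The following Python linter is an added example, not Tanium code: the function names are hypothetical, treating `*` as the wildcard character is an assumption, and flagging wildcards in the Bypass CRL Check Host List and Trusted Host List is a review heuristic rather than a Tanium requirement.

```python
import ipaddress

# Entries the page says most deployments need in the Bypass Proxy Host List.
LOOPBACK = {"localhost", "127.0.0.1", "[::1]"}

def parse_host_list(value):
    """Split a comma-separated host list and trim stray spaces."""
    return [item.strip() for item in value.split(",") if item.strip()]

def classify(entry):
    """Return (kind, problem); problem is None when the entry is well formed."""
    if "*" in entry:  # assumption: '*' is the wildcard character
        return "wildcard", None
    if entry.startswith("[") and entry.endswith("]"):
        try:
            ipaddress.IPv6Address(entry[1:-1])
            return "ipv6", None
        except ValueError:
            return "invalid", "brackets must enclose an IPv6 address"
    try:
        ip = ipaddress.ip_address(entry)
    except ValueError:
        ok = all(lbl and lbl.replace("-", "").isalnum() for lbl in entry.split("."))
        return ("hostname", None) if ok else ("invalid", "not a hostname or IP address")
    if ip.version == 6:
        return "invalid", "IPv6 address must be enclosed in square brackets"
    return "ipv4", None

def lint_host_list(value, relaxes_tls=False, require_loopback=False):
    """Lint one setting value and return a list of findings.
    relaxes_tls: set for Bypass CRL Check Host List and Trusted Host List.
    require_loopback: set for Bypass Proxy Host List."""
    entries = parse_host_list(value)
    findings = []
    for entry in entries:
        kind, problem = classify(entry)
        if problem:
            findings.append(f"{entry}: {problem}")
        elif kind == "wildcard" and relaxes_tls:
            findings.append(f"{entry}: wildcard widens which servers skip certificate checks")
    if require_loopback:
        present = {e.lower() for e in entries}
        for missing in sorted(LOOPBACK - present):
            findings.append(f"{missing}: missing from bypass list")
    return findings

# The bypass-list example from this page, used as sample input.
PAGE_EXAMPLE = "ts1.example.com, ts2.example.com,localhost,127.0.0.1,[::1], 10.10.10.11,10.10.10.15"
```

Because the configuration is not synced between high availability peers, run the same check against the values on both Tanium Servers and compare the results.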

Last updated: 10/22/2018 1:50 PM