Documentation Home > Tanium Core Platform Deployment Guide for Windows

Requirements

This topic summarizes the requirements for installing Tanium™ software.

Installation package and license files

Your technical account manager (TAM) provides the following Tanium™ installation package files and license file required to install the Tanium Server, Tanium Module Server, and Tanium Zone Server:

SetupServer.exe
SetupModuleServer.exe
SetupZoneServer.exe
tanium.license

The installation package for each of these three servers must have the same build number (for example, all must have build number 7.3.314.3641). To complete the procedures in this guide, be sure you can copy these files to, and between, the host computers.

The license is bound to the hostname you assign to the Tanium Server. In high availability (HA) deployments, the license must specify the hostnames of both Tanium Servers. Inform your TAM if the server hostnames change.

Server host system requirements

The following table summarizes basic requirements for Tanium Core Platform server hosts. For detailed version specifications and sizing guidelines, see Reference: Host system sizing guidelines.

Table 1: Server hardware and software requirements
Server	Hardware	Operating System	Software
Tanium Server	CPU cores: 4 to 80 Memory: 16 to 512 GB Disk: 100 GB to 3.5 TB	Windows Server 2019 Windows Server 2016 Windows Server 2012 R2 Windows Server 2012 Microsoft Windows 2008 R2 (64-bit)	A web browser is required to use Tanium Console.
Database Server	CPU cores: 4 to 32 Memory: 4 to 48 GB Disk: 125 GB to 750 GB	Windows Server 2019 Windows Server 2016 Windows Server 2012 R2 Windows Server 2012 Microsoft Windows 2008 R2 (64-bit)	Microsoft SQL Server 2019 (Tanium 7.2 and later) Microsoft SQL Server 2017 (Tanium 7.2 and later) Microsoft SQL Server 2016 Microsoft SQL Server 2014 Microsoft SQL Server 2012 Microsoft SQL Server 2008 SP3 (64-bit) PostgreSQL Server 9.5 and later (Contact your TAM for guidance on host computer specifications and PostgreSQL Server version specifications.)
Tanium Module Server	CPU cores: 4 to 16 Memory: 8 to 48 GB Disk: 150 GB to 300 GB	Windows Server 2019 Windows Server 2016 Windows Server 2012 R2 Windows Server 2012 Microsoft Windows 2008 R2 (64-bit)
Tanium Zone Server	CPU cores: 4 to 80 Memory: 8 to 256 GB Disk: 100 GB to 3.5 TB	Windows Server 2019 Windows Server 2016 Windows Server 2012 R2 Windows Server 2012 Microsoft Windows 2008 R2 (64-bit)

Client host system requirements

The following table summarizes basic requirements for endpoint host systems where you install the Tanium Client. Hardware resource requirements vary based on the actions that you deploy to the endpoints; consult your technical account manager (TAM) for guidance.

Table 2: Supported OS versions for Tanium Client hosts
Operating system	OS Version	Tanium Client Version
Microsoft Windows Server	Windows Server 2019 * Windows Server 2016 * Windows Server 2012, 2012 R2 Windows Server 2008, 2008 R2 * Nano Server not supported.	7.2.314.3518 7.2.314.3476 7.2.314.3211 7.2.314.2962 6.0.314.1540 6.0.314.1450
Microsoft Windows Server	Windows Server 2003, 2003R2	6.0.314.1540 6.0.314.1450
Microsoft Windows Workstation	Windows 10 Windows 8 Windows 7 Windows Vista	7.2.314.3518 7.2.314.3476 7.2.314.3211 7.2.314.2962 6.0.314.1540 6.0.314.1450
Microsoft Windows Workstation	Windows XP (including Embedded)	6.0.314.1540 6.0.314.1450
macOS (Intel processor only)	macOS 10.14 Mojave* macOS 10.13 High Sierra macOS 10.12 Sierra OS X 10.11 El Capitan OS X 10.10 Yosemite OS X 10.9 Mavericks OS X 10.8 Mountain Lion * See the Tanium™ Support Knowledge Base for the Minimum Tanium product versions required to support endpoints that run macOS 10.14 Mojave.	7.2.314.3518 7.2.314.3476 7.2.314.3236 7.2.314.2962 6.0.314.1579 6.0.314.1442
Linux
	Amazon Linux 2 LTS (2017.12)	7.2.314.3518 7.2.314.3476 7.2.314.3211
	Amazon Linux 1 AMI (2016.09, 2017.12, 2018.03)	7.2.314.3518 7.2.314.3476 7.2.314.3211 7.2.314.2962 6.0.314.1579
	Debian 9.x, 8.x	7.2.314.3518 7.2.314.3476 7.2.314.3211
	Debian 7.x, 6.x	7.2.314.3518 7.2.314.3476 7.2.314.3211 7.2.314.2962 6.0.314.1579 6.0.314.1442
	Oracle Enterprise Linux 7.x, 6.x	7.2.314.3518 7.2.314.3476 7.2.314.3211 7.2.314.2962 6.0.314.1579
	Oracle Enterprise Linux 5.x	7.2.314.3518 7.2.314.3476 7.2.314.3236 7.2.314.2962
	Red Hat Enterprise Linux (RHEL) 7.x, 6.x CentOS 7.x, 6.x	7.2.314.3518 7.2.314.3476 7.2.314.3211 7.2.314.2962 6.0.314.1579 6.0.314.1442
	Red Hat Enterprise Linux (RHEL) 5.x CentOS 5.x	7.2.314.3518 7.2.314.3476 7.2.314.3236 7.2.314.2962 6.0.314.1579 6.0.314.1321
	SUSE Linux Enterprise Server (SLES) 12 openSUSE 12.x	7.2.314.3518 7.2.314.3211 7.2.314.2962 6.0.314.1579
	SUSE Linux Enterprise Server (SLES) 11 openSUSE 11.x	7.2.314.3518 7.2.314.3211 7.2.314.2962 6.0.314.1579 6.0.314.1442
	Ubuntu 18.04 LTS	7.2.314.3518 7.2.314.3476 7.2.314.3211
	Ubuntu 16.04 LTS	7.2.314.3518 7.2.314.3476 7.2.314.3211 7.2.314.2962 6.0.314.1579
	Ubuntu 14.04 LTS	7.2.314.3518 7.2.314.3476 7.2.314.3211 7.2.314.2962 6.0.314.1579 6.0.314.1442
	Ubuntu 10.04 LTS	6.0.314.1579 6.0.314.1442
AIX	IBM AIX 7.2 IBM AIX 7.1 TL1SP10 and higher * IBM AIX 6.1 TL7SP10 and higher * * 64-bit only, requires xlC.rte 12.1.0.1 or greater.	7.2.314.3518 6.0.314.1437
Solaris	Oracle Solaris 11 SPARC * Oracle Solaris 11 x86 * Oracle Solaris 10 U8 SPARC or higher * Oracle Solaris 10 U8 x86 or higher * * Requires SUNWgccruntime.	7.2.314.3518 6.0.314.1321

Network connectivity and firewall

Tanium components use TCP/IP to communicate over IPv4 and IPv6 networks. Tanium Core Platform 7.2 and earlier supports only IPv4. If you need IPv6 support in version 7.3 or later, consult your TAM. You must work with your network administrator to ensure that the Tanium components are provisioned with IP addresses and can use DNS to resolve hostnames.

The table below summarizes the Tanium processes and default values for ports used in Tanium Core Platform communication. Host and network firewalls might need to be configured to allow the specified processes to send/receive TCP via the ports listed. The Tanium installer opens required ports in the Windows host firewall. You must work with your network security administrator to ensure the platform components can communicate through any security barriers (such as firewalls) in their communication path. For a detailed explanation, see Reference: Network ports.

Your security administrator might also need to create rules to exempt or exclude Tanium processes that run on the host computers from blocking by antivirus or processing by encryption or other security and management stack software. For details, see Reference: Host system security exceptions.

Table 3: Network communication ports used by Tanium components
Component	Process	Inbound Port	Destination Port
Tanium Server	TaniumReceiver.exe	443, 17472	80, 443, 1433 or 5432, 17472 (HA), 17477
SQL Server or PostgreSQL Server	Sqlservr.exe or postgres.exe	1433 or 5432
Tanium Module Server	TaniumModuleServer.exe	17477	80, 443
Tanium Zone Server	TaniumZoneServer.exe	17472
Tanium Zone Server Hub	TaniumZoneServer.exe		17472
Tanium Client	TaniumClient.exe	17472	17472
Tanium Client Deployment Tool (CDT)	TaniumClientDeploy.exe		22, 135, 445
Unmanaged endpoint	CDT platform-specific methods (during deployment only)	22, 135, 445

Internet access (direct or by proxy)

During installation, the Tanium Server installer (SetupServer.exe) prompts you to download SQL Server Native Client and SQL Server CLI Utilities if you have not already done so. To enable the download, the host computer must be able to connect to http://download.microsoft.com.

During installation and ongoing operations, the Tanium Server and the browser used to access the Tanium Console must be able to connect to https://content.tanium.com to import updates into Tanium Core Platform components and modules.

The Tanium Server might need to connect to additional locations, based on the components you import. The following table lists URLs that the Tanium Server accesses.

Import type	Components	URLs
Any	Any (Both the Tanium Server and the browser used to access the Tanium Console must connect to these URLs.)	https://content.tanium.com
Any		http://*.digicert.com Module import fails if the Certificate Revocation List is blocked or inaccessible.
Content	Initial Content	http://linux-usb.org
	Managed Applications (login required)	http://ardownload.adobe.com/ http://airdownload.adobe.com/ http://download.macromedia.com/ http://dl.google.com/ https://download.mozilla.org/ https://secure-appldnld.apple.com/
	Windows Security Patch Management	http://download.windowsupdate.com
	IR Gatherer	https://download.sysinternals.com
Modules
	Patch	http://download.windowsupdate.com
	IOC Detect	https://download.sysinternals.com
Labs Content	EMET	https://download.microsoft.com
	MSERT	https://definitionupdates.microsoft.com
	Stinger	http://downloadcenter.mcafee.com
	Symantec	https://support.symantec.com
Notes: If a Tanium content pack or solution module is not listed, it means no additional URLs are required for it. Previous Tanium Server versions required access to http://curl.haxx.se. Tanium Server 7.0 and later do not require access to this site.

If your enterprise security policy does not allow Tanium Server to access these locations directly, you can use proxy servers. See Reference: Proxy server settings.

If your enterprise network uses SSL intercept technologies, such as man-in-the-middle (MITM) proxies, you must configure them so that they do not prevent the Tanium Server and Tanium Module Server from downloading files from these locations.

If you plan to deploy Tanium into an air-gapped environment, consult with your TAM.

SSL certificates

SSL/TLS certificate and key exchanges secure connections to the Tanium™ Console or SOAP and REST APIs, as well as connections between the Tanium Server and Tanium Module Server.

When you run the installation wizards, they prompt you to generate a self-signed certificate or specify the location of an existing certificate and key that was issued by a commercial Certificate Authority (CA) or your own enterprise CA. As a best practice, use the self-signed certificate option when you complete the initial installation steps provided in this guide. Doing this facilitates troubleshooting by separating potential installation issues and SSL issues. After you verify the deployment, you can replace the self-signed certificate with the certificates that the commercial or enterprise CA issued. For the procedure, see Replacing certificates in your deployment

Administrator account privileges

Work with your Microsoft Active Directory (AD) administrator to provision the accounts needed during Tanium Core Platform installations or upgrades and for post-installation/upgrade activities.

Administrator accounts for installations and upgrades

The following table lists the administrator accounts required to install or upgrade Tanium Core Platform servers, create Tanium databases, or deploy Tanium Clients. You can use a single service account to install the Tanium Server and to create databases on the SQL or PostgreSQL server, as long as the account has the all required group memberships and privileges for those servers. You can also use a single service account to install the Zone Server and Zone Server Hub. You must use a separate service account to install the Module Server.

Table 4: Administrator account privileges required for installations and upgrades
Service	Account Type	Host System	Required Group or Privileges	Account Purpose
Tanium Server and Tanium databases	AD service account*	Tanium Server host	Administrator, Interactive Logon	This service account installs and upgrades the Tanium Server software.
		SQL Server host	Sysadmin on the SQL instance	When running the installer from the Tanium Server, this service user connects remotely to the SQL Server and creates the tanium and tanium_archive databases.
		PostgreSQL Server host	Administrator	When running the installer from the Tanium Server, this service user connects remotely to the PostgreSQL Server and creates the tanium and tanium_archive databases.
Tanium Module Server	AD service account*	Tanium Module Server host	Administrator	This service account installs and upgrades the Tanium Module Server software.
Tanium Zone Server and Zone Server Hub	Local System or AD	Tanium Zone Server host	Administrator, Interactive Logon	This service account installs and upgrades the Tanium Zone Server software.
Tanium Zone Server and Zone Server Hub	Local System or AD	Tanium Zone Server Hub host	Administrator, Interactive Logon	This service account installs and upgrades the Tanium Zone Server Hub software.
Tanium Client	Local System or AD	Tanium Client Deployment Tool host	Administrator	This account connects to endpoints and installs and upgrades Tanium Client software.
*It is possible to use the Local System account in a POC deployment, but not in a production deployment.

Administrator accounts for post-installation/upgrade activities

The following table lists the administrator accounts required for regular, ongoing operations performed after installations or upgrades, including running the services for Tanium Core Platform servers and Tanium Clients, and accessing Tanium databases. If you reuse the accounts used for installations and upgades, first reduce the account privileges to those specified in the following table. You can use a single service account to run the Tanium Server service and access the Tanium databases. You can also use a single service account to run the Zone Server and Zone Server Hub services. You must use a separate service account to run the Module Server service.

Table 5: Administrator account privileges required for post-installation/upgrade activities
Service	Account Type	Host System	Required Group or Privileges	Account Purpose
Tanium Server and Tanium databases	AD service account*	Tanium Server host	User-level privileges	This service account runs the Tanium Server service. The service runs in the context of the Local System or the AD account, depending on the option you select when installing the server.
		SQL Server host	DBO on Tanium databases	This service user account accesses the tanium and tanium_archive databases. If you use the same account for running the Tanium Server service, the account must be able to connect remotely to the SQL Server. The account requires db_owner role membership for the Tanium databases. Assign the View server state privilege as a best practice to enable the Tanium Server to access data faster than the DBO role alone.
		PostgreSQL Server host	User-level privileges	This service user account accesses the tanium and tanium_archive databases. If you use the same account for running the Tanium Server service, the account must be able to connect remotely to the PostgreSQL Server.
Tanium Module Server	AD service account*	Tanium Module Server host	Administrator	This service account runs the Tanium Module Server service. The service runs in the context of the Local System account.
Tanium Zone Server and Zone Server Hub	Local System or AD	Tanium Zone Server host	User-level privileges	This service account runs the Tanium Zone Server service. The service runs in the context of the Local System or the AD account, depending on the option you select when installing the server.
Tanium Zone Server and Zone Server Hub	Local System or AD	Tanium Zone Server Hub host	User-level privileges	This service account runs the Tanium Zone Server Hub service. The service runs in the context of the Local System or the AD account, depending on the option you select when installing the server.
Tanium Client	Local System	Tanium Client Deployment Tool host	Administrator	On Windows, the Tanium Client service runs in the context of the Local System account.
*It is possible to use the Local System account in a POC deployment, but not in a production deployment.

Last updated: 2/22/2019 12:22 PM | Feedback