Requirements

This topic summarizes the requirements for installing Tanium™ software.

Installation package and license files

Tanium provides the following installation package files and license file required to install the Tanium Server, Tanium Module Server, and Tanium Zone Server:

  • SetupServer.exe
  • SetupModuleServer.exe
  • SetupZoneServer.exe
  • tanium.license

The installation package for each of these three servers must have the same build number (for example, all must have build number 7.4.4.1250). To complete the procedures in this guide, be sure you can copy these files to, and between, the host computers.

The license is bound to the hostname you assign to the Tanium Server. In high availability (HA) deployments, the license must specify the hostnames of both Tanium Servers. Contact Tanium Support if the server hostnames change.

Server version and host system requirements

Table 1 summarizes basic requirements for Tanium Core Platform and database servers that are installed on customer-provided Windows infrastructure. For detailed version specifications and sizing guidelines, see Reference: Host system resource guidelines.

Tanium modules and shared services might have additional requirements for Tanium Core Platform servers. Table 2 provides links to the user guide sections that list these requirements.

The Standard, Enterprise, and Datacenter editions of the following Windows Server platforms are supported. The Server Core and Nano Server options are not supported.

Table 1:   Server hardware and software requirements

| Server | Hardware | Operating System | Software |
|---|---|---|---|
| Tanium Server | CPU cores: 4 to 80; Memory: 16 to 512 GB; Disk: 100 GB to 3.5 TB | Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012 | A web browser is required to use Tanium Console: see Tanium Console User Guide: Web browser requirements. |
| Database Server | CPU cores: 4 to 32; Memory: 4 to 48 GB; Disk: 125 GB to 750 GB | Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012 | Microsoft SQL Server 2019 (Tanium 7.2 and later); Microsoft SQL Server 2017 (Tanium 7.2 and later); Microsoft SQL Server 2016; Microsoft SQL Server 2014; Microsoft SQL Server 2012; PostgreSQL Server 9.5 and later (Requirements for guidance on host computer specifications and PostgreSQL Server version specifications.) |
| Tanium Module Server | CPU cores: 4 to 16; Memory: 8 to 48 GB; Disk: 150 GB to 300 GB | Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012 | |
| Tanium Zone Server | CPU cores: 4 to 80; Memory: 8 to 256 GB; Disk: 100 GB to 3.5 TB | Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012 | |

Click the links in the following table to see the minimum Tanium Core Platform version (Tanium dependencies) and other platform server requirements for each Tanium module and shared service.

Table 2:   Module- and service-specific requirements for Tanium Core Platform servers

| Product | Tanium Dependencies | Server Requirements |
|---|---|---|
| Asset | Tanium dependencies | Tanium Module Server |
| Client Management | Tanium dependencies | Tanium Module Server |
| Comply | Tanium dependencies | No additional requirements |
| Connect | Tanium dependencies | Tanium Module Server |
| Deploy | Tanium dependencies | Tanium Server and Module Server |
| Direct Connect | Tanium dependencies | Tanium Module Server; Zone proxy server requirements |
| Discover | Tanium dependencies | Tanium Module Server |
| Endpoint Configuration | Tanium dependencies | Tanium Module Server |
| End-User Notifications | Tanium dependencies | Tanium Module Server |
| Enforce | Tanium dependencies | No additional requirements |
| Health Check | Tanium dependencies | Tanium Module Server |
| Impact | Tanium dependencies | Tanium Module Server |
| Incident Response | Tanium dependencies | No additional requirements |
| Integrity Monitor | Tanium dependencies | No additional requirements |
| Interact | Tanium dependencies | No additional requirements |
| Map | Tanium dependencies | Tanium Module Server |
| Network Quarantine | Tanium dependencies | Tanium Module Server |
| Patch | Tanium dependencies | Tanium Server and Module Server computer resources |
| Performance | Tanium dependencies | No additional requirements |
| Protect | Tanium dependencies | Tanium Module Server |
| Reputation | Tanium dependencies | Tanium Module Server |
| Reveal | Tanium dependencies | Tanium Module Server |
| Threat Response | Tanium dependencies | Tanium Module Server |
| Trends | Tanium dependencies | Tanium Module Server |

Client host system requirements

The following table summarizes basic requirements for endpoint host systems where you install the Tanium Client. Hardware resource requirements vary based on the actions that you deploy to the endpoints; contact Tanium Support for guidance.

We strongly recommend that all Windows endpoints have the following root certificate authority (CA) certificates because they are required to verify the integrity of the Tanium Client binaries:
  • DigiCert Assured ID Root CA (thumbprint 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43)
  • DigiCert High Assurance EV Root CA (thumbprint 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25)
  • DigiCert SHA2 Assured ID CA (thumbprint E12D2E8D47B64F469F518802DFBD99C0D86D3C6A)
  • DigiCert SHA2 Assured ID Code Signing CA (thumbprint 92C1588E85AF2201CE7915E8538B492F605B80C6)
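
One way to confirm that a Windows endpoint has the four certificates listed above, as an added example that is not Tanium's own code. The thumbprints are copied from the list; searching every LocalMachine store and the expiry and Disallowed checks are choices made for this example.

```powershell
# Thumbprints copied from the list above; names are used for reporting only.
$required = [ordered]@{
    '0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43' = 'DigiCert Assured ID Root CA'
    '5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25' = 'DigiCert High Assurance EV Root CA'
    'E12D2E8D47B64F469F518802DFBD99C0D86D3C6A' = 'DigiCert SHA2 Assured ID CA'
    '92C1588E85AF2201CE7915E8538B492F605B80C6' = 'DigiCert SHA2 Assured ID Code Signing CA'
}

function Test-RequiredCertificate {
    param([System.Collections.IDictionary]$Required)
    # Enumerate every LocalMachine store: a certificate can sit in Root or CA,
    # and a copy in Disallowed means Windows treats it as distrusted.
    $all = Get-ChildItem -Path Cert:\LocalMachine -Recurse |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] }
    foreach ($thumb in $Required.Keys) {
        $hits   = @($all | Where-Object { $_.Thumbprint -eq $thumb })
        # PSParentPath ends with the store name, for example ...LocalMachine\Root
        $stores = @($hits | ForEach-Object { ($_.PSParentPath -split '\\')[-1] } | Sort-Object -Unique)
        $valid  = @($hits | Where-Object { $_.NotAfter -gt (Get-Date) })
        [pscustomobject]@{
            Name       = $Required[$thumb]
            Thumbprint = $thumb
            Present    = $hits.Count -gt 0
            Stores     = $stores -join ','
            Expired    = ($hits.Count -gt 0) -and ($valid.Count -eq 0)
            Distrusted = $stores -contains 'Disallowed'
        }
    }
}

$report = Test-RequiredCertificate -Required $required
$report | Format-Table -AutoSize

# A non-zero exit code lets a deployment pipeline stop before installing the client.
if ($report | Where-Object { -not $_.Present -or $_.Expired -or $_.Distrusted }) { exit 1 }
```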

Table 3:   Supported OS versions for Tanium Client hosts

| Operating system | OS Version | Tanium Client Version |
|---|---|---|
| Microsoft Windows Server [a] | Windows Server 2019; Windows Server 2016; Windows Server 2012, 2012 R2; Windows Server 2008 R2 [b] | 7.4.4.1250, 7.4.4.1226, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476 |
| Microsoft Windows Server [a] | Windows Server 2008 | 7.2.314.3584, 7.2.314.3476 |
| Microsoft Windows Workstation | Windows 10; Windows 8; Windows 7 | 7.4.4.1250, 7.4.4.1226, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476 |
| Microsoft Windows Workstation | Windows Vista | 7.2.314.3584, 7.2.314.3476 |
| macOS [c] | macOS 10.15 Catalina [d]; macOS 10.14 Mojave [e]; macOS 10.13 High Sierra; macOS 10.12 Sierra; OS X 10.11.1+ El Capitan | 7.4.4.1250, 7.4.4.1226, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3608, 7.2.314.3476, 7.2.314.3236 |
| macOS [c] | OS X 10.10 Yosemite | 7.2.314.3476, 7.2.314.3236 |
| Linux | Amazon Linux 2 LTS (2017.12) | 7.4.4.1250, 7.4.4.1226, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476 |
| Linux | Amazon Linux 1 AMI (2016.09, 2017.12, 2018.03) | 7.4.4.1250, 7.4.4.1226, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476 |
| Linux | Debian 10.x | 7.4.4.1250, 7.4.4.1226, 7.4.2.2073, 7.4.2.2063 |
| Linux | Debian 9.x, 8.x | 7.4.4.1250, 7.4.4.1226, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476 |
| Linux | Debian 7.x, 6.x | 7.2.314.3632, 7.2.314.3584, 7.2.314.3476 |
| Linux | Oracle Linux 8.x | 7.4.4.1250, 7.4.4.1226, 7.4.2.2073, 7.4.2.2063, 7.2.314.3632 |
| Linux | Oracle Enterprise Linux 7.x, 6.x | 7.4.4.1250, 7.4.4.1226, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476 |
| Linux | Oracle Enterprise Linux 5.x | 7.4.4.1250, 7.4.4.1226, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476, 7.2.314.3236 |
| Linux | Red Hat Enterprise Linux (RHEL) 8.x; CentOS 8.x | 7.4.4.1250, 7.4.4.1226, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584 |
| Linux | Red Hat Enterprise Linux (RHEL) 7.x, 6.x; CentOS 7.x, 6.x | 7.4.4.1250, 7.4.4.1226, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476 |
| Linux | Red Hat Enterprise Linux (RHEL) 5.x; CentOS 5.x | 7.4.4.1250, 7.4.4.1226, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476, 7.2.314.3236 |
| Linux | SUSE Linux Enterprise Server (SLES) 15; openSUSE 15.x | 7.4.4.1250, 7.4.4.1226, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632 |
| Linux | SUSE Linux Enterprise Server (SLES) 12; openSUSE 12.x | 7.4.4.1250, 7.4.4.1226, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584 |
| Linux | SUSE Linux Enterprise Server (SLES) 11.3, 11.4; openSUSE 11.3, 11.4 | 7.2.314.3632, 7.2.314.3584 |
| Linux | Ubuntu 20.04 LTS | 7.4.4.1250, 7.4.4.1226, 7.4.2.2073, 7.4.2.2063 |
| Linux | Ubuntu 18.04 LTS | 7.4.4.1250, 7.4.4.1226, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476 |
| Linux | Ubuntu 16.04 LTS | 7.4.4.1250, 7.4.4.1226, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476 |
| Linux | Ubuntu 14.04 LTS | 7.4.4.1250, 7.4.4.1226, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584, 7.2.314.3476 |
| AIX [f] | IBM AIX 7.2; IBM AIX 7.1 TL1SP10 and higher | 7.4.4.1250, 7.4.4.1226, 7.2.314.3632, 7.2.314.3584 |
| Solaris [g] | Oracle Solaris 11 SPARC; Oracle Solaris 11 x86; Oracle Solaris 10 U8 SPARC or higher; Oracle Solaris 10 U8 x86 or higher | 7.4.4.1250, 7.4.4.1226, 7.4.2.2073, 7.4.2.2063, 7.4.2.2033, 7.4.1.1955, 7.2.314.3632, 7.2.314.3584 |

[a] Standard, Enterprise, and Datacenter editions are supported, with or without the Server Core option enabled. The Nano Server option is not supported.
[b] Tanium modules that use Python Runtime Services require Windows Server 2008 R2 endpoints to have Service Pack 1 (SP1) or higher.
[c] Intel processor only.
[d] If you enable the app notarization requirement (a security process that Apple introduced in macOS 10.15), you must install Tanium Client 7.2.314.3608 or later.
[e] See the Tanium™ Support Knowledge Base for the Minimum Tanium product versions required to support endpoints that run macOS 10.14 Mojave or later.
[f] Requires a 64-bit operating system and the IBM XL C++ runtime environment file set (xlC.rte). For the required xlC.rte version and the steps to install it, see Deploying the Tanium Client to AIX endpoints.
[g] Requires SUNWgccruntime.

Internet access, network connectivity, and firewall

Tanium components use TCP/IP to communicate over IPv4 and IPv6 networks. Tanium Core Platform 7.2 and earlier supports only IPv4. Requirements if you need IPv6 support in version 7.3 or later. You must work with your network administrator to ensure that the Tanium components are provisioned with IP addresses and can use DNS to resolve host names.

During installation and ongoing operations, the Tanium Server and the web browser that you use to access the Tanium Console must connect to https://content.tanium.com to import updates to Tanium Core Platform components and modules. The Tanium Server might need to connect to additional URLs based on the components you import. For a list of the required URLs, see Tanium Core Platform Deployment Reference Guide: Internet URLs required.

The Tanium Server must be able to connect to the Tanium database server and Module Server. In an HA deployment, the Tanium Servers must be able to connect to each other over a reliable Ethernet connection. All these connections require a minimum throughput of 1 Gbps and a maximum round-trip latency of 30 ms.

If your enterprise network environment requires outbound Internet connections to traverse a proxy server, you can configure the proxy settings as described under Tanium Console User Guide: Configuring proxy server settings.

Table 4 summarizes the Tanium processes and default values for ports used in Tanium Core Platform communication. Host and network firewalls might require configuration to allow the specified processes to send and receive TCP data over the listed ports. The Tanium installer opens required ports in the Windows host firewall. You must work with your network security administrator to ensure the platform components can communicate through any security barriers (such as firewalls) in their communication path. For a detailed explanation, see Tanium Core Platform Deployment Reference Guide: Network ports.

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

Your security administrator might also need to create rules to exempt or exclude Tanium processes that run on the host computers from blocking by antivirus or processing by encryption or other security and management stack software. For details, see Tanium Core Platform Deployment Reference Guide: Host system security exceptions.

Table 4:   Network communication ports for the Tanium Core Platform

| Component | Process | Inbound Port | Destination Port |
|---|---|---|---|
| Tanium Server | TaniumReceiver.exe | 443, 17472 | 80, 443, 1433 or 5432, 17472 (HA), 17477 |
| SQL Server or PostgreSQL Server | Sqlservr.exe or postgres.exe | 1433 or 5432 | |
| Tanium Module Server | TaniumModuleServer.exe | 17477 | 80, 443 |
| Tanium Zone Server | TaniumZoneServer.exe | *17472 | |
| Tanium Zone Server Hub | TaniumZoneServer.exe | | *17472 |
| Tanium Client | TaniumClient.exe | 17472 | *17472 |
| Unmanaged endpoint | Client Deployment Tool platform-specific methods (during deployment only) | 22, 135, 445 | |

*As a best practice to improve the security of the Zone Server, configure separate ports for traffic from Zone Server Hubs and Tanium Clients.
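
A preflight check that can be run from the Tanium Server host before installation, as an added example that is not part of the Tanium documentation. It tests the Table 4 default ports toward the database server, Module Server, and HA peer, and compares TCP handshake time with the 30 ms round-trip limit stated above. The host names are hypothetical placeholders, and throughput is not measured.

```powershell
# Hypothetical host names; replace with your own. Ports are the Table 4 defaults
# (use 5432 instead of 1433 for a PostgreSQL database server).
$targets = @(
    @{ Role = 'Database server';       Host = 'sql01.example.com'; Port = 1433 }
    @{ Role = 'Module Server';         Host = 'tms01.example.com'; Port = 17477 }
    @{ Role = 'HA peer Tanium Server'; Host = 'ts02.example.com';  Port = 17472 }
)
$maxRttMs = 30   # maximum round-trip latency stated in this section

function Test-TcpPath {
    param([string]$Role, [string]$HostName, [int]$Port, [int]$MaxRttMs,
          [int]$Samples = 5, [int]$TimeoutMs = 3000)
    $result = [pscustomobject]@{ Role = $Role; Host = $HostName; Port = $Port
                                 Reachable = $false; MedianMs = $null; WithinLimit = $false; Note = '' }
    try {
        # Resolve once so that DNS time is not counted as network latency.
        $ip = [System.Net.Dns]::GetHostAddresses($HostName)[0]
    } catch {
        $result.Note = 'DNS resolution failed'
        return $result
    }
    $times = @()
    for ($i = 0; $i -lt $Samples; $i++) {
        $client = [System.Net.Sockets.TcpClient]::new($ip.AddressFamily)
        try {
            $timer = [System.Diagnostics.Stopwatch]::StartNew()
            # A completed three-way handshake takes roughly one round trip.
            if ($client.ConnectAsync($ip, $Port).Wait($TimeoutMs) -and $client.Connected) {
                $times += $timer.Elapsed.TotalMilliseconds
            }
        } catch {
            # Refused or reset connection: counted as a failed sample.
        } finally {
            $client.Close()
        }
    }
    $sorted = @($times | Sort-Object)
    if ($sorted.Count -gt 0) {
        $mid = [int][math]::Floor($sorted.Count / 2)
        $result.Reachable   = $true
        $result.MedianMs    = [math]::Round($sorted[$mid], 1)
        $result.WithinLimit = $result.MedianMs -le $MaxRttMs
    } else {
        $result.Note = 'No TCP connection completed: check host and network firewall rules'
    }
    $result
}

$targets | ForEach-Object {
    Test-TcpPath -Role $_.Role -HostName $_.Host -Port $_.Port -MaxRttMs $maxRttMs
} | Format-Table -AutoSize
```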

The following figure illustrates how the Tanium Core Platform uses these ports in an HA deployment on Windows infrastructure.

Figure  1:  Network communication ports

SSL/TLS certificates

SSL/TLS certificate and key exchanges secure connections to the Tanium™ Console or Tanium™ API, as well as connections between the Tanium Server and Tanium Module Server. When you run the server installation wizards, they prompt you to generate a self-signed certificate or specify the location of a certificate that was issued by a commercial certificate authority (CA) or your own enterprise CA. As a best practice to facilitate troubleshooting, use the self-signed certificates during initial installation and replace them with CA-issued certificates later. This practice enables you to separate potential installation issues from TLS connection issues. For details, see Tanium Core Platform Deployment Reference Guide: Securing Tanium Console, API, and Module Server access.

Administrator account permissions

Work with your Microsoft Active Directory (AD) administrator to provision the accounts needed during Tanium Core Platform installations or upgrades and for post-installation or post-upgrade activities.

Administrator accounts for installations and upgrades

The following table lists the administrator accounts required to install or upgrade Tanium Core Platform servers, create Tanium databases, or deploy Tanium Clients. You can use a single service account to install the Tanium Server and to create databases on the SQL or PostgreSQL server, as long as the account has all the required group memberships and permissions for those servers. You can also use a single service account to install the Zone Server and Zone Server Hub. You must use a separate service account to install the Module Server.

Table 5:   Administrator account permissions required for installations and upgrades

| Service | Account Type | Host System | Required Group or Permissions | Account Purpose |
|---|---|---|---|---|
| Tanium Server and Tanium databases | AD service account* | Tanium Server host | Administrator, interactive sign in | This service account installs and upgrades the Tanium Server software. |
| Tanium Server and Tanium databases | AD service account* | SQL Server host | Sysadmin on the SQL instance | When running the installer from the Tanium Server, this service user connects remotely to the SQL Server and creates the tanium and tanium_archive databases. |
| Tanium Server and Tanium databases | AD service account* | PostgreSQL Server host | Administrator | When running the installer from the Tanium Server, this service user connects remotely to the PostgreSQL Server and creates the tanium and tanium_archive databases. |
| Tanium Module Server | AD service account* | Tanium Module Server host | Administrator | This service account installs and upgrades the Tanium Module Server software. |
| Tanium Zone Server and Zone Server Hub | Local user or AD | Tanium Zone Server host | Administrator, interactive sign in | This service account installs and upgrades the Tanium Zone Server software. |
| Tanium Zone Server and Zone Server Hub | Local user or AD | Tanium Zone Server Hub host | Administrator, interactive sign in | This service account installs and upgrades the Tanium Zone Server Hub software. |
| Tanium Client | Local System or AD | Tanium Client Deployment Tool host | Administrator | This account connects to endpoints and installs and upgrades Tanium Client software. |

*It is possible to use the Local System account in a POC deployment, but not in a production deployment.

Administrator accounts for post-installation/upgrade activities

The following table lists the administrator accounts required for regular, ongoing operations performed after installations or upgrades, including running the services for Tanium Core Platform servers and Tanium Clients, and accessing Tanium databases. If you reuse the accounts used for installations and upgrades, first reduce the account permissions to those specified in the following table. You can use a single service account to run the Tanium Server service and access the Tanium databases. You can also use a single service account to run the Zone Server and Zone Server Hub services. You must use a separate service account to run the Module Server service.

Table 6:   Administrator account permissions required for post-installation/upgrade activities

| Service | Account Type | Host System | Required Group or Permissions | Account Purpose |
|---|---|---|---|---|
| Tanium Server and Tanium databases | AD service account* | Tanium Server host | User-level permissions | This service account runs the Tanium Server service. The service runs in the context of the Local System or the AD account, depending on the option you select when installing the server. |
| Tanium Server and Tanium databases | AD service account* | SQL Server host | DBO on Tanium databases | This service user account accesses the tanium and tanium_archive databases. If you use the same account for running the Tanium Server service, the account must be able to connect remotely to the SQL Server. The account requires db_owner role membership for the Tanium databases. Assign the View server state permission as a best practice to enable the Tanium Server to access data faster than the DBO role alone. |
| Tanium Server and Tanium databases | AD service account* | PostgreSQL Server host | User-level permissions | This service user account accesses the tanium and tanium_archive databases. If you use the same account for running the Tanium Server service, the account must be able to connect remotely to the PostgreSQL Server. |
| Tanium Module Server | AD service account* | Tanium Module Server host | Administrator | This service account runs the Tanium Module Server service. The service runs in the context of the Local System account. |
| Tanium Zone Server and Zone Server Hub | Local user or AD | Tanium Zone Server host | User-level permissions | This service account runs the Tanium Zone Server service. The service runs in the context of the Local System or the AD account, depending on the option you select when installing the server. |
| Tanium Zone Server and Zone Server Hub | Local user or AD | Tanium Zone Server Hub host | User-level permissions | This service account runs the Tanium Zone Server Hub service. The service runs in the context of the Local System or the AD account, depending on the option you select when installing the server. |
| Tanium Client | Local System | Tanium Client Deployment Tool host | Administrator | On Windows, the Tanium Client service runs in the context of the Local System account. |

*It is possible to use the Local System account in a POC deployment, but not in a production deployment.
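
An audit of the run-time accounts against Table 6, as an added example that is not Tanium's own tooling. It finds services by the executable names from Table 4 and flags a Tanium Server or Zone Server service account that is still a direct member of the local Administrators group after installation. The finding texts and the mapping table are constructs of this example.

```powershell
# Expected run-time context per executable: names from Table 4, contexts from Table 6.
$expected = @{
    'TaniumReceiver.exe'     = 'UserLevel'     # Tanium Server
    'TaniumZoneServer.exe'   = 'UserLevel'     # Zone Server and Zone Server Hub
    'TaniumModuleServer.exe' = 'LocalSystem'
    'TaniumClient.exe'       = 'LocalSystem'
}

function Get-TaniumServiceAccountAudit {
    param([hashtable]$Expected)
    # S-1-5-32-544 is the well-known SID of the local Administrators group.
    # Only direct members are returned; nested domain groups are not expanded.
    $admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object { $_.Name })
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        # Match on the service binary so no service or display name is assumed.
        if ($svc.PathName -match '(Tanium\w+\.exe)' -and $Expected.ContainsKey($Matches[1])) {
            $exe = $Matches[1]
            # Services report local accounts as ".\name"; the group lists "COMPUTER\name".
            $account  = $svc.StartName -replace '^\.\\', ($env:COMPUTERNAME + '\')
            $isSystem = $account -eq 'LocalSystem'
            $isAdmin  = $admins -contains $account
            $finding  = if ($Expected[$exe] -eq 'LocalSystem') {
                if ($isSystem) { 'OK' } else { 'Table 6 lists Local System for this service' }
            } elseif ($isSystem) {
                'Local System: POC deployments only'
            } elseif ($isAdmin) {
                'Account is a local administrator: reduce to user-level'
            } else {
                'OK'
            }
            [pscustomobject]@{
                Service    = $svc.Name
                Executable = $exe
                RunsAs     = $account
                Finding    = $finding
            }
        }
    }
}

Get-TaniumServiceAccountAudit -Expected $expected | Format-Table -AutoSize
```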