Requirements

This topic summarizes the requirements for installing Tanium Core Platform servers.

For the host system requirements of the Tanium Client, see Tanium Client Management User Guide: Tanium Client and Client Management requirements.

Installation package and license files

Tanium provides the following installation package files and license file required to install the Tanium Server, Tanium Module Server, and Tanium Zone Server:

  • SetupServer.exe
  • SetupModuleServer.exe
  • SetupZoneServer.exe
  • tanium.license

The installation package for each of these three servers must have the same build number (for example, all must have build number 7.5.6.1113). To complete the procedures in this guide, be sure you can copy these files to, and between, the host computers.

The license is bound to the hostname you assign to the Tanium Server. In high availability (HA) deployments, the license must specify the hostnames of both Tanium Servers. Contact Tanium Support if the server hostnames change.

Server version and host system requirements

The Server hardware and software requirements table summarizes basic requirements for Tanium Core Platform and database servers that are installed on customer-provided Windows infrastructure. For detailed version specifications and sizing guidelines, see Reference: Host system resource guidelines.

Tanium solutions (modules and shared services) might have additional requirements for Tanium Core Platform servers. The Solution-specific requirements for Tanium Core Platform servers table provides links to the user guide sections that list these requirements.

The Standard, Enterprise, and Datacenter editions of the following Windows Server platforms are supported. The Server Core and Nano Server options are not supported.

Server hardware and software requirements

| Server | Hardware | Operating System | Software |
| --- | --- | --- | --- |
| Tanium Server | CPU cores: 8 to 80; Memory: 32 to 512 GB; Disk: 250 GB to 3 TB; Disk array IOPS: 2,500 | Windows Server 2022; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012 | A web browser is required to use Tanium Console: see Tanium Console User Guide: Web browser requirements. |
| Database Server | CPU cores: 4 to 32; Memory: 8 to 48 GB; Disk: 150 GB to 750 GB; Database size: 20 GB to 500 GB; Disk array IOPS: 2,000 | Windows Server 2022; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012 | Microsoft SQL Server 2019 or later; PostgreSQL Server 9.5 or later (Contact Tanium Support for guidance on host computer specifications and PostgreSQL Server version specifications.) |
| Tanium Module Server | CPU cores: 8 to 80; Memory: 32 to 512 GB; Disk: 150 GB to 300 GB; Disk array IOPS: 2,500 | Windows Server 2022; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012 | |
| Tanium Zone Server | CPU cores: 8 to 80; Memory: 16 to 256 GB; Disk: 250 GB to 3 TB; Disk array IOPS: 2,500 | Windows Server 2022; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012 | |

Click the links in the following table to see the minimum Tanium Core Platform version (Tanium dependencies) and other platform server requirements for each Tanium module and shared service.

Solution-specific requirements for Tanium Core Platform servers

| Product | Tanium Dependencies | Server Requirements |
| --- | --- | --- |
| Tanium™ API Gateway | Core platform dependencies | Tanium Module Server |
| Tanium™ Asset | Core platform dependencies | Tanium Module Server |
| Tanium™ Software Bill of Materials (SBOM) add-in for Asset | Core platform dependencies | No additional requirements |
| Tanium™ Benchmark | Core platform dependencies | Tanium Module Server |
| Tanium™ Certificate Manager | Core platform dependencies | No additional requirements |
| Tanium™ Client Management | Core platform dependencies | |
| Tanium™ Comply | Core platform dependencies | No additional requirements |
| Tanium™ Connect | Core platform dependencies | Tanium Module Server |
| Tanium™ Console | Core platform dependencies | Core Platform resources |
| Tanium™ Criticality | Core platform dependencies | Tanium Module Server |
| Tanium™ Deploy | Core platform dependencies | Tanium Server and Module Server |
| Tanium™ Direct Connect | Core platform dependencies | |
| Tanium™ Screen Sharing add-in for Direct Connect | No additional requirements | No additional requirements |
| Tanium™ Directory Query | Core platform dependencies | No additional requirements |
| Tanium™ Discover | Core platform dependencies | Tanium Module Server |
| Tanium™ Endpoint Configuration | Core platform dependencies | Tanium Module Server |
| Tanium™ End-User Notifications | Core platform dependencies | Tanium Module Server |
| Tanium™ Enforce | Core platform dependencies | Tanium Module Server |
| Tanium™ Engage | Core platform dependencies | Tanium Module Server |
| Tanium™ Feed | Core platform dependencies | Tanium Module Server |
| Tanium™ Health Check | Core platform dependencies | Tanium Module Server |
| Tanium™ Impact | Core platform dependencies | Tanium Module Server |
| Tanium™ Integrity Monitor | Core platform dependencies | No additional requirements |
| Tanium™ Interact | Core platform dependencies | No additional requirements |
| Tanium™ Investigate | Core platform dependencies | Tanium Module Server |
| Tanium™ Mac Device Enrollment | Core platform dependencies | Tanium Module Server |
| Tanium™ Map | Core platform dependencies | Tanium Module Server |
| Tanium™ Network Quarantine | Core platform dependencies | Tanium Module Server |
| Tanium™ Patch | Core platform dependencies | Tanium Server and Module Server computer resources |
| Tanium™ Performance | Core platform dependencies | No additional requirements |
| Tanium™ Provision | Core platform dependencies | Tanium Module Server |
| Tanium™ Reporting | Core platform dependencies | Tanium Module Server |
| Tanium™ Reputation | Core platform dependencies | Tanium Module Server |
| Tanium™ Reveal | Core platform dependencies | Tanium Module Server |
| Tanium™ Threat Response | Core platform dependencies | Tanium Module Server |
| Tanium™ Trends | Core platform dependencies | Tanium Module Server |
| Tanium™ Zero Trust | Core platform dependencies | No additional requirements |

Tanium Core Platform server and client compatibility

Tanium Clients can connect only to Tanium Core Platform servers (Tanium Server, Tanium Module Server, and Tanium Zone Server) that run the same Tanium™ Protocol version as the clients or a later version than the clients. Servers at version 7.3 and clients at version 7.2 run Tanium Protocol 314. Servers and clients at version 7.4 or later run Tanium Protocol 315. Effectively, this means that servers are backward-compatible with earlier clients; for example, servers at version 7.4 support Tanium Client 7.2, but Tanium Client 7.4.x cannot connect to servers at version 7.3.

For details about the Tanium Protocol, see Tanium Core Platform Deployment Reference Guide: Overview of TLS in the Tanium Core Platform.

The release numbers for Tanium Core Platform servers and Tanium Clients have the format <major release>.<minor release>.<point release>, such as 7.4.5. Clients can connect to the servers when their major and minor release numbers match regardless of whether the point release numbers match. For example, Tanium Client 7.4.5 can connect to Tanium Server 7.4.2.

  • To ensure that all the features and fixes in a release are available to Tanium Core Platform servers and Tanium Clients, upgrade both to the same major, minor, and point release.

  • Do not install the Tanium Client on the same host as a Tanium Core Platform server. Managing Tanium Core Platform servers as endpoints requires significantly more complex access restrictions in Tanium. Tanium users with management rights over Tanium Core Platform servers might be able to circumvent access restrictions within Tanium or inadvertently deploy actions that interfere with Tanium functionality. If you choose to install the client on Tanium Core Platform server machines, you must carefully restrict access to computer groups that include Tanium Core Platform servers, such as All Computers, All Servers, and All Windows. You cannot install the client on a Tanium Appliance, and you cannot use Tanium Client Management to install the client on the Tanium Module Server.
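
The compatibility rule above, applied to a client inventory before a server or client upgrade. This is an added example, not Tanium code; the function names, status labels and inventory are hypothetical, and the version-to-protocol pairs are only the ones this page states.

```python
def release(version):
    """(major, minor, point) from '7.4.5' or a four-part build such as '7.5.6.1113'."""
    parts = [int(p) for p in version.split(".")]
    if len(parts) < 3:
        raise ValueError(f"expected <major>.<minor>.<point>, got {version!r}")
    return tuple(parts[:3])


def protocol(role, version):
    """Tanium Protocol number for a 'server' or 'client', using only the
    version-to-protocol pairs stated on this page."""
    major, minor, _ = release(version)
    if (major, minor) >= (7, 4):
        return 315
    if (role, major, minor) in {("server", 7, 3), ("client", 7, 2)}:
        return 314
    raise ValueError(f"page gives no protocol for {role} {version}")


def check_fleet(server_version, clients):
    """Map each client host to 'blocked', 'connects-release-differs' or 'ok'."""
    server_proto = protocol("server", server_version)
    result = {}
    for host, version in clients.items():
        if protocol("client", version) > server_proto:
            # Client speaks a later protocol than the server: it cannot connect.
            result[host] = "blocked"
        elif release(version) != release(server_version):
            # Connects, but features and fixes may differ until releases match.
            result[host] = "connects-release-differs"
        else:
            result[host] = "ok"
    return result


# Constructed inventory: hostnames and versions are illustrative only.
FLEET = {"ws-01": "7.4.5", "ws-02": "7.4.2", "srv-legacy": "7.2.0"}

if __name__ == "__main__":
    for target in ("7.4.2", "7.3.0"):
        print(target, check_fleet(target, FLEET))
```
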

Internet access, network connectivity, and firewalls

Internet Protocol (IP) support

All supported versions of the Tanium Core Platform use TCP/IP to communicate over IPv4 and IPv6 networks. Contact Tanium Support if you need IPv6 support. You must work with your network administrator to ensure that the Tanium components are provisioned with IP addresses and can use DNS to resolve host names.

Internet URLs

During installation and ongoing operations, the Tanium Server and the web browser that you use to access the Tanium Console must connect to https://content.tanium.com to import updates to Tanium Core Platform components and modules. The Tanium Server might need to connect to additional URLs based on the components you import. For a list of the required URLs, see Tanium Core Platform Deployment Reference Guide: Internet URLs required.

Server throughput and latency

The Tanium Server must be able to connect to the Tanium database server and Module Server. In an HA deployment, the Tanium Servers must be able to connect to each other over a reliable Ethernet connection. All these connections require a minimum throughput of 1 Gbps and a maximum round-trip latency of 30 ms.

Proxy server

If your enterprise network environment requires outbound Internet connections to traverse a proxy server, you can configure the proxy settings as described under Tanium Console User Guide: Configuring proxy server settings.

Ports and firewalls

The following table summarizes the Tanium processes and default values for ports used in Tanium Core Platform communication. Host and network firewalls might require configuration to allow the specified processes to send and receive TCP data over the listed ports. The Tanium installer opens required ports in the Windows host firewall. You must work with your network security administrator to ensure the platform components can communicate through any security barriers (such as firewalls) in their communication path. For a detailed explanation, see Tanium Core Platform Deployment Reference Guide: Network ports. Your security administrator might also need to create rules to exempt or exclude Tanium processes that run on the host computers from blocking by antivirus or processing by encryption or other security and management stack software. For details, see Tanium Core Platform Deployment Reference Guide: Host system security exceptions.

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

Network communication ports used by Tanium components

| Source | Destination | Port | Protocol | Purpose |
| --- | --- | --- | --- | --- |
| Console/API users | content.tanium.com; update.microsoft.com; *.digicert.com | 443 | TCP | Download and install solutions to the Tanium Core Platform |
| Console/API users | Tanium Servers | 443 | TCP | Tanium Console/API user workstation (browser) communication with Tanium Servers |
| Module Servers | Tanium Servers | 443 | TCP | Module Server communication with Tanium Servers |
| Module Servers | Zone Servers¹ | 17487 | TCP | Used by Zone Servers for Module Server connections using Direct Connect. The default port number is 17487. If needed, you can specify a different port number when you configure the zone proxy. |
| Tanium Clients | Tanium Clients; Tanium Servers; Zone Servers | 17472 | TCP | Communication between Tanium Clients (TaniumClient.exe), communication between the clients and the Tanium Servers or Zone Servers |
| Tanium Clients (external) | Zone Servers¹ | 17486 | TCP | Used by Zone Servers for endpoint connections to external clients using Direct Connect. The default port number is 17486. If needed, you can specify a different port number when you configure the zone proxy. |
| Tanium Clients (internal) | Module Servers | 17475 | TCP | Used by the Module Server for endpoint connections to internal clients using Direct Connect. |
| Tanium Servers | Module Servers | 17477 | TCP | Tanium Server communication with Module Servers |
| Tanium Servers | Tanium database | 1433, 5432 | TCP | Tanium Server communication with the Tanium database: SQL server (Sqlservr.exe) or PostgreSQL server (postgres.exe) |
| Tanium Servers | Tanium Servers | 443, 17472 | TCP | Communication between active-active Tanium Servers |
| Tanium Servers, Module Servers | content.tanium.com; *.digicert.com | 443 | TCP | Tanium Server (TaniumReceiver.exe) or Module Server (TaniumModuleServer.exe) communication with content.tanium.com to import updates to Tanium Core Platform components and modules |
| Zone Server Hub | Zone Servers¹ | 17472 | TCP | Zone Server Hub (TaniumZoneServer.exe) communication with Zone Servers (TaniumZoneServer.exe) |

¹ These ports are required only when you use a Zone Server.

To improve the security of the Zone Server, configure separate ports for traffic from Zone Server Hubs and Tanium Clients. For the steps, see Configure ports for traffic from Zone Server Hubs and Tanium Clients.

Do not allow a Tanium Server, a Module Server, or a Zone Server Hub to accept inbound connections from the internet. On a Zone Server, allow only the Tanium Client port to accept inbound connections from the internet.
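
One way to check a proposed firewall policy against the port table and the two internet-exposure rules above. This is an added example, not part of the Tanium documentation or product; the role names, the `Rule` record, the finding labels and the sample policy are hypothetical, and the default of 17472 as the only internet-facing Zone Server client port is an assumption taken from the table's default values.

```python
from dataclasses import dataclass

# Default TCP ports transcribed from the table above, keyed by (source, destination).
# Outbound 443 flows to content.tanium.com and the other internet hosts are left out.
MATRIX = {
    ("console_user", "tanium_server"): {443},
    ("module_server", "tanium_server"): {443},
    ("module_server", "zone_server"): {17487},
    ("client", "client"): {17472},
    ("client", "tanium_server"): {17472},
    ("client", "zone_server"): {17472},
    ("external_client", "zone_server"): {17486},
    ("internal_client", "module_server"): {17475},
    ("tanium_server", "module_server"): {17477},
    ("tanium_server", "database"): {1433, 5432},
    ("tanium_server", "tanium_server"): {443, 17472},
    ("zone_hub", "zone_server"): {17472},
}
# Roles that must never accept inbound connections from the internet.
NO_INTERNET_INBOUND = {"tanium_server", "module_server", "zone_hub"}

@dataclass(frozen=True)
class Rule:
    """Hypothetical, simplified allow rule exported from a firewall policy."""
    name: str
    src: str
    dst: str
    port: int
    from_internet: bool
    match: str  # "service" (TCP port based) or "application" (app identity)

def audit(rules, zone_client_ports=frozenset({17472})):
    """Return (rule name, finding) pairs. zone_client_ports is an assumption:
    the Zone Server ports that this deployment dedicates to Tanium Clients."""
    findings = []
    for r in rules:
        if r.match != "service":
            findings.append((r.name, "app-identity-rule"))
        if r.port not in MATRIX.get((r.src, r.dst), set()):
            findings.append((r.name, "not-in-port-matrix"))
        if r.from_internet and r.dst in NO_INTERNET_INBOUND:
            findings.append((r.name, "internet-inbound-forbidden"))
        if r.from_internet and r.dst == "zone_server" and r.port not in zone_client_ports:
            findings.append((r.name, "zone-server-non-client-port"))
    return findings

# Constructed sample policy, not taken from any real deployment.
SAMPLE_RULES = [
    Rule("clients-to-zs", "client", "zone_server", 17472, True, "service"),
    Rule("console-any", "console_user", "tanium_server", 443, True, "service"),
    Rule("ms-to-zs-dc", "module_server", "zone_server", 17487, False, "application"),
    Rule("zs-https", "client", "zone_server", 443, True, "service"),
    Rule("ts-to-db", "tanium_server", "database", 1433, False, "service"),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

If the zone proxy or the separate hub and client ports are changed from the defaults, update `MATRIX` and `zone_client_ports` to the configured values before running the check.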

The following figure illustrates how the Tanium Core Platform uses ports in an active-active deployment with Windows infrastructure:

Figure 1: Network communication ports

For the topology of deployments that use a proxy server between Tanium Core Platform servers and external servers, see Tanium Console User Guide: Overview of proxy servers.

Tanium™ Direct Connect uses additional ports for communication between Tanium Clients and the Module Server. See Tanium Direct Connect User Guide: Host and network security requirements.

For more information about the port requirements of other Tanium modules and shared services, see the Tanium Core Platform Deployment Reference Guide: Solution-specific port requirements.

SSL/TLS certificates

SSL/TLS certificate and key exchanges secure connections to the Tanium™ Console or Tanium™ API, as well as connections between the Tanium Server and Tanium Module Server. When you run the server installation wizards, they prompt you to generate a self-signed certificate or specify the location of a certificate that was issued by a commercial certificate authority (CA) or your own enterprise CA.

To facilitate troubleshooting, use the self-signed certificates during initial installation and replace them with CA-issued certificates later. This practice enables you to separate potential installation issues from TLS connection issues.

For details, see Tanium Core Platform Deployment Reference Guide: Securing Tanium Console, API, and Module Server access.

Administrator account permissions

Work with your Microsoft Active Directory (AD) administrator to provision the accounts needed during Tanium Core Platform installations or upgrades and for post-installation or post-upgrade activities. To change accounts or update their passwords, see Tanium Console User Guide: Windows service accounts.

Administrator accounts for installations and upgrades

The following table lists the administrator accounts required to install or upgrade Tanium Core Platform servers, create Tanium databases, or deploy Tanium Clients. You can use a single service account to install the Tanium Server and to create databases on the SQL or PostgreSQL server, as long as the account has all the required group memberships and permissions for those servers. You can also use a single service account to install the Zone Server and Zone Server Hub. You must use a separate service account to install the Module Server.

Administrator account permissions required for installations and upgrades

| Service | Account Type | Host System | Required Group or Permissions | Account Purpose |
| --- | --- | --- | --- | --- |
| Tanium Server and Tanium databases | AD service account* | Tanium Server host | Administrator, interactive sign in | This service account installs and upgrades the Tanium Server software. |
| Tanium Server and Tanium databases | AD service account* | SQL Server host | Sysadmin on the SQL instance | When running the installer from the Tanium Server, this service user connects remotely to the SQL Server and creates the tanium and tanium_archive databases. |
| Tanium Server and Tanium databases | AD service account* | PostgreSQL Server host | Administrator | When running the installer from the Tanium Server, this service user connects remotely to the PostgreSQL Server and creates the tanium and tanium_archive databases. |
| Tanium Module Server | AD service account* | Tanium Module Server host | Administrator | This service account installs and upgrades the Tanium Module Server software. |
| Tanium Zone Server and Zone Server Hub | Local user or AD | Tanium Zone Server host | Administrator, interactive sign in | This service account installs and upgrades the Tanium Zone Server software. |
| Tanium Zone Server and Zone Server Hub | Local user or AD | Tanium Zone Server Hub host | Administrator, interactive sign in | This service account installs and upgrades the Tanium Zone Server Hub software. |
| Tanium Client | LocalSystem or AD | Tanium Client Deployment Tool host | Administrator | This account connects to endpoints and installs and upgrades Tanium Client software. |

*You can use the LocalSystem account in a POC deployment, but not in a production deployment.

Administrator accounts for post-installation/upgrade activities

The following table lists the administrator accounts required for regular, ongoing operations performed after installations or upgrades, including running the services for Tanium Core Platform servers and Tanium Clients, and accessing Tanium databases. If you reuse the accounts used for installations and upgrades, first reduce the account permissions to those specified in the following table. You can use a single service account to run the Tanium Server service and access the Tanium databases. You can also use a single service account to run the Zone Server and Zone Server Hub services. You must use a separate service account to run the Module Server service.

Administrator account permissions required for post-installation/upgrade activities

| Service | Account Type | Host System | Required Group or Permissions | Account Purpose |
| --- | --- | --- | --- | --- |
| Tanium Server and Tanium databases | AD service account* | Tanium Server host | User-level permissions | This service account runs the Tanium Server service. The service runs in the context of the Local System or the AD account, depending on the option you select when installing the server. |
| Tanium Server and Tanium databases | AD service account* | SQL Server host | DBO on Tanium databases | This service user account accesses the tanium and tanium_archive databases. If you use the same account for running the Tanium Server service, the account must be able to connect remotely to the SQL Server. The account requires db_owner role membership for the Tanium databases. Assign the View server state permission as a best practice to enable the Tanium Server to access data faster than the DBO role alone. |
| Tanium Server and Tanium databases | AD service account* | PostgreSQL Server host | User-level permissions | This service user account accesses the tanium and tanium_archive databases. If you use the same account for running the Tanium Server service, the account must be able to connect remotely to the PostgreSQL Server. |
| Tanium Module Server | AD service account* | Tanium Module Server host | Administrator | This service account runs the Tanium Module Server service. The service runs in the context of the Local System account. |
| Tanium Zone Server and Zone Server Hub | Local user or AD | Tanium Zone Server host | User-level permissions | This service account runs the Tanium Zone Server service. The service runs in the context of the Local System or the AD account, depending on the option you select when installing the server. |
| Tanium Zone Server and Zone Server Hub | Local user or AD | Tanium Zone Server Hub host | User-level permissions | This service account runs the Tanium Zone Server Hub service. The service runs in the context of the Local System or the AD account, depending on the option you select when installing the server. |
| Tanium Client | LocalSystem | Tanium Client Deployment Tool host | Administrator | On Windows, the Tanium Client service runs in the context of the Local System account. |

*You can use the LocalSystem account in a POC deployment, but not in a production deployment.