Configuring proxy server settings

Some organizations use proxy servers for traffic between internal servers and the Internet. If your organization uses proxies and its security policy does not allow Tanium Core Platform servers to access Internet locations directly, you can configure access through the proxies. The Tanium Server must connect to the Internet to download content updates from Tanium and to download necessary files from other trusted suppliers. The Tanium Module Server must connect to the Internet to download module software updates from Tanium. Individual Tanium modules might also have requirements to access the Internet. For a list of sites that Tanium Core Platform servers access, see Tanium Core Platform Deployment Reference Guide: Internet URLs required.

Only users who have the Administrator reserved role can see and use the Configuration > Common > Proxy Settings page.

Figure 1: Tanium deployment with proxy server

Types of proxy servers

Tanium Server supports two types of proxies:

  • Basic: Basic proxies might require authentication. A strictly IP-address-based proxy server allows a specified list of servers to traverse the proxy and access the network or Internet. Add the IP address or hostname of the Tanium Server to the access list of the proxy server. If the proxy server requires authentication, you can configure the account ID and password.
  • NTLM: If the proxy server is set up to use NTLM, and you configure the Tanium Server service to run in the context of a service account that has sufficient permissions to traverse the proxy server, you do not have to configure account ID and password.

The proxy server configuration is stored in configuration files on the Tanium Server host. Tanium Servers do not automatically synchronize the configuration files among high availability (HA) peers. If you change these settings in HA deployments, be sure to perform the procedure on all Tanium Servers in the HA cluster.

Configure and test proxy server settings

In most cases, the best practice is to use the Tanium Console to configure proxy settings, as follows. However, if you need to configure proxy settings before you have access to the Tanium Console, you can configure proxy settings on the Tanium Server or Module Server host as described in the Tanium Core Platform Deployment Reference Guide: Proxy server settings.

  1. Go to Configuration > Common > Proxy Settings.
  2. Configure the following Tanium Server Proxy Settings and save your changes.

    Proxy Type: Select the proxy type:
      • None (disables the proxy server settings)
      • Basic
      • NTLM
    Proxy Server: IP address of the proxy server.
    Port Number: Port number of the proxy server.
    Proxy User ID: Account username that is used to establish the connection with the proxy server. This field is required if the Proxy Type is Basic. NTLM proxies use the credentials of the user context that runs the Tanium Server service.
    Proxy Password: Password that is used to establish the connection with the proxy server. The password is stored in clear text within the registry.
    Bypass Proxy Host List: If you configure a proxy server, you might need to configure exceptions so that connections to specified hosts do not go through the proxy server.

      For example, a proxy server should not be used for traffic between Tanium Servers in an active-active cluster.

      A proxy server can cause problems with other traffic to a destination Tanium Server. For example, a package configuration can specify file URIs that are local to the Tanium Server. It is important to bypass the proxy server for these URIs.

      Use this setting to specify destinations that should not use the proxy servers. In most cases, specify localhost, 127.0.0.1, and all Tanium Server names and IP addresses.

      For example:

      ts1.example.com, ts2.example.com,localhost,127.0.0.1,10.10.10.11,10.10.10.15

      Tanium Core Platform 7.0.314.6242 and later support wildcards.

    Bypass CRL Check Host List: Use this setting to list servers that the Tanium Server can trust without checking the Certificate Revocation List (CRL). Unless a server is specified in this list, the Tanium Server performs a CRL check and does not download files from a server that does not pass.
    Trusted Host List: Unless a server is specified in this list, the Tanium Server does not download files from a server without a valid SSL certificate.

      Add the FQDN or IP address of any servers that you want to trust. In a high availability (HA) cluster, enter the address or FQDN of each Tanium Server in the cluster. Tanium Core Platform 7.0.314.6242 and later support wildcards.

    Mirror all changes to Module Server except Trusted Host List and Bypass CRL Check Host List: Select this option if you want to propagate all the values for Tanium Server proxy settings, except the Bypass CRL Check Host List and Trusted Host List values, to the Module Server Proxy Settings.
  3. Configure the Module Server Proxy Settings and save your changes.
  4. Test the settings by configuring the Validate Proxy Settings fields and clicking Start Download.

    Component: Tanium Server or Module Server.
    File Source:
      • From Tanium—Use predefined settings for a connection to content.tanium.com.
      • From Random Site—Use predefined settings for a connection to www.msftncsi.com.
      • Specify URL/Hash—Configure your own test settings.
    URL: If you selected Specify URL/Hash, specify the URL.
    Hash: If you selected Specify URL/Hash, specify the hash.
    Download Time: If you selected Specify URL/Hash, specify a maximum download time before returning a failure message.
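The Bypass Proxy Host List semantics described in the procedure above, as an added example that is not Tanium's code and not part of the original page: it parses a comma-separated list exactly like the page's sample (note the stray space after the first comma), decides per destination whether a connection goes direct or through the proxy, and reports which of the entries the page says to include in most cases (localhost, 127.0.0.1, every Tanium Server name and address) are missing. Wildcard matching is assumed to be shell-style (`*.example.com`); the page only says that wildcards are supported. The proxy address and the server names other than those in the page's sample list are constructed.

```python
import fnmatch
from urllib.parse import urlsplit

# The sample Bypass Proxy Host List taken from the page, stray space included.
EXAMPLE_BYPASS_LIST = "ts1.example.com, ts2.example.com,localhost,127.0.0.1,10.10.10.11,10.10.10.15"


def parse_bypass_list(raw):
    """Split the comma-separated list, trimming whitespace and dropping empty entries."""
    return [entry.strip().lower() for entry in raw.split(",") if entry.strip()]


def host_of(target):
    """Return the lower-cased host of a bare host, host:port, or full URL (no port, no brackets)."""
    parts = urlsplit(target if "://" in target else "//" + target)
    return (parts.hostname or "").lower()


def should_bypass_proxy(target, bypass_list):
    """True if the destination matches any bypass entry; entries may contain shell-style wildcards (assumed)."""
    host = host_of(target)
    if not host:
        return False
    return any(fnmatch.fnmatchcase(host, pattern) for pattern in bypass_list)


def route(target, bypass_list, proxy="proxy.example.com:8080"):
    """Describe where a connection to target would go; the proxy address is a constructed placeholder."""
    return "direct" if should_bypass_proxy(target, bypass_list) else f"via {proxy}"


def missing_recommended_entries(bypass_list, tanium_server_hosts):
    """List the hosts the page says to bypass in most cases that the configured list does not cover."""
    required = ["localhost", "127.0.0.1", *tanium_server_hosts]
    return [h for h in required if not should_bypass_proxy(h, bypass_list)]


if __name__ == "__main__":
    bypass = parse_bypass_list(EXAMPLE_BYPASS_LIST)
    # A package file URI hosted on a Tanium Server in the cluster goes direct; content updates use the proxy.
    for target in ("https://ts1.example.com:443/cache/package.zip", "content.tanium.com", "10.10.10.15"):
        print(f"{target:50} -> {route(target, bypass)}")
    # A cluster with a third server (constructed) that the list does not mention is flagged.
    print("missing:", missing_recommended_entries(bypass, ["ts1.example.com", "ts2.example.com", "ts3.example.com"]))
```

Run the check against the list you intend to save, once per Tanium Server in an HA cluster, since the page notes the configuration files are not synchronized between peers.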

The Tanium Console returns a message that indicates success or failure. If the test fails, check that the proxy server is up and is configured as expected. Also, check that the Tanium settings you specified match the settings that the proxy server expects. The TDownloader log has detailed event messages (see Tanium Core Platform Deployment Reference Guide: Logs).
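The Specify URL/Hash test above (download a file, compare its hash, fail after a maximum download time) as an added example that is not Tanium's TDownloader or any code from the page: a fetch that enforces a total time budget while streaming, hashes the body, and only reports success when the hash matches. It assumes SHA-256, since the page does not name the hash algorithm, and it serves a constructed sample file from a local HTTP server so the check runs offline; passing an explicit proxy address routes the request through that proxy, while `None` connects directly and ignores any proxy variables in the environment, which is the behaviour a bypass-list entry gives.

```python
import hashlib
import hmac
import http.server
import threading
import time
import urllib.request

# Constructed sample file served by the local test server below; not a Tanium artifact.
SAMPLE_CONTENT = b"constructed sample content for a proxy download check\n"


def download_and_verify(url, expected_sha256, max_seconds, proxy=None, chunk_size=64 * 1024):
    """Fetch url within a total time budget and verify the SHA-256 of the body.

    proxy is "host:port" for an explicit HTTP proxy, or None to connect directly
    (ignoring any proxy variables in the environment). The hash algorithm is an
    assumption; the page only says a hash is compared. Returns (ok, message).
    """
    proxies = {"http": proxy, "https": proxy} if proxy else {}
    opener = urllib.request.build_opener(urllib.request.ProxyHandler(proxies))
    deadline = time.monotonic() + max_seconds
    digest = hashlib.sha256()
    received = 0
    try:
        # The socket timeout bounds each read; the deadline bounds the whole download.
        with opener.open(url, timeout=max_seconds) as response:
            while True:
                if time.monotonic() > deadline:
                    return False, f"download exceeded {max_seconds}s limit after {received} bytes"
                chunk = response.read(chunk_size)
                if not chunk:
                    break
                digest.update(chunk)
                received += len(chunk)
    except OSError as exc:  # URLError, HTTPError, socket timeout and connection errors
        return False, f"download failed: {exc}"
    actual = digest.hexdigest()
    # Constant-time comparison; a body with the wrong hash is never reported as usable.
    if not hmac.compare_digest(actual, expected_sha256.strip().lower()):
        return False, f"hash mismatch: expected {expected_sha256}, got {actual}"
    return True, f"verified {received} bytes, sha256 {actual}"


class _SampleHandler(http.server.BaseHTTPRequestHandler):
    """Serves SAMPLE_CONTENT for any GET so the check can run without Internet access."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(SAMPLE_CONTENT)))
        self.end_headers()
        self.wfile.write(SAMPLE_CONTENT)

    def log_message(self, *args):
        pass  # suppress per-request server logging in the demo


def run_validation_demo():
    """Run one matching and one mismatching check against the local server; returns both (ok, message) pairs."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _SampleHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/sample.bin"
    try:
        good_hash = hashlib.sha256(SAMPLE_CONTENT).hexdigest()
        matched = download_and_verify(url, good_hash, max_seconds=10)
        # A wrong expected hash (constructed) must fail even though the download itself succeeds.
        mismatched = download_and_verify(url, "00" * 32, max_seconds=10)
    finally:
        server.shutdown()
        server.server_close()
    return matched, mismatched


if __name__ == "__main__":
    for ok, message in run_validation_demo():
        print("PASS" if ok else "FAIL", message)
```

When a real proxy is in the path, a failure message from the fetch itself points at the proxy (reachability, credentials, or a host not on the access list), while a hash mismatch with a completed download points at the content or at something rewriting it in transit; separating the two makes the console's success or failure result easier to act on.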

Last updated: 7/17/2019 8:28 AM