Tanium as a Service deployments include a customer-specific proxy server that allows the destinations that are required for Tanium modules to work. Contact Tanium Support to request additional allowed destinations.
Some organizations use proxy servers for traffic between internal servers and the Internet. If your organization uses proxies and its security policy does not allow Tanium Core Platform servers to access Internet locations directly, you can configure access through the proxies. The Tanium Server connects to the Internet to download content updates from Tanium and to download necessary files from other trusted suppliers. The Tanium Module Server connects to the Internet to download module software updates from Tanium. Individual Tanium modules might also have requirements to access the Internet.
To configure Tanium Client 7.4 or later to connect through a Hypertext Transfer Protocol Secure (HTTPS) proxy server to the Tanium Server or Tanium Zone Server, see Tanium Client Management User Guide: Connect through an HTTPS proxy server.
Only users who have the Administrator reserved role can see and use the Configuration > Common > Proxy Settings page.
For a list of external sites that Tanium Core Platform servers access, see Tanium Core Platform Deployment Reference Guide: Internet URLs required.
A destination server might have its own requirements, such as certificate authentication or user authentication. For information about configuring advanced options for these requirements, see Tanium Support KB: TDownloader.
The Tanium Core Platform supports two types of proxies:
- Basic: A strictly IP address-based proxy server allows a specified list of servers to traverse the proxy and access the network or Internet. Add the IP addresses or fully qualified domain names of the Tanium Server and Module Server to the access list of the proxy server. If the proxy server requires authentication, configure the account ID and password.
- NTLM: If the proxy server is set up to use Microsoft NT LAN Manager (NTLM), and you configure the Tanium Server service to run in the context of a service account that has sufficient permissions to traverse the proxy server, you do not have to configure an account ID and password.
In most cases, the best practice is to use the Tanium Console to configure proxy settings, as follows. However, if you need to configure proxy settings before you have access to the Tanium Console, you can configure proxy settings on the Tanium Server or Module Server host as described in the Tanium Core Platform Deployment Reference Guide: Proxy server settings.
The proxy server configuration is stored in configuration files on the Tanium Server host. Tanium Servers do not automatically synchronize the configuration files in an active-active deployment. If you change these settings, be sure to perform the procedure on both Tanium Servers in the active-active cluster.
1. From the Main menu, go to Administration > Configuration > Common > Proxy Settings.
2. Configure the following Tanium Server Proxy Settings and click Save.
   - Proxy Type: None (disables the proxy server settings)
3. Configure the Module Server Proxy Settings and click Save.
4. Test the settings by configuring the Validate Proxy Settings fields and clicking Start Download.
|Setting||Description|
|Component||Tanium Server or Module Server.|
|File Source||- From Tanium: Use predefined settings for a connection to content.tanium.com.
- From Random Site: Use predefined settings for a connection to www.msftncsi.com.
- Specify URL/Hash: Configure your own test settings.|
|URL||If you selected Specify URL/Hash, specify the URL.|
|Hash||If you selected Specify URL/Hash, specify the hash.|
|Download Time||If you selected Specify URL/Hash, specify a maximum download time before returning a failure message.|
The Tanium Console returns a message that indicates success or failure. If the test fails, check that the proxy server is up and is configured as expected. Also, check that the Tanium Console settings you specified match the settings that the proxy server expects. The TDownloader log has detailed event messages (see Tanium Core Platform Deployment Reference Guide: Logs).
|Proxy Server||IP address of the proxy server.|
|Proxy User ID||Account username that is used to establish the connection with the proxy server. This field is required if the Proxy Type is Basic. NTLM proxies use the credentials of the user context that runs the Tanium Server service.|
|Proxy Type||Select the proxy type.|
|Port Number||Port number of the proxy server.|
|Proxy Password||Password that is used to establish the connection with the proxy server. The password is stored in clear text within the registry.|
|Bypass Proxy Host List||If you configure a proxy server, you might need to configure exceptions so that connections to specified hosts do not go through the proxy server.
For example, do not use a proxy server for traffic between Tanium Servers in an active-active cluster.
A proxy server can cause problems with other traffic to a destination Tanium Server. For example, a package configuration can specify file URIs that are local to the Tanium Server. It is important to bypass the proxy server for these URIs.
Use this setting to specify destinations that do not use the proxy servers. In most cases, specify localhost, 127.0.0.1, and all Tanium Server names and IP addresses.
Tanium Core Platform 7.0.314.6242 and later support wildcards.|
|Bypass CRL Check Host List||Use this setting to list servers that the Tanium Server can trust without checking the Certificate Revocation List (CRL). Unless a server is specified in this list, the Tanium Server performs a CRL check and does not download files from a server that does not pass.|
|Trusted Host List||By default, the Tanium Server validates the SSL/TLS certificate of remote servers when establishing connections to them (such as for downloading files). To bypass certificate validation for specific servers, enter their FQDN or IP address. Tanium Core Platform 7.0.314.6242 and later support wildcards.
In an active-active deployment, you do not need to add the Tanium Servers to the list. The servers automatically trust each other, as well as traffic from 127.0.0.1 or localhost.
Contact Tanium Support before modifying this setting.|
|Mirror all changes to Module Server except Trusted Host List and Bypass CRL Check Host List||This option appears only if the Module Server is on a dedicated host that is not shared with the Tanium Server. Enable the option if you want to copy the values for Tanium Server proxy settings to the Module Server Proxy Settings. The only values that are not copied are Bypass CRL Check Host List and Trusted Host List.|
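A review aid for the settings in this table, added here as an example and not Tanium code: it takes the values as transcribed from the Proxy Settings page of each Tanium Server and reports certificate and CRL exemptions, the clear-text Basic password, missing proxy bypass entries, and drift between active-active members. The dictionary layout, host names and sample values are assumptions.

```python
# Added example. Field names are the labels on the Proxy Settings page; the
# dict/list layout, host names and values are constructed for illustration.
TRUST_WEAKENING = ("Trusted Host List", "Bypass CRL Check Host List")

def audit_proxy_settings(servers, tanium_hosts):
    """servers maps a Tanium Server name to its settings; returns sorted findings."""
    findings = []
    for name, cfg in servers.items():
        # Each entry here switches off a certificate or CRL check for that host.
        for field in TRUST_WEAKENING:
            for entry in cfg.get(field, []):
                kind = "wildcard" if "*" in entry else "host"
                findings.append(f"{name}: {field} exempts {kind} {entry!r}")
        # A Basic proxy needs a stored password, which is kept in clear text.
        if cfg.get("Proxy Type") == "Basic" and cfg.get("Proxy Password"):
            findings.append(f"{name}: Basic proxy password is stored in clear text")
        # Local and server-to-server traffic should bypass the proxy. Exact match
        # only: wildcard entries are not expanded (their syntax is not assumed).
        if cfg.get("Proxy Type", "None") != "None":
            bypass = {h.lower() for h in cfg.get("Bypass Proxy Host List", [])}
            for host in ("localhost", "127.0.0.1", *tanium_hosts):
                if host.lower() not in bypass:
                    findings.append(f"{name}: {host} missing from Bypass Proxy Host List")
    # Active-active members do not synchronize these settings, so report drift.
    names = sorted(servers)
    for field in sorted({key for cfg in servers.values() for key in cfg}):
        values = [servers[n].get(field) for n in names]
        if any(v != values[0] for v in values[1:]):
            findings.append(f"drift: {field} differs between {', '.join(names)}")
    return sorted(findings)

# Constructed sample: two members of an active-active cluster.
TS1 = {
    "Proxy Type": "Basic", "Proxy Server": "192.0.2.10", "Port Number": 8080,
    "Proxy User ID": "svc-proxy", "Proxy Password": "constructed-secret",
    "Bypass Proxy Host List": ["localhost", "127.0.0.1",
                               "ts1.example.com", "ts2.example.com"],
    "Trusted Host List": ["*.example.net"],
    "Bypass CRL Check Host List": [],
}
TS2 = {**TS1, "Trusted Host List": [],
       "Bypass Proxy Host List": ["localhost", "127.0.0.1", "ts2.example.com"]}
SAMPLE = {"ts1.example.com": TS1, "ts2.example.com": TS2}

if __name__ == "__main__":
    for finding in audit_proxy_settings(SAMPLE, list(SAMPLE)):
        print(finding)
```

The findings never print the password value, so the output can go into a change ticket as is.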
Last updated: 4/13/2021 12:26 PM