Configuring proxy server settings

Tanium Cloud deployments include a customer-specific proxy server that allows the destinations that are required for Tanium solutions to work. To add allowed destinations, see Tanium Cloud Deployments Guide: Configuring network egress allow list rules in the CMP.

Overview of proxy servers

Some organizations use proxy servers for traffic between internal servers and the Internet. If your organization uses proxies and its security policy does not allow Tanium Core Platform servers to access Internet locations directly, configure access through the proxies. The Tanium Server and Tanium Module Server connect to the Internet to download content and module software updates from Tanium, and to download necessary files from other remote sources. Individual Tanium modules might also have requirements to access the Internet.

To configure Tanium Client 7.4 or later to connect through a Hypertext Transfer Protocol Secure (HTTPS) proxy server to the Tanium Server or Tanium Zone Server, see Tanium Client Management User Guide: Connect through an HTTPS proxy server.

Only users who have the Administrator reserved role can see and use the Administration > Configuration > Proxy Settings page.

For a list of external sites that Tanium Core Platform servers access, see Tanium Core Platform Deployment Reference Guide: Internet URLs required.

A remote source might have its own requirements, such as certificate authentication or user authentication. See Managing downloads authentication.

Figure 1: Tanium deployment with proxy server

Types of proxy servers

The Tanium Core Platform supports two types of proxies:

  • Basic: A strictly IP address-based proxy server allows a specified list of servers to traverse the proxy and access the network or Internet. Add the IP addresses or fully qualified domain names of the Tanium Server and Module Server to the access list of the proxy server. If the proxy server requires authentication, configure the account ID and password.
  • NTLM: If the proxy server is set up to use Microsoft NT LAN Manager (NTLM), and you configure the Tanium Server service to run in the context of a service account that has sufficient permissions to traverse the proxy server, you do not have to configure an account ID and password.

Configure proxy server settings

In most cases, the best practice is to use the Tanium Console to configure proxy settings, as follows. However, if you need to configure proxy settings before you have access to the Tanium Console, you can configure proxy settings on the Tanium Server or Module Server host as described in the Tanium Core Platform Deployment Reference Guide: Proxy server settings.

The proxy server configuration is stored in configuration files on the Tanium Server host. Tanium Servers do not automatically synchronize the configuration files in an active-active deployment. If you change these settings, be sure to perform the procedure on both Tanium Servers in the active-active cluster.

  1. From the Main menu, go to Administration > Configuration > Proxy Settings.
  2. Configure the following Tanium Server Proxy Settings and click Save.
  3. Refer to the following descriptions of the Tanium Server Proxy Settings (Setting: Description):
    Proxy Type: Select the proxy type:
      • None (disables the proxy server settings)
      • Basic
      • NTLM
    Proxy Server: IP address of the proxy server.
    Port Number: Port number of the proxy server.
    Proxy User ID: Account username that is used to establish the connection with the proxy server. This field is required if the Proxy Type is Basic. NTLM proxies use the credentials of the user context that runs the Tanium Server service.
    Proxy Password: Password that is used to establish the connection with the proxy server. The password is stored in clear text within the registry.
    Bypass Proxy Host List: If you configure a proxy server, you might need to configure exceptions so that connections to specified hosts do not go through the proxy server. Enter the hosts as a comma-separated list of FQDNs or IP addresses. You do not have to enter 127.0.0.1, localhost, or the Tanium Module Server, but enter the active-active Tanium Servers if necessary. All supported Tanium Core Platform versions allow wildcards.
    Bypass CRL Check Host List: Use this setting to list servers that the Tanium Server can trust without checking the Certificate Revocation List (CRL). Unless a server is specified in this list, the Tanium Server performs a CRL check and does not download files from a server that does not pass.
    Trusted Host List: By default, the Tanium Server validates the SSL/TLS certificate of remote servers when establishing connections to them, such as for downloading files. To bypass certificate validation for specific servers, enter their FQDN or IP address. You do not have to enter 127.0.0.1, localhost, the Tanium Module Server, or Tanium Servers (standalone or active-active). All supported Tanium Core Platform versions allow wildcards. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
      Contact Tanium Support before modifying this setting.
    Mirror all changes to Module Server except Trusted Host List and Bypass CRL Check Host List: This option appears only if the Module Server is on a dedicated host that is not shared with the Tanium Server. Enable the option if you want to copy the values for Tanium Server proxy settings to the Module Server Proxy Settings. The only values that are not copied are Bypass CRL Check Host List and Trusted Host List.
  4. Configure the Module Server Proxy Settings and click Save.
  5. Test the settings by configuring the Validate Proxy Settings fields and clicking Start Download. The fields are as follows (Setting: Description):
    Component: Tanium Server or Module Server.
    File Source: Select one of the following:
      • From Tanium: Use predefined settings for a connection to content.tanium.com.
      • From Random Site: Use predefined settings for a connection to www.msftncsi.com.
      • Specify URL/Hash: Configure your own test settings.
    URL: If you selected Specify URL/Hash, specify the URL.
    Hash: If you selected Specify URL/Hash, specify the hash.
    Download Time: If you selected Specify URL/Hash, specify a maximum download time before returning a failure message.

    The Tanium Console returns a message that indicates success or failure. If the test fails, check that the proxy server is up and is configured as expected. Also, check that the Tanium Console settings you specified match the settings that the proxy server expects. The TDownloader log has detailed event messages. See Tanium Core Platform Deployment Reference Guide: TDownloader logs.

  6. Enable the global setting authenticate_api_token_with_x_forwarded_for_ip only if all API token access to the Tanium Server must go through a reverse proxy server. If the setting is disabled in such deployments, you cannot restrict which systems are allowed token access.

    1. From the Main menu, go to Administration > Configuration > Settings > Advanced Settings.
    2. In the Name column, click authenticate_api_token_with_x_forwarded_for_ip.
    3. Set the value to 1 and click Save.
  7. To configure which systems have API token access to the Tanium Server, see Enable systems to use API tokens.

  8. If the proxy server has an IPv6 address, configure the ForceIPV6 setting.

    Contact Tanium Support for guidance before configuring this setting.

    1. From the Main menu, go to Administration > Configuration > Settings > Advanced Settings.
    2. Click Add Setting, specify the following values, and click Save:
      • Setting Type: Server
      • Name: ForceIPV6
      • Value Type: Numeric
      • Value: 1
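The Bypass Proxy Host List and Trusted Host List fields above accept a comma-separated list of FQDNs or IP addresses, allow wildcards, and require IPv6 addresses in square brackets. The following added example (not Tanium's code) shows how such a host list can be matched against a download URL so that an administrator can check, before saving, which destinations a given list would exempt. The field syntax follows the descriptions on this page; the treatment of 127.0.0.1 and localhost as implicit bypasses is taken from the Bypass Proxy Host List description, and the IPv6 normalisation is an assumption for illustration.

```python
"""Match a console host list (comma-separated FQDNs/IPs, wildcards, bracketed
IPv6) against the host of a URL. Illustrative code, not Tanium's own."""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit
import ipaddress

# The page states these never need to be listed explicitly.
IMPLICIT_BYPASS = {"127.0.0.1", "localhost"}


def normalise_ip(value):
    """Return a canonical spelling for IP literals so that 2001:DB8:0::1 and
    2001:db8::1 compare equal; non-IP entries (FQDNs, wildcards) pass through."""
    try:
        return ipaddress.ip_address(value).compressed
    except ValueError:
        return value


def parse_host_list(raw):
    """Split the comma-separated field into lower-cased entries. IPv6 entries
    must be bracketed in the console; the brackets are removed for comparison."""
    entries = []
    for item in raw.split(","):
        item = item.strip().lower()
        if not item:
            continue
        if item.startswith("[") and item.endswith("]"):
            item = item[1:-1]
        entries.append(normalise_ip(item))
    return entries


def should_bypass(url, host_list):
    """True when the URL's host is exempted by the list (or implicitly)."""
    # urlsplit().hostname lower-cases the host and strips IPv6 brackets.
    host = urlsplit(url).hostname or ""
    if host in IMPLICIT_BYPASS:
        return True
    host = normalise_ip(host)
    # fnmatchcase gives the shell-style "*" wildcard the field allows.
    return any(fnmatchcase(host, entry) for entry in parse_host_list(host_list))


if __name__ == "__main__":
    # Constructed sample list and URLs for demonstration.
    sample_list = "*.example.com, 10.0.0.5, [2001:db8::1]"
    for url in ("https://dl.example.com/f", "https://content.tanium.com/f",
                "https://[2001:DB8:0::1]:8443/f", "http://localhost/f"):
        print(url, "->", "bypass proxy" if should_bypass(url, sample_list) else "via proxy")
```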