Configuring proxy server settings

Tanium as a Service deployments include a customer-specific proxy server that allows the destinations that are required for Tanium modules to work. To request additional allowed entries, consult your Technical Account Manager (TAM).

Some organizations use proxy servers for traffic between internal servers and the Internet. If your organization uses proxies and its security policy does not allow Tanium Core Platform servers to access Internet locations directly, you can configure access through the proxies. The Tanium Server connects to the Internet to download content updates from Tanium and to download necessary files from other trusted suppliers. The Tanium Module Server connects to the Internet to download module software updates from Tanium. Individual Tanium modules might also have requirements to access the Internet.

Only users who have the Administrator reserved role can see and use the Configuration > Common > Proxy Settings page.

For a list of sites that Tanium Core Platform servers access, see Tanium Core Platform Deployment Reference Guide: Internet URLs required.

A destination server might have its own requirements, such as certificate authentication or user authentication. For information about configuring advanced options for these requirements, see Tanium Support KB: TDownloader.

Figure 1: Tanium deployment with proxy server

Types of proxy servers

The Tanium Core Platform supports two types of proxies:

  • Basic: A strictly IP address-based proxy server allows a specified list of servers to traverse the proxy and access the network or Internet. Add the IP addresses or host names of the Tanium Server and Module Server to the access list of the proxy server. If the proxy server requires authentication, configure the account ID and password.
  • NTLM: If the proxy server is set up to use Microsoft NT LAN Manager (NTLM), and you configure the Tanium Server service to run in the context of a service account that has sufficient permissions to traverse the proxy server, you do not have to configure an account ID and password.

Configure and test proxy server settings

In most cases, the best practice is to use the Tanium Console to configure proxy settings, as follows. However, if you need to configure proxy settings before you have access to the Tanium Console, you can configure proxy settings on the Tanium Server or Module Server host as described in the Tanium Core Platform Deployment Reference Guide: Proxy server settings.

The proxy server configuration is stored in configuration files on the Tanium Server host. Tanium Servers do not automatically synchronize the configuration files among high availability (HA) peers. If you change these settings in HA deployments, be sure to perform the procedure on both Tanium Servers in the HA cluster.

  1. From the Main menu, select Administration > Configuration > Common > Proxy Settings.
  2. Configure the following Tanium Server Proxy Settings and save your changes.
    Proxy Server: IP address of the proxy server.
    Port Number: Port number of the proxy server.
    Proxy Type: Select the proxy type:
    • None (disables the proxy server settings)
    • Basic
    • NTLM
    Proxy User ID: Account username that is used to establish the connection with the proxy server. This field is required if the Proxy Type is Basic. NTLM proxies use the credentials of the user context that runs the Tanium Server service.
    Proxy Password: Password that is used to establish the connection with the proxy server. The password is stored in clear text within the registry.
    Bypass Proxy Host List: If you configure a proxy server, you might need to configure exceptions so that connections to specified hosts do not go through the proxy server.

    For example, do not use a proxy server for traffic between Tanium Servers in an active-active cluster.

    A proxy server can cause problems with other traffic to a destination Tanium Server. For example, a package configuration can specify file URIs that are local to the Tanium Server. It is important to bypass the proxy server for these URIs.

    Use this setting to specify destinations that do not use the proxy servers. In most cases, specify localhost, 127.0.0.1, and all Tanium Server names and IP addresses.

    For example:

    ts1.example.com,ts2.example.com,localhost,127.0.0.1,10.10.10.11,10.10.10.15

    Tanium Core Platform 7.0.314.6242 and later support wildcards.

    Bypass CRL Check Host List: Use this setting to list servers that the Tanium Server can trust without checking the Certificate Revocation List (CRL). Unless a server is specified in this list, the Tanium Server performs a CRL check and does not download files from a server that does not pass.
    Trusted Host List: By default, the Tanium Server validates the SSL/TLS certificate of remote servers when establishing connections to them. To bypass certificate validation for specific servers, enter their FQDN or IP address. Tanium Core Platform 7.0.314.6242 and later support wildcards.

    In a high availability (HA) deployment, enter the IP address or FQDN of each Tanium Server in the HA cluster.

    Consult your TAM before modifying this setting.

    Mirror all changes to Module Server except Trusted Host List and Bypass CRL Check Host List: This option appears only if the Module Server is on a dedicated host that is not shared with the Tanium Server. Enable the option if you want to copy the values for Tanium Server proxy settings to the Module Server Proxy Settings. The only values that are not copied are Bypass CRL Check Host List and Trusted Host List.
  3. Configure the Module Server Proxy Settings and save your changes.
  4. Test the settings by configuring the Validate Proxy Settings fields and clicking Start Download.
    Component: Tanium Server or Module Server.
    File Source:
    • From Tanium: Use predefined settings for a connection to content.tanium.com.
    • From Random Site: Use predefined settings for a connection to www.msftncsi.com.
    • Specify URL/Hash: Configure your own test settings.
    URL: If you selected Specify URL/Hash, specify the URL.
    Hash: If you selected Specify URL/Hash, specify the hash.
    Download Time: If you selected Specify URL/Hash, specify a maximum download time before returning a failure message.

    The Tanium Console returns a message that indicates success or failure. If the test fails, check that the proxy server is up and is configured as expected. Also, check that the Tanium Console settings you specified match the settings that the proxy server expects. The TDownloader log has detailed event messages (see Tanium Core Platform Deployment Reference Guide: Logs).
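The following is an added illustration, not Tanium code, of how the Bypass Proxy Host List and the Validate Proxy Settings check behave: a destination is sent direct when its host is in the bypass list (or is a host-less local file URI), otherwise through the proxy, and a test download passes only if its hash matches within the download time limit. It assumes glob-style wildcard matching and a hex SHA-256 hash, and uses a placeholder proxy address; only the bypass list values come from the page.

```python
import fnmatch
import hashlib
from urllib.parse import urlsplit

# Constructed settings: the bypass list is the page's example; the proxy address
# 10.10.10.1:8080 is a placeholder, not a value from the page.
SETTINGS = {
    "proxy_type": "Basic",  # None, Basic or NTLM
    "proxy_server": "10.10.10.1",
    "port_number": 8080,
    "bypass_proxy_host_list": "ts1.example.com, ts2.example.com,localhost,127.0.0.1,10.10.10.11,10.10.10.15",
}


def parse_host_list(value):
    """Split a comma-separated host list, tolerating stray spaces and mixed case."""
    return [h.strip().lower() for h in value.split(",") if h.strip()]


def host_in_list(host, entries):
    """Assumption: wildcard entries (7.0.314.6242 and later) are glob-style patterns."""
    return any(fnmatch.fnmatchcase(host, pattern) for pattern in entries)


def proxy_for(url, settings):
    """Return 'host:port' of the proxy to use for url, or None for a direct connection."""
    if settings["proxy_type"] == "None":
        return None
    host = (urlsplit(url).hostname or "").lower()
    # Local file URIs in package definitions have no host: never send them to the proxy.
    if not host or host_in_list(host, parse_host_list(settings["bypass_proxy_host_list"])):
        return None
    return "%s:%d" % (settings["proxy_server"], settings["port_number"])


def validate_download(data, expected_hash, download_seconds, max_seconds):
    """Mirror the Validate Proxy Settings outcome for already-fetched bytes.
    Assumption: expected_hash is hex SHA-256 of the file contents."""
    if download_seconds > max_seconds:
        return (False, "download exceeded %d second limit" % max_seconds)
    if hashlib.sha256(data).hexdigest() != expected_hash.lower():
        return (False, "hash mismatch")
    return (True, "success")
```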