Configuring proxy server settings

Tanium as a Service deployments include a customer-specific proxy server that allows the destinations that are required for Tanium modules to work. Contact Tanium Support to request additional allowed destinations.

Some organizations use proxy servers for traffic between internal servers and the Internet. If your organization uses proxies and its security policy does not allow Tanium Core Platform servers to access Internet locations directly, you can configure access through the proxies. The Tanium Server connects to the Internet to download content updates from Tanium and to download necessary files from other trusted suppliers. The Tanium Module Server connects to the Internet to download module software updates from Tanium. Individual Tanium modules might also have requirements to access the Internet.

To configure Tanium Client 7.4 or later to connect through a Hypertext Transfer Protocol Secure (HTTPS) proxy server to the Tanium Server or Tanium Zone Server, see Tanium Client Management User Guide: Connect through an HTTPS proxy server.

Only users who have the Administrator reserved role can see and use the Configuration > Common > Proxy Settings page.

For a list of external sites that Tanium Core Platform servers access, see Tanium Core Platform Deployment Reference Guide: Internet URLs required.

A destination server might have its own requirements, such as certificate authentication or user authentication. For information about configuring advanced options for these requirements, see Tanium Support KB: TDownloader.

Figure 1: Tanium deployment with proxy server

Types of proxy servers

The Tanium Core Platform supports two types of proxies:

  • Basic: A strictly IP address-based proxy server allows a specified list of servers to traverse the proxy and access the network or Internet. Add the IP addresses or fully qualified domain names of the Tanium Server and Module Server to the access list of the proxy server. If the proxy server requires authentication, configure the account ID and password.
  • NTLM: If the proxy server is set up to use Microsoft NT LAN Manager (NTLM), and you configure the Tanium Server service to run in the context of a service account that has sufficient permissions to traverse the proxy server, you do not have to configure an account ID and password.

Configure proxy server settings

In most cases, the best practice is to use the Tanium Console to configure proxy settings, as follows. However, if you need to configure proxy settings before you have access to the Tanium Console, you can configure proxy settings on the Tanium Server or Module Server host as described in the Tanium Core Platform Deployment Reference Guide: Proxy server settings.

The proxy server configuration is stored in configuration files on the Tanium Server host. Tanium Servers do not automatically synchronize the configuration files in an active-active deployment. If you change these settings, be sure to perform the procedure on both Tanium Servers in the active-active cluster.

  1. From the Main menu, go to Administration > Configuration > Proxy Settings.
  2. Configure the following Tanium Server Proxy Settings and click Save.

    Proxy Server: IP address of the proxy server.

    Proxy User ID: Account username that is used to establish the connection with the proxy server. This field is required if the Proxy Type is Basic. NTLM proxies use the credentials of the user context that runs the Tanium Server service.

    Proxy Type: Select the proxy type:
      • None (disables the proxy server settings)
      • Basic
      • NTLM

    Port Number: Port number of the proxy server.

    Proxy Password: Password that is used to establish the connection with the proxy server. The password is stored in clear text within the registry.

    Bypass Proxy Host List: If you configure a proxy server, you might need to configure exceptions so that connections to specified hosts do not go through the proxy server.

      For example, do not use a proxy server for traffic between Tanium Servers in an active-active cluster.

      A proxy server can cause problems with other traffic to a destination Tanium Server. For example, a package configuration can specify file URIs that are local to the Tanium Server. It is important to bypass the proxy server for these URIs.

      Use this setting to specify destinations that do not use the proxy servers. In most cases, specify localhost,, and all Tanium Server names and IP addresses.

      For example:,,localhost,,,

      Tanium Core Platform 7.0.314.6242 and later support wildcards.

    Bypass CRL Check Host List: Use this setting to list servers that the Tanium Server can trust without checking the Certificate Revocation List (CRL). Unless a server is specified in this list, the Tanium Server performs a CRL check and does not download files from a server that does not pass.

    Trusted Host List: By default, the Tanium Server validates the SSL/TLS certificate of remote servers when establishing connections to them (such as for downloading files). To bypass certificate validation for specific servers, enter their FQDN or IP address. Tanium Core Platform 7.0.314.6242 and later support wildcards. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).

      In an active-active deployment, you do not need to add the Tanium Servers to the list. The servers automatically trust each other, as well as traffic from or localhost.

      Contact Tanium Support before modifying this setting.

    Mirror all changes to Module Server except Trusted Host List and Bypass CRL Check Host List: This option appears only if the Module Server is on a dedicated host that is not shared with the Tanium Server. Enable the option if you want to copy the values for Tanium Server proxy settings to the Module Server Proxy Settings. The only values that are not copied are Bypass CRL Check Host List and Trusted Host List.

  3. Configure the Module Server Proxy Settings and click Save.
  4. Test the settings by configuring the Validate Proxy Settings fields and clicking Start Download.

    Component: Tanium Server or Module Server.

    File Source:
      • From Tanium—Use predefined settings for a connection to
      • From Random Site—Use predefined settings for a connection to
      • Specify URL/Hash—Configure your own test settings.

    URL: If you selected Specify URL/Hash, specify the URL.

    Hash: If you selected Specify URL/Hash, specify the hash.

    Download Time: If you selected Specify URL/Hash, specify a maximum download time before returning a failure message.

    The Tanium Console returns a message that indicates success or failure. If the test fails, check that the proxy server is up and is configured as expected. Also, check that the Tanium Console settings you specified match the settings that the proxy server expects. The TDownloader log has detailed event messages (see Tanium Core Platform Deployment Reference Guide: Logs).
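
The settings above carry several rules that are easy to miss when the same values are entered by hand on two servers. The following is an added example, not Tanium code, of a pre-change review check for those rules plus a drift comparison for an active-active pair. It assumes each server's values are transcribed into a dict keyed by the Console field labels and that `*` is the wildcard character; the function names, host names, and sample values are hypothetical.

```python
import ipaddress

# Assumption: settings are transcribed by hand into a dict keyed by the
# Console field labels; this is not a Tanium file format or API.
def is_bare_ipv6(entry):
    """True for an IPv6 literal that is missing the required [brackets]."""
    try:
        return ipaddress.ip_address(entry).version == 6
    except ValueError:
        return False

def review(settings, tanium_servers=()):
    """Return sorted (severity, message) findings for one server's settings."""
    out = set()
    ptype = settings.get("Proxy Type", "None")
    if ptype == "Basic" and not settings.get("Proxy User ID"):
        out.add(("error", "Proxy User ID is required for Proxy Type Basic"))
    if ptype == "Basic" and settings.get("Proxy Password"):
        out.add(("warn", "Proxy Password is kept in clear text in the registry"))
    if ptype != "None":
        bypass = {h.lower() for h in settings.get("Bypass Proxy Host List", [])}
        for host in ("localhost", *tanium_servers):
            if host.lower() not in bypass:
                out.add(("warn", f"Bypass Proxy Host List lacks {host}"))
    for field in ("Trusted Host List", "Bypass CRL Check Host List"):
        for entry in settings.get(field, []):
            out.add(("warn", f"{field}: {entry} is exempt from a TLS trust check"))
            if "*" in entry:  # assumption: '*' is the wildcard character
                out.add(("warn", f"{field}: wildcard {entry} widens the exemption"))
            if field == "Trusted Host List" and is_bare_ipv6(entry):
                out.add(("error", f"{field}: write {entry} as [{entry}]"))
    return sorted(out)

def drift(server_a, server_b):
    """Fields that differ between the two servers of an active-active pair."""
    return sorted(k for k in set(server_a) | set(server_b)
                  if server_a.get(k) != server_b.get(k))

# Constructed sample values (documentation address ranges, example names).
TS1 = {"Proxy Type": "Basic", "Proxy Server": "192.0.2.10", "Port Number": 3128,
       "Proxy User ID": "", "Proxy Password": "example-only",
       "Bypass Proxy Host List": ["localhost", "ts1.example.com"],
       "Trusted Host List": ["2001:db8::1", "*.example.net"]}
TS2 = {**TS1, "Proxy User ID": "svc-proxy", "Trusted Host List": []}

if __name__ == "__main__":
    for sev, msg in review(TS1, ["ts1.example.com", "ts2.example.com"]):
        print(f"{sev:5} {msg}")
    print("differs between TS1 and TS2:", drift(TS1, TS2))
```

Any field reported by `drift` needs the procedure repeated on the other Tanium Server, because the servers do not synchronize these settings themselves.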