Configuring proxy server settings

The Tanium™ Server must be able to connect to the Internet to download content updates from Tanium and necessary files from other trusted suppliers.

The Tanium™ Module Server must be able to connect to the Internet to download solution module software updates from Tanium, and the solution modules themselves might have requirements to access the Internet.

For a list of sites the Tanium Server accesses, see Internet access (direct or by proxy).

Types of proxy servers

If your enterprise security policy does not allow the Tanium platform servers to access these locations directly, check to see whether your organization uses proxy servers to access the Internet. Tanium Server supports two types of proxies:

  • Basic

    Basic proxies might require authentication. A strictly IP-address-based proxy server allows a specified list of servers to traverse the proxy and access the network or Internet. Add the IP address or hostname of the Tanium Server to the access list of the proxy server.

    If the proxy server requires authentication, you can configure the account ID and password.

  • NTLM

    If the proxy server is set up to use NTLM, and you configure the Tanium Server service to run in the context of a service account that has sufficient privileges to traverse the proxy server, you do not have to configure account ID and password.

The proxy server configuration is stored in configuration files on the Tanium Server host computer. The configuration files are not automatically synced to other cluster nodes. If you make changes to these settings in active-active deployments, be sure to perform the procedure on both nodes.

Configure and test proxy server settings

  1. Go to Configuration > Common > Proxy Settings.
  2. Use the Tanium Server Proxy Settings box to specify proxy settings for the Tanium Server connections.
  3. Proxy Server: IP address of the proxy server.
    Proxy User ID: Account username to establish the connection with the proxy server. Required if a Basic proxy is configured. NTLM proxies use the credentials of the user context that runs the Tanium Server service.
    Proxy Type
    • BASIC
    • NTLM
    Port Number: Port number of the proxy server.
    Proxy Password: The password is stored in clear text within the registry.
    Bypass Proxy Host List: If you configure a proxy server, you might need to configure exceptions so that connections to specified hosts do not go through the proxy server.

    For example, a proxy server should not be used for traffic between Tanium Servers in an active-active cluster.

    A proxy server can cause problems with other traffic to a destination Tanium Server. For example, a package configuration can specify file URIs that are local to the Tanium Server. It is important to bypass the proxy server for these URIs.

    Use this setting to specify destinations that should not use the proxy servers. In most cases, specify localhost, 127.0.0.1, and all Tanium Server names and IP addresses.

    For example:

    ts1.example.com, ts2.example.com,localhost,127.0.0.1,10.10.10.11,10.10.10.15

    Version 7.0.314.6242 and later support wildcards.

    Bypass CRL Check Host List: Use this setting to list servers that should be trusted without CRL checking. Unless a server is specified in this list, the Tanium Server performs a CRL check and does not download files from a server that does not pass.
    Trusted Host List: Unless a server is specified in this list, the Tanium Server does not download files from a server without a valid SSL certificate.

    Add the FQDN or IP address of any servers you want to trust. In an Active/Active cluster, specify the FQDN for both Tanium Servers. Version 7.0.314.6242 and later support wildcards.

  4. Optional. To populate these settings to the Module Server form on this page, select Mirror Changes to Module Server.
  5. Save your changes.
  6. Use the Module Server Proxy Settings box to specify proxy settings for the Module Server connections.
  7. Save your changes.
  8. Use the Validate Proxy Settings box to configure a test for your settings.
  9. Component: Tanium Server or Module Server.
    File Source
    • From Tanium—Use predefined settings for a connection to content.tanium.com.
    • From Random Site—Use predefined settings for a connection to www.msftncsi.com.
    • Specify URL/Hash—Configure your own test settings.
    URL: If you selected Specify URL/Hash, specify the URL.
    Hash: If you selected Specify URL/Hash, specify the hash.
    Download Time: If you selected Specify URL/Hash, specify a maximum download time before returning a failure message.
  10. Click Start Download.

The Tanium Console returns a message that indicates success or failure. If the test fails, check that the proxy server is up and is configured as expected. Also, check that the Tanium settings you specified match the settings that are expected by the proxy server. The TDownloader log has detailed event messages.
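Because the proxy configuration is not synced between cluster nodes, the Bypass Proxy Host List can drift or lose a required entry on one node. The following audit is an added example, not Tanium code: it takes the list value copied from each node's Proxy Settings page and reports uncovered hosts and differences between nodes. The function names, node labels and sample values are hypothetical, and wildcard entries are assumed to behave like shell-style globs.

```python
"""Added example (not Tanium code): audit Bypass Proxy Host List values from two nodes."""
from fnmatch import fnmatch

# Entries the page says to bypass in most cases, besides the Tanium Servers themselves.
ALWAYS_BYPASS = ["localhost", "127.0.0.1"]

def parse_host_list(raw):
    """Split a comma-separated host list, tolerating stray spaces and empty items."""
    return [item.strip().lower() for item in raw.split(",") if item.strip()]

def covered(host, entries):
    """True if any list entry matches the host."""
    # Assumption: wildcard entries behave like shell-style globs (* and ?).
    return any(fnmatch(host.lower(), entry) for entry in entries)

def audit_bypass_lists(node_lists, tanium_servers):
    """Return (missing, drift), each a dict keyed by node label."""
    parsed = {node: parse_host_list(raw) for node, raw in node_lists.items()}
    required = ALWAYS_BYPASS + [h.lower() for h in tanium_servers]
    # missing: required hosts that a node's list does not cover.
    missing = {}
    for node, entries in parsed.items():
        gaps = [h for h in required if not covered(h, entries)]
        if gaps:
            missing[node] = gaps
    # drift: entries configured on some other node but absent on this one.
    union = set().union(*parsed.values())
    drift = {}
    for node, entries in parsed.items():
        absent = sorted(union - set(entries))
        if absent:
            drift[node] = absent
    return missing, drift

# Constructed sample: ts1 carries the page's example list, ts2 was edited separately.
SAMPLE = {
    "ts1": "ts1.example.com, ts2.example.com,localhost,127.0.0.1,10.10.10.11,10.10.10.15",
    "ts2": "*.example.com, localhost,10.10.10.11",
}
SERVERS = ["ts1.example.com", "ts2.example.com", "10.10.10.11", "10.10.10.15"]

if __name__ == "__main__":
    missing, drift = audit_bypass_lists(SAMPLE, SERVERS)
    print("missing:", missing)
    print("drift:", drift)
```

The same comparison applies to the Trusted Host List and Bypass CRL Check Host List, where an entry present on only one node means that node skips a certificate check the other still performs.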

Only users assigned the Administrator reserved role can see and use the Configuration pages.

Last updated: 10/22/2018 2:38 PM