Zero Trust requirements
Review the requirements before you
Core platform dependencies
Make sure that your environment meets the following requirements:
- Tanium license that includes Tanium™ Enforce.
- Tanium™ Core Platform 7.4.2.2063 or later
Solution dependencies
Other Tanium solutions are required for Zero Trust to function (required dependencies) or for specific Zero Trust features to work (feature-specific dependencies). The installation method that you select determines if the Tanium Server automatically imports dependencies or if you must manually import them.
Some Zero Trust dependencies have their own dependencies, which you can see by clicking the links in the lists of Required dependencies and Feature-specific dependencies. Note that the links open the user guides for the latest version of each solution, not necessarily the minimum version that Zero Trust requires.
Tanium recommended installation
If you select Tanium Recommended Installation when you import Zero Trust, the Tanium Server automatically imports all your licensed solutions at the same time. See Tanium Console User Guide: Import all modules and services.
Import specific solutions
If you select only Zero Trust to import and are using Tanium Core Platform 7.5.2.3531 or later with Tanium Console 3.0.72 or later, the Tanium Server automatically imports the latest available versions of any required dependencies that are missing. If some required dependencies are already imported but their versions are earlier than the minimum required for Zero Trust, the server automatically updates those dependencies to the latest available versions.
If you select only Zero Trust to import and you are using Tanium Core Platform 7.5.2.3503 or earlier with Tanium Console 3.0.64 or earlier, you must manually import or update required dependencies. See Tanium Console User Guide: Import, re-import, or update specific solutions.
Required dependencies
Zero Trust has the following required dependencies at the specified minimum versions:
- Tanium™ Core Content 1.3.100 or later
  - Core Content 1.8.5 or later requires Tanium™ Client Management. See Tanium Client Management dependencies.
- Tanium™ Core AD Query Content 3.3.4 or later
- Tanium™ Enforce 1.10 or later
- Tanium™ Interact 2.14.106 or later
- Tanium™ RDB Service 1.2.145 or later
- Tanium™ Secrets Service 1.0.104 or later
- Tanium™ System User Service 1.0.77 or later
Feature-specific dependencies
If you select only Zero Trust to import, you must manually import or update its feature-specific dependencies regardless of the Tanium Console or Tanium Core Platform versions. Zero Trust has the following feature-specific dependencies at the specified minimum versions:
- Tanium™ Connect 5.0 or later is required to export audit data
Tanium™ Module Server
Zero Trust is installed and runs as a service on the Module Server host computer. The impact on the Module Server is minimal and depends on usage.
For information about Module Server sizing in a Windows deployment, see Tanium Core Platform Deployment Guide for Windows: Host system sizing guidelines.
Endpoints
Supported Internet protocols
Zero Trust supports IPv4 and IPv6 addresses.
Supported operating systems
The following endpoint operating systems are supported with Zero Trust.
Operating System | Version | Notes |
---|---|---|
Windows | Same as Tanium Client support. | See Tanium Client Management User Guide: Client version and host system requirements. |
macOS | Same as Tanium Client support. | See Tanium Client Management User Guide: Client version and host system requirements. |
Linux | Ubuntu Desktop 22.04 LTS and later | Endpoints must meet the Entra ID requirements listed at Microsoft: Get started with Linux enrollment |
Host and network security requirements
Specific ports and processes are needed to run Zero Trust.
Ports
The following ports are required for Zero Trust communication.
Source | Destination | Port | Protocol | Purpose |
---|---|---|---|---|
Module Server | Module Server (loopback) | 17612 | TCP | Internal purposes, not externally accessible |
Module Server | Microsoft Entra ID | 443 | TCP | Send trust data to Entra ID |
Tanium Cloud | Microsoft Entra ID | 443 | TCP | Send trust data to Entra ID |
Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.
For Tanium Cloud ports, see Tanium Cloud Deployment Guide: Host and network security requirements.
Security exclusions
If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.
Target Device | Notes | Exclusion Type | Exclusion |
---|---|---|---|
Module Server | | Process | <Module Server>\services\zero-trust-service\TaniumZeroTrustService.exe |
Beyond the Module Server process listed above, Zero Trust requires no other specific security exclusions.
Internet URLs
If security software is deployed in the environment to monitor and block unknown URLs, allow the following URLs on the Tanium Module Server:
IAM provider | URL |
---|---|
Microsoft Entra ID | https://graph.microsoft.com/v1.0/devices |
https://login.microsoftonline.com/ |
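The following pre-flight script is an added example, not Tanium code, that checks the host and network requirements above from a Windows Module Server: outbound TCP 443 to the two Entra ID hosts, the loopback listener on TCP 17612, the presence of the service executable at the path used in the exclusions table, and (as one concrete AV example) whether Microsoft Defender already carries a process exclusion for it. The installation root `C:\Program Files\Tanium\Tanium Module Server` is an assumption; adjust it to match the deployment. Run it in an elevated PowerShell session.

```powershell
# Added pre-flight check for Zero Trust host and network requirements (not Tanium code).
# Run in an elevated PowerShell session on the Windows Tanium Module Server host.

# Assumed installation root; change it if the Module Server is installed elsewhere.
$ModuleServerRoot = 'C:\Program Files\Tanium\Tanium Module Server'
$ServiceExe = Join-Path $ModuleServerRoot 'services\zero-trust-service\TaniumZeroTrustService.exe'

# Hosts from the Internet URLs table; both are reached over TCP 443.
$EntraHosts   = @('graph.microsoft.com', 'login.microsoftonline.com')
$LoopbackPort = 17612

$results = New-Object System.Collections.Generic.List[object]

function Add-Result {
    param([string]$Check, [string]$Result, [string]$Detail)
    # $results is a reference type, so the list created above is updated in place.
    $results.Add([pscustomobject]@{ Check = $Check; Result = $Result; Detail = $Detail })
}

# 1. Outbound HTTPS to the Entra ID endpoints. This is a direct TCP test; if the
#    Module Server egresses through a proxy, test the proxy address instead.
foreach ($h in $EntraHosts) {
    $t = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue -ErrorAction SilentlyContinue
    $status = if ($t -and $t.TcpTestSucceeded) { 'PASS' } else { 'FAIL' }
    $detail = if ($t -and $t.RemoteAddress) { "resolved to $($t.RemoteAddress)" } else { 'name resolution or connect failed' }
    Add-Result -Check "Outbound TCP 443 to $h" -Result $status -Detail $detail
}

# 2. Loopback listener for the service itself. It only exists once the Zero Trust
#    service is installed and started, so its absence is a WARN rather than a FAIL.
$listeners = @(Get-NetTCPConnection -LocalPort $LoopbackPort -State Listen -ErrorAction SilentlyContinue)
if ($listeners.Count -eq 0) {
    Add-Result -Check "TCP $LoopbackPort listener" -Result 'WARN' -Detail 'not listening (service not installed or not started?)'
} else {
    $addrs = ($listeners | ForEach-Object LocalAddress | Sort-Object -Unique) -join ', '
    # The port is documented as internal and not externally accessible, so a bind to
    # anything other than a loopback address deserves a look at the host firewall.
    $nonLoopback = $listeners | Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') }
    $status = if ($nonLoopback) { 'WARN' } else { 'PASS' }
    Add-Result -Check "TCP $LoopbackPort listener" -Result $status -Detail "bound to $addrs"
}

# 3. Service binary present at the path used in the security exclusions table.
$exeStatus = if (Test-Path -LiteralPath $ServiceExe) { 'PASS' } else { 'WARN' }
Add-Result -Check 'Zero Trust service executable' -Result $exeStatus -Detail $ServiceExe

# 4. Microsoft Defender process exclusion, as one example of the AV exclusion the
#    requirements call for. Other AV products need their own equivalent check.
try {
    $excl = @((Get-MpPreference -ErrorAction Stop).ExclusionProcess | Where-Object { $_ })
    $status = if ($excl -contains $ServiceExe) { 'PASS' } else { 'WARN' }   # -contains is case-insensitive for strings
    Add-Result -Check 'Defender process exclusion' -Result $status -Detail "$($excl.Count) process exclusion(s) configured"
} catch {
    Add-Result -Check 'Defender process exclusion' -Result 'SKIP' -Detail 'Get-MpPreference unavailable (Defender not present?)'
}

$results | Format-Table -AutoSize
# Non-zero exit lets the script gate an automated deployment pipeline.
if ($results.Result -contains 'FAIL') { exit 1 }
```

Only the outbound 443 checks produce a hard FAIL, because those are the requirements that cannot be satisfied after the fact; the listener and exclusion checks are WARN so the script is also useful before the service has been imported.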
User role requirements
The following tables list the role permissions required to use Zero Trust. To review a summary of the predefined roles, see Configuring Zero Trust.
Do not assign the Zero Trust Service Account and Zero Trust Service Account - All Content Sets roles to users. These roles are for internal purposes only.
For more information about role permissions and associated content sets, see Tanium Console User Guide: Managing RBAC.
Permission | Zero Trust Operator¹ | Zero Trust User¹ |
---|---|---|
Zero Trust: View the Zero Trust workbench | SHOW, SHOW OPERATOR, SHOW USER | SHOW, SHOW USER |
Zero Trust Microsoft Entra ID Audit: View all Entra ID audit log entries, regardless of computer management group permissions | READ | |
Zero Trust Microsoft Entra ID Config: View and edit Entra ID configuration in Zero Trust | READ, WRITE | READ |
Zero Trust Microsoft Entra ID Current Audit: View the current Entra ID log | READ | READ |
Zero Trust Microsoft Entra ID Manual Rules: Manually apply Entra ID rules | WRITE | |
Zero Trust Microsoft Entra ID Rules: View and edit Entra ID rules | READ, WRITE | READ |
¹ This role provides module permissions for Tanium Interact. You can view which Interact permissions are granted to this role in the Tanium Console. For more information, see Tanium Interact User Guide: Tanium Data Service permissions.
Permission | Zero Trust Operator¹ | Zero Trust User¹ |
---|---|---|
Filter Group | READ | READ |
Plugin | READ, EXECUTE | READ, EXECUTE |
Sensor | READ | READ |
To view which content set permissions are granted to a role, see Tanium Console User Guide: View effective role permissions.
Last updated: 9/22/2023 8:57 AM