Direct Connect requirements

Review the requirements before you install and use Direct Connect.

Core platform dependencies

Make sure that your environment meets the following requirements:

  • Tanium™ Core Platform servers:

    • 7.4.3.1204 or later

    • 7.5.2.3503 or later

  • Tanium™ Appliance:

    (Optional) If you are using a Tanium Appliance for your Zone Server, you must use Tanium operating system (TanOS) 1.5.2 or later.

    • For TanOS 1.5.2 - 1.5.4, you must use the TanOS shell to install the Direct Connect Zone Proxy.
    • For TanOS 1.5.5 and later, you can install the Direct Connect Zone Proxy through the Tanium Operations menu on the Zone Server appliance. For more information, see Appliance Deployment Guide: Install the Direct Connect Zone Proxy. To install the Direct Connect Zone Proxy on a Tanium Appliance with the All-in-One role, use the TanOS shell.
  • Tanium™ Client:

    • Any supported version of Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client Management User Guide: Client version and host system requirements.

    If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.

Solution dependencies

Other Tanium solutions are required for Direct Connect to function. The installation method that you select determines if the Tanium Server automatically imports dependencies or if you must manually import them.

Some Direct Connect dependencies have their own dependencies, which you can see by clicking the links in the lists of Required dependencies. Note that the links open the user guides for the latest version of each solution, not necessarily the minimum version that Direct Connect requires.

Tanium recommended installation

If you select only Direct Connect to import and are using Tanium Core Platform 7.5.2.3531 or later with Tanium Console 3.0.72 or later, the Tanium Server automatically imports the latest available versions of any required dependencies that are missing. If some required dependencies are already imported but their versions are earlier than the minimum required for Direct Connect, the server automatically updates those dependencies to the latest available versions.

If you select only Direct Connect to import and you are using Tanium Core Platform 7.5.2.3503 or earlier with Tanium Console 3.0.64 or earlier, you must manually import or update required dependencies. See Tanium Console User Guide: Import, re-import, or update specific solutions.

Import specific solutions

If you select only Direct Connect to import, you must manually import dependencies. See Tanium Console User Guide: Import, re-import, or update specific solutions.

Required dependencies

Direct Connect has the following required dependency at the specified minimum version:

Client extensions

Tanium Endpoint Configuration installs client extensions for Direct Connect on endpoints. Client Extensions perform tasks that are common to certain Tanium solutions. The Tanium Client uses code signatures to verify the integrity of each client extension prior to loading the extension on the endpoint. Each client extension has recommended security exclusions to allow the Tanium processes to run without interference. See Security exclusions for more information. The following client extensions perform Direct Connect functions:

  • Config CX - Provides installation and configuration of extensions on endpoints. Tanium Client Management installs this client extension.
  • Core CX - Provides a management framework API for all other client extensions and exposes operating system metrics. Tanium Client Management installs this client extension.
  • DEC CX - Provides a direct connection between the endpoint and the Module Server or Tanium Cloud. Tanium Direct Connect installs this client extension.

Tanium Module Server

Direct Connect is installed and runs as a service on the Module Server. The impact on the Module Server is minimal and depends on usage.

For information about Module Server sizing in a Windows deployment, see Tanium Core Platform Deployment Guide for Windows: Host system sizing guidelines.

Endpoints

Supported internet protocols

Direct Connect supports only endpoints that have IPv4 addresses.

Supported operating systems

The following endpoint operating systems are supported with Direct Connect.

Operating System   Version
Windows            • Windows 7 Service Pack 1 or later
                   • Windows Server 2008 R2 Service Pack 1 or later
macOS              Same as Tanium Client support. See Tanium Client Management User Guide: Client version and host system requirements.
Linux              Same as Tanium Client support. See Tanium Client Management User Guide: Client version and host system requirements.

Host and network security requirements

Specific ports and processes are needed to run Direct Connect.

Ports

The following ports, which communicate over HTTPS using TLS 1.2 (RSA 2048-bit), are required for Direct Connect.

  • 17475/TCP, Tanium Client (internal) → Module Server. Used by the Module Server for endpoint connections to internal clients.
  • 17486/TCP, Tanium Client (external) → Zone Server¹ or Tanium Cloud. Used by the Zone Server for endpoint connections to external clients. This port begins listening after the Zone Proxy provisioning process is complete on port 17488. The default port number is 17486. If needed, you can specify a different port number when you configure the zone proxy.
  • 17487/TCP, Module Server → Zone Server¹. Used by the Zone Server for Module Server connections. This port begins listening after the Zone Proxy provisioning process is complete on port 17488. The default port number is 17487. If needed, you can specify a different port number when you configure the zone proxy.
  • 17488/TCP, Module Server → Zone Server¹. Used by the Module Server to provision the Zone Proxy on the Zone Server. After the Zone Proxy is provisioned, used for connection status and diagnostics. On TanOS, the Direct Connect Zone Proxy installer automatically configures the firewall on the Zone Server to open port 17488. You must manually configure the firewall to open this port on Windows. This port number is not configurable.
  • 17477/TCP, Tanium Server → Module Server or Tanium Cloud. The Tanium Server initiates connections to the Module Server or Tanium Cloud on port 17477.

¹ These ports are required only when you use a Zone Server.

Direct Connect supports the following cipher suites for encrypting information in TLS communication:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
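
The port and cipher requirements above, turned into a reachability and TLS-parameter check you can run from a client or server host. This is an added example, not Tanium code: host names are command-line placeholders, the mapping of table rows to hosts is an assumption (Zone Server rows are probed against the zone server argument, all other rows against the module server argument), and the OpenSSL cipher spellings are the names Python's ssl module reports for the four listed IANA suites.

```python
"""Check the Direct Connect network requirements from a given host: TCP
reachability of the required ports and the TLS version and cipher suite each
one negotiates. Added example, not Tanium code; host names are placeholders."""
import socket
import ssl
import sys

# Required ports from the requirements table:
# (source, destination, port, needed only when a Zone Server is deployed).
REQUIRED_PORTS = [
    ("Tanium Client (internal)", "Module Server", 17475, False),
    ("Tanium Client (external)", "Zone Server or Tanium Cloud", 17486, True),
    ("Module Server", "Zone Server", 17487, True),
    ("Module Server", "Zone Server", 17488, True),
    ("Tanium Server", "Module Server or Tanium Cloud", 17477, False),
]

# Supported cipher suites, IANA name -> OpenSSL name (ssl.cipher() reports
# the OpenSSL spelling).
ALLOWED_CIPHERS = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
}
_ALLOWED_NAMES = set(ALLOWED_CIPHERS) | set(ALLOWED_CIPHERS.values())


def required_ports(zone_server=True):
    """Rows of REQUIRED_PORTS that apply; Zone Server rows are dropped when
    no Zone Server is deployed (footnote 1 of the table)."""
    return [row for row in REQUIRED_PORTS if zone_server or not row[3]]


def evaluate_handshake(version, cipher):
    """Judge a negotiated (version, cipher) against the documented requirement:
    TLS 1.2 with one of the four ECDHE AES-GCM suites. Returns (ok, reason)."""
    if version != "TLSv1.2":
        return False, f"negotiated {version}; the requirement is TLS 1.2"
    if cipher not in _ALLOWED_NAMES:
        return False, f"cipher {cipher} is not a supported Direct Connect suite"
    return True, "TLS 1.2 with a supported ECDHE AES-GCM suite"


def tcp_reachable(host, port, timeout=3.0):
    """True when a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_tls(host, port, timeout=3.0):
    """Handshake with host:port and return (version, cipher). Certificate
    verification is disabled because the Tanium services present their own
    certificates; this reports what the server negotiates and is not a trust
    check. Returns (None, error_text) when the handshake fails."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return None, str(exc)


def main(argv):
    # usage: check_dec_ports.py <module-server-host> [<zone-server-host>]
    if len(argv) < 2:
        print(__doc__)
        return 2
    module_server = argv[1]
    zone_server = argv[2] if len(argv) > 2 else None  # placeholder host
    for _src, dest, port, _zone_only in required_ports(zone_server is not None):
        host = zone_server if dest.startswith("Zone Server") else module_server
        if not tcp_reachable(host, port):
            print(f"{host}:{port} ({dest}) not reachable over TCP")
            continue
        version, cipher = probe_tls(host, port)
        if version is None:
            print(f"{host}:{port} ({dest}) TLS handshake failed: {cipher}")
            continue
        ok, reason = evaluate_handshake(version, cipher)
        print(f"{host}:{port} ({dest}) {'OK' if ok else 'CHECK'}: {reason}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_dec_ports.py <module-server> [<zone-server>]`. Ports 17486 and 17487 only start listening after Zone Proxy provisioning completes over 17488, so a TCP failure on those two during a fresh install is expected until provisioning finishes; a handshake that the service rejects is reported rather than raised, so one run covers every row.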

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Direct Connect security exclusions

Module Server
  • Process: <Module Server>\services\direct-connect-service\TaniumDirectConnectService.exe
  • Process: <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe

Zone Server
  • Process: <Tanium Installation Directory>\Tanium Direct Connect Zone Proxy\node.exe
  • Process: <Tanium Installation Directory>\Tanium Direct Connect Zone Proxy\twsm.exe

Windows endpoints
  • File: <Tanium Client>\TaniumClientExtensions.dll
  • File: <Tanium Client>\TaniumClientExtensions.dll.sig
  • File: <Tanium Client>\extensions\TaniumDEC.dll
  • File: <Tanium Client>\extensions\TaniumDEC.dll.sig
  • Process: <Tanium Client>\TaniumCX.exe

macOS endpoints
  • File: <Tanium Client>/libTaniumClientExtensions.dylib
  • File: <Tanium Client>/libTaniumClientExtensions.dylib.sig
  • File: <Tanium Client>/extensions/libTaniumDEC.dylib
  • File: <Tanium Client>/extensions/libTaniumDEC.dylib.sig
  • Process: <Tanium Client>/TaniumCX

Linux endpoints
  • File: <Tanium Client>/libTaniumClientExtensions.so
  • File: <Tanium Client>/libTaniumClientExtensions.so.sig
  • File: <Tanium Client>/extensions/libTaniumDEC.so
  • File: <Tanium Client>/extensions/libTaniumDEC.so.sig
  • Process: <Tanium Client>/TaniumCX
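
The endpoint rows of the exclusions table, as an added script (not Tanium's) that expands the <Tanium Client> placeholder for one platform, lists the exact file and process paths to hand to the AV or EDR administrator, and flags any extension library whose .sig companion is missing on disk. The default install directories are assumptions; pass your own path if the client was installed elsewhere.

```python
"""Expand the Direct Connect endpoint security exclusions for one platform and
report entries that do not exist on disk. Added example, not Tanium code; the
install directories below are assumed defaults, not values from the guide."""
import os
import sys

# Entries from the Direct Connect security exclusions table, relative to the
# <Tanium Client> install directory.
ENDPOINT_EXCLUSIONS = {
    "windows": [
        ("File", "TaniumClientExtensions.dll"),
        ("File", "TaniumClientExtensions.dll.sig"),
        ("File", "extensions\\TaniumDEC.dll"),
        ("File", "extensions\\TaniumDEC.dll.sig"),
        ("Process", "TaniumCX.exe"),
    ],
    "macos": [
        ("File", "libTaniumClientExtensions.dylib"),
        ("File", "libTaniumClientExtensions.dylib.sig"),
        ("File", "extensions/libTaniumDEC.dylib"),
        ("File", "extensions/libTaniumDEC.dylib.sig"),
        ("Process", "TaniumCX"),
    ],
    "linux": [
        ("File", "libTaniumClientExtensions.so"),
        ("File", "libTaniumClientExtensions.so.sig"),
        ("File", "extensions/libTaniumDEC.so"),
        ("File", "extensions/libTaniumDEC.so.sig"),
        ("Process", "TaniumCX"),
    ],
}

# Assumed default install directories (placeholders; adjust to your deployment).
DEFAULT_CLIENT_DIR = {
    "windows": r"C:\Program Files (x86)\Tanium\Tanium Client",
    "macos": "/Library/Tanium/TaniumClient",
    "linux": "/opt/Tanium/TaniumClient",
}
SEPARATOR = {"windows": "\\", "macos": "/", "linux": "/"}


def exclusion_paths(platform, client_dir):
    """Substitute <Tanium Client> with client_dir; returns [(type, path)] in
    table order, so the output can be pasted into an exclusion policy."""
    sep = SEPARATOR[platform]
    base = client_dir.rstrip(sep)
    return [(kind, base + sep + rel) for kind, rel in ENDPOINT_EXCLUSIONS[platform]]


def missing_entries(platform, client_dir, present):
    """Paths from the exclusion list that are absent. `present` is the set of
    paths that exist: build it with os.path.exists on a real endpoint, or pass
    a constructed set for an offline check."""
    return [p for _, p in exclusion_paths(platform, client_dir) if p not in present]


def unsigned_extensions(platform, client_dir, present):
    """Extension libraries whose companion .sig file is absent. The Tanium
    Client verifies each extension's code signature before loading it, so the
    .sig must be present and excluded alongside the library, not instead of it."""
    libs = [p for kind, p in exclusion_paths(platform, client_dir)
            if kind == "File" and not p.endswith(".sig")]
    return [p for p in libs if p + ".sig" not in present]


def main(argv):
    # usage: dec_exclusions.py <windows|macos|linux> [<client-dir>]
    platform = argv[1] if len(argv) > 1 else None
    if platform not in ENDPOINT_EXCLUSIONS:
        print(__doc__)
        return 2
    client_dir = argv[2] if len(argv) > 2 else DEFAULT_CLIENT_DIR[platform]
    paths = exclusion_paths(platform, client_dir)
    present = {p for _, p in paths if os.path.exists(p)}
    for kind, path in paths:
        state = "present" if path in present else "MISSING"
        print(f"{kind:8} {path}  [{state}]")
    for lib in unsigned_extensions(platform, client_dir, present):
        print(f"no signature file beside {lib}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exclusions are deliberately per-file rather than per-directory, matching the table: excluding the whole client directory would also exempt anything later dropped into it, whereas the listed entries cover only the signed extension libraries, their signatures and the extension host process.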

Zone Proxy server requirements

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

If you want to use Direct Connect to connect to endpoints that route to the Module Server through a Zone Server, you must install and configure the Direct Connect Zone Proxy on that Zone Server. For more information, see Configure zone proxies.

For best results, do not use a load balancer in front of your Zone Server. If you must use a load balancer, it must be configured for persistent TCP connections and the port that you configure in the Direct Connect Zone Proxy for the Endpoint Inbound Port must be open on the load balancer. By default, this port is 17486.

User role requirements

The following tables list the role permissions required to use Direct Connect. To review a summary of the predefined roles, see Set up Direct Connect users.

Do not assign the Direct Connect Service Account and Direct Connect Service Account - All Content Sets roles to users. These roles are for internal purposes only.

For more information about role-based access control (RBAC), role permissions, and associated content sets, see Tanium Core Platform User Guide: Managing RBAC.

Direct Connect user role permissions

Roles: Direct Connect Administrator¹ ², Direct Connect User¹, Direct Connect Read Only User¹, Direct Connect Satellite Operator¹, Direct Connect Endpoint Configuration Approver¹ ²

  • Direct Connect Cron (allows performing service account work): not granted to any of these roles
  • Direct Connect Endpoint Configuration (approve Endpoint Configuration items for Direct Connect): APPROVE, granted to one of these roles
  • Direct Connect Logs (access Direct Connect logs): READ, granted to one of these roles
  • Direct Connect Satellite (manage satellites): READ and WRITE, granted to two of these roles
  • Direct Connect Session (access endpoint connections): READ and WRITE for two of these roles, READ only for one role, and WRITE only for one role
  • Direct Connect Settings (access Direct Connect settings): READ and WRITE for one of these roles, READ only for one role
  • Directconnect (view the Direct Connect workbench): SHOW, granted to all five roles

¹ This role provides module permissions for Tanium Interact. You can view which Interact permissions are granted to this role in the Tanium Console. For more information, see Tanium Interact User Guide: Tanium Data Service permissions.

² This role provides module permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration permissions are granted to this role in the Tanium Console. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

Provided Direct Connect platform content permissions

Roles: Direct Connect Administrator, Direct Connect User, Direct Connect Read Only User, Direct Connect Satellite Operator, Direct Connect Service Account, Direct Connect Endpoint Configuration Approver

  • Action: READ and WRITE for two of these roles, READ only for one role
  • Own Action: READ for three of these roles
  • Package: READ and WRITE for one of these roles, READ only for two roles
  • Plugin: READ for all six roles; the Direct Connect Service Account also has EXECUTE
  • Saved Question: READ for all six roles
  • Sensor: READ for three of these roles

You can view which content sets are granted to any role in the Tanium Console.

For more information and descriptions of content sets and permissions, see the Tanium Core Platform User Guide: Users and user groups.