Tanium 6.x: Port Requirements for Tanium Core Platform 6.5 and earlier

The network requirements for Tanium Core Platform 6.5 and earlier are described below. For details on Tanium Core Platform 7.0 requirements, see Network ports.

For the Tanium environment to function at an optimal level, you may need to submit a request to update firewall rules on any internal or endpoint firewalls that block the client-to-server or peer-to-peer TCP communication on the ports designated for system communication, by default 17472. Properly defined firewall rules ensure that the majority of the communication in the environment is over the local area network (LAN) instead of the wide area network (WAN), which is typically over-utilized and bottlenecked.

Tanium Server v6.2 or lower

The Tanium Server acts as the central hub of communication in the Tanium environment. The server both accepts communication from the Tanium Clients and the Tanium Console and initiates connections to the SQL Server database as well as any Zone Servers.

Client-to-Server Communications

Communication between the Clients and the Server runs in the opposite direction from what the workflow suggests. When you ask a Question through the Tanium Console, it would seem logical for the Server to reach out and issue the Question to the Clients. Instead, the clients check in to the Tanium Server. In the peer-to-peer model, the clients that are "reflecting" (see System Status for more details) connect to the Tanium Server, originating the connection from an ephemeral TCP port (>1024) to the port on which the Tanium Server listens, TCP 17472 by default. The Tanium Clients establish and maintain these reflection pipes at the beginning and end of each peer-to-peer chain.

In addition to the "reflection" connections, clients periodically initiate contact with the Tanium Server, again from an ephemeral TCP port (>1024) to TCP port 17472 by default, to perform the client registration process: the client checks in to report information about itself and to pick up any platform configuration updates, peer-to-peer ring changes, and so on.

Because the Server never initiates connections to clients, firewall rules need to allow only Client-to-Server communication. In a deployment that uses the Tanium Zone Server, however, the Zone Server Hub service, typically installed on the Tanium Server device, must be allowed to connect to the Zone Server devices, originating from an ephemeral TCP port (>1024) to TCP port 17472, as explained in the later section Server-to-Zone Server Communications.

Port Needed: Tanium Clients to Tanium Server originating on ephemeral TCP ports (>1024) to the Tanium Server listening on TCP port 17472.

Network firewall rules
  • Allow TCP traffic originating on ephemeral ports (>1024) to TCP port 17472 from any computer to be managed on the internal network to the Tanium Server device

Console-to-Server Communications

The Tanium Console is an Adobe Flash based application that runs from any device with a browser that has Adobe Flash Player 11.5 or higher. For security, both the Console (TCP) and SOAP communication to the Tanium Server is SSL encrypted, so the Tanium Server installer configures the underlying Apache server to listen for Console requests on port 443 and SOAP requests on port 444. If another installed application is already listening on port 443 or 444, you can designate different ports for the Console and SOAP communication when installing the Tanium Server.

Port Needed: Tanium Console to Tanium Server originating on TCP ephemeral ports (>1024) to TCP ports 443 and 444.

Network firewall rules
  • Allow TCP traffic originating on ephemeral ports (>1024) to TCP port 443 from any computer on the internal network to the Tanium Server device
  • Allow TCP traffic originating on ephemeral ports (>1024) to TCP port 444 from any computer on the internal network to the Tanium Server device

Server-to-Database Communications

The Tanium Server can use either a SQL Server RDBMS installed locally to the same device as the Tanium Server application or a remote dedicated or shared SQL Server instance. Using a local SQL Server database typically requires no changes to network firewall rules since all communication remains on the Tanium application server device. To access database resources installed to a remote device, however, the Tanium Server service communicates, originating on ephemeral TCP ports (>1024) to the SQL Server listening by default on TCP port 1433.

Port Needed: Tanium Server to Remote SQL Server originating on ephemeral TCP ports (>1024) to the SQL Server listening on TCP port 1433.

Network firewall rules
  • Allow TCP traffic originating on TCP ephemeral ports (>1024) to TCP port 1433 from the Tanium Server device to the remote device hosting the SQL Server RDBMS

Server-to-Zone Server Communications

If you are using the Tanium Zone Server to proxy traffic from Tanium-managed computers on less trusted network segments to the Tanium Server on the core network, then the Tanium Zone Server Hub, typically installed to the Tanium Server device, must be able to connect to the Zone Server(s) in the DMZ. This is the only configuration that requires you to allow outbound traffic originating on ephemeral TCP ports (>1024) from the Tanium Server device to the Tanium Zone Server(s) listening by default on TCP port 17472. The ZoneServerList.txt configuration file located in the Tanium Zone Server Hub's installation folder identifies the addresses of the destination Zone Servers. See the Zone Server Configuration page for more details.

Port Needed: Tanium Server originating on TCP ephemeral ports (>1024) to the Tanium Zone Server listening by default on TCP port 17472.

Network firewall rules
  • Allow TCP traffic originating on TCP ephemeral ports (>1024) on the Tanium Zone Server Hub, usually the Tanium Server device, to the destination DMZ device(s) hosting the Zone Server(s), listening by default on TCP port 17472.
Endpoint firewall rules - for additional security, configure the following endpoint firewall rules
  • Allow TCP traffic outbound on TCP ephemeral ports (>1024) from only the Zone Server Hub process running on the Tanium Server device
  • Allow inbound TCP traffic from the ephemeral range (>1024) to TCP port 17472 to only the Zone Server process running on the designated Zone Server device(s).

Tanium Client

Client-to-Client Communications

In addition to the client-to-server TCP communication on port 17472, Tanium Clients also communicate with other Tanium-managed computers, originating on the ephemeral port range (>1024) to TCP port 17472. The Tanium environment can perform hundreds or thousands of times faster than other security or systems management tools because the Tanium Clients communicate in secure, linearly controlled peer-to-peer rings. Because clients dynamically communicate with nearby agents based on proximity and latency, rings tend to form automatically to match a customer's topology: endpoints in California form one ring while endpoints in Germany form a separate ring. With this dynamic configuration in mind, you must allow bi-directional TCP communication originating in the ephemeral range (>1024) to TCP port 17472 between clients on the same local area network, but not necessarily between all clients on the internal network.

Port Needed: Tanium Clients or Zone Clients originating in the TCP ephemeral range (>1024) to TCP port 17472.

Network firewall rules
  • Allow TCP traffic originating in ephemeral ports (>1024) to TCP port 17472 from any computer to be managed on a local area network to any other computer to be managed on the same local area network.

Client-to-Zone Server Communications

In customer environments using the Tanium Zone Server, a Tanium Client may be configured to point to a Zone Server instead of a Tanium Server. The communication requirements for these Clients are identical to the Client-to-Server requirements; in fact, Clients don't know the difference between Zone Servers and Servers!

Port Needed: Tanium Clients to Zone Server originating on TCP ephemeral ports (>1024) to TCP port 17472.

Network firewall rules to manage devices within a DMZ
  • Allow TCP traffic originating on ephemeral ports (>1024) to TCP port 17472 from any DMZ computer to be managed to any other computer to be managed within the same DMZ
Network firewall rules to manage devices on the Internet that have no VPN connection to the core network
  • Allow TCP traffic originating on ephemeral ports (>1024) to TCP port 17472 from any computer on the Internet to the Zone Server in the DMZ designated to proxy traffic from off-network devices
Endpoint firewall rules
  • For additional security, configure the endpoint firewall on any Zone Server device(s) to allow inbound TCP traffic originating in the ephemeral range (>1024) to TCP port 17472 to only the Zone Server process

Tanium Client Deployment using the Tanium Client Deployment Tool

The Tanium Client Deployment Tool (CDT) allows you to target the Tanium Client for installation on designated endpoints. The CDT can be installed and run from any Windows workstation or server in the target domain. This deployment mechanism isn't required, since there are other ways of deploying the Tanium Client (e.g., existing software distribution mechanisms, ePO EEDK, GPO, etc.), but it does require a couple of items to be configured for it to succeed. More information about the CDT can be found here - https://docs.tanium.com/client/client/client_deployment_tool.html

The Client Deployment Tool copies the necessary installation files to the root drive via the \\{machine_name}\c$ UNC path. For that to work, the Admin user must have sufficient privileges to access the machine's admin share, file sharing must be enabled on the endpoint, and TCP ports 135 and 445 must be open to it.

In most AD environments, admin shares are already available. For standalone machines that have not joined a domain, however, you may need to make the C$ share reachable by a user with sufficient privileges. Admin shares are not available in Home editions of Windows, but are available in all other editions. On Windows XP they work by default. On Windows 7 and 8 the shares exist, but UAC remote restrictions filter the token of a local (non-domain) Administrators member connecting over the network, so access to C$ is denied. Setting the following registry value (and rebooting) disables that filtering:

Hive: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\Windows\CurrentVersion\Policies\System
Name: LocalAccountTokenFilterPolicy
Data Type: REG_DWORD
Value: 1

Treat this as a deployment-window change rather than a permanent setting: with the value set, any local administrator credential (or its hash) grants full remote administrative access to the machine, which is exactly the lateral-movement path the restriction exists to close. Remove the value once the rollout is finished.

Next, the tool uses either Microsoft PsExec (the default) or WMIC to run the installer remotely on the endpoint. In either case the Admin user must have sufficient privileges to execute commands remotely. If you use PsExec, check with your AV/endpoint protection suite first, because PsExec is frequently blocked. If you use WMIC, ensure the following Windows Firewall rules are enabled on the endpoint:

  • Windows Firewall Remote Management (RPC-EPMAP)
  • Windows Management Instrumentation (WMI-In)

Note that WMI over DCOM only starts on TCP 135 (the RPC endpoint mapper); the endpoint then hands the session to a port from its dynamic RPC range, so any firewall between the CDT host and the endpoint must pass that range as well.

Port Needed: Tanium Client Deployment Tool to Endpoints over TCP ports 135 and 445.
Endpoint Configuration Needed: ICMP and File and Printer Sharing must be allowed, plus the RPC-EPMAP and WMI-In firewall rules for the WMIC deployment method.

Port Configuration 6.5

For the Tanium environment to function at an optimal level, you may need to submit a request to update firewall rules on any internal or endpoint firewalls that block the client-to-server or peer-to-peer TCP communication on the ports designated for system communication, by default 17472. Properly defined firewall rules ensure that the majority of the communication in the environment is over the local area network (LAN) instead of the wide area network (WAN), which is typically over-utilized and bottlenecked. The network requirements for the Tanium Server, Zone Server, Clients, and Console are described below.

Tanium Server v6.5 or higher

The Tanium Server acts as the central hub of communication in the Tanium environment. The server both accepts communication from the Tanium Clients and the Tanium Console and initiates connections to the SQL Server database as well as any Zone Servers.


Client-to-Server Communications

Communication between the Clients and the Server runs in the opposite direction from what the workflow suggests. When you ask a Question through the Tanium Console, it would seem logical for the Server to reach out and issue the Question to the Clients. Instead, the clients check in to the Tanium Server. In the peer-to-peer model, the clients that are "reflecting" (see System Status for more details) connect to the Tanium Server, originating on TCP ephemeral ports (>1024) to TCP port 17472. The Tanium Clients establish and maintain these reflection pipes at the beginning and end of each peer-to-peer chain.

In addition to the "reflection" connections, clients periodically initiate contact with the Tanium Server, again from the TCP ephemeral range (>1024) to TCP port 17472, to perform the client registration process: the client checks in to report information about itself and to pick up any platform configuration updates, peer-to-peer ring changes, and so on.

Because the Server never initiates connections to clients, firewall rules need to allow only Client-to-Server communication. In a deployment that uses the Tanium Zone Server, however, the Zone Server Hub service, typically installed on the Tanium Server device, must be allowed to connect to the Zone Server devices, originating from the TCP ephemeral range (>1024) to TCP port 17472, as explained in the later section Server-to-Zone Server Communications.

Customers using the Tanium Trace tools must also allow a connection from the Tanium Client to the Tanium Module Server for the Direct Connect and Snapshot upload functions. Direct Connect is supported for Internet or Zone Server clients through the Trace Zone Proxy.

Port Needed: Tanium Clients to Tanium Server originating the connection from the TCP ephemeral range (>1024) to TCP port 17472.

Port Needed: Tanium Trace Clients to Tanium Module Server originating on TCP ephemeral ports (>1024) to TCP port 17444.

Network firewall rules
  • Allow TCP traffic originating on TCP ephemeral ports (>1024) to TCP port 17472 from any computer to be managed on the internal network to the Tanium Server device
  • Allow TCP traffic originating on ephemeral ports (> 1024) to TCP port 17444 from any computer to be managed on the internal network to the Tanium Module Server device (**Trace Direct Connect Only**)

Console-to-Server Communications

The Tanium Console is an HTML5/Adobe Flash based application that runs from any device with a browser that has Adobe Flash Player 11.5 or higher. For security, both the Console (TCP) and SOAP communication to the Tanium Server is SSL encrypted, so the Tanium Server installer configures the server to listen for Console and SOAP requests on port 443. If another installed application is already listening on port 443, you can designate a different port for the Console and SOAP communication when installing the Tanium Server.

Port Needed: Tanium Console to Tanium Server originating on TCP ephemeral ports (>1024) to TCP port 443, and to the Tanium Module Server on TCP port 17440 (Patch workbench) and TCP port 17443 (Trace workbench; see the Module Server table below).

Network firewall rules
  • Allow TCP traffic originating on ephemeral ports (>1024) to TCP port 443 from any computer on the internal network to the Tanium Server device
  • Allow TCP traffic originating on ephemeral ports (>1024) to TCP port 17440 from any computer on the internal network to the Tanium Module Server device (Patch Workbench)

Server-to-Database Communications

The Tanium Server can use either a SQL Server RDBMS installed locally to the same device as the Tanium Server application or a remote dedicated or shared SQL Server instance. Using a local SQL Server database typically requires no changes to network firewall rules since all communication remains on the Tanium application server device. To access database resources installed to a remote device, however, the Tanium Server service communicates over the port reserved for SQL, by default port 1433, to the database.

Port Needed: Tanium Server to Remote SQL Server originating on TCP ephemeral ports (>1024) to TCP port 1433.

Network firewall rules
  • Allow TCP traffic originating on ephemeral ports (>1024) to TCP port 1433 from the Tanium Server device to the remote device hosting the SQL Server RDBMS


Server-to-Module Server Communications

Tanium 6.5 introduces the Tanium Module Server (formerly known as the Tanium Plugin Server), which extends the functionality of Tanium through various workbenches. The Tanium Server must be able to reach the Tanium Module Server on TCP port 17477.

Port Needed: Tanium Server to Tanium Module Server originating on ephemeral ports (>1024) to TCP port 17477.

Network firewall rules
  • Allow TCP traffic originating on ephemeral ports (>1024) to TCP port 17477 from the Tanium Server to the Tanium Module Server.

Server-to-Zone Server Communications

If you are using the Tanium Zone Server to proxy traffic from Tanium-managed computers on less trusted network segments to the Tanium Server on the core network, then the Tanium Zone Server Hub, typically installed to the Tanium Server device, must be able to connect to the Zone Server(s) in the DMZ. This is the only configuration that requires you to allow outbound traffic originating on TCP ephemeral ports to TCP port 17472 from the Tanium Server device. The ZoneServerList.txt configuration file located in the Tanium Zone Server Hub's installation folder identifies the addresses of the destination Zone Servers. See the Zone Server Configuration page for more details.

Port Needed: Tanium Server to Zone Server originating on TCP ephemeral ports (>1024) to TCP port 17472.

Network firewall rules
  • Allow TCP traffic originating on TCP ephemeral ports (>1024) to TCP port 17472 from the Zone Server Hub, usually the Tanium Server device, to the destination DMZ device(s) hosting the Zone Server(s).
Endpoint firewall rules - for additional security, configure the following endpoint firewall rules
  • Allow TCP traffic outbound originating on TCP ephemeral ports to TCP port 17472 from only the Zone Server Hub process running on the Tanium Server device
  • Allow TCP traffic originating on ephemeral ports (>1024) inbound to TCP port 17472 to only the Zone Server process running on the designated Zone Server device(s).

Tanium Client

Client-to-Client Communications

In addition to the client-to-server TCP communication that takes place over port 17472, Tanium Clients also communicate to other Tanium-managed computers originating on TCP ephemeral ports (>1024) to TCP port 17472. The Tanium environment can perform hundreds or thousands of times faster than other security or systems management tools because the Tanium Clients communicate in secure, linearly-controlled peer-to-peer rings. Because clients dynamically communicate with other nearby agents based on proximity and latency, rings tend to form automatically to match a customer's topology—endpoints in California will form one ring while endpoints in Germany will form a separate ring. With this dynamic configuration in mind, you must allow bi-directional TCP communication originating on TCP ephemeral ports to TCP port 17472 between clients on the same local area network, but not necessarily all clients on the internal network.

Port Needed: Tanium Clients or Zone Clients originating on ephemeral ports (>1024) to TCP port 17472, bi-directionally.

Network firewall rules
  • Allow TCP traffic originating on ephemeral ports (>1024) to TCP port 17472 from any computer to be managed on a local area network to any other computer to be managed on the same local area network.


Client-to-Zone Server Communications

In customer environments using the Tanium Zone Server, a Tanium Client may be configured to point to a Zone Server instead of a Tanium Server. The communication requirements for these Clients are identical to the Client-to-Server requirements; in fact, Clients don't know the difference between Zone Servers and Servers!

Port Needed: Tanium Clients to Zone Server over TCP port 17472.

Network firewall rules to manage devices within a DMZ
  • Allow TCP traffic originating on ephemeral ports (>1024) to TCP port 17472 from any DMZ computer to be managed to any other computer to be managed within the same DMZ
Network firewall rules to manage devices on the Internet that have no VPN connection to the core network
  • Allow TCP traffic originating on ephemeral ports (>1024) to TCP port 17472 from any computer on the Internet to the Zone Server in the DMZ designated to proxy traffic from off-network devices
Endpoint firewall rules
  • For additional security, configure the endpoint firewall on any Zone Server device(s) to allow inbound TCP traffic originating on ephemeral ports (>1024) to TCP port 17472 to only the Zone Server process
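The endpoint firewall rules recommended above (Zone Server inbound only to the Zone Server process, Hub outbound only from the Hub process, under Server-to-Zone Server and Client-to-Zone Server Communications) and the same-LAN scoping described under Client-to-Client Communications, expressed as Windows Firewall rules. This is an added example, not Tanium's own tooling; the executable paths and rule names are placeholders, and the script assumes the built-in Windows Firewall with its default inbound action of Block.

```powershell
# Added example, not Tanium's own tooling: Windows Firewall rules that implement the
# endpoint-firewall recommendations above, scoped to the Tanium process on each role.
# Executable paths are placeholders; confirm them on your hosts (for example from the
# service's ImagePath) before running. Run elevated on the device whose role you pass.
$TaniumPort = 17472

$Paths = @{   # placeholder install locations
    Client     = 'C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe'
    ZoneServer = 'C:\Program Files\Tanium\Tanium Zone Server\TaniumZoneServer.exe'
}

function Set-TaniumFirewallRules {
    [CmdletBinding()]
    param(
        # Client: managed endpoint. ZoneServer: DMZ proxy. Hub: Zone Server Hub host (usually the Tanium Server).
        [Parameter(Mandatory)][ValidateSet('Client', 'ZoneServer', 'Hub')][string]$Role
    )

    $rules = switch ($Role) {
        'Client' {
            # Inbound 17472 from peers on the same LAN only, delivered only to TaniumClient.exe.
            @{ DisplayName = 'Tanium Client peer (in)'; Direction = 'Inbound'; LocalPort = $TaniumPort
               Program = $Paths.Client; RemoteAddress = 'LocalSubnet' }
            # Outbound to peers, the Tanium Server or a Zone Server, which all listen on 17472.
            @{ DisplayName = 'Tanium Client (out)'; Direction = 'Outbound'; RemotePort = $TaniumPort
               Program = $Paths.Client }
        }
        'ZoneServer' {
            # DMZ/Internet clients and the Hub all connect in to TaniumZoneServer.exe on 17472.
            @{ DisplayName = 'Tanium Zone Server (in)'; Direction = 'Inbound'; LocalPort = $TaniumPort
               Program = $Paths.ZoneServer }
        }
        'Hub' {
            # Only the Hub process should open outbound 17472 to the DMZ Zone Servers.
            @{ DisplayName = 'Tanium Zone Server Hub (out)'; Direction = 'Outbound'; RemotePort = $TaniumPort
               Program = $Paths.ZoneServer }
        }
    }

    foreach ($r in $rules) {
        # Idempotent: replace a same-named rule instead of stacking duplicates.
        Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
        New-NetFirewallRule @r -Protocol TCP -Action Allow -Enabled True | Out-Null
        Write-Verbose "Created rule '$($r.DisplayName)'"
    }

    # Windows Firewall evaluates Block rules before Allow rules, so "only this process" cannot be
    # written as allow-X plus block-the-rest on the same port. A program-scoped Allow rule only
    # means "only this process" when the profile default for that direction is Block: that is the
    # inbound default but not the outbound one. Report anything weaker rather than silently
    # changing profile defaults on a production server.
    foreach ($p in Get-NetFirewallProfile) {
        if ($p.DefaultInboundAction -ne 'Block') {
            Write-Warning "Profile $($p.Name): default inbound is $($p.DefaultInboundAction); the inbound rule does not restrict other processes."
        }
        if ($Role -eq 'Hub' -and $p.DefaultOutboundAction -ne 'Block') {
            Write-Warning "Profile $($p.Name): default outbound is $($p.DefaultOutboundAction); the Hub outbound rule only documents intent."
        }
    }
}

# Usage (elevated, on the respective device):
# Set-TaniumFirewallRules -Role ZoneServer -Verbose
```

The warnings are the point of the check: a program-scoped allow rule on a profile whose default is Allow changes nothing, so "only the Zone Server process" is enforced by the absence of any other 17472 allow rule plus a Block default, not by the rule itself.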


Tanium Client Deployment using the Tanium Client Deployment Tool

The Tanium Client Deployment Tool (CDT) allows you to target the Tanium Client for installation on designated endpoints. The CDT can be installed and run from any Windows workstation or server in the target domain. This deployment mechanism isn't required, since there are other ways of deploying the Tanium Client (e.g., existing software distribution mechanisms, ePO EEDK, GPO, etc.), but it does require a couple of items to be configured for it to succeed. More information about the CDT can be found here - https://docs.tanium.com/client/client/client_deployment_tool.html

The Client Deployment Tool copies the necessary installation files to the root drive via the \\{machine_name}\c$ UNC path. For that to work, the Admin user must have sufficient privileges to access the machine's admin share, file sharing must be enabled on the endpoint, and TCP ports 135 and 445 must be open to it.

In most AD environments, admin shares are already available. For standalone machines that have not joined a domain, however, you may need to make the C$ share reachable by a user with sufficient privileges. Admin shares are not available in Home editions of Windows, but are available in all other editions. On Windows XP they work by default. On Windows 7 and 8 the shares exist, but UAC remote restrictions filter the token of a local (non-domain) Administrators member connecting over the network, so access to C$ is denied. Setting the following registry value (and rebooting) disables that filtering:

Hive: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\Windows\CurrentVersion\Policies\System
Name: LocalAccountTokenFilterPolicy
Data Type: REG_DWORD
Value: 1

Treat this as a deployment-window change rather than a permanent setting: with the value set, any local administrator credential (or its hash) grants full remote administrative access to the machine, which is exactly the lateral-movement path the restriction exists to close. Remove the value once the rollout is finished.

Next, the tool uses either Microsoft PsExec (the default) or WMIC to run the installer remotely on the endpoint. In either case the Admin user must have sufficient privileges to execute commands remotely. If you use PsExec, check with your AV/endpoint protection suite first, because PsExec is frequently blocked. If you use WMIC, ensure the following Windows Firewall rules are enabled on the endpoint:

  • Windows Firewall Remote Management (RPC-EPMAP)
  • Windows Management Instrumentation (WMI-In)

Note that WMI over DCOM only starts on TCP 135 (the RPC endpoint mapper); the endpoint then hands the session to a port from its dynamic RPC range, so any firewall between the CDT host and the endpoint must pass that range as well.

Port Needed: Tanium Client Deployment Tool to Endpoints over TCP ports 135 and 445.
Endpoint Configuration Needed: ICMP and File and Printer Sharing must be allowed, plus the RPC-EPMAP and WMI-In firewall rules for the WMIC deployment method.
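The CDT prerequisites just listed (ICMP, TCP 135 and 445, the C$ admin share, the WMI firewall rules, and the LocalAccountTokenFilterPolicy value for standalone machines) as a pre-flight check. This is an added example and not part of the Tanium Client Deployment Tool; the target names are placeholders, and Test-CdtTarget is meant to run from the CDT host under the same account the tool will use, while Set-LocalAdminRemoteAccess runs on the standalone endpoint itself. Get-WmiObject (DCOM, the same transport WMIC uses) requires Windows PowerShell 5.1.

```powershell
# Added example, not part of the Tanium Client Deployment Tool. Target names are placeholders.

# Run on the CDT host, as the account the tool will use.
function Test-CdtTarget {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$ComputerName)
    process {
        # ICMP and the two TCP ports the tool needs: 135 (RPC endpoint mapper, WMIC path)
        # and 445 (SMB, for the C$ copy and for PsExec's service install).
        $icmp = Test-Connection -ComputerName $ComputerName -Count 1 -Quiet -ErrorAction SilentlyContinue
        $rpc  = Test-NetConnection -ComputerName $ComputerName -Port 135 -InformationLevel Quiet -WarningAction SilentlyContinue
        $smb  = Test-NetConnection -ComputerName $ComputerName -Port 445 -InformationLevel Quiet -WarningAction SilentlyContinue

        # C$ is reachable only if SMB is open, File and Printer Sharing is on, and the
        # account's token is not filtered by UAC remote restrictions.
        $share = $smb -and (Test-Path -LiteralPath "\\$ComputerName\c$" -ErrorAction SilentlyContinue)

        # A DCOM/WMI round trip proves the WMI-In and RPC-EPMAP rules (and the dynamic RPC
        # range) are open end to end, which a bare port-135 check cannot.
        $wmi = $false
        if ($rpc) {
            try {
                $null = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction Stop
                $wmi = $true
            } catch { $wmi = $false }
        }

        [pscustomobject]@{
            ComputerName = $ComputerName
            Icmp         = [bool]$icmp
            Tcp135       = [bool]$rpc
            Tcp445       = [bool]$smb
            AdminShare   = [bool]$share
            RemoteWmi    = $wmi
            PsExecReady  = [bool]$share
            WmicReady    = [bool]($share -and $wmi)
        }
    }
}

# Run ON a standalone (non-domain) target, elevated. Disables UAC remote restrictions so a
# local Administrators member gets a full token over the network, and enables the inbound
# rules the tool needs. Caveat: while set, any local admin credential (or its hash) gives full
# remote admin access to the host, so limit it to the deployment window and revert afterwards.
function Set-LocalAdminRemoteAccess {
    param([switch]$Revert)
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    if ($Revert) {
        Remove-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
    } else {
        New-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy -PropertyType DWord -Value 1 -Force | Out-Null
        # Rule names as shipped with Windows Firewall; SMB-In covers the C$ copy, the other two the WMIC path.
        Enable-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)',
                                            'Windows Management Instrumentation (WMI-In)',
                                            'Windows Firewall Remote Management (RPC-EPMAP)' -ErrorAction SilentlyContinue
    }
    Get-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
}

# Usage from the CDT host (placeholder names):
# 'ws-0101', 'ws-0102' | Test-CdtTarget | Format-Table -AutoSize
# On a standalone target, after deployment:
# Set-LocalAdminRemoteAccess -Revert
```

PsExecReady reduces to the admin share being reachable because PsExec installs its service over the same SMB session; WmicReady additionally needs the DCOM round trip to succeed, which is what usually fails when only port 135 was opened on an intermediate firewall.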


Tanium Server communication requirements

Tanium Server using a local SQL Server

  Action | Protocol | Source address | Source process | Source port | Destination address | Destination process | Destination port
  Allow | TCP | Any computer with the Tanium Client | Tanium Client (TaniumClient.exe) | ephemeral | Tanium application server | Tanium Server (TaniumReceiver.exe) | 17472
  Allow | TCP | Any computer allowed to run the Console | N/A | ephemeral | Tanium application server | Tanium Server (TaniumReceiver.exe) | 443

Tanium Server using remote SQL Server

  Action | Protocol | Source address | Source process | Source port | Destination address | Destination process | Destination port
  Allow | TCP | Any computer with the Tanium Client | Tanium Client (TaniumClient.exe) | ephemeral | Tanium application server | Tanium Server (TaniumReceiver.exe) | 17472
  Allow | TCP | Any computer allowed to run the Console | N/A | ephemeral | Tanium application server | Tanium Server (TaniumReceiver.exe) | 443
  Allow | TCP | Tanium application server | Tanium Server (TaniumReceiver.exe) | ephemeral | Remote Microsoft SQL Server DBMS server | MSSQLSERVER (sqlservr.exe) | 1433

Tanium Servers in Active/Active array configuration

  Action | Protocol | Source address | Source process | Source port | Destination address | Destination process | Destination port
  Allow | TCP | All Tanium application server array members | Tanium Server (TaniumReceiver.exe) | ephemeral | All Tanium application server array members | Tanium Server (TaniumReceiver.exe) | 17472
  Allow | TCP | All Tanium application server array members | Tanium Server (TaniumReceiver.exe) | ephemeral | Remote Microsoft SQL Server DBMS server | MSSQLSERVER (sqlservr.exe) | 1433
  Allow | TCP | Any computer allowed to run the Console | N/A | ephemeral | Tanium application server | Tanium Server (TaniumReceiver.exe) | 443

Tanium Client communication requirements within the internal network

  Action | Protocol | Source address | Source process | Source port | Destination address | Destination process | Destination port
  Allow | TCP | Any Tanium Client-managed device on the network | Tanium Client (TaniumClient.exe) | ephemeral | Any Tanium Client-managed device on the network | Tanium Client (TaniumClient.exe) | 17472
  Allow | TCP | Any Tanium Client-managed device on the network | Tanium Client (TaniumClient.exe) | ephemeral | Tanium application server | Tanium Server (TaniumReceiver.exe) | 17472
  Allow (outbound) | TCP | Any Tanium-managed endpoint with the Trace service installed | Tanium Trace Websocket (TaniumTraceWebsocketClient.exe) | ephemeral | Trace service on the Tanium Module Server | Tanium Trace (taniumtrace.exe) | 17444

Tanium component communication requirements to manage devices within a DMZ

  Action | Protocol | Source address | Source process | Source port | Destination address | Destination process | Destination port
  Allow | TCP | Device hosting the Zone Server Hub service (typically the Tanium application server) | Tanium ZoneServer (TaniumZoneServer.exe) | ephemeral | Zone Server(s) | Tanium ZoneServer (TaniumZoneServer.exe) | 17472
  Allow | TCP | Any Tanium Client-managed device within the same DMZ | Tanium Client (TaniumClient.exe) | ephemeral | Any Tanium Client-managed device within the same DMZ | Tanium Client (TaniumClient.exe) | 17472
  Allow | TCP | Any Tanium Client-managed device within the same DMZ | Tanium Client (TaniumClient.exe) | ephemeral | Zone Server within the respective DMZ | Tanium ZoneServer (TaniumZoneServer.exe) | 17472

Tanium component communication requirements to manage off-network devices

  Action | Protocol | Source address | Source process | Source port | Destination address | Destination process | Destination port
  Allow | TCP | Device hosting the Zone Server Hub service (typically the Tanium application server) | Tanium ZoneServer (TaniumZoneServer.exe) | ephemeral | Zone Server(s) | Tanium ZoneServer (TaniumZoneServer.exe) | 17472
  Allow | TCP | Off-network (Internet) computers with the Tanium Client | Tanium Client (TaniumClient.exe) | ephemeral | External IP address allocated for the Zone Server | Tanium ZoneServer (TaniumZoneServer.exe) | 17472

Tanium Module Server and specific module communication requirements

  Action | Protocol | Source address | Source process | Source port | Destination address | Destination process | Destination port
  Allow | TCP | Tanium application server | Tanium Server (TaniumReceiver.exe) | ephemeral | Tanium Module Server | Tanium Module Server (TaniumModuleServer.exe) | 17477
  Allow (inbound) | TCP | Any Tanium-managed endpoint with the Trace service installed | Tanium Trace Service (TaniumTraceCLI.exe) | ephemeral | Trace service on the Tanium Module Server | Tanium Trace (taniumtrace.exe) | 17444
  Allow | TCP | Any computer allowed to run the Console and Tanium Patch | N/A | ephemeral | Tanium Patch service on the Tanium Module Server | Tanium Patch (TaniumPatch.exe) | 17440
  Allow | TCP | Any computer allowed to run the Console and Tanium Trace | N/A | ephemeral | Trace service on the Tanium Module Server | Tanium Trace (taniumtrace.exe) | 17443
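The 6.5 port matrix above turned into a check you run from the device that originates each connection (client, Console host, or Tanium Server). This is an added example, not Tanium tooling: the hostnames are placeholders, the ZoneServerList.txt path is a guess at the Hub's install folder, and the file is assumed to hold one Zone Server hostname or IP per line.

```powershell
# Added example, not Tanium tooling: exercise the 6.5 port matrix from the originating device.
# Hostnames and the ZoneServerList.txt path are placeholders; the list file is assumed to
# contain one Zone Server hostname or IP per line (lines starting with # are ignored).
$Hosts = @{
    TaniumServer = 'tanium-srv.corp.example'   # placeholder
    ModuleServer = 'tanium-mod.corp.example'   # placeholder
    SqlServer    = 'sql01.corp.example'        # placeholder; irrelevant when SQL Server is local
}
$ZoneServerList = 'C:\Program Files\Tanium\Tanium Zone Server Hub\ZoneServerList.txt'  # placeholder path

# Required flows per originating role, taken from the tables above. Optional flows apply only
# when the corresponding module or topology is in use, so a closed port there is not a failure.
$Matrix = @{
    Client = @(
        @{ To = $Hosts.TaniumServer; Port = 17472; Why = 'registration and reflection' }
        @{ To = $Hosts.ModuleServer; Port = 17444; Why = 'Trace Direct Connect'; Optional = $true }
    )
    ConsoleHost = @(
        @{ To = $Hosts.TaniumServer; Port = 443;   Why = 'Console (HTTPS/SOAP)' }
        @{ To = $Hosts.ModuleServer; Port = 17440; Why = 'Patch workbench'; Optional = $true }
        @{ To = $Hosts.ModuleServer; Port = 17443; Why = 'Trace workbench'; Optional = $true }
    )
    Server = @(
        @{ To = $Hosts.SqlServer;    Port = 1433;  Why = 'remote SQL Server'; Optional = $true }
        @{ To = $Hosts.ModuleServer; Port = 17477; Why = 'Module Server' }
    )
}

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    # Plain TCP connect with a timeout. Success proves a listener is reachable, not that it
    # is the Tanium process; confirm the owning process on the target with netstat -b.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Get-ZoneServerTargets {
    param([string]$Path)
    # Hub -> DMZ Zone Server flows, read from the Hub's ZoneServerList.txt (format assumed).
    if (-not (Test-Path -LiteralPath $Path)) { return }
    Get-Content -LiteralPath $Path |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ForEach-Object { @{ To = $_; Port = 17472; Why = 'Zone Server (Hub to DMZ)' } }
}

function Test-TaniumConnectivity {
    param([Parameter(Mandatory)][ValidateSet('Client', 'ConsoleHost', 'Server')][string]$Role)
    $flows = @($Matrix[$Role])
    if ($Role -eq 'Server') { $flows = $flows + @(Get-ZoneServerTargets -Path $ZoneServerList) }
    foreach ($f in $flows) {
        $ok = Test-TcpPort -ComputerName $f.To -Port $f.Port
        [pscustomobject]@{
            Role    = $Role
            Target  = $f.To
            Port    = $f.Port
            Purpose = $f.Why
            Result  = $(if ($ok) { 'OPEN' } elseif ($f.Optional) { 'CLOSED (optional)' } else { 'BLOCKED' })
        }
    }
}

# Usage, on each originating device:
# Test-TaniumConnectivity -Role Client | Format-Table -AutoSize
```

Because every flow in the matrix is initiated by the source side, a check run anywhere else (for example from the Tanium Server toward a client) proves nothing; run it once per role on a representative machine in each network segment, including one behind each Zone Server.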