Tanium Cloud Requirements

Created by Brent Henderson, Modified on Wed, 8 Apr at 11:09 AM by Brent Henderson

About this article: This article summarizes the requirements for using Tanium Cloud, including supported operating systems, identity provider dependencies, port and URL requirements, CDN connectivity, API access, and security exclusion guidance. Review all sections before onboarding a new client or troubleshooting connectivity issues.

Tanium Dependencies

| Component | Requirement |
| --- | --- |
| Tanium Client | Any supported version of Tanium Client. Using an unsupported version may result in unavailable features or stability issues that can only be resolved by upgrading. See Tanium Client Management User Guide: Client version and host system requirements for the supported version list. |

Supported Endpoint Operating Systems

The following endpoint operating systems are supported with Tanium Cloud:

  • Windows
  • macOS
  • Linux
  • Solaris
  • AIX

For full Tanium Client OS support details, see Tanium Client Management User Guide: Client version and host system requirements.

Identity Provider (IdP) Requirements

Each customer must bring a SAML 2.0–compliant identity provider with two-factor authentication (2FA) enabled to use Tanium Cloud in production. Configuration of multiple identity providers for a single Tanium Cloud instance is supported.

Supported identity providers include:

  • Microsoft Entra ID
  • Okta
  • Microsoft Active Directory Federation Services (ADFS)
  • OneLogin
  • Auth0

Port and Network Requirements

The following ports and destinations are required for Tanium Cloud communication. The <customerURL> variable represents the subdomain specified during initial provisioning of your Tanium Cloud service instance.

Best Practice: Configure firewall policies to open ports for Tanium traffic using TCP-based rules rather than application identity-based rules. For example, on a Palo Alto Networks firewall, use service objects or service groups instead of application objects or application groups.

| Source | Destination | Port | Protocol | Purpose |
| --- | --- | --- | --- | --- |
| Tanium Client | Peer Clients | 17472 [1] | TCP | Peer-to-peer communication between Tanium Clients |
| Tanium Client | Tanium Cloud Client Edge URLs [2] | 17472 [1] | TCP | Communication between the Tanium Client and Tanium Cloud |
| Tanium Client | Tanium Client (loopback) | 17473 | TCP | Tanium Client API. Used with the loopback interface only — does not typically require a firewall rule. |
| Tanium Client | Tanium Cloud Client Edge URLs [2] | 17486 | TCP | Outbound communication from the Tanium Client and inbound communication to Tanium Cloud for Direct Connect endpoint connections |
| Tanium Client | Tanium Cloud: distribute.cloud.tanium.com, *.distribute.cloud.tanium.com; Tanium Cloud for U.S. Government: N/A | 443 | TCP (HTTPS) | Content Delivery Network (CDN) downloads [3] |
| Endpoints installing Tanium Client via Azure VM extension | content.tanium.com | 443 | TCP (HTTPS) | Endpoint downloads the Tanium Client installer. See Tanium Client Management User Guide: Deploy the Tanium Client in Microsoft Azure environments using the Tanium Client VM extension. |
| Endpoints accessing Tanium Console | Tanium Cloud: <customerURL>.cloud.tanium.com [4,5]; Tanium Cloud for U.S. Government: <customerURL>.cloud.taniumfed.com [4,5] | 443 | TCP (HTTPS) | Browser access to the Tanium Console |
| Endpoints accessing Tanium API | Tanium Cloud: <customerURL>-api.cloud.tanium.com [5]; Tanium Cloud for U.S. Government: <customerURL>-api.cloud.taniumfed.com [5] | 443 | TCP (HTTPS) | Tanium API access. See API Access section below. |
| Endpoints accessing Tanium Account | Tanium Cloud: account.tanium.com, *.cloud.tanium.com; Tanium Cloud for U.S. Government: N/A | 443 | TCP (HTTPS) | Browser access to Tanium Account for managing your Tanium Cloud instance |

1 The port Clients use for peer communication can be changed. See Tanium Client Management User Guide: Customize listening ports.

2 Tanium Clients connect to the Client Edge URLs shown in your Tanium Account. See View administration information and configure administrative settings and Tanium Client Management User Guide: Configuring connections to the Tanium Core Platform. For Tanium Cloud for U.S. Government, Client Edge URLs are provided during initial provisioning.

3 All endpoints using CDN downloads must allow this HTTPS communication and connect directly to the destination without interference. This communication is bidirectional but always initiated from the Tanium Client — no inbound rule is required on the Client side. If wildcards are not permitted, you must create a rule for each <n>.distribute.cloud.tanium.com FQDN where <n> represents numerals 1–20. See Tanium Console User Guide: Managing bandwidth throttles and CDN downloads.

4 These URLs are publicly searchable.

5 The <customerURL> component is determined during initial provisioning. See Make initial elections.

CDN Connectivity

Tanium Client 7.6 and later (USA region) and Tanium Client 7.8 and later (all other regions) support the Tanium Content Distribution Network (CDN) for optimized action package delivery. The CDN routes Client connections through the shortest and most efficient path among CDN entry points.

If a CDN connection is unavailable (for example, due to network restrictions), Clients automatically fall back to downloading package files directly from Tanium Cloud.

Important: Endpoints must be able to connect directly to CDN URLs or IP addresses without interference. Additionally, endpoints must have the Starfield Services Root Certificate Authority – G2 certificate from Amazon Trust Services installed. This certificate is included with Tanium Client 7.8.1.3126 and later. Endpoints running earlier Client versions may need the certificate installed manually, or the Client should be upgraded to 7.8.1.3126 or later.

Note (U.S. Government): Tanium Cloud for U.S. Government does not currently support CDN downloads. Access to distribute.cloud.tanium.com or associated IP addresses is not required in that environment.

Use one of the following methods to allow CDN communication, depending on your security policies and firewall capabilities:

  1. Create an ACL or firewall rule referencing https://distribute-info.cloud.tanium.com/ip-ranges/ip-ranges.json to allow communication from the Tanium Client to the IP address ranges in that file.
  2. Allow communication from the Tanium Client to the URL pattern *.distribute.cloud.tanium.com.
  3. Explicitly allow communication from the Tanium Client to each URL <n>.distribute.cloud.tanium.com, where <n> represents numerals 1–20 (e.g., 1.distribute.cloud.tanium.com, 2.distribute.cloud.tanium.com, etc.).
  4. Create an ACL or firewall rule that explicitly allows the IP address ranges listed in the file above, and schedule regular updates to keep the ACL current as IP ranges change over time.

An up-to-date list of CDN IP address ranges is always available at:
https://distribute-info.cloud.tanium.com/ip-ranges/ip-ranges.json
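
The following Python sketch is an added example, not part of the original article or of Tanium's tooling. It covers methods 3 and 4 above by listing the per-numeral FQDNs and by diffing a deployed ACL against the published ranges, refusing to act on an empty feed. The schema of ip-ranges.json is not shown on this page, so the extractor collects any CIDR string regardless of key names; the sample feed and ACL entries are constructed.

```python
import ipaddress
import json

# Constructed sample; the real file's schema is not shown on this page,
# so the extractor below does not depend on any key names.
SAMPLE_FEED = json.dumps({
    "source": "https://example.invalid/constructed-feed",
    "prefixes": [{"cidr": "192.0.2.0/24"}, {"cidr": "198.51.100.0/25"},
                 {"cidr": "2001:db8:10::/48"}],
})


def cdn_fqdns(first=1, last=20):
    """Method 3: one FQDN per numeral when wildcards are not permitted."""
    return [f"{n}.distribute.cloud.tanium.com" for n in range(first, last + 1)]


def extract_networks(feed_text):
    """Collect every valid CIDR string found anywhere in the JSON document."""
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)
        elif isinstance(node, str) and "/" in node:
            try:
                found.add(ipaddress.ip_network(node, strict=True))
            except ValueError:
                pass  # not a CIDR (for example a URL)

    walk(json.loads(feed_text))
    return found


def plan_acl_update(current_acl, feed_text):
    """Method 4: diff the deployed ACL against the published ranges."""
    published = extract_networks(feed_text)
    if not published:
        raise ValueError("feed has no CIDR ranges; refusing to empty the ACL")
    deployed = {ipaddress.ip_network(c) for c in current_acl}
    key = lambda n: (n.version, n)  # never compares IPv4 with IPv6 directly
    return {
        "add": [str(n) for n in sorted(published - deployed, key=key)],
        "remove": [str(n) for n in sorted(deployed - published, key=key)],
    }
```

In a scheduled job, the feed text would be the body downloaded from the ip-ranges.json URL above, and the returned plan would be reviewed or applied through the firewall's own change process.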

Firewall and Proxy Support

Firewall

Tanium Cloud supports Clients behind a firewall (direct route), as long as the Clients can reach two internet IP addresses on two TCP ports.

Proxy

Tanium Cloud supports Clients behind an HTTPS proxy (indirect route), as long as the Clients can reach two internet IP addresses on two TCP ports. For configuration details, see Tanium Client Management User Guide: Connect through an HTTPS forward proxy server.

API Access

To access the Tanium Cloud APIs, you must first create an API Token. See Tanium Console User Guide: Create API tokens.

Note: The maximum payload size for API requests and responses is 10 MB.

Tip: If you need outbound API access for Tanium solutions such as Asset, Connect, or Discover, you can enable network egress for those solution APIs. See Configuring external API access for details.

Tanium Cloud API URL: <customerURL>-api.cloud.tanium.com
Tanium Cloud for U.S. Government API URL: <customerURL>-api.cloud.taniumfed.com

The <customerURL> variable is the subdomain specified during initial provisioning. See Make initial elections.

Network Egress

To allow outbound communications from Tanium Cloud to specific destinations, you can configure network egress allow list rules. See Configuring network egress for Tanium Cloud for details.

Solution-Specific Port Requirements

The following Tanium modules and shared services have their own port requirements. Modules marked No additional ports require only the base Tanium Cloud ports documented above.

  • Asset: No additional ports
  • Automate: No additional ports
  • Benchmark: No additional ports
  • Certificate Manager: No additional ports
  • Client Management: See module guide
  • Cloud Workloads: No additional ports
  • Comply: See module guide
  • Connect: See module guide
  • Criticality: See module guide
  • Deploy: No additional ports
  • Direct Connect: See module guide
  • Directory Query: See module guide
  • Discover: See module guide
  • Endpoint Configuration: No additional ports
  • Endpoint Management for Mobile: See module guide
  • End-User Notifications: No additional ports
  • Enforce: See module guide
  • Engage: See module guide
  • Gateway: No additional ports
  • Guide: No additional ports
  • Health Check: See module guide
  • Impact: See module guide
  • Integrations Gallery: See module guide
  • Integrity Monitor: No additional ports
  • Interact: No additional ports
  • Investigate: See module guide
  • Jump Gate: No additional ports
  • Mac Device Enrollment: See module guide
  • Patch: No additional ports
  • Performance: See module guide
  • Provision: See module guide
  • Reporting: No additional ports
  • Reputation: No additional ports
  • Reveal: See module guide
  • Threat Response: See module guide
  • Trends: No additional ports
  • Zero Trust: See module guide

For modules marked See module guide, click the module name in the Tanium documentation portal to access port requirements specific to that solution.

Security Exclusions

If antivirus (AV) or other security software is present in the environment to monitor and block unknown host system processes, a security administrator must create exclusions to allow Tanium processes to run without interference. This includes security software bundled with the endpoint OS — for example, fapolicyd on some Linux distributions, or Microsoft Defender on Windows.

Note: If required exclusions are not configured, or if Tanium suspects interference from AV or security software, Tanium may require that you temporarily remove or disable the AV or security software for troubleshooting purposes, then restore it once troubleshooting is complete.

For the complete list of security exclusions to define across Tanium, see Tanium Client Management Guide: Reference: Endpoint security exclusions. For product-specific guidance, see the related articles below.

User Role Requirements

Tanium Account User Roles

User roles in your Tanium Account determine which users can manage the configuration of your Tanium Cloud service instance. See Tanium Account User Guide: Tanium Account user roles for role definitions and permissions.

Tanium Core Platform User Roles

For information about role permissions and associated content sets in Tanium Core Platform, see Tanium Core Platform User Guide: Managing RBAC.
