Health Check requirements
Review the requirements before you install and use Health Check.
Core platform dependencies
Make sure that your environment meets the following requirements:
- Tanium license that includes Health Check. For information about licensing, contact Tanium Support.
- Tanium™ Core Platform servers: 7.4 or later
Tanium™ Module Server
Health Check is installed and runs as a service on the Module Server. The resource impact on the Module Server is minimal and depends on usage.
Endpoints
Health Check does not deploy packages to endpoints. For Tanium Client operating system support, see Tanium Client Management User Guide: Client version and host system requirements.
Host and network security requirements
Specific ports and processes are needed to run Health Check.
Ports
The following ports are required for Health Check communication.
Source | Destination | Port | Protocol | Purpose |
---|---|---|---|---|
Module Server | Module Server (loopback) | 17242 | TCP | Internal purposes; not externally accessible |
Module Server | Tanium Server | 443 | TCP | Communicate with Tanium Server using API, collect host information for Tanium Server |
Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.
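The following preflight check for the two flows in the port table is an added example, not Tanium code. It tests outbound TCP to the Tanium Server on 443 and scans `netstat -an` or `ss -ltn` output for a 17242 listener bound to anything other than loopback. The function names, the host name `tanium.example.com`, and the sample listing are assumptions made for illustration.

```python
import ipaddress
import socket

LOOPBACK_PORT = 17242  # Module Server loopback port from the table
SERVER_PORT = 443      # Module Server -> Tanium Server port from the table

# Constructed sample in Windows `netstat -ano` layout, not real output.
SAMPLE = """\
  TCP    127.0.0.1:17242    0.0.0.0:0         LISTENING    4321
  TCP    0.0.0.0:17242      0.0.0.0:0         LISTENING    4321
  TCP    10.0.0.5:50122     10.0.0.9:17242    ESTABLISHED  4321
"""


def tcp_reachable(host, port, timeout=3.0):
    """Return True if a plain TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or name did not resolve
        return False


def exposed_listeners(listing, port=LOOPBACK_PORT):
    """Return non-loopback local addresses listening on `port`."""
    exposed = []
    for line in listing.splitlines():
        if "LISTEN" not in line.upper():
            continue
        for field in line.split():
            addr, sep, field_port = field.rpartition(":")
            if not sep:
                continue  # not an address:port field
            if field_port == str(port):
                host = addr.strip("[]").split("%")[0]
                try:
                    loopback = ipaddress.ip_address(host).is_loopback
                except ValueError:  # wildcard such as "*"
                    loopback = False
                if not loopback:
                    exposed.append(field)
            break  # first address field is the local one; skip the peer
    return exposed


if __name__ == "__main__":
    print("exposed 17242 listeners:", exposed_listeners(SAMPLE))
    # tanium.example.com is a placeholder for the Tanium Server name.
    print("443 reachable:", tcp_reachable("tanium.example.com", SERVER_PORT))
```

A successful `tcp_reachable` result confirms only that the TCP path is open; it does not validate TLS or API access. An empty list from `exposed_listeners` means every 17242 listener in the supplied listing is bound to a loopback address.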
Security exclusions
If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.
Target Device | Notes | Exclusion Type | Exclusion |
---|---|---|---|
Module Server | | Process | <Module Server>\services\health-service\node.exe |
Module Server | | Process | <Module Server>\services\health-service\twsm.exe |
Internet URLs
For data sharing through a proxy from the Tanium Server to the Internet, your security administrator must allow the following URLs.
- receiver.reporting.tanium.com
- prd-pending-be96af380693f912.s3.eu-central-1.amazonaws.com
User role requirements
The Administrator reserved role is required for all Health Check tasks.
If you are running Tanium Servers on Windows, ensure that you change the account that is used to run the Tanium Health Check service from LOCAL SYSTEM to an account that has access to the Tanium Servers and Zone Servers. Otherwise, the generated reports do not contain server information about the Tanium Servers and Zone Servers.
Last updated: 9/12/2023 3:25 PM