Deployment checklist
There are a number of topics to consider for a successful and scalable Tailscale deployment beyond configuration of individual devices and access controls. This document details some of the less obvious, but still important, concerns for using and deploying Tailscale at scale. This document can serve as your Tailscale deployment checklist.
Support
- Internal support—provide documentation to your users on how to get internal support within your organization. See end-user client configuration for ways to customize the Tailscale client to help with this.
- Tailscale support—document how and when to contact Tailscale support in internal documentation and provide it to the relevant parties—for example, the IT help desk or production operations teams. Include instructions asking end users to generate a bug report when reporting issues internally and to share the bug report identifier when contacting Tailscale support.
Production best practices
- Understand how Tailscale and customers share security responsibilities.
- Implement production best practices related to security, performance, and specific providers.
- Understand direct vs. relayed connections and which firewall ports to open, if any, to get the best performance in your environment.
Stay up-to-date on Tailscale news
- Subscribe to the Tailscale newsletter and blog to stay up-to-date on general Tailscale news. Use email addresses that go to a group of users rather than a single individual.
- Subscribe to the Tailscale changelog RSS feed to stay up-to-date on client and service changes.
- Subscribe to the Tailscale security bulletins RSS feed to stay up-to-date on security notifications.
Organization notifications
- Set contact preferences to receive email notifications regarding account, configuration, and security updates. Use email addresses that go to a group of users rather than a single individual.
User Management
User & group provisioning
- Configure System for Cross-domain Identity Management (SCIM) with a supported provider to enable automatic user & group provisioning.
Tailscale-specific roles
- Transfer organization ownership to an appropriate team member. Oftentimes, the person that created the tailnet is not who should be the owner long-term.
- Assign appropriate Tailscale-specific roles to team members based on their job function and responsibilities. Network admin, IT admin, and billing admin are common roles to assign.
Tailnet management
General settings
- Configure tailnet, user management, and device management settings per your organization's needs and security policies.
ACL management
- Manage your Tailscale ACLs with infrastructure-as-code and GitOps to have an audit trail of changes to Tailscale access controls and configuration in your version control system with peer review of changes.
- Review common patterns for tag names and implement consistent tags that represent access patterns and network segments for your devices.
Device management
- Set a custom authentication period to require users to re-authenticate with your identity provider per your company's security policies.
- Enable device identity collection to accurately identify devices in your tailnet.
- Set default source posture rules to require minimum operating system and Tailscale client versions.
- If integrating CrowdStrike Falcon with Tailscale, set a minimum ZTA score to control access from unmanaged devices—for example, falcon:ztaScore >= 0.
End-user client configuration
- Deploy Tailscale client applications to end-users using a mobile device management (MDM) solution.
- Enable automatic client updates for end-user devices to ensure employee devices stay up-to-date.
- Configure end-user client applications using system policies via your MDM solution. Review the full list of system policies to determine which options are important to your organization. Some common ones are below.
- Force client behavior end-users will depend on:
  - UseTailscaleDNSSettings to always or never apply Tailscale DNS configuration when the tunnel is connected
  - UseTailscaleSubnets to always or never accept subnets advertised by other nodes in your tailnet
  - PostureChecking to always or never gather device posture data
- Hide unused capabilities in the client menu such as:
  - AdminConsole to show or hide the Admin Console menu item
  - HiddenNetworkDevices to show or hide one or more categories of devices in the Network Devices menu item
  - ManageTailnetLock to show or hide the Manage tailnet lock menu item
  - RunExitNode to show or hide the Run as Exit Node menu item
- Provide information for how to get support from Tailscale administrators or your IT team:
  - ManagedByCaption to specify a caption to be displayed in the Managed By view
  - ManagedByOrganizationName to specify the name of the organization managing Tailscale, for instance “XYZ Corp IT”
  - ManagedByURL to specify a URL pointing to a help desk webpage or Slack channel
Server configuration
- Automate server deployments using infrastructure-as-code to provision devices in a repeatable manner less susceptible to human error.
Monitoring
Monitor tailnet changes
- Configure webhooks to receive important notifications to your central monitoring and alerting system—for example, your monitoring service or Slack. In particular, we recommend notifications for the following event types:
  - Device misconfiguration: exitNodeIPForwardingNotEnabled
  - Device misconfiguration: subnetIPForwardingNotEnabled
  - Tailnet management: nodeNeedsApproval
  - Tailnet management: userNeedsApproval
  - Tailnet management: userRoleUpdated
  - Webhook management: webhookUpdated
  - Webhook management: webhookDeleted
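A webhook receiver for the event types listed above, as an added example that is not Tailscale's own code. It assumes the Tailscale-Webhook-Signature header has the form t=<unix timestamp>,v1=<hex> with an HMAC-SHA256 over "<t>.<body>"; the secret, event payload and event messages are constructed for the example.

```python
import hashlib
import hmac
import json

# Event types the checklist above recommends routing to alerting.
ALERT_EVENT_TYPES = {
    "exitNodeIPForwardingNotEnabled", "subnetIPForwardingNotEnabled",
    "nodeNeedsApproval", "userNeedsApproval", "userRoleUpdated",
    "webhookUpdated", "webhookDeleted",
}

# Constructed sample delivery (not a real capture): three events, two on the alert list.
SAMPLE_SECRET = "constructed-webhook-secret"
SAMPLE_BODY = json.dumps([
    {"type": "nodeCreated", "message": "Node n1 joined the tailnet"},
    {"type": "nodeNeedsApproval", "message": "Node n2 is waiting for approval"},
    {"type": "webhookDeleted", "message": "Webhook w1 was deleted"},
]).encode()


def sign_body(secret: str, body: bytes, ts: int) -> str:
    """Build a signature header value (assumed format t=<unix>,v1=<hex>, HMAC-SHA256
    over "<t>.<body>"); used here only to produce test deliveries."""
    mac = hmac.new(secret.encode(), f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={ts},v1={mac}"


def verify_signature(secret: str, header: str, body: bytes, now: int, tolerance: int = 300) -> bool:
    """Reject deliveries whose HMAC does not match or whose timestamp is outside the replay window."""
    parts = dict(p.split("=", 1) for p in header.split(",") if "=" in p)
    ts, sig = parts.get("t"), parts.get("v1")
    if ts is None or sig is None or not ts.isdigit():
        return False
    if abs(now - int(ts)) > tolerance:
        return False  # stale or replayed delivery
    expected = hmac.new(secret.encode(), f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)  # constant-time comparison


def select_alerts(body: bytes) -> list:
    """Return (type, message) for every event in the delivery that is on the alert list."""
    events = json.loads(body)
    return [(e["type"], e.get("message", "")) for e in events if e.get("type") in ALERT_EVENT_TYPES]


def handle_delivery(secret: str, header: str, body: bytes, now: int):
    """Verify first, filter second; None means the delivery was rejected and must not be trusted."""
    if not verify_signature(secret, header, body, now):
        return None
    return select_alerts(body)
```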
Log streaming
- Configure log streaming to stream configuration and network flow logs to your security information and event management (SIEM) system.
- Configure data retention of logs in your SIEM per your company's security policies.
- Configure alerts in your SIEM to notify you of noteworthy events. In particular, we recommend alerts for events related to settings changed via the Tailscale admin console:

```json
// other fields omitted for brevity
{
  "action": "CREATE",
  "origin": "ADMIN_CONSOLE",
  // ...
},
{
  "action": "UPDATE",
  "origin": "ADMIN_CONSOLE",
  // ...
},
{
  "action": "DELETE",
  "origin": "ADMIN_CONSOLE",
  // ...
},
```
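The admin-console alert rule above applied to newline-delimited configuration audit log records, as an added example that is not Tailscale's own code. The sample records are constructed; the "API" origin, actor login names and target type/name values are made up for illustration, and only the action and origin fields are taken from the snippet above.

```python
import json

# Rule from the checklist above: any create/update/delete made through the admin console.
WATCHED_ACTIONS = {"CREATE", "UPDATE", "DELETE"}
WATCHED_ORIGIN = "ADMIN_CONSOLE"

# Constructed sample of newline-delimited audit log records (not a real capture).
# The "API" origin and the actor/target values are made up for illustration.
SAMPLE_LOG = "\n".join([
    json.dumps({"action": "CREATE", "origin": "ADMIN_CONSOLE",
                "actor": {"loginName": "alice@example.com"},
                "target": {"type": "AUTH_KEY", "name": "constructed-key"}}),
    json.dumps({"action": "UPDATE", "origin": "API",
                "actor": {"loginName": "ci-bot@example.com"},
                "target": {"type": "POLICY_FILE", "name": "tailnet policy"}}),
    "this line is not json",
    json.dumps({"action": "DELETE", "origin": "ADMIN_CONSOLE",
                "actor": {"loginName": "bob@example.com"},
                "target": {"type": "WEBHOOK", "name": "siem-hook"}}),
])


def parse_records(ndjson: str) -> tuple:
    """Parse NDJSON into records; malformed lines are counted rather than silently dropped."""
    records, bad = [], 0
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1
    return records, bad


def admin_console_changes(records: list) -> list:
    """Return one alert dict per record that matches the admin-console change rule."""
    alerts = []
    for r in records:
        if r.get("origin") == WATCHED_ORIGIN and r.get("action") in WATCHED_ACTIONS:
            target = r.get("target", {})
            alerts.append({
                "action": r["action"],
                "actor": r.get("actor", {}).get("loginName", "<unknown>"),
                "target": f'{target.get("type", "?")}:{target.get("name", "?")}',
            })
    return alerts


def run_detection(ndjson: str) -> dict:
    """Parse a log batch and report matching alerts plus the number of unparseable lines."""
    records, bad = parse_records(ndjson)
    return {"alerts": admin_console_changes(records), "malformed_lines": bad}
```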