Working with appliances in an air-gapped environment

If either of the following components does not have internet access, you must use an air gap installation to set up a TanOS appliance:

  • The Tanium Server
  • The Tanium Console

After you complete the air gap installation, you can use the Airgap Operations menu to configure the Tanium deployment to access Tanium content in the air-gapped environment.

Upgrades to TanOS in an air-gapped environment use the same procedures as other environments, with the exception that you must always copy upgrade files to the /incoming directory on the appliance. See Upgrade TanOS.

Overview

In an internet-connected Tanium deployment, the Tanium Server connects to content.tanium.com to read a manifest file that enumerates the solutions that can be imported into the deployment. This is the listing you see when you navigate to the Solutions page in the Tanium Console (see Tanium Console User Guide: Managing Tanium solutions). When a user performs the operation to import the solution, the solution imports from the remote location. In addition, a Tanium package might reference external files that exist on public sites or a local server.

Importing solutions in an internet-connected Tanium deployment

In an air-gapped environment, the Tanium Server does not have access to the internet. Content that is ordinarily downloaded from content.tanium.com and other internet locations must be imported and maintained from an authorized and accessible local server.

To support customer deployments in air-gapped environments, the Tanium content build system generates air-gapped support versions of solution modules and content packs. The air-gapped versions replace references to content.tanium.com and other remote URLs with references to the local host.

In contrast to the internet-connected deployment shown above, communication in an air-gapped environment is done on the Tanium Server host computer.

Importing solutions in an air-gapped Tanium deployment

Perform initial setup of an air-gapped environment

Initial setup of an air-gapped Tanium deployment includes the initial setup of the included appliances, installation of a full update (which includes the air-gapped version of solution modules and content packs), and a few additional configuration tasks that are specific to air-gapped installations.

Before you begin

Make sure you have access to these files that you must bring into the air-gapped environment:

  • Tanium license file
  • TanOS physical or virtual appliance image
  • Air gap full zip (content zip) file
  • Content signing key utility
  • Software to:
    • Connect to the Tanium Appliances through SSH.
    • Transfer files to and from the appliance through SFTP.
    • Generate SSH keys.
  • Additional module content
    • Mandatory: Default Computer Groups XML file
    • Optional, depending on modules and use cases:
      • If necessary, air-gapped versions of modules that are more recent than those in the full ZIP package
      • THR Signals
      • Comply standards
      • Comply engines
      • OS patches
      • Tanium Client installers

Prepare a TanOS installation for an air-gapped environment

  1. Follow the initial configuration steps relevant to the TanOS environment:

  2. Obtain a valid license and the Tanium Core Platform installation package from Tanium Support, and upload them to the appliance:

    1. On your management computer, set up an SFTP client such as WinSCP to connect to the appliance.

    2. Use the SFTP client to copy your license file (tanium.license) and installation package (<tanium.version>_linux_server_package_8.zip) to the /incoming directory on the appliance.

      TanOS uses the installation package to install the Tanium roles when you configure the Appliance Array, and it copies the license to the appropriate location during installation of the Tanium Server role.

    Do not skip these steps and upload the license later directly through the Tanium console. Upload the license file manually so that when you install the Tanium Core Platform server roles, the license gets applied automatically.

  3. Follow the steps in Installing and managing an Appliance Array.

    You now have a standard installation of Tanium. For example, if you sign in to the Tanium Console, it tries to import Tanium Interact and some default content from content.tanium.com and then fails. To fix this problem, you must convert the non-air gap installation into an air-gap installation.

  4. On the Tanium Server, modify the trusted host list so that the first entry is the FQDN of the Tanium Server.

    This step establishes the Tanium Server as a reachable and trusted destination. Later, when the Tanium Console is accessible, you return to the trusted host list to add other Tanium Servers and Tanium Module Servers in the deployment, as needed. For guidance, see Configure the Trusted Host Lists.

Install a full update

A full update is a ZIP package that includes the air-gapped version of solution modules, production content packs, and lab content packs. A full update sets the Tanium Server manifest location to its own host name, instead of content.tanium.com. The update also generates the manifest.xml file, in which the location of every entry is set to the name of the Tanium Server, instead of content.tanium.com. Tanium publishes a full update a few times per year when Tanium Server releases occur.

The ISO archive and ZIP package do not contain the following solutions: Tanium™ Map, Tanium™ Integrity Monitor, Tanium™ Reveal, Tanium™ Protect, and Tanium™ Performance.

Before you begin

  • If you are installing the full update for the first time, complete the steps in Prepare a TanOS installation for an air-gapped environment.
  • Read the release notes for the content packs and modules included in the air gap ZIP file. Make sure that you understand the changes introduced in every release in the path from the current release to the target release.
  • Run a health check on each appliance in the environment to make sure each appliance is in a healthy state before you perform the update.

Download the ZIP file

  1. From a computer with internet access, download the air gap ZIP file.
  2. Copy the ZIP file to a location that is available to the appliances.

Install the update

  1. Use SFTP to copy the air gap ZIP file to the /incoming directory on the Tanium Server appliance. The file name provided by Tanium must be preserved.
  2. Sign in to the TanOS console as a user with the tanadmin role.
  3. Enter 2-C-1 (Tanium Operations > Manage Content > Install Airgap Content).

  4. Enter the line number of the file that you want to install.
  5. Follow the prompts to install the air gap ZIP file.

    For the console URI, enter the public FQDN of the server.

  6. Press Enter to return to the Manage Content menu.
  7. If you have a secondary Tanium Server, repeat the preceding steps to set up that appliance.

When you install the air gap ZIP file, TanOS automatically changes the manifest URL and the labs manifest URL to the URL for the air gap server IP address. For more information, see Change the air gap manifest URLs.

Sign in to the Tanium Console and let the server complete the initial import

At this point, the Tanium installation is converted into an air gap installation.

Sign in to the Tanium Console for the first time through the FQDN of the primary Tanium Server. After this step, the system automatically imports Default Content.

If the initial import process fails:
  • Make sure the URL you are using to access the Tanium Console contains the exact same host name listed in the manifest URL configuration on the appliance. For example, do not use the IP address to connect to the console if the manifest lists the FQDN of the appliance.
  • Make sure you did not forget to set the location of the LABS manifest. See Install a full update.

Configure the Trusted Host Lists

You must add all FQDNs and IP addresses for the Tanium Server and Tanium Module Server to both the TrustedHostList and the TDL TrustedHostList. Make these changes in the Tanium Console so the TDL TrustedHostList is also updated.

  1. From the Main menu, go to Administration > Configuration > Proxy Settings.
  2. Modify the trusted host lists for the Tanium Server and Tanium Module Server so they match the following, and then click Save.

    <TS FQDN>, <TS IP>, <TMS FQDN>, <TMS IP>, localhost, 127.0.0.1
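A configuration check for the settings this section and the preceding sign-in troubleshooting describe, as an added example (not Tanium tooling): it verifies that a trusted host list has the documented form with the Tanium Server FQDN as its first entry, and that the console is opened by the exact host name in the manifest URL. Host names, addresses and the manifest path are constructed placeholders standing in for <TS FQDN>, <TS IP>, <TMS FQDN> and <TMS IP>.

```python
"""Check an air-gapped Tanium Server's trusted host list and console/manifest host names.

Added example, not Tanium tooling. The host names and addresses are constructed
placeholders standing in for <TS FQDN>, <TS IP>, <TMS FQDN> and <TMS IP>.
"""
from urllib.parse import urlsplit

LOCAL_ENTRIES = ("localhost", "127.0.0.1")


def parse_host_list(value: str) -> list:
    """Split a comma-separated TrustedHostList value as typed into Proxy Settings."""
    return [h.strip() for h in value.split(",") if h.strip()]


def check_trusted_hosts(value: str, ts_fqdn: str, ts_ip: str, tms_fqdn: str, tms_ip: str) -> list:
    """Return the problems found in a trusted host list (an empty list means it is complete).

    The first entry must be the Tanium Server FQDN, and every TS/TMS name and
    address plus localhost and 127.0.0.1 must be present.
    """
    hosts = parse_host_list(value)
    problems = []
    if not hosts or hosts[0] != ts_fqdn:
        problems.append(f"first entry must be {ts_fqdn!r}, found {hosts[:1]}")
    for required in (ts_fqdn, ts_ip, tms_fqdn, tms_ip, *LOCAL_ENTRIES):
        if required not in hosts:
            problems.append(f"missing entry {required!r}")
    return problems


def host_of(url: str) -> str:
    """Lower-cased host name part of a URL, or '' if it cannot be parsed."""
    return urlsplit(url).hostname or ""


def check_console_vs_manifest(console_url: str, manifest_url: str, ts_fqdn: str) -> list:
    """Return problems with the console and manifest URLs (an empty list means consistent).

    After a full update the manifest lives on the Tanium Server itself, and the
    initial import fails when the console is opened by a different host name
    (for example the IP address) than the one in the manifest URL.
    """
    problems = []
    manifest_host, console_host = host_of(manifest_url), host_of(console_url)
    if manifest_host != ts_fqdn.lower():
        problems.append(f"manifest URL host {manifest_host!r} is not the Tanium Server FQDN")
    if console_host != manifest_host:
        problems.append(f"console host {console_host!r} differs from manifest host {manifest_host!r}")
    return problems


def demo() -> dict:
    """Run both checks against a constructed good and a constructed bad configuration."""
    ts_fqdn, ts_ip = "ts.example.internal", "10.0.0.10"        # constructed placeholders
    tms_fqdn, tms_ip = "tms.example.internal", "10.0.0.11"     # constructed placeholders
    good = f"{ts_fqdn}, {ts_ip}, {tms_fqdn}, {tms_ip}, localhost, 127.0.0.1"
    bad = f"{ts_ip}, {ts_fqdn}, {tms_fqdn}, localhost"         # IP first; TMS IP and 127.0.0.1 missing
    manifest = f"https://{ts_fqdn}/manifest.xml"               # constructed manifest path
    return {
        "good_hosts": check_trusted_hosts(good, ts_fqdn, ts_ip, tms_fqdn, tms_ip),
        "bad_hosts": check_trusted_hosts(bad, ts_fqdn, ts_ip, tms_fqdn, tms_ip),
        "console_by_fqdn": check_console_vs_manifest(f"https://{ts_fqdn}/", manifest, ts_fqdn),
        "console_by_ip": check_console_vs_manifest(f"https://{ts_ip}/", manifest, ts_fqdn),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "OK")
```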

Import recommended content

  1. As a test, import Interact to make sure it works.

    If the import fails, check all the TrustedHostList settings, modify as needed, and then try this step again.

  2. Download, sign, and import the Default Computer Groups XML file.

    An air-gapped version of the Default Computer Groups content is not available, because the content does not include sensors or packages.

    To sign the file before you import it, follow the instructions in Tanium Console User Guide: Authenticating content files.

    After you successfully import Default Computer Groups, it does not appear on the Content > Solutions page even though it was installed.

  3. Import Tanium Client Management.

    To deploy Tanium Clients with Client Management in an air-gapped environment, you must upload Tanium Client files. See Tanium Client Management User Guide: Manage versions of the Tanium Client available for deployments and upgrades.

Import content packs and modules

After you install full or individual updates, you can import the related content packs and modules into Tanium.

After you install a full update, if you want to install the modules and content that came with the update, then you can proceed to install them. If you want to use more recent versions of the modules than what shipped with the full ZIP package, see Install an individual update. To install additional updates for individual modules, see Update external files for individual modules.

  1. Sign in to the Tanium Console on the primary Tanium Server as a user with the Administrator reserved role, which is required to import content.
  2. From the Main menu, go to the Administration > Content > Packages page.
  3. Click Import > Import Files.
  4. Perform one of the following steps to select the file:
    • Drag and drop files from your file explorer.
    • Click Browse for File, select the file, and click Open.
  5. Review the content to import. In most cases, when you import Tanium-produced content, select the options to merge the categories configuration and to overwrite all of the other configurations, including the designated content set.
  6. Click Begin Import. If prompted, enter your credentials and click OK.
  7. Review the messages to make sure the import completes successfully, and then click Close.

If you encounter errors importing content, check the trusted host list configuration on all Tanium Server and Tanium Module Server appliances to ensure the air gap server IP address is trusted. For more information, see Configuring Appliance security and Edit TDownloader settings.

Update an existing air gap installation

To perform updates in an air-gapped environment, you obtain and install different types of update packages, and then import the included modules and content.

Types of air gap updates

Full updates

Tanium Server releases occur a few times per year. For each Tanium Server release, Tanium publishes a ZIP package that includes the air-gapped version of solution modules, production content packs, and lab content packs. A full update is also used for initial setup of an air-gapped environment.

The ISO archive and ZIP package do not contain the following solutions: Tanium™ Map, Tanium™ Integrity Monitor, Tanium™ Reveal, Tanium™ Protect, and Tanium™ Performance.

Individual updates

Tanium product releases occur weekly. Usually, a few solution modules or content packs are updated. If a solution module or content pack update is published, Tanium posts a ZIP file that contains the content XML and external files for the update.

Additional external files updates

External files for Tanium Comply, Tanium Deploy, Tanium Patch, and Tanium Threat Response might require updates more frequently than full or individual update releases. These files can be obtained and installed separately.

When to perform an update

Customer lab

Install updates at the direction of Tanium Support. Updates in the lab are completed in preparation for a rollout to production.

The following list is a typical work flow for update management:

  • Install the available full update initially when you first set up the air-gapped installation of TanOS.
  • Install full updates shortly after they are made available.
  • Install individual updates for the solution modules and content that you support shortly after they are made available.
  • Install additional external file updates regularly.

Make a habit of tracking weekly release announcements. Read the release notes to identify items included in the release that might improve the user experience and organizational objectives.

Customer production

Install updates only after you complete testing in the lab environment.

Before you begin

Make sure you have access to these files that you must bring into the air-gapped environment:

  • The appropriate update package. Contact Tanium Support for Tanium Appliances to obtain this file.
  • Content signing key utility
  • Software to:
    • Connect to the Tanium appliances through SSH.
    • Transfer files to and from the appliance through SFTP.
  • Additional module content
    • Mandatory: Default Computer Groups XML file
    • Optional, depending on modules and use cases:
      • If necessary, air-gapped versions of modules that are more recent than those in the full ZIP package
      • THR Signals
      • Comply standards
      • Comply engines
      • OS patches
      • Tanium Client installers

Install a full update to update an existing air-gapped installation

You can install each full update as it is released to update Tanium Core Platform servers, modules, and content. See Install a full update.

After installing the full update, import updated content packs and modules. See Import content packs and modules.

Install an individual update

You can install each individual update as it is released to apply the latest module and content pack updates.

Before you begin

Read the release notes for the content pack or module included in the air gap installer file. Make sure that you understand the changes introduced in every release in the path from the current release to the target release.

The Tanium Server requires that content files imported into the Tanium Console are signed, and the signatures verified by public keys stored on the Tanium Server. The public keys for content developed by Tanium and delivered through content.tanium.com are included with the installation.

Download the update file

The installer supports both RPM and ZIP air gap files. The following instructions demonstrate an install with a ZIP file.

  1. From a computer with internet access, download the air gap ZIP file.
  2. Copy the file to a location that is available to the appliances.

Install the update

  1. Use SFTP to copy the air gap ZIP file to the /incoming directory on the Tanium Server appliance.
  2. Sign in to the TanOS console as a user with the tanadmin role.
  3. Enter 2-C-1 (Tanium Operations > Manage Content > Install Airgap Content).

  4. Enter the line number of the file that you want to install.
  5. Follow the prompts to install the air gap ZIP file, but do not press Enter after the install completes.
  6. Copy the URL that appears for the XML file.
  7. Press Enter to go to the Manage Content menu.
  8. Download the XML file to your local computer. For example, you can open the URL in a web browser and save the file to your computer. Depending on the configuration, you might need to change the FQDN of the server to the IP address.
  9. Use keyutility.exe to generate a cryptographic key pair and use it to sign the XML file. For more information, see Enable import of user-created content.

What to do next

After installing the individual update, import updated content packs and modules. See Import content packs and modules.

Update external files for individual modules

External files for Tanium Comply, Tanium Deploy, Tanium Patch, and Tanium Threat Response might require updates more frequently than full or individual update releases. These files can be obtained and installed separately.

Update the Tanium Comply engine packages

In an internet-connected environment, Tanium Comply automatically connects to content.tanium.com to download updates for key components used in endpoint scans. In an air-gapped environment, you must update these components manually through the Tanium Console. For complete instructions, see Tanium Comply User Guide: Configure Comply for an air-gapped environment.

Configure an alternate location for the Predefined Package Gallery in Tanium Deploy

The Predefined Package Gallery in Tanium Deploy provides a collection of common software packages that are hosted at content.tanium.com. These packages are preconfigured and ready to deploy to endpoints. By default, the Tanium Server in an air-gapped environment cannot directly access Deploy Gallery package definitions. You can configure an alternative Gallery location so that a Tanium Server in an air-gapped environment can still download the Gallery. For complete instructions, see Tanium Deploy User Guide: Configure an alternate location for the Predefined Package Gallery.

Update Tanium Patch files

When the Tanium Server is in an air-gapped environment, the server cannot download patches from the internet. You must configure Patch to install patches from an alternate file location in the Patch settings for Windows endpoints.

To update Tanium Patch files, follow the steps in Tanium Patch User Guide: Downloading patches in an air-gapped environment, but perform the following steps after you download the remote package files:

  1. Rename the ZIP file to content-results.zip and copy to a location that is available to the Tanium Server appliance.
  2. Use SFTP to copy the ZIP file to the /incoming directory on the Tanium Server appliance.
  3. Sign in to the TanOS console as a user with the tanadmin role.
  4. Enter 2-C-4 (Tanium Operations > Manage Content > Manage Web Server Content).

  5. Enter 1 to go to the Tanium Web Server Content Installer menu and follow the prompts to install the content-results.zip file.
  6. Verify the configuration as instructed in the Patch documentation.

Install or update Tanium Threat Response Signals

In an internet-connected environment, Tanium Threat Response automatically connects to content.tanium.com to download updates for Tanium Signals. In an air-gapped environment, you must update the Tanium Signals files manually.

Download the Tanium Signals file

  1. From a computer with internet access, go to the content download URL and download the DetectSignalsV3.zip file.
  2. Use a ZIP program to add another ZIP layer. The extra layer is required to import the ZIP file to the Tanium Server appliance. For example:
    1. Go to Administration > Content > Packages, search for Distribute Tanium Standard Utilities, and download 7za.exe.
    2. Create an archive named content-DetectSignalsV3.zip that includes the file DetectSignalsV3.zip.
      cmd> 7za a content-DetectSignalsV3.zip DetectSignalsV3.zip
      7-Zip (a) 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30
      
      Scanning the drive:
      1 file, 13644 bytes (14 KiB)
      Creating archive: content-DetectSignalsV3.zip
      
      Add new data to archive: 1 file, 13644 bytes (14 KiB)
      
      Files read from disk: 1
      Archive size: 13735 bytes (14 KiB)
      
      Everything is Ok

      The file must be named content-DetectSignalsV3.zip. TanOS expects the prefix content-.

    3. Copy the file to a location that is available to the Tanium Server appliance.

Install or update the Tanium Signals file

  1. Install the content on the Tanium Server appliance:
    1. Use SFTP to copy the Tanium Signals ZIP file to the /incoming directory on the Tanium Server appliance.
    2. Sign in to the TanOS console as a user with the tanadmin role.
    3. Enter 2-C-4 (Tanium Operations > Manage Content > Manage Web Server Content).

    4. Enter 1 to go to the Tanium Web Server Content Installer menu and follow the prompts to install the Tanium Signals ZIP file.
  2. Specify the location on the appliance for the Tanium Signals manifest URL setting.
    1. In a web browser, sign in to the Tanium Console, and go to Modules > Threat Response.
    2. From the Threat Response menu, go to Intel > Sources.
    3. Edit the Tanium Signals source. If the source does not exist, click New Source and complete the configuration.
    4. For the manifest URL, specify the URL for the zip file that you installed in the previous steps. The URL has the following form: https://<TS FQDN>/content/files/DetectSignalsV3.zip. The file name of the zip file is case sensitive.
    5. Save the configuration.
    6. From the Sources page in Threat Response, make sure the Intel Count populates with items in the Tanium Signals row.
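The wrapping step from the download procedure above, together with the content-*.zip naming rule that the Tanium Web Server Content Installer (2-C-4) applies to every file it installs, as an added example that is not Tanium's own tooling: it builds the extra ZIP layer with the standard library instead of 7za, checks the wrapper name and its single case-sensitive entry, and derives the manifest URL to enter in Threat Response. The inner archive is a constructed stand-in for the real DetectSignalsV3.zip, and the host name is a placeholder for <TS FQDN>.

```python
"""Wrap DetectSignalsV3.zip in the content- layer TanOS expects, then check the result.

Added example, not Tanium tooling. The inner archive is a constructed stand-in for
the real DetectSignalsV3.zip download; the host name is a placeholder for <TS FQDN>.
"""
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Files for the Tanium Web Server Content Installer must be named content-*.zip.
WEB_CONTENT_NAME = re.compile(r"^content-[^/\\]+\.zip$")
# The Signals file name must keep exactly this case: the manifest URL is case sensitive.
SIGNALS_INNER_NAME = "DetectSignalsV3.zip"


def is_web_content_name(name: str) -> bool:
    """True if a file name follows the content-*.zip convention (also content-results.zip for Patch)."""
    return WEB_CONTENT_NAME.match(name) is not None


def wrap_for_tanos(inner: Path) -> Path:
    """Create content-<inner name> beside `inner`, holding the inner zip as its only entry.

    Equivalent to `7za a content-DetectSignalsV3.zip DetectSignalsV3.zip`; the entry is
    stored uncompressed because the inner file is already a zip.
    """
    if not zipfile.is_zipfile(inner):
        raise ValueError(f"{inner.name} is not a zip archive")
    wrapper = inner.with_name(f"content-{inner.name}")
    with zipfile.ZipFile(wrapper, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.write(inner, arcname=inner.name)  # keep the original, case-preserved name at the root
    return wrapper


def check_wrapper(wrapper: Path, expected_inner: str = SIGNALS_INNER_NAME) -> list:
    """Return the problems found (an empty list means the file is ready for /incoming)."""
    problems = []
    if not is_web_content_name(wrapper.name):
        problems.append(f"name {wrapper.name!r} does not match content-*.zip")
    with zipfile.ZipFile(wrapper) as zf:
        names = zf.namelist()
        if names != [expected_inner]:
            problems.append(f"expected exactly [{expected_inner!r}] inside, found {names!r}")
        elif not zipfile.is_zipfile(io.BytesIO(zf.read(expected_inner))):
            problems.append(f"{expected_inner} inside the wrapper is not itself a zip")
    return problems


def signals_manifest_url(ts_fqdn: str, wrapper: Path) -> str:
    """Manifest URL for Threat Response > Intel > Sources once the wrapper is installed.

    TanOS serves the inner file of content-X.zip from https://<TS FQDN>/content/files/X.
    """
    inner = wrapper.name[len("content-"):]
    return f"https://{ts_fqdn}/content/files/{inner}"


def demo(ts_fqdn: str = "ts.example.internal") -> dict:
    """Build a constructed stand-in Signals zip, wrap it, and validate the result."""
    inner = Path(tempfile.mkdtemp()) / SIGNALS_INNER_NAME
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("signals/constructed.json", '{"note": "constructed stand-in"}')
    wrapper = wrap_for_tanos(inner)
    return {
        "wrapper_name": wrapper.name,
        "problems": check_wrapper(wrapper),
        "manifest_url": signals_manifest_url(ts_fqdn, wrapper),
        # a lower-case expectation shows why the page stresses case sensitivity
        "wrong_case_problems": check_wrapper(wrapper, expected_inner="detectsignalsv3.zip"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```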

Troubleshooting tips

  • If the server deployment uses self-signed certificates, select the Ignore SSL option.
  • If you encounter errors importing content, check the trusted host list configuration on both the Tanium Server and Tanium Module Server to ensure the air gap server IP address is trusted.
  • After you save the configuration, the Module Server attempts to download the Tanium Signals ZIP file. On the Module Server, check the Threat Response log (TanOS menu path 3-2-10-2). Export the log and search for the string signals.downloadSignalsZip to see the logs related to the download operation.

View air gap usage report

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter 2-C (Tanium Operations > Manage Content).

  3. Enter 2 to go to the Airgap Content Usage report.

Prune unused air gap content

You can prune solutions that have been upgraded to a later version and content that was included in an update but that has not been imported.

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter 2-C-3 (Tanium Operations > Manage Content > Prune Airgap Content).

  3. Follow the prompts to prune the air gap content.

Manage web server content

TanOS has menus to support installation and management of air-gapped web server content.

Before you begin

Use SFTP to copy the air gap content files to the /incoming directory on the appliance. The file names must be in the content-*.zip format. The web content installs to the <Tanium Server>/http/content/files directory.

Install content

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter 2-C-4-1 (Tanium Operations > Manage Content > Manage Web Server Content > Tanium Web Server Content Installer).

  3. Follow the prompts to install the content.

Delete content by name

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter 2-C-4 (Tanium Operations > Manage Content > Manage Web Server Content).

  3. Enter 2 and follow the prompts to delete the content.

Delete content by list

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter 2-C-4 (Tanium Operations > Manage Content > Manage Web Server Content).

  3. Enter 3 and follow the prompts to delete the content.

Change the air gap manifest URLs

The manifest and lab manifest refer to the URL the Tanium Console uses to locate solution modules and content packs available for download and use. The default locations point to content.tanium.com. In an air-gapped deployment, the manifest URLs are different. Use the TanOS menu to change them to the air gap content location. If a lab license is in use, you must change both the manifest and lab manifest locations.

When you install a full update, TanOS automatically changes the manifest URL and the labs manifest URL to the URL for the air gap server IP address, and it is only necessary to follow these steps if the manifest is not located on the Tanium Server. For more information, see Install a full update.

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter 2-C-B (Tanium Operations > Manage Content > Manifest URL Change).

  3. Use the menu to change the manifest URL.