Installing an Appliance Array

In TanOS 1.6.0 and later, you can group appliances into an Appliance Array to make it easier to set up and manage the appliances that contain the components of a Tanium cluster.

A typical Appliance Array contains the following Appliances:

  • A primary Tanium Server Appliance with an active database
  • A secondary Tanium Server Appliance with a passive database
  • A Tanium Module Server Appliance
  • An optional standby Tanium Module Server Appliance
  • One or more Tanium Zone Server Appliances

When you add members to an Appliance Array, the role installation process installs the Tanium Core Platform components for the Tanium Server, Tanium Module Server, or Tanium Zone Server on the individual Appliances.

In TanOS 1.6.5 and later, the array installation process automatically establishes trust between the appliances in the array.

About Tanium clusters

A Tanium cluster is not required to scale Tanium capacity or to improve performance. The Tanium Core Platform supports a redundant cluster of Tanium Servers to ensure continuous availability in the event of an outage or scheduled maintenance.

In a Tanium cluster deployment:

  • Tanium Clients use a Tanium Server list to automatically find a backup server in the event the first Tanium Server that is assigned to them is unavailable.
  • The Tanium Servers read and write to the active database on the first appliance. Data is periodically replicated from the first appliance database to the second appliance database.
  • The local authentication user configuration is periodically synchronized between the two appliances.
  • IPsec ensures end-to-end security between the two appliances.
  • Each Tanium Server has a Tanium Console with its own URL.
  • Tanium solutions are installed on a shared Module Server. In Tanium Core Platform 7.4.3 and later, you only need to import solutions on one Tanium Console. For versions prior to Tanium Core Platform 7.4.3, you must import solutions on both Tanium Consoles.
  • Each Tanium Server passes messages (such as answers to questions) to the other Tanium Servers.
  • Package files that are uploaded to one server are synchronized to the other Tanium Servers.
  • Database administration best practices ensure availability of the database server and that the Tanium databases and related database objects are backed up routinely.

Tanium cluster requirements and limitations

A Tanium cluster deployment has the following requirements:

  • The Tanium Server application setup is active-active and the database component is active-passive.
  • Each Tanium Server must run the same software version, including build number. For example, each must have build number 7.4.2.2063.
  • Each Tanium Server in the Tanium cluster must meet or exceed the requirements for the total number of endpoints targeted by your deployment. Each must be able to independently handle load from the full deployment in the event of failure.
  • The Tanium cluster members must be able to connect to each other via a reliable Ethernet connection. Connections require a minimum throughput of 1 Gbps and a maximum round-trip latency of 30 ms.
  • Each Tanium cluster member must be able to access the Internet to download files from designated domains. Access can be either direct or made through a proxy server.
  • Each Tanium cluster member must be able to connect to the shared Module Server.

Before you begin

  • Power on all Appliances.
  • For a Tanium Physical Appliance, perform the steps listed in the Tanium Appliance Quick Start Guide to install the Tanium Appliances.
  • Configure basic network, host, and user settings on all Appliances.
  • If the tanadmin user is set up for SSH key authentication on all appliances, copy the public key for the tanadmin user on the primary appliance to the tanadmin user accounts on the remaining appliances.
    • For information on how to use TanOS menus to add a public key for a user account, see Add authorized keys.
    • For information on how to use the CLI to add a public key for a user account, see the add pubkeys command at TanOS management commands.
  • Make sure all appliances are running TanOS 1.6.0 or later.
  • Make sure all appliances are running the same version of TanOS.
  • Make sure your network security administrator has configured security rules to allow communication on the TCP ports that the Tanium Core Platform components use. In addition to the ports that are used by individual Tanium Servers, a Tanium Server in a Tanium cluster sends and receives cluster-related data over an IPsec connection. The network security rules must allow ESP (50/ip) and IKE (500/udp, 4500/udp).

(Optional) Import keys

Beginning in Tanium Core Platform 7.4, the Tanium Server includes a pki.db file that contains the root keys, Tanium Server TLS keys, and message-signing keys for the Tanium Server. If you migrate from a Windows installation with Tanium Core Platform 7.4 or later, or if you restore the Tanium Server appliance from a backup, you can reuse the previous pki.db file.

For a Tanium cluster, make sure to obtain a copy of the pki.db file from each Tanium Server in the deployment. The pki.db files are unique to their respective servers. If you migrate from a Tanium cluster on a Windows installation and use only the pki.db from one Tanium Server, the fingerprints will not match when you enable trust between the Tanium Servers.

  1. Obtain a copy of the pki.db file from your existing Tanium Server or from a backup file.
  2. Use SFTP to copy the pki.db file to the /incoming folder on the appliance before the install.
  3. Repeat the preceding steps for each Tanium Appliance in your deployment.
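The requirements and prerequisites above (every appliance on the same TanOS version of at least 1.6.0, identical Tanium Server build numbers, a cluster link of at least 1 Gbps with no more than 30 ms round-trip latency, firewall rules that permit ESP and IKE on 500/udp and 4500/udp, and a distinct pki.db per Tanium Server) can be checked before you open the Appliance Array menu. The following Python script is an added example and is not part of TanOS or any Tanium tooling; the Appliance record, the link measurements, the pki.db contents and the build string 7.4.2.0000 are constructed placeholders used only to illustrate the checks.

```python
"""Pre-flight checks for a Tanium Appliance Array (added example, not TanOS code)."""
from dataclasses import dataclass, field
import hashlib

MIN_TANOS = (1, 6, 0)            # Appliance Arrays require TanOS 1.6.0 or later
MAX_RTT_MS = 30.0                # cluster link: at most 30 ms round trip
MIN_THROUGHPUT_GBPS = 1.0        # cluster link: at least 1 Gbps
# Cluster traffic rides over IPsec: ESP (IP protocol 50) plus IKE on 500/udp and 4500/udp
REQUIRED_RULES = {("esp", 50), ("udp", 500), ("udp", 4500)}


@dataclass
class Appliance:
    """Constructed inventory record for one appliance (assumption: not a TanOS type)."""
    name: str
    role: str                        # "TS" (Tanium Server), "MS" (Module Server), "ZS" (Zone Server)
    tanos: str                       # TanOS version, e.g. "1.6.5"
    build: str = ""                  # Tanium Server build, e.g. "7.4.2.2063" (TS only)
    pki_db: bytes = b""              # contents of the pki.db staged in /incoming, if any
    allowed: set = field(default_factory=set)  # (proto, number) rules the firewall permits


def parse_version(text):
    """'1.6.5' -> (1, 6, 5); '7.4.2.2063' -> (7, 4, 2, 2063). Tuples compare numerically."""
    return tuple(int(part) for part in text.split("."))


def preflight(appliances, links):
    """Return a list of human-readable violations; an empty list means the array is ready.

    links maps frozenset({name_a, name_b}) -> {"rtt_ms": float, "gbps": float}
    for each pair of Tanium Servers (measurements are supplied by the caller).
    """
    problems = []

    # 1. Every appliance runs TanOS >= 1.6.0, and all run the same version.
    for a in appliances:
        if parse_version(a.tanos) < MIN_TANOS:
            problems.append(f"{a.name}: TanOS {a.tanos} is older than 1.6.0")
    if len({a.tanos for a in appliances}) > 1:
        problems.append("TanOS versions differ across the array")

    servers = [a for a in appliances if a.role == "TS"]

    # 2. Every Tanium Server runs the identical build, down to the build number.
    if len({s.build for s in servers}) > 1:
        detail = ", ".join(f"{s.name}={s.build}" for s in servers)
        problems.append(f"Tanium Server builds differ: {detail}")

    # 3. Each pair of cluster members meets the throughput and latency requirement.
    for i, a in enumerate(servers):
        for b in servers[i + 1:]:
            link = links.get(frozenset({a.name, b.name}))
            if link is None:
                problems.append(f"{a.name}<->{b.name}: no link measurement")
                continue
            if link["rtt_ms"] > MAX_RTT_MS:
                problems.append(f"{a.name}<->{b.name}: RTT {link['rtt_ms']} ms exceeds {MAX_RTT_MS:g} ms")
            if link["gbps"] < MIN_THROUGHPUT_GBPS:
                problems.append(f"{a.name}<->{b.name}: {link['gbps']} Gbps below {MIN_THROUGHPUT_GBPS:g} Gbps")

    # 4. The firewall permits IPsec control (IKE) and data (ESP) traffic on each cluster member.
    for s in servers:
        for proto, num in sorted(REQUIRED_RULES - s.allowed):
            problems.append(f"{s.name}: firewall does not allow {proto}/{num}")

    # 5. A staged pki.db must be unique per Tanium Server; a reused file means the key
    #    fingerprints will not match when trust is enabled between the servers.
    seen = {}
    for s in servers:
        if not s.pki_db:
            continue
        digest = hashlib.sha256(s.pki_db).hexdigest()
        if digest in seen:
            problems.append(f"{s.name}: pki.db is identical to the one staged on {seen[digest]}")
        seen[digest] = s.name

    return problems


def demo():
    """Constructed inventories: a healthy array and one with three defects."""
    ipsec = set(REQUIRED_RULES)
    links = {frozenset({"ts1", "ts2"}): {"rtt_ms": 4.0, "gbps": 10.0}}   # constructed
    good = [
        Appliance("ts1", "TS", "1.6.5", "7.4.2.2063", b"pki-ts1-placeholder", ipsec),
        Appliance("ts2", "TS", "1.6.5", "7.4.2.2063", b"pki-ts2-placeholder", ipsec),
        Appliance("ms1", "MS", "1.6.5"),
        Appliance("zs1", "ZS", "1.6.5"),
    ]
    bad = [
        Appliance("ts1", "TS", "1.6.5", "7.4.2.2063", b"pki-ts1-placeholder", ipsec),
        # build 7.4.2.0000 is a constructed placeholder; same pki.db as ts1; NAT-T port blocked
        Appliance("ts2", "TS", "1.6.5", "7.4.2.0000", b"pki-ts1-placeholder", ipsec - {("udp", 4500)}),
        Appliance("ms1", "MS", "1.6.5"),
    ]
    return preflight(good, links), preflight(bad, links)


if __name__ == "__main__":
    for label, result in zip(("good", "bad"), demo()):
        print(label, result or "ready")
```

Run the script directly to see the healthy array report "ready" and the defective one list the build mismatch, the missing 4500/udp rule and the reused pki.db. In practice, feed `preflight` with the versions read from each appliance, the firewall rules your network security administrator confirms, and your own latency and throughput measurements.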

Set up the Appliance Array

Create the array

  1. Sign in to the primary Tanium Server Appliance as a user with the tanadmin role.
  2. Enter 1 to go to the Tanium Installation menu.
  3. Enter M to go to the Appliance Array menu.
  4. Enter C and follow the prompts to create an array.
  5. Press the Enter key to go to the Appliance Array menu.

    The Appliance Array menu refreshes with the new array.

    TanOS assigns Tanium Server as the new (pending) role for the appliance.

Add members to the array

Before you begin: If the tanadmin user is set up for SSH key authentication on all appliances, copy the public key for the tanadmin user on the primary appliance to the tanadmin user accounts on the remaining appliances. For information on how to use TanOS menus to add a public key for a user account, see Add authorized keys. For information on how to use the CLI to add a public key for a user account, see the add pubkeys command at TanOS management commands.

Perform the following steps to add the other appliances to the array.

  1. Enter A from the Appliance Array menu on the primary Tanium Server Appliance.
  2. Follow the prompts to add the appliance to the array.
  3. Press the Enter key to go to the Appliance Array menu.

    The Appliance Array menu refreshes with the new member.

Repeat these steps to add the remaining appliances to the array.

Assign roles

Use the Appliance Array menu to assign a Tanium Server, Tanium Module Server, or Tanium Zone Server role to each appliance.

  1. Return to the Appliance Array menu on the primary Tanium Server Appliance.
  2. Enter the line number for an appliance without a pending New Role.

    The Manage Member menu appears.

  3. Enter T, M, or Z to assign the corresponding role to the appliance.

    The Appliance Array menu refreshes with the new pending role.

Repeat these steps to assign roles to the remaining appliances in the array.

To preserve the assigned roles, do not close the Appliance Array menu.

Install Tanium roles

Perform the following steps to install the Tanium Core Platform components on the appliances in the Appliance Array.

If you have RPM files for an updated version of the Tanium Core Platform, use SFTP to copy the files to the /incoming folder of the primary Tanium Server Appliance. This includes the RPM files for the Tanium Server, Tanium Module Server, and Tanium Zone Server. When you use the following process to install Tanium through an Appliance Array, the installation process automatically copies the required RPM file from the primary Tanium server to each appliance in the array.

  1. From the Appliance Array menu, enter I.
  2. Follow the prompts to install pending roles.
    • When prompted, enter the line number of the Tanium Core Platform version that you want to install.
    • If you install roles to a new array, specify a password for the initial Tanium Console admin user (tanium) when prompted.
    • If the array already contains an appliance with the Tanium Server role, specify a Tanium Console user and password with administrative credentials when prompted.
    • If you copied the pki.db file to the /incoming folder on the appliance, the installer discovers the file and prompts you to install it. Enter YES to continue.

TanOS installs the components of the Tanium Core Platform on the selected appliances.

After you install the Tanium roles to the appliances, you can add more appliances to the array. To do so, add the appliance to the array, assign a role to the appliance, install the pending role, and then perform any additional required configuration for the Tanium role (see the following sections starting with Installing an Appliance Array).

Promote a Tanium Server to array manager

An array manager is a Tanium Server that can sign in to and issue commands to other array members. The following Tanium Servers are automatically assigned the array manager designation:

  • The Tanium Server on which you set up the array. For instructions, see Set up the Appliance Array.
  • Up to 2 Tanium Servers in an array that are upgraded from 1.6.x to 1.7
  • An appliance on which you install Tanium Server using the existing array manager

In the following scenarios, a Tanium Server can be a member of an array without having array manager capabilities:

  • You add a member to an array with no role and install Tanium Server directly on the member, rather than through the array.
  • You add an existing Tanium Server to an array.

Use the following steps to promote a Tanium Server to array manager.

  1. On an array manager, sign in to the TanOS console as a user with the tanadmin role.
  2. Enter 1 to open the Tanium Installation menu.
  3. Enter M to open the Manage Appliance Array menu.
  4. Enter the line number of the appliance to promote to array manager.
  5. Enter P to promote the appliance to array manager.

What to do next