Installing an Appliance Array

You can deploy two Tanium Servers in an active-active cluster to ensure continuous availability in the event of an outage or scheduled maintenance. This active-active cluster is referred to as a Tanium cluster, where the Tanium Server application is active-active, and the database component is active-passive. A Tanium cluster includes other components of the Tanium Core Platform, including Tanium Module Servers and Tanium Zone Servers.

In TanOS 1.6.0 and later, you can group appliances into an Appliance Array to make it easier to set up and manage the appliances that contain the components of a Tanium cluster.

A typical Appliance Array contains the following appliances:

  • A primary Tanium Server appliance with an active database
  • A secondary Tanium Server appliance with a passive database
  • A Tanium Module Server appliance
  • One or more Tanium Zone Server appliances

About Tanium clusters

A Tanium cluster is not required to scale Tanium capacity or to improve performance. The Tanium Core Platform supports a redundant cluster of Tanium Servers to ensure continuous availability in the event of an outage or scheduled maintenance.

In a Tanium cluster deployment:

  • Tanium Clients use a Tanium Server list to automatically find a backup server in the event the first Tanium Server that is assigned to them is unavailable.
  • The Tanium Servers read and write to the active database on the first appliance. Data is periodically replicated from the first appliance database to the second appliance database.
  • The local authentication user configuration is periodically synchronized between the two appliances.
  • IPsec ensures end-to-end security between the two appliances.
  • Each Tanium Server has a Tanium Console with its own URL.
  • Tanium solutions are installed on a shared Module Server. In Tanium Core Platform 7.4.3 and later, you only need to import solutions on one Tanium Console. For versions prior to Tanium Core Platform 7.4.3, you must import solutions on both Tanium Consoles.
  • Each Tanium Server passes messages (such as answers to questions) to the other Tanium Servers.
  • Package files that are uploaded to one server are synchronized to the other Tanium Servers.
  • Database administration best practices ensure availability of the database server and that the Tanium databases and related database objects are backed up routinely.

Tanium cluster requirements and limitations

A Tanium cluster deployment has the following requirements:

  • The Tanium Server application setup is active-active and the database component is active-passive.
  • Each Tanium Server must run the same software version, including build number. For example, each must have build number 7.4.2.2063.
  • Each Tanium Server in the Tanium cluster must meet or exceed the requirements for the total number of endpoints targeted by your deployment. Each must be able to independently handle load from the full deployment in the event of failure.
  • The Tanium cluster members must be able to connect to each other via a reliable Ethernet connection. Connections require a minimum throughput of 1 Gbps and a maximum round-trip latency of 30 ms.
  • Each Tanium cluster member must be able to access the Internet to download files from designated domains. Access can be either direct or made through a proxy server.
  • Each Tanium cluster member must be able to connect to the shared Module Server.
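
Two of the requirements above (identical build numbers on every Tanium Server, and a member-to-member link with at most 30 ms round-trip latency) are easy to check before you start the array install. The following script is an added example, not TanOS or Tanium code; the hostnames, builds and ping summary line it contains are constructed sample data that you would replace with values collected from your own appliances.

```python
"""Pre-flight checks for Tanium cluster members (added example, not Tanium code).

Checks that every Tanium Server reports the same version and build (for
example 7.4.2.2063) and that the inter-member link stays within the 30 ms
round-trip ceiling. Inventory and ping output below are constructed samples.
"""
import re

MAX_RTT_MS = 30.0

# Constructed inventory: appliance hostname -> build reported by TanOS
BUILDS = {
    "ts1.example.internal": "7.4.2.2063",
    "ts2.example.internal": "7.4.2.2063",
}

# Constructed summary line from `ping -c 10` run between the two members
PING_SUMMARY = "rtt min/avg/max/mdev = 0.412/0.528/0.731/0.090 ms"

_RTT_RE = re.compile(r"= (?P<min>[\d.]+)/(?P<avg>[\d.]+)/(?P<max>[\d.]+)/")


def parse_rtt(ping_summary):
    """Return (avg, max) round-trip time in ms from a ping summary line."""
    m = _RTT_RE.search(ping_summary)
    if not m:
        raise ValueError("no rtt summary found in ping output")
    return float(m.group("avg")), float(m.group("max"))


def check_builds(builds):
    """Report a problem if members differ in version or build number."""
    distinct = sorted(set(builds.values()))
    return [] if len(distinct) <= 1 else [
        "build mismatch across Tanium Servers: " + ", ".join(distinct)]


def check_latency(ping_summary, max_rtt_ms=MAX_RTT_MS):
    """Report a problem if the worst RTT exceeds the 30 ms ceiling."""
    _avg, worst = parse_rtt(ping_summary)
    return [f"max RTT {worst} ms exceeds {max_rtt_ms} ms"] if worst > max_rtt_ms else []


def preflight(builds, ping_summary):
    """Collect every failed requirement; an empty list means ready."""
    return check_builds(builds) + check_latency(ping_summary)

if __name__ == "__main__":
    print("\n".join(preflight(BUILDS, PING_SUMMARY) or ["cluster prerequisites OK"]))
```

Throughput (1 Gbps) and the shared Module Server connection are not covered here; verify those with your usual network tooling.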

Before you begin

  • Power on all appliances.
  • For physical hardware, perform the steps listed in the Tanium Appliance Quick Start Guide to install the Tanium Appliances.
  • Configure basic network, host, and user settings on all appliances. See Completing the initial setup (Tanium Cloud Appliance).
  • Make sure all appliances are running TanOS 1.6.0 or later.
  • Make sure all appliances are running the same version of TanOS.
  • Make sure your network security administrator has configured security rules to allow communication on the TCP ports that the Tanium Core Platform components use. In addition to the ports that are used by individual Tanium Servers, a Tanium Server in a Tanium cluster sends and receives cluster-related data over an IPsec connection. The network security rules must allow ESP (50/ip) and IKE (500/udp, 4500/udp).

Import keys (optional)

Beginning in Tanium Core Platform 7.4, the Tanium Server includes a pki.db file that contains the root keys, Tanium Server TLS keys, and message-signing keys for the Tanium Server. If you migrate from a Windows installation with Tanium Core Platform 7.4 or later, or if you restore the Tanium Server appliance from a backup, you can reuse the previous pki.db file.

For a Tanium cluster, make sure to obtain a copy of the pki.db file from each Tanium Server in the deployment. The pki.db files are unique to their respective servers. If you migrate from a Tanium Cluster on a Windows installation, and only use the pki.db from one Tanium Server, the fingerprints will not match when you enable trust between the Tanium Servers.

  1. Obtain a copy of the pki.db file from your existing Tanium Server or from a backup file.
  2. Use SFTP to copy the pki.db file to the /incoming folder on the appliance before the install.
  3. Repeat the same preceding steps for each Tanium Appliance in your deployment.

Set up the Appliance Array

Create the array

  1. Log into the primary Tanium Server appliance as a user with the tanadmin role.

    The TanOS console displays the tanadmin menu.

  2. Enter 1 to go to the Tanium Installation menu.
  3. Enter M to go to the Appliance Array menu.
  4. Enter C and follow the prompts to create an array.
  5. Press the Enter key to return to the Appliance Array menu.

    The Appliance Array menu refreshes with the new array.

    TanOS assigns the new (pending) role for the appliance as a Tanium Server.

Add members to the array

Perform the following steps to add the other appliances to the array.

  1. Enter A from the Appliance Array menu on the primary Tanium Server appliance.
  2. Follow the prompts to add the appliance to the array.
  3. Press the Enter key to return to the Appliance Array menu.

    The Appliance Array menu refreshes with the new member.

Repeat these steps to add the remaining appliances to the array.

Assign roles

Use the Appliance Array menu to assign roles to each appliance.

  1. Return to the Appliance Array menu on the primary Tanium Server appliance.
  2. Enter the line number for an appliance without a pending New Role.

    The Manage Member menu displays.

  3. Enter T, M, or Z to assign the corresponding role to the appliance.

    The Appliance Array menu refreshes with the new pending role.

Repeat these steps to assign roles to the remaining appliances in the array.

To preserve the assigned roles, do not close the Appliance Array menu.

Install Tanium roles

Perform the following steps to install the Tanium Core Platform components on the appliances in the Appliance Array.

  1. From the Appliance Array menu, enter I to install all pending roles.
  2. Enter Yes to exchange information with all members in the array.
  3. When prompted, enter the line number of the Tanium Core Platform version that you want to install.
  4. Enter Yes to confirm the installation actions.
  5. When prompted, specify a password for the initial Tanium Console admin user (tanium).
  6. If you copied the pki.db file to the /incoming folder on the appliance, the installer discovers the file and prompts you to install it. Enter YES to continue.

TanOS installs the components of the Tanium Core Platform on the selected appliances.

Enable trust between Tanium Servers (Tanium Core Platform 7.4 and later)

For Tanium Core Platform 7.4 and later, you must enable trust between the Tanium Servers before you install the Tanium Zone Server Hub add-on. Perform these steps for each Tanium Server in your deployment:

  1. In a web browser, log into the Tanium Console of a Tanium Server with the Tanium role and the password you set when you installed the Tanium Server. The URL format is https://<Tanium_Server_FQDN>.

    The Tanium Server performs any initial imports on the first login. For more information, see Verifying the installation.

  2. From the Tanium Console, go to Console > Configuration > Tanium Server > Trusted Tanium Servers.

    A pending trust displays for the other Tanium Server. An alert might also display at the top of the page.

  3. Verify the IP Address displays the IP address of the other Tanium Server, and record any values for Root Key Fingerprints.
  4. In a web browser, log into the Tanium Console of the other Tanium Server with the Tanium role and the password you set when you installed the Tanium Server.
  5. Go to Console > Configuration > Tanium Server > Root Key Management.
  6. In the Active Root Keys section, verify that the fingerprints of the keys match the values of the Root Key Fingerprints shown in the Trusted Tanium Servers tab on the first Tanium Server.
  7. If the fingerprints are identical, return to the Tanium Console on the first Tanium Server, click View More next to the pending trust, and click Accept.

    If the fingerprint or IP address of a Tanium Server is wrong, decommission the server before denying trust. Denied trust is irreversible for any particular instance of a Tanium Server. To subsequently approve trust, you must uninstall and reinstall the server so that it generates a new root key pair.

  8. Enter your credentials and click OK to confirm the operation.
  9. Repeat the same preceding steps to accept trust on the other Tanium Server. When you finish, the Trust Status for each Tanium Server changes to Trusted.

Install the Zone Server Hubs

After you install the Tanium Server role on a Tanium Appliance and accept trust between the Tanium Servers, install the Zone Server Hubs. Perform the following steps on each Tanium Server appliance.

A Tanium Zone Server appliance connects to the Zone Server Hub on one of the Tanium Server appliances. For redundancy, install the Zone Server Hubs on all Tanium Server appliances.

  1. Log into the TanOS console on the Tanium Server appliance as a user with the tanadmin role.
  2. From the tanadmin menu, enter 1 to go to the Tanium Installation menu.
  3. Enter A and follow the prompts to install the Zone Server Hub.
    • For Tanium Core Platform 7.3 and earlier, configure the zoneserverlist.txt file when prompted. The zone server list is a list of zone servers that are allowed to connect to this Zone Server Hub.
  4. Repeat the same preceding steps to install the Zone Server Hub add-on on the other Tanium Server appliance.

Configure AllowedHubs on the Tanium Zone Server appliances

  1. Log into the TanOS console on the Tanium Zone Server appliance as a user with the tanadmin role.
  2. From the tanadmin menu, enter 2 to go to the Tanium Operations menu.
  3. Enter 2 to go to the Configuration Settings menu.
  4. Enter 9 to edit the Tanium Zone Server settings.
  5. Enter A to add a new setting.
  6. For the key, enter AllowedHubs and press the Enter key.
  7. For the value, enter the comma-separated IP addresses of the Tanium Server appliances and press the Enter key.
  8. Repeat the preceding steps for each Tanium Zone Server appliance.

Enable Zone Server trusts (Tanium Core Platform 7.4 and later)

For Tanium Core Platform 7.4 and later, you must enable trust between the Zone Server Hubs and the Tanium Zone Servers so that they can communicate with each other.

Enable trust between the Tanium Servers and the Zone Server Hubs

  1. Display the Zone Server Hub fingerprint on each Tanium Server appliance on which you installed the Zone Server Hub add-on.
    1. Log into the TanOS console on the Tanium Server appliance as a user with the tanadmin role.
    2. Enter @ to open the About the Appliance page. Note the value of the TZS Hub Registration Fingerprint field.
  2. In a web browser, log into the Tanium Console on the primary Tanium Server appliance with the Tanium role and the password you set when you installed the Tanium Server.
  3. From the Tanium Console, go to Console > Configuration > Tanium Server > Zone Server Hub Trusts.

    Pending trusts display for each Tanium Server appliance with the Zone Server Hub add-on.

  4. For each pending trust:
    1. Verify that the fingerprint of the Zone Server Hub matches the fingerprint shown in the TZS Hub Registration Fingerprint field in the About the Appliance page in the TanOS console of a Tanium Server appliance.
    2. If the fingerprints are identical, return to the Tanium Console, click Accept/Deny next to the matching Zone Server Hub, and click Accept.

      If the fingerprint or IP address of a Zone Server Hub is wrong, decommission the hub before denying trust for it. Denied trust is irreversible for any particular instance of a hub. To subsequently approve trust, you must uninstall and reinstall the hub so that it generates a new fingerprint.

    3. Enter your credentials and click OK.

Enable trust between the Zone Server and the Zone Server Hub

After you approve trust for Zone Server Hub, perform the following steps for each Zone Server.

  1. Log into the TanOS console of the Zone Server appliance as a user with the tanadmin role.
  2. Enter @ to open the About the Appliance page. Note the value of the TZS Registration Fingerprint field.
  3. Log into the Tanium Console with the Tanium role and the password you set when you installed the Tanium Server.
  4. From the Tanium Console, go to Console > Configuration > Tanium Server > Zone Server Hub Trusts.
  5. Next to the Zone Server Hub that you want to connect to the Zone Server, click Add Zone Server, enter the IP address of the Zone Server, and click OK.
  6. Enter your credentials, click OK, and refresh the page. The Tanium Console might take a few minutes to show the mapping. When it does, the mapping Status displays Pending next to the Zone Server. The mapping also appears in the Zone Servers to Zone Server Hub Mappings grid.
  7. Verify that the fingerprint of the Zone Server matches the fingerprint shown in the TZS Registration Fingerprint field in the About the Appliance page in the TanOS console.
  8. If the fingerprints are identical, return to the Tanium Console, click Accept/Deny next to the Zone Server, and click Accept.
  9. Enter your credentials and click OK. In the Zone Server tile, the mapping Status changes to Approved.
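
Each of the three trust procedures above (Trusted Tanium Servers, Zone Server Hub Trusts, and the Zone Server mapping) turns on a human comparing a fingerprint you recorded in one console against the one shown in another, and the page warns that denying a trust is irreversible. The helper below is an added example, not Tanium code: it normalises the two recorded strings so that colons, spaces and letter case cannot disguise a real mismatch, compares them in constant time, and maps the result to the action the page prescribes. The fingerprints and IP address in it are constructed sample values.

```python
"""Fingerprint comparison for the trust steps (added example, not Tanium code).

Normalises the fingerprints recorded from Trusted Tanium Servers, Zone Server
Hub Trusts and the TanOS About the Appliance page, then compares them in
constant time. Sample values below are constructed, not real fingerprints.
"""
import hmac
import re

_HEX_RE = re.compile(r"^[0-9a-f]+$")


def normalize(fingerprint):
    """Strip separators and case; reject anything that is not plain hex."""
    compact = re.sub(r"[\s:-]", "", fingerprint).lower()
    if not _HEX_RE.match(compact):
        raise ValueError(f"not a hex fingerprint: {fingerprint!r}")
    return compact


def fingerprints_match(recorded, displayed):
    """True only if both values are the same digest after normalization."""
    a, b = normalize(recorded), normalize(displayed)
    # compare_digest does not hide a length difference, so check it first
    return len(a) == len(b) and hmac.compare_digest(a, b)


def trust_decision(recorded, displayed, recorded_ip, displayed_ip):
    """Return the action the page prescribes for a pending trust."""
    if not fingerprints_match(recorded, displayed) or recorded_ip != displayed_ip:
        # Denied trust is irreversible for that server or hub instance, so the
        # page says to decommission it before denying rather than deny on sight.
        return "mismatch: decommission before denying trust"
    return "accept"


# Constructed sample values (not real Tanium key fingerprints)
RECORDED = "AB:CD:EF:12:34:56:78:90:AB:CD:EF:12:34:56:78:90:AB:CD:EF:12"
DISPLAYED = "abcdef1234567890abcdef1234567890abcdef12"
TAMPERED = "abcdef1234567890abcdef1234567890abcdef13"
PEER_IP = "10.0.0.12"

if __name__ == "__main__":
    print(trust_decision(RECORDED, DISPLAYED, PEER_IP, PEER_IP))
    print(trust_decision(RECORDED, TAMPERED, PEER_IP, PEER_IP))
```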

Set up TLS for the Tanium Server deployment (Tanium Core Platform 7.3 or earlier)

Installation of the Tanium Server automatically sets up TLS for Tanium Client to Tanium Server connections. One setting is set implicitly to a non-disruptive value by default:

  • RequireIncomingEncryption is set to 0 (TLS not required)

Tanium Core Platform version 7.3 or prior

To change the default values, go to the Tanium Operations menu and use the Configuration Settings menu to change the values. See Change a Tanium server configuration.

Tanium Core Platform version 7.4 or later

When you install the Tanium Zone Server role, TLS is enabled by default in Tanium Core Platform 7.4.

For detailed information about TLS communication in a Tanium deployment, see Tanium Core Platform Deployment Reference Guide: Setting up TLS communication.

What to do next

  1. Verify the installation. If you installed Tanium Server 7.4 or later, this includes uploading the Tanium license.
  2. Download the Tanium Server public key file to include in Tanium Client installation packages.