Installing Tanium Server in a redundant cluster

The Tanium Server supports high-availability (HA) features when you deploy more than one instance of each Tanium Server component. You can configure Tanium Appliances as a redundant cluster in which the application layer is active-active and the database component is active-passive. A failure of the primary database requires minimal manual intervention to switch to the secondary database.

The redundant cluster setup workflow installs the Tanium Server and a database server on each appliance, makes updates in the configuration database, and copies the SSL certificates and SSH public/private key pair from the first appliance to the second appliance.

Overview

A redundant cluster is not required to scale Tanium capacity or to improve performance. You can size the host system hardware and OS of standalone platform servers to meet your capacity and performance requirements. Instead, the Tanium Core Platform supports a redundant cluster of Tanium Servers to ensure continuous availability during an outage or scheduled maintenance.

The following figure shows a redundant cluster topology. In a redundant cluster deployment:

  • Tanium Clients use a Tanium Server list to automatically find a backup server if the first Tanium Server assigned to them is unavailable.
  • Both Tanium Servers read and write to the database co-located on the first appliance. Data is periodically replicated from the first appliance database to the second appliance database.
  • The local authentication user configuration is periodically synchronized between the two appliances.
  • An IPsec tunnel encrypts and authenticates all cluster traffic between the two appliances.
  • Each cluster member has a Tanium Console with its own URL.
  • Tanium solution modules are installed on a shared Module Server. However, each module must be imported through each Tanium Console before it can be accessed from that console.
  • Each server passes Tanium messages (for example, answers to questions) to the other cluster members.
  • Package files that are uploaded to one member are synchronized to the other cluster members.
  • Follow database administration best practices to ensure availability of the database server and that the Tanium databases and related database objects are backed up routinely.
Figure 1: Redundant cluster topology

Redundant cluster requirements and limitations

A redundant cluster deployment has the following requirements:

  • The Tanium Server application setup is active-active and the database component is active-passive.
  • Each Tanium Server must run the same software version, including build number (for example, each must have build number 7.3.314.3668).
  • Each Tanium Server in the cluster must meet or exceed the requirements for the total number of endpoints targeted by your deployment. (Each must be able to independently handle load from the full deployment in the event of failure.)
  • The cluster members must be able to connect to each other via a reliable Ethernet connection. Connections require a minimum throughput of 1 Gbps and a maximum round-trip latency of 30 ms.
  • Each cluster member must be able to access the Internet to download files from designated domains. Access can be direct or made through a proxy server.
  • Each cluster member must be able to connect to the shared Module Server.

Before you begin

Make sure:

  • Basic network, host, and user settings are configured on both appliances. See Completing the initial setup (hardware appliances).
  • If the deployment requires segregation of traffic types, you can configure separate interfaces on the same NIC card:
    • Do not configure a default gateway on the cluster interfaces.
    • Specify the IP addresses of the cluster interfaces when you configure the IPsec tunnel.
  • Your network security administrator has configured security rules to allow communication on the TCP ports that the Tanium Core Platform components use. In addition to the ports used by individual Tanium Servers, a Tanium Server in a cluster sends and receives cluster-related data over an IPsec connection. The network security rules must allow ESP (IP protocol 50) and IKE (500/udp), plus 4500/udp for IKE NAT traversal, in both directions between the cluster interfaces, because either appliance may initiate the tunnel.
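The following Python script is an added example, not part of this guide or of the Tanium appliance software. It turns two of the requirements above into checks you can run before configuring the tunnel: it compares a firewall allow-list (represented here as constructed rule dictionaries) against the ESP, 500/udp and 4500/udp flows that must exist in both directions between the cluster interfaces, and it parses a ping transcript to confirm that the worst-case round-trip time is within the 30 ms limit. The cluster interface addresses 10.10.1.11 and 10.10.1.12, the rule format and the ping output are all assumptions made for the demo.

```python
"""Pre-flight checks for the link between two Tanium Server appliances.

Added example, not Tanium code. The rule dictionaries and the ping transcript
below are constructed inputs; the cluster interface addresses 10.10.1.11 and
10.10.1.12 are assumed.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Cluster-specific traffic, in addition to the ordinary Tanium Server TCP ports:
# ESP is IP protocol 50 (no port); IKE uses 500/udp; IKE NAT traversal uses 4500/udp.
CLUSTER_SERVICES: Tuple[Tuple[str, Optional[int]], ...] = (
    ("esp", None),
    ("udp", 500),
    ("udp", 4500),
)

MAX_RTT_MS = 30.0  # maximum round-trip latency allowed on the cluster link

Need = Tuple[str, str, str, Optional[int]]  # (src, dst, proto, port)


def required_cluster_rules(ip_a: str, ip_b: str) -> Set[Need]:
    """Either appliance may initiate IKE or send ESP, so every service is needed both ways."""
    needed: Set[Need] = set()
    for proto, port in CLUSTER_SERVICES:
        needed.add((ip_a, ip_b, proto, port))
        needed.add((ip_b, ip_a, proto, port))
    return needed


def _covers(rule: Dict, need: Need) -> bool:
    """True if an allow rule matches the required flow; 'any' is a wildcard for addresses and ports."""
    src, dst, proto, port = need
    return (
        rule.get("action", "allow") == "allow"
        and rule["src"] in (src, "any")
        and rule["dst"] in (dst, "any")
        and rule["proto"] == proto
        and (port is None or rule.get("port") in (port, "any"))
    )


def missing_cluster_rules(rules: List[Dict], ip_a: str, ip_b: str) -> Set[Need]:
    """Return the required flows that no allow rule covers (empty set means the policy is complete)."""
    return {need for need in required_cluster_rules(ip_a, ip_b)
            if not any(_covers(r, need) for r in rules)}


_PING_TIME = re.compile(r"time=([0-9]+(?:\.[0-9]+)?) ms")


def max_rtt_ms(ping_output: str) -> float:
    """Largest per-reply RTT in a Linux ping transcript; raises if no reply lines are present."""
    times = [float(m.group(1)) for m in _PING_TIME.finditer(ping_output)]
    if not times:
        raise ValueError("no ping replies found; the link may be down or ICMP filtered")
    return max(times)


def rtt_within_limit(ping_output: str, limit_ms: float = MAX_RTT_MS) -> bool:
    """Check the observed worst-case RTT against the cluster latency requirement."""
    return max_rtt_ms(ping_output) <= limit_ms


# Constructed sample policy: 4500/udp is missing in the second-to-first direction,
# a common mistake when only one side is expected to initiate IKE.
SAMPLE_RULES = [
    {"src": "10.10.1.11", "dst": "10.10.1.12", "proto": "esp"},
    {"src": "10.10.1.12", "dst": "10.10.1.11", "proto": "esp"},
    {"src": "10.10.1.11", "dst": "10.10.1.12", "proto": "udp", "port": 500},
    {"src": "10.10.1.12", "dst": "10.10.1.11", "proto": "udp", "port": 500},
    {"src": "10.10.1.11", "dst": "10.10.1.12", "proto": "udp", "port": 4500},
]

# Constructed ping transcript from the first appliance to the second.
SAMPLE_PING = """PING 10.10.1.12 (10.10.1.12) 56(84) bytes of data.
64 bytes from 10.10.1.12: icmp_seq=1 ttl=64 time=0.412 ms
64 bytes from 10.10.1.12: icmp_seq=2 ttl=64 time=1.83 ms
64 bytes from 10.10.1.12: icmp_seq=3 ttl=64 time=0.455 ms
"""

if __name__ == "__main__":
    for need in sorted(missing_cluster_rules(SAMPLE_RULES, "10.10.1.11", "10.10.1.12"), key=str):
        print("missing allow rule:", need)
    print("worst RTT %.3f ms, within %.0f ms limit: %s"
          % (max_rtt_ms(SAMPLE_PING), MAX_RTT_MS, rtt_within_limit(SAMPLE_PING)))
```

Run against the constructed policy, the script reports the one flow that is missing (4500/udp from the second appliance to the first); the ping check passes because the worst reply was 1.83 ms. Feed it your real allow-list and a ping run from each appliance's cluster interface, and note that the latency check needs replies from the peer itself, not from an intermediate hop.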

Add required SSH keys

SSH public-key authentication is used to securely copy files from the first Tanium Server to the second Tanium Server during installation. If the first appliance fails, you might need to re-create the cluster with the second appliance as the leader. To prepare for this possibility, copy the public key of the tanadmin user on the first appliance to the authorized key store of the tancopy user on the second appliance, and vice versa. Because each key then grants the tanadmin account on one appliance access as tancopy on the other, protect the tanadmin private keys on both appliances equally.

  1. Start two SSH terminal sessions so you can copy and paste between them:
    • First Tanium Server
    • Second Tanium Server
  2. Copy the tanadmin key from the first appliance to the authorized key store for the tancopy user on the second appliance.
    1. On the first appliance:
      1. From the tanadmin menu, enter C to go to the User Administration menu.
      2. Enter 3 to go to the SSH Key Management menu.
      3. Enter the line number for tanadmin to display the key management menu for this user.
      4. Enter 2 to display the public key.
      5. Copy the contents of the public key to the clipboard.
    2. On the second appliance:
      1. From the tanadmin menu, enter C to go to the User Administration menu.
      2. Enter 3 to go to the SSH Key Management menu.
      3. Enter the line number for the tancopy user.
      4. Enter 3 to go to the Authorized Keys menu.
      5. Enter 2 and then follow the prompts to paste the contents of the tanadmin user public key file.
  3. Copy the tanadmin key from the second appliance to the authorized key store for the tancopy user on the first appliance.
    1. On the second appliance:
      1. Go back to the SSH Key Management menu.
      2. Enter the line number for tanadmin to display the key management menu for this user.
      3. Enter 2 to display the public key.
      4. Copy the contents of the public key to the clipboard.
    2. On the first appliance:
      1. Go back to the SSH Key Management menu.
      2. Enter the line number for the tancopy user.
      3. Enter 3 to go to the Authorized Keys menu.
      4. Enter 2 and then follow the prompts to paste the contents of the tanadmin user public key file.

Set up the IPsec tunnel

The IPsec tunnel encrypts and authenticates all cluster traffic between the two appliances. Each side authenticates its peer with the IPsec host key that you paste in the steps below, so copy the key exactly as displayed, from the peer appliance's own console session.

  1. Start two SSH terminal sessions so you can copy and paste between them:
    • First Tanium Server
    • Second Tanium Server
  2. Log into each of the Tanium Server appliances as a user with the tanadmin role and go to the IPsec menu:
    1. From the tanadmin menu, enter A to go to the Appliance Configuration menu.
    2. Enter 2 to go to the Networking Configuration menu.
    3. Enter 2 to go to the IPsec menu.
  3. On the second appliance, copy the IPsec host key to the clipboard:
    1. From the IPsec menu, enter 1 to display the local IPsec host key.
    2. Copy it to the clipboard.
  4. On the first appliance, from the IPsec menu, enter 3 and follow the prompts to configure this side of the IPsec tunnel. When prompted, paste the IPsec host key for the second appliance.
  5. On the first appliance, copy the IPsec host key to the clipboard:
    1. From the IPsec menu, enter 1 to display the local IPsec host key.
    2. Copy it to the clipboard.
  6. Go to the second appliance and complete the IPsec configuration:
    1. From the IPsec menu, enter 3 and follow the prompts to configure this side of the IPsec tunnel. When prompted, paste the IPsec host key for the first appliance.
    2. Enter 6 to test the connection from this side.
  7. Go back to the first appliance and enter 6 to test the connection from this side.

Deploy the cluster

  1. Complete the installation for the first Tanium Server as described in Installing Tanium Server.
  2. Complete the installation for the second Tanium Server as described in Installing Tanium Server.
  3. Complete the installation for the Tanium Module Server as described in Installing Tanium Module Server. Be sure to configure a remote Module Server connection for each Tanium Server.
  4. Log into the first Tanium Server appliance as a user with the tanadmin role and complete the following steps:
    1. From the tanadmin menu, enter 2 to go to the Tanium Operations menu.
    2. Enter B to go to the Cluster Configuration menu.
    3. Enter 1 and then follow the prompts to configure the connection with the second member and initialize the cluster.
  5. Log into the second Tanium Server appliance as a user with the tanadmin role and complete the following steps:
    1. From the tanadmin menu, enter 2 to go to the Tanium Operations menu.
    2. Enter B to go to the Cluster Configuration menu.
    3. Enter 2 and then follow the prompts to configure the connection with the first member and join the cluster.

Verify the installation

  1. Deploy the Tanium Client to endpoints. When you configure client settings, specify both server names so the Tanium Clients use the ServerNameList setting to select a Tanium Server. See the Tanium Client Deployment Guide.
  2. In Interact, ask Get Computer Name and Tanium Server Name from all machines and verify that both Tanium Servers are active.
  3. Verify that both servers can download packages with URL-specified files when such a package is created or imported. Distribute Copy Tools is an example of a package with URL-specified files:
    1. Go to Authoring > Packages.
    2. Select the row for Distribute Copy Tools.
    3. Click Status and check that the files have been downloaded and are now cached on both servers.
  4. Create a new package and specify a locally uploaded file. After you have saved the package, wait a moment for cluster sync to occur, and then check that the files are downloaded and cached by both servers.
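As an added example that is not part of this guide or of Tanium's own tooling, the following Python script automates steps 1 and 2 above: it builds the ServerNameList value from the two server names and checks a CSV export of the Interact question for a member that no client has registered with. The server names ts1.example.com and ts2.example.com, the client port 17472, the two-column export layout and the export rows are assumptions constructed for the demo.

```python
"""Verify that both cluster members are serving clients, from an Interact export.

Added example, not Tanium code. It parses a CSV export of the question
"Get Computer Name and Tanium Server Name from all machines" and reports how
many endpoints registered with each server. The export text, the server names
and the client port 17472 are assumptions constructed for the demo.
"""
import csv
import io
from collections import Counter
from typing import Dict, List

EXPECTED_SERVERS = ["ts1.example.com", "ts2.example.com"]  # assumed cluster member names


def server_name_list(servers: List[str], port: int = 17472) -> str:
    """Build the comma-separated ServerNameList value for the Tanium Client configuration."""
    return ",".join(f"{name}:{port}" for name in servers)


def clients_per_server(export_text: str) -> Counter:
    """Count endpoints by the 'Tanium Server Name' column of the export."""
    reader = csv.DictReader(io.StringIO(export_text))
    counts: Counter = Counter()
    for row in reader:
        name = (row.get("Tanium Server Name") or "").strip()
        if name:
            counts[name] += 1
    return counts


def cluster_check(export_text: str, expected: List[str] = EXPECTED_SERVERS) -> Dict[str, object]:
    """Flag members with no clients (a down or unreachable server) and names outside the cluster."""
    counts = clients_per_server(export_text)
    idle = [s for s in expected if counts[s] == 0]
    unexpected = sorted(set(counts) - set(expected))
    return {
        "counts": dict(counts),
        "idle_servers": idle,
        "unexpected_servers": unexpected,
        "ok": not idle and not unexpected,
    }


# Constructed export: clients spread across both members.
SAMPLE_EXPORT_OK = """Computer Name,Tanium Server Name
ws-001,ts1.example.com
ws-002,ts2.example.com
ws-003,ts1.example.com
srv-db01,ts2.example.com
srv-web01,ts1.example.com
"""

# Constructed export: every client landed on the first member, which is what you
# see when the second server is down or the clients were deployed with a
# single-entry ServerNameList.
SAMPLE_EXPORT_ONE_SIDED = """Computer Name,Tanium Server Name
ws-001,ts1.example.com
ws-002,ts1.example.com
ws-003,ts1.example.com
"""

if __name__ == "__main__":
    print("ServerNameList =", server_name_list(EXPECTED_SERVERS))
    for label, export in (("ok", SAMPLE_EXPORT_OK), ("one-sided", SAMPLE_EXPORT_ONE_SIDED)):
        print(label, cluster_check(export))
```

A member with zero registered clients right after deployment is not proof of failure (clients may simply have chosen the other entry), but it is the signal to look at before trusting the cluster for failover: confirm the idle server's name resolves and its port is reachable from the client network, and re-check after clients have had time to re-register.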

Last updated: 12/5/2019 3:52 PM