Installing Tanium Server in an active-active cluster

High-availability (HA) features support Tanium™ Server availability even when there is a failure or scheduled maintenance.

The active-active cluster setup workflow installs the Tanium Server and a database server on each appliance, makes updates in the configuration database, and copies the SSL certificates and SSH public/private key pair from the first appliance to the second appliance.

Overview

HA clustering is not required to scale Tanium capacity or to improve performance. You can size the host system hardware and OS of standalone platform servers to meet your capacity and performance requirements. Rather, the Tanium Core Platform supports HA active-active clustering of Tanium Server to ensure continuous availability in the event of an outage or scheduled maintenance.

The following figure shows an HA topology. In an active-active deployment:

  • Tanium Clients use a Tanium Server list to automatically find a backup server in the event the first Tanium Server assigned to them is unavailable.
  • The Tanium Servers read and write to the database co-located on the first appliance. Data is periodically replicated from the first appliance database to the second appliance database.
  • The local authentication user configuration is periodically synchronized between the two appliances.
  • IPsec ensures end-to-end security between the two appliances.
  • Each cluster member has a Tanium Console with its own URL.
  • Tanium solution modules are installed on a shared Module Server. However, they must be imported in each Tanium Console in order to be accessed from each.
  • Each server passes Tanium messages (for example, answers to questions) to the other cluster members.
  • Package files that are uploaded to one member are synchronized to the other cluster members.
  • Follow database administration best practices to ensure availability of the database server and that the Tanium databases and related database objects are backed up routinely.
Figure 1: HA topology

HA cluster requirements and limitations

An HA deployment has the following requirements:

  • Each Tanium Server must run the same software version, including build number (for example, each must have build number 7.3.314.3424).
  • Each Tanium Server in the cluster must meet or exceed the requirements for the total number of endpoints targeted by your deployment. (Each must be able to independently handle load from the full deployment in the event of failure.)
  • The cluster members must be able to connect to each other via a reliable Ethernet connection. A minimum 1 Gbps connection is required.
  • Each cluster member must be able to access the Internet to download files from designated domains. Access can be direct or made through a proxy server.
  • Each cluster member must be able to connect to the shared Module Server.

Before you begin

Make sure:

  • Basic network, host, and user settings are configured on both appliances. See Completing the initial setup (hardware appliances).
  • A network interface on each Tanium Server appliance is allocated for the HA cluster communication (recommended).

    The interfaces used for the HA cluster communication do not need a default gateway and should not be configured with one.

    Specify the IP addresses of the HA interfaces when you configure the IPsec tunnel.

    Specify the IP addresses of the Tanium traffic interfaces when you configure the HA cluster IP addresses.

  • Your network security administrator has configured security rules to allow communication on the TCP ports that the Tanium Core Platform components use. In addition to the ports used by individual Tanium Servers, a Tanium Server in an HA cluster sends and receives HA-related data over an IPsec connection. The network security rules must allow ESP (IP protocol 50) and IKE (500/udp and 4500/udp).
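A pre-flight check for the two requirements above that are easy to get wrong before the cluster is built: identical build numbers on both members, and the IPsec traffic (ESP, IKE 500/udp and 4500/udp) permitted between the HA interfaces in both directions. This is an added example, not Tanium's own tooling; the member records, the `(src, dst, proto, port)` rule format and the 192.0.2.x addresses are constructed assumptions standing in for whatever your firewall exports.

```python
"""Pre-flight check for a Tanium Server HA pair (added example, not Tanium code)."""
from __future__ import annotations

# Traffic the HA IPsec tunnel needs between cluster members: (protocol, port).
# ESP has no port; IKE uses 500/udp and 4500/udp (NAT traversal).
IPSEC_REQUIRED = (("esp", None), ("udp", 500), ("udp", 4500))


def ha_preflight(members: list[dict], allow_rules: list[tuple]) -> list[str]:
    """Return a list of findings; an empty list means both checks passed.

    members:     [{"name": ..., "version": "7.3.314.3424", "ha_ip": ...}, ...]
    allow_rules: [(src_ip, dst_ip, proto, port_or_None), ...] already permitted
    """
    findings: list[str] = []

    # 1. Every member must run the same software version, build number included.
    versions = {m["version"] for m in members}
    if len(versions) != 1:
        findings.append(f"build numbers differ: {sorted(versions)}")

    # 2. ESP and IKE must be allowed from each HA interface to every other one.
    allowed = {(s, d, p.lower(), port) for s, d, p, port in allow_rules}
    for src in members:
        for dst in members:
            if src is dst:
                continue
            for proto, port in IPSEC_REQUIRED:
                if (src["ha_ip"], dst["ha_ip"], proto, port) not in allowed:
                    label = proto if port is None else f"{port}/{proto}"
                    findings.append(f"{label} not allowed {src['name']} -> {dst['name']}")
    return findings


# Constructed sample: two appliances and a rule set missing one IKE rule.
SAMPLE_MEMBERS = [
    {"name": "ts1", "version": "7.3.314.3424", "ha_ip": "192.0.2.1"},
    {"name": "ts2", "version": "7.3.314.3424", "ha_ip": "192.0.2.2"},
]
SAMPLE_RULES = [
    ("192.0.2.1", "192.0.2.2", "esp", None), ("192.0.2.2", "192.0.2.1", "esp", None),
    ("192.0.2.1", "192.0.2.2", "udp", 500),  ("192.0.2.2", "192.0.2.1", "udp", 500),
    ("192.0.2.1", "192.0.2.2", "udp", 4500),  # 4500/udp ts2 -> ts1 is missing
]

if __name__ == "__main__":
    for finding in ha_preflight(SAMPLE_MEMBERS, SAMPLE_RULES) or ["pre-flight OK"]:
        print(finding)
```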

Add required SSH keys

An SSH key exchange is used to securely copy files from the first Tanium Server to the second Tanium Server during installation.

  1. Start two SSH terminal sessions so you can copy and paste between them:
    • First Tanium Server
    • Second Tanium Server
  2. Log into the first Tanium Server appliance as the user tanadmin.

    The TanOS console displays the tanadmin menu.

  3. Enter C to go to the User Administration menu.
  4. Enter 3 to go to the SSH Key Management menu.
  5. Enter the line number for tanadmin to display the key management menu for this user.
  6. Enter 2 to display the public key.
  7. Copy the contents of the public key to the clipboard.
  8. Log into the second Tanium Server appliance as the user tanadmin.
  9. Enter C to go to the User Administration menu.
  10. Enter 3 to go to the SSH Key Management menu.
  11. Enter the line number for the tancopy user.
  12. Enter 3 to go to the Authorized Keys menu.
  13. Enter 2 and then follow the prompts to paste the contents of the Tanium Server tanadmin user public key file you copied in Step 7.

Set up the IPsec tunnel

IPsec is used to ensure end-to-end security between the two appliances.

  1. Start two SSH terminal sessions so you can copy and paste between them:
    • First Tanium Server
    • Second Tanium Server
  2. Log into the first Tanium Server appliance as the user tanadmin.
  3. Enter A to go to the Appliance Configuration menu.
  4. Enter 2 to go to the Networking Configuration menu.
  5. Enter 2 to go to the IPsec menu.
  6. Log into the second Tanium Server appliance as the user tanadmin.
  7. Go to the IPsec menu.
  8. Enter 1 to display the local IPsec host key.
  9. Copy it to the clipboard.
  10. Go back to the first appliance.
  11. Enter 3 and follow the prompts to configure this side of the IPsec tunnel. Paste the IPsec host key for the second appliance.
  12. Enter 1 to display the local IPsec host key for the first appliance and copy it to the clipboard so you can paste it into the configuration for the second appliance.
  13. Go back to the second appliance.
  14. Go to the IPsec menu.
  15. Enter 3 and follow the prompts to configure this side of the IPsec tunnel. Paste the IPsec host key for the first appliance.
  16. Enter 6 to test the connection from this side.
  17. Go back to the first appliance.
  18. Enter 6 to test the connection from this side.

Deploy the HA cluster

  1. Complete the installation for the first Tanium Server as described in Installing Tanium Server.
  2. Complete the installation for the second Tanium Server as described in Installing Tanium Server.
  3. Complete the installation for the Tanium Module server as described in Installing Tanium Module Server. Be sure to configure a remote Module Server connection for each Tanium Server.
  4. Log into the first Tanium Server appliance as the user tanadmin.
  5. Enter 2 to go to the Tanium Operations menu.
  6. Enter B to go to the Cluster Configuration menu.
  7. Enter 1 and then follow the prompts to configure the connection with the second member and initialize the HA cluster.
  8. Log into the second Tanium Server appliance as the user tanadmin.
  9. Enter 2 to go to the Tanium Operations menu.
  10. Enter B to go to the Cluster Configuration menu.
  11. Enter 2 and then follow the prompts to configure the connection with the first member and join the HA cluster.

Verify the installation

  1. Deploy the Tanium Client to endpoints. When you configure client settings, specify both server names so the Tanium Clients use the ServerNameList setting to select a Tanium Server. See the Tanium Client Deployment Guide.
  2. In Interact, ask Get Computer Name and Tanium Server Name from all machines and verify that both Tanium Servers are active.
  3. Verify that both servers can download packages with URL-specified files when such a package is created or imported. Distribute Copy Tools is an example of a package with URL-specified files:
    1. Go to Authoring > Packages.
    2. Select the row for Distribute Copy Tools.
    3. Click Status and check that the files have been downloaded and are now cached on both servers.
  4. Create a new package and specify a locally uploaded file. After you have saved the package, wait a moment for HA sync to occur, and then check that the files are downloaded and cached by both servers.

Last updated: 11/8/2018 3:04 PM