Taniumâ„¢ Appliance 1.3 Installation Guide

PDF 1.3
PDF 1.2
  • All Files
Documentation Home > Tanium Appliance Installation Guide

Deploying a standby Module Server

TanOS supports configuration and data sync from a primary Module Server appliance to a standby Module Server appliance. Data is copied every hour to the standby appliance. The Module Server service on the standby appliance is not enabled.

In the event the primary Module Server appliance is taken out of service:

  1. Enable the Module Server service on the standby appliance.
  2. Reconfigure the Taniumâ„¢ Server(s) connection to the remote Module Server so that it uses the IP address and hostname for the newly active Module Server.

Requirements and limitations

A high-availability (HA) deployment has the following requirements:

  • Each Module Server must be installed on the same appliance model (size).
  • Each Module Server must run the same software version, including build number (for example, each must have build number 7.3.314.3424).
  • The two Module Servers must be able to connect to each other via a reliable Ethernet connection. A minimum 1 Gbps connection is required.

Before you begin

Make sure:

  • Basic network, host, and user settings are configured on both appliances. See Completing the initial setup (hardware appliances).

    • We recommend you allocate a network interface on each Module Server appliance for the HA sync communication.

    The interfaces used for the HA sync communication should not be configured with a default gateway and do not need a default gateway.

    Specify the IP addresses of the HA interfaces when you configure the IPsec tunnel.

    Specify the IP addresses of the Tanium traffic interfaces when you configure the Module Server IP addresses.

  • Your network security administrator has configured security rules to allow communication on the TCP ports that the Tanium core platform components use. In addition to the ports used by individual Module Servers, a Module Server in an HA cluster sends and receives sync traffic over an IPsec connection. The network security rules must allow ESP (50/ip) and IKE (500/udp, 4500/udp).

Set up the IPsec tunnel

IPsec is used to ensure end-to-end security between the two appliances.

  1. Start two SSH terminal sessions so you can copy and paste between them:
    • First Module Server
    • Second Module Server
  2. Log into the first Module Server appliance as the user tanadmin.
  3. Enter A to go to the Appliance Configuration menu.
  4. Enter 2 to go to the Networking Configuration menu.
  5. Enter 2 to go to the IPsec menu.
  6. Log into the second Module Server appliance as the user tanadmin.
  7. Go to the IPsec menu.
  8. Enter 1 to display the local IPsec host key.
  9. Copy it to the clipboard.
  10. Go back to the first appliance.
  11. Enter 3 and follow the prompts to configure this side of the IPsec tunnel. Paste the IPsec host key for the second appliance.
  12. Enter 1 to display the local IPsec host key for the first appliance and copy it to the clipboard so you can paste it into the configuration for the second appliance.
  13. Go back to the second appliance.
  14. Go to the IPsec menu.
  15. Enter 3 and follow the prompts to configure this side of the IPsec tunnel. Paste the IPsec host key for the first appliance.
  16. Enter 6 to test the connection from this side.
  17. Go back to the first appliance.
  18. Enter 6 to test the connection from this side.

Configure Sync

  1. Install the primary Module Server and complete the steps to set up the remote Module Server configuration on both the Tanium Server and Module Server as described in Installing Tanium Module Server.
  2. Install the standby Module Server but do not complete the steps to set up the remote Module Server configuration. You complete those steps only when making the standby Module Server active.
  3. Log into the standby Module Server appliance as the user tanadmin.
  4. Enter 2 to go to the Tanium Operations menu.
  5. Enter D to go to the Module Server Sync menu.
  6. Enter 2 and then follow the prompts to enable sync on the standby Module Server.
  7. Log into the primary Module Server appliance as the user tanadmin.
  8. Enter 2 to go to the Tanium Operations menu.
  9. Enter D to go to the Module Server Sync menu.
  10. Enter 2 and then follow the prompts to enable sync on the primary Module Server.


Check sync status

  1. Log into the Module Server appliance as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter D to go to the Module Server Sync menu.
  4. Enter 1 to view the status.

Last updated: 11/8/2018 3:04 PM | Feedback