Deploying a standby Module Server

TanOS supports configuration and data sync from an active Tanium Module Server appliance to a standby Module Server appliance. Data, including the Module Server database, is copied to the standby appliance on demand or according to a schedule that you specify.

To protect data consistency, the scheduled TMS sync job stops each solution module service, performs the synchronization, and restarts the service before stopping the next solution module service. Be sure to determine a TMS sync schedule that does not disrupt solution module processes. You might have to adjust scheduled activities for the solution modules accordingly.

Requirements and limitations

A redundant cluster deployment has the following requirements:

Each Module Server must be installed on the same appliance model (size).
Each Module Server must run the same software version, including build number (for example, each must have build number 7.3.314.3424).
The two Module Servers must be able to connect to each other via a reliable Ethernet connection. The connection requires a minimum throughput of 1 Gbps and a maximum round-trip latency of 30 ms.

Before you begin

Configure basic network, host, and user settings on both appliances.
- For Tanium Cloud Appliances, see Completing the initial setup (Tanium Cloud Appliance).
- For Tanium Physical Appliances, see Completing the initial setup (Tanium Physical Appliance).
- For Tanium Virtual Appliances, see Completing the initial setup (Tanium Virtual Appliance).

Specify the IP addresses of the redundant cluster interfaces when you configure the IPsec tunnel.
Specify the IP addresses of the Tanium traffic interfaces when you configure the Module Server IP addresses.

Make sure your network security administrator has configured security rules to allow communication on the TCP ports that the Tanium core platform components use. In addition to the ports used by individual Module Servers, a Module Server in a cluster sends and receives sync traffic over an IPsec connection. The network security rules must allow ESP (50/ip) and IKE (500/udp, 4500/udp).
Install the active Module Server and complete the steps to set up the remote Module Server configuration on both the Tanium Server and Module Server as described in Documentation Home > Tanium Core Platform > Tanium Appliance Deployment Guide.
Install the standby Module Server as described in Documentation Home > Tanium Core Platform > Tanium Appliance Deployment Guide. Do not configure the Tanium Server to use the standby Module Server or enable the remote Module Server except in the event of failover. For failover instructions, see Deploying a standby Module Server.

Set up the IPsec tunnel

IPsec is used to ensure end-to-end security between the two appliances.

Start two SSH terminal sessions so you can copy and paste between them:
- First Module Server
- Second Module Server

Enter A to go to the Appliance Configuration menu.

View screen

------------------------------------------------------

           >>> Appliance Configuration <<< 

         1: Hostname/DNS Configuration
         2: Networking Configuration
         3: NTP Configuration
         4: Syslog Configuration
         5: SNMP Configuration
         6: Module File Share Configuration
         7: Reset all NICs to DHCP (VM only)

         A: Security
         I: iDRAC Management
         X: Advanced Configuration

         R: Return to previous menu  RR: Return to top

------------------------------------------------------

Enter 2 to go to the Networking Configuration menu.

View screen

------------------------------------------------------

     >>> Appliance Configuration -> Networking <<< 

          1: Network Interfaces
          2: IPSEC Configuration
          3: Routing Configuration
          4: Restart Networking

          T: NIC Teaming

          R: Return to previous menu  RR: Return to top

------------------------------------------------------

Enter 2 to go to the IPSEC menu.

View screen

------------------------------------------------------

    >>> Appliance Configuration -> IP -> IPSEC <<< 

          1: Display Local IPSEC host key
          2: Display IPSEC Configuration
          3: Configure IPSEC
          4: Delete IPSEC
          5: Restart IPSEC
          6: Test IPSEC

          R: Return to previous menu  RR: Return to top

------------------------------------------------------

On the second appliance, copy the IPsec host key to the clipboard:

From the IPSEC menu (A-2-2), enter 1 to view the local IPsec host key.

View screen

>>> Appliance Configuration -> IP -> IPSEC -> Display Host Key <<< 

 Local Host Key Information:

0sAwEAAbnlzZ6venWVMdFLWEHGNEd6bMnNMVBkH+Ye3f7y360CbeBa6SSTOzI0NqHNOCnTWBDEMVWpfE3Dk/2feh1rjH
pNpMdhknhO5+8B47Q9HsH7DEGN4VoybNtH42xVKnApD51CGkH4Ns2o7JfHLUo+Dkv1Tw03b2vGNs/m//bLcUHwFKQLd1
xKNOkR4BhbQ0d7AVctY5tIKzhA8BS+aIkI7XuKCfy9YEMPOgyWVvPY2UTRXwvTcvK0+JHyxuu0UL6yvIVKeV1H8ohSbr
DD213ut8lDQJ6KbJQ5Zl/x3A0LrgTg8l0jNCGIB6d0oPiKpL7vePApViTTAgGh2l2b3KiwZldH6fof/h+dADWWuwcgge
k4NzyI1DRtBbdA5bWuAEYdzC3038/N++FQnKJ5QRXe+b9O9aHf8VTUjZbFWc/5Q0wYeQ1GoTny1OiWArEDJUoW8IYUQI
qPvmItG76zKwfIL1z07dMIAs71W3L/X0QthogKCAYYawktpgukqJ3HHGkAWQFHgHKoJxVhJeF4Lw46G2OQaO1Eg5LHzY
GS6BnEUG896yXvlxZJWZgG7Y9yj3mIea9ltV7/ifPIbXoMRkWMYbnK81biqw1j2yPJfj6MrHet5LrI+kUpA8FUCgY1tI
dQPdXMU6F0K+wWapSzCtbs8D343LYOMmiKgP2rZpFPOEc9

 Press enter to continue

Copy the key to the clipboard.

On the first appliance, from the IPSEC menu, enter 3 and follow the prompts to configure the IPsec tunnel on the first appliance. When prompted, paste the IPsec host key for the second appliance.

View screen

>>> Appliance Configuration -> IP -> IPSEC -> Configure IPSEC <<< 

 To configure IPSEC connectivity between TanOS systems the following information is required

 - Local IP address
 - Remote IP address
 - Remote host key

 Any exiting configuration will be overwritten!

 Would you like to continue with IPSEC configuration? [Yes|No]: yes
 Please provide the local ip address: 192.168.76.101
 Please provide the remote ip address: 192.168.76.102
 Please provide the remote hostkey: 0sAwEAAbnlzZ6venWVMdFLWEHGNEd6bMnNMVBkH+Ye3f7y360CbeBa6SSTO
zI0NqHNOCnTWBDEMVWpfE3Dk/2feh1rjHpNpMdhknhO5+8B47Q9HsH7DEGN4VoybNtH42xVKnApD51CGkH4Ns2o7JfHLUo+
Dkv1Tw03b2vGNs/m//bLcUHwFKQLd1xKNOkR4BhbQ0d7AVctY5tIKzhA8BS+aIkI7XuKCfy9YEMPOgyWVvPY2UTRXwvTcvK
0+JHyxuu0UL6yvIVKeV1H8ohSbrDD213ut8lDQJ6KbJQ5Zl/x3A0LrgTg8l0jNCGIB6d0oPiKpL7vePApViTTAgGh2l2b3K
iwZldH6fof/h+dADWWuwcggek4NzyI1DRtBbdA5bWuAEYdzC3038/N++FQnKJ5QRXe+b9O9aHf8VTUjZbFWc/5Q0wYeQ1Go
Tny1OiWArEDJUoW8IYUQIqPvmItG76zKwfIL1z07dMIAs71W3L/X0QthogKCAYYawktpgukqJ3HHGkAWQFHgHKoJxVhJeF4
Lw46G2OQaO1Eg5LHzYGS6BnEUG896yXvlxZJWZgG7Y9yj3mIea9ltV7/ifPIbXoMRkWMYbnK81biqw1j2yPJfj6MrHet5Lr
I+kUpA8FUCgY1tIdQPdXMU6F0K+wWapSzCtbs8D343LYOMmiKgP2rZpFPOEc9

On the first appliance, copy the IPsec host key to the clipboard:
1. From the IPSEC menu, enter 1 to view the local IPsec host key.
2. Copy the key to the clipboard.
Go to the second appliance and complete the IPsec configuration:
1. From the IPSEC menu, enter 3 and follow the prompts to configure the IPsec tunnel on the second appliance. When prompted, paste the IPsec host key for the first appliance.
2. Enter 6 to test the connection from the second appliance. View screen
```
>>> Appliance Configuration -> IP -> IPSEC -> Test IPSEC <<< 

 Testing secured connectivity to the remote ip.

 Secure connectivity to remote IP 192.168.76.101 is working


 Press enter to continue
```
Go back to the first appliance and enter 6 to test the connection.

Assign Tanium Module Server synchronization role

Indicate which Tanium Module Server in the deployment is the source for synchronization data and which is the target for synchronized data. Specify the active Tanium Module Server as the source, which sends data to the standby Tanium Module Server.

In the event of failover, you can promote the standby Tanium Module Server, which prevents it from receiving data. For more information, see Deploying a standby Module Server.

Sign into the Tanium Server appliance as a user with the tanadmin role.
Enter 2 to go to the Tanium Operations menu.

Enter A to go to the Configure Module Server(s) menu.

View screen

>>> Tanium Operations -> Configure Module Server(s) <<< 

Active Module Server: tms1.test.tanium.local

Module Server 1:
  Name: tms1.test.tanium.local
  TMS Sync Role:  source
  TMS Sync Ready: no

Module Server 2:
  Name: tms2.test.tanium.local
  TMS Sync Role:  target
  TMS Sync Ready: yes

             TMS Failover 
          P: Promote TMS
          S: Assign TMS Sync Role

             Manual TMS Configuration 
          1: Step 1 -> Configure Module Server Address (on Tanium Server) 
          2: Step 2 -> Register Module Server (on Tanium Module Server) 
          3: Read about Remote Module Server configuration

          R: Return to previous menu  RR: Return to top

Enter S to open the Assign TMS Role screen.

View screen

>>> Tanium Operations -> Configure Module Server(s) -> Assign TMS Role <<< 

Active Module Server: tms1.test.tanium.local

Module Server 1:
  Name: tms1.test.tanium.local
  TMS Sync Role:  source
  TMS Sync Ready: no

Module Server 2:
  Name: tms2.test.tanium.local
  TMS Sync Role:  target
  TMS Sync Ready: yes

          1: tms1.test.tanium.local
          2: tms2.test.tanium.local

          R: Return to previous menu  RR: Return to top

 Please select:

Enter the line number of the Tanium Module Server to use as the synchronization source. This is the active Module Server that sends data to the inactive target Module Server.

View screen

>>> Tanium Operations -> Configure Module Server(s) -> Assign TMS Role <<< 

          S: Enable TMS Sync as Source
          T: Enable TMS Sync as Target
          D: Disable TMS Sync

          R: Return to previous menu  RR: Return to top

          Please select:  S
          Press enter to continue

Enter S to enable the selected appliance as the synchronization source and press Enter.
The TanOS console redirects to the Configure Module Server(s) menu.
Enter S to open the Assign TMS Sync Role screen.
Enter the number of the Tanium Module Server to use as the synchronization target. This is the standby Module Server that receives data from the source Module Server.
Enter T and press Enter to enable the selected appliance as the synchronization target and enable synchronization between the source and target.

Perform a manual sync

Sign in to the source Module Server appliance as a user with the tanadmin role.
Enter 2 to go to the Tanium Operations menu.
Enter D to go to the Module Server Sync menu.

Enter 4 to initiate sync. The sync job details are logged to the screen.

View screen

------------------------------------------------------
   >>> Tanium Operations -> Module Server Sync <<< 

IPSEC: Ready
Remote: 192.168.76.104
Role: Active sync (source)
Last return code: OK
Sync Connectivity: Not Ready

         1: Show Detailed Status
         2: Configure IPSEC
         3: Configure TMS Sync
         4: Sync Now 
         5: Schedule Sync
			
         V: View Sync Log

         R: Return to previous menu  RR: Return to top
------------------------------------------------------


Please select: 4

Secured connectivity to remote IP 192.168.76.104 is working

 Thu May 16 20:52:14 UTC 2019 Synchronizing dir Tanium ModuleServer - Started
 Thu May 16 20:52:15 UTC 2019 Synchronizing dir Tanium ModuleServer - 85 files updated. 
 sent 121,565 bytes  received 611 bytes  244,352.00 bytes/sec
 Thu May 16 20:52:15 UTC 2019 Synchronizing dir Tanium ModuleServer - Completed
Press enter to continue