Deploying a standby Module Server

TanOS supports configuration and data sync from a primary Module Server appliance to a standby Module Server appliance. Data, including the Module Server database, is copied to the standby appliance on demand or according to a schedule that you specify.

Requirements and limitations

A redundant cluster deployment has the following requirements:

• Each Module Server must be installed on the same appliance model (size).
• Each Module Server must run the same software version, including build number (for example, each must have build number 7.3.314.3424).
• The two Module Servers must be able to connect to each other via a reliable Ethernet connection. The connection requires a minimum throughput of 1 Gbps and a maximum round-trip latency of 30 ms.

Before you begin

• Configure basic network, host, and user settings on both appliances. See Completing the initial setup (Tanium Cloud Appliance).For physical appliances, see Completing the initial setup (hardware appliances). For virtual appliances, see Completing the initial setup (virtual appliances).
• Specify the IP addresses of the redundant cluster interfaces when you configure the IPsec tunnel.
• Specify the IP addresses of the Tanium traffic interfaces when you configure the Module Server IP addresses.
• Make sure your network security administrator has configured security rules to allow communication on the TCP ports that the Tanium core platform components use. In addition to the ports used by individual Module Servers, a Module Server in a cluster sends and receives sync traffic over an IPsec connection. The network security rules must allow ESP (50/ip) and IKE (500/udp, 4500/udp).
• Install the primary Module Server and complete the steps to set up the remote Module Server configuration on both the Tanium Server and Module Server as described in Installing an individual Tanium Module Server.
• Install the standby Module Server as described in Install the Tanium Module Server. Do not configure the Tanium Server to use the standby Module Server or enable the remote Module Server except in the event of failover. For failover instructions, see Promote the standby Module Server.

Set up the IPsec tunnel

IPsec is used to ensure end-to-end security between the two appliances.

1. Start two SSH terminal sessions so you can copy and paste between them:
   • First Module Server
   • Second Module Server
2. Sign in to each of the Module Server appliances as a user with the tanadmin role and go to the IPsec menu:
   1. Enter A to go to the Appliance Configuration menu. View screen

      ------------------------------------------------------
      
                 >>> Appliance Configuration <<< 
      
               1: Hostname/DNS Configuration
               2: Networking Configuration
               3: NTP Configuration
               4: Syslog Configuration
               5: SNMP Configuration
               6: Module File Share Configuration
               7: Reset all NICs to DHCP (VM only)
      
               A: Security
               X: Advanced Configuration
      
               H: Help
               R: Return to previous menu
      
      ------------------------------------------------------

      ------------------------------------------------------
      
                 >>> Appliance Configuration <<< 
      
               1: Hostname/DNS Configuration
               2: Networking Configuration
               3: NTP Configuration
               4: Syslog Configuration
               5: SNMP Configuration
               6: Module File Share Configuration
      
               A: Security
               X: Advanced Configuration
      
               H: Help
               R: Return to previous menu
      
      ------------------------------------------------------

   2. Enter 2 to go to the Networking Configuration menu. View screen

      ------------------------------------------------------
      
           >>> Appliance Configuration -> Networking <<< 
      
                1: Network Interfaces
                2: IPSEC Configuration
                3: Routing Configuration
                4: Restart Networking
      
                T: NIC Teaming
      
                H: Help
                R: Return to previous menu
      
      ------------------------------------------------------

       ------------------------------------------------------
      
           >>> Appliance Configuration -> Networking <<< 
      
                1: Network Interfaces
                2: IPSEC Configuration
                3: Routing Configuration
                4: Restart Networking
      
                H: Help
                R: Return to previous menu
      
       ------------------------------------------------------

   3. Enter 2 to go to the IPSEC menu. View screen

      ------------------------------------------------------
      
          >>> Appliance Configuration -> IP -> IPSEC <<< 
      
                1: Display Local IPSEC host key
                2: Display IPSEC Configuration
                3: Configure IPSEC
                4: Delete IPSEC
                5: Restart IPSEC
                6: Test IPSEC
      
                H: Help
                R: Return to previous menu
      
      ------------------------------------------------------

3. On the second appliance, copy the IPsec host key to the clipboard:
   1. From the IPSEC menu (A-2-2), enter 1 to view the local IPsec host key. View screen

      >>> Appliance Configuration -> IP -> IPSEC -> Display Host Key <<< 
      
       Local Host Key Information:
      
      0sAwEAAbnlzZ6venWVMdFLWEHGNEd6bMnNMVBkH+Ye3f7y360CbeBa6SSTOzI0NqHNOCnTWBDEMVWpfE3Dk/2feh1rjHpNp
      MdhknhO5+8B47Q9HsH7DEGN4VoybNtH42xVKnApD51CGkH4Ns2o7JfHLUo+Dkv1Tw03b2vGNs/m//bLcUHwFKQLd1xKNOkR
      4BhbQ0d7AVctY5tIKzhA8BS+aIkI7XuKCfy9YEMPOgyWVvPY2UTRXwvTcvK0+JHyxuu0UL6yvIVKeV1H8ohSbrDD213ut8l
      DQJ6KbJQ5Zl/x3A0LrgTg8l0jNCGIB6d0oPiKpL7vePApViTTAgGh2l2b3KiwZldH6fof/h+dADWWuwcggek4NzyI1DRtBb
      dA5bWuAEYdzC3038/N++FQnKJ5QRXe+b9O9aHf8VTUjZbFWc/5Q0wYeQ1GoTny1OiWArEDJUoW8IYUQIqPvmItG76zKwfIL
      1z07dMIAs71W3L/X0QthogKCAYYawktpgukqJ3HHGkAWQFHgHKoJxVhJeF4Lw46G2OQaO1Eg5LHzYGS6BnEUG896yXvlxZJ
      WZgG7Y9yj3mIea9ltV7/ifPIbXoMRkWMYbnK81biqw1j2yPJfj6MrHet5LrI+kUpA8FUCgY1tIdQPdXMU6F0K+wWapSzCtb
      s8D343LYOMmiKgP2rZpFPOEc9
      
       Press enter to continue

   2. Copy the key to the clipboard.
4. On the first appliance, from the IPSEC menu, enter 3 and follow the prompts to configure the IPsec tunnel on the first appliance. When prompted, paste the IPsec host key for the second appliance. View screen

   >>> Appliance Configuration -> IP -> IPSEC -> Configure IPSEC <<< 
   
    To configure IPSEC connectivity between TanOS systems the following information is required
   
    - Local IP address
    - Remote IP address
    - Remote host key
   
    Any exiting configuration will be overwritten!
   
    Would you like to continue with IPSEC configuration? [Yes|No]: yes
    Please provide the local ip address: 192.168.76.101
    Please provide the remote ip address: 192.168.76.102
    Please provide the remote hostkey: 0sAwEAAbnlzZ6venWVMdFLWEHGNEd6bMnNMVBkH+Ye3f7y360CbeBa6SSTO
   zI0NqHNOCnTWBDEMVWpfE3Dk/2feh1rjHpNpMdhknhO5+8B47Q9HsH7DEGN4VoybNtH42xVKnApD51CGkH4Ns2o7JfHLUo+
   Dkv1Tw03b2vGNs/m//bLcUHwFKQLd1xKNOkR4BhbQ0d7AVctY5tIKzhA8BS+aIkI7XuKCfy9YEMPOgyWVvPY2UTRXwvTcvK
   0+JHyxuu0UL6yvIVKeV1H8ohSbrDD213ut8lDQJ6KbJQ5Zl/x3A0LrgTg8l0jNCGIB6d0oPiKpL7vePApViTTAgGh2l2b3K
   iwZldH6fof/h+dADWWuwcggek4NzyI1DRtBbdA5bWuAEYdzC3038/N++FQnKJ5QRXe+b9O9aHf8VTUjZbFWc/5Q0wYeQ1Go
   Tny1OiWArEDJUoW8IYUQIqPvmItG76zKwfIL1z07dMIAs71W3L/X0QthogKCAYYawktpgukqJ3HHGkAWQFHgHKoJxVhJeF4
   Lw46G2OQaO1Eg5LHzYGS6BnEUG896yXvlxZJWZgG7Y9yj3mIea9ltV7/ifPIbXoMRkWMYbnK81biqw1j2yPJfj6MrHet5Lr
   I+kUpA8FUCgY1tIdQPdXMU6F0K+wWapSzCtbs8D343LYOMmiKgP2rZpFPOEc9

5. On the first appliance, copy the IPsec host key to the clipboard:
   1. From the IPSEC menu, enter 1 to view the local IPsec host key.
   2. Copy the key to the clipboard.
6. Go to the second appliance and complete the IPsec configuration:
   1. From the IPSEC menu, enter 3 and follow the prompts to configure the IPsec tunnel on the second appliance. When prompted, paste the IPsec host key for the first appliance.
   2. Enter 6 to test the connection from the second appliance. View screen

      >>> Appliance Configuration -> IP -> IPSEC -> Test IPSEC <<< 
      
       Testing secured connectivity to the remote ip.
      
       Secure connectivity to remote IP 192.168.76.101 is working
      
      
       Press enter to continue

7. Go back to the first appliance and enter 6 to test the connection.

Assign Tanium Module Server synchronization role

Indicate which Tanium Module Server in the deployment is the source for synchronization data and which is the target for synchronized data. Specify the active, or primary, Tanium Module Server as the source, which sends data to the standby, or secondary, Tanium Module Server.

In the event of failover, you can promote the standby Tanium Module Server, which prevents it from receiving data. For more information, see Promote the standby Module Server.

1. Sign into the Tanium Server appliance as a user with the tanadmin role.
2. Enter 2 to go to the Tanium Operations menu.
3. Enter A to go to the Configure Module Server(s) menu. View screen

   ------------------------------------------------------
   
   			>>> Tanium Operations -> Configure Module Server(s) 
   
   				Active Module Server: tms1.test.tanium.local
   
   				Module Server 1:
   				Name: tms1.test.tanium.local
   				TMS Sync Role:  source
   				TMS Sync Ready: no
   
   				Module Server 2:
   				Name: tms2.test.tanium.local
   				TMS Sync Role:  target
   				TMS Sync Ready: yes
   
   				TMS Failover
   				P: Promote TMS
   				S: Assign TMS Sync Role
   
   				Manual TMS Configuration
   				1: Step 1 -> Configure Module Server Address (on Tanium Server)
   				2: Step 2 -> Register Module Server (on Tanium Module Server)
   				3: Read about Remote Module Server configuration
   
   				R: Return to previous menu  RR: Return to top
   
   		

4. Enter S to open the Assign TMS Role screen. View screen

   		Tanium Operations -> Configure Module Server(s) -> Assign TMS Role 
   
   				Active Module Server: tms1.test.tanium.local
   
   				Module Server 1:
   				Name: tms1.test.tanium.local
   				TMS Sync Role:  source
   				TMS Sync Ready: no
   
   				Module Server 2:
   				Name: tms2.test.tanium.local
   				TMS Sync Role:  target
   				TMS Sync Ready: yes
   
   				1: tms1.test.tanium.local
   				2: tms2.test.tanium.local
   
   				R: Return to previous menu  RR: Return to top
   
   				Please select: 
   
   
   		

5. Enter the line number of the Tanium Module Server to use as the synchronization source. This is the active Module Server that sends data to the inactive target Module Server. View screen

   		Tanium Operations -> Configure Module Server(s) -> Assign TMS Role 
   
   
   			S: Enable TMS Sync as Source
   			T: Enable TMS Sync as Target
   			D: Disable TMS Sync
   
   			R: Return to previous menu  RR: Return to top
   
   			Please select:  S
    			Press enter to continue
   
   
   		

6. Enter S to enable the selected appliance as the synchronization source and press Enter.
   The TanOS console redirects to the Configure Module Server(s) menu.
7. Enter S to open the Assign TMS Sync Role screen.
8. Enter the number of the Tanium Module Server to use as the synchronization target. This is the standby Module Server that receives data from the source Module Server.
9. Enter T and press Enter to enable the selected appliance as the synchronization target and enable synchronization between the source and target.
   

Perform a manual sync

1. Sign in to the source Module Server appliance as a user with the tanadmin role.
2. Enter 2 to go to the Tanium Operations menu.
3. Enter D to go to the Module Server Sync menu.
4. Enter 4 to initiate sync. The sync job details are logged to the screen. View screen

   ------------------------------------------------------
      >>> Tanium Operations -> Module Server Sync <<< 
   
   IPSEC: Ready
   Remote: 192.168.76.104
   Role: Active sync (source)
   Last return code: OK
   Sync Connectivity: Not Ready
   
            1: Show Detailed Status
            2: Configure IPSEC
            3: Configure TMS Sync
            4: Sync Now 
            5: Schedule Sync
   			
   	  V: View Sync Log
   
            H: Help
            R: Return to previous menu
   ------------------------------------------------------
   
   
   Please select: 4
   
   Secured connectivity to remote IP 192.168.76.104 is working
   
    Thu May 16 20:52:14 UTC 2019 Synchronizing dir Tanium ModuleServer - Started
    Thu May 16 20:52:15 UTC 2019 Synchronizing dir Tanium ModuleServer - 85 files updated. sent 121,565 bytes  received 611 bytes  244,352.00 bytes/sec
    Thu May 16 20:52:15 UTC 2019 Synchronizing dir Tanium ModuleServer - Completed
   Press enter to continue

Schedule sync jobs

1. Sign in to the source Module Server appliance as a user with the tanadmin role.
2. Enter 2 to go to the Tanium Operations menu.
3. Enter D to go to the Module Server Sync menu.
4. Enter 5 to go to the Schedule TMS Sync menu. View screen

   >>> Schedule TMS Sync <<< 
   
   Current time: Thu 2019-05-16 21:06:37 UTC
   Active: Disabled
   Day of Month | 1             | 00:00 UTC
   Crontab formatted time string: 00 00 1 * *
   
   Pending: Disabled
   Day of Month | 1             | 00:00 UTC
   Crontab formatted time string: 00 00 1 * *
   
            1: Disable Schedule
            2: Enable Schedule
   
            4: Schedule by Day of Month
            5: Schedule by Day of Week
            6: Select Time of Day
   
            7: Activate Schedule Settings
            H: Help
   
            R: Return to previous menu
   ------------------------------------------------------

   The top of the menu shows active and pending settings. The changes you make are pending until you use menu 7 to make them active.

5. Use the menu to configure the schedule:
   1. Enter 1 or 2 to toggle the enabled/disabled status for the schedule.
   2. Enter 4 or 5 to set the schedule by days of the month or days in a week.
      • A comma (,) indicates separate days. For example, 1,15.
      • A hyphen (-) indicates contiguous days. For example, mon-fri.
      • Specify days of the week with three-letter abbreviations: sun, mon, tue, wed, thu, fri, sat.
   3. Enter 6 to set the time of day.
   4. Enter 7 to make your changes active.

View detailed status for Module Server sync

The top of the Module Server Sync menu shows configuration status and the last return code for the sync job. You can use menu 1 to view detailed status.

1. Sign in to the source Module Server appliance as a user with the tanadmin role.
2. Enter 2 to go to the Tanium Operations menu.
3. Enter D to go to the Module Server Sync menu.
4. Enter 1 to view the status. View screen

   >>> Tanium Operations -> Module Server Sync -> Check Status <<< 
   
   
    Secured connectivity to remote IP 192.168.76.104 is working
   
    Active sync state (source)
   
    Current time:  Thu May 16 21:08:18 UTC 2019
    Last sync log:
   #### Starting module server sync ####
   Start time: Thu May 16 20:52:13 UTC 2019
   SYNC_ROLE 1 found
     Thu May 16 20:52:14 UTC 2019 Synchronizing dir TaniumModuleServer - Started
     Thu May 16 20:52:14 UTC 2019 CMD: sudo nohup rsync -aAvp --delete-after --stats --exclude services /opt/Tanium/TaniumModuleServer/ /opt/mounts/sync_tms/
     Thu May 16 20:52:15 UTC 2019 rsync return code 0
     Thu May 16 20:52:15 UTC 2019 Synchronizing dir TaniumModuleServer - 85 files updated. sent 121,565 bytes  received 611 bytes  244,352.00 bytes/sec
     Thu May 16 20:52:15 UTC 2019 Synchronizing dir TaniumModuleServer - Completed
   End time: Thu May 16 20:52:15 UTC 2019
   %%%% Ended module server sync %%%%%
   
    Last return code:  OK
   
   Press enter to continue

Promote the standby Module Server

The Module Server service on the standby appliance is not enabled while the primary appliance is active. To make the standby appliance active, such as in the event of a failure on the primary Module Server, perform the following steps to promote the standby Module Server.

1. Sign in to the Tanium Server appliance as a user with the tanadmin role.
2. Enter 2 to go to the Tanium Operations menu.
3. Enter A to go to the Configure Module Server(s) menu.
4. Enter P to Promote TMS. View screen

   >>> Tanium Operations ->  Configure Module Server(s) ->  Promote TMS <<< 
   
   			Active Module Server: tms1.test.tanium.local
   
   			Module Server 1:
   			Name: tms1.test.tanium.local
   			TMS Sync Role:  source
   			TMS Sync Ready: no
   
   			Module Server 2:
   			Name: tms2.test.tanium.local
   			TMS Sync Role:  target
   			TMS Sync Ready: yes
   
   			Which Module Server should be promoted to primary?
   
   			1: tms1.test.tanium.local
   			2: tms2.test.tanium.local
   
   			R: Return to previous menu  RR: Return to top
   
   			Please select: 
   		

5. Enter the line number of the Module Server to promote to primary.
6. Enter the administrative user name for the web-based Tanium Console. This is different from TanOS console tanadmin users.
7. Enter the password for the Tanium Console administrative user and press Enter.

After you perform this procedure, the two Module Servers are disconnected from each other and the standby Module Server is active and registered with the Tanium Server. To use the non-active Module Server as a standby appliance, disable synchronization on the non-active Module Server, assign the Module Server synchronization role of source to the active Module Server, and assign the Module Server synchronization role of target to the new standby Module Server.

Add the Module server to the Appliance Array

If you set up a Tanium cluster with an Appliance Array, add the standby Module Server to the array.