Deploying a standby Module Server

TanOS supports configuration and data sync from a primary Module Server appliance to a standby Module Server appliance. Data is copied to the standby appliance on demand or according to a schedule that you specify.

In order to protect data consistency, the scheduled TMS sync job disables (shuts down) the Module Server and all solution modules for the duration of the TMS sync job. Be sure to determine a TMS sync schedule that does not disrupt solution module processes. You might have to adjust scheduled activities for the solution modules accordingly.

About the standby Module Server

The Module Server service on the standby appliance is not enabled. In the event the primary Module Server appliance is taken out of service:

  1. Enable the Module Server service on the standby appliance.
  2. Reconfigure the Taniumâ„¢ Server(s) connection to the remote Module Server so that it uses the IP address and hostname for the newly active Module Server.

Requirements and limitations

A redundant cluster deployment has the following requirements:

  • Each Module Server must be installed on the same appliance model (size).
  • Each Module Server must run the same software version, including build number (for example, each must have build number 7.3.314.3424).
  • The two Module Servers must be able to connect to each other via a reliable Ethernet connection. The connection requires a minimum throughput of 1 Gbps and a maximum round-trip latency of 30 ms.

Before you begin

Make sure:

  • Basic network, host, and user settings are configured on both appliances. See Completing the initial setup (hardware appliances).

    • We recommend you allocate a network interface on each Module Server appliance for the redundant cluster sync communication.

    The interfaces used for the redundant cluster sync communication should not be configured with a default gateway and do not need a default gateway.

    Specify the IP addresses of the redundant cluster interfaces when you configure the IPsec tunnel.

    Specify the IP addresses of the Tanium traffic interfaces when you configure the Module Server IP addresses.

  • Your network security administrator has configured security rules to allow communication on the TCP ports that the Tanium core platform components use. In addition to the ports used by individual Module Servers, a Module Server in a cluster sends and receives sync traffic over an IPsec connection. The network security rules must allow ESP (50/ip) and IKE (500/udp, 4500/udp).

Set up the IPsec tunnel

IPsec is used to ensure end-to-end security between the two appliances.

  1. Start two SSH terminal sessions so you can copy and paste between them:
    • First Module Server
    • Second Module Server
  2. Log into each of the Module Server appliances as a user with the tanadmin role and go to the IPsec menu:
    1. From the tanadmin menu, enter A to go to the Appliance Configuration menu.
    2. Enter 2 to go to the Networking Configuration menu.
    3. Enter 2 to go to the IPsec menu.
  3. On the second appliance, copy the IPsec host key to the clipboard:
    1. From the IPsec menu, enter 1 to display the local IPsec host key.
    2. Copy it to the clipboard.
  4. On the first appliance, from the IPsec menu, enter 3 and follow the prompts to configure this side of the IPsec tunnel. When prompted, paste the IPsec host key for the second appliance.
  5. On the first appliance, copy the IPsec host key to the clipboard:
    1. From the IPsec menu, enter 1 to display the local IPsec host key.
    2. Copy it to the clipboard.
  6. Go to the second appliance and complete the IPsec configuration:
    1. From the IPsec menu, enter 3 and follow the prompts to configure this side of the IPsec tunnel. When prompted, paste the IPsec host key for the first appliance.
    2. Enter 6 to test the connection from this side.
  7. Go back to the first appliance and enter 6 to test the connection from this side.

Configure Sync

  1. Install the primary Module Server and complete the steps to set up the remote Module Server configuration on both the Tanium Server and Module Server as described in Installing Tanium Module Server.
  2. Install the standby Module Server but do not complete the steps to set up the remote Module Server configuration. You complete those steps only when making the standby Module Server active.
  3. Log into the standby Module Server appliance as a user with the tanadmin role and complete the following steps:
    1. Enter 2 to go to the Tanium Operations menu.
    2. Enter D to go to the Module Server Sync menu.
    3. Enter 3 and then follow the prompts to enable sync on the standby Module Server.
  4. Log into the primary Module Server appliance as a user with the tanadmin role and complete the following steps:
    1. Enter 2 to go to the Tanium Operations menu.
    2. Enter D to go to the Module Server Sync menu.
    3. Enter 3 and then follow the prompts to enable sync on the primary Module Server.

Perform a manual sync

  1. Log into the primary Module Server appliance as a user with the tanadmin role.
  2. From the tanadmin menu, enter 2 to go to the Tanium Operations menu.
  3. Enter D to go to the Module Server Sync menu.
  4. Enter 4 to initiate sync. The sync job details are logged to the screen.

Schedule sync jobs

  1. Log into the primary Module Server appliance as a user with the tanadmin role.
  2. From the tanadmin menu, enter 2 to go to the Tanium Operations menu.
  3. Enter D to go to the Module Server Sync menu.
  4. Enter 5 to display the Schedule TMS Sync menu.

    The top of the menu displays active and pending settings. The changes you make are pending until you use menu 7 to make them active.

  5. Use the menu to configure the schedule:
    1. Enter 1 or 2 to toggle the enabled/disabled status for the schedule.
    2. Enter 3 or 4 to set the schedule by day (s) of the month or days in a week.
      • A comma (,) indicates separate days. For example, 1,15.
      • A hyphen (-) indicates contiguous days. For example, mon-fri.
      • Specify days of the week with three-letter abbreviations: sun, mon, tue, wed, thu, fri, sat.
    3. Enter 6 to set the time of day.
    4. Enter 7 to make your changes active.

Display detailed status for Module Server sync

The top of the Module Server Sync menu shows configuration status and the last return code for the sync job. You can use menu 1 to display detailed status.

  1. Log into the Module Server appliance as a user with the tanadmin role.
  2. From the tanadmin menu, enter 2 to go to the Tanium Operations menu.
  3. Enter D to go to the Module Server Sync menu.
  4. Enter 1 to view the status.