Installing an individual Tanium Module Server
Use the procedures in this chapter only if you are unable to use an Appliance Array to install the Tanium Server. For the best results, use an Appliance Array for easier setup and management of the Appliances in your deployment. For instructions on installing an Appliance Array, including installing the necessary Tanium Appliance server roles, see
Installing an Appliance Array.
The Tanium™ Module Server role installation and registration workflow creates the Module Server and the configuration and certificates that are required for secure communication with the Tanium Server. The steps you complete with the Configure Remote Module Server menu register the Module Server with the Tanium Server. During registration, the two servers generate and install the required certificates: trusted.crt on the Module Server appliance and trusted-module-servers.crt on the Tanium Server appliance.
- You must repeat the remote Module Server configuration steps for each node to register the Module Server with each node in a Tanium Server cluster.
- If you use the Tanium Operations menu to replace the self-signed SOAP certificate on the Tanium Server with an SSL certificate provided by a Certificate Authority, you must redo the remote Module Server configuration steps to update the certificates that are derived from that certificate on each server.
Before you begin
Make sure:
-
Basic network, host, and user settings are configured.
- Network firewall rules allow communication between Tanium Server and Tanium Module Server on TCP port 17477.
- You know the Tanium Console admin user (tanium) password. You are prompted to specify the Tanium Console admin user (tanium) and password when you register the Module Server with the Tanium Server.
Install the Tanium Module Server
To add an appliance with a Tanium Module Server role to an existing Appliance Array, add the Appliance to the array, assign a role to the appliance, and then install the pending role. For steps, see Add an appliance to an Appliance Array. After you install the pending role, you must configure the Tanium Server to use the Module Server and then enable the Module Server.
- Sign in to the Module Server appliance as a user with the tanadmin role.
- Enter 1 to go to the Tanium Installation menu.
View screen------------------------------------------------------
>>> Tanium Installation <<<
Currently installed Role: Tanium Role not installed
Currently installed Add-On: No add-ons installed
------------------------------------------------------
M: Manage Appliance Array
1: Install Tanium Server (All-in-one)
2: Install Tanium Server Service
3: Install Tanium Module Server Service
4: Install Tanium Zone Server Service
R: Return to previous menu RR: Return to top
------------------------------------------------------
- Enter 3 to install the Tanium Module Server.
- When prompted, specify the Tanium platform version that you want to install.
The installation takes approximately 30 seconds to complete.
Configure the Tanium Server to use the Module Server
- Sign in to a Tanium Server appliance as a user with the tanadmin role.
- Enter 2 to go to the Tanium Operations menu. View screen
------------------------------------------------------
>>> Tanium Operations Menu <<<
1: Tanium Service Control
2: Tanium Configuration Settings
4: Install Custom SOAP Cert
5: Manage Custom Signing Keys
7: Download SOAP Certificate
9: Import CAC Certificate
A: Configure Module Server(s)
B: Configure Tanium Cluster
C: Manage Content
M: Module Operations
I: Import public key to Tanium Zone Server
X: Advanced Operations
R: Return to previous menu RR: Return to top
------------------------------------------------------
- Enter A to go to the Configure Module Server(s) menu. View screen
------------------------------------------------------
>>> Tanium Operations -> Configure Module Server(s)
Active Module Server: tms1.test.tanium.local
Module Server 1:
Name: tms1.test.tanium.local
TMS Sync Role: source
TMS Sync Ready: no
Module Server 2:
Name: tms2.test.tanium.local
TMS Sync Role: target
TMS Sync Ready: yes
TMS FailoverP: Promote TMS
S: Assign TMS Sync Role
Manual TMS Configuration1: Step 1 -> Configure Module Server Address (on Tanium Server)
2: Step 2 -> Register Module Server (on Tanium Module Server)
3: Read about Remote Module Server configuration
R: Return to previous menu RR: Return to top
- Enter 1 and follow the prompts to configure the Module Server address, which specifies the address the Tanium Server uses to connect to the Module Server. Be sure to copy the certificate fingerprint. You need the certificate fingerprint to configure the Module Server. View screen
>>> Tanium Operations -> Configure Module Server(s) -> Configure Module Server Address <<<
Before continuing, please have the following at hand:
- Hostname of the remote module server
- Domain name of the remote module server
- IP of the remote module server
After completing this step and until step 2 (registration) has been completed on the remote
module server, this Tanium Server will have limited functionality!
The following fingerprint is required for step 2:
800BBFB2942BD9A033F39CBC61049BCE68DEBDF789B38E05569AC0C0794D0BD985C1CF9A0CB73420FCC53F01756E51F28
7D29B6D62DFFD5781909E8BCA6E7202
Would you like to continue? [Yes|No]: yes
Continue with change.
Please enter the IP of the remote module server: 10.10.10.103
Please enter the hostname (NOT FQDN) of the remote module server: appliance-tms1
Please enter the domain name of the remote module server: tam.local
Disabling local module server instance (if exist)
Setting new Tanium Module Server address 10.10.10.103
Changing hosts file
Would you like to restart the Tanium Server service?
Attention - this might take a long time! [Yes|No]: yes
Restarting the Tanium server service
Attention:
Step 1 of the Remote Module Server configuration process completed successful.
Step 2 needs to be completed on the Remote Module Server. Follow the instructions
in "Tanium Operations (2) -> Register Remote Module Server (A)"
This Tanium Server will not be functional until step 2 has been completed as well.
The following fingerprint is required for step 2 - please copy it:
800BBFB2942BD9A033F39CBC61049BCE68DEBDF789B38E05569AC0C0794D0BD985C1CF9A0CB73420FCC53F01756E51F28
7D29B6D62DFFD5781909E8BCA6E7202
Press enter to continue
Enable the remote Module Server
- Sign in to the Tanium Module Server appliance as a user with the tanadmin role.
- Enter 2 to go to the Tanium Operations menu. View screen
------------------------------------------------------
>>> Tanium Operations Menu <<<
1: Tanium Service Control
2: Tanium Configuration Settings
4: Install Custom SOAP Cert
5: Manage Custom Signing Keys
A: Register Module Server
D: Configure Module Server sync
M: Module Operations
X: Advanced Operations
R: Return to previous menu RR: Return to top
------------------------------------------------------
- Enter A to go to the Register Module Server menu.
- Enter 2 and follow the prompts to enable the remote Module Server and to configure its connection with the Tanium Server. Specify the Tanium Console admin user (tanium, not a TanOS user). View screen
>>> Tanium Operations -> Configure Module Server(s) -> Enable Module Server <<<
Before continuing, please have the following at hand:
- Hostname of the Tanium server
- Domain name of the Tanium server
- IP of the Tanium server
- Credentials of a Tanium User with administrative privileges
- Fingerprint of the Tanium Server certificate (obtained in Step 1)
Would you like to continue? [Yes|No]: yes
Going ahead with module server registration
Please enter the IP of the Tanium server: 10.10.10.101
Please enter the hostname (NOT FQDN) of the Tanium server: appliance-ts1
Please enter the domain name of the Tanium server: tam.local
Please enter the administrative user name: tanium
Please enter the password (will not be displayed):
Please enter the fingerprint of the Tanium servers certificate: 800BBFB2942BD9A033F39CBC61049BCE
68DEBDF789B38E05569AC0C0794D0BD985C1CF9A0CB73420FCC53F01756E51F287D29B6D62DFFD5781909E8BCA6E7202
Verified entered fingerprint successfully
Registering module server with 10.10.10.101 (60 second timeout)...
Added hosts entry
Registration completed successful
Restarting module server to ensure settings have taken
Restart complete
Press enter to continue
For a cluster, register the Tanium servers individually. View screen
>>> Tanium Operations -> Configure Remote Module Server -> Enable Module Server <<<
Before continuing, please have the following at hand:
- Hostname of the Tanium server
- Domain name of the Tanium server
- IP of the Tanium server
- Credentials of a Tanium User with administrative privileges
- Fingerprint of the Tanium Server certificate (obtained in Step 1)
Would you like to continue? [Yes|No]: yes
Going ahead with module server registration
Please enter the IP of the Tanium server: 10.10.10.102
Please enter the hostname (NOT FQDN) of the Tanium server: appliance-ts2
Please enter the domain name of the Tanium server: tam.local
Please enter the administrative user name: tanium
Please enter the password (will not be displayed):
Please enter the fingerprint of the Tanium servers certificate: 800BBFB2942BD9A033F39CBC6
1049BCE68DEBDF789B38E05569AC0C0794D0BD985C1CF9A0CB73420FCC53F01756E51F287D29B6D62DFFD5781
909E8BCA6E7202
Verified entered fingerprint successfully
Registering module server with 10.10.10.102 (60 second timeout)...
Added hosts entry
Registration completed successful
Restarting module server to ensure settings have taken
Restart complete
Press enter to continue
What to do next
Install one or more Tanium Zone Servers (if applicable).
