Installing an individual Tanium Module Server

The Tanium™ Module Server role installation and registration workflow creates the Module Server and the configuration and certificates that are required for secure communication with the Tanium Server. The steps you complete with the Configure Remote Module Server menu register the Module Server with the Tanium Server. During registration, the two servers generate and install the required certificates: trusted.crt on the Module Server appliance and trusted-module-servers.crt on the Tanium Server appliance.

Before you begin

Make sure:

• Basic network, host, and user settings are configured. See Completing the initial setup (Tanium Cloud Appliance).
  • For physical appliances, see Completing the initial setup (hardware appliances).
  • For virtual appliances, see Completing the initial setup (virtual appliances).
• Network firewall rules allow communication between Tanium Server and Tanium Module Server on TCP port 17477.
• You know the Tanium Console admin user (tanium) password. You are prompted to specify the Tanium Console admin user (tanium) and password when you register the Module Server with the Tanium Server.

Install the Tanium Module Server

To add an appliance with a Tanium Module Server role to an existing Appliance Array, add the appliance to the array, assign a role to the appliance, and then install the pending role. For steps, see Add an appliance to an Appliance Array. After you install the pending role, you must configure the Tanium Server to use the Module Server and then enable the Module Server.

1. Sign in to the Module Server appliance as a user with the tanadmin role.
2. Enter 1 to go to the Tanium Installation menu. View screen

   ------------------------------------------------------
   
                >>> Tanium Installation <<< 
   
   Currently installed Role: Tanium Role not installed
   Currently installed Add-On: No add-ons installed
   
   ------------------------------------------------------
   
            M: Manage Appliance Array
            1: Install Tanium Server (All-in-one)
            2: Install Tanium Server Service
            3: Install Tanium Module Server Service
            4: Install Tanium Zone Server Service
   
            H: Help
            R: Return to previous menu
   
   ------------------------------------------------------

3. Enter 3 to install the Tanium Module Server.
4. When prompted, specify the Tanium platform version that you want to install.

The installation takes approximately 30 seconds to complete.

Configure the Tanium Server to use the Module Server

1. Sign in to a Tanium Server appliance as a user with the tanadmin role.
2. Enter 2 to go to the Tanium Operations menu. View screen

   ------------------------------------------------------
   
                >>> Tanium Operations Menu <<< 
   
            1: Tanium Service Control
            2: Tanium Configuration Settings
            4: Install Custom SOAP Cert
            5: Manage Custom Signing Keys
            6: Download Public Key
            7: Download SOAP Certificate
            9: Import CAC Certificate
   
            A: Configure Module Server(s)
            B: Configure Tanium Cluster
            C: Manage Content
            M: Module Operations
   
            I: Import public key to Tanium Zone Server
   
            X: Advanced Operations
   
            H: Help
            R: Return to previous menu
   
   ------------------------------------------------------

3. Enter A to go to the Configure Module Server(s) menu. View screen

   ------------------------------------------------------
   
   			>>> Tanium Operations -> Configure Module Server(s) 
   
   				Active Module Server: tms1.test.tanium.local
   
   				Module Server 1:
   				Name: tms1.test.tanium.local
   				TMS Sync Role:  source
   				TMS Sync Ready: no
   
   				Module Server 2:
   				Name: tms2.test.tanium.local
   				TMS Sync Role:  target
   				TMS Sync Ready: yes
   
   				TMS Failover
   				P: Promote TMS
   				S: Assign TMS Sync Role
   
   				Manual TMS Configuration
   				1: Step 1 -> Configure Module Server Address (on Tanium Server)
   				2: Step 2 -> Register Module Server (on Tanium Module Server)
   				3: Read about Remote Module Server configuration
   
   				R: Return to previous menu  RR: Return to top
   
   		

4. Enter 1 and follow the prompts to configure the Module Server address, which specifies the address the Tanium Server uses to connect to the Module Server. Be sure to copy the certificate fingerprint. You need the certificate fingerprint to configure the Module Server. View screen

   >>> Tanium Operations ->  Configure Module Server(s) ->  Configure Module Server Address <<< 
   
    Before continuing, please have the following at hand:
    - Hostname of the remote module server
    - Domain name of the remote module server
    - IP of the remote module server
   
    After completing this step and until step 2 (registration) has been completed on the remote module server,
    this Tanium Server will have limited functionality!
    The following fingerprint is required for step 2:
    800BBFB2942BD9A033F39CBC61049BCE68DEBDF789B38E05569AC0C0794D0BD985C1CF9A0CB73420FCC53F01756E51F287D29B6D62DFFD5781909E8BCA6E7202
   
    Would you like to continue? [Yes|No]: yes
   
    Continue with change.
    Please enter the IP of the remote module server: 10.10.10.103
    Please enter the hostname (NOT FQDN) of the remote module server: appliance-tms1
    Please enter the domain name of the remote module server: tam.local
   
    Disabling local module server instance (if exist)
    Setting new Tanium Module Server address 10.10.10.103
    Changing hosts file
   
    Would you like to restart the Tanium Server service? Attention - this might take a long time! [Yes|No]: yes
   
    Restarting the Tanium server service
   
    Attention: 
    Step 1 of the Remote Module Server configuration process completed successful.
    Step 2 needs to be completed on the Remote Module Server. Follow the instructions
    in "Tanium Operations (2) -> Register Remote Module Server (A)"
    This Tanium Server will not be functional until step 2 has been completed as well.
   
    The following fingerprint is required for step 2 - please copy it: 
    800BBFB2942BD9A033F39CBC61049BCE68DEBDF789B38E05569AC0C0794D0BD985C1CF9A0CB73420FCC53F01756E51F287D29B6D62DFFD5781909E8BCA6E7202
   
    Press enter to continue

Enable the remote Module Server

1. Sign in to the Tanium Module Server appliance as a user with the tanadmin role.
2. Enter 2 to go to the Tanium Operations menu. View screen

   ------------------------------------------------------
   
                >>> Tanium Operations Menu <<< 
   
            1: Tanium Service Control
            2: Tanium Configuration Settings               
            4: Install Custom SOAP Cert
            5: Manage Custom Signing Keys
   
            A: Register Module Server
            D: Configure Module Server sync
            M: Module Operations
   
            X: Advanced Operations
   
            H: Help
            R: Return to previous menu
   
   ------------------------------------------------------

3. Enter A to go to the Register Module Server menu.
4. Enter 2 and follow the prompts to enable the remote Module Server and to configure its connection with the Tanium Server. Specify the Tanium Console admin user (tanium, not a TanOS user). View screen

   >>> Tanium Operations -> Configure Module Server(s) -> Enable Module Server <<< 
   
    Before continuing, please have the following at hand:
    - Hostname of the Tanium server
    - Domain name of the Tanium server
    - IP of the Tanium server
    - Credentials of a Tanium User with administrative privileges
    - Fingerprint of the Tanium Server certificate (obtained in Step 1)
   
    Would you like to continue? [Yes|No]: yes
   
    Going ahead with module server registration
    Please enter the IP of the Tanium server: 10.10.10.101
    Please enter the hostname (NOT FQDN) of the Tanium server: appliance-ts1
    Please enter the domain name of the Tanium server: tam.local
    Please enter the administrative user name: tanium
    Please enter the password (will not be displayed): 
    Please enter the fingerprint of the Tanium servers certificate: 800BBFB2942BD9A033F39CBC61049BCE68DEBDF789B38E05569AC0C0794D0BD985C1CF9A0CB73420FCC53F01756E51F287D29B6D62DFFD5781909E8BCA6E7202
   
    Verified entered fingerprint successfully
    Registering module server with 10.10.10.101 (60 second timeout)...
    Added hosts entry
    Registration completed successful
   
    Restarting module server to ensure settings have taken
   
    Restart complete
   
    Press enter to continue

   For a cluster, register the Tanium servers individually. View screen

   >>> Tanium Operations -> Configure Remote Module Server -> Enable Module Server <<< 
   
    Before continuing, please have the following at hand:
    - Hostname of the Tanium server
    - Domain name of the Tanium server
    - IP of the Tanium server
    - Credentials of a Tanium User with administrative privileges
    - Fingerprint of the Tanium Server certificate (obtained in Step 1)
   
    Would you like to continue? [Yes|No]: yes
   
    Going ahead with module server registration
    Please enter the IP of the Tanium server: 10.10.10.102
    Please enter the hostname (NOT FQDN) of the Tanium server: appliance-ts2
    Please enter the domain name of the Tanium server: tam.local
    Please enter the administrative user name: tanium
    Please enter the password (will not be displayed): 
    Please enter the fingerprint of the Tanium servers certificate: 800BBFB2942BD9A033F39CBC61049BCE68DEBDF789B38E05569AC0C0794D0BD985C1CF9A0CB73420FCC53F01756E51F287D29B6D62DFFD5781909E8BCA6E7202
   
    Verified entered fingerprint successfully
    Registering module server with 10.10.10.102 (60 second timeout)...
    Added hosts entry
    Registration completed successful
   
    Restarting module server to ensure settings have taken
   
    Restart complete
   
    Press enter to continue

What to do next

Install one or more Tanium Zone Servers (if applicable).