Installing Tanium Zone Server

The Tanium™ Zone Server role installation creates the Tanium Zone Server and configuration database. The workflow described here also installs the Tanium Zone Server Hub Add-On and configures the Zone Server Hub to listen for connections from the Zone Server.

Overview

In Tanium deployments, Tanium™ Clients initiate communication with the Tanium™ Server. Your enterprise network security policies likely do not allow endpoints that reside in the untrusted network to initiate connections to resources that reside in the internal network, such as the Tanium Server. To enable the Tanium Server to manage these endpoints, you can deploy one or more Tanium Zone Servers in the DMZ to proxy communication from the external endpoints.

The figure below illustrates Zone Server communication. The Zone Server is installed as a service, typically on an existing, shared device in the DMZ. It communicates with the Tanium Server through a Zone Server Hub process that you install as an add-on to the Tanium Server appliance. You set up external clients to register with the Zone Server as if it were the primary Tanium Server.

To optimize performance as much as possible, the Zone Server is designed to cache sensor definitions, configuration information, and the files packaged in actions. It provides these resources to clients without having to re-request them from the Tanium Server.

When using Tanium to manage external clients, be mindful that they might not have the same access to internal resources as internal clients. Target actions so that external clients are not instructed to attempt to access resources on the internal network, like an Active Directory server, or package files staged on an internal URL.

Figure 1: Zone Server deployment

Before you begin

Make sure:

Install the Tanium Zone Server

This section provides procedures for the following workflow:

  1. Deploy one or more Zone Server appliances in the DMZ.
  2. Install the Zone Server hub add-on on the Tanium Server appliance and configure a Zone Server list that defines the Zone Servers with which it can communicate.

Install the Zone Server

  1. Log into the Zone Server appliance as the user tanadmin.

    The TanOS console displays the tanadmin menu.

  2. Enter 1 to go to the Tanium Installation menu.
  3. Enter 4 to install the Tanium Zone Server.
  4. When prompted, specify the Tanium platform version you want to install.

The installation is completed in about 30 seconds.

Import the Tanium Server public key file to the Zone Server

  1. On your management computer, set up an SFTP client such as WinSCP to connect to the Tanium Zone Server appliance:
    1. Specify tancopy for user name.
    2. Click the Advanced button.
    3. Under SSH, browse and select the private key that pairs with the public key uploaded to the appliance in Completing the initial setup (hardware appliances).
  2. Use SFTP to copy the tanium.pub file to the /incoming directory on the Zone Server appliance.
  3. Log into the Zone Server appliance as the user tanadmin.
  4. Enter 2 to go to the Tanium Operations menu.
  5. Enter I and then follow the prompts to copy the Tanium Server public key file (tanium.pub) into the Zone Server installation directory.

Install the Zone Server hub

After you have installed the Tanium Server role on a Tanium Appliance, you can install the Zone Server Hub Add-On.

  1. Log into the Tanium Server appliance as the user tanadmin.
  2. Enter 1 to go to the Tanium Installation menu.
  3. Enter A and then follow the prompts to install the Tanium Zone Server Hub Add-On and configure the zoneserverlist.txt file. The zone server list is a list of Zone Servers that are allowed to connect to this Zone Server Hub.

Set up TLS for the Zone Server deployment

The certificates and keys used for Tanium Client to Tanium Server TLS connections are generated automatically when you install the Tanium Server. However, the certificates and keys are not set up automatically for Zone Server deployments. Follow the instructions in this section to set up TLS for Zone Server deployments.

Overview

The TLS implementation leverages the existing Tanium platform public key infrastructure (PKI) to establish trust between platform components. The Core Platform servers use the existing Tanium Server public/private keypair for the TLS handshake, establishing a unique session key for each session with the Tanium Client.

After you have completed the prerequisite task, configuring TLS for a Tanium Zone Server is a three-step process:

  1. On the Zone Server, generate a Certificate Signing Request (CSR).
  2. On the Tanium Server, issue the certificate.
  3. On the Zone Server, add the certificate and key files and configure default values for TLS settings.

To change the default values, go to the Tanium Operations menu and use the Configuration Settings menu to change the values.

Prerequisite: Add the Zone Server tanadmin SSH key to the tancopy user on the Tanium Server

  1. Start two SSH terminal sessions so you can copy and paste between them:
    • Zone Server
    • Tanium Server
  2. Log into the Zone Server appliance as the user tanadmin and complete the following steps:
    1. Enter C to go to the User Administration menu.
    2. Enter 3 to go to the SSH Key Management menu.
    3. Enter the line number for tanadmin to display the key management menu for this user.
    4. Enter 2 to display the public key.
    5. Copy the contents of the public key to the clipboard.
  3. Log into the Tanium Server appliance as the user tanadmin and complete the following steps:
    1. Enter C to go to the User Administration menu.
    2. Enter 3 to go to the SSH Key Management menu.
    3. Enter the line number for the tancopy user.
    4. Enter 3 to go to the Authorized Keys menu.
    5. Enter 2 and then follow the prompts to paste the contents of the Zone Server tanadmin user public key that you copied in step 2.

Step 1: Generate a Certificate Signing Request

  1. Log into the Zone Server appliance as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter Z to go to the Zone Server Operations menu.
  4. Enter 1 and follow the prompts to generate the certificate signing request.

Step 2: Issue the Certificate

  1. Log into the Tanium Server appliance as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter Z to go to the Zone Server Operations menu.
  4. Enter 2 and follow the prompts to issue the certificate.

Step 3: Install the certificate and configure TLS settings

  1. Log into the Zone Server appliance as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter Z to go to the Zone Server Operations menu.
  4. Enter 3 and follow the prompts to install the certificate and create default settings.

To change the default values, go to the Tanium Operations menu and use the Configuration Settings menu to change the values.

Verify the TLS connection

To verify whether Tanium Clients used TLS to connect with the Tanium Server or Zone Server the last time that they registered, go to Administration > System Status and check the Using TLS column.

Figure 2: System Status: Using TLS column

The Tanium Server Info page has information on TLS connections for the server segments. To access the page, go to https://<Tanium Server FQDN>/info and log in with a user account that has the Administrator reserved role, such as the tanium user created during installation.

Figure 3: TLS status on the Info page

Key changes

The TLS reporting certificate (reporting.crt) is signed with the Tanium Server private key (tanium.pvk). Therefore, if you update the Tanium Server public-private key pair, you must regenerate the reporting.crt and reporting.pvk files used in the Tanium Server TLS implementation and then regenerate the reporting.crt and reporting.pvk files used in the Zone Server TLS implementation.
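Added illustration, not Tanium's own code or key format: this Go program models Steps 1 to 3 above and the key-rotation point in this section with standard-library X.509, so a reader can see why reporting.crt stops validating once the server key pair changes. The Zone Server produces a CSR, the Tanium Server checks the CSR's proof of possession and issues a certificate under its key, and the installed certificate is then checked against the original server anchor and against a rotated one. Ed25519 keys, the self-signed anchor, serial numbers and common names are assumptions, not how TanOS implements it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // unwraps a (value, error) pair; any failure here is fatal
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() ed25519.PrivateKey { // fresh Ed25519 key: stand-in for tanium.pvk or the Zone Server key
	seed := make([]byte, ed25519.SeedSize)
	must(rand.Read(seed))
	return ed25519.NewKeyFromSeed(seed)
}
// issue signs a cert for pub with key; parent == nil yields the self-signed server anchor (constructed values).
func issue(serial int64, cn string, parent *x509.Certificate, pub any, key ed25519.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage, parent = true, true, x509.KeyUsageCertSign, t
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, key))))
}
// Step 1 (Zone Server): generate the Zone Server key and the CSR that is handed to the Tanium Server.
func zoneServerCSR() *x509.CertificateRequest {
	return must(x509.ParseCertificateRequest(must(x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: "zone-server"}}, newKey()))))
}
// Step 2 (Tanium Server): reject a CSR whose proof of possession fails, else issue under the server key.
func issueZoneCert(csr *x509.CertificateRequest, ca *x509.Certificate, caKey ed25519.PrivateKey) *x509.Certificate {
	must(0, csr.CheckSignature())
	return issue(2, csr.Subject.CommonName, ca, csr.PublicKey, caKey)
}
// Step 3 / Key changes: the installed cert is only usable while it chains to the current server key.
func chainsToServerKey(cert, ca *x509.Certificate) bool { return cert.CheckSignatureFrom(ca) == nil }
// rotateDemo runs the flow, then rotates the server key pair; returns (true, false): valid before, not after.
func rotateDemo() (before, after bool) {
	caKey, k2 := newKey(), newKey() // k2 plays the rotated tanium.pvk, after which reporting.crt must be regenerated
	ca, rotated := issue(1, "tanium-server", nil, caKey.Public(), caKey), issue(1, "tanium-server", nil, k2.Public(), k2)
	zoneCert := issueZoneCert(zoneServerCSR(), ca, caKey)
	return chainsToServerKey(zoneCert, ca), chainsToServerKey(zoneCert, rotated)
}
```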

Last updated: 2/5/2019 11:52 AM