Installing an individual Tanium Zone Server

The Tanium™ Zone Server role installation creates the Tanium Zone Server and configuration database. The workflow described here also installs the Tanium Zone Server Hub Add-On and configures the Zone Server Hub to listen for connections from the Zone Server.

Overview

In Tanium deployments, Tanium™ Clients initiate communication with the Tanium™ Server. Your enterprise network security policies likely do not allow endpoints that reside in the untrusted network to initiate connections to resources that reside in the internal network, such as the Tanium Server. To enable the Tanium Server to manage these endpoints, you can deploy one or more Tanium Zone Servers in the DMZ to proxy communication from the external endpoints.

The figure below illustrates Zone Server communication. The Zone Server is installed as a service on an appliance in the DMZ. It communicates with the Tanium Server through a Zone Server Hub process that you install as an add-on to the Tanium Server appliance. You set up external clients to register with the Zone Server as if it were the primary Tanium Server.

To optimize performance as much as possible, the Zone Server is designed to cache sensor definitions, configuration information, and the files packaged in actions. It provides these resources to clients without having to re-request them from the Tanium Server.

When you use Tanium to manage external clients, be mindful that they might not have the same access to internal resources as internal clients. Target actions so that external clients are not instructed to attempt to access resources on the internal network, like an Active Directory server, or package files staged on an internal URL.

Figure 1: Zone Server deployment

Before you begin

Make sure:

Install the Tanium Zone Server

This section provides procedures for the following workflow:

  1. Deploy one or more Zone Server appliances in the DMZ.
  2. Install the Zone Server Hub add-on on the Tanium Server appliance and configure a Zone Server list that defines the Zone Servers with which it can communicate.

Install the Zone Server

  1. Log into the Zone Server appliance as a user with the tanadmin role.
  2. From the tanadmin menu, enter 1 to go to the Tanium Installation menu.
  3. Enter 4 to install the Tanium Zone Server.
  4. When prompted, specify the Tanium platform version that you want to install.
  5. Enter YES to continue with the installation.

The installation takes approximately 30 seconds to complete.

Import the Tanium Server public key file to the Zone Server

For Tanium Core Platform 7.3 and earlier, copy the tanium.pub file from the Tanium Server appliance. In Tanium Core Platform 7.4 and later, the public keys are stored in the tanium-init.dat file.

Install the Zone Server hub

After you install the Tanium Server role on a Tanium Appliance, you can install the Zone Server Hub Add-On.

  1. Log into the Tanium Server appliance as a user with the tanadmin role.
  2. From the tanadmin menu, enter 1 to go to the Tanium Installation menu.
  3. Enter A and follow the prompts to install the Tanium Zone Server Hub Add-On.
    • For Tanium Core Platform 7.3 and earlier, configure the zoneserverlist.txt file when prompted. The zone server list is a list of Zone Servers that are allowed to connect to this Zone Server Hub.
    • For Tanium Core Platform 7.4 and later, you do not need to configure the zoneserverlist.txt file.

Set up AllowedHubs on the Zone Server appliance

  1. Log into the Zone Server appliance as a user with the tanadmin role.
  2. From the tanadmin menu, enter 2 to go to the Tanium Operations menu.
  3. Enter 2 to go to the Configuration Settings menu.
  4. Enter 9 to edit the Tanium Zone Server settings.
  5. Enter A to add a new setting.
  6. For the key, enter AllowedHubs and press the Enter key.
  7. For the value, enter the IP address of the Tanium Server and press the Enter key.

Configure trust mappings for 7.4 and later

For Tanium Core Platform 7.4 and later, you must enable trust between the Tanium Server, Tanium Zone Server Hub, and Tanium Zone Servers so that they can communicate with each other.

Approve trust for the Zone Server Hub

  1. Log into the TanOS console of the Zone Server Hub appliance as a user with the tanadmin role.
  2. Enter @ to open the About the Appliance page. Note the value of the TZS Hub Registration Fingerprint field.
  3. Log into the Tanium Console with the Tanium role and the password you set when you installed the Tanium Server.
  4. From the Tanium Console, click Console > Configuration > Tanium Server and open the Zone Server Hub Trusts tab.
  5. Verify that the fingerprint of the Zone Server Hub matches the fingerprint shown in the TZS Hub Registration Fingerprint field in the About the Appliance page in the TanOS console.
  6. If the fingerprints are identical, return to the Tanium Console, click Accept/Deny next to the Zone Server Hub, and click Accept.
  7. Enter your credentials and click OK.

Map the Zone Server to the Zone Server Hub

After you approve trust for Zone Server Hub, perform the following steps for each Zone Server.

  1. Log into the TanOS console of the Zone Server appliance as a user with the tanadmin role.
  2. Enter @ to open the About the Appliance page. Note the value of the TZS Registration Fingerprint field.
  3. Log into the Tanium Console with the Tanium role and the password you set when you installed the Tanium Server.
  4. From the Tanium Console, click Console > Configuration > Tanium Server and open the Zone Server Hub Trusts tab.
  5. Next to the Zone Server Hub, click Add Zone Server, enter the IP address of the Zone Server, and click OK.
  6. Enter your credentials, click OK, and refresh the page. The Tanium Console might take a few minutes to show the mapping. When it does, the mapping Status displays Pending next to the Zone Server. The mapping also appears in the Zone Servers to Zone Server Hub Mappings grid.
  7. Verify that the fingerprint of the Zone Server matches the fingerprint shown in the TZS Registration Fingerprint field in the About the Appliance page in the TanOS console.
  8. If the fingerprints are identical, return to the Tanium Console, click Accept/Deny next to the Zone Server, and click Accept.
  9. Enter your credentials and click OK. In the Zone Server tile, the mapping Status changes to Approved.
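The fingerprint comparison in the Zone Server Hub and Zone Server trust procedures above is the step that decides whether to click Accept. The helper below is an added example, not Tanium code; it assumes the two consoles display the same hex digest, possibly with different case, colons or whitespace, and it rejects a truncated or otherwise non-identical value.

```python
"""Added helper for the fingerprint checks in the trust-approval steps.
Not Tanium code: it assumes the fingerprint is shown as a hex digest that
may differ only in case, separators or whitespace between the two consoles."""
import hmac
import re

_HEX = re.compile(r"^[0-9a-f]+$")


def normalize_fingerprint(shown: str) -> str:
    """Reduce a displayed fingerprint to lowercase hex with no separators."""
    cleaned = re.sub(r"[\s:\-]", "", shown.strip().lower())
    if not cleaned or not _HEX.match(cleaned):
        raise ValueError(f"not a hex fingerprint: {shown!r}")
    return cleaned


def fingerprints_match(appliance_value: str, console_value: str) -> bool:
    """True only when the full normalized values are identical.

    hmac.compare_digest compares in constant time and, because it compares the
    whole string, a prefix or truncated match is rejected rather than accepted."""
    a = normalize_fingerprint(appliance_value)
    b = normalize_fingerprint(console_value)
    return hmac.compare_digest(a.encode(), b.encode())


def decide(appliance_value: str, console_value: str) -> str:
    """Outcome for the Accept/Deny step: 'accept' only on an exact match."""
    try:
        return "accept" if fingerprints_match(appliance_value, console_value) else "deny"
    except ValueError:
        # An unreadable or empty value is never grounds to accept a trust.
        return "deny"


# Constructed sample values; these are not real Tanium fingerprints.
TANOS_ABOUT_PAGE = "AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89"
CONSOLE_TRUSTS_TAB = "abcdef0123456789abcdef0123456789"
TAMPERED = "abcdef0123456789abcdef0123456788"

if __name__ == "__main__":
    print(decide(TANOS_ABOUT_PAGE, CONSOLE_TRUSTS_TAB))      # accept
    print(decide(TANOS_ABOUT_PAGE, TANOS_ABOUT_PAGE[:23]))   # deny: truncated value
    print(decide(TANOS_ABOUT_PAGE, TAMPERED))                # deny: last digit differs
```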

Set up TLS for the Tanium Zone Server 7.3 and earlier

When you install the Tanium Zone Server role, TLS is enabled by default in Tanium Core Platform 7.4, but not in earlier versions.

The certificates and keys used for Tanium Client to Tanium Server TLS connections automatically generate when you install the Tanium Server. However, the certificates and keys are not set up automatically for Zone Server deployments. For information about TLS communication in a Tanium deployment prior to 7.4, including how to set up TLS for Zone Server communication, see Tanium Core Platform Deployment Reference Guide: Setting up TLS communication.