Installing Tanium Servers in an active-active HA cluster

You can deploy two Tanium Servers in an active-active high availability (HA) cluster to ensure continuous availability in the event of an outage or scheduled maintenance. For details about HA deployments, see Tanium™ Server. If the deployment includes HA Zone Servers, see Zone Server High Availability.

HA cluster requirements and limitations

An HA deployment has the following requirements:

  • Installer version: Use the same installer for both Tanium Servers. All Tanium Core Platform servers must have the same build number (for example, all must have build number Contact Tanium Support for details.
  • Host capacity: Both Tanium Servers must meet or exceed the requirements for the total number of endpoints that your deployment targets. That means each server must be able to independently handle load from the full deployment in the event of failure. For details, see Resource requirements.
  • Peer-to-peer connectivity: The Tanium Servers must be able to connect to each other over a reliable Ethernet connection. The connection requires a minimum throughput of 1 Gbps and a maximum round-trip latency of 30 ms.
  • Internet access: Each Tanium Server must be able to access the Internet to download files from designated domains (see Tanium Core Platform Deployment Reference Guide: Internet URLs required). Access can be direct or through a proxy server (see Tanium Console User Guide: Configuring proxy server settings).
  • Shared database and Tanium Module Server: Each cluster member must be able to connect to the shared database server and shared Module Server. The connection requires a minimum throughput of 1 Gbps and a maximum round-trip latency of 30 ms.

You do not have to configure a Microsoft Windows cluster. The procedures provided here are based on two standalone Windows Server host computers.

Before you begin

Ensure the following conditions are met before installing the Tanium Servers:

  • Installer: Ensure that you can access the Tanium Server installer: SetupServer.exe.
  • Tanium license: Ensure that you can access the Tanium license file: tanium.license.
  • Host requirements: The host systems must meet the hardware, software, and network connectivity requirements suitable for your deployment: see Requirements.
  • User accounts: Your Microsoft Active Directory administrator must configure the accounts that your team needs for the Tanium Core Platform deployment: see Administrator account permissions.
  • Firewall rules: Your network administrator must configure firewall rules to allow communication on the TCP ports that the Tanium Core Platform uses. In addition to the ports that a standalone Tanium Server uses, Tanium Servers in an HA cluster send and receive HA-related data on port 17472 (TCP). For details, see Internet access, network connectivity, and firewalls.
  • Security exclusions: Your security team must configure exceptions to host-based security policies to allow Tanium processes to operate smoothly and at optimal performance: see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.
  • Certificates and keys: If you want to use a certificate issued by a certificate authority (CA) for securing connections from user systems to the Tanium Servers for Tanium Console or API access, ensure that the CA-issued certificate and associated private key are present on the Tanium Servers. The certificate file name must be SOAPServer.crt and the key file name must be SOAPServer.key. During installation, you can select a CA-issued certificate or configure the Tanium Server to generate a self-signed certificate.

    To facilitate troubleshooting, use the self-signed certificate during initial installation and replace it with a CA-issued certificate later. This practice enables you to separate potential installation issues from TLS connection issues.

    For details and procedures, see Tanium Core Platform Deployment Reference Guide: Securing Tanium Console, API, and Module Server access.

  • Database server: Your database administrator must create a database server for the Tanium Core Platform deployment: see Set up a database server.

Deploy the HA cluster

  1. Install the Tanium Server on the primary host computer as described in Install the Tanium Server.
  2. Install the Tanium Module server as described in Installing the Tanium Module Server.
  3. Sign in to the secondary host computer and run the Command Prompt utility as the local administrator, which has the permissions required to create a folder in the Program Files directory.
  4. Create the directory by running the following command, where <drive> is the target drive (such as D):

    md "<drive>:\Program Files\Tanium\Tanium Server"

  5. Copy the following files from the Tanium Server installation directory on the primary host to the directory you just created on the secondary host:
    • SOAPServer.crt
    • SOAPServer.key
    • tanium.license

    Always follow the best practices of your organization for securely copying sensitive files. For example, use GNU Privacy Guard (GPG) to encrypt the files before copying and to decrypt when they are in place on the target server.

  6. If the primary server has been deployed for days before you deploy the secondary server, copy the Strings folder from the Tanium installation directory on the primary host to the same directory on the secondary host. This step is not necessary if you deploy both servers at the same time.
  7. Copy the installer (SetupServer.exe) to a temporary location on the secondary host.
  8. Install the Tanium Server on the secondary host as described in Install the Tanium Server.

    Because you already copied the license to the appropriate directory, skip the step to copy it to a temporary location.

  9. Register the remote Module Server with the second Tanium Server.

    Registration involves copying files between the Module Server and the Tanium Server. Both must be reachable when you issue the registration CLI command or else the command fails. For information about using the CLI, see Tanium Core Platform Deployment Reference Guide: Command-line interface.

    1. Access the CLI on the Module Server host and navigate to the Module Server installation directory:

      cmd-prompt>cd <Module Server>

    2. Issue the registration command, and specify a Tanium Console administrator user name and password when prompted:

      cmd-prompt>TaniumModuleServer register <Tanium_Server_FQDN>
      Enter administrator username: <username>
      Enter password for user '<username>':<password>
      Successfully completed registration.

  10. Enable trust between the Tanium Servers to enable communication for HA synchronization and failover: see Tanium Console User Guide: Managing Tanium Server trust.
  11. (Optional) Relocate the package file repository on both Tanium Servers if you want to use a directory other than the default <Tanium Server installation directory>\Downloads directory.
  12. (Optional) Integrate the Tanium Servers with a hardware security module (HSM) if your organization uses an HSM to store and manage digital keys. See Tanium Core Platform Deployment Reference Guide: Securing keys with an HSM.
  13. Verify the deployment: see Verifying the deployment.
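The following PowerShell script is an added example (not Tanium tooling) that checks the results of steps 5, 6 and 10 from the primary host before you move on to verification: it confirms the copied files are byte-identical on the secondary, that the Strings folder was carried over when present, that SOAPServer.crt is not already expired, and that the HA port and latency limits stated above are met. It assumes the secondary's FQDN is passed as $Secondary, that its administrative share is reachable, and that both servers use the default installation directory on drive C.

```powershell
# Added example, not Tanium's own tooling: run on the PRIMARY host after step 10 to confirm the
# secondary received identical copies of the shared files and the HA link meets the stated limits.
# Assumptions: $Secondary is the secondary's FQDN, its admin share is reachable, and both installs
# use the default directory on drive C (adjust $RemoteDir if you chose another drive in step 4).
param(
    [Parameter(Mandatory)] [string] $Secondary,
    [string] $LocalDir  = 'C:\Program Files\Tanium\Tanium Server',
    [string] $RemoteDir = "\\$Secondary\C$\Program Files\Tanium\Tanium Server"
)
$ok = $true

# 1. The three files copied in step 5 must be byte-identical on both hosts.
foreach ($f in 'SOAPServer.crt', 'SOAPServer.key', 'tanium.license') {
    $remote = Join-Path $RemoteDir $f
    if (-not (Test-Path $remote)) { Write-Warning "missing on secondary: $f"; $ok = $false; continue }
    $h1 = (Get-FileHash -Algorithm SHA256 (Join-Path $LocalDir $f)).Hash
    $h2 = (Get-FileHash -Algorithm SHA256 $remote).Hash
    if ($h1 -eq $h2) { Write-Host "OK   $f  SHA256=$h1" }
    else { Write-Warning "hash mismatch: $f"; $ok = $false }
}

# 2. Step 6: if the primary has a Strings folder, the secondary needs it as well.
if ((Test-Path (Join-Path $LocalDir 'Strings')) -and -not (Test-Path (Join-Path $RemoteDir 'Strings'))) {
    Write-Warning 'Strings folder exists on primary but not on secondary'; $ok = $false
}

# 3. The Console/API certificate should not already be expired before you rely on it.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Join-Path $LocalDir 'SOAPServer.crt'))
if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "SOAPServer.crt expired on $($cert.NotAfter)"; $ok = $false }
else { Write-Host "OK   certificate $($cert.Subject) valid until $($cert.NotAfter)" }

# 4. HA traffic uses TCP 17472; peers must be within 30 ms round-trip (ICMP RTT used as a proxy).
if (-not (Test-NetConnection -ComputerName $Secondary -Port 17472 -InformationLevel Quiet)) {
    Write-Warning "TCP 17472 to $Secondary is not reachable (check the firewall rules)"; $ok = $false
}
$rtt = (New-Object System.Net.NetworkInformation.Ping).Send($Secondary).RoundtripTime
if ($rtt -gt 30) { Write-Warning "round-trip latency ${rtt} ms exceeds the 30 ms limit"; $ok = $false }
else { Write-Host "OK   round-trip latency ${rtt} ms" }

if ($ok) { Write-Host 'HA pre-check passed' } else { Write-Error 'HA pre-check failed'; exit 1 }
```

A hash mismatch on SOAPServer.key or tanium.license usually means a partial or re-encrypted copy; re-copy the file rather than continuing to verification.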

HA configuration notes

Tanium Servers in an HA cluster do not automatically synchronize their Windows Registry settings. Therefore, you must repeat any changes to these settings on each Tanium Server in the cluster. Settings stored in the Windows Registry include:

  • Log level
  • Proxy server settings
  • Bypass proxy settings
  • Trusted host settings
  • Bypass certificate revocation list (CRL) check settings

For the procedures to edit these settings, see the Tanium Console User Guide.

For guidelines on Tanium Server Windows Registry settings, see Tanium Core Platform Deployment Reference Guide: Settings.