Installing Tanium Servers in an active-active HA cluster

You can deploy two Tanium Servers in an active-active high availability (HA) cluster to ensure continuous availability in the event of an outage or scheduled maintenance. For details about HA deployments, see Tanium Server.

HA cluster requirements and limitations

An HA deployment has the following requirements:

  • Use the same installer for both Tanium Servers. All Tanium Core Platform servers must have the same build number. Contact your Tanium Technical Account Manager (TAM) for details.
  • Each Tanium Server in the cluster must meet or exceed the requirements for the total number of endpoints that your deployment targets. Each must be able to independently handle load from the full deployment in the event of failure. For details, see Reference: Host system resource guidelines.
  • The cluster members must be able to connect to each other over a reliable Ethernet connection. The connection requires a minimum throughput of 1 Gbps and a maximum round-trip latency of 30 ms.
  • Each cluster member must be able to access the Internet to download files from designated domains. Access can be direct or through a proxy server.
  • Each cluster member must be able to connect to the shared database server and shared Module Server. The connection requires a minimum throughput of 1 Gbps and a maximum round-trip latency of 30 ms.

You do not have to configure a Microsoft Windows cluster. The procedures provided here are based on two standalone Windows Server host computers.

Before you begin

Ensure the following conditions are met before installing the Tanium Servers:

  • You can access the installer package and license file.
  • The host systems meet the hardware, software, and network connectivity requirements suitable for your deployment. For details, see Requirements.
  • Your Microsoft Active Directory administrator has configured the accounts that your team needs for the Tanium Core Platform deployment. For details, see Administrator account permissions.
  • Your network administrator has configured firewall rules to allow communication on the TCP ports that the Tanium Core Platform uses. In addition to the ports that a standalone Tanium Server uses, Tanium Servers in an HA cluster send and receive HA-related data on port 17472 (TCP). For details, see Internet access, network connectivity, and firewall.
  • Your security team has configured exceptions to host-based security policies to allow Tanium processes to operate smoothly and at optimal performance. For details, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.
  • If you want to use a certificate issued by a certificate authority (CA) to secure connections from user systems to the Tanium Servers for Tanium Console or API access, ensure that the CA-issued certificate and associated private key are present on the Tanium Servers. The certificate file name must be SOAPServer.crt and the key file name must be SOAPServer.key. During installation, you can select a CA-issued certificate or configure the Tanium Server to generate a self-signed certificate. As a best practice to facilitate troubleshooting, use the self-signed certificate during initial installation and replace it with a CA-issued certificate later. This practice enables you to separate potential installation issues from TLS connection issues. For details, see Tanium Core Platform Deployment Reference Guide: Securing Tanium Console, API, and Module Server access.
  • Your database administrator has created a database server for the Tanium Core Platform deployment. The administrator must also configure a privileged domain administrator account that you can use to create the Tanium databases when you run the installer.

    The Windows Secondary Login service (seclogon) must have its Startup type set to Automatic or Manual, not Disabled, or else the Tanium database installation will fail.

    Decide the type of database to use:

    • PostgreSQL server: Check with your Technical Account Manager (TAM) if you are interested in deploying Tanium with a PostgreSQL Server. A special distribution of PostgreSQL Server is required. For details, see the Tanium Support Knowledge Base article (login required).
    • Microsoft SQL server: If you plan to deploy with an SQL Server, the best practice is to install SQL Server Management Studio on the Tanium Server hosts before you run the installer. SQL Server Management Studio is optional, but most administrators find it useful to verify database transactions and to manage the databases. If you install SQL Server Management Studio before you run the installer, the installer does not call the Microsoft SQL Server utilities installers.
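The following PowerShell script is an added example, not part of the Tanium documentation or product: run it on the secondary host before launching SetupServer.exe to confirm the conditions above (seclogon not Disabled, the three files copied from the primary present, TCP 17472 reachable, and round-trip latency to the peer, database server, and Module Server within 30 ms). The host names and the target directory are assumed values; replace them with your own.

```powershell
# Added example (not from the Tanium documentation): pre-installation checks for the secondary HA host.
# $PeerServer, $DbServer, $ModuleServer and $TaniumDir are assumed values for illustration.
param(
    [string]$PeerServer   = 'tanium-primary.example.com',   # primary Tanium Server (assumed)
    [string]$DbServer     = 'tanium-db.example.com',        # shared database server (assumed)
    [string]$ModuleServer = 'tanium-ms.example.com',        # shared Module Server (assumed)
    [string]$TaniumDir    = 'D:\Program Files\Tanium\Tanium Server'
)
$failures = New-Object System.Collections.Generic.List[string]

# 1. Secondary Logon (seclogon) must be Automatic or Manual, or the database installation fails.
$seclogon = Get-Service -Name seclogon
if ($seclogon.StartType -eq 'Disabled') {
    $failures.Add('seclogon service is Disabled; set its Startup type to Automatic or Manual')
}

# 2. Files copied from the primary host must already be in the Tanium Server directory.
foreach ($name in 'SOAPServer.crt', 'SOAPServer.key', 'tanium.license') {
    if (-not (Test-Path (Join-Path $TaniumDir $name))) {
        $failures.Add("Missing $name in $TaniumDir")
    }
}

# 3. HA synchronization uses TCP 17472; the primary (already running) must accept it.
$tnc = Test-NetConnection -ComputerName $PeerServer -Port 17472 -WarningAction SilentlyContinue
if (-not $tnc.TcpTestSucceeded) {
    $failures.Add("TCP 17472 to $PeerServer is not reachable; check the firewall rules")
}

# 4. Peer, database server and Module Server must answer within the 30 ms round-trip limit.
$ping = New-Object System.Net.NetworkInformation.Ping
foreach ($target in $PeerServer, $DbServer, $ModuleServer) {
    $rtts = foreach ($i in 1..5) {
        $reply = $ping.Send($target, 2000)               # 2 s timeout per probe
        if ($reply.Status -eq 'Success') { $reply.RoundtripTime } else { 9999 }
    }
    $max = ($rtts | Measure-Object -Maximum).Maximum
    if ($max -gt 30) {
        $failures.Add("Round-trip latency to $target is $max ms (limit 30 ms, 9999 = no reply)")
    }
}

if ($failures.Count -eq 0) {
    Write-Host 'All HA pre-installation checks passed.'
} else {
    $failures | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

The script checks latency with ICMP echo, so the targets must answer ping; it does not measure the 1 Gbps throughput requirement.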

Deploy the HA cluster

  1. Set up the shared database server.
  2. Install the Tanium Server on the primary host computer as described in Installing the Tanium Server.
  3. Install the Tanium Module server as described in Installing the Tanium Module Server.
  4. Log in to the secondary host computer and run the Command Prompt utility as the local administrator, which has the permissions required to create a folder in the Program Files directory.
  5. Create the directory by running the following command, where <drive> is the target drive (such as D):

    md "<drive>:\Program Files\Tanium\Tanium Server"

  6. Copy the following files from the Tanium Server installation directory on the primary host to the directory you just created on the secondary host:
    • SOAPServer.crt
    • SOAPServer.key
    • tanium.license

    Always follow the best practices of your organization for securely copying sensitive files. For example, use GNU Privacy Guard (GPG) to encrypt the files before copying and to decrypt when they are in place on the target server.

  7. If the primary server has been deployed for days before you deploy the secondary server, copy the Strings folder from the Tanium installation directory on the primary host to the same directory on the secondary host. This step is not necessary if you deploy both servers at the same time.
  8. Copy the installation package file (SetupServer.exe) to a temporary location on the secondary host.
  9. Right-click SetupServer.exe, select Run as administrator, and complete the installation wizard.
  10. Register the remote Module Server with the second Tanium Server.

    Registration involves copying files between the Module Server and the Tanium Server. Both must be reachable when you issue the registration CLI command or else the command fails. For information about using the CLI, see Tanium Core Platform Deployment Reference Guide: Command-line interface.

    1. Access the CLI on the Module Server host and navigate to the Module Server installation directory:

      cmd-prompt>cd <Module Server>

    2. Issue the registration command, and specify a Tanium Console administrator user name and password when prompted:

      cmd-prompt>TaniumModuleServer register <Tanium_Server_FQDN>
      Enter administrator username: <username>
      Enter password for user '<username>':<password>
      Successfully completed registration.

  11. Enable trust between the Tanium Servers to enable communication for HA synchronization and failover: see Tanium Console User Guide: Managing Tanium Server trust.
  12. Verify the deployment: see Verifying the Tanium Core Platform deployment.

HA configuration notes

Tanium Servers in an HA cluster do not automatically synchronize their Windows Registry settings. Therefore, you must repeat any changes to these settings on each Tanium Server in the cluster. Settings stored in the Windows Registry include:

  • Log level
  • Proxy server settings
  • Bypass proxy settings
  • Trusted host settings
  • Bypass certificate revocation list (CRL) check settings
  • Tanium Client subnets

For the procedures to edit these settings, see the Tanium Console User Guide.

For guidelines on Tanium Server Windows Registry settings, see Tanium Core Platform Deployment Reference Guide: Settings.
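Because the registry settings listed above are not synchronized, a periodic comparison catches a change that was applied to one cluster member and forgotten on the other. The following PowerShell script is an added example, not Tanium's own tooling: it reads every value under a registry key on both servers over PowerShell remoting and reports any value that differs or is missing on one side. The server names are assumed, and the registry path is a placeholder to be replaced with the Tanium Server key documented in the Deployment Reference Guide: Settings.

```powershell
# Added example (not from the Tanium documentation): detect registry drift between HA members.
# $Servers are assumed names; $RegistryPath is a placeholder for the documented Tanium Server key.
param(
    [string[]]$Servers     = @('tanium-a.example.com', 'tanium-b.example.com'),
    [string]  $RegistryPath = 'HKLM:\SOFTWARE\<TANIUM-SERVER-KEY-PLACEHOLDER>'
)

# Snapshot the key's values on each server (WinRM must be permitted to both hosts).
$snapshots = @{}
foreach ($server in $Servers) {
    $snapshots[$server] = Invoke-Command -ComputerName $server -ArgumentList $RegistryPath -ScriptBlock {
        param($path)
        $item  = Get-ItemProperty -Path $path -ErrorAction Stop
        $table = @{}
        foreach ($prop in $item.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... bookkeeping properties; store values as strings.
            if ($prop.Name -notlike 'PS*') { $table[$prop.Name] = [string]$prop.Value }
        }
        $table
    }
}

# Union of all value names seen on any member, so a value absent on one side is also reported.
$names = $snapshots.Values | ForEach-Object { $_.Keys } | Sort-Object -Unique
$drift = 0
foreach ($name in $names) {
    $perServer = foreach ($server in $Servers) {
        if ($snapshots[$server].ContainsKey($name)) { $snapshots[$server][$name] } else { '<absent>' }
    }
    $distinct = @($perServer | Sort-Object -Unique).Count
    if ($distinct -gt 1) {
        $drift++
        $detail = for ($i = 0; $i -lt $Servers.Count; $i++) { "$($Servers[$i])=$($perServer[$i])" }
        Write-Warning "Drift in '$name': $($detail -join '; ')"
    }
}

if ($drift -eq 0) { Write-Host "Registry values under $RegistryPath match on all members." }
else { Write-Host "$drift value(s) differ; repeat the change on the other Tanium Server."; exit 1 }
```

Multi-string values are compared as their space-joined string form, so a change in element order is reported as drift.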