Installing the Tanium Server in an active-active HA cluster

You can deploy two Tanium Servers in an active-active high availability (HA) cluster to ensure continuous availability in the event of an outage or scheduled maintenance. For details about HA deployments, see Tanium Server.

HA cluster requirements and limitations

An HA deployment has the following requirements:

  • Each Tanium Server must run the same software version, including build number (for example, each must have build number 7.3.314.4103).
  • Each Tanium Server must meet or exceed the requirements for the total number of endpoints that your deployment targets. Each server must be able to independently handle load from the full deployment in the event of failure. For details, see Reference: Host system sizing guidelines.
  • The HA peers must connect to each other over a reliable Ethernet connection that has a minimum throughput of 1 Gbps and a maximum round-trip latency of 30 ms.
  • Each Tanium Server requires Internet access, directly or through a proxy server, to download files from designated domains.
  • Each Tanium Server must connect to the shared database server and shared Module Server. The connection requires a minimum throughput of 1 Gbps and a maximum round-trip latency of 30 ms.

You do not have to configure a Microsoft Windows cluster. The procedures provided here are based on two standalone Windows Server host computers.

Before you begin

Make sure:

  • You can access the installer package and license file.
  • Your network security administrator has configured security rules to allow communication on the TCP ports Tanium Core Platform components use. In addition to the ports used by standalone Tanium Servers, a Tanium Server in an HA cluster sends and receives HA-related data on port 17472 (TCP).
  • Your Microsoft Active Directory administrator has set up the accounts your team needs for the Tanium platform deployment.
  • Your database administrator has created a database server for the Tanium platform deployment, and a privileged domain administrator account is available that you can use to create the Tanium databases when you run the installer.

Deploy the HA cluster

  1. Set up the shared database server.
  2. Complete the installation for the Tanium Server on the primary host computer as described in Installing the Tanium Server.
  3. Complete the installation for the Tanium Module Server as described in Installing the Tanium Module Server.
  4. Log in to the second host computer and run the Command Prompt utility as the local administrator so that you have permissions to create a folder in Program Files.
  5. Create the directory by running the following command, where <drive> is the target drive (such as D).

    md "<drive>:\Program Files\Tanium\Tanium Server"

  6. Copy the following files from the Tanium Server installation directory on the primary host computer to the directory you just created on the secondary host:
    • SOAPServer.crt
    • SOAPServer.key
    • tanium.license
    • tanium.pvk
    • tanium.pub

    Always follow your organization's best practices for securely copying sensitive files, such as the Tanium Server private key file. For example, use GPG to encrypt the files before copying and to decrypt when they are in place on the target server.

  7. If the primary server was deployed days before you deploy the secondary server, copy the Strings folder from the Tanium installation directory on the primary host computer to the same directory on the secondary host computer. This step is not necessary if you are deploying both servers at the same time.
  8. Copy the installation package file to a temporary location.
  9. Right-click the SetupServer.exe file, select Run as administrator, and complete the installation wizard.
  10. Complete registration for the second Tanium Server with the remote Module Server.

    On the Module Server host computer, use the CLI to add registration for the second Tanium Server. Specify a Tanium Console admin username and password. For example:

    cmd-prompt> TaniumModuleServer register ts2.tam.local
    Enter administrator username: TaniumAdmin

    Enter password for user 'TaniumAdmin': <password>
    Successfully completed registration.

    Registration involves copying files between the Module Server and the Tanium Server. Both must be reachable when you issue the registration command; otherwise, the command fails.

    For information about using the CLI, see Tanium Core Platform Deployment Reference Guide: Command-line interface.
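
The GPG suggestion in step 6, written out as an added PowerShell example (not Tanium code). It assumes gpg is installed on both hosts and that the recipient key pair was generated on the secondary host, so only that host can decrypt; the function names, the staging folder and the recipient are hypothetical placeholders.

```powershell
# Added example. File names are the five listed in step 6 of this page.
$Files = 'SOAPServer.crt','SOAPServer.key','tanium.license','tanium.pvk','tanium.pub'

function Export-HaFiles {              # run on the primary host
    param([string]$InstallDir, [string]$Staging, [string]$Recipient)
    New-Item -ItemType Directory -Path $Staging -Force | Out-Null
    $manifest = foreach ($f in $Files) {
        $path = Join-Path $InstallDir $f
        # Encrypt to the secondary host's public key; plaintext never enters $Staging.
        & gpg --encrypt --recipient $Recipient --output (Join-Path $Staging "$f.gpg") $path
        if ($LASTEXITCODE -ne 0) { throw "gpg failed to encrypt $f" }
        # SHA-256 of the plaintext, so the secondary can confirm what it decrypted.
        [pscustomobject]@{ Name = $f; Hash = (Get-FileHash -Algorithm SHA256 -Path $path).Hash }
    }
    $manifest | Export-Csv -Path (Join-Path $Staging 'manifest.csv') -NoTypeInformation
}

function Import-HaFiles {              # run on the secondary host
    param([string]$Staging, [string]$InstallDir)
    foreach ($row in Import-Csv -Path (Join-Path $Staging 'manifest.csv')) {
        $dest = Join-Path $InstallDir $row.Name
        & gpg --decrypt --output $dest (Join-Path $Staging "$($row.Name).gpg")
        if ($LASTEXITCODE -ne 0) { throw "gpg failed to decrypt $($row.Name)" }
        if ((Get-FileHash -Algorithm SHA256 -Path $dest).Hash -ne $row.Hash) {
            Remove-Item -Path $dest -Force      # do not leave a damaged key file in place
            throw "hash mismatch for $($row.Name)"
        }
    }
    # Remove the ciphertext copies once every file has been verified.
    Remove-Item -Path (Join-Path $Staging '*.gpg') -Force
}

# Primary host (placeholders: <drive>, staging path, recipient key):
#   Export-HaFiles -InstallDir '<drive>:\Program Files\Tanium\Tanium Server' `
#                  -Staging 'C:\ha-staging' -Recipient '<secondary-host-key-id>'
# Secondary host, after copying the staging folder across:
#   Import-HaFiles -Staging 'C:\ha-staging' `
#                  -InstallDir '<drive>:\Program Files\Tanium\Tanium Server'
```

The manifest catches a truncated or corrupted transfer only; to also authenticate the sender, sign on the primary (gpg --sign together with --encrypt) and check the signature result on decrypt.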

Next steps

Verify the deployment: see Verifying the Tanium Core Platform deployment.
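
A link check to run from one HA peer once both servers are installed, as an added PowerShell example (not part of the Tanium documentation). It uses TCP connect time to port 17472 as an approximation of round-trip latency against the 30 ms limit stated above; Test-HaPeerLink is a hypothetical name, ts2.tam.local is the host name from the registration example, and it is an assumption that the peer accepts connections on that port.

```powershell
function Test-HaPeerLink {
    param(
        [string]$Peer     = 'ts2.tam.local',   # the other Tanium Server
        [int]$Port        = 17472,             # HA port named on this page
        [int]$MaxRttMs    = 30,                # latency limit named on this page
        [int]$Samples     = 10
    )
    # Resolve once so that DNS lookup time is not counted as network latency.
    $addr = [System.Net.Dns]::GetHostAddresses($Peer) | Select-Object -First 1

    $times = foreach ($i in 1..$Samples) {
        $client = [System.Net.Sockets.TcpClient]::new($addr.AddressFamily)
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            # Wait() bounds each attempt to 2 s; a filtered port times out here.
            if ($client.ConnectAsync($addr, $Port).Wait(2000)) {
                $sw.Elapsed.TotalMilliseconds   # one SYN/SYN-ACK exchange, about one RTT
            }
        } catch {
            # Connection refused or host unreachable: counted as a failed sample.
        } finally {
            $client.Dispose()
        }
        Start-Sleep -Milliseconds 200
    }

    $times = @($times)
    $max   = ($times | Measure-Object -Maximum).Maximum
    [pscustomobject]@{
        Peer         = $Peer
        Port         = $Port
        Connected    = $times.Count
        Attempts     = $Samples
        MaxConnectMs = if ($times.Count) { [math]::Round($max, 1) } else { $null }
        # Pass only if every attempt connected and the slowest one met the limit.
        WithinBudget = ($times.Count -eq $Samples) -and ($max -le $MaxRttMs)
    }
}

Test-HaPeerLink
```

Run it in both directions, since firewall rules are often asymmetric. The same function can be pointed at the shared database server and Module Server by passing the port your deployment uses for those connections.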

HA configuration notes

Tanium Servers in an HA cluster do not automatically synchronize their Windows Registry settings. Therefore, you must repeat any changes to these settings on each Tanium Server in the cluster. Settings stored in the Windows Registry include:

  • Log level
  • Proxy server settings
  • Bypass proxy settings
  • Trusted host settings
  • Bypass certificate revocation list (CRL) check settings
  • Tanium Client subnets

For the procedures to edit these settings, see the Tanium Console User Guide.

For guidelines on Tanium Server Windows Registry settings, see Tanium Core Platform Deployment Reference Guide: Settings.
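
Because these settings are not synchronized, a periodic comparison between the two servers catches drift. The following is an added PowerShell example, not Tanium tooling; it assumes PowerShell remoting is enabled on both hosts, ts1.tam.local is a hypothetical name for the primary, and the registry key path is a placeholder to replace with the key given in the Deployment Reference Guide.

```powershell
$Servers = 'ts1.tam.local', 'ts2.tam.local'        # ts1 is a hypothetical host name
$KeyPath = 'HKLM:\SOFTWARE\<Tanium-Server-key>'    # placeholder: not stated on this page

# Snapshot every value under the key on each server as name -> string.
$snap = @{}
foreach ($s in $Servers) {
    $snap[$s] = Invoke-Command -ComputerName $s -ArgumentList $KeyPath -ErrorAction Stop -ScriptBlock {
        param($k)
        $item   = Get-Item -Path $k -ErrorAction Stop
        $values = @{}
        foreach ($n in $item.GetValueNames()) {
            $values[$n] = [string]$item.GetValue($n)
        }
        $values
    }
}

# Report values that are missing on one side or differ between the two.
$a, $b = $Servers
$names = @($snap[$a].Keys) + @($snap[$b].Keys) | Sort-Object -Unique
$drift = foreach ($n in $names) {
    if ($snap[$a][$n] -cne $snap[$b][$n]) {
        [pscustomobject]@{
            Value        = $n
            Server1      = $a
            Server1Value = $snap[$a][$n]      # empty when the value is absent
            Server2      = $b
            Server2Value = $snap[$b][$n]
        }
    }
}

if ($drift) {
    $drift | Format-Table -AutoSize
} else {
    "No differences under $KeyPath between $a and $b"
}
```

Review each reported difference by hand before changing anything: a difference in a security-relevant setting from the list above, such as the CRL check bypass or trusted hosts, means the two servers are enforcing different policy.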

Last updated: 11/12/2019 3:30 PM