Installing Tanium Server in an Active-Active cluster

High-availability (HA) features keep the application available during a failure or scheduled maintenance.

Overview

HA clustering is not required to scale Tanium™ capacity or to improve performance. You can size the host system hardware and OS of standalone platform servers to meet your capacity and performance requirements. Rather, the Tanium™ Core Platform supports HA active-active clustering of Tanium Server to ensure continuous availability in the event of an outage or scheduled maintenance.

The figure below shows an HA topology. In an active-active deployment:

  • Tanium™ Clients use a Tanium™ Server list to automatically find a backup server in the event the primary Tanium Server assigned to them is unavailable.
  • The Tanium Servers read and write to one shared database. Each server creates an entry for itself in the tanium database that identifies it to the other Tanium Servers in the cluster.
  • Each cluster member has a Tanium™ Console with its own URL.
  • Tanium solution modules are installed on a shared module server. However, to make them available in Tanium Console, they must be imported in each console.
  • Each server passes Tanium messages (for example, answers to questions) to the other cluster members over port 17472.
  • Package files that are uploaded to one member are synchronized to the other cluster members over port 17472.
  • HA is not supported for Tanium™ Module Server. You might want to provision a cold standby that you can bring into service to replace the Module Server in the event of hardware failure.
  • Follow database administration best practices to ensure that the database server remains available and that the Tanium databases and related database objects are backed up routinely.
Figure 1: HA topology

HA cluster requirements and limitations

An HA deployment has the following requirements:

  • Each Tanium Server must run the same software version, including build number (for example, each must have build number 7.2.314.2962).
  • Each Tanium Server in the cluster must meet or exceed the requirements for the total number of endpoints targeted by your deployment. (Each must be able to independently handle load from the full deployment in the event of failure.)
  • The cluster members must be able to connect to each other via a reliable Ethernet connection. A minimum 1 Gbps connection is required.
  • Each cluster member must be able to access the Internet to download files from designated domains. Access can be direct or made through a proxy server.
  • Each cluster member must be able to connect to the shared database server and shared Module Server.

You do not have to configure a Microsoft Windows cluster. The procedures provided here are based on two standalone Windows Server host computers.

The Tanium™ Appliance supports database high availability. For details, see the Tanium Appliance Installation Guide.

Before you begin

Make sure:

  • You can access the installer package and license file.
  • Your network security administrator has configured security rules to allow communication on the TCP ports Tanium Core Platform components use. In addition to the ports used by standalone Tanium Servers, a Tanium Server in an HA cluster sends and receives HA-related data on port 17472 (TCP).
  • Your Microsoft Active Directory administrator has set up the accounts your team needs for the Tanium platform deployment.
  • Your database administrator has created a database server for the Tanium platform deployment, and there is a privileged domain administrator account that you can use to create the Tanium databases when you run the installer.

Deploy the HA cluster

  1. Set up the shared database server.
  2. Complete the installation for the Tanium Server on the primary host computer as described in Installing Tanium Server.
  3. Complete the installation for the Tanium Module Server as described in Installing Tanium Module Server.
  4. Log into the second host computer and run the Command Prompt utility as the local administrator so that you have privileges to create a folder in Program Files.
  5. Enter the following command to create the directory:

    md "D:\Tanium\Tanium Server"

  6. Copy the following files from the Tanium Server installation directory on the primary host computer to the directory you just created on the secondary host:
    • SoapServer.crt
    • SoapServer.key
    • tanium.license
    • tanium.pvk
    • tanium.pub

    Always follow your organization's best practices for securely copying sensitive files, such as the Tanium Server private key file. For example, use GPG to encrypt the files before copying and to decrypt when they are in place on the target server.

  7. If the primary server was deployed days before you deploy the secondary server, copy the Strings folder from the Tanium installation directory on the primary host computer to the same directory on the secondary host computer. This step is not necessary if you are deploying both servers at the same time.
  8. Copy the installation package file to a temporary location.
  9. Right-click the SetupServer.exe file and select Run as administrator.
  10. Complete the installation wizard.
  11. Complete registration for the second Tanium Server with the remote Module Server.

    On the Module Server host computer, use the CLI to add registration for the second Tanium Server. For example:

    cmd-prompt>TaniumModuleServer register ts2.tam.local
    Enter administrator username: TaniumAdmin
    
    Enter password for user 'TaniumAdmin':
    Successfully completed registration.
    
    cmd-prompt>

    For information about using the CLI, see Reference: Tanium server CLI.

Verify the installation

  1. Import solution modules into each Tanium Console.

    Tanium solution modules are installed on a shared Module Server. However, the solution module workbench files must be installed on each Tanium Server. See the Tanium Core Platform User Guide for details.

  2. Deploy the Tanium Client to endpoints. When you configure client settings, specify both server names so the Tanium Clients use the ServerNameList setting to select a Tanium Server. See the Tanium Client Deployment Guide.
  3. In Interact, ask Get Computer Name and Tanium Server Name from all machines and verify that both Tanium Servers are active.
  4. Verify that both servers download packages with URL-specified files when such a package is created or imported. Distribute Copy Tools is an example of a package with URL-specified files:
    1. Go to Authoring > Packages.
    2. Select the row for Distribute Copy Tools.
    3. Click Status and check that the files have been downloaded and are now cached on both servers.
  5. Create a new package and specify a locally uploaded file. After you have saved the package, wait a moment for HA sync to occur, and then check that the files are downloaded and cached by both servers.

HA configuration notes

The Tanium Server settings that are stored in the Windows Registry are not automatically synced to other cluster nodes. In active-active deployments, if you make changes to these settings, be sure to do so on both nodes.

Settings stored in the Windows Registry include:

  • Log level
  • Proxy server settings
  • Bypass proxy settings
  • Trusted host settings
  • Bypass CRL check settings
  • Client subnets

In the Tanium Console, you can use the Configuration workbench to edit these settings. Be sure to do it with each Tanium Console (for example, log into ts1.example.com and make your changes; then log into ts2.example.com and make the same changes).

For instructions on using the Configuration workbench, see the Tanium Core Platform User Guide.

For guidelines on Tanium Server Windows Registry settings, see Windows Registry.
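
Because these settings are not synced, a periodic comparison of the two nodes catches drift such as a proxy or CRL-bypass entry that exists on only one server. The following is an added example, not Tanium code: it parses a `reg export` file taken from each node and lists every value that differs or is present on only one node. The key path and value names in the embedded samples are constructed placeholders, because this page does not list the real ones.

```python
import re

# Constructed `reg export` samples, one per cluster node. The key path and the
# value names are placeholders; the page does not list the real ones.
NODE1_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\EXAMPLE-PLACEHOLDER-KEY]
"ExampleLogLevel"=dword:00000001
"ExampleProxyServer"="proxy.example.com:8080"
"ExampleClientSubnets"=hex(7):31,00,30,00,\
  2e,00,00,00
'''
NODE2_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\EXAMPLE-PLACEHOLDER-KEY]
"ExampleLogLevel"=dword:00000029
"ExampleClientSubnets"=hex(7):31,00,30,00,2e,00,00,00
'''

# "name"=data or @=data (default value); data is kept as raw text.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

def load_export(path):
    # reg.exe writes version 5.00 exports as UTF-16 with a byte-order mark.
    with open(path, encoding="utf-16") as fh:
        return fh.read()

def parse_reg_export(text):
    """Return {(key, value_name): raw_data} from the text of a .reg export."""
    settings, key, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):            # hex data continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()       # key paths are case-insensitive
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            settings[(key, name.lower())] = m.group(2)
    return settings

def diff_nodes(a, b):
    """List (key, name, data_on_a, data_on_b) for each setting that differs."""
    return [(*ident, a.get(ident), b.get(ident))
            for ident in sorted(set(a) | set(b)) if a.get(ident) != b.get(ident)]

if __name__ == "__main__":
    for key, name, v1, v2 in diff_nodes(parse_reg_export(NODE1_EXPORT),
                                        parse_reg_export(NODE2_EXPORT)):
        print(f"DRIFT {key}\\{name}: node1={v1} node2={v2}")
```

For real use, pass each node's export through `load_export` instead of the embedded samples; a value reported as `None` is missing on that node.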

Last updated: 2/14/2018 2:16 PM