
Installing the Tanium Server in an active-active HA cluster

Overview

You can deploy Tanium Servers in an active-active high availability (HA) cluster to ensure continuous availability in the event of an outage or scheduled maintenance. In an active-active HA deployment:

  • Tanium™ Clients use a Tanium Server list to automatically find a backup server in the event the primary Tanium Server assigned to them is unavailable.
  • The Tanium Servers read and write to one shared database. Each server creates an entry for itself in the tanium database that identifies it to the other Tanium Servers in the HA cluster. Follow database administration best practices to ensure availability of the database server and to ensure that the Tanium databases and related database objects are backed up routinely.
  • Each HA cluster member has a Tanium™ Console with its own URL.
  • Tanium solution modules are installed on a shared Tanium Module Server (the Module Server does not support HA). However, to make the modules available in all the Tanium Servers in an HA cluster, you must import the modules through the Tanium Console of each cluster member.
  • Each Tanium Server passes Tanium messages (such as answers to questions) and package files to the other HA cluster members over port 17472. When you upload package files to a Tanium Server, it automatically synchronizes the files to the other HA cluster members.

HA clustering is not required to scale Tanium™ capacity or improve performance. You can resize the host system hardware and operating systems of standalone Tanium Core Platform servers to meet your capacity and performance requirements. For details, see Reference: Host system sizing guidelines.

Figure 1: HA topology

HA cluster requirements and limitations

An HA deployment has the following requirements:

  • Each Tanium Server must run the same software version, including build number (for example, each must have build number 7.3.314.3424).
  • Each Tanium Server in the cluster must meet or exceed the requirements for the total number of endpoints targeted by your deployment. Each must be able to independently handle load from the full deployment in the event of failure. For details, see Reference: Host system sizing guidelines.
  • The cluster members must be able to connect to each other via a reliable Ethernet connection. A minimum 1 Gbps connection is required.
  • Each cluster member must be able to access the Internet to download files from designated domains. Access can be direct or through a proxy server.
  • Each cluster member must be able to connect to the shared database server and shared Module Server.

You do not have to configure a Microsoft Windows cluster. The procedures provided here are based on two standalone Windows Server host computers.

The Tanium™ Appliance supports database high availability. For details, see the Tanium Appliance Installation Guide.

Before you begin

Make sure:

  • You can access the installer package and license file.
  • Your network security administrator has configured security rules to allow communication on the TCP ports Tanium Core Platform components use. In addition to the ports used by standalone Tanium Servers, a Tanium Server in an HA cluster sends and receives HA-related data on port 17472 (TCP).
  • Your Microsoft Active Directory administrator has set up the accounts your team needs for the Tanium platform deployment.
  • Your database administrator has created a database server for the Tanium platform deployment, and a privileged domain administrator account is available that you can use to create the Tanium databases when you run the installer.

Deploy the HA cluster

  1. Set up the shared database server.
  2. Complete the installation for the Tanium Server on the primary host computer as described in Installing Tanium Server.
  3. Complete the installation for the Tanium Module server as described in Installing Tanium Module Server.
  4. Log into the second host computer and run the Command Prompt utility as the local administrator so that you have privileges to create a folder in Program Files.
  5. Enter the following command to create the directory:

    md "D:\Tanium\Tanium Server"

  6. Copy the following files from the Tanium Server installation directory on the primary host computer to the directory you just created on the secondary host:
    • SOAPServer.crt
    • SOAPServer.key
    • tanium.license
    • tanium.pvk
    • tanium.pub

    Always follow your organization's best practices for securely copying sensitive files, such as the Tanium Server private key file. For example, use GPG to encrypt the files before copying and to decrypt when they are in place on the target server.

  7. If the primary server has been deployed for days before you are deploying the secondary server, copy the Strings folder from the Tanium installation directory on the primary host computer to the same directory on the secondary host computer. This step is not necessary if you are deploying both servers at the same time.
  8. Copy the installation package file to a temporary location.
  9. Right-click the SetupServer.exe file and select Run as administrator.
  10. Complete the installation wizard.
  11. Complete registration for the second Tanium Server with the remote Module Server.

    On the Module Server host computer, use the CLI to add registration for the second Tanium Server. Specify a Tanium Console admin username and password. For example:

    cmd-prompt>TaniumModuleServer register ts2.tam.local
    Enter administrator username: TaniumAdmin
    
    Enter password for user 'TaniumAdmin':
    Successfully completed registration.
    
    cmd-prompt>

    Registration involves copying files between the Module Server and the Tanium Server. Both must be reachable when you issue the registration command or the command fails.

    For information about using the CLI, see Reference: Tanium server CLI.
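The following PowerShell script is an added example, not a script from the Tanium guide. Run on the secondary host, it performs steps 5 through 7 in one pass: it creates the install directory, copies the five listed files, verifies each copy by SHA-256 hash against the primary's copy, and optionally copies the Strings folder. It assumes the primary's install directory is readable over an administrative share (the share path and host names are placeholders); if your organization instead transports the files GPG-encrypted as step 6 suggests, point $Source at the folder where you decrypted them.

```powershell
# Added example (not Tanium's own script). Runs on the SECONDARY Tanium Server host.
# Assumptions: the primary's install directory is reachable at $Source (placeholder
# admin-share path) and the secondary uses the directory from step 5.
$Source      = '\\ts1.example.com\D$\Tanium\Tanium Server'   # primary host (assumed share)
$Dest        = 'D:\Tanium\Tanium Server'                      # secondary host, from step 5
$Files       = 'SOAPServer.crt','SOAPServer.key','tanium.license','tanium.pvk','tanium.pub'
$CopyStrings = $true   # set to $false when both servers are deployed at the same time (step 7)

# Step 5: create the directory. -Force keeps this idempotent if it already exists.
New-Item -ItemType Directory -Path $Dest -Force | Out-Null

# Step 6: copy each file and confirm the hash matches the primary's copy, so a truncated
# copy or a stale key file is caught before SetupServer.exe is run on the secondary.
$results = foreach ($name in $Files) {
    $src = Join-Path $Source $name
    $dst = Join-Path $Dest   $name
    if (-not (Test-Path -Path $src)) { throw "Missing on primary: $src" }
    Copy-Item -Path $src -Destination $dst -Force
    $srcHash = (Get-FileHash -Path $src -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -Path $dst -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) { throw "Hash mismatch after copying $name" }
    [pscustomobject]@{ File = $name; SHA256 = $dstHash }
}
$results | Format-Table -AutoSize

# Step 7: the Strings folder only needs copying when the primary has already been
# running for days before the secondary is deployed.
if ($CopyStrings) {
    Copy-Item -Path (Join-Path $Source 'Strings') -Destination $Dest -Recurse -Force
}
```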

Verify the installation

  1. Import solution modules into each Tanium Console.

    Tanium solution modules are installed on a shared Module Server. However, the solution module workbench files must be installed on each Tanium Server. See the Tanium Core Platform User Guide for details.

  2. Deploy the Tanium Client to endpoints. When you configure client settings, specify both server names so the Tanium Clients use the ServerNameList setting to select a Tanium Server. See the Tanium Client Deployment Guide.
  3. In Interact, ask Get Computer Name and Tanium Server Name from all machines and verify that both Tanium Servers are active.
  4. Verify that both servers download packages with URL-specified files when such a package is created or imported. Distribute Copy Tools is an example of a package with URL-specified files:
    1. Go to Authoring > Packages.
    2. Select the row for Distribute Copy Tools.
    3. Click Status and check that the files have been downloaded and are now cached on both servers.
  5. Create a new package and specify a locally uploaded file. After you have saved the package, wait a moment for HA sync to occur, and then check that the files are downloaded and cached by both servers.

HA configuration notes

The Tanium Server settings that are stored in the Windows Registry are not automatically synced to other cluster nodes. In active-active deployments, if you make changes to these settings, be sure to do so on both nodes.

Settings stored in the Windows Registry include:

  • Log level
  • Proxy server settings
  • Bypass proxy settings
  • Trusted host settings
  • Bypass CRL check settings
  • Client subnets

In the Tanium Console, you can use the Configuration workbench to edit these settings. Be sure to do it with each Tanium Console (for example, log into ts1.example.com and make your changes; then log into ts2.example.com and make the same changes).
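Because these registry settings are not synced, the two nodes can drift apart after a change is applied to only one console. The PowerShell script below is an added example, not part of the Tanium guide: it reads every value under the Tanium Server registry key on both nodes over PowerShell remoting and reports any that differ. The registry key path is a placeholder (take the real path from the Windows Registry reference), and the host names are the ones used above.

```powershell
# Added example (not from the Tanium guide): report Tanium Server registry values that
# differ between the two HA nodes. Assumes PowerShell remoting is enabled on both nodes.
# $Key is a PLACEHOLDER; substitute the key documented in the Windows Registry reference.
$Nodes = 'ts1.example.com','ts2.example.com'
$Key   = 'HKLM:\SOFTWARE\REPLACE_WITH_TANIUM_SERVER_REGISTRY_KEY'

function Get-NodeSettings([string]$Node) {
    # Returns a hashtable of value name -> value (as a string) read from the remote node.
    Invoke-Command -ComputerName $Node -ArgumentList $Key -ScriptBlock {
        param($k)
        $props = Get-ItemProperty -Path $k
        $h = @{}
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, etc.; those are not registry values.
            if ($p.Name -notlike 'PS*') { $h[$p.Name] = [string]$p.Value }
        }
        $h
    }
}

$a = Get-NodeSettings $Nodes[0]
$b = Get-NodeSettings $Nodes[1]
$names = @($a.Keys) + @($b.Keys) | Sort-Object -Unique
$drift = foreach ($n in $names) {
    # A value that exists on only one node reads as $null on the other and is reported.
    if ($a[$n] -ne $b[$n]) {
        [pscustomobject]@{ Setting = $n; ($Nodes[0]) = $a[$n]; ($Nodes[1]) = $b[$n] }
    }
}
if ($drift) { $drift | Format-Table -AutoSize } else { Write-Host 'Registry settings match on both nodes.' }
```

Run it after making changes through both consoles; any row it prints is a setting you still need to apply on the other node.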

For instructions on using the Configuration workbench, see the Tanium Core Platform User Guide.

For guidelines on Tanium Server Windows Registry settings, see Windows Registry.

Last updated: 11/6/2018 5:24 PM