Installing the Tanium Module Server

This topic describes how to install a Tanium Module Server on a dedicated Windows Server host. For details about the Module Server and its deployment options, see Tanium Module Server.

The Module Server installer performs the following actions:

  • Opens TCP port 17477 in Windows Firewall on the local host computer.
  • Installs the Module Server on the host computer and starts the service.

If possible, run the installer and specify connection settings to automatically register with the Tanium Server. Otherwise, complete the manual registration workflow.

Install the Module Server and automatically register with the Tanium Server

The installer for Module Server 7.2 and later supports automatic registration with the Tanium Server. Automatic registration performs the following tasks:

  • Generates required certificates: trusted.crt on the Module Server host and trusted-module-servers.crt on the Tanium Server host. The servers use these certificates to validate the certificates used for mutual authentication: SOAPServer.crt on the Tanium Server and ssl.crt on the Module Server. For details, see Tanium Core Platform Deployment Reference Guide: SSL/TLS certificates.
  • Creates required Windows Registry entries on both the Module Server and Tanium Server host computers.

Before you begin

Ensure the following prerequisites are met and take the following actions:

  • You have the right version of the installer. The installation package for all Tanium Core Platform servers must have the same build number (for example, all must have build number 7.4.3.1242). Contact your Tanium Technical Account Manager (TAM) for details.
  • Your network security administrator must configure network firewall rules to allow communication between the Tanium Server and Module Server on TCP port 17477. For details, see Internet access, network connectivity, and firewall.
  • Your security team must configure exceptions to host-based security policies to allow Tanium processes to operate smoothly and at optimal performance. For details, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.
  • If you want to use a certificate issued by a certificate authority (CA) to secure connections to the Module Server, ensure that the CA-issued certificate and associated private key are present on the Module Server. The certificate file name must be ssl.crt and the key file name must be ssl.key. During installation, you can select a CA-issued certificate or configure the Module Server to generate a self-signed certificate. As a best practice to facilitate troubleshooting, use the self-signed certificate during initial installation and replace it with a CA-issued certificate later. This practice enables you to separate potential installation issues from TLS connection issues. For details, see Tanium Core Platform Deployment Reference Guide: Securing Tanium Console, API, and Module Server access.
  • If a local Module Server is installed on the Tanium Server host computer, perform the following steps on the Tanium Server host computer:
    1. Stop the Tanium Server service in the Windows Services program.
    2. Stop and disable the Tanium Module Server service.
    3. Go to the Windows Registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Tanium\Tanium Server and clear the setting for the Module Server. (Clear the value 127.0.0.1.)
    4. Restart the Tanium Server service.

Run the installer

  1. Log in to the Module Server host system as an administrator user.
  2. Copy the installation package file (SetupModuleServer.exe) to a temporary location on the Module Server host.
  3. Right-click SetupModuleServer.exe and select Run as administrator.
  4. Complete the installation wizard. The following table provides guidelines for key settings.

    Settings and guidelines:

    Choose Install Location: The default is C:\Program Files\Tanium\Tanium Module Server.

    Postgres Not Found: (Fresh installation only) Accept the default option: Install and configure local Postgres Server. In the current release, no Tanium products use the PostgreSQL server that comes with the Module Server.

    Choose Service Account for Tanium Module Server: The security best practice is to specify a service account other than the Local System account to install the Module Server and run the Module Server service on the local host computer.
      • Specify Account (best practice)
        • User Name: Enter only the account name portion of the credentials, such as taniumsvc.
        • Domain: Enter the fully qualified domain name (FQDN), such as example.com.
        • Password: Enter the account password.
      • Local System Account

    Module Server Port: Specify the Module Server inbound port for traffic from the Tanium Server. The default is 17477.

    SSL/TLS Certificate: The Module Server uses the SSL/TLS certificate (ssl.crt) and private key (ssl.key) to secure connections from the Tanium Server.
      • Generate Self-Signed Certificate and Key: If you do not have a CA-issued certificate, select this option to make the installer generate a self-signed certificate and private key. For the Server Hostname, specify the FQDN of the Module Server, such as tms1.example.com.
      • Use Existing Certificate and Key: To use a CA-issued certificate, select the certificate file and associated private key file. For details, see Tanium Core Platform Deployment Guide: Securing Tanium Console, API, and Module Server access.

    Module Postgres Configuration: Configure the connection to the PostgreSQL database:
      • Server: Specify localhost (default) for a local server, or the FQDN or IP address of the remote server. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
      • Options: Specify additional parameters to pass in the connection. Typically, this is dbname and port. For example, dbname=postgres port=5432 user=postgres.
      Click Test to test the connection.

    Register with Tanium Server: Select Register with the Tanium Server and specify connection information for registration with the Tanium Server:
      • Tanium Server Hostname: Specify the IP address or FQDN of the Tanium Server. In a high availability (HA) deployment, specify only the primary Tanium Server.
      • Admin username: Enter the user name of the Tanium Console administrator that you specified when installing the Tanium Server.
      • Admin password: Enter the password of the Tanium Console administrator that you specified when installing the Tanium Server.
      For upgrades, you have the option to select Manually specify Tanium Server certificate and use the default Certificate for securing communication between the Tanium Server and Module Server.

    Choose Start Menu Folder: (Fresh installation only) Select a folder for the Module Server in the Windows Start menu. The default is Tanium Module Server.

    Trust Tanium Server certificate: When the installer displays a dialog that identifies the certificate that the Tanium Server uses to authenticate to the Module Server, verify that the certificate details are correct. On a new installation, the certificate is the SOAPServer.crt file. If you are re-running the installer, the certificate is trusted.crt. The Fingerprint is the hash of the certificate public key. If the certificate is valid, click Yes to register the Module Server with the Tanium Server.
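
A read-only check of the result on the Module Server host, covering the service account, port 17477, and the certificate files named above. This is an added example, not Tanium's own tooling; the service display name is assumed to match the name used on this page, and the function name is hypothetical.

```powershell
# Added example: run in an elevated PowerShell 5.1+ session on the Module Server host.
# Assumption: the service display name is 'Tanium Module Server', as written on this page.
function Test-ModuleServerInstall {
    param(
        [string] $InstallDir = 'C:\Program Files\Tanium\Tanium Module Server',  # installer default
        [int]    $Port       = 17477                                            # installer default
    )
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='Tanium Module Server'"
    if (-not $svc) { throw 'Tanium Module Server service not found (display name is an assumption).' }

    # ssl.crt is the certificate the Module Server presents to the Tanium Server.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (Join-Path $InstallDir 'ssl.crt')

    # Enabled inbound allow rules whose port filter includes the Module Server port.
    $rules = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq $Port } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }

    [pscustomobject]@{
        ServiceRunning    = $svc.State -eq 'Running'
        ServiceAccount    = $svc.StartName
        NotLocalSystem    = $svc.StartName -ne 'LocalSystem'   # best practice from the table above
        PortListening     = [bool](Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
        InboundRuleOpen   = [bool]$rules
        KeyPresent        = Test-Path (Join-Path $InstallDir 'ssl.key')
        TrustedCrtPresent = Test-Path (Join-Path $InstallDir 'trusted.crt')  # written by registration
        CertSubject       = $cert.Subject
        CertSelfSigned    = $cert.Subject -eq $cert.Issuer
        CertNotAfter      = $cert.NotAfter
    }
}

Test-ModuleServerInstall | Format-List
```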


Install the Tanium Module Server and manually register with the Tanium Server

The 7.x Module Server installers support manual registration with the Tanium Server. In 7.0 and 7.1, manual registration is your only option. In 7.2 and later, automatic registration is simpler, but the installer supports manual registration in case the Tanium Server is unavailable when you run the installer.

Before you begin

Ensure the following prerequisites are met and take the following actions:

  • You have the right version of the installer. The installation package for all Tanium Core Platform servers must have the same build number (for example, all must have build number 7.4.3.1242). Contact your TAM for details.
  • Your network security administrator must configure network firewall rules to allow communication between the Tanium Server and Module Server on TCP port 17477. For details, see Internet access, network connectivity, and firewall.
  • Your security team must configure exceptions to host-based security policies to allow Tanium processes to operate smoothly and at optimal performance. For details, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.
  • Copy the SOAPServer.crt file from the Tanium Server host (installation directory) to the Module Server host so that you can select it when you run the installer.
  • If you want to use a certificate issued by a certificate authority (CA) to secure connections to the Module Server, ensure that the CA-issued certificate and associated private key are present on the Module Server. The certificate file name must be ssl.crt and the key file name must be ssl.key. During installation, you can select a CA-issued certificate or configure the Module Server to generate a self-signed certificate. As a best practice to facilitate troubleshooting, use the self-signed certificate during initial installation and replace it with a CA-issued certificate later. This practice enables you to separate potential installation issues from TLS connection issues. For details, see Tanium Core Platform Deployment Reference Guide: Securing Tanium Console, API, and Module Server access.
  • If a local Module Server is installed on the Tanium Server host computer, perform the following steps on the Tanium Server host computer:
    1. Stop the Tanium Server service in the Windows Services program.
    2. Stop and disable the Tanium Module Server service.
    3. Go to the Windows Registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Tanium\Tanium Server and clear the setting for the Module Server. (Clear the value 127.0.0.1.)
    4. Restart the Tanium Server service.

Run the installer

  1. Log in to the Module Server host system as an administrator user.
  2. Copy the installation package file (SetupModuleServer.exe) to a temporary location on the Module Server host.
  3. Right-click SetupModuleServer.exe and select Run as administrator.
  4. Complete the installation wizard. The following table provides guidelines for key settings.

    Settings and guidelines:

    Choose Install Location: The default is C:\Program Files\Tanium\Tanium Module Server.

    Postgres Not Found: (Fresh installation only) Accept the default option: Install and configure local Postgres Server. In the current release, no Tanium products use the PostgreSQL server that comes with the Module Server.

    Choose Service Account for Tanium Module Server: The security best practice is to specify a service account other than the Local System account to install the Module Server and run the Module Server service on the local host computer.
      • Specify Account (best practice)
        • User Name: Enter only the account name portion of the credentials, such as taniumsvc.
        • Domain: Enter the fully qualified domain name (FQDN), such as example.com.
        • Password: Enter the account password.
      • Local System Account: Select this option to install software and run the Module Server service in the context of the Local System account.

    Module Server Port: Specify the Module Server inbound port for traffic from the Tanium Server. The default is 17477.

    SSL/TLS Certificate: The Module Server uses the SSL/TLS certificate (ssl.crt) and private key (ssl.key) to secure connections from the Tanium Server.
      • Generate Self-Signed Certificate and Key: If you do not have a CA-issued certificate, select this option to make the installer generate a self-signed certificate and private key. For the Server Hostname, specify the FQDN of the Module Server, such as tms1.example.com.
      • Use Existing Certificate and Key: To use a CA-issued certificate, select the certificate file and associated private key file. For details, see Tanium Core Platform Deployment Guide: Securing Tanium Console, API, and Module Server access.

    Module Postgres Configuration: Configure the connection to the PostgreSQL database:
      • Server: Specify localhost (default) for a local server, or the FQDN or IP address of the remote server. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
      • Options: Specify additional parameters to pass in the connection. Typically, this is dbname and port. For example, dbname=postgres port=5432 user=postgres.
      Click Test to test the connection.

    Manually specify Tanium Server certificate: Select Manually specify Tanium Server certificate and select the Certificate that secures communication between the Tanium Server and Module Server. On a new installation, the file is the SOAPServer.crt file that was copied from the Tanium Server. If you are re-running the installer and want to use the Tanium Server certificate created by the previous run of the installer, browse and select the trusted.crt file in the installation directory.

    Choose Start Menu Folder: (Fresh installation only) Select a folder for the Module Server in the Windows Start menu. The default is Tanium Module Server.

  5. Manually register the Module Server with the Tanium Server.

    The registration process generates an SSL/TLS certificate file named ssl.crt in the Module Server installation directory. Copy it to the Tanium Server installation directory and rename it trusted-module-servers.crt.

  6. Configure the Tanium Server to use the remote Module Server:
    1. Log in to the Tanium Server host.
    2. Go to Windows Services and stop the Tanium Server service.
    3. Go to the following location in the Windows Registry:

      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Tanium\Tanium Server

    4. Find the ModuleServer key and change it to the FQDN of the remote Module Server.
    5. Restart the Tanium Server service.

      Note: If you previously installed a local Module Server, leave the Tanium Module Server service stopped and disabled on the Tanium Server. The Tanium Server must use only the remote Module Server.
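
A read-only check, run on the Tanium Server host, that the manual registration and registry steps above took effect. This is an added example, not Tanium's own tooling; the function name is hypothetical, the service display names are assumed to match the names used on this page, and the caller supplies the Tanium Server installation directory and the path to a copy of the Module Server's ssl.crt.

```powershell
# Added example: run in an elevated PowerShell 5.1+ session on the Tanium Server host.
# Assumptions: service display names are 'Tanium Server' and 'Tanium Module Server'.
function Test-ModuleServerLink {
    param(
        [Parameter(Mandatory)] [string] $ModuleServerFqdn,  # FQDN written to the registry
        [Parameter(Mandatory)] [string] $TaniumServerDir,   # Tanium Server installation directory
        [Parameter(Mandatory)] [string] $ModuleCertCopy,    # copy of ssl.crt from the Module Server
        [int] $Port = 17477
    )
    $regPath = 'HKLM:\SOFTWARE\Wow6432Node\Tanium\Tanium Server'
    $r = [ordered]@{}

    # 1. The ModuleServer setting must name the remote host, not the old 127.0.0.1.
    $configured = (Get-ItemProperty -Path $regPath -Name ModuleServer -ErrorAction Stop).ModuleServer
    $r['RegistryPointsToRemote'] = ($configured -eq $ModuleServerFqdn)

    # 2. A previously installed local Module Server must stay stopped and disabled.
    $local = Get-Service -DisplayName 'Tanium Module Server' -ErrorAction SilentlyContinue
    $r['LocalModuleServerOff'] = (-not $local) -or
        ($local.Status -eq 'Stopped' -and $local.StartType -eq 'Disabled')

    # 3. The Tanium Server service was restarted after the registry change.
    $r['TaniumServerRunning'] = (Get-Service -DisplayName 'Tanium Server' -ErrorAction Stop).Status -eq 'Running'

    # 4. TCP 17477 is open through both the host and the network firewalls.
    $probe = Test-NetConnection -ComputerName $ModuleServerFqdn -Port $Port -WarningAction SilentlyContinue
    $r['PortReachable'] = $probe.TcpTestSucceeded

    # 5. trusted-module-servers.crt is the certificate that registration generated.
    #    Thumbprints are compared so PEM and DER encodings of one certificate still match.
    $trusted = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (Join-Path $TaniumServerDir 'trusted-module-servers.crt')
    $module  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ModuleCertCopy
    $r['TrustedCertMatches'] = ($trusted.Thumbprint -eq $module.Thumbprint)
    $r['CertNotExpired']     = ($module.NotAfter -gt (Get-Date))

    [pscustomobject]$r
}

# Example call with constructed values; substitute your own host name and paths:
# Test-ModuleServerLink -ModuleServerFqdn 'tms1.example.com' `
#     -TaniumServerDir '<Tanium Server installation directory>' -ModuleCertCopy 'C:\Temp\ssl.crt'
```

Any property that returns False points to the step to recheck: the registry value, the leftover local service, the firewall rules, or the certificate copy.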

Updating the Module Server certificate

Registration ensures secure communication between the Module Server and the Tanium Server. If you update the Module Server certificate ssl.crt (see Tanium Core Platform Deployment Reference Guide: Securing Tanium Console, API, and Module Server access), you must repeat the registration, either by re-running the installer or using the CLI. For an example of using the Module Server CLI registration command, see Tanium Core Platform Deployment Reference Guide: Command-line interface.

Next steps

If your deployment will include a Tanium Zone Server, install it: see Installing the Tanium Zone Server. Otherwise, verify the deployment: see Verifying the Tanium Core Platform deployment.