
Installing Tanium Module Server

In an enterprise production deployment, you must install the Tanium Module Server and Tanium Server on separate hosts to prevent solution modules or scripts from directly impacting the Tanium Server. The Module Server communicates directly only with the Tanium Server. Tanium administrators can use the Tanium Console to manage and use solution modules, such as Tanium™ Patch. Endpoints receive packages through the Tanium Server or Zone Server. Figure 1 illustrates how these components communicate.

In a limited proof-of-concept (POC) deployment only, you can install the Module Server and Tanium Server on the same host.

If possible, run the installer and specify connection settings to automatically register with the Tanium Server. Otherwise, complete the manual registration workflow.

Install the Module Server and automatically register with the Tanium Server

The Module Server installer takes the following actions:

  • Opens TCP port 17477 in the local host computer Windows Firewall.
  • Installs the Module Server on the host computer and starts the service.

The installer for Module Server 7.2 and later supports automatic registration with the Tanium Server. Automatic registration:

  • Installs the required certificates: trusted.crt on the Module Server host and trusted-module-servers.crt on the Tanium Server host.
  • Creates the required Windows Registry entries on both the Module Server and Tanium Server host computers.

Before you begin

Ensure the following prerequisites are met and take the following actions:

  • Make sure your network security administrator has configured network firewall rules to allow communication between Tanium Server and Tanium Module Server on TCP port 17477.
  • Your security team has configured exceptions to host-based security policies to allow Tanium processes to operate smoothly and at optimal performance.
  • If a local Module Server has been installed on the Tanium Server host computer, go to the Tanium Server host computer and take the following actions:
    1. Stop the Tanium Server service.
    2. Stop and disable the Tanium Module Server service.
    3. Go to the Windows Registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Tanium\Tanium Server and clear the setting for the Module Server. (Clear the value 127.0.0.1.)
    4. Restart the Tanium Server service.

Run the installer

  1. Log into the Module Server host system as an administrator user.
  2. Copy the installation package file to a temporary location.
  3. Right-click the SetupModuleServer.exe file and select Run as administrator.
  4. Complete the installation wizard. The following list provides guidelines for key settings.

    Settings and guidelines:

    • Choose Install Location: The default is C:\Program Files\Tanium\Tanium Module Server.
    • Module Server Port: The default is 17477.
    • SSL Certificate:
      • Generate Self-Signed Certificate and Key

        The SSL certificate and key are used to secure connections to the Module Server from services like Patch.

        If you have not obtained a certificate for this server from a commercial CA or enterprise CA, you can select this option, and the installer will generate a self-signed certificate and key (ssl.crt and ssl.key). Specify the fully qualified domain name of the Module Server. For example, tms1.example.com.

      • Use Existing Certificate and Key

        If you have purchased a certificate from a commercial CA or generated one from an enterprise CA, use this option to select the certificate and key files.

    • Register with Tanium Server: Specify connection information for registration with the Tanium Server. Specify a Tanium Console admin username and password.

Install the Tanium Module Server and manually register with the Tanium Server

The Module Server installer takes the following actions:

  • Opens TCP port 17477 in the local host computer Windows Firewall.
  • Installs the Module Server on the host computer and starts the service.

The 7.x Module Server installers support manual registration with the Tanium Server. In 7.0 and 7.1, manual registration is your only option. In 7.2 and later, automatic registration is simpler, but the installer supports manual registration in case the Tanium Server is unavailable when you run the installer.

Before you begin

Ensure the following prerequisites are met and take the following actions:

  • Make sure your network security administrator has configured network firewall rules to allow communication between Tanium Server and Tanium Module Server on TCP port 17477.
  • Your security team has configured exceptions to host-based security policies to allow Tanium processes to operate smoothly and at optimal performance.
  • Go to the Tanium Server host system installation directory and copy the SOAPServer.crt file to the Module Server host computer so you can select it when you run the installer.
  • If a local Module Server has been installed on the Tanium Server host computer, go to the Tanium Server host computer and take the following actions:
    1. Stop the Tanium Server service.
    2. Stop and disable the Tanium Module Server service.
    3. Go to the Windows Registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Tanium\Tanium Server and clear the setting for the Module Server. (Clear the value 127.0.0.1.)
    4. Restart the Tanium Server service.

Run the installer

  1. Log into the Tanium Module Server host system as an administrator user.
  2. Copy the installation package file to a temporary location.
  3. Right-click the SetupModuleServer.exe file and select Run as administrator.
  4. Complete the installation wizard. The following list provides guidelines for key settings.

    Settings and guidelines:

    • Choose Install Location: The default is C:\Program Files\Tanium\Tanium Module Server.
    • Module Server Port: The default is 17477.
    • SSL Certificate:
      • Generate Self-Signed Certificate and Key

        The SSL certificate and key are used to secure connections to the Tanium Module Server from services like Patch.

        If you have not obtained a certificate for this server from a commercial CA or enterprise CA, you can select this option, and the installer will generate a self-signed certificate and key (ssl.crt and ssl.key). Specify the fully qualified domain name of the Tanium Module Server. For example, tms1.example.com.

      • Use Existing Certificate and Key

        If you have purchased a certificate from a commercial CA or generated one from an enterprise CA, use this option to select the certificate and key files.

    • Manually specify Tanium Server certificate: If the Tanium Server cannot be reached over the network, you can select the manual option and select the Tanium Server certificate.

      (On a new installation, the file is the SOAPServer.crt file that was copied from the Tanium Server. If you are re-running the installer and want to use the Tanium Server certificate created by the previous run of the installer, browse and select the trusted.crt file in the installation directory.)

  5. Manually register the Module Server with the Tanium Server.

    The installer creates an SSL certificate file named ssl.crt in the Module Server installation directory. Copy it to the Tanium Server installation directory and rename it trusted-module-servers.crt.

  6. Configure the Tanium Server to use the remote Module Server:
    1. Log into the Tanium Server host system.
    2. Go to Windows Services and stop the Tanium Server service.
    3. Go to the following location in the Windows Registry:

      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Tanium\Tanium Server

    4. Find the ModuleServer key and change it to the FQDN of the remote Module Server.
    5. Restart the Tanium Server service.

      Note: If you previously installed a local Module Server, leave the Tanium Module Server service stopped and disabled on the Tanium Server. The Tanium Server must use only the remote Module Server.
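
A post-registration check for the Tanium Server host, added here as an example (it is not Tanium tooling and not part of the original guide): it confirms that the ModuleServer registry value points at the remote host, that trusted-module-servers.crt is the same certificate as the Module Server's ssl.crt, and that the Module Server port is reachable. The function name, the two path parameters and the service display name are assumptions.

```powershell
# Added example, not Tanium tooling. Run in an elevated session on the Tanium Server host.
function Test-ModuleServerRegistration {
    param(
        # Assumption: Tanium Server installation directory (not stated on this page).
        [Parameter(Mandatory)] [string] $TaniumServerDir,
        # Assumption: a copy of ssl.crt taken from the Module Server installation directory.
        [Parameter(Mandatory)] [string] $ModuleServerCert,
        [int] $Port = 17477
    )
    $regPath = 'HKLM:\SOFTWARE\Wow6432Node\Tanium\Tanium Server'
    $target  = (Get-ItemProperty -Path $regPath -Name ModuleServer `
                    -ErrorAction SilentlyContinue).ModuleServer

    # Load the trusted copy and the Module Server's own certificate.
    $x509    = [System.Security.Cryptography.X509Certificates.X509Certificate2]
    $trusted = $x509::new((Join-Path $TaniumServerDir 'trusted-module-servers.crt'))
    $remote  = $x509::new($ModuleServerCert)
    # DNS name from the certificate (subject alternative name, else subject CN).
    $dnsName = $remote.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

    # Only probe the port when the registry value is actually set.
    $reachable = $false
    if ($target) {
        $reachable = (Test-NetConnection -ComputerName $target -Port $Port `
                          -WarningAction SilentlyContinue).TcpTestSucceeded
    }

    # Assumption: the service display name matches the name used on this page.
    $local = Get-Service -DisplayName 'Tanium Module Server' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ModuleServerValue   = $target
        PointsToRemoteHost  = [bool]$target -and ($target -ne '127.0.0.1')
        TrustedCertMatches  = $trusted.Thumbprint -eq $remote.Thumbprint
        CertNameMatchesFqdn = $dnsName -eq $target
        CertNotExpired      = $remote.NotAfter -gt (Get-Date)
        PortReachable       = $reachable
        LocalServiceRetired = (-not $local) -or
            ($local.Status -eq 'Stopped' -and $local.StartType -eq 'Disabled')
    }
}
```

Any property that comes back False identifies the step to revisit; a thumbprint mismatch in particular means the Tanium Server is trusting a certificate other than the one the Module Server currently presents.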

Updating the Module Server certificate

Registration ensures secure communication between the Module Server and the Tanium Server. If you update the Module Server certificate, you must redo the registration, either by re-running the installer or by using the CLI. For an example of using the Module Server CLI registration command, see the CLI reference.

Next steps

Verify the deployment. See Verifying the installation.

Last updated: 11/6/2018 5:24 PM