Installing Tanium Module Server

In a limited proof-of-concept (POC) deployment, you might not allocate a dedicated host for the Tanium™ Module Server. The Tanium™ platform is completely functional when the two servers share a common host. In an enterprise production deployment, however, you must install the Module Server on a separate host machine to prevent solution modules or scripts from having a direct impact on Tanium™ Server.

The following figure illustrates Module Server communication. The Module Server communicates directly only with Tanium Server. Tanium administrators can use Tanium™ Console to manage and use solution modules, such as Tanium™ Patch. Any packages distributed to endpoints are delivered through the Tanium Server or Zone Server.

Figure 1: Module Server deployment

If possible, run the installer and specify connection settings to automatically register with the Tanium Server. Otherwise, complete the manual registration workflow.

Install the Module Server and automatically register with the Tanium Server

The Module Server installer takes the following actions:

  • Opens TCP port 17477 in the local host computer Windows Firewall.
  • Installs the Module Server on the host computer and starts the service.

The 7.2 Module Server installer supports automatic registration with the Tanium Server. Automatic registration:

  • Installs the required certificates: trusted.crt on the Module Server host and trusted-module-servers.crt on the Tanium Server host.
  • Creates the required Windows Registry entries on both the Module Server and Tanium Server host computers.

Before you begin

Ensure the following prerequisites are met and take the following actions:

  • Make sure your network security administrator has configured network firewall rules to allow communication between Tanium Server and Tanium Module Server on TCP port 17477.
  • Your security team has configured exceptions to host-based security policies to allow Tanium processes to operate smoothly and at optimal performance.
  • If a local Module Server has been installed on the Tanium Server host computer, go to the Tanium Server host computer and take the following actions:
    1. Stop the Tanium Server service.
    2. Stop and disable the Tanium Module Server service.
    3. Go to the Windows Registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Tanium\Tanium Server and clear the setting for the Module Server. (Clear the value 127.0.0.1.)

Run the installer

  1. Log in to the Module Server host system as an administrator user.
  2. Copy the installation package file to a temporary location.
  3. Right-click the SetupModuleServer.exe file and select Run as administrator.
  4. Complete the installation wizard. The following table provides guidelines for key settings.

     Settings and guidelines:

     • Choose Install Location: The default is C:\Program Files\Tanium\Tanium Module Server.
     • Module Server Port: The default is 17477.
     • SSL Certificate: The SSL certificate and key are used to secure connections to the Module Server from services like Patch.
       • Generate Self-Signed Certificate and Key: If you have not obtained a certificate for this server from a commercial CA or enterprise CA, you can select this option, and the installer will generate a self-signed certificate and key (ssl.crt and ssl.key). Specify the fully qualified domain name of the Module Server. For example, tms1.example.com.
       • Use Existing Certificate and Key: If you have obtained a certificate from a commercial CA or an enterprise CA, use this option to select the certificate and key files.
     • Register with Tanium Server: Specify connection information for registration with the Tanium Server. Specify a Tanium Console admin username and password.

Install the Tanium Module Server and manually register with the Tanium Server

The Module Server installer takes the following actions:

  • Opens TCP port 17477 in the local host computer Windows Firewall.
  • Installs the Module Server on the host computer and starts the service.

The 7.0, 7.1, and 7.2 Module Server installers support manual registration with the Tanium Server. In 7.0 and 7.1, manual registration is your only option. In 7.2, automatic registration is simpler, but manual registration is supported in case the Tanium Server is unavailable at the time you run the Module Server installer.

Before you begin

Ensure the following prerequisites are met and take the following actions:

  • Make sure your network security administrator has configured network firewall rules to allow communication between Tanium Server and Tanium Module Server on TCP port 17477.
  • Your security team has configured exceptions to host-based security policies to allow Tanium processes to operate smoothly and at optimal performance.
  • Go to the Tanium Server host system installation directory and copy the SOAPServer.crt file to the Module Server host computer so you can select it when you run the installer.
  • If a local Module Server has been installed on the Tanium Server host computer, go to the Tanium Server host computer and take the following actions:
    1. Stop the Tanium Server service.
    2. Stop and disable the Tanium Module Server service.
    3. Go to the Windows Registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Tanium\Tanium Server and clear the setting for the Module Server. (Clear the value 127.0.0.1.)

Run the installer

  1. Log in to the Tanium Module Server host system as an administrator user.
  2. Copy the installation package file to a temporary location.
  3. Right-click the SetupModuleServer.exe file and select Run as administrator.
  4. Complete the installation wizard. The following table provides guidelines for key settings.

     Settings and guidelines:

     • Choose Install Location: The default is C:\Program Files\Tanium\Tanium Module Server.
     • Module Server Port: The default is 17477.
     • SSL Certificate: The SSL certificate and key are used to secure connections to the Tanium Module Server from services like Patch.
       • Generate Self-Signed Certificate and Key: If you have not obtained a certificate for this server from a commercial CA or enterprise CA, you can select this option, and the installer will generate a self-signed certificate and key (ssl.crt and ssl.key). Specify the fully qualified domain name of the Tanium Module Server. For example, tms1.example.com.
       • Use Existing Certificate and Key: If you have obtained a certificate from a commercial CA or an enterprise CA, use this option to select the certificate and key files.
     • Manually specify Tanium Server certificate: If the Tanium Server cannot be reached over the network, you can select the manual option and select the Tanium Server certificate. (On a new installation, the file is the SOAPServer.crt file that was copied from the Tanium Server. If you are re-running the installer and want to use the Tanium Server certificate created by the previous run of the installer, browse and select the trusted.crt file in the installation directory.)

  5. Manually register the Module Server with the Tanium Server.

    The installer creates an SSL certificate file named ssl.crt in the Module Server installation directory. Copy it to the Tanium Server installation directory and rename it trusted-module-servers.crt.

  6. Configure the Tanium Server to use the remote Module Server:
    1. On the Tanium Server, go to the following location in the Windows Registry:

      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Tanium\Tanium Server

    2. Find the ModuleServer key and change it to the FQDN of the remote module server.
    3. Go to Windows Services and restart the Tanium Server service.

      Note: Leave the Tanium Module Service stopped and disabled.
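
The following PowerShell script is an added example, not part of the Tanium documentation or tooling. Run on the Tanium Server host after manual registration, it checks the results of the steps above: the ModuleServer registry value, the state of any leftover local Module Server service, the copied trust file, and reachability on TCP port 17477. The Tanium Server install directory, the service display name, and the -ModuleServerCert parameter (a copy of ssl.crt from the Module Server) are assumptions.

```powershell
# Added example: post-registration checks to run on the Tanium Server host.
# Assumed, not from the page: $ServerDir, the service display name, and that
# -ModuleServerCert is a copy of ssl.crt brought over from the Module Server.
param(
    [string]$ServerDir = 'C:\Program Files\Tanium\Tanium Server',
    [Parameter(Mandatory)][string]$ModuleServerCert,
    [int]$Port = 17477
)
$regPath = 'HKLM:\SOFTWARE\Wow6432Node\Tanium\Tanium Server'
$checks  = [ordered]@{}

# 1. The ModuleServer value must name the remote host, not the old local one.
$target = (Get-ItemProperty -Path $regPath -ErrorAction Stop).ModuleServer
$remote = (-not [string]::IsNullOrWhiteSpace($target)) -and
          ($target -notin '127.0.0.1', 'localhost')
$checks['ModuleServer value names a remote host'] = $remote

# 2. A leftover local Module Server service must be stopped and disabled.
#    No such service at all (never installed locally) also passes.
$svc   = Get-Service -DisplayName 'Tanium Module Server' -ErrorAction SilentlyContinue
$svcOk = (-not $svc) -or
         (($svc.Status -eq 'Stopped') -and ($svc.StartType -eq 'Disabled'))
$checks['Local Module Server service stopped and disabled'] = $svcOk

# 3. trusted-module-servers.crt must be byte-identical to the Module Server's
#    ssl.crt; a stale copy means the Tanium Server trusts the wrong certificate.
$trust = Join-Path $ServerDir 'trusted-module-servers.crt'
$same  = (Test-Path $trust) -and (Test-Path $ModuleServerCert) -and
         ((Get-FileHash $trust -Algorithm SHA256).Hash -eq
          (Get-FileHash $ModuleServerCert -Algorithm SHA256).Hash)
$checks['Trust file matches Module Server ssl.crt'] = $same

# 4. The network and host firewalls must allow TCP 17477 to the Module Server.
$reach = $remote -and
         (Test-NetConnection -ComputerName $target -Port $Port `
              -WarningAction SilentlyContinue).TcpTestSucceeded
$checks["Module Server reachable on TCP $Port"] = $reach

# One row per check, so a failed step is easy to spot.
$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Passed = [bool]$_.Value }
}
```

A failed trust-file check after a certificate update means registration has to be repeated.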

Updating the Module Server certificate

Registration ensures secure communication between the Module Server and the Tanium Server. If you update the Module Server certificate, you must redo the registration, either by re-running the installer or by using the CLI. For an example of using the Module Server CLI registration command, see the CLI reference.

Next steps

Verify the deployment. See Verifying the installation.

Last updated: 7/17/2018 3:11 PM