Installing the Tanium Server

This topic describes how to install a standalone Tanium Server on a dedicated Windows Server host. For details about the Tanium Server and its deployment options, see Tanium™ Server. To install Tanium Servers in a high availability (HA) deployment, see Installing Tanium Servers in an active-active HA cluster.

The Tanium Server installer performs the following actions:

  • Installs any necessary database tools, such as Microsoft SQL Server client tools and utilities.
  • Creates the Tanium databases on a remote database server and initializes the database tables in those databases.
  • Opens required ports in the local host computer Windows Firewall.
  • Installs the Tanium Server on the local host computer and starts the Tanium Server service. The service starts the application server that hosts the Tanium Console. The certificate and private key that you specify during installation establish Hypertext Transfer Protocol Secure (HTTPS) access to the Tanium Console and API.

Before you begin

Ensure that you meet the following requirements before installing the Tanium Server:

  • Installer: Ensure that you have the correct version of the installer (SetupServer.exe) and that you can access it. The installation package for all Tanium Core Platform servers must have the same build number (for example, all must have build number 7.5.6.1095). Contact Tanium Support for details.
  • Tanium license: Ensure that you can access the Tanium license file: tanium.license.
  • Host requirements: The host systems for the Tanium server and database server must meet the hardware, software, and network connectivity requirements suitable for your deployment: see Requirements, Reference: Host system resource guidelines, and SQL server host system or PostgreSQL server host system.
  • User accounts: Your Microsoft Active Directory administrator must configure the accounts that your team needs for the Tanium Core Platform deployment: see Administrator account permissions.
  • Firewall rules: Your network administrator must configure firewall rules to allow communication on the TCP ports that the Tanium Core Platform uses: see Internet access, network connectivity, and firewalls.
  • Security exclusions: Your security team must configure exceptions to host-based security policies to allow Tanium processes to operate smoothly and at optimal performance: see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.
  • Certificates and keys: If you want to use a certificate issued by a certificate authority (CA) for securing connections from user systems to the Tanium Server for Tanium Console or API access, ensure that the CA-issued certificate and associated private key are present on the Tanium Server. The certificate file name must be SOAPServer.crt and the key file name must be SOAPServer.key. During installation, you can select a CA-issued certificate or configure the Tanium Server to generate a self-signed certificate.

    To facilitate troubleshooting, use the self-signed certificate during initial installation and replace it with a CA-issued certificate later. This practice enables you to separate potential installation issues from TLS connection issues.

    For details and procedures, see Tanium Core Platform Deployment Reference Guide: Securing Tanium Console, API, and Module Server access.

  • Database server: Your database administrator must create a database server for the Tanium Core Platform deployment: see Set up a database server.
  • Secondary Logon service: The Windows Secondary Logon service (seclogon) on the host computer for the Tanium Server must have its Startup type set to Automatic or Manual (not Disabled) during installation of the Tanium Server. If the Secondary Logon service is disabled, the installation cannot connect to the database server (even if it is being installed locally), and the installation of the Tanium database fails. The Secondary Logon service is required only during installation and upgrades.
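The requirements above can be checked before the installer is run. The following PowerShell script is an added example for this guide, not part of the Tanium installer or Tanium's tooling. It assumes that the installer, license, certificate and key were copied to C:\Temp\tanium, that the Tanium Server FQDN is ts1.example.com, and that the database server is sql1.example.com listening on TCP 1433; change those values for your deployment. It checks the Secondary Logon startup type, the presence of the four files under the names the installer expects, the validity and host name of the CA-issued certificate, that the private key file is not readable by broad local groups, and that the database port is reachable through the firewall.

```powershell
# Added pre-installation check for a Tanium Server host (example code, not Tanium's tooling).
# Assumed values, not from the guide: staging directory, server FQDN, database host and port.
$StagingDir = 'C:\Temp\tanium'
$ServerFqdn = 'ts1.example.com'
$DbHost     = 'sql1.example.com'
$DbPort     = 1433   # a named SQL instance on a dynamic port needs its actual port here
$problems   = New-Object 'System.Collections.Generic.List[string]'

# 1. Secondary Logon (seclogon) must not be Disabled, or the installer cannot reach the database.
$seclogon = Get-CimInstance -ClassName Win32_Service -Filter "Name='seclogon'"
if ($null -eq $seclogon -or $seclogon.StartMode -eq 'Disabled') {
    $problems.Add('Secondary Logon (seclogon) is Disabled: set its startup type to Manual or Automatic.')
}

# 2. Installer, license, certificate and key must be present under the names the installer expects.
foreach ($name in 'SetupServer.exe', 'tanium.license', 'SOAPServer.crt', 'SOAPServer.key') {
    if (-not (Test-Path -LiteralPath (Join-Path $StagingDir $name))) {
        $problems.Add("Missing file: $name in $StagingDir")
    }
}

# 3. The CA-issued certificate must still be valid and must name the host that users connect to.
$crtPath = Join-Path $StagingDir 'SOAPServer.crt'
if (Test-Path -LiteralPath $crtPath) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $crtPath
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $problems.Add("SOAPServer.crt expires on $($cert.NotAfter); renew it before installing.")
    }
    # The Subject Alternative Name extension (OID 2.5.29.17) is what browsers match the host name against.
    $san   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $names = if ($san) { $san.Format($false) } else { $cert.Subject }
    if ($names -notmatch [regex]::Escape($ServerFqdn)) {
        $problems.Add("SOAPServer.crt does not name $ServerFqdn (found: $names)")
    }
}

# 4. The private key should not be readable by every local user.
$keyPath = Join-Path $StagingDir 'SOAPServer.key'
if (Test-Path -LiteralPath $keyPath) {
    $broad = (Get-Acl -LiteralPath $keyPath).Access |
        Where-Object { $_.IdentityReference -match '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users)$' }
    if ($broad) {
        $problems.Add('SOAPServer.key is readable by broad groups; restrict its ACL to administrators and the service account.')
    }
}

# 5. The database port must be reachable from this host (firewall rules and SQL protocol settings in place).
$tcp = Test-NetConnection -ComputerName $DbHost -Port $DbPort -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    $problems.Add("Cannot reach ${DbHost}:$DbPort over TCP; check firewall rules and the SQL instance protocol settings.")
}

if ($problems.Count -eq 0) {
    Write-Host 'Pre-installation checks passed.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run the script in an elevated PowerShell session on the Tanium Server host. A non-zero exit code with warnings identifies what to fix before starting SetupServer.exe; the ACL check is a practitioner's addition that the installer itself does not perform.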

Set up a database server

Before installing the Tanium Server, your database administrator must set up a database server for the Tanium Core Platform deployment. The Tanium Server installer creates the Tanium database on this server. In production deployments, the database must run on a standalone server that allows remote connections from the Tanium Server. In a proof-of-concept (POC) deployment, you can install the Tanium database locally on the Tanium Server.

In an HA deployment, the Tanium Servers share the Tanium database. Therefore, even if the database is local to one Tanium Server, the peer Tanium Server must connect to it remotely.

Create and configure the database server

  1. Choose the database type, Microsoft SQL (MSSQL) or PostgreSQL, and create the database server. See the MSSQL or PostgreSQL documentation for the steps to create the server.

    Contact Tanium Support first if you want a PostgreSQL server. A special distribution of PostgreSQL Server is required.

    By default, the connection between the Tanium Server and standalone database server is not encrypted, but configuring encryption is a best practice.

  2. Configure a privileged domain administrator account that you can use to create the Tanium databases when you run the installer: see Administrator account permissions.

  3. (SQL server only) Configure the SQL instance to allow remote connections:
    1. Sign in to the database server as an administrator.
    2. Open the SQL Server Configuration Manager program.
    3. In the navigation pane, open the SQL Server Network Configuration node and select the protocols for your database instance (for example, Protocols for SQLEXPRESS2012).
    4. In the display pane, right-click TCP/IP and select Enable.

      (Screenshot: SQL Server remote connections)

  4. (SQL server only, best practice) Install the Microsoft SQL Server Management Studio program on the Tanium Server host computer.

    Microsoft SQL Server Management Studio is optional, but most administrators find it useful to verify database transactions and to manage the databases. If you install Microsoft SQL Server Management Studio before you run the installer, the installer does not prompt you to download and install the Microsoft SQL Server utilities (see SQL Command Line Utilities Not Found).

Manage the Tanium database collation mode

The Tanium Server installer creates the Tanium database with the default collation mode of your database server. The collation mode controls which characters are available to use in the names (identifiers) of configuration objects, such as computer groups or sensors. Be sure to set a default collation mode that allows all the characters that you plan to use for object names. Some collations do not support Supplemental Unicode characters beyond the Basic Multilingual Plane. The following steps describe how to set the collation mode on an SQL server:

  1. Sign in to the Tanium Server as an administrator.

  2. Open the Microsoft SQL Server Management Studio program.
  3. In the navigation pane, right-click the tanium database and select Properties.
  4. In the Select a page section, select Options.

    The Collation drop-down list shows the current collation mode.

  5. If necessary, select a new Collation and click OK.
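The collation check above and the encryption point made earlier (the Tanium Server to database connection is unencrypted unless you configure it) can both be verified from the Tanium Server host without opening Management Studio. The following PowerShell script is an added example for this guide, not Tanium's or Microsoft's tooling. It assumes the Remote SQL Path syntax from this guide (here SQL1\SQLEXPRESS,1444), Windows authentication with an account that can read server metadata (sys.dm_exec_connections needs VIEW SERVER STATE, which a DBA-level account has), and a database named tanium. It first tries an encrypted connection that requires a trusted server certificate; if that fails, it falls back to an unencrypted connection and reports that the link would run in the clear. It then reports the server default collation (which the installer uses for a new database), the tanium database collation if the database already exists, and whether the collation supports supplementary characters (SQL Server marks such collations with _SC, and the UTF-8 collations also support them).

```powershell
# Added example (not Tanium tooling): check database collation and connection encryption.
# Assumed values, not from the guide: the Remote SQL Path and the database name.
$RemoteSqlPath = 'SQL1\SQLEXPRESS,1444'
$DatabaseName  = 'tanium'

function Get-TaniumSqlInfo {
    param([string]$RemoteSqlPath, [string]$DatabaseName, [bool]$Encrypt = $true)
    # Data Source accepts the host\instance,port form used in the Remote SQL Path field.
    $cs = "Data Source=$RemoteSqlPath;Initial Catalog=master;Integrated Security=True;" +
          "Encrypt=$Encrypt;TrustServerCertificate=False;Connect Timeout=10"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    $cmd  = $conn.CreateCommand()
    $cmd.CommandText = @"
SELECT CAST(SERVERPROPERTY('Collation') AS nvarchar(128))            AS ServerCollation,
       CAST(DATABASEPROPERTYEX(@db, 'Collation') AS nvarchar(128))  AS DbCollation,
       (SELECT encrypt_option FROM sys.dm_exec_connections
         WHERE session_id = @@SPID)                                  AS EncryptOption
"@
    [void]$cmd.Parameters.AddWithValue('@db', $DatabaseName)
    try {
        $conn.Open()
        $r = $cmd.ExecuteReader()
        [void]$r.Read()
        [pscustomobject]@{
            ServerCollation = $r['ServerCollation']
            DbCollation     = if ($r.IsDBNull(1)) { $null } else { $r['DbCollation'] }  # NULL until the database exists
            EncryptOption   = $r['EncryptOption']                                       # 'TRUE' or 'FALSE'
        }
    } finally { $conn.Dispose() }
}

function Test-SupplementaryCharacterSupport {
    # Collations flagged _SC, and the UTF-8 collations, support characters beyond the Basic Multilingual Plane.
    param([string]$Collation)
    $Collation -match '_SC|_UTF8'
}

try {
    $info = Get-TaniumSqlInfo -RemoteSqlPath $RemoteSqlPath -DatabaseName $DatabaseName -Encrypt $true
} catch {
    Write-Warning "Encrypted connection with certificate validation failed: $($_.Exception.Message)"
    Write-Warning 'Retrying without encryption; configure TLS on the SQL Server before production use.'
    $info = Get-TaniumSqlInfo -RemoteSqlPath $RemoteSqlPath -DatabaseName $DatabaseName -Encrypt $false
}

"Server default collation : $($info.ServerCollation)"
"tanium database collation: $(if ($info.DbCollation) { $info.DbCollation } else { '(database not created yet)' })"
"Connection encrypted     : $($info.EncryptOption)"

$effective = if ($info.DbCollation) { $info.DbCollation } else { $info.ServerCollation }
if (-not (Test-SupplementaryCharacterSupport -Collation $effective)) {
    Write-Warning "Collation $effective does not support supplementary Unicode characters in object names."
}
```

If the encrypted attempt fails while the unencrypted one succeeds, the SQL Server either has no server certificate configured or presents one that this host does not trust; fixing that on the database server is the prerequisite for the encrypted connection the guide recommends.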

Install the Tanium Server

  1. Sign in to the host system as a local administrator or domain user with administrator permissions.
  2. Copy the installer (SetupServer.exe) and license to a temporary location.
  3. Right-click the installer and select Run as administrator.
  4. Complete the installation wizard. The following settings and guidelines apply to the key pages of the wizard:

Database Server Type
  Select the type of database to use:
  • PostgreSQL Server

    Install a remote (production deployments) or local (proof-of-concept (POC) deployments) database server and utilities.

  • Microsoft SQL Server

    The installer displays additional pages for selecting database server and client utilities options.

Postgres Not Found
  If you set the Database Server Type to PostgreSQL Server and the installer cannot find a local PostgreSQL Server installation, the following options appear:
  • Install and configure local Postgres Server.

    This option supports only POC deployments.

  • Use remote Postgres Server.

    This option supports production deployments.

  • Exit the installer now.

    Select this option if you are not ready to make the connection to the remote PostgreSQL Server.

SQL Command Line Utilities Not Found
  If you set the Database Server Type to Microsoft SQL Server and the installer cannot find a local SQL Server installation and SQL utilities, the following options appear:
  • Download and Install SQL 2012 Native Client and SQL 2012 Command Line Utilities now.

    Select this option to install the utilities necessary to connect to a remote SQL server and create databases. If you select this option and the Tanium installer detects that these utilities are already present on the host system, it does not overwrite the existing installation; it simply does not call the Microsoft installer for the utilities.

  • Download and Install SQL Server 2014 SP2 Express Edition with Tools now.

    Select this option only for limited, proof-of-concept (POC) deployments.

  • Exit the installer now. (Download and install manually)

    Select this option if you want to install the utilities yourself. After you have done so, if you re-run the Tanium installer, you can select the first option, and the Tanium installer verifies that the utilities are present and does not call the Microsoft installer.

  SQL Server 2014 SP2 Express takes substantially longer to download than SQL 2012 Native Client. Therefore, if you plan to use a remote database server, select Download and Install SQL 2012 Native Client and SQL 2012 Command Line Utilities now or download the files from Microsoft using the links that the installation wizard provides.

Choose type of installation
  • Custom Install: Select this option for production deployments.
  • Express Install: Select this option only for limited, POC deployments.

Choose Service Account for Tanium Server and Database Access
  • Specify Account

    This option is required for production deployments. Specify a service account that can connect to the remote database server and has permissions to create databases. The account you specify also runs the Tanium Server service on the local host computer. Specify the following details:
    • User Name: Enter only the account name portion of the credentials, such as taniumsvc.
    • Domain: Enter the domain name, such as example.com.
    • Password: Enter the account password.

  • Local System Account

    This option is supported only if you set the Database Server Type to Microsoft SQL Server and you are setting up a limited POC deployment where the Tanium Server and database server are on the same local host system.

Choose Install Location
  The default is C:\Program Files\Tanium\Tanium Server.

  For additional security in enterprise production deployments, install the Tanium Server on a non-system hard drive.

License Configuration
  Click Browse, navigate to the directory where you copied the Tanium license file (tanium.license), select the file, and click Open.

Key Database Restoration
  The Tanium Server uses a pki.db file to store the Tanium root keys and subordinate keys that are required for TLS communication among Tanium Core Platform components (see Managing Tanium keys). Select the source for this file:
  • Generate a new key database: The Tanium Server creates a new pki.db file.
  • Restore a key database from backup: If you saved the pki.db file from a previous installation of this Tanium Server, copy it to a temporary location on the current server host, click Browse, select the file, and click Open. Note that you must also restore the Tanium database associated with the backup pki.db file to enable Tanium Clients to connect to that Tanium Server.

  The installer puts the pki.db file in the Tanium Server installation folder.

Server Console/API Port
  Specify the Tanium Server inbound port for traffic from the Tanium Console and API. The default is 443.

SSL Certificate and Key
  The Tanium Server uses the SSL/TLS certificate (SOAPServer.crt) and private key (SOAPServer.key) to secure communication with Tanium Console or API users and communication with the Module Server.
  • Generate Self-Signed Certificate and Key

    If you select this option, the installer generates a self-signed certificate and private key. For the Server Host Name, specify the fully qualified domain name (FQDN) of the Tanium Server. For example, ts1.example.com. If you are deploying an HA pair, specify the FQDN for both servers, separated by a comma (no spaces). For example, ts1.example.com,ts2.example.com.

  • Use Existing Certificate and Key

    To use a CA-issued certificate, select the certificate file and associated private key file. For details, see Tanium Core Platform Deployment Guide: Securing Tanium Console, API, and Module Server access.

Server Port
  Specify the Tanium Server inbound port for traffic from Tanium Clients that are in the internal network. The default is 17472.

SQL server and database
  If you set the Database Server Type to Microsoft SQL Server, you have the following options:
  • Use Local Database

    This option is supported only for POC deployments. When SQL Server is installed on the local host computer, you can select a database server from the Local Instance list box.

  • Use Remote Database

    Select this option and specify the path to the remote database server in the Remote SQL Path field. In most cases, the syntax is <hostname>\<database instance name>, such as SQL1\SQLEXPRESS. However, if you use both the default SQL instance name (MSSQLSERVER) and default port (1433), the syntax is just <hostname>.

  Click Test to test the connection.

  If the SQL Server listens on a custom-assigned port (not 1433), specify the port in the Remote SQL Path. For example, SQL1\SQLEXPRESS,1444.

Postgres Configuration
  If you set the Database Server Type to PostgreSQL Server, specify the following settings:
  • Server Port: The default is 17472.
  • Server: Specify localhost (default) for a local server, or the FQDN or IP address of the remote server. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
  • Options: Specify additional parameters to pass in the connection. Typically, these are dbname and port. For example, dbname=postgres port=5432 user=postgres.

  Click Test to test the connection.

Install local Tanium Module Server
  Select this option only if you are installing a POC deployment in which the Tanium Server and Module Server run on the same host system.

Open Tanium Ports in Windows Firewall
  Select this option to open Tanium Server ports in the Windows Firewall. Ports 443 and 17472 are the default port numbers.

Set Administrator Account
  (Fresh installation only) Set the Username and Password for the initial Tanium Console administrator account. This is the account that you use when you first sign in to the Console. Subsequently, you can create additional users. For Active Directory accounts, use DOMAIN\username or UPN format. For example, TAM\TaniumAdmin or [email protected]. For local accounts, use MACHINE\username syntax.

Choose Start Menu Folder
  (Fresh installation only) Select a folder for the Tanium Server in the Windows Start menu. The default is Tanium Server.
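After the wizard finishes, the port, firewall and certificate settings chosen above can be verified from the host itself. The following PowerShell script is an added example for this guide, not Tanium's own tooling. It assumes the default installation location, the default ports 443 and 17472, the server FQDN ts1.example.com, and that SOAPServer.crt is located in the installation folder (the guide does not state where the installer places it, so adjust the path if yours differs). It checks that the Tanium Server service is listening on both ports, that an enabled inbound allow rule exists for each, and that the certificate actually served on the Console/API port is the configured SOAPServer.crt rather than some other certificate bound to the port.

```powershell
# Added post-installation check (example code, not Tanium's tooling).
# Assumed values, not from the guide: install location, certificate path, FQDN.
$InstallDir  = 'C:\Program Files\Tanium\Tanium Server'
$ServerFqdn  = 'ts1.example.com'
$ConsolePort = 443
$ClientPort  = 17472

function Test-TaniumListener {
    # Returns $true when some process is listening on the TCP port (the service has started).
    param([int]$Port)
    $null -ne (Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
}

function Get-InboundRuleForPort {
    # Finds enabled inbound allow rules whose port filter includes the given TCP port,
    # whatever name the installer or an administrator gave the rule.
    param([int]$Port)
    Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -contains "$Port" } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' }
}

function Get-ServedCertificate {
    # Opens a TLS session to the port and returns what the server presented.
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The validation callback returns $true so that a self-signed certificate can still be inspected;
        # trust is decided below by comparing thumbprints, not by this callback.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        [pscustomobject]@{
            Protocol   = $ssl.SslProtocol
            Thumbprint = $remote.Thumbprint
            Subject    = $remote.Subject
            NotAfter   = $remote.NotAfter
        }
    } finally { $client.Close() }
}

foreach ($port in $ConsolePort, $ClientPort) {
    if (-not (Test-TaniumListener -Port $port))    { Write-Warning "Nothing is listening on TCP $port" }
    if (-not (Get-InboundRuleForPort -Port $port)) { Write-Warning "No enabled inbound allow rule for TCP $port" }
}

$served = Get-ServedCertificate -HostName $ServerFqdn -Port $ConsolePort
$local  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (Join-Path $InstallDir 'SOAPServer.crt')
if ($served.Thumbprint -ne $local.Thumbprint) {
    Write-Warning "TCP $ConsolePort serves $($served.Subject) ($($served.Thumbprint)), not the configured SOAPServer.crt"
} else {
    Write-Host "TCP $ConsolePort serves SOAPServer.crt (expires $($served.NotAfter)) over $($served.Protocol)"
}
```

The thumbprint comparison is the useful part: a listener and a firewall rule only show that something answers, while matching the served certificate against the file you supplied confirms that Console and API users are getting the certificate you intended, whether it is the self-signed one used during initial installation or the CA-issued one you replace it with later.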

Relocate the package file repository

The Tanium Server downloads package files that are associated with actions and stores them in the <Tanium Server installation directory>\Downloads directory by default. Optionally, you can change the directory if another drive on the server has better resources for storing package downloads.

To monitor repository usage and manually clear expired files, see Tanium Console User Guide: Manage the package file repository.

  1. Create the new package downloads directory (such as E:\Tanium\Downloads) if it does not already exist.

  2. Verify that the Tanium Server and Tanium database are properly backed up. See Back up Tanium Core Platform servers and databases.

  3. Sign in to the Tanium Server host as the Administrator user.

  4. Open the Windows Services program, right-click the Tanium Server service, and select Stop.

  5. Copy all the files and subdirectories from <Tanium Server installation directory>\Downloads to the new directory.

  6. Open a Command Prompt and navigate to the Tanium Server installation directory:

    cd <installation directory>

  7. Configure the Tanium Server to use the new package downloads directory:

    TaniumReceiver config set-string DownloadPath <downloads directory>

  8. Open the Windows Services program, right-click the Tanium Server service, and select Start.

  9. Verify that the server uses the new directory for package downloads:
    1. Sign in to the Tanium Console as a user who is assigned the Administrator reserved role.

    2. From the Main menu, go to Administration > Configuration > Package File Repository.
    3. Verify that the Download Cache Folder Path shows the new directory.
  10. Remove the original Downloads directory from the Tanium Server.
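The relocation steps above can be scripted so that the service is not left stopped longer than necessary and the copy is verified before the server is pointed at the new directory. The following PowerShell script is an added example for this guide, not Tanium's own tooling. It assumes the default installation location, that the Windows service is named Tanium Server, and that the new repository is E:\Tanium\Downloads; the only Tanium command it runs is the TaniumReceiver config set-string DownloadPath command shown in step 7. The backup in step 2, the Console check in step 9 and the removal of the old directory in step 10 are left manual on purpose.

```powershell
# Added example (not Tanium tooling): scripted relocation of the package file repository.
# Assumed values, not from the guide: install location, service name, new directory.
$InstallDir  = 'C:\Program Files\Tanium\Tanium Server'
$ServiceName = 'Tanium Server'
$OldDir      = Join-Path $InstallDir 'Downloads'
$NewDir      = 'E:\Tanium\Downloads'

# Step 1: create the target directory if it does not exist.
New-Item -ItemType Directory -Path $NewDir -Force | Out-Null

# Step 2 is not automated: confirm that current server and database backups exist before continuing.

# Step 4: stop the service and wait until it has fully stopped before touching the repository.
Stop-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(5))

# Step 5: copy files and subdirectories. /E includes empty subdirectories; /R and /W limit retries.
# Robocopy exit codes below 8 indicate success.
robocopy $OldDir $NewDir /E /R:2 /W:5 /NP | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# Verify the copy by comparing file counts and total size before trusting it.
$old = @(Get-ChildItem -LiteralPath $OldDir -Recurse -File)
$new = @(Get-ChildItem -LiteralPath $NewDir -Recurse -File)
$oldBytes = ($old | Measure-Object -Property Length -Sum).Sum
$newBytes = ($new | Measure-Object -Property Length -Sum).Sum
if ($old.Count -ne $new.Count -or $oldBytes -ne $newBytes) {
    throw "Copy mismatch: $($old.Count) files / $oldBytes bytes in source, $($new.Count) files / $newBytes bytes in target"
}

# Steps 6 and 7: run the configuration command from the installation directory.
Push-Location $InstallDir
try {
    & .\TaniumReceiver.exe config set-string DownloadPath $NewDir
    if ($LASTEXITCODE -ne 0) { throw "TaniumReceiver returned exit code $LASTEXITCODE" }
} finally { Pop-Location }

# Step 8: start the service and confirm it is running.
Start-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
Write-Host "Tanium Server restarted; DownloadPath set to $NewDir"

# Step 9: verify the Download Cache Folder Path in the Tanium Console.
# Step 10, only after the Console shows the new path:
#   Remove-Item -LiteralPath $OldDir -Recurse
```

Run the script in an elevated session as the Administrator user from step 3. The file count and size comparison is a cheap guard against a partially copied repository; the service account that runs Tanium Server also needs modify access to the new directory, which it has by default only if the directory's ACL grants it, so check the ACL on the new drive if package downloads fail after the move.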

Next steps

  1. Install the remote Module Server. See Installing the Tanium Module Server.

  2. (Optional) Integrate the Tanium Server with a hardware security module (HSM) if your organization uses an HSM to store and manage digital keys. See Tanium Core Platform Deployment Reference Guide: Securing keys with an HSM.