Installing the Tanium Server
This topic describes how to install a standalone Tanium Server on a dedicated Windows Server host. For details about the Tanium Server and its deployment options, see Tanium Server. To install Tanium Servers in a high availability (HA) deployment, see Installing Tanium Servers in an active-active HA cluster.
The Tanium Server installer performs the following actions:
- Installs any necessary database tools, such as Microsoft SQL Server client tools and utilities.
- Creates the Tanium databases on a remote database server and initializes the database tables in those databases.
- Opens required ports in the local host computer Windows Firewall.
- Installs the Tanium Server on the local host computer and starts the Tanium Server service. The service starts the application server that hosts the Tanium Console. The certificate and private key that you specify during installation establish Hypertext Transfer Protocol Secure (HTTPS) access to the Tanium Console and API.
Ensure that you meet the following requirements before installing the Tanium Server:
- Installer: Ensure that you have the correct version of the installer (SetupServer.exe) and that you can access it. The installation package for all Tanium Core Platform servers must have the same build number (for example, all must have build number 22.214.171.1240). Contact Tanium Support for details.
- Tanium license: Ensure that you can access the Tanium license file: tanium.license.
- Host requirements: The host systems for the Tanium server and database server must meet the hardware, software, and network connectivity requirements suitable for your deployment: see Requirements, Tanium Server host system , and SQL server host system or PostgreSQL server host system.
- User accounts: Your Microsoft Active Directory administrator must configure the accounts that your team needs for the Tanium Core Platform deployment: see Administrator account permissions.
- Firewall rules: Your network administrator must configure firewall rules to allow communication on the TCP ports that the Tanium Core Platform uses: see Internet access, network connectivity, and firewall.
- Security exclusions: Your security team must configure exceptions to host-based security policies to allow Tanium processes to operate smoothly and at optimal performance: see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.
- Certificates and keys: If you want to use a certificate issued by a certificate authority (CA) for securing connections from user systems to the Tanium Server for Tanium Console or API access, ensure that the CA-issued certificate and associated private key are present on the Tanium Server. The certificate file name must be SOAPServer.crt and the key file name must be SOAPServer.key. During installation, you can select a CA-issued certificate or configure the Tanium Server to generate a self-signed certificate.
To facilitate troubleshooting, use the self-signed certificate during initial installation and replace it with a CA-issued certificate later. This practice enables you to separate potential installation issues from TLS connection issues.
For details and procedures, see Tanium Core Platform Deployment Reference Guide: Securing Tanium Console, API, and Module Server access.
- Database server: Your database administrator must create a database server for the Tanium Core Platform deployment: see Set up a database server.
Before installing the Tanium Server, your database administrator must set up a database server for the Tanium Core Platform deployment. The Tanium Server installer creates the Tanium database on this server. In production deployments, the database must run on a standalone server that allows remote connections from the Tanium Server. In a proof-of-concept (POC) deployment, you can install the Tanium database locally on the Tanium Server.
In an HA deployment, the Tanium Servers share the Tanium database. Therefore, even if the database is local to one Tanium Server, the peer Tanium Server must connect to it remotely.
Choose the database type (Microsoft SQL or PostgreSQL) and set up the server.
By default, the connection between the Tanium Server and standalone database server is not encrypted, but configuring encryption is a best practice.
- Configure a privileged domain administrator account that you can use to create the Tanium databases when you run the installer: see Administrator account permissions.
- Ensure that the Windows Secondary Logon service (seclogon) has its Startup type set to Automatic or Manual, not Disabled. Otherwise, the Tanium database installation will fail.
- (SQL server only) Configure the SQL instance to allow remote connections:
- Log into the database server as an administrator.
- Open the SQL Server Configuration Manager program.
- In the navigation pane, open the SQL Server Network Configuration node and select the protocols for your database instance (for example, Protocols for SQLEXPRESS2012).
- In the display pane, right-click TCP/IP and select Enable.
- (SQL server only, best practice) Install SQL Server Management Studio on the Tanium Server host computer.
SQL Server Management Studio is optional, but most administrators find it useful to verify database transactions and to manage the databases. If you install SQL Server Management Studio before you run the installer, the installer does not prompt you to download and install the Microsoft SQL Server utilities (see SQL Command Line Utilities Not Found).
- Sign in to the host system as a local administrator or domain user with administrator permissions.
- Copy the installation package file and license to a temporary location.
- Right-click the SetupServer.exe file and select Run as administrator.
- Complete the installation wizard. The following table provides guidelines for key settings.
|Database Server Type||Select the type of database to use:
|Postgres Not Found||
If you set the Database Server Type to PostgreSQL Server and the installer cannot find a local PostgreSQL Server installation, the following options appear:
|SQL Command Line Utilities Not Found||
If you set the Database Server Type to Microsoft SQL Server and the installer cannot find a local SQL Server installation and SQL utilities, the following options appear:
SQL Server 2014 SP2 Express takes substantially longer to download than SQL 2012 Native Client. Therefore, if you plan to use a remote database server, select Download and Install SQL 2012 Native Client and SQL 2012 Command Line Utilities now or download the files from Microsoft using the links that the installation wizard provides.
|Choose type of installation||
|Choose Service Account for Tanium Server and Database Access||Specify Account
This option is required for production deployments. Specify a service account that can connect to the remote database server and has permissions to create databases. The account you specify will also run the Tanium Server service on the local host computer. Specify the following details:
|Local System Account
This option is supported only if you set the Database Server Type to Microsoft SQL Server and you are setting up a limited POC deployment where the Tanium Server and database server are on the same local host system.
|Choose Install Location||
The default is C:\Program Files\Tanium\Tanium Server.
For additional security in enterprise production deployments, install the Tanium Server on a non-system hard drive.
|License Configuration||Click Browse, navigate to the directory where you copied the Tanium license file (tanium.license), select the file, and click Open.|
|Key Database Restoration||The Tanium Server uses a pki.db file to store the Tanium root keys and subordinate keys that are required for TLS communication among Tanium Core Platform components (see Managing Tanium keys). Select the source for this file:
The installer puts the pki.db file in the Tanium Server installation folder.
|Server Console/API Port||Specify the Tanium Server inbound port for traffic from the Tanium Console and API. The default is 443.|
|SSL Certificate and Key||The Tanium Server uses the SSL/TLS certificate (SOAPServer.crt) and private key (SOAPServer.key) to secure communication with Tanium Console or API users and communication with the Module Server.
|Server Port||Specify the Tanium Server inbound port for traffic from Tanium Clients that are in the internal network. The default is 17472.|
|SQL server and database||
you set the Database Server Type to Microsoft SQL Server, you have the following options:
Click Test to test the connection.
Tip: If the SQL Server listens on a custom-assigned port (not 1433), specify the port in the Remote SQL Path text box. For example, SQL1\SQLEXPRESS,1444.
If you set the Database Server Type to PostgreSQL Server, specify the following settings:
Click Test to test the connection.
|Install local Tanium Module Server||Select this option only if you are installing a POC deployment in which the Tanium Server and Module Server run on the same host system.|
|Open Tanium Ports in Windows Firewall||Select this option to open Tanium Server ports in the Windows Firewall. Ports 443 and 17472 are the default port numbers.|
|Set Administrator Account||(Fresh installation only) Set the Username and Password for the initial Tanium Console administrator account. This is the account that you will use when you first sign in to the console. Subsequently, you can create additional users. For Active Directory accounts, use DOMAIN\username or UPN format. For example, TAM\TaniumAdmin or [email protected]. For local accounts, use MACHINE\username syntax.|
|Choose Start Menu Folder||(Fresh installation only) Select a folder for the Tanium Server in the Windows Start menu. The default is Tanium Server.|
Install the remote Module Server. See Installing the Tanium Module Server.
Last updated: 6/11/2021 9:09 AM | Feedback