Installing the Tanium Server
This topic describes how to install a standalone Tanium Server on a dedicated Windows Server host. For details about the Tanium Server and its deployment options, see Tanium™ Server. To install Tanium Servers in a high availability (HA) deployment, see Installing Tanium Servers in an active-active HA cluster.
The Tanium Server installer performs the following actions:
- Installs any necessary database tools, such as Microsoft SQL Server client tools and utilities.
- Creates the Tanium databases on a remote database server and initializes the database tables in those databases.
- Opens required ports in the local host computer Windows Firewall.
- Installs the Tanium Server on the local host computer and starts the Tanium Server service. The service starts the application server that hosts the Tanium Console. The certificate and private key that you specify during installation establish Hypertext Transfer Protocol Secure (HTTPS) access to the Tanium Console and API.
Before you begin
Ensure that you meet the following requirements before installing the Tanium Server:
- Installer: Ensure that you have the correct version of the installer (SetupServer.exe) and that you can access it. The installation package for all Tanium Core Platform servers must have the same build number (for example, all must have build number 7.5.4.1158). Contact Tanium Support for details.
- Tanium license: Ensure that you can access the Tanium license file: tanium.license.
- Host requirements: The host systems for the Tanium Server and database server must meet the hardware, software, and network connectivity requirements suitable for your deployment: see Requirements, Reference: Host system resource guidelines, and SQL server host system or PostgreSQL server host system.
- User accounts: Your Microsoft Active Directory administrator must configure the accounts that your team needs for the Tanium Core Platform deployment: see Administrator account permissions.
- Firewall rules: Your network administrator must configure firewall rules to allow communication on the TCP ports that the Tanium Core Platform uses: see Internet access, network connectivity, and firewalls.
- Security exclusions: Your security team must configure exceptions to host-based security policies to allow Tanium processes to operate smoothly and at optimal performance: see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.
- Certificates and keys: If you want to use a certificate issued by a certificate authority (CA) for securing connections from user systems to the Tanium Server for Tanium Console or API access, ensure that the CA-issued certificate and associated private key are present on the Tanium Server. The certificate file name must be SOAPServer.crt and the key file name must be SOAPServer.key. During installation, you can select a CA-issued certificate or configure the Tanium Server to generate a self-signed certificate.
To facilitate troubleshooting, use the self-signed certificate during initial installation and replace it with a CA-issued certificate later. This practice enables you to separate potential installation issues from TLS connection issues.
For details and procedures, see Tanium Core Platform Deployment Reference Guide: Securing Tanium Console, API, and Module Server access.
- Database server: Your database administrator must create a database server for the Tanium Core Platform deployment: see Set up a database server.
Set up a database server
Before installing the Tanium Server, your database administrator must set up a database server for the Tanium Core Platform deployment. The Tanium Server installer creates the Tanium database on this server. In production deployments, the database must run on a standalone server that allows remote connections from the Tanium Server. In a proof-of-concept (POC) deployment, you can install the Tanium database locally on the Tanium Server.
In an HA deployment, the Tanium Servers share the Tanium database. Therefore, even if the database is local to one Tanium Server, the peer Tanium Server must connect to it remotely.
Create and configure the database server
- Choose the database type, Microsoft SQL (MSSQL) or PostgreSQL, and create the database server. See the MSSQL or PostgreSQL documentation for the steps to create the server.
  Contact Tanium Support first if you want a PostgreSQL server. A special distribution of PostgreSQL Server is required.
  By default, the connection between the Tanium Server and standalone database server is not encrypted, but configuring encryption is a best practice.
- Configure a privileged domain administrator account that you can use to create the Tanium databases when you run the installer: see Administrator account permissions.
- Ensure that the Windows Secondary Logon service (seclogon) has its Startup type set to Automatic or Manual, not Disabled. Otherwise, the Tanium database installation will fail.
- (SQL server only) Configure the SQL instance to allow remote connections:
  - Sign in to the database server as an administrator.
  - Open the SQL Server Configuration Manager program.
  - In the navigation pane, open the SQL Server Network Configuration node and select the protocols for your database instance (for example, Protocols for SQLEXPRESS2012).
  - In the display pane, right-click TCP/IP and select Enable.
- (SQL server only, best practice) Install the Microsoft SQL Server Management Studio program on the Tanium Server host computer.
  Microsoft SQL Server Management Studio is optional, but most administrators find it useful to verify database transactions and to manage the databases. If you install Microsoft SQL Server Management Studio before you run the installer, the installer does not prompt you to download and install the Microsoft SQL Server utilities (see SQL Command Line Utilities Not Found).
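The two items in this list that can be checked from a script, the Secondary Logon start mode and TCP reachability of the SQL instance, are shown below in PowerShell as an added example; it is not Tanium tooling. The function name Test-TaniumDbPrereq is hypothetical, the seclogon check applies to the machine where the function runs, and the input uses the Remote SQL Path format (host\instance,port, default port 1433) described in the installer guidelines later in this topic.

```powershell
# Added example: pre-installation checks for the database prerequisites.
# Test-TaniumDbPrereq is a hypothetical helper name, not a Tanium command.
function Test-TaniumDbPrereq {
    param(
        [Parameter(Mandatory)][string]$RemoteSqlPath   # host[\instance][,port]
    )

    # Split "host\instance,port"; the port defaults to 1433 when none is given.
    $port   = 1433
    $target = $RemoteSqlPath
    if ($RemoteSqlPath -match '^(?<path>[^,]+),(?<port>\d+)$') {
        $target = $Matches['path']
        $port   = [int]$Matches['port']
    }
    $sqlHost = ($target -split '\\', 2)[0]

    # Secondary Logon must be set to Automatic or Manual, not Disabled.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='seclogon'"
    $seclogonOk = ($null -ne $svc) -and ($svc.StartMode -ne 'Disabled')

    # A TCP connect succeeds only if the TCP/IP protocol is enabled on the
    # instance and the firewalls in between allow the port.
    $tcp = Test-NetConnection -ComputerName $sqlHost -Port $port -WarningAction SilentlyContinue

    [pscustomobject]@{
        SqlHost           = $sqlHost
        SqlPort           = $port
        SeclogonStartMode = if ($svc) { $svc.StartMode } else { 'NotFound' }
        SeclogonOk        = $seclogonOk
        SqlTcpReachable   = [bool]$tcp.TcpTestSucceeded
    }
}

# Sample value in the format the installer accepts.
Test-TaniumDbPrereq -RemoteSqlPath 'SQL1\SQLEXPRESS,1444'
```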
Manage the Tanium database collation mode
The Tanium Server installer creates the Tanium database with the default collation mode of your database server. The collation mode controls which characters are available to use in the names (identifiers) of configuration objects, such as computer groups or sensors. Be sure to set a default collation mode that allows all the characters that you plan to use for object names. Some collations do not support Supplemental Unicode characters beyond the Basic Multilingual Plane. The following steps describe how to set the collation mode on an SQL server:
- Sign in to the Tanium Server as an administrator.
- Open the Microsoft SQL Server Management Studio program.
- In the navigation pane, right-click the tanium database and select Properties.
- In the Select a page section, select Options.
  The Collation drop-down list shows the current collation mode.
- If necessary, select a new Collation and click OK.
Install the Tanium Server
- Sign in to the host system as a local administrator or domain user with administrator permissions.
- Copy the installer (SetupServer.exe) and license to a temporary location.
- Right-click the installer and select Run as administrator.
- Complete the installation wizard. The following table provides guidelines for key settings.
Settings | Guidelines |
---|---|
Database Server Type | Select the type of database to use:
|
Postgres Not Found |
If you set the Database Server Type to PostgreSQL Server and the installer cannot find a local PostgreSQL Server installation, the following options appear:
|
SQL Command Line Utilities Not Found |
If you set the Database Server Type to Microsoft SQL Server and the installer cannot find a local SQL Server installation and SQL utilities, the following options appear:
SQL Server 2014 SP2 Express takes substantially longer to download than SQL 2012 Native Client. Therefore, if you plan to use a remote database server, select Download and Install SQL 2012 Native Client and SQL 2012 Command Line Utilities now or download the files from Microsoft using the links that the installation wizard provides. |
Choose type of installation |
|
Choose Service Account for Tanium Server and Database Access | Specify Account
This option is required for production deployments. Specify a service account that can connect to the remote database server and has permissions to create databases. The account you specify will also run the Tanium Server service on the local host computer. Specify the following details:
|
Local System Account
This option is supported only if you set the Database Server Type to Microsoft SQL Server and you are setting up a limited POC deployment where the Tanium Server and database server are on the same local host system. |
|
Choose Install Location |
The default is C:\Program Files\Tanium\Tanium Server. For additional security in enterprise production deployments, install the Tanium Server on a non-system hard drive. |
License Configuration | Click Browse, navigate to the directory where you copied the Tanium license file (tanium.license), select the file, and click Open. |
Key Database Restoration | The Tanium Server uses a pki.db file to store the Tanium root keys and subordinate keys that are required for TLS communication among Tanium Core Platform components (see Managing Tanium keys). Select the source for this file:
The installer puts the pki.db file in the Tanium Server installation folder. |
Server Console/API Port | Specify the Tanium Server inbound port for traffic from the Tanium Console and API. The default is 443. |
SSL Certificate and Key | The Tanium Server uses the SSL/TLS certificate (SOAPServer.crt) and private key (SOAPServer.key) to secure communication with Tanium Console or API users and communication with the Module Server.
|
Server Port | Specify the Tanium Server inbound port for traffic from Tanium Clients that are in the internal network. The default is 17472. |
SQL server and database |
If you set the Database Server Type to Microsoft SQL Server, you have the following options:
Click Test to test the connection. If the SQL Server listens on a custom-assigned port (not 1433), specify the port in the Remote SQL Path. For example, SQL1\SQLEXPRESS,1444. |
Postgres Configuration |
If you set the Database Server Type to PostgreSQL Server, specify the following settings:
Click Test to test the connection. |
Install local Tanium Module Server | Select this option only if you are installing a POC deployment in which the Tanium Server and Module Server run on the same host system. |
Open Tanium Ports in Windows Firewall | Select this option to open Tanium Server ports in the Windows Firewall. Ports 443 and 17472 are the default port numbers. |
Set Administrator Account | (Fresh installation only) Set the Username and Password for the initial Tanium Console administrator account. This is the account that you will use when you first sign in to the Console. Subsequently, you can create additional users. For Active Directory accounts, use DOMAIN\username or UPN format. For example, TAM\TaniumAdmin or [email protected]. For local accounts, use MACHINE\username syntax. |
Choose Start Menu Folder | (Fresh installation only) Select a folder for the Tanium Server in the Windows Start menu. The default is Tanium Server. |
Relocate the package file repository
The Tanium Server downloads package files that are associated with actions and stores them in the <Tanium Server installation directory>\Downloads directory by default. Optionally, you can change the directory if another drive on the server has better resources for storing package downloads.
To monitor repository usage and manually clear expired files, see Tanium Console User Guide: Manage the package file repository.
- Create the new package downloads directory (such as E:\Tanium\Downloads) if it does not already exist.
- Verify that the Tanium Server and Tanium database are properly backed up. See Back up Tanium Core Platform servers and databases.
- Sign in to the Tanium Server host as the Administrator user.
- Open the Windows Services program, right-click the Tanium Server service, and select Stop.
- Copy all the files and subdirectories from <Tanium Server installation directory>\Downloads to the new directory.
- Open a Command Prompt and navigate to the Tanium Server installation directory:
    cd <installation directory>
- Configure the Tanium Server to use the new package downloads directory:
    TaniumReceiver config set-string DownloadPath <downloads directory>
- Open the Windows Services program, right-click the Tanium Server service, and select Start.
- Verify that the server uses the new directory for package downloads:
  - Sign in to the Tanium Console as a user who is assigned the Administrator reserved role.
  - From the Main menu, go to Administration > Configuration > Package File Repository.
  - Verify that the Download Cache Folder Path shows the new directory.
- Remove the original Downloads directory from the Tanium Server.
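The stop, copy, reconfigure, and start steps above can be scripted as follows. This is an added example, not Tanium tooling: it inserts a SHA-256 comparison of the two directory trees before the server is pointed at the new location, and it restarts the service even if a step fails. The service display name 'Tanium Server' and the Get-TreeDigest helper are assumptions; the paths are the default install location and the sample directory from the steps.

```powershell
# Added example (not Tanium tooling). Run in an elevated PowerShell session.
$ErrorActionPreference = 'Stop'
$installDir = 'C:\Program Files\Tanium\Tanium Server'  # default install location
$oldDir     = Join-Path $installDir 'Downloads'
$newDir     = 'E:\Tanium\Downloads'                     # sample path from the steps
# Assumption: the display name matches what the Services program shows.
$svc        = Get-Service -DisplayName 'Tanium Server'

# Relative path plus SHA-256 for every file under a root, as one sorted string.
# Get-TreeDigest is a hypothetical helper defined only for this example.
function Get-TreeDigest([string]$Root) {
    $base  = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    $lines = Get-ChildItem -LiteralPath $base -Recurse -File | ForEach-Object {
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        '{0}|{1}' -f $_.FullName.Substring($base.Length), $hash
    }
    (@($lines) | Sort-Object) -join "`n"
}

New-Item -ItemType Directory -Path $newDir -Force | Out-Null
$svc | Stop-Service
try {
    # /E copies all subdirectories; /SEC keeps NTFS ACLs on what is copied.
    robocopy $oldDir $newDir /E /SEC /R:2 /W:5 /NP | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

    # Refuse to switch the server over if the copy is incomplete or altered.
    if ((Get-TreeDigest $oldDir) -ne (Get-TreeDigest $newDir)) {
        throw "Contents of $newDir do not match $oldDir"
    }

    Push-Location $installDir
    try     { .\TaniumReceiver config set-string DownloadPath $newDir }
    finally { Pop-Location }
}
finally {
    $svc | Start-Service   # restart even if a step above failed
}
```

The script leaves the original Downloads directory in place so that the Console verification step can be completed before that directory is removed.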
Next steps
-
Install the remote Module Server. See Installing the Tanium Module Server.
- (Optional) Integrate the Tanium Server with a hardware security module (HSM) if your organization uses an HSM to store and manage digital keys. See Tanium Core Platform Deployment Reference Guide: Securing keys with an HSM.
Last updated: 6/9/2022 9:52 AM