Installing the Tanium Server

This topic describes how to install a standalone Tanium Server on a dedicated Windows Server host. For details about the Tanium Server and its deployment options, see Tanium Server. To install Tanium Servers in a high availability (HA) deployment, see Installing Tanium Servers in an active-active HA cluster.

The Tanium Server installer performs the following actions:

  • Installs any necessary database tools, such as Microsoft SQL Server client tools and utilities.
  • Creates the Tanium databases on a remote database server and initializes the database tables in those databases.
  • Opens required ports in the local host computer Windows Firewall.
  • Installs the Tanium Server on the local host computer and starts the Tanium Server service. The service starts the application server that hosts the Tanium Console. The certificate and private key that you specify during installation establish Hypertext Transfer Protocol Secure (HTTPS) access to the Tanium Console and API.

Before you begin

Ensure that you meet the following requirements before installing the Tanium Server:

  • You have the right version of the installer. The installation package for all Tanium Core Platform servers must have the same build number (for example, all must have build number 7.4.3.1204). Contact your Tanium Technical Account Manager (TAM) for details.
  • You can access the installer package and license file.
  • The host system meets the hardware, software, and network connectivity requirements suitable for your deployment. For details, see Requirements.
  • Your Microsoft Active Directory administrator has configured the accounts that your team needs for the Tanium Core Platform deployment. For details, see Administrator account permissions.
  • Your network administrator has configured firewall rules to allow communication on the TCP ports that the Tanium Core Platform uses. For details, see Internet access, network connectivity, and firewall.
  • Your security team has configured exceptions to host-based security policies to allow Tanium processes to operate smoothly and at optimal performance. For details, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.
  • If you want to use a certificate issued by a certificate authority (CA) to secure connections from user systems to the Tanium Server for Tanium Console or API access, ensure that the CA-issued certificate and associated private key are present on the Tanium Server. The certificate file name must be SOAPServer.crt and the key file name must be SOAPServer.key. During installation, you can select a CA-issued certificate or configure the Tanium Server to generate a self-signed certificate. As a best practice to facilitate troubleshooting, use the self-signed certificate during initial installation and replace it with a CA-issued certificate later. This practice enables you to separate potential installation issues from TLS connection issues. For details, see Tanium Core Platform Deployment Reference Guide: Securing Tanium Console, API, and Module Server access.
  • Your database administrator has created a database server for the Tanium Core Platform deployment. The administrator must also configure a privileged domain administrator account that you can use to create the Tanium databases when you run the installer.

    The Windows Secondary Login service (seclogon) must have its Startup type set to Automatic or Manual, not Disabled, or else the Tanium database installation will fail.

    Decide the type of database to use:

    • PostgreSQL server: Check with your Technical Account Manager (TAM) if you are interested in deploying Tanium with a PostgreSQL Server. A special distribution of PostgreSQL Server is required. For details, see the Tanium Support Knowledge Base article (login required).
    • Microsoft SQL server: If you plan to deploy with an SQL Server, the best practice is to install SQL Server Management Studio on the Tanium Server host computer before you run the installer. SQL Server Management Studio is optional, but most Tanium administrators find it useful to verify database transactions and to manage the databases. If you install SQL Server Management Studio before you run the installer, the installer does not call the Microsoft SQL Server utilities installers.

As a best practice for additional security, provision a non-system hard drive for the Tanium Server installation.
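The requirements above that can be tested on the host itself, as an added PowerShell example (not part of the Tanium documentation or tooling). The staging folder, database host name and install drive are assumed values, and the certificate checks apply only if you plan to select a CA-issued certificate in the wizard.

```powershell
# Added example: pre-installation checks for the Tanium Server host.
param(
    [string]$StagingDir   = 'C:\Temp\TaniumInstall', # assumed folder holding the certificate and key
    [string]$SqlHost      = 'SQL1',                  # database server (example name from this page)
    [int]   $SqlPort      = 1433,                    # SQL Server default; change for a custom port
    [string]$InstallDrive = 'D:'                     # assumed non-system drive for the install
)

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
}

# Secondary Logon must be Automatic or Manual, or database creation fails.
$svc = Get-CimInstance Win32_Service -Filter "Name='seclogon'"
Add-Check 'seclogon not disabled' ($svc -and $svc.StartMode -ne 'Disabled') "StartMode=$($svc.StartMode)"

# Only needed when a CA-issued certificate will be selected in the wizard.
$crt = Join-Path $StagingDir 'SOAPServer.crt'
$key = Join-Path $StagingDir 'SOAPServer.key'
Add-Check 'SOAPServer.key present' (Test-Path -LiteralPath $key -PathType Leaf) $key
if (Test-Path -LiteralPath $crt -PathType Leaf) {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($crt)
    $san  = $cert.Extensions['2.5.29.17']            # subjectAltName extension
    $sanText = if ($san) { $san.Format($false) } else { '(no subjectAltName)' }
    Add-Check 'SOAPServer.crt within validity' `
        ($cert.NotBefore -le (Get-Date) -and $cert.NotAfter -gt (Get-Date)) `
        "NotAfter=$($cert.NotAfter.ToString('u')); $sanText"
} else {
    Add-Check 'SOAPServer.crt present' $false $crt
}

# TCP reachability of the database server from this host.
$reachable = Test-NetConnection -ComputerName $SqlHost -Port $SqlPort `
    -InformationLevel Quiet -WarningAction SilentlyContinue
Add-Check 'database port reachable' $reachable "${SqlHost}:$SqlPort"

# Best practice on this page: install on a non-system drive.
Add-Check 'install drive is not the system drive' `
    (($InstallDrive -ne $env:SystemDrive) -and (Test-Path -LiteralPath "$InstallDrive\")) `
    "Install=$InstallDrive System=$env:SystemDrive"

$results | Format-Table -AutoSize -Wrap
if ($results.Passed -contains $false) { exit 1 }
```

The port test confirms only that a TCP connection can be opened; the wizard's Test button is still what verifies that the account can log in to the database server.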

Install the Tanium Server

  1. Log in to the host system as a local administrator or domain user with administrator permissions.
  2. Copy the installation package file and license to a temporary location.
  3. Right-click the SetupServer.exe file and select Run as administrator.
  4. Complete the installation wizard. The following table provides guidelines for key settings.

    Settings: Guidelines

    Database Server Type: Select the type of database to use:
    • PostgreSQL Server

      Install a remote (production deployments) or local (proof-of-concept (POC) deployments) database server and utilities.

    • Microsoft SQL Server

      The installer displays additional pages for selecting database server and client utilities options.

    Postgres Not Found: If you set the Database Server Type to PostgreSQL Server and the installer cannot find a local PostgreSQL Server installation, the following options appear:
    • Install and configure local Postgres Server.

      This option supports only POC deployments.

    • Use remote Postgres Server.

      This option supports production deployments.

    • Exit the installer now.

      Select this option if you are not ready to make the connection to the remote PostgreSQL Server.

    SQL Command Line Utilities Not Found: If you set the Database Server Type to Microsoft SQL Server and the installer cannot find a local SQL Server installation and SQL utilities, the following options appear:
    • Download and Install SQL 2012 Native Client and SQL 2012 Command Line Utilities now.

      Select this option to install the utilities necessary to connect to a remote SQL server and create databases. If you select this option, and the Tanium installer detects that these utilities are already present on the host system, it does not overwrite the existing installation; it simply does not call the Microsoft installer for the utilities.

    • Download and Install SQL Server 2014 SP2 Express Edition with Tools now.

      Select this option only for limited, proof-of-concept (POC) deployments.

    • Exit the installer now. (Download and install manually)

      Select this option if you want to install the utilities yourself. After you have done so, if you re-run the Tanium installer, you can select the first option, and the Tanium installer will verify that the utilities are present and not call the Microsoft installer.

    Choose type of installation:
    • Custom Install: Select this option for production deployments.
    • Express Install: Select this option only for limited, POC deployments.
    Choose Service Account for Tanium Server and Database Access:
    • Specify Account

      This option is required for production deployments. Specify a service account that can connect to the remote database server and has permissions to create databases. The account you specify will also run the Tanium Server service on the local host computer. Specify the following details:

      • User Name: Just the account name portion of the credentials, such as taniumsvc.
      • Domain: The fully qualified domain name, such as example.com.
      • Password: The account password.

    • Local System Account

      This option is supported only if you set the Database Server Type to Microsoft SQL Server and you are setting up a limited POC deployment where the Tanium Server and database server are on the same local host system.

    Choose Install Location: The default is C:\Program Files\Tanium\Tanium Server. As a best practice for additional security in enterprise production deployments, install the Tanium Server on a non-system hard drive.
    License Configuration: Click Browse, navigate to the directory where you copied the Tanium license file (tanium.license), select the file, and click Open.
    Key Database Restoration: The Tanium Server uses a pki.db file to store the Tanium root keys and subordinate keys that are required for TLS communication among Tanium Core Platform components (see Managing Tanium keys). Select the source for this file:
    • Generate a new key database: The Tanium Server creates a new pki.db file.
    • Restore a key database from backup: If you saved the pki.db file from a previous installation of this Tanium Server, copy it to a temporary location on the current server host, click Browse, select the file, and click Open. Note that you must also restore the Tanium database associated with the backup pki.db file to enable Tanium Clients to connect to that Tanium Server.

    The installer puts the pki.db file in the Tanium Server installation folder.

    Server Console/API Port: Specify the Tanium Server inbound port for traffic from the Tanium Console and API. The default is 443.
    SSL Certificate and Key: The Tanium Server uses the SSL/TLS certificate (SOAPServer.crt) and private key (SOAPServer.key) to secure communication with Tanium Console or API users and communication with the Module Server.
    • Generate Self-Signed Certificate and Key

      If you select this option, the installer generates a self-signed certificate and private key. For the Server Host Name, specify the fully qualified domain name (FQDN) of the Tanium Server. For example, ts1.example.com. If you are deploying an HA pair, specify the FQDN for both servers, separated by a comma (no spaces). For example, ts1.example.com,ts2.example.com.

    • Use Existing Certificate and Key

      To use a CA-issued certificate, select the certificate file and associated private key file. For details, see Tanium Core Platform Deployment Guide: Securing Tanium Console, API, and Module Server access.

    Server Port: Specify the Tanium Server inbound port for traffic from Tanium Clients that are in the internal network. The default is 17472.
    SQL server and database: If you set the Database Server Type to Microsoft SQL Server, you have the following options:
    • Use Local Database

      This option is supported only for POC deployments. When SQL Server is installed on the local host computer, you can select a database server from the Local Instance list box.

    • Use Remote Database

      Select this option and specify the path to the remote database server in the Remote SQL Path text box. The syntax is <hostname>\<database instance name>. For example, SQL1\SQLEXPRESS.

    Click Test to test the connection.

    Tip: If the SQL Server listens on a custom-assigned port (not 1433), specify the port in the Remote SQL Path text box. For example, SQL1\SQLEXPRESS,1444.

    Postgres Configuration: If you set the Database Server Type to PostgreSQL Server, specify the following settings:
    • Server Port: The default is 17472.
    • Server: Specify localhost (default) for a local server, or the FQDN or IP address of the remote server. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
    • Options: Specify additional parameters to pass in the connection. Typically, this is dbname and port. For example, dbname=postgres port=5432 user=postgres.

    Click Test to test the connection.

    Install local Tanium Module Server: Select this option only if you are installing a POC deployment in which the Tanium Server and Module Server run on the same host system.
    Open Tanium Ports in Windows Firewall: Select this option to open Tanium Server ports in the Windows Firewall. Ports 443 and 17472 are the default port numbers.
    Set Administrator Account (Fresh installation only): Set the Username and Password for the initial Tanium Console administrator account. This is the account that you will use when you first log in to the console. Subsequently, you can create additional users. For Active Directory accounts, use DOMAIN\username or UPN format. For example, TAM\TaniumAdmin or [email protected]. For local accounts, use MACHINE\username syntax.
    Choose Start Menu Folder (Fresh installation only): Select a folder for the Tanium Server in the Windows Start menu. The default is Tanium Server.
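Once the wizard finishes, the outcome of the settings above can be confirmed from the host, shown here as an added PowerShell example (not part of the Tanium documentation or tooling). The service display name, the FQDN and the use of TLS 1.2 are assumptions; the install folder and ports are the installer defaults named on this page.

```powershell
# Added example: post-installation checks. Values marked "assumed" are not from the page.
param(
    [string]$ServiceDisplayName = 'Tanium Server',                   # assumed service display name
    [string]$InstallDir  = 'C:\Program Files\Tanium\Tanium Server',  # installer default
    [string]$ConsoleFqdn = 'ts1.example.com',                        # example FQDN from this page
    [int]   $ConsolePort = 443,                                      # Server Console/API Port default
    [int]   $ClientPort  = 17472                                     # Server Port default
)

# 1. Service state and logon account (production installs use a specified service account).
$svc = Get-CimInstance Win32_Service -Filter "DisplayName='$ServiceDisplayName'"
if (-not $svc) { throw "Service '$ServiceDisplayName' not found." }
[pscustomobject]@{ Service = $svc.Name; State = $svc.State; RunsAs = $svc.StartName } | Format-List
if ($svc.StartName -eq 'LocalSystem') {
    Write-Warning 'Service runs as Local System; supported only for a POC with a local SQL Server.'
}

# 2. Both inbound ports should have a listener.
$listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty LocalPort -Unique
foreach ($port in $ConsolePort, $ClientPort) {
    if ($listening -notcontains $port) { Write-Warning "Nothing is listening on TCP $port." }
}

# 3. The installer places the key database in the installation folder.
if (-not (Test-Path -LiteralPath (Join-Path $InstallDir 'pki.db') -PathType Leaf)) {
    Write-Warning "pki.db not found in $InstallDir."
}

# 4. Inspect the certificate the console port presents. The callback accepts any
#    certificate so that a self-signed one can be read; use it for inspection only.
$acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$tcp = [System.Net.Sockets.TcpClient]::new($ConsoleFqdn, $ConsolePort)
try {
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAny)
    $ssl.AuthenticateAsClient($ConsoleFqdn, $null,
        [System.Security.Authentication.SslProtocols]::Tls12, $false)   # TLS 1.2 assumed
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        SelfSigned = ($cert.Subject -eq $cert.Issuer)
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
    } | Format-List
} finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}
```

Recording the thumbprint at this point gives a baseline to compare against after the self-signed certificate is replaced with a CA-issued one.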

Next steps

Install the remote Module Server. See Installing the Tanium Module Server.