
Installing Tanium Zone Server

This chapter describes how to install the Tanium™ Zone Server component.

Overview

In Tanium deployments, Tanium™ Clients initiate communication with Tanium™ Server. Your enterprise network security policies likely do not allow endpoints that reside in the untrusted network to initiate connections to resources that reside in the internal network, such as Tanium Server. To enable Tanium Server to manage these endpoints, you can deploy one or more Tanium Zone Servers in the DMZ to proxy communication from the external endpoints.

The figure below illustrates Zone Server communication. The Zone Server is installed as a service, typically on an existing, shared device in the DMZ. It communicates with the Tanium Server through a Zone Server Hub process that you install on a host computer in the internal network, typically the Tanium Server host computer. You set up external clients to register with the Zone Server as if it were the primary Tanium Server.

To optimize performance, the Zone Server caches sensor definitions, configuration information, and the files packaged in actions. It provides these resources to clients without having to re-request them from the Tanium Server.

When using Tanium to manage external clients, be mindful that they might not have the same access to internal resources as internal clients. Target actions so that external clients are not instructed to attempt to access resources on the internal network, like an Active Directory server, or package files staged on an internal URL.

Figure 1: Zone Server deployment

Before you begin

Make sure:

  • You have the right version of the installer. The installation package for all servers must have the same build number (for example, all must have build number 7.2.314.3246). Contact your Tanium technical account manager (TAM).
  • All of the host computers meet the system requirements.
  • Your network administrator has configured firewall rules to allow communication between the Zone Server hub and Zone Server on TCP port 17472.
  • Your security team has configured exceptions to host-based security policies to allow Tanium processes to operate smoothly and at optimal performance.

Install the Tanium Zone Server

This section provides procedures for the following workflow:

  1. Run the installer on the Zone Server hub host computer and configure a Zone Server list that defines the Zone Servers with which it can communicate. In this example, the Tanium Server host computer is also the Zone Server hub host computer.

  2. Run the installer on one or more Zone Server host computers in the DMZ.

The Tanium Zone Server installer takes the following actions:

  • Opens TCP port 17472 in the local host computer Windows Firewall.
  • Installs Tanium Zone Server hub or Zone Server on the local host computer and starts the service.

Install the Zone Server Hub

  1. Log into the internal network host system as an administrator user.
  2. Copy the installation package file to a temporary location.
  3. Right-click the SetupZoneServer.exe file and select Run as administrator.
  4. Complete the installation wizard.
  5. Use the following guidelines for the key settings:

     Choose Install Location
       The default is C:\Program Files (x86)\Tanium\Tanium Zone Server.

     Choose Service Account for Tanium Zone Server
       Specify Account: specify a service account to run the Tanium Zone Server Service on the local host computer. Specify the following details:
         • User Name: just the account name portion of the credentials. For example, taniumsvc.
         • Domain: the fully qualified domain name. For example, example.com.
         • Password: the corresponding password.
       Local System Account: select this option to install software and run the service in the context of the Local System account.

     Server Address
       Specify the FQDN or IP address of Tanium Server.

     Server Port
       The default is 17472.

     Public Key File
       The path to the Tanium Server public key. The Tanium Server public key is used to set up secure communication between the Zone Server Hub and Zone Server.

     Make this server the hub server
       Select this option when you run the installer on the internal network host computer (such as the Tanium Server host computer in this example).

     Allowed Hub IP Address
       Not applicable for the installation on the Zone Server Hub host.

  6. Run Notepad as Administrator. (Right-click Notepad.exe and select Run as Administrator.)
  7. Open C:\Program Files (x86)\Tanium\Tanium ZoneServer\ZoneServerList.txt.
  8. Add one line with the Tanium Zone Server FQDN or IP address. If you deploy multiple Zone Servers, list one entry per line.
  9. Save the file. Make sure it is saved as an ASCII plain text file (not RTF).
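Steps 6 through 9 above amount to writing one plain ASCII file with one Zone Server per line; a file saved with a Unicode byte-order mark, as RTF, or with stray whitespace will not parse as the hub expects. The following PowerShell script is an added example (not Tanium's own tooling) that writes the list and then checks the saved file for exactly those problems before you restart the hub service. It assumes the hub file path named in the procedure and uses constructed sample Zone Server names.

```powershell
# Added example, not Tanium's code: write ZoneServerList.txt as plain ASCII and
# validate it before the Zone Server hub service is restarted.
# Assumptions: $ListPath is the path given in the procedure above; the Zone
# Server names are constructed sample values for this example.

$ListPath    = 'C:\Program Files (x86)\Tanium\Tanium ZoneServer\ZoneServerList.txt'
$ZoneServers = @('zs1.tam.local', 'zs2.tam.local')   # constructed sample entries

function Write-ZoneServerList {
    param([string]$Path, [string[]]$Servers)
    # One entry per line, ASCII encoding (no BOM), CRLF line endings, blank lines dropped.
    $content = ($Servers | ForEach-Object { $_.Trim() } | Where-Object { $_ }) -join "`r`n"
    [System.IO.File]::WriteAllText($Path, $content + "`r`n", [System.Text.Encoding]::ASCII)
}

function Test-ZoneServerList {
    param([string]$Path)
    $problems = @()
    $bytes = [System.IO.File]::ReadAllBytes($Path)

    # A UTF-8 BOM (EF BB BF) or UTF-16 BOM (FF FE / FE FF) means the editor did not save plain ASCII.
    if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        $problems += 'UTF-8 byte-order mark present; save as ASCII'
    }
    if ($bytes.Length -ge 2 -and (($bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) -or ($bytes[0] -eq 0xFE -and $bytes[1] -eq 0xFF))) {
        $problems += 'UTF-16 byte-order mark present; save as ASCII'
    }
    # Any byte above 0x7F is not ASCII (smart quotes, non-breaking spaces, accented characters).
    if ($bytes | Where-Object { $_ -gt 0x7F }) { $problems += 'non-ASCII bytes present' }
    # RTF documents begin with the literal "{\rtf" header.
    $head = [System.Text.Encoding]::ASCII.GetString($bytes, 0, [Math]::Min(5, $bytes.Length))
    if ($head -eq '{\rtf') { $problems += 'file is RTF, not plain text' }

    $lines = Get-Content -Path $Path | Where-Object { $_.Trim() }
    if (-not $lines) { $problems += 'no Zone Server entries found' }
    foreach ($line in $lines) {
        # One host per line: embedded or surrounding whitespace breaks the entry.
        if ($line -match '\s') { $problems += "entry contains whitespace: '$line'" }
        # An FQDN must resolve from the hub host; an IP address literal is accepted as-is.
        if (-not [System.Net.IPAddress]::TryParse($line, [ref]$null)) {
            try { [System.Net.Dns]::GetHostAddresses($line) | Out-Null }
            catch { $problems += "cannot resolve '$line' from this host" }
        }
    }
    return $problems
}

Write-ZoneServerList -Path $ListPath -Servers $ZoneServers
$issues = Test-ZoneServerList -Path $ListPath
if ($issues) { $issues | ForEach-Object { "PROBLEM: $_" } } else { "ZoneServerList.txt is plain ASCII and every entry resolves" }
```

Run it in an elevated PowerShell session on the hub host, since the install directory under Program Files is not writable by a standard user. The resolution check is only meaningful from the hub host itself, because that is the host that will open the TCP 17472 connection to each listed Zone Server.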

Install the Zone Server

  1. Go to the Tanium Server host system installation directory and copy the Tanium Server SSL public key file (tanium.pub) to the Tanium Zone Server host computer so you can select it when you run the installer.
  2. Log into the Tanium Zone Server host computer as an administrator user.
  3. Copy the installation package file to a temporary location.
  4. Right-click the SetupZoneServer.exe file and select Run as administrator.
  5. Complete the installation wizard.
  6. Use the following guidelines for the key settings:

     Choose Install Location
       The default is C:\Program Files (x86)\Tanium\Tanium Zone Server.

     Choose Service Account for Tanium Zone Server
       Specify Account: specify a service account to run the Tanium Zone Server Service on the local host computer. Specify the following details:
         • User Name: just the account name portion of the credentials. For example, taniumsvc.
         • Domain: the fully qualified domain name. For example, example.com.
         • Password: the corresponding password.
       Local System Account: select this option to install software and run the service in the context of the Local System account.

     Server Address
       This field does not apply when you install the Zone Server.

     Server Port
       The default is 17472.

     Public Key File
       The path to the Tanium Server public key. The Tanium Server public key is used to set up secure communication between the Zone Server Hub and Zone Server.

     Make this server the hub server
       Make sure this option is not selected when you run the installer on the Tanium Zone Server host computer.

     Allowed Hub IP Address
       A comma-separated list of IP addresses of the Zone Server Hub(s) that are authorized to communicate with this Zone Server.

       This option enhances security by restricting access to only the hubs that are explicitly specified. If you do not want to restrict allowed hubs, go to the Tanium Zone Server Windows Registry and set EnforceAllowedHubs to 0.


  7. On the Tanium Server host computer, go to Windows Services and restart the Tanium Server service.
  8. On the Zone Server hub host computer, go to Windows Services and restart the Tanium Zone Server service.
  9. On the Zone Server host computer, go to Windows Services and restart the Tanium Zone Server service.

Verify the deployment

  1. On the Tanium Server host computer, use the Tanium Client Deployment Tool to deploy the Tanium Client to the Tanium Zone Server host computer. In the configuration, for Tanium Server, specify the Zone Server FQDN (zs1.tam.local in this example).
  2. In Interact, ask Get Computer Name and Tanium Server Name from all machines and verify that the Tanium Client on the Zone Server is reporting via the Tanium Zone Server.

Troubleshoot

If verification fails:

  1. Check the status of the Windows Service for the Tanium Server, Zone Server, Zone Server hub, and Tanium Client. Start any services that are not started.
  2. Check the Windows registry for typos or missing values.
  3. Test connectivity in both directions: hub to Zone Server and Zone Server to hub. You can use whatever utility you like to test connectivity. The following examples show how to use Portqry to check if a remote server is listening on a specified port.

    c:\>portqry -n zs1.tam.local -p tcp -e 17472
    Querying target system called:
    zs1.tam.local
    Attempting to resolve name to IP address...
    Name resolved to 10.10.10.15
    querying...
    TCP port 17472 (unknown service): LISTENING
    c:\>

    c:\>portqry -n ts1.tam.local -p tcp -e 17472
    Querying target system called:
    ts1.tam.local
    Attempting to resolve name to IP address...
    Name resolved to 10.10.10.11
    querying...
    TCP port 17472 (unknown service): LISTENING
    c:\>

    If you can reach the remote server and get an answer (LISTENING), then the issue is not with basic connectivity. If you cannot reach the remote server, you might need to work with your network and security administrators to resolve it.

  4. Make sure DNS can resolve each FQDN to its IP address. The Portqry example above already shows DNS resolution; you can also use nslookup.

    c:\>nslookup zs1.tam.local
    Server: Unknown
    Address: 10.10.10.10
    Name: zs1.tam.local
    Address: 10.10.10.15

    c:\>nslookup ts1.tam.local
    Server: Unknown
    Address: 10.10.10.10
    Name: ts1.tam.local
    Address: 10.10.10.11

    If DNS resolution fails, work with your network administrator to resolve it. If that is not possible, you can reconfigure the connection settings using the IP address instead of FQDN.

  5. If you are unable to resolve the issue with the previous steps, contact your TAM. First, increase the log level and reproduce the issue:
    • Set log verbosity level to 41 on the Tanium Client, the Zone Server and Zone Server hub, and the Tanium Server.
    • After you have increased logging, reproduce the issue (that is, re-ask the question you used to verify the deployment).
    • Examine both server and client logs. Your TAM can analyze the logs.
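Troubleshooting steps 1, 3 and 4 above can be run together from one host. The PowerShell script below is an added example (not Tanium's own tooling) that lists the state of the Tanium services on the local host, resolves and probes TCP 17472 on each peer, and confirms that an enabled inbound firewall rule for that port still exists (the installer is documented to open it). It assumes the constructed host names from this page (zs1.tam.local, ts1.tam.local), matches service display names with the wildcard Tanium* rather than assuming exact names, and needs the Test-NetConnection, Resolve-DnsName and NetSecurity cmdlets available on Windows Server 2012 and later.

```powershell
# Added example, not Tanium's code: run the connectivity, DNS, service and
# firewall checks from the troubleshooting steps on one host.
# Assumptions: $Peers holds the constructed sample names from this page; run it
# on the hub to check the Zone Server and on the Zone Server to check the hub.

$Port  = 17472
$Peers = @('zs1.tam.local', 'ts1.tam.local')

function Get-TaniumServiceStatus {
    # Step 1: every Tanium service on this host should be Running.
    # Display names are matched with a wildcard; exact names are not assumed here.
    Get-Service -DisplayName 'Tanium*' | Select-Object DisplayName, Status, StartType
}

function Test-TaniumDns {
    param([string]$Name)
    # Step 4: the FQDN must resolve to an A record, mirroring the nslookup check above.
    try {
        $a = Resolve-DnsName -Name $Name -Type A -ErrorAction Stop | Where-Object { $_.Type -eq 'A' }
        [pscustomobject]@{ Check = 'DNS'; Target = $Name; Ok = $true;  Detail = ($a.IPAddress -join ',') }
    } catch {
        [pscustomobject]@{ Check = 'DNS'; Target = $Name; Ok = $false; Detail = $_.Exception.Message }
    }
}

function Test-TaniumPort {
    param([string]$Computer, [int]$TcpPort)
    # Step 3: TCP reachability, the equivalent of 'portqry -n <host> -p tcp -e 17472'.
    $r = Test-NetConnection -ComputerName $Computer -Port $TcpPort -WarningAction SilentlyContinue
    [pscustomobject]@{ Check = 'TCP'; Target = "$Computer`:$TcpPort"; Ok = $r.TcpTestSucceeded; Detail = "resolved to $($r.RemoteAddress)" }
}

function Test-TaniumFirewallRule {
    param([int]$TcpPort)
    # The installer opens TCP 17472 inbound in Windows Firewall; confirm an enabled Allow rule is still present.
    $rules = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq "$TcpPort" } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' }
    [pscustomobject]@{ Check = 'Firewall'; Target = "TCP $TcpPort inbound"; Ok = (@($rules).Count -gt 0); Detail = (@($rules).DisplayName -join '; ') }
}

Get-TaniumServiceStatus | Format-Table -AutoSize
$results = foreach ($p in $Peers) { Test-TaniumDns -Name $p; Test-TaniumPort -Computer $p -TcpPort $Port }
$results += Test-TaniumFirewallRule -TcpPort $Port
$results | Format-Table -AutoSize
```

A failed TCP check with a successful DNS check points at the network path or a host firewall between hub and Zone Server, which is the case the page tells you to take to your network and security administrators; a failed DNS check is the case where the page suggests falling back to IP addresses in the connection settings. Run the script on both sides, since the hub-to-Zone-Server and Zone-Server-to-hub paths cross different firewall boundaries.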

Last updated: 7/17/2018 3:11 PM