Installing Tanium Zone Server

Overview

In Tanium deployments, Tanium Clients initiate connections with the Tanium Server. However, enterprise network security policies typically do not allow endpoints that reside in an external, untrusted network to initiate connections to resources such as the Tanium Server that reside in a trusted, internal network. To enable the Tanium Server to manage external endpoints, deploy one or more Tanium Zone Servers in your DMZ to proxy communication from the external endpoints.

The following figure illustrates Zone Server communication. The Zone Server is installed as a service, typically on an existing, shared device in the DMZ. It communicates with the Tanium Server through a Tanium™ Zone Server Hub process that you install on a host computer in the internal network, typically the Tanium Server host computer. You configure Tanium Clients on external endpoints to register with the Zone Server as if it were the primary Tanium Server.

To optimize performance, the Zone Server caches sensor definitions, configuration information, and package files associated with actions. It provides these resources to Tanium Clients without having to re-request them from the Tanium Server.

When using Tanium to manage external endpoints, be mindful that they might not have the same access to internal resources as internal endpoints. Target actions so that Tanium Clients on external endpoints do not attempt to access resources on the internal network, like an Active Directory server, or package files staged on an internal URL.

Figure 1: Zone Server deployment

Before you begin

Make sure:

  • You have the right version of the installer. The installation package for all servers must have the same build number (for example, all must have build number 7.3.314.3641). Contact your Tanium technical account manager (TAM).
  • All of the host computers meet the system requirements.
  • Your network administrator has configured firewall rules to allow communication from the Zone Server Hub to the Zone Server on TCP port 17472.
  • Your security team has configured exceptions to host-based security policies to allow Tanium processes to operate smoothly and at optimal performance.

Install the Tanium Zone Server

This section provides procedures for the following workflow:

  1. Run the installer on the Zone Server Hub host computer and configure a Zone Server list that defines the Zone Servers with which it can communicate. In this example, the Tanium Server host computer is also the Zone Server Hub host computer.

  2. Run the installer on one or more Zone Server host computers in the DMZ.

The Tanium Zone Server installer takes the following actions:

  • Opens TCP port 17472 in the local host computer Windows Firewall.
  • Installs Tanium Zone Server Hub or Zone Server on the local host computer and starts the service.

Install the Zone Server Hub

  1. Log in as an administrator user on the internal network host system where you will install the Zone Server Hub.
  2. Copy the installation package file (SetupZoneServer.exe) to a temporary location.
  3. Right-click SetupZoneServer.exe and select Run as administrator.
  4. Complete the installation wizard. The following guidelines apply to the key settings.

    Setting: Choose Install Location
    Guideline: The default is C:\Program Files (x86)\Tanium\Tanium Zone Server.

    Setting: Choose Service Account for Tanium Zone Server
    Guideline: Select one of the following options:
      • Specify Account: Specify a service account to run the Tanium Zone Server Service on the local host computer. Specify the following details:
        • User Name: Just the account name portion of the credentials. For example, taniumsvc.
        • Domain: The fully qualified domain name. For example, example.com.
        • Password: The corresponding password.
      • Local System Account: Select this option to install software and run the service in the context of the Local System account.

    Setting: Server Address
    Guideline: Specify the FQDN or IP address of the Tanium Server. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).

    Setting: Server Port
    Guideline: The default is 17472.

    Setting: Public Key File
    Guideline: The path to the Tanium Server public key. The Tanium Server public key is used to set up secure communication between the Zone Server Hub and Zone Server.

    Setting: Make this server the hub server.
    Guideline: Select this option when you run the installer on the internal network host computer (such as the Tanium Server host computer in this example).

    Setting: Allowed Hub IP Address
    Guideline: Not applicable for the installation on the Zone Server Hub host.

  5. Run Notepad as Administrator: right-click Notepad.exe and select Run as Administrator.
  6. Open C:\Program Files (x86)\Tanium\Tanium ZoneServer\ZoneServerList.txt.
  7. Add one line with the Tanium Zone Server FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]). If you deploy multiple Zone Servers, list one entry per line.
    If Tanium Servers are configured for high availability (HA), ensure that each Zone Server Hub has unique entries in its Zone Server List. Do not configure multiple hubs to communicate with the same Zone Server.
  8. Save the file as an ASCII plain text file (not RTF).
  9. (Non-local hub only) If the Zone Server Hub resides on a different host than the Tanium Server, configure the following Windows registry values on the Tanium Server.

    Value: AllowedHubs
    Type: REG_SZ
    Guideline: A comma-separated list of Zone Server Hubs that are authorized to communicate with this Tanium Server. Specify the hubs by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]). The default value is 127.0.0.1 (localhost).

    Value: EnforceAllowedHubs
    Type: REG_DWORD
    Guideline: The default value 1 specifies that the Tanium Server enforces the AllowedHubs setting: only Zone Server Hubs listed in AllowedHubs can communicate with the Tanium Server. The value 0 enables any Zone Server Hub to communicate with the Tanium Server regardless of the AllowedHubs setting.
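The Zone Server list and firewall prerequisite above, as an added PowerShell example run on the Zone Server Hub host (this is not Tanium's own tooling). It assumes the default ZoneServerList.txt path from this procedure; the Zone Server entries are constructed sample values (zs1.tam.local is the example name used later on this page).

```powershell
# Added example, not Tanium's own tooling: build ZoneServerList.txt for the Zone Server Hub
# and confirm that each listed Zone Server accepts TCP 17472 from this hub host.
# Assumptions: $ListPath is the default path from the procedure; $ZoneServers are
# constructed sample entries.

$ListPath    = 'C:\Program Files (x86)\Tanium\Tanium ZoneServer\ZoneServerList.txt'
$ZoneServers = @('zs1.tam.local', '[2001:db8::1]')

function Test-ZoneServerEntry {
    param([string]$Entry)
    # IPv6 literals must be wrapped in square brackets; a bare IPv6 literal
    # (anything containing ':' without brackets) is rejected.
    if ($Entry -match '^\[[0-9A-Fa-f:.]+\]$') { return $true }
    if ($Entry -match ':') { return $false }
    # Otherwise accept an FQDN/hostname or an IPv4 literal.
    return $Entry -match '^[A-Za-z0-9][A-Za-z0-9.-]*$'
}

function Write-ZoneServerList {
    param([string]$Path, [string[]]$Entries)
    $bad = $Entries | Where-Object { -not (Test-ZoneServerEntry $_) }
    if ($bad) { throw "Invalid Zone Server entries: $($bad -join ', ')" }
    # Duplicates within this hub's list are dropped. The HA caveat (no two hubs
    # sharing one Zone Server) spans several hubs and is not checked here.
    $unique = @($Entries | Select-Object -Unique)
    # One entry per line, ASCII plain text, as the procedure requires.
    Set-Content -Path $Path -Value $unique -Encoding ASCII
    return $unique
}

function Test-ZoneServerPort {
    param([string[]]$Entries, [int]$Port = 17472)
    foreach ($entry in $Entries) {
        # Test-NetConnection takes the bare address, so strip the IPv6 brackets.
        $target = $entry.Trim('[', ']')
        $r = Test-NetConnection -ComputerName $target -Port $Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            ZoneServer = $entry
            Port       = $Port
            Reachable  = $r.TcpTestSucceeded
        }
    }
}

$written = Write-ZoneServerList -Path $ListPath -Entries $ZoneServers
Test-ZoneServerPort -Entries $written | Format-Table -AutoSize
```

A Reachable value of False for an entry points at the firewall rule from the prerequisites (hub to Zone Server on TCP 17472) or at a Zone Server service that is not yet running.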

Install the Zone Server

  1. Go to the Tanium Server host system installation directory and copy the Tanium Server SSL public key file (tanium.pub) to the Tanium Zone Server host computer so you can select it when you run the installer.
  2. Log into the Tanium Zone Server host computer as an administrator user.
  3. Copy the installation package file to a temporary location.
  4. Right-click the SetupZoneServer.exe file and select Run as administrator.
  5. Complete the installation wizard. The following guidelines apply to the key settings.

    Setting: Choose Install Location
    Guideline: The default is C:\Program Files (x86)\Tanium\Tanium Zone Server.

    Setting: Choose Service Account for Tanium Zone Server
    Guideline: Select one of the following options:
      • Specify Account: Specify a service account to run the Tanium Zone Server Service on the local host computer. Specify the following details:
        • User Name: Just the account name portion of the credentials. For example, taniumsvc.
        • Domain: The fully qualified domain name. For example, example.com.
        • Password: The corresponding password.
      • Local System Account: Select this option to install software and run the service in the context of the Local System account.

    Setting: Server Address
    Guideline: Specify the FQDN or IP address of the Tanium Server.

    Setting: Server Port
    Guideline: The default is 17472.

    Setting: Public Key File
    Guideline: The path to the Tanium Server public key. The Tanium Server public key is used to set up secure communication between the Zone Server Hub and Zone Server.

    Setting: Make this server the hub server.
    Guideline: Make sure this option is not selected when you run the installer on the Tanium Zone Server host computer.

    Setting: Allowed Hub IP Address
    Guideline: A comma-separated list of IP addresses of Zone Server Hubs that are authorized to communicate with this Zone Server. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
    This option enhances security by restricting access to only those hubs that are explicitly specified. If you do not want to restrict allowed hubs, go to the Tanium Zone Server Windows Registry (HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Tanium\Tanium ZoneServer) and set EnforceAllowedHubs to 0.

  6. On the Tanium Server host computer, go to Windows Services and restart the Tanium Server service.
  7. On the Zone Server Hub host computer, go to Windows Services and restart the Tanium Zone Server service.
  8. On the Zone Server host computer, go to Windows Services and restart the Tanium Zone Server service.
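The hub restriction described under Allowed Hub IP Address, as an added PowerShell audit to run on the Zone Server host after the services restart (this is not Tanium's own tooling). It assumes the registry key path given in this procedure; the value name AllowedHubs on the Zone Server side is an assumption (the page names only EnforceAllowedHubs there), and $ExpectedHubs is a constructed sample value.

```powershell
# Added example, not Tanium's own tooling: audit the Zone Server's hub restriction.
# Assumptions: the key path is the one from this procedure; AllowedHubs as the value
# name holding the installer's Allowed Hub IP Address list is an assumption;
# $ExpectedHubs is a constructed sample (the address of the hub you deployed).

$ZoneServerKey = 'HKLM:\SOFTWARE\Wow6432Node\Tanium\Tanium ZoneServer'
$ExpectedHubs  = @('10.0.0.5')

function Get-ZoneServerHubPolicy {
    param([string]$Key)
    $props = Get-ItemProperty -Path $Key -ErrorAction Stop
    [pscustomobject]@{
        Enforce     = [int]($props.EnforceAllowedHubs)
        AllowedHubs = @(($props.AllowedHubs -split ',') |
                        ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
}

function Test-ZoneServerHubPolicy {
    param([string]$Key, [string[]]$Expected)
    $policy   = Get-ZoneServerHubPolicy -Key $Key
    $findings = @()
    # With EnforceAllowedHubs = 0 any host that reaches TCP 17472 can act as a hub.
    if ($policy.Enforce -ne 1) {
        $findings += 'EnforceAllowedHubs is not 1: hub restriction is disabled'
    }
    $unexpected = @($policy.AllowedHubs | Where-Object { $Expected -notcontains $_ })
    if ($unexpected.Count -gt 0) {
        $findings += "AllowedHubs lists hubs you did not deploy: $($unexpected -join ', ')"
    }
    $missing = @($Expected | Where-Object { $policy.AllowedHubs -notcontains $_ })
    if ($missing.Count -gt 0) {
        $findings += "AllowedHubs is missing expected hubs: $($missing -join ', ')"
    }
    [pscustomobject]@{
        Key      = $Key
        Pass     = ($findings.Count -eq 0)
        Findings = $findings
    }
}

Test-ZoneServerHubPolicy -Key $ZoneServerKey -Expected $ExpectedHubs | Format-List
```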

Verify the deployment

  1. On the Tanium Server host computer, use the Tanium Client Deployment Tool to deploy the Tanium Client to the Tanium Zone Server host computer. In the configuration, for Tanium Server, specify the Zone Server FQDN (zs1.tam.local in this example).
  2. In Interact, ask Get Computer Name and Tanium Server Name from all machines and verify that the Tanium Client on the Zone Server is reporting via the Tanium Zone Server.

    If verification fails, see Troubleshoot server installation issues.

Last updated: 2/22/2019 12:22 PM