Installing Tanium Zone Server

Overview

In Tanium deployments, Tanium Clients initiate connections with the Tanium Server. However, enterprise network security policies typically do not allow endpoints that reside in an external, untrusted network to initiate connections to resources such as the Tanium Server that reside in a trusted, internal network. To enable the Tanium Server to manage external endpoints, deploy one or more Tanium Zone Servers in your DMZ to proxy communication from the external endpoints.

The following figure illustrates Zone Server communication. The Zone Server is installed as a service, typically on an existing, shared device in the DMZ. It communicates with the Tanium Server through a Tanium™ Zone Server Hub process that you install on a host computer in the internal network, typically the Tanium Server host computer. You configure Tanium Clients on external endpoints to register with the Zone Server as if it were the primary Tanium Server.

To optimize performance, the Zone Server caches sensor definitions, configuration information, and package files associated with actions. It provides these resources to Tanium Clients without having to re-request them from the Tanium Server.

When using Tanium to manage external endpoints, be mindful that they might not have the same access to internal resources as internal endpoints. Target actions so that Tanium Clients on external endpoints do not attempt to access resources on the internal network, like an Active Directory server, or package files staged on an internal URL.

Figure 1: Zone Server deployment

Before you begin

Make sure:

  • You have the right version of the installer. The installation package for all servers must have the same build number (for example, all must have build number 7.3.314.3424). Contact your Tanium technical account manager (TAM).
  • All of the host computers meet the system requirements.
  • Your network administrator has configured firewall rules to allow communication between the Zone Server hub and Zone Server on TCP port 17472.
  • Your security team has configured exceptions to host-based security policies to allow Tanium processes to operate smoothly and at optimal performance.

Install the Tanium Zone Server

This section provides procedures for the following workflow:

  1. Run the installer on the Zone Server hub host computer and configure a Zone Server list that defines the Zone Servers with which it can communicate. In this example, the Tanium Server host computer is also the Zone Server hub host computer.

  2. Run the installer on one or more Zone Server host computers in the DMZ.

The Tanium Zone Server installer takes the following actions:

  • Opens TCP port 17472 in the local host computer Windows Firewall.
  • Installs Tanium Zone Server hub or Zone Server on the local host computer and starts the service.

Install the Zone Server Hub

  1. Log into the internal network host system as an administrator user.
  2. Copy the installation package file to a temporary location.
  3. Right-click the SetupZoneServer.exe file and select Run as administrator.
  4. Complete the installation wizard. The following list provides guidelines for the key settings.

     Choose Install Location
       The default is C:\Program Files (x86)\Tanium\Tanium Zone Server.

     Choose Service Account for Tanium Zone Server
       Specify Account: specify a service account that runs the Tanium Zone Server service on the local host computer, with the following details:
         • User Name: just the account name portion of the credentials (for example, taniumsvc).
         • Domain: the fully qualified domain name (for example, example.com).
         • Password: the corresponding password.
       Local System Account: select this option to install the software and run the service in the context of the Local System account.

     Server Address
       The FQDN or IP address of the Tanium Server. Enter IPv6 addresses within square brackets (for example, [2001:db8::1]).

     Server Port
       The default is 17472.

     Public Key File
       The path to the Tanium Server public key (tanium.pub). The hub and the Zone Server use this key to set up secure communication with each other.

     Make this server the hub server.
       Select this option when you run the installer on the internal network host computer (the Tanium Server host computer in this example).

     Allowed Hub IP Address
       Not applicable when you install the Zone Server hub.

  5. Run Notepad as an administrator (right-click Notepad.exe and select Run as administrator).
  6. Open C:\Program Files (x86)\Tanium\Tanium ZoneServer\ZoneServerList.txt.
  7. Add one line with the Tanium Zone Server FQDN or IP address. Enter IPv6 addresses within square brackets (for example, [2001:db8::1]). If you deploy multiple Zone Servers, list one entry per line.
     If Tanium Servers are configured for high availability (HA), make sure that each Zone Server hub has unique entries in its Zone Server list. Do not configure multiple hubs to communicate with the same Zone Server.
  8. Save the file as ASCII plain text (not RTF, and not UTF-8 with a byte-order mark, which Notepad offers as an encoding option).
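The following PowerShell script is an added example, not part of the Tanium documentation, that writes and validates the hub's Zone Server list the way the steps above describe: one entry per line, IPv6 literals in square brackets, saved as plain ASCII, and then restarts the hub service. The file path is the one the procedure gives; the Zone Server names (zs1.tam.local, [2001:db8::1]) and the service display name ('Tanium Zone Server') are assumptions to adjust for your environment (confirm the service name with Get-Service).

```powershell
# Added example, not from the Tanium documentation: build and validate the hub's
# ZoneServerList.txt before restarting the hub service. The path is the one the
# procedure above gives; the Zone Server names and the service display name
# ('Tanium Zone Server') are assumptions to adjust for your environment.
$listPath = 'C:\Program Files (x86)\Tanium\Tanium ZoneServer\ZoneServerList.txt'

# One Zone Server per line. In an HA deployment each hub must list different
# Zone Servers, so keep this array specific to the hub you are configuring.
$zoneServers = @(
    'zs1.tam.local',     # hypothetical Zone Server FQDN
    '[2001:db8::1]'      # IPv6 literal: must be in square brackets
)

function Test-ZoneServerEntry {
    param([string]$Entry)
    $e = $Entry.Trim()
    if ($e -eq '') { return $false }
    if ($e -match '^\[(.+)\]$') {
        # Bracketed: must parse as an IPv6 address.
        $addr = $null
        return ([System.Net.IPAddress]::TryParse($Matches[1], [ref]$addr) -and
                $addr.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6)
    }
    # A colon outside brackets means an unbracketed IPv6 literal: reject it.
    if ($e.Contains(':')) { return $false }
    # Otherwise allow only IPv4 literal or hostname/FQDN characters.
    return ($e -match '^[A-Za-z0-9][A-Za-z0-9.\-]*$')
}

$invalid = @($zoneServers | Where-Object { -not (Test-ZoneServerEntry $_) })
if ($invalid.Count) { throw "Invalid Zone Server entries: $($invalid -join ', ')" }

$duplicates = @($zoneServers | Group-Object | Where-Object Count -gt 1)
if ($duplicates.Count) { throw "Duplicate entries: $($duplicates.Name -join ', ')" }

# Write as 7-bit ASCII, one entry per line, no byte-order mark, no RTF.
[System.IO.File]::WriteAllLines($listPath, [string[]]$zoneServers, [System.Text.Encoding]::ASCII)

# Defensive re-read: confirm the file on disk is pure ASCII before the hub reads it.
$nonAscii = @([System.IO.File]::ReadAllBytes($listPath) | Where-Object { $_ -gt 0x7F })
if ($nonAscii.Count) { throw "$listPath contains non-ASCII bytes; re-save as plain ASCII" }

Get-Service -DisplayName 'Tanium Zone Server' | Restart-Service
"Wrote $($zoneServers.Count) Zone Server entries to $listPath and restarted the hub service."
```

Run it in an elevated PowerShell session on the hub host, because the file sits under Program Files and the service restart needs administrator rights. The script rejects an unbracketed IPv6 literal rather than silently bracketing it, so that a typo in the list fails loudly here instead of as an unexplained connection failure later.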

Install the Zone Server

  1. Go to the Tanium Server host system installation directory and copy the Tanium Server SSL public key file (tanium.pub) to the Tanium Zone Server host computer so you can select it when you run the installer.
  2. Log into the Tanium Zone Server host computer as an administrator user.
  3. Copy the installation package file to a temporary location.
  4. Right-click the SetupZoneServer.exe file and select Run as administrator.
  5. Complete the installation wizard. The following list provides guidelines for the key settings.

     Choose Install Location
       The default is C:\Program Files (x86)\Tanium\Tanium Zone Server.

     Choose Service Account for Tanium Zone Server
       Specify Account: specify a service account that runs the Tanium Zone Server service on the local host computer, with the following details:
         • User Name: just the account name portion of the credentials (for example, taniumsvc).
         • Domain: the fully qualified domain name (for example, example.com).
         • Password: the corresponding password.
       Local System Account: select this option to install the software and run the service in the context of the Local System account.

     Server Address
       This field does not apply when you install the Zone Server.

     Server Port
       The default is 17472.

     Public Key File
       The path to the Tanium Server public key (the tanium.pub file you copied in step 1). The hub and the Zone Server use this key to set up secure communication with each other.

     Make this server the hub server.
       Make sure this option is not selected when you run the installer on the Tanium Zone Server host computer.

     Allowed Hub IP Address
       A comma-separated list of IP addresses of Zone Server hubs that are authorized to communicate with this Zone Server. Enter IPv6 addresses within square brackets (for example, [2001:db8::1]). List the source address as the Zone Server sees it; if address translation sits between the hub and the DMZ, that is the translated address, not the hub's own interface address.

       This setting restricts hub connections to the addresses you list explicitly. If you must disable the restriction, open the Tanium Zone Server key in the Windows registry (HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Tanium\Tanium ZoneServer) and set EnforceAllowedHubs to 0. With enforcement off, the Zone Server accepts hub connections from any address, and the network firewall rule for TCP port 17472 becomes the only control on which hosts can reach it, so leave enforcement on unless you have a specific reason to disable it.

  6. On the Tanium Server host computer, go to Windows Services and restart the Tanium Server service.
  7. On the Zone Server hub host computer, go to Windows Services and restart the Tanium Zone Server service.
  8. On the Zone Server host computer, go to Windows Services and restart the Tanium Zone Server service.
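The following PowerShell script is an added example, not part of the Tanium documentation, that audits the two controls the Zone Server installation leaves behind on the DMZ host: the hub restriction in the registry and the inbound Windows Firewall rule for TCP port 17472. The registry key and the EnforceAllowedHubs value come from the procedure above; the value name AllowedHubs for the comma-separated hub list is an assumption (confirm it in the Tanium ZoneServer key on your host), and the expected hub address 10.10.10.11 is the hypothetical hub used in the examples on this page.

```powershell
# Added example, not from the Tanium documentation: audit the Zone Server's hub
# restriction and firewall rule after installation. Run elevated on the Zone Server.
# Registry key and EnforceAllowedHubs are from the procedure; 'AllowedHubs' as the
# name of the comma-separated hub list is an assumption to confirm in regedit.
$key          = 'HKLM:\SOFTWARE\Wow6432Node\Tanium\Tanium ZoneServer'
$expectedHubs = @('10.10.10.11')      # hypothetical hub IP (ts1.tam.local in this page's examples)

$props   = Get-ItemProperty -Path $key
$enforce = $props.EnforceAllowedHubs  # $null if the value is absent
$allowed = @()
if ($props.AllowedHubs) {
    $allowed = @($props.AllowedHubs -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

$findings = @()
if ($null -eq $enforce) {
    $findings += 'EnforceAllowedHubs is not present; confirm the default for this build before relying on it.'
} elseif ([int]$enforce -eq 0) {
    $findings += 'EnforceAllowedHubs is 0: the Zone Server accepts hub connections from any address.'
}
if (-not $allowed) {
    $findings += 'No allowed hub addresses are configured.'
}
foreach ($h in $expectedHubs) {
    if ($allowed -notcontains $h) { $findings += "Expected hub $h is not in the allowed list." }
}
foreach ($h in $allowed) {
    if ($expectedHubs -notcontains $h) { $findings += "Unexpected hub $h is allowed." }
}

# The installer opens TCP/17472 in Windows Firewall; confirm an enabled inbound rule exists.
$rules = @(Get-NetFirewallPortFilter -Protocol TCP |
           Where-Object LocalPort -eq 17472 |
           Get-NetFirewallRule |
           Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' })
if (-not $rules.Count) { $findings += 'No enabled inbound Windows Firewall rule for TCP/17472.' }

if ($findings.Count) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    "Hub restriction enforced for $($allowed -join ', ') and inbound TCP/17472 rule present."
}
```

Treat every warning as something to resolve before you hand the Zone Server over to production; in particular, an unexpected address in the allowed list means a host other than your hub is permitted to drive the Zone Server, which is the condition the Allowed Hub IP Address setting exists to prevent.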

Verify the deployment

  1. On the Tanium Server host computer, use the Tanium Client Deployment Tool to deploy the Tanium Client to the Tanium Zone Server host computer. In the configuration, for Tanium Server, specify the Zone Server FQDN (zs1.tam.local in this example).
  2. In Interact, ask Get Computer Name and Tanium Server Name from all machines and verify that the Tanium Client on the Zone Server is reporting via the Tanium Zone Server.

Troubleshoot

If verification fails:

  1. Check the status of the Windows Service for the Tanium Server, Zone Server, Zone Server hub, and Tanium Client. Start any services that are not started.
  2. Check the Windows registry for typos or missing values.
  3. Test connectivity in both directions: hub to Zone Server and Zone Server to hub. You can use whatever utility you like to test connectivity. The following examples show how to use Portqry to check if a remote server is listening on a specified port.

    c:\>portqry -n zs1.tam.local -p tcp -e 17472
    Querying target system called:
    zs1.tam.local
    Attempting to resolve name to IP address...
    Name resolved to 10.10.10.15
    querying...
    TCP port 17472 (unknown service): LISTENING
    c:\>

    c:\>portqry -n ts1.tam.local -p tcp -e 17472
    Querying target system called:
    ts1.tam.local
    Attempting to resolve name to IP address...
    Name resolved to 10.10.10.11
    querying...
    TCP port 17472 (unknown service): LISTENING
    c:\>

    If you can reach the remote server and get an answer (LISTENING), then the issue is not with basic connectivity. If you cannot reach the remote server, you might need to work with your network and security administrators to resolve it.

  4. Make sure DNS resolves each FQDN to the correct IP address. The Portqry example above already shows DNS resolution; you can also use nslookup.

    c:\>nslookup zs1.tam.local
    Server: Unknown
    Address: 10.10.10.10
    Name: zs1.tam.local
    Address: 10.10.10.15

    c:\>nslookup ts1.tam.local
    Server: Unknown
    Address: 10.10.10.10
    Name: ts1.tam.local
    Address: 10.10.10.11

    If DNS resolution fails, work with your network administrator to resolve it. If that is not possible, you can reconfigure the connection settings using the IP address instead of FQDN.

  5. If the preceding steps do not resolve the issue, generate logs as follows and then contact your TAM.
    1. Set the log verbosity level to 41 on the Tanium Client, Zone Server, Zone Server hub, and Tanium Server.
    2. Reproduce the issue by re-asking the question you used to verify the deployment.
    3. Examine both the server and client logs. Your TAM can analyze the logs.
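The following PowerShell script is an added example, not part of the Tanium documentation, that performs the service, DNS and connectivity checks from steps 1, 3 and 4 in one pass. Run it on the hub host with -Peer set to the Zone Server, and on the Zone Server host with -Peer set to the hub, so that both directions are tested. The host names zs1.tam.local and ts1.tam.local are the hypothetical ones used above; the assumption that every Tanium service has a display name beginning with "Tanium" should be confirmed with Get-Service.

```powershell
# Added example, not from the Tanium documentation: the troubleshooting checks
# (services, DNS, TCP/17472) as one script. Run it on the hub with -Peer pointing at
# the Zone Server, then on the Zone Server with -Peer pointing at the hub.
param(
    [string]$Peer = 'zs1.tam.local',   # hypothetical; use 'ts1.tam.local' on the Zone Server
    [int]$Port    = 17472
)

# 1. Services: start any Tanium service that is not running.
#    Assumes every Tanium service display name starts with 'Tanium'.
Get-Service | Where-Object DisplayName -like 'Tanium*' | ForEach-Object {
    if ($_.Status -ne 'Running') {
        Write-Warning "$($_.DisplayName) is $($_.Status); starting it"
        Start-Service -Name $_.Name
    } else {
        "$($_.DisplayName): Running"
    }
}

# 2. DNS: the nslookup step. Use -Type AAAA instead if the peer is IPv6-only.
$resolved = $null
try {
    $resolved = Resolve-DnsName -Name $Peer -Type A -ErrorAction Stop |
                Where-Object QueryType -eq 'A' | Select-Object -First 1
    "DNS: $Peer -> $($resolved.IPAddress)"
} catch {
    Write-Warning "DNS resolution of $Peer failed: $($_.Exception.Message). If this cannot be fixed, configure the connection with the IP address instead of the FQDN."
}

# 3. TCP: the portqry step, with an explicit timeout so a silently dropped SYN
#    (typical of a firewall) is reported as FILTERED instead of hanging.
function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return 'FILTERED (timeout)' }
        $client.EndConnect($async)   # throws if the connection was refused
        return 'LISTENING'
    } catch {
        return "NOT LISTENING ($($_.Exception.Message))"
    } finally {
        $client.Close()
    }
}

$target = if ($resolved) { $resolved.IPAddress } else { $Peer }
"TCP ${target}:${Port} -> $(Test-TcpPort -Target $target -Port $Port)"
```

A FILTERED result on one side but LISTENING on the other usually means the network firewall rule from the prerequisites was written for only one direction; a NOT LISTENING result means the packets arrive but nothing is bound to port 17472 on the target, so check the service state and the Server Port setting there before involving the network team.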

Last updated: 11/6/2018 5:24 PM