Installing the Tanium Zone Server

Install a Tanium Zone Server in your DMZ to proxy communication from external endpoints to the Tanium Server. You can install the Zone Server Hub on the same host as the Tanium Server or on a dedicated host. You can deploy two Zone Servers and two Zone Server Hubs in an active-active high availability (HA) configuration to ensure continuous availability in the event of an outage or scheduled maintenance. For details about the Zone Server, Zone Server Hub, and deployment options, see Tanium™ Zone Server.

Before you begin

Ensure that you meet the following requirements before installing the Zone Server:

Installer version: Ensure that you have the right version of the installer (SetupZoneServer.exe). The installation package for all Tanium Core Platform servers must have the same build number (for example, all must have build number 7.5.6.1113). Contact Tanium Support for details.
Host requirements: The host system must meet the hardware, software, and network connectivity requirements suitable for your deployment: see Requirements and Reference: Host system resource guidelines.
Firewall rules: Your network administrator must configure firewall rules to allow communication from the Zone Server Hub to the Zone Server on the port that you configured for that traffic. The default is TCP port 17472 but you can specify a different port: see Configure ports for traffic from Zone Server Hubs and Tanium Clients.
Security exclusions: Your security team must configure exceptions to host-based security policies to allow Tanium processes to operate smoothly and at optimal performance: see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.
Initialization bundle: If you are performing a fresh installation of the Zone Server and Zone Server Hub, download the Tanium™ initialization bundle (tanium-init.dat). The Zone Server and Hub use the file to secure communication with the Tanium Server. For the download procedure, see Tanium Console User Guide: Download infrastructure configuration files (keys).

Install the Tanium Zone Server

This section provides procedures for the following workflow:

Run the installer on the Zone Server Hub host computer. In this example, the Tanium Server host computer is also the Zone Server Hub host computer.
Run the installer on one or more Zone Server host computers in the DMZ.

The Tanium Zone Server installer takes the following actions:

Opens TCP port 17472 in the local host computer Windows Firewall.
Installs Tanium Zone Server Hub or Zone Server on the local host computer and starts the service.

Install the Zone Server Hub

Perform the following steps for each Zone Server Hub.

Sign in as an administrator user on the internal network host system where you will install the Zone Server Hub.
Copy the installer (SetupZoneServer.exe) to a temporary location on the hub host.
(Fresh installations only) Copy the initialization file (tanium-init.dat) from the Tanium Server to a temporary location on the hub host if you will install the hub on a dedicated host. If you will install the hub on the Tanium Server host, you can find the file in the Tanium Server installation folder.
Right-click SetupZoneServer.exe and select Run as administrator.
Complete the installation wizard. The following table provides guidelines for key settings.

Settings	Guidelines
Choose Install Location	The default installation folder is C:\Program Files (x86)\Tanium\Tanium Zone Server.
Zone Server Type	Select Zone Server Hub.
Choose Service Account for Tanium Zone Server	Specify Account: Define a service account to run the Tanium Zone Server service on the local host computer: User Name: Enter only the account name portion of the credentials, such as taniumsvc. Domain: Enter the domain name, such as example.com. Password: Enter the account password.
Choose Service Account for Tanium Zone Server	Local System Account: Select this option to install software and run the service in the context of the Local System account. Because this account grants higher operating system privileges than are necessary for Zone Server operations, the best practice is to not select this option for production deployments.
Initialization File	(Fresh installations only) Specify the file path of the tanium-init.dat file.
Server Address	Specify the fully qualified domain name (FQDN) or IP address of the Tanium Server. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
Server Port	The inbound port on which the Zone Server Hub receives traffic from the Tanium Server and Zone Server. The default is 17472.

(Non-local hub only) If the Zone Server Hub resides on a different host than the Tanium Server, sign in to the Tanium Server CLI and configure the AllowedHubs setting:
1. Navigate to the Tanium Server installation folder:
  $ cd <Tanium Server>
2. Enable (best practice) or disable enforcement of the AllowedHubs setting. The default value 1 specifies that the Tanium Server enforces the setting: only hubs listed in AllowedHubs can communicate with the Tanium Server. The value 0 enables any hub to communicate with the Tanium Server regardless of the AllowedHubs setting.
  $ TaniumReceiver config set EnforceAllowedHubs [1|0]
3. If you enabled enforcement of AllowedHubs, configure it as follows, where <hub1,hub2...> is a comma-separated list of hubs that are authorized to communicate with this Tanium Server. Specify the hubs by FQDN or IP address. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]). The default value is 127.0.0.1 (localhost).
  $ TaniumReceiver config set AllowedHubs <hub1,hub2...>
(Non-local hub only) If the Zone Server Hub resides on a different host than the Tanium Server, enable the file cache and set its maximum size: see Manage caching on the Zone Server and Zone Server Hub.

Install the Zone Server

Perform the following steps for each Zone Server.

Sign in to the Tanium Zone Server host computer as an administrator user.
Copy the installer (SetupZoneServer.exe) to a temporary location on the Zone Server.
(Fresh installation only) Copy the initialization file (tanium-init.dat) from the Tanium Server to a temporary location on the Zone Server.
Right-click the SetupZoneServer.exe file and select Run as administrator.
Complete the installation wizard. The following table provides guidelines for key settings.

Settings	Guidelines
Choose Install Location	The default is C:\Program Files (x86)\Tanium\Tanium Zone Server.
Zone Server Type	Select Zone Server.
Choose Service Account for Tanium Zone Server	Specify Account: Define a service account to run the Tanium Zone Server service on the local host computer: User Name: Enter only the account name portion of the credentials, such as taniumsvc. Domain: Enter the domain name, such as example.com. Password: Enter the account password.
Choose Service Account for Tanium Zone Server	Local System Account: Select this option to install software and run the service in the context of the Local System account. Because this account grants higher operating system privileges than are necessary for Zone Server operations, the best practice is to not select this option for production deployments.
Initialization File	(Fresh installations only) Specify the file path of the tanium-init.dat file.
IP addresses or FQDNs of allowed Zone Server Hubs	Enter a comma-separated list of IP addresses or FQDNs for the Zone Server Hubs that are authorized to communicate with this Zone Server. You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]). In an HA deployment, specify both Zone Server Hubs. This installation setting populates the the AllowedHubs setting on the Zone Server. To change this setting at a later time, configure it using the following command on the Zone Server, where <hub1,hub2...> is a comma-separated list of the allowed hubs. $ TaniumZoneServer config set AllowedHubs <hub1,hub2...>

(HA only) As a best practice, specify the preferred Zone Server Hub from which the Zone Server receives Tanium Client content, such as action packages (see Tanium Zone Server for details). Sign in to the Zone Server CLI (see Tanium Core Platform Deployment Guide: Command-line interface) and run the following commands:
$ cd <Zone Server>
$ TaniumZoneServer config set HubPriorityList <hub IP address or FQDN>
(Best Practice) Configure separate ports on the Zone Server for traffic from Zone Server Hubs and Tanium Clients: see Configure ports for traffic from Zone Server Hubs and Tanium Clients.
Enable trust between the Zone Server Hub and Tanium Server, and map Zone Servers to the hub: see Tanium Console User Guide: Managing Zone Servers and hubs.
If the Zone Server requires different separated subnets or isolated subnets than the Tanium Server, configure them as described in Tanium Client Management User Guide: Configuring Tanium Client peering.
Configure the connections from Tanium Clients that must register with the Zone Server: see Configure Tanium Clients to register with the Zone Server.
If necessary to prevent over-consumption of disk space on the Zone Server, configure a maximum file cache size: see Manage caching on the Zone Server and Zone Server Hub.
Verify the deployment: see Verifying the deployment.

Configure ports for traffic from Zone Server Hubs and Tanium Clients

By default, the Zone Server uses the same incoming port (default is 17472) for traffic from Zone Server Hubs and Tanium Clients. As a best practice to improve the security of the Zone Server, configure separate ports:

Sign in to the Zone Server host as an administrator user.
Access the CLI (see Tanium Core Platform Deployment Reference Guide: Command-line interface).
Navigate to the Zone Server installation folder:

> cd <Zone Server>
Configure the port for traffic from Tanium Clients:

> TaniumZoneServer config set ZoneServerPort <port>

If Tanium Clients are already configured to communicate with the Zone Server, the best practice is to leave this port number unchanged and edit only the port for traffic from Zone Server Hubs.
Configure the port for traffic from Zone Server Hubs:

> TaniumZoneServer config set ZoneServerPortForHub <port>
If traffic between the Zone Server and Zone Server Hubs traverses a firewall, configure the firewall to allow only hubs that are in the AllowedHubs list to connect to the port that you specified in the ZoneServerPortForHub setting. For the steps to configure the firewall, see your firewall documentation. To see which hubs are in the AllowedHubs list, run the following command:

> TaniumZoneServer config get AllowedHubs
Access the Windows Services program and restart the Tanium ZoneServer service.
Delete and recreate the Zone Server Hub-to-Zone Server mappings of the Zone Server for which you configured separate ports.

For the steps, see Tanium Console User Guide: Delete a Zone Server Hub-to-Zone Server mapping and Tanium Console User Guide: Map Zone Servers to a Zone Server Hub.

Manage caching on the Zone Server and Zone Server Hub

To optimize performance for the Tanium Core Platform, the Zone Server caches package files for actions and files requested through the Tanium Client API. The Zone Server provides these resources to Tanium Clients without having to re-request them from the Tanium Server. In Tanium Core Platform 7.4 or later, this file cache is disabled by default on the Zone Server Hub because in most deployments the hub is installed on the Tanium Server, which has its own cache. However, if the hub is installed on a dedicated host, you must enable it to perform the same caching as the Zone Server. By default, the cache uses a maximum of 20% disk space on the Zone Server and on the hub on a dedicated host, but you can change that limit.

Set the maximum cache size to whichever is the lesser value between 200GB and 60% of available disk space on the drive where the Zone Server or hub is installed.

When you set the cache size, the Zone Server or Zone Server Hub automatically removes all the files that are currently in the cache (<Zone Server/hub>\Cache\HotCacheFile).

Manage Zone Server caching

From the Main menu, go to Administration > Configuration > Settings > Advanced Settings and click Add Setting.
Configure the following parameters and click Save:
- Setting Type: Select Server
- Platform Setting Name: Enter zs_hot_cache_limit_in_MB.
- Value Type: Select Numeric
- Value: Enter the maximum storage space in megabytes for the Zone Server cache. The default is 0 (20% of disk space).

Manage Zone Server Hub caching

If the Zone Server Hub is installed on the Tanium Server, the hub cache is unnecessary. After you upgrade from a Tanium Core Platform version earlier than 7.4, you can delete the hub cache to clear disk space by deleting the <Zone Server Hub>\Cache\HotCacheFile folder.

If the Zone Server Hub is installed on a dedicated host, configure the cache as follows:

Sign in to the hub host as an administrator user.
Access the hub CLI (see Tanium Core Platform Deployment Reference Guide: Command-line interface) and run the following commands:

$ cd <Zone Server Hub>

$ TaniumZoneServer config set EnableFileCache 1
Open the Windows Services program and restart the Tanium ZoneServer service.
Sign in to the Tanium Console.
From the Main menu, go to Administration > Configuration > Settings > Advanced Settings and click Add Setting.
Configure the following setting and click Save:
- Setting Type: Select Server
- Name: Enter hub_hot_cache_limit_in_MB.
- Value Type: Select Numeric
- Value: Enter the maximum storage space in megabytes for the hub cache. The default is 0 (20% of disk space).

Configure Tanium Clients to register with the Zone Server

To configure Tanium Clients to register with a Zone Server, you must add it to the ServerNameList setting on each client. This setting can specify multiple Zone Servers and Tanium Servers. When attempting to connect, the client randomly selects one server at a time in the list and registers only with the first server for which the client can resolve the IP address. To ensure that clients connect and register with the correct server, work with your network administrator to review your Domain Name System (DNS) configuration. For example, external clients typically resolve the IP addresses of Zone Servers in the DMZ but not of Tanium Servers in the internal network. By contrast, internal clients typically resolve the IP addresses of Tanium Servers in the internal network but not of Zone Servers in the DMZ.

The steps to configure Tanium Clients to register with the Zone Server depend on whether you have already deployed the clients.

Initial Tanium Client deployment

Perform the following steps if you have not yet deployed the Tanium Clients that must register with the Zone Server:

Use Tanium™ Client Management to download installer bundles as described under Tanium Client Management User Guide: Download the installation bundle for alternative deployment.
Each endpoint OS type requires a separate bundle. Each bundle contains the following files, which you use when deploying the clients:
- Installer file to install the Tanium Client, such as SetupClient.exe for Windows endpoints.
  The Linux bundle contains an installer for each supported Linux distribution.
- Initialization file (tanium-init.dat) to secure connections between the Tanium Client and other Tanium Core Platform components.
Deploy the Tanium Client to endpoints as described in the Tanium Client Management User Guide. For the ServerNameList setting, specify the FQDN or IP address of each Zone Server and Tanium Server.
You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
In the Tanium Client installation wizard for Windows, you specify the ServerNameList value in the Server Address field.
Work with your network administrator to ensure that Tanium Clients that must register with the Zone Server cannot resolve the IP address of the Tanium Server.
This step is necessary to prevent clients from bypassing the Zone Server and connecting directly with the Tanium Server.
Use Tanium Interact to issue a question that returns the value of the ServerName and ServerNameList settings from Tanium Clients. The ServerName is the FQDN or IP address of the server with which clients currently connect.
Get Tanium Server Name and Tanium Server Name List from all machines
In the Question Results grid, verify that the Tanium Server Name value displays the Zone Server for any clients that must register with it, and verify that the Tanium Server Name List value includes all the servers that you specified.

Existing Tanium Client deployment

Perform the following steps to change the ServerNameList setting on Tanium Clients that you want to register with the Zone Server. In a deployment with both Windows and non-Windows endpoints, repeat the steps for both types of endpoints.

Delete any existing scheduled actions that configure the ServerNameList or ServerName to prevent conflicts with the new actions that you create for those settings.
Use Tanium Interact to issue a question that identifies the Tanium Clients that do not yet register with the Zone Server.
The following example identifies Tanium Clients in a deployment where the Zone Server FQDN is zs1.tam.local and the active-active Tanium Servers are ts1.tam.local and ts2.tam.local.
Get Tanium Server Name List and Is Windows from all machines with all Tanium Server Name List not equals “zs1.tam.local,ts1.tam.local,ts2.tam.local"
In the Question Results grid, select the Windows or non-Windows endpoints (not both) that must register with the Zone Server and click Deploy Action.
Specify one of the following as a Deployment Package:
- Set Tanium Server Name List for Windows endpoints
- Set Tanium Server Name List [Non-Windows] for non-Windows endpoints
Enter the FQDN or IP address of each Zone Server and Tanium Server in the Server Name List field.
You must enter IPv6 addresses within square brackets (for example, [2001:db8::1]).
Set a schedule for the action.

Consider setting a reissue interval if some target endpoints might be offline when you initially deploy the action.
In the Targeting Criteria section, ensure that the settings specify only Windows endpoints or non-Windows endpoints based on the package that you selected
Click Show preview to continue and verify that the targeting is correct.
Click Deploy Action and review the action status to verify that the action completes without errors.
Use Tanium Interact to issue a question that returns the ServerName and ServerNameList values from Tanium Clients. The ServerName is the FQDN or IP address of the server with which clients currently connect. If the action succeeded, the ServerName indicates the Zone Server for at least some clients and the Tanium Server Name List value lists all the correct servers (zs1.tam.local,ts1.tam.local,ts2.tam.local, in this example).
You might have to wait a few minutes for the results to show the new values. Ensure that live updates are enabled for the results grid. Whether a particular Tanium Client connects to the Zone Server or Tanium Server depends on the Domain Name System (DNS) configuration of your network.
Get Tanium Server Name and Tanium Server Name List from all machines
Work with your network administrator to ensure that the Tanium Clients that must register with the Zone Server cannot resolve the IP address of the Tanium Server.
This step is necessary to prevent those clients from bypassing the Zone Server and connecting directly with the Tanium Server.