Tanium Core Platform Servers overview

This guide describes requirements and procedures for installing the following Tanium™ Core Platform servers on customer-provided Windows infrastructure:

Tanium infrastructure types

Tanium Core Platform servers support the following infrastructure options:

Tanium™ Server

The Tanium Server is the server that communicates with Tanium™ Clients, other Tanium Core Platform servers, and the content.tanium.com servers that host Tanium content packs. Tanium Clients communicate with the Tanium Server directly or through a Tanium Zone Server that acts as a proxy. The Tanium Server also runs the Tanium™ Console and API services.

You can install the Tanium Server on a dedicated host that is separate from the Tanium Module Server and database server, or on an all-in-one host that all three servers share. Use a dedicated host for enterprise production and lab environments (see Tanium Core Platform topology); the all-in-one architecture is just for proof-of-concept deployments.

You can deploy two Tanium Servers in an active-active high availability (HA) cluster to ensure continuous availability in the event of an outage or scheduled maintenance. HA deployments have the following characteristics:

Tanium Client connections

Tanium Clients use a Tanium Server list to automatically find a backup server if the primary Tanium Server assigned to them is unavailable.

Tanium Zone Server connections

You can configure failover connections from the Tanium Servers through Zone Server Hubs to HA Zone Servers. This ensures that both Zone Servers can continue serving Tanium Clients if one Tanium Server goes down. For details, see Zone Server High Availability.

Shared database

Tanium Servers in an HA cluster read and write to one shared database. Each server creates an entry for itself in the tanium database that identifies it to the other servers in the cluster. Follow database administration best practices to ensure availability of the database server and to ensure that the Tanium databases and related database objects are backed up routinely. See Set up a database server.

Tanium Console

Each HA cluster member has a Tanium Console with its own URL.

Tanium™ solution modules

The modules are installed on a Tanium Module Server that all the Tanium Servers in an HA cluster share. However, to make the modules available in all the Tanium Servers, you must import the modules through the Tanium Console of each cluster member. The Module Server does not support HA.

HA cluster communication

Each Tanium Server passes Tanium messages (such as answers to questions) and package files to the other HA cluster members over port 17472. When you upload package files to a Tanium Server, it automatically synchronizes the files to the other HA cluster members.

HA clustering is not required to scale Tanium capacity or improve performance. You can resize the host system hardware and operating systems of standalone Tanium Core Platform servers to meet your capacity and performance requirements. For details, see Reference: Host system sizing guidelines.

To install a standalone (non-HA) Tanium Server on a dedicated Windows Server host, see Installing Tanium Server. To install Tanium Servers in an HA deployment, see Installing the Tanium Server in an active-active HA cluster.

Tanium™ Module Server

The Tanium Module Server runs application services and stores files for Tanium solution modules, such as Tanium™ Patch. Tanium users can use the Tanium Console to manage and use solution modules. The Module Server communicates directly only with the Tanium Server. Endpoints receive packages through the Tanium Server or Zone Server.

In production deployments, you install the Module Server on a dedicated host (not shared with the Tanium Server) to prevent intentional or accidental scripts from having a direct impact on the Tanium Server. For the procedure, see Installing Tanium Module Server.

In a limited proof-of-concept (POC) deployment only, you can install the Module Server and Tanium Server on the same host.

Tanium™ Zone Server

In Tanium deployments, Tanium Clients initiate connections with the Tanium Server. However, enterprise network security policies typically do not allow endpoints that reside in an external, untrusted network to initiate connections to resources such as the Tanium Server that reside in a trusted, internal network. To enable the Tanium Server to manage external endpoints, deploy one or more Tanium Zone Servers in your DMZ to proxy communication from the external endpoints. For the procedure, see Installing the Tanium Zone Server.

The Zone Server is installed as a service on a device in the DMZ. It communicates with the Tanium Server through a Tanium Zone Server Hub process that you install on a host computer in the internal network, typically the Tanium Server host computer. You configure Tanium Clients on external endpoints to register with the Zone Server as if it were the primary Tanium Server.

The following figure illustrates Zone Server and hub communication.

Figure  1:  Zone Server deployment

*By default, the Zone Server uses the same port (17472 by default) for traffic from Zone Server Hubs and Tanium Clients. However, as a best practice to improve the security of the Zone Server, configure separate ports for the hubs and clients (see Configure ports for traffic from Zone Server Hubs and Tanium Clients).

Zone Server Caching

To optimize Tanium system performance, the Zone Server caches action package files and files requested through the Tanium Client API. It provides these resources to Tanium Clients without having to re-request them from the Tanium Server. If necessary to prevent over-consumption of disk space on the Zone Server, you can configure a maximum cache size. In deployments where the Zone Server Hub runs on the Tanium Server host, the hub does not have its own cache but uses the Tanium Server cache. If the hub is on a dedicated host, you must enable the cache on the hub. To configure the cache on the Zone Server or hub, see Manage caching on the Zone Server and Zone Server Hub.

Zone Server High Availability

You can deploy two Zone Servers and two Zone Server Hubs in an active-active HA configuration to ensure continuous availability in the event of an outage or scheduled maintenance. The following figure illustrates a deployment that has HA pairs of Tanium Servers, Zone Server Hubs, and Zone Servers. In this example, the Zone Server Hubs run locally on the Tanium Servers.

Figure  2:  Zone Server HA deployment
Zone Servers HA

The following connections (matching the numbers in Figure  2) ensure continuous availability in this deployment:

Number 1 Each Zone Server Hub connects to a single Tanium Server.

Number 2 Each Zone Server Hub connects to both Zone Servers.

You can configure the HubPriorityList setting on each Zone Server to specify the preferred Zone Server Hub from which the server receives Tanium Client content (such as sensor definitions, configuration information, and action package files).

In deployments with multiple Zone Servers and hubs, configure the HubPriorityList to ensure that each Zone Server receives content from its closest hub. Configuring this setting also optimizes hub usage by ensuring that each hub serves one Zone Server instead of one hub servicing both servers. For the steps, see Installing the Tanium Zone Server.

In Figure  2, the HubPriorityList on Zone Server 1 (zs1.example.com) specifies Zone Server Hub 1 (ts1.example.com). Therefore, as long as ts1.example.com is available, zs1.example.com receives client content only from that hub. In the figure, solid lines indicate the connections when the priority hub is available. If the priority hub goes down, the Zone Server receives client content from the other hub; in the figure, dotted lines indicate the failover connections.

Number 3 Tanium Clients register through both Zone Servers so that both Tanium Servers can manage the clients. The Tanium Servers synchronize with each other to ensure active-active availability.

The Zone Servers do not perform HA synchronization, and neither do the hubs.

An HA deployment ensures that you can continue managing endpoints if one Tanium Server or Zone Server, or one of each, goes down. In this example, if Tanium Server 1 (ts1.example.com) goes down, Zone Server Hub 2 forwards Tanium Client content from Tanium Server 2 (ts2.example.com) to Zone Server 1 (zs1.example.com), which can therefore continue serving clients. The following figure illustrates this scenario.

Figure  3:  Tanium Server failover in an HA deployment
Tanium Server failover

If Zone Server 1 goes down in this example, Zone Server 2 (zs2.example.com) continues receiving Tanium Client content from its priority hub, Zone Server Hub 2 (ts2.example.com). The connection from Zone Server Hub 1 (ts1.example.com) to zs2.example.com remains a standby connection as long as ts2.example.com is available. The following figure illustrates this scenario.

Figure  4:  Zone Server failover in an HA deployment
Zone Server failover

When using the Tanium Core Platform to manage external endpoints, be mindful that they might not have the same access to internal resources as internal endpoints. Target actions so that Tanium Clients on external endpoints do not attempt to access resources on the internal network, such as an Active Directory server.

Tanium Core Platform topology

In an enterprise production deployment, the Tanium Server, Tanium Module Server, and database server must reside on separate hosts, as the following figure illustrates. In a proof-of-concept (POC) deployment, these three servers reside on the same host. However, the POC architecture is intended for demonstration purposes only and does not support enterprise deployments. As a best practice, use the production environment architecture for the enterprise lab environment that you use to qualify software upgrades and test content solutions. The following figure illustrates a production or lab deployment in an HA configuration.

Figure  5:  Enterprise production or enterprise lab deployment

To improve the security of the Zone Server, configure separate ports for traffic from Zone Server Hubs and Tanium Clients (see Configure ports for traffic from Zone Server Hubs and Tanium Clients).

For the topology of deployments that use a proxy server between Tanium Core Platform servers and external servers, see Tanium Console User Guide: Overview of proxy servers.

Tanium™ Direct Connect uses additional ports for communication between Tanium Clients and the Module Server. See Tanium Direct Connect User Guide: Host and network security requirements.

For more information about the port requirements of other Tanium modules and shared services, see Tanium Core Platform Deployment Reference Guide: Solution-specific port requirements.