This topic summarizes prerequisites to software installation.
Your technical account manager (TAM) provides the Tanium™ installation package and license files required to complete the installation. The files include:
The installation package for these three servers must have the same build number (for example, all must have build number
The license is bound to hostname(s) you assign to the Tanium™ Server(s). For HA deployments, both hostnames are used in the license data. Let your TAM know if the hostnames provisioned for the servers are changed.
The following table summarizes basic requirements for server hosts. For detailed version specifications and sizing guidelines, see Reference: Host system sizing guidelines.
The following table summarizes basic requirements for endpoint host systems. Hardware resource requirements vary according to the actions that may be taken on the endpoint. For hardware resource guidance, consult your technical account manager (TAM).
The Tanium Server and Tanium Client generally support the same operating systems listed above when virtualized in cloud service environments. Tanium customers have used our software in:
- Amazon Web Services (AWS)
- Google Cloud Platform (GCP)
- Microsoft Azure
- Oracle Cloud Infrastructure (OCI)
Use of Tanium in cloud environments entails important architectural considerations that can be unique from one deployment to another. Work with your TAM when planning to deploy or expand into such environments.
Tanium components use TCP/IP to communicate over IPv4 networks. IPv6 is not supported. You must work with your network administrator to ensure that the Tanium components are provisioned IP addresses and that DNS can be used to resolve hostnames.
The table below summarizes the Tanium processes and default values for ports used in Tanium Core Platform communication. Host and network firewalls might need to be configured to allow the specified processes to send/receive TCP via the ports listed. The Tanium installer opens required ports in the Windows host firewall. You must work with your network security administrator to ensure the platform components can communicate through any security barriers (such as firewalls) in their communication path. For a detailed explanation, see Reference: Network ports.
Your security administrator might also need to create rules to exempt or exclude Tanium processes that run on the host computers from blocking by antivirus or processing by encryption or other security and management stack software. For details, see Reference: Host system security exceptions.
During installation, the Tanium Server installer (SetupServer.exe) prompts you to download SQL Server Native Client and SQL Server CLI Utilities if you have not already done so. To enable the download, the host computer must be able to connect to http://download.microsoft.com.
During both installation and ongoing operations, the Tanium Server must be able to connect to https://content.tanium.com to import updates to Tanium core components and modules. The Tanium Server may need to connect to additional locations, based on the components you import.
The following table lists URLs that are accessed by Tanium Server.
Module import fails if the Certificate Revocation List is blocked or inaccessible.
|Component|URL|
|---|---|
|Managed Applications (login required)|http://ardownload.adobe.com/|
|Windows Security Patch Management|http://download.windowsupdate.com|
If your enterprise security policy does not allow Tanium Server to access these locations directly, you can use proxy servers. See Reference: Proxy server settings.
If your enterprise network uses SSL intercept technologies, such as man-in-the-middle (MITM) proxies, you must configure them so that they do not prevent the Tanium Server and Tanium Module Server from downloading files from these locations.
If you plan to deploy Tanium into an air-gapped environment, consult with your TAM.
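The following preflight script is an added example, not part of the Tanium installer. It runs on the Tanium Server host and, for each download location listed above, reports TCP and HTTP reachability, the issuer of the site certificate (an enterprise CA as issuer shows that an SSL intercept proxy sits in the path and must be configured to let these downloads through) and whether the certificate's CRL distribution points can be fetched, since module import fails when the CRL is blocked. The URL list is taken from this page; `Get-TlsEndpointInfo` and `Test-HttpHead` are helper names chosen here.

```powershell
# Added preflight check, not part of the Tanium installer; run on the Tanium Server host.
# Reports TCP/HTTP reachability, certificate issuer (an enterprise CA as issuer means an
# SSL intercept proxy is in the path) and whether the CRL distribution points in that
# certificate can be fetched. The URL list mirrors the download locations on this page.
$Urls = @(
    'https://content.tanium.com',
    'http://download.microsoft.com',
    'http://ardownload.adobe.com/',
    'http://download.windowsupdate.com'
)

function Get-TlsEndpointInfo {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any chain here: the goal is to inspect the certificate, not to trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        # CRL Distribution Points extension (OID 2.5.29.31); Format() renders "URL=..." entries
        $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' } | Select-Object -First 1
        $crls = if ($cdp) { @([regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }) } else { @() }
        [pscustomobject]@{ Issuer = $cert.Issuer; NotAfter = $cert.NotAfter; CrlUrls = $crls }
    } finally { $client.Close() }
}

function Test-HttpHead([string]$Url) {
    try { (Invoke-WebRequest -Uri $Url -Method Head -UseBasicParsing -TimeoutSec 15).StatusCode }
    catch { $_.Exception.Message }
}

foreach ($url in $Urls) {
    $uri = [uri]$url
    $row = [ordered]@{ Url = $url; TcpReachable = $false; HttpStatus = $null; Issuer = $null; CrlStatus = $null }
    $row.TcpReachable = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -InformationLevel Quiet
    if ($row.TcpReachable) {
        $row.HttpStatus = Test-HttpHead $url   # uses the proxy configured for this host, if any
        if ($uri.Scheme -eq 'https') {
            try {
                $info = Get-TlsEndpointInfo -HostName $uri.Host -Port $uri.Port
                $row.Issuer = $info.Issuer
                # CRL URLs are plain http and must also be allowed through the proxy/firewall
                $row.CrlStatus = ($info.CrlUrls | ForEach-Object { "$_ -> $(Test-HttpHead $_)" }) -join '; '
            } catch { $row.Issuer = $_.Exception.Message }
        }
    }
    [pscustomobject]$row
}
```

An HttpStatus of 200 or a redirect code with an Issuer from a public CA is the expected result; an issuer naming your own enterprise CA is the signature of SSL intercept and the proxy exception described above is needed.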
The connections to the Tanium™ Console or SOAP and REST APIs, the connections between Tanium Server and Tanium Module Server, and connections to the Module Server are secured with SSL/TLS certificate and key exchanges.
When you run the installation wizards, you are prompted to generate a self-signed certificate or specify the location of an existing certificate and key that was issued by a commercial Certificate Authority (CA) or your own enterprise CA. We recommend that you use the self-signed certificate option when you complete the initial installation steps provided in this guide. Doing this facilitates troubleshooting by separating potential installation issues and SSL issues. After you have verified the deployment, you can copy the certificates issued by the commercial or enterprise CA in place of the self-signed certificate, as described in Reference: SSL certificates.
Work with your Microsoft Active Directory administrator to provision the accounts needed for installation.
|Host System|Administrator Account|Required Group or Privileges|Purpose|
|---|---|---|---|
|Tanium Server host|AD service account*|Administrator**, Interactive Logon***|Installs the software and starts the Tanium Server service. The service runs in the context of the Local System or the AD account, depending on the option you select when you run the installer.|
|Tanium Module Server host|AD service account*|Administrator|Installs the software and starts the Tanium Module Server service. The service runs in the context of the Local System account.|
|SQL Server host|AD service account|Sysadmin on the SQL Server|When the installer is run from the Tanium Server, this service user connects remotely to the SQL Server and creates the tanium and tanium_archive databases.|
|SQL Server host|AD service account|DBO on Tanium DB|After the Tanium databases have been created, you can downgrade the service account role from sysadmin. The account must have db_owner role membership for the Tanium databases. We also recommend View server state permission. This dynamic management view enables the Tanium Server to access data faster than the DBO role alone.|
|PostgreSQL Server host|AD service account|Administrator**|When the installer is run from the Tanium Server, this service user connects remotely to the PostgreSQL Server and creates the tanium and tanium_archive databases.|
|Tanium Zone Server host|AD service account*|Administrator**, Interactive Logon***|Installs the software and starts the Tanium Zone Server service. The service runs in the context of the Local System or the AD account, depending on the option you select when you run the installer.|
|Tanium Client Deployment Tool host|Local System or AD|Administrator|Connects to the endpoint and installs Tanium Client software.|
|Tanium Client host|Local System|Administrator|On Windows, the service runs in the context of the Local System account.|

*It is possible to use Local System in a POC deployment, but it is not supported for a production deployment.
**For installation and upgrades, the service account for the Tanium Server must have Administrator privileges. After installation or upgrade, you can reduce permissions to user-level permissions.
***Interactive Logon is required only during installation of the Tanium Server. It can be revoked after installation.
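The post-install downgrade described in the SQL Server rows of the table (drop sysadmin, keep db_owner on the Tanium databases, grant View server state) can be scripted as follows. This is an added example, not Tanium's own tooling; it assumes the SqlServer PowerShell module, a session that is still sysadmin, and the placeholders `SQL01` and `DOMAIN\svc_tanium` for your instance and service account.

```powershell
# Added example, not Tanium's own tooling. After SetupServer.exe has created the tanium
# and tanium_archive databases, drop the service account from sysadmin and leave it with
# db_owner on those two databases plus the recommended VIEW SERVER STATE permission.
# Assumptions: SqlServer module installed; run as a login that is still sysadmin;
# SQL01 and DOMAIN\svc_tanium are placeholders for your instance and service account.
$Instance  = 'SQL01'
$Login     = 'DOMAIN\svc_tanium'
$Databases = @('tanium', 'tanium_archive')

# Per database: map the login to a user if needed, then add it to db_owner.
# If the login owns the database it is already the special user dbo, which
# cannot be added to a role, so that case is skipped.
$DbQuery = @"
DECLARE @login sysname = N'$Login';
DECLARE @user  sysname;
SELECT @user = name FROM sys.database_principals WHERE sid = SUSER_SID(@login);
IF @user IS NULL
BEGIN
    EXEC (N'CREATE USER ' + QUOTENAME(@login) + N' FOR LOGIN ' + QUOTENAME(@login));
    SET @user = @login;
END
IF @user <> N'dbo'
    EXEC (N'ALTER ROLE [db_owner] ADD MEMBER ' + QUOTENAME(@user));
"@
foreach ($db in $Databases) {
    Invoke-Sqlcmd -ServerInstance $Instance -Database $db -Query $DbQuery
}

# Server level: grant the DMV access first, then remove the installer-time sysadmin role.
$ServerQuery = @"
GRANT VIEW SERVER STATE TO [$Login];
ALTER SERVER ROLE [sysadmin] DROP MEMBER [$Login];
"@
Invoke-Sqlcmd -ServerInstance $Instance -Database master -Query $ServerQuery

# Verify the end state: IsSysadmin should be 0 and HasViewServerState should be 1.
$Verify = @"
SELECT IS_SRVROLEMEMBER('sysadmin', N'$Login') AS IsSysadmin,
       (SELECT COUNT(*) FROM sys.server_permissions p
        JOIN sys.server_principals s ON s.principal_id = p.grantee_principal_id
        WHERE s.name = N'$Login' AND p.permission_name = 'VIEW SERVER STATE'
          AND p.state = 'G') AS HasViewServerState;
"@
Invoke-Sqlcmd -ServerInstance $Instance -Database master -Query $Verify | Format-List
```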
Last updated: 7/31/2018 3:37 PM