Upgrading Tanium Core Platform servers

In the Tanium Console, the Solutions page (Administration > Configuration > Solutions) indicates at the top-right if Tanium Core Platform servers are up-to-date or if an update is available.

Supported upgrade paths

Table 1: Supported upgrade paths

| Path | Notes |
| --- | --- |
| 7.6.x to 7.6.x | Minor upgrade. Read the release notes for all of the Tanium Core Platform software versions that were released after your current version for guidance and caveats. |
| 7.5.x to 7.6.x | Major upgrade. Before upgrading, ensure that all the Tanium modules and shared services are at the minimum or later versions that are required to support Tanium Core Platform 7.6 or later. See Tanium Console User Guide: Tanium dependencies. Read the release notes for all of the Tanium Core Platform software versions that were released after your current version for additional guidance and caveats. |
| 7.4.x to 7.6.x | |
| Versions earlier than 7.4.x to 7.6.x | Major upgrade from an unsupported version. Contact Tanium Support for guidance. |

Server upgrade overview

The maintenance window for upgrading Tanium Core Platform servers is usually under an hour. To avoid unexpected issues, all servers must run the same software version. As a best practice, complete the upgrade for all the servers in the same maintenance window. If you have a high availability (HA) cluster, complete the upgrade for both Tanium Servers in the same window.

If you do not need to change the server host names, SSL/TLS certificates, or key files, you can simply run the Tanium Core Platform installers to replace the existing installation with updated files, and upload the new license file (if any) to the installation directory on the Tanium Servers (see Managing the Tanium license).

In some cases, you might want to take the opportunity to change server host names or install new SSL/TLS certificates and keys (for example, if the existing ones are due to expire). If so, the upgrade experience is similar to the initial installation and has similar prerequisite steps. If you change the server host names, you must reconfigure the Tanium Client on endpoints so they can communicate with the servers.

The upgrade procedures in this guide assume your host and network environment meets the initial installation requirements (see Requirements).

The settings that you manage through the Tanium Console are saved to the Tanium database. Therefore, any customizations that you saved in your existing deployment persist through the upgrade.

Before you begin

Perform the following tasks before upgrading:

  • Read the release notes for all of the Tanium Core Platform software versions that were released after your current version to stay informed about expected behavior.
  • Make sure the current deployment is working as expected, including all Tanium Core Platform servers and solutions.
  • Contact Tanium Support if you plan to change the Tanium Server hostname. Tanium Support needs the new hostname when creating a Tanium license for you.
  • Obtain the installers (.exe files) and new license file from Tanium Support.
  • A normal upgrade does not require you to restore from backups, but backups can save you work if you encounter issues and want to restore the system to a known functional state. See Back up Tanium Core Platform servers and databases.
  • Under ordinary circumstances, the installer for each Tanium Core Platform server stops the associated Tanium service, updates the software, and restarts the service. In deployments with an exceptionally large amount of data, stopping a service might take an exceptionally long time, and the installer might abort the installation before the service properly shuts down. As a best practice to avoid this, use the Windows Services program to stop the Tanium Core Platform services in the following order before starting the upgrade:
    • Tanium Zone Server
    • Tanium Zone Server Hub
    • Tanium Module Server
    • (HA deployment only) Non-primary Tanium Server
    • Primary (HA) or standalone (non-HA) Tanium Server
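The stop order above can be scripted so that the installer is started only after each service has fully stopped. This is an added example, not Tanium's own tooling; the display names are taken from the list above and are assumed to match the Windows service display names, and the 30-minute timeout is an assumed value.

```powershell
# Added example. Run elevated on each host; services that are not installed on
# the local host are skipped. The services usually live on different hosts, so
# follow the same order across hosts: Zone Server hosts first, then the Module
# Server host, then (HA) the non-primary Tanium Server, then the primary.
$StopOrder = 'Tanium Zone Server', 'Tanium Zone Server Hub',
             'Tanium Module Server', 'Tanium Server'

function Stop-TaniumServicesInOrder {
    param(
        [string[]]$DisplayNames = $StopOrder,
        [TimeSpan]$Timeout = [TimeSpan]::FromMinutes(30)  # assumed; size to your data volume
    )
    foreach ($name in $DisplayNames) {
        $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
        if (-not $svc) { Write-Host "skip   : $name (not installed here)"; continue }
        if ($svc.Status -eq 'Stopped') { Write-Host "stopped: $name (already)"; continue }

        Write-Host "stop   : $name"
        # -NoWait (PowerShell 5.0+) returns immediately; the wait below applies
        # our own timeout instead of the default one.
        Stop-Service -InputObject $svc -Force -NoWait
        try {
            $svc.WaitForStatus('Stopped', $Timeout)
        } catch {
            # Abort so later services are not stopped out of order.
            throw "$name did not stop within $Timeout; do not start the installer yet."
        }
        Write-Host "stopped: $name"
    }
}

Stop-TaniumServicesInOrder
```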

Order of upgrade

You must upgrade Tanium Core Platform servers in the following order:

  1. Tanium Servers (primary and non-primary servers in HA deployments)
  2. Module Server
  3. Zone Server Hub
  4. Zone Server

Upgrade the Tanium Server

When you upgrade, the Tanium™ Server installer takes the following actions:

  • Stops the Tanium Server service.
  • Installs Tanium Server software and Tanium Console UI components.
  • Updates the Windows registry with the values you specify in the interactive installation wizard.
  • Updates the Tanium databases on the remote database server and re-initializes the database tables in those databases.
  • Opens required ports in the local host computer Windows Firewall.
  • Starts the Tanium Server service.

The Windows Secondary Logon service (seclogon) on the host computer for the Tanium Server must have its Startup type set to Automatic or Manual (not Disabled) during an upgrade of the Tanium Server. If the Secondary Logon service is disabled, the installation cannot connect to the database server (even if it is installed locally), and the upgrade of the Tanium database fails. The Secondary Logon service is required only during installation and upgrades.

In an upgrade of a production deployment, the installer detects from the Windows Registry that the Tanium Module Server is not installed locally, so it does not attempt to upgrade it or start the Tanium Module Server service.

Upgrade a standalone (non-HA) or primary (HA) Tanium Server

  1. Sign in to the host system as a local administrator or domain user with administrator permissions.
  2. Copy the installer (SetupServer.exe) and license files to a temporary location on the host computer.
  3. If you have new SSL/TLS certificate and key files, copy them to the host computer so you can select them when you run the installer.
  4. Right-click SetupServer.exe and select Run as administrator.
  5. Complete the installation wizard. Consider the following:
    • Select Custom Install, not Express Install. When you select Custom Install, the installer prompts you for each setting and populates the wizard form with the values from the existing installation. This gives you a chance to review the current installation and replace the certificate and license files, if necessary, or change other installation settings. When you select Express Install, the installer uses the existing values but does not give you an opportunity to review or change them.
    • On the License Configuration page, be sure to select the new license file if appropriate.
    • If the server has new SSL/TLS certificate and key files, use the Certificate Path and Key Path to select them; otherwise, use the values that the installer populates.

Upgrade a secondary (HA) Tanium Server

  1. Sign in to the host system as a local administrator or domain user with administrator permissions.
  2. Copy the installer (SetupServer.exe) and license files to a temporary location on the host computer.
  3. If you updated the SSL/TLS certificate and key files, copy the following files from the Tanium Server installation directory on the primary host to the installation directory on the non-primary host:
    • SOAPServer.crt
    • SOAPServer.key
    • tanium.license
    Always follow your organization's best practices for securely copying sensitive files, such as the Tanium Server SOAPServer.key file. For example, use GNU Privacy Guard (GPG) to encrypt the files before copying and then decrypt when they are in place on the target server.

  4. Right-click SetupServer.exe and select Run as administrator.
  5. Complete the installation wizard. Consider the following:
    • Select the Custom installation type, not Express. When you select Custom, the installer prompts you for each setting and populates the wizard form with the values from the existing installation. This gives you a chance to review the current installation and replace the certificate and license files, if necessary, or change other installation settings. When you select Express, the installer uses the existing values but does not give you an opportunity to review or change them.
    • On the License Configuration page, be sure to select the new license file if appropriate.
    • If the server has new SSL/TLS certificate and key files, use the SSL Certificate and Key controls to select them; otherwise, retain the values that the installer populated.
    • After upgrading the Tanium Module Server, you must manually register it with the non-primary Tanium Server (see the last step under Upgrade the Tanium Module Server).
  6. If you upgraded from a Tanium Core Platform version earlier than 7.4, you must enable trust between the Tanium Server HA peers: see Tanium Console User Guide: Managing Tanium Server trust.
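One way to follow the GPG advice in step 3, so that SOAPServer.key is never copied between hosts in plaintext. This is an added example, not part of the Tanium documentation; it assumes gpg is on the PATH of both hosts and that the recipient key pair belongs to the administrator on the non-primary host. The directory arguments, the recipient ID, and the manifest.csv file name are placeholders chosen for this example.

```powershell
# Added example. Only the three files named in step 3 are handled.
$Files = 'SOAPServer.crt', 'SOAPServer.key', 'tanium.license'

function Export-TaniumSecrets {            # run on the primary host
    param(
        [Parameter(Mandatory)][string]$InstallDir,  # Tanium Server installation directory
        [Parameter(Mandatory)][string]$StagingDir,  # folder you copy to the target host
        [Parameter(Mandatory)][string]$Recipient    # GPG key ID of the target-host admin
    )
    $manifest = foreach ($f in $Files) {
        $src = Join-Path $InstallDir $f
        & gpg --output (Join-Path $StagingDir "$f.gpg") --encrypt --recipient $Recipient $src
        if ($LASTEXITCODE -ne 0) { throw "gpg failed to encrypt $f" }
        [pscustomobject]@{ File = $f; SHA256 = (Get-FileHash $src -Algorithm SHA256).Hash }
    }
    $manifest | Export-Csv (Join-Path $StagingDir 'manifest.csv') -NoTypeInformation
}

function Import-TaniumSecrets {            # run on the non-primary host
    param(
        [Parameter(Mandatory)][string]$StagingDir,
        [Parameter(Mandatory)][string]$InstallDir
    )
    foreach ($row in Import-Csv (Join-Path $StagingDir 'manifest.csv')) {
        # Refuse manifest entries other than the expected file names.
        if ($row.File -notin $Files) { throw "unexpected manifest entry: $($row.File)" }
        $enc = Join-Path $StagingDir "$($row.File).gpg"
        $dst = Join-Path $InstallDir $row.File
        & gpg --output $dst --decrypt $enc       # decrypts in place on the target
        if ($LASTEXITCODE -ne 0) { throw "gpg failed to decrypt $($row.File)" }
        if ((Get-FileHash $dst -Algorithm SHA256).Hash -ne $row.SHA256) {
            throw "hash mismatch for $($row.File); the copy is incomplete or altered"
        }
        Remove-Item $enc                          # leave no staged copy behind
    }
}
```

The hash comparison catches a truncated or corrupted copy; it does not authenticate the sender, which requires signing the files as well.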

Upgrade the Tanium Module Server

When you upgrade, the Tanium™ Module Server installer takes the following actions:

  • Stops the Tanium Module Server service.
  • Updates Tanium Module Server software.
  • Updates the Windows registry with the values you specify in the interactive installation wizard.
  • Initiates registration with the primary (HA) or standalone Tanium Server (if selected).
  • Opens required ports in the local host computer Windows Firewall.
  • Starts the Tanium Module Server service.

Before you begin

Ensure that your network security administrator has configured network firewall rules to allow communication between the Tanium Server and Module Server on TCP ports 17477 and 443. See Internet access, network connectivity, and firewalls.

When you first upgrade to the latest release, automatically register the Module Server with the primary (HA) or standalone Tanium Server instead of manually registering.

The Windows Secondary Logon service (seclogon) on the host computer for the Tanium Module Server must have its Startup type set to Automatic or Manual (not Disabled) during an upgrade of the Tanium Module Server. If the Secondary Logon service is disabled, the installation cannot connect to the database server (even if it is installed locally), and the upgrade of the Tanium database fails. The Secondary Logon service is required only during installation and upgrades.
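A pre-flight check for the two prerequisites above (Secondary Logon startup type and the firewall rules for TCP 17477 and 443), as an added example that is not part of the Tanium documentation. The host names are constructed placeholders, and the direction of each port test (443 toward the Tanium Server, 17477 toward the Module Server) is an assumption to confirm against the firewall reference.

```powershell
# Added example. Run elevated on the host you are about to upgrade.
function Test-SecondaryLogonReady {
    # Win32_Service.StartMode is 'Auto', 'Manual' or 'Disabled' for this service.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='seclogon'"
    [pscustomobject]@{
        Check  = 'seclogon startup type'
        Detail = if ($svc) { $svc.StartMode } else { 'service not found' }
        Pass   = [bool]($svc -and $svc.StartMode -ne 'Disabled')
    }
}

function Test-PeerPort {
    param(
        [Parameter(Mandatory)][string]$Peer,
        [Parameter(Mandatory)][int]$Port
    )
    $r = Test-NetConnection -ComputerName $Peer -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Check  = "TCP $Port to $Peer"
        Detail = "resolved to $($r.RemoteAddress)"
        Pass   = [bool]$r.TcpTestSucceeded
    }
}

function Invoke-UpgradePreflight {
    param(
        [string]$TaniumServer,   # set when running on the Module Server host
        [string]$ModuleServer    # set when running on the Tanium Server host
    )
    $results = @(Test-SecondaryLogonReady)
    if ($TaniumServer) { $results += Test-PeerPort -Peer $TaniumServer -Port 443 }
    if ($ModuleServer) { $results += Test-PeerPort -Peer $ModuleServer -Port 17477 }
    $results | Format-Table -AutoSize | Out-Host
    # True only when every check passed.
    return -not ($results | Where-Object { -not $_.Pass })
}

# Constructed placeholder host name; replace with your Tanium Server FQDN.
if (-not (Invoke-UpgradePreflight -TaniumServer 'ts1.example.com')) {
    Write-Warning 'Pre-flight failed: fix the items above before running the installer.'
}
```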

Upgrade the Tanium Module Server

  1. Sign in to the Tanium Module Server host system as an administrator user.
  2. Copy the installer (SetupModuleServer.exe) to a temporary location on the host computer.
  3. If the Tanium Module Server has new certificate and public key files, copy them to a temporary location on the Tanium Module Server host computer so you can select them when you run the installer.
  4. Right-click SetupModuleServer.exe and select Run as administrator.
  5. Complete the installation wizard. Consider these points:
    • If the Tanium Module Server has a new certificate and key, use the Use Existing Certificate and Key controls to select them.
    • If the Tanium Server has a new certificate, use the Register with the Tanium Server or Manually specify Tanium Server certificate controls to select it. In an HA deployment, register with the primary Tanium Server.
    • If you do not use automatic registration, or if registration fails, see Install and manually register the Module Server for steps you must perform after completing the wizard to finish registration.
  6. (HA only) Access the CLI of the Module Server host and run the following commands to register with the non-primary Tanium Server.

    cmd-prompt>cd <Module Server>
    cmd-prompt>TaniumModuleServer register <Tanium_Server_FQDN>
    Enter administrator username: <username>
    Enter password for user '<username>':
    Successfully completed registration.

    For information about using the CLI, see Tanium Core Platform Deployment Reference Guide: Command-line interface.

    You typically only need to perform registration one time when you first upgrade to the latest release. You only need to re-register if you change the Tanium Server or Module Server certificates.
  7. Sign in to the Tanium Server host system as an administrator user, open the Windows Registry Editor, navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Tanium\Tanium Server key, and ensure that the ModuleServer value specifies the IP address of the Module Server.

    The IP address 127.0.0.1 applies only to a local Module Server that is installed on the same system as the Tanium Server.

Upgrade the Tanium Zone Server

Tanium™ Zone Server software is installed on the Zone Server Hub (a host computer in the internal network, typically the Tanium Server host computer) and on one or more dedicated Zone Server host computers in the DMZ. Upgrade both types of servers.

When you upgrade, the Tanium Zone Server installer takes the following actions:

  • Stops the Tanium Zone Server service.
  • Updates Tanium Zone Server software.
  • Updates the Windows registry with the values you specify in the interactive installation wizard.
  • Opens required ports in the local host computer Windows Firewall.
  • Starts the Tanium Zone Server service.

Upgrade the Zone Server Hub

  1. Sign in to the Tanium Server host system as an administrator user.
  2. Copy the installer (SetupZoneServer.exe) to a temporary location.
  3. Right-click SetupZoneServer.exe and select Run as administrator.
  4. Complete the installation wizard.

Upgrade the dedicated Zone Server

  1. Sign in to the Tanium Zone Server host system as an administrator user.
  2. Copy the installer (SetupZoneServer.exe) to a temporary location.
  3. Right-click SetupZoneServer.exe and select Run as administrator.
  4. Complete the installation wizard.

Enable trust and configure mappings among servers

If you upgraded from a Tanium Core Platform version earlier than 7.4, you must enable trust between each Tanium Server and Zone Server Hub so that they can communicate. You must also map each Zone Server to a hub so that only trusted Zone Servers communicate with hubs. For the procedures, see Tanium Console User Guide: Managing Zone Servers and hubs.

Verify the servers upgrade

If errors occur when you verify the upgrade, see Troubleshoot server installation and upgrade issues.

  1. Sign in to the Tanium Console as a user with the Administrator role.

    The Console Home page displays any errors that occurred during the Module Server upgrade.

  2. From the Main menu, go to Administration > Configuration > Client Status to review recent Tanium Client registration details and verify that clients are registering as expected.