Configuring Tanium Client subnets

Separated subnets and isolated subnets provide methods for modifying the default peering behavior of Tanium Clients. Before configuring these subnets, be sure you understand the default behavior and the impact of your changes: see Tanium Client User Guide: Configuring Tanium Client Peering.

The Tanium Server stores subnet settings in configuration files on its host computer and does not automatically synchronize the settings with its high availability (HA) peers. If you change these settings in HA deployments, perform the procedure on both Tanium Servers in the HA cluster.

Users require the Administrator reserved role to see and use the Configuration > Tanium Server > Subnets page.

Configure separated subnets

Tanium Clients in a separated subnet can peer only with neighbors that are within that subnet. Clients use the separated subnets configuration for peering based on whether they connect to the Tanium Server or Zone Server. Each server uses the configuration to manage the peer list for clients that register through it. You do not have to restart the Tanium Server or Zone Server services after configuring separated subnets.

  1. Go to Configuration > Tanium Server > Subnets.
  2. Enter each Separated Subnet in CIDR format (such as 192.168.2.0/24). Tanium Core Platform 7.3 and later supports IPv6 subnets (consult your TAM), which you must enter within square brackets followed by the prefix (such as [2001:db8::]/32).

    3. Note: Use either the ; or # character at the beginning of a line or immediately following an entry to add optional comments or documentation.

  3. Save your changes. The Tanium Server stores the configuration as a file named SeparatedSubnets.txt in the installation folder.
  4. Copy the file to the Zone Server installation folder on each Zone Server. In most environments, the file requires the same content for all Zone Servers and Tanium Servers, and the best practice is to keep the files synchronized across servers to avoid confusion. In complex environments with overlapping subnets, you might have to segregate subnets differently for Zone Servers. If necessary, you can modify the SeparatedSubnets.txt copy on each Zone Server that requires a unique configuration.

It takes up to four hours for Tanium Clients to register and receive an updated peer list (registration reset interval).

Configure isolated subnets

Because network communication between VPN clients has significantly greater latency than a client-to-server connection, configure an Isolated Subnet for each of the VPN client subnets to prevent client peering on those subnets. Tanium Clients use the isolated subnets configuration based on whether they connect to the Tanium Server or Zone Server. Each server uses the configuration to manage the peer list for Tanium Clients that register through it. You do not have to restart the Tanium Server or Zone Server services after configuring isolated subnets.

Figure  1:  Isolated subnets
  1. Go to Configuration > Tanium Server > Subnets.
  2. Enter each Isolated Subnet in CIDR format (such as 192.168.2.0/24). Tanium Core Platform 7.3 and later supports IPv6 subnets (consult your TAM), which you must enter within square brackets followed by the prefix (such as [2001:db8::]/32).

    3. Note: Use either the ; or # character at the beginning of a line or immediately following an entry to add optional comments or documentation.

  3. Save your changes. The Tanium Server stores the configuration as a file named IsolatedSubnets.txt in the installation folder.
  4. Copy the file to the Zone Server installation folder on each Zone Server. In most environments, the file requires the same content for all Zone Servers and Tanium Servers, and the best practice is to keep the files synchronized across servers to avoid confusion. In complex environments with overlapping subnets, you might have to segregate subnets differently for Zone Servers. If necessary, you can modify the IsolatedSubnets.txt copy on each Zone Server that requires a unique configuration.

It takes up to four hours for Tanium Clients to register and receive an updated peer list (registration reset interval).