Configuring Tanium Client subnets

Separated subnets and isolated subnets provide methods for modifying the default peering behavior of Tanium Clients. Default peering settings define the boundaries of client subnets in the Tanium™ linear chain architecture. Before configuring separated or isolated subnets, be sure you understand the behavior that the default settings define and the impact of your changes: see Tanium Client User Guide: Configuring Tanium Client Peering.

For the permissions to view and manage the Tanium Client subnet configurations, see Configure Tanium Client subnets.

In Tanium Core Platform 7.4.3 or later, Tanium Servers write subnet configurations to the Tanium database and automatically synchronize them in a high availability (HA) deployment. On Zone Servers, you must manually configure and maintain a SeparatedSubnets.txt file and IsolatedSubnets.txt file.

In most environments, the separated and isolated subnets configurations are the same for all Zone Servers and Tanium Servers. The best practice is to keep the configurations synchronized across servers to avoid confusion. In complex environments with overlapping subnets, you might have to segregate subnets differently for Zone Servers. In such cases, you can modify the subnets configuration on each Zone Server that requires a unique configuration.

The following figure illustrates a deployment where internal Tanium Clients register with Tanium Servers in a high availability (HA) deployment and external clients register with the Zone Server. This example shows separated subnets and isolated subnets within the linear chains that the default peering settings define.

Figure 1: Tanium Client peering

Configure separated subnets

Tanium Clients in a separated subnet can peer only with other clients that are within that subnet. Which separated subnets configuration applies to a client depends on whether the client registers through the Tanium Server or a Zone Server: each server uses its own configuration to build the peer list for the clients that register through it. You do not have to restart the Tanium Server or Zone Server services after configuring separated subnets.

After you configure separated subnets, Tanium Clients can take up to four hours (the client reset interval) to finish applying all the changes associated with the new configuration. To verify that the separated subnets work as expected after the clients register, see Tanium Client User Guide: Configuring Tanium Client peering.

Configure separated subnets on the Tanium Server

  1. From the Main menu, select Console > Configuration > Tanium Server and click Subnets.
  2. In the Separated Subnets section, click New Subnets.
  3. Enter each separated subnet in CIDR format (such as 192.168.2.0/26), with one line per entry.

    Tanium Core Platform 7.3 or later supports IPv6 subnets (consult your TAM). You must enter IPv6 subnets within square brackets followed by the prefix (such as [2001:db8::]/32).

    The following is an example:

    192.168.0.0/26
    192.168.2.0/26
    [2001:db8::]/32

    If your deployment includes Zone Servers, copy your entries from the text field to your clipboard to facilitate the associated task: Configure separated subnets on a Zone Server.

  4. Save your changes.

Configure separated subnets on a Zone Server

If your deployment includes Zone Servers, perform the following steps based on your Tanium infrastructure to add a separated subnets configuration to each server.

Windows infrastructure

  1. Create a plain text file named SeparatedSubnets.txt.
  2. Copy and paste the separated subnets information that you entered for the Tanium Server into SeparatedSubnets.txt.

    If you did not already copy the information to your clipboard, go to Console > Configuration > Tanium Server, click Subnets, select the separated subnets configuration, click Edit, and copy the entries from the text field.

  3. Move SeparatedSubnets.txt to the installation folder of each Zone Server (default is \Program Files (x86)\Tanium\Tanium Zone Server). If necessary, you can modify the file contents for each Zone Server that requires a unique configuration.

Tanium Appliance infrastructure

  1. On the Zone Server appliance, log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter 2 to go to the Tanium Operations menu.
  3. Enter 2 to go to the Configuration Settings menu.
  4. Enter 12 to edit the SeparatedSubnets.txt file.
  5. Use the menu to specify subnets in CIDR format.

Configure isolated subnets

Tanium Clients in an isolated subnet do not peer at all; each client communicates only with the server it registers through. Network communication between VPN clients typically hairpins through the VPN concentrator and has significantly greater latency than a client-to-server connection, so configure an isolated subnet for each VPN client subnet to prevent Tanium Client peering on those subnets. Which isolated subnets configuration applies to a client depends on whether the client registers through the Tanium Server or a Zone Server: each server uses its own configuration to build the peer list for the Tanium Clients that register through it. You do not have to restart the Tanium Server or Zone Server services after configuring isolated subnets.

After you configure isolated subnets, Tanium Clients can take up to four hours (the client reset interval) to finish applying all the changes associated with the new configuration. To verify that the isolated subnets work as expected after the clients register, see Tanium Client User Guide: Configuring Tanium Client peering.

Configure isolated subnets on the Tanium Server

  1. From the Main menu, select Console > Configuration > Tanium Server and click Subnets.
  2. In the Isolated Subnets section, click New Subnets.
  3. Enter each isolated subnet in CIDR format (such as 192.168.2.0/26), with one line per entry.

    Tanium Core Platform 7.3 or later supports IPv6 subnets (consult your TAM). You must enter IPv6 subnets within square brackets followed by the prefix (such as [2001:db8::]/32).

    The following is an example:

    192.168.0.0/26
    192.168.2.0/26
    [2001:db8::]/32

    If your deployment includes Zone Servers, copy your entries from the text field to your clipboard to facilitate the associated task: Configure isolated subnets on a Zone Server.

  4. Save your changes.

Configure isolated subnets on a Zone Server

If your deployment includes Zone Servers, perform the following steps based on your Tanium infrastructure to add an isolated subnets configuration to each server.

Windows infrastructure

  1. Create a plain text file named IsolatedSubnets.txt.
  2. Copy and paste the isolated subnets information that you entered for the Tanium Server into IsolatedSubnets.txt.

    If you did not already copy the information to your clipboard, go to Console > Configuration > Tanium Server, click Subnets, select the isolated subnets configuration, click Edit, and copy the entries from the text field.

  3. Move IsolatedSubnets.txt to the installation folder of each Zone Server (default is \Program Files (x86)\Tanium\Tanium Zone Server). If necessary, you can modify the file contents for each Zone Server that requires a unique configuration.

Tanium Appliance infrastructure

  1. On the Zone Server appliance, log into the TanOS console as a user with the tanadmin role.
  2. From the tanadmin menu, enter 2 to go to the Tanium Operations menu.
  3. Enter 2 to go to the Configuration Settings menu.
  4. Enter 11 to edit the IsolatedSubnets.txt file.
  5. Use the menu to specify subnets in CIDR format.
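Before copying SeparatedSubnets.txt and IsolatedSubnets.txt to Zone Servers, it is worth checking that every entry is in the format the procedures above require (CIDR, IPv6 in square brackets, no host bits set), that no separated subnet overlaps an isolated one, and that the Zone Server files match the Tanium Server configuration as the best practice earlier on this page recommends. The following Python script is an added example written for this page; it is not Tanium code and does not use any Tanium API. The sample file bodies in it are constructed, and the rule it reports for an address that falls in both an isolated and a separated subnet (isolated wins) is the example's own conservative convention, not documented Tanium behavior.

```python
"""Check SeparatedSubnets.txt / IsolatedSubnets.txt contents before deployment.

Added example; not Tanium code. It assumes only the file format described on
this page: one subnet per line in CIDR notation, IPv6 written as [prefix]/len.
The sample file bodies below are constructed for illustration.
"""
import ipaddress
import re

# One entry per line: "192.168.2.0/26" or "[2001:db8::]/32". Unbracketed IPv6
# is rejected, matching the page's requirement for square brackets.
_ENTRY = re.compile(
    r"^(?:(?P<v4>\d{1,3}(?:\.\d{1,3}){3})|\[(?P<v6>[0-9A-Fa-f:.]+)\])/(?P<plen>\d{1,3})$"
)


def parse_subnet_file(text):
    """Return (networks, errors) for one file body.

    Blank lines are skipped. A line that is not in the accepted format, or whose
    host bits are set (e.g. 172.16.5.1/24), is reported as an error and dropped.
    """
    networks, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        m = _ENTRY.match(line)
        if not m:
            errors.append(f"line {lineno}: {line!r} is not CIDR (IPv6 must be bracketed)")
            continue
        addr = m.group("v4") or m.group("v6")
        try:
            networks.append(ipaddress.ip_network(f"{addr}/{m.group('plen')}", strict=True))
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
    return networks, errors


def find_conflicts(separated, isolated):
    """Pairs (separated, isolated) that overlap.

    An address in the overlap matches both lists, so the intended peering
    behaviour for it is ambiguous; resolve that before copying the files.
    """
    return [(s, i) for s in separated for i in isolated
            if s.version == i.version and s.overlaps(i)]


def peering_rule(client_ip, separated, isolated):
    """Classify an address: ("isolated", net), ("separated", net) or ("default", None).

    This example's own convention (an assumption, not documented Tanium
    behaviour): an address in any isolated subnet gets the conservative
    "no peering" rule even if it also falls in a separated subnet.
    """
    ip = ipaddress.ip_address(client_ip)
    for kind, nets in (("isolated", isolated), ("separated", separated)):
        for net in nets:
            if net.version == ip.version and ip in net:
                return (kind, net)
    return ("default", None)


def out_of_sync(reference_txt, zone_txt):
    """(missing_on_zone, extra_on_zone): Tanium Server entries vs. a Zone Server file."""
    ref = set(parse_subnet_file(reference_txt)[0])
    zone = set(parse_subnet_file(zone_txt)[0])
    return sorted(ref - zone, key=str), sorted(zone - ref, key=str)


# Constructed sample bodies. SEPARATED_TXT mirrors the page's example entries;
# ISOLATED_TXT deliberately contains an overlap and two malformed lines.
SEPARATED_TXT = """\
192.168.0.0/26
192.168.2.0/26
[2001:db8::]/32
"""
ISOLATED_TXT = """\
10.8.0.0/16
192.168.2.0/24
2001:db8:1::/48
172.16.5.1/24
"""


def check_deployment(separated_txt, isolated_txt, sample_clients):
    """Run every check above and return one report dict."""
    sep, sep_errs = parse_subnet_file(separated_txt)
    iso, iso_errs = parse_subnet_file(isolated_txt)
    return {
        "errors": sep_errs + iso_errs,
        "conflicts": find_conflicts(sep, iso),
        "rules": {c: peering_rule(c, sep, iso) for c in sample_clients},
    }


if __name__ == "__main__":
    report = check_deployment(SEPARATED_TXT, ISOLATED_TXT,
                              ["192.168.2.10", "10.8.3.4", "2001:db8::1", "192.168.5.1"])
    for err in report["errors"]:
        print("ERROR:", err)
    for s, i in report["conflicts"]:
        print(f"CONFLICT: separated {s} overlaps isolated {i}")
    for client, (kind, net) in report["rules"].items():
        print(f"{client}: {kind}" + (f" ({net})" if net else ""))
```

Run it against the real file contents by replacing the constructed bodies with the text copied from the Subnets page and from each Zone Server file. The parser uses strict=True so an entry such as 172.16.5.1/24 is rejected rather than silently normalized to 172.16.5.0/24, and out_of_sync gives the per-Zone-Server drift report for the sync best practice described earlier on this page; Zone Servers that intentionally carry a unique configuration will show differences, which is expected.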