Configuring Tanium Client subnets

Separated subnets and isolated subnets provide methods for modifying the default peering behavior of Tanium Clients. Default peering settings define the boundaries of client subnets in the Tanium™ linear chain architecture. Before configuring separated or isolated subnets, be sure that you understand the behavior that the default settings define and the impact of your changes: see Tanium Client User Guide: Configuring Tanium Client Peering.

For the permissions to view and manage the Tanium Client subnet configurations, see Configure Tanium Client subnets .

In Tanium Core Platform 7.4.3 or later, Tanium Servers write subnet configurations to the Tanium database and automatically synchronize them in an active-active deployment. On Zone Servers, you must manually configure and maintain a SeparatedSubnets.txt file and IsolatedSubnets.txt file.

In most environments, the separated and isolated subnets configurations are the same for all Zone Servers and Tanium Servers. Keep the configurations synchronized across servers to avoid confusion. In complex environments with overlapping subnets, you might have to segregate subnets differently for Zone Servers. In such cases, modify the subnets configuration on each Zone Server that requires a unique configuration.

The following figure illustrates a deployment with where internal Tanium Clients connect with Tanium Servers in an active-active deployment and external clients connect with the Zone Server. This example shows separated subnets and isolated subnets within the linear chains that the default peering settings define.

The following figure shows the Tanium database on a dedicated host. However, in a Tanium Appliance deployment, the database is on the same host as the Tanium Servers.

Configure separated subnets

Tanium Clients in a separated subnet can peer only with other clients that are within that subnet. Configure separated subnets to specify more granular exceptions for Tanium Client peering than the default /24 subnet boundaries that the address mask or prefix settings define (see Tanium Client User Guide: Address mask and prefix settings). Clients use the separated subnets configuration for peering based on whether they connect to the Tanium Server or Zone Server. Each server uses the configuration to manage the peer lists for clients that register through it. After you configure separated subnets, you do not have to restart the servers.

After you configure separated subnets, Tanium Clients take two to six hours (the randomized client-reset interval) to finish applying all the changes associated with the new configuration. To verify that the separated subnets work as expected after the clients register, see Tanium Clients User Guide: Verify Tanium Client peering and leader connections.

Configure separated subnets on the Tanium Server

From the Main menu, go to Administration > Configuration > Subnets.
In the Separated Subnets section, click New Subnets.
Enter each separated subnet in CIDR format (such as: 192.168.2.0/26), with one line per entry. Use the ; or # character before any optional comments.
Tanium Core Platform 7.3 or later supports IPv6 subnets (for details, contact Tanium Support at [email protected]). You must enter IPv6 subnets within square brackets followed by the prefix (such as: [2001:db8::]/32).
See the following example:
192.168.0.0/26 #This is a data center subnet.
192.168.2.0/26 ;This is a branch office subnet.
[2001:db8::]/32
If your deployment includes Zone Servers, copy your entries from the text field to your clipboard to facilitate the associated task: Configure separated subnets on a Zone Server.
Click Save.

Configure separated subnets on a Zone Server

If your deployment includes Zone Servers, perform the following steps based on your Tanium infrastructure to add a separated subnets configuration to each server.

Windows infrastructure

Create a plain text file named SeparatedSubnets.txt.
Copy and paste the separated subnets information that you entered for the Tanium Server into SeparatedSubnets.txt.
If you did not already copy the information to your clipboard, go to Administration > Configuration > Subnets, select the separated subnets configuration, click Edit, and copy the entries from the text field.
Move SeparatedSubnets.txt to the installation directory of each Zone Server (default is \Program Files (x86)\Tanium\Tanium Zone Server). If necessary, you can modify the file contents for each Zone Server that requires a unique configuration.

Tanium Appliance infrastructure

On the Zone Server appliance, sign into the TanOS console as a user with the tanadmin role.

From the tanadmin menu, enter 2 to go to the Tanium Operations menu.

View screen

------------------------------------------------------

             >>> Tanium Operations Menu <<< 

         1: Tanium Service Control
         2: Tanium Configuration Settings
         3: Change Tanium Port
         4: Install Custom SOAP Cert
         5: Manage Custom Signing Keys
         6: Download Public Key
         7: Download SOAP Certificate

         A: Configure Remote Module Server
         B: Configure Tanium Cluster
         C: Manage Content
         M: Module Operations

         I: Import public key to Tanium Zone Server

         X: Advanced Operations

         H: Help
         R: Return to previous menu

------------------------------------------------------

Enter 2 to go to the Configuration Settings menu.

View screen

------------------------------------------------------

 >>> Tanium Operations -> Configuration Settings <<< 

Note: Some settings may require a service restart to take effect.

          1: Edit Tanium Server Settings
          2: Edit Tanium Server TDL Settings
          3: Add Tanium Server TDL Auth User
          4: Add Tanium Server TDL Auth Cert

          5: Edit Tanium Module Server Settings
          6: Edit Tanium Module Server TDL Settings
          7: Add Tanium Module Server TDL Auth User
          8: Add Tanium Module Server TDL Auth Cert

          9: Edit Tanium Zone Server Settings
          11: Edit isolated subnets list
          12: Edit separated subnets list

          13: Control RedHat CA Cert

          H: Help
          R: Return to previous menu

------------------------------------------------------

Enter 12 to edit the SeparatedSubnets.txt file.

View screen

>>> Tanium TanOS -> Tools -> Edit Files -> SeparatedSubnets.txt <<< 

          #: Line Content

          1: 192.168.1.0/24

          A: Add a line

          R: Return to previous menu

------------------------------------------------------

Use the menu to specify subnets in CIDR format.

Configure isolated subnets

Configure isolated subnets to disable client peering for a specified list of subnet and endpoint IP addresses. If the IP address of a Tanium Client is in an isolated subnet, TaaS the Tanium Server or Zone Server sends that client an empty peer list to prevent the client from participating in peering.

After you configure isolated subnets, you do not have to restart the Tanium Servers or Zone Servers. Tanium Clients take two to six hours (the randomized client-reset interval) to finish applying all the changes associated with the new configuration. To verify that the isolated subnets work as expected after the clients register, see Tanium Clients User Guide: Verify Tanium Client peering and leader connections.

Configure isolated subnets for Tanium Clients that are in VPNs. VPN clients have local IP addresses in a special VPN address block, but their host endpoints are actually not close to each other. VPN clients would use WAN links for peering and latency would be significantly greater than for client-to-server connections.

You might find it convenient to use isolated subnets to disable peering in other cases, such as for testing or debugging peering when you have to troubleshoot network issues. Note that disabling peering causes Tanium Clients to consume more network resources in terms of bandwidth and client-server connections over the WAN. For troubleshooting cases, after you resolve the network issues, the best practice is to remove the clients from the isolated subnets configuration so that they resume peering.

Configure isolated subnets on the Tanium Server

From the Main menu, go to Administration > Configuration > Subnets.
In the Isolated Subnets section, click New Subnets.
Enter each isolated subnet in CIDR format (such as 192.168.2.0/26), with one line per entry. Use the ; or # character before any optional comments.
Tanium Core Platform 7.3 or later supports IPv6 subnets (contact Tanium Support at [email protected]). You must enter IPv6 subnets within square brackets followed by the prefix (such as [2001:db8::]/32).
See the following example:
192.168.0.0/26 #This is a data center subnet.
192.168.2.0/26 ;This is a branch office subnet.
[2001:db8::]/32
If your deployment includes Zone Servers, copy your entries from the text field to your clipboard to facilitate the associated task: Configure isolated subnets on a Zone Server.
Click Save.

Configure isolated subnets on a Zone Server

If your deployment includes Zone Servers, perform the following steps based on your Tanium infrastructure to add an isolated subnets configuration to each server.

Windows infrastructure

Create a plain text file named IsolatedSubnets.txt.
Copy and paste the isolated subnets information that you entered for the Tanium Server into IsolatedSubnets.txt.
If you did not already copy the information to your clipboard, go to Administration > Configuration > Subnets, select the isolated subnets configuration, click Edit, and copy the entries from the text field.
Move IsolatedSubnets.txt to the installation directory of each Zone Server (default is \Program Files (x86)\Tanium\Tanium Zone Server). If necessary, you can modify the file contents for each Zone Server that requires a unique configuration.

Tanium Appliance infrastructure

On the Zone Server appliance, sign into the TanOS console as a user with the tanadmin role.

From the tanadmin menu, enter 2 to go to the Tanium Operations menu.

View screen

------------------------------------------------------

             >>> Tanium Operations Menu <<< 

         1: Tanium Service Control
         2: Tanium Configuration Settings
         3: Change Tanium Port
         4: Install Custom SOAP Cert
         5: Manage Custom Signing Keys
         6: Download Public Key
         7: Download SOAP Certificate

         A: Configure Remote Module Server
         B: Configure Tanium Cluster
         C: Manage Content
         M: Module Operations

         I: Import public key to Tanium Zone Server

         X: Advanced Operations

         H: Help
         R: Return to previous menu

------------------------------------------------------

Enter 2 to go to the Configuration Settings menu.

View screen

------------------------------------------------------

 >>> Tanium Operations -> Configuration Settings <<< 

Note: Some settings may require a service restart to take effect.

          1: Edit Tanium Server Settings
          2: Edit Tanium Server TDL Settings
          3: Add Tanium Server TDL Auth User
          4: Add Tanium Server TDL Auth Cert

          5: Edit Tanium Module Server Settings
          6: Edit Tanium Module Server TDL Settings
          7: Add Tanium Module Server TDL Auth User
          8: Add Tanium Module Server TDL Auth Cert

          9: Edit Tanium Zone Server Settings
          11: Edit isolated subnets list
          12: Edit separated subnets list

          13: Control RedHat CA Cert

          H: Help
          R: Return to previous menu

------------------------------------------------------

Enter 11 to edit the IsolatedSubnets.txt file.

View screen

>>> Tanium TanOS -> Tools -> Edit Files -> IsolatedSubnets.txt <<< 

          #: Line Content

          1: 192.168.1.0/24

          A: Add a line

          R: Return to previous menu

------------------------------------------------------

Use the menu to specify subnets in CIDR format.