Managing Zone Servers and hubs

Tanium as a Service automatically establishes and manages trust among Tanium Core Platform components.

In deployments where network security policies do not allow Tanium Clients in an external, untrusted network to initiate connections with the Tanium Server, you can deploy a Tanium Zone Server in the DMZ to proxy communication between the clients and Tanium Server. The Tanium Server communicates with the Zone Server through a Tanium Zone Server Hub. You must enable trust between each Tanium Server and hub so that they can communicate. You must also map each Zone Server to a hub so that only trusted Zone Servers communicate with hubs. In an active-active deployment, enable trust and configure mappings for each Tanium Server, Zone Server, and hub.

Figure 1: Zone Server deployment

In Tanium™ Appliance deployments, the Zone Server Hub is always installed on the Tanium Server. In Windows deployments, the hub is typically installed on the Tanium Server but can also be on a dedicated host.

For more information about the Zone Server and hub and the procedures to install them, see:

The following procedures address these use cases:

  • You upgraded from Tanium Core Platform 7.3 or earlier and must enable trust and configure mappings because the servers require them in version 7.4 or later.
  • You completed the fresh installation of the Tanium Servers, Zone Servers, and Zone Server Hubs, and now you must enable trust and configure mappings.
  • You must add a Zone Server or hub to an existing deployment.
  • You must replace a Zone Server or hub. In this case, you must revoke the trust state and delete the mappings for the old hub and then enable trust and configure mappings for the new hub.

You require the Administrator reserved role to manage trust and mappings among Zone Servers and hubs.

Establish trust and configure mappings

Before you begin

In an active-active deployment, perform the following tasks in sequence on each Tanium Server.

Approve trust for Zone Server Hubs

Perform the following steps for each Zone Server Hub.

If you upgraded the Zone Server Hub from version 7.3 or earlier, the hub migrates the ZoneServerList.txt file into Zone Server mappings after you approve trust for the hub.

  1. Display the registration fingerprint of the Zone Server Hub so that, in a later step, you can verify its identity before establishing trust.

    Appliance deployment:

    1. Sign in to the TanOS console of the Zone Server Hub appliance as a user with the tanadmin role.
    2. Enter @ to open the About the Appliance page and note the value of the TZS Hub Registration Fingerprint field.

    Windows deployment:

    1. Sign in to the Zone Server Hub and access the CLI.
    2. Navigate to the Zone Server Hub installation directory (such as \Program Files (x86)\Tanium\Tanium ZoneServer):

      > cd <Zone Server>

    3. Display the registration fingerprint of the Zone Server Hub:

      > TaniumZoneServer pki show-registration-fingerprint

  2. Sign in to the Tanium Console of a Tanium Server.
  3. From the Main menu, go to Administration > Configuration > Zone Servers > Zone Server Hubs.

    The page displays a tile for each Zone Server Hub that you installed.

  4. Verify the identity of each Zone Server Hub by its Fingerprint and its IP address or FQDN.

    If the identifiers of a Zone Server Hub are wrong, decommission the hub before denying trust for it. Denied trust is irreversible for any particular instance of a hub. To subsequently approve trust, you must uninstall and reinstall the hub so that it generates a new fingerprint.

  5. In the Zone Server Hub tile, click Accept and Confirm.

    The tile shows the trust Status is Approved.

Map Zone Servers to a Zone Server Hub

After approving trust for Zone Server Hubs, perform the following steps for each Zone Server. In an active-active deployment, map both Zone Servers to each Zone Server Hub.

  1. Display the registration fingerprint of the Zone Server so that, in a later step, you can verify its identity before establishing trust.

    Appliance deployment:

    1. Sign in to the TanOS console of the Zone Server appliance as a user with the tanadmin role.
    2. Enter @ to open the About the Appliance page and note the value of the TZS Registration Fingerprint field.

    Windows deployment:

    1. Sign in to the Zone Server and access the CLI.
    2. Navigate to the Zone Server installation directory (such as \Program Files (x86)\Tanium\Tanium ZoneServer):

      > cd <Zone Server>

    3. Display the registration fingerprint of the Zone Server:

      > TaniumZoneServer pki show-registration-fingerprint

  2. Sign in to the Tanium Console.
  3. From the Main menu, go to Administration > Configuration > Zone Servers > Zone Server Hubs.
  4. In a Zone Server Hub tile, click Add Zone Server.
  5. Enter the Zone Server FQDN, Host Name, or IP address.
  6. (Optional) If you configured the Zone Server to use a port other than the default 17472 for traffic from the Zone Server Hub, select Override Default Port and enter the port number.

    Configure separate ports for traffic from Zone Server Hubs and Tanium Clients to improve the security of the Zone Server. See Tanium Core Platform Deployment Guide for Windows: Configure ports for traffic from Zone Server Hubs and Tanium Clients.

  7. Click Save.

    Below the Zone Server Hub tile, the Tanium Console displays a tile for the Zone Server that you added.

  8. Click the Zone Servers tab.

    The page displays a tile with a Status of Pending for each Zone Server that you added.

  9. Verify the identity of each Zone Server by its Fingerprint and its IP address or FQDN.

    If the identifiers of a Zone Server are wrong, decommission the server before denying trust for it.

  10. In the Zone Server tile, click Accept and Confirm.

    The tile shows the mapping Status is Approved.

Revoke trust and delete mappings

If you need to replace one of the Zone Server Hubs, revoke the trust state and Zone Server mappings for the old hub before establishing trust and mappings for the new hub. If you need to replace a Zone Server, delete its hub mapping before creating a mapping for the new Zone Server.

You cannot undo the revocation of server trust without reinstalling the revoked Zone Server or Zone Server Hub.

In an active-active deployment, perform these tasks on each Tanium Server.

Revoke a Zone Server Hub

  1. Sign in to the Tanium Console of a Tanium Server.
  2. From the Main menu, go to Administration > Configuration > Zone Servers > Zone Server Hubs.

    The page displays a tile for each Zone Server Hub.

  3. In the Zone Server Hub tile, click Revoke and Confirm.

Revoke a Zone Server

  1. Sign in to the Tanium Console of a Tanium Server.
  2. From the Main menu, go to Administration > Configuration > Zone Servers > Zone Servers.

    The page displays a tile for each Zone Server.

  3. In the Zone Server tile, click Revoke and Confirm.

Delete a Zone Server Hub-to-Zone Server mapping

  1. Sign in to the Tanium Console of a Tanium Server.
  2. From the Main menu, go to Administration > Configuration > Zone Servers > Zone Server Hubs.

    The page displays a Zone Server tile for each mapping.

  3. In the Zone Server tile, click Delete Mapping.