Installing Tanium Server 6.5 in an Active-Active Array

Introduction

Tanium Endpoint Platform supports the deployment of 2 Tanium Servers, in a high-availability active-active server array. This section describes the requirements for an installation of Tanium Server in an active-active array.

Server Description

A Tanium active-active server array has the following characteristics:

  • The servers in the array read from and write to the same databases.
  • Each server in the array creates an entry for itself in the tanium database that identifies it to other servers in the array.
  • Each server passes Tanium messages, for example, answers to questions, to its array partners.
  • Each array member is able to host package source files that are uploaded to one member. 

Configurations for an active-active array

Deployment of Tanium Server in an active-active configuration requires the members of the server array to be deployed within the same network zone with consideration given to ensuring the continued operation of the Tanium-managed environment. In cases requiring high-availability across multiple network zones, use Tanium Zone Server.

The active-active deployment of Tanium Endpoint Platform with Tanium Server 6.5 includes the following physical or virtual server devices.

  • Two devices, each hosting a Tanium Server instance
  • A dedicated device for Tanium Module Server
  • A server device hosting the Active Directory Domain Controller role
  • A dedicated device for Microsoft SQL Server
Figure 1. A basic configuration of Tanium Server 6.5 in an active-active server array

Load-balancing an active-active server array

Tanium Server supports the following additional methods of distributing traffic among members of the server array.

Server Name List
Tanium Client version 6.X for Windows, Linux, Unix and Mac supports the random selection of a Tanium Server instance from a list of IP addresses that you define.
Server Name Script
A script, written in any language supported by the respective operating system, that the client executes to generate a comma-separated list of network addresses. The client attempts to contact the Tanium Server using each address in the order in which the script outputs them.

Using a script to determine the network address used to reach the Tanium Server, based on inspectable characteristics of the host, enables an organization to assign the server's network address dynamically. For example, hosts that appear to be in California should connect to a West Coast server before connecting to an East Coast server. Use the Console's Global Settings tab to create the ServerNameScript setting and assign it a value. Treat the value as read-only: make any necessary changes only through the Global Settings feature of the Tanium Console, not manually or programmatically.
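As an added illustration of the Server Name Script approach (not code from the original article or from Tanium), the following POSIX sh script chooses the server order from the client's own address. The server addresses 192.0.2.10 and 198.51.100.10 and the 10.1.x.x / 10.2.x.x ranges are placeholders; the client IP is read from the command line so the logic can be exercised without a live network.

```shell
#!/bin/sh
# Added example: a Server Name Script that prints the Tanium Server addresses a
# client should try, nearest first. All addresses and ranges are placeholders.
WEST_SERVER="192.0.2.10"      # placeholder: West Coast Tanium Server
EAST_SERVER="198.51.100.10"   # placeholder: East Coast Tanium Server

# Print a comma-separated list for the given client IP. The client contacts the
# addresses in exactly this order, so the preferred server comes first.
tanium_server_list() {
    client_ip="$1"
    case "$client_ip" in
        10.1.*) printf '%s,%s\n' "$WEST_SERVER" "$EAST_SERVER" ;;  # West Coast hosts
        10.2.*) printf '%s,%s\n' "$EAST_SERVER" "$WEST_SERVER" ;;  # East Coast hosts
        *)      printf '%s,%s\n' "$EAST_SERVER" "$WEST_SERVER" ;;  # unknown: default order
    esac
}

# Best-effort discovery of the host's primary IPv4 address (Linux, then macOS).
local_ip() {
    ip=$(hostname -I 2>/dev/null | awk '{print $1}')
    [ -n "$ip" ] || ip=$(ipconfig getifaddr en0 2>/dev/null)
    printf '%s\n' "$ip"
}

# Use the address given on the command line, otherwise the host's own address.
if [ $# -gt 0 ]; then
    tanium_server_list "$1"
elif [ -n "${TANIUM_SNS_RUN:-}" ]; then
    tanium_server_list "$(local_ip)"
fi
```

When deployed as the real ServerNameScript, run it without arguments and with TANIUM_SNS_RUN set (or drop that guard) so the host's own address is used.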

Requirements for an active-active configuration

An active-active Tanium Server array has requirements in addition to those that are required for the installation of Tanium Server on a single host. These include the following:

  • Array members must run the same version of Tanium Server.
  • Array members must be connected to each other.
  • Array members must share a reliable, high-throughput connection.
  • Array members must be able to access the Internet to download files from designated domains. Access can be direct or made through a proxy server.
  • Your deployment of Tanium Endpoint Platform includes a management server that meets or exceeds the requirements outlined in Application and Database Server Resource Guidelines for the total number of computers to be managed.
  • Every additional server provisioned in the array must be able to support the total number of computers to be managed according to the requirements outlined in Application and Database Server Resource Guidelines.
  • Your deployment includes an existing, remote SQL Server instance that hosts the tanium and tanium_archive databases. The servers that form the array will share this instance.
  • Requirements for Tanium Module Server with an active-active array: the Tanium Module Server supports a 2-server high-availability model, but not all Tanium modules yet support the high-availability function. Contact your Technical Account Manager for more information.

Before you install

This section provides information about what you should have on hand before you begin to install Tanium Server 6.5 with a remotely located database.

Port configuration for a Tanium server array

A Tanium server array requires the following port configuration.

Source                                        Port    Destination
Array Member Server 1                         17472   Array Member Server 2
Array Member Server 2                         17472   Array Member Server 1
Array Member Server 1                         443     Array Member Server 2
Array Member Server 2                         443     Array Member Server 1
Any computer authorized to run the console    443     Array Member Server 1
Array Member Server 1                         444     Array Member Server 2
Array Member Server 2                         444     Array Member Server 1
Any computer authorized to run the console    444     Example

Firewall rules for active-active configuration

Configure firewalls to allow the following communications over TCP.

Allow (bi-directional)
  Source address:                All Tanium application server array members
  Source process and port:       Tanium Server (TaniumReceiver.exe), 17472
  Destination address:           All Tanium application server array members
  Destination process and port:  Tanium Server (TaniumReceiver.exe), 17472

Allow
  Source address:                All Tanium application server array members
  Source process and port:       php.exe, 80
  Destination address:           Domain names or IP addresses of external servers hosting required download files
  Destination process and port:  N/A, 80

Allow
  Source address:                All Tanium application server array members
  Source process and port:       Tanium Server (TaniumReceiver.exe), 1433
  Destination address:           Remote Microsoft SQL Server DBMS server
  Destination process and port:  MSSQLSERVER (sqlservr.exe), 1433

Allow
  Source address:                Any computer allowed to run the Console
  Source process and port:       N/A, 443
  Destination address:           Tanium application server
  Destination process and port:  Tanium Server (TaniumReceiver.exe), 443

Installation of an active-active Tanium Server array

Install Tanium Server on the first server device in the array, install the SQL Database, and then install and configure Tanium Module Server

  • If you have not already deployed a dedicated Active Directory Domain Controller, do so before adding a second Tanium Server instance to create the server array. The DHCP and DNS roles are required to implement the server array.
  • Use the instructions in the first section of this document to install Tanium Server and the remote instance of Microsoft SQL Server that hosts the tanium and tanium_archive databases. For more information, see Installing Tanium Server: Step-by-Step.
  • Install Tanium Module Server on a dedicated server device using the instructions in Tanium Module Server Installation and be sure to remove the local instance of Tanium Module Server from the first Tanium Server device. 

Install Tanium Server onto the second device in the server array

  • Create the same root folder structure that you used on the first server device on which you deployed Tanium Server. By default, this is \Program Files\Tanium\Tanium Server.
  • Copy the SOAPServer.crt and SOAPServer.key files from the installation folder of the installed Tanium Server device to the installation folder on the second server device.
  • Verify that you have the same Tanium Server installer that was used to install the first Tanium Server device.
  • Copy the installer to the installation directory on the second server device.
  • Repeat Step 1: Open the installer and review the license agreement.
  • Select the Custom install option.
  • When prompted during the installation process, specify the same database instance that you named for the first server.
  • Configure the client. 

Download file synchronization

Each Tanium Server in the server array maintains its own download location for files in Tanium packages. Download files are synchronized between server devices based on how they were added to the package.

Files added to packages by using the Add Local Files option

  • The files are uploaded to the primary Tanium Server.
  • The files are renamed to match their SHA-256 value.
  • The files are then saved to the \Downloads folder.

File synchronization

Within five minutes of file upload, each member of the server array attempts an HTTPS connection to the first server to obtain copies of any files that are not already contained in its \Downloads folder.

CAUTION

Synchronization may fail if members of the server array are using a self-signed SSL certificate. This scenario requires an update to the Windows Registry on each server device: the TrustedHostList server registry value must be updated to include the IP addresses of all members of the server array.

Files added by using the Add URI option

In this case, the files are referenced by the specification of a URI, for example, a web URL or a \\server\share location.

  • The first server downloads the files by the specified URI.
  • If the package includes the SHA-256 hash of a file, each of the remaining members of the server array attempts to download the file from one of the other servers.
  • If the package does not include the hash of the file, or the file is not available from another array member, the server downloads the files from the URI source locations that are defined in the package and saves those files to the \Downloads folder.

CAUTION

Downloads may fail if members of the server array must interact with a proxy server to download external files and the following conditions exist:

  • Proxy settings have not been configured.
  • Web filter rules have not been configured.
  • Windows Registry has not been updated with the Trusted Host List. 
  • Windows Registry has not been updated with the Trusted Certificate Path. 

Tanium actions that require the deployment of a package will not execute on endpoints until all array members receive the file. In the event that the download queue is full, the interval before servers initiate new downloads may exceed 5 minutes.
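As an added operational check (not part of the original article or of Tanium's software), the following POSIX sh script audits a server's download folder against the two rules described above: every file is named by its SHA-256 value, so a name that does not match the file's actual hash indicates a corrupted or altered copy, and a file present on one array member but absent on another indicates that synchronization has not completed. Folder paths are passed as arguments; no Tanium paths are assumed.

```shell
#!/bin/sh
# Added example: audit Tanium Server download folders. Files in \Downloads are
# named by their SHA-256 value, so the file name doubles as an integrity check.

# Portable lowercase SHA-256 of a file (sha256sum on Linux, shasum on macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Print one MISMATCH line per file whose name is not its own SHA-256.
# Returns 0 when every file in the folder checks out, 1 otherwise.
verify_downloads() {
    dir="$1"; bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f" | tr 'A-Z' 'a-z')
        hash=$(sha256_of "$f")
        if [ "$name" != "$hash" ]; then
            echo "MISMATCH $f (actual sha256 $hash)"
            bad=1
        fi
    done
    return $bad
}

# Print one MISSING line per file present in folder $1 but absent from $2,
# i.e. a package file the second array member has not yet synchronized.
# Returns 0 when the second folder holds every file of the first, 1 otherwise.
missing_from() {
    missing=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if [ ! -f "$2/$(basename "$f")" ]; then
            echo "MISSING $(basename "$f") from $2"
            missing=1
        fi
    done
    return $missing
}
```

Run verify_downloads on each member, then missing_from in both directions between members, before assuming a package action will execute on endpoints.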

Tanium Module Server

In an Active-Active server setup both servers will utilize the same module server for the modules that will be installed. At this time, the Tanium modules are not configured to support Active-Active. For this reason, it is common to have an Active-Active pair of Tanium Servers and only one Tanium Module Server.

Importing Tanium Workbenches in an Active-Active Setup

When a Tanium workbench, such as Connect or IOC Detect, is imported from the "Solutions" tab of the console, files are downloaded to the Tanium Server to serve the browser and add the necessary tab in the console. At this time, these files are not synchronized between Tanium Servers. This makes it necessary to import the module on each server in order to have the workbenches available in the console on both servers. This will re-install the module on the module server, but this is a harmless operation.

Since the workbenches in the console appear from left to right in the order that they are imported, it is recommended to import the modules in the same order on TaniumServer01 as you will on TaniumServer02 so that the tabs are in the same order. Contact your Technical Account Manager if you need assistance with re-ordering the workbenches in the console.

There is an existing request being worked on to eliminate the need to import on each server.

Hot Spare Module Server

If the Tanium Module Server goes down, the Tanium console will be crippled in functionality. For this reason, it is an option to have a second Module Server available as a hot spare. If this is a configuration you would like to explore, please contact your Technical Account Manager.
