Installing and managing an Appliance Array

An Appliance Array manages the connections and establishes trust between the Tanium Appliances that contain the components of a Tanium deployment. The Appliance Array makes it easy to set up and manage the appliances.

A typical Appliance Array contains the following appliances:

  • A primary Tanium Server appliance with an active database
  • A secondary Tanium Server appliance with a passive database
  • A Tanium Module Server appliance
  • An optional standby Tanium Module Server appliance
  • One or more Tanium Zone Server appliances

After you add members to an Appliance Array, you assign and install roles for the Tanium Core Platform components for the Tanium Server, Tanium Module Server, or Tanium Zone Server on the individual appliances.

When you create an array on an appliance, the appliance becomes a controlling member of the array.

  • A controlling member can add members, remove members, and refresh the array.
  • When you install a Tanium Server role on an appliance in the array, the corresponding appliance becomes a controlling member of the array. Any other appliances without a Tanium Server role become non-controlling members; this could include the appliance where the array was created (a refresh may be needed on the affected appliances to see the change).

Use the Appliance Array menu to create an array, add appliances to the array, assign Tanium roles to the appliances, and then install the roles on all appliances from a single menu. If you need to add an additional appliance later on, you can add the appliance to the array, and then assign and install a role to use with your existing installation.

SSH communication is required for managing an Appliance Array. If you are deploying a Tanium Zone Server in a network that does not allow SSH communication, you can install the Zone Server separately after you install the array.

Configuring a Tanium cluster

If you add two Tanium Servers to an Appliance Array, TanOS automatically configures a Tanium cluster.

Use a redundant cluster of Tanium Servers to ensure continuous availability in the event of an outage or scheduled maintenance.

A Tanium cluster does not scale Tanium capacity or improve performance.

For information about managing replication and failover in an existing Tanium cluster, see Manage a Tanium cluster.

In a Tanium cluster deployment:

  • The Tanium Server application setup is active-active and the database component is active-passive.
  • Tanium Clients use a Tanium Server list to automatically find a backup server in the event the first Tanium Server that is assigned to them is unavailable due to an outage or scheduled maintenance.
  • The Tanium Servers read and write to the active database on the first appliance. Data is asynchronously replicated from the first appliance database to the second appliance database.
  • The local authentication user configuration is actively synchronized between the two appliances.
  • IPsec ensures end-to-end security between the two appliances.
  • Each Tanium Server has a Tanium Console with its own URL.
  • Tanium solutions are installed on a shared Module Server. In Tanium Core Platform 7.4.3 and later, you only need to import solutions on one Tanium Console. For versions prior to Tanium Core Platform 7.4.3, you must import solutions on both Tanium Consoles.
  • Each Tanium Server passes messages (such as answers to questions) to the other Tanium Servers.
  • Package files that are uploaded to one server are synchronized to the other Tanium Servers.

Tanium cluster requirements and limitations

A Tanium cluster deployment has the following requirements:

  • Each Tanium Server must run the same software version, including build number. For example, each must have build number 7.5.6.1095.
  • Each Tanium Server in the Tanium cluster must meet or exceed the requirements for the total number of endpoints targeted by your deployment. Each must be able to independently handle load from the full deployment in the event of failure.
  • The Tanium cluster members must be able to connect to each other via a reliable Ethernet connection. Connections require a minimum throughput of 1 Gbps and a maximum round-trip latency of 30 ms.
  • Each Tanium cluster member must be able to access the Internet to download files from designated domains. Access can be either direct or made through a proxy server.
  • Each Tanium cluster member must be able to connect to the shared Module Server.

Before you begin

  • Power on all appliances.
  • For a physical Tanium Appliance, perform the steps listed in the Tanium Appliance Data Center Guide to install the Tanium Appliances.
  • Configure basic network, host, and user settings on all appliances.
  • If the tanadmin user is set up for SSH key authentication on all appliances, copy the public key for the tanadmin user on the primary appliance to the tanadmin user accounts on the remaining appliances.
    • For information on how to use TanOS menus to add a public key for a user account, see Add authorized keys.
    • For information on how to use the CLI to add a public key for a user account, see the add pubkeys command at TanOS management commands.
  • Make sure all appliances are running TanOS 1.6.0 or later.
  • Make sure all appliances are running the same version of TanOS.
  • Make sure your network security administrator has configured security rules to allow communication on the TCP ports that the Tanium Core Platform components use. In addition to the ports that are used by individual Tanium Servers, a Tanium Server in a Tanium cluster sends and receives cluster-related data over an IPsec connection. The network security rules must allow ESP (50/ip) and IKE (500/udp, 4500/udp).

(Optional) Import keys

Beginning in Tanium Core Platform 7.4, the Tanium Server includes a pki.db file that contains the root keys, Tanium Server TLS keys, and message-signing keys for the Tanium Server. If you migrate from a Windows installation with Tanium Core Platform 7.4 or later, or if you restore the Tanium Server appliance from a backup, you can reuse the previous pki.db file.

For a Tanium cluster, import the pki.db only to the appliance that you are using for the primary Tanium Server. The array setup manages trust between the Tanium Servers automatically. You need the pki.db file only from the primary Tanium Server in an existing deployment or backup.

  1. Obtain a copy of the pki.db file from your existing Tanium Server or from a backup file.
  2. Use SFTP to copy the pki.db file to the /incoming folder on the appliance before the install.

Create the array

  1. Sign in to the primary Tanium Server appliance as a user with the tanadmin role.
  2. Enter 1 to go to the Tanium Installation menu.
  3. Enter M to go to the Appliance Array menu.
  4. Enter C and follow the prompts to create an array.
  5. Press the Enter key to go to the Appliance Array menu.

    The Appliance Array menu refreshes with the new array.

    TanOS assigns the new (pending) role for the appliance as a Tanium Server.

Add members to the array

Before you begin: If the tanadmin user is set up for SSH key authentication on all appliances, copy the public key for the tanadmin user on the primary appliance to the tanadmin user accounts on the remaining appliances. For information on how to use TanOS menus to add a public key for a user account, see Add authorized keys. For information on how to use the CLI to add a public key for a user account, see the add pubkeys command at TanOS management commands.

If you have instead configured separate public keys for the tanadmin user on each appliance, you can use agent forwarding to authenticate with the added array members by including the -A SSH option when you connect to the array manager. This avoids entering the password for new array members. For example:

ssh -A tanadmin@array_manager

Agent forwarding requires an SSH agent (such as ssh-agent in OpenSSH) to be running on your local host. For more information, see the documentation for your SSH client.

Perform the following steps to add the other appliances to the array.

  1. Enter A from the Appliance Array menu on the primary Tanium Server appliance.
  2. Follow the prompts to add the appliance to the array.

    During the process of adding a member to the array, the array manager asks you to confirm the ECDSA fingerprint of the new member. To verify that the fingerprint is correct, log in to the appliance you are adding to the array, view the SSH fingerprints, and confirm that the fingerprint listed for ECDSA matches the fingerprint that the prompt displays. See View SSH fingerprints. Alternatively, you can use the following CLI command, where <appliance> is the address of the appliance you are adding: ssh -qt tanadmin@<appliance> show ssh-host-fingerprints

  3. Press the Enter key to go to the Appliance Array menu.

    The Appliance Array menu refreshes with the new member.

Repeat these steps to add the remaining appliances to the array.
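The fingerprint comparison in step 2, as an added example that is not part of the TanOS documentation: it computes the OpenSSH SHA256 fingerprint from an ssh-keyscan or known_hosts line and reports whether an ECDSA key matches the value the array manager prompt shows. The host name and the key blob in the sample line are constructed (the blob is base64 of "abc", not a real key), and ssh-keyscan is only invoked when you run the script against a real appliance.

```python
import base64
import hashlib
import subprocess
import sys

# Constructed sample line in ssh-keyscan / known_hosts format. The blob "YWJj" is
# base64("abc"), not a real ECDSA key; it makes the expected fingerprint SHA256("abc")
# so the example runs offline against a known value.
SAMPLE_KEYSCAN_LINE = "appliance.example.internal ecdsa-sha2-nistp256 YWJj"


def openssh_fingerprint(key_line: str) -> tuple:
    """Return (key_type, fingerprint) for one '<host> <key-type> <base64-blob>' line.
    OpenSSH's SHA256 fingerprint is sha256(raw key blob), base64 without '=' padding."""
    fields = key_line.split()
    if len(fields) < 3:
        raise ValueError("expected '<host> <key-type> <base64-blob>'")
    key_type, blob_b64 = fields[1], fields[2]
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return key_type, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def normalize(fp: str) -> str:
    """Accept the prompt's value with or without the 'SHA256:' prefix or '=' padding."""
    fp = fp.strip()
    if fp.upper().startswith("SHA256:"):
        fp = fp[len("SHA256:"):]
    return fp.rstrip("=")


def ecdsa_fingerprint_matches(key_lines, expected: str) -> bool:
    """True only if an ECDSA key in key_lines carries the fingerprint the array prompt shows."""
    for line in key_lines:
        if not line.strip() or line.startswith("#"):
            continue  # known_hosts comments and blank lines
        key_type, fp = openssh_fingerprint(line)
        if key_type.startswith("ecdsa-") and normalize(fp) == normalize(expected):
            return True
    return False


def keyscan(host: str, port: int = 22) -> list:
    """Fetch the appliance's ECDSA host key with ssh-keyscan (network access required)."""
    proc = subprocess.run(["ssh-keyscan", "-t", "ecdsa", "-p", str(port), host],
                          capture_output=True, text=True, check=True)
    return proc.stdout.splitlines()


if __name__ == "__main__":
    # usage: python3 check_fp.py <appliance> '<fingerprint copied from the array prompt>'
    ok = ecdsa_fingerprint_matches(keyscan(sys.argv[1]), sys.argv[2])
    print("ECDSA fingerprint matches" if ok else "MISMATCH: do not confirm this member")
    sys.exit(0 if ok else 1)
```

A query from a host on a different network path than the array manager gives an independent view of the key, while the appliance's own View SSH fingerprints menu remains the console-side reference.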

Assign roles

Use the Appliance Array menu to assign a Tanium Server, Tanium Module Server, or Tanium Zone Server role to each appliance.

  1. Return to the Appliance Array menu on the primary Tanium Server appliance.
  2. Enter the line number for an appliance without a pending New Role.

    The Manage Member menu appears.

  3. Enter T, M, or Z to assign the corresponding role to the appliance.

    The Appliance Array menu refreshes with the new pending role.

Repeat these steps to assign roles to the remaining appliances in the array.

If you close the Appliance Array menu before you install Tanium, you must reassign roles.

Install Tanium roles

Perform the following steps to install the Tanium Core Platform components on the appliances in the Appliance Array. When you use the following process to install Tanium through an Appliance Array, the installation process automatically copies the required RPM file from the primary Tanium Server to each appliance in the array.

Before you begin

Obtain the tokens URL from Tanium to gain access to RPM update files. This includes the RPM files for the Tanium Server, Tanium Module Server, and Tanium Zone Server.

Alternatively, use SFTP to copy the RPM update files to the /incoming folder of the primary Tanium Server appliance. This method is necessary if your Tanium Server must use a proxy server to reach the internet. After you install Tanium, you can configure proxy settings from the Tanium Console, which are then used for future upgrades.

Install roles

  1. From the Appliance Array menu, enter I.
  2. Follow the prompts to install pending roles.
    • When prompted, enter the line number of the Tanium Core Platform version that you want to install.
    • If you install roles to a new array, specify a password for the initial Tanium Console admin user (tanium) when prompted.
    • If the array already contains an appliance with the Tanium Server role, specify a Tanium Console user and password with administrative credentials when prompted.
    • If you have the tokens URL, enter T and then enter the URL.
    • If you copied the pki.db file to the /incoming folder on the appliance, the installer discovers the file and prompts you to install it. Enter YES to continue.

TanOS installs the components of the Tanium Core Platform on the selected appliances.

After you install the Tanium roles to the appliances, you can add more appliances to the array. To do so, add the appliance to the array, assign a role to the appliance, install the pending role, and then perform any additional required configuration for the Tanium role.

What to do next

Additional management tasks for an Appliance Array

Promote a Tanium Server to array manager

An array manager is a Tanium Server that can sign in to and issue commands to other array members. The following Tanium Servers are automatically assigned the array manager designation:

  • The Tanium Server on which you set up the array. For instructions, see Create the array.
  • Up to two Tanium Servers in an array that are upgraded from 1.6.x to 1.7.x
  • An appliance on which you install Tanium Server using the existing array manager

In the following scenarios, a Tanium Server can be a member of an array without having array manager capabilities:

  • You add a member to an array with no role and install Tanium Server directly on the member, rather than through the array.
  • You add an existing Tanium Server to an array.

Use the following steps to promote a Tanium Server to array manager.

  1. On an array manager, sign in to the TanOS console as a user with the tanadmin role.
  2. Enter 1 to open the Tanium Installation menu.
  3. Enter M to open the Manage Appliance Array menu.
  4. Enter the line number of the appliance to promote to array manager.
  5. Enter P to promote the appliance to array manager.

Remove an appliance from an Appliance Array

From a controlling member of an array, you can remove other appliances from the array, including other controlling members.

An appliance cannot remove itself from an array. To remove an appliance, you must sign in to another controlling member of the array to perform the steps. To remove the last member of an array, reset the array.

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter 1 to go to the Tanium Installation menu.
  3. Enter M to go to the Appliance Array menu.
  4. Enter the line number of the appliance that you want to remove from the array.
  5. Enter D and follow the prompts to remove the appliance from the array.

Refresh an Appliance Array

From a controlling member of an array, you can refresh the array to retrieve current membership from the other appliances in the array. This information is refreshed on all appliances in the array.

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter 1 to go to the Tanium Installation menu.
  3. Enter M to go to the Appliance Array menu.
  4. Enter F and follow the prompts to refresh the array.

Reset an Appliance Array

Reset an Appliance Array to remove the appliance from the array. If the appliance is the only member of the array, reset the array to delete the array.

To delete an array, sign in to a controlling member of the array, remove all other members of the array, and then reset the array.

  1. Sign in to the TanOS console as a user with the tanadmin role.
  2. Enter 1 to go to the Tanium Installation menu.
  3. Enter M to go to the Appliance Array menu.
  4. Enter X and follow the prompts to reset the array.