This guide provides step-by-step instructions for the installation of Tanium Server 6.5 with the Tanium databases on a separate server device. This is the basic configuration for a production environment.
Tanium Server 6.5 requires the use of a dedicated server device for Tanium Module Server. This guide includes instructions for the installation of Tanium Module Server as well as post-installation steps that configure Tanium Server to use the remote instance of Tanium Module Server.
The installation of Microsoft SQL Express with the Tanium databases on the Tanium Server device is limited to POC (proof of concept) or other lab scenarios. For information about installing Tanium Server 6.5 with Microsoft SQL Express for POC, see Tanium Server 6.5 Installation on the Tanium Knowledge Base.
The procedures in this guide are based on a configuration of Tanium Endpoint Platform with Tanium Server 6.5, Microsoft Windows Server 2012 R2, and Microsoft SQL Server 2012.
Tanium: Basic configuration
The basic deployment of Tanium Endpoint Platform with Tanium Server 6.5 includes the following physical or virtual server devices.
- A dedicated device for Tanium Server
- A dedicated device for Tanium Module Server
- A dedicated server device hosting the Microsoft Active Directory Domain Controller role
- A dedicated device for Microsoft SQL Server
Requirements for a basic configuration
The installation of Tanium Server 6.5 requires the following hardware and software. For a checklist of items to have on hand before beginning deployment of Tanium Endpoint Platform, ask your Technical Account Manager (TAM) for the document Tanium Endpoint Platform Installation Checklist.
Tanium Server 6.5 requires a physical or virtual server device that meets the following minimum requirements.
The minimum requirements to run Tanium Server on a Windows-based server device are as follows:
- 4 processor cores
- 8 GB RAM
- 100 GB disk space
For detailed guidance on how to allocate a server device for Tanium Server and other components of Tanium Endpoint Platform, see System Requirements.
Deployment of Tanium Server 6.5 requires the following software.
- Microsoft Windows Server. Tanium Server 6.5 requires Windows Server 2008 R2 and later versions. Microsoft Windows Server 2008 is no longer supported.
- Microsoft SQL Server. The Tanium Server 6.5 installer includes an "Express" option that installs Microsoft SQL Express on the Tanium Server device. This option is limited to POC deployments. For production environments using the "Custom" option, the Tanium Server installation process requires the deployment and configuration of Microsoft SQL Server before Tanium Server is installed.
- SQL Command-line Utilities. These utilities may be included in certain versions and editions of the server software. The Tanium Server 6.5 installer will display a message if they cannot be located.
- (Optional) SQL Server Management Studio.
For detailed information about the requirements for the server devices that host your deployment of Tanium Endpoint Platform, see System Requirements.
Before you install
This section provides information about what you should have on hand before you deploy the basic configuration of Tanium Endpoint Platform with Tanium Server 6.5.
Create or configure the following accounts on the Tanium Server and Microsoft SQL Server devices.
Be sure to note the account information for use during the installation of Tanium Server.
- Create a service account on the Tanium Server device. The account user must have Local Administrator privileges on the Tanium Server device. An Active Directory Domain Account is recommended for a production environment using a remote database.
- Add the Tanium Server service account as a user of the Microsoft SQL Server device. Grant the user the sysadmin (system administrator) role.
This role is required during the installation process. After installation, the role can be demoted to dbo (database owner) level.
- (Optional) Grant the Tanium Server service account View Server State permissions on the SQL Server device.
This dynamic management view optimizes data access for speed.
For more information about the service accounts and permissions that are used during the Tanium Server installation process, see SQL Server Privileges.
Select the ports to be configured
By default, the Tanium Server installer configures the following ports. You can optionally specify other ports during the installation process.
|Port Number||Applications and Description|
|Port 17472||Tanium Server and Tanium Client
This is the default port used for client-to-server and peer-to-peer communication over TCP.
Configure the network firewall to allow TCP traffic on this port from any computer on the core network to the Tanium Server device.
Configure the entwork firewall to allow TCP traffic on this port from any Tanium managed computer on the local area network (LAN) to any other Tanium-managed computer on the same LAN.
Port 443 for TCP
Port 444 for SOAP
Ports 443 and 444 are the default ports for TCP communication from Tanium Console to Tanium Server.
Configure the network firewall to allow TCP traffic on these ports from computers on the core network to the Tanium Server device.
|Port 1433||Tanium Server and Microsoft SQL Server
Port 1433 is reserved for access to remote deployments of Microsoft SQL Server.
Configure the network firewall to allow TCP traffic on port 1433 from the Tanium Server device to the remote device that hosts the Microsoft SQL Server instance.
Installing Tanium Server: Step-by-step
Step 1. Open the installer and accept the License Agreement
- Create the root folder structure for Tanium Server. By default this is \Program Files\Tanium\Tanium Server.
- Right-click the SetupServer icon and select the option to Run as Administrator.
The Tanium Server setup wizard opens.
- Click Next to review the Tanium Server License Agreement.
- Click I Agree to accept the License Agreement.
Step 2. Choose the Custom Installation Option
Production environments use the Custom Install option. This option allows you to specify configuration options, including the location of the Tanium databases.
- Choose Custom Install, and click Next.
Step 3. Specify a service account to create the Tanium database
A custom installation with remote databases requires a service account that can be used to access the databases during the installation process and after.
During the installation process, the Tanium Server installer:
- Confirms the connection to the remote database.
- Creates the Tanium databases named tanium and tanium_archive.
- Creates and initializes the database tables in the tanium and tanium_archive databases.
The service account should have Administrator privileges on the Tanium Server and be granted the sysadmin role on the remote database. After installation, the privilege level of the user account on the remote database can be lowered to database owner (the dbo role).
For information about alternatives to using an Administrator account to configure the Tanium databases, see SQL Server Privileges.
To specify the service account
- Click Specify Account.
- Name the username, domain and password for the account that will be used to access the remote database.
- Click Next.
Step 4. Specify the installation directory
By default, Tanium Server is installed in the directory C:\Program Files\Tanium\Tanium Server. You can accept or modify this location.
To specify the installation directory
- In Destination folder, accept the default location or specify another location on the security network.
- Click Next.
Step 5. Specify console and port settings
Port settings are configured on Tanium Server during the installation process. For more information, see Port Requirements.
To change the default port settings during installation
- In Server Console/API Port, type the port number that Tanium Server will use to communicate with Tanium Console. Tanium API also uses this port.
- Select Use Existing Certificate and Key. For a production environment, you should already have a certificate. If you do not, contact your Technical Account Manager (TAM).
- Specify the directory locations of the Certificate Path and the Key Path.
- Click Next.
- The Server Port value is set to 17472 by default. This is the port that Tanium Server uses to communicate with the tanium and tanium_archive databases. You can accept this default or change it to another configured port on the server device.
- Chose the Use Remote Database option.
- In Remote SQL Path, provide the computer name of the server device that will host the Tanium databases.
- Confirm that Tanium Server can communicate with the SQL database by clicking Test.
- To destroy and replace an existing Tanium Server database, select Remove Existing Tanium Server Database, losing all data.
Exercise caution in using this option.
- Confirm the default option to Open Tanium Server Ports in Windows Firewall.
- Click Next.
The Set Administrator Account page opens.
To set the Administrator account
- In Username, type the username of the Active Directory Domain Account you created for the installation process.
- In Password, type the name of the associated password.
- Click Next.
You can accept or modify the name of the Tanium folder that appears on the Windows Start menu.
To select a Start menu folder
- Review the name of the Tanium Server folder. To change it or create a new folder, type the name in the text box.
By default, the folder name is Tanium Server.
- Click Install.
The Tanium Server installer deploys of a local instance of Tanium Module Server. After you install Tanium Module Server on a dedicated server device, the Windows Registry settings must be updated and this instance should be uninstalled. For information about this process, see the section of the instructions on Tanium Module Server installation called "Modify Windows Registry."
After the Tanium Server 6.5 installation completes, by default Tanium Console opens and the Tanium Knowledge Base is displayed.
- Click Finish.
Now you can login to Tanium Console.
- In Username, enter the username for the account that was created with local administration privileges on the Tanium Server device.
- In Password, enter the associated password.
- Click Log in.
Your first login to the Tanium Console begins the download of the Initial Content.
The Initial Content includes Tanium sensors, packages, and utilities.
After the download of the Initial Content is complete, Tanium Console opens and displays the core set of dashboards that Tanium Server provides. A message displayed over the dashboards provides a link to download the Tanium Client Deployment Tool. The next step is to deploy Tanium Client to the endpoints you have selected to be managed by the Tanium Endpoint Platform.
After you install Tanium Server
After the installation of Tanium Server completes, there are a few more steps you must take to use Tanium Endpoint Platform in your security network:
- Download the Tanium Client Deployment Tool.
- Deploy Tanium Client to the endpoint devices you want Tanium to manage.
- Install Tanium Module Server.
- Configure Tanium Server to use the remote instance of Tanium Module Server.