Tanium Core Platform Installation Guide


Tanium Core Platform Installation Guide Version 7.1.314.XXXX December 18, 2018

The information in this document is subject to change without notice. Further, the information provided in this document is provided "as is" and is believed to be accurate, but is presented without any warranty of any kind, express or implied, except as provided in Tanium's customer sales terms and conditions. Unless so otherwise provided, Tanium assumes no liability whatsoever, and in no event shall Tanium or its suppliers be liable for any indirect, special, consequential, or incidental damages, including without limitation, lost profits or loss or damage to data arising out of the use or inability to use this document, even if Tanium Inc. has been advised of the possibility of such damages. Any IP addresses used in this document are not intended to be actual addresses. Any examples, command display output, network topology diagrams, and other figures included in this document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental. Please visit https://docs.tanium.com for the most current Tanium product documentation. Tanium is a trademark of Tanium, Inc. in the U.S. and other countries. Third-party trademarks mentioned are the property of their respective owners. 2018 Tanium Inc. All rights reserved.

2018 Tanium Inc. All Rights Reserved Page 2

Table of contents

  Overview 11
  Requirements 13
    Installation package and license files 13
    Server host system requirements 13
    Client host system requirements 14
    Tanium in cloud service environments 23
    Network connectivity and firewall 23
    Internet access (direct or by proxy) 24
    SSL certificates 26
    Administrator account privileges 26
      Administrator accounts for installations and upgrades 26
      Administrator accounts for post-installation/upgrade activities 27
  Installing Tanium Server 30
    Overview 30
    Before you begin 30
      PostgreSQL Server 31
      Microsoft SQL Server 32
    Install Tanium Server 32
    Next steps 36
  Installing Tanium Module Server 37
    Overview 37
    Install the Tanium Module Server and manually register with the Tanium Server 37
      Before you begin 37
      Run the installer 38
    Next steps 39
  Verifying the installation 40
    Log into the Tanium Console 40
    Verify the Tanium Server connection to the remote Module Server 40
    Use the CDT to deploy the Tanium Client 41
      Before you begin 41
      Install the CDT 42
      Deploy the Tanium Client to the Tanium Platform Windows host systems 44
      Review Tanium Client registration and ask a question 47
  Installing Tanium Zone Server 48
    Overview 48
    Before you begin 49
    Install the Tanium Zone Server 49
      Install the Zone Server Hub 49
      Install the Zone Server 51
    Verify the deployment 53
    Troubleshoot 54
  Installing the Tanium Server in an active-active HA cluster 57
    Overview 57
    HA cluster requirements and limitations 58
    Before you begin 59
    Deploy the HA cluster 59
    Verify the installation 61
    HA configuration notes 64
  Troubleshooting the installation 66
    Basic tips 66
    Windows Registry 66
      Tanium Server 66
      Tanium Module Server 70
      TDownloader 73
      Zone Server 73
    Logs 75
      Installation logs 75
      TDownloader logs 75
    Tanium Support 76
  Upgrading Tanium Core Platform servers 77
    Supported upgrade paths 77
    Overview 77
    Before you begin 78
    Order of upgrade 79
    Upgrade Tanium Server 79
      Upgrade a standalone Tanium Server (or the first member of an active-active cluster) 80
      Upgrade the second member of an active-active cluster 81
    Upgrade Tanium Module Server 81
      Upgrade the Tanium Module Server 82
    Upgrade Tanium Zone Server 82
      Upgrade the Zone Server hub 83
      Upgrade the dedicated Zone Server 83
    Verify the server upgrade 83
    Reimport Tanium solution modules and content packs 84
    Troubleshooting 84
      Basic tips 84
      Upgrade logs 85
      Tanium Support 85
  Uninstalling Tanium 86
    Uninstall a server 86
    Remove databases 87
    Uninstall a solution module 87
  Reference: Host system sizing guidelines 88
    Tanium Server host system 88
    Tanium Module Server host system 90
    Tanium Zone Server host system 90
    PostgreSQL Server 92
    SQL Server 92
  Reference: Host system security exceptions 95
    Folders 95
    System processes 95
    Solution module folders and processes 96
  Reference: Network ports 98
    Summary 98
    Tanium Server 98
      Inbound (Tanium Client to Tanium Server) 99 (Rule summary 99; Details 99)
      Inbound (Tanium Console) 99 (Rule summary 99; Details 99)
      Outbound (Tanium Server to Database Server) 99 (Rule summary 99; Details 99)
      Outbound (Tanium Server to Module Server) 99 (Rule summary 99; Details 100)
      Inbound/Outbound (HA) 100 (Rule summary 100; Details 100)
    Tanium Module Server 100
      Inbound (Tanium Server to Module Server) 100 (Rule summary 100; Details 100)
      Outbound (Module Server to Internet) 100 (Rule summary 100; Details 100)
      Outbound (Module Services to Tanium Server) 100 (Rule summary 100; Details 101)
    Tanium Zone Server hub 101
      Outbound (Tanium Zone Server hub to Zone Server) 101 (Rule summary 101; Details 101)
    Tanium Zone Server 101
      Inbound (Tanium Client to Zone Server) 101 (Rule summary 101; Details 101)
      Inbound (Tanium Zone Server Hub to Zone Server) 101 (Rule summary 101; Details 101)
    Tanium Client 102
      Inbound/Outbound (Tanium Client to Client) 102 (Rule summary 102; Details 102)
      Outbound (Tanium Client to Zone Server) 102 (Rule summary 102; Details 102)
    Tanium Client Deployment Tool 102
      Outbound (Client Deployment Tool to endpoints) 102 (Rule summary 102; Details 103)
  Reference: Proxy server settings 104
    Types of proxy servers 104
      Basic 104
      NTLM 104
    Configure and test proxy server settings 104
  Reference: SSL certificates 108
    Certificate requirements 108
    Replacing certificates in your deployment 108
      Example: Creating a CSR with OpenSSL 109
      Example: Recreating the certificate chain 111
  Reference: Smart card authentication 121
    Deployment requirements 121
    Create a certificate 122
      Extract the certificates 122
      Create a new certificate file 125
      Copy to the Tanium installation directory 126
    Add Windows registry keys on Tanium Server host 126
    Troubleshoot 131
  Reference: Tanium server CLI 133
    Tanium Server 133
      Display help 133
      Display config help 134
      Example: List configuration settings 134
      Example: Set configuration values 135
    TDownloader 135
      Display help 135
      Display config help 136
      Example: List configuration settings 136
      Example: Set configuration values 137
    Tanium Module Server 137
      Display help 137
      Display config help 137
      Example: List configuration settings 138
      Example: Set configuration values 138
      Example: Register with Tanium Server 138
    Tanium Zone Server 139
      Display help 139
      Display config help 140
      Example: List configuration settings 140
      Example: Set configuration values 141
  Change log 142

Overview

This guide describes requirements and procedures for installing the following Tanium Core Platform servers on customer-provided Windows infrastructure.

Note: For the requirements and procedures to deploy the Tanium Appliance in the role of a Tanium Core Platform server, see the Tanium Appliance Installation Guide.

Tanium Server
  The server that communicates with Tanium Clients. The Tanium Server runs the Tanium Console and API services and communicates with all other platform and solution components, as well as the content.tanium.com servers that host Tanium content packs and Tanium solution import packages.

Tanium Module Server
  A server to run application services and store files for Tanium solution modules. In production deployments, you install the Module Server on a dedicated host (not shared with the Tanium Server) to prevent intentional or accidental scripts from having a direct impact on the Tanium Server.

Tanium Zone Server
  A server typically deployed in an enterprise DMZ network to proxy traffic between Tanium Clients that reside on limited-access networks and a Tanium Server that resides on the trusted core network.

In an enterprise production deployment, the Tanium Server, Tanium Module Server, and database server must reside on separate hosts, as illustrated in the following figure. In a limited proof-of-concept (POC) deployment, these three servers reside on the same host. However, the POC architecture is intended for demonstration purposes only and does not support enterprise deployments. As a best practice, use the production environment architecture for the enterprise lab environment that you use to qualify software upgrades and test content solutions.

Figure 1: Enterprise production or enterprise lab deployment

This documentation may provide access to or information about content, products (including hardware and software), and services provided by third parties ("Third Party Items"). With respect to such Third Party Items, Tanium Inc. and its affiliates (i) are not responsible for such items, and expressly disclaim all warranties and liability of any kind related to such Third Party Items and (ii) will not be responsible for any loss, costs, or damages incurred due to your access to or use of such Third Party Items unless expressly set forth otherwise in an applicable agreement between you and Tanium. Further, this documentation does not require or contemplate the use of or combination with Tanium products with any particular Third Party Items and neither Tanium nor its affiliates shall have any responsibility for any infringement of intellectual property rights caused by any such combination. You, and not Tanium, are responsible for determining that any combination of Third Party Items with Tanium products is appropriate and will not cause infringement of any third party intellectual property rights.

Requirements

This topic summarizes the requirements for installing Tanium software.

Installation package and license files

Your technical account manager (TAM) provides the following Tanium installation package files and license file required to complete the installation:
  - SetupServer.exe
  - SetupModuleServer.exe
  - SetupZoneServer.exe
  - tanium.license

The installation package for each of these three servers must have the same build number (for example, all must have build number 7.1.314.3214). To complete the procedures in this guide, be sure you can copy these files to, and between, the host computers.

The license is bound to the hostname you assign to the Tanium Server. In high availability (HA) deployments, the license must specify the hostnames of both Tanium Servers. Inform your TAM if the server hostnames change.

Server host system requirements

The following table summarizes basic requirements for server hosts. For detailed version specifications and sizing guidelines, see Reference: Host system sizing guidelines on page 88.

Table 1: Hardware and software requirements

Tanium Server
  Hardware: CPU cores 4 to 80; memory 16 to 512 GB; disk 100 GB to 3.5 TB
  Operating system: Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Microsoft Windows 2008 R2 (64-bit)
  Software: a web browser is required to use the Tanium Console.

Database Server
  Hardware: CPU cores 4 to 32; memory 4 to 48 GB; disk 125 GB to 750 GB
  Operating system: Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Microsoft Windows 2008 R2 (64-bit)
  Software: Microsoft SQL Server 2017 (Tanium 7.2 and later); Microsoft SQL Server 2016; Microsoft SQL Server 2014; Microsoft SQL Server 2012; Microsoft SQL Server 2008 SP3 (64-bit); PostgreSQL Server 9.5 and later (contact your TAM for guidance on host computer specifications and PostgreSQL Server version specifications)

Tanium Module Server
  Hardware: CPU cores 4 to 16; memory 8 to 48 GB; disk 150 GB to 300 GB
  Operating system: Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Microsoft Windows 2008 R2 (64-bit)

Tanium Zone Server
  Hardware: CPU cores 4 to 80; memory 8 to 256 GB; disk 100 GB to 3.5 TB
  Operating system: Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Microsoft Windows 2008 R2 (64-bit)

Client host system requirements

The following table summarizes basic requirements for endpoint host systems. Hardware resource requirements vary according to the actions that may be taken on the endpoint. For hardware resource guidance, consult with your technical account manager (TAM).

Table 2: Supported OS versions

Microsoft Windows Server
  Windows Server 2016*; Windows Server 2012, 2012 R2; Windows Server 2008, 2008 R2
      Tanium Client: 7.2.314.3476, 7.2.314.3211, 7.2.314.2962, 6.0.314.1540, 6.0.314.1450
  Windows Server 2003, 2003 R2
      Tanium Client: 6.0.314.1540, 6.0.314.1450
  * Nano Server not supported.

Microsoft Windows Workstation
  Windows 10; Windows 8; Windows 7; Windows Vista
      Tanium Client: 7.2.314.3476, 7.2.314.3211, 7.2.314.2962, 6.0.314.1540, 6.0.314.1450
  Windows XP (including Embedded)
      Tanium Client: 6.0.314.1540, 6.0.314.1450

macOS (Intel processor only)
  macOS 10.14 Mojave*; macOS 10.13 High Sierra; macOS 10.12 Sierra; OS X 10.11 El Capitan; OS X 10.10 Yosemite; OS X 10.9 Mavericks; OS X 10.8 Mountain Lion
      Tanium Client: 7.2.314.3476, 7.2.314.3236, 7.2.314.2962, 6.0.314.1579, 6.0.314.1442
  * See the Tanium Support Knowledge Base for the minimum Tanium product versions required to support endpoints that run macOS 10.14 Mojave.

Linux
  Amazon Linux 2 LTS (2017.12)
      Tanium Client: 7.2.314.3476, 7.2.314.3211
  Amazon Linux 1 AMI (2016.09, 2017.12, 2018.03)
      Tanium Client: 7.2.314.3476, 7.2.314.3211, 7.2.314.2962, 6.0.314.1579
  Debian 9.x, 8.x
      Tanium Client: 7.2.314.3476, 7.2.314.3211
  Debian 7.x, 6.x
      Tanium Client: 7.2.314.3476, 7.2.314.3211, 7.2.314.2962, 6.0.314.1579, 6.0.314.1442
  Oracle Enterprise Linux 7.x, 6.x
      Tanium Client: 7.2.314.3476, 7.2.314.3211, 7.2.314.2962, 6.0.314.1579
  Oracle Enterprise Linux 5.x
      Tanium Client: 7.2.314.3476, 7.2.314.3236, 7.2.314.2962
  Red Hat Enterprise Linux (RHEL) 7.x, 6.x; CentOS 7.x, 6.x
      Tanium Client: 7.2.314.3476, 7.2.314.3211, 7.2.314.2962, 6.0.314.1579, 6.0.314.1442
  Red Hat Enterprise Linux (RHEL) 5.x; CentOS 5.x
      Tanium Client: 7.2.314.3476, 7.2.314.3236, 7.2.314.2962, 6.0.314.1579, 6.0.314.1321
  SUSE Linux Enterprise Server (SLES) 12; openSUSE 12.x
      Tanium Client: 7.2.314.3211, 7.2.314.2962, 6.0.314.1579
  SUSE Linux Enterprise Server (SLES) 11; openSUSE 11.x
      Tanium Client: 7.2.314.3211, 7.2.314.2962, 6.0.314.1579, 6.0.314.1442
  Ubuntu 18.04 LTS
      Tanium Client: 7.2.314.3476, 7.2.314.3211
  Ubuntu 16.04 LTS
      Tanium Client: 7.2.314.3476, 7.2.314.3211, 7.2.314.2962, 6.0.314.1579
  Ubuntu 14.04 LTS
      Tanium Client: 7.2.314.3476, 7.2.314.3211, 7.2.314.2962, 6.0.314.1579, 6.0.314.1442
  Ubuntu 10.04 LTS
      Tanium Client: 6.0.314.1579, 6.0.314.1442

AIX
  IBM AIX 7.2; IBM AIX 7.1 TL1SP10 and higher*; IBM AIX 6.1 TL7SP10 and higher*
      Tanium Client: 6.0.314.1437
  * 64-bit only; requires xlc.rte 12.1.0.1 or greater.

Solaris
  Oracle Solaris 11 SPARC*; Oracle Solaris 11 x86*; Oracle Solaris 10 U8 SPARC or higher*; Oracle Solaris 10 U8 x86 or higher*
      Tanium Client: 6.0.314.1321
  * Requires SUNWgccruntime.

Tanium in cloud service environments

The Tanium Server and Tanium Client generally support the same operating systems listed above when virtualized in cloud service environments. Tanium customers have used our software in:
  - Amazon Web Services (AWS)
  - Google Cloud Platform (GCP)
  - Microsoft Azure
  - Oracle Cloud Infrastructure (OCI)

Use of Tanium in cloud environments entails important architectural considerations that can be unique from one deployment to another. Work with your TAM when planning to deploy or expand into such environments.

Network connectivity and firewall

Tanium components use TCP/IP to communicate over IPv4 and IPv6 networks (IPv6 support requires 7.3 versions of the Tanium Core Platform servers and Tanium Client). You must work with your network administrator to ensure that the Tanium components are provisioned with IP addresses and can use DNS to resolve hostnames.

The table below summarizes the Tanium processes and default values for ports used in Tanium Core Platform communication. Host and network firewalls might need to be configured to allow the specified processes to send/receive TCP via the ports listed. The Tanium installer opens required ports in the Windows host firewall. You must work with your network security administrator to ensure the platform components can communicate through any security barriers (such as firewalls) in their communication path. For a detailed explanation, see Reference: Network ports on page 98.

Your security administrator might also need to create rules to exempt or exclude Tanium processes that run on the host computers from blocking by antivirus or processing by encryption or other security and management stack software. For details, see Reference: Host system security exceptions on page 95.

Table 3: Network communication ports used by Tanium components

Component                             Process                                                 Inbound port    Destination port
Tanium Server                         TaniumReceiver.exe                                      443, 17472      80, 443, 1433 or 5432, 17472 (HA), 17477
SQL Server or PostgreSQL Server       Sqlservr.exe or postgres.exe                            1433 or 5432
Tanium Module Server                  TaniumModuleServer.exe                                  17477           80, 443
Tanium Zone Server                    TaniumZoneServer.exe                                    17472
Tanium Zone Server Hub                TaniumZoneServer.exe                                                    17472
Tanium Client                         TaniumClient.exe                                        17472           17472
Tanium Client Deployment Tool (CDT)   TaniumClientDeploy.exe                                                  22, 135, 445
Unmanaged endpoint                    CDT platform-specific methods (during deployment only)  22, 135, 445

Internet access (direct or by proxy)

During installation, the Tanium Server installer (SetupServer.exe) prompts you to download SQL Server Native Client and SQL Server CLI Utilities if you have not already done so. To enable the download, the host computer must be able to connect to http://download.microsoft.com.

During installation and ongoing operations, the Tanium Server and the browser used to access the Tanium Console must be able to connect to https://content.tanium.com to import updates into Tanium Core Platform components and modules.

The Tanium Server might need to connect to additional locations, based on the components you import. The following table lists URLs that the Tanium Server accesses.

Import type     Components                                URLs
Any             Any (both the Tanium Server and the       https://content.tanium.com
                browser used to access the Tanium         http://*.digicert.com (module import fails if the
                Console must connect to these URLs)       Certificate Revocation List is blocked or inaccessible)
Content         Initial Content                           http://linux-usb.org
Content         Managed Applications (login required)     http://ardownload.adobe.com/
                                                          http://airdownload.adobe.com/
                                                          http://download.macromedia.com/
                                                          http://dl.google.com/
                                                          https://download.mozilla.org/
                                                          https://secure-appldnld.apple.com/
Content         Windows Security Patch Management         http://download.windowsupdate.com
Content         IR Gatherer                               https://download.sysinternals.com
Modules         Patch                                     http://download.windowsupdate.com
Modules         IOC Detect                                https://download.sysinternals.com
Labs Content    EMET                                      https://download.microsoft.com
Labs Content    MSERT                                     https://definitionupdates.microsoft.com
Labs Content    Stinger                                   http://downloadcenter.mcafee.com
Labs Content    Symantec                                  https://support.symantec.com

Notes:
  - If a Tanium content pack or solution module is not listed, no additional URLs are required for it.
  - Previous Tanium Server versions required access to http://curl.haxx.se. Tanium Server 7.0 and later do not require access to this site.
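The port defaults in Table 3 and the URL list above can be checked from the prospective Tanium Server host before anything is installed. The following PowerShell script is an added example written for this page, not Tanium-supplied tooling. The hostnames, the proxy URL and crl3.digicert.com (one host under the http://*.digicert.com wildcard) are placeholders. It tests the internal TCP paths, probes the outbound URLs, and reports who issued the certificate that content.tanium.com presents: if the issuer is your enterprise CA rather than a public one, an SSL-intercept proxy sits in the path and has to be configured to pass Tanium downloads through unmodified. Test-NetConnection requires Windows Server 2012 or later.

```powershell
# Added example (not Tanium code): pre-flight connectivity check for the default ports
# in Table 3 and the URLs the Tanium Server must reach. Hostnames and the proxy are
# placeholders (assumptions); set them for your environment before running.
param(
    [string]$TaniumServer   = 'tanium.example.com',
    [string]$ModuleServer   = 'tanium-ms.example.com',
    [string]$DatabaseServer = 'tanium-db.example.com',
    [int]   $DatabasePort   = 1433,   # 5432 for PostgreSQL Server
    [string]$Proxy          = ''      # e.g. 'http://proxy.example.com:8080' if direct egress is blocked
)

# Internal TCP paths, as seen from the host that will become the Tanium Server.
$tcpChecks = @(
    [pscustomobject]@{ Path = 'Client -> Tanium Server';          Target = $TaniumServer;   Port = 17472 },
    [pscustomobject]@{ Path = 'Console/API -> Tanium Server';     Target = $TaniumServer;   Port = 443 },
    [pscustomobject]@{ Path = 'Tanium Server -> Module Server';   Target = $ModuleServer;   Port = 17477 },
    [pscustomobject]@{ Path = 'Tanium Server -> Database Server'; Target = $DatabaseServer; Port = $DatabasePort }
)
foreach ($c in $tcpChecks) {
    $r = Test-NetConnection -ComputerName $c.Target -Port $c.Port -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'OPEN   ' } else { 'BLOCKED' }
    '{0} {1}:{2,-5} {3}' -f $state, $c.Target, $c.Port, $c.Path
}

# Outbound URLs. Any HTTP status counts as reachable; only no response at all is a block.
# crl3.digicert.com is one example host under the http://*.digicert.com wildcard (assumption).
$urls = 'https://content.tanium.com', 'http://crl3.digicert.com', 'http://download.microsoft.com'
foreach ($u in $urls) {
    $p = @{ Uri = $u; Method = 'Head'; UseBasicParsing = $true; TimeoutSec = 15 }
    if ($Proxy) { $p.Proxy = $Proxy }
    try {
        $resp = Invoke-WebRequest @p
        "REACHED $u (HTTP $($resp.StatusCode))"
    } catch {
        if ($_.Exception.Response) {
            "REACHED $u (HTTP $([int]$_.Exception.Response.StatusCode))"
        } else {
            "BLOCKED $u ($($_.Exception.Message))"
        }
    }
}

# TLS interception check. The issuer of the certificate presented for content.tanium.com
# should be a public CA; an enterprise CA here means an SSL-intercept proxy is rewriting
# the connection. This opens a direct TCP socket and therefore bypasses $Proxy, so run it
# from a host that has direct egress.
function Get-PresentedCertificate([string]$HostName, [int]$Port = 443) {
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any chain: the point is to see who signed it, not to fail on it.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{ Subject = $cert.Subject; Issuer = $cert.Issuer; NotAfter = $cert.NotAfter }
    } finally {
        $tcp.Close()
    }
}
Get-PresentedCertificate -HostName 'content.tanium.com' | Format-List
```

Run the script once from the Tanium Server host and once from the workstation that will run the Tanium Console browser, because the URL requirements apply to both. A BLOCKED line is a firewall or proxy ticket to raise before installation day, not a Tanium problem.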

If your enterprise security policy does not allow the Tanium Server to access these locations directly, you can use proxy servers. See Reference: Proxy server settings on page 104.

If your enterprise network uses SSL intercept technologies, such as man-in-the-middle (MITM) proxies, you must configure them so that they do not prevent the Tanium Server and Tanium Module Server from downloading files from these locations.

If you plan to deploy Tanium into an air-gapped environment, consult with your TAM.

SSL certificates

SSL/TLS certificate and key exchanges secure connections to the Tanium Console or SOAP and REST APIs, as well as connections between the Tanium Server and Tanium Module Server. When you run the installation wizards, they prompt you to generate a self-signed certificate or specify the location of an existing certificate and key that was issued by a commercial Certificate Authority (CA) or your own enterprise CA.

As a best practice, use the self-signed certificate option when you complete the initial installation steps provided in this guide. Doing this facilitates troubleshooting by separating potential installation issues from SSL issues. After you verify the deployment, replace the self-signed certificate with the certificates that the commercial or enterprise CA issued. For the procedure, see Replacing certificates in your deployment on page 108.

Administrator account privileges

Work with your Microsoft Active Directory (AD) administrator to provision the accounts needed during Tanium Core Platform installations or upgrades and for post-installation/upgrade activities.

Administrator accounts for installations and upgrades

The following table lists the administrator accounts required to install or upgrade Tanium Core Platform servers, create Tanium databases, or deploy Tanium Clients.

You can use a single service account to install the Tanium Server and to create databases on the SQL or PostgreSQL server, as long as the account has all the required group memberships and privileges for those servers. You can also use a single service account to install the Zone Server and Zone Server Hub. You must use a separate service account to install the Module Server.

Table 4: Administrator account privileges required for installations and upgrades

Tanium Server and Tanium databases
  Account type: AD service account*
  Tanium Server host: Administrator, Interactive Logon. This service account installs and upgrades the Tanium Server software.
  SQL Server host: Sysadmin on the SQL instance. When running the installer from the Tanium Server, this service user connects remotely to the SQL Server and creates the tanium and tanium_archive databases.
  PostgreSQL Server host: Administrator. When running the installer from the Tanium Server, this service user connects remotely to the PostgreSQL Server and creates the tanium and tanium_archive databases.

Tanium Module Server
  Account type: AD service account*
  Tanium Module Server host: Administrator. This service account installs and upgrades the Tanium Module Server software.

Tanium Zone Server and Zone Server Hub
  Account type: AD service account*
  Tanium Zone Server host: Administrator, Interactive Logon. This service account installs and upgrades the Tanium Zone Server software.
  Tanium Zone Server Hub host: Administrator, Interactive Logon. This service account installs and upgrades the Tanium Zone Server Hub software.

Tanium Client
  Account type: Local System or AD
  Tanium Client Deployment Tool host: Administrator. This account connects to endpoints and installs and upgrades the Tanium Client software.

* It is possible to use the Local System account in a POC deployment, but not in a production deployment.

Administrator accounts for post-installation/upgrade activities

The following table lists the administrator accounts required for regular, ongoing operations performed after installations or upgrades, including running the services for Tanium Core Platform servers and Tanium Clients, and accessing Tanium databases. If you reuse the accounts used for installations and upgrades, first reduce the account privileges to those specified in the following table.

You can use a single service account to run the Tanium Server service and access the Tanium databases. You can also use a single service account to run the Zone Server and Zone Server Hub services. You must use a separate service account to run the Module Server service.

Table 5: Administrator account privileges required for post-installation/upgrade activities

Tanium Server and Tanium databases
  Account type: AD service account*
  Tanium Server host: User-level privileges. This service account runs the Tanium Server service. The service runs in the context of the Local System or the AD account, depending on the option you select when installing the server.
  SQL Server host: DBO on the Tanium databases. This service user account accesses the tanium and tanium_archive databases. If you use the same account for running the Tanium Server service, the account must be able to connect remotely to the SQL Server. The account requires db_owner role membership for the Tanium databases. Assign the View server state privilege as a best practice to enable the Tanium Server to access data faster than the DBO role alone allows.
  PostgreSQL Server host: User-level privileges. This service user account accesses the tanium and tanium_archive databases. If you use the same account for running the Tanium Server service, the account must be able to connect remotely to the PostgreSQL Server.

Tanium Module Server
  Account type: AD service account*
  Tanium Module Server host: Administrator. This service account runs the Tanium Module Server service. The service runs in the context of the Local System account.

Tanium Zone Server and Zone Server Hub
  Account type: AD service account*
  Tanium Zone Server host: User-level privileges. This service account runs the Tanium Zone Server service. The service runs in the context of the Local System or the AD account, depending on the option you select when installing the server.
  Tanium Zone Server Hub host: User-level privileges. This service account runs the Tanium Zone Server Hub service. The service runs in the context of the Local System or the AD account, depending on the option you select when installing the server.

Tanium Client
  Account type: Local System
  Tanium Client Deployment Tool host: Administrator. On Windows, the Tanium Client service runs in the context of the Local System account.

* It is possible to use the Local System account in a POC deployment, but not in a production deployment.
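Table 5 expects the install-time account to be cut back before it is reused for day-to-day operation, and the guide leaves the mechanics to the reader. The following PowerShell script is an added example for this page, not a Tanium-supplied procedure, and covers the SQL Server case only. The account name and instance name are placeholders. It removes the account from the local Administrators group on the Tanium Server host (user-level privileges), drops it from the sysadmin fixed server role, grants VIEW SERVER STATE, and makes sure it holds db_owner in both tanium and tanium_archive. It assumes the Invoke-Sqlcmd cmdlet (SqlServer or SQLPS module) and must run under a different account that still has local Administrator on the host and sysadmin on the instance.

```powershell
# Added example (not a Tanium procedure): reduce the install-time account to the
# post-installation privileges in Table 5 for a SQL Server deployment. Names are
# placeholders (assumptions). Run as a different account that still holds local
# Administrator on the Tanium Server host and sysadmin on the instance.
$ServiceAccount = 'CORP\svc-tanium'         # assumption: AD service account used for the install
$SqlInstance    = 'tanium-db.example.com'   # assumption: default instance on the database host

# 1. Tanium Server host: user-level privileges only. 'net localgroup' is used rather than
#    Remove-LocalGroupMember so the same lines also work on Windows Server 2012 R2.
$members = net localgroup Administrators
if ($members -contains $ServiceAccount) {
    net localgroup Administrators $ServiceAccount /delete | Out-Null
    "Removed $ServiceAccount from local Administrators"
}

# 2. Instance level: drop sysadmin and grant VIEW SERVER STATE (the guide's best practice).
#    QUOTENAME keeps the login name bracketed where it is spliced into dynamic SQL.
$instanceSql = @"
DECLARE @login sysname = N'$ServiceAccount';
IF IS_SRVROLEMEMBER(N'sysadmin', @login) = 1
    EXEC sp_dropsrvrolemember @login, N'sysadmin';
EXEC (N'GRANT VIEW SERVER STATE TO ' + QUOTENAME(@login));
SELECT IS_SRVROLEMEMBER(N'sysadmin', @login) AS is_sysadmin, p.permission_name, p.state_desc
FROM sys.server_permissions p
JOIN sys.server_principals s ON s.principal_id = p.grantee_principal_id
WHERE s.name = @login;
"@
Invoke-Sqlcmd -ServerInstance $SqlInstance -Database master -Query $instanceSql | Format-Table -AutoSize

# 3. Database level: db_owner on tanium and tanium_archive. If the account created the
#    databases while it was sysadmin it already maps to dbo, which cannot be added to a
#    role and needs nothing further, so the user is looked up by SID rather than by name.
$databaseSql = @"
DECLARE @login sysname = N'$ServiceAccount';
DECLARE @user  sysname = (SELECT name FROM sys.database_principals WHERE sid = SUSER_SID(@login));
IF @user IS NULL
BEGIN
    EXEC (N'CREATE USER ' + QUOTENAME(@login) + N' FOR LOGIN ' + QUOTENAME(@login));
    SET @user = @login;
END
IF @user <> N'dbo' AND NOT EXISTS (
        SELECT 1 FROM sys.database_role_members rm
        JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
        JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
        WHERE r.name = N'db_owner' AND m.name = @user)
    EXEC sp_addrolemember N'db_owner', @user;
SELECT DB_NAME() AS [database], @user AS [user],
       CASE WHEN @user = N'dbo' OR EXISTS (
            SELECT 1 FROM sys.database_role_members rm
            JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
            JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
            WHERE r.name = N'db_owner' AND m.name = @user) THEN 1 ELSE 0 END AS is_db_owner;
"@
foreach ($db in 'tanium', 'tanium_archive') {
    Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $db -Query $databaseSql | Format-Table -AutoSize
}
```

The final SELECT in each batch is the evidence for the change record: is_sysadmin should read 0, VIEW SERVER STATE should appear as GRANT, and is_db_owner should read 1 for both databases. Restart the Tanium Server service afterwards and confirm the Console still loads, which proves the service no longer depends on the rights that were removed.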

Installing Tanium Server

Overview

The Tanium Server is the Tanium Core Platform server that communicates with Tanium Clients and all other platform and solution components, as well as the content.tanium.com servers that host Tanium content packs. Tanium Clients communicate with the Tanium Server directly or through a Tanium Zone Server that acts as a proxy (see Installing Tanium Zone Server on page 48). The Tanium Server also runs the Tanium Console and API services.

The Tanium Server supports the following deployment options:
- Standalone or active-active high availability (HA) cluster (see Installing the Tanium Server in an active-active HA cluster on page 57)
- Windows server (see Server host system requirements on page 13), cloud service environment (see Tanium in cloud service environments on page 23), or Tanium Appliance (see the Tanium Appliance Installation Guide)
- Dedicated host that is separate from the Tanium Module Server and database server, or an all-in-one host that all three servers share. Use a dedicated host for enterprise production and lab environments; the all-in-one architecture is only for proof-of-concept deployments (see Overview).

This topic describes how to install a standalone (non-HA) Tanium Server on a dedicated Windows Server host.

The Tanium Server installer takes the following actions:
- Installs any necessary database tools, such as Microsoft SQL Server client tools and utilities.
- Creates the Tanium databases on a remote database server and initializes the database tables in those databases.
- Opens required ports in the local host computer Windows Firewall.
- Installs Tanium Server on the local host computer and starts the Tanium Server service. The service starts the application server that hosts the Tanium Console. HTTPS access is set up using the certificate and key specified during installation.

Before you begin

Make sure:
- You can access the installer package and license file.
- The host system meets the hardware and software requirements suitable for your deployment.
- Your Microsoft Active Directory administrator has set up the accounts your team needs for the Tanium platform deployment.
- Your database administrator has created a database server for the Tanium platform deployment and that there is a privileged domain administrator account that you can use to create the Tanium databases when you run the installer.
- Your network administrator has configured firewall rules to allow communication on the TCP ports Tanium uses.
- Your security team has configured exceptions to host-based security policies to allow Tanium processes to operate smoothly and at optimal performance.

Note: As a best practice for additional security, provision a non-system hard drive for the Tanium Server installation. In addition, note that the installer behaves differently depending on the value you specify for the installation directory:
- If you use the default location (C:\Program Files\Tanium\Tanium Server), the installer reads the registry for the location of the Module Server. If none is found, the installer automatically installs the local Module Server. (It does this to support simple proof-of-concept deployments.) If you are performing an upgrade and there is a registry entry for a remote Module Server, the installer does not install the local Module Server.
- If you specify a non-default location (for example, C:\Tanium), and the registry does not have an entry for a remote Module Server, the installer prompts you to install the local Module Server, and you can cancel the local Module Server installation. As a best practice, cancel it to save yourself the effort of manually stopping and disabling the local Module Server.

PostgreSQL Server

Check with your technical account manager (TAM) if you are interested in deploying Tanium with a PostgreSQL Server. A special distribution of PostgreSQL Server is required. For details, see the Tanium Support Knowledge Base article (login required).

Microsoft SQL Server

If you plan to deploy with an SQL Server, the best practice is to install SQL Server Management Studio on the Tanium Server host computer before you run the installer. SQL Server Management Studio is optional, but most Tanium administrators find it useful to verify database transactions and to manage the databases. If you install SQL Server Management Studio before you run the installer, the installer does not call the Microsoft SQL Server utilities installers.

Install Tanium Server

1. Log into the host system as a local administrator or domain user with administrator privileges.
2. Copy the installation package file and license to a temporary location.
3. Right-click the SetupServer.exe file and select Run as administrator.
4. Complete the installation wizard. The following table provides guidelines for key settings.

Database Server Type
  PostgreSQL Server: Install a local database server and utilities.
  Microsoft SQL Server: Call additional installer pages to select database server and client utilities options.

Postgres Not Found
  If you select Postgres, the installer checks for a local PostgreSQL Server installation. If none is found, it presents you with the following options:
  - Install and configure local Postgres Server. This option supports proof-of-concept (POC) deployments only.
  - Use remote Postgres Server. This option supports production deployments.
  - Exit the installer now. Select this option if you are not ready to make the connection to the remote PostgreSQL Server.

SQL Command Line Utilities Not Found
  If you select SQL Server, the installer checks for a local SQL Server installation and SQL utilities. If none is found, it presents you with the following options:
  - Download and Install SQL 2012 Native Client and SQL 2012 Command Line Utilities now. Select this option to install the utilities necessary to connect to a remote SQL server and create databases. If you select this option, and the Tanium installer detects that these utilities are already present on the host system, it does not overwrite the existing installation; it simply does not call the Microsoft installer for the utilities.
  - Download and Install SQL Server 2014 SP2 Express Edition with Tools now. Do not select this option for a production deployment. It is intended only for limited, proof-of-concept installations.
  - Exit the installer now. (Download and install manually) Select this option if you want to install the utilities yourself. After you have done so, if you re-run the Tanium installer, you can select the first option, and the Tanium installer will verify that the utilities are present and not call the Microsoft installer.

Installation Type
  Custom Install: Select this option for production deployments.
  Express Install: Do not select this option for a production deployment. It is intended only for limited, proof-of-concept installations.

Choose Service Account for Tanium Server and Database Access
  Specify Account: This option is required for production deployments. Specify a service account that can connect to the remote database server and has privileges to create databases. The account you specify will also run the Tanium Server Service on the local host computer. Specify the following details:
    User Name: Just the account name portion of the credentials. For example, taniumsvc.
    Domain: The fully qualified domain name. For example, example.com.
    Password: The corresponding password.
  Local System Account: This option is supported for limited proof-of-concept deployments where the Tanium Server and database server are co-located on the local host system.

Choose Install Location
  The default is C:\Program Files\Tanium\Tanium Server. As a best practice for additional security in enterprise production deployments, install the Tanium Server on a non-system hard drive.

License Configuration
  Browse and select the directory where you have copied the license file.

Server Console/API Port
  The default is 443.

Server Port
  The default is 17472.

SSL Certificate and Key
  Generate Self-Signed Certificate and Key: The SSL certificate and key are used for secure communication with console users and API users. If you select this option, the installer generates a self-signed certificate and key. Specify the fully qualified domain name (FQDN) of the Tanium Server. For example, ts1.example.com. If you are deploying a cluster, specify the FQDN for both servers, separated by a comma (no spaces). For example, ts1.example.com,ts2.example.com.
  Use Existing Certificate and Key: If you have a certificate issued by a commercial CA or by your enterprise CA, use this option to select the certificate file and key file.

SQL server and database
  If you are setting up a connection to an SQL Server, you have the following options:
  Use Local Database: This option is supported for proof-of-concept deployments only. When SQL Server is installed on the local host computer, you can select a database server from the Local Instance list box.
  Use Remote Database: Select this option and specify the path to the remote database server in the Remote SQL Path text box. The syntax is <hostname>\<database server name>. For example, SQL1\SQLEXPRESS. Click Test to test the connection.
  Tip: If the SQL Server listens on a custom-assigned port (not 1433), specify the port in the Remote SQL Path text box. For example, SQL1\SQLEXPRESS,1444.

Postgres Configuration
  If you are setting up a connection to a Postgres server, you must specify the following settings:
  Server: localhost for a local server, or the FQDN or IP address of the remote server.
  Options: Additional parameters to pass in the connection. Typically, this is dbname and port. For example, dbname=postgres port=5432 user=postgres.
  Click Test to test the connection.

Remove Existing Tanium Server database
  Select this option if you are re-running the installer and you want to clean up the previous database instance before creating a new one.

Open Tanium Ports in Windows Firewall
  Select this option to open the Tanium Server ports in Windows Firewall. Ports 443 and 17472 are the default port numbers.

Set Administrator Account
  Set the user name and password for the initial Tanium Console administrator account. This is the account that must be used for the initial login. From there, the administrator can create additional users. For Active Directory accounts, use DOMAIN\username or UPN format. For example, TAM\TaniumAdmin or TaniumAdmin@TAM. For local accounts, use MACHINE\username syntax.

Choose Start Menu Folder
  The default is Tanium Server.

Next steps

Install the remote Module Server. See Installing Tanium Module Server on page 37.
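Before moving on to the Module Server, it is worth confirming what the installer is supposed to have left behind: a running Tanium Server service, inbound firewall rules for the console/API and server ports, and a listener on each. The PowerShell script below is an added example for that check and is not part of the guide or of Tanium's own tooling; it assumes the Windows service is named "Tanium Server" and that the ports are the defaults (443 and 17472) from the table above.

```powershell
# Added example: post-installation check of the Tanium Server host, written for
# this guide; it is not Tanium tooling. Assumptions: the Windows service is named
# "Tanium Server", and the console/API and server ports are the defaults (443, 17472).
param(
    [string]$ServiceName = 'Tanium Server',
    [int[]]$Ports        = @(443, 17472)
)

$result = [ordered]@{}

# 1. The Tanium Server service must be running.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
$result['ServiceRunning'] = [bool]($svc -and $svc.Status -eq 'Running')

foreach ($port in $Ports) {
    # 2. An enabled inbound allow rule for the port must exist (this is what the
    #    "Open Tanium Ports in Windows Firewall" installer option creates).
    $rules = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq "$port" } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }
    $result["FirewallRule_$port"] = [bool]$rules

    # 3. Something must actually be listening on the port; a rule alone proves nothing.
    $listening = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
    $result["Listening_$port"] = [bool]$listening
}

[pscustomobject]$result | Format-List

# Non-zero exit code if any check failed, so the script can gate automation.
if ($result.Values -contains $false) { exit 1 }
```

A missing firewall rule with a present listener usually means the installer option was left unselected; a rule with no listener means the service is not up yet, so check the Windows event log for the Tanium Server service before touching the firewall.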

Installing Tanium Module Server

Overview

In an enterprise production deployment, you must install the Tanium Module Server and Tanium Server on separate hosts to prevent solution modules or scripts from directly impacting the Tanium Server. The Module Server communicates directly only with the Tanium Server. Tanium administrators can use the Tanium Console to manage and use solution modules, such as Tanium Patch. Endpoints receive packages through the Tanium Server or Zone Server. Figure 1 illustrates how these components communicate.

Note: In a limited proof-of-concept (POC) deployment only, you can install the Module Server and Tanium Server on the same host.

Install the Tanium Module Server and manually register with the Tanium Server

The Module Server installer takes the following actions:
- Opens TCP port 17477 in the local host computer Windows Firewall.
- Installs the Module Server on the host computer and starts the service.

The 7.x Module Server installers support manual registration with the Tanium Server. In 7.0 and 7.1, manual registration is your only option. In 7.2 and later, automatic registration is simpler, but the installer supports manual registration in case the Tanium Server is unavailable when you run the installer.

Before you begin

Ensure the following prerequisites are met and take the following actions:
- Make sure your network security administrator has configured network firewall rules to allow communication between Tanium Server and Tanium Module Server on TCP port 17477.
- Your security team has configured exceptions to host-based security policies to allow Tanium processes to operate smoothly and at optimal performance.
- Go to the Tanium Server host system installation directory and copy the SOAPServer.crt file to the Module Server host computer so you can select it when you run the installer.
- If a local Module Server has been installed on the Tanium Server host computer, go to the Tanium Server host computer and take the following actions:
  1. Stop the Tanium Server service.
  2. Stop and disable the Tanium Module Server service.
  3. Go to the Windows Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Tanium\Tanium Server and clear the setting for the Module Server. (Clear the value 127.0.0.1.)
  4. Restart the Tanium Server service.

Run the installer

1. Log into the Tanium Module Server host system as an administrator user.
2. Copy the installation package file to a temporary location.
3. Right-click the SetupModuleServer.exe file and select Run as administrator.
4. Complete the installation wizard. The following table provides guidelines for key settings.

Choose Install Location
  The default is C:\Program Files\Tanium\Tanium Module Server.

Module Server Port
  The default is 17477.

Server's Certificate Path
  The path to the SOAPServer.crt file copied from the Tanium Server installation directory. This certificate is used to establish trust with the Tanium Server.

SSL Certificate
  Generate Self-Signed Certificate and Key: The SSL certificate and key are used to secure connections to the Tanium Module Server from services like Patch. If you have not obtained a certificate for this server from a commercial CA or enterprise CA, you can select this option, and the installer will generate a self-signed certificate and key (ssl.crt and ssl.key). Specify the fully qualified domain name of the Tanium Module Server. For example, tms1.example.com.
  Use Existing Certificate and Key: If you have a certificate issued by a commercial CA or by your enterprise CA, use this option to select the certificate and key files.

5. Configure the Tanium Server to use the remote Module Server:
  a. Log into the Tanium Server host system.
  b. Go to Windows Services and stop the Tanium Server service.
  c. Go to the following location in the Windows Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Tanium\Tanium Server
  d. Find the ModuleServer key and change it to the FQDN of the remote Module Server.
  e. Restart the Tanium Server service.

Note: If you previously installed a local Module Server, leave the Tanium Module Server service stopped and disabled on the Tanium Server. The Tanium Server must use only the remote Module Server.

Next steps

Verify the deployment. See Verifying the installation on page 40.
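Step 5 is a small but order-sensitive change (stop the service, edit the registry, keep any local Module Server disabled, start the service, confirm), and it is the step most often half-done when the /info page later still reports 127.0.0.1. The following PowerShell script is an added example of doing it in one pass; it is not Tanium's tooling or part of the guide. It assumes the Windows services are named "Tanium Server" and "Tanium Module Server" and that the setting is the REG_SZ value ModuleServer under the key named in step 5c; the FQDN tms1.example.com is the constructed example from the table above.

```powershell
# Added example (not Tanium's own tooling): step 5 above as a script, run as an
# administrator on the Tanium Server host. Assumptions: the Windows services are
# named "Tanium Server" and "Tanium Module Server", and the setting is the REG_SZ
# value "ModuleServer" under the key named in the guide.
param(
    [Parameter(Mandatory)][string]$ModuleServerFqdn   # for example tms1.example.com (constructed)
)

$regKey = 'HKLM:\SOFTWARE\Wow6432Node\Tanium\Tanium Server'
$value  = 'ModuleServer'

function Get-TaniumModuleServerSetting {
    # Returns the currently configured Module Server, or $null if the value is absent.
    (Get-ItemProperty -Path $regKey -Name $value -ErrorAction SilentlyContinue).$value
}

$before = Get-TaniumModuleServerSetting
Write-Host "Current ModuleServer value: '$before'"

# b. Stop the Tanium Server service before touching its configuration.
Stop-Service -Name 'Tanium Server' -ErrorAction Stop

# c/d. Point the Tanium Server at the remote Module Server.
Set-ItemProperty -Path $regKey -Name $value -Value $ModuleServerFqdn -Type String

# Note in the guide: a local Module Server, if one was installed, stays stopped and disabled.
$local = Get-Service -Name 'Tanium Module Server' -ErrorAction SilentlyContinue
if ($local) {
    Stop-Service -Name $local.Name -ErrorAction SilentlyContinue
    Set-Service  -Name $local.Name -StartupType Disabled
    Write-Host 'Local Tanium Module Server service stopped and disabled.'
}

# e. Restart the Tanium Server service and confirm the setting took effect.
Start-Service -Name 'Tanium Server' -ErrorAction Stop
$after = Get-TaniumModuleServerSetting
if ([string]::IsNullOrEmpty($after) -or $after -eq '127.0.0.1') {
    throw "Tanium Server is still configured for a local Module Server ('$after')."
}
Write-Host "Tanium Server now uses remote Module Server: $after"
```

Run it as `.\Set-RemoteModuleServer.ps1 -ModuleServerFqdn tms1.example.com` (the file name is your choice). The final check is the same one the verification section performs through the Console: anything other than the remote FQDN means the Tanium Server is still bound to a local Module Server.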

Verifying the installation

Log into the Tanium Console to verify proper communication among deployment components:
- Successful installation of Tanium content packs verifies communication with content.tanium.com.
- Successful installation of Tanium Interact verifies communication between the Tanium Server and Module Server.
- Successful registration by Tanium Clients verifies communication with clients.

Log into the Tanium Console

1. From a web browser, open the Tanium Console URL. The Tanium Console URL has the following form: https://<fqdn>
2. Log in with the administrator username and password you set when you ran the installation wizard.

When you first log into the Tanium Console, it automatically initiates the following actions:
- Imports the Initial Content - Base content pack. The Initial Content packs include the sensors, packages, saved questions, and dashboards that are essential for getting started with Tanium.
- Imports the Client Maintenance content pack. The Client Maintenance pack includes the sensors, packages, actions, and saved questions that are used to perform hygiene checks on Tanium Clients.
- Imports the Tanium Interact workbench. The Interact workbench includes the user interface for questions and results.

Verify the Tanium Server connection to the remote Module Server

Go to the Tanium Console info page (https://<fqdn>/info) and search for Module Count. It should list the remote Module Server. If it lists 127.0.0.1, it is using the local Module Server, and you must revisit the steps you took to install the Tanium Server and remote Module Server.

Use the CDT to deploy the Tanium Client

This installation guide includes a brief section on deploying Tanium Client so that you can use basic client-server registration to verify successful installation of the Tanium Core Platform server components. For comprehensive information on client deployment options, see the Tanium Client Deployment Guide.

Before you begin

Make sure:
- You have a Windows computer on which you can install the Tanium Client Deployment Tool (CDT).
- Network firewall rules allow the Tanium CDT to make connections to the target endpoints.
- You know the username and password of an administrator account that can log into the target endpoint and install the Tanium Client.
- You have downloaded the Tanium Server public key file so you can include it in Tanium Client installation packages.

Install the CDT

1. Right-click the TaniumClientDeploymentToolSetup.exe file and select Run as administrator. The installation wizard prompts you for one value: the installation directory. The default is C:\Program Files (x86)\tanium\tanium Client Deployment Tool.
2. In Windows, select Start > Tanium Client Deployment Tool to open the tool. Upon initialization, the tool prompts you to download the latest endpoint software from secure Tanium download servers.
3. Click OK to download the latest endpoint software. The software is downloaded to C:\Program Files (x86)\tanium\tanium Client Deployment Tool\clients\.
4. If you plan to use Microsoft PSExec to push Tanium Client to endpoints:
  a. When prompted, follow the link to download PSTools from the Microsoft download site.
  b. Unzip the package and copy the PsExec.exe file to the CDT installation directory.
  c. Restart the Tanium CDT.

Deploy the Tanium Client to the Tanium Platform Windows host systems

1. Under Settings, specify:
  Tanium pub file: Type or browse to the Tanium Server public key file. The default installation location is C:\Program Files\Tanium\Tanium Server\tanium.pub. The Tanium Server public key you specify here is included in the Tanium Client installation.
  Server Name: The Tanium Server FQDN, such as ts1.example.com. The Tanium Client registers with the Tanium Server you specify here. In high availability deployments and deployments with Zone Servers, you can list the FQDNs for all servers, using commas as separators. For example: ts1.example.com,ts2.example.com,zs1.example.com.
  Port: Port that Tanium Clients use to communicate with their designated peers and with the Tanium Server. The default is 17472.
  Log Verbosity Level: The following decimal values are best practices for specific use cases:
    0: Disable logging. This is the best practice value for clients installed on sensitive endpoints or virtual desktop infrastructure (VDI) endpoints.
    1: This is the best practice value during normal operation.
    41: This is the best practice value during troubleshooting.
    91 or higher: Enable the most detailed log levels for short periods of time only.

2. For deployments to Windows endpoints, specify:
  Username: Local or domain user with administrative privileges on the targeted endpoints. The deployment tool uses this account when it connects to the targeted endpoint and executes the client installer.
  Password: The corresponding password.
  Target Folder Override: Specify an installation folder if you do not want to use the default. On Windows, the default is C:\Program Files (x86)\tanium\tanium Client.
  Execution Method: For Windows endpoints, specify which Windows operating system command line utility the tool uses to analyze target computers and perform the remote installation of the client:
    PSEXEC: Best practice option because it is faster.
    WMIC: Best practice option if analysis using PSEXEC returns endpoints with OS Unknown and status Processing.
  Impersonate User: Select this option to use the PSEXEC user impersonation option. The credentials specified in the Settings section are used to connect to the endpoint through a PSEXEC process that runs under those credentials on the Client Deployment Tool host computer. Those credentials are also used to install the client.

3. Use the Active Directory tab to search for the target endpoints.
  a. Domain: Specify the Active Directory domain to which the targeted endpoints belong. For example, example.com.
  b. Connect using credentials: Select this option to use the administrator credentials specified in Settings instead of the logged-in user credentials.
  c. Include computers in child containers: When this option is unchecked, only computer names from endpoints within the first level are included in the target list, not computers contained in child containers. When checked, all computers within an Organizational Unit or container and all child Organizational Units or containers are included in the list.
  d. Click Analyze to query the AD tree and populate the results table. Click Retry Bind if necessary in the event the AD query fails.

4. Select one or more rows in the results table and click Install. The Status table has information about the installation attempt. Review the information to confirm deployment. Click Clear Completed or Clear All to clear Status table entries.

Review Tanium Client registration and ask a question

1. Go to Administration > System Status to review recent client registration details.
2. In Interact, verify the endpoints respond to the following query: Get Computer Name and Tanium Server Name from all machines
3. Review the results grid to verify that all endpoints with Tanium Client software installed are now reporting.

Installing Tanium Zone Server

Overview

In Tanium deployments, Tanium Clients initiate connections with the Tanium Server. However, enterprise network security policies typically do not allow endpoints that reside in an external, untrusted network to initiate connections to resources such as the Tanium Server that reside in a trusted, internal network. To enable the Tanium Server to manage external endpoints, deploy one or more Tanium Zone Servers in your DMZ to proxy communication from the external endpoints. The following figure illustrates Zone Server communication.

The Zone Server is installed as a service, typically on an existing, shared device in the DMZ. It communicates with the Tanium Server through a Tanium Zone Server Hub process that you install on a host computer in the internal network, typically the Tanium Server host computer. You configure Tanium Clients on external endpoints to register with the Zone Server as if it were the primary Tanium Server. To optimize performance, the Zone Server caches sensor definitions, configuration information, and package files associated with actions. It provides these resources to Tanium Clients without having to re-request them from the Tanium Server.

IMPORTANT: When using Tanium to manage external endpoints, be mindful that they might not have the same access to internal resources as internal endpoints. Target actions so that Tanium Clients on external endpoints do not attempt to access resources on the internal network, like an Active Directory server, or package files staged on an internal URL.

Figure 2: Zone Server deployment

Before you begin

Make sure:
- You have the right version of the installer. The installation package for all servers must have the same build number (for example, all must have build number 7.1.314.3214). Contact your Tanium technical account manager (TAM).
- All of the host computers meet the system requirements.
- Your network administrator has configured firewall rules to allow communication from the Zone Server Hub to the Zone Server on TCP port 17472.
- Your security team has configured exceptions to host-based security policies to allow Tanium processes to operate smoothly and at optimal performance.

Install the Tanium Zone Server

This section provides procedures for the following workflow:
1. Run the installer on the Zone Server Hub host computer and configure a Zone Server list that defines the Zone Servers with which it can communicate. In this example, the Tanium Server host computer is also the Zone Server Hub host computer.
2. Run the installer on one or more Zone Server host computers in the DMZ.

The Tanium Zone Server installer takes the following actions:
- Opens TCP port 17472 in the local host computer Windows Firewall.
- Installs Tanium Zone Server Hub or Zone Server on the local host computer and starts the service.

Install the Zone Server Hub

1. Log in as an administrator user on the internal network host system where you will install the Zone Server Hub.
2. Copy the installation package file (SetupZoneServer.exe) to a temporary location.
3. Right-click SetupZoneServer.exe and select Run as administrator.
4. Complete the installation wizard. The following table provides guidelines for key settings.

Choose Install Location
  The default is C:\Program Files (x86)\tanium\tanium Zone Server.

Choose Service Account for Tanium Zone Server
  Specify Account: Specify a service account to run the Tanium Zone Server Service on the local host computer. Specify the following details:
    User Name: Just the account name portion of the credentials. For example, taniumsvc.
    Domain: The fully qualified domain name. For example, example.com.
    Password: The corresponding password.
  Local System Account: Select this option to install software and run the service in the context of the Local System account.

Server Address
  Specify the FQDN or IP address of the Tanium Server.

Server Port
  The default is 17472.

Public Key File
  The path to the Tanium Server public key. The Tanium Server public key is used to set up secure communication between the Zone Server Hub and Zone Server.

Make this server the hub server.
  Select this option when you run the installer on the internal network host computer (such as the Tanium Server host computer in this example).

5. Run Notepad as Administrator: right-click Notepad.exe and select Run as Administrator.
6. Open C:\Program Files (x86)\tanium\tanium ZoneServer\ZoneServerList.txt.
7. Add one line with the Tanium Zone Server FQDN or IP address. If you deploy multiple Zone Servers, list one entry per line.
   Note: If Tanium Servers are configured for high availability (HA), ensure that each Zone Server Hub has unique entries in its Zone Server List. Do not configure multiple hubs to communicate with the same Zone Server.
8. Save the file as an ASCII plain text file (not RTF).
9. (Non-local hub only) If the Zone Server Hub resides on a different host than the Tanium Server, configure the following Windows registry values on the Tanium Server.
  AllowedHubs (REG_SZ): A comma-separated list of Zone Server Hubs that are authorized to communicate with this Tanium Server. Specify the hubs by FQDN or IP address. The default value is 127.0.0.1 (localhost).
  EnforceAllowedHubs (REG_DWORD): The default value 1 specifies that the Tanium Server enforces the AllowedHubs setting: only Zone Server Hubs listed in AllowedHubs can communicate with the Tanium Server. The value 0 enables any Zone Server Hub to communicate with the Tanium Server regardless of the AllowedHubs setting.

Install the Zone Server

1. Go to the Tanium Server host system installation directory and copy the Tanium Server SSL public key file (tanium.pub) to the Tanium Zone Server host computer so you can select it when you run the installer.
2. Log into the Tanium Zone Server host computer as an administrator user.
3. Copy the installation package file to a temporary location.
4. Right-click the SetupZoneServer.exe file and select Run as administrator.
5. Complete the installation wizard. The following table provides guidelines for key settings.

Choose Install Location
  The default is C:\Program Files (x86)\tanium\tanium Zone Server.

Choose Service Account for Tanium Zone Server
  Specify Account: Specify a service account to run the Tanium Zone Server Service on the local host computer. Specify the following details:
    User Name: Just the account name portion of the credentials. For example, taniumsvc.
    Domain: The fully qualified domain name. For example, example.com.
    Password: The corresponding password.
  Local System Account: Select this option to install software and run the service in the context of the Local System account.

Server Address
  This field does not apply when you install the Zone Server.

Server Port
  The default is 17472.

Public Key File
  The path to the Tanium Server public key. The Tanium Server public key is used to set up secure communication between the Zone Server Hub and Zone Server.

Make this server the hub server.
  Make sure this option is not selected when you run the installer on the Tanium Zone Server host computer.

6. For Zone Server 7.1.314.3204 and later: Add the following Windows registry values on the Zone Server host computer to specify the Zone Server Hubs that are allowed to communicate with this Zone Server.
  AllowedHubs (REG_SZ): A comma-separated list of IP addresses of Zone Server Hubs that are authorized to communicate with this Zone Server.
  EnforceAllowedHubs (REG_DWORD): Set the value to 1. This option enhances security by restricting access to only hubs that are explicitly specified. If you do not want to restrict allowed hubs, set EnforceAllowedHubs to 0.
7. On the Tanium Server host computer, go to Windows Services and restart the Tanium Server service.
8. On the Zone Server Hub host computer, go to Windows Services and restart the Tanium Zone Server service.
9. On the Zone Server host computer, go to Windows Services and restart the Tanium Zone Server service.

Verify the deployment

1. On the Tanium Server host computer, use the Tanium Client Deployment Tool to deploy the Tanium Client to the Tanium Zone Server host computer. In the configuration, for Tanium Server, specify the Zone Server FQDN (zs1.tam.local in this example).

2. In Interact, ask Get Computer Name and Tanium Server Name from all machines and verify that the Tanium Client on the Zone Server is reporting via the Tanium Zone Server. Troubleshoot If verification fails: 1. Check the status of the Windows Service for the Tanium Server, Zone Server, Zone Server Hub, and Tanium Client. Start any services that are not started. 2018 Tanium Inc. All Rights Reserved Page 54

2. Check the Windows registry for typos or missing values. 2018 Tanium Inc. All Rights Reserved Page 55

3. Test connectivity from the Zone Server Hub to the Zone Server. You can use whatever utility you like to test connectivity. The following example shows how to use Portqry at the CLI of the Zone Server Hub host to verify whether the Zone Server is listening on a specified port.

    c:\>portqry -n zs1.tam.local -p tcp -e 17472

    Querying target system called:
    zs1.tam.local

    Attempting to resolve name to IP address...
    Name resolved to 10.10.10.15

    querying...
    TCP port 17472 (unknown service): LISTENING
    c:\>

   If you can reach the Zone Server and get an answer (LISTENING), then basic connectivity is not the issue. If you cannot reach the Zone Server, you might need to work with your network and security administrators to resolve the issue.

4. Verify that the Zone Server FQDN resolves to an IP address through DNS. The preceding step uses Portqry as an example to show DNS resolution. You can also use nslookup at the CLI of the Zone Server Hub host, as follows.

    c:\>nslookup zs1.tam.local
    Server: Unknown
    Address: 10.10.10.10

    Name: zs1.tam.local
    Address: 10.10.10.15

   If DNS resolution fails, work with your network administrator to resolve it. If that is not possible, you can reconfigure the connection settings using the IP address instead of FQDN.

5. If the preceding steps do not resolve the issue, generate logs as follows and then contact your TAM.
   a. Set the log verbosity level to 41 on the Tanium Client (see Client Deployment Guide: Tanium Client Settings) and on the Zone Server, Zone Server Hub, and Tanium Server (see Windows Registry on page 66).
   b. Reproduce the issue by re-asking the question you used to verify the deployment.
   c. Examine both the server and client logs. Your TAM can analyze the logs.
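The troubleshooting steps above can be run together from the Zone Server Hub host. The PowerShell below is an added example, not part of the Tanium guide: it checks the local services, the hub's own registry values, DNS resolution and the TCP port, using the guide's example FQDN and port. It assumes Resolve-DnsName and Test-NetConnection are available (Windows 8.1 / Server 2012 R2 or later), the registry path from Table 10, and the service display names shown.

```powershell
# Added example (not from the Tanium guide): hub-to-Zone-Server checks gathered into one
# object. FQDN and port are the guide's example values; service display names and the
# registry path (Table 10 of this guide) are assumptions to confirm on your hosts.
function Test-ZoneServerPath {
    param(
        [string]$ZoneServerFqdn = 'zs1.tam.local',
        [int]$Port = 17472,
        [string]$HubKey = 'HKLM:\SOFTWARE\Wow6432Node\Tanium\Tanium ZoneServer'
    )
    $r = [ordered]@{}

    # Troubleshooting step 1: service state on this (hub) host. 'not installed' for a
    # service you expect here usually means the wrong host or a different display name.
    foreach ($name in 'Tanium Server', 'Tanium Zone Server', 'Tanium Client') {
        $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
        $r["Service '$name'"] = if ($svc) { [string]$svc.Status } else { 'not installed' }
    }

    # Troubleshooting step 2: hub-side registry values. The hub must be flagged as a hub
    # (ZoneHubFlag=1) and its ServerPort must match what the Zone Server listens on.
    $reg = Get-ItemProperty -Path $HubKey -ErrorAction SilentlyContinue
    $r['Hub ZoneHubFlag'] = if ($reg) { $reg.ZoneHubFlag } else { 'registry key missing' }
    $r['Hub ServerPort']  = if ($reg) { $reg.ServerPort }  else { 'registry key missing' }

    # Troubleshooting step 4: does the Zone Server FQDN resolve through DNS?
    try {
        $records = Resolve-DnsName -Name $ZoneServerFqdn -Type A -ErrorAction Stop |
                   Where-Object { $_.IPAddress }
        $r['DNS A records'] = ($records.IPAddress -join ', ')
    } catch {
        $r['DNS A records'] = "FAILED: $($_.Exception.Message)"
    }

    # Troubleshooting step 3: is the Zone Server listening on the port (what portqry
    # reported as LISTENING)? A failure here with DNS working points at the network path
    # or the Zone Server service rather than name resolution.
    $tnc = Test-NetConnection -ComputerName $ZoneServerFqdn -Port $Port -WarningAction SilentlyContinue
    $r["TCP $Port"] = if ($tnc.TcpTestSucceeded) { 'LISTENING' } else { 'NOT REACHABLE' }

    [pscustomobject]$r
}

# Usage: run on the Zone Server Hub host and read the result top to bottom.
Test-ZoneServerPath | Format-List
```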

Installing the Tanium Server in an active-active HA cluster

Overview

You can deploy two or more Tanium Servers in an active-active high availability (HA) cluster to ensure continuous availability in the event of an outage or scheduled maintenance. In an active-active HA deployment:

- Tanium Clients use a Tanium Server list to automatically find a backup server in the event the primary Tanium Server assigned to them is unavailable.
- The Tanium Servers read and write to one shared database. Each server creates an entry for itself in the tanium database that identifies it to the other Tanium Servers in the HA cluster. Follow database administration best practices to ensure availability of the database server and to ensure that the Tanium databases and related database objects are backed up routinely.
- Each HA cluster member has a Tanium Console with its own URL.
- Tanium solution modules are installed on a shared Tanium Module Server (the Module Server does not support HA). However, to make the modules available in all the Tanium Servers in an HA cluster, you must import the modules through the Tanium Console of each cluster member.
- Each Tanium Server passes Tanium messages (such as answers to questions) and package files to the other HA cluster members over port 17472. When you upload package files to a Tanium Server, it automatically synchronizes the files to the other HA cluster members.

Note: HA clustering is not required to scale Tanium capacity or improve performance. You can resize the host system hardware and operating systems of standalone Tanium Core Platform servers to meet your capacity and performance requirements. For details, see Reference: Host system sizing guidelines on page 88.

Figure 3: HA topology

HA cluster requirements and limitations

An HA deployment has the following requirements:

- Each Tanium Server must run the same software version, including build number (for example, each must have build number 7.1.314.3214).
- Each Tanium Server in the cluster must meet or exceed the requirements for the total number of endpoints targeted by your deployment. Each must be able to independently handle load from the full deployment in the event of failure. For details, see Reference: Host system sizing guidelines on page 88.
- The cluster members must be able to connect to each other via a reliable Ethernet connection. A minimum 1 Gbps connection is required.
- Each cluster member must be able to access the Internet to download files from designated domains. Access can be direct or through a proxy server.
- Each cluster member must be able to connect to the shared database server and shared Module Server.

Note: You do not have to configure a Microsoft Windows cluster. The procedures provided here are based on two standalone Windows Server host computers. The Tanium Appliance supports database high availability. For details, see the Tanium Appliance Installation Guide.

Before you begin

Make sure:

- You can access the installer package and license file.
- Your network security administrator has configured security rules to allow communication on the TCP ports Tanium Core Platform components use. In addition to the ports used by standalone Tanium Servers, a Tanium Server in an HA cluster sends and receives HA-related data on port 17472 (TCP).
- Your Microsoft Active Directory administrator has set up the accounts your team needs for the Tanium platform deployment.
- Your database administrator has created a database server for the Tanium platform deployment and that there is a privileged domain administrator account that you can use to create the Tanium databases when you run the installer.

Deploy the HA cluster

1. Set up the shared database server.
2. Complete the installation for the Tanium Server on the primary host computer as described in Installing Tanium Server on page 30.
3. Complete the installation for the Tanium Module server as described in Installing Tanium Module Server on page 37.
4. Log into the second host computer and run the Command Prompt utility as the local administrator so that you have privileges to create a folder in Program Files.
5. Create the directory by running the following command, where <drive> is the target drive (such as C or D).

    md "<drive>:\program Files\Tanium\Tanium Server"

6. Copy the following files from the Tanium Server installation directory on the primary host computer to the directory you just created on the secondary host:

   - SOAPServer.crt
   - SOAPServer.key
   - tanium.license
   - tanium.pvk
   - tanium.pub

   IMPORTANT: Always follow your organization's best practices for securely copying sensitive files, such as the Tanium Server private key file. For example, use GPG to encrypt the files before copying and to decrypt when they are in place on the target server.

7. If the primary server has been deployed for days before you are deploying the secondary server, copy the Strings folder from the Tanium installation directory on the primary host computer to the same directory on the secondary host computer. This step is not necessary if you are deploying both servers at the same time.
8. Copy the installation package file to a temporary location.
9. Right-click the SetupServer.exe file and select Run as administrator.
10. Complete the installation wizard.
11. Configure the second Tanium Server to use the remote Module Server:
    a. Go to the following location in the Windows Registry:

       HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Tanium\Tanium Server
    b. Find the ModuleServer key and change it to the FQDN of the remote module server.
    c. Go to Windows Services and restart the Tanium Server service.

Note: Leave the Tanium Module Server service stopped and disabled.

Verify the installation

1. Import solution modules into each Tanium Console. Tanium solution modules are installed on a shared Module Server. However, the solution module workbench files must be installed on each Tanium Server. See the Tanium Core Platform User Guide for details.
2. Deploy the Tanium Client to endpoints. When you configure client settings, specify both server names so the Tanium Clients use the ServerNameList setting to select a Tanium Server. See the Tanium Client Deployment Guide.

3. In Interact, ask Get Computer Name and Tanium Server Name from all machines and verify that both Tanium Servers are active.
4. Verify that both servers download packages with URL-specified files when such a package is created or imported. Distribute Copy Tools is an example of a package with URL-specified files:
   a. Go to Authoring > Packages.
   b. Select the row for Distribute Copy Tools.

   c. Click Status and check that the files have been downloaded and are now cached on both servers.
5. Create a new package and specify a locally uploaded file. After you have saved the package, wait a moment for HA sync to occur, and then check that the files are downloaded and cached by both servers.

HA configuration notes

The Tanium Server settings that are stored in the Windows Registry are not automatically synced to other cluster nodes. In active-active deployments, if you make changes to these settings, be sure to do so on both nodes. Settings stored in the Windows Registry include:

- Log level
- Proxy server settings
- Bypass proxy settings
- Trusted host settings
- Bypass CRL check settings
- Client subnets

In the Tanium Console, you can use the Configuration workbench to edit these settings. Be sure to do it with each Tanium Console (for example, log into ts1.example.com and make your changes; then log into ts2.example.com and make the same changes). For instructions on using the Configuration workbench, see the Tanium Core Platform User Guide. For guidelines on Tanium Server Windows Registry settings, see Windows Registry on page 66.

Troubleshooting the installation

This chapter includes information on the location of the settings and logs you can use to troubleshoot installation issues.

Basic tips

- Check with your technical account manager (TAM) to ensure the Tanium software version is a recommended version.
- Ensure your environment meets the host system and network requirements.
- Review any error messages reported to the user interface or installation log files.
- If you encounter failed access messages when running an installer, examine the privileges for the logged-in user.
- If you encounter failed connections, use standard tools like ping and traceroute to verify basic connectivity. If those checks fail, work with your network administrator to diagnose. If those pass, it might be a certificate problem or firewall issue.
- If the Tanium Console is unavailable, check the status of the Tanium Server Windows Service and the Tanium databases on the database server.

Windows Registry

Many installation settings get populated to the Windows Registry. If you encounter issues with the installation, you can review the registry entries for typos.

Note: Proxy server-related keys have entries only if you configured a proxy server (see Reference: Proxy server settings on page 104).

Tanium Server

The Windows Registry entry for Tanium Server is found in the following location:

    HKEY_LOCAL_MACHINE\Software\Wow6432Node\Tanium\Tanium Server

IMPORTANT: Tanium Server settings that are stored in the Windows Registry are not automatically synced between high availability peers. If you change these settings in an active-active deployment, be sure to change them on both Tanium Servers.
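Because the HA configuration notes and the IMPORTANT note above both say these registry settings are not synchronized between peers, a periodic drift check is worth having. The PowerShell below is an added example, not part of the Tanium guide: it reads the unsynchronized values named in Table 6 from both peers over PowerShell remoting and reports any that differ. It assumes WinRM is enabled on both servers, that the caller is a local administrator there, and uses the guide's example hostnames ts1.example.com and ts2.example.com.

```powershell
# Added example (not from the Tanium guide): detect drift in the Tanium Server registry
# settings that are NOT synchronized between active-active HA peers. Value names are
# from Table 6 of this guide; the peer hostnames are the guide's example names.
# Assumes PowerShell remoting (WinRM) is enabled on both peers and the caller is a
# local administrator on them. ProxyPassword is deliberately excluded: it is stored in
# clear text and should not be pulled over the network or printed by a drift report.
$TaniumServerKey  = 'HKLM:\SOFTWARE\Wow6432Node\Tanium\Tanium Server'
$UnsyncedSettings = @(
    'LogVerbosityLevel', 'ProxyServer', 'ProxyPort', 'ProxyType', 'ProxyUserid',
    'BypassProxyHostList', 'TrustedHostList', 'BypassCRLCheckHostList', 'AddressMask'
)

function Get-TaniumServerSettings {
    # Returns a hashtable of name -> value (as string) for the requested values on one peer.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$Key = $TaniumServerKey,
        [string[]]$Names = $UnsyncedSettings
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Key, $Names -ScriptBlock {
        param($k, $names)
        $props = Get-ItemProperty -Path $k
        $out = @{}
        foreach ($n in $names) {
            # DWORD 0 is a real value (e.g. LogVerbosityLevel=0), so test for $null, not truthiness.
            $out[$n] = if ($null -ne $props.$n) { [string]$props.$n } else { '<not set>' }
        }
        $out
    }
}

function ConvertTo-CanonicalHostList {
    # The *HostList values are comma-separated. Normalise spacing, case and order so that
    # 'ts1.example.com, TS2.example.com' and 'ts2.example.com,ts1.example.com' compare equal.
    param([string]$List)
    (($List -split ',') | ForEach-Object { $_.Trim().ToLowerInvariant() } |
        Where-Object { $_ } | Sort-Object -Unique) -join ','
}

function Compare-TaniumPeerSettings {
    # Emits one object per setting whose value differs between the two snapshots.
    param(
        [Parameter(Mandatory)][hashtable]$Reference,
        [Parameter(Mandatory)][hashtable]$Difference
    )
    $names = @($Reference.Keys) + @($Difference.Keys) | Sort-Object -Unique
    foreach ($name in $names) {
        $a = [string]$Reference[$name]
        $b = [string]$Difference[$name]
        if ($name -like '*HostList') {
            $a = ConvertTo-CanonicalHostList $a
            $b = ConvertTo-CanonicalHostList $b
        }
        if ($a -cne $b) {
            [pscustomobject]@{ Setting = $name; Reference = $a; Difference = $b }
        }
    }
}

# Usage: snapshot both peers and print any drift (no output rows means they match).
$peers = @('ts1.example.com', 'ts2.example.com')
$snapshots = @{}
foreach ($p in $peers) { $snapshots[$p] = Get-TaniumServerSettings -ComputerName $p }
$drift = @(Compare-TaniumPeerSettings -Reference $snapshots[$peers[0]] -Difference $snapshots[$peers[1]])
if ($drift.Count -eq 0) { "No drift between $($peers -join ' and ')" } else { $drift | Format-Table -AutoSize }
```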

Table 6: Tanium Server Registry Key settings

Name | Type | Data
AddressMask | REG_DWORD | Hexadecimal value of a subnet CIDR that delineates the clients that belong to a linear chain. Do not change this registry value unless your TAM instructs you to do so.
AllowedHubs | REG_SZ | A comma-separated list of Zone Server Hubs that are authorized to communicate with this Tanium Server. Specify the hubs by FQDN or IP address. The default value is 127.0.0.1 (localhost). Note that you can configure the AllowLocalHubs key as an exception to the AllowedHubs list.
BypassCRLCheckHostList | REG_SZ | Servers that the Tanium Server trusts without checking a certificate revocation list (CRL). The Tanium Server performs a CRL check on all servers that are not in this list, and does not download files from a server that fails the check. Specify the servers by FQDN or IP address.
BypassProxyHostList | REG_SZ | Hosts that bypass the proxy server. For example, do not use a proxy server for traffic between Tanium Servers in an active-active cluster. A proxy server can cause problems with other traffic to a destination Tanium Server. For example, a package configuration can specify file URIs that are local to the Tanium Server to download content. It is important to bypass the proxy server for these URIs, or else the download will fail. Enter the exceptions as FQDNs or IP addresses. In most cases, the exceptions you need to specify are localhost, 127.0.0.1, and all Tanium Server FQDNs and IP addresses. For example: ts1.example.com,ts2.example.com,localhost,127.0.0.1,10.10.10.11,10.10.10.15 Specify literal values. Tanium Core Platform 7.0.314.6242 and later supports wildcards.

Name | Type | Data
ConsoleSettingsJSON | REG_SZ | Path to the console settings file.
DBUserDomain | REG_SZ | FQDN of the domain for the service account that connects to the database server. Specified when you completed the installation wizard.
DBUserName | REG_SZ | Username for the service account that connects to the database server. Specified when you completed the installation wizard.
EnforceAllowedHubs | REG_DWORD | The default value 1 specifies that the Tanium Server enforces the AllowedHubs setting: only Zone Server Hubs listed in AllowedHubs can communicate with the Tanium Server. The value 0 enables any Zone Server Hub to communicate with the Tanium Server regardless of the AllowedHubs setting.
LogPath | REG_SZ | Path to Tanium Server logs.
LogVerbosityLevel | REG_DWORD | Specify one of the following decimal values for the log verbosity level: 0: Logging disabled. 1: Log level during normal operation. 41: Best practice log level during troubleshooting. 91 or higher: Enable the most detailed log levels for short periods of time only.
ModuleServer | REG_SZ | FQDN of the Module Server.
ModuleServerPort | REG_DWORD | Module Server Port. The default is 17477.
Path | REG_SZ | Installation path.
PGDLLPath | REG_SZ | Path to the PostgreSQL Server libraries.
PGRoot | REG_SZ | Path to the Postgres installation directory.

Name | Type | Data
ProxyPassword | REG_SZ | For a basic proxy server that requires authentication, this setting is the account password used when establishing a connection with the proxy server. The password is stored in clear text within the registry. This setting does not apply to NTLM proxies, which use the credentials of the user context that runs the Tanium Server service.
ProxyPort | REG_SZ | Proxy server listening port.
ProxyType | REG_SZ | Basic or NTLM.
ProxyServer | REG_SZ | IP address of the proxy server.
ProxyUserid | REG_SZ | For a basic proxy server that requires authentication, this setting is the account username used when establishing a connection with the proxy server. The password is stored in clear text within the registry. This setting does not apply to NTLM proxies, which use the credentials of the user context that runs the Tanium Server service.
PythonPath | REG_SZ | Deprecated setting that is no longer used.
ServerName | REG_SZ | The network adapter binding that the Tanium Server uses to listen for IPv4 client registrations. The default value 0.0.0.0 indicates binding to all network adapters. Do not change this registry value unless your TAM instructs you to do so.
ServerPort | REG_DWORD | Tanium Server Port. The server listens for Tanium Clients on this port. Specified when you completed the installation wizard. The default is 17472.
ServerSOAPPort | REG_DWORD | Tanium Console and SOAP API port. Specified when you complete the installation wizard. The default is 443.

Name | Type | Data
SQLConnectionString | REG_SZ | Database server connection information. Example SQL Server: SQL1\SQLEXPRESS@tanium Example PostgreSQL Server: postgres:localhost@dbname=postgres port=5432
TrustedCertPath | REG_SZ | Path to the certificate file used for secure connections to the Tanium Console port. The certificate is selected when you completed the installation wizard.
TrustedHostList | REG_SZ | The trusted servers that the Tanium Server can download files from even if those servers do not have valid SSL certificates. In an active-active cluster, specify both Tanium Servers. Tanium Core Platform 7.0.314.6242 and later supports wildcards. Specify the servers by FQDN or IP address.
Version | REG_SZ | Tanium Server version number.

Tanium Module Server

The Windows Registry entry for the Tanium Module Server is found in the following location:

    HKEY_LOCAL_MACHINE\Software\Wow6432Node\Tanium\Tanium Module Server

When troubleshooting an issue, Tanium Support might ask you to review or confirm these settings, but would rarely ask you to change them.

Table 7: Tanium Module Server Registry Key settings

Name | Type | Data
LogVerbosityLevel | REG_DWORD | Specify one of the following decimal values for the log verbosity level: 0: Logging disabled. 1: Log level during normal operation. 41: Best practice log level during troubleshooting. 91 or higher: Enable the most detailed log levels for short periods of time only.
Path | REG_SZ | Installation path.
PythonPath | REG_SZ | Deprecated setting that is no longer used.
ServerName | REG_SZ | The network adapter binding that the Tanium Module Server uses to listen for IPv4 connections. The default value 0.0.0.0 indicates binding to all network adapters.
ServerPort | REG_DWORD | Tanium Module Server port. The default is 17477.
Version | REG_SZ | Tanium Module Server version number.

The Module Server host computer has a registry entry for the Tanium Server:

    HKEY_LOCAL_MACHINE\Software\Wow6432Node\Tanium\Tanium Server

The settings in this registry entry are for the proxy server configuration.

Table 8: Tanium Server Registry Key settings on Module Server host computer

Name | Type | Data
BypassCRLCheckHostList | REG_SZ | Servers that the Tanium Server trusts without checking a certificate revocation list (CRL). The Tanium Server performs a CRL check on all servers that are not in this list, and does not download files from a server that fails the check. Specify the servers by FQDN or IP address.

Name | Type | Data
BypassProxyHostList | REG_SZ | Hosts that bypass the proxy server. For example, do not use a proxy server for traffic between Tanium Servers in an active-active cluster. A proxy server can cause problems with other traffic to a destination Tanium Server. For example, a package configuration can specify file URIs that are local to the Tanium Server to download content. It is important to bypass the proxy server for these URIs, or else the download will fail. Enter the exceptions as FQDNs or IP addresses. In most cases, the exceptions you need to specify are localhost, 127.0.0.1 (IPv4), and all Tanium Server FQDNs and IP addresses. For example: ts1.example.com,ts2.example.com,localhost,127.0.0.1,10.10.10.11,10.10.10.15 Specify literal values. Tanium Core Platform 7.0.314.6242 and later supports wildcards.
ProxyPassword | REG_SZ | For a basic proxy server that requires authentication, this setting is the account password used when establishing a connection with the proxy server. The password is stored in clear text within the registry. This setting does not apply to NTLM proxies, which use the credentials of the user context that runs the Tanium Server service.
ProxyPort | REG_SZ | Proxy server listening port.
ProxyType | REG_SZ | Basic or NTLM.
ProxyServer | REG_SZ | IP address of the proxy server.

Name | Type | Data
ProxyUserid | REG_SZ | For a basic proxy server that requires authentication, this setting is the account username used when establishing a connection with the proxy server. The password is stored in clear text within the registry. This setting does not apply to NTLM proxies, which use the credentials of the user context that runs the Tanium Server service.
TrustedHostList | REG_SZ | The trusted servers that the Tanium Server can download files from even if those servers do not have valid SSL certificates. In an active-active cluster, specify both Tanium Servers. Tanium Core Platform 7.0.314.6242 and later supports wildcards. Specify the servers by FQDN or IP address.

TDownloader

The Tanium Downloader (TDownloader) service manages import and download operations on both the Tanium Server and Tanium Module Server. The hosts for both servers have an entry for TDownloader:

    HKEY_LOCAL_MACHINE\Software\Wow6432Node\Tanium\Downloader

Table 9: TDownloader Registry Key setting

Name | Type | Data
LogVerbosityLevel | REG_DWORD | Specify one of the following decimal values for the log verbosity level: 0: Logging disabled. 1: Log level during normal operation. 41: Best practice log level during troubleshooting. 91 or higher: Enable the most detailed log levels for short periods of time only.

Zone Server

The Windows Registry entry for the Tanium Zone Server is found in the following location:

    HKEY_LOCAL_MACHINE\Software\Wow6432Node\Tanium\Tanium ZoneServer

When troubleshooting an issue, Tanium Support might ask you to review or confirm these settings, but would rarely ask you to change them.

Table 10: Tanium Zone Server Registry Key settings

Name | Type | Data
AllowedHubs | REG_SZ | A comma-separated list of Zone Server Hubs that are authorized to communicate with this Zone Server. Specify the hubs by FQDN or IP address.
EnforceAllowedHubs | REG_DWORD | The default value 1 specifies that the Zone Server enforces the AllowedHubs setting: only Zone Server Hubs listed in AllowedHubs can communicate with the Zone Server. The value 0 enables any Zone Server Hub to communicate with the Zone Server regardless of the AllowedHubs setting.
LogPath | REG_SZ | Path to Tanium Zone Server logs.
LogVerbosityLevel | REG_DWORD | Specify one of the following decimal values for the log verbosity level: 0: Logging disabled. 1: Log level during normal operation. 41: Best practice log level during troubleshooting. 91 or higher: Enable the most detailed log levels for short periods of time only.
Path | REG_SZ | Installation path.
ServerName | REG_SZ | Tanium Server fully qualified domain name.
ServerPort | REG_DWORD | Tanium Server Port. Specified when you completed the installation wizard. The default is 17472.
ServiceUserDomain | REG_SZ | The Zone Server Windows service runs in the context of a service account. This entry contains the domain specified during installation.
ServiceUserName | REG_SZ | The Zone Server Windows service runs in the context of a service account. This entry contains the username specified during installation.
Version | REG_SZ | Tanium Zone Server version number.

Name | Type | Data
ZoneHubFlag | REG_DWORD | The value indicates whether this Zone Server instance is (1) or is not (0) a Zone Server Hub.

Logs

Installation logs

The installation log files are chronological logs of the actions taken by the installer. If you encounter issues with your installation, examine the installation log file to see which actions completed successfully and which failed.

Table 11: Installation logs directories

Component | Default Location
Tanium Server | C:\Program Files\Tanium\Tanium Server\Install.txt
Tanium Module Server | C:\Program Files\Tanium\Tanium Module Server\Install.txt
Tanium Zone Server | C:\Program Files (x86)\tanium\tanium Zone Server\Install.txt

TDownloader logs

TDownloader logs are chronological logs of the actions that the TDownloader service performs when it downloads files from Tanium and other Internet locations. The logs include proxy server connection status events when applicable. The TDownloader logs might help you troubleshoot when importing Tanium content packs and solution modules or downloading updates to package files.

Logs are written to the file log0.txt. When that file reaches 1 MB in size, log0.txt is renamed to log1.txt. When log0.txt reaches 1 MB in size again, log1.txt is renamed to log2.txt, and log0.txt is again renamed to log1.txt. The process to roll the logs whenever log0.txt reaches the 1 MB size limit continues until 10 logs exist in total. In effect, once the Tanium component reaches the 10 log limit, the log details in log9.txt are overwritten each time a new log0.txt is started.

Table 12: TDownloader logs directories

Component | Default Location
Tanium Server | C:\Program Files\Tanium\Tanium Server\TDL_Logs
Tanium Module Server | C:\Program Files\Tanium\Tanium Module Server\TDL_Logs

Tanium Support

Your TAM is your first contact for assistance with preparing for and performing the installation, as well as verifying and troubleshooting the initial deployment. If you require further assistance from Tanium Support, please be sure to include version information for Tanium core platform components and specific details on dependencies, such as the host system hardware and OS details and database server version. Log into https://support.tanium.com and submit a new ticket or send us an email at support@tanium.com.

Upgrading Tanium Core Platform servers

Supported upgrade paths

Path | Notes
7.1.x to 7.1.x | Minor upgrade. However, specific steps must be taken to initialize role-based access control (RBAC) for Tanium solution modules.
7.0.x to 7.1.x | Major upgrade. In 7.1, RBAC replaces system roles. Make sure you understand RBAC and are ready to assign roles to users before you upgrade.
6.5.x to 7.1.x | Major upgrade. Note the Tanium Console user interface is different in 7.0 and later. The best practice is to upgrade your lab deployment first and verify that you can perform your key tasks with the new 7.x user interface before upgrading your production deployment.

Overview

The maintenance window for upgrading Tanium Core Platform servers is usually under an hour. To avoid unexpected issues, all servers must run the same software version. As a best practice, complete the upgrade for all the servers in the same maintenance window. If you have a high availability (HA) cluster, complete the upgrade for all Tanium Server HA peers in the same window.

If you do not need to change the server hostname or SSL certificate or key files, you can simply run the 7.1.x installers to overwrite the existing installation with updated files, and copy the new license file (if any) to the installation directory on the Tanium Servers.

In some cases, you might want to take the opportunity to change the server hostname or install new SSL certificates and keys (for example, if the existing ones are due to expire). If so, the upgrade experience is similar to the initial installation and has similar prerequisite steps. You must be able to copy the certificate and key files between host computers to complete the installation. If you change the server hostnames, you must reconfigure the Tanium Client on endpoints so they can communicate with the servers.

The upgrade procedures in this guide assume your host and network environment meets the initial installation requirements. There are no new requirements added for 7.1.x.

The settings you manage with the Tanium Console are saved to the database, so any customizations you have saved in your existing deployment will persist through the upgrade.

Before you begin

- Read the release notes for all of the core platform software versions that were released after your current version to stay informed about expected behavior.
- Make sure the current deployment is working as expected. Be sure to check all core platform server components and all solutions.
- Consult with your TAM if you plan to change the Tanium Server hostname. Your TAM needs the new hostname when creating a Tanium license for you.
- Obtain the installers (.exe files) and new license file from your TAM.
- A normal upgrade does not require you to restore from the backups, but backups can save you work in the event you encounter issues and want to restore the system to a known functional state. Take the following actions:
  o Back up the current installation folder, particularly the license files and SSL certificate and key files. The SSL public and private keys are unique to your environment and cannot be recreated or recovered. Copies of these files should be archived, secured, and managed according to your internal security policies as you would any other system-level security and credential files.

  o Back up the tanium and tanium_archive databases.
- As a best practice, stop the following Tanium Core Platform services in the given order:
  o Tanium Zone Server
  o Tanium Zone Server Hub
  o Tanium Module Server
  o (HA deployment only) Secondary Tanium Server
  o Primary or standalone Tanium Server

Order of upgrade

1. Tanium Server(s)
2. Module Server
3. Zone Server Hub
4. Zone Server

Upgrade Tanium Server

When you upgrade, the Tanium Server installer takes the following actions:

- Stops the Tanium Server service.
- Installs Tanium Server software and Tanium Console UI components.
- Updates the Windows registry with the values you specify in the interactive installation wizard.
- Updates the Tanium databases on the remote database server and re-initializes the database tables in those databases.
- Opens required ports in the local host computer Windows Firewall.
- Starts the Tanium Server service.

Note: In an upgrade of a production deployment, the installer detects from the Windows Registry that the Tanium Module Server is not installed locally, so it does not attempt to upgrade it or start the Tanium Module Server service.

Upgrade a standalone Tanium Server (or the first member of an active-active cluster)

1. Log into the host system as a local administrator or domain user with administrator privileges.
2. Copy the installer (SetupServer.exe) and license files to a temporary location on the host computer.
3. If you have new SSL certificate and key files, copy them to the host computer so you can select them when you run the installer.
4. Right-click the SetupServer.exe file and select Run as administrator.
5. Complete the installation wizard. Consider the following:
   - Select the Custom installation type, not Express. When you select Custom, the installer prompts you for each setting and populates the wizard form with the values extant in the present installation. This gives you a chance to review the current installation and replace the certificate and license files, if necessary, or change other installation settings. When you select Express, the installer uses the existing values but does not give you an opportunity to review or change them.
   - On the License Configuration page, be sure to select the new license file.
   - If the server has new SSL certificate and key files, use the SSL Certificate and Key controls to select them; otherwise, retain the values populated by the installer.

Upgrade the second member of an active-active cluster

1. Log into the host system as a local administrator or domain user with administrator privileges.
2. Copy the installer (SetupServer.exe) and license files to a temporary location on the host computer.
3. If you have updated the SSL certificate and key files, copy the following files from the Tanium Server installation directory on the primary host to the installation directory on the secondary host:
   - SOAPServer.crt
   - SOAPServer.key
   - tanium.license
   - tanium.pvk
   - tanium.pub

   IMPORTANT: Always follow your organization's best practices for securely copying sensitive files, such as the Tanium Server private key file. For example, use GPG to encrypt the files before copying and then decrypt when they are in place on the target server.

4. Right-click the SetupServer.exe file and select Run as administrator.
5. Complete the installation wizard. Consider the following:
   - Select the Custom installation type, not Express. When you select Custom, the installer prompts you for each setting and populates the wizard form with the values extant in the present installation. This gives you a chance to review the current installation and replace the certificate and license files, if necessary, or change other installation settings. When you select Express, the installer uses the existing values but does not give you an opportunity to review or change them.
   - On the License Configuration page, be sure to select the new license file.
   - If the server has new SSL certificate and key files, use the SSL Certificate and Key controls to select them; otherwise, retain the values populated by the installer.

Upgrade Tanium Module Server

When you upgrade, the Tanium Module Server installer takes the following actions:

- Stops the Tanium Module Server service.
- Updates Tanium Module Server software.
- Updates the Windows registry with the values you specify in the interactive installation wizard.
- Opens required ports in the local host computer Windows Firewall.
- Starts the Tanium Module Server service.

Upgrade the Tanium Module Server

1. Log into the Tanium Module Server host system as an administrator user.
2. Copy the installer (SetupModuleServer.exe) to a temporary location on the host computer.
3. If the Tanium Server has new certificate and public key files, copy these files from the Tanium Server installation directory to a temporary location on the Tanium Module Server host computer so you can select them when you run the installer.
4. If the Tanium Module Server has new certificate and public key files, copy them to a temporary location on the Tanium Module Server host computer so you can select them when you run the installer.
5. Right-click the SetupModuleServer.exe file and select Run as administrator.
6. Complete the installation wizard. Consider these points:
   - If the Tanium Server has a new certificate, use the Server's Certificate Path controls to select it.
   - If the Tanium Module Server has a new certificate and key, use the Use Existing Certificate and Key controls to select them.

Note: If you have changed the Module Server hostname, go to the Tanium Server Windows registry and edit the Tanium Server ModuleServer registry setting.

Upgrade Tanium Zone Server

Tanium Zone Server software is installed on the Zone Server hub (a host computer in the internal network, typically the Tanium Server host computer) and on one or more dedicated Zone Server host computers in the DMZ. Upgrade both types of servers.

When you upgrade, the Tanium Zone Server installer takes the following actions:
- Stops the Tanium Zone Server service.
- Updates Tanium Zone Server software.

- Updates the Windows registry with the values you specify in the interactive installation wizard.
- Opens required ports in the local host computer Windows Firewall.
- Starts the Tanium Zone Server service.

Upgrade the Zone Server hub

1. Log into the Tanium Server host system as an administrator user.
2. Copy the installer (SetupZoneServer.exe) to a temporary location.
3. If the Tanium Server has a new public key, go to the Tanium Server host system installation directory and copy the Tanium Server SSL public key file (tanium.pub) to a temporary location on the Tanium Zone Server host system so you can select it when you run the installer.
4. Right-click the SetupZoneServer.exe file and select Run as administrator.
5. Complete the installation wizard. Be sure to select the Make this server the hub server option.

Upgrade the dedicated Zone Server

1. Log into the Tanium Zone Server host system as an administrator user.
2. Copy the installer (SetupZoneServer.exe) to a temporary location.
3. If the Tanium Server has a new public key, go to the Tanium Server host system installation directory and copy the Tanium Server SSL public key file (tanium.pub) to a temporary location on the Tanium Zone Server host system so you can select it when you run the installer.
4. Right-click the SetupZoneServer.exe file and select Run as administrator.
5. Complete the installation wizard. Be sure not to select the Make this server the hub server option.

Verify the server upgrade

1. Open the Tanium Console URL.
2. Log in as a user with the Administrator role. The Tanium Console opens to the home page, which displays any errors that occurred during the Module Server upgrade.
3. Go to Administration > System Status to review recent client registration details and verify that Tanium Clients are registering as expected.

Reimport Tanium solution modules and content packs

If you are upgrading from 7.0 to 7.1.314.3214, you must re-import content packs and solution modules to make your deployment RBAC-ready. For information on getting started with RBAC, see the Tanium Core Platform User Guide. If you have already upgraded to an earlier version of 7.1 (such as 7.1.314.2874), you presumably already re-imported the content packs. After the upgrade to 7.1.314.3214, you must reimport Tanium solution modules.

Note: Solution module workbench files are written to the file system of the host computer, not to the shared database. Therefore, the configurations are not automatically synced. In an HA deployment, you must reimport solution modules into both instances of the Tanium Console.

Troubleshooting

Under ordinary circumstances, the installer: (1) stops the Tanium service; (2) updates the software; (3) restarts the Tanium service. In deployments with an exceptionally large amount of data, stopping the service may take an exceptionally long time, and it is possible that the installer will abort the installation before the service has been properly shut down. If this occurs (or to avoid it), you can stop the Tanium service manually before you run the installer. In most cases, you do not need to do this.

Basic tips

- Ensure all Tanium Core Platform components are the same version. For example, make sure all have build number 7.1.314.3214.
- Ensure your environment meets the host system and network requirements.
- Review any error messages reported to the user interface or installation log files.
- If you encounter failed access messages when running an installer, examine the privileges for the logged-in user.
- Many installation settings get populated to the Windows Registry. Review the registry entries for typos.
- If you encounter failed connections, use standard tools like ping and traceroute to verify basic connectivity. If those checks fail, work with your network administrator to diagnose. If those pass, it might be a certificate problem or firewall issue.

- If the Tanium Console is unavailable, check the status of the Tanium Server Windows Service and the Tanium databases on the database server.

Upgrade logs

The upgrade log files are chronological logs of the actions taken by the installer. If you encounter issues with your upgrade, examine the installation log file to see which actions completed successfully and which failed.

Table 13: Upgrade logs
Component              Location
Tanium Server          C:\Program Files\Tanium\Tanium Server\Install.txt
Tanium Module Server   C:\Program Files\Tanium\Tanium Module Server\Install.txt
Tanium Zone Server     C:\Program Files (x86)\tanium\tanium Zone Server\Install.txt

Tanium Support

Your TAM is your first contact for assistance with preparing for and performing the upgrade, as well as verifying and troubleshooting the initial deployment. If you require further assistance from Tanium Support, please be sure to include version information for Tanium Core Platform components and specific details on dependencies, such as the host system hardware and OS details and database server version. Log into https://support.tanium.com and submit a new ticket or send us an email at support@tanium.com.
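The checks in the troubleshooting tips above can be scripted. The following is an added example, not a script from the Tanium guide: it confirms that every component installed on the host reports the expected build, that its service is running, that Install.txt (Table 13) contains no failed actions, and that the Tanium Server can reach the database and Module Server ports from the network ports reference. It assumes the Windows service names 'Tanium Server', 'Tanium Module Server' and 'Tanium Zone Server' and that failed installer actions are logged with the words 'fail' or 'error'; the database and Module Server hostnames are placeholders.

```powershell
# Post-upgrade health check for a Tanium Core Platform host (added example, not
# Tanium's own tooling). Assumptions not stated in the guide: service names
# 'Tanium Server', 'Tanium Module Server', 'Tanium Zone Server'; failed installer
# actions appear in Install.txt as lines containing 'fail' or 'error'.
param(
    [string]$ExpectedBuild  = '7.1.314.3214',    # build named in the guide
    [string]$DatabaseServer = 'db.example.test', # placeholder, not from the guide
    [int]   $DatabasePort   = 1433,              # 1433 SQL Server, 5432 PostgreSQL
    [string]$ModuleServer   = 'ms.example.test'  # placeholder, not from the guide
)

# Component binaries (Table 24) in their default installation folders (Table 13).
$components = @(
    @{ Name = 'Tanium Server';        Dir = 'C:\Program Files\Tanium\Tanium Server';            Exe = 'TaniumReceiver.exe' },
    @{ Name = 'Tanium Module Server'; Dir = 'C:\Program Files\Tanium\Tanium Module Server';     Exe = 'TaniumModuleServer.exe' },
    @{ Name = 'Tanium Zone Server';   Dir = 'C:\Program Files (x86)\tanium\tanium Zone Server'; Exe = 'TaniumZoneServer.exe' }
)

function Get-TaniumComponentStatus {
    # One record per component that is actually installed on this host.
    foreach ($c in $components) {
        $exePath = Join-Path $c.Dir $c.Exe
        if (-not (Test-Path $exePath)) { continue }

        $svc   = Get-Service -Name $c.Name -ErrorAction SilentlyContinue
        $state = if ($svc) { [string]$svc.Status } else { 'service not found' }

        $logPath = Join-Path $c.Dir 'Install.txt'
        $failed  = @()
        if (Test-Path $logPath) {
            # The installer log is chronological; keep only lines that look like failures.
            $failed = @(Select-String -Path $logPath -Pattern 'fail|error' | ForEach-Object { $_.Line })
        }
        [pscustomobject]@{
            Component    = $c.Name
            Build        = (Get-Item $exePath).VersionInfo.ProductVersion
            ServiceState = $state
            LogFailures  = $failed.Count
            FailureLines = $failed
        }
    }
}

function Test-TaniumUpgrade {
    # Returns a list of problem descriptions; empty means all checks passed.
    $problems = @()
    $status   = @(Get-TaniumComponentStatus)
    foreach ($s in $status) {
        if ($s.Build -ne $ExpectedBuild) {
            $problems += "$($s.Component): build $($s.Build), expected $ExpectedBuild (all components must match)"
        }
        if ($s.ServiceState -ne 'Running') {
            $problems += "$($s.Component): service is $($s.ServiceState)"
        }
        if ($s.LogFailures -gt 0) {
            $problems += "$($s.Component): $($s.LogFailures) failure line(s) in Install.txt, first: $($s.FailureLines[0])"
        }
    }
    # The Tanium Server initiates connections to the database server (1433/5432)
    # and to the Module Server (17477). A closed port here points at a firewall
    # or certificate problem rather than at the installer.
    if ($status.Component -contains 'Tanium Server') {
        $targets = @(
            @{ Host = $DatabaseServer; Port = $DatabasePort },
            @{ Host = $ModuleServer;   Port = 17477 }
        )
        foreach ($t in $targets) {
            $r = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue
            if (-not $r.TcpTestSucceeded) { $problems += "TCP $($t.Host):$($t.Port) unreachable" }
        }
    }
    return $problems
}

$issues = @(Test-TaniumUpgrade)
if ($issues.Count -eq 0) { Write-Output 'Upgrade checks passed.' }
else { $issues | ForEach-Object { Write-Output "PROBLEM: $_" } }
```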

Uninstalling Tanium

If you no longer want to use the Tanium Core Platform, or you want to clean up completely before reinstalling:

1. Uninstall the Tanium Core Platform servers: Tanium Server, Tanium Module Server, Tanium Zone Server, Tanium Zone Server Hub.
2. Remove the Tanium databases (tanium and tanium_archive) from the database server.

Uninstall a server

1. Use the Windows Control Panel Uninstall a program feature to uninstall Tanium server components. The Windows program invokes the Tanium uninstaller. The Tanium services are stopped and removed. The Windows Registry entries are deleted (except the top entry for Tanium). There are a few more manual steps to completely wipe the installation.
2. In the Windows Registry, go to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ and delete Tanium.
3. In Windows Explorer, go to the Tanium installation location and delete the Tanium directory.
4. Empty the Recycle Bin.

Remove databases

Log into the database server as a database administrator and delete the tanium and tanium_archive databases.

Uninstall a solution module

For information about uninstalling a Tanium solution module, refer to the solution module user guide.

Solution module             Uninstall link
Tanium Asset                User Guide
Tanium Comply               TBD
Tanium Connect              User Guide
Tanium Deploy               User Guide
Tanium Detect               User Guide
Tanium Discover             User Guide
Tanium Incident Response    N/A
Tanium Integrity Monitor    TBD
Tanium Interact             User Guide
Tanium Map                  User Guide
Tanium Network Quarantine   User Guide
Tanium Patch                User Guide
Tanium Protect              User Guide
Tanium Trace                User Guide
Tanium Trends               User Guide

Reference: Host system sizing guidelines

You can use this reference to estimate host system requirements for Tanium Core Platform component servers. Exact requirements vary according to dynamic usage behavior, including, but not limited to:

- The number of managed computers running Windows, Mac, Linux, or UNIX
- The number of saved questions that you configured to automatically archive results
- Whether the archived results for a given question are aggregated rather than stored as individual rows within the database
- The number of configuration, state, or property data elements that must be stored from each computer per saved question
- The size of each data element that is archived from managed computers
- The number of potential unique values that computers return for any given data element
- The frequency at which the data elements are archived
- The Tanium solutions you intend to use in addition to the Core Platform

Because the usage behavior is so different among customers, the requirements that the following tables present are based on representative data from numerous deployments ranging in size from less than 1,000 to more than 500,000 managed computers.

Tanium Server host system

Use the following tables to estimate host system specifications for the Tanium Server. The columns indicate the total endpoints deployed. In a high availability (HA) deployment, each Tanium Server in the cluster must meet or exceed the requirements for the total number of endpoints that your deployment targets. (Each must be able to independently handle load from the full deployment in the event of failure.)

Table 14: Tanium Server operating system sizing
Endpoints: Up to 3,000 | Up to 10,000 | Up to 35,000 | Up to 75,000 | Up to 150,000 | Up to 500,000¹
Microsoft Windows Server 2008 R2 SP1 or later: Standard, Enterprise, Data Center
Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016: Standard, Enterprise

¹ The Tanium Core Platform supports over one million endpoints. For the sizing specifications of deployments with over 500,000 endpoints, contact Tanium.

Table 15: Tanium Server hardware sizing
Endpoints      Up to 3,000          Up to 10,000         Up to 35,000         Up to 75,000   Up to 150,000   Up to 500,000¹
Server Device  Physical or virtual  Physical or virtual  Physical or virtual  Physical²      Physical²       Physical²
CPU Core³      4                    8                    16                   24             40              80
Memory         16 GB                32 GB                48 GB                96 GB          256 GB          512 GB
Disk Space⁴    100 GB               250 GB               400 GB               750 GB         1.5 TB          3 TB

¹ The Tanium Core Platform supports over one million endpoints. For the sizing specifications of deployments with over 500,000 endpoints, contact Tanium.
² Tanium strongly recommends that the host system have 10Gb network cards with chipsets from Intel for deployments with over 70,000 endpoints.
³ Calculate CPU cores based on only the physical cores from allocated CPUs, not the logical cores available with Hyper-Threading enabled.
⁴ Total space for Microsoft OS and Tanium Server. If you use Tanium Patch, the Tanium Server needs an additional 500 GB of disk space to store and manage patches. If you use Tanium Deploy, the Tanium Server needs additional disk space greater than or equal to twice the Deploy software library storage.

Tanium Module Server host system

Use the following tables to estimate Tanium Module Server host system specifications. The columns indicate the total endpoints deployed.

Table 16: Tanium Module Server operating system sizing
Endpoints: Up to 35,000 | Up to 75,000 | Up to 150,000 | Up to 500,000¹
Microsoft Windows Server 2008 R2 SP1 or later: Standard, Enterprise, Data Center
Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016: Standard, Enterprise

¹ The Tanium Core Platform supports over one million endpoints. For the sizing specifications of deployments with over 500,000 endpoints, contact Tanium.

Table 17: Tanium Module Server hardware sizing
Endpoints      Up to 35,000         Up to 75,000         Up to 150,000        Up to 500,000¹
Server Device  Physical or virtual  Physical or virtual  Physical or virtual  Physical or virtual
CPU Core       4                    8                    12                   16
Memory         8 GB                 16 GB                24 GB                48 GB
Disk Space     150 GB               150 GB               200 GB               300 GB

¹ The Tanium Core Platform supports over one million endpoints. For the sizing specifications of deployments with over 500,000 endpoints, contact Tanium.

Tanium Zone Server host system

Use the following tables to estimate Zone Server host system specifications. The columns indicate the number of endpoints reporting through the Zone Server. In a Zone Server HA deployment, provision each Zone Server to independently handle load for the cluster in case one HA peer fails.

Table 18: Tanium Zone Server operating system sizing
Endpoints: Up to 3,000 | Up to 10,000 | Up to 35,000 | Up to 75,000 | Up to 150,000 | Up to 500,000¹
Microsoft Windows Server 2008 R2 SP1 or later: Standard, Enterprise, Data Center
Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016: Standard, Enterprise

¹ The Tanium Core Platform supports over one million endpoints. For the sizing specifications of deployments with over 500,000 endpoints, contact Tanium.

Table 19: Tanium Zone Server hardware sizing
Endpoints      Up to 3,000          Up to 10,000         Up to 35,000         Up to 75,000   Up to 150,000   Up to 500,000¹
Server Device  Physical or virtual  Physical or virtual  Physical or virtual  Physical²      Physical²       Physical²
CPU Core³      4                    8                    16                   24             40              80
Memory         8 GB                 16 GB                24 GB                48 GB          128 GB          256 GB
Disk Space⁴    100 GB               250 GB               400 GB               750 GB         1.5 TB          3 TB

¹ The Tanium Core Platform supports over one million endpoints. For the sizing specifications of deployments with over 500,000 endpoints, contact Tanium.
² Tanium strongly recommends that the host system have 10Gb network cards with chipsets from Intel for deployments with over 70,000 endpoints.
³ Calculate CPU cores based on only the physical cores from allocated CPUs, not the logical cores available with Hyper-Threading enabled.
⁴ Total space for Microsoft OS and Tanium Zone Server. If you use Tanium Patch, the Tanium Zone Server needs an additional 500 GB of disk space to store and manage patches. If you use Tanium Deploy, the Tanium Zone Server needs additional disk space greater than or equal to twice the Deploy software library storage.

PostgreSQL Server

Contact your TAM for guidance on host computer specifications and PostgreSQL Server version specifications.

SQL Server

Use the following tables to estimate SQL Server host computer specifications and SQL Server version specifications. The columns indicate the total endpoints deployed.

Table 20: Database server sizing
Endpoints: Up to 500 | Up to 10,000 | Up to 35,000 | Up to 75,000 | Up to 150,000 | Up to 500,000¹
Microsoft SQL Server 2008 (64-bit): Express², Workgroup, Standard, Enterprise, Data Center
SQL Server 2012, SQL Server 2014, SQL Server 2016, SQL Server 2017³: Express², Standard, Business Intelligence, Enterprise

¹ The Tanium Core Platform supports over one million endpoints. For the sizing specifications of deployments with over 500,000 endpoints, contact Tanium.
² Proof-of-concept deployments only.
³ SQL Server 2017 is validated for use only with Tanium 7.2 and later.

Table 21: SQL Server host operating system sizing
Endpoints: Up to 3,000 | Up to 10,000 | Up to 35,000 | Up to 75,000 | Up to 150,000 | Up to 500,000¹
Microsoft Windows Server 2008 SP3 (64-bit): Standard, Enterprise, Data Center
Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016: Standard, Enterprise

¹ The Tanium Core Platform supports over one million endpoints. For the sizing specifications of deployments with over 500,000 endpoints, contact Tanium.

The following hardware specifications are for use with Tanium Core Platform 7.x versions with archiving disabled. If you use an older platform version (6.x), or you require archiving, consult your TAM for appropriate specifications.

Table 22: SQL Server hardware sizing
Endpoints        Up to 3,000          Up to 10,000         Up to 35,000         Up to 75,000   Up to 150,000   Up to 500,000¹
Server Device    Physical or virtual  Physical or virtual  Physical or virtual  Physical²      Physical²       Physical²
CPU Core³        4                    4                    8                    10             16              32
Memory           4 GB                 8 GB                 16 GB                24 GB          32 GB           48 GB
Disk Space⁴      125 GB               150 GB               200 GB               300 GB         500 GB          750 GB
Database Size    5 GB                 20 GB                75 GB                150 GB         300 GB          500 GB
Disk Array IOPS  <100                 100                  150                  250            500             1000

¹ The Tanium Core Platform supports over one million endpoints. For the sizing specifications of deployments with over 500,000 endpoints, contact Tanium.
² Tanium strongly recommends that the host system have 10Gb network cards with chipsets from Intel for deployments with over 70,000 endpoints.
³ Calculate CPU cores based on only the physical cores from allocated CPUs, not the logical cores available with Hyper-Threading enabled.
⁴ Total space for Microsoft OS and SQL Server. Microsoft recommends that the disk space available for memory dumps be at least three times the amount of installed RAM. The required disk space for the OS and SQL Server accounts for the size of the OS, the size of the swap file, and the space required for memory dumps.

Most organizations achieve optimal performance using a single, internal RAID array when Microsoft SQL Server transaction logging is set to Simple. If you plan to enable Full transaction logging, you might have to provision an external RAID array to manage the transaction logs.

To determine the specific disk drive performance characteristics and RAID configuration necessary to support deployments of different sizes, Table 22 identifies the minimum input/output operations per second (IOPS) for the database server. Using IOPS as the performance measurement gives internal storage administrators or storage vendors the flexibility to recommend a final disk configuration that provides optimal performance at the least cost.

The results reported and archived from each managed computer use an average of about 20 MB of data. However, storage requirements are directly related to platform usage patterns.

Unless actual measurements confirm that the underlying disk infrastructure provides the minimum acceptable performance, the best practice is to not use a storage area network (SAN) for the Tanium application server databases.

Reference: Host system security exceptions

Some environments use security software to monitor and block unknown host system processes. Work with your network and security team to whitelist Tanium processes. Define exclusions to allow the Tanium platform components to operate smoothly and at optimal performance. Typically, this means configuring the security software to exempt the Tanium Client, Tanium Server, Tanium Module Server, and Tanium Zone Server installation directories from real-time inspection as well as setting a policy to ignore I/O from the Tanium binaries.

Folders

Table 23 lists Tanium core platform folders that should be excluded from on-access or real-time scans by antivirus or other host-based security applications. The default values are shown. Include subfolders of these locations when you create the exception rules. If you have changed the defaults, create rules based on the actual locations.

Table 23: Tanium Core Platform folders
Component                              OS              Installation Folder
Tanium Server                          Windows 64-bit  \Program Files\Tanium\Tanium Server\
Tanium Module Server                   Windows 64-bit  \Program Files\Tanium\Tanium Module Server\
Tanium Zone Server / Zone Server Hub   Windows 64-bit  \Program Files (x86)\tanium\tanium ZoneServer\
Tanium Client                          Windows 32-bit  \Program Files\Tanium\Tanium Client\
                                       Windows 64-bit  \Program Files (x86)\tanium\tanium Client\
                                       macOS           /Library/Tanium/TaniumClient
                                       Linux, UNIX     /opt/tanium/taniumclient

System processes

Table 24 lists Tanium Core Platform system processes that must be allowed (not blocked, quarantined, or otherwise processed).

Table 24: Tanium Core Platform processes
Component                              Process
Tanium Server                          TaniumReceiver.exe
Tanium Module Server                   TaniumModuleServer.exe
Tanium Zone Server / Zone Server Hub   TaniumZoneServer.exe
Tanium Client                          TaniumClient.exe (Windows)
                                       TaniumExecWrapper.exe (Windows)
                                       TaniumClient (macOS, Linux, UNIX)

Notes:
- If you use Microsoft Group Policy Objects (GPO) or other central management tools to manage host firewalls, you might need to create rules to allow inbound and outbound TCP traffic across port 17472 on any endpoints to be managed, including the Tanium Server.
- If running McAfee Host Intrusion Prevention System (HIPS), mark the Tanium Client as both "Trusted for Firewall" and "Trusted for IPS", per McAfee KB71704.
- The Tanium Client uses the Windows Update offline scan file, Wsusscn2.cab, to assess computers for installed or missing operating system and application security patches. If your endpoint security solutions scan archive files, refer to the Microsoft KB for information on how to configure those tools to interact appropriately with the Wsusscn2.cab file.

Solution module folders and processes

If you install Tanium solution modules, there are additional processes to exclude on the Module Server and/or Tanium Client. Refer to the solution module documentation for details.

Table 25: Solution module exclusions
Module               Link
Asset                User Guide
Comply               User Guide
Connect              User Guide
Deploy               User Guide
Detect               User Guide
Discover             User Guide
Incident Response    User Guide
Integrity Monitor    User Guide
Map                  User Guide
Network Quarantine   User Guide
Patch                User Guide
Protect              User Guide
Trace                User Guide
Trends               User Guide

To get a combined reference of Tanium platform and solution module folders and processes on one page, go to the Tanium Support Knowledge Base article (login required).
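For hosts protected by Microsoft Defender, the Table 23 folder exclusions and Table 24 process exclusions can be applied and then audited with the built-in Defender cmdlets. This is an added example, not a script from the Tanium guide; it assumes Microsoft Defender is the host security product and that the default installation folders are in use.

```powershell
# Microsoft Defender exclusions for the Table 23 folders and Table 24 processes
# (added example, not Tanium's own script). Run elevated on each Tanium host:
# only folders that exist locally are excluded, so the same script serves
# Server, Module Server, Zone Server and Windows client hosts.
# Assumption: Microsoft Defender is the host security product in use.

# Default installation folders from Table 23 (adjust if you changed them).
$taniumFolders = @(
    "$env:ProgramFiles\Tanium\Tanium Server",
    "$env:ProgramFiles\Tanium\Tanium Module Server",
    "${env:ProgramFiles(x86)}\tanium\tanium ZoneServer",
    "$env:ProgramFiles\Tanium\Tanium Client",          # 32-bit Windows
    "${env:ProgramFiles(x86)}\tanium\tanium Client"    # 64-bit Windows
)

# Process names from Table 24.
$taniumProcesses = @(
    'TaniumReceiver.exe', 'TaniumModuleServer.exe', 'TaniumZoneServer.exe',
    'TaniumClient.exe', 'TaniumExecWrapper.exe'
)

function Add-TaniumDefenderExclusions {
    $present = @($taniumFolders | Where-Object { Test-Path $_ })
    if ($present.Count -eq 0) {
        Write-Warning 'No Tanium installation folder found on this host; nothing excluded.'
        return
    }
    # Path exclusions cover subfolders, as Table 23 requires.
    Add-MpPreference -ExclusionPath $present
    # Process exclusions make Defender ignore files opened by these binaries
    # (the "ignore I/O from the Tanium binaries" policy described above).
    Add-MpPreference -ExclusionProcess $taniumProcesses
}

function Get-TaniumDefenderExclusionReport {
    # Reports which Table 23/24 entries are currently excluded, so the result
    # can be verified after this script or after a GPO change.
    $pref = Get-MpPreference
    foreach ($f in $taniumFolders) {
        [pscustomobject]@{ Kind = 'Folder';  Item = $f; Excluded = [bool]($pref.ExclusionPath -contains $f) }
    }
    foreach ($p in $taniumProcesses) {
        [pscustomobject]@{ Kind = 'Process'; Item = $p; Excluded = [bool]($pref.ExclusionProcess -contains $p) }
    }
}

Add-TaniumDefenderExclusions
Get-TaniumDefenderExclusionReport | Format-Table -AutoSize
```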

Reference: Network ports

This reference gives details on network port requirements for core platform components. Tanium solution modules may have additional requirements. For a detailed summary that includes solution module ports, see the Tanium Support Knowledge Base article (login required).

Summary

Component                             Process                                                 Inbound Port   Destination Port
Tanium Server                         TaniumReceiver.exe                                      443, 17472     80, 443, 1433 or 5432, 17472 (HA), 17477
SQL Server or PostgreSQL Server       Sqlservr.exe or postgres.exe                            1433 or 5432   -
Tanium Module Server                  TaniumModuleServer.exe                                  17477          80, 443
Tanium Zone Server                    TaniumZoneServer.exe                                    17472          -
Tanium Zone Server Hub                TaniumZoneServer.exe                                    -              17472
Tanium Client                         TaniumClient.exe                                        17472          17472
Tanium Client Deployment Tool (CDT)   TaniumClientDeploy.exe                                  -              22, 135, 445
Unmanaged Asset                       CDT platform-specific methods (during deployment only)  22, 135, 445   -

Tanium Server

The Tanium Server acts as the central hub of communication in the Tanium environment. The server receives traffic initiated by Tanium Clients and the Tanium Console and initiates connections to the database server as well as any Zone Servers.

Inbound (Tanium Client to Tanium Server)

RULE SUMMARY
Allow traffic to Tanium Server port 17472 (TCP) from any computer to be managed on the internal network.

DETAILS
The communication flow between the Tanium Clients and the Tanium Server is counterintuitive. For instance, if you ask a question through the Tanium Console, intuition might suggest that it is the server that initiates connections to query the clients. However, in the Tanium platform, special clients known as leaders are the only ones that initiate connections to the Tanium Server. In addition, all Tanium Clients initiate connections when they register. During registration, the Tanium Client reports information about itself and gathers configuration updates, including changes to peer lists.

Inbound (Tanium Console)

RULE SUMMARY
Allow traffic to the Tanium Server port 443 (TCP) from trusted hosts (such as a management subnet address).

DETAILS
For security, the TCP and SOAP communication to the Tanium Server is TLS-encrypted, so the Tanium Server installer configures the server to listen for TCP and SOAP requests on port 443. If another installed application is listening on port 443, you can designate a different port.

Outbound (Tanium Server to Database Server)

RULE SUMMARY
Allow traffic from the Tanium Server on port 1433 or 5432 (TCP) to the database server.

DETAILS
The Tanium Server initiates connections to the database server on port 1433 (SQL Server) or 5432 (PostgreSQL).

Outbound (Tanium Server to Module Server)

RULE SUMMARY
Allow traffic from the Tanium Server to the Module Server port 17477 (TCP).

DETAILS
Tanium Server initiates connections to the Module Server on port 17477.

Inbound/Outbound (HA)

RULE SUMMARY
Allow traffic to and from Tanium Server cluster members on port 17472 (TCP).

DETAILS
Any cluster member may initiate a connection to the other. Package files that are uploaded to one member are synchronized to the other cluster members. In addition, each server passes Tanium messages (for example, answers to questions) to the other cluster members.

Tanium Module Server

Inbound (Tanium Server to Module Server)

RULE SUMMARY
Allow traffic to the Module Server port 17477 (TCP) from the Tanium Server.

DETAILS
Check the documentation for the particular solution modules you plan to use to see if they require additional inbound ports.

Outbound (Module Server to Internet)

RULE SUMMARY
Allow traffic from the Module Server to destination ports 80 and 443 (TCP) on the Internet.

DETAILS
The Module Server itself does not initiate connections. However, when a solution module is imported, the Module Server might need to connect to Tanium and other Internet locations to download required content, and the installed solution module services might initiate connections. Check the documentation for the particular solution modules you plan to use to see if they require additional outbound ports.

Outbound (Module Services to Tanium Server)

RULE SUMMARY
Allow traffic from the Module Server to destination port 443 (TCP) on the Tanium Server.

DETAILS
The Tanium Module Server itself does not initiate connections. However, a solution module (such as Trace) might initiate a connection to the Tanium Server.

Tanium Zone Server hub

Outbound (Tanium Zone Server hub to Zone Server)

RULE SUMMARY
Allow traffic from the Zone Server hub (usually the Tanium Server host computer) to the destination port 17472 (TCP) on DMZ device(s) hosting the Zone Server(s).

DETAILS
If you are using the Tanium Zone Server to proxy traffic from Tanium-managed computers on less trusted network segments to the Tanium Server on the core network, then the Tanium Zone Server Hub, typically installed to the Tanium Server device, must be able to connect to the Zone Server(s) in the DMZ. The ZoneServerList.txt configuration file located in the Tanium Zone Server Hub's installation folder identifies the addresses of the destination Zone Servers.

Tanium Zone Server

Inbound (Tanium Client to Zone Server)

RULE SUMMARY
Allow traffic from any computer on the Internet to port 17472 (TCP) on the Zone Server(s) in the DMZ.

DETAILS
Tanium Clients initiate connections to a Zone Server just as if it were a Tanium Server.

Inbound (Tanium Zone Server Hub to Zone Server)

RULE SUMMARY
Allow traffic from the Zone Server Hub (usually the Tanium Server host computer) to port 17472 (TCP) on the Zone Server(s) in the DMZ.

DETAILS
If you are using the Tanium Zone Server to proxy traffic from Tanium-managed computers on less trusted network segments to the Tanium Server on the core network, then the

Tanium Zone Server Hub, typically installed to the Tanium Server device, must be able to connect to the Zone Server(s) in the DMZ.

Tanium Client

Inbound/Outbound (Tanium Client to Client)

RULE SUMMARY
Allow traffic to and from client peers on port 17472 (TCP).

DETAILS
In addition to the client-to-server TCP communication that takes place on port 17472, Tanium Clients also communicate to peers on port 17472. Clients dynamically communicate with peers based on proximity and latency. Peer chains form to match an enterprise topology automatically. For example, endpoints in California form one chain, while endpoints in Germany form a separate chain. With this dynamic configuration in mind, you must allow bi-directional TCP communication on port 17472 between clients on the same local area network, but not necessarily all clients on the internal network.

Outbound (Tanium Client to Zone Server)

RULE SUMMARY
Allow traffic from any computer on the Internet to port 17472 (TCP) on the Zone Server(s) in the DMZ.

DETAILS
In environments using the Tanium Zone Server, a Tanium Client may be configured to point to a Zone Server instead of a Tanium Server. The communication requirements for these Clients are identical to the Server-to-Client requirements.

Tanium Client Deployment Tool

Outbound (Client Deployment Tool to endpoints)

RULE SUMMARY
Allow traffic from the Tanium Client Deployment Tool host computer to destination ports 135 and 445 (TCP) on the endpoints on which you want to deploy the Tanium Client. The endpoints must allow inbound traffic on these ports during deployment only.
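The RULE SUMMARY entries above translate directly into host firewall rules. The following is an added example, not a script from the Tanium guide: it creates the Windows Firewall rules for one host role at a time and keeps the Console rule limited to a trusted management subnet, as the Tanium Server section recommends. All addresses are placeholders, not values from the guide.

```powershell
# Windows Firewall rules derived from the RULE SUMMARY entries for each host
# role (added example, not Tanium's own script). Addresses are placeholders:
# replace them with your management subnet, Tanium Server, HA peer, database
# server, Module Server and DMZ Zone Servers (the hub's ZoneServerList.txt).
param(
    [ValidateSet('Server', 'ModuleServer', 'ZoneServerHub', 'ZoneServer', 'Client')]
    [string]$Role = 'Server'
)

$mgmtSubnet   = '10.0.0.0/24'                  # trusted hosts allowed to reach the Console
$taniumServer = '10.0.1.1'
$haPeer       = '10.0.1.2'                     # second active-active cluster member
$dbServer     = '10.0.1.5'; $dbPort = 1433     # 1433 SQL Server, 5432 PostgreSQL
$moduleServer = '10.0.1.6'
$zoneServers  = @('192.0.2.10', '192.0.2.11')  # DMZ Zone Servers

function New-TaniumRule {
    param([string]$Name, [string]$Direction, $Port, $Remote = 'Any')
    # Idempotent: a rule with the same display name is not created twice.
    if (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue) { return }
    $common = @{ DisplayName = $Name; Direction = $Direction; Action = 'Allow';
                 Protocol = 'TCP'; RemoteAddress = $Remote }
    if ($Direction -eq 'Inbound') { New-NetFirewallRule @common -LocalPort  $Port | Out-Null }
    else                          { New-NetFirewallRule @common -RemotePort $Port | Out-Null }
}

switch ($Role) {
    'Server' {
        # Leaders and registering clients connect in; the Console is limited to trusted hosts.
        New-TaniumRule 'Tanium Server: clients in'        Inbound  17472
        New-TaniumRule 'Tanium Server: console in'        Inbound  443     $mgmtSubnet
        New-TaniumRule 'Tanium Server: database out'      Outbound $dbPort $dbServer
        New-TaniumRule 'Tanium Server: Module Server out' Outbound 17477   $moduleServer
        New-TaniumRule 'Tanium Server: HA in'             Inbound  17472   $haPeer
        New-TaniumRule 'Tanium Server: HA out'            Outbound 17472   $haPeer
    }
    'ModuleServer' {
        New-TaniumRule 'Tanium Module Server: Tanium Server in'  Inbound  17477       $taniumServer
        New-TaniumRule 'Tanium Module Server: Internet out'      Outbound @(80, 443)
        New-TaniumRule 'Tanium Module Server: Tanium Server out' Outbound 443         $taniumServer
    }
    'ZoneServerHub' {
        # The hub (usually the Tanium Server host) connects out to each DMZ Zone Server.
        New-TaniumRule 'Tanium Zone Server Hub: Zone Servers out' Outbound 17472 $zoneServers
    }
    'ZoneServer' {
        # Internet clients and the hub both connect in on 17472.
        New-TaniumRule 'Tanium Zone Server: clients and hub in' Inbound 17472
    }
    'Client' {
        # Peer traffic stays on the local subnet; server traffic goes to the
        # Tanium Server or the Zone Server the client is configured to use.
        New-TaniumRule 'Tanium Client: peers in'   Inbound  17472 'LocalSubnet'
        New-TaniumRule 'Tanium Client: peers out'  Outbound 17472 'LocalSubnet'
        New-TaniumRule 'Tanium Client: server out' Outbound 17472 (@($taniumServer) + $zoneServers)
    }
}

# Show what is now in place for this host.
Get-NetFirewallRule -DisplayName 'Tanium *' | Select-Object DisplayName, Direction, Enabled
```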

DETAILS
The Tanium Client Deployment Tool (CDT) allows you to target the Tanium client for installation to designated endpoints. The CDT can be installed and run from any Windows workstation or server in the target domain. This deployment mechanism is not required since there are other ways of deploying the Tanium Client (for example, existing software distribution mechanisms like ePO EEDK, and GPO), but it does require a couple of items to be configured for it to be successful.

The CDT attempts to copy the necessary installation files to the root drive via the \\{machine_name}\c$ UNC. In addition to the Admin user having sufficient privileges to access the machine's admin share, file sharing must be enabled. In most Active Directory environments, admin shares are already available. However, for standalone machines that have not joined the domain, it might be required to enable admin shares, such that c$ can be reached by a user with sufficient privileges. Admin shares are not available in Home editions of Windows operating systems, but are available in all other editions. In Windows XP machines, admin shares are enabled by default. In Windows 7 and 8 machines, the admin shares of a standalone machine can be enabled by adding the following registry key and rebooting:

Hive: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\Windows\CurrentVersion\Policies\System
Name: LocalAccountTokenFilterPolicy
Data Type: REG_DWORD
Value: 1

Next, the tool uses either Microsoft PsExec or WMIC to remotely execute the installer on the endpoint. For either, the admin user must have sufficient privileges to remotely execute commands. If PsExec is used, check with your AV/endpoint protection suites, as PsExec is often disallowed. If WMIC is used, ensure the following services are enabled on the endpoint:

- Windows Firewall Remote Management (RPC-EPMAP)
- Windows Management Instrumentation (WMI-In)

Reference: Proxy server settings

Some organizations use proxy servers for traffic between internal servers and the Internet. If your organization uses proxies and its security policy does not allow Tanium Core Platform servers to access Internet locations directly, you can configure access through the proxies.

The Tanium Server connects to the Internet to download content updates from Tanium and necessary files from other trusted suppliers (for a list of the sites the Tanium Server accesses, see Internet access (direct or by proxy)). The Tanium Module Server connects to the Internet to download solution module software updates from Tanium. Solution modules also might have requirements to access the Internet.

IMPORTANT: The proxy server configuration is stored in configuration files on the Tanium Server host. Tanium Servers do not automatically sync the configuration files among high availability (HA) peers. If you change these settings in an HA deployment, be sure to perform the procedure on all Tanium Servers in the HA cluster.

Types of proxy servers

Basic: Basic proxies might require authentication; you can configure the account ID and password. A strictly IP-address-based proxy server allows a specified list of servers to traverse the proxy and access the network or Internet. If this is the case, be sure to add the IP address or hostname of the Tanium Server to the access list of the proxy server.

NTLM: If the proxy server is set up to use NTLM, and you configured the Tanium Server service on Windows to run in the context of a service account that has sufficient privileges to traverse the proxy server, you do not have to configure the account ID and password.

Configure and test proxy server settings

1. Go to Configuration > Common > Proxy Settings.

2. Use the Tanium Server Proxy Settings box to specify proxy settings for the Tanium Server connections.

Proxy Server: IP address of the proxy server.

Proxy User ID: For a basic proxy that requires authentication, enter an account username to establish the connection with the proxy server. This setting does not apply to NTLM proxies, which use the credentials of the user context that runs the Tanium Server service.

Proxy Type: The options are Basic, NTLM, or None.

Port Number: Port number of the proxy server.

Proxy Password: For a basic proxy that requires authentication, enter an account password to establish the connection with the proxy server. The password is stored in clear text within the registry. This setting does not apply to NTLM proxies, which use the credentials of the user context that runs the Tanium Server service.

Bypass Proxy Host List: You might need to configure exceptions so that connections to specific hosts bypass the proxy server. For example, do not use a proxy server for traffic among Tanium Servers in an active-active cluster. A proxy server can also cause problems with other traffic to a destination Tanium Server. For example, a package configuration can specify file URIs that are local to the Tanium Server to download content. It is important to bypass the proxy server for these URIs, or else the download will fail. Enter the exceptions as FQDNs or IP addresses. In most cases, the exceptions you need to specify are localhost, 127.0.0.1 (IPv4), and all Tanium Server FQDNs and IP addresses. For example:

ts1.example.com, ts2.example.com,localhost,127.0.0.1, 10.10.10.11,10.10.10.15

Specify literal values. Tanium Core Platform 7.0.314.6242 and later supports wildcards.

Bypass CRL Check Host List: Use this setting to list servers that the Tanium Server can trust without checking a certificate revocation list (CRL). The Tanium Server performs a CRL check on all servers that are not in this list, and does not download files from a server that fails the check. Specify the servers by FQDN or IP address.

Trusted Host List: Use this setting to list the trusted servers that the Tanium Server can download files from even if those servers do not have valid SSL certificates. In an active-active cluster, specify both Tanium Servers. Tanium Core Platform 7.0.314.6242 and later supports wildcards. Specify the servers by FQDN or IP address.

3. Optional. To propagate the Tanium Server Proxy Settings to the Module Server Proxy Settings, select Mirror Changes to Module Server.

4. Save your changes.

5. Use the Module Server Proxy Settings box to specify proxy settings for the Module Server connections if they differ from the proxy settings for the Tanium Server.

6. Save your changes.

7. Use the Validate Proxy Settings box to test your settings.

Component: Tanium Server or Module Server.

File Source: One of the following:
- From Tanium: Use predefined settings for a connection to content.tanium.com.
- From Random Site: Use predefined settings for a connection to www.msftncsi.com.
- Specify URL/Hash: Configure your own test settings.

URL: If you set the File Source to Specify URL/Hash, specify the URL.

Hash: If you set the File Source to Specify URL/Hash, specify the hash.

Download Time: If you set the File Source to Specify URL/Hash, specify a maximum download time before a failure message is returned.

8. Click Start Download. The Tanium Console returns a success or failure message. If the test fails, check that the proxy server is up and is configured as expected. Also, check that the Tanium settings you specified match the settings that the proxy server expects. The TDownloader logs on page 75 have detailed event messages.

Note: Only users assigned the Administrator reserved role can see and use the Configuration pages.

In Windows installations, the proxy settings are written to the Windows Registry. You can change settings in the registry directly (see Windows Registry on page 66). Be sure to edit only the Tanium Server entry, not the Tanium Module Server entry, in the registries of both the Tanium Server host and the Tanium Module Server host.
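The bypass-list rules above can be checked mechanically before a package download fails. The following Python is an added example written for this page, not Tanium code: it parses a Bypass Proxy Host List value as entered in the console, decides whether a given download URL would skip the proxy, and reports which of the entries the guide says are needed in most cases (localhost, 127.0.0.1 and every Tanium Server FQDN and IP address) are missing. The sample list is the one quoted above; the sample URLs are constructed, and the wildcard syntax (`*.example.com`, matched shell-style) is an assumption, because the guide does not specify it.

```python
import fnmatch
from typing import List
from urllib.parse import urlsplit


def parse_host_list(raw: str) -> List[str]:
    """Split a Bypass Proxy Host List value as entered in the console.

    Entries are separated by commas; whitespace around an entry is dropped and
    names are lower-cased so that comparisons are case-insensitive.
    """
    return [entry.strip().lower() for entry in raw.split(",") if entry.strip()]


def bypasses_proxy(url: str, bypass_entries: List[str], wildcards: bool = False) -> bool:
    """Return True when the host in url should be reached without the proxy.

    Entries are compared literally. With wildcards=True (7.0.314.6242 and later),
    shell-style patterns such as '*.example.com' are also honoured; that pattern
    syntax is an assumption, since the guide does not specify it.
    """
    host = (urlsplit(url).hostname or "").lower()
    if host in bypass_entries:
        return True
    if not wildcards:
        return False
    return any(fnmatch.fnmatchcase(host, e) for e in bypass_entries if "*" in e)


def missing_bypass_entries(bypass_entries: List[str], server_addresses: List[str]) -> List[str]:
    """List the entries the guide says are needed in most cases (localhost,
    127.0.0.1 and every Tanium Server FQDN and IP address) that are absent."""
    required = ["localhost", "127.0.0.1", *server_addresses]
    return [r for r in required if r.lower() not in bypass_entries]


# Sample value from the guide, with its mixed ', ' and ',' separators left as is.
SAMPLE_BYPASS = "ts1.example.com, ts2.example.com,localhost,127.0.0.1, 10.10.10.11,10.10.10.15"

if __name__ == "__main__":
    entries = parse_host_list(SAMPLE_BYPASS)
    # A package file URI local to the Tanium Server must skip the proxy (constructed URL).
    print(bypasses_proxy("https://ts1.example.com/cache/package.zip", entries))    # True
    # Content from Tanium still goes through the proxy (constructed URL).
    print(bypasses_proxy("https://content.tanium.com/files/x.zip", entries))       # False
    # A server that was added to the deployment but not to the bypass list.
    print(missing_bypass_entries(entries, ["ts1.example.com", "ts3.example.com"]))  # ['ts3.example.com']
```

Run it with `python` and adapt `SAMPLE_BYPASS` and the server list to your deployment; in an HA cluster, run the same check on each Tanium Server, because the configuration is not synchronized between peers.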

Reference: SSL certificates

You can replace the self-signed certificates generated by the Tanium Server and Module Server installers with an SSL certificate issued by a commercial or enterprise certificate authority (CA). To obtain a CA certificate, you create a certificate signing request (CSR) and submit it to the CA. When you create your CSR, be sure to specify appropriate options and X.509 attributes so that the certificate returned by the CA meets the certificate requirements.

The private key file is generated on a local system when you use a tool such as OpenSSL to generate the CSR. You do not send the private key to the CA. Instead, save it to a secure location. You are instructed later to copy this key into the Tanium Server installation directory along with the CA-issued certificate.

Certificate requirements

Work with your CA to obtain a server certificate with the following specifications:

- X.509 certificate with Extended Key Usage including both:
  - TLS Web Server Authentication
  - TLS Web Client Authentication
- Separate certificate and key files. The key file should have the passphrase removed.
- PEM format, Base-64 encoded
- Certificate signed with the SHA-256 hashing algorithm
- RSA 2048-bit key
- Subject Alternative Name lists all Tanium Server names (for example, a certificate for an active-active deployment would include both ts1.example.com and ts2.example.com)

Replacing certificates in your deployment

Use the procedures in the following table to replace the existing SSL certificate and key files with new ones.

Tanium Server

Certificate/key files in installation directory: SOAPServer.crt, SOAPServer.key

To update the certificate/key files:
1. Back up the existing certificate and key file in case you want to revert your changes.
2. Make a copy of the CA-issued certificate and your private key.
3. Rename the CA-issued certificate and corresponding key to the names used in the Tanium Server installation: SOAPServer.crt and SOAPServer.key.
4. Stop the Tanium Server service.
5. Copy the new certificate and key files in place of the existing ones.
6. Restart the Tanium Server service.

Tanium Module Server

Certificate/key files in installation directory: ssl.crt, ssl.key, trusted.crt

To update the certificate/key files:
1. Back up the existing certificate and key file in case you want to revert your changes.
2. Make a copy of the CA-issued certificate and corresponding key.
3. Rename the copies to the names used in the Tanium Module Server installation: ssl.crt and ssl.key.
4. Break down the CA-issued certificate (the Tanium Server SOAPServer.crt file) into its parts and then recreate the chain as shown in the example. Name the resulting file trusted.crt.
5. Stop the Tanium Module Server service, as well as the services for all Tanium solution modules.
6. Copy the new certificate and key files in place of the existing ones.
7. Restart the Tanium Module Server service and the services for all Tanium solution modules.

Example: Creating a CSR with OpenSSL

This example shows how to use OpenSSL to create a CSR. You can use vendor-provided web forms or any tool you prefer as long as you end up with a certificate with the required attributes and a corresponding private key. This OpenSSL example uses a configuration file to pass X.509 attributes to the openssl command. You can specify command-line options instead of using a configuration file.

1. Create a configuration file (tanium-openssl.cfg in this example) with the following content, changing the sample names and locations to ones appropriate for your servers. OpenSSL field, extension and key-usage names are case sensitive, so keep the capitalization shown:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = US
countryName_default = US
stateOrProvinceName = CA
stateOrProvinceName_default = CA
localityName = Emeryville
localityName_default = Emeryville
organizationName = IT
organizationalUnitName = IT
organizationalUnitName_default = IT
commonName = server.domain.com
commonName_max = 64

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = server1.domain.com
DNS.2 = server2.domain.com

2. Create a private key file to digitally sign the certificate request:

openssl genrsa -out tanium.key 2048

3. Generate a certificate signing request file. The following example specifies the configuration file and private key created in the previous steps:

openssl req -sha256 -new -out SOAPServer.csr -key tanium.key -config tanium-openssl.cfg

4. Open the generated file to confirm that the CSR was created. The following example shows a PEM-formatted CSR.

-----BEGIN CERTIFICATE REQUEST-----
MIIC9DCCAdwCAQAwUzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRMwEQYDVQQH
DApFbWVyeXZpbGxlMQswCQYDVQQLDAJJVDEVMBMGA1UEAwwMdHMudGFtLmxvY2Fs
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApUekQ9Q2cdV4HejVI6KY
+EgnUsZm2qbQUHoTsRjQV82BUdsybOqY7/I4haTCA5x0tZVPmBV358B6cIiOtWdV
+dwp8ufx90isaugypop3kq/ke7ws4twziyl+svzyewarpzm0aiqt4iexs5+kw+f5
uovnlhj7f+csu8q4vzwf+qsgrgmnssnawzxgpvv9lghaeyow3op+lmrn2lvrmy82
tsmhml2+vowipr4lyaknxjs6nif3broxuxqfc0vghdi2/ilx+2gm3mmgznxpn5ic
nxxzlm/yltytwylb/mb77ts/si8benlzrztevsv+dqwkq6a428/izd4fyp6+lmd4
gqidaqabofwwwgyjkozihvcnaqkomu0wszajbgnvhrmeajaamasga1uddwqeawif
odaxbgnvhreekjaoghjzzxj2zxixlmrvbwfpbi5jb22cennlcnzlcjiuzg9tywlu
LmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAC4ki2mTKzmrSAv/xW3L8FnJ8cUEzmfex
Q/7N+XKGszUesAToBtVG1EHY2gSdA7gTR/OfUxZUrPJTx7oHWb9L/UgNB6gHeI2R
uxwuombtcasjcwdekh+n+veenubmt/rztun4qk+cgqlws/jbgosmcv2kopj4/2qm
oxpnchkyjc3hyacvbyvt7ubfk9hnnfpl0djqxm0lrai0uqqt5t0wmzijxsvxy4ay
F5bhwdCTLQT+e7ERqFStblBdfkIzxGOexUG96iQR4R8noN4qp/iNRFUTTiJPZ9aN
84Ab494Q4BtYY2cIA2LWQfSrCVgzcXSdpPwDdb2w5b8p5wSA0/rdMw==
-----END CERTIFICATE REQUEST-----

5. Save the private key to a secure location and submit the CSR to the CA. The submission process varies by CA. In some cases, you submit a file; in other cases, you paste the contents of the file into an online form. In any case, be sure to communicate the certificate requirements to your CA.

Example: Recreating the certificate chain

This example shows how to break down the CA-issued certificate into its parts and then recreate the chain. The CA vendor might offer an option of a chained certificate file, but that chained certificate file is not in the same form as the trusted.crt file. Do not use a vendor-supplied certificate chain file. You must break it down and re-create it as shown in this example.

Note: Pre-7.2 installations only. In 7.2 and later, the Module Server registration performed by the installer creates a proper trusted.crt file. You can simply re-run the installer and select the CA-issued certificates, and the registration process creates the trusted.crt file.

1. On a Windows computer, such as the Tanium Server host computer, double-click the certificate file to open it in the Windows Certificate Snap-In.

2. On the Details tab, select Extensions Only from the list box, select the Enhanced Key Usage field, and verify that the CA has indeed issued a certificate with both Server Authentication and Client Authentication attributes.

3. On the Certification Path tab, select the root certificate. In the following example, DigiCert is the root certificate.

4. Go to the Details tab and click Copy to File to display the Certificate Export Wizard.

5. Select Base-64 encoded X.509.

6. Select a folder and specify a filename. You are going to export 3 certificates and the order is important, so name it something like example1.cer as shown in the example.

7. Review the settings and click Finish to save the certificate.

8. On the Certification Path tab, select the next certificate in the chain. In the following example, DigiCert SHA2 High Assurance Server CA is the next certificate. Export this certificate with a name like example2.cer.

9. On the Certification Path tab, select the next certificate in the chain. In the following example, it is the server certificate issued by the CA. Export this certificate with a name like example3.cer.

10. Create a file named trusted.crt.

11. Copy and paste the contents of each certificate in the chain into the file. The order can be (1) server, (2) intermediate, (3) root, or (1) root, (2) intermediate, (3) server. In this example, the server certificate is pasted first (example3.cer), then the intermediate certificate (example2.cer), and the root CA certificate is last (example1.cer).

Important: Each section of the certificate file must start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----. There must be only one carriage return between each certificate in the chain. There must be no extra white spaces or carriage returns at the beginning or end of the file.

12. Save the file. The trusted.crt file is now ready to be copied into the Module Server installation directory.
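The three formatting rules above (the same rules apply to the cac.pem file built in the smart card authentication section) are easy to break when the exported .cer files carry CRLF line endings or a stray blank line is pasted between sections. The following Python is an added example, not part of this guide and not a Tanium tool: it assembles trusted.crt from three exported files in server, intermediate, root order, normalising line endings, and then checks the result against the rules. The certificate bodies are constructed placeholders, not real certificates, and the file names follow the example above.

```python
import re
from typing import Dict, List

# Marker lines exactly as the guide requires for each section of trusted.crt.
BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed stand-ins for the three files exported from the Certificate Export
# Wizard. The bodies are placeholder base64, not real certificates (assumption),
# and they deliberately carry the CRLF endings and stray blank lines that Windows
# exports and copy/paste tend to introduce.
EXPORTED: Dict[str, str] = {
    "example3.cer": "-----BEGIN CERTIFICATE-----\r\nU2VydmVy\r\n-----END CERTIFICATE-----\r\n",
    "example2.cer": "\n-----BEGIN CERTIFICATE-----\nSW50ZXJtZWRpYXRl\n-----END CERTIFICATE-----\n\n",
    "example1.cer": "-----BEGIN CERTIFICATE-----\nUm9vdA==\n-----END CERTIFICATE-----",
}

# One PEM certificate section: marker, base64 body lines, marker.
PEM_SECTION = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(?:[A-Za-z0-9+/=]+\r?\n)+-----END CERTIFICATE-----"
)


def extract_sections(pem_text: str) -> List[str]:
    """Return every certificate section in pem_text with CRLF normalised to LF and
    no surrounding whitespace."""
    return [m.group(0).replace("\r\n", "\n") for m in PEM_SECTION.finditer(pem_text)]


def build_chain_file(files_in_order: List[str], exported: Dict[str, str] = EXPORTED) -> str:
    """Concatenate one certificate per exported file, in the order given (server,
    intermediate, root in the guide's example), with exactly one line break between
    sections and none before the first or after the last."""
    sections = []
    for name in files_in_order:
        found = extract_sections(exported[name])
        if len(found) != 1:
            raise ValueError(f"{name}: expected one certificate, found {len(found)}")
        sections.extend(found)
    return "\n".join(sections)


def validate_chain_file(text: str) -> List[str]:
    """Check the formatting rules the guide gives for trusted.crt and return the
    problems found (an empty list means the file is acceptable)."""
    problems = []
    if text != text.strip():
        problems.append("whitespace or line breaks at the beginning or end of the file")
    expect_begin = True
    for number, line in enumerate(text.split("\n"), start=1):
        if line == "":
            problems.append(f"line {number}: blank line; only one line break may separate certificates")
        elif expect_begin:
            if line != BEGIN:
                problems.append(f"line {number}: section does not start with {BEGIN}")
            expect_begin = False
        elif line == END:
            expect_begin = True
        elif line == BEGIN:
            problems.append(f"line {number}: {BEGIN} before the previous section ended")
        elif "\r" in line or line != line.strip():
            problems.append(f"line {number}: stray carriage return or whitespace")
    if not expect_begin:
        problems.append(f"last section is not closed with {END}")
    return problems


if __name__ == "__main__":
    chain = build_chain_file(["example3.cer", "example2.cer", "example1.cer"])
    print(validate_chain_file(chain))            # []
    print(validate_chain_file(chain + "\n\n"))   # not empty: trailing line breaks are reported
```

To use it on real exports, replace the `EXPORTED` dictionary with the contents of your example1.cer, example2.cer and example3.cer files and write the returned string to trusted.crt with a plain text editor; run `validate_chain_file` on the saved file before copying it into the Module Server installation directory.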

Reference: Smart card authentication

The Tanium Console supports smart card authentication. A smart card is a physical credential that has a microchip and data, such as secure certificates and keys. Smart cards are also known as common access cards (CAC) and personal identity verification (PIV) cards. Endpoint systems are set up with smart card readers, and end users use their smart card to authenticate and gain access.

Deployment requirements

When smart card authentication is enabled, the Tanium Server and Tanium Module Server must reside on separate hosts.

All authentication to the Tanium Console requires smart cards unless the authentication request is from:
- The system hosting the Tanium Server via the local loopback address 127.0.0.1.
- The Tanium Module Server connection to the Tanium Server.

Consequently, any additional integrations that you want to automate must reside on one of the two hosts. Some examples are:
- SSRS plugin
- Excel plugin (unless using the version that supports smart card authentication)
- Connection Manager
- AD Sync
- Pytan
- 3rd party SOC websites that query Tanium for data

IMPORTANT: There are additional caveats for an air gap deployment with smart card authentication:
- Links to content that is hosted on the Tanium Server must use the local loopback address. This is because the TDownloader service that downloads content to the Tanium Server cannot present a certificate.
- Links to solution module imports use both the local loopback address (for the workbench) and the Tanium Module Server FQDN for the portion of the solution installed on the Tanium Module Server.

Create a certificate

Smart card authentication for Tanium access depends on the public key infrastructure (PKI) that has been set up for the enterprise. You can get started if you have a client certificate that has been signed by the root certificate for the domain in which the Tanium Server is deployed. Make sure it has the "Proves your identity to a remote computer" attribute.

Figure 4: Proves your identity to a remote computer

The following procedure shows how to extract certificates from the client certificate and use them to create a new certificate file. In most cases, you only need to extract the root certificate. If this does not work, you might need to add intermediate certificates to the chain as well.

Extract the certificates

1. Get a copy of a client certificate file that has been signed by the root CA for the domain. See Figure 4.

2. On a Windows computer, double-click the certificate file to open it in the Windows Certificate Snap-In.

3. On the Certification Path tab, select the root certificate. In this example, DigiCert is the root certificate.

4. Go to the Details tab and click Copy to File to display the Certificate Export Wizard.

5. Select Base-64 encoded X.509 (.CER).

6. Select a folder and specify a filename. Name it something like example1.cer.

7. Review the settings and click Finish to save the certificate.

8. If your deployment has intermediate CAs, repeat these steps to extract the certificates for any intermediate CAs. Go to the Certification Path tab and select the next certificate in the chain. In the following example, DigiCert SHA2 High Assurance Server CA is the next certificate. Export this certificate with a name like example2.cer.


Create a new certificate file

1. Create a file named cac.pem.

2. Copy and paste the contents of each certificate in the chain into the file.

IMPORTANT: Each section of the certificate file must start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.

There must be only one carriage return between each certificate in the chain. There must be no extra white spaces or carriage returns at the beginning or end of the file.

3. Save the file.

The preceding example shows the root certificate last. Placing the root certificate last is a best-practice convention that Tanium TAMs use.

Copy to the Tanium installation directory

Copy the file to the Tanium Server installation directory: \Program Files\Tanium\Tanium Server\

Add Windows registry keys on Tanium Server host

1. Add Windows registry key entries as described in the following tables.

2. Restart the Tanium Server service.

Table 26: Enable smart card authentication
Location: HKLM\Software\Wow6432Node\Tanium\Tanium Server
Value: ForceSOAPSSLClientCert
Value Type: REG_DWORD
Valid Range: 0 or 1
Default Value: 1
Guidelines: Optional. If the registry value does not exist (but other CAC/PIV registry values do exist), or is set to a value of 1, CAC/PIV authentication becomes mandatory.
Note: The design supports the value 0 to turn off client certificate authentication and use the console login credentials instead. However, the current implementation to support the value 0 is not finished. At this time, the value should only be set to 1.

Table 27: Certificate attribute to be matched
Location: HKLM\Software\Wow6432Node\Tanium\Tanium Server
Value: ClientCertificateAuthField
Value Type: REG_SZ
Valid Range: Any valid certificate field.
Default Value: Subject
Guidelines: Optional. If it is not defined, certificate authentication matches on the Subject field. Specify a value for this key if you want to match on a different attribute. Many organizations use X509v3 Subject Alternative Name. Example: X509v3 Subject Alternative Name
Note: X509v3 is typically hidden when displayed in Windows. Note that X509v3 is case sensitive.

Table 28: Regular expression to match
Location: HKLM\Software\Wow6432Node\Tanium\Tanium Server
Value: ClientCertificateAuthRegex
Value Type: REG_SZ
Valid Range: Any valid regular expression.
Default Value: .*CN=(.*)$
Guidelines: Optional. If it is not defined, the default regular expression is used to match the user's identifier. The following example is the best practice to match any Subject Alternative Name entry: .*:\s(\d+\.?\w?)@.*

Table 29: Location of the smart card certificate file
Location: HKLM\Software\Wow6432Node\Tanium\Tanium Server
Value: ClientCertificateAuth
Value Type: REG_SZ
Valid Range: Any valid certificate file.
Default Value: None
Guidelines: Defines the location of the certificate file to use for authentication. Example: D:\Program Files\Tanium\Tanium Server\cac.pem
Note: The pathname is case sensitive.

Table 30: Add 127.0.0.1 to the TrustedHostList entry
Location: HKLM\Software\Wow6432Node\Tanium\Tanium Server
Value: TrustedHostList
Value Type: REG_SZ
Valid Range: A comma-separated list of IP addresses or FQDNs for the Tanium Server, Module Server, and database server host computers.
Default Value: None
Guidelines: Do not remove any values. Instead, append 127.0.0.1 so that TDownloader can add local packages to the Tanium Server with CAC/PIV enabled.

Table 31: Define trusted systems and components
Location: HKLM\Software\Wow6432Node\Tanium\Tanium Server
Value: CACTrustedAddresses
Value Type: REG_SZ
Valid Range: A comma-separated list of FQDNs.
Default Value: None
Guidelines: Defines which endpoints to exempt from CAC authentication requirements. These systems will not require a CAC/PIV certificate to authenticate and will work for all Tanium assets. Specify the Tanium Server and Tanium Module Server. Specify additional addresses to exempt any other trusted systems and components. In an HA deployment, you must configure this setting on both Tanium Servers to prevent errors with TDownloader.

Table 32: (Optional) LDAP server
Location: HKLM\Software\Wow6432Node\Tanium\Tanium Server
Value: cac_ldap_server_url
Value Type: REG_SZ
Valid Range: A valid LDAP server.
Default Value: None
Guidelines: Optional. If it is defined, Tanium validates every CAC/PIV authentication attempt with AD to determine the state of the account that is logging in. This does not use the Windows authentication subsystem, so the service account running Tanium must have the privileges to look up accounts via direct LDAP query. Use the following syntax: LDAP://<Active Directory FQDN>
Note: LDAP must be in uppercase characters. If multiple domains are in use, specify a global catalog. It must use the syntax GC://<domain>.
Tip: It is highly recommended that you also use Tanium Connection Manager to align AD users and security groups with roles in Tanium.

Table 33: (Optional) LDAP query
Location: HKLM\Software\Wow6432Node\Tanium\Tanium Server
Value: CertLDAPQueryField
Value Type: REG_SZ
Valid Range: userprincipalname or samaccountname
Default Value: userprincipalname
Guidelines: Optional. If it is defined, it specifies an Active Directory user naming attribute. If it is not defined, the default attribute is used. Valid values are:
- userprincipalname: The logon name for the user.
- samaccountname: A logon name that supports previous versions of Windows.

Table 34: (Optional) LDAP secondary lookup
Location: HKLM\Software\Wow6432Node\Tanium\Tanium Server
Value: CertLDAPCertField
Value Type: REG_SZ
Default Value: Subject
Guidelines: Optional. Add this setting in conjunction with the cac_ldap_server_url setting. This setting specifies a secondary attribute to query within the X509 certificate. Most of the time, this value should match ClientCertificateAuthField with a value of X509v3 Subject Alternative Name. If it is not defined, certificate authentication matches on the Subject attribute. Example: X509v3 Subject Alternative Name
Note: X509v3 is typically hidden when displayed in Windows. The string X509v3 is case sensitive.

Table 35: (Optional) LDAP regex
Location: HKLM\Software\Wow6432Node\Tanium\Tanium Server
Value: CertLDAPCertFieldRegex
Value Type: REG_SZ
Valid Range: Any valid regular expression.
Default Value: None
Guidelines: Optional. Add this attribute in conjunction with the cac_ldap_server_url setting. This setting specifies a regular expression that accounts for the UPN suffix when a secondary LDAP lookup occurs. This is necessary because AD-Sync matches the UPN without the UPN suffix. If it is not defined, whatever is returned in the user naming attribute is used. Examples:
- The following example is most commonly used. It returns the full UPN: .*\:\s*([^@]+@.*)$
- The following example returns just the numeric value from the UPN: ([^@]+)@.*$

Troubleshoot

Check the registry key entries for typos (for example, an extra space).

Test whether the system works with just the required registry keys. Then, enable and test optional settings, such as the LDAP integration settings.

In HA deployments, the CACTrustedAddresses value must be configured with entries for each Tanium Server and the Tanium Module Server in order to avoid TDownloader errors during package synchronization.

Set log level 81 or 91 to log the following events:

No regex match:
Client Certificate auth logon denied, match failed: " + authrequest.getclientcertificatematchregex() + " does not match " + (*iter).second

Field used for regex not found in the CA:
Client Certificate auth logon denied, match property not present. Property: " + authrequest.getclientcertificatematchfield()

If it does match but the name is not valid, we log:
Client Certificate auth logon denied, unknown user: ") + username

If it does not match:
Unable to extract certificate user, no match
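As an added example, not Tanium code and not part of this guide, the following Python does two things a practitioner wants before the first smart card logon: it applies the regular expressions quoted in Tables 28 and 35 to constructed certificate field values so you can see exactly what each capture group returns (the value Tanium then matches against the user name), and it lints a snapshot of the registry values above against the troubleshooting checklist (extra spaces, 127.0.0.1 in TrustedHostList, both servers in CACTrustedAddresses, the uppercase LDAP:// or GC:// prefix, the allowed CertLDAPQueryField values, a regex that compiles). The registry snapshot, the host names, the subject strings and the `othername: ...@mil` SAN rendering are all constructed; the guide does not specify how the SAN field is rendered, so that form is an assumption.

```python
import re
from typing import Dict, List, Optional

# Regular expressions quoted from the registry tables above.
DEFAULT_AUTH_REGEX = r".*CN=(.*)$"            # ClientCertificateAuthRegex default (Table 28)
SAN_AUTH_REGEX = r".*:\s(\d+\.?\w?)@.*"       # best-practice Subject Alternative Name match (Table 28)
LDAP_FULL_UPN_REGEX = r".*\:\s*([^@]+@.*)$"   # CertLDAPCertFieldRegex, full UPN (Table 35)
LDAP_NUMERIC_REGEX = r"([^@]+)@.*$"           # CertLDAPCertFieldRegex, numeric part only (Table 35)

# Values the guide lists as required before any optional LDAP settings are tried.
REQUIRED_VALUES = ("ForceSOAPSSLClientCert", "ClientCertificateAuth",
                   "TrustedHostList", "CACTrustedAddresses")


def extract_identifier(field_value: str, regex: str) -> Optional[str]:
    """Apply a ClientCertificateAuthRegex / CertLDAPCertFieldRegex pattern to the
    rendered certificate field and return the first capture group, or None when
    the pattern does not match (the 'match failed' log event above)."""
    match = re.search(regex, field_value)
    return match.group(1) if match and match.lastindex else None


def _csv(value: object) -> List[str]:
    """Split a comma-separated registry value, ignoring whitespace around entries."""
    return [item.strip() for item in str(value or "").split(",") if item.strip()]


def lint_cac_settings(settings: Dict[str, object], ts_fqdns: List[str], ms_fqdn: str) -> List[str]:
    """Check a snapshot of the Tanium Server registry values against the guidelines
    in Tables 26 to 35 and return the problems found."""
    findings = []
    for name in REQUIRED_VALUES:
        if name not in settings:
            findings.append(f"{name}: not set")
    for name, value in settings.items():           # the extra-space typo the guide warns about
        if isinstance(value, str) and value != value.strip():
            findings.append(f"{name}: leading or trailing whitespace")
    if settings.get("ForceSOAPSSLClientCert", 1) != 1:
        findings.append("ForceSOAPSSLClientCert: only the value 1 is supported at this time")
    if "127.0.0.1" not in _csv(settings.get("TrustedHostList")):
        findings.append("TrustedHostList: append 127.0.0.1 so TDownloader can add local packages")
    for fqdn in [*ts_fqdns, ms_fqdn]:
        if fqdn not in _csv(settings.get("CACTrustedAddresses")):
            findings.append(f"CACTrustedAddresses: missing {fqdn}")
    field = str(settings.get("ClientCertificateAuthField", "Subject"))
    if field.lower().startswith("x509v3") and not field.startswith("X509v3"):
        findings.append("ClientCertificateAuthField: X509v3 is case sensitive")
    try:
        re.compile(str(settings.get("ClientCertificateAuthRegex", DEFAULT_AUTH_REGEX)))
    except re.error as exc:
        findings.append(f"ClientCertificateAuthRegex: invalid regular expression ({exc})")
    ldap_url = settings.get("cac_ldap_server_url")
    if ldap_url is not None and not str(ldap_url).startswith(("LDAP://", "GC://")):
        findings.append("cac_ldap_server_url: must use LDAP://<FQDN> or GC://<domain>, uppercase")
    query_field = settings.get("CertLDAPQueryField")
    if query_field is not None and query_field not in ("userprincipalname", "samaccountname"):
        findings.append("CertLDAPQueryField: must be userprincipalname or samaccountname")
    return findings


# Constructed sample snapshot; the host names are placeholders, and it contains
# four of the mistakes the lint reports.
SAMPLE_SETTINGS: Dict[str, object] = {
    "ForceSOAPSSLClientCert": 1,
    "ClientCertificateAuth": r"D:\Program Files\Tanium\Tanium Server\cac.pem",
    "ClientCertificateAuthField": "X509v3 Subject Alternative Name",
    "ClientCertificateAuthRegex": SAN_AUTH_REGEX,
    "TrustedHostList": "ts1.example.com,ts2.example.com,ms.example.com,db.example.com",
    "CACTrustedAddresses": "ts1.example.com,ts2.example.com ",
    "cac_ldap_server_url": "ldap://dc.example.com",
}

if __name__ == "__main__":
    for finding in lint_cac_settings(SAMPLE_SETTINGS, ["ts1.example.com", "ts2.example.com"], "ms.example.com"):
        print(finding)
    # Constructed SAN rendering: the capture group is the numeric part before '@'.
    print(extract_identifier("othername: 1234567890@mil", SAN_AUTH_REGEX))   # 1234567890
```

Two points the regex checks make visible: the default `.*CN=(.*)$` captures everything from `CN=` to the end of the line, so if the matched field renders with further attributes after the common name, those are part of the captured identifier; and the SAN example requires a colon followed by a single whitespace character before the digits, so a field rendered in any other form produces the "match failed" log event rather than a logon. Test each regex against the field exactly as it appears on your certificates before enabling the setting.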

Reference: Tanium Server CLI

Tanium Core Platform release 7.1.314.2924 and later supports the configuration of component server settings with a command-line interface (CLI). The Windows Registry is still the canonical source of configuration; the CLI reads and writes the settings in the Windows Registry. The best practice is to use the CLI if you get or set the configuration programmatically. The following examples show how to use the CLI.

Note: If necessary, elevate privileges to open the command prompt as administrator.

Tanium Server

TaniumReceiver.exe is the executable program. It is in the Tanium Server installation directory.

Display help

cmd-prompt>taniumreceiver --help
Usage: TaniumReceiver [options] <command> [<args>]

General Options:
  -h [ --help ]         Print this help message
  -v [ --version ]      Print the version
  --verbose             Verbose output

Service Options: