Plan security hardening for an extranet (Search Server 2008)
Applies To: Microsoft Search Server 2008
Topic Last Modified: 2009-08-26
Note
Unless otherwise noted, the information in this article applies to both Microsoft Search Server 2008 and Microsoft Search Server 2008 Express.
In this article:
Extranet hardening planning tool
Network topology
Domain trust relationships
Communication with server-farm roles
Communication with infrastructure server roles
Communication between network domains
Connections to external servers
This article details the hardening requirements for an extranet environment in which a Microsoft Search Server 2008 server farm is put inside a perimeter network and content is available from the Internet or from the corporate network.
Extranet hardening planning tool
The following planning tool is available for use with this article: Extranet hardening planning tool: back-to-back perimeter. Based on the back-to-back perimeter topology, this tool articulates the port requirements for each of the computers that are running Microsoft Internet Security and Acceleration (ISA) Server and each of the routers or firewalls. This tool is an editable Microsoft Office Visio file that you can revise for your environment. For example, you can:
Add your custom port numbers, where applicable.
Where a choice of protocols or ports is provided, indicate which ports you will use.
Indicate the specific ports that are used for database communication in your environment.
Add or remove requirements for ports based on:
Whether you are configuring e-mail integration.
Which layer you deploy the query role to.
If you are configuring a domain trust relationship between the perimeter domain and the corporate domain.
Network topology
Note
The information in this section does not apply to Microsoft Search Server 2008 Express. It applies to the full version of Microsoft Search Server 2008 only.
The hardening guidance in this article can be applied to many extranet configurations. The following back-to-back perimeter network topology diagram shows a sample implementation and illustrates the server and client roles across an extranet environment. The purpose of the diagram is to explain each of the possible roles and their relationship to the overall environment. Consequently, the query role appears twice. In a real implementation, the query role is deployed either on Web servers or as an application server, but not both. And, if the query role is deployed to the Web servers, it is deployed to all Web servers in a farm. For the purpose of communicating security hardening requirements, the diagram illustrates all options. The routers illustrated can be exchanged for firewalls. The content deployment service is not a feature of Search Server 2008.
Domain trust relationships
The requirement for a domain trust relationship depends on how the server farm is configured. This section discusses two possible configurations.
Server farm resides in the perimeter network
The perimeter network requires its own Active Directory directory service infrastructure and domain. Typically, the perimeter domain and the corporate domain are not configured to trust one another. However, to authenticate intranet users and remote employees who are using their domain credentials (Windows authentication), you must configure a one-way trust relationship in which the perimeter domain trusts the corporate domain. Forms authentication does not require a domain trust relationship.
Server farm is split between the perimeter network and the corporate network
If the server farm is split between the perimeter network and the corporate network with the database servers residing inside the corporate network, a domain trust relationship is required if Windows accounts are used. In this scenario, the perimeter network must trust the corporate network. If SQL authentication is used, a domain trust relationship is not required. The following table summarizes the differences between these two approaches.
Aspect | Windows authentication | SQL authentication |
---|---|---|
Description | Corporate domain accounts are used for all Search Server 2008 service and administration accounts, including application pool accounts. A one-way trust relationship, in which the perimeter network trusts the corporate network, is required. | Search Server 2008 accounts are configured in the following ways: A trust relationship is not required but can be configured to support client authentication against an internal domain controller. Note: If the application servers reside in the corporate domain, a one-way trust relationship, in which the perimeter network trusts the corporate network, is required. |
Setup | Setup includes the following: | Setup includes the following: |
Additional information | The one-way trust relationship allows the Web servers and application servers that are joined to the extranet domain to resolve accounts that are in the corporate domain. | SQL login accounts are encrypted in the registry of the Web servers and application servers. The server farm account is not used to access the configuration database and the SharePoint_AdminContent database. The corresponding SQL login accounts are used instead. |
The information in the previous table assumes the following:
Both the Web servers and the application servers reside in the perimeter network.
All accounts are created with the least privileges necessary, including the following recommendations:
Separate accounts are created for all administrative and service accounts.
No account is a member of the Administrators group on any computer, including the server computer that hosts SQL Server.
If you are using SQL authentication, the following SQL logins must be created with the following permissions:
SQL login for the account used to run the Psconfig command-line tool: The account must be a member of the following SQL roles: dbcreator and securityadmin. The account must be a member of the Administrators group on each server on which Setup is run, but not on the database server.
SQL login for the server farm account: This login is used to create the configuration database and the SharePoint_AdminContent database. The login must include the dbcreator role. The login does not have to be a member of the securityadmin role. The login must be created by using SQL authentication. Configure the server farm account to use SQL authentication with the password that is specified when you create the SQL login.
SQL login for all other databases: The login must be created by using SQL authentication. The login must be a member of the following SQL roles: dbcreator and securityadmin.
For more information about Search Server 2008 accounts, see Plan for administrative and service accounts (Search Server 2008).
For more information about how to create databases by using the Psconfig command-line tool, see Command-line reference for the SharePoint Products and Technologies Configuration Wizard (Office SharePoint Server).
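The following PowerShell script is an added example (it is not part of this article and not a Microsoft-provided tool) that creates the three SQL logins described above with only the server roles listed for each, then verifies that none of them is a member of sysadmin. The instance name, login names, and the use of Invoke-Sqlcmd from the SqlServer module are assumptions; the instance must be running in mixed authentication mode for SQL logins to work.

```powershell
# Added example, not from the article: create the SQL logins required for the
# SQL-authentication configuration with least privilege, then verify them.
# Assumptions: the SqlServer (or SQLPS) module provides Invoke-Sqlcmd, the
# instance allows SQL authentication (mixed mode), and the names below are
# placeholders for your environment.
$Instance = 'sql01.corp.example'   # assumed database server inside the corporate network

$Logins = @(
    @{ Name = 'ss_psconfig'; Roles = @('dbcreator', 'securityadmin') }  # account that runs Psconfig
    @{ Name = 'ss_farm';     Roles = @('dbcreator') }                   # server farm account: configuration and SharePoint_AdminContent databases
    @{ Name = 'ss_dbaccess'; Roles = @('dbcreator', 'securityadmin') }  # login for all other databases
)

foreach ($login in $Logins) {
    $secure = Read-Host -AsSecureString "Password for $($login.Name)"
    $plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
        [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))
    # CREATE LOGIN and sp_addsrvrolemember are the SQL Server 2005/2008-era syntax.
    $sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$($login.Name)')
    CREATE LOGIN [$($login.Name)] WITH PASSWORD = N'$($plain.Replace("'", "''"))', CHECK_POLICY = ON;
"@
    foreach ($role in $login.Roles) {
        $sql += "`nEXEC sp_addsrvrolemember @loginame = N'$($login.Name)', @rolename = N'$role';"
    }
    Invoke-Sqlcmd -ServerInstance $Instance -Query $sql
}

# Verification: list server-role membership for the new logins and stop if any
# of them is a member of sysadmin, which none of the farm logins should be.
$check = @"
SELECT p.name AS LoginName, r.name AS ServerRole
FROM sys.server_role_members m
JOIN sys.server_principals r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals p ON p.principal_id = m.member_principal_id
WHERE p.name IN ($(($Logins | ForEach-Object { "N'$($_.Name)'" }) -join ', '))
ORDER BY p.name, r.name;
"@
$membership = Invoke-Sqlcmd -ServerInstance $Instance -Query $check
$membership | Format-Table -AutoSize
if ($membership | Where-Object ServerRole -eq 'sysadmin') {
    throw 'A Search Server login is a member of sysadmin; remove it before continuing.'
}
```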
Communication with server-farm roles
Note
The information in this section does not apply to Microsoft Search Server 2008 Express. It applies to the full version of Microsoft Search Server 2008 only.
When configuring an extranet environment, you should understand how the various server roles communicate within the server farm.
Communication between server roles
The following figure illustrates the communication channels in a server farm. The table directly after the figure indicates the ports and protocols that are represented in the figure. The black solid arrows indicate which server role initiates communication. A red dotted arrow indicates that either server initiates communication. This is important to know when you configure inbound and outbound communication on a firewall.
Callout | Ports and protocols |
---|---|
1 | Client access (including Information Rights Management (IRM) and search queries), one or more of the following: |
2 | File and printer sharing service — Either of the following: |
3 | Office Server Web Services — Both: |
4 | Database communication: |
5 | Search crawling — Depending on how authentication is configured, Search Server sites might be extended with an additional zone or Internet Information Services (IIS) site to ensure that the index component can access content. This configuration can result in custom ports. |
Web servers automatically load-balance query requests to the available query servers. Consequently, if the query role is deployed across Web server computers, these servers communicate with one another using the File and Printer Sharing service and the Office Server Web services. The following figure illustrates the communication channels between these servers.
Communication between the Central Administration site and server roles
The Central Administration site, which is hosted on the Central Administration Web Application, is used for all administration functions in Search Server 2008.
This section details the port and protocol requirements for communication between an administrator workstation and server roles within the farm. The Central Administration site can be installed on any Web server. Configuration changes that are made through the Central Administration site are communicated to the configuration database. Other server roles in the farm pick up configuration changes that are registered in the configuration database during their polling cycles. Consequently, the Central Administration site does not introduce any new communication requirements to other server roles in the server farm.
The following figure illustrates the communication channels from an administrator workstation to the Search Center, Central Administration site, and the configuration database.
The following table describes the ports and protocols shown in the previous figure.
Callout | Ports and protocols |
---|---|
A | Search Center site — One or more of the following: |
B | Central Administration site — One or more of the following: |
C | Database communication: |
Communication with infrastructure server roles
When configuring an extranet environment, you should understand how the various server roles communicate within infrastructure server computers.
Active Directory domain controller
The following table lists the port requirements for inbound connections from each server role to an Active Directory domain controller.
Item | Web Server | Query Server | Index Server | Database Server |
---|---|---|---|---|
TCP/UDP 445 (Directory Services) | X | X | X | X |
TCP/UDP 88 (Kerberos authentication) | X | X | X | X |
LDAP/LDAPS ports 389/636 by default, customizable | X | | X | |
LDAP/LDAPS ports are required for server roles based on the following conditions:
- Web servers: Use LDAP/LDAPS ports if LDAP authentication is configured.
DNS server
The following table lists the port requirements for inbound connections from each server role to a Domain Name System (DNS) server. In many extranet environments, one server computer hosts both the Active Directory domain controller and the DNS server.
Item | Web Server | Query Server | Index Server | Database Server |
---|---|---|---|---|
DNS, TCP/UDP 53 | X | X | X | X |
Communication between network domains
Active Directory communication
Active Directory communication between domains to support authentication with a domain controller inside the corporate network requires at least a one-way trust relationship in which the perimeter network trusts the corporate network.
In the example illustrated in Network topology, the first figure in this article, the following ports are required as inbound connections to ISA Server B to support a one-way trust relationship:
TCP/UDP 135 (RPC)
TCP/UDP 389 by default, customizable (LDAP)
TCP 636 by default, customizable (LDAP SSL)
TCP 3268 (LDAP GC)
TCP 3269 (LDAP GC SSL)
TCP/UDP 53 (DNS)
TCP/UDP 88 (Kerberos)
TCP/UDP 445 (Directory Services)
TCP/UDP 749 (Kerberos-Adm)
TCP port 750 (Kerberos-IV)
When configuring ISA Server B (or another device between the perimeter network and the corporate network), the network relationship must be defined as routed. Do not define the network relationship as Network Address Translation (NAT).
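The following PowerShell script is an added example (not part of this article) that a farm administrator can run on a perimeter-network server to confirm that the domain controller and DNS ports from the infrastructure tables, and the one-way trust ports listed above, are actually reachable through the firewalls. The host names and the $Role value are assumptions; Test-NetConnection probes TCP only, so the UDP side of each port pair and any customized ports still have to be confirmed in the firewall policy itself.

```powershell
# Added example, not from the article: reachability check for the ports the
# infrastructure tables and the one-way trust list require. Run it on each farm
# server in the perimeter network. Host names below are assumed placeholders.
$Role = 'WebServer'          # WebServer | QueryServer | IndexServer | DatabaseServer
$LdapPortsRequired = $false  # set to $true where the LDAP/LDAPS conditions above apply to this role

$PerimeterDc = 'dc01.perimeter.example'   # assumed: also hosts DNS, as is common in extranets
$CorporateDc = 'dc01.corp.example'        # assumed: reached through ISA Server B (routed, not NAT)

# Ports every farm role needs to the perimeter domain controller and DNS server.
$DcPorts  = @(445, 88)
$DnsPorts = @(53)
if ($LdapPortsRequired) { $DcPorts += 389, 636 }

# Ports listed for the one-way trust (perimeter trusts corporate); TCP side only,
# because Test-NetConnection cannot probe UDP.
$TrustPorts = @(135, 389, 636, 3268, 3269, 53, 88, 445, 749, 750)

function Test-RequiredPorts {
    param([string]$Target, [int[]]$Ports, [string]$Purpose)
    foreach ($port in $Ports) {
        $probe = Test-NetConnection -ComputerName $Target -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Role    = $Role
            Purpose = $Purpose
            Target  = $Target
            Port    = $port
            TcpOpen = $probe.TcpTestSucceeded
        }
    }
}

$report = @()
$report += Test-RequiredPorts -Target $PerimeterDc -Ports $DcPorts    -Purpose 'Domain controller'
$report += Test-RequiredPorts -Target $PerimeterDc -Ports $DnsPorts   -Purpose 'DNS'
$report += Test-RequiredPorts -Target $CorporateDc -Ports $TrustPorts -Purpose 'One-way trust via ISA Server B'

$report | Format-Table -AutoSize
# A closed port is either a missing firewall rule or an intentional block; compare
# each one against the planning tool before changing the firewall.
$report | Where-Object { -not $_.TcpOpen }
```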
For more information about security hardening requirements related to trust relationships, see the following resources:
Connections to external servers
Search Server 2008 can be configured to index content that resides on server computers outside the server farm. If you configure access to content on external server computers, ensure that you enable communication between the appropriate computers. In most cases, the ports, protocols, and services that are used depend on the external resource. For example:
Connections to file shares use the File and Printer Sharing service.
Connections to external SQL Server databases use the default or customized ports for SQL Server communication.
Connections to Oracle typically use OLE DB.
Connections to Web services use both HTTP and HTTPS.
The following table lists features that can be configured to access content that resides on server computers outside the server farm.
Feature | Description |
---|---|
Content crawling | You can configure crawl rules to crawl content that resides on external resources, including Web sites, file shares, Exchange public folders, and business data applications that have an appropriate source connector. When crawling external data sources, the index role communicates directly with these external resources. For more information, see Plan to crawl content (Search Server 2008). |
See Also
Concepts
Plan server farm security (Search Server 2008)
Review the secure topology design checklists (Search Server 2008)
Plan for secure communication within a server farm (Search Server 2008)
Plan security hardening for server roles within a server farm (Search Server 2008)