
Security considerations for the server farm (FAST Search Server 2010 for SharePoint)


Applies to: FAST Search Server 2010

Topic Last Modified: 2011-01-21

When planning a Microsoft FAST Search Server 2010 for SharePoint system, consider the following server farm security issues:

For item level security trimming specific to FAST Search Server 2010 for SharePoint, see Security considerations for indexing (FAST Search Server 2010 for SharePoint).

FAST Search Server 2010 for SharePoint uses certificates for:

  • Authentication and encryption

  • Secure Sockets Layer (SSL) communication between FAST Search Server 2010 for SharePoint and Microsoft SharePoint Server

  • Communication between servers in a multiple server FAST Search Server 2010 for SharePoint environment

Each server in a FAST Search Server 2010 for SharePoint system may have up to three certificates, fulfilling the following functions:

  • General purpose FAST Search certificate: for internal communications, administrative services, and feeding SharePoint Server. The general purpose FAST Search certificate must also be password-protected. You will choose a password during FAST Search Server 2010 for SharePoint deployment.

  • Claims certificate: to enable queries from the SharePoint Server search application to FAST Search Server 2010 for SharePoint

  • Server-specific certificate: for example, to help secure query traffic using HTTPS (optional)

Important
When you install FAST Search Server 2010 for SharePoint, a self-signed certificate is created. This default general purpose certificate has a one year expiration date and is only useful for test environments. You should replace self-signed certificates in your production environment with certificates that are signed by a common certification authority. For more information, see Manage certificates (FAST Search Server 2010 for SharePoint).
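One way to find certificates that match the conditions in the note above (self-signed, or near the end of their validity period) is to audit the Windows certificate store on each server. This is an added example, not code from the original page or from the product; the function name `Get-CertificateAudit`, the store path `Cert:\LocalMachine\My`, and the 60-day warning window are assumptions.

```powershell
# Added example: flag certificates that are self-signed or close to expiry.
# Assumptions (not from the original page): the store path below and the
# 60-day warning window. Adjust both to match your deployment.

function Get-CertificateAudit {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',  # assumed store location
        [int]$WarnDays = 60                            # assumed warning window
    )

    $now = Get-Date

    Get-ChildItem -Path $StorePath |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        ForEach-Object {
            # Whole days of validity remaining; negative means already expired.
            $daysLeft = [int][math]::Floor(($_.NotAfter - $now).TotalDays)

            # Identical subject and issuer means the certificate was issued by
            # itself rather than by a certification authority.
            $selfSigned = ($_.Subject -eq $_.Issuer)

            $findings = @()
            if ($selfSigned) { $findings += 'self-signed' }
            if ($daysLeft -lt 0) {
                $findings += 'expired'
            } elseif ($daysLeft -le $WarnDays) {
                $findings += "expires in $daysLeft days"
            }

            New-Object PSObject -Property @{
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                SelfSigned = $selfSigned
                Findings   = ($findings -join '; ')
            }
        }
}

# Report every certificate in the store, soonest expiry first.
Get-CertificateAudit |
    Sort-Object NotAfter |
    Format-Table Subject, NotAfter, SelfSigned, Findings -AutoSize
```

In a multiple server farm, run the audit on every server and compare the `Issuer` column to confirm that the replacement certificates were signed by the same certification authority.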

All internal communication within the FAST Search Server 2010 for SharePoint farm uses Internet Protocol Security (IPsec). You can find details about required open ports and protocols for the communication between the FAST Search Server 2010 for SharePoint farm and the Search Service Applications (SSA) in the file <FASTSearchFolder>\Install_Info.txt (where <FASTSearchFolder> is the path of the folder where you have installed FAST Search Server 2010 for SharePoint, for example C:\FASTSearch).

By default, all query traffic from the FAST Search Query Search Service Application (SSA) to the FAST Search Server 2010 for SharePoint farm is sent via HTTP. Unencrypted HTTP traffic is transmitted faster than HTTPS traffic. However, to help provide more security for queries on sensitive content, you can enable an HTTPS communication channel that uses SSL certificates. See Enable queries from Microsoft SharePoint Server (FAST Search Server 2010 for SharePoint) for more information.

By default, the Administration Service, which configures FAST Search Server 2010 for SharePoint, uses Windows Communication Foundation (WCF) with HTTP. To provide more protection, you can use HTTPS for this traffic. See Enable Administration Service over HTTPS (FAST Search Server 2010 for SharePoint) for information.

By default, the administrative interfaces (for example, Add Best Bets) use NTLM authentication. If you want an additional level of security, you can change this to Kerberos authentication. See Plan for Kerberos authentication (SharePoint Server 2010) for more information.

By default, all internal communication within the FAST Search Server 2010 for SharePoint farm uses Internet Protocol Security (IPsec) without encryption. To help protect sensitive content, you can enable IPsec encryption on internal interfaces.

HTTP communication is used between servers in multiple server FAST Search Server 2010 for SharePoint farms and for query traffic from the FAST Search Query Search Service Application (SSA) to the FAST Search Server 2010 for SharePoint farm. HTTP communication must be enabled between all servers, and the network proxy configuration on each server must be set correctly. See Review hardware and software requirements (FAST Search Server 2010 for SharePoint) for detailed information.

When you install FAST Search Server 2010 for SharePoint on a server with anti-virus software installed, you should exclude the <FASTSearchFolder> directory from virus scanning. See Review hardware and software requirements (FAST Search Server 2010 for SharePoint) for more information.

A multiple server installation of FAST Search Server 2010 for SharePoint requires credentials for certain user accounts to install, administer, and operate FAST Search Server 2010 for SharePoint. Plan for the following permissions:

  • The user who runs the Prerequisite Installer and the FAST Search Server 2010 for SharePoint installer must be a member of the Administrators group.

  • An authenticated domain user must run FAST Search Server 2010 for SharePoint. This user should not be a local administrator or a site administrator.

  • The FAST Search Server 2010 for SharePoint user must have dbcreator permissions in Microsoft SQL Server to access the FAST Search Server 2010 for SharePoint administration database. See Configure a stand-alone deployment or a multiple server deployment (FAST Search Server 2010 for SharePoint) for more information.

See Review hardware and software requirements (FAST Search Server 2010 for SharePoint) for more information.

FAST Search Authorization (FSA) provides item level security for FAST Search Server 2010 for SharePoint systems by implementing security trimming. However, FSA does not authenticate users. Authentication is performed by the SharePoint Server search front-end. See Plan authentication methods (SharePoint Server 2010) for more information.

© 2014 Microsoft