Security considerations for the server farm (FAST Search Server 2010 for SharePoint)

 

Applies to: FAST Search Server 2010

When planning a Microsoft FAST Search Server 2010 for SharePoint system, consider the following server farm security issues:

  • Certificates

  • Communication between the FAST Search Server farm and the SharePoint farm

  • Protecting administrative interfaces

  • Protecting communication within the farm

  • Proxy settings

  • Anti-virus configuration

  • Required user accounts

  • User authentication

For item level security trimming specific to FAST Search Server 2010 for SharePoint, see Security considerations for indexing (FAST Search Server 2010 for SharePoint).

Certificates

FAST Search Server 2010 for SharePoint uses certificates for:

  • Authentication and encryption

  • Secure Sockets Layer (SSL) communication between FAST Search Server 2010 for SharePoint and Microsoft SharePoint Server

  • Communication between servers in a multiple server FAST Search Server 2010 for SharePoint environment

Each server in a FAST Search Server 2010 for SharePoint system may have up to three certificates, fulfilling the following functions:

  • General purpose FAST Search certificate: for internal communications, administrative services, and feeding SharePoint Server. The general purpose FAST Search certificate must also be password-protected. You will choose a password during FAST Search Server 2010 for SharePoint deployment.

  • Claims certificate: to enable queries from the SharePoint Server search application to FAST Search Server 2010 for SharePoint

  • Server-specific certificate: for example, to help secure query traffic using HTTPS (optional)

Important

When you install FAST Search Server 2010 for SharePoint, a self-signed certificate is created. This default general purpose certificate expires after one year and is suitable only for test environments. In your production environment, you should replace self-signed certificates with certificates that are signed by a common certification authority. For more information, see Manage certificates (FAST Search Server 2010 for SharePoint).
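
The following PowerShell sketch is an added example, not part of the original article or Microsoft's tooling. It lists certificates in a store that are self-signed, expired, or close to expiry, which is how a default certificate left in production would show up. The store path Cert:\LocalMachine\My, the function name Get-CertificateRisk, and the 60-day warning window are assumptions.

```powershell
# Added example (not Microsoft's tooling). Flags certificates that are
# self-signed, not yet valid, expired, or near expiry.
# Assumptions: the certificates to review are in Cert:\LocalMachine\My and
# 60 days is an acceptable renewal warning window.
function Get-CertificateRisk {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [int]$WarnDays = 60,
        [datetime]$Now = (Get-Date)
    )
    process {
        $daysLeft = [int][math]::Floor(($Certificate.NotAfter - $Now).TotalDays)
        $findings = @()

        # Heuristic: a certificate whose subject equals its issuer is
        # self-signed (this also matches root CA certificates).
        if ($Certificate.Subject -eq $Certificate.Issuer) { $findings += 'self-signed' }
        if ($Certificate.NotBefore -gt $Now) { $findings += 'not yet valid' }

        if ($daysLeft -lt 0) {
            $findings += 'expired'
        } elseif ($daysLeft -le $WarnDays) {
            $findings += "expires in $daysLeft days"
        }

        New-Object PSObject -Property @{
            Subject    = $Certificate.Subject
            Issuer     = $Certificate.Issuer
            Thumbprint = $Certificate.Thumbprint
            NotAfter   = $Certificate.NotAfter
            Findings   = ($findings -join '; ')
        }
    }
}

# Report only certificates with at least one finding.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Get-CertificateRisk |
    Where-Object { $_.Findings } |
    Select-Object Subject, Issuer, NotAfter, Thumbprint, Findings |
    Format-List
```

Run it on each server in the farm; a certificate reported as self-signed on a production server is a candidate for replacement with a CA-signed certificate.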

Communication between the FAST Search Server farm and the SharePoint farm

All internal communication within the FAST Search Server 2010 for SharePoint farm uses Internet Protocol Security (IPsec). You can find details about required open ports and protocols for the communication between the FAST Search Server 2010 for SharePoint farm and the Search Service Applications (SSA) in the file <FASTSearchFolder>\Install_Info.txt (where <FASTSearchFolder> is the path of the folder where you have installed FAST Search Server 2010 for SharePoint, for example C:\FASTSearch).

By default, all query traffic from the FAST Search Query Search Service Application (SSA) to the FAST Search Server 2010 for SharePoint farm is sent via HTTP. This unencrypted traffic is transmitted faster than HTTPS traffic. However, to help provide more security for queries on sensitive content, you can enable an HTTPS communication channel that uses SSL certificates. See Enable queries from Microsoft SharePoint Server (FAST Search Server 2010 for SharePoint) for more information.

Protecting administrative interfaces

By default, the Administration Service, which configures FAST Search Server 2010 for SharePoint, uses Windows Communication Foundation (WCF) with HTTP. To provide more protection, you can use HTTPS for this traffic. See Enable Administration Service over HTTPS (FAST Search Server 2010 for SharePoint) for information.

By default, the administrative interfaces (for example, Add Best Bets) use NTLM authentication. If you want an additional level of security, you can change this to Kerberos authentication. See Plan for Kerberos authentication (SharePoint Server 2010) for more information.

Protecting communication within the farm

By default, all internal communication within the FAST Search Server 2010 for SharePoint farm uses Internet Protocol Security (IPsec) without encryption. To help protect sensitive content, you can enable IPsec encryption on internal interfaces.

Proxy settings

HTTP communication is used in multiple server FAST Search Server 2010 for SharePoint farms and for query traffic from the FAST Search Query Search Service Application (SSA) to the FAST Search Server 2010 for SharePoint farm. HTTP communication must be enabled between all servers, and the network proxy configuration on each server must be set correctly. See Review hardware and software requirements (FAST Search Server 2010 for SharePoint) for detailed information.

Anti-virus configuration

When you install FAST Search Server 2010 for SharePoint on a server with anti-virus software installed, you should exclude the <FASTSearchFolder> directory from virus scanning. See Review hardware and software requirements (FAST Search Server 2010 for SharePoint) for more information.

Required user accounts

A multiple server installation of FAST Search Server 2010 for SharePoint requires credentials for certain user accounts to install, administer, and operate FAST Search Server 2010 for SharePoint. Plan for the following permissions:

  • The user who runs the Prerequisite Installer and the FAST Search Server 2010 for SharePoint installer must be a member of the Administrators group.

  • An authenticated domain user must run FAST Search Server 2010 for SharePoint. This user should not be a local administrator or a site administrator.

  • The FAST Search Server 2010 for SharePoint user must have dbcreator permissions in Microsoft SQL Server to access the FAST Search Server 2010 for SharePoint administration database. See Configure a stand-alone deployment or a multiple server deployment (FAST Search Server 2010 for SharePoint) for more information.

See Review hardware and software requirements (FAST Search Server 2010 for SharePoint) for more information.

User authentication

FAST Search Authorization (FSA) provides item level security for FAST Search Server 2010 for SharePoint systems by implementing security trimming. However, FSA does not authenticate users. Authentication is performed by the SharePoint Server search front-end. See Plan authentication methods (SharePoint Server 2010) for more information.

See Also

Concepts

Security considerations for indexing (FAST Search Server 2010 for SharePoint)
Manage certificates (FAST Search Server 2010 for SharePoint)
Enable queries from Microsoft SharePoint Server (FAST Search Server 2010 for SharePoint)
Enable Administration Service over HTTPS (FAST Search Server 2010 for SharePoint)
Review hardware and software requirements (FAST Search Server 2010 for SharePoint)
Configure a stand-alone deployment or a multiple server deployment (FAST Search Server 2010 for SharePoint)

Other Resources

Plan authentication methods (SharePoint Server 2010)