Security considerations for the server farm (FAST Search Server 2010 for SharePoint)

Updated: August 12, 2010

When planning a Microsoft FAST Search Server 2010 for SharePoint system, consider the following server farm security issues:

  • Certificates

  • Communication between the FAST Search Server farm and the SharePoint farm

  • Protecting administrative interfaces

  • Protecting communication within the farm

  • Proxy settings

  • Anti-virus configuration

  • Required user accounts

  • User authentication

For item level security trimming specific to FAST Search Server 2010 for SharePoint, see Security considerations for indexing (FAST Search Server 2010 for SharePoint).

Certificates

FAST Search Server 2010 for SharePoint uses certificates for:

  • Authentication and encryption

  • Secure Sockets Layer (SSL) communication between FAST Search Server 2010 for SharePoint and Microsoft SharePoint Server

  • Communication between servers in a multiple server FAST Search Server 2010 for SharePoint environment

Each server in a FAST Search Server 2010 for SharePoint system may have up to three certificates, fulfilling the following functions:

  • General purpose FAST Search certificate: for internal communications, administrative services, and feeding SharePoint Server. The general purpose FAST Search certificate must also be password-protected. You will choose a password during FAST Search Server 2010 for SharePoint deployment.

  • Claims certificate: to enable queries from the SharePoint Server search application to FAST Search Server 2010 for SharePoint

  • Server-specific certificate: for example, to help secure query traffic using HTTPS (optional)

Important!

When you install FAST Search Server 2010 for SharePoint, a self-signed certificate is created. This default general purpose certificate has a one year expiration date and is only useful for test environments. You should replace self-signed certificates in your production environment with certificates that are signed by a common certification authority. For more information, see Manage certificates (FAST Search Server 2010 for SharePoint).
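
One way to check a server for the condition described above, as an added example that is not part of the original article or of the product's own tooling: the PowerShell function below lists certificates that are self-signed, expired or near expiry, or that do not chain to an issuer this server trusts. The store path `Cert:\LocalMachine\My`, the function name and the 60-day threshold are assumptions.

```powershell
# Added example: audit a Windows certificate store for the conditions the note
# above warns about (self-signed, short-lived, not issued by a trusted CA).
# Assumption: the FAST Search certificates are in the local computer's
# Personal store; pass -StorePath if they are installed elsewhere.
function Get-CertificateAudit {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [int]$WarnDays = 60   # hypothetical threshold; match your renewal process
    )

    $now = Get-Date
    Get-ChildItem -Path $StorePath |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        ForEach-Object {
            $cert = $_
            # Subject equal to Issuer is the usual sign of a self-signed certificate.
            $selfSigned = ($cert.Subject -eq $cert.Issuer)
            $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)

            # Build the chain locally to see whether this server trusts the issuer.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check only
            $chainOk = $chain.Build($cert)

            $findings = @()
            if ($selfSigned) { $findings += 'self-signed' }
            if ($daysLeft -lt 0) { $findings += 'expired' }
            elseif ($daysLeft -le $WarnDays) { $findings += "expires in $daysLeft days" }
            if (-not $chainOk) { $findings += 'chain not trusted on this server' }

            New-Object PSObject -Property @{
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Findings   = ($findings -join '; ')
            }
        }
}

# Show only the certificates that need attention.
Get-CertificateAudit | Where-Object { $_.Findings } |
    Format-List Subject, Issuer, Thumbprint, NotAfter, Findings
```

Run it on each server in the farm and compare the Issuer values to confirm that the replacement certificates come from the same certification authority.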

Communication between the FAST Search Server farm and the SharePoint farm

All internal communication within the FAST Search Server 2010 for SharePoint farm uses Internet Protocol Security (IPsec). You can find details about required open ports and protocols for the communication between the FAST Search Server 2010 for SharePoint farm and the Search Service Applications (SSA) in the file <FASTSearchFolder>\Install_Info.txt (where <FASTSearchFolder> is the path of the folder where you have installed FAST Search Server 2010 for SharePoint, for example C:\FASTSearch).

By default, all query traffic from the FAST Search Query Search Service Application (SSA) to the FAST Search Server 2010 for SharePoint farm is sent via HTTP. This non-encrypted information transmits faster than HTTPS. However, to help provide more security for queries on sensitive content, you can enable an HTTPS communication channel that uses SSL certificates. See Enable queries from Microsoft SharePoint Server (FAST Search Server 2010 for SharePoint) for more information.

Protecting administrative interfaces

By default, the Administration Service, which configures FAST Search Server 2010 for SharePoint, uses Windows Communication Foundation (WCF) with HTTP. To provide more protection, you can use HTTPS for this traffic. See Enable Administration Service over HTTPS (FAST Search Server 2010 for SharePoint) for information.

By default, the administrative interfaces (for example, Add Best Bets) use NTLM authentication. If you want an additional level of security, you can change this to Kerberos authentication. See Configure Kerberos authentication (SharePoint Server 2010) for more information.

Protecting communication within the farm

By default, all internal communication within the FAST Search Server 2010 for SharePoint farm uses Internet Protocol Security (IPsec) without encryption. To help protect sensitive content, you can enable IPsec encryption on internal interfaces.

Proxy settings

HTTP communications are used in multiple server FAST Search Server 2010 for SharePoint farms and for query traffic from the FAST Search Query Search Service Application (SSA) to the FAST Search Server 2010 for SharePoint farm. HTTP communication must be enabled between all servers, and the network proxy configuration on each server must be set correctly. See Review hardware and software requirements (FAST Search Server 2010 for SharePoint) for detailed information.

Anti-virus configuration

When you install FAST Search Server 2010 for SharePoint on a server with anti-virus software installed, you should exclude the <FASTSearchFolder> directory from virus scanning. See Review hardware and software requirements (FAST Search Server 2010 for SharePoint) for more information.

Required user accounts

A multiple server installation of FAST Search Server 2010 for SharePoint requires credentials for certain user accounts to install, administer, and operate FAST Search Server 2010 for SharePoint. Plan for the following permissions:

See Review hardware and software requirements (FAST Search Server 2010 for SharePoint) for more information.

User authentication

FAST Search Authorization (FSA) provides item level security for FAST Search Server 2010 for SharePoint systems by implementing security trimming. However, FSA does not authenticate users. Authentication is performed by the SharePoint Server search front-end. See Plan authentication methods (SharePoint Server 2010) for more information.

See Also

Concepts

Security considerations for indexing (FAST Search Server 2010 for SharePoint)
Manage certificates (FAST Search Server 2010 for SharePoint)
Enable queries from Microsoft SharePoint Server (FAST Search Server 2010 for SharePoint)
Enable Administration Service over HTTPS (FAST Search Server 2010 for SharePoint)
Review hardware and software requirements (FAST Search Server 2010 for SharePoint)
Configure a stand-alone deployment or a multiple server deployment (FAST Search Server 2010 for SharePoint)

Other Resources

Configure Kerberos authentication (SharePoint Server 2010)
Plan authentication methods (SharePoint Server 2010)

Change History

| Date | Description | Reason |
| --- | --- | --- |
| August 12, 2010 | 2010/08/09 | Content update |
| August 5, 2010 | 2010/08/02 | Content update |
| May 12, 2010 | Initial publication | |