Plan for secure communication within a server farm (Search Server 2008)
Applies To: Microsoft Search Server 2008
Topic Last Modified: 2009-08-04
Note
Unless otherwise noted, the information in this article applies to both Microsoft Search Server 2008 and Microsoft Search Server 2008 Express.
In this article:
Plan server-to-server communication
Plan client-server communication
Plan for using SSL
Use this article to plan server farm security. This article contains guidance about how to secure server-to-server communication and client-server communication.
The tasks in this article are appropriate for the following security environments:
External secure access
External anonymous access
Plan server-to-server communication
If servers are not inside a physically secure data center in which the threat of network eavesdropping is less significant, you must use an encrypted communication channel to protect data sent between servers.
In Microsoft Search Server 2008, server-to-server communication in a server farm is extensive. Securing this communication helps reduce the risk that sensitive data will be compromised, and also helps protect the servers from malicious attacks or unintentional threats.
The following figure shows several common communication transactions among servers in a farm.
Common communication transactions among servers in a farm include the following:
Configuration changes Front-end Web servers communicate with the configuration database to communicate configuration changes for farm settings.
Search requests Front-end Web servers first communicate with the query server to generate results for search queries. Next, for content that is stored locally, the front-end Web servers communicate with the content database to satisfy user requests for specific documents within the search results.
Indexing The indexing component communicates through a front-end Web server to crawl local content that is stored in the content databases to include in the index. For information about the different kinds of external sources that the index server can crawl, see Plan to crawl content (Search Server 2008).
Note
In a Search Server 2008 environment, the search service is provided by two roles: query and index. These roles can be installed on different server computers.
The Advanced installation of Microsoft Search Server 2008 Express can have multiple Web front-end servers. However, the Query and Index roles can only exist on one physical application server.
The Advanced installation of Microsoft Search Server 2008 can have multiple Web front-end servers, and multiple instances of query server running on separate application servers. There can still only be one instance of the Index role.
Internet Protocol security (IPsec) and Secure Sockets Layer (SSL) can both be used to help protect communication between servers by encrypting traffic. Each of these methods works well. The choice of which method to use depends on the specific communication channels you are securing and the benefits and tradeoffs that are most appropriate for your organization.
IPsec
IPsec is generally recommended for protecting the communication channel between two servers and restricting which computers can communicate with one another. For example, you can help protect a database server by establishing a policy that permits requests only from a trusted client computer, such as an application server or a Web server. You can also restrict communication to specific IP protocols and TCP/UDP ports.
The networking requirements and recommendations for a server farm make IPsec a good option for the following reasons:
All servers are contained on one physical LAN (to improve IPsec performance).
Servers are assigned static IP addresses.
IPsec can also be used between trusted Windows Server 2008, Windows Server 2003, or Windows 2000 Server domains. For example, you can use IPsec to help secure communication of a Web server or application server in a perimeter network that connects to a computer that is running Microsoft SQL Server on an internal network. For more information, see Selecting IPSec Authentication Methods in the Windows Server 2003 Deployment Guide.
For more information about recommended environments for IPsec, see Determining Your IPSec Needs in the Windows Server 2003 Deployment Guide.
SSL
The general recommendation for SSL is to use this encryption method when you want granular channel protection for a particular application instead of for all applications and services that are running on a computer. SSL must be implemented by individual applications. Therefore, you cannot use SSL to encrypt all communications between two hosts.
Additionally, SSL is less flexible than IPsec because it only supports authentication by using public key certificates. SSL does provide several distinct advantages, however. Most significantly, SSL is supported by a wide variety of servers and client computers, and the maturity of the standard has almost eliminated interoperability problems.
Scenarios to consider for SSL
There are several scenarios that make SSL a good option. They include the following:
Administration The Central Administration site can be secured by using SSL.
Searching sensitive content If Search Server indexes sensitive content, malicious users could intercept information about that content in query results. You can prevent this interception by using SSL.
Plan client-server communication
It might not be practical to secure all client-server communication. However, there are several scenarios that justify the additional configuration that is required to provide more secure communication between client computers and servers within the server farm:
Secure collaboration with partners Partners run searches from outside the local network in an extranet environment.
Remote employee access Employees access Search Server remotely to run searches when they are off-site.
Customers searching for sensitive data Customers log on and search content that includes sensitive information. For example, customers may be required to log on to search through knowledge base articles about a product.
Basic or forms-based authentication If users authenticate with either of these methods, credentials are sent in plain text. At a minimum, secure the client-server communication for the logon page.
SSL is generally recommended to help secure communications between users and servers when sensitive information must be passed. SSL can be configured to require server authentication or both server and client authentication.
Plan for using SSL
SSL can decrease the performance of the network. There are several common guidelines that you can use to optimize pages that use SSL. First, use SSL only for pages that require it. This includes pages that contain or capture sensitive data, such as passwords or other personal data. Use SSL only if the following conditions are true:
You want to encrypt the page data.
You want to guarantee that the server to which you send the data is the server that you expect.
For pages where you must use SSL, follow these guidelines:
Make the page size as small as possible.
Avoid using graphics that have large file sizes. If you use graphics, use graphics that have smaller file sizes and lower resolution.
See Also
Concepts
Plan server farm security (Search Server 2008)
Review the secure topology design checklists (Search Server 2008)
Plan security hardening for server roles within a server farm (Search Server 2008)
Plan security hardening for an extranet (Search Server 2008)