Perimeter security – Google Search Appliance Security User Manual


Here are some unique behaviors and deployment best practices:

● The connector will run for a long time—it could be days if the Active Directory has a lot of users and groups. It’s recommended to:

○ Use dedicated AD Groups connector instances. This is true even for the SharePoint connector, which has an embedded Active Directory Groups connector capability and can index both SharePoint content and Active Directory groups.

○ Increase the traversal timeout. There are six stages to complete the traversal. You can see that in the logs. If you see repeated “update 1/6” and “update 2/6”, but it never goes beyond that, it’s a sign that the traversal thread was interrupted before it could finish. You can increase the time by changing the variable traversal.time.limit in INSTALLROOT/INSTANCENAME/Tomcat/webapps/connector-manager/WEB-INF/applicationContext.properties

● Make sure you are binding directly to a non-load-balanced Domain Controller host to take advantage of incremental AD traversal.

○ The connector uses checkpointing that is unique to a specific Domain Controller, so in order to take advantage of the checkpointed updates, you must continue to connect to the same unique Domain Controller upon every request.

● Always use an offboard connector, and one connector instance per connector manager.

○ Easier to patch and troubleshoot.

○ More scalable, since you can control resource consumption easily.

● Use an external database to store the group information.

○ It is more reliable for production than using the embedded database.

○ As the embedded database is tied to a Connector Manager instance, an external database is also the only way to correctly resolve groups when multiple combinations of AD groups connectors and SharePoint connectors are used over multiple Connector Managers. For example, when there are multiple AD domains, there must be one connector for each domain. In order to resolve groups for users from different domains, or if memberships cross domains, the group information must be put in the same database and same tables. Since the database configuration is at the connector manager level, you have to configure these connector managers to use an external database in order for the multiple instances to share the same related data.
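As an added illustration (not part of the manual or of the connector's own code), the following Python snippet scans connector-manager log lines for the stall symptom described above: the traversal repeatedly logs “update 1/6” and “update 2/6” but never reaches stage 6. The timestamp/logger prefix of the sample lines is constructed; only the “update N/6” token comes from the text.

```python
import re

# Constructed sample log excerpt (format assumed, not taken from the manual).
# Each traversal cycle logs "update N/6" as the AD groups traversal advances.
SAMPLE_LOG = """\
2024-01-05 01:00:01 INFO  AdGroupsConnector: update 1/6
2024-01-05 01:20:12 INFO  AdGroupsConnector: update 2/6
2024-01-05 02:00:00 WARN  Traversal thread interrupted
2024-01-05 02:00:05 INFO  AdGroupsConnector: update 1/6
2024-01-05 02:20:30 INFO  AdGroupsConnector: update 2/6
2024-01-05 03:00:00 WARN  Traversal thread interrupted
"""

STAGE_RE = re.compile(r"update (\d)/6")
TOTAL_STAGES = 6


def analyse_traversal(log_text: str) -> dict:
    """Summarise traversal progress from connector-manager log text.

    Returns the highest stage reached, the number of times the traversal
    restarted from stage 1 after having progressed, and a 'stalled' flag
    that is set when the traversal never completed and restarted at least
    once (the symptom that points at traversal.time.limit being too low).
    """
    max_stage = 0
    restarts = 0
    prev_stage = 0
    for line in log_text.splitlines():
        match = STAGE_RE.search(line)
        if not match:
            continue
        stage = int(match.group(1))
        # A return to stage 1 after earlier progress means the cycle was cut short.
        if stage == 1 and prev_stage != 0:
            restarts += 1
        prev_stage = stage
        max_stage = max(max_stage, stage)
    completed = max_stage == TOTAL_STAGES
    return {
        "max_stage": max_stage,
        "restarts": restarts,
        "stalled": (not completed) and restarts >= 1,
    }


if __name__ == "__main__":
    print(analyse_traversal(SAMPLE_LOG))
```

If `stalled` is true, raising traversal.time.limit in applicationContext.properties and re-checking the log for a later stage is the next step the text suggests.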

Perimeter security

Documents in the search appliance index can be labeled as either “public” or “secure.” How a document
is labeled depends on how the content was indexed, either by crawling or feeding, as well as the
configuration information in the GSA. In terms of security, an indexed document falls into one of the
following two categories: