Serving from master and nonmaster nodes, About security – Google Search Appliance Configuring Distributed Crawling and Serving version 6.14 and later User Manual

Google Search Appliance: Configuring Distributed Crawling and Serving

7

Serving from Master and Nonmaster Nodes

In this release, you can serve results from both the master and nonmaster nodes in distributed crawling
and serving configurations whether or not you have replicas configured and regardless of whether the
mirroring configuring is active-active or active passive.

If you are using a load balancer, a client creates a separate session for each node that it uses. In some
cases, this might slow down initial searches because of the overhead added by uses authentication
requests. You can minimize this issue by using a sticky load balancer that can preserve user sessions for
time periods of five minutes or more. In the absence of a sticky load balancer, search users may have to
log in N times, where N is the number of search appliances in the configuration.

About Security

The Google Search Appliance uses secret tokens and private IP addresses to enforce security within a
distributed crawling configuration.

The search appliances in a distributed crawling configuration authenticate each other using shared
secret tokens that you provide during configuration. The shared secret tokens must consist only of
printable ASCII characters.

There are no restrictions on the public IP addresses assigned to the search appliances in the
configuration beyond a requirement that a search appliance must able to reach another search
appliance’s public IP address on UDP port 500 and on IP protocol number 51 (IPsec AH). Both ports are
used by IPSec, the security protocol for communications among the appliances in the configuration.

Certain communications among the search appliances in a distributed crawling configuration are
conducted over a virtual private network, including search requests, search credentials transmitted as
sessions, and search results that include snippets, whether the results are authorized or not authorized.
When you set up a distributed crawling configuration, you must assign the private IP addresses and
secret tokens to each machine in the configuration.

The following guidelines apply to the private network IP addresses that you assign in a distributed
crawling configuration:

•

You can assign or change the private IP addresses at any time.

•

The private IP addresses must be different from the IP addresses that will be crawled on your
internal network. For example, if you use 10.0.0.0/8 for your intranet then you should choose the
private IP addresses from the 192.168.0.0/24 network. If the 192.168.0.0/24 network is also in use,
try 192.168.1.0/24 or the 172.16.0.0/12 range.

•

The private IP addresses must conform to the private address space as defined in RFC 1918 and
must not overlap with any other private address space used on your network.

•

The private network addresses cannot be in the range spanning subnet /16 to /8.