About security – Google Search Appliance Configuring GSA Mirroring version 7.0 User Manual
• Connectors (Connector Manager definitions and configurations are copied)
• Existing feeds
• Certificates
About Security
The Google Search Appliance uses shared secret tokens and private IP addresses to enforce security within GSA mirroring configurations.

The search appliances in a GSA mirroring configuration authenticate each other using shared secret tokens that you provide during configuration. The shared secret tokens must consist only of printable ASCII characters.

There are no restrictions on the public IP addresses assigned to the search appliances in the configuration beyond the requirement that each search appliance must be able to reach the other search appliances' public IP addresses on UDP port 500 (IKE, the IPsec key exchange) and on IP protocol number 51 (the IPsec Authentication Header, AH). Both are used by IPsec, the security protocol for communications among the appliances in the configuration. Note that 51 is an IP protocol number rather than a port, so any firewall between the appliances must permit the AH protocol itself, not a TCP or UDP port 51.

Configuration and index data are communicated among the search appliances in a GSA mirroring configuration over a virtual private network. When you set up a GSA mirroring configuration, the search appliance automatically assigns private IP addresses and secret tokens to each machine in the configuration. The private IP addresses are in the range 10.0.0.1, 10.0.0.2, ..., 10.0.0.n unless this range conflicts with the public IP address of a search appliance. In that case, a different address range can be used for the private IP addresses.
If you need to manually change the private IP addresses, the following guidelines apply:
• Each search appliance must be able to reach the other search appliances' public IP addresses on UDP port 500 (IKE) and on IP protocol number 51 (IPsec AH); both are used by IPsec, the security protocol for communications among the appliances in the configuration. In addition, the master node must be able to reach TCP port 8443 (SSL) on the replica.
• GRE (Generic Routing Encapsulation) is used to encapsulate the IP packets over the IPsec tunnel. The replica's IP setup for tunneling can be checked by clicking Update Settings and Perform Diagnostics on the Administration > Network Settings page, but network diagnostics cannot be used to check the private IP address of the replica.
• The private IP addresses you choose must conform to the private address space defined in RFC 1918 and must not overlap with the private address space used by the subnet to which the appliances are connected. For example, if the subnet where the search appliances are deployed uses 10.0.0.0/8, choose the private IP addresses from the 192.168.0.0/24 network. If the 192.168.0.0/24 network is used by the subnet, try the 192.168.1.0/24 range or a range from 172.16.0.0/12.
• Do not use private IP addresses from the 192.168.255.0/24 network.
• Do not use 127.0.0.0/8 (the loopback range).
• Do not use non-private address space such as 1.0.0.0/8 or 216.239.43.0/24.
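The address rules above (automatic 10.0.0.n assignment with a fallback when it collides, RFC 1918 membership, no overlap with the deployment subnet, and the excluded 192.168.255.0/24, 127.0.0.0/8 and public ranges) can be checked before you type a private address into the admin console. The following Python script is an added example for this page, not code from Google or from the appliance; the function names, the order in which candidate /24 ranges are tried (taken from the manual's own example sequence) and the sample subnets are assumptions for illustration. It is not the appliance's own assignment logic, which this page does not describe.

```python
import ipaddress
import itertools
from typing import Iterable, List, Optional, Tuple

# RFC 1918 private address space: the only space tunnel addresses may come from.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ranges the manual says never to use for the tunnel addresses.
EXCLUDED = [ipaddress.ip_network(n) for n in ("192.168.255.0/24", "127.0.0.0/8")]

# Assumed order in which candidate /24 ranges are tried, following the manual's
# example: 10.0.0.n by default, then 192.168.0.0/24, 192.168.1.0/24, then a /24
# out of 172.16.0.0/12. The real appliance's selection order is not documented here.
PREFERRED_RANGES = ("10.0.0.0/24", "192.168.0.0/24", "192.168.1.0/24", "172.16.0.0/24")


def check_tunnel_range(candidate: str, deployment_subnets: Iterable[str],
                       public_ips: Iterable[str]) -> List[str]:
    """Return the guideline violations for a candidate tunnel range (empty list = acceptable)."""
    net = ipaddress.ip_network(candidate, strict=False)
    if net.version != 4:
        raise ValueError("tunnel ranges are IPv4")
    problems: List[str] = []
    # Must lie entirely inside one of the RFC 1918 blocks (rules out 1.0.0.0/8, 216.239.43.0/24, ...).
    if not any(net.subnet_of(private) for private in RFC1918):
        problems.append(f"{net} is not RFC 1918 private address space")
    # Must not touch the explicitly excluded ranges.
    for excluded in EXCLUDED:
        if net.overlaps(excluded):
            problems.append(f"{net} overlaps excluded range {excluded}")
    # Must not overlap the subnet(s) the appliances are physically attached to.
    for subnet in deployment_subnets:
        subnet_net = ipaddress.ip_network(subnet, strict=False)
        if net.overlaps(subnet_net):
            problems.append(f"{net} overlaps deployment subnet {subnet_net}")
    # Must not contain any appliance's public address (the conflict the manual warns about).
    for ip in public_ips:
        if ipaddress.ip_address(ip) in net:
            problems.append(f"{net} contains the appliance public address {ip}")
    return problems


def pick_tunnel_addresses(deployment_subnets: Iterable[str], public_ips: Iterable[str],
                          node_count: int) -> Optional[Tuple[str, List[str]]]:
    """Choose the first acceptable range and hand out .1, .2, ... to the nodes; None if nothing fits."""
    subnets = list(deployment_subnets)
    ips = list(public_ips)
    for candidate in PREFERRED_RANGES:
        if check_tunnel_range(candidate, subnets, ips):
            continue
        net = ipaddress.ip_network(candidate)
        hosts = [str(h) for h in itertools.islice(net.hosts(), node_count)]
        if len(hosts) < node_count:
            continue
        return candidate, hosts
    return None


if __name__ == "__main__":
    # Constructed example: appliances sit on a 10/8 corporate network, so the
    # default 10.0.0.n range collides and the next candidate must be used.
    print(pick_tunnel_addresses(["10.0.0.0/8"], ["10.20.30.1", "10.20.30.2"], 2))
    # The manual's excluded and non-private examples each produce at least one violation.
    for bad in ("192.168.255.0/24", "127.0.0.0/8", "1.0.0.0/8", "216.239.43.0/24"):
        print(bad, check_tunnel_range(bad, ["10.0.0.0/8"], ["10.20.30.1"]))
```

Run it with the subnet your appliances are attached to and their public addresses; an empty list from `check_tunnel_range` means the candidate satisfies every rule on this page, and `pick_tunnel_addresses` reproduces the manual's fallback sequence (10.0.0.n, then 192.168.0.0/24, then 192.168.1.0/24, then 172.16.0.0/12) under the assumed ordering.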