
About security – Google Search Appliance Configuring GSA Mirroring version 7.2 User Manual

Page 8


Google Search Appliance: Configuring GSA Mirroring


The following settings and data are not copied from the master to the replica search appliances:

Kerberos

Connectors (Connector Manager definitions and configurations are copied)

Existing feeds

Certificates

About Security

The Google Search Appliance uses secret tokens and private IP addresses to enforce security within GSA
mirroring configurations.

The search appliances in a GSA mirroring configuration authenticate each other using shared secret
tokens that you provide during configuration. The shared secret tokens must consist only of printable
ASCII characters.

There are no restrictions on the public IP addresses assigned to the search appliances in the
configuration beyond the requirement that each search appliance must be able to reach the other search
appliances' public IP addresses on UDP port 500 and on IP protocol number 51 (IPsec AH). IPsec uses
UDP port 500 and the AH protocol to build a secure private network between the mirrored nodes.
ICMP Echo is used for testing public IP address availability. Ports 8000 and 8443 are used for
transmitting configurations between appliances.

Configuration and index data are communicated among the search appliances in a GSA mirroring
configuration over a virtual private network. When you set up a GSA mirroring configuration, the search
appliance automatically assigns private IP addresses and secret tokens to each machine in the
configuration. The private IP addresses are in the range 10.0.0.1, 10.0.0.2, ..., 10.0.0.n unless this range
conflicts with the public IP address of the search appliance. In that case, a different address range can
be used for the private IP addresses.

If you need to manually change the private IP addresses, the following guidelines apply:

The search appliance must be able to reach another search appliance's public IP address on UDP port
500 and on IP protocol number 51 (IPsec AH). The master node must also be able to reach port 8443
(SSL) on the replica.

GRE (Generic Routing Encapsulation) is used to encapsulate the IP packets over the IPsec tunnel.
The replica's IP setup for tunneling can be checked by clicking Update Settings and Perform
Diagnostics on the Administration > Network Settings page, but network diagnostics cannot be
used to check the private IP address of the replica.

The private IP addresses you choose must conform to the private address space as defined in RFC
1918 and must not overlap with the private address space used by the subnet to which the
appliances are connected. For example, if the subnet where the search appliances are deployed
uses 10.0.0.0/8, choose the private IP addresses from the 192.168.0.0/24 network. If the
192.168.0.0/24 network is used by the subnet, try the 192.168.1.0/24 range or the 172.16.0.0/12
range.

Do not use the private IP address from the 192.168.255.0/24 network.

Do not use 127.0.0.0/8.

Do not use non-private address space such as 1.0.0.0/8 or 216.239.43.0/24.
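The address guidelines above, as an added validation helper that is not part of the GSA manual or product: it checks a proposed private tunnel range against the rules on this page (RFC 1918 membership, no overlap with the deployment subnet, the excluded 192.168.255.0/24 and 127.0.0.0/8 ranges) and suggests a range in the order the page gives. The preference list and the use of a /24 for the default 10.0.0.x range are assumptions.

```python
import ipaddress

# RFC 1918 private address space, which the tunnel addresses must fall inside.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ranges this page says never to use for the mirroring private addresses.
EXCLUDED = [ipaddress.ip_network(n) for n in ("192.168.255.0/24", "127.0.0.0/8")]
# Assumed preference order: the appliance default 10.0.0.x (treated here as a /24),
# then the alternatives the page lists in the order it lists them.
PREFERRED = ["10.0.0.0/24", "192.168.0.0/24", "192.168.1.0/24", "172.16.0.0/12"]


def check_private_range(candidate, deployment_subnet):
    """Return the list of guideline violations for a proposed private tunnel range.

    candidate         - network the tunnel addresses would be drawn from, e.g. "192.168.0.0/24"
    deployment_subnet - subnet the appliances' public interfaces sit on, e.g. "10.0.0.0/8"
    An empty list means the candidate satisfies every rule on this page.
    """
    cand = ipaddress.ip_network(candidate, strict=False)
    public = ipaddress.ip_network(deployment_subnet, strict=False)
    problems = []
    if cand.version != 4 or public.version != 4:
        return [f"only IPv4 ranges are covered by these guidelines: {cand}, {public}"]
    if not any(cand.subnet_of(block) for block in RFC1918):
        problems.append(f"{cand} is not within RFC 1918 private address space")
    for block in EXCLUDED:
        if cand.overlaps(block):
            problems.append(f"{cand} overlaps the excluded range {block}")
    if cand.overlaps(public):
        problems.append(f"{cand} overlaps the deployment subnet {public}")
    return problems


def choose_private_range(deployment_subnet):
    """Return the first range in PREFERRED that passes every check, or None if none does."""
    for candidate in PREFERRED:
        if not check_private_range(candidate, deployment_subnet):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed deployment: appliances' public interfaces live in 10.0.0.0/8,
    # which is exactly the case the page uses to motivate choosing 192.168.0.0/24.
    for cand in ("10.0.0.0/24", "192.168.255.0/24", "216.239.43.0/24", "192.168.0.0/24"):
        print(cand, "->", check_private_range(cand, "10.0.0.0/8") or "OK")
    print("suggested:", choose_private_range("10.0.0.0/8"))
```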