BranchCache Deployment Guide
Microsoft Corporation
Published: October, 2009
Author: James McIllece
Editor: Scott Somohano
Abstract
BranchCache is a wide area network (WAN) bandwidth optimization technology that is included in
some editions of the Windows Server® 2008 R2 and Windows® 7 operating systems. To
optimize WAN bandwidth, BranchCache copies content from your main office content servers and
caches the content at branch office locations, allowing client computers at branch offices to
access the content locally rather than over the WAN.
This deployment guide provides instructions on deploying BranchCache in both distributed cache
mode and hosted cache mode, and allows you to deploy Hypertext Transfer protocol (HTTP),
Background Intelligent Transfer Service (BITS), and Server Message Block (SMB)-based content
servers that are Web servers, application servers, and file servers, respectively.
The information contained in this document represents the current view of Microsoft Corporation
on the issues discussed as of the date of publication. Because Microsoft must respond to
changing market conditions, it should not be interpreted to be a commitment on the part of
Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the
date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES,
EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail
addresses, logos, people, places, and events depicted herein are fictitious, and no association
with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred.
Your right to copy this documentation is limited by copyright law and the terms of the software
license agreement. As the software licensee, you may make a reasonable number of copies or
printouts for your own use. Making unauthorized copies, adaptations, compilations, or derivative
works for commercial distribution is prohibited and constitutes a punishable violation of the law.
© 2009 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.
Contents
BranchCache Deployment Guide .................................................................................................... 5
What this guide provides .......................................................................................................... 5
What this guide does not provide ............................................................................................. 6
Deploy BranchCache ....................................................................................................................... 6
Deploy BranchCache in distributed cache mode ......................................................................... 6
Deploy BranchCache in hosted cache mode ............................................................................... 6
Install and configure content servers ............................................................................................... 7
Install content servers that use the BranchCache feature .............................................................. 7
Install the BranchCache feature ...................................................................................................... 7
Configure Windows Server Update Services (WSUS) content servers .......................................... 8
Install File Services content servers ................................................................................................ 8
Configure the File Services server role ........................................................................................... 9
Install a new file server as a content server .................................................................................... 9
Configure an existing file server as a content server .................................................................... 10
Enable hash publication for file servers ......................................................................................... 10
Enable hash publication for non-domain member file servers ...................................................... 11
Enable hash publication for domain member file servers ............................................................. 12
Create the BranchCache file servers organizational unit .............................................................. 12
Move file servers to the BranchCache file servers organizational unit .......................................... 13
Create the BranchCache hash publication Group Policy object ................................................... 13
Configure the BranchCache hash publication Group Policy object ............................................... 14
Enable BranchCache on a file share ............................................................................................. 16
Deploy a distributed cache mode design ...................................................................................... 16
Configure client computers for distributed cache mode ................................................................ 17
Use Group Policy to configure domain member clients for distributed cache mode ..................... 17
Configure domain member client distributed cache mode firewall rules ....................................... 19
Non-domain member client configuration for distributed cache mode .......................................... 21
Enable BranchCache distributed cache mode using network shell commands ............................ 21
Configure client computer distributed cache mode firewall rules .................................................. 22
[MS-PCCRD]: Peer Content Caching and Retrieval Discovery Protocol ................................... 22
[MS-PCCRR]: Peer Content Caching and Retrieval: Retrieval Protocol ................................... 22
Deploy a hosted cache mode design ............................................................................................ 23
Configure client computers for hosted cache mode ...................................................................... 24
Use Group Policy to configure domain member clients for hosted cache mode .......................... 25
Configure domain member client hosted cache mode firewall rules ............................................. 26
Non-domain member client configuration for hosted cache mode ................................................ 28
Enable BranchCache hosted cache mode using network shell commands ................................. 28
Configure hosted cache mode firewall rules ................................................................................. 29
[MS-PCCRR]: Peer Content Caching and Retrieval: Retrieval Protocol ................................... 29
[MS-PCHC]: Peer Content Caching and Retrieval: Hosted Cache Protocol ............................. 30
Install and configure the hosted cache server ............................................................................... 30
Install the BranchCache feature .................................................................................................... 31
Enable hosted cache server mode on a hosted cache server ...................................................... 32
Install the certification authority and enroll certificates to hosted cache servers .......................... 32
Create the hosted cache servers group ........................................................................................ 33
Add hosted cache servers to the group ......................................................................................... 34
Install the certification authority (CA) ............................................................................................. 34
Configure the Web Server certificate template .............................................................................. 36
Configure server certificate autoenrollment ................................................................................... 37
Refresh Group Policy .................................................................................................................... 38
Obtain the SHA-1 hash of the hosted cache server certificate ..................................................... 39
Link the hosted cache server certificate to BranchCache ............................................................. 40
Additional Resources ..................................................................................................................... 41
BranchCache Deployment Guide
BranchCache is a wide area network (WAN) bandwidth optimization technology that is included in
some editions of the Windows Server® 2008 R2 and Windows® 7 operating systems.
Note
For more information about operating systems that support BranchCache, see the
section “Operating systems for BranchCache content server functionality” in the topic
BranchCache Overview in the Windows Server® 2008 and Windows Server 2008 R2
Technical Library at http://technet.microsoft.com/en-us/library/ee307962(WS.10).aspx.
To optimize WAN bandwidth, BranchCache copies content from your main office content servers
and caches the content at branch office locations, allowing client computers at branch offices to
access the content locally rather than over the WAN.
At branch offices, content is cached either on servers that are running the BranchCache feature
of Windows Server 2008 R2 or, when no server is available in the branch office, on computers
running Windows 7. After a client computer requests and receives content from the main office
and the content is cached at the branch office, other computers at the same branch office can
obtain the content locally rather than contacting the main office over the WAN link.
What this guide provides
This deployment guide allows you to deploy BranchCache in the following modes:
• Distributed cache mode. In this mode, branch office client computers download content from
the content servers in the main office and then cache the content for other computers in the
same branch office. Distributed cache mode does not require a server computer in the
branch office.
• Hosted cache mode. In this mode, branch office client computers download content from the
content servers in the main office, and a hosted cache server retrieves the content from the
clients. The hosted cache server then caches the content for other client computers. Hosted
cache mode does require a server computer in the branch office, and there are additional
requirements.
This guide also provides instructions on how to deploy three types of content servers. Content
servers contain the source content that is downloaded by branch office client computers, and one
or more content server is required to deploy BranchCache in either mode. The content server
types are:
• Web server-based content servers. These content servers send content to BranchCache
client computers using the HTTP and HTTPS protocols. These content servers must be
running Windows Server 2008 R2 versions that support BranchCache and upon which the
BranchCache feature is installed.
• BITS-based application servers. These content servers send content to BranchCache client
computers using the Background Intelligent Transfer Service (BITS). These content servers
must be running Windows Server 2008 R2 versions that support BranchCache and upon
which the BranchCache feature is installed.
• File server-based content servers. These content servers must be running Windows
Server 2008 R2 versions that support BranchCache and upon which the File Services server
role is installed. In addition, the BranchCache for network files role service of the File
Services server role must be installed and configured. These content servers send content to
BranchCache client computers using the Server Message Block (SMB) protocol.
What this guide does not provide
This guide does not provide conceptual information that explains BranchCache functionality. This
guide also does not contain information on how to plan and design a BranchCache deployment.
That information is included in other BranchCache documentation, which is in the
Windows Server® 2008 and Windows Server 2008 R2 Technical Library at
http://go.microsoft.com/fwlink/?LinkId=162776.
Deploy BranchCache
See the following topics to deploy BranchCache.
Note
The procedures in this guide do not include instructions for those cases in which the User
Account Control dialog box opens to request your permission to continue. If this dialog
box opens while you are performing the procedures in this guide, and if the dialog box
was opened in response to your actions, click Continue.
Deploy BranchCache in distributed cache mode
To deploy BranchCache in distributed cache mode, use the following topics.
• Install and configure content servers
• Deploy a distributed cache mode design
Deploy BranchCache in hosted cache mode
To deploy BranchCache in hosted cache mode, use the following topics.
• Install and configure content servers
• Deploy a hosted cache mode design
For more information on the technologies used to deploy BranchCache, see Additional
Resources.
Install and configure content servers
When you deploy BranchCache in distributed cache mode or hosted cache mode, you must
deploy one or more content servers at your main office. Content servers that are Web servers or
application servers use the BranchCache feature. Content servers that are file servers use the
BranchCache for network files role service of the File Services server role in Windows
Server® 2008 R2.
See the following topics to deploy content servers.
• Install content servers that use the BranchCache feature
• Install File Services content servers
Install content servers that use the
BranchCache feature
To deploy content servers that are Secure Hypertext Transfer Protocol (HTTPS) 1.1 Web servers,
Hypertext Transfer Protocol (HTTP) 1.1 Web servers, and Background Intelligent Transfer Service
(BITS)-based application servers, such as Windows Server Update Services (WSUS) and
System Center Configuration Manager branch distribution site system servers, you must install
the BranchCache feature, start the BranchCache service, and (for WSUS servers only) perform
additional configuration steps.
See the following topics to deploy content servers.
• Install the BranchCache feature
• Configure Windows Server Update Services (WSUS) content servers
Install the BranchCache feature
You can use this procedure to install the BranchCache feature and start the BranchCache service
on a computer running Windows Server® 2008 R2.
Membership in Administrators, or equivalent, is the minimum required to perform this procedure.
To install and enable the BranchCache feature
1. Click Start, click Administrative Tools, and then click Server Manager. Server Manager
opens.
2. In the Server Manager left pane, right-click Features, and then click Add Features. The
Add Features Wizard opens.
3. In the Add Features Wizard, in Features, select the BranchCache check box, and then
click Next.
4. In Confirm Installation Selections, review your choice and then click Install. The
Installation Progress pane is displayed during installation, and then the Installation
Results pane is displayed.
5. In Installation Results, review the summary and then click Close. The Add Features
Wizard closes.
6. In the Server Manager left pane, double-click Configuration, and then click Services.
7. In the details pane, in Services, double-click BranchCache. The BranchCache
Properties dialog box opens.
8. In the BranchCache Properties dialog box, on the General tab, click Start to start the
BranchCache service, and then click OK.
Important
The BranchCache service startup type is Automatic, which means that the
BranchCache service starts whenever the computer is restarted. It is
recommended that you keep the startup type value set to Automatic.
Configure Windows Server Update Services
(WSUS) content servers
After installing the BranchCache feature and starting the BranchCache service, WSUS servers
must be configured to store update files on the local computer. When you configure WSUS
servers to store update files on the local computer, both the update metadata and the update files
are downloaded by and stored directly upon the WSUS server. This ensures that BranchCache
client computers receive Microsoft product update files from the WSUS server rather than directly
from the Microsoft Update Web site.
To learn more about WSUS server configuration, see “Advanced Synchronization Options for
WSUS” on Microsoft TechNet at http://go.microsoft.com/fwlink/?LinkId=150597.
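The console setting described above can also be enforced and verified from PowerShell through the WSUS administration API. The following script is an added example and is not part of the guide or of WSUS itself; it assumes it runs on the WSUS server, that the Microsoft.UpdateServices.Administration assembly is present there, and that the configuration property HostBinariesOnMicrosoftUpdate is the API counterpart of the "store update files locally" option (this is the property name as I recall it from the WSUS API; confirm it against your WSUS version before scripting production servers). The function name Set-WsusLocalUpdateStorage is my own.

```powershell
# Added example, not from the guide: make a WSUS content server store update
# files locally so BranchCache clients fetch the binaries from it rather than
# from Microsoft Update. Assumes the WSUS administration assembly is installed
# on this computer (it is, on a WSUS server).
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

function Set-WsusLocalUpdateStorage {
    # Connect to the WSUS instance on the local computer.
    $wsus   = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
    $config = $wsus.GetConfiguration()

    # Assumed property: $true means clients are redirected to Microsoft Update for
    # the update files, which bypasses the WSUS content server and so BranchCache.
    if ($config.HostBinariesOnMicrosoftUpdate) {
        $config.HostBinariesOnMicrosoftUpdate = $false
        $config.Save()
        Write-Output 'WSUS now stores update files locally; run a synchronization to download them.'
    } else {
        Write-Output 'WSUS already stores update files locally.'
    }

    # Re-read the configuration and return $true only if the files are now local.
    return (-not $wsus.GetConfiguration().HostBinariesOnMicrosoftUpdate)
}

# Usage on the WSUS server:
Set-WsusLocalUpdateStorage
```

Changing this setting only affects future synchronizations; update files that clients already obtained directly from Microsoft Update are downloaded to the WSUS server at the next synchronization.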
Install File Services content servers
To deploy content servers that are running the File Services server role, you must install the
BranchCache for network files role service of the File Services server role. In addition, you must
enable hash publication on the server, and enable BranchCache on file shares according to your
requirements.
Note
During the configuration of the content server, you can allow BranchCache publication of
content for all file shares or you can select a subset of file shares to publish.
See the following topics to deploy content servers.
• Configure the File Services server role
• Enable hash publication for non-domain member file servers
• Enable BranchCache on a file share
Configure the File Services server role
You can deploy BranchCache file server-based content servers on computers running Windows
Server® 2008 R2 and the File Services server role with the BranchCache for network files role
service installed.
• To install a BranchCache content server on a computer that does not already have File
Services installed, see Install a new file server as a content server.
• To install a BranchCache content server on a computer that is already configured with the
File Services server role, see Configure an existing file server as a content server.
Install a new file server as a content server
You can use this procedure to install the File Services server role and the BranchCache for
network files role service on a computer running Windows Server® 2008 R2.
Membership in Administrators, or equivalent, is the minimum required to perform this procedure.
To install File Services and the BranchCache for network files role service
1. Click Start, click Administrative Tools, and then click Server Manager. Server Manager
opens.
2. In the Server Manager left pane, right-click Roles, and then click Add Roles. The Add
Roles Wizard opens. In Before You Begin, click Next.
3. In Select Server Roles, in Roles, select the File Services check box, and then click
Next.
4. In File Services, review the information, and then click Next.
5. In Select Role Services, in Role services, ensure that File Server is selected. Also
select the BranchCache for network files check box, and then click Next.
6. In Confirm Installation Selections, review your selections, and then click Install. The
Installation Progress pane is displayed during installation, and then the Installation
Results pane is displayed. Review your results, and then click Close.
Configure an existing file server as a content
server
You can use this procedure to install the BranchCache for network files role service of the File
Services server role on a computer running Windows Server® 2008 R2.
Membership in Administrators, or equivalent, is the minimum required to perform this procedure.
Important
If the File Services server role is not already installed, do not follow this procedure.
Instead, see Install a new file server as a content server.
To install the BranchCache for network files role service
1. Click Start, click Administrative Tools, and then click Server Manager. Server Manager
opens.
2. In the Server Manager left pane, double-click Roles, right-click File Services, and then
click Add Role Services. The Add Role Services wizard opens.
3. In Select Role Services, select the BranchCache for network files check box, and
then click Next.
4. In Confirm Installation Selections, review your selections, and then click Install. The
Installation Progress pane is displayed during installation, and then the Installation
Results pane is displayed. Review your results, and then click Close.
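The Server Manager procedures for the two content server types (the BranchCache feature for Web and BITS servers in Install the BranchCache feature, and the File Services role service in the two procedures above) can be scripted with the ServerManager module that ships with Windows Server 2008 R2. The following PowerShell is an added example and not part of the guide: it assumes the feature names BranchCache, FS-FileServer and FS-BranchCache as reported by Get-WindowsFeature on that release, and PeerDistSvc as the service name behind the "BranchCache" display name; the function name Install-BranchCacheContentServer is my own.

```powershell
# Added example, not from the guide. Installs the BranchCache components on
# Windows Server 2008 R2 (PowerShell 2.0 syntax) and verifies the result.
Import-Module ServerManager

function Install-BranchCacheContentServer {
    param(
        # 'Web' covers HTTP/HTTPS and BITS content servers (the BranchCache feature);
        # 'File' covers SMB file servers (File Services + BranchCache for network files).
        [Parameter(Mandatory=$true)]
        [ValidateSet('Web', 'File')]
        [string]$Type
    )

    # Feature names as listed by Get-WindowsFeature on Windows Server 2008 R2.
    if ($Type -eq 'Web') {
        $features = @('BranchCache')
    } else {
        $features = @('FS-FileServer', 'FS-BranchCache')
    }

    $result = Add-WindowsFeature -Name $features
    if (-not $result.Success) {
        throw "Feature installation failed (exit code: $($result.ExitCode))"
    }
    if ($result.RestartNeeded -ne 'No') {
        Write-Warning 'A restart is required before the installed components are usable.'
    }

    # Confirm that every requested component now reports Installed.
    $missing = Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed }
    if ($missing) {
        $names = ($missing | ForEach-Object { $_.Name }) -join ', '
        throw "Still not installed: $names"
    }

    if ($Type -eq 'Web') {
        # The guide keeps the startup type at Automatic and starts the service by hand;
        # do the same here and fail if the service is not running afterwards.
        Set-Service -Name PeerDistSvc -StartupType Automatic
        Start-Service -Name PeerDistSvc
        if ((Get-Service -Name PeerDistSvc).Status -ne 'Running') {
            throw 'The BranchCache service did not start.'
        }
        # netsh reports the service state and shows that no client mode has been
        # enabled on this server; a content server needs only the service.
        netsh branchcache show status
    }
}

# Usage on the main office server being provisioned (pick 'Web' or 'File'):
Install-BranchCacheContentServer -Type File
```

On a file server the script stops after the role service check: hash publication for SMB content is performed by the Server service once the policy in the following sections is applied, so PeerDistSvc is not started there.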
Enable hash publication for file servers
You can enable BranchCache hash publication on one file server or on multiple file servers.
• To enable hash publication on one file server using local computer Group Policy, see Enable
hash publication for non-domain member file servers.
• To enable hash publication on multiple file servers using domain Group Policy, see Enable
hash publication for domain member file servers.
Note
If you have multiple file servers and you want to enable hash publication per share, rather
than enabling hash publication for all shares, you can use the instructions in the topic
Enable hash publication for non-domain member file servers.
Enable hash publication for non-domain
member file servers
You can use this procedure to configure hash publication for BranchCache using local computer
Group Policy on a file server that is running Windows Server® 2008 R2 with the BranchCache for
network files role service of the File Services server role installed. This procedure is intended for
use on a non-domain member file server. If you perform this procedure on a domain member file
server and you also configure BranchCache using domain Group Policy, domain Group Policy
settings override local Group Policy settings.
Membership in Administrators, or equivalent, is the minimum required to perform this procedure.
Note
If you have one or more domain member file servers, you can add them to an
organizational unit (OU) in Active Directory Domain Services and then use Group Policy
to configure hash publication for all of the file servers at one time, rather than individually
configuring each file server. For more information, see Enable hash publication for
domain member file servers.
To enable hash publication for one file server
1. Click Start, click Run, type mmc, and then press ENTER. The Microsoft Management
Console (MMC) opens.
2. In the MMC, on the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box opens.
3. In Add or Remove Snap-ins, in Available snap-ins, double-click Group Policy Object
Editor. The Group Policy Wizard opens with the Local Computer object selected. Click
Finish, and then click OK.
4. In the Local Group Policy Editor MMC, expand the following path: Computer
Configuration, Administrative Templates, Network, Lanman Server. Click Lanman
Server.
5. In the details pane, double-click Hash Publication for BranchCache. The Hash
Publication for BranchCache dialog box opens.
6. In the Hash Publication for BranchCache dialog box, click Enabled.
7. In Options, click Allow hash publication for all shared folder, and then click one of the
following:
a. To enable hash publication for all shared folders on this computer, click Allow hash
publication for all shared folder.
b. To enable hash publication only for shared folders for which BranchCache is
enabled, click Allow hash publication only for shared folders on which
BranchCache is enabled.
c. To disallow hash publication for all shared folders on the computer even if
BranchCache is enabled on the file shares, click Disallow hash publication on all
shared folders.
8. Click OK.
Enable hash publication for domain member
file servers
When you’re using Active Directory Domain Services (AD DS), you can use domain Group Policy
to enable BranchCache hash publication for multiple file servers. To do so, you must create an
organizational unit (OU), add file servers to the OU, create a BranchCache hash publication
Group Policy object (GPO), and then configure the GPO.
See the following topics to enable hash publication for multiple file servers.
• Create the BranchCache file servers organizational unit
• Move file servers to the BranchCache file servers organizational unit
• Create the BranchCache hash publication Group Policy object
• Configure the BranchCache hash publication Group Policy object
Create the BranchCache file servers
organizational unit
You can use this procedure to create an organizational unit (OU) in Active Directory Domain
Services (AD DS) for BranchCache file servers.
Membership in Domain Admins, or equivalent, is the minimum required to perform this
procedure.
To create the BranchCache file servers organizational unit
1. On a computer where AD DS is installed, click Start, click Administrative Tools, and
then click Active Directory Users and Computers. The Active Directory Users and
Computers console opens.
2. In the Active Directory Users and Computers console, right-click the domain to which you
want to add an OU. For example, if your domain is named example.com, right-click
example.com. Point to New, and then click Organizational Unit. The New Object –
Organizational Unit dialog box opens.
3. In the New Object – Organizational Unit dialog box, in Name, type a name for the new
OU. For example, if you want to name the OU BranchCache file servers, type
BranchCache file servers, and then click OK.
Move file servers to the BranchCache file
servers organizational unit
You can use this procedure to add BranchCache file servers to an organizational unit (OU) in
Active Directory Domain Services (AD DS).
Membership in Domain Admins, or equivalent, is the minimum required to perform this
procedure.
Note
You must create a BranchCache file servers OU in the Active Directory Users and
Computers console before you add computer accounts to the OU with this procedure. For
more information, see Create the BranchCache file servers organizational unit.
To move file servers to the BranchCache file servers organizational unit
1. On a computer where AD DS is installed, click Start, click Administrative Tools, and
then click Active Directory Users and Computers. The Active Directory Users and
Computers console opens.
2. In the Active Directory Users and Computers console, locate the computer account for a
BranchCache file server, left-click to select the account, and then drag and drop the
computer account on the BranchCache file servers OU that you previously created. For
example, if you previously created an OU named BranchCache file servers, drag and
drop the computer account on the BranchCache file servers OU.
3. Repeat the previous step for each BranchCache file server in the domain that you want to
move to the OU.
Create the BranchCache hash publication
Group Policy object
You can use this procedure to create the BranchCache hash publication Group Policy object
(GPO).
Membership in Domain Admins, or equivalent, is the minimum required to perform this
procedure.
Note
Before performing this procedure, you must create the BranchCache file servers
organizational unit and move file servers into the OU. For more information, see Enable
hash publication for domain member file servers.
To create the BranchCache hash publication Group Policy object
1. Click Start, click Run, type mmc, and then press ENTER. The Microsoft Management
Console (MMC) opens.
2. In the MMC, on the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box opens.
3. In Add or Remove Snap-ins, in Available snap-ins, double-click Group Policy
Management, and then click OK.
4. In the Group Policy Management MMC, expand the path to the BranchCache file servers
OU that you previously created. For example, if your forest is named example.com, your
domain is named example1.com, and your OU is named BranchCache file servers,
expand the following path: Group Policy Management, Forest: example.com,
Domains, example1.com, Group Policy Objects.
5. Right-click Group Policy Objects, and then click New. The New GPO dialog box opens.
In Name, type a name for the new Group Policy object (GPO). For example, if you want
to name the object BranchCache Hash Publication, type BranchCache Hash
Publication. Click OK.
6. In the Group Policy Management MMC, right-click the BranchCache file servers
organizational unit (OU) that you created previously. For example, if your OU is named
BranchCache file servers, right-click BranchCache file servers, and then click Link an
Existing GPO. The Select GPO dialog box opens.
7. In the Select GPO dialog box, in Group Policy objects, click the BranchCache hash
publication GPO that you created earlier in this procedure. For example, if your GPO is
named BranchCache Hash Publication, click BranchCache Hash Publication. Click OK.
Configure the BranchCache hash publication
Group Policy object
You can use this procedure to configure the BranchCache hash publication Group Policy object
(GPO).
Membership in Domain Admins, or equivalent, is the minimum required to perform this
procedure.
Note
Before performing this procedure, you must create the BranchCache file servers
organizational unit, move file servers into the OU, and create the BranchCache hash
publication Group Policy object (GPO). For more information, see Enable hash
publication for domain member file servers.
To configure the BranchCache hash publication Group Policy object
1. Click Start, click Run, type mmc, and then press ENTER. The Microsoft Management
Console (MMC) opens.
2. In the MMC, on the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box opens.
3. In Add or Remove Snap-ins, in Available snap-ins, double-click Group Policy
Management, and then click OK.
4. In the Group Policy Management MMC, expand the path to the BranchCache hash
publication GPO that you previously created. For example, if your forest is named
example.com, your domain is named example1.com, and your GPO is named
BranchCache Hash Publication, expand the following path: Group Policy
Management, Forest: example.com, Domains, example1.com, Group Policy
Objects, BranchCache Hash Publication.
5. Right-click the BranchCache Hash Publication GPO and click Edit. The Group Policy
Management Editor console opens.
6. In the Group Policy Management Editor console, expand the following path: Computer
Configuration, Policies, Administrative Templates, Network, Lanman Server.
7. In the Group Policy Management Editor console, click Lanman Server. In the details
pane, double-click Hash Publication for BranchCache. The Hash Publication for
BranchCache dialog box opens.
8. In the Hash Publication for BranchCache dialog box, click Enabled.
9. In Options, click Allow hash publication for all shared folder, and then click one of the
following:
a. To enable hash publication for all shared folders on this computer, click Allow hash
publication for all shared folder.
b. To enable hash publication only for shared folders for which BranchCache is
enabled, click Allow hash publication only for shared folders on which
BranchCache is enabled.
c. To disallow hash publication for all shared folders on the computer even if
BranchCache is enabled on the file shares, click Disallow hash publication on all
shared folders.
10. Click OK.
Note
In most cases, you must save the MMC console and refresh the view to display the
configuration changes you have made.
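The four console procedures for domain member file servers (create the OU, move the computer accounts, create and link the GPO, configure Hash Publication for BranchCache) can be scripted with the ActiveDirectory and GroupPolicy modules available on Windows Server 2008 R2, and the same check at the end also applies to a non-domain member file server configured through local Group Policy. The following PowerShell is an added example, not part of the guide. Its assumptions: the domain example.com from the guide's OU example, the server names FS01 and FS02 (constructed), and that the Hash Publication for BranchCache template writes the DWORD value HashPublicationForPeerCaching under the LanmanServer policy key with 0 = Disallow, 1 = Allow for all shared folders and 2 = Allow only for shared folders on which BranchCache is enabled; that registry mapping is from memory of the administrative template, so confirm it once with Get-GPRegistryValue against a GPO configured through the editor before relying on the script. The function names are my own.

```powershell
# Added example, not from the guide. Scripts the OU / GPO / policy steps of the
# domain hash publication procedure and checks the effective value on a file server.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Assumed policy location and value mapping (confirm with Get-GPRegistryValue).
$HashPublicationKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\LanmanServer'
$HashPublicationValue = 'HashPublicationForPeerCaching'
$HashPublicationModes = @{ Disallow = 0; AllowAll = 1; AllowEnabledShares = 2 }

function Set-BranchCacheHashPublicationPolicy {
    param(
        [string]$DomainDN      = 'DC=example,DC=com',
        [string]$OuName        = 'BranchCache file servers',
        [string]$GpoName       = 'BranchCache Hash Publication',
        [string[]]$FileServers = @(),
        [ValidateSet('Disallow', 'AllowAll', 'AllowEnabledShares')]
        [string]$Mode = 'AllowEnabledShares'
    )
    $ouDN = "OU=$OuName,$DomainDN"

    # 1. Create the OU only if it is not already there (safe to rerun).
    $ou = Get-ADOrganizationalUnit -Filter { Name -eq $OuName } -SearchBase $DomainDN -SearchScope OneLevel
    if (-not $ou) { New-ADOrganizationalUnit -Name $OuName -Path $DomainDN }

    # 2. Move each file server's computer account into the OU.
    foreach ($server in $FileServers) {
        $computer = Get-ADComputer -Identity $server
        if ($computer.DistinguishedName -notlike "*,$ouDN") {
            Move-ADObject -Identity $computer.DistinguishedName -TargetPath $ouDN
        }
    }

    # 3. Create the GPO if needed and link it to the OU if it is not linked yet.
    $gpo = Get-GPO -All | Where-Object { $_.DisplayName -eq $GpoName }
    if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
    $linked = (Get-GPInheritance -Target $ouDN).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
    if (-not $linked) { New-GPLink -Name $GpoName -Target $ouDN | Out-Null }

    # 4. Enabled + one of the three Options radio buttons, as a single registry policy value.
    Set-GPRegistryValue -Name $GpoName -Key $HashPublicationKey -ValueName $HashPublicationValue `
        -Type DWord -Value $HashPublicationModes[$Mode] | Out-Null

    # Return the stored policy value so the caller can confirm it.
    return Get-GPRegistryValue -Name $GpoName -Key $HashPublicationKey -ValueName $HashPublicationValue
}

function Test-BranchCacheHashPublication {
    # Run on the file server itself (after gpupdate on a domain member, or after
    # the local Group Policy procedure on a non-domain member) to read the value
    # that policy processing actually applied.
    $localKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanServer'
    $item = Get-ItemProperty -Path $localKey -Name $HashPublicationValue -ErrorAction SilentlyContinue
    if (-not $item) { return 'NotConfigured' }
    $current = $item.$HashPublicationValue
    foreach ($name in $HashPublicationModes.Keys) {
        if ($HashPublicationModes[$name] -eq $current) { return $name }
    }
    return "Unknown value $current"
}

# Usage on a domain controller or a workstation with RSAT (server names constructed):
Set-BranchCacheHashPublicationPolicy -FileServers 'FS01', 'FS02' -Mode AllowEnabledShares
# Usage on a file server after 'gpupdate /target:computer /force':
Test-BranchCacheHashPublication
```

Test-BranchCacheHashPublication is the check worth keeping: a share with BranchCache enabled publishes nothing while this value is absent or 0, which is the condition the note under Enable BranchCache on a file share describes.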
Enable BranchCache on a file share
You can use this procedure to enable BranchCache on a file share.
Membership in Domain Admins, or equivalent, is the minimum required to perform this
procedure.
Note
To make shared content available to BranchCache client computers, you must enable
BranchCache on the file share and the hash publication setting in Group Policy must be
set to either Allow hash publication only for shared folders on which BranchCache
is enabled or Allow hash publication for all shared folder.
To enable BranchCache on a file share
1. Click Start, click Administrative Tools, and then click Share and Storage
Management. The Share and Storage Management console opens.
2. In the details pane, on the Shares tab, right-click a share, and then click Properties. The
share’s Properties dialog box opens.
3. In the Properties dialog box, on the Sharing tab, click Advanced.
4. Click the Caching tab, ensure that Only the files and programs that users specify are
available offline is selected, and then click Enable BranchCache.
5. Click OK twice.
Deploy a distributed cache mode design
When you deploy BranchCache in distributed cache mode for a branch office, a hosted cache
server is not required at the branch office.
Client computers that are running either Windows® 7 Enterprise or Windows® 7 Ultimate are
installed at the branch office. These clients download content from content servers that are
installed at the main office; and after downloading content, the client computers act as client
cache servers by providing the content to other clients in the same branch office upon request.
To deploy BranchCache in distributed cache mode, you must install and configure content
servers in your main office and install and configure client computers in your branch office. In
addition, client computers at branch offices must be able to access the main office content
servers over some type of wide area network (WAN) link, such as a dedicated or on-demand
virtual private network (VPN) connection between the offices; or clients must use some other
method to connect to the content servers, such as by using DirectAccess.
See the following topics to deploy BranchCache in distributed cache mode.
• Install and configure content servers
• Configure client computers for distributed cache mode
Configure client computers for distributed
cache mode
You can use the procedures in this section to configure client computers for BranchCache when
you deploy distributed cache mode. Client computers running Windows® 7 have BranchCache
installed by default; however, you must enable and configure BranchCache and configure firewall
exceptions.
See the following topics to perform these actions.
• Use Group Policy to configure domain member clients for distributed cache mode
• Configure domain member client distributed cache mode firewall rules
• Non-domain member client configuration for distributed cache mode
Note
When distributed cache mode clients are connecting to main office resources using
DirectAccess, ensure that Internet Protocol security (IPsec) rules allow BranchCache
traffic. Use the inbound and outbound rule settings provided in the topic Configure client
computer distributed cache mode firewall rules to create IPsec rules.
Use Group Policy to configure domain
member clients for distributed cache mode
You can use this procedure to configure Group Policy to enable and configure BranchCache
distributed cache mode on domain-joined client computers.
Membership in Domain Admins, or equivalent, is the minimum required to perform this
procedure.
To use Group Policy to configure clients for distributed cache mode
1. On a computer upon which the Active Directory Domain Services server role is installed,
click Start, click Administrative Tools, and click Group Policy Management. The
Group Policy Management console opens.
2. In the Group Policy Management console, expand the following path: Forest:
example.com, Domains, example.com, Group Policy Objects, where example.com is
the name of the domain where the BranchCache client computer accounts that you want
to configure are located.
3. Right-click Group Policy Objects, and then click New. The New GPO dialog box opens.
In Name, type a name for the new Group Policy object (GPO). For example, if you want
to name the object BranchCache Client Computers, type BranchCache Client
Computers. Click OK.
4. In the Group Policy Management console, ensure that Group Policy Objects is
selected, and in the details pane right-click the GPO that you just created. For example, if
you named your GPO BranchCache Client Computers, right-click BranchCache Client
Computers. Click Edit. The Group Policy Management Editor console opens.
5. In the Group Policy Management Editor console, expand the following path: Computer
Configuration, Policies, Administrative Templates: Policy definitions (ADMX files)
retrieved from the local machine, Network, BranchCache.
6. Click BranchCache, and then in the details pane, double-click Turn on BranchCache.
The Turn on BranchCache dialog box opens.
7. In the Turn on BranchCache dialog box, click Enabled, and then click OK.
8. In the Group Policy Management Editor console, ensure that BranchCache is still
selected, and then in the details pane double-click Set BranchCache Distributed Cache
mode. The Set BranchCache Distributed Cache mode dialog box opens.
9. In the Set BranchCache Distributed Cache mode dialog box, click Enabled, and then
click OK.
10. To configure the amount of hard disk space allocated on each client computer for the
BranchCache cache: In the Group Policy Management Editor console, ensure that
BranchCache is still selected, and then in the details pane double-click Set percentage
of disk space used for client computer cache. The Set percentage of disk space
used for client computer cache dialog box opens. Click Enabled, and then in Options
type a numeric value that represents the percentage of hard disk space used on each
client computer for the BranchCache cache.
11. To enable client computers to download and cache content from BranchCache file
server-based content servers: In the Group Policy Management Editor console, ensure
that BranchCache is still selected, and then in the details pane double-click
BranchCache for network files. The Configure BranchCache for network files dialog
box opens.
12. In the Configure BranchCache for network files dialog box, click Enabled. In Options,
type a numeric value, in milliseconds, for the maximum round trip network latency time,
and then click OK.
Note
By default, client computers cache content from file servers if the round trip
network latency is longer than 80 milliseconds.
Configure domain member client distributed
cache mode firewall rules
When you configure BranchCache in distributed cache mode, BranchCache client computers use
the Hypertext Transfer Protocol (HTTP) for data transfer with other client computers.
BranchCache client computers also use the Web Services Dynamic Discovery (WS-Discovery)
protocol when they attempt to discover content on client cache servers. You can use this
procedure to configure client firewall exceptions to allow incoming HTTP and WS-Discovery traffic
on client computers that are configured for distributed cache mode.
Note
The HTTP inbound and outbound firewall exceptions created with this procedure have
the following settings: TCP port 80. The WS-Discovery inbound and outbound firewall
exceptions created with this procedure have the following settings: UDP port 3702.
Membership in Domain Admins, or equivalent, is the minimum required to perform this
procedure.
To configure distributed cache mode client firewall exceptions
1. On a computer upon which the Active Directory Domain Services server role is installed,
click Start, click Administrative Tools, and click Group Policy Management. The
Group Policy Management console opens.
2. In the Group Policy Management console, expand the following path: Forest:
example.com, Domains, example.com, Group Policy Objects, where example.com is
the name of the domain where the BranchCache client computer accounts that you want
to configure are located.
3. In the Group Policy Management console, ensure that Group Policy Objects is
selected, and in the details pane right-click the BranchCache client computers GPO that
you created previously. For example, if you named your GPO BranchCache Client
Computers, right-click BranchCache Client Computers. Click Edit. The Group Policy
Management Editor console opens.
4. In the Group Policy Management Editor console, expand the following path: Computer
Configuration, Policies, Windows Settings, Security Settings, Windows Firewall
with Advanced Security, Windows Firewall with Advanced Security – LDAP…,
Inbound Rules.
5. Right-click Inbound Rules, and then click New Rule. The New Inbound Rule Wizard
opens.
6. In Rule Type, click Predefined, expand the list of choices, and then click BranchCache
– Content Retrieval (Uses HTTP). Click Next.
7. In Predefined Rules, click Next.
8. In Action, ensure that Allow the connection is selected, and then click Finish.
Important
You must select Allow the connection for the BranchCache client to be able
to receive traffic on this port.
9. To create the WS-Discovery firewall exception, again right-click Inbound Rules, and
then click New Rule. The New Inbound Rule Wizard opens.
10. In Rule Type, click Predefined, expand the list of choices, and then click BranchCache
– Peer Discovery (Uses WSD). Click Next.
11. In Predefined Rules, click Next.
12. In Action, ensure that Allow the connection is selected, and then click Finish.
Important
You must select Allow the connection for the BranchCache client to be able
to receive traffic on this port.
13. In the Group Policy Management Editor console, right-click Outbound Rules, and then
click New Rule. The New Outbound Rule Wizard opens.
14. In Rule Type, click Predefined, expand the list of choices, and then click BranchCache
– Content Retrieval (Uses HTTP). Click Next.
15. In Predefined Rules, click Next.
16. In Action, ensure that Allow the connection is selected, and then click Finish.
Important
You must select Allow the connection for the BranchCache client to be able
to send traffic on this port.
17. To create the WS-Discovery firewall exception, again right-click Outbound Rules, and
then click New Rule. The New Outbound Rule Wizard opens.
18. In Rule Type, click Predefined, expand the list of choices, and then click BranchCache
– Peer Discovery (Uses WSD). Click Next.
19. In Predefined Rules, click Next.
20. In Action, ensure that Allow the connection is selected, and then click Finish.
Important
You must select Allow the connection for the BranchCache client to be able
to send traffic on this port.
Non-domain member client configuration for
distributed cache mode
Using Group Policy to automate the configuration of BranchCache client computers for distributed
cache mode is recommended; however, you can also manually configure individual computers. In
addition, you can use these topics to configure non-domain member computers.
See the following topics to manually configure BranchCache client computers.
• Enable BranchCache distributed cache mode using network shell commands
• Configure client computer distributed cache mode firewall rules
Enable BranchCache distributed cache mode
using network shell commands
You can use this procedure to manually configure a BranchCache client computer for distributed
cache mode using network shell (netsh) commands.
Note
If you have configured BranchCache client computers using Group Policy, the Group
Policy settings override any manual configuration of client computers to which the
policies are applied.
Membership in Administrators, or equivalent, is the minimum required to perform this procedure.
To enable BranchCache distributed cache mode using network shell commands
1. On the BranchCache client computer that you want to configure, click Start, click Search
programs and files, and then type command. In search results, under Programs, right-click
Command Prompt, and then click Run as Administrator. The command prompt
opens with the elevated privileges that are required to run netsh commands.
2. Run the following command: netsh branchcache set service mode=DISTRIBUTED
Note
Running the netsh branchcache set service command both configures the
client computer for distributed cache mode and automatically configures the
client computer firewall with the following inbound exceptions for distributed
cache mode: TCP port 80 and UDP port 3702.
3. To enable client computers to download and cache content from BranchCache file
server-based content servers, run the following command: netsh branchcache smb set
latency latency=Number, where Number is a numeric value, in milliseconds, for the
maximum round trip network latency time.
Configure client computer distributed cache
mode firewall rules
You can use the information in this topic to configure third party firewall products and to manually
configure a client computer with firewall rules that allow BranchCache to run in distributed cache
mode.
Notes
• If you have configured BranchCache client computers using Group Policy, the Group Policy
settings override any manual configuration of client computers to which the policies are
applied.
• If you have deployed BranchCache with DirectAccess, you can use the settings in this topic
to configure IPsec rules to allow BranchCache traffic.
Membership in Administrators, or equivalent, is the minimum required to make these
configuration changes.
[MS-PCCRD]: Peer Content Caching and Retrieval
Discovery Protocol
Distributed cache clients must allow inbound and outbound MS-PCCRD traffic, which is carried in
the Web Services Dynamic Discovery (WS-Discovery) protocol.
Firewall settings must allow multicast traffic in addition to inbound and outbound traffic. You can
use the following settings to configure firewall exceptions for distributed cache mode.
IPv4 multicast: 239.255.255.250
IPv6 multicast: FF02::C
Inbound traffic: Local port: 3702, Remote port: ephemeral
Outbound traffic: Local port: ephemeral, Remote port: 3702
Program: %systemroot%\system32\svchost.exe (BranchCache Service [PeerDistSvc])
[MS-PCCRR]: Peer Content Caching
and Retrieval: Retrieval Protocol
Distributed cache clients must allow inbound and outbound MS-PCCRR traffic, which is carried in
the HTTP 1.1 protocol as documented in request for comments (RFC) 2616.
Firewall settings must allow inbound and outbound traffic. You can use the following settings to
configure firewall exceptions for distributed cache mode.
Inbound traffic: Local port: 80, Remote port: ephemeral
Outbound traffic: Local port: ephemeral, Remote port: 80
Deploy a hosted cache mode design
When you deploy BranchCache in hosted cache mode for a branch office, a hosted cache server
is installed at the branch office.
Client computers that are running either Windows® 7 Enterprise or Windows® 7 Ultimate are also
installed at the branch office. These clients download content from content servers that are
installed at the main office; and after content is downloaded, the hosted cache server obtains and
caches the content, providing the content to other clients in the same branch office upon request.
To deploy BranchCache in hosted cache mode, you must install and configure content servers in
your main office and install and configure a hosted cache server and client computers in your
branch office. In addition, client computers at branch offices must be able to access the main
office content servers over some type of wide area network (WAN) link, such as a dedicated or
on-demand virtual private network (VPN) connection between the offices; or clients must use
some other method to connect to the content servers, such as by using DirectAccess.
Important
BranchCache is compatible only with VPN software that supports split tunneling. Do not
enable hosted cache mode on client computers in a branch office if these clients use
host-based VPN software that does not support split tunneling. If the VPN software does
not support split tunneling, client computers route traffic through the main office VPN
servers when downloading from the local hosted cache, which will create unnecessary
WAN link traffic and network congestion.
Finally, you must enroll a server certificate to your hosted cache server that the server uses to
prove its identity to client computers in the branch office. After the hosted cache server enrolls a
certificate, you must obtain the SHA-1 hash of the certificate and link the certificate to
BranchCache.
Note
The server certificate that is enrolled to hosted cache servers must be issued by a
certification authority (CA) that is trusted by client computers. If client computers do not
trust the CA that issued the certificate to the hosted cache server, authentication fails and
the client computers will not be able to obtain content from the hosted cache server.
CAs and certificates
You can deploy server certificates with either a public CA or with a private CA that you own and
deploy.
• Public CAs are deployed by third party companies, such as Verisign, who sell certificates for
use by their customers. This guide does not describe how to deploy hosted cache mode with
certificates that are issued by a public CA, but it is possible if you ensure that the certificates
meet the minimum server certificate requirements and are configured in accordance with the
Web Server certificate template as described in this guide. In addition, before purchasing a
server certificate issued by a public CA, you should ensure that BranchCache client
computers already trust the public CA.
• Private CAs are deployed by organizations who design and deploy a public key infrastructure
(PKI). This guide provides instructions on how to deploy your own CA using Active Directory
Certificate Services (AD CS).
Note
This guide does not provide instructions on how to design a PKI, and you should review
AD CS documentation before deploying your own CA. For more information, see
Additional Resources.
There are two types of certificates that are used when you deploy BranchCache in hosted cache
mode:
• CA certificate. When you deploy your own CA, the root CA certificate is automatically
distributed to client computers that are domain members. The certificate is stored in the
Trusted Root Certification Authorities certificate store for the Local Computer and for the
Current User. These certificate stores can be viewed by using the Certificates Microsoft
Management Console (MMC) snap-in. When a CA certificate exists in the Trusted Root
Certification Authorities certificate store, it means that the computer trusts all certificates that
are issued by the CA.
• Server certificate. The server certificate is issued by the CA to the hosted cache server. The
hosted cache server uses the certificate to prove its identity to client computers during the
authentication process.
Hosted cache mode
See the following topics to deploy BranchCache in hosted cache mode.
• Install and configure content servers
• Configure client computers for hosted cache mode
• Install the certification authority and enroll certificates to hosted cache servers
• Obtain the SHA-1 hash of the hosted cache server certificate
• Link the hosted cache server certificate to BranchCache
Configure client computers for hosted cache
mode
You can use the procedures in this section to configure client computers for BranchCache when
you deploy hosted cache mode. Client computers running some versions of Windows® 7 have
BranchCache installed by default, however you must enable and configure BranchCache and
configure firewall rules on client computers.
See the following topics to perform these actions.
• Use Group Policy to configure domain member clients for hosted cache mode
• Configure domain member client hosted cache mode firewall rules
• Non-domain member client configuration for hosted cache mode
Note
When hosted cache mode clients are connecting to main office resources using
DirectAccess, ensure that Internet Protocol security (IPsec) rules allow BranchCache
traffic. Use the inbound and outbound rule settings provided in the topic Configure hosted
cache mode firewall rules to create IPsec rules.
Use Group Policy to configure domain
member clients for hosted cache mode
You can use this procedure to configure Group Policy to enable and configure BranchCache
hosted cache mode on domain-joined client computers.
Membership in Domain Admins, or equivalent, is the minimum required to perform this
procedure.
To use Group Policy to configure clients for hosted cache mode
1. On a computer upon which the Active Directory Domain Services server role is installed,
click Start, click Administrative Tools, and click Group Policy Management. The
Group Policy Management console opens.
2. In the Group Policy Management console, expand the following path: Forest:
example.com, Domains, example.com, Group Policy Objects, where example.com is
the name of the domain where the BranchCache client computer accounts that you want
to configure are located.
3. Right-click Group Policy Objects, and then click New. The New GPO dialog box opens.
In Name, type a name for the new Group Policy object (GPO). For example, if you want
to name the object BranchCache Client Computers, type BranchCache Client
Computers. Click OK.
4. In the Group Policy Management console, ensure that Group Policy Objects is
selected, and in the details pane right-click the GPO that you just created. For example, if
you named your GPO BranchCache Client Computers, right-click BranchCache Client
Computers. Click Edit. The Group Policy Management Editor console opens.
5. In the Group Policy Management Editor console, expand the following path: Computer
Configuration, Policies, Administrative Templates: Policy definitions (ADMX files)
retrieved from the local machine, Network, BranchCache.
6. Click BranchCache, and then in the details pane, double-click Turn on BranchCache.
The Turn on BranchCache dialog box opens.
7. In the Turn on BranchCache dialog box, click Enabled, and then click OK.
8. In the Group Policy Management Editor console, ensure that BranchCache is still
selected, and then in the details pane double-click Set BranchCache Hosted Cache
mode. The Set BranchCache Hosted Cache mode dialog box opens.
9. In the Set BranchCache Hosted Cache mode dialog box, click Enabled. In Enter the
location of hosted cache, type the fully qualified domain name (FQDN) of the hosted
cache server, and then click OK.
10. To configure the amount of hard disk space allocated on each client computer for the
BranchCache cache: In the Group Policy Management Editor console, ensure that
BranchCache is still selected, and then in the details pane double-click Set percentage
of disk space used for client computer cache. The Set percentage of disk space
used for client computer cache dialog box opens. Click Enabled, and then in Options
type a numeric value that represents the percentage of hard disk space used on each
client computer for the BranchCache cache.
11. To enable client computers to download and cache content from BranchCache file
server-based content servers: In the Group Policy Management Editor console, ensure
that BranchCache is still selected, and then in the details pane double-click
BranchCache for network files. The Configure BranchCache for network files dialog
box opens.
12. In the Configure BranchCache for network files dialog box, click Enabled. In Options,
type a numeric value, in milliseconds, for the maximum round trip network latency time,
and then click OK.
Note
By default, client computers cache content from file servers if the round trip
network latency is longer than 80 milliseconds.
Configure domain member client hosted
cache mode firewall rules
When you configure BranchCache in hosted cache mode, BranchCache client computers use the
Hypertext Transfer Protocol (HTTP) and HTTP Secure (HTTPS) for data transfer with other client
computers. You can use this procedure to configure client firewall inbound and outbound rules to
allow HTTP and HTTPS traffic on client computers that are configured for hosted cache mode.
Note
The HTTP inbound and outbound firewall rules that are created with this procedure have
the following settings: TCP port 80. The HTTPS outbound firewall exception created with
this procedure has the following setting: TCP port 443.
Membership in Domain Admins, or equivalent, is the minimum required to perform this
procedure.
To configure hosted cache mode client firewall exceptions
1. On a computer upon which the Active Directory Domain Services server role is installed,
click Start, click Administrative Tools, and click Group Policy Management. The
Group Policy Management console opens.
2. In the Group Policy Management console, expand the following path: Forest:
example.com, Domains, example.com, Group Policy Objects, where example.com is
the name of the domain where the BranchCache client computer accounts that you want
to configure are located.
3. In the Group Policy Management console, ensure that Group Policy Objects is
selected, and in the details pane right-click the BranchCache client computers GPO that
you created previously. For example, if you named your GPO BranchCache Client
Computers, right-click BranchCache Client Computers. Click Edit. The Group Policy
Management Editor console opens.
4. In the Group Policy Management Editor console, expand the following path: Computer
Configuration, Policies, Windows Settings, Security Settings, Windows Firewall
with Advanced Security, Windows Firewall with Advanced Security – LDAP…,
Inbound Rules.
5. Right-click Inbound Rules, and then click New Rule. The New Inbound Rule Wizard
opens.
6. In Rule Type, click Predefined, expand the list of choices, and then click BranchCache
– Content Retrieval (Uses HTTP). Click Next.
7. In Predefined Rules, click Next.
8. In Action, ensure that Allow the connection is selected, and then click Finish.
Important
You must select Allow the connection for the BranchCache client to be able
to receive traffic on this port.
9. In the Group Policy Management Editor console, right-click Outbound Rules, and then
click New Rule. The New Outbound Rule Wizard opens.
10. In Rule Type, click Predefined, expand the list of choices, and then click BranchCache
– Content Retrieval (Uses HTTP). Click Next.
11. In Predefined Rules, click Next.
12. In Action, ensure that Allow the connection is selected, and then click Finish.
Important
You must select Allow the connection for the BranchCache client to be able
to send traffic on this port.
13. In the Group Policy Management Editor console, right-click Outbound Rules, and then
click New Rule. The New Outbound Rule Wizard opens.
14. In Rule Type, click Predefined, expand the list of choices, and then click BranchCache
– Hosted Cache Client (Uses HTTPS). Click Next.
15. In Predefined Rules, click Next.
16. In Action, ensure that Allow the connection is selected, and then click Finish.
Important
You must select Allow the connection for the BranchCache client to be able
to send traffic on this port.
Non-domain member client configuration for
hosted cache mode
Using Group Policy to automate the configuration of BranchCache client computers for hosted
cache mode is recommended; however, you can also manually configure individual computers.
See the following topics to manually configure BranchCache client computers.
• Enable BranchCache hosted cache mode using network shell commands
• Configure hosted cache mode firewall rules
Enable BranchCache hosted cache mode
using network shell commands
You can use this procedure to manually configure a BranchCache client computer for hosted
cache mode using network shell (netsh) commands. Running the command below configures the
client computer for hosted cache mode and automatically configures the client computer firewall
with the following inbound exception for hosted cache mode: TCP port 80.
Note
If you have configured BranchCache client computers using Group Policy, the Group
Policy settings override any manual configuration of client computers to which the
policies are applied.
Membership in Administrators, or equivalent, is the minimum required to perform this procedure.
To enable BranchCache hosted cache mode using network shell commands
1. On the BranchCache client computer that you want to configure, click Start, click Search
programs and files, and then type command. In search results, under Programs, right-click
Command Prompt, and then click Run as Administrator. The command prompt
opens with the elevated privileges that are required to run netsh commands.
2. Run the following command: netsh branchcache set service mode=HOSTEDCLIENT
location=HostedCacheName, where HostedCacheName is the fully qualified domain
name of the hosted cache server.
Note
If the hosted cache server and client computers are not joined to an Active
Directory domain, set client authentication to NONE using the additional
clientauthentication parameter in this command:
netsh branchcache set service mode=HOSTEDSERVER location=HostedCacheName clientauthentication=NONE
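As an added example that is not part of this guide, the following PowerShell script (hypothetical name Set-BranchCacheClient.ps1) wraps the netsh commands from the two network shell procedures above, for both distributed cache mode and hosted cache client mode, and then enables the predefined Windows Firewall rule groups this guide names so that the inbound and outbound rules are explicit and auditable. It assumes Windows 7 or Windows Server 2008 R2 netsh syntax, that the predefined rule group display names use a plain hyphen, and an elevated PowerShell session.

```powershell
<#
  Added example, not from the BranchCache Deployment Guide.
  Applies the manual netsh configuration for a non-domain BranchCache client
  in distributed cache mode or hosted cache client mode, enables the predefined
  firewall rule groups named in the guide, and prints the resulting status.
  Assumptions: Windows 7 / Windows Server 2008 R2 netsh syntax; rule group
  display names with a plain hyphen; the script runs from an elevated prompt.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Distributed', 'HostedClient')]
    [string]$Mode,

    # FQDN of the hosted cache server; required only for HostedClient mode.
    [string]$HostedCacheLocation,

    # Round-trip latency (ms) above which SMB content is cached.
    # The guide states the default threshold is 80 ms.
    [ValidateRange(0, 60000)]
    [int]$LatencyMs = 80
)

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Runs netsh with the given arguments and fails loudly on a non-zero exit code,
# so a partially applied configuration is never silently accepted.
function Invoke-Netsh {
    param([string[]]$Arguments)
    Write-Verbose ("netsh " + ($Arguments -join ' '))
    $output = & netsh.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "netsh $($Arguments -join ' ') failed (exit $LASTEXITCODE): $output"
    }
    return $output
}

if (-not (Test-IsElevated)) {
    throw 'netsh branchcache commands require an elevated (Run as Administrator) prompt.'
}

# 1. Service mode (guide: "netsh branchcache set service mode=...").
switch ($Mode) {
    'Distributed' {
        Invoke-Netsh @('branchcache', 'set', 'service', 'mode=DISTRIBUTED')
        $ruleGroups = @('BranchCache - Content Retrieval (Uses HTTP)',
                        'BranchCache - Peer Discovery (Uses WSD)')
    }
    'HostedClient' {
        if (-not $HostedCacheLocation) {
            throw '-HostedCacheLocation (FQDN of the hosted cache server) is required for HostedClient mode.'
        }
        # The FQDN must match the name on the hosted cache server certificate;
        # otherwise the HTTPS authentication described in the guide fails.
        Invoke-Netsh @('branchcache', 'set', 'service', 'mode=HOSTEDCLIENT',
                       "location=$HostedCacheLocation")
        $ruleGroups = @('BranchCache - Content Retrieval (Uses HTTP)',
                        'BranchCache - Hosted Cache Client (Uses HTTPS)')
    }
}

# 2. SMB latency threshold (guide: "netsh branchcache smb set latency latency=Number").
Invoke-Netsh @('branchcache', 'smb', 'set', 'latency', "latency=$LatencyMs")

# 3. "set service" already adds the inbound exceptions; enabling the predefined
#    rule groups explicitly keeps the outbound rules present and reviewable when
#    an outbound-blocking firewall profile is in use.
foreach ($group in $ruleGroups) {
    Invoke-Netsh @('advfirewall', 'firewall', 'set', 'rule', "group=$group", 'new', 'enable=yes')
}

# 4. Show the resulting BranchCache configuration for review.
Invoke-Netsh @('branchcache', 'show', 'status', 'all')
```

Group Policy settings still override anything this script configures on a domain-joined client, as the notes above state.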
Configure hosted cache mode firewall rules
You can use the information in this topic to configure third party firewall products and to manually
configure a client computer or a hosted cache server in a branch office with firewall rules that
allow BranchCache to run in hosted cache mode.
Notes
• If you have configured BranchCache client computers using Group Policy, the Group Policy
settings override any manual configuration of client computers to which the policies are
applied.
• If you have deployed BranchCache with DirectAccess, you can use the settings in this topic
to configure IPsec rules to allow BranchCache traffic.
Membership in Administrators, or equivalent, is the minimum required to perform firewall
configuration changes.
[MS-PCCRR]: Peer Content Caching
and Retrieval: Retrieval Protocol
Hosted Cache clients must allow inbound and outbound MS-PCCRR traffic, which is carried in
the HTTP 1.1 protocol as documented in request for comments (RFC) 2616.
Firewall settings must allow inbound, outbound, and program traffic. You can use the following
settings to configure firewall exceptions for hosted cache mode.
Inbound traffic: Local port: 80, Remote port: ephemeral
Outbound traffic: Local port: ephemeral, Remote port: 80
[MS-PCHC]: Peer Content Caching and Retrieval:
Hosted Cache Protocol
Hosted Cache clients must allow inbound and outbound MS-PCHC traffic, which is carried in the
HTTP 1.1 over TLS (HTTPS) protocol as documented in request for comments (RFC) 2818.
Firewall settings must enable outbound traffic. You can use the following settings to configure
firewall exceptions for hosted cache mode.
Outbound traffic: Local port: ephemeral, Remote port: 443
Install and configure the hosted cache server
When you deploy BranchCache in hosted cache mode for one or more branch offices, you must
install a hosted cache server in each branch office. You can use an existing application server as
a hosted cache server if you upgrade the server to one of the following operating systems:
• Windows Server® 2008 R2 Enterprise
• Windows Server 2008 R2 Enterprise with Hyper-V
• Windows Server 2008 R2 Enterprise Core Install
• Windows Server 2008 R2 Enterprise Core Install with Hyper-V
• Windows Server 2008 R2 for Itanium-Based Systems
• Windows Server® 2008 R2 Datacenter
• Windows Server® 2008 R2 Datacenter with Hyper-V
• Windows Server® 2008 R2 Datacenter Core Install with Hyper-V
To deploy a hosted cache server, you must install and enable the BranchCache feature, enable
hosted cache mode, and configure firewall exceptions to allow communication between the
hosted cache server and client computers in the branch office.
Note
By default, the cache on the hosted cache server is configured to use 5% of the hard disk
space on the local hard disk. If you want to change the size of the cache, you can use the
netsh branchcache set cachesize command, which specifies the size of the local cache
as either a percentage of the size of the hard disk where the cache is located or as an
exact number of bytes. For more information, see Additional Resources.
See the following topics to install and configure the hosted cache server.
• Install the BranchCache feature
• Enable hosted cache server mode on a hosted cache server
Note
When you enable hosted cache mode using the netsh branchcache set service
command as described in the topic Enable hosted cache server mode on a hosted cache
server, the firewall on the hosted cache server is automatically configured with the correct
exceptions for hosted cache mode. You do not need to make additional firewall configuration
changes; however, the topic Configure hosted cache mode firewall rules is provided for
reference.
Install the BranchCache feature
You can use this procedure to install the BranchCache feature and start the BranchCache service
on a computer running Windows Server® 2008 R2.
Membership in Administrators, or equivalent, is the minimum required to perform this procedure.
To install and enable the BranchCache feature
1. Click Start, click Administrative Tools, and then click Server Manager. Server Manager
opens.
2. In the Server Manager left pane, right-click Features, and then click Add Features. The
Add Features Wizard opens.
3. In the Add Features Wizard, in Features, select the BranchCache check box, and then
click Next.
4. In Confirm Installation Selections, review your choice and then click Install. The
Installation Progress pane is displayed during installation, and then the Installation
Results pane is displayed.
5. In Installation Results, review the summary and then click Close. The Add Features
Wizard closes.
6. In the Server Manager left pane, double-click Configuration, and then click Services.
7. In the details pane, in Services, double-click BranchCache. The BranchCache
Properties dialog box opens.
8. In the BranchCache Properties dialog box, on the General tab, click Start to start the
BranchCache service, and then click OK.
Important
The BranchCache service startup type is Automatic, which means that the
BranchCache service starts whenever the computer is restarted. It is
recommended that you keep the startup type value set to Automatic.
Enable hosted cache server mode on a hosted cache server
You can use this procedure to manually configure a BranchCache hosted cache server for hosted
cache mode using network shell (netsh) commands. Running the command below both
configures the server for hosted cache mode and automatically configures the firewall with the
following inbound exceptions for hosted cache mode: TCP port 80 and TCP port 443.
Membership in Domain Admins, or equivalent, is the minimum required to perform this
procedure.
To enable hosted cache mode on a hosted cache server
1. On the BranchCache hosted cache server that you want to configure, click Start, click
Search programs and files, and then type command. In search results, under
Programs, right-click Command Prompt, and then click Run as Administrator. The
command prompt opens with the elevated privileges that are required to run netsh
commands.
2. Run the following command: netsh branchcache set service mode=HOSTEDSERVER.
Note
If the hosted cache server and client computers are not joined to an Active
Directory domain, set client authentication to NONE using the additional
clientauthentication parameter in this command: netsh branchcache set
service mode=HOSTEDSERVER clientauthentication=NONE
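The two server-side procedures above (Install the BranchCache feature, Enable hosted cache server mode on a hosted cache server) together with the cache size note, as one elevated PowerShell session on the hosted cache server. This is an added example and not the guide's own commands; it assumes the ServerManager module that ships with Windows Server 2008 R2, that the BranchCache service is named PeerDistSvc, and that PowerShell was started with Run as Administrator:

```powershell
# Added example (not from the guide): install BranchCache, put it in hosted
# cache mode, size the cache, and verify, all from an elevated PowerShell
# prompt on Windows Server 2008 R2.
Import-Module ServerManager

# 1. Install the BranchCache feature (equivalent of Server Manager > Add Features).
Add-WindowsFeature BranchCache

# 2. Keep the BranchCache service (PeerDistSvc) on Automatic start, and start it now.
Set-Service -Name PeerDistSvc -StartupType Automatic
Start-Service -Name PeerDistSvc

# 3. Switch to hosted cache mode. This also creates the TCP 80 and TCP 443
#    inbound firewall exceptions described in the guide. If the server and its
#    clients are not domain joined there is no Kerberos, so client
#    authentication is set to NONE as the guide's note describes.
$partOfDomain = (Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain
if ($partOfDomain) {
    netsh branchcache set service mode=HOSTEDSERVER
} else {
    netsh branchcache set service mode=HOSTEDSERVER clientauthentication=NONE
}

# 4. Optional: change the cache from the default 5% of the disk to 10%.
#    percent=TRUE interprets size as a percentage; percent=FALSE as bytes.
netsh branchcache set cachesize size=10 percent=TRUE

# 5. Verify the service mode and cache settings, then confirm that inbound
#    firewall rules mentioning BranchCache now exist.
netsh branchcache show status all
netsh advfirewall firewall show rule name=all dir=in |
    Select-String -Pattern 'Rule Name:.*BranchCache'
```

The domain check drives the clientauthentication choice because NONE means any host that can reach TCP 443 on the server may offer content into the cache; it is the documented setting for workgroup deployments, not a shortcut for domain ones. The last two commands are the checks worth keeping in a build script: show status all reports the mode and cache size you just set, and the rule listing confirms the automatic firewall configuration took effect.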
Install the certification authority and enroll certificates to hosted cache servers
When you deploy BranchCache in hosted cache mode, you must enroll server certificates to
hosted cache servers.
You can use the following topics to create a hosted cache servers group in Active Directory Users
and Computers, add hosted cache servers to the group, install an enterprise root certification
authority using Active Directory Certificate Services (AD CS), and then configure the automatic
distribution, or autoenrollment, of server certificates to hosted cache servers.
See the following topics to perform these actions.
• Create the hosted cache servers group
• Add hosted cache servers to the group
• Install the certification authority (CA)
• Configure the Web Server certificate template
• Configure server certificate autoenrollment
• Refresh Group Policy
Notes
• When you deploy a public key infrastructure (PKI), you should also configure certificate
revocation and publish a certificate revocation list (CRL).
• If your BranchCache deployment includes only one or two hosted cache servers and you
prefer not to use autoenrollment, you can use the Certificates Microsoft Management
Console (MMC) snap-in to manually enroll server certificates to hosted cache servers.
• For more information, see Additional Resources.
Create the hosted cache servers group
You can use this procedure to create a new Hosted Cache Servers group in Active Directory
Users and Computers Microsoft Management Console (MMC).
Membership in Domain Admins, or equivalent, is the minimum required to perform this
procedure.
To add a Hosted Cache Servers group
1. Click Start, click Administrative Tools, and then click Active Directory Users and
Computers. The Active Directory Users and Computers MMC opens. If it is not already
selected, click the node for your domain. For example, if your domain is example.com,
click example.com.
2. In the details pane, right-click the folder in which you want to add a new group.
Where?
• Active Directory Users and Computers/domain node/folder
3. Point to New, and then click Group.
4. In New Object – Group, in Group name, type the name of the new group. For example,
type Hosted Cache Servers.
By default, the name you type is also entered as the pre-Windows 2000 name of the new
group.
5. In Group scope, select one of the following options:
• Domain local
• Global
• Universal
6. In Group type, select one of the following options:
• Security
• Distribution
7. Click OK.
Add hosted cache servers to the group
You can use this procedure to assign group membership to BranchCache hosted cache servers
using the Active Directory Users and Computers Microsoft Management Console (MMC).
Membership in Domain Admins, or equivalent, is the minimum required to perform this
procedure.
To add hosted cache servers to the Hosted Cache Servers group
1. Click Start, click Administrative Tools, and then click Active Directory Users and
Computers. The Active Directory Users and Computers MMC opens. If it is not already
selected, click the node for your domain. For example, if your domain is example.com,
click example.com.
2. In the details pane, double-click the folder that contains the Hosted Cache Servers
group to which you want to add a member.
Where?
• Active Directory Users and Computers/domain node/folder that contains the group
3. In the details pane, right-click the group to which you want to add a member, and then
click Properties. The group Properties dialog box opens. Click the Members tab.
4. On the Members tab, click Add.
5. In Enter the object names to select, type the name of the hosted cache server that you
want to add, and then click OK.
6. To assign group membership to other hosted cache servers, repeat steps 4 and 5 of this
procedure.
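The two group procedures above (Create the hosted cache servers group, Add hosted cache servers to the group) done with the ActiveDirectory PowerShell module instead of the MMC. This is an added example, not from the guide; it assumes the RSAT-AD-PowerShell feature on a Windows Server 2008 R2 domain controller, and the OU path and computer names are constructed for the example:

```powershell
# Added example (not from the guide): create the Hosted Cache Servers group
# and add hosted cache server computer accounts to it.
Import-Module ActiveDirectory

$groupName = 'Hosted Cache Servers'
$groupOu   = 'OU=Servers,DC=example,DC=com'   # constructed OU path
$servers   = @('BRANCH1-HC', 'BRANCH2-HC')    # constructed computer names

# A Security group (not Distribution) is required: the certificate template's
# permission list in the next topic can only grant Enroll/Autoenroll to a
# security principal. Global scope is sufficient for a single domain.
if (-not (Get-ADGroup -Filter { Name -eq $groupName })) {
    New-ADGroup -Name $groupName -GroupCategory Security -GroupScope Global `
        -Path $groupOu `
        -Description 'BranchCache hosted cache servers (Web Server template autoenrollment)'
}

# Add the computer objects, not user objects: autoenrollment runs under the
# machine account, so that is the identity that must hold Autoenroll.
foreach ($name in $servers) {
    $computer = Get-ADComputer -Identity $name
    Add-ADGroupMember -Identity $groupName -Members $computer
}

# Verify membership; objectClass should read "computer" for every entry.
Get-ADGroupMember -Identity $groupName | Select-Object Name, objectClass
```

One practical point the MMC procedure does not mention: a computer account picks up new group memberships only when it obtains a fresh Kerberos ticket, in practice at the next restart of the hosted cache server. Restart it after adding it here, or the Autoenroll permission granted to the group in the next topic will not apply to the server until that restart.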
Install the certification authority (CA)
You can use this procedure to install Active Directory® Certificate Services (AD CS) so that you
can enroll a server certificate to hosted cache servers.
Important
To perform this procedure, the computer on which you are installing AD CS must be
joined to a domain where Active Directory Domain Services (AD DS) is installed.
Membership in both the Enterprise Admins and the root domain's Domain Admins group is the
minimum required to complete this procedure.
To install Active Directory Certificate Services
1. Log on as a member of both the Enterprise Admins group and the root domain's Domain
Admins group.
2. Click Start, click Administrative Tools, and then click Server Manager. The Server
Manager console opens. In Roles Summary, click Add roles.
3. The Add Roles Wizard opens. Click Next.
4. On the Select Server Roles page, in Roles, select Active Directory Certificate
Services, and then click Next twice.
5. On the Select Role Services page, in Role services, verify that Certification Authority
is selected, and then click Next.
6. On the Specify Setup Type page, verify that Enterprise is selected, and then click Next.
7. On the Specify CA Type page, verify that Root CA is selected, and then click Next.
8. On the Set Up Private Key page, verify that Create a new private key is selected, and
then click Next.
9. On the Configure Cryptography for CA page, keep the default settings for CSP
(RSA#Microsoft Software Key Storage Provider) and hash algorithm (sha1), and
determine the best key character length for your deployment. Large key character lengths
provide optimal security; however, they can impact server performance. It is
recommended that you keep the default setting of 2048 or, if you deem it appropriate for
your deployment, reduce Key character length to 1024. Click Next.
10. On the Configure CA Name page, keep the suggested common name for the CA or
change the name according to your requirements, and then click Next.
11. On the Set Validity Period page, in Select validity period for the certificate
generated for this CA, type the number and select a time value (Years, Months, Weeks,
or Days). The default setting of five years is recommended. Click Next.
12. On the Configure Certificate Database page, in Certificate database location and
Certificate database log location, specify the folder location for these items. If you
specify locations other than the default locations, ensure that the folders are secured with
access control lists (ACLs) that prevent unauthorized users or computers from accessing
the CA database and log files.
13. Click Next, click Install, and then click Close.
Configure the Web Server certificate template
You can use this procedure to configure the certificate template that Active Directory® Certificate
Services (AD CS) uses as the basis for computer certificates that are enrolled to hosted cache
server computers.
Membership in both the Enterprise Admins and the root domain's Domain Admins group is the
minimum required to complete this procedure.
To configure the certificate template and autoenrollment
1. On the computer where AD CS is installed, click Start, click Run, type mmc, and then
click OK.
2. On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog
box opens.
3. In the Add or Remove Snap-ins dialog box, in Available snap-ins, double-click
Certification Authority. Select the CA that you want to manage, and then click Finish.
The Certification Authority dialog box closes, returning you to the Add or Remove
Snap-ins dialog box.
4. In Available snap-ins, double-click Certificate Templates, and then click OK.
5. In the console tree, click the Certificate Templates snap-in. All of the certificate
templates are displayed in the details pane.
6. In the details pane, click the Web Server template.
7. On the Action menu, click Duplicate Template. In the Duplicate Template dialog box,
select the template version that is appropriate for your deployment. For client and server
interoperability reasons, it is recommended that you select Windows Server 2003
Enterprise.
8. Click OK. The Properties dialog box for the certificate template opens.
9. On the General tab, in Display Name, type a new name for the certificate template or
keep the default name, Copy of Web Server.
10. Click the Subject Name tab. Ensure that Build from this Active Directory information
is selected. In Subject name format, select Fully distinguished name.
11. Click the Request Handling tab. For Minimum key size, determine the best key
character length for your deployment. Large key character lengths provide optimal
security, but they can impact server performance. It is recommended that you keep the
default setting of 2048 or, if you deem it appropriate for your deployment, reduce
Minimum key size to 1024.
12. Click the Security tab. In Group or user names, click Add. The Select Users,
Computers, Service Accounts, or Groups dialog box opens.
13. In Select Users, Computers, Service Accounts, or Groups, type the name of the
group that you created for your hosted cache servers, and then click OK. For example,
type Hosted Cache Servers.
14. In Properties of New Template, in Group or User Names, click the name of the group
you just added. For example, if your group is named Hosted Cache Servers, click that
group.
15. In Properties of New Template, in Permissions for Hosted Cache Servers, under
Allow, select the Enroll and Autoenroll permission check boxes, and then click OK.
Note: If your group name is not Hosted Cache Servers, this section of the dialog box is
named Permissions for Group Name, where Group Name is the name of the hosted
cache servers group that you created.
16. In the left pane of the Microsoft Management Console (MMC), double-click Certification
Authority, double-click the CA name, and then click Certificate Templates. On the
Action menu, point to New, and then click Certificate Template to Issue. The Enable
Certificate Templates dialog box opens.
17. Click the name of the certificate template you just configured, and then click OK. For
example, if you did not change the default certificate template name, click Copy of Web
Server, and then click OK.
Configure server certificate autoenrollment
Note
Before you perform this procedure, you must configure a server certificate template by
using the Certificate Templates Microsoft Management Console snap-in on a CA that is
running AD CS.
Membership in both the Enterprise Admins and the root domain's Domain Admins group is the
minimum required to complete this procedure.
To configure server certificate autoenrollment
1. On the computer where Active Directory Domain Services is installed, click Start, click
Run, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog
box opens.
3. In Available snap-ins, scroll down to and double-click Group Policy Management
Editor, and then click OK. The Group Policy Wizard opens.
4. In Group Policy Object, click Browse. The Browse for a Group Policy Object dialog
box opens.
5. In Domains, OUs, and linked Group Policy Objects, click Default Domain Policy, and
then click OK.
6. Click Finish, and then click OK.
7. Double-click Default Domain Policy. In the console, expand the following path:
Computer Configuration, Policies, Windows Settings, Security Settings, and then
Public Key Policies.
8. Click Public Key Policies. In the details pane, double-click Certificate Services Client Auto-Enrollment. The Properties dialog box opens. Configure the following items, and
then click OK:
a. In Configuration Model, select Enabled.
b. Select the Renew expired certificates, update pending certificates, and remove
revoked certificates check box.
c. Select the Update certificates that use certificate templates check box.
9. Click OK.
Refresh Group Policy
You can use this procedure to manually refresh Group Policy on the local computer. When Group
Policy is refreshed, if certificate autoenrollment is configured and functioning correctly, the local
computer is autoenrolled a certificate by the certification authority (CA).
Note
Group Policy is automatically refreshed when you restart the domain member computer,
or when a user logs on to a domain member computer. In addition, Group Policy is
periodically refreshed. By default, this periodic refresh is performed every 90 minutes with
a randomized offset of up to 30 minutes.
Membership in Administrators, or equivalent, is the minimum required to complete this
procedure.
To refresh Group Policy on the local computer
1. Click Start, click Run, type cmd, and then press ENTER. The Command Prompt window
opens.
2. Type gpupdate, and then press ENTER.
Obtain the SHA-1 hash of the hosted cache server certificate
You can use this procedure to obtain the SHA-1 hash, also called the thumbprint, of the server
certificate of a hosted cache server so that you can link the certificate to BranchCache. This
procedure must be performed on a hosted cache server to which a server certificate has already
been enrolled.
Membership in Domain Admins, or equivalent, is the minimum required to perform this
procedure.
To obtain the SHA-1 hash of the hosted cache server certificate
1. Click Start, click Run, type mmc, and then press ENTER. The Microsoft Management
Console (MMC) opens.
2. In the MMC, on the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box opens.
3. In Add or Remove Snap-ins, in Available snap-ins, double-click Certificates. The
Certificates snap-in dialog box opens. Click Computer account, and then click Next.
4. In Select Computer, in This snap-in will always manage, ensure that Local
computer: (the computer this console is running on) is selected, click Finish, and
then click OK.
5. In the navigation pane, double-click Certificates (Local Computer) and then double-click the Personal certificate store.
6. The Certificates folder is a subfolder of the Personal certificate store. Click the
Certificates folder.
7. In the details pane, browse to the server certificate and double-click the certificate. The
Certificate dialog box opens.
8. In the Certificate dialog box, click the Details tab.
Note
On the Details tab, in Field, ensure that the value of the Certificate
Template Name extension matches the name of the copy of the Web Server
certificate template that you configured in a previous step. For example, if
you used the default name Copy of Web Server, ensure that this value
appears in Certificate Template Name to verify that you have selected the
correct certificate.
9. In the list of fields, select Thumbprint.
10. In the lower pane, the hexadecimal string that is the SHA-1 hash of your certificate is
displayed. Select the SHA-1 hash and press the Windows keyboard shortcut for the Copy
command (Ctrl+C) to copy the hash to the Windows clipboard.
11. Click Start, click All Programs, click Accessories, and then click Notepad. The
Notepad application opens.
12. In Notepad, press the Windows keyboard shortcut for the Paste command (Ctrl+V) to
paste the SHA-1 hash into a new text file. Remove all of the spaces between the
characters in the SHA-1 hash so that the hash contains no spaces, and then save the
text file to hard disk.
Note
In the next procedure where you link the hosted cache server certificate to BranchCache,
you will use the SHA-1 hash of the certificate while running a network shell (netsh)
command.
Link the hosted cache server certificate to BranchCache
You can use this procedure to link the server certificate of a hosted cache server to BranchCache
using network shell (netsh) commands.
Important
In this procedure you must use the SHA-1 hash of the hosted cache server certificate that
you obtained while performing the previous procedure in this guide. Before using the
SHA-1 hash in this procedure, remove all spaces from the SHA-1 hash. Do not replace
the spaces with alternate characters, just remove the spaces. If you do not remove the
spaces from the SHA-1 hash, the effort to link the certificate to BranchCache will fail.
Membership in Domain Admins, or equivalent, is the minimum required to perform this
procedure.
To link the hosted cache server certificate to BranchCache
1. On the BranchCache hosted cache server that you want to configure, click Start, click
Search programs and files, and then type command. In search results, under
Programs, right-click Command Prompt, and then click Run as Administrator. The
command prompt opens with the elevated privileges that are required to run netsh
commands.
2. Run the following command: netsh http add sslcert ipport=0.0.0.0:443 certhash=SHA-1_Hash appid={d673f5ee-a714-454d-8de2-492e4c1bd8f8}, where SHA-1_Hash is the
SHA-1 hash of the server certificate on the hosted cache server, with all spaces removed.
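The last three procedures (Refresh Group Policy, Obtain the SHA-1 hash of the hosted cache server certificate, Link the hosted cache server certificate to BranchCache) as one script run on the hosted cache server. This is an added example and not the guide's own commands; it assumes an elevated PowerShell prompt, that the certificate template from the earlier topic built the subject from Active Directory (so the CN is the computer account name), and it reuses the BranchCache appid GUID given in the procedure above. Because the certificate is read through the Cert: drive, the thumbprint already has no spaces, which removes the copy-and-edit step in Notepad:

```powershell
# Added example (not from the guide): refresh policy, trigger autoenrollment,
# find the enrolled server certificate, and bind it to TCP 443 for BranchCache.
$branchCacheAppId = '{d673f5ee-a714-454d-8de2-492e4c1bd8f8}'   # appid from the guide
$serverAuthOid    = '1.3.6.1.5.5.7.3.1'                          # id-kp-serverAuth EKU
$subjectPattern   = "^CN=$([regex]::Escape($env:COMPUTERNAME))"  # subject built from AD

# Refresh computer Group Policy and pulse the autoenrollment task so the
# certificate is requested now instead of at the next periodic refresh.
gpupdate /target:computer /force
certutil -pulse

# Select the newest valid certificate in the machine Personal store that has a
# private key, a subject naming this computer, and the Server Authentication EKU.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $ekuOids = $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        $_.Subject -match $subjectPattern -and
        ($ekuOids -contains $serverAuthOid)
    } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No server authentication certificate for $env:COMPUTERNAME in LocalMachine\My; check autoenrollment."
}

# netsh http requires the SHA-1 hash as 40 hex characters with no spaces. The
# Thumbprint property is already in that form; the guard rejects anything
# else, such as a value pasted from the MMC with its spaces still present.
$thumbprint = $cert.Thumbprint -replace '\s', ''
if ($thumbprint -notmatch '^[0-9A-Fa-f]{40}$') {
    throw "Unexpected thumbprint format: '$thumbprint'"
}

# Remove any previous binding on 0.0.0.0:443 (ignore the error if none exists),
# then bind this certificate to the BranchCache application id.
netsh http delete sslcert ipport=0.0.0.0:443 | Out-Null
netsh http add sslcert ipport=0.0.0.0:443 "certhash=$thumbprint" "appid=$branchCacheAppId"

# Verify: the Certificate Hash shown must equal $thumbprint and the
# Application ID must be the BranchCache GUID.
netsh http show sslcert ipport=0.0.0.0:443
Write-Host "Bound certificate: $($cert.Subject) thumbprint $thumbprint"
```

The selection filter is what makes this safe to rerun: when the certificate is renewed by autoenrollment, the script binds the newest valid one and the show sslcert output confirms which hash is live. If the certificate template in your deployment puts something other than the computer account name in the CN, adjust $subjectPattern accordingly rather than loosening the EKU check.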
Additional Resources
For more information about the technologies in this guide, see the following resources in the
Windows Server® 2008 and Windows Server® 2008 R2 Technical Library.
• Active Directory Certificate Services (http://go.microsoft.com/fwlink/?LinkId=110923)
• Active Directory Domain Services (http://go.microsoft.com/fwlink/?LinkId=110928)
• Background Intelligent Transfer Service (BITS)
(http://go.microsoft.com/fwlink/?LinkId=163282)
• Configuring Certificate Revocation (http://go.microsoft.com/fwlink/?LinkId=163242)
• File Services (http://go.microsoft.com/fwlink/?LinkId=163286)
• Group Policy (http://go.microsoft.com/fwlink/?LinkId=110930)
• Network Shell (Netsh) Commands for BranchCache
(http://go.microsoft.com/fwlink/?LinkId=156640)
• Web Server (http://go.microsoft.com/fwlink/?LinkId=163294)
The following topics provide information about designing a public key infrastructure and the
server message block (SMB) protocol.
• Deployment Planning (Best Practices for Implementing a Microsoft Windows Server 2003
public key infrastructure) in Windows Server TechCenter
(http://go.microsoft.com/fwlink/?LinkId=106049)
• Microsoft SMB Protocol and CIFS Protocol Overview (Windows) in the Microsoft Developer
Network (MSDN) (http://go.microsoft.com/fwlink/?LinkId=163293)