BranchCache
Speeding up the Branch Office
Chad Duffey
Premier Field Engineer
Microsoft Certified Master – Active Directory
chduffey@microsoft.com
December 15th 2011
Agenda
• BranchCache 101
• A little Deeper
• FAQs
Branch Cache Fundamentals
Branch Office Network Performance
Normal Branch Office
• Application and data access over WAN is slow in branch offices
• Slow connections hurt user productivity
• Improving network performance is expensive and difficult to implement
Windows 7 & Server 2008 R2 Solution: BranchCache™
• Caches content downloaded from file and Web servers
• Users in the branch can quickly open files stored in the cache
• Frees up network bandwidth for other uses
BranchCache: Two Approaches
Enterprise
Distributed Mode
• Recommended for branches without a branch server
• Easy to deploy: Enabled on clients through Group Policy
• Cache availability decreases with laptops that go offline
Hosted Mode
• Cache stored centrally: existing server in the branch
• Cache availability is high
• Enables branch-wide caching
• Increased reliability
Deployment Summary
• Use Group Policy to enable Windows BranchCache on Windows 7 clients
• Install the optional “Windows BranchCache” component on a Windows 2008 R2 web or file server
• Optionally, install a hosted cache in your branch. Configure clients to use it with Group Policy
[Diagram labels: Hosted Cache, IIS, File Server, Group Policy Management]
How it works: BranchCache Distributed Cache
[Diagram: content identifiers (ID) and data in Distributed Cache mode]
How it works: BranchCache Hosted Cache
[Diagram: content identifiers (ID), search, and data in Hosted Cache mode]
Demonstration of Branch Cache
BranchCache Framework
[Diagram: application and protocol stack]
Applications: 3rd Party Applications, Office, CopyFile, Explorer, SharePoint, WMP, IE
Protocols: SMB (CSC/SRV), BITS, HTTP (WebIO/http.sys)
Underlying layer: BranchCache
BranchCache Deployment
Distributed Cache Implementation
HQ: Content Server (Windows Server 2008 R2 required)
Branch: Client (Windows 7 required)
Hosted Cache Implementation
HQ: Content Server (Windows Server 2008 R2 required)
Branch: Hosted Cache (Windows Server 2008 R2 required)
Branch: Client (Windows 7 required)
Deployment - Content Server
HTTP server (IIS) - Install the BranchCache feature from Server Manager
SMB server (File server) – Install the BranchCache role service feature within the file server role using Server Manager
That’s it…
Optional: Hashgen.exe
Deployment - Client
Identify the “branch”
• An Active Directory Site
• An IP address range
• A collection of specific client computers
Choose how to deploy
• Group Policy
• netsh
Deploy to clients
• Group policy: Use built-in ADMX files
• netsh: Run netsh branchcache set service distributed on all relevant clients
Deployment – Hosted Cache
Set up the Hosted Cache
• Install the BranchCache feature on an R2 server
• Install a server-auth certificate for use with SSL
• Run netsh branchcache set service hostedserver on the hosted cache
Identify Branch
Choose how to deploy
Deploy to clients
• Group policy: Use built-in ADMX files
• netsh: Run netsh branchcache set service hostedclient location=<> on all clients
Demonstration of Configuration
Additional Configuration Options
With Group Policy and NetSH you can:
Enable / disable Distributed Cache
Enable / disable Hosted Cache
Set the cache size
Set the location of the Hosted Cache
Clear the cache
Create and replicate a shared key for use in a server cluster
And more …
Works in domains and workgroups
A little deeper…
Content identifiers
• Hashes: returned by server
• Blocks: unit of download
• Segments: unit of discovery
• Segment hashes, block hashes: 2000:1 compression ratio
[Diagram: Content divided into segments S1, S2, S3, each made up of blocks B1, B2, …, Bn]
How is SSL optimized?
[Diagram: matching stacks on the client (IE) and the server (IIS)]
• HTTP: data in clear
• BranchCache: data in clear
• SSL: data encrypted
• Sockets
Security
Server
• Blocks: B1, B2, …, Bn
• Block hashes: Hash(block)
• Segment hash (SH): Hash(Block hashes)
• Server secret key: Ks
• Private Segment key (SK): Hash(SH, Ks)
Client
• Segment discovery key: Hash(SK, SH+“HoHoDk”)
• Encryption key: Hash(SK, “KeKeKe”)
Flow – a Security View
Client requests data from the server, and indicates BranchCache capability
Server authorizes the client
Server retrieves metadata (block hashes, segment hashes, private segment key) for the data
Server sends metadata on same channel as data
Client computes a segment discovery key
Broadcasts on the local network
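The derivation chain from the Security slide and the flow above, as an added example that is not part of the original deck or Microsoft's code. It assumes SHA-256 for Hash(x), HMAC-SHA256 for the keyed Hash(key, data), a 64 KB block size and the label strings exactly as printed on the slide; the secret and the content are constructed sample values.

```python
import hashlib
import hmac

BLOCK_SIZE = 64 * 1024  # assumed block size for this sketch

def h(data: bytes) -> bytes:
    """Unkeyed Hash(x) from the slide, modelled as SHA-256 (assumption)."""
    return hashlib.sha256(data).digest()

def keyed(key: bytes, data: bytes) -> bytes:
    """Keyed Hash(key, data) from the slide, modelled as HMAC-SHA256 (assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()

def server_metadata(segment: bytes, ks: bytes) -> dict:
    """Server side: block hashes, segment hash (SH), private segment key (SK)."""
    blocks = [segment[i:i + BLOCK_SIZE] for i in range(0, len(segment), BLOCK_SIZE)]
    block_hashes = [h(b) for b in blocks]      # Hash(block)
    sh = h(b"".join(block_hashes))             # SH = Hash(block hashes)
    sk = keyed(ks, sh)                         # SK = Hash(SH, Ks)
    return {"block_hashes": block_hashes, "sh": sh, "sk": sk}

def client_keys(meta: dict) -> dict:
    """Client side: keys derived from the metadata the server returned."""
    sk, sh = meta["sk"], meta["sh"]
    return {
        "discovery": keyed(sk, sh + b"HoHoDk"),   # Hash(SK, SH+"HoHoDk")
        "encryption": keyed(sk, b"KeKeKe"),       # Hash(SK, "KeKeKe")
    }

def verify_block(meta: dict, index: int, data: bytes) -> bool:
    """Check a block obtained from a peer or hosted cache against the server's hash."""
    return hmac.compare_digest(h(data), meta["block_hashes"][index])

if __name__ == "__main__":
    ks = b"\x01" * 32                      # constructed server secret
    segment = bytes(range(256)) * 1024     # constructed 256 KiB of content
    meta = server_metadata(segment, ks)
    keys = client_keys(meta)
    print("segment hash   :", meta["sh"].hex())
    print("discovery key  :", keys["discovery"].hex())
    print("block 0 intact :", verify_block(meta, 0, segment[:BLOCK_SIZE]))
    print("block 0 altered:", verify_block(meta, 0, b"x" + segment[1:BLOCK_SIZE]))
```

In this model SK depends on Ks, so a party that knows only the content or its block hashes cannot derive the discovery or encryption keys without first obtaining the metadata from the server.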
Security of Data at Rest
Clients
Cache only contains content requested by the client
Data in cache ACL’d so that it is only accessible if authorized by the server
If data leakage is a concern, then use BitLocker or EFS
Hosted Cache
Cache contains content requested by all branch clients
Use BitLocker or EFS to encrypt cache as necessary
All data can be purged from the cache using netsh
BranchCache Benefits
End User Benefits
Improve application responsiveness and reduce file transfer wait time
Combined with other SMB offerings, enhances the user experience on remote shares
IT Pro Benefits
Optimize network utilization:
Recommended for HTTP and HTTPS-based intranet traffic
Performs well for SMB (and signed SMB) shares on the read path
Supports network security protocols (SSL, IPsec)
Reduce the cost of managing WAN
Common Questions
Q: When will this be made available for Vista or XP?
A: It won’t. BranchCache is only supported with Windows 7 Enterprise, Ultimate & Windows 2008 R2 editions.
Q: What size content is cached?
A: 64 KB and greater.
Q: Is there a peer discovery timeout?
A: 300 ms
Q: What kind of encryption is used?
A: Custom scheme based on AES128.
Q: Does knowledge of the hash ID grant access?
A: No. Access must still be granted by the file server.
Common Questions Continued…
Q: Will BranchCache work during WAN outages?
A: No. Clients must be able to contact the content server to get content identifiers.
Q: Can I pre-populate cached files?
A: Yes. Consider using a scheduled task, PowerShell Remoting or some other technique. For WSUS & SCCM, consider targeting one client in each remote office before the others.
Q: How does BranchCache avoid discovery storms?
A: Responses to search requests are staggered. If a client detects that many others on the subnet already have a piece of content, it won’t bother caching it too.
Q: How long does data stay in cache?
A: Until NetSH is used to flush the cache or until the cache is full and starts to roll.
Q: Is BranchCache supported on Server Core?
A: Absolutely.
Microsoft Confidential
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
Hashgen
By default the BranchCache cache is under C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub.