Joey Snow
Technical Evangelist
Microsoft Corporation
Problem background
Solution modes
Deployment
Demo
Deep Dives
Content Identification
Integration architecture
Security
End to end flow
Partners
Resources
Thin, expensive WAN links between main office and branch offices
High link utilization
Poor application responsiveness
Trend towards data centralization
• Distributed – retrieve from other clients in the branch
• Centralized – retrieve from a “hosted cache” in the branch
• Client can only retrieve content locally if authorized by the content server
• All data transfers in the branch are encrypted
• Maintains protocol integrity
• Benefits from protocol optimizations
• Optimizes SSL, IPsec, SMB signing, HTTP, SMB
[Diagram: distributed and hosted cache modes; labels: ID, Search, Data]
Centralized cache of data downloaded by the branch
The Hosted Cache on Windows Server 2008 R2 provides the following features:
A centralized cache for
• Protocols: HTTP, SMB
• E2E encrypted/signed traffic: SSL, IPsec, SMB signing, etc.
Does not “modify” protocols; benefits from protocol optimizations
Configurable size/location/persisted across reboots/flush-able
Works across multiple subnets
Admins can seed content by writing custom scripts
Can be a virtual workload in an appliance
Easy to deploy; clients are configured via policy
Distributed Cache
Data cached amongst clients
Recommended for branches without any infrastructure
Easy to deploy: Enabled on clients through Group Policy
Cache availability decreases with laptops that go offline
Enterprise
Hosted Cache
Data cached at hosted cache server
Recommended for larger branches
Cache stored centrally: can use existing server in the branch
Cache availability is high
Enables branch-wide caching
[Diagram: applications that use BranchCache™ over SMB and HTTP: 3rd Party Applications, Office, Robocopy, Explorer, AppV, SharePoint, BITS, WMP, IE]
Distributed
HQ: Content Server (must run R2)
Branch: Client (must run Win 7 or R2)
Hosted
HQ: Content Server (must run R2)
Branch: Hosted Cache (must run R2)
Branch: Client (must run Win 7)
Works on Server Core R2 as well!
HTTP server (IIS) – Install the BranchCache feature from Server Manager
SMB server (File server) – Install the BranchCache role service feature within the file server role using Server Manager
That’s it…
Identify the “branch”
• An Active Directory Site
• An IP address range
• A collection of specific client computers
Choose how to deploy
• Group Policy
• netsh
Deploy to clients!
• Group policy: Use built-in ADMX files
• netsh: Run netsh branchcache set service distributed on all relevant clients
Set up the hosted cache
• Install the BranchCache feature on an R2 server
• Install a server-auth certificate for use with SSL
• Run netsh branchcache set service hostedserver on the hosted cache
Identify Branch
Choose how to deploy
Deploy to clients!
• Group policy: Use built-in ADMX files
• netsh: Run netsh branchcache set service hostedclient location=<> on all clients
Group Policy to enable clients
Install BranchCache™ feature on an R2 server
[Diagram: File Server, IIS, Group Policy Management, Hosted Cache]
Optionally, install a hosted cache in your branch
Hashes: returned by the server. Segment hashes and block hashes give up to ~2000x data reduction
Blocks: unit of download (B1, B2, … Bn)
Segments: unit of discovery (S1, S2, S3, each made up of blocks B1, B2, … Bn)
[Diagram: content split into segments S1, S2, S3, each split into blocks B1 … Bn]
[Diagram: HTTP integration architecture. Client: IE opens a URL through wininet, which marks the request “BranchCache Capable” and passes the hashlist and data to the BranchCache service. Server: IIS/http.sys gets the data and returns data plus hashlist (H1 H2 H3 H4 H5) through BranchCache.]
[Diagram: SMB integration architecture. Client: the application calls ReadFile; the CSC Service and CSC Driver prefetch the file and access hashes in the CSC Cache; the SMB Client Driver requests hashes and receives the hashlist and data. Server: the SMB Server Driver and the SMB Hash Generation Service (HashGen Utility) generate or update hashes and save them.]
[Diagram: where BranchCache sits in the stack. Client: IE, HTTP (data in clear; BranchCache attaches here), SSL (data encrypted), Sockets (data encrypted), IPsec. Server: IIS, BranchCache (data in clear), HTTP (data in clear), SSL (data encrypted), Sockets (data encrypted), IPsec.]
[Diagram: key derivation chain]
Server secret key (server only): Ks
Block hashes: Hash(block) for each block B1, B2, … Bn
Segment hash (SH): Hash(Blockhashes)
Private segment key (SK): Hash(SH, Ks)
Encryption key: Hash(SK, “KeKeKe”)
Segment discovery key (client): Hash(SK, SH + ”HoHoDk”)
Client requests data from the server, and indicates BranchCache capability
Server authorizes the client
Server retrieves metadata (block hashes, segment hashes, private segment key) for the data
Server sends metadata on the same channel as the data
Client computes a segment discovery key
• Broadcasts on the local network
Serving clients receive the broadcast
• Decrypt the segment hash from the segment discovery key
• Respond with data availability
Client requests blocks from the serving client
Serving client computes the encryption key from the segment private key
• Serving client encrypts each block with the encryption key
Client receives the data
• Decrypts the data
• Validates block data against the block hash
• If valid, returns to application
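The content identification slide (segments, blocks, hashes) and the key derivation and end-to-end flow above fit together in one small model. The following is an added illustration written for this page; it is not Microsoft's implementation and does not reproduce the real on-the-wire format. Assumptions beyond what the slides state: the unkeyed Hash(...) steps use SHA-256 and the keyed ones use HMAC-SHA256 with the first argument as the key (for SK the server secret Ks is used as the HMAC key); the "custom scheme based on AES128" from the FAQ is replaced by an HMAC-SHA256 counter keystream so the example runs on the standard library alone; blocks are shrunk to 16 bytes and the content is a constructed sample. ContentServer, ServingClient, CorruptPeer and fetch_from_branch are invented names for the three roles in the flow.

```python
import hashlib
import hmac
import secrets

BLOCK_SIZE = 16  # constructed demo value so the sample content spans several blocks
SAMPLE = b"constructed sample content long enough to span several sixteen-byte blocks"

def split_blocks(content: bytes, size: int = BLOCK_SIZE) -> list:
    return [content[i:i + size] for i in range(0, len(content), size)]

def block_hash(block: bytes) -> bytes:            # Hash(block): the unit of download
    return hashlib.sha256(block).digest()

def segment_hash(block_hashes: list) -> bytes:     # SH = Hash(block hashes): the unit of discovery
    return hashlib.sha256(b"".join(block_hashes)).digest()

def private_segment_key(sh: bytes, ks: bytes) -> bytes:  # SK = Hash(SH, Ks); only the server holds Ks
    return hmac.new(ks, sh, hashlib.sha256).digest()

def encryption_key(sk: bytes) -> bytes:            # Hash(SK, "KeKeKe")
    return hmac.new(sk, b"KeKeKe", hashlib.sha256).digest()

def discovery_key(sk: bytes, sh: bytes) -> bytes:  # Hash(SK, SH + "HoHoDk"): what gets broadcast
    return hmac.new(sk, sh + b"HoHoDk", hashlib.sha256).digest()

def keystream(ke: bytes, index: int, length: int) -> bytes:
    # Stand-in for the AES-128 based scheme (assumption): HMAC-SHA256 run in counter mode.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(ke, index.to_bytes(4, "big") + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor_block(ke: bytes, index: int, data: bytes) -> bytes:
    # XOR with the block's keystream: the same call encrypts and decrypts.
    return bytes(a ^ b for a, b in zip(data, keystream(ke, index, len(data))))

class ContentServer:
    # HQ content server: holds Ks and authorizes a client before releasing metadata.
    def __init__(self, content: bytes, authorized: set):
        self.ks = secrets.token_bytes(32)  # server secret key; never leaves the server
        self.blocks = split_blocks(content)
        self.authorized = authorized
    def metadata(self, user: str) -> dict:
        if user not in self.authorized:  # "Server authorizes the client"
            raise PermissionError(f"{user} is not allowed to read this content")
        bhs = [block_hash(b) for b in self.blocks]
        sh = segment_hash(bhs)
        # Travels on the same (SSL/IPsec protected) channel as the data itself.
        return {"block_hashes": bhs, "segment_hash": sh, "segment_key": private_segment_key(sh, self.ks)}

class ServingClient:
    # Branch peer that already holds the blocks and their metadata.
    def __init__(self, meta: dict, blocks: list):
        self.sk, self.sh, self.blocks = meta["segment_key"], meta["segment_hash"], blocks
        self.discovery = discovery_key(self.sk, self.sh)
    def has(self, probe: bytes) -> bool:  # answers a discovery broadcast
        return hmac.compare_digest(probe, self.discovery)
    def serve(self, index: int) -> bytes:  # ships the block encrypted under the segment's key
        return xor_block(encryption_key(self.sk), index, self.blocks[index])

class CorruptPeer(ServingClient):
    # Peer whose cache hands back a damaged block; block-hash validation must catch it.
    def serve(self, index: int) -> bytes:
        data = super().serve(index)
        return bytes([data[0] ^ 0x01]) + data[1:]

def fetch_from_branch(meta: dict, peers: list):
    # Requesting client: discover a peer, download encrypted blocks, decrypt, validate.
    probe = discovery_key(meta["segment_key"], meta["segment_hash"])
    responders = [p for p in peers if p.has(probe)]
    if not responders:
        return None  # nothing in the branch; fall back to the WAN
    ke = encryption_key(meta["segment_key"])
    plain = []
    for i, expected in enumerate(meta["block_hashes"]):
        block = xor_block(ke, i, responders[0].serve(i))
        if not hmac.compare_digest(block_hash(block), expected):
            raise ValueError(f"block {i} failed hash validation")
        plain.append(block)
    return b"".join(plain)

def demo() -> dict:
    server = ContentServer(SAMPLE, authorized={"alice", "bob"})
    peer = ServingClient(server.metadata("alice"), server.blocks)  # alice fetched it over the WAN earlier
    bob = server.metadata("bob")
    result = {"peer_copy_ok": fetch_from_branch(bob, [peer]) == SAMPLE}
    # Knowing only the segment hash (the "hash ID") yields neither the discovery key nor the data.
    guess = hashlib.sha256(bob["segment_hash"] + b"HoHoDk").digest()
    result["hash_only_finds_peer"] = peer.has(guess)
    try:
        fetch_from_branch(bob, [CorruptPeer(bob, server.blocks)])
        result["corrupt_block_detected"] = False
    except ValueError:
        result["corrupt_block_detected"] = True
    try:
        server.metadata("mallory")
        result["unauthorized_refused"] = False
    except PermissionError:
        result["unauthorized_refused"] = True
    return result
```

Running demo() shows the properties the FAQ later relies on: a second authorized client gets the same SK from the server and can therefore both find the peer and decrypt its blocks; a party holding only the segment hash gets no response, because the discovery key needs SK and SK needs Ks; and a corrupted block is rejected by the block-hash check before it reaches the application.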
Clients
Cache only contains content requested by the client
Data in cache ACL’d so that it is only accessible if authorized by the server
If data leakage is a concern, then use BitLocker or EFS
Hosted Cache
Cache contains content requested by all branch clients
Use BitLocker or EFS to encrypt cache as necessary
All data can be purged from the cache using netsh
Q: When will this be made available for Vista?
A: It won’t. BranchCache is only supported with Windows 7 Enterprise, Ultimate & Windows 2008 R2 editions.
Q: What size content is cached?
A: 64 KB and greater.
Q: Is there a peer discovery timeout?
A: 300 ms
Q: What kind of encryption is used?
A: Custom scheme based on AES128.
Q: Does knowledge of the hash ID grant access?
A: No. Access must still be granted by the file server.
Q: Will BranchCache work during WAN outages?
A: No. Clients must be able to contact the content server to get content identifiers.
Q: Can I pre-populate cached files?
A: Sure. Consider using a scheduled task, PowerShell Remoting or some other technique. For WSUS & SCCM, consider targeting one client in each remote office before the others.
Q: How does BC avoid discovery storms?
A: Responses to search requests are staggered. Additionally, if a client detects that many others on the subnet already have a piece of content, it won’t bother caching it too.
Q: What happens to the local cache if the BranchCache client mode changes?
A: The local cache is unaffected and will still be used by the client:
• Hosted clients that become Distributed clients will begin responding to WS-D searches, serving data from the same cache.
• Distributed clients that become Hosted clients will stop responding to WS-D searches, but will continue to use the local cache.
Q: How long does data stay in cache?
A: Until netsh is used to flush the cache or until the cache is full and starts to roll.
Q: Is BranchCache supported on Server Core?
A: Absolutely.
BranchCache™ reduces WAN bandwidth consumed by end users for intranet-based HTTP and SMB traffic and improves end user experience
BranchCache™ accelerates delivery of encrypted and signed content such as when using HTTPS, IPsec, SMB signing and at the same time ensures authorization of users by the server at the central office.
BranchCache™ doesn’t require additional equipment in the branch offices and can be easily managed using existing systems management technology such as group policy
BranchCache has a vibrant and growing ecosystem giving customers the choice to pick a solution that works best for their needs
For Windows 7, Microsoft has made numerous improvements that streamline image deployment. These improvements include native compatibility mitigation for an extended range of applications, new and improved image-engineering tools that improve the deployment experience for IT professionals and users alike, as well as improvements that streamline migration of users’ files and settings.
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.