Branch Office Network Performance
Microsoft Confidential: Preliminary Information: NDA Only

Normal Branch Office
- Application and data access over the WAN is slow in branch offices
- Slow connections hurt user productivity
- Improving network performance is expensive and difficult to implement

BranchCache™ (Windows 7 & Server 2008 R2 solution)
- Caches content downloaded from file and Web servers
- Users in the branch can quickly open files stored in the cache
- Frees up network bandwidth for other uses
BranchCache: Two Approaches
(Diagram label: Enterprise)

Distributed Mode
- Recommended for branches without a branch server
- Easy to deploy: enabled on clients through Group Policy
- Cache availability decreases with laptops that go offline

Hosted Mode
- Cache stored centrally on an existing server in the branch
- Cache availability is high
- Enables branch-wide caching
- Increased reliability
Deployment Summary
- Use Group Policy to enable Windows BranchCache on Windows 7 clients
- Install the optional “Windows BranchCache” component on a Windows 2008 R2 web or file server
- Optionally, install a hosted cache in your branch. Configure clients to use it with Group Policy
(Diagram: Main Office with IIS, File Server and Group Policy Management; several Branch Offices, one of them with a Hosted Cache)
How it works: BranchCache Distributed Cache
(Diagram only; labels: Main Office, Branch Office, Get, ID, Data)
How it works: BranchCache Hosted Cache
(Diagram only; labels: Main Office, Branch Office, Get, ID, Data, Search, Advertise, Request, Put)
BranchCache Framework
(Diagram of the component stack)
- Applications: 3rd Party Applications, IE, WMP, SharePoint, Explorer, Office, BITS, CopyFile
- Protocol stacks: HTTP (WebIO/http.sys), SMB (CSC/SRV)
- BranchCache
BranchCache Deployment

Distributed Cache Implementation
- HQ: Content Server (Windows Server 2008 R2 required)
- Branch: Client (Windows 7 required)

Hosted Cache Implementation
- Branch: Hosted Cache (Windows Server 2008 R2 required)
Deployment - Content Server
- HTTP server (IIS): install the BranchCache feature from Server Manager
- SMB server (file server): install the BranchCache role service within the file server role using Server Manager
- That’s it…
- Optional: Hashgen.exe
Deployment - Client

Identify the “branch”
- An Active Directory site
- An IP address range
- A collection of specific client computers

Choose how to deploy
- Group Policy
- netsh

Deploy to clients
- Group Policy: use the built-in ADMX files
- netsh: run “netsh branchcache set service distributed” on all relevant clients
Deployment – Hosted Cache

Set up the Hosted Cache
- Install the BranchCache feature on an R2 server
- Install a server-authentication certificate for use with SSL
- Run “netsh branchcache set service hostedserver” on the hosted cache

Identify the branch

Choose how to deploy

Deploy to clients
- Group Policy: use the built-in ADMX files
- netsh: run “netsh branchcache set service hostedclient location=<>” on all clients
Additional Configuration Options

With Group Policy and netsh you can:
- Enable / disable Distributed Cache
- Enable / disable Hosted Cache
- Set the cache size
- Set the location of the Hosted Cache
- Clear the cache
- Create and replicate a shared key for use in a server cluster
- And more …

Works in domains and workgroups
Content Identifiers
- Hashes: segment hashes and block hashes, returned by the server
- 2000:1 compression ratio (hash metadata vs. content)
- Blocks: unit of download
- Segments: unit of discovery
(Diagram: Content is split into segments S1, S2, S3; each segment is split into blocks B1, B2, …, Bn)
How is SSL optimized?
(Diagram of the IE and IIS protocol stacks. Without BranchCache: HTTP over SSL over Sockets. With BranchCache: HTTP → data in clear → BranchCache → data in clear → SSL → data encrypted → Sockets. BranchCache sits between the HTTP and SSL layers on both client and server, so it handles the data in the clear while the wire traffic stays encrypted.)
Flow – a Security View
1. Client requests data from the server and indicates BranchCache capability
2. Server authorizes the client
3. Server retrieves metadata (block hashes, segment hashes, private segment key) for the data
4. Server sends the metadata on the same channel as the data
5. Client computes a segment discovery key
6. Client broadcasts it on the local network
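The two slides above (content identifiers, and the flow from a security view) describe the metadata the server computes and what the client derives from it. The following is an added illustrative example, not Microsoft's code and not the BranchCache wire format: it models 64 KB blocks (the slide's unit of download) grouped into segments (the unit of discovery), block hashes and a segment hash over them, a private segment key that only the server can derive (assumed here to be an HMAC under a server-held secret), and a discovery key the client can broadcast without revealing the segment hash or key. The 32 MiB segment size, SHA-256, the HMAC derivations and all sample content are constructed assumptions chosen to show the idea; with 32-byte hashes per 64 KB block the metadata ratio comes out near the slide's 2000:1.

```python
# Added illustrative model of BranchCache-style content identifiers.
# NOT Microsoft's implementation and NOT the real protocol format;
# block/segment sizes, hash algorithm and key derivations are assumptions.
import hashlib
import hmac

BLOCK_SIZE = 64 * 1024           # 64 KB block: the slide's "unit of download"
SEGMENT_SIZE = 32 * 1024 * 1024  # assumed segment size (512 blocks): the "unit of discovery"


def block_hashes(segment: bytes) -> list:
    """Hash every 64 KB block of a segment; the final block may be shorter."""
    return [hashlib.sha256(segment[i:i + BLOCK_SIZE]).digest()
            for i in range(0, len(segment), BLOCK_SIZE)]


def segment_hash(hashes: list) -> bytes:
    """Segment hash: a hash over the concatenated block hashes (hash of hashes)."""
    return hashlib.sha256(b"".join(hashes)).digest()


def server_metadata(content: bytes, server_secret: bytes) -> list:
    """Metadata the content server returns to an *authorized* client on the data
    channel: block hashes, segment hash and a private segment key per segment.
    Assumed construction: the private key is an HMAC of the segment hash under a
    secret that never leaves the server, so it cannot be derived from the hashes."""
    segments = []
    for off in range(0, len(content), SEGMENT_SIZE):
        hashes = block_hashes(content[off:off + SEGMENT_SIZE])
        hod = segment_hash(hashes)
        private_key = hmac.new(server_secret, hod, hashlib.sha256).digest()
        segments.append({"block_hashes": hashes, "segment_hash": hod,
                         "private_key": private_key})
    return segments


def discovery_key(seg: dict) -> bytes:
    """Opaque ID the client broadcasts on the LAN to find peers holding the segment.
    Derived one-way from the private key (assumed derivation), so a listener who
    captures it learns neither the segment hash nor the key needed for the data."""
    return hmac.new(seg["private_key"], seg["segment_hash"], hashlib.sha256).digest()


def verify_block(data: bytes, expected_hash: bytes) -> bool:
    """Integrity check on every block fetched from a peer or hosted cache:
    only blocks matching the server-supplied hash are accepted."""
    return hmac.compare_digest(hashlib.sha256(data).digest(), expected_hash)


def metadata_ratio(content_len: int, segments: list) -> float:
    """Bytes of content per byte of hash metadata (the slide's ~2000:1)."""
    meta = sum(len(s["segment_hash"]) + sum(map(len, s["block_hashes"]))
               for s in segments)
    return content_len / meta


def demo_ratio() -> float:
    """One full segment of constructed content: 512 block hashes + 1 segment hash."""
    content = bytes(range(256)) * (SEGMENT_SIZE // 256)
    return metadata_ratio(len(content), server_metadata(content, b"server-secret"))


if __name__ == "__main__":
    secret = b"constructed-server-secret"           # constructed; stays on the server
    content = b"quarterly report " * 12000            # constructed ~200 KB file
    meta = server_metadata(content, secret)
    print(f"{len(meta)} segment(s), {len(meta[0]['block_hashes'])} blocks in the first")
    print("discovery key:", discovery_key(meta[0]).hex())
    print("block 0 verifies:", verify_block(content[:BLOCK_SIZE], meta[0]["block_hashes"][0]))
    print(f"metadata ratio ~ {demo_ratio():.0f}:1")
```

Two properties of the model match the deck's Q&A: a second server secret yields the same segment hash but a different private key and discovery key, so knowing a hash ID alone grants nothing without the server's authorization; and a tampered block from a peer fails verify_block, so peers can serve data but cannot substitute it.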
Security of Data at Rest

Clients
- Cache only contains content requested by the client
- Data in the cache is ACL’d so that it is only accessible if authorized by the server
- If data leakage is a concern, use BitLocker or EFS

Hosted Cache
- Cache contains content requested by all branch clients
- Use BitLocker or EFS to encrypt the cache as necessary
- All data can be purged from the cache using netsh
BranchCache Benefits

End User Benefits
- Improve application responsiveness and reduce file transfer wait time
- Combined with other SMB offerings, enhance the user experience on remote shares

IT Pro Benefits
- Optimize network utilization:
  - Recommended for HTTP- and HTTPS-based intranet traffic
  - Performs well for SMB (and signed SMB) shares on the read path
- Supports network security protocols (SSL, IPsec)
- Reduce the cost of managing the WAN
Common Questions
Q: When will this be made available for Vista or XP?
A: It won’t. BranchCache is only supported with Windows 7 Enterprise, Ultimate & Windows 2008 R2 editions.
Q: What size content is cached?
A: 64 KB and greater.
Q: Is there a peer discovery timeout?
A: 300 ms
Q: What kind of encryption is used?
A: Custom scheme based on AES128.
Q: Does knowledge of the hash ID grant access?
A: No. Access must still be granted by the file server.
Common Questions Continued…
Q: Will BranchCache work during WAN outages?
A: No. Clients must be able to contact the content server to get content identifiers.
Q: Can I pre-populate cached files?
A: Yes. Consider using a scheduled task, PowerShell Remoting or some other technique. For WSUS & SCCM, consider targeting one client in each remote office before the others.
Q: How does BranchCache avoid discovery storms?
A: Responses to search requests are staggered. If a client detects that many others on the subnet already have a piece of content, it won’t bother caching it too.
Q: How long does data stay in cache?
A: Until netsh is used to flush the cache or until the cache is full and starts to roll.
Q: Is BranchCache supported on Server Core?
A: Absolutely.
Hashgen
- Hashgen can pre-populate a directory with hashes
- By default the BranchCache cache is under C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub
- You can find the location with “netsh branchcache show status all”