1

2 Branch Office Network Performance Caches content downloaded from file and Web servers Users in the branch can quickly open files stored in the cache Frees up network bandwidth for other uses Application and data access over WAN is slow in branch offices Slow connections hurt user productivity Improving network performance is expensive and difficult to implement

3 BranchCache

4 Cache stored centrally: existing server in the branch Cache availability is high Enables branch-wide caching Increased reliability BranchCache Enterprise Recommended for branches without a branch server Easy to deploy: Enabled on clients through Group Policy Cache availability decreases with laptops that go offline

5 Get ID Get Data BranchCache Distributed Cache Get ID Data

6 Get ID Put Data BranchCache Hosted Cache Get Data ID Search Get Search Request Advertize ID Data ID Data

7 BranchCache Framework 3rd Party Applications IEIE HTTP (WebIO/http.sys) BranchCacheBranchCache WMPWMP SMB ( CSC/SRV ) SharePointSharePoint ExplorerExplorer OfficeOffice BITSBITS OfficeOffice CopyFileCopyFile

8 BranchCache Deployment Distributed Cache Implementation HQ: Content Server (Windows Server 2008 R2 required) Branch: Client (Windows 7 required) Hosted Cache Implementation HQ: Content Server (Windows Server 2008 R2 required) Branch: Hosted Cache (Windows Server 2008 R2 required) Branch: Client (Windows 7 required)

9 Deployment - Content Server HTTP server (IIS) - Install the BranchCache feature from Server Manager SMB server (File server) – Install the BranchCache role service feature within the file server role using Server Manager That’s it…

10 Deployment - Client Identify the “branch” An Active Directory Site An IP address range A collection of specific client computers Choose how to deploy Group Policy netsh Deploy to clients Group policy: Use built-in ADMX files netsh: Run netsh branchcache set service distributed on all relevant clients

11 Deployment – Hosted Cache Setup the Hosted Cache Install the BranchCache feature on an R2 server Install a server-auth certificate for use with SSL Run netsh branchcache set service hostedserver on the hosted cache Identify Branch Choose how to deploy Deploy to clients Group policy: Use built-in ADMX files netsh: Run netsh branchcache set service hostedclient location=<> on all clients

12 IIS File Server Group Policy Management Install the optional “Windows BranchCache” component on a Windows 2008 R2 web or file server Use Group Policy to enable Windows BranchCache on Windows 7 clients Hosted Cache Optionally, install a hosted cache in your branch. Configure clients to use it with Group Policy Deployment Summary

13 Additional Configuration Options With group policy and NetSH you can: Enable / disable Distributed Cache Enable / disable Hosted Cache Set the cache size Set the location of the Hosted Cache Clear the cache Create and replicate a shared key for use in a server cluster And more … Works in domains and workgroups

14 Monitoring Event logs - Operational logs & Audit logs Perfmon counters - Client, hosted cache and Content Server netsh for querying the infrastructure for potential problems Cache size too small, firewall issues, certificate problems etc MOM pack - for rolling all the information up

15 Improve application responsiveness and reduce file transfer wait time Combined with other SMB offerings enhance the user experience on remote shares Optimize network utilization: Recommended for HTTP and HTTPS-based intranet traffic Performs well for SMB (and signed SMB) shares on the read path Support network security protocols (SSL, Ipsec) Reduce the cost of managing WAN BranchCache Benefits

16 To Summarize BranchCache™ reduces WAN bandwidth consumed by end users for intranet based HTTP and SMB traffic and improves end user experience. BranchCache™ accelerates delivery of encrypted content such as when using HTTPS and IPsec, and at the same time ensures authorization of users by the server at the central office. BranchCache™ doesn’t require additional equipment in the branch offices and can be easily managed using existing systems management technology such as group policy

17 © 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

18 Content identifiers S1S1S2S2S3S3 B1B1B1B1 B1B1B1B1 B2B2B2B2 B2B2B2B2 B1B1B1B1 B1B1B1B1 B2B2B2B2 B2B2B2B2 BnBnBnBn BnBnBnBn B1B1B1B1 B1B1B1B1 B2B2B2B2 B2B2B2B2 BnBnBnBn BnBnBnBn Content Segments Unit of discovery Blocks Unit of download Hashes Returned by server Segment hashes, Block hashes 2000:1 compression ratio BnBnBnBn BnBnBnBn

19 HTTP integration http.sys IIS BranchCa che wininet Open URL “Branch Cache Capable” Get data Data H1 H2 H4 H5 Hashlist Data H3 BranchC ache IE

20 SMB integration SMB Server Driver SMB Server Driver SMB Hash Generation Service HashGen Utility Generate or update hash Application CSC Driver SMB Client Driver CSC Cache Hashlist CSC Service Branch Cache Data Hashlist Request Hashes ReadFile Data Prefetch File Data Access hashes Save hashes Request Hashes Hashlist

21 How is SSL optimized? SocketsSockets SSLSSL HTTPHTTP IEIE SocketsSockets SSLSSL HTTPHTTP IISIIS Data in clear Data encrypted Branch Cache Data encrypted Data in clear

Security B1B1B1B1 B1B1B1B1 B2B2B2B2 B2B2B2B2 BnBnBnBn BnBnBnBn Blocks Block hashes Hash(block) Segment hash (SH) Hash (Blockhashes) Server secret key Ks Private Segment key (SK) Hash(SH, Ks) Encryption key Hash(SK, “KeKeKe”) Segment discovery key Hash(SK, SH+”HoHoDk”) Client Server

Security Flow Client requests data from the server, and indicates BranchCache capability Server authorizes the client Server retrieves metadata (block hashes, segment hashes, private segment key) for the data Server sends data on same channel as data Client computes a segment discovery key Broadcasts on the local network

Security Flow – Continued… Serving clients receive the broadcast Decrypt the segment hash from the segment discovery key Respond with data availability Client requests blocks from the serving client Serving client computes encryption key from the segment private key Serving client encrypts each block with the encryption key Client receives the data Decrypts the data Validates block data against the block hash If valid, returns to application

25 Security of data at rest Clients Cache only contains content requested by the client Data in cache ACL’d so that it is only accessible if authorized by the server If data leakage is a concern, then use BitLocker or EFS Hosted Cache Cache contains content requested by all branch clients Use BitLocker or EFS to encrypt cache as necessary All data can be purged from the cache using netsh Microsoft Confidential