Joey Snow Technical Evangelist Microsoft Corporation
Problem background Solution modes Deployment Demo Deep Dives Content Identification Integration architecture Security End to end flow Partners Resources
Thin, expensive WAN links between main office and branch offices High link utilization Poor application responsiveness Trend towards data centralization
Solution Tenets Optimized Distributed – retrieve from other clients in the branchDistributed – retrieve from other clients in the branch Centralized – retrieve from a “hosted cache” in the branchCentralized – retrieve from a “hosted cache” in the branch Secured Client can only retrieve content locally if authorized by the content serverClient can only retrieve content locally if authorized by the content server All data transfers in the branch are encryptedAll data transfers in the branch are encrypted End to End Maintains protocol integrityMaintains protocol integrity Benefits from protocol optimizationsBenefits from protocol optimizations Optimizes SSL, IPsec, SMB signing, HTTP, SMBOptimizes SSL, IPsec, SMB signing, HTTP, SMB
Get Get ID Get Data Distributed Cache Get ID Data
Get Get ID Put Data Hosted Cache Get Data ID Search Get Search Request Offer Data ID Data
Centralized cache of data downloaded by the branch The Hosted cache on Windows Server 2008 R2 provides the following features A centralized cache for Protocols: HTTP, SMB E2E encrypted/signed traffic: SSL, IPsec, SMB signing etc Does not “modify” protocols; benefits from protocol optimizations Configurable size/location/persisted across reboots/flush-able Works across multiple subnets Admins can seed content by writing custom scripts Can be a virtual workload in an appliance Easy to deploy; clients are configured via policy
Hosted Cache Data cached at hosted cache server Recommended for larger branches Cache stored centrally: can use existing server in the branch Cache availability is high Enables branch-wide caching Hosted Cache vs. Distributed Enterprise Distributed Cache Data cached amongst clients Recommended for branches without any infrastructure Easy to deploy: Enabled on clients through Group Policy Cache availability decreases with laptops that go offline
Overall Framework IEIE HTTPHTTP BranchCache™BranchCache™ SMBSMB Explore r 3 rd Party Applications Robo copy OfficeOffice WMPWMP BIT S OfficeOffice Share Point AppVAppV
Distributed HQ: Content Server (must run R2) Branch: Client (must run Win 7 or R2) Hosted HQ: Content Server (must run R2) Branch: Hosted Cache (must run R2) Branch: Client (must run Win 7) Works on Server Core R2 as well!
HTTP server (IIS) - Install the BranchCache feature from Server Manager SMB server (File server) – Install the BranchCache role service feature within the file server role using Server Manager That’s it…
Deployment - Client Identify the “branch” An Active Directory SiteAn Active Directory Site An IP address rangeAn IP address range A collection of specific client computersA collection of specific client computers Choose how to deploy Group PolicyGroup Policy netshnetsh Deploy to clients! Group policy: Use built-in ADMX filesGroup policy: Use built-in ADMX files netsh: Run netsh branchcache set service distributed on all relevant clientsnetsh: Run netsh branchcache set service distributed on all relevant clients
Deployment – Hosted Cache Setup the hosted cache Install the BranchCache feature on an R2 serverInstall the BranchCache feature on an R2 server Install a server-auth certificate for use with SSLInstall a server-auth certificate for use with SSL Run netsh branchcache set service hostedserver on the hosted cacheRun netsh branchcache set service hostedserver on the hosted cache Identify Branch Choose how to deploy Deploy to clients! Group policy: Use built-in ADMX filesGroup policy: Use built-in ADMX files netsh: Run netsh branchcache set service hostedclient location=<> on all clientsnetsh: Run netsh branchcache set service hostedclient location=<> on all clients
IIS File Server Group Policy Management Install BranchCache™ feature on an R2 server Group Policy to enable clients Hosted Cache Optionally, install a hosted cache in your branch Deployment - Summary
Enable / disable distributed cache mode Enable / disable hosted cache mode Set the cache size Set the location of the hosted cache Clear the cache Create and replicate a shared key for use in a server cluster And more … Works in domains and workgroups
Event logs - Operational logs & Audit logs Perfmon counters - Client, hosted cache and Content Server netsh for querying the infrastructure for | potential problems Cache size too small, firewall issues, certificate problems etc SCOM pack - for rolling all the information up
demo BranchCache in Action
Going Deeper…
Content Identifiers S1S1S2S2S3S3 B1B1B1B1 B1B1B1B1 B2B2B2B2 B2B2B2B2 B1B1B1B1 B1B1B1B1 B2B2B2B2 B2B2B2B2 BnBnBnBn BnBnBnBn B1B1B1B1 B1B1B1B1 B2B2B2B2 B2B2B2B2 BnBnBnBn BnBnBnBn Content Segments Unit of discovery Blocks Unit of download Hashes Returned by server Segment hashes, Block hashes up to ~2000x data reduction BnBnBnBn BnBnBnBn
HTTP Integration http.syshttp.sys IISIIS BranchCacheBranchCache wininetwininet OpenURL “Branch Cache Capable” Get data Data Data Data H1H2H4H5Hashlist Hashlist Hashlist Hashlist Data Data H3 BranchCach e IEIE
SMB Server Driver Driver SMB Hash Generation Service HashGen Utility Generate or update hash ApplicationApplication CSC Driver SMB Client Driver CSC Cache Hashlist CSC Service Branch Cache Data Hashlist Request Hashes Hashes ReadFile Data Prefetch File File Data Data Access hashes Save hashes Request Hashes Hashes Hashlist Hashlist
How is SSL Optimized? SocketsSockets SSLSSL HTTPHTTP IEIE Branch Cache Data encrypted Data in clear Client Server Data encrypted IPsecIPsec SocketsSockets SSLSSL HTTPHTTP IISIIS Data in clear IPsecIPsec Data encrypted
Security B1B1B1B1 B1B1B1B1 B2B2B2B2 B2B2B2B2 BnBnBnBn BnBnBnBn Blocks Block hashes Hash(block) Segment hash (SH) Hash (Blockhashes) Server secret key Ks Private Segment key (SK) Hash(SH, Ks) Encryption key Hash(SK, “KeKeKe”) Segment discovery key Hash(SK, SH+”HoHoDk”) Client Server
Client requests data from the server, and indicates BranchCache capability Server authorizes the client Server retrieves metadata (block hashes, segment hashes, private segment key) for the data Server sends metadata on same channel as data Client computes a segment discovery key Broadcasts on the local network
Serving clients receive the broadcast Decrypt the segment hash from the segment discovery key Respond with data availability Client requests blocks from the serving client Serving client computes encryption key from the segment private key Serving client encrypts each block with the encryption key Client receives the data Decrypts the data Validates block data against the block hash If valid, returns to application
Clients Cache only contains content requested by the client Data in cache ACL’d so that it is only accessible if authorized by the server If data leakage is a concern, then use BitLocker or EFS Hosted Cache Cache contains content requested by all branch clients Use BitLocker or EFS to encrypt cache as necessary All data can be purged from the cache using netsh
Q: When will this be made available for Vista? A: It won’t. BranchCache in only supported with Windows 7 Enterprise, Ultimate & Windows 2008 R2 editions. Q: What size content is cached? A: 64 KB and greater. Q: Is there a peer discovery timeout? A: 300 ms Q: What kind of encryption is used? A: Custom scheme based on AES128. Q: Does knowledge of the hash ID grant access? A: No. Access must still be granted by the file server.
Q: Will BranchCache work during WAN outages? A: No. Clients must be able to contact the content server to get content identifiers. Q: Can I pre-populate cached files? A: Sure. Consider using scheduled task, PowerShell Remoting or some other technique. For WSUS & SCCM, consider targeting one client in each remote office before the others. Q: How doesn’t BC avoid discovery storms? A: Responses to search requests are staggered. Additionally, if a client detects that many others on the subnet already have a piece of content, it won’t bother caching it too.
Q: What happens to the local cache if the BranchCache client mode changes? A: The local cache is unaffected and will still be used by the client: Hosted clients that become Distributed clients will begin responding to WS-D searches, serving data from the same cache. Distributed client that become Hosted clients will stop responding to WS-D searchers, but will continue to use the local cache. Q: How long does data stay in cache? A: Until NetSH is used to flush the cache or until the cache is full and starts to roll. Q: Is BranchCache supported on Server Core? A: Absolutely.
BranchCache™ reduces WAN bandwidth consumed by end users for intranet based HTTP and SMB traffic and improves end user experience BranchCache™ accelerates delivery of encrypted and signed content such as when using HTTPS, IPsec, SMB signing and at the same time ensures authorization of users by the server at the central office. BranchCache™ doesn’t require additional equipment in the branch offices and can be easily managed using existing systems management technology such as group policy BranchCache has a vibrant and growing ecosystem giving customers the choice to pick a solution that works best for their needs
For Windows 7, Microsoft has made numerous improvements that streamline image deployment. These improvements include native compatibility mitigation for an extended range of applications, new and improved image- engineering tools that improve the deployment experience for IT professionals and users alike, as well as improvements that streamline migration of users’ files and settings.
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.