branchcache speeding up the branch office chad duffey premier field engineer microsoft certified...
TRANSCRIPT
BranchCacheSpeeding up the Branch Office
Chad Duffey
Premier Field Engineer
Microsoft Certified Master – Active Directory
December 15th 2011
Agenda
• BranchCache 101• A little Deeper• FAQ’s
Branch Cache Fundamentals
4
Branch Office Network Performance
Caches content downloaded from file and Web serversUsers in the branch can quickly open files stored in the cacheFrees up network bandwidth for other uses
Application and data access over WAN is slow in branch officesSlow connections hurt user productivity Improving network performance is expensive and difficult to implement
Normal Branch Office Windows 7 & Server 2008 R2 SolutionBranchCache™
5
Cache stored centrally: existing server in the branchCache availability is highEnables branch-wide cachingIncreased reliability
BranchCache: Two Approaches
Enterprise
Recommended for branches without a branch serverEasy to deploy: Enabled on clients through Group PolicyCache availability decreases with laptops that go offline
Distributed Mode Hosted Mode
6
IISFile Server
Group PolicyManagement
Install the optional “Windows BranchCache” component on a Windows 2008 R2 web or file server
Use Group Policy to enable Windows BranchCache on Windows 7 clients
HostedCache
Optionally, install a hosted cache in your branch. Configure clients to use it with Group Policy
Deployment Summary
7
Get
GetID
Get
Data
How it works: BranchCache Distributed Cache
Get
IDData
Data
8
Get
GetID
Put
Data
How it works: BranchCache Hosted Cache
Get
DataID
Search
Get
Sear
ch
Request
Advertize
ID
ID
ID
Data
ID
Data
Demonstration of Branch Cache
10
BranchCache Framework
3rd Party Applications
IE
HTTP (WebIO/http.sys)
BranchCache
WMP
SMB(CSC/SRV)
SharePointExplorer Office BITSOffice CopyFile
11
BranchCache Deployment
Distributed Cache Implementation
HQ: Content Server (Windows Server 2008 R2 required)Branch: Client (Windows 7 required)
Hosted Cache Implementation
HQ: Content Server (Windows Server 2008 R2 required) Branch: Hosted Cache (Windows Server 2008 R2 required) Branch: Client (Windows 7 required)
12
Deployment - Content Server
HTTP server (IIS) - Install the BranchCache feature from Server Manager
SMB server (File server) – Install the BranchCache role service feature within the file server role using Server Manager
That’s it…
Optional: Hasgen.exe
13
Deployment - Client
Identify the “branch”• An Active Directory Site• An IP address range• A collection of specific client computers
Choose how to deploy• Group Policy• netsh
Deploy to clients• Group policy: Use built-in ADMX files• netsh: Run netsh branchcache set service distributed on all relevant clients
14
Deployment – Hosted Cache
Setup the Hosted Cache• Install the BranchCache feature on an R2 server• Install a server-auth certificate for use with SSL• Run netsh branchcache set service hostedserver on the
hosted cache
Identify Branch
Choose how to deploy
Deploy to clients• Group policy: Use built-in ADMX files• netsh: Run netsh branchcache set service hostedclient location=<> on all clients
Demonstration of Configuration
16
Additional Configuration Options
With Group Policy and NetSH you can:Enable / disable Distributed CacheEnable / disable Hosted CacheSet the cache sizeSet the location of the Hosted CacheClear the cacheCreate and replicate a shared key for use in a server clusterAnd more …
Works in domains and workgroups
A little deeper…
18
Content identifiers
S1 S2 S3
B1
B2
B1
B2
Bn
B1
B2
Bn
Content
SegmentsUnit of discovery
BlocksUnit of download
HashesReturned by server
Segment hashes, Block hashes2000:1 compression ratio
Bn
19
How is SSL optimized?
Sockets
SSL
HTTP
IE
Sockets
SSL
HTTP
IIS
Data in clear
Data in clear
Data encrypted
BranchCache
BranchCache
Data encrypted
Data in clear
Data in clear
20
Security
B1
B2
BnBlocks
Block hashesHash(block)
Segment hash (SH)Hash (Blockhashes)
Server secret keyKs
Private Segment key (SK)Hash(SH, Ks)
Encryption keyHash(SK, “KeKeKe”)
Segment discovery keyHash(SK, SH+”HoHoDk”)
Client
Server
21
Flow – a Security View
Client requests data from the server, and indicates BranchCache capabilityServer authorizes the clientServer retrieves metadata (block hashes, segment hashes, private segment key) for the dataServer sends metadata on same channel as data
Client computes a segment discovery keyBroadcasts on the local network
22
Security of Data at Rest
ClientsCache only contains content requested by the clientData in cache ACL’d so that it is only accessible if authorized by the serverIf data leakage is a concern, then use BitLocker or EFS
Hosted CacheCache contains content requested by all branch clients Use BitLocker or EFS to encrypt cache as necessary
All data can be purged from the cache using netsh
23
BranchCache Benefits
Improve application responsiveness and reduce file transfer wait timeCombined with other SMB offerings enhance the user experience on remote shares
Optimize network utilization:Recommended for HTTP and HTTPS-based intranet trafficPerforms well for SMB (and signed SMB) shares on the read pathSupport network security protocols (SSL, Ipsec)Reduce the cost of managing WAN
End User Benefits
IT Pro Benefits
Common Questions
Q: When will this be made available for Vista or XP?A: It won’t. BranchCache in only supported with Windows 7 Enterprise, Ultimate & Windows 2008 R2
editions.
Q: What size content is cached?A: 64 KB and greater.
Q: Is there a peer discovery timeout? A: 300 ms
Q: What kind of encryption is used?A: Custom scheme based on AES128.
Q: Does knowledge of the hash ID grant access?A: No. Access must still be granted by the file server.
Common Questions Continued…
Q: Will BranchCache work during WAN outages?A: No. Clients must be able to contact the content server to get content identifiers.
Q: Can I pre-populate cached files?A: Yes. Consider using scheduled task , PowerShell Remoting or some other technique. For WSUS &
SCCM, consider targeting one client in each remote office before the others.
Q: How does Branch Cache avoid discovery storms?A: Responses to search requests are staggered. If a client detects that many others on the subnet
already have a piece of content, it won’t bother caching it too.
Q: How long does data stay in cache? A: Until NetSH is used to flush the cache or until the cache is full and starts to roll.
Q: Is BranchCache supported on Server Core? A: Absolutely.
26
Microsoft Confidential
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of
Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
27
Microsoft Confidential
Hashgen
By default the BranchCache cache is under C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub.