
Page 1: Microsoft India - BranchCache in Windows 7 and Windows Server 2008 R2 Overview Whitepaper

BranchCache in Windows 7 and Windows Server 2008 R2 Overview

Microsoft Windows Family of Operating Systems

Microsoft Corporation

Published: April 2009

Abstract

This document provides an overview of BranchCache, explains the different modes in which BranchCache operates, and describes how BranchCache is configured. The paper also explains how BranchCache works with Web servers and file servers and the steps BranchCache takes to determine that the content is up-to-date.


Copyright information

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2009 Microsoft Corporation. All rights reserved.

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Microsoft, BitLocker, Active Directory, BranchCache, Internet Explorer, Windows, Windows Media, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.


Contents

BranchCache in Windows 7 and Windows Server 2008 R2 Overview ........................................... 5

Technical overview ....................................................................................................................... 5

Modes ........................................................................................................................................... 6

Content metadata ..................................................................................................................... 6

Hosted Cache mode ................................................................................................................. 7

Distributed Cache mode ........................................................................................................... 8

Configuring BranchCache ............................................................................................................. 10

Protocols .................................................................................................................................... 10

Security ...................................................................................................................................... 11

Summary and Resources .............................................................................................................. 12

Additional references ................................................................................................................. 12


BranchCache in Windows 7 and Windows Server 2008 R2 Overview

BranchCache™ is a feature in Windows® 7 and Windows Server® 2008 R2 that can reduce wide area network (WAN) utilization and enhance network application responsiveness when users access content in a central office from branch office locations. When you enable BranchCache, a copy of the content that is retrieved from the Web server or file server is cached within the branch office. If another client in the branch requests the same content, the client can download it directly from the local branch network without needing to retrieve the content by using the Wide Area Network (WAN).

This whitepaper provides an overview of BranchCache, explains the different modes in which BranchCache operates, and describes how BranchCache is configured. The paper also explains how BranchCache works with Web servers and file servers and the steps BranchCache takes to determine that the content is up-to-date.

For a Web version of this document, see BranchCache in Windows 7 and Windows Server 2008 R2 Overview in the Windows 7 Technical Library (http://technet.microsoft.com/en-gb/library/dd349336.aspx).

For a complete view of Windows 7 resources, articles, demos, and guidance, please visit the Springboard Series for Windows 7 on the Windows Client TechCenter.

Technical overview

Users at branch offices often experience poor performance when they use network applications that connect to servers by using the WAN. For example, it might take several seconds or even minutes for a branch-office user to open a large file on a shared folder located on a server at the central office. Similarly, a user attempting to view a video in their Web browser might have to wait for a long time for the video to load.

BranchCache is designed to give branch-office users an experience like being connected directly to the central office. With BranchCache, the first client to download data from a Web server or file server (known as the content server) caches a copy on the local branch network. Subsequent clients download the locally cached copy of the content from within the branch after they are authenticated and authorized by the content server.

BranchCache is designed to work with your existing network and security infrastructure. It supports IPv4, IPv6, and end-to-end encryption methods such as SSL and IPsec. BranchCache ensures that the most up-to-date version of content is served and that clients are authorized by the content server before they can retrieve content from within the branch.

Your system must meet the following requirements to use BranchCache:

- Client computers must be running Windows 7, with the BranchCache feature enabled.

- Web servers and file servers must be running Windows Server 2008 R2, with the BranchCache feature enabled.

Modes

Depending on where the cache is located, BranchCache can operate in one of two modes: Hosted Cache mode or Distributed Cache mode. Hosted Cache mode operates by deploying a computer that is running Windows Server 2008 R2 as a host in the branch office. Clients are configured with the fully qualified domain name of the host computer so that they can retrieve content from the Hosted Cache, when available. If the content is not available in the Hosted Cache, it is retrieved from the content server by using the WAN and then offered to the Hosted Cache so that subsequent clients can benefit.

For branch offices with fewer than 50 users, BranchCache can be configured in Distributed Cache mode. In this mode, local Windows 7 clients keep a copy of the content and make it available to other authorized clients that request the same data. This eliminates the need to have a server in the branch office. However, unlike Hosted Cache mode, this configuration works across a single subnet only (that is, the content has to be retrieved once per subnet in the branch office by using the WAN). In addition, clients that hibernate or otherwise disconnect from the network are not able to provide content to requesting clients. The sections that follow describe Hosted Cache mode and Distributed Cache mode in more detail.

Content metadata

The mechanism for reducing bandwidth is to send metadata about the content (known as content metadata) to clients, which then retrieve the content from within the branch. This reduces WAN bandwidth because the content metadata is significantly smaller than the actual content. Prior to sending content metadata, the server authorizes the client. It is important that the content server sends the content metadata to each client to ensure that the client always receives hashes for the most up-to-date content.

The content is broken into blocks. For each block, a hash is computed (known as the block hash). A hash is also computed on a collection of blocks (known as the segment hash). Content metadata is primarily composed of block hashes and segment hashes. The hash algorithm that is used is SHA-256. The compression ratio achieved is approximately 2000:1. That is, the size of the metadata is ~2000 times smaller than the size of the original data itself.

Segment hashes provide a unit of discovery. This helps reduce the total number of lookups performed for a given piece of content (compared to looking up every block). Block hashes are a unit of download. When a client needs to retrieve data from the Hosted Cache or another client, it downloads the content in units of blocks to ensure that the data can quickly return to the application.

The minimum size of content that BranchCache will cache is 64 KB. When content is less than 64 KB, data is directly retrieved from the content server by using the WAN.


Figure 1 Blocks and hashes

Hosted Cache mode

The Hosted Cache is a central repository of data downloaded from BranchCache-enabled servers into the branch office by BranchCache-enabled clients. The configuration of Hosted Cache mode is described later in this document.

Hosted Cache mode does not require a dedicated server. The BranchCache feature can be enabled on a server that is running Windows Server 2008 R2, which is located in a branch that is also running other workloads. In addition, BranchCache can be set up as a virtual workload and run on a server with other workloads, such as File and Print.

Figure 2 illustrates Hosted Cache mode and provides a simplified illustration of the document caching and retrieval process.

Figure 2 Hosted Cache mode


At a detailed level, Hosted Cache mode uses the following process to cache and retrieve data:

1. The Windows 7 client connects to the content server and requests a file (or part of a file) exactly as it would if it were to retrieve the file without using BranchCache.

2. The content server authenticates and authorizes the client exactly as it would without using BranchCache. If successful, it returns content metadata over the same channel that data would normally have been sent.

3. The client uses the hashes in the metadata to search for the file in the Hosted Cache server. Because this is the first time any client has retrieved the file, it is not already cached on the local network. Therefore, the client retrieves the file directly from the content server.

4. The client establishes a Secure Sockets Layer (SSL) connection with the Hosted Cache server, and it offers the content identifiers over this encrypted channel.

5. The Hosted Cache server connects to the client and retrieves the set of blocks that it does not have cached.

6. A second Windows 7 client requests the same file from the content server. Again, the content server authorizes the user and returns content identifiers.

7. The client uses these identifiers to request the data from the Hosted Cache server. The Hosted Cache server encrypts the data and returns it to the client. (The data is encrypted by using a key that is derived from the hashes sent by the content server as part of the content metadata.)

8. The client decrypts the data, computes the hashes on the blocks received from the Hosted Cache, and ensures that they are identical to the block hashes that the content server provided as part of the content metadata. This ensures that the content has not been modified.

Distributed Cache mode

In Distributed Cache mode, Windows 7 clients cache content that they retrieve by using the WAN, then send that content directly to other authorized Windows 7 clients upon request. Distributed Cache mode is best suited for branch offices with fewer than 50 users.

Figure 3 illustrates Distributed Cache mode and provides a simplified illustration of the caching and retrieval process. The first client to retrieve content from a content server by using the WAN becomes a source for that content within the branch for other clients requesting the same content. When a second client requests the same content, it downloads the content metadata from the content server. The second client then sends a request for the segment hashes on the local network to determine if any other client already has the data cached. Finding the first client, the second client retrieves the content locally from it.


Figure 3 Distributed Cache mode

This process is similar to the process followed by Hosted Cache mode, except that the requests for cached content are sent to the local network and a Hosted Cache server is not required.

At a detailed level, Distributed Cache mode uses the following process to cache and retrieve data:

1. A Windows 7 client connects to the content server and requests a file (or part of a file), exactly as it would if it were to retrieve the file without using BranchCache.

2. The content server authenticates and authorizes the client, and the server returns an identifier that the client uses to search for the file on the local network. Because this is the first time any client has attempted to retrieve the file, it is not already cached on the local network. Therefore, the client retrieves the file directly from the content server and caches it.

3. A second Windows 7 client requests the same file from the content server. The content server authenticates and authorizes the user in exactly the same manner it would if BranchCache were not being used. If successful, it returns content metadata over the same channel that data would normally have been sent.

4. The second client sends a request on the local network for the required file by using the Web Services Discovery (WS-Discovery) multicast protocol. For more information about WS-Discovery, see the whitepaper Web Services Dynamic Discovery.

5. The client that previously cached the file sends the file to the requesting client. The data is encrypted by using a key that is derived from the hashes sent by the content server as part of the content metadata.

6. The client decrypts the data, computes the hashes on the blocks received from the first client, and ensures that they are identical to the block hashes provided as part of the content metadata by the content server. This ensures that the content has not been modified.


Distributed Cache mode allows IT professionals to take advantage of BranchCache with minimal hardware deployments in the branch office. However, if the branch has deployed other infrastructure (for example, servers running workloads such as file or print), using Hosted Cache mode may be beneficial for the following reasons:

- Increased cache availability. Hosted Cache mode increases the cache efficiency because content is available even if the client that originally requested the data is offline.

- Caching for the entire branch office. Distributed Cache mode operates on a single subnet. If a branch office that is using Distributed Cache mode has multiple subnets, a client on each subnet needs to download a separate copy of each requested file. With Hosted Cache mode, all clients in a branch office can access a single cache, even if they are on different subnets.

Configuring BranchCache

BranchCache clients can be managed by using Group Policy settings or the netsh command-line scripting utility. You can use either tool to perform the following configuration tasks on BranchCache clients:

- Enable BranchCache (it is disabled by default).

- Select Distributed Cache or Hosted Cache mode.

- Specify the size of the client computers’ cache (if using Distributed Cache mode). By default, BranchCache uses up to 5% of the hard disk drive for the cache.

- Specify the location of the Hosted Cache (if using Hosted Cache mode).

Details about how to configure a computer for Hosted Cache mode are described in the BranchCache Early Adopter’s Guide (http://go.microsoft.com/fwlink/?LinkID=148641).

The BranchCache Early Adopter’s Guide also describes the following:

- Other configuration options that are available.

- How to monitor BranchCache performance on client computers by using performance counters.

- How to add events to the Event Log to simplify monitoring the health of BranchCache.

Protocols

BranchCache supports the SMB 2 and HTTP 1.1 protocols. Figure 4 shows that applications do not need to communicate directly with BranchCache (although they can if they need to). However, applications accessing the SMB and HTTP interfaces in the Windows 7 and Windows Server 2008 R2 operating systems automatically benefit from BranchCache.

Consequently, applications like Windows Explorer, Robocopy, CopyFile, Windows Media® Player (WMP), Internet Explorer®, Flash, and Silverlight automatically benefit. These benefits are also realized when using HTTPS, IPsec, or SMB signing. However, applications that implement their own SMB or HTTP stacks will not benefit from BranchCache, because BranchCache optimizations are leveraged directly by the SMB and HTTP protocol stack implementations in the Windows 7 and Windows Server 2008 R2 operating systems.

Figure 4 The BranchCache architecture

Security

Security is central to all aspects of BranchCache. This section describes the security of data in transit (over the wire), and at rest (in the client cache or Hosted Cache).

1. A client requests data from the content server, and indicates that it is capable of understanding BranchCache.

2. The content server authenticates and authorizes the client in exactly the same way it would if BranchCache were not being used. That is, authentication and authorization of a client to access data are independent of BranchCache.

3. The content server recognizes that the client can utilize BranchCache, and checks to make sure that the stored metadata is up to date with the content.

4. The content server then sends the metadata on the same channel that data normally would have been sent. If an SSL connection was established between the client and the server, then the hashes are sent back over this encrypted SSL connection.

5. The client that is requesting content obtains the metadata and uses it to look up availability in the branch.

6. The client establishes a connection with the caching computer (a Hosted Cache server when Hosted Cache mode is used, or a peer caching computer when Distributed Cache mode is used), and requests the blocks it wants.

7. The caching computer encrypts the blocks with an encryption key that is derived from the content metadata (using AES 128 by default) and sends them to the client.

8. The client decrypts the data by using the same encryption key as the caching computer. The client and the caching computer compute the same encryption key because they derive it from the same content metadata, which is sent by the content server.

9. After the client decrypts the data, it validates that the data has not been corrupted or tampered with. To do this, the client computes the block hashes on the blocks received, and then compares them to the block hashes received in the content metadata from the server. If the hashes do not match, the client discards the data.
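As an added illustration (not code from the whitepaper or from Windows), the following Python model ties together the content metadata section, the Distributed Cache discovery steps and steps 8 and 9 above: the content server splits a constructed 200 KB file into blocks and hashes them with SHA-256 into block and segment hashes, a cache peer indexes the blocks by segment hash, and the requesting client checks every block it receives against the server's hashes, discarding a corrupted block and fetching that one over the WAN instead. The block size, the number of blocks per segment and the way the segment hash is formed are assumptions; encryption of blocks in transit is left out.

```python
"""Model of BranchCache content metadata and the client's block verification.
Added example, not code from the whitepaper or Windows: block size, blocks per
segment and the form of the segment hash are assumptions; the page only says
blocks are hashed with SHA-256 and that content under 64 KB is not cached."""
import hashlib

BLOCK_SIZE = 64 * 1024      # assumed block size (constructed)
BLOCKS_PER_SEGMENT = 2      # assumed; tiny so the demo yields two segments
MIN_CACHEABLE = 64 * 1024   # from the page: smaller content goes over the WAN


def split_blocks(content):
    return [content[i:i + BLOCK_SIZE] for i in range(0, len(content), BLOCK_SIZE)]


def build_metadata(content):
    """Content server side. Block hashes are the unit of download, segment
    hashes the unit of discovery. Returns None when content is too small."""
    if len(content) < MIN_CACHEABLE:
        return None
    block_hashes = [hashlib.sha256(b).digest() for b in split_blocks(content)]
    segments = []
    for s in range(0, len(block_hashes), BLOCKS_PER_SEGMENT):
        blocks = block_hashes[s:s + BLOCKS_PER_SEGMENT]
        # Assumption: the segment hash is SHA-256 over its block hashes.
        segments.append({"segment_hash": hashlib.sha256(b"".join(blocks)).digest(),
                         "block_hashes": blocks})
    return segments


def metadata_size(segments):
    """Bytes of 32-byte hashes the client receives instead of the content."""
    return sum(32 * (1 + len(s["block_hashes"])) for s in segments)


def offer_to_cache(segments, content):
    """The first client offers what it fetched over the WAN to the Hosted Cache
    (or keeps it as a Distributed Cache peer): blocks indexed by segment hash."""
    blocks = split_blocks(content)
    return {seg["segment_hash"]: blocks[n * BLOCKS_PER_SEGMENT:(n + 1) * BLOCKS_PER_SEGMENT]
            for n, seg in enumerate(segments)}


def client_fetch(metadata, cache, wan_source):
    """Second client: discover segments locally, verify each block against the
    server's hashes, fall back to the WAN. Returns (content, local, wan)."""
    if metadata is None:                         # under 64 KB: whole file via WAN
        return wan_source, 0, 1
    out, local, wan = [], 0, 0
    for n, seg in enumerate(metadata):
        cached = cache.get(seg["segment_hash"])
        for b, expected in enumerate(seg["block_hashes"]):
            block = cached[b] if cached else None
            if block is not None and hashlib.sha256(block).digest() == expected:
                out.append(block)
                local += 1
            else:                                # discard it; use the content server
                off = (n * BLOCKS_PER_SEGMENT + b) * BLOCK_SIZE
                out.append(wan_source[off:off + BLOCK_SIZE])
                wan += 1
    return b"".join(out), local, wan


def demo():
    content = bytes(range(256)) * 800            # constructed 200 KB file: 4 blocks
    meta = build_metadata(content)
    cache = offer_to_cache(meta, content)
    first = next(iter(cache))                    # corrupt one cached block in place
    cache[first][1] = b"\x00" * len(cache[first][1])
    return client_fetch(meta, cache, content)
```

With the 64 KB block size assumed here and 32-byte SHA-256 digests, metadata_size approaches one byte of metadata per 2048 bytes of content for large files, which is where the ~2000:1 figure in the content metadata section comes from.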


The data in the cache is accessible: it is stored in the clear in the Distributed Cache and the Hosted Cache, which is similar to other caches and data on the system (such as the IE cache, the SMB offline files cache, and the file system).

Note

If encryption of the cache is desired, it is recommended that administrators use BitLocker™ on the computer (preferred) or Encrypting File System on the cache file only after the content server authorizes the client.

Summary and Resources

BranchCache, a feature of Windows 7 and Windows Server 2008 R2, improves user productivity and reduces WAN link utilization in branch offices while supporting your existing security requirements. BranchCache can be easily deployed and managed in your environment.

In short:

- BranchCache reduces WAN bandwidth consumed by end-users for intranet-based HTTP and SMB traffic and improves the end-user experience.

- BranchCache accelerates delivery of encrypted content using HTTPS and IPsec and requires content servers to authenticate all users before granting access to cached content.

- BranchCache doesn’t require additional equipment in the branch offices and can be easily managed using Group Policy.

Providing significant bandwidth savings and an improved user experience, BranchCache adds remarkable value to Windows 7 and Windows Server 2008 R2 with little overhead. At the same time, it is simple to deploy and manage.

Additional references

- BranchCache TechNet page (http://go.microsoft.com/fwlink/?LinkId=149834)

- Branch Office TechCenter (http://go.microsoft.com/fwlink/?LinkId=149835)

- BranchCache Executive Overview Whitepaper (http://go.microsoft.com/fwlink/?LinkID=137760)

- BranchCache Early Adopter’s Guide (http://go.microsoft.com/fwlink/?LinkID=148641)

- BranchCache Migration guide (http://go.microsoft.com/fwlink/?LinkID=139091)

- The BitLocker Home page (http://go.microsoft.com/fwlink/?LinkID=141534)