Branch Cache Deep Dive
Joey Snow, Technical Evangelist, Microsoft Corporation

Agenda
• Problem background
• Solution modes
• Deployment
• Demo
• Deep Dives
  • Content Identification
  • Integration architecture
  • Security
  • End to end flow
• Partners
• Resources

Problem Background
• Thin, expensive WAN links between main office and branch offices
• High link utilization
• Poor application responsiveness
• Trend towards data centralization
Distributed Cache
[diagram: Main Office and Branch Office; clients fetch content IDs from the main office (Get / ID) and exchange the data among themselves (Get / Data)]

Hosted Cache
[diagram: Main Office and Branch Office; clients fetch content IDs from the main office (Get / ID), then Search, Request and Get data from the hosted cache, which is populated by Offer / Put]
Hosted Cache
• Centralized cache of data downloaded by the branch
• The Hosted cache on Windows Server 2008 R2 provides the following features
  • A centralized cache for
    • Protocols: HTTP, SMB
    • E2E encrypted/signed traffic: SSL, IPsec, SMB signing etc.
  • Does not “modify” protocols; benefits from protocol optimizations
  • Configurable size/location; persisted across reboots; flush-able
  • Works across multiple subnets
  • Admins can seed content by writing custom scripts
  • Can be a virtual workload in an appliance
  • Easy to deploy; clients are configured via policy

Hosted Cache vs. Distributed
Distributed Cache: data cached amongst clients
• Recommended for branches without any infrastructure
• Easy to deploy: enabled on clients through Group Policy
• Cache availability decreases with laptops that go offline
Enterprise Hosted Cache: data cached at hosted cache server
• Recommended for larger branches
• Cache stored centrally: can use existing server in the branch
• Cache availability is high
• Enables branch-wide caching
Overall Framework
[diagram: 3rd party applications, IE, BITS, WMP, Office, Robocopy, Explorer, Office SharePoint and App-V use SMB and HTTP, which in turn sit on BranchCache™]

Deployment
• Distributed
  • HQ: Content Server (must run R2)
  • Branch: Client (must run Win 7 or R2)
• Hosted
  • HQ: Content Server (must run R2)
  • Branch: Hosted Cache (must run R2)
  • Branch: Client (must run Win 7)
• Works on Server Core R2 as well!

Deployment - Content server
• HTTP server (IIS): install the BranchCache feature from Server Manager
• SMB server (File server): install the BranchCache role service feature within the file server role using Server Manager
• That’s it…

Deployment - Summary
[diagram: Main Office with IIS, File Server and Group Policy Management; several Branch Offices, one with a Hosted Cache]
• Install the BranchCache™ feature on an R2 server
• Use Group Policy to enable clients
• Optionally, install a hosted cache in your branch
Content Identifiers
[diagram: content is split into segments S1, S2, S3, each made of blocks B1, B2, …, Bn]
• Segment hashes and block hashes: up to ~2000x data reduction
• Hashes are returned by the server
• Blocks: unit of download
• Segments: unit of discovery

HTTP Integration
[diagram: IE opens a URL via wininet; the request reaches IIS through http.sys and is marked “Branch Cache Capable”; IIS returns a hashlist (H1 … H5) instead of the data, and the BranchCache component on each side exchanges hashlist and data blocks (e.g. H3)]

SMB Integration
[diagram: Application → CSC Service → CSC Driver → SMB Client Driver → SMB Server Driver; on the server, the SMB Hash Generation Service and the HashGen utility generate or update hashes and save them; the client issues ReadFile, requests hashes, prefetches the file and stores hashlist and data in the CSC cache, while BranchCache exchanges hashlist and data]

How is SSL Optimized?
[diagram: on both server (IIS) and client (IE), BranchCache sits between the application and HTTP, where data is in the clear; SSL, Sockets and IPsec sit below it and carry the data encrypted]

Security
Server side:
• Blocks B1, B2, …, Bn
• Block hashes = Hash(block)
• Segment hash (SH) = Hash(block hashes)
• Server secret key Ks
• Private segment key (SK) = Hash(SH, Ks)
Client side:
• Segment discovery key = Hash(SK, SH + ”HoHoDk”)
• Encryption key = Hash(SK, “KeKeKe”)
Flow – a Security View
• Client requests data from the server, and indicates BranchCache capability
• Server authorizes the client
• Server retrieves metadata (block hashes, segment hashes, private segment key) for the data
• Server sends metadata on same channel as data
• Client computes a segment discovery key
• Broadcasts on the local network

Flow, Continued
• Serving clients receive the broadcast
• Decrypt the segment hash from the segment discovery key
• Respond with data availability
• Client requests blocks from the serving client
• Serving client computes encryption key from the segment private key
• Serving client encrypts each block with the encryption key
• Client receives the data
• Decrypts the data
• Validates block data against the block hash
• If valid, returns to application
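As an added, illustrative example (not code from this deck or from Microsoft's implementation), the following Python models the Content Identifiers slide, the key hierarchy on the Security slide and the discovery/validation steps of the flow above. SHA-256 as the hash, HMAC-SHA256 as the keyed Hash(key, msg), 64 KB blocks and four blocks per segment are assumptions; the deck's AES128 block encryption is left out, so the peer returns blocks in the clear and the requesting client only validates them against the server-supplied block hashes.

```python
import hashlib
import hmac

BLOCK_SIZE = 64 * 1024       # deck: content of 64 KB and greater is cached; block = unit of download
BLOCKS_PER_SEGMENT = 4       # assumption: the deck does not state a segment size

def h(data: bytes) -> bytes:
    """Unkeyed hash used for Hash(block) and Hash(block hashes). SHA-256 is an assumption."""
    return hashlib.sha256(data).digest()

def keyed(key: bytes, msg: bytes) -> bytes:
    """Keyed hash Hash(key, msg) from the Security slide, modelled as HMAC-SHA256 (assumption)."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def identify(content: bytes, ks: bytes) -> list:
    """Content server: block hashes, segment hash SH and private segment key SK per segment."""
    segments, seg_len = [], BLOCK_SIZE * BLOCKS_PER_SEGMENT
    for s in range(0, len(content), seg_len):
        blocks = [content[b:b + BLOCK_SIZE] for b in range(s, min(s + seg_len, len(content)), BLOCK_SIZE)]
        block_hashes = [h(blk) for blk in blocks]   # Block hashes = Hash(block)
        sh = h(b"".join(block_hashes))               # Segment hash (SH) = Hash(block hashes)
        sk = keyed(ks, sh)                           # Private segment key (SK) = Hash(SH, Ks)
        segments.append({"blocks": blocks, "block_hashes": block_hashes, "sh": sh, "sk": sk})
    return segments

def discovery_key(sk: bytes, sh: bytes) -> bytes:
    """Segment discovery key = Hash(SK, SH + "HoHoDk"); this is what the client broadcasts."""
    return keyed(sk, sh + b"HoHoDk")

def encryption_key(sk: bytes) -> bytes:
    """Encryption key = Hash(SK, "KeKeKe"); the serving client derives it from the segment key."""
    return keyed(sk, b"KeKeKe")

def find_segment(cache: list, disc_key: bytes):
    """Serving client: recompute the discovery key for each cached segment and match the broadcast."""
    for seg in cache:
        if hmac.compare_digest(discovery_key(seg["sk"], seg["sh"]), disc_key):
            return seg
    return None

def validate_block(block: bytes, expected_hash: bytes) -> bool:
    return hmac.compare_digest(h(block), expected_hash)

def fetch_from_peer(peer_cache: list, disc_key: bytes, block_hashes: list):
    """Requesting client: take blocks from a peer, keeping only those that match the server's hashes."""
    seg = find_segment(peer_cache, disc_key)
    if seg is None:
        return None                                  # no peer has it: fetch over the WAN instead
    return [blk if validate_block(blk, bh) else None for blk, bh in zip(seg["blocks"], block_hashes)]
```

Because SK is derived from the server secret Ks, a peer that learns a segment hash alone cannot produce the discovery key or the encryption key, which is the point behind the “does knowledge of the hash ID grant access?” answer below.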
Security of Data at Rest
• Clients
  • Cache only contains content requested by the client
  • Data in cache is ACL’d so that it is only accessible if authorized by the server
  • If data leakage is a concern, then use BitLocker or EFS
• Hosted Cache
  • Cache contains content requested by all branch clients
  • Use BitLocker or EFS to encrypt the cache as necessary
  • All data can be purged from the cache using netsh
The usual answers…
Q: When will this be made available for Vista?
A: It won’t. BranchCache is only supported with Windows 7 Enterprise, Ultimate and Windows Server 2008 R2 editions.
Q: What size content is cached?
A: 64 KB and greater.
Q: Is there a peer discovery timeout?
A: 300 ms.
Q: What kind of encryption is used?
A: Custom scheme based on AES128.
Q: Does knowledge of the hash ID grant access?
A: No. Access must still be granted by the file server.

The usual answers… (cont’d)
Q: Will BranchCache work during WAN outages?
A: No. Clients must be able to contact the content server to get content identifiers.
Q: Can I pre-populate cached files?
A: Sure. Consider using scheduled tasks, PowerShell Remoting or some other technique. For WSUS and SCCM, consider targeting one client in each remote office before the others.
Q: How does BC avoid discovery storms?
A: Responses to search requests are staggered. Additionally, if a client detects that many others on the subnet already have a piece of content, it won’t bother caching it too.

The usual answers… (last one)
Q: What happens to the local cache if the BranchCache client mode changes?
A: The local cache is unaffected and will still be used by the client:
• Hosted clients that become Distributed clients will begin responding to WS-D searches, serving data from the same cache.
• Distributed clients that become Hosted clients will stop responding to WS-D searches, but will continue to use the local cache.
Q: How long does data stay in the cache?
A: Until netsh is used to flush the cache, or until the cache is full and starts to roll.
Q: Is BranchCache supported on Server Core?
A: Absolutely.
To Summarize
• BranchCache™ reduces WAN bandwidth consumed by end users for intranet-based HTTP and SMB traffic and improves the end user experience
• BranchCache™ accelerates delivery of encrypted and signed content, such as when using HTTPS, IPsec or SMB signing, and at the same time ensures authorization of users by the server at the central office
• BranchCache™ doesn’t require additional equipment in the branch offices and can be easily managed using existing systems management technology such as Group Policy
• BranchCache has a vibrant and growing ecosystem, giving customers the choice to pick a solution that works best for their needs

Conclusion
• For Windows 7, Microsoft has made numerous improvements that streamline image deployment. These improvements include native compatibility mitigation for an extended range of applications, new and improved image-engineering tools that improve the deployment experience for IT professionals and users alike, as well as improvements that streamline migration of users’ files and settings.
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.