BranchCache in Windows 7 and Windows Server 2008 R2 Overview
Microsoft Windows Family of Operating Systems
Microsoft Corporation
Published: April 2009
Abstract
This document provides an overview of BranchCache, explains
the different modes in which BranchCache operates, and describes how
BranchCache is configured. The paper also explains how BranchCache works with
Web servers and file servers and the steps BranchCache takes to determine that
the content is up-to-date.
Copyright information
The information contained in this document represents the
current view of Microsoft Corporation on the issues discussed as of the date of
publication. Because Microsoft must respond to changing market conditions, it
should not be interpreted to be a commitment on the part of Microsoft, and
Microsoft cannot guarantee the accuracy of any information presented after the
date of publication.
This white paper is for informational purposes only.
MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.
Complying with all applicable copyright laws is the
responsibility of the user. Without limiting the rights under copyright, no
part of this document may be reproduced, stored in, or introduced into a
retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without
the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks,
copyrights, or other intellectual property rights covering subject matter in
this document. Except as expressly provided in any written license agreement
from Microsoft, the furnishing of this document does not give you any license
to these patents, trademarks, copyrights, or other intellectual property.
© 2009 Microsoft Corporation. All rights reserved.
The example companies, organizations, products, domain
names, e-mail addresses, logos, people, places, and events depicted herein are
fictitious. No association with any real company, organization, product, domain
name, e-mail address, logo, person, place, or event is intended or should be
inferred.
Microsoft, BitLocker, Active Directory, BranchCache, Internet Explorer, Windows,
Windows Media, Windows Server, and Windows Vista are either registered trademarks
or trademarks of Microsoft Corporation in the United States and/or other countries.
BranchCache™ is a feature in Windows® 7 and Windows
Server® 2008 R2 that can reduce wide area network (WAN) utilization
and enhance network application responsiveness when users access content in a
central office from branch office locations. When you enable BranchCache, a
copy of the content that is retrieved from the Web server or file server is
cached within the branch office. If another client in the branch requests the
same content, the client can download it directly from the local branch network
without needing to retrieve the content again over the WAN.
This whitepaper provides an overview of BranchCache,
explains the different modes in which BranchCache operates, and describes how
BranchCache is configured. The paper also explains how BranchCache works with
Web servers and file servers and the steps BranchCache takes to determine that
the content is up-to-date.
For a Web version of this document, see BranchCache in
Windows 7 and Windows Server 2008 R2 Overview in the Windows 7
Technical Library (http://technet.microsoft.com/en-gb/library/dd349336.aspx).
For a complete view of Windows 7 resources, articles,
demos, and guidance, please visit the Springboard Series for
Windows 7 on the Windows Client TechCenter.
Technical overview
Users at branch offices often experience poor performance
when they use network applications that connect to servers by using the WAN.
For example, it might take several seconds or even minutes for a branch-office
user to open a large file on a shared folder located on a server at the central
office. Similarly, a user attempting to view a video in their Web browser might
have to wait for a long time for the video to load.
BranchCache is designed to give branch-office users an
experience like being connected directly to the central office. With
BranchCache, the first client to download data from a Web server or file server
(known as the content server) caches a copy on the local branch network.
Subsequent clients download the locally cached copy of the content from within
the branch after they are authenticated and authorized by the content server.
BranchCache is designed to work with your existing network
and security infrastructure. It supports IPv4, IPv6, and end-to-end encryption
methods such as SSL and IPsec. BranchCache ensures that the most up-to-date
version of content is served and that clients are authorized by the content
server before they can retrieve content from within the branch.
Your system must meet the following requirements to use
BranchCache:
· Client
computers must be running Windows 7, with the BranchCache feature enabled.
· Web
servers and file servers must be running Windows Server 2008 R2, with the
BranchCache feature enabled.
Modes
Depending on where the cache is located, BranchCache can operate
in one of two modes: Hosted Cache mode or Distributed Cache mode. The Hosted
Cache mode operates by deploying a computer that is running Windows
Server 2008 R2 as a host in the branch office. Clients are configured
with the fully qualified domain name of the host computer so that they can
retrieve content from the Hosted Cache, when available. If the content is not
available in the Hosted Cache, it is retrieved from the content server by using
the WAN and then offered to the Hosted Cache so that subsequent clients can
benefit.
For branch offices with fewer than 50 users, BranchCache can
be configured in Distributed Cache mode. In this mode, local Windows 7
clients keep a copy of the content and make it available to other authorized
clients that request the same data. This eliminates the need to have a server
in the branch office. However, unlike Hosted Cache mode, this configuration
works across a single subnet only (that is, the content has to be retrieved
once per subnet in the branch office by using the WAN). In addition, clients
that hibernate or otherwise disconnect from the network are not able to provide
content to requesting clients. The sections that follow describe Hosted Cache
mode and Distributed Cache mode in more detail.
Content metadata
The mechanism for reducing bandwidth is to send metadata
about the content (known as content metadata) to clients, which retrieve the
content from within the branch. This reduces the WAN bandwidth because the
content metadata is significantly smaller than the actual content. Prior to
sending content metadata, the server authorizes the client. It is important that
the content server sends the content metadata to each client, because this ensures
that every client always receives hashes for the most up-to-date content.
The content is broken into blocks. For each block, a hash is
computed (known as the block hash). A hash is also computed on a collection of
blocks (known as the segment hash). Content metadata is primarily composed of
block hashes and segment hashes. The hash algorithm that is used is SHA-256.
The compression ratio achieved is approximately 2000:1. That is, the size of
the metadata is ~2000 times smaller than the size of the original data itself.
Segment hashes provide a unit of discovery. This helps reduce
the total number of lookups performed for a given content (compared to looking
up every block). Block hashes are a unit of download. When a client needs to
retrieve data from the Hosted Cache or another client, it downloads the content
in units of blocks to ensure that the data can quickly return to the
application.
The minimum size of content that BranchCache would cache is
64 KB. When content is less than 64 KB, data is directly retrieved from the
content server by using the WAN.
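The following is an added example, not code from the white paper or from the BranchCache implementation. It builds content metadata the way the text describes (SHA-256 over fixed-size blocks, a segment hash over each group of block hashes), applies the 64 KB minimum, and measures the resulting metadata-to-content ratio. The block size of 64 KB and the 512 blocks per segment are assumptions; the page states neither, only the hash algorithm, the 64 KB minimum and the ~2000:1 ratio. With 32-byte digests over 64 KB blocks the ratio works out to just under 2048:1, which is consistent with the figure quoted above. The `metadata_is_current` check mirrors the server-side verification, described in the Security section, that stored metadata still matches the content before it is sent.

```python
import hashlib
from typing import List, NamedTuple, Optional

BLOCK_SIZE = 64 * 1024         # assumed: 64 KB blocks (the page does not state the block size)
BLOCKS_PER_SEGMENT = 512       # assumed: 512 blocks (32 MB) per segment
MIN_CACHEABLE = 64 * 1024      # from the page: content smaller than 64 KB is fetched over the WAN
HASH_LEN = 32                  # SHA-256 digest length in bytes


class Segment(NamedTuple):
    segment_hash: bytes          # unit of discovery (one lookup per segment)
    block_hashes: List[bytes]    # units of download (one hash per block)


def block_hashes(content: bytes) -> List[bytes]:
    """SHA-256 of every BLOCK_SIZE slice of the content (last block may be short)."""
    return [hashlib.sha256(content[i:i + BLOCK_SIZE]).digest()
            for i in range(0, len(content), BLOCK_SIZE)]


def build_metadata(content: bytes) -> Optional[List[Segment]]:
    """Return the content metadata, or None when the content is below the 64 KB minimum."""
    if len(content) < MIN_CACHEABLE:
        return None
    hashes = block_hashes(content)
    segments = []
    for start in range(0, len(hashes), BLOCKS_PER_SEGMENT):
        group = hashes[start:start + BLOCKS_PER_SEGMENT]
        # Segment hash = SHA-256 over the concatenated block hashes of the group.
        segments.append(Segment(hashlib.sha256(b"".join(group)).digest(), group))
    return segments


def metadata_size(segments: List[Segment]) -> int:
    """Bytes of hash material: one segment hash plus one hash per block, per segment."""
    return sum(HASH_LEN * (1 + len(s.block_hashes)) for s in segments)


def compression_ratio(content: bytes, segments: List[Segment]) -> float:
    """How many times smaller the metadata is than the content it describes."""
    return len(content) / metadata_size(segments)


def metadata_is_current(content: bytes, segments: List[Segment]) -> bool:
    """Server-side check: does previously stored metadata still match the content?"""
    return build_metadata(content) == segments


# Constructed sample content: 1 MiB of repeating bytes, i.e. 16 blocks of 64 KB.
SAMPLE_CONTENT = bytes(range(256)) * 4096


if __name__ == "__main__":
    segs = build_metadata(SAMPLE_CONTENT)
    print("segments:", len(segs), "blocks:", len(segs[0].block_hashes))
    print("metadata bytes:", metadata_size(segs),
          "ratio: %.1f:1" % compression_ratio(SAMPLE_CONTENT, segs))
    print("small content cached:", build_metadata(b"x" * 1000) is not None)
```

The 1 MiB sample yields a single segment of 16 block hashes, 544 bytes of metadata and a ratio of about 1928:1; a change to a single byte of the content changes one block hash and therefore the segment hash, so `metadata_is_current` returns False until the server recomputes the metadata.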
Figure 1 Blocks and hashes
Hosted Cache mode
The Hosted Cache is a central repository of data downloaded
from BranchCache enabled servers into the branch office by BranchCache enabled
clients. The configuration of Hosted Cache mode is described later in this
document.
Hosted Cache mode does not require a dedicated server. The
BranchCache feature can be enabled on a server that is running Windows
Server 2008 R2, which is located in a branch that is also running
other workloads. In addition, BranchCache can be set up as a virtual workload
and run on a server with other workloads, such as File and Print.
Figure 2 illustrates Hosted Cache mode and provides a
simplified illustration of the document caching and retrieval process.
Figure 2 Hosted Cache mode
At a detailed level, Hosted Cache mode uses the following
process to cache and retrieve data:
1. The Windows 7 client connects to the
content server and requests a file (or part of a file) exactly as it would if
it were to retrieve the file without using BranchCache.
2. The content server authenticates and
authorizes the client exactly as it would without using BranchCache. If
successful, it returns content metadata over the same channel that data would
normally have been sent.
3. The client uses the hashes in the metadata to
search for the file in the Hosted Cache server. Because this is the first time
any client has retrieved the file, it is not already cached on the local
network. Therefore, the client retrieves the file directly from the content
server.
4. The client establishes a Secure Sockets Layer
(SSL) connection with the Hosted Cache server, and it offers the content
identifiers over this encrypted channel.
5. The Hosted Cache server connects to the
client and retrieves the set of blocks that it does not have cached.
6. A second Windows 7 client requests the
same file from the content server. Again, the content server authorizes the
user and returns content identifiers.
7. The client uses these identifiers to request
the data from the Hosted Cache server. The Hosted Cache server encrypts the
data and returns it to the client. (The data is encrypted by using a key that
is derived from the hashes sent by the content server as part of the content
metadata.)
8. The client decrypts the data, computes the
hashes on the blocks received from the Hosted Cache, and ensures that it is
identical to the block hashes that the content server provided as part of the
content metadata. This ensures that the content has not been modified.
Distributed Cache mode
In Distributed Cache mode, Windows 7 clients cache
content that they retrieve by using the WAN, then send that content directly to
other authorized Windows 7 clients upon request. Distributed Cache mode is
best suited for branch offices with fewer than 50 users.
Figure 3 illustrates Distributed Cache mode and
provides a simplified illustration of the caching and retrieval process. The
first client to retrieve content from a content server by using the WAN becomes
a source for that content within the branch for other clients requesting the
same content. When a second client requests the same content, it downloads the
content metadata from the content server. The second client then sends a
request for the segment hashes on the local network to determine if any other
client already has the data cached. Finding the first client, the second client
retrieves the content locally from it.
Figure 3 Distributed Cache mode
This process is similar to the process followed by the
Hosted Cache mode, except that the requests for cached content are sent to the
local network and a Hosted Cache server is not required.
At a detailed level, the Distributed Cache mode uses the
following process to cache and retrieve data:
1. A Windows 7 client connects to the
content server and requests a file (or part of a file), exactly as it would if
it were to retrieve the file without using BranchCache.
2. The content server authenticates and
authorizes the client, and the server returns an identifier that the client
uses to search for the file on the local network. Because this is the first
time any client has attempted to retrieve the file, it is not already cached on
the local network. Therefore, the client retrieves the file directly from the
content server and caches it.
3. A second Windows 7 client requests the
same file from the content server. The content server authenticates and
authorizes the user in exactly the same manner it would if BranchCache were not
being used. If successful, it returns content metadata over the same channel that
data would normally have been sent.
4. The second client sends a request on the
local network for the required file by using the Web Services Discovery
(WS-Discovery) multicast protocol. For more information about WS-Discovery,
see the white paper Web Services Dynamic Discovery.
5. The client that previously cached the file
sends the file to the requesting client. The data is encrypted by using a key
that is derived from the hashes sent by the content server as part of the
content metadata.
6. The client decrypts the data, computes the
hashes on the blocks received from the first client, and ensures that it is
identical to the block hashes provided as part of the content metadata by the
content server. This ensures that the content has not been modified.
Distributed Cache mode allows IT professionals to take
advantage of BranchCache with minimal hardware deployments in the branch
office. However, if the branch has deployed other infrastructure (for example,
servers running workloads such as file or print), using Hosted Cache mode may
be beneficial for the following reasons:
· Increased cache availability. Hosted Cache mode
increases the cache efficiency because content is available even if the client
that originally requested the data is offline.
· Caching for the entire branch office. Distributed
Cache mode operates on a single subnet. If a branch office that is using
Distributed Cache mode has multiple subnets, a client on each subnet needs to
download a separate copy of each requested file. With Hosted Cache mode, all
clients in a branch office can access a single cache, even if they are on
different subnets.
Configuration
BranchCache clients can be managed by using Group Policy
settings or the netsh command-line scripting utility. You can use either tool
to perform the following configuration tasks on BranchCache clients:
· Enable
BranchCache (it is disabled by default).
· Select
Distributed Cache or Hosted Cache mode.
· Specify
the size of the client computers’ cache (if using Distributed Cache mode). By
default, BranchCache uses up to 5% of the hard disk drive for the cache.
· Specify
the location of the Hosted Cache (if using Hosted Cache mode).
Details about how to configure a computer for Hosted Cache
mode are provided in the BranchCache Early Adopter’s
Guide (http://go.microsoft.com/fwlink/?LinkID=148641).
The BranchCache Early Adopter’s Guide also describes the
following:
· Other
configuration options that are available.
· How
to monitor BranchCache performance on client computers by using performance
counters.
· How
to add events to the Event Log to simplify monitoring the health of
BranchCache.
Protocols
BranchCache supports the SMB 2 and HTTP 1.1
protocols. Figure 4 shows that applications do not need to directly
communicate with BranchCache (although they can if they need to). However,
applications accessing SMB and HTTP interfaces in the Windows 7 and
Windows Server 2008 R2 operating systems automatically benefit from
BranchCache.
Consequently, applications like Windows Explorer, Robocopy,
CopyFile, Windows Media® Player (WMP), Internet Explorer®, Flash, and
Silverlight automatically benefit. These benefits are also realized when using
HTTPS, IPsec, or SMB signing. However, applications that implement their own SMB
or HTTP stacks will not benefit from BranchCache, because the BranchCache
optimizations are applied directly inside the SMB and HTTP protocol stack
implementations in the Windows 7 and Windows Server 2008 R2 operating systems.
Figure 4 The BranchCache architecture
Security
Security is central to all aspects of BranchCache. This
section describes the security of data in transit (over the wire), and at rest
(in the client cache or Hosted Cache).
1. A client requests data from the content
server, and indicates that it is capable of understanding BranchCache.
2. The content server authenticates and
authorizes the client in exactly the same way it would if BranchCache were not
being used. That is, authentication and authorization of a client to access
data are independent of BranchCache.
3. The content server recognizes that the client
can utilize BranchCache, and checks to make sure that the stored metadata is up
to date with the content.
4. The content server then sends the metadata on
the same channel that data normally would have been sent. If an SSL connection
were established between the client and the server, then the hashes are sent
back over this encrypted SSL connection.
5. The client that is requesting content obtains
the metadata and uses it to look up availability in the branch.
6. The client establishes a connection with the
caching computer (a Hosted Cache server when Hosted Cache mode is used, or a
peer caching computer when Distributed Cache mode is used), and requests the
blocks it wants.
7. The caching computer encrypts the blocks with
an encryption key that is derived from the content metadata (using AES 128
by default) and sends it to the client.
8. The client decrypts the data by using the
same encryption key as the caching computer. The client and the caching computer
compute the same encryption key because they derive it from the same content
metadata, which is sent by the content server.
9. After the client decrypts the data, it
validates that the data is not corrupted or tampered. To do this, the client
computes the block hashes on the blocks received, and then compares them to the
block hashes received in the content metadata from the server. If the hashes do
not match, the client discards the data.
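The nine steps above, as an added example that is not part of the white paper or of the BranchCache implementation. A content server authorizes a client and answers with metadata instead of data; a caching computer (Hosted Cache server or Distributed Cache peer) serves blocks encrypted under a key derived from that metadata; the client derives the same key, decrypts, and discards any block whose SHA-256 does not match the block hash the content server sent. Two things are stand-ins and are labelled as such in the code: the key derivation (HMAC-SHA256 truncated to 128 bits; the page says only that the key is derived from the metadata) and the cipher (a SHA-256 counter keystream in place of the AES-128 the page names, because the Python standard library has no AES). The 64 KB block size, the client names and the tampered peer are constructed for the demonstration.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

BLOCK_SIZE = 64 * 1024  # assumed block size; the page gives only the 64 KB minimum cacheable size


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class ContentServer:
    """Authoritative server: authorizes clients, then hands out metadata instead of data."""

    def __init__(self, content: bytes, authorized_clients: List[str]):
        self.content = content
        self.authorized = set(authorized_clients)
        self.block_hashes = [sha256(content[i:i + BLOCK_SIZE])
                             for i in range(0, len(content), BLOCK_SIZE)]
        self.segment_hash = sha256(b"".join(self.block_hashes))

    def request_metadata(self, client_id: str) -> Optional[dict]:
        # Steps 1-4: authorization is exactly as without BranchCache; only an
        # authorized client ever receives the hashes.
        if client_id not in self.authorized:
            return None
        return {"segment_hash": self.segment_hash, "block_hashes": self.block_hashes}


def derive_key(segment_hash: bytes) -> bytes:
    # Stand-in derivation (assumption): HMAC-SHA256 of a fixed label keyed by the
    # segment hash, truncated to 128 bits. The page only says the key is derived
    # from the content metadata; the real derivation is not given.
    return hmac.new(segment_hash, b"demo-block-key", hashlib.sha256).digest()[:16]


def xor_keystream(key: bytes, block_index: int, data: bytes) -> bytes:
    # Stand-in for the AES-128 cipher the page describes: a SHA-256 counter-mode
    # keystream XORed over the block. Symmetric, so it both encrypts and decrypts.
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += sha256(key + block_index.to_bytes(4, "big") + counter.to_bytes(4, "big"))
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class CachingPeer:
    """Hosted Cache server or Distributed Cache peer: holds blocks, serves them encrypted."""

    def __init__(self):
        self.store: Dict[bytes, List[bytes]] = {}

    def offer(self, segment_hash: bytes, blocks: List[bytes]) -> None:
        self.store[segment_hash] = list(blocks)

    def has(self, segment_hash: bytes) -> bool:
        return segment_hash in self.store

    def serve(self, segment_hash: bytes, index: int) -> bytes:
        # Step 7: encrypt with the key derived from the metadata.
        return xor_keystream(derive_key(segment_hash), index, self.store[segment_hash][index])


def fetch_block(peer: CachingPeer, metadata: dict, index: int) -> Optional[bytes]:
    """Steps 5-9 from the client's side; None means 'not usable, go to the content server'."""
    seg = metadata["segment_hash"]
    if not peer.has(seg):
        return None                      # cache miss in the branch
    ciphertext = peer.serve(seg, index)
    plaintext = xor_keystream(derive_key(seg), index, ciphertext)   # step 8
    if sha256(plaintext) != metadata["block_hashes"][index]:
        return None                      # step 9: hash mismatch, discard the block
    return plaintext


# Constructed sample content: 128 KB, i.e. two 64 KB blocks.
CONTENT = bytes(range(256)) * 512


def run_demo() -> dict:
    server = ContentServer(CONTENT, authorized_clients=["alice", "bob"])
    honest = CachingPeer()
    honest.offer(server.segment_hash, [CONTENT[:BLOCK_SIZE], CONTENT[BLOCK_SIZE:]])
    # A peer whose copy of block 1 has been altered (constructed for the demo).
    tampered = CachingPeer()
    tampered.offer(server.segment_hash, [CONTENT[:BLOCK_SIZE], b"\x00" * BLOCK_SIZE])
    meta = server.request_metadata("bob")
    return {
        "unauthorized_gets_metadata": server.request_metadata("mallory") is not None,
        "block1_from_honest_peer_ok": fetch_block(honest, meta, 1) == CONTENT[BLOCK_SIZE:],
        "block1_from_tampered_peer": fetch_block(tampered, meta, 1),
        "block0_from_tampered_peer_ok": fetch_block(tampered, meta, 0) == CONTENT[:BLOCK_SIZE],
    }


if __name__ == "__main__":
    print(run_demo())
```

The two properties the section relies on are visible in the result: a client the content server did not authorize never obtains metadata, so it has neither the hashes to look content up nor the material to derive the key; and a caching computer that serves a modified block cannot get it accepted, because the client checks every block against hashes that came from the content server, not from the cache. The unmodified block 0 from the same tampered peer is still accepted, which is why verification is done per block rather than per connection.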
Data in the cache is not encrypted at rest. It is stored in the clear in both
the Distributed Cache and the Hosted Cache, which is the same treatment that
other caches and data on the system receive (such as the IE cache, the SMB
Offline Files cache, and the file system).
Note
If encryption of the cache is desired, it is recommended
that administrators use BitLocker™ on the computer (preferred) or Encrypting
File System on the cache file. Cached content is served to a client only
after the content server has authorized that client.
Summary
BranchCache, a feature of Windows 7 and Windows
Server 2008 R2, improves user productivity and reduces WAN link
utilization in branch offices while supporting your existing security
requirements. BranchCache can be easily deployed and managed in your
environment.
In short:
· BranchCache
reduces WAN bandwidth consumed by end-users for intranet-based HTTP and SMB
traffic and improves the end-user experience.
· BranchCache
accelerates delivery of encrypted content using HTTPS and IPsec and
requires content servers to authenticate all users before granting access to
cached content.
· BranchCache
doesn’t require additional equipment in the branch offices and can be easily
managed using Group Policy.
Providing significant bandwidth savings and an improved user
experience, BranchCache adds remarkable value to Windows 7 and Windows
Server 2008 R2 with little overhead. At the same time, it is simple
to deploy and manage.
Additional references
BranchCache
TechNet page (http://go.microsoft.com/fwlink/?LinkId=149834)
Branch
Office TechCenter (http://go.microsoft.com/fwlink/?LinkId=149835)
BranchCache
Executive Overview Whitepaper (http://go.microsoft.com/fwlink/?LinkID=137760)
BranchCache
Early Adopter’s Guide (http://go.microsoft.com/fwlink/?LinkID=148641)
BranchCache
Migration guide (http://go.microsoft.com/fwlink/?LinkID=139091)
The
BitLocker Home page (http://go.microsoft.com/fwlink/?LinkID=141534)