Upload
philomena-dickerson
View
240
Download
3
Tags:
Embed Size (px)
Citation preview
Agenda
Problem backgroundSolution modesDeploymentDemoDeep Dives
Content IdentificationIntegration architectureSecurityEnd to end flow
PartnersResources
Problem BackgroundThin, expensive WAN links between main office and branch offices
High link utilization Poor application responsiveness Trend towards data centralization
Solution Tenets
Optimized
• Distributed – retrieve from other clients in the branch
• Centralized – retrieve from a “hosted cache” in the branch
Secured
• Client can only retrieve content locally if authorized by the content server
• All data transfers in the branch are encrypted
End to End
• Maintains protocol integrity
• Benefits from protocol optimizations
• Optimizes SSL, IPsec, SMB signing, HTTP, SMB
Hosted CacheCentralized cache of data downloaded by the branch
The Hosted cache on Windows Server 2008 R2 provides the following features
A centralized cache for Protocols: HTTP, SMB E2E encrypted/signed traffic: SSL, IPsec, SMB signing etc
Does not “modify” protocols; benefits from protocol optimizationsConfigurable size/location/persisted across reboots/flush-ableWorks across multiple subnetsAdmins can seed content by writing custom scriptsCan be a virtual workload in an appliance
Easy to deploy; clients are configured via policy
Hosted CacheData cached at hosted cache server
Recommended for larger branchesCache stored centrally: can use existing server in the branchCache availability is highEnables branch-wide caching
Hosted Cache vs. Distributed
Enterprise
Distributed CacheDistributed CacheData cached amongst clients
Recommended for branches without any infrastructureEasy to deploy: Enabled on clients through Group PolicyCache availability decreases with laptops that go offline
Overall Framework
IE
HTTP
BranchCache™
SMB
Explorer
3rd Party Applications
Robo
copy
Office
WMPBITS
Office
Share PointAppV
Deployment
DistributedHQ: Content Server (must run R2)Branch: Client (must run Win 7 or R2)
HostedHQ: Content Server (must run R2)Branch: Hosted Cache (must run R2)Branch: Client (must run Win 7)
Works on Server Core R2 as well!
Deployment - Content server
HTTP server (IIS) - Install the BranchCache feature from Server Manager
SMB server (File server) – Install the BranchCache role service feature within the file server role using Server Manager
That’s it…
Deployment - ClientChoose how to deploy
Group Policynetsh
Deploy to clients!• G
roup policy: Use built-in ADMX files
• netsh: Run netsh branchcache set service distributed on all relevant clients
Deployment – Hosted Cache
Setup the hosted cache• I
nstall the BranchCache feature on an R2 server
• Install a server-auth certificate for use with SSL
• Run netsh branchcache set service hostedserver on the hosted cache
Identify Branch
Choose how to deploy
Deploy to clients!• G
roup policy: Use built-in ADMX files
• netsh: Run netsh branchcache set service hostedclient location=<> on all clients
IISFile Server
Group PolicyManagement
Install BranchCache™ feature on an R2 server
Group Policy to enable clients
HostedCache
Optionally, install a hosted cache in your branch
Deployment - Summary
Content Identifiers
S1 S2 S3
B1
B2
B1
B2
Bn
B1
B2
Bn
Content
SegmentsUnit of discovery
BlocksUnit of download
HashesReturned by server
Segment hashes, Block hashesup to ~2000x data reduction
Bn
HTTP Integration
http.sys
IIS
BranchCache
wininet
Open URL
“Branch Cache Capable” Get data
Data
Data
Data
H1
H2
H4
H5
Hashlist
Hashlist
HashlistHashlist
Data
Data
H3
BranchCache
IE
SMB Integration
SMB ServerDriver
SMB Hash Generation
Service HashGen Utility
Generate or update
hash
Generate or update hash
Application
CSC Driver
SMB Client Driver
CSCCache
Hashlist
CSC Service
Branch
Cache
DataHashlist
Request Hashes
ReadFile
Data
Prefetch File
Data
DataAccess hashes
Savehashes
Request Hashes
Hashlist
Hashlist
How is SSL Optimized?
Sockets
SSL
HTTP
IE
BranchCach
e
BranchCach
e
Data encrypted
Data in clear
Data in clear
Client Server
Data encrypted
IPsec
Sockets
SSL
HTTP
IIS
Data encrypted
Data in clear
Data in clear
IPsec
Data encryptedData encrypted
Security
B1
B2
BnBlocks
Block hashesHash(block)
Segment hash (SH)Hash (Blockhashes)
Server secret keyKs
Private Segment key (SK)Hash(SH, Ks)
Encryption keyHash(SK, “KeKeKe”)
Segment discovery keyHash(SK, SH+”HoHoDk”)
Client
Server
Flow – a Security View
Client requests data from the server, and indicates BranchCache capability
Server authorizes the clientServer retrieves metadata (block hashes, segment hashes, private segment key) for the dataServer sends metadata on same channel as data
Client computes a segment discovery key
Broadcasts on the local network
Flow, Continued
Serving clients receive the broadcastDecrypt the segment hash from the segment discovery keyRespond with data availability
Client requests blocks from the serving client
Serving client computes encryption key from the segment private keyServing client encrypts each block with the encryption key
Client receives the dataDecrypts the dataValidates block data against the block hashIf valid, returns to application
Security of Data at Rest
ClientsCache only contains content requested by the clientData in cache ACL’d so that it is only accessible if authorized by the serverIf data leakage is a concern, then use BitLocker or EFS
Hosted CacheCache contains content requested by all branch clients Use BitLocker or EFS to encrypt cache as necessary
All data can be purged from the cache using netsh
The usual answers…Q: When will this be made available for Vista?
A: It won’t. BranchCache in only supported with Windows 7 Enterprise, Ultimate & Windows 2008 R2 editions.
Q: What size content is cached?A: 64 KB and greater.
Q: Is there a peer discovery timeout? A: 300 ms
Q: What kind of encryption is used?A: Custom scheme based on AES128.
Q: Does knowledge of the hash ID grant access?A: No. Access must still be granted by the file server.
The usual answers… (cont’d)
Q: Will BranchCache work during WAN outages?A: No. Clients must be able to contact the content server to
get content identifiers.
Q: Can I pre-populate cached files?A: Sure. Consider using scheduled task , PowerShell
Remoting or some other technique. For WSUS & SCCM, consider targeting one client in each remote office before the others.
Q: How doesn’t BC avoid discovery storms?A: Responses to search requests are staggered. Additionally,
if a client detects that many others on the subnet already have a piece of content, it won’t bother caching it too.
The usual answers… (last one)Q: What happens to the local cache if the
BranchCache client mode changes? A: The local cache is unaffected and will still be used by the
client:• Hosted clients that become Distributed clients will begin responding
to WS-D searches, serving data from the same cache.• Distributed client that become Hosted clients will stop responding to
WS-D searchers, but will continue to use the local cache.
Q: How long does data stay in cache? A: Until NetSH is used to flush the cache or until the cache is
full and starts to roll.
Q: Is BranchCache supported on Server Core?A: Absolutely.
To SummarizeBranchCache™ reduces WAN bandwidth consumed by end users for intranet based HTTP and SMB traffic and improves end user experience
BranchCache™ accelerates delivery of encrypted and signed content such as when using HTTPS, IPsec, SMB signing and at the same time ensures authorization of users by the server at the central office.
BranchCache™ doesn’t require additional equipment in the branch offices and can be easily managed using existing systems management technology such as group policy
BranchCache has a vibrant and growing ecosystem giving customers the choice to pick a solution that works best for their needs
Conclusion
For Windows 7, Microsoft has made numerous improvements that streamline image deployment. These improvements include native compatibility mitigation for an extended range of applications, new and improved image-engineering tools that improve the deployment experience for IT professionals and users alike, as well as improvements that streamline migration of users’ files and settings.
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions,
it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.