BranchCache: Helping You Save on WAN Bandwidth Consumption at Branch Offices Ravi Rao

Senior Program ManagerMicrosoft CorporationWSV303

Agenda

Problem backgroundSolution modesDeploymentDemoDeep Dives

Content IdentificationIntegration architectureSecurityEnd to end flow

PartnersResources

Problem BackgroundThin, expensive WAN links between main office and branch offices

High link utilization Poor application responsiveness Trend towards data centralization

Customers Say…“We are improving the efficiency of our branch offices and saving bandwidth by using BranchCache in Windows Server 2008 R2 and Windows 7,” said Lukas Kucera, IT services manager of Lukoil CEEB, one of the largest integrated oil and gas companies in the world. “Some of our smaller facilities, such as the office in Slovakia and the storage terminal in Belgium, have just five to 10 users, so it’s not efficient to deploy a file server on-site, but it consumes bandwidth to have them continually accessing files from the main servers. BranchCache is the perfect solution.”

“Taking advantage of the BranchCache feature in Windows Server 2008 R2, we can spend $20,000 rather than $50,000 per year on bandwidth by postponing our expansion schedule.”David Feng, IT Director, Sporton International

Convergent Computing (CCO) wanted to improve remote network access for its mobile users. Using the DirectAccess and BranchCache™ features in Windows Server® 2008 R2 and Windows 7, CCO has simplified remote connection to its network and sped the downloading of important files. It has cut costs by eliminating its virtual private network and has seen a 43 percent savings in wide area network (WAN) bandwidth.

Solution Tenets

Optimized

• Distributed – retrieve from other clients in the branch

• Centralized – retrieve from a “hosted cache” in the branch

Secured• Client can only

retrieve content locally if authorized by the content server

• All data transfers in the branch are encrypted

End to End• Maintains

protocol integrity

• Benefits from protocol optimizations

• Optimizes SSL, IPsec, SMB signing, HTTP, SMB

Get

GetID

Get

Data

Distributed Cache

Get

IDData

Data

Get

GetID

Put

Data

Hosted Cache

Get

DataID

Search

Get

Sear

ch

Request

Offer

ID

ID

ID

Data

ID

Data

Hosted CacheCentralized cache of data downloaded by the branch

The Hosted cache on Windows Server 2008 R2 provides the following features

A centralized cache for Protocols: HTTP, SMB E2E encrypted/signed traffic: SSL, IPsec, SMB signing etc

Does not “modify” protocols; benefits from protocol optimizationsConfigurable size/location/persisted across reboots/flush-ableWorks across multiple subnetsAdmins can seed content by writing custom scriptsCan be a virtual workload in an appliance

Easy to deploy; clients are configured via policy

Hosted CacheData cached at hosted cache server

Recommended for larger branchesCache stored centrally: can use existing server in the branchCache availability is highEnables branch-wide caching

Hosted Cache vs. Distributed

Enterprise

Distributed CacheDistributed CacheData cached amongst clients

Recommended for branches without any infrastructureEasy to deploy: Enabled on clients through Group PolicyCache availability decreases with laptops that go offline

Overall Framework

IE

HTTP

BranchCache™

SMB

Explorer

3rd Party Applications

Robocopy

Office WMPBITSOfficeSharePointAppV

Deployment

Deployment

DistributedHQ: Content Server (must run R2)Branch: Client (must run Win 7 or R2)

HostedHQ: Content Server (must run R2)Branch: Hosted Cache (must run R2)Branch: Client (must run Win 7)

Works on Server Core R2 as well!

Deployment - Content server

HTTP server (IIS) - Install the BranchCache feature from Server Manager

SMB server (File server) – Install the BranchCache role service feature within the file server role using Server Manager

That’s it…

Deployment - ClientIdentify the “branch”• An Active Directory Site• An IP address range• A collection of specific client computers

Choose how to deploy• Group Policy• netsh

Deploy to clients!• Group policy: Use built-in ADMX files• netsh: Run netsh branchcache set service distributed on all relevant clients

Deployment – Hosted CacheSetup the hosted cache• Install the BranchCache feature on an R2 server• Install a server-auth certificate for use with SSL• Run netsh branchcache set service hostedserver on the hosted cache

Identify Branch

Choose how to deploy

Deploy to clients!• Group policy: Use built-in ADMX files• netsh: Run netsh branchcache set service hostedclient location=<> on all clients

IISFile Server

Group PolicyManagement

Install BranchCache™ feature on an R2 server

Group Policy to enable clients

HostedCache

Optionally, install a hosted cache in your branch

Deployment - Summary

Additional configuration options

Enable / disable distributed cache modeEnable / disable hosted cache modeSet the cache sizeSet the location of the hosted cacheClear the cacheCreate and replicate a shared key for use in a server clusterAnd more …

Works in domains and workgroups

Monitoring

Event logs - Operational logs & Audit logs

Perfmon counters - Client, hosted cache and Content Server

netsh for querying the infrastructure for |potential problems

Cache size too small, firewall issues, certificate problems etc

SCOM pack - for rolling all the information up

BranchCache in ActionDevrim IyigunSenior Product ManagerMicrosoft Corporation

demo

Going Deeper…

Content Identifiers

S1 S2 S3

B1

B2

B1

B2

Bn

B1

B2

Bn

Content

SegmentsUnit of discovery

BlocksUnit of download

HashesReturned by server

Segment hashes, Block hashesup to ~2000x data reduction

Bn

HTTP Integration

http.sys

IIS

BranchCache

wininet

Open URL

“Branch Cache Capable” Get data

Data

Data

Data

H1 H2 H4 H5Hashlist

Hashlist

HashlistHashlist

Data

Data

H3

BranchCache

IE

SMB Integration

SMB ServerDriver

SMB Hash Generation

Service HashGen Utility

Generate or update hash

Generate or update hashApplication

CSC Driver SMB Client Driver

CSCCache

Hashlist

CSC Service

BranchCache

DataHashlist

Request Hashes

ReadFile

Data

Prefetch File Data

DataAccess hashes

Savehashes

Request Hashes

Hashlist

Hashlist

How is SSL Optimized?

Sockets

SSL

HTTP

IE

BranchCach

e

BranchCach

e

Data encrypted

Data in clear

Data in clear

Client Server

Data encryptedIPsec

Sockets

SSL

HTTP

IIS

Data encrypted

Data in clear

Data in clear

IPsec

Data encryptedData encrypted

Security

B1

B2

BnBlocks

Block hashesHash(block)

Segment hash (SH)Hash (Blockhashes)

Server secret keyKs

Private Segment key (SK)Hash(SH, Ks)

Encryption keyHash(SK, “KeKeKe”)

Segment discovery keyHash(SK, SH+”HoHoDk”)

Client

Server

Flow – a Security View

Client requests data from the server, and indicates BranchCache capability

Server authorizes the clientServer retrieves metadata (block hashes, segment hashes, private segment key) for the dataServer sends metadata on same channel as data

Client computes a segment discovery keyBroadcasts on the local network

Flow, Continued

Serving clients receive the broadcastDecrypt the segment hash from the segment discovery keyRespond with data availability

Client requests blocks from the serving clientServing client computes encryption key from the segment private keyServing client encrypts each block with the encryption key

Client receives the dataDecrypts the dataValidates block data against the block hashIf valid, returns to application

Security of Data at Rest

ClientsCache only contains content requested by the clientData in cache ACL’d so that it is only accessible if authorized by the serverIf data leakage is a concern, then use BitLocker or EFS

Hosted CacheCache contains content requested by all branch clients Use BitLocker or EFS to encrypt cache as necessary

All data can be purged from the cache using netsh

BranchCache Ecosystem Partnersannouncing

Steelhead ApplianceRSP

VM VM VM VM

Virtualization Layer

VM

Riverbed and Microsoft to extend optimization further for Windows 7 users with BranchCache

Microsoft and Riverbed - Better TogetherJoint Optimization Solution for Windows 7 users

Riverbed Steelhead: Leading WAN optimization solution + BranchCacheLeader in the Gartner magic quadrantAccelerate applications: CIFS, MAPI, HTTP/S, TCP, and all other key protocolsCut bandwidth use: Save 65 – 95% of WAN utilizationPOLP Licensing Partner, and Windows OEMDeliver Windows to the branch with the Riverbed Services Platform (RSP): Offer Windows services such as AD, Streaming, Print, DNS and BranchCacheVisit Booth 247 for more info

WAN

Blue Coat – BranchCache Support

About Blue Coat Application Delivery Network Vendor ProxySG for WAN Optimization & Secure Web GatewayLeader in Gartner Magic Quadrants

Secure Web Gateway, Sep 2008 WAN Optimization Controllers, Nov 2007

Blue Coat will support BranchCache protocolsBlue Coat will license Hosted Cache protocols on ProxySGEdge site hosted cache for SMB2, SMB signed & IPsecCore site proxy for legacy content servers (non-WS 2008 R2)

RemoteOffice

Data Center

ProxySG

ProxySG

F5 and BranchCache

F5 is a player in Application Delivery Networking, with the mission of building network devices that support your applications, ensuring high availability, scalability, performance and security.BranchCache adds to BIG-IP’s WAN acceleration portfolioSee a demo of BranchCache on the BIG-IP 6900 –visit booth 311

New Generation Application Delivery PlatformApplication Acceleration & Load Balancing BranchCache Augments AX Native Optimized Caching

BranchCache: Enhancing the Windows File Experience

Delivering best-in-class Windows® files services solutionThousands of joint customers using SMB (CIFS) todayUse ranges from home directories to high performance engineering applicationsNow also supporting SMB 2.0

BranchCache — NetApp® as a Content ServerBring remote Windows users closerSave on bandwidth and remote administration

NetApp is a gold sponsor – visit their booth!

Branch office / remote users

NetApp NAS in the data

center

Symantec Support for BranchCacheSymantec

World’s 4th largest ISV… Found in almost as many Windows environments as Microsoft

Security, Storage, HA, Backup, Archiving, Data Loss Prevention, Management…

Altiris Server Management Suite from SymantecProvide support for monitoring BranchCache on Windows Server 2008 R2Provide alerting when problems are detectedOrchestrate and automate remediation when necessary Branch

Corp HQ data center

Altiris Server Management

SuiteFrom Symantec

Site to Site VPN

Forefront Threat Management Gateway in the Branch

Web Proxy & CacheFeaturing• Anti-Virus• URL Filtering• HTTPS Inspection• Network Intrusion Inspection

Single Host for TMG & BranchCache (Hosted Cache) Standard deployment

• Enterprise Management• Running on Windows

Server 2008 R2

To SummarizeBranchCache™ reduces WAN bandwidth consumed by end users for intranet based HTTP and SMB traffic and improves end user experience

BranchCache™ accelerates delivery of encrypted and signed content such as when using HTTPS, IPsec, SMB signing and at the same time ensures authorization of users by the server at the central office.

BranchCache™ doesn’t require additional equipment in the branch offices and can be easily managed using existing systems management technology such as group policy

BranchCache has a vibrant and growing ecosystem giving customers the choice to pick a solution that works best for their needs

ResourcesWebsite/TechNet

http://www.branchcache.com http://technet.microsoft.com/en-us/network/dd425028.aspx

Emailbranch@microsoft.com

At TechEd, we have booths in the TLC Orange AreaWindows Server Branch Office Solutions - BranchCacheWindows Services for the Branch – Partner Solutions

www.microsoft.com/teched

Sessions On-Demand & Community

http://microsoft.com/technet

Resources for IT Professionals

http://microsoft.com/msdn

Resources for Developers

www.microsoft.com/learningMicrosoft Certification and Training Resources

www.microsoft.com/learning

Microsoft Certification & Training Resources

Resources

Related Content

Breakout Sessions WSV 403: Enhancing the Branch office experience with Windows Server 2008 R2

Hands-on LabsWSV14-HOL: Windows Server 2008 R2 - BranchCaching

Windows Server ResourcesMake sure you pick up your copy of Windows Server 2008 R2 RC from the Materials Distribution Counter

Learn More about Windows Server 2008 R2: www.microsoft.com/WindowsServer2008R2

Technical Learning Center (Orange Section): Highlighting Windows Server 2008 and R2 technologies•Over 15 booths and experts from Microsoft and our partners

Complete an evaluation on CommNet and enter to win!

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,

IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.