Dawie Human Infrastructure Architect Inobits Consulting WSV303 Agenda Problem background Solution modes Deployment Demo Deep Dives Content Identification Integration architecture Security End to end flow Resources Problem background Thin, expensive WAN links between main office and branch offices High link utilization Poor application responsiveness Trend towards data centralization Customers say… “We are improving the efficiency of our branch offices and saving bandwidth by using BranchCache in Windows Server 2008 R2 and Windows 7,” said Lukas Kucera, IT services manager of Lukoil CEEB, one of the largest integrated oil and gas companies in the world. “Some of our smaller facilities, such as the office in Slovakia and the storage terminal in Belgium, have just five to 10 users, so it’s not efficient to deploy a file server on-site, but it consumes bandwidth to have them continually accessing files from the main servers. BranchCache is the perfect solution.” “Taking advantage of the BranchCache feature in Windows Server 2008 R2, we can spend $20,000 rather than $50,000 per year on bandwidth by postponing our expansion schedule.” David Feng, IT Director, Sporton International Convergent Computing (CCO) wanted to improve remote network access for its mobile users. Using the DirectAccess and BranchCache™ features in Windows Server® 2008 R2 and Windows 7, CCO has simplified remote connection to its network and sped the downloading of important files. It has cut costs by eliminating its virtual private network and has seen a 43 percent savings in wide area network (WAN) bandwidth. Solution Tenets Optimized Secured • Distributed – retrieve from other clients in the branch • Client can only retrieve content locally if authorized by the content server • Centralized – retrieve from a “hosted cache” in the branch • All data transfers in the branch are encrypted End to End • Maintains protocol integrity • Benefits from protocol optimizations • Optimizes SSL, IPsec, SMB signing, HTTP, SMB Distributed Cache ID Data Data Hosted Cache ID Data ID Search Data ID ID ID Data Hosted Cache Centralized cache of data downloaded by the branch The Hosted cache on Windows Server 2008 R2 provides the following features A centralized cache for Protocols: HTTP, SMB E2E encrypted/signed traffic: SSL, IPsec, SMB signing etc Does not “modify” protocols; benefits from protocol optimizations Configurable size/location/persisted across reboots/flush-able Works across multiple subnets Admins can seed content by writing custom scripts Can be a virtual workload in an appliance Easy to deploy; clients are configured via policy Hosted Cache vs. Distributed Enterprise Distributed Cache Data cached amongst clients Recommended for branches without any infrastructure Easy to deploy: Enabled on clients through Group Policy Cache availability decreases with laptops that go offline Hosted Cache Data cached at hosted cache server Recommended for larger branches Cache stored centrally: can use existing server in the branch Cache availability is high Enables branch-wide caching Overall Framework 3rd Party Applications Office Robo copy Expl orer AppV Share Point SMB Office HTTP BranchCache™ BITS WMP IE Deployment Distributed HQ: Content Server (must run R2) Branch: Client (must run Win 7 or R2) Hosted HQ: Content Server (must run R2) Branch: Hosted Cache (must run R2) Branch: Client (must run Win 7) Works on Server Core R2 as well! Deployment - Content server HTTP server (IIS) - Install the BranchCache feature from Server Manager SMB server (File server) – Install the BranchCache role service feature within the file server role using Server Manager That’s it… Deployment - Client Identify the “branch” • An Active Directory Site • An IP address range • A collection of specific client computers Choose how to deploy • Group Policy • netsh Deploy to clients! • Group policy: Use built-in ADMX files • netsh: Run netsh branchcache set service distributed on all relevant clients Deployment – Hosted Cache Setup the hosted cache • Install the BranchCache feature on an R2 server • Install a server-auth certificate for use with SSL • Run netsh branchcache set service hostedserver on the hosted cache Identify Branch Choose how to deploy Deploy to clients! • Group policy: Use built-in ADMX files • netsh: Run netsh branchcache set service hostedclient location=<> on all clients Deployment - Summary Group Policy to enable clients Install BranchCache™ feature on an R2 server Hosted Cache File Server IIS Group Policy Management Optionally, install a hosted cache in your branch. Additional configuration options Enable / disable distributed cache mode Enable / disable hosted cache mode Set the cache size Set the location of the hosted cache Clear the cache Create and replicate a shared key for use in a server cluster And more … Works in domains and workgroups Monitoring Event logs - Operational logs & Audit logs Perfmon counters - Client, hosted cache and Content Server netsh for querying the infrastructure for potential problems Cache size too small, firewall issues, certificate problems etc SCOM pack - for rolling all the information up BranchCache in Action Going Deeper… Group Policy – Hashing Server Group Policy – Client Side Content Identifiers Hashes Returned by server Blocks Unit of download Segments Unit of discovery Content Segment hashes, Block hashes up to ~2000x data reduction BB 1 2 BBB n 1 2 S1 BBB n 1 2 S2 B n S3 HTTP Integration IE Open URL IIS Data “Branch Cache Capable” Data wininet Hashlist Get data http.sys Hashlist Data Data Hashlist BranchCa che BranchC ache Data Hashlist H1 H2 H3 H4 H5 SMB Integration Branch Cache Hashlist Application ReadFile Prefetch File Data CSC Driver Data CSC Cache Data SMB Hash Generation Service CSC Service Data Request Hashes Hashlist SMB Client Driver Generate or update hash Generate or update hash Request Hashes Hashlist Hashlist SMB Server Driver HashGen Utility Save hashes Access hashes How is SSL Optimized? Client Server IIS IE Data in clear Data in clear HTTP Branch Cache Data in clear HTTP Data in clear SSL SSL Data encrypted Data encrypted Sockets Sockets Data encrypted IPsec Branch Cache Data encrypted Data encrypted IPsec Security Client Encryption key Segment discovery key Hash(SK, “KeKeKe”) Hash(SK, SH+”HoHoDk”) Private Segment key (SK) Hash(SH, Ks) Segment hash (SH) Server secret key Hash (Blockhashes) Ks Block hashes Hash(block) Blocks BB 1 2 B n Server Flow – a Security View Client requests data from the server, and indicates BranchCache capability Server authorizes the client Server retrieves metadata (block hashes, segment hashes, private segment key) for the data Server sends metadata on same channel as data Client computes a segment discovery key Broadcasts on the local network Flow, Continued Serving clients receive the broadcast Decrypt the segment hash from the segment discovery key Respond with data availability Client requests blocks from the serving client Serving client computes encryption key from the segment private key Serving client encrypts each block with the encryption key Client receives the data Decrypts the data Validates block data against the block hash If valid, returns to application Security of Data at Rest Clients Cache only contains content requested by the client Data in cache ACL’d so that it is only accessible if authorized by the server If data leakage is a concern, then use BitLocker or EFS Hosted Cache Cache contains content requested by all branch clients Use BitLocker or EFS to encrypt cache as necessary All data can be purged from the cache using netsh To Summarize BranchCache™ reduces WAN bandwidth consumed by end users for intranet based HTTP and SMB traffic and improves end user experience BranchCache™ accelerates delivery of encrypted and signed content such as when using HTTPS, IPsec, SMB signing and at the same time ensures authorization of users by the server at the central office. BranchCache™ doesn’t require additional equipment in the branch offices and can be easily managed using existing systems management technology such as group policy BranchCache has a vibrant and growing ecosystem giving customers the choice to pick a solution that works best for their needs Resources Website/TechNet http://www.branchcache.com http://technet.microsoft.com/en-us/network/dd425028.aspx Email [email protected] Resources www.microsoft.com/teched www.microsoft.com/learning Sessions On-Demand & Community Microsoft Certification & Training Resources http://microsoft.com/technet http://microsoft.com/msdn Resources for IT Professionals Resources for Developers www.microsoft.com/learning Microsoft Certification and Training Resources Related Content Breakout Sessions • WSV 312:Enhancing the BRANCH Office Experience with Windows Server 2008 R2 Complete an evaluation on CommNet and enter to win! © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.