Dawie Human
Infrastructure Architect
Inobits Consulting
WSV303
Agenda
Problem background
Solution modes
Deployment
Demo
Deep Dives
Content Identification
Integration architecture
Security
End to end flow
Resources
Problem background
Thin, expensive WAN links between main office and branch offices
High link utilization
Poor application responsiveness
Trend towards data centralization
Customers say…
“We are improving the efficiency of our branch offices and saving bandwidth by
using BranchCache in Windows Server 2008 R2 and Windows 7,” said Lukas Kucera,
IT services manager of Lukoil CEEB, one of the largest integrated oil and gas
companies in the world. “Some of our smaller facilities, such as the office in Slovakia
and the storage terminal in Belgium, have just five to 10 users, so it’s not efficient to
deploy a file server on-site, but it consumes bandwidth to have them continually
accessing files from the main servers. BranchCache is the perfect solution.”
“Taking advantage of the BranchCache feature in Windows Server 2008 R2, we can
spend $20,000 rather than $50,000 per year on bandwidth by postponing our
expansion schedule.”
David Feng, IT Director, Sporton International
Convergent Computing (CCO) wanted to improve remote network access for its
mobile users. Using the DirectAccess and BranchCache™ features in Windows
Server® 2008 R2 and Windows 7, CCO has simplified remote connection to its
network and sped the downloading of important files. It has cut costs by
eliminating its virtual private network and has seen a 43 percent savings in wide
area network (WAN) bandwidth.
Solution Tenets
Optimized
• Distributed – retrieve from other clients in the branch
• Centralized – retrieve from a “hosted cache” in the branch
Secured
• Client can only retrieve content locally if authorized by the content server
• All data transfers in the branch are encrypted
End to End
• Maintains protocol integrity
• Benefits from protocol optimizations
• Optimizes SSL, IPsec, SMB signing, HTTP, SMB
[Diagram: Distributed Cache – clients in the branch exchange content IDs and data directly with each other. Hosted Cache – clients search the hosted cache by content ID and retrieve the data from it.]
Hosted Cache
Centralized cache of data downloaded by the branch
The Hosted Cache on Windows Server 2008 R2 provides the following features:
A centralized cache for
• Protocols: HTTP, SMB
• E2E encrypted/signed traffic: SSL, IPsec, SMB signing etc.
Does not “modify” protocols; benefits from protocol optimizations
Configurable size/location; persisted across reboots; flush-able
Works across multiple subnets
Admins can seed content by writing custom scripts
Can be a virtual workload in an appliance
Easy to deploy; clients are configured via policy
Hosted Cache vs. Distributed Cache
Distributed Cache
• Data cached amongst clients
• Recommended for branches without any infrastructure
• Easy to deploy: enabled on clients through Group Policy
• Cache availability decreases with laptops that go offline
Hosted Cache
• Data cached at hosted cache server
• Recommended for larger branches
• Cache stored centrally: can use existing server in the branch
• Cache availability is high
• Enables branch-wide caching
Overall Framework
[Diagram: applications (3rd-party applications, Office, Robocopy, Explorer, App-V, SharePoint, BITS, WMP, IE) use the SMB and HTTP stacks; BranchCache™ sits beneath both protocols.]
Deployment
Distributed
HQ: Content Server (must run R2)
Branch: Client (must run Win 7 or R2)
Hosted
HQ: Content Server (must run R2)
Branch: Hosted Cache (must run R2)
Branch: Client (must run Win 7)
Works on Server Core R2 as well!
Deployment - Content server
HTTP server (IIS) – Install the BranchCache feature from Server Manager
SMB server (File server) – Install the BranchCache role service feature within the file server role using Server Manager
That’s it…
Deployment - Client
Identify the “branch”
• An Active Directory Site
• An IP address range
• A collection of specific client computers
Choose how to deploy
• Group Policy
• netsh
Deploy to clients!
• Group policy: Use built-in ADMX files
• netsh: Run netsh branchcache set service distributed on all relevant clients
Deployment – Hosted Cache
Set up the hosted cache
• Install the BranchCache feature on an R2 server
• Install a server-auth certificate for use with SSL
• Run netsh branchcache set service hostedserver on the hosted cache
Identify Branch
Choose how to deploy
Deploy to clients!
• Group policy: Use built-in ADMX files
• netsh: Run netsh branchcache set service hostedclient location=<> on all clients
Deployment - Summary
[Diagram: Group Policy Management is used to enable clients; the BranchCache™ feature is installed on an R2 server (File Server, IIS); optionally, install a hosted cache in your branch.]
Additional configuration options
Enable / disable distributed cache mode
Enable / disable hosted cache mode
Set the cache size
Set the location of the hosted cache
Clear the cache
Create and replicate a shared key for use in a server cluster
And more …
Works in domains and workgroups
Monitoring
Event logs – Operational logs & Audit logs
Perfmon counters – Client, hosted cache and Content Server
netsh for querying the infrastructure for potential problems
• Cache size too small, firewall issues, certificate problems etc.
SCOM pack – for rolling all the information up
BranchCache in Action
Going Deeper…
Group Policy – Hashing Server
Group Policy – Client Side
Content Identifiers
Hashes – returned by server
Blocks – unit of download
Segments – unit of discovery
Content → segment hashes, block hashes: up to ~2000x data reduction
[Diagram: content divided into segments S1, S2, S3, each consisting of blocks B1 … Bn.]
HTTP Integration
[Diagram: IE (via wininet) opens a URL and marks the request “Branch Cache Capable”; IIS/http.sys returns a hashlist (H1 … H5) rather than the data; the client-side BranchCache component uses the hashlist to get data locally and retrieves what is missing from the server.]
SMB Integration
[Diagram: client side – Application → ReadFile → CSC driver / CSC cache and SMB client driver; BranchCache receives the hashlist and prefetches file data. Server side – SMB server driver requests hashes from the SMB Hash Generation Service, which generates or updates hashes and saves them; the HashGen utility can also generate or update hashes.]
How is SSL Optimized?
[Diagram: BranchCache sits in the HTTP layer above SSL (inside IE on the client, IIS on the server), so it sees data in the clear while the data on the wire is encrypted. With IPsec, BranchCache sits above the sockets layer and IPsec encrypts below it.]
Security
Server side
• Blocks B1 … Bn
• Block hashes = Hash(block)
• Segment hash (SH) = Hash(block hashes)
• Server secret key Ks
• Private segment key (SK) = Hash(SH, Ks)
Client side
• Segment discovery key = Hash(SK, SH + “HoHoDk”)
• Encryption key = Hash(SK, “KeKeKe”)
Flow – a Security View
Client requests data from the server, and indicates BranchCache capability
Server authorizes the client
Server retrieves metadata (block hashes, segment hashes, private segment key) for the data
Server sends metadata on same channel as data
Client computes a segment discovery key
Broadcasts on the local network
Flow, Continued
Serving clients receive the broadcast
Decrypt the segment hash from the segment discovery key
Respond with data availability
Client requests blocks from the serving client
Serving client computes encryption key from the segment private key
Serving client encrypts each block with the encryption key
Client receives the data
Decrypts the data
Validates block data against the block hash
If valid, returns to application
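The key hierarchy from the Security slide and the discovery, encryption and validation steps of the flow above, worked through as an added example; this is not code from the deck or from Microsoft's implementation. It also serves the Content Identifiers slide, since the same routine splits content into segments and blocks and hashes them. HMAC-SHA256 stands in for the slide's Hash(key, data), the block and segment sizes are tiny constructed values, and a keystream XOR stands in for the block encryption; the on-the-wire protocol's hash algorithms, sizes and constants are not shown on the slide and are not reproduced here. The labels “HoHoDk” and “KeKeKe” are the slide's; all function names, the sample content and the server secret are constructed.

```python
from __future__ import annotations

import hashlib
import hmac

# Constructed sizes so the example stays readable (the deck gives none):
BLOCK_SIZE = 16           # blocks are the unit of download
BLOCKS_PER_SEGMENT = 4    # segments are the unit of discovery


def keyed_hash(key: bytes, data: bytes) -> bytes:
    """The slide writes Hash(key, data); HMAC-SHA256 is this example's choice."""
    return hmac.new(key, data, hashlib.sha256).digest()


def segment_metadata(content: bytes, ks: bytes) -> list[dict]:
    """Content server: per segment, the block hashes, segment hash SH and private key SK."""
    seg_len = BLOCK_SIZE * BLOCKS_PER_SEGMENT
    segments = []
    for start in range(0, len(content), seg_len):
        seg = content[start:start + seg_len]
        block_hashes = [hashlib.sha256(seg[i:i + BLOCK_SIZE]).digest()
                        for i in range(0, len(seg), BLOCK_SIZE)]
        sh = hashlib.sha256(b"".join(block_hashes)).digest()   # SH = Hash(block hashes)
        sk = keyed_hash(ks, sh)                                 # SK = Hash(SH, Ks)
        segments.append({"start": start, "block_hashes": block_hashes, "sh": sh, "sk": sk})
    return segments


def discovery_key(sk: bytes, sh: bytes) -> bytes:
    return keyed_hash(sk, sh + b"HoHoDk")   # slide: Hash(SK, SH + "HoHoDk")


def encryption_key(sk: bytes) -> bytes:
    return keyed_hash(sk, b"KeKeKe")        # slide: Hash(SK, "KeKeKe")


def block_cipher(ke: bytes, index: int, data: bytes) -> bytes:
    """Stand-in for the block encryption: XOR with an HMAC-derived keystream.
    Symmetric, so the same call decrypts. Not the cipher the product uses."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += keyed_hash(ke, index.to_bytes(4, "big") + counter.to_bytes(4, "big"))
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class ServingPeer:
    """A branch client that fetched the content earlier and now serves it locally."""

    def __init__(self, content: bytes, segments: list[dict]):
        self.store = {}
        for seg in segments:
            data = content[seg["start"]:seg["start"] + BLOCK_SIZE * len(seg["block_hashes"])]
            # Indexed by discovery key: without SK (i.e. without the metadata the
            # server hands only to authorized clients) nobody can compute this key.
            self.store[discovery_key(seg["sk"], seg["sh"])] = (seg, data)

    def has_segment(self, dk: bytes) -> bool:
        return dk in self.store

    def get_block(self, dk: bytes, index: int, tamper: bool = False) -> bytes:
        seg, data = self.store[dk]
        block = data[index * BLOCK_SIZE:(index + 1) * BLOCK_SIZE]
        if tamper:   # simulate a corrupted or misbehaving peer
            block = bytes([block[0] ^ 0xFF]) + block[1:]
        return block_cipher(encryption_key(seg["sk"]), index, block)


def fetch_from_peer(segments: list[dict], peer: ServingPeer, tamper: bool = False) -> bytes | None:
    """Requesting client: holds only the server's metadata. Returns the reassembled
    content, or None if a segment is unavailable or any block fails hash validation."""
    out = bytearray()
    for seg in segments:
        dk = discovery_key(seg["sk"], seg["sh"])   # the value broadcast on the LAN
        if not peer.has_segment(dk):
            return None
        ke = encryption_key(seg["sk"])
        for i, expected in enumerate(seg["block_hashes"]):
            block = block_cipher(ke, i, peer.get_block(dk, i, tamper))
            if hashlib.sha256(block).digest() != expected:
                return None   # block hash mismatch: nothing is handed to the application
            out += block
    return bytes(out)


# Constructed sample input: a server secret and 120 bytes spanning two segments.
KS = b"constructed-server-secret"
CONTENT = bytes(range(1, 121))
SEGMENTS = segment_metadata(CONTENT, KS)
PEER = ServingPeer(CONTENT, SEGMENTS)

if __name__ == "__main__":
    print("peer fetch ok:", fetch_from_peer(SEGMENTS, PEER) == CONTENT)
    print("tampered block rejected:", fetch_from_peer(SEGMENTS, PEER, tamper=True) is None)
```

The model makes two of the slide's points concrete: a peer that never received SK from the server cannot compute the discovery key, so it can neither find the segment nor derive the encryption key, and a block that a peer alters is caught by the block-hash check before it reaches the application. The slide's "up to ~2000x" figure is the ratio of block size to hash size; with a 32-byte hash per block it corresponds to blocks of roughly 64 KB, far larger than the 16-byte blocks used here for readability.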
Security of Data at Rest
Clients
Cache only contains content requested by the client
Data in cache ACL’d so that it is only accessible if authorized by the server
If data leakage is a concern, then use BitLocker or EFS
Hosted Cache
Cache contains content requested by all branch clients
Use BitLocker or EFS to encrypt cache as necessary
All data can be purged from the cache using netsh
To Summarize
BranchCache™ reduces WAN bandwidth consumed by end users for intranet based HTTP and SMB traffic and improves end user experience
BranchCache™ accelerates delivery of encrypted and signed content such as when using HTTPS, IPsec, SMB signing and at the same time ensures authorization of users by the server at the central office.
BranchCache™ doesn’t require additional equipment in the branch offices and can be easily managed using existing systems management technology such as group policy
BranchCache has a vibrant and growing ecosystem giving customers the choice to pick a solution that works best for their needs
Resources
Website/TechNet
http://www.branchcache.com
http://technet.microsoft.com/en-us/network/dd425028.aspx
Email
[email protected]
Resources
www.microsoft.com/teched – Sessions On-Demand & Community
www.microsoft.com/learning – Microsoft Certification & Training Resources
http://microsoft.com/technet – Resources for IT Professionals
http://microsoft.com/msdn – Resources for Developers
Related Content
Breakout Sessions
• WSV312: Enhancing the Branch Office Experience with Windows Server 2008 R2
Complete an evaluation on CommNet and enter to win!
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should
not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.