SESSION CODE: WSV322
Optimizing the Branch Infrastructure with BranchCache
Tyler Barton, Program Manager, Microsoft Corporation
Manish Kalra, Senior Product Manager, Microsoft Corporation
Agenda
• 1. Problem Background
• 2. BranchCache Solution Modes
• 3. Protocols and Workloads
• 4. Deployment and Management
• 5. Deep Dives
  • Content Identification
  • Integration Architecture
  • Security
  • End to End Flow
• 6. Q&A
Branch – The problem space (diagram)
Problem Background
• High link utilization
• Poor application responsiveness
• Trend towards data centralization
Thin, expensive WAN links between main office and branch offices
BranchCache Distributed Cache (diagram: Main Office and Branch Office, with Get, ID and Data exchanges between the content server and branch clients, and between branch clients themselves)
BranchCache Hosted Cache (diagram: Main Office and Branch Office, with Get, ID and Data exchanges between the content server, the clients and the hosted cache, plus Search, Offer, Put and Request messages to the hosted cache)
Entities in the Solution
• Distributed Cache
  • Client (in the branch) – wishes to get content
  • Serving client (in the branch) – serves content to requesting client
  • Content Server (across the WAN link)
• Hosted Cache
  • Client (in the branch)
  • Hosted Cache Server (in the branch)
  • Content Server (across the WAN link)
Hosted Cache vs Distributed Cache
• Hosted Cache
  • Data cached at hosted cache server
  • Recommended for larger branches
  • Cache stored centrally: can use existing server in the branch
  • Cache availability is high
  • Enables branch-wide caching
• Distributed Cache
  • Data cached amongst clients
  • Recommended for branches without any infrastructure
  • Easy to deploy: enabled on clients through Group Policy
  • Cache availability decreases with laptops that go offline
Overall Framework (diagram: applications such as Office, CopyFile, Explorer, SharePoint, BITS, WMP, IE and 3rd party applications run over SMB and HTTP, which in turn run over BranchCache™)
Configuration Manager & WSUS
• Goals
  • Reduce WAN utilization in the remote office scenario
  • Reduce the number of actively managed Distribution Points
  • For users, transfer content faster and with fewer restrictions in the remote office scenario
• Integration
  • Distribution Points (DPs) run on Windows Server 2008 R2
  • Download packages (apps, updates etc) once into a branch office, get it from other clients or the Hosted Cache after that
Support for Configuration Manager (and WSUS) clients available on Windows Vista, Windows Server 2008 R2
Application Virtualization (AppV)
• Goals
  • Make users productive quickly in branch offices
  • Save on the need for deploying IT infrastructure in branch offices
  • Reduce bandwidth utilization over the WAN link to save costs
• Integration
  • HTTP Streaming in AppV optimized using BranchCache
  • Virtual applications only have to traverse the WAN link once
  • Eliminate IIS Servers (AppV staging servers) from the branch office
Support available on Windows 7 and Windows Server 2008 R2
SharePoint & IIS
• Goals
  • Improve SharePoint, IIS responsiveness in branch offices without requiring separate branch infrastructure
  • Enable Office Web Applications to see improved performance in branch offices
• Integration
  • IIS and SharePoint need to run on Windows Server 2008 R2
  • Users never get stale content; if content is updated, the content identifiers change
Support available for Windows 7 and Windows 2008 R2
File Servers
• Goals
  • Improve the SMB protocol to reduce chattiness over the WAN link, and be aware of common application behaviors
  • Reduce bandwidth utilization over the WAN link, and improve performance of applications (Robocopy, Office etc) in branch offices
• Integration
  • SMB 2.1 introduces “Leasing and OpLocks” – mechanisms to improve protocol behavior over the WAN link
  • BranchCache integration ensures that data needs to move over the WAN link only once
  • SMB Transparent Caching enables better road-warrior scenarios
  • Offline Files enables file access even when the WAN link is down
  • All application semantics around locking are automatically maintained
Available on Windows 7 and Windows Server 2008 R2
DirectAccess, SSL, IPsec, SMB Signing
Scenarios requiring end-to-end secure, encrypted transports “just work” with BranchCache
As a result, DirectAccess, IPsec scenarios (such as Server/Domain Isolation) and even point to point VPNs automatically work
How is SSL Optimized? (diagram: on both the client (IE) and the server (IIS) the stack is HTTP, then SSL, then Sockets, then IPsec; BranchCache sits at the HTTP layer, where the data is in the clear, while every layer below it carries the data encrypted)
Deployment Overview
• Use Group Policy to enable Windows BranchCache on Windows 7 clients
• Install the optional “Windows BranchCache” component on a Windows 2008 R2 web or file server
• Optionally, install a hosted cache in your branch. Configure clients to use it with Group Policy
(diagram: Main Office with IIS, File Server and Group Policy Management; Branch Offices with clients and an optional Hosted Cache)
Deployment – Content Server
• HTTP server (IIS) – Install the BranchCache feature from Server Manager
• SMB server (File server) – Install the BranchCache role service feature within the file server role using Server Manager
• That’s it…
BranchCache Deployment
• Distributed Cache Implementation
  • HQ: Content Server (Windows Server 2008 R2 required)
  • Branch: Client (Windows 7 required)
• Hosted Cache Implementation
  • HQ: Content Server (Windows Server 2008 R2 required)
  • Branch: Hosted Cache (Windows Server 2008 R2 required)
  • Branch: Client (Windows 7 required)
Distributed Cache Mode Deployment
• Identify the “branch”
  • An Active Directory Site
  • An IP address range
  • A collection of specific client computers
• Choose how to deploy
  • Group Policy
  • netsh
• Deploy to clients
  • Group policy: Use built-in ADMX files
  • netsh: Run netsh branchcache set service mode=distributed on all relevant clients
Hosted Cache Mode Deployment
• Setup the Hosted Cache
  • Install the BranchCache feature on an R2 server
  • Install a server-auth certificate for use with SSL
  • Run netsh branchcache set service mode=hostedserver on the hosted cache
• Identify the branch
• Choose how to deploy
• Deploy to clients
  • Group policy: Use built-in ADMX files
  • netsh: Run netsh branchcache set service mode=hostedclient location=<> on all clients
Monitoring
• Event logs – Operational logs & Audit logs
• Perfmon counters – Client, hosted cache and Content Server
• netsh for querying the infrastructure for potential problems
  • Cache size too small, firewall issues, certificate problems etc
• MOM pack – for rolling all the information up
Additional Configuration Options
• With group policy and netsh you can:
  • Enable / disable Distributed Cache
  • Enable / disable Hosted Cache
  • Set the cache size
  • Set the location of the Hosted Cache
  • Clear the cache
  • Create and replicate a shared key for use in a server cluster
  • And more …
Works in domains and workgroups
BranchCache Demo – Tyler Barton, Program Manager, Microsoft Corporation
Content Identifiers
Segment hashes, block hashes: up to ~2000x data reduction
(diagram: Content is divided into Segments S1, S2, S3 – the unit of discovery; each segment into Blocks B1, B2 … Bn – the unit of download; the Hashes of these are returned by the server)
HTTP/HTTPS Integration (diagram: IE opens a URL through wininet, and the request is marked “Branch Cache Capable”; IIS and http.sys return a hashlist in place of the data; BranchCache on the client uses the hashlist (H1 … H5) to obtain the data blocks and hands the data to IE)
SMB/SMB Signing Integration (diagram: on the server, the SMB Hash Generation Service and the HashGen utility generate or update hashes and save them; the SMB Server Driver accesses the hashes. On the client, the application’s ReadFile goes through the CSC Service and CSC Driver to the SMB Client Driver, which requests hashes, receives the hashlist and data, prefetches the file, and stores it in the CSC cache; BranchCache supplies data for the hashlist)
Security
• Blocks B1, B2 … Bn; block hashes = Hash(block)
• Segment hash of data HoD = Hash(block hashes)
• Server secret key Ks
• Segment secret Kp = Hash(HoD, Ks)
• Segment Id = Hash(Kp, HoD + K)
• Encryption key Ke = Kp
(diagram: the derivation runs from the server’s block hashes up to the Segment Id used by the client)
Flow – a Security View
• Client requests data from the server, and indicates BranchCache capability
• Server authorizes the client
• Server retrieves content identifiers (block hashes, segment hashes, segment secrets) for the data
• Server sends content identifiers on the same channel as the data
• Client computes a segment ID
• Broadcasts on the local network
Flow, Continued
• Serving clients receive the broadcast
  • Decrypt the segment hash from the segment discovery key
  • Respond with data availability
• Client requests blocks from the serving client
  • Serving client computes encryption key from the segment secret
  • Serving client encrypts each block with the encryption key
• Client receives the data
  • Decrypts the data
  • Validates block data against the block hash
  • If valid, returns to application
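The derivation on the Security slide and the two-part flow above, worked through as an added example that is not from the presentation: it derives the content identifiers on the server side, has a serving client encrypt a block with Ke = Kp, and has the requesting client decrypt and validate it, rejecting a block corrupted in transit. SHA-256 for Hash(), HMAC for the keyed steps, a 4-byte block size, a made-up constant for K and an HMAC keystream standing in for the block cipher the real protocol uses are all assumptions, so the values are illustrative and not wire-compatible with Windows.

```python
import hashlib
import hmac
import os

BLOCK_SIZE = 4                      # assumption: tiny blocks so the walkthrough stays readable
K_CONST = b"constructed-constant"   # assumption: stands in for the constant K on the slide

def H(*parts):
    """Hash() on the slide; SHA-256 is assumed."""
    return hashlib.sha256(b"".join(parts)).digest()

def server_identifiers(data, ks):
    """Content server: block hashes, HoD, segment secret Kp and Segment Id for one segment."""
    blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
    block_hashes = [H(b) for b in blocks]                           # Hash(block)
    hod = H(*block_hashes)                                          # HoD = Hash(block hashes)
    kp = hmac.new(ks, hod, hashlib.sha256).digest()                 # Kp = Hash(HoD, Ks): needs Ks
    seg_id = hmac.new(kp, hod + K_CONST, hashlib.sha256).digest()   # Segment Id = Hash(Kp, HoD + K)
    return {"blocks": blocks, "block_hashes": block_hashes, "hod": hod, "kp": kp, "segment_id": seg_id}

def xor_stream(ke, iv, buf):
    """Stand-in cipher (assumption): XOR with an HMAC(Ke, iv || counter) keystream."""
    out = bytearray()
    for n, i in enumerate(range(0, len(buf), 32)):
        stream = hmac.new(ke, iv + n.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(buf[i:i + 32], stream))
    return bytes(out)

def serving_client_send(cache, segment_id, idx):
    """Peer holding the segment (looked up by the broadcast Segment Id): encrypt block idx with Ke = Kp."""
    entry = cache[segment_id]
    iv = os.urandom(16)
    return iv, xor_stream(entry["kp"], iv, entry["blocks"][idx])

def client_receive(ids, idx, iv, ciphertext):
    """Requesting client: decrypt with the Kp the server sent, then validate against the block hash."""
    block = xor_stream(ids["kp"], iv, ciphertext)
    return block if H(block) == ids["block_hashes"][idx] else None   # None = block rejected

def demo(tampered=False):
    data = b"constructed sample content for one segment"     # constructed input
    ks = b"constructed-server-secret"
    ids = server_identifiers(data, ks)            # identifiers travel to the client with the data
    peer_cache = {ids["segment_id"]: ids}         # a serving client already fetched this segment
    iv, ct = serving_client_send(peer_cache, ids["segment_id"], 2)
    if tampered:
        ct = bytes([ct[0] ^ 0x01]) + ct[1:]       # corruption on the branch LAN
    return client_receive(ids, 2, iv, ct)
```

Because Kp depends on Ks, a machine that never received the identifiers from the server cannot compute the Segment Id or the key, which is the authorization property the slides describe.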
Security of Data at Rest
• Clients
  • Cache only contains content requested by the client
  • Data in cache ACL’d so that it is only accessible if authorized by the server
  • If data leakage is a concern, then use BitLocker or EFS
• Hosted Cache
  • Cache contains content requested by all branch clients
  • Use BitLocker or EFS to encrypt cache as necessary
All data can be purged from the cache using netsh
Customers say…
“We are improving the efficiency of our branch offices and saving bandwidth by using BranchCache in Windows Server 2008 R2 and Windows 7,” said Lukas Kucera, IT services manager of Lukoil CEEB, one of the largest integrated oil and gas companies in the world. “Some of our smaller facilities, such as the office in Slovakia and the storage terminal in Belgium, have just five to 10 users, so it’s not efficient to deploy a file server on-site, but it consumes bandwidth to have them continually accessing files from the main servers. BranchCache is the perfect solution.”
“Taking advantage of the BranchCache feature in Windows Server 2008 R2, we can spend $20,000 rather than $50,000 per year on bandwidth by postponing our expansion schedule.” David Feng, IT Director, Sporton International
Convergent Computing (CCO) wanted to improve remote network access for its mobile users. Using the DirectAccess and BranchCache™ features in Windows Server® 2008 R2 and Windows 7, CCO has simplified remote connection to its network and sped the downloading of important files. It has cut costs by eliminating its virtual private network and has seen a 43 percent savings in wide area network (WAN) bandwidth.
WAN Optimization Appliance Partners
• Cisco Wide Area Application Services (WAAS) – Comprehensive WAN optimization solution that accelerates applications over the WAN, delivers video to the branch office, and provides local hosting of branch-office IT services
• Citrix Branch Repeater – Branch optimization solution that accelerates application delivery to globally distributed users while dramatically reducing bandwidth costs and simplifying branch infrastructure
• Riverbed Steelhead Appliances – Solution that enables distributed organizations to accelerate applications by up to 100x over the WAN, and reduce WAN traffic by up to 95 percent
To Summarize
• BranchCache™ reduces WAN bandwidth consumed by end users for intranet based HTTP and SMB traffic and improves end user experience
• BranchCache™ accelerates delivery of encrypted and signed content, such as when using HTTPS, IPsec or SMB signing, and at the same time ensures authorization of users by the server at the central office
• BranchCache™ doesn’t require additional equipment in the branch offices and can be easily managed using existing systems management technology such as group policy
• BranchCache has a vibrant and growing ecosystem, giving customers the choice to pick a solution that works best for their needs
BranchCache Resources
• Protocols
  • Content Identification (PCCRC)
  • Discovery (PCCRD)
  • Retrieval (PCCRR)
  • Hosted Cache Offer (PCHC)
  • HTTP extensions for BranchCache (PCCRTP)
  • SMB extensions for BranchCache (SMB2.1)
• Collateral
  • BranchCache Executive Overview
  • BranchCache Technical Overview
  • BranchCache Security Guide
  • BranchCache Deployment Guide
• Case Studies
  • Sporton International
  • Convergent Computing
• E-mail: firstname.lastname@example.org
• Netmon Parsers: Protocol parsers
• Website: http://www.branchcache.com
Resources
• Learning
  • Sessions On-Demand & Community: www.microsoft.com/teched
  • Microsoft Certification & Training Resources: www.microsoft.com/learning
• Resources for IT Professionals: http://microsoft.com/technet
• Resources for Developers: http://microsoft.com/msdn
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.