Ravi Rao Senior Program Manager Microsoft Corporation WSV303.
BranchCache: Helping You Save on WAN Bandwidth Consumption at Branch Offices
Ravi Rao
Senior Program Manager
Microsoft Corporation
WSV303
Agenda
• Problem background
• Solution modes
• Deployment
• Demo
• Deep Dives
  • Content Identification
  • Integration architecture
  • Security
  • End to end flow
• Partners
• Resources
Problem Background
• Thin, expensive WAN links between main office and branch offices
• High link utilization
• Poor application responsiveness
• Trend towards data centralization
Customers Say…
“We are improving the efficiency of our branch offices and saving bandwidth by using BranchCache in Windows Server 2008 R2 and Windows 7,” said Lukas Kucera, IT services manager of Lukoil CEEB, one of the largest integrated oil and gas companies in the world. “Some of our smaller facilities, such as the office in Slovakia and the storage terminal in Belgium, have just five to 10 users, so it’s not efficient to deploy a file server on-site, but it consumes bandwidth to have them continually accessing files from the main servers. BranchCache is the perfect solution.”
“Taking advantage of the BranchCache feature in Windows Server 2008 R2, we can spend $20,000 rather than $50,000 per year on bandwidth by postponing our expansion schedule.”
David Feng, IT Director, Sporton International
Convergent Computing (CCO) wanted to improve remote network access for its mobile users. Using the DirectAccess and BranchCache™ features in Windows Server® 2008 R2 and Windows 7, CCO has simplified remote connection to its network and sped the downloading of important files. It has cut costs by eliminating its virtual private network and has seen a 43 percent savings in wide area network (WAN) bandwidth.
Solution Tenets
Optimized
• Distributed – retrieve from other clients in the branch
• Centralized – retrieve from a “hosted cache” in the branch
Secured
• Client can only retrieve content locally if authorized by the content server
• All data transfers in the branch are encrypted
End to End
• Maintains protocol integrity
• Benefits from protocol optimizations
• Optimizes SSL, IPsec, SMB signing, HTTP, SMB
[Diagrams: Distributed Cache and Hosted Cache message flows. Labels: Get, ID, Data, Search, Put, Request, Offer]
Hosted Cache
Centralized cache of data downloaded by the branch
The hosted cache on Windows Server 2008 R2 provides the following features:
• A centralized cache for
  • Protocols: HTTP, SMB
  • E2E encrypted/signed traffic: SSL, IPsec, SMB signing, etc.
• Does not “modify” protocols; benefits from protocol optimizations
• Configurable size/location/persisted across reboots/flush-able
• Works across multiple subnets
• Admins can seed content by writing custom scripts
• Can be a virtual workload in an appliance
• Easy to deploy; clients are configured via policy
Hosted Cache vs. Distributed
Hosted Cache: data cached at hosted cache server
• Recommended for larger branches
• Cache stored centrally: can use existing server in the branch
• Cache availability is high
• Enables branch-wide caching
Distributed Cache: data cached amongst clients
• Recommended for branches without any infrastructure
• Easy to deploy: enabled on clients through Group Policy
• Cache availability decreases with laptops that go offline
Overall Framework
[Diagram labels: IE, Explorer, Robocopy, Office, WMP, BITS, SharePoint, AppV, 3rd Party Applications; HTTP, SMB; BranchCache™]
Deployment
Distributed
• HQ: Content Server (must run R2)
• Branch: Client (must run Win 7 or R2)
Hosted
• HQ: Content Server (must run R2)
• Branch: Hosted Cache (must run R2)
• Branch: Client (must run Win 7)
Works on Server Core R2 as well!
Deployment - Content server
HTTP server (IIS) - Install the BranchCache feature from Server Manager
SMB server (File server) – Install the BranchCache role service feature within the file server role using Server Manager
That’s it…
Deployment - Client
Identify the “branch”
• An Active Directory Site
• An IP address range
• A collection of specific client computers
Choose how to deploy
• Group Policy
• netsh
Deploy to clients!
• Group policy: Use built-in ADMX files
• netsh: Run netsh branchcache set service distributed on all relevant clients
Deployment – Hosted Cache
Set up the hosted cache
• Install the BranchCache feature on an R2 server
• Install a server-auth certificate for use with SSL
• Run netsh branchcache set service hostedserver on the hosted cache
Identify Branch
Choose how to deploy
Deploy to clients!
• Group policy: Use built-in ADMX files
• netsh: Run netsh branchcache set service hostedclient location=<> on all clients
Deployment - Summary
• Install BranchCache™ feature on an R2 server (IIS, File Server)
• Group Policy to enable clients (Group Policy Management)
• Optionally, install a hosted cache in your branch (Hosted Cache)
Additional configuration options
• Enable / disable distributed cache mode
• Enable / disable hosted cache mode
• Set the cache size
• Set the location of the hosted cache
• Clear the cache
• Create and replicate a shared key for use in a server cluster
• And more …
Works in domains and workgroups
Monitoring
• Event logs - Operational logs & Audit logs
• Perfmon counters - Client, hosted cache and Content Server
• netsh for querying the infrastructure for potential problems
  • Cache size too small, firewall issues, certificate problems, etc.
• SCOM pack - for rolling all the information up
Demo: BranchCache in Action
Devrim Iyigun
Senior Product Manager
Microsoft Corporation
Going Deeper…
Content Identifiers
[Diagram: content divided into segments S1, S2, S3; each segment divided into blocks B1, B2, … Bn]
• Segments: unit of discovery
• Blocks: unit of download
• Hashes: returned by server
• Segment hashes, block hashes: up to ~2000x data reduction
HTTP Integration
[Diagram labels: IE, wininet, BranchCache (client); IIS, http.sys, BranchCache (server); Open URL; “Branch Cache Capable” Get data; Hashlist (H1 H2 H4 H5; H3); Data]
SMB Integration
[Diagram labels: SMB Server Driver, SMB Hash Generation Service, HashGen Utility, Application, CSC Driver, SMB Client Driver, CSC Cache, CSC Service, BranchCache; Generate or update hash, Request Hashes, Hashlist, ReadFile, Data, Prefetch File Data, Access hashes, Save hashes]
How is SSL Optimized?
[Diagram labels: client stack (IE, BranchCache, HTTP, SSL, Sockets, IPsec); server stack (IIS, BranchCache, HTTP, SSL, Sockets, IPsec); Data in clear, Data encrypted]
Security
[Diagram labels: Blocks B1, B2, … Bn; Client; Server]
• Block hashes: Hash(block)
• Segment hash (SH): Hash(Block hashes)
• Server secret key: Ks
• Private segment key (SK): Hash(SH, Ks)
• Encryption key: Hash(SK, “KeKeKe”)
• Segment discovery key: Hash(SK, SH+“HoHoDk”)
Flow – a Security View
• Client requests data from the server, and indicates BranchCache capability
• Server authorizes the client
  • Server retrieves metadata (block hashes, segment hashes, private segment key) for the data
  • Server sends metadata on same channel as data
• Client computes a segment discovery key
  • Broadcasts on the local network
Flow, Continued
• Serving clients receive the broadcast
  • Decrypt the segment hash from the segment discovery key
  • Respond with data availability
• Client requests blocks from the serving client
  • Serving client computes encryption key from the segment private key
  • Serving client encrypts each block with the encryption key
• Client receives the data
  • Decrypts the data
  • Validates block data against the block hash
  • If valid, returns to application
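
The key hierarchy from the Security slide and the block validation step that ends the flow, as an added example (not code from the presentation or from Microsoft). The slides do not name the hash function or how arguments are combined; SHA-256 over concatenated bytes, the 4-byte block size, the peer cache keyed by discovery key, and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac

BLOCK_SIZE = 4        # constructed: tiny blocks keep the sample readable
KE_LABEL = b"KeKeKe"  # label strings exactly as written on the Security slide
DK_LABEL = b"HoHoDk"

def H(*parts: bytes) -> bytes:
    """Hash(a, b, ...) modelled as SHA-256 over concatenated bytes (assumption)."""
    return hashlib.sha256(b"".join(parts)).digest()

def split_blocks(segment: bytes) -> list[bytes]:
    return [segment[i:i + BLOCK_SIZE] for i in range(0, len(segment), BLOCK_SIZE)]

def server_metadata(segment: bytes, ks: bytes) -> dict:
    """Metadata the content server sends to a client it has authorized."""
    block_hashes = [H(b) for b in split_blocks(segment)]
    sh = H(*block_hashes)  # segment hash (SH) = Hash(block hashes)
    sk = H(sh, ks)         # private segment key (SK) = Hash(SH, Ks)
    return {"block_hashes": block_hashes, "sh": sh, "sk": sk}

def encryption_key(sk: bytes) -> bytes:
    """Derived by requester and serving client alike, so no key is exchanged."""
    return H(sk, KE_LABEL)

def discovery_key(sk: bytes, sh: bytes) -> bytes:
    return H(sk, sh + DK_LABEL)

def accept_block(meta: dict, index: int, block: bytes) -> bool:
    """Final flow step: check a peer-supplied block against its block hash."""
    return hmac.compare_digest(H(block), meta["block_hashes"][index])

def demo() -> dict:
    segment = b"quarterly-report"  # constructed content: 16 bytes, 4 blocks
    meta = server_metadata(segment, b"constructed-server-secret")
    # Hypothetical serving peer: cache indexed by segment discovery key.
    peer_cache = {discovery_key(meta["sk"], meta["sh"]): split_blocks(segment)}
    hit = peer_cache.get(discovery_key(meta["sk"], meta["sh"]))
    # A client that knows SH but was never given SK cannot form the lookup key.
    guessed_sk = H(meta["sh"], b"wrong-secret")
    miss = peer_cache.get(discovery_key(guessed_sk, meta["sh"]))
    return {"authorized_hit": hit is not None,
            "unauthorized_hit": miss is not None,
            "good_block": accept_block(meta, 0, hit[0]),
            "tampered_block": accept_block(meta, 0, b"quaX")}

if __name__ == "__main__":
    print(demo())
```

Because SK depends on the server secret Ks, the same content yields the same segment hash but a different discovery key and encryption key under a different server, which is what ties local retrieval to authorization by the content server.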
Security of Data at Rest
Clients
• Cache only contains content requested by the client
• Data in cache ACL’d so that it is only accessible if authorized by the server
• If data leakage is a concern, then use BitLocker or EFS
Hosted Cache
• Cache contains content requested by all branch clients
• Use BitLocker or EFS to encrypt cache as necessary
All data can be purged from the cache using netsh
Announcing BranchCache Ecosystem Partners
Microsoft and Riverbed - Better Together
Joint Optimization Solution for Windows 7 users
Riverbed and Microsoft to extend optimization further for Windows 7 users with BranchCache
[Diagram labels: Steelhead Appliance, RSP, VM, Virtualization Layer, WAN]
• Riverbed Steelhead: Leading WAN optimization solution + BranchCache
• Leader in the Gartner magic quadrant
• Accelerate applications: CIFS, MAPI, HTTP/S, TCP, and all other key protocols
• Cut bandwidth use: Save 65 – 95% of WAN utilization
• POLP Licensing Partner, and Windows OEM
• Deliver Windows to the branch with the Riverbed Services Platform (RSP): Offer Windows services such as AD, Streaming, Print, DNS and BranchCache
• Visit Booth 247 for more info
Blue Coat – BranchCache Support
About Blue Coat
• Application Delivery Network Vendor
• ProxySG for WAN Optimization & Secure Web Gateway
• Leader in Gartner Magic Quadrants: Secure Web Gateway, Sep 2008; WAN Optimization Controllers, Nov 2007
Blue Coat will support BranchCache protocols
• Blue Coat will license Hosted Cache protocols on ProxySG
• Edge site hosted cache for SMB2, SMB signed & IPsec
• Core site proxy for legacy content servers (non-WS 2008 R2)
[Diagram labels: Remote Office, Data Center, ProxySG]
F5 and BranchCache
• F5 is a player in Application Delivery Networking, with the mission of building network devices that support your applications, ensuring high availability, scalability, performance and security.
• BranchCache adds to BIG-IP’s WAN acceleration portfolio
• See a demo of BranchCache on the BIG-IP 6900 – visit booth 311
New Generation Application Delivery Platform
• Application Acceleration & Load Balancing
• BranchCache Augments AX Native Optimized Caching
BranchCache: Enhancing the Windows File Experience
Delivering best-in-class Windows® files services solution
• Thousands of joint customers using SMB (CIFS) today
• Use ranges from home directories to high performance engineering applications
• Now also supporting SMB 2.0
BranchCache: NetApp® as a Content Server
• Bring remote Windows users closer
• Save on bandwidth and remote administration
NetApp is a gold sponsor – visit their booth!
[Diagram labels: Branch office / remote users, NetApp NAS in the data center]
Symantec Support for BranchCache
Symantec
• World’s 4th largest ISV… Found in almost as many Windows environments as Microsoft
• Security, Storage, HA, Backup, Archiving, Data Loss Prevention, Management…
Altiris Server Management Suite from Symantec
• Provide support for monitoring BranchCache on Windows Server 2008 R2
• Provide alerting when problems are detected
• Orchestrate and automate remediation when necessary
[Diagram labels: Branch, Corp HQ data center, Altiris Server Management Suite from Symantec, Site to Site VPN]
Forefront Threat Management Gateway in the Branch
Web Proxy & Cache, featuring
• Anti-Virus
• URL Filtering
• HTTPS Inspection
• Network Intrusion Inspection
Single Host for TMG & BranchCache (Hosted Cache)
Standard deployment
• Enterprise Management
• Running on Windows Server 2008 R2
To Summarize
• BranchCache™ reduces WAN bandwidth consumed by end users for intranet based HTTP and SMB traffic and improves end user experience
• BranchCache™ accelerates delivery of encrypted and signed content such as when using HTTPS, IPsec, SMB signing and at the same time ensures authorization of users by the server at the central office.
• BranchCache™ doesn’t require additional equipment in the branch offices and can be easily managed using existing systems management technology such as group policy
• BranchCache has a vibrant and growing ecosystem giving customers the choice to pick a solution that works best for their needs
Resources
Website/TechNet
• http://www.branchcache.com
• http://technet.microsoft.com/en-us/network/dd425028.aspx
At TechEd, we have booths in the TLC Orange Area
• Windows Server Branch Office Solutions - BranchCache
• Windows Services for the Branch – Partner Solutions
Resources
• www.microsoft.com/teched - Sessions On-Demand & Community
• http://microsoft.com/technet - Resources for IT Professionals
• http://microsoft.com/msdn - Resources for Developers
• www.microsoft.com/learning - Microsoft Certification & Training Resources
Related Content
• Breakout Sessions: WSV 403: Enhancing the Branch office experience with Windows Server 2008 R2
• Hands-on Labs: WSV14-HOL: Windows Server 2008 R2 - BranchCaching
Windows Server Resources
• Make sure you pick up your copy of Windows Server 2008 R2 RC from the Materials Distribution Counter
• Learn More about Windows Server 2008 R2: www.microsoft.com/WindowsServer2008R2
• Technical Learning Center (Orange Section): Highlighting Windows Server 2008 and R2 technologies
  • Over 15 booths and experts from Microsoft and our partners
Complete an evaluation on CommNet and enter to win!
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.