BranchCache Deployment Guide

Microsoft Corporation

Published: October, 2009

Author: James McIllece

Editor: Scott Somohano

Abstract

BranchCache is a wide area network (WAN) bandwidth optimization technology that is included in some editions of the Windows Server® 2008 R2 and Windows® 7 operating systems. To optimize WAN bandwidth, BranchCache copies content from your main office content servers and caches the content at branch office locations, allowing client computers at branch offices to access the content locally rather than over the WAN.

This deployment guide provides instructions on deploying BranchCache in both distributed cache mode and hosted cache mode, and allows you to deploy Hypertext Transfer Protocol (HTTP), Background Intelligent Transfer Service (BITS), and Server Message Block (SMB)-based content servers that are Web servers, application servers, and file servers, respectively.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

Your right to copy this documentation is limited by copyright law and the terms of the software license agreement. As the software licensee, you may make a reasonable number of copies or printouts for your own use. Making unauthorized copies, adaptations, compilations, or derivative works for commercial distribution is prohibited and constitutes a punishable violation of the law.

© 2009 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.

Contents

BranchCache Deployment Guide
What this guide provides
What this guide does not provide
Deploy BranchCache
Deploy BranchCache in distributed cache mode
Deploy BranchCache in hosted cache mode
Install and configure content servers
Install content servers that use the BranchCache feature
Install the BranchCache feature
Configure Windows Server Update Services (WSUS) content servers
Install File Services content servers
Configure the File Services server role
Install a new file server as a content server
Configure an existing file server as a content server
Enable hash publication for file servers
Enable hash publication for non-domain member file servers
Enable hash publication for domain member file servers
Create the BranchCache file servers organizational unit
Move file servers to the BranchCache file servers organizational unit
Create the BranchCache hash publication Group Policy object
Configure the BranchCache hash publication Group Policy object
Enable BranchCache on a file share
Deploy a distributed cache mode design
Configure client computers for distributed cache mode
Use Group Policy to configure domain member clients for distributed cache mode
Configure domain member client distributed cache mode firewall rules
Non-domain member client configuration for distributed cache mode
Enable BranchCache distributed cache mode using network shell commands
Configure client computer distributed cache mode firewall rules
[MS-PCCRD]: Peer Content Caching and Retrieval Discovery Protocol
[MS-PCCRR]: Peer Content Caching and Retrieval: Retrieval Protocol
Deploy a hosted cache mode design
Configure client computers for hosted cache mode
Use Group Policy to configure domain member clients for hosted cache mode
Configure domain member client hosted cache mode firewall rules
Non-domain member client configuration for hosted cache mode
Enable BranchCache hosted cache mode using network shell commands
Configure hosted cache mode firewall rules
[MS-PCCRR]: Peer Content Caching and Retrieval: Retrieval Protocol
[MS-PCHC]: Peer Content Caching and Retrieval: Hosted Cache Protocol
Install and configure the hosted cache server
Install the BranchCache feature
Enable hosted cache server mode on a hosted cache server
Install the certification authority and enroll certificates to hosted cache servers
Create the hosted cache servers group
Add hosted cache servers to the group
Install the certification authority (CA)
Configure the Web Server certificate template
Configure server certificate autoenrollment
Refresh Group Policy
Obtain the SHA-1 hash of the hosted cache server certificate
Link the hosted cache server certificate to BranchCache
Additional Resources

BranchCache Deployment Guide

BranchCache is a wide area network (WAN) bandwidth optimization technology that is included in some editions of the Windows Server® 2008 R2 and Windows® 7 operating systems.

Note
For more information about operating systems that support BranchCache, see the section “Operating system versions for BranchCache” in the topic BranchCache Overview in the Windows Server® 2008 and Windows Server 2008 R2 Technical Library at http://go.microsoft.com/fwlink/?LinkId=167096.

To optimize WAN bandwidth, BranchCache copies content from your main office content servers and caches the content at branch office locations, allowing client computers at branch offices to access the content locally rather than over the WAN.

At branch offices, content is cached either on servers that are running the BranchCache feature of Windows Server 2008 R2 or, when no server is available in the branch office, on computers running Windows 7. After a client computer requests and receives content from the main office and the content is cached at the branch office, other computers at the same branch office can obtain the content locally rather than contacting the main office over the WAN link.

What this guide provides

This deployment guide allows you to deploy BranchCache in the following modes:

Distributed cache mode. In this mode, branch office client computers download content from the content servers in the main office and then cache the content for other computers in the same branch office. Distributed cache mode does not require a server computer in the branch office.

Hosted cache mode. In this mode, branch office client computers download content from the content servers in the main office, and a hosted cache server retrieves the content from the clients. The hosted cache server then caches the content for other client computers. Hosted cache mode does require a server computer in the branch office, and there are additional requirements.

This guide also provides instructions on how to deploy three types of content servers. Content servers contain the source content that is downloaded by branch office client computers, and one or more content servers are required to deploy BranchCache in either mode. The content server types are:

Web server-based content servers. These content servers send content to BranchCache client computers using the HTTP and HTTPS protocols. These content servers must be running Windows Server 2008 R2 versions that support BranchCache and upon which the BranchCache feature is installed.

BITS-based application servers. These content servers send content to BranchCache client computers using the Background Intelligent Transfer Service (BITS). These content servers must be running Windows Server 2008 R2 versions that support BranchCache and upon which the BranchCache feature is installed.

File server-based content servers. These content servers must be running Windows Server 2008 R2 versions that support BranchCache and upon which the File Services server role is installed. In addition, the BranchCache for network files role service of the File Services server role must be installed and configured. These content servers send content to BranchCache client computers using the Server Message Block (SMB) protocol.

What this guide does not provide

This guide does not provide conceptual information that explains BranchCache functionality. This guide also does not contain information on how to plan and design a BranchCache deployment. That information is included in other BranchCache documentation, which is in the Windows Server® 2008 and Windows Server 2008 R2 Technical Library at http://go.microsoft.com/fwlink/?LinkId=162776.

Deploy BranchCache

See the following topics to deploy BranchCache.

Note
The procedures in this guide do not include instructions for those cases in which the User Account Control dialog box opens to request your permission to continue. If this dialog box opens while you are performing the procedures in this guide, and if the dialog box was opened in response to your actions, click Continue.

Deploy BranchCache in distributed cache mode

To deploy BranchCache in distributed cache mode, use the following topics.

Install and configure content servers

Deploy a distributed cache mode design

Deploy BranchCache in hosted cache mode

To deploy BranchCache in hosted cache mode, use the following topics.

Install and configure content servers

Deploy a hosted cache mode design

For more information on the technologies used to deploy BranchCache, see Additional Resources.

Install and configure content servers

When you deploy BranchCache in distributed cache mode or hosted cache mode, you must deploy one or more content servers at your main office. Content servers that are Web servers or application servers use the BranchCache feature. Content servers that are file servers use the BranchCache for network files role service of the File Services server role in Windows Server® 2008 R2.

See the following topics to deploy content servers.

Install content servers that use the BranchCache feature

Install File Services content servers

Install content servers that use the BranchCache feature

To deploy content servers that are Hypertext Transfer Protocol (HTTP) 1.1 Web servers, Hypertext Transfer Protocol Secure (HTTPS) 1.1 Web servers, and Background Intelligent Transfer Service (BITS)-based application servers, such as Windows Server Update Services (WSUS) and System Center Configuration Manager branch distribution site system servers, you must install the BranchCache feature, start the BranchCache service, and (for WSUS servers only) perform additional configuration steps.

See the following topics to deploy content servers.

Install the BranchCache feature

Configure Windows Server Update Services (WSUS) content servers

Install the BranchCache feature

You can use this procedure to install the BranchCache feature and start the BranchCache service on a computer running Windows Server® 2008 R2.

Membership in Administrators, or equivalent, is the minimum required to perform this procedure.

To install and enable the BranchCache feature

1. Click Start, click Administrative Tools, and then click Server Manager. Server Manager opens.

2. In the Server Manager left pane, right-click Features, and then click Add Features. The Add Features Wizard opens.

3. In the Add Features Wizard, in Features, select the BranchCache check box, and then click Next.

4. In Confirm Installation Selections, review your choice and then click Install. The Installation Progress pane is displayed during installation, and then the Installation Results pane is displayed.

5. In Installation Results, review the summary and then click Close. The Add Features Wizard closes.

6. In the Server Manager left pane, double-click Configuration, and then click Services.

7. In the details pane, in Services, double-click BranchCache. The BranchCache Properties dialog box opens.

8. In the BranchCache Properties dialog box, on the General tab, click Start to start the BranchCache service, and then click OK.

Important
The BranchCache service startup type is Automatic, which means that the BranchCache service starts whenever the computer is restarted. It is recommended that you keep the startup type value set to Automatic.
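The same procedure as a Windows PowerShell script, added here as an example; it is not part of the original guide. It uses the ServerManager module cmdlets that ship with Windows Server 2008 R2 and the netsh branchcache context. The service is addressed by its service name, PeerDistSvc, because Set-Service and Get-Service take the service name rather than the display name BranchCache that the Services console shows. Run it in an elevated Windows PowerShell session on the content server.

```powershell
# Added example (not from the original guide): install the BranchCache feature,
# keep the service on Automatic startup, start it, and verify the result.
Import-Module ServerManager

# Install the feature only if it is not already present. Add-WindowsFeature returns
# Success/RestartNeeded, so a pending restart is reported rather than silently skipped.
$feature = Get-WindowsFeature -Name BranchCache
if (-not $feature.Installed) {
    $result = Add-WindowsFeature -Name BranchCache
    if (-not $result.Success) {
        throw "BranchCache feature installation failed: $($result.ExitCode)"
    }
    if ($result.RestartNeeded -eq 'Yes') {
        Write-Warning 'A restart is required before the BranchCache service can start.'
    }
}

# PeerDistSvc is the service name; 'BranchCache' is only its display name.
# The guide recommends leaving the startup type at Automatic.
Set-Service -Name PeerDistSvc -StartupType Automatic
$svc = Get-Service -Name PeerDistSvc
if ($svc.Status -ne 'Running') {
    Start-Service -Name PeerDistSvc
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
}

# Verification: the Service Control Manager view of the service, then the
# BranchCache service's own status report.
Get-Service -Name PeerDistSvc | Format-Table Name, DisplayName, Status -AutoSize
netsh branchcache show status all
```

A content server only needs the service running; the client mode that netsh reports (distributed or hosted) is configured on branch office computers in the client topics, so a reported mode of Disabled on a content server is not an error.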

Configure Windows Server Update Services (WSUS) content servers

After installing the BranchCache feature and starting the BranchCache service, WSUS servers must be configured to store update files on the local computer. When you configure WSUS servers to store update files on the local computer, both the update metadata and the update files are downloaded by and stored directly upon the WSUS server. This ensures that BranchCache client computers receive Microsoft product update files from the WSUS server rather than directly from the Microsoft Update Web site.

To learn more about WSUS server configuration, see “Advanced Synchronization Options for WSUS” on Microsoft TechNet at http://go.microsoft.com/fwlink/?LinkId=150597.

Install File Services content servers

To deploy content servers that are running the File Services server role, you must install the BranchCache for network files role service of the File Services server role. In addition, you must enable hash publication on the server, and enable BranchCache on file shares according to your requirements.

Note
During the configuration of the content server, you can allow BranchCache publication of content for all file shares or you can select a subset of file shares to publish.

See the following topics to deploy content servers.

Configure the File Services server role

Enable hash publication for non-domain member file servers

Enable BranchCache on a file share

Configure the File Services server role

You can deploy BranchCache file server-based content servers on computers running Windows Server® 2008 R2 and the File Services server role with the BranchCache for network files role service installed.

To install a BranchCache content server on a computer that does not already have File Services installed, see Install a new file server as a content server.

To install a BranchCache content server on a computer that is already configured with the File Services server role, see Configure an existing file server as a content server.

Install a new file server as a content server

You can use this procedure to install the File Services server role and the BranchCache for network files role service on a computer running Windows Server® 2008 R2.

Membership in Administrators, or equivalent, is the minimum required to perform this procedure.

To install File Services and the BranchCache for network files role service

1. Click Start, click Administrative Tools, and then click Server Manager. Server Manager opens.

2. In the Server Manager left pane, right-click Roles, and then click Add Roles. The Add Roles Wizard opens. In Before You Begin, click Next.

3. In Select Server Roles, in Roles, select the File Services check box, and then click Next.

4. In File Services, review the information, and then click Next.

5. In Select Role Services, in Role services, ensure that File Server is selected. Also select the BranchCache for network files check box, and then click Next.

6. In Confirm Installation Selections, review your selections, and then click Install. The Installation Progress pane is displayed during installation, and then the Installation Results pane is displayed. Review your results, and then click Close.

Configure an existing file server as a content server

You can use this procedure to install the BranchCache for network files role service of the File Services server role on a computer running Windows Server® 2008 R2.

Membership in Administrators, or equivalent, is the minimum required to perform this procedure.

Important
If the File Services server role is not already installed, do not follow this procedure. Instead, see Install a new file server as a content server.

To install the BranchCache for network files role service

1. Click Start, click Administrative Tools, and then click Server Manager. Server Manager opens.

2. In the Server Manager left pane, double-click Roles, right-click File Services, and then click Add Role Services. The Add Role Services wizard opens.

3. In Select Role Services, select the BranchCache for network files check box, and then click Next.

4. In Confirm Installation Selections, review your selections, and then click Install. The Installation Progress pane is displayed during installation, and then the Installation Results pane is displayed. Review your results, and then click Close.

Enable hash publication for file servers

You can enable BranchCache hash publication on one file server or on multiple file servers.

To enable hash publication on one file server using local computer Group Policy, see Enable hash publication for non-domain member file servers.

To enable hash publication on multiple file servers using domain Group Policy, see Enable hash publication for domain member file servers.

Note
If you have multiple file servers and you want to enable hash publication per share, rather than enabling hash publication for all shares, you can use the instructions in the topic Enable hash publication for non-domain member file servers.

Enable hash publication for non-domain member file servers

You can use this procedure to configure hash publication for BranchCache using local computer Group Policy on a file server that is running Windows Server® 2008 R2 with the BranchCache for network files role service of the File Services server role installed. This procedure is intended for use on a non-domain member file server. If you perform this procedure on a domain member file server and you also configure BranchCache using domain Group Policy, the domain Group Policy settings override the local Group Policy settings.

Membership in Administrators, or equivalent, is the minimum required to perform this procedure.

Note
If you have one or more domain member file servers, you can add them to an organizational unit (OU) in Active Directory Domain Services and then use Group Policy to configure hash publication for all of the file servers at one time, rather than individually configuring each file server. For more information, see Enable hash publication for domain member file servers.

To enable hash publication for one file server

1. Click Start, click Run, type mmc, and then press ENTER. The Microsoft Management Console (MMC) opens.

2. In the MMC, on the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box opens.

3. In Add or Remove Snap-ins, in Available snap-ins, double-click Group Policy Object Editor. The Group Policy Wizard opens with the Local Computer object selected. Click Finish, and then click OK.

4. In the Local Group Policy Editor MMC, expand the following path: Computer Configuration, Administrative Templates, Network, Lanman Server. Click Lanman Server.

5. In the details pane, double-click Hash Publication for BranchCache. The Hash Publication for BranchCache dialog box opens.

6. In the Hash Publication for BranchCache dialog box, click Enabled.

7. In Options, click one of the following:

a. To enable hash publication for all shared folders on this computer, click Allow hash publication for all shared folders.

b. To enable hash publication only for shared folders for which BranchCache is enabled, click Allow hash publication only for shared folders on which BranchCache is enabled.

c. To disallow hash publication for all shared folders on the computer even if BranchCache is enabled on the file shares, click Disallow hash publication on all shared folders.

8. Click OK.
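An example script for a standalone file server, added here and not part of the original guide. It covers two of the topics above in one pass: it installs the File Server and BranchCache for network files role services (Install File Services content servers) and applies the choice that step 7 makes in the Local Group Policy Editor. That policy is delivered to the Server service as the HashPublicationForPeerCaching DWORD under HKLM\SOFTWARE\Policies\Microsoft\Windows\LanmanServer; the value meanings used here (0 disallow, 1 all shared folders, 2 only shared folders on which BranchCache is enabled) are my reading of the LanmanServer administrative template and should be confirmed against the ADMX file in your build before you rely on them. Writing the key directly does not update the local registry.pol, so the Local Group Policy Editor will not show the setting as configured, and on a domain member a domain GPO overrides it at the next refresh, as the topic warns. The Mode and RestartServerService parameters are mine, not the guide's.

```powershell
# Added example (not from the original guide). Save as a .ps1 and run it in an
# elevated Windows PowerShell session on a non-domain member Windows Server 2008 R2
# file server.
param(
    # Which of the three Hash Publication for BranchCache options to apply.
    [ValidateSet('Disallow', 'AllShares', 'BranchCacheSharesOnly')]
    [string]$Mode = 'BranchCacheSharesOnly',

    # Restart the Server service so it reads the new policy value immediately.
    # This drops open SMB sessions, so use it only in a maintenance window.
    [switch]$RestartServerService
)

Import-Module ServerManager

# Role services: File Server plus BranchCache for network files. Only install
# what is missing so the script is safe to re-run.
$missing = Get-WindowsFeature -Name FS-FileServer, FS-BranchCache | Where-Object { -not $_.Installed }
if ($missing) {
    $result = Add-WindowsFeature -Name ($missing | ForEach-Object { $_.Name })
    if (-not $result.Success) { throw "Role service installation failed: $($result.ExitCode)" }
    if ($result.RestartNeeded -eq 'Yes') { Write-Warning 'A restart is required to complete installation.' }
}

# Registry value written by the 'Hash Publication for BranchCache' policy.
# Assumed mapping (confirm in LanmanServer.admx): 0 = Disallow hash publication on
# all shared folders, 1 = Allow for all shared folders, 2 = Allow only for shared
# folders on which BranchCache is enabled.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanServer'
$valueName = 'HashPublicationForPeerCaching'
$valueMap  = @{ Disallow = 0; AllShares = 1; BranchCacheSharesOnly = 2 }

if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name $valueName -Value $valueMap[$Mode] -Type DWord

# Verify: read the value back and fail loudly if it is not what was requested.
$actual = (Get-ItemProperty -Path $policyKey -Name $valueName).$valueName
if ($actual -ne $valueMap[$Mode]) {
    throw "Expected $valueName=$($valueMap[$Mode]) but found $actual"
}
'{0} = {1} ({2})' -f $valueName, $actual, $Mode

if ($RestartServerService) {
    # LanmanServer has dependents (for example Computer Browser); -Force restarts them too.
    Restart-Service -Name LanmanServer -Force
}
```

Prefer BranchCacheSharesOnly (option b in step 7) unless you have a reason to publish hashes for every share: it limits hash publication to the shares you deliberately enable in the Enable BranchCache on a file share topic, which keeps the set of content that branch office peers can fetch from each other under your explicit control.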

Enable hash publication for domain member file servers

When you’re using Active Directory Domain Services (AD DS), you can use domain Group Policy to enable BranchCache hash publication for multiple file servers. To do so, you must create an organizational unit (OU), add file servers to the OU, create a BranchCache hash publication Group Policy object (GPO), and then configure the GPO.

See the following topics to enable hash publication for multiple file servers.

Create the BranchCache file servers organizational unit

Move file servers to the BranchCache file servers organizational unit

Create the BranchCache hash publication Group Policy object

Configure the BranchCache hash publication Group Policy object

Create the BranchCache file servers organizational unit

You can use this procedure to create an organizational unit (OU) in Active Directory Domain Services (AD DS) for BranchCache file servers.

Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

To create the BranchCache file servers organizational unit

1. On a computer where AD DS is installed, click Start, click Administrative Tools, and then click Active Directory Users and Computers. The Active Directory Users and Computers console opens.

2. In the Active Directory Users and Computers console, right-click the domain to which you want to add an OU. For example, if your domain is named example.com, right-click example.com. Point to New, and then click Organizational Unit. The New Object – Organizational Unit dialog box opens.

3. In the New Object – Organizational Unit dialog box, in Name, type a name for the new OU. For example, if you want to name the OU BranchCache file servers, type BranchCache file servers, and then click OK.

Move file servers to the BranchCache file servers organizational unit

You can use this procedure to add BranchCache file servers to an organizational unit (OU) in Active Directory Domain Services (AD DS).

Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

Note
You must create a BranchCache file servers OU in the Active Directory Users and Computers console before you add computer accounts to the OU with this procedure. For more information, see Create the BranchCache file servers organizational unit.

To move file servers to the BranchCache file servers organizational unit

1. On a computer where AD DS is installed, click Start, click Administrative Tools, and then click Active Directory Users and Computers. The Active Directory Users and Computers console opens.

2. In the Active Directory Users and Computers console, locate the computer account for a BranchCache file server, left-click to select the account, and then drag and drop the computer account on the BranchCache file servers OU that you previously created. For example, if you previously created an OU named BranchCache file servers, drag and drop the computer account on the BranchCache file servers OU.

3. Repeat the previous step for each BranchCache file server in the domain that you want to move to the OU.

Create the BranchCache hash publication Group Policy object

You can use this procedure to create the BranchCache hash publication Group Policy object (GPO).

Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

Note
Before performing this procedure, you must create the BranchCache file servers organizational unit and move file servers into the OU. For more information, see Enable hash publication for domain member file servers.

To create the BranchCache hash publication Group Policy object

1. Click Start, click Run, type mmc, and then press ENTER. The Microsoft Management Console (MMC) opens.

2. In the MMC, on the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box opens.

3. In Add or Remove Snap-ins, in Available snap-ins, double-click Group Policy Management, and then click OK.

4. In the Group Policy Management MMC, expand the path to the Group Policy Objects container of the domain that contains the BranchCache file servers OU you previously created. For example, if your forest is named example.com, your domain is named example1.com, and your OU is named BranchCache file servers, expand the following path: Group Policy Management, Forest: example.com, Domains, example1.com, Group Policy Objects.

5. Right-click Group Policy Objects, and then click New. The New GPO dialog box opens. In Name, type a name for the new Group Policy object (GPO). For example, if you want to name the object BranchCache Hash Publication, type BranchCache Hash Publication. Click OK.

6. In the Group Policy Management MMC, right-click the BranchCache file servers organizational unit (OU) that you created previously. For example, if your OU is named BranchCache file servers, right-click BranchCache file servers, and then click Link an Existing GPO. The Select GPO dialog box opens.

7. In the Select GPO dialog box, in Group Policy objects, click the BranchCache hash publication GPO that you created earlier in this procedure. For example, if your GPO is named BranchCache Hash Publication, click BranchCache Hash Publication. Click OK.

Configure the BranchCache hash publication Group Policy object

You can use this procedure to configure the BranchCache hash publication Group Policy object (GPO).

Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

Note
Before performing this procedure, you must create the BranchCache file servers organizational unit, move file servers into the OU, and create the BranchCache hash publication Group Policy object (GPO). For more information, see Enable hash publication for domain member file servers.

To configure the BranchCache hash publication Group Policy object

1. Click Start, click Run, type mmc, and then press ENTER. The Microsoft Management Console (MMC) opens.

2. In the MMC, on the File menu, click Add/Remove Snap-in. The Add or Remove Snap-

ins dialog box opens.

3. In Add or Remove Snap-ins, in Available snap-ins, double-click Group Policy

Management, and then click OK.

4. In the Group Policy Management MMC, expand the path to the BranchCache hash

publication GPO that you previously created. For example, if your forest is named

example.com, your domain is named example1.com, and your GPO is named

BranchCache Hash Publication, expand the following path: Group Policy

Management, Forest: example.com, Domains, example1.com, Group Policy

Objects, BranchCache Hash Publication.

5. Right-click the BranchCache Hash Publication GPO and click Edit. The Group Policy

Management Editor console opens.

6. In the Group Policy Management Editor console, expand the following path: Computer

Configuration, Policies, Administrative Templates, Network, Lanman Server.

7. In the Group Policy Management Editor console, click Lanman Server. In the details

pane, double-click Hash Publication for BranchCache. The Hash Publication for

BranchCache dialog box opens.

8. In the Hash Publication for BranchCache dialog box, click Enabled.

9. In Options, select one of the following:

a. To enable hash publication for all shared folders on this computer, click Allow hash publication for all shared folders.

b. To enable hash publication only for shared folders for which BranchCache is enabled, click Allow hash publication only for shared folders on which BranchCache is enabled.

c. To disallow hash publication for all shared folders on the computer, even if BranchCache is enabled on the file shares, click Disallow hash publication on all shared folders.

10. Click OK.

In most cases, you must save the MMC console and refresh the view to display the

configuration changes you have made.
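The two procedures above (create the GPO, link it to the OU, and set Hash Publication for BranchCache) can be scripted with the GroupPolicy module that is installed with the Group Policy Management feature on Windows Server 2008 R2. The following is an added example, not code from the guide: it assumes the domain is example1.com, that the OU distinguished name is OU=BranchCache file servers,DC=example1,DC=com, and that the policy is stored as the DWORD HashPublicationForPeerCaching under the LanmanServer policies key (0 = disallow, 1 = all shares, 2 = only BranchCache-enabled shares), as defined in the LanmanServer.admx template. It selects option b so that hash publication stays opt-in per share.

```powershell
# Added example (not from the BranchCache Deployment Guide). Run on a domain
# controller or management workstation with the Group Policy Management feature.
# Assumptions: domain example1.com, OU DN below, and the registry mapping of the
# Hash Publication for BranchCache policy from LanmanServer.admx.
Import-Module GroupPolicy

$gpoName = 'BranchCache Hash Publication'
$ouDn    = 'OU=BranchCache file servers,DC=example1,DC=com'
$key     = 'HKLM\Software\Policies\Microsoft\Windows\LanmanServer'

# The three choices offered by the Hash Publication for BranchCache dialog box.
$hashPublication = @{
    DisallowOnAllShares        = 0
    AllowForAllShares          = 1
    AllowOnlyBranchCacheShares = 2
}

# Create the GPO only if it does not already exist, so the script can be re-run safely.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Enables SMB hash publication for BranchCache file servers'
}

# Link the GPO to the OU that holds the file server computer accounts (steps 6 and 7).
$existingLink = (Get-GPInheritance -Target $ouDn).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $existingLink) {
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null
}

# Option b: publish hashes only for shares on which BranchCache is enabled, so a share
# administrator has to opt in rather than every share on the server publishing hashes.
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'HashPublicationForPeerCaching' `
    -Type DWord -Value $hashPublication.AllowOnlyBranchCacheShares | Out-Null

# Read the value back from the GPO instead of trusting that the call succeeded.
$actual = Get-GPRegistryValue -Name $gpoName -Key $key -ValueName 'HashPublicationForPeerCaching'
if ($actual.Value -ne $hashPublication.AllowOnlyBranchCacheShares) {
    throw "Unexpected HashPublicationForPeerCaching value: $($actual.Value)"
}
"GPO '$gpoName' is linked to '$ouDn'; HashPublicationForPeerCaching = $($actual.Value)"
```

File servers pick the setting up at the next Group Policy refresh; run gpupdate /force on a file server and check the same value under HKLM\Software\Policies\Microsoft\Windows\LanmanServer to confirm it arrived.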

Enable BranchCache on a file share

You can use this procedure to enable BranchCache on a file share.

Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

Note

To make shared content available to BranchCache client computers, you must enable BranchCache on the file share, and the hash publication setting in Group Policy must be set to either Allow hash publication only for shared folders on which BranchCache is enabled or Allow hash publication for all shared folders.

To enable BranchCache on a file share

1. Click Start, click Administrative Tools, and then click Share and Storage Management. The Share and Storage Management console opens.

2. In the details pane, on the Shares tab, right-click a share, and then click Properties. The

share’s Properties dialog box opens.

3. In the Properties dialog box, on the Sharing tab, click Advanced.

4. Click the Caching tab, ensure that Only the files and programs that users specify are

available offline is selected, and then click Enable BranchCache.

5. Click OK twice.
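The same change can be made from an elevated prompt on the file server with net share, which accepts /CACHE:BranchCache on Windows Server 2008 R2. The following added example (not from the guide) does that for a list of shares, but first checks the one thing the note above says must also be true: that the hash publication policy delivered by Group Policy actually permits hashes for these shares. The share names are constructed, and the policy value location (HashPublicationForPeerCaching under the LanmanServer policies key; 1 = all shares, 2 = only BranchCache-enabled shares) is assumed from the LanmanServer.admx template.

```powershell
# Added example (not from the BranchCache Deployment Guide). Run elevated on the file server.
# Assumptions: hypothetical share names; policy value location from LanmanServer.admx.
$shares = @('Engineering', 'Projects')   # constructed sample share names

$policyKey = 'HKLM:\Software\Policies\Microsoft\Windows\LanmanServer'
$value = (Get-ItemProperty -Path $policyKey -Name HashPublicationForPeerCaching `
    -ErrorAction SilentlyContinue).HashPublicationForPeerCaching

# Enabling BranchCache on a share does nothing unless hash publication is permitted,
# so stop here if the GPO has not applied or is set to disallow.
switch ($value) {
    1 { 'Policy: hash publication allowed for all shares.' }
    2 { 'Policy: hash publication allowed only for BranchCache-enabled shares.' }
    default {
        throw "Hash publication is not permitted on this server (policy value: '$value'). " +
              'Run gpupdate /force or fix the GPO before enabling BranchCache on shares.'
    }
}

foreach ($share in $shares) {
    # Refuse to touch a share that does not exist rather than let net share create one.
    if (-not (Get-WmiObject -Class Win32_Share -Filter "Name='$share'")) {
        Write-Warning "Share '$share' does not exist; skipping."
        continue
    }
    # /CACHE:BranchCache enables BranchCache on the share and keeps offline caching
    # at "only the files and programs that users specify", matching step 4 above.
    & net.exe share $share /CACHE:BranchCache | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "net share failed for '$share' (exit code $LASTEXITCODE)."
    }
    "Enabled BranchCache on \\$env:COMPUTERNAME\$share"
}
```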

Deploy a distributed cache mode design

When you deploy BranchCache in distributed cache mode for a branch office, a hosted cache

server is not required at the branch office.

Client computers that are running either Windows® 7 Enterprise or Windows® 7 Ultimate are

installed at the branch office. These clients download content from content servers that are

installed at the main office; and after downloading content, the client computers act as client

cache servers by providing the content to other clients in the same branch office upon request.

To deploy BranchCache in distributed cache mode, you must install and configure content servers

in your main office and install and configure client computers in your branch office. In addition,

client computers at branch offices must be able to access the main office content servers over

some type of wide area network (WAN) link, such as a dedicated or on-demand virtual private

network (VPN) connection between the offices; or clients must use some other method to connect

to the content servers, such as by using DirectAccess.

See the following topics to deploy BranchCache in distributed cache mode.

Install and configure content servers

Configure client computers for distributed cache mode


Configure client computers for distributed cache mode

You can use the procedures in this section to configure client computers for BranchCache when

you deploy distributed cache mode. Client computers running Windows® 7 Enterprise or Windows® 7 Ultimate have BranchCache installed by default; however, you must enable and configure BranchCache and configure firewall exceptions.

See the following topics to perform these actions.

Use Group Policy to configure domain member clients for distributed cache mode

Configure domain member client distributed cache mode firewall rules

Non-domain member client configuration for distributed cache mode

Note

When distributed cache mode clients are connecting to main office resources using DirectAccess, ensure that Internet Protocol security (IPsec) rules allow BranchCache traffic. Use the inbound and outbound rule settings provided in the topic Configure client computer distributed cache mode firewall rules to create IPsec rules.

Use Group Policy to configure domain member clients for distributed cache mode

You can use this procedure to configure Group Policy to enable and configure BranchCache

distributed cache mode on domain-joined client computers.

Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

To use Group Policy to configure clients for distributed cache mode

1. On a computer upon which the Active Directory Domain Services server role is installed, click Start, click Administrative Tools, and click Group Policy Management. The Group Policy Management console opens.

2. In the Group Policy Management console, expand the following path: Forest:

example.com, Domains, example.com, Group Policy Objects, where example.com is

the name of the domain where the BranchCache client computer accounts that you want

to configure are located.

3. Right-click Group Policy Objects, and then click New. The New GPO dialog box opens.

In Name, type a name for the new Group Policy object (GPO). For example, if you want

to name the object BranchCache Client Computers, type BranchCache Client

Computers. Click OK.

4. In the Group Policy Management console, ensure that Group Policy Objects is selected, and in the details pane right-click the GPO that you just created. For example, if you named your GPO BranchCache Client Computers, right-click BranchCache Client Computers. Click Edit. The Group Policy Management Editor console opens.

5. In the Group Policy Management Editor console, expand the following path: Computer

Configuration, Policies, Administrative Templates: Policy definitions (ADMX files)

retrieved from the local machine, Network, BranchCache.

6. Click BranchCache, and then in the details pane, double-click Turn on BranchCache.

The Turn on BranchCache dialog box opens.

7. In the Turn on BranchCache dialog box, click Enabled, and then click OK.

8. In the Group Policy Management Editor console, ensure that BranchCache is still

selected, and then in the details pane double-click Set BranchCache Distributed Cache

mode. The Set BranchCache Distributed Cache mode dialog box opens.

9. In the Set BranchCache Distributed Cache mode dialog box, click Enabled, and then

click OK.

10. To configure the amount of hard disk space allocated on each client computer for the

BranchCache cache: In the Group Policy Management Editor console, ensure that

BranchCache is still selected, and then in the details pane double-click Set percentage

of disk space used for client computer cache. The Set percentage of disk space

used for client computer cache dialog box opens. Click Enabled, and then in Options

type a numeric value that represents the percentage of hard disk space used on each

client computer for the BranchCache cache.

11. To enable client computers to download and cache content from BranchCache file server-based content servers: In the Group Policy Management Editor console, ensure that BranchCache is still selected, and then in the details pane double-click Configure BranchCache for network files. The Configure BranchCache for network files dialog box opens.

12. In the Configure BranchCache for network files dialog box, click Enabled. In Options, type a numeric value, in milliseconds, for the maximum round trip network latency time, and then click OK.

Note

By default, client computers cache content from file servers if the round trip

network latency is longer than 80 milliseconds.


Configure domain member client distributed cache mode firewall rules

When you configure BranchCache in distributed cache mode, BranchCache client computers use

the Hypertext Transfer Protocol (HTTP) for data transfer with other client computers.

BranchCache client computers also use the Web Services Dynamic Discovery (WS-Discovery)

protocol when they attempt to discover content on client cache servers. You can use this

procedure to configure client firewall exceptions to allow incoming HTTP and WS-Discovery traffic

on client computers that are configured for distributed cache mode.

Note

The HTTP inbound and outbound firewall exceptions created with this procedure have the following settings: TCP port 80. The WS-Discovery inbound and outbound firewall exceptions created with this procedure have the following settings: UDP port 3702.

Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

To configure distributed cache mode client firewall exceptions

1. On a computer upon which the Active Directory Domain Services server role is installed, click Start, click Administrative Tools, and click Group Policy Management. The Group Policy Management console opens.

2. In the Group Policy Management console, expand the following path: Forest:

example.com, Domains, example.com, Group Policy Objects, where example.com is

the name of the domain where the BranchCache client computer accounts that you want

to configure are located.

3. In the Group Policy Management console, ensure that Group Policy Objects is

selected, and in the details pane right-click the BranchCache client computers GPO that

you created previously. For example, if you named your GPO BranchCache Client

Computers, right-click BranchCache Client Computers. Click Edit. The Group Policy

Management Editor console opens.

4. In the Group Policy Management Editor console, expand the following path: Computer

Configuration, Policies, Windows Settings, Security Settings, Windows Firewall

with Advanced Security, Windows Firewall with Advanced Security – LDAP…,

Inbound Rules.

5. Right-click Inbound Rules, and then click New Rule. The New Inbound Rule Wizard

opens.

6. In Rule Type, click Predefined, expand the list of choices, and then click BranchCache

– Content Retrieval (Uses HTTP). Click Next.

7. In Predefined Rules, click Next.

8. In Action, ensure that Allow the connection is selected, and then click Finish.

Important

You must select Allow the connection for the BranchCache client to be able to receive traffic on this port.

9. To create the WS-Discovery firewall exception, again right-click Inbound Rules, and then

click New Rule. The New Inbound Rule Wizard opens.

10. In Rule Type, click Predefined, expand the list of choices, and then click BranchCache

– Peer Discovery (Uses WSD). Click Next.

11. In Predefined Rules, click Next.

12. In Action, ensure that Allow the connection is selected, and then click Finish.

Important

You must select Allow the connection for the BranchCache client to be able to

receive traffic on this port.

13. In the Group Policy Management Editor console, right-click Outbound Rules, and then

click New Rule. The New Outbound Rule Wizard opens.

14. In Rule Type, click Predefined, expand the list of choices, and then click BranchCache

– Content Retrieval (Uses HTTP). Click Next.

15. In Predefined Rules, click Next.

16. In Action, ensure that Allow the connection is selected, and then click Finish.

Important

You must select Allow the connection for the BranchCache client to be able to

send traffic on this port.

17. To create the WS-Discovery firewall exception, again right-click Outbound Rules, and

then click New Rule. The New Outbound Rule Wizard opens.

18. In Rule Type, click Predefined, expand the list of choices, and then click BranchCache

– Peer Discovery (Uses WSD). Click Next.

19. In Predefined Rules, click Next.

20. In Action, ensure that Allow the connection is selected, and then click Finish.

Important

You must select Allow the connection for the BranchCache client to be able to

send traffic on this port.


Non-domain member client configuration for distributed cache mode

Using Group Policy to automate the configuration of BranchCache client computers for distributed

cache mode is recommended, however you can also manually configure individual computers. In

addition, you can use these topics to configure non-domain member computers.

See the following topics to manually configure BranchCache client computers.

Enable BranchCache distributed cache mode using network shell commands

Configure client computer distributed cache mode firewall rules

Enable BranchCache distributed cache mode using network shell commands

You can use this procedure to manually configure a BranchCache client computer for distributed

cache mode using network shell (netsh) commands.

Note

If you have configured BranchCache client computers using Group Policy, the Group Policy settings override any manual configuration of client computers to which the policies are applied.

Membership in Administrators, or equivalent, is the minimum required to perform this procedure.

To enable BranchCache distributed cache mode using network shell commands

1. On the BranchCache client computer that you want to configure, click Start, click Search programs and files, and then type command. In search results, under Programs, right-click Command Prompt, and then click Run as Administrator. The command prompt opens with the elevated privileges that are required to run netsh commands.

2. Run the following command: netsh branchcache set service mode=DISTRIBUTED

Note

Running the netsh branchcache set service command both configures the

client computer for distributed cache mode and automatically configures the

client computer firewall with the following inbound exceptions for distributed

cache mode: TCP port 80 and UDP port 3702.

3. To enable client computers to download and cache content from BranchCache file server-

based content servers, run the following command: netsh branchcache smb set

latency latency=Number, where Number is a numeric value, in milliseconds, for the

maximum round trip network latency time.


Configure client computer distributed cache mode firewall rules

You can use the information in this topic to configure third party firewall products and to manually

configure a client computer with firewall rules that allow BranchCache to run in distributed cache

mode.

Notes

If you have configured BranchCache client computers using Group Policy, the Group Policy settings override any manual configuration of client computers to which the policies are applied.

If you have deployed BranchCache with DirectAccess, you can use the settings in this topic to configure IPsec rules to allow BranchCache traffic.

Membership in Administrators, or equivalent is the minimum required to make these

configuration changes.

[MS-PCCRD]: Peer Content Caching and Retrieval Discovery Protocol

Distributed cache clients must allow inbound and outbound MS-PCCRD traffic, which is carried in the Web Services Dynamic Discovery (WS-Discovery) protocol.

Firewall settings must allow multicast traffic in addition to inbound and outbound traffic. You can

use the following settings to configure firewall exceptions for distributed cache mode.

IPv4 multicast: 239.255.255.250

IPv6 multicast: FF02::C

Inbound traffic: Local port: 3702, Remote port: ephemeral

Outbound traffic: Local port: ephemeral, Remote port: 3702

Program: %systemroot%\system32\svchost.exe (BranchCache Service [PeerDistSvc])

[MS-PCCRR]: Peer Content Caching and Retrieval: Retrieval Protocol

Distributed cache clients must allow inbound and outbound MS-PCCRR traffic, which is carried in the HTTP 1.1 protocol as documented in request for comments (RFC) 2616.

Firewall settings must allow inbound and outbound traffic. You can use the following settings to

configure firewall exceptions for distributed cache mode.

Inbound traffic: Local port: 80, Remote port: ephemeral

Outbound traffic: Local port: ephemeral, Remote port: 80


Deploy a hosted cache mode design

When you deploy BranchCache in hosted cache mode for a branch office, a hosted cache server

is installed at the branch office.

Client computers that are running either Windows® 7 Enterprise or Windows® 7 Ultimate are also

installed at the branch office. These clients download content from content servers that are

installed at the main office; and after content is downloaded, the hosted cache server obtains and

caches the content, providing the content to other clients in the same branch office upon request.

To deploy BranchCache in hosted cache mode, you must install and configure content servers in

your main office and install and configure a hosted cache server and client computers in your

branch office. In addition, client computers at branch offices must be able to access the main

office content servers over some type of wide area network (WAN) link, such as a dedicated or

on-demand virtual private network (VPN) connection between the offices; or clients must use

some other method to connect to the content servers, such as by using DirectAccess.

Important

BranchCache is compatible only with VPN software that supports split tunneling. Do not enable hosted cache mode on client computers in a branch office if these clients use host-based VPN software that does not support split tunneling. If the VPN software does not support split tunneling, client computers route traffic through the main office VPN servers when downloading from the local hosted cache, which will create unnecessary WAN link traffic and network congestion.

Finally, you must enroll a server certificate to your hosted cache server that the server uses to prove its identity to client computers in the branch office. After the hosted cache server enrolls a certificate, you must obtain the SHA-1 hash of the certificate and link the certificate to BranchCache.

Note

The server certificate that is enrolled to hosted cache servers must be issued by a certification authority (CA) that is trusted by client computers. If client computers do not trust the CA that issued the certificate to the hosted cache server, authentication fails and the client computers will not be able to obtain content from the hosted cache server.

CAs and certificates

You can deploy server certificates with either a public CA or with a private CA that you own and

deploy.

Public CAs are deployed by third party companies, such as Verisign, who sell certificates for

use by their customers. This guide does not describe how to deploy hosted cache mode with

certificates that are issued by a public CA, but it is possible if you ensure that the certificates

meet the minimum server certificate requirements and are configured in accordance with the

Web Server certificate template as described in this guide. In addition, before purchasing a

server certificate issued by a public CA, you should ensure that BranchCache client

computers already trust the public CA.


Private CAs are deployed by organizations who design and deploy a public key infrastructure

(PKI). This guide provides instructions on how to deploy your own CA using Active Directory

Certificate Services (AD CS).

Note

This guide does not provide instructions on how to design a PKI, and you should review AD CS documentation before deploying your own CA. For more information, see Additional Resources.

There are two types of certificates that are used when you deploy BranchCache in hosted cache

mode:

CA certificate. When you deploy your own CA, the root CA certificate is automatically

distributed to client computers that are domain members. The certificate is stored in the

Trusted Root Certification Authorities certificate store for the Local Computer and for the

Current User. These certificate stores can be viewed by using the Certificates Microsoft

Management Console (MMC) snap-in. When a CA certificate exists in the Trusted Root

Certification Authorities certificate store, it means that the computer trusts all certificates that

are issued by the CA.

Server certificate. The server certificate is issued by the CA to the hosted cache server. The

hosted cache server uses the certificate to prove its identity to client computers during the

authentication process.

Hosted cache mode

See the following topics to deploy BranchCache in hosted cache mode.

Install and configure content servers

Configure client computers for hosted cache mode

Install the certification authority and enroll certificates to hosted cache servers

Obtain the SHA-1 hash of the hosted cache server certificate

Link the hosted cache server certificate to BranchCache

Configure client computers for hosted cache mode

You can use the procedures in this section to configure client computers for BranchCache when

you deploy hosted cache mode. Client computers running some versions of Windows® 7 have

BranchCache installed by default, however you must enable and configure BranchCache and

configure firewall rules on client computers.

See the following topics to perform these actions.

Use Group Policy to configure domain member clients for hosted cache mode

Configure domain member client hosted cache mode firewall rules

Non-domain member client configuration for hosted cache mode

Note


When hosted cache mode clients are connecting to main office resources using

DirectAccess, ensure that Internet Protocol security (IPsec) rules allow BranchCache

traffic. Use the inbound and outbound rule settings provided in the topic Configure hosted

cache mode firewall rules to create IPsec rules.

Use Group Policy to configure domain member clients for hosted cache mode

With this procedure you can use Group Policy to enable and configure BranchCache hosted cache mode on domain-joined client computers.

Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

To use Group Policy to configure clients for hosted cache mode

1. On a computer upon which the Active Directory Domain Services server role is installed, click Start, click Administrative Tools, and click Group Policy Management. The Group Policy Management console opens.

2. In the Group Policy Management console, expand the following path: Forest:

example.com, Domains, example.com, Group Policy Objects, where example.com is

the name of the domain where the BranchCache client computer accounts that you want

to configure are located.

3. Right-click Group Policy Objects, and then click New. The New GPO dialog box opens.

In Name, type a name for the new Group Policy object (GPO). For example, if you want

to name the object BranchCache Client Computers, type BranchCache Client

Computers. Click OK.

4. In the Group Policy Management console, ensure that Group Policy Objects is

selected, and in the details pane right-click the GPO that you just created. For example, if

you named your GPO BranchCache Client Computers, right-click BranchCache Client

Computers. Click Edit. The Group Policy Management Editor console opens.

5. In the Group Policy Management Editor console, expand the following path: Computer

Configuration, Policies, Administrative Templates: Policy definitions (ADMX files)

retrieved from the local machine, Network, BranchCache.

6. Click BranchCache, and then in the details pane, double-click Turn on BranchCache.

The Turn on BranchCache dialog box opens.

7. In the Turn on BranchCache dialog box, click Enabled, and then click OK.

8. In the Group Policy Management Editor console, ensure that BranchCache is still

selected, and then in the details pane double-click Set BranchCache Hosted Cache

mode. The Set BranchCache Hosted Cache mode dialog box opens.

9. In the Set BranchCache Hosted Cache mode dialog box, click Enabled. In Enter the location of hosted cache, type the fully qualified domain name (FQDN) of the hosted cache server, and then click OK.

10. To configure the amount of hard disk space allocated on each client computer for the

BranchCache cache: In the Group Policy Management Editor console, ensure that

BranchCache is still selected, and then in the details pane double-click Set percentage

of disk space used for client computer cache. The Set percentage of disk space

used for client computer cache dialog box opens. Click Enabled, and then in Options

type a numeric value that represents the percentage of hard disk space used on each

client computer for the BranchCache cache.

11. To enable client computers to download and cache content from BranchCache file server-based content servers: In the Group Policy Management Editor console, ensure that BranchCache is still selected, and then in the details pane double-click Configure BranchCache for network files. The Configure BranchCache for network files dialog box opens.

12. In the Configure BranchCache for network files dialog box, click Enabled. In Options, type a numeric value, in milliseconds, for the maximum round trip network latency time, and then click OK.

Note

By default, client computers cache content from file servers if the round trip

network latency is longer than 80 milliseconds.

Configure domain member client hosted cache mode firewall rules

When you configure BranchCache in hosted cache mode, BranchCache client computers use the Hypertext Transfer Protocol (HTTP) for content retrieval with the hosted cache server and HTTP Secure (HTTPS) to advertise content to the hosted cache server. You can use this procedure to configure client firewall inbound and outbound rules to allow HTTP and HTTPS traffic on client computers that are configured for hosted cache mode.

Note

The HTTP inbound and outbound firewall rules that are created with this procedure have the following settings: TCP port 80. The HTTPS outbound firewall exception created with this procedure has the following setting: TCP port 443.

Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

To configure hosted cache mode client firewall exceptions

1. On a computer upon which the Active Directory Domain Services server role is installed, click Start, click Administrative Tools, and click Group Policy Management. The Group Policy Management console opens.


2. In the Group Policy Management console, expand the following path: Forest:

example.com, Domains, example.com, Group Policy Objects, where example.com is

the name of the domain where the BranchCache client computer accounts that you want

to configure are located.

3. In the Group Policy Management console, ensure that Group Policy Objects is

selected, and in the details pane right-click the BranchCache client computers GPO that

you created previously. For example, if you named your GPO BranchCache Client

Computers, right-click BranchCache Client Computers. Click Edit. The Group Policy

Management Editor console opens.

4. In the Group Policy Management Editor console, expand the following path: Computer

Configuration, Policies, Windows Settings, Security Settings, Windows Firewall

with Advanced Security, Windows Firewall with Advanced Security – LDAP…,

Inbound Rules.

5. Right-click Inbound Rules, and then click New Rule. The New Inbound Rule Wizard

opens.

6. In Rule Type, click Predefined, expand the list of choices, and then click BranchCache

– Content Retrieval (Uses HTTP). Click Next.

7. In Predefined Rules, click Next.

8. In Action, ensure that Allow the connection is selected, and then click Finish.

Important

You must select Allow the connection for the BranchCache client to be able to

receive traffic on this port.

9. In the Group Policy Management Editor console, right-click Outbound Rules, and then

click New Rule. The New Outbound Rule Wizard opens.

10. In Rule Type, click Predefined, expand the list of choices, and then click BranchCache

– Content Retrieval (Uses HTTP). Click Next.

11. In Predefined Rules, click Next.

12. In Action, ensure that Allow the connection is selected, and then click Finish.

Important

You must select Allow the connection for the BranchCache client to be able to

send traffic on this port.

13. In the Group Policy Management Editor console, right-click Outbound Rules, and then

click New Rule. The New Outbound Rule Wizard opens.

14. In Rule Type, click Predefined, expand the list of choices, and then click BranchCache

– Hosted Cache Client (Uses HTTPS). Click Next.

15. In Predefined Rules, click Next.

16. In Action, ensure that Allow the connection is selected, and then click Finish.


Important

You must select Allow the connection for the BranchCache client to be able to

send traffic on this port.

Non-domain member client configuration for hosted cache mode

Using Group Policy to automate the configuration of BranchCache client computers for hosted

cache mode is recommended, however you can also manually configure individual computers.

See the following topics to manually configure BranchCache client computers.

Enable BranchCache hosted cache mode using network shell commands

Configure hosted cache mode firewall rules

Enable BranchCache hosted cache mode using network shell commands

You can use this procedure to manually configure a BranchCache client computer for hosted

cache mode using network shell (netsh) commands. Running the command below configures the

client computer for hosted cache mode and automatically configures the client computer firewall

with the following inbound exception for hosted cache mode: TCP port 80.

Note

If you have configured BranchCache client computers using Group Policy, the Group Policy settings override any manual configuration of client computers to which the policies are applied.

Membership in Administrators, or equivalent, is the minimum required to perform this procedure.

To enable BranchCache hosted cache mode using network shell commands

1. On the BranchCache client computer that you want to configure, click Start, click Search programs and files, and then type command. In search results, under Programs, right-click Command Prompt, and then click Run as Administrator. The command prompt opens with the elevated privileges that are required to run netsh commands.

2. Run the following command: netsh branchcache set service mode=HOSTEDCLIENT location=HostedCacheName, where HostedCacheName is the fully qualified domain name of the hosted cache server.

Note

If the hosted cache server and the client computers are not joined to an Active Directory domain, set client authentication to NONE on the hosted cache server by using the additional clientauthentication parameter when you configure the server: netsh branchcache set service mode=HOSTEDSERVER clientauthentication=NONE. The location parameter applies only to HOSTEDCLIENT mode and is not used on the hosted cache server.
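The netsh steps of this procedure and of the earlier distributed cache mode procedure (Enable BranchCache distributed cache mode using network shell commands) differ only in the mode parameter, so the following added example (not from the guide) wraps both: it applies the mode, the SMB latency threshold, and a cache size, then reads the result back with netsh branchcache show status all instead of assuming the commands took effect. The hosted cache FQDN, the 10 percent cache size, and the rule that the FQDN must match the subject of the hosted cache server's certificate are assumptions; netsh branchcache set cachesize and show status all are standard subcommands that this page does not list, and the mode strings matched in the status output are taken from observed Windows 7 output rather than from the page.

```powershell
# Added example (not from the BranchCache Deployment Guide). Run from an elevated prompt
# on a Windows 7 client that is not managed by the BranchCache client GPO.
# Assumptions: placeholder hosted cache FQDN, placeholder cache size, and the
# "Service Mode" strings that "netsh branchcache show status all" prints.
param(
    [ValidateSet('DISTRIBUTED', 'HOSTEDCLIENT')]
    [string]$Mode = 'DISTRIBUTED',
    [string]$HostedCacheServer = 'hostedcache.example.com',  # HOSTEDCLIENT only
    [int]$LatencyMs = 80,     # the page's default threshold for caching SMB content
    [int]$CachePercent = 10   # hypothetical cache size, percent of the system disk
)

function Invoke-Netsh {
    # Runs one "netsh branchcache" command and stops the script on failure, so a
    # client is never left half-configured (for example, in a mode with no location).
    param([string[]]$Arguments)
    $out = & netsh.exe branchcache $Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "netsh branchcache $($Arguments -join ' ') failed: $out"
    }
    $out
}

# Step 2 of the procedure. For HOSTEDCLIENT, use the name that appears in the hosted
# cache server's certificate: the client validates that certificate over HTTPS and a
# mismatch means offers to the hosted cache fail authentication.
if ($Mode -eq 'HOSTEDCLIENT') {
    Invoke-Netsh @('set', 'service', 'mode=HOSTEDCLIENT', "location=$HostedCacheServer") | Out-Null
} else {
    Invoke-Netsh @('set', 'service', 'mode=DISTRIBUTED') | Out-Null
}

# Step 3 of the distributed procedure: cache SMB content only when the round trip
# latency to the file server exceeds the threshold.
Invoke-Netsh @('smb', 'set', 'latency', "latency=$LatencyMs") | Out-Null

# Cache size as a percentage of the disk (the GPO equivalent is "Set percentage of
# disk space used for client computer cache").
Invoke-Netsh @('set', 'cachesize', "size=$CachePercent", 'percent=TRUE') | Out-Null

# Read back the effective state. Remember that a GPO applied later overrides these values.
$status = Invoke-Netsh @('show', 'status', 'all')
$status

# Sanity check: the service must report the requested mode (strings assumed, see above).
$expected = if ($Mode -eq 'HOSTEDCLIENT') { 'Hosted Cache Client' } else { 'Distributed Caching' }
if (-not ($status -match $expected)) {
    throw "BranchCache did not report mode '$expected'. Check Group Policy and the PeerDistSvc service."
}
```

Run it as .\Set-BranchCacheClient.ps1 -Mode HOSTEDCLIENT -HostedCacheServer hc01.example1.com for hosted cache mode, or with no parameters for distributed cache mode.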

Configure hosted cache mode firewall rules

You can use the information in this topic to configure third party firewall products and to manually

configure a client computer or a hosted cache server in a branch office with firewall rules that

allow BranchCache to run in hosted cache mode.

Note

If you have configured BranchCache client computers using Group Policy, the Group Policy

settings override any manual configuration of client computers to which the policies are

applied.

Note

If you have deployed BranchCache with DirectAccess, you can use the settings in this topic

to configure IPsec rules to allow BranchCache traffic.

Membership in Administrators, or equivalent is the minimum required to perform firewall

configuration changes.

[MS-PCCRR]: Peer Content Caching and Retrieval: Retrieval Protocol

Hosted cache clients must allow inbound and outbound MS-PCCRR traffic, which is carried in

the HTTP 1.1 protocol as documented in request for comments (RFC) 2616.

Firewall settings must allow inbound, outbound, and program traffic. You can use the following

settings to configure firewall exceptions for hosted cache mode.

Inbound traffic: Local port: 80, Remote port: ephemeral

Outbound traffic: Local port: ephemeral, Remote port: 80

[MS-PCHC]: Peer Content Caching and Retrieval: Hosted Cache Protocol

Hosted cache clients must allow inbound and outbound MS-PCHC traffic, which is carried in the

HTTP 1.1 over TLS (HTTPS) protocol as documented in request for comments (RFC) 2818.

Firewall settings must enable outbound traffic. You can use the following settings to configure

firewall exceptions for hosted cache mode.

Outbound traffic: Local port: ephemeral, Remote port: 443
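The client procedure above and the firewall exceptions in this topic, carried out as a script. This is an added example and is not part of the deployment guide. It assumes a Windows 7 client, an elevated PowerShell session, and a placeholder hosted cache server name (hc1.branch.example.com) that must match the DNS name in that server's certificate; Test-TcpPort and Get-EnabledFirewallRules are helper functions written for this example.

```powershell
# Added example, not part of the deployment guide: configure a Windows 7 client for
# hosted cache mode and verify the firewall exceptions this topic lists.
# Run in an elevated PowerShell session on the client.
# ASSUMPTION: hc1.branch.example.com is a placeholder; use the FQDN that the hosted
# cache server's certificate carries as its DNS name.
$HostedCache = 'hc1.branch.example.com'

function Test-TcpPort {
    # True if a TCP connection to $ComputerName:$Port completes within $TimeoutMs.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-EnabledFirewallRules {
    # Enabled Windows Firewall rules via the firewall COM API, which is available on
    # Windows 7 / Server 2008 R2 without extra modules. Direction 1 = in, 2 = out;
    # Protocol 6 = TCP (NET_FW_RULE_DIRECTION / NET_FW_IP_PROTOCOL enumerations).
    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    $policy.Rules | Where-Object { $_.Enabled } |
        Select-Object Name, Direction, Protocol, LocalPorts, RemotePorts
}

# 1. MS-PCHC runs over HTTPS to the hosted cache server, so refuse a location that is
#    not listening on TCP 443: a client pointed at an unreachable server silently
#    falls back to fetching everything over the WAN.
if (-not (Test-TcpPort -ComputerName $HostedCache -Port 443)) {
    throw "Hosted cache server $HostedCache is not reachable on TCP 443; check DNS and the server firewall."
}

# 2. Apply hosted cache client mode. A BranchCache Group Policy that applies to this
#    computer overrides the setting, so read the status back rather than assuming.
& netsh branchcache set service mode=HOSTEDCLIENT "location=$HostedCache" | Out-Host
& netsh branchcache show status all | Out-Host

# 3. Check the exceptions from this topic: inbound TCP local port 80 (MS-PCCRR, used by
#    the hosted cache server to retrieve content the client offers) and outbound TCP
#    remote port 443 (MS-PCHC). Outbound traffic is allowed by default unless the
#    profile's default outbound action was changed to Block, so only the inbound gap
#    is treated as an error.
$rules  = @(Get-EnabledFirewallRules)
$in80   = @($rules | Where-Object { $_.Direction -eq 1 -and $_.Protocol -eq 6 -and $_.LocalPorts -eq '80' })
$out443 = @($rules | Where-Object { $_.Direction -eq 2 -and $_.Protocol -eq 6 -and $_.RemotePorts -eq '443' })
if ($in80.Count -eq 0) {
    throw 'No enabled inbound rule for TCP 80: the hosted cache server cannot retrieve content from this client.'
}
if ($out443.Count -eq 0) {
    Write-Warning 'No enabled outbound rule for TCP 443; required only if outbound traffic is blocked by default.'
}
# Rule names are localized display names; the match is informational only.
$rules | Where-Object { $_.Name -match 'BranchCache' } | Format-Table -AutoSize
```

The reachability test runs before the mode is changed so that a typo in the location is caught while the client is still in its previous mode. The port check looks at the port, direction and protocol rather than at rule names, because the predefined rule names are localized; the final table is there only to show which BranchCache rules netsh enabled.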


Install and configure the hosted cache server

When you deploy BranchCache in hosted cache mode for one or more branch offices, you must

install a hosted cache server in each branch office. You can use an existing application server as

a hosted cache server if you upgrade the server to one of the following operating systems:

Windows Server® 2008 R2 Enterprise

Windows Server 2008 R2 Enterprise with Hyper-V

Windows Server 2008 R2 Enterprise Core Install

Windows Server 2008 R2 Enterprise Core Install with Hyper-V

Windows Server 2008 R2 for Itanium-Based Systems

Windows Server® 2008 R2 Datacenter

Windows Server® 2008 R2 Datacenter with Hyper-V

Windows Server® 2008 R2 Datacenter Core Install with Hyper-V

To deploy a hosted cache server, you must install and enable the BranchCache feature, enable

hosted cache mode, and configure firewall exceptions to allow communication between the

hosted cache server and client computers in the branch office.

Note

By default, the cache on the hosted cache server is configured to use 5% of the space

on the hard disk where the cache is located. If you want to change the size of the cache, you can use the

netsh branchcache set cachesize command, which specifies the size of the local cache

as either a percentage of the size of the hard disk where the cache is located or as an

exact number of bytes. For more information, see Additional Resources.

See the following topics to install and configure the hosted cache server.

Install the BranchCache feature

Enable hosted cache server mode on a hosted cache server

Note

When you enable hosted cache mode using the netsh branchcache set service

command as described in the topic Enable hosted cache server mode on a hosted cache

server, the firewall on the hosted cache server is automatically configured with the correct

exceptions for hosted cache mode. You do not need to configure the firewall further; the

topic Configure hosted cache mode firewall rules is provided for reference, and for

third party firewalls that must be configured by hand.

Install the BranchCache feature

You can use this procedure to install the BranchCache feature and start the BranchCache service

on a computer running Windows Server® 2008 R2.

Membership in Administrators, or equivalent is the minimum required to perform this procedure.


1. Click Start, click Administrative Tools, and then click Server Manager. Server Manager

opens.

2. In the Server Manager left pane, right-click Features, and then click Add Features. The

Add Features Wizard opens.

3. In the Add Features Wizard, in Features, select the BranchCache check box, and then

click Next.

4. In Confirm Installation Selections, review your choice and then click Install. The

Installation Progress pane is displayed during installation, and then the Installation

Results pane is displayed.

5. In Installation Results, review the summary and then click Close. The Add Features

Wizard closes.

6. In the Server Manager left pane, double-click Configuration, and then click Services.

7. In the details pane, in Services, double-click BranchCache. The BranchCache

Properties dialog box opens.

8. In the BranchCache Properties dialog box, on the General tab, click Start to start the

BranchCache service, and then click OK.

Important

The BranchCache service startup type is Automatic, which means that the

BranchCache service starts whenever the computer is restarted. It is

recommended that you keep the startup type value set to Automatic.

Enable hosted cache server mode on a hosted cache server

You can use this procedure to manually configure a BranchCache hosted cache server for hosted

cache mode using network shell (netsh) commands. Running the command below both

configures the server for hosted cache mode and automatically configures the firewall with the

following inbound exceptions for hosted cache mode: TCP port 80 and TCP port 443.

Membership in Administrators on the hosted cache server, or equivalent, is the minimum

required to perform this procedure. The command changes only local configuration, so

Domain Admins rights are not needed.

1. On the BranchCache hosted cache server that you want to configure, click Start, click

Search programs and files, and then type command. In search results, under

Programs, right-click Command Prompt, and then click Run as Administrator. The

command prompt opens with the elevated privileges that are required to run netsh

commands.

2. Run the following command: netsh branchcache set service mode=HOSTEDSERVER

Note

If the hosted cache server and client computers are not joined to an Active

Directory domain, set client authentication to NONE using the additional

clientauthentication parameter in this command: netsh branchcache set

service mode=HOSTEDSERVER clientauthentication=NONE
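The three server-side steps described above (Install the BranchCache feature, the cache size note, and Enable hosted cache server mode on a hosted cache server) as one script with checks. This is an added example and is not part of the deployment guide. It assumes a domain-joined Windows Server 2008 R2 server, an elevated PowerShell session, that the cache lives on the system drive (the default), and a placeholder cache percentage in $CachePercent.

```powershell
# Added example, not part of the deployment guide: install the BranchCache feature on a
# Windows Server 2008 R2 hosted cache server, enable hosted cache server mode, set the
# cache size, and check the result. Run in an elevated PowerShell session on the server.
# ASSUMPTIONS: the server is domain joined, so clientauthentication keeps its DOMAIN
# default; the cache is on the system drive (the default location); $CachePercent is a
# placeholder sized for that drive.
$CachePercent = 10   # the guide's default is 5 percent of the disk holding the cache

Import-Module ServerManager
if (-not (Get-WindowsFeature -Name BranchCache).Installed) {
    $result = Add-WindowsFeature -Name BranchCache
    if (-not $result.Success) { throw 'Installation of the BranchCache feature failed.' }
}

# The BranchCache service is PeerDistSvc. Keep Automatic startup, as the guide recommends.
Set-Service -Name PeerDistSvc -StartupType Automatic
Start-Service -Name PeerDistSvc

# Sanity check before reserving space: the requested percentage must fit in the free
# space of the disk that holds the cache (assumed to be the system drive here).
$disk  = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
$bytes = [math]::Round($disk.Size * $CachePercent / 100)
if ($bytes -gt $disk.FreeSpace) {
    throw "A $CachePercent% cache ($bytes bytes) exceeds the free space on $env:SystemDrive ($($disk.FreeSpace) bytes)."
}

# Hosted cache server mode; this also enables the firewall exceptions for TCP 80 and 443.
# On a workgroup server append clientauthentication=NONE, which removes domain
# authentication of clients, so do not use it in a domain.
& netsh branchcache set service mode=HOSTEDSERVER | Out-Host

# Cache size as a percentage of the disk where the cache is located. percent=FALSE
# makes 'size' an exact number of bytes instead.
& netsh branchcache set cachesize "size=$CachePercent" percent=TRUE | Out-Host

# Verify: the service must be running and the status output should report hosted cache
# server mode. TLS on port 443 does not work until a server certificate is bound to it
# in the later procedure Link the hosted cache server certificate to BranchCache.
$svc = Get-Service -Name PeerDistSvc
if ($svc.Status -ne 'Running') { throw "PeerDistSvc is $($svc.Status); expected Running." }
& netsh branchcache show status all | Out-Host
```

Run this before the certificate procedures; the free-space check is there because netsh accepts any percentage and the failure otherwise surfaces only later as cache writes that do not complete.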

Install the certification authority and enroll certificates to hosted cache servers

When you deploy BranchCache in hosted cache mode, you must enroll server certificates to

hosted cache servers.

You can use the following topics to create a hosted cache servers group in Active Directory Users

and Computers, add hosted cache servers to the group, install an enterprise root certification

authority using Active Directory Certificate Services (AD CS), and then configure the automatic

distribution, or autoenrollment, of server certificates to hosted cache servers.

See the following topics to perform these actions.

Create the hosted cache servers group

Add hosted cache servers to the group

Install the certification authority (CA)

Configure the Web Server certificate template

Configure server certificate autoenrollment

Refresh Group Policy

Note

When you deploy a public key infrastructure (PKI), you should also configure certificate

revocation and publish a certificate revocation list (CRL).

Note

If your BranchCache deployment includes only one or two hosted cache servers and you

prefer not to use autoenrollment, you can use the Certificates Microsoft Management

Console (MMC) snap-in to manually enroll server certificates to hosted cache servers.

For more information, see Additional Resources.

Create the hosted cache servers group

You can use this procedure to create a new Hosted Cache Servers group in Active Directory

Users and Computers Microsoft Management Console (MMC).

Membership in Domain Admins, or equivalent, is the minimum required to perform this

procedure.

1. Click Start, click Administrative Tools, and then click Active Directory Users and

Computers. The Active Directory Users and Computers MMC opens. If it is not already

selected, click the node for your domain. For example, if your domain is example.com,

click example.com.

2. In the details pane, right-click the folder in which you want to add a new group.

Where?

Active Directory Users and Computers/domain node/folder

3. Point to New, and then click Group.

4. In New Object – Group, in Group name, type the name of the new group. For example,

type Hosted Cache Servers.

By default, the name you type is also entered as the pre-Windows 2000 name of the new

group.

5. In Group scope, select one of the following options. Global is sufficient when the

hosted cache servers are in the same domain as the group:

Domain local

Global

Universal

6. In Group type, select Security. A distribution group cannot be granted the Enroll and

Autoenroll permissions on the certificate template in a later procedure, so do not

select Distribution.

7. Click OK.

Add hosted cache servers to the group

You can use this procedure to assign group membership to BranchCache hosted cache servers

using the Active Directory Users and Computers Microsoft Management Console (MMC).

Membership in Domain Admins, or equivalent is the minimum required to perform this

procedure.


1. Click Start, click Administrative Tools, and then click Active Directory Users and

Computers. The Active Directory Users and Computers MMC opens. If it is not already

selected, click the node for your domain. For example, if your domain is example.com,

click example.com.

2. In the details pane, double-click the folder that contains the Hosted Cache Servers

group to which you want to add a member.

Where?

Active Directory Users and Computers/domain node/folder that contains the group

3. In the details pane, right-click the group to which you want to add a member, and then

click Properties. The group Properties dialog box opens. Click the Members tab.

4. On the Members tab, click Add.

5. In Enter the object names to select, type the name of the hosted cache server that you

want to add, and then click OK. If the server is not found, click Object Types, select the

Computers check box, and click OK; computer accounts are not searched by default.

6. To assign group membership to other hosted cache servers, repeat steps 4 and 5 of this

procedure.

7. Restart each hosted cache server that you added. A computer's group memberships are

read when it authenticates to the domain, so the new membership, and therefore

certificate autoenrollment, does not take effect until the server restarts.
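The two procedures above (Create the hosted cache servers group and Add hosted cache servers to the group) done with the Active Directory module that ships with Windows Server 2008 R2. This is an added example and is not part of the deployment guide. It assumes a domain controller or a computer with RSAT, Domain Admins membership, and placeholder values for the OU path and the computer names; Get-OrCreateHostedCacheGroup is a helper written for this example.

```powershell
# Added example, not part of the deployment guide: create the Hosted Cache Servers
# security group and add hosted cache server computer accounts with the Active
# Directory module that ships with Windows Server 2008 R2 (run on a domain controller
# or a computer with RSAT, as a member of Domain Admins).
# ASSUMPTIONS: the OU path and computer names below are placeholders.
Import-Module ActiveDirectory

$GroupName = 'Hosted Cache Servers'
$GroupPath = 'OU=Groups,DC=example,DC=com'
$Servers   = 'HC-BRANCH1', 'HC-BRANCH2'

function Get-OrCreateHostedCacheGroup {
    # Security group with Global scope: a distribution group cannot hold the Enroll and
    # Autoenroll permissions on the certificate template, and Global is sufficient for
    # servers in the same domain. An existing group is reused only if it is a security group.
    param([string]$Name, [string]$Path)
    $group = Get-ADGroup -Filter { Name -eq $Name }
    if ($group) {
        if ($group.GroupCategory -ne 'Security') {
            throw "$Name exists but is a $($group.GroupCategory) group; template permissions need a security group."
        }
        return $group
    }
    New-ADGroup -Name $Name -SamAccountName $Name -GroupScope Global -GroupCategory Security -Path $Path -PassThru
}

$group = Get-OrCreateHostedCacheGroup -Name $GroupName -Path $GroupPath
foreach ($name in $Servers) {
    # Add computer accounts, not user accounts: autoenrollment runs under the machine
    # identity, and the CA checks the computer's group memberships against the template.
    $computer = Get-ADComputer -Identity $name
    Add-ADGroupMember -Identity $group -Members $computer
}

# Report membership. Each server must be restarted before the new group SID is in its
# Kerberos ticket; until then the CA denies the autoenrollment request.
Get-ADGroupMember -Identity $group | Select-Object Name, objectClass
```

Get-ADComputer throws if a name does not exist, which is the intended behaviour: a misspelled server name should stop the script rather than leave the group half populated.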

Install the certification authority (CA)

You can use this procedure to install Active Directory® Certificate Services (AD CS) so that you

can enroll a server certificate to hosted cache servers.

Important

To perform this procedure, the computer on which you are installing AD CS must be

joined to a domain where Active Directory Domain Services (AD DS) is installed.

Membership in both the Enterprise Admins and the root domain's Domain Admins group is the

minimum required to complete this procedure.

1. Log on as a member of both the Enterprise Admins group and the root domain's Domain

Admins group.

2. Click Start, click Administrative Tools, and then click Server Manager. The Server

Manager console opens. In Roles Summary, click Add roles.

3. The Add Roles Wizard opens. Click Next.

4. On the Select Server Roles page, in Roles, select Active Directory Certificate

Services, and then click Next twice.

5. On the Select Role Services page, in Role services, verify that Certification Authority

is selected, and then click Next.

6. On the Specify Setup Type page, verify that Enterprise is selected, and then click Next.


7. On the Specify CA Type page, verify that Root CA is selected, and then click Next.

8. On the Set Up Private Key page, verify that Create a new private key is selected, and

then click Next.

9. On the Configure Cryptography for CA page, keep the default CSP

(RSA#Microsoft Software Key Storage Provider). For the hash algorithm, select SHA256

rather than the default SHA1 if all of your clients support it (Windows 7 and

Windows Server 2008 R2 do); SHA-1 signatures are deprecated. For Key length, keep

the default of 2048 bits. Longer keys provide more security margin at some cost in

server performance; do not reduce the key length to 1024 bits, because 1024-bit RSA

keys are no longer considered secure for a certification authority. Click Next.

10. On the Configure CA Name page, keep the suggested common name for the CA or

change the name according to your requirements, and then click Next.

11. On the Set Validity Period page, in Select validity period for the certificate generated

for this CA, type the number and select a time value (Years, Months, Weeks, or Days).

The default setting of five years is recommended. Click Next.

12. On the Configure Certificate Database page, in Certificate database location and

Certificate database log location, specify the folder location for these items. If you

specify locations other than the default locations, ensure that the folders are secured with

access control lists (ACLs) that prevent unauthorized users or computers from accessing

the CA database and log files.

13. Click Next, click Install, and then click Close.

Configure the Web Server certificate template

You can use this procedure to configure the certificate template that Active Directory® Certificate

Services (AD CS) uses as the basis for computer certificates that are enrolled to hosted cache

server computers.

Membership in both the Enterprise Admins and the root domain's Domain Admins group is the

minimum required to complete this procedure.

1. On the computer where AD CS is installed, click Start, click Run, type mmc, and then

click OK.

2. On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog

box opens.

3. In the Add or Remove Snap-ins dialog box, in Available snap-ins, double-click

Certification Authority. Select the CA that you want to manage, and then click Finish.


The Certification Authority dialog box closes, returning you to the Add or Remove

Snap-ins dialog box.

4. In Available snap-ins, double-click Certificate Templates, and then click OK.

5. In the console tree, click the Certificate Templates snap-in. All of the certificate

templates are displayed in the details pane.

6. In the details pane, click the Web Server template.

7. On the Action menu, click Duplicate Template. In the Duplicate Template dialog box,

select the template version that is appropriate for your deployment. For client and server

interoperability reasons, it is recommended that you select Windows Server 2003

Enterprise.

8. Click OK. The Properties dialog box for the certificate template opens.

9. On the General tab, in Display Name, type a new name for the certificate template or

keep the default name, Copy of Web Server.

10. Click the Subject Name tab. Ensure that Build from this Active Directory information

is selected. In Subject name format, select DNS name. Clients validate the hosted cache

server certificate against the name they are given in the location parameter, so that

parameter must be the same fully qualified domain name that the certificate carries.

11. Click the Request Handling tab. For Minimum key size, keep the default setting of

2048 bits. Larger keys provide more security margin but can impact server

performance; do not reduce Minimum key size to 1024, because 1024-bit RSA keys are

no longer considered secure.

12. Click the Security tab. In Group or user names, click Add. The Select Users,

Computers, Service Accounts, or Groups dialog box opens.

13. In Select Users, Computers, Service Accounts, or Groups, type the name of the

group that you created for your hosted cache servers, and then click OK. For example,

type Hosted Cache Servers.

14. In Properties of New Template, in Group or User Names, click the name of the group

you just added. For example, if your group is named Hosted Cache Servers, click that

group.

15. In Properties of New Template, in Permissions for Hosted Cache Servers, under

Allow, select the Enroll and Autoenroll permission check boxes, and then click OK.

Note: If your group name is not Hosted Cache Servers, this section of the dialog box is

named Permissions for Group Name, where Group Name is the name of the hosted

cache servers group that you created.

16. In the left pane of the Microsoft Management Console (MMC), double-click Certification

Authority, double-click the CA name, and then click Certificate Templates. On the

Action menu, point to New, and then click Certificate Template to Issue. The Enable

Certificate Templates dialog box opens.

17. Click the name of the certificate template you just configured, and then click OK. For

example, if you did not change the default certificate template name, click Copy of Web

Server, and then click OK.

Configure server certificate autoenrollment

Note

Before you perform this procedure, you must configure a server certificate template by

using the Certificate Templates Microsoft Management Console snap-in on a CA that is

running AD CS.

Membership in both the Enterprise Admins and the root domain's Domain Admins group is the

minimum required to complete this procedure.

1. On the computer where Active Directory Domain Services is installed, click Start, click

Run, type mmc, and then click OK.

2. On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog

box opens.

3. In Available snap-ins, scroll down to and double-click Group Policy Management

Editor, and then click OK. The Group Policy Wizard opens.

4. In Group Policy Object, click Browse. The Browse for a Group Policy Object dialog

box opens.

5. In Domains, OUs, and linked Group Policy Objects, click Default Domain Policy, and

then click OK. Enabling autoenrollment in this GPO applies to every computer in the

domain; only members of the hosted cache servers group have Enroll and Autoenroll

permission on the template, so only they receive this certificate. To limit the policy's

reach, link a separate GPO to the OU that contains the hosted cache servers instead.

6. Click Finish, and then click OK.

7. Double-click Default Domain Policy. In the console, expand the following path:

Computer Configuration, Policies, Windows Settings, Security Settings, and then

Public Key Policies.

8. Click Public Key Policies. In the details pane, double-click Certificate Services Client -

Auto-Enrollment. The Properties dialog box opens. Configure the following items, and

then click OK:

a. In Configuration Model, select Enabled.

b. Select the Renew expired certificates, update pending certificates, and remove

revoked certificates check box.

c. Select the Update certificates that use certificate templates check box.

9. Click OK.


Refresh Group Policy

You can use this procedure to manually refresh Group Policy on the local computer. When Group

Policy is refreshed, if certificate autoenrollment is configured and functioning correctly, the local

computer is autoenrolled a certificate by the certification authority (CA).

Note

Group Policy is automatically refreshed when you restart the domain member computer,

or when a user logs on to a domain member computer. In addition, Group Policy is

periodically refreshed. By default, this periodic refresh is performed every 90 minutes with

a randomized offset of up to 30 minutes.

Membership in Administrators, or equivalent, is the minimum required to complete this

procedure.

1. Click Start, click Run, type cmd, and then press ENTER. The Command Prompt window

opens.

2. Type gpupdate, and then press ENTER.

Obtain the SHA-1 hash of the hosted cache server certificate

You can use this procedure to obtain the SHA-1 hash, also called the thumbprint, of the server

certificate of a hosted cache server so that you can link the certificate to BranchCache. This

procedure must be performed on a hosted cache server to which a server certificate has already

been enrolled.

Membership in Administrators on the hosted cache server, or equivalent, is the minimum

required to perform this procedure.

1. Click Start, click Run, type mmc, and then press ENTER. The Microsoft Management

Console (MMC) opens.

2. In the MMC, on the File menu, click Add/Remove Snap-in. The Add or Remove Snap-

ins dialog box opens.

3. In Add or Remove Snap-ins, in Available snap-ins, double-click Certificates. The

Certificates snap-in dialog box opens. Click Computer account, and then click Next.

4. In Select Computer, in This snap-in will always manage, ensure that Local

computer: (the computer this console is running on) is selected, click Finish, and

then click OK.

5. In the navigation pane, double-click Certificates (Local Computer) and then double-click

the Personal certificate store.

6. The Certificates folder is a subfolder of the Personal certificate store. Click the

Certificates folder.

7. In the details pane, browse to the server certificate and double-click the certificate. The

Certificate dialog box opens.

8. In the Certificate dialog box, click the Details tab.

Note

On the Details tab, in Field, ensure that the value of the Certificate Template

Name extension matches the name of the copy of the Web Server certificate

template that you configured in a previous step. For example, if you used the

default name Copy of Web Server, ensure that this value appears in Certificate

Template Name to verify that you have selected the correct certificate.

9. In the list of fields, select Thumbprint.

10. In the lower pane, the hexadecimal string that is the SHA-1 hash of your certificate is

displayed. Select the SHA-1 hash and press Ctrl+C to copy the hash to the Windows

clipboard.

11. Click Start, click All Programs, click Accessories, and then click Notepad. The

Notepad application opens.

12. In Notepad, press Ctrl+V to paste the SHA-1 hash into a new text file. Remove all of the

spaces between the characters in the SHA-1 hash so that the hash contains no spaces, and

then save the text file to hard disk. The Certificate dialog box also copies an invisible

Unicode left-to-right mark (U+200E) in front of the first character; if netsh later rejects

the hash with "The parameter is incorrect", delete the first few characters of the pasted

hash and retype them, and check that the result is exactly 40 hexadecimal characters.

Note

In the next procedure where you link the hosted cache server certificate to BranchCache,

you will use the SHA-1 hash of the certificate while running a network shell (netsh)

command.

Link the hosted cache server certificate to BranchCache

You can use this procedure to link the server certificate of a hosted cache server to BranchCache

using network shell (netsh) commands.

Important

In this procedure you must use the SHA-1 hash of the hosted cache server certificate that

you obtained while performing the previous procedure in this guide. Before using the

SHA-1 hash in this procedure, remove all spaces from the SHA-1 hash. Do not replace

the spaces with alternate characters, just remove the spaces. If you do not remove the

spaces from the SHA-1 hash, the effort to link the certificate to BranchCache will fail.

Membership in Administrators on the hosted cache server, or equivalent, is the minimum

required to perform this procedure.

1. On the BranchCache hosted cache server that you want to configure, click Start, click

Search programs and files, and then type command. In search results, under

Programs, right-click Command Prompt, and then click Run as Administrator. The

command prompt opens with the elevated privileges that are required to run netsh

commands.

2. Run the following command, where SHA-1_Hash is the SHA-1 hash of the server

certificate on the hosted cache server:

netsh http add sslcert ipport=0.0.0.0:443 certhash=SHA-1_Hash appid={d673f5ee-a714-454d-8de2-492e4c1bd8f8}

The ipport value 0.0.0.0:443 binds the certificate for all IPv4 addresses on the

server. If clients reach the hosted cache server over IPv6, run the command again with

ipport=[::]:443. If the command fails with "The parameter is incorrect", the hash still

contains a space or a hidden character. To verify the binding, run netsh http show

sslcert ipport=0.0.0.0:443 and confirm that the certificate hash and the application ID

match what you entered.
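The two procedures above (Obtain the SHA-1 hash of the hosted cache server certificate and Link the hosted cache server certificate to BranchCache) as a script that also tests the result the way a client would. This is an added example and is not part of the deployment guide. It assumes an elevated PowerShell session on the hosted cache server, that clients use this server's FQDN as the location value, and that the certificate subject was built from the DNS name as the template procedure specifies; Test-ServerAuthCertificate is a helper written for this example, and the application ID is the one given in the procedure above.

```powershell
# Added example, not part of the deployment guide: select the autoenrolled server
# certificate, take its thumbprint, bind it to 0.0.0.0:443 for BranchCache, and test
# the TLS listener the way a client would. Run in an elevated PowerShell session on
# the hosted cache server.
# ASSUMPTION: clients use this server's FQDN as the 'location' value, and the
# certificate subject was built from the DNS name as the template procedure specifies.
$Fqdn          = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$AppId         = '{d673f5ee-a714-454d-8de2-492e4c1bd8f8}'   # BranchCache application ID from the guide
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'                        # Enhanced Key Usage: Server Authentication

function Test-ServerAuthCertificate {
    # True for an unexpired certificate with a private key, subject CN=$DnsName, and the
    # Server Authentication EKU, which is what the Web Server template copy issues.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$DnsName)
    if (-not $Cert.HasPrivateKey -or $Cert.NotAfter -le (Get-Date)) { return $false }
    if ($Cert.Subject -ne "CN=$DnsName") { return $false }
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($eku in $ext.EnhancedKeyUsages) {
                if ($eku.Value -eq $ServerAuthOid) { return $true }
            }
        }
    }
    return $false
}

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { Test-ServerAuthCertificate -Cert $_ -DnsName $Fqdn } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    throw "No valid server certificate for CN=$Fqdn in LocalMachine\My. Run gpupdate and certutil -pulse, then retry."
}

# The Thumbprint property is the SHA-1 hash as 40 hex characters with no spaces and none
# of the hidden characters that copying from the Certificate dialog box can introduce.
$thumb = $cert.Thumbprint
if ($thumb -notmatch '^[0-9A-F]{40}$') { throw "Unexpected thumbprint format: $thumb" }

# netsh refuses to add a binding over an existing one, so remove any binding on the port.
$existing = & netsh http show sslcert ipport=0.0.0.0:443
if ($existing -match 'Certificate Hash') {
    & netsh http delete sslcert ipport=0.0.0.0:443 | Out-Host
}
& netsh http add sslcert ipport=0.0.0.0:443 "certhash=$thumb" "appid=$AppId" | Out-Host
& netsh http show sslcert ipport=0.0.0.0:443 | Out-Host

# Restart BranchCache so HTTP.sys serves the new binding, then handshake with the
# listener using default validation (chain and host name), as a domain client does.
Restart-Service -Name PeerDistSvc
Start-Sleep -Seconds 3
$tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $Fqdn, 443
$ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream()
try {
    $ssl.AuthenticateAsClient($Fqdn)              # throws if the chain or name does not validate
    $presented = $ssl.RemoteCertificate.GetCertHashString()
    if ($presented -ne $thumb) {
        throw "Listener presented $presented but $thumb was bound."
    }
    "OK: $Fqdn presents certificate $thumb on TCP 443 and the chain validates."
} finally {
    $ssl.Close()
    $tcp.Close()
}
```

The handshake at the end uses the server's own trust store, which on a domain member contains the enterprise root CA; a validation failure here means clients in the branch will fail in the same way, most often because the certificate's DNS name does not match the location value they are configured with. For IPv6 clients, repeat the add sslcert call with ipport=[::]:443.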

Additional Resources

For more information about the technologies in this guide, see the following resources in the

Windows Server® 2008 and Windows Server® 2008 R2 Technical Library.

Active Directory Certificate Services (http://go.microsoft.com/fwlink/?LinkId=110923)

Active Directory Domain Services (http://go.microsoft.com/fwlink/?LinkId=110928)

Background Intelligent Transfer Service (BITS) (http://go.microsoft.com/fwlink/?

LinkId=163282)

Configuring Certificate Revocation (http://go.microsoft.com/fwlink/?LinkId=163242)

File Services (http://go.microsoft.com/fwlink/?LinkId=163286)

Group Policy (http://go.microsoft.com/fwlink/?LinkId=110930)

Network Shell (Netsh) Commands for BranchCache (http://go.microsoft.com/fwlink/?

LinkId=156640)

Web Server (http://go.microsoft.com/fwlink/?LinkId=163294)

The following topics provide information about designing a public key infrastructure and the

server message block (SMB) protocol.

Deployment Planning (Best Practices for Implementing a Microsoft Windows Server 2003

public key infrastructure) in Windows Server TechCenter (http://go.microsoft.com/fwlink/?

LinkId=106049)

Microsoft SMB Protocol and CIFS Protocol Overview (Windows) in the Microsoft Developer

Network (MSDN) (http://go.microsoft.com/fwlink/?LinkId=163293)
