Branch office access with branch cache

Transcript
Page 1: Branch office access with branch cache

Speed Up Branch Office Access with BranchCache

Greg Shields, MVP, vExpert
Head Geek, Concentrated Technology
www.ConcentratedTech.com

Page 2

This slide deck was used in one of our many conference presentations. We hope you enjoy it, and invite you to use it within your own organization however you like.

For more information on our company, including information on private classes and upcoming conference appearances, please visit our Web site, www.ConcentratedTech.com.

For links to newly-posted decks, follow us on Twitter: @concentrateddon or @concentratdgreg

This work is copyright © Concentrated Technology, LLC

Page 3

Agenda

Part I: Understanding BranchCache
– Discussion: Architectures you’d use in your own environment.
– Discussion: Is this solution more advantageous than WAN optimizers?

Part II: Implementing BranchCache
– Fairly unexciting, but that’s a good thing…

Not much to see in terms of DEMO.

So, we’ll focus on architecture and best fit for your environment.

Page 4

Part I: Understanding BranchCache

Page 5

The Problem with Branch Offices

Branch office users are people too! However, their connection to the LAN includes a hop through a sometimes nasty WAN.
– Local files are fast. Remote files are not.

Users in branch offices often suffer because of WAN delay.

Bad for business. Bad for IT.

Page 6

Branch Offices Don’t Have to be “Branch Offices”

A “branch office” doesn’t necessarily need to be an office that exists in a branch location.

A branch office in this context is really any LAN location that is separated by a slow network link.

Slow == anything below LAN speed

Page 7

More Problems with Branch Offices

Branch offices are often locations with few people and resources.
– Their lack of people and resources is usually the reason for their slow network connection!

WAN optimizers exist, but can be expensive. Often involves hardware.
– But the central business problem is that there simply isn’t enough “work” at the site to justify hardware.

WAN optimizers are often too powerful of a solution.
– People just need faster access to files and web sites.
– Businesses can’t justify cost.

Page 8

Solving the Branch Office Conundrum

Businesses today need cost-effective solutions that don’t necessarily require on-site hardware.
– However, such solutions should be “future proof”, i.e. scalable with hardware if needed in the future.

Page 9

Solving the Branch Office Conundrum


Most businesses today just need a solution to improve file and folder access, web site access, and perhaps a few applications.
– Must be a “set-it-and-forget-it” solution.
– Other application and data accesses can be handled through existing solutions: RDS, for example.

Solution: BranchCache!

Page 10

What is BranchCache?

BranchCache caches content from main office servers to branch office locations.
– To specially-configured BranchCache servers…
– …or, to one or more desktops at the branch office.

What kind of content?
– Files and folders
– HTTP / HTTPS sites
– BITS-enabled applications (WSUS comes to mind)
– Any tool, service, application, or widget that makes use of the SMB/HTTP/BITS stack

Page 11

What is BranchCache?

BranchCache’s services operate “below” the SMB/HTTP/BITS stack.
– This means that any tool (Robocopy, WMP, IE, Flash, Silverlight, etc) that uses SMB/HTTP is transparently and automatically cached.

Page 12

What is BranchCache?


Result: No change in user procedures.
– Users simply access their files in the same locations they’re used to.
– Under the covers, they’re transparently redirected to a locally-cached copy (if it exists).
– If no copy exists, one is cached after its first access and download to the remote site.

Page 13

BranchCache Dataflow (Initial Access, Distributed Cache)

1. Client 1 sends a request for content to the main office content server. In this request, Client 1 indicates that it is BranchCache-capable.

2. The content server obtains previously generated content information from a local cache and sends it to Client 1.

3. Client 1 uses the content information and sends a multicast message to all computers on the subnet requesting the content; no computers have the content, however, because none of them has previously downloaded the content from the main office.

4. Client 1 requests the content from the main office content server.

5. Client 1 receives content from the content server and stores the content in its cache.

Page 14

BranchCache Dataflow (Subsequent Accesses, Distributed Cache)

1. Client 2 sends a request for content to the main office content server. In this case, Client 2 seeks the same content that Client 1 has already obtained.

2. The content server obtains previously generated content information from a local cache and sends it to Client 2.

3. Client 2 uses the content information and sends a multicast message to determine if any clients in the branch office have already cached the content. Client 1 sends a response stating that it has the content.

4. Client 2 requests the content from Client 1, connects to Client 1, and downloads the content.

Page 15

OK, So What is this “Previously-Generated Content”?

Call it… “content metadata”.
– Content is broken into blocks, or “chunks of data”.
– For each block, block and segment hashes are computed (using SHA-256).
– Compression ratio of hash to original content is around 2000:1.
– One file == many blocks. Discrete content chunking.

Page 16

OK, So What is this “Previously-Generated Content”?


Segment hashes provide a unit of discovery.
– “I’m looking for this file, do you have it, and do you have the version of it that I want?”

Block hashes provide a unit of download.
– “You do? Good. I already have most of the file. Give me just this tiny bit of it that I still need.”

Page 17

What is “Previously-Generated Content”?

All of this is transparent to both you and the user.

It’s faster to compare content “chunks” than actual content.

Page 18

Options: Distributed & Hosted Cache

Distributed Cache
– Windows 7 computers store the cached content.
– Windows 7 computers multicast with each other to inform a requestor that they have/don’t-have content.
– Client bits are a default component of Windows 7 & R2 (only), must be specifically enabled.

Hosted Cache
– A specially-configured Server 2008 R2 server is used for content storage at branch office.
– Desktops still complete the initial download on their own. Server then caches the content from the client.

The previous example used a Distributed Cache.

Page 19

BranchCache Dataflow (Initial Access, Hosted Cache)

1. Client 1 sends a request for content to the main office content server. In this request, Client 1 indicates that it is BranchCache-capable.

2. The content server obtains previously generated content information from a local cache and sends it to Client 1.

3. Client 1 requests the content from the hosted cache server in the branch office, and the hosted cache server informs Client 1 that it does not have the content in its cache.

4. Client 1 requests the content from the main office content server.

5. Client 1 receives content from the main office content server.

6. Client 1 advertises the content to the hosted cache server in the branch office; the hosted cache server connects to the client and downloads the content to store in its cache.

Page 20

BranchCache Dataflow (Subsequent Accesses, Hosted Cache)

1. Client 2 sends a request for content to the main office content server. In this case, Client 2 seeks the same content that Client 1 has already obtained.

2. The content server obtains previously generated content information from a local cache and sends it to Client 2.

3. Client 2 uses the content information and sends a request to the hosted cache server for the content. The hosted cache server sends a response stating that it has the content.

4. Client 2 connects to the hosted cache server and downloads the content, using the content information that it received from the main office content server to verify the data.

Page 21

BranchCache Dataflow (Subsequent Accesses, Hosted Cache)


Notice: Initial access in each example is always to the Main Office’s content server.

Thus: No change in user behavior.

Page 22

DISCUSS: Which Would You Use? Why?

Distributed Mode? Cached Mode?

Why?

Page 23

Advantages of Hosted Mode

No need to use Windows 7 desktops as content storage locations.
– Uses drive space, slight increase in processor use.
– Eliminates need for multicasting around local net.

Hosted cache is a server, always on.
– Powered down desktops also take down cache data.

Better bandwidth savings (in comparison).
– Multiple subnets with distributed mode create cache islands. Won’t cross subnets.
– Larger offices need more cached data, can justify a server purchase.
– Auditing: Easier to audit in hosted mode.

Page 24

Protocols in Use

Protocol                                      Used For
SHA-256                                       Hashing data on content server.
HTTP / SMB / BITS                             Initial client communication with content (file, web, application) server.
BranchCache Discovery Protocol                Used by clients to search local network for content.
WS-Discovery                                  Used by BranchCache Discovery Protocol (Web Services, Multicast, UDP).
BranchCache Retrieval Protocol (MS-PCCRD)     Used by clients to obtain content (HTTP).
BranchCache Hosted Cache Protocol (MS-PCHC)   Used by clients to advertise to Hosted Cache that they have content for storage.

Page 25

Built-in Security Features

Security at Rest
– Content integrity through chunking.
– Pre-transfer authentication/authorization through requesting protocol (SMB/HTTP/etc).
– Metadata hashes become post-transfer integrity verification.
– BranchCache respects NTFS ACLs at all times.
– Cache can be encrypted with BitLocker or EFS.
– Hosted cache further protected via certificate.

Security in Transit
– SSL authentication optional for content transfer.
– Transferred content encrypted using AES 128 (key derived from metadata).
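As an added example (not part of the deck, and not Microsoft’s implementation), the PowerShell below models the “content metadata” idea from the Previously-Generated Content slides together with the post-transfer integrity check listed on this slide. Content is cut into fixed-size blocks, each block gets a SHA-256 hash, a segment hash over the block hashes serves as the discovery key, and a client assembling a file from its own cache, a branch peer and the main office accepts a block only if it matches the published hash, so a corrupt peer copy costs one block over the WAN rather than a bad file. The block size, function names, the hashtable layout of the three caches and the demo data are assumptions; real BranchCache (MS-PCCRC) also keys its hashes with a server secret, which this model leaves out.

```powershell
# Added example, not from the deck: a simplified model of BranchCache content
# metadata. Assumptions: fixed-size blocks, one segment per file, plain SHA-256
# (the real MS-PCCRC hashes also involve a server secret, omitted here).

$sha = [System.Security.Cryptography.SHA256]::Create()

function Get-ContentMetadata {
    # Publish metadata for a byte[]: one SHA-256 per block, plus a segment hash
    # over the concatenated block hashes (the slides' "unit of discovery").
    param([byte[]]$Content, [int]$BlockSize = 32)
    $blockHashes = [System.Collections.Generic.List[byte[]]]::new()
    for ($offset = 0; $offset -lt $Content.Length; $offset += $BlockSize) {
        $len = [Math]::Min($BlockSize, $Content.Length - $offset)
        $blockHashes.Add($sha.ComputeHash($Content, $offset, $len))
    }
    $joined = [System.Collections.Generic.List[byte]]::new()
    foreach ($h in $blockHashes) { $joined.AddRange([byte[]]$h) }
    return @{
        BlockSize   = $BlockSize
        BlockHashes = $blockHashes
        SegmentHash = $sha.ComputeHash($joined.ToArray())
    }
}

function Split-Blocks {
    # Cut content into a hashtable of block index -> byte[] (one cache's view of a file).
    param([byte[]]$Content, [int]$BlockSize = 32)
    $blocks = @{}
    $index = 0
    for ($offset = 0; $offset -lt $Content.Length; $offset += $BlockSize) {
        $end = [Math]::Min($offset + $BlockSize, $Content.Length) - 1
        $blocks[$index] = [byte[]]$Content[$offset..$end]
        $index++
    }
    return $blocks
}

function Test-CachedBlock {
    # Post-transfer integrity check: does this block match the hash in the metadata?
    param([byte[]]$Block, [byte[]]$ExpectedHash)
    $actual = $sha.ComputeHash($Block)
    return ([BitConverter]::ToString($actual) -eq [BitConverter]::ToString($ExpectedHash))
}

function Get-ContentFromCaches {
    # Assemble a file the way a BranchCache client does: reuse blocks it already
    # holds, take the rest from a branch peer, and go to the main office (the WAN)
    # only for blocks that are missing or fail verification.
    param([hashtable]$Metadata, [hashtable]$Local, [hashtable]$Peer, [hashtable]$Origin)
    $assembled = [System.Collections.Generic.List[byte]]::new()
    $sources = @()
    for ($i = 0; $i -lt $Metadata.BlockHashes.Count; $i++) {
        $expected = $Metadata.BlockHashes[$i]
        if ($Local.ContainsKey($i)) {
            $block = $Local[$i]; $source = 'local cache'
        } elseif ($Peer.ContainsKey($i) -and (Test-CachedBlock -Block $Peer[$i] -ExpectedHash $expected)) {
            $block = $Peer[$i]; $source = 'branch peer'
        } else {
            # Peer copy missing or corrupt: only this one block crosses the WAN
            $block = $Origin[$i]; $source = 'main office (WAN)'
        }
        if (-not (Test-CachedBlock -Block $block -ExpectedHash $expected)) {
            throw "Block $i failed integrity check from every source"
        }
        $assembled.AddRange([byte[]]$block)
        $sources += "block ${i}: $source"
    }
    return @{ Content = $assembled.ToArray(); Sources = $sources }
}

# --- Constructed demo data (not real branch traffic) ---
$original = [System.Text.Encoding]::UTF8.GetBytes('Quarterly report draft. ' * 6)   # 144 bytes -> 5 blocks of 32
$meta     = Get-ContentMetadata -Content $original -BlockSize 32                 # published by the content server
$origin   = Split-Blocks -Content $original -BlockSize 32                        # main office content server
$peer     = Split-Blocks -Content $original -BlockSize 32                        # Client 1 in the branch
$peer[2]  = [byte[]][System.Text.Encoding]::UTF8.GetBytes('X' * 32)              # Client 1's copy of block 2 is corrupt
$local    = @{ 0 = $origin[0] }                                                  # Client 2 already holds block 0

$result = Get-ContentFromCaches -Metadata $meta -Local $local -Peer $peer -Origin $origin
'Segment hash (discovery key): ' + [BitConverter]::ToString($meta.SegmentHash).Replace('-', '')
$result.Sources
'Reassembled content matches original: ' + ([BitConverter]::ToString($result.Content) -eq [BitConverter]::ToString($original))
```

Running it lists block 0 as served locally, blocks 1, 3 and 4 from the peer, and block 2 from the main office because the peer’s copy failed its hash check; the reassembled bytes match the original. That is the property the slide relies on: the hashes arrive from the content server over an authenticated SMB/HTTP channel, so a peer can only ever supply data the client can verify, never substitute it.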

Page 26

DISCUSS: Is this More Advantageous than WAN Optimizers?

Financially advantageous? Features & capabilities? Usefulness for users?

Page 27

Part II: Deploying BranchCache

Page 28

Important Points for Design

BranchCache available on Windows® 7 Enterprise and Ultimate, Windows Server 2008 R2 (only).
– You must enable BranchCache and create firewall exceptions to allow BranchCache traffic between client computers.

Web server content
– Install the BranchCache feature on the application server or Web server whose content you wish to cache in branch offices.

File server content
– The BranchCache for network files role service of the File Server role in Windows Server 2008 R2 must be installed and enabled.

Do not also deploy WAN accelerators between branch offices and the main office.
– BranchCache does not function correctly when there are WAN accelerators between a branch office and the main office.

Page 29

Important Points for Design

Functionality              Computer Location   Install this Component
Web server                 Main office         BranchCache feature
File server                Main office         BranchCache for Network Files role service of File Services role
BITS application server    Main office         BranchCache feature
Hosted cache server        Branch office       BranchCache feature with hosted cache mode enabled; trusted certificate
Client cache server        Branch office       Enable BranchCache on the client

Page 30

Important Points for Design

Page 31

Implementing Distributed Mode

Install the BranchCache for Network Files role service to a file server in the main office.

Page 32

Implementing Distributed Mode

Install the BranchCache feature to a web or application server in the main office.

Page 33

Implementing Distributed Mode

Use Group Policy to configure BranchCache client settings
– Computer Configuration | Policies | Administrative Templates | Network | BranchCache
– Turn on BranchCache (Yes / No)
– Set BranchCache Distributed Cache mode (Yes / No)
– Set BranchCache Hosted Cache mode (Yes / No, Enter location [FQDN] of hosted cache)
– Configure BranchCache for network files (Yes / No, Round trip latency value above which files are cached)
– Set percentage of disk space used for client computer cache (Numerical percentage value)

Page 34

Implementing Distributed Mode

Use Group Policy to configure BranchCache server settings
– Computer Configuration | Policies | Administrative Templates | Network | Lanman Server
– Hash Publication for BranchCache
  – 0 = Allow hash publication only for shared folders on which BranchCache is enabled.
  – 1 = Disallow hash publication on all shared folders.
  – 2 = Allow hash publication for all shared folders.

Page 35

Implementing Distributed Mode

Use Group Policy to create firewall exceptions.
– Predefined: BranchCache – Content Retrieval (Uses HTTP)
– Predefined: BranchCache – Peer Discovery (Uses WSD)

Page 36

Implementing Distributed Mode

Enable BranchCache on file shares
– Accomplished within Share and Storage Management.

Page 37

Implementing Hosted Mode

All of the above, plus:
– Install and configure a Windows Server 2008 R2 server within the branch office site.
– Install a trusted web server certificate to the server.
– Install BranchCache feature.
– Link the certificate to BranchCache using:
    netsh http add sslcert ipport=0.0.0.0:443 certhash=<SHA-1_Hash> appid={d673f5ee-a714-454d-8de2-492e4c1bd8f8}
– Resize the cache on the server (defaults to 5% of active partition) with:
    netsh branchcache set cachesize size=<sizeInPercent> percent=TRUE
– Sit back. Relax. Enjoy.
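Added example, not the deck’s own material: the netsh steps from the Implementing slides gathered into one elevated PowerShell script, followed by the checks an administrator runs to confirm the result (the “Verifying Happiness” slide that follows has no transcript text, so the verification part is this editor’s suggestion). The hosted cache FQDN, the certificate thumbprint and the cache percentage are placeholders; the appid GUID is the one printed on the slide. The Group Policy settings from the earlier slides are assumed to be in place already (the script only refreshes them; policy settings take precedence over local netsh configuration), and netsh is used rather than the BranchCache PowerShell cmdlets because those only arrived with Windows 8 / Server 2012, after the platforms this deck covers.

```powershell
# Added example, not from the deck. Run in an elevated PowerShell session on the
# machine being configured. Placeholders: $HostedCacheFqdn, $CertThumbprint.
# Everything else is the netsh syntax shown on the slides plus standard
# status/inspection commands.
param(
    [ValidateSet('distributed', 'hostedclient', 'hostedserver')]
    [string]$Mode = 'distributed',
    [string]$HostedCacheFqdn = 'hostedcache.branch.example.com',   # placeholder FQDN of the hosted cache server
    [string]$CertThumbprint  = '<SHA-1_Hash>',                      # placeholder: thumbprint of the trusted web server certificate
    [int]$CachePercent       = 10                                   # placeholder: cache size as percent of the partition
)

$BranchCacheAppId = '{d673f5ee-a714-454d-8de2-492e4c1bd8f8}'   # BranchCache application id, from the slide

# 1. "Turn on BranchCache" and the predefined firewall exceptions come from Group
#    Policy; pull the latest policy before touching the service.
gpupdate /target:computer /force | Out-Null

# 2. Select the cache mode (the slides' Distributed vs Hosted choice).
switch ($Mode) {
    'distributed'  { netsh branchcache set service mode=distributed }
    'hostedclient' { netsh branchcache set service mode=hostedclient location=$HostedCacheFqdn }
    'hostedserver' {
        # Hosted cache server: confirm the certificate is actually installed before binding it,
        # so a typo in the thumbprint fails here rather than as a silent TLS error on clients.
        $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $CertThumbprint
        if (-not $cert) { throw "Certificate $CertThumbprint not found in LocalMachine\My" }
        netsh http add sslcert ipport=0.0.0.0:443 certhash=$CertThumbprint "appid=$BranchCacheAppId"
        netsh branchcache set service mode=hostedserver
        # Resize the cache (the slide notes the default is 5% of the active partition).
        netsh branchcache set cachesize size=$CachePercent percent=TRUE
    }
}

# 3. Verify. The check returns an object rather than only printing, so results can
#    be logged or compared across branch machines.
function Get-BranchCacheHealth {
    $service = Get-Service -Name PeerDistSvc -ErrorAction SilentlyContinue   # PeerDistSvc is the BranchCache service
    $status  = netsh branchcache show status all
    $modeLine = $status | Select-String -Pattern 'Service Mode' | Select-Object -First 1
    $rules   = netsh advfirewall firewall show rule name=all |
               Select-String -Pattern 'Rule Name:.*BranchCache'
    [pscustomobject]@{
        ServiceState  = if ($service) { $service.Status } else { 'not installed' }
        ServiceMode   = if ($modeLine) { $modeLine.ToString().Trim() } else { '(not reported)' }
        FirewallRules = @($rules).Count        # expect the Content Retrieval / Peer Discovery rules from the slides
        StatusText    = $status
    }
}

$health = Get-BranchCacheHealth
$health | Format-List ServiceState, ServiceMode, FirewallRules
if ($Mode -eq 'hostedserver') {
    # Confirm the certificate binding the slide's netsh http add sslcert line created.
    netsh http show sslcert ipport=0.0.0.0:443
}
```

A FirewallRules count of zero after the policy refresh usually means the predefined BranchCache exceptions from the Page 35 slide never applied, which shows up as clients that always fetch from the main office; checking it here is cheaper than diagnosing it from WAN utilization later.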

Page 38

Verifying Happiness

Page 39