BranchCache Deep Dive – An IT Administrator’s Primer (SVR 306)
Ravi Rao, Senior Program Manager, Microsoft
Session Code: SVR306
Agenda
• Problem background
• Solution architecture
• Demos
• Deep dives
• Ecosystem
Branch – The problem space
In other words
• WAN links are “thin” and congested
• WAN links lead to loss of productivity
• WAN links are expensive
• Data centralization makes the problem worse
Solution Tenets
Local
• Distributed – retrieve from other clients in the branch
• Centralized – retrieve from a “hosted cache” in the branch
Secured
• Client can only retrieve content locally if authorized by the content server
• All data transfers in the branch are encrypted
End to End
• Maintains protocol integrity
• Benefits from protocol optimizations
• Optimizes SSL, IPsec, SMB signing, HTTP, SMB
[Diagram: Distributed Cache – Get / ID / Data messages exchanged between the client, the content server and peer clients in the branch]
[Diagram: Hosted Cache – Get / ID / Data / Put / Search / Request / Offer messages exchanged between the client, the content server and the hosted cache]
Applications light up!
Configuration Manager & WSUS
Goals
• Reduce WAN utilization in the remote office scenario
• Reduce the number of actively managed Distribution Points
• For users, transfer content faster and with fewer restrictions in the remote office scenario
Integration
• Distribution Points (DPs) run on Windows Server 2008 R2
• Download packages (apps, updates etc.) once into a branch office; get them from other clients or the Hosted Cache after that
Support for Configuration Manager (and WSUS) clients available on Windows Vista, Windows Server 2008 R2
Application Virtualization (AppV)
Goals
• Make users productive quickly in branch offices
• Save on the need for deploying IT infrastructure in branch offices
• Reduce bandwidth utilization over the WAN link to save costs
Integration
• HTTP streaming in AppV optimized using BranchCache
• Virtual applications only have to traverse the WAN link once
• Eliminate IIS servers (AppV staging servers) from the branch office
Support available on Windows 7 and Windows Server 2008 R2
SharePoint & IIS
Goals
• Improve SharePoint and IIS responsiveness in branch offices without requiring separate branch infrastructure
• Enable Office Web Applications to see improved performance in branch offices
Integration
• IIS and SharePoint need to run on Windows Server 2008 R2
• Users never get stale content; if content is updated, the content identifiers change
Support available for Windows 7 and Windows 2008 R2
File Servers
Goals
• Improve the SMB protocol to reduce chattiness over the WAN link, and be aware of common application behaviors
• Reduce bandwidth utilization over the WAN link, and improve performance of applications (Robocopy, Office etc.) in branch offices
Integration
• SMB 2.1 introduces “Leasing and OpLocks” – mechanisms to improve protocol behavior over the WAN link
• BranchCache integration ensures that data needs to move over the WAN link only once
• SMB Transparent Caching enables better road-warrior scenarios
• Offline Files enables file access even when the WAN link is down
• All application semantics around locking are automatically maintained
Available on Windows 7 and Windows Server 2008 R2
DirectAccess, SSL, IPsec, SMB Signing
Scenarios requiring end-to-end secure, encrypted transports “just work” with BranchCache.
As a result, DirectAccess, IPsec scenarios (such as Server/Domain Isolation) and even point-to-point VPNs automatically work.
Overall Framework
[Diagram: applications – IE, Robocopy, Office, WMP, BITS, SharePoint, AppV, SCCM, WSUS and 3rd party applications – run over HTTP/1.1 and SMB 2.1, with BranchCache™ underneath both protocols]
How is SSL Optimized?
[Diagram: client stack Sockets – SSL – HTTP – IE with BranchCache inserted above SSL; server stack Sockets – SSL – HTTP – IIS with BranchCache inserted above SSL. Data is encrypted on the wire (by SSL, or by IPsec below Sockets) and in the clear above the SSL layer, which is where BranchCache operates on both client and server]
Deployment
Deployment – Content server
• HTTP server (IIS): install the BranchCache feature from Server Manager
• SMB server (File server): install the BranchCache role service feature within the file server role using Server Manager; enable on the whole machine or on specific shares
Deployment – Client
Identify the “branch”
• An Active Directory Site
• An IP address range
• A collection of specific client computers
Choose how to deploy
• Group Policy
• netsh
Deploy to clients!
• Group policy: use the built-in ADMX files
• netsh: run netsh branchcache set service distributed on all relevant clients
Deployment – Hosted Cache
Set up the hosted cache
• Install the BranchCache feature on an R2 server
• Install a server-auth certificate for use with SSL
• Run netsh branchcache set service hostedserver on the hosted cache
Identify branch
Choose how to deploy
Deploy to clients!
• Group policy: use the built-in ADMX files
• netsh: run netsh branchcache set service hostedclient location=<> on all clients
Deployment – Summary
[Diagram: IIS and File Server content servers, Group Policy Management, and an optional Hosted Cache in the branch]
• Install the BranchCache™ feature on an R2 server
• Use Group Policy to enable clients
• Optionally, install a hosted cache in your branch
Monitoring
• Event logs – Operational logs & Audit logs
• Perfmon counters – Client, hosted cache and Content Server
• netsh for querying the infrastructure for potential problems: cache size too small, firewall issues, certificate problems etc.
• SCOM pack – for rolling all the information up
Going Deeper…
Content Identifiers
[Diagram: Content is divided into segments S1, S2, S3 …; each segment is divided into blocks B1, B2 … Bn]
• Segments: unit of discovery
• Blocks: unit of download
• Hashes: returned by server
• Segment hashes, block hashes: up to ~2000x data reduction
HTTP/HTTPS Integration
[Diagram: IE / wininet opens the URL; BranchCache on the client sends the Get marked “Branch Cache Capable” to http.sys / IIS, which return a hash list (H1, H2, H3, H4, H5) in place of the data; BranchCache then returns the Data to IE]
SMB/SMB Signing Integration
[Diagram: server side – the SMB Server Driver, SMB Hash Generation Service and HashGen utility generate or update hashes; client side – the application calls ReadFile, the CSC Driver and SMB Client Driver request hashes, the CSC Service and CSC Cache save and access hashes and prefetch file data, and BranchCache exchanges Hashlist / Data]
Security
• Blocks: B1, B2 … Bn
• Block hashes: Hash(block)
• Segment hash of data: HoD = Hash(block hashes)
• Server secret key: Ks
• Segment secret: Kp = Hash(HoD, Ks)
• Encryption key: Ke = Kp
• Segment Id: Hash(Kp, HoD + K)
[Diagram: derivation shown across Client and Server]
Flow – a Security View
1. Client requests data from the server, and indicates BranchCache capability
2. Server authorizes the client
3. Server retrieves content identifiers (block hashes, segment hashes, segment secrets) for the data
4. Server sends content identifiers on the same channel as the data
5. Client computes a segment ID and broadcasts it on the local network
Flow, Continued
6. Serving clients receive the broadcast, decrypt the segment hash from the segment discovery key, and respond with data availability
7. Client requests blocks from the serving client
8. Serving client computes the encryption key from the segment secret and encrypts each block with it
9. Client receives the data, decrypts it, and validates the block data against the block hash; if valid, returns it to the application
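The derivation on the Content Identifiers and Security slides and the retrieval flow above, worked through as an added example that is not code from this deck or from Microsoft's BranchCache implementation; it also shows the two rejections the flow relies on (a tampered block fails the block-hash check, and a peer that never received Kp from the server cannot compute the segment ID). Assumptions: SHA-256/HMAC stand in for the slide's Hash(), an HMAC-derived XOR keystream stands in for the real block cipher, and the content, server secret and K term are constructed placeholders.

```python
import hashlib
import hmac

# Constructed sample content and server secret; not real BranchCache values.
CONTENT = b"".join(b"branch office payroll export, row %03d\n" % i for i in range(40))
SERVER_SECRET_KS = b"server-secret-ks-constructed"
BLOCK_SIZE = 256
# The slide's "K" term in Hash(Kp, HoD + K); this value is an assumption, not the spec constant.
K_TERM = b"K-term-placeholder"

def h(data):
    return hashlib.sha256(data).digest()

def content_identifiers(content, ks):
    """Server side: derive the identifiers the Security slide lists, in the stated order."""
    blocks = [content[i:i + BLOCK_SIZE] for i in range(0, len(content), BLOCK_SIZE)]
    block_hashes = [h(b) for b in blocks]                          # Hash(block)
    hod = h(b"".join(block_hashes))                                # HoD = Hash(block hashes)
    kp = hmac.new(ks, hod, hashlib.sha256).digest()                # Kp = Hash(HoD, Ks): needs Ks
    seg_id = hmac.new(kp, hod + K_TERM, hashlib.sha256).digest()  # Segment ID = Hash(Kp, HoD + K)
    return {"blocks": blocks, "block_hashes": block_hashes, "hod": hod,
            "kp": kp, "segment_id": seg_id}

def xor_stream(ke, index, data):
    """Keystream XOR keyed with Ke = Kp; an HMAC-based stand-in for the real block cipher (assumption)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        msg = index.to_bytes(4, "big") + counter.to_bytes(4, "big")
        stream += hmac.new(ke, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def serve_block(serving_ids, index):
    """Serving client: encrypt block `index` with Ke = Kp before handing it to a peer."""
    return xor_stream(serving_ids["kp"], index, serving_ids["blocks"][index])

def receive_block(ids, index, ciphertext):
    """Requesting client: decrypt with the Kp the server sent, then validate against the block hash.
    Returns the block, or None if the hash check fails (tampered or wrong-key data is rejected)."""
    plain = xor_stream(ids["kp"], index, ciphertext)
    if not hmac.compare_digest(h(plain), ids["block_hashes"][index]):
        return None
    return plain

def segment_id_without_server_secret(content):
    """A peer holding the content but never authorized by the server lacks Ks, so it cannot
    derive Kp and therefore cannot compute the segment ID that the broadcast discovery uses."""
    return content_identifiers(content, b"not-the-server-secret")["segment_id"]
```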
Security of Data at Rest
Clients
• Cache only contains content requested by the client
• Data in cache is ACL’d so that it is only accessible if authorized by the server
• If data leakage is a concern, then use BitLocker or EFS
Hosted Cache
• Cache contains content requested by all branch clients
• Use BitLocker or EFS to encrypt the cache as necessary
All data can be purged from the cache using netsh
Customers say…
“We are improving the efficiency of our branch offices and saving bandwidth by using BranchCache in Windows Server 2008 R2 and Windows 7,” said Lukas Kucera, IT services manager of Lukoil CEEB, one of the largest integrated oil and gas companies in the world. “Some of our smaller facilities, such as the office in Slovakia and the storage terminal in Belgium, have just five to 10 users, so it’s not efficient to deploy a file server on-site, but it consumes bandwidth to have them continually accessing files from the main servers. BranchCache is the perfect solution.”
“Taking advantage of the BranchCache feature in Windows Server 2008 R2, we can spend $20,000 rather than $50,000 per year on bandwidth by postponing our expansion schedule.”
David Feng, IT Director, Sporton International
Convergent Computing (CCO) wanted to improve remote network access for its mobile users. Using the DirectAccess and BranchCache™ features in Windows Server® 2008 R2 and Windows 7, CCO has simplified remote connection to its network and sped the downloading of important files. It has cut costs by eliminating its virtual private network and has seen a 43 percent savings in wide area network (WAN) bandwidth.
Microsoft Service Offerings
• Microsoft Services: part of the Microsoft commitment to help you be successful with your Microsoft solutions
• Offerings built using…
  • Service Delivery Methodology (SDM)
  • Microsoft Operations Framework (MOF)
  • IT Infrastructure Library (ITIL)
• Contain implementation and operations IP from…
  • Product Groups
  • Architects
  • Consultants
• Include best practices from enterprise deployments
• Ensure quality & consistency
• Available to partners to deliver
Optimized Branch Infrastructure Solution Framework
Branch Standardization
SCOPE: Build a basic platform using Windows Client & Server and System Center products
BUSINESS DRIVERS: Cost Reduction, Agility, Manageability, Security
TECHNOLOGIES: Hyper-V, Network Infrastructure, BitLocker, BranchCache, SCVMM, File Service, Desktop deployment, W2K8 R2, Win7
Server Consolidation and Service Optimization
• Scenarios: Server, Desktop, and Application Virtualization
• Technologies: High Availability, Active Directory, Exchange, SVAM WMP
Centralized Management and Branch Provisioning
• Scenarios: Provisioning, Patch Mgmt, Server and Configuration Monitoring
• Technologies: SCOM, SCCM, NAP, SCDPM
Network Efficiency and Client Productivity
• Scenarios: Identity and Access Mgt., Data Security, WAN Optimization
• Technologies: BranchCache, OS deployment, FileService, Win7, Office14
Engagement phases
• Pre-engagement: Questionnaire, Engagement Kickoff
• Envisioning: Discovery & Assessment, Vision & Scope
• Planning: Deployment Plan
• Build: Implementation Plan
• Stabilize: Operations Plan
• Deploy: Final Presentation
Announcing: Branch Alliance
To Summarize
• BranchCache™ reduces WAN bandwidth consumed by end users for intranet-based HTTP and SMB traffic and improves the end user experience
• BranchCache™ accelerates delivery of encrypted and signed content such as when using HTTPS, IPsec and SMB signing, and at the same time ensures authorization of users by the server at the central office
• BranchCache™ doesn’t require additional equipment in the branch offices and can be easily managed using existing systems management technology such as Group Policy
• BranchCache has a vibrant and growing ecosystem giving customers the choice to pick a solution that works best for their needs
BranchCache Resources
Protocols
• Content Identification (PCCRC)
• Discovery (PCCRD)
• Retrieval (PCCRR)
• Hosted Cache Offer (PCHC)
• HTTP extensions for BranchCache (PCCRTP)
• SMB extensions for BranchCache (SMB2.1)
Netmon Parsers
• Protocol parsers
Collateral
• BranchCache Executive Overview
• BranchCache Technical Overview
• BranchCache Security Guide
• BranchCache Deployment Guide
Case studies (partial)
• Sporton International
• Convergent Computing
Website: http://www.branchcache.com
• www.microsoft.com/teched – Sessions On-Demand & Community
• http://microsoft.com/technet – Resources for IT Professionals
• http://microsoft.com/msdn – Resources for Developers
• www.microsoft.com/learning – Microsoft Certification and Training Resources
Windows Server Resources
• Make sure you pick up your copy of Windows Server 2008 R2 RC from the Materials Distribution Counter
• Learn more about Windows Server 2008 R2: www.microsoft.com/WindowsServer2008R2
• Technical Learning Center (Orange Section): highlighting Windows Server 2008 and R2 technologies; over 15 booths and experts from Microsoft and our partners
• Complete an evaluation on CommNet and enter to win an Xbox 360 Elite!
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.