Windows 7 Beta - WordPress.com


Joey Snow
Technical Evangelist
Microsoft Corporation
Problem background
Solution modes
Deployment
Demo
Deep Dives
Content Identification
Integration architecture
Security
End to end flow
Partners
Resources
Thin, expensive WAN links between main office and branch offices
High link utilization
Poor application responsiveness
Trend towards data centralization
Solution Tenets
Optimized
• Distributed – retrieve from other clients in the branch
• Centralized – retrieve from a “hosted cache” in the branch
Secured
• Client can only retrieve content locally if authorized by the content server
• All data transfers in the branch are encrypted
End to End
• Maintains protocol integrity
• Benefits from protocol optimizations
• Optimizes SSL, IPsec, SMB signing, HTTP, SMB
[Diagram: Distributed Cache (content IDs and data exchanged directly between branch clients) and Hosted Cache (clients search the hosted cache by ID and retrieve the data from it)]
Centralized cache of data downloaded by the branch
The Hosted cache on Windows Server 2008 R2 provides the following features:
• A centralized cache for protocols HTTP and SMB, and for E2E encrypted/signed traffic: SSL, IPsec, SMB signing etc
• Does not “modify” protocols; benefits from protocol optimizations
• Configurable size/location/persisted across reboots/flush-able
• Works across multiple subnets
• Admins can seed content by writing custom scripts
• Can be a virtual workload in an appliance
• Easy to deploy; clients are configured via policy
Hosted Cache vs. Distributed
Enterprise
Distributed Cache
• Data cached amongst clients
• Recommended for branches without any infrastructure
• Easy to deploy: Enabled on clients through Group Policy
• Cache availability decreases with laptops that go offline
Hosted Cache
• Data cached at hosted cache server
• Recommended for larger branches
• Cache stored centrally: can use existing server in the branch
• Cache availability is high
• Enables branch-wide caching
Overall Framework
[Diagram: 3rd Party Applications, Office, Robocopy, Explorer, AppV, SharePoint, BITS, WMP and IE use SMB and HTTP, and both protocols sit on top of BranchCache™]
Distributed
• HQ: Content Server (must run R2)
• Branch: Client (must run Win 7 or R2)
Hosted
• HQ: Content Server (must run R2)
• Branch: Hosted Cache (must run R2)
• Branch: Client (must run Win 7)
Works on Server Core R2 as well!
HTTP server (IIS) - Install the BranchCache feature from Server Manager
SMB server (File server) – Install the BranchCache role service feature within the file server role using Server Manager
That’s it…
Deployment - Client
Identify the “branch”
• An Active Directory Site
• An IP address range
• A collection of specific client computers
Choose how to deploy
• Group Policy
• netsh
Deploy to clients!
• Group policy: Use built-in ADMX files
• netsh: Run netsh branchcache set service distributed on all relevant clients
Deployment – Hosted Cache
Set up the hosted cache
• Install the BranchCache feature on an R2 server
• Install a server-auth certificate for use with SSL
• Run netsh branchcache set service hostedserver on the hosted cache
Identify Branch
Choose how to deploy
Deploy to clients!
• Group policy: Use built-in ADMX files
• netsh: Run netsh branchcache set service hostedclient location=<> on all clients
Deployment - Summary
[Diagram: Group Policy to enable clients; install the BranchCache™ feature on an R2 server (IIS, File Server); optionally, install a hosted cache in your branch; Group Policy management]
Going Deeper…
Content Identifiers
• Hashes: Returned by server
• Blocks: Unit of download
• Segments: Unit of discovery
• Content is described by segment hashes and block hashes (up to ~2000x data reduction)
[Diagram: content split into segments S1, S2, S3, each made up of blocks B1 … Bn]
HTTP Integration
[Diagram: IE opens a URL through wininet; the request reaches IIS via http.sys marked “Branch Cache Capable”; IIS returns a hashlist (H1 … H5) rather than the data, and the client’s BranchCache component uses the hashlist to get the data from the branch cache]
[Diagram: SMB integration: the application’s ReadFile passes through the CSC driver and CSC cache; the SMB client driver requests hashes from the SMB server driver, which asks the SMB Hash Generation Service to generate or update the hash (the HashGen utility can save hashes ahead of time); the returned hashlist lets the CSC service prefetch the file data from the branch cache]
How is SSL Optimized?
[Diagram: client (IE) and server (IIS) protocol stacks: HTTP and BranchCache sit above SSL, so they see the data in the clear; SSL, Sockets and IPsec below them carry the data encrypted]
Security
Server side:
• Block hashes = Hash(block), one per block B1 … Bn
• Segment hash (SH) = Hash(block hashes)
• Private segment key (SK) = Hash(SH, Ks), where Ks is the server secret key
Client side:
• Segment discovery key = Hash(SK, SH + “HoHoDk”)
• Encryption key = Hash(SK, “KeKeKe”)
Client requests data from the server, and indicates BranchCache capability
Server authorizes the client
Server retrieves metadata (block hashes, segment hashes, private segment key) for the data
Server sends metadata on same channel as data
Client computes a segment discovery key
• Broadcasts on the local network
Serving clients receive the broadcast
• Decrypt the segment hash from the segment discovery key
• Respond with data availability
Client requests blocks from the serving client
• Serving client computes encryption key from the segment private key
• Serving client encrypts each block with the encryption key
Client receives the data
• Decrypts the data
• Validates block data against the block hash
• If valid, returns to application
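The content identifiers and the key derivation described above (blocks, segments, SH, SK, discovery key, encryption key, block validation), as an added example that is not code from the slides or from Microsoft's implementation. The slides do not name the hash function, so HMAC-SHA256 is assumed as Hash(key, message), a 64 KB block size is constructed, and the serving client's “decrypt the segment hash” step is modelled as matching the broadcast key against discovery keys it can recompute only from its own cached SK.

```python
import hashlib
import hmac

BLOCK_SIZE = 64 * 1024  # constructed; the slides only say 64 KB and larger content is cached


def keyed_hash(key: bytes, msg: bytes) -> bytes:
    # Assumed stand-in for the slides' Hash(key, message): HMAC-SHA256.
    return hmac.new(key, msg, hashlib.sha256).digest()


def block_hashes(segment: bytes) -> list:
    # Block hash = Hash(block); blocks are the unit of download.
    return [hashlib.sha256(segment[i:i + BLOCK_SIZE]).digest()
            for i in range(0, len(segment), BLOCK_SIZE)]


def segment_hash(hashes: list) -> bytes:
    # Segment hash SH = Hash(block hashes); segments are the unit of discovery.
    return hashlib.sha256(b"".join(hashes)).digest()


def server_metadata(segment: bytes, ks: bytes) -> dict:
    # Metadata the content server sends to an authorized client on the data channel.
    # SK = Hash(SH, Ks): Ks is assumed to be the key of the keyed hash.
    hashes = block_hashes(segment)
    sh = segment_hash(hashes)
    return {"block_hashes": hashes, "sh": sh, "sk": keyed_hash(ks, sh)}


def discovery_key(sk: bytes, sh: bytes) -> bytes:
    # Segment discovery key = Hash(SK, SH + "HoHoDk"); this is what the client broadcasts.
    return keyed_hash(sk, sh + b"HoHoDk")


def encryption_key(sk: bytes) -> bytes:
    # Encryption key = Hash(SK, "KeKeKe"); a serving client derives it from SK alone.
    return keyed_hash(sk, b"KeKeKe")


def find_segment(broadcast: bytes, cache: dict):
    # Serving client recovers SH from the broadcast by recomputing the discovery key
    # for each segment it holds (cache maps SH -> SK); without SK nothing matches.
    for sh, sk in cache.items():
        if hmac.compare_digest(discovery_key(sk, sh), broadcast):
            return sh
    return None


def validate_block(block: bytes, expected: bytes) -> bool:
    # Receiving client checks every decrypted block against the server-supplied hash.
    return hmac.compare_digest(hashlib.sha256(block).digest(), expected)
```

Two servers holding identical content produce the same SH but, with different Ks, different SK and discovery keys, which is why knowing a content hash alone does not let a peer locate or decrypt cached data.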
Clients
• Cache only contains content requested by the client
• Data in cache ACL’d so that it is only accessible if authorized by the server
• If data leakage is a concern, then use BitLocker or EFS
Hosted Cache
• Cache contains content requested by all branch clients
• Use BitLocker or EFS to encrypt cache as necessary
• All data can be purged from the cache using netsh
Q: When will this be made available for Vista?
A: It won’t. BranchCache is only supported with Windows 7 Enterprise, Ultimate & Windows 2008 R2 editions.
Q: What size content is cached?
A: 64 KB and greater.
Q: Is there a peer discovery timeout?
A: 300 ms
Q: What kind of encryption is used?
A: Custom scheme based on AES128.
Q: Does knowledge of the hash ID grant access?
A: No. Access must still be granted by the file server.
Q: Will BranchCache work during WAN outages?
A: No. Clients must be able to contact the content server to get content identifiers.
Q: Can I pre-populate cached files?
A: Sure. Consider using scheduled tasks, PowerShell Remoting or some other technique. For WSUS & SCCM, consider targeting one client in each remote office before the others.
Q: How does BC avoid discovery storms?
A: Responses to search requests are staggered. Additionally, if a client detects that many others on the subnet already have a piece of content, it won’t bother caching it too.
Q: What happens to the local cache if the BranchCache client mode changes?
A: The local cache is unaffected and will still be used by the client:
• Hosted clients that become Distributed clients will begin responding to WS-D searches, serving data from the same cache.
• Distributed clients that become Hosted clients will stop responding to WS-D searches, but will continue to use the local cache.
Q: How long does data stay in cache?
A: Until NetSH is used to flush the cache or until the cache is full and starts to roll.
Q: Is BranchCache supported on Server Core?
A: Absolutely.
BranchCache™ reduces WAN bandwidth consumed by end users for intranet based HTTP and SMB traffic and improves end user experience
BranchCache™ accelerates delivery of encrypted and signed content such as when using HTTPS, IPsec, SMB signing and at the same time ensures authorization of users by the server at the central office.
BranchCache™ doesn’t require additional equipment in the branch offices and can be easily managed using existing systems management technology such as group policy
BranchCache has a vibrant and growing ecosystem giving customers the choice to pick a solution that works best for their needs
For Windows 7, Microsoft has made numerous improvements that streamline image deployment. These improvements include native compatibility mitigation for an extended range of applications, new and improved image-engineering tools that improve the deployment experience for IT professionals and users alike, as well as improvements that streamline migration of users’ files and settings.
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions,
it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.