Ravi Rao, Senior Program Manager, Microsoft. Session Code: SVR306

Agenda
• Problem background
• Solution architecture
• Demos
• Deep Dives
• Ecosystem
Branch – The problem space
[Diagram: many branch offices connected to a central data center over WAN links]
In other words:
• WAN links are “thin”
• Congested WAN links lead to loss of productivity
• WAN links are expensive
• Data centralization makes the problem worse

Solution Tenets
Local
• Distributed – retrieve from other clients in the branch
• Centralized – retrieve from a “hosted cache” in the branch
Secured
• Client can only retrieve content locally if authorized by the content server
• All data transfers in the branch are encrypted
End to End
• Maintains protocol integrity
• Benefits from protocol optimizations
• Optimizes SSL, IPsec, SMB signing, HTTP, SMB
[Diagrams: Distributed Cache and Hosted Cache – clients exchange content IDs, search for them locally, and then retrieve the data]

Applications light up!

Configuration Manager & WSUS
Goals
• Reduce WAN utilization in the remote office scenario
• Reduce the number of actively managed Distribution Points
• For users, transfer content faster and with fewer restrictions in the remote office scenario
Integration
• Distribution Points (DPs) run on Windows Server 2008 R2
• Download packages (apps, updates etc.) once into a branch office; get them from other clients or the Hosted Cache after that
• Support for Configuration Manager (and WSUS) clients available on Windows Vista, Windows Server 2008 R2

Application Virtualization (AppV)
Goals
• Make users productive quickly in branch offices
• Save on the need for deploying IT infrastructure in branch offices
• Reduce bandwidth utilization over the WAN link to save costs
Integration
• HTTP streaming in AppV optimized using BranchCache
• Virtual applications only have to traverse the WAN link once
• Eliminate IIS servers (AppV staging servers) from the branch office
• Support available on Windows 7 and Windows Server 2008 R2

SharePoint & IIS
Goals
• Improve SharePoint and IIS responsiveness in branch offices without requiring separate branch infrastructure
• Enable Office Web Applications to see improved performance in branch offices
Integration
• IIS and SharePoint need to run on Windows Server 2008 R2
• Users never get stale content; if content is updated, the content identifiers change
• Support available for Windows 7 and Windows Server 2008 R2

File Servers
Goals
• Improve the SMB protocol to reduce chattiness over the WAN link, and be aware of common application behaviors
• Reduce bandwidth utilization over the WAN link, and improve performance of applications (Robocopy, Office etc.) in branch offices
Integration
• SMB 2.1 introduces “Leasing and OpLocks” – mechanisms to improve protocol behavior over the WAN link
• BranchCache integration ensures that data needs to move over the WAN link only once
• SMB Transparent Caching enables better road-warrior scenarios
• Offline Files enables file access even when the WAN link is down
• All application semantics around locking are automatically maintained
• Available on Windows 7 and Windows Server 2008 R2

DirectAccess, SSL, IPsec, SMB Signing
• Scenarios requiring end-to-end secure, encrypted transports “just work” with BranchCache
• As a result, DirectAccess, IPsec scenarios (such as Server/Domain Isolation) and even point-to-point VPNs automatically work

Overall Framework
[Diagram: applications (3rd Party Applications, WSUS, Office, Robocopy, AppV, SharePoint, SCCM, WMP, IE) on top of the transports SMB 2.1, BITS and HTTP/1.1, which sit on top of BranchCache™]

How is SSL Optimized?
[Diagram: client stack IE / HTTP / SSL / Sockets beside server stack IIS / HTTP / SSL / Sockets. Data is in the clear at the application and HTTP layers, which is where BranchCache operates; it is encrypted at the SSL and sockets layers below. The IPsec case is the same: BranchCache sits above IPsec, and the data on the wire stays encrypted.]

Deployment

Deployment – Content server
• HTTP server (IIS): install the BranchCache feature from Server Manager
• SMB server (file server): install the BranchCache role service feature within the file server role using Server Manager; enable on the whole machine or on specific shares

Deployment – Client
Identify the “branch”
• An Active Directory site
• An IP address range
• A collection of specific client computers
Choose how to deploy
• Group Policy
• netsh
Deploy to clients!
• Group Policy: use the built-in ADMX files
• netsh: run netsh branchcache set service distributed on all relevant clients

Deployment – Hosted Cache
Set up the hosted cache
• Install the BranchCache feature on an R2 server
• Install a server-authentication certificate for use with SSL
• Run netsh branchcache set service hostedserver on the hosted cache
Identify the branch, choose how to deploy, deploy to clients!
• Group Policy: use the built-in ADMX files
• netsh: run netsh branchcache set service hostedclient location=<> on all clients

Deployment – Summary
• Group Policy to enable clients
• Install the BranchCache™ feature on an R2 server (file server, IIS)
• Optionally, install a hosted cache in your branch.
Monitoring
• Event logs – operational logs & audit logs
• Perfmon counters – client, hosted cache and content server
• netsh for querying the infrastructure for potential problems: cache size too small, firewall issues, certificate problems etc.
• SCOM pack – for rolling all the information up

Going Deeper…

Content Identifiers
• Hashes – returned by the server
• Blocks – unit of download
• Segments – unit of discovery
• Content is reduced to segment hashes and block hashes: up to ~2000x data reduction
[Diagram: content split into segments S1, S2, S3, each split into blocks B1 … Bn]

HTTP/HTTPS Integration
[Diagram: IE opens a URL through wininet; IIS/http.sys answers a “Branch Cache Capable” request with data plus a hash list (H1 … H5); the client-side BranchCache uses the hash list to get the data locally]

SMB/SMB Signing Integration
[Diagram: application ReadFile goes through the CSC driver and CSC cache (with prefetch); the SMB client driver requests hashes from the SMB server driver; on the server, the SMB Hash Generation Service and the HashGen utility generate or update hashes and save them; the hash list flows back to BranchCache on the client]

Security
• Block hashes: Hash(block) for each block B1 … Bn
• Segment hash of data: HoD = Hash(block hashes)
• Segment secret: Kp = Hash(HoD, Ks), where Ks is the server secret key
• Segment ID: Hash(Kp, HoD + K)
• Client encryption key: Ke, derived from Kp

Server Flow – a Security View
• Client requests data from the server, and indicates BranchCache capability
• Server authorizes the client
• Server retrieves content identifiers (block hashes, segment hashes, segment secrets) for the data
• Server sends the content identifiers on the same channel as the data
• Client computes a segment ID and broadcasts it on the local network

Flow, Continued
• Serving clients receive the broadcast
• They decrypt the segment hash from the segment discovery key
• They respond with data availability
• Client requests blocks from the serving client
• Serving client computes the encryption key from the segment secret
• Serving client encrypts each block with the encryption key
• Client receives the data
• Client decrypts the data
• Client validates the block data against the block hash
• If valid, the data is returned to the application

Security of Data at Rest
Clients
• Cache only contains content requested by the client
• Data in the cache is ACL’d so that it is only accessible if authorized by the server
• If data leakage is a concern, use BitLocker or EFS
Hosted Cache
• Cache contains content requested by all branch clients
• Use BitLocker or EFS to encrypt the cache as necessary
• All data can be purged from the cache using netsh

Customers say…
“We are improving the efficiency of our branch offices and saving bandwidth by using BranchCache in Windows Server 2008 R2 and Windows 7,” said Lukas Kucera, IT services manager of Lukoil CEEB, one of the largest integrated oil and gas companies in the world. “Some of our smaller facilities, such as the office in Slovakia and the storage terminal in Belgium, have just five to 10 users, so it’s not efficient to deploy a file server on-site, but it consumes bandwidth to have them continually accessing files from the main servers. BranchCache is the perfect solution.”

“Taking advantage of the BranchCache feature in Windows Server 2008 R2, we can spend $20,000 rather than $50,000 per year on bandwidth by postponing our expansion schedule.” – David Feng, IT Director, Sporton International

Convergent Computing (CCO) wanted to improve remote network access for its mobile users. Using the DirectAccess and BranchCache™ features in Windows Server® 2008 R2 and Windows 7, CCO has simplified remote connection to its network and sped up the downloading of important files. It has cut costs by eliminating its virtual private network and has seen a 43 percent savings in wide area network (WAN) bandwidth.
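The identifier chain and the peer retrieval flow from the Security slides, as an added illustration that is not code from the session or from Windows: Hash(key, data) is stood in by HMAC-SHA256, plain hashes by SHA-256, the block size is shrunk to 16 bytes, the constant K and the Ke derivation label are constructed values, and the block cipher is a keystream stand-in rather than the real protocol cipher. It shows why a peer that was not authorized by the server (and so never received Kp) cannot even locate the segment, and why a tampered block is rejected before reaching the application.

```python
import hashlib
import hmac

# Assumptions for this illustration (not the MS-PCCRC constants): Hash(key, data) is
# HMAC-SHA256, plain hashes are SHA-256, blocks are shrunk to 16 bytes so a short
# constructed input spans several blocks, and K / the Ke label are constructed strings.
BLOCK_SIZE = 16
K = b"constructed-segment-id-label"
KE_LABEL = b"constructed-encryption-key-label"


def keyed_hash(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def content_identifiers(data: bytes, ks: bytes) -> dict:
    """Server side: identifiers sent to an authorized client on the same channel as the data."""
    blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
    block_hashes = [hashlib.sha256(b).digest() for b in blocks]   # Hash(block)
    hod = hashlib.sha256(b"".join(block_hashes)).digest()         # HoD = Hash(block hashes)
    kp = keyed_hash(ks, hod)                                      # Kp = Hash(HoD, Ks)
    return {"blocks": blocks, "block_hashes": block_hashes, "hod": hod, "kp": kp}


def segment_id(kp: bytes, hod: bytes) -> bytes:
    return keyed_hash(kp, hod + K)                                # Segment ID = Hash(Kp, HoD + K)


def encrypt_block(kp: bytes, index: int, block: bytes) -> bytes:
    """Stand-in cipher: XOR with a per-block keystream from Ke, which is derived from Kp."""
    ke = keyed_hash(kp, KE_LABEL)
    stream = keyed_hash(ke, index.to_bytes(4, "big"))
    return bytes(a ^ b for a, b in zip(block, stream))            # symmetric: also decrypts


def serve_segment(ids: dict) -> dict:
    """Serving client: advertise the segment under its ID and hand out only encrypted blocks."""
    enc = [encrypt_block(ids["kp"], i, b) for i, b in enumerate(ids["blocks"])]
    return {segment_id(ids["kp"], ids["hod"]): enc}


def fetch_from_peer(block_hashes: list, hod: bytes, kp: bytes, peers: dict):
    """Requesting client: discover by segment ID, decrypt, validate every block before returning."""
    enc = peers.get(segment_id(kp, hod))
    if enc is None or len(enc) != len(block_hashes):
        return None              # nothing advertised under this ID (or wrong Kp): fall back to the server
    out = b""
    for i, (ct, expected) in enumerate(zip(enc, block_hashes)):
        block = encrypt_block(kp, i, ct)
        if hashlib.sha256(block).digest() != expected:
            return None          # tampered or mis-keyed block: never hand it to the application
        out += block
    return out
```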
Microsoft Service Offerings
• Microsoft Services: part of the Microsoft commitment to help you be successful with your Microsoft solutions
• Offerings built using…
  • Service Delivery Methodology (SDM)
  • Microsoft Operations Framework (MOF)
  • IT Infrastructure Library (ITIL)
• Contain implementation and operations IP from…
  • Product Groups
  • Architects
  • Consultants
• Include best practices from enterprise deployments
• Ensure quality & consistency
• Available to partners to deliver

Optimized Branch Infrastructure Solution Framework
• Pre-engagement: Questionnaire, Engagement Kickoff
• Envisioning: Discovery & Assessment, Vision & Scope
• Planning: Deployment Plan
• Build: Implementation Plan
• Stabilize: Operations Plan
• Deploy: Final Presentation

Branch Standardization
SCOPE: Build a basic platform using Windows Client & Server and System Center products
BUSINESS DRIVERS: Cost Reduction, Agility, Manageability, Security
TECHNOLOGIES: Hyper-V, Network Infrastructure, BitLocker, BranchCache, SCVMM, File Service, Desktop deployment, W2K8 R2, Win7

Server Consolidation and Service Optimization
Scenarios: Server, Desktop, and Application Virtualization
Technologies: High Availability, Active Directory, Exchange, SVAM WMP

Centralized Management and Branch Provisioning
Scenarios: Provisioning, Patch Mgmt, Server and Configuration Monitoring
Technologies: SCOM, SCCM, NAP, SCDPM

Network Efficiency and Client Productivity
Scenarios: Identity and Access Mgt., Data Security, WAN Optimization
Technologies: BranchCache, OS deployment, FileService, Win7, Office14

Branch Alliance

To Summarize
• BranchCache™ reduces the WAN bandwidth consumed by end users for intranet-based HTTP and SMB traffic and improves the end-user experience
• BranchCache™ accelerates delivery of encrypted and signed content, such as when using HTTPS, IPsec and SMB signing, and at the same time ensures authorization of users by the server at the central office
• BranchCache™ doesn’t require additional equipment in the branch offices and can be easily managed using existing systems management technology such as Group Policy
• BranchCache has a vibrant and growing ecosystem, giving customers the choice to pick a solution that works best for their needs

BranchCache Resources
Protocols
• Content Identification (PCCRC)
• Discovery (PCCRD)
• Retrieval (PCCRR)
• Hosted Cache Offer (PCHC)
• HTTP extensions for BranchCache (PCCRTP)
• SMB extensions for BranchCache (SMB2.1)
Netmon Parsers
• Protocol parsers
Collateral
• BranchCache Executive Overview
• BranchCache Technical Overview
• BranchCache Security Guide
• BranchCache Deployment Guide
Case studies (partial)
• Sporton International
• Convergent Computing
Email: [email protected]
Website: http://www.branchcache.com

Resources
• www.microsoft.com/teched – Sessions On-Demand & Community
• www.microsoft.com/learning – Microsoft Certification & Training Resources
• http://microsoft.com/technet – Resources for IT Professionals
• http://microsoft.com/msdn – Resources for Developers

Windows Server Resources
• Make sure you pick up your copy of Windows Server 2008 R2 RC from the Materials Distribution Counter
• Learn more about Windows Server 2008 R2: www.microsoft.com/WindowsServer2008R2
• Technical Learning Center (Orange Section): highlighting Windows Server 2008 and R2 technologies, with over 15 booths and experts from Microsoft and our partners

Complete an evaluation on CommNet and enter to win an Xbox 360 Elite!

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation.
Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.