Ravi Rao Senior Program Manager Microsoft WSV303 Agenda Problem background Solution modes Deployment Demo Deep Dives Content Identification Integration architecture Security End to end flow Partners Resources.


Ravi Rao
Senior Program Manager
Microsoft
WSV303
Agenda
Problem background
Solution modes
Deployment
Demo
Deep Dives
Content Identification
Integration architecture
Security
End to end flow
Partners
Resources
Problem background
Thin, expensive WAN links between main office and branch offices
High link utilization
Poor application responsiveness
Trend towards data centralization
Customers say…
“We are improving the efficiency of our branch offices and saving bandwidth by using BranchCache in Windows Server 2008 R2 and Windows 7,” said Lukas Kucera, IT services manager of Lukoil CEEB, one of the largest integrated oil and gas companies in the world. “Some of our smaller facilities, such as the office in Slovakia and the storage terminal in Belgium, have just five to 10 users, so it’s not efficient to deploy a file server on-site, but it consumes bandwidth to have them continually accessing files from the main servers. BranchCache is the perfect solution.”
“Taking advantage of the BranchCache feature in Windows Server 2008 R2, we can spend $20,000 rather than $50,000 per year on bandwidth by postponing our expansion schedule.”
David Feng, IT Director, Sporton International
Convergent Computing (CCO) wanted to improve remote network access for its mobile users. Using the DirectAccess and BranchCache™ features in Windows Server® 2008 R2 and Windows 7, CCO has simplified remote connection to its network and sped the downloading of important files. It has cut costs by eliminating its virtual private network and has seen a 43 percent savings in wide area network (WAN) bandwidth.
Solution Tenets
Optimized
• Distributed – retrieve from other clients in the branch
• Centralized – retrieve from a “hosted cache” in the branch
Secured
• Client can only retrieve content locally if authorized by the content server
• All data transfers in the branch are encrypted
End to End
• Maintains protocol integrity
• Benefits from protocol optimizations
• Optimizes SSL, IPsec, SMB signing, HTTP, SMB
Diagram: Distributed Cache – clients in the branch exchange content IDs and data directly with each other. Hosted Cache – clients search the hosted cache by ID and receive the data from it.
Hosted Cache
Centralized cache of data downloaded by the branch
The Hosted cache on Windows Server 2008 R2 provides the following features
A centralized cache for
Protocols: HTTP, SMB
E2E encrypted/signed traffic: SSL, IPsec, SMB signing etc
Does not “modify” protocols; benefits from protocol optimizations
Configurable size/location/persisted across reboots/flush-able
Works across multiple subnets
Admins can seed content by writing custom scripts
Can be a virtual workload in an appliance
Easy to deploy; clients are configured via policy
Hosted Cache vs. Distributed
Distributed Cache
• Data cached amongst clients
• Recommended for branches without any infrastructure
• Easy to deploy: Enabled on clients through Group Policy
• Cache availability decreases with laptops that go offline
Hosted Cache
• Data cached at hosted cache server
• Recommended for larger branches
• Cache stored centrally: can use existing server in the branch
• Cache availability is high
• Enables branch-wide caching
Overall Framework
Diagram: BranchCache™ sits beneath the SMB and HTTP stacks. SMB consumers shown: 3rd party applications, Office, Robocopy, Explorer, AppV. HTTP consumers shown: SharePoint, Office, BITS, WMP, IE.
Deployment
Deployment
Distributed
HQ: Content Server (must run R2)
Branch: Client (must run Win 7 or R2)
Hosted
HQ: Content Server (must run R2)
Branch: Hosted Cache (must run R2)
Branch: Client (must run Win 7)
Works on Server Core R2 as well!
Deployment - Content server
HTTP server (IIS) - Install the BranchCache
feature from Server Manager
SMB server (File server) – Install the
BranchCache role service feature within the file
server role using Server Manager
That’s it…
Deployment - Client
Identify the “branch”
• An Active Directory Site
• An IP address range
• A collection of specific client computers
Choose how to deploy
• Group Policy
• netsh
Deploy to clients!
• Group policy: Use built-in ADMX files
• netsh: Run netsh branchcache set service mode=distributed on all relevant clients
Deployment – Hosted Cache
Setup the hosted cache
• Install the BranchCache feature on an R2 server
• Install a server-authentication certificate for SSL, issued by a CA the branch clients trust, and bind it to the hosted cache’s HTTPS listener
• Run netsh branchcache set service mode=hostedserver on the hosted cache
Identify Branch
Choose how to deploy
Deploy to clients!
• Group policy: Use built-in ADMX files
• netsh: Run netsh branchcache set service mode=hostedclient location=<hosted cache FQDN> on all clients; the name given must match the subject of the hosted cache’s SSL certificate, or clients will refuse the connection
Deployment - Summary
• Group Policy to enable clients (Group Policy Management)
• Install BranchCache™ feature on an R2 server (File Server, IIS)
• Optionally, install a hosted cache in your branch.
Additional configuration options
Enable / disable distributed cache mode
Enable / disable hosted cache mode
Set the cache size
Set the location of the hosted cache
Clear the cache
Create and replicate a shared key for use in a server cluster
And more …
Works in domains and workgroups
Monitoring
Event logs - Operational logs & Audit logs
Perfmon counters - Client, hosted cache and Content Server
netsh for querying the infrastructure for potential problems: cache size too small, firewall issues, certificate problems etc
SCOM pack - for rolling all the information up
BranchCache in Action
Devrim Iyigun
Senior Product Manager
Microsoft
Going Deeper…
Content Identifiers
Hashes – returned by server
Blocks – unit of download
Segments – unit of discovery
Content identifiers (segment hashes, block hashes) give up to ~2000x data reduction over the content itself
Diagram: content is split into segments S1, S2, S3; each segment is split into blocks B1 … Bn.
HTTP Integration
Diagram: IE opens a URL through wininet, which marks the request “Branch Cache Capable”. On the server, IIS hands the data to http.sys, and the server-side BranchCache component produces a hashlist (H1 … H5) that is returned in place of the data. The client-side BranchCache component uses the hashlist to get the data from the branch, and wininet returns it to IE.
SMB Integration
Diagram: Client side – an application calls ReadFile; the CSC Driver (backed by the CSC Cache and CSC Service) prefetches file data through the SMB Client Driver, which requests hashes and receives the hashlist from the SMB Server Driver; BranchCache then supplies the data from the branch. Server side – the SMB Hash Generation Service (or the HashGen Utility) generates or updates hashes on request and saves them; the SMB Server Driver accesses the saved hashes to answer hash requests.
How is SSL Optimized?
Diagram: on both the client (IE) and the server (IIS), BranchCache sits at the HTTP layer, above SSL and the sockets layer, with IPsec below that. Data is in the clear at HTTP and at BranchCache; it is encrypted by SSL and by IPsec underneath. Hashes are therefore computed over plaintext at the endpoints while the wire stays encrypted end to end.
Security
Key derivation on the server, bottom up:
Blocks B1 … Bn
Block hashes = Hash(block)
Segment hash (SH) = Hash(block hashes)
Server secret key Ks (held only by the server)
Private segment key (SK) = Hash(SH, Ks), a keyed hash of SH under Ks
Derived on the client from the SK and SH the server returns:
Segment discovery key = Hash(SK, SH + “HoHoDk”)
Encryption key = Hash(SK, “KeKeKe”)
Flow – a Security View
Client requests data from the server, and
indicates BranchCache capability
Server authorizes the client
Server retrieves metadata (block hashes, segment
hashes, private segment key) for the data
Server sends metadata on same channel as data
Client computes a segment discovery key
Broadcasts on the local network
Flow, Continued
Serving clients receive the broadcast
Match the discovery key against the segments they hold (it is a keyed hash of the segment hash under the private segment key, so a peer that does not hold the segment cannot recover the segment hash from it)
Respond with data availability
Client requests blocks from the serving client
Serving client computes encryption key from the segment
private key
Serving client encrypts each block with the encryption key
Client receives the data
Decrypts the data
Validates block data against the block hash
If valid, returns to application
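The derivation on the Security slide and the peer flow above, as an added worked example. This is not code from the deck or from Microsoft: it models the scheme the slides describe, using SHA-256 and HMAC-SHA256 and the literal strings “HoHoDk” and “KeKeKe” exactly as the slide labels them (the actual wire constants and cipher are specified in MS-PCCRC and MS-PCCRR). The 64 KB block and 32 MB segment sizes are the MS-PCCRC v1 values; the class names, the HMAC counter-mode keystream standing in for the wire cipher, and the sample content are all constructed for the example.

```python
import hashlib
import hmac
import os

BLOCK_SIZE = 64 * 1024            # MS-PCCRC v1 block size, 64 KB
SEGMENT_SIZE = 32 * 1024 * 1024   # MS-PCCRC v1 segment size, 32 MB
HASH = hashlib.sha256             # assumption: SHA-256 for every hash on the slide


def split(data, size):
    return [data[i:i + size] for i in range(0, len(data), size)]


def block_hashes(segment):
    # Block hashes = Hash(block), one per 64 KB block of the segment
    return [HASH(b).digest() for b in split(segment, BLOCK_SIZE)]


def segment_hash(hashes):
    # Segment hash (SH) = Hash(block hashes): hash over the concatenated block hashes
    return HASH(b"".join(hashes)).digest()


def private_segment_key(ks, sh):
    # SK = Hash(SH, Ks): the server secret Ks keys an HMAC over SH
    return hmac.new(ks, sh, HASH).digest()


def discovery_key(sk, sh):
    # Segment discovery key = Hash(SK, SH + "HoHoDk"): the value broadcast in the branch
    return hmac.new(sk, sh + b"HoHoDk", HASH).digest()


def encryption_key(sk):
    # Encryption key = Hash(SK, "KeKeKe"): known only to peers that were given SK
    return hmac.new(sk, b"KeKeKe", HASH).digest()


def hashlist_bytes(content_len):
    """Bytes of metadata (one block hash per block, one SH per segment) for content_len bytes."""
    n_blocks = -(-content_len // BLOCK_SIZE)
    n_segments = -(-content_len // SEGMENT_SIZE)
    return (n_blocks + n_segments) * HASH().digest_size


class ContentServer:
    """Content server: owns Ks and returns per-segment metadata to authorized clients only."""

    def __init__(self):
        self.ks = os.urandom(32)

    def metadata(self, content, authorized):
        if not authorized:
            raise PermissionError("server authorizes the client before sending metadata")
        out = []
        for seg in split(content, SEGMENT_SIZE):
            bh = block_hashes(seg)
            sh = segment_hash(bh)
            out.append({"sh": sh, "sk": private_segment_key(self.ks, sh), "blocks": bh})
        return out


def keystream_xor(key, block_index, data):
    # Stand-in for the wire cipher (illustration only): HMAC-SHA256 in counter mode,
    # with the block index in the counter so every block gets its own keystream.
    stream = b""
    counter = 0
    while len(stream) < len(data):
        ctr = block_index.to_bytes(4, "big") + counter.to_bytes(4, "big")
        stream += hmac.new(key, ctr, HASH).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class ServingPeer:
    """Branch client that already holds a segment and answers discovery by discovery key."""

    def __init__(self):
        self.store = {}

    def add(self, seg_meta, segment):
        dk = discovery_key(seg_meta["sk"], seg_meta["sh"])
        self.store[dk] = (seg_meta["sk"], split(segment, BLOCK_SIZE))

    def has(self, dk):
        return dk in self.store

    def block(self, dk, i):
        sk, blocks = self.store[dk]
        return keystream_xor(encryption_key(sk), i, blocks[i])


def fetch_from_peer(seg_meta, peer, tamper_block=None):
    """Requesting client: discover, pull each block encrypted, decrypt, validate against its block hash."""
    dk = discovery_key(seg_meta["sk"], seg_meta["sh"])
    if not peer.has(dk):
        return None                                   # nobody in the branch has it: go to the WAN
    ke = encryption_key(seg_meta["sk"])
    plain = []
    for i, expected in enumerate(seg_meta["blocks"]):
        wire = peer.block(dk, i)
        if i == tamper_block:                         # simulate a corrupt or malicious peer
            wire = bytes([wire[0] ^ 1]) + wire[1:]
        block = keystream_xor(ke, i, wire)
        if HASH(block).digest() != expected:
            raise ValueError(f"block {i} failed hash validation, discarding")
        plain.append(block)
    return b"".join(plain)


def sample_content(n_blocks=3, tail=100):
    # Constructed test content: a few full blocks plus a short final block
    return os.urandom(n_blocks * BLOCK_SIZE + tail)


if __name__ == "__main__":
    content = sample_content()
    meta = ContentServer().metadata(content, authorized=True)
    peer = ServingPeer()
    peer.add(meta[0], content)
    print("round trip ok:", fetch_from_peer(meta[0], peer) == content)
    print("32 MB segment vs its hashlist:", SEGMENT_SIZE // hashlist_bytes(SEGMENT_SIZE), "x")
```

Two properties worth noticing when running it: the same content served by two content servers with different Ks produces the same SH but different SK, so discovery keys and encryption keys do not match across them, and a peer that was never authorized by the server has nothing it can derive from a discovery key it overhears. A block that arrives corrupted fails the block-hash check and is discarded rather than handed to the application.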
Security of Data at Rest
Clients
Cache only contains content requested by the client
Data in cache ACL’d so that it is only accessible if authorized by the server
If data leakage is a concern, then use BitLocker or EFS
Hosted Cache
Cache contains content requested by all branch clients
Use BitLocker or EFS to encrypt cache as necessary
All data can be purged from the cache using netsh
BranchCache Ecosystem Partners
Microsoft and Riverbed - Better Together
Joint Optimization Solution for Windows 7 users
Riverbed Steelhead: Leading WAN optimization
solution + BranchCache
Leader in the Gartner magic quadrant
Accelerate applications: CIFS, MAPI, HTTP/S, TCP, and all
other key protocols
Cut bandwidth use: Save 65 – 95% of WAN utilization
POLP Licensing Partner, and Windows OEM
Deliver Windows to the branch with the Riverbed Services
Platform (RSP): Offer Windows services such as AD,
Streaming, Print, DNS and BranchCache
Visit Booth 247 for more info
Diagram: Steelhead Appliance with a Virtualization Layer hosting RSP VMs.
Riverbed and Microsoft to extend optimization further for Windows 7 users with BranchCache
Blue Coat – BranchCache Support
About Blue Coat
Application Delivery Network Vendor
ProxySG for WAN Optimization & Secure Web Gateway
Leader in Gartner Magic Quadrants (Secure Web Gateway, Sep 2008; WAN Optimization Controllers, Nov 2007)
Blue Coat will support BranchCache protocols
Blue Coat will license Hosted Cache protocols on ProxySG
Edge site hosted cache for SMB2, SMB signed & IPsec
Core site proxy for legacy content servers (non-WS 2008 R2)
Diagram: ProxySG in the Data Center and ProxySG in the Remote Office.
F5 and BranchCache
F5 is a player in Application Delivery Networking, with the mission of building network devices that support your applications, ensuring high availability, scalability, performance and security.
BranchCache adds to BIG-IP’s WAN acceleration portfolio
See a demo of BranchCache on the BIG-IP 6900 – visit booth 311
New Generation Application Delivery Platform
Application Acceleration & Load Balancing
BranchCache Augments AX Native Optimized Caching
BranchCache: Enhancing the Windows File Experience
Delivering best-in-class Windows® files services solution
Thousands of joint customers using SMB (CIFS) today
Use ranges from home directories to high performance engineering applications
Now also supporting SMB 2.0
BranchCache — NetApp® as a Content Server
Bring remote Windows users closer
Save on bandwidth and remote administration
NetApp is a gold sponsor – visit their booth!
Diagram: NetApp NAS in the data center serving branch office / remote users.
Symantec support for BranchCache
Symantec
World’s 4th largest ISV… Found in almost as many Windows environments as Microsoft
Security, Storage, HA, Backup, Archiving, Data Loss Prevention, Management…
Altiris Server Management Suite from Symantec
Provide support for monitoring BranchCache on Windows Server 2008 R2
Provide alerting when problems are detected
Orchestrate and automate remediation when necessary
Diagram: Altiris Server Management Suite from Symantec in the Corp HQ data center, monitoring the Branch.
Forefront Threat Management Gateway in the Branch
Site to Site VPN
Web Proxy & Cache
Single Host for TMG & BranchCache (Hosted Cache)
Standard deployment
• Enterprise Management
• Running on Windows Server 2008 R2
Featuring
• Anti-Virus
• URL Filtering
• HTTPS Inspection
• Network Intrusion Inspection
To Summarize
BranchCache™ reduces WAN bandwidth consumed by end users for intranet based HTTP and SMB traffic and improves end user experience
BranchCache™ accelerates delivery of encrypted and signed content such as when using HTTPS, IPsec, SMB signing and at the same time ensures authorization of users by the server at the central office.
BranchCache™ doesn’t require additional equipment in the branch offices and can be easily managed using existing systems management technology such as group policy
BranchCache has a vibrant and growing ecosystem giving customers the choice to pick a solution that works best for their needs
Resources
Website/TechNet
http://www.branchcache.com
http://technet.microsoft.com/en-us/network/dd425028.aspx
Email
[email protected]
At TechEd, we have booths in the TLC Orange Area
Windows Server Branch Office Solutions - BranchCache
Windows Services for the Branch – Partner Solutions
Resources
www.microsoft.com/teched
www.microsoft.com/learning
Sessions On-Demand & Community
Microsoft Certification & Training Resources
http://microsoft.com/technet
http://microsoft.com/msdn
Resources for IT Professionals
Resources for Developers
Related Content
Breakout Sessions
• WSV 403: Enhancing the Branch office experience with Windows Server 2008 R2
Hands-on Labs
• WSV14-HOL: Windows Server 2008 R2 - BranchCaching
Windows Server Resources
Make sure you pick up your copy of Windows Server 2008 R2 RC from the Materials Distribution Counter
Learn More about Windows Server 2008 R2:
www.microsoft.com/WindowsServer2008R2
Technical Learning Center (Orange Section):
Highlighting Windows Server 2008 and R2 technologies
• Over 15 booths and experts from Microsoft and our partners
Complete an evaluation on CommNet and enter to win!
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should
not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.