Driven by the need to reduce the cost and complexity of branch IT, organizations are centralizing applications in the data center. As they do so, the branch office becomes dependent on the availability and quality of the WAN link: centralization increases WAN utilization and degrades application performance. Even though the cost of WAN links has fallen, recent studies show that WAN costs remain a major component of enterprises' operational expenses.
Figure 31: The branch office problem
The BranchCache™ feature in Windows Server 2008 R2 and Windows 7 reduces utilization of the WAN links that connect branch offices to the data center and improves the end-user experience at branch locations by caching frequently used content on the branch office network.
When a branch client retrieves content from a server in the corporate data center, a copy of that content is stored on the branch office network. Subsequent requests for the same content are served from that local copy, which improves access times and reduces WAN bandwidth between the branch and corpnet. BranchCache™ caches both HTTP and SMB content. It does not weaken access control: the content server in the data center still authenticates and authorizes every request before it returns the content hashes that a client needs to locate the content locally, so only users who are authorized on the server can retrieve content from the branch cache. BranchCache™ also works with content delivered over SSL or IPsec and accelerates it in the same way.
BranchCache™ can be deployed in two modes. In the first, hosted cache mode, the cached content is stored on a dedicated BranchCache™ server in the branch office, which improves cache availability. This is likely to be the more common deployment and is intended for larger branch offices where many users may use BranchCache™ simultaneously. Because the hosted cache server is always on, content remains available even when the client that first retrieved it is off-line, and the content server in the data center continues to authorize every request end to end.
Figure 32: The BranchCache™ server deployment scenario
The second mode, distributed (peer) cache mode, relies on peer-to-peer content requests and is intended only for very small remote offices (roughly 5 to 10 users) that do not justify a dedicated local server. In this mode the content server at corpnet receives the client's request and, if the content has previously been requested from that remote site, returns a set of content hashes rather than the data; the client uses the hashes to locate the content on the remote network, usually on another user's PC, and retrieves it from there. If the content has never been requested, or the client that previously requested it is off-line, the request is served normally across the WAN.
Figure 33: BranchCache™ peer-based deployment model
Hosted Caching for HTTP Content: Step-by-step Feature Review
To review how the Hosted Caching feature works for HTTP content, you need to complete the following tasks:
Configure the BranchCache feature to support caching of HTTP content.
Enable the BranchCache feature on client computers using Group Policy settings.
Verify the performance of HTTP content caching.
Note: Perform these steps in a test environment as these steps could adversely affect your production environment. Also, you need to have a method of simulating a Wide Area Network (WAN) connection to perform these steps.
Perform the steps in the following table while logged on as a member of the Enterprise Admins security group.
Table 1213: Configure BranchCache Feature for HTTP Content Caching

1. Start Server Manager
   On the Start menu, point to Administrative Tools, and then click Server Manager.

2. Install the Windows Branch Cache feature
   In Server Manager, click Features.
   Under Features Summary, click Add Features.
   In the Add Features Wizard, under Features, check Windows Branch Cache, click Next, and then click Install.
   Wait for the installation to complete.
   Click Close.

3. Enable Hosted Cache Server mode
   On the Start menu, in Start Search, type cmd, and then press Enter.
   At the command prompt, type the following command and then press Enter.
     netsh peerdist set service mode=HOSTEDSERVER

4. Verify Hosted Cache Server mode is enabled
   At the command prompt, type the following command, press Enter, and confirm that the reported service mode is Hosted Cache Server.
     netsh peerdist show status all

5. Verify SSL bindings
   At the command prompt, type the following command and then press Enter.
     netsh http show sslcert
   An SSL certificate must be bound to the port on which the hosted cache server listens for HTTPS (443 unless you changed it). Hosted cache clients connect to the server over HTTPS, so without this binding the hosted cache does not function.

6. View the SSL certificate
   At the command prompt, type the following commands, pressing Enter after each command.
     powershell
     cd Cert:\LocalMachine\My
     Get-ChildItem | Format-List *
     exit
   Find the certificate whose Thumbprint matches the Certificate Hash shown in the SSL binding and note the value of its Subject field.
   When you configure the hosted cache clients, you must use the computer name exactly as listed in that Subject field as the Cache Location, because clients validate the server's certificate against the name they were given.
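Steps 4 to 6 above can be scripted so that a misconfiguration fails loudly instead of depending on a visual check. The following PowerShell script is an added example; it is not code from the original guide or from the product. It assumes it runs from an elevated prompt on the hosted cache server, that the netsh peerdist context used in the table above is what the installed build exposes, that the hosted cache listens for HTTPS on port 443, and that the words "Hosted" and "Server" appear together on the service-mode line of netsh peerdist show status all (inspect the raw output once before relying on that match).

```powershell
# Added example, not code from the original guide. Verifies that this server is in
# Hosted Cache Server mode and that the HTTPS binding and certificate are what branch
# clients will accept. Assumptions: elevated prompt on the hosted cache server, the
# "netsh peerdist" context used by the tables above, HTTPS on port 443, and the
# service-mode wording matched by the regex in Test-HostedCacheServer.

function ConvertFrom-SslCertOutput {
    # Turns the "Key : Value" blocks printed by "netsh http show sslcert" into one
    # object per binding. A block begins with the "IP:port" line.
    param([string[]]$Lines)
    $bindings = @()
    $current  = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            if ($current) { $bindings += $current }
            $current = New-Object PSObject -Property @{
                Endpoint = $matches[1]; Hash = ''; AppId = ''; Store = ''
            }
        } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
            $current.Hash = $matches[1].ToUpper()     # Cert: drive thumbprints are upper-case
        } elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\S+)') {
            $current.AppId = $matches[1]
        } elseif ($current -and $line -match '^\s*Certificate Store Name\s*:\s*(\S+)') {
            $current.Store = $matches[1]
        }
    }
    if ($current) { $bindings += $current }
    return $bindings
}

function Test-HostedCacheServer {
    param([int]$Port = 443)
    $problems = @()
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

    # Step 4: service mode. The exact wording of the status line is an assumption.
    $status = (netsh peerdist show status all 2>&1) | Out-String
    if ($status -notmatch '(?i)hosted\s*(cache\s*)?server') {
        $problems += "Service mode is not Hosted Cache Server. netsh reported:`n$status"
    }

    # Step 5: an HTTPS binding must exist on the hosted cache port.
    $pattern  = ':' + $Port + '$'
    $bindings = ConvertFrom-SslCertOutput -Lines (netsh http show sslcert)
    $binding  = $bindings | Where-Object { $_.Endpoint -match $pattern } | Select-Object -First 1
    if (-not $binding) {
        $problems += "No SSL certificate is bound to port $Port."
    } else {
        # Step 6: the bound certificate must exist, be usable, and name this server.
        $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $binding.Hash }
        if (-not $cert) {
            $problems += "Port $Port is bound to thumbprint $($binding.Hash) but that certificate is not in LocalMachine\My."
        } else {
            if (-not $cert.HasPrivateKey)      { $problems += "Bound certificate has no private key." }
            if ($cert.NotAfter -lt (Get-Date)) { $problems += "Bound certificate expired on $($cert.NotAfter)." }
            if ($cert.Subject -notmatch [regex]::Escape($fqdn)) {
                $problems += "Certificate subject '$($cert.Subject)' does not contain '$fqdn'; " +
                             "clients whose Cache Location is $fqdn will fail certificate validation."
            }
        }
    }

    New-Object PSObject -Property @{
        Server   = $fqdn
        Binding  = $binding
        Healthy  = ($problems.Count -eq 0)
        Problems = $problems
    }
}

$result = Test-HostedCacheServer
$result | Format-List Server, Healthy, Problems
if (-not $result.Healthy) { exit 1 }
```

Run it after step 6; a non-zero exit code with the list of problems is what you want a deployment script to stop on. The subject check is the one most often missed: if the certificate names a short host name and the client policy uses the FQDN, clients silently fall back to fetching across the WAN.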
Enable BranchCache Feature on Client Computers using Group Policy
Perform the steps in the following table while logged on as a member of the Enterprise Admins security group.
Table 1314: Enable BranchCache Feature using Group Policy

1. Start Group Policy Management console
   On the Start menu, point to Administrative Tools, and then click Group Policy Management.

2. Create new Group Policy object
   In the Group Policy Management console, navigate to forest_name\Domains\domain_name\Group Policy Objects, right-click Group Policy Objects, and then click New.
   In the New GPO dialog box, in Name, type BranchCache Policy, and then click OK.

3. Configure BranchCache Group Policy settings
   In the Group Policy Management console, right-click BranchCache Policy, and then click Edit. The Group Policy Management Editor starts.
   In the editor, go to Computer Configuration/Policies/Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine/Network/Windows Branch Cache.
   Configure the following settings (where server_name is the fully qualified domain name of the hosted cache server, exactly as it appears in the Subject of the server's SSL certificate):
     Turn on Windows Branch Cache: Enabled
     Turn on Windows Branch Cache – Hosted cache mode: Enabled
     Turn on Windows Branch Cache – Hosted cache mode, Cache Location: server_name

4. Configure Windows Firewall inbound rules for BranchCache
   In the editor, go to Computer Configuration/Policies/Windows Settings/Security Settings/Windows Firewall with Advanced Security/Inbound Rules.
   On the Action menu, click New Rule, and create an inbound rule with the following values.
     Rule Type: Predefined: Peer Distribution – HTTP Transport (Uses HTTP)
     Action: Allow the connection
   On the Action menu, click New Rule again, and create a second inbound rule with the following values.
     Rule Type: Predefined: Peer Distribution – Hosted Cache (Uses HTTP)
     Action: Allow the connection

5. Configure Windows Firewall outbound rules for BranchCache
   In the editor, go to Computer Configuration/Policies/Windows Settings/Security Settings/Windows Firewall with Advanced Security/Outbound Rules.
   On the Action menu, click New Rule, and create an outbound rule with the following values.
     Rule Type: Predefined: Peer Distribution – HTTP Transport (Uses HTTP)
     Action: Allow the connection
   On the Action menu, click New Rule again, and create a second outbound rule with the following values.
     Rule Type: Predefined: Peer Distribution – Hosted Cache (Uses HTTP)
     Action: Allow the connection

6. Close the Group Policy Management Editor
   Close Group Policy Management Editor.

7. Close the Group Policy Management console
   Close Group Policy Management. Link the BranchCache Policy GPO to the organizational unit or site that contains the branch client computers; a GPO that is created but not linked has no effect, and the clients must have applied it (gpupdate /force, then gpresult /r to confirm) before the verification steps below will show any caching.
Verify Performance of HTTP Content Caching
Perform the steps in the following table while logged on as a member of the Enterprise Admins security group.
Note: Perform these steps on two client computers that have received the Group Policy settings and are on the other side of the WAN connection from the server.
Table 1415: Verify Performance of HTTP Content Caching

1. Start Internet Explorer on the first client computer
   On the first client computer, on the Quick Launch bar, click Internet Explorer.

2. Download the HTTP content on the first client computer
   In Internet Explorer, go to http_site (where http_site is the URL of the web site where the content is located).
   Save content from the site (such as a file or graphic).
   Record the download speed of the content while waiting for the content to download. This first download crosses the WAN and populates the hosted cache.

3. Start Internet Explorer on the second client computer
   On the second client computer, on the Quick Launch bar, click Internet Explorer.

4. Download the HTTP content on the second client computer
   In Internet Explorer, go to http_site (where http_site is the URL of the web site where the content is located).
   Save the same content from the site.
   Record the download speed of the content while waiting for the content to download.
   Note: The content should download almost immediately because it is being served from the hosted cache in the branch office rather than across the WAN. If it is not noticeably faster, confirm that the second client has applied the BranchCache policy (gpresult /r) and that the hosted cache grew after the first download (next step).

5. Review the size of the hosted cache
   On the hosted cache server, at a command prompt, type the following command and then press Enter.
     netsh peerdist show status all
   The value of Current Cache Size indicates how much data is stored in the hosted cache; it should have increased by roughly the size of the content after the first client's download.
Hosted Caching for SMB Content: Step-by-step Feature Review
To review how the Hosted Caching feature works for SMB content, you need to complete the following tasks:
Create a BranchCache-enabled shared network folder
Publish file hashes and generate file hashes for the files stored in the shared network folder.
Verify the performance of SMB content caching
Note: Perform these steps in a test environment as these steps could adversely affect your production environment. Also, you need to have a method of simulating a WAN connection to perform these steps.
Create a BranchCache-enabled Shared Network Folder
Perform the steps in the following table while logged on as a member of the Enterprise Admins security group.
Table 1516: Create a BranchCache-enabled Shared Network Folder

1. Start Share and Storage Management
   On the Start menu, point to Administrative Tools, and then click Share and Storage Management.

2. Create a BranchCache-enabled shared network folder
   In the Share and Storage Management console, in the Actions pane, click Provision Share.
   In Location, type C:\inetpub\wwwroot, and then click Next. (The test reuses the web server's content folder so the same files serve both the HTTP and the SMB test; in production, share a dedicated folder rather than the IIS root.)
   On the Permissions page, click Next.
   In Share name, type CorpFiles, and then click Next.
   Click Advanced.
   On the Caching tab, click Enable Windows Branch Cache, and then click OK.
   On the SMB Settings page, click Next.
   On the SMB Permissions page, click Next.
   On the DFS Namespace Publishing page, click Next.
   Click Create.
   Click Close.
Publish File Hashes and Generate File Hashes
Perform the steps in the following table while logged on as a member of the Enterprise Admins security group.
Table 1617: Publish File Hashes and Generate File Hashes

1. Start the Local Group Policy Editor
   On the Start menu, in Start Search, type gpedit.msc, and then press Enter. The Local Group Policy Editor starts.

2. Configure the Hash Publication settings
   In the Local Group Policy Editor console, go to Computer Configuration/Administrative Templates/Network/LanManServer.
   Change the value of Hash Publication for Windows Branch Cache to Enabled, and verify that Allow hash publication for all shares is selected.
   Close the Local Group Policy Editor console.

3. Generate file hashes
   At a command prompt, type the following command and then press Enter (where server_name is the name of the server you configured).
     hashgen -s \\server_name\corpfiles
   This pre-computes the content hashes for the files in the share, so the first branch client's request does not have to wait for hashes to be generated on demand.
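The share creation in Table 1516 and the hash generation above can also be done from the command line, which is how you would roll this out to many content servers. The following PowerShell script is an added example and is not code from the original guide or from the product. It assumes an elevated prompt on the content server, C:\CorpFiles as the folder to share (the table shares C:\inetpub\wwwroot instead), a placeholder group CORP\BranchUsers that should have read access, hashgen.exe on the PATH, and the Hash Publication policy already set as in step 2 above.

```powershell
# Added example, not code from the original guide. Creates the BranchCache-enabled
# share and pre-generates its hashes from the command line, then confirms the share
# exists. Assumptions: elevated prompt on the content server, C:\CorpFiles as the
# folder to share, CORP\BranchUsers (placeholder) as the group that should read it,
# hashgen.exe on the PATH, and the Hash Publication policy already set as above.

$ShareName = 'CorpFiles'
$SharePath = 'C:\CorpFiles'
$ReadGroup = 'CORP\BranchUsers'   # placeholder

function New-BranchCacheShare {
    param([string]$Name, [string]$Path, [string]$Grantee)
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    # /CACHE:BranchCache is the command-line form of "Enable Windows Branch Cache" on
    # the share's Caching tab. The share permission is READ only: the content server
    # still authorizes every request, and the branch cache only hands out blocks to
    # clients that passed that check, so share and NTFS permissions here are what
    # decide who can obtain the hashes in the first place.
    $out = net share "$Name=$Path" "/GRANT:$Grantee,READ" /CACHE:BranchCache 2>&1
    if ($LASTEXITCODE -ne 0) { throw "net share failed: $out" }
    Get-WmiObject Win32_Share -Filter "Name='$Name'"
}

function Invoke-HashGen {
    param([string]$Unc)
    # Same as "hashgen -s \\server_name\corpfiles" in the table above: the hashes are
    # computed now instead of on the first client request.
    hashgen -s $Unc 2>&1
}

$share = New-BranchCacheShare -Name $ShareName -Path $SharePath -Grantee $ReadGroup
$share | Format-List Name, Path, Description
Invoke-HashGen -Unc ('\\' + $env:COMPUTERNAME + '\' + $ShareName)
```

Re-run Invoke-HashGen whenever a bulk update lands in the share; otherwise the first branch client to open a changed file pays for hash generation across the WAN.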
Verify the Performance of SMB Content Caching
Perform the steps in the following table while logged on as a member of the Enterprise Admins security group.
Table 1718: Verify the Performance of SMB Content Caching

1. Access the shared network folder on the first client computer
   On the first client computer, on the Start menu, in Start Search, type \\server_name\corpfiles, and then press Enter (where server_name is the name of the server on which BranchCache is enabled).

2. Download the SMB content on the first client computer
   Copy a file from the shared network folder.
   Record the download speed of the content while waiting for the content to download. This first copy crosses the WAN and populates the hosted cache.

3. Access the shared network folder on the second client computer
   On the second client computer, on the Start menu, in Start Search, type \\server_name\corpfiles, and then press Enter (where server_name is the name of the server on which BranchCache is enabled).

4. Download the SMB content on the second client computer
   Copy the same file from the shared network folder.
   Record the download speed of the content while waiting for the content to download.
   Note: The content should download almost immediately because it is being served from the hosted cache. Compare Current Cache Size on the hosted cache server (netsh peerdist show status all) before and after the first copy to confirm that the file was actually cached.
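The "first client versus second client" comparison in this table and in Table 1415 can be measured rather than eyeballed. The following PowerShell script is an added example, not code from the original guide or from the product; run it on the first branch client and then on the second, and compare the throughput and the SHA-256 of the received file. It assumes the URL and UNC path are placeholders for your own test content, that BITS is used for the HTTP download because BITS on Windows 7 is BranchCache-aware whereas the .NET WebClient is not (verify on your build), and that the server-side Current Cache Size is checked separately as in the tables above.

```powershell
# Added example, not code from the original guide. Measures the "first client versus
# second client" comparison that the HTTP and SMB verification tables describe, and
# hashes the downloaded file so the two clients can confirm they received identical
# bytes. Assumptions: the URL and UNC path are placeholders; the HTTP download uses
# BITS because BITS on Windows 7 is BranchCache-aware whereas the .NET WebClient is not
# (verify on your build); the server's Current Cache Size is checked separately with
# "netsh peerdist show status all" as in the tables above.

Import-Module BitsTransfer

$Sources = @{
    HTTP = 'http://contentserver.corp.example.com/testfile.bin'   # placeholder
    SMB  = '\\contentserver\CorpFiles\testfile.bin'               # placeholder
}
$Scratch = Join-Path $env:TEMP 'branchcache-test'

function Get-Sha256Hex {
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $hash = $sha.ComputeHash($stream) } finally { $stream.Close() }
    ($hash | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Measure-Download {
    param([string]$Kind, [string]$Source, [string]$Destination)
    # Always start from an empty destination so a stale local copy cannot fake a cache hit.
    if (Test-Path $Destination) { Remove-Item $Destination -Force }
    $elapsed = Measure-Command {
        if ($Kind -eq 'HTTP') {
            Start-BitsTransfer -Source $Source -Destination $Destination
        } else {
            Copy-Item -Path $Source -Destination $Destination
        }
    }
    $bytes   = (Get-Item $Destination).Length
    $seconds = [math]::Max($elapsed.TotalSeconds, 0.001)   # avoid divide-by-zero on tiny files
    New-Object PSObject -Property @{
        Kind    = $Kind
        Bytes   = $bytes
        Seconds = [math]::Round($elapsed.TotalSeconds, 3)
        Mbps    = [math]::Round(($bytes * 8 / 1MB) / $seconds, 2)   # Mbit/s
        Sha256  = Get-Sha256Hex -Path $Destination
    }
}

New-Item -ItemType Directory -Path $Scratch -Force | Out-Null
$results = @()
foreach ($kind in @('HTTP', 'SMB')) {
    $dest = Join-Path $Scratch ("${kind}-testfile.bin")
    $results += Measure-Download -Kind $kind -Source $Sources[$kind] -Destination $dest
}
$results | Format-Table Kind, Bytes, Seconds, Mbps, Sha256 -AutoSize
```

On the second client the Mbps figures should be bounded by the branch LAN rather than the simulated WAN, and the Sha256 values must match those from the first client; a mismatch means the clients did not receive the same bytes and the test content or the cache should be examined before trusting the numbers. Use a file large enough (tens of megabytes) that the WAN transfer time dominates, otherwise the hash lookup overhead hides the difference.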
Improved Security for Branch Offices
Windows Server 2008 introduced the read-only domain controller, which allows a read-only copy of Active Directory to be placed in less secure environments such as branch offices. Windows Server 2008 R2 extends the same idea to file data by supporting read-only copies of the information stored in Distributed File System (DFS) replicas, as illustrated in the following figure.
Figure 34: Read-only DFS in a branch office scenario
Read-only DFS replicas help protect your digital assets by giving branch offices read-only access to the information you replicate to them by using DFS. Because the replica is read-only, users at the branch cannot modify or delete the replicated content, which protects the data in DFS replicas from accidental deletion or change at branch office locations; and because a read-only replica does not replicate outbound, a change made at a branch (whether by mistake or by a compromised branch server) cannot propagate back to the hub.
More Efficient Power Management
Windows 7 includes a number of power-management features that allow you to control power utilization in your organization with a finer degree of granularity than in previous operating systems. Windows 7 allows you to take advantage of the latest hardware developments for reducing power consumption in desktop and laptop computers.
Windows Server 2008 R2 includes a number of Group Policy settings that allow you to centrally manage the power consumption of computers running Windows 7.
Improved Virtualized Desktop Integration
Windows 7 introduces the RemoteApp & Desktop (RAD) feeds feature, which helps integrate desktops and applications virtualized by using Remote Desktop Services with the Windows 7 user interface. This integration makes the user experience for running virtualized applications or desktops the same as running the applications locally. For a detailed description of RDS and VDI, see the “Terminal Services Becomes Remote Desktop Services for Improved Presentation Virtualization” section earlier in this guide.
Higher Fault Tolerance for Connectivity Between Sites
One of the most common scenarios facing organizations today is connectivity between sites and locations. Many organizations connect their sites and locations by using VPN tunnels over public networks, such as the Internet.
One problem with existing VPN solutions is that they are not resilient to connection failures or device outages: when an outage occurs, the VPN tunnel is torn down and must be re-established, which causes a momentary loss of connectivity.
The Agile VPN feature in Windows Server 2008 R2, which is built on IKEv2 with the MOBIKE extension (the tunnel endpoint can change its address without renegotiating the security association), allows a VPN tunnel to have multiple network paths between its endpoints. In the event of a failure, Agile VPN automatically moves the existing tunnel to another path, with no interruption of connectivity and without the user re-authenticating.
Increased Protection for Removable Drives
Windows Server 2008 and earlier operating systems used BitLocker Drive Encryption (BitLocker) primarily to protect the operating system volume. Information stored on other volumes, including removable media, was encrypted by using Encrypting File System (EFS).
In Windows 7, you can use BitLocker to encrypt removable drives, such as eSATA hard disks, USB hard disks, USB thumb drives, or CompactFlash drives. This allows you to protect information stored on removable media with the same level of protection as the operating system volume.
For the operating system volume, BitLocker releases the volume key only through a Trusted Platform Module (TPM) or a startup key stored on a USB flash drive (the physical key), optionally combined with a personal identification number (PIN). Removable drives move between computers and cannot be bound to one TPM, so they are unlocked with a password or a smart card instead.
BitLocker recovery information (the 48-digit recovery password) can also be backed up to Active Directory Domain Services, which provides a recovery path if the physical key is lost, the password is forgotten, or the TPM fails. This integration between Windows 7 and Windows Server 2008 R2 lets you protect sensitive information without the risk that a lost key or forgotten password makes the data unrecoverable.
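The sequence described above, as an added PowerShell example that is not code from the original guide or from the product: it turns on BitLocker for a removable drive with a password protector for everyday unlocking plus a recovery password, then escrows that recovery password in Active Directory. It assumes drive letter E:, a domain-joined Windows 7 computer whose AD DS schema holds BitLocker recovery information, an elevated prompt, and the manage-bde output wording matched by the regex in Get-RecoveryPasswordIds (check it once against your own output).

```powershell
# Added example, not code from the original guide. Enables BitLocker on a removable
# drive and backs up its recovery password to AD DS. Assumptions: drive E:, a
# domain-joined Windows 7 computer, AD DS schema with BitLocker recovery support,
# elevated prompt, and the "manage-bde -protectors -get" wording parsed below.

$Drive = 'E:'

function Get-RecoveryPasswordIds {
    param([string]$Volume)
    # "manage-bde -protectors -get" lists each key protector with its ID; the recovery
    # password protector is labelled "Numerical Password" and its ID is on the next line.
    $text = (manage-bde -protectors -get $Volume 2>&1) | Out-String
    $ids  = @()
    $pattern = 'Numerical Password:\s*\r?\n\s*ID:\s*(\{[0-9A-Fa-f-]+\})'
    foreach ($m in [regex]::Matches($text, $pattern)) {
        $ids += $m.Groups[1].Value
    }
    return $ids
}

function Enable-RemovableDriveBitLocker {
    param([string]$Volume)
    # -Password prompts for the password users will type to unlock the drive on any
    # computer; -RecoveryPassword generates the 48-digit recovery password that is
    # escrowed below. Encryption continues in the background after this returns.
    manage-bde -on $Volume -Password -RecoveryPassword
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed for $Volume" }
}

function Backup-RecoveryPasswordToAd {
    param([string]$Volume)
    $ids = Get-RecoveryPasswordIds -Volume $Volume
    if ($ids.Count -eq 0) { throw "No recovery password protector on $Volume; nothing to escrow." }
    foreach ($id in $ids) {
        # Writes an msFVE-RecoveryInformation object under this computer's AD account.
        manage-bde -protectors -adbackup $Volume -id $id
        if ($LASTEXITCODE -ne 0) { throw "AD backup of protector $id for $Volume failed" }
    }
    return $ids
}

Enable-RemovableDriveBitLocker -Volume $Drive
$escrowed = Backup-RecoveryPasswordToAd -Volume $Drive
"Recovery password protector(s) backed up to AD DS: $($escrowed -join ', ')"
manage-bde -status $Drive
```

Escrow the recovery password before the drive leaves the building: if the AD backup fails (for example because the computer account lacks permission to write recovery information), the script stops rather than leaving an encrypted drive whose only recovery path is in a user's head.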
Improved Prevention of Data Loss for Mobile Users
The Offline Files feature allows you to designate files and folders stored on network shared folders for use even when the network shared folders are unavailable (offline); for example, when a mobile user disconnects a laptop computer from your intranet and works from a remote location.
The Offline Files feature has the following operation modes:
Online mode. The user is working in online mode when connected to the server; most file requests are sent to the server.
Offline mode. The user is working in offline mode when not connected to the server; all file requests are satisfied from the Offline Files cache stored locally on the computer.
In Windows Server 2008 RTM and Windows Vista, Offline Files used online mode by default whenever the server was reachable. In Windows Server 2008 R2 and Windows 7, Offline Files by default transitions to offline mode when the connection to the server is slow. This reduces traffic over slow links while connected to your intranet, because users work on the locally cached copies in the Offline Files cache; the information is still protected from loss because the cache is synchronized with the network shared folder in the background.