Reducing Bandwidth Utilization with Windows 7 and Windows Server 2008 R2 BranchCache Published: January 2010
The following content may no longer reflect Microsoft’s current position or infrastructure. This
content should be viewed as reference documentation only, to inform IT business decisions
within your own company or organization.
Does the increasing cost of wide area network (WAN) access restrict
you from providing your branch offices with the data center services
they need? Learn how Microsoft IT uses the BranchCache™ feature
available in the Windows® 7 operating system and the Windows
Server® 2008 R2 operating system to improve performance and
availability to branch offices. Services at the branch office level
include file and print management, offline folder redirection, operating
system and application distribution, and patch management. By
implementing BranchCache, Microsoft IT significantly improved
service availability while maintaining network traffic encryption
including HTTPS and IPsec and reducing WAN usage and server
demand. Using BranchCache, Microsoft IT expects to save money
while increasing branch user productivity.
Situation
In the continuing effort to streamline operations and reduce the cost and complexity of IT,
many businesses are consolidating their applications onto centralized servers. An unintended
consequence of this application centralization is the increasing reliance on and demand for
the business’ WAN link.
As network bandwidth demand increases, application performance degrades. Users at
branch offices often experience delays when they use network applications that need to
access a WAN to connect to servers. For example, it might take several seconds or even
minutes for a user in a branch office to open a large file on a shared folder that is located on
a server at the central office. Similarly, a user attempting to view a video in their Web browser
might have to wait for a long time for the video to load.
In addition to performance degradation, branch office demand for network bandwidth can
drive up costs. Recent studies have shown that despite the reduction of costs associated with
WAN links, WAN costs are still a major component of enterprises’ operational expenses.
Situation
Driven by challenges of reducing the
costs and complexity of branch IT,
businesses are seeking to centralize
applications. However, as businesses
centralize applications, they increase
their dependency on the availability and
quality of the WAN link.
The increased utilization of the WAN link
is a direct result of centralization, as is
the degradation of application
performance. Recent studies have
shown that despite the reduction of costs
associated with WAN links, WAN costs
are still a major component of
enterprises’ operational expenses.
Solution
Microsoft IT is implementing
BranchCache, a new feature in
Windows 7 and Windows Server 2008
R2, to cache data locally within the
branch office. When another client on
the same network requests the file, the
client downloads it from the local cache
without downloading the same content
across the WAN.
Benefits
Reduced network bandwidth utilization
Improved application performance
Enhanced worker productivity
Operational cost savings
No new dependencies; respects existing security infrastructure
Products & Technologies
Windows Server 2008 R2
Windows 7 Client
System Center Configuration Manager 2007 SP2
Active Directory and Group Policies
IPv4, IPv6
Solution
To better support how Microsoft branch offices access data on the corporate network,
Microsoft Information Technology (Microsoft IT) is implementing a new data-caching feature
in Windows 7 and Windows Server 2008 R2 called BranchCache, which caches data locally
in a branch office. When another client on the same network requests the file, the client
downloads it from the local cache instead of having to access the WAN.
System Design
This section of the document provides an overview of how BranchCache works and
discusses the underlying network technologies that Microsoft IT has implemented as part of
the BranchCache system.
System Requirements
Systems must meet the following requirements to use BranchCache:
Client computers must be running the Windows 7 Enterprise operating system or the
Windows 7 Ultimate operating system with the BranchCache feature enabled.
Web servers and file servers must be running Windows Server 2008 R2, with the
BranchCache feature enabled. For a complete list of operating systems that support
BranchCache, see http://technet.microsoft.com/en-us/library/ee307962(WS.10).aspx.
Improving Networked Application Performance
BranchCache only retrieves data from a server when the client requests it. Because it is a
passive cache, it will not increase WAN utilization. BranchCache only caches read requests,
and thus does not interfere with a user saving a file.
BranchCache improves the responsiveness of common network applications that access
intranet servers across slow links. Because it does not require any infrastructure, you can
improve the performance of remote networks simply by deploying Windows 7 to client
computers, deploying Windows Server 2008 R2 to server computers, and enabling
BranchCache.
BranchCache works seamlessly alongside network security technologies such as Secure
Sockets Layer (SSL), Server Message Block (SMB) Signing, and end-to-end IPsec. You can
use BranchCache to reduce network bandwidth utilization and improve application
performance even if the content is encrypted.
BranchCache Operational Modes
When BranchCache is enabled, a copy of data accessed from intranet Web and file servers
is cached locally within the branch office. When another client on the same network requests
the file, the client downloads it from the local cache without downloading the same content
across the WAN.
BranchCache can operate in one of two modes:
Distributed Cache. In Distributed Cache mode, the cache is kept on Windows 7 client
computers. Improving performance is as easy as enabling BranchCache on your
Windows 7 client and Windows Server 2008 R2–based computers.
Hosted Cache. In Hosted Cache mode, the cache resides on any branch office server
running Windows Server 2008 R2. Other clients who need the same content retrieve it
directly from the Hosted Cache. The Hosted Cache server can run the Server Core
installation option of Windows Server 2008 R2 and can also host other applications. In
addition, Hosted Cache can be configured as a virtual workload and run on a server with
other workloads, such as File and Print.
The following figure illustrates the two BranchCache modes:
Figure 1. BranchCache can operate in two different modes
Choosing the Right Cache Mode
Because Distributed Cache mode allows IT professionals to take advantage of BranchCache
with minimal hardware deployments, it is especially beneficial for branch offices with fewer
than 50 users and that do not have a local server.
However, if the branch office has deployed other infrastructure (such as file or print servers),
using Hosted Cache mode may be beneficial for the following reasons:
Increased cache availability. Hosted Cache mode increases the cache efficiency
because content is available even if the client that originally requested the data is offline.
Caching for the entire branch office. Distributed Cache mode operates on a single
subnet. If a branch office that is using Distributed Cache mode has multiple subnets, a
client on each subnet needs to download a separate copy of each requested file. With
Hosted Cache mode, all clients in a branch office can access a single cache, even if they
are on different subnets.
For more information about BranchCache's two operational modes, download the
BranchCache Technical Overview white paper at
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=ee07308f-7c53-4c76-9ed9-670bc25a4c9d.
Architecture and Security
The following figure illustrates the server-side protocols utilized by the BranchCache system.
Figure 2. The BranchCache architecture
BranchCache works with any of the following protocols:
Hypertext Transfer Protocol (HTTP) and Hypertext Transfer Protocol Secure
(HTTPS). The protocols that Web browsers and many other applications (such as
Microsoft® Internet Explorer®, Windows Media® Player, and more) use.
SMB (including signed SMB traffic). SMB is the protocol used for shared folders on
Windows networks.
Background Intelligent Transfer Service (BITS). BITS is used to transfer files
asynchronously between a client and a server. BITS is the protocol that Microsoft
System Center Configuration Manager (SCCM) and Windows Server Update Services
(WSUS) use.
Works with Existing Security Infrastructure
BranchCache implements a secure-by-design approach that works seamlessly alongside the
existing network security architectures deployed in an enterprise, without the requirement of
additional equipment or complex configuration. BranchCache is easily managed by using
existing systems management technology; for example, you can enable BranchCache on
client computers by using Group Policy.
When you enable BranchCache, the security architectures and systems specifically designed
for your environment will continue to work as is; nothing different is needed to support
BranchCache. Authentication is still performed using domain credentials. Authorization using
access control lists (ACLs) is respected, and other configurations continue to function just as
they did before BranchCache was enabled.
The BranchCache security model is based on the exchange of metadata using the original
protocol (HTTP, HTTPS, or SMB). This metadata takes the place of the original content in
that protocol exchange. BranchCache accelerates delivery of encrypted content, such as
content sent over HTTPS and IPsec, while ensuring that content can be retrieved
locally only when authorized by the original server. Additionally, BranchCache supports the
optimization of downloads over end-to-end secure transports such as HTTPS and IPsec.
Microsoft IT researched and installed a variety of network appliances throughout the
corporate infrastructure, but many of these do not support encryption. Microsoft IT was
especially interested in implementing BranchCache because of its ability to maintain IPsec-
encrypted data transfers through the enterprise network.
Note: BranchCache encrypts data during transmission over the network, but it is not
involved in encrypting data while the information sits on a local computer. If you want to
encrypt any or all of your computer's stored information, Microsoft IT encourages users to
enable BitLocker® drive encryption on their computers.
For more information about BranchCache security, download the BranchCache Security
Guide at
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=449be4b1-5f87-47f1-945b-ccd4b196b34f.
BranchCache Deployments at Microsoft
As the earliest adopter and tester of Microsoft technology, Microsoft IT was working with
BranchCache as early as Windows 7 Beta. Microsoft IT was especially interested in using
BranchCache in branch offices that were known to have slow links to the main corporate data
center in hopes of improving local access time while simultaneously reducing WAN
bandwidth demand.
The pilot deployments discussed in this document occurred during the Windows Server 2008
R2/Windows 7 Release Candidate (RC) timeframe. Microsoft IT implemented BranchCache
pilots to test the technology using three different systems and protocols:
Testing access to internal file shares via SMB
Testing access to an internal Microsoft Office SharePoint® Server 2007 site via HTTP
Testing integration with System Center Configuration Manager and accessing advertised
downloads via BITS
In total, BranchCache was deployed to 24 branch offices where it was tested against internal
file shares using SMB, and against a SharePoint Server 2007 SP2 site accessed via HTTP.
From these 24 sites, five North American branch offices were also used for System Center
Configuration Manager 2007 SP2 (BITS) validation.
Figure 3. Locations and numbers of branch offices used for BranchCache pilots
The remainder of this section provides details about these pilot deployments.
Note: The percentage bandwidth savings discussed in these results measure the amount of
WAN bandwidth saved for cached files; they are not the percentage reduction of total branch
office WAN use. Overall, WAN bandwidth savings will be measured as Microsoft IT upgrades
the majority of its back-end servers to Windows Server 2008 R2.
SMB/HTTP Pilot
There were twenty-four branch offices involved in using BranchCache when accessing two
resources: an internal file share site via SMB, and a SharePoint 2007 SP2 site accessed via
HTTP.
SMB/HTTP Pilot Implementation
The SMB/HTTP pilot tested both of BranchCache's operational modes:
Hosted Cache mode was tested in 14 branch offices that historically had restricted
network bandwidth and that had Virtual Branch Office Servers (VBOS) in place. These
computers were Windows Server 2008 systems that operated as remote site platforms
to host a variety of services as virtual machines (VMs). With an available virtual server
infrastructure, adding BranchCache to these branch offices involved adding a new
BranchCache Windows Server 2008 R2 VM to each VBOS and installing 100-gigabyte
(GB) hard disk drives that were reserved for BranchCache use. A total of 2,709
Windows 7 clients were identified in the hosted cache sites. To connect client systems to
the appropriate branch office hosted cache, Microsoft IT used site-based Group Policy to
push down the server name only when they were connected to that network. When a
computer moved to a different site with another hosted cache server, it would receive a
new Group Policy object (GPO) that pointed to the local server.
Distributed Cache mode was tested in 10 branch offices as well as a domain in Africa.
Distributed Cache mode involved 4,823 Windows 7 clients. As with Hosted Cache mode
facilities, Microsoft IT targeted locations with restricted bandwidth. Microsoft IT enabled
one regional office in the African domain for Distributed Cache via the domain-based
GPO, as well as enabling the same site for Hosted Cache via the site-based GPO in
order to validate that site-based GPO settings override the domain-based ones. This
ability was of special interest to Microsoft IT, as they plan to use Hosted Cache during
the next phase of BranchCache implementation due to its more highly available cache
and its ability to serve multiple subnets, as was described previously in this document.
Results
Microsoft IT determined that for the 14 Hosted Cache mode sites, the average percentage of
data transferred from BranchCache-aware traffic across all sites was 40 percent. Because
the Distributed Cache mode sites included BITS validation, almost 90 percent of
BranchCache-aware traffic in the Distributed Cache sites came from locally distributed
caches.
Figure 4. Percent of bandwidth served by BranchCache mode
Note: Microsoft IT expects that if the Hosted Cache mode sites included BITS data, the percent
WAN bandwidth saved by Hosted Cache mode would be similar to the Distributed Cache
mode results.
Overall, out of a total 16.5 GB of HTTP content downloaded by clients at the branch offices,
only 4.7 GB crossed the WAN. The majority of the data (11.8 GB) was transferred from
hosted cache servers or from peers on the LAN, resulting in a 71 percent reduction in the
bandwidth utilization of the BranchCache-enabled servers.
Figure 5. Overall percent bandwidth utilization of BranchCache-enabled servers
System Center Configuration Manager Pilot
Another important scenario for BranchCache at Microsoft was integration with System Center
Configuration Manager 2007 SP2. Microsoft IT uses Configuration Manager 2007 to manage
over 280,000 of its enterprise client systems.
Why System Center Configuration Manager with BranchCache?
A key aspect of Configuration Manager's client management capabilities is distributing
content for applications and patches. Content distributed by Configuration Manager to clients
can range in size from single patches to full operating system images, resulting in a need to
have Distribution Points (content file servers) at each branch location in order to provide high-
speed (LAN) access to potentially large files.
Microsoft IT has 125 remote locations that require dedicated Distribution Points.
Implementing and maintaining Distribution Points at all branch locations is expensive from
both a hardware and operational standpoint, so leveraging BranchCache for content
distribution in a Configuration Manager context is hugely compelling to Microsoft for its
potential to reduce remote server overhead.
System Center Configuration Manager Pilot Implementation
To validate BranchCache in a Configuration Manager context, Microsoft IT implemented a
single Windows Server 2008 R2 Distribution Point at its central data center, hosting a single,
synthetic 200 MB application on that host. The Distribution Point was configured to deliver
content through BITS, and was also configured to run BranchCache.
Through Group Policy applied to Microsoft Active Directory sites, clients at three North
America locations (two in the U.S., one in Mexico) were configured to use BranchCache in
Distributed Cache mode. These clients were targeted with a System Center Configuration
Manager advertisement, which caused them to look for installation binaries (the 200 MB
synthetic package) on this single, data center-hosted Distribution Point, which was remote
(WAN) from each targeted client.
The BranchCache-enabled clients contacted the BranchCache-enabled Distribution Point
and downloaded the binaries via HTTP (a protocol supported by System Center
Configuration Manager and BranchCache). Using BranchCache's Distributed Cache mode,
clients downloaded the majority of this content payload from peers in their local subnets,
rather than each client pulling the large binaries through the expensive WAN link.
Results
In total, 219 clients (203 systems running Windows 7, and 16 systems running Windows
Vista that had been upgraded to BITS 4.0) from all three targeted branch locations received
the System Center Configuration Manager advertisement and pulled down content.
Note: The general HTTP and SMB optimizations in BranchCache are only supported on
Windows 7 and Windows Server 2008 R2; there are no plans to make BranchCache
available for Windows Vista or Windows XP clients. However, BITS 4.0 has engineered
support for BranchCache on Windows Vista and Windows Server 2008. As a result,
customers using solutions such as WSUS, System Center Configuration Manager, or other
enterprise applications that leverage BITS as the underlying file distribution technology will
benefit on these platforms as well.
Through forwarded events from those clients, Microsoft IT determined that out of a total
44.84 gigabytes (GB) of content downloaded by clients at these locations, only 6.61 GB
crossed the WAN. The majority of the data (38.23 GB) was transferred from peers on the
LAN, resulting in an overall 85 percent reduction in content that normally would have been
pulled over the WAN.
Figure 6. Average percent utilization of locally cached file for each test site
This drastic reduction of the amount of data requested across the corporate WAN is such a
positive result that Microsoft IT is exploring the possibility of removing content servers at
these remote locations.
Best Practices
In the course of designing, implementing, and operating BranchCache, Microsoft IT followed
these best practices:
Deployment
Work with your application group(s) to ensure that they enable BranchCache on their
file/print, Web, and SharePoint servers.
Use a Windows Management Instrumentation (WMI) filter on the GPO to ensure that the
Hosted Cache server does not receive the site-based client GPO.
When content servers are clustered for network load balancing or for failover, each
member must have the same key passphrase. The key passphrase must be applied to
each server using netsh, as in the following example:
netsh branchcache set key passphrase="MY_PASSPHRASE"
For more information on key passphrases, see the BranchCache Early Adopter’s Guide
at http://download.microsoft.com/download/1/5/9/1596E2C5-400C-4ED3-BD5F-9456D536EBFD/WS_2008_R2_documents/BranchCache_Early_Adopters_Guide_EN.doc.
Use BranchCache - Kernel Mode - performance counters on HTTP content servers to
validate bandwidth optimization. For more guidance on using performance counters, see
the “Web Server Performance Counters” section of the BranchCache Early Adopters
Guide at http://download.microsoft.com/download/1/5/9/1596E2C5-400C-4ED3-BD5F-9456D536EBFD/WS_2008_R2_documents/BranchCache_Early_Adopters_Guide_EN.doc.
When using BranchCache with SCCM:
Ensure that your content servers are hosted on Windows Server 2008 R2 servers
with BranchCache enabled, and that clients have BranchCache policy.
Use the performance counters on Windows Server 2008 R2 or client events to
analyze and monitor BranchCache distributions.
If you want to analyze client-based details, set up a collector and use Windows
Event Forwarding technology to have client systems send their BranchCache-
related events to a central collector. Then use SCOM against this collector to
perform detailed analysis on the aggregate data.
Security
In situations where the BranchCache key passphrase is set manually, make sure to use
a strong phrase for your password.
Use BitLocker, Encrypted File System, or similar technologies if you want to encrypt the
cached data in each computer.
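The security model described under Architecture and Security (metadata takes the place of content in the original exchange, and content can be retrieved locally only when the original server authorizes it) and the requirement above that clustered content servers share one key passphrase can be seen together in a simplified model. This is an added example, not Microsoft's code and not the BranchCache wire format: the class and function names, the 4-byte block size, the key derivation, and the sample file and users are assumptions constructed for illustration.

```python
import hashlib
import hmac

BLOCK_SIZE = 4  # assumption: tiny blocks so the constructed sample spans several


def split_blocks(data):
    return [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]


class ContentServer:
    """Origin server: authorizes the caller, then hands out metadata."""

    def __init__(self, passphrase, files, acl):
        # Stand-in key derivation (assumption), not the product's algorithm.
        self.secret = hashlib.sha256(passphrase.encode("utf-8")).digest()
        self.files = files      # path -> bytes
        self.acl = acl          # path -> set of users allowed to read
        self.wan_bytes = 0      # content bytes this server sent over the WAN

    def _authorize(self, user, path):
        if user not in self.acl.get(path, set()):
            raise PermissionError(f"{user} may not read {path}")

    def get_metadata(self, user, path):
        self._authorize(user, path)
        hashes = [hashlib.sha256(b).digest() for b in split_blocks(self.files[path])]
        digest = hashlib.sha256(b"".join(hashes)).digest()
        # Keyed with the server secret: the lookup ID cannot be computed by
        # someone who only guesses the content, and it differs per secret.
        segment_id = hmac.new(self.secret, digest, hashlib.sha256).hexdigest()
        return {"segment_id": segment_id, "block_hashes": hashes}

    def get_content(self, user, path):
        self._authorize(user, path)
        self.wan_bytes += len(self.files[path])
        return self.files[path]


def verify(data, block_hashes):
    """Check cached bytes against the hashes supplied by the origin server."""
    blocks = split_blocks(data)
    return len(blocks) == len(block_hashes) and all(
        hmac.compare_digest(hashlib.sha256(b).digest(), h)
        for b, h in zip(blocks, block_hashes)
    )


def fetch(server, cache, user, path):
    """Return (data, source); source is 'cache' or 'wan'."""
    meta = server.get_metadata(user, path)  # raises if the server refuses
    cached = cache.get(meta["segment_id"])
    if cached is not None and verify(cached, meta["block_hashes"]):
        return cached, "cache"
    data = server.get_content(user, path)   # miss or failed check: use the WAN
    cache[meta["segment_id"]] = data
    return data, "wan"


def run_demo():
    path = "/share/demo.bin"                          # constructed sample
    files = {path: b"constructed sample payload"}     # 26 bytes
    acl = {path: {"alice", "bob"}}
    node1 = ContentServer("shared passphrase", files, acl)
    node2 = ContentServer("shared passphrase", files, acl)   # same cluster key
    node3 = ContentServer("other passphrase", files, acl)    # misconfigured
    cache, out = {}, {}

    out["first"] = fetch(node1, cache, "alice", path)[1]
    out["peer"] = fetch(node2, cache, "bob", path)[1]
    try:
        fetch(node1, cache, "mallory", path)
        out["unauthorized"] = "served"
    except PermissionError:
        out["unauthorized"] = "denied"

    key = next(iter(cache))
    cache[key] = b"X" + cache[key][1:]                # corrupt the cached copy
    out["tampered"] = fetch(node1, cache, "bob", path)[1]
    out["mismatched_passphrase"] = fetch(node3, cache, "alice", path)[1]
    out["wan_bytes"] = node1.wan_bytes + node2.wan_bytes + node3.wan_bytes
    return out


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

In this model, the node configured with a different passphrase hands out lookup IDs that no cache holds, so its clients fall back to the WAN even though the content is already cached locally.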
Benefits
By implementing BranchCache, Microsoft IT has derived a number of benefits:
Reduced WAN bandwidth utilization: BranchCache reduces WAN bandwidth
consumed by end users for intranet-based traffic, improving the end-user experience.
Faster delivery of secure data: BranchCache accelerates delivery of encrypted content
using HTTPS and IPsec, and requires content servers to authenticate all users before
granting access to cached content.
Enhances productivity: Microsoft IT anticipates productivity gains for many branch
office workers. For example, sales people who are distributed throughout the world need
to access thousands of centrally stored product demos. Hosted BranchCache will allow a
much faster means of accessing the latest demo information, which may result in
providing our customers with the right information in near-real time.
Improves SLAs: Microsoft IT anticipates improved Service Level Agreements (SLAs) as
a result of BranchCache’s ability to remove the content distribution dependency from a
single host, as well as by reducing the administrative overhead associated with
distributing content to dedicated file servers globally with each application deployment.
Leverages existing infrastructure: BranchCache does not require additional
equipment in the branch offices and can be easily managed using Group Policy.
Respects existing security protocols: BranchCache is compatible with IPsec and
other encryption protocols. It simply works without requiring any change to existing
security architectures.
Seamless functionality: BranchCache does not require any input on the part of the end
user; it works transparently.
Interoperates with SCCM: Using BranchCache in tandem with SCCM helps reduce the
number of content servers located at branch offices that administrators manage.
Conclusion
As with many larger businesses that have branch offices, Microsoft IT has noted an
increasing reliance on and demand for the company's WAN link. In order to test the ability of
BranchCache to reduce remote sites’ dependency on the WAN, Microsoft IT engaged in two
BranchCache pilot deployments that involved over 7,500 clients accessing almost 80 GB of
data across 24 branch offices around the globe.
The results of these tests showed a significant reduction of WAN use, averaging more than
53 percent across both pilots and cache modes when branch office workers accessed locally
cached data. BranchCache achieved these impressive results without requiring Microsoft IT
to modify their security architecture or implement any new management technology.
BranchCache is compelling not only from a functionality and manageability view, but from a
cost savings perspective as well. Microsoft IT expects that their adoption of BranchCache will
reduce IT costs by precluding the need for increasing the size of the WAN link, and by
enabling Microsoft IT to reduce the number of expensive Distribution Point servers that
currently support branch offices.
Moving forward, Microsoft IT plans to expand its use of BranchCache. A larger-scale study of
BranchCache with System Center Configuration Manager will perform a global analysis to
determine which and how many Distribution Point servers used by Microsoft IT can be
removed from their infrastructure through a transition to BranchCache. Additional studies are
planned to measure the ability of BranchCache to reduce overall network utilization, and to
quantitatively test the improvements in user productivity that are achieved by enabling branch
office workers to quickly access local resources that reside on branch caches.
As servers continue to be upgraded to Windows Server 2008 R2 in calendar year 2010,
Microsoft IT plans to deploy domain-based Distributed Cache globally and site-based Hosted
Cache where needed. As BranchCache becomes enabled on branch office servers, Microsoft
IT anticipates that BranchCache will not only reduce branch offices' WAN usage, but it may
reduce the number of virtual machines and physical servers currently required to perform
similar functions.
For More Information
For more information about Microsoft products or services, call the Microsoft Sales
Information Center at (800) 426-9400. In Canada, call the Microsoft Canada information
Centre at (800) 563-9048. Outside the 50 United States and Canada, please contact your
local Microsoft subsidiary. To access information via the World Wide Web, go to:
http://www.microsoft.com
http://www.microsoft.com/technet/itshowcase
http://www.branchcache.com
This document supports a preliminary release of a software product that may be changed substantially prior to
final commercial release. This document is provided for informational purposes only and Microsoft makes no
warranties, either express or implied, in this document. Information in this document, including URL and other
Internet Web site references, is subject to change without notice. The entire risk of the use or the results from
the use of this document remains with the user. Unless otherwise noted, the companies, organizations,
products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are
fictitious. No association with any real company, organization, product, domain name, e-mail address, logo,
person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the
responsibility of the user. Without limiting the rights under copyright, no part of this document may be
reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means
(electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written
permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights
covering subject matter in this document. Except as expressly provided in any written license agreement from
Microsoft, the furnishing of this document does not give you any license to these patents, trademarks,
copyrights, or other intellectual property.
© 2010 Microsoft Corporation. All rights reserved.
Microsoft, BitLocker, BranchCache, Internet Explorer, SharePoint, Windows, Windows Media, Windows Server,
and Windows Vista are trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.