Forefront TMG and BranchCache Hosted Cache deployed on the same host

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

Important

Forefront TMG 2010 Service Pack 1 (SP1) provides simplified deployment of BranchCache at the branch office, using Forefront TMG as the BranchCache Hosted Cache server. For information on planning and configuring BranchCache in SP1, see Planning for BranchCache (SP1) and Configuring BranchCache in Forefront TMG (SP1).

BranchCache clients and the BranchCache Hosted Cache must communicate. However, by default, Forefront TMG blocks most traffic that is destined explicitly for the host or originating from the host (see System policy rules). To allow BranchCache to function in Hosted Cache mode, you must define specific Forefront TMG policy rules.

A client initiates the Hosted Cache protocol (PCHC, default port 443) to advertise the availability of new content it has retrieved to the Hosted Cache server. In return, the Hosted Cache server will initiate a new connection using the Retrieval protocol (PCCRR, default port 80), to retrieve the advertised data from the client. The data is now cached on the Hosted Cache server. Another client that needs to retrieve cached data will initiate the Retrieval protocol (PCCRR) to contact the Hosted Cache server and retrieve content from the cache. To allow this communication you must define two Forefront TMG policy rules:

  1. Allow Hosted Cache Inbound Connections—A rule that allows clients to advertise new content to the Hosted Cache server, and retrieve data from the Hosted Cache server.

  2. Allow Hosted Cache Outbound Connections—A rule that allows the Hosted Cache server to retrieve advertised content from the client.

The following steps describe how to create and implement the rules.

Note

The names used to define the rules and protocols in these steps are recommended to improve readability when querying the log to track BranchCache communications.

Step 1: Write down which ports clients are actually configured to use

Choose any BranchCache client and check the registry. The registry keys below will contain the actual value if the defaults were modified.

  • The Retrieval port registry key (if not specified, the default is 80):
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\PeerDist\DownloadManager\Peers\Connection

  • The Hosted Cache port registry key (if not specified, the default is 443):
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\PeerDist\HostedCache\Connection
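The following PowerShell script is an added example, not part of the original article; run it on a BranchCache client to read both keys from step 1 and print the ports to use in steps 2 and 3. It assumes the port is stored in a DWORD value named ListenPort under each Connection key and that a missing key or value means the default applies.

```powershell
# Added example (not from the original article). Reads the two registry keys from
# Step 1 and reports the Retrieval (PCCRR) and Hosted Cache (PCHC) ports in use.
# Assumption: the port is held in a DWORD value named ListenPort under each key.
$keys = @(
    @{ Name = 'Retrieval (PCCRR)';   Default = 80
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\DownloadManager\Peers\Connection' },
    @{ Name = 'Hosted Cache (PCHC)'; Default = 443
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\HostedCache\Connection' }
)

function Get-BranchCacheClientPort {
    param([string]$Path, [int]$Default, [string]$ValueName = 'ListenPort')
    # Key absent: the client is using the built-in default.
    if (-not (Test-Path -Path $Path)) { return $Default }
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    # Value absent: also the default. Otherwise return the configured port.
    if ($item -and $item.PSObject.Properties[$ValueName]) { return [int]$item.$ValueName }
    return $Default
}

foreach ($k in $keys) {
    $port = Get-BranchCacheClientPort -Path $k.Path -Default $k.Default
    $note = if ($port -ne $k.Default) { 'CUSTOM - use this port in steps 2/3' } else { 'default' }
    '{0,-20} port {1,5}  ({2})' -f $k.Name, $port, $note
    # Show any other values under the key so a non-standard setting is not missed.
    if (Test-Path -Path $k.Path) {
        (Get-Item -Path $k.Path).GetValueNames() | ForEach-Object { '    value present: {0}' -f $_ }
    }
}
```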

Step 2: Define the Retrieval protocol

  1. Select the Firewall Policy node.

  2. Select the Toolbox tab.

  3. Expand Protocols.

  4. Click New and then select Protocol.

  5. Enter the protocol definition name as “BranchCache -Retrieval” and click Next.

  6. Click New and add the new protocol, as follows:

    1. Protocol Type: TCP

    2. Direction: Outbound

    3. Port Range: From 80 to 80 (replace 80 if otherwise identified in step 1)

    4. Click OK.

Step 3: Define the Hosted Cache protocol

  1. Select the Firewall Policy node.

  2. Select the Toolbox tab.

  3. Expand Protocols.

  4. Click New and then select Protocol.

  5. Enter the protocol definition name as “BranchCache -Advertise” and click Next.

  6. Click New and add the new protocol, as follows:

    1. Protocol Type: TCP

    2. Direction: Outbound

    3. Port Range: From 443 to 443 (replace 443 if otherwise identified in step 1)

    4. Click OK.

Step 4: Create a rule to allow Hosted Cache Inbound Connections

  1. Select the Firewall Policy node.

  2. Select the Tasks tab.

  3. Click Create Access Rule.

  4. Define the rule name as “Allow Hosted Cache Inbound Connections” and then click Next.

  5. On the Rule Action page, select Allow and then click Next.

  6. On the This rule applies to page:

    1. Choose Selected Protocols from the list, and then click the Add button.

    2. In the Add Protocols dialog box, expand User-defined protocols.

    3. Select BranchCache -Retrieval protocol and click Add.

    4. Select BranchCache -Advertise protocol, click Add and then click Close.

    5. Click Next.

  7. On the Access Rule Sources page:

    1. Click Add.

    2. In the Add Network Entities dialog box, expand the Networks folder, select Internal Network, click Add, and then click Close.

    3. Click Next.

  8. On the Access Rule Destinations page:

    1. Click Add.

    2. In the Add Network Entities dialog box, expand the Networks folder, select Local Host, click Add, and then click Close.

    3. Click Next.

  9. On the User Sets page, click Next to apply the rule to all users.

  10. On the Completing the New Access Rule Wizard page, click Finish to close the wizard.

Step 5: Create a rule to allow Hosted Cache Outbound Connections

  1. Select the Firewall Policy node.

  2. Select the Tasks tab.

  3. Click Create Access Rule.

  4. Define the rule name as “Allow Hosted Cache Outbound Connections” and click Next.

  5. On the Rule Action page, select Allow and then click Next.

  6. On the This rule applies to page:

    1. Choose Selected Protocols from the list, and then click the Add button.

    2. In the Add Protocols dialog box, expand User-defined protocols.

    3. Select BranchCache -Retrieval protocol and click Add.

    4. Click Next.

  7. On the Access Rule Sources page:

    1. Click Add.

    2. In the Add Network Entities dialog box, expand the Networks folder, select Local Host, click Add, and then click Close.

    3. Click Next.

  8. On the Access Rule Destinations page:

    1. Click Add.

    2. In the Add Network Entities dialog box, expand the Networks folder, select Internal Network, click Add, and then click Close.

    3. Click Next.

  9. On the User Sets page, click Next to apply the rule to all users.

  10. On the Completing the New Access Rule Wizard page, click Finish to close the wizard.

Step 6: Apply the updated policy

Click Apply to save the changes and update the configuration.

Step 7: Validate the Hosted Cache is working properly

  1. Choose any client on the Branch Office.

  2. Open Performance Monitor, track the BranchCache “Bytes from Cache” counter, and note its current value.

    Tip

    For more information about BranchCache counters, see Performance Counters (https://go.microsoft.com/fwlink/?LinkId=165667).

  3. Open your Internet Browser. Clear the browser cache to make sure it is not utilized in this validation.

    Note

    Instructions for clearing the cache using Internet Explorer 8:

    1. On the Tools menu, select Internet Options.

    2. On the General tab, in the Browsing History section, click the Delete… button.

    3. In the opened dialog box, select the Temporary Internet Files check box and clear the other check boxes, then click Delete.

    4. Wait for the operation to complete, and then close the dialog boxes.

  4. Using the client, access or download an object with a known size from an HTTP/S application on a Windows 2008 R2 server.

  5. Expected result:

    • If the object was never accessed from the Branch, the counter should increment by the object size on the third attempt to access it (between attempts, make sure you clear the browser cache).

    • If the object was already accessed from the Branch, the counter should increment by the object size on the first or second attempt.
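The following PowerShell script is an added example, not part of the original article; it automates the before/after counter comparison from Step 7 on the client. It assumes the counter set is named BranchCache and that the counter path contains the text "Bytes from Cache"; you still clear the browser cache and download the object by hand at each prompt.

```powershell
# Added example (not from the original article). Snapshots the BranchCache
# "Bytes from Cache" counter around each manual download attempt from Step 7 and
# reports on which attempt the object was served from the Hosted Cache.
# Assumptions: counter set 'BranchCache'; counter path contains 'Bytes from Cache'.
function Get-BytesFromCacheCounterPath {
    $set = Get-Counter -ListSet 'BranchCache' -ErrorAction Stop
    $path = $set.Paths | Where-Object { $_ -like '*Bytes from Cache*' } | Select-Object -First 1
    if (-not $path) { throw 'BranchCache "Bytes from Cache" counter not found; is BranchCache enabled?' }
    return $path
}

function Get-BytesFromCache {
    param([string]$Path)
    # RawValue is the cumulative byte count, so deltas between samples are exact.
    (Get-Counter -Counter $Path).CounterSamples[0].RawValue
}

function Test-HostedCacheRetrieval {
    param([long]$ObjectSize, [int]$Attempts = 3)
    $path = Get-BytesFromCacheCounterPath
    for ($i = 1; $i -le $Attempts; $i++) {
        $before = Get-BytesFromCache -Path $path
        Read-Host "Attempt $i of $Attempts - clear the browser cache, download the object, then press Enter"
        $delta = (Get-BytesFromCache -Path $path) - $before
        # Per Step 7: a new object is expected on the third attempt, a known one on the first or second.
        if ($delta -ge $ObjectSize) { return "Served from Hosted Cache on attempt $i ($delta bytes)" }
        "Attempt $i`: counter grew by $delta bytes (object is $ObjectSize bytes)"
    }
    return "Not served from the Hosted Cache in $Attempts attempts; re-check the rules and the TMG log"
}

# Example run for a 1 MiB test object (size is a constructed value for illustration):
# Test-HostedCacheRetrieval -ObjectSize 1048576
```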

Step 8: (Optional) Reduce the impact of NIS Inspection on Hosted Cache traffic

NIS is a protocol decode-based traffic inspection feature of Forefront TMG that uses signatures of known vulnerabilities to detect and potentially block attacks on network resources (for more information about NIS, see Enabling and configuring the Network Inspection System).

This step is not applicable if NIS is not enabled. To check whether NIS is enabled:

  1. Select the Intrusion Prevention System node.

  2. On the Tasks pane, click Configure Properties.

  3. On the General tab, verify that the Enable NIS check box is selected.

When enabled, NIS inspects all traffic, including traffic destined explicitly to the host or originating from the host. As a result, users may experience increased latency when retrieving cached objects from the Hosted Cache server.

If the impact is significant, choose one of the following options to mitigate it:

  1. Disable NIS inspection only for traffic destined explicitly to the host or originating from the host.

    Note

    The risk of disabling NIS for traffic destined explicitly to the host or originating from the host is small, for the following reasons:

    • NIS is applied to all other traffic, continuing to defend all internal unpatched machines. Forefront TMG itself, as an edge-located security device, is expected to be patched at all times, and thus protected from all known threats.

    • By default, NIS does not inspect non-HTTP/HTTPS traffic destined explicitly to the host or originating from the host; thus disabling NIS on the local host has no impact on other protocols.

    • Forefront TMG does not initiate outbound web-access. As a result, the vulnerability of the host itself to web-originating threats is very low. As a common security practice, administrators are advised not to browse the Internet from the Forefront TMG host.

    To disable NIS for traffic destined explicitly to the host or originating from the host:

    1. The following registry key has a default value of 1. To disable localhost traffic inspection, use Regedit on the host to assign it a value of 0.

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAT\Stingray\Debug\IPS\IPS_LOCALHOST_INSPECTION_MODE

    2. Re-apply the Forefront TMG policy:

      Open any of the firewall policy rules and add a space anywhere in the rule description. Click Apply.

  2. Change the BranchCache protocols' default port numbers (80 and 443) to custom port numbers.

    Explanation: By default, NIS inspects only HTTP and HTTPS in local host traffic. To retain that inspection without affecting BranchCache performance, change the BranchCache default ports to any other available ports (and update the protocol definitions from steps 2 and 3 to match).
