Applies To: Windows Server 2008 R2
BranchCache clients can be managed by using Group Policy settings or the netsh command-line scripting utility. You can use either tool to perform the following configuration tasks on BranchCache clients:
Enable BranchCache (it is disabled by default).
Select Distributed Cache or Hosted Cache mode.
Specify the size of the client computers’ cache (if using Distributed Cache mode). By default, BranchCache uses up to 5% of the hard disk drive for the cache.
Specify the location of the Hosted Cache (if using Hosted Cache mode).
The BranchCache Early Adopter’s Guide also describes the following:
Other configuration options that are available.
How to monitor BranchCache performance on client computers by using performance counters.
How to add events to the Event Log to simplify monitoring the health of BranchCache.
BranchCache supports the SMB 2 and HTTP 1.1 protocols. Figure 4 shows that applications do not need to communicate directly with BranchCache (although they can if they need to). Instead, applications that access the SMB and HTTP interfaces in the Windows 7 and Windows Server 2008 R2 operating systems automatically benefit from BranchCache.
Consequently, applications such as Windows Explorer, Robocopy, CopyFile, Windows Media® Player (WMP), Internet Explorer®, Flash, and Silverlight automatically benefit. These benefits are also realized when using HTTPS, IPsec, or SMB signing. However, applications that implement their own SMB or HTTP stacks will not benefit from BranchCache, because the BranchCache optimizations are applied directly by the SMB and HTTP protocol stack implementations in the Windows 7 and Windows Server 2008 R2 operating systems.
Figure 4 The BranchCache architecture
Security is central to all aspects of BranchCache. This section describes the security of data in transit (over the wire), and at rest (in the client cache or Hosted Cache).
A client requests data from the content server, and indicates that it is capable of understanding BranchCache.
The content server authenticates and authorizes the client in exactly the same way it would if BranchCache were not being used. That is, authentication and authorization of a client to access data are independent of BranchCache.
The content server recognizes that the client can utilize BranchCache, and checks to make sure that the stored metadata is up to date with the content.
The content server then sends the metadata over the same channel on which the data itself would normally have been sent. If an SSL connection was established between the client and the server, the metadata (the hashes) is sent back over that encrypted SSL connection.
The client that is requesting content obtains the metadata and uses it to look up availability in the branch.
The client establishes a connection with the caching computer (a Hosted Cache server when Hosted Cache mode is used, or a peer caching computer when Distributed Cache mode is used), and requests the blocks it wants.
The caching computer encrypts the blocks with an encryption key that is derived from the content metadata (using AES 128 by default) and sends them to the client.
The client decrypts the data by using the same encryption key as the caching computer. The client and the caching computer compute the same encryption key because they derive it from the same content metadata, which is sent by the content server.
After the client decrypts the data, it validates that the data has not been corrupted or tampered with. To do this, the client computes the block hashes on the blocks it received and compares them to the block hashes received in the content metadata from the content server. If the hashes do not match, the client discards the data.
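The following Go program is an added example, not code from the BranchCache Early Adopter's Guide or from Windows, that models the data-in-transit steps above end to end: the content server hashes each block and returns metadata instead of data; the caching computer and the client each derive the same AES-128 key from that metadata; the client decrypts and then checks every block hash before accepting the block. The block size, the HMAC-based derivation of a per-segment secret, the use of SHA-256 and AES-128-CTR, and all sample content are assumptions made for the model and are not the on-the-wire BranchCache format; the point is the security property, namely that a caching computer (or anyone on the branch network) cannot substitute or corrupt content without the client detecting it, and that a client holding metadata for different content cannot decrypt the blocks.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Toy block size chosen for the model; real BranchCache blocks are far larger.
const blockSize = 64

// Metadata is what the content server returns in place of the data itself:
// a SHA-256 hash per block, plus a segment secret from which the block
// encryption key is derived. The HMAC construction is an assumption of this model.
type Metadata struct {
	BlockHashes   [][32]byte
	SegmentSecret [32]byte
}

// ServerMetadata is the content server's side: hash every block, then derive
// the segment secret as HMAC-SHA256(serverSecret, hash over all block hashes).
func ServerMetadata(content, serverSecret []byte) Metadata {
	var md Metadata
	hod := sha256.New() // hash over the block hashes
	for off := 0; off < len(content); off += blockSize {
		end := off + blockSize
		if end > len(content) {
			end = len(content)
		}
		h := sha256.Sum256(content[off:end])
		md.BlockHashes = append(md.BlockHashes, h)
		hod.Write(h[:])
	}
	mac := hmac.New(sha256.New, serverSecret)
	mac.Write(hod.Sum(nil))
	copy(md.SegmentSecret[:], mac.Sum(nil))
	return md
}

// EncryptionKey is computed identically by the caching computer and the client,
// because both hold the same metadata: AES-128 key = first 16 bytes of SHA-256(segment secret).
func EncryptionKey(md Metadata) []byte {
	k := sha256.Sum256(md.SegmentSecret[:])
	return k[:16]
}

// CacheEncryptBlock is the caching computer's side: AES-128-CTR with a fresh IV prepended.
// CTR gives confidentiality but no integrity, which is why the client's hash check matters.
func CacheEncryptBlock(md Metadata, block []byte) ([]byte, error) {
	c, err := aes.NewCipher(EncryptionKey(md))
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize+len(block))
	iv := out[:aes.BlockSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	cipher.NewCTR(c, iv).XORKeyStream(out[aes.BlockSize:], block)
	return out, nil
}

// ClientReceiveBlock decrypts block index i and validates it against the metadata hash.
// Corruption, tampering, or a key derived from different metadata all reject the block.
func ClientReceiveBlock(md Metadata, i int, wire []byte) ([]byte, error) {
	if i < 0 || i >= len(md.BlockHashes) {
		return nil, errors.New("block index not present in metadata")
	}
	if len(wire) < aes.BlockSize {
		return nil, errors.New("wire data too short to carry an IV")
	}
	c, err := aes.NewCipher(EncryptionKey(md))
	if err != nil {
		return nil, err
	}
	plain := make([]byte, len(wire)-aes.BlockSize)
	cipher.NewCTR(c, wire[:aes.BlockSize]).XORKeyStream(plain, wire[aes.BlockSize:])
	if sha256.Sum256(plain) != md.BlockHashes[i] {
		return nil, errors.New("block hash mismatch: discarding block")
	}
	return plain, nil
}

// Demo: a good fetch, a fetch of a tampered block, and a fetch using metadata
// for different content (so the derived key is wrong).
func main() {
	content := bytes.Repeat([]byte("branch office payload "), 10) // constructed sample, 220 bytes
	serverSecret := []byte("content-server-secret (constructed)")
	md := ServerMetadata(content, serverSecret)

	wire, _ := CacheEncryptBlock(md, content[:blockSize])
	if got, err := ClientReceiveBlock(md, 0, wire); err == nil {
		fmt.Printf("block 0 accepted, %d bytes\n", len(got))
	}
	tampered := append([]byte(nil), wire...)
	tampered[aes.BlockSize] ^= 0x01 // flip one ciphertext bit on the branch network
	if _, err := ClientReceiveBlock(md, 0, tampered); err != nil {
		fmt.Println("tampered block:", err)
	}
	other := ServerMetadata([]byte("different content"), serverSecret)
	if _, err := ClientReceiveBlock(other, 0, wire); err != nil {
		fmt.Println("wrong metadata:", err)
	}
}
```

Note that authentication and authorization of the client never appear in this model: as the text states, they happen on the channel to the content server, and a client that the content server does not authorize never receives the metadata and therefore cannot derive the key.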
The data in the cache is accessible only after the content server authorizes the client. The data is stored in the clear in both the Distributed Cache and the Hosted Cache, as is the case for other caches and data on the system (such as the Internet Explorer cache, the SMB offline files cache, and the file system).
If encryption of the cache is desired, it is recommended that administrators use BitLocker™ on the computer (preferred) or Encrypting File System on the cache file.