Deploy a hosted cache mode design

Updated: October 7, 2009

Applies To: Windows 7, Windows Server 2008 R2

When you deploy BranchCache in hosted cache mode for a branch office, a hosted cache server is installed at the branch office.

Client computers that are running either Windows® 7 Enterprise or Windows® 7 Ultimate are also installed at the branch office. These clients download content from content servers that are installed at the main office; and after content is downloaded, the hosted cache server obtains and caches the content, providing the content to other clients in the same branch office upon request.

To deploy BranchCache in hosted cache mode, you must install and configure content servers in your main office and install and configure a hosted cache server and client computers in your branch office. In addition, client computers at branch offices must be able to access the main office content servers over some type of wide area network (WAN) link, such as a dedicated or on-demand virtual private network (VPN) connection between the offices; or clients must use some other method to connect to the content servers, such as by using DirectAccess.


BranchCache is compatible only with VPN software that supports split tunneling. Do not enable hosted cache mode on client computers in a branch office if these clients use host-based VPN software that does not support split tunneling. If the VPN software does not support split tunneling, client computers route traffic through the main office VPN servers when downloading from the local hosted cache, which will create unnecessary WAN link traffic and network congestion.

Finally, you must enroll a server certificate to your hosted cache server that the server uses to prove its identity to client computers in the branch office. After the hosted cache server enrolls a certificate, you must obtain the SHA-1 hash of the certificate and link the certificate to BranchCache.


The server certificate that is enrolled to hosted cache servers must be issued by a certification authority (CA) that is trusted by client computers. If client computers do not trust the CA that issued the certificate to the hosted cache server, authentication fails and the client computers will not be able to obtain content from the hosted cache server.

CAs and certificates

You can deploy server certificates with either a public CA or with a private CA that you own and deploy.

  • Public CAs are deployed by third party companies, such as Verisign, who sell certificates for use by their customers. This guide does not describe how to deploy hosted cache mode with certificates that are issued by a public CA, but it is possible if you ensure that the certificates meet the minimum server certificate requirements and are configured in accordance with the Web Server certificate template as described in this guide. In addition, before purchasing a server certificate issued by a public CA, you should ensure that BranchCache client computers already trust the public CA.

  • Private CAs are deployed by organizations who design and deploy a public key infrastructure (PKI). This guide provides instructions on how to deploy your own CA using Active Directory Certificate Services (AD CS).


This guide does not provide instructions on how to design a PKI, and you should review AD CS documentation before deploying your own CA. For more information, see Additional Resources.

There are two types of certificates that are used when you deploy BranchCache in hosted cache mode:

  • CA certificate. When you deploy your own CA, the root CA certificate is automatically distributed to client computers that are domain members. The certificate is stored in the Trusted Root Certification Authorities certificate store for the Local Computer and for the Current User. These certificate stores can be viewed by using the Certificates Microsoft Management Console (MMC) snap-in. When a CA certificate exists in the Trusted Root Certification Authorities certificate store, it means that the computer trusts all certificates that are issued by the CA.

  • Server certificate. The server certificate is issued by the CA to the hosted cache server. The hosted cache server uses the certificate to prove its identity to client computers during the authentication process.

Hosted cache mode

See the following topics to deploy BranchCache in hosted cache mode.