BranchCache

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

This topic, which is intended for Information Technology (IT) professionals, provides overview information about BranchCache, including BranchCache modes, features, capabilities, and the BranchCache functionality that is available in different operating systems.

Note

In addition to this topic, the following BranchCache documentation is available.

Who will be interested in BranchCache?

If you are a system administrator, network or storage solution architect, or other IT professional, BranchCache might interest you under the following circumstances:

  • You design or support IT infrastructure for an organization that has two or more physical locations and a wide area network (WAN) connection from the branch offices to the main office.

  • You design or support IT infrastructure for an organization that has deployed cloud technologies, and a WAN connection is used by workers to access data and applications at remote locations.

  • You want to optimize WAN bandwidth usage by reducing the amount of network traffic between branch offices and the main office.

  • You have deployed or are planning to deploy content servers at your main office that match the configurations described in this topic.

  • The client computers in your branch offices are running Windows 10, Windows 8.1, Windows 8, or Windows 7.

This topic includes the following sections:

What is BranchCache?

BranchCache is a wide area network (WAN) bandwidth optimization technology that is included in some editions of the Windows Server 2016 and Windows 10 operating systems, as well as in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7. To optimize WAN bandwidth when users access content on remote servers, BranchCache fetches content from your main office or hosted cloud content servers and caches it at branch office locations, allowing client computers at branch offices to access the content locally rather than over the WAN.

At branch offices, content is stored either on servers that are configured to host the cache or, when no server is available in the branch office, on client computers that are running Windows 10, Windows 8.1, Windows 8, or Windows 7. After a client computer requests and receives content from the main office and the content is cached at the branch office, other computers at the same branch office can obtain the content locally rather than downloading it from the content server over the WAN link.

When subsequent requests for the same content are made by client computers, the clients download content information from the server instead of the actual content. Content information consists of hashes that are calculated over chunks of the original content, and it is extremely small compared to the original data. Client computers then use the content information to locate the content in a cache in the branch office, whether the cache is located on a client computer or on a server. Client computers and servers also use content information to secure cached content so that it cannot be accessed by unauthorized users.

BranchCache increases end user productivity by improving content query response times for clients and servers in branch offices, and can also help improve network performance by reducing traffic over WAN links.

BranchCache modes

BranchCache has two modes of operation: distributed cache mode and hosted cache mode.

When you deploy BranchCache in distributed cache mode, the content cache at a branch office is distributed among client computers.

When you deploy BranchCache in hosted cache mode, the content cache at a branch office is hosted on one or more server computers, which are called hosted cache servers.

Note

You can deploy BranchCache using both modes, but only one mode can be used per branch office. For example, if you have two branch offices, one of which has a server and one of which does not, you can deploy BranchCache in hosted cache mode in the office that contains a server, while deploying BranchCache in distributed cache mode in the office that contains only client computers.

In the following illustration, BranchCache is deployed in both modes.

(Illustration: BranchCache modes)

Distributed cache mode is best suited for small branch offices that do not contain a local server for use as a hosted cache server. Distributed cache mode allows you to deploy BranchCache with no additional hardware in branch offices.

If the branch office where you want to deploy BranchCache contains additional infrastructure, such as one or more servers that are running other workloads, deploying BranchCache in hosted cache mode is beneficial for the following reasons:

Increased cache availability

Hosted cache mode increases cache efficiency because content is available even if the client that originally requested and cached the data is offline. Because the hosted cache server is always available, more content is cached, providing greater WAN bandwidth savings, and BranchCache efficiency is improved.

Centralized caching for multiple-subnet branch offices

Distributed cache mode operates on a single subnet. At a multiple-subnet branch office that is configured for distributed cache mode, a file downloaded to one subnet cannot be shared with client computers on other subnets.

Because of this, clients on other subnets, unable to discover that the file has already been downloaded, get the file from the main office content server, using WAN bandwidth in the process.

When you deploy hosted cache mode, however, this is not the case: all clients in a multiple-subnet branch office can access a single cache, which is stored on the hosted cache server, even if the clients are on different subnets. In addition, BranchCache in Windows Server 2016, Windows Server 2012 R2, and Windows Server 2012 provides the ability to deploy more than one hosted cache server per branch office.

Warning

If you use BranchCache for SMB caching of files and folders, do not disable Offline Files. If you disable Offline Files, BranchCache SMB caching does not function correctly.

BranchCache-enabled content servers

When you deploy BranchCache, the source content is stored on BranchCache-enabled content servers in your main office or in a cloud data center. The following types of content servers are supported by BranchCache:

Note

Only source content, that is, content that client computers initially obtain from a BranchCache-enabled content server, is accelerated by BranchCache. Content that client computers obtain directly from other sources, such as Web servers on the Internet or Windows Update, is not cached by client computers or hosted cache servers and shared with other computers in the branch office. If you want to accelerate Windows Update content, however, you can install a Windows Server Update Services (WSUS) application server at your main office or cloud data center and configure it as a BranchCache content server.

Web servers

Supported Web servers include computers that are running Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 that have the Web Server (IIS) server role installed and that use Hypertext Transfer Protocol (HTTP) or HTTP Secure (HTTPS).

In addition, the Web server must have the BranchCache feature installed.

File servers

Supported file servers include computers that are running Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 that have the File Services server role and the BranchCache for Network Files role service installed.

These file servers use Server Message Block (SMB) to exchange information between computers. After you complete installation of your file server, you must also share folders and enable hash generation for the shared folders by using Group Policy or Local Computer Policy to enable BranchCache.

Application servers

Supported application servers include computers that are running Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 with Background Intelligent Transfer Service (BITS) installed and enabled.

In addition, the application server must have the BranchCache feature installed. As examples of application servers, you can deploy Microsoft Windows Server Update Services (WSUS) and Microsoft System Center Configuration Manager Branch Distribution Point servers as BranchCache content servers.

BranchCache and the cloud

The cloud has enormous potential to reduce operational expenses and achieve new levels of scale, but moving workloads away from the people who depend on them can increase networking costs and hurt productivity. Users expect high performance and don't care where their applications and data are hosted.

BranchCache can improve the performance of networked applications and reduce bandwidth consumption with a shared cache of data. It improves productivity in branch offices and in headquarters, where workers are using servers that are deployed in the cloud.

Because BranchCache does not require new hardware or network topology changes, it is an excellent solution for improving communication between office locations and both public and private clouds.

Note

Because some Web proxies cannot process non-standard Content-Encoding headers, it is recommended that you use BranchCache with Hypertext Transfer Protocol Secure (HTTPS) and not HTTP.

For more information about cloud technologies in Windows Server 2016, see Software Defined Networking (SDN).

Content information versions

There are two versions of content information:

  • Content information that is compatible with computers running Windows Server 2008 R2 and Windows 7 is called version 1, or V1. With V1 BranchCache file segmentation, file segments are larger than in V2 and are of fixed size. Because of the large fixed segment sizes, when a user makes a change that modifies the file length, not only is the segment with the change invalidated, but all of the segments to the end of the file are invalidated. The next request for the changed file by another user in the branch office therefore results in reduced WAN bandwidth savings, because the changed content and all content after the change are sent over the WAN link.

  • Content information that is compatible with computers running Windows Server 2016, Windows 10, Windows Server 2012 R2, Windows 8.1, Windows Server 2012, and Windows 8 is called version 2, or V2. V2 content information uses smaller, variable-sized segments that are more tolerant of changes within a file. This increases the probability that segments from an older version of the file can be reused when users access an updated version, so that they retrieve only the changed portion of the file from the content server and use less WAN bandwidth.

The following table provides information on the content information version that is used depending upon which client, content server, and hosted cache server operating systems you are using in your BranchCache deployment.

Note

In the table below, the acronym "OS" means operating system.

Client OS | Content Server OS | Hosted Cache Server OS | Content Information Version
Windows Server 2008 R2 and Windows 7 | Windows Server 2012 or later | Windows Server 2012 or later; none for distributed cache mode | V1
Windows Server 2012 or later; Windows 8 or later | Windows Server 2008 R2 | Windows Server 2012 or later; none for distributed cache mode | V1
Windows Server 2012 or later; Windows 8 or later | Windows Server 2012 or later | Windows Server 2008 R2 | V1
Windows Server 2012 or later; Windows 8 or later | Windows Server 2012 or later | Windows Server 2012 or later; none for distributed cache mode | V2

When you have content servers and hosted cache servers that are running Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012, they use the content information version that is appropriate for the operating system of the BranchCache client that requests the information.

When computers running Windows Server 2012 and Windows 8 or later operating systems request content, the content and hosted cache servers use V2 content information; when computers running Windows Server 2008 R2 and Windows 7 request content, the content and hosted cache servers use V1 content information.

Important

When you deploy BranchCache in distributed cache mode, clients that use different content information versions do not share content with each other. For example, a client computer running Windows 7 and a client computer running Windows 10 that are installed in the same branch office do not share content with each other.

How BranchCache handles content updates in files

When branch office users modify or update the contents of documents, their changes are written directly to the content server in the main office without BranchCache's involvement. This is true whether the user downloaded the document from the content server or obtained it from either a hosted or distributed cache in the branch office.

When the modified file is requested by a different client in a branch office, the new segments of the file are downloaded from the main office server and added to the distributed or hosted cache in that branch. Because of this, branch office users always receive the most recent versions of cached content.

BranchCache installation guide

You can use Server Manager in Windows Server 2016 to install either the BranchCache feature or the BranchCache for Network Files role service of the File Services server role. You can use the following table to determine whether to install the role service or the feature.

Functionality | Computer location | Install this BranchCache element
Content server (BITS-based application server) | Main office or cloud data center | BranchCache feature
Content server (Web server) | Main office or cloud data center | BranchCache feature
Content server (file server using the SMB protocol) | Main office or cloud data center | BranchCache for Network Files role service of the File Services server role
Hosted cache server | Branch office | BranchCache feature with hosted cache server mode enabled
BranchCache-enabled client computer | Branch office | No installation needed; just enable BranchCache and a BranchCache mode (distributed or hosted) on the client

To install either the role service or the feature, open Server Manager and select the computers where you want to enable BranchCache functionality. In Server Manager, click Manage, and then click Add Roles and Features. The Add Roles and Features wizard opens. As you run the wizard, make the following selections:

  • On the wizard page Select Installation Type, select Role-based or Feature-based Installation.

  • On the wizard page Select Server Roles, if you are installing a BranchCache-enabled file server, expand File and Storage Services and File and iSCSI Services, and then select BranchCache for Network Files. To save disk space, you can also select the Data Deduplication role service, and then continue through the wizard to installation and completion. If you do not want to install a BranchCache-enabled file server, do not install the File and Storage Services role with the BranchCache for Network Files role service.

  • On the wizard page Select features, if you are installing a content server that is not a file server, or you are installing a hosted cache server, select BranchCache, and then continue through the wizard to installation and completion. If you do not want to install a content server other than a file server, or a hosted cache server, do not install the BranchCache feature.
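The Server Manager selections above, together with the per-machine mode switches from the "BranchCache modes" section, expressed in Windows PowerShell. This is an added example and not code from the original page or from Microsoft's own documentation. The feature names FS-BranchCache and BranchCache used with Install-WindowsFeature, and the cmdlets Enable-BCHostedServer, Enable-BCDistributed, Enable-BCHostedClient, Publish-BCFileContent and Get-BCStatus, are the ones shipped in the BranchCache module on Windows Server 2012 and later; the function name Enable-BCRole, the hosted cache server name and the share path are assumptions made for this example.

```powershell
# Added example: one function that applies the role/feature selection from the table
# above and turns on the right BranchCache mode for the machine it runs on.
# Run elevated. Enable-BCRole is a name chosen for this example; the server name and
# share path in the invocations at the bottom are constructed placeholders.

function Enable-BCRole {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('FileServer', 'WebOrAppServer', 'HostedCacheServer',
                     'DistributedClient', 'HostedClient')]
        [string]$Role,

        # Hosted cache server name(s); required only for -Role HostedClient
        [string[]]$HostedCacheServer,

        # Optional share to pre-hash after enabling a file server
        [string]$ShareToPublish
    )

    switch ($Role) {
        'FileServer' {
            # Main office / cloud: "BranchCache for Network Files" role service of File Services
            Install-WindowsFeature -Name FS-BranchCache -IncludeManagementTools
            # Hash generation for shares is turned on through Group Policy or Local Computer
            # Policy ("Hash Publication for BranchCache" under Network > Lanman Server).
            # Once it is on, a share can be pre-hashed so the first branch request does not
            # have to wait for hashing.
            if ($ShareToPublish) { Publish-BCFileContent -Path $ShareToPublish -Recurse }
        }
        'WebOrAppServer' {
            # Main office / cloud: IIS Web server or BITS-based application server (WSUS, ConfigMgr)
            Install-WindowsFeature -Name BranchCache -IncludeManagementTools
        }
        'HostedCacheServer' {
            # Branch office: the BranchCache feature with hosted cache server mode enabled
            Install-WindowsFeature -Name BranchCache -IncludeManagementTools
            Enable-BCHostedServer
        }
        'DistributedClient' {
            # Branch office with no server: nothing to install, just select the mode.
            # Only one mode is used per branch office (see the note under "BranchCache modes").
            Enable-BCDistributed
        }
        'HostedClient' {
            if (-not $HostedCacheServer) {
                throw 'HostedClient requires -HostedCacheServer <name>'
            }
            Enable-BCHostedClient -ServerNames $HostedCacheServer
        }
    }

    # Report the resulting state (mode, cache locations and sizes, service status)
    Get-BCStatus
}

# Example invocations (placeholder names):
# Enable-BCRole -Role FileServer -ShareToPublish 'D:\Shares\Engineering'
# Enable-BCRole -Role HostedCacheServer
# Enable-BCRole -Role HostedClient -HostedCacheServer 'hostedcache01.corp.example'
```

Get-BCStatus at the end is the check worth keeping: it shows which mode the machine ended up in, so a branch that was meant to be hosted-cache only but has a client left in distributed mode is visible before users notice that content is not being shared.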

Operating system versions for BranchCache

The following is a list of operating systems that support different types of BranchCache functionality.

Operating systems for BranchCache client computer functionality

The following operating systems provide BranchCache with support for Background Intelligent Transfer Service (BITS), Hypertext Transfer Protocol (HTTP), and Server Message Block (SMB).

  • Windows 10 Enterprise

  • Windows 10 Education

  • Windows 8.1 Enterprise

  • Windows 8 Enterprise

  • Windows 7 Enterprise

  • Windows 7 Ultimate

In the following operating systems, BranchCache does not support HTTP and SMB functionality, but does support BranchCache BITS functionality.

  • Windows 10 Pro, BITS support only

  • Windows 8.1 Pro, BITS support only

  • Windows 8 Pro, BITS support only

  • Windows 7 Pro, BITS support only

Note

BranchCache is not available by default in the Windows Server 2008 or Windows Vista operating systems. On these operating systems, however, if you download and install the Windows Management Framework update, BranchCache functionality is available for the Background Intelligent Transfer Service (BITS) protocol only. For more information, and to download Windows Management Framework, see Windows Management Framework (Windows PowerShell 2.0, WinRM 2.0, and BITS 4.0) at http://go.microsoft.com/fwlink/?LinkId=188677.

Operating systems for BranchCache content server functionality

You can use the Windows Server 2016, Windows Server 2012 R2, and Windows Server 2012 families of operating systems as BranchCache content servers.

In addition, the Windows Server 2008 R2 family of operating systems can be used as BranchCache content servers, with the following exceptions:

  • BranchCache is not supported in Server Core installations of Windows Server 2008 R2 Enterprise with Hyper-V.

  • BranchCache is not supported in Server Core installations of Windows Server 2008 R2 Datacenter with Hyper-V.

Operating systems for BranchCache hosted cache server functionality

You can use the Windows Server 2016, Windows Server 2012 R2, and Windows Server 2012 families of operating systems as BranchCache hosted cache servers.

In addition, the following Windows Server 2008 R2 operating systems can be used as BranchCache hosted cache servers:

  • Windows Server 2008 R2 Enterprise

  • Windows Server 2008 R2 Enterprise with Hyper-V

  • Windows Server 2008 R2 Enterprise Server Core Installation

  • Windows Server 2008 R2 Enterprise Server Core Installation with Hyper-V

  • Windows Server 2008 R2 for Itanium-Based Systems

  • Windows Server 2008 R2 Datacenter

  • Windows Server 2008 R2 Datacenter with Hyper-V

  • Windows Server 2008 R2 Datacenter Server Core Installation with Hyper-V

BranchCache Security

BranchCache implements a secure-by-design approach that works seamlessly alongside your existing network security architectures, without the requirement for additional equipment or complex additional security configuration.

BranchCache is non-invasive and does not alter any Windows authentication or authorization processes. After you deploy BranchCache, authentication is still performed using domain credentials, and the way in which authorization with Access Control Lists (ACLs) functions is unchanged. In addition, other configurations continue to function just as they did before BranchCache deployment.

The BranchCache security model is based on the creation of metadata, which takes the form of a series of hashes. These hashes are also called content information.

After content information is created, it is used in BranchCache message exchanges rather than the actual data, and it is exchanged using the supported protocols (HTTP, HTTPS, and SMB).

Cached data is kept encrypted and cannot be accessed by clients that do not have permission to access the content from the original source. Clients must be authenticated and authorized by the original content source before they can retrieve content metadata, and must possess the content metadata to access the cache in the local office.

How BranchCache generates content information

Because content information is created from multiple elements, the value of the content information is always unique. These elements are:

  • The actual content (such as Web pages or shared files) from which the hashes are derived.

  • Configuration parameters, such as the hashing algorithm and block size. To generate content information, the content server divides the content into segments and then subdivides those segments into blocks. BranchCache uses secure cryptographic hashes to identify and verify each block and segment, supporting the SHA256 hash algorithm.

  • A server secret. All content servers must be configured with a server secret, which is a binary value of arbitrary length.

Note

The use of a server secret ensures that client computers are not able to generate the content information themselves. This prevents malicious users from using brute force attacks with BranchCache-enabled client computers to guess minor changes in content across versions, in situations in which the client had access to a previous version but does not have access to the current version.
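Configuring the server secret that the list above requires, as an added example rather than code from the page: Set-BCSecretKey, Export-BCSecretKey and Import-BCSecretKey are the cmdlets of the BranchCache PowerShell module on Windows Server 2012 and later; the passphrases and the key file path are constructed placeholders.

```powershell
# Added example: set the server secret on one content server and carry the same secret
# to a second content server that publishes the same content. Passphrases and the key
# file path are constructed placeholders; replace them before use.

# --- On content server 1 ---
# Derive the binary server secret from a passphrase and store it on this server.
Set-BCSecretKey -Passphrase 'constructed-secret-passphrase'

# Export it, protected by a separate file passphrase, so that other content servers
# publishing the same content derive identical segment secrets for identical content.
Export-BCSecretKey -Filename 'C:\BCKeys\bc-secret.key' -FilePassphrase 'constructed-file-passphrase'

# --- On content server 2, after copying the .key file over an authenticated, encrypted channel ---
Import-BCSecretKey -Filename 'C:\BCKeys\bc-secret.key' -FilePassphrase 'constructed-file-passphrase'

# Remove the exported file once imported: whoever holds the server secret can derive
# the segment secret of any content whose Hash of Data they know (see "Content information details").
Remove-Item -Path 'C:\BCKeys\bc-secret.key' -Force
```

Because the segment secret is a keyed hash of the Hash of Data under the server secret, changing the server secret changes every segment secret and segment ID that the server hands out; content already held in branch caches under the old secret can no longer be matched and is fetched again over the WAN. Plan a rotation as a deliberate cache reset, not a routine change.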

Content information details

BranchCache uses the server secret as a key to derive a content-specific hash that is sent to authorized clients. This hash is generated by applying a keyed hash (HMAC) to the Hash of Data, with the server secret as the key.

This hash is called the segment secret. BranchCache uses segment secrets to secure communications. In addition, BranchCache creates a Block Hash List, which is the list of hashes of the data blocks, and the Hash of Data, which is generated by hashing the Block Hash List.

The content information includes the following:

  • The Block Hash List:

    BlockHash_i = Hash(dataBlock_i), 1 <= i <= n

  • The Hash of Data (HoD):

    HoD = Hash(BlockHashList)

  • The Segment Secret (Kp), where Ks is the server secret:

    Kp = HMAC(Ks, HoD)

BranchCache uses the Peer Content Caching protocol and the Retrieval Framework protocol to implement the processes that are required to ensure the secure caching and retrieval of data between content caches.

In addition, BranchCache handles content information with the same degree of security that it uses when handling and transmitting the actual content itself.

Content flow and processes

The flow of content information and actual content is divided into four phases:

  1. BranchCache processes: Request content

  2. BranchCache processes: Locate content

  3. BranchCache processes: Retrieve content

  4. BranchCache processes: Cache content

The following sections describe these phases.

BranchCache processes: Request content

In the first phase, the client computer in the branch office requests content, such as a file or a Web page, from a content server in a remote location, such as the main office. The content server verifies that the client computer is authorized to receive the requested content. If the client computer is authorized and both the content server and the client are BranchCache-enabled, the content server generates content information.

The content server then sends the content information to the client computer using the same protocol as would have been used for the actual content.

For example, if the client computer requested a Web page over HTTP, the content server sends the content information using HTTP. Because of this, the wire-level security guarantees of the content and of the content information are identical.

After the initial portion of the content information (Hash of Data + Segment Secret) is received, the client computer performs the following actions:

  • Uses the Segment Secret (Kp) as the encryption key (Ke).

  • Generates the Segment ID (HoHoDk) from the HoD and Kp:

    HoHoDk = HMAC(Kp, HoD + C), where C is the ASCII string "MS_P2P_CACHING" with a NUL terminator.

在這個層級的主要威脅是區段密碼、的風險,但是 BranchCache 加密保護區段機密內容資料區塊。The primary threat at this layer is the risk to the Segment Secret, however BranchCache encrypts the content data blocks to protect the Segment Secret. BranchCache 會利用加密金鑰衍生從區段內容區塊是位於內容區段的密碼。BranchCache does this by using the encryption key that is derived from the Segment Secret of the content segment within which the content blocks are located.

這種方式可確保您擁有的伺服器密碼的不是實體,就無法探索實際 content 資料區塊中。This approach ensures that an entity that is not in possession of the server secret cannot discover the actual content in a data block. 區段機密被視為具有相同程度的安全性純文字區段,因為知道特定的區段密碼可從同儕取得該區段並加以解密實體。The Segment Secret is treated with the same degree of security as the plaintext segment itself, because knowledge of the Segment Secret for a given segment enables an entity to obtain the segment from peers and then decrypt it. 不會立即產生任何特定純文字知道伺服器密碼,但可以使用密碼文字,然後到 [可能部分部分已知暴力猜測攻擊資料公開衍生特定類型的資料。Knowledge of the Server Secret does not immediately yield any particular plaintext but can be used to derive certain types of data from the cipher text and then to possibly expose some partially known data to a brute-force guessing attack. 伺服器密碼,因此,則會保留機密。The server secret, therefore, should be kept confidential.
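The derivation chain from the content information formulas above (Block Hash List, HoD, Kp) through the Segment ID computation in the Request content phase, as an added example that is not part of the original page or of the Windows BranchCache implementation. It assumes SHA-256 for Hash, HMAC-SHA256 for HMAC, a fixed block size, and that Ks is the content server's server secret; the block size, keys and sample content are constructed values. It also shows the client-side block check that the later phases rely on: a block is accepted into the cache only when it matches its entry in the Block Hash List.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Assumptions not stated on the page: Hash is SHA-256, HMAC is HMAC-SHA256, and a segment
// is split into fixed-size blocks (the block size below is a constructed value).
const blockSize = 32

// ContentInfo holds the per-segment content information the page lists.
type ContentInfo struct {
	BlockHashes [][]byte // BlockHash_i = Hash(dataBlock_i)
	HoD         []byte   // Hash of Data = Hash(BlockHashList)
	Kp          []byte   // Segment Secret = HMAC(Ks, HoD); the client also uses it as Ke
	SegmentID   []byte   // HoHoDk = HMAC(Kp, HoD + "MS_P2P_CACHING\0"); public
}

// SplitBlocks divides a segment into blocks of at most size bytes.
func SplitBlocks(segment []byte, size int) [][]byte {
	var blocks [][]byte
	for len(segment) > size {
		blocks = append(blocks, segment[:size])
		segment = segment[size:]
	}
	return append(blocks, segment)
}

// BlockHashList hashes every block individually.
func BlockHashList(blocks [][]byte) [][]byte {
	out := make([][]byte, len(blocks))
	for i, b := range blocks {
		h := sha256.Sum256(b)
		out[i] = h[:]
	}
	return out
}

// HashOfData hashes the concatenated Block Hash List.
func HashOfData(hashes [][]byte) []byte {
	h := sha256.New()
	for _, bh := range hashes {
		h.Write(bh)
	}
	return h.Sum(nil)
}

// SegmentSecret derives Kp from the server secret Ks and the HoD; Ks never leaves the server.
func SegmentSecret(ks, hod []byte) []byte {
	m := hmac.New(sha256.New, ks)
	m.Write(hod)
	return m.Sum(nil)
}

// SegmentID derives HoHoDk; the constant C is "MS_P2P_CACHING" including its NUL terminator.
func SegmentID(kp, hod []byte) []byte {
	m := hmac.New(sha256.New, kp)
	m.Write(hod)
	m.Write([]byte("MS_P2P_CACHING\x00"))
	return m.Sum(nil)
}

// GenerateContentInfo is what the content server does for an authorized, BranchCache-enabled client.
func GenerateContentInfo(ks, segment []byte) ContentInfo {
	hashes := BlockHashList(SplitBlocks(segment, blockSize))
	hod := HashOfData(hashes)
	kp := SegmentSecret(ks, hod)
	return ContentInfo{BlockHashes: hashes, HoD: hod, Kp: kp, SegmentID: SegmentID(kp, hod)}
}

// VerifyBlock is the client-side check a retrieved block must pass before it enters the cache.
func VerifyBlock(ci ContentInfo, index int, block []byte) bool {
	if index < 0 || index >= len(ci.BlockHashes) {
		return false
	}
	h := sha256.Sum256(block)
	return bytes.Equal(h[:], ci.BlockHashes[index])
}

func main() {
	ks := []byte("constructed-server-secret-Ks")                  // constructed; kept on the content server
	segment := bytes.Repeat([]byte("example segment data "), 5) // constructed sample content
	ci := GenerateContentInfo(ks, segment)
	fmt.Println("blocks:    ", len(ci.BlockHashes))
	fmt.Println("HoD:       ", hex.EncodeToString(ci.HoD))
	fmt.Println("SegmentID: ", hex.EncodeToString(ci.SegmentID))
	tampered := append([]byte{}, SplitBlocks(segment, blockSize)[0]...)
	tampered[0] ^= 0x01
	fmt.Println("tampered block accepted:", VerifyBlock(ci, 0, tampered))
}
```

Two properties worth noticing when running it: the HoD depends only on the content, so two content servers with different Ks values produce the same HoD but different Kp and Segment ID values; and because the Segment ID is an HMAC keyed with Kp, publishing it in a discovery probe reveals nothing about Kp or the plaintext, which is the mitigation the Locate content phase relies on.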

BranchCache processes: Locate content

After the content information is received by the client computer, the client uses the Segment ID to locate the requested content in the local branch office cache, whether that cache is distributed between client computers or is located on a hosted cache server.

If the client computer is configured for hosted cache mode, it is configured with the computer name of the hosted cache server and contacts that server to retrieve the content.

If the client computer is configured for distributed cache mode, however, the content might be stored across multiple caches on multiple computers in the branch office. The client computer must discover where the content is located before the content can be retrieved.

When they are configured for distributed cache mode, client computers locate content by using a discovery protocol that is based on the Web Services Dynamic Discovery (WS-Discovery) protocol. Clients send WS-Discovery multicast Probe messages to discover cached content over the network. Probe messages include the Segment ID, which enables clients to check whether the requested content matches the content stored in their cache. Clients that receive the initial Probe message reply to the querying client with unicast Probe-Match messages if the Segment ID matches content that is cached locally.

The success of the WS-Discovery process depends on the client that is performing the discovery having the correct content information, provided by the content server, for the content that it is requesting.

The main threat to data during the Request content phase is information disclosure, because access to the content information implies authorized access to content. To mitigate this risk, the discovery process does not reveal the content information, other than the Segment ID, which does not reveal anything about the plaintext segment that contains the content.

In addition, another client computer run by a malicious user on the same network subnet can see the BranchCache discovery traffic to the original content source going through the router.

If the requested content is not found in the branch office, the client requests the content directly from the content server across the WAN link.

After the content is received, it is added to the local cache, either on the client computer or on a hosted cache server. In this case, the content information prevents a client or hosted cache server from adding to the local cache any content that does not match the hashes. The process of verifying content by matching hashes ensures that only valid content is added to the cache, and the integrity of the local cache is protected.

BranchCache processes: Retrieve content

After a client computer locates the desired content on the content host, which is either a hosted cache server or a distributed cache mode client computer, the client computer begins the process of retrieving the content.

First, the client computer sends a request to the content host for the first block that it requires. The request contains the Segment ID and block range that identify the desired content. Because only one block is returned, the block range contains only a single block. (Requests for multiple blocks are currently not supported.) The client also stores the request in its local Outstanding Request List.

Upon receiving a valid request message from a client, the content host checks whether the block specified in the request exists in the content host's content cache.

If the content host is in possession of the content block, the content host sends a response that contains the Segment ID, the Block ID, the encrypted data block, and the initialization vector that was used to encrypt the block.

If the content host is not in possession of the content block, the content host sends an empty response message. This informs the client computer that the content host does not have the requested block. An empty response message contains the Segment ID and Block ID of the requested block, along with a zero-sized data block.

When the client computer receives the response from the content host, the client verifies that the message corresponds to a request message in its Outstanding Request List. (The Segment ID and block index must match those of an outstanding request.)

If this verification is unsuccessful and the client computer does not have a corresponding request message in its Outstanding Request List, the client computer discards the message.

If this verification is successful and the client computer has a corresponding request message in its Outstanding Request List, the client computer decrypts the block. The client then validates the decrypted block against the appropriate block hash from the content information that the client initially obtained from the original content server.

If the block validation is successful, the decrypted block is stored in the cache.

This process is repeated until the client has all of the required blocks.

Note

If the complete segments of content do not exist on one computer, the retrieval protocol retrieves and assembles content from a combination of sources: a set of distributed cache mode client computers, a hosted cache server, and, if the branch office caches do not contain the complete content, the original content server in the main office.

Before BranchCache sends content information or content, the data is encrypted. BranchCache encrypts the block in the response message. In Windows 7, the default encryption algorithm that BranchCache uses is AES-128, the encryption key is Ke, and the key size is 128 bits, as dictated by the encryption algorithm.

BranchCache generates an initialization vector that is suitable for the encryption algorithm and uses the encryption key to encrypt the block. BranchCache then records the encryption algorithm and the initialization vector in the message.

Servers and clients never exchange, share, or send each other the encryption key. The client receives the encryption key from the content server that hosts the source content. Then, using the encryption algorithm and initialization vector that it received from the server, it decrypts the block. There is no other explicit authentication or authorization built into the download protocol.
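The single-block request and response exchange described in the Retrieve content phase, as an added example that is neither the page's own code nor the Windows implementation: a content host answers a request with the encrypted block and its initialization vector, or with an empty response when it does not hold the block, and the client checks its Outstanding Request List, decrypts with Ke, and validates the result against the block hash before caching it. AES-128 in CTR mode with a random per-block IV, the Go structures, the outcome strings, and the sample key and blocks are assumptions made for the demonstration; the page specifies only AES-128 with key Ke and an IV carried in the message.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// Assumption: AES-128 in CTR mode with a random IV per block (the page specifies only AES-128 with key Ke and an IV carried in the message).
func aesCTR(ke, iv, in []byte) ([]byte, error) {
	blk, err := aes.NewCipher(ke)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(blk, iv).XORKeyStream(out, in)
	return out, nil
}

// HashBlocks builds the Block Hash List that the client received in the content information.
func HashBlocks(blocks [][]byte) [][]byte {
	out := make([][]byte, len(blocks))
	for i, b := range blocks {
		h := sha256.Sum256(b)
		out[i] = h[:]
	}
	return out
}

type BlockResponse struct { // the fields the page lists; an empty response has zero-sized Data and no IV
	SegmentID  string
	BlockIndex int
	IV, Data   []byte
}

type ContentHost struct { // a distributed-mode peer or hosted cache server holding some blocks of one segment
	SegmentID string
	Ke        []byte   // derived from the Segment Secret; never sent on the wire
	Blocks    [][]byte // a nil entry means the block is not in this host's cache
}

// HandleRequest answers a single-block request with the encrypted block and IV, or with an empty response.
func (h *ContentHost) HandleRequest(segID string, idx int) (BlockResponse, error) {
	resp := BlockResponse{SegmentID: segID, BlockIndex: idx}
	if segID != h.SegmentID || idx < 0 || idx >= len(h.Blocks) || h.Blocks[idx] == nil {
		return resp, nil
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return resp, err
	}
	ct, err := aesCTR(h.Ke, iv, h.Blocks[idx])
	resp.IV, resp.Data = iv, ct
	return resp, err
}

type Client struct { // content information from the content server plus the Outstanding Request List
	SegmentID   string
	Ke          []byte
	BlockHashes [][]byte
	Outstanding map[int]bool   // Outstanding Request List, keyed by block index
	Cache       map[int][]byte // decrypted and validated blocks
}

// NewRequest records the block in the Outstanding Request List and returns what goes on the wire.
func (c *Client) NewRequest(idx int) (string, int) {
	c.Outstanding[idx] = true
	return c.SegmentID, idx
}

// HandleResponse applies the page's checks in order: "discarded", "missing", "rejected" or "cached".
func (c *Client) HandleResponse(r BlockResponse) string {
	if r.SegmentID != c.SegmentID || !c.Outstanding[r.BlockIndex] {
		return "discarded" // no matching entry in the Outstanding Request List
	}
	delete(c.Outstanding, r.BlockIndex)
	if len(r.Data) == 0 {
		return "missing" // empty response: fetch this block from another source
	}
	pt, err := aesCTR(c.Ke, r.IV, r.Data)
	if h := sha256.Sum256(pt); err != nil || r.BlockIndex >= len(c.BlockHashes) || !bytes.Equal(h[:], c.BlockHashes[r.BlockIndex]) {
		return "rejected" // decrypted block does not match its block hash
	}
	c.Cache[r.BlockIndex] = pt
	return "cached"
}

func main() { // constructed walkthrough: block 1 is deliberately absent from the host
	blocks := [][]byte{[]byte("block zero"), []byte("block one"), []byte("block two")}
	host := &ContentHost{SegmentID: "seg-A", Ke: []byte("0123456789abcdef"), Blocks: [][]byte{blocks[0], nil, blocks[2]}}
	c := &Client{SegmentID: "seg-A", Ke: host.Ke, BlockHashes: HashBlocks(blocks), Outstanding: map[int]bool{}, Cache: map[int][]byte{}}
	for i := range blocks {
		resp, _ := host.HandleRequest(c.NewRequest(i))
		fmt.Printf("block %d: %s\n", i, c.HandleResponse(resp))
	}
}
```

The order of checks mirrors the text: a response with no outstanding request is dropped before any cryptography runs, an empty response only tells the client to try another source, and the block hash is the sole integrity check, which is why CTR mode (or any unauthenticated mode) is acceptable here only because every block is hashed against content information that was obtained from the authorized content server.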

Security threats

The primary security threats at this layer include:

  • Tampering with data:

    A client serving data to a requester tampers with the data. The BranchCache security model uses hashes to confirm that neither the client nor the server has altered the data.

  • Information disclosure:

    BranchCache sends encrypted content to any client that specifies the appropriate Segment ID. Segment IDs are public, so any client can receive encrypted content. However, if a malicious user obtains encrypted content, they must know the encryption key to decrypt it. The upper-layer protocol performs authentication and then gives the content information to the authenticated and authorized client. The security of the content information is equivalent to the security provided to the content itself, and BranchCache never exposes the content information.

    An attacker sniffs the wire to obtain the content. BranchCache encrypts all transfers between clients by using AES-128 where the secret key is Ke, preventing data from being sniffed from the wire. Content information that is downloaded from the content server is protected in exactly the same way as the data itself would have been, and is hence no more or less protected from information disclosure than if BranchCache had not been used at all.

  • Denial of service:

    A client is overwhelmed by requests for data. BranchCache protocols incorporate queue management counters and timers to prevent clients from being overloaded.

BranchCache processes: Cache content

On distributed cache mode client computers and hosted cache servers that are located in branch offices, content caches are built up over time as content is retrieved over WAN links.

When client computers are configured for hosted cache mode, they add content to their own local cache and also offer data to the hosted cache server. The Hosted Cache Protocol provides a mechanism for clients to inform the hosted cache server about content and segment availability.

To upload content to the hosted cache server, the client informs the server that it has a segment available. The hosted cache server then retrieves all of the content information that is associated with the offered segment, and downloads the blocks within the segment that it actually needs. This process is repeated until the client has no more segments to offer the hosted cache server.

To update the hosted cache server by using the Hosted Cache Protocol, the following requirements must be met:

  • The client computer is required to have a set of blocks within a segment that it can offer to the hosted cache server. The client must supply content information for the offered segment; this comprises the Segment ID, the segment Hash of Data, the Segment Secret, and a list of all block hashes that are contained within the segment.

  • For hosted cache servers that are running Windows Server 2008 R2, a hosted cache server certificate and associated private key are required, and the certification authority (CA) that issued the certificate must be trusted by client computers in the branch office. This allows the client and server to participate successfully in HTTPS server authentication.

    Important

    Hosted cache servers that are running Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012 do not require a hosted cache server certificate and associated private key.

  • The client computer is configured with the computer name of the hosted cache server and the Transmission Control Protocol (TCP) port number on which the hosted cache server is listening for BranchCache traffic. The hosted cache server's certificate is bound to this port. The computer name of the hosted cache server can be a fully qualified domain name (FQDN) if the hosted cache server is a domain member computer, or it can be the NetBIOS name of the computer if the hosted cache server is not a domain member.

  • The client computer actively listens for incoming block requests. The port on which it is listening is passed as part of the offer messages from the client to the hosted cache server. This enables the hosted cache server to use BranchCache protocols to connect to the client computer to retrieve data blocks in the segment.

  • The hosted cache server starts to listen for incoming HTTP requests when it is initialized.

  • If the hosted cache server is configured to require client computer authentication, both the client and the hosted cache server are required to support HTTPS authentication.

Hosted cache mode cache population

The process of adding content to the hosted cache server's cache in a branch office begins when the client sends an INITIAL_OFFER_MESSAGE, which includes the Segment ID. The Segment ID in the INITIAL_OFFER_MESSAGE request is used to retrieve the corresponding segment Hash of Data, list of block hashes, and Segment Secret from the hosted cache server's block cache. If the hosted cache server already has all the content information for a particular segment, the response to the INITIAL_OFFER_MESSAGE is OK, and no request to download blocks occurs.

If the hosted cache server does not have all of the offered data blocks that are associated with the block hashes in the segment, the response to the INITIAL_OFFER_MESSAGE is INTERESTED. The client then sends a SEGMENT_INFO_MESSAGE that describes the single segment that is being offered. The hosted cache server responds with an OK message and initiates the download of the missing blocks from the offering client computer.

The segment Hash of Data, list of block hashes, and Segment Secret are used to ensure that the content that is being downloaded has not been tampered with or otherwise altered. The downloaded blocks are then added to the hosted cache server's block cache.
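The INITIAL_OFFER_MESSAGE and SEGMENT_INFO_MESSAGE exchange just described, as an added example that is not the page's own code and not the real wire format of the Hosted Cache Protocol: a hosted cache server that answers OK or INTERESTED, checks the offered content information for consistency (the HoD against the block hash list, and the offered Segment ID against the HoD and Kp using the HoHoDk formula from the Request content phase), and accepts downloaded blocks only when their hashes match. The Go structures, the plain-string replies, HMAC-SHA256 and SHA-256, and the sample blocks and Kp are assumptions made for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// The message names come from the page; their field layout and the plain-string OK and
// INTERESTED replies are assumptions made for this demonstration.
type InitialOfferMessage struct{ SegmentID []byte }

type SegmentInfoMessage struct {
	SegmentID   []byte
	HoD         []byte   // segment Hash of Data = Hash(BlockHashList)
	Kp          []byte   // Segment Secret
	BlockHashes [][]byte // one hash per block in the segment
	ClientPort  int      // port on which the offering client listens for block requests
}

type segmentEntry struct { // one segment in the hosted cache server's block cache
	HoD, Kp     []byte
	BlockHashes [][]byte
	Blocks      [][]byte // nil entry = block not downloaded yet
}

type HostedCacheServer struct{ Segments map[string]*segmentEntry }

// SegmentIDFor recomputes HoHoDk = HMAC(Kp, HoD + "MS_P2P_CACHING\0"); HMAC-SHA256 is assumed.
func SegmentIDFor(kp, hod []byte) []byte {
	m := hmac.New(sha256.New, kp)
	m.Write(hod)
	m.Write([]byte("MS_P2P_CACHING\x00"))
	return m.Sum(nil)
}

func (e *segmentEntry) missing() []int {
	var idx []int
	for i, b := range e.Blocks {
		if b == nil {
			idx = append(idx, i)
		}
	}
	return idx
}

// HandleInitialOffer answers OK when every block of the segment is already cached, else INTERESTED.
func (s *HostedCacheServer) HandleInitialOffer(m InitialOfferMessage) string {
	if e, ok := s.Segments[string(m.SegmentID)]; ok && len(e.missing()) == 0 {
		return "OK"
	}
	return "INTERESTED"
}

// HandleSegmentInfo validates the offered content information, records the segment, and returns the block indexes still to download.
func (s *HostedCacheServer) HandleSegmentInfo(m SegmentInfoMessage) ([]int, error) {
	h := sha256.New()
	for _, bh := range m.BlockHashes {
		h.Write(bh)
	}
	if !bytes.Equal(h.Sum(nil), m.HoD) {
		return nil, fmt.Errorf("hash of data does not match the block hash list")
	}
	if !hmac.Equal(SegmentIDFor(m.Kp, m.HoD), m.SegmentID) {
		return nil, fmt.Errorf("segment ID does not match HoD and Kp")
	}
	key := string(m.SegmentID)
	if _, ok := s.Segments[key]; !ok {
		s.Segments[key] = &segmentEntry{HoD: m.HoD, Kp: m.Kp, BlockHashes: m.BlockHashes,
			Blocks: make([][]byte, len(m.BlockHashes))}
	}
	return s.Segments[key].missing(), nil
}

// StoreDownloadedBlock accepts a block fetched from the offering client only if its hash matches.
func (s *HostedCacheServer) StoreDownloadedBlock(segID []byte, idx int, block []byte) bool {
	e, ok := s.Segments[string(segID)]
	if !ok || idx < 0 || idx >= len(e.BlockHashes) {
		return false
	}
	if h := sha256.Sum256(block); !bytes.Equal(h[:], e.BlockHashes[idx]) {
		return false
	}
	e.Blocks[idx] = block
	return true
}

func main() {
	sum := sha256.Sum256([]byte("alpha")) // constructed one-block segment
	hod := sha256.Sum256(sum[:])
	info := SegmentInfoMessage{HoD: hod[:], Kp: []byte("constructed-Kp"), BlockHashes: [][]byte{sum[:]}, ClientPort: 8080}
	info.SegmentID = SegmentIDFor(info.Kp, info.HoD)
	s := &HostedCacheServer{Segments: map[string]*segmentEntry{}}
	fmt.Println(s.HandleInitialOffer(InitialOfferMessage{info.SegmentID})) // INTERESTED
	missing, _ := s.HandleSegmentInfo(info)
	fmt.Println(missing, s.StoreDownloadedBlock(info.SegmentID, 0, []byte("alpha")))
	fmt.Println(s.HandleInitialOffer(InitialOfferMessage{info.SegmentID})) // OK
}
```

The two consistency checks in HandleSegmentInfo are what keeps a client from seeding the hosted cache with blocks under a Segment ID that other clients will later look up: the server recomputes HoD from the block hash list and HoHoDk from Kp and HoD, so an offer whose pieces do not agree is refused before any block is downloaded, and each downloaded block is then held to its hash exactly as the client-side retrieval does.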

Cache Security

This section provides information on how BranchCache secures cached data on client computers and on hosted cache servers.

Client computer cache security

The greatest threat to data stored in the BranchCache cache is tampering. If an attacker can tamper with content and content information that is stored in the cache, it might be possible to use this to launch an attack against the computers that are using BranchCache. Attackers can initiate an attack by inserting malicious software in place of other data. BranchCache mitigates this threat by validating all content using the block hashes found in the content information. If an attacker attempts to tamper with this data, it is discarded and replaced with valid data from the original source.

A secondary threat to data stored in the BranchCache cache is information disclosure. In distributed cache mode, the client caches only the content that it has requested itself; however, that data is stored in clear text and might be at risk. To help restrict cache access to the BranchCache service only, the local cache is protected by file system permissions that are specified in an ACL.

Although the ACL is effective in preventing unauthorized users from accessing the cache, it is possible for a user with administrative privileges to gain access to the cache by manually changing the permissions that are specified in the ACL. BranchCache does not protect against the malicious use of an administrative account.

Data that is stored in the content cache is not encrypted, so if data leakage is a concern, you can use encryption technologies such as BitLocker or the Encrypting File System (EFS). The local cache that is used by BranchCache does not increase the information disclosure threat borne by a computer in the branch office; the cache contains only copies of files that reside unencrypted elsewhere on the disk.

Encrypting the entire disk is particularly important in environments in which the physical security of the clients is difficult to ensure. For example, encrypting the entire disk helps to secure sensitive data on mobile computers that might be removed from the branch office environment.

Hosted cache server cache security

In hosted cache mode, the greatest threat to the security of the hosted cache server is information disclosure. BranchCache in a hosted cache environment behaves in a similar manner to distributed cache mode, with file system permissions protecting the cached data. The difference is that the hosted cache server stores all of the content that any BranchCache-enabled computer in the branch office requests, rather than just the data that a single client requests. The consequences of unauthorized intrusion into this cache could be much more serious, because much more data is at risk.

In a hosted cache environment where the hosted cache server is running Windows Server 2008 R2, the use of encryption technologies such as BitLocker or EFS is advisable if any of the clients in the branch office can access sensitive data across the WAN link. It is also necessary to prevent physical access to the hosted cache server, because disk encryption protects the data only if the computer is turned off when the attacker gains physical access. If the computer is turned on or is in sleep mode, disk encryption offers little protection.

Note

Hosted cache servers that are running Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012 encrypt all data in the cache by default, so the use of additional encryption technologies is not required.

Even if a client is configured in hosted cache mode, it still caches data locally, and you might want to take steps to protect the local cache in addition to the cache on the hosted cache server.