Forefront TMG and BranchCache Hosted Cache deployed on the same host


BranchCache™ is a new feature in Windows® 7 and Windows Server® 2008 R2 that reduces wide area network (WAN) bandwidth utilization and improves network application responsiveness when users in branch offices access content in a central office. When you enable BranchCache, a copy of the content retrieved from the Web server or file server is cached within the branch office. If another client in the branch requests the same content, it downloads the content directly from the local branch network instead of retrieving it again over the WAN.

How BranchCache works: when a Windows 7 client in a branch office requests data such as WSUS content from a head office server, the server checks authentication and authorizes the data to pass to the client. This ordinary exchange happens without BranchCache as well.

With BranchCache, the client uses the hashes in the content metadata to search for the file on the Hosted Cache server. Because this is the first time any client has retrieved the file, it is not yet cached on the local network, so the client retrieves the file directly from the content server. The Hosted Cache server then connects to the client and retrieves the set of blocks that it does not already have cached.

When a second Windows 7 client from the same branch requests the same WSUS content from the content server (the WSUS server), the content server authorizes the client and returns the content identifiers. The second client uses these identifiers to request the data from the Hosted Cache server in the branch; this time, it does not retrieve the data from the DFS share in the head office.

To configure a Web server or an application server that uses the Background Intelligent Transfer Service (BITS) protocol, you must install the BranchCache feature using Server Manager. To configure a file server to use BranchCache, you must install the BranchCache for Network Files feature and configure the server using Group Policy. This article discusses and shows how to configure WSUS to use BranchCache. The following steps are involved in the head office and the branch offices.

Head Office:

  1. Install and configure TMG Server (Upstream Proxy)
  2. Add FQDN of branch TMG server in DNS server
  3. Prepare necessary routing for both TMG

Branch Office:

  1. Install and configure TMG server
  2. Create DFS share in Branch Office
  3. Install and configure Branchcache File Server
  4. Configure GPO for Branchcache
  5. Validate hosted cache is working

By default, Forefront TMG blocks most traffic that is destined explicitly for the host or originating from the host. To allow BranchCache to function in Hosted Cache mode, you must define specific Forefront TMG policy rules so that BranchCache clients and the BranchCache Hosted Cache can communicate. To allow this communication you must define two Forefront TMG policy rules:

  1. Allow Hosted Cache Inbound Connections—A rule that allows clients to advertise new content to the Hosted Cache server, and retrieve data from the Hosted Cache server.
  2. Allow Hosted Cache Outbound Connections—A rule that allows the Hosted Cache server to retrieve advertised content from the client.

Step 1: Connect the branch TMG (downstream TMG) with the head office TMG (upstream TMG), Microsoft Active Directory and DNS.

1. Click Monitoring, click Connectivity Verifiers, click Create New Connectivity Verifier, type the name of the new connectivity verifier, and click Next.

2. Select Web Connectivity from the drop-down list, type the FQDN of the upstream proxy, click Next, and then click Finish.

3. Repeat steps 1 and 2 to create connectivity verifiers for Active Directory and DNS.

4. Apply the changes and click OK.

Step 2: Write down which ports clients are actually configured to use

Choose any BranchCache client and check the registry. The registry keys below contain the actual value if the defaults were modified.

  • The Retrieval port registry key (if not specified, the default is 80):
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\PeerDist\DownloadManager\Peers\Connection

  • The Hosted Cache port registry key (if not specified, the default is 443):
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\PeerDist\HostedCache\Connection
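To collect the values Step 2 asks for without reading Regedit by hand, the following PowerShell snippet (added here; it is not part of the original article) reads both keys on a client and falls back to the documented defaults of 80 and 443 when a key or value is absent. It assumes the port is stored in a DWORD value named ListenPort under each Connection key; if Regedit shows a different value name on your clients, pass it via -ValueName.

```powershell
# Added example: report the BranchCache ports a Windows 7 client actually uses.
# Assumption (not stated in the article): the port lives in a DWORD named
# ListenPort under each Connection key. Defaults per the article: 80 and 443.
# Written for PowerShell 2.0 (Windows 7), so no PS 3.0-only syntax is used.
function Get-BranchCachePort {
    param(
        [Parameter(Mandatory=$true)][string]$KeyPath,
        [Parameter(Mandatory=$true)][int]$Default,
        [string]$ValueName = 'ListenPort'
    )
    # A missing key or value means the default is in effect.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.$ValueName) { return $Default }
    return [int]$item.$ValueName
}

$base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist'

$ports = New-Object PSObject -Property @{
    RetrievalPort   = Get-BranchCachePort -KeyPath "$base\DownloadManager\Peers\Connection" -Default 80
    HostedCachePort = Get-BranchCachePort -KeyPath "$base\HostedCache\Connection" -Default 443
}
$ports | Format-List RetrievalPort, HostedCachePort

# Cross-check against what the BranchCache service itself reports; the
# port numbers printed here must match the TMG protocol definitions in
# Steps 3 and 4, otherwise the access rules silently allow the wrong ports.
netsh branchcache show status all
```

Run it on a client before creating the protocol definitions; if the numbers differ from 80 and 443, use the reported values in Steps 3 and 4.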

Step 3: Define the Retrieval protocol

  1. Select the Firewall Policy node.
  2. Select the Toolbox tab.
  3. Expand Protocols.
  4. Click New and then select Protocol.
  5. Enter the protocol definition name as “BranchCache -Retrieval” and click Next.
  6. Click New and add the new protocol, as follows:
    1. Protocol Type: TCP
    2. Direction: Outbound
    3. Port Range: From 80 to 80 (replace 80 if a different port was identified in Step 2)
    4. Click OK.

Step 4: Define the Hosted Cache protocol

  1. Select the Firewall Policy node.
  2. Select the Toolbox tab.
  3. Expand Protocols.
  4. Click New and then select Protocol.
  5. Enter the protocol definition name as “BranchCache -Advertise” and click Next.
  6. Click New and add the new protocol, as follows:
    1. Protocol Type: TCP
    2. Direction: Outbound
    3. Port Range: From 443 to 443 (replace 443 if a different port was identified in Step 2)
    4. Click OK.

Step 5: Create a rule to allow Hosted Cache Inbound Connections

  1. Select the Firewall Policy node.
  2. Select the Tasks tab.
  3. Click Create Access Rule.
  4. Define the rule name as “Allow Hosted Cache Inbound Connections” and then click Next.
  5. On the Rule Action page, select Allow and then click Next.
  6. On the This rule applies to page:
    1. Choose Selected Protocols from the list, and then click the Add button.
    2. In the Add Protocols dialog box, expand User-defined protocols.
    3. Select BranchCache -Retrieval protocol and click Add.
    4. Select BranchCache -Advertise protocol, click Add and then click Close.
    5. Click Next.
  7. On the Access Rule Sources page:
    1. Click Add.
    2. In the Add Network Entities dialog box, expand the Networks folder, select Internal Network, click Add, and then click Close.
    3. Click Next.
  8. On the Access Rule Destinations page:
    1. Click Add.
    2. In the Add Network Entities dialog box, expand the Networks folder, select Local Host, click Add, and then click Close.
    3. Click Next.
  9. On the User Sets page, click Next to apply the rule to all users.
  10. On the Completing the New Access Rule Wizard page, click Finish to close the wizard.

Step 6: Create a rule to allow Hosted Cache Outbound Connections

  1. Select the Firewall Policy node.
  2. Select the Tasks tab.
  3. Click Create Access Rule.
  4. Define the rule name as “Allow Hosted Cache Outbound Connections” and click Next.
  5. On the Rule Action page, select Allow and then click Next.
  6. On the This rule applies to page:
    1. Choose Selected Protocols from the list, and then click the Add button.
    2. In the Add Protocols dialog box, expand User-defined protocols.
    3. Select BranchCache -Retrieval protocol and click Add.
    4. Click Next.
  7. On the Access Rule Sources page:
    1. Click Add.
    2. In the Add Network Entities dialog box, expand the Networks folder, select Local Host, click Add, and then click Close.
    3. Click Next.
  8. On the Access Rule Destinations page:
    1. Click Add.
    2. In the Add Network Entities dialog box, expand the Networks folder, select Internal Network, click Add, and then click Close.
    3. Click Next.
  9. On the User Sets page, click Next to apply the rule to all users.
  10. On the Completing the New Access Rule Wizard page, click Finish to close the wizard.
  11. Click Apply to save the changes and update the configuration.

Step 7: (Optional) Reduce the impact of NIS inspection on Hosted Cache traffic

NIS is a protocol decode-based traffic inspection feature of Forefront TMG that uses signatures of known vulnerabilities to detect and potentially block attacks on network resources (for more information about NIS,

This topic is not applicable if NIS is not enabled. To check if NIS is enabled:

  1. Select the Intrusion Prevention System node.
  2. On the Tasks pane, click Configure Properties.
  3. On the General tab, verify that the Enable NIS check box is selected.

When enabled, NIS inspects all traffic, including traffic destined explicitly to the host or originating from the host. As a result, users may experience increased latency when retrieving cached objects from the Hosted Cache server.

In the case of a significant impact, it is recommended to choose one of the following options to mitigate the issue:

Option 1: Disable NIS inspection only for traffic destined explicitly to the host or originating from the host.

The risk of disabling NIS for traffic destined explicitly to the host or originating from the host is small, for the following reasons:

  • NIS is applied to all other traffic, continuing to defend all internal un-patched machines. Forefront TMG itself, as an edge-located security device, is expected to be patched at all times, and thus protected from all known threats.
  • By default, NIS does not inspect non-HTTP/HTTPS traffic destined explicitly to the host or originating from the host; thus disabling NIS on the local host has no impact on other protocols.
  • Forefront TMG does not initiate outbound web-access. As a result, the vulnerability of the host itself to web-originating threats is very low. As a common security practice, administrators are advised not to browse the Internet from the Forefront TMG host.

To disable NIS for traffic destined explicitly to the host or originating from the host:

1. The following registry key has a default value of 1. To disable localhost traffic inspection, use Regedit on the host to assign it a value of 0.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAT\Stingray\Debug\IPS\IPS_LOCALHOST_INSPECTION_MODE

2. Re-apply the Forefront TMG policy:
Open any of the firewall policy rules and add a space anywhere in the rule description. Click Apply.

Option 2: Change the BranchCache protocols' default port numbers (80 and 443) to custom port numbers.
Explanation: By default NIS inspects only HTTP and HTTPS in localhost traffic. To retain that inspection without affecting BranchCache performance, change the BranchCache default ports to any other available ports.

Branch Forefront TMG also provides:

  • Secure web-access via anti-malware, URL filtering and HTTPS inspection.
  • Firewall and Network Inspection System (NIS).
  • Reverse proxy (web-publishing) of web-applications at the branch.
  • Site-to-site VPN.
  • Roaming-user VPN.

Step 8: Install the BranchCache File Server on TMG

1. Click Start, point to Administrative Tools, and then click Server Manager.

2. Right-click Roles and then click Add Roles.

3. In the Add Features Wizard, select File Server and BranchCache for network files and then click Next.

4. In the Confirm Installation Selections dialog box, click Install.

5. In the Installation Results dialog box, confirm that BranchCache installed successfully, and then click Close.

Step 9: Use Group Policy to configure BranchCache

1. Open the Group Policy Management Console. Click Start, point to Administrative Tools, and then click Group Policy Management Console.

2. Select the domain in which you will apply the Group Policy object, or select Local Computer Policy.

3. Select New from the Action menu to create a new Group Policy object (GPO).

4. Choose a name for the new GPO and click OK.

5. Right-click the GPO just created and choose Edit.

6. Click Computer Configuration, point to Policies, Administrative Templates, Network, and then click Lanman Server.

7. Double-click Hash Publication for BranchCache.

8. Click Enabled.

9. Under Options, choose one of the following Hash publication actions:

a. Allow hash publication for all file shares.

b. Allow hash publication for file shares tagged with “BranchCache support.”

c. Disallow hash publication on all file shares.

10. Click OK.

Step 10: Use Registry Editor to configure disk use for stored identifiers

1. Open an elevated command prompt (click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator).

2. At the command prompt, type Regedit.exe, and then press Enter.

3. Navigate to HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters.

4. Right-click the HashStorageLimitPercent value, and then click Modify.

5. In the Value box, type the percentage of disk space that you would like BranchCache to use. Click OK.

6. Close the Registry Editor.

Step 11: Set up the BranchCache support tag on a file server

1. Click Start, point to Administrative Tools, and then click Share and Storage Management.

2. Right-click a share and then click Properties.

3. Click Advanced.

4. On the Caching tab, select Only the files and programs that users specify are available offline.

5. Select Enable BranchCache, and then click OK.

6. Click OK, and then close the Share and Storage Management Console.

To replicate cryptographic data:

1. Open an elevated command prompt (click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator).

2. At the command prompt, type netsh branchcache set key passphrase="MY_PASSPHRASE", and then press Enter. Choose a phrase known only to you. Repeat this process using the same phrase on all computers that are participating in the cluster.

Step 12: Configure clients using GPO

1. Click Start, point to Administrative Tools, and click Group Policy Management Console.

2. In the console tree, select the domain in which you will apply the GPO.

3. Create a new GPO by selecting New from the Action menu.

4. Choose a name for the new GPO, and then click OK.

5. Right-click the GPO you created and choose Edit.

6. Click Computer Configuration, point to Policies, Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine, Network, and then click BranchCache.

7. Double-click Turn on BranchCache.

8. Click Enabled, and then click OK.

9. To use Distributed Cache mode, double-click Turn on BranchCache – Distributed Caching mode, click Enabled, and then click OK.
   Or, to use Hosted Cache mode, double-click Turn on BranchCache – Hosted cache mode, click Enabled, and then click OK.

10. To enable BranchCache for SMB traffic, double-click BranchCache for network files, click Enabled, select a latency value under Options, and then click OK.

Step 13: Validate that the Hosted Cache is working properly

  1. Choose any client in the branch office.
  2. Open Performance Monitor, track the BranchCache "Bytes from Cache" counter, and take note of the current value.
  3. Open your Internet browser. Clear the browser cache to make sure it is not used in this validation.
  4. Instructions for clearing the cache using Internet Explorer 8:

    1. On the Tools menu, select Internet Options.
    2. On the General tab, in the Browsing History section, click the Delete… button.
    3. In the opened dialog box, select the Temporary Internet Files check box and clear the other check boxes, then click Delete.
    4. Wait for the operation to complete, and then close the dialog boxes.
  5. Using the client, access or download an object with a known size from an HTTP/HTTPS application on a Windows Server 2008 R2 server.
  6. Expected result:
    • If the object was never accessed from the Branch, the counter should increment by the object size on the third attempt to access it (between attempts, make sure you clear the browser cache).
    • If the object was already accessed from the Branch, the counter should increment by the object size on the first or second attempt.
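The validation above can be scripted so the counter delta is measured per attempt rather than eyeballed in Performance Monitor. The following PowerShell script is an added example, not part of the original article; it assumes the counter path '\BranchCache\Retrieval: Bytes from Cache' (check the exact name in Performance Monitor on your client) and a placeholder URL for an object of known size. It downloads via BITS rather than .NET WebClient because BITS is BranchCache-aware, which also removes the need to clear a browser cache between attempts.

```powershell
# Added example: measure how much of each download the Hosted Cache served.
# Assumptions (not in the article): the counter path and the test URL below.
# BITS is used because it integrates with BranchCache; .NET's WebClient
# bypasses WinINET/WinHTTP and would never touch the cache.
Import-Module BitsTransfer

$Counter = '\BranchCache\Retrieval: Bytes from Cache'   # verify in Performance Monitor
$Url     = 'http://contentserver.corp.example/test.bin'  # placeholder: object of known size

function Get-BytesFromCache {
    # Cooked value of the counter at this instant.
    (Get-Counter -Counter $Counter).CounterSamples[0].CookedValue
}

function Test-HostedCacheRetrieval {
    param([int]$Attempts = 3)   # the article expects a cache hit by the third attempt
    for ($i = 1; $i -le $Attempts; $i++) {
        $tmp    = Join-Path $env:TEMP ("bc-test-{0}.bin" -f $i)
        $before = Get-BytesFromCache
        Start-BitsTransfer -Source $Url -Destination $tmp   # synchronous download
        $after  = Get-BytesFromCache
        $size   = (Get-Item $tmp).Length
        Remove-Item $tmp -Force
        $delta  = [int64]($after - $before)
        # Compare the counter increment with the object size, as Step 13 describes.
        $verdict = if ($delta -ge $size)  { 'served from Hosted Cache' }
                   elseif ($delta -gt 0)  { 'partially from Hosted Cache' }
                   else                   { 'fetched over the WAN' }
        New-Object PSObject -Property @{
            Attempt = $i; ObjectBytes = $size; CacheBytes = $delta; Verdict = $verdict
        }
    }
}

Test-HostedCacheRetrieval | Format-Table Attempt, ObjectBytes, CacheBytes, Verdict -AutoSize
```

If every attempt reports "fetched over the WAN", re-check the Step 5 and Step 6 access rules and the port values from Step 2 before suspecting the clients.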

Relevant Study:

Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step

DFS Step-by-Step Guide for Windows Server 2008

How to configure DFS to use fully qualified domain names in referrals

How to configure Windows Server Update Services (WSUS) to use BranchCache
