Deploy a hosted cache mode design

Updated: October 7, 2009

Applies To: Windows 7, Windows Server 2008 R2

When you deploy BranchCache in hosted cache mode for a branch office, a hosted cache server is installed at the branch office.

Client computers that are running either Windows® 7 Enterprise or Windows® 7 Ultimate are also installed at the branch office. These clients download content from content servers that are installed at the main office; and after content is downloaded, the hosted cache server obtains and caches the content, providing the content to other clients in the same branch office upon request.

To deploy BranchCache in hosted cache mode, you must install and configure content servers in your main office and install and configure a hosted cache server and client computers in your branch office. In addition, client computers at branch offices must be able to access the main office content servers over some type of wide area network (WAN) link, such as a dedicated or on-demand virtual private network (VPN) connection between the offices; or clients must use some other method to connect to the content servers, such as by using DirectAccess.

Finally, you must enroll a server certificate to your hosted cache server that the server uses to prove its identity to client computers in the branch office. After the hosted cache server enrolls a certificate, you must obtain the SHA-1 hash of the certificate and link the certificate to BranchCache.

CAs and certificates

You can deploy server certificates with either a public CA or with a private CA that you own and deploy.

• Public CAs are deployed by third party companies, such as Verisign, who sell certificates for use by their customers. This guide does not describe how to deploy hosted cache mode with certificates that are issued by a public CA, but it is possible if you ensure that the certificates meet the minimum server certificate requirements and are configured in accordance with the Web Server certificate template as described in this guide. In addition, before purchasing a server certificate issued by a public CA, you should ensure that BranchCache client computers already trust the public CA.

• Private CAs are deployed by organizations who design and deploy a public key infrastructure (PKI). This guide provides instructions on how to deploy your own CA using Active Directory Certificate Services (AD CS).

There are two types of certificates that are used when you deploy BranchCache in hosted cache mode:

• CA certificate. When you deploy your own CA, the root CA certificate is automatically distributed to client computers that are domain members. The certificate is stored in the Trusted Root Certification Authorities certificate store for the Local Computer and for the Current User. These certificate stores can be viewed by using the Certificates Microsoft Management Console (MMC) snap-in. When a CA certificate exists in the Trusted Root Certification Authorities certificate store, it means that the computer trusts all certificates that are issued by the CA.

• Server certificate. The server certificate is issued by the CA to the hosted cache server. The hosted cache server uses the certificate to prove its identity to client computers during the authentication process.

Hosted cache mode

See the following topics to deploy BranchCache in hosted cache mode.

• Install and configure content servers

• Configure client computers for hosted cache mode

• Install the certification authority and enroll certificates to hosted cache servers

• Obtain the SHA-1 hash of the hosted cache server certificate

• Link the hosted cache server certificate to BranchCache