Reducing Bandwidth Utilization with Windows 7 and Windows Server 2008 R2 BranchCache
Technical Case Study
Published: January 2010
Does the increasing cost of wide area network (WAN) access restrict you from providing your branch offices with the data center services they need? Learn how Microsoft IT uses the BranchCache™ feature available in the Windows® 7 operating system and the Windows Server® 2008 R2 operating system to improve performance and availability to branch offices. Services at the branch office level include file and print management, offline folder redirection, operating system and application distribution, and patch management. By implementing BranchCache, Microsoft IT significantly improved service availability while maintaining network traffic encryption including HTTPS and IPsec and reducing WAN usage and server demand. Using BranchCache, Microsoft IT expects to save money while increasing branch user productivity.
Driven by challenges of reducing the costs and complexity of branch IT, businesses are seeking to centralize applications. However, as businesses centralize applications, they increase their dependency on the availability and quality of the WAN link.
The increased utilization of the WAN link is a direct result of centralization, as is the degradation of application performance. Recent studies have shown that despite the reduction of costs associated with WAN links, WAN costs are still a major component of enterprises' operational expenses.
Microsoft IT is implementing BranchCache, a new feature in Windows 7 and Windows Server 2008 R2, to cache data locally within the branch office. When another client on the same network requests the file, the client downloads it from the local cache without downloading the same content across the WAN.
In the continuing effort to streamline operations and reduce the cost and complexity of IT, many businesses are consolidating their applications onto centralized servers. An unintended consequence of this application centralization is the increasing reliance on and demand for the business' WAN link.
As network bandwidth demand increases, application performance degrades. Users at branch offices often experience delays when they use network applications that need to access a WAN to connect to servers. For example, it might take several seconds or even minutes for a user in a branch office to open a large file on a shared folder that is located on a server at the central office. Similarly, a user attempting to view a video in their Web browser might have to wait for a long time for the video to load.
In addition to performance degradation, branch office demand for network bandwidth can drive up costs. Recent studies have shown that despite the reduction of costs associated with WAN links, WAN costs are still a major component of enterprises' operational expenses.
To better support how Microsoft branch offices access data on the corporate network, Microsoft Information Technology (Microsoft IT) is implementing a new data-caching feature in Windows 7 and Windows Server 2008 R2 called BranchCache, which caches data locally in a branch office. When another client on the same network requests the file, the client downloads it from the local cache instead of having to access the WAN.
This section of the document provides an overview of how BranchCache works and discusses the underlying network technologies that Microsoft IT has implemented as part of the BranchCache system.
Systems must meet the following requirements to use BranchCache:
- Client computers must be running the Windows 7 Enterprise operating system or the Windows 7 Ultimate operating system with the BranchCache feature enabled.
- Web servers and file servers must be running Windows Server 2008 R2, with the BranchCache feature enabled. For a complete list of operating systems that support BranchCache, see http://technet.microsoft.com/en-us/library/ee307962(WS.10).aspx.
Improving Networked Application Performance
BranchCache only retrieves data from a server when the client requests it. Because it is a passive cache, it will not increase WAN utilization. BranchCache only caches read requests, and thus does not interfere with a user saving a file.
BranchCache improves the responsiveness of common network applications that access intranet servers across slow links. Because it does not require any infrastructure, you can improve the performance of remote networks simply by deploying Windows 7 to client computers, deploying Windows Server 2008 R2 to server computers, and enabling BranchCache.
BranchCache works seamlessly alongside network security technologies such as Secure Sockets Layer (SSL), Server Message Block (SMB) Signing, and end-to-end IPsec. You can use BranchCache to reduce network bandwidth utilization and improve application performance even if the content is encrypted.
BranchCache Operational Modes
When BranchCache is enabled, a copy of data accessed from intranet Web and file servers is cached locally within the branch office. When another client on the same network requests the file, the client downloads it from the local cache without downloading the same content across the WAN.
BranchCache can operate in one of two modes:
- Distributed Cache. In Distributed Cache mode, the cache is kept on Windows 7 client computers. Improving performance is as easy as enabling BranchCache on your Windows 7 client and Windows Server 2008 R2–based computers.
- Hosted Cache. In Hosted Cache mode, the cache resides on any branch office server running Windows Server 2008 R2. Other clients who need the same content retrieve it directly from the Hosted Cache. The Hosted Cache server can run the Server Core installation option of Windows Server 2008 R2 and can also host other applications. In addition, Hosted Cache can be configured as a virtual workload and run on a server with other workloads, such as File and Print.
The following figure illustrates the two BranchCache modes:
Figure 1. BranchCache can operate in two different modes
Choosing the Right Cache Mode
Because Distributed Cache mode allows IT professionals to take advantage of BranchCache with minimal hardware deployments, it is especially beneficial for branch offices that have fewer than 50 users and do not have a local server.
However, if the branch office has deployed other infrastructure (such as file or print servers), using Hosted Cache mode may be beneficial for the following reasons:
- Increased cache availability. Hosted Cache mode increases the cache efficiency because content is available even if the client that originally requested the data is offline.
- Caching for the entire branch office. Distributed Cache mode operates on a single subnet. If a branch office that is using Distributed Cache mode has multiple subnets, a client on each subnet needs to download a separate copy of each requested file. With Hosted Cache mode, all clients in a branch office can access a single cache, even if they are on different subnets.
For more information about BranchCache's two operational modes, download the BranchCache Technical Overview white paper at http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=ee07308f-7c53-4c76-9ed9-670bc25a4c9d.
Architecture and Security
The following figure illustrates the server-side protocols utilized by the BranchCache system.
Figure 2. The BranchCache architecture
BranchCache works with any of the following protocols:
- Hypertext Transfer Protocol (HTTP) and Hypertext Transfer Protocol Secure (HTTPS). The protocols that Web browsers and many other applications (such as Microsoft® Internet Explorer®, Windows Media® Player, and more) use.
- SMB (including signed SMB traffic). SMB is the protocol used for shared folders on Windows networks.
- Background Intelligent Transfer Service (BITS). BITS is used to transfer files asynchronously between a client and a server. BITS is the protocol that Microsoft System Center Configuration Manager (SCCM) and Windows Server Update Services (WSUS) use.
Works with Existing Security Infrastructure
BranchCache implements a secure-by-design approach that works seamlessly alongside the existing network security architectures deployed in an enterprise, without the requirement of additional equipment or complex configuration. BranchCache is easily managed by using existing systems management technology; for example, you can enable BranchCache on client computers by using Group Policy.
When you enable BranchCache, the security architectures and systems specifically designed for your environment will continue to work as is; nothing different is needed to support BranchCache. Authentication is still performed using domain credentials. Authorization using access control lists (ACLs) is respected, and other configurations continue to function just as they did before BranchCache was enabled.
The BranchCache security model is based on the exchange of metadata using the original protocol (HTTP, HTTPS, or SMB). This metadata takes the place of the original content in that protocol exchange. BranchCache accelerates delivery of encrypted content such as when using HTTPS and IPsec, and at the same time it ensures that content can be retrieved locally only when authorized by the original server. Additionally, BranchCache supports the optimization of downloads over end-to-end secure transports such as HTTPS and IPsec.
Microsoft IT researched and installed a variety of network appliances throughout the corporate infrastructure, but many of these do not support encryption. Microsoft IT was especially interested in implementing BranchCache because of its ability to maintain IPsec-encrypted data transfers through the enterprise network.
Note: BranchCache encrypts data during transmission over the network, but it is not involved in encrypting data while the information sits on a local computer. If you want to encrypt any or all of your computer's stored information, Microsoft IT encourages users to enable BitLocker® drive encryption on their computers.
For more information about BranchCache security, download the BranchCache Security Guide at http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=449be4b1-5f87-47f1-945b-ccd4b196b34f.
BranchCache Deployments at Microsoft
As the earliest adopter and tester of Microsoft technology, Microsoft IT was working with BranchCache as early as Windows 7 Beta. Microsoft IT was especially interested in using BranchCache in branch offices that were known to have slow links to the main corporate data center in hopes of improving local access time while simultaneously reducing WAN bandwidth demand.
The pilot deployments discussed in this document occurred during the Windows Server 2008 R2/Windows 7 Release Candidate (RC) timeframe. Microsoft IT implemented BranchCache pilots to test the technology using three different systems and protocols:
- Testing access to internal file shares via SMB
- Testing access to an internal Microsoft Office SharePoint® Server 2007 site via HTTP
- Testing integration with System Center Configuration Manager and accessing advertised downloads via BITS
In total, BranchCache was deployed to 24 branch offices where it was tested against internal file shares using SMB, and against a SharePoint Server 2007 SP2 site accessed via HTTP. From these 24 sites, five North American branch offices were also used for System Center Configuration Manager 2007 SP2 (BITS) validation.
Figure 3. Locations and numbers of branch offices used for BranchCache pilots
The remainder of this section provides details about these pilot deployments.
Note: The percentage bandwidth savings discussed in these results measure the amount of WAN bandwidth saved for cached files; they are not the percentage reduction of total branch office WAN use. Overall, WAN bandwidth savings will be measured as Microsoft IT upgrades the majority of its back-end servers to Windows Server 2008 R2.
Twenty-four branch offices used BranchCache when accessing two resources: an internal file share site via SMB, and a SharePoint 2007 SP2 site accessed via HTTP.
SMB/HTTP Pilot Implementation
The SMB/HTTP pilot tested both of BranchCache's operational modes:
- Hosted Cache mode was tested in 14 branch offices that historically had restricted network bandwidth and that had Virtual Branch Office Servers (VBOS) in place. These computers were Windows Server 2008 systems that operated as remote site platforms to host a variety of services as virtual machines (VMs). With an available virtual server infrastructure, adding BranchCache to these branch offices involved adding a new BranchCache Windows Server 2008 R2 VM to each VBOS and installing 100-gigabyte (GB) hard disk drives that were reserved for BranchCache use. A total of 2,709 Windows 7 clients were identified in the hosted cache sites. To connect client systems to the appropriate branch office hosted cache, Microsoft IT used site-based Group Policy to push the server name to clients only when they were connected to that network. When a computer moved to a different site with another hosted cache server, it would receive a new Group Policy object (GPO) that pointed to the local server.
- Distributed Cache mode was tested in 10 branch offices as well as a domain in Africa. Distributed Cache mode involved 4,823 Windows 7 clients. As with Hosted Cache mode facilities, Microsoft IT targeted locations with restricted bandwidth. Microsoft IT enabled one regional office in the African domain for Distributed Cache via the domain-based GPO, as well as enabling the same site for Hosted Cache via the site-based GPO in order to validate that site-based GPO settings override the domain-based ones. This ability was of special interest to Microsoft IT, as they plan to use Hosted Cache during the next phase of BranchCache implementation due to its more highly available cache and its ability to serve multiple subnets, as was described previously in this document.
Microsoft IT determined that for the 14 Hosted Cache mode sites, the average percentage of data transferred from BranchCache-aware traffic across all sites was 40 percent. Because the Distributed Cache mode sites included BITS validation, almost 90 percent of BranchCache-aware traffic in the Distributed Cache sites came from locally distributed caches.
Figure 4. Percent of bandwidth served by BranchCache mode
Note: Microsoft IT expects that if the Hosted Cache mode sites had included BITS data, the percent WAN bandwidth saved by Hosted Cache mode would be similar to the Distributed Cache mode results.
Overall, out of a total 16.5 GB of HTTP content downloaded by clients at the branch offices, only 4.7 GB crossed the WAN. The majority of the data (11.8 GB) was transferred from hosted cache servers or from peers on the LAN, resulting in a 71 percent reduction in the bandwidth utilization of the BranchCache-enabled servers.
Figure 5. Overall percent bandwidth utilization of BranchCache-enabled servers
System Center Configuration Manager Pilot
Another important scenario for BranchCache at Microsoft was integration with System Center Configuration Manager 2007 SP2. Microsoft IT uses Configuration Manager 2007 to manage over 280,000 of its enterprise client systems.
Why System Center Configuration Manager with BranchCache?
A key aspect of Configuration Manager's client management capabilities is distributing content for applications and patches. Content distributed by Configuration Manager to clients can range in size from single patches to full operating system images, resulting in a need to have Distribution Points (content file servers) at each branch location in order to provide high-speed (LAN) access to potentially large files.
Microsoft IT has 125 remote locations that require dedicated Distribution Points. Implementing and maintaining Distribution Points at all branch locations is expensive from both a hardware and operational standpoint, so leveraging BranchCache for content distribution in a Configuration Manager context is hugely compelling to Microsoft for its potential to reduce remote server overhead.
System Center Configuration Manager Pilot Implementation
To validate BranchCache in a Configuration Manager context, Microsoft IT implemented a single Windows Server 2008 R2 Distribution Point at its central data center, hosting a single, synthetic 200 MB application on that host. The Distribution Point was configured to deliver content through BITS, and was also configured to run BranchCache.
Through Group Policy applied to Microsoft Active Directory sites, clients at three North America locations (two in the U.S., one in Mexico) were configured to use BranchCache in Distributed Cache mode. These clients were targeted with a System Center Configuration Manager advertisement, which caused them to look for installation binaries (the 200 MB synthetic package) on this single, data center-hosted Distribution Point, which was remote (WAN) from each targeted client.
The BranchCache-enabled clients contacted the BranchCache-enabled Distribution Point and downloaded the binaries via HTTP (a protocol supported by System Center Configuration Manager and BranchCache). Using BranchCache's Distributed Cache mode, clients downloaded the majority of this content payload from peers in their local subnets, rather than each client pulling the large binaries through the expensive WAN link.
In total, 219 clients (203 systems running Windows 7, and 16 systems running Windows Vista that had been upgraded to BITS 4.0) from all three targeted branch locations received the System Center Configuration Manager advertisement and pulled down content.
Note: The general HTTP and SMB optimizations in BranchCache are only supported on Windows 7 and Windows Server 2008 R2; there are no plans to make BranchCache available for Windows Vista or Windows XP clients. However, BITS 4.0 has engineered support for BranchCache on Windows Vista and Windows Server 2008. As a result, customers using solutions such as WSUS, System Center Configuration Manager, or other enterprise applications that leverage BITS as the underlying file distribution technology will benefit on these platforms as well.
Through forwarded events from those clients, Microsoft IT determined that out of a total 44.84 gigabytes (GB) of content downloaded by clients at these locations, only 6.61 GB crossed the WAN. The majority of the data (38.23 GB) was transferred from peers on the LAN, resulting in an overall 85 percent reduction in content that normally would have been pulled over the WAN.
Figure 6. Average percent utilization of locally cached file for each test site
This drastic reduction of the amount of data requested across the corporate WAN is such a positive result that Microsoft IT is exploring the possibility of removing content servers at these remote locations.
In the course of designing, implementing, and operating BranchCache, Microsoft IT followed these best practices:
- Work with your application group(s) to ensure that they enable BranchCache on their file/print, Web, and SharePoint servers.
- Use a Windows Management Instrumentation (WMI) filter on the GPO to ensure that the Hosted Cache server does not receive the site-based client GPO.
- When content servers are clustered for network load balancing or for failover, each member must have the same key passphrase. The key passphrase must be applied to each server using netsh, as in the following example:
  netsh branchcache set key passphrase="MY_PASSPHRASE"
  For more information on key passphrases, see the BranchCache Early Adopter's Guide at http://download.microsoft.com/download/1/5/9/1596E2C5-400C-4ED3-BD5F-9456D536EBFD/WS_2008_R2_documents/BranchCache_Early_Adopters_Guide_EN.doc.
- Use BranchCache - Kernel Mode - performance counters on HTTP content servers to validate bandwidth optimization. For more guidance on using performance counters, see the "Web Server Performance Counters" section of the BranchCache Early Adopters Guide at http://download.microsoft.com/download/1/5/9/1596E2C5-400C-4ED3-BD5F-9456D536EBFD/WS_2008_R2_documents/BranchCache_Early_Adopters_Guide_EN.doc.
- When using BranchCache with SCCM:
  - Ensure that your content servers are hosted on Windows Server 2008 R2 servers with BranchCache enabled, and that clients have BranchCache policy.
  - Use the performance counters on Windows Server 2008 R2 or client events to analyze and monitor BranchCache distributions.
  - If you want to analyze client-based details, set up a collector and use Windows Event Forwarding technology to have client systems send their BranchCache-related events to a central collector. Then use SCOM against this collector to perform detailed analysis on the aggregate data.
- In situations where the BranchCache key passphrase is set manually, make sure to use a strong passphrase.
- Use BitLocker, Encrypted File System, or similar technologies if you want to encrypt the cached data in each computer.
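The following Python model is an added example, not part of the original case study and not Microsoft's code. It illustrates two points made above: metadata issued by the content server gates access to locally cached content, and clustered content servers need the same key passphrase so that every member issues the same identifiers for the same file. The derivation steps, `BLOCK_SIZE`, the sample data, and all function and class names are simplified assumptions, not BranchCache's actual format; encryption of data in transit between peers is not modelled.

```python
import hashlib
import hmac

BLOCK_SIZE = 64 * 1024  # assumed block size for this model


def server_secret(passphrase: str) -> bytes:
    """Stand-in derivation of a content server's secret from its key passphrase."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def content_metadata(data: bytes, secret: bytes) -> dict:
    """Metadata a content server returns in place of the content itself."""
    block_hashes = [hashlib.sha256(data[i:i + BLOCK_SIZE]).digest()
                    for i in range(0, len(data), BLOCK_SIZE)]
    hash_of_data = hashlib.sha256(b"".join(block_hashes)).digest()
    # Keyed with the server secret: only a server that authenticated and
    # authorized the request hands this value to a client.
    segment_secret = hmac.new(secret, hash_of_data, hashlib.sha256).digest()
    # Identifier the client uses to look the content up in the branch cache.
    segment_id = hashlib.sha256(segment_secret + b"segment-id").digest()
    return {"block_hashes": block_hashes, "segment_id": segment_id}


def verify(data: bytes, metadata: dict) -> bool:
    """Check cached bytes block by block against the server-issued hashes."""
    blocks = [hashlib.sha256(data[i:i + BLOCK_SIZE]).digest()
              for i in range(0, len(data), BLOCK_SIZE)]
    expected = metadata["block_hashes"]
    return len(blocks) == len(expected) and all(
        hmac.compare_digest(a, b) for a, b in zip(blocks, expected))


class BranchOfficeCache:
    """Hosted or distributed cache, reduced to a lookup table by segment ID."""

    def __init__(self):
        self.entries = {}

    def publish(self, segment_id: bytes, data: bytes) -> None:
        self.entries[segment_id] = data

    def lookup(self, segment_id: bytes):
        return self.entries.get(segment_id)


def fetch(metadata: dict, cache: BranchOfficeCache, origin_data: bytes):
    """Client read: serve from the cache only if the entry verifies, else use the WAN."""
    cached = cache.lookup(metadata["segment_id"])
    if cached is not None and verify(cached, metadata):
        return "cache", cached
    cache.publish(metadata["segment_id"], origin_data)  # repopulate after WAN read
    return "wan", origin_data


def simulate(passphrase_a: str, passphrase_b: str, tamper: bool = False) -> str:
    """Client 1 reads via cluster member A, client 2 via member B.

    Returns where client 2's bytes came from: "cache" or "wan".
    """
    data = b"constructed sample file " * 10000  # constructed content, about 240 KB
    cache = BranchOfficeCache()
    meta_a = content_metadata(data, server_secret(passphrase_a))
    fetch(meta_a, cache, data)  # first read crosses the WAN and fills the cache
    if tamper:
        # Simulate a corrupted or modified cache entry.
        cache.entries[meta_a["segment_id"]] = b"X" + data[1:]
    meta_b = content_metadata(data, server_secret(passphrase_b))
    source, received = fetch(meta_b, cache, data)
    assert received == data  # the client never accepts unverified bytes
    return source


if __name__ == "__main__":
    print("same passphrase:     ", simulate("constructed-phrase", "constructed-phrase"))
    print("different passphrase:", simulate("constructed-phrase", "other-phrase"))
    print("tampered cache entry:", simulate("constructed-phrase", "constructed-phrase", tamper=True))
```

In this model a cluster member with a different passphrase silently turns every read into a cache miss, so a passphrase mismatch shows up as lost bandwidth savings rather than as an error.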
By implementing BranchCache, Microsoft IT has derived a number of benefits:
- Reduced WAN bandwidth utilization: BranchCache reduces WAN bandwidth consumed by end users for intranet-based traffic, improving the end-user experience.
- Faster delivery of secure data: BranchCache accelerates delivery of encrypted content using HTTPS and IPsec, and requires content servers to authenticate all users before granting access to cached content.
- Enhances productivity: Microsoft IT anticipates productivity gains for many branch office workers. For example, sales people who are distributed throughout the world need to access thousands of centrally stored product demos. Hosted BranchCache will allow a much faster means of accessing the latest demo information, which may result in providing our customers with the right information in near-real time.
- Improves SLAs: Microsoft IT anticipates improved Service Level Agreements (SLAs) as a result of BranchCache's ability to remove the content distribution dependency from a single host, as well as by reducing the administrative overhead associated with distributing content to dedicated file servers globally with each application deployment.
- Leverages existing infrastructure: BranchCache does not require additional equipment in the branch offices and can be easily managed using Group Policy.
- Respects existing security protocols: BranchCache is compatible with IPsec and other encryption protocols. It simply works without requiring any change to existing security architectures.
- Seamless functionality: BranchCache does not require any input on the part of the end user; it works transparently.
- Interoperates with SCCM: Using BranchCache in tandem with SCCM helps reduce the number of content servers located at branch offices that administrators manage.
As with many larger businesses that have branch offices, Microsoft IT has noted an increasing reliance on and demand for the company's WAN link. In order to test the ability of BranchCache to reduce remote sites' dependency on the WAN, Microsoft IT engaged in two BranchCache pilot deployments that involved over 7,500 clients accessing almost 80 GB of data across 24 branch offices around the globe.
The results of these tests showed a significant reduction of WAN use, averaging more than 53 percent across both pilots and cache modes when branch office workers accessed locally cached data. BranchCache achieved these impressive results without requiring Microsoft IT to modify their security architecture or implement any new management technology. BranchCache is compelling not only from a functionality and manageability view, but from a cost savings perspective as well. Microsoft IT expects that their adoption of BranchCache will reduce IT costs by precluding the need for increasing the size of the WAN link, and by enabling Microsoft IT to reduce the number of expensive Distribution Point servers that currently support branch offices.
Moving forward, Microsoft IT plans to expand its use of BranchCache. A larger-scale study of BranchCache with System Center Configuration Manager will perform a global analysis to determine which and how many Distribution Point servers used by Microsoft IT can be removed from their infrastructure through a transition to BranchCache. Additional studies are planned to measure the ability of BranchCache to reduce overall network utilization, and to quantitatively test the improvements in user productivity that are achieved by enabling branch office workers to quickly access local resources that reside on branch caches.
As servers continue to be upgraded to Windows Server 2008 R2 in calendar year 2010, Microsoft IT plans to deploy domain-based Distributed Cache globally and site-based Hosted Cache where needed. As BranchCache becomes enabled on branch office servers, Microsoft IT anticipates that BranchCache will not only reduce branch offices' WAN usage, but it may reduce the number of virtual machines and physical servers currently required to perform similar functions.
For More Information
For more information about Microsoft products or services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Information Centre at (800) 563-9048. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information via the World Wide Web, go to:
This document supports a preliminary release of a software product that may be changed substantially prior to final commercial release. This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2010 Microsoft Corporation. All rights reserved.
Microsoft, BitLocker, BranchCache, Internet Explorer, SharePoint, Windows, Windows Media, Windows Server, and Windows Vista are trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.