Non-Microsoft Firewall Settings for BranchCache

If your organization uses a non-Microsoft firewall, configure the firewall to allow the traffic for the protocols and programs that BranchCache uses. This section provides a reference of protocols and the settings that you can use to configure firewalls to allow BranchCache traffic.

For more information about the protocols referenced in this section, see the following topics on the Microsoft Web site:

Non-Microsoft firewall settings for Distributed Cache clients

This section describes firewall settings for Distributed Cache clients when Distributed Cache mode is used.

[MS-PCCRD]: Peer Content Caching and Retrieval Discovery Protocol

Distributed Cache clients must support inbound and outbound MS-PCCRD traffic, which is carried in the Web Services Dynamic Discovery (WS-Discovery) protocol. Firewall settings must allow multicast traffic, inbound and outbound traffic, and program traffic as follows:

  • IPv4 multicast: 239.255.255.250

  • IPv6 multicast: FF02::C

  • Inbound traffic: Local port: 3702, Remote port: ephemeral

  • Outbound traffic: Local port: ephemeral, Remote port: 3702

  • Program: %systemroot%\system32\svchost.exe (BranchCache Service [PeerDistSvc])

[MS-PCCRR]: Peer Content Caching and Retrieval: Retrieval Protocol

Distributed Cache clients must support inbound and outbound MS-PCCRR traffic, which is carried in the HTTP 1.1 [RFC 2616] protocol. Firewall settings must allow inbound, outbound, and program traffic as follows:

  • Inbound traffic: Local port: 80, Remote port: ephemeral

  • Outbound traffic: Local port: ephemeral, Remote port: 80

  • Program: SYSTEM

Non-Microsoft firewall settings for Hosted Cache clients

This section describes firewall settings for Hosted Cache clients when Hosted Cache mode is used.

[MS-PCCRR]: Peer Content Caching and Retrieval: Retrieval Protocol

Hosted Cache clients must support inbound and outbound MS-PCCRR traffic, which is carried in the HTTP 1.1 [RFC 2616] protocol. Firewall settings must allow inbound, outbound, and program traffic as follows:

  • Inbound traffic: Local port: 80, Remote port: ephemeral

  • Outbound traffic: Local port: ephemeral, Remote port: 80

  • Program: SYSTEM

[MS-PCHC]: Peer Content Caching and Retrieval: Hosted Cache Protocol

Hosted Cache clients must support inbound and outbound MS-PCHC traffic, which is carried in the HTTP 1.1 over TLS (HTTPS) [RFC 2818] protocol. Firewall settings must enable outbound traffic as follows:

  • Outbound traffic: Local port: ephemeral, Remote port: 443

  • Program: SYSTEM

Non-Microsoft firewall settings for the Hosted Cache server

This section describes firewall settings for the Hosted Cache server when Hosted Cache mode is used.

[MS-PCCRR]: Peer Content Caching and Retrieval: Retrieval Protocol

The Hosted Cache server must support inbound and outbound MS-PCCRR traffic, which is carried in the HTTP 1.1 [RFC 2616] protocol. Firewall settings must allow inbound, outbound, and program traffic as follows:

  • Inbound traffic: Local port: 80, Remote port: ephemeral

  • Outbound traffic: Local port: ephemeral, Remote port: 80

  • Program: SYSTEM

[MS-PCHC]: Peer Content Caching and Retrieval: Hosted Cache Protocol

The Hosted Cache server must support inbound MS-PCHC traffic, which is carried in the HTTP 1.1 over TLS (HTTPS) [RFC 2818] protocol. Firewall settings must enable inbound and program traffic as follows:

  • Inbound traffic: Local port: 443, Remote port: ephemeral

  • Program: SYSTEM
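
The per-role port requirements listed above can be checked mechanically against a firewall policy export. The following Python sketch is an added example, not part of the original Microsoft documentation: it reports which required BranchCache flows a given allow-list fails to cover. The role names, the rule dictionary layout, and the `audit` function are hypothetical; the UDP/TCP transports and the 49152-65535 ephemeral range are assumptions that this page does not state, and program binding is not modelled.

```python
# Added example: audit a firewall allow-list against the BranchCache flows above.
# Assumed, not stated on the page: WS-Discovery runs over UDP, HTTP/HTTPS over TCP.
EPHEMERAL = range(49152, 65536)  # assumed default Windows dynamic port range

# (protocol, direction, transport, local port, remote port); None = ephemeral
PCCRD = [("MS-PCCRD", "in", "udp", 3702, None), ("MS-PCCRD", "out", "udp", None, 3702)]
PCCRR = [("MS-PCCRR", "in", "tcp", 80, None), ("MS-PCCRR", "out", "tcp", None, 80)]
REQUIRED = {
    "distributed-cache-client": PCCRD + PCCRR,
    "hosted-cache-client": PCCRR + [("MS-PCHC", "out", "tcp", None, 443)],
    "hosted-cache-server": PCCRR + [("MS-PCHC", "in", "tcp", 443, None)],
}
MULTICAST = {"239.255.255.250", "ff02::c"}  # WS-Discovery groups for MS-PCCRD

def _covers(rule_ports, wanted):
    """True if a rule's port spec ('any', int, or (lo, hi)) covers the wanted port(s)."""
    if rule_ports == "any":
        return True
    lo, hi = (rule_ports, rule_ports) if isinstance(rule_ports, int) else rule_ports
    if wanted is None:  # the whole ephemeral range must be reachable
        return lo <= EPHEMERAL.start and hi >= EPHEMERAL.stop - 1
    return lo <= wanted <= hi

def audit(role, rules):
    """Return required flows, and multicast groups, that no allow rule covers."""
    missing = []
    for proto, direction, transport, local, remote in REQUIRED[role]:
        ok = any(r["dir"] == direction and r["transport"] == transport
                 and _covers(r["local"], local) and _covers(r["remote"], remote)
                 for r in rules)
        if not ok:
            missing.append((proto, direction))
    if role == "distributed-cache-client":
        allowed = {g.lower() for r in rules for g in r.get("multicast", ())}
        missing += [("MS-PCCRD", "multicast " + g) for g in sorted(MULTICAST - allowed)]
    return missing

# Constructed sample policy: HTTP both ways, WS-Discovery inbound, IPv4 multicast only.
SAMPLE = [
    {"dir": "in", "transport": "tcp", "local": 80, "remote": "any"},
    {"dir": "out", "transport": "tcp", "local": "any", "remote": 80},
    {"dir": "in", "transport": "udp", "local": 3702, "remote": (49152, 65535),
     "multicast": ["239.255.255.250"]},
]

if __name__ == "__main__":
    for role in REQUIRED:
        print(role, audit(role, SAMPLE))
```

An empty list for a role means every flow listed for that role is allowed by the policy; each tuple names the protocol document and the direction or multicast group that is still blocked.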

BranchCache protocols for content servers (such as a Web server or file server)

No additional ports or protocols are required on the content server. All BranchCache communication with clients occurs in the context of the optimized protocol (HTTP, SMB, and BITS). Extensions to these protocols enable BranchCache on client computers that are running Windows 7.

For more information, see the following topics on the Microsoft Web site: