
Windows 7 BranchCache™ Explained

Posted By:  Yung Chou
Publish Date: 12/8/2009

One of the key capabilities delivered in Windows 7 for enabling people to be productive anywhere is BranchCache™. It not only speeds up access to data and documents from Web and file servers by reducing web and file access over a WAN link, it frees up bandwidth over the WAN link for other uses.

With BranchCache™, the first request from a branch office network to download content from a web server or file server (or in the context of BranchCache™ a “content server”) also caches a copy in the local, branch network. In a subsequent request from the branch network for the same content in the content server, instead of downloading content from the content server over the WAN, clients receive the locally cached copy from the branch network. This occurs once the content server authenticates and authorizes the request. BranchCache™ has two operating modes, Distributed Cache mode and Hosted Cache mode.

Distributed Cache mode is for a small branch without a local file server that can be used as a hosted cache server. In this configuration, content downloaded from a content server over the WAN is cached at the requesting user’s computer. Caching occurs at the very first request from a user in a branch office. Subsequent requests from the same branch office for the same content locate the cached content by broadcasting to the local network, and then retrieve it from that user’s computer over the local area network. Peer-to-peer sharing is the basic idea: there is no central repository in the branch, and no servers or services are required in the branch office beyond client computers running Windows 7.

Hosted Cache mode, on the other hand, specifies a branch office server for caching content downloaded over the WAN. It is recommended for a branch with more than 50 clients. The key differences from the Distributed Cache Mode process are:

  • Content downloaded over the WAN on the first request is cached only in a designated server local to the branch office, while Distributed Cache mode caches content at the requester’s computer.
  • Clients subsequently requesting the same content establish a direct connection with the designated server and get the content from it, once the content server authenticates and authorizes the request. In Distributed Cache mode, clients instead broadcast over the local network to find the computer with the cached content.

The concept of BranchCache™ is fairly straightforward. The technical specifics that minimize communication and reduce bandwidth over the WAN are, however, quite interesting. When a second Windows 7 client requests the same file from the content server, the user is authenticated and authorized in exactly the same manner as if BranchCache™ were not being used. If successful, the content server returns content metadata over the same channel that the data would normally have been sent on. The metadata is the mechanism for reducing bandwidth, because the content metadata is significantly smaller than the actual content. It is important that the content server sends the content metadata to each client, so that a client always receives hashes for the most up-to-date content; this ensures that users are always accessing the most current data. The content is broken into blocks. For each block, a hash is computed (known as the “block hash”). A hash is also computed on a collection of blocks (known as the “segment hash”). Content metadata is primarily composed of block hashes and segment hashes, and the segment hashes provide a unit of discovery. The hash algorithm used is Secure Hash Algorithm (SHA) 256. The compression ratio achieved is approximately 2000:1; that is, the metadata sent over the wire is roughly 2000 times smaller than the original data itself.

This is how the BranchCache™ process works:

  1. A Windows 7 client connects to the content server in the central office and requests a file (or file segment) exactly as it would if it were retrieving the file without using BranchCache™.
  2. The content server authenticates and authorizes the client exactly as it would without BranchCache™. If successful, it returns content metadata over the same channel that the data would normally have been sent on. If this is the first time any client from the branch office network is requesting this file, and it is not already cached on the local network, the client retrieves the file directly from the content server.
  3. In Distributed Cache mode, the client sends a request on the local network for the required file by using the Web Services Discovery (WS-Discovery) multicast protocol. The segment hashes provide the unit of discovery, which reduces the total number of lookups performed for a given piece of content (versus looking up each block). The client that previously cached the file sends the file to the requesting client. The data is encrypted using a key derived from the hashes sent by the content server as part of the content metadata. The requesting client decrypts the data, computes the hashes on the blocks received from the first client, and ensures that they are identical to the block hashes provided as part of the content metadata by the content server. This ensures that the content has not been modified.
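The following is an added example, not code from the original post or from Microsoft, that models the content metadata described above (block hashes, a segment hash over a run of blocks, all SHA-256) and the verification step a client performs on blocks received from a peer. The post gives neither a block size nor a segment size, so the 64 KB blocks and 512-block segments here are assumptions; so is the choice of computing the segment hash as SHA-256 over the concatenated block hashes. The encryption of the peer transfer is left out; the example concentrates on why the ratio comes out near 2000:1 and on how a tampered or stale block from a peer is caught by the hashes the content server supplied.

```python
import hashlib
import hmac

# Illustrative parameters (assumptions: the post gives neither a block size nor a
# segment size; 64 KB blocks are assumed here so the metadata/content ratio is easy
# to reason about).
BLOCK_SIZE = 64 * 1024                     # bytes per block hashed individually
BLOCKS_PER_SEGMENT = 512                   # blocks covered by one segment hash (assumed)
HASH_LEN = hashlib.sha256().digest_size    # 32 bytes for SHA-256


def block_hashes(content: bytes) -> list[bytes]:
    """SHA-256 of each fixed-size block of the content (the last block may be short)."""
    return [hashlib.sha256(content[i:i + BLOCK_SIZE]).digest()
            for i in range(0, len(content), BLOCK_SIZE)]


def segment_hashes(hashes: list[bytes]) -> list[bytes]:
    """Segment hash over a run of blocks: here (assumed) SHA-256 of the concatenated block hashes."""
    return [hashlib.sha256(b"".join(hashes[i:i + BLOCKS_PER_SEGMENT])).digest()
            for i in range(0, len(hashes), BLOCKS_PER_SEGMENT)]


def content_metadata(content: bytes) -> dict:
    """What the content server returns instead of the data itself on a cache-eligible request."""
    bh = block_hashes(content)
    return {"block_hashes": bh, "segment_hashes": segment_hashes(bh)}


def metadata_size(meta: dict) -> int:
    return HASH_LEN * (len(meta["block_hashes"]) + len(meta["segment_hashes"]))


def compression_ratio(content: bytes, meta: dict) -> float:
    """How many times smaller the metadata is than the content it describes."""
    return len(content) / metadata_size(meta)


def verify_block(block: bytes, index: int, meta: dict) -> bool:
    """Client-side check on a block received from a peer or hosted cache: recompute its
    SHA-256 and compare (constant-time) against the hash the content server supplied."""
    if index >= len(meta["block_hashes"]):
        return False
    return hmac.compare_digest(hashlib.sha256(block).digest(), meta["block_hashes"][index])


def fetch_from_peer(peer_blocks: list[bytes], meta: dict) -> tuple[bytes, list[int]]:
    """Reassemble content from peer-supplied blocks, keeping only blocks that verify.
    Returns the accepted bytes and the indexes of rejected blocks, which a client would
    then fetch from the content server over the WAN instead."""
    accepted, rejected = [], []
    for i, block in enumerate(peer_blocks):
        if verify_block(block, i, meta):
            accepted.append(block)
        else:
            rejected.append(i)
    return b"".join(accepted), rejected


# Constructed sample content: 1 MiB of distinct 4-byte counters, so every block differs.
SAMPLE_CONTENT = b"".join(i.to_bytes(4, "big") for i in range(256 * 1024))


def demo() -> dict:
    meta = content_metadata(SAMPLE_CONTENT)
    honest = [SAMPLE_CONTENT[i:i + BLOCK_SIZE]
              for i in range(0, len(SAMPLE_CONTENT), BLOCK_SIZE)]
    # A peer holding one stale or altered block: flip one bit in block 5.
    tampered = list(honest)
    tampered[5] = bytes([tampered[5][0] ^ 0x01]) + tampered[5][1:]
    _, honest_rejected = fetch_from_peer(honest, meta)
    _, tampered_rejected = fetch_from_peer(tampered, meta)
    return {
        "blocks": len(meta["block_hashes"]),
        "segments": len(meta["segment_hashes"]),
        "metadata_bytes": metadata_size(meta),
        "ratio": compression_ratio(SAMPLE_CONTENT, meta),
        "honest_rejected": honest_rejected,
        "tampered_rejected": tampered_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With 32-byte hashes over 64 KB blocks, the block hashes alone are 2048 times smaller than the content; the single segment hash adds a little overhead, so the 1 MiB sample lands at roughly 1928:1, in line with the ~2000:1 figure the post quotes. The verification step is what lets a client accept content from an untrusted peer: the hashes come from the authenticated content server over the WAN, so a peer that serves a stale or altered block is detected and only that block is re-fetched from the origin.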

While in Hosted Cache mode, the client uses the hashes in the metadata to search for the file in the Hosted Cache server. A key difference in Hosted Cache mode is that a client establishes an SSL connection with the Hosted Cache server, and it offers content identifiers over this encrypted channel. The Hosted Cache server connects to the client and retrieves the set of blocks that are not cached.

To implement BranchCache, client computers must be running Windows® 7, with the BranchCache™ feature enabled. Web servers and file servers must be running Windows® Server 2008 R2, with the BranchCache™ feature enabled.

BranchCache™ is designed to give branch-office users an experience similar to being connected directly to the central office. It works with your existing network and security infrastructure including IPv4, IPv6, and end-to-end encryption methods such as Secure Sockets Layer (SSL) and Internet Protocol Security (IPSec). The process requires that a content server authenticates and authorizes a client before retrieving content from within the branch. Additionally, the content server returns content metadata to a requesting client to ensure that the client will reference the current version of requested content in the content server.