
BranchCache Deployment Guide

Microsoft Corporation
Published: October, 2009
Author: James McIllece
Editor: Scott Somohano

Abstract
BranchCache is a wide area network (WAN) bandwidth optimization technology that is included in some editions of the Windows Server 2008 R2 and Windows 7 operating systems. To optimize WAN bandwidth, BranchCache copies content from your main office content servers and caches the content at branch office locations, allowing client computers at branch offices to access the content locally rather than over the WAN. This deployment guide provides instructions on deploying BranchCache in both distributed cache mode and hosted cache mode, and allows you to deploy Hypertext Transfer Protocol (HTTP), Background Intelligent Transfer Service (BITS), and Server Message Block (SMB)-based content servers that are Web servers, application servers, and file servers, respectively.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Your right to copy this documentation is limited by copyright law and the terms of the software license agreement. As the software licensee, you may make a reasonable number of copies or printouts for your own use. Making unauthorized copies, adaptations, compilations, or derivative works for commercial distribution is prohibited and constitutes a punishable violation of the law. 2009 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. 
All other trademarks are property of their respective owners.

Contents
BranchCache Deployment Guide .... 1
Abstract .... 1
Contents .... 3
BranchCache Deployment Guide .... 6
What this guide provides .... 6
What this guide does not provide .... 7
Deploy BranchCache .... 7
Deploy BranchCache in distributed cache mode .... 7
Deploy BranchCache in hosted cache mode .... 7
Install and configure content servers .... 8
Install content servers that use the BranchCache feature .... 8
Install the BranchCache feature .... 8
Configure Windows Server Update Services (WSUS) content servers .... 9
Install File Services content servers .... 9
Configure the File Services server role .... 10
Install a new file server as a content server .... 10
Configure an existing file server as a content server .... 11
Enable hash publication for file servers .... 11
Enable hash publication for non-domain member file servers .... 12
Enable hash publication for domain member file servers .... 13
Create the BranchCache file servers organizational unit .... 13
Move file servers to the BranchCache file servers organizational unit .... 14
Create the BranchCache hash publication Group Policy object .... 14
Configure the BranchCache hash publication Group Policy object .... 15
Enable BranchCache on a file share .... 17
Deploy a distributed cache mode design .... 17
Configure client computers for distributed cache mode .... 18
Use Group Policy to configure domain member clients for distributed cache mode .... 18
Configure domain member client distributed cache mode firewall rules .... 20
Non-domain member client configuration for distributed cache mode .... 22
Enable BranchCache distributed cache mode using network shell commands .... 22
Configure client computer distributed cache mode firewall rules .... 23
[MS-PCCRD]: Peer Content Caching and Retrieval Discovery Protocol .... 23
[MS-PCCRR]: Peer Content Caching and Retrieval: Retrieval Protocol .... 23
Deploy a hosted cache mode design .... 24
Configure client computers for hosted cache mode .... 26
Use Group Policy to configure domain member clients for hosted cache mode .... 26
Configure domain member client hosted cache mode firewall rules .... 28
Non-domain member client configuration for hosted cache mode .... 29
Enable BranchCache hosted cache mode using network shell commands .... 29
Configure hosted cache mode firewall rules .... 30
[MS-PCCRR]: Peer Content Caching and Retrieval: Retrieval Protocol .... 31
[MS-PCHC]: Peer Content Caching and Retrieval: Hosted Cache Protocol .... 31
Install and configure the hosted cache server .... 31
Install the BranchCache feature .... 32
Enable hosted cache server mode on a hosted cache server .... 33
Install the certification authority and enroll certificates to hosted cache servers .... 34
Create the hosted cache servers group .... 34
Add hosted cache servers to the group .... 35
Install the certification authority (CA) .... 36
Configure the Web Server certificate template .... 37
Configure server certificate autoenrollment .... 39
Refresh Group Policy .... 39
Obtain the SHA-1 hash of the hosted cache server certificate .... 40
Link the hosted cache server certificate to BranchCache .... 41
Additional Resources .... 42

BranchCache Deployment Guide


BranchCache is a wide area network (WAN) bandwidth optimization technology that is included in some editions of the Windows Server 2008 R2 and Windows 7 operating systems.

Note: For more information about operating systems that support BranchCache, see the section Operating system versions for BranchCache in the topic BranchCache Overview in the Windows Server 2008 and Windows Server 2008 R2 Technical Library at http://go.microsoft.com/fwlink/?LinkId=167096.

To optimize WAN bandwidth, BranchCache copies content from your main office content servers and caches the content at branch office locations, allowing client computers at branch offices to access the content locally rather than over the WAN. At branch offices, content is cached either on servers that are running the BranchCache feature of Windows Server 2008 R2 or, when no server is available in the branch office, on computers running Windows 7. After a client computer requests and receives content from the main office and the content is cached at the branch office, other computers at the same branch office can obtain the content locally rather than contacting the main office over the WAN link.

What this guide provides


This deployment guide allows you to deploy BranchCache in the following modes:

Distributed cache mode. In this mode, branch office client computers download content from the content servers in the main office and then cache the content for other computers in the same branch office. Distributed cache mode does not require a server computer in the branch office.

Hosted cache mode. In this mode, branch office client computers download content from the content servers in the main office, and a hosted cache server retrieves the content from the clients. The hosted cache server then caches the content for other client computers. Hosted cache mode does require a server computer in the branch office, and there are additional requirements.

This guide also provides instructions on how to deploy three types of content servers. Content servers contain the source content that is downloaded by branch office client computers, and one or more content servers are required to deploy BranchCache in either mode. The content server types are:

Web server-based content servers. These content servers send content to BranchCache client computers using the HTTP and HTTPS protocols. These content servers must be running Windows Server 2008 R2 versions that support BranchCache and upon which the BranchCache feature is installed.

BITS-based application servers. These content servers send content to BranchCache client computers using the Background Intelligent Transfer Service (BITS). These content servers must be running Windows Server 2008 R2 versions that support BranchCache and upon which the BranchCache feature is installed.

File server-based content servers. These content servers must be running Windows Server 2008 R2 versions that support BranchCache and upon which the File Services server role is installed. In addition, the BranchCache for network files role service of the File Services server role must be installed and configured. These content servers send content to BranchCache client computers using the Server Message Block (SMB) protocol.

What this guide does not provide


This guide does not provide conceptual information that explains BranchCache functionality. This guide also does not contain information on how to plan and design a BranchCache deployment. That information is included in other BranchCache documentation, which is in the Windows Server 2008 and Windows Server 2008 R2 Technical Library at http://go.microsoft.com/fwlink/?LinkId=162776.

Deploy BranchCache
See the following topics to deploy BranchCache.

Note: The procedures in this guide do not include instructions for those cases in which the User Account Control dialog box opens to request your permission to continue. If this dialog box opens while you are performing the procedures in this guide, and if the dialog box was opened in response to your actions, click Continue.

Deploy BranchCache in distributed cache mode


To deploy BranchCache in distributed cache mode, use the following topics.

Install and configure content servers
Deploy a distributed cache mode design

Deploy BranchCache in hosted cache mode


To deploy BranchCache in hosted cache mode, use the following topics.

Install and configure content servers
Deploy a hosted cache mode design

For more information on the technologies used to deploy BranchCache, see Additional Resources.

Install and configure content servers


When you deploy BranchCache in distributed cache mode or hosted cache mode, you must deploy one or more content servers at your main office. Content servers that are Web servers or application servers use the BranchCache feature. Content servers that are file servers use the BranchCache for network files role service of the File Services server role in Windows Server 2008 R2. See the following topics to deploy content servers.

Install content servers that use the BranchCache feature
Install File Services content servers

Install content servers that use the BranchCache feature


To deploy content servers that are Secure Hypertext Transfer Protocol (HTTPS) 1.1 Web servers, Hypertext Transfer Protocol (HTTP) 1.1 Web servers, and Background Intelligent Transfer Service (BITS)-based application servers, such as Windows Server Update Services (WSUS) and System Center Configuration Manager branch distribution site system servers, you must install the BranchCache feature, start the BranchCache service, and (for WSUS servers only) perform additional configuration steps. See the following topics to deploy content servers.

Install the BranchCache feature
Configure Windows Server Update Services (WSUS) content servers

Install the BranchCache feature


You can use this procedure to install the BranchCache feature and start the BranchCache service on a computer running Windows Server 2008 R2. Membership in Administrators, or equivalent, is the minimum required to perform this procedure.

To install and enable the BranchCache feature

1. Click Start, click Administrative Tools, and then click Server Manager. Server Manager opens.
2. In the Server Manager left pane, right-click Features, and then click Add Features. The Add Features Wizard opens.
3. In the Add Features Wizard, in Features, select the BranchCache check box, and then click Next.
4. In Confirm Installation Selections, review your choice and then click Install. The Installation Progress pane is displayed during installation, and then the Installation Results pane is displayed.
5. In Installation Results, review the summary and then click Close. The Add Features Wizard closes.
6. In the Server Manager left pane, double-click Configuration, and then click Services.
7. In the details pane, in Services, double-click BranchCache. The BranchCache Properties dialog box opens.
8. In the BranchCache Properties dialog box, on the General tab, click Start to start the BranchCache service, and then click OK.

Important: The BranchCache service startup type is Automatic, which means that the BranchCache service starts whenever the computer is restarted. It is recommended that you keep the startup type value set to Automatic.

Configure Windows Server Update Services (WSUS) content servers


After installing the BranchCache feature and starting the BranchCache service, WSUS servers must be configured to store update files on the local computer. When you configure WSUS servers to store update files on the local computer, both the update metadata and the update files are downloaded by and stored directly upon the WSUS server. This ensures that BranchCache client computers receive Microsoft product update files from the WSUS server rather than directly from the Microsoft Update Web site. To learn more about WSUS server configuration, see Advanced Synchronization Options for WSUS on Microsoft TechNet at http://go.microsoft.com/fwlink/?LinkId=150597.

Install File Services content servers


To deploy content servers that are running the File Services server role, you must install the BranchCache for network files role service of the File Services server role. In addition, you must enable hash publication on the server, and enable BranchCache on file shares according to your requirements.

Note: During the configuration of the content server, you can allow BranchCache publication of content for all file shares or you can select a subset of file shares to publish.

See the following topics to deploy content servers.

Configure the File Services server role
Enable hash publication for non-domain member file servers
Enable BranchCache on a file share

Configure the File Services server role


You can deploy BranchCache file server-based content servers on computers running Windows Server 2008 R2 and the File Services server role with the BranchCache for network files role service installed. To install a BranchCache content server on a computer that does not already have File Services installed, see Install a new file server as a content server. To install a BranchCache content server on a computer that is already configured with the File Services server role, see Configure an existing file server as a content server.

Install a new file server as a content server


You can use this procedure to install the File Services server role and the BranchCache for network files role service on a computer running Windows Server 2008 R2. Membership in Administrators, or equivalent, is the minimum required to perform this procedure.

To install File Services and the BranchCache for network files role service

1. Click Start, click Administrative Tools, and then click Server Manager. Server Manager opens.
2. In the Server Manager left pane, right-click Roles, and then click Add Roles. The Add Roles Wizard opens. In Before You Begin, click Next.
3. In Select Server Roles, in Roles, select the File Services check box, and then click Next.
4. In File Services, review the information, and then click Next.
5. In Select Role Services, in Role services, ensure that File Server is selected. Also select the BranchCache for network files check box, and then click Next.
6. In Confirm Installation Selections, review your selections, and then click Install. The Installation Progress pane is displayed during installation, and then the Installation Results pane is displayed. Review your results, and then click Close.

Configure an existing file server as a content server


You can use this procedure to install the BranchCache for network files role service of the File Services server role on a computer running Windows Server 2008 R2. Membership in Administrators, or equivalent, is the minimum required to perform this procedure.

Important: If the File Services server role is not already installed, do not follow this procedure. Instead, see Install a new file server as a content server.

To install the BranchCache for network files role service

1. Click Start, click Administrative Tools, and then click Server Manager. Server Manager opens.
2. In the Server Manager left pane, double-click Roles, right-click File Services, and then click Add Role Services. The Add Role Services wizard opens.
3. In Select Role Services, select the BranchCache for network files check box, and then click Next.
4. In Confirm Installation Selections, review your selections, and then click Install. The Installation Progress pane is displayed during installation, and then the Installation Results pane is displayed. Review your results, and then click Close.

Enable hash publication for file servers


You can enable BranchCache hash publication on one file server or on multiple file servers. To enable hash publication on one file server using local computer Group Policy, see Enable hash publication for non-domain member file servers. To enable hash publication on multiple file servers using domain Group Policy, see Enable hash publication for domain member file servers.

Note: If you have multiple file servers and you want to enable hash publication per share, rather than enabling hash publication for all shares, you can use the instructions in the topic Enable hash publication for non-domain member file servers.

Enable hash publication for non-domain member file servers


You can use this procedure to configure hash publication for BranchCache using local computer Group Policy on a file server that is running Windows Server 2008 R2 with the BranchCache for network files role service of the File Services server role installed. This procedure is intended for use on a non-domain member file server. If you perform this procedure on a domain member file server and you also configure BranchCache using domain Group Policy, domain Group Policy settings override local Group Policy settings. Membership in Administrators, or equivalent, is the minimum required to perform this procedure.

Note: If you have one or more domain member file servers, you can add them to an organizational unit (OU) in Active Directory Domain Services and then use Group Policy to configure hash publication for all of the file servers at one time, rather than individually configuring each file server. For more information, see Enable hash publication for domain member file servers.

To enable hash publication for one file server

1. Click Start, click Run, type mmc, and then press ENTER. The Microsoft Management Console (MMC) opens.
2. In the MMC, on the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box opens.
3. In Add or Remove Snap-ins, in Available snap-ins, double-click Group Policy Object Editor. The Group Policy Wizard opens with the Local Computer object selected. Click Finish, and then click OK.
4. In the Local Group Policy Editor MMC, expand the following path: Computer Configuration, Administrative Templates, Network, Lanman Server. Click Lanman Server.
5. In the details pane, double-click Hash Publication for BranchCache. The Hash Publication for BranchCache dialog box opens.
6. In the Hash Publication for BranchCache dialog box, click Enabled.
7. In Options, click Allow hash publication for all shared folder, and then click one of the following:
   a. To enable hash publication for all shared folders on this computer, click Allow hash publication for all shared folder.
   b. To enable hash publication only for shared folders for which BranchCache is enabled, click Allow hash publication only for shared folders on which BranchCache is enabled.
   c. To disallow hash publication for all shared folders on the computer even if BranchCache is enabled on the file shares, click Disallow hash publication on all shared folders.
8. Click OK.

Enable hash publication for domain member file servers


When you're using Active Directory Domain Services (AD DS), you can use domain Group Policy to enable BranchCache hash publication for multiple file servers. To do so, you must create an organizational unit (OU), add file servers to the OU, create a BranchCache hash publication Group Policy object (GPO), and then configure the GPO. See the following topics to enable hash publication for multiple file servers.

Create the BranchCache file servers organizational unit
Move file servers to the BranchCache file servers organizational unit
Create the BranchCache hash publication Group Policy object
Configure the BranchCache hash publication Group Policy object

Create the BranchCache file servers organizational unit


You can use this procedure to create an organizational unit (OU) in Active Directory Domain Services (AD DS) for BranchCache file servers. Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

To create the BranchCache file servers organizational unit

1. On a computer where AD DS is installed, click Start, click Administrative Tools, and then click Active Directory Users and Computers. The Active Directory Users and Computers console opens.
2. In the Active Directory Users and Computers console, right-click the domain to which you want to add an OU. For example, if your domain is named example.com, right-click example.com. Point to New, and then click Organizational Unit. The New Object Organizational Unit dialog box opens.
3. In the New Object Organizational Unit dialog box, in Name, type a name for the new OU. For example, if you want to name the OU BranchCache file servers, type BranchCache file servers, and then click OK.

Move file servers to the BranchCache file servers organizational unit


You can use this procedure to add BranchCache file servers to an organizational unit (OU) in Active Directory Domain Services (AD DS). Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

Note: You must create a BranchCache file servers OU in the Active Directory Users and Computers console before you add computer accounts to the OU with this procedure. For more information, see Create the BranchCache file servers organizational unit.

To move file servers to the BranchCache file servers organizational unit

1. On a computer where AD DS is installed, click Start, click Administrative Tools, and then click Active Directory Users and Computers. The Active Directory Users and Computers console opens.
2. In the Active Directory Users and Computers console, locate the computer account for a BranchCache file server, left-click to select the account, and then drag and drop the computer account on the BranchCache file servers OU that you previously created. For example, if you previously created an OU named BranchCache file servers, drag and drop the computer account on the BranchCache file servers OU.
3. Repeat the previous step for each BranchCache file server in the domain that you want to move to the OU.

Create the BranchCache hash publication Group Policy object


You can use this procedure to create the BranchCache hash publication Group Policy object (GPO). Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

Note: Before performing this procedure, you must create the BranchCache file servers organizational unit and move file servers into the OU. For more information, see Enable hash publication for domain member file servers.

To create the BranchCache hash publication Group Policy object

1. Click Start, click Run, type mmc, and then press ENTER. The Microsoft Management Console (MMC) opens.
2. In the MMC, on the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box opens.
3. In Add or Remove Snap-ins, in Available snap-ins, double-click Group Policy Management, and then click OK.
4. In the Group Policy Management MMC, expand the path to the BranchCache file servers OU that you previously created. For example, if your forest is named example.com, your domain is named example1.com, and your OU is named BranchCache file servers, expand the following path: Group Policy Management, Forest: example.com, Domains, example1.com, Group Policy Objects.
5. Right-click Group Policy Objects, and then click New. The New GPO dialog box opens. In Name, type a name for the new Group Policy object (GPO). For example, if you want to name the object BranchCache Hash Publication, type BranchCache Hash Publication. Click OK.
6. In the Group Policy Management MMC, right-click the BranchCache file servers organizational unit (OU) that you created previously. For example, if your OU is named BranchCache file servers, right-click BranchCache file servers, and then click Link an Existing GPO. The Select GPO dialog box opens.
7. In the Select GPO dialog box, in Group Policy objects, click the BranchCache hash publication GPO that you created earlier in this procedure. For example, if your GPO is named BranchCache Hash Publication, click BranchCache Hash Publication. Click OK.

Configure the BranchCache hash publication Group Policy object


You can use this procedure to configure the BranchCache hash publication Group Policy object (GPO). Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

Note: Before performing this procedure, you must create the BranchCache file servers organizational unit, move file servers into the OU, and create the BranchCache hash publication Group Policy object (GPO). For more information, see Enable hash publication for domain member file servers.

To configure the BranchCache hash publication Group Policy object

1. Click Start, click Run, type mmc, and then press ENTER. The Microsoft Management Console (MMC) opens.
2. In the MMC, on the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box opens.
3. In Add or Remove Snap-ins, in Available snap-ins, double-click Group Policy Management, and then click OK.
4. In the Group Policy Management MMC, expand the path to the BranchCache hash publication GPO that you previously created. For example, if your forest is named example.com, your domain is named example1.com, and your GPO is named BranchCache Hash Publication, expand the following path: Group Policy Management, Forest: example.com, Domains, example1.com, Group Policy Objects, BranchCache Hash Publication.
5. Right-click the BranchCache Hash Publication GPO and click Edit. The Group Policy Management Editor console opens.
6. In the Group Policy Management Editor console, expand the following path: Computer Configuration, Policies, Administrative Templates, Network, Lanman Server.
7. In the Group Policy Management Editor console, click Lanman Server. In the details pane, double-click Hash Publication for BranchCache. The Hash Publication for BranchCache dialog box opens.
8. In the Hash Publication for BranchCache dialog box, click Enabled.
9. In Options, click Allow hash publication for all shared folder, and then click one of the following:
   a. To enable hash publication for all shared folders on this computer, click Allow hash publication for all shared folder.
   b. To enable hash publication only for shared folders for which BranchCache is enabled, click Allow hash publication only for shared folders on which BranchCache is enabled.
   c. To disallow hash publication for all shared folders on the computer even if BranchCache is enabled on the file shares, click Disallow hash publication on all shared folders.
10. Click OK.

Note In most cases, you must save the MMC console and refresh the view to display the configuration changes you have made.

Enable BranchCache on a file share


You can use this procedure to enable BranchCache on a file share. Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

Note
To make shared content available to BranchCache client computers, you must enable BranchCache on the file share, and the hash publication setting in Group Policy must be set to either Allow hash publication only for shared folders on which BranchCache is enabled or Allow hash publication for all shared folders.

To enable BranchCache on a file share

1. Click Start, click Administrative Tools, and then click Share and Storage Management. The Share and Storage Management console opens.
2. In the details pane, on the Shares tab, right-click a share, and then click Properties. The share's Properties dialog box opens.
3. In the Properties dialog box, on the Sharing tab, click Advanced.
4. Click the Caching tab, ensure that Only the files and programs that users specify are available offline is selected, and then click Enable BranchCache.
5. Click OK twice.

Deploy a distributed cache mode design


When you deploy BranchCache in distributed cache mode for a branch office, a hosted cache server is not required at the branch office. Client computers that are running either Windows 7 Enterprise or Windows 7 Ultimate are installed at the branch office. These clients download content from content servers that are installed at the main office, and after downloading content, the client computers act as client cache servers by providing the content to other clients in the same branch office upon request.

To deploy BranchCache in distributed cache mode, you must install and configure content servers in your main office and install and configure client computers in your branch office. In addition, client computers at branch offices must be able to access the main office content servers over some type of wide area network (WAN) link, such as a dedicated or on-demand virtual private network (VPN) connection between the offices; or clients must use some other method to connect to the content servers, such as DirectAccess.

See the following topics to deploy BranchCache in distributed cache mode:
Install and configure content servers
Configure client computers for distributed cache mode

Configure client computers for distributed cache mode


You can use the procedures in this section to configure client computers for BranchCache when you deploy distributed cache mode. Client computers running Windows 7 have BranchCache installed by default; however, you must enable and configure BranchCache and configure firewall exceptions. See the following topics to perform these actions:
Use Group Policy to configure domain member clients for distributed cache mode
Configure domain member client distributed cache mode firewall rules
Non-domain member client configuration for distributed cache mode

Note When distributed cache mode clients are connecting to main office resources using DirectAccess, ensure that Internet Protocol security (IPsec) rules allow BranchCache traffic. Use the inbound and outbound rule settings provided in the topic Configure client computer distributed cache mode firewall rules to create IPsec rules.

Use Group Policy to configure domain member clients for distributed cache mode
You can use this procedure to configure Group Policy to enable and configure BranchCache distributed cache mode on domain-joined client computers. Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

To use Group Policy to configure clients for distributed cache mode

1. On a computer upon which the Active Directory Domain Services server role is installed, click Start, click Administrative Tools, and click Group Policy Management. The Group Policy Management console opens.
2. In the Group Policy Management console, expand the following path: Forest: example.com, Domains, example.com, Group Policy Objects, where example.com is the name of the domain where the BranchCache client computer accounts that you want to configure are located.
3. Right-click Group Policy Objects, and then click New. The New GPO dialog box opens. In Name, type a name for the new Group Policy object (GPO). For example, if you want to name the object BranchCache Client Computers, type BranchCache Client Computers. Click OK.
4. In the Group Policy Management console, ensure that Group Policy Objects is selected, and in the details pane right-click the GPO that you just created. For example, if you named your GPO BranchCache Client Computers, right-click BranchCache Client Computers. Click Edit. The Group Policy Management Editor console opens.
5. In the Group Policy Management Editor console, expand the following path: Computer Configuration, Policies, Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine, Network, BranchCache.
6. Click BranchCache, and then in the details pane, double-click Turn on BranchCache. The Turn on BranchCache dialog box opens.
7. In the Turn on BranchCache dialog box, click Enabled, and then click OK.
8. In the Group Policy Management Editor console, ensure that BranchCache is still selected, and then in the details pane double-click Set BranchCache Distributed Cache mode. The Set BranchCache Distributed Cache mode dialog box opens.
9. In the Set BranchCache Distributed Cache mode dialog box, click Enabled, and then click OK.
10. To configure the amount of hard disk space allocated on each client computer for the BranchCache cache: In the Group Policy Management Editor console, ensure that BranchCache is still selected, and then in the details pane double-click Set percentage of disk space used for client computer cache. The Set percentage of disk space used for client computer cache dialog box opens. Click Enabled, and then in Options type a numeric value that represents the percentage of hard disk space used on each client computer for the BranchCache cache.
11. To enable client computers to download and cache content from BranchCache file server-based content servers: In the Group Policy Management Editor console, ensure that BranchCache is still selected, and then in the details pane double-click BranchCache for network files. The Configure BranchCache for network files dialog box opens.
12. In the Configure BranchCache for network files dialog box, click Enabled. In Options, type a numeric value, in milliseconds, for the maximum round trip network latency time, and then click OK.

Note
By default, client computers cache content from file servers if the round trip network latency is longer than 80 milliseconds.

Configure domain member client distributed cache mode firewall rules


When you configure BranchCache in distributed cache mode, BranchCache client computers use the Hypertext Transfer Protocol (HTTP) for data transfer with other client computers. BranchCache client computers also use the Web Services Dynamic Discovery (WS-Discovery) protocol when they attempt to discover content on client cache servers. You can use this procedure to configure client firewall exceptions to allow incoming HTTP and WS-Discovery traffic on client computers that are configured for distributed cache mode.

Note
The HTTP inbound and outbound firewall exceptions created with this procedure have the following setting: TCP port 80. The WS-Discovery inbound and outbound firewall exceptions created with this procedure have the following setting: UDP port 3702.

Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

To configure distributed cache mode client firewall exceptions

1. On a computer upon which the Active Directory Domain Services server role is installed, click Start, click Administrative Tools, and click Group Policy Management. The Group Policy Management console opens.
2. In the Group Policy Management console, expand the following path: Forest: example.com, Domains, example.com, Group Policy Objects, where example.com is the name of the domain where the BranchCache client computer accounts that you want to configure are located.
3. In the Group Policy Management console, ensure that Group Policy Objects is selected, and in the details pane right-click the BranchCache client computers GPO that you created previously. For example, if you named your GPO BranchCache Client Computers, right-click BranchCache Client Computers. Click Edit. The Group Policy Management Editor console opens.
4. In the Group Policy Management Editor console, expand the following path: Computer Configuration, Policies, Windows Settings, Security Settings, Windows Firewall with Advanced Security, Windows Firewall with Advanced Security LDAP, Inbound Rules.
5. Right-click Inbound Rules, and then click New Rule. The New Inbound Rule Wizard opens.
6. In Rule Type, click Predefined, expand the list of choices, and then click BranchCache Content Retrieval (Uses HTTP). Click Next.
7. In Predefined Rules, click Next.
8. In Action, ensure that Allow the connection is selected, and then click Finish.

   Important
   You must select Allow the connection for the BranchCache client to be able to receive traffic on this port.
9. To create the WS-Discovery firewall exception, again right-click Inbound Rules, and then click New Rule. The New Inbound Rule Wizard opens.
10. In Rule Type, click Predefined, expand the list of choices, and then click BranchCache Peer Discovery (Uses WSD). Click Next.
11. In Predefined Rules, click Next.
12. In Action, ensure that Allow the connection is selected, and then click Finish.

   Important
   You must select Allow the connection for the BranchCache client to be able to receive traffic on this port.
13. In the Group Policy Management Editor console, right-click Outbound Rules, and then click New Rule. The New Outbound Rule Wizard opens.
14. In Rule Type, click Predefined, expand the list of choices, and then click BranchCache Content Retrieval (Uses HTTP). Click Next.
15. In Predefined Rules, click Next.
16. In Action, ensure that Allow the connection is selected, and then click Finish.

   Important
   You must select Allow the connection for the BranchCache client to be able to send traffic on this port.
17. To create the WS-Discovery firewall exception, again right-click Outbound Rules, and then click New Rule. The New Outbound Rule Wizard opens.
18. In Rule Type, click Predefined, expand the list of choices, and then click BranchCache Peer Discovery (Uses WSD). Click Next.
19. In Predefined Rules, click Next.
20. In Action, ensure that Allow the connection is selected, and then click Finish.

   Important
   You must select Allow the connection for the BranchCache client to be able to send traffic on this port.

Non-domain member client configuration for distributed cache mode


Using Group Policy to automate the configuration of BranchCache client computers for distributed cache mode is recommended; however, you can also manually configure individual computers. In addition, you can use these topics to configure non-domain member computers. See the following topics to manually configure BranchCache client computers:
Enable BranchCache distributed cache mode using network shell commands
Configure client computer distributed cache mode firewall rules

Enable BranchCache distributed cache mode using network shell commands


You can use this procedure to manually configure a BranchCache client computer for distributed cache mode using network shell (netsh) commands.

Note
If you have configured BranchCache client computers using Group Policy, the Group Policy settings override any manual configuration of client computers to which the policies are applied.

Membership in Administrators, or equivalent, is the minimum required to perform this procedure.

To enable BranchCache distributed cache mode using network shell commands

1. On the BranchCache client computer that you want to configure, click Start, click Search programs and files, and then type command. In search results, under Programs, right-click Command Prompt, and then click Run as Administrator. The command prompt opens with the elevated privileges that are required to run netsh commands.
2. Run the following command:
   netsh branchcache set service mode=DISTRIBUTED

   Note
   Running the netsh branchcache set service command both configures the client computer for distributed cache mode and automatically configures the client computer firewall with the following inbound exceptions for distributed cache mode: TCP port 80 and UDP port 3702.
3. To enable client computers to download and cache content from BranchCache file server-based content servers, run the following command, where Number is a numeric value, in milliseconds, for the maximum round trip network latency time:
   netsh branchcache smb set latency latency=Number

Configure client computer distributed cache mode firewall rules


You can use the information in this topic to configure third party firewall products and to manually configure a client computer with firewall rules that allow BranchCache to run in distributed cache mode.

Notes
If you have configured BranchCache client computers using Group Policy, the Group Policy settings override any manual configuration of client computers to which the policies are applied.
If you have deployed BranchCache with DirectAccess, you can use the settings in this topic to configure IPsec rules to allow BranchCache traffic.

Membership in Administrators, or equivalent, is the minimum required to make these configuration changes.

[MS-PCCRD]: Peer Content Caching and Retrieval Discovery Protocol


Distributed cache clients must allow inbound and outbound MS-PCCRD traffic, which is carried in the Web Services Dynamic Discovery (WS-Discovery) protocol. Firewall settings must allow multicast traffic in addition to inbound and outbound traffic. You can use the following settings to configure firewall exceptions for distributed cache mode.
IPv4 multicast: 239.255.255.250
IPv6 multicast: FF02::C
Inbound traffic: Local port: 3702, Remote port: ephemeral
Outbound traffic: Local port: ephemeral, Remote port: 3702
Program: %systemroot%\system32\svchost.exe (BranchCache Service [PeerDistSvc])

[MS-PCCRR]: Peer Content Caching and Retrieval: Retrieval Protocol


Distributed cache clients must allow inbound and outbound MS-PCCRR traffic, which is carried in the HTTP 1.1 protocol as documented in Request for Comments (RFC) 2616. Firewall settings must allow inbound and outbound traffic. You can use the following settings to configure firewall exceptions for distributed cache mode.
Inbound traffic: Local port: 80, Remote port: ephemeral
Outbound traffic: Local port: ephemeral, Remote port: 80

Deploy a hosted cache mode design


When you deploy BranchCache in hosted cache mode for a branch office, a hosted cache server is installed at the branch office. Client computers that are running either Windows 7 Enterprise or Windows 7 Ultimate are also installed at the branch office. These clients download content from content servers that are installed at the main office, and after content is downloaded, the hosted cache server obtains and caches the content, providing the content to other clients in the same branch office upon request.

To deploy BranchCache in hosted cache mode, you must install and configure content servers in your main office and install and configure a hosted cache server and client computers in your branch office. In addition, client computers at branch offices must be able to access the main office content servers over some type of wide area network (WAN) link, such as a dedicated or on-demand virtual private network (VPN) connection between the offices; or clients must use some other method to connect to the content servers, such as DirectAccess.

Important
BranchCache is compatible only with VPN software that supports split tunneling. Do not enable hosted cache mode on client computers in a branch office if these clients use host-based VPN software that does not support split tunneling. If the VPN software does not support split tunneling, client computers route traffic through the main office VPN servers when downloading from the local hosted cache, which creates unnecessary WAN link traffic and network congestion.

Finally, you must enroll a server certificate to your hosted cache server that the server uses to prove its identity to client computers in the branch office. After the hosted cache server enrolls a certificate, you must obtain the SHA-1 hash of the certificate and link the certificate to BranchCache.

Note
The server certificate that is enrolled to hosted cache servers must be issued by a certification authority (CA) that is trusted by client computers. If client computers do not trust the CA that issued the certificate to the hosted cache server, authentication fails and the client computers are not able to obtain content from the hosted cache server.

CAs and certificates

You can deploy server certificates with either a public CA or with a private CA that you own and deploy.

Public CAs are deployed by third party companies, such as Verisign, who sell certificates for use by their customers. This guide does not describe how to deploy hosted cache mode with certificates that are issued by a public CA, but it is possible if you ensure that the certificates meet the minimum server certificate requirements and are configured in accordance with the Web Server certificate template as described in this guide. In addition, before purchasing a server certificate issued by a public CA, you should ensure that BranchCache client computers already trust the public CA.

Private CAs are deployed by organizations who design and deploy a public key infrastructure (PKI). This guide provides instructions on how to deploy your own CA using Active Directory Certificate Services (AD CS).

Note
This guide does not provide instructions on how to design a PKI, and you should review AD CS documentation before deploying your own CA. For more information, see Additional Resources.

There are two types of certificates that are used when you deploy BranchCache in hosted cache mode:
CA certificate. When you deploy your own CA, the root CA certificate is automatically distributed to client computers that are domain members. The certificate is stored in the Trusted Root Certification Authorities certificate store for the Local Computer and for the Current User. These certificate stores can be viewed by using the Certificates Microsoft Management Console (MMC) snap-in. When a CA certificate exists in the Trusted Root Certification Authorities certificate store, it means that the computer trusts all certificates that are issued by the CA.
Server certificate. The server certificate is issued by the CA to the hosted cache server. The hosted cache server uses the certificate to prove its identity to client computers during the authentication process.

Hosted cache mode

See the following topics to deploy BranchCache in hosted cache mode:
Install and configure content servers
Configure client computers for hosted cache mode
Install the certification authority and enroll certificates to hosted cache servers
Obtain the SHA-1 hash of the hosted cache server certificate
Link the hosted cache server certificate to BranchCache
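The trust requirement described above can be verified from a branch office client before hosted cache mode is rolled out. The following PowerShell function is an added example and is not part of this guide or of BranchCache itself: it connects to the hosted cache server's HTTPS listener, retrieves the server certificate, and reports whether it chains to a trusted CA, whether its DNS name matches the FQDN clients are configured with, and whether its SHA-1 hash matches the one linked to BranchCache. The FQDN, port and thumbprint in the sample call are placeholders.

```powershell
# Added example, not part of the BranchCache Deployment Guide. Run on a branch office
# client (Windows PowerShell 2.0 or later) to inspect the certificate that the hosted
# cache server presents on its MS-PCHC (HTTPS, TCP 443) listener.

function Test-HostedCacheServerCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$HostedCacheFqdn,
        [string]$ExpectedSha1 = "",   # SHA-1 hash recorded when the certificate was linked to BranchCache
        [int]$Port = 443              # MS-PCHC uses HTTPS on TCP 443
    )

    # Accept whatever certificate is offered during the handshake; the checks are made
    # explicitly below so that the reason for a failure can be reported.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $sslPolicyErrors) $true
    }

    $ssl = $null
    $tcp = New-Object System.Net.Sockets.TcpClient($HostedCacheFqdn, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostedCacheFqdn)
        # Copy the certificate out before the connection is closed.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $ssl.RemoteCertificate
    } finally {
        if ($ssl -ne $null) { $ssl.Close() }
        $tcp.Close()
    }

    # Build the chain against this computer's trust stores with online revocation checking.
    # When ChainTrusted is $false, ChainStatus names the cause; UntrustedRoot is the case
    # the guide warns about, where the issuing CA is not in Trusted Root Certification Authorities.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainTrusted = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", "

    # GetNameInfo returns the first DNS subject alternative name, or the subject CN when
    # there is no SAN extension; a certificate with several DNS names needs a fuller check.
    $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

    # Normalise a thumbprint copied from the Certificates snap-in (spaces or colons, any case).
    $expected = $ExpectedSha1.Replace(" ", "").Replace(":", "").ToUpperInvariant()

    New-Object PSObject -Property @{
        Server            = $HostedCacheFqdn
        Subject           = $cert.Subject
        Issuer            = $cert.Issuer
        NotAfter          = $cert.NotAfter
        Sha1Thumbprint    = $cert.Thumbprint          # .NET Thumbprint is the SHA-1 hash
        ChainTrusted      = $chainTrusted
        ChainStatus       = $chainStatus
        NameMatchesFqdn   = ($dnsName -eq $HostedCacheFqdn)   # string -eq ignores case
        ThumbprintMatches = ($expected -eq "" -or $cert.Thumbprint -eq $expected)
    }
}

# Sample call with placeholder values. Replace the FQDN with your hosted cache server and
# the thumbprint with the hash from "Obtain the SHA-1 hash of the hosted cache server certificate".
# Test-HostedCacheServerCertificate -HostedCacheFqdn "hostedcache1.branch.example.com" `
#     -ExpectedSha1 "<SHA-1 hash linked to BranchCache>" | Format-List
```

A result with ChainTrusted false and ChainStatus containing UntrustedRoot means the client will fail authentication to the hosted cache server exactly as the Note above describes, and the CA certificate needs to be distributed to that client first.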

Configure client computers for hosted cache mode


You can use the procedures in this section to configure client computers for BranchCache when you deploy hosted cache mode. Client computers running some versions of Windows 7 have BranchCache installed by default; however, you must enable and configure BranchCache and configure firewall rules on client computers. See the following topics to perform these actions:
Use Group Policy to configure domain member clients for hosted cache mode
Configure domain member client hosted cache mode firewall rules
Non-domain member client configuration for hosted cache mode

Note When hosted cache mode clients are connecting to main office resources using DirectAccess, ensure that Internet Protocol security (IPsec) rules allow BranchCache traffic. Use the inbound and outbound rule settings provided in the topic Configure hosted cache mode firewall rules to create IPsec rules.

Use Group Policy to configure domain member clients for hosted cache mode
You can use this procedure to configure Group Policy to enable and configure BranchCache hosted cache mode on domain-joined client computers. Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

To use Group Policy to configure clients for hosted cache mode

1. On a computer upon which the Active Directory Domain Services server role is installed, click Start, click Administrative Tools, and click Group Policy Management. The Group Policy Management console opens.
2. In the Group Policy Management console, expand the following path: Forest: example.com, Domains, example.com, Group Policy Objects, where example.com is the name of the domain where the BranchCache client computer accounts that you want to configure are located.
3. Right-click Group Policy Objects, and then click New. The New GPO dialog box opens. In Name, type a name for the new Group Policy object (GPO). For example, if you want to name the object BranchCache Client Computers, type BranchCache Client Computers. Click OK.
4. In the Group Policy Management console, ensure that Group Policy Objects is selected, and in the details pane right-click the GPO that you just created. For example, if you named your GPO BranchCache Client Computers, right-click BranchCache Client Computers. Click Edit. The Group Policy Management Editor console opens.
5. In the Group Policy Management Editor console, expand the following path: Computer Configuration, Policies, Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine, Network, BranchCache.
6. Click BranchCache, and then in the details pane, double-click Turn on BranchCache. The Turn on BranchCache dialog box opens.
7. In the Turn on BranchCache dialog box, click Enabled, and then click OK.
8. In the Group Policy Management Editor console, ensure that BranchCache is still selected, and then in the details pane double-click Set BranchCache Hosted Cache mode. The Set BranchCache Hosted Cache mode dialog box opens.
9. In the Set BranchCache Hosted Cache mode dialog box, click Enabled. In Enter the location of hosted cache, type the fully qualified domain name (FQDN) of the hosted cache server, and then click OK.
10. To configure the amount of hard disk space allocated on each client computer for the BranchCache cache: In the Group Policy Management Editor console, ensure that BranchCache is still selected, and then in the details pane double-click Set percentage of disk space used for client computer cache. The Set percentage of disk space used for client computer cache dialog box opens. Click Enabled, and then in Options type a numeric value that represents the percentage of hard disk space used on each client computer for the BranchCache cache.
11. To enable client computers to download and cache content from BranchCache file server-based content servers: In the Group Policy Management Editor console, ensure that BranchCache is still selected, and then in the details pane double-click BranchCache for network files. The Configure BranchCache for network files dialog box opens.
12. In the Configure BranchCache for network files dialog box, click Enabled. In Options, type a numeric value, in milliseconds, for the maximum round trip network latency time, and then click OK.

Note
By default, client computers cache content from file servers if the round trip network latency is longer than 80 milliseconds.

Configure domain member client hosted cache mode firewall rules


When you configure BranchCache in hosted cache mode, BranchCache client computers use the Hypertext Transfer Protocol (HTTP) and HTTP Secure (HTTPS) for data transfer with other client computers. You can use this procedure to configure client firewall inbound and outbound rules to allow HTTP and HTTPS traffic on client computers that are configured for hosted cache mode.

Note
The HTTP inbound and outbound firewall rules that are created with this procedure have the following setting: TCP port 80. The HTTPS outbound firewall exception created with this procedure has the following setting: TCP port 443.

Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

To configure hosted cache mode client firewall exceptions

1. On a computer upon which the Active Directory Domain Services server role is installed, click Start, click Administrative Tools, and click Group Policy Management. The Group Policy Management console opens.
2. In the Group Policy Management console, expand the following path: Forest: example.com, Domains, example.com, Group Policy Objects, where example.com is the name of the domain where the BranchCache client computer accounts that you want to configure are located.
3. In the Group Policy Management console, ensure that Group Policy Objects is selected, and in the details pane right-click the BranchCache client computers GPO that you created previously. For example, if you named your GPO BranchCache Client Computers, right-click BranchCache Client Computers. Click Edit. The Group Policy Management Editor console opens.
4. In the Group Policy Management Editor console, expand the following path: Computer Configuration, Policies, Windows Settings, Security Settings, Windows Firewall with Advanced Security, Windows Firewall with Advanced Security LDAP, Inbound Rules.
5. Right-click Inbound Rules, and then click New Rule. The New Inbound Rule Wizard opens.
6. In Rule Type, click Predefined, expand the list of choices, and then click BranchCache Content Retrieval (Uses HTTP). Click Next.
7. In Predefined Rules, click Next.
8. In Action, ensure that Allow the connection is selected, and then click Finish.

   Important
   You must select Allow the connection for the BranchCache client to be able to receive traffic on this port.
9. In the Group Policy Management Editor console, right-click Outbound Rules, and then click New Rule. The New Outbound Rule Wizard opens.
10. In Rule Type, click Predefined, expand the list of choices, and then click BranchCache Content Retrieval (Uses HTTP). Click Next.
11. In Predefined Rules, click Next.
12. In Action, ensure that Allow the connection is selected, and then click Finish.

   Important
   You must select Allow the connection for the BranchCache client to be able to send traffic on this port.
13. In the Group Policy Management Editor console, right-click Outbound Rules, and then click New Rule. The New Outbound Rule Wizard opens.
14. In Rule Type, click Predefined, expand the list of choices, and then click BranchCache Hosted Cache Client (Uses HTTPS). Click Next.
15. In Predefined Rules, click Next.
16. In Action, ensure that Allow the connection is selected, and then click Finish.

   Important
   You must select Allow the connection for the BranchCache client to be able to send traffic on this port.

Non-domain member client configuration for hosted cache mode


Using Group Policy to automate the configuration of BranchCache client computers for hosted cache mode is recommended; however, you can also manually configure individual computers. See the following topics to manually configure BranchCache client computers:
Enable BranchCache hosted cache mode using network shell commands
Configure hosted cache mode firewall rules

Enable BranchCache hosted cache mode using network shell commands


You can use this procedure to manually configure a BranchCache client computer for hosted cache mode using network shell (netsh) commands. Running the command below configures the client computer for hosted cache mode and automatically configures the client computer firewall with the following inbound exception for hosted cache mode: TCP port 80.

Note
If you have configured BranchCache client computers using Group Policy, the Group Policy settings override any manual configuration of client computers to which the policies are applied.

Membership in Administrators, or equivalent, is the minimum required to perform this procedure.

To enable BranchCache hosted cache mode using network shell commands

1. On the BranchCache client computer that you want to configure, click Start, click Search programs and files, and then type command. In search results, under Programs, right-click Command Prompt, and then click Run as Administrator. The command prompt opens with the elevated privileges that are required to run netsh commands.
2. Run the following command, where HostedCacheName is the fully qualified domain name of the hosted cache server:
   netsh branchcache set service mode=HOSTEDCLIENT location=HostedCacheName

   Note
   If the hosted cache server and client computers are not joined to an Active Directory domain, set client authentication to NONE using the additional clientauthentication parameter in this command:
   netsh branchcache set service mode=HOSTEDSERVER location=HostedCacheName clientauthentication=NONE

Configure hosted cache mode firewall rules


You can use the information in this topic to configure third party firewall products and to manually configure a client computer or a hosted cache server in a branch office with firewall rules that allow BranchCache to run in hosted cache mode.

Notes
If you have configured BranchCache client computers using Group Policy, the Group Policy settings override any manual configuration of client computers to which the policies are applied.
If you have deployed BranchCache with DirectAccess, you can use the settings in this topic to configure IPsec rules to allow BranchCache traffic.

Membership in Administrators, or equivalent, is the minimum required to perform firewall configuration changes.

[MS-PCCRR]: Peer Content Caching and Retrieval: Retrieval Protocol


Hosted cache clients must allow inbound and outbound MS-PCCRR traffic, which is carried in the HTTP 1.1 protocol as documented in Request for Comments (RFC) 2616. Firewall settings must allow inbound, outbound, and program traffic. You can use the following settings to configure firewall exceptions for hosted cache mode.
Inbound traffic: Local port: 80, Remote port: ephemeral
Outbound traffic: Local port: ephemeral, Remote port: 80

[MS-PCHC]: Peer Content Caching and Retrieval: Hosted Cache Protocol


Hosted cache clients must allow inbound and outbound MS-PCHC traffic, which is carried in the HTTP 1.1 over TLS (HTTPS) protocol as documented in Request for Comments (RFC) 2818. Firewall settings must enable outbound traffic. You can use the following settings to configure firewall exceptions for hosted cache mode.
Outbound traffic: Local port: ephemeral, Remote port: 443
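The settings in this topic and in the distributed cache mode topic (MS-PCCRD, MS-PCCRR and MS-PCHC) can be turned into Windows Firewall rules by script when the predefined BranchCache rules are not used, for example on a client whose firewall is managed outside Group Policy. The PowerShell below is an added example and not part of this guide; it drives netsh advfirewall, and the rule names, the domain/private profile limit and the LocalSubnet restriction on peer discovery are choices made for this example rather than settings the guide prescribes.

```powershell
# Added example, not part of the BranchCache Deployment Guide. Run from an elevated
# PowerShell prompt on the client. Binding each rule to svchost.exe and the PeerDistSvc
# service keeps the opened ports from being usable by any other process.
$BranchCacheProgram = "%systemroot%\system32\svchost.exe"
$BranchCacheService = "PeerDistSvc"

function Get-BranchCacheFirewallRuleSet {
    param([Parameter(Mandatory=$true)][ValidateSet("Distributed", "HostedClient")][string]$Mode)

    # MS-PCCRR (HTTP 1.1, RFC 2616): inbound and outbound TCP 80, needed in both modes.
    $rules = @(
        @{ Name = "BranchCache Content Retrieval (HTTP-In)";  Dir = "in";  Protocol = "TCP"; LocalPort = "80";  RemotePort = "any"; RemoteIp = "any" },
        @{ Name = "BranchCache Content Retrieval (HTTP-Out)"; Dir = "out"; Protocol = "TCP"; LocalPort = "any"; RemotePort = "80";  RemoteIp = "any" }
    )
    if ($Mode -eq "Distributed") {
        # MS-PCCRD (WS-Discovery): UDP 3702 inbound and outbound, which also covers the
        # 239.255.255.250 and FF02::C multicast groups. Peers live on the branch LAN, so the
        # rules are limited to LocalSubnet here (an example choice, not a guide setting).
        $rules += @{ Name = "BranchCache Peer Discovery (WSD-In)";  Dir = "in";  Protocol = "UDP"; LocalPort = "3702"; RemotePort = "any";  RemoteIp = "LocalSubnet" }
        $rules += @{ Name = "BranchCache Peer Discovery (WSD-Out)"; Dir = "out"; Protocol = "UDP"; LocalPort = "any";  RemotePort = "3702"; RemoteIp = "LocalSubnet" }
    } else {
        # MS-PCHC (HTTP over TLS, RFC 2818): outbound only, to the hosted cache server on TCP 443.
        $rules += @{ Name = "BranchCache Hosted Cache Client (HTTPS-Out)"; Dir = "out"; Protocol = "TCP"; LocalPort = "any"; RemotePort = "443"; RemoteIp = "any" }
    }
    return $rules
}

function Add-BranchCacheFirewallRules {
    param([Parameter(Mandatory=$true)][ValidateSet("Distributed", "HostedClient")][string]$Mode)

    foreach ($rule in (Get-BranchCacheFirewallRuleSet -Mode $Mode)) {
        # Each element is passed to netsh as one argument; PowerShell quotes the ones with spaces.
        $netshArgs = @(
            "advfirewall", "firewall", "add", "rule",
            "name=$($rule.Name)",
            "dir=$($rule.Dir)",
            "action=allow",
            "protocol=$($rule.Protocol)",
            "localport=$($rule.LocalPort)",
            "remoteport=$($rule.RemotePort)",
            "remoteip=$($rule.RemoteIp)",
            "program=$BranchCacheProgram",
            "service=$BranchCacheService",
            "profile=domain,private"     # example choice: no BranchCache ports on public networks
        )
        & netsh.exe $netshArgs | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "netsh advfirewall failed while adding rule '$($rule.Name)'"
        }
    }
}

# Pick the mode the client was configured for with 'netsh branchcache set service':
# Add-BranchCacheFirewallRules -Mode Distributed
# Add-BranchCacheFirewallRules -Mode HostedClient
```

If Group Policy also delivers BranchCache firewall rules, those policy rules take precedence, as the Notes above state, so check the resulting rule set with netsh advfirewall firewall show rule name=all after applying.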

Install and configure the hosted cache server


When you deploy BranchCache in hosted cache mode for one or more branch offices, you must install a hosted cache server in each branch office. You can use an existing application server as a hosted cache server if you upgrade the server to one of the following operating systems:
Windows Server 2008 R2 Enterprise
Windows Server 2008 R2 Enterprise with Hyper-V
Windows Server 2008 R2 Enterprise Core Install
Windows Server 2008 R2 Enterprise Core Install with Hyper-V
Windows Server 2008 R2 for Itanium-Based Systems
Windows Server 2008 R2 Datacenter
Windows Server 2008 R2 Datacenter with Hyper-V
Windows Server 2008 R2 Datacenter Core Install with Hyper-V

To deploy a hosted cache server, you must install and enable the BranchCache feature, enable hosted cache mode, and configure firewall exceptions to allow communication between the hosted cache server and client computers in the branch office.

Note By default, the cache on the hosted cache server is configured to use 5% of the hard disk space on the local hard disk. If you want to change the size of the cache, you can use the netsh branchcache set cachesize command, which specifies the size of the local cache as either a percentage of the size of the hard disk where the cache is located or as an exact number of bytes. For more information, see Additional Resources.

See the following topics to install and configure the hosted cache server.

Install the BranchCache feature
Enable hosted cache server mode on a hosted cache server

Note When you enable hosted cache mode using the netsh branchcache set service command as described in the topic Enable hosted cache server mode on a hosted cache server, the firewall on the hosted cache server is automatically configured with the correct exceptions for hosted cache mode. You do not need to make additional changes to the firewall configuration; however, the topic Configure hosted cache mode firewall rules is provided for reference.

Install the BranchCache feature


You can use this procedure to install the BranchCache feature and start the BranchCache service on a computer running Windows Server 2008 R2. Membership in Administrators, or equivalent, is the minimum required to perform this procedure.

To install and enable the BranchCache feature

1. Click Start, click Administrative Tools, and then click Server Manager. Server Manager opens.
2. In the Server Manager left pane, right-click Features, and then click Add Features. The Add Features Wizard opens.
3. In the Add Features Wizard, in Features, select the BranchCache check box, and then click Next.
4. In Confirm Installation Selections, review your choice and then click Install. The Installation Progress pane is displayed during installation, and then the Installation Results pane is displayed.
5. In Installation Results, review the summary and then click Close. The Add Features Wizard closes.
6. In the Server Manager left pane, double-click Configuration, and then click Services.
7. In the details pane, in Services, double-click BranchCache. The BranchCache Properties dialog box opens.
8. In the BranchCache Properties dialog box, on the General tab, click Start to start the BranchCache service, and then click OK.

Important The BranchCache service startup type is Automatic, which means that the BranchCache service starts whenever the computer is restarted. It is recommended that you keep the startup type value set to Automatic.

Enable hosted cache server mode on a hosted cache server


You can use this procedure to manually configure a BranchCache hosted cache server for hosted cache mode using network shell (netsh) commands. Running the command below both configures the server for hosted cache mode and automatically configures the firewall with the following inbound exceptions for hosted cache mode: TCP port 80 and TCP port 443. Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

To enable hosted cache mode on a hosted cache server

1. On the BranchCache hosted cache server that you want to configure, click Start, click Search programs and files, and then type command. In search results, under Programs, right-click Command Prompt, and then click Run as Administrator. The command prompt opens with the elevated privileges that are required to run netsh commands.
2. Run the following command: netsh branchcache set service mode=HOSTEDSERVER

Note If the hosted cache server and client computers are not joined to an Active Directory domain, set client authentication to NONE using the additional clientauthentication parameter in this command: netsh branchcache set service mode=HOSTEDSERVER clientauthentication=NONE
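The procedure above, together with the cache size note in the previous topic, can be carried out from an elevated PowerShell prompt in one pass that also verifies the result. The script below is an added example, not code from this guide: the netsh commands are the ones the guide names, the cache percentage is an illustrative value, and the check that the status output mentions the hosted cache mode is our assumption about the text netsh branchcache show status prints.

```powershell
# Added example (not part of the guide): enable hosted cache mode on a
# Windows Server 2008 R2 hosted cache server, size the cache, and verify.
# Assumptions: elevated PowerShell; $CachePercent is an illustrative default.
param([int]$CachePercent = 10)

function Invoke-Netsh {
    # Run netsh with an argument array and fail loudly on a non-zero exit code.
    param([string[]]$NetshArgs)
    $out = & netsh $NetshArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh $($NetshArgs -join ' ') failed: $out" }
    return $out
}

# Keep the default domain-based client authentication when the server is domain
# joined. Only fall back to clientauthentication=NONE when there is no domain, as
# the guide's note describes; NONE means any host on the LAN can use the cache.
$partOfDomain = (Get-WmiObject Win32_ComputerSystem).PartOfDomain
$modeArgs = @('branchcache', 'set', 'service', 'mode=HOSTEDSERVER')
if (-not $partOfDomain) { $modeArgs += 'clientauthentication=NONE' }
Invoke-Netsh $modeArgs | Out-Null

# percent=TRUE makes size a percentage of the disk that holds the cache
# (the guide's default is 5%).
Invoke-Netsh @('branchcache', 'set', 'cachesize', "size=$CachePercent", 'percent=TRUE') | Out-Null

# Verify the mode and that the BranchCache service (PeerDistSvc) is running.
$status = Invoke-Netsh @('branchcache', 'show', 'status')
if (-not ($status -match 'Hosted')) {     # assumption: the status text names the mode
    throw "Hosted cache mode not reported:`n$($status -join "`n")"
}
if ((Get-Service PeerDistSvc).Status -ne 'Running') { Start-Service PeerDistSvc }
$status
```

Because the netsh set service command also opens TCP 80 and TCP 443 inbound on the server, running the status check afterwards is a convenient point to confirm that the firewall change matches what the guide describes for this host.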

Install the certification authority and enroll certificates to hosted cache servers
When you deploy BranchCache in hosted cache mode, you must enroll server certificates to hosted cache servers. You can use the following topics to create a hosted cache servers group in Active Directory Users and Computers, add hosted cache servers to the group, install an enterprise root certification authority using Active Directory Certificate Services (AD CS), and then configure the automatic distribution, or autoenrollment, of server certificates to hosted cache servers. See the following topics to perform these actions.

Create the hosted cache servers group
Add hosted cache servers to the group
Install the certification authority (CA)
Configure the Web Server certificate template
Configure server certificate autoenrollment
Refresh Group Policy

Notes

When you deploy a public key infrastructure (PKI), you should also configure certificate revocation and publish a certificate revocation list (CRL).

If your BranchCache deployment includes only one or two hosted cache servers and you prefer not to use autoenrollment, you can use the Certificates Microsoft Management Console (MMC) snap-in to manually enroll server certificates to hosted cache servers. For more information, see Additional Resources.

Create the hosted cache servers group


You can use this procedure to create a new Hosted Cache Servers group in the Active Directory Users and Computers Microsoft Management Console (MMC). Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

To add a Hosted Cache Servers group

1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers. The Active Directory Users and Computers MMC opens. If it is not already selected, click the node for your domain. For example, if your domain is example.com, click example.com.
2. In the details pane, right-click the folder in which you want to add a new group. Where? Active Directory Users and Computers/domain node/folder
3. Point to New, and then click Group.
4. In New Object - Group, in Group name, type the name of the new group. For example, type Hosted Cache Servers. By default, the name you type is also entered as the pre-Windows 2000 name of the new group.
5. In Group scope, select one of the following options: Domain local, Global, or Universal.
6. In Group type, select one of the following options: Security or Distribution.
7. Click OK.

Add hosted cache servers to the group


You can use this procedure to assign group membership to BranchCache hosted cache servers using the Active Directory Users and Computers Microsoft Management Console (MMC). Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

To add hosted cache servers to the Hosted Cache Servers group

1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers. The Active Directory Users and Computers MMC opens. If it is not already selected, click the node for your domain. For example, if your domain is example.com, click example.com.
2. In the details pane, double-click the folder that contains the Hosted Cache Servers group to which you want to add a member. Where? Active Directory Users and Computers/domain node/folder that contains the group
3. In the details pane, right-click the group to which you want to add a member, and then click Properties. The group Properties dialog box opens. Click the Members tab.
4. On the Members tab, click Add.
5. In Enter the object names to select, type the name of the hosted cache server that you want to add, and then click OK.
6. To assign group membership to other hosted cache servers, repeat steps 4 and 5 of this procedure.

Install the certification authority (CA)


You can use this procedure to install Active Directory Certificate Services (AD CS) so that you can enroll a server certificate to hosted cache servers.

Important To perform this procedure, the computer on which you are installing AD CS must be joined to a domain where Active Directory Domain Services (AD DS) is installed.

Membership in both the Enterprise Admins and the root domain's Domain Admins group is the minimum required to complete this procedure.

To install Active Directory Certificate Services

1. Log on as a member of both the Enterprise Admins group and the root domain's Domain Admins group.
2. Click Start, click Administrative Tools, and then click Server Manager. The Server Manager console opens. In Roles Summary, click Add roles.
3. The Add Roles Wizard opens. Click Next.
4. On the Select Server Roles page, in Roles, select Active Directory Certificate Services, and then click Next twice.
5. On the Select Role Services page, in Role services, verify that Certification Authority is selected, and then click Next.
6. On the Specify Setup Type page, verify that Enterprise is selected, and then click Next.
7. On the Specify CA Type page, verify that Root CA is selected, and then click Next.
8. On the Set Up Private Key page, verify that Create a new private key is selected, and then click Next.
9. On the Configure Cryptography for CA page, keep the default settings for CSP (RSA#Microsoft Software Key Storage Provider) and hash algorithm (sha1), and determine the best key character length for your deployment. Large key character lengths provide optimal security; however, they can impact server performance. It is recommended that you keep the default setting of 2048 or, if you deem it appropriate for your deployment, reduce Key character length to 1024. Click Next.
10. On the Configure CA Name page, keep the suggested common name for the CA or change the name according to your requirements, and then click Next.
11. On the Set Validity Period page, in Select validity period for the certificate generated for this CA, type the number and select a time value (Years, Months, Weeks, or Days). The default setting of five years is recommended. Click Next.
12. On the Configure Certificate Database page, in Certificate database location and Certificate database log location, specify the folder location for these items. If you specify locations other than the default locations, ensure that the folders are secured with access control lists (ACLs) that prevent unauthorized users or computers from accessing the CA database and log files.
13. Click Next, click Install, and then click Close.

Configure the Web Server certificate template


You can use this procedure to configure the certificate template that Active Directory Certificate Services (AD CS) uses as the basis for computer certificates that are enrolled to hosted cache server computers. Membership in both the Enterprise Admins and the root domain's Domain Admins group is the minimum required to complete this procedure.

To configure the certificate template and autoenrollment

1. On the computer where AD CS is installed, click Start, click Run, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box opens.
3. In the Add or Remove Snap-ins dialog box, in Available snap-ins, double-click Certification Authority. Select the CA that you want to manage, and then click Finish. The Certification Authority dialog box closes, returning you to the Add or Remove Snap-ins dialog box.
4. In Available snap-ins, double-click Certificate Templates, and then click OK.
5. In the console tree, click the Certificate Templates snap-in. All of the certificate templates are displayed in the details pane.
6. In the details pane, click the Web Server template.
7. On the Action menu, click Duplicate Template. In the Duplicate Template dialog box, select the template version that is appropriate for your deployment. For client and server interoperability reasons, it is recommended that you select Windows Server 2003 Enterprise.
8. Click OK. The Properties dialog box for the certificate template opens.
9. On the General tab, in Display Name, type a new name for the certificate template or keep the default name, Copy of Web Server.
10. Click the Subject Name tab. Ensure that Build from this Active Directory information is selected. In Subject name format, select DNS name.
11. Click the Request Handling tab. For Minimum key size, determine the best key character length for your deployment. Large key character lengths provide optimal security, but they can impact server performance. It is recommended that you keep the default setting of 2048 or, if you deem it appropriate for your deployment, reduce Minimum key size to 1024.
12. Click the Security tab. In Group or user names, click Add. The Select Users, Computers, Service Accounts, or Groups dialog box opens.
13. In Select Users, Computers, Service Accounts, or Groups, type the name of the group that you created for your hosted cache servers, and then click OK. For example, type Hosted Cache Servers.
14. In Properties of New Template, in Group or User Names, click the name of the group you just added. For example, if your group is named Hosted Cache Servers, click that group.
15. In Properties of New Template, in Permissions for Hosted Cache Servers, under Allow, select the Enroll and Autoenroll permission check boxes, and then click OK. Note: If your group name is not Hosted Cache Servers, this section of the dialog box is named Permissions for Group Name, where Group Name is the name of the hosted cache servers group that you created.
16. In the left pane of the Microsoft Management Console (MMC), double-click Certification Authority, double-click the CA name, and then click Certificate Templates. On the Action menu, point to New, and then click Certificate Template to Issue. The Enable Certificate Templates dialog box opens.
17. Click the name of the certificate template you just configured, and then click OK. For example, if you did not change the default certificate template name, click Copy of Web Server, and then click OK.

Configure server certificate autoenrollment


Note Before you perform this procedure, you must configure a server certificate template by

Membership in both the Enterprise Admins and the root domain's Domain Admins group is the minimum required to complete this procedure.

To configure server certificate autoenrollment

1. On the computer where Active Directory Domain Services is installed, click Start, click Run, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box opens.
3. In Available snap-ins, scroll down to and double-click Group Policy Management Editor, and then click OK. The Group Policy Wizard opens.
4. In Group Policy Object, click Browse. The Browse for a Group Policy Object dialog box opens.
5. In Domains, OUs, and linked Group Policy Objects, click Default Domain Policy, and then click OK.
6. Click Finish, and then click OK.
7. Double-click Default Domain Policy. In the console, expand the following path: Computer Configuration, Policies, Windows Settings, Security Settings, and then Public Key Policies.
8. Click Public Key Policies. In the details pane, double-click Certificate Services Client - Auto-Enrollment. The Properties dialog box opens. Configure the following items, and then click OK:
   a. In Configuration Model, select Enabled.
   b. Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box.
   c. Select the Update certificates that use certificate templates check box.
9. Click OK.

Refresh Group Policy


You can use this procedure to manually refresh Group Policy on the local computer. When Group Policy is refreshed, if certificate autoenrollment is configured and functioning correctly, the local computer is autoenrolled a certificate by the certification authority (CA).

Note Group Policy is automatically refreshed when you restart the domain member computer, or when a user logs on to a domain member computer. In addition, Group Policy is periodically refreshed. By default, this periodic refresh is performed every 90 minutes with a randomized offset of up to 30 minutes.

Membership in Administrators, or equivalent, is the minimum required to complete this procedure.

To refresh Group Policy on the local computer

1. Click Start, click Run, type cmd, and then press ENTER. The Command Prompt window opens.
2. Type gpupdate, and then press ENTER.

Obtain the SHA-1 hash of the hosted cache server certificate


You can use this procedure to obtain the SHA-1 hash, also called the thumbprint, of the server certificate of a hosted cache server so that you can link the certificate to BranchCache. This procedure must be performed on a hosted cache server to which a server certificate has already been enrolled. Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

To obtain the SHA-1 hash of the hosted cache server certificate

1. Click Start, click Run, type mmc, and then press ENTER. The Microsoft Management Console (MMC) opens.
2. In the MMC, on the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box opens.
3. In Add or Remove Snap-ins, in Available snap-ins, double-click Certificates. The Certificates snap-in dialog box opens. Click Computer account, and then click Next.
4. In Select Computer, in This snap-in will always manage, ensure that Local computer: (the computer this console is running on) is selected, click Finish, and then click OK.
5. In the navigation pane, double-click Certificates (Local Computer) and then double-click the Personal certificate store.
6. The Certificates folder is a subfolder of the Personal certificate store. Click the Certificates folder.
7. In the details pane, browse to the server certificate and double-click the certificate. The Certificate dialog box opens.
8. In the Certificate dialog box, click the Details tab.

Note On the Details tab, in Field, ensure that the value of the Certificate Template Name extension matches the name of the copy of the Web Server certificate template that you configured in a previous step. For example, if you used the default name Copy of Web Server, ensure that this value appears in Certificate Template Name to verify that you have selected the correct certificate.

9. In the list of fields, select Thumbprint.
10. In the lower pane, the hexadecimal string that is the SHA-1 hash of your certificate is displayed. Select the SHA-1 hash and press the Windows keyboard shortcut for the Copy command (Ctrl+C) to copy the hash to the Windows clipboard.
11. Click Start, click All Programs, click Accessories, and then click Notepad. The Notepad application opens.
12. In Notepad, press the Windows keyboard shortcut for the Paste command (Ctrl+V) to paste the SHA-1 hash into a new text file. Remove all of the spaces between the characters in the SHA-1 hash so that the hash contains no spaces, and then save the text file to hard disk.

Note In the next procedure, where you link the hosted cache server certificate to BranchCache, you will use the SHA-1 hash of the certificate while running a network shell (netsh) command.

Link the hosted cache server certificate to BranchCache


You can use this procedure to link the server certificate of a hosted cache server to BranchCache using network shell (netsh) commands.

Important In this procedure you must use the SHA-1 hash of the hosted cache server certificate that you obtained while performing the previous procedure in this guide. Before using the SHA-1 hash in this procedure, remove all spaces from the SHA-1 hash. Do not replace the spaces with alternate characters; just remove the spaces. If you do not remove the spaces from the SHA-1 hash, linking the certificate to BranchCache will fail.

Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

To link the hosted cache server certificate to BranchCache

1. On the BranchCache hosted cache server that you want to configure, click Start, click Search programs and files, and then type command. In search results, under Programs, right-click Command Prompt, and then click Run as Administrator. The command prompt opens with the elevated privileges that are required to run netsh commands.
2. Run the following command: netsh http add sslcert ipport=0.0.0.0:443 certhash=SHA-1_Hash appid={d673f5ee-a714-454d-8de2-492e4c1bd8f8}, where SHA-1_Hash is the SHA-1 hash of the server certificate on the hosted cache server.
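The two preceding procedures, obtaining the thumbprint and linking the certificate, can be done together from an elevated PowerShell prompt on the hosted cache server, which also removes the copy-and-paste step where stray spaces cause the binding to fail. The script below is an added example, not code from this guide: the application ID and the netsh http add sslcert command are the ones the guide gives; the default template name Copy of Web Server is the guide's default; selecting the certificate by subject name and by the text of its certificate template extension is our approach and is assumed to match how the template copy names enrolled certificates in your CA.

```powershell
# Added example (not part of the guide): locate the hosted cache server's enrolled
# server certificate, normalize its SHA-1 thumbprint, and bind it to 0.0.0.0:443
# for BranchCache with the netsh http add sslcert command the guide specifies.
# Assumptions: elevated PowerShell on the hosted cache server; $TemplateName is the
# guide's default template copy name; subject is CN=<FQDN> (Subject name format = DNS name).
param([string]$TemplateName = 'Copy of Web Server')

$BranchCacheAppId = '{d673f5ee-a714-454d-8de2-492e4c1bd8f8}'   # value from the guide

function ConvertTo-CertHash {
    # The thumbprint shown in the MMC contains spaces; strip all whitespace and
    # require exactly 40 hex digits (a SHA-1 hash) before handing it to netsh.
    param([string]$Thumbprint)
    $hash = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    if ($hash -notmatch '^[0-9A-F]{40}$') { throw "Not a SHA-1 thumbprint: '$Thumbprint'" }
    return $hash
}

function Get-HostedCacheCertificate {
    # Pick a currently valid certificate with a private key whose subject is this
    # host's FQDN and whose template extension text mentions the template name.
    param([string]$Template)
    $now  = Get-Date
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        $_.Subject -eq "CN=$fqdn" -and
        ($_.Extensions | Where-Object { $_.Format($false) -match [regex]::Escape($Template) })
    } | Sort-Object NotAfter -Descending
    if (-not $certs) { throw "No valid certificate from template '$Template' for $fqdn in LocalMachine\My" }
    return $certs | Select-Object -First 1    # newest one if autoenrollment has renewed it
}

$cert = Get-HostedCacheCertificate $TemplateName
$hash = ConvertTo-CertHash $cert.Thumbprint
Write-Host "Binding certificate $($cert.Subject) (thumbprint $hash) to 0.0.0.0:443"

# Remove any existing binding on the port first; add fails if one is present.
netsh http delete sslcert ipport=0.0.0.0:443 | Out-Null
netsh http add sslcert ipport=0.0.0.0:443 "certhash=$hash" "appid=$BranchCacheAppId"
if ($LASTEXITCODE -ne 0) { throw 'netsh http add sslcert failed' }

# Show the binding so the thumbprint and application ID can be checked.
netsh http show sslcert ipport=0.0.0.0:443
```

The same ConvertTo-CertHash check is worth running on a thumbprint pasted from Notepad before using it in the manual procedure: it rejects a hash with leftover spaces, a wrong length, or a non-hexadecimal character, which are the failures the Important note above warns about.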

Additional Resources
For more information about the technologies in this guide, see the following resources in the Windows Server 2008 and Windows Server 2008 R2 Technical Library.

Active Directory Certificate Services (http://go.microsoft.com/fwlink/?LinkId=110923)
Active Directory Domain Services (http://go.microsoft.com/fwlink/?LinkId=110928)
Background Intelligent File Transfer Service (BITS) (http://go.microsoft.com/fwlink/?LinkId=163282)
Configuring Certificate Revocation (http://go.microsoft.com/fwlink/?LinkId=163242)
File Services (http://go.microsoft.com/fwlink/?LinkId=163286)
Group Policy (http://go.microsoft.com/fwlink/?LinkId=110930)
Network Shell (Netsh) Commands for BranchCache (http://go.microsoft.com/fwlink/?LinkId=156640)
Web Server (http://go.microsoft.com/fwlink/?LinkId=163294)

The following topics provide information about designing a public key infrastructure and the server message block (SMB) protocol.

Deployment Planning (Best Practices for Implementing a Microsoft Windows Server 2003 public key infrastructure) in Windows Server TechCenter (http://go.microsoft.com/fwlink/?LinkId=106049)
Microsoft SMB Protocol and CIFS Protocol Overview (Windows) in the Microsoft Developer Network (MSDN) (http://go.microsoft.com/fwlink/?LinkId=163293)
