On distributed cache mode client computers and hosted cache servers that are located in branch offices, content caches are built up over time as content is retrieved over WAN links.
When client computers are configured with hosted cache mode, they add content to their own local cache and also offer data to the hosted cache server. The Hosted Cache Protocol provides a mechanism for clients to inform the hosted cache server about content and segment availability. To upload content to the hosted cache server, the client informs the server that it has a segment that is available.
The hosted cache server then retrieves all of the content information that is associated with the offered segment, and downloads only the blocks within the segment that it actually needs. This process is repeated until the client has no more segments to offer the hosted cache server. To update the hosted cache server by using the Hosted Cache Protocol, the following requirements must be met:
The client computer must have a set of blocks within a segment that it can offer to the hosted cache server. The client must supply content information for the offered segment; this consists of the Segment ID, the segment Hash of Data, the Segment Secret, and a list of all block hashes that are contained within the segment.
For hosted cache servers that are running Windows Server R2, a hosted cache server certificate and associated private key are required, and the certification authority (CA) that issued the certificate must be trusted by client computers in the branch office. Hosted cache servers that are running Windows Server , Windows Server R2 , or Windows Server do not require a hosted cache server certificate and associated private key. The client computer is configured with the computer name of the hosted cache server and the Transmission Control Protocol (TCP) port number on which the hosted cache server is listening for BranchCache traffic.
The hosted cache server's certificate is bound to this port. The computer name of the hosted cache server can be a fully qualified domain name (FQDN) if the hosted cache server is a domain member computer, or it can be the NetBIOS name of the computer if the hosted cache server is not a domain member. The client computer actively listens for incoming block requests.
The port on which it is listening is passed as part of the offer messages from the client to the hosted cache server. This enables the hosted cache server to use BranchCache protocols to connect to the client computer to retrieve data blocks in the segment. If the hosted cache server is configured to require client computer authentication, both the client and the hosted cache server are required to support HTTPS authentication. The hosted cache server responds with an OK message and initiates the download of the missing blocks from the offering client computer.
The segment Hash of Data, list of block hashes, and the segment secret are used to ensure that the content that is being downloaded has not been tampered with or otherwise altered.
The downloaded blocks are then added to the hosted cache server's block cache.
This section provides information on how BranchCache secures cached data on client computers and on hosted cache servers. The greatest threat to data stored in the BranchCache is tampering. If an attacker can tamper with content and content information that is stored in the cache, then it might be possible to use this to try and launch an attack against the computers that are using BranchCache.
Attackers can initiate an attack by inserting malicious software in place of other data. BranchCache mitigates this threat by validating all content using block hashes found in the content information. If an attacker attempts to tamper with this data, it is discarded and is replaced with valid data from the original source. A secondary threat to data stored in the BranchCache is information disclosure. In distributed cache mode, the client caches only the content that it has requested itself; however, that data is stored in clear text, and might be at risk.
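The offer-and-validate exchange described above, written out as an added Python model of both sides (this is example code for this page, not Microsoft's implementation or the real Hosted Cache Protocol wire format). It assumes a toy block size, a simplified stand-in for how the Segment Secret and Segment ID are derived from the Hash of Data, and a `fetch_block` callback standing in for the hosted cache server connecting back to the client's listening port. It shows the client building content information for a segment, the server requesting only the blocks it lacks, a substituted block being discarded because it fails the block-hash check, and an offer whose Segment ID does not match its content information being rejected before any block is fetched.

```python
import hashlib
import hmac

# Toy block size so the sample segment splits into a handful of blocks
# (assumption: real BranchCache blocks and segments are far larger).
BLOCK_SIZE = 8


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_content_info(segment: bytes, server_secret: bytes) -> dict:
    """Content information a client must hold for a segment it offers:
    Segment ID, segment Hash of Data (HoD), Segment Secret and every block hash.
    The key derivation below is a simplified stand-in, not the real BranchCache one."""
    blocks = [segment[i:i + BLOCK_SIZE] for i in range(0, len(segment), BLOCK_SIZE)]
    block_hashes = [sha256(b) for b in blocks]
    hod = sha256(b"".join(block_hashes))
    segment_secret = hmac.new(server_secret, hod, hashlib.sha256).digest()
    segment_id = hmac.new(segment_secret, hod, hashlib.sha256).digest()
    return {
        "segment_id": segment_id,
        "hod": hod,
        "segment_secret": segment_secret,
        "block_hashes": block_hashes,
        "blocks": blocks,  # held by the client; only the four fields above go in the offer
    }


def make_offer(info: dict, listen_port: int) -> dict:
    """Offer message: the content information plus the port the client listens on."""
    fields = {k: info[k] for k in ("segment_id", "hod", "segment_secret", "block_hashes")}
    return {**fields, "listen_port": listen_port}


class HostedCacheServer:
    def __init__(self) -> None:
        self.cache: dict = {}  # segment_id -> {block index: block bytes}

    def process_offer(self, offer: dict, fetch_block) -> dict:
        """Handle one offer. fetch_block(index) stands in for the server connecting
        back to offer["listen_port"] on the client to retrieve a block."""
        hod, secret, hashes = offer["hod"], offer["segment_secret"], offer["block_hashes"]
        result = {"status": "ok", "accepted": [], "discarded": []}
        # The content information must be self-consistent before any block is fetched.
        expected_id = hmac.new(secret, hod, hashlib.sha256).digest()
        if not hmac.compare_digest(expected_id, offer["segment_id"]):
            return {**result, "status": "rejected: segment id mismatch"}
        if sha256(b"".join(hashes)) != hod:
            return {**result, "status": "rejected: block hash list does not match HoD"}
        # Only blocks the server does not already hold are requested.
        held = self.cache.setdefault(offer["segment_id"], {})
        for i in range(len(hashes)):
            if i in held:
                continue
            block = fetch_block(i)
            # Every downloaded block is checked against the offered block hash;
            # anything that fails the check is discarded rather than cached.
            if sha256(block) == hashes[i]:
                held[i] = block
                result["accepted"].append(i)
            else:
                result["discarded"].append(i)
        return result

    def reassemble(self, segment_id: bytes, block_count: int):
        """Return the segment if every block is cached, otherwise None."""
        held = self.cache.get(segment_id, {})
        if any(i not in held for i in range(block_count)):
            return None
        return b"".join(held[i] for i in range(block_count))


def honest_client(info: dict):
    return lambda i: info["blocks"][i]


def tampering_client(info: dict, bad_index: int):
    """Serves a substituted payload for one block, modelling the tampering threat."""
    def fetch(i):
        if i == bad_index:
            return b"\x00" * len(info["blocks"][i])
        return info["blocks"][i]
    return fetch


def demo():
    # All values below are constructed for the example.
    server_secret = b"constructed-content-server-secret"
    segment = b"constructed segment payload for the BranchCache example"  # 55 bytes -> 7 blocks
    info = build_content_info(segment, server_secret)
    offer = make_offer(info, listen_port=8080)
    server = HostedCacheServer()
    first = server.process_offer(offer, tampering_client(info, 1))   # block 1 is discarded
    second = server.process_offer(offer, honest_client(info))        # only block 1 is re-fetched
    rebuilt = server.reassemble(info["segment_id"], len(info["block_hashes"]))
    forged = server.process_offer({**offer, "segment_id": b"\x00" * 32}, honest_client(info))
    return first, second, rebuilt == segment, forged["status"]


if __name__ == "__main__":
    print(demo())
```

The point of the two offers in `demo()` is the one the text makes: the server never trusts a block because a client offered it; it trusts the block only once the block's hash matches the content information, and it asks again for whatever it had to throw away.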
To help restrict cache access to the BranchCache Service only, the local cache is protected by file system permissions that are specified in an ACL.
Although the ACL is effective in preventing unauthorized users from accessing the cache, it is possible for a user with administrative privileges to gain access to the cache by manually changing the permissions that are specified in the ACL.
BranchCache does not protect against the malicious use of an administrative account. Data that is stored in the content cache is not encrypted, so if data leakage is a concern, you can use encryption technologies such as BitLocker or the Encrypting File System (EFS). The local cache that is used by BranchCache does not increase the information disclosure threat borne by a computer in the branch office; the cache contains only copies of files that reside unencrypted elsewhere on the disk.
Encrypting the entire disk is particularly important in environments in which the physical security of the clients is difficult to ensure. For example, encrypting the entire disk helps to secure sensitive data on mobile computers that might be removed from the branch office environment.
In hosted cache mode, the greatest threat to the security of the hosted cache server is information disclosure. BranchCache in a hosted cache environment behaves in a similar manner to distributed cache mode, with file system permission protecting the cached data. The difference is that the hosted cache server stores all of the content that any BranchCache-enabled computer in the branch office requests, rather than just the data that a single client requests.
The consequences of unauthorized intrusion into this cache could be much more serious, because much more data is at risk. In a hosted cache environment where the hosted cache server is running Windows Server R2, the use of encryption technologies such as BitLocker or EFS is advisable if any of the clients in the branch office can access sensitive data across the WAN link. It is also necessary to prevent physical access to the hosted cache, because disk encryption protects the data only if the computer is turned off at the time an attacker gains physical access.
If the computer is turned on or is in sleep mode, then disk encryption offers little protection. Hosted cache servers that are running Windows Server , Windows Server R2, or Windows Server encrypt all data in the cache by default, so the use of additional encryption technologies is not required. Even if a client is configured in hosted cache mode, it will still cache data locally, and you might want to take steps to protect the local cache in addition to the cache on the hosted cache server.
Note: In addition to this topic, the following BranchCache documentation is available.
Note: You can deploy BranchCache using both modes; however, only one mode can be used per branch office.
Note: Only source content, that is, content that client computers initially obtain from a BranchCache-enabled content server, is accelerated by BranchCache.
Note: In the table below, the acronym "OS" means operating system.
The first method is via netsh. Needless to say, running a netsh command is not the most efficient way of turning on BranchCache. That is why most people will use the second method for configuring BranchCache on client computers, which is Group Policy (GPO).
To do this:
For example, BranchCache clients initiate multicast WS-Discovery (WSD) Probe messages containing the hashes of the content to other BranchCache clients, also known as peers. If these peers have the content, they reply with a unicast Probe-Match message. Then, once you have all of your chess pieces in place and have correctly configured BranchCache.
The Distributed Cache service uses half of that memory allocation for data storage (also known as the cache size), and the other half of that memory allocation is used for memory management overhead.
When the cached data grows, the Distributed Cache service uses the entire 10 percent of the allocated memory. When you add physical memory to the server. When your server farm has a dedicated Distributed Cache server. Use the following method to calculate how much memory can be assigned to the Distributed Cache service:
Determine the total physical memory on the server.
For this example, we will use 16 GB as the total physical memory available on the server. Reserve 2 GB of memory for other processes and services that are running on the cache host.
This remaining memory is allocated to the Distributed Cache service. Take half of the remaining memory, and convert it to MB. This is the cache size of the Distributed Cache service.
Use this procedure to reconfigure the memory allocation (the cache size) of the Distributed Cache service. (Optional) To check the existing memory allocation for the Distributed Cache service on a server, run the following command at the SharePoint Management Shell command prompt: Stop the Distributed Cache service on all cache hosts. To reconfigure the cache size of the Distributed Cache service, run the following command one time only, on any cache host, at the SharePoint Management Shell command prompt:
Restart the Distributed Cache service on all cache hosts. An administrator can add a server to or remove a server from a cache cluster, or might want to remove a server from the cache cluster, perform some operational or maintenance tasks on the server, and then rejoin or add the server to the cache cluster.
When removing the server, the Distributed Cache service is stopped, then unregistered from the server. Unregistering the Distributed Cache service means that an administrator will not see the Distributed Cache service listed on the Services on Server page in Central Administration.
Similarly, when a server is added, the Distributed Cache service is registered and then is started on the server. Registering the Distributed Cache service means that an administrator will see the Distributed Cache service listed on the Services on Server page in Central Administration.
Use the following procedures to add a server to, and remove a server from, a cache cluster. These SharePoint Management Shell cmdlets are run on the server being added or removed. For more information, see Firewall configuration considerations.
This procedure stops the cache service, and non-persisted cached data will be lost. If you want to keep the cached data, use the graceful shutdown procedure that is described in the next section. The server authorizes the user and returns an identifier. Because this is the first time any client has attempted to retrieve the file, it is not already cached on the local network.