Forefront TMG and BranchCache: Which should I deploy in my organization?


Branch offices are often connected to a corporate headquarters or corporate data center to access Line of Business (LOB) applications via a WAN link. Depending on the deployment, branch offices may connect directly to the Internet, or indirectly via the WAN link. WAN links can be slow, so organizations often look for ways to optimize their WAN utilization and improve the effectiveness and user-experience of users in the branch.

Forefront TMG optimizes branch office Internet traffic by applying caching and compression. Windows 7 and Windows Server 2008 R2 introduce BranchCache, which optimizes LOB HTTP applications and file-access traffic via caching. This post lists various aspects that describe how Forefront TMG and BranchCache provide improved WAN-link utilization. By considering those aspects, organizations can select the solution that best serves their specific needs. In many cases the best solution will actually be to deploy both!

| Aspect | BranchCache | Forefront TMG |
|---|---|---|
| Protocol support | HTTP, HTTPS and SMB2 | HTTP |
| Caches access-restricted or encrypted content | Yes. BranchCache securely caches access-restricted content and content sent over encrypted channels. It works seamlessly with network security technologies, including SSL, SMB signing and IPsec, even when the content is encrypted, without compromising access restriction or privacy. | No |
| Compression | BranchCache-enabled servers deliver a compact description of the actual data. BranchCache-enabled clients use this compact description to look up and retrieve the locally cached data. | Optionally applies GZIP compression (and decompression) to HTTP traffic. GZIP is very effective for textual data and least effective for most media data. Compression can be set per source or destination. |
| (related note) | The first two requests from a BranchCache-enabled server are served full data. | In TMG, data is cached after the first request. |
| Distributed cache | Supports both distributed (peer-to-peer) and central (Hosted Cache) caching. Using BranchCache does not require the deployment of a cache server at the branch. | To provide caching capabilities in a branch, Forefront TMG must be deployed in the branch. |
| Supported server OS | Accelerates applications running on Windows Server 2008 R2 via caching. You can optimize delivery of published content from LOB applications running on Windows Server 2008 R2 by enabling BranchCache on these servers. BranchCache is not available on earlier Windows Server releases. | Caches content from any server. |
| Supported client OS | Supports clients running Windows 7 and Windows Server 2008 R2. | Delivers cached content to any client. |
| Cache management | Provides monitoring via performance counters. | Provides extended cache management capabilities. For example, you can define what content should or should not be cached. You can also monitor cache behavior through the Forefront TMG logging and reporting modules. |
| Pre-fetching | No | Yes. Content download jobs can be defined and run overnight to pre-fetch content during idle hours. |
| Content inspection | No | Yes. Provides advanced Web-access protection via URL filtering, malware inspection and even HTTPS inspection. In addition to providing cache capabilities, Forefront TMG is an edge firewall. As such, it can apply corporate security policies (for example, limiting access to specific applications or destinations by specific users, groups or source networks, at specified times). |
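The table above contrasts two caching models: BranchCache keys its cache on a compact content identifier that the origin server computes, so cached data stays usable even when the channel is encrypted, whereas a Forefront TMG forward cache keys on the URL and can only cache what it can read. The toy model below is an added illustration written for this post, not Microsoft code. It uses one SHA-256 digest per resource in place of BranchCache's real segment and block hashes, treats a resource as cacheable after its first download (the warm-up behaviour in the "related note" row and any TMG cache policy are not modelled), and counts the bytes each approach sends across the WAN, including the effect of TMG's optional GZIP on textual versus media-like data.

```python
"""Toy model of BranchCache-style content-hash caching versus a TMG-style
URL-keyed forward cache (constructed illustration, not Microsoft code)."""
import gzip
import hashlib

HASH_LEN = 32  # assumed wire size of one SHA-256 content identifier


class OriginServer:
    """Headquarters LOB server. `encrypted` marks HTTPS or SMB-signed content
    whose body an intermediary cannot read."""

    def __init__(self, resources):
        self.resources = resources  # url -> (body bytes, encrypted flag)

    def content_info(self, url):
        # A BranchCache-enabled server answers with an identifier, not the body.
        body, _ = self.resources[url]
        return hashlib.sha256(body).digest()

    def fetch(self, url):
        return self.resources[url][0]

    def is_encrypted(self, url):
        return self.resources[url][1]


class BranchCacheClient:
    """Branch client. `cache` is shared by all clients in hosted mode and is
    the peer-visible cache in distributed mode; it is keyed by content hash,
    so the lookup works regardless of how the body travelled over the WAN."""

    def __init__(self, server, cache):
        self.server = server
        self.cache = cache  # content hash -> body

    def get(self, url):
        """Return (body, bytes sent over the WAN for this request)."""
        info = self.server.content_info(url)
        wan = HASH_LEN  # the compact description always crosses the WAN
        body = self.cache.get(info)
        if body is None:  # cache miss: pull the full body, then cache it
            body = self.server.fetch(url)
            wan += len(body)
            self.cache[info] = body
        return body, wan


class TMGProxy:
    """Forefront TMG in the branch: caches by URL after the first request and
    optionally GZIPs HTTP bodies, but can only relay content it cannot read."""

    def __init__(self, server, compress=False):
        self.server = server
        self.cache = {}  # url -> body
        self.compress = compress

    def get(self, url):
        """Return (body, bytes sent over the WAN for this request)."""
        if self.server.is_encrypted(url):
            body = self.server.fetch(url)  # opaque to the proxy: never cached
            return body, len(body)
        if url in self.cache:
            return self.cache[url], 0  # served from the branch, nothing on the WAN
        body = self.server.fetch(url)
        self.cache[url] = body
        wan = len(gzip.compress(body)) if self.compress else len(body)
        return body, wan


def wan_profile(getter, url, requests=3):
    """WAN bytes consumed by each of `requests` successive fetches of `url`."""
    return [getter(url)[1] for _ in range(requests)]


def gzip_ratio(data):
    """Compressed size over original size (lower is better)."""
    return len(gzip.compress(data)) / len(data)


def pseudo_random_bytes(n, seed=b"constructed"):
    """Deterministic incompressible stand-in for media data (SHA-256 chain)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed sample resources; the host names are placeholders.
SAMPLE = {
    "http://lob.corp.example/report.html": (b"<html>quarterly figures</html>" * 50, False),
    "https://lob.corp.example/payroll.xml": (b"<payroll><row/></payroll>" * 50, True),
}

if __name__ == "__main__":
    server = OriginServer(SAMPLE)
    for url in SAMPLE:
        print(url)
        print("  BranchCache:", wan_profile(BranchCacheClient(server, {}).get, url))
        print("  TMG:        ", wan_profile(TMGProxy(server).get, url))
        print("  TMG+GZIP:   ", wan_profile(TMGProxy(server, compress=True).get, url))
    print("gzip ratio, text:", round(gzip_ratio(b"lorem ipsum " * 200), 3))
    print("gzip ratio, media-like:", round(gzip_ratio(pseudo_random_bytes(4096)), 3))
```

Running the module prints the per-request WAN cost for each resource. The encrypted resource shows the decisive difference: the TMG-style proxy pays the full body on every request because it cannot cache what it cannot read, while the hash-keyed client pays only the identifier after the first fetch. Sharing one cache dictionary between two `BranchCacheClient` instances models the hosted cache, where a second client's first request is already a hit.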

Frequently asked questions:

Q1: I want to deploy both Forefront TMG and BranchCache Hosted Cache in a branch office. Can they be deployed on the same host to save hardware, software and management cost?

Yes, Forefront TMG and BranchCache can be deployed on the same Windows Server 2008 R2 host. You will need to add Forefront TMG policy rules that allow BranchCache-specific traffic (e.g. retrieval of cached objects from BranchCache) to and from the host. In the near future, we will issue a special administrator guide that describes step by step how to deploy Forefront TMG and BranchCache hosted cache on the same host. We’ll announce it on the team blog.

Q2: I already have Forefront TMG deployed in a branch office as a firewall, separating the branch office network from the corporate network. I intend to deploy Windows 7 clients in the branch, and enable BranchCache in distributed mode. Should I apply a special policy to allow BranchCache traffic through Forefront TMG to the corporate network?

No special policy is required to enable BranchCache traversal across Forefront TMG. Regular LOB HTTP, HTTPS and SMB2 traffic between the branch office and the corporate network must be allowed via Forefront TMG policy rules. Forefront TMG recognizes BranchCache and allows its traffic as part of the regular LOB traffic, within that policy.

Q3: Is there any other kind of interference between Forefront TMG and BranchCache that I need to be aware of?

As a Secure Web Access Gateway and as a firewall, Forefront TMG inspects all the traffic that passes through it. While inspection inherently adds latency, combining Forefront TMG with BranchCache means there is less traffic to inspect, because cached data is inspected once and then reused for all subsequent requests. Thus, both security and performance may be improved.

Q4: I have more questions about BranchCache. Where can I find more information?

http://www.branchcache.com

Authors: Adi Kurtz and Yossi Siles

Reviewers: Ravi Rao, Eliot Flannery, Nilesh Shah, David Strausberg, Gabriel Koren, Alon Yardeni

Comments
  • "The first two requests from a BranchCache-enabled server are served full data"

    This is not how I understand how BranchCache works. After the first request, the content is downloaded to the branch office, and cached on the client or BC host server. The second request obtains the identifiers from the BC-enabled servers, and if the content is unchanged, the cached version of the file is obtained from the cache at the branch office, either on a client (distributed mode) or host server (hosted mode).

    I don't see any documentation that indicates that the second request also returns the file from the BC-enabled server and *not* from the cache at the branch office, when there is valid content at the branch office.
