Network Security: How BranchCache Works

When a Windows 7 client in a branch office requests data such as WSUS content from a head office server, the server checks authentication and authorizes the data to pass to the client. This ordinary exchange happens without BranchCache as well. With BranchCache, the client uses the hashes in the content metadata to search for the file on the Hosted Cache server. Because this is the first time any client has retrieved the file, it is not yet cached on the local network, so the client retrieves the file directly from the content server. The Hosted Cache server then connects to the client and retrieves the set of blocks that it does not have cached.

When a second Windows 7 client in the same branch requests the same WSUS content from the content server (the WSUS server), the content server authorizes the user/client and returns content identifiers. The second client uses these identifiers to request the data from the Hosted Cache server in the branch. This time it does not retrieve the data from the DFS share in the head office.

To configure a web server or an application server that uses the Background Intelligent Transfer Service (BITS) protocol, you must install the BranchCache feature using Server Manager. This article discusses and shows how to configure WSUS to use BranchCache. The following steps are involved in the head office and the branch offices.

Head Office:
Install and configure the TMG server (upstream proxy).
Add the FQDN of the branch TMG server to the DNS server.
Prepare the necessary routing for both TMG servers.

Branch Office:
Install and configure the TMG server.
Create a DFS share in the branch office.
Install and configure the BranchCache file server.
Configure a GPO for BranchCache.
Validate that the Hosted Cache is working.

By default, Forefront TMG blocks most traffic that is destined explicitly for the host or originating from the host.
Persistent routing in the front-end TMG and all servers placed in the perimeter/DMZ: you must add the following routing table on the front-end TMG server and on all other servers placed in the perimeter, from an elevated command prompt.

Computer: Back-End TMG 2010 (two NICs)
Internal NIC configuration: IP 10.10.10.2, Mask 255.255.255.0, DG Null, DNS 10.10.10.5
External NIC configuration: IP 192.168.100.4

To allow BranchCache to function in Hosted Cache mode, you must define specific Forefront TMG policy rules so that BranchCache clients and the BranchCache Hosted Cache can communicate. Two Forefront TMG policy rules are needed:

Allow Hosted Cache Inbound Connections: a rule that allows clients to advertise new content to the Hosted Cache server and to retrieve data from it.
Allow Hosted Cache Outbound Connections: a rule that allows the Hosted Cache server to retrieve advertised content from the client.

Step 1: Connect the branch TMG (downstream TMG) with the head office TMG (upstream TMG), Active Directory and DNS.
Click Monitoring, click Connectivity Verifiers, click Create New Connectivity Verifier, type the name of the new connectivity verifier, and click Next. Select Web Connectivity from the drop-down list, type the FQDN of the upstream proxy, click Next, and click Finish. Repeat these two steps to create connectivity verifiers for Active Directory and DNS. Apply the changes and click OK.
Step 2: Write down which ports clients are actually configured to use.
Choose any BranchCache client and check the registry. The registry keys below contain the actual value if the defaults were modified.
The retrieval port registry key (if not specified, the default is 8.): HKLM\Software\Microsoft\Windows NT\CurrentVersion\PeerDist\DownloadManager\Peers\Connection
The Hosted Cache port registry key (if not specified, the default is 4.): HKLM\Software\Microsoft\Windows NT\CurrentVersion\PeerDist\HostedCache\Connection

Step 3: Define the retrieval protocol.
Select the Firewall Policy node. Select the Toolbox tab. Expand Protocols. Click New and then select Protocol. Enter the protocol definition name as “BranchCache - Retrieval” and click Next. Click New and add the new protocol as follows: Protocol Type: TCP; Direction: Outbound; Port Range: From 8. Click OK.

Step 4: Define the Hosted Cache protocol.
Select the Firewall Policy node. Select the Toolbox tab. Expand Protocols. Click New and then select Protocol. Enter the protocol definition name as “BranchCache - Advertise” and click Next. Click New and add the new protocol as follows: Protocol Type: TCP; Direction: Outbound; Port Range: From 4. To 443 (replace 4. Click OK.

Step 5: Create a rule to allow Hosted Cache inbound connections.
Select the Firewall Policy node. Select the Tasks tab. Click Create Access Rule. Define the rule name as “Allow Hosted Cache Inbound Connections” and then click Next. On the Rule Action page, select Allow and then click Next. On the This rule applies to page, choose Selected Protocols from the list and then click Add. In the Add Protocols dialog box, expand User-defined protocols. Select the BranchCache - Retrieval protocol and click Add. Select the BranchCache - Advertise protocol, click Add, and then click Close. Click Next. On the Access Rule Sources page, click Add.
In the Add Network Entities dialog box, expand the Networks folder, select Internal Network, click Add, and then click Close. Click Next. On the Access Rule Destinations page, click Add. In the Add Network Entities dialog box, expand the Networks folder, select Local Host, click Add, and then click Close. Click Next. On the User Sets page, click Next to apply the rule to all users. On the Completing the New Access Rule Wizard page, click Finish to close the wizard.

Step 6: Create a rule to allow Hosted Cache outbound connections.
Select the Firewall Policy tab. Select the Tasks tab. Click Create Access Rule. Define the rule name as “Allow Hosted Cache Outbound Connections” and click Next. On the Rule Action page, select Allow and then click Next. On the This rule applies to page, choose Selected Protocols from the list and then click Add. In the Add Protocols dialog box, expand User-defined protocols. Select the BranchCache - Retrieval protocol and click Add. Click Next. On the Access Rule Sources page, click Add. In the Add Network Entities dialog box, expand the Networks folder, select Local Host, click Add, and then click Close. Click Next. On the Access Rule Destinations page, click Add. In the Add Network Entities dialog box, expand the Networks folder, select Internal Network, click Add, and then click Close. Click Next. On the User Sets page, click Next to apply the rule to all users. On the Completing the New Access Rule Wizard page, click Finish to close the wizard. Click Apply to save the changes and update the configuration.

Step 7 (optional): Reduce the impact of NIS inspection on Hosted Cache traffic.
NIS is a protocol-decode-based traffic inspection feature of Forefront TMG that uses signatures of known vulnerabilities to detect and potentially block attacks on network resources. This step is not applicable if NIS is not enabled. To check whether NIS is enabled: select the Intrusion Prevention System node.
On the Tasks pane, click Configure Properties. On the General tab, verify that the Enable NIS check box is selected. When enabled, NIS inspects all traffic, including traffic destined explicitly to the host or originating from the host. As a result, users may experience increased latency when retrieving cached objects from the Hosted Cache server. If the impact is significant, choose one of the following options to mitigate the issue.

Disable NIS inspection exclusively for traffic destined explicitly to the host or originating from the host. The risk of doing so is small, for the following reasons: NIS is still applied to all other traffic and continues to defend all internal unpatched machines. Forefront TMG itself, as an edge-located security device, is expected to be patched at all times and is thus protected from all known threats. By default, NIS does not inspect non-HTTP/HTTPS traffic destined explicitly to the host or originating from the host, so disabling NIS on the local host has no impact on other protocols. Forefront TMG does not initiate outbound web access, so the host's own exposure to web-originating threats is very low. As a common security practice, administrators are advised not to browse the Internet from the Forefront TMG host.

To disable NIS for traffic destined explicitly to the host or originating from the host:
1. The following registry key has a default value of 1. To disable localhost traffic inspection, use Regedit on the host to assign it a value of 0.
2. Re-apply the Forefront TMG policy: open any of the firewall policy rules, add a space anywhere in the rule description, and click Apply.

Alternatively, change the BranchCache protocols' default port numbers (from 8. Retaining NIS inspection without impacting BranchCache performance requires that the BranchCache default ports be changed to other available ports.
Branch Forefront TMG also provides: secure web access via anti-malware, URL filtering and HTTPS inspection; firewall and Network Inspection System (NIS); reverse proxy (web publishing) of web applications at the branch; site-to-site VPN; and roaming-user VPN.

Step 8: Install the BranchCache file server on TMG1.
Click Start, point to Administrative Tools, and then click Server Manager. Right-click Roles and then click Add Roles. In the Add Features Wizard, select File Server and BranchCache for network files and then click Next. In the Confirm Installation Selections dialog box, click Install. In the Installation Results dialog box, confirm that BranchCache installed successfully, and then click Close.

Step 10: Use Group Policy to configure BranchCache.
Open the Group Policy Management Console: click Start, point to Administrative Tools, and then click Group Policy Management Console. Select the domain in which you will apply the Group Policy object, or select Local Computer Policy. Select New from the Action menu to create a new Group Policy object (GPO). Choose a name for the new GPO and click OK. Right-click the GPO just created and choose Edit. Click Computer Configuration, point to Policies, Administrative Templates, Network, and then click Lanman Server.
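As an added example (not part of the original article), the following PowerShell script, run on a branch client, reads the two BranchCache port registry keys from Step 2 and then checks the two directions the TMG access rules must allow, which covers the "validate that the Hosted Cache is working" step. The ListenPort value name, the Hosted Cache server FQDN and the fallback port values are assumptions; a plain TCP connect stands in for a real BranchCache request.

```powershell
# Added example (not from the original article): read the BranchCache ports a client
# is configured to use (Step 2) and check both directions the TMG rules must allow.
param(
    [string]$HostedCacheServer = 'hostedcache.branch.example',  # assumed placeholder FQDN
    [int]$DefaultRetrievalPort = 80,     # assumed BranchCache default; override if your site differs
    [int]$DefaultHostedCachePort = 443   # assumed BranchCache default; override if your site differs
)

$base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist'

function Get-ConfiguredPort([string]$Path, [int]$Default) {
    # ListenPort is the assumed value name; a missing key or value means the default is in effect.
    $item = Get-ItemProperty -Path $Path -Name ListenPort -ErrorAction SilentlyContinue
    if ($item -and $item.ListenPort) { return [int]$item.ListenPort }
    return $Default
}

function Test-TcpPort([string]$Server, [int]$Port, [int]$TimeoutMs = 3000) {
    # Plain TCP connect with a timeout; works on Windows 7, where Test-NetConnection is not available.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-LocalListener([int]$Port) {
    # The Hosted Cache connects back to the client on the retrieval port to pull advertised
    # blocks, so something on this client must be listening there for the outbound rule to matter.
    $listeners = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpListeners()
    return [bool]($listeners | Where-Object { $_.Port -eq $Port })
}

$retrieval   = Get-ConfiguredPort "$base\DownloadManager\Peers\Connection" $DefaultRetrievalPort
$hostedCache = Get-ConfiguredPort "$base\HostedCache\Connection" $DefaultHostedCachePort

"Retrieval port (client listens):    $retrieval"
"Hosted Cache port (server listens): $hostedCache"
# Exercises the "Allow Hosted Cache Inbound Connections" rule: client -> Hosted Cache.
"Client can reach $HostedCacheServer on $hostedCache : $(Test-TcpPort $HostedCacheServer $hostedCache)"
# Precondition for the "Allow Hosted Cache Outbound Connections" rule: Hosted Cache -> client.
"This client is listening on $retrieval : $(Test-LocalListener $retrieval)"
```

If the port values differ from the ones the TMG protocol definitions in Steps 3 and 4 use, the access rules will not match the traffic, which is the first thing to check when the Hosted Cache is never populated.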
December 2016