Forefront TMG and BranchCache: Which should I deploy in my organization?

Branch offices are often connected to a corporate headquarters or corporate data center to access Line of Business (LOB) applications via a WAN link. Depending on the deployment, branch offices may connect directly to the Internet, or indirectly via the WAN link. WAN links can be slow, so organizations often look for ways to optimize their WAN utilization and improve the effectiveness and user-experience of users in the branch.

Forefront TMG optimizes branch office Internet traffic by applying caching and compression. Windows 7 and Windows Server 2008 R2 introduce BranchCache, which optimizes LOB HTTP applications and file-access traffic via caching. This post lists various aspects that describe how Forefront TMG and BranchCache provide improved WAN-link utilization. By considering those aspects, organizations can select the solution that best serves their specific needs. In many cases the best solution will actually be to deploy both!

BranchCache

Forefront TMG

Protocol support

HTTP, HTTPS and SMB2

HTTP

Caches access restricted or encrypted content

BranchCache securely caches access-restricted content and content sent over encrypted channels. It works seamlessly with network security technologies, including SSL, SMB signing, and IPSec – even when the content is encrypted - without compromising access restriction or privacy.

No

Compression

BranchCache-enabled servers deliver a compact description of the actual data. BranchCache-enabled clients use this compact description to lookup and retrieve the locally cached data.

Optionally applies GZIP compression (and decompression) of HTTP traffic. GZIP is very effective for textual data, and least effective for most media data. Compression can be set per source or destination.

(related note)

The first two requests from a BranchCache-enabled server are served full data.

In TMG data is cached after the first request.

Distributed Cache

Supports both distributed (peer-to-peer) and central (HostedCache) caching. Using BranchCache does not require a deployment of a cache server at the branch

To provide caching capabilities in a branch, Forefront TMG must be deployed in the branch.

Supported Server OS

Accelerates applications running on Windows Server 2008 R2 via caching. You can optimize delivery of published content from LOB applications running Windows Server 2008 R2 by enabling BranchCache on these servers. BranchCache is not available on earlier Windows Server releases

Caches content from any server

Supported Client OS

Supports clients running Windows 7 and Windows Server 2008 R2

Delivers cached content to any client

Cache management

Provides monitoring via performance counters.

Provides extended cache management capabilities. For example, you can define what content should or should not be cached. You can also monitor the cache behavior, through Forefront TMG logging and reporting modules.

Pre-fetching

No

Yes. Download content jobs can be defined and run overnight to pre-fetch content during idle hours.

Content Inspection

No

Yes. Provides advanced Web-access protection via URL filtering, malware inspection and even HTTPS inspection. In addition to providing cache capabilities, Forefront TMG is an edge firewall. As such, it can apply corporate security policies (for example limit access to specific applications or destinations by specific users, groups or source network, at specified times).

Frequently asked questions:

Q1: I want to deploy both Forefront TMG and BranchCache Hosted Cache in a branch office. Can they be deployed on the same host to save hardware, software and management cost?

Yes, Forefront TMG and BranchCache can be deployed on the same Windows Server 2008 R2 host. You will need to add Forefront TMG policy rules that allow BranchCache-specific traffic (e.g. retrieval of cached objects from BranchCache) to and from the host. In the near future, we will issue a special administrator guide that describes step by step how to deploy Forefront TMG and BranchCache hosted cache on the same host. We’ll announce it on the team blog.

Q2: I already have Forefront TMG deployed in a branch office as a firewall, separating the branch office network from the corporate network. I intend to deploy Windows 7 clients in the branch, and enable BranchCache in distributed mode. Should I apply a special policy to allow BranchCache traffic through Forefront TMG to the corporate network?

No special policy is required to enable BranchCache traversal across Forefront TMG. Regular LOB HTTP, HTTPS and SMB2 traffic between the branch office and the corporate network must be allowed via Forefront TMG policy rules. Forefront TMG will recognize BranchCache and allows its traffic as part of the regular LOB traffic, within that policy.

Q3: Is there any other kind of interference between Forefront TMG and BranchCache that I need to be aware of?

As a Secure Web Access Gateway and as a firewall, Forefront TMG inspects all the traffic that passes through it. While that essentially increases latency, combining Forefront TMG with BranchCache implies that there will be less traffic to inspect, because cached data is inspected once for all subsequent uses. Thus, both security and performance may be improved.

Q4: I have more questions about BranchCache. Where can I find more information?

http://www.branchcache.com .

Authors: Adi Kurtz and Yossi Siles

Reviewers: Ravi Rao, Eliot Flannery, Nilesh Shah, David Strausberg, Gabriel Koren, Alon Yardeni