Planning for BranchCache (SP1)

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)


The information in this topic applies only to Forefront TMG SP1 running on Windows Server 2008 R2.

BranchCache is a wide area network (WAN) bandwidth optimization technology that is included in some editions of the Windows Server 2008 R2 and Windows 7 operating systems. To optimize WAN bandwidth utilization, BranchCache copies content from your main office content servers and caches the content at branch office locations, thus allowing client computers at branch offices to access the content locally rather than over the WAN.


BranchCache can operate in Hosted Cache (server-based) or Distributed Cache (client-based) mode. However, in order to deploy with Forefront TMG, you must use Hosted Cache mode.

The following sections describe:

  • Hosted Cache mode

  • Hosted Cache secure connections

  • BranchCache and Forefront TMG

Hosted Cache mode

The Hosted Cache mode operates by deploying a computer that is running Windows Server 2008 R2 as a host in the branch office. The Hosted Cache is a central repository of data that is downloaded from BranchCache-enabled servers in the main office to the branch office. Windows 7 and Windows Server 2008 R2 computers in the branch office are configured with the fully qualified domain name (FQDN) of the host computer so that they can retrieve content from the Hosted Cache, when available. If the content is not available in the Hosted Cache, it is retrieved from the content server over the WAN, and then offered to the Hosted Cache so that subsequent client computers can benefit. In Hosted Cache mode, all clients in a branch office can access a single cache, even if they are on different subnets.

To deploy BranchCache in Hosted Cache mode, you must install and configure content servers in your main office, and install and configure a Hosted Cache server and client computers in your branch office. In addition, computers at branch offices must be able to access the main office content servers over a WAN link, such as a dedicated or on-demand virtual private network (VPN) connection between the offices; otherwise, clients must use another method to connect to the content servers, such as by using DirectAccess.
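The following is an added example, not part of the original topic, showing the netsh commands used on Windows Server 2008 R2 and Windows 7 to put the computers described above into Hosted Cache mode and to check the result. The FQDN hostedcache.branch.contoso.com and the helper Get-BranchCacheServiceMode are assumptions made for the example. The BranchCache PowerShell cmdlets (Enable-BCHostedServer and related) ship only with Windows 8 and Windows Server 2012 and later, so on the platforms this topic covers netsh is the management tool.

```powershell
# Added example, not from the original topic. Assumed name: the Hosted Cache
# server's FQDN. Clients are configured with this exact name, so it must also
# be the name on the TLS certificate the Hosted Cache server presents.
$HostedCacheFqdn = 'hostedcache.branch.contoso.com'

# Helper (assumed name): returns the "Service Mode" line from
# 'netsh branchcache show status all' so each step can be verified without
# reading the whole status dump.
function Get-BranchCacheServiceMode {
    $status = netsh branchcache show status all
    ($status | Select-String -Pattern 'Service Mode' -SimpleMatch | Select-Object -First 1).Line
}

# --- Main office content servers (Windows Server 2008 R2) ---
# HTTP/BITS content servers need the BranchCache feature; SMB file servers
# need the "BranchCache for network files" role service, after which hash
# publication is turned on through the "Hash Publication for BranchCache"
# Group Policy setting (Lanman Server).
Import-Module ServerManager
Add-WindowsFeature BranchCache          # web and BITS content servers
Add-WindowsFeature FS-BranchCache       # SMB file servers only

# --- Hosted Cache server (Windows Server 2008 R2, branch office) ---
# Installs the feature and switches the BranchCache service to hosted server
# mode. netsh also creates the matching Windows Firewall exceptions.
Add-WindowsFeature BranchCache
netsh branchcache set service mode=HOSTEDSERVER
Get-BranchCacheServiceMode               # the Service Mode line now reports hosted server mode

# --- Branch office clients (Windows 7 / Windows Server 2008 R2) ---
# Points the client at the Hosted Cache by FQDN. BranchCache is off by default
# on Windows 7, so until this runs every retrieval goes over the WAN.
netsh branchcache set service mode=HOSTEDCLIENT "location=$HostedCacheFqdn"
Get-BranchCacheServiceMode               # the Service Mode line now reports hosted client mode

# Full status, including cache usage, once a client has fetched content and
# offered it to the Hosted Cache.
netsh branchcache show status all
```

The same settings can be pushed by Group Policy (Computer Configuration, Administrative Templates, Network, BranchCache) instead of per-machine netsh; the netsh form is shown because it is the quickest way to check one branch machine against the FQDN it was given.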

Hosted Cache secure connections

The Hosted Cache is trusted by client computers to cache and distribute data that may be under access control. For this reason, client computers use transport layer security (TLS) when communicating with the Hosted Cache server. To support a TLS connection, the Hosted Cache server must be provisioned with a certificate that is trusted by clients and is suitable for server authentication, and whose subject name matches the FQDN that the clients are configured with; a name mismatch or an untrusted issuing chain causes clients to reject the Hosted Cache and fall back to WAN retrieval. For information about deploying server certificates for BranchCache, see Deploy a hosted cache mode design.
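The following is an added example, not part of the original topic, that selects a certificate from the Hosted Cache server's computer store, applies the checks a client will apply (private key present, within validity, name matches the configured FQDN, Server Authentication EKU, chain builds to a trusted root), and binds it to the HTTPS listener. The FQDN hostedcache.branch.contoso.com and the helpers Get-CertificateDnsNames and Test-HostedCacheCertificate are assumptions for the example; the certificate is assumed to be already enrolled in Cert:\LocalMachine\My. The application ID is the one the Windows Server 2008 R2 BranchCache deployment guide specifies for the Hosted Cache listener.

```powershell
# Added example, not from the original topic. Assumed name: the Hosted Cache
# FQDN that clients are configured with.
$HostedCacheFqdn  = 'hostedcache.branch.contoso.com'
$ServerAuthEku    = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
# Application ID of the BranchCache Hosted Cache HTTP.SYS listener, as given in
# the Windows Server 2008 R2 BranchCache hosted cache deployment steps.
$BranchCacheAppId = '{d673f5ee-a714-454d-8de2-492e4c1bd8f8}'

# Helper (assumed name): the names a certificate is valid for, i.e. the subject
# CN plus any DNS entries in the Subject Alternative Name extension (2.5.29.17).
function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($false) renders entries such as "DNS Name=hostedcache.branch.contoso.com"
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                  ForEach-Object { $_.Groups[1].Value }
    }
    $names
}

# Helper (assumed name): returns the reasons a certificate is unsuitable for the
# Hosted Cache; no output means it passes every check a client will apply.
function Test-HostedCacheCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [string]$Fqdn)
    $problems = @()
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key in this store' }
    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) { $problems += 'outside validity period' }
    if ((Get-CertificateDnsNames $Cert) -notcontains $Fqdn) { $problems += "name does not match $Fqdn" }
    # An EKU extension, if present, must list Server Authentication; a
    # certificate with no EKU extension is valid for any purpose and passes.
    $eku = $Cert.Extensions |
           Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthEku })) {
        $problems += 'EKU lacks Server Authentication'
    }
    # The chain must build to a root this machine trusts; clients additionally
    # need that root in their own Trusted Root Certification Authorities store.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($Cert)) {
        $problems += ('chain does not build: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '))
    }
    $problems
}

# Pick the longest-lived certificate that passes every check.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { @(Test-HostedCacheCertificate $_ $HostedCacheFqdn).Count -eq 0 } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable certificate for $HostedCacheFqdn in Cert:\LocalMachine\My" }

# HTTP.SYS allows one certificate per endpoint, so look before binding: on a
# collocated Forefront TMG computer a web listener may already own 0.0.0.0:443.
netsh http show sslcert ipport=0.0.0.0:443
netsh http add sslcert ipport=0.0.0.0:443 "certhash=$($cert.Thumbprint)" "appid=$BranchCacheAppId"
netsh http show sslcert ipport=0.0.0.0:443   # binding now lists the chosen thumbprint
```

When BranchCache is enabled through the Forefront TMG Management console, the console performs the certificate binding for you; the checks above are still worth running first, because a certificate whose name or chain the clients do not accept fails silently from the client's point of view, with every request going over the WAN.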

BranchCache and Forefront TMG

Because Hosted Cache mode does not require a dedicated server, you can collocate BranchCache and Forefront TMG on a computer running Windows Server 2008 R2.


BranchCache can also be set up as a virtual workload and run on a server with other workloads, possibly even Forefront TMG.

The advantages of collocating BranchCache and Forefront TMG include:

  • A reduction in the total cost of ownership, which is a common issue for branch office deployments.

  • Simplified deployment. Enabling BranchCache via the Forefront TMG Management console installs and enables the Windows feature with a few clicks, and enables System Policy rules that allow BranchCache traffic to pass through the firewall.

For information about configuring BranchCache on Forefront TMG, see Configuring BranchCache in Forefront TMG (SP1).
