TMG Firewall and BranchCache

image When I heard about the new BranchCache feature in Windows Server 2008 R2, I first thought it a tremendous idea! If you haven’t heard about BranchCache, what it allows you to do is cache content obtained from Web and File servers located at the main office, on machine in the branch office.

BranchCache works in two modes: one mode caches the content on the workstations in the branch office, and the other mode caches the content on a server at the branch office. In both cases, the content is obtained by a user and then cached.

When a second user asks for the same content, a check is done to see if the user is authorized to access that content, and then a check is made to confirm that the content hasn’t changed. If the user is authorized and the content hasn’t changed, then it’s retrieved from a computer at the branch office instead of the main office. This is really nice when you need to download 20 MB PPT files over a 1.5Mbps WAN link.

However, where does this leave the TMG firewall? It’s not immediately obvious whether there is a collision of functionality here or not. Some things to consider:

  • TMG firewalls don’t cache SMB/CIFS content, so that’s not an issue
  • TMG firewalls will cache Web content
  • TMG firewalls will cache HTTP and HTTPS content
  • TMG firewalls will check for authorization for outbound Web access (even over a site to site VPN link)
  • BranchCache requires Windows Server 2008 R2 servers and Windows 7 clients
  • TMG firewalls cache for all operating systems
  • TMG firewalls perform pre-fetching (content download jobs) and content inspection (anti-malware and NIS)
  • TMG enables you to control the type of content that is cached, and many other parameters controlling what content to cache

I think what’s clear here is that for Web content caching, the TMG firewall is the superior solution. However, since the TMG firewall doesn’t cache SMB/CIFS content at all, there’s still a big place for BranchCache.

The key thing here is that you should be able to place the BranchCache server role on the TMG firewall. Is it possible? Yes!

How? For more information, check out the TMG Firewall Team Blog over at:



Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer

Prowess Consulting

PROWESS CONSULTING | Microsoft Forefront Security Specialist
Email: [email protected]
MVP — Forefront Edge Security (ISA/TMG/IAG)

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top