SMB over QUIC now available in Windows Server Insider Datacenter and Standard editions

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.

Heya folks, Ned here again. Starting with Windows Server Insider Preview Build 25997, the SMB over QUIC server feature is now available in Datacenter and Standard editions. This changes the previous behavior, where it was only available in Windows Server Azure Edition.

 

SMB over QUIC

SMB over QUIC introduced an alternative to TCP and RDMA, supplying secure connectivity to edge file servers over untrusted networks like the Internet. QUIC has significant advantages, the largest being mandatory certificate-based encryption instead of relying on passwords.

 

SMB over QUIC offers an "SMB VPN" for telecommuters, mobile device users, and on highest security internal networks. The server certificate creates a TLS 1.3-encrypted tunnel over a UDP port instead of the legacy TCP/445. No SMB traffic - including authentication and authorization - is exposed to the underlying network. SMB behaves normally within the QUIC tunnel, meaning the user experience doesn't change and capabilities like multichannel and compression continue to work.

 

A file server administrator must opt in to enabling SMB over QUIC, it isn't on by default and a client can't force a file server to enable SMB over QUIC. We recently added an additional option called Client Access Control that lets you further secure the file server through an allow-list for clients.

 

What changed

In Windows Server 2022, the SMB over QUIC server is limited to Azure Edition machines. Now in Windows Server Insider Preview servers, you can configure SMB over QUIC on all editions, including Datacenter and Standard. There are no additional requirements, it is now just available everywhere. Azure Edition is designed to be a cutting-edge platform for new features and organizations who want state-of-the-art-technology, but it is not a final destination for all of them. Windows 11, Windows Server 2022, Windows Insider clients, and third parties can connect to the server like usual.

 

Because Windows Admin Center still checks that you're on Azure Edition for now, you'll need to use PowerShell to configure the feature. Follow the configuration steps at https://aka.ms/smboverquic to get your certificate, but skip the WAC steps and use the New-SmbServerCertificateMapping command to setup the server for now:

 

New-SmbServerCertificateMapping -Name server FQDN -ThumbPrint certificate thumbprint -Storename My 

 

powershell outputpowershell output

You can also now specify the SMB over QUIC listening ports, as mentioned in the SMB alternative ports blog post recently. The default is UDP/443 but you can now change it using:

 

Set-SmbServerAlternativePort -TransportType QUIC -Port <a number between 0 and 65536> -EnableInstances Default

 

You can then connect to it using that port from a recent Windows 11 Insider client using NET USE /QUICPORT or New-SmbMapping -QuicPort:

 

net use commandnet use command

Final Notes

As mentioned in the SMB alternative ports blog post recently, you will also be able to configure SMB over QUIC to listen on a UDP port other than the default 443. Look for this option in a coming Windows Server Insiders release.  

 

This is part of a campaign to improve the security of Windows and Windows Server for the modern landscape. You've read my posts on SMB security changes over the past year:

 

 

For more information on securing SMB on Windows in-market, check out:

 

 

Until next time,

 

Ned Pyle

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.