SMB over QUIC in Windows Server 2025 – What’s this?

Windows Server 2025 is the next version of Microsoft’s server operating system, expected to be released in the second half of 2024. Starting with Windows Server Preview Build 26010, Windows Server Standard and Datacenter integrate a new feature: SMB over QUIC. Until now, SMB over QUIC was only available on Azure virtual machines running Windows Server 2022. With the next version of Windows Server, which will probably be named Windows Server 2025, this changes.

With SMB over QUIC, the TCP transport protocol is no longer used. Instead, UDP is used and the connection is natively encrypted with a certificate and TLS 1.3. Microsoft says: “The server certificate creates a TLS 1.3 encrypted tunnel – on a UDP port instead of the old TCP/445. No SMB traffic – including authentication and authorization – is exposed to the underlying network.” The stream can therefore use the default port 443, or a custom port.

By default, SMB over QUIC is not enabled. It is up to the system administrator to configure it (via PowerShell or via Windows Admin Center), which involves creating a certificate for the SMB server to use for SMB over QUIC connections. The PowerShell cmdlet “New-SmbServerCertificateMapping” is used to map that certificate to the SMB server, although you can still use the usual console (MMC) to request the certificate itself.

The connection is then secured end to end, with no impact on how SMB operates: “SMB behaves normally within the QUIC tunnel, meaning the user experience doesn’t change,” Microsoft specifies in its documentation.

Recently, Microsoft has also added the ability to use a specific, custom listening port (in the range 0-65536). Again, a PowerShell cmdlet configures a port number other than UDP/443 for SMB over QUIC: “SmbServerAlternativePort”.

To deploy SMB over QUIC you can follow the procedure in detail here.
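As an added example that is not from the post or from Microsoft’s documentation, the following PowerShell shows the server-side steps described above, with a sanity check on the certificate before it is mapped (server-authentication EKU, private key, matching SAN, expiry). It assumes the SMB name clients will use is fs1.contoso.com, that a certificate for that name already sits in the LocalMachine\My store, and that the alternative-port cmdlet is named Set-SmbServerAlternativePort (the post only gives the noun); port 5445 is a made-up free port.

```powershell
# Added example, not part of the original post. Run elevated on the file server.
$SmbName = 'fs1.contoso.com'   # assumption: DNS name the clients will connect to

# 1. Check the certificate is usable for SMB over QUIC before mapping it.
function Test-SmbQuicCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Name
    )
    $problems = @()
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key' }
    # 1.3.6.1.5.5.7.3.1 = Server Authentication EKU, required for a TLS 1.3 server cert
    if ($Cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.1') {
        $problems += 'missing Server Authentication EKU'
    }
    if ($Cert.DnsNameList.Unicode -notcontains $Name) { $problems += "SAN lacks $Name" }
    if ($Cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires $($Cert.NotAfter)" }
    return $problems
}

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $SmbName } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "no certificate for $SmbName in LocalMachine\My" }
$issues = Test-SmbQuicCertificate -Cert $cert -Name $SmbName
if ($issues) { throw "certificate $($cert.Thumbprint) unsuitable: $($issues -join '; ')" }

# 2. Map the certificate to the SMB server name and enable the QUIC transport.
New-SmbServerCertificateMapping -Name $SmbName -Thumbprint $cert.Thumbprint -StoreName My
Set-SmbServerConfiguration -EnableSMBQUIC $true -Force

# 3. Optional: move the QUIC listener off UDP/443 (assumed cmdlet name, see lead-in).
Set-SmbServerAlternativePort -TransportType QUIC -Port 5445

# 4. Review what is now configured.
Get-SmbServerCertificateMapping | Format-Table Name, Thumbprint, Subject
Get-SmbServerConfiguration | Select-Object EnableSMBQUIC
```

If clients must reach the server only over QUIC, remember that TCP/445 is still listening unless you block it at the firewall; the mapping above does not turn it off.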

Quote:

SMB over QUIC introduces an alternative to the TCP network transport, providing secure, reliable connectivity to edge file servers over untrusted networks like the Internet. QUIC is an IETF-standardized protocol with many benefits when compared with TCP:

      • All packets are always encrypted and handshake is authenticated with TLS 1.3
      • Parallel streams of reliable and unreliable application data
      • Exchanges application data in the first round trip (0-RTT)
      • Improved congestion control and loss recovery
    • Survives a change in the clients IP address or port

SMB over QUIC offers an “SMB VPN” for telecommuters, mobile device users, and high security organizations. The server certificate creates a TLS 1.3-encrypted tunnel over the internet-friendly UDP port 443 instead of the legacy TCP port 445. All SMB traffic, including authentication and authorization within the tunnel is never exposed to the underlying network. SMB behaves normally within the QUIC tunnel, meaning the user experience doesn’t change. SMB features like multichannel, signing, compression, continuous availability, directory leasing, and so on, work normally.

Screenshot from Microsoft and Windows Admin Center

The current version of WAC, however, still does not support configuring SMB over QUIC; for now you must use the Azure edition.

I also found a video on YT which details the process of creating a certificate.

Then there is another video detailing the configuration:


Wrap Up

Windows Server 2025 is the next generation of Microsoft’s server operating system, and it brings many new features and improvements for server administrators and developers. Whether you are looking for better performance and security, or a better user experience and productivity, Windows Server 2025 has something for you. It is increasingly clear that after its release it will become the most popular Windows Server version to work with. But the release is still a long way off, so for now we wait.
