A new feature in Windows Server 2022 is support for Quick UDP Internet Connections (QUIC). This protocol, which is based on UDP, can be used for DNS or SMB traffic. In Server 2022 and Windows 10/11, it accelerates access to file shares via the Internet and can replace VPNs.

Originally developed by Google in 2013, QUIC was later submitted to the Internet Engineering Task Force (IETF) for standardization and finally published in May 2021 as RFC 8999 through RFC 9002 (RFC 9000 defines the transport, RFC 9001 the use of TLS 1.3 in it).

QUIC was designed as a replacement for the classic stack of TCP plus TLS/SSL that carries protocols such as HTTP/2. It offers equivalent protection for data traffic, but in addition has lower connection and transport delays and carries several independent, multiplexed streams over one connection.

Transport security via TLS

When a client first connects, the TLS 1.3 handshake (server certificate, key exchange) is carried inside QUIC's first round trip, so the cryptographic setup does not cost an extra round trip on top of connection establishment. A client that reconnects to the same server can resume the session and even send application data immediately (0-RTT) to minimize latency; because 0-RTT data can be replayed by an attacker, the standard restricts what may be sent before the handshake completes. TLS 1.3 is the only encryption protocol QUIC version 1 supports; older TLS versions cannot be negotiated.

QUIC is just another transport mechanism for SMB

Stream multiplexing is built into QUIC itself: several independent data streams share a single connection, and a lost packet only stalls the stream it belongs to rather than every stream, as happens with HTTP/2 over a single TCP connection. (Google's earlier SPDY protocol, the basis of HTTP/2, ran multiplexed streams over TCP; HTTP/3 is the version that runs over QUIC.) This significantly reduces loading times.

Advantages and disadvantages of QUIC

In addition to the advantages of short connection times and multiplexed streams, QUIC also offers unique packet numbers (a retransmitted payload always gets a new number, which makes loss detection unambiguous), congestion control, authentication, and encryption. Forward error correction was part of Google's experimental version but is not in the IETF standard.

Currently, there seems to be one main drawback to QUIC: almost the entire packet header, and everything above it, is encrypted, so a QUIC packet exposes far less plain-text information than a TCP segment does. This makes it harder to troubleshoot, control traffic, or manage the network. This poses new challenges for manufacturers of network components such as firewalls, which can no longer inspect or shape the traffic beyond the UDP 5-tuple.

In addition, there are problems with congestion control, which can have an impact on the transfer rate. However, optimization is still going on here, and it can be assumed that there will be a solution for these problems sooner or later.

Microsoft's QUIC implementation

Microsoft implemented QUIC under the name MsQuic. It is included in the Windows 10 21Hx, 11, and Server 2022 operating systems. The source code can be viewed on GitHub and is distributed under the MIT license.

The combination of MsQuic with the SMB protocol is particularly interesting with regard to accelerating access to file shares via the Internet without having to set up a VPN.

QUIC only in the Azure Edition

Microsoft is therefore positioning SMB over QUIC for so-called edge file servers. These are servers that are accessible from outside and typically run in the cloud or in the DMZ of the local network.

However, Windows Server 2022 reserves SMB over QUIC for the new Datacenter: Azure Edition. As expected, this is available in the Microsoft cloud. It can also be run on-prem, but only in a VM on Azure Stack HCI. A normal Hyper-V server is thus left out for no technical reason.

Configuring SMB over QUIC

SMB over QUIC can be activated via Windows Admin Center (WAC) or PowerShell. If you prefer the web GUI, then go to the settings of the relevant server.

Under File Shares (SMB Server), you will find the section File sharing across the internet with SMB over QUIC. If this is missing, it is probably because the server is not an Azure Edition.

Section in the server settings where you can configure SMB over QUIC

Here, follow the Configure link. On the following page, you can adjust the feature with a few settings. This includes the selection of the TLS certificate, which must be present in the local machine store (with its private key) and which the clients must trust. Therefore, a certificate from a public CA or one issued by an AD certificate authority can be used, as long as the clients have the issuing CA in their trusted root store, the certificate carries the Server Authentication extended key usage, and its subject alternative name contains the DNS name under which clients connect.

SMB over QUIC uses TLS 1.3 and therefore needs a certificate for server authentication

From the list of addresses that clients can connect to, select the addresses you want or check Select all.

Under Advanced Settings, you can choose to activate SMB encryption in addition to QUIC encryption and to allow access to named pipes over QUIC. Both are switched off by default. Leaving SMB encryption off is also the recommended setting, because the QUIC connection is already protected by TLS 1.3 and encrypting the payload a second time only costs CPU; named-pipe access should stay disabled unless a specific application needs it, since it would expose RPC-style interfaces to the Internet-facing endpoint.

Configure SMB over QUIC with PowerShell

If you prefer to use PowerShell instead of WAC, then you first bind the certificate to the QUIC listener using the New-SmbServerCertificateMapping cmdlet (the -Name parameter takes the DNS name clients connect to, -Thumbprint the certificate's thumbprint, and -StoreName the certificate store, usually My). You can then check the three QUIC-related server settings like this:

Get-SmbServerConfiguration | Select-Object EnableSMBQUIC, RestrictNamedPipeAccessViaQuic, DisableSmbEncryptionOnSecureConnection

Use the above cmdlet to query the three settings that correspond to those in the WAC.

Querying the status of SMB over QUIC with PowerShell

You then change them according to this pattern:

Set-SmbServerConfiguration -DisableSmbEncryptionOnSecureConnection $false

The other two settings are also available as parameters.

A Windows 11 client first tries to reach the file server over SMB on TCP:445; only if that fails does it automatically switch to QUIC on UDP:443. Admins can force the QUIC path, and at the same time keep classic SMB away from the Internet, by blocking TCP:445 at the firewall and allowing only UDP:443 inbound to the edge file server.

As an alternative, a network drive can be mapped on the client such that SMB over QUIC is explicitly requested. To do so, use the new /transport:quic switch with net use and the -TransportType QUIC parameter with the New-SmbMapping cmdlet.
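The following PowerShell session, an added example that is not part of the original article or of Microsoft's documentation, carries the server-side steps from the certificate mapping onward through to the client-side mapping described above. The server name fs01.corp.example.com, the share name Data, and the drive letter Z: are assumptions; the cmdlets are the SmbShare and NetSecurity cmdlets that ship with Windows.

```powershell
# Added example (not from the original article): set up an SMB over QUIC
# endpoint on a Windows Server 2022 Datacenter: Azure Edition file server,
# then map a share from a Windows 11 client. Assumed for illustration:
# the FQDN fs01.corp.example.com, the share "Data", and drive letter Z:.
#Requires -RunAsAdministrator

$ServerFqdn = 'fs01.corp.example.com'   # assumed: the name clients connect to

# 1. Pick a certificate that satisfies the SMB over QUIC requirements:
#    private key present, still valid, Server Authentication EKU
#    (1.3.6.1.5.5.7.3.1), and a DNS SAN that matches the connection name.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1') -and
        ($_.DnsNameList.Unicode -contains $ServerFqdn)
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No usable server-authentication certificate for $ServerFqdn in LocalMachine\My"
}

# 2. Bind the certificate to the QUIC listener. -Name is the name clients
#    will use, so it must appear in the certificate's SAN list.
New-SmbServerCertificateMapping -Name $ServerFqdn `
    -Thumbprint $cert.Thumbprint -StoreName My

# 3. Keep the secure defaults: QUIC already encrypts with TLS 1.3, so SMB
#    encryption stays off (DisableSmbEncryptionOnSecureConnection = $true),
#    and named-pipe access over QUIC stays restricted.
Set-SmbServerConfiguration -EnableSMBQUIC $true `
    -DisableSmbEncryptionOnSecureConnection $true `
    -RestrictNamedPipeAccessViaQuic $true -Force

# 4. Verify the mapping and the effective settings.
Get-SmbServerCertificateMapping
Get-SmbServerConfiguration |
    Select-Object EnableSMBQUIC, RestrictNamedPipeAccessViaQuic,
                  DisableSmbEncryptionOnSecureConnection

# 5. QUIC listens on UDP 443. Only that port needs to be reachable from
#    the Internet; TCP 445 stays closed at the edge so clients cannot fall
#    back to (or be offered) classic SMB over TCP.
New-NetFirewallRule -DisplayName 'SMB over QUIC (UDP 443 in)' `
    -Direction Inbound -Protocol UDP -LocalPort 443 -Action Allow

# --- On a Windows 11 client (run separately): request the QUIC transport
#     explicitly instead of relying on the TCP-445-first fallback. ---
New-SmbMapping -LocalPath 'Z:' -RemotePath "\\$ServerFqdn\Data" -TransportType QUIC
Get-SmbMapping -LocalPath 'Z:'
```

The certificate filter in step 1 is deliberately strict: a certificate without the Server Authentication EKU or without the connection name in its SAN is rejected by the client's TLS validation, and the failure then looks like a generic "network path not found" rather than a certificate error. Step 3 sets all three values explicitly rather than relying on defaults, so the script documents the intended posture and can be re-run safely.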

Conclusion

SMB over QUIC is an interesting option wherever users need to access a file share in the company or in the cloud while on the road or at home. In addition to the better performance, the simple configuration speaks in favor of this technology. Furthermore, it eliminates the need for a VPN.

The biggest (and arbitrary) limitation of this feature is that it is only included in the Azure Edition. It is exclusively available in the Microsoft Cloud and on Azure Stack HCI, so that many other usage scenarios are left out.

© 4sysops 2006 - 2023