Overview
SMB over QUIC introduces an alternative to the TCP network transport, providing secure, reliable connectivity to edge file servers over untrusted networks like the Internet. QUIC is an IETF-standardized protocol with many benefits when compared with TCP:
- All packets are always encrypted and the handshake is authenticated with TLS 1.3
- Parallel streams of reliable and unreliable application data
- Exchanges application data in the first round trip (0-RTT)
- Improved congestion control and loss recovery
- Survives a change in the client's IP address or port
SMB over QUIC offers an “SMB VPN” for telecommuters, mobile device users, and high security organizations. The server certificate creates a TLS 1.3-encrypted tunnel over the internet-friendly UDP port 443 instead of the legacy TCP port 445. All SMB traffic, including authentication and authorization, stays within the tunnel and is never exposed to the underlying network. SMB behaves normally within the QUIC tunnel, meaning the user experience doesn’t change. SMB features like multichannel, signing, compression, continuous availability, directory leasing, and so on, work normally.
A file server administrator must opt in to enabling SMB over QUIC. It isn’t on by default and a client can’t force a file server to enable SMB over QUIC. Windows SMB clients still use TCP by default and will only attempt SMB over QUIC if the TCP attempt first fails or if intentionally requiring QUIC using NET USE /TRANSPORT:QUIC or New-SmbMapping -TransportType QUIC.
Prerequisites
To use SMB over QUIC, you need the following things:
- A file server running Windows Server 2022 Datacenter: Azure Edition
- Any edition of Windows Server 2025 (preview) or later
- A domain controller (for authentication)
- A Windows 11 computer
- Microsoft Windows Admin Center (WAC)
- A Public Key Infrastructure to issue certificates, such as Active Directory Certificate Services, or access to a trusted third-party certificate issuer like Verisign, DigiCert, Let’s Encrypt, and so on.
Deploy SMB over QUIC
Step 1: Install a server certificate
Before creating the certificate template, you need to know that SMB over QUIC requires the following properties on the server's TLS certificate:
Key usage: digital signature
Purpose: Server Authentication (EKU 1.3.6.1.5.5.7.3.1)
Signature algorithm: SHA256RSA (or greater)
Signature hash: SHA256 (or greater)
Public key algorithm: ECDSA_P256 (or greater. Can also use RSA with at least 2048 length)
Subject Alternative Name (SAN): (A DNS name entry for each fully qualified DNS name used to reach the SMB server)
Subject: (CN= anything, but must exist)
Private key included: yes
- Log in to the Windows CA server.
- Go to Certificate Templates, then Manage.
- Duplicate the Computer certificate template.
- Change the following:
- On the Compatibility tab, change the compatibility setting to Windows 2016 or later (for better encryption).
- On the General tab, change the name of the duplicated certificate template (for example, SMB over QUIC). Keep the default Validity Period, or change it if necessary.
- Tick the Publish certificate in Active Directory option.
- On the Request Handling tab, change the Purpose setting to Signature.
- On the Cryptography tab, change the provider category to Key Storage Provider and the algorithm to ECDSA_P256.
- Change the Minimum Request Hash to SHA256.
- On the Extensions tab, edit Application Policies and remove Client Authentication (keep Server Authentication).
- On the Subject Name tab, select Supply in the request, and tick Use subject information from existing certificates for autoenrollment renewal requests.
- Once done, click Apply, then OK.
Step 2: Publish the new certificate template.
- On Certificate Templates, select New -> Certificate Template to Issue, and select the duplicated template created in Step 1.
Step 3: Install the new certificate on the file server.
- On the file server, go to Run and type MMC.
- Add/Remove Snap-in
- Add Certificates, Add.
- Select Computer Account.
- Go to Personal->Certificates.
- Select All Tasks-> Request New Certificate.
- Select the new Certificate Template we created before.
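Before enabling the transport, you can confirm that the certificate now in the file server's machine store meets the requirements listed in Step 1. This is an added PowerShell check, not part of the original page; the FQDN in $RequiredDnsNames and the helper name Test-SmbQuicCertificate are assumptions.

```powershell
using namespace System.Security.Cryptography.X509Certificates
# Added check (not from the original page): verifies that certificates in the
# file server's machine store meet the SMB over QUIC requirements from Step 1.
# $RequiredDnsNames is a placeholder; list every FQDN clients will use.
$RequiredDnsNames = @('fsedge1.contoso.com')
$ServerAuthEku    = '1.3.6.1.5.5.7.3.1'

function Test-SmbQuicCertificate {          # hypothetical helper name
    param([X509Certificate2]$Cert)
    $problems = @()

    if (-not $Cert.HasPrivateKey) { $problems += 'private key not present' }
    if ([string]::IsNullOrWhiteSpace($Cert.Subject)) { $problems += 'subject is empty' }

    # Enhanced Key Usage must contain Server Authentication
    $eku = $Cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    if (-not ($eku.EnhancedKeyUsages.Value -contains $ServerAuthEku)) {
        $problems += 'missing Server Authentication EKU'
    }
    # Key Usage must contain Digital Signature
    $ku = $Cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    if ($ku -and (($ku.KeyUsages -band [X509KeyUsageFlags]::DigitalSignature) -eq 0)) {
        $problems += 'key usage lacks Digital Signature'
    }
    # Signature hash must be SHA256 or stronger
    if ($Cert.SignatureAlgorithm.FriendlyName -match 'sha1|md5') {
        $problems += "weak signature algorithm $($Cert.SignatureAlgorithm.FriendlyName)"
    }
    # Public key: ECDSA, or RSA of at least 2048 bits
    switch ($Cert.PublicKey.Oid.FriendlyName) {
        'ECC' { }
        'RSA' { if ([RSACertificateExtensions]::GetRSAPublicKey($Cert).KeySize -lt 2048) {
                    $problems += 'RSA key shorter than 2048 bits' } }
        default { $problems += "unexpected public key algorithm $($Cert.PublicKey.Oid.FriendlyName)" }
    }
    # Subject Alternative Name must list every FQDN used to reach the server
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($true) } else { '' }
    foreach ($name in $RequiredDnsNames) {
        if ($sanText -notmatch [regex]::Escape($name)) { $problems += "SAN lacks DNS name $name" }
    }
    return $problems
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $issues = @(Test-SmbQuicCertificate -Cert $_)
    if ($issues.Count -eq 0) { "OK   $($_.Thumbprint)  $($_.Subject)" }
    else { "FAIL $($_.Thumbprint)  $($issues -join '; ')" }
}
```

Run it in an elevated PowerShell on the file server; a certificate reported as OK is the one to select in Step 4.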
Step 4: Enabling SMB over QUIC
Enabling SMB over QUIC can be done via Windows Admin Center.
Ensure you’re using at least Windows Admin Center version 2110.
- Log in to Windows Admin Center and connect to the file server.
- Go to Files and file sharing.
- Select Configure SMB over QUIC.
- Select the certificate that will be used to serve SMB over QUIC. If you created more than one name, select all of the names.
- On Advanced settings, change the following:
- SMB encryption (in addition to QUIC encryption) -> Disabled
- Access to named pipes -> Disabled
- Once done, click Enable.
- On the file server, you can now block the SMB port (TCP 445) in Windows Firewall so that only QUIC clients can reach the shares.
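The same configuration can be applied from PowerShell on the file server. This is an added example, not from the original page; the thumbprint and DNS names are placeholders, and mapping the two Windows Admin Center advanced settings to -EncryptData and -RestrictNamedpipeAccessViaQuic is an assumption.

```powershell
# Added example (not from the original page): PowerShell equivalents of the
# Windows Admin Center settings above, run on the file server. The thumbprint
# and DNS names are placeholders; use the values from your own certificate.
$Thumbprint = 'REPLACE-WITH-CERTIFICATE-THUMBPRINT'
$DnsNames   = @('fsedge1.contoso.com')   # one mapping per SAN name clients will use

# Map the certificate to every name the server is reached by
foreach ($name in $DnsNames) {
    New-SmbServerCertificateMapping -Name $name -Thumbprint $Thumbprint -StoreName My
}

# Enable the QUIC transport. EncryptData and RestrictNamedpipeAccessViaQuic are
# assumed to be the cmdlet counterparts of the two WAC advanced settings above.
Set-SmbServerConfiguration -EnableSMBQUIC $true -EncryptData $false `
    -RestrictNamedpipeAccessViaQuic $true -Force

# Allow QUIC in on UDP 443 and block the legacy TCP 445 listener so only QUIC clients connect
New-NetFirewallRule -DisplayName 'SMB over QUIC (UDP-In)' -Direction Inbound `
    -Protocol UDP -LocalPort 443 -Action Allow
New-NetFirewallRule -DisplayName 'Block SMB over TCP 445 (TCP-In)' -Direction Inbound `
    -Protocol TCP -LocalPort 445 -Action Block

# Confirm the result
Get-SmbServerCertificateMapping
Get-SmbServerConfiguration | Select-Object EnableSMBQUIC, EncryptData, RestrictNamedpipeAccessViaQuic
```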
Step 5: Testing SMB over QUIC.
- Join your Windows 11 device to your domain. Be certain the names in the SMB over QUIC file server’s certificate subject alternative names are published to DNS and are fully qualified, or are added to the HOSTS file on your Windows 11 device.
- Move your Windows 11 device to an external network where it no longer has any network access to domain controllers or the file server’s internal IP addresses.
- In Windows File Explorer, in the address bar, type the UNC path to a share on the file server and confirm you can access data in the share. Alternatively, you can use NET USE /TRANSPORT:QUIC or New-SmbMapping -TransportType QUIC with a UNC path. Examples:
NET USE * \\fsedge1.contoso.com\sales
(automatically tries TCP then QUIC)
NET USE * \\fsedge1.contoso.com\sales /TRANSPORT:QUIC
(tries only QUIC)
New-SmbMapping -LocalPath 'Z:' -RemotePath '\\fsedge1.contoso.com\sales' -TransportType QUIC
(tries only QUIC)
- On the endpoint computer, access the file server by its FQDN.
- If the configuration is correct, you will be able to access the shared folder via QUIC while the SMB port is blocked on the server; if you can’t, the configuration is probably incorrect.
- To confirm that the connection is no longer using TCP/UDP port 445, you can use Wireshark or any similar network packet tool.
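As an alternative to a packet capture, the check below maps the share with the QUIC transport forced and then looks for any TCP 445 connection to the server. It is an added example, not from the original page; the server name and share are the placeholder values used in the examples above.

```powershell
# Added example (not from the original page): run on the Windows 11 client from the
# external network. Server and share names are placeholders from the examples above.
$Server = 'fsedge1.contoso.com'
$Share  = "\\$Server\sales"

# Force the QUIC transport: this fails outright instead of falling back to TCP
New-SmbMapping -LocalPath 'Z:' -RemotePath $Share -TransportType QUIC | Out-Null
Get-ChildItem Z:\ | Select-Object -First 5

# Resolve the server (DNS or HOSTS file) and look for any TCP 445 connection to it
$serverIps = [System.Net.Dns]::GetHostAddresses($Server) |
             ForEach-Object { $_.IPAddressToString }
$tcp445 = Get-NetTCPConnection -RemotePort 445 -ErrorAction SilentlyContinue |
          Where-Object { $serverIps -contains $_.RemoteAddress }

if ($tcp445) { "WARNING: TCP 445 connection to $Server present; SMB over QUIC is not in use" }
else         { "No TCP 445 connection to $Server; the mapping is using QUIC (UDP 443)" }

Remove-SmbMapping -LocalPath 'Z:' -Force
```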