
Source: https://learn.microsoft.com/en-us/windows-server/storage/file-server/smb-over-quic

SMB over QUIC in Windows

SMB over QUIC introduces an alternative to the TCP network transport, providing secure, reliable connectivity to edge file servers over untrusted networks like the Internet. QUIC is an IETF-standardized protocol with many benefits when compared with TCP:

SMB over QUIC offers an "SMB VPN" for telecommuters, mobile device users, and high-security organizations. The server certificate creates a TLS 1.3-encrypted tunnel over the internet-friendly UDP port 443 instead of the legacy TCP port 445. All SMB traffic, including authentication and authorization, stays inside the tunnel and is never exposed to the underlying network. SMB behaves normally within the QUIC tunnel, so the user experience doesn't change. SMB features like multichannel, signing, compression, continuous availability, directory leasing, and so on, work normally.

A file server administrator must opt in to enabling SMB over QUIC. It isn't on by default, and a client can't force a file server to enable SMB over QUIC. Windows SMB clients still use TCP by default and only attempt SMB over QUIC if the TCP attempt fails first, or if QUIC is explicitly required with NET USE /TRANSPORT:QUIC or New-SmbMapping -TransportType QUIC.

Note

It's not recommended to use DFS namespace names for SMB over QUIC connections from external endpoints. A DFS namespace refers clients to internal server names, and those names are usually not reachable from an external client in current releases of Windows.

Prerequisites

To use SMB over QUIC, you need the following things:

Deploy SMB over QUIC

Step 1: Install a server certificate
  1. Create a Certificate Authority-issued certificate with the following properties:

    If using a Microsoft Enterprise Certificate Authority, you can create a certificate template and allow the file server administrator to supply the DNS names when requesting it. For more information on creating a certificate template, review Designing and Implementing a PKI: Part III Certificate Templates. For a demonstration of creating a certificate for SMB over QUIC using a Microsoft Enterprise Certificate Authority, watch this video:

    For requesting a third-party certificate, consult your vendor documentation.

  2. If using a Microsoft Enterprise Certificate Authority:

    1. Start MMC.EXE on the file server.
    2. Add the Certificates snap-in, and select the Computer account.
    3. Expand Certificates (Local Computer), Personal, then right-click Certificates and select Request New Certificate.
    4. Select Next.
    5. Select Active Directory Enrollment Policy.
    6. Select Next.
    7. Select the certificate template for SMB over QUIC that was published in Active Directory.
    8. Select More information is required to enroll for this certificate. Click here to configure settings.
    9. So that users can locate the file server, fill in the Subject value with a common name and the Subject Alternative Name with one or more DNS names.
    10. Select OK and then select Enroll.

Note

Don't use IP addresses for SMB over QUIC server Subject Alternative Names.

Note

If you're using a certificate file issued by a third-party certificate authority, you can use the Certificates snap-in or WAC to import it.

Step 2: Configure SMB over QUIC

To configure SMB over QUIC, select your preferred method and follow the steps.

Important

If you're using Windows Server 2025, you need to use the PowerShell method to configure SMB over QUIC. The Windows Admin Center method is not currently supported for Windows Server 2025.

For a demonstration of configuring and using SMB over QUIC, watch this video:

Windows Admin Center method

  1. Sign in to your file server as an administrator.

  2. Install the latest version of WAC on a management PC or the file server. You need the latest version of the Files & File Sharing extension. It's installed automatically by WAC if Automatically update extensions is enabled in Settings > Extensions.

  3. Connect to the server with WAC and select the Settings icon in the lower left. In the File shares (SMB server) section, under File sharing across the internet with SMB over QUIC, select Configure.

  4. Select a certificate under Select a computer certificate for this file server, select the server addresses clients can connect to or select Select all, and select Enable.

  5. Ensure that the certificate and SMB over QUIC report are healthy.

  6. Select the Files and File Sharing menu option. Note your existing SMB shares or create a new one.

PowerShell method

  1. Sign in to your file server as an administrator.

  2. Open an elevated PowerShell prompt.

  3. List the certificates in the server's certificate store by running the following command.

    Get-ChildItem -Path Cert:\LocalMachine\My
    
  4. Run the following command to store the certificate in a variable. Replace <subject name> with the subject name of the certificate you want to use.

    $serverCert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -Match "<subject name>"}
    
  5. Verify the certificate matches the one you want to use by running the following command.

    $serverCert
    
  6. To enable SMB over QUIC using the certificate thumbprint of the matched certificate, run the following command. Make sure to replace <server FQDN> with the fully qualified domain name of the SMB over QUIC server.

    New-SmbServerCertificateMapping -Name <server FQDN> -Thumbprint $serverCert.Thumbprint -StoreName My
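
The PowerShell steps above match the certificate with a loose -Match on the subject. As an added example (not code from the Microsoft Learn page), the function below selects the certificate by its DNS subject alternative name, checks validity, private key and the Server Authentication EKU, refuses to duplicate an existing mapping, and then creates the mapping; the function name and the ServerFqdn value are assumptions.

```powershell
# Added example, not code from the Microsoft Learn page: select the server certificate by its
# DNS subject alternative name rather than a loose -Match on the subject, validate it, and create
# the SMB over QUIC mapping. The function name and the ServerFqdn value are assumptions.
function New-SmbQuicCertificateMapping {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$ServerFqdn)

    $now = Get-Date
    # DnsNameList and EnhancedKeyUsageList are the PowerShell-added views of the SAN DNS entries
    # and the EKU extension; 1.3.6.1.5.5.7.3.1 is the Server Authentication EKU.
    $candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ($_.DnsNameList.Unicode -contains $ServerFqdn) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
    }
    if (-not $candidates) {
        throw "No valid certificate with DNS SAN '$ServerFqdn' and a private key in Cert:\LocalMachine\My."
    }

    # If several match (for example after a renewal), take the one that expires last.
    $cert = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1

    # Do not create a second mapping for a name that is already mapped.
    if (Get-SmbServerCertificateMapping | Where-Object Name -eq $ServerFqdn) {
        throw "A mapping for $ServerFqdn already exists; use Set-SmbServerCertificateMapping to change it."
    }

    if ($PSCmdlet.ShouldProcess($ServerFqdn, "Map certificate $($cert.Thumbprint), expires $($cert.NotAfter)")) {
        New-SmbServerCertificateMapping -Name $ServerFqdn -Thumbprint $cert.Thumbprint -StoreName My
    }
    Get-SmbServerCertificateMapping | Where-Object Name -eq $ServerFqdn
}

# Example call; -WhatIf shows which certificate would be mapped without changing anything.
New-SmbQuicCertificateMapping -ServerFqdn 'fsedge1.contoso.com' -WhatIf
```

Run it in an elevated prompt on the file server; drop -WhatIf to create the mapping.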
    

If you want to control which clients can use SMB over QUIC, you can use client access control. To learn how to restrict which clients can access SMB over QUIC servers, see Configure SMB over QUIC client access control.

  1. Join your Windows client device to your domain. Ensure that the DNS names in the file server's certificate subject alternative names are published to DNS as fully qualified names, or are added to the HOSTS file on your Windows client.

  2. Move your Windows client device to an external network where it no longer has any network access to domain controllers or the file server's internal IP addresses.

  3. In Windows File Explorer, in the Address Bar, type the UNC path to a share on the file server and confirm you can access data in the share. Alternatively, you can use NET USE /TRANSPORT:QUIC or New-SmbMapping -TransportType QUIC with a UNC path. Examples:

    REM Automatically tries TCP then QUIC
    NET USE * \\fsedge1.contoso.com\sales
    
    REM Tries only QUIC
    NET USE * \\fsedge1.contoso.com\sales /TRANSPORT:QUIC
    
    # Tries only QUIC
    New-SmbMapping -LocalPath 'Z:' -RemotePath '\\fsedge1.contoso.com\sales' -TransportType QUIC
    
Manage SMB over QUIC

PowerShell method

Admins can disable SMB over QUIC for a server by running the following command:

Set-SmbServerConfiguration -EnableSMBQUIC $false

To disable SMB over QUIC for a client device, run the following command:

Set-SmbClientConfiguration -EnableSMBQUIC $false

SMB over QUIC can be re-enabled on either the server or the client by running the corresponding command with $true instead of $false.

Note

If SMB over QUIC is disabled on the client and the client attempts to connect to a server over QUIC, the client falls back to connecting over TCP, unless the server is in the exception list.

Admins can now specify an SMB over QUIC server exception list on the client. A client can connect to a server when SMB over QUIC is disabled on the client as long as the server IP address, NetBIOS name or FQDN is in the exception list. To learn more, see Enable exceptions to NTLM blocking. A server exception list can be created by running the following command:

Set-SmbClientConfiguration -DisabledSMBQUICServerExceptionList "<Server01>, <Server02>, <Server03>"

Group Policy method

To disable SMB over QUIC for the server, perform the following:

  1. Select Start, type gpedit.msc, and press Enter.
  2. In the Group Policy UI, navigate to Computer Configuration\Administrative Templates\Network\Lanman Server, select Enable SMB over QUIC, and then select Disabled.

To enable SMB over QUIC, set this policy to Enabled.

To disable SMB over QUIC for a client device, perform the following:

  1. In the Group Policy UI, navigate to Computer Configuration\Administrative Templates\Network\Lanman Workstation, select Enable SMB over QUIC, and then select Disabled.

To enable SMB over QUIC, set this policy to Enabled.

To enable a server exception list for SMB over QUIC, perform the following:

  1. In the Group Policy UI, navigate to Computer Configuration\Administrative Templates\Network\Lanman Workstation, select Disabled SMB over QUIC Server Exception List, and then select Enabled.
  2. In the Disabled SMB over QUIC Server Exception List options box, add the server IP address, NetBIOS name or FQDN. Use a comma to add multiple values.
  3. Once the exception list is populated, select OK.

SMB over QUIC client auditing

Auditing is used to track client connections for SMB over QUIC, with events being written to an event log. The Event Viewer captures this information for the QUIC transport protocol. This feature is available to the SMB client starting with Windows 11, version 24H2. To view these logs, follow these steps:

  1. Open the Event Viewer.
  2. Navigate to Applications and Services Logs\Microsoft\Windows\SMBClient\Connectivity.
  3. Monitor event ID 30832.
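
The same events can be collected from PowerShell for review or forwarding to a SIEM. As an added example (not code from the Microsoft Learn page), the function below queries event ID 30832 from the Connectivity channel, treats an empty result as "no events" rather than an error, and flattens each event into an object; the function name and the 24-hour default window are assumptions.

```powershell
# Added example, not code from the Microsoft Learn page: pull SMB over QUIC client connectivity
# events (ID 30832) from the SMBClient Connectivity channel. Function name and defaults are assumed.
function Get-SmbQuicClientEvents {
    param(
        [int]$Hours = 24,
        [int]$MaxEvents = 500
    )

    $filter = @{
        LogName   = 'Microsoft-Windows-SMBClient/Connectivity'
        Id        = 30832
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    # Get-WinEvent raises an error when nothing matches; treat that as an empty result.
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Verbose "No event 30832 entries in the last $Hours hours."
        return @()
    }

    # Keep the full message text; its exact wording depends on the Windows build, so it is
    # passed through unparsed (whitespace collapsed) rather than split into fields.
    foreach ($e in $events) {
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Computer    = $e.MachineName
            EventId     = $e.Id
            Message     = ($e.Message -replace '\s+', ' ').Trim()
        }
    }
}

# Example calls: review on screen, or export for collection.
Get-SmbQuicClientEvents -Hours 72 | Format-Table -AutoSize
Get-SmbQuicClientEvents | Export-Csv -Path .\smb-quic-client-events.csv -NoTypeInformation
```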

Configure the KDC Proxy (optional, but recommended)

By default, a Windows client device won't have access to an Active Directory domain controller when connecting to an SMB over QUIC file server. This means authentication uses NTLMv2, where the file server authenticates on behalf of the client. No NTLMv2 authentication or authorization occurs outside the TLS 1.3-encrypted QUIC tunnel. However, we still recommend using Kerberos as a general security best practice and don't recommend creating new NTLMv2 dependencies in deployments. To allow Kerberos in this scenario, you can configure the KDC proxy to forward ticket requests on the user's behalf over an internet-friendly HTTPS-encrypted channel. The KDC Proxy is supported by SMB over QUIC and highly recommended.

Note

You cannot configure the WAC in gateway mode using TCP port 443 on a file server where you are configuring KDC Proxy. When configuring WAC on the file server, change the port to one that is not in use and is not 443. If you have already configured WAC on port 443, re-run the WAC setup MSI and choose a different port when prompted.

Windows Admin Center method

  1. Ensure you're using WAC version 2110 or later.

  2. Configure SMB over QUIC normally. Starting in WAC 2110, the option to configure KDC proxy in SMB over QUIC is automatically enabled and you don't need to perform extra steps on the file servers. The default KDC proxy port is 443 and assigned automatically by WAC.

    Note

    You cannot configure an SMB over QUIC server joined to a Workgroup using WAC. You must join the server to an Active Directory domain or follow the steps in configuring the KDC proxy either in PowerShell or Group Policy.

PowerShell method

  1. On the file server, in an elevated PowerShell prompt, run:

    NETSH http add urlacl url=https://+:443/KdcProxy user="NT authority\Network Service"
    
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\KPSSVC\Settings" -Name "HttpsClientAuth" -Value 0 -Type DWord -Force
    
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\KPSSVC\Settings" -Name "DisallowUnprotectedPasswordAuth" -Value 0 -Type DWord -Force
    
    Get-SmbServerCertificateMapping
    
  2. Copy the thumbprint value from the certificate associated with the SMB over QUIC mapping (there may be multiple lines, but they'll all have the same thumbprint) and paste it as the CertificateHash value in the following command:

    $guid = [Guid]::NewGuid()
    Add-NetIPHttpsCertBinding -IPPort 0.0.0.0:443 -CertificateHash <thumbprint> -CertificateStoreName "My" -ApplicationId "{$guid}" -NullEncryption $false
    
  3. Add the file server's SMB over QUIC names as SPNs in Active Directory for Kerberos. For example:

    NETDOM computername ws2022-quic.corp.contoso.com /add fsedge1.contoso.com
    
  4. Set the KDC Proxy service to automatic and start it:

    Set-Service -Name kpssvc -StartupType Automatic
    
    Start-Service -Name kpssvc
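
The server-side steps 1, 2 and 4 above, plus the TCP 443 firewall rule from the Group Policy steps, can be run as one idempotent function. This is an added example (not code from the Microsoft Learn page): it reads the thumbprint from the existing SMB over QUIC mapping instead of relying on copy and paste, refuses to proceed if the mappings disagree, and scopes the firewall rule to the KPSSVC service; the function name and the rule name are assumptions.

```powershell
# Added example, not code from the Microsoft Learn page: server-side KDC Proxy setup for
# SMB over QUIC. The function name and firewall rule name are assumed values.
function Enable-SmbQuicKdcProxy {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$RuleName = 'KDC Proxy for SMB over QUIC (TCP 443 in)')

    $mappings = Get-SmbServerCertificateMapping
    if (-not $mappings) { throw 'No SMB over QUIC certificate mapping exists; configure SMB over QUIC first.' }

    # Every mapping should carry the same thumbprint; do not guess if they differ.
    $thumbprints = @($mappings.Thumbprint | Sort-Object -Unique)
    if ($thumbprints.Count -ne 1) {
        throw "Expected one thumbprint across the SMB over QUIC mappings, found: $($thumbprints -join ', ')"
    }
    $thumbprint = $thumbprints[0]

    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Configure KDC Proxy with certificate $thumbprint")) { return }

    # Reserve the KdcProxy URL for the account the KPSSVC service runs as (step 1 of the page).
    netsh http add urlacl url=https://+:443/KdcProxy user="NT authority\Network Service" | Out-Null

    $settings = 'HKLM:\SYSTEM\CurrentControlSet\Services\KPSSVC\Settings'
    if (-not (Test-Path $settings)) { New-Item -Path $settings -Force | Out-Null }
    Set-ItemProperty -Path $settings -Name HttpsClientAuth -Value 0 -Type DWord -Force
    Set-ItemProperty -Path $settings -Name DisallowUnprotectedPasswordAuth -Value 0 -Type DWord -Force

    # Bind the SMB over QUIC certificate to HTTPS on 0.0.0.0:443 (step 2 of the page).
    try {
        Add-NetIPHttpsCertBinding -IPPort 0.0.0.0:443 -CertificateHash $thumbprint -CertificateStoreName My `
            -ApplicationId "{$([guid]::NewGuid())}" -NullEncryption $false -ErrorAction Stop
    } catch {
        Write-Warning "HTTPS certificate binding on 0.0.0.0:443 was not added: $($_.Exception.Message)"
    }

    # Allow inbound TCP 443 only for the KDC Proxy service, not for every process.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP -LocalPort 443 `
            -Service kpssvc -Action Allow | Out-Null
    }

    Set-Service -Name kpssvc -StartupType Automatic   # step 4 of the page
    Start-Service -Name kpssvc
    Get-Service -Name kpssvc
}

Enable-SmbQuicKdcProxy -WhatIf   # preview; drop -WhatIf to apply
```

The SPN registration with NETDOM (step 3 above) still has to be done separately in Active Directory.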
    
Group Policy method

  1. Configure the following group policy to apply to the Windows client device:

    Computer Configuration\Administrative Templates\System\Kerberos\Specify KDC proxy servers for Kerberos clients

    The format of this group policy setting is a value name of your fully qualified Active Directory domain name and the value becomes the external name you specified for the QUIC server. For example, where the Active Directory domain is named corp.contoso.com and the external DNS domain is named contoso.com:

    value name: corp.contoso.com

    value: <https fsedge1.contoso.com:443:kdcproxy />

    This Kerberos realm mapping means that if user ned@corp.contoso.com tries to connect to a file server named fsedge1.contoso.com, the KDC proxy knows to forward the Kerberos ticket requests to a domain controller in the internal corp.contoso.com domain. The communication with the client is over HTTPS on port 443, and user credentials aren't directly exposed on the client-file server network.

  2. Create a Windows Defender Firewall rule that inbound-enables TCP port 443 for the KDC Proxy service to receive authentication requests.

  3. Ensure that edge firewalls allow HTTPS on port 443 inbound to the file server.

  4. Apply the group policy and restart the Windows client device.

Note

Automatic configuration of the KDC Proxy will be added to SMB over QUIC in a later release, at which point these server steps will no longer be necessary.

Certificate expiration and renewal

When you replace an expired SMB over QUIC certificate with a new one from the issuer, the new certificate has a new thumbprint. Even if you automatically renew SMB over QUIC certificates before they expire using Active Directory Certificate Services, a renewed certificate gets a new thumbprint as well. This effectively means that SMB over QUIC must be reconfigured whenever the certificate is renewed, because the new thumbprint must be mapped. Select your new certificate in WAC for the existing SMB over QUIC configuration, or use the Set-SmbServerCertificateMapping PowerShell command to update the mapping to the new certificate. You can use Azure Automanage for Windows Server to detect impending certificate expiration and prevent an outage. For more information, review Azure Automanage for Windows Server.
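
As an added example (not code from the Microsoft Learn page), the function below reports how close each SMB over QUIC mapping is to expiry and, when a newer certificate with the same DNS name has already been issued, moves the mapping to it. The function name and the 30-day warning threshold are assumptions, and it assumes Set-SmbServerCertificateMapping accepts -Thumbprint and -StoreName like the New- cmdlet used earlier on this page.

```powershell
# Added example, not code from the Microsoft Learn page: audit SMB over QUIC certificate mappings
# for expiry and rebind to a newer certificate when one exists. Name and threshold are assumed.
function Update-SmbQuicCertificateMapping {
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$WarnDays = 30)

    $now = Get-Date
    foreach ($map in Get-SmbServerCertificateMapping) {
        # The certificate currently bound to this name, if it is still in the store.
        $current = Get-Item -Path "Cert:\LocalMachine\$($map.StoreName)\$($map.Thumbprint)" -ErrorAction SilentlyContinue
        $daysLeft = if ($current) { [int]($current.NotAfter - $now).TotalDays } else { -1 }

        # A replacement must be valid, have the private key, carry the same DNS SAN and expire later.
        $newer = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
            $_.HasPrivateKey -and $_.NotAfter -gt $now -and
            ($_.DnsNameList.Unicode -contains $map.Name) -and
            (-not $current -or $_.NotAfter -gt $current.NotAfter)
        } | Sort-Object NotAfter -Descending | Select-Object -First 1

        $status = if (-not $current) { 'MISSING' }
                  elseif ($daysLeft -le 0) { 'EXPIRED' }
                  elseif ($daysLeft -le $WarnDays) { 'EXPIRING' }
                  else { 'OK' }

        [pscustomobject]@{
            Name = $map.Name; Thumbprint = $map.Thumbprint; DaysLeft = $daysLeft
            Status = $status; Replacement = $newer.Thumbprint
        }

        # Only rebind when the current certificate is missing, expired or about to expire.
        if ($status -ne 'OK' -and $newer -and
            $PSCmdlet.ShouldProcess($map.Name, "Rebind mapping to certificate $($newer.Thumbprint)")) {
            Set-SmbServerCertificateMapping -Name $map.Name -Thumbprint $newer.Thumbprint -StoreName My
        }
    }
}

Update-SmbQuicCertificateMapping -WhatIf | Format-Table -AutoSize   # report only; drop -WhatIf to rebind
```

Scheduled daily, the report half of this function gives the same early warning Azure Automanage provides, without changing anything until a replacement certificate is actually present.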
