SMB over QUIC Support in All Editions of Windows Server 2025

One of the main new features of Windows Server 2022 is SMB over QUIC. QUIC serves as an alternative to TCP and RDMA and provides a secure connection to a file server over untrusted networks. The protocol is based on UDP and TLS 1.3, which improves both the security and the performance of file shares. Windows Server 2025 will include it in all editions, along with the new QUIC Client Access Control. Until now, SMB over QUIC has been exclusive to the Azure Edition.

A major advantage of QUIC is its mandatory certificate-based encryption. SMB over QUIC works like an SMB VPN for users working remotely. The server certificate is used to establish a TLS 1.3-encrypted tunnel over UDP port 443, so SMB traffic, including authentication, is never exposed to the underlying network.

Transport options for Server Message Block (SMB)

Within the QUIC tunnel, SMB behaves as usual from the user’s point of view, and features such as multi-channel and compression are still available.

SMB over QUIC as the preferred protocol in the future

Microsoft has positioned SMB over QUIC primarily as a feature for edge servers: file servers that run in the cloud or in a DMZ and are reachable from the internet. Microsoft restricted QUIC support to the Azure Edition because that edition runs in the Microsoft cloud. It is also supported on Azure Stack HCI for on-premises use.

The announcement of SMB over QUIC for Windows Server 2025 signals a shift in how the feature is positioned. It serves as a secure alternative to SMB over TCP, raises the security level of file servers even for internal use, and guards NTLM credentials against leakage. It is therefore expected that QUIC will become the preferred transport for SMB.

QUIC Client Access Control

Compared to the feature set in Windows Server 2022, there is a new capability that restricts access to a file server over QUIC to specific clients. As it stands, a server accepts every client certificate that chains up to the root certificate used for QUIC on that server.

This new restriction is also based on certificates. Administrators can add the thumbprints of client certificates to a list of trusted devices on the server. When a computer attempts to connect, the server decides, based on the certificate details the client presents, whether that client is granted access.

In larger environments, maintaining the thumbprints of all client certificates on the server can become tedious. QUIC Client Access Control therefore also supports certificates with Subject Alternative Names (SAN), which can cover the names of multiple hosts.
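The following PowerShell session is an added example, not code from the original article, showing how the client restriction described above is configured on a Windows Server 2025 file server. It assumes the server certificate mapping for the QUIC endpoint already exists, that the SMB module exposes the QUIC Client Access Control cmdlets `Set-SmbServerCertificateMapping`, `Grant-SmbClientAccessToServer` and `Get-SmbClientAccessToServer` as documented for Windows Server 2025, and that the `ISSUER` identifier type is available in addition to `SHA256`; the server name and thumbprints are placeholders.

```powershell
# Added example (not from the original article): restrict SMB over QUIC access
# to specific clients with QUIC Client Access Control on Windows Server 2025.
# Run in an elevated PowerShell session on the file server.
# $ServerName and all thumbprints below are placeholders.

$ServerName = 'fs1.contoso.com'   # placeholder: name clients connect to over QUIC

# 1. Require every QUIC client to present a certificate; without this the
#    server keeps accepting any certificate that chains to its trusted root.
#    (Assumes the server certificate mapping for $ServerName already exists.)
Set-SmbServerCertificateMapping -Name $ServerName -RequireClientAuthentication $true

# 2. Option A: allow individual devices by the SHA256 hash of their certificate.
$AllowedClientHashes = @(
    '0123456789ABCDEF0123456789ABCDEF01234567',   # placeholder: laptop01
    '89ABCDEF0123456789ABCDEF0123456789ABCDEF'    # placeholder: laptop02
)
foreach ($Hash in $AllowedClientHashes) {
    Grant-SmbClientAccessToServer -Name $ServerName -IdentifierType SHA256 -Identifier $Hash
}

# 3. Option B (larger environments): allow every client whose certificate was
#    issued by a given CA, identified by the issuer's thumbprint. Assumption:
#    the ISSUER identifier type is supported by the cmdlet.
$IssuerThumbprint = 'FEDCBA9876543210FEDCBA9876543210FEDCBA98'   # placeholder
Grant-SmbClientAccessToServer -Name $ServerName -IdentifierType ISSUER -Identifier $IssuerThumbprint

# 4. Review the resulting access list and the mapping that enforces it.
Get-SmbClientAccessToServer -Name $ServerName | Format-Table -AutoSize
Get-SmbServerCertificateMapping -Name $ServerName
```

Once client authentication is required, a client without a mapped certificate (or with one that is not on the list) fails the QUIC handshake before any SMB traffic is exchanged, so the access decision happens on the certificate rather than on NTLM or Kerberos credentials.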

Enabling SMB over QUIC

The Windows Server Insider Preview Build 25997 includes SMB over QUIC in all editions, including Standard and Datacenter. However, the feature is turned off by default and must be enabled by the server administrator; clients cannot force the server to use the protocol.

SMB over QUIC can be enabled either through the Windows Admin Center (WAC) or through PowerShell. The current version of WAC only offers QUIC configuration for the Azure Edition and does not yet support the other OS editions for this task.

In PowerShell, the cmdlets involved are New-SmbServerCertificateMapping and Set-SmbServerConfiguration (see also: How to use SMB over QUIC in Windows Server 2022).

Checking the status of SMB over QUIC in PowerShell
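The following PowerShell session is an added example, not code from the original article, that carries the enabling procedure described above through to a status check. It assumes a server-authentication certificate for the file server's DNS name is already installed in the machine store, that the two cmdlets named in the text (`New-SmbServerCertificateMapping`, `Set-SmbServerConfiguration`) and the standard `Get-SmbServerConfiguration`, `Get-SmbServerCertificateMapping`, `New-NetFirewallRule` and `New-SmbMapping` cmdlets are available; the server and share names are placeholders.

```powershell
# Added example (not from the original article): enable SMB over QUIC on a
# Windows Server 2025 file server and verify the result.
# Run in an elevated PowerShell session on the server. $ServerName and the
# share name are placeholders; the certificate must already exist in the store.

$ServerName = 'fs1.contoso.com'   # placeholder: DNS name clients will connect to

# 1. Select a certificate with a private key whose SAN covers $ServerName.
#    DnsNameList is the property PowerShell adds to X509Certificate2 objects.
$Cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.DnsNameList.Unicode -contains $ServerName) } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1
if (-not $Cert) {
    throw "No certificate for $ServerName with a private key found in Cert:\LocalMachine\My"
}

# 2. Map the certificate to the SMB server name; this is the identity of the
#    TLS 1.3 tunnel that QUIC clients will validate.
New-SmbServerCertificateMapping -Name $ServerName -Thumbprint $Cert.Thumbprint -StoreName My

# 3. Turn the QUIC transport on (it is off by default outside the Azure Edition).
Set-SmbServerConfiguration -EnableSMBQUIC $true -Force

# 4. Open the QUIC listener in the host firewall: SMB over QUIC uses UDP 443,
#    not TCP 445, so an existing SMB rule does not cover it.
New-NetFirewallRule -DisplayName 'SMB over QUIC (UDP 443)' -Direction Inbound `
    -Protocol UDP -LocalPort 443 -Action Allow

# 5. Check the status: EnableSMBQUIC must be True and the mapping must be listed.
Get-SmbServerConfiguration | Select-Object -Property EnableSMBQUIC
Get-SmbServerCertificateMapping -Name $ServerName

# 6. From a Windows 11 or Windows Server 2025 client: map the share and request
#    the QUIC transport explicitly, so the connection fails instead of silently
#    falling back to TCP when QUIC is unavailable.
#    New-SmbMapping -RemotePath "\\$ServerName\share" -TransportType QUIC
```

Steps 1 to 5 run on the server; step 6 is shown commented out because it belongs on the client. Requesting `-TransportType QUIC` on the client is the quickest way to confirm that the server side actually accepts QUIC rather than the client having fallen back to SMB over TCP.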

Summary

Microsoft initially positioned SMB over QUIC, introduced with Windows Server 2022, exclusively for accessing file servers over the internet, and it was therefore only available in the Azure Edition. However, the improved security of the QUIC protocol also benefits purely on-premises environments.

